
CEH Certification Notes

1. Basics

a. Essential Terms
- Hack Value: A hacker's interest in a target, based on its perceived worth.
- Vulnerability: A weakness in a system that can be exploited.
- Exploit: Taking advantage of an identified vulnerability.
- Payload: The malware or exploit code the attacker delivers to the victim.
- Zero-day attack: Exploiting a previously unknown, unpatched vulnerability.
- Daisy-chaining: Gaining access to a single system and using it as a pivot to reach other systems on the same network.
- Doxing: Tracing and publishing an individual's personally identifiable information (PII) with malicious intent.
- Bot: Software that carries out automated tasks, usually under remote control.

b. Elements of information security
- Confidentiality: Information is available only to authorized people.
- Integrity: Information stays accurate and complete; unauthorized changes are prevented or detected.
- Availability: Resources are available when authorized users need them.
- Authenticity: The data (or the party presenting it) is genuine and uncorrupted.
- Non-repudiation: The sender cannot deny having sent a message and the recipient cannot deny having received it.

c. Phases of hacking (and of a penetration test)
1. Reconnaissance
2. Scanning & Enumeration
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

d. Types of threats
- Network threats: The attacker breaks into the channel and steals information exchanged over the network.
- Host threats: The attacker gains access to information held on a system.
- Application threats: The attacker exploits unprotected entry points in the application itself.

e. Types of attacks
- OS: Attacks against the victim's operating system.
- App level: Attacks against the application, usually possible because developers did little security testing.
- Shrink wrap: Exploiting unpatched libraries, frameworks and default configurations shipped with the application.
- Misconfiguration: Attacks against systems whose security has been poorly configured.

2. Legal
- 18 U.S.C. 1029 & 1030: U.S. federal statutes on access-device fraud and on computer fraud and abuse.
- RFC 1918: Private IP address ranges.
- RFC 3227: Guidelines for evidence collection and archiving (data collection and storage).
- ISO 27002: Information security control guidelines.
- CAN-SPAM: Commercial e-mail.
- SPY Act: License enforcement.
- DMCA: Intellectual property.
- SOX: Corporate finance processes.
- GLBA: Personal finance data.
- FERPA: Education records.
- FISMA: Security standard for U.S. government networks.
- CVSS: Common Vulnerability Scoring System.
- CVE: Common Vulnerabilities and Exposures.

3. Reconnaissance
Also called footprinting: the preliminary survey of, or research about, the target.

a. Footprinting information
- Network information: Domains, subdomains, IP addresses, Whois and DNS records, VPN gateways and firewalls (e.g. probing IKE endpoints with ike-scan).
- System information: Web server OS, server locations, users, usernames, passwords and passcodes.
- Organization information: Employee information, organization background, phone numbers, locations.

b. Footprinting tools
Maltego, Recon-ng (The Recon-ng Framework), FOCA, Recon-dog, Dmitry (DeepMagic Information Gathering Tool).

c. Google hacking
Uses advanced Google search operators ("dorks") to find specific text in indexed pages (error messages, login pages, exposed files) in order to discover vulnerable targets.
Common dorks:
- site: results only from the specified domain
- inurl: only pages with the query in their URL
- intitle: only pages with the query in their title
- cache: the cached version of the queried page
- link: only pages that link to the queried URL (discontinued)
- filetype: only results of the given file type
Google hacking tools: Google Hack Honeypot, Google Hacking Database (GHDB), metagoofil.

4. Scanning Networks
Obtaining additional information about the hosts, ports and services in the victim's network, in order to identify vulnerabilities and build an attack plan.

a. Scanning types
- Port scanning: Finding open ports and the services behind them.
- Network scanning: Producing a list of live IP addresses.
- Vulnerability scanning: Testing for known vulnerabilities.

b. Common ports to scan
Port   Protocol   Service
22     TCP        SSH (Secure Shell)
23     TCP        Telnet
25     TCP        SMTP (Simple Mail Transfer Protocol)
53     TCP/UDP    DNS (Domain Name System)
80     TCP        HTTP (Hypertext Transfer Protocol)
123    UDP        NTP (Network Time Protocol)
443    TCP        HTTPS (UDP 443 only for HTTP/3 over QUIC)
500    UDP        IKE/IPsec (Internet Key Exchange)
631    TCP/UDP    IPP (Internet Printing Protocol)
3389   TCP/UDP    RDP (Remote Desktop Protocol)
9100   TCP        AppSocket/JetDirect (HP JetDirect raw printing)

c. Scanning tools
Nmap: Network scanning by sending specially crafted packets. Common options:
- -sS: SYN (half-open, "stealth") scan; the default when run as root
- -sT: TCP connect scan
- -sA: ACK scan
- -sW: Window scan
- -sF: FIN scan
- -sN: NULL scan
- -sX: Xmas tree scan
- -sI <zombie>: Idle scan
- -sR: RPC scan (deprecated; now an alias for -sV, version detection)
- -sn: Ping sweep (host discovery only, no port scan)
- -Pn: Skip host discovery and treat every host as up (formerly -P0)
- -PE: ICMP echo ping (formerly -PI)
- -PS: TCP SYN ping
- -PA: TCP ACK ping (formerly -PT)
- -oN: Normal output
- -oX: XML output
- -A: OS detection, version detection, script scanning and traceroute
- -T<0-5>: Timing template, from paranoid (0) to insane (5)
Hping: Open-source packet crafter and port scanner. It works at a lower level than Nmap (every header field is under your control), which makes it more flexible and potentially stealthier, but it targets one host at a time, whereas Nmap scans whole address ranges.

d. Techniques
- ICMP scanning: Broadcast ICMP ping, ICMP ping sweep.
- TCP scanning: TCP connect, SYN scanning, RFC 793 inverse-flag scans (FIN, NULL, Xmas), ACK scanning, idle scan.
- UDP scanning: Relies on the target answering a probe to a closed UDP port with an ICMP "port unreachable" error; silence means open or filtered.
- List scanning: Reverse DNS resolution of the target range to learn host names, without sending any probe to the hosts.
- SSDP scanning: Discovering UPnP devices, whose UPnP stacks may be exposed to buffer overflow or DoS attacks.
- ARP scan: Useful when scanning an Ethernet LAN.

5. Enumeration
Actively connecting to a system and querying it for the information needed next (user names, shares, services, configuration); this information drives the exploitation that follows.

a. Enumeration techniques
- Windows enumeration
- Windows user account enumeration
- NetBIOS enumeration
- SNMP enumeration
- LDAP enumeration
- NTP enumeration
- SMTP enumeration
- Brute forcing Active Directory

b. DNS enumeration
DNS (Domain Name System) records are database entries that map names to IP addresses and other data; querying them reveals the target's hosts, mail servers and name servers.
DNS enumeration tools: dnsrecon, nslookup, dig, host.

c. DHCP
The lease exchange (DORA):
- Client --Discover--> Server
- Client <--Offer-- Server
- Client --Request--> Server
- Client <--Ack-- Server
The leased IP address is removed from the server's pool.

6. Sniffing
Capturing packets from a network with a program or a device.

a. Sniffing types
- Passive sniffing: The attacker only listens and sends no packets; it works where the traffic already reaches the attacker (hubs, or a port that already receives the traffic).
- Active sniffing: The attacker injects packets (ARP poisoning, MAC flooding, DHCP spoofing) to redirect traffic through the sniffer; needed on switched networks.

b. Sniffer
A packet-capture application designed to capture traffic carrying information such as passwords, router configuration and other content.
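Returning to the scanning techniques in section 4 above: the rules for reading a reply (SYN|ACK or RST for a SYN/connect probe, RST or silence for the inverse-flag scans, RST or silence for an ACK probe, ICMP type 3 code 3 for UDP) are easy to state and easy to get wrong. The following Python is an added illustration, not code from these notes. It builds the probe replies in memory with `struct` (the packets are constructed, nothing is sent) and applies those rules, including the open|filtered ambiguity of the inverse-flag scans.

```python
"""Classify a probed port from the reply the scanner received.

Added illustration for the TCP/UDP scanning techniques above; not code from
the original notes. The packets are constructed in-line, nothing is sent.
"""
import struct
from typing import Optional

# TCP flag bits (low nine bits of the data-offset/flags word).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_flags(segment: bytes) -> int:
    """Return the flag bits of a raw TCP header (no IP header in front)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    # Bytes 12-13: 4-bit data offset, 3 reserved bits, 9 flag bits.
    (offset_flags,) = struct.unpack("!H", segment[12:14])
    return offset_flags & 0x01FF


def classify_tcp(probe: str, reply: Optional[bytes]) -> str:
    """probe: 'syn', 'connect', 'fin', 'null', 'xmas' or 'ack'.
    reply: raw TCP header of the answer, or None if nothing came back."""
    flags = tcp_flags(reply) if reply is not None else None
    if probe in ("syn", "connect"):
        if flags is None:
            return "filtered"            # dropped by a firewall, not even a RST
        if flags & SYN and flags & ACK:
            return "open"                # SYN|ACK: a listener completed step 2
        if flags & RST:
            return "closed"
        return "unknown"
    if probe in ("fin", "null", "xmas"):
        # RFC 793: a closed port must answer RST, an open one must stay silent.
        # Silence also means a filter, and Windows sends RST for every port,
        # so these scans can never prove a port open.
        if flags is None:
            return "open|filtered"
        return "closed" if flags & RST else "unknown"
    if probe == "ack":
        # An ACK probe maps firewall rules, not listeners: RST from any port
        # means the firewall let it through, silence means it was filtered.
        if flags is None:
            return "filtered"
        return "unfiltered" if flags & RST else "unknown"
    raise ValueError(f"unknown probe type {probe!r}")


def classify_udp(icmp_reply: Optional[bytes]) -> str:
    """icmp_reply: ICMP header (type, code, ...) of the answer, or None."""
    if icmp_reply is None:
        return "open|filtered"           # open ports say nothing to a UDP probe
    icmp_type, code = icmp_reply[0], icmp_reply[1]
    if icmp_type == 3 and code == 3:
        return "closed"                  # destination unreachable / port unreachable
    if icmp_type == 3 and code in (1, 2, 9, 10, 13):
        return "filtered"                # host, protocol or administratively prohibited
    return "unknown"


def make_tcp_header(flags: int, src_port: int = 80, dst_port: int = 40000) -> bytes:
    """Minimal 20-byte TCP header carrying the given flags (constructed test data)."""
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0, (5 << 12) | flags, 65535, 0, 0)


if __name__ == "__main__":
    synack = make_tcp_header(SYN | ACK)
    rst = make_tcp_header(RST | ACK)
    print("SYN probe, SYN|ACK reply ->", classify_tcp("syn", synack))
    print("FIN probe, RST reply     ->", classify_tcp("fin", rst))
    print("Xmas probe, no reply     ->", classify_tcp("xmas", None))
    print("ACK probe, no reply      ->", classify_tcp("ack", None))
    print("UDP probe, ICMP 3/3      ->", classify_udp(bytes([3, 3, 0, 0])))
```

The same decision table is what Nmap prints as open, closed, filtered, unfiltered and open|filtered; when a host shows every port as closed to a FIN or Xmas scan and open to a SYN scan, suspect a Windows target rather than a closed port.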
c. Wiretapping
Monitoring of telephone and Internet-based conversations by a third party.

d. Sniffing tools
- Cain and Abel
- libpcap
- TCPflow
- tcpdump
- Wireshark
- Kismet

e. Sniffing attacks
- MAC flooding: Sending a large number of frames with fake source MAC addresses until the switch's CAM table is full. The switch then fails open and floods incoming frames to every port, and the attacker can sniff the traffic passing through the switch.
- DHCP attacks: DHCP starvation, a denial of service that exhausts all the addresses the server can lease.
- DNS poisoning: Manipulating the DNS table or cache by replacing a legitimate IP address with a malicious one.
- VLAN hopping: Attacking a host on one VLAN to gain access to traffic on other VLANs.
- OSPF attacks: Forming a trusted adjacency with a router so that routes can be injected.

7. Attacking a System

a. LM hashing
The LAN Manager hash upper-cases the password, null-pads it to 14 bytes, splits it into two 7-byte halves and uses each half as a DES key to encrypt the constant "KGS!@#$%". The hash of seven null (padding) bytes is always AAD3B435B51404EE, so a password of 7 characters or fewer shows this constant as its second half, and a disabled LM hash is this constant twice.

b. Attack types (password attacks)
- Passive online: Learning credentials or system weaknesses without affecting system resources (sniffing).
- Active online: Password guessing against the live service.
- Offline: Stealing the password hashes, usually from the SAM file, and cracking them elsewhere.
- Non-electronic: Social engineering.

c. Sidejacking
Stealing access to a website session, usually by hijacking the session cookie.

d. Authentication types
- Type 1: Something you know
- Type 2: Something you have
- Type 3: Something you are

e. Session hijacking
Hijacking an established session involves:
1. Targeting and sniffing the traffic between client and server
2. Monitoring the traffic and predicting the sequence numbers
3. Desynchronizing the session with the client
4. Taking over the session by predicting the session token
5. Injecting packets to the target server
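For the LM hashing note in section 7a above, the constant AAD3B435B51404EE is the thing a practitioner actually looks for in a dump: it tells you which accounts still store an LM hash, and which of those have a password of seven characters or fewer. The following Python is an added example, not code from these notes; it parses pwdump-style lines (a constructed sample, not real accounts) and ranks accounts by how cheap they are to crack. Only the two documented constants (the empty LM half and the NT hash of the empty password) carry meaning; the other hash values are illustrative.

```python
"""Triage LM hashes in pwdump-style output.

Added example for the LM hashing note above (not code from the original
notes). The dump lines below are constructed, not real accounts.
"""
from dataclasses import dataclass
from typing import List

# LM hash of seven null bytes (DES of "KGS!@#$%" under an all-zero key).
# Any password of 7 characters or fewer has this as its second half;
# a disabled LM hash is this constant twice.
EMPTY_LM_HALF = "aad3b435b51404ee"
# NT hash of the empty password.
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str
    lm_stored: bool        # an LM hash is present at all
    short_password: bool   # password is 7 characters or fewer
    empty_password: bool   # NT hash is the hash of ""


def triage_line(line: str) -> Account:
    """Parse one 'user:rid:lmhash:nthash:::' line and classify its LM hash."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    if len(lm) != 32 or len(nt) != 32:
        raise ValueError(f"hash fields must be 32 hex characters: {line!r}")
    second_half = lm[16:]
    lm_stored = lm != EMPTY_LM_HALF * 2
    # A stored LM hash whose second half is the empty constant means positions
    # 8-14 of the padded password were nulls: the password is at most 7 chars,
    # so only one 7-character, case-insensitive half has to be cracked.
    short_password = lm_stored and second_half == EMPTY_LM_HALF
    return Account(user, rid, lm, nt, lm_stored, short_password, nt == NT_EMPTY)


def triage(dump: str) -> List[Account]:
    return [triage_line(l) for l in dump.splitlines() if l.strip() and not l.startswith("#")]


def crack_priority(accounts: List[Account]) -> List[str]:
    """Accounts worth attacking first: those with an LM hash (upper-cased,
    split into two independent 7-character halves), shortest key space first."""
    ranked = sorted((a for a in accounts if a.lm_stored),
                    key=lambda a: (not a.short_password, a.user))
    return [a.user for a in ranked]


# Constructed sample dump. Only the documented constants are meaningful;
# the remaining hash values are illustrative.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
jdoe:1002:0182bd0bd4444bf8aad3b435b51404ee:a4f49c406510bdcab6824ee7c30fd852:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for acct in triage(SAMPLE_DUMP):
        print(f"{acct.user:14} LM stored={acct.lm_stored!s:5} "
              f"<=7 chars={acct.short_password!s:5} empty={acct.empty_password}")
    print("crack first:", crack_priority(triage(SAMPLE_DUMP)))
```

A stored LM hash is the finding regardless of password length; the second-half check only orders the work. On current Windows the "NoLMHash" policy is on by default, so seeing anything other than the doubled constant is itself worth reporting.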
8. Social engineering
Compelling individuals of the target organization to reveal confidential and sensitive information.

a. Steps of social engineering
1. Research: Gather enough information about the target company.
2. Select target: Choose a target employee.
3. Relationship: Earn the target employee's trust, e.g. by building a relationship.
4. Exploit: Extract information from the target employee.
Identity theft: Stealing an employee's personally identifiable information in order to pose as that person.

b. Types of social engineers
- Insider associates: Have limited authorized access.
- Insider affiliates: Insiders who can spoof an identity.
- Outsider affiliates: Outsiders who make use of a vulnerable access point.

9. Physical Security
- Physical measures: E.g. air quality, power, humidity-control systems.
- Technical measures: E.g. smart cards and biometrics.
- Operational measures: E.g. security policies and procedures.
- Access control (biometrics):
  1. False rejection rate (FRR): The biometric rejects a valid user.
  2. False acceptance rate (FAR): The biometric accepts an invalid user.
  3. Crossover error rate (CER): The error rate at the threshold where FRR and FAR are equal; the lower the CER, the better the system.
- Environmental disasters: E.g. hurricanes, tornadoes, floods.

10. Web-based hacking

a. Web server hacking
A web server is a system that stores, processes and delivers websites. Web server hacking involves:
- Information gathering: Fetching robots.txt to see the directories and files the owner hides from web crawlers.
- Footprinting: Enumerating common web applications, e.g. nmap --script http-enum -p80 <target>
- Mirroring the site.
- Discovering vulnerabilities.
- Performing session hijacking and password cracking attacks.

b. Web server hacking tools
Wfetch, THC Hydra, HULK DoS, w3af, Metasploit

c. Web application hacking
A web application is the user interface through which users interact with web servers. The web application hacking methodology includes:
- Web infrastructure footprinting
- Web server attack
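The SQL injection section that follows lists the steps of the attack but not the bug that makes it possible. The following Python is an added example, not code from these notes: a login check that pastes user input into the SQL text, beside the parameterised version, run against an in-memory SQLite database with constructed users. The payload closes the string and comments out the password comparison.

```python
"""A login query built by string concatenation beside its parameterised form.

Added example for the SQL injection section (not code from the original
notes). Uses an in-memory SQLite database with constructed users.
"""
import hashlib
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)")
    for name, pw in (("alice", "correct horse"), ("admin", "s3cret-admin")):
        conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                     (name, hashlib.sha256(pw.encode()).hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """The bug: user input becomes part of the SQL text, so a quote in the
    input changes the structure of the query instead of being compared."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + pw_hash + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterised query: the driver sends username as data, never as SQL,
    so a quote in it is just another character to match."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute("SELECT username FROM users WHERE username = ? AND pw_hash = ?",
                       (username, pw_hash)).fetchone()
    return row[0] if row else None


# Classic payload: close the string literal, then comment out the rest of the
# WHERE clause ('--' starts a comment in SQLite), so the password is never checked.
PAYLOAD = "admin' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:", login_vulnerable(db, PAYLOAD, "wrong"))
    print("safe, injected      :", login_safe(db, PAYLOAD, "wrong"))
    print("safe, real creds    :", login_safe(db, "alice", "correct horse"))
```

The vulnerable query that reaches the database is `SELECT username FROM users WHERE username = 'admin' --' AND pw_hash = '...'`, which is why the attacker is logged in as admin with any password. sqlmap automates exactly this kind of probing; the fix is the parameterised form, not filtering quotes.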
d. SQL injection
Injecting malicious SQL into the queries an application builds from user input. Allows the attacker to gain unauthorized access, e.g. logging in without credentials. Steps:
- Information gathering: Database structure, name, version and type.
- SQL injection: Extracting information from the database, such as table names, column names and records.
- Advanced SQL injection: Compromising the underlying OS and network.
Tools: sqlmap, jSQL Injection, SQL Power Injector, The Mole, OWASP SQLiX.

11. Cryptography
Cryptography protects sensitive information by transforming it so that only the intended parties can read or verify it.

a. Terms
- Cipher: An encryption and decryption algorithm.
- Clear text / plaintext: Unencrypted data.
- Cipher text: Encrypted data.

b. Encryption algorithms
- DES (Data Encryption Standard): Symmetric block cipher, 56-bit key, 64-bit block.
- 3DES (Triple DES): DES applied three times with three keys, 168-bit key, 64-bit block.
- AES (Advanced Encryption Standard): Symmetric iterated block cipher, 128-bit block, 128/192/256-bit keys.
- RC (Rivest Cipher) family: Symmetric-key algorithms (RC4 stream cipher; RC5 and RC6 block ciphers).
- Blowfish: Fast symmetric block cipher, 64-bit block, 32- to 448-bit key.
- Twofish: Symmetric block cipher, 128-bit block.
- RSA (Rivest–Shamir–Adleman): Public-key algorithm whose strength rests on the difficulty of factoring the product of two large primes.
- Diffie–Hellman: Key agreement; generates a shared key between two parties over an insecure channel.
- DSA (Digital Signature Algorithm): The private key signs and the public key verifies the signature, so a valid signature identifies the holder of the private key.

12. Cloud security
Cloud providers counter repudiation with limited access, access policies, logging, and the ability to require a stated reason for access.
Cloud computing attacks:
- Wrapping attack: Modifying a signed SOAP/XML message so that the signature still validates while the content the service processes has changed.
- Side-channel attacks: The attacker controls a VM on the same physical host (by compromising one or placing their own) and observes the shared hardware.
- Cloud Hopper attack: Compromising the accounts of staff at cloud or managed service providers to obtain confidential customer information.
- Cloudborne attack: Exploiting a BMC (baseboard management controller) firmware vulnerability on bare-metal cloud servers so that an implant persists when the server is re-provisioned to the next tenant.
- Man-in-the-Cloud (MITC) attack: Abusing file synchronization services (e.g. Google Drive, Dropbox) as the attacker's infrastructure, typically by stealing the synchronization token.

13. Malware and other attacks
Malware is a malicious program designed to damage systems or give its creators access to them. Main types:

a. Trojans
Malware hidden inside seemingly harmless programs. Types include:
- Remote access Trojans (RATs): Include a back door for administrative control over the target computer.
- Backdoor Trojans: Install a backdoor on the target that gives the attacker uninterrupted access.
- Botnet Trojans: Install bot programs that enrol the target in a botnet.
- Rootkit Trojans: Hide the attacker's presence and enable access to unauthorized areas of the system.
- E-banking Trojans: Intercept account information before it is encrypted and send it to the attacker.
- Proxy-server Trojans: Let the attacker use the victim's computer as a proxy to connect to the Internet.

b. Viruses
- Stealth virus: Takes active steps to conceal the infection from antivirus software.
- Logic bomb: Not self-replicating (zero population growth), possibly parasitic; triggers when a condition is met.
- Polymorphic virus: Changes the encoding of its payload to avoid signature detection.
- Metamorphic virus: Rewrites its own code with each infection.
- Macro virus: Written in the macro language of MS Office products.
- File infectors: Infect executables.
- Boot sector infectors: Malicious code executed at system startup.
- Multipartite viruses: Combine file infectors and boot record infectors.

Table of Contents (module notes)
Module 1: Introduction to Ethical Hacking
Module 2: Footprinting and Reconnaissance
Module 3: Scanning Networks
Module 4: Enumeration
Module 5: System Hacking
Module 6: Malware Threats
Module 7: Sniffing
Module 8: Social Engineering
Module 9: Denial of Service
Module 10: Session Hijacking
Module 11: Hacking Web Servers
Module 12: Hacking Web Applications
Module 13: SQL Injection
Module 14: Hacking Wireless Networks
Module 15: Hacking Mobile Platforms
Module 16: Evading IDS, Firewalls, and Honeypots
Module 17: Cloud Computing
Module 18: Cryptography
Post Module: Extra Resources

Module 1: Introduction to Ethical Hacking
Information Security Overview
● Terminology
○ Hack Value: Notion among hackers that something is worth doing or interesting
○ Vulnerability: Existence of a weakness, design or implementation error that can lead to an unexpected event compromising the security of the system
○ Exploit: A breach of IT system security through vulnerabilities
○ Payload: The part of an exploit's code that performs the intended malicious action
○ Zero-Day Attack: An attack that exploits application vulnerabilities before the software developer releases a patch for them
○ Daisy Chaining: Gaining access to one network and/or computer and then using the same information to gain access to multiple networks and computers that contain desirable information
○ Doxing: Publishing personally identifiable information
○ Bot: Software application that can be controlled remotely to execute or automate pre-defined tasks
● Elements of Information Security
○ Confidentiality: Only authorized users are able to view content
○ Integrity: Trustworthiness of data or resources; prevention of unauthorized changes
○ Availability: Assurance that systems are accessible
○ Authenticity: The quality of being genuine
○ Non-Repudiation: The sender of a message cannot later deny having sent it

Information Security Threats and Attack Vectors
● Cloud computing: On-demand delivery of IT capabilities that also stores data; it must be secured
● Advanced Persistent Threats: APTs focus on stealing information from the victim machine without the user being aware
● Viruses and Worms: Capable of infecting a network within seconds
● Mobile Threats: Many attackers see the mobile phone as a way to gain access
● Botnet: Huge network of compromised systems
● Insider Attack: An attack performed on a corporate network by a trusted person with access
● Threat categories: Network Threats, Host Threats, Application Threats
● Types of Attacks: OS Attacks, Misconfiguration Attacks, Application-Level Attacks, Shrink Wrap Code Attacks

Hacking Concepts, Types, and Phases
● Hacking: Exploiting system vulnerabilities and compromising security
● Five Phases of Hacking: Reconnaissance, Scanning, Gaining Access, Maintaining Access, Clearing Tracks
○ Reconnaissance: Preparation phase in which the attacker gathers information; does not interact directly with the system, relying on social engineering and public information
○ Scanning: Identify specific vulnerabilities (in-depth probing), using port scanners to detect listening ports (companies should shut down ports that are not required)
○ Gaining Access: Using the vulnerabilities identified during reconnaissance and scanning [DoS, logic/time exploits, reconfiguring or crashing the system]
○ Maintaining Access: Keeping a low profile, keeping the system as a launch pad, etc.
○ Clearing Tracks: Hiding malicious acts while continuing to have access, avoiding suspicion

Ethical Hacking Concepts and Scope
● Ethical Hacking: Using tools and techniques to identify vulnerabilities, with permission

Information Security Controls
● Information Assurance: Assurance of the integrity, availability, confidentiality and authenticity of information
● Threat Modeling: Risk assessment approach for analyzing security. 1) Identify security objectives 2) Application overview 3) Decompose the application 4) Identify threats 5) Identify vulnerabilities
● Network Security Zoning (from most to least exposed): Internet Zone - Internet DMZ - Production Network Zone - Intranet Zone - Management Network Zone
● Security policies are the foundation of the security infrastructure
● An information security policy defines the basic requirements and rules to be implemented in order to protect and secure the organization's information systems
● 4 types of security policies
○ Promiscuous Policy
○ Permissive Policy
○ Prudent Policy
○ Paranoid Policy
● Incident Management: Set of defined processes to identify, analyze, prioritize, and resolve security incidents
● Types of Vulnerability Assessments
○ Active Assessments
○ Passive Assessments
○ Host-Based Assessments
○ Internal Assessments
○ External Assessments
○ Application Assessments
○ Network Assessments
○ Wireless Network Assessments
● Methodology of Assessment: Acquisition - Identification - Analysis - Evaluation - Reporting
● Penetration Testing: Simulating an attack to find vulnerabilities
○ Blue Team: Detect and mitigate
○ Red Team: Attack with limited access, with or without warning
● Types of Pen Test
○ Black-box (no prior knowledge)
○ White-box (complete knowledge)
○ Grey-box (limited knowledge)
● Many open-source security testing methodologies exist (OWASP, NIST, etc.)

Information Security Laws & Standards
● Payment Card Industry Data Security Standard (PCI-DSS): Payment systems
● Sarbanes-Oxley Act (SOX): Protects investors and the public by increasing the reliability of corporate disclosures
Module 2: Footprinting and Reconnaissance

Sections
1. Footprinting Concepts
2. Footprinting Methodology
3. Footprinting Tools
4. Footprinting Countermeasures
5. Footprinting Penetration Testing

Footprinting Concepts
● Footprinting is the process of collecting as much information as possible about a target network and organization
● Threats enabled by footprinting: social engineering, system and network attacks, information leakage, privacy loss, corporate espionage, business loss

Footprinting Methodology
1. Footprinting through search engines
  a. Google, Netcraft (restricted URLs, determining the OS), SHODAN search engine, Google Maps, Google Finance, etc.
2. Footprinting using advanced Google hacking techniques
  a. Locating specific strings of text within search results using advanced search operators (to find vulnerable targets); Google operators, GHDB
3. Footprinting through social networking sites
  a. Fake identities of co-workers, finding personal information, tracking their groups, etc. (Facebook, Twitter, LinkedIn)
  b. Social engineers depend on the fact that people are unaware
4. Website footprinting
  a. Looking at system information on websites, personal information, examining HTML source comments, web spiders, archive.org, mirroring sites, etc.
5. Email footprinting
  a. Tracking an e-mail can give the recipient's IP address, geolocation, whether and when it was received and read, read duration, proxy detection, links followed, OS and browser information, and whether it was forwarded
6. Competitive intelligence
  a. Identifying, gathering, analyzing, verifying and using information about your competitors from sources such as the Internet (monitoring web traffic, etc.)
  b. Non-interfering and subtle in nature
  c. This method is legal
7. WHOIS footprinting
  a. WHOIS databases are maintained by the regional Internet registries and contain personal information of domain owners
8. DNS footprinting
  a. The attacker gathers DNS information to determine the key hosts in the network
9. Network footprinting
  a. Network range information helps the attacker create a map of the target network
  b. Find the range of IP addresses using an ARIN whois database search
  c. Traceroute programs use the TTL field of the IP header: each probe is sent with an increasing TTL, and the ICMP Time Exceeded message returned when the TTL expires identifies each router on the path to the target host
10. Footprinting through social engineering
  a. The art of exploiting human behaviour to extract confidential information

Footprinting Tools
  a. Maltego, Recon-ng (Web Reconnaissance Framework)

Footprinting Countermeasures
1. Restrict employees' access to social networking sites from the corporate network
2. Configure web servers to avoid information leakage
3. Educate employees to use pseudonyms
4. Limit the amount of information that you publish
5. Use footprinting techniques to discover and remove sensitive information
6. Use anonymous registration services
7. Enforce security policies

Footprinting Penetration Testing
1. Footprinting pen testing is used to determine the organization's publicly available information
2. The tester attempts to gather as much information as possible from the Internet and other publicly accessible sources
3. Define the scope, then use search engines and the footprinting techniques above
4. Report using report templates

Module 3: Scanning Networks

Module Objectives
- Overview of network scanning
- Understanding different techniques to check for live systems
- Understanding different techniques to check for open ports
- Understanding various scanning techniques
- Understanding various IDS evasion techniques
- Understanding banner grabbing
- Overview of vulnerability scanning
- Drawing network diagrams
- Using proxies and anonymizers for attack
- Understanding IP spoofing and various detection techniques
- Overview of scanning pen testing

Overview of Network Scanning
● Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network
● Network scanning is one of the components of intelligence gathering that an attacker uses to create a profile of the target organization
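Returning to the e-mail footprinting step in Module 2 (item 5 of the methodology above): besides tracking a message you send, the other half of the technique is reading the Received: chain of a message the target sent you, which exposes their edge relay and often their internal addressing. The following Python is an added example, not code from these notes. The message, relay names and addresses are constructed (documentation and RFC 1918 ranges); the classification of internal addresses uses only the RFC 1918 ranges plus loopback.

```python
"""Trace the Received: chain of an e-mail back to the originating host.

Added example for the e-mail footprinting step above (not code from the
original notes). The message, relay names and addresses are constructed.
"""
import ipaddress
import re
from email import message_from_string
from typing import Dict, List, Optional

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# RFC 1918 ranges plus loopback: addresses that can only belong to the
# sender's own network, never to a hop on the public Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def received_hops(raw_message: str) -> List[Dict[str, Optional[str]]]:
    """One entry per Received: header, oldest hop first.

    Each relay prepends its own Received: line, so the headers read
    newest-first; reversing them gives the path the message took. The
    'from' clause names the previous hop as the relay saw it; 'by' is the
    relay that wrote the line. Only the 'by' of the last hop (your own MX)
    is fully trustworthy; earlier lines could have been forged by the sender."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())            # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", text)
        m_by = re.search(r"\bby\s+(\S+)", text)
        ips = IPV4.findall(m_from.group(0)) if m_from else []
        hops.append({"from": m_from.group(1) if m_from else None,
                     "from_ip": ips[0] if ips else None,
                     "by": m_by.group(1) if m_by else None})
    return hops


def originating_ip(raw_message: str) -> Optional[str]:
    """First hop whose source is a routable address: the sender's edge relay
    (or the sender itself if it connected directly). Internal hops are skipped
    because a 192.168.x.x address says nothing about where the mail came from."""
    for hop in received_hops(raw_message):
        ip = hop["from_ip"]
        if ip and not is_internal(ip):
            return ip
    return None


def internal_addresses(raw_message: str) -> List[str]:
    """RFC 1918 / loopback addresses leaked by the sender's own relays; they
    reveal internal subnets even though they cannot be reached directly."""
    return [h["from_ip"] for h in received_hops(raw_message)
            if h["from_ip"] and is_internal(h["from_ip"])]


# Constructed message: two hops inside the sender's organisation, then its
# edge MTA hands the message to the recipient's MX.
SAMPLE = """\
Received: from mx-edge.example.net (mx-edge.example.net [203.0.113.10])
\tby inbound.example.org (Postfix) with ESMTPS id 4F3C1
Received: from relay2.corp.example.net (relay2.corp.example.net [10.20.30.5])
\tby mx-edge.example.net (Postfix) with ESMTP id 0A9B2
Received: from [192.168.7.44] (unknown [192.168.7.44])
\tby relay2.corp.example.net (Postfix) with ESMTPSA id 77D1E
From: someone@example.net
To: target@example.org
Subject: quarterly numbers

See attached.
"""

if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE)):
        print(f"hop {i}: from {hop['from']} ({hop['from_ip']}) by {hop['by']}")
    print("originating public IP:", originating_ip(SAMPLE))
    print("leaked internal addresses:", internal_addresses(SAMPLE))
```

The public address is what you would feed to a WHOIS or geolocation lookup (items 7 and 9 of the methodology); the leaked internal addresses and relay host names go straight into the network map. The same parsing works on a .eml exported from any mail client.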
● Types of scanning
  i. Port scanning (lists the open ports and services)
  ii. Network scanning (lists IP addresses)
  iii. Vulnerability scanning (shows the presence of known weaknesses)
● TCP communication flags (control the transmission of data)
  1. URG (urgent): Data contained in the packet should be processed immediately
  2. PSH (push): Send all buffered data immediately
  3. FIN (finish): There will be no more transmissions
  4. ACK (acknowledgement): Acknowledges receipt of a packet
  5. RST (reset): Resets a connection
  6. SYN (synchronize): Initiates a connection between hosts

CEH Scanning Methodology
1. Check for live systems
  a. ICMP scanning: A ping scan sends ICMP ECHO requests to a host; if the host is live it returns an ICMP ECHO reply
  b. Useful for locating active devices and for checking whether ICMP passes through the firewall
  c. A ping sweep determines the live hosts in a range of IP addresses
  d. Attackers calculate subnet masks using subnet mask calculators
  e. Attackers then use the ping sweep to create an inventory of live systems in the subnet
2. Check for open ports
  a. Simple Service Discovery Protocol (SSDP) works in conjunction with UPnP to detect plug-and-play devices on a network; vulnerabilities in UPnP may allow attackers to launch buffer overflow or DoS attacks
  b. Scanning IPv6 networks is computationally less feasible due to the larger search space (128-bit addresses)
  c. Network admins use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime; an attacker uses Nmap to extract live hosts, services, the type of packet filters/firewalls, operating systems and OS versions
  d. Hping2/Hping3: command-line network scanning and packet crafting tools for TCP/IP; used for network security auditing and firewall testing
  e. TCP connect scan: detects an open port by completing the three-way handshake, then tears the connection down with a RST; does not require superuser privileges
  f. Inverse TCP flag scans: the attacker sends probes with FIN, URG and/or PSH set, or with no flags at all (NULL scan). No response means the port is open (or filtered); RST means the port is closed
  g. Xmas scan: a TCP frame with the FIN, URG and PSH flags set; does not work against any current version of Microsoft Windows, which answers RST for every port
  h. ACK flag probe: an ACK packet with a random sequence number; no response means the port is filtered (a stateful firewall is present), RST means the port is not filtered
  i. SYN (half-open) scan: send a SYN (session establishment) packet to the port. The target answers SYN|ACK if the port is open and RST if it is closed. A port is considered open if an application is listening on it (most web servers on 80, mail servers on 25)
  j. IDLE scan: uses a zombie host that assigns IP ID values incrementally. The attacker spoofs the probe from the zombie's address and reads the zombie's IP ID before and after to infer the target's port state, so the scan cannot be traced to the attacker
  k. UDP scanning: there is no three-way handshake. An open UDP port does not answer; a closed port makes the system respond with an ICMP port unreachable message. Spyware, Trojan horses and other applications use UDP ports
  l. There are port scanners for mobile as well
  m. Port scanning countermeasures
    i. Configure firewall and IDS rules to detect and block probes
    ii. Run port scanning tools against your own hosts to confirm the firewall detects port scanning activity
    iii. Ensure the mechanisms used for routing and filtering at the routers and firewalls cannot be bypassed
    iv. Ensure the router, IDS and firewall firmware are updated
    v. Use a custom rule set to lock down the network and block unwanted ports
    vi. Filter all ICMP messages at the firewalls and routers
    vii. Perform TCP and UDP scanning yourself
    viii. Ensure that anti-scanning and anti-spoofing rules are configured
3. Scanning beyond IDS
  1. Evasion techniques: fragmented IP packets, spoofed IP addresses, source routing, connecting through proxy servers
  2. Lower the frequency of packets; split the scan into parts
4. Banner grabbing
  1. The attacker uses banner grabbing to identify network hosts running versions of applications and OSs with known exploits
  2. Banner grabbing, or OS fingerprinting, is the method to determine the operating system running on a remote target system. There are two types:
    i. Active banner grabbing: specially crafted packets are sent to the remote OS, the responses are noted and then compared with a database to determine the OS
    ii. Passive banner grabbing: sniffing network traffic; banner grabbing from error messages and from page extensions (stealthy)
  3. Identifying the OS allows an attacker to figure out the vulnerabilities present on a remote target system
  4. An attacker uses banner grabbing to identify the OS used on the target host and thus determine the system's vulnerabilities
  5. Tools like Netcat read and write data across network connections
  6. Countermeasures for banner grabbing
    i. Display false banners
    ii. Turn off unnecessary services
    iii. Use ServerMask
  7. Hide file extensions from web pages
5. Scan for vulnerabilities
  1. Vulnerability scanning identifies vulnerabilities and weaknesses of a system
  2. Nessus is a vulnerability and configuration assessment product
6. Draw network diagrams
  1. A network diagram helps in analyzing the complete network topology
  2. Drawing the target's network diagram shows the logical or physical path to a potential target, and exposes the network and its architecture to the attacker
7. Prepare proxies
  1. Proxy servers serve as an intermediary for connecting with other computers
    i. Hide the source IP
    ii. Chain multiple proxies to avoid detection
  2. Many hackers use proxies to hide their identity so they cannot be traced; logs record the proxy's address rather than the attacker's
  3. Burp Suite includes an intercepting proxy, which lets you inspect and modify traffic between your browser and the target application. Popular.
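The port scanning countermeasures (item 2.m above) say to configure IDS rules to detect probes, and the IDS evasion note (item 3) says to lower the packet rate to slip past them. The following Python is an added example, not code from these notes, showing both sides: a detector that runs over connection-log lines and flags a vertical scan (many ports on one host) and a horizontal sweep (one port across many hosts) within a sliding window, plus a slow scanner in the constructed data that stays under the threshold. The log format ("epoch src dst dport proto tcp_flags") is a simplification I chose for the example; real firewall logs differ.

```python
"""Flag port-scan behaviour in connection logs.

Added example for the port-scanning countermeasures above (not code from the
original notes). Log lines are constructed in a simplified
"epoch src dst dport proto tcp_flags" format; real firewall logs differ.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

WINDOW_SECONDS = 60
VERTICAL_PORT_THRESHOLD = 15    # distinct ports on one host from one source
HORIZONTAL_HOST_THRESHOLD = 10  # distinct hosts on one port from one source


def parse_line(line: str) -> Tuple[int, str, str, int, str, str]:
    ts, src, dst, dport, proto, flags = line.split()
    return int(ts), src, dst, int(dport), proto, flags


def is_probe(proto: str, flags: str) -> bool:
    """Only connection attempts count: a bare SYN (no ACK) or any UDP datagram.
    Established traffic (ACK set) is what a busy client generates legitimately."""
    return proto == "udp" or (proto == "tcp" and "S" in flags and "A" not in flags)


def detect_scans(lines: List[str]) -> Dict[str, List[str]]:
    """Return {source: [alerts]} for two signatures, each evaluated over a
    sliding WINDOW_SECONDS window per source:
      vertical scan    - many distinct ports on a single host
      horizontal sweep - one port across many hosts"""
    events: Dict[str, List[Tuple[int, str, int]]] = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, proto, flags = parse_line(line)
        if is_probe(proto, flags):
            events[src].append((ts, dst, dport))

    findings: Dict[str, List[str]] = {}
    for src, evs in events.items():
        evs.sort()
        vertical: Dict[str, int] = defaultdict(int)    # dst -> max distinct ports in a window
        horizontal: Dict[int, int] = defaultdict(int)  # dport -> max distinct hosts in a window
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > WINDOW_SECONDS:
                lo += 1                                 # slide the window forward
            ports_per_host: Dict[str, set] = defaultdict(set)
            hosts_per_port: Dict[int, set] = defaultdict(set)
            for _, dst, dport in evs[lo:hi + 1]:
                ports_per_host[dst].add(dport)
                hosts_per_port[dport].add(dst)
            for dst, ports in ports_per_host.items():
                vertical[dst] = max(vertical[dst], len(ports))
            for dport, hosts in hosts_per_port.items():
                horizontal[dport] = max(horizontal[dport], len(hosts))
        alerts = [f"vertical scan of {dst}: {n} ports"
                  for dst, n in vertical.items() if n >= VERTICAL_PORT_THRESHOLD]
        alerts += [f"horizontal sweep on port {p}: {n} hosts"
                   for p, n in horizontal.items() if n >= HORIZONTAL_HOST_THRESHOLD]
        if alerts:
            findings[src] = alerts
    return findings


def constructed_log() -> List[str]:
    """Four sources: a vertical scanner, a horizontal sweeper, a busy but
    legitimate client, and a slow scanner that stays under the window threshold."""
    lines = []
    for i, port in enumerate(range(20, 40)):                 # 20 ports in 10 s
        lines.append(f"{1000 + i // 2} 198.51.100.7 10.0.0.5 {port} tcp S")
    for i in range(12):                                      # port 445 on 12 hosts in 6 s
        lines.append(f"{2000 + i // 2} 198.51.100.8 10.0.0.{i + 1} 445 tcp S")
    for i in range(30):                                      # established web traffic
        lines.append(f"{3000 + i} 10.0.0.20 10.0.0.5 443 tcp A")
    for i in range(20):                                      # one port every 30 s
        lines.append(f"{4000 + 30 * i} 198.51.100.9 10.0.0.6 {100 + i} tcp S")
    return lines


SAMPLE_LOG = constructed_log()

if __name__ == "__main__":
    for src, alerts in detect_scans(SAMPLE_LOG).items():
        for alert in alerts:
            print(f"{src}: {alert}")
```

The slow scanner (198.51.100.9) touches 20 ports but never more than three inside any 60-second window, which is exactly what Nmap's -T0/-T1 templates rely on; catching it needs a longer window or per-source state that survives across windows, at the cost of more memory and more false positives from legitimate bursty clients.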
4. Anonymizers removes all identifying information from a user’s computer Enumeration Concepts
while user surfs internet
5. Tails is a live operating system, that user can start on any computer from
● In the enumeration phase, attacker creates active connections to system and performs
a DVD, USB stick, or SD card
directed queries to gain more
6. Can use HPING2 to IPSpoof
7. IP spoofing counter measures
information. Uses this information to identify system attack points and perform password
attacks ○ Conducted in an intranet environment
Grabbing

 ● Techniques for Enumeration


i. Encrypt all network traffic
ii. Use multiple firewalls o ○ Extract user names using email IDs
iii. Do not rely on IP-based authentication o ○ Extract user names using SNMP
iv. Use random initial sequence number o ○ Extract user groups from windows
v. Ingress filtering: use routers and firewalls at network perimeter to filter incoming o ○ Extract information using the default passwords
packets that appear to come from an internal IP address
vi. Egress filtering: Filter all outgoing packets with an invalid local IP address as source
o ○ Brute force active directions
address o ○ Extract information using DNS Zone Transfer
 ● Popular Ports to Enumerate
8. Scanning Pen Testing
o ○ TCP/UDP 53 - DNS Zone Transfer
o ○ TCP/UDP 135 - Microsoft EPC Endpoint Manager
o ○ UDP 137 - NetBIOS Name Service (NBNS)
1. Pen testing a network determines the network's security posture by identifying live
systems, discovering open ports, associating services and grabbing system o ○ TCP 139 - SMB over NetBIOS
banners to simulate a network hacking attempt o ○ TCP/UDP 445 - SMB over TCP (direct host)
2. Here’s how to conduct a pen-test of a target network o ○ UDP 161 - Simple Network Management Protocol (SNMP)
i. Host Discovery: detect live hosts on the target network. It is difficult to o ○ TCP/UDP 389 - Lightweight Directory Access Protocol (LDAP)
detect live hosts behind a
o ○ TCP/UDP 3268 - Global Catalog Service
o ○ TCP 25 - Simple Mail Transfer Protocol (SMTP)
firewall (Nmap, Angry IP scanner, colasoft)
o ○ TCP/UDP 162 - SNMP Trap
ii. Port Scanning: Check for open ports (Nmap, Netscan)
iii. Banner Grabbing or OS fingerprinting: determine the OS running on the NetBIOS Enumeration
target host
iv. Scan the network for vulnerabilities (nessus)  ● NetBIOS name is a unique 16 ASCII string used to identify the network devices
v. Draw Network Diagrams that help you understand the logical connection (15 of it are device name, 16 is reserved for service or name record type)
vi. Prepare Proxies: Hides yourself from detection  ● Nbtstat utility displays NetBIOS over TCP/IP protocol statistics, NetBIOS name
vii. Document all findings tables/cache
 ● Net View utility is used to obtain a list of all the shared resources of remote
Module 4: Enumeration hosts or workgroup

Module Objectives

 - Understanding Enumeration Concepts


 - Understanding different techniques for NetBIOS enumeration
 - Understanding Different Techniques for SNMP enumeration
 - Understanding different techniques for LDAP enumeration
 - Understanding different techniques for NTP enumeration
 - Understanding different techniques for SMTP and DNS Enumeration
 - Enumeration countermeasures
 - Overview of enumeration pen testing
 ● Network Time Protocol (NTP) is designed to synchronize clocks of networked
computers
 ● Uses UDP port 123
 ● Can use it to find important information on a network
 ● Can use Nmap, Wireshark

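Detection view of the enumeration ports listed above, as an added example that is not part of the original notes: a Python script parses constructed iptables-style firewall log lines and flags any source address that touches several of the "Popular Ports to Enumerate" in one log window. The log format, the IP addresses and the threshold of three distinct ports are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Ports from the "Popular Ports to Enumerate" list in these notes
ENUM_PORTS = {
    25: "SMTP", 53: "DNS", 135: "MS RPC endpoint mapper",
    137: "NetBIOS name service", 139: "SMB over NetBIOS", 161: "SNMP",
    162: "SNMP trap", 389: "LDAP", 445: "SMB direct host", 3268: "Global Catalog",
}

# Constructed iptables-style log lines for the demo; not captured from a real network
SAMPLE_LOG = """\
Jan 10 09:01:02 fw kernel: IN=eth0 SRC=10.0.0.77 DST=10.0.0.5 PROTO=UDP SPT=40001 DPT=137
Jan 10 09:01:02 fw kernel: IN=eth0 SRC=10.0.0.77 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=139
Jan 10 09:01:03 fw kernel: IN=eth0 SRC=10.0.0.77 DST=10.0.0.5 PROTO=TCP SPT=40003 DPT=445
Jan 10 09:01:03 fw kernel: IN=eth0 SRC=10.0.0.77 DST=10.0.0.5 PROTO=UDP SPT=40004 DPT=161
Jan 10 09:01:04 fw kernel: IN=eth0 SRC=10.0.0.77 DST=10.0.0.6 PROTO=TCP SPT=40005 DPT=389
Jan 10 09:01:04 fw kernel: IN=eth0 SRC=10.0.0.77 DST=10.0.0.6 PROTO=TCP SPT=40006 DPT=445
Jan 10 09:02:10 fw kernel: IN=eth0 SRC=10.0.0.12 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=443
Jan 10 09:02:11 fw kernel: IN=eth0 SRC=10.0.0.12 DST=10.0.0.9 PROTO=UDP SPT=51001 DPT=53
Jan 10 09:03:00 fw kernel: IN=eth0 SRC=10.0.0.99 DST=10.0.0.7 PROTO=TCP SPT=33000 DPT=25
Jan 10 09:03:01 fw kernel: IN=eth0 SRC=10.0.0.99 DST=10.0.0.9 PROTO=TCP SPT=33001 DPT=53
this line is not a firewall record and is skipped by the parser
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a firewall record, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def enumeration_suspects(log_text, min_ports=3):
    """Map each source IP to the sorted distinct enumeration ports it touched,
    keeping only sources that hit at least min_ports of them."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, _dst, _proto, dport = rec
        if dport in ENUM_PORTS:          # ignore ports outside the enumeration list
            touched[src].add(dport)
    return {src: sorted(ports) for src, ports in touched.items() if len(ports) >= min_ports}


def describe(suspects):
    """Human-readable port/service labels for an alert."""
    return {src: [f"{p}/{ENUM_PORTS[p]}" for p in ports] for src, ports in suspects.items()}


if __name__ == "__main__":
    for src, ports in describe(enumeration_suspects(SAMPLE_LOG)).items():
        print(f"{src} touched enumeration ports: {', '.join(ports)}")
```

With the sample data only 10.0.0.77 is reported (five distinct enumeration ports); 10.0.0.12 and 10.0.0.99 touch one and two ports respectively, which is normal client behaviour. Lower min_ports on a quiet segment, or add a time window, to tune the trade-off between noise and missed slow scans.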
SMTP and DNS Enumeration
● SMTP has 3 built-in commands
  ○ VRFY - validates users
  ○ EXPN - tells the actual delivery addresses of aliases and mailing lists
  ○ RCPT TO - defines the recipients of the message
● SMTP servers respond differently to these commands
● Attackers can directly interact with SMTP via the telnet prompt and collect a list of valid users on the SMTP server

SNMP Enumeration (Simple Network Management Protocol enumeration)
● SNMP enumeration is the process of enumerating user accounts and devices on a target system using SNMP
● SNMP consists of a manager and agents. Agents are embedded on every network device; the manager is installed on a separate computer
● SNMP has two passwords
  ○ Attacker uses default community strings to extract info
  ○ Uses them to extract information about network resources such as hosts, routers, devices, shares
● Management Information Base (MIB)
  ○ The MIB is a virtual database containing a formal description of all the network objects managed using SNMP
● Remember the OneSixtyOne application, used for scanning SNMP port 161

LDAP Enumeration
● LDAP is an internet protocol for accessing distributed directory services
● Attacker queries the LDAP service to gather information such as valid user names, addresses, departmental details, etc.

Enumeration Countermeasures
● SNMP countermeasures
  ○ Remove the SNMP agent or turn off the SNMP service (block 161)
  ○ Change the default community string name
  ○ Upgrade to SNMPv3, which encrypts passwords/messages
  ○ Implement the additional security option called "additional restrictions for anonymous connections"
  ○ Ensure that access to null session pipes, null session shares, and IPsec filtering is restricted
● DNS countermeasures
  ○ Disable DNS zone transfers to untrusted hosts
  ○ Make sure private hosts and their IP addresses are not published in the DNS zone files of the public DNS server
  ○ Use premium DNS registration services to hide sensitive information
  ○ Use standard network admin contacts for DNS registrations in order to avoid social engineering attacks
● SMTP countermeasures
  ○ Ignore email messages to unknown recipients
  ○ Disable open relay features
  ○ Do not include sensitive mail server and local host information in mail responses
● LDAP countermeasures
  ○ Restrict access to Active Directory by using software such as Citrix
  ○ Enable account lockout
  ○ Use SSL technology for LDAP traffic
● Enumeration Pen Testing
  ○ Used to identify valid user accounts or poorly protected resource shares
  ○ Information can be users and groups, network resources
  ○ Used in combination with data collected in the reconnaissance phase
  ○ Steps in Enumeration Pen Testing
    ■ Find the network range
    ■ Calculate the subnet mask
    ■ Undergo host discovery
    ■ Perform port scanning
    ■ Perform NetBIOS enumeration
    ■ Perform SNMP enumeration
    ■ Perform LDAP enumeration
    ■ Perform NTP enumeration
    ■ Perform SMTP enumeration
    ■ Perform DNS enumeration
    ■ Document all findings

Module 5: System Hacking
Module Objectives
 - Overview of CEH hacking Methodology
 - Understanding Techniques to gain access to the system
 - Understanding privilege escalation techniques
 - Understanding Techniques to create and maintain remote access to the system
 - Overview of different types of rootkits
 - Overview of steganography and steganalysis techniques
 - Understanding Techniques to hide the evidence on compromise
 - Overview of system hacking penetration testing

System hacking is one of the most important and sometimes the ultimate goal of an attacker.

Information at hand before the system hacking stage
1. Footprinting: IP range, namespace, employees
2. Scanning module: target assessment, identified systems, identified services
3. Enumeration: intrusive probing, user lists, security flaws

System Hacking Goals:
1. Gaining Access - password cracking, social engineering
2. Escalating Privileges (get other passwords) - exploiting known system vulnerabilities
3. Executing Applications (backdoors) - trojans, spyware, backdoors, keyloggers
4. Hiding Files - rootkits, steganography
5. Covering Tracks - clearing logs

Cracking Passwords
● Password cracking techniques are used to recover passwords from computer systems
● Attackers use password cracking techniques to gain unauthorized access
● Most cracks are successful due to guessable passwords
● Types of password attacks
  ○ Non-electronic attacks: the attacker does not need technical knowledge to crack the password (looking at keyboard/screen, convincing people, trash bins, etc.)
  ○ Active Online Attacks: the attacker performs cracking by directly communicating with the victim machine (dictionary, brute force, rule based - some info known)
  ○ Passive Online Attacks: performs cracking without communicating with the party
  ○ Offline Attack: the attacker copies the password file and tries to crack it
● Default passwords are set by the manufacturer
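Added example, not from the original notes: Python showing why the offline attack listed above works against unsalted hashes (a table of hashes computed once is reused against every stolen hash, which is the idea behind the rainbow tables this module also covers) and why per-user salting, here combined with PBKDF2, makes that table useless. The word list and the "stolen" hashes are constructed for the demo; SHA-1 stands in for whatever fast unsalted hash a weak system might use.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a dictionary file; not a real breach list
WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2019"]


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash: identical passwords always give identical digests,
    so one precomputed table serves every stolen hash on every system."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_precomputed_table(wordlist):
    """digest -> plaintext for each candidate, computed once up front."""
    return {unsalted_hash(w): w for w in wordlist}


def lookup_unsalted(stolen_hashes, table):
    """Recover every stolen unsalted digest that appears in the table (no hashing needed)."""
    return {h: table[h] for h in stolen_hashes if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-user salt and a work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str):
    """What the system stores: (random per-user salt, digest). The salt is not secret."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, record) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    salt, digest = record
    return hmac.compare_digest(salted_hash(password, salt), digest)


def table_hits(records, table) -> int:
    """Count stored salted digests that appear in the unsalted table.
    The random salt changes every digest, so this is always 0: an attacker
    has to redo the PBKDF2 work per candidate per user instead of one lookup."""
    return sum(1 for _salt, digest in records if digest.hex() in table)


if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    stolen = [unsalted_hash("letmein"), unsalted_hash("correct horse battery staple")]
    print("unsalted recovered:", lookup_unsalted(stolen, table))
    records = [make_record("letmein"), make_record("letmein")]
    print("same password, different digests:", records[0][1] != records[1][1])
    print("table hits against salted records:", table_hits(records, table))
```

The two records for "letmein" differ because each has its own salt, which is exactly what stops a shared precomputed table; the iteration count then sets the cost of every remaining guess.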
● Trojans can collect usernames and passwords and send them to the attacker; they run in the background
● Can use a USB drive for a physical approach
● Hash Injection Attack: the attacker injects a compromised hash into a local session, then uses it to validate to network resources. Finds and extracts a logged-on domain admin account hash
● Passive Online Attack: Wire Sniffing
  ○ Packet sniffer tools on the LAN
  ○ Captured data may include sensitive information such as passwords
  ○ Sniffed credentials are used to gain unauthorized access
● Rainbow table attack
  ○ Precomputed table which contains word lists like dictionary files, brute force lists, and their hash values
  ○ Compare the hashes
  ○ Easy to recover passwords by comparing captured password hashes to the precomputed tables
● Offline Attack: Distributed Network Attack (DNA)
  ○ A DNA technique is used for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network to decrypt passwords
● Microsoft Authentication
  ○ Windows stores passwords in the Security Accounts Manager (SAM) database, or in the Active Directory database in domains. They are hashed.
  ○ NTLM Authentication
    ■ NTLM authentication protocol types
    ■ LM authentication protocol
    ■ These protocols store the user's password in the SAM database using different hashing methods
  ○ Kerberos Authentication
    ■ Microsoft has upgraded its default authentication protocol
● Password Salting
  ○ Random strings of characters are added to the password before calculating their hashes
  ○ Advantage: salting makes it more difficult to reverse hashes
● Use password crackers like L0phtCrack, Cain & Abel, RainbowCrack
● Enable SYSKEY with a strong password to encrypt and protect the SAM database

Escalating Privileges
● An attacker can gain access to the network using a non-admin user account; the next step is to gain admin privileges
● Privilege Escalation Using DLL Hijacking
  ○ If attackers place a malicious DLL in the application directory, it will be executed in place of the real DLL
● Resetting passwords using the command prompt
  ○ An admin can reset passwords while logged in as an administrator
● Countermeasures: restrict interactive login privileges, use a least privilege policy, implement multi-factor authentication, run services as unprivileged accounts, patch systems regularly, use encryption techniques, reduce the amount of code, perform debugging

Executing Applications
● Attackers execute malicious programs remotely on the victim's machine to gather information
  ○ Backdoors
  ○ Crackers
  ○ Keyloggers
  ○ Spyware
● Software like RemoteExec can remotely install software and execute programs/scripts
● There are hardware and software keystroke loggers (USB vs. app)
● Spyware
  ○ Records the user's interaction
  ○ Hides its process
  ○ Hidden component of a freeware program
  ○ Gathers info about the victim or organization
● GPS spyware also exists
● Countermeasures for Keyloggers
  ○ Pop-up blocker
  ○ Anti-spyware/antivirus
  ○ Firewall software
  ○ Anti-keylogging software
  ○ Recognize phishing emails and delete them
  ○ Choose new passwords for different online accounts
  ○ Avoid opening junk emails
● There are anti-keyloggers out there

Rootkits
● Rootkits are programs that hide their presence and an attacker's malicious activities, granting them full access to the server or host at the time or in the future
  ○ A typical rootkit has backdoor programs, DDoS programs, packet sniffers, log-wiping utilities, IRC bots, etc.
● 6 Types of Rootkits
  ○ Hypervisor Level Rootkit: acts as a hypervisor and modifies the boot sequence of the computer to load the host OS as a virtual machine
  ○ Boot Loader Level Rootkit: replaces the original boot loader with one controlled by the attacker
  ○ Hardware/Firmware Rootkit: hides in hardware devices or platform firmware which is not inspected for code integrity
  ○ Application Level Rootkit: replaces regular application binaries with fake trojans, or modifies the behavior of existing applications
  ○ Kernel Level Rootkit: adds malicious code or replaces original OS kernel and device driver code
  ○ Library Level Rootkit: replaces original system calls with fake ones to hide information about the attacker
● Detecting
  ○ Integrity-based detection: compares a snapshot of the filesystem, boot records, or memory
  ○ Signature-based detection: compares characteristics of all system processes and executable files with a database of known rootkit fingerprints
  ○ Heuristic/behavior-based detection: any deviations in the system's normal activity
  ○ Runtime execution path profiling: compares runtime execution paths of all system processes before and after rootkit infection
  ○ Cross view-based detection: enumerates key elements in the computer system such as system files, processes, and registry keys and compares them to an algorithm used to generate a similar data set that does not rely on common APIs
● NTFS Data Stream
  ○ An NTFS alternate data stream (ADS) is a Windows hidden stream which contains metadata for the file such as attributes, word count, author name, access and modification time of files
  ○ Using NTFS streams, an attacker can almost completely hide files within the system
  ○ You can hide a file inside another file (a trojan in a readme.txt)
  ○ Countermeasure: use a third-party file integrity checker
● Steganography
  ○ Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination
  ○ Utilizing a graphic image as a cover is the most popular method to conceal data in files
  ○ Attackers can use steganography to hide messages such as a list of compromised servers, source code for hacking tools, plans for future attacks, etc.
  ○ Technical Steganography: invisible ink/microdots, physical methods to hide
  ○ Linguistic Steganography: type that hides the message in another file
    ■ Semagrams: use of symbols to hide information
  ○ Least Significant Bit insertion: the rightmost bit of a pixel is called the LSB
  ○ Masking and Filtering: the masking technique hides data similar to watermarks on actual paper. Can be detected with simple statistical analysis. Mostly in grayscale images.
  ○ Algorithms and Transformation
    ■ Hide data in mathematical functions used in compression algorithms
    ■ Data is embedded by changing the coefficients of a transform of an image
  ○ Audio steganography - information hidden in frequency
● Steganalysis
  ○ Art of discovering and rendering covert messages using steganography. It attacks steganography efforts

Covering Tracks
● Techniques used for covering tracks
  ○ Disable auditing: disabling the audit features of the target system
  ○ Clearing logs: the attacker clears/deletes the system log entries for their activities
  ○ Manipulating logs: manipulates logs in a way that they won't be caught in legal actions
● If the system is exploited with Metasploit, the attacker uses the Meterpreter shell to wipe logs

Penetration Testing
● Password Cracking
● Privilege Escalation
● Execute Applications
● Hiding Files
● Covering Tracks

Module 6: Malware Threats

Module Objectives
 - Introduction to Malware and Malware propagation techniques
 - Overview of Trojans, their types, how to infect systems
 - Overview of Viruses, their types, and how they infect files
 - Introduction to the Computer Worm
 - Understanding the Malware Analysis process
 - Understanding different techniques to detect malware
 - Malware countermeasures
 - Overview of Malware penetration testing

Introduction to Malware
● Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to the attacker for the purpose of theft or fraud
● Examples of Malware: Trojan Horse, Backdoor, Rootkit, Ransomware, Adware, Virus, Worms, Spyware, Botnet, Crypter
● Common techniques attackers use to distribute malware: Blackhat SEO, Social Engineered Clickjacking, Spear Phishing sites, Malvertising, Compromised legitimate websites, Drive-by downloads on browser vulnerabilities

Trojan Concepts
● A trojan is a program in which malicious or harmful code is contained inside an apparently harmless program, in such a way that it can get control and cause damage, such as ruining the file allocation table on your hard disk
● Trojans get activated upon the user's certain predefined actions, and conduct abnormal activities on the system
● When a trojan is installed, the attacker can basically do anything to your computer
● Attackers use crypters to hide viruses, spyware, keyloggers to make them undetectable by antivirus
● Attackers can deploy a trojan by creating a malicious link/email attachment
● Exploit kit: platform to deliver exploits and payloads such as trojans, backdoors, bots, buffer overflow scripts, etc.
● Evading Anti-Virus Techniques:
  ○ Break the trojan file into multiple pieces and zip them as a single file
  ○ ALWAYS write your own Trojan, and embed it into an application
  ○ Change the Trojan's syntax
    ■ Convert EXE to VB script
  ○ Change the content of the Trojan using a hex editor and also change the checksum and encrypt the file
  ○ Never use trojans downloaded from the web (antivirus can detect these easily)
● Command shell trojans give remote control of a command shell

● How to infect systems using a trojan
  ○ Create a new trojan packet using a trojan horse construction kit
  ○ Create a dropper, which is the part of a trojanized packet that installs the malicious code on the target system
● A wrapper binds a trojan executable with an innocent-looking .EXE application such as games or office applications. When the EXE is executed, it first installs the trojan in the background.
● The trojan server is installed on the victim's machine, which opens a port for the attacker to connect
● Defacement Trojans: can destroy or change the entire content present in a database. Much more dangerous when attackers target websites
● Botnet Trojans: infect a large number of computers to create a network of bots (Chewbacca)
● Proxy Server Trojans: convert the user's computer into a proxy server, thus making it accessible to specific attackers
● VNC Trojan: starts a VNC server daemon in the infected systems. The attacker can connect to the victim using any VNC viewer
● HTTP/HTTPS Trojans: bypass the firewall, spawn a child program, and the child program appears to be a user to the firewall
● ICMP Tunneling
  ○ Covert channels are methods in which an attacker can hide the data in a protocol that is undetectable
  ○ They rely on techniques called tunneling, which allow one protocol to be carried over another protocol. Very stealthy
● Remote Access Trojans: provide attackers with full control over the victim's system
● E-Banking Trojans: intercept a victim's account information before it is encrypted
  ○ Steals the victim's data such as credit card information
● Notification Trojans: send the location of the victim's IP address to the attacker
● Whenever the victim's computer connects to the internet, the attacker receives the notification

Viruses and Worm Concepts
● Virus: a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document
● Transmitted through downloads, infected flash drives, email attachments
● Stages of Virus Life
  ○ Design: creating the virus
  ○ Replication: replicating the virus on the target system
  ○ Launch: launching/running the virus (.exe file)
  ○ Detection: the target system identifies the virus
  ○ Incorporation: anti-virus software updates
  ○ Elimination: users install the anti-virus update to eliminate the virus
● Indications of a virus attack: abnormal activities (slow, anti-virus alerts, folders missing, etc.)
● There are many fake anti-viruses that are actually viruses
● Ransomware restricts computer files until a sum is paid
● Boot Sector Viruses: move the MBR to another location on the hard disk
● File Virus: infects files which are executed or interpreted on the system such as COM, EXE, SYS, OVL, OBJ, MNU and BAT files
● Multipartite Virus: infects the system boot sector and the executable files at the same time (hybrid, top 2 combined)
● Macro Viruses: infect files created by Microsoft Word or Excel. Most of these are written in the macro language Visual Basic for Applications (VBA)
  ○ Infect templates, convert infected documents into template files
● Cluster Viruses: modify directory table contents so that they point users or system processes to the virus code instead of the actual program
  ○ There is only one copy of the virus on the disk infecting all the programs in the computer system
  ○ Will launch itself first when any program on the computer system is started
● Stealth/Tunneling Virus: evades anti-virus software by intercepting its requests to the operating system
  ○ The virus can return an uninfected version of the file to the anti-virus software, so it appears as if the file is "clean"
● Encryption Viruses: use simple encryption to encipher the code. The virus is encrypted with a different key for each infected file. AV scanners cannot directly detect these types of viruses using signature detection methods
● Polymorphic Code: code that mutates while keeping the original algorithm intact. Well-written polymorphic code has no parts that stay the same on each infection
● Metamorphic Viruses: rewrite themselves completely each time they are to infect a new executable
  ○ Can reprogram themselves by translating their own code into a temporary representation and then back to the normal code again
● File Overwriting or Cavity Virus: overwrites a part of the host file that is constant (usually nulls), without increasing the length of the file and preserving its functionality
● Sparse Infector Viruses: infect only occasionally, or only files whose length falls within a narrow range. By infecting less often, they try to minimize the probability of being discovered
● Companion/Camouflage Viruses: create a companion file for each executable file the virus infects. Therefore, a companion virus may save itself as notepad.com and every time the user executes notepad.exe (good program), the computer will load the virus notepad.com and infect
● Shell Viruses: the virus code forms a shell around the target host program's code, making itself the original program and the host code its sub-routine. Almost all boot programs are shell viruses
● File Extension Viruses: change the extensions of files. E.g. .TXT is a safe file. The virus file is BAD.TXT.VBS but will only show up as bad.txt. When opened, a script executes.
● Add-on Virus: adds its code to the host code without making any changes to the latter, or relocates the host code to insert its own code at the beginning
● Intrusive Viruses: overwrite the host code partly or completely with the viral code
● Transient/Direct Action Virus: transfers all the controls of the host code to where it resides in memory. The virus runs when the host code is run and terminates itself or exits memory as soon as host code execution ends
● Terminate and Stay Resident Virus: remains permanently in memory during the entire work session even after the host program is executed and terminated. Removed only by rebooting the system.
● Computer Worms: malicious programs that replicate, execute, and spread across network connections independently without human interaction. Most are created only to replicate and spread, but some have payloads
  ○ Attackers use payloads to install backdoors which turn infected machines into zombies for a botnet
  ○ A worm is a special type of malware that can replicate itself and use memory, but cannot attach itself to other programs
  ○ A worm takes advantage of file or information transport features on a computer and spreads through the infected network

Malware Reverse Engineering
● Sheep Dipping refers to the analysis of suspect files and incoming messages for malware
  ○ A sheep dip computer is installed with port monitors, file monitors, network monitors and antivirus software and connects to a network only under strictly controlled conditions
● Anti-Virus Sensor Systems: collection of computer software that detects and analyzes malicious code threats
● Malware Analysis Procedure:
  ○ Perform static analysis when the malware is inactive
  ○ Collect info on string values found in the binary with tools
  ○ Set up the network connection and check there are no errors
  ○ Run the virus and monitor the process actions and system information with the help of Process Monitor/Process Explorer
  ○ Record network traffic information using monitoring tools (TCPView, NetResident)
  ○ Determine the files added, processes spawned, and changes to the registry with tools
  ○ Collect service requests and DNS table information, attempts for incoming and outgoing connections, using tools

Malware Detection
● Trojans open unused ports in the victim's machine to connect back to trojan handlers
● Look for connections established to unknown or suspicious IP addresses
  ○ You can use a port monitoring tool
● Scanning for Suspicious Processes
  ○ Trojans camouflage themselves as genuine Windows services
  ○ Some trojans use Portable Executable injection to inject into various processes
  ○ Processes are visible but may look like legitimate processes, which helps bypass desktop firewalls
  ○ Trojans can also use rootkit methods to hide their processes
  ○ Use process monitoring tools to detect hidden trojans and backdoors
● Trojans are installed along with device drivers downloaded from untrusted sources
  ○ Scan suspicious drivers and verify they are genuine and downloaded from the publisher's original site
● Trojans normally modify the system's files and folders. Use these tools to detect changes
  ○ SIGVERIF: checks the integrity of critical files digitally signed by Microsoft
  ○ FCIV: computes MD5 or SHA-1 cryptographic hashes for files
  ○ TRIPWIRE: system integrity verifier that scans and reports critical system files for changes
● Scanning for suspicious network activities
  ○ Trojans connect back to handlers and send confidential info to attackers
  ○ Use network scanners
● Virus Detection Methods
  ○ The anti-virus executes the malicious code to simulate it. Effective for dealing with encrypted and polymorphic viruses
  ○ Heuristic Analysis: can be static or dynamic. In static, the anti-virus analyzes the file format and code structure to determine if code is viral. In dynamic, the AV performs code emulation

Countermeasures
● Trojan countermeasures
  ○ Avoid opening email attachments from unknown senders
  ○ Block unnecessary ports
  ○ Avoid accepting programs transferred by instant messaging
  ○ Harden weak default configs and unused functionality including protocols/services
  ○ Monitor internal network traffic for odd ports
  ○ Avoid downloading and executing apps from untrusted sources
  ○ Install security updates
  ○ Scan CDs and DVDs with antivirus software
  ○ Restrict permissions within the desktop environment
  ○ Manage local workstation file integrity
  ○ Run host-based antivirus
● Backdoor countermeasures
  ○ Anti-viruses
  ○ Educate users not to download from untrusted sites
● Anti-malware software: Norton, McAfee, Nessus etc.

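For the file-integrity checks these notes mention (FCIV and Tripwire under Malware Detection above, the third-party integrity checker against NTFS streams and integrity-based rootkit detection in Module 5), an added Python example that is not part of the original notes: a baseline of SHA-256 hashes is built for a directory tree, the tree is tampered with, and the comparison reports added, removed and modified files. The directory layout and file names are constructed in a temporary folder for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream the file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Relative path (always '/'-separated) -> SHA-256 for every regular file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way a Tripwire-style checker reports them."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build a constructed file tree, baseline it, tamper with it, and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"original service binary")
        (root / "bin" / "helper.dll").write_bytes(b"helper library")
        (root / "etc" / "old.conf").write_text("keep=1\n")
        baseline = build_baseline(root)

        # Simulated tampering: one binary replaced, one unexpected file dropped in, one file removed
        (root / "bin" / "svc.exe").write_bytes(b"original service binary plus extra bytes")
        (root / "bin" / "new-tool.exe").write_bytes(b"unexpected new file")
        (root / "etc" / "old.conf").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline must be stored where the monitored host cannot rewrite it (off-host or signed), and the comparison should run from trusted media, since a kernel-level rootkit on the host can feed the checker clean file contents.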
Module 7: Sniffing

Objectives: Overview of sniffing concepts, understanding MAC attacks, Understanding DHCP


attacks, understanding ARP poisoning, Understanding MAC spoofing attacks, Understanding
● Trojan ○ ○ ○ ○ ○ ○ ○ ○ ○ ○ ○
DNS poisoning, Sniffing tools, Sniffing countermeasures, Understanding various techniques MAC Attacks
to detect sniffing, overview of sniffing pen testing
● Each switch has a fixed size dynamic content addressable memory (CAM table)
Sniffing Concepts

 ● Sniffing is a process of monitoring and capturing all data packets passing


through a given network using sniffing tools

(form of wire tap)

o ○ Many enterprises switch ports are open


o ○ Anyone in same physical location can plug into network with ethernet
 ● How a sniffer works

○ Sniffer turns on the NIC of a system to the promiscuous mode that it listens to all the data
transmitted on its

segment

 ● Each computer has a MAC address and an IP address


 ● Passive sniffing means through a hub (involves sending no packets), on a hub
traffic is sent to all ports

○ Most modern networks use switches

 ● Active Sniffing: Searches for traffic on a switched LAN by actively injecting


traffic into the LAN. Involves injecting address resolution packets (ARP) into the
network
 ● Protocols vulnerable to sniffing:

○ HTTP, Telnet and Rlogin, POP, IMAP, SMTP and NNTP

 ● Sniffers operate at the Data Link layer of the OSI model


 ● Hardware Protocol Analyzer: equipment that captures signals without altering
the traffic in a cable segment

○ Can be used to monitor traffic. Allows attacker to see individual data bytes

 ● Span Port: A port which is configured to receive a copy of every packet that
passing through a switch
 ● Wiretapping: Process of monitoring telephone and internet convo’s by third
party
o ○ Via connecting a listening device (hardware or software) to the circuit
o ○ Active Wiretapping: Monitors, records, and injects something into the
communication or traffic
o ○ Passive Wiretapping: It only monitors and records the traffic and gain
knowledge of the data it contains
o ○ Lawful interception: legally intercepting data communication
○ CAM table stores information such as MAC address available on physical ports
● If CAM table is flooded with more MAC address it can hold, then the switch turns into a
HUB

○ Attackers exploit this

 ● Switch Port Stealing: uses mac flooding to sniff the packets


 ● How to defend against MAC attacks: use a port security to restrict inbound
traffic from only a selected set of mac

addresses and limit MAC flooding attacks

DHCP Attacks

 ● DHCP servers maintain TCP/IP configuration information (provides leases)


 ● DHCP starvation attack: attacker broadcasts forged DHCP requests and tries to
lease all DHCP addresses available in

the DHCP scope

○ As a result, legitimate user is unable to obtain or renew an IP address

 ● Rogue DHCP: rogue DHCP server in network and responds to DHCP requests
with bogus IP addresses
 ● How to defend against DHCP starvation and Rogue Server Attack: Enable port
security for DHCP starvation, and enable
DHCP snooping that allows switch to accept DHCP transactions from a trusted port o ○ Results in substitution of a false IP address
ARP Poisoning o ○ Attacker can create fake DNS entries
 ● Intranet DNS spoofing: must be connected to LAN and able to sniff. Works well
o ● Address Resolution Protocol (ARP) is a stateless protocol used for against switches with ARP poisoning the
resolving IP address to machine (MAC) addresses
o ● All network devices broadcasts ARP queries in the network to find router.
machine’s MAC address
o ● When one machine needs to communicate with another, it looks up to
○ Intranet DNS spoofing attacker infects machine with trojan and changes DNS IP to that of
the ARP table. If it’s not there, the ARP_REQUEST attacker

is broadcasted over the network  ● Proxy Server DNS poisoning: attacker sends a trojan to machine that changes
hosts proxy server settings in internet explorer to that of the attacker’s and
o ● ARP packets can be forged redirect to fake website
 ● DNS Cache Poisoning: Refers to altering or adding forged DNS records into DNS
o ● ARP spoofing involves constructing large number of forged ARP
resolver cache so that a DNS query is redirected to a malicious site
requests
  ● The switch is set in 'forwarding mode' after the ARP table is flooded with spoofed ARP replies
  ● Attackers flood a target computer's ARP cache with forged entries, which is also known as poisoning
  ● ARP spoofing is a method of attacking an Ethernet LAN
  ● Using fake ARP messages, an attacker can divert all communications between two machines so that all traffic is exchanged via his/her PC
  ● ARP tools: Cain & Abel, WinArpAttacker
  ● How to defend: implement Dynamic ARP Inspection, DHCP snooping, XArp spoofing detection

Spoofing

  ● Attacker can sniff the network for MAC addresses, then spoof them to receive all the traffic destined for the user. This allows the attacker to gain access to the network
  ● IRDP spoofing: ICMP Router Discovery Protocol allows a host to discover the IP addresses of active routers
    ○ Attacker sends a spoofed IRDP router advertisement message to the host on the subnet, causing it to change its default router
  ● How to defend: DHCP snooping, Dynamic ARP Inspection, IP Source Guard

DNS Poisoning

  ● DNS poisoning is a technique that tricks a DNS server into believing that it has received authentication when it really has not
  ● How to defend: resolve all DNS queries to a local DNS server, block DNS requests from going to external servers, configure the firewall to restrict external DNS lookups, implement an IDS and deploy it correctly, implement DNSSEC

Sniffing Tools

  ● Wireshark

Counter-Measures

  ● Restrict physical access
  ● Use encryption
  ● Permanently add the MAC address of the gateway to the ARP cache
  ● Use static IP addresses
  ● Turn off network ID broadcasts
  ● Use IPv6
  ● Use HTTPS instead of HTTP
  ● Use a switch rather than a hub
  ● Use SFTP instead of FTP

Sniffing Detection Techniques

  ● Run an IDS and notice if the MAC addresses of certain machines have changed
  ● Check which machines are running in promiscuous mode
    ○ Promiscuous mode allows a network device to intercept and read each network packet
    ○ Only a machine in promiscuous mode caches the ARP information
    ○ A machine in promiscuous mode replies to the ping message as it has correct information about the host sending a ping request
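The detection technique above (notice when the MAC address bound to an IP changes, and pin the gateway's MAC as a static entry) can be turned into a small monitor. The following is an added example, not part of the original notes or of any IDS product; the ArpReply records and addresses are constructed for illustration, and the ArpWatcher class is this example's own design.

```python
"""Detect ARP poisoning by watching for IP-to-MAC binding changes.

Added example (not from the original notes). It applies the
"notice if MAC addresses of certain machines have changed" technique to a
constructed stream of ARP reply records and also honours a static
(pinned) gateway binding, mirroring the countermeasure of permanently
adding the gateway's MAC address to the ARP cache.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str


class ArpWatcher:
    """Tracks IP -> MAC bindings; records an alert when a dynamic binding
    changes or when a pinned (static) binding is contradicted."""

    def __init__(self, static_bindings=None):
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.seen = {}                       # dynamic IP -> MAC learned so far
        self.macs_per_ip = defaultdict(set)  # every MAC ever claimed for an IP
        self.alerts = []

    def observe(self, reply: ArpReply):
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        self.macs_per_ip[ip].add(mac)
        if ip in self.static:
            # Static entries are never overwritten; a contradiction is an alert.
            if mac != self.static[ip]:
                self.alerts.append(
                    f"static binding violated: {ip} claimed by {mac}, pinned to {self.static[ip]}")
            return
        prev = self.seen.get(ip)
        if prev is None:
            self.seen[ip] = mac
        elif prev != mac:
            self.alerts.append(f"binding changed: {ip} was {prev}, now {mac}")
            self.seen[ip] = mac

    def duplicate_mac_ips(self):
        """One MAC answering for several IPs is the classic sign of a host
        impersonating both ends of a conversation."""
        ips_by_mac = defaultdict(set)
        for ip, macs in self.macs_per_ip.items():
            for m in macs:
                ips_by_mac[m].add(ip)
        return {m: sorted(ips) for m, ips in ips_by_mac.items() if len(ips) > 1}


# Constructed sample: a gateway at 10.0.0.1, a host at 10.0.0.20, and a third
# machine (de:ad:be:ef:00:01) that starts answering for both of them.
SAMPLE_REPLIES = [
    ArpReply("10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply("10.0.0.20", "bb:bb:bb:bb:bb:20"),
    ArpReply("10.0.0.1", "de:ad:be:ef:00:01"),   # forged gateway entry
    ArpReply("10.0.0.20", "de:ad:be:ef:00:01"),  # forged host entry
]


def analyse(replies=SAMPLE_REPLIES, gateway=("10.0.0.1", "aa:aa:aa:aa:aa:01")):
    """Run the watcher over a reply stream; returns (alerts, duplicate-MAC map)."""
    watcher = ArpWatcher(static_bindings={gateway[0]: gateway[1]})
    for r in replies:
        watcher.observe(r)
    return watcher.alerts, watcher.duplicate_mac_ips()


if __name__ == "__main__":
    alerts, dups = analyse()
    for a in alerts:
        print("ALERT:", a)
    print("MACs claiming multiple IPs:", dups)
```

In a real deployment the replies would come from a packet capture rather than a list, but the logic is the same: a static entry for the gateway is the one binding an attacker most wants to change, so it is checked separately from the learned table.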

Sniffing Pen Testing

  ● A sniffing pen test is used to check if the data transmission from an org is secure from sniffing and interception attacks

Module 8: Social Engineering

Objectives: overview of social engineering concepts, understanding various social engineering techniques, understanding insider threats, understanding impersonation on social networking sites, understanding identity theft, social engineering countermeasures, identity theft countermeasures, overview of social engineering pen testing

Social Engineering Concepts

  ● Social engineering is the art of convincing people to reveal confidential information
    ○ Depends on the fact that people are unaware of their valuable info and careless about protecting it

Social Engineering Techniques

  ● Human-based social engineering, computer-based social engineering, mobile-based social engineering
  ● Human-based social engineering
    ○ Reverse social engineering (attacker presents as an authority)
    ○ Piggybacking ("I forgot my ID badge, please help")
    ○ Tailgating (walking directly behind someone for entrance)
  ● Computer-based social engineering
    ○ Hoax letters, free gifts, etc.
  ● Mobile-based social engineering
    ○ Repackaging legitimate apps
    ○ Fake security applications
  ● Insider attack
    ○ Disgruntled employee
    ○ Prevention: separation and rotation of duties, least privilege, controlled access, logging and auditing, legal policies, archive critical data

Impersonation on Social Networking Sites

  ● Social engineering on Facebook, Twitter, LinkedIn, etc.

Identity Theft

  ● When someone steals your PI

Social Engineering Countermeasures

  ● Periodic password change, good policies, etc.

Module 9: Denial of Service

Objectives: Overview of DoS attacks and DDoS attacks, understanding the techniques of DoS/DDoS attacks, understanding the botnet network, understanding various DoS and DDoS attack tools, DoS/DDoS countermeasures, overview of DoS attack penetration testing

DoS/DDoS Concepts

  ● Denial of Service (DoS) is an attack on a computer or network that reduces, restricts or prevents accessibility of system resources to its legitimate users
    ○ Attackers flood a victim system with non-legitimate service requests
  ● A DDoS attack involves a multitude of compromised systems attacking a single targeted system (botnet)

DoS/DDoS Attack Techniques

  ● Basic categories of attacks
    ○ Volumetric attacks: consume the bandwidth of the target network or service
    ○ Fragmentation attacks: overwhelm the target's ability to reassemble fragmented packets
    ○ TCP state-exhaustion attacks: consume the connection state tables present in devices such as load balancers, firewalls and application servers
    ○ Application layer attacks: consume application resources or services, making them unavailable to other legitimate users
  ● SYN attack
    ○ Attacker sends a large number of SYN requests to the target server
    ○ Target machine sends back a SYN-ACK in response to each request and waits for the ACK to complete the session
    ○ Attacker never sends the ACK
  ● ICMP flood attack: type of DoS where perpetrators send a large number of ICMP packets, causing the system to stop responding to legitimate TCP/IP requests
    ○ To protect yourself: set a threshold limit that invokes an ICMP protection feature
  ● Peer-to-peer attack: attackers instruct clients of P2P file-sharing hubs to disconnect from their P2P network and connect to the victim's fake website. Attackers can launch massive DoS attacks and compromise websites
  ● Permanent Denial-of-Service attack: also known as phlashing, refers to attacks that cause irreversible damage to system hardware
    ○ Unlike other DoS attacks, it sabotages the system hardware
  ● Application-level flood attack: application-level flood attacks result in the loss of services
    ○ Using this attack, attackers exploit weaknesses in programming source code to prevent the application from processing legitimate requests
  ● Distributed Reflection Denial of Service (DRDoS)
    ○ Also known as a spoofed attack, involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application

Botnets

  ● Bots are software applications that run automated tasks over the internet
    ○ A botnet is a huge network of compromised systems and can be used by an attacker to launch a DoS attack
  ● Scanning methods for finding vulnerable machines: random scanning, hit-list scanning, topological scanning, local subnet scanning, permutation scanning
  ● DoS and DDoS attack tools
    ○ LOIC, GoldenEye

Countermeasures

  ● Techniques
    ○ Activity profiling
      ■ Increases in activity levels, distinct clusters, average packet rate, etc.
    ○ Changepoint detection
      ■ Filters network traffic by IP addresses and targeted port numbers, stores traffic flow data in a graph that shows the traffic flow rate vs. time
    ○ Wavelet-based signal analysis
      ■ Analyzes network traffic in terms of spectral components. Divides the incoming signal into various frequencies for analysis
  ● DoS/DDoS countermeasure strategies
    ○ Absorbing the attack (requires additional resources)
    ○ Degrading services (identify critical services and stop non-critical ones)
    ○ Shutting down the services
  ● Deflect attacks: honeypots act as an enticement for an attacker. They serve as a means for gaining information about attackers and store their activities
  ● Ingress filtering: protects from flooding attacks. Enables the originator to be traced to its true source
  ● Egress filtering: scanning the headers of IP packets leaving a network. Ensures unauthorized or malicious traffic never leaves the internal network
  ● Mitigate attack: load balancing, throttling
  ● Post-attack forensics
    ○ Analyze traffic patterns for new filtering techniques; analyze router, firewall and IDS logs; can update load-balancing and throttling countermeasures
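Two of the detection ideas above, activity profiling (average packet rate per time window) and spotting the half-open connections a SYN attack leaves behind, can be shown on a packet trace. This is an added example, not part of the original notes or of any product; the TRACE records, addresses and thresholds are constructed for illustration.

```python
"""Activity profiling and half-open connection counting for DoS detection.

Added example, not from the original notes. It runs two simple checks
over a constructed packet trace: packets per one-second window compared
with a baseline (activity profiling), and SYNs minus completing ACKs per
source, which grows when a SYN flood fills the server's state table.
"""
from collections import Counter

# Constructed trace: (timestamp_seconds, src_ip, tcp_flags)
TRACE = (
    [(t, "192.0.2.10", "S") for t in range(0, 10)]              # normal client: 1 SYN/s
    + [(t, "192.0.2.10", "A") for t in range(0, 10)]            # ... and it completes each handshake
    + [(10 + i / 100, "203.0.113.7", "S") for i in range(300)]  # 300 SYNs in 3 s, never ACKed
)


def packet_rate_per_window(trace, window=1.0):
    """Activity profile: number of packets in each `window`-second bucket."""
    counts = Counter(int(ts // window) for ts, _, _ in trace)
    return dict(sorted(counts.items()))


def half_open_per_source(trace):
    """SYNs minus ACKs per source. A large positive value means many
    connections were opened and left half-open."""
    syns, acks = Counter(), Counter()
    for _, src, flags in trace:
        if "S" in flags:
            syns[src] += 1
        elif "A" in flags:
            acks[src] += 1
    return {src: syns[src] - acks[src] for src in syns}


def detect(trace, baseline_rate, spike_factor=10, half_open_limit=50):
    """Return (windows whose rate exceeds spike_factor x baseline,
    sources with more than half_open_limit outstanding SYNs)."""
    profile = packet_rate_per_window(trace)
    spikes = [w for w, n in profile.items() if n > spike_factor * baseline_rate]
    floods = {s: n for s, n in half_open_per_source(trace).items() if n > half_open_limit}
    return spikes, floods


if __name__ == "__main__":
    spikes, floods = detect(TRACE, baseline_rate=2)
    print("windows with a traffic spike:", spikes)           # [10, 11, 12]
    print("sources with excessive half-open connections:", floods)
```

The baseline rate would normally be learned from quiet periods rather than passed in, and a production changepoint detector would smooth the profile before thresholding, but the two signals shown here are what the throttling and ingress-filtering countermeasures act on.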

Module 10: Session Hijacking

Module Objectives
  - Understanding session hijacking concepts
  - Understanding application level session hijacking
  - Understanding network level session hijacking
  - Session hijacking tools
  - Session hijacking countermeasures
  - Overview of session hijacking penetration testing

Session Hijacking Concepts

  ● What is session hijacking?
    ○ Since most authentication occurs at the start of a TCP session, this allows the attacker to gain access to the machine. He can take the cookie and play it as his own
      ■ The cookie will however expire after some time. It is much easier to steal a cookie than to brute force a password/token
  ● Why is session hijacking successful?
    ○ No account lockout for invalid session IDs
    ○ Weak session ID generation algorithm
    ○ Insecure handling of session IDs
    ○ Indefinite session expiration time
    ○ Most computers using TCP/IP are vulnerable
    ○ Most countermeasures do not work unless you use encryption
  ● Session hijacking process
    ○ Sniff > Monitor > Session Desynchronization > Session ID Prediction > Command Injection
      ■ Sniff to capture a valid session token or ID
    ○ During the session hijacking process (SYN-ACK), the attacker must time it to jump into the session
    ○ Referer attack: attacker tries to lure a user to click on a link to a malicious site
      ■ GET request [pull the web page]
    ○ Brute forcing: attacker attempts different IDs until he succeeds
  ● Types of session hijacking
    ○ Active attack: attacker finds an active session and takes over
    ○ Passive attack: attacker hijacks a session but sits back and watches and records all the traffic that is being sent back and forth
  ● Session hijacking in the OSI model: network level hijacking, application level hijacking
    ○ Network level: network level hijacking can be defined as the interception of packets during transmission between client and server
    ○ Application level hijacking: app level hijacking is about gaining control over the HTTP user session by obtaining the session IDs
  ● Spoofing vs hijacking
    ○ Spoofing attack: attacker pretends to be another user
    ○ Hijacking: process of taking over an existing active session

Application Level Session Hijacking

  ● A session token can be compromised in various ways
    ○ Session sniffing
    ○ Predictable session token
      ■ Predict a session ID generated by a weak algorithm
      ■ Guess the unique session value or deduce the session ID
    ○ Man-in-the-middle attack
      ■ Intruding into an existing connection and intercepting it
      ■ Attackers use different techniques and split the TCP connection
    ○ Man-in-the-browser attack
      ■ Uses a trojan horse to intercept calls between the browser and its security mechanisms
      ■ Can be a malicious extension
    ○ Cross-site script attack
      ■ XSS enables attackers to inject malicious client-side scripts into web pages
      ■ Malicious JavaScript code
      ■ A trojan horse can change proxy settings in the user's browser
    ○ Cross-site request forgery attack (CSRF)
      ■ A CSRF attack exploits the victim's active session with a trusted site in order to perform malicious activities
    ○ Session replay attack
      ■ In session replay, the attacker listens to the conversation between the user and the server and captures the authentication token of the user
      ■ Once the authentication token is captured, the attacker replays the request to the server with the authentication token
    ○ Session fixation
      ■ Session fixation is an attack that allows an attacker to hijack a valid user session
      ■ The attacker tries to lure a user to authenticate himself with a known session ID and then hijacks the user-validated session
      ■ The attacker has to provide a legitimate web app session ID and try to lure the victim's browser to use it
  ● UDP hijacking
    ○ Manipulating the packet
  ● CSRF (cross-site request forgery)
    ○ User visits a banking site. Attacker somehow has the user visit his site. His site infects and adds onto her session and inserts more commands into her session to do things she did not authorize

Session Hijacking Tools

  ● ZAP (Zed Attack Proxy by OWASP) is an integrated penetration testing tool
  ● Burp Suite: inspect and modify traffic. Analyzes all kinds of content. Is an interception proxy

Network Level Session Hijacking

  ● The 3-way handshake: if the attacker can anticipate the next sequence and ACK numbers, they can spoof Bob's address and start a communication with the server
  ● TCP/IP hijacking
  ● Blind hijacking
    ○ Attacker injects malicious data or commands into the intercepted communication in the TCP session even if source routing is disabled
    ○ The attacker can send the data or commands but has no access to see the response
      ■ You might be able to see the effects however
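The list under "Why is session hijacking successful?" (weak ID generation, no lockout for invalid IDs, indefinite expiry) and the session fixation attack above each map to a concrete server-side control. The following session store is an added example, not part of the original notes or of any web framework; the SessionStore class, its injectable clock and the constructed client addresses are this example's own.

```python
"""Session ID generation and lifecycle hardening.

Added example, not from the original notes or any framework. Controls
shown: unpredictable IDs from the OS CSPRNG, a brand-new ID issued at
login so a pre-planted ID never becomes an authenticated session
(session fixation defence), idle and absolute expiry, and a cut-off
after repeated invalid IDs from one client.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user: Optional[str]
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600,
                 max_invalid=20, clock=time.time):
        self.sessions = {}
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout
        self.max_invalid = max_invalid
        self.invalid_by_client = {}   # client address -> count of bad IDs
        self.clock = clock             # injectable so expiry can be tested

    def create(self):
        # 32 bytes (256 bits) from the OS CSPRNG: neither sequential nor
        # derivable from earlier IDs, unlike counter- or time-based IDs.
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = Session(user=None, created=now, last_seen=now)
        return sid

    def lookup(self, sid, client):
        """Return the live session for sid, or None. Misses are counted per
        client so an ID-guessing loop is cut off."""
        if self.invalid_by_client.get(client, 0) >= self.max_invalid:
            return None
        s = self.sessions.get(sid)
        now = self.clock()
        if (s is None or now - s.last_seen > self.idle_timeout
                or now - s.created > self.absolute_timeout):
            self.sessions.pop(sid, None)
            self.invalid_by_client[client] = self.invalid_by_client.get(client, 0) + 1
            return None
        s.last_seen = now
        return s

    def login(self, old_sid, user, client):
        """Called after credentials were verified elsewhere. The pre-login
        session is destroyed and a fresh ID issued, so an ID fixed by an
        attacker beforehand is never promoted to an authenticated one."""
        old = self.lookup(old_sid, client)
        self.sessions.pop(old_sid, None)
        new_sid = self.create()
        self.sessions[new_sid].user = user
        if old is not None:
            self.sessions[new_sid].data = old.data   # keep harmless pre-login state
        return new_sid

    @staticmethod
    def ids_equal(a, b):
        # constant-time comparison: no timing signal about matching prefixes
        return hmac.compare_digest(a, b)


def fixation_walkthrough():
    """Replays the fixation scenario from the notes against this store with
    a fake clock; returns four booleans that should all be True."""
    t = [1000.0]
    store = SessionStore(clock=lambda: t[0])
    planted = store.create()                          # ID known before login
    victim_sid = store.login(planted, "alice", "198.51.100.5")
    planted_still_valid = store.lookup(planted, "203.0.113.9") is not None
    victim_session = store.lookup(victim_sid, "198.51.100.5")
    t[0] += 2000                                      # exceed the 900 s idle timeout
    expired = store.lookup(victim_sid, "198.51.100.5") is None
    return (planted != victim_sid, not planted_still_valid,
            victim_session.user == "alice", expired)


if __name__ == "__main__":
    print(fixation_walkthrough())   # (True, True, True, True)
```

The ID regeneration in login is the part most often missing in practice: a framework that keeps the same cookie value across authentication turns every pre-login ID an attacker can plant into an authenticated session.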


Countermeasures

  ● IPSec: protocol suite for securing IP communications by authenticating and encrypting each IP packet of a communication session
    ○ Deployed widely to implement virtual private networks (VPNs) and for remote user access through dial-up connections to private networks
    ○ Transport mode: authenticates two connected computers. Option to encrypt data transfer. Compatible with NAT
    ○ Tunnel mode: encapsulates packets being transferred. Option to encrypt data. Not compatible with NAT

Module 11: Hacking Webservers

Objectives: Understanding web server concepts, understanding web server attacks, understanding webserver attack methodology, webserver attack tools, countermeasures against web server attacks, overview of patch management, webserver security tools, overview of web server penetration testing

Web Server Concepts

  ● A web server is a program that hosts websites; attackers usually target software vulnerabilities and config errors to compromise the servers
    ○ Nowadays, network and OS level attacks can be well defended using proper network security measures such as firewalls, IDS, etc. Web servers are more vulnerable to attack since they are available on the web
  ● Why are web servers compromised?
    ○ Improper file/directory permissions
    ○ Installing the server with default settings
    ○ Unnecessary services enabled
    ○ Security conflicts
    ○ Lack of a proper security policy
    ○ Improper authentication
    ○ Default accounts
    ○ Misconfigurations
    ○ Bugs in the OS
    ○ Misconfigured SSL certificates
    ○ Use of self-signed certs
  ● IIS (Internet Information Services) is a web server application developed by Microsoft for Windows

Webserver Attacks

  ● DoS/DDoS attacks: attackers may send numerous fake requests to the web server, which results in the web server crashing or becoming unavailable
    ○ May target high-profile web servers
  ● DNS server hijacking: attacker compromises the DNS server and changes the DNS settings so that all requests coming towards the target web server are redirected to another malicious server
  ● DNS amplification attack: attacker takes advantage of the DNS recursive method of DNS redirection to perform a DNS amplification attack
    ○ Attacker uses compromised PCs with spoofed IPs to amplify the DDoS attack by exploiting the DNS recursive method
  ● Directory traversal attack: attackers use ../ sequences to access restricted directories outside of the web server root directory (trial and error)
  ● Man-in-the-middle sniffing attack: MITM attacks allow an attacker to access sensitive info by intercepting and altering communications
  ● Phishing attacks: attacker tricks the user into submitting login details for a website that looks legit but is not. Attempts to steal credentials
  ● Website defacement: intruder maliciously alters the visual appearance of a web page by inserting offending data. Variety of methods such as MySQL injection
  ● Web server misconfiguration: refers to configuration weaknesses in infrastructure such as directory traversal
  ● HTTP response splitting attack: involves adding header data into the input field so that the server splits the response into two responses. The attacker can control the second response to redirect the user to a malicious website, whereas the other response will be discarded by the browser
  ● Web cache poisoning: an attacker forces the web server's cache to flush its actual cache content and sends specially crafted requests, which will be stored in the cache
  ● SSH brute force attack: SSH protocols are used to create an encrypted SSH tunnel between two hosts. Attackers can brute force the SSH login credentials
  ● Webserver password cracking: an attacker tries to exploit weaknesses to hack well-chosen passwords (social engineering, spoofing, phishing, etc.)
  ● Web application attacks: vulnerabilities in web apps running on a webserver provide a broad attack path for webserver compromise
    ○ SQL injection, directory traversal, DoS, cookie tampering, XSS attack, buffer overflow, CSRF attack

Attack Methodology

  ● Information gathering, webserver footprinting, mirroring website, vulnerability scanning, session hijacking, hacking webserver passwords
  ● Information gathering: the robots.txt file contains a list of web server directories and files that the website owner wants to hide from web crawlers
  ● Use tools such as Burp Suite to automate session hijacking

Webserver Attack Tools

  ● Metasploit: encapsulates an exploit
    ○ Payload module: carries a backpack into the system to unload
    ○ Metasploit auxiliary module: performs arbitrary, one-off actions such as port scanning, DoS and fuzzing
    ○ NOPS module: generates no-operation instructions used for blocking out buffers
  ● Password cracking: THC Hydra, Cain & Abel

Countermeasures

  ● An ideal web hosting network should be designed with at least three segments, namely: the internet segment, the secure server security segment (DMZ) and the internal network
    ○ Place the web server in the DMZ of the network, isolated from the public network as well as the internal network
    ○ Firewalls should be placed for the internal network as well as for internet traffic going towards the DMZ
  ● Patches and updates: ensure service packs, hotfixes and security patch levels are consistent on all domain controllers
  ● Protocols: block all unnecessary ports, ICMP, and unnecessary protocols such as NetBIOS and SMB. Disable WebDAV if not used
  ● Files and directories: delete unnecessary files, disable serving of directory listings, disable serving certain file types, avoid virtual directories
  ● Detecting hacking attempts: run scripts on the server that detect any changes made to the existing executable files. Compare hash values of files on the server to detect changes in the codebase. Alert the user upon any detected change
  ● Secure the SAM (stand-alone servers only)
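Two of the attacks listed above, directory traversal and HTTP response splitting, are both defeated on the server by validating what the client sent before it reaches the file system or the response headers. The following checks are an added example, not part of the original notes or of any web server's code; the document root, request paths and header values are constructed for illustration.

```python
"""Directory traversal containment and HTTP response splitting prevention.

Added example, not from the original notes or any web server. A requested
path is decoded once, resolved, and required to stay under the document
root, so ../ sequences (plain or URL-encoded) cannot escape it; a value
bound for a response header is rejected if it carries CR/LF or other
control characters, which is what lets one response be split into two.
"""
from pathlib import Path
from urllib.parse import unquote


class RequestRejected(ValueError):
    pass


def resolve_under_root(document_root: str, request_path: str) -> Path:
    """Map a URL path to a file under document_root, or raise."""
    root = Path(document_root).resolve()
    decoded = unquote(request_path)          # decode exactly once
    if "\x00" in decoded:
        raise RequestRejected("NUL byte in path")
    candidate = (root / decoded.lstrip("/")).resolve()
    # resolve() collapses '..' segments, so containment is decided on the
    # final absolute path rather than on the text the client sent.
    if candidate != root and root not in candidate.parents:
        raise RequestRejected(f"path escapes document root: {request_path}")
    return candidate


def safe_header_value(value: str) -> str:
    """Reject header values containing CR/LF (response splitting) or other
    control characters; return the decoded value otherwise."""
    decoded = unquote(value)
    if "\r" in decoded or "\n" in decoded:
        raise RequestRejected("CR/LF in header value")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        raise RequestRejected("control character in header value")
    return decoded


def check_path(document_root: str, request_path: str) -> bool:
    """True if the path would be served, False if rejected."""
    try:
        resolve_under_root(document_root, request_path)
        return True
    except RequestRejected:
        return False


def check_header(value: str) -> bool:
    """True if the value is safe to place in a response header."""
    try:
        safe_header_value(value)
        return True
    except RequestRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs; /srv/www need not exist, resolve() is non-strict.
    for p in ["/index.html", "/img/../index.html",
              "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{p:32} -> {'serve' if check_path('/srv/www', p) else 'reject'}")
    for h in ["/login?next=/home", "/home%0d%0aX-Injected:%201"]:
        print(f"{h:32} -> {'ok' if check_header(h) else 'reject'}")
```

Note that "/img/../index.html" is served: it resolves inside the root, which is the point of checking the resolved path instead of pattern-matching on "..". The header check decodes before testing so that a percent-encoded CR/LF pair is caught as well as a literal one.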
  ● Defending against DNS hijacking: choose an ICANN-accredited registrar. Install anti-virus

Patch Management

  ● Hotfixes are an update to fix a specific customer issue
  ● A patch is a small piece of software designed to fix problems
    ○ Hotfixes and patches are sometimes combined into service packs
  ● Patch management is a process used to ensure that the appropriate patches are installed on a system to help fix known vulnerabilities
    ○ Before installing a patch, verify the source
  ● Patch management tools: MBSA (Microsoft Baseline Security Analyzer) checks for available updates to the OS, SQL Server, .NET Framework, etc.

Webserver Security Tools

  ● Syhunt helps automate web app security testing and guards. N-Stalker is a scanner to search for vulnerabilities

Webserver Pen Testing

  ● Used to identify, analyze and report vulnerabilities

Module 12: Hacking Web Applications

Module Objectives: Understanding web application concepts, understanding web app threats, understanding web app hacking methodology, web app hacking tools, understanding web app countermeasures, web app security tools, overview of web app pen testing

Web App Concepts

  ● Web apps provide an interface between end users and web servers through a set of pages
  ● Web tech such as Web 2.0 supports critical business functions such as CRM, SCM

Web App Threats

  ● Cookie poisoning: by changing info in a cookie, attackers can bypass the authentication process
  ● Directory traversal: gives access to unrestricted directories
  ● Unvalidated input: tampering with HTTP requests, form fields, hidden fields, query strings, and so on. Examples of these attacks include SQL injection, XSS, buffer overflows
  ● Cross-site scripting: bypassing client-ID mechanisms to gain privileges, injecting malicious scripts into web pages
  ● Injection flaws: injecting malicious code, commands, scripts into the input gates of flawed apps
  ● SQL injection: type of attack where attackers inject SQL commands via input data, and then tamper with the data
    ○ LDAP injection to obtain direct access to databases behind the LDAP tree
  ● Parameter/form tampering: manipulates the parameters exchanged between client and server to modify app data such as user credentials and permissions
  ● DoS: intended to terminate operations
  ● Broken access control: method in which the attacker identifies a flaw related to access control and bypasses the authentication, then compromises the network
  ● Cross-site request forgery: attack in which an authenticated user is made to perform certain tasks on the web app that an attacker chooses
  ● Information leakage: can cause great losses to a company
  ● Improper error handling: it is important to define how a system or network should behave when an error occurs. Otherwise, an error may provide a chance for an attacker to break into the system. Improper error handling can lead to a DoS attack
  ● Log tampering: attackers can inject, delete or tamper with app logs to hide their identities
  ● Buffer overflow: occurs when an app fails to guard its buffer properly and allows writing beyond its maximum size
  ● Broken session management: when credentials such as passwords are not properly secured
  ● Security misconfigurations
  ● Broken account management: account update, forgotten/lost password recovery/reset
  ● Insecure storage: users must maintain the proper security of their storage locations
  ● Platform exploits: each platform (BEA WebLogic, ColdFusion) has its own various vulnerabilities
  ● Insecure direct object references: when developers expose objects such as files or records, the result is an insecure direct object reference
  ● Insecure cryptographic storage: sensitive data should be properly encrypted using cryptography. Some cryptographic techniques have inherent weaknesses however
  ● Authentication hijacking: once an attacker compromises a system, user impersonation can occur
  ● Network access attacks: can allow levels of access that standard HTTP app methods could not grant
  ● Cookie snooping
  ● Web services attack: web services are based on XML protocols such as SOAP (Simple Object Access Protocol) for communication between web services
  ● Insufficient transport layer protection
  ● Hidden manipulation
  ● DMZ protocol attacks
  ● Unvalidated redirects and forwards
  ● Failure to restrict URL access
  ● Obfuscation application
  ● Security management exploits
  ● Session fixation attack: attacker tricks the user into accessing a genuine web server using an explicit session ID value. Attacker assumes the identity of the victim and exploits credentials on the server
  ● Malicious file execution

Hacking Methodology

  ● Hackers first footprint the web infrastructure
    ○ Server discovery, location
  ● Service discovery: scan ports
  ● Banner grabbing: footprinting technique to obtain sensitive info about the target. They can analyze the server response to certain requests (server identification)
  ● Detecting web app firewalls and proxies on the target site
    ○ Use the TRACE method for a proxy, and the cookie response for a firewall
  ● Hidden content discovery: web spidering automatically finds hidden content
  ● Launch web server attack to exploit identified vulnerabilities, launch DoS
  ● Attacking the authentication mechanism
    ○ Username enumeration
      ■ Verbose failure messages. Predictable user names
    ○ Cookie exploitation
      ■ Poisoning (tampering), sniffing, replay
    ○ Session attack
      ■ Session prediction, brute forcing, poisoning
    ○ Password attack
      ■ Guessing, brute force
    ○ Bypassing authentication controls
  ● Authorization attack: finds legitimate accounts then slowly escalates privileges
  ● Attack session management mechanism: involves exchanging sensitive info between server and clients. If session management is insecure, the attacker can take advantage of flawed session management
  ● Perform injection attacks: exploiting vulnerable input validation mechanism implementations
  ● Attack data connectivity: attacking the database connection that forms the link between a database server and its client software
    ○ Connection string injection: attacker injects parameters into a connection string. CSPP attacks (Connection String Parameter Pollution attacks)
    ○ Connection pool DoS: attacker examines the connection pooling settings, constructs a large SQL query, and runs multiple queries simultaneously to consume all connections

Countermeasures

  ● Encoding schemes: employing encoding schemes for data to safely handle unusual characters and binary data in the way you intend
    ○ Ex. Unicode encoding
    ○ Char encoding
  ● How to defend against SQL injection attacks
    ○ Limit the length of user input
    ○ Perform input validation
  ● How to defend against XSS
    ○ Validate all headers, cookies, strings, form fields. Use a firewall
  ● How to configure against DoS
    ○ Configure the firewall to deny ICMP traffic access
  ● How to defend against web services attacks
    ○ Multiple layer protection
    ○ Perform thorough input validation

Tools

  ● N-Stalker is an effective suite of web security assessment tools

Pen Testing

  1. Info gathering
  2. Config management testing
  3. Authentication testing
  4. Session management testing
  5. Authorization testing
  6. Data validation testing
  7. DoS testing
  8. Web services testing
  9. AJAX testing
  10. Use Kali Linux tools
      a. Metasploit

Module 13: SQL Injection

  - Understanding SQL injection concepts, understanding various types of SQL injection attacks, understanding SQL injection methodology, SQL injection tools, understanding different IDS evasion techniques, SQL injection countermeasures, SQL injection detection tools

SQL Injection Concepts

  ● SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web app for execution by the backend database
    ○ Usually to retrieve information
    ○ This is a flaw in web apps
  ● Attacker can deface a web page with this attack
  ● They can add info to your website, extract data, and insert new data

Types of SQL Injection

  ● Error-based SQL injection: attacker puts intentionally bad input into the app to see the database-level error messages. Uses this to create carefully designed SQL injections
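The non-validated input flaw described above, and the single-quote probe from the black-box testing notes, are easiest to understand with the vulnerable query next to its parameterized form. The following is an added example, not part of the original notes; it uses an in-memory SQLite table with constructed rows.

```python
"""SQL injection: concatenated query beside the parameterized form.

Added example, not from the original notes. A login lookup is written
two ways: the flawed way (user input concatenated into the SQL text, the
non-validated input vulnerability the notes describe) and the safe way
(a bound parameter, so the database never interprets input as SQL).
"""
import sqlite3


def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),
        ("bob", "battery staple", "user"),
    ])
    return conn


def lookup_concatenated(conn, username, password):
    """Vulnerable: the input becomes part of the SQL statement text."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username, password):
    """Safe: the input is bound as data; quotes inside it have no SQL meaning."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def probe_single_quote(conn, username="alice'"):
    """The black-box test from the notes: a lone quote breaks the
    concatenated statement (a database error leaks back) but is harmless
    when bound. Returns (error text or None, rows from the bound query)."""
    try:
        lookup_concatenated(conn, username, "x")
        concatenated_error = None
    except sqlite3.OperationalError as e:
        concatenated_error = str(e)
    return concatenated_error, lookup_parameterized(conn, username, "x")


def compare(conn, username, password):
    """Rows each variant returns for the same input ('error' on a syntax error)."""
    try:
        vulnerable = lookup_concatenated(conn, username, password)
    except sqlite3.OperationalError:
        vulnerable = "error"
    return vulnerable, lookup_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    print("single quote probe:", probe_single_quote(db))
    # A tautology in the password field turns the WHERE clause true for every row
    # when concatenated; bound as data it matches nothing.
    print("tautology input:", compare(db, "x", "x' OR '1'='1"))
    print("real credentials:", compare(db, "alice", "correct horse"))
```

The error text from the probe is exactly what error-based injection feeds on, which is why the countermeasures pair parameterized queries with generic error pages: the bound query fails closed and says nothing about the schema.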

  ● Blind SQL injection: attacker has no error messages from the system with which to work. Instead, the attacker simply sends a malicious SQL query to the database
  ● Whenever you see SELECT, it is probably a SQL command
  ● UNION SQL command: joining a forged query to the original query
  ● Time-based SQL injection: evaluates the time delay in response to true/false queries

SQL Injection Methodology

  ● Information gathering and SQL vulnerability detection
    ○ Attackers analyze web GET and POST requests to identify all input fields
    ○ Afterwards, launch the attack
    ○ Advanced SQL injections
  ● SQL injection black box pen testing
    ○ Send single quotes as input data to see where the user input is not sanitized
    ○ Send long strings of junk data to detect buffer overruns
    ○ Use a right square bracket as input data

Evasion Techniques

  ● Evading IDS
    ○ Obscure input strings
    ○ Hex encoding
    ○ Manipulating whitespace
    ○ Inline comments

Countermeasures

  ● Use firewalls on the SQL server
  ● Make no assumptions about the size, type or content of the data that is received by the application
  ● Avoid constructing dynamic SQL with concatenated input values

Module 14: Hacking Wireless Networks

  - Understanding wireless concepts, understanding wireless encryption algorithms, understanding wireless threats, understanding wireless hacking methodology, wireless hacking tools, understanding Bluetooth hacking techniques, understanding wireless hacking countermeasures, overview of wireless penetration testing

Wireless Concepts

  ● GSM: universal system used for mobile transportation for wireless networks worldwide
  ● Bandwidth: describes the amount of information that may be broadcast over a connection
  ● BSSID: the MAC address of an access point that has set up a basic service set
  ● ISM band: a set of frequencies for the international industrial, scientific and medical communities
  ● Access point: used to connect wireless devices to a wireless network
  ● Hotspot: places where a wireless network is available for public use
  ● Association: process of connecting a wireless device to an access point
  ● Orthogonal Frequency Division Multiplexing: method of encoding digital data on multiple carrier frequencies
  ● Direct-Sequence Spread Spectrum: the original data signal is multiplied with a pseudo-random noise spreading code
  ● Frequency-Hopping Spread Spectrum (FHSS): method of transmitting radio signals by rapidly switching a carrier among many frequency channels
  ● Wireless networks
    ○ Wi-Fi refers to the IEEE 802.11 standard

    ○ SSID (service set identifier)
    ○ Open system authentication process: in open system authentication, any wireless client that wants to access a Wi-Fi network sends a request to the wireless AP for authentication
    ○ Shared key authentication process: in this process, each wireless station receives a shared secret key over a secure channel that is distinct from the 802.11 communication channels
    ○ Centralized authentication server (RADIUS)
  ● Wi-Fi chalking
    ○ WarChalking: drawing symbols in public places to advertise open Wi-Fi networks
  ● Types of wireless antennas
    ○ Directional antennas: used to broadcast and obtain radio waves from a single direction
    ○ Omni-directional antennas: provide 360-degree horizontal broadcasts, used in wireless base stations
    ○ Parabolic grid antenna: based on the idea of a satellite dish. Can pick up Wi-Fi signals from ten miles or more
    ○ Yagi antenna: unidirectional antenna
    ○ Dipole antenna: bi-directional antenna, used to support client connections rather than site-to-site applications
  ● Parabolic grid antennas let attackers attack from farther away (10 miles!)
Wireless Encryption

● WEP (wired equivalent privacy): weakest encryption. Uses 24-bit initialization vector. A 64
bit WEP uses a 40 bit key etc ○ Can use Cain & Abel to crack

 ● WPA (Wifi Protected Access): Stronger encryption with TKIP.


o ○ You can brute force the keys offline
o ○ You can defend by using stronger passphrases
 ● WPA2: Stronger data protection with AES
o ○ WPA-2 personal uses a pre-shared key to protect access
o ○ WPA-2 Enterprise includes EAP or RADIUS for centralized authentication
w/kerberos etc

Wireless Threats

 ● Access Control Attacks: Aims to penetrate a network by evading WLAN access


control measures, such as AP MAC filters and Wi-Fi port access controls
 ● Integrity Attacks: Sending forged control management or data frames over a
wireless network
 ● AD Hoc connection attack: Wifi Clients communicate directly in ad-hoc and do
 ● Confidentiality Attacks: attempt to intercept confidential information sent over
not require AP to relay packet. Attack can attack OS direct since the encryption is
wireless associations
weak
 ● Availability Attacks: DoS
 ● Honeyspot Access Point Attack: Attacker takes advantage of multiple WLAN’s in
 ● Authentication Attacks: Steal the identity of Wi-Fi clients, their PI, logins, etc. to
area and use same SID
unauthorized access of network resources  ● AP MAC Spoofing: Hacker spoofs the MAC address of the WLAN client equipment
 ● Rogue Access Point Attack: Hijacking connections and acting as a middle man
to mask an authorized client
sniffing  ● Jamming Signal Attack: High gain amplifier
 ● Client Mis-Association: Attacker sets up a rogue access point outside of the
corporate perimeter and lures the employees
Wireless Hacking Methodology
of the organization to connect with it
1. WiFi Discovery: discovers the WiFi network
2. GPS Mapping: Attackers create a map of discovered Wi-Fi network and create a
 ● Misconfigured Access Point Attack: Accidents for configurations that you can database
exploit 3. Wireless Traffic Analysis: identify vulnerabilities, WiFi reconnaissance, Tools for
Packet Capture & Analysis
4. Launch Wireless Attacks

a.

2. Fragmentation Attack: can obtain 1500 bytes of PRGA data that can be
used for injection attacks
3. Mac Spoofing: attackers change MAC address to that of an authenticated
user to bypass the MAC filtering

configured in an access point

4. Denial of Service: Deauthentication and Disassociation attacks


5. Man in the middle attack MITM : Attacker spoofs his MAC, sends a deAuth
requests and then puts himself in

the middle

6. Wireless ARP poisoning attack:


7. Rogue Access Point: Wireless APs attacker installs on a network without
authorization and are not under

management of the network administrator. Are not configured with any


security

8. Evil Twin: Replicates another wireless APs name via common SSID
5. Crack Wi-Fi encryption

2. Crack WEP using Aircrack


3. Crack WPA-PSK using aircrack
4. WEP cracking using Cain & Abel

6. Compromise the Wi-Fi Network

● What is spectrum analysis

 ○ RF spectrum analyzers examine Wi-Fi radio transmissions and measure power


(amplitude)
 ○ Employ statistical analysis to plot spectral usage
 ○ Can be used for DoS attack

Bluetooth Hacking

● Bluetooth modes
  ○ Discoverable, Limited Discoverable (timed), Non-discoverable
● Pairing modes
  ○ Non-pairable mode: rejects every pairing request
  ○ Pairable mode: will pair upon request
● Exploitation of Bluetooth stack implementation vulnerabilities
  ○ Bluesmacking: DoS attack which overflows Bluetooth-enabled devices with random packets, causing the device to crash
  ○ Bluejacking: sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, laptops, etc.
  ○ Bluesnarfing: theft of information from a wireless device through a Bluetooth connection
  ○ Blue Sniff: proof-of-concept code for a Bluetooth wardriving utility
  ○ Bluebugging: remotely accessing Bluetooth-enabled devices and using their features
  ○ BluePrinting: collecting information about Bluetooth-enabled devices such as manufacturer, device model, firmware
  ○ MAC spoofing attack: intercepting data intended for other Bluetooth-enabled devices
  ○ MITM: modifying data between Bluetooth-enabled devices communicating on a piconet

Countermeasures

● How to defend against Bluetooth hacking
  ○ Use non-regular patterns for PIN keys
  ○ Keep the device in non-discoverable mode
  ○ Keep a check on all paired devices
  ○ Always enable encryption

Wireless Security Tools

● Wireless Intrusion Prevention Systems

Module 15: Hacking Mobile Platforms

- Understanding mobile platform attack vectors, understanding various Android threats and attacks, understanding various iOS threats and attacks, understanding various Windows Phone OS threats and attacks, understanding various BlackBerry threats and attacks, understanding mobile device management (MDM), mobile security guidelines and security tools, overview of mobile pen testing

Mobile Platform Attack Vectors

● OWASP Mobile Top 10 Risks
  ○ Insecure Data Storage
    ■ Built on the assumption that malware won't reach the device; jailbreaking bypasses the platform encryption and exposes the stored data
  ○ Unintended Data Leakage
    ■ When a user places sensitive data in a location accessible to other apps
  ○ Broken Cryptography
    ■ Weak encryption algorithms. Use AES (the course also lists 3DES, which NIST has since deprecated)
  ○ Security Decision via Untrusted Inputs
    ■ Apps base protection mechanisms on input values (cookies, environment variables, hidden form fields) that an attacker can alter to bypass the protection mechanism
  ○ Lack of Binary Protections: exposes the app and its owner to a wide variety of technical and business risks. Countermeasures:
    ■ Secure coding techniques
    ■ Jailbreak detection controls
    ■ Checksum controls
    ■ Certificate pinning controls

● Anatomy of a Mobile Attack: the device -> the network -> the data center

● The device
  ○ Clickjacking: tricking users into clicking something different from what they think they are clicking. Attackers obtain sensitive info or take control of the device
  ○ Framing: a web page integrated into another web page using iFrame elements in HTML
  ○ Drive-by downloading: unintended download of software from the internet. Android is affected by this attack
  ○ Man in the Middle: attacker implants malicious code on the victim's mobile device
  ○ Zero-day exploits: launch an attack by exploiting a previously unknown vulnerability in a mobile OS or app
  ○ Buffer overflows: writing more data to a buffer than it can hold, so that it overruns into adjacent memory
  ○ Data caching: caching on mobile devices used to interact with web apps; attackers attempt to exploit the data caches
● Phone/SMS-based attacks
  ○ Baseband attacks: exploiting vulnerabilities in the phone's GSM/3GPP baseband processor, which sends and receives signals to and from towers
  ○ SMiShing: type of phishing where the attacker uses an SMS text message to link to a malicious site
  ○ RF (radio frequency) attacks: exploit vulnerabilities found on peripheral communication channels normally used in nearby device-to-device communications
● Application-based attacks
  ○ Sensitive data storage: some apps employ weak security in their database architecture, which makes them targets for attackers to hack and steal the sensitive user information stored in them
  ○ No encryption/weak encryption: apps that transmit data unencrypted or weakly encrypted are susceptible to attacks such as session hijacking
  ○ Improper SSL validation: security loopholes in an app's SSL validation process may allow attackers to circumvent the data security
  ○ Config manipulation: apps may use external files and libraries; modifying those entities or affecting the app's capability of using them results in a config manipulation attack
  ○ Dynamic runtime injection: attackers manipulate and abuse the runtime of an app to circumvent security locks and logic checks, access privileged parts of an app, and steal data
  ○ Unintended permissions: misconfigured apps can at times open doors to attackers by granting unintended permissions
  ○ Escalated privileges: attackers engage in privilege escalation attacks, which take advantage of design flaws, programming errors, bugs, or configuration oversights to gain access to resources
● OS-based attacks
  ○ iOS jailbreaking: removing the security mechanisms set by Apple to prevent malicious code
  ○ Android rooting: allows users to attain privileged control (root access) within Android's subsystem
  ○ Passwords and data accessible
  ○ Carrier-loaded software: pre-installed software or apps on devices may contain vulnerabilities that an attacker can exploit to perform malicious activities such as deleting, modifying, or stealing data on the device, or eavesdropping on calls
● The network-based points of attack
  ○ WiFi (weak encryption or no encryption)
  ○ Rogue access points: attackers install an illicit wireless access point by physical means, which allows them to access a protected network by hijacking the connections of network users
  ○ Man in the Middle (MITM): attackers eavesdrop on existing network connections between two systems
  ○ SSLStrip: type of MITM attack that downgrades a victim's HTTPS connections to plain HTTP by rewriting links and redirects; it exploits weak deployment of SSL/TLS rather than the protocol itself (HSTS is the usual countermeasure)
  ○ Session hijacking: attacker steals valid session IDs
  ○ DNS poisoning: attackers exploit DNS servers to redirect website users to another website of the attacker's choice
  ○ Fake SSL certificates: another kind of MITM attack; the attacker presents a fake SSL certificate to intercept traffic on a supposedly secure HTTPS connection
● The data center
  ○ Two main points of entry: the web server and the database
  ○ Web server-based attacks
    ■ Platform vulnerabilities: exploiting vulnerabilities in the OS, server software, or app modules running on the web server
    ■ Server misconfiguration
    ■ XSS
    ■ CSRF
    ■ Weak input validation
    ■ Brute-force attacks
  ○ Database attacks
    ■ SQL injection
    ■ Data dumping
    ■ OS command execution
    ■ Privilege escalation
● Sandboxing: helps protect systems and users by limiting the resources an app can access on the mobile platform; however, malicious apps may exploit vulnerabilities to bypass the sandbox

Hacking Android OS

● The device administration API provides device administration features at the system level
● Rooting allows Android users to attain privileged control (root access)
  ○ Involves exploiting security vulnerabilities in the device firmware
● Securing Android devices
  ○ Enable screen locks
  ○ Don't root your device
  ○ Download apps only from Google Play (formerly Android Market)
  ○ Keep the device updated with Google software
  ○ Do not directly download APK files
  ○ Update the OS regularly
  ○ Use a free protector app
● Google Apps device policy: allows a domain admin to set security policies for your Android device

Hacking iOS

● Layers of the OS
  ○ Cocoa Touch: key frameworks that help in building iOS apps; defines the appearance and basic services such as the touch technology experienced in apps
  ○ Media: contains the graphics, audio, and video technologies
  ○ Core Services: contains the fundamental system services for apps
  ○ Core OS: low-level features on which most other technologies are built
● Jailbreak types: tethered (the kernel patch does not survive a reboot, so the device must be re-jailbroken from a computer each time it restarts) and untethered (the patch persists across reboots)

Hacking Windows Phone

Hacking BlackBerry

● Malicious code signing: BlackBerry apps must be signed by RIM. An attacker can obtain code-signing keys for a malicious app and post it in the store
● JAD file exploits: a JAD file lets a user review the app details and decide whether to download the app; however, attackers create spoofed .jad files to trick users
● PIM data attacks: PIM (personal information manager) data includes address books, calendars, tasks
  ○ Malicious apps can delete or modify this data
● TCP/IP connection vulnerabilities: if the device firewall is off, signed apps can open TCP connections without the user being prompted
  ○ Malicious apps create a reverse connection to the attacker, enabling him to use the infected device as a TCP proxy and gain access to the organization's internal resources

Mobile Device Management (MDM)

● MDM provides platforms for over-the-air or wired distribution of applications, data and configuration settings for all types of mobile devices: smartphones, tablets, etc.
  ○ Helps implement enterprise-wide policies to reduce support costs
  ○ Can manage both company-owned and BYOD devices

Mobile Security Guidelines and Tools

● General guidelines
  ○ Do not load too many apps and avoid auto-upload of photos to social networks
  ○ Perform a security assessment of the application architecture
  ○ Maintain configuration control and management
  ○ Install apps from trusted app stores
  ○ Securely wipe or delete the data when disposing of the device
  ○ Ensure Bluetooth is off by default
  ○ Do not share location with GPS-enabled apps
  ○ Never connect to two separate networks such as Wi-Fi and Bluetooth simultaneously


Module 16: Evading IDS, Firewalls, and Honeypots

- Understanding IDS, firewall, and honeypot concepts; IDS, firewall and honeypot solutions; understanding different techniques to bypass IDS; understanding different techniques to bypass firewalls; IDS/firewall evading tools; understanding different techniques to detect honeypots; overview of IDS and firewall penetration testing

IDS, Firewall, and Honeypot Concepts

● An IDS inspects all inbound and outbound network traffic for suspicious patterns that may indicate a network security breach
  ○ Signature detection: checks traffic for signatures that match known intrusion patterns
  ○ Anomaly detection (behavior detection)
  ○ Protocol anomaly detection
● Indications of intrusions
  ○ System intrusions
    ■ Presence of new files/programs
    ■ Changes in file permissions
    ■ Unexplained changes in file size
    ■ Rogue files
    ■ Unfamiliar file names in directories
    ■ Missing files
  ○ Network intrusions
    ■ Repeated probes of the available services on your machines
    ■ Connections from unusual locations
    ■ Repeated login attempts from remote hosts
    ■ Arbitrary data in log files
● Firewall architecture
  ○ Bastion host
    ■ Computer system designed and configured to protect network resources from attack
  ○ Screened subnet
    ■ Also known as the DMZ; contains the hosts that offer public services. The DMZ only responds to public requests and has no hosts that are accessed by the private network
  ○ Multi-homed firewall
    ■ A firewall with two or more interfaces
● DeMilitarized Zone (DMZ)
  ○ A network that serves as a buffer between the internal secure network and the insecure internet
  ○ Can be created using a firewall with three or more network interfaces
● Types of firewalls
  ○ Packet filters: work at the network layer of the OSI model; can drop packets if needed
  ○ Circuit-level gateways: work at the session layer. Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway. They monitor requests to create sessions and determine whether the session will be allowed; they allow or prevent data streams
  ○ Application-level gateways: app-level proxies can filter packets at the application layer of the OSI model
  ○ Stateful multilayer inspection firewalls: combine the aspects of the other three types of firewalls
● Honeypot
  ○ Information system resource that is expressly set up to attract and trap people who attempt to penetrate an organization's network
    ■ A honeypot can log port access attempts, monitor the attacker's keystrokes, show early signs of an attack, etc.
  ○ Two types of honeypots
    ■ Low-interaction honeypots: simulate only a limited number of services and apps. Cannot be fully compromised
    ■ High-interaction honeypots: simulate all services and apps. Can be completely compromised by attackers, and so capture complete information about an attack vector such as the attack techniques used

IDS Tools

● Snort

Evading IDS

● Insertion attack: the IDS blindly accepts a packet that the end system rejects, so the IDS reconstructs a different stream from the one the host actually processes
● Evasion: the end system accepts a packet that the IDS rejects; the attacker is exploiting the host computer
● DoS attack: the attacker's intrusion attempts will not be logged because the IDS is overwhelmed
● Obfuscating: encoding the attack payload in a way that the target computer understands but the IDS will not (polymorphic code, etc.)
● False positive generation: attackers with knowledge of the target IDS craft packets just to generate alerts, causing the IDS to produce a large number of false positives, then use the noise to hide the real attack traffic
● Session splicing: splitting the attack across many small TCP segments so that no single packet matches a signature; only an IDS that reassembles the session sees the attack
● Unicode evasion technique: attackers can convert attack strings to Unicode characters to avoid pattern and signature matching at the IDS
● Fragmentation attack: attackers keep sending fragments with 15-second delays until the whole attack payload is reassembled at the target system, after the IDS reassembly timer has already given up
● TTL attacks: require the attacker to have prior knowledge of the topology of the victim's network
● Invalid RST packets
  ○ The attacker sends a RST with a bad checksum: the host discards it, but an IDS that does not validate checksums believes the communication has ended and stops watching the session
● Urgency flag
  ○ A URG flag in the TCP header is used to mark data that requires urgent processing
    ■ Many IDS do not address the URG pointer
● Polymorphic shellcode: most IDSs contain signatures for commonly used strings within shellcode. This can be bypassed by using encoded shellcode containing a stub that decodes the shellcode
● Application layer attacks: the IDS cannot verify a signature inside compressed file content

Evading Firewalls

● Port scanning is used to identify open ports and the services running on these ports
  ○ Open ports can be further probed to identify the version of the services, which helps in finding vulnerabilities in these services
● Firewalking: a technique that uses TTL values to determine gateway ACL filters
  ○ The attacker sends a TCP or UDP packet to the targeted firewall with a TTL set to one hop greater than the firewall's; an ICMP time-exceeded reply from the next hop means the packet was allowed through
● Banner grabbing: banners are service announcements provided by services in response to connection requests, and often carry vendor version information
● IP address spoofing to a trusted machine
● Source routing: allows the sender of a packet to partially or completely specify the route of a packet through a network, going around a firewall
● Tiny fragments: forcing some of the TCP packet's header info into the next fragment
● ICMP tunneling: allows tunneling a backdoor shell in the data portion of ICMP echo packets
● ACK tunneling: allows tunneling a backdoor application with TCP packets that have the ACK bit set
● HTTP tunneling method: allows attackers to perform various internet tasks despite the restrictions imposed by firewalls. The method can be implemented if the target company has a public web server with port 80 used for HTTP traffic

Detecting Honeypots

● Attackers craft malicious probe packets to scan for services such as HTTP over SSL, SMTP over SSL, and IMAP over SSL
● Ports that show a particular service running but deny a three-way handshake indicate the presence of a honeypot

Countermeasures

● Shut down switch ports associated with the known attack hosts
● Reset (RST) malicious TCP sessions
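Several of the IDS evasions above (session splicing, Unicode and URL encoding, double encoding) defeat an IDS that matches signatures per packet without first undoing what the target host will decode. Added example, not from the original notes: a Python comparison of a naive per-segment signature matcher against one that reassembles the TCP stream and normalizes it before matching. The signatures, the HTTP request samples and the way they are cut into TCP segments are all constructed for the demo.

```python
"""Signature IDS, per-packet vs. stream-reassembled and normalized.

Added example, not from the original CEH notes. The signatures and the
HTTP requests below are constructed; they stand in for what an IDS would
see on the wire, one TCP segment at a time.
"""
from urllib.parse import unquote_to_bytes

SIGNATURES = [b"../", b"/etc/passwd", b"<script"]

# Overlong UTF-8 encodings that some servers historically decoded to ASCII
# (the IIS "%c0%af" traversal); a strict decoder rejects them, and a naive
# matcher never sees the "/" or "." they turn into.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc0\xae": b".", b"\xc1\x9c": b"\\"}


def naive_match(segment: bytes):
    """Per-packet matcher: inspects each TCP segment in isolation, no decoding."""
    return [s for s in SIGNATURES if s in segment]


def normalize(data: bytes, rounds: int = 3) -> bytes:
    """Undo the encodings the target host will undo before it acts on the
    request: repeated percent-decoding (defeats double encoding), overlong
    UTF-8 folding (defeats the Unicode evasion), and case folding."""
    out = data
    for _ in range(rounds):
        decoded = unquote_to_bytes(out)
        if decoded == out:
            break
        out = decoded
    for bad, good in OVERLONG.items():
        out = out.replace(bad, good)
    return out.lower()


def stream_match(segments):
    """Reassemble the session (defeats session splicing), normalize, then match."""
    stream = normalize(b"".join(segments))
    return [s for s in SIGNATURES if s in stream]


# Constructed evasion cases: each value is the list of TCP segments the IDS sees.
CASES = {
    "plain": [b"GET /../../etc/passwd HTTP/1.0\r\n"],
    "url_encoded": [b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n"],
    "double_encoded": [b"GET /%252e%252e/%252e%252e/etc/passwd HTTP/1.0\r\n"],
    "overlong_utf8": [b"GET /..%c0%af..%c0%afetc/passwd HTTP/1.0\r\n"],
    "spliced": [b"GET /.", b"./.", b"./et", b"c/pas", b"swd HTTP/1.0\r\n"],
}


def compare():
    """Return {case: (naive_hits, stream_hits)}; the gap between them is the evasion."""
    results = {}
    for name, segments in CASES.items():
        naive = sorted({s for seg in segments for s in naive_match(seg)})
        results[name] = (naive, sorted(stream_match(segments)))
    return results


if __name__ == "__main__":
    for name, (naive, stream) in compare().items():
        print(f"{name:15s} naive={naive} stream={stream}")
```

The interesting point is that normalization has to mirror the target's decoding exactly: decode fewer rounds than the server and double encoding slips through, decode more and you raise alerts on traffic the server would never interpret that way. That is the same ambiguity the insertion and evasion attacks exploit at the packet level.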

Module 17: Cloud Computing

- Understanding cloud computing concepts, understanding cloud computing threats, understanding cloud computing attacks, understanding cloud computing security, understanding cloud computing security tools, overview of cloud pen testing

Introduction to Cloud Computing

● Cloud computing is the on-demand delivery of IT capabilities where IT infrastructure and applications are provided to subscribers as a metered service
● Types of cloud computing services
  ○ IaaS: provides virtual machines and other abstracted hardware and OSs, which may be controlled through a service API
  ○ PaaS: offers development tools, configuration management, and deployment platforms on demand, which subscribers can use to develop custom applications
  ○ SaaS: offers software to subscribers on demand over the internet
● Cloud deployment models
  ○ Private cloud: cloud infrastructure operated solely for a single organization
  ○ Community cloud: infrastructure shared between several organizations from a specific community with common concerns
  ○ Hybrid cloud: composition of two or more clouds (private, community or public)
  ○ Public cloud: services are rendered over a network that is open for public use

Cloud Computing Threats

● Data breach/loss, abuse of cloud services, insecure interfaces and APIs, insufficient due diligence, shared technology issues, unknown risk profile, inadequate infrastructure design and planning, conflicts between client hardening procedures and the cloud environment, malicious insiders, illegal access to the cloud, privilege escalation via error

Module 18: Cryptography

- Understanding cryptography concepts, overview of encryption algorithms, cryptography tools, understanding public key infrastructure, understanding email encryption, understanding disk encryption, understanding cryptographic attacks, cryptanalysis

Cryptography Concepts

● The conversion of data into a scrambled code that is sent over a private or public network and decrypted by the intended recipient
  ○ Used for email messages, chat sessions, web transactions, personal data, corporate data, e-commerce apps, etc.
● Types of cryptography
  ○ Symmetric encryption: uses the same key for encryption and decryption
  ○ Asymmetric encryption: uses different keys for encryption and decryption (a public/private key pair)
● Government Access to Keys (GAK)
  ○ Software companies give copies of all keys to the government
  ○ The government promises to hold the keys in a secure vault and use them only when a court issues a warrant
    ■ Gives it the ability to wiretap phones

Encryption Algorithms

● A cipher is an algorithm for performing encryption and decryption
  ○ Classical ciphers: the most basic type; operate on the letters of the alphabet (A-Z)
  ○ Modern ciphers: provide secrecy, integrity, and authentication of the sender. Asymmetric modern ciphers rest on one-way mathematical functions whose hardness comes from problems such as factoring the product of two large primes
    ■ Block ciphers: deterministic algorithm operating on blocks of fixed size with an unvarying transformation specified by a symmetric key
    ■ Stream ciphers: symmetric key ciphers in which plaintext digits are combined with a pseudorandom key stream
  ○ Data Encryption Standard (DES)
    ■ Uses a secret key for both encryption and decryption (symmetric). 56-bit key (64 bits including parity); brute-forceable with modern hardware, so no longer approved
  ○ Advanced Encryption Standard (AES): symmetric key algorithm approved for securing sensitive but unclassified material by U.S. government agencies (128-bit block; 128-, 192- or 256-bit keys)
  ○ RC4: variable key size stream cipher (now broken in practice and prohibited in TLS by RFC 7465)
  ○ RC5: parameterized algorithm with a variable block size (32, 64 or 128 bits), variable key size and variable number of rounds
  ○ RC6: symmetric key block cipher derived from RC5
  ○ Digital Signature Algorithm (DSA): specifies the algorithm to be used in the generation and verification of digital signatures for sensitive, unclassified applications
  ○ Digital signature: computed using a set of rules (i.e., the DSA) and a set of parameters
  ○ RSA (Rivest, Shamir, Adleman)
    ■ An internet encryption and authentication system
    ■ Widely used and one of the de facto encryption standards
    ■ Uses modular arithmetic and elementary number theory
  ○ Message digest (one-way hash)
    ■ Hash functions calculate a fixed-size bit string from input of any length; a good hash makes it impractical to find two inputs with the same digest
    ■ Every output bit has a 50% chance of changing when a single input bit is flipped (the avalanche property)
    ■ MD5, SHA-1, SHA-2 (SHA-256/SHA-512)
● Secure Hashing Algorithms
  ○ SHA-1: produces a 160-bit digest for messages up to 2^64 - 1 bits long; resembles MD5. Practical collisions were demonstrated in 2017, so it should not be used for signatures or certificates
  ○ SHA-2: comprises SHA-256 (32-bit words) and SHA-512 (64-bit words), with the truncated variants SHA-224 and SHA-384
  ○ SHA-3: uses a sponge construction in which each message block is XORed into the state, which is then permuted
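The digest sizes and the 50% bit-change property in the hashing notes above can be checked directly with hashlib. Added example, not from the original notes: it flips one bit of a constructed message and counts how many digest bits change, then averages that fraction over random one-bit flips with a fixed seed so the run is reproducible. The message contents, trial count and seed are constructed.

```python
"""Hash avalanche check and digest sizes with hashlib.

Added example, not from the original CEH notes. Flips a single bit of a
constructed message and counts how many digest bits change; a hash with
good diffusion changes about half of them (mean n/2 for an n-bit digest).
"""
import hashlib
import random

# Reference digest lengths from the notes, in bits.
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha256": 256, "sha512": 512}


def digest_bits(algo: str) -> int:
    """Digest length in bits as reported by hashlib for the algorithm."""
    return hashlib.new(algo).digest_size * 8


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (bit 0 is the LSB of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def changed_bits(algo: str, msg: bytes, bit_index: int) -> int:
    """Hamming distance between H(msg) and H(msg with one bit flipped)."""
    a = int.from_bytes(hashlib.new(algo, msg).digest(), "big")
    b = int.from_bytes(hashlib.new(algo, flip_bit(msg, bit_index)).digest(), "big")
    return bin(a ^ b).count("1")


def avalanche_ratio(algo: str, trials: int = 200, seed: int = 1) -> float:
    """Average fraction of digest bits changed over random one-bit flips of
    random 64-byte messages; close to 0.5 for MD5, SHA-1 and SHA-2 alike."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible input
    total = 0
    for _ in range(trials):
        msg = bytes(rng.getrandbits(8) for _ in range(64))
        total += changed_bits(algo, msg, rng.randrange(64 * 8))
    return total / (trials * digest_bits(algo))


if __name__ == "__main__":
    for algo in DIGEST_BITS:
        print(algo, digest_bits(algo), round(avalanche_ratio(algo), 3))
```

Note that MD5 passes this test just as well as SHA-256: avalanche is necessary but says nothing about collision resistance, which is the property MD5 and SHA-1 have actually lost.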
● What is SSH (Secure Shell)
  ○ Replacement for Telnet
  ○ Provides an encrypted channel
  ○ Provides strong host-to-host and user authentication

Public Key Infrastructure

● Public key infrastructure (PKI): set of hardware, software, people, policies, and procedures required to create, manage, distribute, use, store, and revoke digital certificates
● CA-signed vs. self-signed certificates: a CA-signed certificate is more trustworthy because a third party the client already trusts vouches for the binding between the name and the public key; a self-signed certificate only asserts that about itself

Email Encryption

● A digital signature uses asymmetric cryptography to simulate the security properties of a signature in digital, rather than written, form
  ○ A digital signature may be further protected by encrypting the signed email
● SSL (Secure Sockets Layer): an application-layer protocol developed by Netscape for managing the security of message transmission on the internet
  ○ It uses RSA asymmetric (public key) encryption for the key exchange; the bulk data is protected with a symmetric cipher negotiated in the handshake
● Transport Layer Security (TLS): protocol to establish a secure connection between a client and a server. Uses the RSA algorithm with 1024- and 2048-bit key strengths (1024-bit RSA is no longer considered adequate; 2048 is the current minimum)
  ○ Heartbleed: security flaw in OpenSSL (CVE-2014-0160), a buffer over-read in the TLS heartbeat extension that leaks server memory, including private keys
  ○ POODLE (also reported as "PoodleBleed"): security vulnerability in SSL 3.0 (CVE-2014-3566), a padding-oracle attack enabled by downgrading a connection to SSLv3

Cryptographic Attacks

● Ciphertext-only attack: the goal is to recover the encryption key (or the plaintext) from the ciphertext alone
● Adaptive chosen-plaintext attack: the attacker makes a series of interactive queries, choosing later plaintexts based on the results of earlier ones
● Chosen-plaintext attack: the attacker defines his own plaintext, feeds it into the cipher, and analyzes the resulting ciphertext
● Known-plaintext attack: the attacker has knowledge of some part of the plaintext and its corresponding ciphertext
● Code-breaking methodologies
  ○ Trickery and deceit: social engineering techniques
  ○ Brute force: trying every possible combination
  ○ One-time pad: contains many non-repeating groups of letters or number keys which are randomly chosen
  ○ Frequency analysis: study the frequency of letters or groups of letters in a ciphertext
● Meet-in-the-middle attack on digital signature and double-encryption schemes (not to be confused with a network man-in-the-middle): a known-plaintext attack
  ○ Works by encrypting from the plaintext end and decrypting from the ciphertext end, then matching the intermediate values where the two meet in the middle
  ○ Against double encryption with two k-bit keys this costs about 2^(k+1) cipher operations and a 2^k-entry table instead of 2^(2k) trials, which is why 2DES was never adopted and 3DES offers only about 112 bits of strength
  ○ Can be used for forging signatures in some digital signature schemes
● Side channel attack: physical attack performed on a cryptographic device or cryptosystem (timing, power consumption, electromagnetic emissions) to gain sensitive information
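The frequency analysis item in the code-breaking methodologies above works because a classical substitution preserves the letter statistics of the plaintext. Added example, not from the original notes: a Python shift-cipher breaker that scores all 26 shifts by chi-squared distance from the standard English letter-frequency table and returns the best. The plaintext and key are constructed; the frequency table is the usual published one. The same per-position scoring also breaks a Vigenere cipher once the key length is known, which goes beyond what the notes state.

```python
"""Frequency analysis against a classical shift (Caesar) cipher.

Added example, not from the original CEH notes. The sample plaintext and
key are constructed; ENGLISH is the standard single-letter frequency table
(percent), rounded.
"""
import string

ALPHA = string.ascii_uppercase
ENGLISH = [8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
           6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074]


def shift_encrypt(plaintext: str, key: int) -> str:
    """Classical cipher: shift each letter by `key`, leave other characters alone."""
    out = []
    for ch in plaintext.upper():
        out.append(ALPHA[(ALPHA.index(ch) + key) % 26] if ch in ALPHA else ch)
    return "".join(out)


def letter_counts(text: str):
    counts = [0] * 26
    for ch in text.upper():
        if ch in ALPHA:
            counts[ALPHA.index(ch)] += 1
    return counts


def chi_squared(counts, total: int) -> float:
    """Distance between observed letter counts and what English would predict."""
    return sum((c - total * p / 100) ** 2 / (total * p / 100)
               for c, p in zip(counts, ENGLISH))


def break_shift(ciphertext: str):
    """Try all 26 shifts without decrypting the text each time: undoing a
    shift k rotates the count vector by k. The shift whose counts look most
    like English (lowest chi-squared) is the key. Returns (key, plaintext)."""
    counts = letter_counts(ciphertext)
    total = sum(counts)
    best_key = min(range(26),
                   key=lambda k: chi_squared(counts[k:] + counts[:k], total))
    return best_key, shift_encrypt(ciphertext, -best_key)


# Constructed sample: ordinary English, long enough for the statistics to settle.
SAMPLE = ("THE ENEMY WILL ATTACK THE NORTHERN BRIDGE AT DAWN AND WE MUST MOVE THE "
          "RESERVE BATTALION INTO POSITION BEFORE FIRST LIGHT TO HOLD THE RIVER CROSSING")


if __name__ == "__main__":
    ct = shift_encrypt(SAMPLE, 7)
    print(ct)
    print(break_shift(ct))
```

For a short ciphertext (a few dozen letters) the lowest chi-squared can land on a wrong shift; brute force over all 26 keys with a human reading the candidates is the fallback, and that brute force is exactly what the one-time pad defeats, since every shift is equally likely for every letter.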
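The meet-in-the-middle bullet above is easiest to see against double encryption with two independent keys. Added example, not from the original notes: a Python implementation with a constructed toy 16-bit block cipher (deliberately small so that both keys can be enumerated in well under a second; it is not a secure cipher). The keys and known-plaintext blocks are constructed. The table built from one side and the lookups from the other side cost about 2 * 2^16 operations, whereas brute force over both keys would cost 2^32.

```python
"""Meet-in-the-middle against double encryption with a toy 16-bit block cipher.

Added example, not from the original CEH notes. The toy cipher is
constructed for illustration only (it is not secure); the keys and the
known plaintext blocks are constructed too. The point is the work factor:
two 16-bit keys give a 32-bit key space, but the attack needs about
2 * 2^16 cipher operations plus a 2^16-entry table instead of 2^32 trials.
"""
MASK = 0xFFFF
MUL = 0x9E37                                  # odd, hence invertible mod 2^16
MUL_INV = pow(MUL, (1 << 15) - 1, 1 << 16)    # Euler: a^(phi(2^16)-1) is a^-1


def _rotl(x, r):
    return ((x << r) | (x >> (16 - r))) & MASK


def _rotr(x, r):
    return ((x >> r) | (x << (16 - r))) & MASK


def toy_encrypt(key: int, block: int) -> int:
    """One invertible round: xor key, multiply, add key, rotate."""
    x = (block ^ key) & MASK
    x = (x * MUL) & MASK
    x = (x + key) & MASK
    return _rotl(x, 3)


def toy_decrypt(key: int, block: int) -> int:
    x = _rotr(block, 3)
    x = (x - key) & MASK
    x = (x * MUL_INV) & MASK
    return x ^ key


def double_encrypt(k1: int, k2: int, block: int) -> int:
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """pairs: known (plaintext, ciphertext) blocks under the same (k1, k2).

    Encrypt P1 under every k1 and store the middle value; then decrypt C1
    under every k2 and look up the middle value. Every match is a candidate
    (k1, k2). A single 16-bit block leaves about 2^16 false candidates, so
    the remaining pairs are used to weed them out.
    """
    (p1, c1), rest = pairs[0], pairs[1:]
    middle = {}
    for k1 in range(1 << 16):
        middle.setdefault(toy_encrypt(k1, p1), []).append(k1)
    found = []
    for k2 in range(1 << 16):
        for k1 in middle.get(toy_decrypt(k2, c1), ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                found.append((k1, k2))
    return found


def demo():
    """Constructed secret keys and known blocks; returns the recovered key pairs."""
    k1, k2 = 0x1A2B, 0xC3D4
    plaintexts = [0x4865, 0x6C6C, 0x6F20]
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)


if __name__ == "__main__":
    print([(hex(a), hex(b)) for a, b in demo()])
```

Scaling the same loop to DES keys gives the 2^57 time / 2^56 memory figure that rules out 2DES; triple encryption pushes the meeting point to about 2^112, which is why 3DES with three keys is rated at 112 bits rather than 168.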
Extra Resources:

● NMAP Switches
● CEH Pre-Assessment
● CEH v9 Questions (create a free account to view all questions)