Download free ceh v10 pdf
The text provides thorough coverage of all topics, along with challenging chapter review questions and Exam Essentials, a key feature that identifies critical study areas. Subjects include intrusion detection, DDoS attacks, buffer overflows, virus creation, and more. Thanks to its clear organization, all-inclusive coverage, and practical instruction, the CEH v10 Certified Ethical Hacker Study Guide is an excellent resource for anyone who needs to understand the hacking process or anyone who wants to demonstrate their skills as a Certified Ethical Hacker.

CEH stands for Certified Ethical Hacker. It is a professional certification awarded by the EC-Council (International Council of E-Commerce Consultants).

An ethical hacker is employed by an organization, with the full trust of the employer, to attempt to penetrate its computer systems in order to find and fix security vulnerabilities. Footprinting using Advanced Google Hacking Techniques Google Advanced Search Operators: some advanced options can be used to search for a specific topic using search engines.

These advanced search operators make searches more precise and focused on a certain topic. Google Hacking was popularized by Johnny Long. It is a categorized database of queries designed to uncover information.

This information might be sensitive and not publicly available. Google hacking is used to speed up searches. As shown in the figure, through www. Similarly, www. This trick is used to gather information about people from social networking and other platforms, for fraud, hacking, and getting close to the target.

Footprinting using Social Engineering on Social Networking Sites Social networking is one of the best information sources. Popular and widely used social networking sites have made it quite easy to find someone and learn about them, including basic personal information as well as some sensitive information.

Advanced features on these social networking sites also provide up-to-date information. Figure Social Networking Sites Social networking is not only a source of enjoyment; it also connects people personally, professionally, and traditionally. Social networking platforms can provide sufficient information about an individual by searching for the target. Searching social networks for a person or an organization reveals much information, such as a photo of the target, personal information, contact details, etc.

What users do: people maintain their profile, including personal information, photo, etc.
What the attacker gets: a photo of the target, personal information about the target, contact numbers, email addresses.

Using this personal information, an attacker can create a fake profile with the same details. Posts with location links, pictures, and other location information help to identify the target's location. Timelines and stories can also reveal sensitive information. By gathering information on interests and activities, an attacker can join several groups and forums for further footprinting. Furthermore, skills, employment history, current employment, and much more can be gathered.

This information can be gathered easily and used to determine the type of business of an organization and the technologies and platforms it uses.

When posting on these platforms, people rarely think about what they are posting. Their posts may contain enough information for an attacker, or the missing piece of information an attacker needs to gain access to their systems.

This information can be gathered with online services such as Netcraft, as described earlier. These tools can reveal information such as connection type and status and last-modification details. Determining the Operating System Using websites such as Netcraft. Go to the website www. Results in the figure below are hidden to avoid legal issues. If you enter a complete URL, it shows in-depth detail about that particular website.

Go to the following URL www. This browsing targets a website to gather specific information such as names and email addresses. Downloading an entire website onto a local system lets the attacker use and inspect the website, its directories and structure, and find other vulnerabilities from the mirrored copy in an offline environment.

Instead of sending multiple requests to a web server, this is a way to find vulnerabilities in a website. Mirroring tools can download a website; they also rebuild all directories, HTML, and other files from the server into a local directory. Extracting Information using the Wayback Machine 1. Search for a target website. 2. Select the year from the calendar. 3. Select a date from the highlighted dates. The following is the snapshot of the website on 2nd October These tools automatically check for updates and changes made to target websites.

Email is one of the most popular and widely used professional means of communication, used by every organization. The content or body of an email is therefore important and extremely valuable to attackers. It may include hardware and software information, user credentials, network and security device information, and financial information, all of which are valuable to penetration testers and attackers. PoliteMail is a very useful tool for email footprinting.

PoliteMail tracks email communication with Microsoft Outlook. Using this tool with a list of email addresses from a targeted organization, a malicious link can be sent and each individual event traced. Several online services and software applications offer email header tracing. Email Tracker Pro is one of the popular tools. These websites gather information and reports on companies, including legal news, press releases, financial information, analysis reports, and upcoming projects and plans.

Scrolling down the page shows further results such as a geographical view of the audience, percentages and ranking in every country, and much more. These tools are used to track reputation and ranking, set up notifications when an organization is mentioned on the internet, and much more. Here you can search any keyword; the figure shows the result for Microsoft. Icons separate results from different sources; you can review a result by selecting an entry. WHOIS lookup helps to find out who is behind the target domain name.

Figure whois. There are several lookup tools powered by www. There are several tools available on the internet that perform DNS lookups. You can expand fields to extract information. Consider the figure below. Fortunately, several tools can be used for network footprinting to gain information about the target network. Using these tools, an information seeker can create a map of the targeted network and extract information such as:
- Network address ranges
- Hostnames
- Exposed hosts
- OS and application version information
- Patch state of the host and the applications
- Structure of the applications and back-end servers
Tools for this purpose include:
- Whois
- Ping
- Nslookup
- Tracert
- Traceroute
Tracert options are available in all operating systems as a command-line feature.

Visual traceroute, graphical, and other GUI-based traceroute applications are also available. The traceroute or tracert command returns the path from source to destination hop by hop. The result includes all hops between source and destination, as well as the latency between these hops. After observing the following result, you can identify the network map. Figure Tracert Tracert result of It can either be connected to To verify, trace the next route.

Information can be collected from a human more easily than from systems. Some basic social engineering techniques are:
- Eavesdropping
- Shoulder surfing
- Dumpster diving
- Impersonation
Social Engineering Social engineering can be understood as the art of extracting sensitive information from people. Social engineers keep themselves undetected while unaware and careless people share their valuable information.

The information gathered depends on the type of social engineering: operating system information, software information, network information. Eavesdropping Eavesdropping is a type of social engineering footprinting in which the social engineer gathers information by listening to conversations covertly. Listening to conversations includes listening to, reading, or accessing any source of information without the parties being notified.

Phishing In the phishing process, emails sent to a targeted group contain a message body that looks legitimate. The recipient clicks the link in the email, assuming it is legitimate. Once the reader clicks the link, they are enticed into providing information. It redirects users to a fake webpage that looks like an official website. For example, the recipient is redirected to a fake bank webpage that asks for sensitive information.

Shoulder Surfing Shoulder surfing is another method of gathering information, by standing behind a target while they interact with sensitive information. By shoulder surfing, passwords, account numbers, or other secret information can be gathered, depending on the carelessness of the target. Dumpster Diving Dumpster diving is the process of looking for treasure in trash.

This technique is old but still effective. This interactive tool gathers data and presents graphs for analysis. The main purpose of this data mining tool is the online investigation of relationships among different pieces of information obtained from various sources on the internet. Using transforms, Maltego automates the process of gathering information from different data sources.

A node-based graph represents this information. Registration is required to download the software. After download, installation requires a license key to run the application with full features. At the top, click the Create New Graph icon. In our case, for example, Domain is selected. Select the option and observe the results shown. This tool is written in Python and has independent modules, database interaction, and other features.

You can download the software from www. Figure Recon-ng Search command You can search for any entity within a module. Type run and press Enter to execute. The FOCA tool finds metadata and other hidden information within documents that may be located on web pages.

Scanned search results can be downloaded and analyzed. Click Create to proceed. Click the Search All button. You can select a file, download it, extract its metadata, and gather other information such as username, file creation date, and modification date.

Devices and servers should be configured to avoid data leakage. Provide education, training, and awareness of footprinting, its impact, methodologies, and countermeasures to the employees of an organization. Avoid revealing sensitive information in annual reports, press releases, etc. Prevent search engines from caching web pages. Using Windows-based tools, let's gather some information about the target. You can assume any target domain or IP address; in our case, we are using example.

IP address of example. Round Trip Time 4. TTL value 5. Figure Ping example. You can try again to get a more appropriate fragment value. Download and install the HTTrack tool. In this lab, we are going to copy a website into our local directory and browse it from there in an offline environment. Now you can explore the website offline for its structure and other parameters.

Figure Original Website To make sure, compare the copy with the original example. Open a new tab and go to the URL example. Metasploit Pro enables you to automate the process of discovery and exploitation and provides the necessary tools to perform the manual testing phase of a penetration test. You can use Metasploit Pro to scan for open ports and services, exploit vulnerabilities, pivot further into a network, collect evidence, and create a report of the test results.

Topology Information: In this lab, we are running Metasploit Framework on a private network. Network Distance: 1 hop Service Info: Host: localhost. All scanned ports on Nmap done: IP addresses 9 hosts up scanned in X device X server Now the scanning phase requires some of this information to proceed further. Network scanning is a method of getting network information such as identification of hosts, port information, and services by scanning networks and ports.

When one system probes another, much useful information can be revealed from the reply received. In-depth identification of a network, its ports, and its running services helps to map the network architecture, and the attacker gets a clearer picture of the target.

TCP is connection-oriented; bidirectional communication takes place after a connection is successfully established. UDP is a simpler, connectionless Internet protocol; multiple messages are sent as packets in chunks using UDP. TCP flags:
- ACK: acknowledges the receipt of a packet.
- URG: indicates that the data in the packet is urgent and should be processed immediately.
- PSH: instructs the sending system to send all buffered data immediately.
- FIN: tells the remote system that the communication has ended; in essence, this gracefully closes a connection.
- RST: resets a connection.
This handshaking ensures a successful, reliable, connection-oriented session between the hosts. Establishing a TCP connection involves three steps.

Successful handshaking results in the establishment of a TCP connection. IP defines how computers get data to each other over a routed, interconnected set of networks.

IP defines addressing and routing, while TCP defines how to have a conversation across the link without garbling or losing data. The only difference is that the top three layers are combined into a single Application Layer. These customized network packets can penetrate the network for attacks. Customization can also be used to create fragmented packets.

Select the packet type from the drop-down option. This response verifies that the host is live: an ICMP Echo Reply from the host confirms it is up. Ping scanning is useful not only for identifying live hosts but also for determining whether ICMP packets pass through firewalls, and for observing the TTL value. Instead of probing hosts individually, we can probe a range of IPs using a ping sweep.

There are several tools available for ping sweeps. Scanning Tool 1. Nmap Another way to ping a host is by performing a ping using nmap. Operating system version information. We are using a Windows 7 PC for scanning the network. Procedure: perform a ping scan of the network. Command: nmap -sP We can scan all hosts using the command nmap -O Hping can also handle fragmentation, arbitrary packet body and size, and file transfer. Using Hping, the following can be performed: test firewall rules.

Test network performance. Path MTU discovery. Transfer files even through very strict firewall rules. Traceroute-like behaviour under different protocols. Don't show replies. Full open scanning ensures a response confirming that the targeted host is live and the connection is complete; however, it can be detected and logged by security devices such as firewalls and IDS. Host A initiates the TCP handshake by sending a SYN packet.

If no flag is set, it is known as a Null scan. The receiving system has to decide how to respond when this condition occurs. A closed port responds with a single RST packet. If the port is open, some systems respond as an open port, but modern systems ignore or drop these requests because the combination of flags is bogus. It means the firewall is enabled.

Now go back to the Windows Server and disable the firewall. Figure Disabling Firewall Now run the scan again. These packets can reliably pass through the firewall.

FIN Scan When FIN packets are sent to the target, the port is considered open if there is no response; if the port is closed, an RST is returned. If a Null scan packet is sent to an open port, it brings no response. This scan is comparatively easy to detect, as there is logically no reason to send a TCP packet without any flags.

If an RST packet is received from the target, it means packets toward this port are not being filtered. If there is no response, a stateful firewall is filtering the port. This scan is capable of remaining low profile.
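The scan types above (full-open/SYN, Null, FIN, Xmas, ACK) each use a distinctive TCP flag combination, which is exactly what an IDS rule keys on. The following is an added example, not code from the study guide, that classifies a packet by its flags byte and raises an alert per source that probes several ports; the sample packets are constructed inline.

```python
"""Classify TCP probes by their flag combination, as an IDS rule would.

Added example (not from the study guide). The sample traffic below is
constructed inline; no network access is needed.
"""

# TCP flag bits as laid out in the TCP header flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_tcp_flags(flags: int) -> str:
    """Name the probe type implied by a TCP flags byte.

    Returns one of: 'null_scan', 'xmas_scan', 'fin_scan', 'ack_scan',
    'syn_probe', 'handshake', 'reset', or 'normal'.
    """
    flags &= 0x3F  # only the six classic flags matter here; ignore ECN/CWR
    if flags == 0:
        return "null_scan"          # no flags at all: nothing legitimate sends this
    if flags == FIN | PSH | URG:
        return "xmas_scan"          # FIN+PSH+URG, "lit up like a Christmas tree"
    if flags == FIN:
        return "fin_scan"           # bare FIN without ACK: not part of a real session
    if flags == ACK:
        return "ack_scan"           # bare ACK with no session: firewall-rule probing
    if flags == SYN:
        return "syn_probe"          # first step of the handshake (half- or full-open)
    if flags & RST:
        return "reset"
    if flags & ACK:
        return "handshake"          # SYN/ACK, ACK, PSH/ACK, FIN/ACK: ordinary traffic
    return "normal"

def scan_alerts(packets, threshold: int = 3):
    """Alert for each source IP that sends one kind of suspicious probe to at
    least `threshold` distinct destination ports.

    `packets` is an iterable of (src_ip, dst_port, flags) tuples. Returns a
    sorted list of (src_ip, probe_kind, distinct_port_count).
    """
    suspicious = {"null_scan", "xmas_scan", "fin_scan", "ack_scan", "syn_probe"}
    ports_by_src = {}
    for src, dport, flags in packets:
        kind = classify_tcp_flags(flags)
        if kind in suspicious:
            ports_by_src.setdefault((src, kind), set()).add(dport)
    return sorted(
        (src, kind, len(ports))
        for (src, kind), ports in ports_by_src.items()
        if len(ports) >= threshold
    )

# Constructed sample traffic: one scanner (192.0.2.10) sweeping ports with
# Null and Xmas probes, and one normal client completing a handshake on 443.
SAMPLE_PACKETS = [
    ("192.0.2.10", 22, 0),
    ("192.0.2.10", 80, 0),
    ("192.0.2.10", 443, 0),
    ("192.0.2.10", 8080, FIN | PSH | URG),
    ("192.0.2.10", 3389, FIN | PSH | URG),
    ("198.51.100.7", 443, SYN),
    ("198.51.100.7", 443, ACK),
    ("198.51.100.7", 443, PSH | ACK),
    ("198.51.100.7", 443, FIN | ACK),
]

if __name__ == "__main__":
    for alert in scan_alerts(SAMPLE_PACKETS):
        print("alert: %s sent %s probes to %d distinct ports" % alert)
```

With the default threshold of 3 only the Null sweep is reported; the two Xmas probes stay below it, which is the usual trade-off between sensitivity and false positives when tuning such a rule.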

Idle scanning describes the attacker's ability to stay hidden: if the target investigates the threat, it traces the zombie instead of the attacker. The target machine responds with an RST packet if the port is closed, and the zombie's IPID is not incremented. The zombie responds with an RST packet.

Compare the IPIDs. The port is open if the IPID has incremented by 2. UDP has no flags. UDP packets work with ports; no connection orientation is required. There is no response if the targeted port is open; if the port is closed, a "Port unreachable" message is returned.
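The idle scan works only because the zombie's IP identification field is a single global counter, so the defender-side question is whether one of your own hosts behaves that way. The block below is an added example, not from the study guide: it tests an IPID sample sequence for predictability and encodes the +1/+2 inference rule from the text so an analyst can recognise the pattern in a capture. The IPID samples are constructed inline.

```python
"""IPID analysis for the idle (zombie) scan.

Added example, not from the study guide. Two checks: whether a host's IPID
field increments globally and predictably (the property that makes it usable
as a zombie; randomised or per-destination IPIDs are the mitigation), and the
inference a scanner draws from a before/after IPID pair.
"""

def ipid_deltas(ipids):
    """Deltas between consecutive IPID samples, modulo the 16-bit field."""
    return [(b - a) & 0xFFFF for a, b in zip(ipids, ipids[1:])]

def is_predictable_ipid(ipids, max_step: int = 1) -> bool:
    """True if every delta between consecutive samples is in 1..max_step.

    A host answering probes from a single observer with such a sequence is a
    candidate zombie. Randomised IPID generation produces large, irregular
    deltas and fails this test.
    """
    deltas = ipid_deltas(ipids)
    return len(deltas) > 0 and all(1 <= d <= max_step for d in deltas)

def idle_scan_inference(ipid_before: int, ipid_after: int) -> str:
    """Classify a target port from the zombie's IPID before and after the
    spoofed SYN, following the rule in the text:
      +1: only the scanner's own probe was answered -> closed or filtered
      +2: the zombie also answered the target's SYN/ACK with an RST -> open
    Any other jump means other traffic interfered and nothing can be inferred.
    """
    delta = (ipid_after - ipid_before) & 0xFFFF
    if delta == 1:
        return "closed_or_filtered"
    if delta == 2:
        return "open"
    return "inconclusive"

# Constructed samples: a legacy host with one global counter, and a modern
# host that randomises its IPID field.
SEQUENTIAL_HOST = [4110, 4111, 4112, 4113, 4114]
RANDOMISED_HOST = [51203, 3391, 60018, 9877, 27740]

if __name__ == "__main__":
    print("sequential host usable as zombie:", is_predictable_ipid(SEQUENTIAL_HOST))
    print("randomised host usable as zombie:", is_predictable_ipid(RANDOMISED_HOST))
    print("IPID 4114 -> 4116 means port", idle_scan_inference(4114, 4116))
```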

The following are some effective tools for network scanning. An IDS has to reassemble the incoming packet stream in order to inspect it and detect the attack. The small packets are further modified to make them harder to reassemble and detect. Another way of using fragmentation is to send the fragmented packets out of order, with pauses between them to create delays. These packets are sent through proxy servers or compromised machines to launch attacks.

By gathering information about the running operating system, the attacker determines the vulnerabilities and possible bugs that the operating system may have. The two types of OS fingerprinting are: 1. Active OS fingerprinting 2. Passive OS fingerprinting Banner grabbing is similar to OS fingerprinting, but banner grabbing actually determines the services running on the target machine.

Typically, Telnet is used to retrieve banner information. Nmap, as we know, is a powerful networking tool that supports many features and commands. A detailed assessment of the response gives clues about the nature of the operating system, disclosing its type. Having valuable network information such as security zones, security devices, routing devices, number of hosts, etc. Once the network diagram is designed, it defines the logical and physical path leading to the appropriate target within a network.

A network diagram visually explains the network environment and provides an even clearer picture of that network. Network mappers are network mapping tools that use scanning and other network tools and techniques to draw a picture of a network.

The important thing to keep in mind is that these tools generate traffic, which can reveal the presence of an attacker or pentester on the network. It can also perform performance management. Network View is an advanced network discovery tool. Some popular tools are: 1. Network Topology Mapper 2. OpManager 3. Network View 4. It also offers additional features such as editing nodes manually, exporting diagrams to Visio, multi-level network discovery, etc.

Select all or the required devices to add to the topology. Figure Discovered Devices List Topology view of the scanned network. Now you can add nodes manually, export the diagram to Visio, and use other features of the tool. Proxy systems play an important role in networks. Proxies are used by scanners to hide their identity so that they cannot be traced back from the target.

When a user requests a resource from a publicly available server, the proxy server acts as an intermediary: the user's request is forwarded to the proxy server first. The most popular use of proxy servers is as web proxies.

Web proxy servers are used to provide access to the World Wide Web by bypassing IP address blocking. Remote access to an intranet. Redirecting all requests to the proxy server to hide identity. Proxy chaining to avoid detection. In proxy chaining, one proxy server forwards the traffic to the next proxy server. This is not recommended for production environments or as a long-term solution; however, the technique leverages your existing proxy.

Figure Proxy Chaining Proxy Tools There are a number of proxy tools available; you can also search online for a proxy server and configure it manually in your web browser.

These tools include: 1. Proxy Switcher 2. Proxy Workbench 3. TOR 4. You can enable any proxy server to hide your IP address. The following figure shows the process of searching for proxy servers using the Proxy Switcher tool. Tails is an operating system specially designed to help you use the internet anonymously, leaving no trace behind. Tails preserves privacy and anonymity.

An attacker illicitly impersonates another machine by sending manipulated IP packets with a spoofed source IP address. The spoofing process involves modifying the header with a spoofed source IP address, the checksum, and the order values.

Packet-switched networking causes packets to arrive at the destination in a different order. When these out-of-order packets are received at the destination, they are reassembled to extract the message. In the direct TTL probe technique, packets are sent to the host suspected of sending spoofed packets, and the responses are observed.

However, TTL values can vary even in normal traffic, and this technique identifies spoofing when the attacker is on a different subnet. If the IPID values are not close, the suspect traffic is spoofed. This technique can be used when the attacker is within the subnet. We have also discussed several tools that can be helpful in collecting general information about the target. Now we move on to observe the target more closely in order to gain detailed information. This information is sensitive, such as network information, network resources, routing paths, SNMP, DNS, and other protocol-related information, user and group information, etc.
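The two spoofing checks just described (direct TTL probe and IPID proximity) can be written down precisely. The block below is an added example, not code from the study guide: it compares a suspect packet with the reply to a probe sent to its claimed source, estimating hops from the TTL by rounding up to a common initial TTL (an assumption that is exactly why the text warns TTLs vary). Packets are constructed inline as small dicts.

```python
"""Spoofed-source checks: direct TTL probe and IPID proximity.

Added example, not from the study guide. The TTL check is useful when the real
sender is on a different subnet; the IPID check within the same subnet.
"""

# Initial TTLs commonly used by operating systems. The observed TTL is rounded
# up to the nearest one to estimate how many hops the packet travelled; this is
# an assumption, and it is the reason the TTL check needs a tolerance.
INITIAL_TTLS = (64, 128, 255)

def hop_count(ttl: int) -> int:
    """Estimate hops travelled from an observed TTL."""
    initial = next(i for i in INITIAL_TTLS if i >= ttl)
    return initial - ttl

def ttl_probe_check(suspect_ttl: int, probe_reply_ttl: int, tolerance: int = 1) -> str:
    """Direct TTL probe: the suspect packet and the reply to a probe sent to
    its claimed source should have travelled a similar number of hops.
    A larger difference means the packet did not come from where it claims.
    """
    diff = abs(hop_count(suspect_ttl) - hop_count(probe_reply_ttl))
    return "spoofed" if diff > tolerance else "consistent"

def ipid_proximity_check(suspect_ipid: int, probe_reply_ipid: int, window: int = 50) -> str:
    """IPID check: a host with a global IPID counter answers a probe with an
    ID close to (and just after) the one in a packet it really sent moments
    before. A distant value means the suspect packet was not its own.
    """
    distance = (probe_reply_ipid - suspect_ipid) & 0xFFFF
    return "consistent" if distance <= window else "spoofed"

def assess_packet(suspect: dict, probe_reply: dict) -> dict:
    """Run both checks on a suspect packet against the probe reply from the
    address it claims to come from, returning each verdict separately so the
    analyst can weigh them (the TTL check is the weaker of the two).
    """
    return {
        "src": suspect["src"],
        "ttl_check": ttl_probe_check(suspect["ttl"], probe_reply["ttl"]),
        "ipid_check": ipid_proximity_check(suspect["ipid"], probe_reply["ipid"]),
    }

# Constructed samples. SUSPECT_A claims to be 192.0.2.50, but the real
# 192.0.2.50 answers from 3 hops away (TTL 61 of 64) with a far-off IPID,
# while the suspect packet shows 10 hops (TTL 118 of 128). SUSPECT_B is genuine.
SUSPECT_A = {"src": "192.0.2.50", "ttl": 118, "ipid": 7001}
REPLY_A = {"src": "192.0.2.50", "ttl": 61, "ipid": 30412}
SUSPECT_B = {"src": "198.51.100.9", "ttl": 58, "ipid": 12000}
REPLY_B = {"src": "198.51.100.9", "ttl": 58, "ipid": 12007}

if __name__ == "__main__":
    for suspect, reply in ((SUSPECT_A, REPLY_A), (SUSPECT_B, REPLY_B)):
        print(assess_packet(suspect, reply))
```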

This sensitive information is required to gain access to a system, and it is gathered actively using different tools and techniques. With an active connection, direct queries are generated to gain more information, which helps to identify the system's attack points. Once the attacker discovers attack points, they can use the collected information to gain unauthorized access and reach assets.

Using the tools required for the enumeration phase may cross legal boundaries, and there is a chance of being traced, because active connections to the target are used. You must have proper permission to perform these actions.

An email address contains a username and a domain name. Enumeration using Default Passwords Another way of enumerating is by using default passwords. Every device and software product has default credentials and settings, which are recommended to be changed. It becomes easy for an attacker to gain unauthorized access using default credentials.

Finding the default settings, configuration, and password of a device is not difficult. The attacker uses default community strings, or guesses the string, to extract information about a device.

The SNMP protocol was developed to allow administrators to manage devices such as servers, routers, switches, and workstations on an IP network. It allows network administrators to manage network performance, find, troubleshoot, and solve network problems, and design and plan for network growth.

SNMP is an application layer protocol that provides communication between managers and agents. It restricts access to network resources to the defined users and computers. Active Directory is a big target and a rich source of sensitive information for an attacker. Brute force attacks, or queries to LDAP services, are performed to gather information such as usernames, addresses, credentials, privilege information, etc. A zone transfer is the process used to update DNS servers; the zone file carries valuable information that an attacker can retrieve.

We will enumerate services, ports, and operating system information using the nmap utility on Kali Linux. The initial 15 characters of a NetBIOS name identify the device; the 16th character identifies the service.

It is also used to display information such as NetBIOS name tables, the name cache, and other information. The command using the nbtstat utility is shown below: nbtstat. Enter the hostname or IP address of the target Windows machine. Select the enumeration type from the left section. After configuring, click Enumerate to start the enumeration process. Figure SuperScan Enumeration tool After starting the enumeration, it gathers information about the target machine such as MAC address, operating system, and other details, depending on the type of enumeration selected.

Nsauditor Network Security Auditor Nsauditor network monitoring provides some insight into services running locally, with options to dig down into each connection, analyze the remote system, terminate connections, and view data. In this lab, we are using Windows Server to scan shared resources in a network using SoftPerfect Network Scanner.

Go to Properties. This host has folders shared with different users. Figure Exploring Results Now select another host and go to Properties. SNMP requires a community string to authenticate the management station. Using the default community string, or by guessing it, the attacker gains unauthorized access and extracts information such as hosts, devices, shares, network information, and much more.

SNMP Read-Write community string: used in requests for information from a device and to modify settings on that device. The management station collects information about different aspects of the network devices. The second requirement is configuration and software support on the networking devices themselves. Technically, three components are involved in deploying SNMP in a network: SNMP Manager: a software application running on the management station that displays the information collected from networking devices in a readable form.

SNMP Agent: software running on the networking nodes whose components need to be monitored. Management Information Base: MIB stands for Management Information Base and is a collection of information organized hierarchically in a virtual database.

These are accessed using a protocol such as SNMP. Tabular objects define multiple related object instances. MIBs are collections of definitions that describe the properties of the managed objects within the device being managed.

MIB Example: The typical objects to monitor on a printer are the cartridge states and perhaps the number of printed files; on a switch, the typical objects of interest are incoming and outgoing traffic, the rate of packet loss, and the number of packets addressed to a broadcast address.

V1: a plain-text community string is used for authentication, with no support for encryption or hashing. Version 3 implementations have three models.

NoAuthNoPriv means that neither encryption nor hashing will be used. It helps network engineers manage their devices and IP address space with ease. It performs network monitoring, detection of rogue device intrusions, bandwidth usage monitoring, and more.
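The weaknesses the SNMP passages above describe (default or guessable community strings, read-write communities, plain-text v1/v2c authentication, and v3 groups below authPriv) can all be caught from the device configuration. The block below is an added example, not code from the study guide: it audits Cisco-IOS-style `snmp-server` lines (a real syntax, chosen here as an assumption about the device) and shows a weak configuration beside its hardened form, both constructed inline.

```python
"""Audit SNMP configuration lines for the weaknesses described in the text.

Added example, not from the study guide. Checks Cisco-IOS-style `snmp-server`
lines for default community strings, read-write access, v1/v2c use, and v3
groups that are not authPriv. The configurations are constructed inline.
"""
import re

DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin", "manager", "snmp"}

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (RO|RW)\b", re.I)
V3_GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)\b", re.I)
V1V2_GROUP_RE = re.compile(r"^snmp-server group (\S+) (v1|v2c)\b", re.I)

def audit_snmp_config(config: str):
    """Return a list of (line_no, severity, finding) tuples for a config text."""
    findings = []
    for no, line in enumerate(config.splitlines(), start=1):
        line = line.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community, mode = m.group(1), m.group(2).upper()
            # Any community string means v1/v2c: authentication is a plain-text
            # secret on the wire, with no hashing and no encryption.
            findings.append((no, "medium",
                             "community-string auth is v1/v2c: plain text, no hashing"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append((no, "high",
                                 "default or guessable community '%s'" % community))
            if mode == "RW":
                findings.append((no, "high",
                                 "read-write community allows changing device settings"))
            continue
        m = V1V2_GROUP_RE.match(line)
        if m:
            findings.append((no, "medium",
                             "group '%s' uses %s" % (m.group(1), m.group(2).lower())))
            continue
        m = V3_GROUP_RE.match(line)
        if m:
            level = m.group(2).lower()
            if level == "noauth":
                findings.append((no, "high",
                                 "v3 group '%s' is noAuthNoPriv: no hashing, no encryption"
                                 % m.group(1)))
            elif level == "auth":
                findings.append((no, "low",
                                 "v3 group '%s' is authNoPriv: hashed but unencrypted"
                                 % m.group(1)))
            # "priv" (authPriv) is the level the text recommends; no finding.
    return findings

# Constructed "before" configuration with the weak settings, and the "after"
# form that keeps only an authPriv v3 group.
WEAK_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server group NETOPS v3 noauth
"""
HARDENED_CONFIG = """\
snmp-server group NETOPS v3 priv
"""

if __name__ == "__main__":
    for item in audit_snmp_config(WEAK_CONFIG):
        print("line %d [%s] %s" % item)
    print("hardened findings:", audit_snmp_config(HARDENED_CONFIG))
```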

LDAP is for accessing and maintaining distributed directory information services in a hierarchical, logical structure. A directory service plays an important role by allowing the sharing of information about users, systems, networks, services, etc. LDAP provides a central place to store usernames and passwords. NTP is an important protocol, as directory services, network devices, and hosts rely on clock settings for login purposes and for logging to keep a record of events.

NTP helps correlate events by the time at which system logs are received by syslog servers. The stratum value is like a TTL number that changes at every hop a packet passes: starting from one, it increases by one at every hop.

For example, if we see stratum number 10 on a local router, it means the NTP server is nine hops away. Securing NTP is also an important aspect, as an attacker may change the time in the first place to mislead the forensic teams who investigate and correlate events to find the root cause of an attack. Authentication can be used to mitigate such an attack.

NTP Enumeration Another important aspect of collecting information is the time at which a specific event occurs. Thanks to the creators of NTP v3, it supports authentication with the NTP server before its time is considered authentic.

Figure ntptrace commands ntpq is a command-line utility used to query NTP servers. It uses the standard NTP mode 6 control message format. Multiple -c options may be given. Prompts are written to standard output and commands are read from standard input.

This is equivalent to the peers interactive command. By inspecting and comparing the responses for valid and invalid users while interacting with the SMTP server via telnet, valid users can be determined. DATA: define data. HELP: show help. QUIT: terminate a session. Using port scanning techniques, you can find out whether the port is open. The DNS zone transfer process provides support for resolving queries, as more than one DNS server can then respond to queries.

Consider a scenario in which both primary and secondary DNS servers respond to queries. DNS Zone Transfer using the nslookup command 1. Figure nslookup command 2. It will retrieve all records from a DNS server. If not allowed, it will show that the request failed. Figure nslookup command 7. In the hacking cycle, vulnerability analysis is a major and important part. In this chapter, we discuss the concept of vulnerability assessment, its phases, types of assessment, tools, and other important aspects.

Vulnerability assessment includes discovering weaknesses in an environment, design flaws, and other security concerns that can cause an operating system, application, or website to be misused.

These vulnerabilities include misconfigurations, default configurations, buffer overflows, operating system flaws, open services, and others. Different tools are available to network administrators and pentesters for scanning a network for vulnerabilities. Discovered vulnerabilities are classified into three categories based on their severity level, i.e.

Vulnerability Assessment Vulnerability assessment can be defined as the process of examining, discovering, and identifying the security measures and weaknesses of systems and applications.

Systems and applications are examined for security measures to determine how effectively the deployed security layers withstand attacks and misuse. Types of Vulnerability Assessments Active Assessments: An active assessment is a vulnerability assessment that involves actively sending requests to the live network and examining the responses.

In short, it is an assessment that requires probing the target host. Passive Assessments: A passive assessment is a vulnerability assessment that usually uses packet sniffing to discover vulnerabilities, running services, open ports, and other information; it does not interfere with the target host.

External Assessment: Another category is the external assessment, which is performed from a hacker's perspective to find vulnerabilities that could be exploited from outside. An internal assessment includes discovering vulnerabilities by scanning the internal network and infrastructure. Figure Types of Vulnerability Assessment Vulnerability Assessment Life-Cycle The vulnerability assessment life cycle includes the following phases: Creating Baseline Creating a baseline is the pre-assessment phase of the vulnerability assessment life cycle, in which the pentester or network administrator performing the assessment identifies the nature of the corporate network, its applications, and its services.

He creates an inventory of all resources and assets, which helps to manage and prioritize the assessment. In the end, the baseline helps to plan the process effectively, schedule the tasks, and manage them according to priority.

Vulnerability Assessment

The vulnerability assessment phase focuses on assessing the target. The assessment process includes examination and inspection of security measures such as physical security as well as security policies and controls.

Once scanning is complete, findings are ranked by priority. At the end of this phase, the vulnerability assessment report shows all detected vulnerabilities, their scope, and their priorities.

Figure: Vulnerability Assessment Lifecycle

Risk Assessment

Risk assessment includes scoping the identified vulnerabilities and their impact on the corporate network or on the organization.

Remediation

The remediation phase includes remedial actions for the detected vulnerabilities. High-priority vulnerabilities are addressed first because they can have the greatest impact.

Verification

The verification phase ensures that all vulnerabilities in the environment have been eliminated.

Vulnerability Assessment Solutions

Different approaches exist for vulnerability assessment.

Product-based Solution vs. Service-based Solution

Product-based solutions are deployed within the corporate network of an organization or a private network.

These solutions are usually dedicated to the internal private network. Service-based solutions are third-party solutions which offer security and auditing of a network. These solutions can be hosted either inside or outside the network. Because these solutions are allowed into the internal network, they carry a security risk of being compromised.

Tree-based Assessment vs. Inference-based Assessment

Tree-based assessment is the approach in which the auditor follows a different strategy for each component of the environment.

For example, in an organization's network where different machines are live, the auditor may use one approach for Windows-based machines and another technique for Linux-based servers. Inference-based assessment is another approach, in which the assessment depends on the inventory of protocols found in the environment.

For example, if the auditor finds a protocol, using the inference-based approach the auditor will investigate the ports and services related to that protocol.

Best Practices for Vulnerability Assessment

The following are some recommended steps for obtaining effective results from a vulnerability assessment. A network administrator or auditor should follow these best practices.

Before running any vulnerability assessment tool on a network, the auditor must understand the complete functionality of that tool.

It will help to select the appropriate tool to extract the desired information. Be clear about the source location of the scan to narrow the focus area. Run vulnerability scans frequently. The numerical score can then be translated into a qualitative representation such as low, medium, high, and critical to help organizations properly assess and prioritize their vulnerability management processes. Security Base Score Rating None 0. CVE maintains a list of known vulnerabilities, including an identification number and a description for each known cybersecurity vulnerability.

Vulnerability Scanning

In this era of modern technology, finding vulnerabilities in an existing environment is becoming easy using different tools.

Various tools, both automated and manual, are available to help find vulnerabilities. Vulnerability scanners are automated utilities specially developed to detect vulnerabilities, weaknesses, problems, and holes in an operating system, network, software, and applications.

These scanning tools perform deep inspection of scripts, open ports, banners, running services, configuration errors, and other areas. These tools are used not only by security experts to inspect running software and applications for risks and vulnerabilities, but also by attackers to find loopholes in an organization's operating environment.

Vulnerability Scanning Tool

1. This scanning product focuses on vulnerability and configuration assessment. Using this tool, you can customize and schedule scans and extract reports. It provides a quick snapshot of the security and compliance posture of the network and web along with recommendations. The following figure shows the result of a vulnerability scan of a targeted network.

This lab is performed on a Windows 10 virtual machine using the Nessus vulnerability scanning tool.

Configuration:
1. Download and install the Nessus vulnerability scanning tool. Open a web browser. Click on the Advanced button. Proceed to Add Security Exception.

Confirm the security exception.
Figure: Confirm Security Exception
7. The following dashboard will appear.
Figure: Nessus Dashboard
9. In Basic Settings, set a name for the policy.
Figure: Configuring Policy
Now go to the Credentials tab to set credentials. Check the policy to confirm it has been configured successfully.
Figure: Verify Policy
Figure: Launching Scan
Observe the status to confirm the scan has started successfully. Upon completion, observe the results.

Figure: Scan Results
Click on the Vulnerabilities tab to observe the vulnerabilities detected. You can also check the other tabs, Remediation, Notes and History, for more details about the history, issues and remediation actions.

Go to the Export tab to export the report and select the required format. The following is a preview of the exported report in PDF format.

All information extracted so far has been focused on the target; now, using this collection of information, we move forward to gaining access to the system. The information collected in the previous phases includes a list of valid usernames, email addresses, passwords, groups, IP ranges, operating systems, hardware and software versions, shares, protocol and service information, and other details.

Depending on the information collected, the attacker will have a more or less precise picture of the target. The process of system hacking is more difficult and complex than the previous phases. Before starting the system hacking phase, an ethical hacker or pentester must remember that access to the target system cannot be gained in one go.

You must be patient, observe deeply and persist; then you will find results.

System Hacking Methodology

The process of system hacking is classified into the following methods:
1. Cracking passwords
2. Escalating privileges
3. Executing applications
4. Hiding files
5. Covering tracks

Goals of System Hacking

In the methodological approach to system hacking, bypassing access controls and policies by password cracking or social engineering attacks leads to gaining access to the system.

Using the operating system information, known vulnerabilities of the operating system are exploited to escalate privileges. Once access to the system has been gained and rights and privileges acquired, an attacker can execute applications such as Trojans, backdoors, and spyware to create a backdoor and maintain remote access to the target system.

Now, to steal the actual information, data or other assets of the organization, the attacker needs to hide its malicious activities. Rootkits and steganography are the most common techniques for hiding malicious activities. Once an attacker has stolen the information and remains undetected, the last phase of system hacking ensures continued non-detection by hiding the evidence of compromise through modifying or clearing the logs.

Usually, only username and password authentication is configured, but password authentication is now moving toward two-factor or multi-factor authentication, which combines the username and password with additional factors such as biometrics.

Password cracking may be performed by a social engineering attack or by tampering with the communication and stealing the stored information. Guessable passwords, short passwords, passwords with weak encryption, and passwords containing only numbers or only letters can be cracked with ease. A strong, lengthy and hard-to-guess password is always an effective line of defense against these cracking attacks.

Typically, a good password contains:
- upper and lower case letters
- special characters
- numbers
- sufficient length, typically more than 8 characters

Types of Password Attacks

Password attacks are classified into the following types:
1. Non-Electronic Attacks
2. Active Online Attacks
3. Passive Online Attacks
4. Default Password
5. Offline Attack

1. Non-Electronic Attacks

Non-electronic or non-technical attacks are attacks which do not require any technical understanding or knowledge. This type of attack can be carried out by shoulder surfing, social engineering, and dumpster diving.

2. Active Online Attacks

Active online attacks include different techniques that interact directly with the target to crack the password.

Active online attacks include:

1. Dictionary Attack

In a dictionary attack, a password cracking application is used together with a dictionary file. This dictionary file contains an entire dictionary or a list of known and common words, which are tried in turn to recover the password. This is the simplest type of password cracking, and systems are usually not vulnerable to dictionary attacks if they use strong, unique, alphanumeric passwords.

Brute Force Attack

A brute force attack attempts to recover the password by trying every possible combination of characters. Each combination is attempted until the password is accepted. Brute forcing is the common, basic technique for uncovering a password.

Hash Injection

A hash injection attack requires knowledge of hashing and other cryptographic techniques.

In this type of attack, a. By compromising a workstation or a server through exploiting vulnerabilities, the attacker gains access to the machine. Once the machine is compromised, the attacker extracts the logon hashes of valuable users and administrators. With these extracted hashes, the attacker logs on to a server such as the domain controller to compromise more accounts.

3. Passive Online Attacks

Passive online attacks are performed without interfering with the target. These attacks are significant because they extract the password without revealing the attacker's presence, since the password is obtained without directly probing the target. Different sniffing tools are available which can collect the packets flowing across the LAN, regardless of the type of information they carry.

Some sniffers offer filters to capture only certain types of packets.

Man-in-the-Middle Attack

A man-in-the-middle attack is an attack in which the attacker inserts himself into the communication between other nodes.

An MITM attack can be described as a user communicating with another user or server while the attacker inserts himself into the conversation by sniffing the packets and generating MITM or replay traffic. Once packets are captured, relevant information such as passwords is extracted. By generating replay traffic injected with the extracted information, the attacker gains access to the system.

4. Default Password

Every new piece of equipment is configured with a default password by the manufacturer. It is recommended to change the default password to a unique, secret set of characters. An attacker can attempt this type of attack by looking up default passwords on the device manufacturer's official website or through online tools for searching default passwords.

The following is a list of online tools available for searching default passwords. Go to any of the websites you would like to use for searching the default password of a device.

5. Offline Attacks

Pre-Computed Hashes and Rainbow Tables

An example of an offline attack is comparing a password hash against a rainbow table. The hash of every possible combination of characters is computed to create the rainbow table. Once the rainbow table contains all possible precomputed hashes, the attacker captures the target's password hash and compares it with the rainbow table.

The advantage of a rainbow table is that all hashes are precomputed, so it takes only moments to compare and reveal the password. The limitation of a rainbow table is that it takes a long time to create by computing all the hashes. To generate rainbow tables. Click OK to proceed. Using the unused processing power of machines across the network, DNA recovers the password by decrypting the hashes.
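The following is an added illustration, not code from the study guide: a simplified precomputed lookup table (standing in for a rainbow table, without its chain/reduction structure) recovers an unsalted hash instantly, while a per-user random salt means the table would have to be recomputed for every salt. The wordlist and sample password are constructed for the demonstration.

```python
# Added illustration (not from the study guide): why precomputed hash tables
# work against unsalted hashes and why a per-user salt defeats them.
import hashlib
import os

# Constructed sample "wordlist" standing in for the character combinations a
# rainbow table would cover; real tables are vastly larger.
WORDLIST = ["password", "letmein", "welcome1", "Summer2019!"]


def sha256_hex(data: bytes) -> str:
    """Plain SHA-256 hex digest; used for both table building and lookup."""
    return hashlib.sha256(data).hexdigest()


def build_precomputed_table(words):
    """Map hash -> plaintext for every word; computed once, reused for every target."""
    return {sha256_hex(w.encode()): w for w in words}


def lookup(table, captured_hash):
    """Instant recovery if the captured hash was precomputed; None otherwise."""
    return table.get(captured_hash)


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user random salt: the same password yields a different hash per user."""
    return sha256_hex(salt + password.encode())


def verify_salted(password: str, salt: bytes, stored: str) -> bool:
    """Legitimate verification still works because the salt is stored alongside the hash."""
    return salted_hash(password, salt) == stored


def demo():
    table = build_precomputed_table(WORDLIST)
    # Unsalted storage: a captured hash matches the precomputed table immediately.
    hit = lookup(table, sha256_hex(b"welcome1"))
    # Salted storage: the table never contains the salted value, so the whole
    # table would have to be recomputed for each distinct salt.
    salt = os.urandom(16)
    stored = salted_hash("welcome1", salt)
    miss = lookup(table, stored)
    return hit, miss, verify_salted("welcome1", salt, stored)


if __name__ == "__main__":
    print(demo())  # ('welcome1', None, True)
```

In production, a salt should be combined with a deliberately slow password hashing function (for example PBKDF2 or bcrypt) so that even per-salt recomputation is expensive.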

Password Guessing

Password guessing is the trial-and-error method of guessing the password. The attacker uses the information extracted in the initial phases to guess the password, attempting it manually. This type of attack is not common, and the failure rate is high because of password policy requirements. Normally, information collected through social engineering helps to guess the password. When a USB drive is plugged in, the Windows Autorun feature allows an application to run automatically if the feature is enabled.

Once the application is allowed to execute, it will extract the passwords. When you authenticate an entity, the purpose of authentication is to validate whether the device is legitimate. When you authenticate a user, you are verifying the actual user against an impostor.

These protocols ensure the authentication of users, computers, and services. On the Microsoft platform, the SAM database contains passwords in hashed form along with other account information. While the operating system is running, this database is locked so that it cannot be accessed by any other service or process. Several other security algorithms are applied to the database to secure it and validate the integrity of its data.

Windows XP and later versions of Windows do not store the value of the LM hash, or, when the password exceeds 14 characters, store a blank or dummy value instead. This challenge is a byte random number generated by the domain controller.


