Penetration Testing and Ethical Hacking

 

 

Ethical Hacking: Ken Underhill

Course at Cybrary: https://cybrary.it/course/ethical-hacking/

 

 

Requirements:

Basic knowledge of Windows in a domain environment (not discussed, but assumed).

Intermediate knowledge of Linux (command-line usage and tool switches).

 

CEH exam eligibility:

- Minimum of 2 years of experience in IT security, or an official EC-Council training (about 6000 dollars), which this course is not.

- 100 euro upfront (non-refundable) to get approved for the exam.

- The exam itself is 1200 dollars.

- Retake pricing differs by region (Europe: 560 euro).

 

What you can do is get a letter from your employer confirming that you have worked in IT security for the last 2 years. Any proof you can find or have published will help in getting approved.

 

Module 1: Introduction
1.0 Course Introduction EH
5 minutes

Course structure:
Pre-assessments
Post-assessments
Video lectures
Labs
Resources

1.1 CIA Black White Grey Hats EH
10 minutes

Pre-assessments

What is another name for an ethical hacker?
Penetration tester

Money motivation?
Bug bounty programs

Penetration Testing Methodology
1. Reconnaissance
2. Scanning
3. Gaining access
4. Maintaining access
5. Covering tracks

Black hat: malicious, no authorization
Grey/Gray hat: in between, e.g. finds a flaw without permission and publishes it so it gets fixed
White hat: authorized, works with the owner

Gray box testing sits between black box (tester has no prior knowledge) and white box (tester has full knowledge, e.g. source code and credentials): the tester gets partial knowledge.

Identity and Access Management (IAM)
Providing the right people, the right access at the right time.

Red vs Blue
Blue team = defender (block attacks)
Red team = offender

C.I.A. Triad
- Confidentiality - only the people who need to know have access to the information
- Integrity - the information is valid and has not been altered
- Availability - the information can be accessed when it is needed

Authentication / Non-repudiation

Authentication factors:
something you are (biometrics)
something you have (badge, token)
something you know (password)

Non-repudiation: being able to prove that someone did something (e.g. that an e-mail was sent by this person), so they cannot deny it later.

Physical Security

- Plans, steps and procedures to protect your assets
- Physical measures: things you can touch (locks, fences, guards)
- Technical measures: smartcards, access control systems
- Operational measures: policies and procedures

AI and cyber security

Event correlation: related events from different sources are combined and flagged (or not) as an incident.

1.2 Laws EH
7 minutes

Laws and standards
HIPAA
PCI-DSS
SOX
DMCA
FISMA
ISO/IEC 27001:2013

HIPAA
Health Insurance Portability and Accountability Act
Safeguarding private medical information
Carries strict penalties for violations

PCI-DSS
PCI Data Security Standard - high-level overview
Applies to anyone who stores, processes or transmits credit card data
Requires patch management
Requires a security policy

SOX
Sarbanes-Oxley Act
Management must document controls over financial reporting
External auditors test the internal controls over finance

DMCA
Digital Millennium Copyright Act
Copyright infringement: takedown requests for infringing content, including removal of search results

FISMA
Federal Information Security Management Act
Requires annual reviews of information security programs; standards must be met on an annual basis

ISO/IEC 27001:2013
Management needs to:
Examine information security risks
Design/implement security controls
Monitor the controls

1.3 Bonus VB and Kali EH
5 minutes

Cyber Labs are included in the paid subscription (100 dollars per month).

Download VirtualBox
Download Kali

VirtualBox: File > Preferences > Network > add a new NAT network.
Then per VM: Settings > Network > attach the adapter to that NAT network.

 

1.4 Password Crack Lab EH
7 minutes

https://www.md5hashgenerator.com/

PASSWORD
md5 hash
319f4d26e3c536b5dd871bb2c52e3178

 

Start John the Ripper from the Applications menu (or run john from a terminal).
Locate rockyou.txt (locate rockyou.txt); on Kali it ships compressed as /usr/share/wordlists/rockyou.txt.gz, so extract it first (gunzip).
Put the hash in a file, one per line (optionally user:hash), then run the wordlist attack and display the results as two separate commands (the wordlist goes in --wordlist=, and --show is a separate invocation):
john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt /root/Desktop/passwd1.txt
john --format=raw-md5 --show /root/Desktop/passwd1.txt
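The dictionary attack john performs in this lab, reimplemented in Python as an added example (this is not course material or john's code). The wordlist, the hash file and the mangling rules are constructed stand-ins; alice's hash is the md5 of PASSWORD from the lab above, and the rules show why a wordlist without the exact word still cracks it.

```python
import hashlib

# Constructed stand-in for rockyou.txt (the real list has ~14 million entries).
WORDLIST = ["123456", "password", "iloveyou", "qwerty", "princess"]

# Constructed contents of the hash file in john's user:hash format. alice's hash is
# the md5 of PASSWORD from the lab; bob's is the md5 of a passphrase that no wordlist
# entry or rule below will produce, so it stays uncracked.
HASH_FILE = "alice:319f4d26e3c536b5dd871bb2c52e3178\n" \
            "bob:" + hashlib.md5(b"correct horse battery staple").hexdigest() + "\n"

# A few mangling rules in the spirit of john's rule engine (identity, upper-case,
# capitalise, append a digit). Illustrative only; john's real rules are far richer.
RULES = [lambda w: w, str.upper, str.capitalize, lambda w: w + "1"]


def parse_hash_file(text):
    """Parse 'user:hash' lines into {user: lowercase_hex_digest}."""
    targets = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        targets[user.strip()] = digest.strip().lower()
    return targets


def crack_raw_md5(targets, wordlist, rules=(lambda w: w,)):
    """Dictionary attack on unsalted MD5 (john --format=raw-md5 --wordlist=...).

    The target digests are indexed once so every candidate costs one md5 and one
    dict lookup no matter how many hashes are under attack: with no salt, one
    computation tests a candidate against all users at the same time.
    """
    by_digest = {}
    for user, digest in targets.items():
        by_digest.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        for rule in rules:
            candidate = rule(word)
            digest = hashlib.md5(candidate.encode("utf-8")).hexdigest()
            for user in by_digest.get(digest, ()):
                cracked.setdefault(user, candidate)
        if len(cracked) == len(targets):
            break  # nothing left to crack
    return cracked


def show(targets, cracked):
    """Lines in the style of john --show: user:plaintext plus a summary."""
    lines = [f"{user}:{cracked[user]}" for user in targets if user in cracked]
    lines.append(f"{len(cracked)} password hash(es) cracked, "
                 f"{len(targets) - len(cracked)} left")
    return lines


if __name__ == "__main__":
    targets = parse_hash_file(HASH_FILE)
    print("\n".join(show(targets, crack_raw_md5(targets, WORDLIST, RULES))))
```

Without the rules the run cracks nothing, because "password" and "PASSWORD" hash differently; with the upper-case rule alice falls, and bob's passphrase survives the whole list.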

 

Module 2: Footprinting
2.0 Intro Preassessment EH 05:58

Question 1: John is a criminal hacker and decides to search the dumpster outside Super Secret, Inc. to see if he can find any information about the company. According to the EC-Council definition, John is doing what?

a- Active footprinting
b- Brute force
c- Passive footprinting
d- DDoS

 

Question 2: Which example would be passive footprinting?

a- having coffee with the target
b- performing Google hacking on the target
c- interacting with the target on social media, but not meeting in person (active footprinting)
d- tailgating (unauthorized access to a building or property)
piggybacking: basically following a person through the door while nobody knows who you are.

 

Question 3: The Google operator to search only for files of a specific type is:

a- info:string (displays information about the website itself)
b- filetype:type
c- link:string (pages linking to the given search term)
d- inurl:string (URL contains the given character set)

Question 4: If I want to get notified any time a company updates their social media page, I could set up a:

a- url
b- website
c- alert
d- DDoS

2.1 Footprinting EH 11:45

Learning Objectives

Active vs Passive

Footprinting
Active: Interaction
Passive: publicly available

(product launching, users)

Know security posture
Reduce focus area
Identify vulnerabilities
Network map

(websites, DNS, CNAMEs, Azure, AWS?)

How?
Search engines
(names)
Google hacking
google search: password ext:xlsx
google search: intitle:"D-Link VoIP Router" "Welcome"
Shodan
shodan.io
Whois: whois.icann.org
Social media
Facebook
LinkedIn
Twitter
Instagram
Competitive intelligence
- Product X launched on this date (who are the customers?)
Job boards (job postings reveal the technology stack in use)
sec.gov/edgars.html
indeed.com
Alerts
visualping.io
("we monitor webpages... so you don't have to!")
Mirror website
httrack.com (website copier)
Email footprinting
kali: theHarvester -h

Tools:
Maltego
- maps out relationships between people, domains, hosts and e-mail addresses
Recon-ng
kali: recon-ng
OSRFramework
kali:

Post-Assement:
All of the following are benefits of footprinting, except:
a. map the network
b. know the security posture of the target
c. activate a DDoS against the target
d. narrow the focus area

Shodan is known as the
a. Hacker's search engines
b. grandma's search engine
c. best search engine
d. executive search engine

2.2 Lab Intro EH 01:39

Footprinting
filetype: type
intitle: string
inurl:string
site:domain

search terms
passwords in the website

NIKTO
Harvester
Shodan
Google Hacking

CREATE REPORTS

2.3 Footprinting NIKTO EH 05:56

nikto --help (short help)
nikto -H (full help, more details)
-e (IDS evasion technique)
-h (target hostname or IP)

nikto -e 1 -h webscantest.com

2.4 Footprinting Harvester EH 06:25

theHarvester -h
limit of results: 50 / 500
theHarvester -d microsoft.com -l 50 -b google -f myresult.html
(-f writes the results to an HTML/XML file; -h prints help, so it cannot be the output option as in the original note)

2.5 Footprinting Shodan EH 04:48
account > login > search for cisco router
passwords visible? Reports > customers!

2.6 Footprinting Google Hacking EH

google: Google hacking database
https://www.exploit-db.com/google-hacking-database

 

Module 3: Scanning and Enumeration
3.0 Scan Enumeration EH 02:36
ACK, FIN

Check for live systems
Check for open ports
Scan beyond the IDS
Banner grabbing (which OS and services are in use)
Vulnerability scan
Draw a network diagram
Prepare proxies (anonymity)

Three-way handshake
SYN
SYN/ACK
ACK

TCP header flags
Synchronize (SYN): starts a connection, synchronizes sequence numbers
Acknowledgement (ACK): acknowledges received data
Reset (RST): forces termination in both directions

Finish (FIN): ordered close
Push (PSH): forces delivery of the data without concern for any buffering
Urgent (URG): indicates the data is being sent out of band

Post-assessment
What does the FIN flag signify: ORDERED CLOSE

3.1 TCP Handshake EH 04:21

Three-way handshake

HOST A - HOST B

HOST A sends SYN with sequence number 100.
HOST B replies SYN/ACK: its own sequence number 300 and acknowledgement 101 (A's SYN consumed one sequence number).
HOST A replies ACK: sequence number 101, acknowledgement 301.

SYN packet sent first
SYN + ACK back
ACK confirms, connection established
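The same exchange built and decoded in Python, as an added example (not course material). It packs real 20-byte TCP headers with struct (checksum left at zero, since nothing is put on the wire), decodes the flag bits from byte 13, and walks the sequence and acknowledgement numbers from the notes (ISNs 100 and 300); the port numbers are assumed.

```python
import struct

# Flag bits in byte 13 of the TCP header (RFC 793 order, low bit first).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, data offset, flags, window, checksum, urgent ptr


def next_seq(n):
    """Sequence numbers are 32-bit and wrap around."""
    return (n + 1) & 0xFFFFFFFF


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """20-byte TCP header without options; checksum is 0 because we never send it."""
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    data_offset = 5 << 4  # header length in 32-bit words, stored in the high nibble
    return struct.pack(HDR, sport, dport, seq, ack, data_offset, bits, window, 0, 0)


def parse_tcp_header(raw):
    sport, dport, seq, ack, off, bits, window, _csum, _urg = struct.unpack(HDR, raw[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [n for n, b in FLAG_BITS.items() if bits & b],
        "hdr_len": (off >> 4) * 4, "window": window,
    }


def three_way_handshake(client_isn=100, server_isn=300, sport=40000, dport=80):
    """Return the three decoded segments of a handshake.

    SYN and FIN each consume one sequence number, which is why the SYN/ACK
    acknowledges client_isn + 1 and the final ACK carries seq client_isn + 1.
    """
    syn = parse_tcp_header(build_tcp_header(sport, dport, client_isn, 0, ["SYN"]))
    syn_ack = parse_tcp_header(build_tcp_header(
        dport, sport, server_isn, next_seq(syn["seq"]), ["SYN", "ACK"]))
    ack = parse_tcp_header(build_tcp_header(
        sport, dport, syn_ack["ack"], next_seq(syn_ack["seq"]), ["ACK"]))
    return [syn, syn_ack, ack]


def is_valid_syn_ack(syn, reply):
    """What a client (or a SYN scanner) checks before believing a port is open:
    SYN and ACK set, and the acknowledgement matches our ISN + 1."""
    return ("SYN" in reply["flags"] and "ACK" in reply["flags"]
            and reply["ack"] == next_seq(syn["seq"]))


if __name__ == "__main__":
    for seg in three_way_handshake():
        print(f"{seg['sport']}->{seg['dport']} {'/'.join(seg['flags']):8} "
              f"seq={seg['seq']} ack={seg['ack']}")
```

The is_valid_syn_ack check is the reason a blind SYN/ACK with the wrong acknowledgement number does not complete a connection, and the reason session hijacking (module 9) has to predict sequence numbers first.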

3.2 Banner Grab EH 10:48

Fragmentation
- Breaking packets into smaller pieces (to get past an IDS)
- Colasoft Packet Builder

nmap / Packet Tracer

ICMP message types
0: Echo Reply (answer to the Type 8 Echo Request)
3: Destination Unreachable: codes 0, 1, 6, 7, 9, 10, 13
4: Source Quench: a congestion control message (deprecated)
5: Redirect: code 0 (redirect network), 1 (redirect host)
8: Echo Request: ping message that requests the echo reply
11: Time Exceeded

ICMP Message Type 3
0=Destination network unreachable
1=Destination host unreachable
6=Network unknown
7=Host unknown
9=Network administratively prohibited
10=Host administratively prohibited
13=Communication administratively prohibited

Port scanning types
- Full open (TCP connect scan): completes the three-way handshake; nmap -sT
- Half open (stealth or SYN scan): sends SYN, reads the SYN/ACK or RST, never completes the handshake; nmap -sS
- Inverse TCP: probes with FIN, URG and/or PSH flags; no response means the port is open (or filtered), RST means closed
- Xmas: FIN, PSH and URG set at once; does not work on Windows, which is not RFC 793 compliant here and answers RST on every port
- ACK: an ACK packet is sent and the reply is inspected; RST means unfiltered. TTL-based variant: an RST with a TTL below 64 (lower than the other ports) indicates open
- Idle: spoofed source IP address of a "zombie" host (a computer the attacker can observe); the target's replies change the zombie's IP ID sequence
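How the replies to those probes are turned into port states, as an added Python example (not from the course). The rules follow nmap's documented interpretation for SYN/connect, FIN/Xmas/Null and ACK scans; the replies are constructed, nothing is sent on the wire. The last function encodes the Windows caveat from the list: an inverse scan that shows every port closed has told you nothing.

```python
# ICMP destination-unreachable (type 3) codes that nmap reads as "filtered".
ICMP_FILTERED_CODES = {0, 1, 2, 3, 9, 10, 13}
INVERSE_SCANS = {"fin", "xmas", "null"}


def classify_port(scan, reply):
    """Turn one probe reply into an nmap-style port state.

    scan : "syn", "connect", "fin", "xmas", "null" or "ack"
    reply: None (no answer before the timeout),
           {"tcp": [flags]} for a TCP reply, or
           {"icmp": (type, code)} for an ICMP error
    """
    if reply is None:
        if scan in INVERSE_SCANS:
            return "open|filtered"   # silence is what both an open port and a firewall give
        return "filtered"
    if "icmp" in reply:
        icmp_type, code = reply["icmp"]
        if icmp_type == 3 and code in ICMP_FILTERED_CODES:
            return "filtered"
        return "unknown"
    flags = set(reply["tcp"])
    if scan in ("syn", "connect"):
        if {"SYN", "ACK"} <= flags:
            return "open"
        if "RST" in flags:
            return "closed"
    elif scan in INVERSE_SCANS:
        if "RST" in flags:
            return "closed"
    elif scan == "ack":
        if "RST" in flags:
            return "unfiltered"   # the probe reached the host: no stateful filtering
    return "unknown"


def classify_scan(scan, replies):
    """replies: {port: reply}. Returns {port: state}."""
    return {port: classify_port(scan, reply) for port, reply in replies.items()}


def inverse_scan_is_conclusive(states):
    """FIN/Xmas/Null results are meaningless against a host that answers RST on every
    port (Windows, Cisco devices and others that ignore RFC 793 here): every port
    shows up as closed. Returns False in that situation."""
    return any(state != "closed" for state in states.values())


if __name__ == "__main__":
    # Constructed replies from a host with 80 open, 81 closed and 443 firewalled.
    sample = {80: {"tcp": ["SYN", "ACK"]}, 81: {"tcp": ["RST", "ACK"]},
              443: {"icmp": (3, 13)}, 8080: None}
    print(classify_scan("syn", sample))
```

The "open|filtered" state is why the Xmas lab in 3.14 is noisy and still inconclusive; --reason in nmap prints exactly which of these replies produced each state.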

nmap

Banner grabbing
kali:
telnet x.x.x.x 80
Server: Microsoft-IIS/5.1

DNS requests: name servers, records
/pentest/enumeration/dns/dnsrecon# ./dnsrecon.py -d cisco.com

Source routing (newer material on the CEH exam)
Normally a packet can take any of all possible paths and the network picks the best path.
With source routing the sender dictates the path
(the attacker forces the route the packet takes, e.g. around a filtering device).

Enumeration
- Discovery of host or devices

Vulnerability Tools
- OpenVAS
- Nessus

# help with compliance #

Vulnerability Scoring Systems
Common Vulnerability Scoring System (CVSS)

https://www.first.org/cvss/ (Calculator, getting it scored)

Vulnerability Management Lifecycle

discover > prioritize assets > assess > report > remediate > verify > (back to discover for the next cycle)

https://www.gartner.com/reviews/market/vulnerability-assessment

Post-Assement
Question 1
Jennifer is a pentester working for Cybrary, Inc. She knows that fragmenting packets can help her do what against the target network?

Break up packets to evade the IDS

3.3 Live Systems Lab Part 1 EH 02:22

apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade
apt-get install -y tightvncserver

apt-get update && apt-get install -y x11vnc

x11vnc

note the port number it reports (5900 by default)

3.4 Live Systems Lab Part 2 EH 02:49

ifconfig

eth0
lo

3.5 Live Systems Lab Part 3 EH 04:08

nmap -h
nmap -sn 192.168.1.0/24

host is up
mac address

3.6 Live Systems Lab Part 4 EH 02:23

hping3 -h
hping3 -1 192.168.1.251

 

3.7 Port Check Lab Part 1 EH 03:21

x11vnc

vnc viewer

3.8 Port Check Lab Part 2 EH 02:21

nmap 192.168.1.40 and nmap 192.168.1.151

 

3.9 Port Check Lab Part 3 EH 03:05

hping3 -8 0-5000 -S 192.168.1.151 (-8: scan mode over ports 0-5000, -S: SYN flag)

3.10 Scanning Techniques Lab Part 1 EH 04:05

install xampp on windows machine
host: ipconfig

3.11 Scanning Techniques Lab Part 2 EH 03:31

half-open (SYN) scan
nmap -sS 192.168.1.110

3.12 Scanning Techniques Lab Part 3 EH 02:21

full connect scan
nmap -sT 192.168.1.110

3.13 Scanning Techniques Lab Part 4 EH 04:06

Xmas scan
Zenmap (GUI version of nmap)

install nmap (the Windows installer includes Zenmap)

3.14 Scanning Techniques Lab Part 5 EH 05:00

very noisy!

nmap -sX 192.168.1.110
nmap -sX --reason 192.168.1.110

3.15 Scanning Techniques Lab Part 6 EH 03:08

nmap -sA -p 80 192.168.1.110
filtered/unfiltered

3.16 Scanning Techniques Lab Part 7 EH 04:46

firewall.cpl > enable the firewall and make sure the web server is not in the allowed apps list, so port 80 is blocked.
nmap -sA -p 80 192.168.1.110

filtered

3.17 Scanning Techniques Lab Part 8 EH 02:40

hping3
syn scan
-S Syn flag
hping3 -8 0-5000 -S 192.168.1.110

3.18 Scanning Techniques Lab Part 9 EH 02:30

hping3
ack scan
hping3 -c 1 -V -p 80 -s 5555 -A 192.168.1.110

 

3.19 Scanning Techniques Lab Part 10 EH 04:50

HPING3 Ack Scan and Windows Firewall

hping3 -c 1 -V -p 80 -s 5555 -A 192.168.1.110

3.20 Scanning Techniques Lab Part 11 EH 03:43

hping3 xmas scan (URG, PSH and FIN set)

hping3 -c 1 -V -p 80 -s 5555 -M 0 -UPF 192.168.1.110
(-c 1: one packet; -M 0: TCP sequence number 0; -U -P -F: URG, PSH, FIN. The original note had -C, which is the ICMP code option, not the packet count.)

hping3 -8 80 -S 192.168.1.110 (SYN scan of port 80, for comparison)

3.21 OS Fingerprinting Lab Part 1 EH 06:05

nmap -sS -O 192.168.1.110 192.168.1.40

3.22 OS Fingerprinting Lab Part 2 EH 05:53

-p: put the interface in promiscuous mode
-i: listen on a specific interface

p0f -p -i eth0

3.23 Mapping Networks Part 1 EH 05:00

Zenmap + ManageEngine OpManager

3.24 Mapping Networks Part 2 EH 03:23

OpManager discovery scan with credentials

3.25 Mapping Networks Part 3 EH 06:40

OpManager discovery scan with credentials (continued)

3.26 Mapping Network Part 4 EH 10:21

OpManager discovery scan with credentials (continued)

3.27 Banner Grabbing Lab Part 1 EH 03:07

open: http://192.168.1.110:8888/DVWA/login.php

prep: telnetting to the web server port

3.28 Banner Grabbing Lab Part 2 EH 02:59

telnet 192.168.1.110 80

GET /dvwa/ HTTP/1.1
Host: 192.168.1.110
(press Enter twice: HTTP/1.1 requires a Host header, and the request ends with an empty line)

banner grabbing: read the Server header in the response

3.29 Banner Grabbing Lab Part 3 EH 02:45

netcat

nc 192.168.1.110 8888
GET /dvwa/ HTTP/1.1
Host: 192.168.1.110

press Enter twice

Server: Apache
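The telnet/netcat banner grab from 3.2 and the two labs above, done from Python against a throwaway local HTTP server so it runs offline; an added example, not course material. The server, its two handler variants and the paths are constructed: the first handler exposes the default Server header, the second shows the hardening (what ServerTokens Prod does on Apache), which is the fix a practitioner checks for after a banner grab.

```python
import http.server
import socket
import threading


class ChattyHandler(http.server.BaseHTTPRequestHandler):
    """Constructed target: leaves the default Server header (software + version)."""
    def do_GET(self):
        body = b"<html><body>DVWA login</body></html>\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class QuietHandler(ChattyHandler):
    """Hardened variant: generic product name, no version, no Python version."""
    server_version = "Apache"
    sys_version = ""


def start_server(handler):
    """Serve on 127.0.0.1 on a free port in a background thread; returns (server, port)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def grab_banner(host, port, path="/", timeout=3.0):
    """Send a minimal HTTP/1.1 request over a raw socket and parse the response head.

    HTTP/1.1 needs a Host header, lines end in CRLF and the request is terminated
    by an empty line: exactly what the two Enter presses do in telnet/netcat.
    Returns (status_line, {header-name-lowercase: value}).
    """
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        data = b""
        while b"\r\n\r\n" not in data:          # read until the headers are complete
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    head = data.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def server_header(handler):
    """Start a server with the given handler, grab its banner, shut it down."""
    srv, port = start_server(handler)
    try:
        status, headers = grab_banner("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()
    return status, headers.get("server", "")


if __name__ == "__main__":
    for handler in (ChattyHandler, QuietHandler):
        print(handler.__name__, server_header(handler))
```

The first run returns a banner of the form BaseHTTP/0.6 Python/3.x.y, i.e. product and version of both the server and its runtime; the second returns just Apache. Hiding the banner does not remove a vulnerability, but it takes away the free version lookup that nmap -A and Nikto rely on.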

3.30 Banner Grabbing Lab Part 4 EH 03:55

nmap -sS -p 80 -A 192.168.1.110

3.31 Enumeration Tools Part 1 EH 04:21

nslookup

server 192.168.1.1
set type=any

ls -d practice-labs.com

(ls -d asks for a zone transfer; no results if the server is not authoritative for the zone or does not allow transfers)

3.32 Enumeration Tools Part 2 EH 02:58

dig axfr practice-labs.com @192.168.1.1
(the server to query is given with @; "Transfer failed." means the server refuses zone transfers to us)

dig = domain information groper (here used to attempt a zone transfer)

3.33 Enumeration Tools Part 3 EH 02:54

PsTools download (Sysinternals)

psinfo.exe \\192.168.1.110 -h -d (credentials must be correct; -h lists installed hotfixes, -d lists disk volumes)

3.34 Enumeration Tools Part 4 EH 03:59

finger tool on Linux (queries the finger daemon for user information)

finger -s root

 

Module 4: System Hacking
4.0 System Hacking EH 08:45

SAM file
Security Accounts Manager
- Stores the local account password hashes (LM/NTLM)
- Protected with SYSKEY (since NT 4.0)

Types of password attacks
- Dictionary
OPR - combined dictionary attack (words from several lists joined together)
pcd files

- Brute force
Attacker tries all possible combinations
CrackMapExec: cme smb COMPUTERNAME -u Administrator -d builtin -p ~/passwords.txt

- Rule-based
Candidates must follow a known policy, e.g. seven characters long and containing one number

- Rainbow tables
rainbowcrack: rtgen md5 loweralpha-numeric 6 8 0 3800 334553 0
(arguments: hash algorithm, charset, min length, max length, table index, chain length, chain count, part index)

Salting passwords
Random data added to the password before it is hashed
Randomly generated for each password, so equal passwords get different hashes and precomputed tables are useless
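Why the salt matters, as an added Python example (not from the course): a precomputed digest-to-plaintext table recovers unsalted MD5 with one lookup, gives nothing against a per-user random salt, and the same password no longer stores to the same value. MD5 is kept only to match the notes; the last function shows the slow, salted KDF you would actually use. All inputs are constructed.

```python
import hashlib
import hmac
import os


def build_lookup_table(words):
    """Precomputed digest -> plaintext table (a rainbow table is a compressed form of
    this idea: chains instead of a flat table, but the same precomputation)."""
    return {hashlib.md5(w.encode("utf-8")).hexdigest(): w for w in words}


def hash_unsalted(password):
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted(password, salt=None):
    """Store salt and digest together as 'salthex$digest'. A fresh 16-byte salt per
    password means the attacker must redo every computation per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.md5(salt + password.encode("utf-8")).hexdigest()  # md5 only to match the notes
    return salt.hex() + "$" + digest


def verify_salted(password, stored):
    """Recompute with the stored salt; constant-time compare avoids a timing leak."""
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def lookup_attack(table, stored):
    """Attacker with the precomputed table: one dict lookup on the digest part."""
    return table.get(stored.split("$")[-1])


def hash_pbkdf2(password, salt=None, iterations=600_000):
    """What to use instead of md5(salt+pw): a deliberately slow, salted KDF, so
    even a per-user dictionary attack costs the attacker real CPU time."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


if __name__ == "__main__":
    table = build_lookup_table(["123456", "password", "qwerty"])   # constructed list
    print("unsalted:", lookup_attack(table, hash_unsalted("password")))
    print("salted:  ", lookup_attack(table, hash_salted("password")))
```

The salt is not secret (it is stored next to the digest); its job is only to make every user's hash a separate cracking problem, which is exactly what the rainbow table above was built to avoid.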

 

module 4.0 Salting Passwords

aircrack-ng: wireless password cracking (WEP/WPA handshakes)
Cain & Abel: Windows password recovery tool with several attack methods

john the ripper
hydra (online brute force against network services)
hashcat (GPU-accelerated hash cracking)

Spectre and Meltdown
CPU design flaws in speculative execution
Protected memory can be read through the CPU cache as a side channel
Not known to have been exploited in the wild at the time of the course

Rootkits
Provide continued (privileged) access to the computer
Often run stealthily, hiding their own files and processes

Types of rootkits
Horse Pill
Infects the initial ramdisk (initrd) on Linux, so it takes control early in the boot process

GrayFish
Equation Group (attributed to the NSA)
Trojan.Win32.GrayFish.b
ehdrv.sys (ESET helper driver)

Steganography tools (hiding information inside another file)
QuickStego: BMP, JPEG, GIF
OpenStego: BMP, PNG
MP3Stego: MP3
StegoShare: BMP, JPEG, PNG, GIF, TIFF
Mostly used with image files.
Clear the shell history: history -c

Question 1: BASH stands for:
Bourne Again Shell

Covering BASH tracks
Bourne Again Shell
Disable history for the session: export HISTSIZE=0
HISTSIZE determines how many commands are kept in the history.

 

4.1 Lab Intro EH 07:23

Pre-lab knowledge check
1 B
2 A
3 C (RFC 1350)
4 B

RFC 959 - FTP, File Transfer Protocol
RFC 793 - TCP, Transmission Control Protocol
RFC 1350 - TFTP, Trivial File Transfer Protocol
RFC 1321 - MD5, Message-Digest algorithm 5

TFTP - transfers files over UDP port 69; no user authentication and no directory listing.

Backdoors allow you to maintain access.
Turn on the webcam, etc.

Backdoor Trojans allow attackers to:
Collect information
Terminate tasks and processes
Run tasks and processes
Download additional files
Upload files/content
Open command-line shells
Perform denial of service against other computers from the infected machine
Change the computer settings
Restart or shut down the computer

Examples of RAT backdoors
Gh0st

Mirai botnet: IoT devices

PwnWind

4.2 Backdoor System Hacking EH 11:02

Install OpenTFTPserver

nmap -sU -p 69 -A 192.168.1.110

question: transfer file

4.3 System Hacking Plant backdoor EH

cmd: run as Administrator

psexec \\192.168.1.110 cmd

dism /online /Enable-Feature /FeatureName:TFTP

 

Module 5: Malware
5.0 Malware Viruses EH 08:08

Umbrella term that describes malicious programs or code

Symptoms:
- computer slows down, crashes or freezes
- ad pop-ups
- system resource usage is high
- new toolbars and extensions in the browser
- your antivirus becomes disabled

module 5.0 viruses continued

How do I get it?
visiting a hacked website
using game demos
downloading infected music files
opening malicious e-mail attachments
malware can also hide in seemingly legitimate apps

module 5.0 viruses continued

boot sector virus (infects the boot sector, so it loads before the OS)
ransomware
shell virus (wraps around the application: the virus runs first, then the original program)

cluster virus (modifies directory table entries so they point to the virus)
multipartite virus (infects both the boot sector and files)
macro virus (infects Office templates)
polymorphic virus (mutates its own code with a polymorphic engine, so the signature changes)

encryption virus (encrypts its body to evade AV)
metamorphic virus (rewrites itself completely every time it infects a file)
stealth virus (evades AV by intercepting requests and handing back the uninfected version; also called a tunneling virus)
cavity virus (overwrites unused portions of the host file, so the file size does not increase)

sparse infector virus (infects only occasionally, e.g. every 5th time or on a specific date)

file extension virus (readme.txt.vbs shows as readme.txt when "show file extensions" is off)

5.1 Malware Worms Trojans EH 07:45

Worms: self-replicating and self-propagating programs that use networking mechanisms to spread; they eat up resources.

Worms continued

Code Red: exploited IIS servers back in 2001 using a buffer overflow

SQL Slammer: DoS worm that attacked a buffer overflow weakness in SQL Server. It used UDP and was very small.

Nimda: spread through open network shares, websites and e-mail. It also used backdoors that were left on machines by Code Red.

Trojans

How Dyre works

module 5.1 trojan dyre

Hooked the browser to forward (intercept) traffic (banking trojan).

Trojan: appears to perform a desired function, but actually performs actions without the user's knowledge, intended to steal information or harm the user's system/data.

 

Covert channel: used to transmit information in a way that is illegitimate or supposedly impossible. It violates the security policy of the system.

Overt channel: used to send information or perform other actions in a legitimate way (i.e. TCP/IP).

Indications of a trojan infection (some)
CD drawer randomly opens/closes
computer screen inverts or flips
documents randomly print
browser redirection
mouse pointer disappears

Trojan common ports:

Back Orifice: UDP 31337/31338
Beast: TCP 6666
Whack-a-Mole: TCP 12361/12362
GirlFriend: TCP 21544
NetBus 2 Pro: TCP 20034
Timbuktu: TCP/UDP 407

Zeus trojan

module 5.1 trojan zeus

5.2 Malware Lab Intro EH 05:55

Pre-lab knowledge check

Question
a
port 23 is telnet
b
port 389 is LDAP

POP3: 110
Kerberos: 88

 

137 NetBIOS name service
139 NetBIOS session service
138 NetBIOS datagram service

Stinger is a free tool from McAfee that allows for the detection and removal of viruses and other malware.

Google search: mcafee stinger

Tools:
CurrPorts (lists open ports and marks suspicious ones)
TCPView (TCP/UDP connections and their state)
HashCalc (compute file hashes, compare against known-good values)

Stinger

CurrPorts

TCPView

What's Running

HashCalc

5.3 Malware Stinger EH 02:45
5.4 Malware CurrPorts EH 02:11
5.5 Malware TCP View EH 04:07
5.6 Malware Whats Running EH 12:12
5.7 Malware Hash Calc EH

 

Module 6: Sniffing
6.0 Sniffing EH 06:24

Sniffing
Capture and inspect traffic flowing across the network
passive: listening only
active: traffic is monitored and altered (e.g. ARP poisoning on a switched network)

protocols that are easy to sniff
telnet: keystrokes in cleartext
http: cleartext
smtp: no protection against sniffing
nntp: cleartext
pop: passwords and mail can be intercepted
ftp: credentials and transfers in cleartext
imap: similar to smtp

Sniffing tools
wireshark
tcpdump
windump
omnipeek
dsniff
netwitness nextgen

wireshark filters:
== equal
eq equal
!= not equal
ne not equal
contains

command line interface tools

tshark
dumpcap
capinfos
editcap
mergecap
text2pcap

sudo tcpdump -i any port 70 and host maintain
(BPF filter: only traffic on port 70 to or from the named host)
windump.exe
omnipeek
dsniff -i eth0
netwitness nextgen

sectools.org (sniffing, security tools)

MAC flooding

goal is to make the switch act like a hub

attacker floods the switch with frames from bogus MAC addresses

switch is unable to write to its CAM (content addressable memory) table, which causes it to flood every frame to every port like a hub (fail open)
not seen much with newer switches

ARP poisoning (Address Resolution Protocol)
Contaminate the network with improper gateway mapping
ARP maps IP addresses to MAC addresses
tools: ettercap, Cain & Abel, arpspoof

Switched Port Analyzer (SPAN) port
generally requires physical (or admin) access to the switch.
Sends a copy of every network packet on one switch port to another port for monitoring.

Sniffing defense

encrypt sensitive traffic (SSH, IPsec)
use a switched network for most parts of the network
implement DHCP snooping (and Dynamic ARP Inspection on top of it) on Cisco switches to prevent ARP poisoning.
Implement policies preventing promiscuous mode on network adapters.

Question
MAC flooding
poison the CAM table, then do what we want with the traffic.

6.1 Sniffing Lab Intro EH 13:40

Question 1: C
Question 2: True (avoiding getting caught)

Sniffing is used to log traffic on a network.
MAC address: hardcoded by the manufacturer (but can be spoofed in software, see 6.3).

Wireshark benefits
Capture packets (network traffic)
Allows you to identify and analyze protocols.
Identification of the source and destination of traffic
Display contents of packets

6.2 Sniffing Wireshark EH 13:24

6.3 Sniffing MAC Spoof EH 07:2

 

Module 7: Social Engineering
7.0 Social Engineering EH 12:23

Social engineering

The use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.

Social engineering attack phases

4 phases

research the target company
select a victim
develop a relationship
exploit the relationship

 

module 7 phases social engineering

Human-based social engineering

Impersonation
- pretending to be somebody else
- e.g. asking the helpdesk for a password reset
- normally someone in authority

Vishing
- Using a telephone (voice phishing)
- Tech support scam

Eavesdropping
- Listening in on conversations

Shoulder surfing
- Looking over someone's shoulder to gain information
- software in use
- usernames
- financial staff

Dumpster diving
- Looking in the trash
(there are usually easier ways to get this information)

Reverse social engineering
- Tech support scam: the victim contacts the attacker
- browser redirect
- poisoned cookies
- clear cache
- provide own phone number on the redirect page.

Piggybacking
- attacker asks someone to let them in

Tailgating
- attacker follows an authorized person through the door
- requires an ID, like a badge
- fake badge

Phishing - users
Whaling - board of directors / executives

Smishing:
phishing message with a link, sent by SMS

Insider threats:
- employees
- former employees
- contractors or business associates

Types of insider threats
- non-responders (consistently negligent)
- inadvertent insiders: mean to comply with policy but make mistakes
- insider collusion: insider colluding with an outsider or contractor
- persistent malicious insiders: sell data, second income
- disgruntled employees: sabotage, IP theft

Social media
Fake profiles - know the law!
Malicious intent?
Female profiles work better.

Social engineering countermeasures
- Research
- Reject unsolicited requests for (or offers of) help
- Do not post personal data or photos
- Do not reveal sensitive data
- Follow policies and procedures

Insider threat countermeasures
- deterrence (make it difficult, so you can identify them)
- know your weak links
- identify valuable information
- monitor ingress and egress points.

Post-Assessment
Question 1: false
Question 2: False

7.1 Social Engineering Lab Intro EH 09:21

Pre-assessment

Question 1: C
Question 2: False

Social engineering:
The use of deception

Common attack types
Phishing: to obtain personal information; creates a sense of urgency

pretexting: a made-up scenario that creates a sense of trust

baiting: promises some type of good (e.g. a free USB stick)

quid pro quo: similar to baiting, but in exchange for a service.

Tailgating: the attacker has a fake badge and follows the authorized person through the door.

Piggybacking: the attacker does not have a badge and just asks someone to let them in.

7.3 Social Engineering Lab Recon EH

do research on a person.

Module 8: Denial of Service
8.0 Denial of Service EH

DoS/DDoS
DoS: Denial of Service
DDoS: Distributed Denial of Service
Prevent legitimate users from accessing a resource.
C.I.A. Triad - attacks Availability

UDP flood
UDP Unicorn:
Large number of UDP packets to random ports
Target replies with ICMP Destination Unreachable for every closed port, which consumes its resources
Tools: LOIC, UDP Unicorn

ICMP flood
ping (echo request) packets
more successful if the attacker has a bandwidth advantage

Ping of Death and Smurf
Ping of Death: sends an oversized/malformed ping packet with the goal of causing a buffer overflow

Smurf attack: sends ICMP echo requests to a broadcast address with the victim's IP spoofed as the source, so every host on that network replies to the victim.

SYN flood
bots send SYN packets and never complete the handshake, filling the target's half-open connection table

Slowloris
Opens many connections to the target
never completes the requests (keeps sending partial headers)
goal is to exhaust the server's connection pool so other clients are blocked
mitigation: limit the number of connections for a single IP address.

Distributed Reflection Denial-of-Service (DRDoS)
spoofed requests to third-party servers, which send their (larger) replies to the victim

SCRUTINIZER:
UDP
Availability

Botnets:

 


"Zombie" computers or devices under the attacker's control.

DDoS and botnet countermeasures
recognize early signs
contact your ISP
incident response plan
load balancer
anti-DDoS solution (cloud scrubbing)

Post-assessment
Question 1:
A DRDoS uses TCP packets
False

Module 9: Session Hijacking
9.0 Hijacking EH 03:45

Session hijacking
- The attacker tries to take over an active session from the client.
sniffs the session to learn the next sequence number

Spoofing vs hijacking
Spoofing: the attacker pretends to be another user/host and starts a new session (sniffing traffic to get what is needed for that)
Hijacking: the attacker takes over an existing session

Steps:
sniff
monitor
desynchronize
predict
inject

TCP reset of the session
ACK, FIN

Monitor:
monitor traffic and predict sequence numbers

Desynchronize:
desynchronize the client session
TCP reset
FIN flag

Predict:
predict the session token and take over the session

Inject:
inject packets to the target server, pretending to be the client.

Ettercap
packet sniffer, ARP poisoning and man-in-the-middle tool

Ferret (sidejacking: collects session cookies from sniffed traffic)

ferret -i eth0

Burp Suite - Session Hijacking

Session hijacking prevention:
- unpredictable session IDs
- limit incoming connections
- reduce remote access
- regenerate the session ID after authentication completes (prevents session fixation)
- IPsec
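The first and the fourth point above, as an added Python example (not from the course): a session store whose IDs are derived from a counter and a coarse timestamp, an attacker routine that recovers a victim's ID from that tiny search space (the same weakness Burp's Sequencer is meant to surface), and a store built on the OS CSPRNG that also issues a fresh ID at login. The store classes, user names and the fixed clock are all constructed.

```python
import hashlib
import secrets
import time


class WeakSessionStore:
    """Anti-pattern: session ID = md5(counter:unix_time). Both inputs are guessable,
    so knowing one valid ID narrows the next one to a handful of candidates."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.counter = 0
        self.sessions = {}

    @staticmethod
    def derive(counter, timestamp):
        return hashlib.md5(f"{counter}:{timestamp}".encode()).hexdigest()

    def new_session(self, user):
        self.counter += 1
        token = self.derive(self.counter, int(self.clock()))
        self.sessions[token] = user
        return token

    def user_for(self, token):
        """What the server does with an incoming cookie; the attacker's oracle."""
        return self.sessions.get(token)


def recover_counter(my_token, my_timestamp, limit=100_000):
    """Attacker step 1: brute-force the counter behind their own session ID."""
    for c in range(1, limit + 1):
        if WeakSessionStore.derive(c, my_timestamp) == my_token:
            return c
    return None


def hijack_next_sessions(server, my_counter, my_timestamp, ahead=10, window=60):
    """Attacker step 2: enumerate IDs issued shortly after ours and ask the server
    which of them are live. Cost: ahead * window guesses instead of 2**128."""
    found = []
    for c in range(my_counter + 1, my_counter + 1 + ahead):
        for ts in range(my_timestamp, my_timestamp + window + 1):
            token = WeakSessionStore.derive(c, ts)
            user = server.user_for(token)
            if user is not None:
                found.append((user, token))
    return found


class SecureSessionStore:
    """256-bit IDs from the OS CSPRNG, and a new ID at login so an ID planted before
    authentication (session fixation) never becomes an authenticated one."""

    def __init__(self):
        self.sessions = {}

    def new_session(self, user=None):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def login(self, pre_login_token, user):
        self.sessions.pop(pre_login_token, None)   # the old ID is dead from here on
        return self.new_session(user)

    def user_for(self, token):
        return self.sessions.get(token)


if __name__ == "__main__":
    weak = WeakSessionStore(clock=lambda: 1_700_000_000)   # constructed fixed clock
    mine = weak.new_session("attacker")
    weak.new_session("victim")
    c = recover_counter(mine, 1_700_000_000)
    print(hijack_next_sessions(weak, c, 1_700_000_000))
```

Hashing the weak inputs does not help: md5 hides nothing when the attacker can simply recompute it for every candidate, which is the point of the Sequencer check on captured tokens.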

IPsec
Transport mode: only the payload is protected, the original IP header stays in clear; the course notes it as the mode that can be used with NAT

Tunnel mode: the entire original packet is encrypted and wrapped in a new IP header; the course notes it as not working with NAT
(In practice ESP in either mode passes NAT with NAT traversal, i.e. UDP encapsulation on port 4500, RFC 3948; AH does not, because it authenticates the IP header that NAT rewrites.)

Authentication Header (AH)
Protocol that guarantees the integrity of the IP packet and the authenticity of its sender (no confidentiality)

Encapsulating Security Payload (ESP)
- protocol that provides integrity, authenticity and confidentiality; in tunnel mode this covers the entire original packet.

IKE (Internet Key Exchange)
- protocol that negotiates the security associations and produces the keys for the encryption process.

Oakley:
- key exchange protocol within IKE that uses Diffie-Hellman to create master and session keys

Post-Assessment
Question 1 Nat used in IPSec Tunnel Mode
false

9.1 Session Hijacking Lab Intro EH 03:40

Post-Assessment
ARP Stands for
Question 1: B
Address Resolution Protocol
A main purpose of ARP is to:
Question 2: A
Resolve IP addresses to MAC addresses
ARP is a broadcast protocol:
Question 3: True

ARP Resolve IP addresses to MAC addresses

Man-in-the-middle-Attack

 

9.2 Session Hijacking Lab Part 1 EH 07:48

Ettercap

poison the arp

9.3 Session Hijacking Lab Part 2 EH 03:43

 

Module 10: Web Servers and Apps
10.0 Web Server EH 04:37

What is a web server?

refers to the server software/hardware that can 'serve' content over HTTP

HTTP request methods:

GET
Requests data from a resource
Parameters are carried in the URL (so they end up in logs and browser history).

HEAD method:
similar to GET
server must not return a message body in the response
used for requesting headers/metadata
testing hypertext links for validity, accessibility and recent modification.

POST method
asks the origin server to accept the entity in the request as a new subordinate of the resource identified by the Request-URI.
What POST does is determined by the server.
Good method for submitting data to a resource for processing.
Data is in the body, so it is not stored in browser history or URL logs like GET parameters (it still needs TLS to be confidential).
Returned data is not reflected in the URL as with GET.

PUT method
requests that the enclosed entity be stored under the supplied Request-URI
If the Request-URI points to an existing resource, the enclosed entity should be considered a modified version of it.

DELETE method
Requests that the origin server delete the resource identified by the Request-URI

TRACE method
Used to invoke a remote, application-layer loopback of the request message (the server echoes the request back).

CONNECT method
Reserved for use with a proxy that can dynamically switch to being a tunnel

Web server attacks: directory traversal
- attempt to access restricted directories
- sends HTTP requests asking the server to step back up to the root directory
- known as the dot-dot-slash attack

Example:
http://www.test.com/../../../../etc/passwd
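How that request walks out of the web root, and the check that stops it, as an added Python example (not from the course). The vulnerable resolver joins the request path onto the document root; the safe one canonicalises the result and refuses anything that no longer lies under the root. The remaining functions recognise traversal attempts in URL paths and access-log lines, including percent-encoded and double-encoded forms. The web root, paths and log lines are constructed; POSIX paths are assumed.

```python
import os
from urllib.parse import unquote


def resolve_vulnerable(webroot, request_path):
    """Naive join: '..' segments in the request walk out of the document root.
    normpath is what makes the traversal 'work': it folds the ../ away."""
    return os.path.normpath(os.path.join(webroot, request_path.lstrip("/")))


def resolve_safe(webroot, request_path):
    """Canonicalise, then require the result to still be inside the root.
    realpath also resolves symlinks, so a link inside the root that points
    outside it is caught as well."""
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, unquote(request_path).lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"request escapes the web root: {request_path!r}")
    return target


def is_traversal_attempt(url_path):
    """Detection-side check for logs or a WAF rule: decode twice (catches %252e
    double encoding), normalise backslashes, then look for a bare '..' segment.
    A name like 'readme..txt' is not a traversal."""
    decoded = url_path
    for _ in range(2):
        decoded = unquote(decoded)
    decoded = decoded.replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def scan_access_log(lines):
    """Return the request paths in access-log lines that look like traversal
    attempts. Line format assumed: '<ip> "<METHOD> <path> HTTP/1.x" <status>'."""
    hits = []
    for line in lines:
        try:
            path = line.split('"', 2)[1].split(" ")[1]
        except IndexError:
            continue
        if is_traversal_attempt(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    root = "/var/www/html"   # constructed document root
    print(resolve_vulnerable(root, "../../../../etc/passwd"))   # /etc/passwd
    try:
        resolve_safe(root, "../../../../etc/passwd")
    except PermissionError as e:
        print("blocked:", e)
```

Note that a blacklist on the literal string "../" is not the fix: the encoded forms in the tests would pass it, which is why the safe resolver checks the canonical result rather than the input.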

Website Mirroring: HTTrack
HTTrack Website Copier
httrack.com

10.1 Web Applications EH 06:55

OWASP Top 10 Web Application Security Risks
A1:2017-Injection
A2:2017-Broken Authentication
A3:2017-Sensitive Data Exposure
A4:2017-XML External Entities (XXE)
A5:2017-Broken Access Control
A6:2017-Security Misconfiguration
A7:2017-Cross-Site Scripting (XSS)
A8:2017-Insecure Deserialization
A9:2017-Using Components with Known Vulnerabilities
A10:2017-Insufficient Logging & Monitoring

 

A1:2017-Injection
Can result in data loss or corruption
use a safe API that avoids the interpreter entirely (parameterised queries)
whitelist server-side input validation
use SQL controls such as LIMIT in queries to prevent mass disclosure in case of SQL injection

A2:2017-Broken Authentication
Can result in identity theft and fraud.
- MFA
no default credentials
check for weak passwords
follow NIST SP 800-63B section 5.1.1 for password guidelines
harden against enumeration of accounts
limit failed login attempts.

A3:2017-Sensitive Data Exposure
can lead to identity theft
classify the data being processed, stored and transmitted
apply appropriate controls
encrypt all data in transit

A4:2017-XML External Entities (XXE)
weaknesses in XML processors
can lead to data extraction, DoS and internal system scans

use less complex data formats, like JSON
patch/upgrade all XML processors and libraries.
disable XML external entity and DTD processing in all XML parsers.

A5:2017-Broken Access Control
can give the attacker administrator privileges and let users access/delete other users' records

deny by default
disable web server directory listing
log access control failures

A6:2017-Security Misconfiguration
can lead to unauthorized access or complete system compromise.

platform with no unnecessary features
hardening
segmented application architecture

A7:2017-Cross-Site Scripting (XSS)
can lead to script execution in the victim's browser, stealing of credentials (session cookies) and delivery of malware to the victim

separating untrusted data from active browser content.
escaping untrusted HTTP request data
enabling Content Security Policy (CSP)

A8:2017-Insecure Deserialization
Can lead to remote code execution

implement integrity checks, like digital signatures, on serialized objects
code isolation (run deserialization in a low-privilege environment)
logging deserialization exceptions and failures.

A9:2017-Using Components with Known Vulnerabilities
can lead to massive data breaches

patching
only obtain components from official sources

continuous inventory of client- and server-side frameworks and libraries.

A10:2017-Insufficient Logging & Monitoring
lets attacks go unnoticed, so exploits succeed and persist.

ensure all login and access control failures are logged with sufficient context.
ensure all logs are generated in an easily consumed format.
establish effective monitoring and alerting.

 

Post-Assessment
Question 1: One way to prevent Broken Access Control is to deny by:

default

 

10.2 Web Server Lab Intro EH 03:57

Preassessment

Question 1: C
Question 2: A
Question 3: C

Benefits of Burp Suite
https://portswigger.net/burp

HTTP Proxy (man-in-the-middle between browser and server)
Scanner (vulnerability scanner)
Intruder (automate attacks: SQL injection, XSS, brute force, etc.)
Spider (automatically crawl web applications to map out the application's content and functionality)
Repeater (modify a request, resend it and inspect the result)
Decoder (convert encoded data into canonical form, or convert into encoded and hashed forms)
Comparer (compare two items of data)
Extender (load Burp Suite extensions)
Sequencer (analyze the quality of randomness in sampled data items, like session tokens and password reset tokens)

https://www.owasp.org/index.php/Main_Page

http://exploitpack.com/index.html
subscription based, 100 euro per month

10.3 Web Tool Burp Suite Lab EH 05:43

 

Module 11: SQL Injection
11.0 SQL Injection EH 07:15

Structured Query Language

Structured data (relationships between variables/tables)

SQL commands
SELECT
SELECT * FROM Customers;

DELETE
DELETE FROM Customers
WHERE CustomerName='John Smith';

UPDATE
UPDATE Customers
SET ContactName='John Smith', City='London'
WHERE CustomerID=1;

INSERT INTO

INSERT INTO Customers (CustomerName, ContactName, Address, City, PostalCode, Country)
VALUES ('Cardinal', 'Tom B. Erichsen', 'Skagen 21', 'Stavanger', '4006', 'Norway');

SQL Injection
Code injection technique
Exploits vulnerability application software (user input)
Identity spoofing, voiding transactions, data dump, alteration/destruction, etc..

Types of SQL Injection

Union-based
Error-based
Blind

Union-based
Uses the UNION statement
UNION allows you to join together SELECT queries
Each SELECT must return the same number of columns
with similar data types

Error-based
Goal is to get the database to respond with table names and other information in error messages.

Blind
No error messages received from the database.

Boolean-based
slow attack
HTTP response may change

Time-based
Forces the database to wait a period of time before responding
Response time indicates statement is true or false.
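
Added example (not code from the course): the same customer lookup written the injectable way and the safe way, run against an in-memory SQLite database so the difference is observable offline. The Customers table, its rows and the probe values are constructed sample data; it also checks the "same number of columns" rule for UNION described above by letting the database engine reject a mismatched UNION.

```python
# Added example, not from the course notes: the same lookup written with string
# concatenation (injectable) and with a bound parameter (safe), run against an
# in-memory SQLite database so the behaviour is observable offline.
# The Customers table and its rows are constructed sample data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Customers (CustomerID INTEGER PRIMARY KEY, "
        "CustomerName TEXT, City TEXT, Country TEXT)"
    )
    conn.executemany(
        "INSERT INTO Customers VALUES (?, ?, ?, ?)",
        [
            (1, "Alfreds Futterkiste", "Berlin", "Germany"),
            (2, "Cardinal", "Stavanger", "Norway"),
            (3, "John Smith", "London", "UK"),
        ],
    )
    return conn


def find_by_city_vulnerable(conn: sqlite3.Connection, city: str) -> list:
    """Vulnerable: the user-supplied value becomes part of the SQL text, so a
    value containing a quote can change the query's logic (tautology, UNION)."""
    sql = ("SELECT CustomerName FROM Customers WHERE City = '" + city
           + "' ORDER BY CustomerID")
    return [row[0] for row in conn.execute(sql)]


def find_by_city_safe(conn: sqlite3.Connection, city: str) -> list:
    """Hardened: the value is bound as a parameter and is only ever compared
    against the City column; the SQL text itself never changes."""
    sql = "SELECT CustomerName FROM Customers WHERE City = ? ORDER BY CustomerID"
    return [row[0] for row in conn.execute(sql, (city,))]


def union_needs_matching_columns(conn: sqlite3.Connection) -> bool:
    """Illustrates the 'same number of columns' requirement from the notes:
    a UNION with one column succeeds, a UNION with two columns is rejected
    by the database engine. Returns True when both observations hold."""
    one_column = "' UNION SELECT Country FROM Customers --"
    two_columns = "' UNION SELECT City, Country FROM Customers --"
    countries = set(find_by_city_vulnerable(conn, one_column))
    try:
        find_by_city_vulnerable(conn, two_columns)
        mismatch_rejected = False
    except sqlite3.Error:
        mismatch_rejected = True
    return countries == {"Germany", "Norway", "UK"} and mismatch_rejected


TAUTOLOGY = "' OR '1'='1"   # classic probe value: makes the WHERE clause always true

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", find_by_city_vulnerable(db, "London"))
    print("vulnerable, tautology:   ", find_by_city_vulnerable(db, TAUTOLOGY))
    print("safe, tautology:         ", find_by_city_safe(db, TAUTOLOGY))
    print("union column rule holds: ", union_needs_matching_columns(db))
```

The safe variant returns an empty list for the tautology because the whole string is compared literally against the City column; the parameter can never become SQL syntax, which is the fix for all three injection types listed above.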

SQL Injection Tools
SQLMap
Whitewidow
BBQSQL
Blisqy

python sqlmap.py -u "http://debiandev/sqlmap/mysql/get_int.php?id=1" --batch

python blisqy.py -h

Post-Assessment
boolean-based

Module 12: Hacking WiFi and Bluetooth
12.0 Wifi Bluetooth EH

What is a wireless network
Wireless data connections between network nodes
cost reduction

wireless frequencies

 

module 12 wireless frequencies

SSID

Service Set Identifier
Provides no security by itself
Helps identify your wireless network

Wireless Authentication
Open system authentication
Shared key authentication

Open System Authentication
make network available to a wide range of clients
authentication frame sent from client to the access point
SSID is verified
Verification frame to client

Shared Key Authentication
each client knows the key ahead of time
connect as needed

WEP, WPA, and WPA2

 

module 12 web wpa wpa2

WEP (Wired Equivalent Privacy)

Uses an initialization vector (IV) for integrity and confidentiality
32-bit integrity check value (ICV)

Flaws:
With slight modification, packets can be altered by an attacker consistently
WEP is susceptible to known-plaintext attacks and DoS attacks.

 

WPA (Wi-Fi Protected Access)
- Temporal Key Integrity Protocol (TKIP)
- Changes out the key after every frame
- Keys are transferred back and forth during EAP (Extensible Authentication Protocol)

Flaws:
Weak keys
Packet spoofing

WPA2
Uses AES and is compliant with FIPS 140-2
CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for integrity
WPA2 Enterprise uses a server for key management and authentication.

Flaws:
De-authentication attack (Wifite tool)

Risk Mitigation for WEP and WPA2
complex passwords or passphrases
use server validation
eliminate the use of WEP and WPA; move to WPA2/WPA3
use encryption.

 

Wireless Hacking
Rogue Access Point
MAC spoofing
Ad-Hoc
Misconfiguration
Client misassociation
Jamming attacks
Honeyspot

 

Rogue Access Point
Attacker installs a new AP and hides it
Allows the attacker access to the network

MAC spoofing
Attacker spoofs the MAC address of an approved client

tools:
smac
ifconfig
changemac.sh

Ad-Hoc
Relies on attacker using a wifi adapter.
most users unaware.

Misconfiguration
common sense

Client misassociation

client attaches to an access point that is not on their network.
can lead to an attacker gaining access to the protected company network.

Jamming attacks
DoS attack
Overwhelm the access point and deny its availability to legitimate users.

Honeyspot
Attacker sets up a rogue access point with a stronger signal than the others

Unwitting users connect

Wireless Hacking Tools
Aircrack-ng
Cain & Abel (sniffing standpoint)
Kismet
NetStumbler
Wifite

Aircrack-ng

Cain & Abel (sniffing standpoint)
Wireless mode

Kismet (popular)

NetStumbler

Wifite
wifite -mac -aircrack -dict /kitten/wifite/darkc0de.lst

Post-Assessment
Question 1: TKIP is seen in:
WPA

WPA2 uses AES

Hacking Bluetooth
Modes

Discoverable: allows the device to be scanned and located by other Bluetooth-enabled devices
Limited Discoverable: discoverable for a short period of time.
Non-Discoverable: device cannot be located by other devices, unless it has been located by another device before.

Bluetooth Threats
Bluejacking: sending anonymous text messages to a victim
Bluesnarfing: extracts information at a distance from a Bluetooth device
Bluetooth Honeypots: Bluepot can be used to draw in malware and Bluetooth devices.

Module 13: Mobile Hacking and Security
13.0 Mobile Android EH 07:00
https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10

 

module 13 anatomy of a mobile attack

M1 - Improper Platform Usage
This category covers misuse of a platform feature or failure to use platform security controls. It might include Android intents, platform permissions, misuse of TouchID, the Keychain, or some other security control that is part of the mobile operating system. There are several ways that mobile apps can experience this risk.

Platform permissions
Misuse of TouchID
Keychain API

M2 - Insecure Data Storage
This new category is a combination of M2 + M4 from Mobile Top Ten 2014. This covers insecure data storage and unintended data leakage.

Insecure storage or unintended data leakage
Lost/stolen phone
Identity theft or fraud
Reputation damage

 

M3 - Insecure Communication
This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.

Incorrect SSL version
Weak negotiation
Cleartext communication of sensitive data
Poor handshake

M4 - Insecure Authentication
This category captures notions of authenticating the end user or bad session management. This can include:

Failing to identify the user at all when that should be required
Failure to maintain the user's identity when it is required
Weaknesses in session management

Failing to identify end users
Failing to maintain user's identity
Session management weakness

M5 - Insufficient Cryptography
The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for issues where cryptography was attempted, but it wasn't done correctly.

Cryptography not done correctly or not at all
Physical access or malware.

M6 - Insecure Authorization
This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.).

If the app does not authenticate users at all in a situation where it should (e.g., granting anonymous access to some resource or service when authenticated and authorized access is required), then that is an authentication failure not an authorization failure.

Failed authorization decisions on the client side.

M7 - Client Code Quality
This was the "Security Decisions Via Untrusted Inputs", one of our lesser-used categories. This would be the catch-all for code-level implementation problems in the mobile client. That's distinct from server-side coding mistakes. This would capture things like buffer overflows, format string vulnerabilities, and various other code-level mistakes where the solution is to rewrite some code that's running on the mobile device.

Client-side code level implementation issues
Buffer overflows
Format string vulnerabilities

 

M8 - Code Tampering
This category covers binary patching, local resource modification, method hooking, method swizzling, and dynamic memory modification.

Once the application is delivered to the mobile device, the code and data resources are resident there. An attacker can either directly modify the code, change the contents of memory dynamically, change or replace the system APIs that the application uses, or modify the application's data and resources. This can provide the attacker a direct method of subverting the intended use of the software for personal or monetary gain.

Attacker modifies code
changes/replaces system APIs
Modifies application data/resources
Changes contents of memory dynamically
Binary patching, method hooking, local resource modification, method swizzling, and dynamic memory modification

M9 - Reverse Engineering
This category includes analysis of the final core binary to determine its source code, libraries, algorithms, and other assets. Software such as IDA Pro, Hopper, otool, and other binary inspection tools give the attacker insight into the inner workings of the application. This may be used to exploit other nascent vulnerabilities in the application, as well as revealing information about back end servers, cryptographic constants and ciphers, and intellectual property.

Attacker analyzes the core binary
Tools: IDA Pro, Hopper, otool etc...
Exploit vulnerabilities
Harvest information about backend servers, ciphers, IP (intellectual property), cryptographic constants.

M10 - Extraneous Functionality
Often, developers include hidden backdoor functionality or other internal development security controls that are not intended to be released into a production environment. For example, a developer may accidentally include a password as a comment in a hybrid app. Another example includes disabling of 2-factor authentication during testing.

Extraneous functionality
Hidden backdoor functionality
Disabling two-factor authentication
Password in a hybrid app

How a Criminal Hacker can profit

stealing your identity
banking credentials
blackmail

SMS Phishing Attack
sms with link, update http / https

13.1 Mobile Android Part 2 EH 05:49

Hacking Android Tools

AndroRAT
Hackode
zANTI
Csploit
FaceNiff
Shark for Root
Droidsheep
DroidBox
APKInspector
Nmap

 module 13 android os architecture

AndroRAT
Takes control of Android OS
Runs as a service and can activate a server connection with SMS or a call
Collects call logs, device location, messaging, tracks user activity, camera access, etc..

Hackode
3 categories
Google hacking
Scanning
SQL injection
DNS Lookup

zANTI (sniffer)

Csploit
Catalog local hosts
Installs backdoors
Detect vulnerabilities
Determines Wifi passwords

FaceNiff
Twitter
Facebook

Shark for Root
Traffic sniffer
Works on rooted Android devices
Based on tcpdump
Wireshark for Android

Droidsheep
Operates as a router to oversee wifi network traffic
Gains access to active sessions
twitter
facebook
linkedin
etc..

 

DroidBox
Hashes for APK packages
SMS
Calls
Network traffic

APKInspector
Reverse engineering of app code
App license and credit deletion

Nmap
Works on rooted and non-rooted devices

Android Rooting Tools (GUIs)
oneclickroot
rescueroot
kingoroot

Vulnerability scanners
Ostorlab android ios
Appvigil analysis owasp top 10
Andrototal scans for malware
Akana check apps for malicious code
Sandroid performs static and dynamic analysis (Android)

 

13.2 IOS Arch Jailbreak EH 05:43

iOS Architecture
Cocoa Touch: Objective-C API for app development
Media services: graphics, audio, video
Core services: cloud computing, databases
Core OS: based on the Mac OS X kernel

iOS jailbreaking tools (GUIs)
Electra
Cydia
Yalu
Pangu
PP Assistant
TaiG
Evasi0n
Redsn0w (ceh study)

iOS Malware
AppBuyer (buys apps in the victim's name)
KeyRaider (steals credentials via iTunes traffic)
XcodeGhost (targeted Chinese developers)
Pegasus spyware (texts, calls, passwords, phone location; jailbreaks the phone)

mspy (monitor, parental controls)

Securing iOS Device
Update software
Activate location feature
Long passcode
auto-wipe data after login attempts
don't click unknown links
revoke app permissions
turn off siri

 module 13 ios pentesting

13.3 IOS Mobile Device Management EH 09:32

MDM (Mobile Device Management)

data segregation
email security
securing corporate documents
enforcing policies (no youtube cat videos)
on-premise or cloud based
mobile, laptops, handhelds
reduce support cost and business risk

MDM Solutions (website screenshots)
ManageEngine mdm plus
vmware airwatch
soti mobicontrol
citrix xenmobile
ibm MaaS360
Microsoft Intune
AppTec360 Enterprise Mobility Management
Baramundi Management Suite

BYOD
Bring your own device

increased productivity
reduced IT and operating costs
improved mobility
appeal

BYOD Security Guidelines
Who pays for the device and data coverage
regulations in play
measures for securing devices
where is data stored
do we need an agreement with employees
safeguards for a device being compromised
support
privacy?

Tips for securing devices and reducing BYOD Risk
password protected access controls
control wireless network connectivity
control application access
keep software up to date
backup device data
remote wipe service/location tracking
no personal financial information
no free apps
mobile antivirus/antimalware scans
use MDM

Post-Assessment
Question 1: which one of these is not a way to jailbreak iOS?

pangu
rescueroot
redsn0w
TaiG

android: root in the name, most likely android.

Question 2:
Insecure NOC is not an owasp top 10 mobile risk.

 

Module 14: IDS, Firewalls, and Honeypots
14.0 IDS EH 12:06

IDS
Intrusion Detection System (IDS): a device or software application that monitors a network or system for malicious activity or policy violations.
- HIDS (Host-Based Intrusion Detection System)
- NIDS (Network-Based Intrusion Detection System)

 

module 14 NIDS AND HIDS

How IDS Detects Intrusions

traffic to and from devices is monitored
traffic matched to library of known attacks
check for abnormal behaviour
alert sent to Administrator

IPS (Intrusion Prevention System)
- generally combined with IDS
- Attempts to block or stop the malicious activity (drop packets, reset connection, block traffic from an IP address)

IPS/IDS Detection Methods
- Signature based - packets are monitored and compared to known attack signatures
- Anomaly-based: monitors network traffic and compares against a baseline
- Stateful protocol analysis: deviations of protocol states by comparison of observed events

Types of IDS/IPS Alerts
True positive: bad traffic triggers an alert
False positive: Good traffic triggers an alert
False negative (worst kind): bad traffic does not trigger an alert
True negative: good traffic does not trigger an alert

Snort
Intrusion Detection System (free and open-source)

Snort Rule Actions

pass - tells Snort to ignore the packet
log - used to log a packet
alert - send an alert message
activate - alert, then turn on a dynamic rule
dynamic - rules that stay idle until invoked by an activate rule
user-defined action - send a message to syslog, take multiple actions on a packet

Snort Direction Operator
<> bi-directional
-> one direction (source to destination)
any for any IP address or port
port ranges use the : operator
Numeric IP addresses must be written with a CIDR (Classless Inter-Domain Routing) netmask.
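
Added example (not Snort's own code, and not from the course): a small parser for the Snort rule header described above (action, protocol, source, port, direction operator, destination, port) plus a matcher that applies the `->` and `<>` semantics to a constructed packet. The sample rule, the variable table (`$EXTERNAL_NET` assumed to be everything) and the packets are constructed; like the note above, the parser insists that numeric addresses carry a CIDR mask.

```python
# Added example, not Snort's own code: a parser for the Snort rule header
# (action, protocol, source, port, direction operator, destination, port)
# and a matcher that applies the -> and <> semantics to a constructed packet.
# It follows the notes above: numeric addresses must carry a CIDR mask.
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Tuple, Union

ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
Address = Union[str, ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Rule:
    action: str
    proto: str
    src: Address
    src_port: Tuple[int, int]
    direction: str
    dst: Address
    dst_port: Tuple[int, int]
    options: Dict[str, str]


def parse_port(spec: str) -> Tuple[int, int]:
    """'any' covers all ports; 'lo:hi' is a range; ':hi' and 'lo:' are open-ended."""
    if spec == "any":
        return (0, 65535)
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo) if lo else 0, int(hi) if hi else 65535)
    port = int(spec)
    return (port, port)


def parse_address(spec: str) -> Address:
    """'any' and $VARIABLES stay symbolic; a numeric address needs a CIDR netmask."""
    if spec == "any" or spec.startswith("$"):
        return spec
    if "/" not in spec:
        raise ValueError(f"numeric address {spec!r} must carry a CIDR netmask")
    return ipaddress.ip_network(spec, strict=False)


def parse_rule(text: str) -> Rule:
    """Split 'header (options)' and validate each header field."""
    header, _, option_text = text.partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("rule header must have exactly 7 fields")
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    if direction not in ("->", "<>"):
        raise ValueError(f"bad direction operator {direction!r}")
    # Only 'keyword:value;' options are collected; flag-only options are skipped.
    options = {m.group(1): m.group(2).strip('"')
               for m in re.finditer(r'(\w+):\s*("[^"]*"|[^;]+);', option_text)}
    return Rule(action, proto, parse_address(src), parse_port(sport),
                direction, parse_address(dst), parse_port(dport), options)


def address_matches(spec: Address, ip: str, variables: Dict[str, str]) -> bool:
    if spec == "any":
        return True
    if isinstance(spec, str):          # a $VARIABLE: resolve it from the supplied table
        spec = ipaddress.ip_network(variables[spec], strict=False)
    return ipaddress.ip_address(ip) in spec


def rule_matches(rule: Rule, pkt: dict, variables: Dict[str, str]) -> bool:
    """'->' matches only source-to-destination; '<>' matches either orientation."""
    if pkt["proto"] != rule.proto:
        return False

    def one_way(a, a_port, b, b_port):
        return (address_matches(rule.src, a, variables)
                and rule.src_port[0] <= a_port <= rule.src_port[1]
                and address_matches(rule.dst, b, variables)
                and rule.dst_port[0] <= b_port <= rule.dst_port[1])

    forward = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if rule.direction == "->":
        return forward
    return forward or one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])


# Constructed sample rule, variable table and packets (not from a real deployment).
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> 192.168.1.0/24 1:1024 '
               '(msg:"Low-port connection into LAN"; sid:1000001; rev:1;)')
VARIABLES = {"$EXTERNAL_NET": "0.0.0.0/0"}
INBOUND = {"proto": "tcp", "src": "203.0.113.5", "sport": 40000,
           "dst": "192.168.1.10", "dport": 22}
OUTBOUND = {"proto": "tcp", "src": "192.168.1.10", "sport": 22,
            "dst": "203.0.113.5", "dport": 40000}

if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(rule)
    print("inbound matches ->:", rule_matches(rule, INBOUND, VARIABLES))
    print("reply matches ->:  ", rule_matches(rule, OUTBOUND, VARIABLES))
```

With `->` the reply packet (LAN port 22 back to the outside host) does not match; rewriting the same rule with `<>` makes it match in both orientations, which is the difference the direction operator encodes.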

Other IDS/IPS Tools
AlienVault OSSIM (trial, paid)
TippingPoint (free/paid)
Security Onion

Evading IDS
- Insertion attack (IDS accepts a packet that the host machine rejects)
- Denial-of-Service (DoS): overwhelm the IDS
- Obfuscation: unique attack patterns (polymorphic shellcode)
- Unicode: changes the signature
- Fragmentation: split the payload into small packets

Evasion Tools:
ssl proxy
nmap
Whisker: craft packets with small payloads (session splicing)
Stick and snot: generate a large number of alerts to overwhelm the "human" element

nmap
Use the -T0 or -T1 timing switch
nmap 192.168.1.1 -T0
nmap 192.168.1.1 -T1

Used to slow down the communication stream.

Countermeasures for IDS Evasion
Snort: use the -z switch, which will ignore the Stick and Snot Attacks
Traffic re-assembly
Closely monitor fragmented traffic

14.1 Firewalls EH 06:49

Firewalls

Rules
Implicit deny

Firewall Technologies
- Packet filtering (static)
- Circuit-level gateway
- Application-level
- Stateful Inspection
- Application Proxy
- Network Address Translation (NAT)

- Packet filtering (static)
filters on source/destination IP address and TCP/UDP source/destination port

- Circuit-level gateway
sender does not learn the internal IP; the session uses a random port

- Application-level

- Stateful Inspection
tracks connection state: a SYN is sent but no ACK follows, so the packets are dropped

- Application Proxy

Functions as a proxy between systems
uses a lot of resources

- Network Address Translation (NAT)
Port address translation
Firewall assigns an outside IP address for the computer in the private network.

Firewall limitations
not effective against social engineering attacks
cannot enforce password policies
users accessing websites with malicious code
security policy

Firewall Tools
ManageEngine Firewall Analyzer
ZoneAlarm Free Firewall
NoRoot (mobile)
NoGuard / Netguard (mobile)

Firewall Evasion:
IP Address Spoofing: attacker appears as a trusted host
Tiny Fragments: breaking up packets
URL Blocking: use IP address instead
ICMP tunneling (covert): obfuscation using echo requests
HTTP tunneling: sending traffic on port 80, Tool: HTTP tunnel
WAF (Web Application Firewall): XSS

 

14.2 Honeypots EH 05:51

Honeypots
Low interaction: services frequently requested by attackers
High interaction: mimics a real system

 

Low interaction Honeypot Tools
Dionaea
Glastopf
Thug
Conpot

High interaction Honeypot Tools
The Honeynet Project (google search)

Capture-HPC
Dockpot

Detecting Honeypots

No outbound traffic, or traffic that does not follow normal patterns
Random machine sitting outside the DMZ
Too "insecure"

Honeypot Detection Tool
Send-Safe HoneyPot Hunter 3.2.28

Module 15: IoT
15.0 IoT Basics EH 07:20

What is IoT?
Network of physical devices, vehicles, home appliances, etc..
Collect and exchange data.

IoT Protocols
1. Infrastructure: IPv4/IPv6, 6LoWPAN, RPL
2. Identification: URIs, EPC, uCode
3. Communications/Transport: Wifi, Bluetooth
4. Discovery: mDNS, DNS-SD
5. Data Protocol: MQTT, CoAP, AMQP, Websocket
6. Device Management: TR-069, OMA-DM
7. Semantic: JSON-LD, Web Thing Model
8. Multi-Layer Frameworks: Weave, Homekit, IoTivity

 

IoT Communication Models:
1. Device to device: light switch, lightbulb, thermostat
2. Device to cloud: exchange knowledge
3. Device to gateway: go-between device
4. Back-end data sharing: sensitive data

Challenges of IoT (screenshot)

Security; baby monitors, infusion pumps, pacemakers, thermostats, etc..
Connectivity: client/server architecture and scale
Compatibility/ longevity: lack of standard protocols
Standard: unstructured data, technical skills
Intelligent Analysis/Actions: inaccurate analysis due to flaws in data models, legacy systems' ability to manage unstructured or real-time data, slow adoption of new technologies.

15.1 IoT OWASP EH 04:56

2018
https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

 

module 15 owasp IoT attack surface areas

Weak, guessable, or hardcoded passwords
Insecure network services
Insecure ecosystem interfaces
Lack of secure update mechanism
Use of insecure or outdated components
Insufficient privacy protection
Insecure data transfer and storage
Lack of device management
Insecure default settings
Lack of physical hardening

2014

I1 Insecure Web Interface
I2 Insufficient Authentication/Authorization
I3 Insecure Network Services
I4 Lack of Transport Encryption
I5 Privacy Concerns
I6 Insecure Cloud Interface
I7 Insecure Mobile Interface
I8 Insufficient Security Configurability
I9 Insecure Software/Firmware
I10 Poor Physical Security

 

I1 Insecure Web Interface
change default passwords and usernames
ensure password recovery methods are robust
ensure interface is not susceptible to XSS, CSRF
ensure no credentials are exposed on network traffic
no weak passwords allowed
account lockout after 3-5 failed login attempts

I2 Insufficient Authentication/Authorization
strong passwords
granular access control
two factor authentication
secure password recovery mechanisms

I3 Insecure Network Services
only open necessary ports
ensure services are not vulnerable to buffer overflow
ensuring services are not vulnerable to DoS

I4 Lack of Transport Encryption
ensure data is encrypted with protocols like TLS
avoid proprietary encryption protocols and only use accepted encryption standards

I5 Privacy Concerns
Ensure only data critical to the functionality of the device is collected
ensure data is protected with encryption
ensure only authorized individuals have access to personal information

I6 Insecure Cloud Interface
default usernames and passwords need to be changed during initial setup
account lockout after 3-5 attempts
ensuring web interface not susceptible to XSS and CSRF
ensuring credentials not exposed over the internet
two factor authentication

I7 Insecure Mobile Interface
change default usernames/passwords
strong password reset mechanisms
ensure account lockout after 3-5 attempts
ensure credentials are not exposed with wireless networks
two factor authentication

I8 Insufficient Security Configurability
ensure ability to keep admin users separate
encrypt data at rest or in transit
strong password policy enforcement
security event logging

I9 Insecure Software/Firmware
Updates
Ensure update file is encrypted
ensure update file does not contain sensitive data
ensure signature/verification of update file
ensure update server is secure

I10 Poor Physical Security
ensure data storage medium cannot be easily removed
stored data encrypted at rest
eliminate use of USB ports for malicious access
ensure device cannot be disassembled easily
ensure product can limit administrative capabilities.

15.2 IoT Surface Area Tools EH 08:00

screenshot
https://www.owasp.org/index.php/IoT_Attack_Surface_Areas

 

Ecosystem Access Control

Implicit trust between components
Enrollment security
Decommissioning system
Lost access procedures

Device Memory

Cleartext usernames
Cleartext passwords
Third-party credentials
Encryption keys

Device Physical Interfaces

Firmware extraction
User CLI
Admin CLI
Privilege escalation
Reset to insecure state
Removal of storage media

Device Web Interface

SQL injection
Cross-site scripting
Cross-site Request Forgery
Username enumeration
Weak passwords
Account lockout
Known default credentials

Device Firmware

Hardcoded credentials
Sensitive information disclosure
Sensitive URL disclosure
Encryption keys
Firmware version display and/or last update date

Device Network Services

Information disclosure
User CLI
Administrative CLI
Injection
Denial of Service
Unencrypted Services
Poorly implemented encryption
Test/Development Services
Buffer Overflow
UPnP
Vulnerable UDP Services
DoS

Administrative Interface

SQL injection
Cross-site scripting
Cross-site Request Forgery
Username enumeration
Weak passwords
Account lockout
Known default credentials
Security/encryption options
Logging options
Two-factor authentication
Inability to wipe device

Local Data Storage

Unencrypted data
Data encrypted with discovered keys
Lack of data integrity checks

Cloud Web Interface

SQL injection
Cross-site scripting
Cross-site Request Forgery
Username enumeration
Weak passwords
Account lockout
Known default credentials
Transport encryption
Insecure password recovery mechanism
Two-factor authentication

Third-party Backend APIs

Unencrypted PII sent
Encrypted PII sent
Device information leaked
Location leaked

Update Mechanism

Update sent without encryption
Updates not signed
Update location writable
Update verification
Malicious update
Missing update mechanism
No manual update mechanism

Mobile Application

Implicitly trusted by device or cloud
Username enumeration
Account lockout
Known default credentials
Weak passwords
Insecure data storage
Transport encryption
Insecure password recovery mechanism
Two-factor authentication

Vendor Backend APIs

Inherent trust of cloud or mobile application
Weak authentication
Weak access controls
Injection attacks

Ecosystem Communication

Health checks
Heartbeats
Ecosystem commands
Deprovisioning
Pushing updates

Network Traffic

LAN
LAN to Internet
Short range
Non-standard

IoT Hacking Tools

Wireshark
Burp Suite
Binary Ninja
IDA PRO
Ubertooth One

 

Wireshark

Burp Suite

Binary Ninja
compiler - reverse engineer - crack

IDA PRO
reverse engineer some app on a phone

Ubertooth One
grab bluetooth communications (30/40 euros)

 

Post-Assessment
Question 1: All of the following are challenges of IoT, except:

D Sensors

 

Module 16: Cloud
16.0 Cloud EH 12:50

Pre-Assessment: Targeted toward Software Development in the cloud

B Platform as a Service

SaaS on demand 3rd party
LaaS ingnore
IaaS Everything in the cloud.
PaaS Develop application in the cloud.

Module 16 NIST Cloud Computing Reference Architecture

Question 2: the individual or organization that uses the cloud services.

Cloud carrier: intermediary (like the electric company)
Cloud broker: delivers performance and infrastructure
Cloud auditor: keeps you safe in the cloud.

Cloud what is it?
You're putting data on someone else's stuff
On scale

Module 16 NIST Cloud Computing Reference Architecture

Cloud Deployment Models
private (org)
community (shared concerns)
hybrid (on-prem and cloud)
public (general public, selling cloud services)

 module 16 shared responsibility for the cloud

Cloud benefits:
faster software
reduced infrastructure costs
elasticity
reliability
mobility
DRP/BCP
DRP= Disaster Recovery planning/Protocol
BCP= Business continuity planning/protocol

Virtualization
Allows you to use one piece of hardware to run multiple simulated environments.

Cloud Threats
Data breach/loss
Insider threats
Account hijacking
DoS/DDoS
Insecure APIs

Post-Assessment
Question 1: More rapid software releases are a benefit of cloud computing.
True/False

16.1 Cloud Attacks EH 06:34

Cloud Computing Attacks:

Side channel/Cross-guest VM attacks
SQL Injection Attacks
Wrapping attack
Man-in-the-Cloud attack

Side channel/Cross-guest VM attacks
SQL Injection Attacks
Wrapping attack (SOAP messages intercepted, replayed)
Man-in-the-Cloud attack

service hijacking by sniffing

module 16 service hijacking by sniffing

Session Hijacking by XSS

module 16 session hijacking by xss

DNS Amplification Attack

 

module 16 DNS Amplification Attack

16.2 Cloud Final EH 10:12

Pre-Assessment
Question 1:
Cloud security is only the responsibility of the cloud provider
True/False

module 16 Cloud Security

Cloud Security
layer vs controls
Applications - SDLC, binary analysis, application scanners and web application firewalls

Information - Database monitoring, encryption, DLP, content management framework (CMF)

Management - Patch and configuration management, governance, compliance, IAM, virtual machine administration

Network - Firewalls, NIDS, DNS security

Trusted Computing - Hardware and software roots of trust and APIs

Computer and storage - HIDS, Log management, firewalls, encryption

Physical - Video monitoring, guards

shared responsibility for the cloud - screenshot

Cloud computing security considerations

is the data critical?
can i move the data?
availability?
BCP/DRP?
backups?
encryption
ownership?
vendor?

Cloud Security Controls

match to the business function
encryption
track changes
Strong IAM controls (Identity Access Management Controls)

Cloud security best practices

end to end encryption
encryption at rest
vulnerability/ incident response
data retention policy
RBAC (Role Based Access Control)
VPC (Virtual Private Cloud)
Compliance Certifications

Cloud Security Tools

Netskope
McAfee Skyhigh
Ciphercloud
IBM Cloud Security Enforcer
Avast CloudCare

Pentesting the cloud

considerations (know what allowed to touch)!
shared responsibility
cloud stack

Module 17: Cryptography
17.0 Algorithm Cryptography EH 04:23

Pre-assessment
Question 1: This uses a single key for both encryption and decryption

B: Symmetric Encryption

asymmetric - 2 keys

Question 2: All of the following are primary functions of cryptography in today's world, except:

D: OSI

Cryptography terms:

Cryptography the study and practice of techniques for secure communication in the presence of third parties.

Cryptanalysis: the study of analyzing information systems to study the hidden aspects of the system.

Cipher: an algorithm for performing encryption or decryption

Types of Cryptography:

Symmetric
Asymmetric
Hashing

module 17 types of cryptography

GAK (ceh study)
Government Access to Keys (GAK)
Government Access to Keys (also known as key escrow) means that software companies will give copies of all keys (or at least enough of the key that the remainder could be cracked) to the government.
The government promises that it will hold on to the keys in a secure way, and will only use them when a court issues a warrant to do so.
To the government, this issue is similar to the ability to wiretap phones.

module 17 GAK

Encryption Algorithms

Ciphers
DES/3DES
AES
RC4, RC5 and RC6 Algorithms
Twofish
DSA
RSA
Diffie-Hellman
MD5,SHA,RIPEMD-160,HMAC

 

Ciphers
generally substitute the same number of characters that are input
plaintext = original information
ciphertext = encrypted information
block vs stream

DES/3DES
DES: Data Encryption Standard
56-bit key size
insecure, but influential
3DES: Applies DES three times to each block
Symmetric

AES
Advanced Encryption Standard
Symmetric key algorithm
Fixed 128 bit block size
Key size 128, 192, or 256 bits

 

module 17 aes design

RC4, RC5 and RC6 Algorithms
Rivest Cipher 4 (also read as "Ron's Code")
Stream cipher
Insecure
first few bytes of the keystream are non-random
analyze a high volume of messages

Rivest Cipher 5
Block size: 32, 64 or 128 bits
Key size: 0 - 2040 bits
Rounds: 0 - 255
Data-dependent rotation: resistance to cryptanalysis
Rotation depends on the least significant few bits.

RC6
Rivest Cipher 6
Block size: 128 bits
Key sizes: 128, 192 and 256 bits
Rotation depends on every bit in the word.

 

17.1 Algorithm and Hash Cryptography EH 04:56

Twofish
Symmetric key block cipher
Block size: 128 bits
Key size: up to 256 bits
Key-dependent S-boxes: obscure the relationship between key and cipher

DSA
2 phases of key generation

1. choice of algorithm parameters (shared between different users)
2. compute the public and private keys per user

ECDSA (Elliptic Curve Digital Signature Algorithm)
- Sony PlayStation 3 (2012, little hack, bypass Sony's signature software)
- fail0verflow

RSA
(Rivest Shamir Adleman)
Asymmetric

module 17 RSA

Diffie-Hellman

module 17 diffie hellman

screenshot

Hashing

MD5
Produces a 128-bit value
Non-identical messages can have the same hash value
collision risk: same output for different files

SHA
SHA-1
160 bit hash value

SHA-2
224, 256, 384, and 512 bit values

SHA-3
512 bit value
Sponge construction (sponge: any amount of data, various outputs on squeeze)

RIPEMD-160
(RACE Integrity Primitives Evaluation Message Digest)
160 bits

Avalanche effect behaviour
small change in the input, completely different hash

HMAC
Hash-based Message Authentication Code
Cryptographic hash function combined with a cryptographic key
integrity and authentication

HMAC_MD5
HMAC_SHA1
HMAC_SHA256

all produce different digest lengths and hashes

 

17.2 Cryptography Tools EH 02:24

Cryptographic Tools

Hash Calculators
Advanced Encryption Package 2017
Bctextencoder
WhisperCore

Hash Calculator
hashcalc
input/output

Advanced Encryption Package 2017
www.aeppro.com (beginners)

Bctextencoder
jetico.com

WhisperCore
android
whipsercore-app-encrypts-all-data-on-android

17.3 PKI Disk Encrypt Email Cryptography EH 05:42
Cryptography

PKI
Email encryption
Disk encryption

PKI
Roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and to manage public key encryption.

bind public keys to entities
ca (certificate authority)
RA (registration authority)
web of trust (self-signed)

module 17 pki

Email encryption

Digital signature (DSA)
ssl (Secure Sockets Layer): POODLE
TLS (Transport Layer Security)

TLS
tls1.2
sha-256
Removed SSL Compatibility

tls1.3
removed support for: md5, sha-224, weak elliptic curves

PGP (Pretty Good Privacy)
end-to-end encryption
OpenPGP Standard (RFC 4880)
hashing
data compression
symmetric
asymmetric

OpenSSL
keyczar
symantec

GNU Privacy Guard (free tool)

Disk encryption
Full disk encryption
every bit of data encrypted
MBR or similar area not encrypted with many tools.

Encryption Tools
VeraCrypt
Symantec Drive Encryption (endpoint security suite)

17.4 Cryptography Lab Part 1 EH 06:57
Hashing lab 1

hash calc sha1 sha512

17.5 Cryptography Lab Part 2 EH 03:55

hxdsetup unzip install open photo - edit text save

 

17.6 Photo Cryptography Lab EH 05:43

compare files

17.7 Bonus Cryptography Lab EH 02:15

certificate check

17.8 Cryptography Final EH 06:51

Cryptanalysis

Linear Cryptanalysis
Differential cryptanalysis
Integral Cryptanalysis

Linear Cryptanalysis
2 parts
Construct linear equations relating plaintext, ciphertext, and key bits that hold with a probability close to 0 or 1.
Use the discovered linear equations, along with known plaintext-ciphertext pairs, to figure out the key bits.

* Used in block and stream cipher attacks

 

Differential cryptanalysis

Non-random behaviour in ciphers
chosen-plaintext attack (attacker must obtain ciphertexts for a set of plaintexts)
method uses pairs of plaintext (related by constant difference: XOR)
Ciphertext patterns

Integral Cryptanalysis
Uses sets/multisets of chosen plaintexts
part of each plaintext is held constant while the rest varies

Example: 256 plaintexts that have all but 8 bits the same.

Cryptography Attacks
Brute-force: passwords/passphrases
birthday: depends on collisions being found between random attack attempts faster than expected
meet-in-the-middle: space-time tradeoff (encrypting my data multiple times does not make it proportionally more secure; find the pattern)
DUHK = later
Rainbow table - precomputed password/hash combinations
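
Added example (not from the course): a birthday search against a digest truncated to a small number of bits, to show why the birthday attack listed above finds a collision after roughly 2^(n/2) attempts rather than 2^n. The messages are constructed and MD5 is only used as a convenient source of pseudo-random bits.

```python
# Added example, not from the course notes: a birthday search against a digest
# truncated to a small number of bits. A collision appears after on the order
# of 2^(bits/2) attempts rather than 2^bits, which is why a hash needs 2n bits
# of output to offer n bits of collision resistance. Messages are constructed.
import hashlib
import math


def truncated_hash(message: bytes, bits: int) -> int:
    """Keep only the top `bits` bits of MD5 to simulate a short digest."""
    digest = int.from_bytes(hashlib.md5(message).digest(), "big")
    return digest >> (128 - bits)


def truncated_collision(bits: int = 20) -> dict:
    """Hash numbered messages until two different ones share a truncated digest."""
    seen = {}
    i = 0
    while True:
        message = f"msg-{i}".encode()
        h = truncated_hash(message, bits)
        if h in seen:
            return {"m1": seen[h], "m2": message, "tries": i + 1, "bits": bits}
        seen[h] = message
        i += 1


def expected_tries(bits: int) -> float:
    """Mean number of draws before the first collision: sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def collision_is_valid(bits: int = 20) -> bool:
    """Check the found pair: different messages, same truncated digest, and
    far fewer tries than the 2^bits an exhaustive preimage search would need."""
    r = truncated_collision(bits)
    return (r["m1"] != r["m2"]
            and truncated_hash(r["m1"], bits) == truncated_hash(r["m2"], bits)
            and r["tries"] < 2 ** bits)


if __name__ == "__main__":
    for bits in (16, 20, 24):
        r = truncated_collision(bits)
        print(f"{bits}-bit digest: collision after {r['tries']} tries "
              f"(expected about {expected_tries(bits):.0f}): {r['m1']!r} vs {r['m2']!r}")
```

For a 20-bit digest the search ends after a little over a thousand hashes, close to the sqrt(pi/2 * 2^20) estimate, not after a million; the same arithmetic is why MD5's 128-bit output and SHA-1's 160-bit output give far less than 128 or 160 bits of collision resistance.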

DUHK
Don't Use Hard-coded Keys
affects VPN and web sessions

Online md5 decryption tools
MD5 Online
www.md5online.org

Post-Assessment
Question 1: Which one was retired because of the POODLE attack?

Module 18: Reports
18.0 Reporting EH 04:21

 

# DISCLAIMER

# IF AND WHEN YOU ARE SURE I DID NOT PUT A PAYLOAD IN THIS DOCUMENT, FEEL FREE TO DOWNLOAD IT #

 Download: How to write a decent REPORT

# END OF DISCLAIMER #

 

Attach: Ethical hacking report template document.

Module 19: Review
19.0 Course Summary EH 04:43
Finished on 10-10-2019
