Ethical Hacking Overview

CEH Course Modules

*Introduction to Ethical Hacking

 there are five phases of hacking

1. Information gathering (Reconnaissance) 

2. scanning

3. Gaining Access

4. Maintaining Access

5. Covering Tracks (back door)

Footprinting and reconnaissance

Footprinting is the process of collecting as much information as possible about a target network, for identify various ways to intrude into an organization's network system

Footpriting is the first step of any attack on information systems;attacker gather publicly available sensitive information, using which he/she performs social engineering, system and network attacks, etc.

Footprinting Methodology

1. Footprinting through search engines

2. Footprinting using advanced google hacking techniques

3. Footprinting through social networking sites

4. Website footprinting

5. Email footprinting

6. Competitive intelligence

7. WHOIS Footprinting

8. DNS Footprinting

9. Network footprinting

10. Footprinting through social engineering

Scanning Networks

Overview of network scanning

1.    Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network

2.    Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization

CEH Scanning Methodology

1. Check for live systems

2. Check for open ports

3. Scanning beyond ids

4. Annear grabbing

5. Scan for Vulnerability

6. Draw network diagrams

7. Prepare proxies

8. Scanning pen testing

Vulnerablity scanning

Vulnerability scanning identifies vulnerabilities and weaknesses of a system and network in order to determine how a system can be exploited

1. Network vulnerabilities

2. Open ports and running services

3. Application and services vulnerabilities

4. Application and services configuration errors

*Enumeration

1. In the enumeration phase, attacker creates active connections to system and performs directed queries to gain more information about the target

2. Attackers use extracted information to identify system attack point and perform password attack to gain unauthorized access to information system resources

3. Enumeration techniques are conducted in an internet environment

Techniques for enumeration

1. Extract user names using email IDs

2. Extract information using the default passwords

3. Extract user names using

SNMP

4. Brute force active directory

5. Extract user groups from windows

6. Extract information using DNS zone transfer

Enumeration Module Flow

1.    Enumeration concepts

2.    NetBIOS enumeration

3.    SNMP Enumeration

4.    LDAP Enumeration

5.    NTP Enumeration

6.    SMTP and DNS Enumeration

7.    Enumeration Countermeasures

8.    Enumeration pen testing

System Hacking

Information at Hand Before System Hacking stage

-Footprinting Module

 1. IP Range

 2. Namespace

 3. Employees

-Scanning Module

 1. Target assessment

 2. Identified Systems

 3. Identified Services

-Enumeration Module

 1. Intrusive Probing

 2. User Lists

 3. Security Flaws

CEH Hacking Methodology (CHM) – 

CEH System Hacking Steps

1. Cracking Passwords

2. Escalating Privileges

3. Executing Applications

4. Hiding Files

5. Covering Tracks

6. Penetration Testing

Malware Threats

Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator for the purpose of theft or fraud

Examples of malware

1.    Trojan horse

2.    Virus

3.    Backdoor

4.    Worms

5.    Rootkit

6.    Spyware

7.    Ransomware

8.    Botnet

9.    Adware

10.  Crypter

Different Ways a Malware can Get into a System

1.    Instant Messenger applications

2.    IRC (Internet Relay Chat)

3.    Removable Devices

4.    Attachments

5.    Legitimate \"shrink-wrapped\" software packaged by a disgruntled employee

6.    Browser and email software bugs

7.    NetBIOS (File Sharing)

8.    Fake Programs

9.    Untrusted sites and freeware software

10.  Downloading files, games, and screensavers from internet sites

Module Flow

1.    Introduction to malware

2.    Trojan concepts

3.    virus and worm concepts

4.    malware reverse engineering

5.    malware detection

6.    countermeasures

7.    anti-malware software

8.    penetration testing

 Common Ports Used by Trojans –

 computer worms

 1. Computer worms are malicious programs that replicate, execute, and spread across the network connections independently without human interaction

2. Most of the worms are created only to replicate and spread across a network, consuming available computing resource;however, some worms carry a payload to damage the host system

3. Attackers use worm payload to install backdoors in infected computers, which turns them into zombies and creates botnet;these botnets can be used to carry further cyber attacks

Sniffing

Network sniffing and Threats

- sniffing is a process of monitoring and capturing all data packets passing through a given network using sniffing tools

- It is form of wiretap applied to computer networks

- Many enterprises' switch ports are open

- Anyone in the same physical location can plug into the network using an Ethernet cable

How a Sniffer Works

- Sniffer turns the NIC of a system to the promiscuous mode so that it listens to all the data transmitted on its segment

- A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in the data packet

Active Sniffing

- Active sniffing is used to sniff a switch-based network

- Active sniffing involves injecting address resolution packets (ARP) into the network to flood the switch's content addressable memory (CAM) table;CAM keeps track of which host is connected to which port

Hardware protocol Analyzer

- A hardware protocol analyzer is a piece of equipment that capture signals without altering the traffic in a cable segment

- It can be used to monitor network usage and identify malicious network traffic generated by hacking software installed in the network

- It captures a data packet, decodes it, and analyzes its content according to certain predetermined rules

- It allows attacker to see individual data bytes of each packet passing through the cable

Module flow 

Social Engineering

Social engineering is that art of convincing people to reveal confidential information.

Common targets of social engineering include help desk personnel, technical support executives, system administrators, etc.

Module Flow

1. Social Engineering concepts

2. Social engineering Techniques

3. Impersonation on social networking sites

4. Identify theft

5. Social engineering countermeasures

6. Penetration testing

Type of social engineering

*Denial-of-Service

- Denial of service (DoS) is an attack on a computer or network that reduces, restricts or prevents accessibility of system resources to its legitimate user

- In a DoS attack, attacker flood a victim system with non-legitimate service requests or traffic to overload its resources

- DoS attack leads to unavailability of a particular website and slow network performance

Basic Categories of DoS/DDoS Attack Vectors 

Permanent denial-of-service Attack

Phlashing - permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system hardware

Sabotage - Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware

Bricking a system - This attack is carried out using a method known as \"bricking a system\"

Using this method, attackers send fraudulent hardware updates to the victims

Process 

Module Flow 

Hacking Webservers

Web server security issue

- Web server is a program (both hardware and software) that hosts websites;attackers usually target software vulnerabilities and configuration errors to compromise web servers

- Nowadays, network and os level attacks can be well defended using proper network security measures such as firewalls, IDS, etc. however, web servers are accessible from anywhere on the web, which makes them less secured and more vulnerable to attacks

Impact of webserver Attacks 

1. Compromise of user accounts

2. Website defacement

3. Secondary attacks from the website

4. Root access to other applications or servers

Module Flow

Open Source Webserver Architecture

*Hacking Web Applications

- web applications provide an interface between end user and web server through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser

- Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.

- Web technologies such as Web 2.0 provide more attack surface for web application exploitation

- Web applications and web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency

Module Flow 

SQL Injection

- SQL injection is a technique used to take advantage of non-validate input vulnerabilities to pass SQL commands through a web application for execution by a backend database

- SQL injection is a basic attack used to either gain unauthorized access to a database or to retrieve information directly from the database

- It is a flow in web applications and not a database or web server issue  

Type of SQL injection

SQL Injection Methodology

1. Information Gathering and SQL injection vulnerability Detection

2. Launch SQL Injection Attacks

3. Advanced SQL Injection

Module Flow    

Testing for SQL Injection

*Hacking Wireless Networks

Wireless Networks

- Wi-Fi refer to wireless local area networks (WLAN) based on IEEE 802.11 Standard

- It is widely used technology for wireless communication across a radio channel

- Devices such as a personal computer, video-game console, smartphone etc. use Wi-Fi to connect to a network resource such as the internet via a wireless network access point

Wireless Standard

Type of Wireless Encryption

-    WAP2 Enterprise

-    WEP

-    ASE

-    EAP

-    802.11i

-    TKIP

-    WPA

-    LEAP

-    CCMP

-    RADIUS

WEP Vs. WPA Vs. WPA2

WEP should be replaced with more secure WPA and WPA2

How to break WPA Encryption

1. WPA PSK

   WPA PSK user a user defined password to initialize as it is a per- packet key but the keys can be brute-forced using dictionary attacks

2. Offline Attack

    You only have to be near the AP for a matter of secound in order to capture the WPA/WPA2 authentication handshake, by capturing the right type of packets, you can crack WPA keys offline

3. De-authentication Attack

    Force the connect client to disconnect, then capture the re-connect and authentication packet using tools such as aireplay, you should be able to re-authenticate in a few second then attempt to dictionary brute force the PMK

4. Brute- force WPA keys

    You can use tools such as air crack, airplay, kismac to brute-force WPA keys

Hacking Mobile Platforms

How a hacker can Profit from mobile when successfully compromised

Surveillance

- Audio

- Camera

- Call logs

- Location

- SMS message

Financial

- sending premium rate Sms messages

- stealing transaction authentication numbers (TANs)

- Extortion via ransomware

- Fake antivirus

- Making expensive calls

Data Theft

- Account details

- Contacts

- Call Logs

- Phone number

Stealing data via app vulnerabilities

- Stealing international mobile equlpment identity Number (IMEI)

Botnet Activity

- Launching D DOS attacks

- Click Found

- Sending Premium rate SMS messages

Impersonation

- SMS redirection

- Sending email messages

- posting to social media

Mobile Platform vulnerabilities and risks

Module Flow

*Evading IDS, Firewalls, and Honeypots

An intrusion detection system (IDS)

An intrusion detection system (IDS) inspects all inbound and outbound network traffic for suspicious patterns that may indicate a network or system security breach

The IDS checks traffic for signatures that match known intrusion patterns, and signals an alarm when a match is found

Firewall

- Firewall is hardware and/or software designed to prevent unauthorized access to or from a private network

- They are placed at the junction or gateway between the two networks, which is usually a private network and a public network such as the internet

- Firewall examines all messages entering or leaving the internet and locks those that do not meet the specified security criteria

- Firewall may be concerned with the type of traffic or with the source or destination addresses and ports

Type of firewall

1. Packet Filters

2. Circuit Level Gateways

3. Application Level Gateways

4. Stateful Multilayer Inspection Firewalls

Honeypot

- A honeypot is an information system resource that is expressly set up to attract and trap people who attempt to penetrate an organization's network

- It has no authorized activity, does not have any production value, and any traffic to it is likely a probe, attack, or compromise

- A honeypot can log port access attempts, or monitor an attacker's keystrokes. these could be early warnings of a more concerted attack

*Cloud Computing

Cloud computing is an on-demand delivery of IT capabilities where IT infrastructure and applications are provided to subscribers as a metered service over a network

Characteristics of cloud computing

1. on-demand self service

2. Distributed storage

3. Rapid elasticity

4. Automated management

5. Broad network access

6. Resource pooling

7. Measured service

8. Virtualization technology

Type Of cloud computing services

 Cloud computing Benefits

 Module Flow 

1. Introduction to cloud computing

2. Cloud computing threats

3. Cloud computing attacks

4. Cloud security

5. Cloud security tools

6. Cloud penetration testing

 Cryptography

- Cryptography is the conversion of data into a scrambled code that is decrypted and sent across a private or public network

- Cryptography is used to protect confidential data such as email message, chat sessions, web transaction, personal data, corporate data, e-commerce applications, etc.

- Objectives

1. Confidentiality

2. Integrity

3. Authentication

4. Non-repudiation

 Module flow 

1. Cryptography concepts

2. Encryption algorithms

3. Cryptography Tools

4. Public Key infrastructure (PKI)

5. Email Encryption

6. Disk Encryption

7. Cryptography Attacks

8. Cryptanalysis tools

 Penetration Testing

Penetration testing defined

There is a considerable amount of confusion in the industry regarding the differences between vulnerability scanning and penetration testing, as the two phrases are commonly interchanged. However, their meaning and implications are very different. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test(Pen Test) attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing typically includes network penetration testing and application security testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network

Penetration testing methodology

Check Weakness