Ethical Hacking Overview
CEH Course Modules
*Introduction to Ethical Hacking
there are five phases of hacking
1. Information gathering (Reconnaissance)
2. scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks (back door)
Footprinting and reconnaissance
Footprinting is the process of collecting as much information as possible about a target network, for identify various ways to intrude into an organization's network system
Footpriting is the first step of any attack on information systems;attacker gather publicly available sensitive information, using which he/she performs social engineering, system and network attacks, etc.
Footprinting Methodology
1. Footprinting through search engines
2. Footprinting using advanced google hacking techniques
3. Footprinting through social networking sites
4. Website footprinting
5. Email footprinting
6. Competitive intelligence
7. WHOIS Footprinting
8. DNS Footprinting
9. Network footprinting
10. Footprinting through social engineering
Scanning Networks
Overview of network scanning
1. Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network
2. Network scanning is one of the components of intelligence gathering an attacker uses to create a profile of the target organization
CEH Scanning Methodology
1. Check for live systems
2. Check for open ports
3. Scanning beyond ids
4. Annear grabbing
5. Scan for Vulnerability
6. Draw network diagrams
7. Prepare proxies
8. Scanning pen testing
Vulnerablity scanning
Vulnerability scanning identifies vulnerabilities and weaknesses of a system and network in order to determine how a system can be exploited
1. Network vulnerabilities
2. Open ports and running services
3. Application and services vulnerabilities
4. Application and services configuration errors
*Enumeration
1. In the enumeration phase, attacker creates active connections to system and performs directed queries to gain more information about the target
2. Attackers use extracted information to identify system attack point and perform password attack to gain unauthorized access to information system resources
3. Enumeration techniques are conducted in an internet environment
Techniques for enumeration
1. Extract user names using email IDs
2. Extract information using the default passwords
3. Extract user names using
SNMP
4. Brute force active directory
5. Extract user groups from windows
6. Extract information using DNS zone transfer
Enumeration Module Flow
1. Enumeration concepts
2. NetBIOS enumeration
3. SNMP Enumeration
4. LDAP Enumeration
5. NTP Enumeration
6. SMTP and DNS Enumeration
7. Enumeration Countermeasures
8. Enumeration pen testing
System Hacking
Information at Hand Before System Hacking stage
-Footprinting Module
1. IP Range
2. Namespace
3. Employees
-Scanning Module
1. Target assessment
2. Identified Systems
3. Identified Services
-Enumeration Module
1. Intrusive Probing
2. User Lists
3. Security Flaws
CEH Hacking Methodology (CHM) –
CEH System Hacking Steps
1. Cracking Passwords
2. Escalating Privileges
3. Executing Applications
4. Hiding Files
5. Covering Tracks
6. Penetration Testing
Malware Threats
Malware is malicious software that damages or disables computer systems and gives limited or full control of the systems to the malware creator for the purpose of theft or fraud
Examples of malware
1. Trojan horse
2. Virus
3. Backdoor
4. Worms
5. Rootkit
6. Spyware
7. Ransomware
8. Botnet
9. Adware
10. Crypter
Different Ways a Malware can Get into a System
1. Instant Messenger applications
2. IRC (Internet Relay Chat)
3. Removable Devices
4. Attachments
5. Legitimate \"shrink-wrapped\" software packaged by a disgruntled employee
6. Browser and email software bugs
7. NetBIOS (File Sharing)
8. Fake Programs
9. Untrusted sites and freeware software
10. Downloading files, games, and screensavers from internet sites
Module Flow
1. Introduction to malware
2. Trojan concepts
3. virus and worm concepts
4. malware reverse engineering
5. malware detection
6. countermeasures
7. anti-malware software
8. penetration testing
Common Ports Used by Trojans –
computer worms
1. Computer worms are malicious programs that replicate, execute, and spread across the network connections independently without human interaction
2. Most of the worms are created only to replicate and spread across a network, consuming available computing resource;however, some worms carry a payload to damage the host system
3. Attackers use worm payload to install backdoors in infected computers, which turns them into zombies and creates botnet;these botnets can be used to carry further cyber attacks
Sniffing
Network sniffing and Threats
- sniffing is a process of monitoring and capturing all data packets passing through a given network using sniffing tools
- It is form of wiretap applied to computer networks
- Many enterprises' switch ports are open
- Anyone in the same physical location can plug into the network using an Ethernet cable
How a Sniffer Works
- Sniffer turns the NIC of a system to the promiscuous mode so that it listens to all the data transmitted on its segment
- A sniffer can constantly monitor all the network traffic to a computer through the NIC by decoding the information encapsulated in the data packet
Active Sniffing
- Active sniffing is used to sniff a switch-based network
- Active sniffing involves injecting address resolution packets (ARP) into the network to flood the switch's content addressable memory (CAM) table;CAM keeps track of which host is connected to which port
Hardware protocol Analyzer
- A hardware protocol analyzer is a piece of equipment that capture signals without altering the traffic in a cable segment
- It can be used to monitor network usage and identify malicious network traffic generated by hacking software installed in the network
- It captures a data packet, decodes it, and analyzes its content according to certain predetermined rules
- It allows attacker to see individual data bytes of each packet passing through the cable
Module flow
Social Engineering
Social engineering is that art of convincing people to reveal confidential information.
Common targets of social engineering include help desk personnel, technical support executives, system administrators, etc.
Module Flow
1. Social Engineering concepts
2. Social engineering Techniques
3. Impersonation on social networking sites
4. Identify theft
5. Social engineering countermeasures
6. Penetration testing
Type of social engineering
*Denial-of-Service
- Denial of service (DoS) is an attack on a computer or network that reduces, restricts or prevents accessibility of system resources to its legitimate user
- In a DoS attack, attacker flood a victim system with non-legitimate service requests or traffic to overload its resources
- DoS attack leads to unavailability of a particular website and slow network performance
Basic Categories of DoS/DDoS Attack Vectors
Permanent denial-of-service Attack
Phlashing - permanent DoS, also known as phlashing, refers to attacks that cause irreversible damage to system hardware
Sabotage - Unlike other DoS attacks, it sabotages the system hardware, requiring the victim to replace or reinstall the hardware
Bricking a system - This attack is carried out using a method known as \"bricking a system\"
Using this method, attackers send fraudulent hardware updates to the victims
Process
Module Flow
Hacking Webservers
Web server security issue
- Web server is a program (both hardware and software) that hosts websites;attackers usually target software vulnerabilities and configuration errors to compromise web servers
- Nowadays, network and os level attacks can be well defended using proper network security measures such as firewalls, IDS, etc. however, web servers are accessible from anywhere on the web, which makes them less secured and more vulnerable to attacks
Impact of webserver Attacks
1. Compromise of user accounts
2. Website defacement
3. Secondary attacks from the website
4. Root access to other applications or servers
Module Flow
Open Source Webserver Architecture
*Hacking Web Applications
- web applications provide an interface between end user and web server through a set of web pages that are generated at the server end or contain script code to be executed dynamically within the client web browser
- Though web applications enforce certain security policies, they are vulnerable to various attacks such as SQL injection, cross-site scripting, session hijacking, etc.
- Web technologies such as Web 2.0 provide more attack surface for web application exploitation
- Web applications and web 2.0 technologies are invariably used to support critical business functions such as CRM, SCM, etc. and improve business efficiency
Module Flow
SQL Injection
- SQL injection is a technique used to take advantage of non-validate input vulnerabilities to pass SQL commands through a web application for execution by a backend database
- SQL injection is a basic attack used to either gain unauthorized access to a database or to retrieve information directly from the database
- It is a flow in web applications and not a database or web server issue
Type of SQL injection
SQL Injection Methodology
1. Information Gathering and SQL injection vulnerability Detection
2. Launch SQL Injection Attacks
3. Advanced SQL Injection
Module Flow
Testing for SQL Injection
*Hacking Wireless Networks
Wireless Networks
- Wi-Fi refer to wireless local area networks (WLAN) based on IEEE 802.11 Standard
- It is widely used technology for wireless communication across a radio channel
- Devices such as a personal computer, video-game console, smartphone etc. use Wi-Fi to connect to a network resource such as the internet via a wireless network access point
Wireless Standard
Type of Wireless Encryption
- WAP2 Enterprise
- WEP
- ASE
- EAP
- 802.11i
- TKIP
- WPA
- LEAP
- CCMP
- RADIUS
WEP Vs. WPA Vs. WPA2
WEP should be replaced with more secure WPA and WPA2
How to break WPA Encryption
1. WPA PSK
WPA PSK user a user defined password to initialize as it is a per- packet key but the keys can be brute-forced using dictionary attacks
2. Offline Attack
You only have to be near the AP for a matter of secound in order to capture the WPA/WPA2 authentication handshake, by capturing the right type of packets, you can crack WPA keys offline
3. De-authentication Attack
Force the connect client to disconnect, then capture the re-connect and authentication packet using tools such as aireplay, you should be able to re-authenticate in a few second then attempt to dictionary brute force the PMK
4. Brute- force WPA keys
You can use tools such as air crack, airplay, kismac to brute-force WPA keys
Hacking Mobile Platforms
How a hacker can Profit from mobile when successfully compromised
Surveillance
- Audio
- Camera
- Call logs
- Location
- SMS message
Financial
- sending premium rate Sms messages
- stealing transaction authentication numbers (TANs)
- Extortion via ransomware
- Fake antivirus
- Making expensive calls
Data Theft
- Account details
- Contacts
- Call Logs
- Phone number
Stealing data via app vulnerabilities
- Stealing international mobile equlpment identity Number (IMEI)
Botnet Activity
- Launching D DOS attacks
- Click Found
- Sending Premium rate SMS messages
Impersonation
- SMS redirection
- Sending email messages
- posting to social media
Mobile Platform vulnerabilities and risks
Module Flow
*Evading IDS, Firewalls, and Honeypots
An intrusion detection system (IDS)
An intrusion detection system (IDS) inspects all inbound and outbound network traffic for suspicious patterns that may indicate a network or system security breach
The IDS checks traffic for signatures that match known intrusion patterns, and signals an alarm when a match is found
Firewall
- Firewall is hardware and/or software designed to prevent unauthorized access to or from a private network
- They are placed at the junction or gateway between the two networks, which is usually a private network and a public network such as the internet
- Firewall examines all messages entering or leaving the internet and locks those that do not meet the specified security criteria
- Firewall may be concerned with the type of traffic or with the source or destination addresses and ports
Type of firewall
1. Packet Filters
2. Circuit Level Gateways
3. Application Level Gateways
4. Stateful Multilayer Inspection Firewalls
Honeypot
- A honeypot is an information system resource that is expressly set up to attract and trap people who attempt to penetrate an organization's network
- It has no authorized activity, does not have any production value, and any traffic to it is likely a probe, attack, or compromise
- A honeypot can log port access attempts, or monitor an attacker's keystrokes. these could be early warnings of a more concerted attack
*Cloud Computing
Cloud computing is an on-demand delivery of IT capabilities where IT infrastructure and applications are provided to subscribers as a metered service over a network
Characteristics of cloud computing
1. on-demand self service
2. Distributed storage
3. Rapid elasticity
4. Automated management
5. Broad network access
6. Resource pooling
7. Measured service
8. Virtualization technology
Type Of cloud computing services
Cloud computing Benefits
Module Flow
1. Introduction to cloud computing
2. Cloud computing threats
3. Cloud computing attacks
4. Cloud security
5. Cloud security tools
6. Cloud penetration testing
Cryptography
- Cryptography is the conversion of data into a scrambled code that is decrypted and sent across a private or public network
- Cryptography is used to protect confidential data such as email message, chat sessions, web transaction, personal data, corporate data, e-commerce applications, etc.
- Objectives
1. Confidentiality
2. Integrity
3. Authentication
4. Non-repudiation
Module flow
1. Cryptography concepts
2. Encryption algorithms
3. Cryptography Tools
4. Public Key infrastructure (PKI)
5. Email Encryption
6. Disk Encryption
7. Cryptography Attacks
8. Cryptanalysis tools
Penetration Testing
Penetration testing defined
There is a considerable amount of confusion in the industry regarding the differences between vulnerability scanning and penetration testing, as the two phrases are commonly interchanged. However, their meaning and implications are very different. A vulnerability assessment simply identifies and reports noted vulnerabilities, whereas a penetration test(Pen Test) attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible. Penetration testing typically includes network penetration testing and application security testing as well as controls and processes around the networks and applications, and should occur from both outside the network trying to come in (external testing) and from inside the network
Penetration testing methodology
Check Weakness
