CEH Flashcards
Footprinting
Footprinting is the first step of any attack on an information system (IS): the attacker collects information about the target network to identify the various ways to intrude into the system.
The first things to look for are points of communication and interaction.
Footprinting can be technical or physical.
Passive vs. active footprinting
Passive - gathering information about the target without direct interaction (public records, search engines, archives). Less risk of detection, but usually less useful information, i.e. a lower return on investment.
Sometimes referred to as OSINT (open-source intelligence).
Active - gathering information by interacting directly with the target (querying its DNS servers, browsing its site, calling staff). More information, but more risk of being detected.
Info obtained in footprinting
Organization info:
Employee details
Telephone numbers
Branches and locations
Web technologies in use
News articles, press releases and so on
Network info:
Domain and sub domains
Network blocks
Network topology, trusted routers and firewalls
IP address of the reachable systems
Whois records
DNS records
System info:
Web server OS
Location of web servers
Publicly available email addresses
Usernames and passwords
Search engines
Attackers use search engines to extract information about a target such as the technology platforms in use, employee details, login pages and intranet portals, which helps them perform social engineering and other advanced attacks
Advanced search operators
Special query syntax that narrows a search to very specific results
Google dorks
intitle:"index of" - finds open directory listings; the listing footer often reveals the web server software and version
cache: - displays the copy of the web page stored in Google's cache (operator since retired by Google)
link: - lists web pages that link to the specified web page (also deprecated)
related: - lists pages similar to the specified web page
info: - presents the information Google holds about a particular web page
site: - restricts results to pages within the given domain
allintitle: - restricts results to pages whose title contains all the search keywords
intitle: - restricts results to pages whose title contains the search keyword
allinurl: - restricts results to pages whose URL contains all the search keywords (inurl: for a single keyword)
location: - finds information for a specific location (Google News)
Google Hacking Database (GHDB)
A public collection of ready-made Google dorks, hosted by Exploit-DB, sorted by category (files containing passwords, vulnerable servers, login portals and so on)
DNS enumeration
Netcraft - a website that lists the subdomains, hosting history and web technologies of a domain
Sublist3r - a Python script that enumerates subdomains from multiple sources at once (search engines, certificate logs, DNS data sets)
theHarvester - gathers email addresses, subdomains, hosts and employee names from public sources
Email spider tools - harvest email addresses from web pages, used for phishing, spam and so on
Deep web / dark net footprinting
Content that is hidden and unindexed, so it cannot be located with traditional search engines
Dark net sites (.onion) are accessed through the Tor browser
Determining operating systems and exposed services
Shodan - a search engine for internet-connected devices; for a reachable device it shows the IP address, open ports and the service banners, which often reveal the OS and software version
Censys - a similar search engine for hosts, services and certificates
Mirroring a website
Downloading the whole website to a local directory (e.g. with HTTrack)
The copy can be used to impersonate the site and capture credentials
Allows offline analysis of the pages and their client-side code
archive.org (Wayback Machine) - shows archived older versions of the site, which may expose pages and files since removed
Tracking email communications
In the email header, the Received: fields show every mail server that handled the message (host names, IP addresses and timestamps), alongside the sender's address, the mail gateway, Message-ID, X-Mailer/User-Agent and recipient details. The bottom Received: line is the hop closest to the sender.
The IP addresses in the header can be used to locate the sender geographically and to identify the sending organization's mail infrastructure
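The header walk described above, as an added example (my own code, not from the flashcards or from any tool they mention): it parses the Received: lines of a constructed message, lists the hops in delivery order and pulls out the IP address each mail server actually saw, as opposed to the name the client claimed. The message, host names, IDs and addresses are made up for the example.

```python
import re
from email import message_from_string

# Constructed sample message: hypothetical hosts and documentation IP ranges,
# not a real capture. Each hop prepends its Received: line, so the top one is last.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
        by mail.target.example (Postfix) with ESMTPS id ABC123
        for <bob@target.example>; Mon, 1 Jan 2024 10:00:05 +0000
Received: from alice-pc (unknown [198.51.100.7])
        by mx.example.net (Postfix) with ESMTPSA id XYZ789;
        Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.net
To: bob@target.example
Subject: hello
Message-ID: <1@example.net>
X-Mailer: ExampleClient 1.0

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: header into the fields footprinting cares about."""
    v = re.sub(r"\s+", " ", value).strip()          # unfold continuation lines
    from_part, _, rest = v.partition(" by ")
    words = from_part.split()
    helo = words[1] if len(words) > 1 and words[0] == "from" else None
    ips = IP_RE.findall(from_part)
    # Postfix style is "from HELO (rdns [ip])": the bracketed IP in parentheses is the
    # address the MTA actually saw; the HELO name is whatever the client claimed.
    ip = ips[-1] if ips else None
    by_host = rest.split()[0] if rest else None
    date = rest.rsplit(";", 1)[1].strip() if ";" in rest else None
    return {"helo": helo, "ip": ip, "by": by_host, "date": date}


def trace_hops(raw):
    """Return the hops in delivery order (sender side first)."""
    msg = message_from_string(raw)
    received = msg.get_all("Received") or []
    return [parse_received(r) for r in reversed(received)]


def origin_ip(raw):
    """The IP the first mail server saw, i.e. the best guess at the sender's location."""
    hops = trace_hops(raw)
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    for n, hop in enumerate(trace_hops(RAW_MESSAGE), 1):
        print("hop %d: %s [%s] -> %s at %s" % (n, hop["helo"], hop["ip"], hop["by"], hop["date"]))
    print("sender's IP:", origin_ip(RAW_MESSAGE))
```

Only the Received: line added by a server you trust is reliable; anything below the first trusted hop can be forged by the sender, so read the chain from the top down and stop trusting it at the first hop you do not control.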
Whois lookup
Whois databases are maintained by domain registries/registrars (for domain names) and by the regional internet registries (for IP address blocks); they contain contact details of the domain or network owner
Whois queries return:
Domain name details
Contact details of domain owners
Domain name servers
NetRange
When a domain was created
Expiry records
Last updated record
Information obtained from the whois database assists an attacker to:
Gather personal information that assists in social engineering
Create a map of the target organization's network
Obtain internal details of the target network
Regional internet registries (RIRs):
ARIN (North America)
AFRINIC (Africa)
RIPE NCC (Europe, Middle East, Central Asia)
LACNIC (Latin America and the Caribbean)
APNIC (Asia-Pacific)
Scanning networks
Actively engaging the target by sending specially crafted packets (probes) and interpreting the specific answers they provoke
Goals:
1. Host identification, then ports and services on the network. This intelligence is used to build a profile of the target organization
Discover live hosts, their IP addresses and the open ports on each live host
Also discover the OS and system architecture, the services running on the hosts, and vulnerabilities on the live hosts
Protocols
ICMP - Internet Control Message Protocol
ICMP has no ports. Each message carries a type (the kind of message, e.g. 8 = echo request, 0 = echo reply, 3 = destination unreachable) and a code (the specific reason within that type, e.g. type 3 code 3 = port unreachable, type 3 code 13 = administratively prohibited).
TCP and UDP transport protocols
TCP - connection-oriented and reliable; preferred for traffic that requires reliability
UDP - connectionless and unreliable (no handshake, no retransmission)
TCP header: the first 16 bits are the source port
Next 16 bits - destination port
Next 32 bits - sequence number
Next 32 bits - acknowledgment number - tells the peer which bytes have been received
TCP flags
There are 6 classic flags (the header also has newer ECN bits)
SYN - synchronize; initiates a connection
ACK - acknowledgment
RST - reset; aborts the connection
FIN - finish; graceful close
URG - urgent; the urgent pointer is valid, process that data immediately
PSH - push; deliver all buffered data to the application immediately
TCP session establishment is the 3-way handshake
The client sends SYN with its sequence number; if the port is open the server replies SYN/ACK with its own sequence number and an acknowledgment, and the client completes with ACK. If the port is closed the server replies RST; if the host is down or a firewall filters the port there is no response.
TCP session termination
Each side sends FIN and the other side acknowledges it: FIN/ACK, ACK, FIN/ACK, ACK (a four-way close)
NMAP syntax
nmap -PI xx.xx.xx.xx/24
ICMP ping sweep scan (-PI is the legacy spelling; current Nmap uses -PE, e.g. nmap -sn -PE xx.xx.xx.xx/24)
-P - ping (host discovery) type, followed by a letter for the probe:
E - ICMP echo request
M - ICMP netmask request
P - ICMP timestamp request
T - TCP ping (legacy alias of -PA)
U - UDP ping
A - TCP ACK ping
S - TCP SYN ping
R - ARP ping (only works on the local subnet)
O - IP protocol ping (-PO; do not confuse with -sO, the IP protocol scan)
-sn - host discovery only, no port scan
-sS - scan type (here a SYN scan)
-PI - ping type
-T4 - timing template (0 paranoid to 5 insane; 4 is "aggressive")
-O - OS detection
-sV - service version detection
TCP scans
TCP connect / full open scan
nmap -sT -v [target]
Sends a SYN and completes the three-way handshake through the OS socket API
If the response is SYN/ACK - port open (nmap then sends ACK, so the connection is seen and logged by the application)
If the response is RST - port closed
If no answer - port filtered
Stealth scan / half open (nmap -sS) - sends a raw SYN and, on SYN/ACK, answers with RST instead of ACK, so no full connection is established and the application never sees it. Modern IDS still detect this.
Single SYN packet probe
SYN/ACK response - port open
RST - port closed
Inverse TCP flag scan
nmap -sF / -sN / -sX
Probe packet with unusual flag combinations (FIN, URG, PSH, or no flags at all). Relies on RFC 793 behaviour: a closed port answers RST while an open port silently drops the packet. Does not work against Windows and some other stacks, which send RST for every port regardless of state, so every port looks closed
No response - port open (nmap reports open|filtered, since a firewall dropping the probe looks the same)
RST - port closed
Xmas scan
nmap -sX -v [target]
Probe packet with FIN + URG + PSH set ("lit up like a Christmas tree")
A variant of the inverse flag scan
No response - port open (open|filtered)
RST - port closed
FIN scan
nmap -sF -v [target]
Sends a packet with only the FIN flag
Same interpretation as Xmas
No response - port open (open|filtered)
RST - port closed
Null scan - nmap -sN -v [target]
Packet with no flags set at all
Same interpretation as -sF
No response - port open (open|filtered)
RST - port closed
TCP Maimon scan
nmap -sM -v [target]
Probe with FIN/ACK set; BSD-derived stacks drop it when the port is open instead of replying RST
No response - port open (open|filtered)
ICMP unreachable error - port filtered
RST - port closed
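An added example (my own code, not from the original notes) that covers the TCP header layout and flags above, the handshake responses, and the scan types from connect through Maimon and ACK: it packs and parses raw 20-byte TCP headers and maps a probe's reply to the port state nmap would report. Port numbers and sequence values are made up; no packets are sent.

```python
import struct

# Classic six TCP flag bits (low bits of the 16-bit offset/reserved/flags field)
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flags nmap sets on the probe for each scan type
PROBE_FLAGS = {
    "SYN": {"SYN"}, "FIN": {"FIN"}, "NULL": set(),
    "XMAS": {"FIN", "PSH", "URG"}, "MAIMON": {"FIN", "ACK"}, "ACK": {"ACK"},
}


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Pack a 20-byte TCP header (no options; checksum left at 0)."""
    bits = sum(TCP_FLAGS[f] for f in flags)
    offset_flags = (5 << 12) | bits          # data offset 5 words, reserved bits 0
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Unpack the fixed part of a TCP header into a dict; flags come back as a set of names."""
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    flags = {name for name, bit in TCP_FLAGS.items() if off_flags & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_flags >> 12, "flags": flags, "window": window}


def build_probe(scan, sport, dport, seq=0):
    return build_tcp_header(sport, dport, seq, 0, PROBE_FLAGS[scan])


def interpret(scan, response, icmp_unreachable=False):
    """Port state nmap would report for a probe of type `scan` given the reply (None = silence)."""
    if icmp_unreachable:                     # ICMP type 3 from a firewall (e.g. code 13)
        return "filtered"
    if response is None:
        # SYN and ACK probes always get an answer from a reachable stack, so silence means a filter;
        # inverse probes (FIN/NULL/XMAS/Maimon) are dropped by open ports too, hence open|filtered.
        return "filtered" if scan in ("SYN", "ACK") else "open|filtered"
    flags = parse_tcp_header(response)["flags"]
    if "RST" in flags:
        return "unfiltered" if scan == "ACK" else "closed"
    if scan == "SYN" and {"SYN", "ACK"} <= flags:
        return "open"
    return "unexpected"


if __name__ == "__main__":
    probe = build_probe("SYN", 40000, 80, seq=1000)
    print("SYN probe flags:", parse_tcp_header(probe)["flags"])
    synack = build_tcp_header(80, 40000, 5000, 1001, {"SYN", "ACK"})
    print("port 80 after SYN/ACK ->", interpret("SYN", synack))
    rst = build_tcp_header(81, 40000, 0, 1001, {"RST", "ACK"})
    print("port 81 after RST -> SYN scan:", interpret("SYN", rst), "| ACK scan:", interpret("ACK", rst))
    print("FIN scan, no reply ->", interpret("FIN", None))
```

The ACK-scan branch is the one to remember: RST there does not mean closed, it means the packet reached the host, which is exactly what you want when mapping which ports a stateful firewall lets through.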
ACK flag probe scan
nmap -sA -v [target]
Used to map firewall rules rather than to find open ports: RST - port unfiltered (the probe reached the host), no response or ICMP unreachable - port filtered
nmap -f - fragments the probe packets, which lowers the chance of matching an IDS signature
nmap -g / --source-port - sends probes from a chosen source port (some firewalls trust traffic from ports like 53 or 80), example:
nmap -g 80 [target]
nmap -D RND:10 [target]
-D - decoy scan: mixes the real probes with probes from spoofed decoy addresses, so the target cannot tell which address is the attacker
nmap -D decoy1,decoy2,ME,decoy3 [target] (no spaces between decoys; ME marks where your own address appears in the sequence)
IP spoofing
Changing the source IP address of packets
The attacker modifies the source address field in the IP header in order to bypass IDS or firewall rules or to hide the origin of the packets
Spoofing can be detected: if the TTL and IP ID values of the packets differ from what a direct probe to the claimed source returns, the packets are spoofed
TCP flow control method: a spoofer never sees the receiver's window size, so if packets keep arriving after the window is exhausted, the sender is spoofed
Proxy
An intermediary between you and the target
Proxy chaining - routing through many proxies, hopping from one to the next; each proxy only knows the one before it, which makes tracing back difficult
Enumeration
The phase after scanning in the hacking lifecycle; more intrusive
Listing the details and specifics of network resources: shares, routing tables, service settings, SNMP and FQDN details, LDAP enumeration, SMB enumeration and so on
Creates active connections with the target and obtains information through direct queries
Enumeration techniques are mostly conducted inside the intranet, but some work externally, e.g. against public DNS
Enumeration techniques
Extract user names from email IDs
Extract information using default passwords
Brute force Active Directory
DNS zone transfer
Extract user groups from Windows
Extract information using SNMP
Ports to know:
TCP/UDP 53 - DNS; zone transfers (AXFR) should be restricted to known secondary servers, never allowed from unknown hosts
TCP/UDP 135 - Microsoft RPC endpoint mapper
UDP 137 - NetBIOS name service
TCP 139 - SMB over NetBIOS
TCP/UDP 445 - SMB over TCP (direct host); in practice TCP
UDP 161 - SNMP
TCP/UDP 389 - LDAP (636 for LDAPS)
TCP 2049 - NFS (Unix/Linux network file sharing, the rough counterpart of SMB)
TCP 25 - SMTP
TCP/UDP 162 - SNMP trap (alerts and notifications from agents to the manager)
UDP 500 - ISAKMP / Internet Key Exchange (IKE) (establishment of IPsec connections)
TCP 22 - SSH (usually a Unix/Linux box; Windows does not run an SSH server by default)
NetBIOS enumeration
Can obtain:
The list of computers that belong to a domain
The list of shares on individual hosts in the network
Policies and passwords
nbtstat
Displays NetBIOS over TCP/IP statistics and name tables
nbtstat -c - shows the NetBIOS name cache: names recently resolved to IP addresses (entries expire after about 10 minutes by default)
nbtstat -A [ip] - shows the remote host's NetBIOS name table
nmap has an NSE script for this: nmap -sU -p 137 --script nbstat [target]
PsTools (Sysinternals)
PsExec - executes processes remotely
PsFile - shows files opened remotely
PsGetSid - displays the SID of a computer or user (enumeration)
PsLoggedOn - shows who is currently logged on to a machine (enumeration)
PsKill - kills processes
PsInfo - information about a machine
PsList - lists detailed information about processes
PsLogList - dumps event log records
PsPasswd - changes account passwords
PsShutdown - shuts down and optionally reboots a computer
PsGetSid
Shows the SID of the host
S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-RID
The first numbers (S-1-5-21) are static: revision 1, authority 5 (NT authority), 21 marks a domain or local machine SID
The three x groups are the identifier unique to that machine or domain
The last number is the relative identifier (RID): 500 is Administrator, 501 is Guest, 1000 and up are user-created accounts
The RID and the SID never change when an account is renamed, so a renamed Administrator is still recognizable by RID 500
Admin accounts should be renamed or disabled: if the attacker knows the default account name, they can brute force the Administrator account directly
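SID handling as an added example (my own code, not from the page or from Sysinternals): it encodes and decodes the binary SID layout that LSA and LDAP's objectSid attribute use, and splits a text SID into its machine/domain identifier and RID so a lookup can flag RID 500 even when the account has been renamed. The sub-authority values below are constructed.

```python
import struct

# Well-known RIDs inside an S-1-5-21-... domain or machine SID
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)", 501: "Guest (built-in)", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}


def sid_to_bytes(sid):
    """Encode "S-R-A-s1-s2-..." into the binary SID layout Windows uses."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: " + sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # revision (1 byte), sub-authority count (1 byte), identifier authority (48-bit
    # big-endian), then each sub-authority as a little-endian uint32
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_bytes(raw):
    """Decode a binary SID (as returned by LSA or an LDAP objectSid) back to text."""
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def describe_sid(sid):
    """Split a domain/machine SID into its identifier and RID and classify the RID."""
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    info = {"revision": revision, "authority": authority, "domain_id": None, "rid": None, "kind": None}
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        info["domain_id"] = tuple(subs[1:4])     # the three machine/domain-unique numbers
        rid = subs[4]
        info["rid"] = rid
        if rid in WELL_KNOWN_RIDS:
            info["kind"] = WELL_KNOWN_RIDS[rid]
        elif rid >= 1000:
            info["kind"] = "user-created account or group"
        else:
            info["kind"] = "other well-known RID"
    return info


if __name__ == "__main__":
    # Constructed machine SID with made-up sub-authority values
    for sid in ("S-1-5-21-1004336348-1177238915-682003330-500",
                "S-1-5-21-1004336348-1177238915-682003330-1001"):
        print(sid, "->", describe_sid(sid)["kind"])
    print(sid_from_bytes(sid_to_bytes("S-1-5-21-1-2-3-500")))
```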
Net commands
net view \\host lists the shared resources of a remote host; net view /domain lists the hosts in a domain or workgroup
It shows hosts and shares, not users (net user /domain lists the domain's user accounts)
UDP 161 - SNMP - Simple Network Management Protocol
MIB - the management information base; a hierarchy of object identifiers (OIDs, dotted decimal strings such as 1.3.6.1.2.1.1.1.0 for sysDescr) that map to specific pieces of information: user accounts, listening ports, process tables, routing tables. Default community strings (public for read, private for write) are a classic enumeration target
LD+AP enumeration
Lightweight Directory Access Protocol - used for accessing distributed directory services (e.g. Active Directory)
A client starts an LDAP session by connecting to a directory system agent (DSA) on TCP port 389 (636 for LDAPS) and then sends an operation request to the DSA
Information is transmitted between client and server using Basic Encoding Rules (BER)
Attackers query the LDAP service to gather information such as valid usernames, addresses and departmental details, which can be used in further attacks
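An added example (my own code, not from the page) that serves both the MIB/OID material above and the BER mention under LDAP: it hand-encodes an SNMPv1 GetRequest for sysDescr with BER, which is exactly what snmpwalk/snmpget put on the wire, and parses a constructed agent reply back into an OID and value. The reply bytes are built here for the demonstration, not captured from a device.

```python
# BER tags: INTEGER 0x02, OCTET STRING 0x04, NULL 0x05, OID 0x06, SEQUENCE 0x30;
# SNMP PDUs are context-specific constructed tags: GetRequest [0] 0xa0, GetResponse [2] 0xa2
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2


def ber_length(n):
    """Short form for < 128, long form (0x80 | byte count, then the count) otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_length(len(content)) + content


def ber_integer(value):
    """Non-negative INTEGER: minimal big-endian bytes, padded so the sign bit stays clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)


def _base128(n):
    chunks = [n & 0x7F]
    n >>= 7
    while n:
        chunks.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(chunks))


def ber_oid(dotted):
    """OID: first two sub-ids packed as 40*x+y, the rest base-128 with continuation bits."""
    ids = [int(x) for x in dotted.split(".")]
    body = bytes([40 * ids[0] + ids[1]]) + b"".join(_base128(i) for i in ids[2:])
    return tlv(0x06, body)


def decode_oid(body):
    ids, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(n)
            n = 0
    return ".".join(str(i) for i in ids)


def ber_parse(buf):
    """Flat parse of one BER level into a list of (tag, content)."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            nbytes = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + nbytes], "big"), i + nbytes
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out


def snmp_get(community, oid, request_id=1):
    """SNMPv1 GetRequest, ready to send to UDP/161."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))     # value is NULL in a request
    pdu = tlv(GET_REQUEST, ber_integer(request_id) + ber_integer(0) + ber_integer(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_integer(0) + tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1


def snmp_fake_response(community, oid, value, request_id=1):
    """Constructed agent reply (OCTET STRING value) so the parser below has input to chew on."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x04, value))
    pdu = tlv(GET_RESPONSE, ber_integer(request_id) + ber_integer(0) + ber_integer(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_integer(0) + tlv(0x04, community.encode()) + pdu)


def snmp_parse(packet):
    """Pull version, community, PDU type and (oid, value tag, value) triples out of a message."""
    msg = ber_parse(ber_parse(packet)[0][1])              # fields inside the outer SEQUENCE
    version = int.from_bytes(msg[0][1], "big")
    community = msg[1][1].decode()
    pdu_tag, pdu_body = msg[2]
    fields = ber_parse(pdu_body)                          # request-id, error-status, error-index, varbinds
    varbinds = []
    for _, vb in ber_parse(fields[3][1]):
        (oid_tag, oid_body), (val_tag, val_body) = ber_parse(vb)
        varbinds.append((decode_oid(oid_body), val_tag, val_body))
    return {"version": version, "community": community, "pdu": pdu_tag, "varbinds": varbinds}


if __name__ == "__main__":
    SYSDESCR = "1.3.6.1.2.1.1.1.0"
    print("GetRequest:", snmp_get("public", SYSDESCR).hex())
    print(snmp_parse(snmp_fake_response("public", SYSDESCR, b"Linux target 5.15")))
```

The community string travels as a plain OCTET STRING, which is why SNMPv1/v2c on a sniffable segment is equivalent to no authentication at all.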
RPC
Remote procedure call - listeners waiting for requests to execute procedures on behalf of a remote client (executes processes remotely)
SMTP
Simple Mail Transfer Protocol
VRFY - validates whether a user/mailbox exists
EXPN - shows the actual delivery addresses of aliases and mailing lists
RCPT TO - defines the recipients of a message; the server's reply (250 vs 550) also leaks whether a user exists, which works even when VRFY is disabled
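The VRFY/EXPN/RCPT TO exchange as an added example (my own code, not from the page): a scripted stand-in for the target's mail server and a client that enumerates users with VRFY and falls back to RCPT TO when the server answers 252 or 502. The users, aliases, host names and reply texts are constructed; nothing touches the network.

```python
import re


class FakeSmtpServer:
    """Constructed stand-in for the target MTA, scripted only to show both sides of the exchange."""

    def __init__(self, users, aliases, allow_vrfy=True):
        self.users, self.aliases, self.allow_vrfy = users, aliases, allow_vrfy
        self.transcript = []                    # (client line, server reply) pairs

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "HELO":
            reply = "250 mail.target.example"
        elif verb == "VRFY":
            if not self.allow_vrfy:
                reply = "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"
            elif arg.lower() in self.users:
                reply = "250 2.1.5 %s <%s@target.example>" % (self.users[arg.lower()], arg.lower())
            else:
                reply = "550 5.1.1 %s: Recipient address rejected: User unknown" % arg
        elif verb == "EXPN":
            members = self.aliases.get(arg.lower())
            if members:
                lines = ["250-<%s@target.example>" % m for m in members]
                lines[-1] = lines[-1].replace("250-", "250 ", 1)   # last line of a multi-line reply
                reply = "\r\n".join(lines)
            else:
                reply = "550 5.1.1 %s: no such list" % arg
        elif verb == "MAIL":
            reply = "250 2.1.0 Ok"
        elif verb == "RCPT":
            m = re.search(r"<([^@>]+)@", arg)
            user = m.group(1).lower() if m else ""
            reply = "250 2.1.5 Ok" if user in self.users else "550 5.1.1 <%s>: User unknown" % arg
        elif verb == "RSET":
            reply = "250 2.0.0 Ok"
        else:
            reply = "502 5.5.2 Command not implemented"
        self.transcript.append((line, reply))
        return reply


def enumerate_users(send, candidates, domain="target.example"):
    """Try VRFY first; when the server refuses (252/502), fall back to RCPT TO."""
    send("HELO probe.attacker.example")
    found = {}
    for user in candidates:
        code = send("VRFY %s" % user)[:3]
        if code in ("250", "550"):
            found[user] = code == "250"
            continue
        send("MAIL FROM:<probe@attacker.example>")
        found[user] = send("RCPT TO:<%s@%s>" % (user, domain)).startswith("250")
        send("RSET")                            # abort the transaction, never send DATA
    return found


def expand_alias(send, alias):
    reply = send("EXPN %s" % alias)
    if not reply.startswith("250"):
        return []
    return re.findall(r"<([^>]+)>", reply)


if __name__ == "__main__":
    server = FakeSmtpServer({"alice": "Alice Adams", "bob": "Bob Brown"}, {"admins": ["alice", "bob"]})
    print(enumerate_users(server.handle, ["alice", "bob", "carol"]))
    print(expand_alias(server.handle, "admins"))
    for c, s in server.transcript:
        print("C:", c)
        print("S:", s.replace("\r\n", "\n   "))
```

Defensively, disabling VRFY and EXPN is not enough: the RCPT TO fallback still works unless the server gives the same answer for valid and invalid recipients (or rate-limits failed recipients).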
DNS cache snooping
Enumeration where the attacker queries a DNS server non-recursively (RD bit cleared) for a name; if the server answers from its cache, somebody behind it recently resolved that name, which reveals which sites, partners or update servers the organization uses
DNS zone walking
With DNSSEC, each NSEC record names the next record in the zone, so an attacker can follow the chain and enumerate every name in the zone without a zone transfer
External and internal DNS zones should be kept separate (split DNS); if they are not, zone walking (or an open zone transfer) exposes the internal records of the DNS server
Review chapter 4 on enumeration
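An added example (my own code, not from the page) for both DNS techniques above: the first part builds a raw DNS query with the RD bit cleared and classifies a reply the way a cache-snooping tool would; the second walks a constructed NSEC chain the way zone walking does. The zone, its names and the reply headers are made up; the query builder never sends anything.

```python
import struct

# Constructed NSEC chain for a hypothetical signed zone. Each entry:
# owner name -> (RR types present at that name, next owner name in canonical order)
ZONE_NSEC = {
    "target.example.": ("A NS SOA RRSIG NSEC DNSKEY", "dev.target.example."),
    "dev.target.example.": ("A RRSIG NSEC", "intranet.target.example."),
    "intranet.target.example.": ("A RRSIG NSEC", "vpn.target.example."),
    "vpn.target.example.": ("A AAAA RRSIG NSEC", "www.target.example."),
    "www.target.example.": ("A RRSIG NSEC", "target.example."),
}


def lookup_nsec(name):
    """Stands in for `dig NSEC <name>` against the authoritative server."""
    return ZONE_NSEC.get(name)


def walk_zone(apex, resolver=lookup_nsec, limit=100000):
    """Follow NSEC 'next name' pointers from the apex until the chain wraps around."""
    names, name = [], apex
    while len(names) < limit:
        record = resolver(name)
        if record is None:
            break
        types, next_name = record
        names.append((name, types))
        if next_name == apex:
            break
        name = next_name
    return names


QTYPE_A = 1


def build_dns_query(name, qtype=QTYPE_A, txid=0x1234, recursion_desired=True):
    """Raw DNS query. Cache snooping clears RD so the resolver may only answer from cache."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)     # 1 question, no other records
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN


def snoop_verdict(response):
    """Classify a reply to a non-recursive query: answer records present means the name was cached."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x0F
    if rcode == 3:
        return "nxdomain (negative answer cached)"
    return "cached" if an > 0 else "not in cache"


if __name__ == "__main__":
    for n, types in walk_zone("target.example."):
        print(n.ljust(28), types)
    print(build_dns_query("www.target.example", recursion_desired=False).hex())
```

NSEC3 is the fix for zone walking: it chains hashed names instead of plain ones, so an attacker has to crack the hashes rather than just read the next pointer. A resolver that refuses non-recursive queries from outside (or does not serve the outside at all) is the fix for cache snooping.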
DNS and DNSSEC enumeration
IPsec enumeration
May indicate a VPN connection, endpoint or access point
A VPN gateway is an access point from the outside world into the internal network
IPsec uses Encapsulating Security Payload (ESP), Authentication Header (AH) and Internet Key Exchange (IKE)
ISAKMP on UDP port 500 negotiates keys using the Diffie-Hellman algorithm; ike-scan fingerprints the gateway from its IKE responses
VoIP enumeration
Exploitation of VoIP gateway servers, eavesdropping on calls, VoIP phishing (vishing)
RPC enumeration
Remote procedure call
In Linux and Unix:
rusers - displays the list of users logged on to remote machines
rwho - lists users logged on to machines on the local network
finger - displays information about users, such as login name, real name, terminal name, idle time, login time, office location and office phone number
Telnet and SMB
Telnet runs on TCP 23; everything is cleartext, so sessions are easy to sniff and hijack. Typically an IoT device (or a honeypot)
SMB enumeration - TCP 139 and 445 - the primary Microsoft file and printer sharing service; exposes shares, users, groups and policies
Vulnerabilities
Common categories:
TCP/IP
OS
Network device
User account
System account
Internet service misconfiguration (services exposed on ports)
Default password settings
Network device misconfiguration
Vulnerabilities are classified by severity level and by exploit range (local or remote)
Vulnerability management lifecycle
identify assets and create baseline
Vulnerability scan
Risk Assessment
Remediation
Monitoring
Pre-assessment phase: identify assets and create a baseline
Identify and understand business processes
Identify the applications, data, and services that support the business processes and perform code reviews
Identify approved software, drivers, and the basic configuration of each system
Create inventory of all assets and prioritize critical assets
Understand the network architecture and map the network infrastructure
Identify controls already in place
Understand policy implementation standards compliance
Define the scope of the assessment
Create information protection procedures to support effective planning, scheduling, coordination and logistics
Vulnerability assessment phase
Examine and evaluate the physical security
Check for misconfiguration and human errors
Run vulnerability scans
Select type of scan based on the organization or compliance requirements
Identify and prioritize vulnerabilities
Identify false positives and false negatives
Apply business and technology context to scanner results
Perform OSINT information gathering to validate the vulnerabilities
Create a vulnerability scan report
Post assessment phase
Risk Assessment
perform risk categorization
assess the level of impact
determine the threat and risk levels
Remediation
prioritize remediation based on the risk ranking
develop an action plan to implement the recommendation/remediation
perform root cause analysis
apply patches/fixes
capture lessons learned
conduct awareness training
Verification
rescan of system
perform dynamic analysis
review the attack surface
Monitoring
periodic vulnerability scans and assessments
timely remediation of identified vulnerabilities
intrusion detection and intrusion prevention logs
implementation of policies, procedures and controls
Types of assessments
Active assessment - uses a network scanner to find hosts, services and vulnerabilities (generates traffic)
Passive assessment - sniffs traffic to find hosts and services without probing them
External assessment - scans from outside the perimeter, from an attacker's perspective
Internal assessment - scans from inside the network
Host based assessment
Application assessment
Database assessment
Wireless network assessment
Distributed assessment - assesses distributed organizational assets such as client and server applications simultaneously through appropriate sync techniques
Credentialed assessment
non credentialed assessment
Manual assessment - the ethical hacker manually assesses the vulnerabilities, their ranking, their score, etc.
Automated assessment - tools such as Nessus, Qualys, etc.
assessment tools
OpenVAS - a framework of several tools offering a comprehensive and powerful vulnerability scanning and management solution
Nikto - a web server assessment tool that examines a web server to discover potential problems and security vulnerabilities
Vulnerability assessment report
discloses the risks detected after scanning a network
alerts the organization and suggests countermeasures
used to fix security flaws
Hacking (system hacking / password attacks)
NTLM uses a challenge-response mechanism: the server sends a fresh random challenge and the client answers with a value computed from its password hash and that challenge, so a captured response cannot be replayed against a later challenge
The response is a function of the password hash and the challenge (NTLMv2: HMAC-MD5 over the server challenge and a client blob, keyed with a value derived from the NT hash)
It can still be eavesdropped: a captured challenge/response pair can be cracked offline or relayed in real time
Pass the hash
Mimikatz (sekurlsa::logonpasswords to dump, sekurlsa::pth to use) injects a stolen NT hash into a local logon session
A local administrator on a machine where a domain admin is logged on can dump the domain admin's NT hash from LSASS memory
The attacker then uses the extracted hash, without ever knowing the password, to authenticate to other hosts and to the domain controller
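An added example (my own code, not from the flashcards or from Mimikatz) that covers both the challenge-response mechanism and pass-the-hash: it computes the NT hash, derives the NTLMv2 response for a server challenge, shows that the same response fails against a different challenge (no replay), and that an attacker holding only the NT hash produces the identical response (pass-the-hash). MD4 is implemented inline because hashlib.new('md4') is missing on many OpenSSL builds. The blob layout is simplified; the user, domain, timestamp and challenges are constructed.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rol(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


def md4(data):
    """RFC 1320 MD4 (needed for the NT hash)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)               # little-endian bit length
    f = lambda x, y, z: ((x & y) | (~x & z)) & MASK
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                                   # round 1
            a = _rol((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                                   # round 2
            k = (i % 4) * 4 + i // 4
            a = _rol((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = _rol((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password):
    """The NT hash: MD4 over the UTF-16LE password. This is what pass-the-hash steals."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(nt, user, domain):
    """NTLMv2 hash: HMAC-MD5 of UPPER(user)+domain keyed with the NT hash."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_blob(timestamp, client_challenge, target_info=b""):
    """Simplified NTLMv2 client blob: signature, reserved, time, client nonce, target info."""
    return (struct.pack("<BBHI", 1, 1, 0, 0) + struct.pack("<Q", timestamp)
            + client_challenge + b"\0" * 4 + target_info + b"\0" * 4)


def ntlmv2_response(nt, user, domain, server_challenge, blob):
    """NTProofStr || blob. The only secret input is the NT hash, never the password itself."""
    proof = hmac.new(ntlmv2_key(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_response(nt, user, domain, server_challenge, response):
    """Server side: recompute the proof for the challenge it actually issued."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntlmv2_key(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    nt = nt_hash("password")
    print("NT hash:", nt.hex())
    blob = ntlmv2_blob(0x01D9, b"\xaa" * 8)            # constructed timestamp and client nonce
    chal1, chal2 = b"\x11" * 8, b"\x22" * 8          # two different server challenges
    resp = ntlmv2_response(nt, "alice", "TARGET", chal1, blob)
    print("valid for the challenge it was made for:", verify_response(nt, "alice", "TARGET", chal1, resp))
    print("replayed against a new challenge:", verify_response(nt, "alice", "TARGET", chal2, resp))
    stolen = bytes(nt)                               # attacker holds only the hash
    print("pass-the-hash gives the same response:", ntlmv2_response(stolen, "alice", "TARGET", chal1, blob) == resp)
```

The last line is the whole point of pass-the-hash: because the protocol never needs the password, the NT hash is a password-equivalent, and no challenge freshness helps once it leaks. The NTLMv2 structure also explains offline cracking: a captured (challenge, response) pair lets the attacker test candidate passwords by recomputing the proof.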
Active online attacks: LLMNR/NBT-NS poisoning
LLMNR/NBT-NS poisoning - the attacker answers name-resolution broadcasts, impersonating the requested server
LLMNR and NBT-NS are two components of Windows that perform name resolution for hosts on the same link
NetBIOS Name Service and Link-Local Multicast Name Resolution (NBT-NS and LLMNR) are the protocols a Windows computer falls back to when a host name cannot be resolved through the organizational DNS server (e.g. a mistyped share name)
The victim then connects to the attacker's machine and authenticates with NTLMv2 (tool: Responder)
The attacker captures the NTLMv2 challenge/response, cracks it offline to recover the password (or relays it to another host), and uses it to authenticate
Kerberos password cracking
KDC - Key Distribution Center (runs on the domain controller)
A service principal name (SPN) is a unique identifier of a service instance. Kerberos authentication uses SPNs to associate a service instance with a service sign-in account
AS-REP roasting - request a TGT (ticket granting ticket) from the KDC for accounts that have Kerberos pre-authentication disabled; the AS-REP contains data encrypted with the user's password-derived key, which is cracked offline to obtain the user's password
Kerberoasting - any authenticated domain user requests a TGS (service ticket) for the SPN of the target service account; the ticket is encrypted with the service account's password hash and is cracked offline to obtain that password
Both only ask the KDC for Kerberos tickets; nothing is sent to the target service and no failed logons are generated
Kerberoasting goes after the TGS (service ticket); AS-REP roasting goes after the AS-REP
Mimikatz can also pass the ticket: it extracts Kerberos tickets (TGT/TGS) from memory and injects them into a session
Distributed network attack (DNA)
DNA is a technique for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network
A DNA manager is installed in a central location that machines running the DNA client can reach over the network
The DNA manager coordinates the attack and allocates small portions of the key search to the machines distributed over the network
The DNA client runs in the background, consuming only unused processor time
The program combines the processing capabilities of all the clients connected to the network and uses them to crack the password
Rainbow tables
RainbowCrack cracks hashes with rainbow tables
A rainbow table is a time-memory trade-off: chains of hash/reduce operations are precomputed once and only their endpoints are stored, so cracking a hash needs only a lookup plus a short recomputation instead of a full brute force
Password salting
A salt is a random, per-password value stored alongside the hash
A pepper is a fixed secret value kept outside the database (e.g. in application config or an HSM)
Either is combined with the password before hashing, so identical passwords produce different hashes and a precomputed rainbow table is useless against them
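The time-memory trade-off and the reason salting defeats it, as an added example (my own code, not from RainbowCrack or the page): a toy rainbow table over three-letter lowercase passwords with a per-column reduction function, the lookup that replays the chain tail from every column, and salted/peppered hashes that the same table cannot invert. The password space and the chain parameters are deliberately tiny so the table builds instantly.

```python
import hashlib
import os
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3                                  # 26^3 passwords, small enough to build instantly
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 40


def h(password):
    return hashlib.sha256(password.encode()).digest()


def reduce_fn(digest, step):
    """Map a digest back into the password space; `step` makes each column's reduction different."""
    n = (int.from_bytes(digest[:8], "big") + step) % SPACE
    out = []
    for _ in range(PW_LEN):
        out.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(out)


def build_table(start_points):
    """Precompute chains but keep only endpoint -> start points; that is the memory saving."""
    table = {}
    for start in start_points:
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_fn(h(pw), step)
        table.setdefault(pw, []).append(start)    # merged chains share an endpoint
    return table


def lookup(table, target):
    """Time side of the trade-off: replay the chain tail assuming the hash sat in each column."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_fn(target, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce_fn(h(pw), step)
        for start in table.get(pw, ()):           # regenerate the chain to find the preimage
            cand = start
            for step in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_fn(h(cand), step)
            # endpoint matched but the real preimage is not on this chain (false alarm): keep going
    return None


def salted_hash(password, salt):
    """A per-password random salt stored beside the hash makes any precomputed table useless."""
    return hashlib.sha256(salt + password.encode()).digest()


def peppered_salted_hash(password, salt, pepper):
    """Pepper: a fixed secret kept outside the database, applied on top of the salt."""
    return hashlib.sha256(pepper + salt + password.encode()).digest()


if __name__ == "__main__":
    table = build_table(["abc", "xyz", "hax", "qwe", "zzz"])
    print("stored endpoints:", len(table), "for", 5 * CHAIN_LEN, "covered passwords")
    print("unsalted sha256('abc') ->", lookup(table, h("abc")))
    salt = os.urandom(16)
    print("salted sha256(salt+'abc') ->", lookup(table, salted_hash("abc", salt)))
```

A real table covers the space with millions of chains and a proper password hash (bcrypt, scrypt, Argon2) adds a work factor on top of the salt, but the mechanics are the ones shown: the salt changes the input the table was never built for, so every column replay ends in a dead end.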
Buffer overflow
Caused by a lack of input (length) validation, so data written into a fixed-size buffer spills into adjacent memory
Stack-based overflow - overwrites the stack of the running process, including the saved return address
Heap-based overflow - overwrites data in the heap (dynamically allocated memory)
Buffer overflow steps
Spiking - sending crafted TCP/UDP packets to each command of the server to see whether the server crashes; a crash means that command may be vulnerable
Fuzzing - sending increasingly long input to the vulnerable command to find the length at which the server crashes
Identify the offset - find how many bytes it takes to reach the EIP register. EIP is the 32-bit x86 "Extended Instruction Pointer": it holds the address of the next instruction to execute, so whoever controls EIP controls the flow of the program
Overwrite EIP with an address that redirects execution to the attacker's code (e.g. the address of a JMP ESP instruction)
Identify bad characters that would corrupt the shellcode (e.g. 0x00, 0x0a, 0x0d)
Identify the right module - a module (DLL) loaded by the vulnerable server that lacks protections such as ASLR, DEP and SafeSEH, from which to take the JMP ESP address
Generate shellcode and gain access - attackers use msfvenom to generate shellcode (excluding the bad characters), place it after the overwritten return address, and gain a shell on the vulnerable server
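The offset, bad-character and payload-assembly steps above as an added example (my own code, not from Metasploit or the page): a cyclic pattern generator and offset finder in the style of pattern_create/pattern_offset, a bad-character test string with a comparison against what came back from the debugger, and the final buffer layout. The crash value, the JMP ESP address and the 4-byte placeholder "shellcode" are hypothetical; no real shellcode is included.

```python
import string
import struct


def pattern_create(length):
    """Non-repeating cyclic pattern of upper/lower/digit triplets (like pattern_create.rb)."""
    buf, size = [], 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                buf.append(upper + lower + digit)
                size += 3
                if size >= length:
                    return "".join(buf)[:length]
    raise ValueError("pattern longer than %d bytes is no longer unique" % size)


def pattern_offset(eip, length=20280):
    """Offset of the 4 bytes that landed in EIP; accepts the register value or the ASCII."""
    if isinstance(eip, int):
        needle = eip.to_bytes(4, "little").decode("ascii")   # x86 stores the dword little-endian
    else:
        needle = eip
    return pattern_create(length).find(needle)


def badchar_test_string(bad):
    """Every byte value except the ones already known bad; 0x00 is always assumed bad."""
    return bytes(b for b in range(1, 256) if b not in bad)


def find_new_badchar(sent, dumped):
    """Compare the sent test string with the bytes read back from the crashed process."""
    for s, d in zip(sent, dumped):
        if s != d:
            return s                      # first corrupted byte: add it to the bad list and rerun
    return None


def build_exploit(offset, ret_addr, shellcode, nop_sled=16, total=None):
    """junk up to EIP | address of a JMP ESP (hypothetical) | NOP sled | shellcode | padding."""
    payload = b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_sled + shellcode
    if total is not None and len(payload) < total:
        payload += b"C" * (total - len(payload))
    return payload


if __name__ == "__main__":
    crash_eip = 0x41316141            # constructed: what the debugger would show after the crash
    offset = pattern_offset(crash_eip)
    print("EIP overwritten at offset", offset)
    print("badchar string starts:", badchar_test_string({0x00, 0x0A, 0x0D})[:8].hex())
    print("corrupted byte:", hex(find_new_badchar(b"\x01\x02\x03\x04", b"\x01\x02\x00\x04")))
    shellcode = b"\xcc" * 4            # placeholder (INT3s); real shellcode comes from msfvenom
    exploit = build_exploit(offset, 0x625011AF, shellcode, total=64)   # 0x625011AF: hypothetical JMP ESP
    print(exploit)
```

Note the little-endian conversion in pattern_offset: the debugger shows EIP as 0x41316141, but the bytes in the buffer are "Aa1A", and reading them in the wrong order is the classic reason an offset comes out wrong by a few bytes.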
Dylib hijacking
The same idea as DLL hijacking, but for macOS dynamic libraries (.dylib)
DLL hijacking
The attacker finds hijackable DLLs (a library the application loads from a missing or attacker-writable location) with tools such as Robber or PowerSploit (Find-ProcessDLLHijack) and plants a malicious DLL of that name so the application loads it