Final Exam Flashcards
Reconnaissance
To investigate the target using publicly available information. One key objective is to have a list of the target’s IP addresses.
Scanning
To look for openings in the target’s system.
Port Scanning
Output is a list of open ports and potential services running on the target.
Exploitation
Using password cracking and other techniques to gain administrative control over the target machine, but the access may be temporary and non-persistent.
Maintaining Access
Creating a more permanent backdoor for subsequent access to the system.
Active Reconnaissance
Interacting directly with the target. The target may record your IP address and log your activity.
Passive Reconnaissance
Makes use of the vast amount of information available on the web. You do not directly interact with the target and as such, the target has no way of knowing, recording, or logging your activity.
Google as a Reconnaissance Tool
Search the Google cache rather than the target’s web site to reduce your digital footprints on the target’s server, and to gain access to files that have been removed from the target’s web site.
theharvester
A program to collect email addresses from the Web using Google, Bing, etc.
theHarvester is integrated into Kali.
The usernames gathered can be used in brute-force password cracking.
Interrogating DNS Server
Networks may need multiple DNS servers for the sake of redundancy (fault tolerance) or load balancing. These DNS servers need to stay in sync by doing zone transfer (a.k.a. AXFR or Asynchronous Full Transfer Zone), where one DNS server will send all its host-to-IP mappings to another DNS server.
Hackers may attempt a zone transfer to acquire all IP addresses for subsequent scanning.
Defence: Interrogating DNS Server
Allow “zone transfer” only for legitimate users such as secondary DNS.
DNS records should not contain operating system type and version information. DO NOT keep host information and text records (HINFO and TXT).
METAGooFIL
Microsoft documents such as Word or PowerPoint files contain metadata that describes the file name, the file size, the file owner, the username, and the path of the file’s location.
MetaGooFil scours a specific target for such files, downloads them, and extracts useful metadata.
Port scanning: Nmap
A port scanner (e.g. Nmap) sends a packet to each port to determine which ports are open.
Xmas Scan & Null Scan
An Xmas Scan sends packets with the FIN, URG and PUSH flags turned on, but SYN, ACK and RST off.
A Null Scan sends a packet with no TCP flags set.
In both cases a closed port responds with RESET (RST), and an open port sends nothing.
Specially Crafted Probes
A specially crafted packet that the remote system can’t understand or deal with,
e.g. a packet longer than the expected packet size (548 bytes), which causes a buffer overflow.
Defense Against Port Scanning
All unneeded ports and their related services must be shut off. Periodically use Nmap to scan (across the network) for open ports on each host, and close all unused ports (e.g. TCP 25 for SMTP on a Web server).
Vulnerability Scanners and Common Vulnerabilities
Vulnerability scanners keep a database of vulnerabilities of many systems, and automate the process of checking across the network to see if any of these known vulnerabilities are present on the target. Common vulnerabilities are:
(1) Poor configuration settings leave various openings for an attacker to gain access. e.g. files not properly protected
(2) Weak default configuration security settings such as default accounts and passwords.
(3) Well-known system vulnerabilities and new security holes are discovered and published on the Internet, but patching may be slow to catch up.
Nessus (pre-installed on Kali)
Nessus is a vulnerability scanner. It automates the process of connecting to the target, and checking for:
(a) backdoors and vendor-specific vulnerabilities (Cisco, Windows, etc.)
(b) loopholes that let attackers gain command-line access or super-user access remotely
(c) vulnerable CGI (also ASP, JSP, PHP, etc.) scripts
(d) misconfigured firewalls
(e) missing patches
Vulnerable CGI Scripts
Run on the Web-server side to process user input. Many widely used CGI scripts include flaws that accept inputs with embedded malicious commands. The CGI script then allows the attacker to send the embedded malicious commands directly to the command line for execution.
Exploitation
Attackers gain access through program loopholes (e.g. stack-based buffer overflow attacks), password attacks, sniffing network traffic, or through Web exploitation (SQL injection, Web application attacks).
Stack-Based Buffer Overflows Attack
stack = a special reserved area for storing information on subroutines and functions
A program writing more data (i.e. exceeding the allocated buffer) to a memory address in the stack causes this data to overflow and corrupt adjacent data on the stack.
An attacker enters input data (containing attack code) into a program through a GUI or the command line. The input data corrupts the stack and causes the executable attack code to be run.
NOP Command
A command telling the processor to do nothing and move on.
Administrators’ Defense Against Stack-Based Buffer Overflows Attack
Keep systems patched. The computer underground and security professionals are constantly discovering new vulnerabilities.
Use a nonexecutable stack (i.e. only read and write). If the system is configured to refuse to execute instructions from the stack, most stack-based buffer overflows won’t work.
Software developers must be trained to understand what buffer overflows are and how to avoid them. Computer code should check size of input against buffer size before writing.
Metasploit: an Exploitation Platform
Manually crafting an exploit tool to take advantage of a flaw (e.g. buffer overflow) is a painstaking process. Loading the attack machine code and calculating the return pointer require great care.
Metasploit provides a platform for mass production of exploits.
Metasploit is installed in Kali.
Metasploit Attack 3 Steps
Choosing the exploit. A vulnerability (e.g. a missing patch) may be open to zero or multiple exploits (code that exploits the vulnerability).
Choosing the payload (e.g. a command shell such as Meterpreter, which stealthily runs entirely in memory without using the hard disk; adding an admin user; installing remote control software, etc.).
Choosing the target.
Administrator’s use of Metasploit
Some vulnerability scanners (e.g. Nessus) may report false alarms/false vulnerabilities (30-40%). Metasploit can confirm whether a vulnerability really exists.
Use Metasploit in penetration testing to test the strength of firewalls, IPS/IDS, etc.
Encrypt Versus Hash (very simplistic view)
Encrypt: A->C, B->D, C->E;
CAB->ECD
Hash: CAB->log(676566) = 5.8303102…
Note: ASCII value: A=65, B=66, C=67
Hashes are irreversible.
User Mode vs Kernel Mode
Applications run in user mode, and core operating system components run in kernel mode. Many drivers run in kernel mode, but some drivers run in user mode.
User Mode
In User Mode, when a user enters his or her username and password during the logon process, the Security subsystem sends these entries to the SAM (Security Account Manager). The SAM has a user authentication database (the SAM database).
The SAM database contains two encrypted passwords (LM, i.e. LAN Manager, and NT, i.e. New Technology) for each user account.
LM Password
The LM representation is calculated only for passwords with 14 or fewer characters.
It is calculated only after all characters have been converted to uppercase.
The password is then broken into two 7-character passwords.
NT Password
NT password hashes (similar to encryption) are far stronger (they use a more secure algorithm).
Modern versions of Windows do not use LM passwords by default, but have options to enable LM passwords to support backward compatibility with legacy systems. Enabling LM passwords for legacy systems puts the entire network at risk.
The lesson:
Upgrade and discard old systems (Windows 95, 98).
Medusa
Online password-guessing tool integrated with Kali.
Uses usernames from theHarvester and MetaGooFil.
Uses IP addresses from reconnaissance.
Password Guessing Limitations
Password guessing is slow. Each login attempt could take a few seconds (transmission, encrypting submitted password, looking up real userID and encrypted password, comparison, etc).
The constant attempts to log in to the target generate a significant amount of network traffic and log activity, which could easily alert a system administrator or an IDS/IPS. Some systems are configured to disable an account after a fixed number of login failures (password throttling). The user must call the help desk or wait for a timeout. This account lockout feature helps prevent password-guessing attacks through login scripting.
However, with account lockout in place, an attacker could conduct a denial-of-service attack by locking out all accounts using a script.
Password Cracking Tools
Cain (runs on Windows)
John the Ripper (runs on Unix, Linux, Windows, etc.)
The password cracking software runs on the attacker’s computer, and will not alert the target’s administrator or IDS/IPS.
Cain/John the Ripper
Cain supports reversed dictionary guesses, applies mixed case to guesses, and appends numbers to words.
John (part of Kali) will append and prepend characters, and attempt dictionary words forward, backward, and typed in twice. It will even truncate dictionary terms and append/prepend characters to the resulting strings.
Persistent Cookie
Written to the local file system when the browser is closed, and will be read the next time the browser is executed. Persistent cookies, therefore, are most often used to store long-term user preferences.
Netcat
Allows a user to move data across a network, while functioning much like the UNIX “cat” command. While cat just dumps data on the local system, Netcat moves arbitrary data over the network through any TCP or UDP port.
2 Modes of Netcat
In listener mode (listener = server, which is invoked with the -l option), Netcat opens any TCP or UDP port on the local system, waiting for data to come in through that port. Netcat listeners send all data gathered from the network to standard output, which could be displayed on the screen or piped through another program.
In client mode, Netcat can be used to initiate a connection to any TCP or UDP port on another machine. Netcat takes its data from standard input (i.e. keystrokes from the keyboard) or data from a program (piped into it) and sends the data across the network.
Rootkit
Rootkits embed themselves deep into the operating system (kernel) and help hackers completely hide malicious processes and programs from users, administrators, and even the operating system.
Rootkits are so effective at hiding files that they are successful at evading even the most finely tuned antivirus software.
Hidden Table
Hiding files and folders from Explorer and Task Manager. Admins may check with % ls -al
Hidden Processes
Hiding processes or programs from a task manager. Admins may check with % ps -a
Root Processes
Grant processes the right to access hidden folders and processes.
Hidden Services
Hiding services from a task manager. Services run in the background. Admins may check with % ls /etc/init.d/ or ls rc.d for startup scripts or running commands.