1 / 47

ITT Certified Ethical Hacker Certification Study Group

ITT Certified Ethical Hacker Certification Study Group. Week 2 – Scanning, Enumeration and Password Cracking. CEH Study Group – Week 2 Overview. Review of Week 1 Objectives CEH Exam Objectives Study Group Meeting Schedule Chapter 1 – Intro to Ethical Hacking

calantha
Download Presentation

ITT Certified Ethical Hacker Certification Study Group

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ITT Certified Ethical HackerCertification Study Group Week 2 – Scanning, Enumeration and Password Cracking

  2. CEH Study Group – Week 2 Overview • Review of Week 1 Objectives • CEH Exam Objectives • Study Group Meeting Schedule • Chapter 1 – Intro to Ethical Hacking • Chapter 2 – Footprinting & Social Engineering • Week 2 Learning Objectives (Ch 3 & 4) • Chapter 3 – Scanning and Enumeration • Chapter 4 – System Hacking • Week 2 Homework • Read Chapters 3 & 4 of CEH Review Guide • Study for Quiz 1 covering Chapters 1 - 4

  3. Ethics and Legality Footprinting Scanning Enumeration System Hacking Trojans and Backdoors Sniffers Denial of Service Social Engineering Session Hijacking Hijacking Web Servers Web Application Vulnerabilities Web-Based Password Cracking SQL Injection Wireless Hacking Viruses and Worms Physical Security Linux Hacking Evading IDS’s, Honeypots, and Firewalls Buffer Overflows Cryptography Penetration Testing Methods Certified Ethical Hacker Exam (312-50) Objectives

  4. Study Group Meeting Frequency and Location • Study Group Location: ITT-Omaha, Main Conference Room • Frequency: Once a Week • Day: Wednesday Night • Time: 6:00pm • Duration: 3 hours (1.5 Lecture/1.5 Lab)

  5. Certification Text and Schedule • Certification Text(s): • Official Certified Ethical Hacker Review Guide (Available on the ITT Virtual Library) • CEH Prep Guide • Certified Ethical Hacker Exam Prep • Certification Schedule: • We will cover two to three chapters of the Study Guide Per Week and plan to sit for the exam in 5 – 9 Weeks

  6. Week 1 Learning Objectives • Chapter 1 – Introduction to Ethical Hacking, Ethics, and Legality • Understanding Ethical Hacking Terminology • Identifying Different Types of Hacking Technologies • Understanding the different “Phases” and Five Stages of Ethical Hacking • What is Hackivism? • List the Different Types of hacker Classes • Define the skills required to become an ethical hacker • What is vulnerability research? • Describe the ways to conduct ethical hacking • Understand the legal implications of hacking • Understand 18 U.S.C. 1029 and 1030 U.S. Federal law

  7. Week 1 Learning Objectives (con’t) • Chapter 2 – Foot printing and Social Engineering • Footprinting • Define the Term Footprinting • Describe Information Gathering Methodology • Describe Competitive Intelligence • Understand DNS Enumeration • Understand ARIN and WHOIS Lookup • Identify the types of DNS Records • Understand how TRACEROUTE is used in footprinting • Understand how E-mail Tracking Works • Understand how Web Spiders work • Social Engineering • What is Social Engineering? • What are the common types of Attacks? • Understand dumpster diving • Understand Reverse Social Engineering • Understand Insider Attacks • Describe Phishing Attacks • Understand Online Scams • Understand URL Obfuscation • Social Engineering Countermeasures

  8. Week 2 Overview • Lecture • Chapter 3 – Scanning and Enumeration • Chapter 4 – System Hacking • Lab • NMAP Fundamentals • NMAP Switch Practice • Banner Grabbing and OS Fingerprinting

  9. CEH Week 2 • Chapter 3 – Scanning and Enumeration • Scanning • Port Scanning, Network Scanning, Vulnerability Scanning • CEH Scanning Methodology • Ping Sweep Techniques • *NMAP Command Switches • SYN, Stealth, XMAS, NULL, IDLE, FIN Scan • WAR Dialing • Banner Grabbing and OS Fingerprinting • Proxy Servers and Anonymizers

  10. Port, Network, & Vulnerability Scanning • Port Scanning • Definition: Determining Open Ports and Services • Know the Services for these Well-Known Ports: 21, 25, 23, 80, 110, 443 • Know the Well-Known ports for these services: FTP, Telnet, HTTP, SMTP, POP3, HTTPS

  11. Port, Network, & Vulnerability Scanning • Network Scanning • Definition: Determining “live” Hosts, by pinging or other means • Vulnerability Scanning • Definition: Determining the Presence of Known Weaknesses

  12. CEH Scanning Methodology • Check for Live Systems • Check for Open Ports • Service identification • Banner Grabbing/OS Fingerprinting • Vulnerability Scanning • Draw Network Diagrams of Vulnerable Hosts • Prepare Proxies (Why?) • Attack

  13. Ping Sweep Techniques • Simplest Technique: Ping Sweep IP Range assigned to “Target” • Tools: Pinger, Friendly Pinger, WS_Ping_Pro, Solarwinds Ping Sweep • Use of Tools covered on the Exam

  14. Port Scanning with NMAP • Types of Scans: • TCP Connect: Attacker makes full TCP Connection to Target (SYN, SYN-ACK, ACK) • XMAS Tree: Sets TCP URG, PSH, and FIN flags • SYN Stealth Scan: Sends TCP SYN Packet, waits only for SYN-ACK (full connection NOT made) • NULL Scan: All flags off or not set; works only on UNIX systems • ACK Scan: Used to map firewall rules; Only works on UNIX systems • Windows Scan: Similar to ACK Scan and can detect open ports.

  15. Port Scanning with NMAP • NMAP Scan Switches: • -ST: TCP Connect Scan • -sS: SYN Scan • -sF: FIN Scan • -sX: Xmas Scan • -sN: NULL Scan • -sP: Ping Scan • -sU: UDP Scan

  16. Port Scanning with NMAP • NMAP Scan Switches (con’t): • -sO: Protocol Scan • -sA: ACK Scan • -sW: Windows Scan • -sR: RPC Scan • -sL: List/DNS Scan • -sI: Idle Scan

  17. Port Scanning with NMAP • NMAP Output Switches: • -oN: Normal • -oX: XML output • -oG: Greppable Output • -oA: All output • NMAP Scan Parameter Switches: • -T Paranoid: Serial Scan; 300 sec between scans • -T Sneaky: Serial Scan; 15 Seconds between scans • -T Polite: Serial Scan; 0.4 Seconds between scans • -T Normal: Parallel Scan • -T Aggressive: Parallel Scan; 300 Sec Timeout; 1.25 sec/probe • -T Insane: Parallel Scan; 75 Sec Timeout; 0.3 sec/probe

  18. SYN, Stealth, XMAS, NULL, IDOL, & FIN Scan • SYN: Half-Open Scan does not complete three-way handshake; RST received back if port is closed • XMAS: Sets PSH, URG, FIN Flags; RST received back if port is closed • FIN: Sets FIN Flag; RST received back if port is closed • NULL: Sends packet with no flags set; RST received back if port is closed • IDLE: Uses Spoofed IP Address to send SYN packet to target; depending on response, port can be assumed opened or closed. Determines port response by monitoring header sequence numbers

  19. War Dialing • In the “Olden Days” companies used to connect to the Internet and the “Outside World” with Dial-Up Modems • War Dialing was a technique used to rapidly dial thousands of numbers in a pool of numbers hoping a modem would answer. • Security was more lax from the “Modem End” and presented a nicer target • War Driving, due to our reliance on Wireless Communications, has almost replaced War Dialing as the “entrance of choice”

  20. Banner Grabbing and OS Fingerprinting • Banner Grabbing: Many web servers will respond to certain HTTP Requests with the version and patch level of the Web Server, which will provide clues as to potential vulnerabilities. • OS Fingerprinting: • Active TCP Stack Fingerprinting: Sending TCP Data to a system to see how the system responds. Windows and Unix Systems respond differently • Passive RCP Stack Fingerprinting: Sniffing the network to determine responses to TCP requests.

  21. Proxy Servers & Anonymizers • How can an attacker disguise him/herself? By using a Proxy Server or Anonymizer, which will “conduct the attack” for him/her

  22. CEH Week 2 • Chapter 3 – Scanning and Enumeration • Enumeration • What is Enumeration? • NULL Sessions and their Countermeasures • SNMP Enumeration and Countermeasures • Windows 2000 DNS Zone Transfer & Counternmeasures • What steps are involved in Enumeration?

  23. Enumeration • What is Enumeration? • Answer: The process of connecting to the target system and gathering and compiling user names, machine names, network resources, shares, and services • What are Built in tools we can use to Enumerate a Windows Platform? • Answer: Net View, Net Use, NBTStat • What are some other tools we can use? • Answer: DumpSec, Hyena, SMB Auditing Tool, NetBios Auditing Tool

  24. NULL Sessions & Countermeasures • What is a NULL Session? • Answer: Gaining access to a system without Logging On • C:\> net use \\192.168.0.10\IPC$ “” /u: “” • After the NULL Session is established, the hacker has a channel over which to operate • NULL Sessions are Windows NetBios Vulnerabilities

  25. NULL Sessions & Countermeasures • How can I prevent a NULL Session from being established? • Answer: Hack the registry • Registry Key: HKLM\SYSTEM\CurrentControlSet\LSA • Add Value • Value Name: RestrictAnonymous • Data Type: Reg_Word • Value: 2

  26. SNMP Enumeration & Countermeasures • What is SNMP? • Answer: Simple Network Management Protocol. Used to manage Network devices • What is the Vulnerability? • Default SNMP “Read” passwords (community string), public, and “Write” passwords, private, are sometimes not changed from their default values

  27. SNMP Enumeration & Countermeasures • What is the Countermeasure? • Answer: Change the Read and Read/Write community strings to something other than the default values or disable the SNMP protocol

  28. W2K DNS Zone Transfers & Countermeasures • What is a Zone transfer? • Answer: Complete list of Host Names and IP Addresses is transferred to an attacker. The Utility NSLookup can be used • What is the Vulnerability? • The Host names and IP Addresses of all Network Hosts are known by the Attacker, which will allow easier access for the purpose of scanning and enumereation.

  29. W2K DNS Zone Transfers & Countermeasures • What is the Countermeasure? • Answer: Configure the DNS Server Properties to allow Secure DNS Transfer only (to another DNS on the Network, by IP Address, if necessary).

  30. Steps in Enumeration • Extract usernames using enumeration • Gather information about the host using null sessions • Perform Windows enumeration using Superscan Tool • Acquire the user accounts using the tool GetAcct • Perform SNMP Port Scanning

  31. CEH Week 2 • Chapter 4 – System Hacking • Password Hacking Techniques • LanManager hash • Cracking Windows 2000 Passwords • Redirecting SMB Logon • NetBIOS Dos Attacks • Password Cracking Countermeasures • Online Password Attacks • Offline Password Attacks

  32. LanManager Hash • Hash is 14 bytes • Hash is based on two 7 byte segments and a segment less than 7 bytes is passed to 7 with spaces • Each is segment is hashed separately and then combined into a single hash value • Passwords that are 7 characters or fewer always hash to AAD3B435B51404EE and takes less than 60 seconds

  33. Cracking Windows 2000 Passwords • Usernames and Passwords stored in windows\system\config\SAM file, which is locked while windows is running • Files can be copied if the system is booted to an alternate OS such as DOS or LINUX • SAM file is also copied to a backup file called SAM._ when RDISK utility is used to bacup windows • The SAM._ can be expanded by using c:\expand sam._ sam • Once obtained, the SAM file can be subjected to a dictionary, hybrid, or brute force attack using a tool such as LOphtCrack

  34. Redirecting SMB Logon • Vulnerability: • Passwords can also be captured when SMB logon requests (passing user ID and password to connect a network share) • Type of man-in-the-middle attack • SMBRelay and SMBRelay2 are two tools that will redirect SMB requests and capter ID’s and passwords. • Countermeasure: • Windows 2000 and beyond can be configured to use SMB signing, which validates the SMB request is from the correct source and not a relay

  35. NetBIOS Denial of Service (DoS) • Description of Attack: • NetBIOS Denial of Service (DoS) Attack sends a NetBIOS Release Message to the NetBIOS Name Service (WINS) on a target Windows System, which causes the system to place that name in conflict (duplicate name) to that name cannot be used, preventing the system from connecting to resources • Resolution: • Replace WINS resolution with DNS Resolution

  36. Password Cracking Countermeasures • Never keep a default password • Never use a password that can be found in a dictionary • Never use a password that can be related to a host name, domain name, or anything else that can be found in whois • Never use a password related to your hobbies, pets, relatives, or date of birth • Use a word that has more than 21 characters from a dictionary (pass phrase) as a password • Change passwords at least every 30 days • Use Complex passwords

  37. Online Password Attacks • Passive Online Password Attack: • Network sniffing, wired or wireless • Man in the middle • Relay Attack • Active Online Password Attack: • Password Guessing, manual or automated

  38. Offline Password Attacks • Obtain the Password File, SAM or etc/Passwd, and conduct Dictionary, Hybrid, or Brute Force attack against it • Conduct Dumpster Diving, Shoulder Surfing, Social Engineering, and Keyboard Sniffing to obtain User ID/Password combinations

  39. CEH Week 2 • Chapter 4 – System Hacking • Keyloggers and Spyware Technologies • Escalating Privledges • Buffer Overflows • Rootkits & Countermeasures • NTFS Streams & Countermeasures • Steganography Technologoes • Covering Your Tracks

  40. Escalating Privileges • Definition: Adding more rights or permissions to a user account • Ways to Escalate Privilege: • Windows: Use Runas after logging on and attempt to guess privileged account and password • UNIX: su • Use GetAdmin.exe utility

  41. Buffer Overflows • Question: • Remember the old saying “Garbage in, Garbage out”? • Answer: • Yes. Buffer overflows, caused by a failure on the part of a developer to validate input field size, could cause Denial of Service (system crashes) or input to be “forced” into the incorrect variable, leading to unpredictable results

  42. Rootkits & Countermeasures • Types of Rootkits • Kernel-Level: Add or replace a portion of the Kernel (Core part of the OS). Accomplished via a driver install, or loadable kernel module • Library-Level: Commonly patch, hook, or replace system calls with “infected” versions of the same code. • Application-Level: Replace application binaries (executables) with infected versions • Planting Rootkits • Attacker gains access to the system • Copies _root_.sys and deploy.exe to the target system • Attacker executes deploy.exe to install rootkit • Attacker deletes deploy.exe • Countermeasures • Password Security • Use MD5 Checksum Utility to add Checksum to executable code • Checksum ensures code has not been modified • Tripwire: provides integrity checking to Unix/Linux systems

  43. NTFS Streams & Countermeasures • NTFS Streams are used to Hide malicious code in the “slack space” of existing files to prevent detection • The makestrm.exe utility moves data from the original file to an alternate data stream linked to the original file • The attrib +h command will hide the malicious file without using NTFS Streams • NTFS Streams Countermeasures • Move the NTFS file to a FAT partition and then back • LNS.exe will detect NTFS streams

  44. Steganography Technologies • Definition: Hiding data within images or text files • Tools to Hide Data: ImageHide, Blindside, MP3Stego, Snow, etc • Countermeasures: Stegdetect, DskProbe

  45. Covering Tracks • Disable Auditing: On Windows NT-Based systems, the Auditpol utility is contained on the Windows NT Resource Kit and can be installed on the system. An Attacker can run the utility to disable Auditing • Clear Event Logs • Eslave.exe, WinZapper • Erase all other evidence • Evidence Eliminator – Cleans recycle bin, system files, temp folders, etc

  46. Week 2 Lab • NMAP Practice • Download Command Line Version of NMAP (Unix Version Preferred) • Perform SYN, XMAS, NULL, and FIN Scan on Test Workstation/Laptop • See Command Switches for Clues • Banner Grabbing and OS Fingerprinting • Download HTTrack and Fingerprint Test Workstation/Laptop Operating System

  47. Week 2 Homework • Read CEH Study Guide Chapters 5 & 6 • Study Chapters 1 – 4 for Quiz 1, next week

More Related