CEHv10 Series - Introduction Ethical Hacking

Terminology

Phases of Ethical Hacking

Phase 1 — Reconnaissance

This is a set of techniques like footprinting, scanning, and enumeration along with processes used to discover and find information about the target system. An ethical hacker during reconnaissance attempts to gather as much information about a target system as possible. They follow a seven-step process as listed below:

1. Information Gathering
2. Determining the network range
3. Identifying the active machine
4. Finding open ports and access points
5. OS fingerprinting
6. Fingerprinting Services
7. Mapping the Network

Phase 2 — Scanning and Enumeration

Collecting more information using complex and aggressive reconnaissance techniques is termed as Scanning

Scanning is a set of steps and methods that are for identifying live hosts, ports, services and discovering operating systems and architecture of the target system. Identifying vulnerabilities, threats in the network by scanning which is used to create a profile of the target organization.

Following procedure is to be followed while performing the process of Scanning:

• Which servers are alive
• Specific IP address
• Operating System
• System Architecture
• Services running on each system

Here 3 types of scanning are explained below:

• Port scanning: 

Process of identifying open and available TCP/IP ports on a system. Port scanning tools enable a hacker to learn about the services available on a given system. Each service or application on a machine is associated with a well-known port number.

Port numbers are divided into 3 ranges:

1. Well-known: 0-1023
2. Registered Ports: 1024-49151
3. Dynamic Ports: 49152-65535

See port list: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

• Network scanning:

Network scanning is a procedure for identifying active host on a network, either to attack them or as a network security assessment.

Hosts are identified by their invidual IP address. Network scanning tools attempt to identify all the live or responding hosts on the network and their corresponding IP addresses.

• Vulnerability scanning:

Vulnerabilty scanning is the process of proactively identifying the vulnerabilities of computer systems on a network. Generally, a vulnerability scanner first identifies the operating system and version number, including service packs that may be installed. Then, the scanner identifies weakness or vulnerabilities in the operating system. During the later attack phase, a hacker can exploit those weaknesses in prder to gain access to the system.

Enumeration makes a fixed active connection to the system and is the first attack on the target system. It is defined as the process of extracting user names, network resources, machines names, shares and services from the system. Under this phase, the attacker creates an active connection to the system and performs directed queries in order to gain more information about the target IP address and port.

The gathered info is then used to identify the vulnerabilities or weak points in the system security and tries to exploit the system gaining phase.

Phase 3 — Gaining Access

The goal here is to collect enough information to gain access to the target.

Password Cracking:

There are few basic methods of password cracking:

• Bruteforce: trying all possible combinations until the password is cracked.
• Dictionary attack: This is a compiled list of meaningful words, compared against the password field till a match is found.
• Rule based attack: If some details about the target are known, we can create rules based on the information we know.
• Rainbow table: Instead of comparing the passwords directly, taking the hash value of the password, comparing them with a list of pre-computed hash values until a match is found. Rainbow table method gives an advantage to the attacker since no account lockout is enabled for wrong hashes against the password. To prevent rainbow table attack, salting can be used. Salting is a process of adding random numbers to the password so the attacker will not be able to crack the hash without that salt added.

Phase 4 - Maintaining Access

Once a pentester manages to gain access to the target system, he should work hard to keep his boat afloat, metaphorically speaking. He can choose either to use the hijacked system as a launching-pad (i.e., to be part of a botnet for DDoS attacks or spam campaigns), at this moment attack, scan and exploit other systems, or keep on exploiting the current system in stealth mode. Both actions can entail a great deal of damage.

For example, the pentester could set up a sniffer to intercept all inbound/outbound network traffic, including an FTP (file transfer protocol) and telnet sessions with other systems, so that he will later transmit that data wherever he wants.

For those who want to remain undetected, it will be imperative to undertake further steps to secure their presence. There are different ways through which that can happen, but typically through the installation of hidden infrastructure for repeated and unfettered access based on backdoors, Trojan horses, rootkits, buffer overflows, and covert channels (section 1). When this infrastructure is all set to go, the pentester can then proceed to exfiltrate whatever data he considers being valuable (section 2).

Tools and Methods for Maintaining Access

• Backdoor or Trojan

A backdoor or a Trojan is a convenient tool for establishing easy access into the already breached system. A Trojan horse provides access at the application level, but to gain it, the user needs to install the piece of malware locally. In Windows-run systems, the majority of Trojans proceed to install themselves as a service and then run as a local system, having administrative access. Furthermore, the pentester can mount Trojans to sneak out passwords, credentials, and any other sensitive information stored on the system.

Much like remote access Trojans (RATs), backdoors are installed in target systems and come with built-in upload/download functionality. They upload gathered files of interest and then rely on ports like port 53 (for DNS) and 80 and 443 (for HTTP and HTTPS, respectively) to cover up their traffic.

• Covert channel

A covert channel is when data is being sent through secret communication tunnels. VoIP, DNS tunnels, ICMP tunnels, and HTTP tunnels are such paths for data extraction from the inside of a network. All of these covert channels can transport encrypted data as well. 

Although detecting covert channels is not impossible, it may require considerable efforts on the part of the victim. Network signatures, flow data analysis and protocol analysis are some of the indicators of anomalies in the outbound traffic which a pentester wielding the right tools can come across. On top of that, despite that protocol- or application-specific tools do not yield easily to security purposes, they could show better results in comparison to their security-specific counterparts.

To detect a covert tunnel is one thing, but to block it is a completely different matter.

Pentester can:

• block ICMP outbound at the corporate information border

• block DNS requests to servers outside the corporate network but not to such to internal DNS servers

• leverage Web proxies to dispose of the HTTP tunnels;

• delay delivery for a voicemail in cases of VoIP RTR exfiltration tunneling so that he can send to an audio processor, which will examine every packet for encoded data in a voicemail (in a similar fashion as antispam software works).

• Rootkit

A rootkit is a type of malware highly adept at hiding itself from a computer system. Hence, what distinguish rootkits from other types of malware is their heightened ability to conceal themselves to bypass the computer security measures. In effect, that is the main idea behind their creation.

Rootkits are usually loaded with the help of Trojan horses, starting on the targeted platform with “user” level access. Once getting an initial foothold into the system under attack, they spy on passwords and other similar login details to gain “administrator” level access. This process is called privilege escalation. Nevertheless, the rootkits’ real “specialty” is maintaining access.

In this regard, rootkits are somehow reminiscent of some forms of parasites, which enter the body but may remain dormant for years until they muster up enough strength to overcome the immune system from within the body.

• Data Exfiltration

Data exfiltration is an unauthorized transfer of data from a computer system or IT servers to an external system or device. It can be carried out manually (similar to a ‘copy-paste’ command) or automatically via malware spread across a network.

When the data is exfiltrated electronically, it is usually through different kinds of web protocols, tunneling protocols, email or file transfers. While the file transfer protocol (FTP) is regarded as a standard network protocol whose purpose is to transfer files, it may also be used to facilitate data exfiltration campaigns. Other protocols and techniques are applicable as well, for instance, routing control packets, secure shell, peer-to-peer, instant messaging, Windows Management Instrumentation, hiding data within video or images, and VoIP. Webcams, microphones, and similar peripheral devices may be rigged to monitor the target’s activities. Pentester can also make use of HTTP file transfers or the Tor anonymity network as a means to mask location and traffic.

Sometimes before the exfiltration takes place, the pentester would want to process the data to transfer it easier outside the exploited system. Typical activities with relation to this point are compression, encryption and password protection. Then the processed data will be uploaded from within the target network to a server somewhere outside. Common traffic channels are a preferable route for smuggling data out of the targeted system since the extraction will blend in with the noise of the network.

Phase 5 - Clearing Tracks

Once an attacker when finishes his work, he wants to erase all tracks leading the investigators tracing back to him. This can be done using:

• Disable auditing.
• Clearing logs.
• Modifying logs, registry files.
• Removing all files, folders created.

Phase 6 - Reporting

The result of a penetration test or security audit is an ethical hacking, or pen test report.
This report details the results of the hacking activity, the types of tests performed, and the hacking methods used. The result are compared against the expectations initially agreed upon with the customer. Any vulnerability identified are detailed countermeasures are suggested. This document is usually delivered to the organization in hard-copy format, for security reasons. The details of the ethical hacking report must be kept confidential, because they highlight the organization's security risk and vulnerabilities. If this document falls into the wrong hands, the results could be disastrous for the organization. It would essentially give someone the roadmap to all the security weeknesses of an organization.

Types of Penetration Testing