certified ethical hacking - book summary

Upload: udemy-course

Post on 09-Jul-2015

DESCRIPTION

Book summary of the course Certified Ethical Hacking. Basic course on penetration testing: https://www.udemy.com/basic-professional-penetration-tests/?couponCode=HACKING%408

TRANSCRIPT

Page 1: Certified Ethical Hacking - Book Summary

Certified Ethical Hacking

Page 2: Certified Ethical Hacking - Book Summary

Certified Ethical Hacking

- Introduction

- Footprinting and Reconnaissance

- Scanning Networks

- Enumeration

Page 3: Certified Ethical Hacking - Book Summary

Certified Ethical Hacking

- System Hacking

- Trojans + Backdoors

- Viruses + Worms

- Sniffer

Page 4: Certified Ethical Hacking - Book Summary

Certified Ethical Hacking

- Social Engineering

- Denial of Service

- Session hijacking

- Hacking Web Servers

- Hacking Web Apps

Page 5: Certified Ethical Hacking - Book Summary

Certified Ethical Hacking

- SQL Injection

- Wireless Hacking

- Evading IDS, Firewalls, Honeypots

- Buffer Overflow

- Cryptography

- Pen Testing

Page 6: Certified Ethical Hacking - Book Summary

Introduction - CEH

- No legal advice

• The legal framework is not very clear about what is actually lawful and what is not

• Be authorized in advance by those with the authority to grant it

• Demonstrate and highlight how the data could be accessed, without actually accessing it

• In Italy, use an indemnity document, drafted with legal help if possible

- It may be illegal to pentest even your own network

• No prior authorization

• Access to sensitive data

- Most hacks are unsuccessful

- Expensive exam

Page 7: Certified Ethical Hacking - Book Summary

Introduction - CEH

- Current situation

• News about cyber attacks

• Criminal activities

- Anonymous activities

- Cyber terrorism

- Companies must necessarily define and implement security policies

• Management of user accounts

• Access management

• Authentication and security levels

• Delegation: rules for delegation

• Authoritative sources of data

Page 8: Certified Ethical Hacking - Book Summary

Introduction - CEH

- Overview of legislation

• Computer Misuse Act 1990 (UK)

• CAN-SPAM Act (2003)

- In Italy

• Law 48/2008: European Convention on Cybercrime.

• Law 196/2003

• DPS (Documento Programmatico sulla Sicurezza, the security policy document)

• Data Protection Authority (Garante) measures of 27/11/2008

• The indemnity document

Page 9: Certified Ethical Hacking - Book Summary

Introduction - CEH

- Terminology

• Hacking

• Hackers

• Black Box Testing

• White Box Testing

• Gray Box Testing

• Security

• Vulnerability

• Exploit / Proof of concept

• Zero Day

• Vulnerability Scan

• Penetration Test

Page 10: Certified Ethical Hacking - Book Summary

Introduction - CEH

- Origin of threats

• Inside the company

a. Authorized physical access

b. Logins via the network

c. Managers

d. Employees

• Outside the company

a. External consultants

b. External collaborators

c. Affiliates and subsidiaries of the company

d. External maintenance staff, visitors, etc.

Page 11: Certified Ethical Hacking - Book Summary

Introduction - CEH

- Who is a Hacker? (1/2)

• Black Hats / Crackers / Malicious

Individuals with advanced computer skills that they use for malicious or destructive activity

• White Hats / Ethical Hackers / Pentesters

Individuals with expertise in the field of computer hacking who use their knowledge to improve the security of their environment; they are often identified with the term Security Analyst

Page 12: Certified Ethical Hacking - Book Summary

Introduction - CEH

- Who is a Hacker? (2/2)

• Gray Hats

Individuals with advanced computer skills that they use, as appropriate, for both "offensive" and "defensive" work

• Suicide Hacker

Individuals who use their computer skills to disrupt victim companies or critical infrastructure, without caring about the legal repercussions they may face.

• Hacktivism / Script Kiddie / Phreak / Red Team

Page 13: Certified Ethical Hacking - Book Summary

Introduction - CEH

- How does a Hacker operate? (1/3)

• Step 1: Reconnaissance

a. Research information about the victim

b. Large-scale connections looking for possible points of attack

c. Look for any information about customers, employees, networks, systems in use, etc.

• Step 2: Scanning

a. Port scan

b. Network scan

c. Extract useful information about service versions

Page 14: Certified Ethical Hacking - Book Summary

Introduction - CEH

- How does a Hacker operate? (2/3)

• Step 3: Obtain access

a. Exploit

b. Weak Password

c. Buffer Overflow

d. Denial of service

• Step 4: Maintain access

a. Keylogger

b. Backdoor

c. Rootkits

d. Trojan / Worm

Page 15: Certified Ethical Hacking - Book Summary

Introduction - CEH

- Why is Ethical Hacking needed?

• Vulnerability testing and security audits do not ensure that our infrastructure is safe

• Defense strategies need to be implemented, taking advantage of targeted pentests

• Ethical hacking is necessary in order to anticipate the moves of any malicious actors who would compromise our systems

Page 16: Certified Ethical Hacking - Book Summary

Introduction - CEH

- Benefits of Ethical Hacking

• Risk Assessment

• Auditing

• Mitigate fraud

• Best Practices

• Good infrastructure management

Page 17: Certified Ethical Hacking - Book Summary

Introduction - CEH

- Benefits of Ethical Hacking

• Risk Assessment

• Auditing

• Mitigate fraud

• Best Practices

• Good infrastructure management

- Disadvantages of Ethical Hacking

• Despite companies' intentions when hiring external people to test their systems, this does not guarantee a positive contribution to raising the company's level of security.

• An ethical hacker can only help to understand the security levels in place in the company. It is the company itself that must put proper countermeasures in place

Page 18: Certified Ethical Hacking - Book Summary

Introduction - CEH

- What does an Ethical Hacker do?

• Sniff out vulnerabilities

• Verify the effectiveness of the security strategies implemented

• Track down any vulnerabilities in systems and networks

• Test the ability to access sensitive data

Page 19: Certified Ethical Hacking - Book Summary

Introduction - CEH

- The triangle of security, functionality and ease of use

Security / Functionality / Ease of use (the three vertices of the triangle)

Page 20: Certified Ethical Hacking - Book Summary

Introduction - CEH

Introduction to the Virtual Lab + Linux

Page 21: Certified Ethical Hacking - Book Summary

Introduction - CEH

Questions?

Page 22: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Information gathering

- Assessing the attack surface

- Exposure

Page 23: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Information gathering

• Search for technical information

a. Registered domains

b. IP ranges used

c. Services provided

• Additional information

a. IT administrators in groups, forums, etc.

b. Tools used and software versions

c. Hardware devices and technologies

Page 24: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Attack Surface

• Discover the machines and services in use

• Discover any open wireless networks

• Other types of network access:

a. Waiting rooms

b. Kiosks

c. Shared networks

• Possibility of using malware in the attack

Page 25: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Exposure

• Check the services found and the machines reachable:

a. Exploits applicable to the identified services

b. Potential for abuse of the services

• Organize the information collected

• Create a plan of attack

a. An attack can be performed by using several weaknesses in a coordinated manner

• Test the posture (position) before the attack

Page 26: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Footprinting

• Delimit the scope of the attack

a. DNS / WHOIS

b. Internic

c. Physical location

d. RF (Wi-Fi, Bluetooth) monitoring - WarDriving

• Traceroute analysis

• Mirroring the target company's website

• Tracking email communications

• Using Google Hacking

• Nessus Scan

• Nikto Scan

Page 27: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Perimeter attack

• Analysis of DNS records

a. Assigned IPs

b. MX records

c. etc.

• Sniffing out the company's website

a. Public or restricted website

• Search for information via search engines (e.g. Google, Bing, Yahoo, etc.), job sites, financial services, etc.

• Research the staff on social networks, chat services, etc.

• Physical location of the offices

Page 28: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Traceroute analysis

• Identification of devices: routers, firewalls, etc.

e.g. # traceroute 10.10.10.10

traceroute to 10.10.10.10, 64 hops max, 52 byte packets

1 10.10.10.1 (10.10.10.1) 1.427 ms 1.160 ms 0.956 ms

2 10.10.10.3 (10.10.10.3) 33.266 ms 34.849 ms 33.298 ms

3 * * *

...

• By correlating the information obtained it is possible to draw the network topology

• Traceroute Tools

a. VisualRoute Trace (http://viualroute.visualware.com)

b. Visual IP Trace (http://www.visualiptrace.com)

c. vTrace (http://vtrace.pl)
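A parser for traceroute output like the one above, added here as an example (it is not part of the course material); the input is a constructed capture modelled on the slide, and the hop that answers only with asterisks is reported separately because on the slide that silence is the signature of a filtering device:

```python
import re

# Constructed traceroute output modelled on the slide's example (not a real capture).
SAMPLE_TRACEROUTE = """\
traceroute to 10.10.10.10, 64 hops max, 52 byte packets
 1  10.10.10.1 (10.10.10.1)  1.427 ms  1.160 ms  0.956 ms
 2  10.10.10.3 (10.10.10.3)  33.266 ms  34.849 ms  33.298 ms
 3  * * *
 4  10.10.10.10 (10.10.10.10)  35.102 ms  34.990 ms  35.411 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<ttl> <rest of line>"
HOST_RE = re.compile(r"^(\S+)\s+\(([\d.]+)\)")      # "<name-or-ip> (<ip>)"
RTT_RE = re.compile(r"([\d.]+)\s*ms")               # each probe's round-trip time


def parse_traceroute(text):
    """Return one dict per hop: ttl, host, ip, rtts_ms, responded.

    A hop whose probes all timed out ('* * *') is kept with responded=False:
    that is a router or firewall dropping the probe or suppressing its
    ICMP time-exceeded reply, which is exactly what the slide wants found.
    """
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # the "traceroute to ..." banner
        ttl, rest = int(m.group(1)), m.group(2)
        h = HOST_RE.match(rest)
        rtts = [float(x) for x in RTT_RE.findall(rest)]
        hops.append({
            "ttl": ttl,
            "host": h.group(1) if h else None,
            "ip": h.group(2) if h else None,
            "rtts_ms": rtts,
            "responded": bool(rtts),
        })
    return hops


def silent_hops(hops):
    """TTLs of hops that never answered: candidates for filtering devices."""
    return [h["ttl"] for h in hops if not h["responded"]]


def path_summary(hops):
    """Ordered (ip, latency_increase_ms) pairs, '?' for silent hops.

    A large jump in average RTT between two hops marks the boundary between
    the local network and the upstream link; the silent hop keeps its place
    in the path so the topology drawing stays aligned with the TTLs.
    """
    path, prev_avg = [], None
    for h in hops:
        if not h["responded"]:
            path.append(("?", None))
            continue
        avg = sum(h["rtts_ms"]) / len(h["rtts_ms"])
        delta = None if prev_avg is None else round(avg - prev_avg, 3)
        path.append((h["ip"], delta))
        prev_avg = avg
    return path


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACEROUTE)
    print("silent hops:", silent_hops(hops))
    for ip, delta in path_summary(hops):
        print(ip, "" if delta is None else f"(+{delta} ms)")
```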

Page 29: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Mirroring the corporate website

• Create a copy of the entire corporate site in order to obtain information on its structure, such as CSS, images, Flash files, video, HTML code, etc.

• Website mirroring tools:

a. Wget (http://www.gnu.org)

b. BlackWidow (http://softbytelabs.com)

c. WinWSD (http://winwsd.uw.hu)

d. etc..

Page 30: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Tracking email communications

• Email tracking is a valid method for monitoring and spying on the emails sent to recipients:

a. When an email has been received or read

b. Possibility of sending destructive emails

c. Phishing attacks

d. Find the endpoints of the email communication

e. Tracking of documents, etc.

• Email tracking tools:

a. Trout (http://www.foundstone.com)

b. 3d Visual Trace Route (http://www.3dsnmp.com)

c. etc..

Page 31: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Using Google Hacking (1/2)

• What a hacker can do with Google Hacking techniques

a. Find error messages that contain sensitive information

b. Files containing passwords

c. Security advisories or vulnerabilities

d. Pages containing a login form

e. Pages containing data about the configuration or network vulnerabilities

• Examples of operators used for advanced Google searches:

a. [cache:] - shows the version of the site cached by Google

b. [inurl:] - restricts the search to results where the given string appears in the URL

c. [intitle:] - narrows the search to documents that contain the specified string in the title

d. etc.

Page 32: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Using Google Hacking (2/2)

• Google Hacking tools:

a. MetaGoofil (http://www.edge-security.com)

b. SiteDigger (http://www.foundstone.com)

c. Google Hacks (http://code.google.com)

d. GMapCatcher (http://code.google.com)

e. Goolink Scanner (http://www.ghacks.net)

f. etc ...

Page 33: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Nessus Scan

• Nessus is a tool that finds and identifies the services exposed by a particular server

[Screenshot of Nessus]

• Nessus Site (http://www.tenable.com/products/nessus)

Page 34: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Nikto Scan

• Nikto is a tool that identifies a web server and crawls the sites configured on it.

• Nikto is also able to identify any known vulnerabilities present on that web server on the basis of its own internal DB

[Screenshot of Nikto]

• Nikto Site (http://www.cirt.net/nikto2)

Page 35: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Footprinting countermeasures (1/2)

• Secure destruction of documents

• Configuring routers / IDS

a. Reject any suspicious traffic

b. Identify footprinting patterns

c. Close access to the ports that are not strictly necessary for providing the service, and filter any unused protocols from the applications.

• Configure the web server so that it does not disclose useful information

• Perform tests to verify the footprinting countermeasures

Page 36: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

- Footprinting countermeasures (2/2)

• Removal of any sensitive data from the DMZ

• Prevention of spidering and of cached copies (robots.txt)

• Split DNS

• Honeypot

Page 37: Certified Ethical Hacking - Book Summary

Footprinting and Reconnaissance - CEH

Questions?

Page 38: Certified Ethical Hacking - Book Summary

Scanning - CEH

- CEH scanning methodology

- Types of Scan

- Firewalking

- 3-way handshake

- Closing sessions

- Scanning techniques

- War dialing

- Scanning tools

Page 39: Certified Ethical Hacking - Book Summary

Scanning - CEH

- CEH scanning methodology

1) Check for live systems

2) Check the open ports on the systems

3) Identify the types of services and their versions

4) Vulnerability scanning

5) Draw the network diagram

6) Use a proxy

Page 40: Certified Ethical Hacking - Book Summary

Scanning - CEH

- Types of Scan

• Network scanning

a. ICMP scanning

b. Ping Sweep scanning

• Port scanning

a. Check open ports on a system

• Vulnerability scanning

a. Identification of services

b. Identification of application versions

c. Identification of applications

Page 41: Certified Ethical Hacking - Book Summary

Scanning - CEH

- Firewalking

• Identifies the ACLs (Access Control Lists) configured on the firewall

• It uses the TTL (Time To Live) of a packet to find the "hop"

• Forwarding packets to the open services:

a. ICMP time exceeded

b. Packet dropped

• It is not necessary to reach the destination

Page 42: Certified Ethical Hacking - Book Summary

Scanning - CEH

- 3-way handshake (Computer A and Computer B, time flowing downward)

A -> B: SYN = 1, SEQ # 10

B -> A: SYN = 1, ACK = 1, ACK # 11

A -> B: ACK = 1, SEQ # 11

Page 43: Certified Ethical Hacking - Book Summary

Scanning - CEH

- Closing sessions (Computer A and Computer B, time flowing downward)

Normal close:

A -> B: FIN

B -> A: ACK

B -> A: FIN, ACK

A -> B: ACK

Abortive close:

A -> B: FIN, ACK

B -> A: RST

Page 44: Certified Ethical Hacking - Book Summary

Scanning - CEH

- Scanning techniques

• TCP Connect Scan

• Stealth Scan

• XMAS Scan

• SYN / ACK / FIN Scan

• NULL Scan

• IDLE Scan

• UDP Scan

Page 45: Certified Ethical Hacking - Book Summary

Scanning - CEH

- TCP Connect Scan

• Indicates whether the port is open only after completing the three-way handshake

- Packet sequence:

SYN

SYN, ACK

ACK, RST

• TCP connect scan uses a RST packet to terminate the communication

Page 46: Certified Ethical Hacking - Book Summary

Scanning - CEH

- Stealth Scan

• Used to bypass firewall rules and logging mechanisms, or to hide the activity as normal traffic

Open port: Scanner -> Target: SYN; Target -> Scanner: SYN, ACK; Scanner -> Target: RST

Closed port: Scanner -> Target: SYN; Target -> Scanner: RST

Page 47: Certified Ethical Hacking - Book Summary

Scanning - CEH

- XMAS Scan

• Forge a packet with the URG, ACK, RST, SYN and FIN flags set

• The FIN flag works only on systems whose TCP stack is implemented according to RFC 793

• Often does not work on some Microsoft Windows systems

Open port: Scanner -> Target: FIN, URG, PUSH; no reply

Closed port: Scanner -> Target: FIN, URG, PUSH; Target -> Scanner: RST

Page 48: Certified Ethical Hacking - Book Summary

Scanning - CEH

- NULL Scan

• The FIN flag works only on systems whose TCP stack is implemented according to RFC 793

• Often does not work on some Microsoft Windows systems

Open port: Scanner -> Target: no flags set; no reply

Closed port: Scanner -> Target: no flags set; Target -> Scanner: RST, ACK

Page 49: Certified Ethical Hacking - Book Summary

Scanning - CEH

- FIN Scan

• Send packets with the FIN flag set

• The FIN flag works only on systems whose TCP stack is implemented according to RFC 793

• Often does not work on some Microsoft Windows systems

Open port: Scanner -> Target: FIN; no reply

Closed port: Scanner -> Target: FIN; Target -> Scanner: RST, ACK
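Detection logic for the scan types listed on this and the preceding slides, added as an example that is not part of the course material; it runs over a constructed packet log (tcpdump-style flag letters, assumed format "time src dst dport flags") and reports XMAS/NULL/FIN probes and SYN sweeps:

```python
from collections import defaultdict

# Constructed firewall/packet log, not a real capture. Flags use tcpdump-style
# letters: S=SYN A=ACK F=FIN P=PSH U=URG R=RST, "." = no flags at all.
SAMPLE_LOG = """\
10:00:01 192.0.2.7 198.51.100.5 22 S
10:00:01 192.0.2.7 198.51.100.5 80 S
10:00:01 192.0.2.7 198.51.100.5 443 S
10:00:01 192.0.2.7 198.51.100.5 3389 S
10:00:01 192.0.2.7 198.51.100.5 8080 S
10:00:02 192.0.2.9 198.51.100.5 80 S
10:00:02 192.0.2.9 198.51.100.5 80 A
10:00:02 192.0.2.9 198.51.100.5 80 PA
10:00:05 203.0.113.4 198.51.100.5 25 FPU
10:00:05 203.0.113.4 198.51.100.5 110 .
10:00:05 203.0.113.4 198.51.100.5 143 F
"""


def classify_flags(flags):
    """Name the probe type that a packet with these flags corresponds to.

    A legitimate client opens a connection with a bare SYN. The XMAS, NULL
    and FIN scans on the slides send combinations a normal TCP stack never
    uses to start a connection, so they can be matched exactly.
    """
    f = set() if flags == "." else set(flags)
    if not f:
        return "NULL"
    if f == {"F"}:
        return "FIN"
    if f == {"F", "P", "U"}:
        return "XMAS"
    if f == {"S"}:
        return "SYN"
    return None   # ACK, PSH/ACK, RST...: mid-connection traffic, not a probe


def parse_log(text):
    """Split the constructed log into (time, src, dst, dport, flags) rows."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport, flags = line.split()
        rows.append((ts, src, dst, int(dport), flags))
    return rows


def detect_scans(rows, syn_port_threshold=5):
    """Return {src: set(findings)}.

    - every XMAS/NULL/FIN packet is reported on its own (there is no benign
      reason to see one as a first packet);
    - a source that sends SYNs to at least syn_port_threshold distinct ports
      on one destination is reported as a SYN sweep, which covers both the
      stealth (half-open) scan and the connect scan;
    - a client that completes a handshake on one port is left alone.
    """
    findings = defaultdict(set)
    syn_ports = defaultdict(set)            # (src, dst) -> ports probed with SYN
    for _, src, dst, dport, flags in rows:
        kind = classify_flags(flags)
        if kind in ("XMAS", "NULL", "FIN"):
            findings[src].add(f"{kind} probe to {dst}:{dport}")
        elif kind == "SYN":
            syn_ports[(src, dst)].add(dport)
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= syn_port_threshold:
            findings[src].add(f"SYN sweep of {len(ports)} ports on {dst}")
    return dict(findings)


if __name__ == "__main__":
    for src, items in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(src, sorted(items))
```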

Page 50: Certified Ethical Hacking - Book Summary

Scanning - CEH

- Idle Scan

• To check whether a port is open, it is enough to send a SYN packet

• The target responds with SYN, ACK if the port is open, or RST if it is closed

• A PC that receives a SYN, ACK in reply to a request it never sent responds with RST

• Any RST that was not requested is ignored

• Each packet on the network contains a "fragment identification" number (IPID)

• Idle scan is a scanning technique in which spoofed packets are sent to check the status of the ports on a target.

Page 51: Certified Ethical Hacking - Book Summary

Scanning - CEH

- Idle Scan: Step 1

• Send SYN, ACK to the zombie PC to check its IPID

• Each packet on the network has its own IP ID, consisting of 4 digits, which is incremented each time the PC sends a packet

• The zombie PC, not expecting the SYN, ACK, responds with an RST, revealing its own IPID in reply to the SYN, ACK probe packet

Page 52: Certified Ethical Hacking - Book Summary

Scanning - CEH

- Idle Scan: Step 2.1 Open port

• Send a SYN to port 80 (for example) of the target with the spoofed IP of the zombie

Attacker -> Target: SYN on port 80, source IP = Zombie

Target -> Zombie: SYN, ACK (open port)

Zombie -> Target: RST, IPID = xxxx + 1

Page 53: Certified Ethical Hacking - Book Summary

Scanning - CEH

- Idle Scan: Step 2.2 Closed port

• If the port is closed, the target sends a RST packet to the zombie, which does not respond.

Attacker -> Target: SYN on port 80, source IP = Zombie

Target -> Zombie: RST

Zombie: no response

Page 54: Certified Ethical Hacking - Book Summary

Scanning - CEH

- Idle Scan: Step 3

• The attacker sends a request to the zombie

• If the IPID has advanced by one extra step, the port is open; otherwise it is closed

Attacker -> Zombie: SYN, ACK

Zombie -> Attacker: RST, IPID = xxxx + 2
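An in-memory simulation of the three idle-scan steps, added as an example that is not part of the course material: three constructed hosts (addresses from the 192.0.2.0/24 documentation range) with a per-host IPID counter and the RFC 793 reply rules from the slides, used to show why the delta is 2 for an open port and 1 for a closed one, and how a zombie that is not idle corrupts the verdict:

```python
class Host:
    """Minimal RFC 793 responder: one IPID counter shared by every packet the
    host sends, plus the three reply rules the slides rely on."""

    def __init__(self, ip, open_ports=(), ipid=0x1000):
        self.ip = ip
        self.open_ports = set(open_ports)
        self.ipid = ipid

    def send(self, dst, flags, dport=None):
        self.ipid += 1                        # every packet sent consumes one IPID
        return {"src": self.ip, "dst": dst, "flags": frozenset(flags),
                "dport": dport, "ipid": self.ipid}

    def receive(self, pkt):
        """Return the reply this host would emit for pkt, or None."""
        flags = pkt["flags"]
        if flags == {"SYN"}:                               # connection request
            if pkt["dport"] in self.open_ports:
                return self.send(pkt["src"], {"SYN", "ACK"})
            return self.send(pkt["src"], {"RST"})
        if flags == {"SYN", "ACK"}:                        # unsolicited: answer RST
            return self.send(pkt["src"], {"RST"})
        return None                                        # RST and the rest: ignored


def deliver(net, pkt):
    """Route pkt to the host owning pkt['dst'] and return that host's reply."""
    host = net.get(pkt["dst"])
    return host.receive(pkt) if host else None


def idle_scan_port(attacker, zombie, target, port, net, zombie_noise=0):
    """Replay the three slide steps for one port; returns (verdict, ipid_delta).

    zombie_noise is the number of unrelated packets the zombie sends between
    the two probes, i.e. a zombie that is not actually idle.
    """
    # Step 1: unsolicited SYN/ACK to the zombie; its RST carries the current IPID.
    rst1 = deliver(net, attacker.send(zombie.ip, {"SYN", "ACK"}))
    for _ in range(zombie_noise):
        zombie.send("192.0.2.99", {"ACK"})     # constructed background traffic
    # Step 2: SYN to the target carrying the zombie's address as source.
    spoofed = {"src": zombie.ip, "dst": target.ip, "flags": frozenset({"SYN"}),
               "dport": port, "ipid": 0}
    reply = deliver(net, spoofed)              # the target answers the zombie, not us
    if reply is not None:
        deliver(net, reply)                    # SYN/ACK -> zombie sends RST; RST -> ignored
    # Step 3: probe the zombie again and compare the two IPIDs.
    rst2 = deliver(net, attacker.send(zombie.ip, {"SYN", "ACK"}))
    delta = rst2["ipid"] - rst1["ipid"]
    verdict = {1: "closed", 2: "open"}.get(delta, "unknown")
    return verdict, delta


def run_scan(ports, zombie_noise=0):
    """Build the three constructed hosts and scan each port once."""
    attacker = Host("192.0.2.10")
    zombie = Host("192.0.2.20")
    target = Host("192.0.2.30", open_ports={80, 443})
    net = {h.ip: h for h in (attacker, zombie, target)}
    return {p: idle_scan_port(attacker, zombie, target, p, net, zombie_noise)
            for p in ports}


if __name__ == "__main__":
    print("idle zombie:", run_scan([80, 81]))
    print("busy zombie:", run_scan([80, 81], zombie_noise=1))
```

With one stray packet from the zombie between the probes, the open port reads as "unknown" (delta 3) and the closed one is misreported as open (delta 2), which is why the technique depends on a truly idle host.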

Page 55: Certified Ethical Hacking - Book Summary

Scanning - CEH

- SYN / FIN IP fragments scan:

• Not a different method from the previous scans

• Involves sending the TCP header in fragmented packets so that any "packet filtering" systems fail to intercept it

- ACK scan:

• The attacker sends packets with the ACK flag set and random sequence numbers

• No response means that the port is filtered

• RST packet response indicates that the port is not filtered

Page 56: Certified Ethical Hacking - Book Summary

Scanning - CEH

- UDP Scan:

• For UDP port scanning the TCP 3-way handshake is not required

• When a packet is sent to a port in the open state, the target system does not send any packet back

• If a UDP request is sent to a port in the closed state, the target system responds with an ICMP port unreachable message

• Spyware, Trojan horses and other malicious applications use UDP ports to propagate between systems

Page 57: Certified Ethical Hacking - Book Summary

Scanning - CEH

- War-Dialing

• One of the attack techniques used in the past (Mitnick)

• It consisted of calling a range of phone numbers, looking for an endpoint that answers in order to initiate a connection.

• Often automated

a. They use a range of random numbers

• An answer from an endpoint often reveals the presence of an "emergency" access reserved for system administrators

Page 58: Certified Ethical Hacking - Book Summary

Scanning - CEH

- Scanning tools

• Nmap (http://nmap.org/)

• Nessus (http://www.tenable.com/products/nessus)

• OpenVAS (http://www.openvas.org/)

• Hping (http://www.hping.org/)

• Netcat (http://netcat.sourceforge.net/)

• SuperScan (http://www.foundstone.com)

• Free Port Scanner (http://www.nsauditor.com)

• THC-Scan (http://freeworld.thc.org)

• iWar (http://www.softwink.com)

Page 59: Certified Ethical Hacking - Book Summary

Scanning - CEH

Questions?

Page 60: Certified Ethical Hacking - Book Summary

Enumeration - CEH

- Enumeration

- Enumeration techniques

- NetBIOS Enumeration

- Enumerating User Account

- SNMP Enumeration

- Unix / Linux Enumeration

- SMTP Enumeration

Page 61: Certified Ethical Hacking - Book Summary

Enumeration - CEH

- What is enumeration?

• Enumeration is the process of extracting usernames, machine names, network resources, shared resources and services of a system

• Enumeration techniques are applied in an intranet environment or for more ...

Page 62: Certified Ethical Hacking - Book Summary

Enumeration - CEH

- Enumeration techniques

• Extract users from email IDs

• Pull usernames through the SNMP service

• Extract groups from Windows machines

• Extract data using default passwords

• Brute forcing Active Directory

• Extract information using DNS zone transfer

Page 63: Certified Ethical Hacking - Book Summary

Enumeration - CEH

- NetBIOS Enumeration

• An attacker exploits NetBIOS enumeration to obtain:

a. The list of computers that belong to a domain

b. The list of network shares that each host on the network exposes

c. Policies

d. Passwords

Page 64: Certified Ethical Hacking - Book Summary

Enumeration - CEH

- Enumerating systems using default passwords

• Devices such as hubs, switches and routers are often used with the default password

• An attacker can get access to these systems, and to the information they contain, using default credentials

• Default password site (http://www.defaultpassword.com)

Page 65: Certified Ethical Hacking - Book Summary

Enumeration - CEH

- SNMP Enumeration

• SNMP (Simple Network Management Protocol) is a protocol used to monitor and maintain hosts, routers and, in general, any network device that supports it

• An attacker uses SNMP enumeration to extract information about the resources of network devices

• SNMP consists of a manager and an agent; the agent is directly integrated in the device and the manager is usually installed on a separate, dedicated system.

• The default community string used for monitoring and read access to the information is "public", while the one for maintenance and write access is "private"

• SNMP enumeration uses these strings to extract useful information from the equipment

Page 66: Certified Ethical Hacking - Book Summary

Enumeration - CEH

- Unix / Linux enumeration

• For Unix / Linux there are several commands to enumerate resources on the network

a. showmount: provides the list of shares exposed by the system

b. finger: enumerates users and hosts, providing detailed information such as home directories, etc.

c. rpcclient: provides a list of users on Linux and OS X

d. rpcinfo: helps to enumerate the RPC (Remote Procedure Call) protocol. RPC allows applications to communicate over the network.

Page 67: Certified Ethical Hacking - Book Summary

Enumeration - CEH

- SMTP Enumeration

• A service that can be interacted with directly through the "telnet" command

• Allows enumeration of users through the normal commands available

a. VRFY / EXPN

b. RCPT TO
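The VRFY/EXPN handlers a mail server can offer, leaky beside hardened, added as an example that is not part of the course material; the user table and the example.com domain are constructed, and the 252 reply is the one RFC 5321 section 3.5 allows a server to return instead of confirming or denying a name:

```python
# Constructed local user table for the demo (not a real mail system).
LOCAL_USERS = {"alice", "bob"}
LOCAL_LISTS = {"staff": ["alice", "bob"]}
DOMAIN = "example.com"


def handle_vrfy_leaky(arg):
    """Enumeration-friendly behaviour: 250 for a real account, 550 otherwise,
    so each VRFY tells the prober whether the name exists."""
    if arg in LOCAL_USERS:
        return f"250 {arg} <{arg}@{DOMAIN}>"
    return f"550 5.1.1 {arg}: user unknown"


def handle_expn_leaky(arg):
    """Expands a list into its members: one command reveals several accounts."""
    if arg not in LOCAL_LISTS:
        return f"550 5.1.1 {arg}: list unknown"
    members = LOCAL_LISTS[arg]
    lines = [f"250-{m} <{m}@{DOMAIN}>" for m in members[:-1]]
    lines.append(f"250 {members[-1]} <{members[-1]}@{DOMAIN}>")
    return "\n".join(lines)


def handle_vrfy_hardened(arg):
    """Same reply for every name: the server neither confirms nor denies,
    yet still accepts mail (RFC 5321 section 3.5 permits exactly this)."""
    return "252 2.5.2 Cannot VRFY user, but will accept message and attempt delivery"


def handle_expn_hardened(arg):
    """Disable list expansion outright."""
    return "502 5.5.1 EXPN command not implemented"


def smtp_respond(line, hardened):
    """Dispatch one client command line (e.g. 'VRFY alice') to a handler."""
    verb, _, arg = line.strip().partition(" ")
    table = {
        "VRFY": handle_vrfy_hardened if hardened else handle_vrfy_leaky,
        "EXPN": handle_expn_hardened if hardened else handle_expn_leaky,
    }
    handler = table.get(verb.upper())
    if handler is None:
        return "502 5.5.1 Command not implemented"
    return handler(arg)


def names_revealed(names, hardened):
    """Names a prober can confirm from VRFY replies alone: 250 means the
    account exists, 550 means it does not, a uniform 252 confirms nothing.
    (RCPT TO, the third command on the slide, needs the same uniform
    treatment at the transaction level and is not modelled here.)"""
    confirmed = set()
    for n in names:
        if smtp_respond(f"VRFY {n}", hardened).startswith("250"):
            confirmed.add(n)
    return confirmed


if __name__ == "__main__":
    probe = ["alice", "bob", "carol"]
    print("leaky server reveals:   ", names_revealed(probe, hardened=False))
    print("hardened server reveals:", names_revealed(probe, hardened=True))
```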

Page 68: Certified Ethical Hacking - Book Summary

Enumeration - CEH

- User Account Enumeration

• It can be attempted through anonymous queries to the LDAP server

• On Windows systems, using the SID (Security Identifier)

a. Null Session

b. SID to User

Page 69: Certified Ethical Hacking - Book Summary

Enumeration - CEH

Questions?

Page 70: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Password Cracking / Attack

- Privilege Escalation

- Running programs: spyware / keylogger / rootkits

- NTFS Data Stream

- Steganography

- Covering the tracks

Page 71: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Password Cracking / Attack

• Password cracking techniques are used to recover the password of a given system

• Attackers use this type of technique to obtain unauthorized access to vulnerable systems

• These techniques work because of the simplicity of the passwords chosen by users

Page 72: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Password Cracking Techniques

• Dictionary attack

a. Uses a file containing common passwords

• Brute force attack (Brute Forcing Attack)

a. Tries combinations of numbers and characters until the password is found

• Hybrid attack (Hybrid Attack)

a. Similar to the dictionary attack, but adds numbers and letters to the words in the dictionary

• Syllable attack (Syllable Attack)

a. Combines the dict
ionary attack and brute force

• Rule-based attack (Rule-Based Attack)

a. Based on information the attacker has previously found about the password (company policy, the number of special characters, etc.)
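A policy check that undoes the dictionary, hybrid and syllable mutations listed above before comparing against a wordlist, added as an example that is not part of the course material; the six-word DICTIONARY and the leetspeak table are constructed stand-ins for a real wordlist and rule set:

```python
import math
import re

# Constructed mini-dictionary; a real check loads a large wordlist instead.
DICTIONARY = {"password", "welcome", "summer", "company", "letmein", "admin"}

# Constructed leetspeak table: the substitutions a hybrid/rule-based attack tries.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate):
    """Undo the transformations a hybrid attack applies to a dictionary word:
    case, digits/symbols appended or prepended, then leetspeak substitutions."""
    s = candidate.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # strip leading/trailing non-letters
    return s.translate(LEET)


def dictionary_base(candidate, dictionary=DICTIONARY):
    """Return the dictionary word (or 'word1+word2' pair, the syllable attack's
    search space) that an attack would reach this password from, else None."""
    base = normalize(candidate)
    if base in dictionary:
        return base
    for w in dictionary:
        if base.startswith(w) and base[len(w):] in dictionary:
            return f"{w}+{base[len(w):]}"
    return None


def naive_keyspace_bits(candidate):
    """Brute-force size a character-class rule would credit the password with.
    This is what a policy that only counts character classes sees."""
    classes = [("[a-z]", 26), ("[A-Z]", 26), ("[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]
    size = sum(n for pat, n in classes if re.search(pat, candidate))
    return round(len(candidate) * math.log2(size), 1) if size else 0.0


def check_password(candidate, min_len=12):
    """Findings a policy checker should report; an empty list means acceptable."""
    findings = []
    if len(candidate) < min_len:
        findings.append(f"shorter than {min_len} characters")
    base = dictionary_base(candidate)
    if base:
        findings.append(f"dictionary word '{base}' once hybrid-attack mutations are undone")
    if candidate.isdigit():
        findings.append("digits only: tiny brute-force keyspace")
    return findings


if __name__ == "__main__":
    for pw in ("Password1!", "P@ssw0rd2024", "SummerWelcome99", "xk9!Tq2#Lm7&Rz"):
        print(pw, naive_keyspace_bits(pw), "bits by class count;", check_password(pw))
```

"Password1!" scores 65.7 bits by character-class counting yet collapses to the word "password" once the mutations are undone, which is the gap between a brute-force estimate and the hybrid attack described above.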

Page 73: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Types of password attacks

• Passive online attack

• Active online attack

• Offline attack

• Non-electronic attack

Page 74: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Passive Online Attack

• Sniffing the network

• MITM (Man in the Middle)

• Replay

Page 75: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Active online attack

• Predictability of passwords

• Trojan / Spyware / Keylogger

• Hash injection

Page 76: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Offline attack

• Precomputed hashes

• Rainbow tables

• Distributed networks

Page 77: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Non-electronic attack

• Looking over the shoulder of someone typing a password (shoulder surfing)

• Social engineering

• Rummaging through garbage (dumpster diving)

Page 78: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Privilege Escalation

• Exploits vulnerabilities in the operating system

• Software vulnerabilities

• Programming errors

a. Data buffer overflow

b. No distinction between data and executable code

c. Failure to check user input, etc.

• Often used with shellcode exploits

Page 79: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Spyware

• A program that records the actions the user performs on the computer and while surfing the Internet, without the user knowing anything about it

a. It hides its process

b. It hides its files and other objects

c. Difficult to remove

• Methods of propagation

a. Masquerading as anti-spyware

b. Downloaded from the Internet

c. Exploiting browser vulnerabilities

d. Fake add-ons

e. Software installers containing purpose-built macros

Page 80: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Keylogger (Keystroke Logger)

• Software or hardware components that record what the user types on the keyboard

• Everything recorded is saved to a file and sent to a remote destination

• The keylogger inserts itself into the communication between the keyboard and the operating system

• Some companies use this type of equipment or software to monitor their employees; it is also used at home for the purpose of monitoring children, and so on.

Page 81: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- RootKit

• These are programs that reside at the kernel level to hide themselves and cover the tracks of their activity

• They replace specific routines or operating system components with ad hoc modified versions

• Rootkits allow an attacker to maintain access to the system

Page 82: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Rootkit types (1/2)

• Hardware / Firmware

Hides in physical devices or in firmware updates that do not check code integrity

• Hypervisor level

Changes the boot sequence so as to place itself beneath the operating system, which then runs virtualized

• Boot loader level

Replaces the original boot loader with one controlled by a remote attacker

Page 84: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Rootkit types (2/2)

• Kernel level

Replaces parts of the kernel of the operating system or device, or adds malicious code to them

• Library level

Replaces operating system libraries in order to hide the attacker's information

• Application level

Replaces the executables of regular applications with Trojans or malicious pieces of code

Page 85: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- NTFS Data Streams

• NTFS Alternate Data Streams (ADS) is a hidden information-flow mechanism in Windows that holds the metadata of a file (attributes, word count, author name, etc.)

• ADS is the mechanism that allows attributes to be added to a file without changing its functionality or how it appears in the file manager

• ADS can be exploited by an attacker to inject code into a compromised system and execute commands without being detected by the user

Page 86: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Steganography (1/2)

• Steganography is the technique of hiding secret messages and extracting them at the destination while maintaining the confidentiality of the message

• Using graphic images as a cover to hide data, coordinates or secret plans is one of the most widely used methods

• There are several free programs that make use of steganographic techniques

Page 87: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Steganography (2/2)

• Example with ImageHide (http://www.dancemammal.com/imagehide.htm)
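A least-significant-bit embed/extract routine showing how an image (here a constructed byte array standing in for pixel values) can carry a hidden payload, added as an example that is not part of the course material or of ImageHide; the LSB-ratio function is a simple detection hint a defender can compute over a suspect file:

```python
# Constructed "image": 4000 pixel bytes with a gradient and every LSB cleared,
# so that any embedded bit shows up clearly in the LSB statistics below.
COVER = bytes(((i * 7) % 256) & 0xFE for i in range(4000))


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover, payload):
    """Hide payload in the least significant bit of successive cover bytes.

    Layout: a 4-byte big-endian length header, then the payload, one bit per
    cover byte. Each pixel value changes by at most 1, which is invisible to
    the eye. Raises ValueError if the cover is too small.
    """
    data = len(payload).to_bytes(4, "big") + payload
    needed = len(data) * 8
    if needed > len(cover):
        raise ValueError(f"cover has {len(cover)} bytes, need {needed}")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(data)):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _read_bytes(stego, start_bit, count):
    """Reassemble count bytes from the LSBs starting at cover index start_bit."""
    out = bytearray()
    for b in range(count):
        v = 0
        for k in range(8):
            v = (v << 1) | (stego[start_bit + b * 8 + k] & 1)
        out.append(v)
    return bytes(out)


def extract(stego):
    """Recover the payload written by embed(): read the length, then the body."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)


def max_abs_change(cover, stego):
    """Largest per-byte difference; LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_ratio(data):
    """Fraction of bytes whose LSB is 1. A flat or strongly biased LSB plane
    that suddenly looks random at the start of the file is a detection hint."""
    return sum(b & 1 for b in data) / len(data)


if __name__ == "__main__":
    secret = b"meet at 10:30, coordinates 45.46,9.19"   # constructed payload
    stego = embed(COVER, secret)
    print("recovered:", extract(stego))
    print("max pixel change:", max_abs_change(COVER, stego))
    print("LSB ratio before/after:", lsb_ratio(COVER), round(lsb_ratio(stego), 4))
```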

Page 88: Certified Ethical Hacking - Book Summary

System Hacking - CEH

- Covering the tracks

• Remove all traces of web activity such as MRU (Most Recently Used) lists, cookies, cache, history and temporary files

• Disable auditing systems

• Edit the log files, do not delete them!

a. Operating system

b. Applications

c. Access to DBs

d. Administrative

e. utmp / lastlog / wtmp

• Close all connections to the target machine

a. Use tools or alter files to obfuscate one's presence

b. Windows Watcher, Tracks Eraser Pro, Evidence Eliminator, etc.

• Close all the ports that were used and apply patches to the system, to prevent other hackers from getting in

Page 89: Certified Ethical Hacking - Book Summary

System Hacking - CEH

Questions?

Page 90: Certified Ethical Hacking - Book Summary

Trojans + Backdoors - CEH

- What is a Trojan?

• It is a program containing malicious code within itself, which allows taking control of the system and causing damage to it

• With the help of a Trojan, an attacker is able to gain access to the passwords stored on the system and, in general, to everything on it, such as personal documents, deleted files, images, messages, etc.

Page 91: Certified Ethical Hacking - Book Summary

Trojans + Backdoors - CEH

- What is the purpose of a Trojan?

• Steal important information, such as passwords, secret codes, credit card information, bank details, etc.

• Record the activities on the victim's PC

• Modify or replace operating system files

• DoS attacks

• Download spyware, keyloggers

• Disable protection systems: anti-virus, anti-spyware, etc.

• Use the victim's PC to propagate the Trojan infection

Page 92: Certified Ethical Hacking - Book Summary

Trojans + Backdoors - CEH

- What method does a Trojan use to infect a system?

1. Create a modified package using a Trojan horse construction kit

2. Create the procedure ("dropper") that will be the heart of the Trojan and execute the malicious code on the target system

3. Create a container ("wrapper") with the tool, containing the Trojan, which will be used to install everything on the victim's PC

4. Propagate the Trojan

5. Run the dropper

6. Execute the harmful routine

Page 93: Certified Ethical Hacking - Book Summary

Trojans + Backdoors - CEH

- Ways in which a Trojan is able to infect a system

• Software packages created by dissatisfied employees

• Fake programs (AV pop-ups, rogue security software)

• Files downloaded from the Internet (games, music, screen savers, etc.)

• Messaging systems (IM, IRC, AOL, etc.)

• Suggested links or attachments in email messages

• File sharing

• Vulnerabilities in the browsers or mail clients used

• Physical access to the PC

Page 94: Certified Ethical Hacking - Book Summary

Trojans + Backdoors - CEH

- How a Trojan evades controls

• Split the Trojan code into small, separate, compressed parts

• Change the content and the checksum, and encrypt the Trojan code using a hex editor

• Do not use Trojans downloaded directly from the internet

• Use different common extensions to disguise the Trojan executable

Page 95: Certified Ethical Hacking - Book Summary

Trojans + Backdoors - CEH

- Some types of Trojans

• Command Shell Trojan

• Covert Channel Trojan

• Botnet Trojan

• Proxy Server Trojan

• Remote Access Trojan (backdoor)

• E-Mail Trojan

• FTP Trojans

• E-Banking Trojan

• Mobile Trojan

• Spam Trojan

• Mac OS X Trojan

• etc.

Page 96: Certified Ethical Hacking - Book Summary

Trojans + Backdoors - CEH

- Methods for detecting the presence of Trojans on a compromised system

• Scan open ports

• Scan active processes

• Scan the installed drivers

• Scan Windows services

• Scan the programs that start at boot

• Scan for suspicious files or folders

• Monitor network activity

• Scan for recently modified operating system files

• Use a Trojan scanner

Page 97: Certified Ethical Hacking - Book Summary

Viruses + Worms - CEH

- What is a Virus?

• It is a self-replicating program that modifies other executable programs by inserting its own code into them

• Some viruses infect the computer as soon as the program that contains them is run

• Other viruses remain dormant until a triggering event activates them

Page 98: Certified Ethical Hacking - Book Summary

Viruses + Worms - CEH

- Why are viruses created?

• To damage competing companies

• Financial gain

• Research projects

• For fun

• Acts of vandalism

• Cyber terrorism

• To distribute political messages

Page 99: Certified Ethical Hacking - Book Summary

Viruses + Worms - CEH

- How can a virus infect a computer?

• The antivirus signature database is not updated

• Outdated versions of installed plugins

• By installing pirated or cracked software

• Opening infected e-mails

• When a user downloads files without verifying the source

Page 100: Certified Ethical Hacking - Book Summary

Viruses + Worms - CEH

- Some examples of virus types

• System or Boot Sector Virus

• File Virus

• Cluster Virus

• Multipartite Virus

• Macro Virus

• Encryption Virus

• Polymorphic Virus

• Shell Virus

• Tunneling Virus

Page 101: Certified Ethical Hacking - Book Summary

Viruses + Worms - CEH

- What is a Worm?

• It is a malicious program that can replicate, run and propagate itself through the network without human intervention

• Most worms are created to replicate and spread across the network in order to consume computing resources

• Some worms may contain code that can harm the infected system

• Attackers use worms to install backdoors on infected systems so as to create zombies or botnets. Botnets are used for future cyber attacks

Page 102: Certified Ethical Hacking - Book Summary

Viruses + Worms - CEH

- How to avoid worm and virus infections

• Install an antivirus and keep its signature database updated

• Regularly update systems with the latest available security patches

• Pay particular attention to files or programs downloaded from the Internet

• Avoid running e-mail attachments whose sender is not known

• Always keep backups of the data so that it can be restored in case of infection

• Regularly scan your PC

• Do not use administrative accounts

• Use programs that control connections (personal firewalls, etc.)

• Use programs such as Tripwire, sigverif, Windows File Protection

Page 103: Certified Ethical Hacking - Book Summary

Viruses + Worms - CEH

Questions?

Page 104: Certified Ethical Hacking - Book Summary

Sniffer - CEH

- ARP

- Uses of sniffing

- Sniffing techniques

- Active sniffing

- Countermeasures

Page 105: Certified Ethical Hacking - Book Summary

Sniffer - CEH - ARP

• It is a network protocol whose task is to map the IP address of a PC to its MAC address on an Ethernet network

• Specified in RFC 826

• ARP tables

• ARP Request / ARP Reply mechanism

Page 106: Certified Ethical Hacking - Book Summary

Sniffer - CEH - Uses of sniffing

• To identify the elements of a network

a. Router

b. DNS Server

c. Addressing scheme used

d. Network equipment

• Get MAC address and IP address of a computer on the network

• Obtain sensitive data

a. Credentials travelling over unencrypted channels (HTTP, FTP)

b. Confidential documents

c. Password hashes

d. Etc.

Page 107: Certified Ethical Hacking - Book Summary

Sniffer - CEH - Sniffing techniques

• Passive Sniffing

a. Applicable only on a network with hubs

b. Consists of monitoring the packets travelling over the network

c. Hubs are obsolete today

• Active Sniffing

a. A technique used on switched networks

b. Consists of injecting packets (ARP) into the network to generate requests

Page 108: Certified Ethical Hacking - Book Summary

Sniffer - CEH - Active sniffing (1/3)

• It is used where passive listening on the network is not possible because of the presence of switches

• It involves injecting fictitious packets into the network in order to divert traffic to the attacker

• Exploits the weaknesses of the ARP protocol

• It is lawful if used for monitoring or control of the network

a. SPAN Port: reserved for traffic duplication on the switch

b. Monitoring Port

c. Port Mirroring

Page 109: Certified Ethical Hacking - Book Summary

Sniffer - CEH - Active sniffing (2/3)

• ARP Spoofing (Poison)

a. Inject modified ARP Replies (e.g. with the gateway's MAC)

b. Requires constant, frequent injection

c. Easily identifiable

d. Easy to prevent by enabling "port security" on the equipment

• MAC duplication

a. Replace your own MAC address with that of the target machine

Page 110: Certified Ethical Hacking - Book Summary

Sniffer - CEH - Active sniffing (3/3)

• MAC Flooding

a. Generate a large quantity of spoofed ARP replies

b. Saturates the memory of the switches and their ability to refresh it

c. Turns the switch into a hub

• Attacks on DHCP

a. Sending IP requests to the DHCP server in order to exhaust the available address pool

b. It is considered a DoS (Denial of Service)

Page 111: Certified Ethical Hacking - Book Summary

Sniffer - CEH - Countermeasures

• Enable port security on the switches that support it

a. Prevents duplicate MAC addresses

b. Maintains the mapping between MAC addresses and the ports to which they are connected

• Use an IDS (Intrusion Detection System)

a. Allows immediate detection of MAC floods, duplicate MACs and high amounts of ARP traffic

• Use static ARP tables

• Enable DHCP Snooping

a. Prevents DHCP attacks
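An added example, not part of the course, of the detection the IDS countermeasure above relies on: an IP answering from a new MAC (poisoning or duplication), a burst of ARP replies, and a flood of never-seen MACs, run over constructed ARP reply records rather than a real capture.

```python
"""Detector for the ARP anomalies the countermeasures slide expects an IDS
to catch: an IP changing MAC (ARP poisoning / MAC duplication), high ARP
reply rates, and MAC flooding (a burst of never-seen source MACs).
Added example with constructed data; not the course's code."""
from collections import deque


def detect_arp_anomalies(replies, window=1.0, max_rate=50, max_new_macs=20):
    """replies: iterable of (timestamp_seconds, sender_ip, sender_mac) read
    from ARP *reply* frames. Returns a list of (kind, timestamp, detail)."""
    ip_to_mac = {}                 # learned table, the analogue of a static ARP table
    seen_macs = set()
    in_window = deque()            # timestamps of replies inside the sliding window
    new_macs_in_window = deque()   # (timestamp, mac) for MACs first seen in the window
    rate_alerted = flood_alerted = False
    alerts = []

    for ts, ip, mac in replies:
        mac = mac.lower()

        # Poisoning / duplication: an IP suddenly answers with a different MAC.
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(("MAC_CHANGE", ts, f"{ip}: {prev} -> {mac}"))
        ip_to_mac[ip] = mac

        # Slide the time window forward and drop entries that fell out of it.
        in_window.append(ts)
        while ts - in_window[0] > window:
            in_window.popleft()
        if mac not in seen_macs:
            seen_macs.add(mac)
            new_macs_in_window.append((ts, mac))
        while new_macs_in_window and ts - new_macs_in_window[0][0] > window:
            new_macs_in_window.popleft()

        # High ARP reply rate: alert once per burst, re-arm when it subsides.
        if len(in_window) > max_rate:
            if not rate_alerted:
                alerts.append(("ARP_RATE", ts, f"{len(in_window)} replies in {window}s"))
                rate_alerted = True
        else:
            rate_alerted = False

        # MAC flooding: many fresh source MACs in a short time, the pattern that
        # fills a switch's address table and makes it fall back to hub behaviour.
        if len(new_macs_in_window) > max_new_macs:
            if not flood_alerted:
                alerts.append(("MAC_FLOOD", ts, f"{len(new_macs_in_window)} new MACs in {window}s"))
                flood_alerted = True
        else:
            flood_alerted = False

    return alerts


# Constructed sample traffic (not a real capture): normal replies, then the
# gateway's IP answering from a new MAC, then a burst of 300 replies from
# 300 different MACs within 0.3 seconds.
GATEWAY_MAC = "00:11:22:33:44:01"
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1", GATEWAY_MAC),
    (0.4, "192.168.1.10", "00:11:22:33:44:0a"),
    (1.2, "192.168.1.1", GATEWAY_MAC),
    (2.0, "192.168.1.1", "de:ad:be:ef:00:01"),   # another host claims the gateway IP
    (2.3, "192.168.1.1", "de:ad:be:ef:00:01"),
]
SAMPLE_REPLIES += [
    (5.0 + i / 1000, f"10.9.{i // 250}.{i % 250 + 1}", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
    for i in range(300)
]

if __name__ == "__main__":
    for kind, ts, detail in detect_arp_anomalies(SAMPLE_REPLIES):
        print(f"t={ts:7.3f}s  {kind:10s} {detail}")
```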

Page 112: Certified Ethical Hacking - Book Summary

Sniffer - CEH - Some useful programs

• ARP attacks

a. Ettercap (http://ettercap.github.io/ettercap/)

b. Cain & Abel (http://www.oxid.it/cain.html)

c. SMAC (http://www.klcconsulting.net/smac-cl/)

• Sniffing tools

a. tcpdump (http://www.tcpdump.org/)

b. Wireshark (http://www.wireshark.org/)

c. Dsniff (http://www.monkey.org/~dugsong/dsniff/)

d. Aircrack-ng (http://www.aircrack-ng.org/doku.php?id=airodump-ng)

Page 113: Certified Ethical Hacking - Book Summary

Sniffer - CEH

Questions?

Page 114: Certified Ethical Hacking - Book Summary

Social Engineering - CEH

- Social Engineering

• "Social Engineering" is the art of tricking people into revealing confidential information

• This kind of technique draws its strength from people's lack of awareness of the value of the information they hold and from their carelessness in keeping it confidential

Page 115: Certified Ethical Hacking - Book Summary

Social Engineering - CEH

- Victims of Social Engineering attacks

• Secretaries or help desk personnel

• Users or customers of the company

• Company suppliers

• System Administrators

• Technical support staff

Page 116: Certified Ethical Hacking - Book Summary

Social Engineering - CEH - Phases of a Social Engineering attack

a. Gather information on the target company

• Dumpster diving

• Website

• Information about the employees

• Visits to the company's premises

• etc.

b. Select a victim

• Identify, for example, a disgruntled employee

c. Develop a relationship with the victim

• Begin a relationship with the employee selected as the victim

d. Exploit the relationship

• Obtain information such as user names, financial information, technologies used, etc.

Page 117: Certified Ethical Hacking - Book Summary

Social Engineering - CEH

- Techniques of Social Engineering (1/2)

• Human-based

a. Dumpster Diving (searching through the trash)

b. Posing as a user (impersonation)

c. Posing as a company VIP

d. Posing as a technical support person

e. Eavesdropping on telephone conversations

f. Looking over people's shoulders (Shoulder Surfing)

g. Sneaking in

h. Posing as a third party

i. etc.

Page 118: Certified Ethical Hacking - Book Summary

Social Engineering - CEH

- Techniques of Social Engineering (2/2)

• Computer-based

a. Using pop-up windows that appear while browsing (gifts, million-dollar sweepstakes, etc.)

b. Through hoax letters

c. Through chain letters

d. Via chat messages (dates of birth, maiden names, pets' names, etc.)

e. Via spam e-mail

f. Phishing

g. Sending fake SMS requesting banking information

Page 119: Certified Ethical Hacking - Book Summary

Social Engineering - CEH

- Countermeasures

• Adopt clear corporate policies of behaviour and enforce them

• Enhance physical security

• Train staff to respond to such threats

• Implement control and verification measures and apply them constantly

• Warn potential recipients about dangerous e-mail content

Page 120: Certified Ethical Hacking - Book Summary

Social Engineering - CEH

Questions?

Page 121: Certified Ethical Hacking - Book Summary

Denial of Service - CEH

- What is a Denial of Service?

• A Denial of Service (DoS) attack is an attack on a computer or a computer network designed to inhibit the normal delivery of the available services

• In a DoS attack the attacker floods the victim system with requests until the available resources are saturated

Page 122: Certified Ethical Hacking - Book Summary

Denial of Service - CEH

- DoS attack techniques

• Ping of Death (ICMP Flood)

a. Send a large number of ICMP requests

b. Causes the saturation of the available memory

c. Modern OSes have Ping of Death prevention mechanisms

• SYN Flood

a. Exploits the normal operation of the 3-way handshake

b. Saturates the available memory

c. Leaves half-open connections hanging for up to 75 seconds

Page 123: Certified Ethical Hacking - Book Summary

Denial of Service - CEH

- Why DoS attacks are used

• Vandalism

• As a warning or activist method

• As an anti-tracking method (Mitnick, Shimomura)

Page 124: Certified Ethical Hacking - Book Summary

Denial of Service - CEH

- Common DoS programs

• Trinity - IRC DDoS

• r-u-dead-yet (RUDY) - HTTP POST DDoS

• Tribe Flood Network - network flood

• Slowloris - HTTP DoS

• Low Orbit Ion Cannon (LOIC) - DoS tool


Page 125: Certified Ethical Hacking - Book Summary

Denial of Service - CEH

Questions?

Page 126: Certified Ethical Hacking - Book Summary

Session hijacking - CEH

- What is Session Hijacking?

• Session Hijacking refers to the exploitation and compromise of a valid session between two computers

• An attacker steals a valid session ID to gain access to the system and the data it contains

• TCP Session Hijacking is when an attacker takes control of a TCP session between two computers

Page 127: Certified Ethical Hacking - Book Summary

Session hijacking - CEH

- Types of Session Hijacking

• Active

a. Consists of replacing the host with which the session was established

• Passive

a. Consists of routing the traffic through the attacker, who merely observes and records it

• Hybrid

a. Similar to passive, unless important information is found

Page 128: Certified Ethical Hacking - Book Summary

Session hijacking - CEH

- Main Session Hijacking techniques

• Brute forcing

a. The attacker tries different session IDs until a valid one is found

• Stealing

a. The attacker uses different techniques to steal valid session IDs

• Calculating

a. The attacker tries to calculate the value of a valid session ID

Page 129: Certified Ethical Hacking - Book Summary

Session hijacking - CEH

- Brute Forcing

• Try to identify the session ID in the clear (no SSL)

• Try to identify multiple valid session IDs

• Sessions that do not have expiration times

• Accounts that do not have credential lockout

Page 130: Certified Ethical Hacking - Book Summary

Session hijacking - CEH

- Man in the Middle

• Based on sniffing traffic

• Gives the ability to add packets to an existing session

• It can be used to change the sequence number in an attempt to keep the user's session active for the purpose of injecting malicious code

• The payload of the packets sent can be changed by adding

Page 131: Certified Ethical Hacking - Book Summary

Session hijacking - CEH

- Session Fixation

• The attacker determines the session ID

• If the login has already been made, tries to keep the session active

• Exploits phishing techniques to send the session ID to the user

• Once the user is authenticated the attacker is able to access the target user's data

Page 132: Certified Ethical Hacking - Book Summary

Session hijacking - CEH

- What are the advantages of Session Hijacking?

• Access to the server as an authenticated user

• Often the access remains hidden

a. Keeping an existing session ID, replacing the original client

b. The hijacking is difficult to trace

c. The credentials are valid

• The nature of the TCP session gives the possibility of continuous access

• No need to re-authenticate or to alter the security packages

Page 133: Certified Ethical Hacking - Book Summary

Session hijacking - CEH

- Programs for Hijacking

• Hamster / Ferret

• Firesheep

• Ettercap

• Juggernaut

• Hunt

• T-Sight

• Metasploit

• SSL Strip

Page 134: Certified Ethical Hacking - Book Summary

Session hijacking - CEH

- Countermeasures

• Use communications over secure channels (SSL) wherever possible

• Exchange cookies over encrypted channels (HTTPS)

• Implement mechanisms that de-authenticate user sessions at logout

• Use session IDs generated only after authorized access

• Use random sequences of numbers and letters to generate session keys

• Exchange only encrypted data between the user and the webserver
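An added example, not from the course, putting the countermeasures above into code: cryptographically random session IDs, a new ID issued only at login (which also defeats session fixation), idle expiry, server-side logout and HTTPS-only cookies. The cookie name and the in-memory store are assumptions.

```python
"""Session handling that applies the slide's countermeasures: unpredictable
IDs, a fresh ID issued only after authentication (defeats session fixation),
idle expiry, explicit logout, and cookies confined to HTTPS.
Added example, not course code; the store and cookie name are assumptions."""
import secrets
import time

SESSION_ID_BYTES = 32          # 256 bits of randomness: cannot be guessed or calculated
IDLE_TIMEOUT = 15 * 60         # seconds; an expired ID is useless to whoever stole it
COOKIE_NAME = "sid"            # assumed cookie name


def _new_id():
    # secrets, not random: the slide's "random numbers and letters" must come
    # from a cryptographic generator, or IDs can be brute forced or calculated.
    return secrets.token_urlsafe(SESSION_ID_BYTES)


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock, so expiry can be tested
        self._sessions = {}        # session id -> {"user": str | None, "last_seen": float}

    def new_session(self):
        """Anonymous (pre-login) session, e.g. for a shopping cart."""
        sid = _new_id()
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, old_sid, user):
        """Called after the credentials were verified. The pre-login ID is
        discarded and a new one issued, so an ID an attacker fixed on the
        victim before login never becomes an authenticated session."""
        self._sessions.pop(old_sid, None)
        sid = _new_id()
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def lookup(self, sid):
        """Return the session entry for sid, or None if unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]          # expired: drop it so it cannot be revived
            return None
        entry["last_seen"] = self._now()
        return entry

    def logout(self, sid):
        """Invalidate server-side, not just by clearing the browser cookie."""
        return self._sessions.pop(sid, None) is not None


def set_cookie_header(sid):
    """Cookie attributes that keep the ID off cleartext channels and away
    from scripts: Secure (HTTPS only), HttpOnly, SameSite."""
    return f"Set-Cookie: {COOKIE_NAME}={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def demo():
    """Walk through fixation and expiry with a fake clock."""
    clock = [1_000.0]
    store = SessionStore(now=lambda: clock[0])
    pre = store.new_session()                    # ID an attacker could have fixed
    auth = store.login(pre, "alice")             # credentials verified: rotate the ID
    fixed_id_works = store.lookup(pre) is not None
    clock[0] += IDLE_TIMEOUT + 1
    valid_after_idle = store.lookup(auth) is not None
    return {"rotated": pre != auth, "fixed_id_works": fixed_id_works,
            "valid_after_idle": valid_after_idle}
```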

Page 135: Certified Ethical Hacking - Book Summary

Session hijacking - CEH

Questions?

Page 136: Certified Ethical Hacking - Book Summary

Hacking Web Servers - CEH

- Current webserver vendors

• Apache

• Microsoft IIS

• Lighttpd

• Google

• Nginx

Page 137: Certified Ethical Hacking - Book Summary

Hacking Web Servers - CEH - Architecture of a webserver

• Communication ports and protocols used

a. HTTP (Hypertext Transfer Protocol) Port 80

b. HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer) port 443

• Handles requests received from clients using various methods

a. GET

b. POST

c. TRACE

• Potentially vulnerable to

a. Malformed GET / POST

b. SQL Injection

c. Configuration errors

d. Etc.

Page 138: Certified Ethical Hacking - Book Summary

Hacking Web Servers - CEH

- Impact of attacks on WebServer

• Compromise of user accounts

• Tampering with the managed data

• As a bridge to other web attacks

• Theft of information

• Administrative access to the server or other applications

• Defacement of the managed site

Page 139: Certified Ethical Hacking - Book Summary

Hacking Web Servers - CEH

- Some types of attack on the WebServer

• Webserver configuration errors

a. Administrative capabilities enabled

b. Error messages rich in debug information

c. Backups, old copies of configuration files, scripts

d. Anonymous or test users with easily guessable passwords enabled

e. Etc.

Page 140: Certified Ethical Hacking - Book Summary

Hacking Web Servers - CEH

- Some types of attack on the WebServer

• Directory Traversal

a. Access to confidential system directories

b. Running commands external to the webserver

c. Access to confidential information

d. Use of Unicode encoding to mask requests

Page 141: Certified Ethical Hacking - Book Summary

Hacking Web Servers - CEH

- Some types of attack on the WebServer

• Tampering with the parameters of the request (URL)

a. Changing the parameters exchanged between client and server

b. Example: http://www.example.com/sample?a=1234&b=456&admin=1

• URL Obfuscation

a. Unicode encoding, binary, decimal, etc.

Page 142: Certified Ethical Hacking - Book Summary

Hacking Web Servers - CEH

- Some types of attack on the WebServer

• Source Code Analysis

a. Discovery of sensitive directories, other servers or services

b. Users and passwords

c. Preconfigured or default session IDs

• Password

a. Brute force attack

b. Dictionary attack

c. Hybrid attack

d. Simple passwords

Page 143: Certified Ethical Hacking - Book Summary

Hacking Web Servers - CEH

- Methodology for attacking the webserver (1/2)

• Information gathering

a. Collect information about the target company

b. Search newsgroups, forums, etc.

c. Whois, traceroute, etc. to map the victim's systems

• Identification of the type of webserver

a. Type of server, operating system, etc.

• Copy of the website structure

a. Create a copy of the site structure

b. Find useful comments within the code

Page 144: Certified Ethical Hacking - Book Summary

Hacking Web Servers - CEH

- Methodology for attacking the webserver (2/2)

• Scanning for known vulnerabilities

a. Identify any weaknesses in the system

b. HP WebInspect, Nessus, etc.

• Session Hijacking

a. Sniffing valid session IDs for unauthorized access

b. Burp Suite, Paros Proxy, Hamster, FireSheep

• Cracking passwords used by the webserver

a. Attempt to find passwords using various techniques

b. Brutus, THC-Hydra, etc.

Page 145: Certified Ethical Hacking - Book Summary

Hacking Web Servers - CEH

- Countermeasures

• Regular scanning and patch systems

• Apply any updates provided by the software manufacturers

• Ensure that all systems have the same versions of service packs, hotfixes and security patches

• Provide a disaster recovery plan and system backups in case a recovery is required

Page 146: Certified Ethical Hacking - Book Summary

Hacking Web Servers - CEH

Questions?

Page 147: Certified Ethical Hacking - Book Summary

Hacking Web Apps - CEH

- Defining a Web Application

• It is a communication interface between the user and the web server, made up of several server-generated pages that contain scripts or commands executed dynamically in the user's browser

• Businesses rely on web applications, and on web technology in general, as a key support for business processes and their improvement

Page 148: Certified Ethical Hacking - Book Summary

Hacking Web Apps - CEH

- Components of a Web App

• The Web Server

• The application content

• Data Access

Page 149: Certified Ethical Hacking - Book Summary

Hacking Web Apps - CEH

- How a Web App works

[Diagram: User request -> Web Server -> Web Application -> DBMS / OS commands -> Output returned to the User]

Page 150: Certified Ethical Hacking - Book Summary

Hacking Web Apps - CEH

- Types of Web App attacks (1/2)

• SQL Injection

a. The most common and most effective attacks

b. Exploits input forms present in web pages

c. Forces login requests to obtain valid credentials

d. Interfaces with the DB (alter, insert, delete tables)

• Automated tools

a. sqlmap

b. SQL Ninja

c. Havij

d. Etc.

Page 151: Certified Ethical Hacking - Book Summary

Hacking Web Apps - CEH

- Types of attacks Web App (2/2)

• Cross Site Scripting (XSS)

a. Forces the execution of scripts and actions not intended by the application

b. Executing commands or installing software

c. Based on the application's incorrect handling of user input

d. The tag par excellence that indicates XSS is "<script>"

• Cross Site Request Forgery (CSRF)

a. Forces the user's browser to send malicious requests without the user's control

b. The victim has a valid active session on a "trusted" site while visiting a malicious site, which injects a malformed HTTP request that is forwarded to the trusted site and carried out as if legitimate
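A server-side check for the CSRF case described above, as an added example that is not part of the original slides: the trusted site requires a per-session token the malicious site cannot obtain, on top of the cookie the browser attaches automatically. The origin name, the request dicts and the secret are assumptions.

```python
"""CSRF check for the case on the slide: the victim's browser attaches the
trusted site's cookie to any request, so the server must also demand a
secret that only its own pages can embed. Added example, not course code;
the origin name, the request dicts and the secret are assumptions."""
import hashlib
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
TRUSTED_ORIGIN = "https://trusted.example"      # assumed name of the "trusted" site


def issue_csrf_token(session_id, server_secret):
    """HMAC of the session ID: bound to this session, needs no per-request
    storage, and a page on another origin cannot read or compute it."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(request, session_id, server_secret):
    """request = {"method": str, "headers": dict, "form": dict}."""
    if request["method"] in SAFE_METHODS:
        return True      # safe methods must not change state, so no token is required
    headers = request.get("headers", {})
    # Check 1: the browser-set Origin (or Referer) must be our own site.
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin and origin != TRUSTED_ORIGIN and not origin.startswith(TRUSTED_ORIGIN + "/"):
        return False
    # Check 2: the form must carry the token matching the session cookie.
    supplied = request.get("form", {}).get("csrf_token", "")
    expected = issue_csrf_token(session_id, server_secret)
    return hmac.compare_digest(expected, supplied)      # constant-time comparison


# Constructed requests; both arrive with the victim's valid session cookie.
SERVER_SECRET = secrets.token_bytes(32)
VICTIM_SESSION = "constructed-session-id-of-the-victim"

legitimate_post = {
    "method": "POST",
    "headers": {"Origin": TRUSTED_ORIGIN},
    "form": {"amount": "10", "csrf_token": issue_csrf_token(VICTIM_SESSION, SERVER_SECRET)},
}
# What the malicious site's auto-submitted form looks like on arrival: the
# cookie is there, the token is not, and the browser reports the other origin.
forged_post = {
    "method": "POST",
    "headers": {"Origin": "https://malicious.example"},
    "form": {"amount": "10000"},
}
```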

Page 152: Certified Ethical Hacking - Book Summary

Hacking Web Apps - CEH

- Methodology for attack on a Web App

• Obtain a map of the web infrastructure

• Attack the web servers

• Analysis of the web application

• Attempt to bypass the authentication mechanisms

• Attempt to bypass the authorization mechanisms

• Attack the session control mechanisms

• Attempt packet injection

• Attack the possible web app clients

• Attack the web services used by the application

Page 153: Certified Ethical Hacking - Book Summary

Hacking Web Apps - CEH

- Web Application Firewall (WAF)

• Firewall with Advanced Features

• Specializing in defending web applications

• Allows analysis of HTTP / HTTPS traffic to intercept and possibly block dangerous requests

• It allows you to block SQL injection attacks, buffer

overflows, XSS, etc.

Page 154: Certified Ethical Hacking - Book Summary

Hacking Web Apps - CEH

Questions?

Page 155: Certified Ethical Hacking - Book Summary

SQL Injection - CEH

- What is SQL Injection?

• SQL injection is a technique that exploits the web application's faulty validation of user input to execute SQL commands on the back-end DB

• SQL Injection is an attack aimed at obtaining unauthorized access to the database or the information it contains

Page 156: Certified Ethical Hacking - Book Summary

SQL Injection - CEH

- Types of SQL Injection attack

• Bypassing authentication mechanisms

• Disclosure of sensitive information

• Compromising the integrity of the managed data

• Impairing the availability of the managed data

• Running remote commands

Page 157: Certified Ethical Hacking - Book Summary

SQL Injection - CEH

- Methods for detecting SQL Injection

a. Check whether the web application accesses a DB server

b. Enumerate the possible user inputs that can be exploited to execute SQL commands

c. Simulate inserting code into user input fields

d. Simulate entering numbers in fields reserved for strings

e. The UNION operator is used in SQL Injection techniques to concatenate SQL statements

f. Check the amount of information contained in error messages

Page 158: Certified Ethical Hacking - Book Summary

SQL Injection - CEH

- Types of SQL Injection

a. Simple SQL Injection

• SQL Union

• SQL Error

b. Blind Injection

Page 159: Certified Ethical Hacking - Book Summary

SQL Injection - CEH

- Simple SQL Injection Attacks

• Stored procedures

a. Attacks based on the use of "stored procedures" already in the DB

b. UNION query

SELECT name, phone, address FROM Users WHERE ID = 1 UNION ALL SELECT CreditCardNumber, 1, 1 FROM creditcardtable

c. Tautology (a statement that is true by definition)

SELECT * FROM user WHERE name = '' OR '1'='1';

d. Commenting out the end of the line

SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --';

e. Understanding the structure of the DB via requests with parameters that are not allowed

Page 160: Certified Ethical Hacking - Book Summary

SQL Injection - CEH

- Blind SQL Injection

• It is a technique used when the web application is subject to SQL injection but the responses are not visible to the attacker

• Blind SQL Injection follows the same philosophy as normal SQL Injection, except that the attacker is not able to see the specific error generated

• This type of attack can become very expensive in terms of time because of the large number of requests that must be sent for every single bit of information obtained

Page 161: Certified Ethical Hacking - Book Summary

SQL Injection - CEH

- SQL Injection attack methodology

a. Information gathering

b. Sniffing out an SQL Injection vulnerability

c. Exploit the vulnerability found

d. Extract data from the database

e. Interacting with the Operating System

f. Compromise the entire network

Page 162: Certified Ethical Hacking - Book Summary

SQL Injection - CEH

- Programs for SQL Injection

a. SQL Power Injection (http://www.sqlpowerinjector.com/)

b. BSQLHacker (http://labs.portcullis.co.uk/tools/bsql-hacker/)

c. Marathon Tool (http://marathontool.codeplex.com/)

d. Absinthe (https://github.com/HandsomeCam/Absinthe)

e. SqlNinja (http://sqlninja.sourceforge.net/)

f. Sqlmap (http://sqlmap.org/)

Page 163: Certified Ethical Hacking - Book Summary

SQL Injection - CEH

- Countermeasures

a. Use an account with minimum privileges on the DB

b. Disable functions or procedures not necessary for the operation of the application

c. Monitor connections with IDS, WAF, etc.

d. Use custom error messages

e. Filter client data

f. Provide security checks on the data passed by the application when making requests to the database
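As an added example that is not part of the original slides, the tautology and UNION inputs from the Simple SQL Injection slide (page 159) run against a query built by string concatenation and against the parameterized form that the countermeasures above call for, with generic error messages as countermeasure d asks; the tables and rows are constructed.

```python
"""The slide's tautology and UNION inputs run against a query built by
string concatenation and against the parameterized form the countermeasures
call for, plus generic error handling (countermeasure d). Added example with
constructed tables and rows; not the course's code."""
import sqlite3

TAUTOLOGY = "' OR '1'='1"          # the slide's "true by definition" input
UNION_INPUT = "1 UNION ALL SELECT CreditCardNumber, 1, 1 FROM creditcardtable"


def make_db():
    """In-memory database with the tables the slide's queries mention."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (userid INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO user (name) VALUES ('alice'), ('bob');
        CREATE TABLE Users (ID INTEGER PRIMARY KEY, name TEXT, phone TEXT, address TEXT);
        INSERT INTO Users VALUES (1, 'alice', '555-0100', '1 Main St');
        CREATE TABLE creditcardtable (CreditCardNumber TEXT);
        INSERT INTO creditcardtable VALUES ('4111-0000-0000-0001');
    """)
    return conn


def user_exists_vulnerable(conn, name):
    # The input is pasted into the statement, so quotes in it become SQL.
    sql = f"SELECT name FROM user WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def user_exists_safe(conn, name):
    # Parameter binding: the value travels separately and is never parsed as SQL.
    sql = "SELECT name FROM user WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def contact_vulnerable(conn, user_id):
    # Numeric field, no quotes: a UNION appended to the number is accepted as-is.
    sql = f"SELECT name, phone, address FROM Users WHERE ID = {user_id}"
    return list(conn.execute(sql))


def contact_safe(conn, user_id):
    try:
        uid = int(user_id)           # numeric field: reject anything that is not a number
    except (TypeError, ValueError):
        return []
    sql = "SELECT name, phone, address FROM Users WHERE ID = ?"
    return list(conn.execute(sql, (uid,)))


def handle_request(handler, conn, value):
    """Wrap a query so the client never sees the DBMS error text that
    error-based injection relies on; the real exception goes to the server log."""
    try:
        return {"ok": True, "rows": handler(conn, value)}
    except sqlite3.Error as exc:
        print(f"[server log] {type(exc).__name__}: {exc}")
        return {"ok": False, "error": "request could not be processed"}
```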

Page 164: Certified Ethical Hacking - Book Summary

SQL Injection - CEH

Questions?

Page 165: Certified Ethical Hacking - Book Summary

Hacking Wireless - CEH

- Wireless LAN

- Bluetooth

Page 166: Certified Ethical Hacking - Book Summary

Hacking Wireless - CEH

- Wireless LAN

• Wi-Fi was developed according to the IEEE 802.11 standard and is widely used in wireless communication, as it provides access to applications and data over the wireless network

• The Wi-Fi standard defines numerous ways of establishing a connection between transmitter and receiver, such as DSSS, FHSS, Infrared (IR) and OFDM

Page 167: Certified Ethical Hacking - Book Summary

Hacking Wireless - CEH

- Types of Wireless

• As an extension of a wired network

• Multiple Access Points

• LAN-to-LAN Wireless Network (Bridge Mode)

• 3G Hotspot

Page 168: Certified Ethical Hacking - Book Summary

Hacking Wireless - CEH

- Wireless standards

• 802.11a: bandwidth up to 54 Mbps, 5 GHz frequency

• 802.11b: bandwidth up to 11 Mbps, 2.4 GHz frequency

• 802.11g: bandwidth up to 54 Mbps, 2.4 GHz frequency

• 802.11i: a standard that extends 802.11a/b/g by adding improved encryption for wireless networks

• 802.11n: bandwidth over 100 Mbps

• 802.16: a standard for wireless broadband developed for MANs (Metropolitan Area Networks)

• Bluetooth: standard with very short range (<10 m) and low speed (1-3 Mbps), developed for low-power network devices such as PDAs

Page 169: Certified Ethical Hacking - Book Summary

Hacking Wireless - CEH

- Types of encryption used in wireless

• WEP

a. It is the first and oldest standard used in wireless communications

• WPA

a. Uses a 48-bit IV

b. 32-bit CRC

c. TKIP encryption

• WPA2

a. Uses AES encryption (128 bit) and CCMP

• WPA2 Enterprise

a. Integrates the WPA standard with EAP

Page 170: Certified Ethical Hacking - Book Summary

Hacking Wireless - CEH

- How WEP is cracked

• Configure the wireless interface in monitor mode on the specific channel of the access point

• Verify the ability to inject packets towards the AP

• Use a program like aireplay-ng to simulate a fake authentication to the AP

• Run a sniffer to collect unique IVs

• Use a tool to extract the encryption key from the collected IVs

Page 171: Certified Ethical Hacking - Book Summary

Hacking Wireless - CEH - How WPA/WPA2 is cracked

• WPA PSK

WPA PSK uses a user-selected key to initialize TKIP; it cannot be broken with precomputed packages, but it can be found with a brute-forced dictionary attack

• Brute-Force WPA

Use a program such as aircrack, aireplay or KisMAC to try to find the key

• Offline attack

Collect a considerable number of packets so as to capture the WPA/WPA2 authentication handshake

• Deauthentication attack on connected clients

Consists of forcing clients already connected to the AP to disconnect and reconnect, in order to collect authentication packets for subsequent cracking

Page 172: Certified Ethical Hacking - Book Summary

Hacking Wireless - CEH

- Wireless attack methodology

• Locate the target Wi-Fi network

• GPS mapping

• Wireless network traffic analysis

• Attack the Wi-Fi network

• Crack the encryption used

• Compromise the Wi-Fi network

Page 173: Certified Ethical Hacking - Book Summary

Hacking Wireless - CEH

- Bluetooth

• Easy to use

• Easy to detect

• Types of Attack

a. BlueSmacking

b. Bluejacking

c. BlueSniffing

d. Bluesnarfing

Page 174: Certified Ethical Hacking - Book Summary

Hacking Wireless - CEH

Questions?

Page 175: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

- IDS

- Firewall

- Snort

- HoneyPot

Page 176: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

- IDS

• An Intrusion Detection System (IDS) is a system that

collects and analyzes information from a computer or

a network, in order to identify possible violations of

security policies

• An IDS is essentially a "packet sniffer" that intercepts packets travelling over, for example, a TCP/IP network

• The packets are analyzed after they have been captured

• An IDS evaluates a suspected intrusion once it has taken place and raises an alarm

Page 177: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

- Methods for the identification of an intrusion

• Identification by signatures (Signature Recognition)

This type of system attempts to identify events that represent improper use of the system.

• Identification of anomalies (Anomaly Detection)

Attempts to identify threats based on analysis of the characteristic behaviour of a user or of a given component in a system

• Identification of anomalies in the communication protocol (Protocol Anomaly Detection)

The models used for this type of recognition are based on the specifications of the protocol used, for example TCP/IP

Page 178: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

- Types of Intrusion Detection System (1/2)

• Network-based

a. This system typically consists of a black box placed inside the network, which captures traffic in promiscuous mode and tries to identify threats based on preset patterns

• Host-based

a. This system is based on listening to the events generated by a specific host

b. It is not commonly used, due to the excessive workload of monitoring

Page 179: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

- Types of Intrusion Detection System (2/2)

• Monitoring of log files

a. This type of system is based on a program that scans the log files looking for events that have already happened

• Checking file integrity

a. This type of system checks for the presence of Trojan horses or changed files that indicate a possible intrusion.

b. Tripwire (http://www.tripwire.com/)
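An added example (not Tripwire's or the course's code) of the file-integrity check described above, which also covers the "recently modified operating system files" item on the Trojan detection slide: a baseline of hashes, sizes and permission bits is built once and a later scan is compared against it.

```python
"""Host-based integrity check of the Tripwire kind: hash every file under a
root into a baseline, store it, and later report added, removed and modified
files. Added example, not the course's or Tripwire's code."""
import hashlib
import json
import os
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its hash, size and
    permission bits. Symlinks are skipped so a link cannot redirect the scan."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        baseline[str(path.relative_to(root))] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,   # a new setuid bit is a change worth seeing
        }
    return baseline


def compare(baseline, current):
    """Differences between a stored baseline and a fresh scan."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(f for f in old & new if baseline[f] != current[f]),
    }


def save_baseline(baseline, path):
    # Keep this file off the monitored host (or sign it): a baseline the
    # intruder can rewrite proves nothing.
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    import sys
    root, store = sys.argv[1], sys.argv[2]
    if os.path.exists(store):
        report = compare(load_baseline(store), build_baseline(root))
        for kind, files in report.items():
            for name in files:
                print(f"{kind:9s} {name}")
    else:
        save_baseline(build_baseline(root), store)
        print(f"baseline written to {store}")
```

Run it once with a directory and a baseline path to record the baseline, then again with the same arguments to print what changed.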

Page 180: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

- Firewall

• It is a hardware or software system designed to prevent unauthorized access to or from a private network

• It is placed at strategic points such as junctions or as a network gateway

• A firewall monitors all messages entering and leaving the private network, blocking those that do not meet specific security criteria

• Firewalls only look at the type of traffic, the addresses and the destination ports

Page 181: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

- DeMilitarized Zone (DMZ)

• The DMZ is an isolated segment of the LAN, reachable from both the internal and the external network, but whose hosts have only limited, explicitly allowed connectivity towards specific hosts on the internal network

• It is created with a firewall that has at least three physical network adapters, each with its own rule set: the Trusted Network (internal), the DMZ Network and the Un-Trusted External Network (Internet)

Page 182: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

- Types of Firewall (1/2)

• Packet Filter

a. It works at the network layer of the OSI model

b. Each packet is checked against established rules before being forwarded

c. The rules can specify IP addresses, source or destination ports and the type of protocol

• Circuit-Level Gateway

a. It works at the session layer of the OSI model

b. It monitors the TCP handshake to identify a legitimate connection

c. The information passed to the remote computer appears to originate from the gateway / firewall

d. This type of firewall can mask information about the network it protects, but it does not filter packets individually

Page 183: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

- Types of Firewall (2/2)

• Application-Level

a. It works at the application layer of the OSI model

b. It does not allow access to services that are not proxied by the firewall

c. When configured as a web proxy, services such as FTP, telnet and others are not allowed

d. Acting at the application layer, these devices can filter specific application commands, for example HTTP GET or POST

• Stateful Multilayer Inspection

a. This kind of firewall combines the functionality of the previous models

b. It filters packets at the network layer, tracks the state of the session to identify legitimate connections, and inspects the content at the application layer

Page 184: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

- Intrusion Detection System: Snort

• Open-source IDS that can analyse traffic in real time and log any problems on a network

• It can analyse protocols and packet contents to detect attack attempts: buffer overflows, port scans, attacks on CGI scripts, etc.

• It provides a language for writing your own rules

• Uses of Snort

a. Directly as a simple sniffer, like tcpdump

b. As a packet logger (for diagnosing network problems)

c. As an IDS / IPS (Intrusion Prevention System)

Page 185: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

- The Snort rules

• The rules engine lets you create your own rules, specific to the type of network and to the use you want to make of them

• Snort rules make it possible to distinguish between normal browsing, legitimate network activity and "mischievous" activity

• A rule was traditionally written on a single line; current versions also accept a rule spanning several lines if each continued line ends with a backslash

• Snort rules are logically divided into two parts:

a. Rule header: identifies the action the rule will take (for example alert, log, pass, activate), the protocol, the source and destination addresses and ports, and the direction of the traffic

b. Rule options (in parentheses after the header): contain the alert message and the detection criteria, for example the content to look for
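The header/options split is easiest to see by parsing a rule. The following Python is an added example, not code from the book or from the Snort project: it splits a constructed rule into its header and option list and evaluates it against three constructed packet descriptions. It implements only a small subset of the real rule language (negated CIDR addresses, port ranges, both directions, content with nocase); real Snort has many more options and a much faster matching engine.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed rule for this example (not from the book): alert when a host outside
# 192.168.1.0/24 sends an HTTP GET for /cgi-bin/ to a web server inside it.
SAMPLE_RULE = ('alert tcp !192.168.1.0/24 any -> 192.168.1.0/24 80 '
               '(msg:"WEB-CGI probe"; content:"GET /cgi-bin/"; nocase; sid:1000001; rev:1;)')

# Rule header: action, protocol, source address/port, direction, destination address/port.
HEADER_RE = re.compile(r'^(?P<action>alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+'
                       r'(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
                       r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)$')

Header = Dict[str, str]
Options = List[Tuple[str, str]]

def split_options(body: str) -> Options:
    """Split 'key:value; key; ...' on semicolons that are not inside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ';' and not in_quote:
            item = ''.join(cur).strip()
            if item:
                key, _, val = item.partition(':')
                opts.append((key.strip(), val.strip().strip('"')))
            cur = []
        else:
            cur.append(ch)
    return opts

def parse_rule(text: str) -> Tuple[Header, Options]:
    """Split a Snort rule into its header (before the parentheses) and its option list."""
    text = text.strip()
    lparen = text.find('(')
    if lparen < 0 or not text.endswith(')'):
        raise ValueError('rule options must be enclosed in parentheses')
    m = HEADER_RE.match(text[:lparen].strip())
    if not m:
        raise ValueError('malformed rule header')
    return m.groupdict(), split_options(text[lparen + 1:-1])

def addr_match(spec: str, ip: str) -> bool:
    """'any', a single IP or a CIDR block, optionally negated with '!'."""
    if spec == 'any':
        return True
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip('!'), strict=False)
    return hit != spec.startswith('!')

def port_match(spec: str, port: int) -> bool:
    """'any', one port or a 'lo:hi' range (either end may be open), optionally negated."""
    if spec == 'any':
        return True
    negate, spec = spec.startswith('!'), spec.lstrip('!')
    if ':' in spec:
        lo, _, hi = spec.partition(':')
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def matches(header: Header, options: Options, pkt: dict) -> bool:
    """Subset of Snort matching: header fields, then content (with nocase) from the options."""
    if header['proto'] != pkt['proto']:
        return False
    def ends(src, sport, dst, dport):
        return (addr_match(header['src'], src) and port_match(header['sport'], sport) and
                addr_match(header['dst'], dst) and port_match(header['dport'], dport))
    hit = ends(pkt['src'], pkt['sport'], pkt['dst'], pkt['dport'])
    if not hit and header['dir'] == '<>':  # bidirectional rule: try the reverse direction too
        hit = ends(pkt['dst'], pkt['dport'], pkt['src'], pkt['sport'])
    if not hit:
        return False
    opts = dict(options)
    if 'content' in opts:
        needle, hay = opts['content'], pkt['payload']
        if 'nocase' in opts:
            needle, hay = needle.lower(), hay.lower()
        return needle in hay
    return True

# Constructed traffic: an external CGI probe (lower-case verb to exercise nocase), the same
# probe from an internal host, and an ordinary page request.
PACKETS = [
    {'proto': 'tcp', 'src': '10.0.0.5', 'sport': 51234, 'dst': '192.168.1.10', 'dport': 80,
     'payload': 'get /cgi-bin/test.cgi HTTP/1.0\r\n'},
    {'proto': 'tcp', 'src': '192.168.1.20', 'sport': 40000, 'dst': '192.168.1.10', 'dport': 80,
     'payload': 'GET /cgi-bin/test.cgi HTTP/1.0\r\n'},
    {'proto': 'tcp', 'src': '10.0.0.5', 'sport': 51235, 'dst': '192.168.1.10', 'dport': 80,
     'payload': 'GET /index.html HTTP/1.0\r\n'},
]

def alerts(rule_text: str, packets: list) -> List[str]:
    """The alert message for each packet an 'alert' rule fires on."""
    header, options = parse_rule(rule_text)
    msg = dict(options).get('msg', '')
    return [msg for p in packets if header['action'] == 'alert' and matches(header, options, p)]

if __name__ == '__main__':
    print(alerts(SAMPLE_RULE, PACKETS))
```

Running it prints ['WEB-CGI probe']: only the external, lower-case GET probe fires, because the internal host is excluded by the negated source address and the index-page request does not contain the content string.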

Page 186: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

- HoneyPot

• It is a system set up and configured specifically to attract and trap those who attempt to penetrate our network

• It simulates a vulnerable, easily hackable system or service

• Uses:

a. Study of the attack methods used

b. Study of the sources of the attacks

c. An effective palliative that diverts attackers away from the real target systems

• It must be positioned in a segment segregated from the production environment

• Verify the legality of using this type of system in your jurisdiction

Page 187: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

- Evading the IDS

• Identify any interfaces in promiscuous mode (i.e. locate the sensor)

a. AntiSniff

b. NEPED (Network Promiscuous Ethernet Detector)

• Intercept the alerts sent by the IDS

• Use evasion techniques (fragmentation, encoding) or polymorphic shellcode

• Attack the IDS itself:

a. Snort vulnerabilities

b. Vulnerabilities in the OS or in exposed services

Page 188: Certified Ethical Hacking - Book Summary

Evading IDS, Firewalls, Honeypots - CEH

Questions?

Page 189: Certified Ethical Hacking - Book Summary

Buffer Overflow - CEH

- Defining Buffer Overflow

- Buffer Overflow Method

- Identifying a Buffer Overflow

- Countermeasures to Buffer Overflow

Page 190: Certified Ethical Hacking - Book Summary

Buffer Overflow - CEH

- Defining Buffer Overflow

• It is a security vulnerability that occurs when a program does not properly check the length of incoming data, but simply writes it into a fixed-length buffer, trusting that the data will not exceed the space previously allocated

Page 191: Certified Ethical Hacking - Book Summary

Buffer Overflow - CEH

- Why are programs and applications vulnerable?

• In many cases the checks on the data being handled are ineffective or absent

• In many cases the programming languages used are themselves prone to the vulnerability (C and C++ perform no bounds checking)

• Programs and applications are not developed following secure-coding best practices

• Functions such as strcat(), strcpy(), sprintf(), vsprintf(), gets() and scanf(), used in C, may be subject to buffer overflow because they do not check the length of the destination buffer

Page 192: Certified Ethical Hacking - Book Summary

Buffer Overflow - CEH

- The Stack and Buffer Overflow

• A stack buffer overflow occurs when data written into a buffer on the stack overruns it and overwrites the adjacent stack space (saved registers and the saved return address)

• An attacker can exploit this to take control of the program's flow of execution and run arbitrary code

Page 193: Certified Ethical Hacking - Book Summary

Buffer Overflow - CEH

- The Heap and Buffer Overflow

• When a program copies data into heap memory without carrying out the necessary checks, an attacker can exploit it to gain control of the data managed on the heap

• An attacker fills a buffer beyond its end and overwrites the other dynamically allocated variables that follow it, with effects that differ from the normal execution of the program

Page 194: Certified Ethical Hacking - Book Summary

Buffer Overflow - CEH

- Buffer Overflow Method

• Find a possible buffer overflow and the condition that triggers it

• Send more data than the program can handle

• Overwrite the return address of a function

• Run your own malicious code (shellcode)

Page 195: Certified Ethical Hacking - Book Summary

Buffer Overflow - CEH

- How to Identify a Buffer Overflow?

a. Run the program on your own machine

b. Feed it large amounts of data containing recognisable marker characters, for example "$$$$" at the end of a string

c. Wait for the program to crash

d. Look in the program's crash dump for the marker characters, to identify the point at which the buffer overflow is triggered

e. Attach a debugger (gdb, OllyDbg, etc.) and analyse the program's behaviour

f. Write the exploit for the buffer overflow just found
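The marker-string step generalises to a cyclic pattern in which every 4-byte window is unique, so the value left in the instruction pointer after the crash maps back to an exact offset (the approach of Metasploit's pattern_create / pattern_offset). The following Python is an added example, not code from the book: it generates such a pattern, recovers the offset, and runs the whole procedure (steps b to f) against a toy model of a 32-bit stack frame with an unchecked strcpy()-style copy, next to the bounded copy that defeats it. The buffer size, frame layout, return addresses and the one-byte "shellcode" are all constructed for illustration; a real frame layout depends on compiler and architecture.

```python
import string
import struct

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
MAX_UNIQUE = len(UPPER) * len(LOWER) * len(DIGITS) * 3  # 20280 bytes before a 4-byte window repeats


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern 'Aa0Aa1Aa2...' in which every 4-byte window is unique."""
    if length > MAX_UNIQUE:
        raise ValueError('pattern would repeat beyond %d bytes' % MAX_UNIQUE)
    out = bytearray()
    for a in UPPER:
        for b in LOWER:
            for c in DIGITS:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def find_offset(pattern: bytes, crash_value) -> int:
    """Map the value seen in EIP/RIP after the crash (an int, or the raw bytes) to its offset."""
    if isinstance(crash_value, int):
        width = 4 if crash_value <= 0xFFFFFFFF else 8
        needle = crash_value.to_bytes(width, 'little')  # registers hold little-endian values
    else:
        needle = bytes(crash_value)
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError('value not found: the crash is not controlled by the pattern')
    return idx


class ToyFrame:
    """Constructed model of a 32-bit stack frame: [buffer][saved EBP][saved return address]."""

    ORIGINAL_RET = 0x08048500  # made-up return address

    def __init__(self, buf_size: int):
        self.buf_size = buf_size
        self.ret_offset = buf_size + 4  # 4 bytes of saved EBP between buffer and return address
        self.mem = bytearray(b'\x00' * buf_size + b'\xbb' * 4 + struct.pack('<I', self.ORIGINAL_RET))

    def unchecked_copy(self, data: bytes) -> None:
        """strcpy()-like: writes every byte of data from the start of the buffer, no length check."""
        self.mem[0:len(data)] = data  # keeps writing past buf_size, just like the C bug

    def bounded_copy(self, data: bytes) -> None:
        """The fix: never write more than the buffer can hold (strncpy/snprintf-style)."""
        self.mem[0:self.buf_size] = data[:self.buf_size].ljust(self.buf_size, b'\x00')

    def return_address(self) -> int:
        return struct.unpack('<I', bytes(self.mem[self.ret_offset:self.ret_offset + 4]))[0]


def locate_return_offset(buf_size: int, probe_len: int = 200) -> int:
    """Steps b-d: send a pattern, let the program 'crash', read EIP, recover the offset."""
    frame = ToyFrame(buf_size)
    pattern = cyclic_pattern(probe_len)
    frame.unchecked_copy(pattern)  # the overflow: the saved return address now holds pattern bytes
    return find_offset(pattern, frame.return_address())


def build_payload(ret_offset: int, ret_addr: int, shellcode: bytes, nop_sled: int = 16) -> bytes:
    """Step f: padding up to the saved return address, the address to jump to, NOP sled, shellcode."""
    return b'A' * ret_offset + struct.pack('<I', ret_addr) + b'\x90' * nop_sled + shellcode


if __name__ == '__main__':
    offset = locate_return_offset(64)                    # 68 for this toy layout
    payload = build_payload(offset, 0xDEADBEEF, b'\xcc')  # placeholder address and INT3 "shellcode"
    hit, fixed = ToyFrame(64), ToyFrame(64)
    hit.unchecked_copy(payload)
    fixed.bounded_copy(payload)
    print('offset of saved return address:', offset)
    print('unchecked copy -> return address: 0x%08x' % hit.return_address())
    print('bounded copy   -> return address: 0x%08x' % fixed.return_address())
```

With the unchecked copy the saved return address becomes 0xDEADBEEF, the attacker-chosen value; with the bounded copy it stays at the original value, which is exactly the difference between strcpy() and a length-checked copy on the previous slide.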

Page 196: Certified Ethical Hacking - Book Summary

Buffer Overflow - CEH

- Countermeasures to Buffer Overflow

• Manual code review

• Compiler techniques (for example stack canaries / stack protectors)

• Use libraries designed for secure development (bounded copy functions)

• Disable execution on the stack (non-executable stack, NX / DEP)

• Use randomised stack addresses (ASLR)

• Implement run-time checks

Page 197: Certified Ethical Hacking - Book Summary

Buffer Overflow - CEH

Questions?

Page 198: Certified Ethical Hacking - Book Summary

Cryptography - CEH

- What is Encryption?

• Encryption is the conversion of data into an encrypted form that cannot be read without the key

• Encryption can be used to protect:

a. E-mail messages

b. Credit card information

c. Sensitive data

d. etc.

• Objectives of cryptography

a. Confidentiality

b. Integrity

c. Non-repudiation

d. Authenticity

Page 199: Certified Ethical Hacking - Book Summary

Cryptography - CEH

- Types of Encryption

• Symmetric cryptography

Symmetric encryption uses the same key to encrypt and to decrypt the data (secret-key, shared-key, private-key)

• Asymmetric encryption

Asymmetric encryption uses different keys for encryption and decryption. These keys are identified as the public key and the private key (public-key cryptography)

• Hash functions

A hash function uses no key and does not encrypt or decrypt: it produces a fixed-size digest of the input

Page 200: Certified Ethical Hacking - Book Summary

Cryptography - CEH

- Encryption Algorithms

• Encryption algorithms are used to encrypt and decrypt data

• Classical algorithms

a. Substitution ciphers

Bits, characters or blocks of characters are replaced with different bits, characters or blocks

b. Transposition ciphers

The letters of the plaintext are moved a certain number of positions (rearranged) to create the ciphertext

• Modern algorithms

a. Classified by the type of keys used

Private key: the same key encrypts and decrypts

Public key: two different keys, one to encrypt and one to decrypt

b. Classified by the type of input

• Block cipher: encrypts data in blocks of a fixed length

• Stream cipher: encrypts a continuous stream of data

Page 201: Certified Ethical Hacking - Book Summary

Cryptography - CEH

- Symmetric encryption

• Same key to encrypt and decrypt

• ECB / CBC and other modes of operation

• The key is difficult to distribute

• From DES to AES

a. NIST competition 1997-2001

b. The winning algorithm was originally called Rijndael

Page 202: Certified Ethical Hacking - Book Summary

Cryptography - CEH

- Asymmetric encryption

• ECDSA (signatures): based on elliptic curves

• RSA: based on the difficulty of factoring the product of two large prime numbers

• Two keys, public and private

a. What is encrypted with the private key is decrypted with the public key (digital signature)

b. What is encrypted with the public key is decrypted with the private key (confidentiality)

Page 203: Certified Ethical Hacking - Book Summary

Cryptography - CEH

- Hash

• From a text, a fixed-size "number" that is practically unique and cannot be reversed

• The limit of hashes: collisions

• Hash algorithms:

a. MD5

b. SHA-1 (both MD5 and SHA-1 are no longer collision resistant and should not be used for signatures)

c. Etc.

Page 204: Certified Ethical Hacking - Book Summary

Cryptography - CEH

- Symmetric + Asymmetric + Hash

• Certificates

• Digital signatures

• Authentication (strong authentication)

- Uses:

• GSM

• SSL

• Etc.

Page 205: Certified Ethical Hacking - Book Summary

Cryptography - CEH

Questions?

Page 206: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- Penetration Test

• A pentest simulates the methods used by intruders to gain unauthorised access to an organisation's network and resources, for the purpose of compromising data and information

• When carrying out security tests, the tester is limited by the available resources, such as time, expertise and access to equipment, as specified in the authorisation / indemnity document

• Many attacks follow a common approach to violating the security of a system

Page 207: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- Security Assessments

• Every organisation uses different types of security assessment to validate the security level of the resources within its network

• Categories of security assessment:

a. Security audit

b. Vulnerability assessment

c. Penetration testing

• Each type of security assessment requires a different skill level from those who carry out the tests

Page 208: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- Vulnerability Assessment

• Network Scanning

• Scanning tools

• Security Errors

• Test systems and network

Page 209: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- Limitations of Vulnerability Assessment

• The scanning programs used to identify vulnerabilities are limited to a snapshot at a given point in time

• They need to be updated when new vulnerabilities or new features appear

• This affects the result of the assessment

• The methodologies used by the various software products, and the options chosen, may give different results in the tests

Page 210: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- Penetration Testing

• A pentest not carried out in a professional manner can cause serious disruption to normal service delivery

• A pentest verifies the security model of the company as a whole

• It detects potential threats that would be exploited in a real attack

• Testers differ from attackers only in the purpose of their actions (and in being authorised)

Page 211: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- What should be tested?

• Communication errors, abuse of e-commerce, loss of credentials, etc.

• Publicly exposed systems: websites, mail servers, platforms, remote access (RDP, VPN, etc.)

• Mail, DNS, firewalls, passwords, FTP, IIS and web servers

Page 212: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- What makes a pentest reliable?

• Define a precise scope for the pentest: objectives, limitations, justification of the procedures used

• Rely on experienced and competent professionals to perform the tests

• Choose a suitable set of tests that balances costs and benefits

• Follow planned and well-documented methodologies

• Document the results completely and exhaustively, but above all in a way the end customer can clearly understand

• Clearly highlight in the final report the potential risks and the solutions for the vulnerabilities found

Page 213: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- Types of Penetration Testing (1/2)

• External

a. External pentests gather their information by analysing everything that is publicly visible about the target (e.g. mail server, web server, firewall, router, etc.)

b. It is the traditional approach to penetration testing

c. The tests focus only on the servers, the infrastructure and the underlying software of the target

d. The tests may be carried out:

• without any prior information about the target (black box)

• with comprehensive information about the type of environment that will be tested (grey / white box)

Page 214: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- Types of Penetration Testing (2/2)

• Internal

a. The tests are carried out from every possible point of access

b. Within an organisation, test access from external locations, branch offices, the DMZ, etc.

c. The tests basically follow the methods used for external testing, but add an inside point of view that covers the infrastructure much more comprehensively

Page 215: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- Black-box Penetration Testing

• No knowledge of the infrastructure to be tested

• Usually only the name of the company is given

• The tests faithfully simulate a real attack

• A considerable amount of time is spent on information gathering and on understanding the infrastructure to be tested

• It is an expensive and time-consuming kind of test

Page 216: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- Gray-box Penetration Testing

• Limited knowledge of the infrastructure to be tested

• Performs an internal security assessment and testing

• Focused on the security of the applications, covering all the possible vulnerabilities that an attacker could exploit

• It is mostly carried out when, starting from black-box testing, a deeper understanding of a well-protected system is needed to investigate further possible vulnerabilities

Page 217: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- White-box Penetration Testing

• Complete knowledge of the infrastructure to be tested

• The tests simulate the actions that could be carried out by the company's own employees

• The preliminary information provided:

a. The company's infrastructure

b. The type of network

c. The security measures adopted

d. Firewalls, network addressing, IDS, etc.

e. The company policy on what may and may not be done

Page 218: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- Stages of a Penetration Testing (1/3)

• Pre-attack phase

a. This phase defines how the test will be conducted and the objectives to be achieved

b. Gathering information about the target is considered essential in this initial phase

c. An attack plan to follow is formulated

d. Reconnaissance can be of two types:

Passive reconnaissance: collect information about the target from public sources

Active reconnaissance: collect information through posts on social networks, social engineering, visited web sites, interviews, questionnaires, etc.

Page 219: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- Stages of a Penetration Testing (2/3)

• Attack phase

a. Penetrate the perimeter to gain unauthorised access to the network

b. Acquire the various targets

c. Compromise systems, access the data they manage, run exploits, etc.

d. Escalate privileges

Page 220: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

- Stages of a Penetration Testing (3/3)

• Post-attack phase

a. It is the most critical part of the whole process

b. It consists of "cleaning up" the traces of the tester's actions, in order to return the systems to their pre-test state

c. The actions include:

• Removal of the files copied onto the systems

• Cleaning up log or registry entries created by the test and removing any vulnerabilities introduced

• Removal of exploits or of any programs used

• Disabling any shares or unauthorised connections created

• Analysis of the findings and their presentation to the customer

Page 221: Certified Ethical Hacking - Book Summary

Pen Testing - CEH

Questions?

Page 222: Certified Ethical Hacking - Book Summary

Thank you

Take the basic course on "Penetration test".

https://www.udemy.com/basic-professional-penetration-tests/?couponCode=HACKING%408

Hacking Basic Professional Penetration Test

Designed for those who want to perform penetration testing and web security testing: a good way to become a Certified Ethical Hacker!

Price lowered to $8