INTRO TO ETHICAL HACKING
MIS 5211.001 Week 5
Site: http://community.mis.temple.edu/mis5211sec001f14/
Conference Opportunity: ISSA – Delaware Valley
Friday September 26th
Topics:
• Security Vulnerabilities in Automobiles
• Vendor Management
• Using Risk Strategically
• Human Side of Data Protection
• Big Data Behavioral
Register: http://www.issa-dv.org/meetings/registration.php
Agenda: http://www.issa-dv.org/meetings/agendas/Agenda_ISSA-DV_2014-09-26.pdf
Tonight's Plan
• Questions from last week
• In the news
• Nmap
  • Fundamentals
  • Scan and Scan Options
  • ZenMap
Questions
• CVE – Common Vulnerabilities and Exposures: http://cve.mitre.org/
• Database of known vulnerabilities
• Basically, this is the list that the vulnerability scanner industry writes against
In The News
Submitted:
• http://www.infosecurity-magazine.com/news/android-flaw-spells-privacy/
  Accepting flaws?
• http://www.welivesecurity.com/2014/08/28/google-dorks/
  External DNS information?
• https://www.blackhat.com/html/webcast/10092014-cyberspace-as-battlespace.html
• http://www.bbc.com/news/technology-29279213
  XSS Vulnerability. Other tools for enumeration?
• http://thehackernews.com/2014/09/yahoo-quickly-fixes-sql-injection_19.html
  Building out VPN?
In The News
• http://www.businessweek.com/articles/2014-09-18/home-depot-hacked-wide-open
• http://www.citon.com/7-notable-cyber-attacks-of-last-7-years/
• http://thehackerspost.com/2014/09/massachusetts-institute-technologymit-hacked-sahoo.html
• http://www.myfoxdc.com/story/26610194/tech-company-finds-mysterious-fake-cell-towers-in-dc-area
In The News
What I noted:
• http://motherboard.vice.com/read/a-deep-web-service-will-leak-your-documents-if-the-government-murders-you
• http://threatpost.com/researcher-discloses-wi-fi-thermostat-vulnerabilities/108434
• https://blog.lookout.com/blog/2013/09/23/why-i-hacked-apples-touchid-and-still-think-it-is-awesome/
• http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
First, A Little Refresher
Recall the two principal packet types:
• TCP (Transmission Control Protocol)
  • Connection oriented
  • Reliable
  • Sequenced
• UDP (User Datagram Protocol)
  • Connectionless
  • Best effort (left to the higher-level application to detect loss and request retransmission if needed)
  • Independent (un-sequenced)
TCP Protocol
• The number of flags has grown over the years, adding flags to the left as new ones are approved
• With nine flags, there are 512 unique combinations of 1s and 0s
• Add the three reserved bits and the number grows to 4096
TCP Control Bits
• Control bits are also called “Control Flags”
• Defined by RFCs 793, 3168, and 3540
• Currently 9 bits or flags are defined
• See: http://en.wikipedia.org/wiki/Transmission_Control_Protocol
Three Way Handshake
• Every “legal” TCP connection begins with a three way handshake.
• Sequence numbers are exchanged with the Syn, Syn-Ack, and Ack packets.
Diagram: Syn → Syn-Ack → Ack → Connection
How This Applies to Scanning
• Per the RFC (793), a TCP listener on a port will respond with an Ack, regardless of the payload
• The listener responds with a Syn-Ack
• Therefore, if you get a Syn-Ack, something that speaks TCP was listening on that port
Behaviors
• Port Open: Syn → Syn-Ack
• Port Closed or Blocked by Firewall: Syn → RST-Ack
Behaviors 2
• Port Inaccessible (Likely Blocked by Firewall): Syn → ICMP Port Unreachable
• Port Inaccessible (Likely Blocked by Firewall): Syn → no reply shown
Note: Nmap will mark both as “filtered”
UDP Protocol
As you can see, UDP is a lot simpler:
• No sequence numbers
• No flags or control bits
• No “connection”
As a result:
• Slower to scan
• Less reliable scanning
Behaviors
• Port Open: UDP → UDP (reply)
• Port Closed or Blocked by Firewall: UDP → ICMP Port Unreachable
Behaviors 2
Port Inaccessible: UDP → no reply shown
Could be:
• Closed
• Blocked going in
• Blocked coming out
• Service not responding (looking for a particular payload)
• Packet simply dropped due to collision
On to Nmap the Tool
• Written and maintained by Fyodor: http://nmap.org/
• Note: Lots of good info on the site, but the tutorial is a bit out of date.
• The latest info was put in a book and is sold on Amazon: http://www.amazon.com/Nmap-Network-Scanning-Official-Discovery/dp/0979958717/ref=sr_1_1?ie=UTF8&qid=1411443925&sr=8-1&keywords=nmap
Nmap Location On Kali
A Suitable Target
• Metasploitable – Deliberately vulnerable version of Linux developed for training on Metasploit
• We’ll use it here since there will be worthwhile things to find with nmap.
• http://sourceforge.net/projects/virtualhacking/files/os/metasploitable/metasploitable-linux-2.0.0/download
• UserID: msfadmin  Password: msfadmin
Heads Up
• After downloading the zip file, extract it to a convenient location. VMWare should have created a folder in “My Documents” called “Virtual Machines”.
• Let Kali get started first.
• Then select “Open a Virtual Machine”, navigate to the folder for Metasploitable, and launch.
• You get a prompt asking if you moved or copied the VM; select “Moved”.
• Once started, log in and issue the command ifconfig to get your IP address, and you're done.
Back to Nmap
Let's try something simple:
nmap 192.168.233.135
What This Tells Us
There are a number of interesting ports here:
• ftp
• ssh
• telnet
• smtp (Mail)
• domain (DNS)
• http (Web Server)
Keep in mind, ports are “commonly associated” with these services, but not guaranteed.
http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
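The caveat on this slide (a port number only suggests a service) is easiest to check by reading Nmap's own output rather than trusting the service column. The Python below is an added example, not part of the slides or of Nmap: it parses Nmap's XML (-oX) format and, for every open port, reports whether the service name came from Nmap's port-number table (`method="table"`) or from version detection actually talking to the service (`method="probed"`), and whether a probed name disagrees with the well-known assignment for that port. The XML document and the small well-known-port excerpt are constructed for the example; 192.0.2.10 is a documentation address.

```python
"""Parse Nmap XML (-oX) output and flag open ports whose service name is only a
port-number guess or disagrees with the well-known assignment.
Added example; the XML below is constructed in Nmap's -sV output format and is
not real scan data."""
import xml.etree.ElementTree as ET

# Constructed sample in Nmap's -oX format (192.0.2.10 is a documentation address).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.10">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
  <service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" method="probed" conf="10"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
  <service name="http" product="Apache httpd" method="probed" conf="10"/></port>
<port protocol="tcp" portid="25"><state state="filtered" reason="no-response"/>
  <service name="smtp" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
  <service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="8443"><state state="open" reason="syn-ack"/>
  <service name="ssh" product="OpenSSH" method="probed" conf="10"/></port>
</ports></host></nmaprun>"""

# Small excerpt of the IANA well-known assignments the slide links to.
WELL_KNOWN = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "domain",
              80: "http", 443: "https"}


def parse_nmap_xml(text):
    """Return one dict per <port> element, across every host in the run."""
    records = []
    root = ET.fromstring(text)
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")   # absent when Nmap has no name at all
            records.append({
                "addr": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": service.get("name") if service is not None else None,
                "method": service.get("method") if service is not None else None,
                "product": service.get("product") if service is not None else None,
            })
    return records


def open_ports(records):
    return [r for r in records if r["state"] == "open"]


def review(records):
    """Map each open port to a note on how much to trust its service name.

    Nmap writes method="table" when the name came from its port-number table
    and method="probed" when version detection confirmed it."""
    notes = {}
    for r in open_ports(records):
        expected = WELL_KNOWN.get(r["port"])
        if r["method"] != "probed":
            notes[r["port"]] = "guessed from port number only; run -sV to verify"
        elif expected is None:
            notes[r["port"]] = "%s on a non-standard port" % r["service"]
        elif expected != r["service"]:
            notes[r["port"]] = "expected %s by port number, detected %s" % (expected, r["service"])
    return notes


if __name__ == "__main__":
    recs = parse_nmap_xml(SAMPLE_XML)
    for r in open_ports(recs):
        print(r["addr"], r["proto"], r["port"], r["service"], r["method"])
    for port, note in sorted(review(recs).items()):
        print("port %d: %s" % (port, note))
```

Feed it real output with `nmap -sV -oX scan.xml <target>` and `parse_nmap_xml(open("scan.xml").read())`; anything the review flags is a port whose service label still needs confirming by hand.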
Points to Remember
• -n – Don’t resolve host names
• -nn – Don’t resolve host names OR port names
• -v – Verbose, tell me more
• -vv – Really verbose, tell me lots more
• -iL – Input from list, get host list from a text file
• --exclude – Don’t scan a particular host
• --excludefile – Don’t scan hosts from a text file
Remember – “man nmap”
--packet-trace
• Nmap prints a summary of every packet sent or received
• May want to limit ports, “-p1-1024” or less
• There are also --version-trace and --script-trace
Basic Scan Types
• -sT – TCP connect() scanning. If connect succeeds, port is open
Basic Scan Types
• -sS – SYN stealth scan. If SYN-ACK is received, port is open
FIN Scan
• -sF – Like SYN scan, less likely to be flagged
• Closed port responds with RST, open port drops
• Works on RFC 793 compliant systems
• Windows is not compliant, which could differentiate a Windows system
Other Options
• -sN – Null scan, similar to FIN
• -sX – Xmas tree scan, sets FIN, PSH, and URG
• -sM – Maimon scan, sets FIN and ACK
All work by looking for the absence of a RST
Roll Your Own
--scanflags Example:
nmap --scanflags SYNPSHACK -p 80 19
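The TCP Control Bits slide and this --scanflags slide are two views of the same 16-bit header word, so one added example covers both. The Python below is not from the slides or from Nmap: it decodes the data offset, the three reserved bits and the nine flags (RFC 793, 3168, 3540) from a raw header, builds a minimal header for testing, and turns an `--scanflags`-style argument into a flag value. Nmap's documented syntax is a number or the six RFC 793 names mashed together in any order; accepting ECE, CWR and NS by name, and rejecting unmatched text (Nmap itself just looks for substrings), are this example's own choices.

```python
"""Decode the TCP control bits from a header and build them from Nmap-style
--scanflags names. Added example; header bytes are constructed in build_header."""
import struct

# Bit of each flag inside the 16-bit data-offset/reserved/flags word. Left to
# right in the header: 4 data-offset bits, 3 reserved bits, NS (RFC 3540),
# CWR and ECE (RFC 3168), then the six original RFC 793 flags.
FLAG_BITS = {
    "NS": 1 << 8, "CWR": 1 << 7, "ECE": 1 << 6, "URG": 1 << 5, "ACK": 1 << 4,
    "PSH": 1 << 3, "RST": 1 << 2, "SYN": 1 << 1, "FIN": 1 << 0,
}
FLAG_MASK = 0x01FF      # nine flag bits: 2**9 = 512 combinations
RESERVED_MASK = 0x0E00  # three reserved bits: 2**12 = 4096 with the flags
# Names this parser accepts. Nmap documents URG/ACK/PSH/RST/SYN/FIN; the
# remaining three are this example's addition (assumption).
SCANFLAG_NAMES = ("URG", "ACK", "PSH", "RST", "SYN", "FIN", "ECE", "CWR", "NS")


def flag_names(value):
    """Names of the flags set in value, in header order (leftmost first)."""
    return [name for name, bit in FLAG_BITS.items() if value & bit]


def decode_word(word):
    """Split the 16-bit word into (data offset in 32-bit words, reserved bits, flag names)."""
    return (word >> 12, (word & RESERVED_MASK) >> 9, flag_names(word & FLAG_MASK))


def flags_from_header(header):
    """Flag names set in a raw TCP header (the fixed 20 bytes are required)."""
    if len(header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    word = struct.unpack("!H", header[12:14])[0]
    return decode_word(word)[2]


def parse_scanflags(arg):
    """Turn an --scanflags argument into a flag value.

    Accepts a number (decimal or 0x hex) or names mashed together in any
    order, case-insensitively ("SYNPSHACK"). Leftover text that matches no
    name raises ValueError instead of being silently ignored."""
    text = arg.strip().upper()
    if text.startswith("0X"):
        return int(text, 16) & (FLAG_MASK | RESERVED_MASK)
    if text.isdigit():
        return int(text) & (FLAG_MASK | RESERVED_MASK)
    value, pos = 0, 0
    while pos < len(text):
        for name in SCANFLAG_NAMES:
            if text.startswith(name, pos):
                value |= FLAG_BITS[name]
                pos += len(name)
                break
        else:
            raise ValueError("unknown flag name at %r" % text[pos:])
    return value


def build_header(src_port, dst_port, flags, seq=0, ack=0, window=1024):
    """Construct a minimal 20-byte TCP header (no options, zero checksum)."""
    word = (5 << 12) | (flags & (FLAG_MASK | RESERVED_MASK))
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, word, window, 0, 0)


if __name__ == "__main__":
    value = parse_scanflags("SYNPSHACK")             # the slide's example argument
    print(value, flag_names(value))
    hdr = build_header(40000, 80, FLAG_BITS["SYN"] | FLAG_BITS["ACK"])
    print(hdr.hex(), flags_from_header(hdr))
```

`flags_from_header` is the piece to reuse when reading a capture: point it at the 20 bytes after the IP header and it returns the same names `--packet-trace` prints, which is the quickest way to confirm what a custom flag combination actually put on the wire.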
UDP Scans
• -sU – 0 byte UDP packet
• Port unreachable – port is closed
• No response – port assumed open
• Very time consuming: 20 ports took 5.46 seconds, -sT scan only took 0.15
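The TCP and UDP Behaviors slides and the scan-type slides (-sS, -sF, -sN, -sX, -sM, -sU) all reduce to one question: what does the target's stack send back, and what does the scanner conclude from it? The Python below is an added example, not from the slides or from Nmap, that models both sides. The `Host` class answers probes the way the slides describe (RFC 793 resets anything sent to a closed port, an open port drops FIN/NULL/Xmas, Windows resets those probes regardless, a firewall either silently drops or sends an ICMP unreachable, a UDP service only answers a payload it recognises), and `classify` maps each answer to the state Nmap reports. Two details go beyond the slides' wording: Nmap labels a silent UDP port `open|filtered` rather than plain open, and the `bsd` stack option reflects Nmap's description of the Maimon scan, where BSD-derived systems drop a FIN/ACK to an open port instead of resetting it. The hosts, ports and payload are constructed; nothing touches the network.

```python
"""Simulate the probe/response rules behind Nmap's TCP and UDP scan types and
the port state the scanner reports for each answer. Added example: the hosts
below are constructed models, and nothing is sent on the network."""

# TCP flags each scan type sets in its probe; a -sU probe is a UDP datagram.
SCAN_PROBES = {
    "-sS": frozenset({"SYN"}),
    "-sF": frozenset({"FIN"}),
    "-sN": frozenset(),
    "-sX": frozenset({"FIN", "PSH", "URG"}),
    "-sM": frozenset({"FIN", "ACK"}),
}

PORT_UNREACHABLE = 3    # ICMP type 3 code 3: nothing bound to the UDP port
ADMIN_PROHIBITED = 13   # ICMP type 3 code 13: a firewall "reject" rule


class Host:
    """Constructed target. ports maps (proto, port) to 'open', 'closed',
    'drop' (firewall silently discards) or 'reject' (firewall answers ICMP
    admin-prohibited); unlisted ports are closed. udp_payloads maps a UDP
    port to the only payload its service answers. stack picks the TCP
    edge-case behaviour: 'rfc793', 'bsd' or 'windows'."""

    def __init__(self, stack, ports, udp_payloads=None):
        if stack not in ("rfc793", "bsd", "windows"):
            raise ValueError("unknown stack model: %s" % stack)
        self.stack = stack
        self.ports = ports
        self.udp_payloads = udp_payloads or {}

    def tcp_response(self, port, flags):
        state = self.ports.get(("tcp", port), "closed")
        if state == "drop":
            return None
        if state == "reject":
            return ("icmp", ADMIN_PROHIBITED)
        if state == "closed":
            return "RST"         # RFC 793: a CLOSED port answers any non-RST segment with RST
        if "SYN" in flags and "ACK" not in flags:
            return "SYN-ACK"     # LISTEN + SYN: second step of the handshake
        if self.stack == "windows":
            return "RST"         # Windows resets odd probes whether the port is open or not
        if "ACK" in flags:
            # RFC 793 says LISTEN resets a stray ACK; BSD-derived stacks drop it instead
            return None if self.stack == "bsd" else "RST"
        return None              # FIN/NULL/Xmas on an open port: silently dropped

    def udp_response(self, port, payload=b""):
        state = self.ports.get(("udp", port), "closed")
        if state == "drop":
            return None
        if state == "reject":
            return ("icmp", ADMIN_PROHIBITED)
        if state == "closed":
            return ("icmp", PORT_UNREACHABLE)
        if self.udp_payloads.get(port) == payload:
            return "UDP-REPLY"
        return None              # open, but the service ignores a payload it does not understand


def classify(scan, response):
    """Port state Nmap reports for a probe's answer."""
    if isinstance(response, tuple):          # some ICMP unreachable message
        if scan == "-sU":
            return "closed" if response[1] == PORT_UNREACHABLE else "filtered"
        return "filtered"                    # TCP scans: any unreachable means filtered
    if scan == "-sS":
        return {"SYN-ACK": "open", "RST": "closed", None: "filtered"}[response]
    if scan == "-sU":
        return {"UDP-REPLY": "open", None: "open|filtered"}[response]
    # FIN, NULL, Xmas and Maimon only learn something from the absence of a RST.
    return "closed" if response == "RST" else "open|filtered"


def scan_host(host, scan, ports, payload=b""):
    """Run one scan type against a list of ports and return {port: state}."""
    results = {}
    for port in ports:
        if scan == "-sU":
            answer = host.udp_response(port, payload)
        else:
            answer = host.tcp_response(port, SCAN_PROBES[scan])
        results[port] = classify(scan, answer)
    return results


# Constructed hosts: a Linux-like box behind a firewall, and a Windows box.
LINUX = Host("rfc793", {("tcp", 22): "open", ("tcp", 23): "closed",
                        ("tcp", 80): "drop", ("tcp", 443): "reject",
                        ("udp", 53): "open", ("udp", 161): "open"},
             udp_payloads={53: b"dns-query"})
WINDOWS = Host("windows", {("tcp", 22): "open", ("tcp", 23): "closed"})

if __name__ == "__main__":
    for scan in ("-sS", "-sF", "-sM"):
        print(scan, "linux  ", scan_host(LINUX, scan, [22, 23, 80, 443]))
        print(scan, "windows", scan_host(WINDOWS, scan, [22, 23]))
    print("-sU linux", scan_host(LINUX, "-sU", [53, 161, 500]))
```

Running it shows why the slides pair each scan type with a caveat: the FIN scan reports every Windows port closed, the Maimon scan says the same on a strict RFC 793 stack, and a UDP scan cannot tell an open port from a silently dropped probe until a payload the service understands is sent.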
Protocol Scan
• -sO – Looks for IP protocols supported
• Sends raw IP packets without additional header information
• Takes time
Version Detection
-sV – Attempts to determine version of services running
More on Version
-A – Looks for version of OS as well
Still More on Version Scan
• -O – Fingerprint the operating system
• -A = -sV + -O
Nmap Scripting Engine
• Also known as NSE
• Written in “Lua”
• Activated with “-sC” or “--script”
Categories: Safe, Intrusive, Malware, Version, Discovery, Vulnerability
Script Location
• In Kali, nmap scripts are located in: /usr/share/nmap/scripts
• Can view using either “cat” or gedit
Script Example
• SSL-Heartbleed. Try: nmap -p 443 --script ssl-heartbleed {target}
• In this case, 443 is not even open
Zenmap
Graphical user interface for nmap
Why did we just spend that time on the command line?
• Better control
• Better understanding
Zenmap Location
Zenmap Scan
Still Really a Command Line
• Look at the arrow
• You can add to the command line
• Remember that SSL-heartbleed script
With a few Extras
And More
Zenmap Reference
https://www.linux.com/learn/tutorials/381794-audit-your-network-with-zenmap?format=pdf
Due for Next Week
• Readings and articles as usual
• Class will be by Webex; I will set up and mail info to all by Sunday
Questions
?