Phase 1: Passive and Active Reconnaissance

In addition to the active and passive categories, attacks are categorized as either inside attacks or outside attacks. Figure 1.2 shows the relationship between passive and active attacks, and inside and outside attacks. An attack originating from within the security perimeter of an organization is an inside attack and usually is caused by an “insider” who gains access to more resources than expected. An outside attack originates from a source outside the security perimeter, such as the Internet or a remote access connection.

Security, Functionality, and Ease of Use Triangle

Many ethical hackers acting in the role of security professionals use their skills to perform security evaluations or penetration tests. These tests and evaluations have three phases, generally ordered as follows:

FIGURE 1.4 Security audit steps

2. Review the report and determine valuable keywords, links, or other information.

To use the SpyFu online tool to gather competitive intelligence information:

To use the KeywordSpy online tool to gather competitive intelligence information:

FIGURE 2.4 ARIN output for www.yahoo.com

The ARIN database can be queried using a Whois tool, such as the one located at www.arin.net. Figure 2.4 shows an ARIN Whois search for www.yahoo.com. Notice that addresses, emails, and contact information are all contained in this Whois search. This information can be used by an ethical hacker to find out who is responsible for a certain IP address and which organization owns that target system, or it can be used by a malicious hacker to perform a social-engineering attack against the organization. As a security professional, you need to be aware of the information available to the public in searchable databases such as ARIN and ensure that a malicious hacker can’t use this information to launch an attack against the network.

FIGURE 2.5 Traceroute output for www.yahoo.com

Sam Spade and many other hacking tools include a version of traceroute. The Windows operating systems use the syntax tracert hostname to perform a traceroute. Figure 2.5 is an example of traceroute output for a trace of www.yahoo.com.

TABLE 3.1 Types of scanning

FIGURE 3.1 CEH scanning methodology

TABLE 3.3 Common nmap command switches

To complete the three-way handshake and make a successful connection between two hosts, the sender must send a TCP packet with the synchronize (SYN) bit set. Then, the receiving system responds with a TCP packet with the synchronize (SYN) and acknowledge (ACK) bits set to indicate the host is ready to receive data. The source system sends a final packet with the ACK bit set to indicate the connection is complete and data is ready to be sent.

Open a web browser to the Netcraft website, www.netcraft.com.

Use Netcraft to Identify the OS of a Web Server

TABLE 4.1 Offline attacks

A dictionary attack is the simplest and quickest type of attack. It’s used to identify a password that is an actual word, which can be found in a dictionary. Most commonly, the attack uses a dictionary file of possible words, which is hashed using the same algorithm used by the authentication process. Then, the hashed dictionary words are compared with hashed passwords as the user logs on, or with passwords stored in a file on the server. The dictionary attack works only if the password is an actual dictionary word; therefore, this type of attack has some limitations. It can’t be used against strong passwords containing numbers or other symbols.

FIGURE 4.1 SMBRelay MITM attack

SMB relay countermeasures include configuring Windows 2000 to use SMB signing, which causes it to cryptographically sign each block of SMB communications.

TABLE 5.1 Common Trojan programs

A backdoor is a program or a set of related programs that a hacker installs on a target system to allow access to the system at a later time. A backdoor can be embedded in a malicious Trojan.
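The dictionary attack passage above describes hashing a word list with the authentication system's own algorithm and comparing the results against stored hashes. The following example, written for this page and not taken from the book, shows that comparison as a password-store audit a defender would run, and then shows the two properties of a store that limit it: a password containing digits and symbols is never in the word list, and per-account salts remove the shared lookup table so every word must be re-hashed for every account. The word list, the account names, the passwords and the choice of SHA-1 are all constructed for the demonstration.

```python
import hashlib
import os

# Constructed sample data for this demonstration (not from the book): a tiny
# word list and two password stores holding the same three passwords.
WORDLIST = ["password", "letmein", "dragon", "monkey", "sunshine"]


def sha1_hex(data: str) -> str:
    """Unsalted SHA-1, standing in for whatever the authentication process uses."""
    return hashlib.sha1(data.encode()).hexdigest()


# Store 1: unsalted hashes. Two accounts chose a dictionary word, one did not.
STORE_UNSALTED = {
    "alice": sha1_hex("sunshine"),
    "bob": sha1_hex("Tr0ub4dor&3"),   # digits and symbols: not in any word list
    "carol": sha1_hex("sunshine"),
}


def audit_unsalted(store: dict, wordlist: list) -> dict:
    """Hash the word list once and look every stored hash up in that table.
    Returns {user: word} for each account whose password was a list word."""
    table = {sha1_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in store.items() if h in table}


def duplicate_hashes(store: dict) -> bool:
    """An unsalted store also reveals which accounts share a password,
    before a single word has been tried."""
    values = list(store.values())
    return len(values) != len(set(values))


def salted_hex(salt: bytes, password: str) -> str:
    """Salted variant: the salt is random per account and stored beside the hash."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


# Store 2: the same passwords, but each account has its own random salt.
SALTS = {user: os.urandom(8) for user in ("alice", "bob", "carol")}
STORE_SALTED = {
    "alice": (SALTS["alice"], salted_hex(SALTS["alice"], "sunshine")),
    "bob": (SALTS["bob"], salted_hex(SALTS["bob"], "Tr0ub4dor&3")),
    "carol": (SALTS["carol"], salted_hex(SALTS["carol"], "sunshine")),
}


def audit_salted(store: dict, wordlist: list) -> tuple:
    """With per-account salts there is no shared table: every word must be
    re-hashed for every account. Returns (found, number_of_hash_operations)."""
    found, hash_ops = {}, 0
    for user, (salt, stored) in store.items():
        for word in wordlist:
            hash_ops += 1
            if salted_hex(salt, word) == stored:
                found[user] = word
                break
    return found, hash_ops


if __name__ == "__main__":
    print("unsalted store:", audit_unsalted(STORE_UNSALTED, WORDLIST))
    print("shared passwords visible:", duplicate_hashes(STORE_UNSALTED))
    found, ops = audit_salted(STORE_SALTED, WORDLIST)
    print("salted store:", found, "after", ops, "hash operations")
```

Against the unsalted store the five-word table is built once and answers all three accounts; against the salted store the work grows with the number of accounts, and alice's and carol's identical passwords no longer produce identical hashes. bob's password is not found in either case, which is the limitation the passage states.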
The objective of installing a backdoor on a system is to give hackers access into the system at a time of their choosing. The key is that the hacker knows how to get into the backdoor undetected and is able to use it to hack the system further and look for important information.

Netcat needs to run on both a client and the server. The server side of the connection is enabled by the -l attribute and is used to create a listener port. For example, use the following command to enable the Netcat listener on the server:

Download a version of Netcat for your system. There are many versions of Netcat for all Windows OSs. Also, Netcat was originally developed for the Unix system and is available in many Linux distributions, including BackTrack.

FIGURE 5.1 Norton Internet Security

6. In the sigverif program, choose Advanced to see the signature verification report.

Type sigverif, and click Start.

System File Checker is another command line-based tool used to check whether a Trojan program has replaced files. If System File Checker detects that a file has been overwritten, it retrieves a known good file from the Windows\system32\dllcache folder and overwrites the unverified file. The command to run the System File Checker is sfc /scannow.

TABLE 5.1 Common Virus Hoaxes

Virus hoaxes are emails sent to users usually with a warning about a virus attack. The virus hoax emails usually make outlandish claims about the damage that will be caused by a virus and then offer to download a remediation patch from well-known companies such as Microsoft or Norton. Other hoaxes recommend users delete certain critical system files in order to remove the virus. Of course, should a user follow these recommendations, they will most certainly have negative consequences. Some of the most common virus hoaxes are shown in Table 5.1:

The address system ensures accurate delivery to the receiver.
In normal network operations, a host should not receive data intended for another host, as the data packet should only be received by the intended receiver. Simply said, the data should only be received by the station with the correct IP and MAC address. However, we know that sniffers do receive data not intended for them.

containing source and destination MAC addresses. IP addresses are used to route traffic to the appropriate IP network, and the MAC addresses ensure the data is sent to the correct host on the destination IP network. In this manner, traffic is sent from source host to destination host across the Internet and delivery to the correct host is ensured. The postal system works much the same way. Mail is routed to the appropriate area using the zip code, and then the mail is delivered within the zip code to the street and house number. The IP address is similar to the zip code to deliver mail to the regional area, and the street and house numbers are like the MAC address of that exact station on the network.

In addition to understanding network addresses, it is also important to understand the format of the TCP header. Figure 6.2 shows the TCP header format.

Create a Wireshark filter to capture only traffic to or from an IP address

Exercise 6.2 shows you how to write filters in Wireshark.

ort 80

This sets the filter to capture traffic to destination port 80 (HTTP).

FIGURE 7.1 Master and Slaves in a DDoS Attack

DDoS is done in two phases. In the intrusion phase, the hacker compromises weak systems in different networks around the world and installs DDoS tools on those compromised slave systems. In the DDoS attack phase, the slave systems are triggered to cause them to attack the primary victim. See Figure 7.2.

How BOTs/BOTNETs Work

FIGURE 7.3 Anatomy of a Distributed DoS Attack

Smurf and SYN Flood Attacks

A smurf attack sends a large amount of ICMP Echo (ping) traffic to a broadcast IP address with the spoofed source address of a victim.
Each secondary victim’s host on that IP network replies to the ICMP Echo request with an Echo reply, multiplying the traffic by the number of hosts responding. On a multiaccess broadcast network, hundreds of machines might reply to each packet. This creates a magnified DoS attack of ping replies, flooding the primary victim. IRC servers are the primary victim of smurf attacks on the Internet.

FIGURE 7.4 netstat output under a SYN flood attack

In Exercise 7.1, you will learn how to prevent SYN flood attacks on Windows 2000.

FIGURE 8.2 The stages of a web application attack

Hacking web applications is similar to hacking other systems. Hackers follow a five-step process: they scan a network, gather information, test different attack scenarios, and finally plan and launch an attack. The steps are listed in Figure 8.2.

A call stack, or stack, is used to keep track of where in the programming code the execution pointer should return after each portion of the code is executed. A stack-based buffer overflow attack (Figure 9.2) occurs when the memory assigned to each execution routine is overflowed. As a consequence of both types of buffer overflows, a program can open a shell or command prompt or stop the execution of a program. The next section describes stack-based buffer overflow attacks.

FIGURE 9.1 Stack versus heap memory buffer overflow memory attack

FIGURE 10.1 Wireless LANs in the OSI Model

The initial 802.11 standard included only rudimentary security features and was fraught with vulnerabilities. The 802.11i amendment is the latest security solution that addresses the 802.11 weaknesses. The Wi-Fi Alliance created additional security certifications known as Wi-Fi Protected Access (WPA) and WPA2 to fill the gap between the original 802.11 standard and the latest 802.11i amendment. The security vulnerabilities and security solutions discussed in this chapter are all based on these IEEE and Wi-Fi Alliance standards.
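The smurf and SYN flood passages above describe two traffic patterns a defender can recognize directly: ICMP Echo requests addressed to a broadcast address (whose source address is the spoofed victim), and a netstat listing dominated by half-open connections that completed the SYN and SYN/ACK steps of the handshake but never received the final ACK. The example below, added for this page and not taken from the book, checks for both over constructed data: the netstat lines imitate the Windows netstat -n layout rather than reproducing the Figure 7.4 screenshot, the ICMP records are invented, and the alert threshold of three half-open connections is an assumption chosen for the sample.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout of Windows "netstat -n" output; invented for
# this example, not the book's Figure 7.4.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:80            203.0.113.10:40212     SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.11:40213     SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.12:40214     SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.13:40215     SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.7:51000     ESTABLISHED
  TCP    10.0.0.5:443           198.51.100.8:51001     ESTABLISHED
  TCP    10.0.0.5:443           198.51.100.9:51002     SYN_RECEIVED
"""


def half_open_by_port(netstat_text: str) -> Counter:
    """Count connections stuck after the second handshake step (SYN_RECEIVED),
    grouped by local port. A SYN flood leaves many of these and few ESTABLISHED."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "SYN_RECEIVED":
            local_port = fields[1].rsplit(":", 1)[1]
            counts[local_port] += 1
    return counts


def syn_flood_suspects(netstat_text: str, threshold: int = 3) -> dict:
    """Local ports with at least `threshold` half-open connections.
    The threshold is an assumption for the sample; tune it to the host's normal load."""
    return {port: n for port, n in half_open_by_port(netstat_text).items() if n >= threshold}


# Constructed ICMP records, as a capture tool might summarize them.
ICMP_SAMPLE = [
    {"src": "198.51.100.20", "dst": "192.0.2.255", "type": "echo-request"},
    {"src": "192.0.2.10",    "dst": "192.0.2.20",  "type": "echo-request"},
    {"src": "192.0.2.20",    "dst": "192.0.2.10",  "type": "echo-reply"},
]


def smurf_indicators(records: list, local_net: str = "192.0.2.0/24") -> list:
    """Echo requests addressed to the local broadcast address are the smurf
    pattern; the source address carried by such a packet is the spoofed victim
    that every replying host will flood. Returns those claimed source addresses."""
    broadcast = ipaddress.ip_network(local_net).broadcast_address
    return [r["src"] for r in records
            if r["type"] == "echo-request" and ipaddress.ip_address(r["dst"]) == broadcast]


if __name__ == "__main__":
    print("half-open connections per port:", dict(half_open_by_port(NETSTAT_SAMPLE)))
    print("SYN flood suspects:", syn_flood_suspects(NETSTAT_SAMPLE))
    print("smurf victims named in broadcast pings:", smurf_indicators(ICMP_SAMPLE))
```

The netstat check is the same observation the passage makes about Figure 7.4, reduced to a count; the broadcast check is what a router that refuses to forward directed broadcasts prevents, which is why that refusal is the standard smurf countermeasure at the amplifying network.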
TABLE 10.1 802.11 comparison

TABLE 10.2 Wi-Fi security comparison

The process by which RC4 uses IVs is the real weakness of WEP: it gives a hacker the opportunity to crack the WEP key. The method, known as the Fluhrer, Mantin, and Shamir (FMS) attack, uses encrypted output bytes to determine the most probable key bytes. The ability to exploit the WEP vulnerability was incorporated into products like AirSnort, WEPCrack, and Aircrack. Although a hacker can attempt to crack WEP by brute force, the most common technique is the FMS attack.

TABLE 10.3 802.11 and WPA security solutions and weaknesses

802.11i and WPA use the same encryption and authentication mechanisms as WPA2. However, WPA2 doesn’t require vendors to implement preauthorization. Preauthorization enables fast, secure roaming, which is necessary in very mobile environments with time-sensitive applications such as wireless VoIP. Table 10.3 summarizes the authentication and encryption options for WLANs.

TABLE 12.1 Linux file system navigation

Moving around the Linux file system may take a little getting used to if you are primarily a Windows user. The commands in Table 12.1 will help you start to navigate the Linux file system.

TABLE 12.2 Linux directories

Linux networking commands are similar to the Windows networking commands. For the CEH exam, you should be familiar with the commands in Table 12.3.

TABLE 12.3 Linux networking commands

An IDS can perform either signature analysis or anomaly detection to determine if the traffic is a possible attack. Signature detection IDSs match traffic with known signatures and patterns of misuse. A signature is a pattern used to identify either a single packet or a series of packets that, when combined, execute an attack.
An IDS that employs anomaly detection looks for intrusion attempts based on a person’s normal business patterns and alerts when there is an anomaly in the behavior of access to systems, files, logins, and so on.

The location of a network-based IDS in a network architecture is depicted in Figure 13.1. A network IDS sensor can be located as a first point of detection between the firewall and the Internet or on the semi-private DMZ, detecting attacks on the organization’s servers. Finally, a network IDS can be located on the internal private network, with the corporate servers, detecting possible attacks on those servers.

TABLE 13.1 Snort variables

Here is a sample Snort configuration file using the 192.168.1.0 network as the home network:

FIGURE 13.2 Perimeter hardware firewall

A honeypot (Figure 13.3) is a decoy box residing inside your network demilitarized zone (DMZ), set up by a security professional to trap or aid in locating hackers, or to draw them away from the real target system.

Perform a port scan against the system running KFSensor to identify the services.

12. Click the IP address of a visitor to view the connections.

10. Attempt to connect to a service running on the KFSensor system.

The easiest way to bypass a firewall is to compromise a system on the trusted or internal side of the firewall. The compromised system can then connect through the firewall, from the trusted to the untrusted side, to the hacker’s system. A common method of doing this is to make the compromised system connect to the hacker with destination port 80, which looks just like a web client connecting to a web server through the firewall. This is referred to as a reverse WWW shell.
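The Snort passage above introduces signature detection and the variables of Table 13.1 (HOME_NET set to the 192.168.1.0 network) but the sample configuration file itself did not survive extraction. The following example, written for this page rather than taken from the book or from Snort, shows how those two pieces fit together: it parses a constructed configuration in Snort's var and rule layout, resolves $HOME_NET and the negated $EXTERNAL_NET, and runs the rules as signatures over three constructed packets. The rule messages, the 203.0.113.0 and 192.168.1.0 addresses and the payloads are all invented for the demonstration; the matcher supports only the header fields, msg and a single content string, and is not a Snort implementation.

```python
import ipaddress
import re

# Constructed Snort-style configuration for this example. It follows Snort's
# "var NAME value" and "action proto src sport -> dst dport (options)" layout,
# with 192.168.1.0/24 as the home network as in the passage; it is not the
# book's sample file.
SNORT_CONFIG = """\
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe access"; content:"cmd.exe";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB session from outside";)
"""

RULE_RE = re.compile(
    r'^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$')


def parse_config(text: str) -> tuple:
    """Return (variables, rules). Each rule is a dict of header fields plus an
    options dict such as {"msg": "...", "content": "..."}."""
    variables, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("var "):
            _, name, value = line.split(maxsplit=2)
            variables[name] = value
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule syntax: " + line)
        action, proto, src, sport, dst, dport, opts = m.groups()
        options = dict(re.findall(r'(\w+):"([^"]*)"', opts))
        rules.append({"action": action, "proto": proto, "src": src, "sport": sport,
                      "dst": dst, "dport": dport, "options": options})
    return variables, rules


def addr_matches(spec: str, ip: str, variables: dict) -> bool:
    """Resolve $VAR references and a leading '!' negation, then test membership.
    EXTERNAL_NET = !$HOME_NET therefore means 'any address outside HOME_NET'."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec.startswith("$"):
        hit = addr_matches(variables[spec[1:]], ip, variables)
    elif spec == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def match_packet(rules: list, variables: dict, pkt: dict) -> list:
    """Return the msg of every rule whose header and content option the packet satisfies."""
    hits = []
    for r in rules:
        if r["proto"] != pkt["proto"]:
            continue
        if not (addr_matches(r["src"], pkt["src"], variables)
                and addr_matches(r["dst"], pkt["dst"], variables)):
            continue
        if not (port_matches(r["sport"], pkt["sport"])
                and port_matches(r["dport"], pkt["dport"])):
            continue
        content = r["options"].get("content")
        if content and content.encode() not in pkt["payload"]:
            continue
        hits.append(r["options"]["msg"])
    return hits


# Constructed packets: an external web request carrying the signature string,
# the same request from an internal host (must not alert), and an external SMB session.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 40000, "dst": "192.168.1.10",
     "dport": 80, "payload": b"GET /scripts/cmd.exe HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "192.168.1.20", "sport": 40001, "dst": "192.168.1.10",
     "dport": 80, "payload": b"GET /scripts/cmd.exe HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "203.0.113.6", "sport": 40002, "dst": "192.168.1.10",
     "dport": 445, "payload": b"\xffSMB"},
]


def run_sample() -> list:
    variables, rules = parse_config(SNORT_CONFIG)
    return [match_packet(rules, variables, p) for p in PACKETS]


if __name__ == "__main__":
    for pkt, alerts in zip(PACKETS, run_sample()):
        print(pkt["src"], "->", pkt["dst"], pkt["dport"], alerts)
```

The second packet carries the same content string as the first but comes from inside HOME_NET, so the $EXTERNAL_NET source test fails and no alert fires; this is the effect of the variables, and it is also why a sensor placed inside the private network, as the passage describes, needs rules whose source specification is not limited to external addresses.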
FIGURE 14.1 Cleartext and cipher text

Vernam Cipher

In 1917, AT&T Bell Labs engineer Gilbert Vernam sought to improve the Vigenere cipher and ended up creating the Vernam cipher, or “one-time pad.” The Vernam cipher is an encryption algorithm where the plain text is combined with a random key, or “pad,” that is the same length as the message. One-time pads are the only algorithm that is provably unbreakable by brute force.

Vigenere Cipher

Sixteenth-century French cryptographer Blaise de Vigenere created a polyalphabetic cipher to overcome the shortcomings of simple substitution ciphers. The Vigenere cipher (Figure 14.5) uses a table to increase the available substitution values and make the substitution more complex. The substitution table consists of columns and rows labeled “A” to “Z.” To get cipher text, first you select the column of the plain text letter and then you select the row of the key letter. The intersection of row and column is the cipher text letter. To decode cipher text, you select the row of the key letter and find the intersection that is equal to the cipher text letter; the label of that column is the plain text letter.

Generating Public and Private Keys

A stream cipher encrypts single bits of data as a continuous stream of data bits. Stream ciphers typically execute at a higher speed than block ciphers and are suited for hardware usage. The stream cipher combines a plain text bit with a pseudorandom cipher bit stream by means of an XOR (exclusive OR) operation. The XOR process (see Figure 14.6) is to compare the plain text and key one bit at a time and, based on the XOR logic, create cipher text. If the plain text and secret key are the same bit, the result is a 0; if they are different, such as 1 and 0, then the resulting encrypted bit is a 1.

FIGURE 14.7 Certificate authority

4. Click the Details tab to see all the certificate fields. Click each field to see the values.

3. Click the Certificates button on the page’s properties sheet.
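Two passages on this page, the Vigenere table description just above and the earlier WEP section on how RC4's use of IVs is the cipher's weakness, are both made concrete by the example below, which is added for this page and is not the book's code. The Vigenere function implements the row/column lookup as arithmetic (the table entry at row K and column P is the letter (P + K) mod 26, so the table need not be stored); the stream cipher functions implement the bit-by-bit XOR the passage describes and then show the consequence of reusing a key and IV pair: XORing two ciphertexts that share a keystream cancels the keystream and exposes the XOR of the two plaintexts, which is the general reason a stream cipher's IV must never repeat. The keystream here is derived with SHA-256 in counter mode purely so the example runs with the standard library; it is an assumption for the demonstration and is not RC4 or WEP's key scheduling. The key, IV and messages are constructed.

```python
import hashlib

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Table-based Vigenere: row = key letter, column = plain text letter.
    The table entry at (row, column) is (column + row) mod 26, so the lookup
    reduces to a shift. Non-letters pass through and do not consume key letters."""
    shifts = [ALPHABET.index(c) for c in key.upper() if c.isalpha()]
    out, i = [], 0
    for ch in text.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        shift = shifts[i % len(shifts)]
        if decrypt:
            shift = -shift          # decoding walks the key row back to the column label
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        i += 1
    return "".join(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings: equal bits give 0, different bits give 1."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in pseudorandom keystream derived from key and IV (SHA-256 in
    counter mode). An assumption made for the example, not RC4 and not WEP's
    key scheduling; what matters here is that the same key and IV always
    produce the same stream."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def stream_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same operation: XOR with the keystream."""
    return xor_bytes(data, keystream(key, iv, len(data)))


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """For two messages encrypted under the same key and IV, c1 XOR c2 equals
    p1 XOR p2: the keystream cancels out. Knowing either plaintext then reveals
    the other without any knowledge of the key."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    print(vigenere("ATTACK AT DAWN", "LEMON"))
    key, iv = b"demo-key", b"\x00\x00\x01"          # constructed key and 24-bit IV
    p1, p2 = b"transfer 100 to acct 12345", b"transfer 900 to acct 99999"
    c1, c2 = stream_encrypt(key, iv, p1), stream_encrypt(key, iv, p2)
    print("keystream reused:", keystream_reuse_leak(c1, c2) == xor_bytes(p1, p2))
```

The IV in the sample is three bytes long, the size WEP uses, which is why the reuse shown here is not hypothetical for WEP: a 24-bit IV space is exhausted on a busy network, and each repeat hands an observer a pair of ciphertexts with the property keystream_reuse_leak demonstrates.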
3. Click the File menu in WinMD5 and choose Open. Select any file from your system.

Here is an example of a bad MD5 hash on a file:

Digital signatures (see Figure 14.8) are based on public key cryptography and used to verify the authenticity and integrity of a message. A digital signature is created by passing a message’s contents through a hashing algorithm. The hashed value is then encrypted with the sender’s private key. Upon receiving the message, the recipient decrypts the encrypted hash and then recalculates the expected message hash.

4. Use the sample report as a template for creating your own security auditing reports.
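The digital signature passage above lists the steps in order: hash the message, encrypt the hash with the sender's private key, and on receipt decrypt it and compare it with a freshly computed hash. The example below, added for this page and not the book's code, carries those steps through with textbook RSA on a deliberately tiny key so that every value is a plain integer. The two primes 10007 and 10009, the exponent 65537 and the sample message are constructed for the demonstration; reducing the SHA-256 digest modulo the tiny modulus is a concession to the key size, and a real signature scheme would use a 2048-bit or larger modulus with PSS or PKCS#1 v1.5 padding, neither of which is shown here.

```python
import hashlib

# Toy RSA key constructed for this example. Two small primes keep every value
# readable; real keys use moduli of 2048 bits or more plus a padding scheme.
P, Q = 10007, 10009
N = P * Q
E = 65537                                # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent (modular inverse, Python 3.8+)


def message_digest(message: bytes) -> int:
    """Step 1: hash the message. The digest is reduced modulo N only because
    the toy modulus is far smaller than a SHA-256 value."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exp: int = D) -> int:
    """Step 2: 'encrypt' the digest with the sender's private key.
    Only the holder of D can produce a value that E will map back to the digest."""
    return pow(message_digest(message), private_exp, N)


def verify(message: bytes, signature: int, public_exp: int = E) -> bool:
    """Receiver side: recover the digest with the public key, recompute the
    hash of the message as received, and accept only if the two agree.
    A changed message or a changed signature fails this comparison."""
    recovered = pow(signature, public_exp, N)
    return recovered == message_digest(message)


if __name__ == "__main__":
    msg = b"Pay 100 to Bob"                       # constructed sample message
    sig = sign(msg)
    print("digest:", message_digest(msg), "signature:", sig)
    print("genuine message verifies:", verify(msg, sig))
    print("tampered message verifies:", verify(b"Pay 900 to Bob", sig))
```

Authenticity follows from the private exponent being needed to produce the signature, integrity from the comparison against the recomputed hash; both checks are visible in verify, and the tiny modulus is also why this toy must not be mistaken for a usable signature scheme.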