Transcript of Ethical Hacking Series: 0x01 - Hacking Methodologies
Ethical Hacking Series: 0x01 - Hacking Methodologies
JaxHax Makerspace
Travis Phillips
About Me
● Member of Jax Hax since it opened.
● Specializes in Ethical Hacking, IT Security, and penetration testing.
● Formerly a programmer.
● Enjoys electronics, Linux, embedded systems, anything hackery-ish, small physical projects from time to time to keep hands-on skills honed, puzzles, Open Source everything, and lock picking.
● Easy to find. Big dude dressed in black or grey. Seek me out anytime you are here.
Intended Audience
● This is intended as an intro class as part of a series of classes.
● This is a class for people who are interested in security and require proof it's working!
● This first class covers methodologies and doesn't really go into the technical side of things just yet.
– DON'T BE AFRAID TO STOP ME TO ASK QUESTIONS!
– The only stupid question is the question never asked.
What is Ethical Hacking?
Ethical Hacking is the practice of using the same tools and techniques as hackers to evaluate the security of systems we own or have the system owner's permission to test. An ethical hacker will always obey the law and will not leverage the knowledge they gain for personal gain. This is very important, as your clients have to be able to trust you with their data, so your reputation for honesty cannot be compromised.
Why Should it Exist?
● How do you know if a defense works if it's never been attacked? (Think wargame drills)
● Best for you to think offensively a bit against your defenses.
● A great way to detect those "well we opened it up for debugging and forgot to close it after we were done."
● Attacks are on the rise. You are ALWAYS under attack, whether by an actual hacker or by an automated piece of malware.
Is There Actually a Market For This?
● *YES!!!*
● There are lots of companies that have to engage in these activities due to government or industry regulation.
● Other companies engage in penetration testing to relieve liability from the words "Negligent Network Security Practices" in a lawsuit.
● Not a bad idea to run this on your own systems, especially before traveling or moving your machine into a network you don't control (wifi networks, school LANs, etc.)
Just Ask These Guys...
… Or These Guys...
Taking into Account Side Channel Cost:
… Or These Guys...
… And Yes, Even These Guys...
So Why a Methodology?
● Uniform and consistent.
● Reproducible results.
● Easier to document findings.
● Ensures you don't skip steps, especially at the beginning, during the information gathering stages.
● Ensures things don't get overlooked.
● Information is important if you want a good, successful, surgical attack.
So what is the Methodology?
● Varies by field of technology and also by the group conducting the test.
● The approach I use is a modified version of the model from Foundstone Security.
– Used because they were one of the most published models when I started out learning hacking, and there weren't many at that time.
My Methodology
Step 1: Footprinting
Footprinting
● Footprinting is the stage of passive recon.
– SINGLE MOST IMPORTANT STEP!
– Think of it like the movies where bank robbers "case the joint" before a heist.
● This is a process for trying to learn about the target in a passive manner (that is, in a manner that doesn't draw attention or seems innocent at a glance).
Information to Footprint
● What is the size of the target?
● How large is their technological footprint?
● How strongly does the culture of the target foster security?
● IP ranges? Hosting servers in-house or via a hosting provider?
● Sister companies?
● Try to find domains and sub-domains via
Information to Footprint (cont'd)
● Download files offered by a company and look through the metadata in the file for hostnames, usernames, groups, etc.
● Contacts?
– Email naming conventions?
● Find any forums showing compromised accounts with these addresses?
– Contacts we should be aware of? IT admins, HR personnel, etc.
● Watching these people to learn about the target.
– Different departments have different priorities. Perhaps security falls lower in a few.
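The metadata point above is worth seeing concretely, from the publishing side: before a document goes on the public site, check what its properties give away. The example below is added here and is not code from the slides; it builds a constructed .docx-like package in memory (real .docx/.xlsx/.pptx files are zip archives with the same docProps parts) and lists the fields a reviewer should scrub. Field values and the SENSITIVE set are assumptions for illustration.

```python
"""Added example (not from the slides): find what document metadata leaks.

OOXML documents (.docx/.xlsx/.pptx) are zip archives that carry author,
last editor, company and application version in docProps/core.xml and
docProps/app.xml. This builds a constructed package in memory and then
extracts the fields a defender should strip before publishing. Only the
standard library is used.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the OOXML core and extended properties parts.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed sample parts; the names and values are made up for this example.
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">
  <dc:creator>jdoe</dc:creator>
  <cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>
  <dc:title>Quarterly Report</dc:title>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp</Company>
</Properties>""".format(**NS)

# Fields that tend to identify people, domains or software versions (assumed list).
SENSITIVE = {"creator", "lastModifiedBy", "Company", "Application", "AppVersion"}


def build_sample_docx() -> bytes:
    """Return a minimal constructed .docx-like zip holding only the metadata parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Read every element of the two property parts into {localname: text}."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in z.namelist():
                continue  # some generators omit one of the parts
            root = ET.fromstring(z.read(part))
            for el in root.iter():
                if el is root or el.text is None:
                    continue
                local = el.tag.split("}", 1)[-1]  # strip the namespace prefix
                meta[local] = el.text.strip()
    return meta


def leaks(meta: dict) -> dict:
    """Return just the fields a reviewer should scrub before publishing."""
    return {k: v for k, v in meta.items() if k in SENSITIVE and v}


if __name__ == "__main__":
    for field, value in leaks(extract_metadata(build_sample_docx())).items():
        print(f"{field}: {value}")
```

The same extract_metadata() works on a real file's bytes; the title stays because it is meant to be public, while the account names, company and Office build are what an attacker would harvest.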
Information to Footprint (cont'd)
● Any interesting news about the target?
– Mergers with other companies?
– An exciting new contract with another vendor?
● Office locations?
– Any nearby?
● Google Street View available?
● Employee-uploaded photos from the location on social media?
● Good lunch spots nearby that employees may frequent?
● Smoking policies?
Step 2: Scanning
Scanning
● Scanning is getting into a more active form of recon.
● Trying to locate domains and sub-domains via DNS techniques.
– Can sometimes reveal more than it should (remote.example.com, vpn.example.com, test.example.com, etc.)
● Port scanning their hosts and subnets to attempt to discover hosts and services being provided by their servers.
Step 3: Enumeration
Enumeration
● Enumeration by its definition is: "A collection of items that is a complete, ordered listing of all of the items in that collection."
● This is the most intrusive step of recon.
● This is where we will try to detect services that are actually running, versions, how they are configured, and any information that can be obtained via these services (OS details, usernames, shares, etc.).
Enumeration (cont'd)
● Use some of the services and dump packet captures to review how it works.
● On web servers, check robots.txt and crossdomain.xml.
● On FTP servers check if they allow anonymous logins.
● On SMB check to see if they allow LookupSID or enumeration of Shares.
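The two web-server files named above are just as useful to the site owner: review them before they go live, since robots.txt advertises paths you would rather not name and a crossdomain.xml with a wildcard allow-access-from lets any Flash/Silverlight origin read responses with the user's cookies. The example below is added here and is not code from the slides; both sample files are constructed, and the SENSITIVE_HINTS list is an assumption to tune per site.

```python
"""Added example (not from the slides): audit robots.txt and crossdomain.xml
from the defender's side, using constructed sample contents."""
import xml.etree.ElementTree as ET

# Constructed robots.txt: two entries name areas better left unadvertised.
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /api/internal/
Allow: /api/public/
Sitemap: https://www.example.com/sitemap.xml
"""

# Constructed crossdomain.xml with the classic overly permissive settings.
CROSSDOMAIN_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*.example.com"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Path fragments that usually mean the entry is hiding something rather
# than steering crawlers (assumed list; tune to taste).
SENSITIVE_HINTS = ("admin", "backup", "internal", "private", "old", "test")


def robots_disallows(text: str) -> list:
    """Return the Disallow paths listed in a robots.txt body."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line or ":" not in line:
            continue
        key, value = (p.strip() for p in line.split(":", 1))
        if key.lower() == "disallow" and value:
            paths.append(value)
    return paths


def sensitive_disallows(text: str) -> list:
    """Disallow entries whose path names a likely sensitive area."""
    return [p for p in robots_disallows(text)
            if any(h in p.lower() for h in SENSITIVE_HINTS)]


def crossdomain_findings(xml_text: str) -> list:
    """Return one finding string per policy element that needs review."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            # secure="false" additionally lets http:// origins read https:// data
            sec = el.get("secure", "true").lower()
            findings.append("allow-access-from domain=* (secure=%s)" % sec)
        elif domain.startswith("*."):
            findings.append("allow-access-from wildcard subdomain %s" % domain)
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append("allow-http-request-headers-from domain=* headers=%s"
                            % el.get("headers", ""))
    return findings


if __name__ == "__main__":
    print("robots.txt sensitive paths:", sensitive_disallows(ROBOTS_TXT))
    for finding in crossdomain_findings(CROSSDOMAIN_XML):
        print("crossdomain.xml:", finding)
```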
Step 4: Data Review & Research
Data Review and Research
● At this point the recon should have given you a lot of data.
● Time to review what it shows us for potential attack vectors and surfaces.
● Research the software versions for vulnerabilities and common misconfiguration mistakes.
● If software is open source and no vulnerabilities exist, perhaps it's time for a code audit. ;-)
Data Review and Research (cont'd)
● If you've found any known vulnerabilities, keep notes on them; those sound like a great start.
● Spend a day to think about this information.
– No need to rush.
– I personally suggest you think about it away from your machine: go for a walk, get some coffee, find a quiet spot to think, and review the facts in your head about what you know about your target.
● Once you've thought about it, order your attack surfaces by success probability.
Step 5: Exploitation / Gaining Access
Exploitation
● Research should give you a few ideal attack vectors you will pursue.
● The best part of the hacking: compromising the machine and gaining access to the system of interest.
● Methods used here depend on what you're trying to gain access to.
– Tons of tools out there for a lot of already known bugs.
– Knowing a programming language like Python helps when there aren't any tools.
Step 5a: Escalation of Privileges
Privilege Escalation
● This is optional and should only be pursued if really needed.
● If you can get what you're after without it, skip it.
● If it is needed, go for it.
● Universal options: keyloggers and packet sniffers.
● Windows: scheduler exploit, process token hijacking, process injection.
● Unix: various privilege exploits come out from time to time.
Step 5b: Backdooring
Backdooring Systems
● This is optional and should only be pursued if really needed.
● Keep in mind counter-defenses the host may have deployed (anti-virus, firewalls, tripwire, etc.)
● Backdoors can be malicious RATs (Remote Admin Tools) or simply adding a user account and enabling remote access.
● Up to you how you want to proceed, but minimal is usually best practice; skip this if possible.
Step 6: Data Exfiltration / Pilfering
Data Exfiltration / Pilfering
● This is the step where you do what you came for.
– Extract the data you want or modify the system as you need to.
● Usually involves finding the data you want and a valid channel that enables you to get it out of their network and into your hands.
● DLP (Data Loss Prevention) can be a thorn in your side but is seldom an issue.
– Steganography and encryption can help here.
Step 7: Housekeeping
Housekeeping / Covering Tracks
● This step is where you finish up with the host.
● If you are supposed to go undetected, then delete logs and apply other anti-forensics techniques.
● If this is a normal pentest then it's more housekeeping than anything: cleaning up after yourself.
– Deleting tools you may have pushed to the system during the attack, etc.
Wrapping It Up - Reporting
● Should be several sections:
– Explaining your testing methods
– Executive summary of findings
– Technical details of findings
● Providing details on how to exploit, the probability of exploitation, and the risk of what is to be lost in the exploit attempt.
– Suggested remedies to the findings
Wrapping It Up - Reporting (cont'd)
● Why are you testing if it's not to document the issues and attempt to remedy them?
● Important but boring part of the testing. It is the deliverable you give to the clients.
Recap
Questions?
Next Presentations
● Rolling Your Own Hacking Lab for Legal Target Practice.
● Using OSINT (Open Source Intelligence) For Footprinting and Passive Recon
● Scanning For Hosts and Services
● Common Networking Protocols, Sniffing, and The Joys of RFCs
Thanks For Coming Out!