CEH - Book.
Chapter 2
Attack Methodology
- Steps: recon, scanning/enumeration, getting access, escalation of privs, maintaining access (rootkits), covering tracks.
Recon: - Reconnaissance entails determining the footprint of the target.
- This is passive information gathering.
- Example, Microsoft: website, FTP sites, vendor sites, DNS servers, web servers.
- Determine the entire footprint of the target.
- Can include dumpster diving for info, social engineering, ARIN, WHOIS lookups.
- From there you form a picture of what you want to attack.
Scanning and Enumeration - Scanning to elicit a response. Active info gathering.
- Enumeration to determine what services you can attack.
- This phase means moving from passive recon to active info gathering.
- Caution should be used to avoid being detected and identified. Use an alternate host.
- My target? www.eviloctal.com. Chinese attackers who attacked metasploit.com on 1 June 2008.
- I think everyone is getting tired of Chinese hackers bothering the rest of the world.
- The goal of scanning is to determine open ports and services hosted on those ports.
- Thereafter, we enumerate the versions of the services and find their vulns for attack. "Down level" (outdated) software and applications may have vulnerabilities.
- Key in defense against scanning and enumeration is a default deny policy.
- Some kiddies use Nessus to enumerate vulnerabilities, which is considered newbie.
- Elite hackers ID the target and develop their own vulnerabilities by reverse engineering the service software on the target.
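Added example (not from the CEH book) of the default deny policy the notes name as the key defense against scanning and enumeration, done with Windows Firewall from an elevated PowerShell session. The 10.0.0.0/24 management subnet and the two allowed services are assumptions for illustration.

```powershell
# Added example, not the book's: default-deny inbound on Windows Firewall.
# A port the firewall drops gives a scanner nothing to enumerate.
# Assumed values: mgmt subnet 10.0.0.0/24, exposed services RDP and HTTPS.

# 1. Block everything inbound by default on all three profiles, keep outbound
#    allowed so the host still works, and log what gets dropped (scan evidence).
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# 2. Explicitly allow only the services this host must expose, scoped to the
#    addresses that need them. Anything not listed here stays closed.
$allowed = @(
    @{ Name = 'Allow RDP from mgmt subnet'; Port = 3389; Remote = '10.0.0.0/24' },
    @{ Name = 'Allow HTTPS from anywhere';  Port = 443;  Remote = 'Any' }
)
foreach ($rule in $allowed) {
    if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound `
            -Protocol TCP -LocalPort $rule.Port -RemoteAddress $rule.Remote `
            -Action Allow -Profile Any | Out-Null
    }
}

# 3. Verify: every profile must report DefaultInboundAction = Block, and the
#    enabled inbound Allow rules should be only the ones you expect to see.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile |
    Sort-Object DisplayName
```

The rule list in step 3 is the thing to review periodically; a default deny only holds while the allow list stays short.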
Gaining Access - Movement from scanning to attacking.
- There isn't a lot of info in this chapter about gaining access but it involves a few things:
- finding vulnerable services and exploiting them to a degree that you get root access to the box.
- somehow getting malicious software installed onto the computer so that it basically gives you local admin/root privs.
- sniffing the target's local network looking for logins and passwords.
- attacking infrastructure devices to gain network access to the desired traffic and its lovelies.
- installing keylogger software to get keystrokes and related logins and passwords.
- Installing physical keyloggers to get the above. (key catcher)
- If you have physical access you can boot to a CD and install software or simply read the disk drive for what you want.
- Send the target a link and hope he clicks it thereby infecting himself.
- Determine the target's login/password to chat programs like AIM or ICQ with dsniff and test to see if the password is the same as the admin password.
- Post a malware binary to a newsgroup to see if anybody installs it. Then it will contact you with its credentials : /
- Compose a software application suite that has what the user wants but embed malware into it so it's installed when the user installs it.
Escalation of Privileges - There are ways to do this starting with a basic user account.
Maintaining Access - Rootkit.com has rootkits for this. Basically, a rootkit hides itself from security scanners and antivirus programs.
- Maintaining access can involve hiding binaries from AV software.
- NTFS alternate data streams are an option in the Win32 world, but most AV scanners can detect ADS data.
Covering Tracks - This involves deleting logfiles or flooding them with bogus entries. Win32 systems can be set to overwrite old events so at some point your tracks are overwritten.
- There are a number of Win32 log file removal utilities. In Unix/Linux, it's simply echo " " > /var/log/messages (or security, or *).
- The default Win32 policy for the security event log is to log only successful logon attempts and not failed logon attempts.
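Added example (not from the CEH book) of the defender's side of the last two sections: turning on the failed-logon auditing the default policy lacks, spotting a cleared log, and listing the NTFS alternate data streams mentioned under maintaining access. Run elevated; C:\Users\Public is an assumed directory to sweep.

```powershell
# Added example, not the book's: detection of track covering and ADS hiding.
# Assumed sweep path: C:\Users\Public. Run from an elevated PowerShell.

# 1. The notes say the default policy logs only successful logons. Enable
#    failure auditing as well so guessing and failed access are recorded.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"Logon"

# 2. Clearing the Security log is itself logged: event 1102 ("The audit log
#    was cleared") survives the wipe and names the account that did it.
function Get-LogClearEvents([int]$Days = 7) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102
                                     StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'User'; e = { $_.Properties[1].Value } }
}

# 3. Failed logons (4625) grouped by source address. A spike from one
#    address is the trace that the success-only default would have missed.
function Get-FailedLogonCounts([int]$Hours = 24) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[19].Value } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# 4. NTFS alternate data streams: list every stream other than the default
#    $DATA stream. Zone.Identifier is the normal "downloaded from the
#    Internet" mark; any other named stream with real size deserves a look.
function Get-AlternateStreams([string]$Path) {
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

Get-LogClearEvents
Get-FailedLogonCounts
Get-AlternateStreams -Path 'C:\Users\Public'
```

Index 19 in the 4625 event data is the IpAddress field; forwarding the Security log off the host is what keeps step 2 useful once the local copy is gone.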
Ethical Hacker Process - Assessment: penetration testing and hands-on security testing
- Policy development based on findings
- Implementation of policy, controls and technical solutions to enforce policy.
- Training users
- Auditing to ensure policy compliance.
Resources - NIST: National Institute of Standards and Technology. NIST.gov.
- They have publications on planning, discovery, attack and reporting as part of your security assessment.
- TRAWG: Threat and Risk Assessment Working Guide:
- This helps guide you in determining which assets are most at risk.
- See www-cse-cst.gc.ca/publications/gov-pubs/itsg/itsg04-e.html (English)
- OCTAVE: Operationally Critical Threat, Asset and Vulnerability Evaluation.
- www.cert.org/octave
- OSSTMM: Open Source Security Testing Methodology Manual
- www.isecom.org/osstmm
- Helps with determining how long assessments should take given a security topic.
Security and the Stack - OSI Model Review (zzZzZZzzzzz)
7. Application Layer: Where user data is generated with applications like Telnet, SSH, web browsers or text editors.
6. Presentation Layer: Formatting of data so that the adjacent layer can understand. (ANSI, EBCDIC, ASCII)
5. Session Layer: RPC and SQLNet from Oracle operations are here. Otherwise not used much.
4. Transport Layer: TCP and UDP occur here. Segments are created here. (According to Cisco)
3. Network Layer: IP and ARP addresses are slapped on here and the units are considered packets.
2. Data Link Layer: 2 sublayers: LLC and MAC. MAC addresses reside here but ARP resides at layer 3 with IP. Weird.
1. Physical Layer: Bits and cabling.
TCP/IP Anatomy
Application Layer:
- Page 65.