December 9, 2015

GHR 102 – Basic Training Part 2

OBJECTIVES for NCST Basic Training Part 2:

Basic Training Part 2 continues where part 1 left off but focuses on the methods used by attackers and ethical hackers followed by geeking out on technical details of protocols.

Topic 102.1 – Attacker’s Process

  • RULE : The steps that attackers use can be divided into 6 phases:
    • Step 1 is “performing reconnaissance and fingerprinting.”
    • Step 2 is “scanning and enumeration.”
    • Step 3 is “gaining access.”
    • Step 4 is “escalation of privileges.”
    • Step 5 is “maintaining access.”
    • Step 6 is “covering tracks and placing backdoors.”
  • RULE : Performing recon and fingerprinting is considered to be the first step and refers to a systematic attempt to locate, identify, and gather intelligence about the target.
  • RULE : Scanning and enumeration is considered to be the second step and refers to actively attempting a connection to target systems to elicit responses.  This includes more than just port scanning.
  • RULE : Other intelligence can be gathered from banners.
  • RULE : Attackers like locating systems with outdated and no longer patched versions of operating systems.
  • RULE : Script kiddies will typically use noisy vulnerability scanners like OpenVAS and are easily detected by the most basic Intrusion Detection Systems.  True black hats will use more stealthy techniques.
  • RULE : Gaining access is considered to be the third step and is when the attacker moves from simply probing to conducting an active attack.
  • RULE : Escalation of privileges is considered the fourth step and happens after the attacker has gained access.  Here the attacker leverages a vulnerability in the operating system or an application running on the target system to gain access to data and resources that normal users don’t have privileges for.
  • RULE :  Maintaining access is considered the fifth step and is like a parasite digging into the target system.  Rootkits and capturing user credentials are effective ways to maintain access.
  • RULE : Covering tracks and placing backdoors is considered the sixth and typically the last step.  Here the attacker tries to remove all traces of the intrusion.  Backdoors are created by the attacker to make reentry into the compromised system effortless.
  • RULE : If the attacker is not successful in gaining access to the target, an option for the attacker is to perform a Denial Of Service (DoS) attack.
  • RULE : You can think of DoS attacks as an optional step 7, since they can be used to extort money from the victim if the DoS attack results in lost income.  Some victims would pay to make the attack stop.

Topic 102.2 – Ethical Hacker’s Process

  • RULE : Do no harm.
  • RULE : The ethical hacker typically will take these steps to perform a vulnerability assessment:
    • Step 1 is “Permission.”  The ethical hacker will first obtain written permission from the organization to perform the penetration test.  This is something the attacker doesn’t do.
    • Step 2 is “Recon.”  The ethical hacker will conduct both passive and active reconnaissance.  The attacker also does recon.
    • Step 3 is “Scanning.”  The ethical hacker will scan ports and begin to map the network.  The attacker also does scanning.
    • Step 4 is “Gaining Access.”  The ethical hacker will attempt to gain access into the network, systems, and applications.  The attacker also attempts to gain access.
    • Step 5 is “Maintaining Access.”  The ethical hacker will try to stay in control of the compromised system by such techniques as escalating privileges.  The attacker also tries to maintain access and escalate privileges.
    • Step 6 is “Covering Tracks.”  The ethical hacker will clear logs to cover up the breach and leave no tracks.  The attacker also covers his tracks.
    • Step 7 is “Reporting.”  Obviously the attacker doesn’t do this, but the ethical hacker must report the finding and provide remediation steps to the organization.
  • RULE : The methodology used to secure the organization can be summarized into 5 steps:
    • Step 1 is what was just mentioned, the vulnerability assessment.  The ethical hacker performs his 7 steps, permission, recon, scanning, gaining access, maintaining access, covering tracks, and finally reporting.  This reporting drives the remaining 4 steps of this 5 step process.
    • Step 2 is “Policy Development.”  With the focus being on critical assets, the policy should be driven by the goals, mission, and objectives of the organization.
    • Step 3 is “Implementation.”  This step is where the actual building of operational, technical, and managerial processes happens.
    • Step 4 is “Training.”  After the implementation occurs and new systems are in place, the employees and team members need to be trained on how the organization is going to operate going forward.
    • Step 5 is “Auditing.”  Periodic and frequent auditing should take place to make sure people don’t revert back to their previous insecure processes once the excitement wears off from the initial assessment and the reaction to it.
  • RULE : The National Institute of Standards and Technology (NIST) created the “Technical Guide to Information Security Testing and Assessment,” Special Publication 800-115.
  • RULE : In the NIST publication 800-115, the document mentions a variation of the 7 steps mentioned before.  Rather than the 7 steps they only mention 4 steps.  They are planning, discovery, attack, and reporting as seen on page 5-3, figure 5-1.
  • RULE : Another methodology to be aware of is named OCTAVE, which stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation.
  • RULE : The OCTAVE method is an approach used to assess an organization’s information security needs.
  • RULE : OCTAVE Allegro is the most recently developed and actively supported method. This method is based on two older versions called OCTAVE Original and OCTAVE-S.
  • RULE : OCTAVE focuses on organizational risk.
  • RULE : OCTAVE is self-directed, and the goal is to get people from different departments to work together.
  • RULE : Yet another methodology of securing the organization is actually open source and is divided into 6 sections.  It is named, “Open Source Security Testing Methodology Manual (OSSTMM).”
  • RULE : The 6 sections of OSSTMM are:
    • Step 1 is “Physical Security.”
    • Step 2 is “Internet Security.”
    • Step 3 is “Information Security.”
    • Step 4 is “Wireless Security.”
    • Step 5 is “Communications Security.”
    • Step 6 is “Social Engineering.”

Topic 102.3 – Security and the Stack

  • RULE : The International Standards Organization (ISO) developed the Open Systems Interconnect (OSI) model in 1984.
  • RULE : The OSI model has 7 layers:
    • Layer 1 of the OSI model is the “Physical Layer.”
    • Layer 2 of the OSI model is the “Data Link Layer.”
    • Layer 3 of the OSI model is the “Network Layer.”
    • Layer 4 of the OSI model is the “Transport Layer.”
    • Layer 5 of the OSI model is the “Session Layer.”
    • Layer 6 of the OSI model is the “Presentation Layer.”
    • Layer 7 of the OSI model is the “Application Layer.”
  • RULE : The Physical Layer (layer 1) is where the transmitting and receiving of bits take place.
  • RULE : The Data Link Layer (layer 2) organizes the logical structure of data into frames and places them on the wire.  This layer actually has 2 sublayers, Logical Link Control (LLC) and Media Access Control (MAC).
  • RULE : Most computers today come with at least 1 Network Interface Card (NIC).  Those NIC cards have a 6-byte or 48-bit MAC address.  Network switches use this MAC address to forward traffic out of a specific port where the end node is located.  This all happens at layer 2, the Data Link Layer.  From a security standpoint, ARP Poisoning can occur here.
  • RULE : The Network Layer is where IP addresses come into play.  Datagrams are carried from source to destination.  From a security standpoint, route poisoning, Denial Of Service, and fragmentation attacks happen at this layer.
  • RULE : IPSEC lives in the network layer.
  • RULE : The Transport Layer (layer 4) handles end-to-end flow control and error recovery.  Security concerns here are SYN attacks, Denial of Service (DoS) attacks, and buffer overflows.
  • RULE : TCP is a layer 4 connection oriented protocol and provides reliable communications with acknowledgements, error detection, and session teardown.
  • RULE : UDP is a layer 4 protocol used for speed because of its low overhead, but it doesn’t resend lost packets because it’s connectionless.
  • RULE : The Session Layer (layer 5) is used to create, control, and tear down a TCP session.  Remote Procedure Calls (RPC) live here.  Session hijacking is a concern at layer 5, the Session Layer.
  • RULE : The Presentation Layer (layer 6) is where ASCII, EBCDIC, ANSI, and encryption and decryption live.
  • RULE : The Application Layer (layer 7) is where things like your web browsers, email clients, ssh clients, office applications, and other purchased software applications all live.
  • RULE : It is important to know which defenses and attacks occur at which OSI layer.
  • RULE : The 4 layers of TCP/IP are:
    • The Application Layer (more detail in CEH topic 102.4).
    • The Transport Layer, also known as the Host-to-Host Layer (more detail in CEH topic 102.5).
    • The Internet Layer (more detail in CEH topic 102.6).
    • The Network Access Layer (more detail in CEH topic 102.7).

Topic 102.4 – The TCP/IP Application Layer

  • RULE : The Application Layer of TCP/IP is responsible for supporting the application, shockingly enough.  Applications are mapped by port number in TCP and UDP packets.
  • RULE : In the Application Layer of TCP/IP there are 65,536 ports, numbered from 0 to 65,535.  However, port 0 isn’t used for communication between hosts, so technically speaking you only have 65,535 to use.
  • RULE : TCP/IP ports that are numbered from 0 to 1023 are “well known ports.”
  • RULE : TCP/IP ports that are numbered from 1024 to 49,151 are “registered ports.”
  • RULE : TCP/IP ports that are numbered from 49,152 to 65,535 are “dynamic ports.”
  • RULE : Commonly used ports that you should be familiar with include:
    • TCP port 20 and 21 are File Transfer Protocol (FTP).  Port 21 is for the control stream where commands are passed.  Then port 20 is used to actually transfer the files.
    • TCP port 22 is Secure Shell (SSH).
    • TCP port 23 is Telnet.
    • TCP port 25 is Simple Mail Transfer Protocol (SMTP).
    • Domain Name System (DNS) works on both TCP and UDP.  DNS queries are sent on UDP port 53, while DNS zone transfers are sent on TCP port 53.
    • UDP ports 67 and 68 are for Dynamic Host Configuration Protocol (DHCP).
    • UDP port 69 is Trivial File Transfer Protocol (TFTP).  Cisco uses this for backing up configuration files.  TFTP runs over UDP so it is faster than FTP.  TFTP doesn’t require authentication, which is part of why the Nimda worm used TFTP.
    • TCP port 79 is Finger.
    • TCP port 80 is everyone’s favorite, HyperText Transfer Protocol (HTTP).  Attacks that exploit HTTP can target the web server (like Code Red did), the web browser itself, or use scripts that run in the browser.
    • UDP port 88 is Kerberos.
    • TCP port 110 is Post Office Protocol version 3 (POP3).
    • UDP and TCP port 135 are used by Microsoft for Remote Procedure Calls (MS RPC).
    • UDP and TCP port 139 are used by Microsoft for NetBIOS sessions.
    • UDP port 161 is Simple Network Management Protocol (SNMP).
    • UDP port 162 is for SNMP traps.
    • TCP port 389 is Lightweight Directory Access Protocol (LDAP).
    • TCP port 443 is Secure Sockets Layer (SSL).
    • UDP and TCP port 445 are used by Microsoft for Server Message Block (SMB) over IP.
    • TCP port 1433 and 1434 are used by Microsoft SQL server.
    • TCP port 3389 is used by Microsoft for Remote Desktop Protocol (RDP).
  • RULE : Don’t use Telnet or FTP, they send usernames and passwords in clear text.
  • RULE : Don’t use SNMP versions prior to version 3, because community strings are sent in the clear.  SNMP version 3 added security features.
  • RULE : SMTP has 2 parts, the address header and the message text.  Spoofing and Spamming are just 2 vulnerabilities associated with SMTP.

Topic 102.5 – The TCP/IP Transport Layer

  • RULE : The Transport Layer provides end-to-end delivery with the 2 main protocols being TCP and UDP.
  • RULE : TCP is covered in RFC 793.
  • RULE : UDP is covered in RFC 768.
  • RULE : TCP has a 1-byte Flags field; the 6 most common flags are:
    • URG is the urgent flag.
    • ACK is the acknowledgement flag.
    • PSH is the push flag.
    • RST is the reset flag.  The reset flag is used to terminate an abnormal session.
    • SYN is the synchronize flag.
    • FIN is the finish flag.  The finish flag is used in a normal 4-step shutdown.
  • RULE : A TCP checksum is added to each transmitted segment; the receiver checks it and discards damaged segments.
  • RULE : Security concerns at the TCP/IP Transport Layer include:
    • TCP sequence number attacks.
    • Session hijacking.
    • SYN flood attacks.
    • Altering the checksum to appear valid.
  • RULE : UDP doesn’t perform the handshake process like TCP.
  • RULE : UDP is not a reliable protocol, but it has the benefit of speed due to not having the overhead of TCP.
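As an added example (not part of the course notes), the Flags byte and the checksum from the rules above in Python: a sender fills the checksum over the pseudo-header plus segment, the receiver recomputes it and expects zero. The addresses and ports are constructed placeholders.

```python
import socket
import struct

# Bits of the 1-byte Flags field (RFC 793); the low six bits carry the flags in the notes
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def decode_flags(flags_byte):
    """Names of the flags set in a Flags byte, e.g. 0x12 -> ['SYN', 'ACK']."""
    return [name for name, bit in TCP_FLAGS.items() if flags_byte & bit]

def encode_flags(names):
    """Inverse of decode_flags: ['SYN', 'ACK'] -> 0x12."""
    return sum(TCP_FLAGS[n] for n in names)

def internet_checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                       # an odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def pseudo_header(src_ip, dst_ip, tcp_length):
    """The 12 extra bytes the checksum covers: source, destination, zero, protocol 6, length."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip), 0, 6, tcp_length)

def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags_byte, payload=b""):
    """Sender side: 20-byte header (data offset 5, no options) plus payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags_byte, 65535, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(header) + len(payload)) + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload

def verify_tcp_segment(src_ip, dst_ip, segment):
    """Receiver side: with the transmitted checksum in place the sum must come out to zero."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

def segment_flags(segment):
    """Pull the Flags byte (offset 13) out of a raw segment and name its bits."""
    return decode_flags(segment[13])

if __name__ == "__main__":
    # Constructed SYN to port 80; 192.0.2.0/24 is a documentation range, not a real host
    syn = build_tcp_segment("192.0.2.1", "192.0.2.80", 40000, 80, 1000, 0, encode_flags(["SYN"]))
    print(segment_flags(syn), verify_tcp_segment("192.0.2.1", "192.0.2.80", syn))
    # A byte damaged in transit fails the check...
    damaged = syn[:4] + bytes([syn[4] ^ 0xFF]) + syn[5:]
    print(verify_tcp_segment("192.0.2.1", "192.0.2.80", damaged))
    # ...but a rewritten segment with a recomputed checksum passes: the checksum
    # detects accidental damage, not tampering, which is the concern listed above.
    rst = build_tcp_segment("192.0.2.1", "192.0.2.80", 40000, 80, 1000, 0, encode_flags(["RST"]))
    print(verify_tcp_segment("192.0.2.1", "192.0.2.80", rst))
```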

Topic 102.6 – The TCP/IP Internet Layer

  • RULE : The TCP/IP Internet Layer has 2 protocols, which are:
    • Internet Protocol (IP) version 4 and 6.
    • Internet Control Message Protocol (ICMP).
  • RULE : IP version 4 is covered in RFC 791.
  • RULE : IP version 6 is covered in RFC 2460.
  • RULE : IP version 4 has a 32-bit address space and IP version 6 has a 128-bit address space.
  • RULE : IP version 4 uses the Option field and IP version 6 does not.
  • RULE : IP version 6 does not support broadcast traffic; instead it uses an all-nodes multicast with link-local scope.
  • RULE : IP version 4 uses decimals and IP version 6 uses hex addresses.
  • RULE : IP version 6 has built-in support for IPSEC.
  • RULE : IP version 4 addresses have 4 bytes, with each byte ranging from 0 to 255.
  • RULE : IP version 4 addresses are divided into classes by the first byte, which are:
    • Class A addresses start at 1 and go to 127.
    • Class B addresses range from 128 to 191.
    • Class C addresses range from 192 to 223.
    • Class D addresses range from 224 to 239.
    • Class E addresses range from 240 to 255.
  • RULE : Of the IP version 4 address space, some address blocks have been reserved for private use.  The private blocks are:
    • 10.0.0.0 thru 10.255.255.255, which is a Class A address with an 8-bit subnet mask.
    • 172.16.0.0 thru 172.31.255.255, which is a Class B address with a 12-bit subnet mask.
    • 192.168.0.0 thru 192.168.255.255, which is a Class C address with a 16-bit subnet mask.
  • RULE : The private address space is covered in RFC 1918.
  • RULE : IP can do source routing.
  • RULE : IP is responsible for datagram fragmentation.  Fragmentation happens when the data exceeds the Maximum Transfer Unit (MTU) setting.
  • RULE : If fragmentation must occur, the datagram is divided, and each packet will have a length, an offset, and the more-fragments flag set to 1 if it isn’t the last packet.
  • RULE : Besides IP, ICMP also lives in the TCP/IP Internet Layer.
  • RULE : The first byte of an ICMP header is the type.
  • RULE : The second byte of an ICMP header is the code.
  • RULE : The most common ICMP types, from RFC 792, are:
    • Type 0 is for Echo Reply.  Type 0 is the reply to a type 8 request.  Ping uses this.
    • Type 3 is for Destination Host Unreachable.
    • Type 4 was for Source Quench, but has been deprecated.  See RFC 6633.
    • Type 5 is for Redirect.
    • Type 8 is for Echo Request.  The reply will be a type 0.  Ping uses this.
    • Type 11 is for Time Exceeded.  Trace route programs use this.
    • Type 12 is for Parameter Problem.
  • RULE : Ping uses ICMP types 0 and 8 if the target is reachable.
  • RULE : If you ping (or send an ICMP type 8) and the target is unreachable, you will get a type 3 back with a code.  Type 3 codes are:
    • Type 3, Code 0 is a “Net Unreachable” message.
    • Type 3, Code 1 is a “Host Unreachable” message.
    • Type 3, Code 2 is a “Protocol Unreachable” message.
    • Type 3, Code 3 is a “Port Unreachable” message.
    • Type 3, Code 4 is a “Fragmentation Needed but the Don’t Fragment Bit Was Set” message.
    • Type 3, Code 5 is a “Source Route failed” message.
    • Type 3, Code 6 is a “Destination Network Unknown” message.
    • Type 3, Code 7 is a “Destination Host Unknown” message.
    • Type 3, Code 8 is a “Source Host Isolated” message.
    • Type 3, Code 9 is a “Communication with Destination Network is Administratively Prohibited” message.
    • Type 3, Code 10 is a “Communication with Destination Host is Administratively Prohibited” message.
    • Type 3, Code 11 is a “Destination Network Unreachable for Type of Service” message.
    • Type 3, Code 12 is a “Destination Host Unreachable for Type of Service” message.
    • Type 3, Code 13 is a “Communication Administratively Prohibited” message.
    • Type 3, Code 14 is a “Host Precedence Violation” message.
    • Type 3, Code 15 is a “Precedence cutoff in effect” message.
  • RULE : ICMP Type 3 codes are covered in RFC 792, RFC 1122, and RFC 1812.
  • RULE : Attacks at the TCP/IP Internet Layer include:
    • Total Length field and Don’t Fragment (DF) bit manipulated for a Ping-Of-Death attack.
    • Smurf DoS packets.
    • Query the timestamp of a system with ICMP.
    • Query the subnet mask of a system with ICMP.
    • ICMP type 5 packets that redirect traffic.
    • Overlapping fragments, as used in the Teardrop attack, which crashes older Windows NT and 2000 servers.
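An added example, not from the notes, of the fragmentation rules above (length, offset, more-fragments flag) with a receiver that refuses the overlapping fragments the Teardrop entry refers to instead of overwriting data. The header length, MTU and payload are constructed values.

```python
def pack_frag_word(df, mf, offset):
    """The 16-bit IPv4 word holding the flags (reserved, DF, MF) and the 13-bit
    fragment offset; the offset counts 8-byte units, not bytes."""
    if not 0 <= offset < 2 ** 13:
        raise ValueError("fragment offset does not fit in 13 bits")
    return (df << 14) | (mf << 13) | offset

def unpack_frag_word(word):
    """Return (DF, MF, offset) from the packed word."""
    return bool(word & 0x4000), bool(word & 0x2000), word & 0x1FFF

def fragment(ident, payload, mtu, hdr_len=20):
    """Sender side: split a datagram's payload so each fragment fits the MTU.  Every
    fragment records its total length, its offset, and MF=1 unless it is the last."""
    chunk = (mtu - hdr_len) // 8 * 8           # non-final fragments carry a multiple of 8 bytes
    if chunk <= 0:
        raise ValueError("MTU leaves no room for fragment data")
    frags = []
    for pos in range(0, len(payload), chunk):
        data = payload[pos:pos + chunk]
        mf = 1 if pos + chunk < len(payload) else 0
        frags.append({"id": ident, "total_length": hdr_len + len(data),
                      "frag_word": pack_frag_word(0, mf, pos // 8), "data": data})
    return frags

def reassemble(frags, hdr_len=20):
    """Receiver side: rebuild the payload from the fragments of one datagram, in any
    arrival order.  Overlapping byte ranges (what a Teardrop-style datagram relies on),
    gaps and inconsistent lengths are rejected rather than silently merged."""
    if not frags or len({f["id"] for f in frags}) != 1:
        raise ValueError("need one or more fragments from a single datagram")
    pieces = []
    for f in frags:
        _, mf, offset = unpack_frag_word(f["frag_word"])
        if f["total_length"] != hdr_len + len(f["data"]):
            raise ValueError("total length does not match the data carried")
        start = offset * 8
        pieces.append((start, start + len(f["data"]), mf, f["data"]))
    pieces.sort()
    expected, out = 0, bytearray()
    for start, end, mf, data in pieces:
        if start < expected:
            raise ValueError("overlapping fragment at byte offset %d" % start)
        if start > expected:
            raise ValueError("missing bytes before offset %d; datagram incomplete" % start)
        if not mf and end != pieces[-1][1]:
            raise ValueError("MF=0 on a fragment that is not the last one")
        out += data
        expected = end
    if pieces[-1][2]:
        raise ValueError("last fragment still has MF set; datagram incomplete")
    return bytes(out)

if __name__ == "__main__":
    payload = bytes(range(256)) * 8              # constructed 2048-byte datagram payload
    frags = fragment(0x1234, payload, 576)       # 576 is the classic minimum-reassembly MTU
    for f in frags:
        print(f["total_length"], unpack_frag_word(f["frag_word"]))
    print(reassemble(list(reversed(frags))) == payload)
```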

Topic 102.7 – The TCP/IP Network Access Layer

  • RULE : The Network Access Layer is the bottom layer of the TCP/IP stack.
  • RULE : The TCP/IP Network Access Layer is responsible for the physical delivery of IP packets via frames.
  • RULE : Ethernet is the most common Local Area Network (LAN) frame type.
  • RULE : Ethernet frames are addressed with Media Access Control (MAC) addresses.
  • RULE : MAC addresses are 6 bytes long and are burned into each Network Interface Card (NIC); they were designed to be globally unique.  Spoofing a MAC address breaks this rule.
  • RULE : The first 3 bytes of the MAC address uniquely identify the NIC manufacturer, like Cisco, Belkin, Dell, or Netgear for instance.
  • RULE : The second 3 bytes of the MAC address uniquely identify the NIC itself.
  • RULE : Universally administered and locally administered addresses are distinguished by the second-least-significant bit of the most significant byte of the address.  The most significant byte would look like 0000 00#0 or 1111 11#1, where # is a 0 or 1.
  • RULE : If the universal/local address bit (U/L bit) is a 0, then the address is Universally administered.  Like #### ##0#.
  • RULE : If the U/L bit is a 1, then the address is Locally administered.  Like #### ##1#.
  • RULE : You can tell the address is a unicast address if the least significant bit of the most significant byte is set to 0; the frame is meant to reach only one receiving NIC, like #### ###0.
  • RULE : You can tell the address is a multicast address if the least significant bit of the most significant byte is set to 1, like #### ###1.
  • RULE : Broadcast addresses have every bit set to 1.
  • RULE : Address Resolution Protocol (ARP) is used to resolve known IP addresses into unknown MAC addresses.
  • RULE : Hackers can use ARP spoofing to bypass the functionality of a network switch.
  • RULE : Proxy ARPs can be used to extend the network.
  • RULE : ARP attacks play a key role in the ability to pull off Man-In-The-Middle, spoofing, and session hijacking attacks.
  • RULE : MAC addresses can be a unicast, multicast, or broadcast address.
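The MAC address bit rules above applied in Python, as an added example that is not part of the notes: the OUI and NIC halves, the U/L bit and the I/G bit of the first byte, plus a small inventory check over a constructed ARP table. The addresses are placeholders and no vendor is claimed for them.

```python
# Constructed ARP-table style lines: IP address, then the MAC as a host or switch prints it
ARP_SAMPLE = """\
192.0.2.1     00:1b:63:84:45:e6
192.0.2.2     02:42:ac:11:00:02
192.0.2.3     0000.0c9f.f000
192.0.2.255   ff:ff:ff:ff:ff:ff
"""

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff and return the 6 bytes."""
    digits = "".join(c for c in text if c not in ":-.")
    if len(digits) != 12:
        raise ValueError("a MAC address is exactly 6 bytes: %r" % text)
    return bytes.fromhex(digits)

def describe_mac(text):
    """Apply the rules from the notes to the most significant (first) byte."""
    mac = parse_mac(text)
    first = mac[0]
    return {
        "oui": mac[:3].hex(),                        # first 3 bytes identify the manufacturer
        "nic": mac[3:].hex(),                        # last 3 bytes identify the NIC itself
        "locally_administered": bool(first & 0x02),  # U/L bit: #### ##1# is locally administered
        "multicast": bool(first & 0x01),             # I/G bit: #### ###1 is multicast
        "broadcast": mac == b"\xff" * 6,             # all 48 bits set
    }

def locally_administered_hosts(arp_table):
    """Inventory check for defenders: unicast entries whose MAC has the U/L bit set were
    assigned by software rather than burned in.  Not proof of spoofing, but worth a look."""
    flagged = []
    for line in arp_table.splitlines():
        if not line.strip():
            continue
        ip, mac = line.split()[:2]
        info = describe_mac(mac)
        if info["locally_administered"] and not info["multicast"]:
            flagged.append(ip)
    return flagged

if __name__ == "__main__":
    for line in ARP_SAMPLE.splitlines():
        print(line.split()[1], describe_mac(line.split()[1]))
    print("locally administered:", locally_administered_hosts(ARP_SAMPLE))
```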

Topic 102.8 – Domain Name System (DNS)

  • RULE : Domain Name System (DNS) is a TCP/IP Application Layer protocol.
  • RULE : DNS works on both TCP port 53 and UDP port 53.
  • RULE : DNS queries are sent as UDP.
  • RULE : DNS zone transfers are sent with TCP.
  • RULE : The DNS database has 1 or more zone files.
  • RULE : Each DNS zone file has some common record types, they are:
    • One Start of Authority (SOA) record.  It describes the zone’s namespace.
    • Several “A” records for IP version 4; this is the most common type, and it contains IP addresses and the names of hosts.
    • Several “AAAA” records for IP version 6; they contain the newer IP version 6 addresses and the names of hosts.
    • Several “CNAME” records which are aliases.
    • “NS” records list the IP addresses of other Name Servers.
    • “MX” records list the IP addresses of the Mail eXchange server for email.
  • RULE : In DNS there is only one Start of Authority (SOA) record for a zone record database file.
  • RULE : DNS cache poisoning is an attack directed at a DNS name server, in which fake entries are sent to the DNS server to corrupt it.
  • RULE : DNS is susceptible to Denial of Service attacks.
  • RULE : Unauthorized zone transfers are something that you should try to prevent.
  • RULE : The Internet Engineering Task Force (IETF) developed DNS Security Extensions (DNSSEC) to authenticate the origin of the DNS data in response to the vulnerabilities in DNS.
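An added example, not from the notes, that reads the record types listed above out of a small zone file and checks the one-SOA rule. The zone is constructed: example.test, 192.0.2.0/24 and 2001:db8::/32 are reserved for documentation.

```python
RECORD_TYPES = {"SOA", "A", "AAAA", "CNAME", "NS", "MX"}

# Constructed sample zone; the SOA is kept on one line for simplicity
ZONE_SAMPLE = """\
$ORIGIN example.test.
$TTL 3600
@      IN SOA   ns1.example.test. hostmaster.example.test. ( 2015120901 7200 900 1209600 3600 )
@      IN NS    ns1.example.test.
@      IN NS    ns2.example.test.
@      IN MX 10 mail.example.test.
ns1    IN A     192.0.2.10
ns2    IN A     192.0.2.11
mail   IN A     192.0.2.20
mail   IN AAAA  2001:db8::20
www    IN CNAME mail        ; alias for the mail host
"""

def parse_zone(text):
    """Turn zone-file lines into (owner, type, rdata) tuples.  Handles $ORIGIN, '@',
    relative owner names, ';' comments, and the optional TTL and class before the type."""
    origin, records = "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):
            continue                                  # $TTL and other directives are not records
        owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                             # optional per-record TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)                             # class
        if not tokens:
            raise ValueError("record without a type: %r" % raw)
        rtype, rdata = tokens[0].upper(), [t for t in tokens[1:] if t not in ("(", ")")]
        if rtype not in RECORD_TYPES:
            raise ValueError("unsupported record type %r" % rtype)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin              # relative name, qualified with the origin
        records.append((owner, rtype, rdata))
    return records

def check_zone(records):
    """Apply the zone rules from the notes; returns a list of problems (empty means it passes)."""
    problems = []
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        problems.append("a zone must have exactly one SOA record, found %d" % len(soa))
    elif len(soa[0][2]) != 7:
        problems.append("SOA needs MNAME, RNAME and five timer values")
    if not any(r[1] == "NS" for r in records):
        problems.append("zone has no NS record")
    for owner, rtype, rdata in records:
        if rtype == "MX" and (len(rdata) != 2 or not rdata[0].isdigit()):
            problems.append("MX for %s needs a numeric preference and a host" % owner)
        if rtype == "CNAME" and any(o == owner and t != "CNAME" for o, t, _ in records):
            problems.append("%s has a CNAME alongside other records" % owner)
    return problems
```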