Ethical Hacking Series: 0x01 - Hacking Methodologies JaxHax Makerspace Travis Phillips
About Me Member of Jax Hax since it opened. Specializes in Ethical Hacking, IT Security, and penetration testing. Formerly a programmer. Enjoys electronics, Linux, embedded systems, anything hackery-ish, small physical projects from time to time to keep hands-on skills honed, puzzles, Open Source everything, and lock picking. Easy to find. Big dude dressed in black or grey. Seek me out anytime you are here.
Intended Audience This is intended as an intro class, the first in a series of classes. It is a class for people who are interested in security and require proof that it's working! This first class covers methodologies and doesn't really go into the technical side of things just yet. DON'T BE AFRAID TO STOP ME TO ASK QUESTIONS! The only stupid question is the question never asked.
What is Ethical Hacking? Ethical Hacking is the practice of using the same tools and techniques as hackers to evaluate the security of systems we own or have the system owner's permission to test. An ethical hacker will always obey the law and will not leverage the knowledge they gain for personal gain. This is very important, as your clients have to be able to trust you with their data, so your reputation for honesty cannot be compromised.
Why Should it Exist? How do you know if a defense works if it's never been attacked? (Think wargame drills.) It's best for you to think offensively a bit against your own defenses. It is a great way to detect those "well, we opened it up for debugging and forgot to close it after we were done" cases. Attacks are on the rise. You are ALWAYS under attack, whether by an actual hacker or by an automated piece of malware.
Is There Actually a Market For This? *YES!!!* There are lots of companies that have to engage in these activities due to government or industry regulation. Other companies engage in penetration testing to relieve themselves of the liability behind the words "Negligent Network Security Practices" in a lawsuit. It's not a bad idea to run this on your own systems, especially before traveling or moving your machine into a network you don't control (wifi networks, school LANs, etc.).
Just Ask These Guys... (slide image of a breached organization; not preserved in this text)
Taking into Account Side Channel Cost: (slide image; not preserved in this text)
Or These Guys... (a run of slides, each with an image of another breached organization; images not preserved in this text)
And Yes, Even These Guys...
So Why a Methodology? Uniform and consistent. Reproducible results. Easier to document findings. Ensures you don't skip steps, especially at the beginning, during the information gathering stages. Ensures things don't get overlooked. Information is important if you want a successful, surgical attack.
So what is the Methodology? It varies by field of technology and also by the group conducting the test. The approach I use is a modified version of the model from Foundstone Security. I use it because theirs was one of the most published models when I started out learning hacking, and there weren't many at that time.
My Methodology
Step 1: Footprinting
Footprinting Footprinting is the stage of passive recon. SINGLE MOST IMPORTANT STEP! Think of it like the movies where bank robbers "case the joint" before a heist. This is the process of trying to learn about the target in a passive manner (that is, in a manner that doesn't draw attention or that seems innocent at a glance).
Information to Footprint What is the size of the target? How large is their technological footprint? How strongly does the culture of the target foster security? IP ranges? Hosting servers in-house or via a hosting provider? Sister companies? Try to find domains and sub-domains via Google.
Information to Footprint (con't) Download files offered by the company and look through the metadata in each file for hostnames, usernames, groups, etc. Contacts? Email naming conventions? Find any forums showing compromised accounts with these addresses? Contacts we should be aware of? IT admins, HR personnel, etc. Watching these people helps you learn about the target. Different departments have different priorities; perhaps security falls lower in a few.
Information to Footprint (con't) Any interesting news about the target? Mergers with other companies? An exciting new contract with another vendor? Office locations? Any nearby? Is Google Street View available? Employee-uploaded photos from the location on social media? Good lunch spots nearby that employees may frequent? Smoking policies?
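The metadata leak described in the Footprinting step cuts both ways: before a company publishes a document, someone should check what the file's properties give away. The following is an added example (not from the JaxHax slides) of a pre-publication check for Office documents. OOXML files (.docx, .xlsx, .pptx) are zip packages whose author, last editor, company and template fields live in docProps/core.xml and docProps/app.xml; the sample package, its field values and the leak patterns are all constructed here so the script runs offline.

```python
"""Added example: find (and blank) internal names leaking from Office document
metadata. Not code from the slides; the sample package is constructed inline."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

CORE_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal OOXML package with leaky properties."""
    core = (f'<cp:coreProperties xmlns:cp="{CORE_NS}" xmlns:dc="{DC_NS}">'
            '<dc:creator>CORP\\jsmith</dc:creator>'                 # DOMAIN\user
            '<cp:lastModifiedBy>jsmith@corp.example</cp:lastModifiedBy>'
            '<dc:title>Quarterly Update</dc:title>'
            '</cp:coreProperties>')
    app = (f'<Properties xmlns="{APP_NS}">'
           '<Company>Example Corp</Company>'
           '<Template>\\\\fileserv01\\templates\\normal.dotm</Template>'  # UNC path
           '</Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<w:document/>")  # body is irrelevant here
    return buf.getvalue()


def _fields(xml_bytes: bytes) -> dict:
    """Flatten one properties part into {local-name: text}."""
    root = ET.fromstring(xml_bytes)
    # tags arrive as '{namespace}creator'; keep only the local name
    return {child.tag.split("}")[-1]: (child.text or "").strip() for child in root}


def extract_metadata(blob: bytes) -> dict:
    meta = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part in z.namelist():
                meta.update(_fields(z.read(part)))
    return meta


# What a footprinter harvests from properties: account names, addresses, server names.
LEAK_PATTERNS = {
    "domain_user": re.compile(r"^[A-Za-z0-9_-]+\\[A-Za-z0-9._-]+$"),  # DOMAIN\user
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "unc_path": re.compile(r"^\\\\[^\\]+\\"),                         # \\server\share
}


def find_leaks(meta: dict) -> list:
    """Return (field, kind, value) triples for properties that reveal internal names."""
    findings = []
    for field, value in meta.items():
        for kind, pattern in LEAK_PATTERNS.items():
            if value and pattern.search(value):
                findings.append((field, kind, value))
    return findings


def scrub_metadata(blob: bytes) -> bytes:
    """Rewrite the package with every leaky property blanked; other entries are copied."""
    leaky_fields = {field for field, _, _ in find_leaks(extract_metadata(blob))}
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(blob)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in ("docProps/core.xml", "docProps/app.xml"):
                root = ET.fromstring(data)
                for child in root:
                    if child.tag.split("}")[-1] in leaky_fields:
                        child.text = ""
                data = ET.tostring(root, xml_declaration=True, encoding="UTF-8")
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    for field, kind, value in find_leaks(extract_metadata(doc)):
        print(f"{field:16} {kind:12} {value}")
    print("after scrub:", find_leaks(extract_metadata(scrub_metadata(doc))))
```

The same idea applies to PDFs (Author, Producer) and image EXIF data; the point of the check is that the document body is not the only thing a reader can download.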
Step 2: Scanning
Scanning Scanning is getting into a more active form of recon. Trying to locate domains and sub-domains via DNS techniques can sometimes reveal more than it should (remote.example.com, vpn.example.com, test.example.com, etc.). Port scanning their hosts and subnets attempts to discover hosts and the services being provided by their servers.
Step 3: Enumeration
Enumeration Enumeration, by its definition, is: a collection of items that is a complete, ordered listing of all of the items in that collection. This is the most intrusive step of recon. This is where we will try to detect which services are actually running, their versions, how they are configured, and any information that can be obtained via these services (OS details, usernames, shares, etc.).
Enumeration (con't) Use some of the services and dump packet captures to review how each one works. On web servers, check robots.txt and crossdomain.xml. On FTP servers, check whether they allow anonymous logins. On SMB, check whether they allow LookupSID or enumeration of shares.
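The two web files named on this slide are worth a closer look because both are published by the site owner and both are routinely over-shared. The following is an added example (not from the slides) that reads a robots.txt and a crossdomain.xml the way an enumerator would and reports what a site owner should reconsider: Disallow lines are a public index of the paths you least want found, and a crossdomain.xml that allows access from "*" lets any Flash/Silverlight-style client on any site make authenticated cross-domain requests. Both files are constructed samples.

```python
"""Added example: review robots.txt and crossdomain.xml for what they give away.
Not from the slides; both inputs are constructed samples."""
from xml.etree import ElementTree as ET

ROBOTS = """User-agent: *
Disallow: /admin/
Disallow: /backup/
Disallow: /old-site/
Allow: /public/
Sitemap: https://www.example.com/sitemap.xml
"""

CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
  <allow-access-from domain="*.partner.example" secure="false" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
"""

# Path words that suggest the Disallow line is hiding something rather than saving crawl budget.
TELLING_WORDS = {"admin", "backup", "old", "test", "dev", "staging", "private", "upload", "config"}


def hidden_paths_from_robots(text: str) -> list:
    """Return every path a Disallow line names; robots.txt is advice, not access control."""
    paths = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def review_robots(text: str) -> list:
    """(path, reason) for Disallow entries whose name advertises sensitive content."""
    findings = []
    for path in hidden_paths_from_robots(text):
        words = {w for w in path.lower().replace("-", "/").split("/") if w}
        if words & TELLING_WORDS:
            findings.append((path, "descriptive hidden path"))
    return findings


def review_crossdomain(xml_text: str) -> list:
    """(issue, value) for policy entries that are broader than they should be."""
    findings = []
    root = ET.fromstring(xml_text.encode())
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("wildcard-domain", domain))
        elif domain.startswith("*."):
            findings.append(("wildcard-subdomain", domain))
        if el.get("secure", "true").lower() == "false":   # allows http origins into an https site
            findings.append(("insecure-allowed", domain))
    for el in root.findall("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append(("wildcard-headers", el.get("headers", "")))
    return findings


if __name__ == "__main__":
    print("robots.txt hides:", hidden_paths_from_robots(ROBOTS))
    print("robots.txt issues:", review_robots(ROBOTS))
    print("crossdomain.xml issues:", review_crossdomain(CROSSDOMAIN))
```

The fix on the server side is the same in both cases: protect sensitive paths with authentication rather than a Disallow line, and list only the specific origins that actually need cross-domain access.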
Step 4: Data Review & Research
Data Review and Research At this point the recon should have given you a lot of data. Time to review what it shows us for potential attack vectors and surfaces. Research the software versions for vulnerabilities and common misconfiguration mistakes. If the software is open source and no known vulnerabilities exist, perhaps it's time for a code audit. ;-)
Data Review and Research (con't) If you've found any known vulnerabilities, keep notes on them; those sound like a great start. Spend a day thinking about this information. No need to rush. I personally suggest you think about it away from your machine: go for a walk, get some coffee, find a quiet spot to think, and review in your head the facts you know about your target. Once you've thought about it, order your attack surfaces by success probability.
Step 5: Exploitation / Gaining Access
Exploitation Research should give you a few ideal attack vectors to pursue. This is the best part of hacking: compromising the machine and gaining access to the system of interest. The methods used here depend on what you're trying to gain access to. There are tons of tools out there for a lot of already known bugs. Knowing a programming language like Python helps when there aren't any tools.
Step 5a: Escalation of Privileges
Privilege Escalation This is optional and should only be pursued if really needed. If you can get what you're after without it, skip it. If it is needed, go for it. Universal options: keyloggers and packet sniffers. Windows: scheduler exploit, process token hijacking, process injection. Unix: varies; privilege escalation exploits come along from time to time.
Step 5b: Backdooring
Backdooring Systems This is optional and should only be pursued if really needed. Keep in mind the counter-defenses the host may have deployed (anti-virus, firewalls, tripwire, etc.). A backdoor can be a malicious RAT (Remote Admin Tool) or simply an added user account with remote access enabled. It's up to you how you want to proceed, but minimal is usually best practice; skip this if possible.
Step 6: Data Exfiltration / Pilfering
Data Exfiltration / Pilfering This is the step where you do what you came for: extract the data you want or modify the system as you need to. It usually involves finding the data you want and a valid channel that enables you to get it out of their network and into your hands. DLP (Data Loss Prevention) can be a thorn in your side, but it is seldom an issue. Steganography and encryption can help here.
Step 7: Housekeeping
Housekeeping / Covering Tracks This step is where you finish up with the host. If you are supposed to go undetected, then delete logs and apply other anti-forensics techniques. If this is a normal pentest, then it's more housekeeping than anything: cleaning up after yourself, deleting tools you may have pushed to the system during the attack, etc.
Wrapping It Up - Reporting The report should have several sections: an explanation of your testing methods; an executive summary of the findings; technical details of the findings, giving details on how to exploit each one, the probability of exploitation, and the risk of what's to be lost in the exploit attempt; and suggested remedies for the findings.
Wrapping It Up - Reporting (con't) Why are you testing if it's not to document the issues and attempt to remedy them? It is the important but boring part of the testing. It is the deliverable you give to the clients.
Recap
Questions?
Next Presentations: Rolling Your Own Hacking Lab for Legal Target Practice; Using OSINT (Open Source Intelligence) for Footprinting and Passive Recon; Scanning for Hosts and Services; Common Networking Protocols, Sniffing, and the Joys of RFCs.
Thanks For Coming Out!