Ethical Hacking Series: 0x01 - Hacking Methodologies. JaxHax Makerspace Travis Phillips

About Me Member of Jax Hax since it opened. Specializes in Ethical Hacking, IT Security, and penetration testing. Formerly a programmer. Enjoys electronics, Linux, embedded systems, anything hackery-ish, small physical projects from time to time to keep hands-on skills honed, puzzles, Open Source everything, and lock picking. Easy to find. Big dude dressed in black or grey. Seek me out anytime you are here.

Intended Audience This is intended as an intro class, the first in a series. It is for people who are interested in security and want proof that their defenses are actually working. This first class covers methodologies and doesn't really get into the technical side of things just yet. DON'T BE AFRAID TO STOP ME TO ASK QUESTIONS! The only stupid question is the one never asked.

What is Ethical Hacking? Ethical Hacking is the practice of using the same tools and techniques as hackers to evaluate the security of systems we own or have permission from the system owner to test. An ethical hacker always obeys the law and never leverages what they learn for personal gain. This is very important: your clients have to be able to trust you with their data, so your reputation for honesty cannot be compromised.

Why Should it Exist? How do you know a defense works if it has never been attacked? (Think wargame drills.) It pays to think offensively about your own defenses. It is a great way to catch the "well, we opened it up for debugging and forgot to close it after we were done" mistakes. Attacks are on the rise. You are ALWAYS under attack, whether by an actual hacker or by an automated piece of malware.

Is There Actually a Market For This? *YES!!!* Lots of companies have to engage in these activities because of government or industry regulation. Others engage in penetration testing to reduce their liability: a record of regular testing helps counter a claim of negligent network security practices in a lawsuit. It is also not a bad idea to run this against your own systems, especially before traveling or moving your machine onto a network you don't control (Wi-Fi hotspots, school LANs, etc.).

Just Ask These Guys... Or These Guys... And Yes, Even These Guys... (A run of slides showing organizations that have suffered breaches. The slide images, including one titled "Taking in Account Side Channel Cost", are not in the transcript.)

So Why a Methodology? Uniform and consistent. Reproducible results. Easier to document findings. Ensures you don't skip steps, especially early on during the information gathering stages. Ensures things don't get overlooked. Information is what makes a successful, surgical attack possible.

So what is the Methodology? It varies by field of technology and by the group conducting the test. The approach I use is a modified version of the model from Foundstone Security, chosen because theirs was one of the most widely published models when I started learning hacking and there weren't many at that time.

My Methodology

Step 1: Footprinting

Footprinting Footprinting is the passive recon stage. SINGLE MOST IMPORTANT STEP! Think of the movies where bank robbers "case the joint" before a heist. This is the process of learning about the target passively, that is, in a manner that doesn't draw attention or that seems innocent at a glance.

Information to Footprint What is the size of the target? How large is their technological footprint? How strongly does the target's culture foster security? IP ranges? Servers hosted in-house or via a hosting provider? Sister companies? Try to find domains and sub-domains via Google.

Information to Footprint (con't) Download files the company offers and look through their metadata for hostnames, usernames, groups, etc. Contacts? Email naming conventions? Any forums or dumps showing compromised accounts with these addresses? Contacts we should be aware of? IT admins, HR personnel, etc. Watch these people to learn about the target. Different departments have different priorities; perhaps security falls lower in a few.

Information to Footprint (con't) Any interesting news about the target? Mergers with other companies? An exciting new contract with another vendor? Office locations? Any nearby? Is Google Street View available? Employee-uploaded photos from the location on social media? Good lunch spots nearby that employees may frequent? Smoking policies?
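The "look through the metadata" point above is concrete enough to show. The following is an added example and not code from the talk: an Office document (.docx/.xlsx/.pptx) is a ZIP archive whose docProps/core.xml and docProps/app.xml parts record the creator, the last editor (often as DOMAIN\user), the company, and the template path (often a UNC path naming an internal file server). The sample document, its account names, and the host FS01.corp.example.com are all constructed so the script runs offline; point extract_office_metadata at bytes downloaded from a real site in an engagement.

```python
"""Harvest usernames, Windows domains and internal hostnames from Office metadata.

Added footprinting example (not from the talk). The .docx below is built in
memory with constructed metadata; nothing here touches the network.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the two metadata parts of an OOXML package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Archive part -> {result key: element path}. These are the fields that leak people and hosts.
PARTS = {
    "docProps/core.xml": {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy"},
    "docProps/app.xml": {"company": "ep:Company", "application": "ep:Application", "template": "ep:Template"},
}

# \\HOST\share\... : the host part of a UNC path.
UNC_HOST = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9._-]*)\\")


def extract_office_metadata(blob: bytes) -> dict:
    """Return the raw metadata fields present in a .docx/.xlsx/.pptx archive."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = set(zf.namelist())
        for part, fields in PARTS.items():
            if part not in names:
                continue  # a stripped document may lack one or both parts
            root = ET.fromstring(zf.read(part))
            for key, path in fields.items():
                el = root.find(path, NS)
                if el is not None and el.text and el.text.strip():
                    found[key] = el.text.strip()
    return found


def footprint_from_metadata(meta: dict) -> dict:
    """Turn raw fields into what a footprinter wants: account names, domains, internal hosts."""
    users, domains, hosts = set(), set(), set()
    for key in ("creator", "last_modified_by"):
        value = meta.get(key)
        if not value:
            continue
        # "CORP\jdoe" gives away both the Windows domain and the account naming convention.
        domain, _, user = value.rpartition("\\")
        users.add(user)
        if domain:
            domains.add(domain)
    # A template path such as \\FS01.corp.example.com\Templates\Normal.dotm names a file server.
    hosts.update(UNC_HOST.findall(meta.get("template", "")))
    return {
        "users": sorted(users),
        "domains": sorted(domains),
        "hosts": sorted(hosts),
        "company": meta.get("company"),
        "application": meta.get("application"),
    }


# Constructed sample metadata (hypothetical company, users and server).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/">
 <dc:creator>jsmith</dc:creator>
 <cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy>
</cp:coreProperties>"""

APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
 <Template>\\\\FS01.corp.example.com\\Templates\\Normal.dotm</Template>
 <Application>Microsoft Office Word</Application>
 <Company>Example Corp</Company>
</Properties>"""


def build_sample_docx() -> bytes:
    """Build a minimal .docx archive carrying the constructed metadata above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("docProps/app.xml", APP_XML)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    meta = extract_office_metadata(build_sample_docx())
    for key, value in footprint_from_metadata(meta).items():
        print(f"{key:12} {value}")
```

Every document from the target's site gets the same treatment; across a few dozen files the users set shows the naming convention (first initial plus surname here), the domains set shows the AD domain, and the hosts set starts the internal hostname list you will want during scanning.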

Step 2: Scanning

Scanning Scanning moves into a more active form of recon. Try to locate domains and sub-domains via DNS techniques; they can reveal more than they should (remote.example.com, vpn.example.com, test.example.com, etc.). Port scan their hosts and subnets to discover live hosts and the services their servers provide.

Step 3: Enumeration

Enumeration Enumeration, by its definition, is a complete, ordered listing of all the items in a collection. This is the most intrusive recon step. This is where we try to determine which services are actually running, their versions, how they are configured, and any information that can be obtained through them (OS details, usernames, shares, etc.).

Enumeration (con't) Use some of the services and take packet captures to review how they work. On web servers, check robots.txt and crossdomain.xml. On FTP servers, check whether they allow anonymous logins. On SMB, check whether they allow LookupSID or share enumeration.
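The Scanning and Enumeration steps above fit together in one script: a TCP connect scan finds the open ports, and reading each service's greeting (its banner) tells you what is running and which version. The following is an added example, not code from the talk or a tool the speaker names. The "services" it scans are constructed stand-ins started on 127.0.0.1 by the script itself, and the banner strings (OpenSSH_7.4, vsFTPd 3.0.3, Postfix) and the regex table are illustrative, so it runs offline; against a real target you would hand scan() the host and port range from your footprinting notes.

```python
"""TCP connect scan with banner grabbing against constructed local services.

Added scanning/enumeration example (not from the talk). Fake daemons are
started on OS-chosen loopback ports so the whole thing runs offline.
"""
import re
import socket
import threading
from typing import Optional

# (service, pattern): group 1 is the version/product string. Illustrative, not exhaustive.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-2\.0-(\S+)")),
    ("ftp", re.compile(r"^220[ -].*?\b(vsFTPd [\d.]+|ProFTPD [\d.]+|Microsoft FTP Service)", re.I)),
    ("smtp", re.compile(r"^220[ -]\S+ ESMTP (\S+)")),
]


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Connect scan one port.

    Returns None if the port is closed/filtered (refused or no SYN/ACK in time),
    '' if it is open but says nothing first, otherwise the first line it sent.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(512)
            except socket.timeout:
                return ""  # open, but the client is expected to speak first (HTTP, etc.)
            if not data:
                return ""  # open, closed on us without a greeting
            return data.decode("latin-1", "replace").splitlines()[0]
    except (ConnectionRefusedError, socket.timeout, OSError):
        return None


def classify(banner: str) -> dict:
    """Map a greeting to (service, version) using the pattern table."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return {"service": service, "version": m.group(1)}
    return {"service": "unknown", "version": None}


def scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Return {port: {'banner', 'service', 'version'}} for the ports found open."""
    results = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        if banner is None:
            continue
        info = classify(banner)
        info["banner"] = banner
        results[port] = info
    return results


def start_fake_service(greeting: bytes) -> int:
    """Constructed stand-in for a daemon: accept, send the greeting, hang up. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free ephemeral port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                if greeting:
                    conn.sendall(greeting)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Start four constructed services and scan them plus port 1 (expected closed)."""
    ports = {
        "ssh": start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n"),
        "ftp": start_fake_service(b"220 (vsFTPd 3.0.3)\r\n"),
        "smtp": start_fake_service(b"220 mail.example.com ESMTP Postfix\r\n"),
        "quiet": start_fake_service(b""),  # open but silent: must still be reported as open
    }
    targets = sorted(ports.values()) + [1]
    return scan("127.0.0.1", targets, timeout=0.5), ports


if __name__ == "__main__":
    results, _ = demo()
    for port, info in sorted(results.items()):
        print(f"{port:5}/tcp open  {info['service']:8} {info['version'] or '?':14} {info['banner']!r}")
```

Two details matter in practice. A silent open port is still a finding (many services, HTTP included, wait for the client to talk first), which is why grab_banner distinguishes '' from None. And the FTP pattern is checked before SMTP because both protocols greet with a 220 line; ordering the table from specific to generic keeps a vsFTPd banner from being labelled as mail.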

Step 4: Data Review & Research

Data Review and Research At this point the recon should have given you a lot of data. Time to review what it shows us about potential attack vectors and surfaces. Research the software versions for known vulnerabilities and common misconfigurations. If the software is open source and no vulnerabilities are known, perhaps it's time for a code audit. ;-)

Data Review and Research (con't) If you've found any known vulnerabilities, keep notes on them; those sound like a great start. Spend a day thinking about this information. No need to rush. I personally suggest you think about it away from your machine: go for a walk, get some coffee, find a quiet spot to think, and review in your head what you know about your target. Once you've thought it through, order your attack surfaces by probability of success.

Step 5: Exploitation/ Gaining Access

Exploitation Research should have given you a few ideal attack vectors to pursue. This is the best part of hacking: compromising the machine and gaining access to the system of interest. The methods used here depend on what you're trying to gain access to. There are tons of tools out there for a lot of already known bugs. Knowing a programming language like Python helps when there aren't any tools.

Step 5a: Escalation of Privileges

Privilege Escalation This is optional and should only be pursued if really needed. If you can get what you're after without it, skip it. If it is needed, go for it. Universal options: keyloggers and packet sniffers. Windows: scheduler exploits, process token hijacking, process injection. Unix: varies; privilege escalation exploits come out from time to time.

Step 5b: Backdooring

Backdooring Systems This is optional and should only be pursued if really needed. Keep in mind the counter-defenses the host may have deployed (anti-virus, firewalls, Tripwire, etc.). A backdoor can be a malicious RAT (Remote Access Tool) or simply a new user account with remote access enabled. It is up to you how you proceed, but minimal is usually best practice; skip this if possible.

Step 6: Data Ex-filtration/ Pilfering

Data Ex-filtration / Pilfering This is the step where you do what you came for: extract the data you want or modify the system as you need to. It usually involves finding the data and a valid channel that lets you get it out of their network and into your hands. DLP (Data Loss Prevention) can be a thorn in your side but is seldom an issue. Steganography and encryption can help here.

Step 7: Housekeeping

Housekeeping / Covering Tracks This step is where you finish up with the host. If you are supposed to go undetected, delete logs and apply other anti-forensics techniques. If this is a normal pentest, it's more housekeeping than anything: cleaning up after yourself, deleting tools you pushed to the system during the attack, etc.

Wrapping It Up - Reporting The report should have several sections: an explanation of your testing methods; an executive summary of findings; technical details of the findings, covering how to exploit each one, the probability of exploitation, and what stands to be lost if it is exploited; and suggested remedies for the findings.

Wrapping It Up - Reporting (con't) Why are you testing if not to document the issues and attempt to remedy them? It is the important but boring part of the testing, and it is the deliverable you give to the client.

Recap

Questions?

Next Presentations: Rolling Your Own Hacking Lab for Legal Target Practice; Using OSINT (Open Source Intelligence) for Footprinting and Passive Recon; Scanning for Hosts and Services; Common Networking Protocols, Sniffing, and the Joys of RFCs.

Thanks For Coming Out!