
Certified Ethical Hacking

- Introduction
- Footprinting and Reconnaissance
- Scanning Networks
- Enumeration
- System Hacking
- Trojans + Backdoors
- Viruses + Worms
- Sniffer
- Social Engineering
- Denial of Service
- Session Hijacking
- Hacking Web Servers
- Hacking Web Apps
- SQL Injection
- Wireless Hacking
- Evading IDS, Firewalls, Honeypots
- Buffer Overflow
- Cryptography
- Pen Testing
Introduction - CEH
- No legal advice

The legal framework is not very clear about what is actually lawful or not
Be authorized in advance by those with the authority to grant it.
Demonstrate and highlight how you could access the data without actually accessing it.
In Italy, use a document drawn up with the help of a lawyer, possibly including a legal indemnity (liability release)

- It may be illegal to run a PenTest on your own network

No prior authorization
Access to sensitive data

- Most hacks are unsuccessful

- Expensive exam
Introduction - CEH
- Current situation
News about cyber attacks
Criminal activities

- Anonymous activities

- Cyber terrorism

- Companies must necessarily have and implement security policies
User account management
Access management
Authentication and security levels
Delegation: rules for delegation
Authoritative sources of data
Introduction - CEH
- Overview of legislation

Computer Misuse Act 1990 (UK)
CAN-SPAM Act (2003)

- In Italy

Law 48/2008: ratification of the European Convention on Cybercrime
Law 196/2003 (personal data protection code)
DPS (Documento Programmatico sulla Sicurezza, the security policy document)
Measures of the Data Protection Authority (Garante) of 27/11/2008
The indemnity (liability release)
Introduction - CEH
- Terminology

Hacking
Hackers
Black Box Testing
White Box Testing
Gray Box Testing
Security
Vulnerability
Exploit / Proof of concept
Zero Day
Vulnerability Scan
Penetration Test
Introduction - CEH
- Origin of threats

Within the company

a. Authorized physical access
b. Logins via the network
c. Managers
d. Employees

Outside the company

a. External consultants
b. External collaborators
c. Affiliates and subsidiaries of the company
d. External maintenance staff, visitors, etc.
Introduction - CEH

- Who is a Hacker? (1/2)

Black Hats / Crackers / Malicious

Individuals with high computer skills who use them for malicious or destructive activity

White Hats / Ethical Hackers / Pentesters

Individuals with expertise in the field of computer hacking who use their knowledge to improve the security of the environment; they are often identified with the term Security Analyst
Introduction - CEH

- Who is a Hacker? (2/2)

Gray Hats

Individuals with high computer skills used, as appropriate, both for "offensive" and for "defensive" work

Suicide Hackers

Individuals who use their computer skills to disrupt victim companies or critical infrastructure, not caring about the possible legal repercussions they face.

Hacktivists / Script Kiddies / Phreakers / Red Team

Introduction - CEH
- How does a Hacker operate? (1/3)

Step 1: Reconnaissance

a. Research information about the victim
b. Broad survey of possible points of attack
c. Look for any information about customers, employees, networks, systems in use, etc.

Step 2: Scanning

a. Port scan
b. Network scan
c. Extract useful information on service versions
Introduction - CEH
- How does a Hacker operate? (2/3)

Step 3: Obtain access

a. Exploit
b. Weak password
c. Buffer overflow
d. Denial of service

Step 4: Maintain access

a. Keylogger
b. Backdoor
c. Rootkits
d. Trojan / Worm
Introduction - CEH
- Why do you need Ethical Hacking?

Vulnerability testing and security audits do not ensure that our infrastructure is safe

We need to implement defense strategies that take advantage of targeted pentests

Ethical Hacking is necessary in order to anticipate the moves of any malicious people who would compromise our systems
Introduction - CEH

- Benefits of Ethical Hacking

Risk assessment
Auditing
Fraud mitigation
Best practices
Good infrastructure management

- Disadvantages of Ethical Hacking

Despite the intentions of companies in hiring external people to test their systems, this does not guarantee a positive contribution to raising the security level of the company.

An Ethical Hacker can only help to understand the levels of security in place in the company. It is the company that must put proper countermeasures in place
Introduction - CEH

- What does an Ethical Hacker do?

Sniff out vulnerabilities

Verify the effectiveness of the security strategies implemented

Identify the vulnerabilities found in systems and networks

Test the ability to access sensitive data


Introduction - CEH
- The triangle of security, functionality and ease of use

[Figure: a triangle with Security, Functionality and Ease of use at its three corners]

Introduction - CEH

Introduction Virtual Lab + Linux


Introduction - CEH

Questions?
Footprinting and Reconnaissance - CEH

- Information gathering

- Attack surface assessment

- Exposure
Footprinting and Reconnaissance - CEH
- Information gathering

Search for technical information

a. Registered domains
b. IP ranges used
c. Services provided

Additional information

a. IT administrators in groups, forums, etc.
b. Tools used and software versions
c. Hardware devices and technologies
Footprinting and Reconnaissance - CEH
- Attack surface

Discover the machines and services used

Discover any open wireless networks

Other types of network access:

a. Waiting rooms
b. Kiosks
c. Shared networks

Possibility of using malware in the attack


Footprinting and Reconnaissance - CEH
- Exposure

Check the services found and the machines reachable:

a. Available exploits
b. Potential for abuse of the services

Organize the information collected

Create a plan of attack

a. An attack can be carried out by using several weaknesses in a coordinated manner

Test the posture (position) before the attack


Footprinting and Reconnaissance - CEH
- Footprinting

Delimit the scope of the attack

a. DNS / WHOIS
b. InterNIC
c. Physical location
d. RF (Wi-Fi, Bluetooth) monitoring - WarDriving

Traceroute analysis
Mirroring the target company's website
Tracking email communications
Using Google Hacking
Nessus scan
Nikto scan
Footprinting and Reconnaissance - CEH
- Perimeter attack

Analysis of DNS records

a. Assigned IPs
b. MX records
c. etc.

Examination of the company's website

a. Public or restricted website

Search for information via search engines (e.g. Google, Bing, Yahoo, etc.), job sites, financial services, etc.

Research on staff on social networks, chat services, etc.

Physical location of the office


Footprinting and Reconnaissance - CEH
- Traceroute analysis

Identification of devices: routers, firewalls, etc.

e.g. # traceroute 10.10.10.10
traceroute to 10.10.10.10, 64 hops max, 52 byte packets
 1  10.10.10.1 (10.10.10.1)  1.427 ms  1.160 ms  0.956 ms
 2  10.10.10.3 (10.10.10.3)  33.266 ms  34.849 ms  33.298 ms
 3  * * *
...

By correlating the information obtained it is possible to draw the network topology

Traceroute tools
a. VisualRoute Trace (http://viualroute.visualware.com)
b. Visual IP Trace (http://www.visualiptrace.com)
c. vTrace (http://vtrace.pl)
Footprinting and Reconnaissance - CEH
- Mirroring the corporate website

Create a copy of the entire corporate site in order to obtain information on its structure: CSS, images, Flash files, video, HTML code, etc.

Website mirroring tools:

a. Wget (http://www.gnu.org)
b. BlackWidow (http://softbytelabs.com)
c. WinWSD (http://winwsd.uw.hu)
d. etc.
Footprinting and Reconnaissance - CEH
- Tracking email communications

Email tracking is a valid method for monitoring and spying on the emails sent to recipients

a. When an email has been received or read
b. Possibility of sending destructive emails
c. Phishing attacks
d. Finding the endpoints of email communication
e. Tracking of documents, etc.

Email tracking tools:

a. Trout (http://www.foundstone.com)
b. 3d Visual Trace Route (http://www.3dsnmp.com)
c. etc.
Footprinting and Reconnaissance - CEH
- Using Google Hacking (1/2)

What a hacker can do with Google Hacking techniques

a. Find error messages that contain sensitive information
b. Find files containing passwords
c. Find security warnings or vulnerabilities
d. Find pages containing login forms
e. Find pages containing data regarding configuration or network vulnerabilities

Examples of some operators used for advanced Google searches:

a. [cache:] - shows the version of the site that is cached by Google
b. [inurl:] - restricts the search to pages where the given string is present in the URL
c. [intitle:] - narrows the search to documents that contain the specified string in the title
d. etc.
Footprinting and Reconnaissance - CEH
- Using Google Hacking (2/2)

Google Hacking tools:

a. MetaGoofil (http://www.edge-security.com)
b. SiteDigger (http://www.foundstone.com)
c. Google Hacks (http://code.google.com)
d. GMapCatcher (http://code.google.com)
e. Goolink Scanner (http://www.ghacks.net)
f. etc.
Footprinting and Reconnaissance - CEH
- Nessus scan

Nessus is a tool that allows you to find and, where possible, identify the services exposed by a particular server

[Picture of Nessus]

Nessus site (http://www.tenable.com/products/nessus)


Footprinting and Reconnaissance - CEH
- Nikto scan

Nikto is a tool that allows you to identify a web server and crawl the sites configured on it.

Nikto is also able to identify any known vulnerabilities present on that web server on the basis of its own internal database

[Picture of Nikto]

Nikto site (http://www.cirt.net/nikto2)


Footprinting and Reconnaissance - CEH
- Footprinting countermeasures (1/2)

Secure destruction of documents

Router / IDS configuration

a. Reject any suspicious traffic
b. Identify footprinting patterns
c. Close access to the ports that are not strictly necessary for the provision of the service, and filter any unused protocols out of the applications.

Configure the web server so that it does not give away useful information

Perform tests to verify the footprinting countermeasures


Footprinting and Reconnaissance - CEH
- Footprinting countermeasures (2/2)

Removal of any sensitive data from the DMZ

Prevention of spidering and of cached copies (robots.txt)

Split DNS

Honeypot
Footprinting and Reconnaissance - CEH

Questions?
Scanning - CEH
- CEH scanning methodology
- Types of scan
- Firewalking
- 3-way handshake
- Closing sessions
- Scanning techniques
- War dialing
- Scan tools
Scanning - CEH
- CEH scanning methodology

1) Check for live systems
2) Check open ports on the system
3) Identify the types of services and versions
4) Vulnerability scanning
5) Draw the network diagram
6) Use proxies
Scanning - CEH
- Types of scan

Network scanning

a. ICMP scanning
b. Ping sweep scanning

Port scanning

a. Check open ports on a system

Vulnerability scanning

a. Identification of services
b. Identification of application versions
c. Identification of applications
Scanning - CEH
- Firewalking

Identifies the ACLs (Access Control Lists) configured on the firewall

It uses the TTL (Time To Live) of a packet to find each "hop"

Forwarding packets towards the services gives one of two outcomes:

a. ICMP time exceeded (the packet was let through)
b. Packet dropped (the packet was filtered)

It is not necessary to reach the destination


Scanning - CEH
- 3-way handshake

Computer A -> Computer B: SYN = 1, SEQ # 10
Computer B -> Computer A: SYN = 1, ACK = 1, ACK # 11
Computer A -> Computer B: ACK = 1, SEQ # 11
Scanning - CEH
- Closing sessions

Graceful close (FIN):
Computer A -> Computer B: FIN, ACK
Computer B -> Computer A: ACK
Computer B -> Computer A: FIN, ACK
Computer A -> Computer B: ACK

Abrupt close (RST):
Computer A -> Computer B: RST
Scanning - CEH

- Scanning techniques

TCP Connect Scan


Stealth Scan
XMAS Scan
SYN / ACK / FIN Scan
NULL Scan
IDLE Scan
UDP Scan
Scanning - CEH
- TCP Connect scan

Reports the port as open only after completing the three-way handshake
- Packet sequence:

SYN

SYN, ACK

ACK, RST

The TCP Connect scan uses a RST packet to terminate the communication
Scanning - CEH
- Stealth scan

Used to bypass firewall rules and logging mechanisms, or to hide the activity as normal traffic

Open port:   attacker sends SYN, target replies SYN, ACK, attacker sends RST
Closed port: attacker sends SYN, target replies RST


Scanning - CEH

- XMAS scan

Forge a packet with the URG, ACK, RST, SYN and FIN flags set
The FIN flag works only for systems that have implemented the TCP stack according to RFC 793
Often does not work on some Microsoft Windows systems

Open port:   probe FIN, URG, PUSH -> no reply
Closed port: probe FIN, URG, PUSH -> RST
Scanning - CEH

- NULL scan

This technique works only for systems that have implemented the TCP stack according to RFC 793

Often does not work on some Microsoft Windows systems

Open port:   probe with no flags set -> no reply
Closed port: probe with no flags set -> RST, ACK
Scanning - CEH

- FIN scan

Send packets with the FIN flag set

The FIN flag works only for systems that have implemented the TCP stack according to RFC 793
Often does not work on some Microsoft Windows systems

Open port:   probe FIN -> no reply
Closed port: probe FIN -> RST, ACK
Scanning - CEH
- Idle scan

To verify whether a port is open it is enough to send a SYN packet

The target responds with SYN, ACK if the port is open, or with RST if it is closed

A PC that receives a SYN, ACK in response to a request it never sent will reply with RST
Any unsolicited RST is ignored
Each packet on the network carries a "fragment identification" number (IPID)
The Idle scan is a scanning technique in which spoofed packets are sent to check the status of the ports on a target.
Scanning - CEH

- Idle scan: Step 1

Send SYN, ACK to the zombie PC to check its IPID

Each packet on the network has its own IP ID, consisting of 4 digits, which is incremented each time the PC sends a packet
The zombie PC, not expecting the SYN, ACK, responds with an RST, incrementing its own IPID in reply to the SYN, ACK probe packet
Scanning - CEH

- Idle scan: Step 2.1 Open port

Send a SYN to port 80 (for example) of the target, with the spoofed IP of the zombie

Attacker -> Target: SYN to port 80, source IP = Zombie
Target -> Zombie: SYN, ACK (open port)
Zombie -> Target: RST, IPID = xxxx + 1

Scanning - CEH

- Idle scan: Step 2.2 Closed port

If the port is closed, the target sends a RST packet to the zombie, which does not respond.

Attacker -> Target: SYN to port 80, source IP = Zombie
Target -> Zombie: RST
Zombie: no response
Scanning - CEH

- Idle scan: Step 3

The attacker sends another request to the zombie

If the IPID has been incremented by one extra step the port is open, otherwise it is not

Attacker -> Zombie: SYN, ACK
Zombie -> Attacker: RST, IPID = xxxx + 2


Scanning - CEH
- SYN / FIN IP fragments scan:

This is not a method different from the previous scans

It involves sending the TCP header split across fragmented packets so that "packet filtering" systems fail to intercept it

- ACK scan:

The attacker sends packets with the ACK flag set and random sequence numbers
No response means that the port is filtered
A RST packet in response indicates that the port is not filtered
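The flag-based probe types described on the preceding slides (SYN, NULL, FIN, XMAS, ACK) can be recognised on the wire from the defender's side. The following is an added example, not part of the original course material: it parses constructed tcpdump-style summary lines, maps each probe's TCP flag set to the scan type the slides describe, and reports any source that probes many distinct ports on one host. The line format, the port threshold and the sample addresses are assumptions.

```python
"""Classify TCP probe packets by flag combination and flag port-scan behaviour.

Added example (not part of the original course slides). Input lines are
tcpdump-style one-line summaries; the records below are constructed, not captured.
"""
import re
from collections import defaultdict

# Flag letters as tcpdump prints them: S=SYN, F=FIN, P=PSH, U=URG, R=RST, .=ACK
SCAN_TYPES = {
    frozenset("S"): "SYN scan (half-open)",
    frozenset(): "NULL scan",
    frozenset("F"): "FIN scan",
    frozenset("FPU"): "XMAS scan",
    frozenset("."): "ACK scan (filter mapping)",
}

LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, dst, dport, flagset) or None if the line is not a TCP summary."""
    m = LINE_RE.search(line)
    if not m:
        return None
    flags = frozenset(m.group("flags"))  # e.g. "FPU" -> {'F', 'P', 'U'}
    return m.group("src"), m.group("dst"), int(m.group("dport")), flags


def classify_flags(flags):
    """Map a flag set to a scan type name, or 'normal/other' (SYN+ACK replies, RST, data)."""
    return SCAN_TYPES.get(frozenset(flags), "normal/other")


def detect_scans(lines, port_threshold=5):
    """Group probe-like packets by (src, dst) and return the suspicious pairs.

    A pair is suspicious when the source touched at least port_threshold distinct
    destination ports with scan-type flag combinations. A lone SYN or ACK is also
    normal traffic, which is why the per-host port count, not the flag alone, decides.
    """
    probes = defaultdict(lambda: {"ports": set(), "types": set()})
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        src, dst, dport, flags = parsed
        kind = classify_flags(flags)
        if kind == "normal/other":
            continue
        entry = probes[(src, dst)]
        entry["ports"].add(dport)
        entry["types"].add(kind)
    return {
        pair: {"port_count": len(e["ports"]), "types": sorted(e["types"])}
        for pair, e in probes.items()
        if len(e["ports"]) >= port_threshold
    }


# Constructed sample: 10.10.10.50 runs a NULL/XMAS/FIN sweep against 10.10.10.10,
# while 10.10.10.77 performs one ordinary three-way handshake to port 80.
SAMPLE_LINES = [
    "12:00:01.000 IP 10.10.10.50.40001 > 10.10.10.10.22: Flags [], seq 0, win 1024",
    "12:00:01.010 IP 10.10.10.50.40002 > 10.10.10.10.25: Flags [], seq 0, win 1024",
    "12:00:01.020 IP 10.10.10.50.40003 > 10.10.10.10.80: Flags [FPU], seq 0, win 1024",
    "12:00:01.030 IP 10.10.10.50.40004 > 10.10.10.10.443: Flags [FPU], seq 0, win 1024",
    "12:00:01.040 IP 10.10.10.50.40005 > 10.10.10.10.3389: Flags [F], seq 0, win 1024",
    "12:00:01.050 IP 10.10.10.10.22 > 10.10.10.50.40001: Flags [R.], seq 0, ack 1, win 0",
    "12:00:02.000 IP 10.10.10.77.51000 > 10.10.10.10.80: Flags [S], seq 1, win 65535",
    "12:00:02.001 IP 10.10.10.10.80 > 10.10.10.77.51000: Flags [S.], seq 9, ack 2, win 65535",
    "12:00:02.002 IP 10.10.10.77.51000 > 10.10.10.10.80: Flags [.], ack 10, win 65535",
]

if __name__ == "__main__":
    for (src, dst), info in detect_scans(SAMPLE_LINES).items():
        print(f"{src} -> {dst}: {info['port_count']} ports, {', '.join(info['types'])}")
```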
Scanning - CEH

- UDP scan:

For a UDP port scan the 3-way TCP handshake is not required

When a packet is sent to a port in the Open state, the target system does not send any packet back

If a UDP request is sent to a port in the Closed state, the target system responds with an ICMP port unreachable message

Spyware, Trojan horses and other malicious applications use UDP ports to propagate between systems
Scanning - CEH

- War dialing

One of the attack techniques used in the past (Mitnick)

It consisted of calling a range of phone numbers looking for an endpoint that answers, in order to initiate a connection.
Often automated
a. Using a range of random numbers

A response from an endpoint often reveals the presence of an "emergency" access reserved for system administrators
Scanning - CEH

- Scan tools

Nmap (http://nmap.org/)
Nessus (http://www.tenable.com/products/nessus)
OpenVAS (http://www.openvas.org/)
Hping (http://www.hping.org/)
Netcat (http://netcat.sourceforge.net/)
SuperScan (http://www.foundstone.com)
Free Port Scanner (http://www.nsauditor.com)
THC-Scan (http://freeworld.thc.org)
iWar (http://www.softwink.com)
Scanning - CEH

Questions?
Enumeration - CEH

- Enumeration
- Enumeration techniques
- NetBIOS enumeration
- Enumerating user accounts
- SNMP enumeration
- Unix / Linux enumeration
- SMTP enumeration
Enumeration - CEH
- What is enumeration?

Enumeration is the process of extracting user names, machine names, network resources, shared resources and services from a system

Enumeration techniques are applied mostly in an intranet environment
Enumeration - CEH
- Enumeration techniques

Extract user names from email IDs
Pull user names through the SNMP service
Extract groups from Windows machines
Extract data using default passwords
Brute forcing Active Directory
Extract information using DNS zone transfers
Enumeration - CEH
- NetBIOS enumeration

An attacker exploits NetBIOS enumeration to obtain

a. The list of computers that belong to a domain
b. The list of network shares that each host exposes on the network
c. Policies
d. Passwords
Enumeration - CEH
- Enumeration of systems using default passwords

Devices such as hubs, switches and routers are often used with the default password
An attacker can gain access to these systems, and to the information they contain, using default credentials
Default password site (http://www.defaultpassword.com)
Enumeration - CEH
- SNMP enumeration

SNMP (Simple Network Management Protocol) is a protocol used to monitor and maintain hosts, routers and, in general, any device on the network that supports it
An attacker uses SNMP enumeration to extract information about the resources of the network devices
SNMP consists of a manager and an agent; the agent is directly integrated in the device, and the manager is usually a separate, dedicated system
The default community string used for monitoring and read access to the information is "public", while the one for maintenance and write access is "private"
SNMP enumeration uses these strings to extract useful information about the equipment
Enumeration - CEH
- Unix / Linux enumeration

For Unix / Linux there are several commands to enumerate resources on the network

a. showmount: provides the list of shares exported by the system
b. finger: makes it possible to enumerate users and hosts, providing detailed information such as home directories, etc.
c. rpcclient: provides a list of users on Linux and OS X
d. rpcinfo: helps to enumerate the RPC (Remote Procedure Call) protocol. The RPC protocol allows applications to communicate over the network.
Enumeration - CEH
- SMTP enumeration

A service that can be queried directly with the "Telnet" command
It allows enumeration of users through the normal commands available

a. VRFY / EXPN

b. RCPT TO
Enumeration - CEH
- User account enumeration

You can try to obtain them through anonymous queries to the LDAP server

On Windows systems, by using the SID (Security Identifier)

a. Null session
b. SID to user
Enumeration - CEH

Questions?
System Hacking - CEH

- Password cracking / attacks
- Privilege escalation
- Running programs: spyware / keylogger / rootkits
- NTFS data streams
- Steganography
- Covering the tracks
System Hacking - CEH

- Password cracking / attacks

Password cracking techniques are used to recover the password of a given system
Attackers use this type of technique to obtain unauthorized access to vulnerable systems
These techniques work because of the simplicity of the passwords chosen by users
System Hacking - CEH
- Password cracking techniques

Dictionary attack
a. Uses a file containing common passwords

Brute force attack (Brute Forcing Attack)
a. Tries combinations of numbers and characters until the password is found

Hybrid attack (Hybrid Attack)
a. Similar to the dictionary attack, but adds numbers and letters to the words used in the dictionary

Syllable attack (Syllable Attack)
a. Combines the dictionary attack and brute force

Rule-based attack (Rule-Based Attack)
a. Based on information that the attacker has previously found regarding the password (company policy, the number of special characters, etc.)
System Hacking - CEH

- Types of attack on passwords

Passive online attack

Active online attack

Offline attack

Non-electronic attack

System Hacking - CEH

- Passive Online Attack

Sniffing the network

MIM (Man in the Middle)

Replay
System Hacking - CEH

- Attack Active Online

Predictability of passwords

Trojan / Spyware / Keylogger

Hash injection
System Hacking - CEH

- Offline attack

Precalculated hashes

Rainbow tables

Distributed networks
System Hacking - CEH

- Non-electronic attack

Spying from behind on those typing a password (Shoulder Surfing)

Social engineering

Rummaging in the garbage (dumpster diving)


System Hacking - CEH
- Privilege escalation

Exploits vulnerabilities in the operating system

Software vulnerabilities

Programming errors
a. Data buffer overflow
b. No distinction between data and executable code
c. Failure to check user input, etc.

Often used with shellcode exploits


System Hacking - CEH
- Spyware

A program that records the actions the user performs on the computer and while surfing the Internet, without the user knowing anything about it
a. It hides its process
b. It hides its files and other objects
c. Difficult to remove

Methods of propagation
a. Masquerading as anti-spyware
b. Downloaded from the Internet
c. Exploiting browser vulnerabilities
d. Fictitious add-ons
e. Software installations containing specially designed macros
System Hacking - CEH
- Keylogger (Keystroke Logger)

Software or hardware components that record what the user types on the keyboard

Everything recorded is saved in a file and sent to a remote destination

The keylogger inserts itself into the communication between the keyboard and the operating system

Some companies use this type of equipment or software to monitor their employees; it is also used at home for the purpose of monitoring children, and so on.
System Hacking - CEH

- Rootkit

These are programs that reside at the kernel level to hide themselves and cover the tracks of their activities

They replace specific routines or operating system components with ad hoc modified versions

Rootkits allow an attacker to maintain access to the system
System Hacking - CEH

- Types of rootkit (1/2)

Hardware / Firmware
Hides in physical devices or in firmware updates that do not check code integrity

Hypervisor level
Changes the boot sequence so as to place itself before the operating system, which it runs virtualized

Boot loader level
Replaces the original boot loader with one controlled by a remote attacker
System Hacking - CEH

- Types of rootkit (2/2)

Kernel level
Replaces or adds malicious code to parts of the kernel of the operating system or device

Library level
Replaces operating system libraries in order to hide information about the attacker

Application level
Replaces the executables of regular applications with Trojans or malicious pieces of code
System Hacking - CEH

- NTFS data streams

NTFS Alternate Data Streams (ADS) are a hidden information-stream mechanism in Windows that holds a file's metadata (attributes, word count, author name, etc.)

ADS is the mechanism that allows attributes to be added to a file without changing its functionality or how it appears in the file manager

ADS can be exploited by an attacker to inject code into a compromised system and execute commands without being detected by the user
System Hacking - CEH

- Steganography (1/2)

Steganography is the technique of hiding secret messages and extracting them at the destination while maintaining the confidentiality of the message

Using graphic images as a cover to hide data, coordinates or secret plans is one of the most widely used methods

There are several free programs that allow the use of steganographic techniques
System Hacking - CEH

- Steganography (2/2)

Example with ImageHide (http://www.dancemammal.com/imagehide.htm)
System Hacking - CEH
- Covering the tracks

Remove all web activity traces such as MRU (Most Recently Used) lists, cookies, cache, history and temporary files
Disable auditing systems

Edit the log files, do not delete them!

a. Operating system
b. Applications
c. Database access
d. Administrative
e. utmp / lastlog / wtmp

Close all connections to the target machine

a. Use tools or alter files to obfuscate your presence
b. Windows Watcher, Tracks Eraser Pro, Evidence Eliminator, etc.

Close all the ports that were used and apply patches to the system, to prevent other hackers from getting in
System Hacking - CEH

Questions?
Trojans + Backdoors - CEH

- What is a Trojan?

It is a program containing malicious code within itself that allows taking control of the system and causing damage to it

With the help of a Trojan the attacker is able to gain access to the passwords stored on the system and, in general, to anything on it: personal documents, deleted files, images, messages, etc.
Trojans + Backdoors - CEH

- What is the purpose of a Trojan?

Steal important information, such as passwords, secret codes, credit card information, bank details, etc.
Record the activities on the victim's PC
Modify or replace operating system files
DoS attacks
Download spyware and keyloggers
Disable protection systems: anti-virus, anti-spyware, etc.
Use the victim's PC to propagate the Trojan infection
Trojans + Backdoors - CEH

- What method is used to infect a system with a Trojan?

1. Create a modified package using a Trojan Horse Construction Kit
2. Create the routine ("dropper") that will be the heart of the Trojan and execute the malicious code on the target system
3. Create a container ("wrapper") with the tool, containing the Trojan, which will be used to install everything on the victim's PC
4. Propagate the Trojan
5. Run the dropper
6. Execute the harmful routine
Trojans + Backdoors - CEH
- Ways by which a Trojan is able to infect a system

Software packages created by disgruntled employees
Fake programs (AV pop-ups, rogue security software)
Files downloaded from the Internet (games, music, screen savers, etc.)
Messaging systems (IM, IRC, AOL, etc.)
Suggested links or attachments provided in emails
File sharing
Vulnerabilities of the browsers or mail clients used
Physical access to the PC
Trojans + Backdoors - CEH

- How a Trojan evades controls

Splitting the Trojan's code into small, separate, compressed parts

Changing the content and the checksum, and encrypting the Trojan's code using a hex editor

Not using Trojans downloaded directly from the Internet

Using different common extensions to disguise the Trojan's executable
Trojans + Backdoors - CEH

- Some types of Trojans

Command Shell Trojan
Covert Channel Trojan
Botnet Trojan
Proxy Server Trojan
Remote Access Trojan (backdoor)
E-Mail Trojan
FTP Trojan
E-Banking Trojan
Mobile Trojan
Spam Trojan
Mac OS X Trojan
etc.
Trojans + Backdoors - CEH

- Methods for detecting the presence of Trojans within a compromised system

Scanning open ports
Scanning active processes
Scanning the installed drivers
Scanning Windows services
Scanning the programs that start at boot
Scanning for suspicious files or folders
Monitoring network activity
Scanning for recently modified operating system files
Using a Trojan scanner
Viruses + Worms - CEH

- What is a virus?

It is a self-replicating program that spreads by inserting its code into other executable programs

Some viruses infect the computer as soon as the program that contains them is run

Other kinds of virus remain dormant until a triggering event activates them
Viruses + Worms - CEH
- Why are viruses created?

To damage competitor companies

Financial gain

Research projects

For fun

Acts of vandalism

Cyber terrorism

To distribute political messages


Viruses + Worms - CEH
- How can a virus infect a computer?

The antivirus signature database is not updated

Outdated versions of installed plugins

By installing pirated or cracked software

Opening infected emails

When a user downloads files without verifying the source


Viruses + Worms - CEH
- Some examples of virus types

System or boot sector virus
File virus
Cluster virus
Multipartite virus
Macro virus
Encryption virus
Polymorphic virus
Shell virus
Tunneling virus
Viruses + Worms - CEH
- What is a worm?

It is a malicious program that can replicate, run and propagate itself through the network without human intervention

Most worms are created to replicate and spread across the network in order to consume computing resources

Some worms may contain code that can harm the infected system

Attackers use worms to install backdoors on infected systems so as to create zombies or botnets. Botnets are used for future cyber attacks
Viruses + Worms - CEH
- How to avoid worm and virus infections

Install an antivirus and keep its signature database updated
Regularly update systems with the latest available security patches
Pay particular attention to files or programs downloaded from the Internet
Avoid running email attachments whose sender is unknown
Always keep a backup of the data so that it can be restored in case of infection
Regularly scan your PC
Do not use administrative accounts
Use programs that control connections (personal firewalls, etc.)
Use programs such as Tripwire, sigverif and Windows File Protection
Viruses + Worms - CEH

Questions?
Sniffer - CEH
- ARP
- Uses of sniffing
- Sniffing techniques
- Active sniffing
- Countermeasures
Sniffer - CEH
- ARP

It is a network protocol whose task is to provide the mapping between the IP address and the MAC address of a PC on an Ethernet network

Specified in RFC 826

ARP tables

ARP Request / ARP Reply mechanism


Sniffer - CEH
- Uses of sniffing

To identify the elements of a network

a. Routers
b. DNS servers
c. Type of addressing used
d. Network equipment

To get the MAC address and IP address of a computer on the network

To obtain sensitive data

a. Credentials traveling over unencrypted channels (HTTP, FTP)
b. Confidential documents
c. Password hashes
d. Etc.
Sniffer - CEH
- Sniffing techniques

Passive sniffing

a. Applicable only in a network where there are "hubs"
b. Consists of monitoring the packets traveling over the network
c. Hubs are obsolete today

Active sniffing

a. A technique used on networks where there are "switches"
b. Consists of injecting packets (ARP) into the network that generate requests
Sniffer - CEH
- Active sniffing (1/3)

It is used where passive listening on the network is not possible, due to the presence of switches

It involves injecting fictitious packets into the network in order to divert traffic to the attacker

It exploits the weaknesses of the ARP protocol

It is legitimate if used for monitoring or controlling the network

a. SPAN port: reserved for duplicating traffic in the switch
b. Monitoring port
c. Port mirroring
Sniffer - CEH
- Active sniffing (2/3)

ARP spoofing (poisoning)

a. Inject modified ARP replies (e.g. the gateway's MAC)
b. It requires consistency and frequency
c. Easily identifiable
d. Easy to prevent by enabling "port security" on the equipment

MAC duplication
a. Replace your own MAC address with that of the target machine
Sniffer - CEH
- Active sniffing (3/3)

MAC flooding
a. Generates a high quantity of spoofed ARP replies
b. Saturates the memory and refresh capacity of the switches
c. Turns the switch into a hub

DHCP attack

a. Sending IP requests to the DHCP server in order to exhaust the available address pool
b. It is considered a DoS (Denial of Service)
Sniffer - CEH
- Countermeasures

Enable port security on the switches where available

a. Prevents duplicated MAC addresses
b. Maintains a mapping of MAC addresses to the ports to which they are connected

Use an IDS (Intrusion Detection System)

a. Allows immediate detection of MAC Flooding, duplicate MACs and high amounts of ARP traffic

Use static ARP tables

Enable DHCP Snooping
a. Prevents DHCP attacks
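The detection logic an IDS applies to the three attacks above (ARP spoofing of the gateway, MAC duplication, MAC flooding), as an added example that is not part of the course slides. The ARP reply records, port names and thresholds are constructed for the demo.

```python
"""ARP anomaly detection of the kind an IDS performs (gateway MAC changes,
MAC duplicates, MAC flooding), over constructed ARP reply records.

Added example; not part of the course slides. Each record is
(timestamp_seconds, sender_ip, sender_mac, switch_port) as a network IDS
or a switch with port security would see it.
"""
from collections import defaultdict, deque

# Constructed sample traffic. 10.0.0.1 is the real gateway on port Gi0/1.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01", "Gi0/1"),
    (0.5, "10.0.0.10", "aa:aa:aa:aa:aa:10", "Gi0/10"),
    (1.0, "10.0.0.11", "aa:aa:aa:aa:aa:11", "Gi0/11"),
    # ARP spoofing: a host on Gi0/12 claims the gateway IP with its own MAC
    (1.2, "10.0.0.1", "aa:aa:aa:aa:aa:12", "Gi0/12"),
    # MAC duplication: a host on Gi0/13 reuses the MAC of the host on Gi0/10
    (1.4, "10.0.0.13", "aa:aa:aa:aa:aa:10", "Gi0/13"),
]
# MAC flooding: 300 distinct spoofed MACs from one port within 0.3 s
SAMPLE_ARP_REPLIES += [
    (2.0 + i / 1000, f"10.9.{i // 256}.{i % 256}",
     f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}", "Gi0/20")
    for i in range(300)
]


def detect_arp_anomalies(replies, flood_threshold=100, window=1.0):
    """Return a list of (alert_type, subject, detail) tuples.

    ARP_SPOOF     an IP previously mapped to one MAC is now claimed by another
                  (what a static ARP table would simply refuse to learn)
    MAC_DUPLICATE a MAC previously learned on one port appears on another
                  (what switch port security blocks)
    MAC_FLOOD     more than flood_threshold distinct MACs seen on one port
                  inside `window` seconds (the switch CAM table filling up)
    """
    alerts = []
    ip_to_mac = {}
    mac_to_port = {}
    port_windows = defaultdict(deque)   # port -> deque of (ts, mac)
    flooded_ports = set()

    for ts, ip, mac, port in replies:
        known_mac = ip_to_mac.setdefault(ip, mac)
        if known_mac != mac:
            alerts.append(("ARP_SPOOF", ip, f"{known_mac} -> {mac} via {port}"))

        known_port = mac_to_port.setdefault(mac, port)
        if known_port != port:
            alerts.append(("MAC_DUPLICATE", mac,
                           f"seen on {known_port} and {port}"))

        win = port_windows[port]
        win.append((ts, mac))
        while win and ts - win[0][0] > window:
            win.popleft()
        distinct = len({m for _, m in win})
        if distinct > flood_threshold and port not in flooded_ports:
            flooded_ports.add(port)
            alerts.append(("MAC_FLOOD", port, f"{distinct} MACs in {window}s"))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in detect_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(f"{kind:14} {subject:20} {detail}")
```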
Sniffer - CEH
- Some useful programs

ARP attacks

a. Ettercap (http://ettercap.github.io/ettercap/)
b. Cain & Abel (http://www.oxid.it/cain.html)
c. SMAC (http://www.klcconsulting.net/smac-cl/)

Sniffing tools

a. tcpdump (http://www.tcpdump.org/)
b. Wireshark (http://www.wireshark.org/)
c. Dsniff (http://www.monkey.org/~dugsong/dsniff/)
d. Aircrack-ng (http://www.aircrack-ng.org/doku.php?id=airodump-ng)
Sniffer - CEH

Questions?
Social Engineering - CEH
- Social Engineering

"Social Engineering" is the art of fooling people into revealing confidential information

This kind of technique draws its strength from the fact that people are unaware of the value of the information in their possession, and from the lack of care in keeping this information confidential
Social Engineering - CEH
- Victims of Social Engineering attacks

Secretaries or help desk personnel

Users or customers of the company

Company suppliers

System Administrators

Technical support staff


Social Engineering - CEH
- Phases of a Social Engineering attack

a. Search for information on the target company

Dumpster diving
Website
Information about employees
Inspections of the company premises
etc.

b. Select a victim
Identifying, for example, a disgruntled employee

c. Develop a relationship with the victim

Begin a relationship with the employee selected as the victim

d. Exploit the relationship

Get information such as user names, financial information, technologies used, etc.
Social Engineering - CEH
- Techniques of Social Engineering (1/2)

Human-based
a. Dumpster Diving (searching the trash)
b. Posing as a user
c. Posing as a company VIP
d. Posing as a technical support person
e. Interception of telephone conversations
f. Spying on people from behind (Shoulder Surfing)
g. Sneaking in (Tailgating)
h. Posing as a third party
i. etc.
Social Engineering - CEH
- Techniques of Social Engineering (2/2)

Computer-based
a. Using pop-up windows that appear during navigation (gifts, millionaire sweepstakes, etc.)
b. Through hoax letters (Hoax)
c. Through chain letters
d. Via chat messages (dates of birth, maiden names, family names, etc.)
e. Via Spam e-mail
f. Phishing
g. Sending fake SMS requesting banking information
Social Engineering - CEH
- Countermeasures

Adopt clear corporate policies of behavior and enforce them

Enhance physical security

Train staff to respond to such threats

Implement control and verification measures, and keep them constant

Identify the possible recipients and the dangerous content of e-mail
Social Engineering - CEH

Questions?
Denial of Service - CEH
- What is a Denial of Service?

A Denial of Service (DoS) attack is an attack on a computer or a computer network designed to inhibit the normal delivery of the available services

In a DoS attack the attacker floods the victim system with requests up to the saturation of the available resources
Denial of Service - CEH
- DoS attack techniques

Ping of Death (ICMP Flood)

a. Send a large number of ICMP requests
b. It causes the saturation of the available memory
c. Modern OSs have a prevention system for the Ping of Death

SYN Flood
a. Exploits the normal operation of the 3-way Handshake
b. Saturates the available memory
c. Leaves half-open connections hanging for up to 75 seconds
Denial of Service - CEH
- Why use a DoS attack

Vandalism

As a warning or activist method

As an anti-tracking method (Mitnick, Shimomura)


Denial of Service - CEH
- Common DoS programs

Trinity - IRC DDoS

r-u-dead-yet (RUDY) - HTTP POST DDoS

Tribe - Network flood

Slowloris - HTTP DoS

Low Orbit Ion Cannon (LOIC) - DoS tool


Denial of Service - CEH

Questions?
Session hijacking - CEH
- What is Session Hijacking?

Session Hijacking refers to the exploitation and compromise of a valid session between two computers

An attacker steals a valid session ID to gain access to the system and the data contained in it

TCP Session Hijacking means that an attacker takes control of a TCP session between two computers
Session hijacking - CEH
- Types of Session Hijacking

Active
a. Consists of replacing the host whose session has been taken over

Passive
a. Consists of routing the traffic through the attacker, who merely observes and records it

Hybrid
a. Similar to the passive one, unless important information is found
Session hijacking - CEH
- Key Session Hijacking techniques

Brute forcing
a. The attacker tries different session IDs until a valid one is found

Stealing
a. The attacker uses different techniques to steal valid session IDs

Calculating
a. The attacker tries to calculate the value of a valid session ID
Session hijacking - CEH
- Brute Forcing

Try to identify session IDs in the clear (no SSL)

Try to identify multiple valid session IDs

Sessions that do not have expiration times

Accounts that do not have credential lockout


Session hijacking - CEH
- Man in the Middle

Based on sniffing traffic

Gives the ability to add packets to an existing session

It can be used to change the sequence numbers in an attempt to maintain the active user session for the purpose of injecting malicious code

The payload of the packets sent can be changed by adding


Session hijacking - CEH
- Session Fixation

The attacker determines the session ID

If the login has already been made, the attacker attempts to keep the session active

Phishing techniques are exploited to send the session ID to the user

Once the user has authenticated, the attacker is able to access the target user's data
Session hijacking - CEH
- What are the advantages of Session Hijacking

Access to the server as an authenticated user

Often the access remains hidden

a. An existing session ID is kept, replacing the original client
b. The hijacking is difficult to trace
c. The credentials are valid

The nature of the TCP session gives the possibility of continuous access

No need to re-authenticate or to alter the security package


Session hijacking - CEH
- Programs for Hijacking

Hamster / Ferret
Firesheep
Ettercap
Juggernaut
Hunt
T-Sight
Metasploit
SSL Strip
Session hijacking - CEH
- Countermeasures

Use communications on secure channels (SSL) wherever possible

Exchange cookies through encrypted channels (HTTPS)
Implement systems to deauthenticate (log out) user sessions
Use session IDs generated only after authenticated access
Use random sequences of numbers and letters for the generation of session keys
Exchange only encrypted data between the user and the webserver
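Server-side session handling that applies the countermeasures above (random IDs, IDs issued only after authentication, expiry, logout) and, as a consequence, defeats the Session Fixation attack described on the earlier slide. This is an added example, not the course's code; the user store, salt, password and clock are constructed for the demo.

```python
"""Session store implementing the slide's countermeasures.

Added example; not part of the course slides. USERS, _SALT and the demo
password are constructed; a real system stores a random salt per user.
"""
import hashlib
import hmac
import secrets
import time

SESSION_TTL_SECONDS = 15 * 60
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash_password("correct horse")}   # constructed user store


def verify_password(username: str, password: str) -> bool:
    candidate = _hash_password(password)               # always do the work
    stored = USERS.get(username, b"\x00" * len(candidate))
    return username in USERS and hmac.compare_digest(candidate, stored)


def new_session_id() -> str:
    # 32 bytes from the OS CSPRNG: not sequential, not calculable from an
    # earlier ID, and far too large a space to brute force.
    return secrets.token_urlsafe(32)


class SessionStore:
    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}        # session id -> (username, expires_at)
        self._ttl = ttl
        self._clock = clock

    def login(self, username, password, presented_sid=None):
        """Return a fresh session ID on success, None on failure.

        Whatever ID the client presented before authenticating (possibly one
        an attacker fixed through a phishing link) is discarded, never
        upgraded: the authenticated ID is generated only after the login.
        """
        if not verify_password(username, password):
            return None
        self._sessions.pop(presented_sid, None)
        sid = new_session_id()
        self._sessions[sid] = (username, self._clock() + self._ttl)
        return sid

    def user_for(self, sid):
        """Return the username bound to sid, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[sid]          # every session expires
            return None
        return username

    def logout(self, sid):
        """Deauthenticate the session server-side."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    fixed = "id-chosen-by-attacker"            # session fixation attempt
    sid = store.login("alice", "correct horse", presented_sid=fixed)
    print("attacker's fixed id valid after login?", store.user_for(fixed) is not None)
    print("fresh id bound to alice?", store.user_for(sid) == "alice")
```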
Session hijacking - CEH

Questions?
Hacking Web Servers - CEH
- Current Webserver vendors

Apache

Microsoft IIS

Lighttpd

Google

Nginx
Hacking Web Servers - CEH
- Architecture of a WebServer

Communication ports and protocols used

a. HTTP (Hypertext Transfer Protocol) Port 80
b. HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) Port 443

Manages requests received from clients with various methods

a. GET
b. POST
c. TRACE

Potentially vulnerable to
a. Malformed GET / POST
b. SQL Injection
c. Configuration Errors
d. Etc.
Hacking Web Servers - CEH
- Impact of attacks on a WebServer

Compromise of user accounts

Tampering with the managed data

Use as a bridge to other web attacks

Theft of information

Administrative access to the server or other applications

Defacement of the hosted site


Hacking Web Servers - CEH
- Some types of attack on the WebServer

WebServer configuration errors

a. Administrative capabilities enabled

b. Error messages or information-rich debug output

c. Backups, old copies of configuration files, scripts

d. Anonymous or test users enabled with an easily guessable password

e. Etc.
Hacking Web Servers - CEH
- Some types of attack on the WebServer

Directory Traversal

a. Access to confidential directories of the system

b. Running commands external to the WebServer

c. Access to confidential information

d. Use of UNICODE encoding to mask requests


Hacking Web Servers - CEH
- Some types of attack on the WebServer

Tampering with the request parameters (URL)

a. Changing the parameters exchanged between client and server

b. Example:
http://www.example.com/sample?a=1234&b=456&admin=1

URL Obfuscation

a. UNICODE encoding, Binary, Decimal, etc.


Hacking Web Servers - CEH
- Some types of attack on the WebServer

Source Code Analysis

a. Discovery of sensitive directories, other servers or services

b. Users and passwords

c. Preconfigured or default session IDs

Passwords

a. Brute Force attack

b. Dictionary attack

c. Hybrid attack

d. Simple passwords
Hacking Web Servers - CEH
- Methodology to attack the WebServer (1/2)

Information gathering
a. Collection of information about the target company
b. Search newsgroups, forums, etc.
c. Whois, Traceroute, etc. to map the structure of the victim's systems

Identification of the type of WebServer

a. Type of server, operating system, etc.

Copy of the Website structure

a. Create a copy of the site structure
b. Find useful comments within the code
Hacking Web Servers - CEH
- Methodology to attack the WebServer (2/2)

Scanning for known vulnerabilities

a. Identify any weaknesses in the system
b. HP WebInspect, Nessus, etc.

Session Hijacking
a. Sniffing valid session IDs for unauthorized access
b. Burp Suite, Paros Proxy, Hamster, FireSheep

Cracking the passwords used by the WebServer

a. Attempt to find passwords with various useful techniques
b. Brutus, THC-Hydra, etc.
Hacking Web Servers - CEH
- Countermeasures

Regularly scan and patch systems

Apply any update provided by the software manufacturers

Ensure that all systems have the same versions of Service Packs, Hotfixes and Security Patches

Provide a disaster recovery plan and backup systems in the event a recovery is required
Hacking Web Servers - CEH

Questions?
Hacking Web Apps - CEH
- Defining a Web Application

It is a communication interface between the user and the Web Server, consisting of several server-generated pages that contain scripts or commands to be executed dynamically by the user's browser

Businesses rely on web applications, and more generally on web technology, as a key support for business processes and their improvement
Hacking Web Apps - CEH
- Components of a Web App

The Web Server

The application Content

Data Access
Hacking Web Apps - CEH
- How a Web App works

[Diagram: User request -> Web Server -> Web Application -> DBMS / OS Command -> Output to the User]
Hacking Web Apps - CEH
- Types of Web App attacks (1/2)

SQL Injection
a. The most common and most effective attack
b. Exploits the input forms present in web pages
c. Forces login requests to obtain valid credentials
d. Interfaces with the DB (alter, insert, delete tables)

Automated tools
a. SQLMap
b. SQL Ninja
c. Havij
d. Etc.
Hacking Web Apps - CEH
- Types of Web App attacks (2/2)

Cross Site Scripting (XSS)

a. Forces the execution of script actions not foreseen by the application
b. Execution of commands or installation of software
c. Based on incorrect handling of user input by the application
d. The tag par excellence for indicating XSS: "<script>"

Cross Site Request Forgery (CSRF)

a. Forces the user's browser to send malicious requests without the user's control
b. The victim has a valid active session on a "Trusted" site while visiting a malicious site, which injects a malformed HTTP request that is forwarded to the main site and carried out as if it were legitimate
Hacking Web Apps - CEH
- Methodology for attacking a Web App

Get a map of the WEB infrastructure

Attack the Web Servers

Analysis of the Web application

Attempt to bypass the authentication mechanisms

Attempt to bypass the authorization mechanisms

Attack the session control mechanisms

Attempt injection of packets

Attack the possible Web App clients

Attack the Web services used by the application


Hacking Web Apps - CEH
- Web Application Firewall (WAF)

Firewall with advanced features

Specialized in defending web applications

It allows the analysis of HTTP / HTTPS traffic to intercept and possibly block dangerous requests

It allows you to block SQL injection attacks, buffer overflows, XSS, etc.
Hacking Web Apps - CEH

Questions?
SQL Injection - CEH
- What is SQL Injection?

SQL injection is a technique that exploits incorrect validation of user input by the WEB application to execute SQL commands on the back-end DB

SQL Injection is an attack aimed at obtaining unauthorized access to the database or the information contained in it
SQL Injection - CEH
- Types of SQL Injection attack

Bypassing authentication methods

Disclosure of sensitive information

Compromise of the integrity of the managed data

Impairment of the availability of the managed data

Running remote commands


SQL Injection - CEH
- Methods of detecting SQL Injection

a. Check whether the web application accesses a DB server

b. Enumerate the possible user inputs exploitable to execute SQL commands

c. Simulate the insertion of code into user input fields

d. Simulate entering numbers in fields reserved for strings

e. The UNION operator is used in SQL Injection techniques to concatenate SQL statements

f. Check the level of information contained in error messages
SQL Injection - CEH
- Types of SQL Injection

a. Simple SQL Injection

SQL Union

SQL Error

b. Blind Injection
SQL Injection - CEH
- Simple SQL Injection Attacks

System stored procedures

a. Attacks are based on the use of "stored procedures" already in the DB

b. UNION Query

SELECT name, phone, address FROM Users WHERE ID = 1 UNION ALL SELECT CreditCardNumber, 1, 1 FROM creditcardtable

c. Tautology (an assertion true by definition)

SELECT * FROM user WHERE name = '' OR '1' = '1';

d. Commenting out the end of the line

SELECT * FROM user WHERE name = 'x' AND userid IS NULL; -- ';

e. Understanding the structure of the DB via requests with parameters that are not allowed
SQL Injection - CEH
- Blind SQL Injection
It is a technique used when the Web application is subject to SQL injection but the responses are not visible to the attacker

Blind SQL Injection exploits the same philosophy as normal SQL Injection, except for the fact that the attacker is not able to see the specific error generated

This type of attack can become very expensive in terms of time, because of the large number of requests that have to be sent for every single bit of information obtained
SQL Injection - CEH
- Methodology of a SQL Injection attack

a. Information gathering

b. Finding a SQL Injection vulnerability

c. Exploiting the vulnerability found

d. Extracting data from the database

e. Interacting with the Operating System

f. Compromising the entire network


SQL Injection - CEH
- Programs for SQL Injection

a. SQL Power Injector (http://www.sqlpowerinjector.com/)

b. BSQLHacker (http://labs.portcullis.co.uk/tools/bsql-hacker/)

c. Marathon Tool (http://marathontool.codeplex.com/)

d. Absinthe (https://github.com/HandsomeCam/Absinthe)

e. SqlNinja (http://sqlninja.sourceforge.net/)

f. Sqlmap (http://sqlmap.org/)
SQL Injection - CEH
- Countermeasures

a. Use an account with minimum privileges on the DB

b. Disable functions or procedures not necessary for the operation of the application

c. Monitor connections with IDS, WAF, etc.

d. Use custom error messages

e. Filter client data

f. Provide security controls on the data passed by the application when making requests to the database
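The tautology and end-of-line comment payloads from the Simple SQL Injection Attacks slide, run against a login query built by string concatenation and then against the parameterized query that countermeasures d) and f) call for. This is an added example, not the course's code; it uses an in-memory SQLite database with a constructed user table.

```python
"""Vulnerable login query beside its hardened form.

Added example; not part of the course slides. The user table and the two
accounts are constructed for the demo.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret"), (2, "bob", "hunter2")])
    return conn


def login_vulnerable(conn, name, password):
    """Vulnerable: the user input becomes part of the SQL text, so quotes,
    OR and -- in the input change the structure of the query."""
    sql = (f"SELECT name FROM user WHERE name = '{name}' "
           f"AND password = '{password}' ORDER BY userid")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, name, password):
    """Hardened: placeholders keep the input as data and the query structure
    fixed; DB errors are replaced by a generic message (custom error
    messages), so the error text cannot be used to map the DB."""
    sql = "SELECT name FROM user WHERE name = ? AND password = ? ORDER BY userid"
    try:
        return [row[0] for row in conn.execute(sql, (name, password))]
    except sqlite3.Error:
        raise RuntimeError("login failed") from None


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # password = '' OR '1'='1' -> always true
    comment = "admin' --"       # name = 'admin' --' AND ... -> rest ignored
    print("vulnerable, tautology:", login_vulnerable(db, "x", tautology))
    print("vulnerable, comment:  ", login_vulnerable(db, comment, "anything"))
    print("safe, tautology:      ", login_safe(db, "x", tautology))
    print("safe, comment:        ", login_safe(db, comment, "anything"))
    print("safe, real login:     ", login_safe(db, "bob", "hunter2"))
```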
SQL Injection - CEH

Questions?
Hacking Wireless - CEH

- Wireless LAN

- Bluetooth
Hacking Wireless - CEH
- Wireless LAN

Wi-Fi was developed according to the IEEE 802.11 standard and is widely used in wireless communication, as it provides access to applications and data over the wireless network

The Wi-Fi standard sets numerous ways to establish a connection between the transmitter and the receiver, such as DSSS, FHSS, Infrared (IR) and OFDM
Hacking Wireless - CEH
- Types of Wireless

As an extension of a wired network

Multiple Access Points

LAN-to-LAN Wireless Network (Bridge Mode)

3G Hotspot
Hacking Wireless - CEH
- Wireless Standards
802.11a: bandwidth up to 54 Mbps, 5 GHz frequency used

802.11b: bandwidth up to 11 Mbps, 2.4 GHz frequency used

802.11g: bandwidth up to 54 Mbps, uses the 2.4 GHz frequency

802.11i: a standard that extends 802.11a/b/g by introducing an improvement in cryptography for networks

802.11n: bandwidth over 100 Mbps

802.16: a standard for wireless broadband developed for the MAN (Metropolitan Area Network)

Bluetooth: standard with a very small range (<10 m) and low speed (1-3 Mbps), developed for low-power network devices such as PDAs
Hacking Wireless - CEH
- Types of encryption used in wireless
WEP
a. It is the first and oldest standard used in wireless communications

WPA
a. Uses a 48-bit IV
b. 32-bit CRC
c. TKIP encryption

WPA2
a. Uses AES encryption (128 bit) and CCMP

WPA2 Enterprise
a. It integrates the WPA standard with EAP
Hacking Wireless - CEH
- How to crack WEP

Configure the wireless interface in monitor mode on a specific channel of the access point

Verify the ability to inject packets to the AP

Use a program like aireplay-ng to simulate a fake authentication to the AP

Run a sniffer to collect unique IVs

Use a tool to extract the encryption key from the collected IVs
Hacking Wireless - CEH
- How to crack WPA/WPA2

WPA PSK
WPA PSK uses a user-selected key to initialize TKIP; it cannot be broken as a precomputed package, but it can be found with a brute-forced dictionary attack

Brute-Force WPA
Use a program such as aircrack, aireplay or KisMAC to try to find the key

Offline attack
Collect a considerable number of packets so as to obtain the WPA/WPA2 authentication handshake

Deauthentication attack on connected clients

Consists of forcing clients already connected to the AP to disconnect and reconnect, in order to collect authentication packets for subsequent cracking
Hacking Wireless - CEH
- Wireless attack methodology

Locating the target Wi-Fi network

GPS mapping

Wireless network traffic analysis

Attack on the Wi-Fi network

Cracking the encryption used

Compromise of the Wi-Fi network


Hacking Wireless - CEH
- Bluetooth

Easy to use

Easy to detect

Types of Attack

a. BlueSmacking

b. Bluejacking

c. BlueSniffing

d. Bluesnarfing
Hacking Wireless - CEH

Questions?
Evading IDS, Firewalls, Honeypots - CEH
- IDS

- Firewall

- Snort

- HoneyPot
Evading IDS, Firewalls, Honeypots - CEH
- IDS
An Intrusion Detection System (IDS) is a system that collects and analyzes information from a computer or a network, in order to identify possible violations of security policies

An IDS is a "packet-sniffer" system, which intercepts the packets traveling, for example, over a TCP/IP network

The packets are analyzed after they have been captured

An IDS evaluates a suspected intrusion once it has taken place and signals an alarm
Evading IDS, Firewalls, Honeypots - CEH
- Methods for the identification of an intrusion
Identification by signatures (Signature Recognition)

This type of system attempts to identify the events that represent an improper use of the system.

Identification of anomalies (Anomaly Detection)

It tries to identify threats based on the analysis of the characteristic behavior of a user or of a fixed component in a system

Identification of abnormalities in the communication protocol (Protocol Anomaly Detection)

The models used for this type of recognition are based on the specifications of the protocol used. For example, TCP/IP
Evading IDS, Firewalls, Honeypots - CEH
- Types of Intrusion Detection System (1/2)
Network-based
a. This system typically consists of a black box placed inside the network, which captures traffic in promiscuous mode and tries to identify threats based on preset patterns

Host-based
a. This system is based on listening to the events generated by a specific host

b. It is not commonly used, due to the excessive workload of monitoring
Evading IDS, Firewalls, Honeypots - CEH
- Types of Intrusion Detection System (2/2)

Monitoring of log files

a. This type of system is based on a program that scans the log files looking for events that have already happened

Checking file integrity

a. This type of system checks for the presence of any Trojan Horse or of changed files that indicate the possible presence of an intrusion.

b. Tripwire (http://www.tripwire.com/)
Evading IDS, Firewalls, Honeypots - CEH
- Firewall

It is a hardware or software system designed to prevent unauthorized access to or from a private network

It is placed at strategic points, such as junctions, or as a network gateway

A firewall monitors all messages entering and leaving the private network, blocking those that do not meet specific security criteria

Firewalls only care about the type of traffic, the addresses and the destination ports
Evading IDS, Firewalls, Honeypots - CEH
- DeMilitarized Zone (DMZ)

The DMZ is an isolated segment of the LAN, accessible from both the internal and the external networks, but characterized by the fact that the hosts on the DMZ have limited possibilities of connection to specific hosts on the internal network

It is created using a Firewall with at least 3 physical network adapters, to which specific rules are assigned as Trusted Network, DMZ Network and Un-Trusted External Network (Internet)
Evading IDS, Firewalls, Honeypots - CEH
- Types of Firewall (1/2)

Packet Filter
a. It works at the Network layer of the OSI model
b. Each packet is analyzed according to established rules before being forwarded
c. The rules can specify the IP address, the source or destination port and the type of protocol

Circuit-Level Gateway
a. It works at the Session layer of the OSI model
b. To identify a legitimate connection it monitors the TCP handshake
c. The information passed to the remote computer has the Gateway / Firewall as its origin
d. This type of firewall is able to mask the information about the network that it protects, but does not filter the packets individually
Evading IDS, Firewalls, Honeypots - CEH
- Types of Firewall (2/2)

Application-Level
a. It works at the Application layer of the OSI model
b. It does not allow access to services that are not proxied by the Firewall
c. When configured as a Web Proxy, services like FTP, telnet and others are not allowed
d. Acting at the application level, this kind of device is able to filter specific application commands. For example, HTTP GET or POST

Stateful Multilayer Inspection

a. This kind of Firewall combines the functionality of the previous models
b. They work by filtering packets at the network layer to identify a legitimate session, and then pass to the inspection of the content for the application
Evading IDS, Firewalls, Honeypots - CEH
- Intrusion Detection System: Snort

Open source IDS that can analyze traffic in real time and log any problems of a network
It is able to analyze the protocols and the contents of packets to detect attempted attacks, buffer overflows, port scans, attacks on CGI scripts, etc.
Uses a language for writing its own rules
Uses of Snort
a. Directly as a simple sniffer, like tcpdump
b. Packet recorder (for any network problems)
c. As an IPS (Intrusion Prevention System)
Evading IDS, Firewalls, Honeypots - CEH
- The Snort rules

The rules engine allows you to create your own rules and specifications for the various types of network and for the use you want to make of them
The Snort rules allow distinguishing between normal browsing activity, lawful network activity and "mischievous" activities
The rules must be contained in a single line; the parser does not allow rules spanning multiple lines
The Snort rules are logically divided into two parts:
a. Rule Header: identifies the action that the rule will execute. For example, alert, log, pass, activate, etc.
b. Rule Options: identify the alert message of the rule
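A parser for the two-part rule structure described on this slide (Rule Header, then Rule Options in parentheses, one rule per line) and a small matcher that applies the parsed rules to constructed packet records. This is an added example, not Snort's own code: it covers only a subset of the Snort grammar, and the rules, addresses and packets are constructed.

```python
"""Snort-style rule parser and matcher (subset).

Added example; not part of Snort or of the course slides. Supported grammar:
action proto src sport dir dst dport (msg:"..."; content:"..."; sid:N;)
with any / CIDR / !negated addresses and single ports or lo:hi ranges.
"""
import ipaddress
import re

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)


def parse_rule(text):
    """Return (header_dict, options_dict); a rule must fit on one line."""
    line = text.strip()
    if "\n" in line:
        raise ValueError("a Snort rule must be contained in a single line")
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    header = {k: m.group(k) for k in
              ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = {}
    for opt in m.group("opts").split(";"):
        if opt.strip():
            key, _, value = opt.strip().partition(":")
            options[key.strip()] = value.strip().strip('"')
    return header, options


def _addr_match(spec, addr):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def _port_match(spec, port):
    if spec == "any":
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def rule_matches(rule, pkt):
    """Header fields first, then the content option against the payload."""
    header, options = rule
    if header["proto"] not in ("ip", pkt["proto"]):
        return False

    def one_way(src, sport, dst, dport):
        return (_addr_match(header["src"], src) and _port_match(header["sport"], sport)
                and _addr_match(header["dst"], dst) and _port_match(header["dport"], dport))

    hit = one_way(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    if not hit and header["dir"] == "<>":
        hit = one_way(pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not hit:
        return False
    content = options.get("content")
    return content is None or content.encode() in pkt["payload"]


def run_rules(rules, packets):
    """Return (sid, msg) for every packet that triggers an alert rule."""
    return [(opts.get("sid"), opts.get("msg"))
            for pkt in packets for hdr, opts in rules
            if hdr["action"] == "alert" and rule_matches((hdr, opts), pkt)]


RULES = [parse_rule(r) for r in (   # constructed rules
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"Directory traversal attempt"; content:"../"; sid:1000001;)',
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"HTTP TRACE method"; content:"TRACE "; sid:1000002;)',
    'log udp 192.168.1.0/24 any -> any 53 (msg:"Outbound DNS query"; sid:1000003;)',
)]

PACKETS = [   # constructed packet records
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "192.168.1.20",
     "dport": 80, "payload": b"GET /../../etc/passwd HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51001, "dst": "192.168.1.20",
     "dport": 80, "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"proto": "udp", "src": "192.168.1.20", "sport": 40000, "dst": "192.0.2.53",
     "dport": 53, "payload": b"\x12\x34\x01\x00"},
]

if __name__ == "__main__":
    for sid, msg in run_rules(RULES, PACKETS):
        print(f"[{sid}] {msg}")
```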
Evading IDS, Firewalls, Honeypots - CEH
- HoneyPot

It is a system used and configured specifically to attract and trap those who attempt to penetrate our network
Simulates a vulnerable and easily hackable system or service
Uses:
a. Study of the attack methods used
b. Study of the sources of attack
c. As an effective palliative to protect the real target systems

Must be positioned so as to be segregated from the production environment
Verify the legality of the use of this type of system
Evading IDS, Firewalls, Honeypots - CEH
- Evading IDS

Identify any interfaces in promiscuous mode

a. AntiSniff program
b. NEPED antisniffer program

Intercepting the alerts sent by the IDS

Use evasion techniques or polymorphic shellcode

Attack the IDS:

a. Snort vulnerabilities
b. Vulnerabilities in the OS or in exposed services
Evading IDS, Firewalls, Honeypots - CEH

Questions?
Buffer Overflow - CEH

- Defining Buffer Overflow

- Method Buffer Overflow

- Identify a Buffer Overflow

- Countermeasures to Buffer Overflow


Buffer Overflow - CEH
- Defining Buffer Overflow

It is a security vulnerability that occurs when a program does not properly check the length of the incoming data, but merely writes its value into a fixed-length buffer, trusting that the data does not exceed the space previously allocated
Buffer Overflow - CEH
- Why are programs and applications vulnerable?

Controls on the managed data are ineffective or absent in many cases

In many cases, the programming languages used are themselves subject to the vulnerability

Programs and applications are not developed following security Best Practices

Functions such as strcat(), strcpy(), sprintf(), vsprintf(), gets(), scanf(), used in "C", may be subject to buffer overflow in that they do not control the length of the buffer
Buffer Overflow - CEH
- The Stack and Buffer Overflow

A stack buffer overflow occurs when a buffer on the stack is overwritten beyond its bounds

An attacker can exploit this issue by taking control of the flow of execution through the stack and executing arbitrary code
Buffer Overflow - CEH
- The Heap and Buffer Overflow

When a program copies data into memory without having carried out the necessary checks, this can be exploited by an attacker to gain control of the information managed in the heap

An attacker creates a buffer to fill the bottom of the heap and overwrite the other dynamic variables, with effects unexpected for the normal execution of the program
Buffer Overflow - CEH
- Buffer Overflow Method

Find the presence of a possible buffer overflow and what the triggering condition is

Send more data than the program can handle

Overwrite the return address of a function

Run your own malicious code (Shellcode)


Buffer Overflow - CEH
- How to Identify a Buffer Overflow?

a. Run the program on your own machine

b. Insert large amounts of data with identifiable control characters. For example, "$$$$" at the end of a string

c. In the event of a program crash

d. Look in the program dump for the control character used, to identify the trigger point of the Buffer Overflow

e. Set up a debugger (gdb, OllyDbg, etc.). Analyze the behavior of the program

f. Write the exploit that exploits the buffer overflow just found
Buffer Overflow - CEH
- Countermeasures to Buffer Overflow

Manual code review

Compilation techniques

Use libraries for secure development

Disabling stack execution

Use randomized stack addresses

Implement run-time controls


Buffer Overflow - CEH

Questions?
Cryptography - CEH
- What is Encryption?

Encryption is the conversion of given data into an encrypted code

Encryption can be used to protect:

a. E-mail messages
b. Credit card information
c. Sensitive data
d. etc.

Objectives of cryptography
a. Confidentiality
b. Integrity
c. Non-repudiation
d. Authenticity
Cryptography - CEH
- Types of Encryption

Symmetric Cryptography
Symmetric encryption uses the same key to encrypt and decrypt given data (secret-key, shared-key, private-key)

Asymmetric encryption
Asymmetric encryption uses different keys for encryption and decryption. These keys are identified as public and private key (public-key)

Hash Functions
A hash function does not use any key to encrypt or decrypt
Cryptography - CEH
- Encryption Algorithms

Encryption algorithms are used to encrypt and decrypt data

Classic algorithms
a. Substitution ciphers
Consist in the replacement of bits, characters, or blocks of characters with different bits, characters, or blocks
b. Transposition ciphers
The letters of the plaintext are moved a given number of positions to create the ciphertext

Modern algorithms
a. Based on the types of keys used
Private key: the same key to encrypt and decrypt
Public key: two different keys to encrypt or decrypt
b. Based on the types of input
Block cipher: encryption of data blocks of a fixed length
Stream cipher: encryption of a continuous data stream
Cryptography - CEH
- Symmetric encryption

Same key to encrypt and decrypt

ECB / CBC and other variants (modes of operation)

The key is difficult to distribute

From DES to AES

a. NIST Competition 1995-2001
b. Originally called Rijndael
Cryptography - CEH

- Asymmetric encryption

ECDSA: based on elliptic curves

RSA: based on prime numbers

Two keys, public and private

a. If encrypted with the Private key, decrypted with the Public key
b. If encrypted with the Public key, decrypted with the Private key
Cryptography - CEH

- Hash

From a text, a unique and irreversible "number"

The limit of hashes: collisions

Hash algorithms:

a. MD5
b. SHA-1
c. Etc.
Cryptography - CEH

- Symmetric + Asymmetric + Hash

Certificates

Digital Signature
Authentication (Strong Authentication)

- Uses:

GSM
SSL
Etc.
Cryptography - CEH

Questions?
Pen Testing - CEH
- Penetration Test

A Pentest simulates the methods used by intruders to gain unauthorized access to the network and resources of an organization, for the purpose of compromising data and information

When carrying out security tests, the tester is limited by the available resources, such as time, expertise and access to equipment, as specified in the indemnity

Many attacks follow a common approach to violate the security of a system
Pen Testing - CEH
- Security Assessments

Every organization uses different types of security assessment to validate the security level of the resources within the network

Categories of Security Assessment:

a. Security Audit
b. Vulnerability Assessment
c. Penetration Testing

Each type of Security Assessment requires different skill levels on the part of those who conduct the tests
Pen Testing - CEH
- Vulnerability Assessment

Network Scanning

Scanning tools

Security Errors

Test systems and network


Pen Testing - CEH

- Limitations of Vulnerability Assessment

The scanning programs used to identify vulnerabilities are limited to a given point in time

They need to be updated when new vulnerabilities or functionalities appear

This affects the result of the evaluation

The methodologies used by the various software and the options used may give different results in the tests
Pen Testing - CEH

- Penetration Testing

A pentest not carried out in a professional manner can cause serious disruption to normal service delivery

The pentest verifies the security model of the company as a whole

It detects potential threats that would be exploited in a real attack

The testers differ from attackers only in the purpose of their actions
Pen Testing - CEH

- What should be tested?

Communication errors, abuse of e-commerce, loss of credentials, etc.

Exposed public systems: websites, mail servers, platforms, remote access (RDP, VPN, etc.)

Mail, DNS, Firewalls, passwords, FTP, IIS and webservers


Pen Testing - CEH

- What makes a pentest reliable?

Establish a precise PenTest perimeter: objectives, limitations,
justification of the procedures used
Rely on experienced and competent professionals to perform the tests
Choose a suitable test set that balances costs and benefits
Follow planned and well-documented methodologies
Document the results completely and exhaustively, but above all
in a form clearly understood by the final customer
Highlight clearly in the final report the potential risks and the
solutions to the vulnerabilities
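As an added example (not code from the course), a small Python scope check that refuses any target outside the perimeter and time window agreed in the indemnity; the address ranges, hostnames and dates are constructed.

```python
# Added example (not from the course slides): check each requested target
# against the perimeter agreed in the indemnity before any test action. Scope
# values are constructed (RFC 5737 TEST-NET addresses, example.com names).
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress

@dataclass
class Scope:                       # perimeter agreed with the customer
    networks: list                 # authorised ranges (ip_network objects)
    hostnames: set                 # authorised DNS names, lower-case
    window_start: datetime         # earliest permitted test time (UTC)
    window_end: datetime           # latest permitted test time (UTC)
    excluded: list = field(default_factory=list)  # ranges explicitly forbidden

    def check(self, target: str, when: datetime) -> tuple:
        """Return (allowed, reason) for one target at the given moment."""
        if not (self.window_start <= when <= self.window_end):
            return False, "outside agreed test window"
        try:
            ip = ipaddress.ip_address(target)
        except ValueError:                     # not an address: treat as hostname
            if target.lower() in self.hostnames:
                return True, "hostname listed in scope"
            return False, "hostname not listed in scope"
        if any(ip in net for net in self.excluded):  # exclusions win over ranges
            return False, "address explicitly excluded"
        if any(ip in net for net in self.networks):
            return True, "address within authorised range"
        return False, "address outside authorised ranges"

def filter_targets(scope: Scope, targets, when: datetime):
    # Split targets into (allowed list, {rejected target: reason})
    allowed, rejected = [], {}
    for t in targets:
        ok, reason = scope.check(t, when)
        if ok:
            allowed.append(t)
        else:
            rejected[t] = reason
    return allowed, rejected

SAMPLE_SCOPE = Scope(networks=[ipaddress.ip_network("192.0.2.0/24")],
                     hostnames={"www.example.com"},
                     window_start=datetime(2024, 3, 4, tzinfo=timezone.utc),
                     window_end=datetime(2024, 3, 11, tzinfo=timezone.utc),
                     excluded=[ipaddress.ip_network("192.0.2.10/32")])

def demo(when=datetime(2024, 3, 5, 10, 0, tzinfo=timezone.utc)):
    """Run a constructed target list through the sample scope at time `when`."""
    targets = ["192.0.2.5", "192.0.2.10", "198.51.100.1", "www.example.com", "mail.example.com"]
    return filter_targets(SAMPLE_SCOPE, targets, when)
```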
Pen Testing - CEH
- Types of Penetration Testing (1/2)

From the outside

a. The external PenTest gathers its information by analyzing everything
public concerning the target (e.g. email server, web server, firewall,
router, etc.)
b. It is the traditional approach to penetration testing
c. The tests focus only on the servers, the infrastructure and the
basic software of the target
d. The tests may be done:

without any prior information about the target (Black Box)

with comprehensive information about the type and environment
that will be tested (Gray / White box)
Pen Testing - CEH

- Types of Penetration Testing (2/2)

From the inside

a. The tests are carried out from every possible point of access

b. Within the target, test access from external locations,
branch offices, DMZ, etc.

c. The tests basically follow the methods used for external
testing but add a much more comprehensive point of view on the
infrastructure
Pen Testing - CEH

- Black-box Penetration Testing

No knowledge of the infrastructure to be tested

Usually only the name of the company is provided

The tests faithfully simulate a real attack

A considerable amount of time is spent on information
gathering and on understanding the infrastructure to be
tested

It is an expensive and time-consuming kind of test


Pen Testing - CEH

- Gray-box Penetration Testing

Limited knowledge of the infrastructure to be tested

Performs internal security assessment and testing

Focused on the security of the applications, covering all the
possible vulnerabilities that an attacker could exploit

It is mostly run when, starting from Black-box testing, a
deeper understanding of a well-protected system is needed
for further investigation of possible vulnerabilities
Pen Testing - CEH
- White-box Penetration Testing

Complete knowledge of the infrastructure to be tested

The tests simulate the actions that could be taken by employees of the company

The preliminary information provided:

a. The infrastructure of the company

b. Type of network

c. The security measures adopted

d. Firewall, network addressing, IDS, etc.

e. The company policy on what to do and what not to do


Pen Testing - CEH
- Stages of a Penetration Testing (1/3)

Pre-attack phase
a. This phase defines how the testing will be carried out and the
objectives to be achieved
b. Gathering information about the target is considered
essential in this initial phase
c. A plan of attack to follow is formulated
d. It can be of two types:
Passive reconnaissance: collect target information from
public sources
Active reconnaissance: collect information through
publications on social networks, social engineering, web sites
visited, interviews, questionnaires, etc.
Pen Testing - CEH

- Stages of a Penetration Testing (2/3)

Attack phase

a. Penetrate the perimeter to gain unauthorized access to
the network

b. Acquire the various targets by breaching their security

c. Compromise systems, access the data they manage,
run exploits, etc.

d. Escalate privileges
Pen Testing - CEH
- Stages of a Penetration Testing (3/3)

Post-attack phase

a. It is the most critical part of the whole process

b. It consists of "cleaning up" the traces of the actions taken by the tester,
in order to bring the systems back to their state before testing

c. The actions include:

Removal of the files copied onto the systems

Cleaning of the logs and removal of any vulnerabilities created

Removal of exploits and of any programs used

Disabling any unauthorized shares or connections

Analysis of the results found and presentation of them to the customer


Pen Testing - CEH

Questions?

Take a basic course on "Penetration test":
Hacking Basic Professional Penetration Test

Designed for those who perform penetration testing and web
security, a good way to become a Certified Ethical
Hacker!

Price lowered to $ 8

https://www.udemy.com/basic-professional-penetration-tests/?couponCode=HACKING%408

Thank you
