- Introduction
- Scanning Networks
- Enumeration
Certified Ethical Hacking
- System Hacking
- Trojans Backdoors +
- Viruses Worms +
- Sniffer
Certified Ethical Hacking
- Social Engineering
- Denial of Services
- Session hijacking
- Wireless Hacking
- Buffer Overflow
- Cryptography
- Pen Testing
Introduction - CEH
- No legal advice
- Expensive Exam
Introduction - CEH
- Current Situation
News on cyber attacks
Criminal activities
- Anonymous Activities
- Cyber Terrorism
- In Italy
Hacking
Hackers
Black Box Testing
White Box Testing
Gray Box Testing
Security
Vulnerability
Exploit / Proof of concept
Zero Day
Vulnerability Scan
Penetration Test
Introduction - CEH
- Origin of threats
Gray Hats
Suicide Hacker
Step 1: Reconnaissance
Step 2: Scanning
a. Port Scan
b. Networks scan
c. Extract useful information about the versions and services in use
Introduction - CEH
- How does a Hacker operate? (2/3)
a. Exploit
b. Weak Password
c. Buffer Overflow
d. Denial of service
a. Keylogger
b. Backdoor
c. Rootkits
d. Trojan / Worm
Introduction - CEH
- Why do you need Ethical Hacking?
Vulnerability testing and security audits do not ensure that our
infrastructure is safe
Risk Assessment
Auditing
Mitigate fraud
Best Practices
Good infrastructure management
Safety
Questions?
Footprinting and Reconnaissance - CEH
- Information gathering
- Exposure
Footprinting and Reconnaissance - CEH
- Information gathering
a. Registered domains
b. IP range used
c. Services Provided
Additional Information
a. Waiting Rooms
b. Kiosks
c. Shared networks
a. DNS / WHOIS
b. Internic
c. Physical location
d. RF (Wi-Fi, Bluetooth) monitoring - WarDriving
Traceroute analysis
Mirroring the site of the target company
Tracking email communications
Using Google Hacking
Nessus Scan
Nikto Scan
Footprinting and Reconnaissance - CEH
- Perimeter attack
Search for information via search engines (e.g. Google, Bing, Yahoo, etc.),
job sites, financial services, etc.
Traceroute Tools
a. VisualRoute Trace (http://viualroute.visualware.com)
b. Visual IP Trace (http://www.visualiptrace.com)
c. vTrace (http://vtrace.pl)
Footprinting and Reconnaissance - CEH
- Mirroring the corporate website
a. MetaGoofil (http://www.edge-security.com)
b. SiteDigger (http://www.foundstone.com)
c. Google Hacks (http://code.google.com)
d. GMapCatcher (http://code.google.com)
e. Goolink Scanner (http://www.ghacks.net)
f. etc ...
Footprinting and Reconnaissance - CEH
- Nessus Scan
Picture of nessus
Picture of Nikto
Configure the web server so that it does not disclose useful information
Split-DNS
Honeypot
Footprinting and Reconnaissance - CEH
Questions?
Scanning - CEH
- CEH scanning methodology
- Types of Scan
- Firewalking
- 3 way handshake
- Closing Sessions
- Scanning techniques
- War Dialing
- Scan tool
Scanning - CEH
- CEH scanning methodology
Network scanning
a. ICMP scanning
b. Ping Sweep scanning
Port scanning
Vulnerability scanning
a. Identification of services
b. Identifying versions of applications
c. Identification of applications
Scanning - CEH
- Firewalking
a. ICMP time exceeded
b. Dropped packet
Diagram: 3-way handshake between Computer A and Computer B over time: A sends SYN = 1, SEQ #10; B answers with ACK = 1, SEQ #11; A completes the handshake with an ACK
Scanning - CEH
- Closing sessions
Diagram: session closing sequence over time: each side sends a FIN and the other side answers with an ACK
Scanning - CEH
- Scanning techniques
Indicates whether the port is open only after completing the three-way handshake
- Packet sequence: SYN; SYN, ACK; ACK followed by RST
Diagram: half-open (SYN) scan: an open port answers the SYN with SYN, ACK and the scanner replies with RST; a closed port answers the SYN with RST
- XMAS Scan
Forges a packet with the URG, ACK, RST, SYN and FIN flags set
The FIN flag works only on systems whose TCP stack is implemented
according to RFC 793
Often does not work on some Microsoft Windows systems
Diagram: FIN, URG, PUSH probe: an open port gives no reply; a closed port answers with RST
Scanning - CEH
- NULL Scan
- FIN Scan
A host that receives a SYN, ACK for a request it never sent responds
with RST
Any unsolicited RST is ignored
Every packet on the network carries a "fragment identification" number
(IPID)
- Idle Scan
Idle scan is a scanning technique in which spoofed packets are sent to
check the status of the ports on a target.
Scanning - CEH
Diagram: idle scan between attacker, zombie and target, with the RST replies used to infer port state
Scanning - CEH
- ACK Scan:
The attacker sends packets with the ACK flag set and random sequence
numbers
No response means that the port is filtered
RST packet response indicates that the port is not filtered
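The scan techniques described above leave distinctive traces in captured traffic. As an added example (not part of the slides), the following code classifies the NULL, FIN, XMAS and ACK flag combinations and flags SYN sweeps in a constructed connection log; the log format "src dst dport flags" and the threshold are assumptions for the example.

```python
# Added example (not from the CEH slides): classify the TCP flag combinations
# used by the scan techniques above and flag SYN sweeps in a constructed log.
from collections import defaultdict

# Stealth probes as seen from the defender's side: no SYN, and a reply (RST)
# comes only from closed ports on RFC 793 stacks.
PROBE_SIGNATURES = {
    frozenset(): "NULL scan",
    frozenset({"FIN"}): "FIN scan",
    frozenset({"FIN", "URG", "PSH"}): "XMAS scan",
    frozenset({"ACK"}): "ACK scan",
}

# Constructed sample: a SYN sweep from 10.0.0.5, two stealth probes from
# 10.0.0.9, and one legitimate connection from 192.168.1.50.
SAMPLE_LOG = """\
10.0.0.5 192.168.1.10 22 SYN
10.0.0.5 192.168.1.10 23 SYN
10.0.0.5 192.168.1.10 25 SYN
10.0.0.5 192.168.1.10 80 SYN
10.0.0.5 192.168.1.10 443 SYN
10.0.0.5 192.168.1.10 3389 SYN
10.0.0.9 192.168.1.10 80 FIN,URG,PSH
10.0.0.9 192.168.1.10 139 -
192.168.1.50 192.168.1.10 443 SYN
192.168.1.50 192.168.1.10 443 ACK,PSH
"""

def parse_line(line):
    """Return (src, dst, dport, flagset); '-' means no flags set."""
    src, dst, dport, flags = line.split()
    flagset = frozenset() if flags == "-" else frozenset(flags.split(","))
    return src, dst, int(dport), flagset

def classify_probe(flagset):
    """Name the scan technique a flag combination matches, or None."""
    return PROBE_SIGNATURES.get(flagset)

def detect_scans(log_text, syn_port_threshold=5):
    """Return {src: [findings]}. SYN-only packets to at least
    syn_port_threshold distinct ports are reported as a SYN (half-open)
    sweep; an odd flag set on the first packet of a flow is reported as a
    NULL/FIN/XMAS/ACK probe (a bare ACK mid-flow is normal traffic)."""
    syn_ports = defaultdict(set)
    seen_flows = set()
    findings = defaultdict(list)
    for line in log_text.strip().splitlines():
        src, dst, dport, flags = parse_line(line)
        flow = (src, dst, dport)
        if flags == frozenset({"SYN"}):
            syn_ports[src].add(dport)
        elif flow not in seen_flows:
            name = classify_probe(flags)
            if name:
                findings[src].append(f"{name} on {dst}:{dport}")
        seen_flows.add(flow)
    for src, ports in syn_ports.items():
        if len(ports) >= syn_port_threshold:
            findings[src].append(f"SYN sweep of {len(ports)} ports")
    return dict(findings)
```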
Scanning - CEH
- UDP Scan:
- War-Dialing
- Scan tool
Nmap (http://nmap.org/)
Nessus (http://www.tenable.com/products/nessus)
OpenVAS (http://www.openvas.org/)
Hping (http://www.hping.org/)
Netcat (http://netcat.sourceforge.net/)
SuperScan (http://www.foundstone.com)
Questions?
Enumeration - CEH
- Enumeration
- Enumeration techniques
- NetBIOS Enumeration
- Enumerating User Account
- SNMP Enumeration
- Unix / Linux Enumeration
- SMTP Enumeration
Enumeration - CEH
- What is an enumeration?
a. VRFY / EXPN
b. RCPT TO
Enumeration - CEH
- User Account Enumeration
a. Null Session
b. SID to User
Enumeration - CEH
Questions?
System Hacking - CEH
Dictionary attack
a. Use a file containing common passwords
Offline attack
Replay
System Hacking - CEH
Predictability of passwords
Hash injection
System Hacking - CEH
- Offline attack
Precalculated hash
Rainbow tables
Distributed networks
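The offline attacks listed above (dictionary attack, precomputed hashes, rainbow tables) rely on the stored hash being reproducible without any per-user secret. As an added example (not from the slides), the code below shows a precomputed table breaking unsalted SHA-256 hashes instantly, and the same table failing against per-user salts with PBKDF2; the wordlist and user passwords are constructed.

```python
# Added example (not from the CEH slides): why precomputed hash tables
# break unsalted password hashes and why a per-user salt plus an iterated
# KDF pushes the attacker back to a slow, per-account dictionary attack.
import hashlib
import hmac
import os

WORDLIST = ["password", "123456", "qwerty", "letmein", "Welcome1"]  # constructed

def unsalted_hash(password):
    """The weak scheme: same password -> same digest for every user and site."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_precomputed_table(wordlist):
    """Attacker precomputation (what a rainbow table compresses): done once,
    reusable against every database that stores unsalted SHA-256."""
    return {unsalted_hash(w): w for w in wordlist}

def crack_unsalted(table, stored_digests):
    """Instant lookups: returns {digest: plaintext} for every hit."""
    return {d: table[d] for d in stored_digests if d in table}

def salted_hash(password, salt=None, iterations=100_000):
    """Defender scheme: random 16-byte salt per user, PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk

def verify_salted(password, salt, expected_dk, iterations=100_000):
    _, dk = salted_hash(password, salt, iterations)
    return hmac.compare_digest(dk, expected_dk)  # constant-time compare

def dictionary_attack_salted(wordlist, salt, target_dk, iterations=100_000):
    """The salt defeats the shared table, not a dictionary attack on ONE user:
    each guess now costs a full KDF run and cannot be reused elsewhere."""
    for word in wordlist:
        if verify_salted(word, salt, target_dk, iterations):
            return word
    return None

def demo(iterations=1000):
    """Two users share 'letmein': identical unsalted digests, both cracked
    at once; salted digests differ and must be attacked one by one."""
    table = build_precomputed_table(WORDLIST)
    stored = [unsalted_hash("letmein"), unsalted_hash("letmein")]
    hits = crack_unsalted(table, stored)
    salt_a, dk_a = salted_hash("letmein", iterations=iterations)
    salt_b, dk_b = salted_hash("letmein", iterations=iterations)
    return {
        "unsalted_identical": stored[0] == stored[1],
        "unsalted_cracked": hits.get(stored[0]),
        "salted_identical": dk_a == dk_b,
        "salted_in_table": dk_a.hex() in table,
        "salted_per_user_crack": dictionary_attack_salted(
            WORDLIST, salt_a, dk_a, iterations),
    }
```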
System Hacking - CEH
Social Engineering
Software vulnerabilities
Programming errors
a. Buffer overflow of data
b. No distinction between data and executable code
c. Failure to validate user input, etc.
Propagation methods
a. Masquerading as anti-spyware
b. Downloads from the internet
c. Exploiting browser vulnerabilities
d. Fake add-ons
e. Software installations containing specially crafted macros
System Hacking - CEH
- Keylogger (Keystroke Logger)
- RootKit
Hardware / Firmware
Hides in physical devices or in firmware updates that do not check
code integrity
Hypervisor level
Changes the boot sequence so as to load itself before the operating
system, which then runs virtualized
Kernel level
Replaces or adds malicious code to parts of the kernel of the operating
system or device
Library level
Replaces operating system libraries in order to hide information about
the attacker
Application level
Replaces the executables of regular applications with Trojans or malicious
pieces of code
System Hacking - CEH
ADS (Alternate Data Streams) is the mechanism that allows attributes to be
added to a file without changing its functionality or how it appears in
the file manager
- Steganography (1/2)
There are several free programs that allow the use of steganographic
techniques
System Hacking - CEH
- Steganography (2/2)
Remove all traces of web activity such as MRU (Most Recently Used) lists,
cookies, cache, history and temporary files
Disable auditing systems
Close all possible ports in use and apply patches to the system, to prevent
other hackers from getting in
System Hacking - CEH
Questions?
Trojans + Backdoors - CEH
- What is a Trojan?
- What is a Virus?
Financial Benefits
For fun
Acts of vandalism
Cyber terrorism
File Virus
Cluster Virus
Multipartite Virus
Macro Virus
Encryption Virus
Polymorphic Virus
Shell Virus
Tunneling Virus
Viruses + Worms - CEH
- What is a Worm?
It is a malicious program that can replicate, run and propagate itself through
the network without human intervention
Most worms are created to replicate and spread across the network in order to
consume computing resources
Some worms may contain code that can harm the infected system
Attackers use worms to install backdoors on infected systems so as to create
zombies or botnets. Botnets are used for future cyber attacks
Viruses + Worms - CEH
- How to avoid Worm and Virus infections
Questions?
Sniffer - CEH
- ARP
- Sniffing techniques
- Active sniffing
- Countermeasures
Sniffer - CEH
- ARP
ARP tables
Passive Sniffing
Active Sniffing
MAC duplication
a. Substitute your own MAC address with that of the target
machine
Sniffer - CEH
- Active sniffing (3/3)
MAC Flooding
a. Generates a large number of spoofed ARP replies
b. Saturates the memory and the refresh capacity of the switches
c. Turns the switch into a hub
ARP attacks
a. Ettercap (http://ettercap.github.io/ettercap/)
b. Cain & Abel (http://www.oxid.it/cain.html)
c. SMAC (http://www.klcconsulting.net/smac-cl/)
Sniffing tools
Questions?
Social Engineering - CEH
- Social Engineering
Company suppliers
System Administrators
b. Select a victim
Identify, for example, a disgruntled employee
Human-based
a. Dumpster Diving (Research in the trash)
b. Posing as a legitimate user
c. Presenting itself as a company VIP
d. By posing as a technical support person
e. Interception of telephone conversations
f. Spy on people behind (Shoulder Surfing)
g. Sneaking in
h. Presenting himself as a third party
i. etc ...
Social Engineering - CEH
- Techniques of Social Engineering (2/2)
Computer-based
a. Using pop-up windows that appear during
navigation (gifts, sweepstakes millionaire, etc.).
b. Through hoax letters
c. Through chain letters
d. Via chat messages (dates of birth, maiden names, family names, etc.)
e. Via email Spam
f. Phishing
g. Sending fake SMS requesting banking information
Social Engineering - CEH
- Countermeasures
Questions?
Denial of Services - CEH
- What is a Denial of Service?
SYN Flood
a. Exploits the normal operation of the 3-way handshake
b. Saturates the available memory
c. Leaves connections hanging for up to 75 seconds
Denial of Services - CEH
- Why use DoS attack
Vandalism
Questions?
Session hijacking - CEH
- What is Session Hijacking?
Active
a. Consists in taking the place of the host whose session has been discovered
Passive
a. Consists in routing the traffic through the attacker, who merely
observes and records
Hybrid
a. Similar to the passive form, except that it extracts important information
Session hijacking - CEH
- Key Techniques Session Hijacking
Brute forcing
a. An attacker tries different valid session ID
Stealing
a. An attacker uses different techniques to steal session IDs
valid
Calculating
a. An attacker tries to calculate the value of a valid session ID
Session hijacking - CEH
- Brute Forcing
The nature of the TCP session gives the possibility of continuous access
Hamster / Ferret
Firesheep
Ettercap
Juggernaut
Hunt
T-Sight
Metasploit
SSL Strip
Session hijacking - CEH
- Countermeasures
Questions?
Hacking Web Servers - CEH
- Current web server vendors
Apache
Microsoft IIS
Lighttpd
Nginx
Hacking Web Servers - CEH
- Architecture of a WebServer
Potentially vulnerable
a. GET / POST malformed
b. SQL Injection
c. Configuration Errors
d. Etc. ..
Hacking Web Servers - CEH
- Impact of attacks on WebServer
Theft of information
e. Etc. ..
Hacking Web Servers - CEH
- Some types of attack on the WebServer
Directory Traversal
URL Obfuscation
Password
b. Dictionary attack
c. Attack hybrid
d. Simple passwords
Hacking Web Servers - CEH
- Methodology for attacking the web server (1/2)
Information gathering
a. Collection of information about the target company
b. Search news groups, forums, etc.
c. Whois, Traceroute, etc. to map the structure of the victim's systems
Session Hijacking
a. Sniffing valid session ID for unauthorized access
b. Burp Suite, Paros Proxy, Hamster, FireSheep
Questions?
Hacking Web Apps - CEH
- Defining a Web Application
Data Access
Hacking Web Apps - CEH
- How a Web App works
Diagram: the user sends a request to the Web Server, which hands it to the Web Application; the application queries the DBMS and issues OS commands, and the output is returned to the user
Hacking Web Apps - CEH
- Types of attacks Web App (1/2)
SQL Injection
a. The most common and the most effective attack
b. Exploits the input forms present in web pages
c. Forces login requests to obtain valid credentials
d. Interfaces with the DB (alter, insert, delete tables)
Automated tools
a. SQL Map
b. SQL Ninja
c. Havij
d. Etc. ..
Hacking Web Apps - CEH
- Types of attacks Web App (2/2)
Questions?
SQL Injection - CEH
- What is SQL Injection?
SQL Union
SQL Error
b. Blind Injection
SQL Injection - CEH
- Simple SQL Injection Attacks
b. UNION Query
SELECT * FROM user WHERE name = '' OR '1' = '1';
SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --';
e. Understanding the structure of the DB via requests with parameters that are not allowed
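The tautology from the first query above, run as an added example (not from the slides) against an in-memory SQLite table named user with the columns userid and name that appear in these queries; the rows are constructed. The concatenated form returns every row, the bound-parameter form returns none.

```python
# Added example (not from the CEH slides): the injected query from the
# slide above run against an in-memory SQLite table, first through string
# concatenation and then through a bound parameter. Rows are constructed.
import sqlite3

PAYLOAD = "' OR '1' = '1"  # the tautology used in the slide

def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def build_vulnerable_sql(name):
    """Concatenation: the input becomes SQL text, so a quote in it closes
    the literal and everything after it is parsed as SQL."""
    return "SELECT * FROM user WHERE name = '" + name + "';"

def find_user_vulnerable(conn, name):
    return conn.execute(build_vulnerable_sql(name)).fetchall()

def find_user_safe(conn, name):
    """Placeholder binding: the value travels separately from the SQL text
    and is compared literally, quotes and all, against the name column."""
    return conn.execute("SELECT * FROM user WHERE name = ?", (name,)).fetchall()

def demo():
    conn = setup_db()
    return {
        "legit_vulnerable": find_user_vulnerable(conn, "alice"),
        "legit_safe": find_user_safe(conn, "alice"),
        "payload_vulnerable": find_user_vulnerable(conn, PAYLOAD),  # all rows
        "payload_safe": find_user_safe(conn, PAYLOAD),             # no rows
    }
```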
SQL Injection - CEH
- Blind SQL Injection
It is a technique used when the web application is vulnerable to SQL
injection but the responses are not visible to the attacker
a. Collection information
d. Absinthe (https://github.com/HandsomeCam/Absinthe)
e. SqlNinja (http://sqlninja.sourceforge.net/)
f. Sqlmap (http://sqlmap.org/)
SQL Injection - CEH
- Countermeasures
Questions?
Hacking Wireless - CEH
- Wireless LAN
- Bluetooth
Hacking Wireless - CEH
- Wireless LAN
3G Hotspot
Hacking Wireless - CEH
- Wireless Standard
802.11a: bandwidth up to 54 Mbps, 5 GHz frequency used
WPA
a. Use 48 BIT IV
b. 32 Bit CRC
c. TKIP encryption
WPA2
a. Use AES encryption (128 bit) and CCMP
WPA2 Enterprise
a. Integrates the WPA standard with EAP
Hacking Wireless - CEH
- How to crack WEP
WPA PSK
WPA PSK uses a user-selected key to initialize TKIP; it cannot be broken with a
precomputed package, but it can be discovered with a brute-forced dictionary attack
Brute-Force WPA
Use a program such as aircrack, aireplay or KisMAC to try to find the key
Offline attack
Collect a considerable number of packets so as to capture the WPA/WPA2 authentication
handshake
GPS mapping
Easy to use
Easy to detect
Types of Attack
a. BlueSmacking
b. Bluejacking
c. BlueSniffing
d. Bluesnarfing
Hacking Wireless - CEH
Questions?
Evading IDS, Firewalls, Honeypots - CEH
- IDS
- Firewall
- Snort
- HoneyPot
Evading IDS, Firewalls, Honeypots - CEH
- IDS
An Intrusion Detection System (IDS) is a system that
collects and analyzes information from a computer or
a network, in order to identify possible violations of
security policies
This type of system attempts to identify events that constitute improper use of
the system.
The models used for this type of recognition are based on the specifications
of the protocol in use, for example TCP/IP
Evading IDS, Firewalls, Honeypots - CEH
- Types of Intrusion Detection System (1/2)
Based on the Network
a. This system typically consists of a black box placed inside the
network, which captures traffic in promiscuous mode and tries to
identify threats based on preset patterns
Host-based
a. This system is based on listening to the events generated by a
specific host
b. Tripwire (http://www.tripwire.com/)
Evading IDS, Firewalls, Honeypots - CEH
- Firewall
Packet Filter
a. It works at the network layer of the OSI model
b. Each packet is analyzed according to established rules before being
forwarded
c. The rules can specify IP address, source or destination port and the type
of protocol
Circuit-Level Gateway
a. It works at the Session layer of the OSI model
b. It monitors the TCP handshake to identify a legitimate connection
c. The information passed to the remote computer appears to originate from the
Gateway / Firewall
d. This type of firewall is able to mask the information about the network
it protects, but it does not filter packets individually
Evading IDS, Firewalls, Honeypots - CEH
- Types of Firewall (2/2)
Application-Level
a. It works at the Application layer of the OSI model
b. It does not allow access to services that are not proxied by the Firewall
c. When configured as a Web Proxy, services like FTP, telnet and
others are not allowed
d. Acting at the application level, this kind of device is able to filter
specific application commands, for example HTTP GET or POST
Open source IDS that can analyze traffic in real time and log the
problems of a network
It is able to analyze protocols and packet contents to detect attack
attempts, buffer overflows, port scans, attacks on CGI scripts, etc.
Uses its own language for writing rules
Uses of Snort
a. Directly as a simple sniffer, like TCPdump
b. Packet recorder (for any network problems)
c. As an IPS (Intrusion Prevention System)
Evading IDS, Firewalls, Honeypots - CEH
- The Snort rules
Questions?
Buffer Overflow - CEH
Controls on the data handled are in many cases ineffective or absent
Programs and applications are often developed without following security best practices
Functions such as strcat(), strcpy(), sprintf(), vsprintf(), gets(), scanf(), used
in C, may be subject to buffer overflow because they do not check the length of
the buffer
Buffer Overflow - CEH
- The Stack and Buffer Overflow
f. Writing the exploit that exploits the buffer overflow found just
Buffer Overflow - CEH
- Countermeasures to Buffer Overflow
Compilation techniques
Questions?
Cryptography - CEH
- What is Encryption?
Objectives of cryptography
a. Confidentiality
b. Integrity
c. Non-repudiation
d. Authenticity
Cryptography - CEH
- Types of Encryption
Symmetric Cryptography
Symmetric encryption uses the same key to encrypt and decrypt a given data
(secret-key, shared-key, private-key)
Asymmetric encryption
Asymmetric encryption uses different keys for encryption and
decryption. These keys are identified as public and private key (public-
key)
Hash Functions
Hash functions use no key to encrypt or decrypt
Cryptography - CEH
- Encryption Algorithms
Modern algorithms
a. Based on types of keys used
Private key: the same key to encrypt and decrypt
Public key: two different keys to encrypt or decrypt
b. Based on the types of input
Block cipher: encryption of data blocks according to a fixed length
Stream cipher: Encryption of a continuous data stream
Cryptography - CEH
- Symmetric encryption
- Asymmetric encryption
- Hash
Hash algorithms:
a. MD5
b. SHA-1,
c. Etc..
Cryptography - CEH
Certificates
Digital Signature
Authentication (Strong Authentication)
- Use:
GSM
SSL
Etc. ..
Cryptography - CEH
Questions?
Pen Testing - CEH
- Penetration Test
a. Security Audit
b. Vulnerability Assessment
c. Penetration Testing
Network Scanning
Scanning tools
Security Errors
- Penetration Testing
Testers differ from attackers only in the purpose of their actions
Pen Testing - CEH
The tests simulate the actions that possible company employees could take
b. Type of network
Pre-attack phase
a. This phase deals with the ways in which the test will be carried out and the
objectives to be achieved
b. The information gathering part about the target is considered essential
in this initial phase
c. A plan of attack to follow is formulated
d. It can be of two types:
Passive reconnaissance: collects information about the target from
public sources
Active reconnaissance: collects information through posts on social
networks, social engineering, visited web sites, interviews,
questionnaires, etc.
Pen Testing - CEH
Attack phase
d. Escalating privileges
Pen Testing - CEH
- Stages of a Penetration Testing (3/3)
Post-attack phase
b. Consists in "cleaning up" the traces of the actions taken by the tester, in order to
return the systems to their pre-test state
Questions?
Take a basic course on "Penetration test".
Hacking Basic Professional Penetration Test
Price lowered to $8
https://www.udemy.com/basic-professional-penetration-tests/?couponCode=HACKING%408
Thank you