ITT Certified Ethical Hacker

Certification Study Group

Week 2 – Scanning, Enumeration

and Password Cracking
CEH Study Group – Week 2
Overview
 Review of Week 1 Objectives
 CEH Exam Objectives
 Study Group Meeting Schedule
 Chapter 1 – Intro to Ethical Hacking
 Chapter 2 – Footprinting & Social Engineering
 Week 2 Learning Objectives (Ch 3 & 4)
 Chapter 3 – Scanning and Enumeration
 Chapter 4 – System Hacking
 Week 2 Homework
 Read Chapters 3 & 4 of CEH Review Guide
 Study for Quiz 1 covering Chapters 1 - 4
Certified Ethical Hacker Exam
(312-50) Objectives
 Ethics and Legality  Web-Based Password
 Footprinting Cracking
 Scanning  SQL Injection
 Enumeration  Wireless Hacking
 System Hacking  Viruses and Worms
 Trojans and Backdoors  Physical Security
 Sniffers  Linux Hacking
 Denial of Service  Evading IDS’s, Honeypots,
and Firewalls
 Social Engineering
 Buffer Overflows
 Session Hijacking
 Hijacking Web Servers
 Cryptography
 Web Application
 Penetration Testing Methods
Vulnerabilities
Study Group Meeting
Frequency and Location
 Study Group Location: ITT-Omaha,
Main Conference Room
 Frequency: Once a Week
 Day: Wednesday Night
 Time: 6:00pm
 Duration: 3 hours (1.5 Lecture/1.5 Lab)
Certification Text and
Schedule
 Certification Text(s):
 Official Certified Ethical Hacker Review Gui
de (Available on the ITT Virtual Library)
 CEH Prep Guide
 Certified Ethical Hacker Exam Prep
 Certification Schedule:
 We will cover two to three chapters of the
Study Guide Per Week and plan to sit for
the exam in 5 – 9 Weeks
Week 1 Learning Objectives
 Chapter 1 – Introduction to Ethical Hacking, Ethics,
and Legality
 Understanding Ethical Hacking Terminology
 Identifying Different Types of Hacking Technologies
 Understanding the different “Phases” and Five Stages of
Ethical Hacking
 What is Hackivism?
 List the Different Types of hacker Classes
 Define the skills required to become an ethical hacker
 What is vulnerability research?
 Describe the ways to conduct ethical hacking
 Understand the legal implications of hacking
 Understand 18 U.S.C. 1029 and 1030 U.S. Federal law
Week 1 Learning Objectives
(con’t)
 Chapter 2 – Foot printing and Social Engineering
 Footprinting
 Define the Term Footprinting
 Describe Information Gathering Methodology
 Describe Competitive Intelligence
 Understand DNS Enumeration
 Understand ARIN and WHOIS Lookup
 Identify the types of DNS Records
 Understand how TRACEROUTE is used in footprinting
 Understand how E-mail Tracking Works
 Understand how Web Spiders work
 Social Engineering
 What is Social Engineering?
 What are the common types of Attacks?
 Understand dumpster diving
 Understand Reverse Social Engineering
 Understand Insider Attacks
 Describe Phishing Attacks
 Understand Online Scams
 Understand URL Obfuscation
 Social Engineering Countermeasures
Week 2 Overview
 Lecture
 Chapter 3 – Scanning and Enumeration
 Chapter 4 – System Hacking
 Lab
 NMAP Fundamentals
 NMAP Switch Practice
 Banner Grabbing and OS Fingerprinting
CEH Week 2
 Chapter 3 – Scanning and Enumeration
 Scanning
 Port Scanning, Network Scanning, Vulnerability
Scanning
 CEH Scanning Methodology
 Ping Sweep Techniques
 *NMAP Command Switches
 SYN, Stealth, XMAS, NULL, IDLE, FIN Scan
 WAR Dialing
 Banner Grabbing and OS Fingerprinting
 Proxy Servers and Anonymizers
Port, Network, & Vulnerability
Scanning
 Port Scanning
 Definition: Determining Open Ports and
Services
 Know the Services for these Well-Known
Ports: 21, 25, 23, 80, 110, 443
 Know the Well-Known ports for these
services: FTP, Telnet, HTTP, SMTP, POP3,
HTTPS
Port, Network, & Vulnerability
Scanning
 Network Scanning
 Definition: Determining “live” Hosts, by
pinging or other means
 Vulnerability Scanning
 Definition: Determining the Presence of
Known Weaknesses
CEH Scanning Methodology
1. Check for Live Systems
2. Check for Open Ports
3. Service identification
4. Banner Grabbing/OS Fingerprinting
5. Vulnerability Scanning
6. Draw Network Diagrams of Vulnerable
Hosts
7. Prepare Proxies (Why?)
8. Attack
Ping Sweep Techniques
 Simplest Technique: Ping Sweep IP
Range assigned to “Target”
 Tools: Pinger, Friendly Pinger,
WS_Ping_Pro, Solarwinds Ping Sweep
 Use of Tools covered on the Exam
Port Scanning with NMAP
 Types of Scans:
 TCP Connect: Attacker makes full TCP Connection
to Target (SYN, SYN-ACK, ACK)
 XMAS Tree: Sets TCP URG, PSH, and FIN flags
 SYN Stealth Scan: Sends TCP SYN Packet, waits
only for SYN-ACK (full connection NOT made)
 NULL Scan: All flags off or not set; works only on
UNIX systems
 ACK Scan: Used to map firewall rules; Only works
on UNIX systems
 Windows Scan: Similar to ACK Scan and can
detect open ports.
Port Scanning with NMAP
 NMAP Scan Switches:
 -ST: TCP Connect Scan
 -sS: SYN Scan
 -sF: FIN Scan
 -sX: Xmas Scan
 -sN: NULL Scan
 -sP: Ping Scan
 -sU: UDP Scan
Port Scanning with NMAP
 NMAP Scan Switches (con’t):
 -sO: Protocol Scan
 -sA: ACK Scan
 -sW: Windows Scan
 -sR: RPC Scan
 -sL: List/DNS Scan
 -sI: Idle Scan
Port Scanning with NMAP
 NMAP Output Switches:
 -oN: Normal
 -oX: XML output
 -oG: Greppable Output
 -oA: All output
 NMAP Scan Parameter Switches:
 -T Paranoid: Serial Scan; 300 sec between scans
 -T Sneaky: Serial Scan; 15 Seconds between scans
 -T Polite: Serial Scan; 0.4 Seconds between scans
 -T Normal: Parallel Scan
 -T Aggressive: Parallel Scan; 300 Sec Timeout; 1.25
sec/probe
 -T Insane: Parallel Scan; 75 Sec Timeout; 0.3 sec/probe
SYN, Stealth, XMAS, NULL,
IDOL, & FIN Scan
 SYN: Half-Open Scan does not complete three-way
handshake; RST received back if port is closed
 XMAS: Sets PSH, URG, FIN Flags; RST received back
if port is closed
 FIN: Sets FIN Flag; RST received back if port is
closed
 NULL: Sends packet with no flags set; RST received
back if port is closed
 IDLE: Uses Spoofed IP Address to send SYN packet
to target; depending on response, port can be
assumed opened or closed. Determines port
response by monitoring header sequence numbers
War Dialing
 In the “Olden Days” companies used to
connect to the Internet and the “Outside
World” with Dial-Up Modems
 War Dialing was a technique used to rapidly
dial thousands of numbers in a pool of
numbers hoping a modem would answer.
 Security was more lax from the “Modem End”
and presented a nicer target
 War Driving, due to our reliance on Wireless
Communications, has almost replaced War
Dialing as the “entrance of choice”
Banner Grabbing and OS
Fingerprinting
 Banner Grabbing: Many web servers will
respond to certain HTTP Requests with the
version and patch level of the Web Server,
which will provide clues as to potential
vulnerabilities.
 OS Fingerprinting:
 Active TCP Stack Fingerprinting: Sending TCP
Data to a system to see how the system responds.
Windows and Unix Systems respond differently
 Passive RCP Stack Fingerprinting: Sniffing the
network to determine responses to TCP requests.
Proxy Servers & Anonymizers
 How can an attacker disguise
him/herself? By using a Proxy Server or
Anonymizer, which will “conduct the
attack” for him/her
CEH Week 2
 Chapter 3 – Scanning and Enumeration
 Enumeration
 What is Enumeration?
 NULL Sessions and their Countermeasures
 SNMP Enumeration and Countermeasures
 Windows 2000 DNS Zone Transfer &
Counternmeasures
 What steps are involved in Enumeration?
Enumeration
 What is Enumeration?
 Answer: The process of connecting to the target
system and gathering and compiling user names,
machine names, network resources, shares, and
services
 What are Built in tools we can use to
Enumerate a Windows Platform?
 Answer: Net View, Net Use, NBTStat
 What are some other tools we can use?
 Answer: DumpSec, Hyena, SMB Auditing Tool,
NetBios Auditing Tool
NULL Sessions &
Countermeasures
 What is a NULL Session?
 Answer: Gaining access to a system without
Logging On
 C:\> net use \\192.168.0.10\IPC$ “” /u: “”
 After the NULL Session is established, the
hacker has a channel over which to operate
 NULL Sessions are Windows NetBios
Vulnerabilities
NULL Sessions &
Countermeasures
 How can I prevent a NULL Session from
being established?
 Answer: Hack the registry
 Registry Key:
HKLM\SYSTEM\CurrentControlSet\LSA
 Add Value
 Value Name: RestrictAnonymous
 Data Type: Reg_Word
 Value: 2
SNMP Enumeration &
Countermeasures
 What is SNMP?
 Answer: Simple Network Management
Protocol. Used to manage Network devices
 What is the Vulnerability?
 Default SNMP “Read” passwords
(community string), public, and “Write”
passwords, private, are sometimes not
changed from their default values
SNMP Enumeration &
Countermeasures
 What is the Countermeasure?
 Answer: Change the Read and Read/Write
community strings to something other than
the default values or disable the SNMP
protocol
W2K DNS Zone Transfers &
Countermeasures
 What is a Zone transfer?
 Answer: Complete list of Host Names and
IP Addresses is transferred to an attacker.
The Utility NSLookup can be used
 What is the Vulnerability?
 The Host names and IP Addresses of all
Network Hosts are known by the Attacker,
which will allow easier access for the
purpose of scanning and enumereation.
W2K DNS Zone Transfers &
Countermeasures
 What is the Countermeasure?
 Answer: Configure the DNS Server
Properties to allow Secure DNS Transfer
only (to another DNS on the Network, by
IP Address, if necessary).
Steps in Enumeration
1. Extract usernames using enumeration
2. Gather information about the host
using null sessions
3. Perform Windows enumeration using
Superscan Tool
4. Acquire the user accounts using the
tool GetAcct
5. Perform SNMP Port Scanning
CEH Week 2
 Chapter 4 – System Hacking
 Password Hacking Techniques
 LanManager hash
 Cracking Windows 2000 Passwords
 Redirecting SMB Logon
 NetBIOS Dos Attacks
 Password Cracking Countermeasures
 Online Password Attacks
 Offline Password Attacks
LanManager Hash
 Hash is 14 bytes
 Hash is based on two 7 byte segments and a
segment less than 7 bytes is passed to 7 with
spaces
 Each is segment is hashed separately and
then combined into a single hash value
 Passwords that are 7 characters or fewer
always hash to AAD3B435B51404EE and
takes less than 60 seconds
Cracking Windows 2000
Passwords
 Usernames and Passwords stored in
windows\system\config\SAM file, which is locked
while windows is running
 Files can be copied if the system is booted to an
alternate OS such as DOS or LINUX
 SAM file is also copied to a backup file called SAM._
when RDISK utility is used to bacup windows
 The SAM._ can be expanded by using c:\expand
sam._ sam
 Once obtained, the SAM file can be subjected to a
dictionary, hybrid, or brute force attack using a tool
such as LOphtCrack
Redirecting SMB Logon
 Vulnerability:
 Passwords can also be captured when SMB logon
requests (passing user ID and password to
connect a network share)
 Type of man-in-the-middle attack
 SMBRelay and SMBRelay2 are two tools that will
redirect SMB requests and capter ID’s and
passwords.
 Countermeasure:
 Windows 2000 and beyond can be configured to
use SMB signing, which validates the SMB request
is from the correct source and not a relay
NetBIOS Denial of Service
(DoS)
 Description of Attack:
 NetBIOS Denial of Service (DoS) Attack sends a
NetBIOS Release Message to the NetBIOS Name
Service (WINS) on a target Windows System,
which causes the system to place that name in
conflict (duplicate name) to that name cannot be
used, preventing the system from connecting to
resources
 Resolution:
 Replace WINS resolution with DNS Resolution
Password Cracking
Countermeasures
1. Never keep a default password
2. Never use a password that can be found in a
dictionary
3. Never use a password that can be related to a host
name, domain name, or anything else that can be
found in whois
4. Never use a password related to your hobbies,
pets, relatives, or date of birth
5. Use a word that has more than 21 characters from
a dictionary (pass phrase) as a password
6. Change passwords at least every 30 days
7. Use Complex passwords
Online Password Attacks
 Passive Online Password Attack:
 Network sniffing, wired or wireless
 Man in the middle
 Relay Attack
 Active Online Password Attack:
 Password Guessing, manual or automated
Offline Password Attacks
 Obtain the Password File, SAM or
etc/Passwd, and conduct Dictionary,
Hybrid, or Brute Force attack against it
 Conduct Dumpster Diving, Shoulder
Surfing, Social Engineering, and
Keyboard Sniffing to obtain User
ID/Password combinations
CEH Week 2
 Chapter 4 – System Hacking
 Keyloggers and Spyware Technologies
 Escalating Privledges
 Buffer Overflows
 Rootkits & Countermeasures
 NTFS Streams & Countermeasures
 Steganography Technologoes
 Covering Your Tracks
Escalating Privileges
 Definition: Adding more rights or
permissions to a user account
 Ways to Escalate Privilege:
 Windows: Use Runas after logging on and
attempt to guess privileged account and
password
 UNIX: su
 Use GetAdmin.exe utility
Buffer Overflows
 Question:
 Remember the old saying “Garbage in, Garbage
out”?
 Answer:
 Yes. Buffer overflows, caused by a failure on the
part of a developer to validate input field size,
could cause Denial of Service (system crashes) or
input to be “forced” into the incorrect variable,
leading to unpredictable results
Rootkits & Countermeasures
 Types of Rootkits
 Kernel-Level: Add or replace a portion of the Kernel (Core part of the OS).
Accomplished via a driver install, or loadable kernel module
 Library-Level: Commonly patch, hook, or replace system calls with “infected” versions
of the same code.
 Application-Level: Replace application binaries (executables) with infected versions
 Planting Rootkits
 Attacker gains access to the system
 Copies _root_.sys and deploy.exe to the target system
 Attacker executes deploy.exe to install rootkit
 Attacker deletes deploy.exe
 Countermeasures
 Password Security
 Use MD5 Checksum Utility to add Checksum to executable code
 Checksum ensures code has not been modified
 Tripwire: provides integrity checking to Unix/Linux systems
NTFS Streams &
Countermeasures
 NTFS Streams are used to Hide malicious code in the
“slack space” of existing files to prevent detection
 The makestrm.exe utility moves data from the original file to
an alternate data stream linked to the original file
 The attrib +h command will hide the malicious file without
using NTFS Streams
 NTFS Streams Countermeasures
 Move the NTFS file to a FAT partition and then back
 LNS.exe will detect NTFS streams
Steganography Technologies
 Definition: Hiding data within images
or text files
 Tools to Hide Data: ImageHide,
Blindside, MP3Stego, Snow, etc
 Countermeasures: Stegdetect,
DskProbe
Covering Tracks
 Disable Auditing: On Windows NT-Based
systems, the Auditpol utility is contained on
the Windows NT Resource Kit and can be
installed on the system. An Attacker can run
the utility to disable Auditing
 Clear Event Logs
 Eslave.exe, WinZapper
 Erase all other evidence
 Evidence Eliminator – Cleans recycle bin, system
files, temp folders, etc
Week 2 Lab
 NMAP Practice
 Download Command Line Version of NMAP
(Unix Version Preferred)
 Perform SYN, XMAS, NULL, and FIN Scan
on Test Workstation/Laptop
 See Command Switches for Clues
 Banner Grabbing and OS Fingerprinting
 Download HTTrack and Fingerprint Test
Workstation/Laptop Operating System
Week 2 Homework
 Read CEH Study Guide Chapters 5 & 6
 Study Chapters 1 – 4 for Quiz 1, next
week