CEH Module5 – Vulnerability Analysis

Reasons for the existence of vulnerabilities

  • Hardware or software misconfiguration
  • Insecure or poor design of network and application
  • Inherent technology weakness
  • End-user carelessness
  • Intentional end-user acts

Examples of vulnerabilities

TCP/IP protocol vulnerabilities – HTTP, FTP, ICMP, SNMP are inherently insecure
Operating system vulnerabilities – inherently insecure
– not patched with the latest updates
Network device vulnerabilities (router, firewall, switch)
– lack of password protection
– lack of authentication
– insecure routing protocols
User account vulnerabilities – originating from the insecure transmission of user account details over the network
System account vulnerabilities – setting of weak passwords
Internet service misconfiguration – misconfiguration of services
Default passwords and settings – leaving devices/products with their default passwords and settings
Network device misconfiguration – misconfiguring the network device

Vulnerability Research

Process of analyzing protocols, services, and configurations to discover vulnerabilities and design flaws.
Vulnerabilities are classified by severity level (low, medium, high, critical) and exploit range (local or remote).

1. To gather information concerning security trends, attack surface, attack vectors and techniques
2. To discover weaknesses in the OS and applications, and alert the network administrator before a network attack
3. To gather information to aid in the prevention of security issues
4. To know how to recover from a network attack

Resources for Vulnerability Research
– Microsoft security response center
– Packet storm
– Dark Reading
– Trend Micro
– Security Magazine
– PenTest Magazine

Vulnerability Assessment

An in-depth examination of the ability of a system or application, including its current security procedures and controls, to withstand exploitation.
It recognizes, measures and classifies security vulnerabilities in computer systems, networks and communication channels.

Used to
– identify weaknesses that can be exploited
– predict the effectiveness of additional security measures in protecting information resources from attacks
Information obtained from the vulnerability scanner includes:
– network vulnerabilities – active scanning (directly scanning the network) and passive scanning (indirectly interacting with the targeted network)
– open ports and running services
– application and service vulnerabilities
– application and service configuration errors

Vulnerability Scoring Systems and Databases

  • Common Vulnerability Scoring System (CVSS)
  • Common Vulnerabilities and Exposures (CVE)
  • National Vulnerability Database (NVD)
  • Common Weakness Enumeration (CWE)
Severity – Base Score Range
None – 0.0
Low – 0.1-3.9
Medium – 4.0-6.9
High – 7.0-8.9
Critical – 9.0-10.0

Vulnerability-Management Life Cycle

Pre-Assessment Phase
Identify and understand business process
Identify application, data and services
Identify approved software and basic configurations
Create inventory and prioritize/rank assets
Understand network architecture and map network infrastructure
Identify controls
Policy and standard compliance
Scope
information protection procedures

– Asset Identification: Create a list of assets, including applications, systems, and services.
– Baseline Creation: Establish baseline configurations and policies for assessing deviations.
– Scope Definition: Clearly define the boundaries of the assessment, ensuring all critical areas are covered.
– Network Mapping: Document the architecture and infrastructure to identify weak points.

Assessment Phase
Physical security
Check misconfiguration
Run vulnerability scan
Select scan compliance requirements
Prioritize vulnerabilities
Identify false positives and false negatives
Apply business and technology context to the scanner results
Perform OSINT information gathering to validate vulnerabilities
Create report

– Scanning: Use tools like Nessus or OpenVAS to identify vulnerabilities in networks, applications, and configurations.
– Vulnerability Classification: Distinguish between misconfigurations, legacy vulnerabilities, zero-days, and other weaknesses.
– Result Validation: Check for false positives or negatives by cross-referencing data with real-world conditions.

Post-Assessment Phase
Risk Assessment: Categorize risks based on their potential impact (e.g., critical, high, medium, low).
Remediation: Apply fixes such as patches, reconfigurations, or software updates.
Verification: Rescan the system to confirm vulnerabilities have been addressed.
Continuous Monitoring: Implement ongoing security checks using tools like SIEM or intrusion detection systems.
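As an added example that is not part of the CEH material, the assessment and post-assessment steps above carried out in Python over a constructed set of scanner findings: severity is assigned from the CVSS base score ranges listed under Vulnerability Scoring Systems, business context comes from an assumed asset-criticality inventory built in the pre-assessment phase, findings validated as false positives are excluded, and a remediation order plus the counts a report's findings summary needs are produced. Host names, scores, the priority weighting and the CVE placeholders are all constructed.

```python
from dataclasses import dataclass, field

# Severity bands copied from the CVSS base score table on this page.
CVSS_BANDS = [
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
]
SEVERITY_RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed asset inventory from the pre-assessment phase: criticality 1 (low) to 3 (high).
ASSET_CRITICALITY = {"web01": 3, "db01": 3, "wks-17": 1, "printer-2": 1}


def cvss_severity(score: float) -> str:
    """Map a CVSS base score (0.0-10.0, one decimal) to its qualitative severity band."""
    score = round(float(score), 1)
    for low, high, name in CVSS_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"CVSS base score out of range: {score}")


@dataclass
class Finding:
    finding_id: str
    host: str
    title: str            # scanner check name; CVE references below are placeholders
    cvss: float
    exploit_range: str    # "remote" or "local", the page's exploit-range classification
    false_positive: bool = False   # set during result validation
    severity: str = field(init=False)

    def __post_init__(self):
        self.severity = cvss_severity(self.cvss)


def priority(f: Finding) -> int:
    """Business-context score (assumed weighting): severity rank times asset criticality,
    with remotely exploitable issues ranked ahead of local ones at equal weight."""
    crit = ASSET_CRITICALITY.get(f.host, 2)   # unknown asset: treat as medium criticality
    remote = 1 if f.exploit_range == "remote" else 0
    return SEVERITY_RANK[f.severity] * crit * 2 + remote


def triage(findings):
    """Drop validated false positives and order the rest for remediation, highest priority first."""
    valid = [f for f in findings if not f.false_positive]
    return sorted(valid, key=lambda f: (-priority(f), f.host, f.finding_id))


def findings_summary(findings):
    """Counts per severity and hosts carrying Critical/High issues, for the report's findings
    and risk assessment sections."""
    valid = [f for f in findings if not f.false_positive]
    counts = {name: 0 for _, _, name in CVSS_BANDS}
    for f in valid:
        counts[f.severity] += 1
    critical_hosts = sorted({f.host for f in valid if f.severity in ("Critical", "High")})
    return {"counts": counts, "critical_hosts": critical_hosts,
            "false_positives": len(findings) - len(valid)}


# Constructed scanner output; the CVE references are placeholders, not real identifiers.
SAMPLE_FINDINGS = [
    Finding("F-001", "web01", "Outdated TLS library (CVE-PLACEHOLDER-1)", 9.8, "remote"),
    Finding("F-002", "db01", "Default database credentials", 7.5, "remote"),
    Finding("F-003", "wks-17", "Unpatched kernel, local privilege escalation (CVE-PLACEHOLDER-2)", 7.8, "local"),
    Finding("F-004", "printer-2", "SNMP read community 'public'", 5.3, "remote"),
    Finding("F-005", "web01", "Directory listing enabled", 5.3, "remote", false_positive=True),
    Finding("F-006", "db01", "Verbose service banner", 3.1, "remote"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{priority(f):>3} {f.severity:<8} {f.host:<10} {f.finding_id} {f.title}")
    print(findings_summary(SAMPLE_FINDINGS))
```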

Types of Vulnerabilities

– Configuration Vulnerabilities: Weak settings, default configurations, or unused open ports.
– Application Vulnerabilities: Software flaws like buffer overflows, injection vulnerabilities, or race conditions.
– Patch Management Issues: Unpatched systems or outdated software leaving exploitable gaps.
– Third-Party Risks: Dependencies on third-party software or cloud services that could expose sensitive data.
– Zero-Day Vulnerabilities: Newly discovered exploits not yet patched by the vendor.
– Legacy Systems: Older, unsupported systems prone to attacks.

Types of Vulnerability Assessment

Active assessment – network scanner
Passive assessment – sniff the network traffic
External assessment – accesses the network from the hackers' perspective to discover exploits and vulnerabilities
Internal assessment – scan the internal infrastructure
Host-based assessment – configuration-level checks
Network-based assessment – determines network security attacks
Application assessment – analyze the web infrastructure for misconfiguration, outdated content and known vulnerabilities
Database assessment – MySQL, MSSQL… data exposure or injection
Wireless network assessment – vulnerabilities in the wireless networks
Distributed assessment – assesses distributed assets, client and server applications, simultaneously through synchronization techniques
Credentialed assessment – assesses the network by obtaining the credentials
Non-credentialed assessment – assesses the network without acquiring any credentials
Manual assessment – the ethical hacker manually assesses the vulnerability, ranking and score
Automated assessment – the ethical hacker uses vulnerability assessment tools – Nessus, Qualys

Vulnerability Assessment Tools

  • Product-based solutions – installed inside the internal network; cannot detect attacks coming from outside
  • Service-based solutions – offered by third parties, hosted inside the internal network or outside; attackers can audit the network from outside
  • Tree-based solutions – the auditor selects a different strategy for each machine or component. Relies on the administrator to provide a starting piece of intelligence
  • Inference-based solutions – scanning starts by building an inventory of the protocols found on the machine. After finding a protocol, the scanning process detects which ports are attached to services. After finding services, it selects vulnerabilities for each machine and executes only the relevant tests.

Types of Vulnerability Assessment Tools

Host-based – scans the host, OS and applications
Depth – discovers and identifies previously unknown vulnerabilities
Application layer – designed to serve the needs of all kinds of operating system types and applications
Scope – provides an assessment of security by testing vulnerabilities in the applications and operating system. These tools provide standard controls and a reporting interface that allows the user to select a suitable scan.
Active – performs vulnerability checks on the network functions that consume resources on the network
Passive – only observes system data and performs data processing on a separate analysis machine. A passive scanner first receives system data that provide complete information on the processes that are running and then assesses that data against a set of rules.
Location/data examination tools – network-based scanner, agent-based scanner, proxy scanner, cluster scanner

Examples:
Qualys Vulnerability Management – cloud based, updated, identification of threats and monitoring of unexpected changes
Nessus Professional – assessment solution identifying vulnerabilities, configuration issues and malware
GFI LanGuard – scans, detects and rectifies security vulnerabilities
OpenVAS – framework of services, scanning and vulnerability management solution
Nikto – web server assessment tool
More names: beSECURE, Network Security Scanner, Nexpose
Mobile: Vulners Scanner, SecurityMetrics Mobile

Vulnerability Assessment Reports

Executive Summary
– assessment scope and objectives
– testing narrative
– findings summary
– Remediation summary
Assessment Overview
– Assessment methodology
– scan information
– target information
Findings
– scanned hosts
– type of vulnerabilities identified
– detailed information on identified vulnerabilities
– Notes describing additional details of the scan results
Risk Assessment
– Classification of vulnerabilities based on the risk level
– Potential vulnerabilities that can compromise the system or application
– Critical hosts with severe vulnerabilities
Recommendations
– Prioritization of remediation based on risk rankings
– Action plan to implement the recommendations for each identified vulnerability
– Root cause analysis
– Application of patches/fixes
– Lessons learnt
– Awareness training
– Implementation of periodic vulnerability assessment
– implementation of policies, procedures and controls

Vulnerability Classification

Misconfigured/weak configuration – allows an attacker to break into a network and gain unauthorized access to systems
– network misconfigurations: insecure protocols, open ports, weak encryption
– host misconfigurations: open permissions and unsecured root accounts
Application flaws – data tampering and unauthorized access; buffer overflows, memory leaks, resource exhaustion, integer overflows, null pointers, DLL injection, improper input/output handling
Poor patch management – subject to exploitation; vulnerable to various attacks
– unpatched servers, firmware, OS, applications
Design flaws – bypass the detection mechanism; incorrect encryption and poor validation of data
Third-party risks – external services have access to privileged systems and applications; vendor management, supply chain risks, outsourced code development, data storage, cloud based vs on premises
Default installation/configuration – the attacker can guess the settings
OS flaws – owing to OS vulnerabilities and applications such as trojans, worms and viruses
Default password
Zero-day vulnerabilities – exposed but not yet found
Legacy platform vulnerabilities – obsolete code/patching no longer supported
System sprawl/undocumented assets – increased number of systems or server connections without proper documentation
Improper certificate and key management – allows attackers to perform password cracking and data exfiltration attacks
– outdated keys

CEH Module2 – Footprinting and Recon

Footprinting is the first step of any attack on information systems in which an attacker collects information about a target network to identify various ways to intrude into the system.

Passive – without direct interaction
Active – with direct interaction

Information Obtained in Footprinting

Organization Information
– employee details
– phone numbers
– location details
– organization background
– web technologies
– news articles, press releases, etc.
– obtained from: the information available on the organization's website
Network Information
– domain, sub-domains
– network blocks
– topology, trusted routers, firewalls
– IP addresses of reachable systems
– whois
– DNS
– obtained from: querying the whois database, whois database analysis, trace routing, network, DNS
System Information
– web server OS
– location of the web server
– publicly available email
– usernames and passwords
– obtained from: website and email footprinting

Footprinting techniques

Footprinting through Search Engines
– Advanced Google hacking techniques
– Google hacking database and Google advanced search
https://www.exploit-db.com – The Exploit Database is a Common Vulnerabilities and Exposures (CVE) compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.

– Video, Meta, FTP and IoT search engines

Techniques – Tools
Google advanced search – Google advanced search
Advanced image search – Google advanced image search
Reverse image search – Google image search, TinEye reverse image search, Yahoo image search
Video search engines – YouTube metadata, YouTube DataViewer
Meta search engines – Startpage, MetaGer
FTP search engines – NAPALM FTP indexer, FreewebFTP file search
IoT search engines – Shodan.io, Censys, Thingful (paid)

Footprinting through Web services
– People search services

Facebook.com
Spokeo.com
theHarvester – theHarvester -d microsoft -l 200 -b linkedin (search people)
theHarvester -d microsoft.com -l 200 -b baidu (search emails)
Job sites are also a good source of information about what technology the organization is using.

– Financial Services and Job Sites
– Deep and Dark web footprinting
– Competitive Intelligence and Business Profile sites

– Determine the OS

netcraft.com – information about the site
shodan.io – searches the Internet for connected devices (routers, servers, and IoT devices).
censys.io – monitors the infrastructure and discovers unknown assets anywhere on the Internet. It provides a full view of every server and device exposed to the Internet.

– Finding Top level domain and sub-domains

Google / Bing – Powerful search engines
netcraft.com – provides Internet security services, including anti-fraud and anti-phishing services, application testing, and PCI scanning.
Sublist3r – Python script designed to enumerate the subdomains of websites using OSINT
https://pentest-tools.com – Find Subdomains is an online tool used for discovering subdomains and their IP addresses, including network information and their HTTP servers.
Technique – Tools
Location of the target – Google Earth, Google Maps, Wikimapia
Gathering financial information – Google Finance, MSN Money, Yahoo Finance
Gathering information from business profile sites – OpenCorporates, Crunchbase, CorporationWiki, LinkedIn
Monitoring targets using alerts – Google Alerts, X (Twitter), Mention (online reputation tool)
Gathering information from groups, forums and blogs – Google Groups, Yahoo Groups
Gathering information from NNTP Usenet newsgroups – Newshosting, Eweka, Supernews
Public source code repositories – Recon-ng

Footprinting through Social media sites
– social engineering

Sherlock – searches a vast number of social networking sites for a target username. This tool helps the attacker locate the target user on various social networking sites, along with the complete URL. python3 sherlock victim
social-searcher.com – searches for content on social networks in real time and provides deep analytics data.

– social media sites

buzzsumo.com – advanced social search engine finds the most shared content for a topic, author, or domain. It shows the shared activity across all the major social networks including Twitter, Facebook, Linked In, Google Plus, and Pinterest.
https://followerwonk.com – Followerwonk helps you explore and grow your social graph: Dig deeper into Twitter analytics: Who are your followers? Where are they located? When do they tweet?

– analyzing social network graphs

https://gephi.org – visualization and exploration tool for all types of graphs and networks. It allows the easy creation of social data connectors to map community organizations and small-world networks.

Website footprinting
Looking for Software used and its version, OS used, Sub-directories and parameters, Filename, path, database field name or query, scripting platform, technologies used, contact details, CMS details.

Burp Suite – platform for performing security testing of web applications. Its various tools work together to support the entire testing process, from initial mapping and analysis of an application’s attack surface to finding and exploiting security vulnerabilities.

Burp Proxy allows attackers to intercept all requests and responses between the browser and the target web application and obtain information such as the web server used, its version, and web-application-related vulnerabilities.
Examining the HTML source code – identifying the CMS
Examining cookies – identifying the software running and the scripting platform

– Web spidering

Webspiders – Web data extractor, Parsehub

– Website mirroring

HTTrack Web Site Copier – offline browser utility. It downloads a website from the Internet to a local directory and recursively builds all the directories including HTML, images, and other files from the web server on another computer.
https://archive.org – Internet Archive Wayback Machine that explores archived versions of websites.
Photon – retrieves archived URLs of the target website from archive.org
– python photon.py -u -l 3 -t 200 --wayback
– python photon.py -u -l 3 -t 200 --only-urls
Extracting website links – Octoparse, Netpeak Spider, Link Extractor
Gathering a wordlist from the target website – CeWL: cewl http://www.certifiedhacker.com
Extracting metadata from public documents – ExifTool, Web Data Extractor, Metagoofil
Monitoring web pages for updates and changes – Website-Watcher, Visualping, Follow That Page
Searching for contact info, email addresses, telephone numbers etc. – target website
Searching for web page posting patterns and revision numbers – web search
Monitoring website traffic of the target company – Web-Stat, Ranktracker, GoingUp.com, Opentracker, Google Analytics

Email footprinting
– Tracking Email communications
Collecting information from the email header

infoga – gathers email account information (IP, hostname, country, etc.) from different public sources (search engines, PGP key servers, and Shodan), and checks whether an email was leaked using the haveibeenpwned.com API
– python infoga.py --domain microsoft.com --source all --breach -v 2 --report ../microsoft.txt
– python infoga.py --info m4ll0k@protonmail.com --breach -v 3 --report ../m4ll0k.txt
eMailTrackerPro – analyzes email headers and extracts information such as the sender's geographical location, IP address, and so on. It allows an attacker to review the traces later by saving past traces.
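As an added example that is not part of the CEH material and not the code of infoga or eMailTrackerPro, a Python routine that extracts from an email header what the tools above report: it walks the Received: chain of a constructed suspicious message from the last hop back to the originating host, records the connecting address each server logged, and flags a Reply-To domain that differs from the From domain. All hostnames and addresses are constructed from documentation ranges, and which fields an analyst flags is an assumption.

```python
import email
import ipaddress
import re
from email import policy

# Constructed header of a suspicious "password reset" mail. Each MTA prepends its own
# Received: line, so the first line is the final hop and the last one is nearest the origin.
RAW_MESSAGE = """\
Received: from mx-in.example.net (mx-in.example.net [203.0.113.20])
\tby mail.example.org with ESMTPS id abc123
\tfor <alice@example.org>; Mon, 3 Mar 2025 10:15:02 +0000
Received: from relay.example.net (relay.example.net [203.0.113.5])
\tby mx-in.example.net with ESMTP id def456;
\tMon, 3 Mar 2025 10:14:58 +0000
Received: from [10.0.0.42] (unknown [198.51.100.77])
\tby relay.example.net with ESMTPSA id ghi789;
\tMon, 3 Mar 2025 10:14:50 +0000
From: "IT Helpdesk" <helpdesk@example.org>
Reply-To: helpdesk@mailbox.example.invalid
To: alice@example.org
Subject: Password reset required
Message-ID: <20250303101450.12345@relay.example.net>

Please reset your password using the link below.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.IGNORECASE)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(msg):
    """Return the Received: chain in chronological order (origin first)."""
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))
        m = RECEIVED_RE.search(text)
        if not m:
            continue    # non-standard hop line: skip rather than guess
        info = m.group("info") or ""
        ips = IPV4_RE.findall(info)
        hops.append({
            "helo": m.group("helo"),          # name the client claimed in HELO/EHLO
            "ip": ips[0] if ips else None,    # connecting address recorded by the receiver
            "by": m.group("by"),
            "unresolved": info.lower().startswith("unknown"),   # receiver found no reverse DNS
        })
    hops.reverse()
    return hops


def _domain(addr):
    addr = str(addr)
    return addr.rsplit("@", 1)[-1].rstrip(">").strip().lower() if "@" in addr else ""


def _claims_private_ip(helo):
    """True when the HELO name is a bracketed private address (seen from behind NAT)."""
    try:
        return ipaddress.ip_address(helo.strip("[]")).is_private
    except ValueError:
        return False


def analyze(raw):
    """Summarize what the header alone tells an analyst about the message's origin."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = parse_hops(msg)
    origin = hops[0] if hops else {"ip": None, "helo": None, "unresolved": False}
    reply_to, sender = _domain(msg.get("Reply-To", "")), _domain(msg.get("From", ""))
    return {
        "origin_ip": origin["ip"],
        "origin_claimed": origin["helo"],
        "origin_unresolved": origin["unresolved"],
        "origin_claims_private_ip": _claims_private_ip(origin["helo"] or ""),
        "path": [h["by"] for h in hops],
        "hop_count": len(hops),
        "reply_to_mismatch": reply_to not in ("", sender),
    }


if __name__ == "__main__":
    for key, val in analyze(RAW_MESSAGE).items():
        print(f"{key:>26}: {val}")
```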

DNS footprinting
– DNS interrogation – These tools can extract a range of IP addresses using IP routing lookup.

SecurityTrails – advanced DNS enumeration tool capable of creating a DNS map of the target domain network. It can enumerate both current and historical DNS records such as A, AAAA, NS, MX, SOA, and TXT, which helps in building the DNS structure.

– Reverse DNS lookup

DNSRecon – perform a reverse DNS lookup on the target range:
dnsrecon -r 162.241.216.0-162.241.216.255
Reverse Lookup – performs a reverse IP lookup by taking an IP address and locating the DNS PTR record for that address

Network footprinting
– locate network range
– traceroute

ARIN – enter the server IP into the SEARCH Whois text box. This yields the network range of the target network.
Traceroute – Finding the route of the target host on the network is necessary to test against man-in-the-middle attacks and other related attacks.
ICMP traceroute
TCP traceroute
UDP traceroute
Path Analyzer Pro – performs network route tracing with performance tests, DNS, Whois, and network resolution to investigate network issues.
Visualroute.com – is a traceroute and network diagnostic tool. Attackers use VisualRoute to identify the geographical location of routers, servers, and other IP devices in the target network.

Footprinting through social engineering
– Eavesdropping
– Shoulder surfing
– Dumpster diving
– Impersonation

Maltego – automated tool that can be used to determine the relationships and real-world links between people, groups of people, organizations, websites, Internet infrastructure, documents, etc.
Recon-ng – reconnaissance framework with independent modules for database interaction that provides an environment in which open-source web-based reconnaissance can be conducted.
FOCA – finds metadata and hidden information in the documents that it scans. FOCA is capable of scanning and analyzing a wide variety of documents, the most common ones being Microsoft Office, OpenOffice, or PDF files.
OSRFramework – username checking, DNS lookups, information leak research, deep web search, and regular expression extraction.
Recon-Dog – all-in-one tool for all basic information gathering needs. It uses APIs to collect information about the target system.
Bill Cipher – information gathering tool for a website or IP address. It can work on any operating system that supports Python 2, Python 3, and Ruby. This tool includes options such as DNS lookup, Whois lookup, port scanning, zone transfer, host finder, and reverse IP lookup, which help to gather critical information.
Spyse – collects and analyzes information about devices and websites available on the Internet. It probes every public IP address, crawls every website, curates and enriches the resulting data, and makes the data intelligible through an interactive search engine and application programming interface (API).
Other tools: Grecon, theHarvester, Th3Inspector, Raccoon, Orb

Footprinting Countermeasures

Develop and enforce security policies
Restrict zone transfers
Disable directory listings
Educate employees about social engineering tricks and risks
Use privacy services on the Whois lookup database
Avoid domain-level cross-linking
Encrypt and password-protect sensitive information
Place critical documents offline
Train employees on social engineering and attacks
Hide direct contact details
Disable geo-tagging functionality
Avoid revealing location or travel plans
Turn off geolocation access
Ensure no critical information is on notice boards

CEH Module1 – Intro, Concepts, Standards

Elements of Information Security – CIA

Confidentiality – assurance that information is accessible only to those authorized to have access
Integrity – the trustworthiness of data and resources in terms of preventing improper or unauthorized changes
Availability – assurance that the systems responsible for delivering, storing and processing information are accessible when required by authorized users
Authenticity – the characteristic of a communication, document or any data that ensures the quality of being genuine
Non-repudiation – a guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received it

Classification of Attacks

Passive – do not tamper with the data; involve intercepting and monitoring network traffic and data flow on the target network
– sniffing and eavesdropping
Active – tamper with data in transit or disrupt the communication or services between systems to bypass or break into secured systems
– DoS, man-in-the-middle, session hijacking, SQL injection
Close-in – performed when the attacker is in close physical proximity to the target systems or network in order to gather, modify or disrupt access to information
– eavesdropping, shoulder surfing, dumpster diving
Insider – using privileged access to violate rules or intentionally cause a threat to the organization's information or information systems
– theft of physical devices, planting keyloggers, backdoors and malware
Distribution – tampering with hardware or software prior to installation
– tampering with hardware or software at its source or in transit

Information Warfare

C2 – possessing compromised systems or networks
Intelligence-based – sensor-based
Electronic – radio-electronic and cryptographic techniques
Psychological – propaganda and terror to demoralize
Hacker – shutting down systems, data errors, theft of services, false messaging, system monitoring, access to data
– uses viruses, logic bombs, Trojan horses, and sniffers to perform these attacks
Economic – affects the economy of a business by blocking the flow of information
Cyber – use of information systems against the virtual personas of individuals or groups

CEH Hacking Methodology (CHM)

Cyber Kill Chain Methodology

Tactics, Techniques, and Procedures (TTPs)

Tactics – the way an attacker performs the attack; e.g. tactics for information gathering to perform initial exploitation, privilege escalation and lateral movement, and to deploy measures for persistent access to the system and other purposes
Techniques – technical methods used by an attacker; e.g. initial exploitation, setting up and maintaining command and control channels, accessing the target infrastructure, covering the tracks of data exfiltration
Procedures – organizational approaches that threat actors follow; the number of actions usually differs depending on the objectives of the procedure and the threat actor group

Adversary Behavioral Identification

Internal reconnaissance – enumeration of systems, hosts and processes; executing commands to get the local user context, system configuration, hostname, IP address, active remote systems and running programs
Use of PowerShell – automating data exfiltration and launching further attacks
Unspecified proxy activities – the adversary creates and configures multiple domains pointing to the same host, allowing a quick switch between domains to avoid detection
Use of command line interface – interacting with the target system: browsing files, reading file content, modifying files, creating new users, connecting to remote systems, downloading and installing malicious code
HTTP user agent – the server identifies the connected HTTP client using the user agent field; the adversary can modify the content of the HTTP user agent field to communicate with the compromised system and carry out further attacks
Command and control server – communicating remotely with the compromised system through an encrypted session; the encrypted channel is used to steal data, delete data and launch further attacks
Use of DNS tunneling – used to hide malicious traffic in the legitimate traffic carried by common protocols; used for communication with the C2 server, bypassing security controls and performing data exfiltration
Use of web shell – manipulating the web server by creating a shell within a website; used to gain remote access to the server's functionality, data exfiltration, file transfers and uploads
Data staging – techniques to collect and combine as much data as possible
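As an added example that is not part of the CEH material, a small Python detector for the "Use of DNS tunneling" behaviour listed above, run over constructed resolver log lines: for each client and queried zone it counts distinct subdomains, the average length of the leftmost label, the character entropy of the subdomain part and the share of record types that can carry data, then flags zones where one client issues many unique, long or high-entropy names. The log layout, the zone-is-last-two-labels rule and the thresholds are assumptions, and the client addresses and domains are constructed.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log in an assumed "timestamp client qtype qname" layout (not a real
# product format). Client 10.0.0.42 mixes ordinary lookups with unique, long TXT names
# under one zone, which is the pattern a tunnel produces.
SAMPLE_LOG = """\
2025-03-03T10:00:01Z 10.0.0.42 A www.example.org
2025-03-03T10:00:02Z 10.0.0.42 A cdn.example.org
2025-03-03T10:00:03Z 10.0.0.7 A www.example.org
2025-03-03T10:00:04Z 10.0.0.42 TXT 6a4f3b9e2c1d8a7f0e1d.t.cmd.example.invalid
2025-03-03T10:00:05Z 10.0.0.42 TXT 9c0e1b2a3d4f5e6a7b8c.t.cmd.example.invalid
2025-03-03T10:00:06Z 10.0.0.42 MX mail.example.org
2025-03-03T10:00:07Z 10.0.0.42 TXT 1f2e3d4c5b6a79880716.t.cmd.example.invalid
2025-03-03T10:00:08Z 10.0.0.42 TXT a1b2c3d4e5f60718293a.t.cmd.example.invalid
2025-03-03T10:00:09Z 10.0.0.7 A login.example.org
2025-03-03T10:00:10Z 10.0.0.42 TXT 0f1e2d3c4b5a69788796.t.cmd.example.invalid
2025-03-03T10:00:11Z 10.0.0.42 TXT 5e6d7c8b9a0f1e2d3c4b.t.cmd.example.invalid
2025-03-03T10:00:12Z 10.0.0.42 A www.example.org
2025-03-03T10:00:13Z 10.0.0.42 TXT deadbeefcafef00d1234.t.cmd.example.invalid
2025-03-03T10:00:14Z 10.0.0.42 TXT 00112233445566778899.t.cmd.example.invalid
2025-03-03T10:00:15Z 10.0.0.42 A api.example.org
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME"}   # record types commonly used to carry data back


def shannon_entropy(s):
    """Bits per character; encoded payloads score higher than dictionary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    matches = (LOG_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def profile(records, zone_labels=2):
    """Aggregate per (client, zone); the zone is assumed to be the last two labels."""
    groups = defaultdict(lambda: {"subs": set(), "lens": [], "ents": [], "payload": 0, "total": 0})
    for r in records:
        labels = r["qname"].rstrip(".").lower().split(".")
        if len(labels) <= zone_labels:
            continue    # a query for the bare zone carries no encoded payload
        zone = ".".join(labels[-zone_labels:])
        sub = ".".join(labels[:-zone_labels])
        g = groups[(r["client"], zone)]
        g["subs"].add(sub)
        g["lens"].append(len(labels[0]))
        g["ents"].append(shannon_entropy(sub.replace(".", "")))
        g["total"] += 1
        g["payload"] += r["qtype"] in PAYLOAD_QTYPES
    return {key: {"distinct": len(g["subs"]), "queries": g["total"],
                  "mean_label_len": sum(g["lens"]) / len(g["lens"]),
                  "mean_entropy": sum(g["ents"]) / len(g["ents"]),
                  "payload_ratio": g["payload"] / g["total"]}
            for key, g in groups.items()}


def suspicious(stats, min_distinct=5, min_label_len=16, min_entropy=3.5):
    """Zones where one client sends many unique subdomains that are long or high-entropy
    (thresholds are assumptions to tune against your own baseline)."""
    return {key: s for key, s in stats.items()
            if s["distinct"] >= min_distinct
            and (s["mean_label_len"] >= min_label_len or s["mean_entropy"] >= min_entropy)}


if __name__ == "__main__":
    for (client, zone), s in suspicious(profile(parse_log(SAMPLE_LOG))).items():
        print(f"{client} -> {zone}: {s['distinct']} unique names, mean label {s['mean_label_len']:.0f}, "
              f"entropy {s['mean_entropy']:.2f}, payload-type ratio {s['payload_ratio']:.2f}")
```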

Indicators of Compromise (IoCs)

Email – email service used to send malicious data
Network – C2, malware delivery and identifying details of the OS, browser type and other computer-specific information
Host-based – filenames, file hashes, registry keys, DLLs and mutexes
Behavioral – identify specific behavior related to malicious activities such as code injection into memory or running the scripts of an application

MITRE ATT&CK Framework

Diamond Model of Intrusion Analysis

Additional Event Meta-Features

Adversary – hacker
Victim – target
Capability – strategy, methods, procedures, malware, tools
Infrastructure – hardware and software connections
Timestamp – time and date of the event
Phase – progress of the attack
Result – outcome of the event
Direction – direction of the attack, route to the victim
Methodology – techniques used to perform the attack
Resource – tools/technology used to perform the attack
Socio-political – relationship between the adversary and the victim
Technology – relationship between infrastructure and capability

Continual/ Adaptive Security Strategy

Defense-in-Depth

Risk Level

Risk level – Consequence – Action
Extreme or High – serious or imminent danger
– immediate measures are required
– identify and impose controls to reduce the risk to a reasonably low level
Medium – moderate danger
– immediate action is not required, but action should be implemented quickly
– identify and impose controls to reduce the risk to a reasonably low level
Low – negligible
– take preventive steps to mitigate the effects of the risk

Risk Matrix

Risk Management

Risk identification – identifies the sources of risk
Risk assessment – assesses the organization's risk
Risk treatment – selects and implements appropriate controls
Risk tracking – ensures appropriate controls are implemented
Risk review – evaluates the performance

Cyber Threat Intelligence

Strategic – high-level information on changing risks – consumed by high-level executives and management
Tactical – information on attackers' TTPs – consumed by IT service and SOC managers and administrators
Operational – information on a specific incoming attack – consumed by security managers and network defenders
Technical – information on specific indicators of compromise – consumed by SOC staff and the IR team

Threat Intelligence Lifecycle

Threat Modeling

Incident Management

Incident Handling and Response

Role of AI and ML in Cyber Security

Information Security Laws and Standards

Payment Card Industry Data Security Standard (PCI DSS) – information security standard for organizations
– applies to all entities involved in payment card processing
ISO/IEC 27001:2013 – establishing, implementing and maintaining an information security management system
– many types of use
Health Insurance Portability and Accountability Act (HIPAA) – use of the same health care transactions, code sets and identifiers
– federal protections for personal health information
– confidentiality, integrity, and availability of electronic protected health information
– standard transactions
– administrative simplification rules
Sarbanes-Oxley Act (SOX) – protects investors and the public
– 1 Public Company Accounting Oversight Board
– 2 auditor independence
– 3 corporate responsibility
– 4 enhanced financial disclosures
– 5 analyst conflicts of interest
– 6 commission resources and authority
– 7 studies and reports
– 8 corporate and criminal fraud accountability
– 9 white collar crime penalty enhancement
– 10 corporate tax returns
– 11 corporate fraud accountability
The Digital Millennium Copyright Act (DMCA) – World Intellectual Property Organization
– defines the legal prohibitions
Federal Information Security Management Act (FISMA) – effectiveness of information security controls
General Data Protection Regulation (GDPR) – data privacy and security standard, especially on cloud
Data Protection Act 2018 (DPA) – protects individuals
– requires personal data to be processed lawfully
– confers rights to obtain and process data and to require inaccurate personal data to be rectified
– confers functions on the Commissioner, giving the holder of that office responsibility to monitor and enforce its provisions