ITT Certified Ethical Hacker Certification Study Group - PowerPoint PPT Presentation

ITT Certified Ethical Hacker Certification Study Group Wk 4 -DoS, Session Hijacking, and Hacking Webservers (Chapters 7 & 8 of CEH Study Guide) CEH Study Group ... – PowerPoint PPT presentation

Slides: 37
Provided by: realmccoys
Transcript and Presenter's Notes



1
ITT Certified Ethical Hacker Certification Study Group
  • Wk 4 - DoS, Session Hijacking, and Hacking
    Webservers
  • (Chapters 7 & 8 of CEH Study Guide)

2
CEH Study Group Week 4 Overview
  • Review Week 3 Learning Objectives
  • Chapter 5 - Trojans, Backdoors, Viruses, and
    Worms
  • Chapter 6 - Sniffers
  • Week 4 Learning Objectives
  • Chapter 7 - DoS & Session Hijacking
  • Chapter 8 - Hacking Webservers
  • Week 4 Homework
  • Read Chapters 9 & 10 of CEH Review Guide

3
Certified Ethical Hacker Exam (312-50) Objectives
(Wk 1)
  • Ethics and Legality
  • Footprinting
  • Scanning
  • Enumeration
  • System Hacking
  • Trojans and Backdoors
  • Sniffers
  • Denial of Service
  • Social Engineering
  • Session Hijacking
  • Hijacking Web Servers
  • Web Application Vulnerabilities
  • Web-Based Password Cracking
  • SQL Injection
  • Wireless Hacking
  • Viruses and Worms
  • Physical Security
  • Linux Hacking
  • Evading IDSs, Honeypots, and Firewalls
  • Buffer Overflows
  • Cryptography
  • Penetration Testing Methods

4
Study Group Meeting Frequency and Location
  • Study Group Location: ITT-Omaha, Main Conference
    Room
  • Frequency: Once a Week
  • Day: Wednesday Night
  • Time: 6:00pm
  • Duration: 3 hours (1.5 Lecture/1.5 Lab)

5
Certification Text and Schedule
  • Certification Text(s)
  • Official Certified Ethical Hacker Review Guide
    (Available on the ITT Virtual Library)
  • CEH Prep Guide
  • Certified Ethical Hacker Exam Prep
  • Certification Schedule
  • We will cover two to three chapters of the Study
    Guide per week and plan to sit for the exam in
    5-9 weeks

6
CEH Scanning Methodology
  • Check for Live Systems
  • Check for Open Ports
  • Service identification
  • Banner Grabbing/OS Fingerprinting
  • Vulnerability Scanning
  • Draw Network Diagrams of Vulnerable Hosts
  • Prepare Proxies (Why?)
  • Attack

7
Port Scanning with NMAP
  • Types of Scans
  • TCP Connect: Attacker makes a full TCP connection
    to the target (SYN, SYN-ACK, ACK)
  • XMAS Tree: Sets the TCP URG, PSH, and FIN flags
  • SYN Stealth Scan: Sends a TCP SYN packet and waits
    only for the SYN-ACK (full connection NOT made)
  • NULL Scan: All flags off or not set; works only
    on UNIX systems
  • ACK Scan: Used to map firewall rules; only works
    on UNIX systems
  • Windows Scan: Similar to ACK Scan and can detect
    open ports.

8
Port Scanning with NMAP
  • NMAP Scan Switches
  • -sT TCP Connect Scan
  • -sS SYN Scan
  • -sF FIN Scan
  • -sX Xmas Scan
  • -sN NULL Scan
  • -sP Ping Scan
  • -sU UDP Scan

9
Port Scanning with NMAP
  • NMAP Scan Switches (cont)
  • -sO Protocol Scan
  • -sA ACK Scan
  • -sW Windows Scan
  • -sR RPC Scan
  • -sL List/DNS Scan
  • -sI Idle Scan

10
Port Scanning with NMAP
  • NMAP Output Switches
  • -oN Normal
  • -oX XML output
  • -oG Greppable Output
  • -oA All output
  • NMAP Scan Parameter Switches
  • -T Paranoid: Serial scan, 300 sec between scans
  • -T Sneaky: Serial scan, 15 seconds between scans
  • -T Polite: Serial scan, 0.4 seconds between
    scans
  • -T Normal: Parallel scan
  • -T Aggressive: Parallel scan, 300 sec timeout,
    1.25 sec/probe
  • -T Insane: Parallel scan, 75 sec timeout, 0.3
    sec/probe

11
Steps in Enumeration
  • Extract usernames using enumeration
  • Gather information about the host using null
    sessions
  • Perform Windows enumeration using Superscan Tool
  • Acquire the user accounts using the tool GetAcct
  • Perform SNMP Port Scanning

12
LanManager Hash
  • Hash is 14 bytes
  • Hash is based on two 7-byte segments, and a
    segment less than 7 bytes is padded to 7 with
    spaces
  • Each segment is hashed separately and then
    combined into a single hash value
  • Passwords that are 7 characters or fewer always
    hash to AAD3B435B51404EE and take less than 60
    seconds to crack
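
An added example (not from the deck) showing why the constant AAD3B435B51404EE gives away a short password: it implements the LM hash with Go's standard crypto/des and adds the check a defender can run over a hash dump to find accounts whose password was 7 characters or fewer. Note that the real algorithm pads with null bytes rather than spaces, and that the final hash is 16 bytes (the 14 bytes on the slide is the padded password length).

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext each 7-byte half encrypts.
const lmMagic = "KGS!@#$%"
// desKeyFrom7 spreads 56 key bits over 8 bytes, leaving the low
// (parity) bit of every byte clear, as LM requires.
func desKeyFrom7(k []byte) []byte {
	return []byte{
		(k[0] >> 1) << 1,
		((k[0]&0x01)<<6 | k[1]>>2) << 1,
		((k[1]&0x03)<<5 | k[2]>>3) << 1,
		((k[2]&0x07)<<4 | k[3]>>4) << 1,
		((k[3]&0x0f)<<3 | k[4]>>5) << 1,
		((k[4]&0x1f)<<2 | k[5]>>6) << 1,
		((k[5]&0x3f)<<1 | k[6]>>7) << 1,
		(k[6] & 0x7f) << 1,
	}
}
// LMHash: uppercase, pad to 14 bytes (null bytes in the real
// algorithm), split into two 7-byte halves, DES-encrypt lmMagic
// under each half, and concatenate the two 8-byte results.
func LMHash(password string) string {
	p := []byte(strings.ToUpper(password))
	if len(p) > 14 {
		p = p[:14]
	}
	p = append(p, make([]byte, 14-len(p))...)
	out := make([]byte, 16)
	for i := 0; i < 2; i++ {
		block, err := des.NewCipher(desKeyFrom7(p[i*7 : i*7+7]))
		if err != nil {
			panic(err) // only possible for a wrong key length
		}
		block.Encrypt(out[i*8:i*8+8], []byte(lmMagic))
	}
	return strings.ToUpper(hex.EncodeToString(out))
}
// ShortPasswordSuspected flags a dumped LM hash whose second half is
// the constant, i.e. the password was 7 characters or fewer.
func ShortPasswordSuspected(lmHash string) bool {
	return strings.HasSuffix(strings.ToUpper(lmHash), "AAD3B435B51404EE")
}

func main() {
	for _, pw := range []string{"", "secret", "longpassword"} {
		h := LMHash(pw)
		fmt.Printf("%-14q %s short=%v\n", pw, h, ShortPasswordSuspected(h))
	}
}
```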

13
Password Cracking Countermeasures
  • Never keep a default password
  • Never use a password that can be found in a
    dictionary
  • Never use a password that can be related to a
    host name, domain name, or anything else that can
    be found in whois
  • Never use a password related to your hobbies,
    pets, relatives, or date of birth
  • Use a word that has more than 21 characters from
    a dictionary (pass phrase) as a password
  • Change passwords at least every 30 days
  • Use Complex passwords

14
Rootkits Countermeasures
  • Types of Rootkits
  • Kernel-Level: Add or replace a portion of the
    Kernel (core part of the OS). Accomplished via a
    driver install or loadable kernel module
  • Library-Level: Commonly patch, hook, or replace
    system calls with infected versions of the same
    code.
  • Application-Level: Replace application binaries
    (executables) with infected versions
  • Planting Rootkits
  • Attacker gains access to the system
  • Copies _root_.sys and deploy.exe to the target
    system
  • Attacker executes deploy.exe to install rootkit
  • Attacker deletes deploy.exe
  • Countermeasures
  • Password Security
  • Use MD5 Checksum Utility to add Checksum to
    executable code
  • Checksum ensures code has not been modified
  • Tripwire provides integrity checking to
    Unix/Linux systems

15
Steganography Technologies
  • Definition: Hiding data within images or text
    files
  • Tools to Hide Data: ImageHide, Blindside,
    MP3Stego, Snow, etc
  • Countermeasures: Stegdetect, DskProbe

16
Review of Week 3 Learning Objectives
  • Chapter 5
  • Trojans and Backdoors
  • What is a Trojan?
  • What are Overt and Covert Channels?
  • List Different Types of Trojans
  • Reverse-Connecting Trojans
  • The NetCat Trojan
  • Indications of a Trojan Attack
  • What is Wrapping?
  • Trojan Countermeasures
  • Trojan Evading Techniques

17
Review of Week 3 Learning Objectives
  • Chapter 5 (cont)
  • Viruses and Worms
  • Differences between a Virus and a Worm
  • Types of Viruses
  • How Viruses Spread and Infect
  • Antivirus Evasion Techniques
  • Virus Detection Techniques

18
Review of Week 3 Learning Objectives
  • Chapter 6
  • Sniffers
  • Protocols Susceptible to Sniffing
  • Active and Passive Sniffing
  • ARP Poisoning
  • Ethereal Captures and Display Filters
  • MAC Flooding
  • DNS Spoofing Techniques
  • Sniffing Countermeasures

19
Week 3 Lab
  • NetCat Practice
  • EtherReal Filters

20
Week 4 Learning Objectives
  • Chapter 7 DoS and Session Hijacking
  • Denial of Service
  • Understand the types of DoS
  • Understand how a DDoS Attack works
  • Understand how BOTs/BOTNETS work
  • What is a Smurf attack?
  • What is SYN Flooding?
  • Describe DoS/DDoS Countermeasures
  • Session Hijacking
  • Understand Spoofing vs Hijacking
  • List the Types of Session Hijacking
  • Understand Sequence Prediction
  • What are the steps in performing Session
    Hijacking?
  • Describe how to prevent Session Hijacking

21
Week 4 Learning Objectives
  • Chapter 8 Hacking Webservers
  • Hacking Web Servers
  • List Types of Web Server Vulnerabilities
  • Understand attacks against Web Servers
  • Understand IIS Unicode Exploit
  • Understand Patch Management Techniques
  • Understand Web Application Scanner
  • What is Metasploit Framework?
  • Describe Web Server Hardening Methods
  • Web Application Vulnerabilities
  • Understand how web applications work
  • Objectives of Web Application Hacking
  • Anatomy of an Attack
  • Web Application Threats
  • Understand Google Hacks
  • Understand Web Application Countermeasures
  • Web-Based Password Cracking Techniques
  • List the Authentication Types
  • What is a password cracker?

22
Week 4 Learning Objectives
  • Chapter 7 DoS and Session Hijacking
  • Denial of Service
  • Understand the types of DoS
  • Flood Network with Traffic
  • Disrupt Connections between Machines
  • Prevent User from accessing a Network Service
  • Disrupt Service to a particular system or person
  • Understand how a DDoS Attack works
  • Definition: Denial of Service directed at the
    target from multiple directions
  • Three Components
  • Master/Handler
  • Slave/Secondary victim/zombie/BOT/BOTNET
  • Victim/Primary Victim
  • Understand how BOTs/BOTNETS work
  • Definition of BOT: Short for Web robot; an
    automated software program that behaves
    intelligently (Spam, Automated Responses, Posts
    to NewsGroups, etc)
  • Definition of BOTNET: Group of compromised
    systems running a BOT for the purpose of
    conducting a coordinated DDoS.

23
Week 4 Learning Objectives
  • Chapter 7 DoS and Session Hijacking
  • Denial of Service
  • What is a Smurf attack?
  • Numerous ICMP pings sent to a broadcast IP
    Address from a spoofed source address, which will
    then receive the multiple replies
  • What is SYN Flooding?
  • Multiple TCP SYN packets sent to a victim, from
    a spoofed IP address, causing the victim to open
    multiple TCP connections with the bogus
    originator, causing the connection never to
    complete.
  • The victim's connection table fills and
    legitimate connections cannot be made, causing a
    DoS.
  • Describe DoS/DDoS Countermeasures
  • Network-Ingress Filtering from the ISP
  • Rate-Limit Network traffic Limit bandwidth
  • IDS detects attack and shuts it down
  • Host-Auditing Tool to detect attack on host
  • Network-Auditing Tools to detect attack on the
    network.
  • DoS Scanning Tools
  • Find_ddos
  • SARA
  • RID
  • ZombieZapper
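
The slide's SYN flood description in detection form, as an added example that is not part of the deck: it counts half-open (SYN_RECV) connections per local port from constructed netstat-style lines, which is the signal a host-auditing tool watches for when spoofed originators never complete the handshake. The sample lines, addresses and threshold are all constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleNetstat is constructed text in the shape of `netstat -ant`
// output (proto recvq sendq local foreign state); not a real capture.
const sampleNetstat = `tcp 0 0 10.0.0.5:80 198.51.100.7:4021 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.9:1034 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.10:1035 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.11:1036 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.12:1037 SYN_RECV
tcp 0 0 10.0.0.5:80 192.0.2.44:52110 ESTABLISHED
tcp 0 0 10.0.0.5:22 192.0.2.45:52111 ESTABLISHED
tcp 0 0 10.0.0.5:22 203.0.113.13:1038 SYN_RECV`

// CountHalfOpen tallies SYN_RECV entries per local port; an
// ESTABLISHED entry completed its handshake and is not counted.
func CountHalfOpen(netstat string) map[string]int {
	byPort := map[string]int{}
	for _, line := range strings.Split(netstat, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 || f[5] != "SYN_RECV" {
			continue
		}
		local := f[3]
		byPort[local[strings.LastIndex(local, ":")+1:]]++
	}
	return byPort
}

// SuspectedFlood lists the ports whose half-open count reaches the
// threshold: a pile of embryonic connections that never complete is
// the pattern the slide describes for a flood from spoofed addresses.
func SuspectedFlood(byPort map[string]int, threshold int) []string {
	var ports []string
	for port, n := range byPort {
		if n >= threshold {
			ports = append(ports, port)
		}
	}
	sort.Strings(ports)
	return ports
}

func main() {
	byPort := CountHalfOpen(sampleNetstat)
	fmt.Println("half-open per port:", byPort, "flood suspected on:", SuspectedFlood(byPort, 5))
}
```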

24
Week 4 Learning Objectives
  • Chapter 7 DoS and Session Hijacking
  • Session Hijacking
  • Understand Spoofing vs Hijacking
  • IP Address Spoofing is simply borrowing the
    address of a legitimate system, which can then be
    used to direct an attack at the IP address that
    was borrowed
  • Session Hijacking is when the TCP session of a
    legitimate user is actually taken over by the
    attacker: the victim begins conversing with the
    attacker, while the initial partner believes the
    conversation has ended, or ended abruptly for an
    unknown reason
  • Session Hijacking has three phases
  • Track the Session: Identify an open session and
    predict the next Sequence Number
  • Desynchronize the session: Reset the session (send
    RST) with partner B
  • Inject attacker's packet: Send a TCP packet with
    the predicted sequence number to partner A and
    resume the normal TCP conversation
  • List the Types of Session Hijacking
  • Passive Hijacking: Attacker hijacks the session but
    only records the traffic and passes it from A
    to B and B to A (man-in-the-middle).
  • Active Hijacking: Attacker takes over the session
    by using tools to predict the next sequence number.

25
Week 4 Learning Objectives
  • Chapter 7 DoS and Session Hijacking
  • Session Hijacking
  • Understand Sequence Prediction
  • An attacker must first be able to sniff network
    traffic and capture enough TCP packets to enable
    the attacker to predict the next sequence number
    (which will be its first sequence number used
    after the session is hijacked)
  • Initial Sequence numbers (to start a session) are
    pseudorandom and successive ones increment the
    previous sequence number by 1, when establishing
    the session
  • When data is being transmitted, the sequence
    number increments by the size of the data (in
    bytes) that was transmitted
  • What are the steps in performing Session
    Hijacking?
  • Track the Session (Sniff Data)
  • Desynchronize the connection: Send RST or FIN to
    one end of the conversation
  • Inject Attacker's Packet: Resume the conversation
    as the party disconnected in step 2
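
An added example (not from the deck) that applies the slide's sequence-number rules the way an IDS does: SYN and FIN each consume one number, data consumes its byte count, and any segment out of step with the prediction is flagged. A perfectly predicted injection would pass this check, which is why the deck's prevention list leads with encryption. The segments are constructed, not captured.

```go
package main

import "fmt"
// Segment is one TCP segment seen in one direction (constructed data).
type Segment struct {
	SYN, FIN, RST bool
	Seq           uint32
	Payload       int // bytes of data carried
}
// consumed is how many sequence numbers a segment uses up: SYN and
// FIN each count as one, data counts by its length (the slide's rule).
func consumed(s Segment) uint32 {
	n := uint32(s.Payload)
	if s.SYN {
		n++
	}
	if s.FIN {
		n++
	}
	return n
}
// Anomaly records a segment that did not match the predicted number.
type Anomaly struct {
	Index         int
	Expected, Got uint32
	Reset         bool // the out-of-step segment carried RST
}
// TrackDirection keeps the bookkeeping an IDS keeps: learn the ISN from
// the first segment, predict what must follow, flag anything out of step.
func TrackDirection(segs []Segment) (next uint32, anomalies []Anomaly) {
	for i, s := range segs {
		if i == 0 {
			next = s.Seq // pseudorandom ISN, taken from the SYN
		}
		if s.Seq != next {
			anomalies = append(anomalies, Anomaly{Index: i, Expected: next, Got: s.Seq, Reset: s.RST})
			continue // a stray segment must not move the window
		}
		next += consumed(s) // uint32 wraps modulo 2^32, as TCP does
	}
	return next, anomalies
}

func main() {
	stream := []Segment{
		{SYN: true, Seq: 1000},              // next 1001
		{Seq: 1001, Payload: 100},           // next 1101
		{Seq: 1101, Payload: 50},            // next 1151
		{RST: true, Seq: 1130},              // stale number: flagged
		{Seq: 1151, Payload: 10, FIN: true}, // next 1162
	}
	next, bad := TrackDirection(stream)
	fmt.Println("next expected seq:", next, "anomalies:", bad)
}
```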

26
Week 4 Learning Objectives
  • Chapter 7 DoS and Session Hijacking
  • Session Hijacking
  • Describe how to prevent Session Hijacking
  • Use Encryption
  • Use Secure Protocol
  • Limit Incoming Connections
  • Minimize Remote Access
  • Strong Authentication
  • Educate Employees
  • Maintain different user names and passwords for
    different accounts

27
Week 4 Learning Objectives
  • Chapter 8 Hacking Webservers
  • Hacking Web Servers
  • List Types of Web Server Vulnerabilities
  • Misconfiguration of Web Server Software
  • Operating System, Application Bug, or Flaw in
    code
  • Vulnerable Default Configuration of Operating
    System and/or Web Server Software, Lack of Patch
    Management, etc
  • Lack of or not following Security Procedures
  • Understand attacks against Web Servers
  • Capture Administrator Credentials through
    man-in-the-middle attack
  • Revealing Admin password through Brute Force
    Attack
  • Using DNS Attack to redirect users to different
    server
  • Compromising an Email or FTP Server
  • Exploiting Web Application Bugs
  • Misconfiguring Web Shares
  • Taking advantage of weak permissions
  • Re-routing a client after a firewall or router
    attack
  • Using SQL Injection Attacks (if web server is
    also a SQL server)
  • Using Telnet or Secure Shell (SSH) Intrusion
  • Carrying out URL poisoning

28
Week 4 Learning Objectives
  • Chapter 8 Hacking Webservers
  • Hacking Web Servers
  • Understand IIS Unicode Exploit
  • Windows 2000 servers running IIS were susceptible
    to a directory traversal attack, a.k.a. the Unicode
    exploit. The attack is valid only on Windows
    2000 servers that have not been patched and
    affects CGI scripts and ISAPI extensions such as
    .ASP
  • The IIS parser did not properly interpret the
    Unicode, allowing hackers system-level access
  • Understand Patch Management Techniques
  • Patch management is the process through which
    patches and hotfixes are applied to a system.
  • Patches and hotfixes are made available by the
    manufacturer to correct known system
    vulnerabilities and should be applied at the
    earliest opportunity
  • Understand Web Application Scanner
  • Web application scanners allow you to assess a
    web application for a large number of
    vulnerabilities including SQL injection (if it is
    also a SQL Server), cross-site scripting, buffer
    overflow, and parameter tampering attacks
  • What is Metasploit Framework?
  • The Metasploit framework is a freeware tool used
    to hack (test) web servers and operating system
    software

29
Week 4 Learning Objectives
  • Chapter 8 Hacking Webservers
  • Hacking Web Servers
  • Describe Web Server Hardening Methods
  • Rename admin account and use strong passwords
  • Disable default website and ftp site
  • Remove unused applications, such as WEBDAV
  • Disable directory browsing
  • Add legal notice to make hackers aware of
    penalties relevant to hacking site
  • Apply most current patches and hotfixes
  • Perform input validation and bounds checking on
    all web applications
  • Disable remote administration
  • Enable Auditing and logging
  • Use firewall between web server and the Internet
    and only open necessary ports
  • Replace GET with the POST method when sending data
    to the web server

30
Week 4 Learning Objectives
  • Chapter 8 Hacking Webservers
  • Web Application Vulnerabilities
  • Understand how web applications work
  • Web applications use a client/server architecture
    with the Web browser acting as the client and the
    web server acting as the Application Server
  • JavaScript is the language of choice for most
    web applications
  • Objectives of Web Application Hacking
  • Gain access to confidential data
  • Anatomy of an Attack
  • Scanning
  • Information Gathering
  • Testing
  • Planning the Attack
  • Launching the Attack

31
Week 4 Learning Objectives
  • Chapter 8 Hacking Webservers
  • Web Application Vulnerabilities
  • Web Application Threats
  • Cross-Site Scripting: Script entered into a text
    box on a web form, causing arbitrary execution
  • SQL Injection: Inserting SQL commands into the
    URL causes the database server to dump
  • Command Injection: Commands inserted into a web
    form
  • Cookie Poisoning and Snooping: Hacker corrupts
    or steals cookies
  • Buffer Overflow
  • Authentication hacking: Hacker steals a session
    once it has been established
  • Directory Traversal/Unicode: Hacker is able to
    browse folders on the web server

32
Week 4 Learning Objectives
  • Chapter 8 Hacking Webservers
  • Web Application Vulnerabilities
  • Understand Google Hacks
  • http://johnny.ihackstuff.com contains a list of
    Google Hacking Terms
  • Many times Google can pull information directly
    from Databases or documents
  • Understand Web Application Countermeasures
  • Cross-Site Scripting: Validate cookies, query
    strings, form fields, hidden fields
  • SQL Injection: Validate user variables
  • Command Injection: Use language-specific
    libraries for the programming language
  • Cookie Poisoning and Snooping: Don't store
    passwords in a cookie. Implement cookie
    timeouts. Authenticate cookies.
  • Buffer Overflow: Validate input and perform
    bounds checking
  • Authentication hacking: Use SSL to encrypt
    traffic
  • Directory Traversal/Unicode: Define access
    rights to private folders. Apply patches and
    hotfixes
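
A defender-side check for the Directory Traversal/Unicode items on this slide and the IIS Unicode slide above, written as an added example (not from the deck, and not IIS code): it canonicalizes a request path and refuses double percent-encoding, overlong or invalid UTF-8, backslash separators, NUL bytes and any ".." element before mapping the path under the web root. The request paths and the /var/www root are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
	"unicode/utf8"
)

var ErrTraversal = errors.New("request path is not canonical or leaves the web root")

// SafeFilePath maps a raw request path onto a file under webroot and
// refuses the encodings a traversal attempt relies on: double
// percent-encoding, malformed or overlong UTF-8 (the IIS parsing flaw
// the deck describes), backslash separators, NUL bytes and any ".."
// element, whether or not it would actually climb above the root.
func SafeFilePath(webroot, rawPath string) (string, error) {
	decoded, err := url.PathUnescape(rawPath)
	if err != nil || strings.Contains(decoded, "%") {
		return "", ErrTraversal // malformed or double-encoded
	}
	if !utf8.ValidString(decoded) || strings.ContainsRune(decoded, 0) {
		return "", ErrTraversal // overlong/invalid UTF-8 or NUL byte
	}
	decoded = strings.ReplaceAll(decoded, `\`, "/") // Windows separator
	for _, elem := range strings.Split(decoded, "/") {
		if elem == ".." {
			return "", ErrTraversal
		}
	}
	// path.Clean collapses "." and duplicate slashes; the leading "/"
	// anchors the result at the root before it is joined to webroot.
	return path.Join(webroot, path.Clean("/"+decoded)), nil
}

func main() {
	for _, p := range []string{
		"/images/logo.png",
		"/static/..%2f..%2fconfig.ini",    // encoded dot-dot
		"/static/%252e%252e/config.ini",   // double-encoded
		"/static/%c0%ae%c0%ae/config.ini", // overlong UTF-8 for ".."
		`/static\..\config.ini`,           // backslash separators
	} {
		fp, err := SafeFilePath("/var/www", p)
		fmt.Printf("%-36s -> %q %v\n", p, fp, err)
	}
}
```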

33
Week 4 Learning Objectives
  • Chapter 8 Hacking Webservers
  • Web-Based Password Cracking Techniques
  • List the Authentication Types
  • HTTP Authentication
  • Basic
  • Digest
  • NTLM
  • Certificate-Based
  • Token-Based
  • Biometric
  • What is a password cracker?
  • Program designed to decrypt passwords or disable
    password protection
  • How does a password Cracker Work?
  • Generate list of possible passwords (dictionary
    or hybrid)
  • Hash or encrypt password list
  • Compare hashed list of passwords to password
    being cracked
  • Continue until success or password list exhausted
  • Understand Password Attacks Classifications
  • Dictionary

34
Week 4 Learning Objectives
  • Chapter 8 Hacking Webservers
  • Web-Based Password Cracking Techniques
  • Understand Password Cracking Countermeasures
  • Implement Strong Passwords: at least 8 characters
    long, include upper and lower case letters, and a
    special character
  • Usernames and passwords should be different
  • Implement Strong Authentication via Kerberos,
    Tokens, etc

35
Week 4 Lab (Subject to Change)
  • Backtrack 4 Beta
  • RID
  • Metasploit Framework

36
Week 4 Homework
  • Read CEH Study Guide Chapters 9 & 10