Temple University

Nicholas T. Nguyen

Week 13 Summary

Evasion Techniques

Here’s what I’ve used in the past for evasion techniques: very slow and steady scanning, scanning for only one or two ports at a time, spoofing IP addresses, encryption to avoid IDSs, clearing traffic logs, fragmenting payloads and packets, and pivoting by using another machine to do the scanning for you. You could also try ARP poisoning and MAC spoofing.

In the news:
The Army wants to put cyber Soldiers in the mud with the Infantry. For what practical purpose? Not too sure.
http://breakingdefense.com/2015/11/army-puts-cyber-soldiers-in-the-mud/

Week 11 Summary

SQL injection is a vulnerability in a web application that builds its database queries by concatenating user input into the SQL string, so text typed into a form or a URL can change the query itself and expose the contents of the database. One way of doing this is going to a user input page and typing something like ’ OR 1=1# into a field: the quote closes the string the application was building, OR 1=1 makes the WHERE clause true for every row, and # (MySQL’s comment marker; most other databases use --) throws away the rest of the original query, so the database returns every record instead of one. If the user input appears in the URL, one can tamper with the URL directly and append SQL such as ORDER BY 1, ORDER BY 2, and so on to learn how many columns the query selects (the first value that produces an error is one more than the column count), which is needed before a UNION SELECT can pull data from other tables.

Two supporting tools are Tamper Data and the browser’s own cookie handling. A logged-in user’s session is identified by a session cookie; if one can obtain that cookie while the session is still valid and set it in one’s own browser (or, for applications that pass the session ID as a URL parameter, paste it into the URL), one gets the user’s login without knowing the password. Tamper Data is for when the page’s client-side code will not let you submit the input you want: the Mozilla Firefox or Iceweasel add-on intercepts the request after the browser has built it and lets you modify any parameter before it is sent, so client-side checks cannot stop you testing for SQL vulnerabilities or pulling database contents.

sqlmap automates most of this: given a target URL it tests whether the parameters are injectable, identifies the database type, runs the injection attack and returns the results (database names, tables, and the rows themselves).
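As an added example (not code from the original post), here is the pattern described above in runnable form against a constructed in-memory SQLite database: the concatenated query that the ’ OR 1=1 payload bypasses, the ORDER BY probe for the column count, a UNION SELECT that uses that count to dump credentials, and the parameterized query that closes the hole. The table, accounts and function names are hypothetical; SQLite’s comment marker is --, where the text’s # is MySQL’s.

```python
import sqlite3

# Constructed stand-in for the web application's database: an in-memory SQLite
# table with hypothetical accounts. SQLite's comment marker is "--"; the "#" in
# the text above is MySQL syntax.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "s3cret", "administrator"),
        (2, "alice", "hunter2", "user"),
        (3, "bob", "letmein", "user"),
    ])
    return conn

def login_vulnerable(conn, username, password):
    """The injectable pattern: user input concatenated straight into the SQL text."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data and cannot alter the query."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

def probe_column_count(conn):
    """ORDER BY probe against the vulnerable login: ORDER BY n is accepted while n is
    at most the number of selected columns and errors beyond it, so the first failing
    n minus one is the column count (needed to line up a later UNION SELECT)."""
    n = 1
    while True:
        try:
            login_vulnerable(conn, "x' ORDER BY %d--" % n, "")
        except sqlite3.OperationalError:
            return n - 1
        n += 1

def dump_via_union(conn):
    """UNION-based injection: once the column count (2) is known, append a SELECT that
    pulls username/password pairs into the same result set the page already displays."""
    return login_vulnerable(conn, "x' UNION SELECT username, password FROM users--", "")

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' OR 1=1--", "anything"))  # every row: authentication bypassed
    print(login_safe(db, "' OR 1=1--", "anything"))        # []: bound parameters defeat it
    print(probe_column_count(db))                           # 2
    print(dump_via_union(db))                               # all credentials
```

The fix is not escaping quotes by hand but never letting input reach the SQL text at all; the parameterized version is the same query with the same result for legitimate input.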

News article:

Canada wants to hack its own trucks to find vulnerabilities.
http://www.popularmechanics.com/military/research/a18071/the-canadian-military-wants-to-hack-their-own-trucksbefore-someone-else-does/

Week 10 Summary

Web application vulnerabilities are a significant threat to websites and the companies behind them: an attacker exploits a weakness in the application itself to reach sensitive information. XSS is commonly reported as the most frequent web application vulnerability, with SQL injection second. In an XSS attack, the attacker takes advantage of badly written code that places user input into the page without encoding it, by entering script into an input box (or URL parameter) that the site reflects back, or stores and later shows to other users; a harmless probe such as an alert() confirms the vulnerability, and a real payload then runs in victims’ browsers to steal session cookies or expose their data. In SQL injection, the attacker enters SQL fragments into an input that the application concatenates into a database query, first to test for the vulnerability and then to read the contents of the database. Other web application attacks include URL and parameter tampering and encoding payloads (as Unicode or URL-encoding, for example) to slip past IDS signatures. Prevention starts with reviewing and fixing the faulty code (validating input, encoding output, using parameterized queries), backed by web application firewalls and regular checks with web application scanners.
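As an added example (not from the original post), here is the XSS half of the paragraph above in code: a page that reflects user input unescaped, beside the same page with output encoding, in both the HTML-body context and the attribute context that a naive fix often misses. The page fragments, probe strings and function names are hypothetical; html.escape is Python’s standard-library encoder.

```python
import html

# Constructed example: a search page and a login form that reflect user input.
# Names are hypothetical; the point is the rendering, not a particular framework.

def render_search_vulnerable(query):
    """Reflects the query into the HTML body unescaped: a reflected XSS bug."""
    return "<p>Results for: " + query + "</p>"

def render_search_safe(query):
    """Output encoding: <, >, & (and quotes) become entities, so the input is only ever text."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"

def render_form_vulnerable(username):
    """Reflects input inside an attribute value: closing the quote lets the input add an event handler."""
    return '<input name="user" value="' + username + '">'

def render_form_safe(username):
    """Same attribute context, but quotes are encoded too (quote=True), so the value
    cannot terminate the attribute. Encoding only < and > would not be enough here."""
    return '<input name="user" value="' + html.escape(username, quote=True) + '">'

# Constructed probes of the kind used to test a field for XSS: one for the body
# context, one that breaks out of a double-quoted attribute.
BODY_PROBE = "<script>alert(document.cookie)</script>"
ATTR_PROBE = '" autofocus onfocus="alert(1)'

def executes_script(page):
    """Crude check for the demo: did a <script> tag or an on* handler survive into the page?"""
    return "<script>" in page or ' onfocus="' in page

if __name__ == "__main__":
    for render in (render_search_vulnerable, render_search_safe):
        print(render.__name__, executes_script(render(BODY_PROBE)), render(BODY_PROBE))
    for render in (render_form_vulnerable, render_form_safe):
        print(render.__name__, executes_script(render(ATTR_PROBE)), render(ATTR_PROBE))
```

The check is deliberately crude (a browser is the only real oracle), but it is enough to show why the encoding has to match the context the input lands in.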

News story for the week:

US Naval Academy teaches celestial navigation due to fears of hacking of navigation systems.
http://www.dailymail.co.uk/news/article-3273519/US-Naval-Academy-returns-celestial-navigation-amid-fears-computer-hacking.html

Week 9 Summary

What is Malware?

Malware is software that makes your computer do things you do not want but a malicious actor does. It can give the attacker a backdoor or reverse shell into your computer, or install a keylogger to capture passwords and other sensitive information. Ransomware is the case where the attacker holds the infected computer (typically its now-encrypted files) hostage and charges a fee to restore it. Malware infects phones and tablets as well as desktops, across all types of operating systems. It can be created by anyone from script kiddies using off-the-shelf kits to experts who write their own code from scratch. Malware reaches your computer through social engineering, client-side attacks (a malicious document or web page exploiting the viewer or browser), phishing, or steganography (malicious content hidden inside an innocuous-looking file).

Viruses

Malware is a blanket term that covers viruses, worms, trojans, bots, and rootkits. All of them are malicious tools that put your computer at the whims of a remote controller, possibly many miles away, with unauthorized access. When malware is detected on a system, the SANS incident response process gives the steps: preparation (have a plan, tools and contacts ready in advance), identification (determine that an incident has occurred and what it affects), containment (stop it spreading), eradication (remove the threat), recovery (return systems to normal operation and watch for reinfection), and lessons learned (use what happened to prevent future breaches and to build a better response plan).

News Story:
Facebook will alert you if a government entity is trying to hack your account
http://qz.com/528169/facebook-will-now-tell-you-if-a-state-government-is-hacking-your-account/

Week 8 Summary

Social Engineering

Social Engineering is bad, mm’kay? It takes advantage of the weakest link in security, which is the people. The systems can be secure, but people have the need and desire to help others, and a habit of deferring to authority. The social engineer poses as someone in need, as someone in authority, or, in a reverse social engineering attack, as tech support whom the victim approaches. This forces the average hacker to be social instead of a lurking troll in a basement who lacks people skills.

A reverse social engineering attack occurs when the malicious actor first advertises false credentials and skills as tech support. After the attacker causes a problem (a sabotaged system, for example), people call the number he advertised, believe they are talking to tech support, and hand over their passwords.

Non-technical social engineering involves dumpster diving, piggybacking, tailgating, shoulder surfing, or just talking to employees at the smoke pit. Technical social engineering involves phishing and creating fake websites for employees to foolishly enter their credentials into. The strongest countermeasures against social engineering are user education, policies, an incident response strategy, and strong physical security.

News Article: China arrests hackers that were wanted by the US.
http://techti.me/2015/10/10/china-arrests-hackers-of-us-government-on-behalf-of-the-us/

Week 7 Summary

There are many uses for netcat. One of its primary uses is file transfers, but it can also be used for checking whether a port on a remote host is reachable, port scanning, firewall testing, setting the source address of a connection, acting as a relay or proxy, and much more. With its -e option it can hand a connection to an executable such as a command shell. For telnet-like connections, netcat runs in either client mode (connecting out) or listen mode (acting as the server). Netcat is not encrypted, so everything sent over it can be read by a sniffer or protocol analyzer; cryptcat adds encryption, and ncat (from the Nmap project) supports SSL/TLS. Netcat can be used for malicious purposes if an attacker can install the executable on a compromised host, or finds it already installed, and uses it as a backdoor or for moving files out. That potential for misuse is the reason netcat should not be left installed on production hosts.

News Article: FBI states anti-marijuana policy hinders ability to hire Cyber Experts
http://arstechnica.com/tech-policy/2014/05/fbi-chief-says-anti-marijuana-policy-hinders-the-hiring-of-cyber-experts/

Week 6 Summary

Sniffing is capturing and inspecting the traffic passing over a network. There are two types of sniffing: active and passive.

Passive sniffing involves only observing traffic that already reaches you, such as the traffic on a hub, since a hub repeats every frame out of all of its ports.

Active sniffing involves interacting with a switch to make it send you traffic you would not otherwise see. Two ways of doing this are MAC flooding and ARP poisoning. MAC flooding fills the switch’s CAM (MAC address) table with bogus entries; once the table is full, many switches fail open and flood frames out of all ports like a hub, making it easy to listen in. ARP poisoning sends forged ARP replies so that the victims’ hosts associate the gateway’s (or another host’s) IP address with the attacker’s MAC address; their traffic then passes through the attacker’s machine, which reads it and forwards it on. Normally a switch forwards traffic only to the port of the intended recipient and not to the whole network. Switches can also enforce port security, which restricts which MAC addresses may appear on a port, so a random machine cannot plug in and listen; spoofing an allowed MAC address is a way around that restriction.

Passive sniffing is not easily detected, whereas active sniffing can be detected (by ARP inspection, or by the sudden flood of bogus MAC addresses). In order to see traffic not addressed to your own machine, you must put the NIC into promiscuous mode. Sniffing pays off because cleartext protocols such as FTP, Telnet, SMTP, HTTP, POP3 and IMAP can be captured and read directly, credentials included.
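To make the last point concrete, here is an added example (not from the original post) of what a sniffer does once the NIC hands it frames: it parses raw Ethernet/IPv4/TCP frames and pulls credentials out of the cleartext protocols named above (FTP and POP3 USER/PASS lines, HTTP Basic authentication). The frames are constructed inline with hypothetical addresses and zeroed checksums rather than captured, so it runs offline; reading from a real interface would need a raw socket or a library such as scapy, and an encrypted session (the port 443 frame) yields nothing.

```python
import base64
import struct

def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructs an Ethernet/IPv4/TCP frame for the demo. Checksums are left zero;
    the parser below does not verify them, as a passive sniffer rarely needs to."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Returns (src_ip, dst_ip, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                      # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4             # header length in bytes (options included)
    if ip[9] != 6:
        return None                      # not TCP
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4            # TCP data offset
    return src, dst, sport, dport, tcp[doff:]

CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3", 143: "IMAP"}

def extract_credentials(frames):
    """Scans frames bound for cleartext services and returns (protocol, src, dst, secret)."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        proto = CLEARTEXT_PORTS.get(dport)
        if proto is None:
            continue                     # e.g. TLS on 443: nothing readable here
        for line in payload.decode("ascii", "replace").splitlines():
            if line.startswith(("USER ", "PASS ")):
                found.append((proto, src, dst, line.strip()))
            elif line.lower().startswith("authorization: basic "):
                token = line.split(None, 2)[2]
                found.append((proto, src, dst, base64.b64decode(token).decode("ascii", "replace")))
    return found

# Constructed "capture": an FTP login, a TLS client hello, and an HTTP request with Basic auth.
CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.9", 40001, 21, b"USER alice\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40001, 21, b"PASS hunter2\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 40002, 443, b"\x16\x03\x01\x00\x05hello"),
    build_frame("10.0.0.5", "10.0.0.9", 40003, 80,
                b"GET / HTTP/1.1\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
]

if __name__ == "__main__":
    for hit in extract_credentials(CAPTURE):
        print(hit)
```

Tools such as Wireshark, dsniff and ettercap do exactly this across many more protocols; the parser shows why "unencrypted" means the credentials are a few byte offsets away from anyone on the path.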

Article:

Police tell residents to stop calling whenever Facebook goes down.
http://www.independent.co.uk/life-style/gadgets-and-tech/facebook-down-don-t-ring-us-when-site-stops-working-say-police-a6672081.html

Week 5 Summary

The War Is On:
Enumeration can help with discovering network resources, users and groups, banner grabbing, and operating system footprinting. There are different enumeration techniques depending on whether the target is a Windows box or a Linux box. Enumeration tools assist in gathering the target’s NetBIOS name, which ports are open, which operating system is running, which users have logged into the box, share and resource locations, and (on Windows) registry contents. Enumeration is useful because it gathers the additional information about the target that is essential for selecting the right exploit and post-exploitation techniques.

Footprinting:

Open source information is one of the easiest ways to start footprinting. Information available online includes phone numbers, locations, types of systems, email addresses, physical addresses, and any carelessly posted documents. Network enumeration involves mapping out the target network: attempting DNS zone transfers, matching the names of computers, servers, domain controllers and websites to their IP addresses, identifying the operating systems on the machines, seeing which machines are alive and respond to TCP, UDP, or ICMP probes, and learning what the firewall will accept or block. Also useful, where it is exposed with a default or guessable community string, is SNMP, which can reveal the whole network map and its activity.

Question for the class:

Are there any tools besides Enum4Linux that wrap up many enumeration tools into one tool?

Article:

The federal government claims it is not their responsibility to warn OPM when OPM had been hacked.
http://www.cnn.com/2015/09/17/politics/opm-hack-director-national-intelligence-response-wyden/index.html

Week Four Summary

Vulnerability scanning is important because it finds the weaknesses and avenues of approach an enemy could find. You find those weaknesses first in order to fix them, before an enemy finds and exploits them. Nessus is a great yet expensive vulnerability scanner. You must have the permission of the security team and senior management before scanning, since Nessus is viewed as a hacker recon tool. You can scan a single host or your whole network if desired. The results come as a report listing the detected vulnerabilities with their CVEs. That report must be kept from outside eyes, since a list of the company’s vulnerabilities would save an enemy the work of recon. No single scanner finds everything, so other vulnerability scanners must be combined with your assessment to truly uncover the weaknesses in your network or hosts.

News Article:

http://www.bbc.com/news/world-us-canada-34229439

Obama states that Chinese hacking of American assets is unacceptable, and that he will not be staying at any Chinese funded hotels. In terms of cyber warfare, Obama stated, “I guarantee you, we will win if we have to.” MURICAH!

Week 3 Summary

Open Source Recon Tools:

Conducting active recon without permission from the company is considered illegal. Only passive forms of recon, such as gathering open source information or social engineering, are considered legal to do without permission. Any piece of information, whether available to the public or not, can help an attacker piece together the puzzle until they have enough to decide how to exploit systems. Conducting Google hacking (advanced search operators that turn up exposed files and services) will be noticed by Google, which makes one enter a CAPTCHA code to prove one is not a bot, since the query patterns look automated and malicious. One must also be very careful when conducting a port scan, since intense scans can take up a lot of bandwidth on the network and may crash services and disrupt daily operations. Recon can include DNS zone transfers, Google searches for exposed services and files, searching archived versions of websites, Netcraft, and then looking up the discovered software versions on the CVE list.

Art of Recon:

The first step of recon would be to attempt a DNS zone transfer, or otherwise enumerate DNS, to discover the IP addresses of servers, computers, and websites. DNS enumeration turns server and computer names into IP addresses, and a server that allows zone transfers to anyone hands over its whole zone at once, which is a treasure trove; most properly configured DNS servers refuse zone transfers to arbitrary hosts, so brute-forcing common hostnames is the fallback. You can check whether hosts are up with a ping sweep, although that is unreliable because firewalls often block ICMP. A noisier but more reliable way to find live hosts is a full TCP connect scan. Fingerprinting reveals which operating system the target runs, which matters for selecting further enumeration, vulnerability scanning, or exploits. Port scanning shows which services are running, which doors are open, and whether the versions of those services have known vulnerabilities or missing patches. Options in hping3 or nmap can make the scan quieter (slower timing, fewer ports) or mask your IP address among decoys during a port scan.
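As an added example (not from the original post), here is the connect scan just described, written against a constructed target: a socket listening on an ephemeral loopback port stands in for the remote host, so it runs offline and without privileges. Function names and the port range are hypothetical; a real scan would point connect_scan at a remote address and a list such as the well-known ports.

```python
import socket

def start_target():
    """Constructed target: a listening TCP socket on an ephemeral loopback port.
    The kernel completes the three-way handshake for a listening socket, so a
    connect scan sees the port as open without anyone calling accept()."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv

def connect_scan(host, ports, timeout=0.5):
    """Full TCP connect() scan: completes the handshake on each port and reports the
    ones that accepted. It is loud (the target's service logs every connection), but
    unlike a ping sweep it still works when the firewall silently drops ICMP.
    connect_ex returns 0 on success; a closed port answers with RST (ECONNREFUSED),
    and a filtered port usually just times out."""
    open_ports = []
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
        finally:
            s.close()
    return open_ports

def demo():
    """Scans a small window of ports around the constructed target's port."""
    srv = start_target()
    try:
        target_port = srv.getsockname()[1]
        window = range(target_port - 3, target_port + 4)
        return target_port, connect_scan("127.0.0.1", window)
    finally:
        srv.close()

if __name__ == "__main__":
    port, found = demo()
    print("target listening on", port, "-> scan reports open:", found)
```

This is what nmap -sT does; the SYN scan (nmap -sS, root required) sends only the first packet of the handshake and tears down on the SYN/ACK, which is why it is quieter in the target’s application logs.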

News Article:

http://www.wired.com/2015/08/uber-hires-hackers-wirelessly-hijacked-jeep/

Uber hires two hackers who were able to hack into cars. They will be helping to prevent future cars from getting attacked and penetrated.

Question for the class:

What are some NSE scripts that can be used with Nmap to help act as useful vulnerability scanners?