Introduction to Ethical Hacking

Temple University

MIS-5211 Week 5 Reading Summary, Question, and recent Cyber Security News…

MIS-5211 Week 5 Readings, Question, and recent Cyber Security News…

  1. Summarize one key point from each assigned reading…

1A. “System enumeration” (footprinting) is the process, by hackers and/or security administrators, of gathering cyber info (a profile of computer systems, users, network, etc.) for vulnerability access. The best defense for online businesses is an evolving holistic approach (an integrated & layered security protection setup [policy, procedures, awareness, technology, etc.] that changes over time).

1B. “User enumeration” – regarding enumeration of networked servers (identifying user accounts & net resources [shared directories]), one must use different/similar internal & external command utilities & installed apps on Windows & UNIX servers when gathering this information.

Windows system examples: “net user” internal command utility (enumerate users)

UNIX system examples: “finger” internal command utility (enumerate users & hosts)

  2. Question to classmates (facilitates discussion) from assigned reading…

Regarding online systems enumeration (identify user accounts & net resources [shared directories]) on networked Windows servers, what is the one way to hide shared networked directories?

*Answer: append the “$” character to the end of the shared network directory name (example: ftp$).

  3. Identify, read, and post to our blog a current event article regarding ethical hacking & penetration testing (follow theme topic of the week, or other interesting related article)…

In the Cyber Security News lately…

Security Bug allows Hackers to take Control of Curiosity Rover’s OS…

http://www.ehackingnews.com/2015/09/security-bug-allows-hackers-to-take.html

… “Serious security flaws has been discovered in VxWorks, a real-time operating system made by Wind River of Alameda, California, US, in 1987. The OS is used from network routers to critical instruments like NASA’s Curiosity Rover on Mars and Boeing 787 Dreamliners.”
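The “net user” and hidden-share points in this post, as an added example that is not part of the original post: a Python parser for the output of “net user” and “net share” (the two sample outputs are constructed to match the commands' layout, not captured from a real host) that flattens the account list and flags shares hidden with a trailing “$”, separating Windows' own administrative shares (C$, ADMIN$, IPC$) from user-created ones such as ftp$. The “$” suffix only keeps a share out of browse lists; anyone who knows the name, or who enumerates shares with credentials, still reaches it, which is why the code reports the browse list and the full share list separately.

```python
"""Parse Windows `net user` and `net share` output and flag shares hidden
with a trailing '$'.

Added example; not from the original post. The sample outputs below are
constructed to mirror the layout the commands print; they are not real hosts.
"""
import re

# Constructed sample of `net user` output (not real data).
NET_USER_OUTPUT = """\
User accounts for \\\\FILESRV01

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
WDAGUtilityAccount       alice                    bob
The command completed successfully.
"""

# Constructed sample of `net share` output; ftp$ is a user-created hidden share.
NET_SHARE_OUTPUT = """\

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\Windows                      Remote Admin
ftp$         C:\\ftp
Public       C:\\Users\\Public
The command completed successfully.
"""

# Administrative shares Windows creates itself: <drive>$, ADMIN$, IPC$, PRINT$, FAX$.
ADMIN_SHARE_RE = re.compile(r"^(?:[A-Z]\$|ADMIN\$|IPC\$|PRINT\$|FAX\$)$", re.IGNORECASE)


def _table_body(output):
    """Return the lines between the dashed rule and the trailing status line."""
    lines = output.splitlines()
    start = next(i for i, line in enumerate(lines) if line.startswith("----")) + 1
    body = []
    for line in lines[start:]:
        if line.startswith("The command completed"):
            break
        if line.strip():
            body.append(line)
    return body


def parse_net_user(output):
    """`net user` prints account names in up to three columns; flatten them."""
    users = []
    for line in _table_body(output):
        users.extend(re.split(r"\s{2,}", line.strip()))
    return users


def is_hidden_share(name):
    """A trailing '$' hides a share from browse lists; it is not access control."""
    return name.endswith("$")


def parse_net_share(output):
    """Return one dict per share with name, path, remark and hiding flags."""
    shares = []
    for line in _table_body(output):
        cols = re.split(r"\s{2,}", line.strip())
        name = cols[0]
        # IPC$ has no resource path, so its remark lands in the second column.
        path = cols[1] if len(cols) > 1 and ("\\" in cols[1] or ":" in cols[1]) else ""
        remark = cols[-1] if len(cols) > 1 and cols[-1] != path else ""
        shares.append({
            "name": name,
            "path": path,
            "remark": remark,
            "hidden": is_hidden_share(name),
            "administrative": bool(ADMIN_SHARE_RE.match(name)),
        })
    return shares


def browse_list(shares):
    """What a casual network browse shows: hidden shares are omitted."""
    return [s["name"] for s in shares if not s["hidden"]]


def custom_hidden_shares(shares):
    """Hidden shares that are NOT Windows' default admin shares. These deserve a
    close look: an enumerator with credentials still sees them via NetShareEnum."""
    return [s["name"] for s in shares if s["hidden"] and not s["administrative"]]


if __name__ == "__main__":
    print("users:", parse_net_user(NET_USER_OUTPUT))
    found = parse_net_share(NET_SHARE_OUTPUT)
    print("browse list:", browse_list(found))
    print("custom hidden shares:", custom_hidden_shares(found))
```

Run as a script, the browse list shrinks to Public while the full enumeration still reports ftp$; feed it real command output only from hosts you administer.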

Week 5 Readings and In the News

Foot Printing and Enumeration

As the first step in the hacking process, footprinting/reconnaissance is intended for gathering information about the target organization using publicly accessible sources without being intrusive. It may include information such as: DNS information, DNS zones, IP ranges, host names, services/ports/protocols used, potential applications, email address aliases that reveal usernames, publicly accessible internal network resources, identifying potential resources and systems in the network, and reading the HTML code of the target web site's pages. Simply reading news and online articles about the security posture of the targeted organization may reveal many potential vulnerabilities. Collect as much information as possible to find weaknesses and act upon them. Various tools should be used to obtain such information, such as: Google content hacking with certain commands, whois, dig, nslookup, ping, traceroute, Usenet, Teleport Pro, wget, FOCA for Windows, and Kali Linux as the greatest collection of hacking tools and commands.

As the next step, the enumeration process involves scanning systems and networks to reveal detailed information such as user accounts, host names and OS types. It is done by querying the database of the target's registrar, then organizational queries, domain queries, network queries and POC queries. Some of the tools used here are: nslookup, traceroute, enum, finger, nmap, fping, hping, TCP and UDP scans, ping sweeps, strobe, SuperScan, IPEye, SATAN, Netcat, war-dialing tools, nbtstat, nbtscan, nltest, ruser, telnet, tftp, rpcdump, rpcinfo.

Gaining access to targeted systems would involve using vulnerability scanners such as Nessus, or Armitage exploit analysis in Kali Linux. Crack passwords using hash crackers such as NghashCrack. Sniff data using Wireshark or tcpdump.

The bottom line is that, in order to maximally protect an organization against different hacking threats, it is important to design a multi-layered enterprise architecture to create a multi-level traffic-filtering and access-control approach. Therefore, it is important to act and think as a “white” hacker!

Question to the Class:

What multilayered solution would be optimal for various types of businesses?

In the News:

The hackers embedded the malicious code in Apple apps by convincing developers of legitimate software to use a tainted, counterfeit version of Apple’s software for creating iOS and Mac apps, which is known as Xcode, Apple said.

http://www.cnbc.com/2015/09/20/apples-ios-app-store-suffers-first-major-attack.html
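The TCP/UDP scans, ping sweeps and Netcat-style probes in the enumeration list of this post, as an added example that is not from the original post: a Python TCP connect scanner with banner grabbing. It only ever touches 127.0.0.1, and the “service” it discovers is a throwaway listener the script starts itself with a constructed FTP-style greeting, so it runs offline. Against real targets it does, on a tiny scale, what nmap -sT with version detection does, and because it completes a full connect() every probe is visible in the target's logs. Scan only hosts you are authorized to test.

```python
"""Minimal TCP connect scan with banner grabbing.

Added example; not from the original post. It targets 127.0.0.1 only, and the
service it finds is a constructed listener started in this same script, so it
runs offline and touches no real host.
"""
import socket
import threading

CONNECT_TIMEOUT = 0.5   # seconds; closed localhost ports refuse instantly anyway
BANNER_TIMEOUT = 0.5    # how long to wait for a service that greets on connect


def grab_banner(sock, timeout=BANNER_TIMEOUT, size=256):
    """Read whatever the service volunteers on connect (FTP, SMTP and SSH greet
    first). Services that wait for the client to speak (HTTP) yield ''."""
    sock.settimeout(timeout)
    try:
        return sock.recv(size).decode("utf-8", errors="replace").strip()
    except (socket.timeout, ConnectionResetError, OSError):
        return ""


def scan_port(host, port):
    """Return (port, 'open', banner) or (port, 'closed', '') for one TCP port.
    A full three-way handshake is completed, so the probe is logged on the target."""
    try:
        with socket.create_connection((host, port), timeout=CONNECT_TIMEOUT) as sock:
            return port, "open", grab_banner(sock)
    except (ConnectionRefusedError, socket.timeout, OSError):
        return port, "closed", ""


def scan_ports(host, ports):
    """Scan an iterable of ports; return only the open ones as {port: banner}."""
    results = {}
    for port in ports:
        port, state, banner = scan_port(host, port)
        if state == "open":
            results[port] = banner
    return results


def start_fake_service(banner):
    """Constructed stand-in for a real daemon: listens on an ephemeral localhost
    port, sends `banner` to the first client, then exits. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo():
    """Start a fake FTP-style service, then scan a small window around its port.
    Returns (service_port, {open_port: banner, ...})."""
    port = start_fake_service(b"220 ftp.example.test FTP server ready\r\n")
    window = range(port - 2, port + 3)      # two (normally closed) neighbours each side
    return port, scan_ports("127.0.0.1", window)


if __name__ == "__main__":
    target, found = demo()
    for port, banner in sorted(found.items()):
        print(f"{port}/tcp open  {banner or '(no banner)'}")
```

The scan window is deliberately tiny and the host is fixed to loopback; widening either is exactly the step that needs written authorization first, as the Nessus posts below point out for scanners generally.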

Week 5 Takeaways

Reading Summary: Enumeration and Footprinting

The enumeration process identifies valid user accounts or any weak component/resource. Some of the key areas of information include users and groups, network resources, and applications and banners. There are various tools used for this process, such as Windows NT/2000 enumeration, which contains remote admin tools and port assignments for common UNIX utilities. Another tool is called NetWare enumeration, which is a Novell-based tool that checks the status of all the servers on the opponent's network, as well as browsing the NDS trees all the way to the end leaf. UNIX enumeration displays the user's home directory, login and idle time, office location, etc. via the “finger” command.

Footprinting is the initial step in hackers' information gathering, which reveals critical information regarding remote access capabilities, the profile of the company's intranet/extranet, etc. This then allows hackers to build a database of all of the company's security weaknesses. Footprinting is accomplished in various ways, such as open source searching, network enumeration, DNS interrogation and network reconnaissance. Companies are struggling and in need of protecting their infrastructure against denial of service attacks. The installation of anti-virus is no longer as critical as having a holistic approach in place that provides layers of security posture (attributes ranging from policy, procedures, awareness, and technology), which will prevent the hacker from footprinting the company's network or, if not, make it a harder process to obtain critical information.

Article: Military Battles to Man its Developing Cyber Force

The U.S. Defense Department is assembling 133 Cyber Mission Force teams to defend military networks, protect critical U.S. infrastructure, and strike back in cyberspace when necessary. This force was to be in place by the end of 2016; however, with the requirement that it be fully manned, trained, and equipped, the deadline will now be extended to fiscal year 2018. In addition, 5,825 cyber personnel will join by 2018 across each division: Army, Air Force, Navy, and Marines. The last resource for seeking civilians is within the reserve, where six of the Air Force's cyber teams will reside, as well as up to 2,000 Reserve and National Guard personnel. It is important to note that these are people who currently work in the cyber field, which means their skills and training are current.

Interested in reading more about this article? If so, you can do so here.

Question for the class:

Have you previously been exposed to, or are you currently using, an enumeration tool for your company? If so, what have you found to be the weakest components of the company's infrastructure?
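The finger-based UNIX enumeration described in this post (home directory, login and idle time via “finger”, also listed in the first Week 5 post above), as an added example not written by either poster: a Python client that speaks the finger protocol (RFC 1288) directly, lists logins, and then fingers each one for its home directory and shell. The fingerd it talks to is a constructed stand-in started in the same script on a localhost port with made-up accounts, so it runs offline; the account names and paths are placeholders. Real hosts rarely expose TCP/79 today, and you should query only ones you own.

```python
"""Enumerate accounts over the finger protocol (RFC 1288): what the `finger`
command does under the hood.

Added example; not from the original posts. The daemon below is a constructed
stand-in with made-up accounts, started in this script on a localhost port.
"""
import socket
import threading

# Constructed fingerd replies; the layout mimics BSD/GNU finger output.
LISTING = (
    "Login     Name              Tty      Idle  Login Time   Office\r\n"
    "alice     Alice Example     pts/0       3  Sep 21 09:12 Room 101\r\n"
    "bob       Bob Example      *pts/1      1d  Sep 20 17:40\r\n"
    "svc_backup Backup Service   -          -   Never logged in\r\n"
)
DETAILS = {
    "alice": ("Login: alice                            Name: Alice Example\r\n"
              "Directory: /home/alice                  Shell: /bin/bash\r\n"
              "On since Mon Sep 21 09:12 (EDT) on pts/0, idle 0:03\r\n"),
    "bob": ("Login: bob                              Name: Bob Example\r\n"
            "Directory: /home/bob                    Shell: /bin/sh\r\n"
            "On since Sun Sep 20 17:40 (EDT) on pts/1, idle 1 day\r\n"),
}


def start_fake_fingerd():
    """Constructed stand-in for fingerd on an ephemeral localhost port. An empty
    query returns the listing, a login returns that user's record, and anything
    else gets the usual 'no such user' line. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:                      # closing = end of reply, as RFC 1288 says
                query = conn.recv(1024).decode("ascii", "replace").strip()
                reply = LISTING if query == "" else DETAILS.get(
                    query, f"finger: {query}: no such user.\r\n")
                conn.sendall(reply.encode("ascii"))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def finger_query(host, port, query=""):
    """Send one request ('<query>\\r\\n') and read the reply until the server
    closes. An empty query is the classic 'who is logged in' probe."""
    with socket.create_connection((host, port), timeout=2) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


def logins_from_listing(listing):
    """Login names are the first column of every line after the header."""
    lines = [ln for ln in listing.splitlines() if ln.strip()]
    return [line.split()[0] for line in lines[1:]]


def home_and_shell(record):
    """Pull 'Directory:' and 'Shell:' out of a single-user record; {} if absent
    (for example when the daemon answers 'no such user')."""
    info = {}
    for line in record.splitlines():
        if line.startswith("Directory:"):
            rest = line.split("Directory:", 1)[1]
            directory, shell = rest.split("Shell:", 1)
            info["directory"] = directory.strip()
            info["shell"] = shell.strip()
    return info


def enumerate_users(host, port):
    """List logins, then finger each one for home directory and shell."""
    users = {}
    for login in logins_from_listing(finger_query(host, port, "")):
        users[login] = home_and_shell(finger_query(host, port, login))
    return users


def demo():
    """Start the constructed daemon and enumerate it."""
    return enumerate_users("127.0.0.1", start_fake_fingerd())


if __name__ == "__main__":
    for login, info in demo().items():
        print(f"{login:12} {info.get('directory', '?'):14} {info.get('shell', '?')}")
```

Note the svc_backup account: it appears in the listing but the per-user query rejects it, so the enumerator records it with no home or shell. Disagreement between the two replies is itself a finding worth noting in a write-up.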

Week 4 Reading, Question and Article

Reading Summary

This week’s reading was about vulnerability scanning. The reading talked about how scanning for vulnerabilities is a better and more proactive solution than using a password to protect files and waiting until something bad happens. The product used to discuss vulnerability scanning was Nessus. Nessus is a free, open-source and powerful remote vulnerability scanner. Nessus needs to be updated with its latest library of plugins, along with other tools such as firewalls, IDS, IPS, etc., to proactively protect systems. The article also contains instructions on how to install, configure and set up Nessus to run scans.

Question

What kind of protection will you use to protect the smartphones and mobile devices given to employees by your organization from information security breaches?

Article

http://sites.utexas.edu/iso/2015/09/15/android-5-lockscreen-bypass/

I found this article interesting because it talks about how Android 5.x phones could be “hacked” by entering enough characters in the password field to crash the lockscreen process.

Week 4 SANS Reading and article

The importance of vulnerability scanning cannot be minimized. Attack vectors routinely target systems which are vulnerable from an upgrade, patch or security perspective. Organizations which have implemented vulnerability scanners such as Nessus provide themselves with some protection against known vulnerabilities and ensure their configurations are up to date. The only downside is that the vulnerability engine is limited to the vulnerabilities it is aware of and has a plug-in for. This type of solution works best when coupled with firewall and IDS systems to add layers of defense to your organization while proactively protecting your systems.

This week's article illustrates the risk associated with email, specifically in the health care industry.

http://www.databreachtoday.com/sutter-health-incident-illustrates-email-risks-a-8533


Sans Reading and Article of the Week

Regularly testing your technical shortfalls and security gaps through third-party vendors is always a good start if you are not sure where to begin; however fancy it may be, it can be daunting at times, and many will agree that it is expensive. Third-party vendors will give you a head start, but how will you maintain the momentum after they are long gone and you are back at square one? Additionally, these sorts of assessments only provide a “snapshot in time” of a system's security posture. However, an organization's risk and security profile continuously changes and evolves over time for a variety of reasons. The best way to stay ahead of the curve is by constantly scanning in-house, using both manual vulnerability assessments and automated scanning tools. One such tool that can help your organization is Nessus, a freeware utility designed to identify the vulnerable points of a system and provide information on how to fix them.

Nessus is widely viewed as a hacker reconnaissance tool, so you have to ensure the “rules of engagement” have been defined and written permission to use the tool has been given before use. You should begin by performing a scan against the host and then the clients. Results should be evaluated by security personnel to ensure accuracy and to provide a relative interpretation of the results. The best thing is to concentrate on the critical vulnerabilities in the report; those risks should be mitigated immediately. The results should not be disseminated across the organization, to ensure confidentiality, privacy and security.

This week's interesting security article comes from Wired magazine. Ever wondered if you have been spied on by national intelligence agencies such as the NSA, or foreign ones such as Britain's GCHQ? Well, now you can find out who spied on you. Please use the link below for further information.

Wired Magazine Link: http://www.wired.com/2015/09/now-can-find-nsa-gchq-spied

Week Four Reading, Question, and InTheNews

Week Four Reading:  Mitchel, J. (2002). Proactive Vulnerability Assessments with Nessus, SANS Institute.  Once setup and configured, Nessus is a powerful tool for applying signatures for detecting known vulnerabilities in a computer system.  I found the author’s instruction about saving time with operating systems and databases by proactively setting up the system’s security configuration settings prior to running the first Nessus scan particularly useful: “If you don’t spend the time to properly harden a system before putting it on the network, you’ll spend countless hours tracking down the numerous vulnerabilities that Nessus will detect.”

Question for the class: The article suggests great caution in particular aspects of using Nessus. In which specific ways can Nessus threaten the operation of a target computer system being scanned?

News of the Week: Apache Spark Cluster 1.3.X – Arbitrary Code Execution https://www.exploit-db.com/exploits/36562/   Apache Spark is an open source cluster computing framework whose multi-stage in-memory processing primitives provide performance up to 100 times faster than Hadoop's two-stage disk-based MapReduce paradigm (https://www.sigmoid.com/securing-apache-spark-cluster/). Spark clusters which are not secured with a proper firewall, however, do not have any authentication mechanism and can be taken over easily. The exploit described in the Exploit Database entry illustrates how to take over and run arbitrary code on an unprotected cloud-based Apache Spark cluster resource.

MIS-5211 Week 4 Reading Summary & Cyber Security News…

Review my following MIS-5211_Wk4 class preparation information findings:

Week 4 Readings, Question, and In the Cyber Security News…

  1. Summarize one key point from each assigned reading…

In order to proactively check and protect one's own business computer network from ongoing vulnerabilities (in & out), one can periodically deploy the robust & low-cost Nessus computer network vulnerability scanner (it identifies issues & provides fix-it information). Additionally, as a matter of convenience, use a UNIX-based portable laptop computer with the Nessus server & client already installed (to check for network vulnerabilities at many different places on one's business networks).

  2. Question to classmates (facilitates discussion) from assigned reading…

Since the Nessus network vulnerability system is dependent on its current set of known “plug-ins” (similar to anti-virus software definitions), how then does one detect & provide fix-it information for unknown, new network vulnerabilities?

*NOTE: Review the latest NESSUS plug-ins from the Tenable Network Security organization…

www.tenable.com/plugins/index.php?view=newest

  3. Identify, read, and post to our blog a current event article regarding ethical hacking & penetration testing (follow theme topic of the week, or other interesting related article)…

In the Cyber Security News lately…

CAPTCHA-bypassing malware found in Google Play…

www.ehackingnews.com/2015/09/captcha-bypassing-malware-found-in.html

“Bitdefender Security Researcher, Liviu Arsene has recently revealed that a malware, identified as Android.Trojan.MKero.A has found its way into the highly legitimate apps in Android powered Google Play Store by successfully evading the Google Bouncer’s vetting algorithms. This can cause a lot of trouble for the vendors who provide paid premium services of their products as the malware can now make the services available for free.”

Week Four Summary

Vulnerability scanning is important because one can find the weaknesses and avenues of approach that an enemy could find. You are finding those weaknesses first in order to fix them, before an enemy can find and exploit them. Nessus is a great yet expensive vulnerability scanner. You must have the permission of the security team and senior management before scanning, since Nessus is viewed as a hacker recon tool. You can scan one host, or your whole network if desired. The results will be included in a text document, with the indicated vulnerabilities and CVEs. One must keep this document secret from outside eyes, since information about company vulnerabilities would save your enemies the work of recon. You must combine other vulnerability scanners with your assessment to truly uncover all the weaknesses in your network or hosts.

News Article:

http://www.bbc.com/news/world-us-canada-34229439

Obama states that Chinese hacking of American assets is unacceptable, and that he will not be staying at any Chinese-funded hotels. In terms of cyber warfare, Obama stated, “I guarantee you, we will win if we have to.” MURICAH!
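The advice in this post to treat the scan output (vulnerabilities and CVEs) as confidential, and the advice in the earlier “Sans Reading and Article of the Week” post to concentrate on the critical findings and mitigate them first, as one added example that is not from either post or from Tenable: a Python triage of a Nessus v2 report (the .nessus XML export). It ranks findings by severity, collects CVEs per host, and builds a redacted, count-only summary for wider distribution while the full report stays with the security team. The two-host report it parses is constructed in the NessusClientData_v2 layout; its plugin IDs, plugin names and CVE strings are placeholders, not real Nessus plugins or CVE entries.

```python
"""Triage a Nessus v2 report (.nessus XML): rank by severity, collect CVEs per
host, and emit a redacted summary safe to circulate.

Added example; not from the posts or from Tenable. SAMPLE_NESSUS is a
constructed report: plugin IDs, names and CVE strings are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="Internal quarterly scan">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="host-ip">10.0.0.5</tag>
        <tag name="operating-system">Example Server OS (constructed)</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="900001" pluginName="Placeholder: SMB service missing vendor patch"
                  pluginFamily="Windows">
        <risk_factor>Critical</risk_factor>
        <cve>CVE-0000-0001</cve>
        <solution>Apply the vendor patch.</solution>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900002" pluginName="Placeholder: Web server version disclosure"
                  pluginFamily="Web Servers">
        <risk_factor>Medium</risk_factor>
        <solution>Suppress the Server header.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900003" pluginName="Placeholder: OS identification"
                  pluginFamily="General">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <HostProperties>
        <tag name="host-ip">10.0.0.9</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3"
                  pluginID="900004" pluginName="Placeholder: SSH server outdated"
                  pluginFamily="Misc.">
        <risk_factor>High</risk_factor>
        <cve>CVE-0000-0002</cve>
        <cve>CVE-0000-0003</cve>
        <solution>Upgrade the SSH daemon.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten every ReportItem into a dict: host, port/proto, severity, CVEs."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        hostname = host.get("name")
        for item in host.iter("ReportItem"):
            findings.append({
                "host": hostname,
                "port": f'{item.get("port")}/{item.get("protocol")}',
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "cves": [c.text for c in item.findall("cve")],
                "solution": (item.findtext("solution") or "").strip(),
            })
    return findings


def prioritized(findings, min_severity=3):
    """Findings at or above `min_severity` (default High), worst first: the set
    to mitigate immediately. Info-level items (severity 0) never make the cut."""
    keep = [f for f in findings if f["severity"] >= min_severity]
    return sorted(keep, key=lambda f: (-f["severity"], f["host"], f["port"]))


def cves_by_host(findings):
    """Map each host to the sorted set of CVE identifiers attached to it."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].update(f["cves"])
    return {h: sorted(c) for h, c in by_host.items()}


def severity_counts(findings):
    """Counts per severity name, e.g. {'Critical': 1, 'High': 1, ...}."""
    counts = {name: 0 for name in SEVERITY_NAMES.values()}
    for f in findings:
        counts[SEVERITY_NAMES[f["severity"]]] += 1
    return counts


def redacted_summary(findings):
    """Distribution copy: counts only, with no hosts, ports, plugin names or
    CVEs. The full report tells an attacker exactly where to go."""
    return {"hosts_scanned": len({f["host"] for f in findings}),
            "by_severity": severity_counts(findings)}


if __name__ == "__main__":
    findings = parse_nessus(SAMPLE_NESSUS)
    for f in prioritized(findings):
        print(f'{SEVERITY_NAMES[f["severity"]]:8} {f["host"]:10} {f["port"]:8} '
              f'{f["plugin_name"]}  {",".join(f["cves"]) or "-"}')
    print("CVEs by host:", cves_by_host(findings))
    print("Redacted:", redacted_summary(findings))
```

Point parse_nessus at a real export (open the file and pass its text) and the same functions apply; the min_severity threshold is the knob for how much of the report the remediation queue takes on at once.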

Week 4 Reading Summary and In the News

Reading Summary:

Many businesses nowadays forget about a critical asset of their business; that is, protecting business data. Unfortunately, most owners and management care only about customers and the business processes that directly generate revenue, versus the enterprise network that only provides tools to support the business. For so many years, vulnerabilities have become more and more sophisticated, alerting many companies to the precautions required, but despite thousands of hacks, only some business owners really understand the importance of protecting data at all costs. While auditors and external consultants may be an expensive service for performing proactive vulnerability scans, there are many free tools, such as Nessus, Qualisys and a few others, that help to build a vulnerability report that assesses networks, creates mitigation reports and builds a baseline framework for all systems to improve security hardening. While Nessus would be a good choice for a network scan, it reports only what it finds in its plug-in database. Therefore, scanning internally within the local network using other tools such as MBSA, Nmap, RapidFire, Nexpose/Rapid7, OpenVAS and a few others would be important in order to have a diversity of vulnerability reports.

Question to the Class:

What solution did you use in the past? Which tool do you find most comprehensive?

In the News:

New Apple products released on Wednesday, Sept. 9th will include an enhanced security feature requiring dual-factor authentication (6-digit code + fingerprint scan) for various apps. This new security feature should lead enterprise businesses to upgrade their devices in order to minimize the risk of attacks.

Posted by CNBC on Friday, 11 Sep 2015 | 1:16 PM ET

http://www.cnbc.com/2015/09/11/apple-ramps-up-its-cybersecurity-game.html