Introduction to Ethical Hacking

Temple University

Week 4 reading summary and in the news article

Reading Summary:

The enterprise often contains firewalls and an intrusion detection system (IDS) to keep the organization secure. However, that is not enough to detect vulnerabilities or web attacks on an external web server or BIND exploits on a DNS server. There are different approaches when it comes to supplementing the security model. Proactive vulnerability assessment is done in various ways, depending on the organization, such as proactive vulnerability assessments with Nessus, a low-cost automated vulnerability scanner. If the enterprise chooses Nessus, first it will need to configure it properly and then scan the network. After the scan is complete, interpretation and analysis of the reports are crucial, such as identifying what is a false positive.

Article:

Law firms are willing to spend more than $6.9 million on information security, or 1.92% of their gross annual revenues. This industry contains very sensitive client data, and they will do whatever it takes to keep that client data secure. How will they achieve that goal? Law firms are strengthening in-house security skills, identifying gaps through internal and external security assessments, transferring risk with new insurance policies by investing in cyber-liability insurance, and providing training to attorneys and staff on electronic communications risks and phishing e-mails.

For more information regarding this article, please click here.

Question for the class:
Law firms are a growing industry and in need of more cyber security analysts. Do you see yourself being part of such an industry, and if so, how would you contribute to clients' data security?

Link for class video capture of first three nights

You have been invited to attend a Mediasite presentation.

Presentation Details:
Title: =MIS 5211.001_8/26/2015
Date: Wednesday, August 26, 2015
Time: 5:30 PM (UTC-05:00) Eastern Time (US & Canada)
Duration: 2:30:00
Link: http://tucapture.fox.temple.edu/Mediasite/Play/6685ccf24dfc43bd9d8338a6f52b392a1d

Presentation Details:
Title: =MIS 5211.001_9/2/2015
Date: Wednesday, September 2, 2015
Time: 5:30 PM (UTC-05:00) Eastern Time (US & Canada)
Duration: 2:30:00
Link: http://tucapture.fox.temple.edu/Mediasite/Play/4c23785e0d674c58b4c26e18468a70e81d

Presentation Details:
Title: =MIS 5211.001_9/9/2015
Date: Wednesday, September 9, 2015
Time: 5:30 PM (UTC-05:00) Eastern Time (US & Canada)
Duration: 2:30:00
Link: http://tucapture.fox.temple.edu/Mediasite/Play/2405280f22d44e3eae5e0899efb08fca1d

Week 4 reading and article

The reading this week discusses using Nessus as a scanning tool to find potential vulnerabilities in a system. Nessus is used to test a number of vulnerabilities in a system in one scanning swoop rather than testing them individually by hand to see if they exist. While Nessus can identify potential vulnerabilities, it can't identify why they exist (like company policies) or which results are false positives from the scan. Another important takeaway about Nessus is that it only finds the potential vulnerabilities; it doesn't actually fix them. It is still up to the IT department and management to use these findings as the proof needed to spark organizational change to close these security holes.
My question for the class comes from a classic example from the reading. Do you think it is best to enable all the plugins for a scan or disable the non-dangerous ones and run the rest? Are there situations where one method is better than the other?
My news article ties back to last week’s topic about public information. http://www.zdnet.com/article/microsofts-project-sonar-malware-detonation-as-a-service/

This is a story about a new malware detonation service from Microsoft. The technology itself is interesting but I thought the noteworthy thing here is that this story lead was found simply by scanning Microsoft job postings, which was one of the examples of public information we talked about in class.
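Both Nessus posts above come back to the same point: the scanner produces a report, and the analyst still has to sort real findings from false positives and decide what to hand to the IT department. The script below is an added example, not code from the course reading or from Nessus itself, that does that first pass over a Nessus v2 XML export (a `.nessus` file): it reads each `ReportItem`, groups findings by severity, and sets aside the ones an analyst has already verified as false positives (here, a BIND version-string finding on a host whose distribution backports security fixes without changing the reported version). The report embedded in it is constructed, and its plugin IDs are placeholders, not real Nessus plugin numbers.

```python
"""First-pass triage of a Nessus v2 XML (.nessus) export.

Added example, not code from the course reading or from Nessus itself.
The embedded report is constructed; the pluginID values are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity codes as they appear in the ReportItem "severity" attribute.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed report: two hosts, three findings. pluginID 9000xx are placeholders.
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="host-ip">10.0.0.5</tag>
        <tag name="operating-system">Linux Kernel 3.x</tag>
      </HostProperties>
      <ReportItem port="53" svc_name="dns" protocol="udp" severity="3"
                  pluginID="900001" pluginName="BIND version string out of date (constructed)">
        <risk_factor>High</risk_factor>
        <plugin_output>Reported version string: 9.9.0</plugin_output>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="900002" pluginName="OS identification (constructed)">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.8">
      <HostProperties>
        <tag name="host-ip">10.0.0.8</tag>
      </HostProperties>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900003" pluginName="Self-signed TLS certificate (constructed)">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten every ReportItem into a dict, one per (host, port, plugin)."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "severity": int(item.get("severity")),
                "output": (item.findtext("plugin_output") or "").strip(),
            })
    return findings


def triage(findings, false_positives):
    """Split findings into open ones (highest severity first) and suppressed ones.

    false_positives is a set of (host, port, plugin_id) keys an analyst verified
    by hand, e.g. a version-based check on a distro that backports security fixes.
    """
    open_findings, suppressed = [], []
    for f in findings:
        key = (f["host"], f["port"], f["plugin_id"])
        (suppressed if key in false_positives else open_findings).append(f)
    open_findings.sort(key=lambda f: (-f["severity"], f["host"], f["port"]))
    return open_findings, suppressed


def severity_summary(findings):
    """Count findings per severity name, e.g. {'High': 1, 'Medium': 1}."""
    return dict(Counter(SEVERITY_NAMES[f["severity"]] for f in findings))


if __name__ == "__main__":
    findings = parse_nessus(SAMPLE_NESSUS)
    # Analyst checked the BIND package on 10.0.0.5 and confirmed the fix is backported.
    verified_fp = {("10.0.0.5", 53, "900001")}
    open_findings, suppressed = triage(findings, verified_fp)
    print("raw:", severity_summary(findings))
    print("after triage:", severity_summary(open_findings))
    for f in open_findings:
        print(f"{SEVERITY_NAMES[f['severity']]:8} {f['host']}:{f['port']}/{f['protocol']}  {f['plugin_name']}")
    for f in suppressed:
        print("suppressed (verified false positive):", f["host"], f["plugin_name"])
```

The false-positive list is keyed on host, port and plugin rather than on plugin alone, so suppressing a version-string finding on one patched host does not hide the same finding on a host that really is unpatched; the suppressed list is kept and printed so the decision stays visible in the report rather than silently disappearing.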

Week 3 Reading Summary

Google Hacking

It is a really interesting post about background information processing, or in other words, the behind-the-scenes actions that allow one to tweak the search field and get various results. It is done using special keywords and commands in the search field that narrow the search down to a specific query. It is a great tool for mapping out internet-connected networks. For example, using certain operators it is possible to perform a DNS query for domain enumeration, get hints about application information and other useful info about the targeted network, corresponding to the reconnaissance technique.

Also, note that when doing a search with certain commands/operators, you may get an alert as shown below:

Google Search Alert

About this page

Our systems have detected unusual traffic from your computer network. This page checks to see if it's really you sending the requests, and not a robot. Why did this happen?

IP address: (Your IP Address)
Time: 2015-09-09T22:39:18Z
URL: https://www.google.com/search?sclient=psy-ab&biw=1440&bih=768&q=nbme.org+&oq=nbme.org+&gs_l=serp.3..35i39j0i20j0i30.1253.3253.7.3515.16.16.0.0.0.0.210.943.15j0j1.16.0….0…1c.1.64.psy-ab..8.8.449.jk_rxLaFJVM&pbx=1&bav=on.2,or.r_cp.&bvm=bv.102022582,d.dmo&ech=1&psi=SLTwVfaCI8XrefjEuqAI.1441838153668.13&ei=1rTwVaalKcvOeKuFnOAC&emsg=NCSR&noj=1
For reconnaissance, there are many Linux commands that are easy and useful for performing enumeration and fingerprinting. One of the tools, Nmap, is really great for scanning applications, ports, IP addresses and DNS info. Also, TelePort is a great tool for sniffing web site content in code that would reveal web server versions and web site script content.

Ref. Resource: http://resources.infosecinstitute.com/nmap-cheat-sheet/

Week 3 article

In the News

http://www.nbcnews.com/tech/tech-news/whatsapp-hack-attack-puts-200-000-risk-n424101

This article talks about a security vulnerability in WhatsApp Web which allows attackers to disguise malicious content as vcf files. Vcf files are used to share contact information. Attackers can send a vcf which will run malicious code after the receiver opens it.

Week 3 Readings and Current Events

>> Reading Summary –

Business Partner Vulnerability Assessment:
Businesses/organizations depend on the network to communicate, buy/sell, and perform all sorts of transactions. Securing an organization's nodes along the way is an elusive objective and has challenged people and their organizations alike. Today's connections are not physical, but rather virtual; there are virtual connections between customers and suppliers, and due diligence in today's connected world can yield better financial results. Every connected system is directly accessible from any other connected system (Schneier, 2000), thus increasing the attack surface. Even when you are secure, you should ensure that your law firm or marketing consultant, for example, is also protected.

The Art of Reconnaissance:
Begin by understanding basic demographics about the entity, then conduct basic DNS, IP address and tracing of the victim's node; once basic data gathering is complete and rules of engagement (formal/written permissions) have been ascertained, ping sweeps, fingerprinting and port scanning should be acquired and analyzed.

Question:
Should LinkedIn promote end user education to ensure their users are NOT posting confidential, proprietary and other pertinent information to the public that could harm their organizations?

>> Current Events –
How KeyRaider Malware Hacked 225K Apple Accounts
http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/

Turla APT malware threat uses satellites to avoid detection
http://m.v3.co.uk/v3-uk/news/2425237/turla-apt-malware-threat-uses-satellites-to-avoid-detection

Week 3 Reading and article

The key facts I got from the reading are that public information will always be available, as the internet will always be instrumental in finding customers, which in turn will always make you vulnerable or a candidate for an attack if you are not properly protected. Ensuring that your configurations, patches and security are up to date or hardened will go a long way in making attackers choose another target. Simple queries or scans that are within the law can open a window into your environment, which gives an attacker the bread crumbs necessary to begin their attack strategy.

In the News:

http://www.databreachtoday.com/hackers-exploit-stolen-firefox-bug-information-a-8525?rf=2015-09-08-edbt&mkt_tok=3RkMMJWWfF9wsRojuq3OZKXonjHpfsX66OgpUa6g38431UFwdcjKPmjr1YYIRct0aPyQAgobGp5I5FEIT7HYRrhpt6cOXA%3D%3D

Hackers exploit stolen Firefox bug information. Mozilla is warning that at least one year ago, an attacker infiltrated the repository that it uses to log bugs pertaining to its Firefox browser, began stealing information relating to unpatched vulnerabilities in Firefox and other Mozilla products, and actively targeted at least one unpatched flaw in Firefox for a period of at least three weeks. Officials at the free-software community say they have also alerted law enforcement to the theft, and say they have taken steps to improve their internal security practices, to help block such attacks in the future.

Week 3 Summary

Open Source Recon Tools:

Conducting active recon with permission from the company would be considered illegal. Only passive forms of recon, such as open source information or social engineering, are considered legal to do without permission. Any piece of information, whether available to the public or not, can help an attacker piece together the puzzle that gives them enough information to decide how to exploit systems. Conducting Google hacking will be sensed by Google, and makes one enter a CAPTCHA code to prove one is not a bot, since Google hacking is considered malicious. One must also be very careful when conducting a port scan, since intense scans can take up a lot of bandwidth on the network and may crash services and disrupt daily operations. Some ways of recon can include DNS zone transfers, port scans via Google searches, searching archived versions of websites, netcraft, and then looking up website or company vulnerabilities on the CVE list.

Art of Recon:

The first step of recon would be to perform a DNS zone transfer, or DNS enumeration of the target, to discover any possible IP addresses for servers, computers, or websites. DNS enumeration can also turn server or computer names into IP addresses, and retrieving the contents of DNS servers unlocks this treasure trove. You can check if hosts are active and live with a ping sweep, although these are unreliable because firewalls may block ICMP. A noisy way to check live hosts is with a full TCP scan. Fingerprinting allows one to discover what operating system the target is running, which is important in selecting further enumeration, vulnerability scanning, or exploits. Port scanning allows one to see what services are running, which doors are open, and whether any versions of the services have vulnerabilities or missing patches. Options in the hping3 or nmap scan can help make the scan quieter, or mask your IP address during a port scan.

News Article:

http://www.wired.com/2015/08/uber-hires-hackers-wirelessly-hijacked-jeep/

Uber hires two hackers who were able to hack into cars. They will be helping to prevent future cars from getting attacked and penetrated.

Question for the class:

What are some NSE scripts that can be used with Nmap to help it act as a useful vulnerability scanner?
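The two recon summaries above (the "Art of Reconnaissance" section of the Week 3 Readings post and the "Art of Recon" section of the Week 3 Summary) both describe ping sweeps and port scans, and the second notes that scan options can make a scan quieter. From the defender's side, the same activity shows up in firewall logs as one source reaching many destination ports in a short time. The script below is an added example, not code from the course reading or from Nmap or hping3: it parses constructed firewall log lines (RFC 5737 test addresses in an invented line format, not any real firewall's syntax) and flags sources whose count of distinct (host, port) pairs inside a sliding time window crosses a threshold. The second call at the bottom shows why a quiet scan spread over an hour slips past a one-minute window and needs a longer window with a lower threshold to be caught.

```python
"""Flag port-scan-like activity in firewall logs: one source reaching many
distinct destination ports inside a sliding time window.

Added example, not code from the course reading or from Nmap/hping3.
Log lines are constructed (RFC 5737 test addresses) in an invented format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Invented log format: "<ISO timestamp> <ALLOW|DENY> src=.. dst=.. dport=.. proto=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: a fast scan from 203.0.113.7, normal browsing from
# 198.51.100.4, and a slow scan from 192.0.2.9 spread over about an hour.
SAMPLE_LOG = """\
2015-09-09T22:39:10Z DENY src=203.0.113.7 dst=10.0.0.5 dport=21 proto=tcp
2015-09-09T22:39:10Z DENY src=203.0.113.7 dst=10.0.0.5 dport=22 proto=tcp
2015-09-09T22:39:11Z DENY src=203.0.113.7 dst=10.0.0.5 dport=23 proto=tcp
2015-09-09T22:39:11Z ALLOW src=203.0.113.7 dst=10.0.0.5 dport=80 proto=tcp
2015-09-09T22:39:12Z DENY src=203.0.113.7 dst=10.0.0.5 dport=443 proto=tcp
2015-09-09T22:39:12Z DENY src=203.0.113.7 dst=10.0.0.5 dport=3306 proto=tcp
2015-09-09T22:39:15Z ALLOW src=198.51.100.4 dst=10.0.0.5 dport=80 proto=tcp
2015-09-09T22:39:16Z ALLOW src=198.51.100.4 dst=10.0.0.5 dport=443 proto=tcp
2015-09-09T22:45:00Z DENY src=192.0.2.9 dst=10.0.0.8 dport=25 proto=tcp
2015-09-09T23:10:00Z DENY src=192.0.2.9 dst=10.0.0.8 dport=110 proto=tcp
2015-09-09T23:40:00Z DENY src=192.0.2.9 dst=10.0.0.8 dport=143 proto=tcp
"""


def parse_log(text):
    """Turn each matching line into a dict with a datetime timestamp; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "action": m.group("action"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
            "proto": m.group("proto"),
        })
    return events


def detect_scans(events, threshold=5, window=timedelta(seconds=60)):
    """Return {src: sorted [(dst, dport), ...]} for every source that touched at
    least `threshold` distinct (dst, dport) pairs within some span of `window`.

    ALLOW lines count as well: a scanner hits open ports just as it hits closed ones.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        for i, start in enumerate(evs):  # anchor a window at each event in turn
            seen = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                seen.add((e["dst"], e["dport"]))
            if len(seen) >= threshold and len(seen) > len(best):
                best = seen
        if best:
            flagged[src] = sorted(best)
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("60 s window, threshold 5:", detect_scans(events))
    # The slow scanner never shows 5 ports inside one minute; widening the window
    # and lowering the threshold catches it, at the cost of more false alarms.
    print("2 h window, threshold 3:", detect_scans(events, threshold=3, window=timedelta(hours=2)))
```

With the defaults only 203.0.113.7 is flagged; 192.0.2.9 only appears once the window is widened to two hours and the threshold lowered to three, which is the trade-off behind the "quieter scan" options the summary mentions: the slower the probe, the longer the window a detector has to keep and the more ordinary traffic it will sweep up.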