Week 7 Takeaways
Reading Summary: NetCat
NetCat is a tool built by Hobbit and made available on a Windows platform by Weld Pond. It is recommended to test the firewall and router configurations in a test environment and not in a production network. This utility allows security professionals to test the operating system lockdown procedures by allowing them to write and read data across TCP and UDP network connections. In addition, some other features include the ability to use any local source port, built-in loose source-routing, full DNS forward/reverse checking, etc. Lastly, security professionals use NetCat in their environment for file transfers, firewall testing, proxy gatewaying, script backends, spoofing tests, protecting X servers, etc.
Question for the class:
Have you previously used NetCat and if so, how did you utilize this tool to its full potential?
In the News: Trump hotels hacked, credit card data at risk
Trump hotels across the US and Canada were impacted by a computer virus where hackers had access to customer credit card data for an entire year. Anyone who visited a Trump hotel in New York, Chicago, Honolulu, Las Vegas, Toronto, or Miami between May 19, 2014 and June 3, 2015 was impacted by the malicious software placed on the hotel’s payment systems, which allowed any sensitive information to be exposed, such as credit card numbers, expiration dates, and security codes on the back of the cards. As a result of this hack, the hotel is offering one year of free identity fraud protection to any affected customer.
Click here to find out more information regarding this article.
Week 6 Presentation and Video Link
Intro-to-Ethical-Hacking-Week-6 [Autosaved]
You have been invited to attend a Mediasite presentation.
Presentation Details:
Title: MIS 5211.001_9/30/2015
Date: Wednesday, September 30, 2015
Time: 5:30 PM (UTC-05:00) Eastern Time (US & Canada)
Duration: 2:30:00
Link: http://tucapture.fox.temple.edu/Mediasite/Play/88148794df1642649b8ee1bd50aae3251d
Week 6: Sniffers and what’s in the News.
There are different sniffing techniques that can be applied within a switched and non-switched environment; ARP spoofing techniques and tools are available that allow an attacker to conduct network reconnaissance. This method has proven very effective in a switched environment: with fairly good accuracy, the tools’ built-in logic allows many network protocols to be decoded, they have the capability to filter the sniffed traffic on the fly, and they highlight sensitive information such as usernames and passwords, which has dangerous implications.
There are more challenges to eavesdrop on network traffic in a switched environment because switches will only send network traffic to the machine it is destined for; this ability can be seized with the right tool.
Packet sniffing in a non-switched environment is vulnerable if the organization is not employing strong encryption to slow down and even stop certain sniffing and password cracking attacks. For example, the most widely used encrypted protocol, which happens to be vulnerable to sniffing and cracking attacks, is Microsoft’s LAN Manager Protocol. Multiple MS LM iterations have been released in an effort to address this vulnerability, but it is penetrable and data can be infiltrated and/or exfiltrated.
There are ways to mitigate the risk of sniffing tools; however, it starts by locking down the network environment. Locking down the environment is one of the more holistic ways to secure the network. Software applications and virtual LANs that attempt to control and segment a network into logical segments are one way. That being said, they are still vulnerable to sniffing; therefore the most viable solution to protect against packet sniffing is encryption using IPSec.
What’s in the News:
Attackers have developed a botnet capable of 150+ gigabit-per-second (Gbps) distributed denial of service (DDoS) attack campaigns using XOR DDoS, a Trojan malware used to hijack Linux systems.
To find out more, please click on the link below:
http://www.infosecurity-magazine.com/news/xor-ddos-botnet-20-attacks-per-day
Week 6 Summary
Sniffing is when one uses tools to track the traffic going on in your network. There are two types of sniffing: active and passive.
Passive sniffing involves observing traffic across the network, such as sniffing the traffic from a hub, since a hub broadcasts all traffic out to all of its ports.
Active sniffing involves touching a switch to manipulate it to do what you want it to do. Some ways of touching the switch would include ARP poisoning or MAC flooding. These techniques would turn the switch into a hub and have the switch broadcast all traffic out of all its ports and make it easier to listen in on traffic. Usually switches only send traffic to the intended recipient and not to the whole network. They also have port security so no random IP addresses or MAC addresses can plug in and listen. Spoofing a MAC address would also be a way to listen in on a switch’s traffic.
Passive sniffing is not easily detected, whereas active sniffing can be detected. In order to sniff, one must set their NIC to promiscuous mode. Sniffing is useful since unencrypted protocols such as FTP, telnet, SMTP, HTTP, POP3 or IMAP can be easily captured and read.
Article:
Police tell residents to stop calling whenever Facebook goes down.
http://www.independent.co.uk/life-style/gadgets-and-tech/facebook-down-don-t-ring-us-when-site-stops-working-say-police-a6672081.html
Week 6 Reading Summary and in the news
Packet sniffing is largely an internal threat which must be mitigated. Both non-switched and switched networks are susceptible to packet sniffing. Many off-the-shelf tools today allow insider threats to easily capture information deemed sensitive. Packet sniffers were intended for “good” use but inevitably have become a tool for malicious activity. A switched network, considered to be more secure, is also vulnerable to sniffing with a laptop and implementation of a man-in-the-middle attack. There are a variety of mitigation steps that can be put in place that are more or less successful, but ultimately encryption is the most viable solution.
In the news: Beware of cash out attacks, banking Trojans via Malvertising and POS Memory-Scraping Malware
http://www.databreachtoday.com/malware-warning-banks-customers-atms-under-fire-a-8551
Week 6 Reading Summary and In the News
Reading Summary: SNIFFERS
Sniffing techniques allow eavesdropping on switched networks, meaning that when appropriate tools are used it is possible to collect network traffic data frames and packets in order to discover information of interest such as MAC addresses, IP schema and addresses, TCP/IP protocols in use, and port numbers. While packet sniffers were meant to be used for “good-will” purposes such as administration and monitoring of data traffic, the tools may be used by malicious users/attackers to harm or disrupt networks. Switched packet sniffing is more difficult to accomplish since managed switches normally send traffic directly on a port-by-port basis and only a “man-in-the-middle attack” would possibly sniff data. In contrast, non-switched sniffing is easy since all traffic is being transmitted across all switches without directed transmission, so when a NIC is in “promiscuous” mode all data in the network is visible. Sniffed data may reveal certain weaknesses in network communications, such as a weak port or protocol in use, that can be exploited during hacking attacks. Sniffed data is broken down into Packet Data Unit (PDU) layers as per the OSI model, which reveals precise data information from each layer, from Layer 7 down to Layer 1. One sniffing technique is ARP or IP spoofing, which allows an attacker to eavesdrop on network traffic, replace the victim’s MAC/IP address with the attacker’s address, and masquerade the hacker as a legitimate user. However, certain firewalls such as the Cisco ASA firewall have a feature called ACL and Source Control of Ingress Traffic that would deny access to an attacker if an internal MAC/IP is being used from outside of the internal network. Encryption of data in motion would be ideal to have in order to prevent sniffing attacks. Switch Port Security features are useful against sniffing attacks.
Question to the Class:
What is the best sniffing tool in terms of simplicity and quality?
In The News:
New Botnet Hunts for Linux — Launching 20 DDoS Attacks/Day at 150Gbps
http://thehackernews.com/2015/09/xor-ddos-attack.html
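The ARP spoofing and layer-by-layer PDU decoding described in the sniffing summaries above, seen from the detection side, as an added example that is not part of any student post: it decodes raw Ethernet/ARP frames and flags replies that re-bind a known IP (especially the gateway’s) to a new MAC, or whose layer-2 source address disagrees with the ARP sender address. The frames, addresses and function names (`build_arp_reply`, `parse_arp`, `detect_arp_spoofing`) are constructed for illustration.

```python
import struct

ETH_LEN, ARP_LEN = 14, 28   # Ethernet II header, ARP payload for IPv4 over Ethernet
ARP_REPLY = 2

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Constructed test frame (not a real capture). eth_src lets us model a frame
    whose layer-2 source differs from the ARP sender address it carries."""
    eth = _mac(target_mac) + _mac(eth_src or sender_mac) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)

def parse_arp(frame):
    """Decode layer 2 and the ARP PDU; None for anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_LEN + ARP_LEN or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": frame[6:12].hex(":"), "oper": oper,
            "sha": frame[22:28].hex(":"), "spa": ".".join(map(str, frame[28:32])),
            "tha": frame[32:38].hex(":"), "tpa": ".".join(map(str, frame[38:42]))}

def detect_arp_spoofing(frames, gateway_ip):
    """Passive, arpwatch-style detection: the first MAC seen for an IP is trusted; a later
    reply that moves the IP to another MAC, or whose Ethernet source is not the ARP sender,
    is reported. Rebinding the gateway is what a man-in-the-middle needs, so it is tagged."""
    bindings, alerts = {}, []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["oper"] != ARP_REPLY:      # only replies update caches
            continue
        if arp["eth_src"] != arp["sha"]:
            alerts.append(f"{arp['spa']}: frame source {arp['eth_src']} differs from ARP sender {arp['sha']}")
        known = bindings.setdefault(arp["spa"], arp["sha"])
        if known != arp["sha"]:
            tag = "GATEWAY " if arp["spa"] == gateway_ip else ""
            alerts.append(f"{tag}{arp['spa']} moved from {known} to {arp['sha']}")
    return alerts

def demo():
    """Constructed sequence: two legitimate replies, a non-ARP frame, then a poisoned gateway entry."""
    gw, host, attacker = "00:11:22:33:44:01", "00:11:22:33:44:02", "de:ad:be:ef:00:99"
    frames = [build_arp_reply(gw, "10.0.0.1", host, "10.0.0.20"),
              build_arp_reply(host, "10.0.0.20", gw, "10.0.0.1"),
              b"\x00" * 60,
              build_arp_reply(attacker, "10.0.0.1", host, "10.0.0.20")]  # attacker claims the gateway IP
    return detect_arp_spoofing(frames, gateway_ip="10.0.0.1")

if __name__ == "__main__":
    print("\n".join(demo()))
```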
Week 6 Reading Summary and Article
1 Key Point:
The reading for this week discusses packet sniffing in both switched and non-switched environments. It explained ARP spoofing, which is done mainly through the man-in-the-middle attack where the attacker poisons the ARP cache with their own information, intercepting data between the target machines. Tools such as Ettercap and Cain were also mentioned, specifically how they highlight sensitive areas of sniffed traffic, specifically usernames and passwords.
Steps to mitigate threats from packet sniffing mentioned include detection of packet sniffers (using software), locking down the network environment (i.e., VLANs) and encryption or IPsec. The latter is the most viable.
Question:
Why is replacing insecure protocols not feasible in some settings? Do the benefits of using insecure protocols weigh more than the security risk it poses?
Article:
Security firm discovers Linux botnet that hits with 150 Gbps DDoS attacks
http://www.engadget.com/2015/09/29/linux-botnet-hits-with-150-gbps-ddos/
The Linux-based botnet spreads via malware through embedded devices and gains SSH access. It will then pull down botnet software and propagate.
The botnet is capable of driving a very high volume of traffic every minute at its targets, bringing them down as a result. Linux machines need to be hardened more than ever.
Week 6 Summary and Article
The reading for this week covered packet sniffing. The article covered aspects of sniffing switched, non-switched and wireless environments. It also talked about common applications used for sniffing as well as decryption of encrypted traffic. Some of the common methods and terminologies covered are ARP spoofing and man in the middle attacks. The article concluded by providing strategies to mitigate sniffing by either detection or locking down networks.
Articles I found interesting are:
http://www.dailydot.com/technology/tor-anonymous-os-tails-freitas/
http://thehackernews.com/2014/06/tails-operating-system-website-has-beed.html
This article is interesting because neither Tails nor Tor can stop an ISP from monitoring your company’s entry and exit nodes and selling/giving data to competing firms – provided that the ISP is willing to do this and the competitor would be willing to pay for your packets, which might have to be decrypted.
Since there is no such thing as an anonymous Internet connection, what can firms do to prevent ISPs from providing entry and exit node packets to all entities except for law enforcement? – From the perspective of a US firm conducting business in countries with corruption, lack of regulation, audits, etc.
Week 6 Reading Summary, Question, and recent Cyber Security News…
- Summarize one key point from each assigned reading…
Packet sniffing in a switched network environment will usually be implemented by a man-in-the-middle attack (active user data eavesdropping, captured by the attacking PC using software such as “Cain”). The best ways to protect against packet sniffing are the following: high encryption between PCs (SSH client software, IPsec setup within OSes), and logically segmented networks via virtual LAN implementations.
- Question to classmates (facilitates discussion) from assigned reading…
How to best secure Wi-Fi access against packet sniffing by a hacker (example: a hacker may use Wireshark software [a freeware LAN analyzer used to passively capture 802.11 packets transmitted over Wi-Fi])?
*NOTE: Answer is the following: use latest WPA2-AES (at least 256 bit encryption) with excellent passphrase (character length at least 15-characters using combo of lower-case & upper-case letters including other keyboard symbols) to better secure 802.11 based wireless network access.
- Identify, read, and post to our blog a current event article regarding ethical hacking & penetration testing (follow theme topic of the week, or other interesting related article)…
In the Cyber Security News lately (reported by eHackingNews.com on 3/30/2015)…
Security flaw in hotel Wi-Fi could allow hackers to infect guests systems with malware…
www.ehackingnews.com/2015/03/security-flaw-in-hotel-wi-fi-could.html?m=1
… A vulnerability in ANTlabs InnGate Wi-Fi devices used by hotels (remote access obtained via an unauthorized RSYNC daemon running on TCP port 873; the attacker then has R+W access within the Linux OS [can create a root-level user, install malware for hotel Wi-Fi victims to download, etc.]). How to mitigate this system vulnerability? Block unauthorized RSYNC (TCP deny on port 873).
Week 6 Takeaways
Reading Summary:
Packet sniffing can exist in a switched or non-switched environment. Packet sniffing usually arises from an internal threat and it shares the same concept as the man-in-the-middle attack, where the attacker uses various ways to re-route the network traffic from the person’s machine to his own machine. As a result, re-configuring the IT infrastructure, such as replacing hubs with newer switches, can mitigate such an attack. ARP (Address Resolution Protocol) spoofing allows a hacker to access and monitor the network traffic in a switched environment. However, there are third-party tools that allow sniffing on a switched network and alert the company of any potential threats. Packet sniffing in a non-switched environment is very popular with repeating passwords or any other significant information from the network. There are many free sniffing tools, such as “dsniff”, which is used for plaintext protocols. Even though packet sniffing continuously occurs, companies must adopt a better encryption policy. This will replace insecure protocols and mitigate any threats to its environment.
Question for the class:
Can you think of any cheaper solutions to prevent packet sniffing given the fact that encryption is very expensive and companies tend to choose speed over money (a solution/tool that allows them to encrypt data at a fast rate but not have best security in place)?
Article:
The US Securities and Exchange Commission (SEC) is investigating two former Capital One data analysts who allegedly used insider information associated with their jobs to trade stocks—in this case, a $150,000 investment allegedly turned into $2.8 million. The challenge arises when these defendants believe that the Fifth Amendment protects them and does not allow them to be compelled to turn over their mobile device passcodes. As a result of the protection against self-incrimination, Judge Mark Kearney, a federal judge in Pennsylvania, ruled that the defendants cannot be forced to divulge their smartphone passwords to the SEC.
Click here for additional information regarding this article.