1. Introduction
    1. What you should expect
      1. Topics Covered
        1. Footprinting & Reconnaissance
        2. Networking Fundamentals
        3. Cryptography
        4. Scanning & Enumeration
        5. Penetration
        6. Malware
        7. DoS
        8. Web Apps Hacking
        9. Wireless Networking
        10. Detection Evasion
        11. Programming Attacks
      2. Approach
        1. Where Possible, Hands on
        2. Theoretical where necessary
    2. What is Hacking?
      1. Early Days
        1. A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular
        2. Tech Model Railroad Club @ MIT
        3. Detailed in Steven Levy's book Hackers
      2. Morphing
        1. Robert T Morris - Morris Worm in 1988
        2. Kevin Mitnick - Various acts of computer crime over decades
      3. In popular Culture
        1. War Games
        2. Hackers
        3. Matrix movies (The Matrix Reloaded shows nmap being used)
        4. Sneakers
        5. Swordfish
        6. NCIS (regularly cracks complex crypto in minutes)
      4. What is hacking, REALLY?
        1. Deep Understanding
        2. Exploration
        3. Joy of learning new things
        4. Digging into problems to find solutions
        5. Sometimes finding problems where there weren't problems previously
    3. Why Hack?
      1. Sometimes just for fun
      2. Sometimes to make a social or political point
      3. Sometimes just for the challenge
      4. To prevent theft
      5. To get there before the bad guys
      6. To protect yourself
    4. Types of hacking
      1. Ethical Hacking = Whitehat Hacking
      2. Blackhat Hacking
      3. Gray hat Hacking
      4. Hacktivism
    5. Legal Issues Around Hacking
    6. Methodology
      1. OSSTMM 2.1
      2. Penetration Testing Methodology (OISSG)
    7. Types of Attacks
      1. Defacing
        1. Making alterations to something
        2. Primarily a web site thing
      2. Buffer Overflows
        1. Pieces of data in memory called buffers
        2. When more data is written than the buffer holds, it overflows into adjacent memory
        3. Because the stack stores return addresses next to local buffers, a buffer overflow can lead to control of program flow
      3. Format String Attacks
        1. The C programming language uses format strings (the printf family) to determine how data is input/output
        2. Passing user input directly as the format string (printf(buf) instead of printf("%s", buf)) lets attackers supply their own format directives
        3. Directives such as %x and %s can yield information off the stack being presented to the user; %n can even write to memory
      4. Denial of Service
        1. Prevents a service from being available to its legitimate authorized users
        2. SYN flood, PING flood, SMURF attack, malformed packets
      5. Distributed Denial of Service
        1. Coordinated denial of service making use of several hosts on several locations
        2. Overwhelming use of resources
        3. Often botnets
        4. Early DDoS tools (1999) included Stacheldraht (German for "barbed wire"), alongside Trinoo and TFN
    8. Skills
      1. Computing
        1. Basic understanding of OSs
        2. Understanding of basic system software
        3. Basic understanding of how to use command line
      2. Networking
        1. Cables, Switches, hubs
        2. How systems are networked
      3. Life skills
        1. Ability to accept failure & persevere
        2. Ability to problem solve
        3. Ability to be creative
        4. Ability to think out of the box
    9. Penetration testing
      1. Testing to see if you can get in
      2. This may involve social engineering
      3. Technical approach
      4. Physical access
      5. Goal
        1. Assessing weaknesses in a security posture
        2. Understanding risk position better
        3. Accessing systems to find weaknesses
      6. Results
        1. Report detailing findings
        2. Should include remediation activities to fix vulnerabilities
      7. Scope
        1. How big is the breadbox?
        2. Any exclusions? Any areas of no-touch?
        3. Must get sign-off from the target organization
        4. Always get approval from the RIGHT people
    10. Security Assessment
      1. Hand-in-hand approach
      2. Goal isn't to penetrate but to fully assess risk
      3. Provide more detail about fixes
      4. May look at process issues in addition to technical issues
      5. Review policies where appropriate
  2. Footprinting & Reconnaissance
    1. What is footprinting
      1. Domain names
      2. Network blocks
      3. Specific IP for critical systems
        1. Web server
        2. email server
        3. Databases
      4. System architecture
        1. Intel
        2. Windows
        3. UNIX
      5. Access Control Lists
        1. port scans
      6. IDS
      7. System enumeration
        1. User names
        2. group names
      8. System banners
        1. Routing tables
        2. SNMP info
        3. DNS hostnames
      9. Networking protocols
        1. TCP/IP
        2. IPX/SPX
        3. Appletalk
        4. Internal DNS
      10. Remote access possibilities
        1. VPN
        2. Dialup
      11. Extranet
        1. Connection point
        2. Access control
        3. Public or private?
    2. History lessons :Way back Machine
      1. Archive.org/web/web.php
      2. netcraft.com
    3. Using resources (job postings and profiles reveal technologies in use)
      1. www.monster.com
      2. LinkedIn
    4. Using Whois Lookups
      1. Regional Internet Registries
        1. ARIN
        2. LACNIC
        3. RIPE NCC
        4. AFRINIC
        5. APNIC
      2. ex : whois 129.35.47.17
      3. ex : whois -h whois.arin.net 129.35.47.17
      4. ex : whois infiniteskills.com
      5. geektools.com
      6. Whois for windows (download it)
    5. Using DNS to Extract information
      1. nslookup
      2. host
      3. dig
    6. Finding Network Ranges
    7. Hacking Google
      1. "index of/"
      2. +
      3. filetype:config
      4. allintitle:sensitive
      5. inurl
      6. intext
    8. Mining For Information Using Google
      1. intitle:error intext:mysql
      2. intext:apache/2
  3. Networking Fundamentals
    1. History of TCP/IP
      1. The Internet began in 1969
        1. ARPA commissioned a network in 1968
        2. BBN
        3. First connection was in 1969
      2. First Protocols
        1. 1822 protocol named for BBN Report 1822 defining communications
        2. Network Control Program took over afterwards
        3. NCP consisted of Arpanet Host-Host Protocol and initial Connection Protocol
      3. First Router
        1. Interface Message Processor
        2. Ruggedized Honeywell computer with special interfaces & software
      4. Birth of IP
        1. In 1973, Vinton Cerf & Robert Kahn reworked the existing ideas
        2. By 1974, a paper had been published proposing new protocols
        3. Proposed a central protocol called TCP
        4. Later; TCP was broken into TCP & IP
      5. Getting to V4
        1. Between 1977 and 1979, versions 0 to 3 were in use
        2. V4 became the de facto protocol on the internet in 1983 when NCP was finally shut down
        3. in 1992, work began on IP Next Generation
        4. IPng became IPv6
      6. IPv6 vs IPv4
        1. IPv6 has 128 bit addresses
        2. IPv4 has 32 bit addresses
        3. IPv6 attempted to fix some of the inherent issues in IP
    2. Using WIRESHARK
    3. OSI & TCP/IP Models
      1. OSI
        1. Application
        2. Presentation
        3. Session
        4. Transport
        5. Network
        6. Data Link
        7. Physical
      2. TCP/IP
        1. Application Layer
        2. Transport Layer
        3. Internet Layer
        4. Network Access layer
    4. Addressing
      1. IP Address -- 192.168.1.24
      2. 4 octets (each octet separated by a dot)
      3. Each octet is 8 bits
      4. Each octet ranges from 0 to 2^8 - 1, i.e. 0 to 255
      5. Subnet mask -- 255.255.255.0
      6. 192.168.1 = Network portion
      7. .24 = Host Portion
      8. .0 = Network Address
      9. .255 = Broadcast address
      10. .1 - .254 available for hosts, so 254 host addresses available in this subnet (256 minus the network and broadcast addresses)
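A worked subnet calculation, added here as an example and not part of the original course notes. It packs the dotted-quad address and mask into 32-bit integers, derives the network and broadcast addresses with AND/OR on the host bits, counts the usable hosts (the "minus two" only applies when there are at least two host bits; /31 and /32 are handled separately), and cross-checks the result against Python's standard ipaddress module. The sample addresses are constructed.

```python
"""Added example (not from the course notes): derive the network, broadcast
and usable host range of an IPv4 address/mask pair with plain bit arithmetic,
then cross-check against the standard-library ipaddress module."""
import ipaddress


def to_int(dotted: str) -> int:
    """Pack a dotted-quad string into a 32-bit integer (each octet is 8 bits)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(n: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_info(address: str, mask: str) -> dict:
    """Network address, broadcast address, first/last usable host and host count."""
    addr, msk = to_int(address), to_int(mask)
    # A valid mask is a run of 1 bits followed by a run of 0 bits.
    prefix = bin(msk).count("1")
    if msk != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask}")
    network = addr & msk                        # host bits cleared
    broadcast = network | (~msk & 0xFFFFFFFF)   # host bits set
    host_bits = 32 - prefix
    # The usual "minus two" (network + broadcast) only applies with >= 2 host bits;
    # a /31 point-to-point link uses both addresses and a /32 is a single host.
    usable = (2 ** host_bits - 2) if host_bits >= 2 else 2 ** host_bits
    first = network + 1 if host_bits >= 2 else network
    last = broadcast - 1 if host_bits >= 2 else broadcast
    return {
        "prefix": prefix,
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(first),
        "last_host": to_dotted(last),
        "usable_hosts": usable,
    }


def cross_check(address: str, mask: str) -> bool:
    """True when the hand calculation agrees with ipaddress for the same input."""
    info = subnet_info(address, mask)
    net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
    return (info["network"] == str(net.network_address)
            and info["broadcast"] == str(net.broadcast_address))


if __name__ == "__main__":
    # Constructed sample inputs.
    for ip, m in (("192.168.1.24", "255.255.255.0"), ("10.20.30.40", "255.255.254.0")):
        print(ip, m, subnet_info(ip, m), cross_check(ip, m))
```

Running it for 192.168.1.24 with mask 255.255.255.0 gives network 192.168.1.0, broadcast 192.168.1.255 and 254 usable hosts, the numbers the notes above work out by hand; the /23 case shows the same arithmetic when the boundary does not fall on an octet.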
    5. UDP
    6. TCP
    7. Services
      1. ls /etc/init.d
    8. Using Wireshark for Deep Analysis
      1. Telephony
      2. Statistics
      3. Decode as
      4. Follow TCP stream
    9. DHCP
    10. ARP
  4. Cryptography
    1. History
      1. Caesar Cipher
        1. Rotation Cipher
        2. Two rows of letters in alphabetical order, second row is shifted
      2. Enigma Cipher
        1. Germans developed a cipher and a machine to encrypt & decrypt messages
        2. Lots of energy was spent trying to decrypt the messages
        3. Alan Turing, famous mathematician & computer scientist was involved in breaking
      3. Digital Encryption Standard
        1. The National Bureau of Standards (now NIST) issued a call for a national Data Encryption Standard
        2. In 1977 IBM's submission, based on its Lucifer cipher, was published as DES (FIPS 46)
      4. 3 DES
        1. 56 bit key for DES was inadequate
        2. To buy time until a replacement was ready, 3DES was developed
        3. Uses 3 keys
          1. First Key used to encrypt plaintext
          2. Second key used to decrypt the ciphertext from first round
          3. Third key used to encrypt the ciphertext from the second step
      5. Advanced Encryption Standard
        1. Again, NIST requested proposals to replace the Data Encryption Standard
        2. In 2001, NIST selected an algo called Rijndael to become the Advanced Encryption Standard
        3. Supports multiple key lengths
    2. Types of Cryptography
      1. Symmetric (one shared key encrypts and decrypts)
        1. cat text.txt
        2. aescrypt -e -p password text.txt
        3. ls text*
        4. text.txt text.txt.aes
      2. Asymmetric (public key encrypts, private key decrypts)
        1. openssl genrsa -des3 -out private.key 4096
        2. openssl rsa -in private.key -pubout -out public.key
        3. openssl rsautl -encrypt -pubin -inkey public.key -in text.txt -out encrypted.txt
    3. Public Key Cryptography
    4. PGP
    5. Certificates
      1. Validate your identity
      2. Encrypt
    6. Hashing
      1. One way function
      2. Used in
        1. File integrity
        2. Hashing Passwords
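An added example (not from the original notes) for both uses listed above, using only the Python standard library. File integrity: a SHA-256 digest over constructed sample bytes, showing that changing one byte produces an unrelated digest. Password storage: a per-user random salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256) instead of a bare fast hash, verified with a constant-time comparison rather than a plain `==`. The record layout `pbkdf2_sha256$rounds$salt$hash` is an assumption of this example, not a standard.

```python
"""Added example (not from the course notes): one-way hashes for file
integrity and for password storage, standard library only."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample "file" contents for the integrity demo; one byte differs.
ORIGINAL = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
TAMPERED = b"GET / HTTP/1.1\r\nHost: example.tesT\r\n\r\n"


def sha256_hex(data: bytes) -> str:
    """Digest of an in-memory blob, fed in chunks as you would a real file."""
    h = hashlib.sha256()
    for i in range(0, len(data), 4096):
        h.update(data[i:i + 4096])
    return h.hexdigest()


PBKDF2_ROUNDS = 600_000   # cost factor: makes every guess expensive for an attacker


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$rounds$salt_hex$hash_hex' (layout assumed here).
    A fresh 16-byte salt per password means two users with the same password
    get different records and precomputed (rainbow) tables are useless."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare without leaking timing."""
    try:
        algo, rounds, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), hash_hex)


if __name__ == "__main__":
    print(sha256_hex(ORIGINAL))
    print(sha256_hex(TAMPERED))
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("Tr0ub4dor&3", record))
```

The same one-way property serves both cases: nothing in the digest lets you recover the input, so a tampered file is caught by a mismatch and a stolen password table still has to be brute-forced one expensive guess at a time.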
    7. Ciphers
      1. DES : Data Encryption Standard
        1. Developed by IBM in the 1970s
        2. Originally a cryptographic cipher named Lucifer
        3. NSA requested changes
        4. Concern over changes ... controversy over whether NSA had requested a backdoor (the S-box changes were later shown to resist differential cryptanalysis, but the key was shortened to 56 bits)
        5. Technical Details
          1. 56 bit keys
          2. Block cipher
          3. Uses 64 bit blocks
        6. DES Cracked
          1. In 1998, the EFF's purpose-built Deep Crack machine recovered a DES key in 56 hours (under 3 days)
          2. In 1999, Deep Crack working with distributed.net's network of tens of thousands of desktop systems recovered a DES key in just over 22 hours
      2. Triple DES
        1. DES algo used three times
        2. K1 is used to encrypt a message (P) resulting in ciphertext C1
        3. K2 is used to decrypt C1 resulting in ciphertext C2
        4. K3 is used to encrypt C2 resulting in ciphertext C3 (encrypt-decrypt-encrypt, so K1 = K2 = K3 degenerates to plain DES)
        5. Technical Details
          1. Three 56-bit keys
          2. Nominal key length of 168 bits, but effective security of about 112 bits because of meet-in-the-middle attacks
      3. AES : Advanced Encryption Standard
        1. NIST requested proposal for AES
        2. In 2001, NIST published an algo called Rijndael as AES
        3. AES Technical Specifications
          1. Rijndael specifies variable block sizes and key lengths, multiples of 32 bits from 128 to 256
          2. AES specifies a fixed 128 bit block size but key lengths of 128, 192 & 256 bits
    8. SSL & TLS
    9. SSH
      1. Encrypted replacement for Telnet (remote shell), also used for file transfer (scp/sftp) and tunneling
    10. Disk Encryption
      1. BitLocker
        1. Windows Ultimate
        2. Windows Enterprise
      2. FileVault
        1. Mac
      3. TrueCrypt (discontinued in 2014; VeraCrypt is its successor)
    11. Cryptographic Analysis
  5. Scanning & Enumeration
    1. Types of Scans
      1. Ping
      2. sudo nmap -sT 192.168.1.0/24
      3. Vulnerability Scan
      4. Port Scanners
    2. Using Nmap
      1. It's a port scanner
      2. sudo nmap -p0-65535 -sS -O -v 192.168.1.0/24
    3. Other Types of Scans
      1. Idle scan
      2. -sX scan
      3. -sF Scan
    4. Using hping and its uses
    5. packeth
    6. War Dialing
      1. www.iss.net
      2. www.thc.org
    7. IDS Evasion
      1. Use packeth
      2. IP spoofing
      3. Fragmented Packets
      4. Nikto
    8. Banner Grabbing
      1. telnet
      2. netcat
      3. dig mx
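An added example (not from the original notes) that does by hand what `nmap -sT` and a `netcat` or `telnet` banner grab do: it starts a throwaway TCP listener on 127.0.0.1 that sends a constructed SSH-style greeting, runs a connect scan (a full three-way handshake per port, so it needs no raw-socket privileges but is logged by the target), and then grabs the banner from the open port. Everything runs offline on the loopback interface; the fake service and its banner text are constructed for the demo.

```python
"""Added example (not from the course notes): a TCP connect scan and a
banner grab written by hand, run against a throwaway loopback listener."""
import socket
import threading
from typing import Dict, List, Optional

# Constructed banner for the throwaway listener (imitates an SSH greeting).
FAKE_BANNER = b"SSH-2.0-ExampleSSH_1.0\r\n"


def start_fake_service(banner: bytes = FAKE_BANNER) -> int:
    """Bind a listener on an ephemeral loopback port, send `banner` to each
    client that connects, and return the port. Runs in a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass   # scanner may already have hung up (connect-and-close)

    threading.Thread(target=serve, daemon=True).start()
    return port


def connect_scan(host: str, ports: List[int], timeout: float = 0.5) -> Dict[int, str]:
    """Classify each port as 'open' (handshake completed), 'closed' (RST, i.e.
    connection refused) or 'filtered' (no answer before the timeout)."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))          # full SYN / SYN-ACK / ACK
                results[port] = "open"
            except ConnectionRefusedError:       # must precede OSError: it is a subclass
                results[port] = "closed"
            except (socket.timeout, OSError):
                results[port] = "filtered"
    return results


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[bytes]:
    """Connect and read whatever the service volunteers first, like `nc host port`."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return s.recv(1024).strip() or None
        except (socket.timeout, OSError):
            return None


if __name__ == "__main__":
    p = start_fake_service()
    print(connect_scan("127.0.0.1", [p - 1, p, p + 1]))
    print(grab_banner("127.0.0.1", p))
```

The banner is the cheapest enumeration data there is: it names the product and often the version, which is what the vulnerability scanners listed next key on, and it is also why hardened services trim or falsify their greetings.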
    9. Vulnerability Scanning
      1. Nessus
      2. Nexpose
      3. QualysGuard
    10. Enumeration Techniques
      1. Banner Grabbing
      2. Net view (On windows)
    11. SNMP
      1. snmpwalk -v 1 -c public 192.168.1.12 (default community string "public" is a common finding)
      2. iReasoning MIB browser
    12. LDAP
    13. Using Proxies
    14. Tor & Anonymizers
    15. Tunneling
  6. Penetration
    1. Goals
      1. Depends on the needs of your target
      2. A malicious attacker will have specific goals: access, information, persistent access & control
    2. Access
      1. Could you break in?
      2. How easy was it?
      3. Can you repeat it?
      4. How?
    3. Information
      1. Usernames
      2. Passwords
      3. Information about other systems
      4. Credentials for other systems
      5. Credit card numbers, etc.
    4. Persistent Access
      1. Can log in any time
      2. May involve back doors, depending on the channel used
    5. Control
      1. Participation in botnet
      2. Use as a leaping off point to other systems
      3. Access to internal systems as needed
      4. Could be used as tunnel point to other systems
  7. Viruses, Trojans ...
    1. Definitions & History
      1. History
        1. 1947 - First bug is found - a moth inside a system causing a system failure
        2. 1961 - Researchers at Bell Labs create a game where programs can kill other progras
        3. 1971 - Creeper virus on the ARPANet
        4. 1974 - Rabbit virus on the ARPANet
      2. PC History
        1. 1982 - Elk Cloner on the Apple2. Boot sector virus
        2. 1986 - Brain virus. Worldwide. First IBM PC-based virus
        3. 1987 - Vienna virus. First virus to destroy data
        4. 1989 - IBM introduces Viruscan. First commercial Antivirus offering
      3. Virus
        1. First Theoretical work done in 1947
        2. Self-replicating - can make copies of itself and find new hosts to move to by doing so
        3. May or may not be destructive in nature
        4. Uses other programs (attached)
      4. Worm
        1. Also self-replicating
        2. Standalone
      5. Trojan Horse
        1. Malicious software that looks like something else
      6. Root Kit
        1. Hides the existence of certain other types of software
        2. May be used to maintain privileged access to a system
    2. Detection Of Malware
    3. Anti-virus Evasion
      1. Make a unique backdoor
      2. Encode it
    4. Deployment of Malware
    5. Windows ADS (Alternate Data Streams) & Hiding Malware
    6. Debugging
      1. OllyDbg
      2. Immunity
    7. Packing and Automated A V Maker Tools
      1. Free UPX
  8. DoS
    1. What is DoS / DDoS
    2. Cyber Crime
    3. Botnets
      1. Zeus
      2. Tribe Flood Network (TFN)
    4. Attack Countermeasures
  9. Web Apps Hacking
    1. Web Apps Testing?
      1. Burp Suite Pro
    2. Web App Architecture
    3. Web Testing Tools
      1. Burp Suite Pro
      2. ZAP
      3. Addons (Browser)
    4. Cross Site Scripting
    5. SQL Injection
    6. Cross Site Request Forgery
    7. Session Hijacking And Attacks And Cookies
    8. Password Attacks
    9. Encoding
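An added example (not from the original notes) for the SQL injection item above, against an in-memory SQLite database with constructed users. `login_vulnerable` splices attacker input into the SQL text, so the classic `' OR '1'='1` payload (or `alice' --`, which comments out the password check) logs in without the password; `login_safe` sends the same values as bound parameters, and the identical payloads simply fail to match.

```python
"""Added example (not from the course notes): SQL injection in a login check,
with the string-built query beside the parameterised fix."""
import sqlite3

# Constructed sample data; passwords are stored in clear here only to keep the
# injection visible (the hashing section covers how they should be stored).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Attacker-controlled text is pasted straight into the SQL statement, so a
    # quote in the input ends the string literal and the rest becomes SQL.
    sql = ("SELECT 1 FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def login_safe(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the values travel separately from the statement text, so
    # quotes or comment markers in the input can never change the query's structure.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


# Two classic payloads: a tautology in the password field, and a comment marker
# in the username field that truncates the statement before the password check.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_COMMENT = "alice' --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "alice", "s3cret"),
          login_vulnerable(db, "alice", PAYLOAD_TAUTOLOGY),
          login_vulnerable(db, PAYLOAD_COMMENT, "anything"))
    print("safe:      ", login_safe(db, "alice", "s3cret"),
          login_safe(db, "alice", PAYLOAD_TAUTOLOGY),
          login_safe(db, PAYLOAD_COMMENT, "anything"))
```

With the tautology payload the vulnerable statement becomes `... AND password = '' OR '1'='1'`, which is true for every row; the parameterised version asks the database for a user whose password is literally the string `' OR '1'='1` and gets nothing back. That structural separation, not input filtering, is the fix.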
  10. Wireless Networking
    1. Wireless Networking
    2. Encryption Techniques
      1. WEP
      2. WPA
      3. WPA2
    3. Hotspots
    4. Breaking WEP
      1. sudo airmon-ng
        1. Shows the wireless interfaces installed on the system
      2. sudo airmon-ng start wlan0
      3. sudo airodump-ng mon0
      4. aircrack-ng
    5. Rogue Access Points And Attacks
    6. Wireless Sniffing
    7. Protecting Wireless Networks
      1. Change the SSID to some random letters
      2. Disable the SSID broadcast
      3. MAC authentication
      4. The three above only deter casual users (a sniffer reveals both the SSID and valid MAC addresses); WPA2 with a strong passphrase is the actual protection
  11. Detection Evasion
    1. Evasion
      1. What is Evasion
        1. Evade - get away from something
        2. Evasion is to avoid getting caught
        3. Might want to avoid a firewall or an intrusion detection system
      2. Using Evasion
        1. Lots of different techniques
        2. Log alteration
        3. Hiding amidst noise
      3. Why?
        1. Avoiding detection
        2. Similar strategies to malicious attackers
        3. If you can avoid detection (evade) it exposes additional weaknesses
    2. Steganography
      1. Hiding info in something else
      2. steghide (linux)
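Added example (not from the original notes) of the core trick steghide and similar tools use: least-significant-bit (LSB) embedding. Each payload bit replaces the lowest bit of one cover byte (think one colour channel of one pixel), so no cover byte changes by more than 1, and a 4-byte length header tells the extractor where the message ends. The cover buffer is constructed to stand in for a raw pixel array; real tools additionally encrypt the payload and scatter the bit positions with a passphrase, because plain sequential LSB writes are detectable statistically.

```python
"""Added example (not from the course notes): least-significant-bit
steganography over a constructed byte buffer standing in for raw pixel data."""
from typing import Iterator


def _bits(data: bytes) -> Iterator[int]:
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(cover: bytes, payload: bytes) -> bytes:
    """Hide payload inside cover, one payload bit per cover byte."""
    framed = len(payload).to_bytes(4, "big") + payload      # length header first
    if len(framed) * 8 > len(cover):
        raise ValueError("cover too small: need %d bytes" % (len(framed) * 8))
    out = bytearray(cover)
    for idx, bit in enumerate(_bits(framed)):
        out[idx] = (out[idx] & 0xFE) | bit     # clear the LSB, then set it to the payload bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the 32-bit length header, then exactly that many bytes, from the LSBs."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        value = 0
        for i in range(count * 8):
            value = (value << 1) | (stego[start_bit + i] & 1)
        return value.to_bytes(count, "big")
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_byte_change(cover: bytes, stego: bytes) -> int:
    """How far any single cover byte moved: always 0 or 1 for LSB embedding."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: pretend this is the raw RGB buffer of a 20x20 image.
COVER = bytes((i * 37) % 256 for i in range(20 * 20 * 3))


if __name__ == "__main__":
    secret = b"meet at the old mill, 2300"      # constructed payload
    stego = embed(COVER, secret)
    print(extract(stego), max_byte_change(COVER, stego))
```

Because the cover's visible content is untouched, detection has to come from statistics (the LSB plane of a real photo is not uniformly random the way an embedded ciphertext is), which is why evasion and detection in this area are both about how the bits are spread, not whether the picture looks right.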
  12. Programming Attacks
    1. Stacks & Heaps
    2. Buffer Overflows
    3. Protecting against BO Attacks
    4. Format String
    5. Decompilation
    6. Reverse Engineering