Hands-On Ethical Hacking and Network Defense

Chapter 1: Ethical Hacking Overview
Last modified 12-14-16 -jw

Objectives
  Describe the role of an ethical hacker
  Describe what you can do legally as an ethical hacker
  Describe what you cannot do as an ethical hacker

Introduction to Ethical Hacking

Introduction to Ethical Hacking
  Ethical hackers
    Employed by companies to perform penetration tests
  Penetration test
    Legal attempt to break into a company's network to find its weakest link
    Tester only reports findings, does not solve problems

Introduction to Ethical Hacking
  Vulnerability assessment
    Tester attempts to enumerate all vulnerabilities found in an application or on a system
  Security test
    More than an attempt to break in; also includes analyzing the company's security policy and procedures
    Tester offers solutions to secure or protect the network

The Role of Security and Penetration Testers
  Hackers
    Access a computer system or network without authorization
    Break the law; can go to prison
  Crackers
    Break into systems to steal or destroy data
    U.S. Department of Justice calls both hackers
  Ethical hacker
    Performs most of the same activities, but with the owner's permission

The Role of Security and Penetration Testers
  Script kiddies or packet monkeys
    Young, inexperienced hackers
    Copy code and techniques from knowledgeable hackers
  Experienced penetration testers write programs or scripts using these languages
    Practical Extraction and Report Language (Perl), C, C++, Python, Ruby, JavaScript, Visual Basic, SQL, and many others
  Script
    Set of instructions that runs in sequence to perform tasks

The Role of Security and Penetration Testers
  Hacktivist
    A person who hacks computer systems for political or social reasons
  Penetration testers usually have:
    A laptop computer with multiple OSs and hacking tools

The Role of Security and Penetration Testers
  Job requirements for a penetration tester might include:
    Perform vulnerability, attack, and penetration assessments in intranet and wireless environments
    Perform discovery and scanning for open ports
    Apply appropriate exploits to gain access
    Participate in activities involving application penetration
    Produce reports documenting discoveries
    Debrief with the client at the conclusion

It Takes Time to Become a Hacker
  This class alone won't make you a hacker, or an expert
    It might make you a script kiddie
  It usually takes years of study and experience to earn respect in the hacker community
  It's a hobby, a lifestyle, and an attitude
    A drive to figure out how things work

The Role of Security and Penetration Testers
  Penetration testers usually have:
    A laptop computer with multiple OSs and hacking tools
  Tiger box
    Collection of OSs and hacking tools
    Usually on a laptop
    Helps penetration testers and security testers conduct vulnerability assessments and attacks

Penetration-Testing Methodologies
  White box model
    Tester is told everything about the network topology and technology
      Network diagram
    Tester is authorized to interview IT personnel and company employees
    Makes the tester's job a little easier

Network Diagram
  From ratemynetworkdiagram.com

This is a Floor Plan
  Figure 1-1 A sample floor plan

Penetration-Testing Methodologies
  Black box model
    Company staff does not know about the test
    Tester is not given details about the network
      Burden is on the tester to find these details
    Tests whether security personnel are able to detect an attack

Penetration-Testing Methodologies
  Gray box model
    Hybrid of the white and black box models
    Company gives the tester partial information

Certification Programs

Certification Programs for Network Security Personnel
  Basics:
    Windows and Linux skills
    Network+ or Cisco CCNA
    CompTIA Security+

Certified Ethical Hacker (CEH)
  Need additional: Advanced Ethical Hacking

Certified Ethical Hacker
  Developed by the International Council of Electronic Commerce Consultants (EC-Council)
  Based on 22 domains (subject areas)
  Web site: www.eccouncil.org
  Most likely to be placed on a team that conducts penetration tests
    Called a Red team
    Conducts penetration tests
    Composed of people with varied skills
    Unlikely that one person will perform all tests

Offensive Security Certified Professional (OSCP)
  An advanced certification that requires students to demonstrate hands-on abilities to earn their certificates
  Covers network and application exploits
  Gives students experience in developing rudimentary buffer overflows, writing scripts to collect and manipulate data, and trying exploits on vulnerable systems

OSSTMM Professional Security Tester (OPST)
  Designated by the Institute for Security and Open Methodologies (ISECOM)
  Based on the Open Source Security Testing Methodology Manual (OSSTMM)
    Written by Peter Herzog
  Five main topics (i.e., professional, enumeration, assessments, application, and verification)
  Web site: www.isecom.org

Certified Information Systems Security Professional (CISSP)
  Issued by the International Information Systems Security Certifications Consortium (ISC2)
  Tests security-related managerial skills
    Usually more concerned with policies and procedures than technical details
  Consists of ten domains
  Web site: www.isc2.org

SANS Institute
  SysAdmin, Audit, Network, Security (SANS) Institute
  Offers training and IT security certifications through Global Information Assurance Certification (GIAC)
  Top 25 Software Errors list
    One of the most popular SANS Institute documents
    Details the most common network exploits
    Suggests ways of correcting vulnerabilities
  Web site: www.sans.org

Which Certification is Best?
  Penetration testers and security testers
    Need technical skills to perform duties effectively
    Must also have:
      A good understanding of networks and the role of management in an organization
      Skills in writing and verbal communication
      Desire to continue learning
  Danger of certification exams
    Some participants simply memorize terminology
    Don't have a good grasp of the subject matter

What You Can Do Legally

What You Can Do Legally
  Laws involving technology change as rapidly as technology itself
  Find out what is legal for you locally
    Laws change from place to place
  Be aware of what is allowed and what is not allowed

Laws of the Land
  Tools on your computer might be illegal to possess
    Contact local law enforcement agencies before installing hacking tools
  Laws are written to protect society
    Written words are open to interpretation
  Governments are getting more serious about punishment for cybercrimes
  US state law summary: http://www.irongeek.com/i.php?page=computerlaws/state-hacking-laws

The Security Circus & DoS Attacks
  Recent Hacking Cases

http://www.theonion.com/articles/after-checking-your-bank-account-remember-to-log-o,32260/?ref=auto

Namecheap Hit by 100 Gbps DDoS Attack (February 20, 2014)
  Webhosting company Namecheap says it was targeted by a huge 100 Gbps distributed denial-of-service (DDoS) attack. Namecheap said the attack bombarded its DNS servers with traffic measured at up to 100 Gbps.
  http://news.cnet.com/8301-1009_3-57619235-83/namecheap-targeted-in-monumental-ddos-attack/
  http://www.csoonline.com/article/748570/namecheap-fends-off-ddos-attack-restores-services

KrebsOnSecurity Hit With 600+ Gbps DDoS
  The KrebsOnSecurity website was targeted by a huge 620 Gbps distributed denial-of-service (DDoS) attack.
  https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

150,000 IoT Devices Abused for Massive 1.5 Tbps DDoS Attacks on OVH
  The hosting provider OVH continues to be targeted by massive distributed denial-of-service (DDoS) attacks powered by a large botnet capable of generating significant attack traffic.
  http://www.securityweek.com/150000-iot-devices-abused-massive-ddos-attacks-ovh

Recent Credit Card Reader Hacks
  2013: Target
  2014: Home Depot, Michael's Craft Stores, Goodwill, Dairy Queen, Jimmy John's, UPS Stores, Jewel Grocery Stores, Staples
  http://money.cnn.com/2015/04/29/technology/credit-card-machine-hack/

Recent Credit Card Reader Hacks
  2015: Trump Hotels, Sally Beauty
  http://www.nytimes.com/interactive/2015/07/29/technology/personaltech/what-parts-of-your-information-have-been-exposed-to-hackers-quiz.html
  http://money.cnn.com/2015/04/29/technology/credit-card-machine-hack/

Wikileaks
  Published <1000 US Gov't diplomatic cables from a leak of 250,000
  Distributed an encrypted "Insurance" file by BitTorrent
    Widely assumed to contain the complete, uncensored leaked data
    Encrypted with AES-256--no one is ever getting in there without the key
  Key to be released if Assange is jailed or killed
  Since June 2012, he has been inside the Ecuadorian embassy in London, where he has been granted diplomatic asylum.

NSA Backdoors Cisco and Juniper
  http://www.theprohack.com/2014/01/Cisco-Exploits-Juniper-Exploits-hack-firewalls-router-exploits-hacked-by-NSA-prohack.html

SSL / TLS Vulnerabilities
  SSL Strip
  The Beast
  Heartbleed
  Shellshock
  SSL 3.0 Poodle
    http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

Hacktivism
  Act of hacking, or breaking into a computer system, for a politically or socially motivated purpose

Anonymous
  http://www.indybay.org/newsitems/2011/08/16/18687809.php

Operation Payback
  4chan's Anonymous group
  Attacked Scientology websites in 2008
  Attacked the RIAA and other copyright defenders
    Using the Low Orbit Ion Cannon with HiveMind (DDoS)
    "Opt-in Botnet"

HB Gary Federal
  Aaron Barr
    Developed a questionable way to track people down online
      By correlating Twitter, Facebook, and other postings
    Announced in the Financial Times that he had located the "leaders" of Anonymous and would reveal them in a few days

HB Gary Federal
  In 2011, HBGary Federal's CEO Aaron Barr found his e-mail hacked, and 50,000 internal business messages posted online, an event that led to Barr stepping down from the company. The hackers from the LulzSec group detailed how they exploited weak passwords and unpatched servers at HBGary Federal, but they were eventually caught, among them Jake Davis, who confessed to the crime in a London court.

Social Engineering & SQLi
  http://tinyurl.com/4gesrcj

Leaked HB Gary Emails
  For Bank of America
    Discredit Wikileaks
    Intimidate journalist Glenn Greenwald
  For the Chamber of Commerce
    Discredit the watchdog group US Chamber Watch
    Using fake social media accounts
  For the US Air Force
    Spread propaganda with fake accounts
  http://tinyurl.com/4anofw8

Drupal Exploit

OpBART
  Dumped thousands of commuters' email addresses and BART passwords on the Web
    http://www.djmash.at/release/users.html
  Defaced MyBart.org
    http://www.dailytech.com/Anonymous%20Targets%20Californias%20Infamous%20BART%20Hurts%20Citizens%20in%20the%20Process/article22444.htm

Booz Allen Hamilton
  "LulzSec" hacked it in July 2011
  Dumped 150,000 US military email addresses & passwords
  http://www.forbes.com/sites/andygreenberg/2011/07/11/anonymous-hackers-breach-booz-allen-hamilton-dump-90000-military-email-addresses/

Booz Allen Hamilton
  Government contractor Booz Allen Hamilton was supposed to be providing security support for the National Security Agency, but was shocked to discover last June that one of its contractors, Edward Snowden, had leaked reams of top-secret NSA information to the press.

Missouri Sheriff's Association
  Hacked by AntiSec, another part of Anonymous
  Published credit cards, informant personal info, police passwords, and more
  https://vv7pabmmyr2vnflf.tor2web.org/

Th3j35t3r
  "Hacktivist for Good"
  Claims to be ex-military
  Originally performed DoS attacks on Jihadist sites
    Bringing them down for brief periods, such as 30 minutes
  Announces his attacks on Twitter, discusses them on a blog and live on irc.2600.net

Th3j35t3r v. Wikileaks
  He brought down Wikileaks single-handed for more than a day

Wikileaks Outage
  One attacker, no botnet???

Westboro Baptist Outage
  4 sites held down for 8 weeks
  From a single 3G cell phone???

LulzSec
  The "skilled" group of Anons who hacked:
    US Senate
    AZ Police
    Pron.com
    Booz Hamilton
    Sony
    NATO
    Infragard
    The Sun
    PBS
    Fox News
    H B Gary Federal
    Game websites

Ryan Cleary
  Arrested June 21, 2011
  Accused of DDoSing the UK's Serious Organised Crime Agency
    http://www.dailymail.co.uk/news/article-2007345/Ryan-Cleary-Hacker-accused-bringing-British-FBI-site.html
  Released June 2013
    http://www.informationweek.com/security/attacks/lulzsec-hacker-ryan-cleary-to-be-release/240156590

T-Flow
  Arrested July 19, 2011
  http://www.foxnews.com/scitech/2011/07/19/leading-member-lulzsec-hacker-squad-arrested-in-london/

LulzSec spokesman Topiary
  Arrested on 7-27-11
    http://www.dailymail.co.uk/news/article-2021332/Free-Radicals-The-Secret-Anarchy-Science-sales-rocket-Jake-Davis-seen-clutching-copy.html
  Released from prison
    http://www.theregister.co.uk/2013/06/25/former_lulzsec_spokesman_davis_released_from_jail/

http://mpictcenter.blogspot.com/2011/08/how-i-out-hacked-lulzsec-member.html

Stay Out of Anonymous
  http://mpictcenter.blogspot.com/2011/08/stay-out-of-anonymous.html

Sabu, LulzSec co-founder
  Hacker "God" to "Snitch", pleads guilty August 2011
  http://www.dailytech.com/Betrayed+by+Their+Chief+LulzSec+Don+Helps+FBI+Take+Down+his+Underlings/article24175.htm
  Served 7 months in prison

Sony aftermath
  http://www.cnet.com/news/sony-agrees-to-settle-psn-hack-lawsuit-with-freebies/

Layer 4 DDoS
  Many Attackers – One Target
  Bandwidth Consumption

Companies that Refused Service to Wikileaks
  Amazon
  Paypal
  Mastercard
  Visa
  Many others

Low Orbit Ion Cannon
  Primitive DDoS attack, controlled via IRC
  Sends thousands of packets per second from the attacker directly to the target
    Like throwing a brick through a window
  Takes thousands of participants to bring down a large site
    They tried but failed to bring down Amazon
  http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon

Low Orbit Ion Cannon

Operation Payback v. Mastercard
  December 2012
  Brought down Visa, Mastercard, and many other sites
  Easily tracked, and easily blocked
    High bandwidth, cannot be run through an anonymizer
  Dutch police have already arrested two participants

Mastercard Outage
  3,000 to 30,000 attackers working together

Operation Megaupload
  In retaliation for the shutdown of the file sharing service Megaupload and the arrest of four workers, Anonymous DDoSed the websites of UMG, the United States Department of Justice, the United States Copyright Office, the FBI, the MPAA, Warner Brothers Music and the RIAA, and HADOPI, all on the afternoon of January 19, 2012

http://news.softpedia.com/news/Anonymous-Initiates-Operation-Wall-Street-Threatens-to-Dox-CEOs-and-Executives-333425.shtml

Layer 7 DoS
  One Attacker – One Target
  Exhausts Server Resources

Layer 7 DoS
  Subtle, concealable attack
  Can be routed through proxies
  Low bandwidth
  Can be very difficult to distinguish from normal traffic

HTTP GET

SlowLoris
  Sends incomplete GET requests
  Freezes Apache with one packet per second

R-U-Dead-Yet
  Incomplete HTTP POSTs
  Stops IIS, but requires thousands of packets per second
  http://code.google.com/p/r-u-dead-yet/

Keep-Alive DoS
  HTTP Keep-Alive allows 100 requests in a single connection
  HEAD method saves resources on the attacker
  Target a page that is expensive for the server to create, like a search
  http://www.esrun.co.uk/blog/keep-alive-dos-script/
  A PHP script: keep-dead.php
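The SlowLoris, R-U-Dead-Yet and Keep-Alive slides all describe a server being starved of worker slots rather than bandwidth. As an added example that is not part of the presentation, this script scans a constructed snapshot of a web server's connection table and flags clients holding many long-lived, header- or body-incomplete connections; the record format, the thresholds and the worker-pool size are assumptions.

```python
"""Flag slow-HTTP connection hogging from a connection-table snapshot.

Added example: the snapshot format below is an assumption, not the output of
any real server. Each line is one open connection:
    client_ip  state  age_seconds  bytes_received
state is READING_HEADERS, READING_BODY, RESPONDING or KEEPALIVE.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: one client parks six connections mid-headers (SlowLoris
# pattern), another parks four connections mid-POST-body (RUDY pattern), and
# three ordinary clients are served normally.
SNAPSHOT = """\
203.0.113.7 READING_HEADERS 48 110
203.0.113.7 READING_HEADERS 51 96
203.0.113.7 READING_HEADERS 47 121
203.0.113.7 READING_HEADERS 50 104
203.0.113.7 READING_HEADERS 49 99
203.0.113.7 READING_HEADERS 52 117
198.51.100.23 READING_BODY 33 540
198.51.100.23 READING_BODY 35 512
198.51.100.23 READING_BODY 31 530
198.51.100.23 READING_BODY 34 525
192.0.2.10 RESPONDING 1 812
192.0.2.11 KEEPALIVE 3 640
192.0.2.12 READING_HEADERS 2 40
"""

# Assumed thresholds: a request still receiving headers or body after
# MAX_INCOMPLETE_AGE seconds is stalled; a client with MIN_STALLED or more
# stalled connections is flagged. Real deployments tune these per site.
MAX_INCOMPLETE_AGE = 20
MIN_STALLED = 3
INCOMPLETE_STATES = {"READING_HEADERS", "READING_BODY"}


@dataclass
class Conn:
    ip: str
    state: str
    age: int
    rx_bytes: int


def parse_snapshot(text):
    """Parse the constructed snapshot format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, state, age, rx = line.split()
        conns.append(Conn(ip, state, int(age), int(rx)))
    return conns


def stalled_by_client(conns):
    """Number of incomplete connections older than the limit, per client IP."""
    counts = defaultdict(int)
    for c in conns:
        if c.state in INCOMPLETE_STATES and c.age > MAX_INCOMPLETE_AGE:
            counts[c.ip] += 1
    return dict(counts)


def flag_slow_http(conns):
    """Return {ip: pattern} for clients that look like slow-HTTP attackers.

    A client stalled mainly in READING_HEADERS matches the SlowLoris pattern
    ('slow-headers'); one stalled in READING_BODY matches R-U-Dead-Yet
    ('slow-body').
    """
    flagged = {}
    for ip, n in stalled_by_client(conns).items():
        if n < MIN_STALLED:
            continue
        states = [c.state for c in conns
                  if c.ip == ip and c.state in INCOMPLETE_STATES]
        headers = states.count("READING_HEADERS")
        body = states.count("READING_BODY")
        flagged[ip] = "slow-headers" if headers >= body else "slow-body"
    return flagged


def slot_pressure(conns, max_workers):
    """Fraction of the worker pool tied up by stalled connections.

    This is the resource a Layer 7 DoS exhausts: bandwidth stays low while
    the pool fills, so bandwidth graphs alone will not show the attack.
    """
    stalled = sum(stalled_by_client(conns).values())
    return stalled / max_workers


if __name__ == "__main__":
    conns = parse_snapshot(SNAPSHOT)
    per_client = stalled_by_client(conns)
    for ip, pattern in flag_slow_http(conns).items():
        print(f"{ip}: {pattern} ({per_client[ip]} stalled connections)")
    print(f"stalled share of 16 worker slots: {slot_pressure(conns, 16):.0%}")
```

The same per-client count is what a request-header timeout or a per-IP connection cap (the kind of control the Mod Security and load-balancer slides later point to) acts on; the snapshot shows why a single low-bandwidth client can still hold most of the pool.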

keep-dead

XerXes
  Th3j35t3r's DoS tool
  Routed through proxies like Tor to hide the attacker's origin
  No one knows exactly what it does
    Layer 7 DoS?
  Video demo: http://vimeo.com/17268609

XerXes

IPv6 - The Ping of Death returns
  http://www.infoworld.com/d/security/microsoft-patch-tuesday-the-ping-of-death-returns-ipv6-style-224867

IPv6 Router Advertisements
  Link-Local DoS
  http://www.hotforsecurity.com/blog/denial-of-service-attack-through-ipv6-router-advertisement-vulnerability-4362.html

IPv4: DHCP (PULL process)
  Client requests an IP
  Router provides one
  (Diagram: Host to Router "I need an IP"; Router to Host "Use this IP")

IPv6: Router Advertisements (PUSH process)
  Router announces its presence
  Every client on the LAN creates an address and joins the network
  (Diagram: Router to Host "JOIN MY NETWORK"; Host to Router "Yes, SIR")

Router Advertisement Packet

RA Flood

Windows Vulnerability
  It takes a LOT of CPU for Windows to process those Router Advertisements
    5 packets per second drives the CPU to 100%
  And they are sent to every machine in the LAN (ff02::1 is Link-Local All Nodes Multicast)
  One attacker kills all the Windows machines on a LAN

Responsible Disclosure
  Microsoft was alerted by Marc Heuse on July 10, 2010
  Microsoft does not plan to patch this
  Juniper and Cisco devices are also vulnerable
    Cisco has released a patch, Juniper has not

Defenses from RA Floods
  Disable IPv6
  Turn off Router Discovery
  Block rogue RAs with a firewall
  Get a switch with RA Guard
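Two of the defenses above, blocking rogue RAs and RA Guard, come down to the same two checks: is the advertising source an authorized router, and is it sending at a plausible rate. As an added example that is not part of the presentation, this script applies both checks to a constructed RA log; the log format, the allowlist and the rate limit are assumptions (the limit is taken from the slide's figure of 5 packets per second pinning a Windows CPU).

```python
"""RA Guard-style verdicts over a constructed log of IPv6 Router Advertisements.

Added example; the log format below, the router allowlist and RA_RATE_LIMIT
are assumptions, not the output or configuration of any real switch.
Each line: t=<seconds> src=<MAC> prefix=<advertised prefix>
"""
from collections import defaultdict

# Constructed log. The legitimate router 00:11:22:33:44:55 advertises the
# documentation prefix 2001:db8:1::/64 every 200 s. At t=10 a host on the
# LAN starts emitting RAs with a fresh prefix every 150 ms, the link-local
# flood pattern the slides describe.
RA_LOG = """\
t=0.00 src=00:11:22:33:44:55 prefix=2001:db8:1::/64
t=200.00 src=00:11:22:33:44:55 prefix=2001:db8:1::/64
t=10.00 src=de:ad:be:ef:00:01 prefix=2001:db8:aaaa::/64
t=10.15 src=de:ad:be:ef:00:01 prefix=2001:db8:aaab::/64
t=10.30 src=de:ad:be:ef:00:01 prefix=2001:db8:aaac::/64
t=10.45 src=de:ad:be:ef:00:01 prefix=2001:db8:aaad::/64
t=10.60 src=de:ad:be:ef:00:01 prefix=2001:db8:aaae::/64
t=10.75 src=de:ad:be:ef:00:01 prefix=2001:db8:aaaf::/64
t=10.90 src=de:ad:be:ef:00:01 prefix=2001:db8:aab0::/64
"""

# Assumed allowlist: the MAC addresses RA Guard would accept as routers
# (on a real switch this is the set of trusted ports, not MACs).
AUTHORIZED_ROUTERS = {"00:11:22:33:44:55"}
# Assumed limit in RAs per second per source; the slide says 5 pps is
# already enough to drive a Windows host's CPU to 100%.
RA_RATE_LIMIT = 5.0


def parse_ra_log(text):
    """Parse the constructed format into (time, src_mac, prefix) tuples, time-ordered."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        events.append((float(fields["t"]), fields["src"], fields["prefix"]))
    return sorted(events)


def rogue_sources(events):
    """Sources claiming to be routers that are not on the allowlist."""
    return sorted({src for _, src, _ in events if src not in AUTHORIZED_ROUTERS})


def distinct_prefixes(events):
    """Number of different prefixes each source advertised; a legitimate router
    repeats one prefix, a flood tool hands out a new one per packet."""
    seen = defaultdict(set)
    for _, src, prefix in events:
        seen[src].add(prefix)
    return {src: len(p) for src, p in seen.items()}


def peak_rate(events, window=1.0):
    """Highest RA count from any single source inside a sliding window, in RAs/s."""
    by_src = defaultdict(list)
    for t, src, _ in events:
        by_src[src].append(t)
    peaks = {}
    for src, times in by_src.items():
        best, lo = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        peaks[src] = best / window
    return peaks


def ra_guard_verdicts(events, window=1.0):
    """Per-source verdict: 'drop-rogue' (not an authorized router),
    'drop-flood' (authorized but over the rate limit) or 'allow'."""
    rates = peak_rate(events, window)
    verdicts = {}
    for src in {s for _, s, _ in events}:
        if src not in AUTHORIZED_ROUTERS:
            verdicts[src] = "drop-rogue"
        elif rates[src] > RA_RATE_LIMIT:
            verdicts[src] = "drop-flood"
        else:
            verdicts[src] = "allow"
    return verdicts


if __name__ == "__main__":
    events = parse_ra_log(RA_LOG)
    rates, prefixes = peak_rate(events), distinct_prefixes(events)
    for src, verdict in sorted(ra_guard_verdicts(events).items()):
        print(f"{src}: {verdict} (peak {rates[src]:.1f} RA/s, {prefixes[src]} prefixes)")
```

Because every host on the segment receives the ff02::1 multicast, the verdict has to be enforced at the switch port or a host firewall; a host that merely logs the flood still pays the CPU cost the slides describe.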

Defending Websites

Attack > Defense
  Right now, your website is only up because
    Not even one person hates you, or
    All the people that hate you are ignorant about network security

Defense
  Mod Security--free open-source defense tool
    Latest version has some protections against Layer 7 DoS
  Akamai has good defense solutions
    Caching
    DNS redirection
    Javascript second-request trick

Load Balancer

Counterattacks
  Reflecting attacks back to the command & control server
  Effective against dumb attackers like Anonymous' LOIC
  Will lose effect if they ever learn about Layer 7 DoS, which is happening now

Free DDoS Protection
  Uses a network of proxy servers
  Stopped th3j35t3r in a real attack

Is Port Scanning Legal?
  Some states consider it legal
    Not always the case
  Be prudent before using penetration-testing tools
  Federal government does not see it as a violation
    Allows each state to address it separately
  Research state laws

Is Port Scanning Legal?
  Read your ISP's "Acceptable Use Policy"
    Comcast: http://www.comcast.com/Corporate/Customers/Policies/HighSpeedInternetAUP.html?SCRedirect=true
    AT&T: http://www.att.com/esupport/article.jsp?sid=KB400169
  More than likely – NO, from the ISP's perspective
  Remember - Big Brother may be watching!

Is Port Scanning Legal?
  IRC "bot"
    Program that sends automatic responses to users
    Gives the appearance of a person being present
  Some ISPs may prohibit the use of IRC bots

COD Student Code of Conduct
  http://www.cod.edu/people/faculty/wagnerju/cit2640q/conduct.pdf

Federal Laws
  Federal computer crime laws are getting more specific
    Cover cybercrimes and intellectual property issues
  Computer Hacking and Intellectual Property (CHIP)
    New government branch to address cybercrimes and intellectual property issues

Federal Laws (continued)
  The Cyber Security Enhancement Act of 2002
    Mandates life sentences for hackers who "recklessly" endanger the lives of others
  Securely Protect Yourself Against Cyber Trespass Act of 2007 (SPY ACT)
    Defines popups, spyware and spam as illegal
  18 USC §1029 and 1030 (US Code)
    Defines unauthorized access and malicious software
    Strict penalties for hacking, no matter what the intent

Federal Laws (continued)
  ADA Section 508
    All users, regardless of disability status, can access technology
  Children's Online Privacy Protection Act of 1998 (COPPA)
  Computer Security Act of 1987
    Provide for Government-wide computer security, and to provide for the training in security matters of persons who are involved in the management, operation, and use of Federal computer systems, and for other purposes

What You Cannot Do Legally
  Accessing a computer without permission
  Destroying data without permission
  Copying information without permission
  Installing malicious software
  Denial of Service attacks
  Denying users access to network resources
    Be careful your actions do not prevent customers from doing their jobs

Get It in Writing
  Using a contract is just good business
    Contracts may be useful in court
  Books on working as an independent contractor
    Getting Started as an Independent Computer Consultant by Mitch Paioff and Melanie Mulhall
    The Consulting Bible: Everything You Need to Know to Create and Expand a Seven-Figure Consulting Practice by Alan Weiss
  Internet can also be a useful resource
  Have an attorney read over your contract before sending or signing it

Ethical Hacking in a Nutshell
  What it takes to be a security tester
    Knowledge of network and computer technology
    Ability to communicate with management and IT personnel
    Understanding of the laws
    Ability to use necessary tools

Summary
  Companies hire ethical hackers to perform penetration tests
    Penetration tests discover vulnerabilities in a network
  Security tests are performed by a team of people with varied skills
  Penetration test models
    White box model
    Black box model
    Gray box model

Summary
  Security testers can earn certifications
    CEH
    CISSP
    OPST
  As a security tester, be aware
    What you are legally allowed or not allowed to do
    ISPs may have an acceptable use policy
      May limit ability to use tools

Summary
  Laws should be understood before conducting a security test
    Federal laws
    State laws
  Get it in writing
    Use a contract
    Have an attorney read the contract
  Understand tools available to conduct security tests
    Learning how to use them should be a focused and methodical process