Certified Ethical Hacking
Certified Ethical Hacking 
- Introduction 
- Footprinting and Reconnaissance 
- Scanning Networks 
- Enumeration
Certified Ethical Hacking 
- System Hacking 
- Trojans + Backdoors 
- Viruses + Worms 
- Sniffer
Certified Ethical Hacking 
- Social Engineering 
- Denial of Service 
- Session hijacking 
- Hacking Web Servers 
- Hacking Web Apps
Certified Ethical Hacking 
- SQL Injection 
- Wireless Hacking 
- Evading IDS, Firewalls, Honeypots 
- Buffer Overflow 
- Cryptography 
- Pen Testing
Introduction - CEH 
- This is not legal advice 
• The legal framework is not very clear about what is actually lawful and what is not 
• Get authorization in advance from those with the power to grant it. 
• Demonstrate and highlight how the data could be accessed, without actually accessing it. 
• In Italy, use an indemnity document drawn up, where possible, with legal assistance 
- It may be illegal to run a pentest even on your own network 
• Without prior authorization 
• When sensitive data is accessed 
- Most hacking attempts are unsuccessful 
- The exam is expensive
Introduction - CEH 
- Current Situation 
• News about cyber attacks 
• Criminal activities 
- Anonymous Activities 
- Cyber Terrorism 
- Companies must necessarily have and implement security policies 
• Management of user accounts 
• Access Management 
• Authentication and security levels 
• Delegation: rules for delegation 
• Authoritative sources of data
Introduction - CEH 
- Overview of legislation 
• Computer Misuse Act 1990 (UK) 
• CAN-SPAM Act (2003) 
- In Italy 
• Law 48/2008: European Convention on Cybercrime. 
• Law 196/2003 
• DPS (security policy document) 
• Data Protection Authority measures of 27/11/2008 
• The Indemnity
Introduction - CEH 
- Terminology 
• Hacking 
• Hackers 
• Black Box Testing 
• White Box Testing 
• Gray Box Testing 
• Security 
• Vulnerability 
• Exploit / Proof of concept 
• Zero Day 
• Vulnerability Scan 
• Penetration Test
Introduction - CEH 
- Origin of threats 
• Within the company 
a. Authorized physical access 
b. Logins via the network 
c. Directors 
d. Employees 
• Outside the company 
a. External consultants 
b. External collaborators 
c. Affiliates and subsidiaries of the company 
d. External maintenance staff, visitors, etc.
Introduction - CEH 
- Who is a Hacker? (1/2) 
• Black Hats / Crackers / Malicious 
Individuals with advanced computer skills, used for malicious or destructive activity 
• White Hats / Ethical Hackers / Pentesters 
Individuals with expertise in computer hacking who use their knowledge to improve the security of their environment; they are often identified with the term Security Analyst
Introduction - CEH 
- Who is a Hacker? (2/2) 
• Gray Hats 
Individuals with advanced computer skills, used as the occasion requires for both "offensive" and "defensive" activities 
• Suicide Hackers 
Individuals who use their computer skills to disrupt victim companies or critical infrastructure, without caring about the legal repercussions they may face. 
• Hacktivists / Script Kiddies / Phreaks / Red Team
Introduction - CEH 
- How does a hacker operate? (1/3) 
• Step 1: Reconnaissance 
a. Research information about the victim 
b. Wide-ranging search for possible points of attack 
c. Look for any information about customers, employees, networks, systems in use, etc. 
• Step 2: Scanning 
a. Port scan 
b. Network scan 
c. Extract useful information about services and their versions
Introduction - CEH 
- How does a hacker operate? (2/3) 
• Step 3: Obtain access 
a. Exploit 
b. Weak Password 
c. Buffer Overflow 
d. Denial of service 
• Step 4: Maintain access 
a. Keylogger 
b. Backdoor 
c. Rootkits 
d. Trojan / Worm
Introduction - CEH 
- Why is ethical hacking needed? 
• Vulnerability testing and security audits alone do not ensure that our infrastructure is secure 
• Defence strategies need to be built by taking advantage of targeted pentests 
• Ethical hacking is necessary in order to anticipate the moves of any malicious actor who would compromise our systems
Introduction - CEH 
- Benefits of Ethical Hacking 
• Risk Assessment 
• Auditing 
• Mitigate fraud 
• Best Practices 
• Good infrastructure management 
- Disadvantages of Ethical Hacking 
• Hiring external people to test its systems does not, by itself, guarantee that a company's level of security improves. 
• An ethical hacker can only help the company understand its current level of security; it is the company that must put proper countermeasures in place
Introduction - CEH 
- What does an Ethical Hacker do? 
• Hunt for vulnerabilities 
• Verify the effectiveness of the security strategies in place 
• Report any vulnerabilities found in systems and the network 
• Test the ability to access sensitive data
Introduction - CEH 
- The security, functionality, ease-of-use triangle 
           Security 
          /        \ 
Functionality --- Ease of use
Introduction - CEH 
Introduction to the Virtual Lab + Linux
Introduction - CEH 
Questions?
Footprinting and Reconnaissance - CEH 
- Information gathering 
- Assessing the attack surface 
- Exposure
Footprinting and Reconnaissance - CEH 
- Information gathering 
• Search for technical information 
a. Registered domains 
b. IP ranges used 
c. Services provided 
• Additional information 
a. IT administrators in groups, forums, etc. 
b. Tools used and software versions 
c. Hardware devices and technologies
Footprinting and Reconnaissance - CEH 
- Attack Surface 
• Discover the machines and services used 
• Discover any open wireless networks 
• Other types of network access: 
a. Waiting rooms 
b. Kiosks 
c. Shared networks 
• Possibility of using malware in the attack
Footprinting and Reconnaissance - CEH 
- Exposure 
• Check the services found and the reachable machines: 
a. Exploit for the optional field 
b. Potential for abuse of the services 
• Organize the information collected 
• Create a plan of attack 
a. An attack can be performed by using several weaknesses in a coordinated manner 
• Test the posture (position) before the attack
Footprinting and Reconnaissance - CEH 
- Footprinting 
• Delimit the scope of the attack 
a. DNS / WHOIS 
b. InterNIC 
c. Physical location 
d. RF (Wi-Fi, Bluetooth) monitoring - WarDriving 
• Traceroute analysis 
• Mirroring the target company's site 
• Tracking email communications 
• Using Google Hacking 
• Nessus scan 
• Nikto scan
Footprinting and Reconnaissance - CEH 
- Attack perimeter 
• Analysis of DNS records 
a. Assigned IPs 
b. MX records 
c. etc. 
• Examining the company's website 
a. Public or restricted website 
• Search for information via search engines (e.g. Google, Bing, Yahoo, etc.), job sites, financial services, etc. 
• Research staff on social networks, chat services, etc. 
• Physical location of the office
Footprinting and Reconnaissance - CEH 
- Traceroute analysis 
• Identification of devices: routers, firewalls, etc. 
e.g. # traceroute 10.10.10.10 
traceroute to 10.10.10.10, 64 hops max, 52 byte packets 
1 10.10.10.1 (10.10.10.1) 1.427 ms 1.160 ms 0.956 ms 
2 10.10.10.3 (10.10.10.3) 33.266 ms 34.849 ms 33.298 ms 
3 * * * 
... 
• By correlating the information obtained it is possible to draw the network topology 
• Traceroute tools 
a. VisualRoute Trace (http://viualroute.visualware.com) 
b. Visual IP Trace (http://www.visualiptrace.com) 
c. vTrace (http://vtrace.pl)
Footprinting and Reconnaissance - CEH 
- Mirroring the corporate website 
• Create a copy of the entire corporate site in order to obtain information on its structure: CSS, images, Flash files, video, HTML code, etc. 
• Website mirroring tools: 
a. Wget (http://www.gnu.org) 
b. BlackWidow (http://softbytelabs.com) 
c. WinWSD (http://winwsd.uw.hu) 
d. etc.
Footprinting and Reconnaissance - CEH 
- Tracking email communications 
• Email tracking is a valid method to monitor and spy on the emails sent to recipients 
a. When an email has been received or read 
b. Possibility of sending destructive emails 
c. Phishing attacks 
d. Find the endpoints of the email communication 
e. Tracking of documents, etc. 
• Email tracking tools: 
a. Trout (http://www.foundstone.com) 
b. 3d Visual Trace Route (http://www.3dsnmp.com)  
c. etc.
Footprinting and Reconnaissance - CEH 
- Using Google Hacking (1/2) 
• What a hacker can do with Google Hacking techniques 
a. Find error pages that contain sensitive information 
b. Files containing passwords 
c. Security advisories or vulnerabilities 
d. Pages containing login forms 
e. Pages containing data about the configuration or network vulnerabilities 
• Examples of some operators used for advanced Google searches: 
a. [cache:] - shows the version of the site cached by Google 
b. [inurl:] - restricts the search to results whose URL contains the given string 
c. [intitle:] - narrows the search to documents that contain the specified string in the title 
d. etc.
Footprinting and Reconnaissance - CEH 
- Using Google Hacking (2/2) 
• Google Hacking tools: 
a. MetaGoofil (http://www.edge-security.com) 
b. SiteDigger (http://www.foundstone.com) 
c. Google Hacks (http://code.google.com) 
d. GMapCatcher (http://code.google.com) 
e. Goolink Scanner (http://www.ghacks.net) 
f. etc.
Footprinting and Reconnaissance - CEH 
- Nessus scan 
• Nessus is a tool that finds and, where possible, identifies the services exposed by a given server 
[Screenshot of Nessus] 
• Nessus site (http://www.tenable.com/products/nessus)
Footprinting and Reconnaissance - CEH 
- Nikto scan 
• Nikto is a tool that identifies a web server and crawls the sites configured on it. 
• Nikto is also able to identify known vulnerabilities present on that web server, based on its own internal database 
[Screenshot of Nikto] 
• Nikto site (http://www.cirt.net/nikto2)
Footprinting and Reconnaissance - CEH 
- Footprinting countermeasures (1/2) 
• Secure destruction of documents 
• Configure routers / IDS 
a. Reject any suspicious traffic 
b. Identify footprinting patterns 
c. Close access to the ports that are not strictly necessary to provide the service, and filter any protocols not used by the applications. 
• Configure the web server so that it does not give away useful information 
• Perform tests to verify the footprinting countermeasures
Footprinting and Reconnaissance - CEH 
- Footprinting countermeasures (2/2) 
• Remove any sensitive data from the DMZ 
• Prevent spidering and cached copies (robots.txt) 
• Split DNS 
• Honeypot
Footprinting and Reconnaissance - CEH 
Questions?
Scanning - CEH 
- CEH scanning methodology 
- Types of scan 
- Firewalking 
- 3-way handshake 
- Closing sessions 
- Scanning techniques 
- War dialing 
- Scan tools
Scanning - CEH 
- CEH scanning methodology 
1) Check for live systems 
2) Check the open ports on the system 
3) Identify the types of services and their versions 
4) Vulnerability scanning 
5) Draw the network diagram 
6) Use proxies
Scanning - CEH 
- Types of scan 
• Network scanning 
a. ICMP scanning 
b. Ping sweep scanning 
• Port scanning 
a. Check the open ports on a system 
• Vulnerability scanning 
a. Identification of services 
b. Identification of application versions 
c. Identification of applications
Scanning - CEH 
- Firewalking 
• Identifies the ACLs (Access Control Lists) configured on the firewall 
• Uses the TTL (Time To Live) of a packet to find the "hop" at which the firewall sits 
• Sends packets to the open services, with the TTL set to expire one hop beyond the firewall: 
a. ICMP time exceeded (the packet was let through) 
b. Packet dropped (the packet was filtered) 
• It is not necessary to reach the destination
Scanning - CEH 
- 3-way handshake 
Computer A                          Computer B 
   SYN = 1, SEQ # 10   ------> 
   <------   SYN = 1, ACK = 1, ACK # 11 
   ACK = 1, SEQ # 11   ------> 
Time                                      Time
Scanning - CEH 
- Closing sessions 
Graceful close                      Abortive close 
Computer A       Computer B         Computer A       Computer B 
   FIN, ACK  ------>                   RST  ------> 
   <------  ACK 
   <------  FIN, ACK 
   ACK  ------> 
Time             Time               Time             Time
Scanning - CEH 
- Scanning techniques 
• TCP Connect Scan 
• Stealth Scan 
• XMAS Scan 
• SYN / ACK / FIN Scan 
• NULL Scan 
• IDLE Scan 
• UDP Scan
Scanning - CEH 
- TCP connect scan 
• Reports the port as open only after completing the three-way handshake 
- Packet sequence: 
SYN ------> 
<------ SYN, ACK 
ACK ------> 
RST ------> 
• The TCP connect scan uses an RST packet to terminate the communication
Scanning - CEH 
- Stealth scan 
• Used to bypass firewall rules and logging mechanisms, or to disguise the activity as normal traffic 
Open port                           Closed port 
SYN ------>                         SYN ------> 
<------ SYN, ACK                    <------ RST 
RST ------> 
Scanning - CEH 
- XMAS scan 
• Forges a packet with the URG, ACK, RST, SYN and FIN flags set 
• The FIN flag only works against systems whose TCP stack is implemented according to RFC 793 
• Often does not work against some Microsoft Windows systems 
Open port                           Closed port 
FIN, URG, PUSH ------>              FIN, URG, PUSH ------> 
(no reply)                          <------ RST 
Scanning - CEH 
- NULL scan 
• The FIN flag only works against systems whose TCP stack is implemented according to RFC 793 
• Often does not work against some Microsoft Windows systems 
Open port                           Closed port 
(no flags set) ------>              (no flags set) ------> 
(no reply)                          <------ RST, ACK 
Scanning - CEH 
- FIN scan 
• Sends packets with the FIN flag set 
• The FIN flag only works against systems whose TCP stack is implemented according to RFC 793 
• Often does not work against some Microsoft Windows systems 
Open port                           Closed port 
FIN ------>                         FIN ------> 
(no reply)                          <------ RST, ACK 
Scanning - CEH 
- Idle scan 
• To check whether a port is open it is enough to send a SYN packet 
• The target responds with SYN, ACK if the port is open, or with RST if it is closed 
• A host that receives a SYN, ACK for which it never sent a request responds with RST 
• Every unsolicited RST is ignored 
• Every IP packet carries a "fragment identification" number (IPID) 
• Idle scan is a scanning technique in which spoofed packets are sent to check the state of the ports on a target.
Scanning - CEH 
- Idle scan: Step 1 
• Send SYN, ACK to the zombie host to check its IPID 
• Every packet on the network has its own IP ID, a 4-digit number that is incremented each time a host sends a packet 
• The zombie, not expecting the SYN, ACK, responds with an RST carrying its own IPID 
Attacker --- SYN, ACK (probe) --->  Zombie 
Attacker <--- RST, IPID = xxxx ---  Zombie
Scanning - CEH 
- Idle scan: Step 2.1, open port 
• Send a SYN to a port of the target (port 80, for example) with the zombie's spoofed IP 
Attacker --- SYN to port 80, source IP = Zombie --->  Target 
Target --- SYN, ACK (port open) --->  Zombie 
Zombie --- RST, IPID = xxxx + 1 --->  Target
Scanning - CEH 
- Idle scan: Step 2.2, closed port 
• If the port is closed, the target sends an RST packet to the zombie, which does not respond. 
Attacker --- SYN to port 80, source IP = Zombie --->  Target 
Target --- RST --->  Zombie 
Zombie (no response, IPID unchanged)
Scanning - CEH 
- Idle scan: Step 3 
• The attacker sends another request to the zombie 
• If the IPID has increased by one extra step (xxxx + 2) the port is open, otherwise it is closed 
Attacker --- SYN, ACK --->  Zombie 
Attacker <--- RST, IPID = xxxx + 2 ---  Zombie
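The three-step exchange above, simulated in memory as an added example (not from the slides or from any scanner). Toy hosts named attacker, zombie and target, with an assumed starting IPID of 1000, show how the zombie's IPID counter reveals the port state, and why a zombie that is not idle, or whose stack randomises its IPID (the usual countermeasure), makes the inference unreliable.

```python
"""Idle scan IPID arithmetic, simulated entirely in memory (added example)."""
import random


class Host:
    """Minimal TCP stack: answers SYN and SYN/ACK, silently drops RST."""

    def __init__(self, name, open_ports=(), ipid=1000, random_ipid=False):
        self.name = name
        self.open_ports = set(open_ports)
        self.ipid = ipid                  # assumed starting value
        self.random_ipid = random_ipid    # per-packet random IPID: the mitigation

    def next_ipid(self):
        """IP ID placed in the next packet this host sends."""
        if self.random_ipid:
            self.ipid = random.randrange(1, 65536)
        else:
            self.ipid = (self.ipid + 1) % 65536
        return self.ipid

    def reply_to(self, flags, dport):
        if flags == "SYN":               # open port answers SYN/ACK, closed port RST
            return "SYN/ACK" if dport in self.open_ports else "RST"
        if flags == "SYN/ACK":           # an unsolicited SYN/ACK is always met with RST
            return "RST"
        return None                      # an unsolicited RST is ignored: no packet sent


def transmit(src, dst, flags, dport=None, spoof_as=None, wire=None):
    """Put one packet on the wire and let the receiver react; returns the trace.
    With spoof_as the packet claims another host's address, so the answer goes
    to that host and it is that host's IPID counter that advances."""
    wire = [] if wire is None else wire
    claimed = spoof_as or src
    wire.append({"src": claimed.name, "dst": dst.name, "flags": flags,
                 "dport": dport, "ipid": src.next_ipid()})
    reply = dst.reply_to(flags, dport)
    if reply:
        transmit(dst, claimed, reply, wire=wire)
    return wire


def probe_ipid(attacker, zombie):
    """Steps 1 and 3: SYN/ACK to the zombie; its RST carries its current IPID."""
    wire = transmit(attacker, zombie, "SYN/ACK")
    rst = [p for p in wire if p["src"] == zombie.name and p["flags"] == "RST"]
    return rst[-1]["ipid"]


def idle_scan(attacker, zombie, target, port, zombie_activity=0):
    """Infer the target's port state from how far the zombie's IPID moved.
    zombie_activity = packets the zombie sends on its own between the probes,
    i.e. a zombie that is not actually idle."""
    before = probe_ipid(attacker, zombie)                             # step 1
    transmit(attacker, target, "SYN", dport=port, spoof_as=zombie)    # step 2
    for _ in range(zombie_activity):
        zombie.next_ipid()
    after = probe_ipid(attacker, zombie)                              # step 3
    delta = (after - before) % 65536
    return {2: "open", 1: "closed"}.get(delta, "unknown")


if __name__ == "__main__":
    atk, z, t = Host("attacker"), Host("zombie"), Host("target", open_ports={80})
    print("port 80:", idle_scan(atk, z, t, 80))                 # open
    print("port 81:", idle_scan(atk, z, t, 81))                 # closed
    print("busy zombie:", idle_scan(atk, z, t, 80, zombie_activity=3))
    print("random IPID:", idle_scan(atk, Host("z2", random_ipid=True), t, 80))
```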
Scanning - CEH 
- SYN / FIN IP fragment scan: 
• Not a different method from the previous scans 
• Involves sending the TCP header split across fragmented packets, so that packet-filtering systems fail to intercept it 
- ACK scan: 
• The attacker sends packets with the ACK flag set and random sequence numbers 
• No response means that the port is filtered 
• An RST packet in response indicates that the port is not filtered
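As an added example (not from the slides), the detection side of the scan types above: a classifier over constructed tcpdump-style lines that labels NULL, FIN, XMAS and ACK probes by their flag set and tells a TCP connect scan from a stealth (half-open) scan by following each flow. The line format and the three-port threshold are assumptions.

```python
"""Classify port-scan probes in tcpdump-style lines (added example, not from
the slides): label NULL/FIN/XMAS/ACK probes by flag set and, by following each
flow, separate a TCP connect scan from a stealth (half-open) SYN scan."""
import re
from collections import defaultdict

# tcpdump flag letters -> TCP header bits; '.' is tcpdump's ACK.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_BITS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, ".": ACK, "U": URG}
# Flag sets no client uses to open a connection, named as on the slides.
PROBE_SIGNATURES = {0: "NULL scan", FIN: "FIN scan",
                    FIN | PSH | URG: "XMAS scan", ACK: "ACK scan"}
LINE_RE = re.compile(r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                     r"Flags \[(?P<flags>[^\]]*)\]")


def parse_flags(letters):
    """'S.' -> SYN|ACK; tcpdump prints 'none' for a NULL probe."""
    return 0 if letters == "none" else sum(FLAG_BITS[c] for c in letters)


def parse_line(line):
    m = LINE_RE.search(line)
    return None if not m else (m["src"], int(m["sport"]), m["dst"],
                               int(m["dport"]), parse_flags(m["flags"]))


def analyse(lines, syn_port_threshold=3):
    """{source_ip: {scan_label: ports}} for sources that sent a probe signature
    or SYN-probed at least syn_port_threshold distinct ports."""
    flows = {}                                    # client 4-tuple -> events seen
    probes = defaultdict(lambda: defaultdict(set))
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if rev in flows:                          # server side of a flow we track
            if flags & SYN and flags & ACK:
                flows[rev].add("synack")
            continue
        label = PROBE_SIGNATURES.get(flags)
        # A bare ACK is only a probe when it belongs to no SYN-opened flow.
        if label and not (flags == ACK and "syn" in flows.get(fwd, ())):
            probes[src][label].add(dport)
            continue
        st = flows.setdefault(fwd, set())
        if flags == SYN:
            st.add("syn")
        elif flags == ACK:
            st.add("ack")
        elif flags & RST:
            st.add("rst")
    for (src, _sp, _dst, dport), st in flows.items():
        if "syn" not in st:
            continue
        if st >= {"synack", "ack", "rst"}:
            probes[src]["TCP connect scan"].add(dport)    # full handshake, then RST
        elif st >= {"synack", "rst"}:
            probes[src]["SYN (stealth) scan"].add(dport)  # SYN/ACK met with RST, never ACKed
        elif "synack" not in st:
            probes[src]["SYN probe (closed/filtered)"].add(dport)
    report = {}
    for src, labels in probes.items():
        signature = any(lab in PROBE_SIGNATURES.values() for lab in labels)
        syn_ports = set().union(*(p for lab, p in labels.items()
                                  if lab not in PROBE_SIGNATURES.values()))
        if signature or len(syn_ports) >= syn_port_threshold:
            report[src] = {lab: sorted(p) for lab, p in labels.items()}
    return report


# Constructed capture: stealth scan (.5), connect scan (.8), a normal client (.7)
# and one host (.6) sending the XMAS, NULL, FIN and ACK probes.
SAMPLE = """\
10.0.0.5.40001 > 10.0.0.9.22: Flags [S]
10.0.0.9.22 > 10.0.0.5.40001: Flags [S.]
10.0.0.5.40001 > 10.0.0.9.22: Flags [R]
10.0.0.5.40002 > 10.0.0.9.80: Flags [S]
10.0.0.9.80 > 10.0.0.5.40002: Flags [S.]
10.0.0.5.40002 > 10.0.0.9.80: Flags [R]
10.0.0.5.40003 > 10.0.0.9.443: Flags [S]
10.0.0.9.443 > 10.0.0.5.40003: Flags [R.]
10.0.0.8.50001 > 10.0.0.9.22: Flags [S]
10.0.0.9.22 > 10.0.0.8.50001: Flags [S.]
10.0.0.8.50001 > 10.0.0.9.22: Flags [.]
10.0.0.8.50001 > 10.0.0.9.22: Flags [R.]
10.0.0.8.50002 > 10.0.0.9.23: Flags [S]
10.0.0.9.23 > 10.0.0.8.50002: Flags [R.]
10.0.0.8.50003 > 10.0.0.9.25: Flags [S]
10.0.0.9.25 > 10.0.0.8.50003: Flags [R.]
10.0.0.7.60001 > 10.0.0.9.80: Flags [S]
10.0.0.9.80 > 10.0.0.7.60001: Flags [S.]
10.0.0.7.60001 > 10.0.0.9.80: Flags [.]
10.0.0.7.60001 > 10.0.0.9.80: Flags [F.]
10.0.0.6.41000 > 10.0.0.9.21: Flags [FPU]
10.0.0.6.41000 > 10.0.0.9.23: Flags [FPU]
10.0.0.6.41000 > 10.0.0.9.25: Flags [none]
10.0.0.6.41000 > 10.0.0.9.139: Flags [F]
10.0.0.6.41000 > 10.0.0.9.445: Flags [.]
"""
```

Running `analyse(SAMPLE.splitlines())` reports .5, .8 and .6 and stays silent on the ordinary client .7.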
Scanning - CEH 
- UDP scan: 
• UDP port scanning does not require the TCP 3-way handshake 
• When a packet is sent to an open port, the target system sends nothing back 
• If a UDP request is sent to a closed port, the target system responds with an ICMP port unreachable message 
• Spyware, Trojan horses and other malicious applications use UDP ports to propagate between systems
Scanning - CEH 
- War dialing 
• One of the attack techniques used in the past (Mitnick) 
• Consisted of dialing a range of phone numbers looking for an endpoint that answers and initiates a connection. 
• Often automated 
a. Uses ranges of random numbers 
• An endpoint that answers often reveals an "emergency" access reserved for system administrators
Scanning - CEH 
- Scan tool 
• Nmap (http://nmap.org/) 
• Nessus (http://www.tenable.com/products/nessus) 
• OpenVAS (http://www.openvas.org/) 
• Hping (http://www.hping.org/) 
• Netcat (http://netcat.sourceforge.net/) 
• SuperScan (http://www.foundstone.com) 
• Free Port Scanner (http://www.nsauditor.com) 
• THC-Scan (http://freeworld.thc.org) 
• iWar (http://www.softwink.com)
Scanning - CEH 
Questions?
Enumeration - CEH 
- Enumeration 
- Enumeration techniques 
- NetBIOS enumeration 
- User account enumeration 
- SNMP enumeration 
- Unix / Linux enumeration 
- SMTP enumeration
Enumeration - CEH 
- What is enumeration? 
• Enumeration is the process of extracting usernames, machine names, network resources, shares and services from a system 
• Enumeration techniques are mostly applied in an intranet environment
Enumeration - CEH 
- Enumeration techniques 
• Extract usernames from email IDs 
• Extract usernames through the SNMP service 
• Extract groups from Windows machines 
• Extract data using default passwords 
• Brute-force Active Directory 
• Extract information using DNS zone transfers
Enumeration - CEH 
- NetBIOS enumeration 
• An attacker exploits NetBIOS enumeration to obtain 
a. The list of computers that belong to a domain 
b. The list of network shares exposed by each host on the network 
c. Policies 
d. Passwords
Enumeration - CEH 
- Enumerating systems using default passwords 
• Devices such as hubs, switches and routers are often run with their default password 
• An attacker can gain access to these systems, and to the information they contain, using the default credentials 
• Default password site (http://www.defaultpassword.com)
Enumeration - CEH 
- SNMP enumeration 
• SNMP (Simple Network Management Protocol) is a protocol used to monitor and manage hosts, routers and, in general, any device on the network that supports it 
• An attacker uses SNMP enumeration to extract information about the resources of network devices 
• SNMP consists of a manager and an agent; the agent is integrated directly in the device, while the manager is usually installed on a separate, dedicated system. 
• The default community string for monitoring and read access to the information is "public", while for management and write access it is "private" 
• SNMP enumeration uses these strings to extract useful information about the equipment
Enumeration - CEH 
- Unix / Linux enumeration 
• On Unix / Linux there are several commands to enumerate resources on the network 
a. showmount: lists the shares exported by the system 
b. finger: enumerates users and hosts, providing detailed information such as home directories, etc. 
c. rpcclient: lists the users on Linux and OS X 
d. rpcinfo: helps to enumerate the RPC (Remote Procedure Call) services. RPC allows applications to communicate over the network.
Enumeration - CEH 
- SMTP enumeration 
• The service can be queried directly with commands over Telnet 
• Allows enumeration of users through the normal commands available 
a. VRFY / EXPN 
b. RCPT TO
Enumeration - CEH 
- User account enumeration 
• You can try to obtain them by anonymously querying the LDAP server 
• On Windows systems, by using the SID (Security Identifier) 
a. Null session 
b. SID to user
Enumeration - CEH 
Questions?
System Hacking - CEH 
- Password cracking / attacks 
- Privilege escalation 
- Running spyware / keyloggers / rootkits 
- NTFS data streams 
- Steganography 
- Covering the tracks
System Hacking - CEH 
- Password cracking / attacks 
• Password cracking techniques are used to recover the passwords of a given system 
• Attackers use these techniques to obtain unauthorized access to vulnerable systems 
• These techniques work because of the simplicity of the passwords chosen by users
System Hacking - CEH 
- Password cracking techniques 
• Dictionary attack 
a. Uses a file containing common passwords 
• Brute force attack (Brute Forcing Attack) 
a. Tries combinations of numbers and characters until the password is found 
• Hybrid attack (Hybrid Attack) 
a. Similar to the dictionary attack; adds numbers and letters to the words in the dictionary 
• Syllable attack (Syllable Attack) 
a. Combines the dictionary attack and brute force 
• Rule-based attack (Rule-Based Attack) 
a. Based on information the attacker has previously found about the password (company policy, number of special characters, etc.)
System Hacking - CEH 
- Types of attack on passwords 
• Passive online attack 
• Active online attack 
• Offline attack 
• Non-electronic attack
System Hacking - CEH 
- Passive online attack 
• Sniffing the network 
• MITM (Man in the Middle) 
• Replay
System Hacking - CEH 
- Active online attack 
• Predictability of passwords 
• Trojan / Spyware / Keylogger 
• Hash injection
System Hacking - CEH 
- Offline attack 
• Precomputed hashes 
• Rainbow tables 
• Distributed networks
System Hacking - CEH 
- Non-electronic attack 
• Watching over the shoulder of those typing a password (shoulder surfing) 
• Social engineering 
• Rummaging through garbage (dumpster diving)
System Hacking - CEH 
- Privilege escalation 
• Exploits vulnerabilities in the operating system 
• Software vulnerabilities 
• Programming errors 
a. Buffer overflows 
b. No distinction between data and executable code 
c. Failure to validate user input, etc. 
• Often carried out with exploits and shellcode
System Hacking - CEH 
- Spyware 
• A program that records the user's actions on the computer and while surfing the Internet, without the user's knowledge 
a. It hides its process 
b. It hides its files and other objects 
c. Difficult to remove 
• Methods of propagation 
a. Masquerading as anti-spyware 
b. Downloaded from the Internet 
c. Exploiting browser vulnerabilities 
d. Fake add-ons 
e. Software installers containing purpose-built macros
System Hacking - CEH 
- Keylogger (Keystroke Logger) 
• Software or hardware components that record what the user types on the keyboard 
• Everything recorded is saved to a file and sent to a remote destination 
• The keylogger inserts itself into the communication between the keyboard and the operating system 
• Some companies use this kind of hardware or software to monitor their employees; at home it is used, for instance, to monitor children.
System Hacking - CEH 
- Rootkit 
• Programs that reside at kernel level in order to hide themselves and cover the tracks of their activity 
• They replace specific routines or operating system components with purpose-built modified versions 
• Rootkits allow an attacker to maintain access to the system
System Hacking - CEH 
- Types of rootkit (1/2) 
• Hardware / firmware level 
Hides in physical devices or in firmware updates that do not check code integrity 
• Hypervisor level 
Changes the boot sequence so as to load itself before the operating system, which then runs virtualized on top of it 
• Boot loader level 
Replaces the original boot loader with one controlled by a remote attacker
System Hacking - CEH 
- Types of rootkit (2/2) 
• Kernel level 
Replaces parts of the operating system kernel or device drivers, or adds malicious code to them 
• Library level 
Replaces operating system libraries in order to hide the attacker's information 
• Application level 
Replaces the executables of regular applications with Trojans or malicious pieces of code
System Hacking - CEH 
- NTFS data streams 
• NTFS Alternate Data Streams (ADS) are a hidden information channel in Windows that holds a file's metadata (attributes, word count, author name, etc.) 
• ADS lets attributes be added to a file without changing its functionality or how it appears in the file manager 
• ADS can be exploited by an attacker to hide code on a compromised system and execute commands without the user noticing
System Hacking - CEH 
- Steganography (1/2) 
• Steganography is the technique of hiding secret messages and extracting them again at the destination, while keeping the message confidential 
• Using graphic images as a cover to hide data, coordinates or secret plans is one of the most widely used methods 
• There are several free programs that implement steganographic techniques
System Hacking - CEH 
- Steganography (2/2) 
• Example with ImageHide (http://www.dancemammal.com/imagehide.htm)
System Hacking - CEH 
- Covering the tracks 
• Remove all web activity traces such as MRU (Most Recently Used) lists, cookies, cache, history and temporary files 
• Disable auditing systems 
• Edit the log files, do not delete them! 
a. Operating system 
b. Applications 
c. DB access 
d. Administrative 
e. UTMP / lastlog / WTMP 
• Close all connections to the target machine 
a. Use tools or alter files to hide its presence 
b. Windows Watcher, Tracks Eraser Pro, Evidence Eliminator, etc. 
• Close any ports used and apply patches to the system, to prevent other hackers from getting in
System Hacking - CEH 
Questions?
Trojans + Backdoors - CEH 
- What is a Trojan? 
• It is a program containing malicious code that allows an attacker to take control of the system and cause damage to it 
• With the help of a Trojan an attacker is able to gain access to the passwords stored on the system and, in general, to everything on it: personal documents, deleted files, images, messages, etc.
Trojans + Backdoors - CEH 
- What is the purpose of a Trojan? 
• Steal important information such as passwords, secret codes, credit card information, bank details, etc. 
• Record the activity on the victim's PC 
• Modify or replace operating system files 
• DoS attacks 
• Download spyware and keyloggers 
• Disable protection systems: antivirus, anti-spyware, etc. 
• Use the victim's PC to propagate the Trojan infection
Trojans + Backdoors - CEH 
- What method does a Trojan use to infect a system? 
1. Create a modified package using a Trojan Horse construction kit 
2. Create the routine ("dropper") that will be the heart of the Trojan and execute the malicious code on the target system 
3. Create a container ("wrapper") with the tool that holds the Trojan, which will be used to install everything on the victim's PC 
4. Propagate the Trojan 
5. Run the dropper 
6. Execute the harmful routine
Trojans + Backdoors - CEH 
- Ways in which a Trojan is able to infect a system 
• Software packages created by disgruntled employees 
• Fake programs (AV pop-ups, rogue security software) 
• Files downloaded from the Internet (games, music, screen savers, etc.) 
• Messaging systems (IM, IRC, AOL, etc.) 
• Suggested links or attachments in emails 
• File sharing 
• Vulnerabilities in the browsers or mail clients used 
• Physical access to the PC
Trojans + Backdoors - CEH 
- How a Trojan evades controls 
• Split the Trojan code into small, separate, compressed parts 
• Change the content and the checksum, and encrypt the Trojan's code using a hex editor 
• Do not use Trojans downloaded directly from the Internet 
• Use various common file extensions to disguise the Trojan executable
Trojans + Backdoors - CEH 
- Some types of Trojans 
• Command Shell Trojan 
• Covert Channel Trojan 
• Botnet Trojan 
• Proxy Server Trojan 
• Remote Access Trojan (backdoor) 
• E-Mail Trojan 
• FTP Trojans 
• E-Banking Trojan 
• Mobile Trojan 
• Spam Trojan 
• Mac OS X Trojan 
• etc.
Trojans + Backdoors - CEH 
- Methods for detecting Trojans on a compromised system 
• Scan open ports 
• Scan active processes 
• Scan the installed drivers 
• Scan Windows services 
• Scan the programs that start at boot 
• Scan for suspicious files or folders 
• Monitor network activity 
• Scan recently modified operating system files 
• Use a Trojan scanner
Viruses + Worms - CEH 
- What is a virus? 
• It is a self-replicating program that inserts its code into other executable programs 
• Some viruses infect the computer as soon as the program containing them is run 
• Other viruses remain dormant until a triggering event activates them
Viruses + Worms - CEH 
- Why are viruses created? 
• To damage competitor companies 
• Financial gain 
• Research projects 
• For fun 
• Acts of vandalism 
• Cyber terrorism 
• To spread political messages
Viruses + Worms - CEH 
- How can a virus infect a computer? 
• The antivirus signature database is not updated 
• Outdated versions of installed plugins 
• Installing pirated or cracked software 
• Opening infected emails 
• When a user downloads files without verifying the source
Viruses + Worms - CEH 
- Some examples of virus types 
• System or Boot Sector Virus 
• File Virus 
• Cluster Virus 
• Multipartite Virus 
• Macro Virus 
• Encryption Virus 
• Polymorphic Virus 
• Shell Virus 
• Tunneling Virus
Viruses + Worms - CEH 
- What is a worm? 
• It is a malicious program that can replicate, run and propagate itself through the network without human intervention 
• Most worms replicate and spread through the network, consuming computing resources 
• Some worms may contain code that damages the infected system 
• Attackers use worms to install backdoors on infected systems so as to create zombies or botnets; botnets are used for future cyber attacks
Viruses + Worms - CEH 
- How to avoid worm and virus infections 
• Install an antivirus and keep its signature database updated 
• Regularly update systems with the latest available security patches 
• Pay particular attention to files or programs downloaded from the Internet 
• Avoid opening email attachments whose sender is unknown 
• Always keep backups of your data so that it can be restored in case of infection 
• Regularly scan your PC 
• Do not use administrative accounts 
• Use programs that control connections (personal firewalls, etc.) 
• Use programs such as Tripwire, sigverif, Windows File Protection
Viruses + Worms - CEH 
Questions?
Sniffer - CEH 
- ARP 
- Uses of sniffing 
- Sniffing techniques 
- Active sniffing 
- Countermeasures
Sniffer - CEH 
- ARP 
• It is a network protocol whose task is to map a host's IP address to its MAC address on an Ethernet network 
• Specified in RFC 826 
• ARP tables 
• ARP Request / ARP Reply mechanism
Sniffer - CEH 
- Uses of sniffing 
• To identify the elements of a network 
a. Routers 
b. DNS servers 
c. Addressing scheme used 
d. Network equipment 
• Obtain the MAC address and IP address of a computer on the network 
• Obtain sensitive data 
a. Credentials travelling over unencrypted channels (HTTP, FTP) 
b. Confidential documents 
c. Password hashes 
d. Etc.
Sniffer - CEH 
- Sniffing techniques 
• Passive sniffing 
a. Applicable only on a network built with hubs 
b. Consists of monitoring the packets travelling over the network 
c. Hubs are obsolete today 
• Active sniffing 
a. A technique used on networks built with switches 
b. Consists of injecting (ARP) packets into the network to generate requests
Sniffer - CEH 
- Active sniffing (1/3) 
• Used where passive listening on the network is not possible because of switches 
• Involves injecting forged packets into the network in order to divert traffic to the attacker 
• Exploits the weaknesses of the ARP protocol 
• It is legitimate when used for monitoring or controlling the network 
a. SPAN port: reserved for duplicating traffic on the switch 
b. Monitoring port 
c. Port mirroring
Sniffer - CEH 
- Active sniffing (2/3) 
• ARP spoofing (poisoning) 
a. Inject forged ARP replies (e.g. with the gateway's MAC) 
b. Must be repeated consistently and frequently 
c. Easily identifiable 
d. Easy to prevent by enabling "port security" on the equipment 
• MAC duplication 
a. Replace one's own MAC address with that of the target machine
Sniffer - CEH
- Active sniffing (3/3)
• MAC Flooding
a. Generate a high volume of spoofed ARP replies
b. Saturates the memory and the refresh capacity of the switches
c. Turns the switch into a hub
• DHCP attack
a. Sends IP requests to the DHCP server in order to exhaust the available address pool
b. It is considered a DoS (Denial of Service)
Sniffer - CEH
- Countermeasures
• Enable port security on the switches that support it
a. Prevents the presence of duplicate MAC addresses
b. Maintains the mapping between MAC addresses and the ports they are connected to
• Use an IDS (Intrusion Detection System)
a. Allows immediate detection of MAC flooding, duplicate MACs and high volumes of ARP traffic
• Use static ARP tables
• Enable DHCP Snooping
a. Prevents DHCP attacks
Sniffer - CEH
- Some useful programs
• ARP attacks
a. Ettercap (http://ettercap.github.io/ettercap/)
b. Cain & Abel (http://www.oxid.it/cain.html)
c. SMAC (http://www.klcconsulting.net/smac-cl/)
• Sniffing tools
a. tcpdump (http://www.tcpdump.org/)
b. Wireshark (http://www.wireshark.org/)
c. Dsniff (http://www.monkey.org/~dugsong/dsniff/)
d. Aircrack-ng (http://www.aircrack-ng.org/doku.php?id=airodump-ng)
Sniffer - CEH 
Questions?
Social Engineering - CEH
- Social Engineering
• "Social Engineering" is the art of fooling people into revealing confidential information
• This kind of technique relies on people being unaware of the value of the information they hold and on their lack of care in keeping that information confidential
Social Engineering - CEH
- Victims of Social Engineering attacks
• Secretaries or help desk personnel
• Users or customers of the company
• Company suppliers
• System administrators
• Technical support staff
Social Engineering - CEH
- Phases of a Social Engineering attack
a. Gather information on the target company
• Dumpster diving
• Website
• Information about employees
• Inspections of the company premises
• etc.
b. Select a victim
• Identify, for example, a disgruntled employee
c. Develop a relationship with the victim
• Begin a relationship with the employee selected as the victim
d. Exploit the relationship
• Obtain information such as user names, financial information, technologies used, etc.
Social Engineering - CEH
- Social Engineering techniques (1/2)
• Human-based
a. Dumpster Diving (searching through the trash)
b. Posing as a legitimate user
c. Posing as a company VIP
d. Posing as a technical support person
e. Intercepting telephone conversations
f. Looking over people's shoulders (Shoulder Surfing)
g. Sneaking into the premises
h. Posing as a third party
i. etc.
Social Engineering - CEH
- Social Engineering techniques (2/2)
• Computer-based
a. Pop-up windows that appear while browsing (gifts, million-dollar sweepstakes, etc.)
b. Hoax letters
c. Chain letters
d. Chat messages (dates of birth, maiden names, names used in the household, etc.)
e. Spam e-mail
f. Phishing
g. Fake SMS messages requesting banking information
Social Engineering - CEH
- Countermeasures
• Adopt clear corporate policies of conduct and enforce them
• Enhance physical security
• Train staff to respond to such threats
• Implement control measures and verify them constantly
• Track the possible recipients and the dangerous content of e-mail
Social Engineering - CEH 
Questions?
Denial of Service - CEH
- What is a Denial of Service?
• A Denial of Service (DoS) attack is an attack on a computer or a computer network designed to inhibit the normal delivery of the services available
• In a DoS attack the attacker floods the victim system with requests until the available resources are saturated
Denial of Service - CEH
- DoS attack techniques
• Ping of Death (ICMP Flood)
a. Send a large number of ICMP requests
b. Leads to saturation of the available memory
c. Modern OSs have protection against Ping of Death
• SYN Flood
a. Exploits the normal operation of the TCP 3-way handshake
b. Saturates the available memory
c. Leaves half-open connections hanging for up to 75 seconds
Denial of Service - CEH
- Why use a DoS attack
• Vandalism
• As an admonitory or activist method
• As an anti-tracking method (Mitnick, Shimomura)
Denial of Service - CEH
- Common DoS programs
• Trinity - IRC DDoS
• r-u-dead-yet (RUDY) - HTTP POST DDoS
• Tribe - Network flood
• Slowloris - HTTP DoS
• Low Orbit Ion Cannon (LOIC) - DoS tool
Denial of Service - CEH
Questions?
Session hijacking - CEH
- What is Session Hijacking?
• Session Hijacking refers to the exploitation and compromise of a valid session between two computers
• An attacker steals a valid session ID to gain access to the system and the data contained in it
• TCP Session Hijacking means an attacker taking control of a TCP session between two computers
Session hijacking - CEH
- Types of Session Hijacking
• Active
a. Consists of taking the place of the host whose session has been discovered
• Passive
a. Consists of routing the traffic through the attacker, who merely observes and records it
• Hybrid
a. Similar to the passive type, but aimed at finding important information
Session hijacking - CEH
- Key Session Hijacking techniques
• Brute forcing
a. The attacker tries different session IDs looking for a valid one
• Stealing
a. The attacker uses various techniques to steal valid session IDs
• Calculating
a. The attacker tries to calculate the value of a valid session ID
Session hijacking - CEH
- Brute Forcing
• Try to identify the session ID in the clear (no SSL)
• Try to identify multiple valid session IDs
• Sessions that have no expiration time
• Accounts that have no credential lockout
Session hijacking - CEH
- Man in the Middle
• Based on sniffing traffic
• Gives the ability to add packets to an existing session
• It can be used to change the sequence number in an attempt to keep the user's session active, for the purpose of injecting malicious code
• The payload of the packets sent can be changed by adding
Session hijacking - CEH
- Session Fixation
• The attacker determines the session ID in advance
• If the victim has already logged in, the attacker tries to keep the session active
• Phishing techniques are used to deliver the session ID to the user
• Once the user has authenticated, the attacker is able to access the target user's data
Session hijacking - CEH
- What are the advantages of Session Hijacking
• Access to the server as an authenticated user
• The access often remains hidden
a. An existing session ID is kept, replacing the original client
b. Hijacking is difficult to trace
c. The credentials are valid
• The nature of the TCP session gives the possibility of continuous access
• No need to re-authenticate or to alter the security package
Session hijacking - CEH 
- Programs for Hijacking 
• Hamster / Ferret 
• Firesheep 
• Ettercap 
• Juggernaut 
• Hunt 
• T-Sight 
• Metasploit 
• SSL Strip
Session hijacking - CEH
- Countermeasures
• Use communications over secure channels (SSL) wherever possible
• Exchange cookies over encrypted channels (HTTPS)
• Implement logout mechanisms that de-authenticate user sessions
• Use session IDs generated only after authorized access
• Use random sequences of numbers and letters to generate session keys
• Exchange only encrypted data between the user and the web server
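The countermeasures above, and the session-fixation and brute-forcing slides before them, translate into a small amount of server-side code. The Python below is an added example, not code from the original slides: it uses the standard library only, and `SessionStore`, the cookie name and the idle timeout are assumptions standing in for whatever a web framework's session backend provides. It issues a fresh random ID at login (so a pre-set ID never becomes an authenticated session), expires idle sessions, invalidates on logout and marks the cookie for HTTPS-only transport.

```python
"""Session-ID handling that applies the countermeasures on this slide.

Added example, not code from the original slides.  Standard library only;
SessionStore is a hypothetical in-memory store standing in for a web
framework's session backend, and the timeout value is an assumption."""
import hmac
import secrets
import time

SESSION_ID_BYTES = 32      # 256 bits of randomness: not guessable or calculable
IDLE_TIMEOUT_S = 15 * 60   # assumption; sessions must expire (see brute-forcing slide)


def new_session_id():
    """Cryptographically random, URL-safe ID from the OS CSPRNG."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def secure_cookie_header(session_id):
    """Cookie attributes so the ID travels only over HTTPS and is hidden from scripts."""
    return f"Set-Cookie: SESSIONID={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._sessions = {}      # session_id -> {"user": str|None, "last_seen": float}

    def start_anonymous(self):
        sid = new_session_id()
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def login(self, presented_sid, user):
        """Issue a brand-new ID at authentication and drop whatever ID the
        client arrived with: a pre-set ID (session fixation) never becomes
        an authenticated session."""
        self._sessions.pop(presented_sid, None)
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def _find(self, sid):
        """Constant-time comparison against every stored ID."""
        if not isinstance(sid, str) or not sid.isascii():
            return None
        for known in self._sessions:
            if hmac.compare_digest(known, sid):
                return known
        return None

    def user_for(self, sid):
        """Return the user of a live authenticated session, enforcing the idle timeout."""
        known = self._find(sid)
        if known is None:
            return None
        data = self._sessions[known]
        if self._now() - data["last_seen"] > IDLE_TIMEOUT_S:
            del self._sessions[known]    # expired IDs stop working server-side
            return None
        data["last_seen"] = self._now()
        return data["user"]

    def logout(self, sid):
        """Server-side invalidation: the ID is useless even if the client keeps it."""
        known = self._find(sid)
        if known is None:
            return False
        del self._sessions[known]
        return True
```

The linear scan in `_find` keeps the comparison constant-time for a small store; a production backend would look the ID up by an HMAC of itself instead.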
Session hijacking - CEH 
Questions?
Hacking Web Servers - CEH
- Current web server vendors
• Apache 
• Microsoft IIS 
• Lighttpd 
• Google 
• Nginx
Hacking Web Servers - CEH
- Architecture of a web server
• Communication ports and protocols used
a. HTTP (Hypertext Transfer Protocol), port 80
b. HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer), port 443
• Handles requests received from clients using various methods
a. GET
b. POST
c. TRACE
• Potentially vulnerable to
a. Malformed GET / POST requests
b. SQL Injection
c. Configuration errors
d. Etc.
Hacking Web Servers - CEH
- Impact of attacks on a web server
• Compromise of user accounts
• Tampering with the data managed
• Use as a bridge to other web attacks
• Theft of information
• Administrative access to the server or to other applications
• Defacement of the hosted site
Hacking Web Servers - CEH
- Some types of attack on the web server
• Web server configuration errors
a. Administrative features enabled
b. Error messages rich in debug information
c. Backups, old copies of configuration files, scripts
d. Anonymous or test users enabled with easily guessable passwords
e. Etc.
Hacking Web Servers - CEH
- Some types of attack on the web server
• Directory Traversal
a. Access to confidential system directories
b. Execution of commands external to the web server
c. Access to confidential information
d. Use of UNICODE encoding to mask requests
Hacking Web Servers - CEH
- Some types of attack on the web server
• Tampering with the request parameters (URL)
a. Changing the parameters exchanged between client and server
b. Example: http://www.example.com/sample?a=1234&b=456&admin=1
• URL Obfuscation
a. UNICODE, binary, decimal encoding, etc.
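The `admin=1` example above only works when the server reads its privilege decision from the request. As an added example (not code from the original slides), the Python below parses the slide's own URL and shows the vulnerable handler, which trusts the parameter, next to the hardened one, which takes the role from server-side session state and ignores the parameter. The session and role tables and both handler functions are constructed assumptions.

```python
"""Server-side authorization versus trusting a request parameter.

Added example, not code from the original slides.  The URL is the slide's
own example; SESSIONS, ROLES and the two handlers are hypothetical."""
from urllib.parse import parse_qs, urlsplit

# Constructed server-side state: which session belongs to which user, and roles
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
ROLES = {"alice": "admin", "bob": "user"}

TAMPERED_URL = "http://www.example.com/sample?a=1234&b=456&admin=1"


def parse_params(url):
    """Flatten the query string to {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def is_admin_vulnerable(url, session_id):
    """Vulnerable: the privilege decision is read from a client-controlled
    parameter, so anyone holding any valid session can append admin=1."""
    params = parse_params(url)
    return session_id in SESSIONS and params.get("admin") == "1"


def is_admin_hardened(url, session_id):
    """Hardened: the role is looked up from server-side session state; the
    value of 'admin' in the URL is never consulted."""
    user = SESSIONS.get(session_id)
    return user is not None and ROLES.get(user) == "admin"
```

The same rule covers hidden form fields and cookies that carry role or price values: anything the client can edit is input, and authorization must be decided from state the client cannot reach.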
Hacking Web Servers - CEH
- Some types of attack on the web server
• Source Code Analysis
a. Discovery of sensitive directories, other servers or services
b. Users and passwords
c. Preconfigured or default session IDs
• Passwords
a. Brute force attack
b. Dictionary attack
c. Hybrid attack
d. Simple passwords
Hacking Web Servers - CEH
- Methodology for attacking the web server (1/2)
• Information gathering
a. Gathering information about the target company
b. Searching newsgroups, forums, etc.
c. Whois, traceroute, etc. to map the structure of the victim's systems
• Identification of the type of web server
a. Server type, operating system, etc.
• Copy of the website structure
a. Create a copy of the site structure
b. Look for useful comments within the code
Hacking Web Servers - CEH
- Methodology for attacking the web server (2/2)
• Scanning for known vulnerabilities
a. Identify any weaknesses in the system
b. HP WebInspect, Nessus, etc.
• Session Hijacking
a. Sniffing valid session IDs for unauthorized access
b. Burp Suite, Paros Proxy, Hamster, FireSheep
• Cracking the passwords used by the web server
a. Attempt to find passwords using various useful techniques
b. Brutus, THC-Hydra, etc.
Hacking Web Servers - CEH
- Countermeasures
• Regularly scan and patch systems
• Apply every update provided by the software vendors
• Ensure that all systems have the same versions of Service Packs, Hotfixes and Security Patches
• Have a disaster recovery plan and backups of the systems in case a recovery is required
Hacking Web Servers - CEH 
Questions?
Hacking Web Apps - CEH
- Defining a Web Application
• A communication interface between the user and the web server, made up of several server-generated pages that contain scripts or commands to be executed dynamically by the user's browser
• Businesses rely on web applications, and on web technology in general, as key support for business processes and for improving them
Hacking Web Apps - CEH
- Components of a Web App
• The web server
• The application content
• Data access
Hacking Web Apps - CEH
- How a Web App works
[Diagram: User → User request → Web Server → Web Application → OS Command / DBMS → Output]
Hacking Web Apps - CEH
- Types of Web App attacks (1/2)
• SQL Injection
a. The most common and most effective attack
b. Exploits the input forms present in web pages
c. Forces login requests in order to obtain valid credentials
d. Interfaces with the DB (alter, insert, delete tables)
• Automated tools
a. sqlmap
b. SQL Ninja
c. Havij
d. Etc.
Hacking Web Apps - CEH
- Types of Web App attacks (2/2)
• Cross Site Scripting (XSS)
a. Forces the execution of script actions that were not intended
b. Execution of commands or installation of software
c. Based on incorrect handling of user input by the application
d. The tag par excellence that indicates an XSS: "<script>"
• Cross Site Request Forgery (CSRF)
a. Forces the user's browser to send malicious requests without the user's control
b. The victim has a valid active session on a "trusted" site while visiting a malicious site, which injects a malformed HTTP request that is forwarded to the main site and carried out as if legitimate
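Both attacks on this slide come down to the same server-side defect (user input or a cross-site request treated as trusted), and both have a short fix. The Python below is an added example, not code from the original slides: it renders a comment with and without output encoding, and adds a per-session CSRF token that a forged cross-site request cannot supply. The probe string, the session IDs and the `CsrfGuard` / `handle_transfer` helpers are constructed stand-ins for a framework's own middleware and handler.

```python
"""Output encoding against XSS and a per-session CSRF token, side by side with
the unprotected versions.  Added example, not code from the original slides;
the probe string and session IDs are constructed, and CsrfGuard is a
hypothetical stand-in for a framework's CSRF middleware."""
import hmac
import html
import secrets

XSS_PROBE = '<script>alert(document.cookie)</script>'


def render_comment_vulnerable(comment):
    """User input is pasted straight into the page: the browser runs the script."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment):
    """HTML-escape on output, so <, >, &, and both quote characters become
    entities and the browser displays the text instead of executing it."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


class CsrfGuard:
    """Issues one unguessable token per session and requires the same token
    back in every state-changing request.  A forged request from another site
    carries the session cookie automatically but cannot know the token."""

    def __init__(self):
        self._tokens = {}   # session_id -> token

    def issue(self, session_id):
        token = secrets.token_hex(16)
        self._tokens[session_id] = token
        return token

    def check(self, session_id, presented):
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(presented, str):
            return False
        return hmac.compare_digest(expected, presented)


def handle_transfer(guard, session_id, form):
    """Hypothetical state-changing handler: rejects any request whose CSRF
    token does not match the one issued to this session."""
    if not guard.check(session_id, form.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form['amount']} to {form['to']}"
```

Escaping must happen at output and for the context the value lands in (here an HTML element body); a value placed inside a JavaScript string or a URL needs its own encoder.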
Hacking Web Apps - CEH
- Methodology for attacking a Web App
• Obtain a map of the web infrastructure
• Attack the web servers
• Analyse the web application
• Attempt to bypass the authentication mechanisms
• Attempt to bypass the authorization mechanisms
• Attack the session control mechanisms
• Attempt packet injection
• Attack the Web App client where possible
• Attack the web services used by the application
Hacking Web Apps - CEH
- Web Application Firewall (WAF)
• Firewall with advanced features
• Specialized in defending web applications
• Allows analysis of HTTP / HTTPS traffic in order to intercept and, where necessary, block dangerous requests
• Allows you to block SQL injection attacks, buffer overflows, XSS, etc.
Hacking Web Apps - CEH 
Questions?
SQL Injection - CEH
- What is SQL Injection?
• SQL injection is a technique that exploits incorrect validation of user input by the web application in order to execute SQL commands on the back-end DB
• SQL Injection is an attack aimed at obtaining unauthorized access to the database or to the information contained in it
SQL Injection - CEH
- Types of SQL Injection attack
• Bypassing authentication methods
• Disclosure of sensitive information
• Compromising the integrity of the managed data
• Impairing the availability of the managed data
• Running remote commands
SQL Injection - CEH
- Methods for detecting SQL Injection
a. Check whether the web application accesses a DB server
b. Enumerate the possible user inputs that could be exploited to execute SQL commands
c. Simulate the insertion of code into user input fields
d. Simulate entering numbers in fields reserved for strings
e. The UNION operator is used in SQL Injection techniques to concatenate SQL statements
f. Check how much information is contained in error messages
SQL Injection - CEH 
- Types of SQL Injection 
a. Simple SQL Injection 
• SQL Union 
• SQL Error 
b. Blind Injection
SQL Injection - CEH
- Simple SQL Injection Attacks
• System stored procedures
a. Attacks based on the use of "stored procedures" already present in the DB
b. UNION query
SELECT name, phone, address FROM Users WHERE ID = 1 UNION ALL SELECT CreditCardNumber, 1, 1 FROM CreditCardTable
c. Tautology (a statement that is true by definition)
SELECT * FROM user WHERE name = '' OR '1' = '1';
d. Commenting out the end of the line
SELECT * FROM user WHERE name = 'x' AND userid IS NULL; --';
e. Understanding the structure of the DB via requests with parameters that are not allowed
SQL Injection - CEH
- Blind SQL Injection
• A technique used when the web application is subject to SQL injection but the responses are not visible to the attacker
• Blind SQL Injection follows the same philosophy as normal SQL Injection, except that the attacker is not able to see the specific error generated
• This type of attack can become very expensive in terms of time, because of the large number of requests that have to be sent for every single bit of information obtained
SQL Injection - CEH
- SQL Injection attack methodology
a. Information gathering
b. Finding an SQL Injection vulnerability
c. Exploiting the vulnerability found
d. Extracting data from the database
e. Interacting with the operating system
f. Compromising the entire network
SQL Injection - CEH
- Programs for SQL Injection
a. SQL Power Injector (http://www.sqlpowerinjector.com/)
b. BSQLHacker (http://labs.portcullis.co.uk/tools/bsql-hacker/)
c. Marathon Tool (http://marathontool.codeplex.com/)
d. Absinthe (https://github.com/HandsomeCam/Absinthe)
e. SqlNinja (http://sqlninja.sourceforge.net/)
f. sqlmap (http://sqlmap.org/)
SQL Injection - CEH
- Countermeasures
a. Use an account with minimum privileges on the DB
b. Disable functions or procedures not needed for the operation of the application
c. Monitor connections with IDS, WAF, etc.
d. Use custom error messages
e. Filter the data coming from the client
f. Provide security controls on the data that the application passes into requests to the database
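The tautology and end-of-line-comment inputs from the "Simple SQL Injection Attacks" slide, and countermeasure f above, can be shown together in a few lines. The Python below is an added example, not code from the original slides: it runs a string-concatenated query and its parameterized equivalent against an in-memory SQLite database, so the reader can see the injected input return every row from the first and nothing from the second. The `user` table and its rows are constructed sample data.

```python
"""A string-built query beside its parameterized form, run against SQLite.

Added example, not code from the original slides.  The user table and its
rows are constructed sample data; the two probe inputs follow the
tautology and comment examples from the slide."""
import sqlite3


def make_db():
    """In-memory database with a small constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userid INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO user (userid, name, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Builds the SQL by concatenation: the input is parsed as SQL, not as data."""
    query = "SELECT name FROM user WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    """Parameterized query: the driver binds `name` as a value, so quotes,
    OR and comment markers inside it never reach the SQL parser as syntax."""
    return [row[0] for row in conn.execute("SELECT name FROM user WHERE name = ?", (name,))]


# Inputs shaped like the slide's tautology and end-of-line-comment examples
TAUTOLOGY_INPUT = "' OR '1' = '1"
COMMENT_INPUT = "x' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    for probe in (TAUTOLOGY_INPUT, COMMENT_INPUT):
        print("concatenated:", find_user_vulnerable(db, probe))
        print("parameterized:", find_user_safe(db, probe))
```

Parameterization handles countermeasure f; countermeasures a and d still matter, because a query that is safe from injection can still leak through an over-privileged account or a verbose error page.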
SQL Injection - CEH 
Questions?
Hacking Wireless - CEH
- Wireless LAN
- Bluetooth
Hacking Wireless - CEH
- Wireless LAN
• Wi-Fi was developed according to the IEEE 802.11 standard and is widely used in wireless communication, since it provides access to applications and data over the wireless network
• The Wi-Fi standard defines numerous ways of establishing a connection between transmitter and receiver, such as DSSS, FHSS, Infrared (IR) and OFDM
Hacking Wireless - CEH 
- Types of Wireless 
• As an extension of a wired network 
• Multiple Access Points 
• LAN-to-LAN Wireless Network (Bridge Mode) 
• 3G Hotspot
Hacking Wireless - CEH
- Wireless standards
• 802.11a: bandwidth up to 54 Mbps, 5 GHz frequency used
• 802.11b: bandwidth up to 11 Mbps, 2.4 GHz frequency used
• 802.11g: bandwidth up to 54 Mbps, 2.4 GHz frequency used
• 802.11i: a standard that amends 802.11a/b/g by adding improved encryption for networks
• 802.11n: bandwidth over 100 Mbps
• 802.16: a standard for wireless broadband developed for MANs (Metropolitan Area Networks)
• Bluetooth: standard with very short range (<10 m) and low speed (1-3 Mbps), developed for low-power devices such as PDAs
Hacking Wireless - CEH
- Types of encryption used in wireless
• WEP
a. The first and oldest standard used in wireless communications
• WPA
a. Uses a 48-bit IV
b. 32-bit CRC
c. TKIP encryption
• WPA2
a. Uses AES encryption (128-bit) and CCMP
• WPA2 Enterprise
a. Integrates the WPA standard with EAP
Hacking Wireless - CEH
- How WEP is cracked
• Configure the wireless interface in monitor mode on the specific channel of the access point
• Verify the ability to inject packets towards the AP
• Use a program such as aireplay-ng to simulate a fake authentication to the AP
• Run a sniffer to collect unique IVs
• Use a tool to extract the encryption key from the collected IVs
Hacking Wireless - CEH
- How WPA/WPA2 is cracked
• WPA PSK
WPA-PSK uses a user-chosen key to initialise TKIP; it cannot be broken with a precomputed package, but it can be recovered with a brute-force dictionary attack
• Brute-force WPA
Use a program such as aircrack, aireplay or KisMAC to try to find the key
• Offline attack
Collect a considerable number of packets so as to obtain the WPA/WPA2 authentication handshake
• De-authentication attack on connected clients
Consists of forcing clients already connected to the AP to disconnect and reconnect, in order to collect the authentication packets for subsequent cracking
Hacking Wireless - CEH
- Wireless attack methodology
• Locating the target Wi-Fi network
• GPS mapping
• Wireless network traffic analysis
• Attack on the Wi-Fi network
• Cracking the encryption used
• Compromising the Wi-Fi network
Hacking Wireless - CEH 
- Bluetooth 
• Easy to use 
• Easy to detect 
• Types of Attack 
a. BlueSmacking 
b. Bluejacking 
c. BlueSniffing 
d. Bluesnarfing
Hacking Wireless - CEH 
Questions?
Evading IDS, Firewalls, Honeypots - CEH 
- IDS 
- Firewall 
- Snort 
- HoneyPot
Evading IDS, Firewalls, Honeypots - CEH
- IDS
• An Intrusion Detection System (IDS) is a system that collects and analyzes information from a computer or a network in order to identify possible violations of security policies
• An IDS is essentially a "packet sniffer" that intercepts the packets travelling over, for example, a TCP/IP network
• The packets are analyzed after they have been captured
• An IDS evaluates a suspected intrusion once it has taken place and signals an alarm
Evading IDS, Firewalls, Honeypots - CEH
- Methods for identifying an intrusion
• Signature Recognition
This type of system attempts to identify events that indicate improper use of the system.
• Anomaly Detection
Attempts to identify threats by analysing the characteristic behaviour of a user or of a given component of a system
• Protocol Anomaly Detection
The models used for this type of recognition are based on the specifications of the protocol used, for example TCP/IP
Evading IDS, Firewalls, Honeypots - CEH
- Types of Intrusion Detection System (1/2)
• Network-based
a. This system typically consists of a black box placed inside the network, which captures traffic in promiscuous mode and tries to identify threats based on preset patterns
• Host-based
a. This system is based on listening to the events generated by a specific host
b. It is not commonly used because of the excessive monitoring workload
Evading IDS, Firewalls, Honeypots - CEH
- Types of Intrusion Detection System (2/2)
• Log file monitoring
a. This type of system is based on a program that scans the log files looking for events that have already happened
• File integrity checking
a. This type of system checks for the presence of any Trojan Horses or changed files that indicate a possible intrusion.
b. Tripwire (http://www.tripwire.com/)
Evading IDS, Firewalls, Honeypots - CEH
- Firewall
• A hardware or software system designed to prevent unauthorized access to or from a private network
• It is placed at strategic points such as junctions, or acts as the network gateway
• A firewall monitors all messages entering and leaving the private network, blocking those that do not meet specific security criteria
• Firewalls only care about the type of traffic, the addresses and the destination ports
Evading IDS, Firewalls, Honeypots - CEH
- DeMilitarized Zone (DMZ)
• The DMZ is an isolated segment of the LAN, accessible from both the internal and external networks, but characterized by the fact that the hosts in the DMZ have limited possibilities of connecting to specific hosts on the internal network
• It is created using a firewall with at least 3 physical network adapters, each assigned specific rules: Trusted Network, DMZ Network and Un-Trusted External Network (Internet)
Evading IDS, Firewalls, Honeypots - CEH
- Types of Firewall (1/2)
• Packet Filter
a. Works at the network layer of the OSI model
b. Each packet is analyzed according to established rules before being forwarded
c. The rules can specify IP address, source or destination port and the type of protocol
• Circuit-Level Gateway
a. Works at the session layer of the OSI model
b. Monitors the TCP handshake to identify a legitimate connection
c. The information passed to the remote computer appears to originate from the gateway / firewall
d. This type of firewall is able to mask information about the network it protects, but does not filter the packets individually
Evading IDS, Firewalls, Honeypots - CEH
- Types of Firewall (2/2)
• Application-Level
a. Works at the application layer of the OSI model
b. Does not allow access to services that are not proxied by the firewall
c. When configured as a web proxy, services such as FTP, telnet and others are not allowed
d. Acting at the application level, this kind of device is able to filter specific application commands, for example HTTP GET or POST
• Stateful Multilayer Inspection
a. This kind of firewall combines the functionality of the previous models
b. They work by filtering packets at the network layer, identifying a legitimate session and passing the content to inspection at the application layer
Evading IDS, Firewalls, Honeypots - CEH
- Intrusion Detection System: Snort
• Open source IDS that can analyze traffic in real time and log any problems on a network
• It is able to analyze the protocols and the content of packets to detect attempted attacks, buffer overflows, port scans, attacks on CGI scripts, etc.
• Uses its own language for writing rules
• Uses of Snort
a. Directly as a simple sniffer, like tcpdump
b. Packet logger (for troubleshooting network problems)
c. As an IPS (Intrusion Prevention System)
Evading IDS, Firewalls, Honeypots - CEH
- The Snort rules
• The rules engine allows you to create custom rules specific to the various types of network and to the use you want to make of it
• The Snort rules make it possible to distinguish between normal browsing activity, legitimate network activity and "mischievous" activity
• A rule must be contained on a single line; the parser does not allow a rule to span multiple lines
• Snort rules are logically divided into two parts:
a. Rule Header: identifies the action that the rule will execute, for example alert, log, pass, activate, etc.
b. Rule Options: identify the alert message of the rule
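The header/options split and the single-line constraint above can be made concrete with a small parser. The Python below is an added example, not code from the original slides or from the Snort project: it splits a rule into its seven header fields and its `keyword:value;` options, refuses multi-line rules and unknown actions, and is run over a constructed sample rule written in Snort's documented syntax (the rule, its `sid` and the option set are assumptions, and only the common option form is handled).

```python
"""Split a Snort rule into its header and its options.

Added example, not from the original slides or from the Snort project.  The
rule text is a constructed sample written in Snort's documented syntax; the
parser covers the common "key:value;" / "flag;" option form only."""
import re

SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB-APP SQL tautology in request"; flow:to_server,established; '
    'content:"OR 1=1"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)'
)

HEADER_FIELDS = ("action", "protocol", "src", "src_port", "direction", "dst", "dst_port")
ACTIONS = {"alert", "log", "pass", "activate", "dynamic", "drop", "reject", "sdrop"}
_HEADER_RE = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)")


def parse_options(text):
    """Options are ';'-separated; a value may be quoted and may contain ';'."""
    options, buf, in_quotes = [], "", False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            item = buf.strip()
            if item:
                key, sep, value = item.partition(":")
                options.append((key.strip(), value.strip().strip('"') if sep else None))
            buf = ""
        else:
            buf += ch
    if buf.strip():
        raise ValueError("option not terminated by ';': " + buf.strip())
    return options


def parse_rule(rule):
    """Return (header_dict, option_list).  Rejects multi-line rules and
    unknown actions, mirroring what the Snort parser would refuse."""
    rule = rule.strip()
    if "\n" in rule:
        raise ValueError("a Snort rule must be written on a single line")
    m = _HEADER_RE.fullmatch(rule)
    if m is None:
        raise ValueError("malformed rule: expected 'action proto src sport dir dst dport (options)'")
    header = dict(zip(HEADER_FIELDS, m.groups()[:7]))
    if header["action"] not in ACTIONS:
        raise ValueError("unknown action: " + header["action"])
    return header, parse_options(m.group(8))


def option(options, key):
    """First value recorded for an option keyword, or None."""
    return next((v for k, v in options if k == key), None)
```

Keeping header and options separate is what lets a rule base be audited: the header answers "what traffic and what action", the options answer "what pattern and which alert", and a rule whose `msg` or `sid` is missing is easy to flag before it ships.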
Evading IDS, Firewalls, Honeypots - CEH
- HoneyPot
• A system used and configured specifically to attract and trap those who attempt to penetrate our network
• Simulates a vulnerable and easily hackable system or service
• Uses:
a. Study of the attack methods used
b. Study of the sources of attacks
c. As an effective stopgap to protect the real target systems
• Must be positioned so that it is segregated from the production environment
• Verify the legality of using this type of system
Evading IDS, Firewalls, Honeypots - CEH
- Evading the IDS
• Identify any interfaces in promiscuous mode
a. AntiSniff program
b. NEPED antisniffer program
• Intercept the alerts sent by the IDS
• Use evasion techniques or polymorphic shellcode
• Attack the IDS:
a. Snort vulnerabilities
b. OS vulnerabilities or vulnerabilities in exposed services
Evading IDS, Firewalls, Honeypots - CEH 
Questions?
Buffer Overflow - CEH 
- Defining Buffer Overflow 
- Method Buffer Overflow 
- Identify a Buffer Overflow 
- Countermeasures to Buffer Overflow
Buffer Overflow - CEH
- Defining Buffer Overflow
• A security vulnerability that occurs when a program does not properly check the length of incoming data, but simply writes it into a fixed-length buffer, trusting that the data will not exceed the space previously allocated
Buffer Overflow - CEH
- Why are programs and applications vulnerable?
• In many cases the controls on the data handled are ineffective or absent
• In many cases the programming languages used are themselves prone to this vulnerability
• Programs and applications are not developed following security best practices
• Functions such as strcat(), strcpy(), sprintf(), vsprintf(), gets(), scanf(), used in "C", may be subject to buffer overflow because they do not check the length of the buffer
Buffer Overflow - CEH
- The Stack and Buffer Overflow
• A stack buffer overflow occurs when a buffer located on the stack is overwritten beyond its bounds
• An attacker can exploit this issue to take control of the program's flow via the stack and execute arbitrary code
Buffer Overflow - CEH
- The Heap and Buffer Overflow
• When a program copies data into memory without carrying out the necessary checks, this can be exploited by an attacker to gain control of the information managed on the heap
• The attacker creates a buffer that fills the bottom of the heap and overwrites other dynamic variables, with effects unexpected by the normal execution of the program
Buffer Overflow - CEH
- Buffer Overflow method
• Find a possible buffer overflow and what its triggering condition is
• Send more data than the program can handle
• Overwrite the return address of a function
• Run your own malicious code (shellcode)
Buffer Overflow - CEH
- How to identify a Buffer Overflow?
a. Run the program on your own machine
b. Insert large amounts of data with identifiable control characters, for example "$$$$" at the end of a string
c. The program crashes
d. Look in the program's dump for the control characters used, to identify the trigger point of the buffer overflow
e. Using a debugger (gdb, OllyDbg, etc.), analyze the behaviour of the program
f. Write the exploit for the buffer overflow just found
Buffer Overflow - CEH
- Countermeasures to Buffer Overflow
• Manual code review
• Compilation techniques
• Use secure development libraries
• Disable stack execution
• Use randomized stack addresses
• Implement run-time checks
Buffer Overflow - CEH 
Questions?
Cryptography - CEH
- What is Encryption?
• Encryption is the conversion of data into an encrypted form
• Encryption can be used to protect:
a. E-mail messages
b. Credit card information
c. Sensitive data
d. etc.
• Objectives of cryptography
a. Confidentiality
b. Integrity
c. Non-repudiation
d. Authenticity
Cryptography - CEH
- Types of Encryption
• Symmetric cryptography
Symmetric encryption uses the same key to encrypt and decrypt data (secret-key, shared-key, private-key)
• Asymmetric encryption
Asymmetric encryption uses different keys for encryption and decryption. These keys are identified as the public key and the private key (public-key)
• Hash functions
A hash function does not use any key to encrypt or decrypt
Cryptography - CEH
- Encryption Algorithms
• Encryption algorithms are used to encrypt and decrypt data
• Classic algorithms
a. Substitution ciphers
Consist of replacing bits, characters or blocks of characters with different bits, characters or blocks
b. Transposition ciphers
The letters of the plaintext are moved a certain number of positions to create the ciphertext
• Modern algorithms
a. Based on the type of keys used
Private key: the same key to encrypt and decrypt
Public key: two different keys to encrypt and decrypt
b. Based on the type of input
• Block cipher: encryption of data blocks of a fixed length
• Stream cipher: encryption of a continuous data stream
Cryptography - CEH
- Symmetric encryption
• Same key to encrypt and decrypt
• ECB / CBC and other variants
• The key is difficult to distribute
• From DES to AES
a. NIST competition 1995-2001
b. Originally called Rijndael
Cryptography - CEH
- Asymmetric encryption
• ECDSA: based on elliptic curves
• RSA: based on prime numbers
• Two keys, public and private
a. If encrypted with the private key, decrypted with the public key
b. If encrypted with the public key, decrypted with the private key
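The two directions on this slide are the same modular exponentiation with the other exponent, which a toy RSA makes visible. The Python below is an added example, not code from the original slides: it builds a key pair from the well-known textbook primes p = 61 and q = 53 with e = 17, then shows public-encrypt / private-decrypt and private-sign / public-verify on small integers. The numbers are assumptions chosen for readability; real RSA uses moduli of thousands of bits and pads the message before exponentiation.

```python
"""Toy RSA showing that the two keys undo each other in either order.

Added example, not from the original slides.  p, q and e are the small
textbook values (p=61, q=53, e=17): fine for seeing the mechanism, useless
for real security, where moduli are thousands of bits and messages are padded."""


def modinv(a, m):
    """Multiplicative inverse of a modulo m via the extended Euclidean algorithm."""
    old_r, r = a, m
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("no inverse: a and m are not coprime")
    return old_s % m


def toy_keypair(p=61, q=53, e=17):
    """Return (public_key, private_key) as (exponent, modulus) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (e, n), (d, n)


def apply_key(value, key):
    """Modular exponentiation with either key; RSA is the same operation both ways."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def encrypt(m, public_key):
    """Slide item b: encrypted with the public key, decrypted with the private key."""
    return apply_key(m, public_key)


def decrypt(c, private_key):
    return apply_key(c, private_key)


def sign(m, private_key):
    """Slide item a: encrypted with the private key, decrypted with the public key."""
    return apply_key(m, private_key)


def verify(m, signature, public_key):
    return apply_key(signature, public_key) == m
```

Because anyone can run `apply_key` with the public exponent, "decrypting with the public key" proves only that the private key produced the value, which is why that direction is a signature and not confidentiality.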
Cryptography - CEH
- Hash
• From a text, a unique and irreversible "number"
• The limits of hashing: collisions
• Hash algorithms:
a. MD5
b. SHA-1
c. Etc.
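The three bullets above (a fixed-size fingerprint, irreversibility, and the collision limit) can each be checked with the standard library. The Python below is an added example, not code from the original slides: it computes digests, measures how many bits change between the digests of two nearly identical messages, and wraps an integrity check that refuses the two algorithms named on the slide, since practical collisions have been published for both MD5 and SHA-1. The messages are constructed.

```python
"""Hash properties from the slide (fixed-size fingerprint, irreversibility
shown as avalanche, collision caveat) with the standard library.

Added example, not code from the original slides; the messages are constructed."""
import hashlib
import hmac

BROKEN_FOR_COLLISIONS = {"md5", "sha1"}   # practical collisions are published for both


def digest_hex(data, algo="sha256"):
    """Fixed-length hex fingerprint of arbitrary-length data."""
    return hashlib.new(algo, data).hexdigest()


def differing_bits(hex_a, hex_b):
    """Number of bit positions in which two equal-length digests differ."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must be the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche(data_a, data_b, algo="sha256"):
    """(bits changed, total bits): a one-character change flips about half the digest,
    which is why nothing about the input can be read back from the output."""
    a, b = digest_hex(data_a, algo), digest_hex(data_b, algo)
    return differing_bits(a, b), len(a) * 4


def verify_integrity(data, expected_hex, algo="sha256"):
    """Integrity check of received data against a published digest.  Refuses
    algorithms with known collision attacks, since an attacker could then
    prepare two files that share the published value."""
    if algo in BROKEN_FOR_COLLISIONS:
        raise ValueError(f"{algo} is not collision resistant; use SHA-2 or SHA-3")
    return hmac.compare_digest(digest_hex(data, algo), expected_hex.lower())
```

A plain digest only protects integrity against accidental change; when the digest itself travels with the data over an untrusted path it has to be signed or keyed (HMAC), which is the "Symmetric + Asymmetric + Hash" combination on the next slide.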
Cryptography - CEH
- Symmetric + Asymmetric + Hash
• Certificates
• Digital signature
• Authentication (Strong Authentication)
- Uses:
• GSM
• SSL
• Etc.
Cryptography - CEH 
Questions?
Pen Testing - CEH
- Penetration Test
• A pentest simulates the methods used by intruders to gain unauthorized access to an organization's network and resources, for the purpose of compromising data and information
• When carrying out security tests, the tester is limited by the available resources, such as time, expertise and access to equipment, as specified in the indemnity
• Many attacks follow a common approach to violating the security of a system
Pen Testing - CEH
- Security Assessments
• Every organization uses different types of security assessment to validate the security level of the resources within its network
• Categories of Security Assessment:
a. Security Audit
b. Vulnerability Assessment
c. Penetration Testing
• Each type of Security Assessment requires different skill levels from those who carry out the tests
Pen Testing - CEH 
- Vulnerability Assessment 
• Network scanning 
• Scanning tools 
• Security errors 
• Testing systems and the network
Pen Testing - CEH 
- Limitations of Vulnerability Assessment 
• The scanning programs used to identify vulnerabilities only reflect a given point in time 
• They need to be updated when new vulnerabilities or features appear 
• This affects the result of the assessment 
• The methodologies used by the various software products, and the options chosen, may give different results
Pen Testing - CEH 
- Penetration Testing 
• A pentest not carried out professionally can cause serious disruption to normal service delivery 
• A pentest verifies the company's security model as a whole 
• It detects the potential threats that would be exploited in a real attack 
• Testers differ from attackers only in the purpose of their actions
Pen Testing - CEH 
- What should be tested? 
• Communication errors, abuse of e-commerce, loss of credentials, etc. 
• Exposed public systems: websites, mail servers, platforms, remote access (RDP, VPN, etc.) 
• Mail, DNS, firewalls, passwords, FTP, IIS and web servers
Pen Testing - CEH 
- What makes a pentest reliable? 
• Establish a precise perimeter for the pentest: objectives, limitations, justification of the procedures used 
• Rely on experienced and competent professionals to perform the tests 
• Choose a suitable set of tests that balances costs and benefits 
• Follow planned, well-documented methodologies 
• Document the results completely and exhaustively, but above all in a way the final customer can understand 
• Clearly highlight in the final report the potential risks, the vulnerabilities and their solutions
Pen Testing - CEH 
- Types of Penetration Testing (1/2) 
• From the outside 
a. The external pentest gathers information by analyzing everything publicly available about the target (e.g. mail server, web server, firewall, router, etc.) 
b. It is the traditional approach to penetration testing 
c. The tests focus only on the target's servers, infrastructure and base software 
d. The tests may be done: 
• without any prior information about the target (Black Box) 
• with comprehensive information about the type of environment that will be tested (Gray / White Box)
Pen Testing - CEH 
- Types of Penetration Testing (2/2) 
• From the inside 
a. The tests are carried out from every possible point of access 
b. Within a target, access is tested from external locations, branch offices, the DMZ, etc. 
c. The tests essentially follow the methods used for external testing, but add a point of view from within the infrastructure that gives a much more comprehensive picture of it
Pen Testing - CEH 
- Black-box Penetration Testing 
• No knowledge of the infrastructure to be tested 
• Usually only the company name is provided 
• The tests faithfully simulate a real attack 
• A considerable amount of time is spent on gathering information and understanding the infrastructure to be tested 
• It is an expensive and time-consuming type of test
Pen Testing - CEH 
- Gray-box Penetration Testing 
• Limited knowledge of the infrastructure to be tested 
• Performs internal security assessment and testing 
• Focused on the security of the applications, looking for all the vulnerabilities an attacker could exploit 
• It is mostly used when, starting from a black-box test, a deeper understanding of a well-protected system is needed to investigate further vulnerabilities
Pen Testing - CEH 
- White-box Penetration Testing 
• Complete knowledge of the infrastructure to be tested 
• The tests simulate actions that could be committed by company employees 
• Preliminary information provided: 
a. The company's infrastructure 
b. Type of network 
c. The security measures in place 
d. Firewalls, network addressing, IDS, etc. 
e. The company policy on what may and may not be done
Pen Testing - CEH 
- Stages of a Penetration Test (1/3) 
• Pre-attack phase 
a. This phase defines how the test will be conducted and the objectives to be achieved 
b. Gathering information about the target is considered essential in this initial phase 
c. An attack plan to follow is formulated 
d. Reconnaissance can be of two types: 
Passive reconnaissance: collect information about the target from public sources 
Active reconnaissance: collect information through posts on social networks, social engineering, websites visited, interviews, questionnaires, etc.
Pen Testing - CEH 
- Stages of a Penetration Test (2/3) 
• Attack phase 
a. Penetrate the perimeter to gain unauthorized access to the network 
b. Compromise the security of the various targets 
c. Compromise systems, access the data they manage, run exploits, etc. 
d. Escalate privileges
Pen Testing - CEH 
- Stages of a Penetration Test (3/3) 
• Post-attack phase 
a. It is the most critical part of the whole process 
b. It consists of "cleaning up" the traces of the tester's actions, in order to return the systems to their pre-test state 
c. The actions include: 
• Removal of files copied onto the systems 
• Cleaning of logs or registry entries and removal of any vulnerabilities introduced 
• Removal of any exploits or programs used 
• Disabling any shares or unauthorized connections created 
• Analysis of the findings and presentation to the customer
Pen Testing - CEH 
Questions?
Thank you 
Take a basic course on "Penetration test": 
https://www.udemy.com/basic-professional-penetration-tests/?couponCode=HACKING%408 
Hacking Basic Professional Penetration Test 
Designed for penetration testing and web security, a good way to become a Certified Ethical Hacker! 
Price lowered to $8

More Related Content

What's hot

What's hot (20)

Cyber Security roadmap.pptx
Cyber Security roadmap.pptxCyber Security roadmap.pptx
Cyber Security roadmap.pptx
 
Cyber Resilience
Cyber ResilienceCyber Resilience
Cyber Resilience
 
Introduction to cyber security amos
Introduction to cyber security amosIntroduction to cyber security amos
Introduction to cyber security amos
 
1. introduction to cyber security
1. introduction to cyber security1. introduction to cyber security
1. introduction to cyber security
 
Future Watch: Cybersecurity market in South Africa
Future Watch: Cybersecurity market in South Africa Future Watch: Cybersecurity market in South Africa
Future Watch: Cybersecurity market in South Africa
 
Cybersecurity Interview Questions Part -2.pdf
Cybersecurity Interview Questions Part -2.pdfCybersecurity Interview Questions Part -2.pdf
Cybersecurity Interview Questions Part -2.pdf
 
Cybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurityCybersecurity 1. intro to cybersecurity
Cybersecurity 1. intro to cybersecurity
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Information security
Information securityInformation security
Information security
 
2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+Design
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Cybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.comCybersecurity Basics - Aravindr.com
Cybersecurity Basics - Aravindr.com
 
CYBER SECURITY
CYBER SECURITYCYBER SECURITY
CYBER SECURITY
 
AI and ML in Cybersecurity
AI and ML in CybersecurityAI and ML in Cybersecurity
AI and ML in Cybersecurity
 
Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
cyber security
cyber securitycyber security
cyber security
 
Phishing awareness
Phishing awarenessPhishing awareness
Phishing awareness
 

Similar to Certified Ethical Hacking - Book Summary

CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
Chong-Kuan Chen
 

Similar to Certified Ethical Hacking - Book Summary (20)

Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
 
intrusion detection system (IDS)
intrusion detection system (IDS)intrusion detection system (IDS)
intrusion detection system (IDS)
 
Inetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentationInetsecurity.in Ethical Hacking presentation
Inetsecurity.in Ethical Hacking presentation
 
Ethical Hacking justvamshi .pptx
Ethical Hacking justvamshi          .pptxEthical Hacking justvamshi          .pptx
Ethical Hacking justvamshi .pptx
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019Ethical hacking 101 - Singapore RSA 2019
Ethical hacking 101 - Singapore RSA 2019
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for business
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
Super1
Super1Super1
Super1
 
Ethical Hacking Redefined
Ethical Hacking RedefinedEthical Hacking Redefined
Ethical Hacking Redefined
 
Malware collection and analysis
Malware collection and analysisMalware collection and analysis
Malware collection and analysis
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
building foundation for ethical hacking.ppt
building foundation for ethical hacking.pptbuilding foundation for ethical hacking.ppt
building foundation for ethical hacking.ppt
 

Recently uploaded

Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 

Recently uploaded (20)

Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 

Certified Ethical Hacking - Book Summary

  • 2. Certified Ethical Hacking - Introduction - Footprinting and Reconnaissaince - Scanning Networks - Enumeration
  • 3. Certified Ethical Hacking - System Hacking - Trojans Backdoors + - Viruses Worms + - Sniffer
  • 4. Certified Ethical Hacking - Social Engineering - Denial of Sevices - Session hijacking - Hacking Web Servers - Hacking Web Apps
  • 5. Certified Ethical Hacking - SQL Injection - Wireless Hacking - Evading IDS, Firewalls, Honeypots - Buffer Overflow - Cryptography - Pen Testing
  • 6. Introduction - CEH - No legal advice • The legal framework is not very clear about what is actually lawful or not • Be authorized in advance by those in power. • Demonstrate and highlight how you can access the data without accessing it. • In Italy, use a document created with the help of Indemnity of Legal possibly - It may be illegal to make PenTest on propia network • No prior authorization • Access to sensitive data - Most are unsuccessful Hack - Expansive Exam
  • 7. Introduction - CEH - Current Situation • News Suglia cyber attacks • Criminal activities - Anonymous Activities - Cyber Terrorism - Companies must necessarily have and implement security policies • Management of utilities • Access Management • Authentication and security levels • Delegation: rules for delegation • Authoritative sources of data
  • 8. Introduction - CEH - Overview of legislation • Computer Misuse Act 1990 (UK) • CANspam Act (2003) - In Italy • Law 48/2008: European Convention on Cybercrime. • Law 196/2003 • DPS (Document Security) • Measures of protection commissioner 27/11/2008 • The Indemnity
  • 9. Introduction - CEH - Terminology • Hacking • Hackers • Black Box Testing • White Box Testing • Gray Box Testing • Security • Vulnerability • Exploit / Proof of concept • Zero Day • Vulnerability Scan • Penetration Test
  • 10. Introduction - CEH - Origin threats • Within the company a. Licensed physical access b. Logins via the network c. Directors d. Employees • Outside the company a. External Consultants b. External Collaborators c. Its affiliates, subsidiaries of company d. External maintenance, visitors, etc..
  • 11. Introduction - CEH - Who is a Hacker? (1/2) • Black Hats / Crackers / Malicious Individuals with high computer skills used for malicious activity or destructive • White Hats / Ethical Hacker / pentester Individuals with expertise in the field of computer hacking who use their knowledge to improve the safety of the environment and are often identified with the term Security Analyst
  • 12. Introduction - CEH - Who is a Hacker? (2/2) • Gray Hats Individuals with high computer skills used, as appropriate, both for business "offensive", and "defensive" • Suicide Hecker Individuals that use their computer skills to create inefficiencies in companies victims or critical infrastructure, not caring if possible iripercussioni of legal they face. • Hactvism / Script Kiddie / Phreak / Red Team
  • 13. Introduction - CEH - How does a Hacker? (1/3) • Step 1: Patrol a. Research information about the victim b. Connections on a large scale for possible points of attack c. Looking for any information about customers, employees, networks, systems employed, etc.. • Step 2: Scanning a. Port Scan b. Networks scan c. Extract useful information on which versions and service
  • 14. Introduction - CEH - How does a Hacker? (2/3) • Step 3: Obtain access a. Exploit b. Weak Password c. Buffer Overflow d. Denial of service • Step 2: Maintain access a. Keylogger b. Backdoor c. Rootkits d. Trojan / Worm
  • 15. Introduction - CEH - Why do you need the Ethical hacking? • Vulnerability Testing and Security Audit does not ensure that our infrastructure is safe • Need to implement defense strategies taking advantage of targeted Pentest • The Ethical Hacking is necessary in order to anticipate the moves of any malicious people who would compromise our systems
  • 16. Introduction - CEH - Benefits Ethical Hacking? • Risk Assessment • Auditing • Mitigate fraud • Best Practies • Good infrastructure management
  • 17. Introduction - CEH - Benefits Ethical Hacking • Risk Assessment • Auditing • Mitigate fraud • Best Practies • Good infrastructure management - Disadvantages Ethical Hacking • Despite the intentions of companies in hiring external people to test their systems, does not guarantee that this leads to a positive contribution in raising the level of security of the company. • An Ethical Hacker can only help to understand the levels of security in place in the company. It will be the latter that must be put in place proper countermeasures
  • 18. Introduction - CEH - What is an Ethical Hackers? • Sniffing out Vulenaribilità • Verify the effectiveness of the strategies implemented safety • Head found in any vulnerbilità systems and network • Test the ability to access sensitive data
  • 19. Introduction - CEH - The triangle of safety, functionality, ease of use Safety Functionality Ease of use
  • 20. Introduction - CEH Introduction Virtual Lab + Linux
  • 21. Introduction - CEH Questions?
  • 22. Footprinting and Reconnaissaince - CEH - Information gathering - Rating Size of attack - Exposure
  • 23. Footprinting and Reconnaissaince - CEH - Information gathering • Search technical information a. Registered domains b. IP range used c. Services Provided • Additional Information a. IT administrators of groups, forums, etc.. b. Instruments used, and software versions c. Hardware devices and technologies
  • 24. Footprinting and Reconnaissaince - CEH - Attack Surface • Discover the machines and services used • Discover any open wireless networks • Other types of network access: a. Waiting Rooms b. Chiosci c. Shared networks • Ability to use in the attack malware
  • 25. Footprinting and Reconnaissaince - CEH - Exposure • Check for services found and the cars reach: a. Exploit for the optional field b. Potential for abuse services • Organize the information collected • Create a plan of attack a. An attack can 'be performed using more' weaknesses in a coordinated manner • Testing diving the posture (position) before the attack
  • 26. Footprinting and Reconnaissaince - CEH - Footprinting • Delimit the scope of attack a. DNS / WHOIS b. Internic c. Physical location d. RF (Wi-Fi, Bluetooth) monitoring - WarDriving • Analysis Traceroute • Mirroring the site of the target company • Tracking email communications • Using Google Hacking • Nessus Scan • Nikto Scan
  • 27. Footprinting and Reconnaissaince - CEH - Perimeter attack • Analysis of DNS records a. IP Assigned b. MX Record c. etc. .. • Sniffing out the company's website a. Public or restricted WebSite • Search information via search engines (eg google, bing, yahoo, etc..), Job sites, financial services, etc.. • Research staff on Social Networks, Chat services, etc.. • Physical location of the office
  • 28. Footprinting and Reconnaissaince - CEH - Analysis Traceroute • Identification devices routers, firewalls, etc.. es. # traceroute 10.10.10.10 traceroute to 10.10.10.10, 64 hops max, 52 byte packets 1 10.10.10.1 (10.10.10.1) 1.427 ms 1.160 ms 0956 ms 2 10.10.10.3 (10.10.10.3) 33,266 ms 34.849 ms 33,298 ms 3 * * * * ... • By correlating the information obtained it is possible to draw the network topology • Traceroute Tools a. VisualRoute Trace (http://viualroute.visualware.com) b. Visual IP Trace (http://www.visualiptrace.com) c. vTrace (http://vtrace.pl)
  • 29. Footprinting and Reconnaissaince - CEH - Mirroring the corporate website • Create a copy of the entire site azinedale in order to obtain information on the structure as CSS, images, flash files, video, html code, etc.. • Website mirroring tools: a. Wget (http://www.gnu.org) b. BlackWidow (http://softbytelabs.com) c. WinWSD (http://winwsd.uw.hu) d. etc..
  • 30. Footprinting and Reconnaissaince - CEH - Tracking email communications • The Tracking of Email is a valid method for monitor and spy on the emails sent to recipients a. When an email has been read or received b. Possibility to send email destructive c. Phishing attack d. Find the endpoints of e-mail communication e. Tracking of documents, etc. • E-mails Tracking tool: a. Trout (http://www.foundstone.com) b. 3d Visual Trace Route (http://www.3dsnmp.com) c. etc..
  • 31. Footprinting and Reconnaissaince - CEH - Using Google Hacking (1/2) • What a hacker can do with the techniques of Google Hacking a. Find errors that contain sensitive information b. File containing password c. Warnings or safety vulenrabilità d. Pages containing the login form e. Pages containing data regarding the configuration or network vulnerabilities • Examples of some operators used for advanced searches of google: a. [Cache:] - shows the version of the site that is cached by google b. [Inurl:] - restricts the search of the given string only if present in the URL c. [Intitle:] - narrows the search to documents that contain the specified string in the title d. etc ...
  • 32. Footprinting and Reconnaissaince - CEH - Using Google Hacking (2/2) • Google Hacking Tool: a. MetaGoofil (http://www.edge-security.com) b. SiteDigger (http://www.foundstone.com) c. Google Hacks (http://code.google.com) d. GMapCatcher (http://code. Google.com) e. Goolink Scanner (http://www.ghacks. Net) f. etc ...
  • 33. Footprinting and Reconnaissaince - CEH - Nessus Scan • Nessus is a tool that allows of find and possibly identify the services exposed by a particular server Picture of nessus • Nessus Site (http://www.tenable.com/products/nessus)
  • 34. Footprinting and Reconnaissaince - CEH - Nikto Scan • Nikto is a tool that allows of Identify a webserver and make crowling of the sites configured in it. • Nikto is in degrees also identify any known vulnerabilities present on that webserver on the basis of its own internal DB Picture of Nikto • Nikto Site (http://www.cirt.net/nikto2)
  • 35. Footprinting and Reconnaissaince - CEH - Countermeasures Footprinting (1/2) • Secure destruction of documents • Configuring Router / IDS a. Reject any suspicious traffic b. Identify patterns of footprinting c. Close access to the ports that are not strictly necessary for the provision of the service and filter any unused protocols from their applications. • Configure the web server so that it does not provide useful information • Perform tests to verify footprinting countermeasures
  • 36. Footprinting and Reconnaissaince - CEH - Countermeasures Footprinting (2/2) • Removal of any sensitive data on the DMZ • Prevention of spider and loading of copies cache (robots.txt) • Split - DNS • Honeypot
  • 38. Scanning - CEH - CEH scanning methodology - Types of Scan - Firewalking - 3 way handshake - Closing Sessions - Scanning techniques - War Dialing - Scan tool
  • 39. Scanning - CEH - CEH scanning methodology 1) Check the Live systems 2) Check open ports on the system 3) Identify the types of services and versions 4) Vulnerability Scanning 5) Design diagram network 6) Using Proxy
  • 40. Scanning - CEH - Types of Scan • Network scanning a. ICMP scanning b. Ping Sweep scanning • Port scanning a. Check open ports on a system • Vulnerability scaning a. Identification of services b. Identifying versions of applications c. Identification Applications
  • 41. Scanning - CEH - Firewalking • Identifies the ACL (Access Control Lists) configured on the Firewall • It uses the TTL (Time To Live) of a package to find "hop" • Forwarding packets to the open services a. Icmp_time_exceded b. Drop Package • It is not necessary to reach the destination
  • 42. 3-way handshake Scanning - CEH - 3 way handshake Computer Computer A B SYN = 1, SEQ # 10 SYN = 1, ACK = 1 ACK # 11 ACK = 1, SEQ # 11 Time Time
  • 43. Scanning - CEH - Chiusira sessions Computer Computer Computer Computer A B A B FYN, ACK RTD FIN ACK, ACK ACK Time Time
  • 44. Scanning - CEH - Scanning techniques • TCP Connect Scan • Stealth Scan • XMAS Scan • SYN / ACK / FIN Scan • NULL Scan • IDLE Scan • UDP Scan
  • 45. Scanning - CEH - TCP Connect Scan • Indicates whether the port is open only after completing three way handshake - Sequence packages: SYN SYN, ACK, ACK, RST • TCP Connect scan uses a RST packet to terminate the communication
  • 46. Scanning - CEH - Stealth Scan • Used to bypass firewall rules, logging mechanisms or hide their activities as normal traffic SYN SYN SYN, ACK RTD RTD Open Door Closed Door
  • 47. Scanning - CEH - XMAS Scan • forge a packet with the URG, ACK, RST, SYN and FYN settati • The FIN flag works only for systems that have implemented the TCP stack according to RFC 793 • Often does not work for some systems Microsoft Windows FIN, URG, PUSH FIN, URG, PUSH None RTD reply Open Door Closed Door
  • 48. Scanning - CEH - NULL Scan • The FIN flag works only for systems that have implemented the TCP stack according to RFC 793 • Often does not work for some systems Microsoft Windows No Flags settati No Flags settati None RST, ACK reply Open Door Closed Door
  • 49. Scanning - CEH - FIN Scan • Send packets with the FIN flag set • The FIN flag works only for systems that have implemented the TCP stack according to RFC 793 • Often does not work for some systems Microsoft Windows FIN FIN None RST, ACK reply Open Door Closed Door
  • 50. Scanning - CEH - Idle Scan • To verify an open door just send a SYN packet • The target responds with SYN, ACK, RST if it is open or closed if • A PC receives a response to SYN, ACK, it did not send any request will respond with RST • Each RTD is not required ignored • Each packet on the network contains a number of "fragment identification" (IPID) • The Idle scan + is a scanning technique that spoofed packets are sent to check the status of the ports on a target.
  • 51. Scanning - CEH - Idle Scan: Step 1 • Send SYN, ACK to Zombie PC to check on the IPID • Each packet on the network has its own IP ID, consisting of 4 digits and is incremented each time a PC sends a packet • The PC Zombie not expecting the SYN, ACK, it responds with an RST by adding your own IPID probe package SYN, ACK
  • 52. Zombie Scanning - CEH - Idle Scan: Step 2.1 Open Door • Send SYN to port 80 for example of the target with spoofed ip of Zoombie Striker SYN on port 80 IP = Zoombie Target SYN, ACK Open Door RTD IPID = xxxx +1
  • 53. Scanning - CEH - Idle Scan: Step 2.2 port Close • If the door is closed, the target will send a RST packet to the zombie who will not follow response. Striker SYN on port 80 IP = Zoombie Target RTD Zombie
• 54. Scanning - CEH - Idle Scan: Step 3 • The attacker sends a new request to the zombie • If the IPID has been incremented by one more step than expected (xxxx+2 instead of xxxx+1), the port is open, otherwise it is not • Diagram: Attacker → Zombie: SYN, ACK; Zombie → Attacker: RST, IPID = xxxx+2
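The step 1 to step 3 logic can be checked from the defender's side: if a host's own RST replies show the incremental IPID the slides describe, that host can be used as a zombie against third parties. The following Python is an added example and not part of the course slides; the host names and IPID sequences are constructed sample data, and infer_port_from_ipid is simply the slide's +1/+2 rule written out.

```python
"""IPID predictability audit and the idle-scan inference rule (added example)."""

IPID_MODULUS = 1 << 16  # the IP identification field is 16 bits wide and wraps


def ipid_deltas(ipids):
    """Successive differences, modulo 2^16 so a wrap from 65535 to 0 counts as +1."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ipids, ipids[1:])]


def classify_ipid(ipids):
    """'incremental': every reply raises the IPID by exactly 1 (the behaviour an idle
    scan needs from its zombie); 'constant': never changes (e.g. always 0);
    'random': anything else; 'insufficient': fewer than three samples."""
    deltas = ipid_deltas(ipids)
    if len(deltas) < 2:
        return "insufficient"
    if all(d == 1 for d in deltas):
        return "incremental"
    if all(d == 0 for d in deltas):
        return "constant"
    return "random"


def exposed_as_zombie(ipids):
    """A host whose own replies show an incremental IPID can be used as the zombie in
    an idle scan of third parties; the fix on the host side is a stack that does not
    hand out predictable IPIDs."""
    return classify_ipid(ipids) == "incremental"


def infer_port_from_ipid(ipid_step1, ipid_step3):
    """The step-3 rule from the slides: the zombie's IPID moved by 2 (it also answered
    the target's SYN/ACK) means the probed port is open, by 1 means closed; any other
    delta means the zombie was not idle and the result is unreliable."""
    delta = (ipid_step3 - ipid_step1) % IPID_MODULUS
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed"
    return "indeterminate"


# Constructed samples: IPIDs seen in successive RST replies from three hosts.
SAMPLES = {
    "host-a": [1000, 1001, 1002, 1003, 1004],  # predictable
    "host-b": [31847, 2917, 60001, 7, 45210],  # randomised
    "host-c": [0, 0, 0, 0],                    # constant zero
}


def audit(samples):
    """Classify every host in the sample set."""
    return {host: classify_ipid(ipids) for host, ipids in samples.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(host, verdict, "exposed" if exposed_as_zombie(SAMPLES[host]) else "ok")
```

Only the incremental class matters for the audit: a host with randomised or constant IPIDs gives the step-3 comparison nothing to work with, which is exactly what a defender wants.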
• 55. Scanning - CEH - SYN / FIN IP Fragments Scan: • Not a different method from the previous scans • Involves sending the TCP header in fragmented packets so that any "packet filtering" systems fail to intercept it - ACK Scan: • The attacker sends packets with the ACK flag set and random sequence numbers • No response means that the port is filtered • An RST response indicates that the port is not filtered
• 56. Scanning - CEH - UDP Scan: • A UDP port scan does not require the TCP 3-way handshake • When a packet is sent to a port in the Open state, the target system sends no packet back • If a UDP request is sent to a closed port, the target system responds with an ICMP port unreachable message • Spyware, Trojan horses and other malicious applications use UDP ports to propagate between systems
• 57. Scanning - CEH - War-Dialing • One of the attack techniques used in the past (Mitnick) • Consisted of calling a range of phone numbers looking for an endpoint that answers, in order to initiate a connection • Often automated a. Using ranges of random numbers • An answer from an endpoint often reveals the presence of an "emergency" access reserved for system administrators
• 58. Scanning - CEH - Scan tools • Nmap (http://nmap.org/) • Nessus (http://www.tenable.com/products/nessus) • OpenVAS (http://www.openvas.org/) • Hping (http://www.hping.org/) • Netcat (http://netcat.sourceforge.net/) • SuperScan (http://www.foundstone.com) • Free Port Scanner (http://www.nsauditor.com) • THC-Scan (http://freeworld.thc.org) • iWar (http://www.softwink.com)
  • 59. Scanning - CEH Questions?
• 60. Enumeration - CEH - Enumeration - Enumeration techniques - NetBIOS Enumeration - Enumerating User Accounts - SNMP Enumeration - Unix / Linux Enumeration - SMTP Enumeration
• 61. Enumeration - CEH - What is enumeration? • Enumeration is the process of extracting user names, machine names, network resources, shares and services of a system • Enumeration techniques are applied in an intranet environment or for more
• 62. Enumeration - CEH - Enumeration techniques • Extract user names from e-mail IDs • Extract user names through the SNMP service • Extract groups from Windows machines • Extract data using default passwords • Brute forcing Active Directory • Extract information using DNS Zone Transfer
• 63. Enumeration - CEH - NetBIOS Enumeration • An attacker exploits NetBIOS enumeration to obtain: a. The list of computers that belong to a domain b. The list of network shares exposed by each host on the network c. Policies d. Passwords
• 64. Enumeration - CEH - Enumerating systems using default passwords • Devices such as hubs, switches and routers are often used with the default password • An attacker can gain access to these systems and the information they contain using the default credentials • Default Password site (http://www.defaultpassword.com)
• 65. Enumeration - CEH - SNMP Enumeration • SNMP (Simple Network Management Protocol) is a protocol used to monitor and maintain hosts, routers and, in general, any network device that supports it • An attacker uses SNMP enumeration to extract information about the resources of network devices • SNMP consists of a manager and an agent; the agent is integrated directly in the device, while the manager is usually installed on a separate, dedicated system • The default community string used for monitoring and read access to information is "public", while the one for maintenance and write access is "private" • SNMP enumeration uses these strings to extract useful information about the equipment
• 66. Enumeration - CEH - Unix / Linux enumeration • On Unix / Linux there are several commands to enumerate resources on the network a. showmount: provides the list of shares exposed by a system b. finger: enumerates users and hosts, providing details such as home directories, etc. c. rpcclient: provides a list of users on Linux and OS X d. rpcinfo: helps enumerate the RPC (Remote Procedure Call) protocol; RPC allows applications to communicate over the network
• 67. Enumeration - CEH - SMTP Enumeration • Service that can be queried interactively with direct "Telnet" commands • Allows enumeration of users through the normal commands available a. VRFY / EXPN b. RCPT TO
• 68. Enumeration - CEH - User Account Enumeration • User accounts can be obtained by querying an LDAP server anonymously • On Windows systems, by using the SID (Security Identifier) a. Null Session b. SID to User
  • 69. Enumeration - CEH Questions?
• 70. System Hacking - CEH - Password Cracking / Attack - Privilege Escalation - Running programs: Spyware / Keylogger / Rootkits - NTFS Data Stream - Steganography - Covering the tracks
• 71. System Hacking - CEH - Password Cracking / Attack • Password cracking techniques are used to recover the password of a given system • Attackers use these techniques to obtain unauthorized access to vulnerable systems • These techniques work because of the simplicity of the passwords chosen by users
• 72. System Hacking - CEH - Password Cracking Techniques • Dictionary attack a. Uses a file containing common passwords • Brute force attack (Brute Forcing Attack) a. Tries combinations of numbers and characters until the password is found • Hybrid attack (Hybrid Attack) a. Similar to the dictionary attack, but adds numbers and letters to the words in the dictionary • Syllable attack (Syllable Attack) a. Combines the dictionary attack and brute force • Rule-based attack (Rule-Based Attack) a. Based on information the attacker has previously gathered about the password (company policy, number of special characters, etc.)
• 73. System Hacking - CEH - Types of attack on passwords • Passive Online Attack • Active Online Attack • Offline Attack • Non-electronic Attack (not computer-based)
  • 74. System Hacking - CEH - Passive Online Attack • Sniffing the network • MIM (Man in the Middle) • Replay
• 75. System Hacking - CEH - Active Online Attack • Predictable passwords • Trojan / Spyware / Keylogger • Hash injection
• 76. System Hacking - CEH - Offline Attack • Precomputed hashes • Rainbow tables • Distributed networks
• 77. System Hacking - CEH - Non-electronic Attack • Spying on people while they type their password (Shoulder Surfing) • Social Engineering • Rummaging through garbage (Dumpster Diving)
• 78. System Hacking - CEH - Privilege Escalation • Exploits vulnerabilities in the operating system • Software vulnerabilities • Programming errors a. Buffer overflow b. No distinction between data and executable code c. Failure to check user input, etc. • Often carried out with shellcode exploits
• 79. System Hacking - CEH - Spyware • Program that records the actions a user performs on the computer and while surfing the Internet, without the user knowing anything about it a. It hides its process b. It hides its files and other objects c. Difficult to remove • Methods of propagation a. Masquerading as anti-spyware b. Downloaded from the Internet c. Exploiting browser vulnerabilities d. Fake add-ons e. Software installations containing specially crafted macros
• 80. System Hacking - CEH - Keylogger (Keystroke Logger) • Software or hardware components that record what the user types on the keyboard • Everything recorded is saved in a file and sent to a remote destination • The keylogger interposes itself in the communication between the keyboard and the operating system • Some companies use this kind of equipment or software to monitor their employees; it is also used at home to monitor children and the like
• 81. System Hacking - CEH - Rootkit • Programs that reside at kernel level in order to hide themselves and cover the tracks of their activity • They replace specific routines or operating system components with modified, ad hoc versions • Rootkits allow an attacker to maintain access to the system
• 82. System Hacking - CEH - Types of Rootkit (1/2) • Hardware / Firmware • Hides in physical devices or in firmware updates that do not check code integrity • Hypervisor level • Changes the boot sequence so as to load itself before the operating system, which is then run virtualized • Boot Loader level • Replaces the original boot loader with one controlled by a remote attacker
• 84. System Hacking - CEH - Types of Rootkit (2/2) • Kernel level: replaces or adds malicious code to parts of the operating system kernel or to device drivers • Library level: replaces operating system libraries in order to hide the attacker's information • Application level: replaces the executables of regular applications with Trojans or malicious pieces of code
• 85. System Hacking - CEH - NTFS Data Stream • NTFS Alternate Data Streams (ADS) is a hidden information stream in Windows that holds a file's metadata (attributes, word count, author name, etc.) • ADS allows attributes to be added to a file without changing its functionality or how it appears in the file manager • ADS can be exploited by an attacker to inject code into a compromised system and execute commands without being detected by the user
• 86. System Hacking - CEH - Steganography (1/2) • Steganography is the technique of hiding secret messages and extracting them again at the destination, while maintaining the confidentiality of the message • Using graphic images as a cover to hide data, coordinates or secret plans is one of the most widely used methods • There are several free programs that implement steganographic techniques
• 87. System Hacking - CEH - Steganography (2/2) • Example with ImageHide (http://www.dancemammal.com/imagehide.htm)
• 88. System Hacking - CEH - Covering the tracks • Remove all traces of web activity such as MRU (Most Recently Used) lists, cookies, cache, history and temporary files • Disable auditing systems • Edit the log files, do not delete them! a. Operating system b. Applications c. DB access d. Administrative e. UTMP / lastlog / WTMP • Close all connections to the target machine a. Use tools or alter files to obfuscate one's presence b. Windows Watcher, Tracks Eraser Pro, Evidence Eliminator, etc. • Close all the ports that were used and patch the system, to prevent other hackers from getting in
  • 89. System Hacking - CEH Questions?
• 90. Trojans + Backdoors - What is a Trojan? • It is a program containing malicious code that allows an attacker to take control of the system and cause damage to it • With the help of a Trojan, an attacker is able to gain access to the passwords stored on the system and, in general, to everything on it: personal documents, deleted files, images, messages, etc.
• 91. Trojans + Backdoors - What is the purpose of a Trojan? • Stealing important information such as passwords, secret codes, credit card information, bank details, etc. • Recording the activity on the victim's PC • Modifying or replacing operating system files • DoS attacks • Downloading spyware and keyloggers • Disabling protection systems: anti-virus, anti-spyware, etc. • Using the victim's PC to propagate the Trojan infection
• 92. Trojans + Backdoors - Which method does a Trojan use to infect a system? 1. Create a modified package using a Trojan Horse Construction Kit 2. Create the procedure ("dropper") that is the heart of the Trojan and executes the malicious code on the target system 3. Create, with a tool, a container ("wrapper") holding the Trojan, which is used to install everything on the victim's PC 4. Propagate the Trojan 5. Run the dropper 6. Execute the harmful routine
• 93. Trojans + Backdoors - Ways in which a Trojan is able to infect a system • Software packages created by disgruntled employees • Fake programs (AV pop-ups, rogue security software) • Files downloaded from the Internet (games, music, screen savers, etc.) • Messaging systems (IM, IRC, AOL, etc.) • Suggested links or attachments in e-mail messages • File sharing • Vulnerabilities of the browsers or mail clients in use • Physical access to the PC
• 94. Trojans + Backdoors - How a Trojan evades controls • Splitting the Trojan code into small, separate, compressed parts • Changing the content and checksum and encrypting the Trojan code with a hex editor • Not using Trojans downloaded directly from the Internet • Using different common file extensions to disguise the Trojan executable
• 95. Trojans + Backdoors - Some types of Trojans • Command Shell Trojan • Covert Channel Trojan • Botnet Trojan • Proxy Server Trojan • Remote Access Trojan (backdoor) • E-Mail Trojan • FTP Trojan • E-Banking Trojan • Mobile Trojan • Spam Trojan • Mac OS X Trojan • etc.
• 96. Trojans + Backdoors - Methods for detecting the presence of Trojans within a compromised system • Scanning open ports • Scanning active processes • Scanning the installed drivers • Scanning Windows services • Scanning the programs that start at boot • Scanning for suspicious files or folders • Monitoring network activity • Scanning for recently modified operating system files • Using a Trojan scanner
• 97. Viruses + Worms - CEH - What is a Virus? • It is a self-replicating program that modifies other executable programs by inserting its own code into them • Some viruses infect the computer as soon as the program that contains them is executed • Other viruses remain dormant until a triggering event activates them
• 98. Viruses + Worms - CEH - Why are viruses created? • To damage competing companies • Financial gain • Research projects • For fun • Acts of vandalism • Cyber terrorism • To distribute political messages
• 99. Viruses + Worms - CEH - How can a virus infect a computer? • The antivirus signature database is not up to date • Outdated versions of installed plugins • Installing pirated or cracked software • Opening infected e-mails • Downloading files without verifying their source
  • 100. Viruses Worms + - CEH - Some examples of Type Virus • System or Boot Sector Virus • File Virus • Cluster Virus • Multipart Virus • Macro Virus • Encryption Virus • Polymorphic Virus • Shell Virus • Tunneling Virus
• 101. Viruses + Worms - CEH - What is a Worm? • It is a malicious program that can replicate, run and propagate itself through the network without human intervention • Most worms are created to replicate and spread across the network in order to consume computing resources • Some worms may contain code that can harm the infected system • Attackers use worms to install backdoors on infected systems, creating zombies or botnets; botnets are then used for future cyber attacks
• 102. Viruses + Worms - CEH - How to avoid worm and virus infections • Install an antivirus and keep its signature database updated • Regularly update systems with the latest available security patches • Pay particular attention to files or programs downloaded from the Internet • Avoid running e-mail attachments whose sender is unknown • Always keep backups of the data so it can be restored in case of infection • Regularly scan your PC • Do not use administrative accounts • Use programs that control connections (personal firewalls, etc.) • Use programs such as Tripwire, sigverif, Windows File Protection
  • 103. Viruses Worms + - CEH Questions?
• 104. Sniffer - CEH - ARP - Uses of sniffing - Sniffing techniques - Active sniffing - Countermeasures
• 105. Sniffer - CEH - ARP • It is a network protocol whose task is to provide the mapping between the IP address and the MAC address of a PC on an Ethernet network • Specified in RFC 826 • ARP tables • ARP Request / ARP Reply mechanism
• 106. Sniffer - CEH - Uses of sniffing • To identify the elements of a network a. Routers b. DNS servers c. Type of addressing used d. Network equipment • Obtaining the MAC address and IP address of a computer on the network • Obtaining sensitive data a. Credentials travelling over cleartext channels (HTTP, FTP) b. Confidential documents c. Password hashes d. Etc.
• 107. Sniffer - CEH - Sniffing techniques • Passive Sniffing a. Applicable only in a network built on hubs b. Consists of monitoring the packets travelling over the network c. Hubs are obsolete today • Active Sniffing a. Technique used on networks built on switches b. Consists of injecting (ARP) packets into the network, which generate requests
• 108. Sniffer - CEH - Active sniffing (1/3) • Used where passive listening on the network is not possible, because of the presence of switches • Involves injecting forged packets into the network in order to divert traffic to the attacker • Exploits the weaknesses of the ARP protocol • It is lawful if used for monitoring or control of the network a. SPAN Port: reserved for duplicating traffic in the switch b. Monitoring Port c. Port Mirroring
• 109. Sniffer - CEH - Active sniffing (2/3) • ARP Spoofing (Poisoning) a. Inject modified ARP Replies (e.g. the gateway MAC) b. Requires consistency and frequency c. Easily identifiable d. Easy to prevent by enabling "port security" on the equipment • MAC duplication a. Replace your own MAC address with that of the target machine
• 110. Sniffer - CEH - Active sniffing (3/3) • MAC Flooding a. Generate a large quantity of spoofed ARP replies b. Saturates the memory and the refresh capability of the switches c. Turns the switch into a hub • DHCP attack a. Consists of sending IP requests to the DHCP server in order to exhaust the available addresses b. Considered a DoS (Denial of Service)
• 111. Sniffer - CEH - Countermeasures • Enable port security on the switches where available a. Prevents duplicate MAC addresses b. Maintains the mapping between MAC addresses and the ports they are connected to • Use an IDS (Intrusion Detection System) a. Allows immediate detection of MAC flooding, duplicate MACs and high volumes of ARP traffic • Use static ARP tables • Enable DHCP Snooping a. Prevents DHCP attacks
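The IDS countermeasure on this slide amounts to watching ARP replies for mapping changes and bursts. The following Python is an added example, not code from the course slides or from any IDS product: it parses a constructed ARP reply log (the "t=... reply ... is-at ..." line format, the addresses and the thresholds are all assumptions made for the demonstration) and raises the three alerts a defender would want from the slide: a changed IP-to-MAC mapping (ARP poisoning), a violation of a static ARP table entry, and a flood of replies from many distinct MACs (MAC flooding).

```python
"""ARP reply monitoring: mapping changes, static-table violations and floods (added example)."""
import re
from collections import defaultdict

# Constructed log format, one ARP reply per line: "t=<seconds> reply <ip> is-at <mac>".
ARP_LINE = re.compile(
    r"^t=(?P<t>\d+)\s+reply\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$"
)


def parse_arp_log(lines):
    """Return (time, ip, mac) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = ARP_LINE.match(line.strip())
        if m:
            events.append((int(m["t"]), m["ip"], m["mac"].lower()))
    return events


def detect_arp_anomalies(events, static_table=None, flood_window=1, flood_threshold=20):
    """Return a list of (kind, time, detail) alerts.

    static-violation: an IP with a static entry is announced with another MAC.
    mapping-change:   an IP first seen with one MAC is later announced with another;
                      the "consistency and frequency" poisoning needs makes this repeat.
    reply-flood:      more than flood_threshold distinct source MACs inside one
                      flood_window-second bucket, the MAC flooding signature.
    """
    static_table = {ip: mac.lower() for ip, mac in (static_table or {}).items()}
    first_seen = {}
    macs_per_bucket = defaultdict(set)
    alerts = []
    for t, ip, mac in events:
        if ip in static_table and static_table[ip] != mac:
            alerts.append(("static-violation", t,
                           f"{ip} announced as {mac}, static entry is {static_table[ip]}"))
        elif ip in first_seen and first_seen[ip] != mac:
            alerts.append(("mapping-change", t, f"{ip} was {first_seen[ip]}, now {mac}"))
        first_seen.setdefault(ip, mac)
        macs_per_bucket[t // flood_window].add(mac)
    for bucket, macs in sorted(macs_per_bucket.items()):
        if len(macs) > flood_threshold:
            alerts.append(("reply-flood", bucket * flood_window, f"{len(macs)} distinct MACs"))
    return alerts


# Constructed sample: a gateway, one client, a poisoning attempt against the gateway's
# IP, a junk line, and a burst of 25 replies from distinct MACs in the same second.
SAMPLE_LOG = [
    "t=0 reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01",
    "t=5 reply 192.168.1.10 is-at aa:bb:cc:dd:ee:10",
    "t=12 reply 192.168.1.1 is-at 00:11:22:33:44:55",
    "t=13 reply 192.168.1.1 is-at 00:11:22:33:44:55",
    "garbage line that the parser must skip",
] + [f"t=50 reply 192.168.1.{200 + i} is-at 02:00:00:00:00:{i:02x}" for i in range(25)]

# Constructed static table for the gateway (the "static ARP tables" countermeasure).
STATIC_TABLE = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}


def alert_counts(lines, static_table=None):
    """Summarise alerts by kind, for reporting."""
    counts = {}
    for kind, _t, _detail in detect_arp_anomalies(parse_arp_log(lines), static_table):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(parse_arp_log(SAMPLE_LOG), STATIC_TABLE):
        print(*alert)
```

With a static table the gateway alerts are reported as violations of a known-good entry, which is a stronger signal than a bare change; without one the detector falls back to the first mapping it saw, so it must be started on a clean network to be trustworthy.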
• 112. Sniffer - CEH - Some useful programs • ARP attacks a. Ettercap (http://ettercap.github.io/ettercap/) b. Cain & Abel (http://www.oxid.it/cain.html) c. SMAC (http://www.klcconsulting.net/smac-cl/) • Sniffing tools a. TCPDump (http://www.tcpdump.org/) b. Wireshark (http://www.wireshark.org/) c. Dsniff (http://www.monkey.org/~dugsong/dsniff/) d. Aircrack-ng (http://www.aircrack-ng.org/doku.php?id=airodump-ng)
  • 113. Sniffer - CEH Questions?
• 114. Social Engineering - CEH - Social Engineering • "Social Engineering" is the art of fooling people into revealing confidential information • This kind of technique draws its strength from people's unawareness of the value of the information they hold and from their lack of care in keeping that information confidential
• 115. Social Engineering - CEH - Victims of Social Engineering attacks • Secretaries or help desk personnel • Users or customers of the company • Company suppliers • System administrators • Technical support staff
• 116. Social Engineering - CEH - Phases of a Social Engineering attack a. Research information on the target company • Dumpster diving • Website • Information about employees • Inspections of the company premises • etc. b. Select a victim • Identify, for example, a disgruntled employee c. Develop a relationship with the victim • Begin a relationship with the employee selected as a victim d. Exploit the relationship • Obtain information such as user names, financial information, technologies used, etc.
• 117. Social Engineering - CEH - Social Engineering techniques (1/2) • Human-based a. Dumpster Diving (searching through the trash) b. Posing as a user c. Posing as a company VIP d. Posing as a technical support person e. Intercepting telephone conversations f. Spying on people from behind (Shoulder Surfing) g. Sneaking in h. Posing as a third party i. etc.
• 118. Social Engineering - CEH - Social Engineering techniques (2/2) • Computer-based a. Using pop-up windows that appear while browsing (gifts, million-dollar sweepstakes, etc.) b. Through hoax letters (Hoax) c. Through chain letters d. Via chat messages (dates of birth, maiden names, pet names, etc.) e. Via spam e-mail f. Phishing g. Sending fake SMS messages requesting banking information
• 119. Social Engineering - CEH - Countermeasures • Adopt clear corporate policies of conduct and enforce them • Enhance physical security • Train staff to respond to such threats • Implement control measures and verify them constantly • Trace the possible recipients and dangerous content of e-mail
  • 120. Social Engineering - CEH Questions?
• 121. Denial of Service - CEH - What is a Denial of Service? • A Denial of Service (DoS) attack is an attack on a computer or a computer network designed to prevent the normal delivery of the services available • In a DoS attack the attacker floods the victim system with requests until the available resources are saturated
• 122. Denial of Service - CEH - DoS attack techniques • Ping of Death (ICMP Flood) a. Sends a large number of ICMP requests b. Aims at saturating the available memory c. Modern operating systems have protection against Ping of Death • SYN Flood a. Exploits the normal operation of the 3-way handshake b. Saturates the available memory c. Leaves connections hanging for up to 75 seconds
• 123. Denial of Service - CEH - Why use a DoS attack • Vandalism • As an admonitory or activist method • As an anti-tracking method (Mitnick, Shimomura)
• 124. Denial of Service - CEH - Common DoS programs • Trinity - IRC DDoS • R-U-Dead-Yet (RUDY) - HTTP POST DDoS • Tribe - network flood • Slowloris - HTTP DoS • Low Orbit Ion Cannon (LOIC) - DoS tool
  • 125. Denial of Sevices - CEH Questions?
• 126. Session hijacking - CEH - What is Session Hijacking? • Session Hijacking refers to the exploitation and compromise of a valid session between two computers • An attacker steals a valid session ID to gain access to the system and the data it contains • TCP Session Hijacking refers to an attacker taking control of a TCP session between two computers
• 127. Session hijacking - CEH - Types of Session Hijacking • Active a. Consists of replacing the host with which the session was established • Passive a. Consists of routing the traffic through the attacker, who merely observes and records it • Hybrid a. Similar to the passive one until important information is found
• 128. Session hijacking - CEH - Key Session Hijacking techniques • Brute forcing a. The attacker tries different session IDs until a valid one is found • Stealing a. The attacker uses different techniques to steal valid session IDs • Calculating a. The attacker tries to calculate the value of a valid session ID
• 129. Session hijacking - CEH - Brute Forcing • Try to identify session IDs sent in the clear (no SSL) • Try to identify multiple valid session IDs • Sessions that have no expiration time • Accounts that have no credential lockout
• 130. Session hijacking - CEH - Man in the Middle • Based on sniffing the traffic • Gives the ability to add packets to an existing session • Can be used to alter sequence numbers in an attempt to keep the user's session active in order to inject malicious code • The payload of the packets being sent can be altered by adding to it
• 131. Session hijacking - CEH - Session Fixation • The attacker determines the session ID • If a login has already taken place, the attacker tries to keep the session active • Phishing techniques are used to send the session ID to the user • Once the user has authenticated, the attacker is able to access the target user's data
• 132. Session hijacking - CEH - What are the advantages of Session Hijacking • Access to the server as an authenticated user • The access often remains hidden a. An existing session ID is kept, replacing the original client b. Hijacking is difficult to trace c. The credentials are valid • The nature of the TCP session gives the possibility of continuous access • No need to re-authenticate or to tamper with the security package
  • 133. Session hijacking - CEH - Programs for Hijacking • Hamster / Ferret • Firesheep • Ettercap • Juggernaut • Hunt • T-Sight • Metasploit • SSL Strip
• 134. Session hijacking - CEH - Countermeasures • Use secure channels (SSL) for communications wherever possible • Exchange cookies over encrypted channels (HTTPS) • Implement systems that de-authenticate user sessions on logout • Use session IDs generated only after authorized access • Use random sequences of numbers and letters to generate session keys • Exchange only encrypted data between the user and the web server
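The generation and lifecycle rules on this slide, together with the session fixation attack of slide 131, fit into a small session store. The Python below is an added example and not code from the course slides: it generates IDs from the operating system CSPRNG, issues a fresh ID at login so an ID planted before authentication never becomes an authenticated one, expires and de-authenticates sessions, and includes two checks (sequential IDs and per-character entropy) that expose the weak generators the "calculating" technique relies on. The constructed weak IDs and the 900-second default lifetime are assumptions made for the demonstration.

```python
"""Session ID generation and validation hardening (added example)."""
import hmac
import math
import secrets
from collections import Counter


def generate_session_id(nbytes=32):
    """CSPRNG-backed, URL-safe token: 32 random bytes give 256 bits of entropy,
    which is what makes calculating or brute forcing the ID impractical."""
    return secrets.token_urlsafe(nbytes)


def looks_sequential(ids):
    """True when the IDs are decimal integers with a constant step (1001, 1002, ...),
    the weakness behind the 'calculating' technique."""
    try:
        values = [int(i) for i in ids]
    except ValueError:
        return False
    if len(values) < 2:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1


def entropy_bits_per_char(ids):
    """Shannon entropy of the character distribution over a sample of IDs. Values far
    below log2(alphabet size) point at a weak or biased generator."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


class SessionStore:
    """Minimal in-memory store applying the countermeasures from the slide."""

    def __init__(self, ttl_seconds=900):
        self._sessions = {}  # sid -> {"user": str | None, "expires": int}
        self.ttl = ttl_seconds

    def start_anonymous(self, now):
        """Pre-login session: no user attached yet."""
        sid = generate_session_id()
        self._sessions[sid] = {"user": None, "expires": now + self.ttl}
        return sid

    def login(self, old_sid, user, now):
        """Issue a brand-new ID at authentication and drop the pre-login one, so an ID
        planted before login (session fixation) never becomes an authenticated session."""
        self._sessions.pop(old_sid, None)
        sid = generate_session_id()
        self._sessions[sid] = {"user": user, "expires": now + self.ttl}
        return sid

    def lookup(self, sid, now):
        """Return session data or None. IDs are compared in constant time and expired
        sessions are treated as absent (an expiry is the answer to never-ending IDs)."""
        if not isinstance(sid, str) or not sid.isascii():
            return None
        for stored, data in self._sessions.items():
            if hmac.compare_digest(stored, sid):
                return data if now < data["expires"] else None
        return None

    def logout(self, sid):
        """Explicit de-authentication: the ID stops being valid server-side."""
        self._sessions.pop(sid, None)


# Constructed sample: IDs from a weak sequential generator beside strong ones.
WEAK_IDS = ["1000041", "1000042", "1000043", "1000044"]
STRONG_IDS = [generate_session_id() for _ in range(50)]

if __name__ == "__main__":
    print("weak sequential:", looks_sequential(WEAK_IDS), entropy_bits_per_char(WEAK_IDS))
    print("strong sequential:", looks_sequential(STRONG_IDS), entropy_bits_per_char(STRONG_IDS))
```

The linear scan in lookup keeps the constant-time comparison simple for a demonstration; a production store would index by a keyed hash of the ID instead, which also avoids holding raw IDs server-side.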
  • 135. Session hijacking - CEH Questions?
• 136. Hacking Web Servers - CEH - Current web server vendors • Apache • Microsoft IIS • Lighttpd • Google • Nginx
• 137. Hacking Web Servers - CEH - Architecture of a web server • Communication ports and protocols used a. HTTP (Hypertext Transfer Protocol), port 80 b. HTTPS (Hypertext Transfer Protocol over Secure Socket Layer), port 443 • Handles requests received from clients with various methods a. GET b. POST c. TRACE • Potentially vulnerable to a. Malformed GET / POST requests b. SQL Injection c. Configuration errors d. Etc.
• 138. Hacking Web Servers - CEH - Impact of attacks on web servers • Compromise of user accounts • Tampering with the data managed • Use as a bridge to other web attacks • Theft of information • Administrative access to the server or to other applications • Defacement of the hosted site
• 139. Hacking Web Servers - CEH - Some types of attack on web servers • Web server configuration errors a. Administrative capabilities enabled b. Error messages rich in debug information c. Backups, old copies of configuration files, scripts d. Anonymous or test users enabled, with easily guessed passwords e. Etc.
• 140. Hacking Web Servers - CEH - Some types of attack on web servers • Directory Traversal a. Access to confidential system directories b. Execution of commands external to the web server c. Access to confidential information d. Use of UNICODE encoding to mask the requests
• 141. Hacking Web Servers - CEH - Some types of attack on web servers • Tampering with the request parameters (URL) a. Changing the parameters exchanged between client and server b. Example: http://www.example.com/sample?a=1234&b=456&admin=1 • URL Obfuscation a. UNICODE, binary, decimal encoding, etc.
• 142. Hacking Web Servers - CEH - Some types of attack on web servers • Source Code Analysis a. Discovery of sensitive directories, servers or services b. Users and passwords c. Preconfigured or default session IDs • Passwords a. Brute force attack b. Dictionary attack c. Hybrid attack d. Simple passwords
• 143. Hacking Web Servers - CEH - Methodology for attacking a web server (1/2) • Information gathering a. Gathering information about the target company b. Searching news groups, forums, etc. c. Whois, Traceroute, etc. on the structure of the victim's systems • Identification of the web server type a. Type of server, operating system, etc. • Copy of the website structure a. Create a copy of the site structure b. Find useful comments within the code
• 144. Hacking Web Servers - CEH - Methodology for attacking a web server (2/2) • Scanning for known vulnerabilities a. Identify any weaknesses in the system b. HP WebInspect, Nessus, etc. • Session Hijacking a. Sniffing valid session IDs for unauthorized access b. Burp Suite, Paros Proxy, Hamster, FireSheep • Cracking the passwords used by the web server a. Attempt to find passwords with various useful techniques b. Brutus, THC-Hydra, etc.
• 145. Hacking Web Servers - CEH - Countermeasures • Regularly scan and patch systems • Apply every update provided by the software vendors • Ensure that all systems have the same versions of Service Packs, Hotfixes and Security Patches • Provide a disaster recovery plan and system backups in case recovery is required
  • 146. Hacking Web Servers - CEH Questions?
• 147. Hacking Web Apps - CEH - Defining a Web Application • It is a communication interface between the user and the web server, made up of several server-generated pages that contain scripts or commands to be executed dynamically on the user's browser • Businesses rely on web applications, and on web technology in general, as a key support for business processes and for improving them
  • 148. Hacking Web Apps - CEH - Components of a Web App • The Web Server • The application Content • Data Access
• 149. Hacking Web Apps - CEH - How a Web App works • Diagram: User request → Web Server → Web Application → DBMS / OS command → Output to the user
• 150. Hacking Web Apps - CEH - Types of attacks on Web Apps (1/2) • SQL Injection a. The most common and most effective attack b. Exploits the input forms present in web pages c. Forces login requests to obtain valid credentials d. Interfaces with the DB (alter, insert, delete tables) • Automated tools a. SQLMap b. SQLNinja c. Havij d. Etc.
• 151. Hacking Web Apps - CEH - Types of attacks on Web Apps (2/2) • Cross Site Scripting (XSS) a. Forces the execution of unforeseen script actions b. Execution of commands or installation of software c. Based on incorrect handling of user input by the application d. The tag par excellence that indicates an XSS: "<script>" • Cross Site Request Forgery (CSRF) a. Forces the user's browser to send malicious requests without the user's control b. The victim has a valid active session on a "trusted" site while visiting a malicious site, which injects a malformed HTTP request that is forwarded to the main site and carried out as if legitimate
  • 152. Hacking Web Apps - CEH - Methodology for attack on a Web App • Get a scheme infrastructure WEB • Attack on Web Servers • Analysis of the Web • Attempting to bypass authentication mechanisms • Attempting to bypass the authorization mechanisms • Attack of the session control mechanisms • Attempted injection of packets • Attack of the possible client Web App • Attack Web services used by the application
• 153. Hacking Web Apps - CEH - Web Application Firewall (WAF) • Firewall with advanced features • Specialised in defending web applications • Analyses HTTP / HTTPS traffic to intercept and, where necessary, block dangerous requests • Blocks SQL injection attacks, buffer overflows, XSS, etc.
  • 154. Hacking Web Apps - CEH Questions?
• 155. SQL Injection - CEH - What is SQL Injection? • SQL injection is a technique that exploits the incorrect validation of user input by the web application to execute SQL commands on the backend DB • SQL Injection is an attack aimed at obtaining unauthorized access to the database or to the information it contains
  • 156. SQL Injection - CEH - Types of SQL Injection attack • Bypass Authentication Methods • Disclosure of sensitive information • Compromised the integrity of the data managed • Impairment of the availability of data managed • Run remote commands
• 157. SQL Injection - CEH - Methods of detecting SQL Injection a. Check whether the web application accesses a DB server b. Enumerate the possible user inputs that can be exploited to execute SQL commands c. Simulate the insertion of code into user input fields d. Simulate entering numbers in fields reserved for strings e. The UNION operator is used in SQL Injection techniques to concatenate SQL statements f. Check how much information is disclosed in error messages
  • 158. SQL Injection - CEH - Types of SQL Injection a. Simple SQL Injection • SQL Union • SQL Error b. Blind Injection
  • 159. SQL Injection - CEH - Simple SQL Injection Attacks • Store System procedures a. Attacks are based on the use of "store procedures" already in the DB b. UNION Query SELECT name, phone, address FROM Users WHERE ID = 1 UNION ALL SELECT CreditCardNumber, 1, 1, from creditcardtable c. Tautology (true by definition Affirmation) SELECT * FROM user WHERE name = ' 'OR '1' = '1 '; d. Commenting on the end of the line SELECT * FROM user WHERE name = 'x' AND userid IS NULL; - '; e. Understanding the structure of the DB via requests with parameters that are not allowed
  • 160. SQL Injection - CEH - Blind SQL Injection • It 'a technique used when the Web application is subject to SQL injection but but the answers are not visible to the attacker • the Blind SQL Injection exploit the same philosophy of normal SQL Injection except for the fact that the attacker is not able to see the specific error generated • This type of attack can become very expansive in terms of time because of the excessive amount of requests from having to send for every single bit of information obtained
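The following runnable example is added here and is not part of the original slides. It covers both the simple injections of slide 159 (tautology, UNION) and the blind, boolean-based extraction of slide 160, against a constructed in-memory SQLite database: the same string-concatenated query is abused three ways, and the parameterised version is shown beside it for contrast. The table names, rows and the `oracle` function (which stands in for "did the page show a result or not") are assumptions of the demo.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample database: a users table and a separate cards table."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER, name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'S3cret!'), (2, 'alice', 'wonderland');
        CREATE TABLE cards (id INTEGER, number TEXT);
        INSERT INTO cards VALUES (1, '4111111111111111');
    """)
    return db

# Vulnerable: the query is built by string concatenation, so the user input
# is interpreted as SQL rather than as data.
def find_user_vulnerable(db, name: str):
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()

# Fixed: a parameterised query.  The '?' placeholder is bound by the driver,
# so quotes, OR, UNION and comments in the input are just characters.
def find_user_safe(db, name: str):
    return db.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()

# Blind, boolean-based extraction.  The oracle is all the attacker sees: did
# the page return something or not?  Each request leaks a single bit.
def oracle(db, injected: str) -> bool:
    return len(find_user_vulnerable(db, injected)) > 0

def blind_extract(db, expr: str, max_len: int = 32):
    """Recover the string value of an SQL expression one bit at a time.
    Returns (value, number_of_requests).  Assumes the page behaves
    differently for a true and a false WHERE clause."""
    out, requests = "", 0
    for pos in range(1, max_len + 1):
        code = 0
        for bit in range(7, -1, -1):          # 8 bits per character, MSB first
            probe = (f"' OR (ifnull(unicode(substr(({expr}),{pos},1)),0) "
                     f"& {1 << bit}) > 0 -- ")
            requests += 1
            if oracle(db, probe):
                code |= 1 << bit
        if code == 0:                         # substr() past the end: done
            break
        out += chr(code)
    return out, requests

def demo(db=None) -> dict:
    if db is None:
        db = make_db()
    tautology = "' OR '1'='1"
    union = "' UNION ALL SELECT id, number FROM cards -- "
    return {
        "tautology_vulnerable": find_user_vulnerable(db, tautology),  # every user
        "tautology_safe": find_user_safe(db, tautology),              # nothing
        "union_vulnerable": find_user_vulnerable(db, union),          # card number
        "blind": blind_extract(db, "SELECT password FROM users WHERE name='admin'"),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Seven characters cost 64 requests here (8 per character plus 8 to detect the end); a real target adds network latency per request, which is why the slide calls blind injection expensive and why tools such as sqlmap automate it.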
• 161. SQL Injection - CEH - Methodology of a SQL Injection attack a. Information gathering b. Sniffing out a SQL Injection vulnerability c. Exploit the vulnerability found d. Extract data from the database e. Interact with the operating system f. Compromise the entire network
• 162. SQL Injection - CEH - Programs for SQL Injection a. SQL Power Injector (http://www.sqlpowerinjector.com/) b. BSQLHacker (http://labs.portcullis.co.uk/tools/bsql-hacker/) c. Marathon Tool (http://marathontool.codeplex.com/) d. Absinthe (https://github.com/HandsomeCam/Absinthe) e. SqlNinja (http://sqlninja.sourceforge.net/) f. Sqlmap (http://sqlmap.org/)
• 163. SQL Injection - CEH - Countermeasures a. Use DB accounts with the minimum privileges required b. Disable functions or stored procedures not needed by the application c. Monitor connections with IDS, WAF, etc. d. Use custom error messages (never expose raw DB errors to the client) e. Filter data on the client side, but never rely on it alone f. Apply security controls on the server to every value the application passes into a database query: validate it and use parameterised queries / prepared statements rather than string concatenation
  • 164. SQL Injection - CEH Questions?
• 165. Hacking Wireless - CEH - Wireless LAN - Bluetooth
• 166. Hacking Wireless - CEH - Wireless LAN • Wi-Fi was developed according to the IEEE 802.11 standard and is widely used for wireless communication, as it provides access to applications and data over the wireless network • The Wi-Fi standards define numerous ways to establish a connection between transmitter and receiver, such as DSSS, FHSS, Infrared (IR) and OFDM
• 167. Hacking Wireless - CEH - Types of wireless network • As an extension of a wired network • Multiple access points • LAN-to-LAN wireless network (bridge mode) • 3G hotspot
• 168. Hacking Wireless - CEH - Wireless standards • 802.11a: bandwidth up to 54 Mbps, 5 GHz band • 802.11b: bandwidth up to 11 Mbps, 2.4 GHz band • 802.11g: bandwidth up to 54 Mbps, 2.4 GHz band • 802.11i: amendment to 802.11a/b/g that improves the cryptography of wireless networks (the basis of WPA2) • 802.11n: bandwidth over 100 Mbps • 802.16: a standard for wireless broadband developed for MANs (Metropolitan Area Networks), known as WiMAX • Bluetooth: very short range (<10 m) and low speed (1-3 Mbps), developed for low-power devices such as PDAs
• 169. Hacking Wireless - CEH - Types of encryption used in wireless • WEP a. The first and oldest standard used in wireless communications (RC4 with a 24-bit IV); considered broken • WPA a. Uses a 48-bit IV b. 32-bit CRC c. TKIP encryption (still RC4-based) • WPA2 a. Uses AES encryption (128-bit) with CCMP • WPA2 Enterprise a. Integrates the WPA standard with EAP (802.1X authentication) instead of a shared passphrase
• 170. Hacking Wireless - CEH - How to crack WEP • Put the wireless interface into monitor mode on the specific channel of the access point • Verify that packets can be injected towards the AP • Use a program such as aireplay-ng to perform a fake authentication to the AP • Run a sniffer to collect packets with unique IVs • Use a tool (e.g. aircrack-ng) to recover the encryption key from the collected IVs
• 171. Hacking Wireless - CEH - How to crack WPA/WPA2 • WPA-PSK WPA-PSK uses a user-selected passphrase to initialise TKIP; it cannot be broken by statistical analysis of captured packets as WEP can, but the passphrase can be recovered with a dictionary or brute-force attack • Brute-force WPA Use a program such as aircrack-ng, aireplay-ng or KisMAC to try to find the key • Offline attack Collect enough packets to capture the WPA/WPA2 authentication (4-way) handshake; all the guessing is then done offline, where the AP cannot rate-limit it • De-authentication attack on connected clients Force a client already connected to the AP to disconnect and reconnect, in order to capture the authentication packets for subsequent cracking
• 172. Hacking Wireless - CEH - Methodology for wireless attacks • Locate the target Wi-Fi network • GPS mapping • Wireless network traffic analysis • Attack the Wi-Fi network • Crack the encryption used • Compromise the Wi-Fi network
• 173. Hacking Wireless - CEH - Bluetooth • Easy to use • Easy to discover • Types of attack a. BlueSmacking b. Bluejacking c. BlueSniffing d. Bluesnarfing
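An added example for the WPA-PSK cracking slide (171), not taken from the original deck: it derives the WPA/WPA2-Personal pairwise master key from a passphrase and SSID, then runs an offline dictionary attack against it. The derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes, SSID as salt) is the one the standard specifies; the SSID, passphrase and word list are constructed for the demo, and the handshake step (expanding each candidate PMK to a PTK and checking the MIC) is deliberately left out, since PBKDF2 dominates the cost per candidate.

```python
import hashlib
import time

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes),
    the WPA/WPA2-Personal derivation.  The 4096 iterations are the only
    thing slowing an attacker down; the SSID is the salt, which is why
    precomputed tables only pay off for common SSIDs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    """Offline attack: return (passphrase, candidates_tried) or (None, n).
    Nothing is sent to the AP, so nothing can rate-limit or lock out the
    attacker once the handshake has been captured."""
    for tried, word in enumerate(wordlist, 1):
        if wpa_pmk(word, ssid) == target_pmk:
            return word, tried
    return None, len(wordlist)

def demo() -> dict:
    # Constructed scenario: the network uses SSID "IEEE" and a weak passphrase.
    # In a real capture the attacker holds the 4-way handshake rather than the
    # PMK, and checks each candidate PMK by recomputing the handshake MIC.
    ssid = "IEEE"
    victim_pmk = wpa_pmk("password", ssid)
    wordlist = ["123456", "qwerty", "letmein", "password", "dragon"]  # constructed
    t0 = time.perf_counter()
    found, tried = dictionary_attack(victim_pmk, ssid, wordlist)
    per_candidate = (time.perf_counter() - t0) / tried
    # Rough cost of exhausting 8 lowercase letters with this single-threaded
    # implementation, to show why passphrase strength is the whole defence.
    years_for_8_lowercase = 26 ** 8 * per_candidate / (3600 * 24 * 365)
    return {"passphrase": found, "tried": tried, "pmk_hex": victim_pmk.hex(),
            "seconds_per_candidate": per_candidate,
            "years_for_8_lowercase": years_for_8_lowercase}

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Dedicated crackers (aircrack-ng, hashcat on GPUs) are orders of magnitude faster per candidate than this loop, but the shape of the attack is the same: a weak passphrase falls to a word list regardless of WPA vs WPA2, while a long random one does not.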
  • 174. Hacking Wireless - CEH Questions?
  • 175. Evading IDS, Firewalls, Honeypots - CEH - IDS - Firewall - Snort - HoneyPot
• 176. Evading IDS, Firewalls, Honeypots - CEH - IDS • An Intrusion Detection System (IDS) collects and analyses information from a computer or a network in order to identify possible violations of security policies • At its core an IDS is a packet sniffer that intercepts the packets travelling on, for example, a TCP/IP network • The packets are analysed after they have been captured • An IDS evaluates a suspected intrusion once it has taken place and raises an alarm
• 177. Evading IDS, Firewalls, Honeypots - CEH - Methods for identifying an intrusion • Signature recognition This type of system attempts to identify events that match known patterns of misuse of the system • Anomaly detection Attempts to identify threats by analysing deviations from the characteristic behaviour of a user or of a given component of the system • Protocol anomaly detection The models used for this type of recognition are based on the specification of the protocol in use, for example TCP/IP
• 178. Evading IDS, Firewalls, Honeypots - CEH - Types of Intrusion Detection System (1/2) • Network-based a. Typically a black box placed inside the network that captures traffic in promiscuous mode and tries to identify threats based on preset patterns • Host-based a. Listens to the events generated by a specific host b. Less commonly deployed because of the monitoring workload it puts on every host
• 179. Evading IDS, Firewalls, Honeypots - CEH - Types of Intrusion Detection System (2/2) • Log file monitoring a. A program that scans the log files looking for events that have already happened • File integrity checking a. Checks for the presence of Trojan horses or of changed files that indicate a possible intrusion b. Tripwire (http://www.tripwire.com/)
• 180. Evading IDS, Firewalls, Honeypots - CEH - Firewall • A hardware or software system designed to prevent unauthorized access to or from a private network • Placed at strategic points such as network junctions or as the network gateway • A firewall inspects all messages entering and leaving the private network, blocking those that do not meet the specified security criteria • A simple packet-filtering firewall only looks at the type of traffic (protocol), the addresses and the destination ports; it does not inspect content
• 181. Evading IDS, Firewalls, Honeypots - CEH - DeMilitarized Zone (DMZ) • The DMZ is an isolated segment of the LAN, reachable from both the internal and the external network, but the hosts in the DMZ have only limited possibilities of connecting to specific hosts on the internal network • It is created with a firewall that has at least three physical network interfaces, each assigned specific rules: Trusted (internal) network, DMZ network and Un-trusted external network (Internet)
• 182. Evading IDS, Firewalls, Honeypots - CEH - Types of Firewall (1/2) • Packet filter a. Works at the network layer of the OSI model b. Each packet is analysed according to established rules before being forwarded c. Rules can specify source/destination IP address, source/destination port and protocol type • Circuit-level gateway a. Works at the session layer of the OSI model b. Monitors the TCP handshake to identify a legitimate connection c. Information passed to the remote computer appears to originate from the gateway/firewall d. This type of firewall can mask information about the network it protects, but does not filter packets individually
• 183. Evading IDS, Firewalls, Honeypots - CEH - Types of Firewall (2/2) • Application-level a. Works at the application layer of the OSI model b. Does not allow access to services that are not proxied by the firewall c. When configured as a web proxy, services such as FTP, telnet and others are not allowed d. Operating at the application level, these devices can filter specific application commands, for example HTTP GET or POST • Stateful multilayer inspection a. Combines the functionality of the previous models b. Filters packets at the network layer, identifies legitimate sessions, and inspects content at the application layer
• 184. Evading IDS, Firewalls, Honeypots - CEH - Intrusion Detection System: Snort • Open-source IDS able to analyse traffic in real time and log network problems • Able to analyse protocols and packet contents to detect attack attempts: buffer overflows, port scans, attacks on CGI scripts, etc. • Uses its own language for writing rules • Uses of Snort a. Directly as a simple sniffer, like tcpdump b. Packet logger (for diagnosing network problems) c. As an IPS (Intrusion Prevention System)
• 185. Evading IDS, Firewalls, Honeypots - CEH - Snort rules • The rule engine lets you write custom rules specific to the type of network and the use you want to make of it • Snort rules make it possible to distinguish between normal browsing, legitimate network activity and "malicious" activity • Each rule must be contained in a single line; the parser does not accept a rule written across several lines • Snort rules are logically divided into two parts: a. Rule header: identifies the action the rule will take (alert, log, pass, activate, etc.), plus protocol, source/destination addresses and ports and the direction of traffic b. Rule options: contain the alert message and the matching criteria (e.g. content, sid)
• 186. Evading IDS, Firewalls, Honeypots - CEH - HoneyPot • A system used and configured specifically to attract and trap those who attempt to penetrate our network • Simulates a vulnerable, easily hackable system or service • Uses: a. Study of the attack methods used b. Study of the sources of attacks c. As an effective decoy to protect the real target systems • Must be positioned in a segment segregated from the production environment • Verify the legality of using this type of system
• 187. Evading IDS, Firewalls, Honeypots - CEH - Evading IDS • Identify interfaces in promiscuous mode a. AntiSniff b. NEPED (neped) anti-sniffer program • Intercept the alerts sent by the IDS • Use evasion techniques or polymorphic shellcode • Attack the IDS itself: a. Snort vulnerabilities b. Vulnerabilities in the OS or in exposed services
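To make the header/options split of slide 185 concrete, here is an added example (not from the original deck) that parses a handful of constructed rules written in Snort syntax and evaluates them against constructed packets. The rules, SIDs and packets are assumptions for the demo; the action precedence (pass before alert before log) follows Snort's default rule ordering, and the option parser is deliberately minimal (it does not handle a `;` inside a content string or modifiers such as `depth`/`offset`).

```python
import ipaddress
import re

# Constructed rules in Snort syntax (not taken from any real ruleset).
# Header: action proto src_ip src_port direction dst_ip dst_port
# Options: key:value; pairs inside parentheses.
RULES = """
alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-CGI access attempt"; content:"/cgi-bin/"; nocase; sid:1000001; rev:1;)
alert tcp any any -> 192.168.1.0/24 80 (msg:"SQL injection tautology"; content:"' or '1'='1"; nocase; sid:1000002; rev:1;)
pass tcp 10.0.0.5 any -> any 80 (msg:"scanner host whitelisted"; sid:1000003; rev:1;)
log udp any any -> any 53 (msg:"DNS query logged"; sid:1000004; rev:1;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|activate|dynamic|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Snort's default action order: pass rules win over alerts, alerts over logs.
ACTION_ORDER = ["activate", "dynamic", "pass", "drop", "sdrop", "reject", "alert", "log"]

def parse_options(text: str) -> dict:
    """'key:"value"; flag;' -> dict.  Flags without a value (nocase) map to True."""
    opts = {}
    for part in re.split(r";\s*", text.strip()):
        if not part:
            continue
        if ":" in part:
            key, value = part.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
        else:
            opts[part.strip()] = True
    return opts

def parse_rule(line: str) -> dict:
    m = HEADER_RE.match(line.strip())
    if not m:                       # a rule split over several lines ends up here
        raise ValueError(f"unparseable rule: {line!r}")
    rule = m.groupdict()
    rule["opts"] = parse_options(rule.pop("opts"))
    return rule

def load_rules(text: str) -> list:
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]

def ip_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                 # range such as 1024:65535, :1023, 1024:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def rule_matches(rule: dict, pkt: dict) -> bool:
    if rule["proto"] != pkt["proto"]:
        return False
    hit = (ip_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
           and ip_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    if not hit and rule["dir"] == "<>":   # bidirectional rule: try the reverse
        hit = (ip_matches(rule["src"], pkt["dst"]) and port_matches(rule["sport"], pkt["dport"])
               and ip_matches(rule["dst"], pkt["src"]) and port_matches(rule["dport"], pkt["sport"]))
    if not hit:
        return False
    content = rule["opts"].get("content")
    if content is None:
        return True
    if rule["opts"].get("nocase"):
        return content.lower() in pkt["payload"].lower()
    return content in pkt["payload"]

def evaluate(rules: list, pkt: dict):
    """Return (action, sid, msg) of the winning rule, or (None, None, None)."""
    for action in ACTION_ORDER:
        for rule in rules:
            if rule["action"] == action and rule_matches(rule, pkt):
                return action, rule["opts"].get("sid"), rule["opts"].get("msg")
    return None, None, None

def demo() -> list:
    rules = load_rules(RULES)
    packets = [   # constructed traffic
        {"proto": "tcp", "src": "203.0.113.7", "sport": 51000, "dst": "192.168.1.10", "dport": 80,
         "payload": "GET /CGI-BIN/test.cgi HTTP/1.1\r\n"},
        {"proto": "tcp", "src": "10.0.0.5", "sport": 40000, "dst": "192.168.1.10", "dport": 80,
         "payload": "GET /cgi-bin/x HTTP/1.1\r\n"},            # whitelisted scanner: pass wins
        {"proto": "tcp", "src": "198.51.100.2", "sport": 42000, "dst": "192.168.1.20", "dport": 80,
         "payload": "POST /login HTTP/1.1\r\n\r\nuser=admin' OR '1'='1&pass=x"},
        {"proto": "udp", "src": "192.168.1.10", "sport": 5353, "dst": "8.8.8.8", "dport": 53,
         "payload": "example.com"},
        {"proto": "tcp", "src": "198.51.100.2", "sport": 42001, "dst": "192.168.1.20", "dport": 443,
         "payload": "..."},
    ]
    return [evaluate(rules, p) for p in packets]
```

Note how the third packet is caught only because `nocase` was set: a plain `content` match is case-sensitive, and an attacker who sends `' oR '1'='1` slips past a rule without it. That is the simplest form of the evasion slide 187 refers to.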
  • 188. Evading IDS, Firewalls, Honeypots - CEH Questions?
• 189. Buffer Overflow - CEH - Defining a buffer overflow - The buffer overflow method - Identifying a buffer overflow - Countermeasures to buffer overflows
• 190. Buffer Overflow - CEH - Defining a buffer overflow • A security vulnerability that occurs when a program does not properly check the length of incoming data, but simply writes it into a fixed-length buffer, trusting that the data will not exceed the space previously allocated
• 191. Buffer Overflow - CEH - Why are programs and applications vulnerable? • Checks on the data handled are ineffective or absent in many cases • In many cases the programming languages used are themselves prone to this vulnerability (no bounds checking) • Programs and applications are not developed following security best practices • Functions such as strcat(), strcpy(), sprintf(), vsprintf(), gets(), scanf(), used in C, may be subject to buffer overflow because they do not check the length of the destination buffer
• 192. Buffer Overflow - CEH - The stack and buffer overflows • A stack buffer overflow occurs when a buffer located on the stack is written past its bounds • An attacker can exploit this to take control of the program's control flow (typically by overwriting the saved return address) and execute arbitrary code
• 193. Buffer Overflow - CEH - The heap and buffer overflows • When a program copies data into heap memory without performing the necessary checks, an attacker can exploit it to gain control of the data managed on the heap • The attacker crafts input that fills a heap buffer and overwrites the adjacent dynamic variables (or heap metadata), with effects that deviate from the program's normal execution
• 194. Buffer Overflow - CEH - The buffer overflow method • Find the presence of a possible buffer overflow and the condition that triggers it • Send more data than the program can handle • Overwrite the return address of a function • Execute your own malicious code (shellcode)
• 195. Buffer Overflow - CEH - How to identify a buffer overflow? a. Run the program on your own machine b. Feed it large amounts of data containing recognisable marker characters, for example "$$$$" at the end of a string c. If the program crashes d. Look for the marker characters in the crash dump to identify the point at which the buffer overflow is triggered e. Using a debugger (gdb, OllyDbg, etc.), analyse the behaviour of the program f. Write the exploit for the buffer overflow just found
• 196. Buffer Overflow - CEH - Countermeasures to buffer overflows • Manual code review • Compiler techniques (stack canaries) • Use libraries for secure development • Disable stack execution (NX/DEP) • Randomise stack addresses (ASLR) • Implement run-time checks
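The marker technique of slide 195 ("$$$$" at the end of the input) tells you that the overflow happened but not by how many bytes. The example below, added here and not part of the original slides, generalises it: it builds the non-repeating cyclic pattern that Metasploit's pattern_create / pwntools `cyclic` produce, so that the four bytes the debugger shows in EIP map back to a unique offset. The "program" being crashed is a constructed Python simulation of a 64-byte stack buffer followed by a saved frame pointer and a return address (an assumed layout); in practice the register value comes from gdb or OllyDbg.

```python
import string

def pattern_create(length: int) -> bytes:
    """Pattern of the kind produced by Metasploit's pattern_create.rb: the
    sequence Aa0Aa1...Aa9Ab0... in which every 3-byte window is unique for
    the first 20280 bytes, so any 4 bytes read from a crashed register
    identify their offset in the input."""
    out = bytearray()
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out += f"{a}{b}{c}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern space exhausted (max 20280 bytes)")

def pattern_offset(pattern: bytes, value: bytes) -> int:
    """Offset of `value` (bytes in memory order) inside the pattern, or -1."""
    return pattern.find(value)

def register_to_bytes(reg_value: int, width: int = 4) -> bytes:
    """A register value printed by the debugger (e.g. EIP = 0x33634132) is
    the little-endian reading of the bytes that overwrote the return address;
    reverse it to get the bytes as they appeared in the input."""
    return reg_value.to_bytes(width, "little")

# --- constructed crash simulation ----------------------------------------
# Assumed x86-style frame: 64-byte buffer, 4-byte saved EBP, 4-byte return
# address.  vulnerable_copy() does the unchecked copy and returns the value
# EIP would take on `ret`, standing in for what the debugger would show.
BUF_SIZE = 64
SAVED_EBP = 4

def vulnerable_copy(payload: bytes) -> int:
    frame = bytearray(BUF_SIZE + SAVED_EBP + 4)
    n = min(len(payload), len(frame))
    frame[:n] = payload[:n]                      # no bounds check on the buffer
    ret = bytes(frame[BUF_SIZE + SAVED_EBP:BUF_SIZE + SAVED_EBP + 4])
    return int.from_bytes(ret, "little")         # "EIP" after the crash

def find_ret_offset(total: int = 200) -> int:
    """Send a long pattern, read back EIP, recover the offset of the return
    address: the number of bytes of padding an exploit must send before the
    address of its shellcode."""
    pattern = pattern_create(total)
    eip = vulnerable_copy(pattern)
    return pattern_offset(pattern, register_to_bytes(eip))

if __name__ == "__main__":
    pat = pattern_create(200)
    eip = vulnerable_copy(pat)
    print(f"EIP = 0x{eip:08x}  bytes = {register_to_bytes(eip)!r}  "
          f"offset = {find_ret_offset()}")
```

The same pattern works for 64-bit targets (pass `width=8`), and for finding which part of the input ends up in other registers, which is how you locate a pointer to the shellcode once the return-address offset is known.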
  • 197. Buffer Overflow - CEH Questions?
• 198. Cryptography - CEH - What is encryption? • Encryption is the conversion of data into an encoded form that cannot be read without the key • Encryption can be used to protect: a. E-mail messages b. Credit card information c. Sensitive data d. etc. • Objectives of cryptography a. Confidentiality b. Integrity c. Non-repudiation d. Authenticity
• 199. Cryptography - CEH - Types of encryption • Symmetric cryptography Symmetric encryption uses the same key to encrypt and decrypt the data (secret-key, shared-key, private-key) • Asymmetric encryption Asymmetric encryption uses different keys for encryption and decryption; these keys are known as the public key and the private key (public-key cryptography) • Hash functions A hash function uses no key and neither encrypts nor decrypts: it produces a fixed-length digest of its input
• 200. Cryptography - CEH - Encryption algorithms • Encryption algorithms are used to encrypt and decrypt data • Classical algorithms a. Substitution ciphers Replace bits, characters, or blocks of characters with different bits, characters, or blocks b. Transposition ciphers The positions of the plaintext letters are rearranged (permuted) to create the ciphertext • Modern algorithms a. Based on the type of key used Private key: the same key to encrypt and decrypt Public key: two different keys, one to encrypt and one to decrypt b. Based on the type of input • Block cipher: encrypts data in blocks of fixed length • Stream cipher: encrypts a continuous stream of data
• 201. Cryptography - CEH - Symmetric encryption • Same key to encrypt and decrypt • Modes of operation: ECB, CBC and other variants • The key is difficult to distribute securely • From DES to AES a. NIST competition 1997-2001 b. Originally called Rijndael
• 202. Cryptography - CEH - Asymmetric encryption • ECDSA: based on elliptic curves • RSA: based on the difficulty of factoring the product of two large primes • Two keys, public and private a. What is encrypted with the private key is decrypted with the public key (the basis of digital signatures) b. What is encrypted with the public key is decrypted with the private key (confidentiality)
• 203. Cryptography - CEH - Hash • From a text, a unique fixed-length "number" that cannot be reversed • The limit of hashes: collisions • Hash algorithms: a. MD5 (broken: collisions are practical) b. SHA-1 (deprecated: collisions have been demonstrated) c. etc.
• 204. Cryptography - CEH - Symmetric + Asymmetric + Hash • Certificates • Digital signatures • Strong authentication - Uses: • GSM • SSL • Etc.
  • 205. Cryptography - CEH Questions?
• 206. Pen Testing - CEH - Penetration Test • A pentest simulates the methods used by intruders to gain unauthorized access to an organisation's network and resources, with the aim of compromising data and information • When carrying out security tests, the tester is limited by the available resources, such as time, expertise and access to equipment, as specified in the indemnity (authorisation) document • Many attacks follow a common approach to breaching the security of a system
• 207. Pen Testing - CEH - Security assessments • Every organisation uses different types of security assessment to validate the security level of the resources within its network • Categories of security assessment: a. Security audit b. Vulnerability assessment c. Penetration testing • Each type of security assessment requires a different skill level from those who conduct the tests
• 208. Pen Testing - CEH - Vulnerability assessment • Network scanning • Scanning tools • Security errors (misconfigurations) • Testing systems and networks
• 209. Pen Testing - CEH - Limitations of vulnerability assessment • The scanning programs used to identify vulnerabilities give a snapshot valid only at a given point in time • They need to be updated when new vulnerabilities or new functionality appear • This affects the result of the evaluation • The methodologies used by the various software products, and the options chosen, may give different results
• 210. Pen Testing - CEH - Penetration testing • A pentest not carried out professionally can cause serious disruption to normal service delivery • A pentest verifies the company's security model as a whole • It detects potential threats that would be exploited in a real attack • Testers differ from attackers only in the purpose of their actions (and the authorisation they hold)
• 211. Pen Testing - CEH - What should be tested? • Communication errors, e-commerce abuse, loss of credentials, etc. • Publicly exposed systems: websites, mail servers, remote-access platforms (RDP, VPN, etc.) • Mail, DNS, firewalls, passwords, FTP, IIS and web servers
• 212. Pen Testing - CEH - What makes a pentest reliable? • Establish a precise perimeter for the pentest: objectives, limitations, justification of the procedures used • Rely on experienced and competent professionals to perform the tests • Choose a suitable set of tests that balances costs and benefits • Follow planned and well-documented methodologies • Document the results completely and exhaustively, but above all in a way the final customer can understand • Clearly highlight in the final report the potential risks and the solutions to the vulnerabilities found
• 213. Pen Testing - CEH - Types of penetration testing (1/2) • External a. An external pentest analyses all the publicly reachable information regarding the target (e.g. mail server, web server, firewall, router, etc.) b. It is the traditional approach to penetration testing c. The tests focus only on the servers, the infrastructure and the basic software of the target d. The tests may be done: • without any prior information about the target (black box) • with comprehensive information about the type of environment that will be tested (grey/white box)
• 214. Pen Testing - CEH - Types of penetration testing (2/2) • Internal a. The tests are carried out from every possible point of access b. Within the organisation: test access from external locations, branch offices, the DMZ, etc. c. The tests basically follow the methods used for external testing, but add a much more comprehensive view of the infrastructure
• 215. Pen Testing - CEH - Black-box penetration testing • No knowledge of the infrastructure to be tested • Usually only the company name is provided • The tests faithfully simulate a real attack • Requires a considerable amount of time spent on information gathering and understanding the infrastructure to be tested • It is an expensive and time-consuming type of test
• 216. Pen Testing - CEH - Grey-box penetration testing • Limited knowledge of the infrastructure to be tested • Performs internal security assessment and testing • Focused on the security of the applications, targeting all the possible vulnerabilities an attacker could exploit • It is mostly performed when, starting from a black-box test, a deeper understanding of a well-protected system is needed in order to investigate possible vulnerabilities further
• 217. Pen Testing - CEH - White-box penetration testing • Complete knowledge of the infrastructure to be tested • The tests simulate actions that could be carried out by the company's own employees • The preliminary information provided: a. The company's infrastructure b. Type of network c. The security measures in place d. Firewalls, network addressing, IDS, etc. e. The company policy on what may and may not be done
• 218. Pen Testing - CEH - Stages of a penetration test (1/3) • Pre-attack phase a. Deals with how the test will be conducted and the objectives to be achieved b. Gathering information about the target is considered essential in this initial phase c. An attack plan to follow is formulated d. Can be of two types: Passive reconnaissance: collect target information from public sources Active reconnaissance: collect information through social-network posts, social engineering, visited web sites, interviews, questionnaires, etc.
• 219. Pen Testing - CEH - Stages of a penetration test (2/3) • Attack phase a. Penetrate the perimeter to gain unauthorised access to the network b. Acquire the various targets c. Compromise systems, access the managed data, run exploits, etc. d. Escalate privileges
• 220. Pen Testing - CEH - Stages of a penetration test (3/3) • Post-attack phase a. The most critical part of the whole process b. Consists in "cleaning up" the traces of the actions taken by the tester, in order to return the systems to their state before testing c. The actions include: • Removal of files copied onto the systems • Cleaning of logs (or registry entries) and of any vulnerabilities introduced • Removal of any exploits or programs used • Disabling any shares or unauthorised connections • Analysis of the results found and presentation to the customer
  • 221. Pen Testing - CEH Questions?
• 222. Thank you Take the basic course on "Penetration test": https://www.udemy.com/basic-professional-penetration-tests/?couponCode=HACKING%408 Hacking Basic Professional Penetration Test Designed to teach penetration testing and web security, a good way to become a Certified Ethical Hacker! Price lowered to $8