
Certified Ethical Hacker - CEH
https://www.safaribooksonline.com/library/view/learning-path-certified/9780134677552/

Authors: Serena Mancini & Ander Schiavella

Table of contents

Module 1 - Security Essentials


Lesson 1: Course Overview …………………………………………………………3
Lesson 2: Introduction to Ethical Hacking …………………………………………5
Lesson 3: Footprinting and Recon …………………………………………………7
Lesson 4: Scanning Networks……………………………………………………...10
Module 2 - System Security
Lesson 5: Enumeration……………………………………………………………...16
Lesson 6: System Hacking………………………………………………….………20
Lesson 7: Malware Threats………………………………………………………....29
Lesson 8: Sniffing…………………………………………………………………....34
Lesson 9: Social Engineering …………………………………………………...…38
Module 3 - Network Security
Lesson 10: Denial of Service (DoS) ………………………………………………42
Lesson 11: Session Hijacking………………………………………………..…....45
Module 4 - Web Service
Lesson 12: Hacking Webservers…………………………………………………..49
Lesson 13: Hacking Web Applications ……………………………………………52
Lesson 14: SQL Injection …………………………………………………………..54
Module 5 - Wireless and Internet Security
Lesson 15: Hacking Wireless ……………………………………………………...57
Lesson 16: IDS, Firewalls and Honeypots …………………………………….....60
Lesson 17: Cloud Computing ……………………………………………………...63
Lesson 18: Cryptography …………………………………………………………..64

Lesson 1: Course Overview

Learn everything you need to know to pass the Certified Ethical Hacker exam in under
10 hours. Understand the basics of network and Internet accessible application
technologies, common discovery, and analysis techniques as well as more advanced
security concepts such as malware and cryptography.

Description
The Certified Ethical Hacker (CEH) Complete Video Course provides a complete
overview of the topics contained in the EC-Council Blueprint for the CEH exam. With 5
modules containing more than 10 hours of training, this course covers all concepts in
the objectives so you can master the knowledge you need to pass the exam. The
course begins with a general overview of security essentials. You then explore system,
network, and web services security before diving into wireless and Internet security.
This course provides the breadth of coverage necessary to learn the full security
concepts behind the CEH exam. It also helps prepare you for a career as a security
professional.

Topics include
Module 1: Security Essentials
Module 2: Systems Security
Module 3: Network Security
Module 4: Web Services Security
Module 5: Wireless and Internet Security

Course Requirements
Anyone interested in earning a Certified Ethical Hacker (CEH) certification must attend
training through EC-Council or show that they have 5 years of information security
experience in each of the 5 CCISO domains via the application form. Please go to the
EC-Council website for more information.

Areas of focus

Lesson 2: Introduction to Ethical Hacking

Hacking: illegally exploiting vulnerabilities to gather information for whatever reason.


Ethical Hacking: use the same tools to validate the system security.

2.2 Attack vectors: the path by which a hacker can gain access to a host in order to
deliver a payload or malicious code.

2.4 Ethical Hacking: Attack Phases

2.5 Attack Types

Classified into 4 buckets:

1- Operating System: access exploiting a flaw in the operating system itself.


2- Application Attacks: access exploiting a flaw in an application on a system.
3- Shrinkwrap Code: attack a system by using a vulnerability in a product directly after
it has been installed.
4- Misconfiguration: gaining access to a system by exploiting a misconfiguration.

Lesson 3: Footprinting and Recon

The goal of footprinting is gathering information about:


- Network (DNS, IP, systems, IDS, protocols)
- Organization (structure, websites, names)
- Hosts (open ports, operating system in use)

How to gather information:

- 3.4 Search engines (Google, using Google search operators; Wikipedia; Google
Maps for geo-info)

- 3.5 Finding people (LinkedIn is an excellent tool for finding people in a
company; from the name you can then find phone numbers, websites,
addresses, social network pages)

- 3.6 Competitive intelligence (gain info from the victim's competitors)

- 3.7 Website analysis (using a packet sniffer and developer tools, a hacker can
gain info about content types, OS, software versions and cookies)

- 3.8 Email tracking (tools: YesWare, HubSpot, BananaTag, GetNotify,
ReadNotify, WhoReadMe, MsgTag, DidTheyReadIt)

- 3.9 Network discovery
Items to discover:
- IP addresses → discover the IPs of an organization
In Kali: host apple.com
Then look up more info at the RIR (ARIN for North America, RIPE NCC for
Europe)
- Host OS → info about the host operating system using:
Netcraft (online app)
Shodan (online app)
Nmap (to scan yourself)
In Kali: nmap -A -T4 scanme.nmap.org
- Routing paths → to learn the route packets take through a network
UDP traceroute (*nix systems): traceroute 8.8.8.8
ICMP traceroute (Windows): tracert 8.8.8.8
TCP traceroute: tctrace
Graphical applications: Open Visual Trace Route, VisualRoute

- 3.10 DNS/Whois
Info about a domain: dig ANY google.com
More domain info: whois google.com

- 3.11 Social engineering (gather info from a target through physical or verbal
interaction: e.g. using trick questions)
- 3.12 Employees' online activities (analysis of social networks: employees love
sharing; and analysis of online company info: open positions, services, ...)

3.13 Footprinting tools

3.14 Footprinting countermeasures
- Disable unnecessary services
- Approach the system(s) as an attacker to determine what info is exposed
- Consider using a Host Intrusion Prevention System
- Use IPSec VPN when outside enterprise network
- Have a security policy
- Audit yourself
- Educate employees

3.15 Footprinting steps

Lesson 4: Scanning Networks

Network scanning is the use of a computer system to systematically probe a target
network to gather information about its systems.

Port scanning: search for available services


Vulnerability scanning: check if the system is actually vulnerable

4.2 Network scanning techniques

There are 2 main scanning techniques:

Discover live systems:
To discover whether a host is alive: ping 10.1.1.1
Not only ping: what is exchanged is an ICMP ECHO REQUEST & ECHO REPLY
PING SWEEP to ping an entire network, using the nmap command:
nmap -sP NETWORK-ADDRESS/NETMASK (-sP is the older name of -sn, host discovery
without a port scan)

Discover Open Ports:
In order to establish a connection and exchange data using TCP, hosts must first
complete a three-way handshake (to synchronize sequence numbers): SYN / SYN-ACK /
ACK
4.4 & 4.5 TCP scan techniques

Network scanning - tools:


- Network Tools Pro
- Netifera
- Nmap
- SoftPerfect Network Scanner
- PRTG Network Monitor
- Advanced Port Scanner

4.6 NMAP (scanning tool)

nmap -sT IP-ADDRESS → -sT stands for TCP Connect scan

nmap -sT -p 1-2000 -P0 IP-ADDRESS → -p 1-2000 to scan only this range of ports;
-P0 to skip pinging each address (by default nmap pings first; -Pn is the current
name of this option)
nmap -v -A IP-ADDRESS → -v for verbose output; -A enables OS detection (together
with version detection, script scanning and traceroute)
e.g. try: nmap -v -A scanme.nmap.org
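The notes above describe the attacker's side (connect scans, ping sweeps) and list stateful firewalls and IDS/IPS as the countermeasure. The following is an added example, not code from the course, showing the detection side: it reads firewall-style log lines of incoming TCP SYNs and flags any source that touches more than a threshold of distinct ports on one host inside a sliding time window. The log format, the thresholds and the sample addresses are assumptions made for this example; the log lines are constructed, not captured traffic.

```python
"""Port-scan detection over firewall-style log lines (added example).

Any source that touches more than SCAN_PORT_THRESHOLD distinct ports on
one destination inside WINDOW_SECONDS is reported.  Log format,
thresholds and addresses are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORT_THRESHOLD = 10   # distinct ports per (src, dst) that trips an alert
WINDOW_SECONDS = 60        # sliding window length

# Constructed sample log (not captured traffic), one line per TCP SYN seen:
#   "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = "\n".join(
    # a fast connect scan: 15 ports on one host within 15 seconds
    [f"2024-01-01T10:00:{i:02d} 203.0.113.5 -> 192.0.2.10:{20 + i}" for i in range(15)]
    # a normal client talking to the web server repeatedly
    + [f"2024-01-01T10:00:{i:02d} 198.51.100.7 -> 192.0.2.10:443" for i in range(5)]
    # a slow scan: one port every 30 s, so at most 3 fall inside any 60 s window
    + [f"2024-01-01T10:{i // 2:02d}:{(i % 2) * 30:02d} 203.0.113.9 -> 192.0.2.10:{1000 + i}"
       for i in range(6)]
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for one log line."""
    ts, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_port_scans(log_text, threshold=SCAN_PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dst): max_distinct_ports} for pairs that exceed the threshold.

    Events are grouped per (src, dst) and sorted by time; a sliding window
    drops events older than `window` seconds before counting distinct ports,
    so a slow scan spread over minutes stays below the threshold.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            events[(src, dst)].append((ts, port))

    alerts = {}
    span = timedelta(seconds=window)
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > span:
                start += 1
            distinct = {port for _, port in evs[start:end + 1]}
            if len(distinct) > threshold:
                alerts[pair] = max(len(distinct), alerts.get(pair, 0))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} ({n} distinct ports)")
```

The slow scanner in the sample is deliberately below the threshold: that is the usual trade-off with window-based detection, and the reason the countermeasures list also includes scanning your own assets.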

4.5 Countermeasures
- Use stateful firewalls
- Update Intrusion Detection Systems/ Intrusion Prevention Systems
- Scan your assets, from inside and outside
- Filter ICMP
- Employ HIPS with behaviour monitoring

4.7 IDS Evasion


- Packet fragmentation
- IP spoofing (e.g. IDLE scan)
- Use proxy server → still detected, source concealed
- Source Routing → still detected, source concealed

4.8 Banner Grabbing


Active → probe the system (nmap, telnet, netcat)
Passive → find info from other source (netcraft)

4.9 Vulnerability Scanning


Checking for the existence of vulnerabilities in a system.
Several tools:
- Saint (commercial)
- Nessus (commercial)
- GFI LanGuard (commercial)
Other tools:

In the exam you don’t have to use them but you must be aware of they exist and their
names.

4.10 Network diagramming


Drawing the network is a crucial step for understanding the target deeply.
Tools:
- Solarwinds (commercial)
- ManageEngine (commercial)
- The Dude (free)

4.11 Proxies
A proxy is a system that forwards traffic on your behalf. Proxies are used to hide the
source IP. Chaining proxies consists of using several successive proxies in order to
obfuscate the source further.
Tools:
- Proxy Workbench
- Proxifier
- Proxy Switcher
- TOR project (onion routing)
Other tools:

4.12 HTTP and SSH tunneling

Tools: Super Network Tunnel, HTTP-Tunnel

In kali: ssh -L 5900:10.1.1.20:5900 nick@10.1.1.10
In Windows: Bitvise, Putty

4.13 Anonymizers
For hiding the source of traffic.
For the exam, you should just be aware that they exist (you don’t have to use them).
Tools:
- Psiphon
- Your Freedom
Other tools:

4.14 IP Spoofing
IP Spoofing is the technique of modifying the source IP address of a packet to appear
to be a different host.
Spoofing source IPs is easy; getting a response is hard.

How to detect spoofing:


- Time To Live (TTL) check
- IP ID check
- TCP flow control

4.15 Scanning steps

Lesson 5: Enumeration

After footprinting and the scanning phase, a hacker has to gain more specific
information about hosts and devices in the network. → ENUMERATION.
Enumeration techniques:
- Default passwords
- User group extraction
- Username from email
- SNMP walking
- Active directory
- DNS zone transfer

5.2 NetBios Enumeration

A hacker can get information from NetBIOS (commonly running on Windows systems)
using the following tools:

5.3 Users and default passwords

There are tools which are able to gather info from remote hosts (for example which
applications are running). One of these is PsExec.

Routers often have default passwords configured: a good method to find these
passwords is simply to google them.

5.4 SNMP (Simple Network Management Protocol) Enumeration

SNMP runs on network devices and is a protocol for managing and monitoring
network devices. The protocol is used both to gather info about the configuration and
to change this configuration.
The command used to obtain info is snmpwalk: with it you can gather information
about the device (which must be running SNMP!).

For example with this command you can get the version of the OS running on a
particular device:
snmpwalk -v2c -c public IP-ADDRESS | grep Version

5.5 Linux Enumeration


Some commands to use on Linux. They can reveal information about the users.

finger @IP-address → info about users on the system

rpcinfo -p IP-address → info about RPC endpoints on the system

rpcclient $> netshareenum → get a list of hosted shares

showmount -e IP-address → displays the NFS (Network File System) shares available

enum4linux -v IP-address → enum4linux is a script for Linux that automatically runs
all the previous commands (and other commands as well)

5.6 LDAP, NTP, SMTP, DNS enumeration

LDAP (Lightweight Directory Access Protocol) → for maintaining and accessing directory
information. It allows gathering names, managers, telephone numbers, ...
Tools:

Countermeasures:
- Allow queries only from authenticated domain users
- Use LDAPS
- Disable File/Printer Sharing

NTP (Network Time Protocol) → for network time synchronization


Tools:
ntptrace, ntpdc, ntpq, ntpdate

SMTP (Simple Mail Transfer Protocol) → For sending emails


Tools:
- Netscan Tools Pro

Countermeasures:
- Silently ignore unknown recipients
- Disable relay for other domains

DNS (Domain Name System) → for translating domain names to IP addresses


Tool:
- dig axfr DOMAIN @NAMESERVER
Countermeasures:
- Disable Zone Transfer
- Don’t share internal IP addresses

- Don’t use personal names when registering domains

Lesson 6: System Hacking

6.2 Password Cracking


This video is a demo of cracking Windows passwords with the tool Ophcrack. This
tool is available for both Windows and Kali Linux.

Sometimes systems use an additional parameter (Salt) to store password in database:
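Ophcrack works from precomputed (rainbow) tables, which only pay off when the stored hash depends on nothing but the password. The following is an added example, not code from the course, showing why the salt mentioned above defeats that: with an unsalted hash, two users who chose the same password share one stored value and a single table lookup exposes both; with PBKDF2 and a per-user random salt, the same password yields unrelated stored values, so no table can be precomputed. The user names, passwords and iteration count are constructed for the example.

```python
"""Why a salt matters when storing passwords (added example).

Unsalted: one table lookup recovers every user with the same password.
Salted PBKDF2: every user gets a different stored value for the same
password, so tables cannot be precomputed.  Accounts are constructed.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor (assumption; tune for your hardware)

# Constructed sample accounts: two users picked the same password
PASSWORDS = {"alice": "Winter2024!", "bob": "Winter2024!"}


def unsalted_hash(password):
    """Legacy scheme: a single unsalted SHA-256. Equal passwords -> equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password, salt, expected, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def build_lookup_table(candidates):
    """Precomputed hash -> password map (the idea behind a rainbow table, simplified)."""
    return {unsalted_hash(p): p for p in candidates}


def lookup_unsalted(stored, table):
    """Resolve unsalted stored hashes by table lookup; no hashing at lookup time."""
    return {user: table.get(h) for user, h in stored.items()}


def unsalted_hashes_collide():
    """True: alice and bob share one stored hash, so one lookup exposes both."""
    return unsalted_hash(PASSWORDS["alice"]) == unsalted_hash(PASSWORDS["bob"])


def salted_hashes_differ():
    """True: the same password salted twice yields two unrelated stored values."""
    _, a = salted_hash(PASSWORDS["alice"])
    _, b = salted_hash(PASSWORDS["bob"])
    return a != b


if __name__ == "__main__":
    print("unsalted hashes collide:", unsalted_hashes_collide())
    print("salted hashes differ:   ", salted_hashes_differ())
```

The salt is stored next to the hash in clear; it is not a secret. Its job is only to make every stored value unique, which forces an attacker to run the full PBKDF2 work for each user separately.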

6.3 KeyLoggers and Anti-KeyLoggers

Hardware Keystroke logger

- PC/BIOS
- Keyboard
- External

External keystroke loggers are listed here:

Keylogger Defense (Hardware-based):

Software Keystroke loggers


Software on the system that is able to log keystrokes:

The defense against Software Keystroke loggers:

Anti KeyLoggers tools:


CoDefender, GuardedID, PrivacyKeyboard, KeyScrambler, Anti-KeyLogger, SpyShelter

6.4 Microsoft authentication


Credentials stored in SAM (Security Accounts Manager) and in the Active Directory
Database.
Authentication methods:
- NTLM → challenge response protocol
- Kerberos → use tickets for the authentication

6.6 Privilege Escalation


2 types of escalation:

- Horizontal: get access to another user's account

- Vertical: get access to admin (Windows) or root (Linux)

It is accomplished by injecting malware into DLLs (automatically executed when the
application initializes), exploiting software vulnerabilities, or bypassing User
Account Control (running programs as administrator → see sudo for Linux)

Tools:

Escalation defense:

6.7 Executing Applications


The execution of applications by a hacker is often accomplished remotely.

Goals:
- Gather more information (spyware: video, audio, USB-launched, GPS)
- Create backdoors
- Launch additional attacks

Execution tools (you get access to the system and then install them to have remote
access):
- PsExec
- Remote-Exec
- PDQ Deploy
- Dame-ware

6.8 Rootkits & Anti-Rootkits

A rootkit is software that gives the attacker further advantages after the attack is
accomplished:
- Gain admin privileges
- Gain additional data
- Monitor network traffic
- Launch attacks to other hosts

Some examples of Rootkit actions:

Defense against Rootkits:
- Avoid untrusted downloads
- Use Firewalls
- Verify all software before installing (install only the necessary one)
- Choose antivirus that protects from Rootkits

6.9 NTFS stream manipulation


It’s possible to determine if a critical file has been changed thanks to the file metadata.
NTFS Alternate Data Streams (NTFS ADS) allow a file’s content to be changed
without changing the file metadata.
This allows the injection of malicious code.

Some tools to detect NTFS ADS:

6.10 Steganography
It’s the art of hiding a message or information within other data
(doc, txt, img, audio, video...).
It’s used when the attacker accesses information and won’t make use of it
right away: so he hides it for later use.

Cover mediums and respective tools in the next table:

On the other hand, steganalysis is the art of discovering these hidden messages and is
typically done by statistical analysis of files.
Tools for steganalysis:

6.11 Covering tracks

The most common techniques for covering tracks are:


- Delete log entries (Windows Event Viewer or /var/log in Linux)
- Change log entries (better than deleting because you don’t leave any “hole” in
the entries)
- Disable auditing processes (no logs at all)
- Delete command history (clear MRU in Windows and shred -zu /root/.bash_history
in Linux)

Tools:
- clearlogs.exe
- meterpreter
- CCleaner
- MRU-Blaster
- BleachBit
- ClearProg

6.12 System Hacking


Some steps for hacking a system:
1) Crack passwords
2) Escalate privileges
3) Execute applications
4) Hide files
5) Cover tracks

Lesson 7: Malware threats

- Trojan (appears to be a normal program, but is destructive; may provide
unauthorized access to the hacker; does not replicate itself; spread via social
engineering)
Types of Trojans:

- Virus (malicious software code attached to another program; designed to
replicate itself; infects data files; spread via social engineering)
Types of Virus:

- Worm

- Adware (advertising products)
- Backdoor (allow the attacker to get access in the future by other ways)
- Spyware
- Botnet (it’s not software)
- Crypter (use encryption technology for bad purposes)
- Rootkit (provide more access to an already compromised system)

Malware actions:

7.2 Indications of infection

7.3 Common Ports for Malware
The range of ports (0-65535) is divided into 3 main blocks:
- WELL-KNOWN PORTS (0-1023) → long-established basic services
- REGISTERED PORTS (1024-49151) → registered to specific services, but other
services may use them
- PRIVATE PORTS (49152-65535) → not assigned to any specific service

Port scanning tools can be used to determine open ports: once infected, a host may
open additional ports.
At www.anti-trojan.org/port_opened.html you can find a list of Trojans and the ports that
they use for attacking.

7.4 How malware gets into a system

7.5 How to detect
Scan for suspicious:
1) Open ports
Port scanner: CurrPorts, nmap, TCPView
2) Processes
Process scanner: HijackThis, Security task Manager, Microsoft Process Explorer,
Autoruns, OpManager, YAPM
3) Registry entries
Registry scanners: Registry Viewer, Alien Registry Viewer, Active Registry
Monitor, RegScanner
4) Startup programs
Startup Program Scanners: WinPatrol, Startup Manager, Startup Booster,
ActiveStartup
5) Services
Windows service scanners: Process Hacker, Service+, Nagios XI, SMART,
ServiWin, SrvMan
6) Drivers
Drivers scanner: Driver Reviver, My Drivers, Driver-View, Driver-Easy
7) Folder & Files
Folder & File scanners: Tripwire, FastSum, FCIV, SIGVERIF, WinMD5
8) Network activity

7.6 Trojan Horse Construction with Metasploit Demo

7.8 Malware Analysis


1) Use reverse engineering (break down the code) to determine what the malware
is doing
2) Use online tools that examine the code for you and compare it with other
known malware:
a) Akana
b) Detux
c) Joe Sandbox
d) Binary Guard
e) Threat Expert

7.9 Countermeasures

7.10 Penetration Testing

Procedure for Backdoors and Trojans:


SCAN → ISOLATE → RESOLVE

Procedure for Virus:


ANTI-VIRUS → SCAN → ISOLATE & RESOLVE

Lesson 8: Sniffing

Sniffing is about watching traffic on the network, for both legitimate and illegitimate uses.
Wiretapping is also considered a sniffing technique.
Packets can be sniffed for lawful purposes (authorization is needed).

8.2 Sniffing Attack types

PASSIVE SNIFFING: when the sniffer is silent. Use of hubs or taps.

With hubs, all hosts in a network see all traffic: a hub replicates every frame to every
port except the source one.
Taps are hardware devices that sit in line with the communication media and replicate
the bits on the wire.

ACTIVE SNIFFING: primarily used on networks that use Layer 2 switches, where the
attacker poisons protocols to redirect traffic to himself. This kind of sniffing is
detectable on a network.
Switches differ from hubs because they forward intelligently by looking at MAC
addresses.
Active sniffing techniques → MAC flood, MAC duplication, ARP spoof, DHCP starvation

Sniffing packets is crucial for a hacker’s background: he can see what’s going on in the
network, but he can also steal a lot of sensitive information. Many protocols carry
usernames and passwords in clear text → Telnet, POP, IMAP, SMTP, HTTP, NNTP,
FTP.

8.3 Protocol analyzers


Tools able to capture traffic and analyze it: tcpdump, Wireshark, SoftPerfect Network
Protocol Analyzer.

8.4 MAC Flooding


MAC Flooding is an attack on the CAM tables of switches, which can hold a maximum
number of entries. We have a flood when the number of entries exceeds this maximum.
An attacker can then send a lot of ARP requests to induce this flood. When flooded,
the switch starts sending traffic out of every port, and the attacker can capture the
traffic if he is listening on at least one port.
Tools for MAC flooding:
Macof, Yersinia
Defense against MAC flooding:
Operate on ports → establish a maximum number of MAC addresses for every port

8.5 DHCP attacks
DHCP can be used to influence a switch/host to send traffic to us. The method consists
of spoofing a DHCP offer by “winning the race” against the DHCP server when a request
is sent. If the attacker gets his reply in before the server, he can set himself as the
default gateway and receive all the traffic from that particular switch/host.

DHCP starvation is another method, used for DoS attacks. We spoof the source address
and ask for many addresses with the goal of exhausting the available IP addresses. This
is not a sniffing technique.

8.6 ARP spoofing and poisoning


Another sniffing method is to manipulate the ARP cache of a host in a network. When a
host sends an ARP request (for example for the default gateway), the attacker sends
an unsolicited ARP reply declaring that he is the gateway. If he spoofs the gateway as
well, he becomes a perfect man-in-the-middle. From this point he can modify traffic in
flight, sniff packets and hijack sessions.

Attack tools: Ettercap


Countermeasure tool: XArp
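XArp is named above as the countermeasure tool; what such a tool does is watch ARP replies and complain when they contradict what the host already knows. The following is an added example, not code from the course or from XArp, of that host-side logic: it pins static entries for critical hosts such as the default gateway, remembers the first IP-to-MAC binding it learns, and raises an alert when a reply contradicts a static entry, changes a learned binding, or creates a binding nobody asked for (the unsolicited reply described above). The ARP records, addresses and MACs are constructed.

```python
"""ARP-spoofing detection, the idea behind a tool such as XArp (added example).

The monitor alerts on (a) a reply that contradicts a static entry,
(b) a change of an already learned IP -> MAC binding, and (c) an
unsolicited reply that creates a new binding.  Records are constructed.
"""

# Constructed ARP replies as seen by the monitored host (not a capture):
#   (seq, sender_ip, sender_mac, we_had_asked)
# we_had_asked: True if this host had an outstanding ARP request for sender_ip.
SAMPLE_ARP = [
    (1, "10.1.1.1", "00:11:22:33:44:01", True),    # genuine gateway reply
    (2, "10.1.1.20", "00:11:22:33:44:20", True),   # another host, solicited
    (3, "10.1.1.1", "00:11:22:33:44:01", True),    # gateway again, same MAC
    (4, "10.1.1.1", "de:ad:be:ef:00:99", False),   # unsolicited reply: "I am the gateway"
    (5, "10.1.1.30", "00:11:22:33:44:30", False),  # unsolicited but first-seen host
]

# Gateway pinned by the administrator (assumption for the example)
STATIC_ENTRIES = {"10.1.1.1": "00:11:22:33:44:01"}


class ArpMonitor:
    def __init__(self, static=None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.learned = {}  # ip -> first MAC seen

    def observe(self, seq, ip, mac, we_had_asked):
        """Process one ARP reply; return the list of (seq, code, detail) alerts it raised."""
        mac = mac.lower()
        alerts = []
        if ip in self.static and self.static[ip] != mac:
            alerts.append((seq, "static-mismatch",
                           f"{ip} claimed by {mac}, static entry is {self.static[ip]}"))
        known = self.learned.get(ip)
        if known is None:
            if not we_had_asked:
                alerts.append((seq, "unsolicited-new", f"unsolicited reply bound {ip} -> {mac}"))
            self.learned[ip] = mac  # the first binding sticks; later conflicts keep alerting
        elif known != mac:
            alerts.append((seq, "binding-change", f"{ip} moved from {known} to {mac}"))
        return alerts


def run_monitor(records=SAMPLE_ARP, static=STATIC_ENTRIES):
    """Feed all records through one monitor and collect every alert."""
    monitor = ArpMonitor(static)
    alerts = []
    for seq, ip, mac, asked in records:
        alerts.extend(monitor.observe(seq, ip, mac, asked))
    return alerts


if __name__ == "__main__":
    for seq, code, detail in run_monitor():
        print(f"ARP alert #{seq} [{code}]: {detail}")
```

Record 5 shows the expected false-positive class: a host that announces itself at boot also sends an unsolicited reply, so the "unsolicited-new" code is a lower-severity signal than "static-mismatch" on the gateway.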

8.7 MAC spoofing


It’s the impersonation of another user using her/his MAC address.

Tools: Technitium MAC Address Changer, used for modifying the MAC address

8.8 DNS spoofing


Method to get people to send us traffic.
Three areas of focus:
- Man-in-the-middle → as with DHCP, the goal is winning the race against the DNS
server in answering a request. The attacker has to be sure the victim will accept
the reply.
- Cache poisoning → manipulate the cache on a resolver that uses recursive
DNS queries. If the attacker responds before the authoritative name server,
he can resolve the domain himself.
- Proxy server → more about manipulating a host’s proxy server settings to get it
to send traffic to you.

To protect yourself against DNS spoofing:


- Use iACL to filter DNS request/responses

- Use IDS and firewalls
- Use host protection software
- Use DNSSEC → DNS security with authenticated requests and responses

8.9 Sniffing tools

- Wireshark (graphical tool) + demo


- Tcpdump (command line tool) + demo
tcpdump -i eth0 → display traffic
tcpdump -i eth0 -nn → display traffic (no names)
tcpdump -i eth0 -nnvv → display traffic (no names + verbose)
tcpdump -i eth0 -nnvvX → display traffic (no names + verbose + data info)
tcpdump -i eth0 -nnvvX tcp port 23 → display only TCP traffic (no names +
verbose + data info)
- Riverbed SteelCentral (commercial sniffer)
- Omnipeek Network Analyzer (from Savvius, commercial sniffer)
- Capsa Network Analyzer (from Colasoft, commercial sniffer)
- Observer Analyzer (from Viavi Solution, commercial sniffer)
- Colasoft Packet Builder (free & commercial options)

8.10 Sniffing detection and defense


A few techniques can be used to detect active sniffing:
- Ping Method: craft echo request to suspect sniffer
- DNS Method: it relies on a common default setting of sniffing applications:
Reverse DNS IP/Name resolution
- ARP Method: send non-broadcast ARP Reply to a bogus MAC address,
promiscuous NIC receives and passes to kernel, ARP cache entry created, send
ICMP Echo Request

8.11 Penetration testing

Lesson 9: Social Engineering

Goal: Compromise security by tricking people into breaking security policy.


Impact of social engineering hack: financial loss, physical damage, loss of property,
loss of data, loss of reputation, loss of privacy, lawsuits, business shut down.
Life cycle:

Target: everyone!
Common targets:

9.3 Techniques
There are 3 primary types:
- Computer-based

- Human-based

(NLP = Neuro Linguistic Programming & RSE = Reverse Social Engineering)

- Mobile-based

9.4 Social engineering sites
Social sites allow collecting user data.
1) Facebook (fake companies pages, fake group pages, fake profiles)
2) Twitter
3) Linkedin
4) Google+

9.5 Identity theft


Identity theft steps:
1) Research info
(with social media, web search and dumpster diving)
2) Gather info
(with DMV, SSA and other government orgs)
3) Apply
(at banks, credit card companies and department stores)
4) Damage
(financial damage, the ability of borrow goes down, bankruptcy)

Some advice to minimize the risks:


- Keep personal information secure
- Use advanced security techniques offered by bank
- Check credit reports regularly
- Avoid signing up for mailing or phone lists
- Avoid sensitive data storage on remote locations
- Shred doc that contain sensitive info
- Verify all request for personal/company info

9.6 Countermeasures

Lesson 10: Denial-of-Service (DoS)

Purposeful attack on a network or resource to prevent legitimate access.

Distributed Denial of Service (DDoS) = similar to DoS, but it uses many sources
(zombies, often unaware).
Symptoms: network unavailable, abnormally slow connectivity, IP-based services
unavailable
Effects: financial loss, loss of customers, network disabled and organization disabled

10.2 DoS Techniques


- SYN Flooding
Use of spoofed sources → server connection table maxed out → server cannot
accept new connections
- Service Request Floods
Use of valid sources → create many connections to a service
- Application Level DoS
DoS to an application by exploiting a vulnerability
- Bandwidth Overload
Distributed system of computers (attackers)
- ICMP Flooding
Many ICMP requests
- Permanent DoS
A.K.A. Phlashing; intent: permanently disable the service
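SYN flooding, the first technique in the list, works because each spoofed SYN leaves a half-open entry in the server's connection table that the final ACK never clears. The following is an added example, not code from the course, of the "activity profiling" detection named later in this lesson applied to that symptom: it replays server-side handshake events, keeps a pending entry per client from SYN until the completing ACK, expires entries older than a timeout the way the server would, and reports any destination whose half-open count exceeds a threshold. Times are integer milliseconds; the addresses, timings and thresholds are constructed.

```python
"""SYN-flood detection by counting half-open connections (added example).

Replays server-side handshake events: a SYN opens a pending entry per
(src, dst), the final ACK closes it, stale entries expire, and any
destination whose pending count exceeds the threshold is reported.
Addresses, timings and thresholds are constructed for this example.
"""
from collections import defaultdict

HALF_OPEN_THRESHOLD = 50   # pending handshakes per server that trip an alert (assumption)
SYN_TIMEOUT_MS = 5000      # how long a SYN may wait for its ACK (assumption)


def build_sample_events():
    """Constructed events: (time_ms, src, dst, flag); 'S' = SYN in, 'A' = final ACK in."""
    events = []
    for i in range(5):                      # five real clients completing handshakes
        t = i * 1000
        events.append((t, f"198.51.100.{i + 1}", "192.0.2.10", "S"))
        events.append((t + 100, f"198.51.100.{i + 1}", "192.0.2.10", "A"))
    for i in range(80):                     # eighty spoofed sources: SYN only, 25 ms apart
        events.append((10000 + i * 25, f"203.0.113.{i + 1}", "192.0.2.10", "S"))
    events.sort()
    return events


def half_open_peaks(events, timeout_ms=SYN_TIMEOUT_MS):
    """Return {dst: (peak_half_open_count, time_ms_first_reached)}."""
    pending = {}                               # (src, dst) -> time of the SYN
    peaks = defaultdict(lambda: (0, None))
    for t, src, dst, flag in events:
        if flag == "S":
            pending[(src, dst)] = t
        elif flag == "A":
            pending.pop((src, dst), None)      # handshake completed
        expired = [k for k, ts in pending.items() if t - ts > timeout_ms]
        for k in expired:
            del pending[k]                     # the server would have dropped it by now
        count = sum(1 for (_s, d) in pending if d == dst)
        if count > peaks[dst][0]:
            peaks[dst] = (count, t)
    return dict(peaks)


def syn_flood_alerts(events, threshold=HALF_OPEN_THRESHOLD, timeout_ms=SYN_TIMEOUT_MS):
    """Destinations whose half-open connections exceeded the threshold."""
    return {dst: peak for dst, peak in half_open_peaks(events, timeout_ms).items()
            if peak[0] > threshold}


if __name__ == "__main__":
    for dst, (count, t) in syn_flood_alerts(build_sample_events()).items():
        print(f"possible SYN flood against {dst}: {count} half-open at t={t} ms")
```

The second assertion in the test shows the effect of a shorter SYN timeout: with 1 s instead of 5 s the same flood peaks at 41 pending entries rather than 80, which is why lowering the half-open timeout (or using SYN cookies) is a standard mitigation.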

10.3 Botnet
Network of compromised hosts running software that automates tasks through remote
Command&Control.

10.4 DoS Attack Tools


- PHP DoS (DDoS Script written in PHP)
- XOIC (website DoS)
- DDOSIM (Linux tool)
- LOIC (Low Orbit Ion Cannon)
- HULK (HTTP Unbearable Load King)
- Tor’s Hammer (HTTP DoS, it anonymizes the source)

10.5 Detection and Countermeasures


Detection methods:
- Activity profiling → monitoring solution
- Wavelet-based Signal Analysis → detect unknown anomalies
Countermeasures strategies:

- Protect “zombies”
- Neutralize Handlers
- Detect Potential Attacks
- Deflect Attack (honeypots)
- Mitigate Attacks (bandwidth increase during the attack)

- Forensics (after DoS)
- Protect devices from botnet
- Perimeter Security
- Contact ISP
- Hardware (several vendors offer DDoS mitigation appliances)

10.6 DoS Protection Tools


- DDoSDefend
- DOSarrest
- FortGuard DDoS Firewall
- Anti-DDoS Guardian
- DefensePro
- WanGuard

Lesson 11: Session Hijacking

The purpose of session hijacking is to compromise a valid session between a client and
a server (also called TCP session hijacking).
There are many techniques for hijacking: brute force, application level hijacking, MiTM,
predict session ID, session ID replay, reset, blind injection.
These techniques are classified as:
- ACTIVE when the hacker takes over the session; the victim is then “frozen” and
realizes something is wrong;
- PASSIVE when the hacker just watches; the session is recorded and the victim is
unaware of the attack.

These attack techniques are Application-based or Network-based.

11.3 Application level session hijacking

The session IDs are alphanumeric strings (that should be randomly generated) used to
establish a stateful connection. These IDs are typically stored in cookies, in URLs or in
hidden fields. When the ID is compromised, the attacker can gain access to the session.

SESSION REPLAY → it’s reusing a valid session ID to spoof the client


SESSION PREDICTING → the attacker watches IDs looking for patterns and then tries
to predict the next one (that’s why they should be randomly generated). A variation of
this type of attack is brute force, trying many session IDs.

SESSION FIXATION → the attacker uses an established connection with the server and
tries to get the victim to use this connection. In this way the client’s traffic passes
through the attacker.
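Session predicting only works when the IDs carry a pattern, which is the reason given above for generating them randomly. The following is an added example, not code from the course, that makes this concrete from the auditor's side: weak_session_ids() imitates a naive counter-based generator (an assumption about how a poorly written application might issue IDs, not any real product), predict_next() is the pattern check one runs over a sample of issued IDs, and strong_session_ids() shows the fix using Python's secrets module.

```python
"""Session-ID predictability check (added example).

weak_session_ids() is a constructed counter-based generator; predict_next()
is the auditor's check for a constant step between consecutive IDs;
strong_session_ids() is the fix using a CSPRNG.
"""
import secrets


def weak_session_ids(start=4096, n=8):
    """Sequential counter rendered as 8 hex digits (constructed weak generator)."""
    return [format(start + i, "08x") for i in range(n)]


def strong_session_ids(n=8, nbytes=32):
    """CSPRNG-backed tokens: nbytes random bytes, base64url-encoded."""
    return [secrets.token_urlsafe(nbytes) for _ in range(n)]


def predict_next(ids):
    """If the IDs decode to integers with one constant step, return the predicted next ID.

    Returns None when the IDs are not hex or show no constant step, which is
    what a random generator must produce.  Needs at least three samples.
    """
    try:
        values = [int(s, 16) for s in ids]
    except ValueError:
        return None
    steps = {b - a for a, b in zip(values, values[1:])}
    if len(values) >= 3 and len(steps) == 1:
        return format(values[-1] + steps.pop(), f"0{len(ids[-1])}x")
    return None


def audit(ids):
    """Summarise a sample of IDs: predictable?, predicted next, all unique?, shortest length."""
    nxt = predict_next(ids)
    return {
        "predictable": nxt is not None,
        "next": nxt,
        "unique": len(set(ids)) == len(ids),
        "min_length": min(len(s) for s in ids),
    }


if __name__ == "__main__":
    print("counter-based:", audit(weak_session_ids()))
    print("secrets-based:", audit(strong_session_ids()))
```

A constant-step check is deliberately the simplest pattern test; real audits also look at timestamp-derived and PRNG-seeded IDs, but an ID that fails even this check is trivially predictable.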

MAN-IN-THE-MIDDLE attacks (11.4) → the attacker is in between the client and the
server forcing all the traffic through him/her. Man-in-The-Browser is a variation: the
malicious entity is not a separate system, but a client-side program used for capturing
data or inserting scripts into web-pages.

CROSS-SITE ATTACKS (11.5) → in this category we find:


- Cross-Site Scripting (XSS), which exploits a valid existing session to inject
malicious scripts on the client side
- Cross-Site Request Forgery, similar to the previous one but it exploits the
existing session to provide a 3rd-party script.

11.6 Network Level Hijacking

TCP/IP hijacking happens after the second message of the 3-way handshake (SYN,
then SYN-ACK carrying the ISN): the attacker responds to the server instead of the
client with the 3rd message.

RESET or RST hijacking → an RST packet is sent from the server to the client to reset
the connection: the attacker can send this packet to the client, who then
re-authenticates, but with the attacker.
Other attacks with TCP/IP:

UDP hijacking → UDP is connectionless and UDP requests can contain DNS queries.
If the attacker wins the race with the server to respond to a UDP request, he can also
respond to a DNS query with a fake web server.

11.7 Session Hijacking Tools

SURF JACK → hijack HTTP connections to steal cookies (works on both ethernet and
wifi)
COOKIE CATCHER → for Cross-Site Scripting
FIRESHEEP → HTTP sessions hijacking
WHATSUP GOLD ENGINEER TOOL → it’s a network diagnostic tool
ZAPROXY → it’s a penetration testing tool that searches for vulnerabilities on web
applications

Additional tools:

11.8 Hijacking protection

About network security, use secure networks with firewalls, limit incoming connections,
minimize remote access, use HTTPS and not HTTP, send encrypted data, utilize
Certification Authorities.

Lesson 12: Hacking webservers

Why hacking a webserver? → accessible via internet, several attack vectors available,
gain access to user accounts

Web Server vulnerabilities → server setting, poor user security (passwords),


applications, misconfigured security settings, no authentication, unpatched servers,
unnecessary services, poor file/directory permissions

Results of a successful web hack → access to sensitive data and to user account,
defacement of web site, launch secondary attacks, compromise other systems

12.2 Webserver attacks


- DNS attacks → DNS server hijacking attack (redirect web queries to imposter
webservers) and DNS amplification attack (DoS or DDoS)
- HTTP-based attacks → HTTP response splitting attack (insert content into HTTP
header section, this split response into 2 responses) and HTTP cache poisoning
attack (place invalid data within the browser’s cache, so browser queries rogue
web server)
- Other attacks: MitM, phishing, password cracking, SQL injection, Application-
based attack, Misconfiguration of webserver
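HTTP response splitting, listed above, depends on one thing: a CR/LF pair from user input reaching a header line. The following is an added example, not code from the course, with the vulnerable redirect handler beside its hardened form. vulnerable_redirect() copies an attacker-controlled value straight into the Location header; safe_redirect() rejects CR, LF and NUL first, which is the entire fix; count_responses() is the check used to show that the unguarded version emits two responses where one was intended. The redirect target string is constructed for the test.

```python
"""HTTP response-splitting guard (added example).

vulnerable_redirect() is the 'before' handler; safe_redirect() validates
the header value first.  count_responses() counts status lines so the
difference is visible.  The payload string is constructed for the test.
"""

CONTROL_CHARS = ("\r", "\n", "\0")


class HeaderInjection(ValueError):
    """Raised when a header value would break out of its line."""


def safe_header_value(value):
    """Return value unchanged if it carries no line-breaking bytes, else raise."""
    if any(c in value for c in CONTROL_CHARS):
        raise HeaderInjection(f"control character in header value: {value!r}")
    return value


def vulnerable_redirect(location):
    """The 'before' version: the user-controlled value goes straight into the header."""
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n"


def safe_redirect(location):
    """The hardened version: identical output, but the value is validated first."""
    return vulnerable_redirect(safe_header_value(location))


def count_responses(raw):
    """Number of HTTP status lines in the raw text; a split response has more than one."""
    return sum(1 for line in raw.split("\r\n") if line.startswith("HTTP/1.1 "))


def is_rejected(value):
    """True if the guard refuses this header value."""
    try:
        safe_header_value(value)
    except HeaderInjection:
        return True
    return False


# Constructed test input: a redirect target carrying a complete second response
SPLIT_PAYLOAD = ("/home\r\nContent-Length: 0\r\n\r\n"
                 "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nowned")


if __name__ == "__main__":
    print("responses from vulnerable handler:", count_responses(vulnerable_redirect(SPLIT_PAYLOAD)))
    print("guard rejects payload:", is_rejected(SPLIT_PAYLOAD))
```

Most modern frameworks apply exactly this check inside their header-setting API; the vulnerability survives mainly in hand-rolled CGI-style code and in proxies or caches that trust an upstream's raw bytes, which is how the second response ends up poisoning a cache.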

12.3 Attack methodology


Different methods:
- Information gathering:
Some tools →

Footprinting Tools →

- Mirroring:
Tools → wget, HTTrack, rsync, BlackWindow, WebCopier

- Vulnerability Scanning:
Tools → Scan My Server, SUCURI, Detectify, Web Inspector, SiteGuarding

- Session Hijacking:
Techniques → Cross-site scripting, Sidejacking, Fixation, Malware
Examples → Firesheep, WhatsApp sniffer, CookieCadger
Tools → Firesheep, CookieCatcher, Wireshark, Burp Suite, JHijack

- Password Hacking

12.4 Countermeasures
- Maintaining patches
- Securing the Web Server
- Monitor web server for changes (use tool as WebsiteCDS)
- General policies → pay attention to permissions for your files, audit your system
(check the log files), watch session ID tracking, make use of ACLs, try to make your
machine stand-alone, be careful with scripts, have a secure DB

12.5 System patch management
Patching Policies:

Tools to patch your system: GFI LanGuard, Secunia CSI, MaaS360 Patch Analyzer,
Security manager Plus, Prism Suite, Microsoft Baseline Security Analyzer

12.6 Security tools


- Scanners → Nscan, SAINTscanner, N-Stalker
- Compliance → NetIQ, retinaCS
- Testing → WebInspect, W3af

Lesson 13: Hacking Web Applications

Vectors to attack a web application: unvalidated input, form tampering, directory
traversal, misconfiguration, XSS

A web application injection provides attacker with access to “back end” of web
application. There are several types: LDAP, File, XML, XPath, OS Command, HTML
and SQL injection.

Some additional web application attacks: CSRF, DoS, Cookie poisoning, session
poisoning, session fixation, buffer overflow, storage, error handling, transport layer,
redirects, CAPTCHA and Authentication.

Web Application methodology:

- Footprinting and Analyze (13.2 & 13.3)


1) Determine server type → tool: whois
2) Discover web services → tool: DNS interrogation
3) Extract server info → tool: port scanning
4) Discover hidden content (content not accessible via visible web link) →
Discovered by Brute force probe or spidering
5) Footprinting the web server itself → tools: Nessus, HP Webinspect, Acunetix
Web vulnerability scanner

- Authentication process (13.4) → several possible weak spots:

- user account names → an attacker can gather info from the contents of error
messages; be aware of common names, which an attacker can confirm by brute
force (using a username dictionary)
- password → weak spots: password guessing, common passwords, “remember
me”; it’s recommended to change passwords
- cookies → a stolen cookie can provide the user name and password → tools: Burp
Suite, Zed Attack Proxy
- the session itself

- Session process (13.5) → attack methods: token generation (prediction or
tampering) and token handling (session replay, session hijacking and MitM
attack)
- Injection attack
- Data (try to access the DB) (13.6) → web applications often connect to backend DB
software that can contain sensitive data. An attacker gains access to the DB in order
to steal or modify data, or to block access to the DB itself.
Methods:
- connection pool DoS (block the access)
- connection string injection (pass info into the DB connection in order to gain access)
- connection string parameter pollution (modify the existing parameters)
- Client (try to attack the client side)
- Services

13.8 Web application security tools

1) Vulnerability scanners

2) Full audit and testing

3) Other tools: x5s, SPIKE Proxy, Ratproxy, Web Site Security Audit, VampireScan,
N-Stalker

13.10 Penetration testing techniques

1) Probe the system
2) Test the system
3) Probe authentication
4) Session management
5) Test data validation

Lesson 14: SQL injection

SQLi is when the attacker executes malicious SQL statements against your database;
these statements are also called the “malicious payload”.
SQLi attacks are used to:
- Bypass authentication
- Retrieve DB contents
- Modify DB contents
- Deface websites

14.2 Attacks using SQLi

Three categories of attacks:

1st order attacks → the payload is inserted directly and the code is executed immediately
2nd order attacks → the payload is stored in the DB and later executed by another
application
Lateral injection attacks → use of the TO_CHAR() function to inject the payload

Several attack methods:

Tautology → inject conditional statements into parameters so that they evaluate to
“true”. It’s often used to bypass authentication (for example setting user_id and
password to ‘a’ OR ‘1=1’)
Illegal/logically incorrect queries → gain info about the backend DB to use later:
inject illegal queries to produce error messages and find useful info in those
messages
UNION query → inject a UNION command to obtain a second table of data beyond the
legitimate one returned by the first SELECT
Stored procedure → execute procedures stored in the DB (often possible if you know
the DB type). The procedure can be run after the semicolon character: SELECT
legitimate-commands; PROCEDURE
End-of-line comment → at the end of the malicious code add “--” to disable any
legitimate code that follows
Time-based → use WAITFOR statements to determine whether an operation was
successful from the response time
Boolean exploitation → inject statements that evaluate to true or false; the results
tell whether the injection was successful

14.3 Methodology

Steps:
1) Gather information: probe the application for a DB connection, attempt SQLi to
generate errors (from these you can determine the DB engine, functionality,
acceptable commands, data types and structure), insert a string where a number is
expected, try to use UNION statements
2) Launch simple attacks: try UNION statements and stored procedures, try to bypass
logins, blind SQLi
3) Launch advanced attacks: data enumeration, create accounts, gather
passwords, execute OS commands, access the file system

14.4 SQLi tools

SQLmap → detects and exploits injection flaws
SQLninja → used to gain remote access to the DB (it can be integrated with Metasploit)
Safe3 SQL Injector → supports both HTTP and HTTPS and multiple authentication
methods

Other tools:

14.5 SQLi defense methods

- Turn off error messages or use customized ones
- Filter data input
- Monitor all access attempts
- Limit DB account access
- Run operations as a non-privileged user
- Verify all data for size and type
- Reject comments and binary data
- Limit access to sensitive data
- Use hashed passwords in the DB
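The tautology and end-of-line comment payloads from 14.2, run against a login query built by string concatenation and against the parameterized form that the input-filtering advice above should be paired with. This is an added example in Python (sqlite3), not code from the course notes; the users table and the 'alice' account are constructed.

```python
import sqlite3

# Constructed sample database: one user, plaintext password only to keep the demo short.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return con

def login_vulnerable(con, username, password):
    """Builds the statement by string formatting, so quotes in the input become SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return con.execute(sql).fetchone() is not None

def login_parameterized(con, username, password):
    """Same query, but the driver binds the values; input is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone() is not None

# The two payload shapes named in 14.2: tautology and end-of-line comment.
TAUTOLOGY = "' OR '1'='1"     # closes the quote, appends an always-true OR
EOL_COMMENT = "alice'--"      # closes the quote, comments out the password test

def demo():
    """Returns (vulnerable_result, parameterized_result) for each input."""
    con = make_db()
    return {
        "legit": (login_vulnerable(con, "alice", "correct-horse"),
                  login_parameterized(con, "alice", "correct-horse")),
        "tautology": (login_vulnerable(con, "alice", TAUTOLOGY),
                      login_parameterized(con, "alice", TAUTOLOGY)),
        "eol_comment": (login_vulnerable(con, EOL_COMMENT, "wrong"),
                        login_parameterized(con, EOL_COMMENT, "wrong")),
    }

if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:12} vulnerable={vuln}  parameterized={safe}")
```

With binding in place both payloads are compared as literal strings and simply fail the login, which is the whole of the defense.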

14.6 SQLi detection tools

dotDefender, snort, SQLiX Project

Others:

Lesson 15: Hacking Wireless

Wireless Local Area Networks (WLAN) are based on the 802.11 standard.

SSID → is the name of the wireless network
BSS → is the name of the access point

Different security algorithms have been used for WLANs: WEP (not secure), WPA (not
secure), WPA2 (more secure and used today).

15.2 Wireless encryption

WEP is a stream cipher which uses a key and a random 24-bit initialization vector. It’s
very insecure because the number of bits is too low: there is a 50% probability of
repeating the IV within 4096 frames.
It’s very easy to break, but there still exist wireless networks using it.
There is a tool designed to break WEP → Wifite

How to break it:

WPA and WPA2 use block encryption instead and brought a lot of security
improvements.
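The IV-reuse figure quoted for WEP above is the birthday bound on a 24-bit IV space. As an added example, not part of the course notes, the following computes the exact probability that at least one IV value repeats among n captured frames, and the capture size at which a repeat becomes 50% likely.

```python
import math

IV_SPACE = 2 ** 24  # WEP's initialization vector is 24 bits wide

def p_iv_repeat(frames, space=IV_SPACE):
    """Exact birthday-problem probability that at least two of `frames`
    randomly chosen IVs coincide; summed in log space to avoid underflow."""
    if frames > space:          # pigeonhole: a repeat is certain
        return 1.0
    log_no_repeat = 0.0
    for i in range(frames):
        # the i-th frame must miss all i IVs already used
        log_no_repeat += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_repeat)

def frames_for_probability(target, space=IV_SPACE):
    """Smallest capture size at which an IV repeat is at least `target` likely."""
    log_no_repeat, frames = 0.0, 0
    while 1.0 - math.exp(log_no_repeat) < target:
        log_no_repeat += math.log1p(-frames / space)
        frames += 1
    return frames

if __name__ == "__main__":
    print("P(repeat) after 4096 frames: %.3f" % p_iv_repeat(4096))
    print("frames for a 50%% chance:    %d" % frames_for_probability(0.5))
```

The exact count gives roughly a 39% chance at 4096 frames and crosses 50% a few hundred frames later, so 4096 (the square root of 2^24) is the rule-of-thumb form of the same bound; either way a busy network exhausts it in minutes.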

To defend your wireless network:

- Use WPA2 and not WEP
- Use complex passphrases
- Use AES (block cipher)
- Use a higher level of encryption such as IPsec

15.4 Wireless attack methods

Footprinting → it’s basically scanning the air with antennas, searching for available
wireless networks. Several tools give you more detailed information on the channels in
use, frequency, received power etc. (airodump-ng, inSSIDer, NetStumbler, Vistumbler).

MAC spoofing attack → using someone else’s MAC address. It has not much to do with
wireless itself, but on Linux the victim can be impersonated by configuring its MAC
address on the interface (the interface must be down while the address is changed;
aa:bb:cc:dd:ee:ff is a placeholder):
ifconfig wlan0 down
ifconfig wlan0 hw ether aa:bb:cc:dd:ee:ff
ifconfig wlan0 up

Deauthentication attack → deauthenticate a user from the network

Evil Twin attack → a laptop impersonates the AP and then proxies all the traffic

15.5 Bluetooth and Bluejacking

Attacks on Bluetooth are not very common, but they do exist.
These are the attack types:
- BLUEJACKING, sending a message over Bluetooth and gaining info from the
response;
- BLUESNIFF, “watching the air” for Bluetooth data;
- BLUESNARF, stealing info from a device through Bluetooth;
- BLUESMACKING, DoS by sending random packets.

Tools:

15.6 Wireless Attack Defense

- Scan the air for APs (don’t forget you have neighbours!)
- Providers often offer rogue AP detection capabilities
- Change the SSID from the default one, and remember this is not a password
- Change the username/password from the defaults
- Use WPA2 and not WEP
- IPsec for data encryption

15.7 Wireless IPS (WIPS)

Intrusion Prevention Systems for wireless:

Cisco provides “Cisco Adaptive WIPS”
Aruba provides “RFProtect WIPS”

Lesson 16: IDS, Firewalls and Honeypots

Intrusion Detection System → designed to analyze network traffic to discover intruders.
It monitors the activity of users and of the system.
There are 3 components: Network IDS (parses network traffic), Network Node IDS
(similar to NIDS but monitors a single host’s traffic), Host IDS (discovers changes to the
filesystem)
IDS looks for:

How to choose an IDS:

- Identify your security needs and the purpose of the IDS
- Network- or host-based?
- Features - what does it monitor?
Highly rated IDS software:
- Cisco Secure IDS, Snort, AIDE, OSSEC, Check Point

Firewalls → can be hardware- or software-based. A firewall allows or disallows access
to a network or port; it can filter on any information in the network packet header.
Types: packet-filtering, circuit-level, stateful inspection, application-level, multilayer.
How to choose a firewall:
- Hardware or software?
- Info about the vendor (e.g. the support or updates the vendor provides)
- Type of firewall you need
- Features
Highly rated firewalls: Fortinet FortiGate, Cisco ASA, pfSense, Cyberoam UTM,
FireEye, WatchGuard, Sophos UTM, Check Point VSX, Juniper SRX

Honeypot → a system designed to trap would-be attackers. It has no access to other
systems or data (honeynet = many honeypots in the same network).
How to choose a honeypot:
- Determine the purpose of your honeypot
- Features
Highly rated honeypots:
- HoneyBOT (Windows-based)
- LaBrea (multiple platforms)
- Google Hack Honeypot (multiple platforms, protects against social engineering
attacks)
- Kojoney (multiple platforms, written in Python)
- CONPOT (multiple platforms, Python-based)

16.5 Evading IDS and Firewalls

There are 3 techniques to evade an IDS:
- Payload obfuscation → designed to confuse the IDS and hide the payload.
3 methods: encoding, encryption, polymorphism
- Insertion / evasion → the IDS doesn’t recognize packets as malicious.
Techniques: protocol ambiguities, low-bandwidth (Time-To-Live), fragmentation
(session splicing), overlapping fragments.
- DoS → if the IDS is discovered, a DoS attack can prevent it from doing its job.
Techniques: operator DoS, CPU DoS, memory DoS

You should know your firewall very well!

Techniques to identify the firewall type:
- Port scanning
- Firewalking
- Banner output
Techniques to evade firewalls:
- Tunneling
- Changing the source
- Other: MitM, have a user initiate the connection, discover firewall “holes”

16.5 Evading IDS and Firewalls tools

Port scanner tools: nmap, SuperScan, Angry IP Scanner, Unicornscan
Tunneling tools: HTTPort, Super Network Tunnel, HTTP-Tunnel, Bitvise, AckCmd, Loki
ICMP Tunneling
Packet fragmentation tools: NetScanTools, fping, pktgen, MGEN, hping3, Packet
Generator

16.6 Detecting Honeypots

Honeypots are hard to discover, so:
- easy to “break into” → “honeypot”
- too many open ports = suspicious.
You should be aware of how different honeypot software works, use detection tools
(Nessus or check lists of proxies) and look for unusual responses.

Lesson 17: Cloud Computing

On-demand delivery of hosted IT resources via the Internet.

There are several types:

And different models: Public, Private and Hybrid.

One of the most popular cloud computing platforms is Amazon Web Services.
Other providers:
- Microsoft Azure
- Google Compute Engine
- IBM Cloud
- DigitalOcean
- VMware vCloud

17.3 Detection
How does an attacker know if the target is hosted in a public cloud?
- DNS names can reveal use of a public cloud
- IP addresses of cloud providers are registered (use ARIN to gather info)

Lesson 18: Cryptography

Cryptography is the practice of securing messages.

It is based on:
- Confidentiality: only the intended recipients can read the message
- Authentication: the sender is who they say they are
- Integrity: the message hasn’t been modified
There are 2 encryption types:
- Symmetric key (a single key for both encryption and decryption)
- Asymmetric key (2 keys: a public key to encrypt and a private key to decrypt)

18.2 Algorithms
Cryptographic algorithms use very complex math where the main goal is having a
good cipher for encryption and decryption. A block cipher works on blocks (or chunks)
of data, while a stream cipher operates on a stream of data.

Some of the most popular algorithms:

- DES (Data Encryption Standard) → a symmetric key algorithm that uses a block
cipher with 64-bit blocks and a 56-bit key (short and insecure for today);
- 3DES → applies DES 3 times with 3 different keys (more secure);
- AES (Advanced Encryption Standard) → a symmetric key algorithm that uses a
block cipher with 128-bit blocks and multiple key lengths (more secure);
- RC (Rivest Cipher) → RC6 was a finalist in the AES competition and it’s widely used
today;
- RSA → the asymmetric key algorithm;
- Hash functions → functions that compress an input into a fixed-size, random-looking
output, also called a digest. The output must be different for different inputs, and
from the output it must be computationally hard to reverse the function and find out
which input produced it. Popular hash functions are MD5 (produces a 128-bit hash
value using 512-bit blocks) and SHA (160-bit digest and a block size of 512 bits;
today SHA-2 and SHA-3 are used).

18.3 Tools
Advanced Encryption Package 2016 is a good tool for encryption.
In Linux, you can generate a hash of file contents with the md5sum, sha1sum and
sha256sum commands.
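A minimal version of the filesystem-change check that a host IDS such as AIDE (Lesson 16) or a web-server change monitor (12.4) performs, built on the same SHA-256 digest that sha256sum prints. This is an added example, not code from the course; the baseline and current web-root contents are constructed, and snapshot_dir is the on-disk variant of the same baseline.

```python
import hashlib
import os

def sha256_hex(data):
    """Hex digest of a byte string, identical to what `sha256sum` prints for a file."""
    return hashlib.sha256(data).hexdigest()

def snapshot(files):
    """Baseline of an in-memory tree: relative path -> SHA-256 of its content."""
    return {path: sha256_hex(content) for path, content in files.items()}

def snapshot_dir(root):
    """Same baseline taken from a real directory tree (the on-disk variant)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return snapshot(files)

def compare(baseline, current):
    """What a host IDS reports between two runs: new, deleted and altered files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

# Constructed sample web root: the trusted baseline and the state found later.
BASELINE_FILES = {
    "index.html": b"<h1>Welcome</h1>",
    "css/site.css": b"body { color: #333; }",
    "robots.txt": b"User-agent: *\nDisallow: /admin/\n",
}
CURRENT_FILES = {
    "index.html": b"<h1>Defaced</h1>",              # content changed
    "css/site.css": b"body { color: #333; }",       # untouched
    "uploads/unexpected.php": b"<?php echo 1; ?>",  # never part of the baseline
}                                                   # robots.txt has been deleted

def demo():
    return compare(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Store the baseline off-host (or at least read-only), since an attacker who can rewrite the web root can usually rewrite a baseline kept beside it.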
Other tools:

18.4 Public Key Infrastructure
The goal of PKI is to create and manage certificates used for authentication.
The PKI components are:
- Certification Authority → the certificate issuer;
- Registration Authority → accepts the certificate request and validates the identity
of the requester;
- Certificate → issued by the CA, with its authenticity validated; it’s tied to a
private/public key pair;
- Users → the certificate holders.

18.7 Attacks against cryptography

18.8 Cryptanalysis tools

CrypTool 2 (CT2) is an open-source tool for cryptanalysis.
Other tools:
