CEH V9 Notes - Grok Designs

Uploaded by: Josiah Pursley

CEH Certification Notes

Table of Contents
Module 1: Introduction to Ethical Hacking
Module 2: Footprinting and Reconnaissance
Module 3: Scanning Networks
Module 4: Enumeration
Module 5: System Hacking
Module 6: Malware Threats
Module 7: Sniffing
Module 8: Social Engineering
Module 9: Denial of Service
Module 10: Session Hijacking
Module 11: Hacking Web Servers
Module 12: Hacking Web Applications
Module 13: SQL Injection
Module 14: Hacking Wireless Networks
Module 15: Hacking Mobile Platforms
Module 16: Evading IDS, Firewalls, and Honeypots
Module 17: Cloud Computing
Module 18: Cryptography
Post Module: Extra Resources

Module 1: Introduction to Ethical Hacking

Information Security Overview

Terminology
- Hack Value: Notion among hackers that something is worth doing or interesting
- Vulnerability: Existence of a weakness, design, or implementation error that can lead to an unexpected event compromising the security of the system
- Exploit: A breach of IT system security through vulnerabilities
- Payload: Part of an exploit code that performs the intended malicious action
- Zero-Day Attack: An attack that exploits an application vulnerability before the software developer releases a patch for it
- Daisy Chaining: Gaining access to one network and/or computer and then using the same information to gain access to multiple networks and computers that contain desirable information
- Doxing: Publishing personally identifiable information
- Bot: Software application that can be controlled remotely to execute or automate pre-defined tasks

Elements of Information Security
- Non-Repudiation: Sender of a message cannot later deny having sent the message
- Confidentiality: Only authorized users are able to view content
- Integrity: Trustworthiness of data or a resource; prevention of unauthorized changes
- Availability: Assurance that systems are accessible
- Authenticity: The quality of being genuine

Information Security Threats and Attack Vectors
- Cloud computing: On-demand delivery of IT capabilities that also stores customer data; it must be secured
- Advanced Persistent Threats: APTs focus on stealing information from the victim machine without the user being aware
- Viruses and Worms: Capable of infecting a network within seconds
- Mobile Threats: Many attackers see the mobile phone as a way to gain access
- Botnet: Huge network of compromised systems
- Insider Attack: An attack performed on a corporate network by a trusted person with access
- Threat categories: Network Threats, Host Threats, Application Threats
- Types of Attacks: OS Attacks, Misconfiguration Attacks, Application-Level Attacks, Shrink-Wrap Code Attacks

Hacking Concepts, Types, and Phases

Hacking: Exploiting system vulnerabilities and compromising security

Five Phases of Hacking: Reconnaissance, Scanning, Gaining Access, Maintaining Access, Clearing Tracks
- Reconnaissance: Preparation phase in which the attacker gathers information. Passive reconnaissance does not directly interact with the target system and relies on social engineering and public information; active reconnaissance probes the target directly
- Scanning: Identify specific vulnerabilities (in-depth probing). Port scanners detect listening ports (companies should shut down ports that are not required)
- Gaining Access: Exploiting the vulnerabilities identified during reconnaissance and scanning [DoS, logic/time exploits, reconfiguring or crashing the system]
- Maintaining Access: Keeping a low profile, keeping the system as a launch pad for further attacks, etc.
- Clearing Tracks: Hiding malicious acts while continuing to have access, avoiding suspicion

Ethical Hacking Concepts and Scope
- Ethical Hacking: Using the same tools and techniques as an attacker to identify vulnerabilities, with permission

Information Security Controls
- Information Assurance: Assurance of the integrity, availability, confidentiality, and authenticity of information
- Threat Modeling: Risk assessment approach for analyzing the security of an application
  1) Identify Security Objectives
  2) Application Overview
  3) Decompose Application
  4) Identify Threats
  5) Identify Vulnerabilities
- Network Security Zoning (least trusted to most trusted): Internet Zone - Internet DMZ - Production Network Zone - Intranet Zone - Management Network Zone
- Security policies are the foundation of the security infrastructure. An information security policy defines the basic requirements and rules to be implemented in order to protect and secure the organization's information systems
- 4 types of security policies: Promiscuous Policy (no restrictions), Permissive Policy (blocks only what is known to be dangerous), Prudent Policy (blocks everything except what is explicitly needed), Paranoid Policy (blocks nearly everything)
- Incident Management: Set of defined processes to identify, analyze, prioritize, and resolve security incidents
- Types of Vulnerability Assessments: Active, Passive, Host-Based, Internal, External, Application, Network, Wireless Network
- Methodology of Assessment: Acquisition - Identification - Analyzing - Evaluation - Reports
- Penetration Testing: Simulating an attack to find out which vulnerabilities can actually be exploited
- Blue Team: Detect and mitigate
- Red Team: Attack with limited access, with or without warning

- Types of Pen Test: black-box (no prior knowledge), white-box (complete knowledge), grey-box (limited knowledge)
- Many open source security testing methodologies exist (OWASP, NIST, etc.)

Information Security Laws & Standards
- Payment Card Industry Data Security Standard (PCI-DSS): Payment card systems
- Sarbanes-Oxley Act (SOX): Protects investors and the public by increasing the reliability of corporate disclosures

Module 2: Footprinting and Reconnaissance

Sections
1. Footprinting Concepts
2. Footprinting Methodology
3. Footprinting Tools
4. Footprinting Countermeasures
5. Footprinting Penetration Testing

Footprinting Concepts
- Footprinting is the process of collecting as much information as possible about a target network
- Footprinting Threats: social engineering, system and network attacks, information leakage, privacy loss, corporate espionage, business loss

Footprinting Methodology
1. Footprinting through search engines
   a. Google, Netcraft (restricted URLs, determine OS), SHODAN search engine, Google Maps, Google Finance, etc.
2. Footprinting using advanced Google hacking techniques
   a. Using advanced search operators to locate specific strings of text within search results (finding vulnerable targets); Google Hacking Database (GHDB)
3. Footprinting through social networking sites
   a. Fake identities of co-workers, finding personal information, tracking their groups, etc. (Facebook, Twitter, LinkedIn)
4. Website Footprinting
   a. Looking at system information from websites, personal information, examining HTML source comments, web spiders, archive.org, mirroring sites, etc.
5. Email Footprinting
   a. Email tracking can reveal the recipient's IP address, geolocation, whether and when the email was received and read, read duration, proxy detection, links clicked, OS and browser info, and whether the email was forwarded
6. Competitive Intelligence
   a. Competitive intelligence gathering is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from sources such as the internet (monitoring web traffic, etc.)
   b. Non-interfering and subtle in nature
   c. This method is legal
7. WHOIS Footprinting
   a. WHOIS databases are maintained by the Regional Internet Registries (IP address allocations) and by domain registries and registrars (domain registrations); they contain contact information for the owners of IP blocks and domains
8. DNS Footprinting
   a. Attacker gathers DNS records (A, MX, NS, etc.) to determine key hosts in the network
9. Network Footprinting
   a. Network range information assists attackers in creating a map of the target network
   b. Find the range of IP addresses using the ARIN WHOIS database search
   c. Traceroute programs use the TTL field of the IP header: each probe is sent with an increasing TTL, and the router that decrements the TTL to zero returns an ICMP Time Exceeded message, revealing one hop on the path to the target host
10. Footprinting through Social Engineering
    a. Art of exploiting human behaviour to extract confidential information

    b. Social engineers depend on the fact that people are unaware of the value of the information they hold

Footprinting Tools
- Maltego, Recon-ng (web reconnaissance framework)

Footprinting Countermeasures
a. Restrict employees' access to social networking sites from the corporate network
b. Configure web servers to avoid information leakage
c. Educate employees to use pseudonyms
d. Limit the amount of information that you publish
e. Use footprinting techniques against your own organization to discover and remove sensitive information
f. Use anonymous registration services
g. Enforce security policies

Footprinting Penetration Testing
a. Footprinting pen testing is used to determine the organization's publicly available information
b. Tester attempts to gather as much information as possible from the internet and other publicly accessible sources
c. Define the scope, then use footprinting search engines
d. Report templates

Module 3: Scanning Networks

Module Objectives
- Overview of Network Scanning
- Understanding different techniques to check for live systems
- Understanding different techniques to check for open ports
- Understanding various scanning techniques
- Understanding various IDS evasion techniques
- Understanding banner grabbing
- Overview of vulnerability scanning
- Drawing network diagrams
- Using proxies and anonymizers for attack
- Understanding IP spoofing and various detection techniques
- Overview of Scanning Pen Testing

Overview of Network Scanning
- Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network
- Network scanning is one of the components of intelligence gathering that an attacker uses to create a profile of the target organization
- Types of scanning
  i. Port scanning (lists the open ports and services)
  ii. Network scanning (lists IP addresses)
  iii. Vulnerability scanning (shows presence of known weaknesses)

TCP Communication Flags (control the transmission of data)
1. URG (Urgent): Data contained in the packet should be processed immediately
2. PSH (Push): Sends all buffered data immediately
3. FIN (Finish): There will be no more transmissions
4. ACK (Acknowledgement): Acknowledges receipt of a packet
5. RST (Reset): Resets a connection
6. SYN (Synchronize): Initiates a connection between hosts
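Added example (not from these notes): a small scanner that puts the flag semantics above to work. It performs a real TCP connect scan against a throwaway listener it starts itself on 127.0.0.1, so it runs offline and without root, and it encodes the response rules the scanning methodology below relies on (SYN, FIN/NULL/Xmas, ACK, UDP and idle-scan IP ID inference) in plain functions so they can be read and tested without crafting raw packets. All function names, the listener and the sample CIDR are this example's own assumptions.

```python
import ipaddress
import socket
import threading
from typing import Optional


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Bind a TCP listener on an ephemeral port to play the role of an open port
    (constructed target for the demo). Accepts in a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()   # the kernel already completed the handshake
                conn.close()
            except OSError:
                break                    # listener closed

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port nobody is listening on, to play the role of a closed port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def hosts_in(cidr: str) -> list:
    """Expand a CIDR into the addresses a ping sweep or port scan would walk
    (network and broadcast addresses excluded), as a subnet calculator does."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect scan: the OS completes the three-way handshake, then we tear
    it down. connect() succeeding means a SYN/ACK came back (open); connection
    refused means a RST came back (closed); a timeout means nothing answered
    (filtered). Needs no privileges, but every probe is a real connection and
    shows up in the target's application logs."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError:                  # includes socket.timeout
            results[port] = "filtered"
        finally:
            s.close()
    return results


def classify(scan: str, response: Optional[str]) -> str:
    """Port state inferred from the reply to a single crafted probe.

    scan:     'syn' | 'fin' | 'null' | 'xmas' | 'ack' | 'udp'
    response: 'syn-ack' | 'rst' | 'icmp-unreach' | None (no reply)"""
    if scan == "syn":
        return {"syn-ack": "open", "rst": "closed"}.get(response, "filtered")
    if scan in ("fin", "null", "xmas"):
        # Inverse flag scans rely on RFC 793: a closed port answers RST, an open
        # port stays silent. Silence is therefore ambiguous (open, or dropped by
        # a filter), and Windows answers RST either way, so they learn nothing there.
        return "closed" if response == "rst" else "open|filtered"
    if scan == "ack":
        # An ACK probe never reveals open/closed, only whether a stateful
        # filter sits in front of the port.
        return "unfiltered" if response == "rst" else "filtered"
    if scan == "udp":
        return "closed" if response == "icmp-unreach" else "open|filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def idle_scan_state(ipid_before: int, ipid_after: int) -> str:
    """Idle scan inference. The zombie's IP ID is sampled before and after a SYN
    is sent to the target with the zombie's spoofed source address. The probe
    itself costs +1; if the target answered SYN/ACK the zombie also sent a RST
    to it, giving +2. Any other delta means the zombie is not idle enough."""
    delta = (ipid_after - ipid_before) & 0xFFFF
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable-zombie"


if __name__ == "__main__":
    listener = start_listener()
    open_port = listener.getsockname()[1]
    print("sweep list:", hosts_in("192.0.2.0/29"))
    print(connect_scan("127.0.0.1", [open_port, free_port()]))
    listener.close()
```

The connect scan is the noisy option: each probe completes a handshake the target logs. The other scan types in classify() need raw sockets (root) and are what nmap does with -sS, -sF/-sN/-sX, -sA and -sU; the function only encodes how their answers are interpreted.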

CEH Scanning Methodology

1. Check for live systems
   a. ICMP scanning: a ping scan sends an ICMP ECHO request to a host. If the host is live, it returns an ICMP ECHO reply
   b. Useful for locating active devices and for checking whether ICMP is passing through the firewall
   c. Ping sweep is used to determine the live hosts from a range of IP addresses
   d. Attackers work out the address range to sweep from the subnet mask (subnet mask calculators)
   e. Attackers then use the ping sweep to create an inventory of live systems in the subnet

2. Check for open ports
   a. Simple Service Discovery Protocol (SSDP) works in conjunction with UPnP to detect plug-and-play devices on a network
   b. Vulnerabilities in UPnP may allow attackers to launch buffer overflow or DoS attacks
   c. Brute-force scanning of IPv6 networks is computationally far less feasible because of the larger search space (128-bit addresses)
   d. Network admins use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime
   e. Attackers use Nmap to extract information such as live hosts on the network, services, the type of packet filters/firewalls, operating systems and OS versions
   f. Hping2/Hping3: command-line network scanning and packet crafting tools for the TCP/IP protocol
      i. Can be used for network security auditing and firewall testing
   g. TCP connect scan detects an open port by completing the three-way handshake
      i. It establishes a full connection and then tears it down by sending a RST packet
      ii. It does not require superuser privileges (it uses the OS connect() call rather than raw packets), but the completed connection is visible in the target's logs
   h. Inverse TCP flag scans: attackers send TCP probe packets with the FIN, URG, and/or PSH flags set, or with no flags at all (NULL scan). No response means the port is open (or filtered); a RST means the port is closed
      i. In a Xmas scan, attackers send a TCP frame to the remote device with the FIN, URG, and PSH flags set
         - Relies on RFC 793 behaviour and will not work against any current version of Microsoft Windows, which answers with a RST whether the port is open or closed
   j. Attackers send an ACK probe packet with a random sequence number: no response means the port is filtered (a stateful firewall is present), and a RST response means the port is unfiltered
   k. A port is considered open if an application is listening on it
      i. Most web servers listen on port 80 and mail servers on port 25
      ii. One way to determine whether a port is open is to send a SYN (session establishment) packet to the port

         The target machine then sends back a SYN/ACK if the port is open and a RST if the port is closed (a SYN scan answers the SYN/ACK with a RST instead of completing the handshake, hence "half-open" scan)
      iii. IDLE scan
         1. Uses a zombie host: a machine that assigns IP ID values incrementally and is otherwise idle
         2. The attacker reads the zombie's IP ID, sends a SYN to the target with the zombie's address spoofed as the source, then reads the zombie's IP ID again. If the target port is open it sends SYN/ACK to the zombie, which replies with a RST (IP ID advances by 2); if closed, the target sends a RST that the zombie ignores (IP ID advances by 1). The target only ever sees the zombie's address
   l. UDP scanning: there is no three-way handshake for UDP. When a UDP port is open, the system does not respond, so "no reply" means open or filtered. When the UDP port is closed, the system responds with an ICMP Port Unreachable message. Spyware, Trojan horses, and other applications use UDP ports
   m. There are port scanners for mobile platforms as well
   n. Port scanning countermeasures
      i. Configure firewall and IDS rules to detect and block probes
      ii. Run port scanning tools against your own hosts to determine whether the firewall properly detects port scanning activity
      iii. Ensure the mechanisms used for routing and filtering at the routers and firewalls cannot be bypassed
      iv. Ensure the router, IDS, and firewall firmware are updated
      v. Use a custom rule set to lock down the network and block unwanted ports
      vi. Filter all ICMP messages at the firewalls and routers
      vii. Perform TCP and UDP scanning yourself
      viii. Ensure that anti-scanning and anti-spoofing rules are configured

3. Scanning beyond IDS
   a. Evasion techniques: fragmented IP packets, spoofing the source IP address, source routing, connecting through proxy servers
   b. Lower the frequency of packets, split probes into parts

4. Banner grabbing
   a. An attacker uses banner grabbing techniques to identify network hosts running versions of applications and OSs with known exploits
   b. Banner grabbing or OS fingerprinting is the method of determining the operating system running on a remote target system. There are two types
      i. Active banner grabbing: specially crafted packets are sent to the remote OS and the responses are noted, then compared with a database to determine the OS
      ii. Passive banner grabbing: sniffing the network traffic; banner grabbing from error messages, and banner grabbing from page extensions (stealthy)
   c. Identifying the OS allows an attacker to figure out the vulnerabilities present on the remote target system
   d. Tools like Netcat read and write data across network connections and can be used to pull a service banner by hand
   e. Countermeasures for banner grabbing
      i. Display false banners
      ii. Turn off unnecessary services
      iii. Use ServerMask
      iv. Hide file extensions from web pages

5. Scan for vulnerabilities
   a. Vulnerability scanning identifies vulnerabilities and weaknesses of a system
   b. Nessus is a vulnerability and configuration assessment product

6. Draw network diagrams
   a. A network diagram helps in analyzing the complete network topology
   b. Drawing the target's network diagram shows the logical or physical path to a potential target; it shows the network and its architecture to the attacker

7. Prepare proxies
   a. Proxy servers serve as an intermediary for connecting with other computers
      i. Hides the source IP
      ii. Chain multiple proxies to avoid detection
   b. Many attackers use proxies to hide their identity so they cannot be traced; the target's logs record the proxy's address rather than the attacker's
   c. Burp Suite includes an intercepting proxy, which lets you inspect and modify traffic between your browser and the target app. Popular
   d. Anonymizers remove all identifying information from a user's computer while the user surfs the internet
   e. Tails is a live operating system that a user can start on any computer from a DVD, USB stick, or SD card
   f. Hping2/Hping3 can be used for IP spoofing
   g. IP spoofing countermeasures

      i. Encrypt all network traffic
      ii. Use multiple firewalls
      iii. Do not rely on IP-based authentication
      iv. Use random initial sequence numbers
      v. Ingress filtering: use routers and firewalls at the network perimeter to filter incoming packets that appear to come from an internal IP address
      vi. Egress filtering: filter all outgoing packets with an invalid local IP address as the source address

8. Scanning pen testing
   a. Pen testing a network determines the network's security posture by identifying live systems, discovering open ports, associating services, and grabbing system banners to simulate a network hacking attempt
   b. How to conduct a pen test of a target network
      i. Host discovery: detect live hosts on the target network. It is difficult to detect live hosts behind a firewall (Nmap, Angry IP Scanner, Colasoft)
      ii. Port scanning: check for open ports (Nmap, NetScan)
      iii. Banner grabbing or OS fingerprinting: determine the OS running on the target host
      iv. Scan the network for vulnerabilities (Nessus)
      v. Draw network diagrams that help you understand the logical connections
      vi. Prepare proxies: hide yourself from detection
      vii. Document all findings

Module 4: Enumeration

Module Objectives
- Understanding enumeration concepts
- Understanding different techniques for NetBIOS enumeration
- Understanding different techniques for SNMP enumeration
- Understanding different techniques for LDAP enumeration
- Understanding different techniques for NTP enumeration
- Understanding different techniques for SMTP and DNS enumeration
- Enumeration countermeasures
- Overview of enumeration pen testing

Enumeration Concepts
- In the enumeration phase, the attacker creates active connections to the system and performs directed queries to gain more information
- Uses this information to identify system attack points and perform password attacks
- Typically conducted from inside the network (intranet environment)
- Techniques for enumeration
  - Extract user names using email IDs
  - Extract user names using SNMP
  - Extract user groups from Windows
  - Extract information using default passwords
  - Brute force Active Directory
  - Extract information using DNS zone transfer
- Popular ports to enumerate
  - TCP/UDP 53: DNS (zone transfers run over TCP)
  - TCP/UDP 135: Microsoft RPC Endpoint Mapper
  - UDP 137: NetBIOS Name Service (NBNS)
  - TCP 139: SMB over NetBIOS
  - TCP/UDP 445: SMB over TCP (direct host)
  - UDP 161: Simple Network Management Protocol (SNMP)
  - TCP/UDP 389: Lightweight Directory Access Protocol (LDAP)
  - TCP/UDP 3268: Global Catalog Service
  - TCP 25: Simple Mail Transfer Protocol (SMTP)
  - TCP/UDP 162: SNMP Trap

NetBIOS Enumeration
- A NetBIOS name is a unique 16-byte ASCII string used to identify network devices: the first 15 characters are the device name (space padded) and the 16th byte is reserved for the service or name record type (the suffix, e.g. <00> workstation, <20> file server)
- The nbtstat utility displays NetBIOS over TCP/IP protocol statistics and NetBIOS name tables/cache (nbtstat -A <ip> queries a remote host's name table)
- The net view utility is used to obtain a list of all the shared resources of a remote host or workgroup
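Added example (not from these notes): the 16-byte NetBIOS name format described above, encoded the way NBNS (UDP 137) carries it, the NBSTAT "node status" query that nbtstat -A and nmblookup -A send, and a parser for the name table in the reply. The reply bytes used for the demo are constructed here rather than captured from a real host, and the suffix table and helper names are this example's own; send_nbstat() is the only part that touches the network and is not exercised by the demo.

```python
import socket
import struct

# Name suffixes (the 16th byte) a tester looks for in a node status table.
SUFFIXES = {0x00: "workstation / domain name", 0x03: "messenger",
            0x1B: "domain master browser", 0x1C: "domain controllers",
            0x1D: "master browser", 0x20: "file server"}


def netbios_name(name: str, suffix: int, pad: bytes = b" ") -> bytes:
    """Build the 16-byte name: up to 15 chars (upper-cased, padded) + suffix byte."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    return raw.ljust(15, pad) + bytes([suffix])


def first_level_encode(name16: bytes) -> str:
    """RFC 1001 'first level' encoding: every nibble becomes 'A' + nibble, so
    the 16 bytes turn into 32 letters A-P that fit a DNS-style label."""
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in name16)


def first_level_decode(label: str) -> bytes:
    """Inverse of first_level_encode()."""
    if len(label) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    n = [ord(c) - 0x41 for c in label]
    return bytes((n[i] << 4) | n[i + 1] for i in range(0, 32, 2))


def nbstat_query(txid: int = 0x1234) -> bytes:
    """NBSTAT query for the wildcard name '*' (padded with NUL bytes, not spaces).
    Header: ID, flags, QDCOUNT=1, then one question of type 0x0021 class IN."""
    wildcard = first_level_encode(netbios_name("*", 0x00, pad=b"\x00")).encode("ascii")
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + bytes([32]) + wildcard + b"\x00" + struct.pack("!HH", 0x0021, 0x0001)


def parse_node_status(reply: bytes) -> list:
    """Return (name, suffix, is_group) for each entry in a node status reply."""
    _txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if an < 1:
        return []
    off = 12 + 34                       # skip the answer's encoded name (1 + 32 + 1)
    rr_type, _cls, _ttl, _rdlen = struct.unpack("!HHIH", reply[off:off + 10])
    off += 10
    if rr_type != 0x0021:
        raise ValueError("not an NBSTAT answer")
    num_names, off = reply[off], off + 1
    names = []
    for _ in range(num_names):          # 18 bytes each: 15 name + suffix + 2 flags
        entry, off = reply[off:off + 18], off + 18
        name = entry[:15].rstrip(b" \x00").decode("ascii", "replace")
        flags = struct.unpack("!H", entry[16:18])[0]
        names.append((name, entry[15], bool(flags & 0x8000)))   # 0x8000 = group name
    return names


def build_sample_reply(txid: int = 0x1234) -> bytes:
    """Constructed node status reply (three names) for the offline demo.
    Flags 0x0400 = active unique name, 0x8400 = active group name."""
    entries = [(netbios_name("HOST1", 0x00), 0x0400),
               (netbios_name("HOST1", 0x20), 0x0400),
               (netbios_name("WORKGROUP", 0x00), 0x8400)]
    rdata = bytes([len(entries)])
    for name16, flags in entries:
        rdata += name16 + struct.pack("!H", flags)
    rdata += b"\x00" * 6                # unit ID (MAC); real replies add statistics
    header = struct.pack("!HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    wildcard = first_level_encode(netbios_name("*", 0x00, pad=b"\x00")).encode("ascii")
    rr = bytes([32]) + wildcard + b"\x00" + struct.pack("!HHIH", 0x0021, 0x0001, 0, len(rdata))
    return header + rr + rdata


def send_nbstat(host: str, timeout: float = 2.0) -> list:
    """Live query to a real host on UDP 137 (needs network; not used by the demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.sendto(nbstat_query(), (host, 137))
        data, _ = s.recvfrom(4096)
    finally:
        s.close()
    return parse_node_status(data)


if __name__ == "__main__":
    for name, suffix, group in parse_node_status(build_sample_reply()):
        kind = "GROUP " if group else "UNIQUE"
        print(f"{name:<15} <{suffix:02X}> {kind} {SUFFIXES.get(suffix, '?')}")
```

The encoded wildcard name "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" is what shows up in every nbtstat -A capture; a group name with the <00> suffix is the workgroup or domain, while unique <00> and <20> entries are the host's workstation and file server services.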

SNMP Enumeration (Simple Network Management Protocol enumeration)
- SNMP enumeration is the process of enumerating user accounts and devices on a target system using SNMP
- SNMP consists of a manager and agents. Agents are embedded in every managed network device; the manager is installed on a separate computer
- SNMPv1/v2c use two community strings as passwords: a read-only string (default "public") and a read/write string (default "private")
- Attackers use the default community strings to extract information about network resources such as hosts, routers, devices, and shares
- Management Information Base (MIB): a virtual database containing the formal description of all the network objects managed using SNMP

LDAP Enumeration
- LDAP is an internet protocol for accessing distributed directory services
- Attacker queries the LDAP service to gather information such as valid user names, addresses, departmental details, etc.

NTP Enumeration
- Network Time Protocol (NTP) is designed to synchronize the clocks of networked computers
- Uses UDP port 123
- Can be used to find important information on a network, such as the hosts that synchronize with the NTP server
- Can use Nmap, Wireshark

SMTP and DNS Enumeration
- SMTP has three built-in commands that are useful for enumeration
  - VRFY: Validates a user
  - EXPN: Tells the actual delivery addresses of aliases and mailing lists
  - RCPT TO: Defines the recipients of the message
- SMTP servers respond differently to these commands for valid and invalid users (typically 250 for a known name, 550 for an unknown one)
- Attackers can interact with SMTP directly via a telnet prompt and collect a list of valid users on the SMTP server

Enumeration Countermeasures
- SNMP countermeasures
  - Remove the SNMP agent or turn off the SNMP service (block UDP 161)
  - Change the default community string names
  - Upgrade to SNMPv3, which encrypts passwords and messages
  - Implement the Group Policy security option "Additional restrictions for anonymous connections"
  - Ensure that access to null session pipes, null session shares, and IPsec filtering is restricted
- DNS countermeasures
  - Disable
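Added example (not from these notes): SMTP user enumeration over the three commands listed above, in the fallback order a tester actually uses: VRFY first, EXPN for aliases and lists, and RCPT TO when the server refuses to verify (a 252 reply, the common case on a hardened MTA). To run offline the script starts its own tiny SMTP responder on 127.0.0.1; its user list, alias and reply texts are constructed for the demo and the function names are this example's own. enumerate_users() works unchanged against a real host and port.

```python
import socket
import socketserver
import threading

# Constructed directory for the fake MTA: three mailboxes and one alias.
FAKE_USERS = {"root", "alice", "postmaster"}
FAKE_ALIASES = {"admins": ["alice@example.test", "root@example.test"]}


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Answers like a talkative MTA: 250 for a known name, 550 for unknown.
    With server.allow_vrfy False it answers VRFY with 252 like a hardened MTA."""

    def reply(self, line):
        self.wfile.write((line + "\r\n").encode())

    def handle(self):
        self.reply("220 mail.example.test ESMTP (constructed)")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO", "MAIL", "RSET"):
                self.reply("250 OK")
            elif verb == "VRFY":
                if not self.server.allow_vrfy:
                    self.reply("252 Cannot VRFY user, but will accept message and attempt delivery")
                elif arg in FAKE_USERS:
                    self.reply(f"250 {arg} <{arg}@example.test>")
                else:
                    self.reply(f"550 {arg}... User unknown")
            elif verb == "EXPN":
                members = FAKE_ALIASES.get(arg)
                if members:
                    for m in members[:-1]:
                        self.reply(f"250-<{m}>")          # continuation lines
                    self.reply(f"250 <{members[-1]}>")
                else:
                    self.reply(f"550 {arg}... User unknown")
            elif verb == "RCPT":
                user = arg.split(":", 1)[-1].strip(" <>").split("@")[0]
                self.reply("250 OK" if user in FAKE_USERS else "550 No such user here")
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("500 Command not recognized")


class FakeSMTPServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True
    allow_vrfy = True


def start_fake_server(allow_vrfy=True):
    srv = FakeSMTPServer(("127.0.0.1", 0), FakeSMTPHandler)
    srv.allow_vrfy = allow_vrfy
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def read_reply(f):
    """Read one SMTP reply, joining '250-' continuation lines; [:3] is the code."""
    lines = []
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "\n".join(lines)


def enumerate_users(host, port, candidates, domain="example.test"):
    """Return {name: command that confirmed it} for every confirmed candidate.

    VRFY: 250 yes, 550 no, 252 refuses to say. EXPN is always tried because it
    is the only command that exposes aliases and lists. RCPT TO is the last
    resort when VRFY was refused; it needs a MAIL FROM first and is followed by
    RSET so no message is ever delivered."""
    found = {}
    s = socket.create_connection((host, port), timeout=5)
    f = s.makefile("rb")

    def cmd(line):
        s.sendall((line + "\r\n").encode())
        return read_reply(f)[:3]

    read_reply(f)                                   # 220 banner
    cmd("EHLO scanner.example.test")
    for name in candidates:
        vrfy = cmd(f"VRFY {name}")
        if vrfy == "250":
            found[name] = "VRFY"
        elif cmd(f"EXPN {name}") == "250":
            found[name] = "EXPN"
        elif vrfy == "252":                         # refused, but RCPT TO usually still leaks it
            cmd("MAIL FROM:<probe@scanner.example.test>")
            if cmd(f"RCPT TO:<{name}@{domain}>") == "250":
                found[name] = "RCPT TO"
            cmd("RSET")
    cmd("QUIT")
    s.close()
    return found


if __name__ == "__main__":
    srv = start_fake_server(allow_vrfy=False)
    print(enumerate_users("127.0.0.1", srv.server_address[1], ["root", "alice", "bob", "admins"]))
    srv.shutdown()
    srv.server_close()
```

Against a real MTA the RCPT TO path is the one that matters: disabling VRFY and EXPN is the usual countermeasure, but a server that rejects unknown recipients at RCPT time still confirms valid names, which is why many MTAs are configured to accept every recipient and bounce later.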

