ANS Quiz

1. List the four components of security
• Confidentiality
• Authentication
• Availability
• Integrity

2. Define the terms: Threat, Vulnerability, Exploit
• Threat: Situation wherein human or natural occurrences can cause an undesirable outcome
• Vulnerability: Presence of a fault in the design or implementation of the system that leads to an unanticipated compromise of security
• Exploit: A defined way to breach the security of an IT system through vulnerabilities

3. Who is a hacker? Differentiate between malicious and ethical hacker
Ethical Hacker
• Information security professionals engaged in evaluating threats from attackers
• Use their hacking skills for defensive and protective purposes
• Test the network and systems security for vulnerabilities using the same tools that a hacker might use to compromise the network
• Three categories
  o Former black hats
  o White hats
  o Consulting firms

4. Discuss the steps to conduct ethical hacking
• Talk to the client and discuss the needs to be addressed during the testing
• Prepare and sign the nondisclosure agreement
• Organize an ethical hacking team and prepare a schedule for testing
• Conduct the test
• Analyze the results of the testing and prepare a report
• Present the report to the client

5. Explain different types of network security testing
• Black box
  o Performing a security evaluation and testing without any prior knowledge of the infrastructure or the system
  o Simulates an attack by a malicious attacker outside the network
• White box
  o Performing a security evaluation and testing with complete knowledge of the infrastructure or the system, such as a network administrator has
• Grey box
  o Performing a security evaluation and testing internally
  o Examines the extent of access by insiders within the network

6. What are the phases of hacking
• Phase 1 - Reconnaissance
• Phase 2 - Scanning
• Phase 3 - Gaining access
• Phase 4 - Maintaining access
• Phase 5 - Covering tracks
7. What information is gathered during footprinting
• Domain name
• Network services and applications
• System architecture
• Intrusion detection systems
• Specific IP addresses
• Access control mechanisms
• Authentication mechanisms
• Phone numbers and contact lists

8. Various methods of information gathering in the footprinting phase
• Unearthing initial information
  o Domain name lookup
  o HTML source code of website
  o Dumpster diving
  o Physical access
  o Search engines
• Locate the network range
  o Locate the network range of the target system using tools such as nslookup and whois
• Ascertain active machines
  o Find the active machines by pinging them
• Discover open ports / access points
  o Identify the open ports and access points on active machines using a port scanner
• Detect operating systems
  o Detect the operating systems by querying using telnet
• Uncover services on ports
• Map the network

9. Steps on how to perform footprinting
• Find the company's external and internal URLs
• Perform whois lookup for personal details
• Extract DNS information
• Mirror the entire website and look up names
• Extract archives of the website
• Google search for personal information of employees
• Find the physical location of the webserver using the tool Neotracer
• Analyze the company's infrastructure details from job postings
• Track email using "readnotify.com"

10. Types of DNS records
• A : host IP address
• MX : host mail exchange
• NS : host name server
• SOA : authority of the domain
• HINFO : host info with CPU type and operating system
11. What is competitive intelligence gathering and why do you need it
• Process of gathering information about your competitor from the freely available resources
• NEEDS:
  o Compare your products with those of your competitors
  o Analyze your market positioning compared to the competitors
  o Pull up a list of competing companies in the market
  o Extract sales person stories on how deals are won or lost in this arena
  o Study the resumes / skill set of the CEO, management and technical teams
  o Predict the competitors' tactics and methodology based on their previous track record

12. State the objectives of scanning
• To detect live systems running on the network
• To discover which ports are active/running
• To discover the operating system running on the target system
• To discover the services running/listening on the target system
• To discover the IP address of the target system

13. Types of scanning
• Port scanning
  o Open ports and services
  o Series of messages sent with well-known port numbers
• Network scanning
  o Identifies active hosts on the network
  o IP address: used for attack or network security assessment
• Vulnerability scanning
  o Identify the presence of known weaknesses

14. Scanning methodology
• Check for live systems
• Check for open ports
• Identify services
• OS identification
• Scan for vulnerabilities
• Draw network diagram of vulnerable hosts
• Prepare proxies
• Active probe / silently monitor the traffic

15. TCP based scanning
• Manipulation of the TCP 3-way handshake is the basis for TCP based scanning
• 3-way handshake
  o SYN sent from client
  o SYN/ACK sent from server
  o ACK sent from client

16. Banner grabbing
• Provides info about the type and version of software that is running

17. State the services for the following port numbers
PORT #   SERVICE
21       ftp
23       telnet
25       smtp
53       dns
80       http
161      snmp
194      irc
119      nntp
2049     nfs
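The 3-way handshake in Q15 is also what a network intrusion detection system watches for: a source that sends SYNs to many ports and never completes the handshake is the pattern of a half-open scan. The following Python is an added example, not part of the quiz; the event records are constructed.

```python
"""SYN-scan detection over TCP flag events (added example, not from the quiz).
The event list below is constructed, not taken from any real capture."""
from collections import defaultdict

# Each record: (src, dst, server_port, flags). Flags follow the 3-way handshake
# in Q15: "S" SYN from client, "SA" SYN/ACK from server, "A" ACK from client.
# "R" is a client reset, "RA" a server reset for a closed port.
SAMPLE_EVENTS = [
    # normal client: completes two handshakes
    ("10.0.0.5", "10.0.0.10", 80, "S"), ("10.0.0.10", "10.0.0.5", 80, "SA"),
    ("10.0.0.5", "10.0.0.10", 80, "A"),
    ("10.0.0.5", "10.0.0.10", 443, "S"), ("10.0.0.10", "10.0.0.5", 443, "SA"),
    ("10.0.0.5", "10.0.0.10", 443, "A"),
    # scanner: SYN to many ports, never sends the final ACK
    ("10.0.0.99", "10.0.0.10", 21, "S"), ("10.0.0.10", "10.0.0.99", 21, "RA"),
    ("10.0.0.99", "10.0.0.10", 22, "S"), ("10.0.0.10", "10.0.0.99", 22, "SA"),
    ("10.0.0.99", "10.0.0.10", 22, "R"),
    ("10.0.0.99", "10.0.0.10", 23, "S"), ("10.0.0.10", "10.0.0.99", 23, "RA"),
    ("10.0.0.99", "10.0.0.10", 25, "S"), ("10.0.0.10", "10.0.0.99", 25, "RA"),
    ("10.0.0.99", "10.0.0.10", 80, "S"), ("10.0.0.10", "10.0.0.99", 80, "SA"),
    ("10.0.0.99", "10.0.0.10", 80, "R"),
    ("10.0.0.99", "10.0.0.10", 443, "S"), ("10.0.0.10", "10.0.0.99", 443, "SA"),
    ("10.0.0.99", "10.0.0.10", 443, "R"),
    ("10.0.0.99", "10.0.0.10", 3306, "S"), ("10.0.0.10", "10.0.0.99", 3306, "RA"),
]

SERVER_SENT = {"SA", "RA"}  # these flag combinations travel server -> client

def summarize_flows(events):
    """Group the flags seen on each (client, server, port) half-connection."""
    flows = defaultdict(set)
    for src, dst, port, flags in events:
        key = (dst, src, port) if flags in SERVER_SENT else (src, dst, port)
        flows[key].add(flags)
    return flows

def detect_syn_scanners(events, min_ports=5, max_complete_ratio=0.2):
    """Return {client: ports_probed} for clients that SYN to at least min_ports
    (server, port) pairs but complete the handshake on almost none of them."""
    probed = defaultdict(set)
    completed = defaultdict(int)
    for (client, server, port), flags in summarize_flows(events).items():
        if "S" not in flags:
            continue
        probed[client].add((server, port))
        if {"SA", "A"} <= flags:  # SYN/ACK answered with ACK: a real connection
            completed[client] += 1
    suspects = {}
    for client, targets in probed.items():
        ratio = completed[client] / len(targets)
        if len(targets) >= min_ports and ratio <= max_complete_ratio:
            suspects[client] = len(targets)
    return suspects

if __name__ == "__main__":
    print(detect_syn_scanners(SAMPLE_EVENTS))  # {'10.0.0.99': 7}
```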
18. Scanning countermeasures
• The firewall of a particular network should be good enough to detect the probes of an attacker
• Network intrusion detection systems should be used to find out the OS detection methods
• Only necessary ports should be kept open
• All sensitive information that is not to be disclosed to the public over the internet should not be displayed

19. Enumeration - definition, information gathered
• Definition:
  o Process of discovering logon accounts and passwords and gaining access to network resources
  o Next step after the scanning phase, which identifies the live hosts and their OS in the network
  o Active phase as it involves connecting to the system
• Information gathered in this phase:
  o Resources and shares on the network
  o Usernames or groups on assigned networks
  o The last time a user logged on as well as the logon password

20. Enumerating Microsoft Windows OS (learn in detail)

21. Enumeration countermeasures
• Null sessions
  o Null sessions require access to ports TCP 139 or 445. These ports can be disabled
  o If possible the system administrator can disable SMB services
  o Restrict anonymous users by editing the registry:
  o Open regedt32
  o Navigate to HKLM\SYSTEM\CurrentControlSet\LSA
  o Choose Edit | Add Value
  o Value name: RestrictAnonymous
  o Data type: REG_DWORD
  o Value: 2
• SNMP
  o Simplest way is to turn off the SNMP service
  o Change the default "public" community name
  o Implement the Group Policy security restriction "Additional restrictions for anonymous connections"
  o Access to null session pipes and IPsec filtering should be restricted
22. Password cracking & countermeasures
Four types of attack
• Passive online attack
  o Get access to the communication channel and record raw network traffic
  o Wait until the authentication sequence
  o Brute force credentials / proxy authentication traffic
  o Relatively hard to penetrate
  o Tools: wire sniffing / man-in-the-middle and replay attacks
• Active online attack
  o Try different passwords until one works
  o Succeeds with bad passwords or open authentication points
  o Takes a long time
  o Tools: password guessing
• Offline attack
  o Encrypted passwords are readable by the attacker
  o Dictionary attack
    - Checks the password and detects the correct password by the hash functions; the hash value is compared with the encrypted value
    - Try different passwords from the list
    - Succeeds only with poor passwords
  o Hybrid attack
    - Starts with a dictionary list
    - Inserts entropy (appends a symbol / number)
    - Relatively fast
  o Brute force method
    - Try all possible combinations
    - Implemented with progressive complexity
    - LM "hash" is attacked first
    - Very slow
  o Pre-computed hashes
    - Generate all possible hashes
    - Compare to database values
    - Storing hashes requires huge space
• Non-electronic attacks
  o Shoulder surfing
  o Keyboard sniffing
  o Social engineering
Password mitigation
• Smart cards
• Biometrics
Password cracking countermeasures
• Enforce 8-12 character alphanumeric passwords
• Set the password change policy to 30 days
• Physically isolate and protect the server
• Monitor server logs for brute force attacks

23. Rootkits and rootkit detectors
Rootkits
• Replace OS system files with their own
Countermeasures
• Detecting a rootkit is difficult
• If detected, shut down the computer and check its storage by booting from an alternative reliable medium
Rootkit detectors
• BlackLight
• Rootkit Revealer
• Malicious Software Removal Tool (from Microsoft)
24. Steganography
• Process of hiding data in images
• Hide data files inside graphic files
• Embedded information may include
  o Source code for hacking
  o List of compromised servers
  o Plans for future attacks
Tools
• Merge Streams (Word / Excel)
• Invisible Secrets (www.freedownloadcenter.com)
• Invisible Folders
• Image Hide
• Stealth Files (www.programurl.com/stealth-files.htm)
• Steganography (www.soft32.com)
Steganography detection
• Stegdetect - automated tool for detecting steganographic content in images
25. Covering tracks
• Once intruders have gained access, they will try to cover up the detection of their presence
• Intruder installs backdoor programs on the victim's system for easy access in future
Methods
• Disabling auditing
• Clearing the event log (elsave)
• Evidence Eliminator

26. Definition of sniffers
• A packet sniffer is a program that eavesdrops on the network traffic
• It captures data as it passes across the network

27. How sniffers work

28. What a sniffer can do
• Determine the local gateway of an unknown network via passive sniffing
• Become a simple password sniffer
  o Parsing each application protocol and saving interesting information
• Output all requested URLs sniffed from HTTP traffic and analyze them offline
• Send URLs sniffed from a client to your local Netscape browser for display
• Intercept packets from a target host by forging ARP replies
• Flood the local network with random MAC addresses
  o Causes some switches to fail

29. Detection of a malicious sniffer

30. Sniffer countermeasures
• Use switches instead of hubs
• Encrypt the data
• Use ssh instead of telnet
• Use https instead of http
• Use scp and sftp for file transfer

31. Session hijacking - definition, steps, types, sequence number prediction, TCP/RST hijacking
• TCP session hijacking is when a hacker takes over a TCP session between two machines
• Steps FOR session hijacking
  o Tracking the connection
  o Desynchronizing the connection
  o Injecting the attacker's packet
  o Synchronizing the connection back to the client
Steps IN session hijacking
• Place yourself between the victim and the target
• Monitor the flow of packets
• Predict the sequence number
• Kill the connection to the victim's machine
• Take over the session
• Start injecting packets to the target server
Types of session hijacking
• Active
  o Attacker finds an active session and takes it over
• Passive
  o Attacker hijacks a session but sits back, watches and records all the traffic
Sequence number prediction
• Accurate prediction is important for a successful takeover
• Client sends SYN to the server; the server responds with SYN-ACK carrying a sequence number of its choosing, to which the client must respond with ACK
• The attacker first connects to the service with its own IP, records the sequence number and opens a second connection with a forged IP address
• The attacker doesn't see the SYN-ACK but can still predict the sequence number
TCP/IP hijacking
• Hacking technique that uses a spoofed address to take over a connection between a victim and target machine
• The victim's connection hangs and the hacker is then able to communicate with the host machine as if the victim is an attacker
• To launch a TCP/IP hijacking attack, the hacker must be on the same network as the victim
• The target victim can be anywhere
• Most computers are vulnerable as they are using TCP/IP
RST hijacking
• Involves injecting an authentic-looking reset (RST) packet
• Spoof the source address and predict the acknowledgement
• The victim will believe the source actually sent the reset packet and will reset the session

32. Difference between spoofing and hijacking
• In spoofing, the attacker does not actively take another user offline to perform the task
• He just pretends to be another user to gain access
• In hijacking, an attacker takes over an existing session, which means he relies on the legitimate user to make an authentic connection
• Subsequently the attacker takes over the session

33. Session hijacking countermeasures
• Use encryption
• Use a secure protocol (IPSec)
• Limit incoming connections
• Minimize remote access
• Educate employees

34. How web servers are compromised
• Misconfigurations
  o In OS or network
  o In web server software
• Bugs
  o OS bugs
  o Flaws in programming code
• Installing server / OS with defaults
  o Service packs not applied properly, leaving holes behind
• Lack of proper security policy, procedures and maintenance
35. Web server hacking risks
Server side
• Steal classified info
• Execute commands on the server machine and alter system configuration
• Retrieve host based information
• Launch DoS attacks - make the website unavailable
Client side
• Crash the browser
• Damage the user's system
• Breach user privacy
• Misuse of personal information that the user provides on active web pages
Network eavesdropping
• Capturing network data transmitted from browser to server / vice-versa
• Can be done from
  o Browser side network connection
  o Server side network connection
  o End user ISP
  o Server side ISP

36. Web server hardening methods
• Rename the administrator account and use a strong password
• Disable default websites and ftp sites
• Remove unused applications from the server
• Disable directory browsing in the web page configuration settings
• Disable remote administration
• Enable auditing and logging
• Use a script to map unused file extensions to a 404 error message "File not found"
• Add a legal notice to the site to make potential hackers aware of the legal implications

37. Web server hacking - countermeasures
• Scanning for existing vulnerabilities
• Applying patches
• Anonymous access restriction
• Incoming traffic request screening and filtering

38. Introduction to firewalls
• The main purpose of a firewall system is to control access to or from a protected network
• It helps implement an organizational security policy for a given network
• Firewalls let the network administrators define the services and resources to which access is permitted
• A firewall implements a network access policy by forcing connections to pass through particular computer(s) - designated as firewalls - where they can be examined and evaluated
• A firewall system can be a router, a PC, a host or a collection of these

39. Types of firewall services
• Packet filtering to prevent unauthorized access to services or from a certain set of external computers
• Protection from routing-based attacks, such as source routing and other attempts to manipulate packets in the ICMP protocol
• Control access to certain sites on the network. This allows administrators to seal off unwanted access from specific hosts, but still allows certain hosts like mail servers and information servers to run unhindered
• Block DNS information about a network
• Log any connections made with foreign hosts, or just log statistics about users within the network. These log files are very important because they can be reviewed, and a system administrator can detect any attempts at intrusion or misuse by legitimate members of the network

40. Firewall components
• Network policy
• Advanced authentication mechanisms
• Packet filtering
• Application gateways

41. Honeypot - definition and types of implementation
• A honeypot is a resource which pretends to be a real target
• A honeypot is expected to be attacked or compromised
• The main goals are the distraction of an attacker and the gain of information about an attacker, his methods and tools
Level of involvement
• Low involvement: port listeners
• Mid involvement: fake daemons
• High involvement: real services
• Risk increases with the level of involvement

42. Introduction to penetration testing
• A penetration test simulates methods that intruders use to gain unauthorized access to an organization's networked systems and compromise them
• In the context of penetration testing, the tester is limited by resources - namely time, skilled resources, and access to equipment - as outlined in the penetration testing agreement
• A pen test involves using proprietary and open source tools to test for known and unknown technical vulnerabilities in networked systems
• It also involves manual testing for conducting targeted testing on specific systems to ensure that there are no security flaws that may have gone undetected earlier
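As an added example, not from the quiz, here is the low-involvement honeypot of Q41 in Python: a bare port listener that accepts a connection, records the source and the first bytes sent, and runs no real service. The loopback address and the probe payload are constructed for the demonstration.

```python
"""Low-involvement honeypot as in Q41: a port listener that accepts a connection,
logs who connected and what they sent, and runs no real daemon. Added example;
the loopback address and payloads are constructed."""
import socket
import threading
import time
from datetime import datetime, timezone

def record_probe(peer, honeypot_port, first_bytes, when=None):
    """Turn one connection attempt into a log entry (pure, so it is testable)."""
    when = when or datetime.now(timezone.utc)
    text = first_bytes.decode("ascii", "replace").strip()
    return {"time": when.isoformat(), "src": peer[0], "src_port": peer[1],
            "honeypot_port": honeypot_port, "data": text[:80]}

def start_listener(port, log, host="127.0.0.1"):
    """Bind a listener and accept in a background thread, appending entries to
    log. Port 0 lets the OS pick a free port. Returns (bound_port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)  # short accept timeout so the loop notices stop_event
    bound_port = srv.getsockname()[1]
    stop = threading.Event()
    def accept_loop():
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            with conn:  # low involvement: read a little, answer nothing
                conn.settimeout(1.0)
                try:
                    data = conn.recv(256)
                except socket.timeout:
                    data = b""
            log.append(record_probe(peer, bound_port, data))
        srv.close()
    threading.Thread(target=accept_loop, daemon=True).start()
    return bound_port, stop

def send_probe(port, payload, host="127.0.0.1"):
    """Act as the connecting side (used by the demo below and by tests)."""
    with socket.create_connection((host, port), timeout=2) as c:
        c.sendall(payload)

def wait_for_entries(log, count, timeout=3.0):
    """Block until log holds count entries or timeout expires; return len(log)."""
    deadline = time.monotonic() + timeout
    while len(log) < count and time.monotonic() < deadline:
        time.sleep(0.05)
    return len(log)

if __name__ == "__main__":
    entries = []
    port, stop = start_listener(0, entries)
    send_probe(port, b"GET / HTTP/1.0\r\n\r\n")  # constructed probe
    print(wait_for_entries(entries, 1), entries)
    stop.set()
```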
43. Types of pen testing
External testing
• Involves analysis of publicly available information, a network enumeration phase, and analysis of the behavior of security devices
Internal testing
• Typically performed from a number of network access points, representing each logical and physical segment

44. Pen test tools
• AppScan
• HackerShield
• Cerberus Internet Scanner
• CyberCop Scanner
• FoundScan
• Nessus
• NetRecon
• SAINT
• SecureNet PRO

45. Phases of pen test
Pre-attack phase
• Passive reconnaissance
• Active reconnaissance
• Best practices
  o Maintain a log
  o Timestamp all communications
  o Reason out the strategic choices to the input / output
  o Develop or acquire tools based on your strategy
• Results interpretation
Attack phase
• Penetrate perimeter
• Acquire target
• Escalate privileges
• Execute, implant and retract
Post-attack phase
• This phase is to restore the systems to their pre-test states
• Activities
  o Removing all files uploaded
  o Cleaning all the registry entries
  o Removing all tools and exploits
  o Removing the shares and connections
  o Analyzing the results and presenting them to the organization