Professional. Proactive. Protective.

h4X0R
Know Your Enemy
Hacking Methodology & Tools:
Network Reconnaissance

Ted Mac Daibhidh, C.D.
Special Operations Analyst
DND CIRT INCIDENT HANDLING & ADVANCED ANALYSIS TEAM
MacDaibhidh.EL@forces.gc.ca

Classification

This briefing has no class at all - in fact…

The briefing is UNCLASSIFIED in its entirety.

Network Operations Centre

The Canadian Forces Network Operations Centre consolidates the following DND network assets:
a. NSMC - National Systems Management Centre;
b. NVAT - Network Vulnerability Assessment Team;
c. TSIT - Technical Security Inspection Team;
d. NCAS - National Centralized Attended Service;
e. CSG – Computer Support Group; and
f. CIRT – Computer Incident Response Team.

DND CIRT Responsibilities

• Monitoring of Intrusion Detection Systems (IDSs) and other devices providing 24/7 Computer Security and Incident Handling.
• Functional and centralized authority for computer incident data collection & reporting.
• Provision of technical security incident reports for ISSOs and other authorities within the department.
• Monitoring of open source intelligence assets for indications and warnings of potential threats to DND network assets.
• Provision of technical support to criminal and counterintelligence agencies investigating computer crimes (e.g. CFNIS).
• Assessment of selected computer and network security tools.
• Liaison with the CERT/CIRT teams of Allied, Quinquepartite, government and industrial agencies.
• Assessment of emerging threats and new technologies in a lab environment.

Briefing Goals
The goal of this briefing is five-fold:
a. acquaint the analyst with the hacker’s methodology (“The Anatomy of a Hack”) with respect to network reconnaissance;
b. introduce some of the methods and tools used during the network reconnaissance process;
c. drive home the requirement for continuing professional development;
d. demonstrate the benefits of a personal lab and the methods used in lab construction; and
e. introduce some tools that can be utilized in a personal lab environment.

The Anatomy of a Hack


The “Anatomy of a Hack” summarizes the steps a cracker undertakes prior to and during a network attack. This process consists of two distinct phases:

• Reconnaissance and Target Acquisition
  Footprinting
  Scanning
  Enumeration

• Assault
  Gaining access
  Privilege escalation
  Pilfering
  Covering tracks
  Back door creation
  Denial of Service (DoS)

Footprinting

Footprinting refers to the systematic process by which an attacker attempts to compile as much information as possible regarding a targeted network, including:
• Domain name
• Network blocks
• Overall security posture
• Specific IP addresses

Types of Footprinting:
• Active – The target may be alerted to the activity (traceroutes, social engineering, zone transfers).
• Passive - The target is unaware of the reconnaissance activity (Whois searches, other open source information).

Footprinting Techniques & Tools

Techniques –
• DNS zone transfer/interrogation
• Online Tools
• Open source search
• Route tracing
• Social Engineering
• Whois lookup

Tools –
• nslookup
• p0f
• “Sam Spade”
• Search engines
• traceroute
• Usenet
• whois (Internic, ARIN, etc.)
• WinNSlookup

DNS Interrogation

[Diagram: h4X0R runs nslookup against the DNS Server]

DNS Interrogation (screenshot)

DNS Interrogation
DNS Resource Record Type Codes

Most DNS RR types are defined in RFCs 1034, 1183, 1876, and 2782.

DNS RR Type Codes:
• A (Assigned) - Associates an IP with a canonical hostname.
• CNAME (Canonical Name) - Associates an alias with its canonical hostname.
• HINFO (Host Information) – Specifics regarding an individual host.
• LOC (Location Brief) – The geographical location of a host.
• MINFO (Mail Information) – Mail related resource information.
• MX (Mail Exchange) – Identifies a mail exchange resource.
• NS (Name Server) - Points to a master name server of a subordinate zone.
• RP (Responsible Person) – Identifies the individual responsible for a host.
• SOA (Start of Authority) - Identifies the start of a zone of authority.
• SRV (Server) – Designates any host providing a network service.
• WKS (Well Known Service) – Information services offered on a host.

DNS Interrogation
DNS Record Examples

DOMAIN          DNS RR TYPE   RECORD ENTRY
IMISSTECH.TV.   A             10.1.1.1 imisstech.tv.
                HINFO         HP-UX UNIX
                SRV           DMZ Server
                WKS           10.1.1.1 tcp ftp telnet smtp pop3
                RP            ted.macdaibhidh.imisstech.tv.
IAMACUTEC.AT.   A             192.168.1.1 iamacutec.at
                MX            10 iamacutec.at
                HINFO         WINDOWS 2003 SERVER
                WKS           192.168.1.1 udp domain
                WKS           192.168.1.1 tcp ftp telnet smtp domain
                RP            wallie.the.tabby.cat.admin.iamacutec.at.
                RP            murphy.the.mainecoon.tech.iamacutec.at
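An added example, not code from the briefing, that audits a zone for the record types the slides above single out as handing a footprinter free information (HINFO, WKS, RP, LOC, MINFO); the zone text is constructed to mirror the IMISSTECH.TV and IAMACUTEC.AT rows, and the severities are my own triage labels rather than any standard.

```python
"""Audit a DNS zone for records that hand a footprinter free information.

Added example, not code from the briefing. The zone text is constructed to
mirror the IMISSTECH.TV / IAMACUTEC.AT rows above; the severities are a
triage judgement, not a standard.
"""
import re
from collections import defaultdict

# Record types that describe OS, services, people or location to outsiders.
LEAKY_TYPES = {
    "HINFO": ("high", "reveals hardware/OS, steering OS-specific attacks"),
    "WKS": ("high", "advertises listening services without a port scan"),
    "RP": ("medium", "names a person, a social-engineering lead"),
    "LOC": ("medium", "gives the physical location of a host"),
    "MINFO": ("low", "exposes mail admin/error mailboxes"),
}

# Constructed zone in master-file style, matching the briefing's table.
ZONE_TEXT = """\
imisstech.tv.   IN A     10.1.1.1
imisstech.tv.   IN HINFO "HP-UX" "UNIX"
imisstech.tv.   IN WKS   10.1.1.1 tcp ftp telnet smtp pop3
imisstech.tv.   IN RP    ted.macdaibhidh.imisstech.tv. .
iamacutec.at.   IN A     192.168.1.1
iamacutec.at.   IN MX    10 iamacutec.at.
iamacutec.at.   IN HINFO "WINDOWS" "2003 SERVER"
iamacutec.at.   IN WKS   192.168.1.1 udp domain
iamacutec.at.   IN WKS   192.168.1.1 tcp ftp telnet smtp domain
iamacutec.at.   IN RP    wallie.the.tabby.cat.admin.iamacutec.at. .
iamacutec.at.   IN RP    murphy.the.mainecoon.tech.iamacutec.at. .
"""

# owner [ttl] IN TYPE rdata  ($-directives and class-less lines not handled)
RR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+([A-Z]+)\s+(.*)$")


def parse_zone(text):
    """Return (owner, rtype, rdata) tuples; comments and blank lines skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        m = RR_RE.match(line)
        if not m:
            raise ValueError(f"unparsed record: {line!r}")
        records.append((m.group(1).lower(), m.group(2), m.group(3)))
    return records


def advertised_services(records):
    """Set of (owner, proto, service) an outsider learns from WKS alone."""
    services = set()
    for owner, rtype, rdata in records:
        if rtype == "WKS":
            _addr, proto, *names = rdata.split()
            services.update((owner, proto, n) for n in names)
    return services


def audit_zone(records):
    """Map owner -> [(severity, rtype, reason, rdata)] for leaky records.

    WKS findings spell out the advertised services, the same list an
    attacker reads, so the zone owner sees exactly what is exposed.
    """
    findings = defaultdict(list)
    for owner, rtype, rdata in records:
        if rtype not in LEAKY_TYPES:
            continue
        severity, reason = LEAKY_TYPES[rtype]
        if rtype == "WKS":
            _addr, proto, *names = rdata.split()
            reason += f" ({proto}: {', '.join(names)})"
        findings[owner].append((severity, rtype, reason, rdata))
    return dict(findings)


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    for owner, items in audit_zone(recs).items():
        for severity, rtype, reason, _rdata in items:
            print(f"{severity:6} {owner:15} {rtype:5} {reason}")
```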

Online Tools – Sam Spade (screenshot)

Open Source Search – Search Engine (screenshots)

UseNet Search (screenshot)

Lookup - ARIN Whois (screenshot)

Lookup - InterNIC Whois (screenshot)

Traceroute
c:\>tracert server.target.net
OR
c:\>tracert 4.3.4.2

[Diagram: Source Host host1.source.net (1.2.3.2) -> Gateway gateway.source.net (1.2.3.1) -> Internet Router 2.3.4.6 -> Internet Router 3.3.4.7 -> Gateway gateway.target.net (4.3.4.1) -> Target Webserver server.target.net (4.3.4.2); Hops 1 to 5 carry TTL 100, 99, 98, 97, 96]

• Traceroute is a utility available in both Windows and *nix OSes.
• This utility records the specific gateway computers at each hop between the source host and a specified destination host.
• Allows the attacker to determine some basic network topology and determine the location of routers and packet filtering devices.
• As a general rule of thumb, the last host before the live target host is performing routing/packet filtering functions.
• Use of the “-p” switch to specify a specific destination port may allow tracerouting beyond packet filtering devices.

Traceroute

C:\WINDOWS\Desktop>tracert 1.2.61.100
Tracing route to host bb2-web1.xxx.net [1.2.61.100]
1 3 ms 9 ms 9 ms Ubergeek [xxx.xxx.xxx.xxx]
2 70 ms 49 ms 69 ms gw01.phub.cable.rogers.com [xxx.xxx.82.138]
3 116 ms 99 ms 99 ms bb2.gw4.xxx.xxx.net [1.2.60.1]
4 117 ms 100 ms 100 ms bb2-gw2-60-22.xxx.net [1.2.60.2]
6 198 ms 109 ms 110 ms bb2-fw-2-dmz.xxx.net [1.2.61.1]
7 237 ms 179 ms 220 ms bb2-web1.xxx.net [1.2.61.100]
Trace complete.
C:\WINDOWS\Desktop>

XXX.net Network Topology


[Diagram: Internet -> External Network Gateway bb2.gw4.xxx.xxx.net [1.2.60.1] -> Router bb2-gw2-107-66.xxx.net [1.2.60.2] (Internal Network?) -> DMZ Firewall bb2-fw-2-dmz.xxx.net [1.2.61.1] -> DMZ 1.2.61.x subnet -> XXX.net Webserver bb2-web1.xxx.net [1.2.61.100]]

• With one simple traceroute to a web server, we have determined the basic topology of the XXX.net network.
• Armed with a basic knowledge of network design, we can surmise that:
a. another firewall is in place between the internal network cloud and the router; and
b. other possibly vulnerable services and applications (e.g. FTP, databases, e-mail) are running in the DMZ cloud.
• Now that the basic network topology has been resolved, more intrusive methods can be used to footprint other network resources.

Traceroute

C:\WINDOWS\Desktop>tracert
Tracing route to host bb2.fw1.xxx.xxx.net [1.2.60.3]
1 2 ms 6 ms 8 ms Ubergeek [xxx.xxx.xxx.xxx]
2 68 ms 47 ms 69 ms gw01.phub.cable.rogers.com [xxx.xxx.82.138]
3 111 ms 92 ms 100 ms bb2.gw4.xxx.xxx.net [1.2.60.1]
4 123 ms 101 ms 103 ms bb2.gw2.xxx.xxx.net [1.2.60.2]
5 138 ms 107 ms 109 ms bb2.fw1.xxx.xxx.net [1.2.60.3]
Trace complete.
C:\WINDOWS\Desktop>

• We now have an initial map of the network and an insight into its naming conventions.
• An educated guess and another traceroute yields another firewall.
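An added example, not code from the briefing, that parses the two tracert listings above and applies the rules of thumb from the Traceroute and XXX.net Network Topology slides (last responding hop before the target, a hop missing from the listing, address segments, merging several traces into one map); it assumes the masked xxx octets are replaced with RFC 5737 documentation addresses so every line parses.

```python
"""Parse tracert output and apply the briefing's topology rules of thumb.

Added example, not code from the briefing. The two traces are reconstructed
from the slides above; the masked 'xxx' octets are replaced with RFC 5737
documentation addresses (192.0.2.1, 203.0.113.138) so every line parses.
"""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

TRACE_WEB = """\
Tracing route to host bb2-web1.xxx.net [1.2.61.100]
  1     3 ms     9 ms     9 ms  Ubergeek [192.0.2.1]
  2    70 ms    49 ms    69 ms  gw01.phub.cable.rogers.com [203.0.113.138]
  3   116 ms    99 ms    99 ms  bb2.gw4.xxx.xxx.net [1.2.60.1]
  4   117 ms   100 ms   100 ms  bb2-gw2-60-22.xxx.net [1.2.60.2]
  6   198 ms   109 ms   110 ms  bb2-fw-2-dmz.xxx.net [1.2.61.1]
  7   237 ms   179 ms   220 ms  bb2-web1.xxx.net [1.2.61.100]
Trace complete.
"""

TRACE_FW = """\
Tracing route to host bb2.fw1.xxx.xxx.net [1.2.60.3]
  1     2ms     6 ms     8 ms  Ubergeek [192.0.2.1]
  2    68 ms    47ms    69 ms  gw01.phub.cable.rogers.com [203.0.113.138]
  3   111 ms    92 ms   100 ms  bb2.gw4.xxx.xxx.net [1.2.60.1]
  4   123ms   101 ms   103 ms  bb2.gw2.xxx.xxx.net [1.2.60.2]
  5   138 ms   107 ms   109 ms  bb2.fw1.xxx.xxx.net [1.2.60.3]
Trace complete.
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+(\S+)\s+\[(\d+(?:\.\d+){3})\]\s*$")
TIMEOUT_RE = re.compile(r"^\s*(\d+)\s+\*")  # "5  *  *  *  Request timed out."
RTT_RE = re.compile(r"(\d+)\s*ms")           # tolerates "2ms" as well as "2 ms"

Hop = namedtuple("Hop", "number host ip rtts_ms")  # host/ip are None if silent


def parse_tracert(text):
    """Hops in output order; a hop that timed out is kept with ip None."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            num, rtt_part, host, ip = m.groups()
            rtts = tuple(int(x) for x in RTT_RE.findall(rtt_part))
            hops.append(Hop(int(num), host, ip, rtts))
            continue
        t = TIMEOUT_RE.match(line)
        if t:
            hops.append(Hop(int(t.group(1)), None, None, ()))
    return hops


def missing_hops(hops):
    """Hop numbers absent from the listing; a hop that never answers is often
    a device dropping probe traffic (the first trace above skips hop 5)."""
    numbers = {h.number for h in hops}
    return [n for n in range(1, max(numbers) + 1) if n not in numbers]


def filtering_candidate(hops):
    """Briefing rule of thumb: the last responding host before the target is
    doing the routing/packet-filtering work."""
    answered = [h for h in hops if h.ip]
    return answered[-2] if len(answered) >= 2 else None


def segments(hops, prefix=24):
    """Responding hosts grouped by /prefix network: 1.2.60.0/24 sits outside
    the DMZ firewall, 1.2.61.0/24 behind it."""
    groups = {}
    for h in hops:
        if h.ip:
            net = ip_network(f"{h.ip}/{prefix}", strict=False)
            groups.setdefault(str(net), []).append(h.host)
    return groups


def merge_maps(*traces):
    """Union of ip -> host across traces; the second trace adds the internal
    firewall at 1.2.60.3, which the first never touched."""
    seen = {}
    for hops in traces:
        for h in hops:
            if h.ip:
                seen[h.ip] = h.host
    return dict(sorted(seen.items(), key=lambda kv: ip_address(kv[0])))
```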

Firewalking

[Diagram: Internet -> External Network Gateway bb2.gw4.xxx.xxx.net [1.2.60.1] -> Router bb2-gw2-60-22.xxx.net [1.2.60.2] (Internal Network? 1.2.60.x or NAT? Another router?) -> Internal Firewall bb2.fw1.xxx.xxx.net [1.2.60.3]; DMZ Firewall bb2-fw-2-dmz.xxx.net [1.2.61.1] -> DMZ 1.2.61.x subnet -> XXX.net Webserver bb2-web1.xxx.net [1.2.61.100]]

• Firewalking is a technique that allows an attacker to covertly map the ACLs of packet filtering devices.
• Sends TCP or UDP packets to the packet filter that have a TTL set at one hop greater than the target.
• Should the packet make it through the gateway, it is forwarded to the next hop where the TTL equals zero and the packet is discarded.
• Using this method, the ACL rules of a packet filter can be determined without actually touching any hosts behind the device.

Firewalking
Fire, walk with me…
Ubergeek:#firewalk -n -S 1–1024 TCP 1.2.61.1 1.2.61.100
Firewalking through 1.2.61.1 (towards 1.2.60.100) with a maximum of 25 hops.
Ramping up hopcounts to binding host...
probe: 1 TTL: 1 port 33434: <response from> [1.2.60.1]
probe: 2 TTL: 2 port 33434: <response from> [1.2.60.2]
probe: 3 TTL: 3 port 33434: Bound scan: 3 hops <Found gateway at 3 hops> [1.2.61.1]
Scanning...
port 20: open
port 21: open
port 22: open
port 53: open
port 80: open
1027 packets sent, 5 replies received.

• In this example, firewalk will scan ports 1-1024 using TCP packets directed at the firewall (1.2.61.1) using the previously mapped host at 1.2.61.100 as a metric.
• The packet filter is found after three hops and firewalk begins scanning using TCP packets with a TTL of 4.
• In this case, the ports shown were allowed by the ACL and passed successfully through the packet filter.
• The attacker can therefore surmise in this case that at least one web server, an ssh server and an ftp server are running in the DMZ.
• Armed with this information, the attacker can plan any further actions appropriately.

VisualRoute (screenshot)

Social Engineering

Social engineering is a form of hacking that targets people (wetware) instead of their networks.

The most successful hackers are also successful social engineers, because there is no patch for human stupidity.

Types of social engineering include:
● Tainting Trust
● Dumpster Diving
● Shoulder Surfing
● Proxy Probing


Scanning Techniques & Tools

Techniques –
• Ping sweep
• TCP/UDP port scan
• Stealth scans

Tools –
• Nmap
• SuperScan
• Internet Toolkit
• Hping
• Grim’s Ping

Scanning
Scanning is the process by which the attacker performs bulk target assessment, identifies listening services and locates possible points of ingress.
Types of scans include the following:
• Ping Sweep – Attempts to determine which hosts on a network are reachable.
• Vanilla – Attempts to connect to all 65535 ports.
• Stealth – Attempts to connect to ports using various techniques, including half-open connections (FIN/SYN) in order to avoid detection.
• Reflex – Attempts to connect using fragmented packets, XMAS (all TCP flags set) or NULL (no TCP flags set) in order to provoke a specific response.
• Strobe – Attempts to connect to a few known ports.
• UDP – Attempts to locate open UDP ports.
• Horizontal Sweep – Scanning the same port across multiple hosts; the attacker is planning to target a particular service.
• Vertical Sweep – Scanning multiple ports on a single host; the attacker is attempting to locate a vulnerable service.
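The horizontal/vertical sweep distinction and the flag-based scan types above, turned into detection logic over a connection log as an added example that is not code from the briefing; the log lines, their format and the thresholds are constructed.

```python
"""Flag horizontal and vertical sweeps in a connection log and name the
probe type by its TCP flags, following the Scanning slide above.

Added example, not code from the briefing. The log format is constructed:
  <epoch seconds> <src> <dst> <dport> <tcp flags, '-' for none>
Thresholds are illustrative and would be tuned per network.
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
1000 10.9.9.9 10.1.1.1 80 S
1001 10.9.9.9 10.1.1.2 80 S
1002 10.9.9.9 10.1.1.3 80 S
1003 10.9.9.9 10.1.1.4 80 S
1004 10.9.9.9 10.1.1.5 80 S
1100 10.8.8.8 10.1.1.7 21 FPU
1101 10.8.8.8 10.1.1.7 22 FPU
1102 10.8.8.8 10.1.1.7 25 FPU
1103 10.8.8.8 10.1.1.7 53 FPU
1104 10.8.8.8 10.1.1.7 80 FPU
1105 10.8.8.8 10.1.1.7 110 FPU
1200 10.7.7.7 10.1.1.9 443 -
1300 10.5.5.5 10.1.1.1 80 SA
1301 10.5.5.5 10.1.1.1 443 SA
"""


def parse_log(text):
    """Event dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, flags = parts
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "dport": int(dport), "flags": flags})
    return events


def classify_probe(flags):
    """Scan type from the TCP flag letters (S A F R P U)."""
    f = set(flags) - {"-"}
    if not f:
        return "NULL"      # no flags set: reflex scan
    if f == set("SAFRPU"):
        return "XMAS"      # every flag lit, as the briefing defines it
    if f == {"F", "P", "U"}:
        return "XMAS"      # FIN/PSH/URG variant (nmap -sX)
    if f == {"F"}:
        return "FIN"       # stealth
    if f == {"S"}:
        return "SYN"       # half-open if the handshake never completes
    return "OTHER"


def _dominant_probe(events):
    return Counter(classify_probe(e["flags"]) for e in events).most_common(1)[0][0]


def detect_sweeps(events, window=60, horiz_min=4, vert_min=5):
    """Return {src: [finding, ...]}.

    horizontal: one source, one port, >= horiz_min hosts inside window
    vertical:   one source, one host, >= vert_min ports inside window
    """
    by_port = defaultdict(list)   # (src, dport) -> events
    by_dst = defaultdict(list)    # (src, dst)   -> events
    for e in events:
        by_port[(e["src"], e["dport"])].append(e)
        by_dst[(e["src"], e["dst"])].append(e)

    def span(evs):
        return max(e["ts"] for e in evs) - min(e["ts"] for e in evs)

    findings = defaultdict(list)
    for (src, port), evs in by_port.items():
        hosts = {e["dst"] for e in evs}
        if len(hosts) >= horiz_min and span(evs) <= window:
            findings[src].append({"kind": "horizontal", "port": port,
                                  "count": len(hosts),
                                  "probe": _dominant_probe(evs)})
    for (src, dst), evs in by_dst.items():
        ports = {e["dport"] for e in evs}
        if len(ports) >= vert_min and span(evs) <= window:
            findings[src].append({"kind": "vertical", "host": dst,
                                  "count": len(ports),
                                  "probe": _dominant_probe(evs)})
    return dict(findings)
```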

NMap (Network Mapper)

NMap is a powerful scanning tool that is available in both *nix and Win32 versions.
● Employs multiple TCP scan facilities (Null, XMAS, FIN, SYN).
● Capable of remote OS fingerprinting.
● Implements specialized stealth scanning techniques (FTP bounce, idle scan, etc.).

Internet Toolkit
One of many similar tools available today, these toolkits are capable of performing simple ping, port and service scans.
• Although quite functional, the scanning techniques utilized by Internet Toolkit and similar scanning tools (e.g. SuperScan) are quite noisy.
• Tools such as this are popular with skiddies as they are easy to use and readily available.

SuperScan

• SuperScan is a scanning
tool available free from
Foundstone.
• In addition to its scanning
ability, SuperScan
incorporates an automated
banner grabbing facility
(banner grabbing will
be discussed later).

HPing

Hping is a very powerful command line based packet crafting tool that allows the user to craft packets of virtually any type desired.
• Firewall testing
• Advanced port scanning
• Network testing, using different protocols, TOS, fragmentation
• Manual path MTU discovery
• Advanced traceroute, under all the supported protocols
• Remote OS fingerprinting
• Remote uptime guessing
• TCP/IP stacks auditing

HPing
# hping2 --scan known 192.168.1.103
Scanning 192.168.1.103 (192.168.1.103), port known
245 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
9 discard : .S..A... 64 0 32767 44
13 daytime : .S..A... 64 0 32767 44
21 ftp : .S..A... 64 0 32767 44
22 ssh : .S..A... 64 0 32767 44
25 smtp : .S..A... 64 0 32767 44
37 time : .S..A... 64 0 32767 44
80 www : .S..A... 64 0 32767 44
111 sunrpc : .S..A... 64 0 32767 44
113 auth : .S..A... 64 0 32767 44
631 ipp : .S..A... 64 0 32767 44
3306 mysql : .S..A... 64 0 32767 44
6000 x11 : .S..A... 64 0 32767 44
6667 ircd : .S..A... 64 0 3072 44
All replies received. Done.
No responding ports:

• The latest stable release of HPing has implemented a scanning function.
• Even in scanning mode, it is possible to utilize most of the tool’s functionality.

Grim’s Ping
A Weapon of Mass Distribution

• Scans en masse for live hosts, FTP and web proxy servers.
• Capable of TCP SYN port scanning.
• Scans for FTP public shares (pubs).
• Plug-ins (Ping Companion, etc.) add even more functionality.


Enumeration

Definition of Enumeration:
A mathematical set with a total ordering and no infinite descending chains. A total ordering "<=" satisfies x <= x; x <= y <= z => x <= z; x <= y <= x => x = y; and for all x, y, x <= y or y <= x. In addition, if a set W is well-ordered then all non-empty subsets A of W have a least element, i.e. there exists x in A such that for all y in A, x <= y.

Fortunately, man invented computers and quickly discovered that mathematics was no longer necessary.

Definition of Enumeration
Enumeration refers to the process by which the attacker makes use of more intrusive probing in order to identify resource shares, user accounts, operating systems and applications associated with the targeted network.

Enumeration Techniques & Tools

Techniques –
• List user accounts
• List file shares
• Application/OS identification

Tools –
• Telnet
• Netcat
• SuperScan
• NAT
• NMap
• p0f
• VisualRoute

Banner Grabbing (screenshot)

Banner Grabbing – Telnet


• Telnet may be utilized as a rudimentary tool to grab server banners.
• This is accomplished by opening a telnet session to the service you wish to enumerate.
• A successful telnet session should yield the server’s banner.

In the example above, telnetting into a web server on port 80 reveals that the server is running Microsoft IIS v5.0.

Banner Grabbing - Netcat

• The much vaunted TCP/IP “Swiss Army Knife”; every network security professional should have Netcat in their toolbox.
• Useful for creating custom stimuli using “nudge files” to capture more information in a banner reply than would normally be provided.
• Armed with RFCs and a working knowledge of TCP based protocols, “nudge file” creation is easily accomplished using a standard text editor.

Banner Grabbing - Netcat


Ubergeek:#nc -vv 10.1.1.1 80 < /home/usr/bin/nudge.txt

A nudge file consists of a couple of hard carriage returns at a minimum; the nudge file is redirected to the netcat command's stdin using a hoinkie (the “<” redirect) as demonstrated above.

Netcat is a powerful tool with many uses – this demonstrates just one of them; you are highly encouraged to experiment with netcat further in your lab environment.

Banner Grabbing - VisualRoute

• VisualRoute is capable of performing banner grab enumeration of targeted hosts.
• By directing traces at a specific port, useful information may be obtained about the target.
• In this case, the trace was directed at port 80 on the target host.
• VisualRoute has determined that the target is an Apache 1.3.27 http server with mod_throttle 3.1.2 and mod_perl 1.26 installed running on Unix.

Banner Grabbing - SuperScan

• In addition to its scanning ability, SuperScan is able to grab banners from a targeted network.
• This feature allows the attacker to perform banner grab enumeration en masse.
• In this case, the scanner has captured the banner of the target’s SMTP server.

p0f - Passive OS Fingerprinting

• P0f is a passive OS
fingerprinting tool.
• Runs in the background
and sniffs traffic on the
wire.
• The packet’s parameters
are compared against
fingerprint tables and
the program makes a
“best guess” regarding
the OS type in real time.

OS Fingerprinting
OS Version      Platform      TTL      Window        DF   TOS
Free BSD 3.x    Intel         64       17520         Y    16
Open BSD 2.x    Intel         64       17520         N    16
Linux 2.2       Intel         64       32120         Y    0
Solaris 8       Intel/SPARC   64       24820         Y    0
Windows 9x/NT   Intel         32/128   5000-9000     Y    0
Windows 2000    Intel         128      17000-18000   Y    0

• TTL (Time To Live)
Time to live is a value in an IP packet that communicates to a network router whether or not the packet has been on the network too long and should be discarded.
• Window
Window size is the amount of outstanding (unacknowledged by the recipient) data a host can transmit on a single network connection before it receives an acknowledgement from the destination host.
• DF (Don’t Fragment Bit)
Located in bit two of an IP header’s sixth octet; the DF bit, if set, indicates that the packet is not to be fragmented.
• TOS (Type of Service Byte)
The TOS byte is used for internet service quality selection. Various fields within the byte specify parameters for precedence, delay, throughput, and reliability.

NMap – Active OS Fingerprinting

• NMap has the capability to fingerprint a remote host’s operating system, allowing the attacker to enumerate the target’s OS.
• Unlike p0f, NMap performs active OS fingerprinting by sending unusual and invalid TCP packets to the target host, then monitors the wire for the target host’s responses.
• In this case, NMap correctly enumerated the target’s OS as a Linux 2.4 x86 distro.

Building Your Lab


Because there’s no place like /home

Why build a personal lab?
• Continuing professional development is a necessary evil.
• This process can be greatly enhanced if one has access to a personal computer lab.
• Maintaining a personal lab also provides excellent bullets for performance reviews and résumés.
Besides, building a lab is easy and fun – and the ladies dig guys with computer labs!

Building Your Lab

Constructing a lab is a fairly easy process and can be accomplished utilizing two methods:
a. hard network: one or more actual hosts connected through a crossover cable or switch/routing device; or
b. soft network: a single host running virtual machines (this is the preferred configuration).

In either case, it is highly recommended that the lab network be contained as a standalone implementation vice being connected to a live network.

My Lab Configuration – “Arda”

[Diagram: DSL Modem -> Hub -> Firewall "Morannon" -> Gateway "Hornburg" -> Lab Box Source "Melkor" <-> Lab Box Target "Sauron" (CAT5 crossover); IDS/Sniffer "Palantir" hangs off the Hub on a receive-only CAT5 cable; Standalone Lab Box "Gollum"; Primary Box "Aragorn"]

• PALANTIR is connected to the wire via a hub and a receive-only CAT5 cable.
• PALANTIR is isolated from the lab network by MORANNON; the firewall is only opened when necessary to transfer files from PALANTIR.
• MELKOR serves as the primary analysis station and attack platform; this host is directly connected to SAURON with a CAT5 crossover cable.
• In addition to its native environment, SAURON is capable of running multiple VMWare virtual machines to simulate larger networks.
• GOLLUM is a standalone host utilized for malware analysis running a VMWare Player virtual machine.

Yes, the naming convention theme was inspired by the Tolkien legendarium and yes, I am a Geek…

Building Your Lab


KVM Switch
• Should you choose a hard or hard/soft combo configuration for your lab network, multiple input/display devices are not necessary.
• KVM switches allow you to use a single keyboard, mouse and video display with multiple hosts.

Building Your Lab


VMWare Player
• Run any single virtual machine.
• Real to virtual machine copy/paste and drag/drop.
• Multiple networking options.
• 32 and 64 bit OS support.
• User adjustable memory management.
• Easily and safely evaluate applications distributed in virtual machines without any installation or configuration.

VMware Player is a free download from the VMWare website.

Although this version supports only one virtual machine and lacks the facility to generate virtual machine images, this distro is adequate for most purposes where only a single target is required.
http://www.vmware.com/products/player/

Building Your Lab


Linux LiveCD Distros

• A LiveCD is an OS distro stored on a bootable CD-ROM that can run without installation on a hard drive.
• Loads necessary system files into a RAM disk.
• The system returns to its previous OS/state when the LiveCD is ejected and the computer is rebooted.
• Knoppix based distros can set up a “Persistent Home Directory” on a Thumb Drive for storage and retrieval of files.

Building Your Lab


Linux LiveCD Distros
General Toolkits:
Knoppix STD (Security Tools Distribution)
http://www.knoppix-std.org/
P.H.L.A.K. (Professional Hacker’s Linux Assault Kit)
http://www.phlak.org/modules/news/

Forensic Toolkits:
Helix
http://www.e-fense.com/helix/
PSK (Penguin Sleuth Kit)
http://www.linux-forensics.com/

Pen-Testing Toolkits:
KCPentrix
http://kcpentrix.net/
WHAX
ftp://ftp.belnet.be/packages/whoppix/whax-3.0-200705.iso

Building Your Lab


Malware Analysis Tools
• All malware analysis should take place on a standalone host, preferably one running a virtual machine.
• Once analysis is complete, the VM image can simply be reloaded.
• Several free analysis tools are available from various sources on the internet.

Building Your Lab


Malware Analysis Tools
Autoruns – Displays programs configured to run during system bootup or login.
http://www.sysinternals.com/Utilities/Autoruns.html
Ethereal – Packet capture & protocol analysis.
http://www.ethereal.com
Filemon – Displays file system activity on a system in real-time.
http://www.sysinternals.com/Utilities/Filemon.html
ListDLLs – Displays which DLLs are loaded.
http://www.sysinternals.com/Utilities/ListDlls.html
Ollydbg - Assembler level analysing debugger.
http://www.ollydbg.de/
RegMon – Displays Registry activity in real time.
http://www.sysinternals.com/Utilities/Regmon.html
Rootkit Revealer – Detects registry and API anomalies.
http://www.sysinternals.com/Utilities/RootkitRevealer.html
VICE -
WinDump/TCPDump – Pcap (sniffer) tools.
http://www.winpcap.org/windump
http://www.tcpdump.org/

Building Your Lab


Compilers, Debuggers & Decompilers
Most exploits are made available as source code and will have to be compiled in order to be made executable; executable exploits can be decompiled and the recovered code analyzed. The excerpt below is the header of a Win32 exploit as shown on the slide:

#include <stdio.h>
#include <winsock2.h>

#pragma comment(lib, "ws2_32")

// Used to find the ASM code
#define PROC_BEGIN __asm _emit 0x90 __asm _emit 0x90\
__asm _emit 0x90 __asm _emit 0x90\
__asm _emit 0x90 __asm _emit 0x90\
__asm _emit 0x90 __asm _emit 0x90
#define PROC_END PROC_BEGIN
#define SEARCH_STR "\x90\x90\x90\x90\x90\x90\x90\x90\x90"
#define SEARCH_LEN 8
#define MAX_SC_LEN 2048
#define HASH_KEY 13

// Define Decode Parameter
#define DECODE_LEN 21
#define SC_LEN_OFFSET 7
#define ENC_KEY_OFFSET 11
#define ENC_KEY 0xff

// Define Function Addr
#define ADDR_LoadLibraryA [esi]
#define ADDR_GetSystemDirectoryA [esi+4]

Building Your Lab


Compilers
Bloodshed C/C++ IDE (Integrated Development Environment)
http://bloodshed.net
Digital Mars C/C++ compiler
http://digitalmars.com
MinGW32 C/C++/ObjC compiler
http://mingw.org
Open Watcom C/C++ compiler
http://openwatcom.org

Decompilers
REC Multi format binary decompiler
http://www.backerstreet.com/rec/rec.htm
CHM Encoder MS compiled HTML Help Format (CHM) decompiler
http://www.gridinsoft.com/chm.php
DJ Java Decompiler Java decompiler
http://mingw.org

Building Your Lab


Metasploit Framework

The Metasploit Framework is an open source computer security tool for developing and executing exploit code against a remote target machine.

The Framework is easily implemented on a Windows host and incorporates a web interface for ease of use; this makes it an ideal tool for the neophyte to utilize in a lab environment.

http://www.metasploit.com

Building Your Lab


Metasploit Framework

“The Metasploit Framework. Point. Click. Pwn.”

Building Your Lab


Reference Material
“The more you read, the more you learn and the less your adversary will know."
Sun Tzu, Chinese General, “The Art of War”, c. 500 B.C.E.

Reference material can be a valuable asset to the InfoSec professional, both in the lab and in the workplace.
• Many InfoSec related titles are available from both the public and CIRT libraries.
• Deeply discounted computer books can be purchased at any “Computer Books for Less” outlet in the Ottawa area.

Words of Wisdom
“Know the enemy and know yourself and you need not fear the result of a hundred battles…”
Sun Tzu, Chinese General, “The Art of War”, c. 500 B.C.E.

Fight the Networks, Neo!

Questions

For sooth, thus endeth the brief…

Questions?

Acknowledgments

Mr. John Ronald Reuel Tolkien
For the damned good reads and the inspiration for my lab’s naming convention. Yessss – my lab – my preciousssss.
http://www.tolkien.co.uk/frame_nf.htm

Mr. J.D. “Iliad” Frazer
For his kind permission to use “User Friendly” cartoons in my briefs.
http://www.userfriendly.org

My Friends
For continuing to support my delusions of grandeur – as long as the cheques continue to clear.

Hacking Exposed, McGraw-Hill Publishing
http://www.foundstone.com
Inside Network Perimeter Security, Sams Publishing
http://www.samspublishing.com
Infosec Career Hacking, Syngress Press
http://www.syngress.com
Intrusion Signatures and Analysis, Sams Publishing
http://www.samspublishing.com
Network Intrusion Detection, Sams Publishing
http://www.samspublishing.com