QF
Uploaded byQ Fadlan
PPTX, PDF1,133 views

Web hacking 1.0

The document provides an overview of web hacking, including: 1. An agenda that outlines reconnaissance, scanning, exploitation, maintaining access, and covering tracks in a web hacking process. 2. Descriptions of different types of hackers like white hat and black hat hackers, and classifications like script kiddies and hacktivists. 3. Explanations of the reconnaissance, scanning, and exploitation phases of web hacking, including common tools used in each phase like Whois, Nmap, and Nessus.

Embed presentation

Downloaded 30 times
Web Hacking 1.0 root@localhost# whoami Q Fadlan Information Security Engineer root@localhost# whereis q.fadlan /PT GLOBAL DIGITAL NIAGA/IT/INFRASTRUCTURE/q.fadlan
AGENDA 1.Goal 2.Introduction Web Hacking 3.Step by Step Web Hacking - Reconnaissance - Scanning - Exploitation - Maintaining Access - Covering Tracks 4. Q & A
1. GOAL SECURITY AWARNESS
2. INTRODUCTION WEB HACKING Who is a hacker? Hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge, enjoyment, or to evaluate those weaknesses to assist in removing them
2. INTRODUCTION WEB HACKING White Hat Hackers: These are the good guys, computer security experts who specialize in penetration testing and other methodologies to ensure that a company’s information systems are secure. These IT security professionals rely on a constantly evolving arsenal of technology to battle hackers. Black Hat Hackers: These are the bad guys, who are typically referred to as just plain hackers. The term is often used specifically for hackers who break into networks or computers, or create computer viruses. Black hat hackers continue to technologically outpace white hats. They often manage to find the path of least resistance, whether due to human error or laziness, or with a new type of attack. Hacking purists often use the term “crackers” to refer to black hat hackers. Black hats’ motivation is generally to get paid. Hacker Classification
Script Kiddies: This is a derogatory term for black hat hackers who use borrowed programs to attack networks and deface websites in an attempt to make names for themselves. Hacktivists: Some hacker activists are motivated by politics or religion, while others may wish to expose wrongdoing, or exact revenge, or simply harass their target for their own entertainment. State Sponsored Hackers: Governments around the globe realize that it serves their military objectives to be well positioned online. The saying used to be, “He who controls the seas controls the world,” and then it was, “He who controls the air controls the world.” Now it’s all about controlling cyberspace. State sponsored hackers have limitless time and funding to target civilians, corporations, and governments. Spy Hackers: Corporations hire hackers to infiltrate the competition and steal trade secrets. They may hack in from the outside or gain employment in order to act as a mole. Spy hackers may use similar tactics as hacktivists, but their only agenda is to serve their client’s goals and get paid.
Cyber Terrorists: These hackers, generally motivated by religious or political beliefs, attempt to create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most dangerous, with a wide range of skills and goals. Cyber Terrorists ultimate motivation is to spread fear, terror and commit murder.
3. Step by Step Web Hacking Reconnaissance Scanning Exploitation Maintaining Access Information Gathering (about the system, Environment, etc) • Scan the system • Threat Analysis • Usage the static analyzer (Nessus, nmap, Appscan, etc) • Vulnerability Analysis • Fuzz Testing • Penetration Testing • Use/Develop right set of tools to attack Raise Defect
Reconnaissance Reconnaissance is the act of gathering preliminary data or intelligence on your target. The data is gathered in order to better plan for your attack. Reconnaissance can be performed actively (meaning that you are directly touching the target) or passively (meaning that your recon is being performed through an intermediary).
Reconnaissance There are two main goals in this phase: • First, we need to gather as much information as possible about the target. • Second, we need to sort through all the information gathered and create a list of attackable IP addresses.
Reconnaissance Reconnaissance Output : • Identifying IP Addresses and Sub-domains — usually one of the first steps in passive reconnaissance, it’s important to identify the net ranges and sub-domains associated with your target(s) as this will help scope the remainder of your activities. • Identifying External/3rd Party sites — although they may not be in scope for any active penetration testing activities, it is important to understand the relationships between your target and other 3rd party content providers. • Identifying People — Identifying names, email addresses, phone numbers, and other personal information can be valuable for pretexting, phishing or other social engineering activities. • Identifying Technologies — Identifying the types and versions of the systems and software applications in use by an organization is an important precursor to identifying potential vulnerabilities. • Identifying Content of Interest — Identifying web and email portals, log files, backup or archived files, or sensitive information contained within HTML comments or client-side scripts is important for vulnerability discovery and future penetration testing activities. • Identifying Vulnerabilities — it’s possible to identify critical vulnerabilities that can be exploited with further active penetration testing activities soley by examining publicly available information
Reconnaissance Reconnaissance Tools : • Whois - performs the registration record for the domain name or IP address that you specify • Shodan - a search engine that lets the user find specific types of computers (routers, servers, etc.) connected to the internet using a variety of filters. • Google – Search engine • Netcraft - tool for identifying subdomains • HTTrack – Website Copier • Social Engineering - process of exploiting the “human” weakness that is inherent in every organization • etc
Scanning The phase of scanning requires the application of technical tools to gather further intelligence on your target, but in this case, the intel being sought is more commonly about the systems that they have in place. A good example would be the use of a vulnerability scanner on a target network.
Scanning 1. Checking whether the target is alive: Use the Internet Control Message Protocol (ICMP) to ping the target system and check whether the target is alive. 2. Scanning the ports: Check for open ports that can be attacked. Perform the scan in stealth mode for a particular period of time. Test the ports by sending them harmful information. 3. Identifying the potential vulnerabilities and generating a report: Use a network vulnerability scanner to identify the potential vulnerabilities and to obtain a report about these vulnerabilities. 4. Classifying vulnerabilities and building responses: Classify vulnerabilities and build responses accordingly. Many times, the response chosen for a vulnerability is nonactionable because of complexities and risks. The assessment process gives complete information about these issues, and this information is helpful during the risk management process.
Scanning 5. Classifying key assets and performing risk management: The vulnerability assessment process classifies the key assets and makes a hierarchy of the key assets, which helps to drive the risk management process.
Scanning Determining if a system is alive • Ping - ping uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from a host or gateway • Fping - fping differs from ping in that you can specify any number of targets on the command line, or specify a file containing the lists of targets to ping.
Scanning Port scanning the system Nmap - security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.
Scanning Scanning the system for vulnerabilities Nessus – popular vulnerability scanning tool. It detects and identifies software bugs in computers. It is an open-source tool that determines security threats. Nessus contains some specific measures to minimize the chance of a system crash. The two parts of this tool are a server (nessusd) and a client (nessus). • Nikto - • ZAP - • Acunetix -
Scanning The following are some of the classifications of vulnerabilities: • Misconfigurations: Disabling security settings and features, due to lack of adequate knowledge about their functions, leads to vulnerabilities in network devices. Incorrect device configuration can also cause vulnerabilities. • Default installations: Not changing the default settings when deploying software or hardware allows an attacker to easily guess the settings in order to break into the systems. • Buffer overflows: Buffer overflows occur when a system’s applications write content that is beyond the allocated buffer size. • Unpatched servers: Hackers identify vulnerabilities in servers that are not patched and exploit them. Servers should be updated by applying patches.
Scanning • Default passwords: Default passwords are common to various operating systems and applications. During configuration, the passwords need to be changed. Passwords should be kept secret; failing to protect the confidentiality of a password allows an attacker to easily compromise a system. • Open services: Open services are insecure and are open to attacks such as DoS. • Application flaws: Applications should be secured using user validation and authorization. Applications pose security threats such as data tampering and unauthorized access to configuration stores. If applications are not secured, sensitive information may be lost or corrupted. • Operating systems flaws: Due to vulnerabilities in operating systems, Trojans, worms, and viruses pose serious threats. Flaws lead to system crashes and instabilities. • Design flaws: Design flaws can leave a piece of hardware or software open to attack if these flaws are discovered.
Exploit Exploit is an attack on a computer system, especially one that takes advantage of a particular vulnerability that the system offers to intruders.
Exploit 1. Compare vulnerability finding with risk rating framework. - National Vulnerability Database (NVD) - Common Vulnerability Scoring System (CVSS) - Common Vulnerabilities and Exposure (CVE) - Common Weakness Enumeration (CWE) - Bugtraq ID (BID) - Open Source Vulnerability Database (OSVDB) 2. Compare vulnerability finding with exploit db. - https://www.exploit-db.com/ - http://www.hackersforcharity.org/ghdb/ - etc 3. Intercepting request to webserver 4. Exploite the vurnerablity with your style
Exploit Common Vulnerability* : * : OWASP Top 10 2013 1. Injection example : SQL Injection, LDAP Injection, XPATH 2. Broken Authentication and Session Management 3. Cross Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10.Unvalidated Redirects and Forwards
Maintaining Access Maintaining access requires taking the steps involved in being able to be persistently within the target environment in order to gather as much data as possible. The attacker must remain stealthy in this phase, so as to not get caught while using the host environment.
Maintaining Access 1. Netcat - an incredibly simple and unbelievably flexible tool that allows communication and network traffic to flow from one machine to another 2. Rootkit – Rootkits are computer programs that are designed by attackers to gain root or administrative access to your computer. Once an attacker gains admin privilege, it becomes a cakewalk for him to exploit your system 3. ssh tunnel 4. Create user on system 5. Put backdoor script 6. Install malicious software on server 7. etc
Covering Tracks The final phase of covering tracks simply means that the attacker must take the steps necessary to remove all semblance of detection. Any changes that were made, authorizations that were escalated etc. all must return to a state of non-recognition by the host network’s administrators.
Covering Tracks 1. Clearing Event Logs 2. Erasing the Command History 3. Sherding the history file
Q & A

More Related Content

PPTX
Cyber security
bySabir Raja
 
PDF
Ceh v5 module 10 session hijacking
byVi Tính Hoàng Nam
 
PPTX
Phishing
bySouganthikaSankaresw
 
PPTX
Different types of attacks in internet
byRohan Bharadwaj
 
PDF
What is malware
byMalcolm York
 
PDF
Cyber Security Awareness
byRamiro Cid
 
PPTX
Dos attack
byManjushree Mashal
 
PPT
Web Hacking
byInformation Technology
 
Cyber security
bySabir Raja
 
Ceh v5 module 10 session hijacking
byVi Tính Hoàng Nam
 
Phishing
bySouganthikaSankaresw
 
Different types of attacks in internet
byRohan Bharadwaj
 
What is malware
byMalcolm York
 
Cyber Security Awareness
byRamiro Cid
 
Dos attack
byManjushree Mashal
 
Web Hacking
byInformation Technology
 

What's hot

PPTX
Ethical hacking : Its methodologies and tools
bychrizjohn896
 
PPTX
Reconnaissance
byn|u - The Open Security Community
 
PPTX
Introduction to penetration testing
byNezar Alazzabi
 
PPTX
HACKING
byShubham Agrawal
 
PPTX
VAPT PRESENTATION full.pptx
byDARSHANBHAVSAR14
 
PPTX
Cyber security
byManjushree Mashal
 
PPT
Trojan horse
byGaurang Rathod
 
PPTX
Hacking
bySharique Masood
 
PPTX
Web security
byPadam Banthia
 
PDF
Ceh v5 module 07 sniffers
byVi Tính Hoàng Nam
 
PPTX
Footprinting and reconnaissance
byNishaYadav177
 
PDF
What is Open Source Intelligence (OSINT)
byMolfar
 
PDF
Introduction to Web Application Penetration Testing
byNetsparker
 
PDF
What is Hacking? AND Types of Hackers
byinfosavvy
 
PPTX
Phishing
bySagar Rai
 
PDF
Ceh v5 module 04 enumeration
byVi Tính Hoàng Nam
 
PPTX
Social Networking Security
byS. M. Shakib Limon
 
PPTX
Information security
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
PPTX
zero day exploits
byAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
PPTX
Network forensic
byManjushree Mashal
 
Ethical hacking : Its methodologies and tools
bychrizjohn896
 
Reconnaissance
byn|u - The Open Security Community
 
Introduction to penetration testing
byNezar Alazzabi
 
HACKING
byShubham Agrawal
 
VAPT PRESENTATION full.pptx
byDARSHANBHAVSAR14
 
Cyber security
byManjushree Mashal
 
Trojan horse
byGaurang Rathod
 
Hacking
bySharique Masood
 
Web security
byPadam Banthia
 
Ceh v5 module 07 sniffers
byVi Tính Hoàng Nam
 
Footprinting and reconnaissance
byNishaYadav177
 
What is Open Source Intelligence (OSINT)
byMolfar
 
Introduction to Web Application Penetration Testing
byNetsparker
 
What is Hacking? AND Types of Hackers
byinfosavvy
 
Phishing
bySagar Rai
 
Ceh v5 module 04 enumeration
byVi Tính Hoàng Nam
 
Social Networking Security
byS. M. Shakib Limon
 
Information security
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
zero day exploits
byAdv. Prashant Mali ♛ [Bsc(Phy),MSc(Comp Sci), CCFP,CISSA,LLM]
 
Network forensic
byManjushree Mashal
 

Viewers also liked

PDF
Web Hacking (basic)
byAmmar WK
 
PDF
Gunadarma workshop security
byRungga Reksya Sabilillah
 
PDF
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
byJeremiah Grossman
 
PDF
Web hacking 개요
byJongseok Choi
 
PPTX
Web Hacking Series Part 1
byAditya Kamat
 
PPTX
Web Hacking series part 2
byAditya Kamat
 
PPTX
Web Hacking Intro
byAditya Kamat
 
Web Hacking (basic)
byAmmar WK
 
Gunadarma workshop security
byRungga Reksya Sabilillah
 
2010: A Web Hacking Odyssey - Top Ten Hacks of the Year
byJeremiah Grossman
 
Web hacking 개요
byJongseok Choi
 
Web Hacking Series Part 1
byAditya Kamat
 
Web Hacking series part 2
byAditya Kamat
 
Web Hacking Intro
byAditya Kamat
 

Similar to Web hacking 1.0

PPTX
Tools and Methods of Reconnaissance in Cybersecurity: A Comprehensive Guide b...
byBoston Institute of Analytics
 
PPTX
Phases of penetration testing
byAbdul Rahman
 
PPTX
Offensive Security basics part 1
bywharpreet
 
PDF
M1-02-HowCriminalsPlan.pdf
byShylesh BC
 
PPTX
Introduction ethical hacking
byVishal Kumar
 
PDF
What is ethical hacking and complete cyber security presentation on this file
byAyushSrivastava673855
 
PPT
Ethical hacking
bySourabh Badve
 
PDF
Ethical hacking-guide-infosec
byCMR WORLD TECH
 
PPTX
Hacking and Penetration Testing - a beginners guide
byPankaj Dubey
 
PPTX
Hacking - penetration tools
byJenishChauhan4
 
PDF
Ethical hacking
byKhairi Aiman
 
PPT
unit 2. cyber offences_how criminals plan them.ppt
byDimple Relekar
 
PDF
Ethical hacking at warp speed
bySreejith.D. Menon
 
PPT
Unit-2 ICS.ppt
by20ME1A4607YANAMADALA
 
PPT
Hacking Presentation
byAnimesh Behera
 
PDF
Ethical hacking-guide-infosec
byErfan Mallick
 
PDF
ethical-hacking-guide
byMatt Ford
 
PPT
Hacking 1224807880385377-9
byGeoff Pesimo
 
DOCX
UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docx
bywillcoxjanay
 
PDF
Owasp modern information gathering
byKZA
 
Tools and Methods of Reconnaissance in Cybersecurity: A Comprehensive Guide b...
byBoston Institute of Analytics
 
Phases of penetration testing
byAbdul Rahman
 
Offensive Security basics part 1
bywharpreet
 
M1-02-HowCriminalsPlan.pdf
byShylesh BC
 
Introduction ethical hacking
byVishal Kumar
 
What is ethical hacking and complete cyber security presentation on this file
byAyushSrivastava673855
 
Ethical hacking
bySourabh Badve
 
Ethical hacking-guide-infosec
byCMR WORLD TECH
 
Hacking and Penetration Testing - a beginners guide
byPankaj Dubey
 
Hacking - penetration tools
byJenishChauhan4
 
Ethical hacking
byKhairi Aiman
 
unit 2. cyber offences_how criminals plan them.ppt
byDimple Relekar
 
Ethical hacking at warp speed
bySreejith.D. Menon
 
Unit-2 ICS.ppt
by20ME1A4607YANAMADALA
 
Hacking Presentation
byAnimesh Behera
 
Ethical hacking-guide-infosec
byErfan Mallick
 
ethical-hacking-guide
byMatt Ford
 
Hacking 1224807880385377-9
byGeoff Pesimo
 
UMUC Monitoring, Auditing, Intrusion Detection, Intrusion Prev.docx
bywillcoxjanay
 
Owasp modern information gathering
byKZA
 

Recently uploaded

PPTX
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
PPTX
Full course that Prymehat uploads for you version 2
byOhenebaManu1
 
PDF
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
PPTX
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
PDF
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
PDF
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
PDF
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
PDF
January Patch Tuesday
byIvanti
 
PPTX
Lecture 05. API Security for DevSecOps Eng.pptx
byvinocol222
 
PDF
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
PDF
P6 Presentation basics for project control managers and planners
byNebojsaPavlovic9
 
PPTX
Basics-of-Electronics-and-Core-Components-of-IoT-Systems.pptx
byMuhammedNihal54
 
PDF
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
PDF
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
PPTX
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
PDF
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
PPTX
Grade 8 LESSON 7 - VIDEO EDITING lessonb
byclarizzairahmanansal
 
PDF
Presentation on Four Stroke Engine of Ic engine
bySonam Sherpa
 
PPTX
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 
PPTX
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
Design Flaws and Known Attacks in Agentic AI - ITI Business Session
byInformation Technology Institute
 
Full course that Prymehat uploads for you version 2
byOhenebaManu1
 
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
Unit 1 Introduction of Computer Networks
bySuvarnaSharma5
 
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
AI Data Analyst: Smarter Insights for Modern Real Estate Decisions
byLeni Analyst
 
UiPath Coded Agents - A Developer Driven Agentic Automation Era
byUiPathCommunity
 
January Patch Tuesday
byIvanti
 
Lecture 05. API Security for DevSecOps Eng.pptx
byvinocol222
 
Building Voice Agents with Google Agent Development Kit
bySuresh Peiris
 
P6 Presentation basics for project control managers and planners
byNebojsaPavlovic9
 
Basics-of-Electronics-and-Core-Components-of-IoT-Systems.pptx
byMuhammedNihal54
 
JR : Quality Random Data from the Command line
byGiovanni Marigi
 
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
Building Real-Time Voice AI — Udaiappa Ramachandran
byUdaiappa Ramachandran
 
A "Kill Switch" (Emergency Off Switch) for AI?
byScott M. Graffius
 
Grade 8 LESSON 7 - VIDEO EDITING lessonb
byclarizzairahmanansal
 
Presentation on Four Stroke Engine of Ic engine
bySonam Sherpa
 
Visual Foxpro-VFP9-Access-Report-Variable-Outside-the-report.pptx
bymanojbkalla
 
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 

Web hacking 1.0

  • 1.
    Web Hacking 1.0 root@localhost#whoami Q Fadlan Information Security Engineer root@localhost# whereis q.fadlan /PT GLOBAL DIGITAL NIAGA/IT/INFRASTRUCTURE/q.fadlan
  • 2.
    AGENDA 1.Goal 2.Introduction Web Hacking 3.Stepby Step Web Hacking - Reconnaissance - Scanning - Exploitation - Maintaining Access - Covering Tracks 4. Q & A
  • 3.
  • 4.
    2. INTRODUCTION WEBHACKING Who is a hacker? Hacker is someone who seeks and exploits weaknesses in a computer system or computer network. Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge, enjoyment, or to evaluate those weaknesses to assist in removing them
  • 5.
    2. INTRODUCTION WEBHACKING White Hat Hackers: These are the good guys, computer security experts who specialize in penetration testing and other methodologies to ensure that a company’s information systems are secure. These IT security professionals rely on a constantly evolving arsenal of technology to battle hackers. Black Hat Hackers: These are the bad guys, who are typically referred to as just plain hackers. The term is often used specifically for hackers who break into networks or computers, or create computer viruses. Black hat hackers continue to technologically outpace white hats. They often manage to find the path of least resistance, whether due to human error or laziness, or with a new type of attack. Hacking purists often use the term “crackers” to refer to black hat hackers. Black hats’ motivation is generally to get paid. Hacker Classification
  • 6.
    Script Kiddies: Thisis a derogatory term for black hat hackers who use borrowed programs to attack networks and deface websites in an attempt to make names for themselves. Hacktivists: Some hacker activists are motivated by politics or religion, while others may wish to expose wrongdoing, or exact revenge, or simply harass their target for their own entertainment. State Sponsored Hackers: Governments around the globe realize that it serves their military objectives to be well positioned online. The saying used to be, “He who controls the seas controls the world,” and then it was, “He who controls the air controls the world.” Now it’s all about controlling cyberspace. State sponsored hackers have limitless time and funding to target civilians, corporations, and governments. Spy Hackers: Corporations hire hackers to infiltrate the competition and steal trade secrets. They may hack in from the outside or gain employment in order to act as a mole. Spy hackers may use similar tactics as hacktivists, but their only agenda is to serve their client’s goals and get paid.
  • 7.
    Cyber Terrorists: Thesehackers, generally motivated by religious or political beliefs, attempt to create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most dangerous, with a wide range of skills and goals. Cyber Terrorists ultimate motivation is to spread fear, terror and commit murder.
  • 8.
    3. Step byStep Web Hacking Reconnaissance Scanning Exploitation Maintaining Access Information Gathering (about the system, Environment, etc) • Scan the system • Threat Analysis • Usage the static analyzer (Nessus, nmap, Appscan, etc) • Vulnerability Analysis • Fuzz Testing • Penetration Testing • Use/Develop right set of tools to attack Raise Defect
  • 9.
    Reconnaissance Reconnaissance is theact of gathering preliminary data or intelligence on your target. The data is gathered in order to better plan for your attack. Reconnaissance can be performed actively (meaning that you are directly touching the target) or passively (meaning that your recon is being performed through an intermediary).
  • 10.
    Reconnaissance There are twomain goals in this phase: • First, we need to gather as much information as possible about the target. • Second, we need to sort through all the information gathered and create a list of attackable IP addresses.
  • 11.
    Reconnaissance Reconnaissance Output : •Identifying IP Addresses and Sub-domains — usually one of the first steps in passive reconnaissance, it’s important to identify the net ranges and sub-domains associated with your target(s) as this will help scope the remainder of your activities. • Identifying External/3rd Party sites — although they may not be in scope for any active penetration testing activities, it is important to understand the relationships between your target and other 3rd party content providers. • Identifying People — Identifying names, email addresses, phone numbers, and other personal information can be valuable for pretexting, phishing or other social engineering activities. • Identifying Technologies — Identifying the types and versions of the systems and software applications in use by an organization is an important precursor to identifying potential vulnerabilities. • Identifying Content of Interest — Identifying web and email portals, log files, backup or archived files, or sensitive information contained within HTML comments or client-side scripts is important for vulnerability discovery and future penetration testing activities. • Identifying Vulnerabilities — it’s possible to identify critical vulnerabilities that can be exploited with further active penetration testing activities soley by examining publicly available information
  • 12.
    Reconnaissance Reconnaissance Tools : •Whois - performs the registration record for the domain name or IP address that you specify • Shodan - a search engine that lets the user find specific types of computers (routers, servers, etc.) connected to the internet using a variety of filters. • Google – Search engine • Netcraft - tool for identifying subdomains • HTTrack – Website Copier • Social Engineering - process of exploiting the “human” weakness that is inherent in every organization • etc
  • 13.
    Scanning The phase ofscanning requires the application of technical tools to gather further intelligence on your target, but in this case, the intel being sought is more commonly about the systems that they have in place. A good example would be the use of a vulnerability scanner on a target network.
  • 14.
    Scanning 1. Checking whetherthe target is alive: Use the Internet Control Message Protocol (ICMP) to ping the target system and check whether the target is alive. 2. Scanning the ports: Check for open ports that can be attacked. Perform the scan in stealth mode for a particular period of time. Test the ports by sending them harmful information. 3. Identifying the potential vulnerabilities and generating a report: Use a network vulnerability scanner to identify the potential vulnerabilities and to obtain a report about these vulnerabilities. 4. Classifying vulnerabilities and building responses: Classify vulnerabilities and build responses accordingly. Many times, the response chosen for a vulnerability is nonactionable because of complexities and risks. The assessment process gives complete information about these issues, and this information is helpful during the risk management process.
  • 15.
    Scanning 5. Classifying keyassets and performing risk management: The vulnerability assessment process classifies the key assets and makes a hierarchy of the key assets, which helps to drive the risk management process.
  • 16.
    Scanning Determining if asystem is alive • Ping - ping uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from a host or gateway • Fping - fping differs from ping in that you can specify any number of targets on the command line, or specify a file containing the lists of targets to ping.
  • 17.
    Scanning Port scanning thesystem Nmap - security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich) used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.
  • 18.
    Scanning Scanning the systemfor vulnerabilities Nessus – popular vulnerability scanning tool. It detects and identifies software bugs in computers. It is an open-source tool that determines security threats. Nessus contains some specific measures to minimize the chance of a system crash. The two parts of this tool are a server (nessusd) and a client (nessus). • Nikto - • ZAP - • Acunetix -
  • 19.
    Scanning The following aresome of the classifications of vulnerabilities: • Misconfigurations: Disabling security settings and features, due to lack of adequate knowledge about their functions, leads to vulnerabilities in network devices. Incorrect device configuration can also cause vulnerabilities. • Default installations: Not changing the default settings when deploying software or hardware allows an attacker to easily guess the settings in order to break into the systems. • Buffer overflows: Buffer overflows occur when a system’s applications write content that is beyond the allocated buffer size. • Unpatched servers: Hackers identify vulnerabilities in servers that are not patched and exploit them. Servers should be updated by applying patches.
  • 20.
    Scanning • Default passwords:Default passwords are common to various operating systems and applications. During configuration, the passwords need to be changed. Passwords should be kept secret; failing to protect the confidentiality of a password allows an attacker to easily compromise a system. • Open services: Open services are insecure and are open to attacks such as DoS. • Application flaws: Applications should be secured using user validation and authorization. Applications pose security threats such as data tampering and unauthorized access to configuration stores. If applications are not secured, sensitive information may be lost or corrupted. • Operating systems flaws: Due to vulnerabilities in operating systems, Trojans, worms, and viruses pose serious threats. Flaws lead to system crashes and instabilities. • Design flaws: Design flaws can leave a piece of hardware or software open to attack if these flaws are discovered.
  • 21.
    Exploit Exploit is anattack on a computer system, especially one that takes advantage of a particular vulnerability that the system offers to intruders.
  • 22.
    Exploit 1. Compare vulnerabilityfinding with risk rating framework. - National Vulnerability Database (NVD) - Common Vulnerability Scoring System (CVSS) - Common Vulnerabilities and Exposure (CVE) - Common Weakness Enumeration (CWE) - Bugtraq ID (BID) - Open Source Vulnerability Database (OSVDB) 2. Compare vulnerability finding with exploit db. - https://www.exploit-db.com/ - http://www.hackersforcharity.org/ghdb/ - etc 3. Intercepting request to webserver 4. Exploite the vurnerablity with your style
  • 23.
    Exploit Common Vulnerability* : *: OWASP Top 10 2013 1. Injection example : SQL Injection, LDAP Injection, XPATH 2. Broken Authentication and Session Management 3. Cross Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10.Unvalidated Redirects and Forwards
  • 24.
    Maintaining Access Maintaining accessrequires taking the steps involved in being able to be persistently within the target environment in order to gather as much data as possible. The attacker must remain stealthy in this phase, so as to not get caught while using the host environment.
  • 25.
    Maintaining Access 1. Netcat- an incredibly simple and unbelievably flexible tool that allows communication and network traffic to flow from one machine to another 2. Rootkit – Rootkits are computer programs that are designed by attackers to gain root or administrative access to your computer. Once an attacker gains admin privilege, it becomes a cakewalk for him to exploit your system 3. ssh tunnel 4. Create user on system 5. Put backdoor script 6. Install malicious software on server 7. etc
  • 26.
    Covering Tracks The finalphase of covering tracks simply means that the attacker must take the steps necessary to remove all semblance of detection. Any changes that were made, authorizations that were escalated etc. all must return to a state of non-recognition by the host network’s administrators.
  • 27.
    Covering Tracks 1. ClearingEvent Logs 2. Erasing the Command History 3. Sherding the history file
  • 28.

Editor's Notes

  • #10 Active reconnaissance includes interacting directly with the target. It is important to note that during this process, the target may record our IP address and log our activity. Passive reconnaissance makes use of the vast amount of information available on the web. When we are conducting passive reconnaissance, we are not interacting directly with the target and as such, the target has no way of knowing, recording, or logging our activity.
  • #12 IP : ping, whois 3rd party : Identify People : Identify Technology : Identify Vulnerability :
  • #13 Passive reconnaissance : http://www.securitysift.com/passive-reconnaissance/ Shodan : http://colesec.inventedtheinternet.com/passive-reconnaissance-with-shodan/ Google hacking db : http://www.hackersforcharity.org/ghdb/
  • #15 Determining system alive : ping Port scanning : nmap Vurnerability scan : nessus, ZAP Proxy, Acunetix,
  • #22 Source : https://www.exploit-db.com
  • #24 https://www.owasp.org/index.php/Top_10_2013-Top_10