Although the only 100% secure network is the one that is disconnected, we can take defensive measures that help us minimize the security risks to our infrastructure when it is scanned.
Here are some precautions that we can take:
To start, you cannot scan an application that is not installed. This means that before putting a target into production we should perform a “hardening” of the operating system, applications and services.
Hardening means “minimize”. Therefore, for a server that performs a specific function there is no point in enabling unnecessary services, nor should applications be installed that do not serve the intended purpose. For example, if the target is only going to be a web server (HTTP/HTTPS), why does an IRC (chat) service have to be enabled?
By keeping unnecessary applications from remaining active on the equipment, we prevent their potential vulnerabilities from becoming an entry point for future exploitation.
Enable automatic updates so that the operating system patches that fix security issues are installed in a timely manner.
Keep up support contracts with the hardware/software providers, so that we can reach them in case of an eventuality, for example a zero-day vulnerability (for which there is no patch yet).
Redesign the network to include security measures such as segmentation, separating security zones with intelligent next-generation firewalls.
Set firewall rules to filter unauthorized access to ports from the Internet and from internal subnets.
Install intrusion prevention systems (IPS) that work together with firewalls and other network devices to detect threats (such as ping sweeps, mass scanning, etc.) and block them immediately.
Perform periodic vulnerability analysis to detect any possible threats to the security of our network and take the appropriate corrective actions.
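As an added example (not part of the original text), this is the kind of detection logic an IPS or log monitor applies to spot the ping sweeps and mass scanning mentioned above, run over a few constructed firewall log lines in a hypothetical format; the thresholds and window are assumptions to tune per network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines in a hypothetical format (documentation addresses, not real traffic).
SAMPLE_LOG = """\
2024-05-01T10:00:01 DROP src=203.0.113.5 dst=192.0.2.10 proto=ICMP type=8
2024-05-01T10:00:01 DROP src=203.0.113.5 dst=192.0.2.11 proto=ICMP type=8
2024-05-01T10:00:02 DROP src=203.0.113.5 dst=192.0.2.12 proto=ICMP type=8
2024-05-01T10:00:02 DROP src=203.0.113.5 dst=192.0.2.13 proto=ICMP type=8
2024-05-01T10:00:03 DROP src=203.0.113.5 dst=192.0.2.14 proto=ICMP type=8
2024-05-01T10:00:10 DROP src=198.51.100.7 dst=192.0.2.20 proto=TCP dport=21
2024-05-01T10:00:10 DROP src=198.51.100.7 dst=192.0.2.20 proto=TCP dport=22
2024-05-01T10:00:11 DROP src=198.51.100.7 dst=192.0.2.20 proto=TCP dport=23
2024-05-01T10:00:11 DROP src=198.51.100.7 dst=192.0.2.20 proto=TCP dport=25
2024-05-01T10:00:12 DROP src=198.51.100.7 dst=192.0.2.20 proto=TCP dport=80
2024-05-01T10:05:00 ACCEPT src=192.0.2.50 dst=192.0.2.20 proto=TCP dport=443
2024-05-01T10:30:00 DROP src=192.0.2.50 dst=192.0.2.21 proto=ICMP type=8
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                     r"proto=(?P<proto>\w+)(?: type=(?P<type>\d+))?(?: dport=(?P<dport>\d+))?$")

def parse_log(text):
    # Each well-formed line becomes a dict; malformed lines are skipped.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def _distinct_in_window(hist, ts, value, window):
    """Append (ts, value), drop entries older than `window`, return the distinct values left."""
    hist.append((ts, value))
    hist[:] = [h for h in hist if ts - h[0] <= window]
    return {h[1] for h in hist}

def detect_scans(events, window=timedelta(seconds=60), sweep_hosts=5, scan_ports=5):
    """Ping sweep: one source echo-requests >= sweep_hosts distinct hosts within `window`.
    Port scan: one source probes >= scan_ports distinct ports on one host. Each is reported once."""
    alerts, flagged = [], set()
    icmp, tcp = defaultdict(list), defaultdict(list)   # sliding histories per source / per pair
    for e in events:
        if e["proto"] == "ICMP" and e["type"] == "8":
            seen = _distinct_in_window(icmp[e["src"]], e["ts"], e["dst"], window)
            if len(seen) >= sweep_hosts and ("sweep", e["src"]) not in flagged:
                flagged.add(("sweep", e["src"]))
                alerts.append(("ping_sweep", e["src"], len(seen)))
        elif e["proto"] == "TCP" and e["dport"]:
            key = (e["src"], e["dst"])
            seen = _distinct_in_window(tcp[key], e["ts"], e["dport"], window)
            if len(seen) >= scan_ports and ("scan", key) not in flagged:
                flagged.add(("scan", key))
                alerts.append(("port_scan", e["src"], e["dst"], len(seen)))
    return alerts
```

A real IPS would also rate-limit or block the flagged source; here the alert tuples are returned so they can be fed to whatever blocking mechanism the firewall offers.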
Reconnaissance is the first phase in carrying out a hacking. The aim of this phase is to discover as much relevant information as we can about the client’s organization or victim.
Now, depending on whether the interaction with the target is direct or indirect, the reconnaissance can be active or passive.
Passive reconnaissance
We say the reconnaissance is passive when we have no direct interaction with the client or victim. For example, we use a search engine like Google and search for the name of the audited company; among the results we find the client’s website and discover that the web server name is www.enterprisex.com, then we do a DNS lookup and find that the IP address of that server is 200.20.2.2.
Active reconnaissance
In this type of reconnaissance there is direct interaction with the target or victim. Examples of active reconnaissance:
Ping sweeps to determine the active public hosts within a range of IPs.
Connecting to a service port in order to grab a banner and try to determine the software version.
Using social engineering to obtain confidential information.
Reconnaissance tools
The hacker’s platform is up to you, but if you ask my opinion, I prefer to use Kali Linux.
Footprinting with Google
Google is undoubtedly the most widely used search engine, thanks to its web page ranking technology (PageRank), which allows us to search quickly and accurately. For our reconnaissance example with Google we will begin with the simplest search: the company’s name.
In this example we’ll use as victim the Scanme project by Nmap. Scanme is a free site maintained by Fyodor, the creator of the Nmap port scanner.
Google operators:
+ (plus symbol): is used to include words that, because they are very common, are normally left out of Google search results. For example, say that you want to look for the company The X; given that the article “the” is very common, it is usually excluded from the search. If we want this word to be included, we write our search text like this: Company +The X
- (minus symbol): is used to exclude a term from results that would otherwise include it. For example, if we are looking for banking institutions, we could write: banks -furniture
”” (double quotes): if we need to find a text literally, we enclose it in double quotes. Example: “Company X”
~ (tilde): placing this prefix before a word also includes its synonyms. For example, searching for ~company X will also return results for organization X
OR: allows you to include results that meet one or both criteria. For example, “Company X General Manager” OR “Company X System Manager”
site: limits searches to a particular Internet site. Example: General Manager site:companyX.com
link: lists pages that contain links to the given URL. For example, searching for link:companyX.com returns pages that contain links to company X’s website.
filetype: or ext: allows you to search by file type. Example: Payment roles + ext:pdf site:empresax.com
allintext: returns pages that contain the search words within their text or body. Example: allintext: Company X
inurl: shows results that contain the search words in the web address (URL). Example: inurl: Company X
Of course there are more operators that can be used with Google, but I think these are the most useful. Note that Google has since retired some of them (the + and ~ prefixes no longer behave as described), so check each operator before relying on it. Returning to our reconnaissance example, we find among the results some pages about the Nmap organization. The one that catches our attention is scanme.nmap.org, which brings us to our next tool: DNS name resolution.
Determining names with nslookup
Now that we know the main site of our client, we can make a DNS query to obtain its IP address. In a real case it is likely that we will find more than one customer site referenced by Google, and therefore get several IP addresses. Actually, the idea behind getting this first translation is to estimate the range of IPs that we will need to scan in order to identify additional hosts that could belong to the client. Assuming that our target uses IPv4 addresses, we could test the whole range of hosts inside the subnet. The latter is impractical for a Class A or B address space, since the scanning process could take a very long time. To determine the range more accurately, we can use other means, such as looking in Whois directories or performing social engineering attacks. In this example we will make a name query using the nslookup command.
DNS resolution with nslookup on Windows
Note: During an audit of any kind it is important to be organized and take notes of our findings. This allows us to tie up loose ends as more information is revealed along the way.
Returning to the nslookup command, we can still learn more about our target. We will use some useful options:
set type=[NS | MX | ALL] sets the query type: NS for the name service, MX for the mail service (mail exchanger) and ALL to show every record type.
ls [-a | -d] domain lists the addresses for the specified domain (the DNS server for that domain must have this option, a zone transfer, enabled): -a shows canonical names and aliases, -d all records in the DNS zone.
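As an added example (not from the original text), the note-taking step above can be automated: the parser below reads a constructed nslookup transcript modeled on the Windows nslookup output format and groups the discovered addresses into /24 ranges as a first estimate of what to scan; the hostnames and addresses are the text’s own example values plus documentation ranges, not real records.

```python
import ipaddress
import re

# Constructed nslookup transcript modeled on the Windows nslookup output format; the hostnames
# and addresses are the text's example values and documentation ranges, not real records.
SAMPLE_NSLOOKUP = """\
Server:  dns.isp.example
Address:  192.0.2.53

Non-authoritative answer:
Name:    www.enterprisex.com
Address:  200.20.2.2

enterprisex.com nameserver = ns1.enterprisex.com
enterprisex.com nameserver = ns2.enterprisex.com
enterprisex.com MX preference = 10, mail exchanger = mail.enterprisex.com
enterprisex.com MX preference = 20, mail exchanger = mail.hostingprovider.example
ns1.enterprisex.com     internet address = 200.20.2.10
ns2.enterprisex.com     internet address = 200.20.3.10
mail.enterprisex.com    internet address = 200.20.2.25
mail.hostingprovider.example    internet address = 198.51.100.25
"""

NS_RE = re.compile(r"^(\S+)\s+nameserver = (\S+)$")
MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)$")
ADDR_RE = re.compile(r"^(\S+)\s+internet address = (\S+)$")

def parse_nslookup(text):
    """Collect the findings into notes: A -> {host: [ips]}, NS -> [hosts], MX -> [(pref, host)].
    The resolver's own Server:/Address: header has no preceding Name: line, so it is skipped."""
    notes = {"A": {}, "NS": [], "MX": []}
    pending = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Name:"):
            pending = line.split(None, 1)[1]
        elif line.startswith("Address:") and pending:
            notes["A"].setdefault(pending, []).append(line.split(None, 1)[1])
            pending = None
        elif (m := NS_RE.match(line)):
            notes["NS"].append(m.group(2))
        elif (m := MX_RE.match(line)):
            notes["MX"].append((int(m.group(2)), m.group(3)))
        elif (m := ADDR_RE.match(line)):
            notes["A"].setdefault(m.group(1), []).append(m.group(2))
    return notes

def candidate_ranges(notes, prefix=24):
    """Group every discovered address into /prefix networks: the first estimate of the
    ranges that may belong to the client, to be refined with Whois as the text suggests."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
            for ips in notes["A"].values() for ip in ips}
    return [str(n) for n in sorted(nets)]
```

A record whose range differs from the rest (here the backup mail exchanger at the hosting provider) is exactly the case the traceroute and e-mail sections below warn about: it may not be the client’s own infrastructure.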
Maltego
Maltego is a tool that allows collecting data about an organization easily, through the use of graphic objects and contextual menus that let you apply “transformations”.
You can also export all the collected artifacts in the form of PDF reports.
Visual IP traceroute
During the execution of an external black-box hacking it is useful to know the geographical location of a particular target. Imagine, for example, that we have obtained the names of our client’s mail server and web server and want to know whether these services are hosted on the public network managed by the company itself or, instead, are located at an external hosting provider such as Yahoo Small Business, Gator, or similar. Why do we want to know this? Very simple: if the target servers happen to be held at an external hosting provider, then in the event we managed to break into such equipment we would actually be hacking the hosting provider, not our client, in which case we could face a possible lawsuit. Because of this, it is strongly recommended to perform a traceroute to discover the geographical location of a target host. That way we will be able to decide “to hack or not to hack”. There are several applications on the market that perform visual traceroutes, to name a few: Visual IP Trace and Visual Route. Some of them are free, or have paid versions with additional features such as the ability to generate reports.
E-mail tracking tools
It is possible that during the execution of an external hacking we come across a case in which our client has outsourced its DNS, e-mail and web services, and everything we do only leads us to the hosting provider.
This implies that the ISP has assigned our client at least one public IP for outbound Internet access, so there has to be a router or a firewall doing NAT so that internal users can browse (I’m assuming the client uses IPv4). If this is the case, then obtaining this public IP address becomes our target; let’s see how we can get it through the analysis of an e-mail.
Having set this new goal, we now need our customer to send us an e-mail; only then will we be able to analyze the data in the e-mail header to determine the source IP address. This is fairly simple, since we have been hired by them to run an ethical hacking, so we could send an e-mail reporting how the audit is progressing and wait for the reply. For this analysis we can use any e-mail tracking tool or manually review the e-mail header, but automated tools have the advantage of producing a report. It should be mentioned that e-mail analysis tools not only help to identify an e-mail’s source IP address, but also show whether the sender is indeed who they claim to be; we can use these applications to determine whether we are dealing with a forged e-mail or a phishing e-mail.
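As an added example (not from the original text), here is the manual header review described above done with Python’s standard email module on a constructed reply: it walks the Received chain to the originating address and applies the two sender-consistency checks a tracking tool reports; hostnames, addresses and IDs are made up, and the authenticated-submission check relies on the ESMTPA/ESMTPSA keyword the accepting server wrote into its Received line.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reply from the client (documentation addresses; hosts and IDs are made up).
# The client's mail is hosted at a provider, as in the scenario above: the bottom Received
# header records the client's NAT public address connecting to the provider's server.
SAMPLE_EMAIL = """\
Return-Path: <jdoe@enterprisex.com>
Received: from mx.hostingprovider.example (mx.hostingprovider.example [198.51.100.25])
        by mail.auditor.example with ESMTP id abc123
        for <auditor@auditor.example>; Wed, 01 May 2024 10:00:05 +0000
Received: from WORKSTATION01 (unknown [200.20.2.2])
        by mx.hostingprovider.example with ESMTPSA id xyz789;
        Wed, 01 May 2024 10:00:02 +0000
From: "John Doe" <jdoe@enterprisex.com>
To: auditor@auditor.example
Subject: Re: audit progress
Message-ID: <1@enterprisex.com>

Thanks for the update.
"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hop_ips(msg):
    """Connecting address of each hop, origin first. MTAs prepend Received headers, so the
    last header in the message is the first hop; the IP sits in its 'from ... [ip]' clause."""
    ips = []
    for hdr in reversed(msg.get_all("Received", [])):
        from_clause = " ".join(hdr.split()).split(" by ")[0]   # unfold, keep text before 'by'
        m = IPV4_RE.search(from_clause)
        ips.append(m.group(1) if m else None)
    return ips

def analyze(raw):
    """Origin IP plus the sender-consistency checks the text mentions for spotting forged
    or phishing mail: From: vs Return-Path domain, and whether the first hop was an
    authenticated submission (ESMTPA/ESMTPSA) rather than an anonymous relay."""
    msg = message_from_string(raw)
    hops = hop_ips(msg)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    received = msg.get_all("Received", [])
    first_hop = " ".join(received[-1].split()) if received else ""
    return {
        "hop_ips": hops,
        "origin_ip": hops[0] if hops else None,
        "from_domain": from_dom,
        "return_path_matches": bool(from_dom) and from_dom == rp_dom,
        "first_hop_authenticated": bool(re.search(r"\bwith ESMTPS?A\b", first_hop)),
    }
```

Only the Received line added by your own server is trustworthy; a forger can insert fake lower Received headers, which is why the mismatch checks matter as much as the origin IP itself.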
When we talk about ethical hacking, we mean the act of performing controlled penetration tests on computer systems; that is, the consultant or pentester, acting from the point of view of a cracker, will try to find vulnerabilities in the audited computers that can be exploited, providing, in some cases, access to the affected system, but always in a controlled environment and never affecting the operation of the computer services being audited.
Phases of hacking
Both the auditor and the cracker follow a logical sequence of steps when conducting a hacking. These grouped steps are called phases. There is a general consensus among information security entities and professionals that there are five phases, in the following order:
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Erasing Clues
Usually these phases are represented as a cycle, commonly called “the circle of hacking”, to emphasize that the cracker can continue the process over and over again.
However, information security auditors who perform ethical hacking services apply a slight variation of these phases, like this:
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Writing the Report
5. Presenting the Report
In this way, ethical hackers stop at phase 3 of the “circle of hacking” to report their findings and make recommendations to the client. Subsequent posts will explain each phase in detail, and how to apply software tools and common sense, coupled with experience, to run an ethical hacking from start to finish in a professional manner.
Types of hacking
When we execute an ethical hacking it is necessary to establish its scope, in order to develop a realistic work schedule and deliver the economic proposal to the client. To determine the project extent we need to know at least three basic elements: the type of hacking that we will conduct, the modality, and the additional services that the customer would like to include with the contracted service. Depending on where we execute the penetration test, an ethical hacking can be external or internal.
External pentesting
This type of hacking is done from the Internet against the client’s public network infrastructure; that is, against those computers in the organization that are exposed to the Internet because they provide a public service. Examples of public hosts: router, firewall, web server, mail server, name server, etc.
Internal pentesting
As the name suggests, this type of hacking is executed from the customer’s internal network, from the point of view of a company employee, consultant, or business associate that has access to the corporate network.
In this type of penetration test we often find more security holes than in its external counterpart, because many system administrators are concerned with protecting the network perimeter and underestimate internal attackers.
Black box hacking
This mode applies to external testing only. It is called this because the client only gives the consultant the name of the company, so the auditor starts with no information; the infrastructure of the organization is a “black box”. While this type of audit is considered more realistic, since an external attacker who chooses a victim X has no further information to start with than the name of the organization to be attacked, it is also true that it requires a greater investment of time, and therefore the cost incurred is higher too. Additionally, it should be noted that the ethical hacker, unlike the cracker, does not have all the time in the world to perform the penetration test, so the preliminary analysis cannot extend beyond what is practical in terms of cost/time/benefit.
Gray box hacking
This term usually refers to internal pentests. Nevertheless, some auditors also call gray-box hacking an external test in which the client provides limited information about the public computers to be audited, for example a list of data such as IP addresses and the type/function of the equipment (router, web server, firewall, etc.). When the term is applied to internal testing, it is given that name because the consultant receives the same access an employee would have, such as having their laptop connected to the internal network with the NIC configured properly (IP address, subnet mask, gateway and DNS server), but does not obtain additional information such as a username/password to join a domain, the existence of related subnets, etc.
White box hacking
White-box hacking is also called transparent hacking. This method applies only to internal pentests and is called this way because the client gives the auditor complete information about its networks and systems. This means that, besides providing a connection to the network and configuration information, the consultant receives extensive information such as network diagrams, a detailed list of the equipment to be audited including names, types, platforms, main services and IP addresses, information about remote subnets, etc. Because the consultant avoids having to find out this information, this kind of hacking usually takes less time to execute and therefore also reduces costs.
Additional hacking services
There are additional services that can be included with an ethical hacking; among the popular ones are: social engineering, wardialing, wardriving, stolen equipment simulation and physical security.
Social engineering
Social engineering refers to the act of gathering information through the manipulation of people; that is, the hacker acquires confidential data by exploiting the well-known fact that the weakest link in the chain of information security is the human component.
Wardialing
During the early years of the Internet, access to it was mostly made by using modems, so it was common for companies to have a group of these devices (a modem pool) connected to a PBX to answer the calls that required access to the company’s local network. These modems were connected to a remote access server (RAS), which, through a login prompt (username/password) and using protocols such as SLIP or PPP, allowed authorized users to connect as if they were on the local network and access resources such as applications, shared folders, printers, etc. At that time security was not something that managers thought much about, so many of these modems were not adequately protected, which made them easy prey for the first wardialing programs. What these programs did was dial phone numbers, starting from an initial value provided by the user, and record those where a modem answered instead of a person; the cracker then called these numbers manually and executed AT commands to gain access to the modem, or ran brute-force programs to defeat the password set by the system administrator. Afterward, these programs became more sophisticated, and from the same application they could discover modems automatically and execute brute-force password attacks. Today our way of connecting to the Internet has changed, yet it is worth noting that many system and network managers still use modems as a backup strategy to provide remote support in the event of a network failure.
It should, therefore, not be dismissed as an entry point into the customer network.
Wardriving
The term wardriving is derived from its predecessor wardialing, but is applied to wireless networks. The hacker wages a wireless war from the vicinity of the client/victim company, usually from a parked car with a laptop and a signal-booster antenna. The aim is to detect the presence of wireless networks that belong to the client and identify vulnerabilities that could allow the hacker entry.
expertise with customer to back up the devices prior to the audit.
Physical security audit
Although physical security is considered by many experts an independent subject from ethical hacking, specialized companies can integrate it as part of the service. This type of audit involves difficulties and risks that you must be aware of, in order to avoid situations that endanger those involved. I point this out because a physical security audit could be as simple as an inspection accompanied by customer staff filling out forms, a little more complex when we try to get into the boardroom to place a spy device while pretending to be a lost customer, or something as delicate as attempting to circumvent armed guards and enter through a back door.
Finally, once we have obtained the required customer information (type of hacking, mode and optional services), we are ready to prepare a proposal that clearly defines: the scope of the service, the time it will take us to perform the ethical hacking, the deliverable (a report of findings and recommendations), costs and payment terms.