Webinar: 5 Amazing Ethical Hacking Techniques

To be an EC Council Certified Ethical Hacker, you have to be thorough with the EC Council course materials. You should master not only the theoretical aspect but also the step-by-step implementation of all the processes.

Here’s a webinar video hosted on 21st of November 2017 by Mr. Joe Davis, Business Manager, Americas, and presented by Mr. Syama Prasad, a Certified Ethical Instructor by EC Council.

Mr. Syama gives you a feel of working on iLabs. The access to this is provided along with the Training and Certification course provided by GreyCampus.

In the video Mr. Syama covers:

  • Collecting information from target websites (e.g. session ID, platform, technologies, and organization details like email, phone number and fax) using Firebug and Web Data Extractor, which demonstrates the steps of reconnaissance.

  • UDP & TCP packet crafting techniques using hping3.

  • Gaining Windows 8 machine access using the Metasploit exploitation toolkit.

  • Maintaining access to a system using SpyTech SpyAgent.

 

 

GreyCampus offers a live-online, instructor-led CEH V9 Training and Certification course that will train you in detail on the various concepts and applications of ethical hacking. We are an EC-Council accredited training center. You will get 4 days of live training over the web, EC-Council official e-courseware, access to EC-Council iLab, and an EC-Council exam voucher.

The website also mentions the newly introduced Payment Plan, which has 3 installments with a gap of 30 days each. This payment plan will solve the budget problem of the masses and give access to the highest quality skills needed to be an Ethical Hacker.

You can check a press release on this new offering here - https://www.greycampus.com/blog/latest-updates/how-to-become-an-ethical-hacker-with-our-easy-payment-plan

Transcript of the webinar:

We’re discussing Cybersecurity, or Information security, or data security you can say, with the NIST framework. Then I’ll be proceeding with the 5 amazing steps, and the first one is reconnaissance, where we’ll see some tools like Firebug and Web Data Extractor, and we’ll also see scanning tools like hping3, and at the end we’ll discuss system hacking tools, like hacking a Windows 8 machine with Metasploit, or how you can track any machine or maintain access to any machine using SpyTech SpyAgent, and we’ll also see how to cover malicious files using NTFS streams.

All this I’m going to show on top of iLabs, which will be provided to you at the time of your training. Let’s go with the first thing: what Cybersecurity is, or what the NIST framework does with Cybersecurity (also check out the cyber security certification that guides you through the course).

Cybersecurity talks about data security or information security, where your data will be in process, the server systems, or your data will be in motion in the network resources like routers or switches, or data will be in rest like the storage boxes, and these 3 resources are part of the data center, may it be a physical data center or a virtual data center.

Now there are devices like data in use, which are the sensor devices or the smart devices which connect to the Cybersecurity environment, and we need to protect them. So, Cybersecurity provides different elements like confidentiality, integrity and availability. That’s where the NIST framework came into the picture, which is slowly working all the security postures with the organization (here's some resource to help you navigate through cyber security jobs).

There are steps like:

  • Identifying the risk or identifying the business criticality.

  • To protect it.

  • To detect, where the Ethical Hacker works basically. Risk Assessment / Penetration Testing / Vulnerability Assessment.

  • Response, where people work on Incident handling or Forensics. After the system has been recognised it has to be brought back to normal.

  • Then there will be the Recovery.

As Ethical Hackers, the first thing is “How to think like a Hacker.” What do Hackers do? They follow five steps. They follow Information Gathering, they follow reconnaissance, footprinting. The second thing, they follow scanning; third thing, they gain access and hack into the system. They hack into the network. Then they maintain access to the victim machine and then cover the tracks.

So, now we’ll understand what reconnaissance is and I’m going to show you some particular things on how we can collect the information from the websites or emails, phone numbers, which can be used for Social Engineering or technical information related to the servers, or application level cookies which will help us to get into a particular web application.

Reconnaissance

Reconnaissance is basically about collecting the network information, host information and organizational information which all together comes under Information Gathering/ Footprinting/Reconnaissance.

Let me show you the practical on top of Firebug Mozilla plugins. It is one of the plugins on the Mozilla browser. Not only that it’s also supported by Chrome and other browsers. We’ll also see the data extraction using one of the Web Spidering tools like Web Data Extractor.

This is iLabs. Here the machines are available, the Client and Server machines, which are connected with each other over the network. Here you can do full-fledged ethical hacking techniques. Let me move to the first technique, which is Firebug.

Firebug

Firebug is the tool that will collect information from the web applications. Let me log in to the machine. Once I’m inside I’ll move to the browser, Mozilla Firefox, and I’ll move on to the application given by EC-Council. You can see here, there’s a tool called Firebug 2.0 and 11. Once you click on it, it will take you to one of the panels at the bottom of the screen. And you can see there’s a view called console view. You can click on that to enable it to see all the context. So, what I want to do here by using this tool is, this tool will help me to see what kind of vulnerability this website has. So I’ll just refresh the website and it has been warning me that there is some kind of vulnerability. It’s an insecure connection; the network connectivity at application level, i.e. the http port level, is insecure and it’s a plain text data connection.

You’ll find other information related to that too; here you can see it’s not able to make the content visible. Apart from that you can also collect the information from the page itself: the web application, the kind of content it has, what kind of source code it has, what kind of character set it uses and many more. Let me move a few things forward, like scripts. You can also enable the scripts, and the number of scripts has been given on the particular panel. You can check what this application is going to use here. By going through this script we’re going to see what kind of vulnerabilities are going to be in this website or maybe you’ll mostly the buffer overflow kind of things here or the loop kind of things here and you can find the vulnerability out of it. There will be some DOMs and NETs. NET is something which will give you the platform information about the application, on top of which web server it is running, or what kind of platform it’s using. Now if I do a refresh here you can see multiple things that are open here.

If you look into the header closely you can see here it's using a Windows NT machine 6.3, and apart from this, one piece of information you can collect is that it is using the ASP.NET programming language. We have also gathered information about the server, what kind of servers they are using, which is Microsoft IIS. From here I can find out the vulnerability of the particular server. Apart from this information, this particular Firebug tool will give you much more information on related things like HTML tags, CSS, JavaScript etc., images and multiple login information and media information and cookies, which you can enable, and if anyone is sending any login credentials, let me show you here. Suppose someone has put in the login credentials like “SAM” and the password is “TEST”. You can see the cookies have some value. This value can be used to access the particular website. So that will be something where you don't need the user ID and password to log in to this particular website. That’s what we’re going to see now. Even later in the classes you’ll see. The topic name will be “Sessions Hijacking”, where we can see this type of tool which we can use to get into any other website.

Web Data Extractor for Information Gathering

Let me move to the other tool, i.e. Web Data Extractor. Let me also show you the iLabs; you can see the other things on the right side kernel, you can see it’s guiding you one by one, step by step on how to do the particular Lab. I’m going to use one of the Web Spider tools now. I’m going to use the Web Data Extractor. Let me install it. Now we’ll go to the particular tool. So I want to create a new project here. I’ll put the website, www.goodshopping.com, and I want to extract the metadata, URLs, emails, side body, phone numbers etc.
Now we can start the extraction process. Now, you can see here, on top, there are multiple tags, which are collecting information like emails; you can see multiple emails being collected on this particular website. Two phone numbers have been collected. This information will be helpful with Social Engineering and to do hacking and collecting information. The URL with the aspx extension will help you to find what kind of programming language has been used or what kind of backend programming language has been used to run this particular web application. So this information you can tag, save and use next time.

Scanning

Scanning is one of the important phases in the whole of Ethical Hacking. Here we do live host checking, port scanning, banner grabbing, vulnerability assessment, and using these vulnerabilities later we can do a system hack. So this is the information you need to collect and build the network topology. You need to find out what kind of environment it is and how the systems are connected together, what kind of ports are open, whether it is open or closed. If it is open, whether it is filtered with any firewalls, whether it is a software firewall or hardware firewall, whether some monitoring devices are used or not, or whether there’s a honeypot installed there.
Banner grabbing is something related to the operating system information. Whether the information has been collected in a technological way or whether the information will help us find out the version of the operating system and to enter into the platform.

Vulnerability Assessment

Vulnerability assessment is not only the application level vulnerability. It may be the hardware level vulnerability or kernel level vulnerability. As an Ethical Hacker, our task is to let the company know the kinds of vulnerabilities in their resources and how soon to patch them or what kind of bad scenario can happen pertaining to those vulnerabilities. So this information you can submit as a penetration tester. So now I'll show you some packet crafting techniques. It is required for you to have some networking knowledge. When I start the CEH training I basically start with the network concepts. Let’s go to iLab again.

Now, UDP and TCP are two different protocols of TCP/IP; we call them the transport layer protocols. They are the logical end-to-end connectivity protocols. They are transmitting all our data from the application layer to the end points. The User Datagram protocols are called connectionless protocols. They do not use any connection to transmit data. But on the other hand, TCP - Transmit Control Protocol. There’s something called a 3-way handshake that happens during the connectivity, and that is where the hacker uses the flag, like multiple flags like syn, ack, reset, urgent, boost. Hackers use this flag to check whether the port is open or not. There are multiple ways to find out whether a particular port is open or not.

So there are multiple techniques to know whether the ports are open or closed. We can use the syn scan or some of the advanced scanning techniques like xmas scanning, inverse scanning. So now let me show you a few scanning techniques using UDP and TCP protocol and Wireshark.

Wireshark

Wireshark is one of the hacking tools. Whatever you do on hping3 will be monitored by Wireshark, only to understand how the communication happens. I’ll tell you here how you can go for the protocol analysis or the scanning. I’ll connect to the Kali Linux where we’ll use hping3. Let me move to the application where you’ll find all the open source tools which are included in the Kali Linux machine. From here I’ll go for information gathering or one of the related tools for live host gathering using the hping3 tool.

You can also get the help section to get the help. Let me log in to the victim machine, that is the Windows machine, where I want to do some scanning. Then I’ll run Wireshark to see whatever I'm scanning.

Let’s quickly install Wireshark. Once the installation is over, run the Wireshark tool. This tool is going to use one of the packets in promiscuous mode, to which you can do the packet analysis. Let me just put start and move back to the Kali Linux machine. I’m going to put hping3 because they are ping packets. I’m going to scan the ports of the Windows machine. There are multiple ports that you’ll find. There are 65535 ports available. We’re going to scan 3-4 ports right now. You can see here that it tells what ports are open right now, what kind of service it’s running like http, netbios etc. You can see that the syn, ack flag has been set and the ttl value is showing; the number of hops isn’t showing because it’s in the same network.

IP id is one of the identification IDs; it says how many requests and responses have already been done. Window size, that will be for flow control, and the length of the byte, that is the size. You can similarly perform a UDP packet crafting over the machine by putting hping3, and this time I’m going to use a technique of hacking. I’m not going to use my own IP address, i.e. the address of the Kali Linux machine. I’m going for a random source IP. Let it run, let’s examine it in the Windows machine.

What I can do is, I can stop all the packets and examine one particular request packet. You can see here, if you’re familiar with the TCP/IP protocol suite you will find the application layer here. You can see that over 500 bytes of data has been sent. After the Transport layer we’ve started with the UDP, and it has a length of 508, and there are some checksums which is false as of now. On top of that it has the internet layer, which has IPv4 version on top of it. The source IP, it’s a random IP. It’s not my Kali Linux machine’s IP, and the destination IP is one of the Windows IP addresses.

Some flags are not set here. With UDP you’ll not find any of the flags here, but with TCP you’ll find the flags. Apart from that you’ll find the Ethernet protocol layer, where you’ll find the MAC address. You can see the source MAC, the destination. You can see the flow control, the checksums and all that information here. This is where we can do the protocol analysis or the packet analysis or the TCP/IP analysis. Let me go for one more particular tool, in the same things. Let me restart the things and stop the previous session. Let me move back to Windows just to rephrase the Wireshark.

TCP Flood scan

This time I want to do the TCP flood scan. I want to do the attack where it will hang the machine. Let me do the flood attack. Let me go to Kali Linux once again and try to run the program. Type in the IP address and this time I’ll put in the -flood attack.

Now, in a few secs, the Windows 8.1 machine, it’s a kind of DoS attack you can say, it’ll stop providing the services. It’s going to hang. You can see it’s not responding now. Now, let me stop the attack just to analyse it. Let me move back to Windows. Can you see here, there are some handshakes happening here. You can see there are huge amounts of packets being sent here within a short time. It is just stopping the service. Now after some time you can see that it is providing some information. This information is from the Kali Linux machine. You can see how many TCP requests have been sent. Let’s analyse one of the particular packets or frames. Let me click on it. I just want to show you the Transmission Control Protocol flags.

Now, there's an ack flag here. This is an acknowledgement given from the Windows machine. There is a listening time. Listening time means if at a given time there are more packets/requests being sent, the system cannot handle those requests, so the system started hanging, like the DoS (Denial of Service) attack. You can see the source and the destination port where the attack has been taking place. The flag which is enabled here is the ack flag.

Gaining Access

This is the last stage, after gathering lots of information from Scanning, enumeration and after finding out the vulnerabilities from those we go for hacking as a penetration tester. We gain access and maintain access using rootkit or spy kit and clear the logs once we’re in the victim machine. Let me brief you out here with what exactly happens with gaining access. With the tools available which will help you crack the Rainbow Tables.

Once you’ve done the gaining access, you want to maintain it. You can keep track of whether the particular victim has understood that we are spying on his machine.

Let me show you some of the tools related to this. I’ll move to System Hacking. Till the lab is running I’ll give you an idea about what I’m going to do now. So, I have the access to the victim machine, right? I want whatever malicious things I’ve deployed in the machine to not be identified by the user. Suppose I want to do a scan on the victim’s machine without him finding out, I can go for NTFS streaming.

NTFS stream demonstration

So, I’m going to show you how the NTFS stream works. So you can go to the victim’s machine and save it and the user will not come to know it’s an NTFS stream, he’ll think it’s a text file.

So let’s see how it works. I’ll log in to the Windows 2008 machine. Let me put the password. Now, let me move to the C drive just to check the kind of file system it has. I’m going to create a folder here where I’ll give the name as “NTFS”. Inside this folder I’m going to hide one of the scanning tools. I’ll copy the tool and go for NTFS and paste it here. Now go to NTFS and paste it here and go for console and then I’ll run a few commands. I’ll type notepad and create a file called “Read Me”. Let me put some content here saying, “this is one of the system generated file, by deleting it can crash your system”. Save it.

Once you’ve done that, go for list directory. You can see there’s a text file called “Read Me”. What you can do now is, you can hide the scanning tool inside the text file. This is only possible when you are inside the system. I will use the tool “Super scan”.

Now, I’m going to delete my tool, which I don’t need right now. Because if the user finds it out he will be suspicious whether his system has been hacked. The tool is completely deleted from the system.

Now, let me do a link, something called windows.exe file. This is one of the files that I want to keep. I’ll give the link to Read.txt. The link has been created. Now, even if you go to the particular folder you’ll find there’s a file called windows.exe. So now your victim will see there’s some Windows related file that has been created and try to open it and read the message which says, “This is a system generated….” and doesn’t delete it, thinking it’s a system generated file. He doesn’t know what exactly it can do. But the hacker knows what exactly it can do. So the hacker will just run the file “Windows.exe”. So, here we go, we have the scanning tool ready. You can go for Windows enumeration and enumerate any number of machines. Now, I’ll go to one of the Windows machines. So, this is how it helps. This is how we do covering tracks, maintaining access, gaining access. But the thumb rule is that your scanning must be perfect, you should know how to figure out vulnerabilities. As an Ethical Hacker we do not exploit any vulnerabilities. We directly report it to the company and make a report out of it.
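The Firebug observations in the transcript (a plain-HTTP connection, response headers naming Microsoft IIS and ASP.NET, and a session cookie whose value alone grants access) can be turned into a check that a site owner runs against their own responses and includes in a report. This is an added example, not part of the webinar or its lab material; the host name `shop.example.test`, the header values and the cookie values are constructed sample data.

```python
from urllib.parse import urlsplit

# Response headers that tell a visitor which server platform is in use.
DISCLOSURE_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

# Constructed sample: the kind of response described in the Firebug section.
WEAK_URL = "http://shop.example.test/login.aspx"
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=constructed0value; path=/; HttpOnly
Set-Cookie: theme=light; path=/
"""

# Constructed sample: the same page after hardening.
HARDENED_URL = "https://shop.example.test/login.aspx"
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Set-Cookie: ASP.NET_SessionId=constructed0value; path=/; Secure; HttpOnly; SameSite=Lax
"""

def parse_headers(raw):
    """Split a raw header block into (name, value) pairs, keeping duplicates."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_cookie(value):
    """Return the cookie name and the protective attributes it is missing."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    wanted = (("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite"))
    return name, [label for key, label in wanted if key not in attrs]

def audit_response(url, raw):
    """List findings for one response: transport, banner disclosure, cookie flags."""
    findings = []
    https = urlsplit(url).scheme == "https"
    headers = parse_headers(raw)
    if not https:
        findings.append("transport: served over plain HTTP, cookies and logins cross the network unencrypted")
    for name, value in headers:
        if name in DISCLOSURE_HEADERS:
            findings.append(f"disclosure: {name}: {value}")
        elif name == "set-cookie":
            cookie, missing = audit_cookie(value)
            if missing:
                findings.append(f"cookie: {cookie} lacks {', '.join(missing)}")
    if https and not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("transport: no Strict-Transport-Security header")
    return findings

if __name__ == "__main__":
    for label, url, raw in (("weak", WEAK_URL, WEAK_RESPONSE),
                            ("hardened", HARDENED_URL, HARDENED_RESPONSE)):
        print(label, audit_response(url, raw) or "no findings")
```

A session cookie without `Secure` on a plain-HTTP site is the case the transcript demonstrates: the value is visible to anyone who can read the traffic and is enough to act as the logged-in user.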


Please drop an email to support@greycampus.com if you are interested in this training program. Alternatively, you can visit our website GreyCampus to get more details.

About Author
Syama Prasad