Ethical Hacking Labs


1. Introduction

So, what the heck is a Network?

A network consists of two or more computers that are linked in order to share resources. Computer
networks are the basis of communication in IT. They are used in a huge variety of ways and can include
many different types of network. A computer network is a set of computers that are connected together
so that they can share information. The earliest examples of computer networks are from the 1960s, but
they have come a long way in the half-century since then.

LAN Network Topology - SOHO / Small Home Network

Two very common types of networks include: LAN (Local Area Network) and WAN (Wide Area
Network)

Topologies

There are many different types of network, which can be used for different purposes and by different
types of people and organization. Here are some of the network types that you might come across:

LAN - Local Area Network

- A LAN is a network with logical and physical borders within which a computer can broadcast.

WAN - Wide Area Network


- A WAN is multiple LANs (or additional WANs) interconnected with routing functionality.

MAN - Metropolitan Area Network

Internet

Connecting WANs to WANs until they span the entire world = Internet.

- The protocol which runs the internet is TCP/IP.
- As long as you're using a legitimate IPv4 or IPv6 address, you are on the Internet.

Intranet

If you're using the TCP/IP stack and making your own LAN or WAN = Intranet.

- An intranet is a private network which still runs TCP/IP.


Common Terms in Networking

- IP (Internet Protocol) address: the network address of the system across the network, also known as
the logical address.

- MAC address: the MAC address or physical address uniquely identifies each host. It is associated
with the Network Interface Card (NIC).

- Open system: an open system is connected to the network and prepared for communication.

- Closed system: a closed system is not connected to the network and so can't be communicated
with.

- Port: a port is a channel through which data is sent and received.

- Nodes: node is a term used to refer to any computing device, such as a computer, that sends and
receives network packets across the network.

- Network packets: the data that is sent to and from the nodes in a network.

- Routers: routers are pieces of hardware that manage the routing of packets. They determine which
node the information came from and where to send it to. A router has a routing protocol which
defines how it communicates with other routers.

- Network address translation (NAT): a technique that routers use to provide internet service to
more devices using fewer public IPs. A router has a public IP address, but devices connected to it
are assigned private IPs that others outside of the network can't see.

- Dynamic host configuration protocol (DHCP): assigns dynamic IP addresses to hosts and is
maintained by the internet service provider.

- Internet service providers (ISP): companies that provide everyone with their internet
connection, both to individuals and to businesses and other organizations.

2. IP & MAC Address


What is an IP Address (Internet Protocol)?

An IP address is a unique address that identifies a device on the internet or a local network. IP stands for
"Internet Protocol," which is the set of rules governing the format of data sent via the internet or local
network.

Check your local IP address

1. If you are using Linux or macOS, open your terminal and type the ifconfig command.
2. On a Windows machine, open the command prompt or PowerShell, then type ipconfig /all.

- inet IPv4: 192.168.64.3
  - inet --> The inet (Internet protocol family) line shows the local IP address. This is IP version 4
(IPv4), a 32-bit number written in dotted decimal.
- inet6 IPv6: fe80::c83b:ccff:fe0e:1069
  - inet6 --> The newer version of IP (IPv6), a 128-bit value written in hexadecimal.
- ether --> MAC address, the unique identifier assigned to a network interface controller (NIC).
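As an added example (not part of the original lab), the following Python script parses ifconfig-style output modelled on the inet, inet6 and ether lines above and classifies each address by its bit width and whether it is private or link-local. The sample output, including its MAC address, is constructed rather than captured from a real machine.

```python
import ipaddress
import re

# Constructed sample, modelled on the ifconfig lines discussed above
# (not captured from a real machine; the MAC address is made up).
SAMPLE_IFCONFIG = """\
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.64.3  netmask 255.255.255.0  broadcast 192.168.64.255
        inet6 fe80::c83b:ccff:fe0e:1069  prefixlen 64  scopeid 0x20<link>
        ether ca:3b:cc:0e:10:69  txqueuelen 1000  (Ethernet)
"""

IFACE_RE = re.compile(r"^(\S+):\s")      # interface header, e.g. "eth0: flags=..."
INET_RE = re.compile(r"^\s+inet\s+(\S+)")
INET6_RE = re.compile(r"^\s+inet6\s+(\S+)")
ETHER_RE = re.compile(r"^\s+ether\s+(\S+)")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_ifconfig(text):
    """Return {iface: {"inet": [...], "inet6": [...], "ether": str or None}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {"inet": [], "inet6": [], "ether": None}
            continue
        if current is None:
            continue
        if (m := INET_RE.match(line)):
            result[current]["inet"].append(m.group(1))
        elif (m := INET6_RE.match(line)):
            result[current]["inet6"].append(m.group(1))
        elif (m := ETHER_RE.match(line)):
            result[current]["ether"] = m.group(1).lower()
    return result


def describe_address(addr):
    """Classify a string as a 48-bit MAC, a 32-bit IPv4 or a 128-bit IPv6 address."""
    if MAC_RE.match(addr.lower()):
        return {"kind": "MAC", "bits": 48, "private": False, "link_local": False}
    ip = ipaddress.ip_address(addr)        # raises ValueError for anything else
    return {
        "kind": f"IPv{ip.version}",
        "bits": ip.max_prefixlen,          # 32 for IPv4, 128 for IPv6
        "private": ip.is_private,          # RFC 1918 / ULA ranges sit behind NAT
        "link_local": ip.is_link_local,    # 169.254.0.0/16 or fe80::/10
    }


if __name__ == "__main__":
    for iface, addrs in parse_ifconfig(SAMPLE_IFCONFIG).items():
        mac = [addrs["ether"]] if addrs["ether"] else []
        for addr in addrs["inet"] + addrs["inet6"] + mac:
            print(iface, addr, describe_address(addr))
```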

Social Engineering

Social engineering is the art of manipulating people so they give up confidential information. The types
of information these criminals are seeking can vary, but when individuals are targeted the criminals are
usually trying to trick you into giving them your passwords or bank information, or into granting access to your
computer so they can secretly install malicious software that will give them access to your passwords and
bank information as well as control over your computer.

McAfee's whitepaper "Hacking the Human Operating System" focuses on the use of social engineering
to attack home and business users and finds once again that people are the weakest link. The McAfee
report points out that many organizations develop and deliver user awareness programs
into their business areas, but the effectiveness of such programs varies; in some identified cases,
even after the security training has been delivered, it has done very little to give end users
any valuable security awareness to mitigate the threat of social engineering attacks.

Phishing types

Vishing

Vishing refers to phishing done over phone calls. Since voice is used for this type of phishing, it is called
vishing → voice + phishing = vishing.

Considering the ease and enormity of data available in social networks, it is no surprise that phishers
communicate confidently over a call in the name of friends, relatives or any related brand, without
raising any suspicion.

Smishing

SMS phishing or SMiShing is one of the easiest types of phishing attacks.

The user is targeted by using SMS alerts.

In SMiShing, users may receive a fake DM or fake order detail with a cancellation link.

The link would actually be a fake page designed to gather personal details.

Search Engine Phishing

Search engine phishing is the type of phishing that refers to the creation of a fake webpage for targeting
specific keywords and waiting for the searcher to land on the fake webpage.

Once a searcher clicks on the page link, s/he will never recognize that s/he is hooked until it is too late.

Spear Phishing

Unlike traditional phishing – which involves sending emails to millions of unknown users – spear
phishing is typically targeted in nature, and the emails are carefully designed to target a particular user.

These attacks carry a greater risk because phishers do complete research on the user's social profile
and their organization – through their social media profiles and the company website.

Out of the different types of phishing attacks, Spear phishing is the most commonly used type of
phishing attack – on individual users as well as organizations.

Whaling

Whaling is not very different from spear phishing, but the targeted group becomes more specific and
confined in this type of phishing attack.

This technique targets C-suite posts like CEO, CFO, COO – or any other senior management positions –
who are considered to be big players in the information chain of any organization, commonly known as
“whales” in phishing terms.

Technology, banking, and healthcare are the most targeted sectors for phishing attacks. This is because
of two main factors: a huge number of users and higher dependency on data.

Using Social Engineering Toolkit (SET)

The Social Engineering Toolkit (SET) is an open-source Python-driven tool designed for pentesting. The
SET is specifically designed to perform advanced attacks against humans by exploiting their behavior. The
attacks built into the toolkit are designed to be targeted and focused attacks against a person or
organization, used during a penetration test.

SET Manual by TrustedSec: https://github.com/trustedsec/social-engineer-toolkit/raw/master/readme/User_Manual.pdf

Objectives

- Clone a website
- Obtain username and password
- Generate reports for the conducted pentest

Requisites

- Kali Linux virtual machine
- Any Windows virtual machine

Launch SET

Log in to Kali Linux. Every Kali version comes with SET pre-installed; to launch it (on Kali
2019.4) go to Kali Menu > 13 - Social Engineering Tools > SET (Social Engineering Toolkit).

Accept the Terms of Services by typing y.


Clone a Website

On the SET Main menu, select the first option 1) Social-Engineering Attacks by typing the number:

Select from the menu:

1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About

99) Exit the Social-Engineer Toolkit


Next, choose 2) Website Attack Vectors:

Select from the menu:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules

99) Return back to the main menu.


The Web Attack Vector is a unique way of utilizing multiple web-based attacks in order to compromise
the intended target.

In the next menu, select 3) Credential Harvester Attack Method.

1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) HTA Attack Method

99) Return to Main Menu


The Credential Harvester Method clones a website that has a login form (username
and password fields) and harvests all the information posted to the cloned page.

Next, select 2) Site Cloner:

1) Web Templates
2) Site Cloner
3) Custom Import

99) Return to Webattack Menu


The site cloner is used to clone a website of your choice.

Next, type the IP address of Kali Linux and the URL to be cloned; in this example we will
use facebook.com, as shown below:

After that, leave this terminal tab running.

Send a Crafted Email

Now you must send the IP address of your Kali machine to a target and trick them into clicking it.

For this demo, we will use Gmail; Launch the web browser on your Kali and login to a Gmail account to
compose an email.

This example will demonstrate just the technical aspect of this technique.

To create a proper link, click Edit link, first type the actual address under Link to, and then type the
fake URL in the Text to display field.

You can verify the disguised link by clicking it once: the actual URL is displayed.

Log in to the Cloned Website

Log in to Windows as the victim, launch the web browser and sign in to your email (the account to which
you sent the phishing email).

When the victim clicks the URL, they are presented with a replica of facebook.com. The victim is
prompted to enter their username and password into the form fields. After the victim enters the
username and password and clicks Log In, it does not allow logging in; instead, it redirects to the
legitimate Facebook login page. Observe the URL.

Obtain the Credentials

The SET on Kali Linux fetches the typed username and password, which can be used by the attacker to
gain unauthorized access to the victim's account.

Denial of Service

In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to
make a machine or network resource unavailable to its intended users by temporarily or indefinitely
disrupting services of a host connected to the Internet. Denial of service is typically accomplished by
flooding the targeted machine or resource with superfluous requests in an attempt to overload systems
and prevent some or all legitimate requests from being fulfilled.

DoS attacks typically fall into two categories:

Buffer overflow attacks

An attack type in which a memory buffer overflow can cause a machine to consume all available hard
disk space, memory, or CPU time. This form of exploit often results in sluggish behavior, system crashes,
or other deleterious server behaviors, resulting in denial-of-service.

Flood attacks

By saturating a targeted server with an overwhelming amount of packets, a malicious actor is able to
oversaturate server capacity, resulting in denial-of-service. In order for most DoS flood attacks to be
successful, the malicious actor must have more available bandwidth than the target.

Historically, DoS attacks typically exploited security vulnerabilities present in network, software and
hardware design. These attacks have become less prevalent as DDoS attacks have a greater disruptive
capability and are relatively easy to create given the available tools. In reality, most DoS attacks can also
be turned into DDoS attacks.

A few common historic DoS attacks include:

Smurf attack

A previously exploited DoS attack in which a malicious actor utilizes the broadcast address of a vulnerable
network by sending spoofed packets, resulting in the flooding of a targeted IP address.

Ping flood

This simple denial-of-service attack is based on overwhelming a target with ICMP (ping) packets. By
inundating a target with more pings than it is able to respond to efficiently, denial-of-service can occur.
This attack can also be used as a DDoS attack.

Ping of Death

Often conflated with a ping flood attack, a ping of death attack involves sending a malformed packet to a
targeted machine, resulting in deleterious behavior such as system crashes.

DDoS

In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim
originates from many different sources. This effectively makes it impossible to stop the attack simply by
blocking a single source.

A DoS attack utilizes a single connection, while a DDoS attack utilizes many sources of attack traffic, often in the
form of a botnet. Generally speaking, many of the attacks are fundamentally similar and can be
attempted using one or many sources of malicious traffic.

Detecting DoS Attack traffic

KFSensor is a Windows-based honeypot IDS. It acts as a honeypot to attract and detect hackers and
worms by simulating vulnerable system services and Trojans. By acting as a decoy server, it can divert
attacks from critical systems and provides a higher level of information than firewalls and NIDS alone.

KFSensor Free Trial: http://www.keyfocus.net/kfsensor/

Wireshark: https://www.wireshark.org/

Objectives

- Detect a DoS attack using KFSensor
- Analyze the incoming packet dump using Wireshark

Requisites

- Windows 10 virtual machine
- Windows Server 2012 or 2016 virtual machine
- Kali Linux virtual machine

Setting up

1. Install KFSensor and Wireshark on Windows 10 virtual machine.

2. Launch the KFSensor as Administrator.

3. Click on Settings on the top menu and then Set Up Wizard.

Leave the options at their defaults until you reach the DoS options.

4. Select Cautious from the Denial of Service Options drop-down list, and select Enable packet dump
files from the Network Protocol Analyzer drop-down list.

5. Click Next and finish the wizard.

On the left panel you will see that the FTP icon is green and the FTP section is empty; this means there is
currently no traffic through port 21.

Now, the KFSensor is configured to detect the DoS attacks.

Perform DoS Attack

Switch to the Kali Linux and open a new terminal window.

1. Check if port 21 is open:

nmap -p 21 <Windows 10 IP address>

Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-22 14:02 EST
Nmap scan report for 10.0.2.45
Host is up (0.00051s latency).

PORT   STATE SERVICE
21/tcp open  ftp

As you can see above, port 21 is open.

Let's use this port to flood the target:


2. Perform SYN flooding by typing:

hping3 -d 100 -S -p 21 --flood <Windows 10 IP Address>

Parameter   Description
-S          SYN flooding
-p 21       Port 21
-d 100      Data size of each packet (bytes)

After you enter the command, switch to the Windows 10 machine and observe that it is almost frozen,
which means that the resources of Windows are completely exhausted. This means that the DoS attack
is being performed successfully.

Switch back to the Kali Linux and press Ctrl+C to terminate SYN flooding.

Detecting DoS Attack

Switch to the Windows 10 machine; you should now be able to access it.

Now the FTP icon in the left pane changes to red, and the FTP section in the right pane is flooded with
events.

Scroll down and try to find an event named DOS Attack.

This confirms that KFSensor has detected the DoS attack.


Choose another random event and double click it to show the event details.

On the Event window, which contains the event summary, you can see the severity level of the
event (High), the description of the event (Syn Scan), the visitor of the event (Attacker machine's IP
address), sensor name (FTP), and so on as you can see below.

Analyze Packet Dump on Wireshark

Next, analyze the packet dump file containing the traffic captured during the DoS attack. KFSensor
stores the packet dump file on C:\kfsensor\dumps by default.

Open Wireshark, click File > Open and open the packet dump stored in C:\kfsensor\dumps.

Wireshark loads the file and displays the packet details, as shown above.

You can analyze the packets to get information related to headers of the packets, source IP addresses,
and so on.
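As an added example (not part of the original lab), the following Python script does the kind of analysis one would perform on the KFSensor dump in Wireshark: it counts SYN packets per source inside a sliding time window, notes whether the source ever completes a handshake, and flags SYNs that carry payload (as hping3 -d 100 produces). The packet records are constructed to resemble the lab traffic, not taken from a real capture.

```python
from collections import defaultdict


def build_sample_capture():
    """Constructed packet records standing in for the KFSensor dump opened in Wireshark
    (not a real capture). Each record: (time_s, src, dst, dport, tcp_flags, payload_len)."""
    pkts = [
        # a normal FTP client: one SYN with no payload, then the ACK completing the handshake
        (0.000, "10.0.2.7", "10.0.2.45", 21, "S", 0),
        (0.002, "10.0.2.7", "10.0.2.45", 21, "A", 0),
    ]
    # a flood source: 500 SYNs in half a second, each carrying 100 bytes (like hping3 -d 100)
    for i in range(500):
        pkts.append((0.100 + i * 0.001, "10.0.2.15", "10.0.2.45", 21, "S", 100))
    return sorted(pkts)


def detect_syn_flood(pkts, window_s=1.0, syn_threshold=100):
    """Flag sources whose SYN count inside any window_s-second window reaches syn_threshold.
    The alert also records completed handshakes (a flooder completes none) and SYNs that
    carry payload (normal clients send empty SYNs)."""
    by_src = defaultdict(lambda: {"syn_times": [], "acks": 0, "syn_with_data": 0, "ports": set()})
    for t, src, dst, dport, flags, plen in pkts:
        rec = by_src[src]
        if flags == "S":
            rec["syn_times"].append(t)
            rec["ports"].add(dport)
            if plen > 0:
                rec["syn_with_data"] += 1
        elif flags == "A":
            rec["acks"] += 1

    alerts = []
    for src, rec in by_src.items():
        times = sorted(rec["syn_times"])
        peak, start = 0, 0
        for end in range(len(times)):            # sliding window over SYN timestamps
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= syn_threshold:
            alerts.append({
                "src": src,
                "peak_syn_per_window": peak,
                "handshakes_completed": rec["acks"],
                "syn_with_payload": rec["syn_with_data"],
                "ports": sorted(rec["ports"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_syn_flood(build_sample_capture()):
        print(alert)
```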

What is Footprinting and Reconnaissance?

Footprinting (also known as reconnaissance) is the technique used for gathering information about
computer systems and the entities they belong to. To get this information, a hacker might use various
tools and technologies. This information is very useful to a hacker who is trying to crack a whole system.

When used in the computer security lexicon, "Footprinting" generally refers to one of the pre-attack
phases; tasks performed before doing the actual attack. Some of the tools used for Footprinting are Sam
Spade, nslookup, traceroute, Nmap and neotrace.

Footprinting helps to:

Know Security Posture – The data gathered will help us to get an overview of the security posture of the
company such as details about the presence of a firewall, security configurations of applications etc.

Reduce Attack Area – Can identify a specific range of systems and concentrate on particular targets
only. This will greatly reduce the number of systems we are focusing on.

Identify vulnerabilities – we can build an information database containing the vulnerabilities, threats,
loopholes available in the system of the target organization.

Draw Network map – helps to draw a network map of the networks in the target organization covering
topology, trusted routers, presence of servers and other information.

3. Session Hijacking

The Session Hijacking attack consists of the exploitation of the web session control mechanism, which is
normally managed by a session token.

Because HTTP communication uses many different TCP connections, the web server needs a method to
recognize every user's connections. The most useful method depends on a token that the web server
sends to the client browser after a successful client authentication. A session token is normally
composed of a string of variable width and it could be used in different ways: in the URL, in the
header of the HTTP request as a cookie, in other parts of the header of the HTTP request, or in the
body of the HTTP request.

The Session Hijacking attack compromises the session token by stealing or predicting a valid session
token to gain unauthorized access to the Web Server.

The session token could be compromised in different ways; the most common are:

- Predictable session token
- Session sniffing
- Client-side attacks (XSS, malicious JavaScript code, Trojans, etc.)
- Man-in-the-middle attack
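As an added example (not part of the original text), the following Python code contrasts a predictable session token with one drawn from the OS CSPRNG, estimates how predictable a batch of tokens looks, and builds and audits a Set-Cookie header whose Secure, HttpOnly and SameSite attributes address the session sniffing and client-side theft cases from the list above. The weak pattern is included only for contrast; the helper names are my own.

```python
import math
import secrets
from collections import Counter


def predictable_token(counter):
    """Weak pattern, shown only for contrast: a session id derived from a running counter
    can be guessed by anyone who has seen a neighbouring value. Never use this."""
    return f"{counter:016x}"


def secure_token(nbytes=32):
    """Strong pattern: 256 bits from the OS CSPRNG, URL-safe and unguessable."""
    return secrets.token_urlsafe(nbytes)


def entropy_bits_per_char(tokens):
    """Empirical Shannon entropy over all characters of a token batch; a batch of
    counter-style ids scores far below the ~6 bits/char of base64url randomness."""
    joined = "".join(tokens)
    total = len(joined)
    return -sum(c / total * math.log2(c / total) for c in Counter(joined).values())


def session_cookie_header(token, max_age=3600):
    """Set-Cookie value for the session token: Secure keeps it off plaintext HTTP
    (session sniffing), HttpOnly keeps it away from page scripts (XSS theft),
    SameSite=Strict stops cross-site requests from carrying it."""
    return f"session={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Strict"


def audit_set_cookie(header_value):
    """Return the hardening attributes missing from a Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}   # skip the name=value pair
    return [name for name in ("Secure", "HttpOnly", "SameSite") if name.lower() not in present]


if __name__ == "__main__":
    weak = [predictable_token(i) for i in range(1, 101)]
    strong = [secure_token() for _ in range(100)]
    print("weak   entropy:", round(entropy_bits_per_char(weak), 2))
    print("strong entropy:", round(entropy_bits_per_char(strong), 2))
    print(session_cookie_header(strong[0]))
    print("missing on bare cookie:", audit_set_cookie("session=abc; Path=/"))
```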

Using ZAP (Zed Attack Proxy)

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the
umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing
web applications and is both flexible and extensible.

At its core, ZAP is what is known as a “man-in-the-middle proxy.” It stands between the tester’s browser
and the web application so that it can intercept and inspect messages sent between browser and web
application, modify the contents if needed, and then forward those packets on to the destination. It can
be used as a stand-alone application, and as a daemon process.

Objectives

- Intercept the traffic between server and client

Requisites

- Windows Server 2012 or 2016 virtual machine (Attacker)
- Windows 10 virtual machine (Target)

- Man-in-the-browser attack

Intercepting HTTP Traffic

BetterCAP is a powerful, easily extensible and portable framework written in Go which aims to offer to
security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the
features they might possibly need for performing reconnaissance and attacking WiFi networks,
Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.

Bettercap Official Documentation: https://www.bettercap.org/intro/

Official Repo: https://github.com/bettercap/bettercap

Objectives

- Intercept traffic and sniff out user credentials (HTTP and HTTPS).

Requisites

- Kali Linux virtual machine (Attacker)
- Any Windows virtual machine (Target)

Scanning a Target Network

Network Scanning refers to a set of procedures performed to identify hosts, ports, and services running
in a network.

The purpose of network scanning is as follows:

- Recognize available UDP and TCP network services running on the targeted hosts.
- Recognize filtering systems between the user and the targeted hosts.
- Determine the operating systems (OSs) in use by assessing IP responses.
- Evaluate the target host's TCP sequence number predictability to assess the feasibility of sequence
prediction attacks and TCP spoofing.

Vulnerability Scanning

Vulnerability Scanning refers to auditing hosts, ports, and services running in a network to assess the
security posture and search for security loopholes.

It determines the possibility of network security attacks, evaluating the organization's systems and
network for vulnerabilities such as missing patches, unnecessary services, weak authentication, and
weak encryption. Vulnerability scanning is a critical component of any penetration testing assignment.

Nessus

Nessus allows you to remotely audit a network and determine if it has been broken into or misused in some
way. It also provides the ability to locally audit a specific machine for vulnerabilities.

Official website: https://www.tenable.com/downloads/nessus

GFI LanGuard

GFI LanGuard is software similar to Nessus; it scans networks and ports to detect, assess, and correct
any security vulnerabilities found.

Official website: https://www.gfi.com/products-and-solutions/network-security-solutions/gfi-languard

Nikto

Nikto Web Scanner is a web server scanner that tests web servers for dangerous files/CGIs, outdated
server software and other problems.

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for
multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of
over 1200 servers, and version-specific problems on over 270 servers. It also scans server configuration
items such as the presence of multiple index files and HTTP server options, and attempts to identify
installed web servers and software. Scan items and plugins are frequently updated and can be
automatically updated. Nikto is not a stealth tool: it scans a web server in the shortest time, but its
activity gets logged by an IDS.
