0% found this document useful (0 votes)

21 views80 pages

Ethical Textbook 2

This document covers system hacking techniques, focusing on password attacks and privilege escalation. It details non-technical and technical password attacks, including methods like brute force, dictionary, and rainbow table attacks, as well as countermeasures for protecting passwords. Additionally, it discusses privilege escalation techniques and tools, emphasizing the importance of securing user credentials and account policies.

Uploaded by

vee

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

21 views80 pages

Ethical Textbook 2

Uploaded by

vee

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 80

8.

System Hacking

8.1 As you study this section, answer the following questions:

• What non-technical password attacks do organizations need to guard themselves

against?
• What are the main types of technical password attacks?
• What are rainbow table attacks?
• What is password salting?
• What can an organization do to protect passwords?

In this section, you will learn to:

• Spoof MAC addresses with SMAC

• Analyze USB keylogger attacks
• Crack a password with rainbow tables
• Crack a password with John the Ripper
• Configure account password policies

Key terms for this section include the following:

Term Definition
Brute A password cracking technique that tests every possible keystroke for each
force character in a password until the correct one is found.
attack
Rainbow A password hash cracking technique that uses pre-computed word lists and
attack their hashes in tables for quick comparison using the cracked hashes for
authentication.
Dictionar A password cracking technique that tests for words from a dictionary, but
y attack can include additional common password phrases and symbol substitutions
that are added to the database.
Passwor Adding random bits of data to a password before it is stored as a hash to
d salting make password cracking much more difficult.
Keylogge Hardware or software that captures every keystroke on the computer.
r

This section helps you prepare for the following certification exam objectives:

Exam Objective
TestOut Ethical Hacker Pro 1.1 Perform reconnaissance

• Perform reconnaissance with operating system tools

2.1 Obtain login credentials

• Crack passwords

4.1 Cover up access

• Change MAC address

5.1 Defend systems and devices

• Configure account policies and account control

EC-Council 1. Background

• Information Security Threats and Attack Vector

3. Security

• Information Security Attack Detection

• Information Security Attack Prevention

4. Tools/Systems/Programs

• Information Security Tools

Introduction to Hacking Facts

One of easiest ways a hacker gains access to a system or network is through passwords.
Creating strong passwords and protecting them seems easy enough, but cracking and
stealing passwords often leads to success for hackers. One of the main reasons is lack
of education. The two simplest and most important safeguards are to teach employees to
create strong passwords and to help them understand the importance of secrecy.

This lesson covers the following topics:

• Non-technical password attacks

• Technical password attacks
• RainbowCrack
• Password cracking countermeasures

Non-Technical Password Attacks

The following table describes three non-technical ways a hacker can gain access to
passwords.

Attack Description
Dumpster This non-technical method of attack relies on finding sensitive information
diving that has been discarded in garbage cans, dumpsters, or other unsecure
places that a hacker has access to.
Social The social engineering attack relies on human error. The hacker convinces
engineerin an employee or other authorized person to give him a password.
g
Shoulder This technique involves watching and recording a password, pin, or access
surfing code that is being entered by someone in close proximity.

Technical Password Attacks

It's natural for people to want easy-to-remember passwords or to use the same password
for multiple systems and websites. A surprising number of people use the password
abc123, a pet's name, or a hobby as a password. The weakness in this convenience is
that these are all easy for an hacker to guess. The following tables describes common
types of technical password attacks.

Attack Description
Diction In a dictionary attack, word lists, often taken straight from dictionaries, are
ary tested against password databases. Besides all the standard words you find
in a dictionary, these lists usually include variations on words that are common
for passwords, such as pa$$word. Lists can also include simple keyboard
finger rolls like q-w-e-r-t1234. The down side to this attack is this process can
take a very long time to crack the passwords. Two common tools for dictionary
attacks are Brutus and Hydra.
Brute In a brute force attack, every password will eventually be found because its
force technique is to test every possible keystroke for each single key in a password
until the correct one is found. The disadvantages of this type of attack are that
it takes a large amount of processing power to execute and it is very time
consuming.
Pass Pass the hash is a hacking technique where an hacker uses an underlying
the NTML or hash of a user's password to gain access to a server without ever
hash using the actual plain text password. Pass the hash is dangerous to an
organization because once a hacker gains access, the entire organization can
be compromised very quickly.

To execute a pass the hash attack, first, a hacker gains access to an individual
computer through malware or another technique. Then the hacker can access
the system's memory and find stored hashes from other users that have used
that workstation. The hacker can then gain access to other workstations in the
network and search each workstation for stored hashes until it finds a hash
that gives access to a high-level administrator account. Once that happens,
the hacker has access to the entire network as an administrator.
Sniffin Sniffing is a passive way for a hacker to gain access to an account. The sniffer
g collects data that is in transit in a LAN. If access is gained on one system in a
LAN, then more data can be gathered from data transmissions to any other
system in the network. The sniffer runs in the background, making it
undetectable to the victim. Sniffing tools include Wireshark, TCPDump, and
Recon-ng.
Keylog Keystrokes on the computer keyboard are logged or recorded to obtain
ger passwords and other important data. This can be done through either
hardware devices or software programs on an individual computer or on a
whole network. The user cannot detect the keylogger software, and the
information can be recorded before it is encrypted.

• A hardware keylogger is a physical device that looks like a regular USB drive.
It is installed between a keyboard plug and a USB port. Every stroke of the
keyboard is stored on the device, and a hacker has to retrieve it to get the
data that is stored. The advantage of this type of keylogger is that it is
undetectable by desktop security, as well as antispyware and antivirus
programs. The disadvantage is that it is easy to find it because it is physically
plugged into the computer. Tools include PC Activity Monitor, RemoteSpy,
Veriato, Investigator, and KeyStrokeSpy.
• Software keyloggers are installed through an opened email attachment or
remotely through a network. An advantage of this type of keylogger is that it
has no memory limitations because the data is stored on a remote computer
hard drive.
Rainb Rainbow attacks are like dictionary attacks, but instead of endlessly testing
ow dictionary lists, this method uses tables that are precomputed with word lists
and their hashes. This is much quicker than a dictionary attack or a brute force
attack. When a plain text password is stored, it is processed through a one-
way function and converted into a hash. Hashes are then converted into plain
text through another one-way function called reduction. This new plain text is
not the same plain text that was originally hashed.

Passwords often go through this encryption process multiple times, making a

chain. Rainbow tables store only the starting plain text and the final hash of
these chains. A hacker searches the table for a possible hash and tries to
retrieve the password that it was converted from. The rainbow table gets its
name from having a different reduction function in each column in the chain.
This allows the hacker to quickly crack the password by passing through tables
which will work backwards through the chain to identify the original password.

RainbowCrack

RainbowCrack is software that cracks hashes by rainbow table lookup. The rtgen program
generates rainbow tables, and the rtsort program sorts them. The following table
describes these two programs.

Prog Description
ram
rtgen rtgen generates rainbow tables based on parameters specified by user.
The command line syntax of rtgen program is:

rtgen hash_algorithm charset plaintext_len_min plaintext_len_max

table_index chain_len chain_num part_index

An example of commands used to generate a rainbow table set with 6 rainbow

tables is:

rtgen md5 loweralpha-numeric 1 7 0 3800 33554432 0

rtgen md5 loweralpha-numeric 1 7 1 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 2 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 3 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 4 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 5 3800 33554432 0

rtsort A rainbow table is an array of rainbow chains. Each rainbow chain has a start
point and an end point. The rtsort program sorts the rainbow chains by end point
to make a binary search possible. Use the rtsort . command to sort all .rt
rainbow tables in current directory. Please be aware that after rtsort , the
command includes a space and then a period.

Program options for rtgen are described in the following table.

Option Description
hash_algorith A rainbow table is hash algorithm specific. A rainbow table for a
m certain hash algorithm helps to crack only hashes of that type. The
rtgen program natively support lots of hash algorithms, like lm, ntlm,
md5, sha1, mysqlsha1, halflmchall, ntlmchall, oracle-SYSTEM, and
md5-half. In the example above, we generated md5 rainbow tables
that speed up the cracking of md5 hashes.
charset The charset includes all possible characters for the plain text.
Loweralpha-numeric is represented by
abcdefghijklmnopqrstuvwxyz0123456789, which is defined in
configuration file charset.txt.
plaintext_len_ These two parameters limit the plain text length range of the rainbow
min table. In the example above, the plain text length range is 1 to 7. So
plaintext_len_ plain texts such as abcdefg are likely contained in the rainbow table
max generated. But plain text abcdefgh with length 8 will not be contained.
table_index The table_index parameter selects the reduction function. Rainbow
tables with a different table_index parameter use different reduction
functions.
chain_len The rainbow chain length. A longer rainbow chain stores more plain
texts and requires longer time to generate.
chain_num The number of rainbow chains to generate. A rainbow table is simply
an array of rainbow chains. The size of each rainbow chain is 16
bytes.
part_index To store a large rainbow table in many smaller files, use a different
number for each part, and keep all other parameters identical.

The following table shows the hash types and their possible characters or values.

Hash Possible Values

Type
numeric [0123456789]
alpha [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
alpha- [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
numeric
lower [abcdefghijklmnopqrstuvwxyz]
alpha
lower [abcdefghijklmnopqrstuvwxyz0123456789]
alpha-
numeric
mix alpha [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]
mix alpha- [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ012
numeric 3456789]
ascii-32- [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVW
95 XYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
ascii-32- [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVW
65-123-4 XYZ[\]^_`{|}~]
alpha- [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-
numeric- _+=~`[]{}|\:;"'<>,.?/]
symbol32-
space

Password Cracking Countermeasures

There are several things you can do to counter password cracking attempts:

• Password salting is a strategy used to make cracking passwords more difficult by adding
random bits of data to a password before it is stored as a hash. This is made possible
by a one-way function that makes it almost impossible to return the hashed password
back to the original password.
• The more complex a password, the harder it is to crack. Use 8 to 12 characters
combining numbers, uppercase and lowercase letters, and special symbols.
• Never share your passwords.
• If asked to routinely change your password, do not reuse your current password.
• Never use words from a dictionary as your password.
• Change your passwords every 30 days.
• Never store a password in an unsecure location.
• Never use a default password.
• Never store passwords in a protocol with weak encryption or clear text.

8.2 Privilege escalation

As you study this section, answer the following questions:

• What is privilege escalation?

• How do attackers escalate privileges?
• What are escalation tools?
• How can you protect against privilege escalation?

In this section, you will learn to:

• Crack the SAM database with John the Ripper

• Enforce user account control

Key terms for this section include the following:

Term Definition
Kerberoasting An offline brute force to crack a Kerberos ticket to reveal the
service account password in plain text. There is no risk of
detection and no need for escalated privileges, and the attack
is easy to perform.
DLL hijacking Loading a malicious DLL in the application directory so that
when the application executes, it will choose the malicious DLL.
cPasswords The attribute that stores passwords in a Windows group policy
preference item. This attribute can be exploited because
Microsoft publishes a public key for the account credentials.
Security Account The database that authenticates local and remote users. In
Manager (SAM) Windows, this database stores user passwords as an LM hash
database or an NTLM hash.
Local Security The Local Security Authority Subsystem Service is a Windows
Authority Subsystem service that performs the system's security protocol.
Service (LSASS)

This section helps you prepare for the following certification exam objectives:

Exam Objective
TestOut Ethical Hacker Pro 2.2 Gain administrative access and escalate privileges

• Escalate privileges

5.1 Defend systems and devices

• Configure account policies and account control

EC-Council 1. Background

• Information Security Threats and Attack Vector

3. Security

• Information Security Attack Prevention

4. Tools/Systems/Programs

• Information Security Tools

5. Procedures/Methodology

• Information Security Procedures

Privilege Escalation in Windows Facts

<<<<<<< refs/remotes/origin/en-us
Every computer network has levels of privileges that give each user appropriate access
for the user's function in the organization and the security of the network. Privilege
escalation occurs when an attacker accesses the network as a non-administrator level
user and gains access to administrative-level privileges. An attacker seeks privilege
escalation in order to access sensitive information, to delete files, or to install programs
like worms, viruses, or Trojan horses.

This lesson covers the following topics:

• Privilege escalation techniques

• Tools
• Countermeasures

Privilege Escalation Techniques

Hackers can escalate privileges in the following ways:

Method
cPassword cPassword is the name of the attribute that stores passwords in a Group
Policy preference item in Windows. This attribute is easy to exploit
because Microsoft publishes the public key for the Group Policy
preferences account credentials. These preferences allow domain
admins access to create and change any local user or local admin
account. Cpasswords are stored in an encrypted XML file in the SYSVOL
folder on the domain controllers. This allows any domain authenticated
user access to decrypt the password.
Clear text Data transferred unencrypted or in clear text is vulnerable to hackers.
credentials Beware, however, most domain controllers allow clear text credentials to
in LDAP be transmitted over the network, even to and from the local directory. You
can check for clear text transfers by using the unsecure LDAP bind script
in PowerShell. PowerShell will deliver a CSV file as output, showing you
which accounts are vulnerable.
Kerberoast Kerberos is a protocol that allows authentication over a non-secure
ing network by using tickets or service principal names (SPNs). A user
authenticates to the server, which forwards the user name to the key
distribution center (KDC). The KDC issues a ticket-granting ticket (TGT)
that is encrypted using the ticket granting service (TGS). An encrypted
ticket will be returned. A brute force can be used offline to crack this ticket
to reveal the service account password in plain text. This process is called
Kerberoasting. There is no risk of detection and no need for escalated
privileges, and the process is easy to perform.
Credentials In Microsoft Windows, the local security authority sub-system service
in LSASS (LSASS) is a file in the directory that performs the system's security
protocol. It's an essential part of the security process as it verifies user
logins, creates access tokens, and handles password changes.

This file is susceptible to corruption by viruses or Trojan horses. LSASS

is a critical component of domain authentication, Active Directory
management on the domain system, and the initial security authentication
procedure. If it's compromised, an attacker can easily escalate privileges
in the network.
SAM Security Account Manager (SAM) is a database that stores user
database passwords in Windows as an LM hash or an NTLM hash. This database
is used to authenticate local users and remote users. It doesn't store the
domain system user credentials like the LSASS database does; rather, it
stores the system's administrator recovery account information and
passwords. While the SAM file can't be copied to another location, it is
possible to dump the hashed passwords to an offsite location where the
passwords can be decrypted with a brute force method.
Unattende While it is convenient and sometimes necessary, to install a program
d throughout a network without having to sit at every computer, there are
installation risks. If the administrator fails to clean up after the installation, a file called
Unattended is left on the individual workstations. The Unattended file is
an XML file and has configuration settings used during the installation that
can contain the configuration of individual accounts including admin
accounts. This makes privilege escalation easy.
To avoid additional risks:

• Give only the privileges needed for the installation when creating the
answer file for an unattended installation.
• Ensure credentials are encrypted when a network admin is installing
over a network.
• Secure the image created for the installation.
DLL DLL hijacking can happen during an application installation. When loading
hijacking an external DLL library, Windows usually searches the application
directory from which the application was loaded before attempting a fully
qualified path. If an attacker has installed a malicious DLL in the
application directory before the application installation has begun, then
the application will choose the malicious DLL.

Tools

The following table identifies tools hackers can use to elevate privileges.

Tool Description
Trinity Trinity Rescue Kit (TRK) helps with repair and recovery operations on
Rescue Windows machines. It is a great tool for maintenance. It has many
Kit functions, including resetting passwords, scanning for viruses, running a
disk cleanup, and fixing bugs.
ERD ERD Commander software is designed to correct problems that can occur
Comman when rebooting after you install new software on a Windows NT system. It
der allows users access to the command prompt to perform basic system
maintenance tasks during the boot process.
OPH A tool for cracking Windows login passwords. It uses rainbow tables and
Crack has the capability to crack hashes from many formats. It is an open-source
program and free to download.
Countermeasures

The most effective way to protect against privilege escalation is to tighten privileges to
make sure that users have only the privileges that they need. This prevents escalation if
an attacker gains access to an account that has higher privileges than it needs. Once
privileges are tightened, focus on these steps:

• Encrypt sensitive information.

• Implement multi-factor authentication and authorization.
• Restrict interactive logon privileges.
• Scan the operating system and application coding regularly for bugs and errors.
• Frequently perform updates on the operating system and applications.
• Install auditing tools to continuously monitor file system permissions.
• Use fully qualified paths in Windows applications.
• Select Always Notify in the UAC settings.
=======

Every computer network has levels of privileges that give each user appropriate access
for the user's function in the organization and the security of the network. Privilege
escalation occurs when an attacker accesses the network as a non-administrator level
user and gains access to administrative-level privileges. An attacker seeks privilege
escalation in order to access sensitive information, to delete files, or to install programs
like worms, viruses, or Trojan horses.

This lesson covers the following topics:

• Privilege escalation techniques

• Tools
• Countermeasures

Privilege Escalation Techniques

Hackers can escalate privileges in the following ways:

Method
cPassword cPassword is the name of the attribute that stores passwords in a Group
Policy preference item in Windows. This attribute is easy to exploit
because Microsoft publishes the public key for the Group Policy
preferences account credentials. These preferences allow domain
admins access to create and change any local user or local admin
account. Cpasswords are stored in an encrypted XML file in the SYSVOL
folder on the domain controllers. This allows any domain authenticated
user access to decrypt the password.
Clear text Data transferred unencrypted or in clear text is vulnerable to hackers.
credentials Beware, however, most domain controllers allow clear text credentials to
in LDAP be transmitted over the network, even to and from the local directory. You
can check for clear text transfers by using the unsecured LDAP bind script
in PowerShell. PowerShell will deliver a CSV file as output, showing you
which accounts are vulnerable.
Kerberoast Kerberos is a protocol that allows authentication over a non-secure
ing network by using tickets or service principal names (SPNs). A user
authenticates to the server, which forwards the user name to the key
distribution center (KDC). The KDC issues a ticket-granting ticket (TGT)
that is encrypted using the ticket granting service (TGS). An encrypted
ticket will be returned. A brute force can be used offline to crack this ticket
to reveal the service account password in plain text. This process is called
Kerberoasting. There is no risk of detection and no need for escalated
privileges, and the process is easy to perform.
Credentials In Microsoft Windows, the local security authority sub-system service
in LSASS (LSASS) is a file in the directory that performs the system's security
protocol. It's an essential part of the security process as it verifies user
logins, creates access tokens, and handles password changes.

This file is susceptible to corruption by viruses or Trojan horses. LSASS

The following table identifies tools hackers can use to elevate privileges.

Countermeasures

• Encrypt sensitive information.

As you study this section, answer the following questions:

• How do hackers maintain access to the systems they exploit?

• What are writable services?
• How do hackers leave the back door open for themselves?

In this section, you will learn to:

• Create a backdoor with Metasploit

• Create a backdoor with Netcat

Key terms for this section include the following:

Term Definition
Path When a malicious file name is added to a service path without quotation
interceptio marks and includes spaces in the code.
n
Backdoor An installed program that grants continued access to a previously hacked
system.
Spyware Malware that works by stealth to capture information and send it to a
hacker to help them gain remote access.
Crackers Software programs that crack code and passwords to gain unauthorized
access to a system.
Writable A service with permissions that allow anyone to change the service's
services execution.

This section helps you prepare for the following certification exam objectives:

Exam Objective
TestOut Ethical Hacker Pro Gain administrative access and escalate privileges

• Gain access through a backdoor

EC-Council 4. Tools/Systems/Programs

• Information Security Tools

5. Procedures/Methodology

• Information Security Procedures

Exploit Systems to Maintain Access Facts

Hackers like to keep access to the systems they have gained admin or root access to.
They also work hard to keep other hackers out of the system. At the admin or root level,
they have the ability to download or upload anything, capture and manipulate data, and
configure applications and services. They can also use the system to exploit other
systems.

The following table lists a few ways a hacker can maintain access:

Method Description
Path When an executable such as an app, service, or process is started, the
interceptio system looks for a path for the file that runs it. There is no problem if the
n path is written within quotation marks and has no spaces. However, if the
path name doesn't have quotation marks around it and there are spaces
in the path name, there is an opportunity for a hacker to add a path that
routes to a malicious file.

Executables called on a regular basis can provide continued access to a

system. Executables started by a higher privileged process can give the
hacker elevated privileges, allowing the hacker to create a new user in the
system with administrator rights providing ongoing system access.

Here is an example:

Trusted Path:
Path to executable: “c:\programfiles\subdirectory\programname.exe”
Exploitable Path:
Unquoted path with spaces: c:\program files\sub directory\program
name.exe
Writable Another way to exploit a service is to search for admin level accounts that
services have services that are writable. Services with weak permissions allow
anyone to alter the execution of the service. This may include creating a
new admin user account that gives the hacker rights to do whatever the
admin account can do.
Unsecure Older versions of Windows allow administrators to access the files and
file and folders of any non-admin user. This can lead to DLL hijacking and
folder malicious file installations on a non-admin targeted user.
permissio
ns

The following table describes additional ways a hacker can establish continued access to
the systems they hack.

Method Description
Backdo When hackers gain access to a system, often they establish a way to get
ors back into it again later. This is referred to as a backdoor. Typically, a hacker
will install a rootkit, Trojan horse, or a remote access Trojan (RAT). Rootkits
have access at the operating system level and Trojans have access at the
application level. As previously discussed, a hacker may create a new user
to obtain access.
Cracker Crackers are software programs that crack code and passwords to gain
s unauthorized access to a system. There are many methods and tools
available for this approach such as dictionary, brute force, and rainbow
attacks.
Spywar Spyware is malware that works by stealth to capture information and sends
e it to a hacker to gain access. Spyware can be keystroke logging, activity
tracking, screen captures, or file operations. Spyware can be unintentionally
installed by a user through normal web activity and it is often undetected.
Hackers may install backdoors into the system to maintain access to the
spyware.
Schedu When processing task files, Windows Task Scheduler has a vulnerability in
led its validation of the files. It has a default configuration that allows regular
Tasks users to write task files. An attacker can modify a task file to execute
malicious commands. This method can be used to escalate privileges,
maintain access, perform remote execution, and implement malicious
programs at system startup.

8.4 Cover your tracks

As you study this section, answer the following questions:

• How can an attacker prevent being detected?

• How is evidence such as files, data, and programs hidden?
• What are rootkits? How can you detect them? And how can you protect systems from
them?
• What is steganography? Why is it so difficult to detect?

In this section, you will learn to:

• Clear Windows log files on Server 2016

• Clear audit policies
• Hide files with OpenStego

Key terms for this section include the following:

Term Definition
Rootkit A software program that attackers use to establish root-level privileges
to a system.
Steganogra A method of embedding data into legitimate files like graphics, music,
phy video, and plain text messages to hide it from everyone except the
intended receiver.
NTFS data One data stream stores the attributes, another stores the data.
streams Additional data streams, which can be hidden, are allowed.
Slack space The unused portion of an existing file that has been defined.
System file Files that are continuously recording when files are created, accessed,
logs or modified.

This section helps you prepare for the following certification exam objectives:

Exam Objective
TestOut Ethical Hacker Pro 4.1 Cover up access

• Disable auditing
• Clear logs
• Remove or hide files and folders
EC-Council 4. Tools/Systems/Programs

• Information Security Programs

• Information Security Tools

5. Procedures/Methodology

• Information Security Assessment Methodologies

Cover Your Tracks Facts

Covering tracks is an important phase in hacking to prevent being traced and to remain
undetected during continued access. There are many methods hackers use to remove
traces of their attacks.

This lesson covers the following topics:

• Erase or modify evidence

• Hide evidence
• Modify timestamps
• Disable auditing
• Tools to cover tracks
Erase or Modify Evidence

System log files are the first place to check for questionable activity. Typically, hackers
erase only the parts of the logs that show hacking actions. To the extent possible, a
hacker makes the log appear as it did before the attack. This can be done without admin
privileges. Hackers commonly delete the following logs in Windows files:

• SECEVENT.EVT logs failed logins and file access without privileges.

• SYSEVENT.EVT logs anomalies in system operations and driver failure.
• APPEVENT.EVT logs application variants.

These files are continuously open, running, and logging activity. A good hacker will
remove any unnecessary files that were added during the hack and remove information
in the files that were generated by the attack.

Hide Evidence

Another way to cover tracks is to hide the evidence. Following are methods a hacker can
use to hide files.

• Choosing the hidden option in the file attributes menu will hide the file from directory
listings and from browsing in Windows Explorer.
• Placing a period at the beginning of a Linux, Unix, and OS X file name hides the file.
• Placing the file in the unused or slack space of an existing file can hide a file. Because
the file size was defined previously, there will be no indication that data was added to
the file, and the data doesn't typically show up when opening the file.
• Incorporating the file in the ADS can hide it. ADS was created to allow compatibility with
Macintosh files. One of its features is the ability to have multiple streams of data
simultaneously. The alternate stream of data isn't seen in Windows Explorer.
• Using executables that can be activated from the command line, but will remain unseen.
This allows the hacker to actively run programs undetected.
Modify Timestamps

Another method to cover tracks is to alter the timestamp on files. Each file gets stamped
with a time and date each time it is created, accessed, or modified. You can use the
following tools to do this:

Tool Description
Timest Timestomp is a tool for modifying or deleting a file's timestamp in order to
omp hide when the file was created, accessed, or modified. Hackers change times
and dates to blend in with existing timestamps so as to not alert digital
forensic investigators of access or exploitation.
Touch The touch command in Linux, Unix, and OSX can be used to alter the
timestamp as well. It can change the time to the current time or to any specific
time.
ctime ctime is a header file that contains definitions of functions to get and
manipulate date and time information.
Meterpr Meterpreter is Metasploit's payload. It has many features for covering tracks,
eter including the ability to launch a fileless attack.

Disable Auditing

After gaining administrative access to a system, a hacker will typically install

reconnaissance tools such as keyloggers to obtain logins and passwords. This action will
be recorded in either the event login Windows or the syslog of Linux and other systems.
These logs can be programmed to alert system administrators. To disable auditing, a
hacker can use the Auditpol.exe command line utility to remotely change the audit
security settings. AuditPol can be used to disable security auditing on either local or
remote systems. It can also be used to enable auditing after the attack is over to avoid
suspicion. A hacker can use Auditpol.exe to alter the audit criteria for categories of
security procedures.
Cover Tracks

There are many ways to clear online tracks:

• Browse in private mode

• Delete history in address field and stored history
• Clear cookies and caches
• Delete downloads, saved sessions, and user JavaScript
• Disable the password manager and clear its data
• Create multiple users
• Clear Most Recently Used and toolbar data

There are additional tools available to help cover tracks:

Tool Description
Cclean Ccleaner is a cleaning tool that can remove files and clears internet browsing
er history. It also frees up hard disk space. It clears the temporary files, history,
and cookies from each of the six major search engines.
Clear Clear My History is software that can clear cookies, stored data like
My passwords, browser history, and temporary cached files. It can clear the
History recycling bin, clipboard data, and recent documents lists as well.
Dump The dump event log command line tool in Windows 2000 dumps an event
event log remotely or on a local system into a tab-separated text file. It can also be
log used to filter specific types of events.
Hide Programs Facts

Hackers use a variety of techniques to hide the programs and data they have used.

This lesson covers the following topics:

• Rootkits
• NTFS data streaming
• Steganography
Rootkits

A rootkit is a software program that hackers use to establish root- or admin-level privileges
to a system. Rootkits are a set of programs designed to covertly access a system and
allow the hacker to control its functions. Using a rootkit, a hacker can hide added
applications and processes, obtain sensitive data, and set up the system to act as a server
for bot updates.

Rootkits can modify the operating system and the utilities of the target system. Rootkits
contain packet sniffers, utilities that remove logs, DDoS programs, IRC bots, and
backdoor programs. The following table describes two tools to create rootkits:

Tool Description
Gray A rootkit tool that runs within the Windows operating system. It contains hidden
Fish storage and has invisible command execution. GrayFish isn't flagged in anti-
rootkit scans because it sets no hooks on Window kernel functions and doesn't
register callback functions.
Siref Sirefef, also known as ZeroAccess, has virus, Trojan horse, and rootkit
ef components. As a rootkit, it is unseen by antivirus and anti-spyware programs.
It hides by changing the internal process of the target operating system. Sirefef
is difficult to remove and can create problems with Windows Firewall and
Defender Service, remote hosts, and browser settings. It creates a folder to
store additional malware.

Several methods used to detect and identify rootkits include:

Detection
Description
Method
Integrity- Integrity-based detection works by running a tool to scan a clean system
based to create a database. The integrity-based detection scans the system
detection and compares the current scan to the clean database. Any dissimilarities
between the clean baseline database and the current scan are flagged
and a notification is sent.
Signature- Signature-based detection scans a system's processes and executable
based files looking for byte sequences of known malicious rootkit programs.
detection
Heuristic or Heuristic or behavior-based detection searches for deviations in normal
behavior- behaviors and patterns of an operating system. One of the patterns it
based searches for is execution path hooking which allows a function value in
detection an accessible environment to be changed. This is a behavior used by
rootkits.
Runtime Runtime execution path profiling checks for variations in the runtime
execution execution path of all executable files and system processes.
path
profiling
Cross view- Cross view-based detection uses an algorithm as it goes through the
based system files, processes, and registry keys to create a baseline that is
detection compared to the data returned by the operating system's APIs.

To prevent rootkits, take the following steps:

• Back up critical data and reinstall the OS and applications.

• Install and routinely update firewalls.
• Patch and regularly update the OS and applications.
• Keep a record of automated installation procedures.
• Harden servers and network stations.
• Train users to confirm that downloads are from a trusted source.
• Check for rootkits through a kernel memory dump analysis.

NTFS Data Streaming

Another way that hackers can hide programs is through NTFS alternate data streams
(ADS). When a file is created or copied to NTFS, one data stream stores the attributes,
and a second stores the data. NTFS allows each file an unlimited number of data streams
with unlimited size. Because they are hidden, a hacker can inject malicious code into
these alternate data streams and execute the code without being detected by the user or
system administrator.

To get rid of malicious alternate data streams, move suspect files to a partition or device
that is formatted using FAT. Since FAT doesn't support alternate data streams, the
alternate file streams will be removed when the file is moved. Remember to keep your
antivirus software updated. Some tools that detect and remove infected ADS include
LADS, Stream Detector, LNS, and Forensic Toolkit.

Steganography

Steganography is the method of embedding data into legitimate files like graphics, banner
ads, or plain text messages to hide it and then extracting the data once it reaches its
destination. It is very difficult to detect and has become a very popular method for hackers.
Steganography can hide identities, communication, code, and content. Hackers can use
steganography as an alternative to encryption because data hidden in steganography
doesn't have to be encrypted. However, encrypted steganographic information is even
more difficult to decipher.

The following table describes several types of steganography.

Steganography Description
Type
Image The most common form of steganography is hiding information in
steganography image files.
Video Files with extensions can be hidden in video files such
steganography as .MPG4, .AVI, and .WMV.
Document or The data is hidden in added white spaces and tabs at the end of
whitespace lines.
steganography
Audio The data is hidden in a digital sound format through least
steganography signification bit (LSB) manipulation.
Web The data is hidden behind a web object when uploaded to the
steganography server.
C++ source A set of tools is hidden in the C++ code.
code
steganography
Spam/email Data is embedded in an email.
steganography

The following table lists tools used to create steganography.

Tool Description
StegoSti A steganography tool that allows a file to be hidden within any image, audio,
ck or video file, even in PDFs and EXE files.
OpenSte A tool for hiding data in a cover file or watermarked files. It can be used to
go trace file copying.
OmniHid OmniHide Pro can hide files in photos, movies, documents, and music. It
e Pro allows the user to create a password to make the hidden file more secure.
DeepSo A tool for hiding data in audio files and extracting files from audio tracks. It
und also has the option to encrypt the files.
Spam Spam Mimic encodes data into emails and has the ability to decode the
Mimic messages.

While it is difficult to detect steganography, there are some actions you can take. The
table below identifies where to look for steganography files.

Steganograp Description
hy Type
Text Check for extra spaces and invisible characters. Look for unusual
patterns in spacing, fonts, line heights, and even in the language.
Image Check for changes in format, size, the color palette, and the last
modified timestamp.
Audio Look for distortions and patterns in frequencies that are above or below
the human range of hearing.
Video Use a combination of the methods used for audio and image files to
search for hidden information.

The following tools aid in steganography detection:

Steganography Description
Detection Tool
Discover the Scans for known steganography and encryption programs.
Hidden
StegoHunt Searches for carrier files through statistical analysis techniques,
scans for data hiding tools;,and can crack password-protected
data to extract the payload.
Gargoyle Scans for known steganography files created by tools such as
BlindSide, S-tool, and WeavWav.
StegAlyzerSS Scans media or forensic images for uniquely identifiable byte
patterns or known signatures left inside files when a
steganography application is used to embed hidden information
in them.
Virtual Uses, tests, and adjusts different steganographic techniques in a
Steganographic simple GUI. VSL is free image steganography and steganalysis
Laboratory (VSL) software.
Stegdetect Detects steganographic content in images.

9. Malware

9.1 As you study this section, answer the following questions:

• What are the different types of malware?

• Which component of malware actually causes damage?
• What is the purpose of a Trojan horse?
• What are some ways malware can infect a system?
• What is the best way to analyze malware?
In this section, you will learn to:

• Create a virus
• Create a HTTP Trojan
• Use ProRat to create a Trojan

Key terms for this section include the following:

Term Definition
Malware Any software that is designed to perform malicious and disruptive
actions.
The Computer This law was originally passed to address federal computer-related
Fraud and Abuse offenses and the cracking of computer systems.
Act
The Patriot Act This act expanded on the powers already included in the Computer
Fraud and Abuse Act.
CAN-SPAM Act This law was designed to thwart the spread of spam.
Crypter Software that protects the malware code from being analyzed and
reverse engineered. It also helps prevent detection from anti-virus
software.
Exploit The act of taking advantage of a bug or vulnerability to execute
malware.
Injector A program that injects malware into vulnerable running processes.
Obfuscator The act of concealing malware through different techniques.
Packer The act of compressing malware to help hide it.
Payload The main piece of malware. The payload is the part that performs
the malware's intended activity.
Malicious code Code that defines the malware's basic functionality, such as
deleting data or opening backdoors into the target.
Sheep dipping The process of analyzing emails, suspect files, and systems for
malware.

This section helps you prepare for the following certification exam objectives:
Exam Objective
EC-Council 2. Analysis/Assessment

• Information Security Assessment and Analysis

3. Security

• Information Security Attack Detection

• Information Security Attack Prevention

4. Tools/Systems/Programs

• Information Security Tools

5. Procedures/Methodology

• Information Security Procedures

6. Regulation/Policy

• Information Security Policies/Laws/Acts

Malware Overview Facts

As long as computers have been around, people have been creating malware programs.
The term malware is short for malicious software. These are programs that are designed
to perform malicious and destructive functions.

This lesson covers the following topics:

• Malware related laws

• Malware components
• Viruses
• Worms
• Virus and worm countermeasures
Malware Related Laws

The follow table lists the regulations that apply to malware:

Law Description
Computer The Computer Fraud and Abuse Act (CFAA) was first introduced in 1984
Fraud and has been updated many times since. The CFAA essentially defines
and what computer related crimes are and ensures that these crimes can be
Abuse punished.
Act
USA The Uniting and Strengthening America by Providing Appropriate Tools
Patriot Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act)
Act expanded on the powers already included in the CFAA.
CAN- The Controlling the Assault of Non-Solicited Pornography And Marketing
SPAM (CAN-SPAM) Act was signed into law in 2003. The CAN-SPAM Act
Act established the rules and guidelines for commercial emails efforts to curb
the assault of spam emails. According to the FTC, these guidelines are as
follows:
1. Don’t use false or misleading header information. The From, To, Reply-
To, and routing information, including the originating domain name and
email address, must be accurate and identify the person or business who
initiated the message.
2. Don’t use deceptive subject lines. The subject line must accurately reflect
the content of the message.
3. Identify the message as an ad. The law gives you a lot of leeway in how
to do this, but you must disclose clearly and conspicuously that your
message is an advertisement.
4. Tell recipients where you’re located. Your message must include your
valid physical postal address. This can be your current street address, a
post office box you’ve registered with the U.S. Postal Service, or a private
mailbox you’ve registered with a commercial mail receiving agency
established under Postal Service regulations.
5. Tell recipients how to opt out of receiving future email from you. Your
message must include a clear and conspicuous explanation of how the
recipient can opt out of getting email from you in the future. Guidelines
include:
o Craft the notice in a way that’s easy for an ordinary person to recognize,
read, and understand.
o Creative use of type size, color, and location can improve clarity.
o Give a return email address or another easy internet-based way to allow
people to communicate their choice to you.
o You may create a menu to allow a recipient to opt out of certain types of
messages, but you must include the option to stop all commercial
messages from you.
o Make sure your spam filter doesn’t block these opt-out requests.
6. Honor opt-out requests promptly. Guidelines for this rule include:
o Any opt-out mechanism you offer must be able to process opt-out
requests for at least 30 days after you send your message.
o You must honor a recipient’s opt-out request within 10 business days.
o You can’t charge a fee, require the recipient to give you any personally
identifying information beyond an email address, or make the recipient
take any step other than sending a reply email or visiting a single page on
an internet website as a condition for honoring an opt-out request.
o Once people have told you they don’t want to receive more messages
from you, you can’t sell or transfer their email addresses, even in the form
of a mailing list.
o The only exception is that you may transfer the addresses to a company
you’ve hired to help you comply with the CAN-SPAM Act.
7. Monitor what others are doing on your behalf. The law makes clear that
even if you hire another company to handle your email marketing, you
can’t contract away your legal responsibility to comply with the law. Both
the company whose product is promoted in the message and the company
that actually sends the message may be held legally responsible.
Malware Components

Malware is made up of different components that allow it to achieve its goals. These
components are:

Compon Description
ent
Crypter Basically a shell around the malware code that keeps the malware from
being analyzed and reverse engineered. This also helps prevent detection
by anti-malware programs.
Exploit This takes advantage of a bug or vulnerability to execute the malware.
Injector The program that injects, or places, the malware into vulnerable running
processes.
Obfuscat Uses different techniques to conceal the malware.
or
Packer Compresses the malware to reduce its size and also helps hide it.
Payload This is the main piece of the malware. The payload is what performs the
intended activity of the malware.
Maliciou The programming that performs the malware's basic functionality.
s code

Viruses

A virus is the most well-known type of malware. People often interchange the terms
malware and virus. A virus is self-replicating malware that attaches itself inside a
legitimate program. It must be attached to another program to run. Hackers will often use
a virus making tool to create a virus or will write their own. A virus making tool allows the
hacker to define what they want the virus to do and how to replicate itself. Writing a unique
virus will make the virus harder for antivirus software to detect, but does require
programming knowledge. There are many types of viruses. How the virus is executed
and what it does will define the virus type. The following table describes common viruses.

Virus Type Description Example

Direct action Infects a program and runs only when that program is VCL.428
run. The virus stops when program is closed. The goal
is to infect as many files and folders as possible.
Logic bomb Triggered by an event, such as specific date/time or a AgentBase.
program being executed. If triggered by date/time, it is exe
referred to as a time bomb.
Overwrite Overwrites the contents of an infected file or folder. The Loveletter
only way to get rid of this virus is to delete infected files.
Browser Infects web browsers so when the user attempts to go Onewebse
hijacker to a web page, the virus will redirect the browser to a arch
fake website that can harm the computer.
Web scripting Resides in ads, videos, or the background of a website. JS.fornight
When a user visits, the virus will infect the computer
automatically through client-side scripting. There are
two types of this virus, persistent and non-persistent.
Persistent is when the user's cookies are stolen and can
lead to session hijacking. Non-persistent is when the
user is attacked without knowing.
Boot sector Moves the MBR to another location on the hard drive Polyboot.B
and embeds itself in the original location. When the
computer boots, the virus runs first, then passes control
to the MBR.
Cavity Also known as an overwriting virus. This virus fills in Lehigh
empty space in a file or program without increasing the Virus
length of the file. It preserves the file or program's
functionality.
Email A virus that is sent as an email attachment. This can be (almost any
any type of virus. virus)
Sparse- Attempts to hide itself from antivirus by infecting at Dark
infector random times or by random triggers. These triggers can Avenger
be a specific file size, name, date, or when a particular
program is executed.
Polymorphic Contains a mutating engine that changes the code Elkern
every time the virus is replicated while keeping the
original malware algorithm intact. This makes the virus
extremely difficult to detect.
Encryption Also known as a cryptovirus, this virus infects the user Cryptolock
files and folders and encrypts them. A decryption key is er
required to recover the data.
Macro Infects files created by Microsoft Office or similar Melissa
programs. These viruses will typically infect a template
file and keep the appearance of a normal file.
Cluster Also known as a directory virus. The virus changes file Dir-2
paths of programs. When an infected program is run,
the virus will also run in the background. These can be
difficult to trace.
File infector Infects executable files so when the file is run, the virus Cascade
executes.
Companion Also known as a camouflage virus. The virus creates a Stator
companion file for the infected file/program. When the
user runs the legitimate program, the virus is also run in
the background.
FAT Attacks the File Allocation Table destroying the index, The Link
making it impossible for files to be found. This is a very Virus
destructive virus.
Multipartite Combines the approach of a File and Boot Sector virus Ghostball
and attempts to infect files and the boot sector
simultaneously.
Stealth/tunneli Tricks the antivirus software by appearing to be a real Frodo
ng program or Windows service. When the AV software
scans files, the virus will intercept the request and send
the original, uninfected file to be scanned.
Metamorphic Rewrites itself completely each time it infects a new file. Zmist
This virus type is similar to a polymorphic virus, but is
more complex and effective.
Armored Wraps itself in code to hide its characteristics, protecting Whale
itself from being detected.
Terminate and This virus will reside in the system's RAM until the MrKlunky
stay resident computer is shut down or rebooted. This virus can
(TSR) interrupt anything being run on the system and infect
files or programs that are opened or closed.

Regardless of the type, all viruses have the same life cycle:

8. Design – virus is created.

9. Replication – virus replicates and spreads within victim machine.
10. Launch – virus is launched and executes payloads.
11. Detection – virus is detected and identified as a threat.
o Slow system
o Frequent Blue Screen of Death (BSOD)
o Deleted files
o Operating system won’t load
12. Incorporation – antivirus software developers design defenses against virus.
13. Execute the damage routine – users update antivirus software and eliminate virus threat.

Worms

Unlike viruses, worms are entirely self-replicating. Worms effectively use the power of
networks, malware, and speed to spread. These malware programs are generally not
destructive in nature, but do consume a large amount of bandwidth and can take down a
network system quickly if not caught. Worms can also carry additional payloads, such as
viruses, which will be destructive.

The following table compares worms and viruses:

Worms Viruses
Standalone malware program. Requires a file or executable program
to infect.
Generally does not modify files or folders. Can be destructive and modify files
including system files.
Can replicate through a network with no Can spread to other computers only
human interaction. through email or other media.
Consume network and system resources, such Changes the way a computer
as CPU cycles and network bandwidth. operates without the user's
knowledge.
Can spread through a network extremely Spreads and replicates as
quickly. programmed.

Virus and Worm Countermeasures

Use these countermeasures to combat viruses and worms:

• Install antivirus software that detects and removes infections as they appear.
• Generate an antivirus policy for safe computing and distribute the policy to the staff.
• Pay attention to the instructions while downloading files or any programs from the
internet.
• Update antivirus software regularly.
Trojan and Backdoor Facts

A hacker's goal is to gain and maintain access to a system. One method for maintaining
access is to have a Trojan horse installed on the target system. The Trojan horse can
open backdoors into the system it infects, providing the hacker with covert remote access.
Backdoor programs are embedded and hidden inside legitimate programs. When the user
runs that program, the Trojan horse runs in the background without the user’s knowledge,
giving the hacker remote access.

This lesson covers the following topics:

• Symptoms of an infection
• Types of Trojan horses
• Trojan horse creation
• Capabilities
• Communication channels
• Detection
• Countermeasures

Symptoms of an Infection

Trojan infection may be indicated by some of the following behaviors:

• Screen settings change by themselves.

• Chat boxes appear.
• Account passwords are changed.
• Legitimate accounts are accessed without authorization.
• Unknown purchase statements appear on credit card bills.
• Ctrl+Alt+Del stops working.

These are just a few of the symptoms. A general rule of thumb is that if a system begins
experiencing weird abnormal actions, there's a decent chance it might be infected and
should be examined.

Types of Trojan Horses

There are different types of Trojan horses. The resources that the Trojan attacks define
the type it is. Some of the more common Trojan types are listed in the following table:

Trojan Type Description Example

Remote RATs are one of the most prevalent types of Trojan FatRat
access horses. They provide a hacker with remote desktop
Trojan GUI access to the victim machine and complete control
(RAT) over the system.
Backdoor A backdoor Trojan is very similar to the RAT. This PoisonIvy
Trojan also provides complete administrative access
to the remote system and can bypass security such as
a firewall or IDS. The main difference between the
backdoor and a RAT is the backdoor does not provide
a remote desktop GUI access, only a shell.
Botnet A botnet controls a large number of computers to carry Kraken
out an attack. Once installed on a system, the Trojan
reports back to its command and control (C&C) center.
From the C&C center, the hacker can control the
machines to carry out attacks.
Distributed Computers infected with a DDoS Trojan become ElectrumDoSMi
Denial of zombies and listen for the command to attack. When ner
Service the command is given, all infected computers attack
(DDoS) the target simultaneously. The attacks system is
almost identical to a botnet; the only difference is the
function.
Destructive These Trojans are designed to delete files on the W32.DisTrack
target machine. Once a destructive Trojan infects the (Shamoon)
system, it will randomly delete files.
Banker Banker Trojans are also called e-Banking Trojans. Backswap
These malware programs monitor the victim's
computer and steal information related to financial
records such as bank account, credit cards, and bill
pay data.
IoT Internet of Things devices are the target of IoT Trojans. Mirai
Smart thermostats, lighting systems, HVAC systems
are examples of IoT devices that are are vulnerable to
this type of Trojan horse.
Proxy The proxy server Trojan is a standalone application Proxy (Linux
server that allows the remote hacker to use the victim's Trojan)
machine as a proxy to access the internet.
Defacement The defacement Trojan has the ability to change the Restorator
code and modify the contents of a database or a
website. These Trojans can change the way a website
or program looks and functions, making them
extremely destructive.
Gaming A gaming Trojan focuses on stealing user account GameThief
information from online gamers.
Mobile These Trojans target mobile devices. With the Hummer
increase in mobile device usage, the use of this
Trojans type is increasing rapidly.
Security The security software disabler stops the security Certlock
software programs, such as the firewall and IDS, from working.
disabler These Trojans are known as entry Trojans, as they
provide access so the hacker can perform the next
level of attack.
Command The command shell Trojan gives remote control of a Netcat
shell command shell on the target. It does not necessarily
provide full system access like a backdoor Trojan.

Trojan Horse Creation

The most common way to create a Trojan horse is to use a construction kit. These
programs allow the hacker to customize their Trojan. Most Trojan horse creation kits will
perform all steps in the Trojan creation process. Once the Trojan horse has been created,
it can be distributed using a variety of methods, including email, USB drives, and websites.
The steps to create a Trojan horse are:

14. Create the server. This is the file that is dropped into the target machine and what the
hacker will connect to.
15. Create the dropper. This is the part of the packet that will install the malicious code onto
the target's machine.
16. Wrap the dropper and server into a genuine application file. A program called a Wrapper
performs this function.
Capabilities

Once the Trojan horse has been installed on the victim’s machine, the hacker can perform
all sorts of activities, including:

• Stealing data
• Installing other software
• Creating backdoors
• Recording from the webcam
• Modifying files

Communication Channels

There are two methods of communication for a Trojan horse, overt and covert. Overt
communication is obvious, legitimate communication by the system. HTTP and TCP/IP
are examples of overt communication. A channel can be exploited to create a covert
channel by hiding communication inside of it. Covert communication is any method of
conveying information in a hidden or illegitimate manner. Covert channels violate the
security policy on the system. An example of covert communication is the Trojan horse
communicating with its command and control center.

Detection

Detecting a Trojan horse can be difficult. The best way is to monitor network traffic and
look for any suspicious network activity and open ports. The table below shows the most
common ports and which Trojan horse programs use them.

Por Trojans Por Trojans Port Trojans Port Trojans

t t
2 Death 149 FTP99CM 8080 Zeus 1777 Java RAT,
2 P Agent.BTZ/ComR
at, Adwind RAT
20 Senna 160 Shivka- 5569 Robo-Hack 2154 Girlfriend 1.0,
Spy 0 Burka 4 Beta-1.35
21 Blade 180 SpySende 6670 DeepThroa 2222 Prosiak
Runner, 7 r -71 t
Doly
Trojan,
Fore,
Invisible
FTP,
WebEx,
WinCrash
22 Shaft, 198 Shockrave 6969 GateCrash 2345 Evil FTP, Ugly FTP
SSH RAT 1 er, Priority 6
23 Tiny 199 BackDoor 7000 RemoteGra 2627 Delta
Telnet 9 1.00-1.03 b 4
Server
25 Antigen, 200 Trojan 7300 NetMonitor 3010 NetSphere 1.27a
Email 1 Cow -08 0-02
Password
Sender,
Haebu
Coceda,
Shtrilitz
Stealth
31 Hackers 202 Ripper 7789 ICKiller 3133 Back Orifice,
Paradise 3 7-38 DeepBO
80 Poison 211 Bugs 8787 BackOfrice 3133 NetSpy DK
Ivy, 5 2000 9
Executor
421 TCP 214 Deep 9872 Portal of 3166 BOWhack
Wrappers 0 Throat, - Doom 6
Trojan 9875
The
Invasor
456 Hackers 215 Illusion 9989 iNi-Killer 3333 Prosiak
Paradise 5 Mailer, 3
Nirvana
555 Ini-Killer, 312 Masters 1060 Coma 1.0.9 3432 BigGluck, TN
Phase 9 Paradise 7 4
Zero,
Stealth
Spy
666 Satanz 315 The 1100 Sennsa 4041 The Spy
Backdoor 0 Invasor 0 Spy 2
100 Silencer, 409 WinCrash 1122 Progenic 4042 Masters Paradise
1 WebEx 2 3 Trojan 1-26
101 Doly 456 File Nail 1 1222 Hack´99 4726 Delta
1 Trojan 7 3 KeyLogger 2
109 RAT 459 ICQTrojan 1234 GabanBus, 5050 Sockets de Troie
5- 0 5-46 NetBus 5
98
117 Psyber 500 Bubbel 1236 Whack-a- 5076 Fore
0 Stream 0 1-62 mole 6
Server,
Voice
123 Ultors 500 Sockets 1696 Priority 5300 Remote Windows
4 Trojan 1 de Troie 9 1 Shutdown
124 Subseven 532 Firehotcke 2000 Millennium 5432 SchoolBus .69-
3 1.0-1.8 1 r 1 1 1.11
124 VooDoo 540 Blade 2003 NetBus 2.0, 6146 Telecommando
5 Doll 0- Runner 4 Beta- 6
02 0.80 Alpha NetBus
2.01
117 njRAT 160 DarkCom 1863 XtremeRA 6500 Devil
7 4 et RAT, T 0
Pandora
RAT,
HellSpy
RAT
485 WannaCr 666 KillerRat, 5000 SpyGate
y, Petya 6 HoudiniR RAT,
AT PunisherR
AT

Countermeasures

The best countermeasure to Trojan horse malware programs is to avoid getting them in
the first place. Some basic guidelines to prevent infection are:

• Avoid opening email attachments

• Block unnecessary ports on firewall
• Do not install unknown programs
• Monitor network traffic
• Install and maintain malware software

If a system is infected, run in-depth scans with updated antivirus and anti-Trojan software.
Additional steps may be needed, depending on the infection.
Malware Concern Facts

Aside from viruses, worms, and Trojan horses, there are other types of malware that can
be cause for concern. These malware programs can be just as destructive, if not more
than, a virus or Trojan horse. No matter the type of malware, there are multiple methods
for infecting systems.

This lesson covers the following topics:

• Malware infection methods

• Additional types of malware

Malware Infection Methods

A system can be infected by malware in many ways. Some of the more common methods
are:

• USB drives
• Phishing emails
• Downloading and installing from website

Additional Types of Malware

Rootkits, spyware, adware, scareware, and ransomeware are also concerns, as the follow

Type Description
Rootkit Rootkits are a very dangerous type of malware. The term comes from
combining the words root, the equivalent of an administrator on Linux, and
kit, the software being executed. A rootkit consists of different programs that
give the hacker root, or administrator, access to the target machine, allowing
the hacker to perform exploits such as installing keyloggers.

A famous rootkit was distributed by Sony BMG (now Sony Music) in 2005.
In an attempt to enforce copyright protection, Sony installed Extended Copy
Protection and MediaMax CD-3 software on millions of music discs. This
software prevented users from copying the CDs and also sent data to Sony
about the user’s actions. Unfortunately, the rootkits Sony installed also
opened vulnerabilities, which other malware programs took advantage of.
Spyware Spyware is a type of malware that is designed to collect and forward
information regarding a victim’s activities to someone else. While this type
of malware doesn’t usually cause damage to a machine, it is extremely
invasive. Spyware can be especially dangerous because it can spy on
everything the user is doing. People often associate spyware with web
browsing activities, but spyware will also report on applications being run,
instant messaging activity, and almost anything else the user does on the
system.
Adware Adware causes pop-up and pop-under advertisements on the infected
system. Users often install adware as a bundle with freeware programs or
when visiting a website that stealthily installs adware in the background.
Scarewa Scareware shows the user warnings about potential harm that could happen
re if they don’t take some sort of action, such as purchasing a specific program
to clean their system. If the user falls for the attack, the software that is
purchased will often contain other malware, and the hacker has the user's
credit card information.
Ransom When ransomware infects a system, it will scan the computer for user files
ware and encrypt them. To recover the files, there are usually instructions on how
to pay a ransom using cryptocurrency to receive the decryption key. There
is no guarantee that the user will receive the decryption key.
Malware Analysis Facts

One of a penetration tester's roles is to understand malware and how it operates. The
penetration tester needs to know how the malware works in order to utilize it in testing
and make recommendations for combating threats.

Malware analysis is the process of reverse-engineering a specific piece of malware in

order to determine its origin, functionality, and potential impact. There are two methods
of malware analysis, static and dynamic.

This lesson covers the following topics:

• Sheep dipping
• Static analysis
• Dynamic analysis
Sheep Dipping

The process of analyzing emails, suspect files, and systems for malware is known as
sheep dipping. The term comes from the process sheep farmers use to dip sheep in
chemical solutions to clear them of parasites. A special computer that is used for analysis
is called a sheep dip computer. This computer is isolated from all networks, and it has
port monitors, file monitors, network monitors, and anti-virus software. This system
connects to a network only under extremely strict conditions. Along with the sheep dip
computer, an anti-virus sensor system is used. This is a collection of software that detects
and analyzes malware.

Static Analysis

Static analysis is also known as code analysis. This involves going through the actual
code of the malware without executing it. This is done using a variety of tools and
techniques in order to understand the malware's function and purpose. Because the
malware itself is not being run, this method is relatively safe. There are several static
analysis techniques:

Technique Description
File File fingerprinting is the process of identifying unique malware
fingerprinting programs through generating a hash for the program. This hash can
be checked throughout the analyzing process to see if it has
changed. MD5 or SHA1 are the two most common hash functions
used in file fingerprinting. File fingerprinting does not work well with
encrypted files, password-secured files, or media files.
Scanning This process involves scanning the malware with a local anti-
malware program or using an online scanner.
String When the malware's code is not obfuscated, the analyzer can search
searching for strings of plain text in the code. These strings may show the
malware's purpose and some of its functions.
Identify Hackers use obfuscation techniques and packers to compress and
obfuscation/pac encrypt their malware. Part of the analyzing process is to determine
king the method that was used. If the method is determined, the analyzer
should be able to unpack the code without damaging or changing it,
which allows for deeper analysis.
Malware Disassembling the malware allows the analyzer to learn everything
disassembly about the program and what it's designed to do. Loading the program
into a disassembler or debugging program will generate the raw
code, which can be analyzed to determine everything about the
malware.

Dynamic Analysis

Dynamic analysis is the process of analyzing the malware by running it and observing
how it behaves and its effects on the system. This type of analysis can be done only on
the sheep dip computer.

The first step in this process is to create a system baseline. System baselining refers to
the process of creating a snapshot of the system before the malware is run. This allows
the analyzer to determine the changes the malware has on the system.

The process of studying the malware and its effects is known as Host Integrity Monitoring.
This involves using the same tools and processes to take a snapshot of the system before
and after the malware is executed. Host Integrity Monitoring includes monitoring many
components, as explained in the following table.

Technique Description
Ports Malware often opens ports on the computers. Using tools such as
Netstat will show any open ports the malware is using.
Processes Malware can hide itself by posing as genuine Windows services or
processes. Using a tool like Process Monitor can help determine if any
processes are actually malware.
Registry Monitoring the registry for any changes by the malware is important, as
malware will often create registry keys. Scanning the registry for
suspicious keys can aid in tracking the malware infection.
Windows Malware can spawn additional Windows services or rename malicious
services processes to look like a Windows service and evade detection.
Windows Service Manager can detect changes in services and can also
scan for suspicious Windows services.
Startup Malware can set itself to load with Windows in startup programs.
programs Verifying the startup programs can be done manually or with a tool like
WinPatrol or Autoruns.
Event logs Event logs should be analyzed to identify malicious or suspicious
activities.
Installation When software is installed or uninstalled, traces of the application data
can be left on the system. You can install monitor programs such as
SysAnalyzer to help track anything being installed or uninstalled.
Files and Malware will normally modify a system's files and folders. Use file and
folders folder integrity checkers such as Tripwire or SigVerif, which is the built-
in Windows file verifier.
Device Malware can hide itself inside untrusted or invalid device drivers. Verify
drivers that device drivers are valid and trusted.
Network Most malware will generate network traffic. Analyzing network traffic
traffic with programs like Wireshark will help you see what the malware is
doing and track it down.
DNS Some malware is capable of changing a system's DNS information.
DNSQuerySniffer, DNSstuff, and similar programs can monitor DNS
requests and settings of the system. The analyzer should use these
tools to monitor DNS requests and identify whether the malware can
change those settings.
Application APIs are parts of the Windows OS that allow external applications to
Program access OS information such as file systems, threads, and errors. A
Interface program like API Monitor can help the analyzer see how the malware is
(API) calls interacting with the operating system.

9.2 Combat Malware

As you study this section, answer the following questions:

• What are the best methods for detecting malware?

• What steps should you take when penetration testing for malware?
• What actions should be taken when malware is discovered?

In this section, you will learn to:

• Detect open ports with nmap

• View open ports with netstat
• Counter malware with Windows Defender

Key terms for this section include the following:

Term Definition
Heuri Heuristic algorithms generate fairly accurate results in a short amount of time
stic by focusing on speed instead of accuracy and completeness.
algori
thm

This section helps you prepare for the following certification exam objectives:

Exam Objective
TestOut Ethical Hacker Pro 1.2 Perform scanning

• Identify open ports

5.1 Defend systems and devices

• Use malware protection

EC-Council 3. Security

• Information Security Attack Prevention

4. Tools/Systems/Programs

• Information Security Tools

Anti-Malware Software Facts

Malware programs are one of the tools and methods attackers use to gain access to
systems. Utilizing anti-malware software is one of the more important steps you can take
to protect a system.

This lesson covers the following topics:

• Anti-malware software
• Malware detection methods
• Penetration testing malware
• Malware removal

Anti-Malware Software

Anti-malware is an umbrella term that encompasses several types of programs that

prevent malicious software from infecting a system. Anti-malware includes anti-Trojan
and antivirus software. Anti-Trojan software is designed specifically to counterattack
Trojan horse programs. Anti-Trojan programs utilize scanning methods specifically
designed to detect and clear a system of Trojans, rootkits, backdoors, and similar types
of damaging software.

Antivirus software is designed specifically to counterattack viruses and worms. Antivirus

programs usually have a live monitoring system to immediately detect and stop viruses
and worms from running.

Often, the antivirus and anti-Trojan software is combined into a single anti-malware
program. Some of the more popular anti-malware programs include:
• Bitdefender
• McAfee
• Webroot
• Symantec Norton 360
• Kaspersky
• AVG
• Avira
• ClamAV (Open Source Program)

The development of an anti-malware program typically follows these steps:

1.Identify unique characteristics of malicious software. Malware programs have unique

signatures or characteristics.
Write the scanning process. Developers write the program that scans for the identified
signatures and characteristics.
2.Update the anti-malware program. Anti-malware software typically stores the signatures
and characteristics of known threats in a database that is part of the anti-malware program.
Anti-malware software installed at client sites is typically automatically updated to include
the database changes to detect and deal with the latest threats.
3.Scan the system. The anti-malware scans the system and identifies any malware found
in the system. Anti-malware typically either quarantines or deletes the malware.

Malware databases must be updated regularly. They cannot detect unknown threats.

Malware Detection Methods

Anti-malware software uses a variety of methods to detect malware. Some of the best
methods for detecting are described in the following table:

Method Description
Scannin A malware scanner is a vital piece of the anti-malware software. The
g scanner should have live system monitoring to immediately detect malware.
The anti-malware database should be updated on a regular basis to ensure
that it can protect systems from newly devised threats. If not, the system is
vulnerable to attack by new malware.
Integrity Integrity checking establishes a baseline of the system and will alert the user
checking if any suspicious system changes occur. Integrity checkers cannot
determine if the change is from malware, a system failure, or some other
cause.
Intercept Interception is mainly used against logic bombs and Trojans. If a request for
ion network access or any request that could damage the system is made, the
interceptor will notify the user and ask if they wish to approve and continue.
Code The anti-malware software opens a virtual environment to mimic CPU and
emulatio RAM activity. Malware code is executed in this environment instead of the
n physical processor. This method works well against polymorphic and
metamorphic viruses.
Heuristic Heuristic analysis aids in detecting new or unknown malware. The heuristic
analysis analysis is based on other known malware. Every malware program has a
fingerprint, or signature. If an anti-malware program detects similar code, it
marks it as malware and alerts the user.

Penetration Testing Malware

Part of a penetration test is checking for malware vulnerabilities. When performing a

penetration test, the penetration tester follows a set of steps:

Scan for open ports.

1.Scan for running processes.

2.Check for suspicious or unknown registry entries.
3.Verify all running Windows services.
4.Check startup programs.
5.Look through event log for suspicious events.
6.Verify all installed programs.
7.Scan files and folders for manipulation.
8.Verify device drivers are legitimate.
9.Check all network and DNS settings and activity.
10.Scan for suspicious API calls.
11.Run anti-malware scans.

All results and finding must be documented. The anti-malware program documentation
should help you determine the next steps if malware is detected.

Malware Removal

If malware is found on a system, follow these steps

1.Isolate the system from the network immediately.

2.Verify that the anti-malware software is updated and running. If its not, update it and
scan the system.

3.Sanitize the system using updated anti-malware software and appropriate techniques.

10. SNIFFERS, SESSION HIJACKING, AND DENIAL OF SERVICE

10.1 Sniffing

As you study this section, answer the following questions:

• What is network sniffing?

• Which tools can be used for network sniffing?
• How can sniffing methods be used to exploit switched networks?
• What are some countermeasures to network sniffing?

In this section, you will learn to:

• Capture traffic with TCPDump

• Poison ARP
• Poison DNS
• Filter and analyze traffic with Wireshark
• Analyze ARP poisoning with Wireshark
Key terms for this section include the following:

Term Definition
Sniffing Sniffing is the process of collecting information as it crosses the network.
Promiscuo Turning on promiscuous mode gives the network interface permission to
us mode grab every frame that comes its way, even if it’s addressed to someone
else.
MAC MAC spoofing is the process of changing the MAC address of the interface
spoofing driver in an attempt to impersonate another host on the network.
MAC MAC flooding is the process of overloading a switch’s CAM table in hopes
flooding that it will respond by broadcasting all traffic across the network.
ARP ARP poisoning is the process of sending spoofed messages onto a
poisoning network in an attempt to associate your MAC address with the IP address
of another host so the target machine will send frames to your system.
Port Port mirroring creates a duplicate of all network traffic on a port and sends
mirroring it to another device.

This section helps you prepare for the following certification exam objectives:

Exam Objective
TestOut Ethical Hacker Pro 2.3 Gain access by cracking

• Obtain credentials through sniffing

EC-Council 3. Security

• Information Security Attack Detection

• Information Security Attack Prevention

4. Tools/Systems/Programs

• Information Security Tools

Sniffer Facts

This lesson covers the following topics:

• Sniffing
• Switched network sniffing
• Wireshark
• TCPDump
• Additional sniffing tools

Sniffing

Sniffing is the process of collecting information as it crosses the network. Sniffing is similar
to eavesdropping or wiretapping and can be active or passive. If you’re simply monitoring
traffic, that is passive sniffing. If you alter traffic in any way, that is active sniffing. For
sniffing to be effective, you want to put your network interface into promiscuous mode.
Normally, an interface is set to only grab onto frames that are directed to its MAC address.
Turning on promiscuous mode gives the interface permission to grab onto every frame
that comes its way, even if it’s addressed to someone else. A lot of information can be
gathered during this process, so you will need to examine each packet closely to see
which ones are useful.

Thankfully, there are tools that can help make this job much easier, but it’s still important
to know what to keep an eye out for. First, you’ll want to focus on packets that are being
sent with less-secure protocols. Luckily for you, the hacker, some protocols weren't
designed to be overly secure. SMTP, for example, was designed to deliver an email
message with the hopes that encryption happened at another layer. Similarly, POP3 was
simply designed to retrieve emails; passwords and usernames are easy to intercept from
it. FTP was designed to transmit files, all of which are sent in clear form. Other vulnerable
protocols include IMAP, HTTP, and Telnet. Passwords and data are sent over clear text,
once again in hopes that encryption is happening at a different layer. Second, when
examining packets, you’ll want to keep an eye on the source and destination IP addresses.
The IP addresses will, most likely, be listed in hexadecimal format, so you’ll want to
refresh your hex to standard conversion skills if you haven’t done so in a while.
Switched Network Sniffing

Networks that include switches can provide an initial challenge. You won’t be able to sniff
an entire network, but in the table below, you will find a few methods that can help you
sniff out portions of the network.

Metho Description
d
MAC A common low-level security measure is port security. Port security allows only
spoofi specific MAC addresses access to a switch. The goal is to ensure that only
ng authorized devices have access to the network. A MAC address for a network
interface card (NIC) is assigned by the manufacturer. This address is hard-
coded directly into the NIC and can’t be changed. However, it is possible to
change the MAC address of the interface driver. Let’s say you want to access
a network, but the administrator has implemented port security measures.
Thanks to your previous reconnaissance and scanning, you know that your
target computer has access to the network, and you even know the MAC
address. Using one of several software tools, you can spoof your computer’s
MAC address to look like the target’s MAC address, and you can connect
directly to the network with minimal effort.
MAC When a switch is initially turned on, it doesn’t know which devices it’s going to
floodi be supporting. A switch tracks MAC addresses in a content addressable
ng memory (CAM) table. As it receives packets from various MAC addresses, it
adds the addresses to its CAM table and associates each one with a physical
port on the switch. This process allows data to be sent directly to the port where
the intended recipient is located instead of sending all data across the entire
network like a hub. Although one port can have multiple MAC addresses
associated with it, the CAM table is only so big. As a hacker, you can use a
method called MAC flooding to intentionally flood the CAM table with Ethernet
frames, each originating from different MAC addresses. Once the table starts
to overflow, the switch responds by broadcasting all incoming data to all ports,
basically turning itself into a hub instead of a switch. Since your MAC address
is now connected to one of the ports, you are able to capture all traffic as it is
broadcast across the network.
ARP Address Resolution Protocol (ARP) maps IP addresses to MAC addresses and
poiso provides the most efficient path for data transmission. ARP broadcasts are
ning permitted to freely roam around the network. You can use this free flow of traffic
to your advantage. By sending spoofed messages onto a network, you can
associate your MAC address with the IP address of another host, preferably
the default gateway. As a result, the target machine will send frames to your
system, thinking that you are their gateway, before you forward them on to the
original destination.
Port Port mirroring can be challenging to set up, but is possible depending on the
mirrori level of access you’ve been able to obtain to a network. The concept behind
ng port mirroring, also known as SPAN port, is actually pretty simple. Port
mirroring creates a duplicate of all network traffic on a port and sends it to
another device. If all traffic from a target machine is directed through the switch
to the server, you can implement port mirroring. Port mirroring ensures that
any time the data comes through, it is duplicated and sent out to the attacker’s
machine as well.

Wireshark

Wireshark is one of the most well-known packet analyzers. It is available for Windows,
Mac, and Linux operating systems. Wireshark has numerous tools that can be used to
capture and analyze traffic. It includes search and filtering capabilities that make it a very
powerful resource. These filtering commands can be typed into the filter window, and the
screen will only display what you have selected. The following table lists the filters you
are most likely to use:

Operato Description
r
== Equal (example: ip.addr == 192.168.1.3)
eq Equal (example: tcp.port eq 161)
contains Contains a specific value (example: http contains “http://www.stuff.com”
ne Not equal (example: ip.src ne 192.168.1.3)
!= Not equal (example: ip.addr != 192.168.1.3
&& And (example ip.addr==192.168.1.3&&tcp.port=23)
or Or (example ip.addr==192.168.1.3 or ip.addr ==192.168.1.4)

TCPDump

TCPDump is a command line sniffer designed for the Linux environment. This tool
provides information on the contents of packets on a network interface that match a given
filter. TCPDump has several switches and options, a few of which you’ll find in the table
below:

Oper Description
ator
-i Puts an interface into listening mode.
-w Specifies which file the data should be saved in.
-a Requests that ascii strings are included in the output.
-x Requests that ascii and hexadecimal strings are included in the output.
dst Requests that all traffic going to a specified destination is captured.
src Requests that all information coming from a specified source is captured.
host Requests that all traffic going to a specified destination and from a specified
source is captured.
pcap Requests that captured content be saved to a specified file.

Additional Sniffing Tools

Tool Description
Cain and Cain and Abel is a collection of tools including ARP poisoning. Cain and
Abel Abel redirects packets from a target by forging ARP replies.
Ufasoft Snif Ufasoft Snif is a network sniffer used to capture, decrypt, and analyze
packets as they travel across the network.
WinARPAtt WinARPAttacker can scan, detect, and even attack computers on a LAN.
acker
Ettercap Ettercap is a sniffing tool. It has multiple functions and can be used for
ARP poisoning, passive sniffing, packet grabbing, and protocol decoding.
Etherflood Etherflood is a tool that can flood a switched network with random MAC
addresses.
SMAC SMAC is a spoofing tool that allows an attacker to spoof a MAC address
to any value.
WinDump WinDump is the Windows version of TCPDump.

Sniffer countermeasures and Detection Facts

This lesson covers the following topics:

• Network intrusion detection systems

• Secure network traffic
• Switched networks

Network Intrusion Detection Systems

Network intrusion detection systems (NIDSs) are used to prevent intrusion and alert
network administrators of active attacks. These systems search for anomalies in network
traffic. They can detect network cards running in promiscuous mode and flag MAC
addresses that are not a part of the internal network. An NIDS uses promiscuous mode
to capture and analyze packets. It collects data on the packets received and labels them
based on their potential threat level. A notable fact about an NIDS is that it can identify
both external and internal threats, reducing the potential for insider abuse.

Secure Network Traffic

Two areas that are frequently overlooked by administrators are physical security and
wireless access points. The best network security won’t mean much if an attacker can
walk right in and plug into a physical port. The same is true for a wireless access points.
By nature, wireless traffic is more susceptible to sniffing, so you’ll want to be strategic
when you determine where to put these on your network and what type of access they
provide.

There are a few additional things to keep in mind when locking down your network:

• Use the more secure IPv6 instead of IPv4.

• Replace clear text protocols like FTP and Telnet with more secure options such as SSH,
SSL, and IPsec.
• Use encryption for all sensitive traffic using protocols, end-to-end encryption, and VPNs.

Switched Networks

Switched networks provide a natural barrier for an attacker, so you’ll want to segment a
network in a way that isolates sensitive traffic. Of course, switches alone are not going to
be enough. You’ll want to enable port security on your switches to ensure that only
specific MAC addresses and only a specific number of MAC addresses can access a port.
Be sure to configure settings so the switch shuts down a port when the max number of
MAC addresses is reached so that MAC flooding isn’t possible. DHCP snooping is
another feature that can be enabled on the switch to prevent ARP poisoning and spoofing
attacks. DHCP snooping is built into most switches and blocks DHCP servers, that are
not under the organization’s control from assigning IP addresses to DHCP clients.

10.2 Session Hijacking

As you study this section, answer the following questions:

• What is session hijacking? How can it be used to gather sensitive information?

• What are some methods that can be used for session hijacking at the application and
network layers?
• What actions can be taken to prevent session hijacking?

In this section, you will learn to:

• Perform a DHCP spoofing man-in-the-middle attack
• Hijack a web session

Key terms for this section include the following:

Term Definition
Session The process of taking over an established connection between a host and
hijacking a web server. The session token can be stolen or a predicted session token
can be used.
Session A combination of numbers and letters assigned to an open connection
ID between a user and a server.

This section helps you prepare for the following certification exam objectives:

Exam Objective
TestOut Ethical Hacker Pro 2.2 Gain administrative access and escalate privileges

• Hijack a web session

3.1 Perform passive online attacks

• Examine hidden web form fields

• Conduct a man-in-the-middle attack
EC-Council 3. Security

• Information Security Attack Detection

• Information Security Attack Prevention

4. Tools/Systems/Programs

• Information Security Tools

Session Hijacking Facts

As you study this section, answer the following questions:

• What is session hijacking? How can it be used to gather sensitive information?

• What are some methods that can be used for session hijacking at the application and
network layers?
• What actions can be taken to prevent session hijacking?

In this section, you will learn to:

• Perform a DHCP spoofing man-in-the-middle attack

• Hijack a web session

Key terms for this section include the following:

This section helps you prepare for the following certification exam objectives:

Exam Objective
TestOut Ethical Hacker Pro 2.2 Gain administrative access and escalate privileges

• Hijack a web session

3.1 Perform passive online attacks

• Examine hidden web form fields

• Conduct a man-in-the-middle attack
EC-Council 3. Security

• Information Security Attack Detection

• Information Security Attack Prevention

4. Tools/Systems/Programs
• Information Security Tools
Unlike spoofing, where you pretend to be someone else, session hijacking involves taking
over a session that has already been authenticated.

Topic Description
Passiv With passive hijacking, an attacker uses a sniffer to monitor traffic between a
e victim and a host.
hijacki
ng
Active With active hijacking, the attacker manipulates the client’s connection to boot
hijacki the real client and allow the server to think that the attacker is the
ng authenticated user.
Sessio The key to session hijacking lies in session IDs. Once a client is authenticated,
n IDs the server provides a period of time that the client can maintain an open
connection. The server assumes that information sent and received during
this session is being done by the appropriate user. Each reservation, or
session, is assigned an alphanumeric session ID, also known as a session
token. This token serves as the key--and this is where the opportunity lies for
an attacker. If an attacker can capture or even calculate the ID, they can hijack
a session.

Once a hacker is able to take over a session, they can gather data, enter
commands, and complete transactions that they wouldn't have been able to
do without the level of authorization gained from the hijacked session. This
could result in corrupted data, leakage of sensitive information, or identity
theft. It probably goes without saying that the less secure an environment is,
the more successful an attacker will be. The ideal scenario for a hacker would
be simple, easy-to-guess session ID algorithms, short session IDs, unlimited
session times, clear text transmissions, and a lack of account lockouts for
invalid session IDs.
Sessio Session hijacking is usually done in one of three ways. Brute force hijacking
n is done by guessing an ID. This method is usually used if the hacker has some
hijacki knowledge about the IDs being used by the server. An attacker could steal an
ng ID using sniffing, or they could calculate an ID by looking at current session
metho IDs and determining the sequencing algorithm being used.
ds
Sessio The session hijacking process has five steps. The first step is sniffing the
n traffic between the target computer and the server. The second step is to
hijacki monitor traffic with the goal of predicting the packet sequence numbers. The
ng third step involves desynchronizing the current session so you can move onto
proces the fourth step of predicting the session ID and take over the session. The
s final step is where you start injecting commands targeted at the server.

Client-Side and Network Attack Facts

This lesson covers the following topics:

• Application level hijacking

• Network level hijacking

Application Level Hijacking

At the application level, the session ID lets the server knows who they are communicating
with. This permits the user to progress to a different page on a website without having to
log in again. You can imagine it would be hard for a company to sell much of anything if
a user had to log in every time they wanted to look at another product or another page.
Session IDs can be found in various places. By reviewing a user's browsing history, you
may be able to enter a previously used URL to gain access to an open session. If a user
recently completed a form, you may be able to find a session ID in a hidden field in the
HTTP POST command. The most notorious location of session IDs is in the HTTP cookies.

Several different methods are available for finding session IDs:

Method Description
Session Session sniffing is basically just an extension of sniffing efforts that we've
sniffing discussed in the past, except now, we're specifically on the lookout for
session IDs.
Predictin The easiest way to predict session tokens is to collect several session IDs
g session that have been used before and then analyze them to determine a pattern.
tokens Once you know the pattern or algorithm being used, you may be able to
predict a future ID.
Man-in- We'll talk about this more in the network hijacking presentation, but it's worth
the- noting that man-in-the-middle is a viable method for obtaining a session ID.
middle
attack
Cross- Cross-site scripting attacks (XSS) involves the injection of malicious Java,
site- Flash, or HTML script into web applications. This is usually done through
scripting user entered content that has not gone through any validation checks. A
stored XSS attack is dangerous because it targets web applications that
allow users to store data on the site for retrieval by other users.
Session Session fixation attacks target websites where session IDs are provided in
fixation the hyperlink. URLs are sent to a user with session IDs already embedded
into them. When a user logs in using this URL, their user information
becomes aligned with that session ID. An attacker following the same URL
would have the same level of access as the targeted user.

Network Level Hijacking

There are also several methods for hijacking session IDs at the network level:

Metho Description
d
TCP/IP As the name suggests, TCP/IP session hijacking is an attack on a TCP
sessio session. The first phase in a TCP/IP hijack is to have a successful sniffing tool
n in place to capture traffic between two machines. Second, you'll want to
monitor the existing traffic so you can predict the packet sequence numbers.
hijacki Third, you'll want to carry out a denial-of-service attack on the target machine
ng or manipulate their connection in some way that you're able to effectively take
over the client role. Lastly, you'll begin injecting packets into the server as if
you were the authenticated client.
UDP Unlike TCP, UDP is a connectionless protocol. In other words, there is not a
sessio verified connection between the server or host machine and the client.
n Because of this, you don't need to predict a packet sequence. Instead, you
hijacki just need to convince the victim that you're the server. The best way to do this
ng is to get a response back to the client before the actual server responds and
take over the server's role. Given the high level of vulnerability and the low
number of error recovery options of UDP, it's primarily used for DNS queries
and network broadcast messages.
DNS DNS spoofing, also known as DNS cache poisoning, targets Active Directory
spoofin or other DNS-reliant networks. In DNS spoofing, an attacker alters the DNS
g server to redirect traffic to a malicious website that can gather sensitive
information about a user or that can install malware onto the target machine.
Man- A man-in-the-middle attack is probably one of the most well-known attacks.
in-the- This attack starts with the attacker sniffing traffic between the target machine
middle and the server or the host machine. They will then use ARP poisoning to
attacks strategically redirect communication through their machine. At this point, the
attacker can forward manipulated and potentially malicious traffic to either the
victim or the host machine.

Session Hijacking Countermeasure Facts

Session hijacking can be difficult to detect. As a result, prevention is a group effort. The
penetration tester, the network administrators, the web developers, and even the users
have a part in this defense plan.

This lesson covers the following topics:

• Penetration tester's role

• Administrator's role
• Developer's role
• User's role

Penetration Tester's Role

As a penetration tester, the first step to securing your network is to understand potential
threats. The more you understand what could happen, the better prepared you are to
prevent bad things from happening. Frequent penetration testing will go a long way
toward discovering the weaknesses in your network. (That is, after all, the primary idea
behind ethical hacking.) In most situations, you begin session hijacking penetration
testing by sniffing packets for an active session. You then sniff the session traffic as it’s
sent from one machine to the other. If there is no encryption, you can retrieve the session
ID. If there is encryption, you should still be able to retrieve the session ID; you just need
to crack the encryption. Once you have the session ID, you can use the session fixation
method to connect to the victim machine and take action as an authorized network user.
At this point, you are able to gather additional session IDs, making it easier to guess
additional IDs as needed.

Administrator's Role

A network administrator can configure gateways and other appliances to look for spoofed
IP addresses. They can also implement intrusion detection systems and intrusion
prevention systems to aid in the detection and prevention of suspicious network activity.
Encrypting network traffic can help to prevent attacks from both inside and outside your
network. The down side, of course, is that it also limits your ability to monitor your own
network. There are several methods to encrypt and authenticate packets, but Internet
Protocol Security, IPsec, is one of the most common methods used to protect packet
information and to defend against network attacks. IPsec is a set of protocols that
provides encrypted communication between computers over an unsecured network. The
data sent from one computer is encrypted before it is sent across an unsecured network
to the receiving computer. IPsec negotiates an access key with the receiving computer
so that only that computer can access and decrypt the data being sent.

There are several protocols within the IPsec architecture, including:

• The Internet Key Exchange (IKE), which creates the encryption keys.
• The Authentication Header (AH), which authenticates the sender of the packets.
• The Encapsulating Security Payload (ESP), which provides sender authentication and
encryption.

In tunnel mode, the security is provided from one gateway to another. In this mode, the
entire packet is protected. Tunnel mode, or Virtual Private Networks, are the most
commonly used IPsec method.

Developer's Role

Most forms of session hijacking rely heavily on the ability to read packets and predict
session IDs. Web developers can create session keys that incorporate long strings or
random numbers, making it more difficult to guess or predict a session key. Additionally,
they could regenerate the session ID after a user logs in, encrypt the key being transferred
between the web server and the user, and stop the session after a period of time or as
soon as the user logs off.

User's Role

User education is an important part of security. Because attacks like session fixation rely
on a user clicking on a link in an email or instant message, users should be trained not to
click on these links. Additionally, session hijacking can be prevented at the browser level
by restricting cookies, clearing the history of temporary cookies, using log files, using
session IDs, and restricting offline content.

10.3 Denial of Service

As you study this section, answer the following questions:

• What is the difference between a denial-of-service attack and a distributed denial-of-

service attack?
• What are the four categories of denial-of-service attacks?
• What types of devices can be used in a denial-of-service attack?
• What measures can be taken to prevent your network or devices from a denial-of-service
or distributed denial-of-service attack?

In this section, you will learn to:

• Perform and analyze a SYN flood attack

• Analyze ICMP traffic in Wireshark
• Perform a DoS attack
• Analyze a DDoS attack

Key terms for this section include the following:

Term Definition
Denial-of -service A denial-of-service attack occurs when a computer is used to flood
attack a server with more packets than it can handle.
Distributed denial- Distributed denial-of-service attacks use numerous computers and
of-service attack internet connections across the globe to overload target systems.

This section helps you prepare for the following certification exam objectives:

Exam Objective
TestOut Ethical Hacker Pro 3.2 Perform active online attacks

• Execute a DoS or DDoS attack

EC-Council 3. Security

• Information Security Controls

• Information Security Attack Detection
• Information Security Attack Prevention

4. Tools/Systems/Programs

• Information Security Tools

5. Procedures/Methodology
• Information Security Procedures

Denial of Service (DoS) Facts

A denial of service (DoS) attack occurs when a computer is used to flood a server with
more packets than it can handle. Once a server is overloaded, the server becomes
unavailable to other users and devices that are attempting to connect.

This lesson covers the following topics:

• DoS attacks
• DDoS attacks
• Damage of DoS and DDoS attacks
• Motivation for DoS and DDoS attacks

DoS Attacks

DoS attacks use a single connection to attack a single target. The attacker sends a large
number of legitimate-looking requests to the server in a way that the server cannot
determine which requests are valid and which are not. This barrage of requests
overwhelms the system to the point that the server can't manage the capacity, resulting
in the server being inaccessible by other users.

DDoS Attacks

The DoS attacks that you probably hear the most about are distributed denial of service
attacks. These attacks use numerous computers and numerous internet connections
across the world to overload the target systems. DDoS attacks are usually executed
through a network of devices that the attacker has gained control of. The attacker uses
compromised websites and emails to distribute specially designed malware to poorly
secured devices. This malware provides an access point the attacker uses to gain control
over the device at will. These zombie devices are recruited to cooperative teams called
botnets. The attacker’s goal is to recruit as many zombie machines as possible, often
creating botnets of thousands of computers. When an attacker is ready to strike, he will
command his army of machines to launch a coordinated attack on a target system.
Damage of DoS and DDoS Attacks

DoS attacks can have a damaging impact on the victim. Many companies rely heavily, if
not solely, on their web presence to operate their businesses. A targeted DoS attack will
often result in slowed access, if not complete downtime for the victim’s web servers.
Behind the scenes, a DoS attack can take down servers, databases, or other
infrastructure critical to daily operations. For a business, the most painful impact can be
the loss of revenue and the potential loss of customers. Depending on the size of the
company, a DoS attack could result in thousands if not millions of dollars of lost revenue.

Motivation for DoS and DDoS Attacks

DoS and DDoS attacks do not provide the attacker with access to a resource. Instead,
they prevent an authorized user from obtaining access to information or services. So, if
the attacker doesn’t get access to the network, why would they even bother with a denial-
of-service attack? There are several reasons:

Motivatio Description
n
Distracti If the network team is distracted by a denial-of-service attack, there may be
on an opportunity for an attacker to infiltrate the network, download sensitive
data, or cause damage without being noticed right away.
Damage Whether for revenge or competition, an attacker may want to embarrass the
reputatio victim or tarnish their reputation.
n
Hacktivis DDoS attacks are commonly used politically or morally driven hacktivists
m who want to stop the flow of information from a target website.
Fun Sometimes hackers execute attacks for fun or out of boredom.
Profit Attackers frequently try to exploit their victims for money. Their goal is to
hold a network or web server hostage. Once-the-denial of service attack has
been successfully implemented, the attackers request a ransom to stop the
attack. DDoS services and botnets are available for rent at an hourly or daily
rate.
DoS Attack Type Facts
This lesson covers the following topics:

• DoS attack categories

• DoS and DDoS attack types
• DoS tools

DoS Attack Categories

There are four general categories of denial-of-service attacks. Although all DoS attacks
involve an increase in traffic, an attacker may need to use one or more strategies to work
around countermeasures that have been put in place.

Category Description
Fragmentat Fragmentation attacks target a system's ability to reassemble fragmented
ion attacks packets. UDP and ICMP fragmentation attacks involve sending fake UDP
or ICMP packets that are larger than the maximum transmission unit for
the network. In order to accommodate this overage, the system
disassembles the packets. Because these packets are fake and,
therefore, cannot be reassembled, the target's resources are eaten up,
and the server becomes unavailable.
Volumetric Volumetric attacks block traffic by taking up all available bandwidth
attacks between the target and the internet.
Amplificatio Amplification attacks exploit vulnerabilities in protocols and broadcast
n attacks networks. The name is derived from the idea that the attacker uses
intermediary computers and networks to amplify their attack's impact.
Application Application-level attacks use all of the resources needed for an
level application to run, making it unavailable to other users.
attacks
Protocol Protocol attacks target the connection state tables of firewalls, load
attacks balancers, and application servers.
DoS and DDoS Attack Types

The following table lists the types of DoS attacks.

Attack Description
TCP TCP fragmentation attacks, also known as Teardrop attacks, prevent
fragmenta TCP/IP packets from being reassembled. This is done by setting the flags
tion on all frames to indicate that that they are fragments and providing
instructions to connect to another frame that doesn't actually exist.
Ping flood A ping is designed to test connectivity between two computers. Several
commands are available to customize the ping command, making it a
useful tool for network administrators. A ping flood attack is used to flood a
target computer with large amounts of packets in an attempt to overload it.
The default number of times a ping request is set is four. However, this can
be changed using the –n command. The default size of a packet is usually
around 64 bytes, but the –l command can request that additional data be
sent for each packet. With a maximum of around 65,000 bytes, you can
see how this traffic could add up very quickly.
Smurf The Smurf attack is a DoS attack that targets ICMP protocol weaknesses,
attack and has three steps. First, the attacker creates ICMP echo request packets
using the spoofed IP address of the target machine. Then they send the
packets to the broadcast address of a network, resulting in large number
of devices sending the requested replies to the target's IP address. This
attack's goal is to flood the target computer with traffic, making it difficult, if
not impossible, to use.
Fraggle A Fraggle attack is a DoS attack that targets UDP protocol weaknesses. A
attack large number of UDP packets from a spoofed IP address are broadcast to
a network in an attempt to flood the target computer.
Phlashing Phlashing, also known as bricking, involves pushing incorrect updates to a
system's firmware, causing irreversible damage, and rendering the
computer about as useful as a brick.
SYN flood A SYN Flood exploits the TCP three-way handshake. An attacker creates
SYN packets with a non-existent source address. When the target machine
responds with a SYN-ACK, it goes to the non-existent address, causing the
target machine to wait for a response that it will never get.
Ping of The maximum size of a ping packet is 65,535 bytes. The TCP/IP rules do
death not allow for a ping over this max. However, a classic attack known as the
ping of death circumvents this rule by fragmenting the packets. When they
are reassembled, the packet size is too large, causing a buffer overflow
and a system crash.
Land A land attack is a DoS attack that involves sending a modified SYN packet
attacks to a target. The packet is altered to reflect the host IP address as both the
destination and source IP address. As a result, the target machine replies
to itself over and over.

DoS Tools

The following table lists DoS tools you can use.

Tool Description
Trinoo Trinoo, or trin00, is a set of programs that are used to for DDoS
attacks. Trinoo uses UDP flooding to attack IP addresses.
Low Orbit Ion A free and simple DoS attack tool.
Cannon (LOIC)
DoSHTTP DoSHTTP uses HTTP flooding to attack URLs. It can be run on any
Windows system.
UDPFlood The UDPFlood tool creates UDP packets for a network target.
Targa Targa is a multi-functional tool that can perform land, WinNuke, and
teardrop attacks.
Jolt2 Jolt2 is a DoS tool that sends numerous fragmented packets to a
Windows machine.
Shark Shark is a tool that is used to create botnets.
PlugBot PlugBot is a tool that is used to create botnets.
Poison Ivy Poison Ivy is used to create botnets.

DoS Countermeasure Facts

Unlike many of the other attacks we've discussed, denial-of-service attacks are not
frequently used by ethical hackers. So, why study them? Well, because it's hard to fight
against something you don't know about. Understanding how the denial-of-service
attacks work will help you to provide countermeasure recommendations to your clients.

This lesson covers the following topics:

• DoS and DDoS attack prevention

• DoS and DDoS attack protection
• DoS and DDoS attack response

DoS and DDoS Attack Prevention

There are two ways to prevent DoS and DDoS attacks:

Method Description
Limit access Limit the number of servers that are accessible from outside the
points network.
Limit services Disable unnecessary services on live systems.

DoS and DDoS Attack Protection

Method Description
Enable router throttling Router throttling limits the potential impact of a DoS attack
and can provides a bit of additional response time for
administrators to respond to an attack.
Reverse proxy All traffic is redirected to the reverse proxy before being
forwarded to the real server. In the event of an attack, the
proxy takes the impact.
Threat management Threat management and intrusion prevention systems
systems and intrusion provide numerous protections, including VPNs, anti-spam,
prevention systems and load balancing.
Anti-malware tools Anti-malware tools help to reduce the risk of Trojan
infections and bot installations.
Anti-spoofing measures Anti-spoofing measures ensure that spoofed packets are
unable to infiltrate your network.
RFC 3704 Blocks packets from IP addresses that are not being used
(typically performed by the ISP).
Black hole filtering Creates an area of the network, also known as a black
hole, where offending traffic is forwarded and dropped.

DoS and DDoS Attack Response

It is important to be prepared for a DoS attack. These attacks are becoming more common,
and although the large-scale attacks against large companies catch the spotlight, small
and mid-sized companies are also seeing an increase in attacks.

Method Description
Respon Your response plan should include a checklist of all threat assessment tools
se plan and hardware protections you have in place. This way, you know where to
go to find information about what exactly you're up against.

You'll want to have a pre-determined group of people defined as your

response team. All members of this team should know what their role is in
the response and where to find the information they need. You'll also want
a communication plan. Who needs to know what information? When do they
need this information? Some attacks may have a quick and simple fix, but
others may escalate quickly, so you'll want to have an escalation plan in
place. At what point do you switch over to your redundant systems? At what
point do you decide to completely shut everything down? Response plans
are extremely important, and as an ethical hacker, you'll probably play a
large part in helping companies develop their response plans.
Attack Add extra services such as load balancing and excess bandwidth so that
absorpti you have too much for the attacker to be able to flood. Of course, this is a
on pricey option, as it requires extensive resources and planning.
Service Set services to throttle or even shut down in the event of an attack.
degrada
tion
Backup Have more than one upstream connection to use as a failover in the event
provider of a flooding attack.

Unit No. 2 Part 3 System Hacking
No ratings yet
Unit No. 2 Part 3 System Hacking
45 pages
System Hacking
No ratings yet
System Hacking
109 pages
MSEI 021 Noqsoh
No ratings yet
MSEI 021 Noqsoh
34 pages
Hackers S S Sfdfdgfgfgfgfgfregular-2
No ratings yet
Hackers S S Sfdfdgfgfgfgfgfregular-2
20 pages
System Hacking
No ratings yet
System Hacking
18 pages
1 Password Cracking
100% (1)
1 Password Cracking
19 pages
PT CH 7 Password Cracking Ready
No ratings yet
PT CH 7 Password Cracking Ready
17 pages
Chapter Four
No ratings yet
Chapter Four
50 pages
3rd Module Cyber Security
No ratings yet
3rd Module Cyber Security
30 pages
Eth CHP2
No ratings yet
Eth CHP2
9 pages
Week 3
No ratings yet
Week 3
33 pages
CEHv9 Module 05 System Hacking
No ratings yet
CEHv9 Module 05 System Hacking
139 pages
Ethical Hacking UNIT-3
No ratings yet
Ethical Hacking UNIT-3
32 pages
CH 07
No ratings yet
CH 07
24 pages
Week 3
No ratings yet
Week 3
23 pages
Chapter 4 - Cyber Security
No ratings yet
Chapter 4 - Cyber Security
31 pages
Password Attacks 1726305552
No ratings yet
Password Attacks 1726305552
25 pages
U A N L Facultad de Ciencias Fisico Matematicas
No ratings yet
U A N L Facultad de Ciencias Fisico Matematicas
6 pages
Cyberunit 1 CH 4&5 Students
No ratings yet
Cyberunit 1 CH 4&5 Students
57 pages
Password Cracking and Bruteforce Tools - Compress
No ratings yet
Password Cracking and Bruteforce Tools - Compress
24 pages
Password Cracking and BruteForce Tools
100% (6)
Password Cracking and BruteForce Tools
24 pages
Cyber Security
No ratings yet
Cyber Security
23 pages
PASSWORD CRACKING - JJRPT
100% (1)
PASSWORD CRACKING - JJRPT
16 pages
CE Word
No ratings yet
CE Word
29 pages
HJ Cyber Security
No ratings yet
HJ Cyber Security
14 pages
System Hacking
No ratings yet
System Hacking
9 pages
Cyberunit 1 CH 4
No ratings yet
Cyberunit 1 CH 4
44 pages
Unit II - Cyber Security (PE732IT)
No ratings yet
Unit II - Cyber Security (PE732IT)
24 pages
CS Unit 4
No ratings yet
CS Unit 4
55 pages
Cis Unit5
No ratings yet
Cis Unit5
39 pages
PT-unit 3 4 Notes
No ratings yet
PT-unit 3 4 Notes
25 pages
Password Cracking Technique: A Survey: Himanshu Kumar, Neelam Mathur
No ratings yet
Password Cracking Technique: A Survey: Himanshu Kumar, Neelam Mathur
3 pages
Case Study - T2 - 22 - INTRUDERS
No ratings yet
Case Study - T2 - 22 - INTRUDERS
4 pages
PT-unit 3 Notes
No ratings yet
PT-unit 3 Notes
16 pages
2025.02 - Three Password Cracking Techniques and How To Defend Against Them
No ratings yet
2025.02 - Three Password Cracking Techniques and How To Defend Against Them
3 pages
Chapters 3: Methods and Tools Used in Cyber Line
No ratings yet
Chapters 3: Methods and Tools Used in Cyber Line
125 pages
Sy0-701 1
No ratings yet
Sy0-701 1
32 pages
Hacking Techniques
100% (1)
Hacking Techniques
9 pages
Chapter 3 Tools and Methods Used in Cyber Crime
No ratings yet
Chapter 3 Tools and Methods Used in Cyber Crime
64 pages
R20-Csf-Unit-2-Tools and Methods
No ratings yet
R20-Csf-Unit-2-Tools and Methods
152 pages
Cyber Security Unit - V
No ratings yet
Cyber Security Unit - V
67 pages
PenTest 05 2014 Teaser
No ratings yet
PenTest 05 2014 Teaser
30 pages
Unit 4
No ratings yet
Unit 4
96 pages
U A N L Facultad de Ciencias Fisico Matematicas
No ratings yet
U A N L Facultad de Ciencias Fisico Matematicas
4 pages
Network Security Case Study
No ratings yet
Network Security Case Study
2 pages
An Assessment of Cybersecurity Awareness
No ratings yet
An Assessment of Cybersecurity Awareness
13 pages
Metoda Rainbow D Tradus
No ratings yet
Metoda Rainbow D Tradus
13 pages
Lecture-20 Phishing, Password Cracking: Unit 4 Tools and Methods Used in Cybercrime
No ratings yet
Lecture-20 Phishing, Password Cracking: Unit 4 Tools and Methods Used in Cybercrime
23 pages
Cloud GCP Storage
No ratings yet
Cloud GCP Storage
28 pages
Ethics Lect7 System Hacking
No ratings yet
Ethics Lect7 System Hacking
14 pages
Unit 5 CS
No ratings yet
Unit 5 CS
27 pages
Other Issues in Access Control
No ratings yet
Other Issues in Access Control
17 pages
Class Password Hacking 2023
No ratings yet
Class Password Hacking 2023
38 pages
Chapter 4 - Cyber Security
100% (2)
Chapter 4 - Cyber Security
17 pages
Unit - II Tools and Methods Used in
No ratings yet
Unit - II Tools and Methods Used in
8 pages
Pwning ADCS
No ratings yet
Pwning ADCS
38 pages
User Authentication: Password MD5 Hash Cpanel Strength Indicator
No ratings yet
User Authentication: Password MD5 Hash Cpanel Strength Indicator
2 pages
Email Hacking (06 Cse 036)
50% (2)
Email Hacking (06 Cse 036)
22 pages
Password Attacks
0% (1)
Password Attacks
22 pages
Hacking Techniques
No ratings yet
Hacking Techniques
9 pages
Security Measures
No ratings yet
Security Measures
10 pages
Nis MCQ QB1
100% (1)
Nis MCQ QB1
34 pages
CISA Exam Prep Domain 5 - 2019
No ratings yet
CISA Exam Prep Domain 5 - 2019
89 pages
Establishing A Management Framework For Security and Control
No ratings yet
Establishing A Management Framework For Security and Control
12 pages
Reserach Paper On Cyber Security
No ratings yet
Reserach Paper On Cyber Security
8 pages
Steganography
No ratings yet
Steganography
13 pages
Cyber Security Workshop LAB Manual
No ratings yet
Cyber Security Workshop LAB Manual
24 pages
Fraud in Internet Banking
No ratings yet
Fraud in Internet Banking
31 pages
Cyber Safety and Security Presentation
No ratings yet
Cyber Safety and Security Presentation
12 pages
Edx Cybersecurity Syllabus
No ratings yet
Edx Cybersecurity Syllabus
14 pages
Introduction To Intrusion
No ratings yet
Introduction To Intrusion
25 pages
Excise 325 326
No ratings yet
Excise 325 326
2 pages
Approov Threats To Mobile Apps and APIs
No ratings yet
Approov Threats To Mobile Apps and APIs
19 pages
Niagara4 Hardening Guide 2023
No ratings yet
Niagara4 Hardening Guide 2023
50 pages
27.2.16 Lab - Investigating An Attack On A Windows Host - Docx-1
No ratings yet
27.2.16 Lab - Investigating An Attack On A Windows Host - Docx-1
11 pages
Cryptography Fundamentals: Basic Network Security Itwelec6
No ratings yet
Cryptography Fundamentals: Basic Network Security Itwelec6
36 pages
Bybit Interim Investigation Report
No ratings yet
Bybit Interim Investigation Report
8 pages
Assessment Questions of Each Module: Cyber Security Awareness: Key Security Terms & Concepts
No ratings yet
Assessment Questions of Each Module: Cyber Security Awareness: Key Security Terms & Concepts
8 pages
Kidschatgpt Problem
No ratings yet
Kidschatgpt Problem
11 pages
6 Phases in The Incident Response Plan
No ratings yet
6 Phases in The Incident Response Plan
5 pages
Crimes by The Convention of Cyber Crime On Budapest
No ratings yet
Crimes by The Convention of Cyber Crime On Budapest
9 pages
LGESGUERRAComputer Forensic Laboratory Exercise No. 1 OVERVIEW OF CYBERCRIME
100% (1)
LGESGUERRAComputer Forensic Laboratory Exercise No. 1 OVERVIEW OF CYBERCRIME
4 pages
JotForm Security
No ratings yet
JotForm Security
3 pages
Report
No ratings yet
Report
12 pages
Us Cloud and Identity and Access Management
No ratings yet
Us Cloud and Identity and Access Management
8 pages
Webtechnologyexpert View Forum Message Reply To Message: Page 1 of 4 - Generated From by Fudforum 3.0.1
No ratings yet
Webtechnologyexpert View Forum Message Reply To Message: Page 1 of 4 - Generated From by Fudforum 3.0.1
4 pages
What Is Authentication?
No ratings yet
What Is Authentication?
3 pages
Hacker’s Guide to Machine Learning Concepts
From Everand
Hacker’s Guide to Machine Learning Concepts
Trilokesh Khatri
No ratings yet
Top Networking Terms You Should Know
From Everand
Top Networking Terms You Should Know
JOHN SMITH
No ratings yet
Kali Linux, Ethical Hacking And Pen Testing For Beginners
From Everand
Kali Linux, Ethical Hacking And Pen Testing For Beginners
BHARAT NISHAD
No ratings yet