Reconnaissance

 Reconnaissance is the first step of ethical hacking “In this process the main purpose is to gather information about the target through passive method “

Information like which company is it, what are technology they use, who own the company, email address, etc.

Ethical hacking phase

Footprinting & Reconnaissance – this is the first and the most important phase of hacking in this process we gather information about the target before exploiting.

Networking hacking – in this process we gain access or entering the network off the target. (hacking performs in the target network)

Scanning – in this process we scan the target network to gain some information regarding target. For example – how many hosts are connected to the target network, what technologies they are using, OS, open port, vulnerabilities regarding that target etc.

Gaining access – in this process we compromise with the target system to gain access through the vulnerability regarding that target

Maintaining access – in this process our main thing is to main the connection with the target.

For example – backdoors

Clearing tracks – is the most and the last phase of hacking where we clear all the logs generated by the hacker in the recent phase.

Scanning

scanning After foot printing and reconnaissance, scanning is the second phase of information gathering that hackers use to size up a network. Scanning is where they dive deeper into the system to look for valuable data and services in a specific IP address range.

In scanning part identify the Live system, open ports, Services, OS, Network Scan, Vulnerability scan

Types of scanning in ethical hacking 

The transmission control protocol (TCP) was made for reliable communication. It is used for a

wide variety of protocols on the Internet and contributes toward reliable communication with the

help of the three-way handshake.

Before understanding how port scanning works, we need to understand how the TCP threeway

handshake works.

SYN

ACK

SYN/ACK

◾ The first host sends a SYN packet to the second host.

◾ The second host responds with a SYN/ACK packet; it indicates that the packet was received.

◾ The first host completes the connection by sending an acknowledgment packet.

TCP Flags in ethical hacking course

SYN—Initiates a connection.

ACK—Acknowledges that the packet was received.

RST—Resets the connections between two hosts.

FIN—Finishes the connection.

Port Status Types cyber security

With nmap you would see one of four port status types:

Open—It means that the port is accessible and an application is listening on it.

Closed—It means that the port is inaccessible and no application is listening on it.

Filtered—It means that nmap is not able to figure out if the port is open or closed, as the packets

are being filtered, which probably means that the machine is behind a firewall.

Unfiltered—It means that the ports are accessible by nmap but it is not possible to figure out if

they are open or closed.

TCP SYN Scan

The TCP SYN scan is the default scan that runs against the target machine. It is the fastest scan.

You can tweak it to make it even faster by using the –n option, which would tell the nmap to skip

the DNS resolution.

◾ The source machine sends a SYN packet to port 80 in the destination machine.

◾ If the machine responds with SYN/ACK packet, Nmap would know that the particular port

is open on the target machine.

◾◾ The operating system would send a RST (Reset) packet in order to close the connection,

since we already know that the port is open.

◾ However, if there is no response from the destination after sending the SYN packet, the

nmap would know that the port is filtered.

◾ If you send a SYN packet and the target machine sends a RST packet, then nmap would

know that the port is closed.

Command: The command/syntax for the TCP SYN scan is as follows:

nmap –sS <target IP>

TCP Connect Scan

The TCP connect scan is similar to the SYN scan, with a slight difference in that it completes

the three-way handshake. The TCP connect scan becomes the default scan if the SYN scan is not

supported by the machine. A common reason for that could be that the machine is not privileged

to create its own RAW packet.

◾ The source machine sends a SYN packet at Port 80.

◾ The destination machine responds with a SYN/ACK.

◾ The source machine then sends an ACK packet to complete the three-way handshake.

◾ The source machine finally sends the RST packet in order to close the connection.

NULL, FIN, and XMAS Scans in ethical hacking 

NULL, FIN, and xmas scans are similar to each other. The major advantage of using these scans

for pentest is that many times they get past firewalls and IDS and can be really beneficial against

Unix-based OS as all three of these scans do not work against Windows-based operating systems,

because they send a reset packet regardless of whether the port is open or closed. The second disadvantage

is that it cannot be exactly determined if the port is open or filtered. This leaves us to

manually verify it with other scan types.

 

 NULL Scan

A null scan is accomplished by sending no flags/bits inside the TCP header. If no response

comes, it means that the port is open; if a RST packet is received, it means that the port is closed

or filtered.

XMAS Scan in cyber security 

The XMAS scan sends a combination of FIN, URG, and PUSH flags to the destination. It

lightens the packet just like a Christmas tree and that is why it is called an XMAS scan. It works

just like the FIN and null scans. If there is no response, the port is open; if the target machine

responds with a RST packet, the port is closed.

Command:

nmap –sX <target Ip Address>

 TCP ACK Scan

TCP ACK + Port 6969

The TCP ACK scan is not used for port scanning purposes. It is commonly used to determine

the firewall and ACL rules (access list) and whether the firewall is able to keep track of the connections

that are being made.

The way this works is that the source machine sends an acknowledge (ack) packet instead of a

syn packet. If the firewall is stateful, it would know that the there was no SYN packet being sent

and will not allow the packet to reach the destination.

IDLE Scan in ethical hacking

The IDLE scan is a very effective and stealthy scanning technique. The idea behind the IDLE

scan is to introduce a zombie to scan another host. This technique is stealthy because the victim

host would receive packets from the zombie host and not the attacker host. In this way, the victim

would not be able to figure out where the scan originated.

However, there are some prerequisites for launching the idle scan, which are as follows:

1. Finding a good candidate whose IP ID sequence is incremental and recording its IP ID.
2. The host should be IDLE on the network.

ICMP – The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached.

# ping 192.168.0.1

A traceroute uses a TTL (time to live) field from the IP header, and it increments the IP packet

in order to determine where the system is. The time to live value decreases every time it reaches a

hop on the network (i.e. router to server is one hop).

There are three different types of traceroutes:

1. ICMP traceroute (which is used in Windows by default)
2. TCP traceroute
3. UDP traceroute

ICMP Traceroute

TCP Traceroute cyber security 

UDP Traceroute

Tools for scanning

Superscan3.0 – windows base tools to gather information about the target on the network to scan.

AngryIPscanner – Both available for Linux and windows

NMAP – tool is used to identify the target server like OS, open ports, service, vulnerability of the individual server.

Zenmap – Graphical version of Nmap

Scanning your target network through NMAP

Timing Technique

Advanced Network Technique

what is Denial of service (DOS) in ethical hacking 

In computing, a denial of service attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend service of a host connected to the internet.

the signs of a potential DoS attack? Here are a few that may indicate that a DoS attack is in effect:

■ Unavailability of a resource

■ Loss of access to a website

■ Slow performance

■ Increase in spam emails

DoS Targets

DoS attacks result in a multitude of consequences. Let’s look at some common examples of

what is seen in the real world and what you’ll most likely see on the exam:

Web Server Compromise A Successful DoS attack and subsequent compromise of a web

server constitutes the widest public exposure against a specific target. What you see mostoften is a loss of uptime for a company web page or web resource.

Back-End Resources Back-end resources include infrastructure items that support a

public-facing resource such as a web application. DoS attacks that take down a backend

resource such as a customer database or server farm essentially render all front-end

resources unavailable.

Network or Computer Specific DoS attacks are also launched from within a local area

network, with intent to compromise the network itself or to compromise a specific node

such as a server or client system.

Cryptography in cyber security

in ethical hacking course you will learn Cryptography or cryptology is the practice and study of techniques for secure communication in the presence of third parties called adversaries.

cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages, various aspects in information security such as data confidentiality, data integrity, authentication, and non-repudiation are central to modern cryptography.

Definition: Cryptography is associated with the process of converting ordinary plain text into unintelligible text and vice-versa. It is a method of storing and transmitting data in a particular form so that only those for whom it is intended can read and process it. Cryptography not only protects data from theft or alteration, but can also be used for user authentication.

Description: Earlier cryptography was effectively synonymous with encryption but nowadays cryptography is mainly based on mathematical theory and computer science practice.

Modern cryptography concerns with:

Confidentiality – Information cannot be understood by anyone

Integrity – Information cannot be altered.

Non-repudiation – Sender cannot deny his/her intentions in the transmission of the information at a later stage

Authentication – Sender and receiver can confirm each

Cryptography is used in many applications like banking transactions cards, computer passwords, and e- commerce transactions.

Three types of cryptographic techniques used in general.

1. Symmetric-key cryptography

2. Hash functions.

3. Public-key cryptography

Symmetric-key Cryptography: Both the sender and receiver share a single key. The sender uses this key to encrypt plaintext and send the cipher text to the receiver. On the other side the receiver applies the same key to decrypt the message and recover the plain text.

Public-Key Cryptography: This is the most revolutionary concept in the last 300-400 years. In Public-Key Cryptography two related keys (public and private key) are used. Public key may be freely distributed, while its paired private key, remains a secret. The public key is used for encryption and for decryption private key is used.

Hash Functions: No key is used in this algorithm. A fixed-length hash value is computed as per the plain text that makes it impossible for the contents of the plain text to be recovered. Hash functions are also used by many operating systems to encrypt passwords.

Types of Hashing

There are many different types of hash algorithms such as RipeMD, Tiger, xxhash and more, but the most common type of hashing used for file integrity checks are MD5, SHA1 and CRC32.

MD5 – An MD5 hash function encodes a string of information and encodes it into a 128-bit fingerprint. MD5 is often used as a checksum to verify data integrity. However, due to its age, MD5 is also known to suffer from extensive hash collision vulnerabilities, but it’s still one of the most widely used algorithms in the world.

SHA1 – SHA1, developed by the National Security Agency (NSA), is a cryptographic hash function. Results from SHA1 are expressed as a 160-bit hexadecimal number. This hash function is widely considered the successor to MD5.

CRC32 – A cyclic redundancy check (CRC) is an error-detecting code often used for detection of accidental changes to data. Encoding the same data string using CRC32 will always result in the same hash output, thus CRC32 is sometimes used as a hash algorithm for file integrity checks.

Enumeration:

you will learn  in this ethical hacking course following below

Enumeration phase attacker creates active connection to system and performs directed quires to gain more information about the target.

Attackers use extracted information to identify system attack points and perform password attack to gain unauthorized access to information system resources.

Enumeration techniques are conducted an intranet environment.

Techniques for enumeration

Extract user names using email IDs.

Extract information using the default passwords.

Extract user names using SNMP.

Brute force active Directory.

Extract user groups from windows.

Extract information using DNS Zone transfer.

 

SMB

The Server Message Block Protocol (SMB protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network. It can also carry transaction protocols for interprocess communication.

o SMB1 – Windows 2000, XP and Windows 2003.

o SMB2 – Windows Vista SP1 and Windows 2008

o SMB2.1 – Windows 7 and Windows 2008 R2

o SMB3 – Windows 8 and Windows 2012.

 

NetBIOS (Network Basic Input/output System) is a program that allows applications on different computers to communicate within a local area network (LAN).

What is the use of NetBIOS over TCP IP?

 

NetBT uses the following TCP and UDP ports:

 

Scanning for the NetBIOS Service

 

DNS enumeration

DNS Zone transfer is the process where a DNS server passes a copy of part of it’s database (which is called a “zone“) to another DNS server. … It’s worth stopping zone transfer attacks,

Other methods to DNS enumeration Zone transfer

Null Session

Enum4linux

what type of Evading Firewall, IDS, IPS and Honeypots. learn in ethical hacking course 

A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

Firewalls have been a first line of defense in network security for over 25 years. They establish a barrier between secured and controlled internal networks that can be trusted and untrusted outside networks, such as the Internet.

Mobile Hacking

Phone hacking is the practice of manipulating or gaining unauthorized access to mobile phones, such as by intercepting telephone calls or accessing voicemail messages.

Can someone hack your cell phone?

 

Sure, someone can hack your phone and read your text messages from his phone. But the person using this cell phone must not be a stranger to you. No one is allowed to trace, track or monitor someone else’s text messages. … Using cell phone tracking apps is the most well-known method of hacking someone’s smartphone.

Can a mobile number be hacked?

 

All hackers need your cell phone is just your cell number. A hacker can hack your phone with just your phone number in many different ways: Hacker can send you spam send via text. … If a hacker gets into SS7, then it is very easy to track the incoming & outgoing conversation.

Session hijacking

Session hijacking is synonymous with a stolen session, in which an attacker intercept

and takes over a legitimately established session between a user and a host. The user–host

relationship can apply to access of any authenticated resource, such as a web server, Telnet

session, or other TCP-based connection. Attackers place themselves between the user and

host, thereby letting them monitor user traffic and launch specific attacks. Once a successful

session hijack has occurred, the attacker can either assume the role of the legitimate

user or simply monitor the traffic for opportune times to inject or collect specific packets to

create the desired effect.

 

In its most basic sense, a session is an agreed-upon period of time under which the connected

state of the client and server is vetted and authenticated. This simply means that

both the server and the client know (or think they know) who each other are, and based

on this knowledge, they can trust that data sent either way will end up in the hands of the

appropriate party.

If a session hijack is carried out successfully, what is the danger? Several events can take

place at this point, including identity theft and data corruption.

Sniffing && Network Hacking

Sniffing is the process of monitoring and capturing all the packets passing through a given network using sniffing tools. It is a form of “tapping phone wires” and get to know about the conversation. It is also called wiretapping applied to the computer networks.

Network Interface Card, the NIC is also referred to as an Ethernet card and network adapter. It is an expansion card that enables a computer to connect to a network; such as a home network, or the Internet using an Ethernet cable with an RJ-45 connector.

Promiscuous mode

In a network, promiscuous mode allows a network device to intercept and read each network packet that arrives in its entirety. This mode of operation is sometimes given to a network snoop server that captures and saves all packets for analysis (for example, for monitoring network usage).

In an Ethernet local area network (LAN), promiscuous mode is a mode of operation in which every data packet transmitted can be received and read by a network adapter. Promiscuous mode must be supported by each network adapter as well as by the input/output driver in the host operating system. Promiscuous mode is often used to monitor network activity.

Promiscuous mode is the opposite of non-promiscuous mode. When a data packet is transmitted in non-promiscuous mode, all the LAN devices “listen to” the data to determine if the network address included in the data packet is theirs. If it isn’t, the data packet is passed onto the next LAN device until the device with the correct network address is reached. That device then receives and reads the data.

Module: Hacking Web Application

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

https://portswigger.net/burp/documentation/desktop/penetration-testing

 

The Burp tools you will use for particular tasks are as follows:

• Scanner– This is used to automatically scan websites for content and security vulnerabilities.
• Intruder– This allows you to perform customized automated attacks, to carry out all kinds of testing tasks.
• Repeater– This is used to manually modify and reissue individual HTTP requests over and over.
• Collaborator client– This is used to generate Burp Collaborator payloads and monitor for resulting out-of-band interactions.
• Click bandit– This is used to generate clickjacking exploits against vulnerable applications.
• Sequencer– This is used to analyze the quality of randomness in an application’s session tokens.
• Decoder– This lets you transform bits of application data using common encoding and decoding schemes.
• Comparer– This is used to perform a visual comparison of bits of application data to find interesting differences.