Monday, January 6, 2014

Security ethical hacking checklist



An ethical hacker is a person with skills across many areas of information technology. On behalf of the owners of an IT system, this network and systems specialist attacks the whole organisation the way a real adversary would. The main goal is to find the vulnerabilities a malicious person could exploit to obtain sensitive information, and to report them before that happens.


These tasks include penetration testing, risk assessment and intrusion testing. Many companies also bring in code reviewers to audit the source of their web applications. The full set of activities in a penetration test is also useful for finding weaknesses in the open source code that application developers reuse so often. Developers are usually busy building features and contributing to the open source community, so security concerns are not always given priority.
These situations call for people who can look at the code objectively and verify that each phase of the application's implementation cycle has been completed with security in mind.

Below I explain the basic steps of my general White Hat checklist, which everyone concerned with IT security should know and use.


RECONNAISSANCE

Reconnaissance is a military term for seeking out the enemy's intentions and plans, using various methods to learn their capabilities and composition. In ethical hacking the word is used for information gathering about the target. The aim is to find the weakest spot in the target's IT systems, which can then be exploited to reach the final goal.
Footprinting has another side as well: the same information tells a defender what an attacker can learn about the system and what should be exposed less. The first and most basic information-gathering methods are:

PING the remote target system to gather basic IP information.
For example: Start > Run > cmd, then ping www.google.com
Or ping a range of public IP addresses to see which hosts on the other side are alive. This is a good starting point for any information gathering, with one caveat: many hosts and firewalls drop ICMP echo requests, so a host that does not answer ping is not necessarily down.

PORT scanning of the services running on the target system. TCP scans can target an individual port or a range of ports to identify different services. A great tool for this is Nmap, found at www.nmap.org
An example command line scan: nmap -T4 -A -v scanme.nmap.org
(-T4 selects an aggressive timing template, -A enables OS detection, version detection, default scripts and traceroute, and -v increases verbosity. scanme.nmap.org is the host the Nmap project provides for scanning practice.)

Public information about the target, such as company details, telephone numbers and email addresses, is very useful for building the big picture. It can be gathered through whois lookups of the company domain and from DNS records. There are some great online sites for this, for example http://www.uwhois.com/

EMAIL tracking means analysing the headers of an email, which reveal the chain of mail servers and gateways the message passed through and their IP addresses. A good application for this is EmailTrackerPro, found at http://www.emailtrackerpro.com/ . The Received headers can also be read by hand: start from the bottom one (the first server that handled the message) and work upwards; only the part each server added in parentheses about the peer it talked to is trustworthy, the name the sender announced can be anything.
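Reading the Received chain by hand, as an added example that is not part of the original post or of EmailTrackerPro: the sample message, its hostnames and its addresses (from the documentation ranges) are all constructed, and the regular expression assumes the common "from A (B [ip]) by C" layout, which is not mandated by the RFC.

```python
import email
import re

# Constructed sample (not a real capture). Headers are in the order a mail
# client sees them: the topmost Received line was added last.
SAMPLE_RAW_MESSAGE = """\
Received: from mx3.example.org (mx3.example.org [203.0.113.7])
\tby inbound.example.net with ESMTP id abc123
\tfor <bob@example.net>; Mon, 6 Jan 2014 10:02:11 +0100
Received: from relay.example.org (relay.example.org [198.51.100.23])
\tby mx3.example.org with ESMTPS id xyz789; Mon, 6 Jan 2014 10:02:09 +0100
Received: from [192.168.1.55] (unknown [192.0.2.44])
\tby relay.example.org with ESMTPSA; Mon, 6 Jan 2014 10:02:07 +0100
From: alice@example.org
To: bob@example.net
Subject: test

hello
"""

# "from <what the sender claimed> (<what the receiver observed>) by <receiver>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)"            # HELO/EHLO name, chosen by the sender
    r"(?:\s+\((?P<verified>[^)]*)\))?"    # rDNS and [ip] recorded by the receiver
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(raw_message):
    """Return the hops oldest-first, each as {claimed, ip, by}.

    The IP is taken from the receiver's parenthesised annotation when present,
    because that is the peer address the receiving server actually saw.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # bottom header = first hop
        value = " ".join(value.split())                     # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        verified = m.group("verified") or ""
        ip_match = IP_RE.search(verified) or IP_RE.search(m.group("claimed"))
        hops.append({
            "claimed": m.group("claimed").strip("[]"),
            "ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by"),
        })
    return hops


def originating_ip(raw_message):
    """Address of the first hop, i.e. the host that submitted the message."""
    hops = parse_received_chain(raw_message)
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_RAW_MESSAGE):
        print(f"{hop['ip']:<16} claimed {hop['claimed']:<20} -> {hop['by']}")
```

In the constructed sample the submitting host announced a private address (192.168.1.55) but the relay recorded 192.0.2.44, which is the value worth investigating; a forged Received line inserted by the sender would appear at the bottom, below the first hop you can corroborate.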

Network connections of your own computer or of a target system reveal the persistent incoming and outgoing connections that matter to the target's users. The free command-line utility netstat is the quickest way to list them.
An example command line on Windows: netstat -ano
(-a lists all connections and listening ports, -n shows addresses numerically, -o shows the owning process ID; on Linux the equivalent is netstat -tulpn.)

Exploring internet archives for the history of a web page is sometimes important: old versions can expose directory names, technologies and staff details that have since been removed. Some URLs are useful for this information gathering.

Company locations can be found using Google Earth. This is important if the company has IT rooms in many countries; from a network standpoint it gives a clear picture of the GeoIP locations.

Displaying the network nodes along the way shows the paths we can take to reach the target system, which helps to choose the best route for enumerating its services. A neat application for this is NeoTrace, available at http://neotrace-pro.en.softonic.com/ ; traceroute (tracert on Windows) gives the same hop list from the command line.

DNS Enumeration
Enumerating DNS reveals public information (and sometimes information that should have stayed private) such as server names, server IP addresses and sub-domains.
A useful Perl script for this, dnsenum.pl, can be found on this URL
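The brute-force part of what dnsenum does, as an added example that is not the script's code and not from the original post: a wordlist of labels is resolved under the target domain, with the check every such tool needs, namely detecting a wildcard record that would make every label "exist". The zone, the addresses and the resolver functions are constructed; the real resolver is a plain socket.gethostbyname and the zone transfer attempt dnsenum also makes is not included.

```python
import random
import socket
import string


def default_resolver(name):
    """Resolve a hostname with the system resolver; None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain, resolve, probes=3):
    """Return the set of addresses random labels resolve to (empty if none).

    If a label that cannot possibly exist still resolves, the zone has a
    wildcard record and every wordlist entry would otherwise look valid.
    """
    answers = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=20))
        addr = resolve(f"{label}.{domain}")
        if addr is None:
            return set()            # a random label got NXDOMAIN: no wildcard
        answers.add(addr)
    return answers


def enumerate_subdomains(domain, wordlist, resolve=default_resolver):
    """Wordlist brute force of sub-domains, discarding wildcard-only answers."""
    wildcard = detect_wildcard(domain, resolve)
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        addr = resolve(name)
        if addr is None or addr in wildcard:
            continue
        found[name] = addr
    return found


# Constructed zone used in place of real DNS so the example runs offline.
FAKE_ZONE = {
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.20",
    "dev.example.com": "192.0.2.30",
}


def fake_resolver(name):
    return FAKE_ZONE.get(name)


def wildcard_resolver(name):
    """Same zone, but with a '*.example.com' record pointing at 192.0.2.99."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    return "192.0.2.99" if name.endswith(".example.com") else None


WORDS = ["www", "mail", "ftp", "dev", "vpn"]

if __name__ == "__main__":
    print(enumerate_subdomains("example.com", WORDS, resolve=fake_resolver))
    print(enumerate_subdomains("example.com", WORDS, resolve=wildcard_resolver))
```

A real host that happens to share the wildcard address is hidden by this filter; comparing the answers for several record types, or checking for an MX or TXT record on the candidate name, is the usual way to catch those.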


SCANNING

In general we have three types of scanning:
  • Port scanning
  • Network scanning
  • Vulnerability scanning
Active information gathering produces more details about the network and helps you see your systems from an attacker's perspective. It shows which server systems are alive and which services they provide to the target's users. Equally important are the operating systems and the architecture they run on.

Some PORT scanning methods:

- Vanilla: the scanner attempts a full TCP connection to all 65,535 ports
- Fragmented packets: the scanner splits the probe into IP fragments, which pass through simple packet filters that do not reassemble traffic
- UDP: the scanner looks for open UDP ports; this is slower and less certain, because a port that stays silent may be open or filtered
- Sweep: the scanner connects to the same port on more than one machine
- Stealth (half-open, SYN) scan: the scanner sends only a SYN and never completes the handshake, so the probe is less likely to appear in application logs; it is still visible to an IDS or to a firewall that logs SYN packets
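A vanilla connect scan with banner grabbing, written here as an added example rather than taken from the original post or from Nmap. A SYN scan needs raw sockets, so this uses the ordinary connect() path; the target is a constructed local listener started on an ephemeral port so the example runs offline, and its FTP-style greeting is made up.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def scan_port(host, port, timeout=0.5):
    """Connect scan of one port: complete the handshake, then read the banner
    the service volunteers, if any. Returns (port, "open"|"closed", banner)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:                  # refused, timed out or unreachable
            return port, "closed", None
        try:
            banner = s.recv(256).decode("ascii", errors="replace").strip() or None
        except OSError:                  # service expects the client to speak first
            banner = None
        return port, "open", banner


def scan_ports(host, ports, workers=50):
    """Scan many ports in parallel; returns {port: banner} for the open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: scan_port(host, p), ports))
    return {port: banner for port, state, banner in results if state == "open"}


def start_fake_service(banner):
    """Constructed target: a loopback listener that greets every client with
    `banner`. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))           # port 0 = let the OS pick a free one
    srv.listen(5)
    srv.settimeout(0.2)                  # so the accept loop can notice `stop`
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def find_free_port():
    """A port nothing listens on: bind to 0, read the number back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo():
    """Scan a small range around the fake service; returns (its port, open ports)."""
    port, stop = start_fake_service(b"220 ftp.example.com FTP server ready\r\n")
    try:
        open_ports = scan_ports("127.0.0.1", range(port - 5, port + 6))
    finally:
        stop()
    return port, open_ports


if __name__ == "__main__":
    port, open_ports = demo()
    for p, banner in sorted(open_ports.items()):
        print(f"{p}/tcp open  {banner or '(no banner)'}")
```

Every connection here completes the handshake, so the target's service logs will record it; that is the trade-off against the half-open scan described above.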

Network scanning is the process of examining the activity on a network, including monitoring data flows and the functioning of network devices. It serves both the security and the performance of a network, and it can also be run from outside the network to identify potential vulnerabilities.

Vulnerability scanning uses software that looks for security flaws based on a database of known flaws, tests systems for their presence and generates a report that an individual or an enterprise can use to tighten security. Such reports contain false positives, so every finding should be verified by hand before it is reported.

SUBNET information, whether public or private, is very important for planning the time-consuming parts of security testing. A very useful tool for gathering it is the Angry IP Scanner, available at http://angryip.org/w/Home

Some useful tools for scanning target systems:

McAfee SuperScan (originally from Foundstone)
http://www.mcafee.com/us/downloads/free-tools/superscan.aspx

Network port scanning
Scan network ports with NetScanTools Pro or Nmap.

WUPS, a very fast and powerful UDP port scanner

Unicornscan, a user-land distributed TCP/IP stack for information gathering and correlation
The app can be found on http://www.unicornscan.org/


ENUMERATION


Using the information gathered so far, the attacker starts probing the victim actively: port scanning, banner grabbing, vulnerability scanning, and finding user names and email addresses. This is an active phase, so it may be detected by an IDS or blocked by firewalls.
Enumeration is the first direct contact with the target network. It is the process of gathering user names, machine names, network resources, shares and services, and it requires a real, established connection to the system.

Null session - abuse of the Windows SMB networking protocol.
Older or misconfigured Windows hosts accept an anonymous session to the IPC$ share without any credentials: net use \\<ip address>\IPC$ "" /u:""
Such a session does not give control of the machine by itself, but it can be used to list users, groups, shares and policies. If we hold even one set of valid domain credentials, the same approach works against many machines in the domain. A good tool for enumerating these weak spots is enum4linux.pl, found on this url

NetBIOS over TCP/IP can be queried with the built-in nbtstat tool, which displays NetBIOS name tables, the name cache and protocol statistics. The -A option queries a remote host by IP address and also returns its MAC address for our information database.
Usage:   nbtstat -A 192.168.1.1

FTP enumeration - ftp-user-enum.pl, a handy tool on *NIX, probes TCP port 21 for useful information such as the server version and, on servers that answer differently for existing and non-existing accounts, which user names exist on the target.
# perl -MCPAN -e shell
 cpan> install Getopt::Std
This installs the module the script needs. Usage against a target:
Usage: ftp-user-enum.pl [options] (-u username|-U file-of-usernames) (-t host|-T file-of-targets)

TELNET to different port numbers to see whether a service is running on the remote server and to read its banner.
Usage: telnet <IP or FQDN> <port>
A list of ports for common services can be found on this URL.

A list of some useful tools used for enumeration:

IP Tools

SoftPerfect Network Scanner is a free multi-threaded IP, NetBIOS and SNMP scanner with a modern interface and many advanced features. It is intended for both system administrators and general users interested in computer security. The program pings computers, scans for listening TCP/UDP ports and displays which resources are shared on the network, including system and hidden shares.

SomarSoft's DumpSec is a free security auditing program for Microsoft Windows NT/2000. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information. It is a must-have for Windows NT systems administrators and computer security auditors.

Enumerate devices such as routers, printers, servers and backup appliances that still use their default passwords. Many default password lists can be found with Google searches; one of them is on this URL.

Netcat is a simple networking utility which reads and writes data across network connections using TCP or UDP. It is a wonderful tool for debugging all kinds of network problems, and it lets you read and write data over a network socket as simply as reading stdin or writing stdout. A few examples of what it can accomplish:

Establishing a connection and fetching a page over HTTP (the request line must be followed by an empty line, which ends the headers):
nc example.com 80
GET / HTTP/1.0

<HTML>
<!-- site's code here -->
</HTML>


HACKING

When the steps above are done, the attacker starts exploiting the vulnerabilities found, which may lead to the compromise of a system or a website.

There are four types of password attack:

1. Passive online attack - man in the middle, sniffing and similar
2. Active online attack - password guessing against the live service
3. Offline attack - brute force, dictionary and hybrid attacks against captured password hashes
4. Non-technical attack - social engineering
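The offline attacks in point 3, as an added example that is not from the original post: a dictionary attack expanded with hybrid rules (case changes, leet substitutions, appended digits) beside a plain brute force, both against an unsalted hash. SHA-1 stands in for LM/NTLM here because it is available everywhere; the wordlist and the target passwords are constructed.

```python
import hashlib
import itertools

# Substitutions a hybrid attack tries ("leet speak"), plus common suffixes.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "!", "1", "123", "2014"] + [f"{n:02d}" for n in range(100)]


def hybrid_candidates(word):
    """Expand one dictionary word into the variants a hybrid attack tries."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def sha1_hex(password):
    """Stand-in for an unsalted password hash (LM and NTLM are unsalted too)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack(target_hash, wordlist, hash_fn=sha1_hex):
    """Offline dictionary + hybrid attack. Returns (password, attempts);
    password is None once the wordlist and its mutations are exhausted."""
    attempts = 0
    for word in wordlist:
        for candidate in hybrid_candidates(word):
            attempts += 1
            if hash_fn(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def brute_force(target_hash, alphabet, max_len, hash_fn=sha1_hex):
    """Exhaustive search of every string up to max_len over `alphabet`."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if hash_fn(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


# Constructed wordlist; a real one has millions of entries.
WORDLIST = ["letmein", "qwerty", "password", "admin"]

if __name__ == "__main__":
    print(crack(sha1_hex("Password1"), WORDLIST))
    print(crack(sha1_hex("correct horse battery staple"), WORDLIST))
    print(brute_force(sha1_hex("abc"), "abc", 3))
```

The whole approach depends on the hash being fast and unsalted: a salt defeats precomputed tables, and an iterated scheme such as bcrypt multiplies the cost of every attempt, which is why those are the defences to recommend in the report.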

A rootkit is a stealthy type of software, typically malicious, designed to hide the existence of certain processes or programs from normal methods of detection and to keep privileged access to a computer. The term is a concatenation of "root" (the traditional name of the privileged account on Unix operating systems) and "kit" (the software components that implement the tool).

Steganography is the art and science of encoding hidden messages in such a way that no one apart from the sender and the intended recipient suspects the existence of the message. It is a form of security through obscurity: once the hiding scheme is known it protects nothing, so a sensitive payload should be encrypted before it is hidden.

An ethical hacker should equip himself with a database and dictionaries of default passwords. Some useful URLs are a good starting point.

http://www.defaultpassword.com/?char=&action=dpl
http://www.cirt.net/passwords
http://www.virus.org/default-password

L0phtCrack can be used to recover Windows passwords from their hashes.
Can be found on this URL

Obtaining the Windows server administrator password is a powerful way of gaining access to target systems. Windows stores the LM/NTLM hashes of local account passwords in the SAM database, and there are many tools that attack them. One of them is the Offline NT Password & Registry Editor, which boots from its own media and resets the password rather than recovering it; it can be found on this URL

Keyloggers are software tools that log every keystroke a user types. These stealthy tools are used to capture credentials on target systems.
Free versions can be found on this URL. Stealthier still are USB keyloggers, which carry the keylogger on the stick itself, can be planted inside the organisation and can send the captured credentials outside the corporate network. Useful software can be downloaded from this URL

Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.

OpenPuff is an open source steganography tool that hides data inside carrier files with innocuous extensions such as PDF and JPG. Can be found on this URL
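The simplest hiding scheme behind the steganography definition above and tools like OpenPuff, as an added example that is neither OpenPuff's method nor code from the original post: the payload is written into the least-significant bit of each sample of a carrier. The carrier here is a constructed buffer of random 8-bit values standing in for raw pixel samples; this works on lossless data, and would not survive JPEG recompression without a format-aware embedding.

```python
import random


def embed_lsb(carrier, payload):
    """Hide `payload` in the low bit of each carrier byte.
    Layout: 32-bit big-endian length, then the payload bits, MSB first."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = "".join(f"{b:08b}" for b in data)
    if len(bits) > len(carrier):
        raise ValueError(f"carrier too small: need {len(bits)} samples, have {len(carrier)}")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | int(bit)       # change at most the low bit
    return bytes(out)


def extract_lsb(stego):
    """Recover the payload written by embed_lsb."""
    def read_bytes(start, count):
        value = bytearray()
        for j in range(count):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (stego[start + j * 8 + k] & 1)
            value.append(byte)
        return bytes(value)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds carrier: no payload or wrong carrier")
    return read_bytes(32, length)


def max_payload(carrier):
    """Bytes of payload a carrier can hold after the 4-byte length prefix."""
    return len(carrier) // 8 - 4


def changed_samples(carrier, stego):
    """How many samples differ; each differs by at most 1, which is why LSB
    changes are invisible to the eye but not to statistical analysis."""
    return sum(1 for a, b in zip(carrier, stego) if a != b)


# Constructed carrier: 4096 random 8-bit samples (seeded, so it is reproducible).
CARRIER = bytes(random.Random(1).getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    stego = embed_lsb(CARRIER, b"meet at dawn")
    print(extract_lsb(stego), changed_samples(CARRIER, stego), "samples changed")
```

Because the payload goes in as plain bits, anyone who knows the layout can read it; encrypting the payload first means an extracted message is still unreadable, which is the point made in the definition above.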

Lynis is an auditing tool for Unix/Linux. It performs a security scan and determines the hardening state of the machine. Any detected security issues will be provided in the form of a suggestion or warning. Beside security related information it will also scan for general system information, installed packages and possible configuration errors.

Yersinia is a network attack tool designed to take advantage of weaknesses in some layer 2 network protocols. It is intended as a framework for analysing and testing deployed networks and systems, and it implements a number of attacks for protocols including STP, CDP, DTP, DHCP, VTP and ISL.

The Metasploit Framework is an open-source development platform for creating security tools and exploits. The framework is used to test systems, verify patch installations, and perform regression testing. The framework allows users to configure exploit modules and test systems against attack.

The PsExec tool lets a white hat execute applications and processes remotely on target systems, given administrative credentials for them, and can launch interactive command prompts on remote computers.
Syntax:       psexec \\computer[,computer2[,...] | @file] [options] command [arguments]

Core Impact is a penetration-testing product for testing security threats. It allows systems administrators to test security patches, network infrastructure and system upgrades before an attacker does. It is frequently updated, so it is likely to stay current with new exploits.

Ratproxy is a semiautomated and largely passive Web application security audit tool. It detects and annotates potential problems and security-relevant design patterns based on the observation of existing and user-initiated traffic. It does not generate a high volume of traffic, taking very little bandwidth.


In this post I have tried to put together a small checklist of the tools I use; some I have skipped (to be continued). I also think the checklist methodology is a good starting point for enthusiasts who are concerned about the security of their IT systems.

To be continued ...