
Strengthening the Attack by Effective “Scanning”

As per the Oxford dictionary, “Scanning” is defined as “to look at all parts of (something) carefully in order to detect some feature”. Scanning is a technique which is very widely used in the cyber security domain. Security engineers, hackers, and researchers often use various kinds of scanning in the course of their work. Network Scanning is a process where an attacker uses tools and techniques to gather information about the target. This information may be as simple as the active hosts within the network, or as complex as the OS of the hosts, open ports and active vulnerabilities on the host. Scanning is not only done on the network; it could also be application scanning or website scanning, depending on the need. However, in this article, we will focus mainly on network scanning and will only briefly touch upon application and website scanning.

Scanning is an integral part of ethical hacking, and without understanding the basics of ethical hacking, we would not be able to do justice to this topic. Generally, after reconnaissance, scanning is the second step of any hacking attempt. For that purpose, we will look at the basics of ethical hacking and its steps, after which we shall understand scanning and its types, take a deep dive into network scanning and finally look at some tools which are used in the industry for various types of scanning.

What is hacking and ethical hacking?

Whenever we hear the word ‘Hacker’, we imagine a guy in a black hood, sitting alone in a room, with multiple screens in front of him, typing commands at blazing speed! In reality, that is not the case. A computer hacker is a person with deep domain expertise in the field of computers, who explores methods to overcome defense mechanisms by exploiting vulnerabilities in a computer system or network. A hacker can be financially or politically motivated, or could be working with an organization to help them strengthen their infrastructure. The latter is also referred to as an ethical hacker.

If we talk about the English definition of hacker as per the Oxford dictionary, it refers to a person who uses computers to get access to data in somebody else's computer or phone system without permission. An unethical hacker is someone who overcomes the security controls deployed by security teams to protect confidential and sensitive data by exploiting various vulnerabilities present in the system or network, and gains unauthorized access to the system. This is usually done for financial gain.

Now when the word ‘ethical’ is attached to ‘hacking’, it changes the meaning a bit and also the intent of hacking. In ethical hacking, the hacker exploits the vulnerability and gains access to the data, but never alters, deletes or steals it or uses it for personal, professional or financial gain. The hacker, in this case, will disclose the vulnerability to the owner of the system with a “Proof of Concept” (PoC) and request the owner to get the vulnerability remediated. Generally, ethical hackers have explicit permission from the owner to exploit the target. Companies could hire ethical hackers on their payroll and pay them to do such hacking, or may allow hackers around the globe to evaluate their websites or applications through bug bounty programs. In this case, the companies offer monetary rewards to hackers who report bugs to them.

Now that we have discussed ethical hackers, it would make sense to introduce the term “White Hat Hacker”. A White Hat Hacker is an individual, generally working with or for a company, who helps the company strengthen its security posture. The white hat hacker has explicit permission from the system or information owner to attack the system. The intent here is to fix the issues before the black hat hackers, or the bad guys, could exploit the vulnerability. Ethical hackers can also be referred to as white hat hackers.

Steps in Ethical Hacking

To properly understand scanning, it is very important to understand what the various steps of hacking are. Any successful attack would need these steps to be followed:

Reconnaissance or information gathering – As they say in the military, reconnaissance means gathering information about an area by using foot soldiers, planes, drones, etc. In ethical hacking, the process is similar. Here we try to gather as much information as we can about our target. The better the reconnaissance, the easier the attack would be. Basically, this step lays the foundation of our attack. Reconnaissance could be of two types, active and passive. In the case of active reconnaissance, scanning is widely used for gaining information about the target. Generally, information that is available to the public is gathered in this phase.

Scanning – The attacker has gained valuable insights about the target. But this is not enough, as deeper insights are required. Scanning helps in getting more specific information about the target. Web scanners help attackers understand the vulnerabilities in a website, while application scanners look at the application code and list potential vulnerabilities and issues. Network scanners help the attacker perform host discovery, identify ports and services and gain various details about the network, as we will discuss going forward.

Gaining access – Now the attacker is armed with a lot of information on the IP ranges, key people of the organization, OS running on key servers, active hosts and so on. The attacker will now use techniques to deliver a payload (the actual virus or malicious code) into the network of the target. This is generally done by using social engineering techniques like phishing.

Maintaining access – This is the next step, when the attacker has access to the network and the system, and would now make sure that he has persistent access to the resources. The attacker generally does this by creating a backdoor, which no one else is aware of. A backdoor is just like a secret way in and out of the system. This backdoor will ensure that even if the main gate (the exploited vulnerability) has been closed by the target, there is a back gate which he could use to maintain access to the compromised system.

Covering tracks – Any attacker would want to remain anonymous while he is in the system, or after he has left it having stolen the information or damaged it. This is a very important step, since if this is not done, the hacker (if he is a black hat hacker) could land in jail. This is generally done by tampering with (deleting or corrupting) the log files and/or using a VPN or Virtual Private Network.

Types of scanning in ethical hacking

Scanning is the second step in ethical hacking. It helps the attacker get detailed information about the target. Scanning could be basically of three types:

Port Scanning – Detecting open ports and running services on the target host
Network Scanning – Discovering IP addresses, operating systems, topology, etc.
Vulnerability Scanning – Scanning to gather information about known vulnerabilities in a target

Port scanning could be further divided into 5 types:

Ping Scan – This is the simplest scan. A ping scan sends ICMP packets and waits for a response from the target. If there is a response, the target is considered to be active and listening.
TCP Half Open – Also referred to as SYN scan, this is another very common type of scanning method.
TCP Connect – TCP connect is similar to TCP half open, except for the fact that a complete TCP connection is established in TCP connect port scanning.
UDP – UDP is used by very common services like DNS, SNMP and DHCP. So, sending a UDP packet and waiting for a response helps gather information about UDP ports.
Stealth Scanning – As the word says, stealth means a quieter activity. When an attacker wants to remain undetected while scanning, a stealth scan is used.

What is network scanning

The network is the backbone of any information technology infrastructure, over which data and resources are shared. In today’s world, when the network is being used for almost everything, “Network Security” is of critical importance. If the network is not secure, no other control is worth applying! Network scanning is the process or technique by which we scan the network to gain details such as active hosts, open ports including running TCP and UDP services, open vulnerabilities, details about the host like the operating system and much more. For IP (Internet Protocol) networks, generally “ping” is used for reaching a host and checking its status. Ping is an ICMP (Internet Control Message Protocol) utility which sends packets to the target and receives an ICMP echo reply.

Within an organization, network scanning is used by monitoring and management systems. These are legitimate uses of scanning and are very regularly performed by network management tools and network administrators. On the other side, scanning used by an attacker relies on the same tools and protocols as used by network administrators for monitoring and management. The attacker would first obtain the IP address range of the target network, generally using DNS or the whois protocol. Once the attacker has the IP range, he would scan the network for active hosts, their operating systems and related details as discussed above. Finally, with all this information, the attacker may attempt to breach the target systems.

How is Network Scanning different from Reconnaissance?

Reconnaissance, as discussed above, is the first step in ethical hacking. In this step, the attacker tries to gather as much information as possible. Reconnaissance could be of two types, active and passive. In passive reconnaissance, the attacker makes absolutely no contact with the target systems or the network. However, in active reconnaissance, the attacker makes direct contact with the target machines and network in order to gain some basic information. This is generally done by scanning and foot-printing.

You might be wondering why we are talking about scanning in reconnaissance and then also discussing scanning as a different and independent step of ethical hacking. There is a thin line between the two. As discussed above, during active reconnaissance, there is contact with the target network. However, in the scanning step (the 2nd step of ethical hacking), the attacker already has basic information about the network and the infrastructure. The aim is to get details like active host names, open ports, operating systems on the active hosts, etc. While they might seem the same, scanning is not possible, or rather, would not be successful, without in-depth and detailed reconnaissance. The scanning step further expands reconnaissance and takes it to the next level.

Network Scanning tool – NMAP with examples

Let us have a look at nmap, a very commonly used network scanning tool, and see some examples of its use. You can install nmap (Zenmap is the UI interface for Windows) from nmap [dot] org. Below is what Zenmap looks like:

[Screenshot: the Zenmap interface]

We input the target IP or IP range in the “Target” field, choose a profile from the dropdown and input a command which specifies certain parameters. Below are some common parameters you can find in the nmap tool:

HOST DISCOVERY:
a. -sL: List Scan - simply list targets to scan
b. -sn: Ping Scan - disable port scan
c. -Pn: Treat all hosts as online -- skip host discovery

SCAN TECHNIQUES:
a. -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
b. -sU: UDP Scan
c. -sN/sF/sX: TCP Null, FIN, and Xmas scans
d. --scanflags <flags>: Customize TCP scan flags

PORT SPECIFICATION AND SCAN ORDER:
a. -p <port ranges>: Only scan specified ports
b. --exclude-ports <port ranges>: Exclude the specified ports from scanning
c. -F: Fast mode - Scan fewer ports than the default scan

SERVICE/VERSION DETECTION:
a. -sV: Probe open ports to determine service/version info

OS DETECTION:
a. -O: Enable OS detection

Some examples are given below:

nmap -v -A knowledgehut.com
nmap -v -sn 192.168.0.1-100
nmap -v -O 192.168.1.200-210
nmap -v -iR 10000 -Pn -p 443

You can refer to the nmap official website (nmap [dot] org/book/man [dot] html) for more examples and use cases.

Some common scanning tools used in the industry

With the evolution of sophisticated attacks, the network security industry has evolved a great deal, and there are more than a dozen tools which help companies manage their network and ensure it is secure from all kinds of attacks. Below are some very common and trusted tools which are used across the industry:

OpenVAS – OpenVAS, or the Open Vulnerability Assessment System, is an open source tool for network scanning and monitoring. OpenVAS allows a high level of customization and provides an option of intelligent scan. It provides three types of scans, namely, full scan, web server scan and WordPress scan.

Nmap – As discussed above, nmap is one of the most reliable network scanners used across the industry. It is an open source tool and allows a lot of pre-configured commands. It comes with NSE, or the Nmap Scanning Engine, which is very effective in detecting network misconfigurations and security issues. It is available both in a graphical user interface (GUI) and a command line interface (CLI).

Nessus – One of the most widely used enterprise scanning tools, the Tenable-owned Nessus provides amazing scanning capabilities, including many predefined templates. It has pre-configured scans (templates) for PCI compliance, Badlock detection, Malware Scan and DROWN Detection, to name a few. It is one of the most trusted scanners used across the industry. Nessus provides a free trial version and student editions (with limited features, of course) for learning and research purposes.

Acunetix – Acunetix is one of the most widely used web application scanners. The ability to integrate with trackers like Jira and repositories like GitHub, and automation capabilities with Jenkins, make Acunetix a must-have for enterprises. It also helps security teams integrate security into their SDLC (Software Development Life Cycle) processes.

Wireshark – Wireshark is a free and open source packet analyzer. Very widely used, this tool is often used by attackers, once they have successfully entered a network, for “sniffing” the traffic. Wireshark’s ability to capture real-time packets and convert them to human-readable form, along with a very easy to use and interactive GUI, makes it one of the favorite tools of network administrators and security researchers (and hackers, of course!).

Concluding remarks

Scanning is the second step of the ethical hacking process, and until an attacker is proficient in this, it is highly unlikely that the attack will be successful. Network scanning not only tells you about the hosts and their basic configurations, it also tells an attacker about various vulnerabilities present in the hosts. On the other side, application scanners tell what vulnerabilities (generally from an OWASP standpoint) exist in an application. Scanning, if done the right way, can reveal a lot of information about the organization. Having said that, the network and security administrators within almost all organizations have tools deployed to ensure that any scanning attempt is detected almost instantaneously and a corrective action (generally blocking) is taken. This makes it even more difficult for any attacker to launch a scan on an organization’s network and come up with successful results. Many times, scanning is blocked at the firewall level. This means that ICMP traffic is denied by default, except for some IPs and subnets where it is required for troubleshooting purposes.
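The TCP Connect scan described under the port scan types above is the simplest one to see in code, because it uses nothing but an ordinary connect() call. The example below is an added illustration, not code from the original article or from the nmap project: it starts a throwaway listener on a loopback port (the constructed "target"), picks a second loopback port that is known to be closed, and classifies each port as open (the full three-way handshake completed), closed (the host answered with RST) or filtered (no answer within the timeout, which is what a firewall that silently drops the packet looks like). The half-open SYN scan that the article contrasts it with cannot be written this way, since it requires raw sockets to send a SYN without completing the handshake; that is what nmap's -sS option does.

```python
import socket
import threading


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP listener on an ephemeral loopback port.

    This is the constructed 'target' for the example; it accepts and
    immediately closes connections so the scan has something to talk to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))            # port 0 = let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener was closed, stop serving
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def reserve_closed_port(host="127.0.0.1"):
    """Find a loopback port that is closed: bind to a free one, read it, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=0.5):
    """TCP connect scan: complete the three-way handshake on each port.

    Returns {port: 'open' | 'closed' | 'filtered'}.
      open     - connect() succeeded (SYN, SYN/ACK, ACK all exchanged)
      closed   - the host answered with RST (ConnectionRefusedError)
      filtered - nothing came back before the timeout (typically a firewall drop)
    """
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except OSError:            # socket.timeout is a subclass of OSError
                results[port] = "filtered"
    return results


def demo():
    """Scan one open and one closed loopback port; returns (results, open_port, closed_port)."""
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    try:
        return connect_scan("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        srv.close()


if __name__ == "__main__":
    results, open_port, closed_port = demo()
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port} -> {state}")
```

Because the scan completes the handshake, the listening service sees an accepted connection for every open port, which is exactly why a connect scan shows up in application logs and connection tables while a half-open scan often does not.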
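The concluding remarks note that most organizations detect scanning attempts almost instantaneously. The logic behind such a detector is straightforward and is shown below as an added example, not code from the original article or from any product it mentions. It reads firewall-style log lines in a constructed key=value format (the sample lines and their format are invented for this example; real firewalls log differently), and raises a port-scan alert when one source touches many distinct destination ports within a sliding time window, or a ping-sweep alert when one source sends ICMP echo requests to many distinct hosts. The sample also contains a source that probes only three ports a minute apart, which the window-based detector deliberately does not flag; that is the classic weakness of threshold detectors against the slow "stealth" scans the article lists.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed, iptables-style log lines for the example (not from any real system).
# Fields: timestamp, SRC, DST, PROTO, then DPT for TCP/UDP or TYPE for ICMP.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=21",
    "2024-05-01T10:00:00 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=22",
    "2024-05-01T10:00:01 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=23",
    "2024-05-01T10:00:01 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=25",
    "2024-05-01T10:00:02 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=80",
    "2024-05-01T10:00:02 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=443",
    "2024-05-01T10:00:03 SRC=10.0.0.9 DST=10.0.0.20 PROTO=TCP DPT=443",   # normal client
    "2024-05-01T10:00:04 SRC=10.0.0.9 DST=10.0.0.21 PROTO=TCP DPT=443",
    "2024-05-01T10:00:05 SRC=10.0.0.7 DST=10.0.0.1 PROTO=ICMP TYPE=8",     # echo requests
    "2024-05-01T10:00:06 SRC=10.0.0.7 DST=10.0.0.2 PROTO=ICMP TYPE=8",
    "2024-05-01T10:00:07 SRC=10.0.0.7 DST=10.0.0.3 PROTO=ICMP TYPE=8",
    "2024-05-01T10:00:08 SRC=10.0.0.7 DST=10.0.0.4 PROTO=ICMP TYPE=8",
    "2024-05-01T10:00:09 SRC=10.0.0.7 DST=10.0.0.5 PROTO=ICMP TYPE=8",
    "2024-05-01T10:01:00 SRC=10.0.0.11 DST=10.0.0.20 PROTO=TCP DPT=22",   # slow probing
    "2024-05-01T10:01:30 SRC=10.0.0.11 DST=10.0.0.20 PROTO=TCP DPT=80",
    "2024-05-01T10:02:00 SRC=10.0.0.11 DST=10.0.0.20 PROTO=TCP DPT=443",
    "garbage line that should be ignored",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)"
    r"(?: DPT=(?P<dpt>\d+))?(?: TYPE=(?P<type>\d+))?$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.fromisoformat(d["ts"]),
        "src": d["src"],
        "dst": d["dst"],
        "proto": d["proto"],
        "dpt": int(d["dpt"]) if d["dpt"] else None,
        "type": int(d["type"]) if d["type"] else None,
    }


def detect_scans(lines, window_s=10, port_threshold=5, host_threshold=5):
    """Flag sources that touch many distinct dst:port pairs (port scan) or send ICMP
    echo requests to many distinct hosts (ping sweep) inside a sliding time window.

    Returns one alert per (source, kind), raised the moment the threshold is crossed.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])           # logs are not always in order
    windows = defaultdict(deque)                  # (src, kind) -> deque of (ts, key)
    alerted = set()
    alerts = []
    for e in events:
        if e["proto"] in ("TCP", "UDP"):
            kind, key, threshold = "portscan", (e["dst"], e["dpt"]), port_threshold
        elif e["proto"] == "ICMP" and e["type"] == 8:
            kind, key, threshold = "pingsweep", e["dst"], host_threshold
        else:
            continue
        dq = windows[(e["src"], kind)]
        dq.append((e["ts"], key))
        # Drop entries older than the window; a slow scan therefore never accumulates.
        while dq and (e["ts"] - dq[0][0]).total_seconds() > window_s:
            dq.popleft()
        distinct = {k for _, k in dq}
        if len(distinct) >= threshold and (e["src"], kind) not in alerted:
            alerted.add((e["src"], kind))
            alerts.append({"src": e["src"], "kind": kind,
                           "distinct": len(distinct), "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"{a['at']} {a['kind']:9s} from {a['src']} ({a['distinct']} distinct targets)")
```

Counting distinct dst:port pairs rather than raw packets keeps a busy but legitimate client (several connections to the same service) below the threshold, while the window length and thresholds are the knobs a defender tunes against the slow-scan blind spot shown by the 10.0.0.11 lines.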

Vatsal Jain

Author

Vatsal Jain is an Information Security professional with close to 3 years of experience. He has worked with multiple MNCs and has exposure in Information Security Auditing, creating and maintaining InfoSec Policies and Procedures, Network Security and Risk Management. He has cracked exams like CISA, CISM and CEH. He also holds certifications like ISO 27001 LA, ITIL Foundation, ISO 22301 LI and AZ-900. He has done B.Tech. in CSE with a specialization in Cyber Security and Forensics.


Exploiting the Weakest Link in Security Through Social Engineering

Social engineering, as per Wikipedia, is the psychological manipulation of people into performing actions or divulging confidential information. In simpler terms, social engineering is taking advantage of a victim’s natural tendencies and emotional reactions. Social engineering is more interesting than it sounds! It involves various techniques, including tricking the victim into sharing an OTP, a debit card PIN, or their computer passwords. There have been attacks in the past where the attacker simply called up the data center, posing as a high-ranking official of the company, and manipulated the data center administrator into telling him the exact models of the servers residing in the data center.

Social engineering can be done at various steps of hacking, but typically it is done during information gathering, or the reconnaissance phase. In the above example, the attacker likely got server details like the model number and maybe the operating system running on it. Once the attacker has this basic information, it is very easy to find vulnerabilities in the OS and hardware using online sources like NVD (National Vulnerability Database) and CVE (Common Vulnerabilities and Exposures, by MITRE).

In this article, we will briefly look at what ethical hacking is, to set the context for social engineering, then the various steps of ethical hacking, and then take a deep dive into the various techniques of social engineering. We will have a look at some recent data breaches where social engineering was used, and finally some tips to safeguard your organization and yourself from social engineering attacks.

What is ethical hacking?

Hacking is a word which raises eyebrows every time someone mentions it. A hacker is not a person with a hoodie, sitting in a dark room, with multiple screens in front of him. That is what we see in the movies, right? In real life, a hacker is an individual with deep expertise in the domain he works in. So a cyber hacker is a person with deep domain expertise in computers and related infrastructure like networks, servers, etc. Hacking a cyber system involves overcoming the security mechanisms deployed to protect confidential data by exploiting various vulnerabilities present in the system or network, and thereby gaining unauthorized access to the confidential information.

Steps of hacking

To understand social engineering, we need to first understand the various steps of hacking. Any hacker would follow these steps in order to successfully penetrate a system.

Reconnaissance or Footprinting – As defined and used for military purposes, reconnaissance is the activity of gathering information about an area using soldiers, planes, etc. Similarly, reconnaissance in hacking means gathering all the information about your target which you would use in the next steps of hacking. This step lays the foundation for your attack: the more information you have, the easier the attack will be. Reconnaissance could be active or passive in nature. Active reconnaissance would involve the attacker scanning the network and websites of the target organization or individual directly. In passive reconnaissance, however, the attacker would never get in direct touch with the target and would use various “social engineering” techniques to gather information.

Scanning – After the attacker has some basic details, he or she starts scanning the network and websites of the target much more intensively and gathers information like active hosts, the OS running on them, open ports and other details which could be used to launch an attack.

Gaining Access – Now the attacker has a lot of information like IP ranges, key people of the organization, the OS running on key servers, and active hosts. The attacker will now use techniques to deliver a payload (the actual virus or malicious code) to get into the network of the target. This is generally done by using social engineering techniques like phishing.

Maintaining Access – This is the next step, when the attacker has access to the network and the system, and would now make sure that he has persistent access to the resources. He would generally do this by creating a backdoor which no one else is aware of. This backdoor will ensure that even if the main gate has been closed by the target, there is a back gate which he could use to maintain access to the compromised system.

Covering tracks – Once the attacker is in the system and has access to all the data, his next step would be to remain undetected and anonymous. This would generally be done by deleting the logs and by using a VPN, or Virtual Private Network, to access the target network and systems.

Taking a deeper dive into Social Engineering

As we briefly discussed in the sections above, social engineering is getting information from the target by manipulating them. Information gathering and social engineering go hand in hand. Throughout this section, we will have a look at various techniques to gather information about an organization via online tools and social engineering methods.

Who.is – You have a website name and you want to know all the basic details of the website? You can simply visit who [dot] is. You get the following details here:
Name of the registrant
Address and contact information
Expiry date of the domain registration
Name servers
Registrar information
Server type
With all this information, you will at least know the contact number and the address of the company where the domain is registered.

Command Prompt (Terminal for Linux users) – You must be thinking why we are talking about a Windows utility. Try this on the command prompt: “ping knowledgehut.com”. What do you see? 4 packets sent, 4 received, and you got the IP address of the website. This is very useful information when you are targeting an organization.

Cisco Talos – Cisco Talos is a utility from Cisco and has many different components. For now, we will focus on the “IP Reputation” center. It helps you find the reputation of a domain or an IP address. Now how does this help in hacking? The answer is simple: once you have the IP address from the above step, you can now look at who this IP belongs to, and mostly you will find the details of the platform where the website is hosted.

Fake email domains or fake mailers – This is a very interesting process. You can actually send a mail from any email address! Yes, you read that right. Let’s take an example. You can send a mail to any random person using the ID HR@facebook.com. How cool is that? These fake email domains also give you the liberty of getting a reply in your own mailbox by setting up a “reply to” option. These kinds of domains are very widely used in phishing scams, and a few of them are not even stopped by well-known email providers like Gmail. Emkei.cz is one such domain which allows you to send a fake mail. (The original article shows a screenshot of its console.) You get an option to choose a name and the email ID you want to send the email from. For demonstration purposes, you can use the name Alex Johnson and the email ID alex.johnson@facebook.com. You get advanced features like “reply to”, priority setting and even encrypting the email. What “reply to” helps us do is, once the victim (to whom we are sending this fake mail for a phishing attempt) replies, we get the reply in a legitimate mailbox (not a fake one!). This ensures that the email sent looks like a legitimate mail even though it is fake, and you still get a reply. This fake mailer is largely used by attackers to lure job candidates, sending fake offers from an email ID which looks authentic and seeking money for jobs. Attackers can also send a legitimate-looking mail from the company HR and ask users to fill in sensitive information.

Temp Mailers – This is another tool on the internet widely used by attackers. This utility allows anyone to create a “temporary” email, which is valid for a very short duration (10 to 30 minutes, depending on the website). You get an email address with a temporary inbox. People also use this to register on different websites where they do not want any promotional material landing in their personal mailboxes. Temp-mail.org is one such domain; you can find hundreds of such domains online.

Social Media – Are we forgetting social media? Social media gives you the maximum amount of information you want about an individual. You must be thinking how? Let us look at an example. (The original article shows an image of a social media post by a user named Anne.) What information did you get to know about Anne from this image?
Possible passwords: maxthedog, alexandrichard, smith, 03181918
Possible security questions and answers (remember setting up a few security questions in your bank account or even your FB account?): Pet name: Max; Best Friend: John; Date of Birth: 18 Mar 1981; Maiden Name: Smith; Address: from the link!
When the house is vacant: 18th March 2016, half term
Other miscellaneous information: changing house, marital status (divorced), two sons, etc.
Now you understand the humongous amount of information we have on our social media. Not to forget our regular social media updates, be it on Facebook, Instagram, Snapchat, Telegram or WhatsApp!

Fake Calling – Something very common these days, where you get a call from a person posing as a bank official. They generally try to get the OTP or One Time Password from you, or your credit card or debit card PIN or CVV. This is among the most common types of social engineering attacks and is commonly referred to as a phishing attack. They are categorized as fraud under the law.

Phishing – Where we are the weakest link

Phishing, as defined by Wikipedia, is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication. It is generally done by using one or more of the techniques we discussed above. Let us take a few examples:

Sending a fake mail, looking just like a bank email. It will generally ask you to click on a link and redirect you to a web page. This web page would look exactly like the bank page and you would be asked to enter your user ID and password. Now, this being a fake page, it would either give an error message or redirect you to the authentic website after you enter your user ID and password. In the backend, the attacker gets the login credentials for your bank portal. Similar to this are the lottery mails you get, in which every day you win $10,000.

Cybersquatting is the fraudulent act of registering, selling or using a domain name which resembles a known brand, with the intent of profiting from the name of the already established brand. For example, creating a website goggle.com which is similar to google.com. This could have a serious impact if you register a website as annazon.com (notice the double n) instead of amazon.com. They look alike at first glance. Now imagine 20% of the traffic of amazon.com going to annazon.com. It’s a huge loss for Amazon!

Sending SMS on mobiles with links to upgrade the PayTM app, enter a lucky draw, or even fix your “expiring” bank account. These links will either ask the victim to enter some confidential information like banking details or an OTP, or install an app or software in the background. The installed app or software is designed to spy on the victim’s mobile device and send confidential information like SMS, photos, bank credentials, etc. to the attacker.

Can we do anything about it?

The simple answer is: not much. Social engineering, as the title of this article says, exploits the weakest link in security, which is us, the users. Unless the user is vigilant and aware, no amount of investment in security tools and technologies can save the organization’s or the individual’s data from hackers.
Organizations generally run Information Security Awareness campaigns, mandate users to attend trainings, and even carry out phishing assessments. This gives the organization a direction to enhance its security program and train users to be better protected against cyber threats.

As a part of this article, let us have a look at how we can detect a fake email. Email header analysis helps us identify whether the mail is authentic or not. It is very simple to analyze an email header in Gmail.
1. Open the email for which you want to analyze the header. Click on “Show Original” (shown in the image in the original article).
2. Copy the header to the clipboard.
3. Open https://mxtoolbox.com/EmailHeaders.aspx and paste the header.
4. Click on “Analyze Header”. You will get all the details like email domain, sender, who will get the replies, SPF values, etc.
Now you can actually know whether a mail was sent by an authentic domain or by a fake mailer service like emkei.cz!

Recent attacks involving social engineering
The Sony Pictures Hack – November 2014
Target Data Breach – 2013 (Phishing)
2016 Democratic National Committee Email Leak – July 2016 (Spear Phishing)
Associated Press Twitter Accounts – April 2013 (fake email)
RSA SecurID Cybersecurity Attack – March 2011 (infected attachment in email)

Concluding remarks
Social engineering, coupled with information gathering, is one of the easiest and most efficient ways of doing reconnaissance. Attackers make use of these techniques to make sure they are equipped with enough knowledge before they carry out any attack. User awareness and due diligence are the only way to protect an organization or individual from a social engineering attack.
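The fake-mailer “reply to” trick, the cybersquatting look-alike domains (annazon.com, goggle.com) and the header analysis steps described above all come down to checks a defender can automate. As an added example that is not part of the original article, here is a small Python triage script that parses a raw header, flags Reply-To and Return-Path domains that differ from the From domain, reports non-passing SPF/DKIM/DMARC verdicts from the Authentication-Results header, and compares the sender domain against a watch list using a confusable-character map plus edit distance; the watch list, the confusables table and the sample header are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed watch list; a real deployment would use its own and partner domains.
PROTECTED_DOMAINS = ["amazon.com", "google.com", "facebook.com"]

# Character sequences that read as another character at a glance (the article's
# annazon.com relies on "nn" resembling "m"). Constructed, not a complete list.
CONFUSABLES = {"rn": "m", "nn": "m", "vv": "w", "0": "o", "1": "l"}


def normalize(domain: str) -> str:
    """Collapse confusable sequences so look-alike domains compare equal."""
    d = domain.lower()
    for seq, rep in CONFUSABLES.items():
        d = d.replace(seq, rep)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as goggle.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the protected domain that `domain` imitates, or None."""
    domain = domain.lower()
    if domain in PROTECTED_DOMAINS:
        return None  # the genuine domain is not a look-alike
    for brand in PROTECTED_DOMAINS:
        if normalize(domain) == normalize(brand) or edit_distance(domain, brand) <= 1:
            return brand
    return None


def domain_of(header_value) -> str:
    """Domain part of an address header such as From ('' if absent)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def triage_header(raw_header: str) -> list:
    """Return findings that point to a spoofed or look-alike sender."""
    msg = email.message_from_string(raw_header)
    sender = domain_of(msg.get("From"))
    findings = []
    # A fake mailer's "reply to" trick shows up as a Reply-To (or bounce address)
    # on a domain other than the one the From line claims.
    for header in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(header))
        if other and other != sender:
            findings.append(f"{header} domain {other} differs from From domain {sender}")
    for mech, result in auth_results(msg).items():
        if result != "pass":  # fail, softfail, none, temperror: all deserve a look
            findings.append(f"{mech.upper()} result is {result}")
    brand = lookalike_of(sender)
    if brand:
        findings.append(f"From domain {sender} imitates {brand}")
    return findings


# Constructed sample header in the style of a fake-mailer message: the From line
# claims a look-alike of amazon.com, replies go to a free mailbox, SPF failed.
SAMPLE_HEADER = """\
Return-Path: <bounce@mailer.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mailer.example; dkim=none
From: Amazon Support <support@annazon.com>
Reply-To: <recover.account@freemail.example>
"""
```

Running `triage_header(SAMPLE_HEADER)` yields five findings for the constructed header; a genuine message whose From, Reply-To and Return-Path agree and whose SPF and DKIM both pass yields none.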

Learn Ethical Hacking From Scratch

Despite the appealing title, ethical hacking, or in more technical terms “Penetration Testing”, is not something you can master by reading an article or doing a crash course. There is much more to ethical hacking! In this article, we will have a look at what hacking is, the different types of hackers, the steps involved in a hacking or penetration testing activity including common tools and techniques, how the industry looks at ethical hacking, and the common certifications related to hacking.

Before we jump into the details, let us understand what a vulnerability is, because we will be using this term again and again. A vulnerability is any loophole or weakness in a system that could be exploited by a hacker.

What is hacking and ethical hacking?

To understand hacking, let us first understand what a hacker does. Whenever we think of a hacker, we imagine a guy with a hood, sitting in a dark room, having multiple computer screens in front of him and typing something at a blazing speed! We hate to burst your bubble, but most hackers do not fit that preconceived stereotype! A computer hacker is a person with deep domain expertise in computer systems, who is well versed in various methods of overcoming defense mechanisms by exploiting vulnerabilities in a computer system or network. A hacker could be financially or politically motivated, or could be working with an organization to help them strengthen their infrastructure.

Hacking refers to the activities that can overpower or derail the security mechanisms of digital devices like computers, smartphones, tablets, and even entire networks. It exploits the vulnerabilities present in the system or network to gain unauthorized access to confidential information. Hacking could be for personal benefit or with malicious intent. However, in ethical hacking, the hacker exploits the vulnerability and gains access to the data, but never alters, deletes or uses it for personal or professional gain. The hacker, in this case, will disclose the vulnerability to the owner of the system with a “Proof of Concept” (PoC) and request the owner to get the vulnerability remediated. Generally, ethical hackers have explicit permission from the owner to exploit the target.

Who are the different types of hackers?

Hackers can generally be categorized into three types based on the kind of work they do and the intent behind their hacking.

Black Hat Hackers – These are hackers who attempt to bypass security mechanisms to gain unauthorized access with malicious intent. Generally, these hackers work with the intent of financial gain and/or causing damage to the target. They may be individuals, self-motivated groups (also known as hacktivists, who aim to bring political or social change) or politically motivated groups (state-sponsored hackers).

White Hat Hackers – These are professionals generally working with or for a company to help strengthen its digital security systems. The white hat hacker has explicit permission from the system or information owner to attack the system. The intent here is to fix potential vulnerabilities before the black hat hackers can exploit them.

Grey Hat Hackers – These individuals operate either as white hat hackers or black hat hackers, hence the nomenclature.

What are the steps involved in hacking?

Let us take a deeper dive into ethical hacking and understand the steps involved. Throughout this section, we will look at the steps involved in ethical hacking, and some commonly used tools and techniques which hackers generally use. To illustrate our explanation, let us assume an attacker, Mr. X, is targeting an organization, TaxiCompany Inc.

1. Reconnaissance or Foot-printing – As per the Oxford dictionary, reconnaissance means “the activity of getting information about an area for military purposes, using soldiers, planes, etc.”. Similarly, in hacking, reconnaissance means gathering information about your target. This information includes IP address ranges, network, DNS records, websites, or people working with the organization. So, in this step, Mr. X would try to find the details of the key people working for TaxiCompany Inc., its website, etc. Reconnaissance could be active or passive in nature. In active footprinting, Mr. X would directly be scanning the network of TaxiCompany, or its websites, using various tools. In passive footprinting, Mr. X would not directly interact with any infrastructure or person. He would rather look at publicly available information from social media, public websites, etc.

Commonly used tools/techniques for reconnaissance:
Who Is: A whois lookup tells you details about the website: the owner, the contact number of the owner, and the address where the website is registered. You can simply visit who.is and enter the domain you wish to search for.
NMAP: NMAP, or the Network Mapper, is a tool widely used for recon and scanning. Hackers can use this tool to find details like IP range, active hosts, open ports, etc. A simple nmap command to find active hosts is “nmap -sn 192.168.1.1-100”. This command will find all active hosts in the provided IP range.
Social Engineering: This is a technique whereby the attacker engages directly or indirectly with the staff of the target organization and manipulates them psychologically into revealing confidential information.
Some other tools which are used for footprinting include social media sites, Nessus, Acunetix and lullar.com.

2. Scanning – Once Mr. X has some basic information about TaxiCompany, he would start to collect in-depth information which could help him penetrate the network and access confidential information. Mr. X is most likely to use port scanners, sweepers and vulnerability scanners of different types. Mr. X could now be targeting the website or the network of the organization. For websites, using scanners like Nessus and Acunetix could give loads of information about the server where the website is hosted, open ports, server version, hosting platform, etc. In the case of a network, network mapping and scanning tools will help Mr. X understand the active hosts, the services (ports) running on them and, with some intense scans, the OS running on the active hosts and even the vulnerabilities present!

Kali Linux is a Linux distribution which is widely used by hackers around the globe for hacking and penetration testing. It contains almost every tool one would need for the various steps of hacking. NMAP, Wireshark, ncap, Metasploit, etc. are pre-loaded in Kali Linux. Based on the information gathered in the scanning phase, Mr. X can now easily look for vulnerabilities in the OS or the hardware using databases like NVD or CVE.

Commonly used tools/techniques for scanning: Apart from NMAP, the below tools are used to perform vulnerability scanning:
Nessus: The most famous vulnerability scanner, from Tenable; it has hundreds of plugins which allow you to make sure all vulnerabilities and misconfigurations are identified.
Acunetix: Acunetix is known for its features and capabilities for web application scanning.

3. Gaining Access – Now Mr. X knows the network, active hosts, services running, details of the operating system and the vulnerabilities present. Next, Mr. X would gain access to the assets of TaxiCompany. Mr. X now has several options to penetrate the network. He can send a “phishing mail” to some key people (contacted using social engineering) and trick them into clicking a malicious link (which asks for a username and password). Alternately, he could try tricking them into downloading a malicious attachment and installing a keylogger to capture all their keystrokes. This is a fairly easy task. There are certain fake mailers like zmail or emkei.cz which allow you to send email to anyone using any email ID as the source address. Emkei is a very popular and useful tool for sending fake email and running phishing campaigns. One can design a mail looking exactly like the original one, from the same email ID, and trick someone into clicking or downloading something. Designing a phishing page or creating a malicious file is also possible using “Metasploit”. Metasploit allows you to create an exploit, and using msfvenom (or any similar tool) you can attach this exploit to an innocent-looking PDF or Excel file! Once the target user inside TaxiCompany opens this attachment, Mr. X gets a Meterpreter shell and can now access almost everything on the target machine. Mr. X has now successfully gained access to a system within TaxiCompany. Now he is free to navigate the system and the network to get the information he is looking for, or to infect more devices!

Commonly used tools/techniques for gaining access:
Kali Linux: A fully loaded operating system with all the tools, from Wireshark to Metasploit to Burp Suite; it contains everything!
Phishing: A technique where users are lured into clicking or downloading something on their computers. It is also possible by phone call; a common example is fraudsters pretending to be from a bank and asking for card details and an OTP.

4. Maintaining Access – Once Mr. X has gained access, he would probably like to secure that access or create another one to ensure that he has persistent access to that machine. This could be done using Trojans, rootkits and backdoors. This is generally done to ensure that more information can be gained, or to launch attacks using this machine. In a case where an attacker controls a machine and uses it to launch further attacks, the machine is said to be a bot. An attacker uses several of these bots, called a ‘botnet’, to launch attacks such as Distributed Denial of Service (DDoS), wherein thousands of requests are sent to a server at a time, potentially consuming all the bandwidth and forcing the legitimate traffic to drop.

5. Covering Tracks – Now Mr. X has access to TaxiCompany’s confidential information and one of its computer systems. He now wants to make sure that he is not caught! This is generally done by corrupting or deleting the logs. While this is done at the end, some precautions need to be taken from the onset, such as using a Virtual Private Network, or VPN. A VPN is a tool which encrypts any data between the source and the destination, hence making it very difficult to intercept the data. Also, a VPN ensures that your actual public IP address is not visible to the target. There is always a dummy IP address which is visible to the target. So even if someone gets to know the IP of the attacker, that would actually only be the IP address of the VPN service provider! Some common free VPN tools are Hide my Ass, Nord VPN and Express VPN.

How does the industry view ethical hacking?

Ethical hacking is not only about CTFs, HTB and bug bounties. It is much more than that. These days every company hires ethical hackers to make sure that their network, applications and data are secure from cyberattacks. Penetration testers are highly paid within an organization and they play a key role in identifying security vulnerabilities and helping to fix them. There are various sub-domains of ethical hacking, which include mobile security, web application security, network penetration testing, API security and system security.

Certifications related to ethical hacking

If you want to pursue a career in Cyber Security, or to be more precise, in ethical hacking, having a credential is helpful. It affirms your prowess in cyber security and gives you an edge over your counterparts during the hiring process. Below are a few certifications in the field of ethical hacking that are globally acknowledged:

EC-Council Certified Ethical Hacker (CEH) – The CEH, or Certified Ethical Hacker credential, is the number one certification that any aspiring ethical hacker should aspire towards. The most common certification in the field of cyber security, it provides in-depth working knowledge about ethical hacking and the concepts related to it.
CompTIA Security+ – A little less technical than the CEH, CompTIA Security+ aims at imparting fundamental knowledge of security concepts and offers less focus on practical, hands-on skills.
Offensive Security’s OSCP – One of the toughest and most reputed certifications in this sector, it necessitates passing a 24-hour exam and aims to test your skill set and understanding of cyber security.

KnowledgeHut offers in-depth training that can help you prep for these sought-after certification exams. Get guidance from the experts: click here to explore ways to crack these exams at your very first attempt!