Chapter 2. The Technical Foundations of Hacking

This chapter covers the following topics:

  • The Hacking Process: An ethical hacker should understand the goals, motivations, and techniques used by hackers. Consider this phrase: The best way to beat hackers is to understand the way they think.

  • The Ethical Hacker’s Process: Although the process is similar to what’s used by hackers, there are key differences. One difference is that the ethical hacker operates with permission of the organization. Second, the ethical hacker’s ultimate goal is to secure systems.

  • Information Security Systems and the Stack: Many attacks are based on the misuse of the protocols that are part of the TCP/IP suite of protocols. Therefore, an ethical hacker should have a good understanding of the primary protocols, such as IP, TCP, UDP, ICMP, ARP, DNS, and others.

The Transmission Control Protocol/Internet Protocol (TCP/IP) suite is so dominant and important to ethical hacking that it is given wide coverage in this chapter. Many tools, attacks, and techniques discussed throughout this book are based on the use and misuse of the TCP/IP protocol suite. Understanding its basic functions will advance your security skills. This chapter also spends time reviewing the attacker’s process and some of the better-known methodologies used by ethical hackers.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 2-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Review Questions.”

Table 2-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section          Questions
The Attacker’s Process             1–3
The Ethical Hacker’s Process       4, 5
Security and the Stack             6–10

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.

1. After gaining access to a system, what is the hacker’s next step?

a. Scanning

b. Covering of tracks

c. Escalation of privilege

d. Denial of service

2. What are the two types of reconnaissance?

a. Active and proactive

b. Internal and external

c. Inside and outside

d. Passive and active

3. Phishing, social engineering, and buffer overflows are all typically used at what point in the attacker’s process?

a. Gaining access

b. Backdoors

c. Covering tracks

d. Port scanning

4. Which of the following addresses network security testing?

a. NIST 800-33

b. NIST 800-42

c. NIST 800-115

d. NIST 800-30

5. The OSSTMM is used for which of the following?

a. Open social engineering testing

b. Security training

c. Audits

d. Security assessments

6. A TCP SYN flood attack uses the three-way handshake mechanism. The attacker at system A sends a spoofed SYN packet to the victim at system B. System B responds by sending a SYN/ACK packet to the spoofed system. System A does not reply to system B, leaving victim B hung waiting for a response. Which of the following best describes the status of victim B?

a. Fully open

b. Half open

c. Session fully established

d. Half closed

7. IPv6 addresses are how long?

a. 2 bytes

b. 4 bytes

c. 64 bytes

d. 128 bits

8. You have been asked to analyze the SOA record from a targeted company and identify how long any DNS poisoning would last. The values from the SOA record are 2003080: 172800: 900: 1209600: 3600. Which of the following describes how long DNS poisoning would last?

a. 3600

b. 900

c. 1209600

d. 2003080

9. An ICMP type 8 is which of the following?

a. Ping message

b. Unreachable message

c. TTL failure message

d. Redirect message

10. The four steps of the IPv6 DHCP process can be abbreviated as which of the following?

a. SORA

b. DOSA

c. SARR

d. DORA

Foundation Topics

The Hacking Process

Attackers follow a fixed methodology. To beat a hacker, you have to think like one, so it’s important to understand the methodology. The steps a hacker follows can be broadly divided into six phases, which include pre-attack and attack phases:

  • Performing reconnaissance and footprinting

  • Scanning and enumeration

  • Gaining access

  • Escalation of privilege

  • Maintaining access

  • Covering tracks and placing backdoors

Note

A denial of service (DoS) might be included in the preceding steps if the attacker has no success in gaining access to the targeted system/network or simply seeks to extort money or cause an outage.

Let’s look at each of these phases in more detail so that you better understand the steps.

Performing Reconnaissance and Footprinting

Reconnaissance is considered the first pre-attack phase and is a systematic attempt to locate, gather, identify, and record information about the target. The hacker seeks to find out as much information as possible about the victim. This first step is considered passive information gathering. For example, many of you have probably seen a detective movie in which the police officer waits outside a suspect’s house all night and then follows him from a distance when the suspect leaves in the car. That’s reconnaissance; it is passive in nature, and if done correctly, the target never even knows it is occurring.

Hackers can gather information in many ways, and the information they obtain allows them to formulate a plan of attack. Some hackers might dumpster dive to find out more about the victim. Dumpster diving is the act of going through the victim’s trash. If the organization does not have good media control policies, many types of sensitive information will probably go directly into the trash. Organizations should instruct employees to shred sensitive information or dispose of it in an approved way. Don’t think that you are secure if you do not take adequate precautions with paper documents.

Another favorite of the hacker is social engineering. A social engineer is a person who can smooth talk other individuals into revealing sensitive information. This might be accomplished by calling the help desk and asking someone to reset a password or by sending an email to an insider telling him he needs to reset an account.

If the hacker is still struggling for information, he can turn to what many consider the hacker’s most valuable reconnaissance tool: the Internet. That’s right; the Internet offers the hacker a multitude of possibilities for gathering information. Let’s start with the company website. The company website might have key employees listed, technologies used, and job listings (probably detailing software and hardware types used), and some sites even have databases with employee names and email addresses.

Note

Good security policies are the number one defense against reconnaissance attacks. They are discussed in more detail in Chapter 1, “An Introduction to Ethical Hacking.”

Scanning and Enumeration

Scanning and enumeration is considered the second pre-attack phase. Scanning is the active step of attempting to connect to systems to elicit a response. Enumeration is used to gather more in-depth information about the target, such as open shares and user account information.

At this step in the methodology, the hacker is moving from passive information gathering to active information gathering. Hackers begin injecting packets into the network and might start using scanning tools such as Nmap. The goal is to map open ports and applications. The hacker might use techniques to lessen the chance that he will be detected by scanning at a very slow rate. For example, instead of checking for all potential applications in just a few minutes, the scan might be set to run slowly and take days to verify what applications are running. Many organizations use intrusion detection systems (IDS) to detect port scans. Don’t think that the hacker will be content with just mapping open ports. He will soon turn his attention to grabbing banners. He will want to get a good idea of what type or version of software applications the organization is running. And he will keep a sharp eye out for down-level software and applications that have known vulnerabilities. An example of down-level software is Windows XP. Down-level software is of interest to the attacker because it’s old. The older something is, the more likely that many vulnerabilities have been found. If they have not been patched, they represent a juicy target for the attacker. A quick visit to a site such as the exploit database at http://www.exploit-db.com can reveal potential exploitable code.

Note

Applying the concept of deny all means that by default all services and applications are blocked. Only after a service is approved is it allowed. This concept can help reduce the effectiveness of the hacker’s activities at this step.

Unlike the elite nation-state hacker who attempts to remain stealthy, script kiddies might even use vulnerability scanners such as OpenVAS to scan a victim’s network. Programs such as OpenVAS are designed to find vulnerabilities but are not designed to be a hacking tool; therefore, they generate a large amount of detectable network traffic.

Tip

One disadvantage of vulnerability scanners is that they are very “noisy” and can be detected.
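The scanning section above notes that organizations rely on IDS to spot port scans, and that a careful attacker slows the scan down to stay under the radar. The following script is an added example (not code from the book) of the defender's side of that trade-off: it reads constructed connection-log lines, counts the distinct destination ports each source touches inside a sliding time window, and flags sources that exceed a threshold. The log format, IP addresses and thresholds are all assumptions made for the example; the point it demonstrates is that a 60-second window catches the noisy scanner but misses the slow one, while a longer window catches both.

```python
"""Port-scan detection over constructed connection-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines, not real captures. Shape: "<timestamp> <src> -> <dst>:<port> <verdict>".
#   203.0.113.5  probes eight ports within eight seconds (a noisy scanner),
#   198.51.100.7 probes the same eight ports ten minutes apart (a slow scanner),
#   192.0.2.50   is an ordinary web client talking to ports 80 and 443.
PROBED_PORTS = [21, 22, 23, 25, 53, 80, 110, 445]
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} 203.0.113.5 -> 192.0.2.10:{p} DROP"
     for i, p in enumerate(PROBED_PORTS)]
    + [f"2024-05-01T{10 + i // 6:02d}:{(i * 10) % 60:02d}:00 198.51.100.7 -> 192.0.2.10:{p} DROP"
       for i, p in enumerate(PROBED_PORTS)]
    + ["2024-05-01T10:00:03 192.0.2.50 -> 192.0.2.10:80 ACCEPT",
       "2024-05-01T10:00:04 192.0.2.50 -> 192.0.2.10:443 ACCEPT",
       "2024-05-01T10:05:00 192.0.2.50 -> 192.0.2.10:80 ACCEPT"]
)


def parse_line(line):
    """Return (timestamp, source IP, destination port) for one constructed log line."""
    ts, src, _arrow, dst, _verdict = line.split()
    _host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, int(port)


def detect_scanners(log_text, window, threshold):
    """Map each source that reaches >= threshold distinct destination ports
    inside some sliding window of length `window` to the ports that tripped it."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, port = parse_line(line)
            events[src].append((ts, port))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t_end, _port) in enumerate(hits):
            # Distinct ports touched in the window that ends at this event.
            ports = {p for t, p in hits[: i + 1] if t >= t_end - window}
            if len(ports) >= threshold:
                flagged[src] = ports
                break
    return flagged


if __name__ == "__main__":
    fast = detect_scanners(SAMPLE_LOG, timedelta(seconds=60), threshold=6)
    slow = detect_scanners(SAMPLE_LOG, timedelta(hours=2), threshold=6)
    print("60-second window:", sorted(fast))   # only the noisy scanner
    print("2-hour window:  ", sorted(slow))    # noisy and slow scanners
```

The window length is the knob that matters: a detector tuned only for bursts is exactly what a slow scan is designed to walk past, so production IDS rules typically keep per-source port counts over hours or days as well as seconds. The threshold also needs headroom for legitimate multi-port clients such as the web client in the sample, which never exceeds two distinct ports.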

Gaining Access

As far as potential damage, gaining access could be considered one of the most important steps of an attack. This phase of the attack occurs when the hacker moves from simply probing the network to actually attacking it. After the hacker has gained access, he can begin to move from system to system, spreading his damage as he progresses.

Access can be achieved in many ways. A hacker might find an open wireless access point that allows him a direct connection, or he might trick the help desk into giving him the phone number for a modem used for out-of-band management. Access could be gained by finding a vulnerability in a web application that he knows the organization uses. The hacker may then infect the web application with malware, knowing that eventually some member of the targeted group will get infected. This particular technique is known as a watering-hole attack, because the hacker knows that victims routinely go to the web application like animals routinely go to a watering hole.

If the hacker is confident in her social engineering abilities, she might even walk in the front door and tell the receptionist that she is late for a meeting and will wait in the conference room, hoping that it has network access. Pity the poor receptionist who unknowingly provides network access to a malicious hacker. These things do happen to the company that has failed to establish good security practices and procedures.

The factors that determine the method that hackers use to access the network ultimately come down to their skill levels, amount of access they achieve, network architecture, and configuration of the victim’s network.

Escalation of Privilege

Although the hacker is probably happy that he has access, don’t expect him to stop what he is doing with only a “Joe user” account. Just having the access of an average user probably won’t give him much control or access to the network. Therefore, the attacker will attempt to escalate himself to domain administrator or root privilege. After all, these are the individuals who control the network, and that is the type of power the hacker seeks.

Privilege escalation can occur because a bug, misconfiguration, or vulnerability in an application or operating system enables a hacker to gain access to resources that normally would have been protected from an average user. The end result of privilege escalation is that the application performs actions that are running within a higher security context than intended by the designer, and the hacker is granted full access and control.

Maintaining Access

Would you believe that hackers are paranoid people? Well, many are, and they worry that their evil deeds might be uncovered. They are diligent at working on ways to maintain access to the systems they have attacked and compromised. They might attempt to pull down the /etc/passwd file or steal other passwords so that they can access other users’ accounts.

Rootkits are one option for hackers. A rootkit is a set of tools used to help the attacker maintain his access to the system and use it for malicious purposes. Rootkits have the capability to mask the hacker, hide his presence, and keep his activity secret.

Sometimes hackers might even fix the original problem that they used to gain access so that they can keep the system to themselves. After all, who wants other hackers around to spoil the fun? Sniffers are yet another option for the hacker and can be used to monitor the activity of legitimate users. At this point, hackers are free to upload, download, or manipulate data as they see fit.

Covering Tracks and Planting Backdoors

Nothing happens in a void, and that includes computer crime. Hackers are much like other criminals in that they would like to be sure to remove all evidence of their activities. This might include using rootkits or other tools to cover their tracks. Other hackers might hunt down log files and attempt to alter or erase them.

Hackers must also be worried about the files or programs they leave on the compromised system. File-hiding techniques, such as hidden directories, hidden attributes, and alternate data streams (ADS), can be used. An attacker may grep log files on a Linux computer to remove suspicious entries or use software to remove log files on Windows computers. As an ethical hacker, you need to be aware of these tools and techniques to discover their activities and to deploy adequate countermeasures.

Backdoors are methods that the hacker can use to reenter the computer at will. At this point, what is important is to identify the steps.

The Ethical Hacker’s Process

As an ethical hacker, you will follow a similar process to one that an attacker uses. The stages you progress through will map closely to those the hacker uses, but you will work with the permission of the company and will strive to “do no harm.” The ethical hacking steps usually include the following:

  • Permission: Obtaining written permission from the person authorized to provide it.

  • Reconnaissance: Can be both passive and active.

  • Scanning: Can include the use of port-scanning tools and network mappers.

  • Gaining access: The entry point into the network, application, or system.

  • Maintaining access: Techniques used to maintain control such as escalation of privilege.

  • Covering tracks: Covering tracks and clearing logs are activities normally performed at this step.

  • Reporting: Writing the report and listing your findings.

By ethical hacking and assessing the organization’s strengths and weaknesses, you will perform an important service in helping secure the organization. The methodology used to secure an organization can be broken down into five key steps. Ethical hacking is addressed in the first step:

Step 1. Assessment: Ethical hacking, penetration testing, and hands-on security tests.

Step 2. Policy development: Development of policy based on the organization’s goals and mission. The focus should be on the organization’s critical assets.

Step 3. Implementation: The building of technical, operational, and managerial controls to secure key assets and data.

Step 4. Training: Employees need to be trained to follow policy and how to configure key security controls, such as IDSs and firewalls.

Step 5. Audit: Auditing involves periodic reviews of the controls that have been put in place to provide good security. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) specify that this should be done yearly.

All hacking basically follows the same six-step methodology discussed in the previous section: reconnaissance, scanning and enumeration, gaining access, escalation of privilege, maintaining access (placing backdoors), and covering tracks.

Is this all you need to know about methodologies? No, different organizations have developed diverse ways to address security testing, and you should be aware of some basic variations. These include

  • National Institute of Standards and Technology (NIST) Special Publication 800-115, Technical Guide to Information Security Testing and Assessment

  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)

  • Open Source Security Testing Methodology Manual (OSSTMM)

Each is discussed in turn next.

NIST SP 800-115

NIST has developed many standards and practices for good security. The NIST SP 800-115 method of security assessment is divided into four basic stages:

  1. Planning

  2. Discovery

  3. Attack

  4. Reporting

NIST SP 800-115 is just one of several documents available to help guide you through an assessment. Find out more at https://www.nist.gov/publication-type/nist-pubs.

Operationally Critical Threat, Asset, and Vulnerability Evaluation

OCTAVE focuses on organizational risk and strategic practice-related issues. OCTAVE is driven by operational risk and security practices. OCTAVE is self-directed by a small team of people from the organization’s operations and business units, and the IT department. The goal of OCTAVE is to get departments to work together to address the security needs of the organization. The team uses the experience of existing employees to define security, identify risks, and build a robust security strategy. The three versions of OCTAVE are OCTAVE Original, OCTAVE-S, and OCTAVE Allegro (which was developed by the Software Engineering Institute [SEI]). Find out more at www.cert.org/octave.

Open Source Security Testing Methodology Manual

One well-known open source methodology is the OSSTMM. The OSSTMM divides security assessment into six key points known as sections:

  • Defining a security test

  • Data networks security testing

  • Human security testing

  • Physical security testing

  • Telecommunications security testing

  • Wireless security testing

The OSSTMM gives metrics and guidelines as to how many man-hours a particular assessment will require. Anyone serious about learning more about security assessment should review this documentation. The OSSTMM outlines what to do before, during, and after a security test. Find out more at http://www.isecom.org/osstmm. Version 3 is currently available and version 4 is in draft.

Information Security Systems and the Stack

To really understand many of the techniques and tools that hackers use, you need to understand how systems and devices communicate. Hackers understand this, and many think outside the box when planning an attack or developing a hacking tool. For example, TCP uses flags to communicate, but what if a hacker sends TCP packets with no flags set? Sure, it breaks the rules of the protocol, but it might allow the attacker to elicit a response to help identify the server. As you can see, having the ability to know how a protocol, service, or application works and how it can be manipulated can be beneficial.

The OSI model and TCP/IP are discussed in the next sections. Pay careful attention to the function of each layer of the stack, and think about what role each layer plays in the communication process.

The OSI Model

Once upon a time, the world of network protocols was much like the Wild West. Everyone kind of did his or her own thing, and if there was trouble, there would be a shootout on Main Street. Trouble was, you never knew whether you were going to get hit by a stray bullet. Luckily, the IT equivalent of the sheriff and mayor came to town to establish rules and regulations: the International Standards Organization (ISO). The ISO was convinced that there needed to be order and developed the Open Systems Interconnection (OSI) model in 1984. The model is designed to provide order by specifying a hierarchy in which each layer builds on the output of each adjacent layer. Although its role as sheriff was not widely accepted by all, the model is still used today as a guide to describe the operation of a networking environment.

There are seven layers of the OSI model: the application, presentation, session, transport, network, data link, and physical layers. The seven layers of the OSI model are shown in Figure 2-1, which overviews data moving between two systems up and down the stack, and are described in the following list:

Schematic representation of OSI model between two users is shown.

Figure 2-1 The OSI Model

  • Application layer: Layer 7 is known as the application layer. Recognized as the top layer of the OSI model, this layer serves as the window for application services. The application layer is one that most users are familiar with because it is the home of email programs, FTP, Telnet, web browsers, and office productivity suites, as well as many other applications. It is also the home of many malicious applications such as viruses, worms, Trojan horse programs, and other virulent programs.

  • Presentation layer: Layer 6 is known as the presentation layer. The presentation layer is responsible for taking data that has been passed up from lower levels and putting it into a format that application layer programs can understand. These common formats include American Standard Code for Information Interchange (ASCII), Extended Binary-Coded Decimal Interchange Code (EBCDIC), and American National Standards Institute (ANSI). From a security standpoint, the most critical process handled at this layer is encryption and decryption. If properly implemented, this can help secure data in transit.

  • Session layer: Layer 5 is known as the session layer. Its functionality is put to use when creating, controlling, or shutting down a TCP session. Items such as TCP connection establishment and teardown occur here. Session layer protocols include items such as Remote Procedure Call and SQL*Net from Oracle. From a security standpoint, the session layer is vulnerable to attacks such as session hijacking. A session hijack can occur when a legitimate user has his session stolen by a hacker. This is discussed in detail in Chapter 6, “Sniffers, Session Hijacking, and Denial of Service.”

  • Transport layer: Layer 4 is known as the transport layer. The transport layer ensures completeness by handling end-to-end error recovery and flow control. Transport layer protocols include TCP, a connection-oriented protocol, as well as User Datagram Protocol (UDP), a connectionless protocol. TCP provides reliable communication through the use of handshaking, acknowledgments, error detection, and session teardown. UDP offers speed and low overhead as its primary advantage. Security concerns at the transport layer include synchronize (SYN) attacks, denial of service (DoS), and buffer overflows.

  • Network layer: Layer 3 is known as the network layer. This layer is concerned with logical addressing and routing. The network layer is the home of the Internet Protocol (IP), which makes a best effort at delivery of datagrams from their source to their destination. IP uses an IP ID (IPID) to handle fragmentation. The IPID and more bit are used to track and reassemble fragmented traffic. The last fragment will have the more bit turned off. This value can be misused in some scans to bounce traffic off of a secondary victim. Security concerns at the network level include route poisoning, DoS, spoofing, and fragmentation attacks. Route poisoning is the alteration of routing tables. Spoofing is a person or process emulating another person or process. Fragmentation attacks occur when hackers manipulate datagram fragments to overlap in such a way to crash the victim’s computer. IPsec is a key security service available at this layer.

  • Data link layer: Layer 2 is known as the data link layer. The data link layer is responsible for formatting and organizing the data before sending it down to the physical layer or up to the network layer. Each layer in the OSI model breaks down or adds to the results of the layer above and below it. The data link layer organizes the data into frames. A frame is a logical structure in which data can be placed; it’s a packet on the wire. When a frame reaches the target device, the data link layer is responsible for stripping off the data frame and passing the data packet up to the network layer. The data link layer is made up of two sublayers: the logical link control (LLC) layer and the media access control (MAC) layer. You might be familiar with the MAC layer; it shares its name with the MAC addressing scheme. These 6-byte (48-bit) addresses are used to uniquely identify each device on the local network. A major security concern of the data link layer is the Address Resolution Protocol (ARP) process. ARP is used to resolve known network layer addresses to unknown MAC addresses. ARP is a trusting protocol and, therefore, can be used by hackers for ARP poisoning, which can allow them access to traffic on switches they should not have.

  • Physical layer: Layer 1 is known as the physical layer. At Layer 1, bit-level communication takes place. The bits have no defined meaning on the wire, but the physical layer defines how long each bit lasts and how it is transmitted and received. From a security standpoint, you must be concerned anytime a hacker can get physical access. By accessing a physical component of a computer network—such as a computer, switch, or cable—the attacker might be able to use a hardware or software packet sniffer to monitor traffic on that network. Sniffers enable attackers to capture and decode packets. If no encryption is being used, a great deal of sensitive information might be directly available to the hacker.

Tip

For the exam, make sure that you know which attacks and defenses are located on each layer. As an example, at what layer does ARP occur?
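The data link layer entry above explains that ARP is a trusting protocol and that ARP poisoning lets an attacker see switched traffic he should not. Detection is usually a matter of watching for IP-to-MAC mappings that change or for one MAC that suddenly answers for several IPs, which is what tools such as arpwatch do. The script below is an added example written for this chapter, not code from the book or from any tool it names; the ARP replies it processes are constructed, and the gateway address, MAC values and timestamps are assumptions made for the illustration.

```python
"""Flag ARP-table changes that look like ARP poisoning (added example)."""
from collections import defaultdict

# Constructed ARP replies seen on one segment, as (time, sender IP, sender MAC).
# 192.0.2.1 is the default gateway. At 10:02:00 a second MAC starts answering
# for it, and a second later that same MAC also answers for a workstation.
ARP_REPLIES = [
    ("10:00:00", "192.0.2.1", "00:11:22:33:44:01"),
    ("10:00:05", "192.0.2.20", "00:11:22:33:44:20"),
    ("10:01:00", "192.0.2.1", "00:11:22:33:44:01"),   # gateway re-announces, same MAC
    ("10:02:00", "192.0.2.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by another MAC
    ("10:02:01", "192.0.2.20", "de:ad:be:ef:00:99"),  # same MAC now claims a host as well
]


def audit_arp(replies, baseline=None):
    """Return alerts for IP->MAC changes and for MACs that claim several IPs.

    `baseline` is an optional trusted {ip: mac} table (e.g. the gateway entry);
    every other mapping is learned from its first sighting and kept, so a
    later reply with a different MAC is reported rather than silently accepted."""
    table = dict(baseline or {})
    ips_per_mac = defaultdict(set)
    alerts = []
    for when, ip, mac in replies:
        mac = mac.lower()
        if ip not in table:
            table[ip] = mac                      # first sighting: learn it
        elif table[ip] != mac:
            alerts.append({"type": "mac-change", "time": when, "ip": ip,
                           "old": table[ip], "new": mac})
        claimed = ips_per_mac[mac]
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > 1:                 # report only when the set grows
                alerts.append({"type": "multi-ip", "time": when, "mac": mac,
                               "ips": sorted(claimed)})
    return alerts


if __name__ == "__main__":
    for alert in audit_arp(ARP_REPLIES):
        print(alert)
```

Two caveats a practitioner would add: a legitimate change such as a replaced NIC or a DHCP lease handed to a new machine also produces a mac-change alert, so the baseline for critical addresses (gateway, DNS, DHCP servers) should be pinned from an authoritative source rather than learned; and the real fix at this layer is dynamic ARP inspection or static entries on the switch, with monitoring like this as the detective control behind it.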

Anatomy of TCP/IP Protocols

Four main protocols form the core of TCP/IP: the Internet Protocol (IP), the Transmission Control Protocol (TCP), the User Datagram Protocol (UDP), and the Internet Control Message Protocol (ICMP). These protocols are essential components that must be supported by every device that communicates on a TCP/IP network. Each protocol serves a distinct purpose and is worthy of further discussion. Figure 2-2 shows the four layers of the TCP/IP stack. The figure lists the application, host-to-host, Internet, and network access layers and describes the function of each.

Illustration of the TCP/IP Stack.

Figure 2-2 The TCP/IP Stack

TCP/IP is the foundation of all modern networks. In many ways, you can say that TCP/IP has grown up along with the development of the Internet. Its history can be traced back to standards adopted by the U.S. Department of Defense (DoD) in 1982. Originally, the TCP/IP model was developed as a flexible, fault-tolerant set of protocols that were robust enough to avoid failure should one or more nodes go down. After all, the network was designed to these specifications to withstand a nuclear strike, which might destroy key routing nodes. The designers of this original network never envisioned the Internet we use today.

Because TCP/IP was designed to work in a trusted environment, many TCP/IP protocols are now considered insecure. For example, Telnet is designed to mask the password on the user’s screen, because the designers didn’t want shoulder surfers stealing a password; however, the password is sent in clear text on the wire. Little concern was ever given to the fact that an untrustworthy party might have access to the wire and be able to sniff the clear-text password. Most networks today run TCP/IPv4. Many security mechanisms in TCP/IPv4 are add-ons to the original protocol suite. As the layers are stacked one atop another, encapsulation takes place. Encapsulation is the technique of layering protocols in which one layer adds a header to the information from the layer above. Figure 2-3 shows an example of this. This screenshot from a sniffer program has UDP highlighted.

A screenshot of wireshark is depicted.

Figure 2-3 Encapsulation

Note

A lot of free packet-sniffing utilities are available on the Internet. Consider evaluating Wireshark for Windows, OS X, or Linux. Wireshark can help you learn more about encapsulation and packet structure. Wireshark is one of the tools you can expect to see on the CEH exam.
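Encapsulation, as described above, is each layer prepending its own header to what the layer above handed it, and a sniffer such as Wireshark simply reverses that process. The following added example (written for this chapter, not code from the book or from Wireshark) does both directions for an Ethernet/IPv4/UDP frame with Python's standard library: build_frame wraps a payload in a UDP header, then an IPv4 header, then an Ethernet header, and parse_frame peels them off again, verifying the IPv4 header checksum on the way. It also decodes the IP ID, the "more fragments" bit and the fragment offset that the OSI network-layer discussion mentions, which goes a little beyond Figure 2-3. The MAC addresses, IP addresses, ports and payload are constructed values; UDP checksum zero (meaning "none") is used because IPv4 permits it.

```python
"""Build and peel an Ethernet/IPv4/UDP frame to show encapsulation (added example)."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words (returns 0 for a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload,
                ip_id=0x1234, more_fragments=False, frag_offset=0):
    """Encapsulate: payload -> UDP segment -> IPv4 packet -> Ethernet frame."""
    # UDP header: source port, destination port, length, checksum (0 = not computed).
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    # IPv4 flags/fragment field: bit 13 is "more fragments", low 13 bits are offset / 8.
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, flags_frag,
                     64, IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]   # fill in header checksum
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + udp


def parse_frame(frame):
    """De-encapsulate: strip each header in turn and return what every layer carried."""
    dst_mac, src_mac = frame[:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: ethertype 0x%04x" % ethertype)
    packet = frame[14:]
    (vihl, _tos, total_len, ip_id, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header or checksum")
    segment = packet[ihl:total_len]
    layers = {
        "ethernet": {"src": src_mac, "dst": dst_mac},
        "ip": {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
               "id": ip_id, "df": bool(flags_frag & 0x4000),
               "mf": bool(flags_frag & 0x2000), "offset": (flags_frag & 0x1FFF) * 8},
    }
    if proto == IPPROTO_UDP and layers["ip"]["offset"] == 0:
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", segment[:8])
        layers["udp"] = {"sport": sport, "dport": dport, "payload": segment[8:ulen]}
    else:
        layers["raw"] = segment   # later fragments and other protocols carry no UDP header
    return layers


if __name__ == "__main__":
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        "192.0.2.10", "198.51.100.53", 40000, 53, b"query")
    print(len(frame), "bytes:", parse_frame(frame))
```

Only the first fragment of a datagram carries the UDP header, which is why the parser reports later fragments as raw bytes; a receiver has to reassemble by IP ID before it can hand anything to the transport layer, and that reassembly logic is exactly what the fragmentation attacks mentioned for the network layer try to confuse.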

Let’s take a look at each of the four layers of TCP/IP and discuss some of the security concerns associated with each layer and specific protocols. The four layers of TCP/IP are as follows:

  • The application layer

  • The transport or host-to-host layer

  • The Internet layer

  • The network access layer

The Application Layer


The application layer sits at the top of the protocol stack. This layer is responsible for application support. Applications are usually mapped not by name, but by their corresponding port. Ports are placed into TCP and UDP packets so that the correct application can be passed to the required protocols below.

Although a particular service might have an assigned port, nothing specifies that services cannot listen on another port. A common example of this is Simple Mail Transfer Protocol (SMTP). Its assigned port is 25. Your cable company might block port 25 in an attempt to keep you from running a mail server on your local computer; however, nothing prevents you from running your mail server on another local port. The primary reason services have assigned ports is so that a client can easily find that service on a remote host. For example, FTP servers listen at port 21, and Hypertext Transfer Protocol (HTTP) servers listen at port 80. Client applications, such as a File Transfer Protocol (FTP) program or browser, use randomly assigned ports usually greater than 1023.

There are approximately 65,000 ports; they are divided into well-known ports (0–1023), registered ports (1024–49151), and dynamic ports (49152–65535). Although there are hundreds of ports and corresponding applications in practice, fewer than a hundred are in common use. Table 2-2 lists the most common. These are some of the ports that a hacker would look for first on a victim’s computer systems.

Table 2-2 Common Ports and Protocols

Port      Service       Protocol
20/21     FTP           TCP
22        SSH           TCP
23        Telnet        TCP
25        SMTP          TCP
53        DNS           TCP/UDP
67/68     DHCP          UDP
69        TFTP          UDP
79        Finger        TCP
80        HTTP          TCP
88        Kerberos      UDP
110       POP3          TCP
111       SUNRPC        TCP/UDP
135       MS RPC        TCP/UDP
139       NB Session    TCP/UDP
161       SNMP          UDP
162       SNMP Trap     UDP
389       LDAP          TCP
443       SSL           TCP
445       SMB over IP   TCP/UDP
514       Syslog        UDP
1433      MS-SQL        TCP

Tip

The CEH exam will expect you to know common ports and what services they are tied to.

Blocking these ports if they are not needed is a good idea, but it’s better to practice the principle of least privilege. The principle of least privilege means that you give an entity the least amount of access to perform its job and nothing more. If a port is not being used, you should close it. Remember that security is a never-ending process; just because the port is closed today doesn’t mean that it will be closed tomorrow. You want to periodically test for open ports. Not all applications are created equally. Although some, such as Secure Shell (SSH), are relatively secure, others, such as Telnet, are not. The following list discusses the operation and security issues of some of the common applications:

  • File Transfer Protocol (FTP): FTP is a TCP service and operates on ports 20 and 21. This application is used to move files from one computer to another. Port 20 is used for the data stream and transfers the data between the client and the server. Port 21 is the control stream and is used to pass commands between the client and the FTP server. Attacks on FTP target misconfigured directory permissions and compromised or sniffed clear-text passwords. FTP is one of the most commonly hacked services.

  • Dynamic Host Configuration Protocol (DHCP): DHCP is used to assign IP addresses to devices connected to a network. It uses port 67 and port 68. DHCPv4 consists of four steps: discover, offer, request, and acknowledge (DORA). DHCPv6 uses four different steps: solicit, advertise, request, and reply (SARR). Both versions communicate via UDP.

  • Telnet: Telnet is a TCP service that operates on port 23. Telnet enables a client at one site to establish a session with a host at another site. The program passes the information typed at the client’s keyboard to the host computer system. Although Telnet can be configured to allow anonymous connections, it should be configured to require usernames and passwords. Unfortunately, even then, Telnet sends them in clear text. When a user is logged in, he or she can perform any allowed task. Applications such as SSH should be considered as a replacement. SSH is a secure replacement for Telnet and does not pass clear-text usernames and passwords.

  • Simple Mail Transfer Protocol (SMTP): This application is a TCP service that operates on port 25. It is designed for the exchange of email between networked systems. Messages sent through SMTP have two parts: an address header and the message text. All types of computers can exchange messages with SMTP. Spoofing and spamming are two of the vulnerabilities associated with SMTP.

  • Simple Network Management Protocol (SNMP): This application is a UDP service that receives requests on UDP port 161. The SNMP manager receives notifications, traps, and information requests on UDP port 162. SNMP allows agents to gather information, including network statistics, and report back to their management stations. Most large corporations have implemented some type of SNMP management. Some of the security problems that plague SNMP are caused by the fact that community strings can be passed as clear text and that the default community strings (public/private) are well known. SNMP version 3 is the most current, and it offers encryption for more robust security.

  • Domain Name System (DNS): This application operates on port 53 and performs address translation. Although we don’t always realize the role DNS plays, it serves a critical function in that it converts fully qualified domain names (FQDN) into a numeric IP address or IP addresses into FQDNs. If someone were to bring down DNS, the Internet would continue to function, but it would require that Internet users know the IP address of every site they want to visit. For all practical purposes, the Internet would be unusable without DNS.

Tip

For the exam, you may be asked about a specific application port. As an example, SNMP uses UDP on ports 161 and 162.

The DNS database consists of one or more zone files. Each zone is a collection of structured resource records. Common record types include the Start of Authority (SOA) record, A record (IPv4), AAAA record (IPv6), CNAME record, NS record, PTR record, and the MX record. There is only one SOA record in each zone database file. It describes the zone namespace. The last entry in the SOA record is the timeout value. This can be used by attackers to tell how long DNS poisoning will last. The A record is the most common; it contains IP addresses and names of specific hosts. The CNAME record is an alias. For example, the LulzSec hacker Hector Xavier Monsegur went by the alias of Sabu. The NS record lists the IP address of other name servers. An MX record is a mail exchange record. This record has the IP address of the server where email should be delivered.

Hackers can target DNS servers with many types of attacks. One such attack is DNS cache poisoning. This type of attack sends fake entries to a DNS server to corrupt the information stored there. DNS can also be susceptible to DoS attacks and to unauthorized zone transfers. DNS uses UDP for DNS queries and TCP for zone transfers. Because of vulnerabilities in DNS, the Internet Engineering Task Force (IETF) developed Domain Name System Security Extensions (DNSSEC). DNSSEC is designed to provide origin authentication of DNS data.

Nslookup is the command-line tool typically used for querying DNS to obtain domain name or IP address mapping. On Linux computers, the host command can be used to look up DNS records. The command syntax is as follows: host [-c class] [-N ndots] [-R number] [-t type] [-W wait] [-m flag] [-4] [-6] {name} [server].

Tip

The CEH exam will expect you to understand that there are two DNS services involved: name resolvers, which simply answer requests; and authoritative servers, which hold DNS records for a given namespace.

Tip

The CEH exam will expect you to know common DNS record types, such as that A records are associated with IPv4 addresses and that AAAA records are associated with IPv6 addresses.

  • Trivial File Transfer Protocol (TFTP): TFTP operates on port 69. It is considered a down-and-dirty version of FTP because TFTP uses UDP to reduce overhead. Not only does it forgo the session management offered by TCP, it also requires no authentication, which can pose a big security risk. It is used to transfer router configuration files and is used by cable companies to configure cable modems.

  • Hypertext Transfer Protocol (HTTP): HTTP is a TCP service that operates on port 80. This is one of the most well-known applications. HTTP has helped make the Web as popular as it is today. The HTTP connection model is known as a stateless connection. HTTP uses a request/response protocol in which a client sends a request and a server sends a response. Attacks that exploit HTTP can target the server, the browser, or scripts that run in the browser. Code Red is an example of code that targeted a web server.

Note

You need a basic understanding of these applications’ strengths and weaknesses for the exam.

The Transport Layer

The transport layer provides end-to-end delivery. Two primary protocols (TCP and UDP) are located at the host-to-host layer.

Transmission Control Protocol

TCP enables two hosts to establish a connection and exchange data reliably. To do this, TCP performs a three-step handshake before data is sent. During the data-transmission process, TCP guarantees delivery of data by using sequence and acknowledgment numbers. At the completion of the data-transmission process, TCP performs a four-step shutdown that gracefully concludes the session. Figure 2-4 shows the startup and shutdown sequences.


Figure 2-4 TCP Operation

TCP has a fixed packet structure that is used to provide flow control, maintain reliable communication, and ensure that any missing data is re-sent. At the heart of TCP is a 1-byte Flag field. Flags help control the TCP process. Common flags include synchronize (SYN), acknowledgment (ACK), push (PSH), and finish (FIN). Figure 2-5 details the TCP packet structure. TCP security issues include TCP sequence number attacks, session hijacking, and SYN flood attacks. SYN flood attacks leave the server in a half-open state. Programs such as Nmap manipulate TCP flags to attempt to identify active hosts.


Figure 2-5 TCP Packet Structure

The ports shown previously in Table 2-2 identify the source and target application. The sequence and acknowledgment numbers are used to verify that all data has been received and that the packets are assembled in their proper order. Sequence numbers are sometimes manipulated by hackers when attempting a man-in-the-middle attack. The flags are used to manage TCP sessions. The six most common are ACK, PSH, RST, SYN, FIN, and URG. For example, the SYN and ACK flags are used in the three-way handshake, and the RST and FIN flags are used to tear down a connection: FIN is used during a normal four-step shutdown, and RST signals the end of an abnormal session. The checksum is used to ensure that the data is correct, but an attacker can alter a TCP packet and recompute the checksum to make it appear valid. If no flags are set at all, the packet is referred to as NULL, because none are set.

Note

Not all hacking tools play by the rules. Most port scanners can tweak TCP flags and send them in packets that should not normally exist in an attempt to elicit a response from the victim’s server. One such variation is the XMAS tree scan, which sets the SYN, URG, and PSH flags. Another is the NULL scan, which sets no flags in the TCP header.

Tip

The CEH exam may ask you about the structure of the TCP flag field. From left to right, the flags include CWR, ECE, URG, ACK, PSH, RST, SYN, and FIN.
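To make the flag field concrete, here is an added Python example (not code from the book) that decodes the fixed 20-byte TCP header from raw bytes, lists the flags that are set in the order the tip gives them, and labels the combinations the way an intrusion detection rule would, including the NULL and XMAS patterns the note above describes. The header layout follows RFC 793; the sample segments are constructed inside the code.

```python
import struct

# Bits of the 1-byte TCP flag field, left to right as the chapter lists them:
# CWR, ECE, URG, ACK, PSH, RST, SYN, FIN (RFC 793 flags plus the two ECN bits).
TCP_FLAG_BITS = {
    "CWR": 0x80, "ECE": 0x40, "URG": 0x20, "ACK": 0x10,
    "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01,
}


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Build a minimal 20-byte TCP header (no options) as constructed test input."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAG_BITS[name]
    # Upper 4 bits: data offset in 32-bit words (5 = 20 bytes); low byte: the flags.
    offset_and_flags = (5 << 12) | flag_byte
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def parse_tcp_header(segment):
    """Decode the fixed part of a TCP header (Figure 2-5) into its fields."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    (src_port, dst_port, seq, ack, offset_and_flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "data_offset": (offset_and_flags >> 12) * 4,   # header length in bytes
        "flags": [n for n, bit in TCP_FLAG_BITS.items() if offset_and_flags & bit],
        "window": window,
        "checksum": checksum,
        "urgent_pointer": urg_ptr,
    }


def classify_flags(flags):
    """Name a flag combination the way a scan-detection rule would."""
    f = set(flags)
    if not f:
        return "NULL: no flags set, never produced by a normal stack"
    if {"URG", "PSH"} <= f and ({"SYN", "FIN"} & f):
        return "XMAS-style: URG and PSH set together with SYN or FIN"
    if "SYN" in f and ({"FIN", "RST"} & f):
        return "invalid: SYN combined with FIN or RST"
    if f == {"SYN"}:
        return "handshake step 1: SYN"
    if f == {"SYN", "ACK"}:
        return "handshake step 2: SYN/ACK"
    if "RST" in f:
        return "abnormal teardown: RST"
    if "FIN" in f:
        return "normal four-step shutdown: FIN"
    if "ACK" in f:
        return "established: ACK" + (" with PSH (data)" if "PSH" in f else "")
    return "unusual: " + "/".join(sorted(f))


if __name__ == "__main__":
    # Constructed segments: a client SYN, the server's SYN/ACK, and two probe patterns.
    samples = [
        build_tcp_header(51515, 80, 1000, 0, ["SYN"]),
        build_tcp_header(80, 51515, 9000, 1001, ["SYN", "ACK"]),
        build_tcp_header(51516, 80, 0, 0, ["URG", "PSH", "SYN"]),
        build_tcp_header(51517, 80, 0, 0, []),
    ]
    for seg in samples:
        h = parse_tcp_header(seg)
        print(f"{h['src_port']:>5} -> {h['dst_port']:<5} {h['flags']!s:<22} {classify_flags(h['flags'])}")
```

The XMAS rule is written to match the chapter's definition (URG and PSH together with SYN) as well as the FIN variant, since a detector should not depend on one scanner's exact choice; the invalid SYN+FIN/RST check catches other "packets that should not normally exist."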

User Datagram Protocol

UDP performs none of the handshaking processes that we see performed with TCP. Although that makes it considerably less reliable than TCP, it does offer the benefit of speed. It is ideally suited for data that requires fast delivery and is not sensitive to packet loss. UDP is used by services such as Dynamic Host Configuration Protocol (DHCP) and DNS. UDP is easier for attackers to spoof than TCP because it does not use sequence and acknowledgment numbers. Figure 2-6 shows the packet structure of UDP.


Figure 2-6 UDP Packet Structure

The Internet Layer

The Internet layer contains two important protocols: Internet Protocol (IP) versions 4 and 6 and Internet Control Message Protocol (ICMP). IP is a routable protocol whose function is to make a best effort at delivery. Figure 2-7 shows the IP header. Spend a few minutes reviewing it to better understand each field’s purpose and structure. You can find complete details in RFC 791. Reviewing the structure of UDP, TCP, and IP packets might not seem like the most exciting part of security work, but a basic understanding is necessary because many attacks are based on manipulation of the packets. For example, the Total Length field and fragment offset field (IPID) are tweaked in a Ping of Death attack.


Figure 2-7 IPv4 and IPv6 Header Structure

Internet Protocol version 6 (IPv6) is the newest version of IP and is the designated replacement for IPv4, as shown in Figure 2-7. IPv6 brings many improvements to modern networks. One of these is that the address space moves from 32 bits to 128 bits. Also, IPv4 uses an Option field; IPv6 does not, and broadcast traffic is not supported. Instead, IPv6 uses a link-local scope all-nodes multicast address. IPv4 uses decimal addresses, whereas IPv6 uses hexadecimal addresses. IPv6 offers built-in support for IPsec so that there is greater protection for data during transmission, and it offers end-to-end data authentication and privacy. With the move to IPv6, Network Address Translation (NAT) will no longer be needed. When IPv6 is fully deployed and IPv4 retired, one protocol that will no longer be needed is ARP. IPv6 does not support ARP and instead uses Neighbor Discovery Protocol (NDP). Common routing protocols to be used with IPv6 include Routing Information Protocol next generation (RIPng), Open Shortest Path First version 3 (OSPFv3), Intermediate System-to-Intermediate System version 2 (IS-ISv2), and Enhanced Interior Gateway Routing Protocol version 6 (EIGRPv6).

IPv4 addresses are written in dotted-decimal notation: four decimal numbers separated by periods. Each of these decimal numbers represents 1 byte, so each ranges from 0 to 255. Table 2-3 shows the IPv4 address classes and the number of available networks and hosts in each.

Table 2-3 IPv4 Addressing

Address Class   Address Range   Default Subnet Mask     Number of Networks   Number of Hosts
A               1–127           255.0.0.0 or /8         126                  16,777,214
B               128–191         255.255.0.0 or /16      16,384               65,534
C               192–223         255.255.255.0 or /24    2,097,152            254
D               224–239         N/A                     N/A                  N/A
E               240–255         N/A                     N/A                  N/A

A number of addresses have also been reserved for private use. These addresses are nonroutable and normally should not be seen on the Internet. Table 2-4 defines the private address ranges.

Tip

The CEH exam may ask questions related to IP addresses or subnet ranges.

Table 2-4 Private Address Ranges

Class   Private Address Range           Subnet Mask
A       10.0.0.0–10.255.255.255         255.0.0.0 or /8
B       172.16.0.0–172.31.255.255       255.255.0.0 or /16
C       192.168.0.0–192.168.255.255     255.255.255.0 or /24
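The following added Python example (not code from the book) applies Tables 2-3 and 2-4 to arbitrary addresses: it derives the class from the first octet, the default mask and usable host count from the class, and checks membership in the RFC 1918 private ranges. It goes slightly beyond the tables by computing hosts for any prefix length, which is what you need when reviewing subnet masks in a scan scope. The sample addresses are constructed; the 172.15.0.1 case sits just outside the class B private range to show the boundary.

```python
import ipaddress

# RFC 1918 private ranges (Table 2-4). 172.16.0.0/12 is the aggregate of the
# sixteen /16 networks 172.16.0.0 through 172.31.0.0.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Classful boundaries keyed on the first octet (Table 2-3): (upper limit, class, default prefix).
CLASSES = [(128, "A", 8), (192, "B", 16), (224, "C", 24), (240, "D", None), (256, "E", None)]


def usable_hosts(prefix_len):
    """Hosts per subnet: 2^(32 - prefix) minus the network and broadcast addresses."""
    if prefix_len > 30:
        return 0          # /31 and /32 have no conventional host range
    return 2 ** (32 - prefix_len) - 2


def classful_info(addr):
    """Classify an IPv4 address the way Tables 2-3 and 2-4 do."""
    ip = ipaddress.IPv4Address(addr)
    first_octet = int(ip) >> 24
    cls, prefix = next((c, p) for limit, c, p in CLASSES if first_octet < limit)
    info = {
        "address": str(ip),
        "class": cls,
        "private": any(ip in net for net in PRIVATE_RANGES),
        "loopback": ip.is_loopback,
    }
    if prefix is None:
        info["note"] = "multicast" if cls == "D" else "reserved"
    else:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        info.update(default_mask=str(net.netmask), prefix=prefix,
                    network=str(net.network_address), usable_hosts=usable_hosts(prefix))
    return info


if __name__ == "__main__":
    # Constructed sample addresses covering each class and the private boundary.
    for a in ("10.1.2.3", "172.20.5.9", "172.15.0.1", "198.51.100.7", "127.0.0.1", "224.0.0.1"):
        print(classful_info(a))
    print("hosts in a /26:", usable_hosts(26))
```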

IP does more than just addressing. It can dictate a specific path by using strict or loose source routing, and IP is also responsible for datagram fragmentation. Fragmentation normally occurs when datagrams must be split because of maximum transmission unit (MTU) size limitations. If IP must send a datagram larger than allowed by the network access layer that it uses, the datagram must be divided into smaller packets. Not all network topologies can handle the same datagram size; therefore, fragmentation is an important function. As IP packets pass through routers, IP reads the acceptable size for the network access layer. If the existing datagram is too large, IP performs fragmentation and divides the datagram into two or more packets. Each packet is labeled with a length, an offset, and a more bit. The length specifies the total length of the fragment, the offset specifies the distance from the first byte of the original datagram, and the more bit indicates whether further fragments follow or this is the last in the series. Figure 2-8 shows an example of fragmentation.


Figure 2-8 Fragmentation (3,600)

The first fragment has an offset of 0 and occupies bytes 0–999. The second fragment has an offset of 1,000 and occupies bytes 1,000–1,999. The third fragment has an offset of 2,000 and occupies bytes 2,000–2,999, and the final fragment has an offset of 3,000 and occupies bytes 3,000–3,599. Whereas the first three fragments have the more bit set to 1, the final fragment has the more bit set to 0 because no more fragments follow. You need to understand these concepts to understand how various attacks function. If you are not completely comfortable with these concepts, review a general TCP/IP network book. TCP/IP Illustrated, Volume 1: The Protocols, Second Edition, by Kevin Fall and Richard Stevens, is recommended.

Note

On modern networks, there should be very little fragmentation. Usually such traffic will indicate malicious activities.

To get a better idea of how fragmentation can be exploited by hackers, consider the following: Normally, these fragments follow the logical structured sequence shown in Figure 2-8. Hackers can manipulate packets to cause them to overlap abnormally, though, as shown in Figure 2-9.


Figure 2-9 Overlapping Fragmentation Attack

Hackers can also craft packets so that instead of overlapping there will be gaps between various packets. These nonadjacent fragmented packets are similar to overlapping packets because they can crash or hang older operating systems that have not been patched. That’s why it is so important to keep systems patched and up to date.
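Here is an added Python example (not code from the book) that reproduces the Figure 2-8 split of a 3,600-byte datagram into 1,000-byte fragments and then does what a hardened reassembler does: it checks a fragment set for the overlapping and non-adjacent (gap) patterns described above before accepting it. Offsets are tracked in bytes as the figure does; on the wire the IPv4 offset field counts 8-byte units, so the 1,000-byte figure is a simplification. The attack-pattern inputs are constructed, not captured traffic.

```python
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int   # position of this fragment's first byte in the original datagram
    length: int   # number of payload bytes in this fragment
    more: bool    # the "more fragments" bit: True on every fragment but the last


def fragment(total_len, max_payload):
    """Split a datagram of total_len bytes into fragments of at most max_payload bytes."""
    frags = []
    for offset in range(0, total_len, max_payload):
        length = min(max_payload, total_len - offset)
        frags.append(Fragment(offset, length, more=offset + length < total_len))
    return frags


def check_fragments(frags):
    """Validate a fragment set before reassembly.

    Returns "ok" when the fragments tile the datagram exactly; otherwise a string
    naming the first anomaly: an overlap (the Teardrop pattern), a gap between
    adjacent fragments, or a "more" bit that contradicts the fragment's position.
    """
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0
    for index, frag in enumerate(ordered):
        if frag.length <= 0:
            return f"empty fragment at offset {frag.offset}"
        if frag.offset < expected:
            return (f"overlap: fragment at offset {frag.offset} rewrites bytes "
                    f"already covered up to {expected}")
        if frag.offset > expected:
            return f"gap: no data for bytes {expected}-{frag.offset - 1}"
        expected = frag.offset + frag.length
        is_last = index == len(ordered) - 1
        if frag.more == is_last:
            return (f"more bit inconsistent at offset {frag.offset}: "
                    f"{'set on final fragment' if is_last else 'clear before the end'}")
    return "ok"


if __name__ == "__main__":
    # The Figure 2-8 case: a 3,600-byte datagram in 1,000-byte pieces.
    figure_2_8 = fragment(3600, 1000)
    for frag in figure_2_8:
        print(frag)
    print(check_fragments(figure_2_8))
    # Constructed attack patterns: overlapping fragments, then non-adjacent ones.
    overlapping = [Fragment(0, 1000, True), Fragment(800, 1000, True), Fragment(1800, 1000, False)]
    gapped = [Fragment(0, 1000, True), Fragment(1200, 1000, False)]
    print(check_fragments(overlapping))
    print(check_fragments(gapped))
```

A real reassembler must also bound how long it holds incomplete fragment sets, since the "gap" case is indistinguishable from a fragment that is merely late until a timer expires; that timeout is what the ICMP type 11, code 1 message reports.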

Note

A good example of the overlapping fragmentation attack is the Teardrop attack. Although considered outdated today, the Teardrop attack exploited overlapping IP fragment processing in older Windows computers.

One of the other protocols residing at the Internet layer is ICMP. Its purpose is to provide feedback used for diagnostics or to report logical errors. ICMP messages follow a basic format. The first byte of an ICMP header indicates the type of ICMP message. The second byte contains the code for each particular type of ICMP. For example, a type 3, code 3 ICMP means that a destination error occurred and that the specific destination error is that the targeted port is unreachable. Table 2-5 lists eight of the most common ICMP types.

Table 2-5 ICMP Types and Codes

Type     Code     Function
0/8      0        Echo response/request (ping)
3        0–15     Destination unreachable
4        0        Source quench
5        0–3      Redirect
11       0–1      Time exceeded
12       0        Parameter fault
13/14    0        Time stamp request/response
17/18    0        Subnet mask request/response

The most common ICMP types in Table 2-5 are types 8 and 0, the ICMP echo request and echo reply that make up a ping. A ping is useful to determine whether a host is up, but it is also a useful tool for the attacker, because it tells a hacker whether a computer is online. Although the designers of ICMP envisioned a protocol that would be helpful and informative, hackers use ICMP to send the Ping of Death, craft Smurf DoS packets, query the time stamp of a system or its netmask, or even send ICMP type 5 packets to redirect traffic. Table 2-6 lists some of the type 3 codes.

Note

The most common ICMP message type is a ping.

Table 2-6 Some Common Type 3 Codes

Code    Function
0       Net unreachable
1       Host unreachable
2       Protocol unreachable
3       Port unreachable
4       Fragmentation needed and Don’t Fragment was set
5       Source route failed
6       Destination network unknown
7       Destination host unknown
8       Source host isolated
9       Communication with destination network administratively prohibited
10      Communication with destination host administratively prohibited
11      Destination network unreachable for type of service
12      Destination host unreachable for type of service
13      Communication administratively prohibited

Tip

For the CEH exam, you should understand that while ICMP is useful, it can provide a wealth of information to an attacker, which is why most network administrators limit or block its use today.

Tip

You want to be familiar with all the common ICMP types and codes before attempting the CEH exam. They are covered in detail in RFC 792.
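As an added Python example (not code from the book), the following decodes an ICMP message from raw bytes, names it using Tables 2-5 and 2-6, and verifies the RFC 1071 ones'-complement checksum, which is the check a monitoring tool applies before trusting a type 3 or type 11 message it sees on the wire. The builder exists only to construct test messages; the type 3 code 3 and type 11 code 0 messages it produces are the two that traceroute (covered next) depends on.

```python
import struct

# Table 2-5 message types (RFC 792 names).
ICMP_TYPES = {
    0: "Echo reply", 3: "Destination unreachable", 4: "Source quench",
    5: "Redirect", 8: "Echo request", 11: "Time exceeded",
    12: "Parameter problem", 13: "Timestamp request", 14: "Timestamp reply",
    17: "Address mask request", 18: "Address mask reply",
}

# Table 2-6: codes for type 3.
TYPE3_CODES = {
    0: "Net unreachable", 1: "Host unreachable", 2: "Protocol unreachable",
    3: "Port unreachable", 4: "Fragmentation needed and Don't Fragment was set",
    5: "Source route failed", 6: "Destination network unknown",
    7: "Destination host unknown", 8: "Source host isolated",
    9: "Communication with destination network administratively prohibited",
    10: "Communication with destination host administratively prohibited",
    11: "Destination network unreachable for type of service",
    12: "Destination host unreachable for type of service",
    13: "Communication administratively prohibited",
}
TYPE11_CODES = {0: "TTL exceeded in transit", 1: "Fragment reassembly time exceeded"}


def inet_checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data = data + b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type, code, rest=b"\x00" * 4, payload=b""):
    """Build an ICMP message with a correct checksum (constructed test input only)."""
    body = rest + payload
    csum = inet_checksum(struct.pack("!BBH", icmp_type, code, 0) + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(msg):
    """Decode type, code and checksum validity; name the message per Tables 2-5/2-6."""
    if len(msg) < 8:
        raise ValueError("ICMP header is at least 8 bytes")
    icmp_type, code, csum = struct.unpack("!BBH", msg[:4])
    name = ICMP_TYPES.get(icmp_type, f"type {icmp_type}")
    if icmp_type == 3:
        name += ": " + TYPE3_CODES.get(code, f"code {code}")
    elif icmp_type == 11:
        name += ": " + TYPE11_CODES.get(code, f"code {code}")
    return {
        "type": icmp_type,
        "code": code,
        "checksum": csum,
        # Summing the whole message, checksum field included, yields zero when intact.
        "checksum_ok": inet_checksum(msg) == 0,
        "description": name,
    }


if __name__ == "__main__":
    # Constructed messages: what a router and a Linux destination return to traceroute,
    # a ping request carrying data, and a deliberately corrupted copy of it.
    samples = [build_icmp(11, 0), build_icmp(3, 3),
               build_icmp(8, 0, rest=b"\x12\x34\x00\x01", payload=b"ping-data")]
    damaged = bytearray(samples[-1])
    damaged[-1] ^= 0xFF
    samples.append(bytes(damaged))
    for m in samples:
        print(parse_icmp(m))
```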

Traceroute

The traceroute utility is an example of an application that makes use of ICMP. Traceroute is used to determine the path to a target computer. Traceroute is available on Windows and UNIX platforms. In Windows, it is known as tracert because of 8.3 legacy filename constraints remaining from DOS. Traceroute was originally developed by Van Jacobson to view the path a packet follows from its source to its destination. Traceroute owes its functionality to the IP header Time To Live (TTL) field and ICMP. The TTL field is used to limit the lifetime of IP datagrams. Without a TTL, some IP datagrams might travel the Internet forever, because there would be no means of timeout. TTL functions as a decrementing counter. Each hop that a datagram passes through reduces the TTL field by one. If the TTL value reaches 0, the datagram is discarded, and a time exceeded in transit ICMP message is created to inform the source of the failure. Windows tracert uses ICMP echo requests as its probes.

Linux-based versions of traceroute work much the same way but use UDP. Traceroute sends these UDP packets targeted to high-order port numbers on which nothing should be listening. Just as described previously, the TTL is increased until the target device is reached. Because traceroute is using a high-order UDP port—usually 33434—the host should ignore the packets after generating port unreachable messages. These ICMP port unreachable messages are used by traceroute to notify the source that the destination has been reached.

Tip

For the exam, you must understand the differences in how Windows and Linux perform traceroute. Windows uses ICMP, whereas, depending on the options, Linux can use UDP or TCP.

To see how this works in practice, consider Example 2-1, in which the target is 12 hops away. The output of the traceroute is as follows:

Example 2-1 Traceroute Example


C:\Users\user> tracert www.numpangnyc.com
Tracing route to app.getbento.com [45.55.240.49] over a maximum of 30 hops:

  1     4 ms      5 ms     2 ms  192.168.1.1
  2    11 ms     10 ms    11 ms  adsl-62-121-151-254.dsl.hstntx.swbell.net [62.121.151.254]
  3    15 ms     16 ms    11 ms  12.83.37.161
  4    20 ms     18 ms    17 ms  gar25.dlstx.ip.att.net [12.122.85.233]
  5    18 ms     18 ms    19 ms  ae-9.r01.dllstx04.us.bb.gin.ntt.net [129.250.8.237]
  6    18 ms     18 ms    17 ms  ae-2.r23.dllstx09.us.bb.gin.ntt.net [129.250.6.128]
  7    44 ms     49 ms    43 ms  ae-3.r20.chcgil09.us.bb.gin.ntt.net [129.250.4.153]
  8    60 ms     57 ms    58 ms  ae-0.r25.nycmny01.us.bb.gin.ntt.net [129.250.2.167]
  9    56 ms     58 ms    55 ms  ae-2.r07.nycmny01.us.bb.gin.ntt.net [129.250.3.98]
 10    59 ms     57 ms    58 ms  xe-0-9-0-17.r08.nycmny01.us.ce.gin.ntt.net [129.250.204.114]
 11     *         *         *     Request timed out.
 12    56 ms     56 ms    56 ms  45.55.240.49

Windows first sends out a packet with a TTL of 1. Upon reaching the first hop, the packet’s TTL value is decremented to 0, which elicits a time exceeded type 11 error message. This message is sent back to the sender to indicate that the packet did not reach the remote host. Next, Windows increases the TTL to a value of 2. This datagram makes it through the first router, where the TTL value is decremented to 1. Then it makes it through the second router, at which time the TTL value is decremented to 0 and the packet expires. Therefore, the second router creates a time exceeded in transit error message and forwards it to the original source. This process continues until we reach the destination in line 12. Because this is the destination, the target issues either a normal ICMP ping response if Windows is used or an ICMP type 3 destination unreachable message if Linux is used.

Another piece of information that a pen tester or hacker may try to glean from traceroute is the type of device and port your connection is passing through. For example, hop 9 of our traceroute provides the following information:

 9    56 ms    58 ms    55 ms  ae-2.r07.nycmny01.us.bb.gin.ntt.net [129.250.3.98]

The naming format ae-#-# is a Juniper device Ethernet bundle in slot 2, port 07. Not everyone follows an exact naming convention, but with a little work you can start to pick out many pieces of useful information. Finally, hop 11 appears to be a firewall, or a router that blocks ICMP packets. Although traceroute isn’t 100 percent reliable, it can help you see which hop is the last to respond and might allow you to deduce if it is a firewall or some other type of edge device. Line 11 of our previous traceroute provides an example:

11     *        *        *     Request timed out.

Tip

Type 11 ICMP time exceeded messages are used by most traceroute programs to determine the IP addresses of intermediate routers.

Note

Hping is an example of a tool you can use to find firewalls and identify internal clients. It is especially helpful because it can use not only ICMP and UDP, but also TCP. Because hping has the ability to use TCP, it can verify whether a host is up even if ICMP packets are being blocked. In many ways, hping is similar to Netcat because it gives anyone attempting to enumerate a device a high level of control over the packets being transmitted. The difference is that Netcat gives control of the data portion of the packet; hping focuses on the header.

The Network Access Layer

The network access layer is the bottom of the stack. This portion of the TCP/IP network model is responsible for the physical delivery of IP packets via frames. Ethernet is the most commonly used LAN frame type. Ethernet frames are addressed with MAC addresses that identify the source and destination devices. MAC addresses are 6 bytes long and are unique to the network interface card (NIC) in which they are burned. To get a better idea of what MAC addresses look like, review Figure 2-10. It shows a packet with both the destination and the source MAC addresses. The first 3 bytes of a MAC address identify the vendor and collectively are known as the organizationally unique identifier (OUI), and the last 3 bytes identify the serial number of the device. Although these are generally considered static, hackers can use a variety of programs to change or spoof MAC addresses. Spoofing MAC addresses can be a potential tool of attackers attempting to bypass 802.11 wireless controls or when switches are used to control traffic by locking ports to specific MAC addresses.


Figure 2-10 MAC Addresses

MAC addresses can be either unicast, multicast, or broadcast. Although a destination MAC address can be any one of these three types, a frame always originates from a unicast MAC address. The three types of MAC addresses can be easily identified and are shown in Table 2-7.

Table 2-7 Three Types of MAC Addresses

Type        Identified By
Unicast     The first byte is always an even value.
Multicast   The low-order bit in the first byte is always on, so the first byte is an odd value. For example, notice the first byte (01) of the MAC address 01-00-0C-CC-CC-CC.
Broadcast   All bits are binary 1s; in hex the address appears as FF FF FF FF FF FF.

Tip

Exam candidates should know how to look up and identify the OUI of an identified address. For example, a search of 00:00:0c at https://www.wireshark.org/tools/oui-lookup.html identifies the vendor as Cisco.
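The following added Python example (not code from the book) applies Table 2-7 to MAC addresses written in any of the common notations: it normalizes the address, classifies it as unicast, multicast or broadcast from the low-order bit of the first byte, and splits off the 3-byte OUI for a vendor lookup such as the one in the tip. It also reports the IEEE locally administered bit (0x02 in the first byte), which is not in the table but is worth knowing when investigating spoofing, because software-assigned or randomized addresses carry it and vendor-burned ones do not. The sample addresses are constructed, apart from the Cisco multicast example and the Cisco OUI from the text.

```python
import re


def parse_mac(mac):
    """Accept 01:00:0c:cc:cc:cc, 01-00-0C-CC-CC-CC or 0100.0ccc.cccc; return 6 raw bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def describe_mac(mac):
    """Classify a MAC address as in Table 2-7 and split off its OUI."""
    raw = parse_mac(mac)
    first = raw[0]
    if raw == b"\xff" * 6:
        kind = "broadcast"
    elif first & 0x01:            # low-order bit of the first byte set: odd first byte
        kind = "multicast"
    else:
        kind = "unicast"          # even first byte
    return {
        "normalized": ":".join(f"{b:02x}" for b in raw),
        "type": kind,
        "oui": ":".join(f"{b:02x}" for b in raw[:3]),
        "nic_specific": ":".join(f"{b:02x}" for b in raw[3:]),
        # Second-lowest bit of the first byte is the IEEE "locally administered" flag:
        # set on software-assigned or randomized addresses, clear on vendor-assigned ones.
        "locally_administered": bool(first & 0x02),
    }


if __name__ == "__main__":
    samples = [
        "01-00-0C-CC-CC-CC",      # Cisco multicast address from Table 2-7
        "FF:FF:FF:FF:FF:FF",      # broadcast
        "00:00:0c:12:34:56",      # constructed unicast under the Cisco OUI 00:00:0c
        "02:11:22:33:44:55",      # constructed unicast with the locally administered bit set
        "0200.5e00.0001",         # constructed, Cisco-style dotted notation
    ]
    for s in samples:
        print(describe_mac(s))
```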

Address Resolution Protocol (ARP) is the final protocol reviewed at the network access layer. ARP’s role in the world of networking is to resolve known IP addresses to unknown MAC addresses. ARP’s two-step resolution process is performed by first sending a broadcast message requesting the target’s physical address. If a device recognizes the address as its own, it issues an ARP reply containing its MAC address to the original sender. The MAC address is then placed in the ARP cache and used to address subsequent frames. Hackers are interested in the ARP process because they can manipulate it to bypass the functionality of a switch. Because ARP was developed in a trusting world, bogus ARP responses are accepted as valid, which can enable attackers to redirect traffic on a switched network. Proxy ARP can be used to extend a network and enable one device to communicate with a device on an adjacent segment. ARP attacks play a role in a variety of man-in-the-middle, spoofing, and session hijacking attacks.

Tip

ARP is unauthenticated and, therefore, can be used for unsolicited ARP replies, for poisoning the ARP table, and for spoofing another host.
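Because ARP replies are accepted without any check, detection has to come from watching the exchange rather than from the protocol. The following added Python example (not code from the book) parses Ethernet/IPv4 ARP packets (the 28-byte RFC 826 layout) and keeps a monitor that flags the two indicators of cache poisoning described above: a reply that no request asked for, and an IP address whose MAC binding changes. The packets in the demonstration are constructed to show a normal request/reply pair followed by a forged reply; the MAC and IP values are made up.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FORMAT = "!HHBBH6s4s6s4s"      # RFC 826 layout for Ethernet/IPv4: 28 bytes


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet/IPv4 ARP packet (constructed test input only)."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, oper,
                       _mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       _mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)


def parse_arp(pkt):
    """Decode the ARP fields relevant to cache-poisoning detection."""
    if len(pkt) < 28:
        raise ValueError("Ethernet/IPv4 ARP packet is 28 bytes")
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, pkt[:28])
    return {
        "oper": oper,
        "sender_mac": _mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": _mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


class ArpMonitor:
    """Track IP-to-MAC bindings learned from ARP and flag poisoning indicators."""

    def __init__(self):
        self.bindings = {}        # ip -> mac learned from replies
        self.pending = set()      # ips asked for by a request and not yet answered

    def observe(self, pkt):
        arp = parse_arp(pkt)
        alerts = []
        if arp["oper"] == ARP_REQUEST:
            self.pending.add(arp["target_ip"])
            return alerts
        if arp["oper"] != ARP_REPLY:
            return alerts
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            # Nobody asked: a reply with no matching request is the classic poisoning shape.
            alerts.append(f"unsolicited ARP reply: {ip} is-at {mac}")
        known = self.bindings.get(ip)
        if known is not None and known != mac:
            alerts.append(f"binding changed: {ip} was {known}, now {mac}")
        self.bindings[ip] = mac
        return alerts


if __name__ == "__main__":
    monitor = ArpMonitor()
    exchange = [
        # A host asks for the gateway, and the gateway answers: nothing to report.
        build_arp(ARP_REQUEST, "aa:bb:cc:00:00:10", "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp(ARP_REPLY, "aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
        # A forged reply claims the gateway's IP for another MAC.
        build_arp(ARP_REPLY, "de:ad:be:ef:00:02", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
    ]
    for pkt in exchange:
        for alert in monitor.observe(pkt):
            print(alert)
```

Gratuitous ARP announcements that hosts send when they come up are legitimate unsolicited replies, so a production monitor would suppress those from known hosts and treat the binding-change alert as the stronger signal.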

Summary

This chapter discussed the attacker’s methodology and some of the methodologies used by ethical hackers. Ethical hackers differ from malicious hackers in that ethical hackers seek to do no harm and work to improve an organization’s security by thinking like a hacker. This chapter also discussed the OSI model and the TCP/IP protocol suite. It looked at some of the most commonly used protocols in the suite and examined how they are used and misused by hackers. Common ports were discussed, as was the principle of deny all. One simple rule for the security professional is to deny all. Blocking all ports initially leaves the organization in much more of a secure state than just blocking ports that are deemed dangerous or unneeded. Ports and applications should be opened only on approval of justified business purposes.

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have several choices for exam preparation: the exercises here, Chapter 12, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep Software Online.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 2-8 lists a reference of these key topics and the page numbers on which each is found.

Table 2-8 Key Topics for Chapter 2

Key Topic Element   Description                              Page Number
List                The attacker’s process                   48
List                The ethical hacker’s process             52
Section             The Application Layer                    59
Table 2-2           Common Ports and Protocols               60
Figure 2-5          The TCP Flag field of the TCP header     65
Figure 2-7          IPv4 and IPv6 header structure           67

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

Address Resolution Protocol (ARP)

buffer overflow

denial of service (DoS)

dumpster diving

intrusion detection system (IDS)

media access control (MAC)

session hijack

sniffer

social engineering

SYN flood attack

Exercises

2.1 Install a Sniffer and Perform Packet Captures

In this exercise, you walk through the steps needed to install and use a packet analyzer. You configure the packet analyzer to capture traffic in promiscuous mode and examine the structure of TCP/IP traffic.

Estimated Time: 30 minutes.

Step 1. Go to the Wireshark website at https://www.wireshark.org and download the Wireshark application.

Step 2. Install the Wireshark application along with WinPcap, if required. You might be asked to reboot the computer.

Step 3. Take a few minutes to review the Wireshark user guide. This PDF can be found in the folder that you installed Wireshark into.

Step 4. Go to https://wiki.wireshark.org/SampleCaptures and look for the FTPv6-1.cap download. Download the Wireshark capture of an FTP session.

Step 5. Open FTPv6-1.cap, which will start Wireshark.

Step 6. Scroll down to packet number 228 and observe the username of anonymous.

Step 7. Scroll down to packet 268 and observe the password of IEUser@, as shown in Figure 2-11.


Figure 2-11 Clear-text Password Displayed in Wireshark

Step 8. This should give you a good example of what clear-text protocols look like when transmitted over a network and how anyone can easily capture FTP usernames and passwords.

2.2 List the Protocols, Applications, and Services Found at Each Layer of the Stack

In this exercise, you list the various layers, the protocols that function at each layer, and which attacks they are vulnerable to.

Estimated Time: 30 minutes.

Step 1. Using the information found in the chapter, complete Table 2-9.

Table 2-9 Layers and Responsibilities

Layer            Layer Responsibility                          Protocols, Ports, or Services   Potential Attacks
Application      Communication                                 SNMP, Telnet, DNS, SSH, SMTP    ________
Host-to-host     Connection and connectionless communication   ________                        Session hijacking, connectionless, scanning communication
Internet         ________                                      IP and ICMP                     Routing attacks, man-in-the-middle attacks
Network access   Physical layer delivery                       ARP                             ________

Step 2. When you complete Table 2-9, verify your answers with those in Appendix C, “Memory Tables Answer Key.”

2.3 Using Traceroute for Network Troubleshooting

In this exercise, you use traceroute from a Windows computer to see how the utility reports the path to a destination.

Estimated Time: 10 minutes.

Step 1. Using the command prompt, open Traceroute.

Step 2. Enter a domain to trace the route, such as www.person.com.

Step 3. Examine the information that is returned.

Step 4. Go to http://www.snapfiles.com/get/trout.html, and download Trout. It is an example of a graphical Traceroute tool.

Step 5. Traceroute the same domain. Were the results the same or different?

Review Questions

1. When referring to the domain name service, what is a zone?

a. A collection of domains

b. The zone namespace

c. A collection of resource records

d. A collection of alias records

2. You have gone to an organization’s website to gather information, such as employee names, email addresses, and phone numbers. Which step of the hacker’s methodology does this correspond to?

a. Scanning and enumeration

b. Reconnaissance

c. Fingerprinting

d. Gaining access

3. Kevin and his friends are going through a local IT firm’s garbage. Which of the following best describes this activity?

a. Reconnaissance

b. Intelligence gathering

c. Social engineering

d. Dumpster diving

4. You’ve just performed a port scan against an internal device during a routine pen test. Nmap returned the following response:

Starting NMAP 7.30 at 2016-10-10 11:06
NMAP scan report for 192.168.123.100
Host is up (1.00s latency).
Not shown: 993 closed ports
PORT    STATE SERVICE
80/tcp  open  http
161/tcp open  snmp
515/tcp open  lpd
MAC Address: 00:1B:A9:01:3a:21

Based on this scan result, which of the following is most likely correct?

a. The host is most likely a Windows computer.

b. The host is most likely a Linux computer.

c. The host is a Cisco router.

d. The host is a printer.

5. Which of the following protocols is used when an attacker attempts to launch a man-in-the-middle attack by manipulating sequence and acknowledgment numbers?

a. ICMP

b. UDP

c. TCP

d. IP

6. This application uses clear-text community strings that default to public and private. Which of the following represents the correct port and protocol?

a. UDP 69

b. TCP 161

c. TCP 69

d. UDP 161

7. During the early stages of a pen test you have attempted to map out the route to a network with Linux traceroute and have not been successful because it seems ICMP is blocked. Which of the following would be a good tool for you to use to attempt to gather additional information?

a. Tracert

b. Hping

c. Ping

d. A port scanner

8. What flag or flags are set on the second step of the three-way TCP handshake?

a. SYN

b. SYN ACK

c. ACK

d. ACK PSH

9. You’re concerned that an attacker may have gained access to one of your Linux systems, planted backdoors, and covered her tracks. Which of the following tools could you use to examine the log files?

a. Notepad

b. Type

c. Sc query

d. Grep

10. Which rule means that all ports and applications are turned off, and only the minimum number of applications and services needed to accomplish the organization’s goals are turned on?

a. Deny all

b. Principle of least privilege

c. Access control list

d. Defense in depth

11. During a packet capture, you have found several packets with the same IPID. You believe these packets to be fragmented. One of the packets has an offset value of 5dc hex, and the more bit is off. With this information, which of the following statements is true?

a. This might be any fragmented packet except the first in the series.

b. This might be any fragmented packet except the last in the series.

c. This is the first fragment.

d. This is the last fragment.

12. You have just started using traceroute and were told that it can use ICMP time exceeded messages to determine the route a packet takes. Which of the following ICMP type codes maps to time exceeded?

a. Type 3

b. Type 5

c. Type 11

d. Type 13

13. In which layer of the OSI model could ARP poisoning occur?

a. Network

b. Data link

c. Session

d. Transport

14. Which type of attack sends fake entries to a DNS server to corrupt the information stored there?

a. DNS DoS

b. DNS cache poisoning

c. DNS pharming

d. DNS zone transfer

15. In which layer of the OSI model do SYN flood attacks occur?

a. Network

b. Data link

c. Physical

d. Transport

16. Black hat Bob would like to redirect his co-worker’s traffic to his computer so that he can monitor his co-worker’s activities on the Internet. The local area network is fully switched and sits behind a NATing router and a firewall. Which of the following techniques would work best?

a. ARP spoofing.

b. Black hat Bob should configure his MAC address to be the same as that of the co-worker he would like to monitor.

c. DNS spoofing.

d. Black hat Bob should configure his IP address to be the same as the default gateway.

17. Which DNS record gives information about the zone, such as administrator contact and so on?

a. CNAME

b. MX record

c. A record

d. Start of Authority

18. Setting which IP option enables hackers to specify the path an IP packet would take?

a. Routing

b. Source routing

c. RIP routing

d. Traceroute

19. You have captured packets that you believe have had the source address changed to a private address. Which of the following is a private address?

a. 176.12.9.3

b. 12.27.3.1

c. 192.168.14.8

d. 127.0.0.1

20. You have started a pen test and are starting to resolve domain names. Which of the following is the correct syntax to look for IP addresses?

a. host -t a hackthestack.com

b. host -t AXFR hackthestack.com

c. host -t ns hackthestack.com

d. host -t soa hackthestack.com

Suggested Reading and Resources

http://www.networkworld.com/article/2886283/security0/top-10-dns-attacks-likely-to-infiltrate-your-network.html: Understanding DNS attacks

https://www.digitalocean.com/community/tutorials/an-introduction-to-dns-terminology-components-and-concepts: Glossary of DNS terms

http://www.inetdaemon.com/tutorials/internet/tcp/3-way_handshake.shtml: Understanding the TCP handshake

http://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-34/syn-flooding-attacks.html: Preventing SYN flood attacks

http://0daysecurity.com/articles/hping3_examples.html: Using hping to test firewalls and end devices

https://support.microsoft.com/en-us/kb/314868: How traceroute works

https://www.wireshark.org/docs/wsug_html/: Using a packet sniffer

https://www.tummy.com/articles/networking-basics-how-arp-works/: How ARP works

http://www.pearsonitcertification.com/articles/article.aspx?p=1868080: TCP ports and protocols

https://www.liquidweb.com/kb/reverse-dns-lookup/: Reverse DNS Lookup overview
