
1 INTRODUCTION TO ETHICAL HACKING  Chapter 8

2 HOW DO YOU PROTECT THIS? You have been contracted by the Mammoth Warehouse Sales Company to devise and carry out a series of cyber security attacks against their corporate network to find vulnerabilities in their security structure. Recently, a ___________ attack rendered their on-site hosted website unusable.
You work for a security firm that has been contracted by a company to test the employees’ awareness of attacks by performing various social engineering attacks. Recently, a number of employees have had their network accounts compromised by clicking on links in phishing emails and responding to the threatening requests of the senders.

3 INTRODUCTION This chapter will introduce you to the skills you need to identify security threats and prevent them from happening. In order to understand those threats (and to be an ethical hacker) you must begin to think like a black hat hacker. Unethical hackers will always have an advantage over you: they try to hide while we do not, they are very patient, and they strike when ready. Attackers have to get it right just once for their attack to be successful. Defenders have to get it right every day. Understanding how to think like a ________ hat and work like a _______ hat is the key to safeguarding our information.

4 THE NEED FOR ETHICAL HACKING In 1982, a 15-year-old high school student named Rich Skrenta wrote the first known computer virus. Originally a joke, the virus was loaded onto a floppy disk and inserted into a friend’s computer. The virus was attached to a game and designed to launch the 50th time the game was started, at which point it switched to a blank screen that displayed a poem. This was just the beginning. From there, the virus was placed into the computer’s memory, from which it was copied onto uninfected floppy disks whenever they were inserted.

5 INTERNET HACKING After the Internet picked up speed and became widely used, the door was kicked open for viruses to spread and for evil-doers to seek ways to carry out their intentions. It may not have been world domination, but there are many other motivators for people to do what they do. Microsoft puts it this way: “Hackers are often motivated, in part, by their invisibleness. Today’s more sophisticated hackers are often motivated by the prospect of a big ________ ($$$$).” Because there are people who want to do harm for many reasons, including money, fame, or destruction, there must be people there to prevent that from happening. In the same way a police force protects citizens, cyber security practitioners protect computers, users, employees, and customers from harm.

6 ETHICS One of the jobs of ________ is to answer the question “What actions are right or wrong in particular circumstances?” In ethical hacking, ethics are there to remind people to ask “Is what I’m about to do legal or illegal?” and to give them the discernment to know whether what they are going to do is right or wrong. Luckily there are laws to help determine when something is and isn’t legal. In most situations legality has to do with permission and ownership. In other words, the owner must give permission to hack or penetration test a system.

7 CYBERCRIMINALS Cybercriminals are typically motivated by _______ and seek financial gain. This group of hackers is likely the most notable. For instance, creators of the CryptoLocker ransomware trojan were simply motivated by money. They want you to pay them a lot of money to get your information back. And once you pay them, they may or may not deliver the decryption key.

8 CYBERTERRORISTS Cyberterrorists are typically motivated by ________ or other terrorism ideals and create harm or panic. Cyberterrorist activities include large-scale disruption of service or computer networks. The Technolytics Institute defines cyberterrorism as “The premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or further social, ideological, religious, political or similar objectives. Or to intimidate any person in furtherance of such objectives.”

9 INSIDER THREATS Obviously a connection to the Internet presents all types of major threats to a network. However, a significant threat exists _______ any network as well. The possibility of insider threats should never be overlooked. Network tools are less effective against these threats, so well-designed policies, user education and an overall security strategy are the keys to dealing with insider threats. Insider threats can be extremely challenging to monitor, as they typically resemble normal activities the user may perform every day. They are often more damaging than other types of attacks simply because they go undetected for longer periods of time. Some surveys indicate that insider threats account for more than 20 percent of malicious network activity.

10 HACKTIVISTS The idea of hacktivism has been around since the mid-1980s and is generally used to describe an ambiguous idea of ___________ that serves a purpose. Oftentimes, hacktivists feel that their acts and crimes are justified, whether through the outing of classified information or by doing something morally right that would otherwise not have happened. The hacker group Anonymous, which first appeared in 2003, often refer to themselves as hacktivists in the sense that they are serving the world by righting wrongs and “generally doing good”.

11 THE MANY HATS OF HACKERS In the cyber security culture, hackers are divided into three distinct categories based on how ethical they may or may not be. Today, hackers come in different “shades”, as not all hackers are motivated to cause harm. To differentiate the roles these programmers play, hackers are portrayed using icons derived from cowboy roles seen in old American TV westerns:
- A white hat hacker is merely looking for security vulnerabilities and performance issues. They may be a consultant, researcher or even someone hired by the software vendor.
- A black hat hacker is the bad guy who is looking for exploits for personal gain. These hackers typically use cracking programs and known vulnerabilities to search for a susceptible network to exploit.
- A _______ hat hacker might be seen as something in between a white and black hat hacker. They possess enough ethics not to steal, but they are probably engaging in the activity mostly for enjoyment and hacker status. Their actions are performed without the consent of a legitimate sponsoring company or individual.

12 SECURITY BREACH EXAMPLES Security breaches have become common occurrences in the news, many of which occur without the company ever finding out it happened. According to a study by Duke University, more than 80% of U.S. companies have been __________. And that’s just the ones that are known of. That’s a scary fact! It has become easier to simply expect your information to be stolen and keep a watch on your bank account for when it does happen. Knowing the facts and the ways to prevent security breaches are small steps in fixing a growing problem facing the cyber world.

13 TARGET Between November 27th and December 15th of 2013, approximately 40 million credit and debit ________ accounts were subjected to an attack in which hackers targeted the physical checkout systems inside nearly 2000 Target stores in the United States. More specifically, the attack was aimed at Target’s Point-of-Sale (POS) system, and the attackers were able to copy every debit and credit card number as individuals swiped them through card readers or as employees typed them in on keypads.

14 HOME DEPOT On November 6th, 2014, The Home Depot announced that the company had fallen victim to a network security breach. The press release it issued that day outlined a lot of information regarding how the attackers were able to gain access to its systems and steal ________ addresses and credit card information from databases. According to a report, the attackers used a third-party vendor’s username and password to gain access to the perimeter of Home Depot’s network. Businesses may spend a lot of time training employees in good cyber hygiene; however, many large companies fall victim to hacking because of their untrained third-party contractors.

15 THE HOME DEPOT ATTACK The first step in this attack was to gain a lower level of access to the system. Much like the Target incident mentioned earlier, hackers gained access to the network through a third-party vendor. However, acquiring credentials to gain access to the system was only the beginning of the attack. The attackers then acquired elevated rights that allowed them to navigate portions of Home Depot’s network. This then allowed them to deploy unique, custom-built malware on its point-of-sale terminals, specifically the self-checkout systems.

16 THE HOME DEPOT ATTACK The next step was to further elevate privileges. This could have been done a number of ways, such as taking advantage of known vulnerabilities within different systems. Once the attackers were in, they delivered their payload via malware. The malware mentioned above became known as _______. Custom-made malware like this has since been used to infect point-of-sale systems in the networks of smaller companies that are less likely to patch their systems.

17 STUXNET In June 2010, a virus was discovered in the industrial control systems of the Iranian uranium enrichment infrastructure. This _______, known as Stuxnet, targeted the programmable logic controllers (PLCs) that guided the operation of their centrifuges. These centrifuges were critical pieces of the enrichment process. The virus was designed to increase the rotational speed of the centrifuge, causing it to spin wildly out of control and break apart. At the same time, the virus collected “normal” data from the centrifuge and then played false data back to the PLC.

18 THE STUXNET ATTACK A small USB thumb drive was used to introduce the Stuxnet virus to the control network through a typical USB port. The host executed the drive’s Autorun feature and the virus was loaded onto the machine, where it began to execute three functions:
- The first was a worm that controlled the execution of the attack’s main payload.
- The second was a file that executed copies of the worm.
- The third was a rootkit designed to prevent detection of Stuxnet by hiding its malicious files.

19 THE STUXNET ATTACK The attackers took great care to tailor the virus to a specific piece of software on specific devices – Stuxnet was designed specifically to infect computers with Siemens Step7 software used to control centrifuges. The virus destroyed approximately one-fifth of Iran’s centrifuges, effectively stalling their nuclear development efforts for an extended period of time.

20 SONY PICTURES One of the most interesting cyber attacks was directed at Sony Pictures Entertainment in November of 2014. Not only did the attackers obtain a voluminous amount of __________ ________ email and intellectual property from the Sony network and release it to the public, they also directed attacks against the computers, servers and network devices in the Sony network. Even now experts have not been able to determine who performed the attacks or why. Some accounts point to the North Korean government, others point to current and former employees, while other theories suggest a conspiracy of both groups.

21 SONY ATTACK The original Sony intrusion is thought to have happened many months before the November outbreak. After that original breach the attackers began taking Sony’s data over several months while remaining unnoticed. Finally, they installed a malware program called ______ that was designed to erase the Sony servers. On November 24th, the virus was released, erasing the servers and rendering more than 80% of Sony’s computers useless. This all resulted in a tremendous amount of lost data and productivity, as well as public embarrassment due to the content of many personal emails.

22 LOCKHEED-MARTIN CYBER KILL CHAIN The Cyber Kill Chain was developed to address multi-year __________ from threats dubbed “Advanced Persistent Threats”. These threats target very specific and very secure systems and have created the demand to address these threats in ways not traditionally managed through cyber security best practices.

23 INTRUSION KILL CHAIN The Intrusion Kill Chain focuses on seven phases:
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control (C2)
- Actions on Objectives

24 RECONNAISSANCE In military applications, Reconnaissance, or Recon for short, is “... ___________ of a region to locate an enemy or ascertain strategic features.” or “preliminary surveying or research.” The use of reconnaissance in a hacker’s general attack strategy is not really any different. Reconnaissance is a hacker’s first step to familiarizing themselves with their target and beginning to find a potential way into the target’s critical infrastructure, whether manually or digitally. A hacker will typically spend more time performing reconnaissance on their target and researching them than in actually exploiting vulnerabilities.

25 RECONNAISSANCE Reconnaissance time is well worth the investment as it can yield extremely useful information about a target’s network that can allow a hacker to focus on a particular vulnerability that will be more likely to yield results, disguise their attacks and limit exposure to potential detection devices on the network. Typically the first task in digital reconnaissance is to enumerate the network by performing a port scan.

26 ACTIVE VS. PASSIVE SCANNING In the world of network scanning, software can be used to actively scan and enumerate a network, find vulnerabilities, or to simply find an available network. Passive scanning, on the other hand, simply _______ and _______ back what it sees. Because the scanning is passive, the enemy ship doesn’t know the good guys are out there. This type of scanning is much, much safer, but it doesn’t reveal as much information to the good guys. In the same sense, passive network scanning, while very useful, may not yield as much information as active scanning.

27 SCANNING TOOLS One example of a passive scanning _______ is the Wireshark utility. Wireshark works by taking advantage of a function of network adapters called promiscuous mode.

28 SCANNING TOOLS This promiscuous mode is used to listen to traffic going through a ________, or over radio _______ in the case of a wireless network adapter. Wireshark then collects all the packets of data and organizes them into a graphically useful system where the user can sift through the information.

29 NETWORK ENUMERATION/PORT SCANNING No matter what situation you run into, the first thing a good security practitioner (or hacker) does is enumerate the network: discover what is on the _______ or map the network so you know what hosts are connected. Knowing exactly what is on the network can alert you to a very serious security issue. You can discover all sorts of information by doing this, including whether there are any devices connected to the network that shouldn’t be there. Because you know how the network is configured and that its Layer 3 switches serve specific DHCP ranges, you can pinpoint which switch the unauthorized device is connected to. This will enable you to quickly disable that port on the switch.

30 NETWORK ENUMERATION TOOLS There are a number of ways to enumerate a network and various tools available to do so. Nmap is one of the most common examples of these _______ and should be included in any cyber security expert’s toolkit.

31 NETWORK ENUMERATION TOOLS Nmap can be used to scan networks of all sizes to discover information such as what operating system each host is running, which ports could potentially be open, or what hosts are on a particular network.
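As an added example (not part of the original slides), the follow-up described on the network enumeration slide: compare the hosts a scan found against the authorized inventory and map each unauthorized host to the switch whose DHCP range it sits in. The scan output, the MAC inventory and the switch-to-range table are constructed samples.

```python
"""Audit a network enumeration result against an authorized inventory and map
any unauthorized host to the switch whose DHCP range it sits in. The scan
output, inventory and DHCP ranges below are constructed samples, not real data."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed scan output: one discovered host per line as "ip mac vendor"
SCAN_RESULTS = """\
10.10.1.10 00:1A:2B:3C:4D:01 Dell
10.10.1.23 00:1a:2b:3c:4d:02 Dell
10.10.2.15 a4:5e:60:11:22:33 RaspberryPi
10.10.2.40 00:1a:2b:3c:4d:07 HP
10.10.3.9  dc:a6:32:aa:bb:cc RaspberryPi
"""

# Constructed asset inventory keyed by MAC address (normalised to lower case)
AUTHORIZED_MACS = {
    "00:1a:2b:3c:4d:01": "ws-finance-01",
    "00:1a:2b:3c:4d:02": "ws-finance-02",
    "00:1a:2b:3c:4d:07": "printer-floor2",
}

# Constructed mapping of each Layer 3 switch to the DHCP range it serves
SWITCH_RANGES = {
    "sw-floor1": "10.10.1.0/24",
    "sw-floor2": "10.10.2.0/24",
    "sw-floor3": "10.10.3.0/24",
}


def parse_scan(text: str) -> List[Tuple[str, str, str]]:
    """Parse "ip mac vendor" lines; malformed lines are skipped, MACs lower-cased."""
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, mac, vendor = parts
        hosts.append((ip, mac.lower(), vendor))
    return hosts


def find_switch(ip: str, ranges: Dict[str, str]) -> str:
    """Return the switch whose DHCP range contains ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for switch, cidr in ranges.items():
        if addr in ipaddress.ip_network(cidr):
            return switch
    return "unknown"


def audit(scan_text: str, authorized: Dict[str, str],
          ranges: Dict[str, str]) -> List[dict]:
    """Return one finding per discovered host whose MAC is not in the inventory."""
    findings = []
    for ip, mac, vendor in parse_scan(scan_text):
        if mac in authorized:
            continue
        findings.append({"ip": ip, "mac": mac, "vendor": vendor,
                         "switch": find_switch(ip, ranges)})
    return findings


if __name__ == "__main__":
    for f in audit(SCAN_RESULTS, AUTHORIZED_MACS, SWITCH_RANGES):
        print(f"unauthorized {f['vendor']} {f['mac']} at {f['ip']} "
              f"-> check the port on {f['switch']}")
```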

32 SOCIAL ENGINEERING Social engineering activities exploit __________ human nature to fool them into providing information about themselves, their business, or their computer/network. They accomplish this by using trickery, deceit, lies, gifts, or acts of kindness to first establish a level of trust. They then use this trust relationship to gain information. Typical social engineering ploys include using free sales pitches or personal notes of affection to get users to click on something that downloads malicious code to their system. Other social engineering efforts can go to great lengths to get users to surrender their log-in information.

33 SOCIAL ENGINEERING Social engineering relies almost entirely on human interaction and often preys on a human being’s innate urge to help a fellow human, conning them into breaking normal security procedures. The ultimate goal in social engineering is to get the victim to eventually ________________ ______ information that wouldn’t be known by anyone outside the company, such as passwords, usernames, maintenance schedules, and more. Physical access to restricted areas of a building is another goal often sought by social engineers. There are many types of social engineering attacks. However, these attacks can be divided into two general categories:
- Those that rely on physical techniques
- Those that rely on psychological techniques

34 SHOULDER SURFING Shoulder surfing is one of the simplest and most common ________ social engineering techniques that can be employed on a potential victim. During a Shoulder Surf attack, the attacker will glance over an unsuspecting victim’s shoulder in hopes of watching or recording them input some private information, such as name, address, credit card number, social security number, etc. Shoulder surfing can occur in many different settings, but is usually most effective in a crowded area where the attack can be less obvious than if it were in a more intimate setting.

35 SHOULDER SURFING Shoulder surfing can occur in many different settings, but is usually most effective in a crowded area where the attack is less obvious than if it were conducted in a more intimate setting. Common opportunities for shoulder surfing include the following acts committed by the victim:
- Filling out information fields on a form or application
- Entering a PIN at an ATM or debit card machine
- Entering username/password credentials in an office or public setting
- Entering a PIN/password/security pattern on a smart phone

36 EAVESDROPPING Eavesdropping is the act of secretly _________ to a private conversation without the consent of the parties involved. When you were younger, did you ever hide somewhere and try to listen to your parents as they talked about something you weren’t supposed to hear? Perhaps they were talking together, or maybe one of them was talking to someone else on the phone. This is a prime example of eavesdropping.

37 DUMPSTER DIVING In the fields of Information Technology and Ethical Hacking, dumpster diving is a technique used by a potential attacker to retrieve information that could be used to help them carry out an attack on a target system or computer network. Dumpster diving isn’t limited to searching through an entity’s garbage for obviously __________ pieces of information like passwords written down on sticky notes and taken out by janitorial staff. Information such as phone records, old calendars, or organizational flow-charts can be used to help a potential attacker social engineer their way into a target’s network.

38 PIGGYBACKING & TAILGATING Piggybacking is an act that occurs when a social engineer asks a target to “hold the door” for them, and thereby gains __________ to a restricted area without having to provide credentials to do so. This can be done either by simply asking the target and being granted access, or some additional coercion may be required if the target initially denies the social engineer access and asks to see a credential such as a company badge.

39 PIGGYBACKING & TAILGATING The social engineer may simply claim that they left their badge inside the building when they went on a break, or that they left their badge at home when they came to work that morning. The social engineer may also have crafted a fake badge for this purpose and request that a restricted door be held open for them even though the company’s policy may be that all employees must swipe their badge to gain entry. Tailgating is similar to piggybacking in that the social engineer’s ultimate goal is to ________ ________ to an unauthorized area of a company or organization. Piggybacking describes this act with the consent of the target. Tailgating describes this act occurring without the knowledge of the target, such as waiting for someone to pass through the door and then catching the door and gaining entry before it closes, proceeding with their unauthorized access.

40 DIVERSION A diversion is a tactic that is intended to _______ an individual from __________ something. Typically diversions are created so that an attacker can either view sensitive information without being seen, or gain entry into a secure area without being questioned. Diversions are commonly a team-based technique for attackers, where one attacker is creating the diversion and distracting an individual from monitoring a resource or entryway, but diversions can also be created by an individual attacker. An example could be some sort of loud noise that gains the attention of a security guard and prompts them to investigate, leaving an entry point open to the attacker.

41 PRETEXTING Pretexting is defined as “the practice of presenting oneself as _________ ______ in order to obtain private information.” Social engineers use elaborate lies to persuade victims into giving them the desired information or performing a specific act.

42 PHISHING Phishing is a social engineering tactic that utilizes fraudulent _________ in which the attacker sends out emails that appear to be legitimate in an attempt to gather personal information from the recipients. Usually, the messages appear to come from well-known and trustworthy websites or companies. Like the word “fishing”, after which phishing is named, phishing casts out bait in the hope that individuals will “bite” and fall victim to it.

43 PHISHING PRECAUTIONS Methods individuals can employ to avoid phishing scams include:
- Maintaining suspicion of emails asking for sensitive information, and never responding to email requests for personal information
- Never following a link in an email that is suspected to be a phishing attempt
- Using web browsers that alert users to known or suspected phishing sites
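Added example, not from the original presentation: a link checker that applies the “never follow a suspicious link” precaution to the anchors in a constructed email body. It flags a displayed URL whose host differs from the real target, a bare IP address as the host, and a trusted brand name embedded in some other registered domain. The trusted domain examplebank.com and the sample message are constructed, and the registered-domain helper is a deliberate simplification.

```python
"""Inspect the links in an email body for the signs a cautious reader (or a
mail gateway) checks before following a link. The email and the trusted domain
below are constructed samples."""
import ipaddress
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}  # constructed: the brand we expect mail from

# Constructed phishing-style email body with one legitimate and two bad links
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account has been locked.</p>
<a href="https://www.examplebank.com/help">Help center</a>
<a href="http://examplebank.com.login-verify.example/restore">https://www.examplebank.com/restore</a>
<a href="http://203.0.113.17/update">Update your details now</a>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a host name (a simplification that ignores
    multi-label public suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href: str, text: str) -> List[str]:
    """Return the reasons a link looks like phishing (empty list if none)."""
    reasons = []
    host = urlparse(href).hostname or ""
    if is_ip_literal(host):
        reasons.append("link host is a bare IP address")
    shown = re.search(r"https?://\S+", text)
    if shown:  # the anchor text itself looks like a URL: compare it to the real target
        shown_host = urlparse(shown.group(0)).hostname or ""
        if registered_domain(shown_host) != registered_domain(host):
            reasons.append(f"displayed URL host {shown_host!r} "
                           f"differs from real host {host!r}")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and registered_domain(host) != trusted:
            reasons.append(f"host {host!r} imitates trusted domain {trusted!r}")
    return reasons


def scan_email(html: str) -> List[Tuple[str, List[str]]]:
    """Return (href, reasons) for each suspicious link in the email body."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```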

44 SPEAR-PHISHING Spear-phishing is similar to phishing in that it is a spoofed _________ fraud attempt. The primary difference, however, is that while phishing attacks are sent to a broad range of targets seemingly at random, spear-phishing attacks target a specific organization (or an individual within that organization) to attempt to gain unauthorized access to confidential data. Spear-phishing attacks are more likely to be conducted by attackers who are seeking large financial gain, industry secrets, or military information.

45 WHALING Whaling is another sub-type of phishing that targets “high-profile” end-users such as corporate executives, politicians, or celebrities. Just like with any phishing attack, the goal of a whaling attack is to trick an individual into divulging personal or corporate information and data through spoofed emails or other social engineering tactics. Whaling emails and websites can be highly personalized to the target, even to the point of including the target’s name, job title, and other legitimately relevant information gleaned from a variety of sources.

46 WHALING DEFENSES Due to the focused nature of whaling attacks, they are often more difficult to detect than other phishing attacks. In an enterprise network environment, security administrators can help prevent successful whaling attacks by requiring corporate executives and other high-ranking employees to undergo mandatory security awareness training.

47 VISHING Email is not the only method employed by attackers to attempt to fool individuals into providing personal or sensitive information. Attackers will also try to use _________ to solicit information from someone. This method of using a phone to conduct a phishing attack is called vishing (voice phishing). Attackers can also use this method to pretend to be someone else and open new lines of credit if they have the necessary information to do so.

48 SMISHING Smishing is similar to other phishing-type attacks, except for the fact that it uses ______ phone text ________, or SMS messages, to lure in potential targets. Smishing attacks often try to get an individual to respond to a fraudulent advertisement in an attempt to gain information from the potential victim later on. In most cases, smishing attacks are looking for “live” numbers that they can continue to send messages to and, at some point, try to extract information from in some way. The best defense against smishing attacks is to simply not respond to the message.

49 PHARMING Pharming is another form of ______ similar to phishing where, even though the user has typed in the correct website address, they may be redirected to a bogus website. This is most commonly achieved using a DNS cache poisoning attack, where the “pharmer” introduces bogus data into a DNS server’s resolver cache. ISPs and major DNS providers validate DNS responses to make sure they came from an authoritative source, but many organizations choose to run their own name servers, and if these are not configured properly they can be poisoned in this manner. Pharming may also involve hacking a legitimate website to change a link so that it redirects users to a fraudulent site, or even hacking a registrar account so that the domain’s name servers can be changed altogether. It is important to use strong and unique passwords for registrar accounts to help prevent this sort of activity.
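Added example, not from the original presentation: a toy caching resolver that shows the response validation a properly configured name server performs before caching anything, which is what the slide’s “validate DNS responses” refers to. A response is accepted only if its transaction ID and destination port match an outstanding query, its question matches, and every record lies inside the bailiwick of the zone that was queried; everything else is discarded without touching the cache. All names, addresses and responses are constructed.

```python
"""Model of the checks a caching resolver applies before accepting a DNS
response. Names, addresses and the three responses in demo() are constructed."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Record:
    name: str
    rtype: str
    value: str


@dataclass
class Query:
    qname: str
    txid: int
    src_port: int
    zone: str  # zone the queried server is authoritative for (its bailiwick)


@dataclass
class Response:
    txid: int
    dst_port: int
    qname: str
    answers: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Resolver:
    def __init__(self) -> None:
        self.cache: Dict[Tuple[str, str], str] = {}
        self.pending: Dict[Tuple[int, int], Query] = {}

    def send_query(self, qname: str, zone: str) -> Query:
        # Random 16-bit transaction ID and random ephemeral source port: a
        # response is only matched against a query if both agree.
        q = Query(qname, secrets.randbelow(1 << 16),
                  1024 + secrets.randbelow(64512), zone)
        self.pending[(q.txid, q.src_port)] = q
        return q

    def accept(self, resp: Response) -> Tuple[bool, str]:
        """Validate a response; cache its records only if every check passes."""
        q = self.pending.get((resp.txid, resp.dst_port))
        if q is None:
            return False, "no pending query with this txid/port"
        if resp.qname.lower() != q.qname.lower():
            return False, "question section does not match the query"
        for r in resp.answers + resp.additional:
            if not in_bailiwick(r.name, q.zone):
                return False, f"out-of-bailiwick record for {r.name}"
        for r in resp.answers + resp.additional:
            self.cache[(r.name.lower(), r.rtype)] = r.value
        del self.pending[(resp.txid, resp.dst_port)]
        return True, "accepted"


def demo() -> Tuple[Dict[str, Tuple[bool, str]], Resolver]:
    """Send one query and feed the resolver three constructed responses."""
    r = Resolver()
    q = r.send_query("www.examplebank.com", "examplebank.com")
    results = {}
    # 1. Response carrying a guessed (wrong) transaction ID: not matched at all
    results["wrong_txid"] = r.accept(Response(
        (q.txid + 1) % 65536, q.src_port, q.qname,
        answers=[Record(q.qname, "A", "203.0.113.66")]))
    # 2. Correct txid/port, but an additional record for a name in another zone
    results["out_of_bailiwick"] = r.accept(Response(
        q.txid, q.src_port, q.qname,
        answers=[Record(q.qname, "A", "198.51.100.10")],
        additional=[Record("www.other-bank.example", "A", "203.0.113.66")]))
    # 3. Genuine response from the zone's own name server
    results["genuine"] = r.accept(Response(
        q.txid, q.src_port, q.qname,
        answers=[Record(q.qname, "A", "198.51.100.10")]))
    return results, r


if __name__ == "__main__":
    outcome, resolver = demo()
    for label, (ok, why) in outcome.items():
        print(f"{label:17} accepted={ok} ({why})")
    print("cache:", resolver.cache)
```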

50 QUID PRO QUO Quid pro quo is commonly used in the practice of law to refer to an exchange of something that has ________ for something else of value in a contract. In ethical hacking, the premise of quid pro quo can be applied to social engineering as well. Basically, the attacker will offer something of value to a social engineering target in the hope that the target will provide something of value in return, such as sensitive information or access to a restricted area. This technique works well with disgruntled employees, such as individuals who have been passed over for a promotion or a salary increase. Sometimes, such employees will accept a social engineer’s offer in order to harm their employer in retaliation. Disgruntled employees can also be considered insider threats because they pose a threat to the organization they work for and can cause harm to that organization “from the inside”.

51 PENETRATION TESTING A penetration test, or pentest, is simply an _______ on a network with the goal of finding security weaknesses. This essentially involves trying to hack your own (or your customer’s) systems. This type of testing exists as a way for organizations to use outside sources to attack their network or system for the purpose of obtaining information about the insecurities of their network and how to fix them.

52 STEP 1. DEFINE WHO WILL BE INVOLVED In most situations, companies will hire a pentest organization or company to conduct the test. The two entities will work together to determine who will play what role in the test. There are usually three groups:
- A red team that conducts the attack
- A blue team who are typically the victims (i.e. network administrators)
- A white team who oversee the test

53 STEP 2. DEFINE WHAT YOU WANT TO ACCOMPLISH Maybe the company has problems with phishing attacks and users innocently giving out passwords. In such cases, the goal would be to decrease the number of successful phishing attempts.

54 STEP 3. DEFINE WHAT SYSTEMS (HUMAN OR OTHERWISE) ARE OPEN TO ATTACK AND FOR HOW LONG When conducting a phishing attack, the pentester would not necessarily be interested in attacking something that is out of the scope of the goal. Depending on how the company operates, this can be a very gray area and oftentimes one of the biggest areas the white team administrators will work to define.

55 STEP 4. DEFINE WHO ON THE BLUE TEAM WILL KNOW ABOUT THE ATTACK Let’s say you are conducting social engineering with the goal of infiltrating the company in order to gain access to a server closet. What happens when you walk down a hall, looking very suspicious, and someone calls you out? They ask for identification, and you have failed to acquire a visitor’s badge from the front desk. Maybe they will just escort you out of the building. However, if this were to happen at night when the building was closed, there could be a very different result, one where you end up in handcuffs.

56 STEP 5. LEGALITIES There are many laws involved in ethical and unethical hacking. Companies need to be aware of what they are getting into and pentest companies also need to know what is and isn’t illegal at the local, state, and federal level. A company should be sure that the pentesters sign all the necessary confidentiality and nondisclosure agreements required by federal laws.

57 TYPES OF PENTEST ATTACKS The pentester will typically perform a wide variety of tests to determine areas of weakness or vulnerability in the customer’s network:
- Social Engineering Activities
- IP Header Manipulation
- Session Hijacking
- MAC Spoofing
- MAC Flooding
- ARP Spoofing/Poisoning
- Man-in-the-Middle
- DNS Spoofing
- SQL Injection
- DoS/DDoS
- Ping Flood Attacks
- Smurf Attacks
- UDP Flood Attack
- SYN Flooding
- Password Attacks
- Wireless Attacks

58 PENTEST DOCUMENTATION For both ethical hackers and pentesters, documentation is extremely important and can make or break a test, as well as keep you out of serious trouble. Also, if you are hired by a company to test a network it is important to have something tangible to give them, as well as findings and recommendations regarding their network. Regardless of whether the report is for a government entity or a private company, the results and findings (as well as the technical aspects of the report) should be kept secured and out of the hands of those who don’t need access to it.

59 PENTEST DOCUMENTATION The report should be targeted towards administrative level executive staff and IT personnel. Copies of the report and who receives them should be documented as well. The master copy should be stored in a very secure place where other valuable information is stored.

60 INFORMATION COLLECTION For the pentester and ethical hacker, documenting everything done and discussed is vital. Whether it’s through screenshots, data dumps, packet captures, or anything like that, the more documentation you have to support your claim, the stronger your argument will be.
Pentesting Report outline:
- Executive Summary
- Scope of Work
- Project Objectives
- Assumptions
- Timeline
- Summary of Findings
- Detailed Findings
- Solutions and Recommendations
- Closing Remarks

