This document provides an overview of several topics related to penetration testing and information security including:
1. The 5 phases of a penetration test: reconnaissance, scanning and enumeration, gaining access, maintaining access, and covering tracks.
2. Common attack types like those targeting operating systems, applications, or via misconfigurations.
3. Cryptography basics like symmetric and asymmetric encryption algorithms, hashing, and digital certificates.
4. Network scanning and enumeration techniques like port scanning to identify open ports and NetBIOS commands to investigate Windows networks.
5 Phases to a penetration test
- Reconnaissance
- Scanning & Enumeration
- Gaining Access
- Maintaining Access
- Covering Tracks

Attack Types
- OS: Attacks targeting default OS settings
- App level: Application code attacks
- Shrink Wrap: off-the-shelf scripts and code
- Misconfiguration: not configured well

Legal
- 18 U.S.C 1029 & 1030
- RFC 1918 - Private IP Standard
- RFC 3227 - Collecting and storing data
- ISO 27002 - InfoSec Guidelines
- CAN-SPAM - email marketing
- SPY-Act - License Enforcement
- DMCA - Intellectual Property
- SOX - Corporate Finance Processes
- GLBA - Personal Finance Data
- FERPA - Education Records
- FISMA - Gov Networks Security Std
- CVSS - Common Vuln Scoring System
- CVE - Common Vulns and Exposure

[Figure: Regional Registry Coverage Map]

Trust Models
- Web of trust: Entities sign certs for each other
- Single Authority: CA at top. Trust based on CA itself
- Hierarchical: CA at top. RAs under it manage certs
- XKMS - XML PKI System

Cryptography Attacks
- Known Plain-text: Search plaintext for repeatable sequences. Compare to t… versions.
- Ciphertext-only: Obtain several messages encrypted with the same algorithm. Analyze to reveal repeating code.
- Replay: Performed in MITM. Repeat the exchange to fool the system into setting up a comms channel.

Digital Certificate
Used to verify user identity = nonrepudiation
- Version: Identifies format. Common = V1
- Serial: Uniquely identifies the certificate
- Subject: Whoever/whatever is being identified by the cert
- Algorithm ID: Algorithm used
- Issuer: Entity that verifies authenticity of the certificate
- Valid from/to: Dates the certificate is good through
- Key usage: Shows for what purpose the cert was made
- Subject's Public Key: self-explanatory
- Optional fields: e.g., Issuer ID, Subject Alt Name...

TCP Header Flags
- URG: Indicates data being sent out of band
- ACK: Ack to, and after, SYN
- PSH: Forces delivery without concern for buffering
- RST: Forces comms termination in both directions
- SYN: Initial comms. Parameters and sequence #'s
- FIN: Ordered close to communications

DHCP
Client —Discovers—> Server
Client <—Offers—— Server
Client —Requests—> Server
Client <——Ack——— Server
IP is removed from pool.

Scanning & Enumeration

ICMP Message Types
- 0: Echo Reply: Answer to Type 8 Echo Request
- 3: Destination Unreachable: No host/network
  Codes:
  0 – Destination network unreachable
  1 – Destination host unreachable
  6 – Network unknown
  7 – Host unknown
  9 – Network administratively prohibited
  10 – Host administratively prohibited
  13 – Communication administratively prohibited
- 4: Source Quench: Congestion control message
- 5: Redirect: 2+ gateways for the sender to use, or the best route is not the configured default gateway
  Codes:
  0 – Redirect datagram for the network
  1 – Redirect datagram for the host
- 8: Echo Request: Ping message requesting echo
- 11: Time Exceeded: Packet too long to be routed

CIDR
Method of representing IP addresses (IPv4 notation):
/30 = 4 addresses, mask .255.252
/28 = 16 addresses, mask .255.240
/26 = 64 addresses, mask .255.192
/24 = 256 addresses, mask .255.0
/22 = 1024 addresses, mask .248.0
/20 = 4096 addresses, mask .240.0

Reconnaissance
Definition: Gathering information on targets, whereas foot-printing is mapping out at a high level. These are interchangeable in C|EH.

Google Hacking: operator:keyword additional search items
- site: Search only within domain
- ext: File extension
- loc: Maps location
- intitle: Keywords in title tag of page
- allintitle: Any keywords can be in title
- inurl: Keywords anywhere in URL
- allinurl: Any of the keywords can be in URL
- incache: Search Google cache only

DNS
Port 53: nslookup (UDP), zone transfer (TCP)
DNS record types:
- Service (SRV): Hostname & port # of servers
- Start of Authority (SOA): Primary name server
- Pointer (PTR): IP to hostname; for reverse DNS
- Name Server (NS): Name servers with namespace
- Mail Exchange (MX): E-mail servers
- CNAME: Aliases in zone. List multiple services in DNS
- Address (A): IP to hostname; for DNS lookup
DNS footprinting: whois, nslookup, dig

Cryptography

Symmetric Encryption
Key pairs required =
Symmetric Algorithms:
- DES: 56bit key (8bit parity); fixed block
- 3DES: 168bit key; keys ≤ 3
- AES: 128, 192, or 256; replaced DES
- IDEA: 128 bit key
- Twofish: Block cipher, key size ≤ 256bit
- Blowfish: Replaced by AES; 64bit block
- RC: incl. RC2→RC6. 2,040-bit key; RC6 has a 128bit block

Asymmetric Encryption
Public Key = Encrypt, Private Key = Decrypt
Asymmetric Algorithms:
- Diffie-Hellman: Key exchange, used in SSL/IPSec
- ECC: Elliptical Curve. Low processing power/mobile
- El Gamal: != primes; log problems to encrypt/sign
- RSA: 2 x prime, 4,096bit. Modern std.

Hash Algorithms
- MD5: 128bit hash, expressed as a 32-digit hex string
- SHA1: 160bit hash, required for use in US apps

Port Numbers
- 0 – 1023: Well-known
- 1024 – 49151: Registered
- 49152 – 65535: Dynamic

Important Port Numbers
- FTP: 20/21
- SSH: 22
- Telnet: 23
- SMTP: 25
- WINS: 42
- TACACS: 49
- DNS: 53
- HTTP: 80 / 8080
- Kerberos: 88
- POP3: 110
- Portmapper (Linux): 111
- NNTP: 119
- NTP: 123
- RPC-DCOM: 135
- NetBIOS/SMB: 137-139
- IMAP: 143
- SNMP: 161/162
- LDAP: 389
- HTTPS: 443
- CIFS: 445
- Printer: 515, 631, 9100
- RADIUS: 1812
- RDP: 3389
- IRC: 6667
- Tini: 7777
- NetBus: 12345
- Back Orifice: 27374
- Sub7: 31337

HTTP Error Codes
- 200 Series - OK
- 400 Series - Could not provide request
- 500 Series - Could not process request

NetBIOS
- nbtstat -a COMPUTER190: remote name table (by name)
- nbtstat -A 192.168.10.12: remote name table (by IP)
- nbtstat -n: local name table
- nbtstat -c: local name cache
- nbtstat -R: purge name cache
- nbtstat -S 10: display session stats every 10 sec
NetBIOS suffixes:
- 1B == master browser for the subnet
- 1C == domain controller
- 1D == domain master browser

LM Hashing
7 spaces hashed: AAD3B435B51404EE

C|EH rules for passwords
Must not contain user's name. Min 8 chars. 3 of 4 complexity components, e.g., Special, Number, Uppercase, Lowercase.

Password attack types
- Passive Online: Sniffing the wire, intercepting cleartext passwords / replay / MITM
- Active Online: Password guessing
- Offline: Steal a copy of the passwords, i.e., the SAM file. Cracking efforts on a separate system
- Non-electronic: Social engineering

Sidejacking
Steal cookies exchanged between systems and use them to perform a replay-style attack.

Authentication Types
- Type 1: Something you know
- Type 2: Something you have
- Type 3: Something you are

SNMP
Uses a community string for PW authentication. SNMPv3 encrypts the community strings.

Session Hijacking
Refers to the active attempt to steal an entire established session from a target.
1. Sniff traffic between client and server
2. Monitor traffic and predict sequence
3. Desynchronise session with client
4. Predict session token and take over session
5. Inject packets to the target server

Kerberos
Kerberos makes use of symmetric and asymmetric encryption technologies and involves:
- KDC: Key Distribution Centre
- AS: Authentication Service
- TGS: Ticket Granting Service
- TGT: Ticket Granting Ticket
Process:
1. Client asks KDC (who has AS and TGS) for a ticket to authenticate throughout the network. This request is in clear text.
2. Server responds with a secret key, hashed by the password copy kept on the AD server (TGT).
3. TGT sent back to the server requesting TGS if the user decrypts.
4. Server responds with a ticket, and the client can log on and access network resources.

SAM File
C:\Windows\system32\config

Registry
2 elements make a registry setting: a key (location pointer), and a value (defines the key setting).
Root level keys are as follows:
- HKEY_LOCAL_MACHINE – Info on hardware/software
- HKEY_CLASSES_ROOT – Info on file associations and Object Linking and Embedding (OLE) classes
- HKEY_CURRENT_USER – Profile info on current user
- HKEY_USERS – User config info for all active users
- HKEY_CURRENT_CONFIG – Pointer to \Hardware Profiles\
Autostart locations under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion:
- \RunServicesOnce
- \RunServices
- \RunOnce
- \Run

Sniffing and Evasion

IPv4 and IPv6
IPv4 == unicast, multicast, and broadcast.
IPv6 == unicast, multicast, and anycast.
IPv6 unicast and multicast scope includes link local, site local, and global.

MAC Address
First half = 3 bytes (24bits) = Org UID. Second half = unique number.

NAT (Network Address Translation)
Basic NAT is a one-to-one mapping where each internal IP == a unique public IP.
NAT Overload (PAT) == port address translation. Typically used as it is the cheaper option.

Stateful Inspection
Concerned with the connections. Doesn't sniff every packet; it just verifies if it's a known connection, then passes it along.

HTTP Tunnelling
Crafting of wrapped segments through a port rarely filtered by the firewall (e.g., 80) to carry payloads that may otherwise be blocked.

Snort IDS
It has 3 modes: Sniffer / Packet logger / Network IDS.
Config file: /etc/snort, or c:\snort\etc
#~ alert tcp !HOME_NET any -> $HOME_NET 31337 (msg : "BACKDOOR ATTEMPT-Backorifice.")
Any packet from any address != home network, using any source port, intended for an address in the home network on port 31337: send msg.

Span port: port mirroring
False Negative: IDS incorrectly reports the stream clean
IDS Evasion Tactics: Slow down OR flood the network (and sneak through in the mix) OR fragmentation
TCPdump syntax: #~ tcpdump flag(s) interface

Nmap
Nmap is the de-facto tool for this pen-test phase.
Nmap <scan options> <target>
- -sA: ACK scan
- -sF: FIN scan
- -sS: SYN (Stealth) scan
- -sT: TCP scan
- -sI: IDLE scan
- -sn: Ping sweep
- -sN: NULL scan
- -sR: RPC scan
- -P0: No ping
- -sW: Window scan
- -sX: XMAS tree scan
- -PI: ICMP ping
- -PS: SYN ping
- -PT: TCP ping
- -oN: Normal output
- -oX: XML output
- -A: OS/Version/Script detection
- -T<0-4>: Slow - Fast

Scan Types
- TCP: 3-way handshake on all ports. Open = SYN/ACK, Closed = RST/ACK
- SYN: SYN packets to ports (incomplete handshake). Open = SYN/ACK, Closed = RST/ACK
- FIN: Packet with FIN flag set. Open = no response, Closed = RST
- XMAS: Multiple flags set (FIN, URG, and PSH). Binary header: 00101001. Open = no response, Closed = RST
- NULL: No flags set. Responses vary by OS. NULL scans are designed for Linux/Unix machines.
- ACK: Used for Linux/Unix systems. Open = RST, Closed = no response
- IDLE: Spoofed IP, SYN flag, designed for stealth. Open = SYN/ACK, Closed = RST/ACK

Attacking a System
- Stack: Premise is that all program calls are kept in a stack and performed in order. Try to change a function pointer or variable to allow code execution.
- Heap: Takes advantage of memory "on top of" the application (dynamically allocated). Use the program to overwrite function pointers.
- NOP Sled: Takes advantage of the instruction called "no-op". Sends a large # of NOP instructions into the buffer. Most IDS protect from this attack.
- Dangerous SQL functions: The following do not check the size of destination buffers: gets() strcpy() strcat() printf()

Denial of Service
- SYN Flood: Send thousands of SYN packets but never respond to any of the returned SYN/ACK packets. Target will run out of available connections.
- ICMP Flood: Send ICMP Echo packets with a fake source address. Target attempts to respond but reaches a limit of packets sent per second.
- Application level: Send more "legitimate" traffic to a web application than it can handle.
- Smurf: Send a large number of pings to the broadcast address of the subnet with the source IP spoofed to the target. The subnet will send ping responses to the target.
- Fraggle Attack: Similar to Smurf but uses UDP.
- Ping of Death: Attacker fragments an ICMP message to send to the target. When the fragments are reassembled, the resultant ICMP packet is larger than the max size and crashes the system.

Social Engineering
Human based attacks:
- Dumpster diving
- Impersonation
- Technical Support
- Shoulder Surfing
- Tailgating / Piggybacking
Computer based attacks:
- Phishing - Email scam
- Whaling - Targeting CEOs
- Pharming - Evil twin website
Types of Social Engineers:
- Insider Associates: Limited authorized access
- Insider Affiliates: Insiders by virtue of affiliation that spoof the identity of the insider
- Outsider Affiliates: Non-trusted outsiders that use an access point that was left open

Physical Security
3 major categories of physical security measures:
- Physical measures: Things you taste, touch, smell
- Technical measures: Smart cards, biometrics
- Operational measures: Policies and procedures

Wireless Network Hacking
Wireless Sniffing: A compatible wireless adapter with promiscuous mode is required, but otherwise pretty much the same as sniffing wired.
802.11 Specifications:
- WEP: RC4 with 24bit vector. Keys are 40 or 104bit
- WPA: RC4, supports longer keys; 48bit IV
- WPA/TKIP: Changes IV each frame and key mixing
- WPA2: AES + TKIP features; 48bit IV

Spec      Dist   Speed      Freq
802.11a   30m    54 Mbps    5GHz
802.11b   100m   11 Mbps    2.4GHz
802.11g   100m   54 Mbps    2.4GHz
802.11n   125m   100 Mbps+  2.4/5GHz

Bluetooth Attacks
- Bluesmacking: DoS against a device
- Bluejacking: Sending messages to/from devices
- Bluesniffing: Sniffs for Bluetooth
- Bluesnarfing: Actual theft of data from a device

Viruses
- Heartbleed: CVE-2014-0160. Found by Neel Mehta, Heartbleed is a vulnerability with heartbeat in the OpenSSL software library. Allowed a MITM to steal information normally protected by SSL/TLS encryption.
- POODLE: CVE-2014-3566. MITM exploit which took advantage of internet and software client fallback to SSL 3.0.
- Shellshock: CVE-2014-6271. Exploits a vuln that executes code inside the ' ' where the text should not be executed.
- ILOVEYOU: A worm originating in the Philippines. Started on May 5, 2000, and was built on a VBS macro in Microsoft Word/Excel templates.
- MELISSA: Email virus based on an MS Word macro. Created in 1999 by David L. Smith.

Trojans and Other Attacks
Virus Types:
- Boot: Moves boot sector to another location. Almost impossible to remove.
- Camo: Disguised as legit files.
- Cavity: Hides in empty areas in an exe.
- Macro: Written in MS Office macro language.
- Multipartite: Attempts to infect files and boot sector at the same time.
- Metamorphic virus: Rewrites itself when it infects a new file.
- Network: Spreads via network shares.
- Polymorphic Code virus: Encrypts itself using a built-in polymorphic engine. Constantly changing signature makes it hard to detect.
- Shell virus: Like boot sector but wrapped around application code, and run on application start.
- Stealth: Hides in files, copies itself to deliver payload.
DOS Types:
- SYN Attack: Send thousands of SYN packets with a false IP address. Target will attempt a SYN/ACK response. All machine resources will be engaged.

Web-based Hacking
- CSRF - Cross Site Request Forgery
- Dot-dot-slash Attack: Variant of Unicode or un-validated input attack
SQL Injection attack types:
- Union Query: Use the UNION command to return the union of the target DB with a crafted DB
- Tautology: Term used to describe the behavior of a DB when deciding if a statement is true
- Blind SQL Injection: Trial and error with no responses or prompts
- Error based SQL injection: Enumeration technique. Inject poorly constructed commands to have the DB respond with table names and other information

Buffer Overflow
A condition that occurs when more data is written to a buffer than it has space to store, resulting in data corruption. Caused by insufficient bounds checking, a bug, or poor configuration in the program code.

Linux Commands
Linux File System:
- / - Root
- /var - Variable data / log files
- /bin - Binaries / user commands
- /sbin - System binaries / admin commands
- /root - Home dir for root user
- /boot - Stores kernel
- /proc - Direct access to kernel
- /dev - Hardware storage devices
- /mnt - Mount devices
Identifying Users and Processes:
- INIT process ID: 1
- Root UID, GID: 0
- Accounts of services: 1-999
- All other users: above 1000
Permissions:
- 4 - Read
- 2 - Write
- 1 - Execute
- Order: User/Group/Others
- 764 - User>RWX, Grp>RW, Other>R

Snort rule format
action protocol address port -> address port (option:value; option:value)
alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)

Command Line Tools
- NMap: nmap -sT -T5 -n -p 1-100 10.0.0.1
- Netcat: nc -v -z -w 2 10.0.0.1
- TCPdump: tcpdump -i eth0 -v -X ip proto 1
- Snort: snort -vde -c my.rules 1
- hping: hping3 -I eth0 -c 10 -a 2.2.2.2 -t 100 10.0.0.1
- iptables: iptables -A FORWARD -j ACCEPT -p tcp --dport 80

Tool Lists

Network Mapping: NetMapper, LANState, IPSonar
Packet Generator: Netscan, Scapy, Nemesis
Proxy, Anonymizer, and Tunneling: Tor, ProxySwitcher, ProxyChains, SoftCab, HTTP Tunnel, Anonymouse
Session Hijacking: Paros Proxy, Burp Suite, Firesheep, Hamster/Ferret, Ettercap, Hunt
Enumeration: SuperScan, User2Sid/Sid2User, LDAP Admin, Xprobe, Hyena
SNMP Enumeration: SolarWinds, SNMPUtil, SNMPScanner

Cryptography and Encryption
- Encryption: True Crypt, BitLocker, DriveCrypt
- Hash Tools: MD5 Hash, Hash Calc
- Steganography: XPTools, ImageHide, Merge Streams, StegParty, gifShuffle, QuickStego, InvisibleSecrets, EZStego, OmniHidePro
- Cryptanalysis: Cryptanalysis, Cryptobench

System Hacking Tools
- Password Hacking: Cain, John the Ripper, LCP, THC-Hydra, ElcomSoft, Aircrack, Rainbow Crack, Brutus, KerbCrack
- Sniffing: Wireshark, Ace, KerbSniff, Ettercap
- Keyloggers and Screen Capture: KeyProwler, Ultimate Keylogger, All In One Keylogger, Actual Spy, Ghost, Hidden Recorder, Desktop Spy, USB Grabber
- Privilege Escalation: Password Recovery Boot Disk, Password Reset, Password Recovery, System Recovery
- Executing Applications: PDQ Deploy, RemoteExec, Dameware
- Spyware: Remote Desktop Spy, Activity Monitor, OSMonitor, SSPro, Spector Pro
- Covering Tracks: ELsave, CCleaner, EraserPro, Evidence Eliminator
- Packet Crafting/Spoofing: Komodia, Hping2, PackEth

Tools of the Trade
- Vulnerability Research: National Vuln Db, Eccouncil.org, Exploit-db
- Foot-printing:
  - Website Research Tools: Netcraft, Webmaster, Archive
  - DNS and Whois Tools: Nslookup, Sam Spade, ARIN, WhereisIP, DNSstuff, DNS-Digger
  - Website Mirroring: dnsstuff, Wget, Archive, GoogleCache
- Scanning and Enumeration:
  - Ping Sweep: Angry IP Scanner, MegaPing
  - Scanning Tools: SuperScan, NMap (Zenmap), NetScan Tools Pro, Hping, Netcat
  - War Dialing: THC-Scan, TeleSweep, ToneLoc, WarVox
  - Banner Grabbing: Telnet, ID Serve, Netcraft, Xprobe
  - Vulnerability Scanning: Nessus, SAINT, Retina, Core Impact, Nikto

Sniffing
- Packet Capture: Wireshark, CACE, tcpdump, Capsa, OmniPeek, Windump, EtherApe
- Wireless: Kismet, Netstumbler
- MAC Flooding/Spoofing: Macof, SMAC
- ARP Poisoning: Cain, UfaSoft, WinARP Attacker

Wireless
- Discovery: Kismet, NetStumbler, insider, NetSurveyor
- Packet Sniffing: Cascade Pilot, Omnipeek, CommView, Capsa
- WEP/WPA Cracking: Aircrack, KisMac, Wireless Security Auditor, WepAttack, WepCrack, coWPatty
- Bluetooth: BTBrowser, BH Bluejack, BTScanner, Bluesnarfer
- Mobile Device Tracking: Wheres My Droid, Find My Phone, GadgetTrack, iHound

Trojans and Malware
- Wrappers: Elite Wrap
- Monitoring Tools: HiJackThis, CurrPorts, Fport
- Attack Tools: Netcat, Nemesis

IDS
- Snort
- Evasion Tools: ADMutate, NIDSBench, IDSInformer, Inundator

Web Attacks
- Wfetch, Httprecon, ID Serve, WebSleuth, Black Widow, CookieDigger, Nstalker, NetBrute
- SQL Injection: BSQL Hacker, Marathon, SQL Injection Brute, SQL Brute, SQLNinja, SQLGET
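The Snort rule header format described on this page (action protocol address port -> address port (option:value; ...)) is worth seeing parsed and applied. The following is an added example, not code from the page or from the Snort project: it parses the two rules the page quotes, including the "!HOME_NET" negation and the "any" wildcard, and checks constructed 5-tuples against them. It assumes $HOME_NET is 10.0.0.0/24 and ignores payload options such as content matching.

```python
import ipaddress
import re

# Assumption for this added example: the monitored network ($HOME_NET) is 10.0.0.0/24.
HOME_NET = ipaddress.ip_network("10.0.0.0/24")
# The two rules quoted on the page, in the header format it describes.
PAGE_RULES = [
    'alert tcp !HOME_NET any -> $HOME_NET 31337 (msg : "BACKDOOR ATTEMPT-Backorifice.")',
    'alert tcp 10.0.0.1 25 -> 10.0.0.2 25 (msg:"Sample Alert"; sid:1000;)',
]

_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Split 'action protocol addr port -> addr port (opt:val; ...)' into a dict."""
    m = _HEADER.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule header: " + text)
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dst", "dport")}
    rule["opts"] = {}
    for item in m.group("opts").split(";"):   # options are ';'-separated key:value pairs
        if item.strip():
            key, _, val = item.partition(":")
            rule["opts"][key.strip()] = val.strip().strip('"')
    return rule

def _addr_matches(spec, ip):
    negate = spec.startswith("!")            # a leading '!' inverts the test
    spec = spec.lstrip("!").lstrip("$")      # the page writes both !HOME_NET and $HOME_NET
    if spec == "any":
        hit = True
    elif spec == "HOME_NET":
        hit = ipaddress.ip_address(ip) in HOME_NET
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def _port_matches(spec, port):
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:                        # Snort range syntax lo:hi, either end may be open
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = port == int(spec)
    return hit != negate

def rule_matches(rule, pkt):
    """pkt is a constructed 5-tuple dict: proto, src, sport, dst, dport."""
    return (rule["proto"] == pkt["proto"]
            and _addr_matches(rule["src"], pkt["src"])
            and _port_matches(rule["sport"], pkt["sport"])
            and _addr_matches(rule["dst"], pkt["dst"])
            and _port_matches(rule["dport"], pkt["dport"]))

def alerts_for(packets, rule_texts=PAGE_RULES):
    # Return the msg of every alert rule each packet triggers, in packet order.
    rules = [parse_rule(t) for t in rule_texts]
    return [r["opts"].get("msg") for p in packets for r in rules
            if r["action"] == "alert" and rule_matches(r, p)]
```

A connection to port 31337 from inside the home network produces no alert, which is exactly what the "!HOME_NET" source qualifier means; a detection engineer who wants to see internal-to-internal backdoor traffic would drop the negation.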