Published by Enhelion, 2021-09-18 11:02:44

MODULE 7

ATTACK STRATEGY DESIGN

Generalized Attack Methodology:

An attack generally proceeds through five phases:

1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

1. Reconnaissance / Information Gathering

Reconnaissance is the preparatory phase in which an attacker gathers as much
information as possible about the target before launching the attack. The attacker also
draws on competitive intelligence (public reporting, filings, job postings, press coverage)
to learn more about the target. Unauthorized network scanning, external or internal, may
also begin in this phase, although that already shades into the active techniques
described under Scanning.

This is the phase in which the attacker plans the attack. It can take considerable time,
because the attacker waits until crucial information surfaces. Part of this
reconnaissance may involve social engineering.

"Dumpster diving" is another reconnaissance technique: searching an organization's trash
for discarded sensitive material. From the Internet alone an attacker can obtain employee
contact details, business partners, technologies in use and other business knowledge;
dumpster diving can yield far more sensitive items such as usernames, passwords, credit
card and bank statements, ATM slips, social security numbers and telephone numbers.

Reconnaissance Types

Reconnaissance techniques fall broadly into passive and active reconnaissance.

Passive reconnaissance does not touch the target's systems directly. It relies on publicly
available information, social engineering and dumpster diving, and so leaves nothing in
the target's logs.

Active reconnaissance interacts with the target: tools probe for open ports, reachable
hosts, router locations, network topology, and the versions of operating systems and
applications. Active techniques are faster but can be detected by the target's monitoring.

2. Scanning / Enumeration

Scanning is what an attacker performs immediately before attacking the network. Here the
attacker uses the details gathered during reconnaissance to identify specific
vulnerabilities; scanning is a logical extension of, and overlaps with, active
reconnaissance. Attackers generally use automated tools such as network and host scanners
(and, historically, war dialers, which dial ranges of telephone numbers looking for
modems) to locate systems and discover vulnerabilities.

Simple tools such as traceroute let an attacker map the systems, routers and firewalls
along a path; tools such as Cheops add network sweeping on top of what traceroute
provides.

Port scanners detect listening ports and so reveal the nature of the services running on
the target machine. The primary defence is to shut down services that are not necessary;
appropriate filtering (host or network firewalls) is the second. Filtering is not a complete
answer, however, because attackers can use tools to infer the filtering rules in place, for
example by noting which probes are refused outright and which are silently dropped.
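As an added example (not from the original module), the following Python script performs the TCP connect scan and banner grab described above and distinguishes the three states a port scan reports: open (the connection is accepted), closed (the host answered with a reset) and filtered (no answer at all, typically a firewall silently dropping the probe). To stay self-contained it starts a constructed loopback listener that imitates an SSH banner; the banner text and the ports it uses are assumptions, not real targets.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=1.0):
    """TCP connect probe of one port. Returns (state, banner_bytes)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return "filtered", b""        # no SYN/ACK and no RST: probe silently dropped
    except ConnectionRefusedError:
        s.close()
        return "closed", b""          # RST came back: host is up, nothing listens here
    except OSError:
        s.close()
        return "error", b""           # unreachable network and similar failures
    try:
        # Services such as SSH, SMTP and FTP announce themselves first, so a
        # plain read is enough; HTTP would need a request sent before reading.
        banner = s.recv(256)
    except socket.timeout:
        banner = b""
    finally:
        s.close()
    return "open", banner


def scan(host, ports, timeout=1.0, workers=32):
    """Scan a list of ports concurrently. Returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, *probe_port(host, p, timeout)), ports))
    return {p: (state, banner) for p, state, banner in results}


def start_demo_service(banner):
    """Constructed stand-in for a real service: a loopback listener that greets
    each client with `banner` and hangs up. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))       # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return               # listener closed by the caller
            conn.sendall(banner)
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Scan one open and one closed loopback port; returns (results, open_port, closed_port)."""
    srv, open_port = start_demo_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")  # assumed banner
    # Bind-and-release a second socket so we know a port that is currently closed.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    results = scan("127.0.0.1", [open_port, closed_port])
    try:
        srv.shutdown(socket.SHUT_RDWR)   # wakes the blocked accept() so the thread exits
    except OSError:
        pass
    srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    res, o, c = demo()
    for port, (state, banner) in sorted(res.items()):
        print(f"{port:5d}/tcp {state:8s} {banner.strip().decode(errors='replace')}")
```

A filtered result cannot be produced on loopback, so the demo exercises only the open and closed cases. Against a real host, a run of timeouts on ports that should answer with resets is the signature of a firewall, and comparing which ports are refused with which are dropped is exactly how scanners infer the filtering rules. Run it only against systems you are authorized to test.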

Vulnerability scanners, which test a target network for thousands of known
vulnerabilities, are the most commonly used tools. They give the attacker the advantage of
time: the attacker needs to find only a single way in, while the systems professional has to
secure every vulnerable area by applying patches. Organizations that deploy intrusion
detection systems still have reason to worry, because attackers can use evasion techniques
at both the application and network levels.

3. Gaining Access

In terms of potential damage, gaining access is the most important phase of an attack.
Attackers do not always need to gain access to a system to cause damage: denial-of-service
attacks exhaust resources or stop services on the target. Denial of service can be achieved
by killing processes, planting a logic or time bomb, or reconfiguring and crashing the
system. Resources can also be exhausted locally, for example by filling up outgoing
communication links.

The exploit can occur locally, offline, over a LAN or over the Internet, through deception
or theft. Stack-based buffer overflows, denial of service and session hijacking are
examples of such attacks. Spoofing is a technique in which the attacker pretends to be
another user or system; it can be used to deliver a malformed packet that triggers a bug on
the target. Packet flooding can remotely deny availability of essential services. A Smurf
attack sends ICMP echo requests to a network's broadcast address with the source address
forged to be the victim's, so that every host that responds floods the victim with replies.

The architecture and configuration of the target system, the skill of the perpetrator and
the initial level of access obtained all influence the attacker's chance of gaining access.
The most damaging denial-of-service attacks are distributed ones (DDoS), in which the
attacker uses zombie software installed on many machines across the Internet to launch an
orchestrated, large-scale denial of service.

4. Maintaining Access

After gaining access to the target system, the attacker can use both the system and its
resources, either as a launch pad to scan and exploit other systems or by keeping a low
profile and continuing to exploit the system itself. Both damage the organization. For
instance, the attacker can install a sniffer to capture all network traffic, including telnet
and FTP sessions with other systems, which carry credentials in clear text.

Attackers who prefer to remain undetected remove evidence of their entry and use a
backdoor or a Trojan to regain access at will. They may also install kernel-level rootkits:
a rootkit subverts the operating system itself, whereas a Trojan horse operates at the
application level. Both typically depend on being run with sufficient privilege, often by
tricking a user or administrator into installing them. On Windows, many Trojans install
themselves as a service running as LocalSystem, which has administrative privileges.

Attackers use Trojan horses to exfiltrate user names, passwords and even credit card
information stored on the system. They can retain control for a long time by hardening the
system against other attackers, which incidentally gives the system some protection from
other attacks. They then use their access to steal data, consume CPU cycles, trade sensitive
information or even resort to extortion.

5. Covering Tracks

An attacker prefers to eliminate evidence of their presence and activities, both to
maintain access and to evade punitive action. Erasing evidence is a necessity for any
attacker who wants to remain unnoticed, and it is one of the best ways to avoid being
traced. Usually this starts with removing the log entries for the attacker's logins and any
error messages generated by the attack; a buffer overflow attempt, for example, usually
leaves a message in the system logs. Next the attacker changes the system so that future
logins are not logged. By manipulating the event logs, the attacker can convince the
system administrator that the system's output is correct and that no intrusion or
compromise has taken place.

Because checking the system log files is the first thing a system administrator does when
looking for unusual activity, intruders commonly use a tool to modify the logs. In extreme
cases, rootkits disable logging altogether and discard all existing logs. More often, when
the intruder intends to keep using the system as a base for future intrusions, only the parts
of the logs that would reveal their presence are removed, since an empty log is itself
suspicious. The defence is to forward logs to a separate collector the intruder cannot
reach, so that the original record survives local tampering.
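The check a defender runs against this is simple once logs are forwarded: diff the local file against the collector's copy, and look for lines whose timestamps run backwards, which syslog never writes but a hand edit easily produces. The Python below is an added example, not part of the original module; the auth.log lines, hostnames and addresses are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample data (not real logs): the local auth.log after an intruder
# removed the lines recording the break-in, and the same log as it arrived at a
# remote syslog collector before the tampering. Hosts and IPs are invented.
LOCAL_LOG = """\
Mar  3 02:14:01 web01 CRON[4123]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 02:31:55 web01 sshd[4201]: Accepted publickey for deploy from 10.0.1.20 port 51322 ssh2
Mar  3 03:14:01 web01 CRON[4390]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 03:40:12 web01 sshd[4475]: Accepted password for deploy from 10.0.1.20 port 51390 ssh2
"""

REMOTE_LOG = """\
Mar  3 02:14:01 web01 CRON[4123]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 02:31:55 web01 sshd[4201]: Accepted publickey for deploy from 10.0.1.20 port 51322 ssh2
Mar  3 02:52:07 web01 sshd[4288]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  3 02:52:10 web01 sshd[4288]: Failed password for root from 198.51.100.23 port 40022 ssh2
Mar  3 02:52:16 web01 sshd[4288]: Accepted password for root from 198.51.100.23 port 40022 ssh2
Mar  3 02:53:02 web01 sudo:     root : TTY=pts/1 ; PWD=/root ; COMMAND=/usr/bin/vi /var/log/auth.log
Mar  3 03:14:01 web01 CRON[4390]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 03:40:12 web01 sshd[4475]: Accepted password for deploy from 10.0.1.20 port 51390 ssh2
"""

# A cruder edit: the intruder pasted a line back in the wrong place.
SLOPPY_LOCAL_LOG = """\
Mar  3 02:14:01 web01 CRON[4123]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 02:31:55 web01 sshd[4201]: Accepted publickey for deploy from 10.0.1.20 port 51322 ssh2
Mar  3 03:40:12 web01 sshd[4475]: Accepted password for deploy from 10.0.1.20 port 51390 ssh2
Mar  3 03:14:01 web01 CRON[4390]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host message" (day is space-padded).
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def parse_ts(line):
    """Timestamp of a syslog line, or None if it does not parse. The format has no
    year, so a December-to-January wrap would be reported as an order violation."""
    m = SYSLOG_RE.match(line)
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S") if m else None


def lines(text):
    return [l for l in text.splitlines() if l.strip()]


def deleted_locally(local_text, remote_text):
    """Lines the collector received that no longer exist in the local file.
    Counter subtraction keeps duplicates honest: two identical lines are two events."""
    return list((Counter(lines(remote_text)) - Counter(lines(local_text))).elements())


def not_forwarded(local_text, remote_text):
    """Lines present locally but never received: forged entries, or forwarding is broken."""
    return list((Counter(lines(local_text)) - Counter(lines(remote_text))).elements())


def order_violations(text):
    """Consecutive line pairs whose timestamps run backwards: a sign of hand editing,
    since syslog appends lines in arrival order."""
    out, prev = [], None
    for l in lines(text):
        ts = parse_ts(l)
        if ts is None:
            continue
        if prev is not None and ts < prev[0]:
            out.append((prev[1], l))
        prev = (ts, l)
    return out


if __name__ == "__main__":
    for l in deleted_locally(LOCAL_LOG, REMOTE_LOG):
        print("DELETED LOCALLY:", l)
    for earlier, later in order_violations(SLOPPY_LOCAL_LOG):
        print("OUT OF ORDER:", later, "\n   follows:", earlier)
```

On the sample above the diff recovers the four removed lines (three root login attempts from 198.51.100.23 and the sudo record of vi being opened on auth.log), while the order check flags nothing in the careful edit and one pair in the sloppy one. The order check is a weak signal on its own (clock changes and buffered writers also produce it); the forwarded copy is the evidence.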

It is vital for attackers to make the system look as it did before they gained access and
established backdoors for their use. Any modified files need to be restored to their
original attributes: the size and dates shown in a directory listing are just metadata
stored with the file, and attackers reset them so that a casual listing shows nothing
changed.

Trojaned versions of system binaries such as ps or netcat, installed in place of the
originals, let the attacker hide processes and connections and clean evidence from the
log files. Once such Trojans are in place, the attacker can be assumed to have total
control of the system. Rootkits automate this: running the rootkit's script replaces a set
of critical files with trojaned versions, hiding the attacker with ease.
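Both of the last two paragraphs (restored file attributes, and system binaries replaced with trojaned copies) are caught by the same defensive check: a baseline of content hashes and inode metadata taken while the system is trusted, and stored off-host. The Python below is an added example, not from the original module. It relies on Unix semantics: an attacker can put mtime back with utime, but ctime (last inode change) cannot be set from user space without moving the system clock, so a file whose mtime matches the baseline while its ctime has moved has been touched. The "ps" it fingerprints is a constructed stand-in created in a temporary directory, not the real binary.

```python
import hashlib
import os
import tempfile
import time


def fingerprint(path):
    """Content hash plus the inode metadata a listing shows (size, mtime) and the
    one it does not (ctime). Unix semantics assumed; on Windows st_ctime is the
    creation time and this ctime check does not apply."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode,
            "atime_ns": st.st_atime_ns, "mtime_ns": st.st_mtime_ns,
            "ctime_ns": st.st_ctime_ns}


def baseline(paths):
    """Record fingerprints for a set of trusted files (keep the result off-host)."""
    return {p: fingerprint(p) for p in paths}


def verify(base):
    """Compare each file's current state with its baseline. Returns
    {path: [reasons]} for files that differ; an empty dict means all clean."""
    findings = {}
    for path, old in base.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        new = fingerprint(path)
        reasons = []
        if new["sha256"] != old["sha256"]:
            reasons.append("content changed")
        if new["size"] != old["size"]:
            reasons.append("size changed")
        if new["mode"] != old["mode"]:
            reasons.append("mode changed")
        if new["mtime_ns"] != old["mtime_ns"]:
            reasons.append("mtime changed")
        elif new["ctime_ns"] != old["ctime_ns"]:
            # The inode was written but mtime was put back: someone restored the
            # visible timestamp after modifying the file (timestomping).
            reasons.append("ctime moved while mtime did not: timestamp reset suspected")
        if reasons:
            findings[path] = reasons
    return findings


def demo():
    """Trojan a constructed stand-in for /bin/ps, restore its mtime, and verify."""
    d = tempfile.mkdtemp()
    ps = os.path.join(d, "ps")
    with open(ps, "wb") as f:
        f.write(b"\x7fELF original ps")
    base = baseline([ps])
    time.sleep(0.05)                      # let the kernel's coarse clock tick so ctime can move
    with open(ps, "wb") as f:
        f.write(b"\x7fELF trojaned ps")   # same size, different content
    # The attacker's "revert": mtime and atime set back to the recorded values.
    os.utime(ps, ns=(base[ps]["atime_ns"], base[ps]["mtime_ns"]))
    return verify(base)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", "; ".join(reasons))
```

In the demo the replacement keeps the file's size and mtime identical to the baseline, so a directory listing shows nothing, yet verify() reports both the hash mismatch and the ctime movement. The same logic is what package managers' verify modes (rpm -V, debsums) and host-based integrity monitors apply across the whole filesystem; the baseline is only worth anything if it was taken before the compromise and stored where the attacker cannot edit it.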

PENETRATION TESTING METHODOLOGY

The Penetration Testing Execution Standard (PTES) covers everything involved in a
penetration test: from the initial communication and reasoning behind the test, through the
intelligence gathering and threat modeling phases in which testers work behind the scenes
to understand the organization under test, through vulnerability research, exploitation and
post-exploitation, to the final report.

Objective:

The main objective of penetration testing is to identify security weaknesses. Penetration testing
can also be used to test an organization's security policy, its adherence
to compliance requirements, its employees' security awareness and the organization's ability to
identify and respond to security incidents.

Scope:

There are basically three levels of network penetration testing:

a. Security Assessment (Validation):

This level of testing is vulnerability-centric. Heavily utilizing automated toolsets, the
test starts with a vulnerability assessment and is followed by a manual review of any
findings to eliminate “false positives.” These automated scans take up to several hours,
and can search for tens of thousands of known vulnerabilities. This introductory level
of penetration test offers a report focused on vulnerabilities in your network security
posture.

b. CREST-Aligned Penetration Test

This level of test assesses the security of your network infrastructure by simulating an
attack from malicious outsiders and/or insiders to identify attack vectors,
vulnerabilities and control weaknesses. Penetration testing involves mainly manual
testing techniques that are supported by automation. This often includes open
source intelligence gathering (OSINT) by passive, semi-passive and/or active means,
exposed applications (unauthenticated), and potentially social
engineering (people) attack vectors as well.

c. Red Team Engagement
Organizations with mature security programs with professional staff dedicated to
defending against cyberattacks can take part in “red team” engagements, where the
penetration testers (ethical hackers) play offense and the security staff play defense.
This dynamic, highly targeted form of penetration testing uses real-world attack
scenarios designed to test your detection and response capabilities. A red team
engagement isn’t about pinpointing your vulnerabilities—it’s about gaining access by
any means available to the sensitive data you’re trying to protect and your ability to
detect and defend the attack.

A penetration tester's responsibilities in such an engagement typically include:

• Define the parameters of the test
• Keep aware of the latest security threats and malware
• Review current corporate policies and help redefine procedures for better security
• Strengthen current hardware and software with implementations of better security standards
• Record feedback and reports for review by the main business managers

Limitations:

Limitation of Time − A penetration test is a time-boxed exercise: the testers are allotted a
fixed amount of time for each engagement. Attackers have no such constraint and may plan
an attack over weeks, months or even years.

Limitation of Scope − Many organizations do not test everything, because of resource,
security or budget constraints. The tester therefore has a limited scope and has to leave
out parts of the systems that might be far more vulnerable and a perfect niche for the
attacker.

Limitation on Access − Testers often have restricted access to the target environment. For
example, a company may have its DMZ systems tested only from a designated test network,
while a real attacker comes in through the normal Internet gateway, a path the test never
exercised.

Limitation of Methods − Some attack methods could crash the target system during a test,
so they are taken off the table for a professional penetration tester. For example, an
attacker may launch a denial-of-service flood to distract the system or network
administrator from another attack, but that is likely to fall outside the rules of
engagement for most professional testers.

Limitation of Skill-sets of a Penetration Tester − Professional testers are limited by their
own skills, whatever their expertise and past experience. Most specialise in a particular
technology and have little knowledge of other fields.

Limitation of Known Exploits − Many testers know only the exploits that are public, whereas
a well-resourced attacker may develop new ones. Attackers often think well beyond a
tester's ability to discover a flaw to attack.

Limitation to Experiment − Most testers are time-bound and follow the instructions given
by their organization or seniors; they rarely try something new or think beyond those
instructions. Attackers, by contrast, are free to think, experiment and create a new path
to attack.

Moreover, penetration testing can neither replace routine IT security tests nor substitute
for a general security policy; it supplements the established review procedures and
discovers new threats.

The following are some common and basic tools needed to complete a penetration test with
the expected results:

• VMware (or another hypervisor):
  Runs multiple guest operating systems on a single workstation, so that both of the
  following can be kept side by side and reset to a clean snapshot between engagements.

  1. Linux-based operating system:
     Linux is the most widely recommended OS for penetration testing, and most testing is
     carried out on a Linux-based system.

  2. Windows-based operating system:
     A Windows system (the module cites XP/7) is necessary for certain tools. Many
     commercial and Microsoft-specific network assessment and penetration tools run
     cleanly only on that platform.

• Wi-Fi adapter:
  An external 802.11 USB adapter is recommended because its chipset can be chosen for
  monitor mode and packet injection, which most built-in wireless adapters do not support.

• Spectrum analyzer:
  A device used to examine the spectral composition of an electrical or optical waveform.
  It is used to determine whether a wireless transmitter is operating according to the
  defined standards.

• Software:
  The software requirements depend on the engagement scope. Some commercial and
  open-source tools that may be required to conduct a full penetration test properly are:
  1. Maltego
  2. Nessus
  3. Nexpose
  4. RainbowCrack
  5. dnsmap
  6. The Social-Engineer Toolkit (SET)
  7. The Metasploit Framework
  8. dnsrecon

The penetration testing execution standard defines seven phases, covered in turn below:

1. Preparation (pre-engagement interactions)
2. Intelligence Gathering
3. Threat Modelling
4. Vulnerability Analysis
5. Exploitation
6. Post-Exploitation
7. Reporting

1. Preparation:
In this phase we prepare and gather the tools, operating systems and software needed to
start the penetration test. Which tools are needed depends on several factors, such as the
type and depth of the engagement.

2. Intelligence Gathering
In this phase, information is gathered to guide the assessment. The aim is to collect
anything about the target that could help an attacker gain access, expose secret or private
data, or is otherwise relevant to the target. At this stage, publicly available information
is drawn from:

• Search engines
• The target's websites
• Domain registrars (WHOIS)
• SEC filings
• Recruiting sites (job postings reveal the technologies in use)
• Netcraft.com

3. Threat Modeling:
Threat modeling is a process for improving security by identifying the assets an attacker
would want, the threats against them and the vulnerabilities that expose them, and then
defining countermeasures to prevent, or reduce the effect of, those threats. It determines
where the most effort should be applied to keep a system secure, and it has to be revisited
as applications are added, removed or upgraded or as user requirements evolve.
4. Vulnerability Analysis:

Vulnerability analysis is used to identify and assess the security risks posed by the
vulnerabilities found. The process is divided into two steps: identification and
validation.

• Identification: discovering the vulnerability is the main task in this step.
• Validation: in this step, the list of identified vulnerabilities is reduced to those
  that are actually valid, discarding the scanner's false positives.

5. Exploitation
After finding the vulnerabilities, we try to exploit them to breach the system and its
security. Several frameworks and tools are available for this, some commercial and some
free and open source. The most commonly recommended include:

1. Core IMPACT
2. SAINT Scanner and Exploit
3. Metasploit Framework
4. sqlmap
5. Canvas
6. Social-Engineer Toolkit
7. Netsparker

6. Post-Exploitation
In the post-exploitation phase, the value of the compromised machine is determined and
control of it is maintained for later use. The value of the machine depends on the
sensitivity of the data stored on it and on its usefulness for compromising the rest of
the network.

7. Reporting:
In this phase we report the findings in a form that the organization owning the system or
hardware can understand and act on. The report covers the defects that allowed an attacker
to violate security policy and achieve some impact or consequence; in particular, defects
that let an intruder gain increased levels of access or interfere with the normal operation
of systems are vulnerabilities.
There are different kinds of report, depending on the audience to whom we are reporting:

• Executive Level Reporting
  Business impact
  Customization
  Talking to the business
  Effect on the bottom line
  Strategic roadmap
  Maturity model
  Appendix with terms for risk rating

• Technical Reporting
  Identify systemic issues and technical root cause analysis
  Maturity model

  Technical findings
    Description
    Screenshots (ensure all PII is correctly redacted)
    Request/response captures
    Proof-of-concept examples (ensure PoC code provides benign validation of the flaw)

  Reproducible results
    Test cases
    Fault triggers

  Incident response and monitoring capabilities
    Intelligence gathering
    Reverse IDS
    Pentest metrics
    Vulnerability analysis
    Exploitation
    Post-exploitation
    Residual effects (notifications to 3rd parties, internally, law enforcement, etc.)

• Common elements
  Methodology
  Objective(s)
  Scope
  Summary of findings
  Appendix with terms for risk rating


