Published by Enhelion, 2019-11-19 14:47:25

EH - Module 3

Attack Strategy Design

Generalized Attack Methodology:

An attacker typically proceeds through five phases, which are as follows:

1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Covering Tracks

1. Reconnaissance / Information Gathering

Reconnaissance refers to the preparatory phase where an attacker gathers as much
information as possible about the target prior to launching the attack. Additionally, in
this phase, the attacker draws on competitive intelligence to learn more about the
target. Network scanning, either external or internal, without authorization, may also be
involved in this phase.

This is the phase that allows the potential attacker to strategize his/her attack. This may
take some time as the attacker waits to unearth crucial information. Part of this
reconnaissance may include social engineering.

“Dumpster diving” is another reconnaissance technique: the process of looking
through an organization’s trash for discarded sensitive information. From the
Internet alone, attackers can obtain information such as employees’ contact details,
business partners, technologies in use, and other critical business knowledge. Dumpster
diving, however, may yield even more sensitive material such as usernames, passwords,
credit card statements, bank statements, ATM slips, social security numbers, and
telephone numbers.

Reconnaissance Types

Reconnaissance techniques can be categorized broadly as passive or active.

With passive reconnaissance, the attacker does not interact with the target system
directly, relying instead on publicly available information, social engineering, and
dumpster diving to gather information.

With active reconnaissance, the attacker interacts with the target system, using tools
to detect open ports and accessible hosts, locate routers, map the network, and identify
operating systems and applications.

2. Scanning / Enumeration

Scanning is the step an attacker performs immediately before attacking the network. In
scanning, the attacker uses the details gathered during reconnaissance to identify
specific vulnerabilities, so scanning can be regarded as a logical extension of, and an
overlap with, active reconnaissance. Generally, attackers use automated tools such as
network/host scanners and war dialers to locate systems and try to discover

An attacker can collect critical network information, such as the layout of systems,
routers, and firewalls, with simple tools such as Traceroute. Tools such as Cheops can
add network sweeping on top of what Traceroute provides.

Port scanners detect listening ports, revealing the nature of the services running on
the target machine. The primary defense is to shut down services that are not necessary;
appropriate filtering can also be adopted as a defense mechanism. However, attackers can
still use tools to infer the rules implemented by the filter.

Vulnerability scanners, which check a target network for many known vulnerabilities and
can potentially detect thousands of them, are the most commonly used tools. This gives
the attacker the advantage of time: they only have to find a single entrance, while the
security professional has to secure many vulnerable areas by applying patches.
Organizations that deploy intrusion detection systems still have reason to worry,
because attackers can use evasion techniques at both the application and network levels.
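From the defender's side, the port probes described above leave a trace in firewall logs. The following is an added example, not code from the module: it flags sources that touch many distinct destination ports within a short sliding window. The log line format, addresses and thresholds are assumptions.

```python
# Added example (not from the module): flag port-scan behaviour in firewall
# log lines by counting distinct destination ports per source in a sliding
# time window. Log format, thresholds and addresses are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log in an assumed "timestamp src dst dport action" format.
SAMPLE_LOG = """\
2019-11-19T14:00:01 10.0.0.5 192.168.1.10 22 DROP
2019-11-19T14:00:01 10.0.0.5 192.168.1.10 23 DROP
2019-11-19T14:00:02 10.0.0.5 192.168.1.10 25 DROP
2019-11-19T14:00:02 10.0.0.5 192.168.1.10 80 ACCEPT
2019-11-19T14:00:03 10.0.0.5 192.168.1.10 110 DROP
2019-11-19T14:00:03 10.0.0.5 192.168.1.10 143 DROP
2019-11-19T14:00:04 10.0.0.5 192.168.1.10 443 ACCEPT
2019-11-19T14:00:04 10.0.0.5 192.168.1.10 3389 DROP
2019-11-19T14:00:05 10.0.0.7 192.168.1.10 443 ACCEPT
2019-11-19T14:05:00 10.0.0.7 192.168.1.10 80 ACCEPT
not a log line
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (ACCEPT|DROP)$")

def parse(log_text):
    """Yield (timestamp, src, dst, dport, action); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, action = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport), action

def detect_scans(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src: {dst: sorted ports}} for every (src, dst) pair that hit
    at least `threshold` distinct ports within any interval of length `window`.
    Dropped probes count too: closed/filtered ports are exactly what a
    scanner walks through, so an ACCEPT-only view misses most of the sweep."""
    events = defaultdict(list)
    for ts, src, dst, port, _ in parse(log_text):
        events[(src, dst)].append((ts, port))
    hits = defaultdict(dict)
    for (src, dst), ev in events.items():
        ev.sort()
        start, flagged = 0, set()
        for end in range(len(ev)):
            while ev[end][0] - ev[start][0] > window:
                start += 1  # slide the window forward
            ports = {p for _, p in ev[start:end + 1]}
            if len(ports) >= threshold:
                flagged |= ports
        if flagged:
            hits[src][dst] = sorted(flagged)
    return {src: dict(d) for src, d in hits.items()}
```

The two requests from 10.0.0.7 are five minutes apart and touch only two ports, so they never meet the threshold; the eight probes from 10.0.0.5 within four seconds do.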

3. Gaining Access

In terms of potential damage, gaining access is the most important phase of an attack.
Attackers do not always need to gain access to the system to cause damage. For
instance, denial-of-service attacks can either exhaust resources or stop services from
running on the target system. Denial of service can be carried out by killing processes,
using a logic/time bomb, or even reconfiguring and crashing the system. Resources can
also be exhausted locally by filling up outgoing communication links.

The exploit can occur locally, offline, over a LAN, or over the Internet, as a ruse or
as theft. Stack-based buffer overflows, denial of service, and session hijacking are
examples of such attacks. Spoofing is a technique in which the attacker impersonates
other users or systems; it can be used, for example, to send a malformed packet that
triggers a bug on the target system in order to exploit a vulnerability. Packet flooding
may be used to remotely stop the availability of essential services. Smurf attacks
elicit responses from the hosts on a network while presenting the victim's address as
the legitimate source, so that the replies flood the victim.

The architecture and configuration of the target system, the skill level of the
perpetrator, and the initial level of access obtained are all factors that influence the
chances of an attacker gaining access. The most damaging type of denial-of-service
attack is the distributed denial-of-service attack, where an attacker uses zombie
software distributed over several machines on the Internet to trigger an orchestrated,
large-scale denial of service.

4. Maintaining Access

After gaining access to the target system, the attacker can choose to use both the
system and its resources. Further, they can use the system as a launch pad to scan and
exploit other systems, or maintain a low profile and continue exploiting the system.
Both these actions can damage the organization. For instance, the attacker can install
a sniffer to capture all network traffic, including telnet and ftp sessions with other

Attackers who prefer to remain undetected eliminate evidence of their entry and use a
backdoor or a Trojan to regain access repeatedly. They can also install rootkits at the
kernel level to gain superuser access. The distinction is that rootkits gain access at
the operating system level, whereas a Trojan horse gains access at the application
level. Both rootkits and Trojans rely on users to install them. On Windows systems, most
Trojans install themselves as a service and run as Local System, which has administrative

Attackers can use Trojan horses to transfer user names, passwords, and even credit card
information stored on the system. They can retain control over the system for a long
time by hardening it against other attackers; in doing so, they sometimes lend the
system some degree of protection from other attacks. They can then use their access to
steal data, consume CPU cycles, trade sensitive information, or even resort to
extortion.

5. Covering Tracks

An attacker would prefer to eliminate evidence of their presence and activities for
various reasons, such as maintaining access and evading punitive action. Erasing
evidence is a necessity for any attacker who wants to remain obscure, and it is one of
the best methods of evading being traced. Usually, this starts with erasing the login
records of the intrusion and any error messages that may have been generated during the
attack; for example, a buffer overflow attack usually leaves a message in the system
logs. Next, attention turns to making changes so that future logins are not logged. By
manipulating the event logs, the attacker can convince the system administrator that
the output of his/her system is correct and that no intrusion or compromise has
actually taken place.

Since checking the system log files is usually the first thing a system administrator
does to look for unusual activity, intruders commonly use a tool to modify the system
logs. In extreme cases, rootkits can disable logging altogether and discard all existing
logs. Where intruders intend to use the system for longer as a launch base for future
intrusions, however, they remove only those parts of the logs that would reveal their
presence.
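Selective deletion of the kind described above is detectable when each log record commits to the one before it. The following is an added example, not code from the module: a hash-chained log whose verifier reports the first record that no longer follows from its predecessor. The record format and the sample messages are constructed.

```python
# Added example (not from the module): a hash-chained audit log in which each
# record commits to the hash of the record before it, so deleting or editing
# one entry breaks every later link. Record format and messages are constructed.
import hashlib

GENESIS = "0" * 64  # anchor for the first record

def link(prev_hash, message):
    """Hash of this record bound to its predecessor."""
    return hashlib.sha256(f"{prev_hash}\n{message}".encode()).hexdigest()

def append(log, message):
    """Append message to log (a list of (message, hash) pairs); return its hash."""
    prev = log[-1][1] if log else GENESIS
    entry_hash = link(prev, message)
    log.append((message, entry_hash))
    return entry_hash

def verify(log):
    """Return (True, None) if the chain is intact, else (False, i) where i is
    the first record whose hash does not follow from its predecessor."""
    prev = GENESIS
    for i, (message, entry_hash) in enumerate(log):
        if link(prev, message) != entry_hash:
            return False, i
        prev = entry_hash
    return True, None

def demo():
    """Build a small log, then remove the one line an intruder would want gone."""
    log = []
    for msg in ["sshd: accepted login for alice from 10.0.0.9",
                "sshd: failed login for root from 10.0.0.5",
                "httpd: worker segfault (buffer overflow attempt)",
                "sudo: alice ran /bin/sh"]:
        append(log, msg)
    before = verify(log)
    tampered = [e for e in log if "segfault" not in e[0]]
    # The record after the deleted one still points at the missing hash.
    return before, verify(tampered)
```

The chain only helps if the latest hash is kept somewhere the intruder cannot rewrite, such as a remote log collector; on the compromised host itself, a root-level attacker can simply rebuild the whole chain.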

It is vital for attackers to make the system look as it did before they gained access
and established backdoors for their use. Any modified files need to be reverted to their
original attributes. Details such as file size and date are merely attribute information
recorded alongside the file, and can be reset to their earlier values.

Trojaned versions of system binaries such as ps or netcat serve attackers who want to
destroy the evidence in the log files or replace the genuine binaries with their own.
Once the Trojans are in place, the attacker can be assumed to have total control of the
system. Rootkits are automated tools designed to hide the presence of the attacker: by
executing the script, a variety of critical files are replaced with trojaned versions,
hiding the attacker with ease.
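Because size and date are only attributes, a baseline that records a content hash catches a replaced binary even after those attributes are put back. The following is an added example, not code from the module: it fingerprints a stand-in `ps` file in a temporary directory, swaps in a same-length replacement, restores the timestamp, and reports which fields still differ. File names and contents are constructed.

```python
# Added example (not from the module): a file-integrity baseline that records
# size, modification time and a SHA-256 content hash, then shows that putting
# size and mtime back after swapping a binary still trips the hash comparison.
# Files are constructed in a temporary directory; the "ps" stand-in is fake.
import hashlib
import os
import tempfile

def fingerprint(path):
    """Attributes plus a content hash for one file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": digest}

def baseline(paths):
    """Snapshot every path's fingerprint; store this off-host in practice."""
    return {p: fingerprint(p) for p in paths}

def compare(base, paths):
    """Map each changed path to the fields that differ from the baseline;
    files that vanished are reported as ["missing"]."""
    changes = {}
    for p in paths:
        if not os.path.exists(p):
            changes[p] = ["missing"]
            continue
        now = fingerprint(p)
        diff = [k for k in ("size", "mtime_ns", "sha256") if now[k] != base[p][k]]
        if diff:
            changes[p] = diff
    return changes

def demo():
    """Replace a stand-in binary with a same-size trojaned one and restore
    its mtime, the way the module describes; return what the check reports."""
    with tempfile.TemporaryDirectory() as d:
        ps = os.path.join(d, "ps")
        with open(ps, "wb") as f:
            f.write(b'#!/bin/sh\nexec /bin/real-ps "$@"\n')
        base = baseline([ps])
        assert compare(base, [ps]) == {}  # untouched file: nothing reported
        with open(ps, "wb") as f:  # same length, different contents
            f.write(b'#!/bin/sh\nexec /bin/evil-ps "$@"\n')
        m = base[ps]["mtime_ns"]
        os.utime(ps, ns=(m, m))  # timestamp reset to the baseline value
        return compare(base, [ps])[ps]
```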


The Penetration Testing Execution Standard (PTES) covers everything related to a penetration
test: from the initial communication and information gathering, through the threat modeling
phases, where testers work behind the scenes to get a better understanding of the tested
organization, to vulnerability research, exploitation and post-exploitation.


The main objective of penetration testing is to identify security weaknesses. Penetration
testing can also be used to test an organization's security policy, its adherence to
compliance requirements, its employees' security awareness, and the organization's ability
to identify and respond to security incidents.


There are basically three levels of network penetration testing:

a. Security Assessment (Validation):

This level of testing is vulnerability-centric. Heavily utilizing automated toolsets, the
test starts with a vulnerability assessment and is followed by a manual review of any
findings to eliminate “false positives.” These automated scans take up to several
hours, and can search for tens of thousands of known vulnerabilities.
This introductory level of penetration test offers a report focused on vulnerabilities
in your network security posture.

b. CREST-Aligned Penetration Test

This level of test assesses the security of your network infrastructure by simulating
an attack from malicious outsiders and/or insiders to identify attack vectors,
vulnerabilities and control weaknesses. Penetration testing involves mainly manual
testing techniques that are supported by automation. This often includes open
source intelligence gathering (OSINT) by passive, semi-passive and/or active means,
exposed applications (unauthenticated), and potentially social
engineering (people) attack vectors as well.

c. Red Team Engagement

Organizations with mature security programs with professional staff dedicated to
defending against cyberattacks can take part in “red team” engagements, where the
penetration testers (ethical hackers) play offense and the security staff play defense.
This dynamic, highly targeted form of penetration testing uses real-world attack
scenarios designed to test your detection and response capabilities. A red team
engagement isn’t about pinpointing your vulnerabilities—it’s about gaining access by
any means available to the sensitive data you’re trying to protect and your ability to
detect and defend the attack.

• Define the parameters of the test
• Keep aware of the latest security threats and malware
• Review current corporate policies and help redefine procedures for better
• Strengthen current hardware and software with implementations of better security
standards
• Record feedback and reports for review by main business managers


Limitation of Time − Penetration testing is not at all a time-bound exercise;
nevertheless, penetration testers are allotted a fixed amount of time for each test.
Attackers, on the other hand, have no time constraints; they may plan an attack over a
week, a month, or even years.

Limitation of Scope − Many organizations do not test everything because of their own
resource, security, and budget constraints. Likewise, a tester has a limited scope and
has to leave out many parts of the systems that might be much more vulnerable and could
be a perfect niche for the attacker.

Limitation on Access − Testers often have restricted access to the target environment.
For example, a company may carry out a penetration test against its DMZ systems from
across its Internet networks. However, attackers can attack through the normal Internet
gateway.

Limitation of Methods − There is a chance that the target system will crash during a
penetration test, so certain attack methods are likely to be taken off the table for a
professional penetration tester. For example, an attacker may generate a
denial-of-service flood to divert a system or network administrator from another attack
method; however, this is likely to fall outside the rules of engagement for most
professional penetration testers.

Limitation of Skill-sets of a Penetration Tester − Professional penetration testers are
usually limited by their own skills, irrespective of their expertise and past
experience. Most of them focus on a particular technology and have little knowledge of
other fields.

Limitation of Known Exploits − Many testers are aware only of those exploits that are
public. Their imagination is often not as developed as the attacker's; attackers
frequently think well beyond a tester’s ability to discover a flaw to attack.

Limitation to Experiment − Most testers are time-bound and follow the instructions
given to them by their organization or seniors. They do not try something new or think
beyond the given instructions. Attackers, on the other hand, are free to think, to
experiment, and to create new paths of attack.

Moreover, penetration testing can neither replace routine IT security tests nor
substitute for a general security policy; rather, it supplements the established review
procedures and discovers new threats.

The following are some common and basic tools that are necessary to complete
penetration testing with the expected results:

• VMware:
VMware enables us to run multiple instances of the operating system on a single

1. Linux-Based Operating System:
As Linux is the most recommended OS for penetration testing, most
penetration testing is carried out on Linux-based systems.

2. Windows-Based Operating System:
Windows XP/7 is necessary for certain tools to be used. Many commercial
tools or Microsoft-specific network assessment and penetration tools are
available that run cleanly on the platform.

• Wi-Fi Adapter:
An 802.11 USB adapter allows a wireless adapter to be connected easily to the
penetration testing system. The 802.11 USB adapter is recommended because other
adapters don’t support the required functions.

• Spectrum Analyzer:
A spectrum analyzer is a device used to examine the spectral composition of an
electrical or optical waveform. It is used to determine whether or not a wireless
transmitter is working according to the defined standards.

• Series of software:
The software requirements depend on the engagement scope. However, some
commercial and open source software that could be required to conduct a full
penetration test properly is listed below:
1. Maltego
2. Nessus
3. Nexpose
4. RainbowCrack
5. Dnsmap
6. The Social Engineering Toolkit (SET)
7. The Metasploit Toolkit
8. Dnsrecon

The penetration testing execution standard consists of six phases:

1. Preparation
2. Intelligence Gathering
3. Scanning
4. Threat Modelling
5. Vulnerability Analysis
6. Reporting

1. Preparation:

In this phase, we prepare and gather the required tools, OS, and software to start
penetration testing. Selecting the tools required during a penetration test depends on
several factors such as the type and the depth of the engagement.

2. Intelligence Gathering

In this phase, the information or data is gathered to aid in guiding the assessment actions. The
information gathering process is conducted to gather information about the target that can
help the attacker to get access, potentially secret or private data, or information that is
otherwise relevant to the target.

At this stage, testers utilize publicly available information, using:

• Search Engines
• Websites
• Registrars
• Recruiting sites

3. Threat Modeling:

Threat modeling is a process for optimizing network security by identifying vulnerabilities and
then defining countermeasures to prevent or diminish the effects of threats to the system.
Threat modeling is used to determine where the most effort should be applied to keep a system
secure. This changes as applications are added, removed, or upgraded, or as user
requirements evolve.

4. Vulnerability Analysis:

Vulnerability Analysis is used to identify and assess the security risks posed by identified
vulnerabilities. The process of vulnerability analysis is divided into two steps: Identification and
Validation.

• Identification: Discovering the vulnerability is the main task in this step.
• Validation: In this step, we reduce the number of identified vulnerabilities to only
those that are actually valid.

5. Exploitation

After finding the vulnerabilities, we try to exploit them to breach the system and its
security. Various frameworks and tools are recommended for exploitation, and many are
freely available. Some of the most recommended tools include:

1. Core IMPACT
2. SAINT Scanner and Exploit
3. Metasploit Framework
4. SQL Map
5. Canvas
6. Social Engineering Toolkit
7. Netsparker


In the post-exploitation phase, the value of the compromised machine is determined and
control of the machine is maintained for later use. The value of the machine is ascertained by
the sensitivity of the data stored on it and the machine’s usefulness in further compromising the

6. Reporting:

In this phase, we report the findings in a way that is understandable and acceptable to the
organization that owns the system or hardware. The report includes the defects that allow an
attacker to violate security policies to achieve some impact or consequence. In particular,
defects that allow intruders to gain increased levels of access or interfere with the normal
operation of systems are vulnerabilities.

There are different types of reporting that depend on the type of authority to whom we are

• Executive Level Reporting
  Business impact
  Talking to the business
  Effect on the bottom line
  Strategic roadmap
  Maturity model
  Appendix with terms for risk rating

• Technical Reporting
  Identify systemic issues and technical root cause analysis
  Maturity model

• Technical Findings
  Ensure all PII is correctly redacted
  Request/response captures
  PoC examples
  Ensure PoC code provides benign validation of the flaw

• Reproducible Results
  Test cases
  Fault triggers

• Incident Response and Monitoring Capabilities
  Intelligence gathering
  Reverse IDS
  Pentest metrics
  Vulnerability analysis
  Residual effects (notifications to 3rd parties, internally, LE, etc.)

• Common Elements
  Summary of findings
  Appendix with terms for risk rating


