Ethical Hacking Methodologies
Scanning is the second step of the hacking process. The information gathered previously during
the reconnaissance phase is important, as it helps fine-tune the search. In this step, networks are
scanned to determine which hosts are live on the network and what they do. There are multiple
types of scans and tools available; the most popular tools are Nmap and SuperScan.
Performing targeted scans reduces the time required to discover data and lowers the odds of the
scan being detected and logged by an IDS or anti-virus system. It also reduces the chances of
system administrators being alerted to the incident.
During the scanning phase, the attacker scans the network for specific data based on the data
gathered during the information gathering phase.
Scanning can include the use of diallers, port scanners, network mapping, ping tools, vulnerability
The attacker scans the whole network to find out which hosts are live and which are dead. After
running that scan, the next step is port scanning. In computer networking, a port is an endpoint of
communication. In simple terms, ports can be thought of as the doors of a computer through which
it offers its services. There are a total of 65535 ports, some of which are registered by IANA or
by ICANN.
Ports 0 to 1023 are the well-known ports, ports 1024 to 49151 are registered ports, and ports from
49152 to 65535 are dynamic or private ports.
After scanning completes, the tools return information about the victim/target machine, such as
live machines, ports, port status, OS details, device type, system uptime and the type of services
running on the network, which is then used to launch the attack.
Network scanning is one of the components of information gathering that an attacker uses to
create a profile of the target organization.
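As an added, defender-side example (not code from the source text), the following Python turns the kind of scan result described above into a host and port inventory that an administrator can reconcile against what is supposed to be listening. The input lines are constructed in nmap's grepable (-oG) layout, the port-range names follow the IANA ranges given above, and the function and variable names are my own.

```python
"""Parse nmap grepable (-oG) output into a host/port inventory.

Added defender-side example; not code from the source text. The scan lines
below are constructed in nmap's -oG layout, and the port-range names follow
the IANA ranges given in the text (0-1023 well-known, 1024-49151 registered,
49152-65535 dynamic/private).
"""
import re
from collections import defaultdict

# Constructed sample output; fields in a -oG line are tab-separated.
SAMPLE_GREPABLE = (
    "# Nmap grepable output (constructed sample)\n"
    "Host: 10.0.0.5 (fileserver.lab)\tStatus: Up\n"
    "Host: 10.0.0.5 (fileserver.lab)\tPorts: 22/open/tcp//ssh///, "
    "445/open/tcp//microsoft-ds///, 3389/closed/tcp//ms-wbt-server///"
    "\tIgnored State: filtered (997)\n"
    "Host: 10.0.0.9 ()\tStatus: Up\n"
    "Host: 10.0.0.9 ()\tPorts: 80/open/tcp//http///, 8080/open/tcp//http-proxy///, "
    "50000/open/tcp//ibm-db2///\n"
    "Host: 10.0.0.12 ()\tStatus: Down\n"
)

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def port_range(port):
    """Classify a port number using the IANA ranges quoted in the text."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_grepable(text):
    """Return (live_hosts, ports) where ports maps address -> list of port dicts."""
    live = set()
    ports = defaultdict(list)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:  # comment lines and anything unrecognised
            continue
        addr, _hostname, rest = m.groups()
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status" and value == "Up":
                live.add(addr)
            elif key == "Ports":
                for entry in value.split(", "):
                    # port/state/protocol/owner/service/rpc-info/version
                    parts = entry.split("/")
                    if len(parts) < 5 or not parts[0].isdigit():
                        continue
                    number = int(parts[0])
                    ports[addr].append({
                        "port": number, "state": parts[1], "proto": parts[2],
                        "service": parts[4], "range": port_range(number),
                    })
    return live, dict(ports)


def exposure_summary(text):
    """Open ports per live host: the view a defender checks against the asset inventory."""
    live, ports = parse_grepable(text)
    return {addr: sorted(p["port"] for p in ports.get(addr, []) if p["state"] == "open")
            for addr in sorted(live)}


def unexpected_open(text):
    """Open services in the dynamic/private range, which are often unmanaged listeners."""
    _live, ports = parse_grepable(text)
    return sorted((addr, p["port"]) for addr, plist in ports.items()
                  for p in plist if p["state"] == "open" and p["range"] == "dynamic/private")


if __name__ == "__main__":
    for addr, open_list in exposure_summary(SAMPLE_GREPABLE).items():
        print(addr, open_list)
    print("dynamic-range listeners:", unexpected_open(SAMPLE_GREPABLE))
```

Only hosts reported as Up appear in the summary, so a scan that shows a host with open ports but no Up status is deliberately left out rather than guessed at; unexpected_open singles out open listeners in the dynamic/private range, which are the ones least likely to be covered by a documented service.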
Gaining access means bypassing access control and gaining access to the victim's system.
Gaining access is the most important phase of an attack in terms of potential damage, although
attackers don't always have to gain access to the system to cause damage. Gaining access is the
process of hacking into a network or computer system and taking control of it. It is in this phase
that a hacker can cause severe damage to the target network or computer system. A hacker takes
advantage of the vulnerabilities discovered in the information gathering and scanning phases to
break into the targets. The attack vectors hackers use could be the local area network, physical
access to a computer system, or the Internet.
Hackers use various techniques for gaining access. Some of them are listed below.
i) Phishing scams.
ii) Buffer overflow.
iii) Password cracking/hashing.
iv) Social-engineering attack.
v) SQL injection.
Phishing scams, keylogging, exploitation and password hashing are the major methods of gaining
access, of which exploitation is the method hackers most often use to get into victims' computers.
Phishing is a type of social engineering attack in which a hacker attempts to steal victims'
sensitive information, such as website credentials. The hacker achieves this either by posing as a
legitimate employee of an organisation with which the victim is associated, such as the bank where
the victim holds an account, or by sending phishing emails to the victims.
A buffer is a contiguous block of computer memory allocated to hold data, which can be anything
from an array of integers to a string of characters. Buffer overflow is regarded as an attack vector
in security circles. A buffer overflow occurs when a program tries to insert more data into a buffer
than the buffer can hold. A buffer overflow can also occur when a program tries to write data to a
memory location that lies beyond the buffer.
Keylogging is a technique for retrieving confidential data (such as usernames and passwords) for
the purpose of gaining access. In this scenario the attacker installs a key-logger on the victim's
system and keeps spying on the target (for example, which links are visited). Whenever the victim
types a username and password on the keyboard, the key-logger captures the keystrokes, collects
the data and stores it in a log file.
After discovering a vulnerability, exploiting it is the next step in ethical hacking. Exploits are
used for a number of different reasons, from gaining financial information to tracking a user's
whereabouts. Exploits can be executed within a network itself, which makes them very hard to spot.
Severe damage can be caused by hackers through the use of exploits.
An example of an exploit is one that includes malware installed on a target computer that waits
until a specific condition is met before activating. The condition could be a specific date or the
attacker remotely connecting to the target device. It is easy to deal with exploits when they are
in their initial stages, yet it may still take a long time to completely resolve both the activity
and the underlying weakness that enabled the malicious activity to happen in the first place.
Exploitation is carried out with a number of tools or frameworks, of which Metasploit is the
major Swiss Army knife of hackers for gaining access to and control over vulnerable systems.
After gaining access, an ethical hacker tries to maintain their access to the target system so that
they can perform other malicious activities in the future. The ethical hacker could use scripts and
other tools to hide the evidence of their attack and also to create backdoors for future attacks. A
risk involved with backdoors is that if another hacker manages to find that backdoor, then they too
could get access to the system. The ethical hacker could also choose to close the backdoor after
performing the activities they wanted to perform on the system containing it. Rootkits and trojans
can also be used for hiding the ethical hacker's activities from the company's security.
Some activities that an ethical hacker may perform for maintaining access are:
i. Creating and installing backdoors.
ii. Installing malware.
iii. Installing trojans.
iv. Installing botnets.
v. Installing shells.
vi. Installing rootkits.
Maintaining Access with Metasploit
Metasploit is an open-source tool that can be used for exploiting vulnerabilities and for
maintaining access. The Kali Linux operating system includes the command-line version of
Metasploit, which is free to use and includes several modules that an ethical hacker can use for
security testing purposes.
In this stage, after hackers have gained access and performed their malicious activities, they
clear their tracks to avoid identification by security personnel, to continue using the
compromised target system, to remove evidence of hacking, or to evade legal action. At present,
numerous security incidents occur that no one is able to detect. This includes situations where
firewalls and careful log inspection were in place.
If an ethical hacker is successful in compromising the target system, they would then need to
ensure that the system administrator does not realise the hacker was there and cannot identify
the hacker. There are not many ways that a hacker can cover their tracks, making it hard for a
system administrator, law enforcement officer, or forensics examiner to follow the hacker's
malicious activities.
Logs are the most common way for a system administrator to figure out what has occurred on
their computer system. Each failed login, successful login, and security incident is written to
the logs. Therefore, the first thing the hacker has to do is make sure there is no trace of their
malicious activities in those log files.
Clearing tracks from Windows and Linux target systems
Clear the event logs from a Windows target using Metasploit's Meterpreter
There is a script called clearev included in Metasploit's Meterpreter that can be used to clear
all logs. It accesses the event logs in the Windows operating system and erases all of them. This
may look somewhat suspicious to a careful system administrator, yet most administrators are not
watchful. At any rate, it will remove any association of the hacker with the target system from
the log files. Obviously, there might be other evidence that still remains on the system or in
the IDS or router logs.
To start with, an ethical hacker could use Metasploit to gain access to the system and get a
Once we get a meterpreter shell on a system, we can simply type the following two commands:
• meterpreter > getsystem
• meterpreter > clearev
As can be seen in the screenshot above, all the event logs from System, Security and Application
have been cleared from the log files on the victim system.
Clear the event logs on a Windows target
Another approach to erasing the log records on target systems running the Windows operating
system is to use the clearlogs.exe program. If an ethical hacker has physical access to the
target system, they can simply install and execute clearlogs.exe on it. The ethical hacker can
clear the Security, Application, or System logs.
To clear the security logs, the following command can be executed in the Windows Command
• clearlogs.exe -sec
The ethical hacker can go into the Windows Event Viewer and check the Security event details.
After running clearlogs.exe -sec, the ethical hacker will find that all the security events have
been erased and no evidence is left of any security events having occurred.
If an ethical hacker has remote access to the system, they can simply upload clearlogs.exe to the
target system via TFTP and then execute it there.
It should not be forgotten to remove clearlogs.exe before leaving the target system, as the
presence of the clearlogs program on the target system would be tell-tale evidence that someone
has compromised the system.
Clear event logs on Linux target systems
In Linux systems, log records are kept in the /var/log directory. One can easily view the
contents of the plaintext files containing the logs. A log file can be viewed using any word
processor. For example, the command kwrite /var/log/messages could be used to open the file in
the KWrite text editor.
Before leaving the target system, an ethical hacker should open this log file and simply erase
all the log entries, or carefully skim the log file and erase only those records related
explicitly to their hacking activities.
Erase the command history on Linux
To make sure that tracks are properly cleaned, it is recommended that the command history is
erased by the ethical hacker. On a Linux target system, the command history can be erased using
various commands. The bash shell in which commands are typed saves the last 500 commands executed
in it. Hence, all the commands executed on the system could be tracked by a system administrator,
who could detect the activities performed on the target system by the hacker and use the findings
as evidence.
To see the command history, the following command can be used:
• more ~/.bash_history
The environment variable HISTSIZE defines the size of the command history file. The value of
the HISTSIZE variable can be found out via the following command:
• echo $HISTSIZE
The value could then be changed to zero via the command:
• export HISTSIZE=0
Executing this command makes the shell stop storing any command history. HISTSIZE should be
set to zero before beginning to hack a target system, so that no commands are saved by the
system. If some commands have already been written to the bash history, then after setting
HISTSIZE to zero the ethical hacker should log out and log back in so that the history gets erased.
If there is too little time to either clear the history or change the value of the HISTSIZE
variable, the ethical hacker could just shred the history file by using the command:
• shred -zu /root/.bash_history
This command overwrites the history with zeros and then deletes the history file.
To verify whether the history file was successfully shredded or not, the following command can
• more /root/.bash_history
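The actions described in this section leave indicators of their own, which is what a defender monitors for. The Python below is an added detection example, not code from the source text: it scans constructed log records for an emptied Windows event log, for the clearlogs utility being launched, for HISTSIZE being set to zero and for shred being run against .bash_history. The record layout ("WIN host log event_id message" and "LNX host user command") is invented for this example; the Windows event IDs are the real ones (Security 1102 "The audit log was cleared", System 104 "The System log file was cleared", Security 4688 "A new process has been created"), and the function names are my own.

```python
"""Detect track-covering activity from log records.

Added defender-side example; not code from the source text. Windows writes
Security event 1102 and System event 104 *after* a log is emptied, so the
act of clearing a log is itself recorded, and process-creation events (4688)
record the command line of tools such as clearlogs.exe. Shell commands that
disable or destroy bash history are matched the same way. The record layout
used here is constructed for this example.
"""
import re
from dataclasses import dataclass

# (log name, event id) -> description of the clearing action it records.
WINDOWS_CLEAR_EVENTS = {
    ("Security", 1102): "Security audit log cleared",
    ("System", 104): "System log file cleared",
}

# Command-line patterns for the tools and commands named in the text.
COMMAND_PATTERNS = [
    (re.compile(r"\bHISTSIZE=0\b"), "bash history disabled (HISTSIZE=0)"),
    (re.compile(r"\bshred\b.*\.bash_history\b"), "bash history file shredded"),
    (re.compile(r"\bclearlogs(?:\.exe)?\b"), "clearlogs utility executed"),
]

# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    "# constructed sample records",
    "WIN ws01 Security 4624 An account was successfully logged on",
    "WIN ws01 Security 1102 The audit log was cleared",
    "WIN ws01 System 104 The System log file was cleared",
    "WIN ws02 Security 4688 A new process has been created: clearlogs.exe -sec",
    "WIN ws03 Security 4625 An account failed to log on",
    "LNX srv01 root export HISTSIZE=0",
    "LNX srv01 root shred -zu /root/.bash_history",
    "LNX srv02 alice more ~/.bash_history",
    "LNX srv02 alice tail -n 20 /var/log/messages",
]


@dataclass(frozen=True)
class Finding:
    host: str
    reason: str
    record: str


def _command_findings(host, text, line):
    """Match a command line or event message against the known clearing commands."""
    return [Finding(host, reason, line)
            for pattern, reason in COMMAND_PATTERNS if pattern.search(text)]


def detect_track_covering(records):
    """Return one Finding per record that indicates log or history clearing."""
    findings = []
    for raw in records:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind = line.split(maxsplit=1)[0]
        if kind == "WIN":
            parts = line.split(maxsplit=4)  # WIN host log event_id message
            if len(parts) < 5 or not parts[3].isdigit():
                continue
            host, log, event_id, message = parts[1], parts[2], int(parts[3]), parts[4]
            reason = WINDOWS_CLEAR_EVENTS.get((log, event_id))
            if reason:
                findings.append(Finding(host, reason, line))
            findings.extend(_command_findings(host, message, line))
        elif kind == "LNX":
            parts = line.split(maxsplit=3)  # LNX host user command
            if len(parts) < 4:
                continue
            findings.extend(_command_findings(parts[1], parts[3], line))
    return findings


def suspect_hosts(records):
    """Sorted list of hosts with at least one track-covering indicator."""
    return sorted({f.host for f in detect_track_covering(records)})


if __name__ == "__main__":
    for f in detect_track_covering(SAMPLE_RECORDS):
        print(f"{f.host}: {f.reason}  <- {f.record}")
    print("hosts to triage:", suspect_hosts(SAMPLE_RECORDS))
```

The sample deliberately includes a user merely reading ~/.bash_history, which is not flagged; only the shred of that file, the HISTSIZE=0 export, the clearlogs process start and the two "log cleared" events produce findings, so triage starts from hosts ws01, ws02 and srv01. Because the clearing events are written once the log is already empty, forwarding logs to a separate collector as they are generated is what keeps the earlier entries recoverable.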