Module 3: Ethical Hacking

Page 1

Prepared by Mrs. POSHITHA.M, AP, Dept. of CSE, MVJ College of Engineering, Bangalore. The content introduces the module on ethical hacking specifically tailored for understanding vulnerability assessment and network sniffing.

Page 2

Course Objective

  • Understand real-world information intelligence methods.

  • Learn about vulnerability scanners.

  • Understand techniques to sniff network traffic.

  • Familiarize with methodologies used to hack targets.

  • Appreciate the variety of attacks that can be performed against wireless networks.

Page 3

Module Overview: Vulnerability Assessment & Network Sniffing

  • Introduction to Vulnerability Assessment including pros and cons.

  • Overview of NMap: functionality, database updating, and specific use cases in SCADA environments and vulnerability scanning.

  • Introduction to Nessus: usage in vulnerability scanning.

Page 4

Network Sniffing Concepts

  • Discuss types of sniffing, differences between hubs and switches, and modes of operation.

  • Cover MITM Attacks: techniques and implications.

  • Basics of the ARP protocol, associated attacks, and denial of service (DoS) attacks.

  • Tools for sniffing such as Dsniff, Driftnet, Urlsnarf, Webspy, and Wireshark.

Page 5

Advanced Sniffing Techniques

  • Ettercap: Overview of ARP poisoning and session hijacking through MITM attacks.

  • Techniques to sniff session cookies using Wireshark and methods to hijack sessions.

Page 6

SSL Stripping

  • Understand SSL stripping, its requirements, and automation of MITM attacks that utilize SSL stripping. Discuss DNS and DHCP spoofing techniques as well.

Page 7

Applications of Network Sniffing and DoS Attacks

  • Overview of the implications of network sniffing and denial of service attacks.

  • Details about the institution's backing and recognition.

Page 8

Vulnerability Scanning Focus

  • Examination of open ports, services, versions, and operating systems on target hosts/networks.

  • Highlight Nessus vulnerabilities and its integration with Metasploit for effective vulnerability assessments.

Page 9

  • Discuss the Nmap scripting engine for scanning vulnerabilities detailing its strengths and limitations in comparison to Nessus.

  • Basic usage of the tools will be explained.

Page 10

Understanding Vulnerability Scanners

  • Define vulnerability scanners and their operations: scanning for weaknesses in systems, networks, and applications.

  • Emphasize the probing methodology and analyzing responses from the target.

Page 11

Information Captured by Scanners

  • Enumerate capabilities of vulnerability scanners:

    • Open ports

    • Services running

    • Operating systems

    • Identifying vulnerabilities

Page 12

Pros and Cons of Vulnerability Scanners

  • Advantages: automated task capabilities improving efficiency of reconnaissance and scanning.

  • Disadvantages: vulnerability scanners are loud and prone to false positives and false negatives, which can impact stealth during penetration testing.

Page 13

Vulnerability Assessment with Nmap

  • Nmap's powerful features, including scripting for automation: Lua scripts for tasks such as OS fingerprinting and vulnerability scanning.

Page 14

Nmap Scripting Engine

  • Discuss directory path to Nmap scripts and mention several examples of available scripts useful for penetration testing. Examples include detection scripts for various services.

Page 15

Updating the Database

  • Best practices regarding frequent updates of the Nmap scripting engine database for optimal performance.

Page 16

Scanning Common Vulnerabilities

  • Focus on known vulnerabilities such as MS08_067_netapi on Windows environments.

  • Highlight Nmap's capabilities to automate vulnerability checks.

Page 17

Output Analysis

  • An example of expected Nmap scan outputs showing vulnerability detection.

Page 18

  • Discuss alternative commands to execute vulnerability scans while emphasizing that these could be easily detected.

Page 19

Testing SCADA Environments

  • Define SCADA and discuss precautions necessary while testing automated systems.

Page 20

Installing the vulscan Script

  • Outline steps to install the vulscan.nse script and how to execute it from Nmap to perform enhanced scanning.

Page 21

Overview of Nessus

  • Define Nessus as a multi-purpose vulnerability scanner and compare its coverage with other tools such as Nmap. Mention its banner-grabbing methodology.

Page 22

Nessus Feed Types

  • Discuss the different feeds available for personal and professional uses.

Page 23

Limitations of Nessus

  • Discuss potential shortcomings related to banner versioning and false positives in Nessus reports.

Page 24

Nessus Installation and Activation

  • Outline steps for obtaining an activation code for Nessus and registration process.

Page 25

Home vs Professional Feed

  • Differentiate the functionalities included in both feeds and emphasize usage limitations of the home feed.

Page 26

Installing Nessus on BackTrack

  • Steps on activating Nessus, referring to the significance of obtaining an activation code.

Page 27

Different Activation Code Functions

  • Discuss uses for different licenses and their application for Nessus.

Page 28

User Registration in Nessus

  • Outline registration process for users once installation is finished.

Page 29

Starting the Nessus Server

  • Describe steps in launching the Nessus server and confirming its operational status.

Page 30

User Setup

  • Instructions on the command to create users in Nessus and discuss administrative permissions within the system.

Page 31

Credential Setup

  • Walk through the user setup prompts that confirm the user type and permissions.

Page 32

Nessus Server Access Interface

  • Describe accessing the Nessus server upon first-time login and security protocols in place.

Page 33

Nessus Control Panel Overview

  • Examine key components of the Nessus control panel detailing functionalities of each.

Page 34

Default Nessus Policies

  • Discuss predefined scan policies within Nessus, their objectives, and their configurations.

Page 35

Policy Descriptions

  • Detailed explanation of several Nessus default scanning policies with a brief note on their applications.

Page 36

Policy Identification

  • Highlight how to navigate and utilize Nessus policies for effective penetration testing.

Page 37

Integrating Nessus with Metasploit

  • Discuss the benefits of combining Nessus with Metasploit for a streamlined penetration testing process.

Page 38

Importing Nessus to Metasploit

  • Stepwise procedure to connect Nessus with Metasploit.

Page 39

Initial Commands for Integration

  • Show the command-line output produced while loading the Nessus plugin within Metasploit.

Page 40

Nessus Help Commands

  • Overview of available commands within Metasploit for Nessus interaction.

Page 41

Starting the Scan Process

  • Instructions to check available scan policies and initiate a new scan against a target.

Page 42

Running the Target Scan

  • Discuss command inputs to initiate scanning a specified target within Metasploit.

Page 43

Report Generation

  • Instructions for listing and accessing report components after scanning.

Page 44

Additional Tools: OpenVAS

  • Introduce OpenVAS as an open-source network vulnerability scanner, comparing it to Nessus in terms of the checks available.

Page 45

  • Overview of OpenVAS and its enhancements compared to Nessus.

Page 46

Introduction to Network Sniffing

  • Explain network sniffing methodology, intent, and common protocols targeted.

Page 47

Sniffing Types

  • Differentiate between active and passive sniffing; tactics used for both methods.

Page 48

Network Components

  • Discuss the operational differences between hubs and switches significantly impacting sniffing.

Page 49

  • Institutional representation and accreditation statements from MVJ College of Engineering.

Page 50

Hub-Based Network Communication

  • Overview of how hub-based networks operate leading to potential vulnerabilities during communications.

Page 51

Network Card Modes

  • Explain promiscuous and nonpromiscuous modes associated with network cards and their applicability to sniffing.

Page 52

MITM Attacks Explained

  • Detailed description of man-in-the-middle attacks with their mechanisms and results.

Page 53

ARP Protocol Functionality

  • Explain ARP’s foundational role in network traffic communication.

Page 54

ARP Functionality Scenarios

  • Narrate procedures ARP implements to facilitate communication between hosts.

Page 55

ARP Cache Management

  • Explain the role of ARP caches in maintaining operational efficiency on networks.

Page 56

Types of ARP Attacks

  • Address methods and scenarios of MAC flooding and ARP poisoning in targeted networks.

Page 57

MAC Flooding Techniques

  • Discuss implications and operational mechanics behind MAC flooding attacks.

Page 58

Tool: Macof

  • Introduction to the Macof tool and its capabilities for executing MAC flooding attacks.

Page 59

  • Provide command usage for employing Macof to overload networking hardware.

Page 60

Wireshark Capture Operation

  • Instructions on using Wireshark post-attack to analyze captured traffic from flooded networks.

Page 61

Understanding ARP Poisoning

  • Provide clarity on the ARP poisoning process and impact on network communication.

Page 62

ARP Poisoning Scenarios

  • Illustrate the practical implications of ARP poisoning via supported scenarios to explain attack flow.

Page 63

Denial of Service Attacks via ARP Spoofing

  • Logic behind utilizing ARP spoofing for executing denial-of-service attacks on targeted systems.

Page 64

Practical Tools: Dsniff

  • Overview of Dsniff as a comprehensive command-line ARP spoofing tool.

Page 65

Enabling IP Forwarding for MITM

  • Instructions for enabling IP forwarding to facilitate traffic redirection during MITM attacks.

Page 66

Performing MITM with ARP Spoof

  • Stepwise details on preparing the environment for conducting a successful MITM attack.

Page 67

Capturing Traffic

  • Explain logistics behind intercepting and analyzing captured traffic utilizing Dsniff with ARP spoofing.

Page 68

Driftnet Usage

  • Illustrate the use of Driftnet for capturing visual content from the victim's browsing session.

Page 69

URL Snarf and WebSpy Functions

  • Describe the functionality and usage of the urlsnarf and webspy tools from the Dsniff toolset.

Page 70

  • Example operational output from urlsnarf tool to visualize captured browsing data from the target.

Page 71

  • Instructions on deploying webspy tool for real-time webpage generation based on captured browsing sessions.

Page 72

Wireshark in Action

  • Discuss practical usages of Wireshark in capturing and analyzing passively intercepted traffic.

Page 73

Using Wireshark for HTTP Authentication

  • Stepwise guidance on capturing plain-text passwords utilizing Wireshark during traffic interception.

Page 74

Overview of Ettercap

  • Present Ettercap as a versatile tool for network attacks and ARP spoofing.

Page 75

Performing ARP Poisoning with Ettercap

  • Provide a specific methodology for using Ettercap to conduct ARP poisoning attacks on networks.

Page 76

Scanning for Hosts

  • Explain processes for host detection using Ettercap capabilities within the network.

Page 77

Target Selection in Ettercap

  • Outlining procedures for selecting targeted hosts for ARP poisoning within Ettercap settings.

Page 78

ARP Poisoning and Traffic Capture

  • Discuss specifics on initiating and monitoring traffic captured after successful ARP poisoning.

Page 79

Conducting Denial-of-Service Attacks via Ettercap

  • Utilize Ettercap’s built-in capabilities to perform denial-of-service attacks based on ARP poisoning.

Page 80

Hijacking Sessions Through MITM

  • Methodologies to exploit stolen session tokens and cookies for session hijacking via MITM techniques.

Page 81

Practical Attack Scenarios

  • Stepwise breakdown of performing a MITM attack targeting session hijacking using the previously discussed methods.

Page 82

ARP Poisoning with Cain and Abel

  • Describe the technical execution steps for conducting effective ARP poisoning using Cain and Abel.

Page 83

Session Hijacking Techniques

  • Discuss procedures and tools necessary to hijack active sessions from targeted victims.

Page 84

SSL Stripping for Credential Capture

  • Overview of the sslstrip tool for capturing credentials over HTTP traffic that the victim believes is HTTPS.

Page 85

Preparing the Environment for SSL Stripping

  • Explain the necessity of ARP spoofing and environment set-up before executing SSL stripping.

Page 86

Automating Man-in-the-Middle Attacks with Yamas

  • Introduce Yamas tool for automating multiple attack vectors during MITM scenarios.

Page 87

DNS Spoofing Techniques

  • Overview of the mechanism behind DNS spoofing with practical implications for phishing attacks.

Page 88

Launching a DNS Spoofing Attack

  • Step-by-step explanation of the processes involved in conducting a successful DNS spoofing operation.

Page 89

DHCP Spoofing Methodology

  • Discuss DHCP spoofing approaches to manipulate network settings beneficial for data interception.

Page 90

Final Steps for DHCP Spoofing

  • Explain the end-to-end command execution needed for a successful DHCP spoofing attack and the subsequent traffic analysis.

Page 91

Module Conclusion

  • Summary of vulnerabilities and ethical considerations regarding network sniffing and exploitation techniques discussed in the module.