Ethical Hacking Part — II: Cyber Attack

Ajay Nooji
6 min read · Aug 27, 2022


In the first part of the series I discussed the basics of ethical hacking, namely information security. In this part, we will jump straight into the ethical hacking process.

Let’s move on to the ethical hacking methodology.

There are five steps in ethical hacking. Let’s look at them one by one.

Information Gathering

Information gathering consists of finding out every detail we can about the target machine: its operating system and version, which ports are open, which services are running behind those ports, and so on.

Vulnerability Assessment

Vulnerability assessment involves finding the weaknesses and bugs in the target, looking up their CVE identifiers and severity levels, and collecting all available information about those vulnerabilities.

Penetration Testing

Penetration testing involves exploiting the vulnerabilities found in order to mimic a real cyber attack. Its purpose is to find out which devices are vulnerable, the different methods by which an attack could be carried out, and the extent of the damage such an attack could cause.

Deliverables

We submit a report to management containing full details of each vulnerability and its exploit, along with a proof of concept (in the form of a screenshot or video) for each. We also provide suggestions on how to patch or remediate the vulnerabilities.

Digital Footprint

Finally, the team removes its backdoors, clears its logs and erases any traces it left behind.

Let us mimic a cyber attack:

Let’s introduce the attacker: a Kali Linux machine.

And our target: a Windows 7 machine.

Any device on the network is identified by its IP address. Our attacker machine has the IP

And the target machine has the IP

We use tools like Nmap for the information gathering step.

This is a very basic scan that only finds which ports are open. For more detail, we perform an aggressive scan.

This gives us more information, such as the services running behind the open ports, the target’s operating system, account names, and so on.

To find vulnerabilities, we use software such as Nessus or Qualys.

The Qualys virtual scanner appliance allows us to scan all the devices on our network (I simulate a network using Oracle VirtualBox).

The scanner has found 44 vulnerabilities, mostly related to Server Message Block (SMB) and Remote Desktop Protocol (RDP).

Let us perform penetration testing. We use the Metasploit framework for this task.

Since we found SMB- and RDP-based vulnerabilities, we will concentrate on those. EternalBlue (CVE-2017-0143) is one of the many SMB vulnerabilities.

To set the target as Windows 7,

Let’s check that the information is correct.

This vulnerability allows an attacker to obtain a reverse shell. Let us exploit it.

The “meterpreter” prompt indicates the shell we now have. To verify that we have a reverse shell, let’s look at the IP address and name of the machine.

As you can see, we are inside the Windows 7 machine. This vulnerability allows an attacker to carry out a Remote Code Execution (RCE) attack. It also lets the attacker see what the target is typing and what they click with the mouse.

This attack is called keylogging: the attacker quietly records what the target is typing and clicking on.

The explorer.exe process has process ID 1364.

Start the keylogger,

If the target types something on their device,

the attacker can see it remotely.

To stop the attack,

We used an SMB vulnerability to quietly listen to the target’s keystrokes.

There is also a way to steal the target’s credentials, such as usernames and passwords. If we look at the Nmap scan results, port 135 was open. Thus we can carry this out with an ARP poisoning attack using the Ettercap software (built into Kali Linux).

We use the default settings, so click the check mark in the top right corner.

To scan for targets, click the search icon in the top left corner.

To add the target, click the three-dot icon in the top right corner and, from the drop-down menu, select Hosts and then Hosts list.

Right-click the target IP (our target is 192.168.200.5) and select Add to Target 1.

Now click the globe icon (MITM) in the top right corner and select Start ARP poisoning. In the pop-up window, select Sniff remote connections.

Now, if the target enters any credentials, they can be intercepted by the attacker.

Thus the attacker can steal sensitive information from the target with ease.
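The defensive counterpart to the ARP poisoning shown above is to watch the ARP replies on the segment for the signs the attack leaves behind: a host's IP suddenly answering with a different MAC, and one MAC claiming several IPs. The following Python script is an added example, not code from the original post; the ARP replies, MAC addresses and the gateway address 192.168.200.1 in it are constructed for illustration (only the target address 192.168.200.5 comes from the post).

```python
from collections import defaultdict

# Constructed sample of ARP replies (sender IP, sender MAC) seen on the LAN.
# The gateway 192.168.200.1 first answers with its real MAC; then a second
# host starts claiming both the gateway's and the victim's IP with its own
# MAC, which is what an Ettercap-style ARP poisoning looks like on the wire.
SAMPLE_ARP_REPLIES = [
    ("192.168.200.1", "aa:bb:cc:00:00:01"),  # gateway, legitimate (constructed)
    ("192.168.200.5", "aa:bb:cc:00:00:05"),  # victim workstation (constructed MAC)
    ("192.168.200.9", "aa:bb:cc:00:00:09"),  # attacker's own address (constructed)
    ("192.168.200.1", "AA:BB:CC:00:00:09"),  # gateway IP now claimed by attacker MAC
    ("192.168.200.5", "aa:bb:cc:00:00:09"),  # victim IP also claimed by attacker MAC
]


def detect_arp_poisoning(replies):
    """Return a list of alert strings for suspicious ARP activity.

    Two signals are checked:
    1. an IP whose MAC changes during the capture (a cache entry being
       rewritten, as happens to both victim and gateway under ARP poisoning);
    2. a single MAC that claims more than one IP (one host impersonating
       others so that traffic between them flows through it).
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()  # normalise so a case difference alone is not flagged
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(f"MAC change for {ip}: {previous} -> {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print("ALERT:", alert)
```

A legitimate change (a replaced network card, DHCP handing the address to another host) also trips the first check, so an alert is a starting point for investigation rather than proof of an attack. Static ARP entries for the gateway on sensitive hosts, or dynamic ARP inspection on the switch, are the usual mitigations.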

These exercises try to mimic the threats faced by cyber security experts and to raise awareness among a general audience. I will publish write-ups on how to perform ethical hacking on web servers in the near future.

In Part III of this series, I will discuss how to remediate vulnerabilities.

Images without a source are screenshots from my personal computer and serve as proof of concept.

Other parts of this series:

Part I: Information Security
