Certified Ethical Hacker

Unit 2 Project

Presented

By

Sandra Grannum

To

Dr. Pace

On

December 13, 2011

Table of Contents

Abstact………………………………………………………………………………………………………..3

Seven steps of Information gathering…………………………………………………..………..4

Popular Reconnaissance tools……………………………………………………………………….5

Methods to crack passwords on windows linux and Mac…………………………….…..8

Password Cracker downloads…………………………………………………………….………….9

Security Plan……………………………………………………………………………………………….. 9-11

Steps to remove evidence……………………………………………………………………………. 11

References:…………………………………………………………………………………………………..12

Abstract

This paper list and describe the seven steps of information gathering and describe some of the most popular reconnaissance tools while explaining the benefits and limitations of each. Included as well is the method to crack passwords on Windows, Linux, and Mac. There is also a password cracker tool that was downloaded on my home computer that describes the steps and outcomes. Least but not last, a security plan is also included in this project and the steps to remove evidence of an attack on a network.

Define the seven-step information gathering process • Information gathering is divided into seven steps. These steps include gathering information, determining the network range, identifying active machines, finding open ports and access points, OS fingerprinting, fingerprinting services, and mapping the network.
Define footprinting • Footprinting is the process of acquiring an increasing number of data regarding a precise network environment, typically for the purpose of finding ways to encroach into the environment.
Locate the network range • Locating the network range is desired to be familiar with what addresses can be targeted and are obtainable for extra scanning and analysis.
Identify active machines • In order to identify active machines, ping sweeps and port scans and assist in the testing of knowing if the machine is vigorously connected to the network and in reach.
Understand how to map open ports and identify their underlying applications • Ports are tied to applications and, as such, can be registered, arbitrary, or dynamic.
Describe passive fingerprinting • Identifying systems exclusive of injecting traffic or packets into the network is Passive fingerpriniting
State the various ways that active fingerprinting tools work • Certain systems respond in distinctively. So active fingerprinting tools inject oddly crafted packets into the network to measure how systems respond.
Use tools such as Nmap to perform port scanning and know common Nmap switches • Understanding Nmap switches is a required test element. Common switches include -sT, full connect, and -sS, stealth scan.

Reconnaissance Tools:

Security intrusion detection has gotten more complicated, so has the software used by hackers. By looking at the network, that’s how Intrusion-detection software identifies you. Hackers are aware that scanning and probing a network is likely to create a feeling or thought that might create an alarm. Based on this, hackers have developed new software that make an effort to achieve or completely hide the true purpose of its action. Reconnaissance tools that is used today:

|NMAP |WHOIS |
|SATAN |Ping |
|Portscanner |Nslookup |
|Strobe |Trace |
|Ethereal |NESSUS |

http://www.ciscoarticles.com/CCSP-Cisco-Certified-Security-Professional/Reconnaissance-Tools.html

Three Useful Tools:

• Ethereal – see what is on your network • NMAP – determine which ports are open • NESSUS – search for vulnerabilities
Ethereal
• Open Source network protocol analyzer – ethereal.com • Key points: – Run as root, but use su (not su ­) – Use filters in busy networks – Analyze stored traffic or live traffic – Have permission to sniff traffic first
Ethereal
• Good points: Large list of decoded protocols, – Easy to use interface • Bad points: Filter language difficult to use (and important) May crash in heavy traffic (capture traffic using tethereal or tcpdump for later analysis) (ethereal.com)

NMAP • The continually updated Open Source tool for network exploration and security assessments. (nmap.insecure.org) • Written by a security consultant, Fyodor • Basically a port scanner but will do much more
Host Discovery: NMAP is useful for discovering in-use IP addresses. It quickly sends ICMP Echo with –sP to check to see which hosts are up and respond. ARP scans can be used in the local network, and are very fast and quite reliable (-PR), other types of scan are possible, such as ACK scan to port (-PA –p 80)
Port Scanning: Port scanning detects open ports and represents listening services, which are potentially vulnerable services. Use port scanning to check for compliance to policy, that is no web servers on desktops or unusual services, or service list differing from netstat, an indication that a rootkit has been installed. (nmap.insecure.org)
NMAP Port Scanning: Traditional port scan displays the port number and service name. NMAP can attempt to identify application version by adding reliability to service name identification and provides additional information to port scan based on banner grabbing.
NMAP OS Identification: NMAP will attempt to identify the OS version of scanned systems but requires discovering one closed port and examines responses to packets sent to open and closed ports. It collects other information, such as ISN, IP, id, window size, and order of TCP options 1707 fingerprints in version 3.95. (nmap.insecure.org)
Pros:
Faster, more flexible, and it’s a scanner, OS and application version information that accepts IP address ranges, lists, file format and has a frontend available for the commandline inhibited.
Cons:
Scanning maybe considered hostile, SYN scans have been known to crash some systems.
Nessus Vulnerability Scanner: It is available for free use @ nessus.org, Nessus works by locating hosts starting with a target file, port scanning the targets located and probe for vulnerabilities in application listening at open ports. (nessus.org) Nessus client server architecture client requests scan and format results, the server accepts scan requests, authenticates clients, and performs scans and scan based on large and constantly updated vulnerability list. Pros: free vulnerability scanning and check for effectiveness of patching. Cons: Some UI issues, less open than it once was as well as definitely appears hostile when used. (nessus.org)

NMAP Recommendation: I would recommend using NMAP, Why? According to Zebulebu 2006, NMap is intended to detect any open (and closed! and filtered! and firewalled!) ports on a computer and to determine which services may be running on those ports. NMap is sophisticated enough to fingerprint the Operating System as well as giving a detailed examination of which the machine behave in reaction to the scan. Nmap can also estimate without sufficient information to be sure as to what OS the target may be running. The NMap tool is considered gold to a hacker, it gives them the strength and vitality required to running exploits that is relevant to target. Rather than trying several times of exploits and may never succeed. Zebulebu also states that NMap has a countless of options for running scans, with hundreds of combinations of scan types possible. “It is a command line tool (though a GUI does exist for both the Windows and Linux versions) and should, in this author’s opinion, be run from its native environment.” (Zebulebu 2006) In order to appreciate and understand NMap, you will need to be running it from the command line and you will get an understanding of how an attacker utilizes this tool. (Zebulebu 2006)

Cracking Password on Windows, Linux, and Mac:
Windows would be most effective. Why? For Windows OS, Ophcrack is the tool of choice. It is a free Windows Password cracker based on Rainbow Tables. It has a GUI that makes it easier to run. The software can decipher passwords up to 14 characters in length in a quick 10 seconds.
To use Ophcrack one needs to download the Ophcrack ISO and burn it to a CD (or load it via a USB drive). Run the CD by loading it in the tray and restarting the computer with the power switch. Switch to the BIOS options and set the computer to boot from the CD Drive. The computer boots up and reads the Ophcrack CD, which then proceeds to break the password. Use this password to log into the machine. Ophcrack is multi-platform software and so can be used for Mac and Linux too.
Linux
Turn on the computer and press the ESC key when GRUB appears. Scroll down and highlight ‘Recovery Mode’ and press the ‘B’ key; this will cause you to enter ‘Single User Mode’.
You’re now at the prompt, and logged in as ‘root’ by default. Type ‘passwd’ and then choose a new password. This will change the root password to whatever you enter. If you’re interested in only gaining access to a single account on the system, however, then type ‘passwd username’ replacing ‘username’ with the login name for the account you would like to alter the password for.
Mac OS X Apart from Ophcrack, another simple method involves using the Mac OS X installation CD (for v10.4). Insert and reboot to display UTILITIES. Choose RESET PASSWORD to get a new one. Login using this password, to reset the password in Mac OS X 10.5, reboot the computer and press COMMAND + S
At the prompt type in: sck -fy mount -uw / launchctl load /System/Library/LaunchDaemons/com.apple.DirectoryServices.plist dscl . -passwd /Users/UserName newpassword
Login with the new reset password
Password Cracker:
The tool that I installed on my Red Hat server was john
The tool was downloaded from repo forge http://pkgs.repoforge.org/john/ The tool can be run in the following modes:
(1) Wordlist
(2) Single Crack
(3) Incremental
I ran it in the Wordlist and Incremental modes. In the first mode, the program checked the password against a dictionary word that I supplied. If the password was in the dictionary, it found it. If it was not in the dictionary, it was not found. In the Incremental mode, it was able to crack some passwords created on different character combinations.
This method actually took longer to crack than the previous method. On my systems at home, school and at work, I do take extra steps to secure my passwords by making it strong. Personally, I treat passwords as underwear. They should not be shared with anyone also and they should be changed often. To make my passwords secure, I try to stay away from using personal nouns that are related to me and I also stay away from common words or words in the dictionary. I also make sure that I use random sequence of characters with mixed cases, numbers and special characters on the keyboard such as spaces, hyphens, asterisks, commas and periods.

Security Plan to protect against password & keylogger attacks:
Use a Firewall: In order for a Keylogger to do harm it needs to be tranmitted through a third party. Of course this is sending information out of your computer via the Internet. A firewall is an excellnet defense against keyloggers for the reason that it will monitor your computer’s activity closer than anyone could. When you identify that a program is trying to send data out, the firewall will ask for authorization or display a warning. Some firewall software, such as ZoneAlarm, will supply you with the option of shutting down all inbound and outbound data completely. (Smith 2011)
Install a Password Manager: According to Smith most users infected with a keylogger will never know it unless an account or credit card is hijacked. One disadvantage of keyloggers, however, is the fact that you can’t keylog what isn’t typed. That’s where automatic form filling becomes useful. If a password is filled in automatically by your PC, without any keystrokes, the password will only be susceptible to keyloggers the very first time you type it. All the major web browsers have this feature baked in and will request to store your password information the first time you type it. Some computers ship with software that offers this functionality throughout the entire operating system. So saying all that when you choose a paasword make sure it is a mix of alphanumeric and characters. (Smith 2011)
Keep your Software Updated: Taking charge of your computer’s security is always a good idea, and the most significant part of a proactive defense is keeping software updated. Keyloggers, like most variants of modern malware, can harness software vulnerabilities to inject them into your system without you, and in some cases your antivirus, being any the wiser. An example of Adobe Flash, has had issues with remote code implementation exploits in the past. Also Microsoft Windows and Mac OS X are habitually patched to take care of grave exploits. You must update your system as often as updates are available because if you don’t you will be leaving it open to all sorts of attacks that could otherwise have been avoided. If you implement the updating process by making sure all software is current this will make your lives easier. This process is quite easy and will save and stop most attacks before it occurs. (Smith 2011)
Change Your Passwords Frequently: For most users, the actions stated above will provide enough protection to ward off any keylogger woes, however, there is always password stolen issues even when things are done right to safe guard your password. This is most likely the fault of exploits that have yet to be identified or patched and it can sometimes occur because of social engineering. Almost all smart geek is vigilant, but none is perfect. By altering your passwords more often, say every 30 days will help reduce the latent damage of a keylogging attack. If your password is stolen the likely hood of it being used immediately is slim, unless that keylogger was directly targeted at you (in that case your problems are bigger than keylogging!). Also, if your password is changed every two weeks, then your stolen information will no longer be useful. Appling these methods will help to safeguard you against keyloggers and password by lessening their chance to infect your PC and diminishing the information they can steal if one does happen to be installed. Even though, you can never protect yourself 100%, applying/implementing these steps will decrease your risk.

Steps used to remove evidence of an attack on a network:
According to tech-faq.com before you make an effort to resolve the problems of an attack, it is suggested do your best to record all the information possible such as “the name and IP address of the machine, the installed operating system, operating system version, installed service packs, and record all running processes and services.”
Gathering evidence of network attacks, involves the following behaviors: • Achieving the most valuable information this is the process that would need to be acquired: ▪ Retrieving all application event log information. ▪ Retrieving all system event log information. ▪ Retrieving all security event log information. ▪ And also retrieving all other machine specific event logs, such as DNS logs, DHCP logs, or File Replication logs. • In-addition malicious activities needs to be recorded and must include: ▪ Corrupted, deleted and modified files. ▪ Also all unauthorized processes running.

References:
Understanding Footprintig and Scanning, Gregg M., (2006) retrieved on 12/5/11 from http://www.informit.com/articles/article.aspx?p=472323

How to Crack the Account Password on Any Operating System, Tech J, (2009) retrieved 12/6/11 from http://www.joetech.com/how-to-crack-the-account-password-on-any-operating-system/

http://www.ciscoarticles.com/CCSP-Cisco-Certified-Security-Professional/Reconnaissance-Tools.html n.d. retrieved 12/10/11

http://pkgs.repoforge.org/john/ retrieved 12/13/11

NMap tutorial – part one, Zebulebu (2006) retrieved 12/10/11 from http://www.certforums.co.uk/forums/computer-security/18698-nmap-tutorial-part-one.html

4 Ways to protect against keyloggers and password, Smith M (2011) retrieved 12/12/11from http://www.makeuseof.com/tag/4-ways-protect-keyloggers/

Responding to IT Security Incidents, n.d. retrieved on 12/12/11 from http://technet.microsoft.com/en-us/library/cc875825.aspx

Responding to Network Attacks and Security Incidents, n.d. retrieved 12/13/11 from http://www.tech-faq.com/responding-to-network-attacks-and-security-incidents.html