
SANS 504.2: Attack Trends


To create an effective defense, we must understand the offensive tools attackers use. That's what this book is all about.

Attack Trends

💡 First rule: always get permission, and it needs to be in writing.

Most new IoT devices lack security, as there is price competition between
vendors and short time-to-market development cycles.

Industry experts expect 5.7B IoT devices by 2025.

The CrowdStrike report indicates that nation-state attackers are getting faster, reducing
"breakout time" (the time from initial compromise to the first lateral movement):

Russia: 20 min, North Korea: 140 min, China: 240 min, Iran: 309 min

This means you have roughly 3.5 hours to detect and respond to an initial compromise of
your network before the attacker has moved on to other systems.

The bottom line here is that we live in the golden age of hacking,
but it's also the golden age of information security. The two go hand
in hand.

Reconnaissance

SANS 504.2 1
The internet is a treasure trove of information for a curious
attacker.

Before you send your first packet to a target, collect OSINT data.

OSINT is used both offensively and defensively, as we'll see in this module.

Some OSINT techniques:

whois: collect information about the registrant

12whois: history information about the target, but you have to give them $1 per
lookup 😟

Reverse whois: find other domains registered by the same registrant

Certificate data: gather information about targets and which CAs are in use

Have I Been Pwned website: check whether the target's email addresses appear in known breaches

SpiderFoot: give it a domain name, hostname or email address and it automates the collection

OSINT is great for attackers since it generates no logs on the target.

After the OSINT phase, attackers move on to active scanning.

DNS Interrogation

The attacker’s goal is to discover as many IP addresses
associated with the target domain as possible.

The nslookup command can be used to interact with the DNS server to get this
data.

dig is another useful tool for DNS recon; on UNIX it does the same job:

dig @DNSserver target.com ANY
dig @DNSserver target.com AXFR

ANY asks for every record type (many servers now answer it with a minimal response), and AXFR requests a full zone transfer.

You can also brute-force DNS names from a wordlist.

To mitigate this type of attack, don't allow zone transfers from just any system,
use split DNS, and make sure your DNS servers are hardened.
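The DNS brute force mentioned above, as an added example (not SANS course material): guess `<word>.<domain>` from a wordlist, but first probe a random label so that a wildcard record (`*.target.com`) does not make every guess look like a hit. The resolver is injectable; the `SAMPLE_ZONE`, `target.example` names and `192.0.2.x` addresses are constructed data for an offline run, and the default resolver uses the system DNS for a real, authorised target.

```python
"""Subdomain brute force with wildcard detection (added example, not course material)."""
import socket
import uuid
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve a name to one IPv4 address via the OS resolver, or None if it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver) -> Optional[str]:
    """Return the IP that a random, certainly-nonexistent label resolves to, or None.

    A wildcard record (*.domain) makes every guessed name appear to exist,
    so the brute force must discount answers that match the wildcard address.
    """
    probe = f"{uuid.uuid4().hex[:12]}.{domain}"
    return resolve(probe)


def brute_force(domain: str, words: List[str], resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Try <word>.<domain> for every word and return {hostname: ip} for genuine hits."""
    wildcard_ip = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    for word in words:
        label = word.strip().lower()
        if not label:
            continue
        host = f"{label}.{domain}"
        ip = resolve(host)
        if ip is None:
            continue
        if wildcard_ip is not None and ip == wildcard_ip:
            continue  # same answer as the wildcard: not evidence of a real host
        found[host] = ip
    return found


# Constructed sample data for an offline demonstration (hypothetical zone, not a real target).
SAMPLE_ZONE = {
    "www.target.example": "192.0.2.10",
    "mail.target.example": "192.0.2.25",
    "vpn.target.example": "192.0.2.30",
}
WILDCARD_IP = "192.0.2.99"
WORDLIST = ["www", "mail", "vpn", "dev", "staging", ""]


def sample_resolver(name: str) -> Optional[str]:
    """Answers only for names present in SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name)


def wildcard_resolver(name: str) -> Optional[str]:
    """Same zone, plus a catch-all *.target.example record."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    return WILDCARD_IP if name.endswith(".target.example") else None


if __name__ == "__main__":
    for resolver in (sample_resolver, wildcard_resolver):
        print(resolver.__name__, brute_force("target.example", WORDLIST, resolver))
```

Against a real target, pass a large wordlist and the default resolver; the wildcard probe is the step that keeps a catch-all zone from producing thousands of false positives.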

Website Searches
You should check press releases, white papers, design documents, contacts,
etc.

Check public databases, job sites and hacker sites.

Pushpin is a social-media geolocation tool that uses Flickr and Google photo
metadata. It pulls all available social media posts from a given area and
can map targets to behavior patterns.

Search Engines
The easiest way to get information is to ask for it. Ask whom?

Google, Bing, Baidu, Yahoo and Shodan

There is also the GHDB (Google Hacking Database).

The instructor covered some Google dorks.

waybackurls: pulls the URLs the Wayback Machine has archived for a domain.

Many files (.doc, .xls, .pdf, .jpeg) carry metadata that can be useful to attackers,
such as:

Usernames, directory paths, vulnerable software versions

Extracting the metadata by hand is a painful process. Luckily for us, FOCA
automates it.
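What FOCA harvests from an Office document, as an added example (not the page's or FOCA's code): an OOXML file (.docx/.xlsx/.pptx) is a zip, and `docProps/core.xml` and `docProps/app.xml` carry the creator, the last editor, the application version and the template path. The sample document is constructed in memory; the usernames, company and path in it are hypothetical.

```python
"""Extract attacker-relevant metadata from OOXML documents (added example, not course material)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict

CORE_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
APP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def extract_office_metadata(data: bytes) -> Dict[str, str]:
    """Return the author/software fields found in an OOXML file's docProps parts."""
    fields: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            # Dublin Core / core-properties children: who created and last saved the file
            for tag, key in ((f"{{{DC_NS}}}title", "title"),
                             (f"{{{DC_NS}}}creator", "creator"),
                             (f"{{{CORE_NS}}}lastModifiedBy", "last_modified_by")):
                el = root.find(tag)
                if el is not None and el.text:
                    fields[key] = el.text.strip()
        if "docProps/app.xml" in names:
            root = ET.fromstring(zf.read("docProps/app.xml"))
            # extended-properties children: software, version, company, template path
            for tag, key in (("Application", "application"), ("AppVersion", "app_version"),
                             ("Company", "company"), ("Template", "template")):
                el = root.find(f"{{{APP_NS}}}{tag}")
                if el is not None and el.text:
                    fields[key] = el.text.strip()
    return fields


def build_sample_docx() -> bytes:
    """Constructed minimal .docx with the kind of metadata a leaked document carries (hypothetical values)."""
    core = f'''<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CORE_NS}" xmlns:dc="{DC_NS}">
  <dc:title>Q3 Network Design</dc:title>
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>TARGET\\ahernandez</cp:lastModifiedBy>
</cp:coreProperties>'''
    app = f'''<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="{APP_NS}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>12.0000</AppVersion>
  <Company>Target Corp Example</Company>
  <Template>C:\\Users\\jsmith\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm</Template>
</Properties>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in extract_office_metadata(build_sample_docx()).items():
        print(f"{key:>17}: {value}")
```

From one document the attacker gets two usernames, a domain name (`TARGET`), a local profile path, and an old Office build to target. The defensive check is the same function run over your own public documents before they are published.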

Recon-ng, by Tim Tomes, is another powerful recon tool.

Bishop Fox's SearchDiggity is a fantastic suite that includes Google Diggity.

Maltego is an intelligence-gathering tool that searches through various public
information sources. It gathers information about relationships between people,
social networks, companies, etc.

Numerous websites offer the capability to research or even attack other sites:

Shodan

tools.dnsstuff.com

www.network-tools.com

www.securityspace.com

Shodan is an online service that crawls the internet much the same way Google
crawls web pages, except that it records open ports and the service banners behind them.

Scanning
War Dialing

War dialing is an old technique, but still amazingly successful.

This technique is used to attack voicemail systems.

HD Moore released a tool called WarVOX that focuses on conducting war-dialing
assessments of target telephone number ranges.

War Driving

The identification of wireless networks is known as war driving.

Wi-Fi networks are an attractive target for attackers.

Some tools we use for scanning Wi-Fi:

inSSIDer

From MetaGeek; uses active and passive scanning with a standard Wi-Fi
card on Windows. Identifies SSIDs and channel information, and integrates with a
GPS for location mapping.

WiFi Analyzer

Gathers similar data, but for Android devices.

Kismet

Captures Wi-Fi activity and provides detailed information about networks and
clients as they are seen.

It's completely passive.

PSK-based Wi-Fi authentication is simple and inexpensive to deploy, but it's susceptible to
offline password guessing.

After capturing a WPA handshake in Kismet's output, we can use Aircrack-ng to
crack the pre-shared key with a wordlist.

It's possible to impersonate open APs without special hardware; ILMN is a Linux
virtual machine for impersonating an AP.

Non-Wi-Fi attacks are less common, but no less damaging to
your organization.

Beyond Wi-Fi there are many other vulnerabilities:

Insecure protocols

Bluetooth

Automation controls over ZigBee

Automation systems over Z-Wave

Vulnerable RFID systems for door locks

PSK is not appropriate for enterprise networks; deploy WPA2 Enterprise with
a plan to move to WPA3.

To identify wireless intruders, look for the appearance of renegade (rogue)
access points or strange messages sent by intruding wireless clients.

Also, for detecting renegade access points, Cisco offers built-in capabilities in
existing access points to detect unregistered access points that appear in your
environment.

These tools are also widely used by law enforcement to identify criminals using Wi-Fi
access points.

Nmap is an essential tool for attackers and defenders alike!

When run with raw-socket privileges, Nmap sends four probes to identify live hosts (an unprivileged run falls back to TCP connects to ports 80 and 443):

ICMP Echo request

TCP SYN to port 443

TCP ACK to port 80

ICMP Timestamp request

Once Nmap finishes a network sweep and its traceroute activity,
the Zenmap GUI can provide an interactive graphical portrayal of the network.

To mitigate being scanned, the instructor recommended disabling ICMP Echo Request
messages, but then your users can't ping you.

Or, if you notice a particularly frequent ping sweep, you could temporarily block
the source address.

SYN scan is the stealthiest, as it doesn't complete the connection, and
most systems don't log uncompleted connections.

ACK scans are useful for mapping firewall rules (filtered vs. unfiltered), but not for port
scanning, since they don't reveal whether a port is open. Useful for finding
sensitive internal systems post-exploitation.

More than 30 methods are used for Nmap OS fingerprinting.

Traditional port scanning with Nmap can be slow.

Masscan separates the thread that sends SYNs from the thread that receives the
responses (stateless scanning), which makes it far faster than Nmap.

EyeWitness takes screenshots of websites, VNC and RDP services.

Evading IPS, IDS
Many IDS/IPS systems do not validate the TCP checksum.

An attacker can insert a TCP RST with an invalid checksum: the target's TCP stack
silently drops it, but the IDS/IPS believes the connection ended and clears its
reassembly buffer, so a signature split across the RST is never matched.
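The evasion above worked through in code, as an added example (not course material): build real TCP segments with an RFC 793 checksum, forge a RST whose checksum is deliberately wrong, and feed the stream to a small model of a stream tracker that either validates checksums (what the endpoint's TCP stack does) or does not (the weak IDS). The addresses, ports and the `etc/passwd` signature are constructed for the demonstration.

```python
"""TCP checksum validation vs. an IDS that skips it (added example, not course material)."""
import socket
import struct
from typing import List, Tuple

TCP_PROTO = 6
FLAG_RST, FLAG_PSH, FLAG_ACK = 0x04, 0x08, 0x10


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum, as used by the IP and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int,
                  flags: int, payload: bytes = b"", bad_checksum: bool = False) -> bytes:
    """20-byte TCP header (no options) plus payload; bad_checksum corrupts the field like a forged RST."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    good = tcp_checksum(src_ip, dst_ip, header + payload)
    csum = (good + 1) & 0xFFFF if bad_checksum else good
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Recompute with the checksum field zeroed and compare, as an endpoint's stack does."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return tcp_checksum(src_ip, dst_ip, zeroed) == struct.unpack("!H", segment[16:18])[0]


def reassemble(src_ip: str, dst_ip: str, segments: List[bytes], validate_checksum: bool) -> bytes:
    """Minimal stream tracker: append payloads in order, flush on RST.

    validate_checksum=False models the weak IDS: the forged RST empties its buffer.
    validate_checksum=True models the real endpoint: the forged RST is dropped.
    """
    buf = b""
    for seg in segments:
        if validate_checksum and not checksum_ok(src_ip, dst_ip, seg):
            continue
        if seg[13] & FLAG_RST:
            buf = b""
            continue
        buf += seg[20:]
    return buf


# Constructed attack stream: signature split around a forged RST.
ATTACKER, VICTIM = "198.51.100.7", "192.0.2.80"
SIGNATURE = b"etc/passwd"


def attack_stream() -> List[bytes]:
    return [
        build_segment(ATTACKER, VICTIM, 40000, 80, 1000, FLAG_PSH | FLAG_ACK, b"GET /../../etc/"),
        build_segment(ATTACKER, VICTIM, 40000, 80, 1015, FLAG_RST | FLAG_ACK, bad_checksum=True),
        build_segment(ATTACKER, VICTIM, 40000, 80, 1015, FLAG_PSH | FLAG_ACK, b"passwd HTTP/1.0\r\n\r\n"),
    ]


def evasion_demo() -> Tuple[bool, bool]:
    """Return (weak_ids_alerts, endpoint_sees_signature) for the constructed stream."""
    segs = attack_stream()
    weak_ids = SIGNATURE in reassemble(ATTACKER, VICTIM, segs, validate_checksum=False)
    endpoint = SIGNATURE in reassemble(ATTACKER, VICTIM, segs, validate_checksum=True)
    return weak_ids, endpoint


if __name__ == "__main__":
    weak, endpoint = evasion_demo()
    print(f"weak IDS matched signature: {weak}; endpoint received signature: {endpoint}")
```

The same reassembler with checksum validation turned on is the fix: an IDS that drops segments the endpoint would drop sees exactly what the endpoint sees.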

Many attackers today abuse services and protocols your environment uses
every day:

SSH, RDP, Citrix, OWA

Attackers will use an exploit/payload combination for the initial attack, but will
switch to stolen user credentials as soon as possible.

Some mitigations for evasion:

Keep your IDS and IPS up to date

For sensitive systems, use host-based IDS/IPS in addition to network-based IDS
and IPS

Implement user behavior analytics

Vulnerability Scanners

Many commercial and open-source scanners:

Rapid7

SAINT

BeyondTrust

Nessus

OpenVAS

The instructor talked about Nessus, the most popular one ("check the room on
TryHackMe").

SMB sessions
SMB is an application-layer protocol that implements file and printer sharing,
domain authentication, remote administration, and other features.

SMB is heavily used by attackers, often appearing as "normal"
TCP/445 traffic. It is an essential protocol for defenders to understand.

Establishing an SMB session from Windows:

SMB password guessing:

BloodHound

A tool that graphs the quickest path to domain administrator privileges.

For example:

Gain access as a domain user.

Find all systems.

Find one of those systems where a domain administrator is logged on.

Steal the domain administrator's access.
