Hands-On Ethical Hacking Tactics - Shane Hartman - E-Book

Description

If you’re an ethical hacker looking to boost your digital defenses and stay up to date with the evolving cybersecurity landscape, then this book is for you. Hands-On Ethical Hacking Tactics is a comprehensive guide that will take you from fundamental to advanced levels of ethical hacking, offering insights into both offensive and defensive techniques. Written by a seasoned professional with 20+ years of experience, this book covers attack tools, methodologies, and procedures, helping you enhance your skills in securing and defending networks.
The book starts with foundational concepts such as footprinting, reconnaissance, scanning, enumeration, vulnerability assessment, and threat modeling. Next, you’ll progress to using specific tools and procedures for hacking Windows, Unix, web servers, applications, and databases. The book also gets you up to speed with malware analysis. Throughout the book, you’ll experience a smooth transition from theoretical concepts to hands-on techniques using various platforms. Finally, you’ll explore incident response, threat hunting, social engineering, IoT hacking, and cloud exploitation, which will help you address the complex aspects of ethical hacking.
By the end of this book, you’ll have gained the skills you need to navigate the ever-changing world of cybersecurity.

Formats: EPUB, MOBI

Page count: 682

Year of publication: 2024




Hands-On Ethical Hacking Tactics

Strategies, tools, and techniques for effective cyber defense

Shane Hartman

Hands-On Ethical Hacking Tactics

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Pavan Ramchandani

Publishing Product Manager: Prachi Sawant

Book Project Manager: Ashwin Dinesh Kharwa

Senior Editor: Isha Singh

Technical Editor: Yash Bhanushali

Copy Editor: Safis Editing

Proofreader: Safis Editing and Isha Singh

Indexer: Manju Arasan

Production Designer: Prashant Ghare

DevRel Marketing Coordinator: Marylou De Mello

First published: April 2024

Production reference: 1120424

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK.

ISBN 978-1-80181-008-1

www.packtpub.com

To my wife, Susan, for your love and support while taking this life-long journey with me.

To my sons, Jacob and Aiden, for reminding me that life moves quickly, and if you don’t stop once in a while and look around, you might miss it…

– Shane Hartman

Foreword

I have known and worked with Shane Hartman for more than 13 years. Shane is a leading ethical hacking and counterintelligence expert. In this book, Hands-on Ethical Hacking Tactics, Shane takes you on a learning journey that started nearly 30 years ago for him when he was hardening networks as an IT administrator and later specializing in identifying, responding to, and remediating the most advanced cyber threats to date. Shane is the kind of individual who tinkers with new technologies as they come out, such as near-field communication (NFC) in his lab, to see what he can break within a new protocol on a mobile device for payment systems, to review and understand new vulnerabilities to construct mitigations against attack.

In this book for undergraduates or those just starting in the business, Shane has leveraged his real-world field experience to build a practice guide for new practitioners in a hands-on approach to ethical hacking – bravo! All too often, we see books that academically discuss how to configure and harden a network or the opposite on how to generically perform a penetration test. We now have a generation of “tool monkeys” that don’t have much of an understanding beyond using a tool.

Real penetration testers worth their salt need to understand architecture, protocols, integrations, and more from both the red and blue team perspectives and must be tactical in how they achieve outcomes. They must also be able to prove it with “trust but verify” theories and approaches and, most importantly, validate, which is what this book is designed to do.

Shane provides that introduction here to ethical hacking, from both offensive and defensive perspectives, to both orient and enable readers to start their journey. His view considers techniques, tactics, and procedures (TTPs) (MITRE ATT&CK) in everything he does, evidenced by how he thinks and walks readers through the training in this book. The practical guides that lead the reader along the way, such as setting up a vulnerable Linux host, are clear, specific, and easy to follow, covering both the setup and how the user leverages it for penetration testing.

Shane’s experience as the author of this book is significant. When I first met him well over a decade ago, he was a veteran expert within the IT administration field, eager to solve problems and learn the world of intelligence, counterintelligence, research, and response. This requires the pursuit of extreme problem solving with out-of-the-box thinking and mature critical thinking skills applied to complex problems within diversified and constantly changing cyber environments. Shane was hired and proved to be one of the most trusted, leading cyber threat intelligence analysts I know, responding to some of the most significant cyber challenges seen to date by sophisticated adversaries in cybercrime.

Since then, Shane’s experience has grown to include traditional commercial, federal, state, and local government organizations, both small and large Fortune 100 organizations, defending against nation-state actors, cyber-criminal rings, hacktivists, cyberterrorism, and more. He has real-world experience in dealing with the “threat of the unknown and undiscovered” for over a decade, managing incident response for emergent risks and identifying and countering adversarial TTPs. This combined experience provides Shane a unique and non-traditional view into the real world of how our adversaries are successfully attacking and attempting to breach, enabling him to author this book to help readers apply ethical hacking programs and proactive security measures to reduce risk in their organization.

Ken Dunham

CEO of 4D5A Security

Contributors

About the author

Shane Hartman is a senior incident response consultant for TrustedSec. In this capacity, he is responsible for delivering holistic incident response services using state-of-the-art host- and network-based tools. Using these tools, combined with advanced methodologies, he assists clients in obtaining situational awareness and rapidly identifying threats as part of a tactical response to intrusions involving sophisticated adversaries that target intellectual property and other critically sensitive data.

Prior to joining TrustedSec, Shane was an incident response consultant for RSA, where he performed incident response, threat hunts, and training. Before RSA, Shane performed malware analysis for ISight Partners/FireEye, now Mandiant. In this capacity, he provided analysis and threat intelligence based on the behavioral profile of submitted samples. This role included producing actionable intelligence, threat modeling, and mitigation techniques. Prior to malware analysis, Shane was performing perimeter security operations. This role covered the monitoring and maintenance of perimeter security software and devices, including firewalls, VPNs, architecture, and web services.

Shane is experienced in several areas, including threat hunting, network packet and log analysis, and network architecture, and has been working in information technology for the past 25+ years with 15+ of those years in information security.

Shane has presented at several industry conferences on security-related research and has taught at the college level on topics such as digital forensics, ethical hacking, and offensive computing for the last 13 years.

Shane received his BS in business/E-business, and his MS in digital forensics. His graduate focus was on malicious applications in the Android environment. He holds or has held the following certifications: Certified Information Systems Security Professional (CISSP), GIAC Certified Intrusion Analyst (GCIA), and GIAC Reverse Engineering Malware (GREM).

About the reviewers

Ashley Pearson has over a decade of industry experience in various disciplines including system administration, incident response, threat hunting, and, more recently, cyber threat intelligence. She began her career in the United States Air Force as a system administrator, later specializing in host and network forensics as a cyber warfare operator. She is currently a senior threat analyst on Mandiant’s “Advanced Practices” team.

She received her BS in Cybersecurity and Information Assurance from Western Governor’s University, and her MS in digital forensics from the University of Central Florida.

I’d like to thank my husband, John. Thank you for always supporting my constant side projects and career ambitions, and for tolerating the occasional nerd conference. I’d also like to thank the Alliance of Noble Warriors for their encouragement throughout the years.

Ahmed Neil is a well-known thought leader in the cybersecurity domain whose work focuses on approaches to information security, threat hunting, threat intelligence, malware analysis, and digital forensics. He also has a passion for academic research in the field of cybersecurity. He holds an MSc in computer forensics. He is currently working at IBM as a cybersecurity engineer (operations).

Narendra Bhati, a seasoned cybersecurity professional with an impressive 12-year tenure and a passionate commitment as a bug bounty hunter, holds the position of Manager at Suma Soft Pvt. Ltd. He is OSCP, OSWP, and CEH certified.

His expertise extends to discovering critical vulnerabilities such as arbitrary code execution and the same-origin bypass vulnerability in Apple’s Safari browser. He has tackled spoofing and sandbox vulnerabilities in the Google Chrome browser along with identified vulnerabilities within recognized platforms such as Facebook, Twitter, Google, and Microsoft.

Narendra has also identified security issues within cryptocurrency wallets such as MetaMask, Coinbase, Enjin, and MyEtherWallet.

I extend my gratitude to my understanding family and friends, who recognize the commitment needed to navigate the ever-changing landscape of cybersecurity. Special thanks to the entire infosec security community and its trailblazers for making this field an exciting and dynamic workplace. Your contributions are truly valued, and I am always thankful for everything you do!

The author acknowledges the use of cutting-edge AI, such as ChatGPT, with the sole aim of enhancing the language and clarity within the book, thereby ensuring a smooth reading experience for readers. It's important to note that the content itself has been crafted by the author and edited by a professional publishing team.

Table of Contents

Preface

Part 1: Information Gathering and Reconnaissance

1

Ethical Hacking Concepts

Technical requirements

What is ethical hacking?

Elements of information security

Why do intrusions and attacks happen?

Motive

Means

Opportunity

Types and profiles of attackers and defenders

Black hat hackers

Script kiddies

Hacktivists

Cyber terrorists/cyber warriors

Cyber criminals

White hat hackers

Attack targets and types

Network

Application

Host

The anatomy of an attack

Reconnaissance

Weaponization

Delivery

Exploitation

Installation

Command and control

Actions on objectives

Ethical hacking and penetration testing

Defensive technologies

Lab – setting up the testing lab

Setting up VirtualBox

Setting up Kali Linux

Setting up vulnerable hosts

Configuring the vulnerable Windows host

Setting up the vulnerable Linux host

Final checks

Summary

Assessment

Answers

2

Ethical Hacking Footprinting and Reconnaissance

Technical requirements

What is footprinting and reconnaissance?

Keeping inventory

Web searches and Google hacks

Exploring some useful Google hacks

Preventing exploitation through Google searches

WHOIS database records

Accessing WHOIS information

Understanding the name server entry

Third-party sources of intel

Sources for collecting intelligence

Accessing hidden information

Maltego

GitHub and online forums

SpiderFoot tool

Dmitry

Shodan

Archived information

Lab – Reconnaissance

Summary

Assessment

Answer

3

Ethical Hacking Scanning and Enumeration

Comparing scanning and enumeration

Exploring scanning techniques

Ping

Ping at scale

Traceroute

Understanding service enumeration

Introducing ports

How do port scans work?

Port scanning issues

Scanning countermeasures

Introducing the Nmap network scanning tool

Controlling Nmap scan speeds

Outputting results

The NSE

The Nmap GUI

Mapping the network

Lab – Scanning and enumeration

Summary

Assessment

Answer

4

Ethical Hacking Vulnerability Assessments and Threat Modeling

Vulnerability assessment concepts

Explaining vulnerability assessments

Types of vulnerability assessments

Vulnerability assessment life cycle

Vulnerability scanning tools

Introducing the Nessus vulnerability scanner

Best practices for vulnerability assessments

Vulnerability assessment reports

The elements of threat modeling

The finding

The kill chain

The single asset value

The organizational asset value

The estimated risk

Threat modeling frameworks

STRIDE

PASTA

VAST

Attack trees

CVSS

Threat modeling tools

Threat forecasting

Phase 1 - Research

Phase 2 - Implementation and analysis

Phase 3 - Information sharing and building

Threat model lab – personal computer security

Summary

Assessment

Answer

Part 2: Hacking Tools and Techniques

5

Hacking the Windows Operating System

Technical requirements

Exploiting the Windows OS

Exploiting Windows device drivers

Exploiting Windows networking

Address Resolution Protocol

Simple Network Management Protocol

Server Message Block

NetBIOS

Exploiting Windows authentication

User authentication and movement

Obtaining and extracting passwords

Exploring password-cracking techniques

Authentication spoofing

Pulling Windows account names via null sessions

Tools for pulling account names via null sessions

Privilege elevation

Exploiting Windows services and applications

Server-side exploits

Client-side exploits

Exploring the Windows Registry

Windows Registry exploitation

Exploiting the Windows logs

Summary

Lab

Brute force password crack

Rainbow table crack

Assessment

Answers

6

Hacking the Linux Operating System

Exploiting the Linux operating system

Exploring the Linux filesystem

Exploiting the filesystem

Linux hidden files

Important files

Exploiting Linux networking

Exploiting Linux authentication

Cracking passwords

Linux updates and patching

The Linux logging system

Exploiting the Linux kernel

Checking your kernel version

Exploiting the kernel

Lab

Summary

Assessment

Answers

7

Ethical Hacking of Web Servers

Web servers’ architecture, configuration, and vulnerabilities

Adding processing logic

Threats, vulnerabilities, and exploits to web services

Web server authentication

Basic authentication

OAuth

Some real-world web servers and ways to combat attacks

IIS hardening tasks

Apache web server hardening tasks

Types of web server/website attacks

Website defacement

DoS/DDoS attack

HTTP response-splitting attack

Cross-Site Request Forgery

Deep linking

Directory traversal attack

Man-in-the-Middle/sniffing attack

Cookie tampering

Cookie-based session attacks

Session hijacking

DNS

Lab

Summary

Assessment

Answer

8

Hacking Databases

Finding databases on the network

Discovering databases on the network

Mitigating database discovery

Exploring databases and database structures

Database threats and vulnerabilities

Network-based database attacks

Database engine faults and bugs

Brute-force attacks on weak or default passwords

Misconfigurations

Remote code execution

Indirect attacks

Hidden database servers

Accessible backups

Privilege escalation

Insecure system architecture

Database server password cracking

Methods of attacking database servers

Scanning for vulnerabilities

Attacking the System Administrator account

Exploit module attacks

Google hacks

Perusing website source code

SQL replay attack

Protecting databases

Hidden or unknown databases

How insecure databases are created

Weak auditing and insufficient logging

Lab – Database hacking

Setup

Exercise 1

Exercise 2

Summary

Assessment

Answer

9

Ethical Hacking Protocol Review

Exploring communication protocols

Introducing the OSI model

Introducing IP

Introducing TCP

The three-way handshake

UDP

ICMP

Comparing TCP and UDP

Well-known ports

Understanding protocol attacks

TCP attacks

UDP attacks

ICMP attacks

An overview of IPv6

The setup and configuration of IPv6

Reconnaissance and attack tools

Defending IPv4 networks

Defending IPv6 networks

Lab

Exercise 1

Exercise 2

Summary

Assessment

Answers

10

Ethical Hacking for Malware Analysis

Technical requirements

Why does malware exist and who are its sources?

Exploring types of malware

Virus

Worms

Trojans

Ransomware

Bots/botnets

Adware

Spyware

Malvertising

Fileless malware

Backdoors

Rootkits

How does malware get onto machines?

Analyzing a sample

Setting up a malware analysis lab

Static analysis

Dynamic analysis

Detecting malware and removing it

Perimeter monitoring

Malware prevention

Summary

Lab

Assessment

Answers

Part 3: Defense, Social Engineering, IoT, and Cloud

11

Incident Response and Threat Hunting

What is an incident?

The incident response plan

The incident response process

The preparation phase

Detection phase

Analysis phase

Containment and eradication phase

Recovery phase

Post-incident activities (postmortem)

Information sharing and coordination

Incident response team structure

Introducing indicators of incidents

Types of indicators

IOC tools

Introducing threat hunting

Threat hunting tools

Getting started with the threat hunting process

Best practices for threat hunting

Practical aspects of threat hunting

Lab: Security incident response simulation

Exercise 2: Threat Hunt

Summary

Assessment

Answers

12

Social Engineering

Introducing social engineering

Phases of a social engineering attack

Social engineering attack techniques

Physical-based social engineering

Electronic-based social engineering

Social engineering tools

Social-Engineer Toolkit

Browser Exploitation Framework

Social engineering defenses

Protecting businesses’ strategies

Protecting businesses’ policies and practices

Protecting individuals

The impact of AI on social engineering

Lab

Activities

Summary

Assessment

Answers

13

Ethical Hacking of the Internet of Things

What is IoT?

Understanding IoT communication

IoT communication layers

IoT communication models

IoT communication protocols

Attack vectors for IoT devices

Access control

Firmware attacks

Web attacks

Network service/communication protocol attacks

Unencrypted local data storage

Confidentiality and integrity issues

Cloud computing attacks

Malicious updates

Insecure APIs

Mobile application threats

Other attacks

An IoT hacking methodology

Understanding OT

An OT hacking methodology

Best practices for securing IoT/OT

Lab – discovering IoT devices

Summary

Assessment

Answers

14

Ethical Hacking in the Cloud

Understanding cloud service types

IaaS

PaaS

SaaS

Cloud deployment models

NIST Cloud Computing Reference Architecture

Understanding virtual machines / virtualization

Understanding containers

Comparing containers and VMs

Introducing serverless computing

Cloud threats and attacks

Data loss/breach

Abusing cloud services

Insecure interfaces and APIs

Inadequate identity and access management

Service hijacking

Session hijacking

Domain name system attacks

Implementing cloud security

Implementing policies, procedures, and awareness

Ensuring perimeter security

Application security

Maintaining computing storage and information security

Cloud security logs

Azure Cloud

AWS

Google Cloud Platform (GCP)

Summary

Assessment

Answers

Index

Other Books You May Enjoy

Preface

Ethical hacking is the practice of knowing and understanding your adversary by learning how attackers operate, including what they look for, what tools they use, and what techniques they employ against their victims. As organizations and individuals rely more on digital platforms for communication, commerce, and storage, the risk of cyber threats looms larger than ever before. Ethical hacking answers those threats by offering a proactive defense strategy against malicious actors seeking to exploit vulnerabilities for nefarious purposes.

There are three main areas of coverage:

Chapters 1–4 are about information gathering and reconnaissance

Chapters 5–10 are about hacking techniques and tools

Chapters 11–14 are about defense and other areas of hacking (for example, the cloud and IoT)

This introductory guide aims to demystify the realm of ethical hacking by providing a comprehensive overview of its fundamental concepts, methodologies, and tools. Through practical examples and hands-on exercises, you will embark on a journey to understand the principles of ethical hacking, explore common attack vectors, and learn best practices to secure digital assets effectively.

Whether you’re a seasoned professional seeking to enhance your cybersecurity skills or a novice intrigued by the intricacies of ethical hacking, this book serves as a valuable resource to confidently navigate the complex landscape of cybersecurity. Join me as we delve into the world of ethical hacking, and embark on a quest to safeguard systems and networks from the ever-evolving threat landscape.

There is strong demand for people with skills in the areas covered, including IT and security personnel, security operators, and incident responders.

Who this book is for

Hands-On Ethical Hacking Tactics: Strategies, Tools, and Techniques for Effective Cyber Defense is tailored for aspiring cybersecurity professionals, IT specialists, and students eager to delve into the world of digital defense by looking at how attackers operate and discussing tactics, techniques, and procedures (TTPs), as well as tools and concepts.

With hands-on exercises, tools of the trade, and expert insights, this book equips you with the tools and knowledge needed to safeguard networks, identify vulnerabilities, and mitigate cyber threats effectively.

What this book covers

Chapter 1, Ethical Hacking Concepts, introduces you to the concepts and ideas related to hacking and security, including testing computer systems to find flaws and vulnerabilities. By identifying such weaknesses before malicious hackers can take advantage of them, this practice seeks to strengthen security controls and ultimately improve cybersecurity overall.

Chapter 2, Footprinting and Reconnaissance, discusses how attackers gather information about a target system or organization to identify potential vulnerabilities and attack vectors. This includes discovering network infrastructure, system configurations, and personnel details through passive and active reconnaissance techniques, laying the groundwork for subsequent penetration testing or ethical hacking activities.

Chapter 3, Scanning and Enumeration, provides an overview of scanning and enumeration that often follow reconnaissance. Scanning involves actively probing target systems to identify open ports, services, and potential vulnerabilities. Enumeration goes further by extracting detailed information about the discovered services, such as user accounts, shares, and system configurations. These processes help ethical hackers assess the security posture of a network or system and prioritize potential attack vectors for further investigation and mitigation.

Chapter 4, Vulnerability Assessment and Threat Modeling, discusses vulnerability assessments, which systematically identify, quantify, and prioritize vulnerabilities within a system or network infrastructure. Threat modeling builds on vulnerability assessments and other information as a proactive approach to cybersecurity, systematically identifying potential threats and vulnerabilities in order to predict and mitigate risks before adversaries can exploit them.

Chapter 5, Hacking Windows, provides an overview of the process of exploiting vulnerabilities within the Microsoft Windows operating system for various purposes, including gaining unauthorized access, stealing data, or disrupting system operations. This can involve techniques such as exploiting software vulnerabilities or leveraging misconfigurations to compromise Windows-based systems.

Chapter 6, Hacking Unix, like the previous chapter, discusses exploiting operating system vulnerabilities, including misconfigurations, weak user authentication, or software vulnerabilities, to gain unauthorized access but from a Unix-based system point of view. Attackers often study Unix systems extensively to understand their architecture and security mechanisms, aiming to improve defense strategies and protect against potential attacks.

Chapter 7, Hacking Web Servers and Applications, takes a look at web server and application vulnerabilities in server configurations, web applications, and underlying software to gain unauthorized access or disrupt services. Attackers can target known weaknesses such as SQL injection, cross-site scripting (XSS), or remote code execution to compromise data or gain control over a server. Ethical hackers often employ penetration testing methodologies to identify and remediate these vulnerabilities, ensuring the security and integrity of web-based systems.

Chapter 8, Hacking Databases, focuses on hacking databases, involving the exploitation of database management systems to gain unauthorized access to sensitive data or manipulate stored information. Attackers can target weaknesses such as insecure authentication mechanisms, misconfigured permissions, or missing patches. Ethical hackers often study database architectures, SQL syntax, and security best practices to identify and mitigate potential vulnerabilities, safeguarding critical data assets from exploitation.

Chapter 9, Hacking Packets – TCP/IP Review, examines the fundamentals of TCP/IP attacks used to compromise network communications and systems. Attackers can launch various assaults such as TCP SYN flooding, IP spoofing, or TCP session hijacking to disrupt services, intercept data, or gain unauthorized access. Understanding TCP/IP vulnerabilities and implementing robust security measures are essential to mitigate these attacks and ensure the integrity, confidentiality, and availability of network resources.

Chapter 10, Malware Analysis, explores malware. As a defender, you will come across malware, and as such, you should be ready to handle it when it comes. Malware analysis is the process of dissecting and understanding malicious software to uncover its functionality, behavior, and potential impact on systems. This chapter introduces you to analyst techniques, such as static and dynamic analysis, to identify malware’s characteristics and intentions. By comprehensively analyzing malware, security professionals can develop effective countermeasures, enhance threat intelligence, and fortify defenses against evolving cyber threats.

Chapter 11, Incident Response and Threat Hunting, introduces you to incident response techniques, involving a systematic approach to managing and mitigating security incidents when they occur. This chapter also looks at threat hunting, a proactive process of actively searching for and identifying potential threats or malicious activities within an organization’s network or systems before they manifest as incidents. By integrating incident response and threat hunting practices, organizations can effectively detect, contain, and eradicate cyber threats, bolstering their overall cybersecurity posture.

Chapter 12, Social Engineering, looks at the deceptive techniques used by attackers to manipulate individuals into divulging confidential information or performing actions against their better judgment. It relies on psychological manipulation and exploiting human emotions, such as trust or fear, to deceive targets into providing access to sensitive data or systems. Effective defense against social engineering involves raising awareness, implementing strict security policies, and providing ongoing training to recognize and thwart these deceptive tactics.

Chapter 13, Hacking Internet of Things (IoT), discusses Internet of Things (IoT) device vulnerabilities and the exploitation of interconnected smart devices to gain unauthorized access or disrupt operations. Attackers target weak security measures, default credentials, or insecure communication protocols to compromise IoT devices and networks. As IoT adoption increases across various sectors, understanding and addressing IoT security risks is paramount to safeguarding personal privacy, critical infrastructure, and data integrity.

Chapter 14, Hacking the Cloud, dives into exploiting cloud technologies such as Azure and AWS, using vulnerabilities within cloud infrastructure, services, and applications to compromise data integrity, confidentiality, or availability. Attackers may target misconfigurations, weak access controls, or shared resources to gain unauthorized access or launch attacks against cloud-based environments. As organizations increasingly adopt cloud solutions, understanding and mitigating cloud security risks are essential to maintain trust, compliance, and resilience in the digital ecosystem.

To get the most out of this book

To get the most out of this book, refer to the following software/hardware and OS requirements:

Software/hardware covered in the book | Operating system requirements

VirtualBox | Windows, macOS, or Linux (Intel-based); no Apple M1+ machines

Vagrant | 8 GB RAM, 16 GB+ recommended

Metasploit | 20 GB of disk space

If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Hands-On-Ethical-Hacking-Tactics. If there’s an update to the code, it will be updated in the GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: “You can also search for deep links if the path is known or common – for example, link:my-site.com/phpmyadmin.”

A block of code is set as follows:

User-agent: *
Disallow: /

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

md5sum /usr/share/windows-resources/mimikatz/x64/mimikatz.exe

Any command-line input or output is written as follows:

cd /etc/network
sudo vi interfaces

Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: “This group is sometimes referred to as ethical hackers and is the opposite of black hat hackers.”

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you’ve read Hands-On Ethical Hacking Tactics, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there: you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below

https://packt.link/free-ebook/978-1-80181-008-1

Submit your proof of purchase

That’s it! We’ll send your free PDF and other benefits to your email directly

Part 1: Information Gathering and Reconnaissance

In this part, you will get an overview of the hacking concepts and an introduction to the attacker process often referred to as the kill chain. In addition, we will also look at some of the defender’s first lines of defense, including vulnerability assessments and threat modeling.

This section has the following chapters:

Chapter 1, Ethical Hacking Concepts
Chapter 2, Footprinting and Reconnaissance
Chapter 3, Scanning and Enumeration
Chapter 4, Vulnerability Assessments and Threat Modeling

1

Ethical Hacking Concepts

Hackers and hacking are usually associated with criminal activity, but it wasn’t always that way. In the 1960s, access to computers wasn’t readily available. They were difficult to work with, and those who could get things working often hacked things together. In other words, hackers were innovators who could solve complex problems.

In the late 1970s, computers became accessible to the public through homebrew kits, and at that time, curiosity and innovation were still a part of the hacking community. It wasn’t until the 1980s that hacking took on a negative tone, with the release of WarGames (1983) and, later, Hackers (1995), and the image of a hacker changed from an enthusiast to a criminal. Since then, the term hacker has been associated with criminal and malicious activity.

Fast-forward to today and we have a concept known as ethical hacking, meaning we take the concepts and techniques used by hackers and apply them for the benefit of organizations and individuals in an attempt to elevate their security posture. This is the first chapter in your journey to understand and apply the concepts of hacking in an ethical manner.

In this chapter, we’re going to cover the following main topics:

What is ethical hacking?
Elements of information security
Why do intrusions and attacks happen?
Types and profiles of attackers and defenders
Attack targets and types
The anatomy of an attack
Ethical hacking and penetration testing
Defensive technologies
Lab – setting up the testing lab

Technical requirements

Labs have been included to get the most out of this book. The labs are designed to enhance the subject matter by supplying tangible examples of what is covered. To be successful with the labs, the following minimum system settings are required:

8 GB of RAM minimum (16 GB recommended)
50 GB of disk space
The rights to install applications

What is ethical hacking?

Ethical hacking represents a group of skills within cyber security that manifests in a few distinctive roles, including pen testers, blue teamers, and purple teamers. Ethical hackers are also part of a larger group known as white hat hackers, whose focus is education and defense. We will discuss this in detail in the White hat hackers section later in this chapter.

What role does the ethical hacker play in organizational security? Unlike threat actors (black hats), who are motivated primarily by financial gain, ethical hackers align themselves with the defensive side of networks, attempting to secure them by pointing out the flaws and misconfigurations that malicious attackers would take advantage of. They are commonly associated with penetration testing but can assume any security role within an organization. Ethical hackers represent the apex of security practice within an organization. These practices start with core areas such as antivirus software and patch management and move on to more complex areas such as remote automation and administration, ingress and egress filtering, encryption, and authentication.

Depending on their specific role, ethical hackers use a variety of tools and techniques to search for outdated software, misconfigured systems, and potential security weaknesses within the network. They use this information not only to bolster overall organizational security but to find the weaknesses and oversights that attackers would find, using the same techniques attackers use. Ethical hackers also uncover incomplete policies and procedures. They are skilled in the tactics, techniques, and procedures (TTPs) of adversaries: they understand how attackers operate, what tools they use, how they find information, and how they use it to take advantage of an organization. Ethical hackers also recognize that security is an evolving discipline where learning and growth never end. One place to get a better understanding of attackers and the operations they perform is the MITRE ATT&CK framework, a matrix of adversary tactics (14 columns in the current Enterprise matrix), each listing the techniques attackers use to achieve that tactic. For more information, see https://attack.mitre.org/.

How does one become an ethical hacker? There are several approaches that can be taken, including using this book, and courses covering hacking and cyber security that can get you started. There are also certifications, including the Offensive Security Certified Professional (OSCP), Certified Information Systems Security Professional (CISSP), and Certified Ethical Hacker (CEH). However, even with all these opportunities and paths that can be taken, the one thing needed more than anything else is just to be curious – about how all this technology works, how information is stored and communicated, and how technology interoperates with other machines and devices.

Now that we know what ethical hacking is, let’s take a look at what makes up information security.

Elements of information security

Information security and, subsequently, ethical hacking methodologies revolve around three core principles: Confidentiality, Integrity, and Availability (CIA). These core principles provide the framework for information security and are used by ethical hackers and security professionals to test security and security solutions. These principles can be described as follows:

Confidentiality: Data stored on networks in the form of databases, files, and so on carries a certain level of restriction. Access to information must be given only to authorized personnel. Examples include nonpublic financial information that could be used to make investment decisions (trading on such information is insider trading), as well as company patents or trade secrets.

Ensuring this information is reserved for only those who need to know about it can be addressed through techniques such as encryption, network segmentation, and access restrictions, as well as practicing the principle of least privilege. These are the things ethical hackers check and test to make sure there are no gaps or exposure of information beyond what is authorized.

Integrity: Data that is accessed and viewed, whether part of an email or viewed through a web portal, must be trustworthy. Ethical hackers and security personnel ensure that data has not been modified or altered in any way; this includes data at rest as well as data in transit. Examples of integrity checks include publishing and storing hash values of files and using techniques such as digital signatures and certificates. A plain hash only helps if it is obtained from a source the attacker cannot also modify; otherwise, the attacker simply replaces both the file and its published hash.

Availability: The last principle is that of availability. Information that is locked down to a level where no one can access it not only defeats the purpose of having data but also affects the efficiency of those who are authorized to access it. However, as with the other principles, there is a tension between availability for authorized personnel and confidentiality. An ethical hacker tests availability in a number of ways, for example, by checking remote access for employees, the hours of operation set for personnel, and which devices are permitted to connect.
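The following is an added example, not code from the book, showing the integrity checks described above in working form: an unkeyed SHA-256 digest (the same idea as the md5sum check used in the conventions section, with a stronger hash) and a keyed HMAC tag. The file contents and the key are constructed for illustration. It also demonstrates the caveat that an attacker who can change the data can recompute a plain hash, whereas a keyed tag (or a digital signature, which this example does not implement) cannot be forged without the secret:

```python
"""Integrity checks with a plain hash and with a keyed hash (HMAC).

Added example for this chapter, not code from the book. The file contents and
the key below are constructed for illustration.
"""
import hashlib
import hmac

# Constructed "file" contents and a constructed secret key (assumptions).
ORIGINAL = b"allow_remote_admin = false\n"
TAMPERED = b"allow_remote_admin = true\n"
KEY = b"example-integrity-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    """Unkeyed digest. Prefer SHA-256 over MD5: MD5 collisions are practical."""
    return hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    """Compare against a digest obtained out-of-band (vendor page, signed manifest).

    compare_digest avoids leaking how many leading characters matched via timing.
    """
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed digest: without the key an attacker cannot produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def run_checks() -> dict:
    """Exercise both schemes against the original and a tampered copy."""
    published = sha256_hex(ORIGINAL)   # what the publisher posts next to the file
    tag = hmac_tag(KEY, ORIGINAL)      # what a keyed system stores alongside the data
    # An attacker who can modify the data can also recompute a plain hash, so the
    # hash must come from somewhere they cannot reach. With HMAC they lack the key.
    attacker_hash = sha256_hex(TAMPERED)
    forged_tag = hmac_tag(b"guess", TAMPERED)
    return {
        "original_hash_ok": verify_hash(ORIGINAL, published),
        "tampered_hash_ok": verify_hash(TAMPERED, published),
        "tampered_with_recomputed_hash_ok": verify_hash(TAMPERED, attacker_hash),
        "original_hmac_ok": verify_hmac(KEY, ORIGINAL, tag),
        "tampered_hmac_ok": verify_hmac(KEY, TAMPERED, tag),
        "tampered_hmac_forged_without_key_ok": verify_hmac(KEY, TAMPERED, forged_tag),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {ok}")
```

The third result is the important one: the recomputed plain hash verifies the tampered file, which is why published hashes are only meaningful when fetched from a channel the attacker does not control, or when they are signed.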

The concepts of CIA will be covered throughout the chapters as attack techniques are discussed and the principle(s) that are violated as part of an attack, as well as what practice (or practices) could be implemented to prevent/detect an attack. Next, let’s take a look at attackers and why they attack.

Why do intrusions and attacks happen?

Attacks do not operate in a vacuum, and as such, attacks and intrusions can be broken down into three core areas, sometimes referred to as the intrusion triangle or crime triangle. In other words, certain conditions must exist before an attack can occur. These core areas are Motive, Means, and Opportunity.

We’ll look at what each of these in the following sections.

Motive

An attacker must have a reason to want to attack a network. These motives include exploration, data manipulation, and causing damage, destroying, or stealing data. Motives may also be more personal, including financial, retaliation, or revenge. Examples include a disgruntled employee who wants to do damage based on some grievance with the company managers or coworkers. Another would be a cybercrime group targeting a company or industry to extort money through ransomware or some other means. Still, another would be a script kiddie who stumbled upon the network and thought it might be interesting to see what they could get access to. More on script kiddies in the Types and profiles of attackers and defenders section.

For investigators, it is also important to differentiate between motives for criminal activity and the operational goals and objectives associated with the larger crime. As an example, compromising user accounts is not the goal of an attack; gaining access to the corporate network and stealing data is. The account compromise is simply an operational goal.

It may also be important to understand the intensity of an attack and the motives behind it. People who are desperate are more determined to achieve their goals. The employee who is in a bad financial situation may see accessing and stealing company funds as the only means to alleviate the situation. And with that, the higher the pressure, the more likely it is that the employee will not only commit the crime but take larger risks to meet that goal.

Means

Once an attacker has a motive, they need the means to perform the attack. Means refers to the technology plus an individual’s or group’s skills, knowledge, and available resources. By understanding what is required to commit a given crime, plus the potential motivations, investigators can narrow attribution down to particular individuals or groups and eliminate others. Investigators also need to be aware of technological innovations as potential new means of committing the crime in question. By way of example, a nation-state actor in China would not have the means to physically access and sabotage an electrical plant in the United States. However, once the electrical plant installed IoT sensors and connected them to the internet, the means would be made available.

Opportunity

The third part, completing the triangle, is opportunity. Used in conjunction with motive and means, an opportunity is that moment or chance where the attack can be completed successfully. For an opportunity to be available, it means that various protective mechanisms were either ineffective or non-existent. This means that human, technological, or environmental factors were conducive to the crime being committed. For example, a power failure might cause locked doors to fail open for safety but allow criminals free access to all areas of the company. Or, unpatched servers exposed to the internet might be discovered during a scan, informing attackers what exploit(s) will be successful in accessing the core network. You can see a visual representation of the crime triangle in the following figure:

Figure 1.1 – Crime triangle

Of the three areas, the ethical hacker has the most control over opportunity. As a defender, you cannot eliminate motive, as that comes from the personal desires of the attacker, whether they act as an individual or as a group. You also cannot eliminate means, as knowledge is readily available and skills can be acquired. That leaves opportunity as the area where defensive effort has the best odds of preventing most attacks.

Now that we have looked at why intrusions happen, let’s take a look at the different types of people that make up the cyber security landscape, from attacker to defender.

Types and profiles of attackers and defenders

Now that we have spent time describing what is being protected and why attacks might occur, let’s look at our attackers and some of the areas where attacks take place.

The hacker community and the titles ascribed to or acquired by these groups have been a source of confusion furthered by movies and media. With all these names and titles, it can be challenging to understand who is on the good side, so to speak, versus the dark side. Let’s start by breaking these groups down, and defining what they do and where they operate.

Let’s start at the top, with Black Hats and White Hats. These monikers came from old Western movies where bad guys wore black hats, and the good guys wore white hats. The concept stuck, and from it, the black hat hacker was born, who uses their skills to perform criminal acts. On the other side is the white hat hacker, who uses their skills to help educate and defend companies and individuals from black hat activities. As with all groups and hats, for that matter, one size does not fit all, and as such, subgroups exist under these titles.

Let’s explore each of these in the following sections.

Black hat hackers

Black hat hackers are criminals who break into computer networks with malicious intent. Black hat hackers often start as novice script kiddies using purchased exploits and hacker tools – more on them in the Script kiddie section.

Their motivations lie in financial gain, revenge, or simply spreading havoc. Sometimes they might be ideological in nature, targeting industries and people they strongly disagree with.

How do black hat hackers operate? Well, they operate like any other big business; they have learned how to scale up campaigns and create distribution networks for their software. They have even developed specialties such as ransomware or phishing services they can sell or rent out.

Some even have call centers that they use to make outbound calls, pretending to represent organizations including Amazon, Microsoft, the IRS, and even law enforcement. In these scams, they try to convince potential victims to download remote control software allowing remote access. The attacker then uses their access to gather information from the victim including personal information, passwords, and banking information.

How do people end up becoming black hat hackers? Some will get a job from forums or other connections where they might be solicited and trained by organizations to make money quickly. Leading black hats are skilled hackers who may have formal training in the computer science or security fields.

Black hat hacking is extremely difficult to stop and a problem that is global in nature. The separation by geography, jurisdictions, and politics poses significant challenges for law enforcement.

Black hat hackers have several subcategories, including script kiddies, hacktivists, cyber terrorists, and cyber criminals, with slightly different motivations. Let’s look at these categories.

Script kiddies

Script kiddies, sometimes called skids or skiddies, are people who may be new to the field and have few skills, relying on the work of others to accomplish their goals. Their activity includes trading exploits and attacking networks with well-known attacks that are, in many cases, easily thwarted. They may try to develop their skills or join other groups to gain experience, or they may be used by criminal organizations. What makes this group dangerous is that there are many of them and they do not necessarily have a core motivation, making them more difficult to profile.

Hacktivists

Hacktivism is where hacking meets political and/or social agendas. A hacktivist group has a clear focus on using its skills to target governments, corporations, and even individuals that fall within the agenda it supports. Because of the nature of what they do, hacktivist groups can incorporate several other groups, including script kiddies and black hat hackers who agree with the agenda. Well-known names associated with hacktivism include Anonymous and LulzSec, along with WikiLeaks, which is a publisher of leaked material rather than a hacking group.

Cyber terrorists/cyber warriors

This group tends to be more elite and includes cyber forces employed by their respective governments or powerful groups with the means, both financially and ideologically, to attract the people necessary to complete their tasks. These tasks cover several areas, including the following:

Disruption of major or significant websites
Disruption of critical infrastructure systems such as communications systems, electrical grids, and water resources
Espionage to spy on the target government to gain a strategic or an intelligence advantage

A term also synonymous with this group is cyber warfare since a large portion of this group involves nation-state activity.

Cyber criminals

This is a group that is motivated by profit and is composed of individuals or teams who use technology with malicious intent. This group may be involved in all types of crimes from credit card and identity fraud to bank account and medical record resale.

White hat hackers

This group is sometimes referred to as ethical hackers and is the opposite of black hat hackers. They defend computer systems and networks by identifying security flaws and making recommendations for improvements. Depending on their specific role, they perform a series of tests to check the effectiveness of a security system. These tests can be simple security scans, policy and procedure reviews, or attacker simulations. They can be performed by internal employees or third-party contractors attempting to find gaps in security.

How do white hat hackers operate? They use the same hacking methods as black hats; however, they have permission from the system owners to perform the operations, and there are defined guidelines (a scope) about what is being tested, which is what makes the process legal. So, instead of exploiting vulnerabilities and taking advantage of systems, white hat hackers work to help fix issues before actors with malicious intent discover them.

White hat hackers have a number of subcategories, including pentesters (red team), blue team, and purple team, with slightly different duties. Let’s look at these categories.

Pentesters (red team)

This group is associated with pentesting and works in the offensive computing space. They are commonly third-party contractors who simulate an attack against a computer system to check for any exploitable vulnerabilities.

Defenders (blue team)

This group works in the defensive computing space and is commonly the internal employees in charge of various security systems, policies, and procedures. They establish the security measures for what needs to be protected and then monitor those measures, adjusting them based on their own tests and feedback from outside operations such as pentests and audits.

Purple team

There are times when the red team and blue team do not work well together. This can be caused by personalities and things such as ego and embarrassment. Other times, it can be caused by a disconnect between what the red team is testing and communicating to the blue team and how they might go about understanding and correcting the issues. Purple team members are there to bridge gaps in understanding and communication by having skills in both disciplines so they can ingest, distill, and translate information and details from one group to the other.

An example might be a pentest result stating that dependence on a legacy application framework opens an exploit vector: a simple buffer overflow in the authentication input. The blue team, not really knowing what to do with this information, turns to the purple team, who restate the result as something like “the outdated application has a buffer overflow vulnerability; since it cannot be fixed directly with a patch, segment it into a high-security network zone so that, if the exploit is attempted, the attacker cannot reach anything further from it.” This approach of understanding the problem, translating it, and offering potential solutions is what purple teams provide when the other two teams are not working together or communicating as effectively as they could.

There is one more group that does not really fit into any specific category, and that is gray hat hackers. Gray hat hackers are a peculiar mix of both black hat and white hat characteristics. They operate on their own, looking for faults in networks, systems, and applications. They do so with the intention of demonstrating to the owners and administrators responsible for those networks, systems, and applications that a defect exists in their security posture. Once they have validated that a vulnerability exists in a network or application, they may offer to help correct it, or, in the case of an application, inform the company through responsible disclosure before publishing information publicly. In contrast, a black hat will exploit any vulnerability, or tell others how to, as long as they profit from it.

In many cases, gray hats are just curious and do provide beneficial information to companies about the security of their applications and services. However, many security professionals do not view their methods as ethical. Exploiting a network without permission is illegal, and gray hats have not received permission from the organization to attempt to infiltrate its systems. Gray hats say they mean no harm with their hacking and are simply curious about high-profile systems, but they operate without regard to privacy or laws. Regardless of the reasons, it is still illegal, and depending on what was done, it could land them in court or jail.

How do gray hat hackers operate? As stated earlier, gray hats work at the fringe of being black hats, but they look for opportunities to work their craft legally if they can. They look for companies that have bug bounty programs that encourage hackers to report their findings. In these cases, it is a win-win for the company, as it gives hackers a sanctioned area to work in and helps mitigate the risk of exploitation by a malicious actor. Once the hacker finds an exploit or vulnerability, they need to contact the organization and present their findings. The intent at this point is for the company to recognize the security flaw, begin the process of correcting it, and hopefully compensate the hacker for their time.

However, when organizations do not respond promptly or do not fix the issue, the hacker may end up posting the vulnerability or exploitation method on the internet. This moral and ethical choice is what makes them gray hat hackers.

After exploring the different groups and their profiles, let’s look at the types of attacks that can be performed on networks and systems.

Attack targets and types

There are many things that can be targeted for an attack; however, all areas of an attack can be distilled down to three core areas. The first is the network, which is an attack on the communication structure of a network and it can target specific devices or communication protocols. The second is applications. This is the software running on devices and hosts. The third and last area is the host, which usually targets the endpoint operating system or user of the system. Let’s take a deeper look at these areas.

Network

Network attacks are usually among the first types of attack to occur. The most common of these are flooding attacks, which overwhelm the receiving hardware, forcing it to perform unintended operations or to simply give up and stop working, as in a denial of service (DoS) attack. A DoS attack can originate internally or externally. It occurs when a source generates more traffic than the receiver can handle; this can be aimed at a specific service, such as a web server, or at the interface level, such as an ARP flood. Other types of network attacks include man-in-the-middle (MITM) attacks, in which the attacker positions themselves between two communicating parties to read or alter their traffic.

Application

Application attacks, as the name suggests, focus on applications or services. Most of these target servers; however, they are not limited to servers and can exist on standalone devices or user workstations. Application attacks usually take advantage of misconfigurations or vulnerabilities. SQL injection and cross-site scripting are examples of this. Another type of application attack is Kerberoasting, which targets Microsoft Active Directory: any domain user can request Kerberos service tickets for accounts that have a registered Service Principal Name, and because those tickets are encrypted with the service account’s password hash, the attacker can crack them offline to recover the service account passwords. Misconfigurations or vulnerabilities not only allow the exploitation of the application but can act as a conduit exposing the network to further exploitation, including credential dumping, data exposure, and financial loss.
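To make the SQL injection example above concrete, here is an added example (not code from the book) that puts a vulnerable login query beside its parameterized form. It uses an in-memory SQLite database with a constructed user table; the table, the user, and the payload are all assumptions made for illustration, and passwords are stored in clear only to keep the example short:

```python
"""SQL injection: a vulnerable login query beside its parameterized form.

Added example for this chapter, not code from the book. Uses an in-memory
SQLite database with a constructed user table.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table. Clear-text passwords are used only to keep the
    example short; a real system stores a salted password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """User input is spliced into the statement, so it can change the SQL grammar."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders send the values separately from the statement; they can
    never be parsed as SQL, whatever characters they contain."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Classic payload for the password field: it closes the string literal and ORs
# in a tautology. AND binds tighter than OR, so the WHERE clause becomes
# (username = 'nobody' AND password = '') OR '1'='1', which is always true.
PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run the same credentials through both implementations."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse battery"),
        "legit_hardened": login_hardened(conn, "alice", "correct horse battery"),
        "bypass_vulnerable": login_vulnerable(conn, "nobody", PAYLOAD),
        "bypass_hardened": login_hardened(conn, "nobody", PAYLOAD),
        "wrong_password_hardened": login_hardened(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Both functions accept the legitimate credentials, but only the concatenating version lets a user who does not exist log in with the payload. The fix is not escaping quotes by hand; it is never letting user input become part of the statement text.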

Host

Host attacks, sometimes called endpoint attacks, are attacks that target end user systems through their desktop machines and laptops. Because of the nature of these machines, they tend to have a much larger number of applications installed, and the behavior of the users operating them is less defined. This gives the attacker a larger attack surface to work with. Some examples of host-based attacks include the following:

Drive-by downloads and watering holes: Here, a victim becomes compromised simply by visiting a website.
Attacks on unpatched or legacy applications: Java is a classic example, as outdated versions of Java have long been found on a large share of machines.
Phishing emails: This is one of the most effective attack vectors that exist solely at the host level. Phishing emails are likely the most common attack vector used to compromise enterprise networks today. They are simple, require few technical skills, and have proven to be highly effective. However, as training and technology improve, the success of this attack vector should begin to decline to a more manageable level.

However, before any type of attack succeeds, a series of steps or actions takes place, often referred to as the cyber kill chain. Let’s look at the cyber kill chain and see why its stages are ordered the way they are.

The anatomy of an attack

The anatomy of an attack, sometimes referred to as the Cyber Kill Chain, basically lays out a series of actions and events attackers commonly take to exploit a system or network.

This model helps defenders with context and categorizing at what stage an attacker is at when detections are made.

The cyber kill chain was adapted from the military term kill chain, which describes the structure of an attack. It was developed by Lockheed Martin as a model for identifying, detecting, and preventing intrusion activity against computer networks. It also describes the TTPs used during an attack.

The kill chain can be broken down into the following key areas, or order of operations:

Figure 1.2 – Cyber kill chain

In the following sections, we’ll describe the key areas in some detail.

Reconnaissance

Reconnaissance is the first step in an attack. The attacker needs to gather intelligence on their target. This information gathering helps the attacker profile the target and determine which vulnerabilities will meet their objectives. This part of the attack is usually the most prolonged and can take weeks, months, or even years depending on the target and the attacker’s goals. Given the current state of information available on the internet, the attacker’s job is made easier.

Here are some of the areas they look at:

Company website
Job listings
Social networks (LinkedIn, Instagram, GitHub, etc.)
Crafted searches using Google and Bing
Email harvesting
Network scanning – direct and indirect
Registration services – Whois and hosting providers

For defenders, passive reconnaissance is almost impossible to identify: over time, attackers can collect enough information from public sources, without any active connection to the target, to build a comprehensive profile. However, to discover which servers are exposed to the internet, which ports are open, and which services are running, adversaries need to actively connect to the target. If defenders can identify that activity, it helps them determine the attacker’s overall intent and anticipate subsequent actions. These techniques, including how they are performed, are covered in greater detail in subsequent chapters.

Weaponization

After sufficient time, when the collected information about the target nears completion, adversaries move into the weaponization phase. Weaponization may include preparing an exploit based on a vulnerability identified in the target’s environment. In other instances, an exploit is developed for a vulnerability, with attackers scanning the internet for anyone who appears vulnerable to deploy the payload to. This is opportunistic exploitation. The following are some preparation techniques used by adversaries as part of the weaponization process:

- Gathering launchable exploits based on vulnerabilities discovered
- Setting up Command and Control (C2) servers
- Determining the best delivery method

Security defenders cannot detect weaponization until near the end of this stage, when the adversary makes contact with the target. However, this is an essential phase for defenders to prepare for, by keeping their security controls hardened against the tactics used for exploitation and malware deployment. By being vigilant and implementing best practices, security teams can be more resilient and mitigate attacks before they start. The following are some blue team techniques for countering the weaponization stage:

- Following the latest malware trends, such as phishing, ransomware, and so on
- Building detection rules for known patterns of exploitation, such as scanning
- Gathering intelligence about new campaigns, criminal groups, and targets
- Gathering intelligence and joining groups that share information specific to your industry, such as finance, oil and gas, and so on

Let’s learn about delivery next.

Delivery

At the completion of the weaponization stage, the attacker is ready for the delivery phase. They will launch their attack using the delivery method of choice and wait for the exploitation to take place. As noted in the previous stage, some common methods for launching an attack include the following:

- Phishing emails
- Watering hole or staging servers
- Direct exploitation of exposed services such as web, email, DNS, and VPN

Depending on how the weaponization is performed, this may be the first opportunity for security defenders to detect, analyze, and block the delivery. Depending on the size of the organization, security individuals or teams need to monitor incoming and outgoing traffic and classify and analyze behavior. They also need to monitor public-facing servers and services to detect and block malicious activities.

Exploitation

Exploitation is the stage where the attacker attempts to gain access to the victim. For this to take place, the adversary needs to exploit a vulnerability; this could be a vulnerability on an internet-facing system, it could be through phishing, or it could even be through some sort of social engineering. The adversary already has spent time collecting information about the vulnerabilities, not only in systems but in people, during the reconnaissance phase. The following is a short list of some of the weaponization techniques an adversary can use to exploit a victim:

- Using detected software or hardware vulnerabilities
- Using exploit code opportunistically
- Exploiting operating systems – especially Windows
- Social engineering
- Phishing, spear phishing, and whaling emails
- Click-jacking and browser exploits

Traditional security measures help to counter the exploitation phase; however, attackers are aware of these techniques. This means defenders will also need to understand new tactics and techniques attackers are developing. The following are some key traditional measures for security defenders to be aware of and implement in some form:

- User-awareness training
- Phishing email exercises
- Vulnerability scans and assessments
- Penetration testing
- Endpoint security and hardening
- Secure coding if there is internal development
- Network security and hardening

Installation

Once exploitation is successful, the attacker moves on to the installation phase. This is the time when the attacker entrenches themselves in the system and the organization. They do this by establishing persistence, installing backdoors or opening a connection from the victim to a C2 server. Once entrenchment is complete, the attacker begins the process of lateral movement and further installations. The following are some ways attackers maintain persistence:

- Installation of web shells
- Installation of backdoors
- Adding auto-run keys to the registry
- Autoruns
- DLL path hijacking

Defenders use different security controls such as host-based intrusion detection systems (HIDS), endpoint detection and response (EDR), antivirus (AV) software, and even security information and event management (SIEM) platforms to detect and block the installation of backdoors. Security teams should monitor the following areas to detect installations:

- Anything using the Administrator account
- Applications using the Administrator account
- Using EDR reports to correlate endpoint processes
- The creation of suspicious files either by name or location
- Registry changes
- Auto-run keys
- Security control changes
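Several of the monitoring areas above (Administrator account use, registry changes, auto-run keys, suspicious file locations) come together in one check: review every write to a Run/RunOnce key and rank it by how many of those warning signs it carries. The following added example, not code from the book, does exactly that over constructed endpoint telemetry; the pipe-delimited record format and the sample events are invented for the example, while the auto-run key paths are the real Windows locations.

```python
import re

# Well-known auto-run key paths (real locations); matching is case-insensitive.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Directories a legitimate installer rarely uses for a startup entry.
USER_WRITABLE_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

# Constructed telemetry, format "<time>|<user>|<image>|<target_key>|<value_data>":
# a vendor installer registering its updater (benign), reg.exe running as
# Administrator planting a Run value that points into a user-writable folder,
# and an unrelated Explorer setting change that should not be flagged.
SAMPLE_EVENTS = """\
2024-03-01T10:00:01|CORP\\jdoe|C:\\Program Files\\Vendor\\setup.exe|HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater|"C:\\Program Files\\Vendor\\updater.exe"
2024-03-01T10:02:13|CORP\\Administrator|C:\\Windows\\System32\\reg.exe|HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost|C:\\Users\\Public\\svchost.exe
2024-03-01T10:05:00|CORP\\jdoe|C:\\Windows\\explorer.exe|HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden|1
"""


def parse_events(text):
    """Split the constructed pipe-delimited records into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, user, image, key, data = line.split("|", 4)
        events.append({"time": time, "user": user, "image": image,
                       "key": key, "data": data})
    return events


def autorun_reasons(ev):
    """Return the reasons this event merits review (empty list if none).
    Only writes under an auto-run key are considered at all."""
    if not AUTORUN_KEY_RE.search(ev["key"]):
        return []
    reasons = ["write to auto-run key"]
    if ev["user"].lower().endswith("\\administrator"):
        reasons.append("performed under the Administrator account")
    if any(d in ev["data"].lower() for d in USER_WRITABLE_DIRS):
        reasons.append("startup command points into a user-writable location")
    if ev["image"].lower().endswith("\\reg.exe"):
        reasons.append("written via reg.exe rather than an installer")
    return reasons


def detect_autorun_persistence(events):
    """Return [(event, reasons)] for every auto-run write, most suspicious first."""
    hits = [(ev, autorun_reasons(ev)) for ev in events]
    hits = [(ev, r) for ev, r in hits if r]
    hits.sort(key=lambda h: len(h[1]), reverse=True)
    return hits
```

Even the benign installer write is returned with a single reason: every new auto-run entry deserves a look, and the extra reasons decide which one an analyst opens first.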

Now let’s dive in and explore command and control.

Command and control

In the C2 phase, the attacker creates two-way communication with their server to issue commands from – this is known as a C2 server. This C2 server can be owned and managed by the adversary or rented from another group. This C2 server is set to command the infected hosts, much like other legitimate applications that use an agent on the endpoint to foster communications. The following are some characteristics of C2 channels: