Chapter 6

Techniques Used by Hackers

Chapter Objectives

After reading this chapter and completing the exercises, you will be able to do the following:

  • Understand the basic methodology used by hackers

  • Be familiar with some of the basic hacking tools

  • Understand the hacking mentality

  • Be able to explain specific attack methods

Introduction

The first five chapters introduced you to general security concepts. Now it is time to explore the techniques that are used to attack your network. If you do not know what the adversary knows, it is very difficult to truly secure your network. Before going any further, it is important to realize that many hackers are not criminals. A hacker is a person who wants to understand a system, often by probing its weaknesses. There are even hackers who work for organizations, testing those organizations’ system security. This is called penetration testing and also sometimes white hat hacking, and there are several certifications for it.

There is also a long-running hacker magazine, 2600 (www.2600.com). Many computer security professionals attempt to learn hacking techniques either to enhance their security capabilities or simply to satisfy their curiosity. The techniques themselves are not criminal. However, there are people who use hacking techniques to breach systems to steal data, damage systems, or commit other cybercrimes. These people are usually referred to as black hat hackers or crackers.

The techniques presented in this chapter are presented not only to give you an understanding of how black hat hackers work but to show how you can perform penetration testing on your own network. By attempting some of these techniques on your network, you can assess your vulnerability. (It should be pointed out that you should only do this when you are very comfortable with the techniques in this chapter—and only with permission from senior management.)

Basic Terminology

Before we can delve into the world of hacking, we need to discuss the basic terminology used in this community. As you already know, the term white hat hacker is used to describe a person who uses hacking techniques for legal/ethical purposes. And the terms black hat hacker and cracker are used to describe a person who uses hacking techniques for illegal purposes.

There are a few other terms you should be familiar with. A gray hat hacker sits between the two: someone who probes systems without authorization but without criminal intent, often reporting what was found, or who moves back and forth between the roles (the term is also used loosely for a former black hat who now works as a white hat). With the proliferation of tools on the Internet, there are also a lot of people who download tools (some of which we will examine in this chapter) and perform cyber attacks without really understanding what they are doing. These people are termed script kiddies (also sometimes spelled kiddys). Another important term, phreaking, refers to hacking telephone networks, which predates hacking into computer systems.

Often penetration testing is conducted to emulate a specific adversary or type of adversary. This is done by a red team. For example, if an organization is concerned primarily about nation-state attacks, then a red team can conduct a penetration test utilizing the same techniques that are commonly used in nation-state attacks. In contrast to the red team is the blue team, which is the defensive team attempting to stop the red team’s attack.

The Reconnaissance Phase

Any intelligent/experienced hacker is going to attempt to find out information about a target before actually attempting an attack. Just as a bank robber would want to know about a bank’s alarm systems, number of guards, police response time, and so on, a black hat hacker would want to know about your system’s security. What may surprise you is how much information can be found easily on the Internet without even attaching to the target system.

Passive Scanning Techniques

One of the easiest things a hacker can do is check the target organization’s websites. Businesses commonly post information that can be very useful to an attacker. For example, let’s assume that company XYZ lists John Doe as its IT manager. An enterprising hacker can scan bulletin boards and discussion groups for references to John Doe at XYZ. That attacker might find information useful in spear phishing attacks (that is, phishing targeted at a specific individual or group of individuals), or the attacker might find information useful in social engineering. For example, a number of former employees might have complained online that John Doe is demanding and quick to fire people. The hacker could then call someone at XYZ claiming to work for John Doe. The hacker might say that he is trying to log on remotely to that person’s computer to update her system. After a few moments, the hacker says he forgot the password John Doe gave him and is very worried he will get fired if he doesn’t complete this assignment; then he asks her for her password. The information the attacker gleaned from the Web gave him enough to make this social engineering attack plausible.

It is also possible for an attacker to scan bulletin boards, chat rooms, discussion groups, and other places, looking for questions from IT staff at the target organization. For example, if an administrator posts in a discussion group asking about a particular server problem, this can give the attacker valuable information about that target network.

Another way attackers can use the Web to find out information about a target is through job ads. For example, if a company routinely advertises for ASP.NET developers and never for PHP or Perl, then it is likely that the company’s web applications are developed with ASP.NET running on a Windows web server (Internet Information Services). This can allow the attacker to focus only on a small group of possible attacks—those against ASP.NET/Windows.

Job ads reveal staffing patterns too. For example, if a small company with fewer than 200 employees advertises for a network administrator twice a year, it is likely that the company has recently lost its old administrator, because a small company would not need multiple administrators. If the current administrator is new, she is probably not as familiar with her own systems as the old admin was. And if this pattern of advertising for new administrators extends over a couple of years, the hacker can guess that the company has high turnover, and with it gaps in documentation and housekeeping that the attacker may be able to exploit.

There are also specific websites that provide information an attacker may find useful. Netcraft (netcraft.com), shown in Figure 6.1, reports on websites: you can find out what kind of server software and hosting provider a site uses and, in some cases, how long it has been since the server was last rebooted.

A window displays the site information of www.chuckeasttom.com.

Figure 6.1 www.netcraft.com.

Another site that can be useful for attackers is https://archive.org. This site, shown in Figure 6.2, archives older versions of websites. Its crawler scours the Web, saving copies of pages; how often a site is archived depends on its popularity. Pages a company has since taken down (old staff lists, retired products, decommissioned login portals) often survive there.

A screenshot displays the archive of older versions of the website.

Figure 6.2 www.archive.org.

Active Scanning Techniques

The previously mentioned techniques are all considered passive, as they do not require the attacker to send any traffic to the target system, so the target’s intrusion detection system (IDS) has nothing to detect. Active scans yield far more reliable information but may be detected by the target. There are a few types of active scans.

Port Scanning

Port scanning is the process of attempting to contact each network port on the target system and seeing which ones are open. Ports 0 through 1023 are the well-known ports, each usually associated with a specific service. For example, port 161 is associated with Simple Network Management Protocol (SNMP); if an attacker finds port 161 open on the target system, he might decide to try SNMP-related attacks. Even more information can be derived from a port scan. For example, ports 137, 138, and 139 belong to NetBIOS over TCP/IP, an old Windows name-resolution and file-sharing mechanism. Modern Windows prefers SMB directly over TCP port 445 but still supports NetBIOS, and Samba implements it so that Linux machines can share files with Windows, so discovering those ports open reveals something about the target network: an older configuration, a file server, or both.

A simple Google search for port scanner will reveal a host of well-known, widely used, and often free port scanners. However, the most popular port scanner in the hacking and security community is the free tool Nmap (https://nmap.org). Nmap runs on Linux, Windows, and macOS; Zenmap, shown in Figure 6.3, is the graphical front end that ships with it.

A screenshot displays Zenmap GUI.

Figure 6.3 Zenmap GUI.

Nmap allows you to customize a scan to make it more or less stealthy and to target certain systems. The most common types of scans are listed here:

  • Ping scan: This scan only asks which hosts are up. Nmap sends ICMP echo requests (and, by default, a few TCP probes) to each address and reports which ones answer; it does not test ports. Many network administrators block incoming ICMP echo requests to stop ping sweeps, which is why the TCP probes matter.

  • Connect scan: This is the most reliable scan but also the type most likely to be detected. With this type of scan, a complete TCP connection is made with each target port, so the service and its logs see it.

  • SYN scan: This scan is stealthier. Most systems accept SYN (synchronize) requests. It is similar to the SYN flood DoS attack described in Chapter 4, “Denial of Service Attacks”: you send a SYN packet and, when the system answers with a SYN/ACK, reply with an RST instead of completing the handshake, so the connection never fully opens and the application behind the port never sees it. Unlike with a DoS SYN flood, you send only one packet per port. This is also called a half-open scan.

  • FIN scan: This scan sends a packet with only the FIN (connection finished) flag set. Such a packet is not unusual for a system to receive, and many stateless packet filters let it through, so the scan is considered stealthy.

Each of these scans provokes a different response on the target machine and thus provides different information to the port scanner:

  • With a FIN, NULL, or Xmas scan, if the target port is closed, the system sends back an RST (reset) packet; if it is open, there is no response. (An Xmas scan sets the FIN, PSH, and URG flags; a NULL scan sets no flags at all.) This is the behavior RFC 793 calls for, and UNIX-like systems follow it. Windows and many network devices reply with RST whether the port is open or closed, so these three scans cannot tell open from closed on such targets.

  • With a SYN scan, if the port is closed, the response is an RST; if it is open, the response is a SYN/ACK; if there is no response at all, the port is probably filtered by a firewall.

  • An ACK scan does not find open ports at all. Its purpose is to map firewall rules: a port that answers an ACK with an RST is unfiltered (reachable), and one that stays silent is filtered.
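To make the connect-scan behavior concrete, here is a small TCP connect scanner in Python. It is an added example, not the book’s code and not part of Nmap. It classifies each port from the way connect() succeeds or fails, and for a self-contained run it opens its own listener on the loopback interface rather than scanning a real host (scan only systems you are authorized to test).

```python
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple

# Added example (not the book's code): a minimal TCP connect scanner.
# Like "nmap -sT", it completes the full three-way handshake on every port
# it probes, so the target's service logs and any IDS see real connections.

def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port as 'open', 'closed' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # SYN -> SYN/ACK -> ACK
            return "open"
        except ConnectionRefusedError:
            return "closed"                  # target answered the SYN with RST
        except OSError:
            return "filtered"                # timeout/unreachable: likely dropped by a firewall

def scan(host: str, ports: Iterable[int], workers: int = 50) -> Dict[int, str]:
    """Probe many ports concurrently and return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe_port(host, p), ports))
    return dict(zip(ports, states))

def demo() -> Tuple[Dict[int, str], int, int]:
    """Self-contained run on loopback: one listening port (should be 'open')
    and one port that was bound and released (should be 'closed')."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                            # nothing listens here any more
    try:
        return scan("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        listener.close()

if __name__ == "__main__":
    results, _, _ = demo()
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port} {state}")
```

The three outcomes map onto the responses in the list above: a completed handshake means SYN/ACK came back, a refused connection means RST came back, and a timeout means nothing came back, which is what a firewall that silently drops packets produces.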

Nmap also lets you set a number of options (on the command line, or through Zenmap’s profile editor) to customize the scan. The most useful are listed here under their current names; several of the older forms found in earlier documentation have been renamed, and the old form is noted where that applies:

-O Detects the operating system (needs root/administrator privileges, because it sends raw packets)

-sn Ping scan: host discovery only, no port scan (formerly -sP)

-sT TCP connect scan (the default when not running as root)

-sS SYN scan (the default when running as root)

-sF FIN scan

-sX Xmas tree scan

-sN NULL scan

-sU UDP scan

-sO IP protocol scan

-sA ACK scan

-sW TCP window scan (a variant of the ACK scan; nothing to do with Microsoft Windows)

-sV Version detection (the old -sR RPC scan is now part of it)

-sL List scan (only resolves names; sends nothing to the targets)

-sI Idle scan (bounces probes off a “zombie” host so the target sees that host’s address)

-Pn Don’t ping: skip host discovery and scan every address (formerly -P0)

-PS TCP SYN ping

-PA TCP ACK ping (formerly -PT)

-PE ICMP echo ping (formerly -PI)

-PM ICMP netmask ping

(The old -PB option, TCP and ICMP ping together, is gone; that combination is now the default host discovery.)

-oN Normal output

-oX XML output

-oG Greppable output

-oA All three output formats at once

-T<0-5> Timing template:

-T0 Paranoid

-T1 Sneaky

-T2 Polite

-T3 Normal

-T4 Aggressive

-T5 Insane

As you can see, there are a number of options available to an attacker using Nmap. One can spend a lot of time just learning Nmap.

Note

There are, of course, a number of other port scanning tools. We have focused on Nmap because it is free and widely used. It also figures prominently on the EC-Council Certified Ethical Hacker certification, GPEN (from SANS), and the Professional Penetration Tester certification.

The Nmap settings are, for the most part, self-explanatory. Perhaps the timing warrants a bit more discussion, however. Timing involves how quickly to send scanning packets. Essentially, the faster you send packets, the more likely the scan is to be detected.

Here is the most basic Nmap scan:

nmap 192.168.1.1

Here is a scan of a range of IP addresses:

nmap 192.168.1.1-20

The following command detects the operating system, uses a TCP SYN ping for host discovery (the older -PT option has been replaced by -PS and -PA), and uses sneaky timing; run it as root, since -O needs raw sockets:

nmap -O -PS -T1 192.168.1.1

Other Scans

There are a wide range of scans an attacker can use to probe your network. It is often a good idea to look at logs for any evidence that such scans are being conducted against your network. Even if an attacker is not successful in breaching your system, the fact that he or she has attempted to do so makes it likely the attacker will try again.

These are a few of the scans an attacker may use to probe your network:

  • FIN probe: A FIN packet is sent to an open port, and the response is recorded. RFC 793 says the correct behavior is not to respond, but many operating systems, Windows among them, reply with an RST. That difference is one of the clues a scanner uses to fingerprint the operating system.

  • FTP bounce scan: This scan abuses the FTP PORT command on an old or misconfigured FTP server to make that server open connections to the target’s ports on the attacker’s behalf. The probes appear to come from the FTP server, which makes the scan harder to trace (Nmap’s -b option).

  • SNMP scan: Simple Network Management Protocol (SNMP) is a popular protocol for remote monitoring and management of a network, used to report the status of services and devices. It works through managers and agents: a manager sends requests to the agent on a device, and the agent sends back replies. The requests and replies refer to configuration variables in the Management Information Base (MIB), the database of variables that resides on the device. Traps are messages an agent sends on its own to flag an event, anything from a simple reboot to a system failure. Agents listen on UDP port 161, and traps go to UDP port 162 on the manager. An SNMP scan sends requests to port 161 using common community strings (“public” and “private” are the usual defaults) and, when one is accepted, walks the MIB for interfaces, routing tables, installed software, and sometimes user names.

Vulnerability Assessment

Vulnerability assessment involves checking a system to see if it is vulnerable to specific attacks. Although hackers can use vulnerability assessment tools to assess your system, these tools are designed to allow you to assess your system. These tools are not particularly stealthy and thus will probably be detected by an intrusion detection system. In fact, network administrators commonly use vulnerability assessment tools to test their own networks. These tools will be covered in Chapter 11, “Network Scanning and Vulnerability Scanning.”

Enumeration

Another technique that is commonly used before an actual attack is enumeration. Enumeration is simply the process of finding out what is on the target system. If the target is an entire network, the attacker wants to find out what servers, computers, and printers are on that network. If the target is a specific computer, the attacker wants to find out what users and shared folders exist on that system.

A simple Google search will help you find a number of enumeration tools. One of the easiest to use is Cain and Abel, shown in Figure 6.4.

A screenshot depicts the Cain and Abel tool.

Figure 6.4 Cain and Abel.

Although we are focusing on enumeration here, Cain and Abel can do a lot more than just enumeration. To use Cain and Abel for enumeration, simply click on the Network tab, and you will find all the machines connected to the network you are on. (You obviously need some level of access before you can enumerate the target network.)

The following are a few other enumeration tools that are popular with hackers and can easily be found on the Internet:

  • Sid2User

  • Cheops (Linux only)

  • UserInfo

  • UserDump

  • DumpSec

  • Netcat

  • NBTDump

This is not an exhaustive list, but it includes some of the most widely used enumeration tools.

To defend against scanning, you should use the following techniques:

  • Be careful how much information you put on the Internet about your organization and its network.

  • Create a company policy mandating that technical personnel who use bulletin boards, chat rooms, and so on for technical data not use their real names or reveal the company’s name.

  • Use an IDS that detects many scans, and actually review its alerts: a burst of connection attempts from one address to many different ports in a short time is the usual signature.

  • Filter incoming Internet Control Message Protocol (ICMP) echo requests at the perimeter. Do not drop ICMP wholesale: the “fragmentation needed” messages that path MTU discovery depends on must still get through, and blocking echo requests only removes the ping sweep, not the TCP-based host discovery that scanners fall back to.

These techniques won’t make scanning and reconnaissance on your system impossible, but they will significantly reduce the amount of information an attacker can gather.

Shodan

Shodan (see Figure 6.5) is a tool used by attackers and penetration testers alike. The website https://www.shodan.io is a search engine for Internet-connected devices: it continually connects to addresses across the Internet, records the banners that services such as HTTP, SSH, Telnet, and SNMP return, and makes those banners searchable. Because banners expose product names, versions, and often default configurations, it amounts to a search engine for exposed and vulnerable systems. You need to sign up for a free account to use it, but then it can be invaluable to a pen tester trying to identify vulnerabilities. Of course, the site can also be invaluable to attackers.

A screenshot displays Shodan tool.

Figure 6.5 Shodan.

There are many options you can use in searching with Shodan.io; some are given here:

  • Search for default passwords, using search terms such as the following:

    • default password country:US

    • default password hostname:chuckeasttom.com

    • default password city:Chicago

  • Find Apache servers:

    • apache city:"San Francisco"

  • Find webcams:

    • webcamxp city:Chicago

  • Find old IIS servers:

    • "iis/5.0"

In addition to these search terms, you can use filters, including these:

  • city: Find devices in a specific city.

  • country: Find devices in a specific country.

  • geo: Pass coordinates (that is, latitude and longitude).

  • hostname: Find values that match a specific hostname.

  • net: Search based on an IP or /x CIDR address.

  • os: Search based on operating system.

  • port: Find particular ports that are open.

  • before/after: Find results within a time frame.

For example, Figure 6.6 shows the results of a search for default passwords city:dallas.

A screenshot for Shodan search result is shown.

Figure 6.6 Shodan search results.

When you are performing a penetration test, it is a good idea to search the company domain for anything you can find via Shodan. You can restrict your search to the hostname or domain name of the client who has hired you to conduct a penetration test. You can use Shodan to seek out default passwords, old web servers, unsecured web cameras, and other vulnerabilities in the target network. Again, you can be sure that would-be attackers will also use this tool.

Actual Attacks

Now that we have discussed how attackers scan a target system, let’s look at a few attacks that are commonly used. Obviously this isn’t an exhaustive list, but it provides some insight into the attack methodologies used. In Chapter 4 we discussed denial of service (DoS) attacks and some tools used to perpetrate these attacks. In this section we will look at other sorts of attacks and the techniques and tools used to make them happen.

SQL Script Injection

SQL script injection might be the most popular type of attack on websites. In recent years, more websites have taken steps to mitigate the dangers of these attacks, but unfortunately, many websites are still susceptible. An SQL script injection attack involves passing Structured Query Language (SQL) commands to a web application and getting the website to execute them.

Before we can discuss SQL injection further, we must talk about SQL and relational databases. Relational databases are based on relations between various tables. The structure includes tables, primary and foreign keys, and relations:

  • Each row represents a single entity.

  • Each column represents a single attribute.

  • Each record is identified by a unique value called a primary key.

  • Tables are related by foreign keys. A foreign key is a column whose values are primary keys of rows in another table.

You can see an example of these relations in Figure 6.7.

The database relation between two tables are compared.

Figure 6.7 Database relations.

All relational databases use SQL, which includes commands such as SELECT, UPDATE, DELETE, and INSERT, qualified by clauses such as WHERE. At least the basic queries are very easy to understand and interpret.

Most basic SQL injection works like this: Many websites/applications have a page where a user enters a username and password. That username and password will have to be checked against some database to see if they are valid. Regardless of the type of database (Oracle, SQL Server, MySQL), all databases speak SQL. SQL looks and functions a great deal like English. For example, to check a username and password, you might want to query the database to see if there is any entry in the users table that matches the username and password that was entered. If there is such an entry, you have a match. The SQL statement to ask this might look something like this:

SELECT * FROM tblUsers WHERE USERNAME = 'jdoe' AND PASSWORD = 'letmein'

The problem with this query is that, although it is valid SQL, it hard codes the username and password. For a real website, you would have to take whatever the user entered into the username field and password field and build the query from that. This is easily done in any programming or scripting language by string concatenation, and in a Visual Basic-style web application it would look something like this:

"SELECT * FROM tblUsers WHERE USERNAME = '" + txtUsername.Text + "' AND PASSWORD = '" + txtPassword.Text + "'"

The single quotes inside the string are the quotes SQL needs around each value; the double quotes delimit the pieces of program text being glued together.

If you enter username jdoe and password letmein, this code produces the following SQL command:

SELECT * FROM tblUsers WHERE USERNAME = 'jdoe' AND PASSWORD = 'letmein'

Now if there is a username jdoe in tblUsers, and the password for it is letmein, the query returns that row and the user is logged on. If not, the query returns no rows and the login fails.

SQL injection works by entering text that closes the quoted string the attacker knows must be in the query and then appends a condition that is always true. For example, suppose you enter ' OR '1'='1 into both the username and password boxes. The program builds this query:

SELECT * FROM tblUsers WHERE USERNAME = '' OR '1'='1' AND PASSWORD = '' OR '1'='1'

Notice that the input starts with a single quotation mark ('), which closes the open quote in the code, and ends without one, so the closing quote the code appends finishes the last '1'. The database now reads the condition as “the username is blank, or 1 equals 1, and the password is blank, or 1 equals 1.” Because AND binds more tightly than OR, the whole WHERE clause is true for every row, and the first user in the table (often an administrator) is logged in. The quotes must balance: if they do not, the database returns a syntax error instead of a row, which is itself a useful signal to an attacker that input reaches the query unfiltered.

There is nothing special about '1'='1'; it is simply a comparison that is always true. Attackers try other similar statements, such as the following (in the last one, -- starts a comment, so the rest of the query, including the password check, is ignored):

' or 'a' ='a
' or '1' ='1
' or 1=1 --

The example given here is the most basic version of SQL injection, but it is the most common. You can do far more with SQL injection. The attacker is limited only by her knowledge of SQL and the target database system.

The primary defense against this type of attack is to keep user input out of the SQL text altogether: use parameterized queries (prepared statements), in which the query is sent with placeholders and the username and password travel separately as values. A quotation mark in a parameter is then just a character, never SQL syntax. Filtering user input before processing it, often called input validation, is a useful second layer, but by itself it is not enough, and many sites that rely on it alone are still vulnerable to SQL injection attacks.

Earlier in the text, when SQL injection was first briefly mentioned, filtering input was suggested as a way to prevent such an attack. For example, a programmer creating a website can check for common SQL injection characters such as the single quote ('), percent sign (%), equal sign (=), or ampersand (&), and stop processing and log an error when they are found. This stops many SQL injection attacks. It also rejects legitimate input (the surname O'Brien, for instance), and attackers have encodings and alternative syntax that slip past such blocklists, so treat it as defense in depth behind parameterized queries rather than as the control you depend on.
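The login query from the text, rebuilt in Python against an in-memory SQLite table, beside the parameterized form that defeats the same payload. This is an added example, not the book’s code: the table, the single user, and the plaintext password column (a real application stores a salted hash) are constructed to match the text.

```python
import sqlite3
from typing import Dict

# Added example (not the book's code). The table and its one user mirror
# the text's tblUsers; passwords are stored in clear only to keep the
# demonstration identical to the queries shown there.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUsers (USERNAME TEXT, PASSWORD TEXT)")
    conn.execute("INSERT INTO tblUsers VALUES ('jdoe', 'letmein')")
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Same string building as the text: the user's input becomes part of the SQL.
    sql = ("SELECT * FROM tblUsers WHERE USERNAME = '" + username
           + "' AND PASSWORD = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the driver sends the values separately from the query text,
    # so a quotation mark in the input is data, never SQL syntax.
    sql = "SELECT * FROM tblUsers WHERE USERNAME = ? AND PASSWORD = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None

PAYLOAD = "' OR '1'='1"

def demo() -> Dict[str, bool]:
    """Run both login functions with a real credential and with the injection payload."""
    conn = make_db()
    return {
        "valid_vuln": login_vulnerable(conn, "jdoe", "letmein"),
        "injected_vuln": login_vulnerable(conn, PAYLOAD, PAYLOAD),   # True: bypassed
        "valid_param": login_parameterized(conn, "jdoe", "letmein"),
        "injected_param": login_parameterized(conn, PAYLOAD, PAYLOAD),  # False: payload is just a string
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} logged in: {ok}")
```

The vulnerable function builds exactly the WHERE clause shown in the text, and SQLite evaluates it as true for every row. The parameterized function looks for a user literally named ' OR '1'='1 and finds none; no character filtering was needed.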

Cross-Site Scripting

With cross-site scripting, an attacker injects client-side scripts into web pages viewed by other users. The key is that the attacker enters scripts into an area that other users interact with. When users go to that part of the site, the attacker’s script, rather than the intended website functionality, is executed in their browsers with the site’s privileges. For example, say that a shopping site allows users to review products. Rather than typing in a review, an attacker might type in JavaScript that redirects the user to a phishing website. When another user views that “review,” the script executes and takes the user to the new site. Such attacks are prevented by validating user input and, above all, by encoding output: anything a user typed must be converted to HTML entities (< becomes &lt;, and so on) before it is placed in a page, so the browser displays it as text instead of running it. As of this writing, the major online shopping portals, such as Amazon.com, do this and are not readily susceptible to this attack. However, many smaller sites are still susceptible to cross-site scripting.
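The product-review scenario, as an added example (not the book’s code): the same review text placed into a page first by raw interpolation and then after HTML-encoding. The review string and the markup around it are constructed for the demonstration.

```python
import html

# Added example (not the book's code). A constructed review that carries
# a script instead of an opinion, as in the text's shopping-site scenario.
MALICIOUS_REVIEW = 'Great product! <script>location="http://phish.example/"</script>'

def render_review_unsafe(review: str) -> str:
    # User text dropped straight into markup: the browser parses the
    # <script> element and runs it for every visitor who views the review.
    return f"<div class='review'>{review}</div>"

def render_review_safe(review: str) -> str:
    # html.escape turns <, >, &, " and ' into entities, so the browser shows
    # the tag as literal text. This is the right encoding for HTML body
    # content; attribute values and JavaScript contexts need their own rules.
    return f"<div class='review'>{html.escape(review, quote=True)}</div>"

def contains_live_script(markup: str) -> bool:
    """True if the rendered page still contains an executable <script> tag."""
    return "<script>" in markup.lower()

if __name__ == "__main__":
    print(render_review_unsafe(MALICIOUS_REVIEW))
    print(render_review_safe(MALICIOUS_REVIEW))
```

Filtering out the word “script” on input is the tempting fix, but attackers have many other ways to get a browser to execute JavaScript (event handler attributes, for example). Encoding at the point of output works regardless of what was typed.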

Cross-site scripting and SQL injection both illustrate why it is critical that all IT personnel, not just security administrators, be familiar with security. If more web developers were more familiar with security, these two attacks would not be widespread.

Cross-Site Request Forgery

Cross-site request forgery could be viewed as the other side of cross-site scripting. Whereas cross-site scripting attacks the user, based on the user’s trust of a website, cross-site request forgery attacks the website, based on the site’s trust of a user. The trusted user, who is authenticated to the website, is tricked into sending requests to the website, typically by a hidden form or image tag on a page the attacker controls. Because the browser attaches the user’s session cookie to every request for that site automatically, the forged request arrives looking exactly like one the user meant to send, and the site carries it out (a password change, a funds transfer, and so on). The usual defense is a secret anti-forgery token in each legitimate form that the attacker’s page cannot read.

Directory Traversal

Directory traversal allows attackers to read files in restricted directories, including those containing application source code, configuration files, and critical system files, outside the directory the web server is supposed to serve from (the web root). Where the application also writes or includes the files it is pointed at, traversal can lead to command execution.

Attackers manipulate parameters that reference files by inserting “dot-dot-slash” (../) sequences and their variations (URL-encoded %2e%2e%2f, or ..\ on Windows), as in these examples (the parameter name file is illustrative):

http://www.example.com/process.aspx?file=../../../../some_dir/some_file
http://www.example.com/../../../../some_dir/some_file
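One way to close the hole on the server side, as an added example that is not the book’s code: resolve the requested name against the web root and refuse anything that ends up outside it. The web root location is assumed, and the function never opens the file, so it runs anywhere.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Added example (not the book's code). WEB_ROOT is an assumed location;
# a real server takes it from configuration.
WEB_ROOT = Path("/var/www/html")

def resolve_under_root(requested: str, root: Path = WEB_ROOT) -> Optional[Path]:
    """Return the absolute path to serve, or None if the request escapes the root."""
    decoded = unquote(requested)                 # %2e%2e%2f -> ../ (decode once, then check)
    # Drop leading slashes so an absolute path cannot replace the root,
    # then let resolve() collapse every "..", "." and symlink.
    candidate = (root / decoded.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(root.resolve())    # raises ValueError if outside the root
    except ValueError:
        return None
    return candidate

def is_safe(requested: str) -> bool:
    return resolve_under_root(requested) is not None

if __name__ == "__main__":
    for name in ["images/logo.png", "../../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{name!r:35s} -> {resolve_under_root(name)}")
```

Checking for the literal string ../ is not enough: encoding, mixed slashes, and symlinks all get past a string match, which is why the check compares the fully resolved path instead.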

Cookie Poisoning

Many web applications use cookies in order to save information (user ID, timestamp, and so on) on the client’s machine. For example, when a user logs in to a site, a login web script may validate his username and password and set a cookie with his numerical identifier.

When the user checks his preferences later, another web script (say, preferences.asp) retrieves the cookie and displays the records of the corresponding user. Because cookies live on the client, the user, or an attacker who has stolen them, can rewrite them unless the server protects their integrity; an attack that modifies a cookie this way is called cookie poisoning. If the cookie holds nothing but the numerical identifier, changing 1042 to 1041 shows someone else’s preferences. Encryption alone does not fix this if the server accepts any value it can decrypt; the value needs a signature (for example, an HMAC) that the server verifies before trusting it, or it should be an opaque session ID that maps to the user only on the server. JavaScript can also read, write, or modify a cookie unless it was set with the HttpOnly flag, so this type of attack can be combined with cross-site scripting.
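The signed-cookie defense, as an added example that is not the book’s code: the cookie still carries the numerical identifier in the clear, but with an HMAC over it that only the server can produce, so a changed identifier fails verification. The secret key is a placeholder; a real server keeps it out of source control.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

# Added example (not the book's code). SECRET_KEY stands in for a key a
# real server would load from secure configuration.
SECRET_KEY = b"server-side-secret-do-not-ship"

def make_cookie(user_id: int) -> str:
    """Build 'id.tag' where tag = HMAC-SHA256(key, id)."""
    payload = str(user_id).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{payload.decode()}.{base64.urlsafe_b64encode(tag).decode()}"

def read_cookie(cookie: str) -> Optional[int]:
    """Return the user ID if the tag verifies, else None (poisoned or malformed)."""
    try:
        payload, tag_b64 = cookie.rsplit(".", 1)
        tag = base64.urlsafe_b64decode(tag_b64)
        user_id = int(payload)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    return user_id

def poison(cookie: str, new_id: int) -> str:
    """What an attacker does: keep the tag, swap the ID."""
    _, tag_b64 = cookie.rsplit(".", 1)
    return f"{new_id}.{tag_b64}"

if __name__ == "__main__":
    c = make_cookie(1042)
    print("issued:", c, "->", read_cookie(c))
    p = poison(c, 1041)
    print("poisoned:", p, "->", read_cookie(p))
```

Signing stops tampering but not theft: a stolen cookie still works until it expires, which is why session cookies also need the Secure and HttpOnly flags and a short lifetime.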

URL Hijacking

URL hijacking, also called typosquatting, involves a fake URL that is very close to a real one. For example, my website is www.Chuckeasttom.com. Someone might set up the site www.Chuckeastom.com, with only one t in the last name.

Command Injection

A command injection attack injects operating-system commands chosen by the attacker into a command a vulnerable application runs, and the application executes them. Command injection occurs when an application builds a shell command from input it did not validate; that input can arrive through forms, cookies, HTTP headers, and so on. On Linux the shell will run two commands from one line if they are joined by a separator; with &&, the second runs when the first succeeds (a semicolon runs it unconditionally):

#cmd1 && cmd2

(The # here is the root prompt, not part of the command.) Therefore, if an application that pings a user-supplied host simply appends the input to the ping command, an attacker who enters the following makes it run cat /etc/passwd as well:

www.google.com && cat /etc/passwd

Sometimes command injection is referred to as shell injection.
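The same host string handed to a shell and then handled safely, as an added example that is not the book’s code. It uses echo in place of the ping the application in the text would run, so it works offline; the hostname pattern is an assumed allowlist.

```python
import re
import shlex
import subprocess

# Added example (not the book's code). "echo" stands in for ping so the
# demonstration needs no network; the injected command is the text's own,
# with "echo INJECTED" in place of "cat /etc/passwd".
INJECTED = "www.google.com && echo INJECTED"
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")   # assumed allowlist for a hostname

def run_vulnerable(host: str) -> str:
    # shell=True: the shell parses "&&", so the attacker's second command runs.
    out = subprocess.run("echo " + host, shell=True, capture_output=True, text=True)
    return out.stdout

def run_quoted(host: str) -> str:
    # If a shell is unavoidable, shlex.quote wraps the input so the shell
    # treats "&&" as characters inside one argument, not as an operator.
    out = subprocess.run("echo " + shlex.quote(host), shell=True, capture_output=True, text=True)
    return out.stdout

def run_safe(host: str) -> str:
    # Preferred: validate against an allowlist, then pass an argument vector
    # with no shell at all, so there is nothing to parse "&&".
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    out = subprocess.run(["echo", host], capture_output=True, text=True)
    return out.stdout

if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(INJECTED).splitlines())
    print("quoted:    ", run_quoted(INJECTED).splitlines())
    try:
        run_safe(INJECTED)
    except ValueError as e:
        print("safe:       rejected,", e)
```

The vulnerable version prints two lines because the shell ran two commands; the quoted version prints the whole input as one line; the safe version never reaches the command at all.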

Wireless Attacks

A number of wireless attacks are commonly used. For example, with an evil twin attack, a rogue wireless access point (WAP) is set up that has the same SSID as one of your legitimate access points. That rogue WAP might be used to initiate a denial of service attack on your legitimate access point, making it unable to respond to users, so they are redirected to the evil twin.

Another wireless attack targets Wi-Fi Protected Setup (WPS), which lets a client join a network by entering an 8-digit PIN instead of the WPA2 passphrase. The access point checks the PIN in two halves and reports on each separately, which cuts an online brute-force attack from 10^8 guesses to roughly 11,000. A WPS attack runs through those guesses (tools such as Reaver automate this), and once the PIN is accepted the access point hands over the WPA2 passphrase. The practical defense is to disable WPS on the access point.

A deauthentication attack can cause legitimate wireless clients to deauthenticate from legitimate wireless APs or wireless routers to either perform a denial of service condition or to make those clients connect to an evil twin.

Cell Phone Attacks

There are many ways to attack cell phones. The most common attacks are briefly described here:

  • Bluesnarfing: Unauthorized access to information (contacts, calendars, messages) on a Bluetooth device.

  • Bluejacking: Using another Bluetooth device within range (depending on the class and version of Bluetooth, anywhere from 10 to 240 meters) to send unsolicited messages to the target. It is a nuisance rather than a theft, but it also tells the attacker which devices are discoverable.

  • Bluebugging: Unauthorized access to, and use of, all of a phone’s features, including placing calls and reading messages.

  • Pod slurping: Use of a device such as an iPod or USB stick to steal confidential data by plugging it directly into the computer that holds the data.

Password Cracking

Doing password cracking is easiest when one can actually get physical access to a machine—and this is not as difficult as it sounds. Many organizations (such as universities) have kiosk machines where someone can use the system with minimal/guest privileges. A skilled hacker can use this access to gain further access.

Password Cracking Methods

There are several different approaches to password cracking. The more common approaches are listed here:

  • Dictionary attacks: A text file of dictionary words is loaded into a password program and run against the user accounts the program finds. If simple passwords have been used, this is often enough to recover them. Dictionary attacks can be performed offline (against captured hashes) with tools like LCP and Hashcat, and online (against a live login service) with tools like Brutus and THC-Hydra.

  • Hybrid attacks: This type of attack is similar to a dictionary attack except that it adds numbers or symbols to the dictionary words. Many people change their passwords by simply adding a number to the end of their current password. The pattern usually takes this form: the first month’s password is Mike, the second month’s is Mike2, the third month’s is Mike3, and so on.

  • Rainbow table: Passwords are usually stored as hashes, and a hash cannot be reversed directly. One can, however, hash a large list of likely passwords in advance and store the results; a rainbow table is a space-efficient version of that idea, built from chains of hashes and “reduction” functions so that billions of candidates fit on a disk. If one can get access to the hash of a password, one looks it up in the table. The technique works only against unsalted hashes: with a per-user salt, the same password hashes differently for every user, and no precomputed table can cover them.

  • Brute-force attacks: This is the most comprehensive form of attack and potentially the most time-consuming, since it tries every possible combination of characters. Brute-force attacks can take weeks or longer, depending on the length and complexity of the password and on how fast the hash function is.
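The dictionary and hybrid methods above, carried out offline against a handful of hashes, as an added example that is not the book’s code. The wordlist, the “captured” hashes, and the use of unsalted SHA-256 are all constructed for the demonstration; real tools target LM/NTLM or whatever the system stores, but the mechanics are the same.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Added example (not the book's code). A tiny constructed wordlist and three
# constructed "captured" hashes. Unsalted SHA-256 stands in for whatever
# hash the target system uses; the attack does not depend on which.
WORDLIST = ["password", "letmein", "mike", "Mike", "summer", "dragon"]

def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

def hybrid_candidates(words: Iterable[str], suffixes: Iterable[int] = range(0, 100)) -> Iterable[str]:
    """Dictionary word, then word+number (the Mike, Mike2, Mike3 pattern),
    then word+number+'!' for users who must satisfy a complexity rule."""
    for w in words:
        yield w
        for n in suffixes:
            yield f"{w}{n}"
            yield f"{w}{n}!"

def crack(target_hashes: Dict[str, str], words: Iterable[str]) -> Dict[str, Optional[str]]:
    """Precompute hash -> candidate once (a lookup table, the idea behind a
    rainbow table), then look each captured hash up."""
    table = {sha256_hex(c): c for c in hybrid_candidates(words)}
    return {user: table.get(h) for user, h in target_hashes.items()}

def salted_hex(salt: str, password: str) -> str:
    """Why salting defeats the table: the same password hashes differently per user."""
    return sha256_hex(salt + password)

CAPTURED = {
    "jdoe": sha256_hex("letmein"),       # plain dictionary word
    "mike": sha256_hex("Mike3"),         # hybrid: word + number
    "admin": sha256_hex("Tr0ub4dor&3"),  # in no list: stays uncracked
}

if __name__ == "__main__":
    for user, pw in crack(CAPTURED, WORDLIST).items():
        print(f"{user:6s} -> {pw if pw else '(not cracked)'}")
```

Against salted hashes the precomputed table is useless, because the candidate list would have to be hashed again for every distinct salt; that per-user cost, multiplied by a deliberately slow hash such as bcrypt or Argon2, is what makes modern password storage resist this attack.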

ophcrack

A very popular tool for cracking Windows passwords is ophcrack. ophcrack can be downloaded from http://ophcrack.sourceforge.net. It is based on an understanding of how Windows passwords work. Windows passwords are stored as hashes in the SAM file in one of the system directories, usually C:\WINDOWS\system32\config. SAM is an acronym for Security Accounts Manager. (Hashes will be discussed in detail in Chapter 8, “Encryption.”) Windows hashes the password you type in and compares it to the hash found in the SAM file. If there is a match, then you are logged in. To prevent someone from copying the SAM file and taking it off to try to brute-force it, the operating system locks the SAM file as soon as Windows begins the boot process. ophcrack boots to Linux, reads the SAM file, and looks up the hashed passwords in a large table of precomputed hash values, searching for a match. If it finds one, then the matching text in that table is the password. You can see ophcrack in Figure 6.8.


Figure 6.8 ophcrack.

This tool is remarkably easy to use. Just put the ophcrack CD into the machine and reboot. During the boot process, you can press F12 for a boot menu and tell the system to boot from CD. You will then start ophcrack. It should be noted that longer passwords (as of this writing, longer than 10 characters) are usually not crackable by ophcrack.

If ophcrack is successful (though it isn’t always), what can the attacker now do? At best she simply got the local machine admin account and not a domain account. Well, this can be used to then gain domain access. One such method of obtaining domain access will be explored later in this chapter in the “Net User Script” section.
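As an added example (not from the book and not ophcrack’s own code), the following Python script works through the dictionary, hybrid, and precomputed-table lookups described above against a constructed set of unsalted SHA-256 hashes (standing in for the SAM hashes ophcrack reads), and then shows why the same table finds nothing once the hashes are salted. The user names, passwords, and word list are all constructed for the example.

```python
import hashlib
import os
import string

# Constructed sample "password store": user -> unsalted SHA-256 of the password.
# Unsalted SHA-256 stands in for the LM/NT hashes that ophcrack reads from the SAM file.
USERS = {"mike": "Mike2", "sara": "password", "admin": "Summer19!", "kim": "Tq7#v9LpZw2e"}
SAMPLE_HASHES = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in USERS.items()}

# Constructed word list (a real attack would load a text file of dictionary words)
WORDLIST = ["password", "mike", "summer", "welcome", "letmein"]


def hybrid_variants(word):
    """Yield a dictionary word plus the mangling a hybrid attack adds:
    case variants, a trailing number 0-99 (the Mike, Mike2, Mike3 pattern)
    and a trailing symbol."""
    for base in {word, word.capitalize(), word.upper()}:
        yield base
        for symbol in "!@#$":
            yield base + symbol
        for n in range(100):
            yield f"{base}{n}"
            for symbol in "!@#$":
                yield f"{base}{n}{symbol}"


def build_table(words):
    """Precompute hash -> plaintext for every candidate: a small rainbow-style
    table that is built once and reused against any number of password files."""
    table = {}
    for word in words:
        for candidate in hybrid_variants(word):
            table[hashlib.sha256(candidate.encode()).hexdigest()] = candidate
    return table


def crack(hashes, table):
    """Look each stored hash up in the table; the hash is never reversed, only matched."""
    return {user: table[h] for user, h in hashes.items() if h in table}


def make_salted_hashes(users):
    """Defender's side: store sha256(salt || password) with a random per-user salt."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (hashlib.sha256(salt + password.encode()).hexdigest(), salt)
    return store


def crack_salted(salted_store, table):
    """The precomputed table is useless here: sha256(salt || 'Mike2') is not in it,
    so an attacker would have to rebuild the whole table for every salt (every user)."""
    return {user: table[h] for user, (h, _salt) in salted_store.items() if h in table}


def brute_force_keyspace(length, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Number of candidates a brute-force attack must try for a given length;
    this growth is why longer passwords fall outside ophcrack's tables."""
    return len(alphabet) ** length


if __name__ == "__main__":
    table = build_table(WORDLIST)
    print("table entries:", len(table))
    print("cracked (unsalted):", crack(SAMPLE_HASHES, table))
    print("cracked (salted):", crack_salted(make_salted_hashes(USERS), table))
    print("8-char keyspace:", brute_force_keyspace(8), "vs 12-char:", brute_force_keyspace(12))
```

Three of the four constructed accounts fall to the table; the random 12-character password and every salted hash survive it.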

Other Password Cracking Tools

As you probably can guess, there are many password cracking tools one can get from the Internet. A few common tools are listed here:

  • Brutus: Brutus can perform remote dictionary or brute-force attacks against Telnet, FTP, SMTP, and web servers.

  • John the Ripper: This tool has been around for many years. It is an effective password cracking tool.

  • WebCracker: This simple tool takes text lists of usernames and passwords and uses them as dictionaries to implement basic authentication password guessing.

  • THC-Hydra: This very useful web password-cracking tool attacks many common authentication schemes.

  • Crack Station: The website for this tool, https://crackstation.net, attempts to match a hashed password with a known password in a rainbow table.

Malware Creation

In this section we will briefly discuss how easy it is to create malware. In Chapter 5, “Malware,” you saw the tool eLiTeWrap. In this section you will see the methods used to actually create viruses. This is not in any way an encouragement for you to create such viruses. It is meant to educate you on why such malware is so common.

For many years, one needed significant programming skills in order to create a virus. However, in recent years there have been a number of tools developed to create viruses. These tools allow the end user to click a few buttons and create a virus. This is one reason viruses are becoming so prevalent. One such tool is TeraBIT Virus Maker, shown in Figure 6.9.


Figure 6.9 TeraBIT Virus Maker.

Tools like this make it very easy for even a novice to create a virus. When tools that automate some specific computer attack become prevalent, then one can expect a great many more such attacks.

You can easily see from the options that TeraBIT Virus Maker can create some rather damaging malware. It is important to realize that this is only one option that a malware creator has. There are a number of tools on the Internet that help create viruses. There are even ransomware development kits. A few common utilities for making malware are as follows:

  • Sam’s Virus Generator

  • Internet Worm Maker Thing

  • JPS Virus Maker

  • Deadlines Virus Maker

  • Sonic Bat Virus Creator

In addition to these tools, there are websites that contain catalogs of malware code. Anyone with only moderate programming skills can download the code for a virus and modify that malware for his specific needs. You can think of this as a sort of cyber weapons proliferation.

This proliferation of cyber weapons is the primary reason for this section in this chapter. It is critical that security professionals (and aspiring security professionals) be aware of just how easy it is to create a virus. We should reasonably expect to see more viruses as time goes on. Of course, there are still custom written viruses, and these are in fact the most effective form of malware. But the proliferation of tools and source code means that even those with only minimal technical skills can create viruses.

Windows Hacking Techniques

Given the ubiquitous nature of Microsoft Windows, it should be no surprise that there are a wide range of attacks specifically aimed at that operating system. In this section, we will briefly look at some of them.

Pass the Hash

We will examine cryptographic hashes at some length in Chapter 8. For now, you can just accept that many systems store passwords as cryptographic hashes. This is done because it is impossible to “unhash” something.

A pass the hash attack exploits the fact that the hash cannot be reversed: rather than trying to find out what the password is, the attacker simply sends the hash itself. If the attacker can obtain a valid username and that user’s password hash, then the hacker can use the hash without ever knowing the actual password.

Windows applications ask users to type in their passwords; then the application in turn hashes them. Often the hashing can be done with an API like LsaLogonUser, converting the password to either an LM hash or an NT hash. Pass the hash skips around the application and just sends the hash.

Net User Script

A net user script exploit first requires access to the target machine with at least guest-level privileges. It is based on the fact that many organizations put the technical support personnel in the domain admin’s group.

The attacker writes the following two-line script (where the word localaccountname is replaced with an actual local account name; net.exe expects the account name and password before the switches):

net user localaccountname password /add /domain
net group "Domain Admins" localaccountname /add /domain

The attacker saves this script in the All Users startup folder. The next time someone with domain admin privileges logs on to the machine, it will execute, and localaccountname will now be a domain admin. The only problem is that it may be quite some time before someone with such privileges logs onto that machine. To speed up the process, the attacker will cause a problem with the system that would necessitate technical support fixing it, such as disabling the network card. The next user to log in will not be able to access the network or Internet and will call technical support. There is a reasonably good chance that the person in technical support is a member of the domain administrators group. When that person logs on to the computer to fix the problem, unbeknownst to her, the script will execute.

This particular exploit illustrates two different security issues. The first is the concept of least privileges, which means allowing each user only the minimum privileges to do his job. (This concept was discussed briefly in Chapter 1, “Introduction to Computer Security.”) Technical support personnel should not be in the domain admin group, and if they are not, a net user script attack will not succeed. The second issue is that access to any of your machines should be controlled. This exploit only requires that the attacker have guest-level access and then only for a few minutes. From that minimum access, a skilled attacker can move forward and acquire domain admin privileges.
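From the defender’s side, both issues this exploit illustrates can be checked for. The following Python script, an added example that is not from the book, flags account-creation and group-membership commands planted in a startup script and lists Domain Admins members who are not on an approved list. The startup script contents, the group listing (laid out like `net group "Domain Admins" /domain` output, an assumption), the account names, and the approved list are all constructed.

```python
import re

# Constructed sample contents of a script found in the All Users Startup folder,
# modelled on the two-line script described in the chapter and padded with
# innocuous lines so that it looks like routine maintenance.
SAMPLE_STARTUP_SCRIPT = """\
@echo off
rem update printer drivers
net user helpdesk-tmp P@ssw0rd /add /domain
net group "Domain Admins" helpdesk-tmp /add /domain
start printerconfig.exe
"""

# Constructed sample group listing in the layout (assumed) of `net group "Domain Admins" /domain`.
SAMPLE_DOMAIN_ADMINS = """\
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            jdoe                     helpdesk-tmp
The command completed successfully.
"""

# Constructed approved list: who is actually supposed to hold domain admin rights.
APPROVED_DOMAIN_ADMINS = {"administrator", "jdoe"}

# net.exe account creation or group change, regardless of argument order.
ACCOUNT_CREATE = re.compile(r"^\s*net(?:\.exe)?\s+user\b.*\s/add\b", re.IGNORECASE)
GROUP_CHANGE = re.compile(r"^\s*net(?:\.exe)?\s+(?:group|localgroup)\b.*\s/add\b", re.IGNORECASE)


def find_privilege_commands(script_text):
    """Return (line_number, reason, line) for each line that creates an account or
    adds a member to a group. A startup script has no legitimate reason to do either."""
    findings = []
    for number, line in enumerate(script_text.splitlines(), start=1):
        if ACCOUNT_CREATE.search(line):
            findings.append((number, "account creation", line.strip()))
        elif GROUP_CHANGE.search(line):
            reason = "privileged group change" if "domain admins" in line.lower() else "group change"
            findings.append((number, reason, line.strip()))
    return findings


def parse_group_members(listing):
    """Pull member names out of the constructed `net group` style listing."""
    members = []
    in_members = False
    for line in listing.splitlines():
        if line.strip() == "Members":
            in_members = True
            continue
        if not in_members or line.startswith("---") or not line.strip():
            continue
        if line.startswith("The command completed"):
            break
        members.extend(line.split())
    return members


def unapproved_admins(listing, approved):
    """Least-privilege check: Domain Admins members who are not on the approved list,
    such as technical support staff or an account planted by a startup script."""
    return sorted(m for m in parse_group_members(listing) if m.lower() not in approved)


if __name__ == "__main__":
    for number, reason, line in find_privilege_commands(SAMPLE_STARTUP_SCRIPT):
        print(f"startup script line {number}: {reason}: {line}")
    print("unapproved domain admins:", unapproved_admins(SAMPLE_DOMAIN_ADMINS, APPROVED_DOMAIN_ADMINS))
```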

Login as System

A login as system attack requires physical access to one machine on your network. It does not require domain or even computer login credentials. To understand this attack, think about the last time you logged into any Windows computer, even a Windows server. Next to the login text boxes (Username and Password), there is an accessibility button that allows you to launch various tools to aid those users with disabilities. For example, you can launch the magnifier glass in order to magnify text.

In this attack, the perpetrator will boot the system to any Linux live CD. Then, using the FDISK utility, the attacker will locate the Windows partition. By navigating to the Windows\System32 directory, the attacker can first make a backup of magnify.exe, perhaps naming the backup magnify.bak. Then she can rename command.exe (the command prompt) to magnify.exe.

Now the attacker reboots to Windows. When the login screen appears, the perpetrator clicks Accessibility and then Magnify. Since command.exe was renamed magnify.exe, the attacker is actually launching the command prompt. No user has logged in yet, so the command prompt will have system privileges. At this point, the attacker is only limited by her knowledge of commands executed from the command prompt.

This particular attack illustrates the need for physical security. If an attacker can get even 10 minutes alone with your Windows computer, she will likely find a way to breach the network.

Penetration Testing

As mentioned at the beginning of this chapter, the techniques described in this chapter can be used in penetration testing. However, a penetration test is not simply a random application of a variety of hacking techniques. Usually a penetration test is done along with or subsequent to a vulnerability assessment. (We will discuss vulnerability assessments in detail in Chapter 11.)

A penetration test involves methodical probing of a target network in order to identify weaknesses in the network. The theory behind penetration testing is that the only way to objectively determine the security level of a given network is to have a competent penetration tester attempt to breach security. As described in this section, there are a variety of standards that one can use to guide a penetration test.

NIST 800-115

NIST 800-115 is the National Institute of Standards and Technology guideline for security assessments for Federal Information Systems. Assessments include penetration tests. NIST 800-115 describes security assessments as having four phases:

  • Planning: During this phase, the tester needs to set specific testing goals. Often these will be related to previous risk assessment evaluations of the target network.

  • Discovery: This phase involves using a variety of tools—including port scanners, vulnerability scanners, and manual techniques—to identify or discover any issues with the target network.

  • Attack: Now the attacker can attempt to compromise the target network by exploiting the vulnerabilities found during the discovery phase. It is in this phase that the penetration tester applies the hacking techniques we have discussed in this chapter.

  • Reporting: The final step is to prepare a detailed report and to deliver it to the person who hired the penetration tester. The report should provide details on what vulnerabilities were exploited, how they were exploited, and what remediation steps are recommended.

Even though this approach has only four phases, these are rather broad phases that include many substeps. It is not necessary for our purposes to delve into all the details of NIST 800-115. However, these broad steps provide a framework for penetration testing. Notice that there are two steps prior to the attack phase. Planning and discovery are critical, and you will see similar items in other penetration testing standards.

The NSA Information Assessment Methodology

The National Security Agency (NSA) has primary responsibility for information security throughout the U.S. federal government. The NSA has formulated a methodology to be applied to any information systems assessment that includes security audits, vulnerability tests, and penetration tests. That methodology is briefly described here:

  • Pre-assessment

    • Determine and manage the customer’s expectations.

    • Gain an understanding of the organization’s information criticality.

    • Determine the customer’s goals and objectives.

    • Determine the system boundaries.

    • Coordinate with the customer.

    • Request documentation.

  • Onsite assessment

    • Conduct an opening meeting.

    • Gather and validate system information (via interview, system demonstration, and document review).

    • Analyze assessment information.

    • Develop initial recommendations.

    • Present an out-brief.

  • Post-assessment

    • Give an additional review of documentation.

    • Get help understanding what you learned.

    • Report coordination (and writing)

This particular summary of steps is interesting. Managing customer expectations is a critical step. It is important that the customer know what a penetration test can and cannot do. The pre-assessment phase is all about deciding what will be done and what is expected.

The onsite assessment includes the process of examining the system and involves an out-briefing to let the customer know the essence of what you found. Then it culminates with a report that is written and delivered in the third phase. It is also interesting to notice that in the final phase there is a substep involving getting additional expertise. If your penetration test or security audit found items that are outside your expertise, then it is wise to consult with an expert in that area.

PCI Penetration Testing Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a set of standards used by companies that process credit cards. We will look at PCI standards in general in Chapter 10, “Security Policies.” In this section we will briefly examine the penetration testing portion of those standards. PCI DSS Requirement 11.3.4 mandates penetration testing to validate that segmentation controls and methods are operational and effective and to ensure that they isolate all out-of-scope systems from systems in the cardholder data environment.

PCI standards recommend testing a separate environment, not the live production environment, during normal business hours.

It is recommended that pen testing include social engineering tests.

Per PCI DSS Requirements 11.3.1 and 11.3.2, penetration testing must be performed at least annually and after any significant change—for example, infrastructure or application upgrade or modification—or new system component installations. As with the previous models we examined, PCI DSS has some specific steps:

  • Pre-engagement: Defining scope, documents, rules of engagement, success criteria, and review of past issues

  • The actual penetration test: Applying hacking techniques

  • Post-engagement: Reporting and recommending remediation steps

It is not critical that you memorize these standards. The point is to understand that hacking techniques are utilized in penetration testing but that penetration testing is more than just random attempts to hack the target network. It is a methodical approach to verifying the security of a target network that happens to include real hacking techniques.

This book is meant to introduce computer security and does not go into detail on penetration testing. For more details, you may want to consider Penetration Testing Fundamentals: A Hands-On Guide to Reliable Security Audits, also from Pearson.

The Dark Web

The Dark Web is an area of the Internet that is accessible only via onion routing. Onion routing essentially routes packets all around the world, bouncing through proxy servers. Each packet is encrypted with multiple layers of encryption, and each proxy can only decrypt one layer and send the packet to the next proxy. If someone intercepts a packet in transit between two proxies, they can only determine the previous proxy and the next proxy. They cannot determine the actual origin or destination. This is shown in Figure 6.10.

A figure illustrates how the data transfers from the user's machine to the target site.

Figure 6.10 TOR.

This leads to a situation in which a user’s location is not easily determined. For example, I used the TOR browser to visit Yahoo.com while sitting in my study in Plano, Texas. In Figure 6.11 you can see the results. As you can see, Yahoo thought I was coming from Sweden and presented its page in Swedish.


Figure 6.11 Yahoo through TOR.

The anonymity provided by TOR is not inherently wrong or unethical. Many people simply do not wish to be monitored when surfing the Web. However, this level of anonymity does lend itself to criminal activity, and markets on the Dark Web traffic in a range of illegal products and services.

In the past several years, many Dark Web criminal markets—for example, Silk Road, Silk Road 2, HANSA, and Alpha Bay—have been taken down by law enforcement. But others have popped up. Within minutes of searching the Dark Web, you can readily find drugs, guns, child pornography, and many other illegal products and services. You can find Jihad training sites, instructions on how to make explosives, hacking services, places to buy and sell malware, and even sites devoted to extreme sexual deviation. As one example of a Dark Web market, Figure 6.12 shows The People’s Drug Store (http://newpdsuslmzqazvr.onion).


Figure 6.12 The People’s Drug Store.

Surfing the Dark Web can be a bit dangerous. Many sites are replete with malware. Therefore, you must establish a specific environment for Dark Web activities—a virtual machine that is completely isolated from the host operating system (which means no sharing of the Clipboard or folders). The virtual machine should preferably run a different operating system than the host, making crossing the VM/host barrier even more difficult. Finally, that VM should be used only for the Dark Web activities and for no other purpose. Many Dark Web investigators like to use The Amnesiac Incognito Live System (TAILS) for Dark Web surfing. It is a free download from https://tails.boum.org.

You should note that TOR has been updated to use Onion v3. Many sites are moving their addresses to Onion v3. As of October 15, 2021, all Onion v2 sites are disabled in the TOR browser. If you have links from before 2022, they may no longer work.

Some people speculate that the stories about illicit materials on the Dark Web are simply hype. The following are just a few stories related to the Dark Web from news sources:

For those readers who would like more technical information on the Dark Web, the most important thing to understand is the nodes. The various nodes are described here:

  • Entry node: This is the first node, where the traffic enters the TOR network. Any relay node can act as an entry node. There is no difference in the function of the entry and relay nodes; however, there is a difference from the user’s point of view. The entry node is the node that has the real identity of the user. This is the extent of the knowledge the entry node has. The entry node only knows the identity of the user and the next node information. It doesn’t know about the destination because of Perfect Forward Secrecy.

  • Relay node: Relay nodes accept the TOR connections, unwrap the additional layer of the Perfect Forward Secrecy, and relay the connection to the next node in the forward path chain. Default configurations have set only one node in the middle of the TOR circuit, but you can increase the number if you like. Be aware that as you increase the number of middle nodes, the delay in the connection increases.

  • Exit node: The exit node is the node that communicates with the destination. Again, this node is no different from the other two nodes, but because it forwards the traffic out of the TOR network to the destination server, it appears to that server as the source of the traffic. Because of this, exit nodes are routinely blamed for whatever activity passed through them on the TOR network and are frequently targeted by investigators. Owners of exit nodes have to repeatedly give explanations to justify their servers.

  • Advertised relay nodes: These nodes are called advertised nodes because they are listed in the directory servers. These are the real nodes that help to anonymize the TOR network by maintaining Perfect Forward Secrecy. Anyone can see the identity of these nodes by querying the directory servers, as the TOR browser itself does.

  • Bridge nodes: Bridge nodes are like any other nodes except that they are not advertised, which means bridge nodes are not listed in the directory servers. What is the purpose of bridge nodes if they are not listed in the directory servers? The main reason to have these nodes is to hide the TOR traffic from government agencies and Internet firewalls. As you may know, TOR nodes are often scrutinized by security agencies because of their activities on the TOR network. In addition, they are easy to block, as the identities of the TOR nodes are publicly available on the directory servers. Bridge nodes are used to bypass such blocks: if a bridge node is serving as an entry node, it is hard to find and block the traffic on firewalls, since bridges are not listed in the TOR directory servers. The main challenge of using a bridge node as an entry node, however, is that the user has to learn the address of an active bridge server and configure it manually in the TOR browser.
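To make the layered encryption described above concrete (the paragraph on onion routing and the node descriptions just given), here is an added Python simulation that is not from the book or the Tor project: the client wraps a message in one layer per node of an entry/relay/exit circuit, and each node peels exactly one layer and learns only its next hop. The node names, keys, destination, and message are constructed, and the SHA-256 keystream XOR is a toy stand-in for the real ciphers Tor uses, not a secure cipher.

```python
import hashlib
import json
import os


def keystream_xor(key, nonce, data):
    """Toy stream cipher (constructed for this example, not secure): XOR the data
    with a SHA-256-derived keystream. Decryption is the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key, next_hop, payload):
    """Add one encryption layer whose plaintext names the next hop and carries
    the (already wrapped) inner payload. The nonce is sent in the clear."""
    nonce = os.urandom(8)
    inner = json.dumps({"next": next_hop, "payload": payload.hex()}).encode()
    return nonce + keystream_xor(key, nonce, inner)


def peel_layer(key, blob):
    """Remove one layer with this node's key; returns (next_hop, inner payload)."""
    nonce, body = blob[:8], blob[8:]
    inner = json.loads(keystream_xor(key, nonce, body))
    return inner["next"], bytes.fromhex(inner["payload"])


def build_onion(circuit, destination, message):
    """circuit: [(node_name, key), ...] in forward order entry -> relay -> exit.
    The innermost layer (for the exit node) names the real destination; each
    outer layer names only the following node, so the onion is built inside-out."""
    blob = message
    next_hop = destination
    for name, key in reversed(circuit):
        blob = wrap_layer(key, next_hop, blob)
        next_hop = name
    return blob


def route(circuit, onion):
    """Simulate the circuit: each node peels one layer. Returns what every node
    learned (only its next hop) plus the plaintext the exit node forwards.
    In the real network the entry node additionally sees the client's address."""
    view = []
    blob = onion
    for name, key in circuit:
        next_hop, blob = peel_layer(key, blob)
        view.append((name, next_hop))
    return view, blob


def can_read(key, blob):
    """True if this key opens the outer layer of blob. A party intercepting the
    packet between two nodes, or a node holding a different node's key, cannot."""
    try:
        peel_layer(key, blob)
        return True
    except Exception:
        return False


# Constructed circuit and traffic for the demonstration.
CIRCUIT = [("entry", b"entry-key-" * 3), ("relay", b"relay-key-" * 3), ("exit", b"exit-key--" * 3)]
DESTINATION = "www.example.test"
MESSAGE = b"GET / HTTP/1.1"

if __name__ == "__main__":
    onion = build_onion(CIRCUIT, DESTINATION, MESSAGE)
    view, delivered = route(CIRCUIT, onion)
    for node, next_hop in view:
        print(f"{node} node learned next hop: {next_hop}")
    print("exit node forwards:", delivered)
    print("relay key opens outer layer?", can_read(CIRCUIT[1][1], onion))
```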

You can find lists of exit nodes on many websites. The following are just a few:

Summary

In this chapter we have examined just a few techniques hackers utilize and illustrated the need for a variety of security measures. The scanning techniques illustrate the need for blocking certain traffic at the firewall and for running an IDS. The SQL injection attack demonstrates why security must be part of application development. And the ophcrack tool illustrates why physical security is important and why the principle of least privileges is important. Putting tech support staff into the domain admins group violates the concept of least privileges and makes the privilege escalation script possible. If you wish to delve deeper into hacking and penetration testing, you may wish to read Penetration Testing Fundamentals: A Hands-On Guide to Reliable Security Audits, also from Pearson and from the same author as this current book.

Test Your Skills

Multiple Choice Questions

1. Elizabeth is describing web-based attacks to a group of students in a computer security course. What does an SQL injection attack require?

A. Having database admin privileges

B. Creating an SQL statement that is always true

C. Creating an SQL statement that will force access

D. Understanding web programming

2. Juan is using a rainbow table to circumvent passwords on a Windows computer. What is the best description of a rainbow table?

A. A table of precomputed hashes

B. A brute-force password attack

C. A dictionary attack on passwords

D. A multi-pronged attempt to crack passwords

3. You are responsible for security on an e-commerce system. You want to mitigate as many attacks as you can. How can you prevent cross-site scripting?

A. Filter user input.

B. Use an IDS.

C. Use a firewall.

D. It cannot be prevented.

4. What is an advantage of using Shodan.io?

A. It is free.

B. It can check for a wide range of vulnerabilities.

C. It is designed for Windows systems.

D. It includes an IDS.

5. Perez is exploring different password cracking tools. A friend has told him about ophcrack. ophcrack depends on the attacker doing what?

A. Getting physical access to the machine

B. Getting domain admin privileges

C. Using social engineering

D. Using a scanning tool

6. If you wish to view items that have been removed from a website, what is the best way to do so?

A. Use Nessus.

B. Use Nmap.

C. Use www.netcraft.com.

D. Use www.archive.org.

7. Malek needs a port scanner so he can scan open ports on his own network. Which of the following is a popular port scanner?

A. Nessus

B. ophcrack

C. MBSA

D. Nmap

8. Jane wants to mitigate as many attacks as she can. A colleague suggested that she block ICMP packets. Blocking incoming ICMP packets will prevent what type of scan?

A. SYN

B. Ping

C. FIN

D. Stealth

9. It is important that you understand cybersecurity terminology, including terms for different actors in cybersecurity. What is the correct term for a person who uses hacking techniques for illegal activities?

A. A hacker

B. A gray hat hacker

C. A phreaker

D. A cracker

10. What is the term for a person who hacks into phone systems?

A. A hacker

B. A gray hat hacker

C. A phreaker

D. A cracker

11. Penelope is teaching an introductory cybersecurity course and is trying to explain the terminology to students. What is the term for a person who uses tools to hack without understanding the underlying technology?

A. A script kiddy

B. A gray hat hacker

C. A novice

D. A white hat hacker

12. What is the name for the process of trying to list all the servers on a network?

A. Port scanning

B. Enumeration

C. Vulnerability scanning

D. Scouting

13. Terrance is performing a scan. What response will a Windows machine give to a FIN scan?

A. ACK

B. None

C. SYN

D. RST

14. Jaron is trying to do a port scan of his own company. He wants to test to see if the company’s security systems will be able to detect his scan. Which of the following is considered the stealthiest port scan?

A. SYN

B. Connect

C. Ping

D. Nmap

15. What is the stealthiest way to find out what type of server a website is running?

A. Use Nmap.

B. Use Cain and Abel.

C. Use www.netcraft.com.

D. Use www.archive.org.

Exercises

EXERCISE 6.1: Using www.archive.org

This exercise gives you practice using www.archive.org. Go to www.archive.org and pull up at least two previous versions of your college’s/university’s website. What information can you find that is no longer on the website?

EXERCISE 6.2: Using Nmap

This exercise introduces you to the Nmap tool. You should download and install Nmap. Then run at least three different scans on either your own computer or a designated lab computer. (While it is not illegal to scan a computer, doing so may violate security policies for some colleges and universities. Make certain you scan only a designated lab computer.)

EXERCISE 6.3: Using ophcrack

Download ophcrack to a CD. Then reboot your own machine to the ophcrack CD and attempt to crack your own local passwords. (It is critical that you do this only on your own machine or a designated lab machine. Doing this on other machines would probably violate security policies at your college/university/company.)

EXERCISE 6.4: Using Netcraft.com

Visit www.netcraft.com and do a search on at least three different websites of your choosing. Note what information you are able to gather about each website.

Projects

PROJECT 6.1: Passive Reconnaissance

Select a local organization and conduct passive reconnaissance on it. This should include searching job boards, the organization’s own website, user groups/bulletin boards, social networking sites, www.archive.org, and more. Gather as much information about the target network as you can.

PROJECT 6.2: Port Scanners

Use your favorite search engine to locate at least two other port scanners besides Nmap. Download and install them and then try them on your own machine or a designated lab computer. Compare and contrast these tools to Nmap. Are they easier to use? More informative?

Case Study

Jane is a hacker intent on breaking into XYZ Corporation. She uses a variety of passive reconnaissance techniques and gathers extensive information about the company. Jane finds out from network administrator questions/comments in user groups the model of routers being used in the company. She finds a complete list of the IT staff and their phone numbers from a personnel directory on the company website. She also finds out what services are running by using a port scan.

Based on this scenario, consider the following questions:

  1. What reasonable steps could the company have taken to prevent Jane from finding out router models and other company hardware?

  2. What steps should the company take to prevent or at least reduce the efficacy of port scans?
