Unit 3 - Notes
INT244
Unit 3: Enumeration, System Hacking, Malware
1. Enumeration
Enumeration is the phase of the hacking lifecycle that follows footprinting and scanning. While scanning identifies active systems and open ports, enumeration involves actively connecting to the system to acquire more detailed information. It is considered an aggressive step because it involves direct interaction with the target system.
Goal: To gather specific data such as:
- Usernames and Group names
- Hostnames
- Network shares and services
- Routing tables
- Application versions and configurations
Windows Enumeration
Windows environments rely heavily on specific protocols for resource sharing and identification, making them prime targets for enumeration.
- NetBIOS (Network Basic Input/Output System):
- Operates on ports 137, 138, and 139.
- Allows applications on different computers to communicate within a LAN.
- NetBIOS Null Session: An unauthenticated connection (using a null user and password) to the IPC$ (Inter-Process Communication) share. If successful, attackers can list users, shares, and policies.
- Tools: nbtstat, SuperScan, Hyena.
- Command: nbtstat -a <IP_Address> (displays the NetBIOS name table).
- SMB (Server Message Block):
- Operates on port 445 (over TCP/IP).
- Used for file sharing and printer services.
- Enumeration can reveal shared folders, version information, and access controls.
- RPC (Remote Procedure Call):
- Operates on port 135.
- Allows a program on one computer to execute code on a remote system.
Enumeration with SNMP (Simple Network Management Protocol)
SNMP is used to manage network devices (routers, switches, servers). If misconfigured, it leaks massive amounts of system information.
- Components:
- Manager: The console used to monitor devices.
- Agent: The software running on the device being monitored.
- MIB (Management Information Base): A database containing the information (objects) the device maintains.
- OIDs (Object Identifiers): Numeric strings that identify specific objects within the MIB.
- Community Strings:
- SNMP uses "community strings" as a form of password.
- Public: Read-only access (often the default).
- Private: Read-write access (allows configuration changes).
- Vulnerability: Attackers guess default strings ("public", "private", "manager") to read the MIB.
- Data Extracted: Network interfaces, ARP tables, routing tables, device uptime, and installed software.
- Tools: snmpwalk, OpUtils, SolarWinds.
LDAP and Directory Service Enumeration
Lightweight Directory Access Protocol (LDAP) is used to query directory services like Microsoft Active Directory.
- Ports: TCP 389 (Standard) and 636 (SSL).
- Structure: Hierarchical tree structure.
- DN: Distinguished Name.
- CN: Common Name.
- DC: Domain Component.
- Enumeration Risk: An attacker can query the directory to find valid usernames, email addresses, department structures, and group memberships.
- Tools: JXplorer, Softerra LDAP Browser, nmap scripts.
SMTP Enumeration
Simple Mail Transfer Protocol (SMTP) handles email transmission. It often provides built-in commands that confirm the existence of users on a system.
- Port: TCP 25.
- Key Commands:
- VRFY (Verify): Validates whether a user exists on the mail server.
- EXPN (Expand): Reveals the actual delivery address of aliases and mailing lists.
- RCPT TO (Recipient To): Defines the recipient; server responses can indicate if the user exists.
- Countermeasure: Administrators typically disable VRFY and EXPN on public-facing mail servers to prevent directory harvesting.
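The countermeasure above is to disable VRFY and EXPN, but RCPT TO cannot be disabled, so a mail administrator also wants to spot harvesting in the logs. The following is an added example (not part of these notes or any mail server product) that scores each client IP by its VRFY/EXPN count and by RCPT TO probing that never proceeds to DATA; the log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (not from a real server), one SMTP command per line as
# "<timestamp> <client_ip> <command> <argument>": 203.0.113.5 probes with VRFY/EXPN,
# 192.0.2.9 probes recipients with RCPT TO and never sends, 198.51.100.7 is normal.
SAMPLE_LOG = """\
2024-01-01T10:00:02 203.0.113.5 VRFY alice
2024-01-01T10:00:02 203.0.113.5 VRFY bob
2024-01-01T10:00:03 203.0.113.5 EXPN staff
2024-01-01T10:00:03 203.0.113.5 VRFY carol
2024-01-01T10:00:04 203.0.113.5 VRFY dave
2024-01-01T10:01:01 198.51.100.7 RCPT TO:<alice@example.test>
2024-01-01T10:01:02 198.51.100.7 DATA
2024-01-01T10:02:01 192.0.2.9 RCPT TO:<alice@example.test>
2024-01-01T10:02:01 192.0.2.9 RCPT TO:<bob@example.test>
2024-01-01T10:02:02 192.0.2.9 RCPT TO:<carol@example.test>
2024-01-01T10:02:02 192.0.2.9 RCPT TO:<dave@example.test>
2024-01-01T10:02:03 192.0.2.9 RCPT TO:<erin@example.test>
"""
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+)(?: (.*))?$")

def parse_lines(log_text):
    """Yield (timestamp, client_ip, command, argument) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4) or ""

def probe_scores(log_text):
    """Per client IP: VRFY/EXPN count, distinct RCPT TO targets, whether DATA was sent."""
    scores = defaultdict(lambda: {"vrfy_expn": 0, "rcpt": set(), "data": False})
    for _, ip, cmd, arg in parse_lines(log_text):
        s = scores[ip]
        if cmd in ("VRFY", "EXPN"):
            s["vrfy_expn"] += 1
        elif cmd == "RCPT":
            s["rcpt"].add(arg.lower())
        elif cmd == "DATA":
            s["data"] = True
    return dict(scores)

def flag_harvesters(log_text, probe_threshold=5, rcpt_threshold=5):
    """Return [(ip, reason)] for clients whose command pattern looks like harvesting."""
    flagged = []
    for ip, s in probe_scores(log_text).items():
        if s["vrfy_expn"] >= probe_threshold:
            flagged.append((ip, "VRFY/EXPN probing"))
        elif len(s["rcpt"]) >= rcpt_threshold and not s["data"]:
            flagged.append((ip, "RCPT TO enumeration without DATA"))
    return sorted(flagged)
```

The thresholds are deliberately low for the sample; on a real server they should be tuned against normal sending volume so that legitimate bulk senders are not flagged.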
2. System Hacking
System hacking is the process of gaining access to a system, escalating privileges, executing applications, and hiding the malicious activity. It typically follows the enumeration phase.
The Methodology (CEH Framework)
- Gaining Access: Bypassing security controls (password cracking, exploit injection).
- Escalating Privileges: Moving from a standard user to an Administrator/Root.
- Executing Applications: Installing malware, backdoors, or tools.
- Hiding Files: Using steganography or modifying file attributes.
- Covering Tracks: Deleting logs to avoid detection.
Password Cracking
The process of recovering passwords from data stored in or transmitted by a computer system.
Types of Attacks:
- Non-Electronic: Social engineering, shoulder surfing, dumpster diving.
- Dictionary Attack: Uses a file containing common words (dictionary) as input.
- Brute Force: Tries every possible combination of characters. Computationally expensive but theoretically guaranteed to succeed eventually.
- Hybrid Attack: Combines dictionary words with numbers or symbols (e.g., "Password123").
- Rainbow Tables: Uses pre-computed hash tables. This drastically reduces the time needed to crack a password (time-memory tradeoff) but requires large storage.
- Rule-Based: Uses information gathered about the target (birthdays, pet names) to generate guesses.
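The rainbow-table entry above describes a time-memory tradeoff; the example below (added here, not part of these notes or any cracking tool) builds a toy table over 4-digit PINs hashed with unsalted SHA-256, stores only chain endpoints, recovers a PIN from its bare hash, and then shows that the same lookup fails once a per-user salt is mixed into the hash. The keyspace, chain length, and salt value are constructed for the demonstration; the reason this matters for the Windows section that follows is that NT hashes are unsalted, so precomputation works against them.

```python
import hashlib

# Toy keyspace: every 4-digit PIN, hashed with unsalted SHA-256. Chain and table
# sizes are kept small so the demo runs in well under a second.
KEYSPACE = 10_000
CHAIN_LEN = 40
NUM_CHAINS = 300

def pin_hash(pin, salt=""):
    """Hash a PIN; the optional salt stands in for a per-user salt applied at storage time."""
    return hashlib.sha256((salt + pin).encode()).hexdigest()

def reduce_to_pin(digest, position):
    """Reduction function: map a digest back into the keyspace. Mixing in the column
    position gives each column its own reduction (the "rainbow" refinement)."""
    return f"{(int(digest[:12], 16) + position) % KEYSPACE:04d}"

def build_table(num_chains=NUM_CHAINS, chain_len=CHAIN_LEN):
    """Precompute chains; only endpoint -> start points is stored, not every hash."""
    table = {}
    for i in range(num_chains):
        start = pin = f"{(i * 7919) % KEYSPACE:04d}"  # spread starts over the keyspace
        for pos in range(chain_len):
            pin = reduce_to_pin(pin_hash(pin), pos)
        table.setdefault(pin, []).append(start)  # chains may merge; keep every start
    return table

def lookup(table, target, chain_len=CHAIN_LEN):
    """Recover the PIN behind an unsalted hash, or None if no chain covers it."""
    for i in range(chain_len - 1, -1, -1):
        # Assume the target sits at column i; walk the rest of the chain to its endpoint.
        endpoint = reduce_to_pin(target, i)
        for pos in range(i + 1, chain_len):
            endpoint = reduce_to_pin(pin_hash(endpoint), pos)
        for start in table.get(endpoint, []):
            # Candidate chain: rebuild it from its start and look for the target hash.
            pin = start
            for pos in range(chain_len):
                if pin_hash(pin) == target:
                    return pin
                pin = reduce_to_pin(pin_hash(pin), pos)
    return None
```

With a salt the attacker would need a separate table per salt value, which is exactly the storage cost the tradeoff was meant to avoid.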
Authentication on Microsoft Platforms
Microsoft systems store passwords as hashes, not plaintext.
- SAM (Security Account Manager):
- A database file located at %SystemRoot%\System32\config\SAM.
- Stores local user account passwords.
- Access is locked while the OS is running; attackers must dump it from memory or boot from an external drive.
- Hashing Algorithms:
- LM (LAN Manager): Legacy, very weak. Passwords are split into 7-character chunks, converted to uppercase, and hashed. Easy to crack.
- NTLM (NT LAN Manager): The successor to LM.
- NTLMv1: Uses MD4/DES. Vulnerable to interception.
- NTLMv2: Current standard for non-Kerberos environments. Adds HMAC-MD5 for better security.
- Kerberos:
- The default authentication protocol for Active Directory.
- Relies on a trusted third party (Key Distribution Center - KDC).
- Uses Tickets (TGT - Ticket Granting Ticket) rather than passing password hashes over the network.
- Vulnerability: Golden Ticket attacks (forging a TGT to gain unlimited access).
Executing Applications
Once access is gained, the attacker executes malicious applications to maintain control or steal data.
- Remote Execution: Using tools like PsExec or vulnerabilities to run commands on the target without physical access.
- Keyloggers: Software or hardware that records keystrokes to steal passwords and sensitive data.
- Spyware: Gathers information about a person or organization without their knowledge.
- Rootkits:
- Designed to hide the existence of certain processes or programs from normal methods of detection.
- Can operate at the User Mode (Application level) or Kernel Mode (OS level—hardest to detect and remove).
3. Malware (Malicious Software)
Malware is an umbrella term for any software designed to cause damage to a computer, server, client, or computer network.
Malware and the Law
Legal frameworks vary globally, but most jurisdictions have specific laws regarding malware.
- CFAA (Computer Fraud and Abuse Act - USA): Makes it illegal to access a computer without authorization or in excess of authorization. Distributing malware that causes damage or loss is a felony.
- Intent vs. Research: Writing malware code is generally not illegal in isolation (educational/research purposes). However, deploying it, selling it for malicious use, or using it to damage systems is a crime.
- Damages: Courts look for financial loss, impairment of medical treatment, or threats to public safety.
Categories of Malware
1. Viruses
- Definition: A program that replicates by inserting its own code into other programs (host files).
- Mechanism: Requires user interaction (e.g., clicking a file) to spread.
- Types:
- File Infector: Attaches to .exe or .com files.
- Boot Sector Virus: Infects the Master Boot Record (MBR).
- Macro Virus: Embedded in documents (Word, Excel) using macro languages like VBA.
- Polymorphic Virus: Changes its code signature each time it replicates to evade antivirus detection.
2. Worms
- Definition: A standalone malware computer program that replicates itself in order to spread to other computers.
- Mechanism: Does not need a host file or user interaction. It uses network vulnerabilities (like the EternalBlue exploit) to propagate automatically.
- Impact: Consumes network bandwidth and creates botnets.
3. Trojans (Trojan Horse)
- Definition: Malware that misleads users of its true intent. It disguises itself as legitimate software (e.g., a free game or screensaver).
- Mechanism: Does not replicate. It relies on social engineering.
- Payload: Can create backdoors (RAT - Remote Access Trojan), steal data, or delete files.
4. Spyware
- Definition: Software that aids in gathering information about a person or organization without their knowledge.
- Function: Monitors web browsing, captures keystrokes, and harvests login credentials.
5. Adware
- Definition: Advertising-supported software.
- Function: Automatically renders advertisements (pop-ups, banners) in the user interface. While often just annoying, it can degrade performance and track user behavior (crossing into spyware).
6. Scareware
- Definition: Malware that uses social engineering to cause shock, anxiety, or the perception of a threat.
- Example: Fake antivirus pop-ups claiming, "Your computer is infected! Click here to clean," which actually installs malware or steals credit card info.
7. Ransomware
- Definition: Malware that denies access to a computer system or data until a ransom is paid.
- Mechanism:
- Crypto-ransomware: Encrypts files (AES/RSA) and demands payment (usually Bitcoin) for the decryption key.
- Locker-ransomware: Locks the user out of the operating system interface.
4. Overt and Covert Channels
This concept relates to how data is transmitted and how security can be bypassed.
Overt Channels
- Definition: The normal, legitimate, and authorized methods of communication within a system or network.
- Example: Transferring a file over FTP port 21, or browsing a website over HTTP port 80. Security policies usually monitor and control these channels.
Covert Channels
- Definition: A method of communication that is not intended for information transfer, used to leak data or send commands secretly, bypassing security monitors (firewalls/IDS).
- Types:
- Covert Storage Channels: Hiding data within the protocol headers of a packet.
- Example: Manipulating the TCP "Sequence Number" field or the IP "Identification" field to carry ASCII characters.
- Covert Timing Channels: Relaying information by modulating the timing of events or system resources.
- Example: Sending packets at specific intervals (e.g., a 1-second delay = 1, a 2-second delay = 0) to reconstruct binary data at the receiving end.
- Tunneling: Encapsulating a forbidden protocol inside a permitted one (e.g., running SSH over DNS port 53).
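The timing-channel example above (1 s gap = 1, 2 s gap = 0) is concrete enough to work through. The code below is an added example, not part of these notes: it turns constructed packet timestamps into inter-arrival gaps, decodes them with that alphabet, and then applies the kind of heuristic a network monitor can use to flag such a flow, namely that almost every gap falls into one of only two timing bins. The timestamps, tolerance, and bin width are assumptions made for the demonstration.

```python
from collections import Counter

# Constructed example (not real captures): packet send times in seconds for one
# flow, encoded with the scheme above (1 s gap = bit 1, 2 s gap = bit 0). The
# eight gaps spell ASCII "H" (01001000), most significant bit first.
COVERT_TIMESTAMPS = [0.0, 2.0, 3.0, 5.0, 7.0, 8.0, 10.0, 12.0, 14.0]
# Ordinary, irregular traffic for comparison.
NORMAL_TIMESTAMPS = [0.0, 0.3, 1.7, 1.9, 4.2, 4.25, 6.8, 9.1, 9.2]

def inter_arrival(timestamps):
    """Gaps between consecutive packets."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def decode_bits(timestamps, one=1.0, zero=2.0, tolerance=0.25):
    """Map each gap to a bit; raise if a gap matches neither symbol (jitter, not a channel)."""
    bits = []
    for gap in inter_arrival(timestamps):
        if abs(gap - one) <= tolerance:
            bits.append(1)
        elif abs(gap - zero) <= tolerance:
            bits.append(0)
        else:
            raise ValueError(f"gap of {gap:.2f}s matches neither symbol")
    return bits

def bits_to_text(bits):
    """Pack whole groups of 8 bits (MSB first) into ASCII characters."""
    return "".join(chr(int("".join(map(str, bits[i:i + 8])), 2))
                   for i in range(0, len(bits) - len(bits) % 8, 8))

def looks_like_timing_channel(timestamps, bin_width=0.5, min_gaps=8, coverage=0.9):
    """Detection heuristic: nearly every gap lands in one of just two timing bins.
    Interactive traffic spreads across many bins; a two-symbol channel does not."""
    gaps = inter_arrival(timestamps)
    if len(gaps) < min_gaps:
        return False
    bins = Counter(round(g / bin_width) for g in gaps)
    top_two = sum(n for _, n in bins.most_common(2))
    return top_two / len(gaps) >= coverage
```

The heuristic will also fire on legitimately periodic traffic such as keepalives, so in practice it is one signal to correlate with destination, volume, and the expected behaviour of the application, not a verdict on its own.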