CSEN3041 Ethical Hacking
Prof. NAGANATHAN E R
Room No.: SB431
[email protected]
9443111370
Course Syllabus
• Module I: Finding Vulnerabilities (B1 Ch 0,5,6)
➢ The Stages of the Penetration Test - Chapter 0
➢ Open-Source Intelligence Gathering - Chapter 5
✓ Port Scanning
➢ Finding Vulnerabilities - Chapter 6
✓ Nessus, The Nmap Scripting Engine, Running a Single NSE Script, Metasploit Scanner
Modules, Metasploit Exploit Check Functions, Web Application Scanning, Manual
Analysis
• Module II: (B1 Ch 7, 8)
➢ Capturing Traffic - Chapter 7
✓ Networking for Capturing Traffic, Using Wireshark, ARP Cache Poisoning, DNS Cache
Poisoning, SSL Attacks, SSL Stripping
➢ Exploitation - Chapter 8
✓ MS08-067, Exploiting WebDAV Default Credentials, Exploiting Open phpMyAdmin,
Downloading Sensitive Files, Exploiting a Buffer Overflow in Third-Party Software,
Exploiting Third-Party Web Applications, Exploiting a Compromised Service, Exploiting
Open NFS Shares
• Module III: (B1 Ch 9, 10)
➢ Password Attacks - Chapter 9
✓ Password Management, Online Password Attacks, Offline Password Attacks, Dumping
Plaintext Passwords from Memory with Windows Credential Editor
➢ Client-Side Exploitation - Chapter 10
✓ Bypassing Filters with Metasploit Payloads, Client-Side Attacks
• Module IV: (B1 Ch 11, 13)
➢ Social Engineering - Chapter 11
✓ The Social-Engineer Toolkit, Spear-Phishing Attacks, Web Attacks, Mass Email Attacks
➢ Post Exploitation - Chapter 13
✓ Meterpreter, Meterpreter Scripts, Metasploit Post-Exploitation Modules, Local Privilege
Escalation, Local Information Gathering, Lateral Movement, Pivoting, Persistence
• Module V: (B1 Ch 15, 16)
➢ Wireless Attacks - Chapter 15
✓ Monitor Mode, Capturing Packets, Open Wireless, Wired Equivalent Privacy, Wi-Fi
Protected Access, WPA2, Wi-Fi Protected Setup
➢ A Stack-Based Buffer Overflow in Linux - Chapter 16
✓ Memory Theory, Linux Buffer Overflow
Books for this Syllabus
Books
1. Georgia Weidman, Penetration Testing: A Hands-On Introduction to Hacking, No Starch Press, 2014.
2. Peter Kim, The Hacker Playbook 2: Practical Guide to Penetration Testing, Secure Planet LLC, 2015.
References:
R1. Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gray Hat Hacking: The Ethical Hacker's Handbook, 3/e, McGraw Hill, 2011.
Assessment Scheme
#   Assessment Method           Weightage (100%)   Tentative dates
1   Quiz 1                      4%                 22nd July, 2024
2   Assignment 1                5%                 Announcement: 1st Aug, 2024; Submission: 8th Aug, 2024
3   Quiz 2                      4%                 12th Aug, 2024
4   Quiz 3                      4%                 2nd Sep, 2024
5   Case Study / Mini Project   10%                Announcement: 4th Sep, 2024; Submission: 27th Sep, 2024
6   Quiz 4                      4%                 30th Sep, 2024
7   Assignment 2                5%                 Announcement: 14th Oct, 2024; Submission: 21st Oct, 2024
8   Quiz 5                      4%                 25th Oct, 2024
9   Mid Term                    30%                9th Sep, 2024
10  End Semester                30%                8th Nov, 2024
Courses Online – Sample List
● Youtube: https://www.youtube.com/@TCMSecurityAcademy
● FutureLearn: Ethical Hacking: An Introduction
● Coursera: Ethical Hacking Essentials (EC Council)
● Coursera: Penetration Testing, Incident Response and Forensics (IBM)
● https://www.mygreatlearning.com/academy/learn-for-free/courses/introduction-to-ethical-hacking
Review
Types of Hackers
• Black Hat: Criminal Hackers
➢ Motives: to profit from data breaches
➢ Most at risk: organizations, which hackers typically target to steal sensitive data that can compromise a business financially.
• White Hat: Authorized Hackers
➢ Motives: help businesses prevent cybersecurity attacks
➢ Most at risk: criminal hackers
• Gray Hat: “Just for Fun” Hackers
➢ Motives: personal enjoyment; they may violate laws or ethical standards, but their intent is typically not malicious.
➢ Most at risk: anyone who doesn’t want unauthorized access to their systems and networks
• Green Hat: Hackers in Training
➢ Motives: to learn how to become an experienced hacker
➢ Most at risk: no one (yet)
• Blue Hat: Authorized Software Hackers
➢ Motives: to identify vulnerabilities in new organizational software before it’s released
➢ Most at risk: criminal hackers
• Red Hat: Government-Hired Hackers
➢ Motives: to find and destroy black hat hackers
➢ Most at risk: black hat hackers
• Script Kiddies: Amateur Hackers
➢ Motives: to cause disruption
➢ Most at risk: organizations with unsecured networks and systems
• State/Nation Sponsored Hackers: International Threat Prevention Hackers
➢ Motives: to monitor and prevent international threats
➢ Most at risk: international hackers and criminals
• Malicious Insider: Whistleblower Hackers
➢ Motives: to expose or exploit an organization’s confidential information
➢ Most at risk: internal executives and business leaders
• Hacktivists: Politically Motivated Hackers
➢ Motives: to shed light on an alarming social or political cause (or to make a political or ideological statement)
➢ Most at risk: government agencies
• Cryptojackers: Cryptocurrency Mining Hackers
➢ Motives: cryptocurrency mining
➢ Most at risk: any individual or organization with unsecured networks
• Gaming Hackers: Hackers of the Gaming World
➢ Motives: to compromise gaming competitors
➢ Most at risk: high-profile gamers
• Botnets: Large-Scale Hackers
➢ Motives: to compromise a high volume of network systems
➢ Most at risk: individuals with unsecured routers and WiFi-connected devices
• Elite Hackers: The Most Advanced Hackers
➢ Motives: to perform advanced cyberattacks on organizations and individuals
➢ Most at risk: high-revenue corporations
Penetration Testing
• As technology continues to advance, so do the methods of cybercriminals looking to exploit vulnerabilities in digital systems.
• This is where penetration testing comes in.
• A penetration test is a simulated attack on a computer system, carried out to identify security weaknesses before malicious hackers can exploit them. Penetration testing is a critical component of any cybersecurity strategy.
Penetration Testing: Case Studies
• Case Study 1: Target Corporation
• In 2013, Target Corporation suffered a massive data breach that compromised the personal
and financial information of over 70 million customers. The breach was caused by a
vulnerability in the company's payment system, which allowed hackers to steal credit card
data as it was being transmitted between Target's point-of-sale terminals and its servers.
• The Target breach serves as a cautionary tale about the importance of regular penetration
testing. A vulnerability scan conducted before the attack identified the vulnerability that the
hackers exploited, but it was not prioritized for immediate remediation. This delay allowed the
attackers to infiltrate the system and steal sensitive data.
• Lessons Learned: Regular penetration testing is critical for identifying vulnerabilities, but it's
equally important to prioritize remediation efforts based on the severity of the vulnerabilities.
• Case Study 2: Equifax
• In 2017, credit reporting agency Equifax suffered a massive data breach that exposed the
personal and financial information of 147 million customers. The breach was caused by a
vulnerability in the company's web application framework, which allowed hackers to access
sensitive data stored on the company's servers.
• The Equifax breach highlights the importance of thorough penetration testing. A vulnerability
scan conducted prior to the attack failed to identify the specific vulnerability that the hackers
exploited. Had the company conducted more extensive testing, it may have been able to
identify and remediate the vulnerability before the attack occurred.
• Lessons Learned: Thorough penetration testing is necessary to identify all vulnerabilities in a
system, and it's important to conduct testing on a regular basis to ensure that new
vulnerabilities are not introduced over time.
Source: https://www.emagined.com/blog
• Case Study 3: The Democratic National Committee
• In 2016, the Democratic National Committee (DNC) suffered a data breach that exposed
sensitive information about the organization and its members. The breach was caused by a
spear-phishing attack, in which hackers sent fake emails to DNC employees in an attempt to
trick them into revealing their login credentials.
• The DNC breach highlights the importance of training employees to recognize and avoid
common cyberattacks. While penetration testing can help identify vulnerabilities in a system,
it's also important to ensure that employees are equipped with the knowledge and skills to
prevent attacks from succeeding in the first place.
• Lessons Learned: Employee training is a critical component of any cybersecurity strategy, and
regular phishing simulations can help ensure that employees are prepared to recognize and
avoid attacks.
Source: https://www.emagined.com/blog
• Case Study 4: SolarWinds
• In 2020, SolarWinds, a popular software provider, suffered a supply chain attack that affected
numerous government agencies and private companies. The attackers were able to
compromise SolarWinds' software development process, inserting malicious code into
software updates that were then distributed to customers.
• The SolarWinds attack highlights the importance of not only conducting penetration testing
on your own systems but also on any third-party systems or software that you rely on. While
SolarWinds was not the direct target of the attack, its failure to detect the malicious code
before it was distributed to customers had severe consequences.
• Lessons Learned: It's important to conduct thorough security assessments of any third-party
systems or software that you rely on, and to ensure that these systems are regularly updated
and patched to address any vulnerabilities.
Source: https://www.emagined.com/blog
Module I
Finding Vulnerabilities
Penetration Testing
• Penetration testing, or pentesting, involves simulating real attacks to assess the risk associated with potential security breaches.
• On a pentest (as opposed to a vulnerability assessment), the testers not only discover vulnerabilities that could be used by attackers but also exploit vulnerabilities, where possible, to assess what attackers might gain after a successful exploitation.
• The penetration testing process covers everything needed to assess existing defense mechanisms and prevent future hackers from gaining access to the system. The penetration testing steps below follow what is described in the Penetration Testing Standard.
• Pentesting begins with the pre-engagement phase, which involves talking to the client about
their goals for the pentest, mapping out the scope (the extent and parameters of the test),
and so on. When the pentester and the client agree about scope, reporting format, and other
topics, the actual testing begins.
• Miscommunication between a pentester and a client who expects a simple vulnerability scan
could lead to a sticky situation because penetration tests are much more intrusive.
Penetration Testing vs QA Testing
• Quality plays an integral role in the world of technology, without a doubt. QA is a way of preventing mistakes and defects in manufactured products and of avoiding problems when delivering products or services to customers. Hence, it is a critical step in the software development process. It makes sure that the quality of the product or project is nothing short of excellent.
• Penetration Testing is a type of security testing used to uncover vulnerabilities, threats and
risks that an attacker could exploit in software applications, networks or web applications. The
goal is to identify and test all possible security vulnerabilities that are present in the software
application. It’s a given that it is quite important for website and app development.
Stages of the Penetration Test
Pre-engagement interactions
• One often-overlooked step in penetration testing is pre-engagement interactions, or scoping. During this pre-phase, a penetration testing company will outline the logistics of the test, expectations, legal implications, and the objectives and goals the customer would like to achieve.
• During the Pre-Engagement phase, the penetration testers should work with your
company to fully understand any risks, your organizational culture, and the best
pentesting strategy for your organization. You may want to perform a white box, black
box, or gray box penetration test. It is at this stage when the planning occurs along
with aligning your goals to specific pentesting outcomes.
Reconnaissance or Open Source Intelligence (OSINT) Gathering
• Reconnaissance or Open Source Intelligence (OSINT) gathering is an important first step in penetration testing. A pentester works on gathering as much intelligence as possible on your organization and the potential targets for exploitation.
• Depending on which type of pentest you agree upon, your penetration tester may have varying degrees
of information about your organization or may need to identify critical information on their own to
uncover vulnerabilities and entry points in your environment.
• Common intelligence gathering techniques include:
➢ Search engine queries, Domain name searches/WHOIS lookups, Social Engineering, Tax Records
➢ Internet Footprinting: email addresses, usernames, social networks
➢ Internal Footprinting: ping sweeps, port scanning, reverse DNS, packet sniffing
➢ Dumpster Diving
➢ Tailgating
• A pentester uses an exhaustive checklist for finding open entry points and vulnerabilities within the
organization. The OSINT Framework provides a plethora of details for open information sources.
Threat Modeling & Vulnerability Identification
• During the threat modeling and vulnerability identification phase, the tester identifies targets and maps
the attack vectors. Any information gathered during the Reconnaissance phase is used to inform the
method of attack during the penetration test.
• The most common areas a pentester will map and identify include:
• Business assets – identify and categorize high-value assets
➢ Employee data
➢ Customer data
➢ Technical data
• Threats – identify and categorize internal and external threats
➢ Internal threats – Management, employees, vendors, etc.
➢ External threats – Ports, Network Protocols, Web Applications, Network Traffic, etc.
• A pentester will often use a vulnerability scanner to complete a discovery and inventory on the security
risks posed by identified vulnerabilities. Then the pentester will validate if the vulnerability is
exploitable. The list of vulnerabilities is shared at the end of the pentest exercise during the reporting phase.
Exploitation
• With a map of all possible vulnerabilities and entry points, the pentester begins to test the exploits found within your network, applications, and data. The goal for the ethical hacker is to see exactly how far they can get into your environment, identify high-value targets, and avoid any detection.
• If you established a scope initially, then the pentester will only go as far as determined by the
guidelines you agreed upon during the initial scoping. For example, you may define in your scope to not
pentest cloud services or avoid a zero-day attack simulation.
• Some of the standard exploit strategies include:
➢ Web Application Attacks, Network Attacks, Memory-based attacks, Wi-Fi attacks, Zero-Day Angle
➢ Physical Attacks
➢ Social engineering
• The ethical hacker will also review and document how vulnerabilities are exploited as well as explain the techniques and tactics used to obtain access to high-value targets. Finally, during the exploitation phase, the ethical hacker should explain with clarity what the results were from the exploit on high-value targets.
Post-Exploitation, Risk Analysis & Recommendations
• After the exploitation phase is complete, the goal is to document the methods used to gain access to
your organization’s valuable information. The penetration tester should be able to determine the value
of the compromised systems and any value associated with the sensitive data captured.
• Some pentesters are unable to quantify the impact of accessing data or are unable to provide
recommendations on how to remediate the vulnerabilities within the environment. Make sure you ask
to see a sanitized penetration testing report that clearly shows recommendations for fixing security
holes and vulnerabilities.
• Once the penetration testing recommendations are complete, the tester should clean up the
environment, reconfigure any access he/she obtained to penetrate the environment, and prevent
future unauthorized access into the system through whatever means necessary.
• Typical cleanup activities include:
• Removing any executables, scripts, and temporary files from compromised systems
• Reconfiguring settings back to the original parameters prior to the pentest
• Eliminating any rootkits installed in the environment
• Removing any user accounts created to connect to the compromised system
Reporting
• Reporting is often regarded as the most critical aspect of a pentest. It’s where you will obtain written
recommendations from the penetration testing company and have an opportunity to review the
findings from the report with the ethical hacker(s).
• The findings and detailed explanations from the report will offer you insights and opportunities to
significantly improve your security posture. The report should show you exactly how entry points were
discovered from the OSINT and Threat Modeling phase as well as how you can remediate the security
issues found during the Exploitation phase.
• The pentest report should include both an executive summary and a technical report.
Executive Summary
The executive summary describes the goals of the test and offers a high-level overview of the findings. The intended audience is the executives in charge of the security program. The executive summary includes:
• Background: A description of the purpose of the test and definitions of any terms that may be
unfamiliar to executives, such as vulnerability and countermeasure.
• Overall posture: An overview of the effectiveness of the test, the issues found (such as exploiting the
MS08-067 Microsoft vulnerability), and general issues that cause vulnerabilities, such as a lack of patch
management.
• Risk profile: An overall rank of the organization’s security posture compared to similar organizations
with measures such as high, moderate, or low. You should also include an explanation of the ranking.
• General findings: A general synopsis of the issues identified along with statistics and metrics on the
effectiveness of any countermeasures deployed.
• Recommendation summary: A high-level overview of the tasks required to remediate the issues
discovered in the pentest.
• Strategic road map: Give the client short- and long-term goals to improve their security posture. For example, you might tell them to apply certain patches now to address short-term concerns, but without a long-term plan for patch management, the client will be in the same position after new patches have been released.
Technical Report
The technical report includes:
• Introduction: An inventory of details such as scope, contacts, and so on.
• Information gathering: Details of the findings in the information gathering phase. Of particular interest
is the client’s Internet footprint.
• Vulnerability assessment: Details of the findings of the vulnerability analysis phase of the test.
• Exploitation/vulnerability verification: Details of the findings from the exploitation phase of the test.
• Post exploitation: Details of the findings of the post-exploitation phase of the test.
• Risk/exposure: A quantitative description of the risk discovered. This section estimates the loss if the
identified vulnerabilities were exploited by an attacker.
• Conclusion: A final overview of the test.
Information Gathering
The success of a pentest often depends on the results of the information-gathering phase.
Open Source Intelligence Gathering
• Open-Source Intelligence (OSINT) is defined as intelligence produced by collecting, evaluating
and analyzing publicly available information with the purpose of answering a specific
intelligence question.
• Open Source Intelligence (OSINT) is a method of gathering information from public or other open
sources, which can be used by security experts, national intelligence agencies, or cybercriminals. When
used by cyber defenders, the goal is to discover publicly available information related to their
organization that could be used by attackers, and take steps to prevent those future attacks.
• OSINT leverages advanced technology to discover and analyze massive amounts of data, obtained by
scanning public networks, from publicly available sources like social media networks, and from the
deep web—content that is not crawled by search engines, but is still publicly accessible.
• OSINT tools may be open source or proprietary: the distinction should be made between open source
code and open source content. Even if the tool itself is not open source, as an OSINT tool, it provides
access to openly available content, known as open source intelligence.
OSINT sources and users
Sources:
• Public Records
• News media
• Libraries
• Social media platforms
• Images, Videos
• Websites
• The Dark web
Users:
• Government
• Law Enforcement
• Military
• Investigative journalists
• Human rights investigators
• Private Investigators
• Law firms
• Information Security
• Cyber Threat Intelligence
• Pen Testers
• Social Engineers
How Attackers and Defenders Use OSINT
• There are three common kinds of OSINT user: cybercriminals, cyber defenders, and those seeking to monitor and shape public opinion.
• How Security Teams Use OSINT
➢ For penetration testers and security teams, OSINT aims to reveal public information about internal
assets and other information accessible outside the organization. Metadata accidentally published
by your organization may contain sensitive information.
➢ For example, useful information that can be revealed through OSINT includes open ports;
unpatched software with known vulnerabilities; publicly available IT information such as device
names, IP addresses and configurations; and other leaked information belonging to the
organization.
➢ Websites outside of your organization, especially social media, contain huge amounts of relevant
information, especially information about employees. Vendors and partners may also be sharing
specific details about an organization’s IT environment. When a company acquires other
companies, their publicly available information becomes relevant as well.
• How Threat Actors Use OSINT
➢ A common use of OSINT by attackers is to retrieve personal and professional information about
employees on social media. This can be used to craft spear-phishing campaigns, targeted at
individuals who have privileged access to company resources.
➢ LinkedIn is a great resource for this type of open source intelligence, because it reveals job titles
and organizational structure. Other social networking sites are also highly valuable for attackers,
because they disclose information such as dates of birth, names of family members and pets, all of
which can be used in phishing and to guess passwords.
➢ Another common tactic is to use cloud resources to scan public networks for unpatched assets,
open ports, and misconfigured cloud datastores. If an attacker knows what they are looking for,
they can also retrieve credentials and other leaked information from sites like GitHub. Developers
who are not security conscious can embed passwords and encryption keys in their code, and
attackers can identify these secrets through specialized searches.
• How Those Seeking to Monitor and Shape Public Opinion Use OSINT
➢ In addition to cybersecurity, OSINT is also frequently used by organizations or governments seeking
to monitor and influence public opinion. OSINT can be used for marketing, political campaigns, and
disaster management.
OSINT Tools
• There are three methods commonly used to gain open intelligence data, namely passive, semi-passive and active collection methods.
• Passive Collection
➢ This is the most commonly used way to gather OSINT intelligence. It involves scraping publicly
available websites, retrieving data from open APIs such as the Twitter API, or pulling data from deep
web information sources. The data is then parsed and organized for consumption.
• Semi-Passive
➢ This type of collection requires more expertise. It directs traffic to a target server to obtain
information about the server. Scanner traffic must be similar to normal Internet traffic to avoid
detection.
• Active Collection
➢ This type of information collection interacts directly with a system to gather information about it.
Active collection systems use advanced technologies to access open ports, and scan servers or web
applications for vulnerabilities.
➢ This type of data collection can be detected by the target and reveals the reconnaissance process. It
leaves a trail in the target’s firewall, Intrusion Detection System (IDS), or Intrusion Prevention System
(IPS). Social engineering attacks on targets are also considered a form of active intelligence gathering.
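The trail that active collection leaves in a firewall log is what a defender looks for. As an added example (not from the course slides or the book), this Python script parses constructed netfilter-style log lines and flags a source that touches many distinct destination ports inside a short sliding window; the addresses, the log format and the thresholds are assumptions for the example:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format for this example; the field names follow netfilter LOG output.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return a dict for one firewall log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "action": m["action"], "src": m["src"],
            "dst": m["dst"], "proto": m["proto"], "port": int(m["dpt"])}


def detect_scans(lines, window_seconds=60, min_ports=10):
    """Flag a source that touches at least `min_ports` distinct destination ports
    within any `window_seconds` sliding window. Returns one alert per source."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        window, port_counts, alert = deque(), defaultdict(int), None
        for e in evs:
            window.append(e)
            port_counts[e["port"]] += 1
            # Drop events that fell out of the window, and ports no longer seen inside it.
            while e["ts"] - window[0]["ts"] > timedelta(seconds=window_seconds):
                old = window.popleft()
                port_counts[old["port"]] -= 1
                if port_counts[old["port"]] == 0:
                    del port_counts[old["port"]]
            if len(port_counts) >= min_ports:
                if alert is None:
                    alert = {"src": src, "first_seen": window[0]["ts"], "last_seen": e["ts"],
                             "distinct_ports": len(port_counts)}
                    alerts.append(alert)
                alert["last_seen"] = e["ts"]
                alert["distinct_ports"] = max(alert["distinct_ports"], len(port_counts))
    return alerts


def constructed_log():
    """Synthetic log: a fast scanner, a slow scanner that stays under the window, and a normal client."""
    base = datetime(2024, 7, 22, 10, 0, 0)
    ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
    lines = []
    for i, port in enumerate(ports):          # 203.0.113.5 probes 12 ports in 12 seconds
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} DROP SRC=203.0.113.5 "
                     f"DST=192.0.2.10 PROTO=TCP DPT={port}")
    for i, port in enumerate(ports):          # 203.0.113.9 probes the same ports, one every 2 minutes
        lines.append(f"{(base + timedelta(minutes=2 * i)).isoformat()} DROP SRC=203.0.113.9 "
                     f"DST=192.0.2.10 PROTO=TCP DPT={port}")
    for i in range(30):                       # 198.51.100.7 is an ordinary web client (ports 80/443)
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} ACCEPT SRC=198.51.100.7 "
                     f"DST=192.0.2.10 PROTO=TCP DPT={443 if i % 3 else 80}")
    return lines


if __name__ == "__main__":
    for alert in detect_scans(constructed_log()):
        print(alert)
```

With the default 60-second window the slow scanner is not flagged, which is the trade-off between window length and false positives that the two parameters expose; widening the window to ten minutes and lowering the port threshold catches it.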
OSINT Gathering Tools and Techniques
• Some of the OSINT tools are:
➢ Netcraft
➢ Whois Lookups
➢ DNS Reconnaissance
➢ Google Dorking
➢ Searching for Email Addresses
➢ Maltego
➢ Spiderfoot
➢ Spyse
➢ Intelligence X
➢ Builtwith
➢ Shodan
➢ HaveIbeenPwned
OSINT Tools - Netcraft
• Netcraft is a web-based tool that can be used in passive recon to gather technical information about a target's website.
• Netcraft is used for getting to know the website. From its report we learn, for instance, that the site runs on PHP and uses JavaScript. It uses WordPress, so WordPress-specific weaknesses become a possible way into the website. Scrolling up, we also discover who hosts the website. Sometimes the information that web servers and web-hosting companies gather and make publicly available can tell you a lot about a website.
• For instance, a company called Netcraft logs the uptime and makes queries about the underlying software. Netcraft also provides other services, and their antiphishing offerings are of particular interest to information security.
• The Netcraft browser extension has several built-in safety checks that will alert you if a URL contains suspicious characters, or a page is possibly susceptible to Cross-Site Scripting (XSS) attacks.
• This information is made publicly available at http://www.netcraft.com/
OSINT Tools - Whois Lookups
• Hackers use Whois lookup services to find information about domain ownership, registration dates, and
contact details. This data helps ethical hackers understand the website’s background and potential attack
vectors.
• This information is made publicly available at http://www.whois.com/
• Example: bulbsecurity.com
OSINT Tools - DNS Reconnaissance - nslookup
• We can also use Domain Name System (DNS) servers to learn more about a domain. DNS servers translate the human-readable URL www.contoso.com into an IP address.
• However, some security vulnerabilities exist due to misconfigured DNS nameservers that can lead to information disclosure about the domain. This forms an important step of the Information Gathering stage during a penetration test or vulnerability assessment.
• The "nslookup" utility is used as one of the tools to demonstrate DNS Reconnaissance.
• We can also use https://www.nslookup.io/
• DNS Lookup
• Common DNS Record Types
A - Address record (IPv4)
AAAA - Address record (IPv6)
CNAME - Canonical Name
MX - Mail Exchanger record
NS - Nameserver record
PTR - Pointer record
SOA - Start of Authority record
SRV - Service location record
TXT - Text record
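What nslookup actually sends and receives for the record types above is a small binary protocol. As an added example (not from the course slides or the book), this Python code builds the wire-format query behind `nslookup -type=MX example.com` and parses a reply, including the name-compression pointers that real answers use; the reply bytes are constructed for the example, not captured from a live server, and example.com is used as a placeholder domain:

```python
import socket
import struct

# Type codes for the record types listed above (RFC 1035; AAAA in RFC 3596; SRV in RFC 2782).
RECORD_TYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12,
                "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33}
TYPE_NAMES = {code: name for name, code in RECORD_TYPES.items()}


def encode_name(name):
    """Encode "mail.example.com" as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(domain, rtype, txid=0x1234):
    """Bytes a stub resolver sends for `nslookup -type=<rtype> <domain>`: header plus one question."""
    # flags 0x0100: standard query with the RD (recursion desired) bit set
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", RECORD_TYPES[rtype], 1)


def read_name(data, offset):
    """Decode the name at `offset`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                        # 11xxxxxx: pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                          # a pointer always ends the current name
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def decode_rdata(data, rtype, start, rdata):
    """Turn the raw RDATA of one answer into the text nslookup would print."""
    if rtype == RECORD_TYPES["A"]:
        return socket.inet_ntop(socket.AF_INET, rdata)
    if rtype == RECORD_TYPES["AAAA"]:
        return socket.inet_ntop(socket.AF_INET6, rdata)
    if rtype == RECORD_TYPES["MX"]:                      # 16-bit preference, then a host name
        preference = struct.unpack("!H", rdata[:2])[0]
        return f"{preference} {read_name(data, start + 2)[0]}"
    if rtype in (RECORD_TYPES["NS"], RECORD_TYPES["CNAME"], RECORD_TYPES["PTR"]):
        return read_name(data, start)[0]                 # the name may point back into the message
    if rtype == RECORD_TYPES["TXT"]:                     # one or more <len><chars> strings
        strings, i = [], 0
        while i < len(rdata):
            n = rdata[i]
            strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
            i += 1 + n
        return " ".join(strings)
    return rdata.hex()                                   # SOA and SRV are left raw here


def parse_response(data):
    """Parse the header, skip the question section and return the answer records."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(data, offset)
        offset += 4                                      # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = read_name(data, offset)
        rtype, _, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl,
                        decode_rdata(data, rtype, offset, rdata)))
        offset += rdlength
    return {"id": txid, "rcode": flags & 0xF, "answers": answers}


def build_sample_response():
    """Constructed reply (not a real capture) to the MX question for example.com:
    two MX answers whose names use compression pointers back to offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # QR, RD and RA bits set
    question = encode_name("example.com") + struct.pack("!HH", RECORD_TYPES["MX"], 1)
    answers = b""
    for preference, host in ((10, b"\x05mail1"), (20, b"\x05mail2")):
        rdata = struct.pack("!H", preference) + host + b"\xc0\x0c"   # label + pointer to example.com
        answers += b"\xc0\x0c" + struct.pack("!HHIH", RECORD_TYPES["MX"], 1, 3600, len(rdata)) + rdata
    return header + question + answers


if __name__ == "__main__":
    print("query:", build_query("example.com", "MX").hex())
    for record in parse_response(build_sample_response())["answers"]:
        print(record)
```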
nslookup Syntax
nslookup [exit | finger | help | ls | lserver | root | server | set | view] [options]
Parameter                Description
nslookup exit            Exits the nslookup command-line tool.
nslookup finger          Connects with the finger server on the current computer.
nslookup help            Displays a short summary of subcommands.
nslookup ls              Lists information for a DNS domain.
nslookup lserver         Changes the default server to the specified DNS domain.
nslookup root            Changes the default server to the server for the root of the DNS domain name space.
nslookup server          Changes the default server to the specified DNS domain.
nslookup set             Changes configuration settings that affect how lookups function.
nslookup set all         Prints the current values of the configuration settings.
nslookup set class       Changes the query class. The class specifies the protocol group of the information.
nslookup set d2          Turns exhaustive Debugging mode on or off. All fields of every packet are printed.
nslookup set debug       Turns Debugging mode on or off.
nslookup set domain      Changes the default DNS domain name to the name specified.
nslookup set port        Changes the default TCP/UDP DNS name server port to the value specified.
nslookup set querytype   Changes the resource record type for the query.
nslookup set recurse     Tells the DNS name server to query other servers if it doesn't have the information.
nslookup set retry       Sets the number of retries.
nslookup set root        Changes the name of the root server used for queries.
nslookup set search      Appends the DNS domain names in the DNS domain search list to the request until an answer is received. This applies when the set and the lookup request contain at least one period, but do not end with a trailing period.
nslookup set srchlist    Changes the default DNS domain name and search list.
nslookup set timeout     Changes the initial number of seconds to wait for a reply to a request.
nslookup set type        Changes the resource record type for the query.
nslookup set vc          Specifies to use or not use a virtual circuit when sending requests to the server.
nslookup view            Sorts and lists the output of the previous ls subcommand or commands.
CSEN3041 Ethical Hacking
OSINT Tools - maltego
• Maltego is a data-mining tool designed to visualize open source intelligence gathering.
• Maltego uses information publicly available on the Internet, so it is perfectly legal to do
reconnaissance on any entity.
• Graph: Conduct complex link analysis to uncover connections in large datasets and map evidence to
chronological timelines and geographical locations.
OSINT Tools - Review
• Netcraft
• Whois
• Nslookup
• Host
• Theharvester
• Maltego
Port Scanning
• A port is not a physical connection.
• It is a logical connection that is used by programs and services to exchange information.
• It determines which program or service on a computer or server is going to be used (web page, FTP, email).
• Each port has a unique number that identifies it: 0-65535.
• Common port numbers:
  • 80, 443 – Web pages (http, https)
  • 21 – FTP (File Transfer Protocol)
  • 25 – email (SMTP)
• A port number is always associated with an IP address, for example:
IP Address      Port
192.168.83.12   21
192.168.83.12   23
72.12.212.44    80
172.121.68.23   443
Port Scanning
• The client could be running any number of programs with security issues:
  • They could have misconfiguration issues in their infrastructure that could lead to compromise; weak or default passwords could give up the keys to the kingdom on otherwise secure systems; and so on.
• Pentests often narrow your scope to a particular IP range and nothing more, and you won't help your client by developing a working exploit for the latest and greatest server-side vulnerability if they don't use the vulnerable software.
• We need to find out which systems are active and which software we can talk to.
• Port scanning is performed by
  • Attackers – reconnaissance
  • Administrators – verifying policies
• Port scanning is used to find open ports that correspond to services which may be vulnerable.
Port Scanning
• TCP/IP – IP address + port (21-FTP, 22-SSH, 23-Telnet, 25-SMTP, 53-DNS, 80-http)
  • 65535 ports: well-known ports [0-1023], registered ports [1024-49151], dynamic ports [49152-65535]
• A port is a logical way to identify system activities or the various network services used to create local or network-based communications.
• These ports can be opened and used by software applications and operating system services to send and receive data over networks (LAN or WAN) that employ certain protocols (e.g. TCP, UDP).
• For example, we use port 80 for plain-text HTTP web browsing and port 443 for encrypted HTTPS websites in our daily work.
Port Scanning
• Functions of a Port
  • When communicating over the Internet, the TCP and UDP protocols make connections, reassemble the data packets after the transfer, and then deliver them to applications on the recipient's device.
  • For this handover to work, the operating system must open the port for the transfer. Each port has a unique number.
  • After transmission, the receiving system uses the port number to determine where the data should be sent. The port numbers of the sender and receiver are always included in the data packet.
• Port Scanning
  • A method of finding the services offered by the host or victim (example: a server)
  • To learn the status of a port – open, closed, filtered
Example port numbers and the services
• Ports 20 and 21: File Transfer Protocol (FTP). Users use FTP for the transfer of computer files from a server to a client on a network.
• Port 22: Secure Shell (SSH). Users use SSH for remote login and command-line execution.
• Port 25: Simple Mail Transfer Protocol (SMTP). Users use SMTP for electronic mail transmission.
• Port 53: Domain Name System (DNS). DNS maps domain names to their corresponding IP addresses.
• Port 80: Hypertext Transfer Protocol (HTTP). HTTP is an application-layer protocol in the TCP/IP model for transmitting hypermedia information.
• Port 443: Hypertext Transfer Protocol Secure (HTTPS) is a secured version of HTTP in which all traffic passing through port 443 is protected with strong encryption.
Port Scanning
• Types of Ports
  • Open: The host replies and announces that it is listening and open for queries. An undesired open port means that it is an attack path for the network.
  • Closed: The host responds but notices that no application is listening. Hackers will scan again if it is opened.
  • Filtered: The host does not respond to a request. This could mean that the packet was dropped due to congestion or a firewall.
• Tools Used in Port Scanning:
  • Netcat – Manual Port Scanning
  • Nmap
  • Ping, hping, fping
  • Angry IP Scan
  • Zenmap
  • Advanced Port Scanner
  • MASSCAN
TCP Handshaking (figure-only slide)
TCP/IP Segment (figure-only slide)
Objectives of Network Scanning
• Discovering live hosts, IP address, and open ports of live hosts running on the network.
• Discovering open ports: Open ports are the best means to break into a system or network. You can
find easy ways to break into the target organization's network by discovering open ports on its
network.
• Discovering operating systems and system architecture of the targeted system: This is also referred
to as fingerprinting. Here the attacker will try to launch the attack based on the operating system's
vulnerabilities.
• Identifying the vulnerabilities and threats: Vulnerabilities and threats are the security risks present
in any system. You can compromise the system or network by exploiting these vulnerabilities and
threats.
• Detecting the associated network service of each port
Port Scanning
• A port scan is a common technique hackers use to discover open doors or weak points in a network.
• There are two types of port scanning:
• Horizontal port scanning is scanning a set of IP addresses for a specific port address
• Vertical port scanning is scanning a specific IP address for multiple port addresses
• Port scanning reveals the status of each port and the service that is running on it. The port status can
be open, closed, or filtered.
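The horizontal/vertical distinction above is also what a defender keys on when looking for scans in firewall logs. The following Python is an added example (not from the slides or the course text) that parses a constructed, deny-logging firewall format and raises a "vertical" alert when one source probes many ports on one host, and a "horizontal" alert when one source probes one port across many hosts; the log format, addresses and thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the slides): one source sweeping many
# ports on one host (vertical), one source hitting port 445 on many hosts
# (horizontal), and one benign client touching three ports.
SAMPLE_LOG = (
    [f"2023-12-19T12:31:{i:02d} src=10.0.0.5 dst=192.168.253.1 dport={p} proto=tcp action=drop"
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3306])]
    + [f"2023-12-19T12:35:{i:02d} src=10.0.0.9 dst=192.168.0.{i} dport=445 proto=tcp action=drop"
       for i in range(1, 21)]
    + [f"2023-12-19T12:40:0{i} src=10.0.0.7 dst=192.168.253.1 dport={p} proto=tcp action=allow"
       for i, p in enumerate([80, 443, 22])]
)

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (src, dst, dport) from one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"])


def detect_scans(lines, port_threshold=10, host_threshold=10):
    """Flag vertical scans (one src -> one dst, many ports) and horizontal scans
    (one src -> one port, many dsts). Returns a sorted list of
    (kind, src, target, distinct_count) tuples."""
    ports_per_pair = defaultdict(set)   # (src, dst)   -> {dport, ...}
    hosts_per_port = defaultdict(set)   # (src, dport) -> {dst, ...}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        ports_per_pair[(src, dst)].add(dport)
        hosts_per_port[(src, dport)].add(dst)
    alerts = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            alerts.append(("vertical", src, dst, len(ports)))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            alerts.append(("horizontal", src, str(dport), len(hosts)))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, src, target, count in detect_scans(SAMPLE_LOG):
        print(f"{kind:10s} scan from {src} -> {target} ({count} distinct)")
```

The thresholds are deliberately low for the sample; on real logs they would be tuned per network and combined with a time window so that a slow scan is not split across windows.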
Objectives of Port Scanning
• Nmap
  • Nmap is a tool that can be used for ping scans, also known as host discovery. This determines the live hosts on a network.
  • nmap -sn 192.168.168.3
  • Ping sweep: nmap -sP -R 192.168.0.1-254
  • A ping sweep is used to determine the live hosts in a range of IP addresses by sending ICMP ECHO requests to multiple hosts. If a host is live, it returns an ICMP ECHO reply.
  • Attackers calculate subnet masks using subnet mask calculators to identify the number of hosts present in the subnet.
  • Attackers then use a ping sweep to create an inventory of live systems in the subnet.
hping
• Hping2/Hping3 is a command-line TCP/IP packet assembler/analyzer that sends ICMP echo requests and supports the TCP, UDP, ICMP and raw-IP protocols.
• It has a traceroute mode and enables sending files over covert channels.
• It has the ability to send custom TCP/IP packets and displays the target's replies.
• It supports idle host scanning.
• An attacker studies the behaviour of an idle host to gain information about the target such as the services that the host offers, the ports supporting the services, and the OS of the target.
hping3 (figure-only slide)
Port Scanning Methods
• There are several port scanning methods. Each of them uses either transmission control protocol
(TCP) or user datagram protocol (UDP) as transport layer protocol:
• TCP SYN Scan
• TCP Connect Scan
• TCP ACK Scan
• TCP NULL Scan
• TCP FIN Scan
• TCP XMAS Scan
• UDP Scan
Port Scanning Methods
• Scanning your network for open ports and services is a critical part of assessing your attack surface
and identifying vulnerabilities.
• An NMAP (Network Mapper) port scan finds hosts on your network and identifies open TCP and UDP
ports, services running on those ports, and the operating system running on targeted hosts
• TCP SYN Scan
• SYN scanning is a tactic that a hacker can use to determine the state of a communications port
without establishing a full connection.
• This approach, one of the oldest in the repertoire of hackers, is sometimes used to perform a
denial-of-service (DoS) attack. SYN scanning is also known as half-open scanning.
• It is a type of stealth scan where packet flags cause the target system to respond without having
a fully established connection.
Port Scanning Methods
Stealth Scan (-sS); the slide's callout marks the open ports:
nmap -sS 192.168.253.1
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-19 12:31 India Standard Time
Nmap scan report for 192.168.253.1
Host is up (0.0017s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
902/tcp  open  iss-realsecure
912/tcp  open  apex-mesh
3306/tcp open  mysql
Nmap done: 1 IP address (1 host up) scanned in 0.98 seconds

nmap -p22,113,139 192.168.253.1
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-19 12:43 India Standard Time
Nmap scan report for 192.168.253.1
Host is up (0.0010s latency).
PORT    STATE  SERVICE
22/tcp  closed ssh
113/tcp closed ident
139/tcp open   netbios-ssn
Nmap done: 1 IP address (1 host up) scanned in 0.75 seconds
Port Scanning Methods
nmap -p22,113,139 scanme.nmap.org
Starting Nmap ( https://nmap.org )
Nmap scan report for scanme.nmap.org (64.13.134.52)
PORT    STATE    SERVICE
22/tcp  open     ssh
113/tcp closed   auth
139/tcp filtered netbios-ssn
(The slide's callouts mark 113/tcp as Closed and 139/tcp as Filtered.)
nmap -d --packet-trace -p22,113,139 192.168.253.1
--packet-trace to understand a SYN scan
Port Scanning Methods
• TCP Connect Scan
  • A TCP connect scan establishes a complete connection to the target host by completing a TCP three-way handshake. After the scan is complete, Nmap terminates the connection.
  • Risky kind of scan as the attacker can be tracked.
  • Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call.
  • This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection.
nmap -T4 -sT scanme.nmap.org
Starting Nmap ( https://nmap.org )
Nmap scan report for scanme.nmap.org (64.13.134.52)
Not shown: 994 filtered ports
PORT    STATE  SERVICE
22/tcp  open   ssh
25/tcp  closed smtp
53/tcp  open   domain
70/tcp  closed gopher
80/tcp  open   http
113/tcp closed auth
Nmap done: 1 IP address (1 host up) scanned in 4.74 seconds
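Because a connect scan is nothing more than the ordinary connect system call, its three outcomes can be reproduced in a local lab without root or raw sockets. The following Python is an added example (not from the slides or the course text): it opens a throwaway listener on loopback, then classifies ports exactly as the slide describes, handshake completed -> open, RST (ECONNREFUSED) -> closed, no answer -> filtered; the loopback setup and the timeout value are assumptions.

```python
import socket


def start_listener(host="127.0.0.1"):
    """Open a throwaway TCP listener on an ephemeral port so there is a genuinely
    open port to scan. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Return a port number that nothing is listening on (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=1.0):
    """Classify each port the way a connect scan does:
       handshake completes           -> open
       kernel reports ECONNREFUSED   -> closed   (peer answered the SYN with RST)
       no answer before the timeout  -> filtered (probe or reply was dropped)
    Returns {port: state}."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))      # full SYN / SYN-ACK / ACK handshake
            states[port] = "open"
        except ConnectionRefusedError:
            states[port] = "closed"
        except (socket.timeout, OSError):
            states[port] = "filtered"
        finally:
            s.close()                    # tear the connection down again
    return states


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    for port, state in connect_scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"{port}/tcp {state}")
    srv.close()
```

Each open port leaves a completed connection (and usually an application log line) behind, which is why the slide calls this the scan on which the attacker can be tracked; a SYN scan avoids that by never sending the final ACK, but needs raw sockets and is not shown here.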
Port Scanning Methods
• TCP NULL Scan
  • The Null Scan is a type of TCP scan that hackers — both ethical and malicious — use to identify listening TCP ports.
  • In a null scan, the attacker sends a packet to the target without any flags set within it.
  • In the right hands, a Null Scan can help identify potential holes for server hardening, but in the wrong hands, it is a reconnaissance tool. It is a pre-attack probe.
  • A Null Scan is a series of TCP packets that contain a sequence number of 0 and no set flags; the target will be confused and will not respond.
  • This will indicate the port is open on the target.
  • However, if the target responds with an RST packet, this means the port is closed on the device.
Port Scanning Methods
• TCP FIN Scan
  • An adversary uses a TCP FIN scan to determine if ports are closed on the target machine.
  • This scan type is accomplished by sending TCP segments with the FIN bit set in the packet header.
  • The target will be confused and will not respond.
  • This behavior should allow the adversary to scan for closed ports by sending certain types of rule-breaking packets (out of sync or disallowed by the TCB) and detect closed ports via RST packets.
  • In addition to its relative speed in comparison with other types of scans, the major advantage of a TCP FIN Scan is its ability to scan through stateless firewall or ACL filters. Such filters are usually configured to block access to ports by preventing SYN packets, thus stopping any attempt to 'build' a connection. FIN packets, like out-of-state ACK packets, tend to pass through such devices undetected. FIN scanning is still relatively stealthy as the packets tend to blend in with the background noise on a network link.
nmap -sF -T4 para
Starting Nmap ( https://nmap.org )
Nmap scan report for para (192.168.10.191)
Not shown: 995 closed ports
PORT     STATE         SERVICE
22/tcp   open|filtered ssh
53/tcp   open|filtered domain
111/tcp  open|filtered rpcbind
515/tcp  open|filtered printer
6000/tcp open|filtered X11
MAC Address: 00:60:1D:38:32:90 (Lucent Technologies)

nmap -sF Your_IP_Address
Port Scanning Methods
• TCP XMAS Scan
  • The Nmap Xmas scan was considered a stealthy scan that analyzes responses to Xmas packets to determine the nature of the replying device.
  • Each operating system or network device replies in a different way to Xmas packets, revealing local information such as OS (Operating System), port state, and more.
  • Normally stateless firewalls block SYN bits or headers from TCP packets when sent without ACK bits. The Xmas scan consists of clearing the SYN header from the TCP packet and replacing it with the FIN, PSH, and URG bits (or headers), bypassing the firewall.
  • The Xmas scan is an old stealth scan technique, but currently not reliable, being detected by most firewalls and anti-intrusion measures. Yet, it is reproducible and highly educational for learning about the TCP structure.
nmap -sX -T4 scanme.nmap.org
Starting Nmap ( https://nmap.org )
Nmap scan report for scanme.nmap.org (64.13.134.52)
Not shown: 999 open|filtered ports
PORT    STATE  SERVICE
113/tcp closed auth
Nmap done: 1 IP address (1 host up) scanned in 23.11 seconds

nmap -sX Your_IP_Address
Port Scanning Methods
• TCP ACK Scan
  • The TCP ACK scanning technique uses packets with the ACK flag on to try to determine if a port is filtered.
  • One of the most interesting uses of ACK scanning is to differentiate between stateful and stateless firewalls.
  • A packet with the ACK flag is sent to each selected port.
  • If the port is open or closed, a RST packet is sent by the target machine. This response also indicates that the target host
nmap -sA -T4 scanme.nmap.org
Starting Nmap ( https://nmap.org )
Nmap scan report for scanme.nmap.org (64.13.134.52)
Not shown: 994 filtered ports
PORT    STATE      SERVICE
22/tcp  unfiltered ssh
25/tcp  unfiltered smtp
53/tcp  unfiltered domain
70/tcp  unfiltered gopher
80/tcp  unfiltered http
113/tcp unfiltered auth
Nmap done: 1 IP address (1 host up) scanned in 4.01 seconds

nmap -sA Your_IP_Address
Manual Port Scanning
• Netcat is a simple networking tool that is used to read and write to TCP and UDP ports. The simplest definition of Netcat is a versatile tool that has been dubbed for hackers.
• Uses of Netcat
  • How to connect to a TCP or UDP port
  • Listening on a TCP or UDP port
  • Transferring files with Netcat
  • Remote administration with Netcat
  • Developing a chat system between Windows and Linux with the help of netcat. Follow the commands given below.

Connecting to a port:
nc -vv 192.168.20.10 25
nc: 192.168.20.10 (192.168.20.10) 25 [smtp] open
nc: using stream socket
nc: using buffer size 8192
nc: read 66 bytes from remote
220 bookxp SMTP Server SLmail 5.5.0.4433 Ready ESMTP spoken here
nc: wrote 66 bytes to local
nc -v www.google.com 80

Chat:
windows : nc -nvlp 1111
Linux : nc -nv 192.168.43.134 1111

File transfer:
windows : nc -nvlp 1111 > wget.exe
Linux : nc -nv 192.168.43.134 1111 < /usr/share/windows-resource/binaries/wget.exe

Remote administration:
Linux : nc -nvlp 1111 -e /bin/bash
Windows : nc -nv 192.168.43.134 1111
UDP Scanning
nmap -sU scanme.nmap.org
• UDP is connectionless, so the scanning logic is a bit different.
• A User Datagram Protocol (UDP) scan checks for any UDP ports that are deployed on a target. Conversely, the regular scan only scans the TCP ports.
• UDP scans are normally slower and more difficult than TCP scans.
• Administrators have several reasons for performing a UDP scan using NMAP. It could be to simply audit the network for open unnecessary ports. For cybersecurity reasons, unnecessary services should be disabled, and an NMAP scan tells administrators which machines are running services that can be shut down.
• An adversary engages in UDP scanning to gather information about UDP port status on the target system. UDP scanning methods involve sending a UDP datagram to the target port and looking for evidence that the port is closed.
• Open UDP ports usually do not respond to UDP datagrams as there is no stateful mechanism within the protocol that requires building or establishing a session. Responses to UDP datagrams are therefore application specific and cannot be relied upon as a method of detecting an open port.
• UDP scanning relies heavily upon ICMP diagnostic messages in order to determine the status of a remote port.
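The dependence on ICMP described above can be observed directly: the kernel delivers an ICMP port unreachable for a connected UDP socket as ECONNREFUSED, while an open-but-silent port produces only a timeout. The following Python is an added example (not from the slides or the course text) that binds silent and echoing UDP "services" on loopback and classifies ports as open, closed, or open|filtered; the loopback setup, the echo responder and the timeout are assumptions.

```python
import socket
import threading


def start_udp_service(host="127.0.0.1", reply=False):
    """Bind a UDP socket on an ephemeral port. With reply=True a thread echoes
    one datagram back (an application that answers); with reply=False the
    port is open but silent, which is the common case. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))
    if reply:
        def echo_once():
            data, peer = srv.recvfrom(1024)
            srv.sendto(data, peer)
        threading.Thread(target=echo_once, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_udp_port(host="127.0.0.1"):
    """Return a UDP port that no socket is bound to (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def udp_probe(host, port, timeout=1.0):
    """Send one datagram and interpret the outcome as a UDP scan does:
       application replies        -> open
       ICMP port unreachable      -> closed   (surfaces as ECONNREFUSED on a
                                               connected UDP socket)
       silence until the timeout  -> open|filtered"""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.connect((host, port))    # fixes the peer so ICMP errors are reported; no handshake
    try:
        s.send(b"\x00")
        s.recv(1024)
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "open|filtered"
    finally:
        s.close()


if __name__ == "__main__":
    silent, silent_port = start_udp_service()
    echo, echo_port = start_udp_service(reply=True)
    for p in (silent_port, echo_port, free_udp_port()):
        print(f"{p}/udp {udp_probe('127.0.0.1', p)}")
    silent.close()
    echo.close()
```

The open|filtered verdict is why UDP scans are slow: every silent port costs a full timeout, and hosts that rate-limit ICMP unreachables stretch that further.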
Scanning a Specific Port
nmap -sS -p 21 192.168.20.10 # specific port
nmap -p 3232 -sV 192.168.20.10 # version scan
Finding Vulnerabilities
• Before we start digging into exploits, we need to do some more research and analysis.
• When identifying vulnerabilities, we actively search for issues that will lead to compromise in the
exploitation phase.
• Although some security firms will just run an automated exploitation tool and hope for the best,
careful study of the vulnerabilities by a skilled pentester will garner better results than any tool on its
own.
• Nessus is available as a paid professional version that pentesters and in-house security teams can
use to scan networks for vulnerabilities.
• Nessus Essential (free version) is limited to scanning 16 IP addresses.
• The Nessus database includes vulnerabilities across platforms and protocols, and its scanner
performs a series of checks to detect known issues.
Nmap Scripting Engine (NSE)
• Nmap has similarly evolved beyond its original goal of port scanning. The Nmap Scripting Engine (NSE) lets you run publicly available scripts and write your own.
• The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features.
• It allows users to write (and share) simple scripts (using the Lua programming language) to automate a wide variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency you expect from Nmap.
• Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.
Examples using default scripts
• nmap --script-help default
• nmap -sC gitam.edu
• If you use the -sC flag to tell Nmap to run a script scan in addition to port scanning, it will run all the scripts in the default category.
Metasploit Scanner Modules
• Metasploit is one of the best penetration testing frameworks that help a business find out and shore
up vulnerabilities in their systems before exploitation by hackers.
• Meterpreter is a Metasploit attack payload that provides an interactive shell to the attacker from
which to explore the target machine and execute code. Meterpreter is deployed using in-memory
DLL injection. As a result, Meterpreter resides entirely in memory and writes nothing to disk.
• Metasploit can conduct vulnerability scanning via numerous auxiliary modules.
• Unlike exploits, these modules will not give us control of the target machine, but they will help us
identify vulnerabilities for later exploitation.
Web Application Scanning
• Although a client’s custom-built apps may have security problems, your target may also deploy prebuilt
web applications such as payroll apps, webmail, and so on, which can be vulnerable to the same issues.
• If we can find an instance of known vulnerable software, we may be able to exploit it to get a foothold in
a remote system.
• Nikto is a web application vulnerability scanner built into Kali for web apps: It looks for issues such as
dangerous files, outdated versions, and misconfigurations.
nikto -h bulbsecurity
• Manually browsing to the default installation path for every application with known vulnerabilities
would be a daunting task, but fortunately, Nikto seeks out URLs that may not be apparent. One
particularly interesting finding here is a vulnerable installation of the TikiWiki software on the server.
• Sure enough, if we browse to the TikiWiki directory at http://192.168.20.11/tikiwiki/, we find the CMS
software. Nikto thinks that this install is subject to a code execution vulnerability, and further analysis of
Open Sourced Vulnerability Database (OSVDB) entry 40478 reveals that this issue has a Metasploit
exploit that we can use during exploitation.
Manual Analysis
• Exploring a Strange Port
  • Sometimes a listening program is designed to listen for a particular input and has difficulty processing anything else.
  • This sort of behavior is interesting to pentesters, because programs that crash when handling malformed input aren't validating input properly.
• Finding Valid Usernames
  • We can drastically increase our chances of a successful password attack if we know valid usernames for services.
  • One way to find valid usernames for mail servers is to use the VRFY SMTP command, if it is available. As the name implies, VRFY verifies whether a user exists.
  • Connect to TCP port 25 using Netcat, and use VRFY to check for usernames.
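What makes VRFY useful for the check above is that the server answers differently for known and unknown names; the usual hardening is to reply 252 to every VRFY (or disable the command), so the reply no longer reveals anything. The following Python is an added example (not from the slides or the course text): a tiny in-process responder that speaks only VRFY and QUIT, run once in a leaky and once in a hardened configuration, and a client that records the reply codes; the host name, the sample account names and the two configurations are constructed for illustration.

```python
import socket
import threading

KNOWN_USERS = {"georgia", "root"}   # constructed sample mailbox names


def serve_vrfy(conn, leak):
    """Answer one SMTP session, handling only VRFY and QUIT (not a mail server).
    leak=True mimics a server that distinguishes real from unknown users;
    leak=False mimics the hardened reply 252 for every name."""
    conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
    reader = conn.makefile("rb")
    for raw in reader:
        verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
        verb = verb.upper()
        if verb == "VRFY" and not leak:
            conn.sendall(b"252 Cannot VRFY user, but will accept message\r\n")
        elif verb == "VRFY" and arg in KNOWN_USERS:
            conn.sendall(f"250 {arg}@example.test\r\n".encode())
        elif verb == "VRFY":
            conn.sendall(b"550 User unknown\r\n")
        elif verb == "QUIT":
            conn.sendall(b"221 Bye\r\n")
            break
        else:
            conn.sendall(b"502 Command not implemented\r\n")
    conn.close()


def start_server(leak):
    """Listen on an ephemeral loopback port and serve a single session."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        srv.close()
        serve_vrfy(conn, leak)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def vrfy_reply_codes(port, names):
    """Open one session, send VRFY for each name, return {name: reply code}."""
    s = socket.create_connection(("127.0.0.1", port), timeout=3)
    reader = s.makefile("rb")
    reader.readline()                      # 220 banner
    codes = {}
    for name in names:
        s.sendall(f"VRFY {name}\r\n".encode())
        codes[name] = int(reader.readline()[:3])
    s.sendall(b"QUIT\r\n")
    reader.readline()                      # 221 Bye
    s.close()
    return codes


def vrfy_leaks(codes):
    """True when reply codes differ between names, i.e. the server confirms
    which accounts exist and VRFY can be used to enumerate usernames."""
    return len(set(codes.values())) > 1


if __name__ == "__main__":
    for leak in (True, False):
        codes = vrfy_reply_codes(start_server(leak), ["georgia", "nobody"])
        print("leaky" if leak else "hardened", codes, "enumerable:", vrfy_leaks(codes))
```

A server that also differs in response timing or in the wording of otherwise identical codes still leaks; the check above only compares the numeric reply code.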