1. Examples of Hacking Methodologies and Security Testing Frameworks
    1. Hacking Methodologies
      1. EC-Council Ethical Hacking methodology
        1. Reconnaissance
        2. Scanning
        3. Gaining access
        4. Maintaining access
        5. Clearing tracks
      2. Foundstone Hacking methodology
        1. Footprinting
        2. Scanning
        3. Enumeration
        4. Gaining Access
        5. Escalating Privilege
        6. Covering Tracks
      3. Hacking Exposed Methodology
        1. Footprint
        2. Scan
        3. Enumerate
        4. Exploit
        5. Pillage
        6. Stealth
    2. Security Testing Framework
      1. The Open Source Security Testing Methodology Manual (OSSTMM)
      2. NIST Special Publication 800-115, Technical Guide to Information Security Testing and Assessment (National Institute of Standards and Technology)
      3. The Information Systems Security Assessment Framework (ISSAF)
        1. PHASE I: PLANNING AND PREPARATION
        2. PHASE II: ASSESSMENT
          1. Information Gathering
          2. Network Mapping
          3. Vulnerability Identification
          4. Penetration
          5. Gaining Access and Privilege Escalation
            1. Gaining Access
              1. Gain Least Privilege
              2. Compromise
              3. Final Compromise on Target
            2. Privilege Escalation
          6. Enumerating Further
          7. Compromise Remote Users/Sites
          8. Maintaining Access
            1. Covert Channels
            2. Backdoors
            3. Root-kits
          9. Cover the Tracks
            1. Hide Files
            2. Clear Logs
            3. Defeat integrity checking
            4. Defeat Anti-virus
            5. Implement Root-kits
          10. Audit (optional)
        3. PHASE III: REPORTING, CLEAN UP & DESTROY ARTIFACTS
          1. Reporting
            1. Verbal Reporting
            2. Final Reporting
          2. Clean Up and Destroy Artifacts
2. Common Steps
    1. Reconnaissance
      1. Active
        1. Query the target's DNS servers directly
          1. DNS holds the following record types
            1. SOA Records - Indicates the server that has authority for the domain. The SOA fields are:
              1. Serial
              2. Refresh
              3. Retry
              4. Expiry
              5. Minimum
            2. MX Records - List of a host's or domain's mail exchanger server(s).
            3. NS Records - List of a host's or domain's name server(s).
            4. A Records - An address record that maps a host name to an IP address. Each host needs one for its IP address to be found via DNS.
            5. PTR Records - Maps an IP address back to a host's domain name (reverse lookup).
            6. SRV Records - Service location record.
            7. HINFO Records - Host information record with CPU type and operating system.
            8. TXT Records - Generic text record.
            9. version.bind - A CHAOS-class TXT query that may return the BIND version string; it is served by the name server itself, not stored in the zone.
            10. CNAME - A host's canonical name; allows additional names/aliases to be used to locate a computer.
            11. RP - Responsible person for the domain.
          2. Query methods
            1. DNS Zone Transfer (AXFR)
            2. Reverse Lookup Zone Query (PTR sweep)
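Worked example of what the two query methods above produce, added here and not part of the original outline. The zone text is a constructed sample in the format `dig @ns1.example.com example.com AXFR` prints when a server allows zone transfers (example.com and the 192.0.2.0/24 and 198.51.100.0/24 ranges are reserved documentation values, so nothing here is a real target). The code pulls out the SOA fields listed above, builds a host inventory from the A and CNAME records, and turns the discovered addresses into the `in-addr.arpa` names a reverse-lookup sweep (`dig -x <ip>`) would ask for. The version.bind probe (`dig @ns1.example.com version.bind CHAOS TXT`) needs a live server and is not reproduced.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of the answer section that `dig @ns1.example.com example.com AXFR`
# prints when the server allows zone transfers. example.com, 192.0.2.0/24 and
# 198.51.100.0/24 are reserved documentation names/ranges, not a real target.
SAMPLE_AXFR = """\
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.          3600 IN NS    ns1.example.com.
example.com.          3600 IN NS    ns2.example.com.
example.com.          3600 IN MX    10 mail.example.com.
example.com.          3600 IN TXT   "v=spf1 mx -all"
ns1.example.com.      3600 IN A     192.0.2.10
ns2.example.com.      3600 IN A     192.0.2.11
mail.example.com.     3600 IN A     192.0.2.25
www.example.com.      3600 IN A     192.0.2.80
intranet.example.com. 3600 IN A     198.51.100.5
vpn.example.com.      3600 IN CNAME intranet.example.com.
example.com.          3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
"""

# owner  ttl  IN  type  rdata  (dig separates the columns with tabs or spaces)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")

def parse_zone(text):
    """Group dig-style resource records by type: {rtype: [(owner, rdata), ...]}.
    Lines that are not resource records (comments, blank lines) are skipped."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            owner, _ttl, rtype, rdata = m.groups()
            records[rtype].append((owner.rstrip("."), rdata.strip()))
    return records

def soa_fields(records):
    """Split the SOA rdata into the fields named in the outline above.
    dig prints it as: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    _owner, rdata = records["SOA"][0]
    mname, rname, serial, refresh, retry, expire, minimum = rdata.split()[:7]
    return {
        "mname": mname.rstrip("."), "rname": rname.rstrip("."),
        "serial": int(serial), "refresh": int(refresh), "retry": int(retry),
        "expire": int(expire), "minimum": int(minimum),
    }

def host_inventory(records):
    """Host name -> IPv4, with CNAME aliases resolved onto their target's address.
    An alias whose target is outside the zone is left out (nothing to resolve to)."""
    hosts = {owner: rdata for owner, rdata in records["A"]}
    for alias, target in records["CNAME"]:
        target = target.rstrip(".")
        if target in hosts:
            hosts[alias] = hosts[target]
    return hosts

def netblocks(inventory, prefixlen=24):
    """Collapse the discovered addresses into the /24s a reverse sweep should cover."""
    nets = {ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in inventory.values()}
    return sorted(nets, key=lambda n: n.network_address)

def reverse_names(network):
    """PTR owner names for every host in the block, e.g. 1.2.0.192.in-addr.arpa,
    which is the name `dig -x 192.0.2.1` queries."""
    return [ip.reverse_pointer for ip in network.hosts()]

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_AXFR)
    print("SOA:", soa_fields(recs))
    for name, ip in sorted(host_inventory(recs).items()):
        print(f"{name:24} {ip}")
    for net in netblocks(host_inventory(recs)):
        names = reverse_names(net)
        print(f"sweep {net}: {len(names)} PTR queries, first {names[0]}")
```

The point a tester should take from the inventory is that the CNAME exposes an internal name (intranet) sitting in a different netblock from the public hosts; that second block is what the reverse sweep is for. When AXFR is refused, the reverse sweep over the blocks found via whois is the fallback.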
        2. Social Engineering
          1. Remote
            1. Phone
              1. Scenarios
                1. IT Department. "Hi, it's Zoe from the helpdesk. I am doing a security audit of the network and I need to re-synchronise the Active Directory usernames and passwords. This is so that your logon process in the morning receives no undue delays." If you are calling from a mobile number, explain that the helpdesk has been issued a mobile phone for 'on call' personnel.
              2. Results
                1. Contact Details
                  1. Name
                  2. Phone number
                  3. Email
                  4. Room number
                  5. Department
                  6. Role
            2. Email
              1. Scenarios
                1. Hi there, I am currently carrying out an Active Directory Health Check for TARGET COMPANY and require to re-synchronise some outstanding accounts on behalf of the IT Service Desk. Please reply to me detailing the username and password you use to logon to your desktop in the morning. I have checked with MR JOHN DOE, the IT Security Advisor and he has authorised this request. I will then populate the database with your account details ready for re-synchronisation with Active Directory such that replication of your account will be re-established (this process is transparent to the user and so requires no further action from yourself). We hope that this exercise will reduce the time it takes for some users to logon to the network. Best Regards, Andrew Marks
                2. Good Morning, The IT Department had a critical failure last night regarding remote access to the corporate network, this will only affect users that occasionally work from home. If you have remote access, please email me with your username and access requirements e.g. what remote access system did you use? VPN and IP address etc, and we will reset the system. We are also using this 'opportunity' to increase the remote access users, so if you believe you need to work from home occasionally, please email me your usernames so I can add them to the correct groups. If you wish to retain your current credentials, also send your password. We do not require your password to carry out the maintenance, but it will change if you do not inform us of it. We apologise for any inconvenience this failure has caused and are working to resolve it as soon as possible. We also thank you for your continued patience and help. Kindest regards, lee EMAIL SIGNATURE
              2. Software
              3. Results
                1. Contact Details
                  1. Name
                  2. Phone number
                  3. Email
                  4. Room number
                  5. Department
                  6. Role
                  7. Other
          2. Local
            1. Personas
              1. Name
                1. Suggest using your own first name.
              2. Phone
                1. Give a work mobile, but remember they have it!
              3. Email
                1. Have a suitable email address
              4. Business Cards
                1. Get cards printed
            2. Contact Details
              1. Name
              2. Phone number
              3. Email
              4. Room number
              5. Department
              6. Role
            3. Scenarios
              1. New IT employee
                1. "Hi, I'm the new guy in IT and I've been told to do a quick survey of users on the network. They give all the worst jobs to the new guys, don't they? Can you help me out on this?"
                2. Get the following information, with an "any problems with it we can help with?" slant: username, domain, remote access (type - modem/VPN), remote email (OWA), most used software, any comments about the network, any additional software they would like, what they think about the security on the network, password complexity etc.
                3. Now give reasons as to why they have complexity rules for passwords, try to get someone to give you their password and explain how you can make it more secure. "Thanks very much and you'll see the results on the company boards soon."
              2. Fire Inspector
                1. Turning up on the pretext of a snap fire inspection, in line with local government initiatives on fire safety in the workplace. Ensure you have a suitable appearance: high-visibility jacket, clipboard, (fake) ID card. Check for: number of fire extinguishers, pressure, type; fire exits, accessibility etc. Look for any information you can get. Try to get on your own, without supervision!
            4. Results
              1. Maps
                1. Satellite Imagery
                  1. Google Maps
                2. Building layouts
              2. Other
        3. Active Web Spider
          1. HTTrack
          2. Teleport Pro
          3. Black Widow
      2. Passive
        1. Query Whois databases
          1. Authoritative Bodies
            1. IANA - Internet Assigned Numbers Authority
            2. ICANN - Internet Corporation for Assigned Names and Numbers
            3. NRO - Number Resource Organisation
            4. RIR - Regional Internet Registries
              1. AFRINIC - African Network Information Centre
              2. APNIC - Asia Pacific Network Information Centre
                1. National Internet Registries
                  1. APJII
                  2. CNNIC
                  3. JPNIC
                  4. KRNIC
                  5. TWNIC
                  6. VNNIC
              3. ARIN - American Registry for Internet Numbers
              4. LACNIC - Latin America & Caribbean Network Information Centre
              5. RIPE NCC - Réseaux IP Européens Network Coordination Centre
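Added example (not from the original page) of a raw port-43 lookup against one of the registries listed above and of parsing the RPSL-style answer that RIPE NCC, APNIC and AFRINIC return. The response text is a constructed sample, not a real registry record; 192.0.2.0/24 and AS64496 are documentation values. The `whois_query` function needs network access and is only shown for completeness; everything else runs offline.

```python
import ipaddress
import socket

def whois_query(server, query, timeout=10):
    """Raw WHOIS (RFC 3912): send one line on TCP/43, read until the server closes.
    Needs network access; the parsing below works on a constructed sample instead."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", errors="replace")

# Constructed RPSL-style response (the object format RIPE NCC, APNIC and AFRINIC
# use). 192.0.2.0/24 and AS64496 are documentation values, not a real assignment.
SAMPLE_WHOIS = """\
% Constructed sample in RIPE/RPSL style. Not a real registry record.

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example Corp hosting block
country:        TH
admin-c:        EX123-RIPE
tech-c:         EX124-RIPE
status:         ASSIGNED PA
mnt-by:         EXAMPLE-MNT
source:         RIPE

route:          192.0.2.0/24
descr:          Example Corp
origin:         AS64496
source:         RIPE

person:         Jane Example
address:        1 Example Road
address:        Bangkok
phone:          +66 2 000 0000
nic-hdl:        EX123-RIPE
source:         RIPE
"""

def parse_rpsl(text):
    """Split a WHOIS response into RPSL objects: one dict per blank-line-separated
    block, attribute -> list of values (attributes such as address: repeat)."""
    objects, current = [], {}
    for line in text.splitlines():
        if line.startswith(("%", "#")):        # server comments / terms of use
            continue
        if not line.strip():                   # a blank line ends an object
            if current:
                objects.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects

def netblock(objects):
    """The inetnum range as a (first, last) IPv4Address pair, or None if absent."""
    for obj in objects:
        if "inetnum" in obj:
            first, last = (p.strip() for p in obj["inetnum"][0].split("-", 1))
            return ipaddress.ip_address(first), ipaddress.ip_address(last)
    return None

def origin_asns(objects):
    """AS numbers announcing the route objects in the response."""
    return sorted({asn for obj in objects if "route" in obj for asn in obj.get("origin", [])})

def contacts(objects):
    """person/role objects: the names and phone numbers social engineering starts from."""
    out = []
    for obj in objects:
        if "person" in obj or "role" in obj:
            name = (obj.get("person") or obj.get("role"))[0]
            out.append({"name": name, "phone": obj.get("phone", []),
                        "handle": obj.get("nic-hdl", [None])[0]})
    return out

def scan_targets(objects):
    """Turn the inetnum range into CIDR blocks for the scanning phase."""
    first, last = netblock(objects)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]

if __name__ == "__main__":
    objs = parse_rpsl(SAMPLE_WHOIS)
    print("netblock:", netblock(objs))
    print("origin ASNs:", origin_asns(objs))
    print("contacts:", contacts(objs))
    print("scan targets:", scan_targets(objs))
    # Live lookup against a real registry (uncomment; needs network):
    # print(whois_query("whois.ripe.net", "192.0.2.1"))
```

ARIN answers in a different, key/value "NetRange:" style rather than RPSL, so the same parser needs a second set of attribute names for ARIN responses; the netblock and contact handles are the two things worth carrying forward from either format.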
        2. Internet Search
          1. General Information
            1. Web Investigator
            2. Tracesmart
            3. Friends Reunited
            4. eBay - profiles etc.
          2. Financial
            1. EDGAR - Company information, including real-time filings. US
            2. Google Finance - General finance portal
            3. Hoovers - Business intelligence, insight and results. US and UK
            4. Companies House. UK
            5. Land Registry. UK
          3. Phone book / Electoral Roll Information
            1. 411 - Online White Pages and Yellow Pages. US
            2. Abika - Background check, phone number lookup, trace email, criminal record, find people, cell phone number search, license plate search. US
            3. Zabasearch - People search engine. US
            4. 192.com - Electoral Roll search. UK
            5. BT.com. UK
              1. Residential
              2. Business
          4. Google Hacking Database
            1. Code Search
            2. Generic Web Searching
              1. Linked To (see also Kartoo)
              2. Linked From (see also Kartoo)
              3. Forum Entries
              4. Email Addresses
              5. Contact Details
              6. Newsgroups/forums
            3. Back end files
              1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf
              2. Metagoofil
                1. metagoofil.py -d [domain] -l [max number of results] -f [file type, or all] -o results.html
          5. Social/Business Networks
            1. The following sites are some of the many social and business-related networking entities in use today. This list is not exhaustive and has been limited to those with over 1 million members.
            2. Africa
              1. BlackPlanet
            3. Australia
              1. Bebo
            4. Belgium
              1. Netlog
            5. Holland
              1. Hyves
            6. Hungary
              1. iWiW
            7. Iran
              1. Cloob
            8. Japan
              1. Mixi
            9. Korea
              1. CyWorld
            10. Poland
              1. Grono
              2. Nasza-klasa
            11. Russia
              1. Odnoklassniki
              2. Vkontakte
            12. Sweden
              1. LunarStorm
            13. UK
              1. FriendsReunited et al
              2. Badoo
              3. FaceParty
            14. US
              1. Facebook
              2. MySpace
              3. Classmates
              4. Friendster
            15. Assorted
              1. Linkedin
              2. Care2
              3. Habbo
              4. Hi5
              5. MocoSpace
              6. Orkut
              7. Passado
              8. Tagged
              9. Windows Live Spaces
              10. Yahoo! 360°
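Added example (not from the original page, and not Metagoofil's own code) of what the "Back end files" search above yields once the documents are downloaded: the Info dictionary of a PDF carries the author's login name and the producing software versions, which is the kind of data Metagoofil harvests. The PDF bytes are a constructed minimal file, not a real download; the dork builder assumes only the `site:` and `filetype:` Google operators.

```python
import re

# Extensions from the "Back end files" list above that commonly carry metadata.
DOC_TYPES = ("pdf", "doc", "ppt", "xls", "txt", "sql", "mdb", "conf")

def build_dorks(domain, types=DOC_TYPES):
    """One search query per file type: `site:<domain> filetype:<ext>`."""
    return [f"site:{domain} filetype:{ext}" for ext in types]

# Constructed minimal PDF whose Info dictionary leaks a username and software
# versions. Not a real document.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Q3 Network Diagram) /Author (jdoe) /Creator (Microsoft Word 2007)
/Producer (Acrobat Distiller 8.1.0 (Windows)) /CreationDate (D:20090312101500) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

INFO_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")

def _literal_string(data, start):
    """Read a PDF literal string whose opening '(' is at `start`. Parentheses nest
    (e.g. "Distiller 8.1.0 (Windows)") and a backslash protects the next byte;
    the escaped byte is kept as-is, which is enough for names and version strings."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:          # the opening delimiter itself is not content
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
        out += c
        i += 1
    return bytes(out)

def pdf_metadata(data):
    """Pull Info dictionary values out of an uncompressed PDF. If the Info object
    sits inside a compressed object stream (PDF 1.5+), nothing is found and a full
    PDF parser is needed; this covers typical Word/Distiller output."""
    meta = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*\(", data)
        if m:
            meta[key] = _literal_string(data, m.end() - 1).decode("latin-1")
    return meta

def harvest(documents):
    """Aggregate across many downloaded files: who wrote them and with what.
    Usernames feed the enumeration phase; software versions feed vulnerability search."""
    users, software = set(), set()
    for data in documents:
        meta = pdf_metadata(data)
        if "Author" in meta:
            users.add(meta["Author"])
        for k in ("Creator", "Producer"):
            if k in meta:
                software.add(meta[k])
    return {"usernames": sorted(users), "software": sorted(software)}

if __name__ == "__main__":
    for q in build_dorks("example.com"):
        print(q)
    print(pdf_metadata(SAMPLE_PDF))
    print(harvest([SAMPLE_PDF]))
```

The Author field is the interesting one: on a Windows domain it is usually the Office login name, i.e. a valid account name for the password-guessing and social-engineering steps that follow.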
        3. Dumpster Diving
          1. Rubbish Bins
          2. Contract Waste Removal
          3. eBay ex-stock sales, e.g. second-hand hard drives
        4. Passive Web Spider
        5. Research tools
          1. Websites
            1. DNS Stuff - Online DNS one-stop shop, able to perform a great many disparate DNS-type queries.
            2. Fixed Orbit - Autonomous System lookups and other online tools.
            3. MyIPNeighbors.com - Excellent site that lists the domains sharing the IP queried, and conversely resolves IP to DNS.
            4. Geektools
            5. IP2Location - Allows limited free IP lookups, displaying geolocation information, ISP details and other pertinent information.
            6. Kartoo - Metasearch engine that presents its results visually.
            7. Netcraft - Online search tool allowing queries for host information.
            8. Robtex - Excellent website allowing DNS and AS lookups, with a graphical display of the results showing pointers, A and MX records and AS connectivity. Note: can be unreliable with old entries (use CentralOps to verify).
            9. Traceroute.org - Website listing a large number of links to online traceroute resources.
            10. Wayback Machine - Stores older versions of websites, making it a good comparison tool and an excellent resource for previously removed data.
            11. Central Ops
              1. Domain Dossier
              2. Email Dossier
            12. Whois.net
          2. Applications/Utilities
            1. Maltego - A great tool for carrying out initial footprinting of a target network. It can search for: people, groups of people (social networks), companies, organisations, web sites (including domain and DNS details, netblocks and IP addresses), phrases, affiliations, documents and files.
            2. Country whois
            3. Cheops-ng
            4. Domain Research Tool
            5. Firefox Plugins
              1. AS Number
              2. Shazou
              3. Firecat Suite
            6. Gnetutil
            7. Goolag Scanner
            8. Greenwich
            9. GTWhois
            10. Sam Spade
            11. Smart whois
            12. SpiderFoot
    2. Scanning
      1. Active
      2. Passive
    3. Enumeration
    4. Gaining Access
    5. Escalating Privilege
    6. Maintaining Access
    7. Covering Tracks