Week3 - Recon

This document discusses reconnaissance techniques used in cybersecurity attacks. It describes external reconnaissance including dumpster diving to gather discarded data, using social media to find personal details of targets, and social engineering to manipulate users into providing sensitive information. Specific external reconnaissance methods covered are dumpster diving, analyzing social media posts, and exploiting human trust through techniques like pretexting and diversion theft. The goal of external reconnaissance is to locate vulnerabilities before compromising a system.

Uploaded by

nathalieedith20

CSIT302 Cybersecurity

Week 3 – Reconnaissance/Compromising
the System
Lecturer: Dr Zuoxia Yu
Email: [email protected]
Office: 3.116

1
Cybersecurity Kill Chain (Recap)
• External reconnaissance (or information gathering)
• Compromising the system
• Lateral movement
• Privilege escalation
• Concluding the mission

2
Reconnaissance

3
Reconnaissance

• Reconnaissance is used widely in military operations.
• Spies are sent into an enemy's territory to gather data about where and when to strike.
• When reconnaissance is done in the right way, the target should not be able to know that it is being done.

4
Reconnaissance (In Cybersecurity)
• Reconnaissance is one of the most important stages of an attack life cycle.
• Attackers search for vulnerabilities that they can use to attack targets.
• An attacker will be interested in locating and gathering data, and identifying any loopholes in a target's network, its users, or its computing systems.
• External or internal reconnaissance
[Figure: kill chain – (External) Reconnaissance → Compromising System → Lateral Movement → Privilege Escalation → Concluding the mission]

5
External Reconnaissance

6
External Reconnaissance
• External reconnaissance is done outside of the organization's network and systems.
• It normally works by exploiting the carelessness of the users of an organization.
• Possible ways of carrying out external reconnaissance are the following:
  - Dumpster diving
  - Social media
  - Social engineering

7
Dumpster diving
• Organizations dispose of obsolete devices in a number of ways, such as through bidding, sending them to recyclers, or dumping them in storage.
  → There are serious implications for these methods of disposal.
• By taking old external storage devices or obsolete computers which were not thoroughly handled, attackers may obtain information such as:
  - The internal setup of an organization
  - Passwords stored openly in browsers
  - The privileges and details of different users
  - Access to some bespoke systems used in the network

8
Dumpster diving
• Example of thorough disposal: Google
  - The company destroys the old hard drives from its data centres to prevent the data they contained from being accessed by malicious people.
  - The hard drives are put into a crusher that pushes steel pistons up the centre of the disks, rendering them unreadable.
  - https://www.youtube.com/watch?v=4jNEwOhCFVg

9
Dumpster diving
• A more general way to completely remove the data on magnetic disks is degaussing.
  - Degaussing is the process of reducing or eliminating an unwanted magnetic field (and with it the data) stored on tape and disk media such as computer and laptop hard drives. => It does not work for SSDs.
  - Deleting the data using software is generally not a secure way.
• How to remove the data on an SSD:
  - There is no standard way to do this.
  - One suggested way is encryption: encrypt the disk with a sufficiently long random key and discard the key. Then format the disk.

10
Social Media
• Social media
  - Social media are interactive computer-mediated technologies that facilitate the creation and sharing of information, ideas, career interests and other forms of expression via virtual communities and networks.
• It has become the easiest way to find out a lot of information about people.
  - The best place to mine data concerning specific targets.
  - Data related to the companies that users work for.
  - Details about family members, relatives, friends, and residence and contact information.

11
Social Media
• While the technical revolution of social media during the past decade can be viewed as exciting and innovative, it also leaves us vulnerable, particularly to identity theft.
• Identity theft
  - It is easy to create a fake account bearing the identity of another person.
  - All that is needed is access to some pictures and up-to-date details of the identity theft victim.
  - Using the fake account to approach the organisation's high-level officials, the hacker requests:
    * Network information and statistics from the IT department
    * Security information about the network

12
Social Media
• Hackers can guess passwords or answers to secret questions from the posts:
  - Accepting "connections" or "friendships" with people you are not familiar with in your everyday life can put you at risk.
  - Users' dates of birth, their parents' maiden names, the names of the streets they grew up on, pet names, school names, etc.
• Attackers may put up a phishing post or send messages from unfamiliar accounts via social media.
  - These can be attempts to install malware on the target's computer.
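As an added example (not part of the lecture slides), the following Python script shows the defender's side of the point above: checking whether a password or a security-question answer is built from exactly the facts a public profile gives away (date of birth, pet name, street, school, mother's maiden name). The profile is constructed for the demonstration, and the token-derivation rules (word fragments, common date spellings) are an assumption about what a guesser would try first, not an exhaustive list.

```python
import re
from datetime import date

# Constructed profile for the demonstration: the kind of facts that are often
# visible on a public social-media page (hypothetical person, not a real one).
PROFILE = {
    "name": "Jane Smith",
    "birthdate": date(1990, 7, 14),
    "pet": "Biscuit",
    "street": "Maple Avenue",
    "school": "Riverside High",
    "mother_maiden": "Kowalski",
}


def derive_tokens(profile):
    """Turn profile facts into lowercase fragments a guesser would try.

    Words of three or more letters are kept as-is; dates are expanded into
    common numeric spellings (yyyy, ddmm, ddmmyyyy, ...). Assumed rules.
    """
    tokens = set()
    for value in profile.values():
        if isinstance(value, date):
            for fmt in ("%Y", "%d%m", "%m%d", "%d%m%Y", "%d%m%y", "%Y%m%d"):
                tokens.add(value.strftime(fmt))
        else:
            for word in re.findall(r"[A-Za-z]+", str(value)):
                if len(word) >= 3:
                    tokens.add(word.lower())
    return tokens


def profile_fragments_in_password(password, profile):
    """Return the sorted profile-derived fragments found inside the password.

    An empty list means the password does not obviously reuse public facts
    (it says nothing about its strength otherwise).
    """
    pw = password.lower()
    return sorted(t for t in derive_tokens(profile) if t in pw)


def answer_is_public(answer, profile):
    """True if a security-question answer can be read straight off the profile."""
    a = answer.strip().lower()
    if not a:
        return False
    in_text = any(a in str(v).lower() for v in profile.values()
                  if not isinstance(v, date))
    return in_text or a in derive_tokens(profile)


if __name__ == "__main__":
    print(profile_fragments_in_password("Biscuit1990!", PROFILE))       # ['1990', 'biscuit']
    print(profile_fragments_in_password("correct-horse-battery", PROFILE))  # []
    print(answer_is_public("Maple Avenue", PROFILE))                       # True
```

The same check can be run at password-change time or as part of a periodic audit; the useful output is the list of fragments, because it tells the user exactly which public fact they reused.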

13
Social Media
• Some tips to protect your identity in the age of social media:
  - Create strong, multi-character passwords for your email and all apps on your phone and remember to change them often.
  - When using apps, enter as little personal information as possible.
  - Be cautious about what you post online. Never share personal information such as your Social Security number, current address or telephone number.
  - Make sure your privacy settings are set to the highest level. Check these settings often since they may be affected by upgrades.

14
Social Media
• Some tips to protect your identity in the age of social media (cont.):
  - Avoid downloading free applications for use on your social media profiles.
  - Avoid accepting connections or friendships with people you are not familiar with.
  - Verify that any link sent to you was actually sent by your connection or friend.
  - Google your own name, as well as any social media handles you use, to track any possible forged accounts.

15
Social Engineering
• One of the most feared reconnaissance acts
  - A company cannot completely protect itself from this type of threat.
  - It is beyond the protection of security tools (it exploits human nature).
• Humans are sympathetic, trusting of friends, show-offs, and obedient to higher authorities → open to attacks through manipulation.
• The six levers of social engineering are:
  - Reciprocation, scarcity, consistency, liking, authority and validation.

16
Social Engineering
• Reciprocation
  - A victim does something for a social media user, who in turn feels the need to reciprocate the favour.
  - It is part of human nature to feel obligated to return a favour to a person, and attackers have come to know and exploit this.
• Scarcity
  - Threatening a short supply of something that the target is in need of.
  - e.g. a trip package, a mega sale, or a new release of products.
• Consistency
  - Humans tend to honour promises or get used to the usual flow of events.
  - E.g. attackers clone a vendor known to the IT team and deliver malware-infected electronics.

17
Social Engineering
• Liking
  - Humans are more likely to comply with the requests of people they like or those that appear attractive. → Easy to win the compliance of targets.
• Authority
  - A commonly used lever that has a high success rate.
  - Generally, humans are obedient to the authority of those ranked above them, even if they seem malicious.
  - E.g. asking them to give login credentials or to send some sensitive data over unsecured channels.
• Validation
  - Humans will readily comply and do something if other people are doing the same → they do not want to be the odd one out.
18
Social Engineering
• Popular types of social engineering attacks:
  - Pretexting
  - Diversion theft
  - Phishing
    * Phone phishing (vishing)
    * Spear phishing
  - Baiting
  - Quid pro quo
  - Tailgating

19
Social Engineering
• Pretexting
  - The construction of an elaborate lie that has been well researched so as to appear legitimate to the target.
  - Social engineers that use pretexting have honed the art of impersonating an imaginary boss or other trusted individuals in society, such as police officers, debt collectors, tax officials, clergy and investigators.
• Diversion theft
  - Attackers persuade delivery and transport companies that their deliveries and services are requested elsewhere.

20
Social Engineering
• Phishing
  - One of the oldest tricks that hackers have used over the years, but its success rate is still surprisingly high. A hacker sends emails to a target, pretending to be a legitimate third-party organization.
• Examples of phishing:
  - A link leading to a malicious or fraudulent website is attached. The attackers will have made a replica website, complete with logos and the usual content, as well as a form to fill in with sensitive information.
  - Claiming to be a court order notice and asking the recipients to view more details. Upon clicking the link, the recipients installed malware on their computers that can be used for other malicious purposes.

21
Social Engineering
• Examples of phishing:
  - IRS refund
    * Cyber attackers took advantage of the month of April, sending emails claiming to be from the IRS and attaching ransomware through a Word file.
  - CareerBuilder
    * Hackers pretended to be normal job applicants, but instead of attaching resumes they uploaded malicious files.
    * CareerBuilder then forwarded these CVs to multiple companies that were hiring.
    * The malware was transferred to many organizations, including police offices.

22
Social Engineering
• Examples of phishing:
  - The following figure shows an example of a phishing email sent to a Yahoo user:

23
Phishing email
• The typical signs of phishing emails include:
  - Asks for sensitive information
  - Uses a different domain
  - Contains a link that is not consistent with the domain
  - Is not personalized
  - Uses poor spelling and grammar
  - Always tries to panic the receiver
• Email is not completely secure!!!
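Most of the signs in the list above can be checked mechanically, and the following Python example (added here, not part of the lecture) does so over a raw message: sender domain versus the organisation the mail claims to be from, link hosts versus the sender domain, requests for sensitive data, a generic greeting, and urgency language. Both messages, every address and domain, and the keyword lists are constructed for the demonstration; spelling quality is left to a human reader.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample (not a real email): a fake "bank" notice with the signs
# listed on the slide. All addresses and domains are made up.
SAMPLE_EMAIL = """\
From: Security Team <alerts@mybank-alerts.example>
To: jane.smith@mybank.example
Subject: URGENT: your account will be suspended

Dear Customer,

We detected unusual activty on your account. Verify your password and card number
immediatly at http://secure-login.mybank-verify.example/verify or your account
will be locked within 24 hours.
"""

# Constructed benign message from the same (fictional) organisation.
BENIGN_EMAIL = """\
From: IT Helpdesk <helpdesk@mybank.example>
To: jane.smith@mybank.example
Subject: Quarterly report

Hi Jane,

The quarterly report is at https://intranet.mybank.example/reports.
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "locked", "within 24 hours", "act now")
SENSITIVE_WORDS = ("password", "card number", "pin", "social security", "ssn", "login details")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear sir")


def registrable(host):
    """Crude registrable domain: the last two labels (enough for this comparison)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def mentions(words, text):
    """Words/phrases from the list that occur as whole words in the text."""
    return [w for w in words if re.search(r"\b" + re.escape(w) + r"\b", text)]


def phishing_indicators(raw, claimed_domain):
    """Return the list of phishing signs found in a raw RFC 822 message.

    claimed_domain is the domain of the organisation the mail claims to come
    from, as the recipient would know it (an input assumed to be available).
    """
    msg = message_from_string(raw)
    body = msg.get_payload()          # single-part text message assumed
    text = body.lower()
    subject = msg.get("Subject", "").lower()
    flags = []

    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = m.group(1).lower() if m else ""
    if registrable(sender_domain) != registrable(claimed_domain):
        flags.append(f"sender domain {sender_domain} is not {claimed_domain}")

    for link in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(link).hostname or ""
        if registrable(host) != registrable(sender_domain):
            flags.append(f"link host {host} does not match sender domain")

    if mentions(SENSITIVE_WORDS, text):
        flags.append("asks for sensitive information")
    if text.lstrip().startswith(GENERIC_GREETINGS):
        flags.append("not personalised")
    if mentions(URGENCY_WORDS, subject + " " + text):
        flags.append("urgency / panic language")
    return flags


if __name__ == "__main__":
    for flag in phishing_indicators(SAMPLE_EMAIL, "mybank.example"):
        print("-", flag)
    print(phishing_indicators(BENIGN_EMAIL, "mybank.example"))  # []
```

The domain comparison is deliberately simple (last two labels); a production filter would use the public suffix list and also check SPF/DKIM results in the headers, which this example does not attempt.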

24
Phishing email
• How to stay safe?
  - Think before you click any link.
  - Never provide your details via a link in a message.
  - Contact the person or business to check if they sent the message.
  - Protect your computers by using security software.
  - Protect your accounts using multi-factor authentication.
  - ...

25
Social Engineering
• Phone phishing (vishing)
  - The attacker uses phone calls instead of emails, or as an extension of the email phishing attack.
  - The attacker will use an illegitimate interactive voice response system that sounds exactly like the ones used by banks and service providers.
  - The target will be prompted by the system to give out some verification information. It is normal for the system to reject the input that a target gives so as to ensure that several PINs are disclosed.
• Spear phishing
  - Spear phishing is specifically targeted to obtain information from particular end users in an organization by performing a number of background checks on targets.
  - Statistically, normal phishing has a 3% success rate, whereas spear phishing has a 70% success rate.

26
Social Engineering
• Water holing
  - A social engineering attack that takes advantage of the amount of trust that users give to websites they regularly visit.
  - Hackers exploit any vulnerabilities on the website, attack it, take charge, and then inject code that infects visitors with malware or that leads clicks to malicious pages.
  - These attacks are normally tailored to a specific target and the specific devices, operating systems, or applications that they use.
  - An effective attack can be made by targeting the sites that IT personnel, who potentially have administrator rights in the system, access, such as StackOverflow.com.

27
Social Engineering
• Baiting
  - Exploiting the greed or curiosity of a certain target.
  - An attacker will leave a malware-infected external storage device in a place where other people can easily find it.
  - Attackers are normally crafty and will leave files that a victim will be tempted to open, such as "the executive summary of salaries and upcoming promotions".
  - In more serious cases, attackers might install rootkit viruses on the thumb drive that infect computers when they boot while an infected secondary storage medium is connected to them.
  - Baiting has a high success rate because it is human nature to be greedy or curious and to open and read files that are above one's level of access.

28
Social Engineering
• Quid pro quo
  - It is commonly carried out by low-level attackers.
  - Attackers will keep calling random numbers claiming to be from technical support, and will offer some sort of assistance, which then gives the attackers access to the victims' computers or the ability to launch malware.
  - This has a very low success rate.
• Tailgating
  - The least common social engineering attack, but it does have a significant success rate.
  - An attacker will walk behind an employee that has legitimate access and enter behind them by 1) borrowing their RFID card, or 2) gaining entry by using a fake card under the guise of accessibility problems.

29
Internal Reconnaissance

30
Internal Reconnaissance
• Unlike external reconnaissance, internal reconnaissance is done on-site.
• Attacks are carried out within an organization's network, systems and premises.
• Mostly, this process is aided by software tools.
• An attacker interacts with the actual target systems to find out information about their vulnerabilities.
  - This is the main difference between external and internal reconnaissance.
  - External reconnaissance is done without interacting with the system, but by instead finding entry points through humans that work in the organization.

31
Internal Reconnaissance
• The main target is the internal network of an organization,
  - where hackers are sure to find the data servers and the IP addresses of hosts they can infect.
• Attackers use networks to discover and analyze potential targets to attack in the future.
• Internal reconnaissance is used to determine the security mechanisms in place that ward off hacking attempts.
• Many cyber security tools have been made to mitigate software used to perform reconnaissance attacks.
• Where not enough security tools are installed, hackers can still find ways to hack through the ones already in place.
32
Internal Reconnaissance
• Sniffing and scanning
  - Terms used in networking that generally refer to the act of eavesdropping on traffic in a network.
  - They enable attackers to know exactly what is happening in a network.
• Sniffing tools:
  - are designed to capture the packets being transmitted over a network and to perform analysis on them.
  - E.g., Prismdump, tcpdump, Nmap, Wireshark, Scanrand, Cain and Abel, ...
• Packet analysis is essential to perform internal reconnaissance.

33
Sniffing and Scanning Tools
• Prismdump
  - Designed only for Linux, this tool allows hackers to sniff with Prism2 chipset-based cards.
  - It only captures packets and stores them in pcap format.
• Tcpdump
  - Has the most powerful packet-filtering capabilities and can even selectively capture packets.
• Wireshark
  - The most popular sniffing tool, with a user-friendly interface and powerful packet interpretation.
• Aircrack-ng

34
Sniffing Tools
• Nmap
  - Attackers will try to map out the hosts in a network in order to discover the ones that contain valuable information.
  - Hackers use slower scanning tools that get past network monitoring systems: the monitoring tools will not detect the scanning activity.
• Nessus
  - Known as the best network scanner and vulnerability scanner for white hats.
  - It scans a network and shows connected devices that have misconfigurations and missing patches.
  - The tool shows the devices that are using their default passwords, weak passwords, or no passwords at all, and recovers passwords from some devices by launching an external tool to help it with dictionary attacks against targets in the network.
  - Lastly, the tool is able to show abnormal traffic in the network.
  - Example of the report: https://virginia.service-now.com/its?id=itsweb_kb_article&sys_id=75e70054dbb553404f32fb671d9619d5
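To make the two slides above concrete (what a sniffer stores in pcap format, and why a slow scan slips past a monitor), here is an added Python example that is not part of the lecture and not the code of tcpdump, Wireshark or Nmap. It writes a small constructed pcap file, parses the Ethernet/IPv4/TCP headers back out the way a packet analyser does, and then looks for one source sending SYNs to many ports on one host. Addresses, timings, ports and thresholds are all constructed; the sliding-window detector is this example's own simple logic, not any product's.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond-resolution classic pcap


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def build_tcp_syn(src_ip, dst_ip, src_port, dst_port):
    """Minimal Ethernet/IPv4/TCP SYN frame (checksums left zero; fine for parsing)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)                 # MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, 0x02, 65535, 0, 0)                     # data offset 5, flags SYN
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0,
                     64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))  # protocol 6 = TCP
    return eth + ip + tcp


def build_pcap(records):
    """records: iterable of (ts_sec, frame) -> bytes of a classic pcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for ts, frame in records:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (ts_sec, src_ip, dst_ip, src_port, dst_port, tcp_flags) per IPv4/TCP frame."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap handled here")
    off = 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl]
        off += incl
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:    # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:                                   # not TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        yield ts, src, dst, sport, dport, frame[tcp + 13]


def detect_port_scans(events, min_ports=5, window=3600):
    """Map (src, dst) -> distinct ports probed, for pairs where one source sent
    SYNs (without ACK) to >= min_ports different ports within `window` seconds."""
    attempts = defaultdict(list)
    for ts, src, dst, _, dport, flags in events:
        if flags & 0x12 == 0x02:            # SYN set, ACK clear: a new connection attempt
            attempts[(src, dst)].append((ts, dport))
    hits = {}
    for pair, probes in attempts.items():
        probes.sort()
        best = 0
        for i, (t0, _) in enumerate(probes):
            best = max(best, len({p for t, p in probes[i:] if t - t0 <= window}))
        if best >= min_ports:
            hits[pair] = best
    return hits


# Constructed capture: a slow scanner probing one port every ten minutes, mixed
# with a workstation's ordinary HTTPS connections to the same server.
SCANNER, SERVER, WORKSTATION = "10.0.0.5", "10.0.0.10", "10.0.0.7"
_records = [(1000 + i * 600, build_tcp_syn(SCANNER, SERVER, 40000 + i, p))
            for i, p in enumerate((21, 22, 80, 443, 3389, 8080))]
_records += [(1000 + i * 5, build_tcp_syn(WORKSTATION, SERVER, 50000 + i, 443))
             for i in range(20)]
CAPTURE = build_pcap(_records)


def scan_report(window):
    """Run the detector over the constructed capture with the given window (seconds)."""
    return detect_port_scans(parse_pcap(CAPTURE), window=window)


if __name__ == "__main__":
    print(scan_report(window=60))    # {} : a one-minute window never sees enough ports
    print(scan_report(window=3600))  # {('10.0.0.5', '10.0.0.10'): 6}
```

The two runs at the end are the lesson: the same six probes are invisible to a detector that only remembers the last minute and obvious to one that keeps an hour of state, so the monitoring window, not just the threshold, decides whether a slow scan is caught.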

35
Conclusion
• At the end of both stages of reconnaissance, attackers will have enough information to proceed with or cancel a cyber-attack.
• From external reconnaissance,
  - they will know the behaviour of users and use it to an organization's disadvantage.
• Internal reconnaissance
  - will enable attackers to learn more about the network in question.
• At the end of this stage, attackers are then able to engage an organization on two fronts: either from the users' side or internally from the network's vulnerabilities.
36
Compromising the System
-Current Trends

37
Current trends
• Hackers can be persistent, more creative, and increasingly sophisticated with their attacks. → Hacking techniques become more sophisticated each year.
• Current trends in terms of the preferred attacks and modes of execution include the following:
  - Extortion attacks
  - Data manipulation attacks
  - Backdoors
  - IoT device attacks
  - Mobile device attacks
  - Hacking every device
  - Hacking the cloud

38
Extortion attacks
• Extorting money directly from victims
  - holding computer files to ransom
  - or threatening to release damaging information about a victim to the public
• Ransomware
  - WannaCry
    * The hacker asks for $300 within 72 hours, paid to a Bitcoin address.
    * The ransom doubles, and the files are permanently locked after 7 days.
    * WannaCry reportedly only made $50,000 since a kill switch was discovered.
• Extorting money by threatening to hack sites
  - The Ashley Madison incident
    * After failed extortion attempts, hackers exposed the user data of millions of people.
    * The company offered to pay a total of $11 million to compensate for the exposure of 36 million users.

39
Extortion attacks
• Extorting money by threatening to hack sites (another case)
  - United Arab Emirates bank (2015)
    * The hacker held the user data to ransom and demanded a payment of $3 million from the bank.
    * The company did not accept the hackers' offer. → The user data, which contained personal details of the account owners, their transactions, and details of the entities they had transacted with, was released to the public.
• Logistically, this is viewed as simpler than trying to sell off stolen data to third parties.
• Hackers are also able to negotiate for more money as the data they hold is more valuable to its owners than it is to third parties.

40
Data manipulation attacks
• Hackers compromise systems through the manipulation of data instead of deleting or releasing it. → It is difficult to detect.
• The hacker changes just a single value, but the consequences can be far-reaching.
• This is seen as the next stage of cybercrime, and it is anticipated that there will be many more cases of it in the near future.
• The manipulation can happen to health care, financial, and government data, all of which have been reported to be compromised by hackers.
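As an added illustration that is not from the slides, here is a Python sketch of the control that makes "a single changed value" detectable: an HMAC tag per record plus a chained digest over the ordered set, verified by a party that holds the key but does not share write access to the data. The records, balances and key are constructed for the demonstration.

```python
import copy
import hashlib
import hmac
import json

# Constructed ledger (hypothetical bank records, not real data).
RECORDS = [
    {"id": 1001, "owner": "A. Jones", "balance_cents": 250000},
    {"id": 1002, "owner": "B. Lee", "balance_cents": 1200},
    {"id": 1003, "owner": "C. Diaz", "balance_cents": 9800000},
]

# Constructed demo key. In practice it lives in an HSM/KMS separate from the
# database, so whoever can edit rows cannot also re-sign them.
KEY = b"demo-only-integrity-key"


def canonical(record):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(records, key=KEY):
    """Return (per-record HMAC tags, chained digest over the ordered tag list)."""
    tags, chain = [], b""
    for r in records:
        tag = hmac.new(key, canonical(r), hashlib.sha256).hexdigest()
        tags.append(tag)
        chain = hashlib.sha256(chain + tag.encode()).digest()
    return tags, chain.hex()


def verify(records, tags, chain_hex, key=KEY):
    """Return (ids whose contents changed, whether record count/order is intact)."""
    tampered, chain = [], b""
    for r, tag in zip(records, tags):
        expected = hmac.new(key, canonical(r), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            tampered.append(r["id"])
        chain = hashlib.sha256(chain + tag.encode()).digest()
    chain_ok = len(records) == len(tags) and hmac.compare_digest(chain.hex(), chain_hex)
    return tampered, chain_ok


def demo():
    """Seal the ledger, then show that one altered digit and one dropped row are caught."""
    tags, chain = seal(RECORDS)
    altered = copy.deepcopy(RECORDS)
    altered[1]["balance_cents"] = 1200000          # $12.00 -> $12,000.00: one changed value
    return {
        "clean": verify(RECORDS, tags, chain),                 # ([], True)
        "altered": verify(altered, tags, chain),               # ([1002], True)
        "dropped_row": verify(RECORDS[:2], tags[:2], chain),   # ([], False)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: tampered={result[0]} chain_ok={result[1]}")
```

The per-record tag pins down which row changed; the chain catches deletion and reordering, which per-record tags alone would miss. Neither helps if the attacker also controls the key, which is why the key and the verifier sit outside the system that writes the data.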

41
Data manipulation attacks
• A slight escalation of these attacks would have greater consequences.
  - For example, in a bank, data manipulation is catastrophic.
    * Withdrawals could be suspended, and it would take the bank months, or even years, to determine the actual customer balances.
• Data manipulation attacks could also be used to provide misinformation to the masses:
  - E.g. hackers were able to hack into the official Twitter account of The Associated Press and tweet a news story that the Dow had dropped by 150 points (deflating the Dow by an estimated $136 billion).
  - As seen, this is an attack that can affect any company and hurt its profits.
• Many people, especially competitors, have motives to bring down other companies in whichever way possible.

42
Backdoors
• In 2016, one of the leading network device manufacturers, Juniper Networks, found that some of its firewalls had firmware that contained backdoors installed by hackers. The backdoors enabled hackers to decrypt traffic flowing through the firewalls.
• The National Security Agency (NSA) was put in the spotlight since the backdoor had similarities to another one that was also attributed to the agency. Although it is unclear who was actually responsible for the backdoor, the incident highlights a big threat.
• Since these types of backdoor are hard to find, it is expected that they will be extensively used by hackers in the near future.

43
IoT device attacks
• Attacks using the Internet of Things (IoT) devices available, from smart home appliances to baby monitors.
• The attacks were aimed at commandeering large networks made up of these devices → the huge numbers of IoT devices generate vast illegitimate traffic to take down servers (which is called distributed denial of service (DDoS)).
• IoT devices are easier to access, are already available in large numbers, and are not adequately protected.
  - Manufacturers of IoT products have not been prioritizing the security of their devices.
  - Users are lazy, and experts say that most users leave IoT devices with their default security configurations.

44
Mobile Device Attacks
• Gradual increase in malicious activity targeting mobile devices
  - 9 million attacks blocked (2015) → 18 million attacks blocked (2016)
• Mobile malware aims to
  - Send messages from victims' phones to generate revenue for hackers.
  - Steal personal information from victims' devices.
• Most smartphone users are unconcerned about attacks that hackers can carry out on their devices.
• Smartphones have browsers and web-supported apps
  - Vulnerable to scripting attacks
  - Exploitable through man-in-the-middle attacks
• Example of smartphone malware: BlueBorne (September 2017)

45
Hacking Every Devices
• Targeting non-obvious devices in corporate networks that seem to be harmless.
• In particular, printers: modern printers come with an inbuilt memory function and only basic security features. Access to the printer may reveal or allow the following:
  - Password authentication mechanisms
  - Gathering the sensitive data that users send to be printed
  - Use as an entry point into otherwise secure networks
• Example: "Weeping Angel" in WikiLeaks
  - Exploiting the always-on voice command system of Samsung smart TVs
  - Spying on people in a room by recording their conversations
  - Transmitting the conversations of viewers to a CIA server

46
Hacking the Clouds
• The cloud is one of the fastest growing technologies today.
  - Clouds offer flexibility, accessibility, and capacity to a company's IT system.
• One great vulnerability in the cloud: everything (storage space, CPU cores and network interfaces) is shared.
• Hackers try to go beyond the boundaries that cloud vendors have established for each user.
• Security is largely left to the cloud vendor:
  - The security environment of the cloud is largely determined by the vendor.
  - The security control of the individual company is limited.
  - Platforms are shared with other people.
• There has been an upward trend in incidents of cloud vendors and companies using the cloud being attacked.

47
Hacking the Clouds
• The cloud was not the direct target: hackers had to compromise a user or a system within an organization.
• Examples:
  - Target: the credit card details of up to 70 million customers of Target were stolen. It started from a phishing email, but the data in the cloud server were leaked to the hacker.
  - Home Depot: the details of about 56 million credit cards and 50 million emails belonging to clients were compromised. The hacker used malware on a point-of-sale system.
  - Sony Pictures: the attackers were able to obtain employee information, financial details, sensitive emails, and even unreleased films from the organization's cloud servers.
  - The US Internal Revenue Service (IRS): the details of more than 100,000 accounts from the IRS were stolen from the cloud server.

48
