IP Sec Unit 5 CNS
IP Sec
IPsec (Internet Protocol Security) is an Internet Engineering Task Force (IETF) standard suite
of protocols that secures communication between two points across an IP network, providing
data authentication, integrity, and confidentiality. It also defines how packets are encrypted,
decrypted, and authenticated, and it specifies the protocols needed for secure key exchange
and key management.
Uses of IP Security
IPsec can be used to do the following things:
To encrypt application layer data.
To provide security for routers sending routing data across the public Internet.
To provide authentication without encryption, for example to authenticate that the data
originates from a known sender.
To protect network data by setting up circuits using IPsec tunneling, in which all data
sent between the two endpoints is encrypted, as with a Virtual Private Network (VPN)
connection.
Components of IP Security
It has the following components:
1. Encapsulating Security Payload (ESP)
2. Authentication Header (AH)
3. Internet Key Exchange (IKE)
1. Encapsulating Security Payload (ESP): It provides data integrity, encryption,
authentication, and anti-replay protection. It also authenticates the payload.
2. Authentication Header (AH): It provides data integrity, authentication, and anti-replay
protection, but it does not provide encryption. The anti-replay protection defends against
the unauthorized retransmission of captured packets. AH does not protect data confidentiality.
3. Internet Key Exchange (IKE): It authenticates the two hosts to each other and negotiates
the cryptographic algorithms and keying material that ESP and AH use (see IKE Phase 1 and
Phase 2 under the working of IPsec below).
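The anti-replay protection mentioned for ESP and AH is implemented by a sliding window over sequence numbers, as RFC 4302/4303 describe. The following is an added illustration for these notes, not code from any IPsec implementation: a receiver keeps the highest sequence number accepted and a bitmap of which of the last `window_size` numbers have already arrived, rejecting anything older than the window or seen before. In a real SA the check is combined with integrity verification of the packet, which is left out here.

```python
"""Anti-replay sliding window in the style of ESP/AH receivers.

Added illustration for these notes; not the code of any IPsec stack.
Bit i of the bitmap set means sequence number (highest - i) has been seen.
"""


class AntiReplayWindow:
    def __init__(self, window_size=64):
        if window_size < 32:          # RFC 4303 requires a window of at least 32
            raise ValueError("window must be at least 32")
        self.size = window_size
        self.highest = 0              # highest sequence number accepted so far
        self.bitmap = 0               # which of the last `size` numbers arrived

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False if replayed or too old."""
        if seq == 0:
            return False              # sequence number 0 is never valid on an SA
        if seq > self.highest:
            # Advance the window: shift old bits left, mark the new highest at bit 0.
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False              # older than the window: drop
        if self.bitmap & (1 << offset):
            return False              # already received: replay
        self.bitmap |= 1 << offset    # late but fresh: accept and remember it
        return True


def filter_sequence(seqs, window_size=64):
    """Feed a constructed arrival order through one window; return the verdicts."""
    window = AntiReplayWindow(window_size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed arrival order: reordering (3 before 2) is fine, the second 2 is a replay.
    print(filter_sequence([1, 3, 2, 2, 5, 4, 3]))
```

Reordering within the window is tolerated, which matters on real networks, while a duplicate or anything that has fallen off the left edge of the window is dropped.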
IP Security Architecture
IPSec (IP Security) architecture uses two protocols to secure the traffic or data flow. These
protocols are ESP (Encapsulation Security Payload) and AH (Authentication Header). IPSec
Architecture includes protocols, algorithms, DOI, and Key Management. All these
components are very important in order to provide the three main services:
Confidentiality
Authenticity
Integrity
Working of IP Security
The host checks whether the packet should be transmitted using IPsec or not. This packet
traffic triggers the security policy for itself: the system sending the packet applies the
appropriate encryption, and the host also checks incoming packets to verify that they are
encrypted properly.
Then IKE Phase 1 starts, in which the two hosts (using IPsec) authenticate themselves to
each other to set up a secure channel. It has two modes: Main mode provides greater
security, while Aggressive mode enables the hosts to establish an IPsec circuit more
quickly.
The channel created in the last step is then used to securely negotiate the way the IP
circuit will encrypt data across the IP circuit.
Now IKE Phase 2 is conducted over the secure channel, in which the two hosts negotiate the
type of cryptographic algorithms to use on the session and agree on the secret keying
material to be used with those algorithms.
Then the data is exchanged across the newly created IPsec encrypted tunnel. These packets
are encrypted and decrypted by the hosts using the IPsec SAs.
When the communication between the hosts is completed or the session times out, the IPsec
tunnel is terminated by both hosts discarding the keys.
Features of IPSec
1. Authentication: IPSec provides authentication of IP packets using digital signatures or
shared secrets. This helps ensure that the packets are not tampered with or forged.
2. Confidentiality: IPSec provides confidentiality by encrypting IP packets, preventing
eavesdropping on the network traffic.
3. Integrity: IPSec provides integrity by ensuring that IP packets have not been modified or
corrupted during transmission.
4. Key management: IPSec provides key management services, including key exchange
and key revocation, to ensure that cryptographic keys are securely managed.
5. Tunneling: IPSec supports tunneling, allowing IP packets to be encapsulated within
another protocol, such as GRE (Generic Routing Encapsulation) or L2TP (Layer 2
Tunneling Protocol).
6. Flexibility: IPSec can be configured to provide security for a wide range of network
topologies, including point-to-point, site-to-site, and remote access connections.
7. Interoperability: IPSec is an open standard protocol, which means that it is supported by
a wide range of vendors and can be used in heterogeneous environments.
Advantages of IPSec
1. Strong security: IPSec provides strong cryptographic security services that help protect
sensitive data and ensure network privacy and integrity.
2. Wide compatibility: IPSec is an open standard protocol that is widely supported by
vendors and can be used in heterogeneous environments.
3. Flexibility: IPSec can be configured to provide security for a wide range of network
topologies, including point-to-point, site-to-site, and remote access connections.
4. Scalability: IPSec can be used to secure large-scale networks and can be scaled up or
down as needed.
5. Improved network performance: IPSec can help improve network performance by
reducing network congestion and improving network efficiency.
Disadvantages of IPSec
1. Configuration complexity: IPSec can be complex to configure and requires specialized
knowledge and skills.
2. Compatibility issues: IPSec can have compatibility issues with some network devices
and applications, which can lead to interoperability problems.
3. Performance impact: IPSec can impact network performance due to the overhead of
encryption and decryption of IP packets.
4. Key management: IPSec requires effective key management to ensure the security of the
cryptographic keys used for encryption and authentication.
5. Limited protection: IPSec only provides protection for IP traffic, and other protocols
such as ICMP, DNS, and routing protocols may still be vulnerable to attacks.
FIREWALL
Types of Firewall
A firewall is a network device that isolates an organization's internal network from the larger
outside network/Internet. It can be a hardware, software, or combined system that prevents
unauthorized access to or from the internal network.
All data packets entering or leaving the internal network pass through the firewall, which
examines each packet and blocks those that do not meet the specified security criteria.
Deploying a firewall at the network boundary is like aggregating the security at a single point.
It is analogous to locking an apartment at the entrance and not necessarily at each door.
A firewall is considered an essential element for achieving network security for the following
reasons −
Internal networks and hosts are unlikely to be properly secured.
The Internet is a dangerous place with criminals, users from competing companies,
disgruntled ex-employees, spies from unfriendly countries, vandals, etc.
To prevent an attacker from launching denial of service attacks on network resources.
To prevent illegal modification of or access to internal data by an outside attacker.
Firewalls are categorized into three basic types − packet filters (stateless and stateful),
application-level gateways, and circuit-level gateways.
Packet Filter Firewall
In this type of firewall deployment, the internal network is connected to the external
network/Internet via a router firewall. The firewall inspects and filters data packet by packet.
Packet-filtering firewalls allow or block packets mostly based on criteria such as source
and/or destination IP addresses, protocol, source and/or destination port numbers, and various
other parameters within the IP header.
The decision can be based on factors other than IP header fields such as ICMP message type,
TCP SYN and ACK bits, etc.
A stateless firewall is a rigid tool. It looks at a packet and allows it if it meets the
criteria, even if it is not part of any established ongoing communication.
Hence, such firewalls are replaced by stateful firewalls in modern networks. This type of
firewall offers a more in-depth inspection method than the purely ACL-based packet
inspection of stateless firewalls.
A stateful firewall monitors the connection setup and teardown process to keep a check on
connections at the TCP/IP level. This allows it to keep track of connection state and
determine which hosts have open, authorized connections at any given point in time.
It references the rule base only when a new connection is requested. Packets belonging to
existing connections are compared to the firewall's state table of open connections, and the
decision to allow or block is taken from that. This process saves time and provides added
security as well: no packet is allowed to cross the firewall unless it belongs to an already
established connection. The firewall can time out inactive connections, after which it no
longer admits packets for that connection.
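The difference between the two filters above is easiest to see on a short packet trace. The following is an added illustration for these notes, not the code of any real firewall: both filters apply the same rule base (anything outbound, inbound only to TCP port 80), but the stateful one consults it only for a bare SYN and otherwise requires a matching entry in its state table. The addresses and traffic are constructed; the stray ACK aimed at an internal host with port 80 open is exactly the packet a stateless filter lets through.

```python
"""Stateless versus stateful packet filtering.

Added illustration for these notes; it is not the code of any real firewall.
Packets carry only the header fields a filter consults, and the traffic below
is constructed. The single policy rule mirrors the notes' example: admit
inbound traffic only when it is aimed at TCP port 80, allow anything outbound.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # constructed internal address range


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def policy_allows(pkt):
    """Stateless rule base: everything outbound, inbound only to port 80."""
    if is_internal(pkt.src):
        return True
    return pkt.dport == 80


def stateless_filter(packets):
    """Judge every packet on its own header, with no memory between packets."""
    return [policy_allows(p) for p in packets]


def stateful_filter(packets):
    """Consult the rule base only for a new connection (bare SYN); any other
    packet must match an entry in the state table or it is dropped."""
    state = set()       # open connections as (src, sport, dst, dport)
    verdicts = []
    for p in packets:
        conn = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if p.flags == frozenset({"SYN"}):
            allowed = policy_allows(p)
            if allowed:
                state.add(conn)
            verdicts.append(allowed)
        elif conn in state or reverse in state:
            verdicts.append(True)
            if p.flags & {"FIN", "RST"}:   # simplified teardown: drop the entry at once
                state.discard(conn)
                state.discard(reverse)
        else:
            verdicts.append(False)         # stray packet with no connection behind it
    return verdicts


# Constructed traffic: one legitimate web session, a stray ACK aimed at an
# internal host that happens to have port 80 open, then teardown and a late packet.
TRAFFIC = [
    Packet("203.0.113.9", 40001, "10.0.0.80", 80, frozenset({"SYN"})),
    Packet("10.0.0.80", 80, "203.0.113.9", 40001, frozenset({"SYN", "ACK"})),
    Packet("203.0.113.9", 40001, "10.0.0.80", 80, frozenset({"ACK"})),
    Packet("203.0.113.9", 55555, "10.0.0.5", 80, frozenset({"ACK"})),
    Packet("203.0.113.9", 40001, "10.0.0.80", 80, frozenset({"FIN", "ACK"})),
    Packet("203.0.113.9", 40001, "10.0.0.80", 80, frozenset({"ACK"})),
]

if __name__ == "__main__":
    print("stateless:", stateless_filter(TRAFFIC))
    print("stateful: ", stateful_filter(TRAFFIC))
```

The stateless filter admits all six packets, including the stray ACK to 10.0.0.5; the stateful filter drops that packet and the one arriving after the FIN, because neither belongs to a connection it has seen opened.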
Application Gateways
An application-level gateway acts as a relay node for the application-level traffic. They
intercept incoming and outgoing packets, run proxies that copy and forward information
across the gateway, and function as a proxy server, preventing any direct connection between
a trusted server or client and an untrusted host.
The proxies are application specific. They can filter packets at the application layer of the
OSI model.
Application-specific Proxies
For outbound packets, the gateway may replace the source IP address by its own IP address.
The process is referred to as Network Address Translation (NAT). It ensures that internal IP
addresses are not exposed to the Internet.
Circuit-Level Gateway
The circuit-level gateway is an intermediate solution between the packet filter and the
application gateway. It runs at the transport layer and hence can act as proxy for any
application.
Similar to an application gateway, the circuit-level gateway also does not permit an end-to-end
TCP connection across the gateway. It sets up two TCP connections and relays the TCP
segments from one network to the other. But it does not examine the application data as an
application gateway does. Hence, it is sometimes called a 'Pipe Proxy'.
SOCKS
SOCKS (RFC 1928) refers to a circuit-level gateway. It is a networking proxy mechanism
that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side
without requiring direct IP reachability. The client connects to the SOCKS server at the
firewall. Then the client enters a negotiation for the authentication method to be used, and
authenticates with the chosen method.
The client sends a connection relay request to the SOCKS server, containing the desired
destination IP address and transport port. The server accepts the request after checking that
the client meets the basic filtering criteria. Then, on behalf of the client, the gateway opens a
connection to the requested untrusted host and then closely monitors the TCP handshaking
that follows.
The SOCKS server informs the client, and in case of success, starts relaying the data between
the two connections. Circuit level gateways are used when the organization trusts the internal
users, and does not want to inspect the contents or application data sent on the Internet.
A firewall is a mechanism used to control network traffic 'into' and 'out' of an organization's
internal network. In most cases these systems have two network interfaces, one for the
external network such as the Internet and the other for the internal side.
The firewall process can tightly control what is allowed to traverse from one side to the other.
An organization that wishes to provide external access to its web server can restrict all traffic
arriving at the firewall except for port 80 (the standard HTTP port). All other traffic, such as
mail traffic, FTP, SNMP, etc., is not allowed across the firewall into the internal network. An
example of a simple firewall is shown in the following diagram.
In the above simple deployment, though all other access from outside is blocked, it is
possible for an attacker to contact not only the web server but any other host on the internal
network that has left port 80 open, by accident or otherwise.
Hence, the problem most organizations face is how to enable legitimate access to public
services such as web, FTP, and e-mail while maintaining tight security of the internal
network. The typical approach is deploying firewalls to provide a Demilitarized Zone (DMZ)
in the network.
In this setup (illustrated in the following diagram), two firewalls are deployed: one between the
external network and the DMZ, and another between the DMZ and the internal network. All
public servers are placed in the DMZ.
With this setup, it is possible to have firewall rules which allow public access to the public
servers while the interior firewall restricts all incoming connections. By having the DMZ,
the public servers are given adequate protection instead of being placed directly on the
external network.
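The two designs just described can be compared by writing each one's policy as a function and asking which listening hosts an Internet source can reach. This is an added illustration for these notes, not the notes' own diagram or any vendor configuration; the zones, hosts and addresses are constructed. In the single-firewall design the web server sits on the inside, so the "port 80 only" rule exposes every internal host that listens on 80; in the DMZ design the outer firewall admits only the DMZ web server on port 80 and the inner firewall admits no connection initiated from the DMZ or the Internet.

```python
"""Single perimeter firewall versus a DMZ behind two firewalls.

Added illustration for these notes, not any real firewall configuration.
Each policy function answers whether a new connection from src to dst on
dport is permitted. Zones and addresses are constructed.
"""

ZONES = {
    "203.0.113.9": "internet",   # outside party (customer or attacker)
    "172.16.0.80": "dmz",        # public web server in the DMZ design
    "10.0.0.80": "internal",     # the web server when it is placed on the inside
    "10.0.0.5": "internal",      # workstation that left port 80 open by accident
    "10.0.0.20": "internal",     # database server
}
PUBLIC_WEB = {"172.16.0.80"}     # the only service the outer firewall publishes


def single_firewall(src, dst, dport):
    """One firewall: Internet traffic is admitted if the port is 80, to any host."""
    if ZONES[src] == "internet":
        return dport == 80
    return True


def dmz_design(src, dst, dport):
    """Outer firewall: the Internet may reach only the DMZ web server on port 80.
    Inner firewall: nothing from the DMZ or the Internet may open a connection inward."""
    s, d = ZONES[src], ZONES[dst]
    if s == "internet":
        return d == "dmz" and dst in PUBLIC_WEB and dport == 80
    if s == "dmz":
        return d != "internal"
    return True   # internal hosts may initiate connections anywhere


def exposed_hosts(policy, hosts_with_port_open, port=80, src="203.0.113.9"):
    """Which of the listening hosts an Internet source can actually reach under a policy."""
    return sorted(h for h in hosts_with_port_open if policy(src, h, port))


if __name__ == "__main__":
    listening = ["10.0.0.80", "10.0.0.5", "172.16.0.80"]
    print("single firewall exposes:", exposed_hosts(single_firewall, listening))
    print("DMZ design exposes:     ", exposed_hosts(dmz_design, listening))
    # A compromised DMZ web server still cannot open a connection to the database.
    print("DMZ -> internal DB:", dmz_design("172.16.0.80", "10.0.0.20", 3306))
```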
CYBER FORENSICS
Cyber forensics is the process of extracting data as proof of a crime (one that involves electronic
devices) while following proper investigation rules, so that the culprit can be caught by presenting
the evidence to the court. Cyber forensics is also known as computer forensics. The main aim
of cyber forensics is to maintain the thread of evidence and documentation to find out who
committed the crime digitally. Cyber forensics can do the following:
It can recover deleted files, chat logs, emails, etc.
It can also recover deleted SMS messages and phone call records.
It can obtain recorded audio of phone conversations.
It can determine which user used which system and for how much time.
It can identify which user ran which program.
After copying the files, experts verify that the copied data is consistent and exactly as it exists
on the real system.
It is possible for the format of the data to change while duplicating it from a device, resulting in
discrepancies between the investigators' operating systems and the one from which the data
was copied. To avoid this, investigators ensure that the structure stays constant, that the data
is forensically acceptable, and that it is written to the hard disk drive in a format the computer
can properly use.
Criminals think of innovative ways of cleaning up the scene and often remove data that
could indicate their misconduct; it is the work of the investigators to recover and reconstruct
deleted files with state-of-the-art software.
Forensics specialists can recover files erased by the user from a computer, because deleted
files are not permanently wiped from the disk.
The OS perceives vacant space on the hard disk as room for storing new files and directories;
however, temporary files and documents that were erased years ago remain there until new
data is written over them. Forensics specialists look for these files in this free space.
Forensics specialists use tools that search through all of the data for relevant phrases and
produce the pertinent information.
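The three activities in the passage above (verifying that the acquired copy matches the original, recovering deleted files from free space, and searching all data for phrases) are shown together in the following added illustration. It is not any forensic tool's code. The "disk image" is a constructed byte string: an allocated file followed by free space that still holds a deleted PNG and a deleted note, because nothing has yet overwritten them; the PNG is recovered by its fixed header and footer signatures rather than through the file system.

```python
"""Acquisition check and recovery from free space.

Added illustration for these notes, not the code of any forensic tool.
The media is a constructed byte string; the hash, carving and keyword
search run over all of it, allocated and free space alike.
"""
import hashlib
import re

PNG_HEADER = b"\x89PNG\r\n\x1a\n"
PNG_FOOTER = b"IEND\xaeB`\x82"   # IEND chunk type plus its fixed CRC: last 8 bytes of any PNG

# Constructed allocated data: a live file the file system still knows about.
ALLOCATED = b"REPORT.TXT: quarterly figures attached\x00" + b"\x00" * 16


def build_sample_image():
    """Constructed media: allocated data, then free space holding deleted remnants."""
    deleted_png = PNG_HEADER + b"\x00\x00\x00\rIHDR" + b"\x01" * 17 + PNG_FOOTER
    deleted_note = b"transfer to account 4711 before audit\x00"
    free_space = b"\x00" * 8 + deleted_png + b"\xff" * 5 + deleted_note + b"\x00" * 8
    return ALLOCATED + free_space


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def acquire(source):
    """Bit-for-bit copy plus the hash recorded at acquisition time."""
    copy = bytes(source)
    return copy, sha256(copy)


def verify_copy(source, copy, recorded_hash):
    """Original media and working copy must both still hash to the recorded value."""
    return sha256(source) == recorded_hash == sha256(copy)


def carve_png(image):
    """Return (offset, bytes) for every PNG header/footer pair, wherever it sits."""
    found, pos = [], 0
    while (start := image.find(PNG_HEADER, pos)) != -1:
        end = image.find(PNG_FOOTER, start)
        if end == -1:
            break                       # header without footer: partially overwritten
        end += len(PNG_FOOTER)
        found.append((start, image[start:end]))
        pos = end
    return found


def keyword_search(image, terms):
    """Byte offsets of each phrase across the whole image."""
    return {t: [m.start() for m in re.finditer(re.escape(t.encode()), image)]
            for t in terms}


if __name__ == "__main__":
    image = build_sample_image()
    copy, recorded = acquire(image)
    print("copy verified:", verify_copy(image, copy, recorded))
    print("carved PNGs (offset, size):", [(o, len(d)) for o, d in carve_png(copy)])
    print("hits:", keyword_search(copy, ["audit", "quarterly"]))
```

All analysis runs on the verified copy; a single altered byte makes `verify_copy` fail, which is what the hash recorded at acquisition is for.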
The last phase is to produce a technical report that is relevant and easily understood
regardless of the background of the reader. The purpose of this report is to state clearly the
crime, the possible culprits, and the innocent individuals.
The technical report must be straightforward for everyone to grasp, irrespective of their
background. It should focus mostly on who the culprit is, what techniques they used to
commit the crime, and how.
Cyber forensics is a field that follows certain procedures to find the evidence and reach
conclusions after proper investigation of the matter. The procedures that cyber forensic
experts follow are:
Identification: The first step for cyber forensics experts is to identify what evidence is
present, where it is stored, and in which format it is stored.
Preservation: After identifying the data, the next step is to safely preserve the data and
not allow other people to use that device, so that no one can tamper with the data.
Analysis: After getting the data, the next step is to analyze the data or system. Here the
expert recovers the deleted files, verifies the recovered data, and finds the evidence
that the criminal tried to erase by deleting secret files. This process might take several
iterations to reach the final conclusion.
Documentation: After analyzing the data, a record is created. This record contains all
the recovered and available (not deleted) data, which helps in recreating the crime scene
and reviewing it.
Presentation: This is the final step, in which the analyzed data is presented in front of
the court to solve the case.
There are multiple types of computer forensics depending on the field in which digital
investigation is needed. The fields are:
Network forensics: This involves monitoring and analyzing the network traffic to and
from the criminal's network. The tools used here are network intrusion detection
systems and other automated tools.
Email forensics: In this type of forensics, the experts check the email of the criminal
and recover deleted email threads to extract crucial information related to the case.
Malware forensics: This branch of forensics deals with hacking-related crimes. Here, the
forensics expert examines the malware and trojans to identify the hacker behind them.
Memory forensics: This branch of forensics deals with collecting raw data from
memory (such as cache, RAM, etc.) and then retrieving information from that data.
Mobile phone forensics: This branch of forensics generally deals with mobile phones.
The experts examine and analyze data from the mobile phone.
Database forensics: This branch of forensics examines and analyzes the data from
databases and their related metadata.
Disk forensics: This branch of forensics extracts data from storage media by searching
for modified, active, or deleted files.
Cyber forensic investigators use various techniques and tools to examine the data; some
of the commonly used techniques are:
Reverse steganography: Steganography is a method of hiding important data inside a
digital file, image, etc. So, cyber forensic experts do reverse steganography to analyze
the data and find a relation with the case.
Stochastic forensics: In stochastic forensics, the experts analyze and reconstruct digital
activity without using digital artifacts. Here, artifacts mean unintended alterations of
data that occur from digital processes.
Cross-drive analysis: In this process, the information found on multiple computer
drives is correlated and cross-referenced to analyze and preserve information that is
relevant to the investigation.
Live analysis: In this technique, the criminal's computer is analyzed from within the
OS while it is running. It aims at the volatile data in RAM to get some valuable
information.
Deleted file recovery: This includes searching memory for fragments of a
partially deleted file in order to recover it for evidence purposes.
What skills are required to be a cyber forensic expert?
As we know, technology always changes over time, so the experts must keep up to date with
the latest technology.
Cyber forensic experts must be able to analyse the data, derive conclusions from it and
make proper interpretations.
The communication skills of the expert must be good, so that when presenting evidence
in front of the court, everyone understands each detail with clarity.
The expert must have strong knowledge of basic cyber security.
Types of Hackers:
To elaborate on the aforementioned hacking aims, it is vital to understand the various sorts
of hackers that exist in the cyber segment in order to distinguish between their
responsibilities and objectives. The types of hackers are:
1. Black Hat Hackers: These hackers, often known as crackers, always have a malicious
motive and gain illegal access to computer networks and websites. Their goal is to make
money by stealing secret organizational data, stealing funds from online bank accounts,
violating privacy rights to benefit criminal organizations, and so on. In today's world, the
majority of hackers fall into this category and conduct their business in a murky manner.
Black hat hackers are nefarious individuals who aim to use their technical expertise to
exploit and harm others. They usually have the expertise and training to get into computer
networks without the consent of the owners, attack security holes, and circumvent security
procedures. With the malevolent goal of gaining unauthorized access to networks and
systems, they attack to steal data and spread malware, causing damage to systems.
2. White Hat Hackers/Ethical Hackers: White hat hackers (sometimes referred to as
ethical hackers) are the polar opposites of black hat hackers. They employ their
technical expertise to defend against malicious hackers. White hats are employed by
businesses and government agencies as data security analysts, researchers, security
specialists, etc. White hat hackers, with the permission of the system owner and with good
motives, use the same hacking tactics that black hat hackers use. They can work as
contractors, freelancers, or in-house for companies. They assist their customers in
resolving security flaws before they are exploited by criminal hackers.
3. Gray Hat Hackers: They fall somewhere between the above-mentioned types of
hackers, in that they gain illegal access to a system but do so without any malicious
intent. The goal is to expose the system's weaknesses. Instead of exploiting
vulnerabilities for unlawful gain, grey hat hackers may offer to repair vulnerabilities
they have identified through their own unauthorized actions. For example, they may
infiltrate your website or application without your permission to look for vulnerabilities.
They rarely, if ever, try to harm others. Grey hats do this to obtain notoriety and
reputation in the cyber security industry, which helps them further their careers as
security experts in the long run. On the other hand, this harms the reputation of the
organizations whose security flaws or exploits are made public.
4. Red Hat Hackers: Also known as eagle-eyed hackers. Red hat hackers want to stop
threat actors from launching unethical assaults. Red hat hackers have the same aim as
ethical hackers, but their methods differ: red hat hackers may use illegal or extreme
methods, and frequently launch cyber attacks against threat actors' own systems.
5. Blue Hat Hackers: Security experts who work outside of the organization are known as
blue hat hackers. Before releasing new software, companies frequently invite them to test
it and uncover security flaws. Companies occasionally hold meetings for blue hat hackers
to help them uncover flaws in their critical internet systems. Money and fame aren't
necessarily important to some hackers. They hack to exact personal vengeance on a
person, employer, organization, or government for a genuine or perceived deception. To
hurt their adversaries' data, websites, or devices, such blue hat hackers use malicious
software and various cyber threats against their rivals' devices.
6. Green Hat Hackers: Green hat hackers aren't familiar with security measures or the
internal dynamics of the internet, but they're quick learners who are driven (if not
desperate) to advance in the hacking world. Although it is unlikely that they want to
damage others, they may do so while "experimenting" with various viruses and attack
strategies. As a result, green hat hackers can be dangerous, since they are frequently
unaware of the implications of their activities or, even worse, of how to correct them.
FOOTPRINTING
The process of cybersecurity footprinting involves profiling organizations and collecting data
about the network, host, employees and third-party partners. This information includes
the OS used by the organization, firewalls, network maps, IP addresses, domain name
system information, security configurations of the target machine, URLs, virtual private
networks, staff IDs, email addresses and phone numbers.
Footprinting is of two types:
1. Active footprinting
2. Passive footprinting
Active footprinting describes the process of using tools and techniques, like the traceroute
command or a ping sweep (an Internet Control Message Protocol sweep), to collect data about
a specific target. This often triggers the target's intrusion detection system (IDS). It takes a
certain level of stealth and creativity to evade detection successfully.
As the name implies, passive footprinting involves collecting data about a specific target
using innocuous methods, like performing a Google search, looking through Archive.org,
using NeoTrace, browsing through employees' social media profiles, looking at job sites and
using Whois, a service that provides the domain names and associated networks for a specific
organization. It is a stealthier approach to footprinting because it does not trigger the target's
IDS.
Reconnaissance is similar to footprinting and is a crucial part of the initial hacking exercise.
It is a passive footprinting exercise where one collects data about the target's potential
vulnerabilities and flaws to exploit while penetration testing.
Footprinting can help ethical hackers find potential vulnerabilities to assess and test.
Footprinting processes start with determining the location and objective of an intrusion. Once
ethical hackers identify a specific target, they gather information about the organization using
nonintrusive methods, such as accessing the organization's own webpage, personnel directory
or employee bios.
Scanning is another essential step; it refers to the set of techniques and procedures used to
identify hosts, ports, and the various services within a network. Network scanning is one
component of the intelligence-gathering and information-retrieval mechanism an attacker uses
to build an overview of the target organization (the group of people or organization that falls
prey to the hacker). Vulnerability scanning is performed by pen-testers to detect the
possibility of network security attacks. This technique lets them identify vulnerabilities such
as missing patches, unnecessary services, weak authentication, or weak encryption algorithms,
so a pen-tester or ethical hacker lists all such vulnerabilities found in an organization's network.
Types of scanning:
Network Scanning
Port Scanning
Vulnerability Scanning
Port Scanning
It is a conventional technique used by penetration testers and hackers to search for open doors
through which an organization's systems can be accessed. During this scan, hackers find out
the live hosts, the firewalls installed, the operating systems used, the different devices attached
to the network, and the targeted organization's topology. Once the hacker has obtained the
victim organization's IP addresses and scanned their TCP and UDP ports, the hacker maps the
organization's network. Amap is a tool to perform port scanning.
TCP/IP Handshake
Before moving to the scanning techniques, we have to understand the TCP/IP 3-way
handshaking process. In computer terms, handshaking means the automated process used to
set the dynamic parameters of a communication channel between two entities using some
protocols. Here, TCP (Transmission Control Protocol) and IP (Internet Protocol) are the two
protocols used for handshaking between a client and a server. First, the client sends a
synchronization packet to establish a connection, and the listening server responds with a
SYN/ACK packet to the client. The client then responds to the server by sending an ACK
packet. Here SYN denotes synchronization, which is used to initialize connections between
the client and the server, and ACK denotes acknowledgment, which is used to establish the
connection between the two hosts.
1. SYN Scan: A SYN scan, or stealth scan, doesn't complete the TCP three-way handshake.
A hacker sends a SYN packet to the victim; if a SYN/ACK frame is received back, the
target would complete the connection, so the port is listening. If an RST is received from
the target, it is assumed that the port is closed or not active. The SYN stealth scan is
advantageous to the attacker because few IDS systems log it as an attack or connection
attempt.
2. XMAS Scan: An XMAS scan sends a packet which contains the URG (urgent), FIN (finish)
and PSH (push) flags. If the port is open, there will be no response; the target responds
with an RST/ACK packet if the port is closed (RST = reset).
3. FIN Scan: A FIN scan is similar to an XMAS scan except that it sends a packet with
just the FIN (finish) flag and no URG or PSH flags. A FIN scan receives the same
responses and has the same limitations as an XMAS scan.
4. IDLE Scan: An IDLE scan uses a spoofed IP address to send the SYN packet to the
target, determining the port state from the scan response and the IP header sequence
number. Depending on the response, the port is determined to be open or closed.
5. Inverse TCP Flag Scan: Here, the attacker sends TCP probe packets with a TCP flag
(FIN, URG, PSH) or no flags. If there is no response, it indicates that the port is open;
an RST means it is closed.
6. ACK Flag Probe Scan: Here, the attacker sends TCP probe packets with the ACK flag
set to a remote device and analyzes the header information (TTL and WINDOW fields) of
the RST packet that comes back, which signifies whether the port is open or closed. This
scan is also used to check the target's/victim's filtering system.
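Each scan type above leaves a recognisable trace on the target side: a SYN scan produces many bare SYNs from one source to many ports with no completing ACK, while XMAS, FIN-only and NULL probes use flag combinations no normal TCP stack sends to open a connection. The following is an added illustration for these notes, written from the defender's side and not the code or output of any IDS: it parses constructed connection-log lines in the format shown in the comment and raises one alert per source per scan kind, leaving a host that completed its handshake unflagged.

```python
"""Detecting the scan types the notes list from a connection log.

Added illustration for these notes, defender's side; not any IDS's code.
Log lines are constructed, one packet each:
"<epoch> <src>:<sport> -> <dst>:<dport> <comma-separated flags | NONE>"
"""
from collections import defaultdict

SAMPLE_LOG = """\
1700000000 203.0.113.9:40001 -> 10.0.0.80:22 SYN
1700000000 203.0.113.9:40002 -> 10.0.0.80:80 SYN
1700000000 203.0.113.9:40003 -> 10.0.0.80:443 SYN
1700000001 203.0.113.9:40004 -> 10.0.0.80:3306 SYN
1700000001 203.0.113.9:40005 -> 10.0.0.80:8080 SYN
1700000001 203.0.113.9:40006 -> 10.0.0.80:25 SYN
1700000002 198.51.100.7:51000 -> 10.0.0.80:443 SYN
1700000002 198.51.100.7:51000 -> 10.0.0.80:443 ACK
1700000003 198.51.100.7:51000 -> 10.0.0.80:443 PSH,ACK
1700000004 192.0.2.33:60000 -> 10.0.0.80:139 URG,FIN,PSH
1700000004 192.0.2.33:60001 -> 10.0.0.80:445 FIN
1700000005 192.0.2.33:60002 -> 10.0.0.80:135 NONE
"""


def parse_line(line):
    ts, src, _, dst, flags = line.split()
    sip, sport = src.split(":")
    dip, dport = dst.split(":")
    flagset = frozenset() if flags == "NONE" else frozenset(flags.split(","))
    return int(ts), sip, int(sport), dip, int(dport), flagset


def detect_scans(log_text, port_threshold=5, window=60):
    """Return {source: sorted alert kinds}.

    syn_scan : one source sent bare SYNs to at least port_threshold distinct
               ports within `window` seconds and never completed the handshake
               (no ACK from the same source port followed the SYN).
    *_probe  : XMAS (URG+FIN+PSH), FIN-only and NULL (no flags) packets.
    """
    events = [parse_line(l) for l in log_text.strip().splitlines()]
    syn_at, completed = {}, set()
    probes = defaultdict(set)
    for ts, sip, sport, dip, dport, flags in events:
        key = (sip, sport, dip, dport)
        if flags == {"SYN"}:
            syn_at[key] = ts
        elif flags == {"ACK"} and key in syn_at:
            completed.add(key)            # third step of the handshake seen
        elif flags == {"URG", "FIN", "PSH"}:
            probes[sip].add("xmas")
        elif flags == {"FIN"}:
            probes[sip].add("fin")
        elif not flags:
            probes[sip].add("null")

    half_open = defaultdict(list)         # src -> [(ts, dport)] never completed
    for key, ts in syn_at.items():
        if key not in completed:
            half_open[key[0]].append((ts, key[3]))

    alerts = defaultdict(set)
    for src, items in half_open.items():
        items.sort()
        for t0, _ in items:               # slide a window starting at each SYN
            ports = {p for t, p in items if t0 <= t <= t0 + window}
            if len(ports) >= port_threshold:
                alerts[src].add("syn_scan")
                break
    for src, kinds in probes.items():
        alerts[src].update(f"{k}_probe" for k in kinds)
    return {src: sorted(kinds) for src, kinds in alerts.items()}


if __name__ == "__main__":
    for src, kinds in detect_scans(SAMPLE_LOG).items():
        print(src, kinds)
```

Thresholds are the tuning knobs: a low `port_threshold` catches slow scans but also flags a browser opening several connections, so in practice the window and threshold are set from a baseline of normal traffic.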
Vulnerability Scanning
It is the proactive identification of a system's vulnerabilities within a network in an
automated manner to determine whether the system can be exploited or threatened. In this
case, the computer has to be connected to the internet.
Checking connectivity with ping on Windows:
1. Open the Windows OS.
2. Press the Win+R (Run) keys in combination.
3. In the Run box, type cmd.
4. Type the command: ping IP Address or ping DomainName
Nmap: extracts information such as live hosts on the network, services, type of packet
filters/firewalls, operating systems, and OS versions.
Angry IP Scanner: scans for systems available in a given input range.
Hping2/Hping3: command-line packet crafting and network scanning tools for TCP/IP
protocols.
SuperScan: another powerful tool, developed by McAfee, which is a TCP port scanner also
used for pinging.
Zenmap: another very powerful graphical user interface (GUI) tool to detect the type of OS,
OS version, ping sweep, port scanning, etc.
Net Scan Tool Suite Pack: a collection of different types of tools that can perform port
scans, flooding, web ripping, mass emailing, etc. The tool is a trial version, but paid
versions are also available.
Wireshark and OmniPeek are two powerful and well-known tools that listen to network
traffic and act as network analyzers.
Other well-known PC tools are Advanced Port Scanner, Net Tools, MegaPing, CurrPorts,
PRTG Network Monitor, SoftPerfect Network Scanner, Network Inventory Explorer, etc.
There are various other scanners available free and built into Kali Linux.
Tools used as scanners on mobiles include Umit Network Scanner, Fing, IP Network Scanner,
PortDroid Network Analysis, Panm IP Scanner, Nessus Vulnerability Scanner, Shadow Sec
Scanner, etc.
website email spoofing, Zmail, etc.) the hacker sends an email asking the users to log in to a
new Google portal with their credentials. They already have the Social Engineering Toolkit
running and have sent an email with the server address to the users, masking it with a bitly
or tinyurl link.
Other options include creating a reverse TCP/IP shell in a PDF using Metasploit (which may
be caught by a spam filter). Looking at the event calendar, they can set up an Evil Twin router
and try a man-in-the-middle attack on users to gain access. A variant of a denial of service
attack, stack-based buffer overflows, and session hijacking may also prove effective.
4. Maintaining Access: Once a hacker has gained access, they want to keep that access for
future exploitation and attacks. Once the hacker owns the system, they can use it as a base
to launch additional attacks.
In this case, the owned system is sometimes referred to as a zombie system. Now that the
hacker has multiple e-mail accounts, the hacker begins to test the accounts on the domain.
From this point the hacker creates a new administrator account for themselves based on the
naming structure and tries to blend in. As a precaution, the hacker begins to look for and
identify accounts that have not been used for a long time. The hacker assumes that these
accounts are likely either forgotten or not used, so they change the password and elevate
privileges to administrator as a secondary account in order to maintain access to the
network. The hacker may also send out emails to other users with an exploited file, such as
a PDF with a reverse shell, in order to extend their possible access. No overt exploitation or
attacks will occur at this time. If there is no evidence of detection, a waiting game is
played, letting the victim think that nothing was disturbed. With access to an IT account,
the hacker begins to make copies of all emails, appointments, contacts, instant messages
and files to be sorted through and used later.
5. Clearing Tracks (so no one can reach them): Prior to the attack, the attacker would
change their MAC address and run the attacking machine through at least one VPN to help
cover their identity. They will not deliver a direct attack or any scanning technique that
would be deemed "noisy".
Once access is gained and privileges have been escalated, the hacker seeks to cover their
tracks. This includes clearing out sent emails, clearing server logs, temp files, etc. The
hacker will also look for indications of the email provider alerting the user to possible
unauthorized logins under their account.
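The maintaining-access and clearing-tracks phases above each leave audit evidence a defender can look for: a long-dormant account whose password is suddenly changed and which is then added to an administrative group minutes later, and any clearing of an audit log, which is never routine. The following is an added illustration for these notes, not the output or rules of any SIEM; the directory snapshot and audit events are constructed (the actor `jsmith` stands for the compromised IT account the notes describe).

```python
"""Audit-trail review for dormant-account takeover and log clearing.

Added illustration for these notes, defender's side; not any SIEM's code.
LAST_LOGON and EVENTS are constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed directory snapshot: last interactive logon per account.
LAST_LOGON = {
    "jsmith": "2024-05-01",
    "old_contractor": "2023-01-15",   # left long ago, account never disabled
    "svc_backup": "2023-02-01",       # service account nobody logs on with
    "adm_lee": "2024-05-02",
}

# Constructed audit events: (timestamp, action, target account or host, actor).
EVENTS = [
    ("2024-05-03T02:11:00", "password_changed", "old_contractor", "jsmith"),
    ("2024-05-03T02:12:30", "added_to_group:Domain Admins", "old_contractor", "jsmith"),
    ("2024-05-03T09:00:00", "password_changed", "jsmith", "jsmith"),
    ("2024-05-03T10:00:00", "added_to_group:Domain Admins", "adm_lee", "adm_lee"),
    ("2024-05-04T03:40:00", "password_changed", "svc_backup", "jsmith"),
    ("2024-05-04T04:00:00", "audit_log_cleared", "mailsrv01", "jsmith"),
]


def review_audit_trail(events, last_logon, dormant_days=90, link_window_minutes=30):
    """Return (kind, target, actor) alerts for:
    dormant_password_change  : password changed on an account idle > dormant_days
    dormant_account_elevated : such an account added to a group within
                               link_window_minutes of that password change
    audit_log_cleared        : any clearing of an audit log, regardless of account
    """
    alerts, reset_at = [], {}
    for ts_text, action, target, actor in events:
        ts = datetime.fromisoformat(ts_text)
        if action == "audit_log_cleared":
            alerts.append(("audit_log_cleared", target, actor))
            continue
        idle_days = (ts - datetime.fromisoformat(last_logon[target])).days
        if idle_days < dormant_days:
            continue                                # active account: routine change
        if action == "password_changed":
            reset_at[target] = ts
            alerts.append(("dormant_password_change", target, actor))
        elif (action.startswith("added_to_group:") and target in reset_at
              and ts - reset_at[target] <= timedelta(minutes=link_window_minutes)):
            alerts.append(("dormant_account_elevated", target, actor))
    return alerts


if __name__ == "__main__":
    for alert in review_audit_trail(EVENTS, LAST_LOGON):
        print(alert)
```

The actor column is what ties the three alerts together: one compromised account (`jsmith` here) touching a forgotten account, elevating it, and then clearing a log is a far stronger signal than any one of those events alone.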
Most of the time is spent on the reconnaissance process; the time spent decreases in the
following phases. The inverted triangle in the diagram represents the time spent, which shrinks
with each subsequent phase.