
Cybersecurity – Attack and Defense Strategies: Infrastructure security with Red Team and Blue Team tactics PDF

368 Pages·2018·22.756 MB·English

Preview Cybersecurity – Attack and Defense Strategies: Infrastructure security with Red Team and Blue Team tactics

Cybersecurity – Attack and Defense Strategies
Infrastructure security with Red Team and Blue Team tactics
Yuri Diogenes, Erdal Ozkaya
BIRMINGHAM - MUMBAI

Cybersecurity – Attack and Defense Strategies
Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book. Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Namrata Patil
Content Development Editor: Amrita Noronha
Technical Editor: Sneha Hanchate
Copy Editor: Safis Editing
Project Coordinator: Shweta Birwatkar
Proofreader: Safis Editing
Indexer: Pratik Shirodkar
Graphics: Tania Dutta
Production Coordinator: Shantanu Zagade

First published: January 2018
Production reference: 1230118
Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.
ISBN 978-1-78847-529-7
www.packtpub.com

mapt.io
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry-leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?
Spend less time learning and more time coding with practical eBooks and videos from over 4,000 industry professionals.
Improve your learning with Skill Plans built especially for you.
Get a free eBook or video every month.
Mapt is fully searchable.
Copy and paste, print, and bookmark content.

PacktPub.com
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the authors
Yuri Diogenes is a professor at EC-Council University for their master's degree in cybersecurity program. Yuri has a master of science degree in cybersecurity from UTICA College, and an MBA from FGV Brazil. Yuri currently holds the following certifications: CISSP, CyberSec First Responder, CompTIA CSA+, E|CEH, E|CSA, E|CHFI, E|CND, CompTIA Security+, CompTIA Cloud Essentials, Network+, Mobility+, CASP, MCSE, MCTS, and Microsoft Specialist - Azure.

First and foremost, I would like to thank God for enabling me to write another book. I would also like to thank my wife, Alexsandra, and my daughters, Yanne and Ysis, for their unconditional support. To my coauthor and friend, Erdal Ozkaya, for the great partnership. To Amrita Noronha for her amazing support throughout this project.

Erdal Ozkaya holds a doctor of philosophy in cybersecurity, a master of information systems security, and a master of computing research, and is CEI, MCT, MCSE, E|CEH, E|CSA, E|CISO, CFR, and CISSP certified. He works for Microsoft as a cybersecurity architect and security advisor and is also a part-time lecturer at Australia's Charles Sturt University. He has coauthored many security certification coursewares for different vendors and speaks at conferences worldwide. He has won many awards in his field and works hard to make the cyber world safe.

I would like to thank my wife, Arzu, and my kids, Jemre and Azra, for all their support and love. I would like to give special thanks to my parents and brothers, who have helped me become who I am. I would also like to thank my supervisor, Dr. Rafiqul Islam, for his help and feedback whenever I have needed it.

About the reviewers
Vijay Kumar Velu is a passionate information security practitioner, author, speaker, and blogger, currently based in Malaysia. He has more than 11 years of IT industry experience. He is a licensed penetration tester and has specialized in providing technical solutions to a variety of cyber problems. He is the author of Mastering Kali Linux for Advanced Penetration Testing, Second Edition and Mobile Application Penetration Testing.

Pascal Ackerman is a seasoned industrial security professional with a degree in electrical engineering and over 15 years of experience in designing, troubleshooting, and securing large-scale industrial control systems and the various types of network technologies they utilize. After more than a decade of hands-on, in-the-field experience, he joined Rockwell Automation in 2015. He is currently employed as a senior consultant of industrial cybersecurity with the Network and Security Services Group. He recently became a digital nomad and now travels the world with his family while fighting cyber adversaries.

Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Table of Contents

Preface 1

Chapter 1: Security Posture 6
  The current threat landscape 6
  The credentials – authentication and authorization 10
  Apps 11
  Data 13
  Cybersecurity challenges 14
  Old techniques and broader results 14
  The shift in the threat landscape 15
  Enhancing your security posture 16
  The Red and Blue Team 18
  Assume breach 21
  References 22
  Summary 24

Chapter 2: Incident Response Process 25
  Incident response process 25
  Reasons to have an IR process in place 26
  Creating an incident response process 28
  Incident response team 31
  Incident life cycle 32
  Handling an incident 33
  Best practices to optimize incident handling 36
  Post-incident activity 36
  Real-world scenario 36
  Lessons learned 38
  Incident response in the cloud 39
  Updating your IR process to include cloud 40
  References 40
  Summary 41

Chapter 3: Understanding the Cybersecurity Kill Chain 42
  External reconnaissance 42
  Scanning 44
  NMap 44
  Metasploit 46
  John the Ripper 47
  THC Hydra 48
  Wireshark 49
  Aircrack-ng 50
  Nikto 52
  Kismet 53
  Cain and Abel 54
  Access and privilege escalation 55
  Vertical privilege escalation 55
  Horizontal privilege escalation 56
  Exfiltration 56
  Sustainment 57
  Assault 58
  Obfuscation 59
  Threat life cycle management 60
  References 63
  Summary 65

Chapter 4: Reconnaissance 66
  External reconnaissance 67
  Dumpster diving 67
  Social media 68
  Social engineering 69
  Pretexting 70
  Diversion theft 70
  Phishing 71
  Phone phishing (vishing) 72
  Spear phishing 73
  Water holing 74
  Baiting 74
  Quid pro quo 75
  Tailgating 75
  Internal reconnaissance 76
  Sniffing and scanning 76
  Prismdump 77
  tcpdump 78
  NMap 78
  Wireshark 80
  Scanrand 81
  Cain and Abel 82
  Nessus 82
  Metasploit 83
  Aircrack-ng 85
  Wardriving 86
  Conclusion of the reconnaissance chapter 86
  References 87
  Summary 89

Chapter 5: Compromising the System 90
  Analyzing current trends 91
  Extortion attacks 91
  Data manipulation attacks 92
  IoT device attacks 94
  Backdoors 94
  Mobile device attacks 95
  Hacking everyday devices 95
  Hacking the cloud 97
  Phishing 98
  Exploiting a vulnerability 101
  Zero-day 101
  Fuzzing 102
  Source code analysis 102
  Types of zero-day exploits 103
  Buffer overflows 104
  Structured exception handler overwrites 104
  Performing the steps to compromise a system 105
  Deploying payloads 105
  Installing and using a vulnerability scanner 105
  Using Metasploit 106
  Compromising operating systems 108
  Compromising systems using Kon-Boot or Hiren's BootCD 108
  Compromising systems using a Linux Live CD 110
  Compromising systems using preinstalled applications 111
  Compromising systems using Ophcrack 112
  Compromising a remote system 113
  Compromising web-based systems 114
  SQL injection 114
  Cross-site scripting 115
  Broken authentication 115
  DDoS attacks 116
  References 117
  Summary 119

Chapter 6: Chasing a User's Identity 120
  Identity is the new perimeter 120
  Strategies for compromising a user's identity 123
  Gaining access to the network 125
  Harvesting credentials 125
  Hacking a user's identity 127
  Brute force 128
  Social engineering 129
  Pass the hash 137
  Other methods to hack identity 139
  References 139
  Summary 140

Chapter 7: Lateral Movement 141
  Infiltration 142
  Network mapping 142
  Avoiding alerts 144
  Performing lateral movement 145
  Port scans 145
  Sysinternals 146
  File shares 149
  Remote Desktop 150
  PowerShell 151
  Windows Management Instrumentation 152
  Scheduled tasks 154
  Token stealing 154
  Pass-the-hash 155
  Active Directory 155
  Remote Registry 156
  Breached host analysis 157
  Central administrator consoles 157
  Email pillaging 158
  References 158
  Summary 159

Chapter 8: Privilege Escalation 160
  Infiltration 161
  Horizontal privilege escalation 161
  Vertical privilege escalation 162
  Avoiding alerts 162
  Performing privilege escalation 163
  Exploiting unpatched operating systems 164
