Posted on by

Beginners guide to IDS and IPS

Hello, aspiring ethical hackers. This blogpost is a beginner guide to IDS (Intrusion Detection System) and IPS (Intrusion Preventions System). IDS and IPS are two of the security technologies used for securing the network of any organization from hackers.

What is an IDS and what is an IPS?

Intrusion Detection system (IDS) is an appliance or software that detects any malicious activity on the network and reports it. Intrusion Prevention System (IPS) on the other hand acts just like Intrusion Detection System but, unlike it doesn’t just make a report but tries to prevent its occurrence. This malicious activity can be anything like modification of system or important files, suspicious network traffic and execution of some files etc. Both Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) are useful in enhancing the security of the network.

IDS and IPS 1

Based on the mode of operation, Intrusion Detection System and Intrusion Prevention System can be classified into two types. They are, 1) Host based (Software) 2) Network based (Hardware).

  1. Host based Intrusion Detection and Prevention Systems: They work by detecting or preventing threats on a single system.
  2. Network based Intrusion Detection and Prevention Systems: These are most probably a hardware appliance that detects or prevents threats on the entire network.

Types of IPS and IDS

IDS and IPS 2

Based on the techniques they use to identify and prevent threats, Intrusion Detection Systems and Intrusion Prevention Systems can be classified into two types. They are,

    1. Signature-based :

    This type of Intrusion Prevention Systems and Intrusion Detection Systems detect threats by comparing actions with predefined signatures. For example, If action of an executable matches with a pre-defined signature of an IDS or IPS, it is classified as a threat.

    2. Anomaly based:

    Anomaly based Intrusion Detection Systems and Intrusion Prevention Systems detect threats by observing the behavior of the assumed threat. If the IDS and IPS see any different behavior than that is considered to be normal, it classifies it as a threat. For example, if a program being installed is trying to alter system files, this can be considered as an anomaly.

    Posted on by

    POST exploitation guide for beginners

    Hello, aspiring ethical hackers. In this blogpost, you will learn about POST-exploitation. POST-exploitation comes after the phase of gaining access in ethical hacking.

    POST Exploitation 1 781x1024

    What is POST-exploitation?

    POST- exploitation refers to all the operations that are performed after gaining initial access on the target system. It is done to further gain control of the target system and network. POST -Exploitation consists of three phases mainly. They are,

    1. Privilege escalation.
    2. Maintaining access.
    3. Covering tracks.

    Let’s learn about each in detail.

    1. Privilege escalation:

    Privilege escalation is an act of gaining elevated access to resources that are normally restricted to an application or user. Privilege escalation is an act or process of gaining access to privileges of the other user account using any means or techniques. Normally privileges of user account with higher privileges are targeted by hackers. Learn more about privilege escalation.

    2. Maintaining access:

    Maintaining access is the fourth phase in the total5 phases of ethical hacking. In this phase, hackers try to hold on to the initial access or foothold they have gained on the network. For this, they use various techniques like elevating privileges, installing backdoors, running persistence scripts and tunneling.

    3. Covering Tracks:

    Covering tracks or clearing tracks is the phase of ethical hacking in which a hacker tries to erase all the evidence on the target system that can lead back to the hacker. For covering tracks, hackers perform various actions like clearing logs, time stamping files etc.

    Posted on by

    Linux hacking guide for beginners

    Hello, aspiring ethical hackers. In this blogpost, you will learn about Linux hacking. It comes under gaining access, third of the 5 phases of ethical hacking.

    What is Linux hacking?

    Although Linux hacking can be generalized as any type of hacking attempt made on Linux systems, gaining initial access to the Linux system can be termed as Linux Hacking.

    Why is it important?

    Linux hacking is one of the most important topics in ethical hacking. Why? According to the Statcounter global stats, as of March 2024 operating system market share, the topmost operating systems being used around the world are Linux or its variants. The same report also states that usage of Linux as desktop increased to 4.05% this year. Also note that majority of the servers around the world are Linux servers. So, learning Linux hacking can provide lot of knowledge. But what are the various methods used for hacking Linux systems.

    Linux hacking techniques

    There are multiple ways by which hackers can gain initial access on Linux systems. They are,

    1. Vulnerabilities in the operating system or kernel
    2. Application vulnerabilities.
    3. Payloads & malicious software.
    4. Password attacks.
    5. Misconfigured services.
    6. Social- engineering
    Linux Hacking 1 1

    1. Vulnerabilities in the operating system or kernel:

    An operating system or kernel is the core of any Linux system. Organizations around the world use various versions of Linux operating system for different purposes. So, any vulnerability exposed in the operating system can be exploited by hackers to gain initial access.

    For example, in 2014, a vulnerability named Heartbleed was detected in the OpenSSL package that comes inbuilt with Linux kernel. It was used to exploit HTTPS enabled websites of Yahoo, Google, Dropbox, Facebook and other thousands of websites.

    2. Application vulnerabilities:

    A lot of applications or programs are installed on Linux for performing various functions. Any vulnerabilities in these installed programs can be exploited successfully to hack the Linux system. For example, hackers exploited Apache ActiveMQ software to deploy Kinsing malware on the infected systems in November 2023, Apache ActiveMQ is used as a communication bridge between multiple components that can be hosted on separate servers.

    3. Malicious payloads:

    Hackers just don’t use vulnerabilities to gain access. They also use malicious payloads like malware and virus to hack Linux systems. Since 2023, malware especially ransomware designed for Linux systems in or the rise. This malware is usually delivered by exploiting vulnerabilities, phishing attack or drive-by downloads. Examples of some payload generators are msfvenom, Veil, MSFPC, Cypher etc.

    4. Password attacks:

    As already mentioned, most of the servers in the world are built on Linux as it is open source. These include services like FTP, HTTP, SSH etc. If credentials of any of these services are cracked by hackers, it will provide a way to gain access to the underlying Linux server. Learn more about password cracking.

    5. Misconfigured services:

    Sometimes, services being used in the target Linux systems can be misconfigured either by mistake or by ignorance. Hackers can exploit these misconfigurations to hack the Linux system. For example, in March 2023, an advanced malware campaign exploited misconfigurations in Apache Hadoop, YARN, Docker, Confluence and Redis on Linux instances.

    7. Social-engineering:

    No matter how strong the firewall on the network is or how secure the Linux devices are in a network, if the employees of the organization are not well trained, they can eventually give hackers access into the network or Linux devices. Social-engineering is often very underrated as a factor that allows hackers to hack Linux systems. Learn more about social engineering.

    Posted on by

    Windows hacking guide for beginners

    Hello, aspiring ethical hackers. This article is a beginners guide for Windows hacking. It comes under gaining access, third of the 5 phases of ethical hacking.

    What is Windows hacking?

    Although Windows hacking can be generalized to any hacking performed on the Windows operating system, gaining initial access to the Windows systems is known as Windows hacking.

    Why is it important?

    According to StatCounter Global Stats, over 72.52% of people worldwide use Windows as their Desktop. That is the reason why Windows hacking is one of the most important topics of ethical hacking.

    Windows hacking techniques

    There are multiple ways by which hackers can gain initial access on Windows systems. They are,

    1. Vulnerabilities in the operating system or kernel
    2. Application vulnerabilities.
    3. Payloads & malicious software.
    4. Password attacks.
    5. Misconfigured services.
    6. Social- engineering
    Windows Hacking 1 1

    1. Vulnerabilities in the operating system or kernel:

    An operating system or kernel is the core of any Windows system. Enterprises around the world use Windows operating system for various purposes. As already mentioned, according to StatCounter Global Stats, over 72.52% of people worldwide use Windows as their Desktop. So, any vulnerability exposed in the operating system can be exploited by hackers to gain initial access.

    For example, in 2008, ms08-067 vulnerability was exploited by Conficker worm to infect millions of devices around the world. Similarly, another vulnerability in Windows software, Eternal Blue (ms17-010) was exploited by NSA for intelligence gathering and counter terrorism missions. When this vulnerability got leaked, it was exploited by the WannaCry ransomware attack that infected 2,30,000 Windows PCs across 150 countries.

    2. Application vulnerabilities:

    A lot of applications or programs are installed in Windows operating system to perform various functions. Any vulnerabilities in these installed programs can be exploited successfully to hack the Windows system. For example, macros feature in Microsoft office has been exploited for a long time by hacker groups around the world to gain initial access until this was banned officially by Microsoft. Macros is a feature in Microsoft office to automate procedures.

    In 2022, Chinese hacker group Cicada, exploited VLC Media Player, a popular and open source multimedia player to hack Windows systems and installed malware for espionage purpose. They did this by embedding a malicious file alongside the VLC Media Player’s export functions.

    3. Malicious payloads:

    Hackers just don’t use vulnerabilities to gain access. They also use malicious payloads like malware and virus to hack Windows systems. These payloads can be spread by using dive-by downloads or phishing. For example, Zeus trojan that specializes stealing banking information is spread through same techniques mentioned above. Examples of some payload generators are msfvenom, Veil, MSFPC, Cypher etc.

    4. Password attacks:

    Some Enterprise Windows systems are enabled with remote access so that employees can connect to them remotely for the purpose of their work. The protocols enabling remote access like SSH, FTP, Telnet and RDP etc. Cracking the credentials of these services give hackers a way to gain access to the servers and subsequently to the Windows system. Learn more about password cracking.

    As recently as November 2023, a Russian Hacker group (Midnight Blizzard) used password spraying attack, a type of password attack to compromise some corporate accounts of Microsoft users.

    5. Misconfigured services:

    Sometimes, services being used in the target Windows network can be misconfigured either by mistake or on purpose. Hackers can exploit these misconfigurations to hack the Windows system. In October 2022, Microsoft company exposed one endpoint to public internet without authentication. This led to data leak of 65,000 customers in 111 countries. The total size of the stolen data was 2.4 terabytes.

    7. The human factor:

    No matter how strong the firewall on the network is or how secure the Windows devices are in a network, if the employees of the organization are not well trained, they can eventually give hackers access into the network or Windows devices. Social-engineering is often very underrated as a factor that allows hackers to hack Windows systems. Learn more about social engineering.

    Posted on by

    Covering tracks in ethical hacking

    Hello, aspiring ethical hackers. In this blogpost, you will learn about covering tracks which is the last of the 5 phases of ethical hacking.

    What is Covering tracks?

    Covering tracks or clearing tracks is the phase of ethical hacking in which a hacker tries to erase all the evidence on the target system that can lead back to the hacker. For covering tracks, hackers perform various actions. They are,

    1. Uninstalling executables and scripts:

    Hackers install many scripts and executables on the target system as part of their hacking attack. These scripts may help hackers cracking passwords, privilege escalation, maintaining access etc. Detection of these scripts and executables on the target system can lead the investigators to the hacker. So, hackers uninstall or delete any scripts or executables they have used in carrying the hacking attack.

    2. Clearing logs:

    Every operating system has its own logs that record different operational activities being performed on the operating system. They also record any actions performed by hackers. When an incident investigator observes these logs, he can easily deduce what the hacker did on the target system. To prevent this, hackers clear these logs to hide whatever they did on the target system.

    Covering Tracks 2 1
    Fig: Event Viewer in Windows where all logs can be viewed
    Covering Tracks 3 1
    Fig: In Linux all logs are stored in the “/var/log/” directory

    3. Timestamping files:

    Every file on the operating system has a time stamp which reveals information about the file like the date of its creation, last modified time etc. Hackers change this timestamp of the files appropriately to prevent detection of the modifications they made to files inadvertently while hacking.

    Covering Tracks 4 1
    Fig: Timestamp of a file in Windows
    Covering Tracks 5
    Fig: Timestamp of a file in Linux

    4. Modifying registry values:

    The Windows Registry in the Windows operating system is a hierarchical database that contains information, settings, options, and other values for programs and hardware installed on the Windows operating system. Changes made to some program can also be detected by viewing this registry. So, hackers also modify these registry values to hide their malicious activity.

    Covering Tracks 6
    Fig: Windows Registry