Chapter-ending Exam Preparation Tasks help you drill on key concepts you must know thoroughly. Review questions help you assess your knowledge, and a final preparation chapter guides you through tools and resources to help you craft your final study plan. This EC-Council authorized study guide helps you master all the topics on the CEH v8 exam, including: ethical hacking basics; technical foundations of hacking; footprinting and scanning; enumeration and system hacking; Linux and automated assessment tools; Trojans and backdoors; sniffers, session hijacking, and denial of service; web server hacking, web applications, and database attacks; wireless technologies, mobile security, and mobile attacks; IDS, firewalls, and honeypots; buffer overflows, viruses, and worms; cryptographic attacks and defenses; physical security and social engineering.
Chapters are organized by exam objective, with a handy section that maps each objective to its corresponding chapter, so you can keep track of your progress. The text provides thorough coverage of all topics, along with challenging chapter review questions and Exam Essentials, a key feature that identifies critical study areas.
Subjects include intrusion detection, DDoS attacks, buffer overflows, virus creation, and more. This eBook does not include the practice exam that comes with the print edition. This comprehensive, in-depth review of CEH certification requirements is designed to help you internalize critical information using concise, to-the-point explanations and an easy-to-follow approach to the material.
Covering all sections of the exam, the discussion highlights essential topics like intrusion detection, DDoS attacks, buffer overflows, and malware creation in detail, and puts the concepts into the context of real-world scenarios. Each chapter is mapped to the corresponding exam objective for easy reference, and the Exam Essentials feature helps you identify areas in need of further study.
Currently, he is serving as a senior security engineer in a well-known organization located in Australia. He has worked for several large organizations and has held various roles as a senior instructor, network engineer, programmer, and consultant. To master hacking technologies, you will need to become a hacker, but an ethical one! This certification serves as a means of educating and training professionals to understand and identify vulnerabilities and weaknesses within a system. Therefore, as an Ethical Hacker, your task will be to try to penetrate the computer systems and network of a company using the tools that a malicious hacker would.
The main difference between you and a malicious hacker is that your hacking is legal: you have written permission from the company to do so. Designed as an exam-focused self-study aid and resource, CEH Certified Ethical Hacker Practice Exams offers practice test items from each domain of the latest CEH exam, and provides knowledge and scenario-based questions plus one case study-based Lab Question per chapter.
In-depth answer explanations for both the correct and incorrect answers are included. The book contains more than practice exam questions (in print and in the electronic content) that match the actual exam questions in content and feel.
The CEH program certifies individuals in the specific network security discipline of ethical hacking from a vendor-neutral perspective. A Certified Ethical Hacker is a skilled IT professional responsible for testing the weaknesses and vulnerabilities in target systems, using the same knowledge and tools as a malicious hacker.
Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an Ethical Hacker and an organization, it is legal. The topology tool also offers additional features such as editing nodes manually, exporting the diagram to Visio, multi-level network discovery, etc.
Select all devices, or only the required ones, to add to the topology. Figure Discovered Devices List. Figure Topology view of the scanned network. Now you can add nodes manually, export the diagram to Visio and use the other features of the tool.
Proxy systems play an important role in networks. In attacks, proxies are used by scanners to hide the attacker's identity so that traffic cannot be traced back from the target to its true source. When a user sends a request for a resource to a publicly available server, the proxy server acts as an intermediary for that request: the user's request is forwarded to the proxy server first, and the proxy forwards it to the destination on the user's behalf. The most popular use of proxy servers is web proxies.
These web proxy servers are used to provide access to the World Wide Web by bypassing IP address blocking. Other uses include remote access to an intranet.
Redirecting all requests through the proxy server hides the client's identity, and proxy chaining is used to avoid detection. In proxy chaining, traffic passes through several proxy servers in sequence: each proxy forwards the traffic to the next one, so the target only sees the address of the last proxy in the chain. Keep in mind that the anonymity depends on the proxies themselves: every operator in the chain can see and log the traffic, and a single proxy that keeps logs is enough to trace the connection back. This technique leverages existing proxies; it is not recommended for production environments or as a long-term solution. Figure Proxy Chaining. Proxy Tools: a number of proxy tools are available, or you can search online for a proxy server and configure it manually in your web browser.
These tools include:
1. Proxy Switcher
2. Proxy Workbench
3. TOR
4.
You can enable any proxy server to hide your IP address. The following figure shows the search for proxy servers using the Proxy Switcher tool.
Tails is an operating system that is specially designed to help you use the internet anonymously, leaving no trace behind. Tails preserves privacy and anonymity.
IP Spoofing: an attacker illicitly impersonates another machine by sending manipulated IP packets with a forged (spoofed) source IP address.
The spoofing process involves modifying the IP header with the spoofed source address and recomputing the header checksum and, when injecting into an existing stream, the sequence/order values. Packet-switched networking can cause packets to arrive at the destination in a different order from the one in which they were sent. When these out-of-order packets are received at the destination, they are reassembled to extract the message.
Detecting spoofed packets: with direct TTL probes, a probe packet is sent to the host that the suspect packets claim to come from, and the TTL of the reply is compared with the TTL of the suspect packets. If the hop counts they imply differ, the traffic is probably spoofed. TTL values can vary somewhat even in normal traffic, and this technique only identifies spoofing when the attacker is on a different subnet (a different path) from the claimed source. With IP identification (IPID) probes, the IP ID field of the probe reply is compared with that of the suspect packet: hosts that assign IP IDs sequentially produce IDs close to each other, so if the IPID values are not close, the suspect traffic is spoofed. This technique also works when the attacker is within the same subnet as the claimed source. One caveat: hosts that randomize IP IDs, as modern operating systems often do, defeat the IPID check.
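The two probe checks described above, written out as detection logic over captured packet metadata. This is an added example, not code from the original text; the packet records are constructed, and the initial-TTL guesses (32/64/128/255) are the usual operating-system defaults, an assumption rather than a certainty for any given host.

```python
"""Heuristics for spotting spoofed source addresses from TTL and IP ID probes.

Added example (not from the original text). It works on packet metadata you
have already captured; the "probe reply" values would normally come from a
ping/TCP probe sent to the address the suspect packet claims to come from.
"""

# Initial TTLs used by common operating systems (Windows 128, Linux/macOS 64,
# some network gear 255, very old systems 32). Assumption: the sender used one of these.
INITIAL_TTLS = (32, 64, 128, 255)


def initial_ttl(observed_ttl):
    """Guess the TTL the sender started with: the smallest common value >= observed."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255


def hop_count(observed_ttl):
    """Hops the packet travelled, assuming the guessed initial TTL."""
    return initial_ttl(observed_ttl) - observed_ttl


def ttl_probe(suspect_ttl, reply_ttl, tolerance=1):
    """Direct TTL probe.

    Compares the hop count implied by the suspect packet with the hop count of
    a reply from the claimed source. Returns True when the two disagree by more
    than `tolerance` hops, i.e. the packet probably did not come from that host.
    Only detects an attacker on a different path/subnet than the real host.
    """
    return abs(hop_count(suspect_ttl) - hop_count(reply_ttl)) > tolerance


def ipid_probe(suspect_ipid, reply_ipid, window=64):
    """IP identification probe.

    Hosts that assign IP IDs sequentially answer a probe with an ID a little
    higher than the IDs of packets they sent moments ago (modulo 65536). If the
    reply's ID is not within `window` of the suspect packet's ID, the suspect
    packet was most likely generated elsewhere. Works even on the same subnet.
    Caveat: stacks that randomise IP IDs make this test meaningless.
    """
    delta = (reply_ipid - suspect_ipid) % 65536
    return delta > window


def assess(suspect, reply):
    """Combine both probes for one suspect packet and the probe reply it triggered."""
    by_ttl = ttl_probe(suspect["ttl"], reply["ttl"])
    by_ipid = ipid_probe(suspect["ipid"], reply["ipid"])
    return {
        "claimed_src": suspect["src"],
        "suspect_hops": hop_count(suspect["ttl"]),
        "reply_hops": hop_count(reply["ttl"]),
        "ttl_mismatch": by_ttl,
        "ipid_mismatch": by_ipid,
        "spoofed": by_ttl or by_ipid,
    }


# Constructed sample data: a packet claiming to be from 10.1.1.5 with TTL 52 and
# IP ID 1200, and two possible replies to our probe of 10.1.1.5.
SUSPECT = {"src": "10.1.1.5", "ttl": 52, "ipid": 1200}
GENUINE_REPLY = {"ttl": 52, "ipid": 1207}    # same path, sequential ID: consistent
FOREIGN_REPLY = {"ttl": 120, "ipid": 49000}  # Windows host 8 hops away, unrelated ID

if __name__ == "__main__":
    print(assess(SUSPECT, GENUINE_REPLY))
    print(assess(SUSPECT, FOREIGN_REPLY))
```

Run it against your own captures by replacing the constructed records; when the genuine host answers, both checks stay quiet, and when the reply comes from a different stack or path, the TTL check fires even though the attacker's IP ID happened to be irrelevant.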
We have also discussed several tools that can be helpful in collecting general information regarding the target. Now we move on to observe the target more closely in order to gain detailed information. This information is sensitive: network information, network resources, routing paths, SNMP, DNS and other protocol-related information, user and group information, etc. It is this sensitive information that is used to gain access to a system.
This information is gathered actively, using different tools and techniques. With an active connection, direct queries are sent to the target to gain more information. This information helps to identify the system's attack points. Once an attacker discovers the attack points, the collected information can be used to gain unauthorized access and reach the organization's assets.
Using the tools of the enumeration phase may cross legal boundaries, and the active connections to the target make it likely that the activity is logged and traced back. You must have proper (written) permission before performing these actions.
An email address contains a username and a domain name, so a list of email addresses gathered during footprinting often doubles as a list of candidate usernames. Enumeration using Default Passwords: another way of enumeration is using default passwords. Every device and piece of software ships with default credentials and settings.
These default settings and configurations should be changed before deployment. It is very easy for an attacker to gain unauthorized access using default credentials, and finding the default settings, configuration and password of a device is not hard: vendor documentation and public default-password lists are readily available. For SNMP, the attacker uses the default community strings, or guesses the string, to extract information about a device.
The SNMP protocol was developed to allow administrators to manage devices such as servers, routers, switches and workstations on an IP network. It allows network administrators to monitor network performance, find, troubleshoot and solve network problems, and design and plan for network growth. SNMP is an application layer protocol.
It provides communication between managers and agents. Access to the managed resources is restricted to the defined users and computers (in SNMPv1/v2c this restriction rests only on the community string, which is sent in clear text). Active Directory (AD) is a big target and a rich source of sensitive information for an attacker: brute-force attacks, or queries to the LDAP service, are used to gather information such as usernames, addresses, credentials, privilege information, etc. A DNS zone transfer is the process used to replicate zone data between DNS servers; the zone file carries valuable information about the hosts in a domain, and an attacker will try to retrieve it.
We will enumerate services, ports and operating system information using the nmap utility on Kali Linux. NetBIOS names are 16 bytes long: the first 15 characters identify the device (padded with spaces), and the 16th byte, the suffix, identifies the service, for example 0x00 for the Workstation service, 0x20 for the File Server service and 0x1C for domain controllers. The nbtstat utility displays NetBIOS over TCP/IP information such as NetBIOS name tables, the name cache, and other details.
The command using the nbtstat utility is shown below:
nbtstat
SuperScan enumeration: enter the hostname or IP address of the target Windows machine. Select the enumeration type from the left section. After configuring, click Enumerate to start the enumeration process.
Figure SuperScan Enumeration tool. After starting the enumeration, it will gather information about the target machine, such as MAC address information, operating system information and other information, depending upon the type of enumeration selected before initiating the process.
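To make the 15-character name plus 16th-byte suffix concrete, here is the on-the-wire NetBIOS name encoding that nbtstat-style queries use, as an added example (not code from the original text or from any of the tools it names). The suffix table lists the well-known Microsoft suffix values; the sample names are constructed.

```python
"""NetBIOS name encoding/decoding, as used by nbtstat-style name queries.

Added example (not from the original text). A NetBIOS name is 16 bytes: 15
bytes of name padded with spaces, plus a suffix byte identifying the service.
On the wire each byte is split into two nibbles and each nibble is written as
a letter 'A'..'P' (first-level encoding), giving a 32-character label.
"""

# Well-known suffix bytes (Microsoft NetBIOS suffix list).
SUFFIXES = {
    0x00: "Workstation Service",
    0x03: "Messenger Service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers",
    0x1D: "Master Browser",
    0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}


def encode_name(name, suffix, pad=b" "):
    """Return the 32-character first-level encoding of `name` + `suffix`."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = raw.ljust(15, pad) + bytes([suffix])
    out = []
    for b in raw:
        out.append(chr(0x41 + (b >> 4)))    # high nibble -> 'A'..'P'
        out.append(chr(0x41 + (b & 0x0F)))  # low nibble  -> 'A'..'P'
    return "".join(out)


def decode_name(encoded):
    """Reverse encode_name: returns (name, suffix, service description)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 characters")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = ord(encoded[i]) - 0x41, ord(encoded[i + 1]) - 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("invalid first-level encoding")
        raw.append((hi << 4) | lo)
    name = raw[:15].rstrip(b" \x00").decode("ascii")
    suffix = raw[15]
    return name, suffix, SUFFIXES.get(suffix, "unknown (0x%02X)" % suffix)


def wildcard_name():
    """The '*' name used by node-status (NBSTAT) queries, i.e. what nbtstat -A sends."""
    return encode_name("*", 0x00, pad=b"\x00")


if __name__ == "__main__":
    enc = encode_name("FILESRV", 0x20)   # constructed sample host
    print(enc, decode_name(enc))
    print(wildcard_name())
```

The decoder is handy when reading raw NBNS packets in a capture: a 32-letter label such as CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA is the wildcard query, and a label ending in a suffix of 0x1C tells you the host advertises itself as a domain controller.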
Nsauditor Network Security Auditor: Nsauditor's network monitoring provides some insight into the services running locally, with options to dig down into each connection and analyze the remote system, terminate connections and view data. In this lab, we are using Windows Server to perform scanning with SoftPerfect Network Scanner to scan for shared resources in a network.
Right-click a host and go to Properties. This host has folders shared with different users. Figure Exploring Results. Now select another host and go to Properties.
SNMP requires a community string to authenticate the management station. By using the default community string, or by guessing it, an attacker gains unauthorized access and extracts information such as hosts, devices, shares, network information and much more.
SNMP Read-Only community string: used in requests for information from a device. SNMP Read-Write community string: used in requests for information from a device and to modify settings on that device. The management station collects information regarding different aspects of the network devices. The second requirement is configuration and software support for SNMP on the networking devices themselves. Technically, three components are involved in deploying SNMP in a network:
SNMP Manager: a software application running on the management station that displays the information collected from networking devices in a readable, presentable form.
SNMP Agent: the software running on the networking nodes whose components need to be monitored.
Management Information Base: MIB stands for Management Information Base and is a collection of information organized hierarchically in a virtual database. It is accessed using a protocol such as SNMP. MIB objects are either scalar (a single object instance) or tabular (multiple related object instances). MIBs are collections of definitions which define the properties of the managed objects within the device to be managed.
MIB Example: the typical objects to monitor on a printer are the different cartridge states and maybe the number of printed files, while on a switch the typical objects of interest are the incoming and outgoing traffic as well as the rate of packet loss or the number of packets addressed to a broadcast address. SNMP versions: in SNMPv1 (and v2c) a plain-text community string is used for authentication, with no support for encryption or hashing. SNMPv3 has three security levels: noAuthNoPriv means that neither authentication hashing nor encryption is used; authNoPriv adds message authentication (hashing); authPriv adds both authentication and encryption.
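The following is an added example (not code from the original text): a small SNMPv1 encoder and decoder, built from scratch with BER, that shows what a manager actually sends for a GET of sysDescr.0 and makes the security point of this section visible: the community string sits in clear text inside the datagram. The response it parses is constructed locally; the only network-touching function, send_get(), is not invoked.

```python
"""Minimal SNMPv1 GetRequest/GetResponse encoder and decoder (ASN.1 BER).

Added example (not from the original text). It shows exactly what a manager
sends for a GET of sysDescr.0 and why the community string is no secret: it
travels in clear text in the UDP datagram. The response parsed below is built
locally; send_get() is the only function that touches the network.
"""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, the usual first OID to query

def ber_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload

def ber_int(value):
    """Non-negative INTEGER, minimal two's-complement encoding."""
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def ber_oid(oid):
    parts = [int(p) for p in oid.strip(".").split(".")]
    out = [parts[0] * 40 + parts[1]]        # first two arcs share one byte
    for p in parts[2:]:
        chunk = [p & 0x7F]                   # base-128, high bit set on all but the last byte
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def build_message(pdu_tag, community, oid, value, request_id):
    varbind = tlv(0x30, ber_oid(oid) + value)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)  # version 0 = SNMPv1

def build_get_request(community, oid, request_id=1):
    return build_message(0xA0, community, oid, tlv(0x05, b""), request_id)  # NULL placeholder

def build_get_response(community, oid, octets, request_id=1):
    """What an agent answers; used here to construct a packet to parse."""
    return build_message(0xA2, community, oid, tlv(0x04, octets), request_id)

def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_sequence(payload):
    items, pos = [], 0
    while pos < len(payload):
        tag, val, pos = parse_tlv(payload, pos)
        items.append((tag, val))
    return items

def parse_get_response(packet):
    tag, msg, _ = parse_tlv(packet)
    assert tag == 0x30, "not an SNMP message"
    (_, version), (_, community), (pdu_tag, pdu) = parse_sequence(msg)
    assert pdu_tag == 0xA2, "not a GetResponse"
    (_, req_id), (_, err_status), _, (_, varbinds) = parse_sequence(pdu)
    results = {}
    for _, vb in parse_sequence(varbinds):
        (_, oid_body), (_, value) = parse_sequence(vb)
        results[decode_oid(oid_body)] = value
    return {"version": int.from_bytes(version, "big"), "community": community.decode(),
            "request_id": int.from_bytes(req_id, "big"),
            "error_status": int.from_bytes(err_status, "big"), "varbinds": results}

def send_get(host, community="public", oid=SYS_DESCR, timeout=2.0):
    """Send one GetRequest to UDP/161 and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid), (host, 161))
        data, _ = s.recvfrom(4096)
    return parse_get_response(data)
```

Printing build_get_request("public", SYS_DESCR).hex() gives the 40-byte datagram; the bytes 04 06 70 75 62 6c 69 63 in it are the OCTET STRING "public", which is all the "authentication" SNMPv1 has, and exactly what a sniffer on the path (or a guessing tool) needs.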
It helps network engineers to manage their devices and IP address space with ease. It performs network monitoring, detection of rogue device intrusions, bandwidth usage monitoring and more. LDAP (Lightweight Directory Access Protocol) is used for accessing and maintaining distributed directory information services in a hierarchical, logical structure.
A directory service plays an important role by allowing the sharing of information about users, systems, networks, services, etc. LDAP provides a central place to store usernames and passwords (more precisely, password hashes and other credentials). NTP is an important protocol, as directory services, network devices and hosts rely on correct clock settings for login purposes (Kerberos, for example, rejects tickets when the clocks differ by more than the allowed skew) and for logging, to keep an accurate record of events.
NTP helps in correlating events by the time at which system logs are received by syslog servers. The NTP stratum is somewhat like a TTL, except that it increases rather than decreases at each level: stratum 1 servers are directly attached to a reference clock, and each server synchronized to a stratum-n server becomes stratum n+1. For example, if we see stratum 10 on a local router, it means that the router is nine synchronization hops away from a stratum-1 server. Securing NTP is also important, as an attacker may change the time in the first place to mislead the forensic teams who investigate and correlate the events to find the root cause of an attack.
NTP Enumeration: another important aspect of collecting information is the time at which a specific event occurs. NTPv3 added support for authenticating the NTP server before a client accepts its time as authentic, and this authentication can be used to mitigate time-manipulation attacks. ntptrace follows the chain of NTP servers from a given server back to the primary time source. Figure ntptrace commands. ntpq is a command line utility that is used to query an NTP server. It uses the standard NTP mode 6 control message format.
ntpq options: -c command: the argument is interpreted as an interactive command and added to the list of commands to be executed on the specified host; multiple -c options may be given. -i: force interactive mode; prompts will be written to the standard output and commands read from the standard input. -p: print a list of the peers known to the server as well as a summary of their state; this is equivalent to the peers interactive command.
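The stratum, reference ID and timestamps that ntpq and ntptrace report all come from the 48-byte NTP header. As an added example (not code from the original text or from the ntp tools), here is a client request builder and a response parser; SAMPLE_REPLY is a constructed server answer, and query() is the only function that uses the network and is not called.

```python
"""NTP client request builder and response parser (mode 3 / mode 4 packets).

Added example (not from the original text): the fields ntpq and ntptrace
report (stratum, reference ID, timestamps) come from this 48-byte header.
SAMPLE_REPLY is a constructed server response; query() is the only function
that uses the network and is not called here.
"""
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)
# 48 bytes: flags, stratum, poll, precision, root delay, root dispersion, refid, 4 timestamps
HEADER = "!BBBbII4sIIIIIIII"


def build_client_request(version=4):
    """LI=0, VN=version, mode=3 (client); everything else zero."""
    first = (0 << 6) | (version << 3) | 3
    return struct.pack(HEADER, first, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, 0, 0, 0, 0, 0)


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32.32 fixed point) to Unix seconds."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def parse_response(data):
    if len(data) < 48:
        raise ValueError("NTP packet too short")
    (first, stratum, poll, precision, root_delay, root_disp, refid,
     ref_s, ref_f, orig_s, orig_f, recv_s, recv_f, xmit_s, xmit_f) = struct.unpack(HEADER, data[:48])
    # Reference ID meaning depends on stratum: 4 ASCII chars for stratum 1, upstream IPv4 otherwise.
    if stratum == 1:
        refid_text = refid.rstrip(b"\0").decode("ascii", "replace")
    else:
        refid_text = ".".join(str(b) for b in refid)
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": stratum,
        "hops_from_stratum1": max(stratum - 1, 0),
        "poll_interval_s": 2 ** poll,
        "precision_s": 2.0 ** precision,
        "root_delay_s": root_delay / 2**16,       # 16.16 fixed point
        "root_dispersion_s": root_disp / 2**16,
        "refid": refid_text,
        "receive_unix": ntp_to_unix(recv_s, recv_f),
        "transmit_unix": ntp_to_unix(xmit_s, xmit_f),
    }


# Constructed reply: stratum 2 server, version 4, mode 4 (server), synced to 10.0.0.1.
SAMPLE_REPLY = struct.pack(
    HEADER, (0 << 6) | (4 << 3) | 4, 2, 6, -20, 0x00000800, 0x00000400, b"\x0a\x00\x00\x01",
    3900000000, 0, 3900000000, 0, 3900000000, 0x40000000, 3900000000, 0x80000000)


def query(host, timeout=2.0):
    """Send one client request to UDP/123 and parse the answer (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_client_request(), (host, 123))
        data, _ = s.recvfrom(512)
    return parse_response(data)


if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY))
```

The refid field is what lets you walk the chain the way ntptrace does: for a stratum-2 or higher server it names the upstream server, so querying that address in turn leads you one stratum closer to the reference clock. Note the server reply carries no authentication at all unless NTP keys are configured, which is why the page stresses securing NTP.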
SMTP Enumeration: by connecting to the SMTP server via telnet (port 25) and comparing its responses for valid and invalid users to the VRFY, EXPN and RCPT TO commands, valid users can be determined. Commonly used SMTP commands: HELO/EHLO to identify the client; MAIL FROM to set the sender; RCPT TO to specify a recipient; VRFY to verify an address; EXPN to expand a mailing list; DATA to send the message body; HELP to show help; QUIT to terminate the session. Using port scanning techniques, you can find out whether the SMTP port is open.
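The exchange described above, as an added example that is not part of the original text: the client sends VRFY for each candidate name and classifies the reply code, falling back to MAIL FROM / RCPT TO when the server refuses to verify (the 252 reply many mail servers give). FakeSMTPServer is a constructed stand-in for the telnet session so the exchange runs offline; the reply texts imitate common MTA wording but are assumptions, and against a real server you would send the same lines over a TCP socket to port 25.

```python
"""SMTP user enumeration exchange: VRFY first, RCPT TO as fallback.

Added example (not from the original text). FakeSMTPServer is a constructed
stand-in for the telnet session so the exchange can be run offline; against a
real server you would send the same lines over a TCP socket to port 25.
"""
import re


class FakeSMTPServer:
    """Constructed server: knows a set of local users; may have VRFY disabled."""

    def __init__(self, users, vrfy_enabled=True, domain="example.com"):
        self.users, self.vrfy_enabled, self.domain = set(users), vrfy_enabled, domain
        self.transcript = [f"S: 220 mail.{domain} ESMTP"]

    def request(self, line):
        self.transcript.append("C: " + line)
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "VRFY":
            if not self.vrfy_enabled:
                reply = "252 2.5.2 Cannot VRFY user; try RCPT to attempt delivery"
            elif arg in self.users:
                reply = f"250 2.1.5 {arg} <{arg}@{self.domain}>"
            else:
                reply = f"550 5.1.1 {arg}... User unknown"
        elif verb == "RCPT":
            m = re.search(r"<([^@>]+)@", arg)
            ok = bool(m) and m.group(1) in self.users
            reply = "250 2.1.5 Ok" if ok else "550 5.1.1 Recipient address rejected: User unknown"
        elif verb in ("HELO", "EHLO", "MAIL", "RSET"):
            reply = "250 Ok"
        elif verb == "QUIT":
            reply = "221 Bye"
        else:
            reply = "502 5.5.2 Command not implemented"
        self.transcript.append("S: " + reply)
        return reply


def classify(reply):
    """Map an SMTP reply code to what it tells us about the user."""
    code = int(reply[:3])
    if code in (250, 251):
        return "valid"
    if code == 252:          # server refuses to confirm either way
        return "unverifiable"
    if code in (550, 551, 553):
        return "invalid"
    if code in (500, 502):   # command disabled or unknown
        return "disabled"
    return "unknown"


def enumerate_users(server, candidates, sender="probe@example.net"):
    """Try VRFY for each candidate; if the server will not verify, fall back to RCPT TO."""
    server.request("HELO probe.example.net")
    results, use_rcpt = {}, False
    for user in candidates:
        if not use_rcpt:
            verdict = classify(server.request(f"VRFY {user}"))
            if verdict in ("unverifiable", "disabled"):
                use_rcpt = True                      # switch strategy for this and later users
                server.request(f"MAIL FROM:<{sender}>")
            else:
                results[user] = verdict
        if use_rcpt:
            results[user] = classify(server.request(f"RCPT TO:<{user}@{server.domain}>"))
    server.request("QUIT")
    return results


if __name__ == "__main__":
    srv = FakeSMTPServer(["root", "alice"], vrfy_enabled=False)   # constructed target
    print(enumerate_users(srv, ["root", "alice", "bob"]))
    print("\n".join(srv.transcript))
```

The transcript shows both sides of the conversation and is what you would see in a telnet session. The defensive lesson is the mirror image: disabling VRFY/EXPN alone is not enough, because a server that rejects unknown recipients at RCPT TO time still leaks the same information, so the distinguishing reply (or its timing) has to go as well, or the attempts have to be rate-limited.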
The DNS zone transfer process provides support for resolving queries, since after a transfer more than one DNS server can respond to queries for the zone.
Consider a scenario in which both primary and secondary DNS servers are responding to the queries; the secondary obtains its copy of the zone from the primary through a zone transfer (AXFR), and an attacker will try to request the same transfer from an unauthorized host. DNS zone transfer using the nslookup command: 1. Figure nslookup command. 2. Request all records for the zone; if zone transfers are allowed to your host, the server will return every record in the zone, and if not it will show that the request failed. Figure nslookup command. 7. Zone transfers should be restricted to the addresses of the secondary servers (on a Windows DNS server in the zone's Zone Transfers tab, on BIND with the allow-transfer option) so that an anonymous client only gets the failure message. In the hacking cycle, vulnerability analysis is a major and important part. In this chapter, we will discuss the concept of vulnerability assessment, the phases of a vulnerability assessment, the types of assessment, tools and other important aspects.
Vulnerability assessment includes discovering weaknesses in an environment, design flaws and other security concerns which can cause an operating system, application or website to be misused. These vulnerabilities include misconfigurations, default configurations, buffer overflows, operating system flaws, open services, and others. There are different tools available for network administrators and pentesters to scan for vulnerabilities in a network.
Discovered vulnerabilities are classified into three categories based on their severity level. Vulnerability Assessment: vulnerability assessment can be defined as the process of examination, discovery, and identification of the security measures and weaknesses of systems and applications.
Systems and applications are examined for security measures to identify how effectively the deployed security layers withstand attacks and misuse. Types of Vulnerability Assessments. Active Assessments: an active assessment is a vulnerability assessment that involves actively sending requests to the live network and examining the responses.
In short, it is an assessment that requires probing the target host. Passive Assessments: a passive assessment is a vulnerability assessment that usually relies on packet sniffing to discover vulnerabilities, running services, open ports and other information.
In other words, it is an assessment that does not interact with the target host. External Assessment: another category of vulnerability assessment is the external assessment. It is an assessment from the attacker's perspective, aiming to find vulnerabilities that can be exploited from outside the organization's network.
Internal Assessment: an internal assessment includes discovering vulnerabilities by scanning the internal network and infrastructure. Figure Types of Vulnerability Assessment. Vulnerability Assessment Life-Cycle: the vulnerability assessment life cycle includes the following phases. Creating Baseline: creating a baseline is the pre-assessment phase of the vulnerability assessment life cycle, in which the pentester or network administrator performing the assessment identifies the nature of the corporate network, its applications and services.
They create an inventory of all resources and assets, which helps to manage and prioritize the assessment. In the end, the baseline helps to plan the process effectively, schedule the tasks, and manage them according to priority. Vulnerability Assessment: the vulnerability assessment phase is focused on the assessment of the target.
The assessment process includes examination and inspection of security measures such as physical security as well as security policies and controls. Once scanning is complete, the findings are ranked in order of priority. At the end of this phase, the vulnerability assessment report shows all detected vulnerabilities, their scope, and their priorities.
Figure Vulnerability Assessment Lifecycle. Risk Assessment: risk assessment includes scoping the identified vulnerabilities and their impact on the corporate network or on the organization. Remediation: the remediation phase includes the remedial actions for the detected vulnerabilities. High priority vulnerabilities are addressed first because they can have the biggest impact.
Verification: the verification phase ensures that all vulnerabilities in the environment have been eliminated, typically by re-scanning after remediation. Vulnerability Assessment Solutions: there are different approaches to vulnerability assessment. Product-based Solutions vs. Service-based Solutions: product-based solutions are deployed within the corporate network of an organization or a private network.
These solutions are usually dedicated to the internal private network. Service-based solutions are third-party solutions which offer security scanning and auditing of a network. These solutions can be hosted either inside or outside the network. Because these solutions are granted access to the internal network, they carry the security risk of being compromised themselves. Tree-based Assessment vs. Inference-based Assessment: tree-based assessment is the approach in which the auditor follows a different strategy for each component of an environment.
For example, in an organization's network where different machines are live, the auditor may use one approach for Windows-based machines and another technique for Linux-based servers. Inference-based assessment is an approach in which the assessment is driven by the inventory of protocols found in the environment.
For example, if the auditor finds a protocol in use, then, using the inference-based approach, the auditor will investigate the ports and services related to that protocol.
Best Practices for Vulnerability Assessment: the following are some recommended steps for a vulnerability assessment that gives effective results. A network administrator or auditor should follow these best practices. Before starting any vulnerability assessment tool on a network, the auditor must understand the complete functionality of that assessment tool.
This will help in selecting the appropriate tool to extract the desired information. Be clear about the source location of the scan, to reduce the focus area. Run scans for vulnerabilities frequently. CVSS (Common Vulnerability Scoring System) gives each vulnerability a numerical score; the numerical score can then be translated into a qualitative representation such as low, medium, high, and critical to help organizations properly assess and prioritize their vulnerability management processes.
CVSS v3 qualitative severity rating scale (base score):
None: 0.0
Low: 0.1 - 3.9
Medium: 4.0 - 6.9
High: 7.0 - 8.9
Critical: 9.0 - 10.0
CVE (Common Vulnerabilities and Exposures) maintains the list of known vulnerabilities, with an identification number and a description for each known cybersecurity vulnerability. Vulnerability Scanning: in this era of modern technology, finding vulnerabilities in an existing environment is becoming easier using different tools. Various tools, automated as well as manual, are available to help you find vulnerabilities.
Vulnerability scanners are automated utilities specially developed to detect vulnerabilities, weaknesses, problems, and holes in operating systems, networks, software, and applications. These scanning tools perform deep inspection of scripts, open ports, banners, running services, configuration errors, and other areas.
These tools are used not only by security experts to inspect running software and applications for risks and vulnerabilities, but also by attackers looking for loopholes in an organization's operating environment. Vulnerability Scanning Tools: 1. This scanning product focuses on vulnerability and configuration assessment.
Using this tool, you can customize and schedule scans and extract reports. It provides a quick snapshot of the security and compliance posture of the network and web applications, along with recommendations. The following figure shows the result of a vulnerability scan of a targeted network. This lab is performed on a Windows 10 virtual machine using the Nessus vulnerability scanner.
Configuration:
1. Download and install the Nessus vulnerability scanner. Open a web browser and connect to the Nessus web interface. Because Nessus uses a self-signed certificate by default, the browser warns about the connection: click on the Advanced button, proceed to Add Security Exception, and confirm the security exception. Figure Confirm Security Exception.
7. The following dashboard will appear. Figure Nessus Dashboard.
9. In Basic Settings, set a name for the policy. Figure Configuring Policy. Now go to the Credentials tab to set credentials for an authenticated scan. Check the policy to confirm it is configured successfully. Figure Verify Policy. Figure Launching Scan. Observe the status to confirm the scan has started successfully. Upon completion, observe the result. Figure Scan results. Click on the Vulnerabilities tab to observe the vulnerabilities detected.
You can also check the other tabs, Remediation, Notes and History, for more details about history, issues and remediation actions. Go to the Export tab to export the report and select the required format.
The following is a preview of the exported report in PDF format. All the information extracted so far has been focused on the target; now, using this collection of information, we move forward to gain access to the system. To summarize the information collected in the previous phases: a list of valid usernames, email addresses, passwords, groups, IP ranges, operating systems, hardware and software versions, shares, protocols and services, and other details.
Depending upon the information collected, the attacker will have a more or less precise picture of the target. The process of system hacking is more difficult and complex than the previous phases. Before starting the system hacking phase, an ethical hacker or pentester must remember that you cannot gain access to the target system in one go. You have to be patient, observe carefully and persist; then you will get results. System Hacking Methodology: the process of system hacking is divided into the following methods.
This methodology includes:
1. Cracking passwords
2. Escalating privileges
3. Executing applications
4. Hiding files
5. Covering tracks
Goals of System Hacking: in the methodological approach to system hacking, bypassing access control and policies by password cracking or social engineering attacks leads to gaining access to the system.
Operating system information then helps to exploit known vulnerabilities of the operating system to escalate privileges. Once you have gained access to the system and acquired rights and privileges, by executing applications such as Trojans, backdoors and spyware an attacker can create a backdoor to maintain remote access to the target system. Now, to steal actual information, data or any other asset of the organization, the attacker needs to hide their malicious activities.
Rootkits and steganography are the most common techniques used to hide malicious activity. Once the attacker has stolen the information and remains undetected, the last phase of system hacking, covering tracks, keeps them undetected by hiding the evidence of compromise, modifying or clearing the logs. Usually, only username and password authentication is configured, but authentication is now moving toward two-factor or multi-factor authentication, which combines something you know (the password) with something you have (a token or phone) or something you are (a biometric).
Password cracking may be performed through social engineering, by tampering with the communication (sniffing it) or by stealing and cracking the stored password hashes. Guessable passwords, short passwords, passwords protected with weak hashing or encryption, and passwords containing only numbers or only letters can be cracked with ease. A strong, long and hard-to-guess password is always the first line of defense against these cracking attacks.
Typically, a good password contains:
- mixed upper- and lower-case letters
- special characters
- numbers
- sufficient length, typically more than 8 characters
Types of Password Attacks: password attacks are classified into the following types:
1. Non-Electronic Attacks
2. Active Online Attacks
3. Passive Online Attacks
4. Default Password
5. Offline Attack
1. Non-Electronic Attacks: non-electronic or non-technical attacks are attacks that do not require any technical understanding or knowledge. These are attacks carried out by shoulder surfing, social engineering, and dumpster diving.
2. Active Online Attacks: an active online attack includes different techniques that directly interact with the target for cracking the password. Active online attacks include: Dictionary Attack: in a dictionary attack, a password cracking application is used along with a dictionary file.
This dictionary file contains an entire dictionary or a list of known and common words, which the tool tries one at a time. This is the simplest type of password cracking, and systems are usually not vulnerable to dictionary attacks if their users have strong, unique, alphanumeric passwords (and if the system enforces account lockout or rate limiting against online guessing).
Brute Force Attack: a brute force attack attempts to recover the password by trying every possible combination of characters. Each combination is attempted until the password is accepted. Brute forcing is the most basic technique to uncover a password; its cost grows exponentially with the password length. Hash Injection: the hash injection attack (also known as pass-the-hash) requires knowledge of hashing and other cryptographic techniques.
In this type of attack, the attacker first compromises a workstation or a server by exploiting its vulnerabilities and gains access to the machine. Once the machine is compromised, the attacker extracts the logon hashes of valuable users and administrators.
With the help of these extracted hashes, the attacker authenticates to servers such as the domain controller without ever knowing the clear-text password, and uses that access to compromise more accounts. 3. Passive Online Attacks: passive online attacks are performed without interacting with the target.
These attacks are important because they obtain the password without revealing the attacker, as the password is captured without directly probing the target. There are different sniffing tools available which can collect the packets flowing across the LAN, regardless of the type of information they carry.
Some sniffers offer filters to capture only certain types of packets. Man-in-the-Middle Attack: a man-in-the-middle (MITM) attack is the type of attack in which the attacker inserts himself into the communication between other nodes.
An MITM attack can be described as follows: a user communicates with another user or server, and the attacker inserts himself into the conversation, sniffing the packets and generating MITM or replay traffic. Once packets are captured, relevant information such as passwords is extracted. By generating replay traffic with the injection of the extracted information, the attacker gains access to the system. 4. Default Password: every new piece of equipment is configured with a default password by the manufacturer.
It is recommended to change the default password to a unique, secret set of characters. An attacker can attempt this type of attack by looking up default passwords on the device manufacturer's official website or through online default-password search tools.
The following is a list of online tools available for searching default passwords. Go to any of the websites you would like to use and search for the default password of a device. 5. Offline Attacks: Pre-Computed Hashes and Rainbow Tables. An example of an offline attack is looking up the password hash in a rainbow table.
The hash of every possible combination of characters (within the chosen character set and length) is computed in advance to create a rainbow table. Once the table is built, the attacker captures the target's password hash and looks it up in the table. The advantage of a rainbow table is that all hashes are precomputed, so it takes only moments to look up and reveal the password.
The limitation of a rainbow table is that it takes a long time (and a lot of storage) to create, because all the hashes have to be computed first, and it is useless against salted hashes, since the salt changes every hash value.
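The dictionary, brute-force and precomputed-table attacks described above, and the salting defense the chapter covers later, carried through in one added example (not code from the original text). SHA-256 stands in for whatever hash the target system uses; the wordlist, the per-user salt and the "stolen" hashes are constructed, and the password Albert is reused from the lab later in this chapter.

```python
"""Dictionary, brute-force and precomputed-table attacks against password hashes,
and why a per-user salt defeats the precomputed table.

Added example (not from the original text). SHA-256 stands in for whatever hash
the target system uses; the wordlist, salts and "stolen" hashes are constructed.
"""
import hashlib
import itertools
import os
import string


def hash_password(password, salt=b""):
    """Hash salt || password with SHA-256 (the hash function itself is not the point here)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password for every word: the idea behind a rainbow table."""
    return {hash_password(w): w for w in wordlist}


def lookup_attack(table, stolen_hash):
    """Instant lookup; works only if the hash was computed without a salt."""
    return table.get(stolen_hash)


def dictionary_attack(stolen_hash, wordlist, salt=b""):
    """Recompute each candidate with the victim's salt: one hash per word per user."""
    for word in wordlist:
        if hash_password(word, salt) == stolen_hash:
            return word
    return None


def brute_force(stolen_hash, alphabet, max_len, salt=b""):
    """Try every string up to max_len; returns (password, attempts). Cost grows as |alphabet|**len."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hash_password(candidate, salt) == stolen_hash:
                return candidate, attempts
    return None, attempts


# Constructed data: a tiny wordlist and two users with the same weak password.
WORDLIST = ["123456", "password", "letmein", "Albert", "qwerty", "dragon"]
USER_SALT = os.urandom(16)                      # random per-user salt, as a sane system stores it
UNSALTED_STORE = {"user1": hash_password("Albert")}
SALTED_STORE = {"user2": (USER_SALT, hash_password("Albert", USER_SALT))}


def demo():
    table = build_lookup_table(WORDLIST)
    salt, salted_hash = SALTED_STORE["user2"]
    return {
        "unsalted_lookup": lookup_attack(table, UNSALTED_STORE["user1"]),      # found instantly
        "salted_lookup": lookup_attack(table, salted_hash),                    # None: table useless
        "salted_dictionary": dictionary_attack(salted_hash, WORDLIST, salt),   # found, but recomputed
        "brute_force_short": brute_force(hash_password("ab1"),
                                         string.ascii_lowercase + string.digits, 3),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The result pairs are the whole argument for salting: the unsalted hash falls to a table built once and reused for every victim, while the salted hash forces the attacker to redo the dictionary work per user, and a rainbow table would have to be rebuilt for every possible salt. The brute-force counter also shows why length matters more than any single character class: three lower-case-plus-digit characters cost at most 36 + 36^2 + 36^3 attempts.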
To generate rainbow tables with the tool, choose the hash type, character set and password lengths, then click Ok to proceed. Distributed Network Attack (DNA): using the unused processing power of machines across the network, DNA recovers passwords by cracking the hashes in parallel. Password Guessing: password guessing is the trial-and-error method of guessing the password. The attacker uses the information extracted in the initial phases to guess the password and tries it manually.
This type of attack is not common, and the rate of failure is high because of password policies and account lockouts. Normally, information collected through social engineering helps to guess the password. USB password stealing: when a USB drive is plugged in, the Windows AutoRun feature runs the application on it automatically if the feature is enabled. Once the application is allowed to execute, it extracts the stored passwords. When you authenticate an entity, the aim of authentication is to validate whether the device is legitimate or not.
When you authenticate a user, it means you are verifying the actual user against an impostor. Authentication protocols ensure the authentication of users, computers, and services. On the Microsoft platform, the SAM database contains passwords in hashed form along with other account information. While the operating system is running, this database is locked so that no other service or process can access it directly. Several other security mechanisms are applied to the database to secure it and validate the integrity of its data.
Windows Vista and later versions of Windows do not store the LM hash by default (older versions also skip it when the password exceeds 14 characters, which LM cannot handle); a blank or dummy value is stored instead. NTLM authentication: the server challenge is an 8-byte random number generated by the domain controller.
The client encrypts the challenge with its password hash and sends the result back; the domain controller computes the expected response from the hash stored in its database and, by comparing the two, permits or denies the login session. NTLM versions: 1. NTLMv1 (older version) 2. NTLMv2. Kerberos components: 1. Authentication Server 2. Ticket Granting Server. The authentication server authenticates the client by checking the user identity and password against its database and replies with a Ticket-Granting Ticket (TGT) and a session key. The session key is for the session between the client and the TGS. The client then presents the TGT to the TGS to request a service ticket, and the TGS replies with a ticket and a session key.
The ticket and session key are used for communicating with the requested service within the trusted domain. Password Salting: password salting is the process of adding extra random characters (the salt) to the password before it is fed into the one-way hash function. The major advantage and primary purpose of password salting is to defeat dictionary attacks and pre-computed (rainbow table) attacks, since the same password produces a different hash for every salt. Consider the following example: the first hashed value is of the password without salting, while the second is of the same password with salting.
Without Salting: 23d42f5f3fb2c8ff4c20b8c5ace
With Salting: 87dd36bcbd4c94e9e2bdc
Adding random characters to the password before hashing makes the stored hash unique per user and much harder to reverse by lookup. Password Cracking Tools: there are lots of tools available on the internet for password cracking. For FlexySpy, you have to install the application on the mobile device once. Figure FlexySpy. In the Password section, you can get the passwords of accounts, along with the username and the details of the last capture. Lab: the Windows 7 machine has multiple users configured on it.
Using administrative access, we will dump the encrypted hashes and forward them to a Windows 10 machine on which the Ophcrack tool is installed, to crack the passwords. Procedure: 1. Go to the Windows 7 machine and run Command Prompt with administrative privileges. Figure: Windows Command Line. 2. Now go to the directory where pwdump7 is located and run it. In our case, pwdump7 is located on the desktop. Copy the result into a text file using the pwdump7 command.
Check the Hashes file. Now send the Hashes file to the Windows 10 machine (you can also install the Ophcrack tool on the same machine). As shown below, the hashes are loaded in the application. Select your desired table; in our case, the Vista free table is used. Select it, click Install, and locate the folder where the table is located.
In our case, we are using the default tables that ship with the application, so locate the folder where the application is installed. Click the Crack button to start cracking. The result shows users with no password configured and users with a cracked password. The result may also include some passwords that are not cracked; you can try other tables to crack them. In our case, User2's password, Albert, is cracked.
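The lab above works because Windows stores the LM and NT hashes without a salt, so one precomputed table matches every machine; the salting passage earlier describes the countermeasure. The following added example (not from the original text and not Ophcrack's code) builds a tiny precomputed table over a constructed wordlist, uses SHA-256 as a stand-in for the NT hash, and shows that the table recovers the unsalted hash of the lab's password "Albert" but not a salted one, while the legitimate user still verifies.

```python
import hashlib
import os

# Constructed wordlist standing in for a large precomputed table;
# SHA-256 stands in for the Windows NT hash (MD4 is not in hashlib by default).
WORDLIST = ["password", "letmein", "Albert", "Winter2019", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Unsalted one-way function: the same password always gives the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted one-way function: a random per-user salt is mixed in before hashing."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_precomputed_table(words) -> dict:
    """Map digest -> plaintext once, then reuse the table against any dumped hash."""
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, digest: str):
    """Table-based cracking: a hit is instant, a miss returns None."""
    return table.get(digest)


def verify(stored_salt: bytes, stored_digest: str, attempt: str) -> bool:
    """Defender-side login check: the stored salt is reused, so the legitimate
    user still verifies even though the digest was unpredictable in advance."""
    return salted_hash(attempt, stored_salt) == stored_digest


def demo(password: str = "Albert") -> dict:
    """Run the unsalted and salted cases and return the outcomes."""
    table = build_precomputed_table(WORDLIST)
    # Unsalted storage: the dumped digest is found directly in the table.
    cracked = lookup(table, unsalted_hash(password))
    # Salted storage: two users with the same password get different digests,
    # and neither digest appears in the precomputed table.
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    digest_a, digest_b = salted_hash(password, salt_a), salted_hash(password, salt_b)
    return {
        "unsalted_cracked": cracked,                # "Albert"
        "salted_cracked": lookup(table, digest_a),  # None
        "salted_digests_differ": digest_a != digest_b,
        "legit_login_ok": verify(salt_a, digest_a, password),
        "wrong_password_ok": verify(salt_a, digest_a, "albert"),
    }
```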
Now access the Windows 7 machine as User2 and enter the cracked password, Albert.

Escalating Privileges
In this section on privilege escalation, we discuss what to do after gaining access to the target. There are still many tasks to perform in privilege escalation. You may not always compromise an admin account; sometimes you have compromised a user account that has lower privileges. Using a compromised account with limited privileges will not help you achieve your goals.
Before anything else after gaining access, you have to perform privilege escalation so that you have complete, high-level access with no or limited restrictions. Each operating system comes with default settings and user accounts such as the administrator account, the root account, and the guest account. It is easy for an attacker to find vulnerabilities in the pre-configured accounts of an operating system to exploit and gain access.
Privilege escalation is further classified into two types:
1. Horizontal privilege escalation
2. Vertical privilege escalation

Horizontal Privilege Escalation
In horizontal privilege escalation, an attacker attempts to take over the privileges of another user who has the same set of privileges as the attacker's own account.
Horizontal privilege escalation occurs when an attacker attempts to gain access to the same set of resources allowed to a particular user. As an example of horizontal privilege escalation, consider an operating system with multiple users: an Administrator with full privileges, and User A, User B, and so on with limited privileges, allowed only to run applications and not to install or uninstall any application.
Each of these users is assigned the same level of privileges. By finding a weakness or exploiting a vulnerability, User A gains access to User B's account. Now User A is able to control and access the User B account.

Vertical Privilege Escalation
In vertical privilege escalation, an attacker attempts to escalate privileges to a higher level.
Vertical privilege escalation occurs when an attacker attempts to gain access to a more privileged account, usually the administrator account. Higher privileges allow the attacker to access sensitive information and to install, modify, and delete files and programs such as viruses, Trojans, etc.
In the Windows operating system, most applications search for a DLL in a set of directories instead of using a fully qualified path (DLL hijacking). A generated malicious DLL is renamed to the expected DLL name and placed in one of those directories. When the application runs, it loads the malicious DLL and opens a session with system privileges.

The execution of malicious programs is intended to gain unauthorized access to system resources, crack passwords, set up backdoors, and serve other motives. These executable programs can be custom-built applications or available software.
This process, the execution of the application, is also called "system owning."
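The DLL search-order behaviour described above can be audited from the defender's side. The following added example (not from the original text) models the default Windows DLL search order with constructed directory listings and flags imports that would load from, or could be pre-empted by, a directory that standard users can write to. All paths, file lists and the writable set are made up for the demonstration, and the KnownDLLs exemption is ignored.

```python
# Constructed model of the default Windows DLL search order with SafeDllSearchMode
# on: application directory, system directories, current directory, PATH entries.
SEARCH_ORDER = [
    r"C:\Program Files\ExampleApp",  # application directory
    r"C:\Windows\System32",
    r"C:\Windows\System",
    r"C:\Windows",
    r"C:\Users\alice\Documents",     # current working directory
    r"C:\Tools",                     # a PATH entry
]
DIR_CONTENTS = {
    r"C:\Program Files\ExampleApp": {"exampleapp.exe", "helper.dll"},
    r"C:\Windows\System32": {"kernel32.dll", "version.dll"},
    r"C:\Tools": {"util.dll"},
}
# Directories a standard (non-admin) user can write to in this constructed setup.
USER_WRITABLE = {r"C:\Users\alice\Documents", r"C:\Tools"}

def resolve(dll, order=SEARCH_ORDER, contents=DIR_CONTENTS):
    """Return the first directory in the search order holding `dll`, or None."""
    name = dll.lower()
    for directory in order:
        if name in contents.get(directory, set()):
            return directory
    return None

def audit_imports(imports, order=SEARCH_ORDER, contents=DIR_CONTENTS,
                  writable=USER_WRITABLE):
    """Map each imported DLL name to (status, directory):
    ok                - loaded from a protected directory, nothing writable before it
    writable-source   - the copy that loads lives in a user-writable directory
    writable-precedes - a writable directory is searched first, so a same-named
                        file placed there would win (KnownDLLs exemption ignored)
    missing           - not found anywhere; the first writable directory would
                        supply it (phantom DLL)"""
    findings = {}
    for dll in imports:
        source = resolve(dll, order, contents)
        searched_first = order if source is None else order[:order.index(source)]
        writable_first = [d for d in searched_first if d in writable]
        if source is None:
            findings[dll] = ("missing", writable_first[0] if writable_first else None)
        elif source in writable:
            findings[dll] = ("writable-source", source)
        elif writable_first:
            findings[dll] = ("writable-precedes", writable_first[0])
        else:
            findings[dll] = ("ok", source)
    return findings
```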