Ethical Hacking

Adapted from Zephyr Gaurays slides found here:

http://www.slideworld.com/slideshow.aspx/Ethical-Hacking-ppt-2766165

And from Achyut Paudels slides found here:
http://www.wiziq.com/tutorial/183883-Computer-security-and-ethical-hacking-slide

And from This Research Paper:
http://www.theecommercesolution.com/usefull_links/ethical_hacking.php
Keith Brooks
CIO and Director of Services
Vanessa Brooks, Inc.
Twitter/Skype: lotusevangelist
[email protected]
How often have I said to you that when you
have eliminated the impossible, whatever
remains, however improbable, must be the
truth?
Or a modern variation:
"If you eliminate the impossible, whatever
remains, however improbable, must be the
truth."
2
nd
Quote is from Spock in Star Trek (2009) but really
from Sir Arthur Conan Doyles infamous Detective,
Sherlock Holmes as seen above
Anonymous
As for the literal operation of Anonymous, becoming part of it is
as simple as going onto its Internet Relay Chat forums and
typing away.
The real-life people involved in Anonymous could be behind their
laptops anywhere, from an Internet caf in Malaysia to a
Michigan suburb.
Anonymous appears to have no spokesperson or leader.
One could participate for a minute or a day in a chat room, and
then never go back again.
Anonymous is the future form of Internet-based social activism.
They laud the "hactivists" for their actions.

Underground Toolkit Arms Hackers For Java Flaw
By Antone Gonsalves, CRN March 29, 2012 3:57 PM ET

A software toolkit popular among cyber-criminals has been updated
to include malicious code targeting a critical Java vulnerability that
experts say many Internet users have yet to patch.

A patch for the Java bug was released in February, but based on the
Java patching behavior of 28 million Internet users, Rapid7 estimates
that from 60 percent to 80 percent of computers running Java
are vulnerable. The bug affects all operating systems, including
Windows, starting with XP, Ubuntu and Mac OS X.

In general, up to 60 percent of Java installations are never
updated to the latest version, according to Rapid7.

http://www.crn.com/news/security/232700528/underground-toolkit-
arms-hackers-for-java-flaw.htm;jsessionid=aN-
QwyraKe6tlMxNtzWh5A**.ecappj03?cid=nl_sec
Federal Statute 2B1.1. - Protected Computer - Civil Penalty

Protected Computer Cases.--In the case of an offense involving
unlawfully accessing, or exceeding authorized access to, a "protected
computer" as defined in 18 U.S.C. 1030(e)(2), actual loss includes
the following pecuniary harm, regardless of whether such pecuniary
harm was reasonably foreseeable: reasonable costs to the victim of
conducting a damage assessment, and restoring the system and data
to their condition prior to the offense, and any lost revenue due to
interruption of service.

(B) Gain.--The court shall use the gain that resulted from the offense
as an alternative measure of loss only if there is a loss but it
reasonably cannot be determined.

(C) Estimation of Loss.--The court need only make a reasonable
estimate of the loss. The sentencing judge is in a unique position to
assess the evidence and estimate the loss based upon that evidence.
Why Do People Hack
To make security stronger ( Ethical Hacking )
Just for fun
Show off
Hack other systems secretly
Notify many people their thought
Steal important information
Destroy enemys computer network during
the war


What is Ethical Hacking
Also Called Attack & Penetration Testing, White-hat hacking,
Red teaming
It is Legal
Permission is obtained from the target
Part of an overall security program
Identify vulnerabilities visible from the Internet
Ethical hackers possesses same skills, mindset and tools of
a hacker but the attacks are done in a non-destructive manner

Hacking
Process of breaking into systems for:
Personal or Commercial Gains
Malicious Intent Causing sever damage to Information & Assets
Conforming to accepted professional standards of conduct
Types of Hackers
White Hat Hackers:
A White Hat who specializes in penetration testing and in other
testing methodologies to ensure the security of an organization's
information systems.
Black Hat Hackers:
A Black Hat is the villain or bad guy, especially in a western movie in
which such a character would stereotypically wear a black hat in
contrast to the hero's white hat.
Gray Hat Hackers:
A Grey Hat, in the hacking community, refers to a skilled hacker
whose activities fall somewhere between white and black hat
hackers on a variety of spectra


Why Cant We Defend Against Hackers?
There are many unknown security hole
Hackers need to know only one security hole to
hack the system
Admin need to know all security holes to defend
the system

Why Do We Need Ethical Hacking
Viruses, Trojan
Horses,
and Worms
Social
Engineering
Automated
Attacks
Accidental
Breaches in
Security
Denial of
Service (DoS)
Organizational
Attacks
Restricted
Data
Protection from possible External Attacks
Ethical Hacking - Commandments
Working Ethically
Trustworthiness
Misuse for personal gain
Respecting Privacy
Not Crashing the Systems
What do hackers do after hacking? (1)
Patch security hole
The other hackers cant intrude
Clear logs and hide themselves
Install rootkit ( backdoor )
The hacker who hacked the system can use the
system later
It contains trojan virus, and so on
Install irc related program
identd, irc, bitchx, eggdrop, bnc

What do hackers do after hacking? (2)
Install scanner program
mscan, sscan, nmap
Install exploit program
Install denial of service program
Use all of installed programs silently

Basic Knowledge Required
The basic knowledge that an Ethical Hacker should have about different
fields, is as follows:
Should have basic knowledge of ethical and permissible issues
Should have primary level knowledge of session hijacking
Should know about hacking wireless networks
Should be good in sniffing
Should know how to handle virus and worms
Should have the basic knowledge of cryptography
Should have the basic knowledge of accounts administration
Should know how to perform system hacking

Basic Knowledge Required (cont)
Should have the knowledge of physical infrastructure hacking
Should have the primary knowledge of social engineering
Should know to how to do sacking of web servers
Should have the basic knowledge of web application weakness
Should have the knowledge of web based password breaking procedure
Should have the basic knowledge of SQL injection
Should know how to hack Linux
Should have the knowledge of IP hacking
Should have the knowledge of application hacking

Denial of Service
If an attacker is unsuccessful in gaining access, they may use readily
available exploit code to disable a target as a last resort
Techniques
SYN flood
ICMP techniques
Identical SYN requests
Overlapping fragment/offset bugs
Out of bounds TCP options (OOB)
DDoS
How Can We Protect The System?
Patch security hole often
Encrypt important data
Ex) pgp, ssh
Do not run unused daemon
Remove unused setuid/setgid program
Setup loghost
Backup the system often
Setup firewall
Setup IDS
Ex) snort

What should do after hacked?
Shutdown the system
Or turn off the system
Separate the system from network
Restore the system with the backup
Or reinstall all programs
Connect the system to the network

Many topics of hacking still remain to be covered and there are
more slides in this presentation for your review later.


Thank You !!!
Ethical Hacking - Process
1. Preparation
2. Foot Printing
3. Enumeration & Fingerprinting
4. Identification of Vulnerabilities
5. Attack Exploit the Vulnerabilities
6. Gaining Access
7. Escalating Privilege
8. Covering Tracks
9. Creating Back Doors
1.Preparation
Identification of Targets company websites, mail
servers, extranets, etc.
Signing of Contract
Agreement on protection against any legal issues
Contracts to clearly specifies the limits and dangers of the
test
Specifics on Denial of Service Tests, Social Engineering,
etc.
Time window for Attacks
Total time for the testing
Prior Knowledge of the systems
Key people who are made aware of the testing
2.Footprinting
Collecting as much information about the target
DNS Servers
IP Ranges
Administrative Contacts
Problems revealed by administrators

Information Sources
Search engines
Forums
Databases whois, ripe, arin, apnic
Tools PING, whois, Traceroute, DIG, nslookup, sam spade
3.Enumeration & Fingerprinting
Specific targets determined
Identification of Services / open ports
Operating System Enumeration

Methods
Banner grabbing
Responses to various protocol (ICMP &TCP) commands
Port / Service Scans TCP Connect, TCP SYN, TCP FIN, etc.

Tools
Nmap, FScan, Hping, Firewalk, netcat, tcpdump, ssh, telnet, SNMP
Scanner
4.Identification of Vulnerabilities
Vulnerabilities

Insecure Configuration
Weak passwords
Unpatched vulnerabilities in services, Operating systems,
applications
Possible Vulnerabilities in Services, Operating Systems
Insecure programming
Weak Access Control
4.Identification of Vulnerabilities
Methods
Unpatched / Possible Vulnerabilities Tools, Vulnerability
information Websites
Weak Passwords Default Passwords, Brute force, Social
Engineering, Listening to Traffic
Insecure Programming SQL Injection, Listening to
Traffic
Weak Access Control Using the Application Logic, SQL
Injection

4.Identification of Vulnerabilities
Tools
Vulnerability Scanners - Nessus, ISS, SARA, SAINT
Listening to Traffic Ethercap, tcpdump
Password Crackers John the ripper, LC4, Pwdump
Intercepting Web Traffic Achilles, Whisker, Legion

Websites
Common Vulnerabilities & Exposures http://cve.mitre.org
Bugtraq www.securityfocus.com
Other Vendor Websites
5.Attack Exploit the Vulnerabilities
Obtain as much information (trophies) from the Target
Asset
Gaining Normal Access
Escalation of privileges
Obtaining access to other connected systems

Last Ditch Effort Denial of Service
5.Attack Exploit the Vulnerabilities
Network Infrastructure Attacks
Connecting to the network through modem
Weaknesses in TCP / IP, NetBIOS
Flooding the network to cause DOS

Operating System Attacks
Attacking Authentication Systems
Exploiting Protocol Implementations
Exploiting Insecure configuration
Breaking File-System Security
5.Attack Exploit the Vulnerabilities
Application Specific Attacks
Exploiting implementations of HTTP, SMTP protocols
Gaining access to application Databases
SQL Injection
Spamming

5.Attack Exploit the Vulnerabilities
Exploits
Free exploits from Hacker Websites
Customised free exploits
Internally Developed

Tools Nessus, Metasploit Framework,
6. Gaining access:
Enough data has been gathered at this point to make an informed
attempt to access the target
Techniques
Password eavesdropping
File share brute forcing
Password file grab
Buffer overflows
7. Escalating Privileges
If only user-level access was obtained in the last step, the attacker will
now seek to gain complete control of the system
Techniques
Password cracking
Known exploits
8. Covering Tracks
Once total ownership of the target is
secured, hiding this fact from system
administrators becomes paramount, lest
they quickly end the romp.
Techniques
Clear logs
Hide tools
9. Creating Back Doors
Trap doors will be laid in various parts of the system to ensure that
privileged access is easily regained at the whim of the intruder
Techniques
Create rogue user accounts
Schedule batch jobs
Infect startup files
Plant remote control services
Install monitoring mechanisms
Replace apps with trojans