Module 01 Introduction of Ethical Hacking


Introduction to Ethical Hacking
Security News
• Zero-day attacks are meaner and more rampant than we ever thought.
• Computer attacks that target undisclosed vulnerabilities are more common and last
longer than many security researchers previously thought. The finding comes from a
study that tracked the number and duration of so-called zero-day exploits over three
years.
Internet Crime Current Report: IC3
Data Breach Investigation Report
Essential Terminology
• Hack Value: It is the notion among hackers that
something is worth doing or is interesting
• Exploit: A defined way to breach the security of an IT
system through a vulnerability
• Vulnerability: Existence of a weakness, design, or
implementation error that can lead to an unexpected
and undesirable event compromising the security of
the system.
Essential Terminology
• Target of Evaluation: An IT system, product, or
component that is identified/subjected to a required
security evaluation.
• Zero-Day Attack: An attack that exploits computer
application vulnerabilities before the software
developer releases a patch for the vulnerability
• Daisy Chaining: Gaining access to one network or computer
and then using what is obtained there (credentials, trust
relationships, reachable hosts) to gain access to further
networks and computers that hold the data the attacker wants.
Elements of Information Security
• Confidentiality: Confidentiality is the assurance that the
information is accessible only to those authorized to
have access. Confidentiality breaches may occur due to
improper data handling or a hacking attempt.
• Integrity: Integrity is the trustworthiness of data or
resources in terms of preventing improper and
unauthorized changes, the assurance that information
can be relied upon to be sufficiently accurate for its
purpose.
Elements of Information Security
• Availability: Availability is the assurance that the systems
responsible for delivering, storing, and processing information
are accessible when required by authorized users.
• Authenticity: Authenticity refers to the characteristic of a
communication, document, or any data that ensures the
quality of being genuine or not corrupted from the original.
The major roles of authentication include confirming that the
user is who he or she claims to be and ensuring the message
is authentic and not altered or forged. Biometrics, smart
cards, and digital certificates are used to ensure authenticity
of data, transactions, communications, or documents.
Cont…
• Non-repudiation: Non-repudiation refers to the
ability to ensure that a party to a contract or a
communication cannot deny the authenticity of their
signature on a document or the sending of a
message that they originated. It is a way to
guarantee that the sender of a message cannot later
deny having sent the message and that the recipient
cannot deny having received the message.
The Security, Functionality, and Usability Triangle
Top Information Security Attack Vectors
• Virtualization and Cloud Computing
• Organized Cyber Crime
• Unpatched Software
• Targeted Malware
• Social Networking
• Insider Threats
• Botnets
Cont…
• Lack of Cyber Security Professionals
• Network Applications
• Inadequate Security Policies
• Mobile Device Security
• Compliance with Govt. Laws and Regulations
• Complexity of Computer Infrastructure
• Hacktivism
Information Security Threats
Network Threats
• Information gathering
• Sniffing and eavesdropping
• Spoofing
• Session hijacking and man-in-the-middle attacks
• SQL injection
• ARP Poisoning
• Password-based attacks
• Denial of service attack
• Compromised-key attack
Information Security Threats cont..
Host Threats
• Malware attacks
• Target Footprinting
• Password attacks
• Denial of service attacks
• Arbitrary code execution
• Unauthorized access
• Privilege escalation
• Back door Attacks
• Physical security threats
Information Security Threats cont..
Application Threats
• Data/Input validation
• Authentication and Authorization attacks
• Configuration management
• Information disclosure
• Session management issues
• Buffer overflow issues
• Cryptography attacks
• Parameter manipulation
• Improper error handling and exception management
• Auditing and logging issues
Information Warfare
IPv6 Security Threats
• Auto Configuration Threats
• Unavailability of reputation-based protection
• Incompatibility of Logging Systems
• Rate Limiting Problem
• Default IPv6 Activation
• Complexity of Network Management Tasks
• Complexity in Vulnerability Assessment
• Overloading of Perimeter Security Controls
IPv6 Security Threats cont’d
• IPv4 to IPv6 Translation Issues
• Security Information and Event Management
(SIEM) Problems
• Denial-of-service (DoS)
• Trespassing
Hacking vs. Ethical Hacking
Hacking
• Hacking refers to exploiting system vulnerabilities
and compromising security controls to gain
unauthorized or inappropriate access to the system
resources. It involves modifying system or application
features to achieve a goal outside of the creator's
original purpose
Hacking vs. Ethical Hacking cont’d
Ethical Hacking
• Ethical hacking involves the use of hacking tools,
tricks, and techniques to identify vulnerabilities so as
to ensure system security. It focuses on simulating
techniques used by attackers to verify the existence
of exploitable vulnerabilities in the system security
Who Is a Hacker?
A hacker is a person who breaks into a system or network without
authorization to destroy or steal sensitive data, or to perform other
malicious attacks. Hackers differ widely in skill and motivation:
• Intelligent individuals with excellent computer skills, able to create
and explore the computer's software and hardware
• For some, hacking is a hobby: seeing how many computers or networks they
can compromise
• Their intention can be to gain knowledge, or simply to poke around doing
illegal things
• Some hack with malicious intent, such as stealing business data, credit
card information, social security numbers, or email passwords.
Hacker Classes
• Black Hats
• White Hats
• Gray Hats
• Suicide Hackers
• Script Kiddies
• Spy Hackers
• Cyber Terrorists
• State Sponsored Hackers
Hacktivism
• Hacktivism is an act of promoting a political agenda by
hacking, especially by defacing or disabling websites. The
person who does these things is known as a hacktivist.
• Hacktivism thrives in an environment where information is
easily accessible
• It aims to send a message through hacking activities and gain
visibility for a cause.
• Common targets include government agencies, multinational
corporations, or any other entity perceived as "bad" or
"wrong" by these groups or individuals.
Hacking Phases
• Reconnaissance
• Scanning
• Gaining Access
• Maintaining Access
• Clearing Tracks
Reconnaissance
• Reconnaissance refers to the preparatory phase
where an attacker gathers as much information as
possible about the target prior to launching the
attack. Also in this phase, the attacker draws on
competitive intelligence to learn more about the
target. This phase may also involve network
scanning, either external or internal, without
authorization.
Reconnaissance cont’d
• Reconnaissance Types
Reconnaissance techniques can be categorized broadly into passive and active
reconnaissance.
With passive reconnaissance the attacker does not interact with the target's
systems directly. Information comes from publicly available sources (company
websites, DNS and WHOIS records, search engines, job postings, social media),
from social engineering, and from dumpster diving, so the target sees nothing
in its logs.
Active reconnaissance means interacting with the target directly: probing hosts,
ports, and services. It is faster and more precise but can be detected, so it is
usually employed when the attacker judges the probability of detection to be low.
Newbies and script kiddies are often found attempting it to get faster, visible
results, and sometimes just for the brag value.
Scanning
• Scanning is what an attacker does prior to attacking
the network. In scanning, the attacker uses the
details gathered during reconnaissance to identify
specific vulnerabilities. Scanning can be considered a
logical extension (and overlap) of the active
reconnaissance. Often attackers use automated tools
such as network/host scanners and war dialers to
locate systems and attempt to discover
vulnerabilities
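The active reconnaissance and scanning described above, shown as an added example that is not part of the original slides: a small TCP connect scanner with banner grabbing in Python. To stay runnable offline it starts its own constructed listener on 127.0.0.1 (the banner string and the port range are assumptions for the demo). Against a real target every one of these connects completes a TCP handshake and lands in connection logs, which is exactly why this sits in the active, detectable category rather than the passive one.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_local_listener(banner: bytes = b"SSH-2.0-constructed_example\r\n"):
    """Constructed target for the demo: a TCP service on 127.0.0.1 that greets
    each client with a banner (port 0 lets the OS choose a free port).
    Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener shut down -> stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:      # scanner already closed; ignore
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def stop_local_listener(srv: socket.socket) -> None:
    """Wake the blocked accept() and release the port."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def probe_port(host: str, port: int, timeout: float = 0.5) -> bool:
    """Active probe of one port: a full TCP connect(). True means the three-way
    handshake completed, i.e. a service is listening. Refused, filtered
    (timeout) and unreachable all count as 'not open' here."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:              # ConnectionRefusedError, timeout, ...
            return False


def connect_scan(host: str, ports, workers: int = 32) -> list:
    """Probe a set of ports concurrently and return the open ones, sorted."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe_port(host, p)), ports))
    return sorted(p for p, is_open in results if is_open)


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Read whatever the service volunteers on connect; many daemons identify
    themselves (and their version) before any client input."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""
    return data.decode("ascii", errors="replace").strip()


def scan_and_fingerprint(host: str, ports) -> dict:
    """Scanning-phase output that feeds the gaining-access phase:
    a map of open port -> banner."""
    return {p: grab_banner(host, p) for p in connect_scan(host, ports)}


if __name__ == "__main__":
    srv, port = start_local_listener()
    try:
        print(scan_and_fingerprint("127.0.0.1", range(port - 5, port + 6)))
    finally:
        stop_local_listener(srv)
```

A connect scan is the noisiest option (full handshake, one log line per port); SYN or idle scans trade that visibility for the need to craft raw packets. The banner is the piece of scan output that turns "port 22 open" into "OpenSSH x.y", which is what the next phase searches exploit databases for.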
Gaining Access
• Gaining access is the most important phase of an attack in terms of
potential damage. Gaining access refers to the point where the
attacker obtains access to the operating system or applications on the
computer or network. The attacker can gain access at the operating
system level, application level, or network level. Factors that influence
the chances of an attacker gaining access into a target system include
the architecture and configuration of the target system, the skill level
of the perpetrator, and the initial level of access obtained. The attacker
initially tries to gain minimal access to the target system or network.
Once he or she gains the access, he or she tries to escalate privileges to
obtain complete control of the system. In the process, intermediate
systems that are connected to it are also compromised.
Maintaining Access
• Once an attacker gains access to the target system, the
attacker can choose to use both the system and its resources
and further use the system as a launch pad to scan and exploit
other systems, or to keep a low profile and continue
exploiting the system. Both these actions can damage the
organization. For instance, the attacker can implement a
sniffer to capture all network traffic, including telnet and ftp
sessions with other systems.
Clearing Tracks
• An attacker would like to destroy evidence of his or her
presence and activities for reasons such as maintaining access
and evading punitive action. Trojaned replacements for system
binaries such as ps, netstat, or ls let the attacker hide
processes, connections, and files, tools such as netcat are
dropped as backdoors, and log files are edited or deleted to
remove the evidence. Once such Trojans are in place, the
attacker can be assumed to have total control of the system.
Rootkits are automated tools designed to hide the presence of
the attacker: running the install script replaces a variety of
critical files with Trojaned versions, hiding the attacker in
seconds.
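Clearing tracks works because an attacker with root can edit logs that nobody can later check. The following Python is an added example (not from the original slides) of the defensive counterpart: a keyed hash chain over log lines, with the latest chain value shipped off-box as an anchor, so that deleting an entry, editing one in place, and truncating the file are all detected. The sample lines, the key, and the in-memory log structure are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key. In practice the verifier's key (or at least the latest
# anchor value) must live off the logged host, otherwise root can re-mint MACs.
VERIFY_KEY = b"constructed-demo-key-not-for-real-use"
GENESIS = "0" * 64

# Constructed sample entries in the style of a Unix auth log.
SAMPLE_LINES = [
    "sshd[4121]: Accepted password for www from 203.0.113.7 port 51022",
    "sudo: www : TTY=pts/1 ; COMMAND=/bin/bash",
    "useradd[4190]: new user: name=svc_backup, UID=0, GID=0",
    "sshd[4310]: Accepted publickey for svc_backup from 203.0.113.7 port 51090",
]


def chain_digest(prev_mac: str, line: str) -> str:
    """MAC over (previous MAC || line): each entry commits to all before it."""
    msg = (prev_mac + "\n" + line).encode()
    return hmac.new(VERIFY_KEY, msg, hashlib.sha256).hexdigest()


def append_entry(log: list, line: str) -> str:
    """Append a line with its chain MAC; return the new MAC (the anchor to ship)."""
    prev = log[-1]["mac"] if log else GENESIS
    mac = chain_digest(prev, line)
    log.append({"line": line, "mac": mac})
    return mac


def verify_chain(log: list, anchor: str = None):
    """Walk the chain. Returns (True, None) when every MAC is consistent and,
    if an off-box anchor is given, the last MAC equals it. Otherwise returns
    (False, i): i is the first inconsistent entry (an edit there, or a
    deletion just before it), or len(log) when the chain is internally fine
    but entries were removed from the end. Truncation is only visible
    through the anchor, which is why the anchor must not stay on the host."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = chain_digest(prev, entry["line"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev = entry["mac"]
    if anchor is not None and not hmac.compare_digest(prev, anchor):
        return False, len(log)
    return True, None


def build_demo_log():
    """Constructed log built from SAMPLE_LINES; returns (log, latest anchor)."""
    log = []
    anchor = None
    for line in SAMPLE_LINES:
        anchor = append_entry(log, line)
    return log, anchor


if __name__ == "__main__":
    log, anchor = build_demo_log()
    print("intact:", verify_chain(log, anchor))
    # Attacker removes the useradd line (index 2): the next entry no longer chains.
    print("deleted entry:", verify_chain(log[:2] + log[3:], anchor))
    # Attacker rewrites the sudo line in place: its MAC no longer matches.
    edited = [dict(e) for e in log]
    edited[1]["line"] = "sudo: www : TTY=pts/1 ; COMMAND=/usr/bin/ls"
    print("edited entry:", verify_chain(edited, anchor))
    # Attacker truncates the file after the first login: only the anchor tells.
    print("truncated:", verify_chain(log[:1], anchor))
```

The chain makes the local copy tamper-evident, not tamper-proof: a root attacker can still rewrite the file, but cannot produce valid MACs without the key and cannot hide truncation from a verifier that holds the anchor. Real deployments get the same effect by forwarding logs over TLS to a collector the attacker does not control; the chain is what tells you the local and remote copies have diverged.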
Types of Attacks on a System
• Operating system attacks: Attackers search for OS
vulnerabilities and exploit them to gain access to a
network system.
• Application-level attacks: Software applications ship
with myriad functionalities and features, and there is
rarely enough time to test them completely before
release. The vulnerabilities that remain make the
application itself the avenue of attack.
Types of Attacks on a System cont’d
• Misconfiguration attacks: Administrators often lack the time
or skills to maintain or fix issues, which leads to
configuration errors. Such errors (default credentials, open
services, loose permissions) give an attacker a way into the
target's network or system.
• Shrink wrap code attacks: Operating system applications
come with numerous sample scripts to make the job of
administrator easy, but the same scripts have various
vulnerabilities, which can lead to shrink wrap code
attacks.
Operating System Attacks
Some OS vulnerabilities include:
• Buffer overflow vulnerabilities
• Bugs in the operating system
• Unpatched operating systems
Attacks performed at the OS level include:
• Exploiting specific network protocol implementations
• Attacking built-in authentication systems
• Breaking file system security
• Cracking passwords and encryption mechanisms
Misconfiguration Attacks
• Misconfiguration vulnerabilities affect web servers,
application platforms, databases, networks, and frameworks,
and can result in unauthorized access or full compromise of
the system. A system that has been misconfigured, for example
by a change to file permissions, can no longer be considered
secure. Administrators are expected to change the default
configuration (default credentials, sample content, unneeded
services) before devices are deployed in the network; failing
to do so lets the default settings be used to attack the
system. To harden the configuration of a machine, remove any
redundant services or software.
Application-level Attacks
• Buffer overflow attacks
• Active content
• Cross-site scripting
• Denial-of-service and SYN attacks
• SQL injection attacks
• Malicious bots
Other application-level attacks include:
• Phishing
• Session hijacking
• Man-in-the-middle attacks
• Parameter/form tampering
• Directory traversal attacks
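As an added example that is not part of the original slides, two of the application-level attacks above (SQL injection and directory traversal) shown next to their fixes, in Python. The user table, credentials and base directory are constructed demo data; real systems store password hashes rather than plaintext, which is kept here only so the SQL stays readable.

```python
import sqlite3
from pathlib import Path


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory user table with fake credentials (plaintext only
    to keep the SQL readable; never do this in production)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse battery", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Data/input validation failure: attacker-controlled strings are pasted
    straight into the statement, so quotes and comments change its meaning."""
    query = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username: str, password: str):
    """Parameterised query: the driver passes values separately from the SQL
    text, so no input can alter the statement's structure."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


def safe_join(base_dir: str, user_path: str) -> Path:
    """Directory-traversal guard for user-supplied file names: resolve the
    request and refuse anything that lands outside base_dir. Covers '..',
    absolute paths and symlink hops, since resolve() follows links."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise ValueError("path escapes base directory: %r" % user_path)
    return target


if __name__ == "__main__":
    db = build_demo_db()
    # Comment injection: the trailing -- discards the password check entirely.
    print(login_vulnerable(db, "alice' --", "wrong"))       # ('alice', 'admin')
    # Tautology injection: '' OR '1'='1' makes the WHERE clause always true.
    print(login_vulnerable(db, "nobody", "' OR '1'='1"))    # a row is returned
    print(login_safe(db, "alice' --", "wrong"))             # None
    print(login_safe(db, "bob", "hunter2"))                 # ('bob', 'user')
    print(safe_join("/srv/www/public", "docs/readme.txt"))
    try:
        safe_join("/srv/www/public", "../../etc/passwd")
    except ValueError as e:
        print("blocked:", e)
```

Both fixes share one idea: keep attacker data in the data channel. The parameterised query never lets input become SQL syntax, and the path guard decides on the resolved result rather than trying to blacklist strings such as "..", which is exactly the kind of check encoding tricks get past.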
Shrink Wrap Code Attacks
When you install an OS/application, it comes with many
sample scripts to make the administrator's life easy.
• The problem is "not fine tuning" or customizing these
scripts
• This will lead to default code or shrink wrap code
attacks.
Why Ethical Hacking Is Necessary
“To beat a hacker, you need to think like one!”
• Ethical hacking is necessary because it allows an
organization to counter attacks from malicious hackers by
anticipating the methods they can use to break into a
system.
• Because attackers think creatively, automated vulnerability
scanning and checklist-based security audits alone cannot
ensure that the network is secure; ethical hacking adds the
adversarial perspective those methods lack.
Scope and Limitations of Ethical Hacking
Scope
The following is the scope of ethical hacking:
• Ethical hacking is a crucial component of risk
assessment, auditing, counter fraud, best practices,
and good governance.
• It is used to identify risks and highlight remedial
actions, and it reduces information and
communications technology (ICT) costs by resolving
those vulnerabilities
Cont’d
Limitations
The following are the limitations of ethical hacking:
• Unless a business first knows what it is looking for and why it
is hiring an outside vendor to hack its systems, there will not be
much to gain from the experience.
• An ethical hacker can only help the organization better
understand its security posture; it is up to the organization to
implement the right safeguards on the network.
Defense-in-Depth
• Defense in depth is a security strategy in
which several protection layers are placed
throughout an information system
• It helps to prevent direct attacks against an
information system and data because a break
in one layer only leads the attacker to the next
layer
Incident Management Process
• Incident management is a set of defined
processes to identify, analyze, prioritize, and
resolve security incidents to restore the
system to normal service operations as soon
as possible and prevent the recurrence of the
same incident.
The purpose of the incident management process
• Improves service quality
• Pro-active problem resolution
• Reduces impact of incidents on business/
organization
• Meets service availability requirements
• Increases staff efficiency and productivity
• Improves user/customer satisfaction
• Assists in handling future incidents.
Incident management steps
• Preparation for Incident Handling and Response
• Detection and Analysis
• Classification and Prioritization
• Notification
• Containment
• Forensic Investigation
• Eradication and Recovery
• Post-incident Activities
Information Security Policies
• A security policy is a document or set of documents that describes, at a
high level, the security controls to be implemented in the company to
safeguard the organizational network from inside and outside attacks. It
defines the organization's security architecture and includes clear
objectives, goals, rules and regulations, formal procedures, and so on. It
states which assets are to be protected, who may log in and access which
systems, who may view selected data, and who is allowed to change it.
Without such policies it is much harder to protect the company from
lawsuits, lost revenue, and similar consequences.
The goals of security policies include
• Maintain an outline for the management and administration of network
security
• Protect the organization's computing resources
• Limit legal liability arising from the actions of employees or third parties
• Protect the integrity of customer data and prevent waste of company computing
resources
• Prevent unauthorized modification of data
• Reduce risks caused by illegal use of system resources and loss of
sensitive, confidential data and intellectual property
• Differentiate users' access rights
• Protect confidential, proprietary information from theft, misuse, or
unauthorized disclosure
Classification of Security Policies
• User Policy
• IT Policy
• General Policies
• Partner Policy
• Issue-specific Policies
Types of Security Policies
• Promiscuous Policy
• Permissive Policy
• Prudent Policy
• Paranoid Policy
Steps to Create and Implement Security Policies
1. Perform risk assessment to identify risks to the organization's assets
2. Learn from standard guidelines and other organizations
3. Include senior management and all other staff in policy development
4. Set clear penalties and enforce them and also review and update the
security policy
5. Make the final version available to all staff in the organization
6. Ensure every member of your staff reads, signs, and understands the
policy
7. Install the tools you need to enforce the policy
8. Train your employees and educate them about the policy
Examples of Security Policies
• Acceptable-Use Policy
Defines the acceptable use of system resources
• User-Account Policy
Defines the account creation process and authority, rights, and responsibilities of
user accounts
• Remote-Access Policy
Defines who can have remote access, and defines access medium and remote
access security controls
• Information-Protection Policy
Defines the sensitivity levels of information, who may have access, how is it
stored and transmitted, and how should it be deleted from storage media
• Firewall-Management Policy
Defines access, management, and monitoring of firewalls in the organization
• Special-Access Policy
Vulnerability Research
• Vulnerability research means discovering
system design faults and weaknesses that
might help attackers compromise the system.
Once the attacker finds out the vulnerability in
the product or the application, he or she tries
to exploit it.
Vulnerability Research cont’d
An administrator needs vulnerability research:
• To gather information about security trends, threats,
and attacks
• To find weaknesses and alert the network
administrator before a network attack
• To get information that helps to prevent security
problems.
• To know how to recover from a network attack
What Is Penetration Testing?
• Penetration testing is a method of evaluating
security levels of a particular system or network. This
helps you determine the flaws related to hardware
and software. The early identification helps protect
the network. If the vulnerabilities aren't identified
early, then they become an easy source for the
attacker for the intrusion.
Why Penetration Testing?
Penetration testing is required because it helps you to:
• Identify the threats facing an organization's information assets
• Reduce an organization's IT security costs and provide a better
Return On Security Investment (ROSI) by identifying and
resolving vulnerabilities and weaknesses
• Provide an organization with assurance: a thorough and
comprehensive assessment of organizational security covering
policy, procedure, design, and implementation
• Gain and maintain certification against industry standards and
regulations
• Adopt best practices by conforming to legal and industry
regulations
Why Penetration Testing? Cont’d
• Test and validate the efficiency of security protections and
controls
• Change or upgrade existing infrastructure of software,
hardware, or network design
• Focus on high-severity vulnerabilities and emphasize
application-level security issues to development teams and
management
• Provide a comprehensive approach of preparation steps that
can be taken to prevent upcoming exploitation
• Evaluate the effectiveness of network devices and servers such
as firewalls, routers, and web servers.
Penetration Testing Methodology
• As a pen tester, you should never overlook any information
resource. All possible information sources must be tested for
vulnerabilities, and not just the information sources: every
mechanism and piece of software involved in the business must be
tested, because an attacker who cannot compromise the information
directly may instead gain access to the system around it and reach
the sensitive information from there. Some attacks, such as
denial-of-service attacks, do not need access to the system at
all. Therefore, to make sure you check every possible way of
compromising a system or network, follow a penetration testing
methodology; this ensures the full scope of the test.
