7. Black Hat vs White Hat
Pen testers have prior approval from senior management, while hackers are approved only by themselves.
8. Black Hat vs White Hat
A pen tester's social engineering attacks are there to raise awareness.
A hacker's social engineering attacks are there to trick the DMV into divulging sensitive information about the whereabouts of their estranged ex-spouse.
9. Penetration Testing
White Hat hacking is known as Penetration Testing or Pen Testing.
“A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker.”
- Wikipedia
10. Hacking methodology
An excellent description is given inside the back cover of the “Hacking Exposed” text by McClure et al.:
Footprinting
Scanning
Enumeration
Gaining Access
Escalating Privilege
Pilfering
Covering Tracks
Creating Back Doors
Denial of Service
11. Footprinting
• Find out as much information as possible about the target host.
• Find out the target IP address.
• Find the domain name, admin, and name servers.
• DNS zone transfer.
Techniques and tools:
• Open source search: Google, search engines, Edgar
• Find domain name, admin, IP addresses, name servers: Whois
• DNS zone transfer: Nslookup, Sam Spade
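The DNS zone transfer item above is the one footprinting technique a defender can switch off outright. The following is an added example, not code from the slides or from the Hacking Exposed authors: a static audit of a BIND-style named.conf that reports, per zone, who is allowed to request a transfer. The configuration text is constructed for the example, and the parser assumes each options/zone block closes with "};" at the start of a line and that any allow-transfer clause fits on one line.

```python
import re

# Constructed BIND named.conf fragment (illustrative, not from any real server):
# example.com inherits the permissive global policy, corp.example restricts
# transfers to one secondary, intranet.example disables them.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-transfer { any; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};

zone "corp.example" {
    type master;
    file "corp.example.zone";
    allow-transfer { 192.0.2.53; };
};

zone "intranet.example" {
    type master;
    file "intranet.example.zone";
    allow-transfer { none; };
};
"""

# Assumption: each options/zone block ends with "};" at the start of a line and
# any nested allow-transfer clause sits on a single line.
BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)")\s*\{(.*?)\n\};', re.S)
ALLOW_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')


def parse_acl(acl_text):
    """Split 'a; b;' into ['a', 'b']."""
    return [e.strip() for e in acl_text.split(';') if e.strip()]


def audit_zone_transfers(conf_text):
    """Return {zone: (effective ACL list, verdict string)}.

    A zone-level allow-transfer overrides the options-level one. A zone with
    neither is treated as transferable to 'any', which matches BIND's
    long-standing default (assumption: confirm the default for your BIND version).
    """
    global_acl = ['any']
    zone_acls = {}
    for m in BLOCK_RE.finditer(conf_text):
        kind, zone_name, body = m.group(1), m.group(2), m.group(3)
        acl_match = ALLOW_RE.search(body)
        acl = parse_acl(acl_match.group(1)) if acl_match else None
        if kind == 'options':
            if acl is not None:
                global_acl = acl
        else:
            zone_acls[zone_name] = acl

    report = {}
    for zone_name, acl in zone_acls.items():
        effective = acl if acl is not None else global_acl
        if 'any' in effective:
            verdict = 'OPEN: zone transfer allowed to any host'
        elif effective == ['none']:
            verdict = 'OK: transfers disabled'
        else:
            verdict = 'OK: restricted to ' + ', '.join(effective)
        report[zone_name] = (effective, verdict)
    return report


if __name__ == '__main__':
    for zone, (acl, verdict) in audit_zone_transfers(SAMPLE_NAMED_CONF).items():
        print(f'{zone:20} {verdict}')
```

The static check catches the common mistake of a permissive global policy that zones silently inherit; pair it with an actual AXFR request against your own authoritative server from outside the network, since only that confirms what the running daemon enforces.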
12. Footprinting
Google itself is a very good hacking device.
14. Footprinting
www.sec.gov -> edgar database
17. Scanning
Three types of scan:
– Port
– Network (live PCs, PC names, OS)
– Vulnerability scan
Techniques and tools:
• Ping sweep: Fping, icmpenum, WS_Ping ProPack, nmap
• TCP/UDP port scan: Nmap, Superscan, fscan
• OS detection: Nmap, queso, siphon
18. Scanning
Scanning steps:
– Check for live systems
– Open ports
– Service identification
– OS fingerprinting (which OS the server runs)
– Vulnerability scan
– Draw network diagrams of vulnerable hosts
– Prepare a proxy (IP spoofing)
19. Enumeration
• Identify valid user accounts or poorly protected resource shares.
• More intrusive probing than the scanning step.
Techniques and tools:
• List user accounts: null sessions, DumpACL, sid2user, onSiteAdmin
• List file shares: showmount, NAT, legion
• Identify applications: banner grabbing with telnet or netcat, rpcinfo
20. Gaining Access
Based on the information gathered so far, make an informed attempt to access the target.
Techniques and tools:
• Password eavesdropping: tcpdump/ssldump, L0phtcrack, readsmb
• File share brute forcing: NAT, legion
• Password file grab: tftp, pwdump2 (NT)
• Buffer overflow: ttdb, bind, IIS .HTR/ISM.DLL
21. Escalating Privilege
If only user-level access was obtained in the last step, seek to gain complete control of the system.
Techniques and tools:
• Password cracking: John the Ripper, L0phtcrack
• Known exploits: lc_messages, getadmin, sechole
22. Covering Tracks
Once total ownership of the target is secured, hiding this fact from system administrators becomes paramount, lest they quickly end the romp.
Techniques and tools:
• Clear logs: Zap, Event Log GUI
• Hide tools: rootkits, file streaming
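The "clear logs" technique works because a plain log file carries no evidence of its own completeness. As an added example, not part of the slides or of Hacking Exposed, the block below hash-chains log lines with an HMAC so that a deleted or edited entry breaks verification of that entry and every later one. The log lines and the key are constructed for the demonstration; the design assumes the key and the stored tags live on a separate log collector, out of reach of an intruder who has rooted the logging host.

```python
import hashlib
import hmac

# Constructed syslog-style lines (not taken from any real system).
SAMPLE_LOG = [
    "Jan 10 03:12:01 host sshd[2041]: Accepted publickey for ops from 192.0.2.7",
    "Jan 10 03:12:44 host sudo: ops : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Jan 10 03:13:02 host useradd[2077]: new user: name=svc_backup, UID=0, GID=0",
    "Jan 10 03:15:30 host sshd[2041]: Disconnected from 192.0.2.7",
]

# Constructed demo key; in practice the key is held by the collector, not the host.
DEMO_KEY = b"constructed-demo-key"


def chain_log(lines, key, seed=b"genesis"):
    """Return [(line, tag)] where tag = HMAC-SHA256(key, previous_tag || line).

    Each tag depends on every earlier line, so removing or altering a line
    invalidates it and all tags after it.
    """
    prev = seed
    entries = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        entries.append((line, tag))
        prev = bytes.fromhex(tag)
    return entries


def verify_chain(entries, key, seed=b"genesis"):
    """Return the index of the first entry whose tag fails, or None if intact."""
    prev = seed
    for i, (line, tag) in enumerate(entries):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = bytes.fromhex(tag)
    return None


if __name__ == "__main__":
    entries = chain_log(SAMPLE_LOG, DEMO_KEY)
    print("intact log:", verify_chain(entries, DEMO_KEY))
    # Simulate "clearing" the useradd line from the middle of the log.
    cleared = entries[:2] + entries[3:]
    print("useradd line removed, first bad index:", verify_chain(cleared, DEMO_KEY))
```

Truncating the file from the end is the one edit this scheme cannot distinguish from "no further events yet"; the collector closes that gap by periodically recording the latest tag it has received, so a later replay that ends earlier than that tag is itself the alert.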
23. Creating Back Doors
• Trap doors will be laid in various parts of the system to ensure that privileged access is easily regained whenever the intruder decides.
Techniques and tools:
• Create rogue user accounts: members of wheel, admin
• Schedule batch jobs: cron, AT
• Infect startup files: rc, startup folder, registry keys
• Plant remote control services: Netcat, remote.exe, VNC, BO2K, remote desktop
• Install monitoring mechanisms: keystroke loggers, add acct. to secadmin mail aliases
• Replace apps with Trojans: login, fpnwclnt.dll
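Two of the back-door techniques above, rogue privileged accounts and scheduled jobs, leave traces in files an administrator already owns. The following added example (not from the slides or from Hacking Exposed) audits constructed /etc/passwd and crontab contents for a second UID-0 account and for cron commands launched from world-writable temporary directories or hidden dot-directories. The file contents, the allow-list and the path heuristics are assumptions for the demonstration.

```python
import re

# Constructed /etc/passwd and crontab text (not from any real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
ops:x:1000:1000:ops:/home/ops:/bin/bash
toor:x:0:0:backup admin:/tmp:/bin/sh
svc_web:x:1001:1001::/var/www:/usr/sbin/nologin
"""

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.x/update -l 4444
30 1 * * 0 /usr/bin/logrotate /etc/logrotate.conf
"""

# Assumed baseline: only root is expected to hold UID 0 on this host.
KNOWN_UID0 = {"root"}
# Assumed heuristic: legitimate cron jobs do not run from these directories.
SUSPICIOUS_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/")
HIDDEN_COMPONENT = re.compile(r"/\.[^/\s]+")


def find_rogue_root_accounts(passwd_text, known=KNOWN_UID0):
    """Return names of UID-0 accounts absent from the known list."""
    rogue = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; a real audit would report it
        name, uid = fields[0], fields[2]
        if uid == "0" and name not in known:
            rogue.append(name)
    return rogue


def find_suspicious_cron(crontab_text):
    """Return cron command strings that start in a temp directory or contain
    a hidden (dot-prefixed) path component."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)  # five schedule fields, then the command
        if len(parts) < 6:
            continue
        command = parts[5]
        if command.startswith(SUSPICIOUS_PREFIXES) or HIDDEN_COMPONENT.search(command):
            hits.append(command)
    return hits


if __name__ == "__main__":
    print("extra UID-0 accounts:", find_rogue_root_accounts(SAMPLE_PASSWD))
    print("suspicious cron jobs:", find_suspicious_cron(SAMPLE_CRONTAB))
```

Both checks are cheap enough to run from a cron job of their own and compare against a baseline taken at build time; the value is in the diff, since a one-off run on an already compromised host has no clean reference to compare against.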
24. Denial of Service
• If the attacker is unsuccessful in gaining access, they may use readily available exploit code to disable a target as a last resort.
Techniques and tools:
• SYN flood: synk4
• ICMP techniques: ping of death, smurf
• Identical src/dst SYN requests: land, latierra
• Overlapping fragment/offset bugs
• Out-of-bounds TCP options (OOB)
• DDoS: Trinoo, TFN, stacheldraht
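The scanning slides (ping sweep, TCP/UDP port scan) and the denial of service slide (SYN flood, identical src/dst SYN requests) describe traffic patterns a defender can pick out of a connection log. As an added example, not part of the slides or of Hacking Exposed, the block below runs four such detections over constructed log lines in an assumed one-line-per-packet format: a ping sweep (one source probing many hosts), a port scan (one source probing many ports on one host), a LAND-style packet (source equal to destination with SYN set) and a SYN flood (many SYNs to one port). The thresholds are assumptions to tune for a real network.

```python
import re
from collections import defaultdict

# Assumed log format: <time> <src> -> <dst> <proto>[/<port>] [<flags|echo>]
LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+->\s+(\S+)\s+(icmp|tcp|udp)(?:/(\d+))?\s*(\S*)$")

# Constructed connection-log lines (not captured from any real network).
SAMPLE_LOG = (
    # one source pinging six hosts in a row
    [f"03:00:0{i} 192.0.2.9 -> 10.0.0.{i} icmp echo" for i in range(1, 7)]
    # the same source then knocking on seven ports of one host
    + [f"03:01:00 192.0.2.9 -> 10.0.0.5 tcp/{p} S" for p in (21, 22, 25, 80, 443, 3389, 8080)]
    # a packet whose source equals its destination (the land pattern)
    + ["03:02:00 10.0.0.5 -> 10.0.0.5 tcp/139 S"]
    # twenty bare SYNs to one port from one source
    + ["03:03:00 198.51.100.4 -> 10.0.0.5 tcp/80 S"] * 20
    # ordinary traffic that should not alert
    + ["03:04:00 10.0.0.7 -> 10.0.0.5 tcp/443 SA", "03:04:01 10.0.0.7 -> 10.0.0.8 udp/53"]
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, proto, port, flags = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "port": int(port) if port else None, "flags": flags}


def analyze(lines, sweep_hosts=5, scan_ports=6, flood_syns=15):
    """Return a list of alert tuples; the first element names the pattern."""
    icmp_targets = defaultdict(set)      # src -> hosts it pinged
    ports_per_pair = defaultdict(set)    # (src, dst) -> TCP ports touched
    syn_counts = defaultdict(int)        # (src, dst, port) -> bare SYN count
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst = rec["src"], rec["dst"]
        if rec["proto"] == "icmp" and rec["flags"] == "echo":
            icmp_targets[src].add(dst)
        elif rec["proto"] == "tcp":
            ports_per_pair[(src, dst)].add(rec["port"])
            if rec["flags"] == "S":
                if src == dst:
                    alerts.append(("land", src, dst, rec["port"]))
                syn_counts[(src, dst, rec["port"])] += 1
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(("ping_sweep", src, len(hosts)))
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", src, dst, len(ports)))
    for (src, dst, port), n in syn_counts.items():
        if n >= flood_syns:
            alerts.append(("syn_flood", src, dst, port, n))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Counting SYNs without the matching handshake completion is what separates a flood from a busy web server, and the LAND check needs no threshold at all since no legitimate packet carries identical source and destination; on a production sensor the per-source sets would be bounded by a time window rather than grown for the life of the process.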
25. Backtrack
BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.