2. An ethical hacker is a security professional who uses his or her computing skills for defensive purposes, to improve the security posture of information systems.
A phreaker is a hacker who focuses on communication systems: stealing calling card numbers, making free phone calls, attacking PBXs and gaining illegal access to communication devices. Phone (line) tapping is one of his or her skills.
Originally, the term hacker did not have negative connotations. A hacker was a computer person who was intellectually curious and wanted to learn as much as possible about computer systems. Someone who was "hacking" was developing and improving software to increase the performance of computing systems.
A cracker was an individual using his or her capabilities for harmful purposes against computer systems. Over time, the terms hacker and cracker both took on the meaning of an individual who uses offensive skills to attack computer systems. Some other titles are explained below…
3. A whacker is a novice hacker who attacks Wide Area Networks (WANs) and wireless networks.
A script kiddie is usually a young individual without programming skills who uses attack software that is freely available on the Internet and from other sources.
A cyber-terrorist is an individual who works for a government or terrorist group engaged in sabotage, espionage, financial theft and attacks on a nation's critical infrastructure.
Hacktivists have tenets and ethics of their own. They act against what they perceive as injustice (by an organization, an individual or a group of individuals/entities); their activities are aligned with the cause for which they hack. Through their "hacktivism" they gain publicity for the cause and for themselves, which helps build their reputation. No matter what the justification, breaking into computers and networks is illegal.
White hats: ethical by intention and/or by profession.
Black hats: intentionally malevolent; criminals, "digital/cyber anarchists".
Gray hats: take risks that look malicious, yet their efforts help organizations and the community to secure themselves. They can sometimes fall back into black-hat behaviour, or be presumed black hats by law; some who pose as white hats are actually black hats.
Red hats: security consultants.
Blue hats: consultants and outside organizations hired to do penetration testing.
4. Confidentiality ensures information is not disclosed to unauthorized person(s) or process(es).
Integrity is achieved by
• Preventing modification by unauthorized entities.
• Preventing unauthorized or unintentional modification by authorized entities.
• Preserving internal and external consistency (e.g. the number of production servers in each business unit should add up to the total accounted for by the whole organization (internal consistency); the total count of servers should match what is physically present (external consistency)).
Availability ensures that a system's authorized users have timely and uninterrupted access to the information in the system.
5. Threat - An event or activity that has the potential to cause harm to information systems or networks.
Vulnerability - A weakness or lack of a safeguard that can be exploited by a threat, causing harm to information systems or networks; it can exist in hardware, operating systems, firmware, applications and configuration files.
Risk - The potential for harm or loss to an information system or network: the likelihood that a threat materializes by exploiting a vulnerability, weighed against the resulting impact.
Attack - An action against an information system or network that attempts to violate the system security policy; usually a threat being realized.
Target of Evaluation - An IT product, element or system designated to undergo a security evaluation.
Exploit - A means of using a weakness or vulnerability in an IT system to violate the system's security.
When viewing an information system through the eyes of an ethical
hacker, system threats, vulnerabilities, risks, attacks, targets of
evaluation, and exploits have to be taken into account.
6. (Diagram.) The technology stack an attacker needs to understand, from the bottom up:
Hardware platform - PCs, Macs, portables, mobile devices, servers, mainframes, workstations, IoT, SCADA etc.; processor, microcontroller, adapter, bus, PCB, circuitry.
Operating systems - real-time OS and others; OS internals, kernel programming, mnemonics and assembly etc.
Programming interfaces - frameworks, languages, meta-programming; declarative, structural, procedural, object-oriented, functional etc.
Automated kits / frameworks.
8. (Chart.) Typical effort time slice per phase (relative timing, not precise): reconnaissance, scanning, acquiring access, maintaining access, backdooring and clearing tracks.
10. Reconnaissance is also known as information gathering. In this stage we gather information about the target, either passively or actively. In the passive method we are not intrusive and do not look directly into (say) the target's network; instead we go through intermediaries that cannot easily be traced back to us, or we may not aim a tool at the network at all and simply research publications by the entity (organization or individual) that owns the target. Some methods and tools (for computer systems) are listed below…
WHOIS - The Internet Assigned Numbers Authority (IANA) delegates Internet resources to the Regional Internet Registries (RIRs); in turn, the RIRs follow their regional policies for further sub-delegation of resources to their customers. WHOIS is the protocol and tool used to query the registries' databases (it does not query DNS; name resolution is a separate step, see nslookup). Thus we can search the databases for information about the target's domains and address blocks: registrant, contacts, name servers, netblock and owning organization. The RIRs are: American Registry for Internet Numbers (ARIN): North America; RIPE Network Coordination Centre (RIPE NCC): Europe, the Middle East and Central Asia; Asia-Pacific Network Information Centre (APNIC): Asia and the Pacific region; Latin American and Caribbean Internet Address Registry (LACNIC): Latin America and the Caribbean; African Network Information Centre (AfriNIC): Africa. (Example: searching arin.net for the registration of a target's address block.)
11. NSlookup :- Nslookup is a program to query Internet domain name servers. It displays information that can be used to map the target's Domain Name System (DNS) infrastructure, helps find additional IP addresses, and can return the MX record to reveal the target's mail servers.
Traceroute :- Traceroute determines the path a packet takes to reach the target. It relies on the Time to Live (TTL) field of the IP header: the sender sets TTL, and each router the packet passes through decrements it by one. When the decrement brings TTL to zero the router discards the packet and sends back an ICMP Time Exceeded message from its own address. Traceroute therefore sends consecutive probes with TTL 1, 2, 3, ... and the sender of each Time Exceeded message reveals one more hop, until the target itself answers.
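The TTL mechanism described above, as an added example that is not part of the original slides: a simulated traceroute over a constructed in-memory path. The router addresses, the target and the ICMP Time Exceeded behaviour are modelled, not real, and nothing is sent on the wire.

```python
"""Simulated traceroute: how increasing TTL values reveal the path hop by hop.

Added example, not code from the original slides. The path below is a
constructed in-memory model: every router decrements TTL, and the one that
brings it to zero answers with an ICMP Time Exceeded carrying its own
address. No real packets are sent.
"""
from dataclasses import dataclass

# Constructed path from the scanning host to the target (documentation
# prefix addresses, not real hosts).
ROUTE = ["192.0.2.1", "198.51.100.7", "203.0.113.3"]
TARGET = "203.0.113.80"


@dataclass
class Probe:
    ttl: int        # value the sender put in the IP header
    dst: str        # destination address


def forward(probe: Probe, route: list, target: str) -> tuple:
    """Walk one probe along the route applying the TTL rule at each router.

    Returns (responder_address, response_type): 'time-exceeded' when a router
    dropped the probe, 'echo-reply' when it survived to the target.
    """
    ttl = probe.ttl
    for router in route:
        ttl -= 1                      # each router decrements TTL by one
        if ttl == 0:                  # expired here: this router reports itself
            return router, "time-exceeded"
    return target, "echo-reply"       # reached the destination


def traceroute(route: list, target: str, max_hops: int = 30) -> list:
    """Send probes with TTL 1, 2, 3, ... until the target itself answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, kind = forward(Probe(ttl=ttl, dst=target), route, target)
        hops.append(responder)
        if kind == "echo-reply":
            break
    return hops


if __name__ == "__main__":
    for hop_number, hop in enumerate(traceroute(ROUTE, TARGET), start=1):
        print(f"{hop_number:2d}  {hop}")
```

A real traceroute sends UDP probes to high ports (or ICMP echo, or TCP SYN with tcptraceroute) and prints "*" for a hop that never answers; a firewall that drops Time Exceeded messages hides the hops behind it, which is why the model above always gets an answer and the real tool does not.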
13. Social engineering has two facets. One is reconnaissance, where it is used to gather information about a target. The other is its use in attacking, which falls under "Gaining access". For brevity, the list below consolidates both. Social engineering can be…
Human-based :- This is a very old, well-known and natural technique in the art of thievery, and in many aspects hacking is nothing but thievery. The notorious hacker Kevin Mitnick (later an acclaimed white hat) often used this technique on his victims alongside his technical skills; he also went on to author and found a social engineering course. The attack or reconnaissance is performed by posing as a legitimate user, an important user (such as a customer), technical support etc.
Computer-based :- Phishing, fake e-mail and pop-up window attacks are the methods used in this type of social engineering. Phishing is covered in greater detail in https://www.slideshare.net/SreejithDMenon/strategies-to-handle-phishing-attacks
Mobile-based :- While most computer-based techniques apply here too, it also includes publishing malicious apps (the notorious "Blue Whale" is an example), repackaging legitimate apps, fake security apps and attacks over SMS.
14. The goal of the scanning phase of pre-attack reconnaissance is to discover open ports and find applications vulnerable to attack. This is done by pinging individual machines, determining the target's network ranges and port-scanning individual systems. The next steps in information gathering (identifying active machines, discovering open ports and access points, fingerprinting the operating system and uncovering the services behind the ports) all belong to the scanning phase. Although the tester is still in information-gathering mode, scanning is more active than footprinting: packets now reach the target and may be logged. Some tasks performed in this phase (on a computer system) are:
Detecting “live” machines on the target network
Discovering services running on targeted server
Identifying which TCP and UDP services are running
Identifying the operating system
Using active and passive fingerprinting
15. Some tools that are very important and commonly used for scanning (computer systems and related) are listed below.
PING - The venerable ping utility found in most operating systems is a simple means of host discovery, but it only tells us whether a host answers ICMP echo requests from the scanning host, and ICMP is often filtered. A ping sweep is the common technique of pinging a whole range of addresses at once.
PATHPING - Windows utility that combines traceroute with per-hop statistics: it probes every hop on the path for a period and reports latency and packet loss per hop, which tells us where on the path to the target delay or loss is introduced.
NMAP - One of the most important, powerful and effective tools for scanning systems in a network. It shares the disadvantages of other tools when scanning from outside the network (firewalls and IDS see it), yet it offers varied options even for just "pinging". More significant is its use for detecting the services running on target systems. Network services "listen" on ports, and many services have well-known default ports, so an open port suggests which service is running; nmap's service detection (-sV) goes further and probes the port to identify the actual service and version rather than trusting the port number.
HPING - A packet crafting and network analysis tool that sends TCP, UDP and ICMP packets with non-standard IP and transport header fields chosen by the user, and lets the scanner gather information from the responses. It is a very powerful tool used both for scanning (firewall rule testing, idle scans) and for attacking. hping3 supports Tcl scripting. It is commonly used for DoS testing.
16. Some wireless tools (for computer systems and related) that are commonly used for scanning are listed below. Note that they have more uses than just scanning.
NetStumbler - NetStumbler displays wireless access points, SSIDs,
channels, whether WEP encryption is enabled, and signal strength.
NetStumbler can connect with GPS technology to log accurately the
precise location of access points.
AirSnort - AirSnort is a wireless LAN (WLAN) tool that cracks WEP
encryption keys. AirSnort passively monitors wireless transmissions
and automatically computes the encryption key when enough packets
have been gathered.
Kismet - Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection
system. Kismet identifies networks by passively collecting
packets and detecting standard named networks, detects hidden networks, and infers
the presence of non-beaconing networks via data traffic.
17. TCP scanning techniques:-
TCP connect() scanning - connect() is the most basic technique. It scans ports simply by attempting a full connection to each port in succession, using the operating system's normal connect() call, so no special privileges are needed. The biggest disadvantage for attackers is that a completed three-way handshake is the easiest thing to log, and the scan can be stopped at the firewall.
TCP SYN (half-open) scanning - TCP SYN scanning is often referred to as half-open scanning because, unlike TCP connect(), a full TCP connection is never opened:
1. The scanning machine sends a SYN packet to a target port.
2. If a SYN/ACK is received, the port is listening.
3. The scanner tears the half-open connection down by sending an RST (reset) packet.
4. If an RST is received instead, the port is closed; no answer at all usually means a firewall is dropping the probe (filtered).
This is harder to trace because fewer sites log incomplete TCP connections, but crafting the packets needs raw-socket (root/administrator) privileges, and some packet-filtering firewalls look for SYNs to restricted ports.
TCP SYN/ACK (ACK) scanning - The scanner sends a SYN/ACK (or plain ACK) to the target port without a preceding SYN. A standards-compliant TCP stack treats the unexpected segment as an error and answers with an RST whether the port is open or closed, so this scan cannot tell open from closed; what it does reveal is which ports a stateless packet filter lets through (an RST comes back) and which it blocks (nothing comes back), which is how nmap's ACK scan (-sA) maps firewall rules. It is considered stealthy because no connection is attempted, but many intrusion detection systems catch it.
TCP FIN scanning - TCP FIN is a stealth scan that sends a FIN packet to a port. If the port is closed, the target replies with an RST. If the port is open, RFC-compliant stacks ignore the stray FIN, so silence means open (or filtered). Beware: a Windows machine sends an RST regardless of the state of the port, so this scan is only useful for identifying listening ports on non-Windows machines (or for identifying a machine as Windows).
Other scan types include TCP FTP proxy (bounce) scanning, RPC scanning, idle scanning (using a zombie host's IP ID counter) and the XMAS tree scan (FIN, PSH and URG set together).
18. Sniffing:-
Monitoring telephone or internet conversations with covert intent. It is sometimes done actively, where information is intercepted and can also be manipulated, and sometimes passively, where traffic is only recorded and the intercepted data is later decrypted/decoded and read.
Packet sniffing :- Capturing traffic in computer networks. On a switched network the attacker first has to get the traffic to pass his or her port, using techniques like MAC flooding, DNS poisoning, ARP poisoning, DHCP attacks (starvation and rogue server), password sniffing, spoofing attacks etc.
MAC flooding :- Flood the switch with frames carrying bogus source MAC addresses until its CAM (MAC address) table is full; many switches then fall back to forwarding unknown-destination frames out of every port, hub-style, so traffic between other hosts becomes visible to the attacker.
DNS poisoning :- Insert a forged record into a resolver's cache so that a name resolves to the wrong address (e.g. to a look-alike website).
ARP poisoning :- Send forged ARP replies so that hosts record a fake MAC-to-IP mapping in their ARP tables, typically making the attacker's MAC stand in for the gateway.
DHCP attacks :- Starve the DHCP server of leases by flooding it with faked client requests, then answer clients from a rogue DHCP server that hands out the attacker's address as gateway and/or DNS.
Password sniffing :- Gives the attacker access to credentials. Clear-text protocols (telnet, FTP, HTTP basic auth) expose them directly; otherwise the captured material has to be decrypted or cracked.
Spoofing attacks :- Faking IP or MAC addresses etc.
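The ARP poisoning entry above describes the attack; this added example (not code from the original slides) shows the detection side: a passive monitor that keeps its own IP-to-MAC table over a stream of ARP replies and alerts when a binding changes or when one MAC claims several addresses. The replies, addresses and the known-good gateway binding are all constructed.

```python
"""Passive ARP-poisoning detector run over constructed ARP replies.

Added example, not code from the original slides. ARP has no authentication:
a host overwrites its cache with whatever reply arrives, so an attacker who
keeps sending "192.168.1.1 is-at <attacker MAC>" sits between victims and
the gateway. A sniffer that keeps its own IP-to-MAC table notices the moment
a binding changes, and notices one MAC answering for several addresses.
All addresses and frames below are constructed.
"""
from collections import defaultdict

# Constructed ARP replies: (time, sender_ip, sender_mac). From t=30 the host
# at aa:bb:cc:dd:ee:ff starts claiming the gateway's address.
ARP_REPLIES = [
    (1,  "192.168.1.1",  "00:11:22:33:44:01"),   # real gateway
    (2,  "192.168.1.10", "00:11:22:33:44:10"),
    (3,  "192.168.1.20", "00:11:22:33:44:20"),
    (30, "192.168.1.1",  "aa:bb:cc:dd:ee:ff"),   # poison: gateway "moved"
    (31, "192.168.1.20", "aa:bb:cc:dd:ee:ff"),   # same MAC also claims a host
    (32, "192.168.1.1",  "aa:bb:cc:dd:ee:ff"),   # repeated gratuitous reply
]

GATEWAY_BINDING = {"192.168.1.1": "00:11:22:33:44:01"}   # static, known-good


def detect_arp_poisoning(replies, trusted=None):
    """Return a list of alert strings for the given replies.

    trusted: optional {ip: mac} bindings that must never change (the gateway
    is the usual one). Every other binding is learned from the first reply
    seen; a later reply with a different MAC raises an alert but does not
    replace the learned entry, unlike a real ARP cache.
    """
    table = dict(trusted or {})
    macs_seen = defaultdict(set)          # ip -> every MAC that claimed it
    alerts = []
    for t, ip, mac in replies:
        macs_seen[ip].add(mac)
        known = table.get(ip)
        if known is None:
            table[ip] = mac               # first sighting: learn it
        elif known != mac:
            kind = "trusted binding violated" if trusted and ip in trusted else "binding changed"
            alerts.append(f"t={t}: {kind} for {ip}: {known} -> {mac}")
    # One MAC claiming several IPs is the signature of a man-in-the-middle.
    ips_per_mac = defaultdict(set)
    for ip, macs in macs_seen.items():
        for mac in macs:
            ips_per_mac[mac].add(ip)
    for mac, ips in sorted(ips_per_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES, trusted=GATEWAY_BINDING):
        print("ALERT", alert)
```

The learn-on-first-sight rule is the weak spot of any such detector: if the attacker is already poisoning when monitoring starts, the wrong binding is what gets learned, which is why the gateway (the address every attack wants) is pinned statically rather than learned. Tools like arpwatch work on the same principle; dynamic ARP inspection on the switch does the check in the network instead.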
19. Session hijacking:-
Session hijacking is the exploitation of a valid session, where an attacker takes over the session between two computers.
In the web case the attacker steals a valid session ID (cookie or URL token) and uses it to act as the victim and read the victim's data.
In TCP session hijacking, an attacker takes over a live TCP session between two machines.
Since most authentication occurs only at the start of a session, taking it over gives the attacker the victim's access to the machine.
TCP session hijacking is carried out in the following steps:
Tracking the connection (sniffing it to learn the sequence and acknowledgement numbers).
Desynchronising the connection (getting the real client out of step with the server).
Injecting the attacker's packets.
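The three TCP hijacking steps above, as an added example that is not code from the original slides: an in-memory model of one direction of a TCP connection. Addresses, initial sequence numbers and payloads are constructed, and nothing is sent on the wire; the model only keeps the sequence-number arithmetic that makes the attack work.

```python
"""TCP session hijacking, simulated: track, desynchronise, inject.

Added example, not code from the original slides. It models one direction
of a TCP connection in memory; nothing is sent on the wire. The attacker
sniffs the client's segments to learn the next sequence number the server
expects, forges a segment with exactly that number (and the client's
address), and the server accepts it. The real client never saw those bytes,
so its own next segment now carries a sequence number the server has already
consumed and is dropped: the legitimate side is desynchronised.
Addresses, initial sequence numbers and payloads are constructed.
"""
from dataclasses import dataclass, field

CLIENT, SERVER = "10.0.0.5", "10.0.0.80"      # constructed addresses


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: str = ""          # any of "S", "A", "F"
    payload: bytes = b""

    def consumes(self) -> int:
        """Sequence space this segment uses: data bytes, plus one for SYN/FIN."""
        return len(self.payload) + ("S" in self.flags) + ("F" in self.flags)


@dataclass
class Tracker:
    """Passive sniffer: next sequence number expected from each sender."""
    next_seq: dict = field(default_factory=dict)

    def observe(self, seg: Segment) -> None:
        self.next_seq[seg.src] = seg.seq + seg.consumes()


@dataclass
class Receiver:
    """Receiving side of one direction; accepts only the in-order segment."""
    rcv_nxt: int
    received: list = field(default_factory=list)

    def deliver(self, seg: Segment) -> bool:
        if seg.seq != self.rcv_nxt:
            return False             # stale or out-of-order: dropped
        self.rcv_nxt += seg.consumes()
        self.received.append(seg.payload)
        return True


def hijack(client_isn: int = 1000, server_isn: int = 5000):
    """Run the three steps; returns (injected_ok, client_dropped, server_data)."""
    tracker = Tracker()
    server = Receiver(rcv_nxt=client_isn + 1)     # state just after the handshake

    # 1. Track: the attacker sniffs a legitimate client segment.
    legit = Segment(CLIENT, SERVER, seq=client_isn + 1, ack=server_isn + 1,
                    flags="A", payload=b"USER alice\r\n")
    if not server.deliver(legit):
        raise RuntimeError("handshake state is wrong")
    tracker.observe(legit)

    # 2. + 3. Desynchronise and inject: a forged segment, source spoofed as the
    # client, carrying exactly the sequence number the server expects next.
    forged = Segment(CLIENT, SERVER, seq=tracker.next_seq[CLIENT], ack=server_isn + 1,
                     flags="A", payload=b"PASS attacker-chosen\r\n")
    injected_ok = server.deliver(forged)

    # The client, unaware, sends its own next segment with the same number.
    stale = Segment(CLIENT, SERVER, seq=legit.seq + legit.consumes(), ack=server_isn + 1,
                    flags="A", payload=b"PASS s3cret\r\n")
    client_dropped = not server.deliver(stale)
    return injected_ok, client_dropped, server.received


if __name__ == "__main__":
    print(hijack())
```

Two things the model leaves out matter in practice: the attacker must be able to see the traffic at all (which is why hijacking is paired with the ARP poisoning or sniffing of the previous slide), and once the two ends are desynchronised they keep acknowledging each other with numbers neither accepts, the "ACK storm" that is the tell-tale sign of this attack on the wire.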
20. Web attacks:-
Cookie poisoning :- Modifying data held in cookies to steal or manipulate information.
Web server attacks :- Directory traversal, web-cache poisoning, SSH brute-forcing, web defacement, HTTP response splitting etc.
Non-validated input :- Manipulating URLs and request elements to gain unauthorized access to hidden elements, cookies etc.
Cross-site scripting (XSS) :- Injection of malicious script into web content so that it is later executed in another user's browser.
Injection flaws :- Vulnerabilities that allow untrusted data to be interpreted as part of a command or query.
SQL injection :- Injection of SQL via query strings and form fields to read or alter the backend database.
Denial of service (DoS) :- Disrupting a service to such an extent that it denies access even to legitimate users.
Broken access control :- Flaws that let a user act outside his or her intended permissions, e.g. reach another user's data or administrative functions.
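The SQL injection and XSS entries above, as an added example that is not code from the original slides or from OWASP WebGoat: the vulnerable login query and bio rendering beside their fixed forms. It uses an in-memory SQLite database with a constructed users table so it runs offline.

```python
"""SQL injection and stored XSS: the vulnerable form beside the fixed form.

Added example, not code from the original slides or from OWASP WebGoat. The
users table, its rows and the malicious inputs are constructed.
"""
import html
import sqlite3


def make_db():
    """In-memory database with two constructed users (bob's bio is hostile)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, bio TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'Hi, I am Alice')")
    db.execute("INSERT INTO users VALUES ('bob', 'hunter2', '<script>alert(1)</script>')")
    return db


def login_vulnerable(db, name, password):
    # Untrusted input is pasted into the query text, so the quotes the user
    # supplies become SQL syntax and change what the query means.
    q = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in db.execute(q)]


def login_fixed(db, name, password):
    # Parameterised query: values travel separately from the SQL text, so a
    # quote inside them is data, never syntax.
    q = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(q, (name, password))]


def render_bio_vulnerable(bio):
    # Stored XSS: text saved by one user is emitted raw into another's page.
    return f"<p>{bio}</p>"


def render_bio_fixed(bio):
    # Output encoding for the HTML text context turns tags into literal text.
    return f"<p>{html.escape(bio, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    evil_password = "' OR '1'='1"
    print(login_vulnerable(db, "alice", evil_password))   # every user matches
    print(login_fixed(db, "alice", evil_password))        # nobody matches
    bob_bio = db.execute("SELECT bio FROM users WHERE name = 'bob'").fetchone()[0]
    print(render_bio_vulnerable(bob_bio))
    print(render_bio_fixed(bob_bio))
```

With the password `' OR '1'='1` the vulnerable query becomes `... WHERE name = 'alice' AND password = '' OR '1'='1'`, and since AND binds tighter than OR the condition is true for every row. The escaping shown is right for HTML text only; a value placed inside an attribute, a URL or a script block needs the encoding for that context.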
21. Web attacks (continued):-
Broken session management :- Occurs when security-sensitive material such as passwords and session tokens is not properly protected; attackers compromise credentials through such weaknesses.
Broken account management :- Even a sound authentication scheme is weakened by vulnerable account management functions: account update, forgotten or lost password recovery or reset, password change and similar functions.
Cookie snooping :- Using a user's cookies to analyze browsing habits and sell the information, or to attack the victim's web applications.
Hidden manipulation :- Altering hidden form fields to manipulate internal state that affects calculations or processing in the application (e.g. changing a hidden field that feeds into how the price of a product is calculated).
DMZ attacks :- After compromising a web application, the attacker leverages that foothold to attack other hosts in the DMZ and gain access to the internal network.
Mal-code execution :- Execution of malicious code or executables by abusing URL redirection or query string parsing.
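Cookie poisoning (previous slide) and hidden field manipulation (above) share one root cause: the server trusts a value that made a round trip through the client. The following added example, not code from the original slides, shows the standard fix when the value cannot simply be kept server-side: sign it with an HMAC so that any change is detected. The key, the price value and the checkout handler are constructed for the demonstration.

```python
"""Tamper-evident cookies and hidden fields using an HMAC.

Added example, not code from the original slides. A value the client can
edit (cookie, hidden field, URL parameter) is emitted as value.tag, where
tag = HMAC-SHA256(key, value). The client can still read the value, but
cannot produce a valid tag for a changed one without the key. The key and
the hidden price field below are constructed; a real application keeps the
key out of source control and rotates it.
"""
import base64
import hashlib
import hmac

SECRET_KEY = b"constructed-demo-key-rotate-me"    # assumption: server-only secret


def sign(value: str, key: bytes = SECRET_KEY) -> str:
    """Return 'value.tag' with a URL-safe base64 HMAC-SHA256 tag."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify(token: str, key: bytes = SECRET_KEY):
    """Return the value if the tag checks out, otherwise None.

    compare_digest is constant-time, so an attacker cannot learn the tag
    byte by byte from how long the rejection takes.
    """
    value, sep, tag = token.rpartition(".")
    if not sep:
        return None                              # no tag at all
    expected = sign(value, key).rpartition(".")[2]
    return value if hmac.compare_digest(tag, expected) else None


def checkout_total(hidden_price_field: str, quantity: int) -> int:
    """Server-side handler: refuses an unsigned or altered price field."""
    price = verify(hidden_price_field)
    if price is None:
        raise ValueError("price field missing signature or tampered with")
    return int(price) * quantity


if __name__ == "__main__":
    field = sign("4999")                  # what the server put in the form
    print(field)
    print(checkout_total(field, 2))       # honest client: 9998
    tampered = "1" + field[4:]            # client edits the price to 1
    print(verify(tampered))               # None: signature no longer matches
```

Signing stops modification, not replay or reading: a signed "price=4999" can still be copied from one order to another, and anything secret must be encrypted as well as signed. For a price the simplest fix is still to look it up server-side from the product ID and never send it to the client at all.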
22. Buffer overflow exploitation:-
Buffer overflow was, and still is, one of the biggest threats in hacking; frameworks exist nowadays that ease the job of exploiting it during pen-testing. It has many forms: stack overflow, heap overflow, format string bugs etc. When data is copied into a buffer allocated on the stack or heap without a check on its size, the copy overruns the buffer. An attacker can then overwrite the saved return address (saved EIP on 32-bit x86) in the stack case, or adjacent heap chunks and their allocator metadata in the heap case. Either way execution is eventually redirected to code crafted by the attacker. Such an attack has a structure with the parts below.
Injection vector :- The vulnerable buffer. It is what is ultimately exploited to get malicious content into the target. Attacks are sometimes staged depending on the "room" available; once the stages complete, the attacker has more control and can transfer execution to any other part of memory.
Injected address :- The value that overwrites the saved return address; the CPU's execution path is transferred there.
Payload :- The injected address redirects execution to the payload, which is the attacker's "intent": anything from code that spawns a command interpreter to whatever else the attacker wants.
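The three parts above laid out in bytes, as an added example that is not code from the original slides: it builds the classic stack-overflow buffer (padding, injected address, NOP sled, payload) and reads the injected address back from where the saved return address would be. The offset, the address and the placeholder payload are constructed assumptions; the block targets no real program and only manipulates a byte string.

```python
"""Layout of a classic stack-overflow exploit buffer, built with struct.

Added example, not code from the original slides; it only builds bytes in
memory and targets no real program. The values are constructed assumptions:
RET_OFFSET is where a debugger would have shown the saved return address
being overwritten, INJECTED_ADDRESS stands in for the start of the NOP sled
or a "jmp esp" gadget on a 32-bit x86 target, and PAYLOAD stands in for
shellcode.
"""
import struct

RET_OFFSET = 76                     # assumption: bytes from buffer start to saved EIP
INJECTED_ADDRESS = 0xBFFFF6A0       # assumption: 32-bit little-endian target address
PAYLOAD = b"\xcc" * 16              # placeholder: int3 breakpoints instead of shellcode
NOP = b"\x90"


def build_exploit_buffer(offset: int, address: int, payload: bytes,
                         sled: int = 32, bad_bytes: bytes = b"\x00\x0a") -> bytes:
    """Return padding | address | NOP sled | payload.

    The padding fills the vulnerable buffer (the injection vector) and
    whatever lies between it and the saved return address; the address is
    what the CPU pops into EIP on return; the NOP sled gives that address
    some slack; the payload is the attacker's intent. Bytes that would stop
    a string copy (NUL, newline) are refused, because the overflow would be
    truncated before the return address is reached.
    """
    addr_bytes = struct.pack("<I", address)      # little-endian, as on x86
    for bad in bad_bytes:
        if bad in addr_bytes or bad in payload:
            raise ValueError(f"bad byte 0x{bad:02x} present; a string copy stops there")
    return b"A" * offset + addr_bytes + NOP * sled + payload


def locate_injected_address(buf: bytes, offset: int) -> int:
    """Read back the dword that lands on the saved return address."""
    return struct.unpack("<I", buf[offset:offset + 4])[0]


if __name__ == "__main__":
    buf = build_exploit_buffer(RET_OFFSET, INJECTED_ADDRESS, PAYLOAD)
    print(len(buf), "bytes; EIP <-", hex(locate_injected_address(buf, RET_OFFSET)))
```

On a modern system this layout alone no longer works: stack canaries catch the overwrite before the return, NX/DEP refuses to execute the sled and payload on the stack, and ASLR makes the injected address a guess. That is why current exploits replace the sled-plus-shellcode with return-oriented programming and an information leak, but the injection vector and injected address parts are unchanged.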
23. Malware:-
Malware, especially backdoors, has a history dating back to the first generation of computing. Malware is often the ultimate intent of an attacker. "Malware" is the better umbrella term, covering viruses, trojans, worms, spyware, adware, rootkits, bots and anything else malicious. Some of these are also very effective means of hiding, camouflaging or clearing the attacker's footprints. Nowadays they rarely come independent of each other; they are usually packed together according to the attacker's intent.
Virus :- A virus was originally defined as a program that replicates, by analogy with the biological organism. It replicates to fill space, can mutate to remain undetected and can subvert the system. Spreading and stealth gave birth to the other forms below, while the virus kept its original status. Older classifications also included "file infector", "boot sector (disk) infector" and so on.
Trojan :- Named after the legendary Trojan horse. A trojan hides inside, or poses as, a legitimate program, with the aim of stealth and random or timed reactivation.
Worms :- They spread fast, across networks, without needing a host program; hence they were named for their ability to crawl across and pervade networks.
Logic bombs :- Go off on a particular event or when a time expires.
24. Malware (continued):-
Rootkits :- Comparatively younger than the other malware families, yet clear implementations have existed for a couple of decades now (the idea arguably predates them). The name comes from their original form: replacements for the binaries the "root" user relies on (ls, ps, netstat and the like), so that the attacker's files, processes and connections are hidden. Later variants became more powerful by subverting the kernel itself. User-mode rootkits are easier to build, but kernel-mode ones are stealthier; either way they are the most effective support-malware for stealth. Kernel-mode rootkits have decreased noticeably because commercial vendors (and others) now insist on digitally signed kernel code. The same solution could work for user-mode code, except that a lot of user-mode software, open source included, is not ready to pay for costly code-signing certificates. Rootkits also provide covert channels for the attacker to get back into the victim whenever needed.
Spyware/Adware :- Spyware spies on the user and his or her activities; adware nags the user with ads, some of which are leveraged to escalate attacks with phishing etc. The two mostly go hand in hand.
Bots & RATs :- RATs (remote administration tools) are malware that gives the attacker a control path into the victim's system: anything from stealing keystrokes to taking screenshots or using the camera. Bots are the same idea at scale, many infected hosts answering to one command-and-control channel.
Key loggers :- Malware that logs keystrokes; they have existed for as long as keyboards have carried secrets. They are difficult to detect completely, because at some point software cannot distinguish a legitimate from an illegitimate consumer of keyboard scan codes.
25. Misc:-
Crypto-virology :- The use of cryptography by malware: encrypted or polymorphic code that defeats signature matching, and cryptographic extortion (ransomware). It remains a lasting problem for anti-malware software trying to detect such viruses.
Steganography :- Sometimes called hiding in plain sight, it is the art of hiding data inside something else so that it is either camouflaged or completely hidden. While mostly used to hide data within media files (pictures, audio and video), it also applies to mixing hidden data into the packets of a communication channel, hiding in ordinary files etc. NTFS alternate data streams are a different mechanism, but they serve the same purpose of concealing data. Other forms include hidden partitions etc.
Track-clearing tools :- Tools designed to clear logs, subvert views of logs, delete auditing information etc. Malware such as rootkits lets the attacker keep a covert channel that can also subvert auditing. Hijacking tools keep the victim from seeing what is really happening.
Anti-anti-hacking tools :- Everything else that subverts anti-hacking tools, including the techniques other tools use to cloak themselves from anti-hacking tools or efforts.
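The steganography entry above, as an added example that is not code from the original slides: least-significant-bit embedding into a constructed buffer of 8-bit grey "pixels", with the extraction routine and a check that no pixel moved by more than one step. It uses no image library; the same embed/extract applies to the raw pixel bytes of a decoded PNG or BMP.

```python
"""Least-significant-bit steganography on a constructed pixel buffer.

Added example, not code from the original slides. Instead of a real image
file it uses a bytearray of 8-bit grey "pixels" (constructed) so it runs
without an image library. One bit of the secret replaces the lowest bit of
each pixel: every pixel changes by at most 1, invisible to a viewer, while
a 32-bit length header lets the receiver know how many bytes to read back.
"""
import random


def make_cover(n_pixels: int, seed: int = 1) -> bytes:
    """Constructed stand-in for a grey image: deterministic pseudo-random pixels."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n_pixels))


def _bits(data: bytes):
    """Yield the bits of data, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, secret: bytes) -> bytearray:
    """Hide len(secret) as a 4-byte header, then secret, in the cover's LSBs."""
    message = len(secret).to_bytes(4, "big") + secret
    if len(message) * 8 > len(cover):
        raise ValueError("cover too small for the message")
    stego = bytearray(cover)
    for index, bit in enumerate(_bits(message)):
        stego[index] = (stego[index] & 0xFE) | bit     # clear LSB, set it to the bit
    return stego


def extract(stego: bytes) -> bytes:
    """Recover the secret written by embed()."""
    lsbs = [pixel & 1 for pixel in stego]

    def byte_at(i: int) -> int:
        chunk = lsbs[i * 8:(i + 1) * 8]
        return int("".join(str(b) for b in chunk), 2)

    length = int.from_bytes(bytes(byte_at(i) for i in range(4)), "big")
    return bytes(byte_at(4 + i) for i in range(length))


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-pixel difference the embedding introduced."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover(64 * 64)
    stego = embed(cover, b"meet at 21:00")
    print(extract(stego), "max pixel change:", max_pixel_change(cover, stego))
```

Invisible to the eye is not invisible to analysis: sequential LSB replacement flattens the statistics of pixel-value pairs, which chi-square and RS steganalysis detect, and any lossy re-encoding (saving the picture as JPEG) destroys the hidden bits. Real tools therefore spread the bits with a key-driven pseudo-random walk and encrypt the secret first so that its bits look random.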
26. Hacking demos:-
Reconnaissance/Scanning :- NSLOOKUP, WHOIS.
NC utility :- Using nc to grab banners, and other uses for gaining and sustaining access.
NMAP utility :- Using nmap for stealth scans etc.
Metasploit :-
Exploit/payload and other commands.
Unleashing the power of meterpreter.
Web hacking :-
Simple SQL injection using OWASP WebGoat.
Simple XSS demo using OWASP WebGoat.
Reverse engineering :-
Intro to disassemblers and debuggers.
Sample program with disabled UI; OllyDbg reversing to introduce nag-screen removal and serial cracking/software protection.
Lab setup :-
• Hyper-V basics
• Virtualized Kali Linux (2017).
• Windows XP SP3 (MSDN).
• Windows 2000 Advanced Server (MSDN).
27. A bunch of things not included in this seminar- what and where to
find info….and…