SlideShare verwendet Cookies, um die Funktionalität und Leistungsfähigkeit der Webseite zu verbessern und Ihnen relevante Werbung bereitzustellen. Wenn Sie diese Webseite weiter besuchen, erklären Sie sich mit der Verwendung von Cookies auf dieser Seite einverstanden. Lesen Sie bitte unsere Nutzervereinbarung und die Datenschutzrichtlinie.
SlideShare verwendet Cookies, um die Funktionalität und Leistungsfähigkeit der Webseite zu verbessern und Ihnen relevante Werbung bereitzustellen. Wenn Sie diese Webseite weiter besuchen, erklären Sie sich mit der Verwendung von Cookies auf dieser Seite einverstanden. Lesen Sie bitte unsere unsere Datenschutzrichtlinie und die Nutzervereinbarung.
Cyber Ethics-hacking introduction
And IT Security
Hacking – Introduction
Types of Hackers.
Malicious Hacker Strategies
Ethical Hacker Strategies
Steps for conducting Ethical Hacking.
Importance of Vulnerability Research.
Vulnerability Research References.
WHY SECURITY ?
• Increasing use of Complex computer
• Increasing use of Network elements &
• Decreasing level of skill set.
• Any Security breach in company will affect its
asset & goodwill.
•Any Security breach in government can affect its
operations & reputation.
• The Art of exploring various security breaches is termed as
•It’s an anti-society activity.
•It says, there always exists more than one way to solve the
•The terms Hacker and Hacking are being misinterpreted
and misunderstood with negative sidelines.
HACKER WHO ARE THEY ?
Hackers are Intelligent Computer Professionals.
To gain in-depth knowledge of a system, what’s happening
at the backend, behind the screen
To find possible security vulnerabilities in a system.
They create security awareness by sharing knowledge. It’s a
An Individuals who break into computers with malicious intent.
•To seek unauthorized access into a system and cause damage or
destroy or reveal confidential information.
•To compromise the system to deny services to legitimate users for
troubling, harassing them or for taking revenge.
Effects- Can cause financial losses & image/reputation damages,
•Defamation in the society for individuals or organizations
•Phreaks – These are persons who use computer devices and
software to break into phone networks.
•Motive/Intention- To find loopholes in security in phone
network and to makes phone calls at free of cost!!!
•Effects- You may have to big amount of phone bills, for doing
•Script Kiddies – These are persons not having technical skills to hack
•Motive/Intention- They use the available information about known
vulnerabilities to break into remote system.
•it’s an act performed for a fun or out of curiosity.
•White Hat Hackers – They use their knowledge and skill set for good, constructive
intents. They find out new
Security loopholes and their solution.
E.g.- LIKE ME.. As I’m Doing It Right Now ( I Hope So!!!)
• Black Hat Hacker- They use their knowledge and skill set for illegal activities
E.g.- to gain money (online robbery), to take revenge. Disgruntled
Employees is the best example of Black Hats. Attackers (Black Hat HACKERS) are not at
all concerned with security
professionals (White hat hackers). Actually these hackers are Bad Guys!!!`
ETHICAL HACKER STRATEGIES
“The one who can hack it, can only secure it”
“If you want to catch criminal then you’ll have to think like
• What to protect?
• How to protect?
• Against whom?
• How much resources needed?
•Understand Client Requirements for Security / Vulnerability Testing.
• In Preparation Phase, EH will sign an NDA with the client.
• Internal / External Testing.
• Conduct Network Security Audits/ VAPT.
• Risk Assessment & Mitigation
•Documenting Auditing Reports as per Standards.
•Submitting Developer as well as remediation reports.
• Implement remediation for found vulnerabilities.
ETHICAL HACKER STRATEGIES
social engineering is the single
greatest threat to enterprise security.
A consultant was hired by a business executive to test the security of
the executive's enterprise. The consultant was not hired to try to hack
through the firewall or bypass the intrusion detection system. He was
hired to see how easy it would be for a motivated intruder to gain
physical access to the company's mission-critical systems.
So the consultant created a fake company ID badge for himself. He
even simulated a magnetic swiping strip on the back of the ID by using
a piece of electrical tape. He used this fake ID to get into the company's
main building, then made his way up to the data centre where he
began swiping his fake ID badge through the scanner. After several
failed attempts, a friendly employee walked up and said, "Sometimes,
that thing doesn't work." The friendly fellow proceeded to swipe his
own badge, letting the consultant into the data centre.
At that point, the consultant walked to the centre of the room, raised his
arms, and said, "Okay everyone, I'm conducting a surprise security
audit. I need everyone to leave the room immediately." Although there
were a few surprised faces, all the employees in the data centre filed
The consultant pulled out his cell phone, called the executive who hired
him, and said, "Guess where I am?"
How to Prevent Social Engineering
Vulnerability research is process of finding vulnerabilities,
threats & loopholes in server/ system.
Includes Vulnerability Assessment & Penetration Testing.
Vulnerability notes can be search on internet via Number,
VULNERABILITY RESEARCH REFERENCES
• Common Vulnerability database is available at
•National Vulnerability Database is available at
• US – CERT also publishes CVD on http://www.us-cert.gov
1. Contains Alerts which can be helpful to administrator.
2. It doesn’t contain solutions.
Security is important because prevention is better than cure.
Community of Hackers.
Security Involves five phases.
Ethical Hacking involves Conducting Security Audits,
Vulnerability, Assessment & Penetration testing.
Vulnerability Research is process of discovering different
vulnerabilities in technology & applications.
SQL Injection Attack
Allow remote attacker to execute arbitrary database
Relies on poorly formed database queries and
Often facilated,but does not rely unhandled
exceptions and ODBC error messages.
Impact:Massive This is one of the most dangerous
vulnerability on the web.
• Information Gathering- Definition
• Initial Info gathering of websites.
• Info Gathering using search engine ,
blogs & forums.
• Info gathering using job, matrimonial
Why Information Gathering ?
• Information Gathering can reveal online footprints of criminal.
• Information Gathering can help investigator to profile
Information Gathering Of Websites
Who is Information
•Owner of website.
•Email id used to register domain.
• Domain name server information.
• Related websites.
Who is. is query to database to get following information.
1.Owner of website.
2.Email id used to register domain.
4. Domain name server information.
5. Related websites.
Reverse IP -Mapping
• Reverse IP will give number of websites hosted on
•If one website is vulnerable on the server then
easily root the server.
Info. Gathering Using Search Engine
• Search engines are efficient mediums to get specific
results according to your requirements.
•Google & yahoo search engine gives best results out
Info. Gathering Using Search Engine
• This type of search engines retrieves results from different
search engine & make relation or connections between
Info.Gathering Using Search Engine
• Maltego is an open source intelligence and forensics
• It allows for the mining and gathering of information as
well as the representation of this information in a
• Coupled with its graphing libraries, Maltego, allows you to
identify key relationships between information and identify
previously unknown relationships between them.
Almost 80% internet users use blogs/forums for
knowledge sharing purpose.
Information gathering from specific blog will also helpful
Information gathering from Social Networking websites
can also reveal personal info about suspect.
Many websites stored email id lists for newsletters. these
email ids can also be retrieved using email spiders.
In the cyber-world phishing is a form of illegal act whereby
fraudulently sensitive information is acquired, such as
passwords and credit card details, by a person/entity
masquerading as a trustworthy person or business in an
apparently official electronic communication, such as an e-
or instantaneous communication.
Investigator should trace Email using Headers.
As it is going to be Spoof Mail in every case, Investigator should
gather information about hosting server from which it is originated.
Contacting Hosting Server with Message ID & Headers for Real IP
Asking for Domain names registered within specific time duration
during which this incident reported.
Credit Card or Paypal account or any other online payment account
which was used for transaction.
Bank Statement with online banking A/C Access log which gives IP
address of the culprit.
Beneficiary Bank account statement.
Beneficiary Bank account Access Log.
Prevention is Better
Harden the server
Scan and apply patches
Good physical Security
Intrusion detection system.
Train the technical staff only
Serous policy and procedure.