Introduction to Ethical Hacking

1.1 Gain knowledge on various hacking terminologies

Exam Focus: Gain knowledge on various hacking terminologies.

Objective includes:
o Understand the issues plaguing the information security world.
o Learn the basic elements of information security.
o Understand the security, functionality and ease of use triangle.
o Know the 5 stages of ethical hacking.
o Understand hacktivism and the classification of hackers.
o Understand who an ethical hacker is.
o Gain information on how to become an ethical hacker.
o Learn the profile of a typical ethical hacker.
o Understand the scope and limitations of ethical hacking.

Information Security

Information security (sometimes shortened to InfoSec) is the practice of protecting an organization's data from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. In short, it is the protection of the availability, privacy, and integrity of company data and information. All of the information an organization stores, sends, receives, and refers to must be protected against accidental or deliberate modification and must be available in a timely fashion. Employee social security numbers, addresses, confidential company financial data, trade secrets, customer data, intellectual property: the list is endless, and each of these examples refers to data that must be protected.

The protection of information is not new. What is new is the importance of protecting the information and the consequences of not protecting it, or of having the security of that information compromised. As more and more of this information is stored and processed electronically and transmitted across networks or the internet, the risk of unauthorized access increases and we are presented with growing challenges of how best to protect our information.

Why protect data?

Would you leave your home for work without locking it?
Possibly turning on an alarm for additional protection? How about your car? When you park it at the mall, do you lock it? Is it also armed by a security system? Why do you do this? To protect your assets. Similarly, an organization must protect its assets. An asset is defined as anything of value, including trademarks, patents, secret recipes, durable goods, data files, competent personnel, clients, and so on. Every asset has data associated with it, which must be protected.

To fully understand why information security is important, an organization first needs to understand both the value of information and the consequences of such information being compromised. When information is not adequately protected, it may be compromised; this is known as an information or security breach. The consequences of information security breaches can be severe. For businesses, a breach usually entails huge financial penalties, expensive lawsuits, and loss of reputation and business.

Organizations must protect against unauthorized disclosure for a variety of reasons, the most important being (a) legal and (b) competitive reasons. If poor security practices allow damage to your systems, you may be subject to criminal or civil legal proceedings. Negligence in protecting your data can compromise your systems, and if third parties are impacted, there may be even more severe legal issues to deal with. Security breaches can result in the theft, pilferage, and redistribution of intellectual property, which in turn may lead to business loss. Botnets can be used to launch various types of Denial-of-Service (DoS) and other web-based attacks, which may result in business downtime and significant loss of revenue. Attackers may steal and sell corporate secrets to competitors or compromise critical financial information, all of which erodes an organization's competitive advantage in the market.
Threats to information security

Many people mistakenly believe that the biggest threat to information security comes from malicious attackers. However, it is far more likely that the biggest risks to information security come from less suspicious sources. For example, a threat can be something natural, such as a flood or earthquake, or it could be accidental, such as a user inadvertently deleting a file, disgruntled employees, or individuals who have accidentally been granted access to resources they should not have access to. In order for an organization to protect itself from threats, it first needs to understand what threats it will be facing in the coming year. With each passing day, these security threats are becoming more serious and difficult to detect, so it is vital for companies to understand what they can do to best protect their systems and information.

Top challenges for information security

o Worms, viruses, malware: This continues to be a top challenge, given the many methods of installing malware on systems, including client-side software vulnerabilities. Browsers remain a top target for vulnerabilities. Vulnerability exploitation is at the heart of hacking and data breaches; these threats often rely on exploiting vulnerabilities to infect, particularly in client-side and third-party applications.
o Malicious insiders/ex-employees: Threats are not always from the outside. Statistics show that up to a fifth of damage comes from desperate and disgruntled employees who attempt to exploit the companies they currently or previously worked for.
o Careless/untrained employees: It is estimated that almost half of all the damage caused to information systems comes from authorized personnel who are either untrained or incompetent, and this will continue to be a threat unless companies take action. Policies, procedures, training and a little technology can make a world of difference in reducing an organization's risk from careless insiders.
o Infrastructure: Don't discount physical factors such as fire, water, and bad power. They are a significant threat to information security.
o Mobile devices: Mobile devices have become a plague for information security professionals. There are worms and other malware that specifically target these devices, such as the iPhone worm that would steal banking data and enlist these devices in a botnet. Theft of laptops is another major issue. Tens of thousands of laptops are stolen each year, and often these hold sensitive data whose loss requires public disclosure as a data breach.
o Social networking: Social networking sites have a certain element of trust to them, which makes them a breeding ground for a variety of spurious activities such as spam, scams, scareware and a host of other attacks, and these threats will continue to rise. Identity theft would be a big factor from an information security perspective.
o Social engineering: Social engineering is always a popular tool used by cyber criminals, and phishing is still a popular method for doing just that.
o Zero day exploits: A zero-day (or zero-hour or day zero) attack or threat is an attack that exploits a previously unknown vulnerability in a computer application, meaning that the attack occurs on "day zero" of awareness of the vulnerability. Zero day exploits can be engineered to take advantage of file-type exploits to compromise attacked systems or steal confidential data such as banking passwords and personal identity information.
o Cyber espionage: Most of these incidents surround government bodies and agencies and therefore have not been a huge threat to most individual organizations.
o Cloud computing: The public nature of data sharing in the cloud and the loss of control over their data for organizations is a big risk for security. Balancing data sharing with privacy requirements is a tightrope act.
Basic elements of information security

The following are elements of information security:
o Confidentiality: It is required to assure that only authorized users can access the information. Confidentiality breaches may take place because of improper data handling or a hacking attempt.
o Integrity: It is the trustworthiness of data or resources in the matter of preventing improper and unauthorized change. For this purpose, the information provided should be accurate.
o Availability: It assures that the systems used for delivering, storing, and processing information are accessible when needed by the authorized users.

Security, Functionality, and Usability triangle

The strength of the following three components can be used to define the levels of security:
o Functionality
o Usability
o Security

The triangle is used because an increase or decrease in any one of the factors will have an impact on the presence of the other two. When security is increased, the ball in the triangle moves away from the functionality and ease of use parameters.

Ethical hacking

Ethical hacking is a process by which penetration testing of networks and/or computer systems is performed by an individual called an Ethical Hacker. The Ethical Hacker is a person who is trusted by the organization and uses the same methods and techniques as a Hacker. Malicious hacking, by contrast, often referred to simply as hacking, is a term in which a black hat hacker, sometimes called a cracker, breaks computer security without authorization or uses technology (usually a computer, phone system or network) for malicious reasons, such as vandalism, credit card fraud, identity theft, piracy, or other types of illegal activity.

Necessity of ethical hacking

Vulnerability testing and security audits alone cannot ensure that a network is secure. In order to ensure the security of networks, a "defense in depth" strategy is required to be implemented by penetrating into the networks to estimate vulnerabilities and expose them.
Defense in depth is a security strategy in which several protection layers are placed throughout an information system. It is useful in preventing direct attacks against an information system and data, as a break in one layer only directs the attacker to the next layer. Ethical hacking is necessary, since it permits the countering of attacks from malicious hackers by anticipating methods that can be used to break into a system.

Stages of ethical hacking

There are five stages to ethical hacking:
1. Reconnaissance: In this phase, the attacker collects information regarding the victim. The following are the types of reconnaissance:
   o Passive: It involves gaining information without directly interacting with the target. For example, searching public records or news releases.
   o Active: It involves interacting with the target directly by any means. For example, telephone calls to the help desk or technical department.
2. Scanning: In this phase, the attacker begins to probe the target for vulnerabilities that can be exploited. It can include the use of dialers, port scanners, network mapping, sweeping, vulnerability scanners, etc. Attackers extract information, such as computer names, IP addresses, and user accounts, to launch the attack.
3. Gaining Access: In this phase, the attacker exploits a vulnerability to gain access into the system.
4. Maintaining Access: In this phase, the attacker maintains access to fulfill his purpose of entering into the network.
5. Covering Tracks: In this phase, the attacker attempts to cover his tracks so that he cannot be detected or penalized under criminal law.

The following image demonstrates the phases of malicious hacking:

Who is an ethical hacker?

A hacker is an intelligent individual having excellent computer skills. The hacker has the ability to create and explore into the computer's software and hardware. Hackers generally have the intention to gain knowledge to do illegal things.
Some hackers have a hobby of finding how many computers or networks they can compromise. Some hackers perform hacking with malicious intent behind their escapades, such as stealing business data, credit card information, social security numbers, email passwords, etc.

What do ethical hackers do?

Organizations hire ethical hackers to attack their information systems and networks so that they can find vulnerabilities and verify that security measures are functioning properly. Ethical hackers may have the following responsibilities:
o Test systems and networks for vulnerabilities.
o Break security controls to access sensitive data.

Ethical hackers try to find out the following:
o What can an intruder see on the target system?
o What can an intruder do with that information?
o Does anyone at the target notice the intruder's attempt or success?

Skill profile of an ethical hacker

An ethical hacker should have an excellent knowledge of computers and their functioning, including programming and networking. Since organizations have a variety of operating systems, such as UNIX, Linux, Windows, and Macintosh, an ethical hacker must be an expert in dealing with these operating systems. Ethical hackers should also be familiar with a number of hardware platforms. They should be knowledgeable about security areas and related issues as well.

Phases of ethical hacking

o Preparation: In this phase, a formal contract is signed that contains a non-disclosure clause as well as a legal clause to protect the ethical hacker against any prosecution that he may face during the conduct phase. The contract also outlines the infrastructure perimeter, evaluation activities, time schedules, and resources available to the ethical hacker.
o Conduct security evaluation: In this phase, the technical evaluation report is prepared based on testing potential vulnerabilities.
o Conclusion: In this phase, the results of the evaluation are communicated to the organization and corrective action is taken if needed.
Scope and limitations of ethical hacking

Ethical hacking is considered a crucial component of risk assessment, auditing, counter-fraud, best practices, and good governance. It is used to identify risks and highlight the remedial actions. It resolves vulnerabilities while reducing Information and Communications Technology (ICT) costs. However, there is a chance that you will not gain much by hiring the hacker unless the business first knows what it is searching for and why it is hiring an outside hacker to hack its systems in the first place. An ethical hacker can support the organization in better understanding its security system, but it is the responsibility of the organization to place the right guards on the network.

Hacktivism (hactivism)

Hacktivism is the act of hacking or breaking into a computer system for a politically or socially motivated purpose. The person who performs the act of hacktivism is known as a hacktivist. A hacktivist uses the same tools and techniques as those used by a hacker. However, a hacktivist attacks government organizations and agencies, international economic organizations, and any other entities that the hacktivist defines as a cause of social and economic inequities.

General classes of hackers

Hackers are categorized into the following classes:
o Black hat hackers (crackers): They are computer specialists. They perform malicious attacks on information systems by using their hacking skills.
o Gray hat hackers: They sometimes do not break laws and try to defend a network. At other times they act as black hat hackers.
o White hat hackers (ethical hackers): They have excellent computer skills and secure information systems by using their knowledge.
o Security providing organizations: Some organizations and communities also provide security to information systems.

1.2 Understand the different types and implications of hacker attacks

Exam Focus: Understand the different types and implications of hacker attacks.
Objective includes:
o Understand vulnerability research and list the various vulnerability research tools.
o Learn the different ways an ethical hacker tests a target network.
o Understand penetration testing and the various methodologies used.

Hacking terminology

Before we dive into the discussion on types and implications of hacker attacks, let's familiarize ourselves with common hacking terminology.

o Backdoor: A backdoor is a program or account that permits access to a system by skipping the security checks. Many vendors and developers implement backdoors that skip the security checks while troubleshooting, to save time and effort. A backdoor is considered a security threat: it can be used to exploit the system if it becomes known to attackers and malicious users.
o Banner grabbing: Banner grabbing is an enumeration technique used to glean information about computer systems on a network and the services running on their open ports. Administrators can use this to take inventory of systems and services on their network. An intruder, however, can use banner grabbing to find network hosts that are running versions of applications and operating systems with known exploits.
o Brute force: In a brute force attack, an attacker uses software that tries a large number of key combinations in order to get a password. To prevent such attacks, users should create passwords that are more difficult to guess, e.g., using a minimum of six characters, alphanumeric combinations, and mixed lower- and upper-case letters.
o Buffer overflow: A buffer overflow is a condition in which an application receives more data than it is configured to accept. This usually occurs due to programming errors in the application. A buffer overflow can terminate or crash the application.
o DoS attack: A Denial of Service (DoS) attack is mounted with the objective of causing a negative impact on the performance of a computer or network.
It is also known as a network saturation attack or bandwidth consumption attack.
o DDoS attack: In a Distributed Denial of Service (DDoS) attack, an attacker uses previously infected computers throughout the network. Such computers act as zombies and work together to send out bogus messages, thereby increasing the amount of phony traffic.
o Logic bomb: A logic bomb is a malicious program that executes when a predetermined event occurs. For example, a logic bomb can execute when a user logs on to a computer or presses certain keys on the keyboard. It can also execute on a particular date or at a time specified by the developers.
o Port redirection: It is the process of redirecting network traffic from one IP address/port to another IP address/port.
o Session hijacking: Session hijacking refers to the exploitation of a valid computer session to gain unauthorized access to information or services in a computer system.
o Spoofing: Spoofing is a technique that makes a transmission appear to have come from an authentic source by forging the IP address, email address, caller ID, etc.
o Trojan: A Trojan horse is a malicious software program that masquerades as a normal program. When a Trojan horse program is run, its hidden code runs to destroy or scramble data on the hard disk.
o Virus: A virus is an executable file that infects documents, has the ability to replicate, and avoids detection. Viruses are designed to corrupt or delete data files from the hard disk.
o Worm: A computer worm is a self-replicating malware program which uses a computer network to send copies of itself to other nodes (computers on the network), and it may do so without any user intervention.

Types of hacking attacks

There are four types of hacking attacks, which are as follows:
o Operating system attacks: In these attacks, the attacker looks for OS-related vulnerabilities and uses those vulnerabilities to gain access to the network.
Some of the OS vulnerabilities are as follows:
   o Buffer overflow vulnerabilities
   o Bugs in the operating system
   o Unpatched operating systems
o Application-level attacks: Many software packages have poor error checking. Poor or nonexistent error checking in applications leads to the following:
   o Buffer overflow attacks
   o Active content
   o Cross-site scripting
   o Denial of service and SYN attacks
   o SQL injection attacks
   o Malicious bots
Other application-level attacks are as follows:
   o Phishing
   o Session hijacking
   o Man-in-the-middle attack
   o Parameter/form tampering
   o Directory traversal attacks
o Shrink wrap code attack: When a user installs an OS/application, it comes with many sample scripts for administrative tasks. Often, these scripts are not customized, which leads to default code or shrink wrap code attacks.
o Misconfiguration attack: If an operating system is not correctly configured, it can be hacked easily. Often, network administrators do not have the necessary skills to solve configuration-related problems; hence, in such conditions, misconfiguration attacks can be performed very easily. Before devices are deployed in the network, the administrators are expected to change the configuration of the devices. If they do not change the configuration of a device, its default settings will be used to attack the system. Any redundant services or software should be removed to optimize the configuration of the machine.

Vulnerability research

Vulnerability research is the process used to discover vulnerabilities and design flaws that may lead to an attack on or misuse of an operating system and its applications. Vulnerabilities are classified depending on severity level (low, medium, or high) and exploit range (local or remote). An administrator needs vulnerability research for the following purposes:
o Identify and correct network vulnerabilities.
o Collect information about viruses.
o Find weaknesses, and alert the network administrator before a network attack.
o Protect the network from being attacked by intruders.
o Get information that helps to prevent security problems.
o Know how to recover from a network attack.

Vulnerability research tools

Here are some examples of the various vulnerability research tools currently available in the market:
o CodeRed Center
o Hackerstorm Vulnerability Database Tool
o SecurityTracker
o HackerWatch
o Symantec
o SecurityFocus
o TechNet Security Magazine
o SC Magazine
o Help Net Security
o Computerworld
o CNET Blogs
o Techworld Security Watch
o HackerJournals
o Windows Security Blogs

The following are some important vulnerability research tools:
o CodeRed Center: It is a comprehensive security resource that security administrators can use for daily, accurate, up-to-date information on the latest viruses, Trojans, malware, threats, security tools, risks, and vulnerabilities.
o SecurityTracker: It provides information on security vulnerabilities.
o HackerWatch: It is a utility built into McAfee's Personal Firewall software. When a user of that software sees a hacker trying to scan ports, HackerWatch makes a note of it and permits everyone to see it. The site also exhibits the ports that are currently most used, so ethical hackers can ensure that those ports are secure.
o SecurityFocus: It is used to provide information on security vulnerabilities.
o SC Magazine: It is a print and online magazine that specializes in IT security.

Categories of computer crimes

Computer crimes can be broadly classified into two categories:
1. Crimes facilitated by a computer: A computer-facilitated crime takes place when a computer is used as a tool for criminal activities. This can include the following:
   o Storing records of fraud
   o Producing false identification
   o Reproducing and distributing copyrighted material
   o Collecting and distributing child pornography
2. Crimes where the computer is the target: Crimes where computers are the targets are not the same as traditional types of crimes.
Sophisticated technology has made it more difficult to answer queries about the identification of the criminal, the nature of the crime, the identity of the victim, the location or jurisdiction of the crime, and other details. Hence, in an electronic or digital environment, evidence has to be gathered and handled differently than at a traditional crime scene.

Penetration tests

A penetration test (also known as a pen-test) is a method used to evaluate the security of a computer system or network. It simulates an attack from a malicious source, known as a black hat hacker, or cracker. In a penetration test, an active analysis of the system is done for potential vulnerabilities that may appear due to the following:
o Poor or improper system configuration
o Known and/or unknown hardware or software flaws
o Operational weaknesses in process

This analysis is performed from the position of a potential attacker, and can include active exploitation of security vulnerabilities. The security issues, together with an assessment of their impact and often with a proposal for mitigation or a technical solution, will be presented to the system owner. The intent of a penetration test is to determine the feasibility of an attack and the amount of business impact of a successful exploit, if discovered. It is a component of a full security audit.

Need for penetration testing

Attackers are always looking for opportunities to penetrate systems. They employ any number of automated tools and network attacks looking for holes in your system. Most hackers use well-known attacks and exploits, which are entirely preventable. Penetration testing provides IT management with a view of their network from a malicious point of view. The goal is that the penetration tester will find ways into the network so that they can be fixed before someone with less than honorable intentions discovers the same holes.

Penetration testing:
o Identifies threats that an organization's information assets could face.
o Assures an organization that a thorough and comprehensive assessment of organizational security covering policy, procedure, design, and implementation will be done.
o Helps an organization gain and maintain certification to an industry regulation.
o Helps an organization adopt best practices to conform to legal and industry regulations.
o Focuses on high-severity security vulnerabilities. Application-level security issues are delegated to development teams.
o Provides a comprehensive approach of preparation steps in order to prevent upcoming exploitation.
o Evaluates the efficiency of network security devices, such as firewalls, routers, and web servers.
o Reduces an organization's IT security costs and identifies and resolves vulnerabilities to provide a better return on security investment (ROSI).

Types of penetration tests

1. Information gathering
2. Vulnerability analysis
3. External penetration testing
4. Internal network penetration testing
5. Router and switches penetration testing
6. Firewall penetration testing
7. IDS penetration testing
8. Wireless network penetration testing
9. Denial of service penetration testing
10. Password cracking penetration testing
11. Social engineering penetration testing
12. Stolen laptop, PDAs, and cell phones penetration testing
13. Application penetration testing
14. Physical security penetration testing
15. Database penetration testing
16. VoIP penetration testing
17. VPN penetration testing
18. War dialing
19. Virus and Trojan detection
20. Log management penetration testing
21. File integrity checking
22. Bluetooth and hand-held device penetration testing
23. Communication system penetration testing
24. Email security penetration testing
25. Data leakage penetration testing

Penetration testing methodologies

A penetration testing methodology defines a roadmap with practical ideas and proven practices which should be handled with great care in order to assess the system security correctly.
Different testing frameworks and methodologies exist to help information security (InfoSec) professionals choose the best strategy to conduct a successful penetration test. Here is a list of the most widely used methodologies.

Whitebox testing is a testing technique in which an organization provides full knowledge about the infrastructure to the testing team. The information provided by the organization often includes network diagrams, source code, and IP addressing information of the infrastructure to be tested. Also known as internal testing, this approach is less expensive and time consuming than the black box approach. Since the tester or auditor (also known as a white-hat) is aware of all the internal and underlying technologies used by the target environment, it opens a wide gate for them to view and critically evaluate the security vulnerabilities with the minimum possible effort. The goal of this approach is to eliminate any internal security issues lying in the target infrastructure environment, thus making it harder for a malicious adversary to infiltrate from the outside.

Blackbox testing is a technique in which the testing team has no knowledge about the infrastructure of the organization. This type of testing is also known as external testing. The testers or auditors (black-hats) must first determine the location and extent of the systems before commencing their analysis. This testing technique can be expensive and time consuming. In this approach, the tester will be assessing the network infrastructure from a remote location and will not be aware of any internal technologies deployed by the organization concerned. The tester will employ a number of real-world hacker techniques and, following through organized test phases, may reveal known and unknown sets of vulnerabilities which may otherwise exist on the network.

Graybox testing is a combination of whitebox testing and blackbox testing.
This hybrid approach provides a powerful insight for internal and external security viewpoints. It does require an auditor with limited knowledge of the internal system to choose the best way to assess its overall security. The tester or auditor (also known as a gray-hat) is equipped with knowledge of the system and designs test cases or test data based on that system knowledge. The gray-hat typically performs testing to find vulnerabilities in software and network systems.

Chapter Summary

In this chapter, we learned about the elements of information security, top security challenges, various hacking terminologies and the fundamentals of ethical hacking. We also learned about the skills required of an ethical hacker, hacktivism, the phases of malicious hacking, and the types of hacking attacks. Lastly, we discussed penetration testing and its associated methodologies.

Glossary

Attack: An attack is an action against an information system or network that attempts to violate the system's security policy.
Authentication: Authentication is the act of establishing or confirming something (or someone) as authentic, i.e., that claims made by or about the subject are true ("authentification" is a French language variant of this word).
Authenticity: Authenticity is the characteristic of a communication, document, or any data that ensures its genuine quality, or that the quality is not corrupted from the original.
Cracker: A computer expert performing malicious actions.
Ethical Hacker: A computer expert securing information.
Hacker: A hacker is an intelligent individual having excellent computer skills. The hacker has the ability to create and explore into the computer's software and hardware.
Hacktivism: Hacktivism is the act of hacking or breaking into a computer system for a politically or socially motivated purpose.
Non-repudiation: Non-repudiation ensures that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they generated.
Penetration test: A penetration test is a method of evaluating the security of a computer system or network by simulating an attack from a malicious source, known as a Black Hat Hacker, or Cracker.
Phreaker: A person who breaks into a communication system.
Script kiddie: A script kiddie is an individual who uses hacking programs developed by others to attack information systems and deface Web sites.
Threat: A threat is an indication of a potential undesirable event.
Vulnerability research: Vulnerability research is the process used to discover vulnerabilities and design flaws that will open an operating system and its applications to attack or misuse.
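As an added example that is not part of the original chapter, the buffer overflow entry from the hacking terminology section above is shown in C: a fixed-size record field receives more data than the program was written to accept, beside a bounded copy that rejects the oversized input and leaves the neighbouring field untouched. The struct and function names (Record, copy_unchecked, copy_bounded, try_store, neighbour_after_store) are illustrative assumptions, not from any real project.

```c
/* Added example (not from the chapter): the "buffer overflow" terminology
 * entry shown as code. A fixed-size buffer receives more data than the
 * program was written to accept, beside a bounded version that rejects
 * oversized input. Names are illustrative, not from any real project. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* the program is "configured to accept" 15 characters plus NUL */

typedef struct {
    char name[NAME_MAX];
    int  is_admin;    /* sits right after name[]; an overflow of name[] can overwrite it */
} Record;

/* Vulnerable pattern: strcpy() copies until the source's terminating NUL and
 * never looks at the destination size. Input of NAME_MAX or more characters
 * writes past the end of name[] into is_admin (or beyond), which is the
 * programming error the terminology entry describes. Kept for contrast only;
 * the demo below never calls it with oversized input. */
void copy_unchecked(Record *r, const char *input)
{
    strcpy(r->name, input);
}

/* Hardened pattern: look for the terminator within the first NAME_MAX bytes
 * (memchr never reads further) and refuse input that would not fit together
 * with its NUL, instead of truncating silently or overflowing.
 * Returns 0 on success, -1 if the input was rejected. */
int copy_bounded(Record *r, const char *input)
{
    const char *nul = memchr(input, '\0', NAME_MAX);
    if (nul == NULL)
        return -1;                                   /* no terminator in range: too long */
    memcpy(r->name, input, (size_t)(nul - input) + 1); /* copies the NUL as well */
    return 0;
}

/* Result code of a bounded copy into a fresh record: 0 accepted, -1 rejected. */
int try_store(const char *input)
{
    Record r;
    memset(&r, 0, sizeof r);
    return copy_bounded(&r, input);
}

/* Value of the neighbouring field after a bounded copy attempt. It starts at
 * the sentinel 7 and must still be 7 afterwards, whatever the input length,
 * because the bounded copy never writes outside name[]. */
int neighbour_after_store(const char *input)
{
    Record r;
    memset(&r, 0, sizeof r);
    r.is_admin = 7;
    (void)copy_bounded(&r, input);
    return r.is_admin;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that does not. */
    const char *ok  = "alice";
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* 24 characters */

    printf("%-26s -> %s\n", ok,  try_store(ok)  == 0 ? "stored" : "rejected");
    printf("%-26s -> %s\n", big, try_store(big) == 0 ? "stored" : "rejected");
    printf("is_admin after oversized input: %d (unchanged)\n",
           neighbour_after_store(big));
    return 0;
}
```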