Introduction To Ethical Hacking
-
Upload
thiga-mwangi -
Category
Documents
-
view
55 -
download
2
Transcript of Introduction To Ethical Hacking
![Page 1: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/1.jpg)
Introduction To Ethical HackingCLASS PRESENTATION
![Page 2: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/2.jpg)
What is hacking?• In layman’s language, hacking is the process of cutting with rough or heavy blows.
•However, in the computer world, hacking refers to the process of using a computer to gain unauthorized access to data in a system.
![Page 3: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/3.jpg)
Types Of Hackers
White hat hacker Gray hat hacker Black hat hacker
• an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies to ensure the security of an organization's information systems.
• A grey hat hacker lies between a black hat and a white hat hacker. A grey hat hacker may surf the Internet and hack into a computer system for the sole purpose of notifying the administrator that their system has a security defect, for example. They may then offer to correct the defect for a fee.
• violates computer security for little reason beyond maliciousness or for personal gain
![Page 4: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/4.jpg)
Ethical HackingIN DETAILS
![Page 5: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/5.jpg)
Ethical Hacking is:• Legal
• Permitted by the agent
• Part of an overal security programme
• When ethical hackers possess same skills,mindset and tools of a hacker but the attacks are done in a non destructive manner
A successful test doesn't necessarily mean a network or system is 100 percent secure, but it should be able to withstand automated attacks and unskilled hackers.
![Page 6: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/6.jpg)
Why Ethical Hacking?1.Counter
defacements2.Protection from
possible external attacks
![Page 7: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/7.jpg)
Introduction To Ethical Hacking• Ethical hackers use the same methods and techniques to test and bypass a system's defenses as their less-principled counterparts, but rather than taking advantage of any vulnerabilities found, they document them and provide advice on how to fix them.
• The purpose of ethical hacking is to evaluate the security of a system's infrastructure. It entails finding and attempting to exploit any vulnerabilities to determine whether unauthorized access or other malicious activities are possible.
![Page 8: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/8.jpg)
Ethical Hacking Process• Preparation
• Footprinting
• Enumaration fingerprinting
• Identification of vulnerabilities
•Attack
ANY ORGANIZATION THAT HAS A NETWORK CONNECTED TO THE INTERNET OR PROVIDES AN ONLINE SERVICE SHOULD CONSIDER SUBJECTING IT TO A PENETRATION TEST.
![Page 9: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/9.jpg)
Preparation• Identification of Targets – company websites, mail
servers, extranets, etc.
• Signing of Contract• Agreement on protection against any legal issues
• Contracts to clearly specifies the limits and dangers of the test
• Specifics on Denial of Service Tests, Social Engineering, etc.
• Time window for Attacks
• Total time for the testing
• Prior Knowledge of the systems
• Key people who are made aware of the testing
![Page 10: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/10.jpg)
FootprintingCollecting as much information about the target
DNS Servers
IP Ranges
Administrative Contacts
Problems revealed by administrators
Information SourcesSearch enginesForumsDatabases – whois, ripe, arin, apnicTools – PING, whois, Traceroute, DIG, nslookup, sam spade
![Page 11: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/11.jpg)
Enumeration & Fingerprinting
• Specific targets determined
• Identification of Services / open ports
• Operating System Enumeration
MethodsBanner grabbingResponses to various protocol (ICMP &TCP) commands Port / Service Scans – TCP Connect, TCP SYN, TCP FIN, etc.
ToolsNmap, FScan, Hping, Firewalk, netcat, tcpdump, ssh, telnet, SNMP Scanner
![Page 12: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/12.jpg)
Identification of VulnerabilitiesVulnerabilities
• Insecure Configuration
• Weak passwords
• Unpatched vulnerabilities in services, Operating systems, applications
• Possible Vulnerabilities in Services, Operating Systems
• Insecure programming
• Weak Access Control
![Page 13: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/13.jpg)
Identification of VulnerabilitiesMethods
• Unpatched / Possible Vulnerabilities – Tools, Vulnerability information Websites
• Weak Passwords – Default Passwords, Brute force, Social Engineering, Listening to Traffic
• Insecure Programming – SQL Injection, Listening to Traffic
• Weak Access Control – Using the Application Logic, SQL Injection
![Page 14: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/14.jpg)
Identification of VulnerabilitiesTools
Vulnerability Scanners - Nessus, ISS, SARA, SAINT
Listening to Traffic – Ethercap, tcpdump
Password Crackers – John the ripper, LC4, Pwdump
Intercepting Web Traffic – Achilles, Whisker, Legion
![Page 15: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/15.jpg)
Attack – Exploit the vulnerabilities• Obtain as much information (trophies) from the Target
Asset
• Gaining Normal Access
• Escalation of privileges
• Obtaining access to other connected systems
Last Ditch Effort – Denial of Service
![Page 16: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/16.jpg)
Attack – Exploit the vulnerabilities
Network Infrastructure Attacks
Connecting to the network through modem
Weaknesses in TCP / IP, NetBIOS
Flooding the network to cause DOS
Operating System AttacksAttacking Authentication SystemsExploiting Protocol ImplementationsExploiting Insecure configurationBreaking File-System Security
![Page 17: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/17.jpg)
Attack – Exploit the vulnerabilities
Application Specific Attacks• Exploiting implementations of HTTP, SMTP protocols
• Gaining access to application Databases
• SQL Injection
• Spamming
![Page 18: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/18.jpg)
Attack – Exploit the vulnerabilitiesExploits
Free exploits from Hacker Websites
Customized free exploits
Internally Developed
Tools – Nessus, Metasploit Framework,
![Page 19: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/19.jpg)
Reporting• Methodology
• Exploited Conditions & Vulnerabilities that could not be exploited
• Proof for Exploits - Trophies
• Practical Security solutions
![Page 20: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/20.jpg)
Ethical Hacking - Commandments• Working Ethically• Trustworthiness
• Misuse for personal gain
• Respecting Privacy
• Not Crashing the Systems
![Page 21: Introduction To Ethical Hacking](https://reader038.fdocuments.in/reader038/viewer/2022102905/55d292abbb61eb7e548b458c/html5/thumbnails/21.jpg)
prepared and Presented by: Group 1
•RefferencesWebsites:
Common Vulnerabilities & Exposures – http://cve.mitre.org
Bugtraq – www.securityfocus.com
Mwangi Thiga and Mwangi Edith