Module 1 Ehp PDF

The document discusses the framework for ethical hacking which includes planning, reconnaissance, enumeration, vulnerability analysis, exploitation, and final analysis. It covers the impacts of hacking including losses of resources, information, time, and reputation. It also defines different types of hackers and hacking terminologies.

Uploaded by chempa1

Ethical hacking & Prevention-Module 1

Module-1
Introduction: Hacking Impacts. The Hacker Framework: Planning the Test, Sound
Operations, Reconnaissance, Enumeration, Vulnerability Analysis, Exploitation, Final
Analysis, Deliverable, Integration. Information Security Models: Computer Security,
Network Security, Service Security, Application Security, Security Architecture.
Information Security Program: The Process of Information Security, Component Parts of
Information Security Program, Risk Analysis and Ethical Hacking.

Introduction to Hacking:

• The word hacking normally conjures images of a lone cyber-criminal, hunched over a
computer and transferring money at will from an unsuspecting bank, or downloading
sensitive documents with ease from a government database.

• In modern English, the term hacking can take on several different meanings
depending on the context.
• As a matter of general use, the word typically refers to the act of exploiting
computer security vulnerabilities to gain unauthorized access to a
system.

• Furthermore, hacking for the purposes of national security has also become a
sanctioned (whether acknowledged or not) activity by many nation-states.
Hacking Terminologies


Hacker Classes:


Hacking Impacts:
At the risk of stating the obvious, hacking—computer crime—can result in massive financial
losses for companies, governments, and individuals alike. The costs associated with computer
crime can manifest themselves in various ways, which may range from the obscure to a clear hit
to the bottom line.

Digital assets where costs from hackers can manifest themselves fall into four major categories:
resources, information, time, and reputation.

1. Resources- Resources are computer-related services that perform actions or tasks on the
user’s behalf. Core services, object code, or disk space can be considered resources that, if
controlled, utilized, or disabled by an unauthorized entity, could result in the inability to
capture revenue for a company or have an impact on an important process resulting in the
failure to meet expected objectives.

2. Information- Information can represent an enormous cost if destroyed or altered without
authorization. However, there are few organizations that assign a value to information and
implement the proportionate controls.
(a) Loss. The loss of data is relatively easy to measure when compared to disclosure and
integrity. Information takes time to collect or produce, requires resources to be managed, and
will certainly (to some degree) have value. There are many examples of intentional and
unintentional data loss; losing data when a hard drive fails is a painful experience we all hope we
have to survive only once.

(b) Disclosure. Nearly every entity that uses information has the potential to be negatively
affected by its uncontrolled disclosure. Although the impact of an unauthorized disclosure is
one of the most difficult to measure, such a breach is noteworthy because it represents the
traditional fear of hacking: proprietary information theft. If someone steals your car, there is
a cost that can be quickly determined because of the crime’s physical nature. Information,
on the other hand, is intangible, and the thief may not perceive content to be as valuable as
the owner does; therefore, the disclosure may have little or no impact.

(c) Integrity. Ensuring information is accurate and complete is necessary for any
organization. If data were to be manipulated it could become a loss to the owner. This can be
as simple as the cost of an item online being $99.99 but represented as $9.99 because a hacker
found a way of manipulating cookies to move the decimal point one position to the left.

3. Time. The loss of time can be related to costs in the form of payroll, not meeting critical
deadlines, or an unavailable E-commerce site that would normally produce thousands of
dollars in revenue if it were available. Anything that consumes time, consumes money, and
expenditures for recovering from an incident can represent the greatest form of financial
loss.

4. Brand and Reputation. There are many companies who have very recognizable brands, so
much so that the color alone will promote images of

The Hacker Framework:

A framework is a collection of measurable tasks, whereas a methodology is a specific set of
inputs, processes, and their outputs. A framework provides a hierarchy of steps, taking into
consideration the relationships that can be formed when executing a task given a specific
method.

• The mission of the framework is to explain the steps, their relation to other points
within the performance of a test, and to expose the impact on value when excluding
various methods within each.
• In the simplified Figure below, we see each primary phase of the framework with
points within each representing a task or value element. Some circles are larger than
others, signifying more potential value.
• Depending on what tasks are not employed, some downstream elements may not be
available simply because the required information or results from previous elements
do not exist.
• Given that the framework is founded on related processes that span phases, the use (or
omission) of a process will limit the availability or effectiveness of other processes.

PLANNING THE TEST


• As with anything worth doing, proper planning is essential to performing a successful project.
Planning provides an opportunity to evaluate existing business demands and processes, how they
relate to a new business endeavour, and to make choices on which characteristics are worth doing
and those in which you’re not willing to accept risk.
• Existing security policies, culture, laws and regulations, best practices, and industry requirements
will drive many of the inputs needed to make decisions on the scope and scale of a test.


• Arguably, the planning phase of a penetration test will have a profound influence on how the test is
performed and the information shared and collected, and will directly influence the deliverable and
integration of the results into the security program.
• Planning describes many of the details and their role in formulating a controlled attack. Security
policies, program, posture, and ultimately risk all play a part in guiding the outcome of a test. What
drives a company’s focus on security, its core business needs, challenges, and expectations will set
the stage for the entire engagement.

SOUND OPERATIONS

• How is the test going to be supported and controlled? What are the underlying actions that
must be performed regardless of the scope of the test? Who does what, when, where, how
long, who is out of bounds, and what is in bounds of a test all need to be addressed.
• Logistics of the test will drive how information is shared and to what degree (or depth) each
characteristic will be performed to achieve the desired results.
• Operational features will include determining what the imposed limitations of the tester are
and how they are evaluated during the test.

RECONNAISSANCE

Reconnaissance is the search for freely available information to assist in the attack.
The search can be quick ping sweeps to see what IP addresses on a network will respond, scouring
newsgroups on the Internet in search of employees divulging useful information, or rummaging
through the trash to find receipts for telecommunication services.


ENUMERATION
Enumeration (also known as network or vulnerability discovery) is essentially obtaining readily
available (and sometimes provided) information directly from the target’s systems, applications,
and networks.
An interesting point to make very early is that the enumeration phase represents a point within the
project where the line between a passive attack and an active attack begins to blur. Without setting
the appropriate expectations, this phase can have results ranging from “Oops” to “Do you swear to
tell the truth and nothing but the truth?”


The information enumerated by an attacker includes:

• Users and Groups
• Networks and shared paths
• Hostnames
• Route Tables
• Service Settings
• SNMP port scanning and DNS Details

Significance of enumeration:

• Enumeration is often considered a critical phase in penetration testing, as the outcome of
enumeration can be used directly for exploiting the system.

Enumeration classification

• NetBIOS Enumeration
• SNMP Enumeration
• NTP Enumeration
• SMTP Enumeration (VRFY, EXPN, RCPT TO)
• DNS Enumeration
Different Enumeration Tools

Tools Used for SNMP:


• SNMPUtil
• OpUtils
• Solar Winds IP
• SNMP Scanner
NTP Enumeration Tools:
• Ntptrace
SMTP Enumeration Tools:
• NetScan Tools
DNS Enumeration Tools:
• Nslookup Tools
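From the defender's side, the SMTP enumeration commands listed above (VRFY, EXPN, RCPT TO) leave a recognizable trace in mail-server logs. The following Python script is an added example, not part of the original notes: it parses constructed log lines (the one-line key=value format, the thresholds and the client addresses are assumptions) and flags clients that probe many mailbox names in a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real mail server); the key=value
# format is an assumption made for this example. cmd=RCPT stands for RCPT TO.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z smtpd[1203]: client=203.0.113.7 cmd=VRFY arg=alice code=252
2024-03-02T10:15:02Z smtpd[1203]: client=203.0.113.7 cmd=VRFY arg=bob code=550
2024-03-02T10:15:02Z smtpd[1203]: client=203.0.113.7 cmd=EXPN arg=staff code=502
2024-03-02T10:15:03Z smtpd[1203]: client=203.0.113.7 cmd=VRFY arg=carol code=550
2024-03-02T10:15:04Z smtpd[1204]: client=198.51.100.20 cmd=RCPT arg=sales@example.com code=250
2024-03-02T10:15:05Z smtpd[1204]: client=198.51.100.20 cmd=RCPT arg=info@example.com code=250
2024-03-02T10:16:00Z smtpd[1205]: client=203.0.113.9 cmd=RCPT arg=aaron@example.com code=550
2024-03-02T10:16:00Z smtpd[1205]: client=203.0.113.9 cmd=RCPT arg=abby@example.com code=550
2024-03-02T10:16:01Z smtpd[1205]: client=203.0.113.9 cmd=RCPT arg=adam@example.com code=550
2024-03-02T10:16:01Z smtpd[1205]: client=203.0.113.9 cmd=RCPT arg=admin@example.com code=250
2024-03-02T10:16:02Z smtpd[1205]: client=203.0.113.9 cmd=RCPT arg=alan@example.com code=550
2024-03-02T10:16:02Z smtpd[1205]: client=203.0.113.9 cmd=RCPT arg=alex@example.com code=550
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) smtpd\[\d+\]: client=(?P<client>\S+) "
    r"cmd=(?P<cmd>[A-Z]+) arg=(?P<arg>\S+) code=(?P<code>\d{3})$"
)


def parse_log(text):
    """Turn the log text into a list of event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip lines that do not match the expected format
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def _is_probe(ev):
    # VRFY/EXPN are rarely needed for legitimate delivery; treat each as a probe.
    return ev["cmd"] in ("VRFY", "EXPN")


def _is_unknown_rcpt(ev):
    # RCPT TO answered 550 (user unknown): a guessed, non-existent mailbox.
    return ev["cmd"] == "RCPT" and ev["code"] == "550"


def detect_enumeration(events, window=timedelta(minutes=5),
                       probe_threshold=3, unknown_threshold=5):
    """Return {client: [finding codes]} for clients whose commands inside any
    sliding `window` look like user enumeration rather than normal delivery."""
    by_client = defaultdict(list)
    for ev in events:
        by_client[ev["client"]].append(ev)

    findings = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        reasons, start, probes = set(), 0, 0
        unknown = defaultdict(int)  # recipient -> 550 responses inside window
        for ev in evs:
            if _is_probe(ev):
                probes += 1
            elif _is_unknown_rcpt(ev):
                unknown[ev["arg"]] += 1
            # Drop events that have fallen out of the window.
            while ev["ts"] - evs[start]["ts"] >= window:
                old = evs[start]
                if _is_probe(old):
                    probes -= 1
                elif _is_unknown_rcpt(old):
                    unknown[old["arg"]] -= 1
                    if unknown[old["arg"]] == 0:
                        del unknown[old["arg"]]
                start += 1
            if probes >= probe_threshold:
                reasons.add("vrfy_expn_probing")
            if len(unknown) >= unknown_threshold:
                reasons.add("rcpt_unknown_recipient_scan")
        if reasons:
            findings[client] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for client, reasons in detect_enumeration(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {', '.join(reasons)}")
```

Disabling VRFY and EXPN on the server removes the first signal entirely; the RCPT TO check still matters because recipient validation cannot be switched off.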


VULNERABILITY ANALYSIS

“Vulnerabilities are the gateways by which threats are manifested” (as documented by SANS).

• During the enumeration phase, we interpret the information collected, looking for
relationships that may lead to exposures that can be exploited.

• The vulnerability analysis phase is a practical process of comparing the collected information with
known vulnerabilities.

• Most information can be collected from the Internet or other sources, such as newsgroups
or mailing lists, which can be used to compare information about the target to seek options
for exploitation.
• However, information provided by vendors and even data collected from the target can be
used to formulate a successful attack.
• Information collected during the reconnaissance phase from the company can provide
information about vulnerabilities unique to its environment.
• Data obtained directly from the company can actually support the discovery of
vulnerabilities that cannot be located anywhere else.
• Known vulnerabilities, incidents, service packs, updates, and even available hacker tools
help in identifying a point of attack. The Internet provides a plethora of insightful
information that can easily be associated with the architecture of the target.


EXPLOITATION

A great deal of planning and evaluation is performed during the earlier phases to ensure a
business-centric foundation of value is established for the test. Of course, all of this planning must
lead to some form of attack.
Exploiting systems and applications can be easy, such as running a tool, or intricate, with fine-
tuned steps executed in a specific way to get in.
No matter the level of difficulty, good testers follow a pattern during the exploitation phase of a
test.

The attack process is broken up into threads and groups, and each appears in sets of security. A
thread is a collection of tasks that must be performed in a specific order to achieve a goal. Threads
can be one step or many in a series used to gain access.

Each test is evaluated at every point within the operation to ensure the expected outcome is met.
Each divergence from the plan is appraised to make two fundamental determinations:

1. Expectations. The objective is to ensure each test is within the bounds of what was established
and agreed upon. On the other hand, if the test begins to produce results that were not considered
during the planning, enumeration, and vulnerability analysis phases, the engagement needs to be
reconsidered or, at a minimum, the planning phase needs to be revisited.

2. Technical. Is a system reacting in an unexpected manner, which is having an impact on the test
and the engagement as a whole? Much more granular in theory than general expectations of the test,
technical gaps are literally the response of a system during the test. Keeping your eyes open for
unexpected responses from systems ensures you have not negatively affected the target or gone
beyond the set scope of the test.


FINAL ANALYSIS

• Although the attack process has many checks and validations to ensure the overall success
of the engagement, a final analysis of all the collected data and exploits must be performed.
• Vulnerabilities associated with the test need to be categorized to determine the level of
exposure and to assist in supporting a well-defined deliverable and mitigation plan.
• The final analysis phase provides a link between the exploitation phase and the creation of
the deliverable.
• The first goal of the analysis is to take a comprehensive view of the entire engagement and
look for other opportunities that may exist, but are not directly observed.
• The idea is to build a bigger picture of the security posture of the target’s environment and
classify vulnerabilities to communicate the results in a clear and useful manner.
• The final analysis is part interpretation and part empirical results. To define something as
critical with little evidence can become problematic when presented to the recipient of the
test.

DELIVERABLE

The deliverable phase is the only way for an ethical hacker to convey the results of their tests.
Recently, ethical hacking has come to have economic value. Finally, it is essential that there is some
means of using the test results for something productive.

Deliverables communicate the results of tests in numerous ways.

• Some deliverables are short and concise, only providing a list of vulnerabilities and how to
fix them, while others are long and detailed, providing a list of vulnerabilities with detailed
descriptions regarding how they were found, how to exploit them, the implications of having
such a vulnerability and how to remedy the situation.
• The deliverable phase is a way for an ethical hacker to convey the results of their tests.
Recently, ethical hacking has become so commoditized that if a deliverable does not instill
fear into the hearts of executives, it could be considered a failure.

Finally, it is essential that there is some means of using the test results for something
productive. Often, the deliverable is combined with existing materials, such as risk
analysis, security policy, previous test results, and information associated with a security program
to enhance mitigation and develop remedies and patches for vulnerabilities.

There are three distinguishing factors that should be considered during the integration of any test
results:

Mitigation – If a vulnerability beyond acceptable risk is found, it needs to be fixed. Mitigation
of a vulnerability can include testing, piloting, implementing, and validating changes to systems.

Defense – Vulnerabilities need to be addressed in a strategic manner in order to minimize future
or undetected vulnerabilities. Defense planning is establishing a foundation of security to grow on
and ensure long-term success.


Incident Management – The ability to detect, respond to, and recover from an attack is
essential. Knowing how attacks are made and the potential impacts on the system aids in
formulating an incident response plan. The ethical hacking process provides an opportunity for
discovering the various weaknesses and attractive avenues of attack of a system, which can aid in
preventing future attacks.

INFORMATION SECURITY MODELS:

Two models are introduced here: the different levels, or layers, at which one can employ security
controls (defense-in-depth), and a security architecture.

The defense-in-depth model is defined in four layers:

1. Computer security
2. Network security
3. Service security
4. Application security

Computer security includes many diverse subjects, such as controlling authorized (and unauthorized) access,
managing user accounts and their privileges, software management, change control, development, and
database security.


There are numerous ways of securing a system.


1. HARDEN A SYSTEM
Determining what steps are necessary to harden a system can be very frustrating. There are sample
configurations and tools that can be used to configure Microsoft and UNIX systems. The following are
some common characteristics of hardening a system.

Common practices are as follows:

• Install case locks on publicly accessible systems, such as workstations.
• Place critical systems in a locked cabinet (cage) in a controlled facility.
• Avoid the use, or installation, of removable media support such as floppies,
CD-drives, and removable hard drives.
• Disable or remove support for external access ports, such as USB ports,
COM ports, and keyboard support when applicable.
• Set up a BIOS password to reduce the exposure of someone rebooting
the system and making changes to the system.
• Disable the power switch or use a lockable switch.
• Ensure power supplies are secured and redundant. It is one thing to hit
the power button; it is another to just unplug it.
• Provide suitable operating conditions such as raised floors and environmental
controls.
• Control access to the computer room.

Setup practices include the following:

• Determine if there is a company-approved configuration or system image that is relevant to
the role of the system. For example, a Web server configuration may be very different if it is for
Internet services as opposed to an internal development system.
• Install the operating system from scratch. In other words, avoid updating an existing operating
system. The result may be inheriting vulnerabilities, viruses, or poor configurations.
• Select the appropriate file system format that reflects the needs of the computer. However,
based on today’s awareness of security, rarely is a nonsecure file system implemented, such as FAT
(File Allocation Table).
• If provided the opportunity, such as during the installation of Microsoft, Red Hat, Solaris,
and BSD, to name a few, do not install any services by default. Look to enable services rather
than disable. Windows 2003 installs with all (most) services disabled by default. Disabling services
during installation is a trend many operating systems are practicing to reduce the likelihood of
frivolous exposures based on unused system elements.
• Enable interfaces only when they are necessary to complete the installation. This will avoid
interaction before it is properly configured. For example, to load a specific module you may need
to connect to a different system on the network to collect the application for installation.

Accessing the System:

• Implement access control lists restricting only the protocols that are going to be used on the
system.
• Make protocol stack changes. For example, change the number of permitted open connections or
shorten the wait time associated with half open connections.
• Configure the system to accept or deny remote login and remote procedure calls that are
associated with execution of remote applications.


Clean up:

Before installing applications and other things that will affect the security of a system, the next step
is very important, and many still do not do it: applying patches. Patches fall into three categories:

1. Functionality. A patch that fixes or enhances a certain function of the system, for example how
memory is handled, the performance of network connections, or adding more options to an
administrative program.
2. Feature. A feature patch increases the use of the system: an added feature.
3. Security. A security patch fixes a vulnerability in the system due to unexpected conditions the
system is in or a misstep in programming.

NETWORK SECURITY:

As with computer security, there are various characteristics of network security.
These are summarized in the following list:

• Transmission Security. The protection of data as it is transmitted from one location to
another.
• Protocol Security. The construction of packets and how they are processed and used to
transmit information.
• Routing Protocol Security. The information that is shared by network devices to work
together to support communications.

SERVICE SECURITY:
Services are processes that run on a computer to provide common functions for applications,
users, or other services. Services fall into two very similar categories:

1. Operational. A process that provides a service to applications or users for
functionality.
2. Network. A process that supports the exchange of information for network
services.
The following are examples of operational services used in Microsoft Windows:

• Security Accounts Manager. Stores security information for local user accounts.

• Plug and Play. Enables a computer to recognize and adapt to hardware changes with little or no
user input.
• Net Logon. Supports pass-through authentication of account logon events for computers in a
domain.
• Event Log. Enables event log messages issued by Windows-based programs and components to
be viewed in Event Viewer. This service cannot be stopped.

• Logical Disk Manager. Configures hard disk drives and volumes. The service only runs for
configuration processes and then stops.


• Indexing Service. Indexes contents and properties of files on local and remote computers;
provides rapid access to files through flexible querying language.

Application Security:

A good application development policy should define requirements and coding standards. Areas
those standards should cover include:

• Buffer overflows
• Race conditions
• Tainted input
• Format string issues
• Trust management
• Third-party package connectivity
• Input validation
• Temporary file or memory usage
• Poor cryptography
• Appropriate logging and auditing

SECURITY ARCHITECTURE

1. The resource layer is where services and data reside. It is the home of servers, applications,
databases, workstations, and storage.

2. One of the more critical and complex is the control layer, which provides identity and access
management services. Moreover, the control layer is the point where policy becomes reality in the
technical space. It provides management with the policy and is the point where policy is bound to
data to promote greater authorization across the other characteristics of the entire security
architecture.


3. There is the perimeter layer, which enforces a logical boundary between the Internet and the
intranet, departments, applications, and even users.

4. Finally, the extended layer is a growing entity in its own right. This represents the externally
facing envelope of influence and security, such as remote access risks, application access, and E-
commerce.

Information Security Program:

• Managing the technical and procedural complexities of information security can
become overwhelming for any company.
• A security program provides the foundation and guidance as to how security is
realized throughout a firm and is crucial to the management of security.
• The lack of a security program is typically reflected by the poor state of security for
an entire organization and the tactical nature of security-related activities.
• For companies that maintain a security program, there is a clear understanding of
expectations, processes, and even documents that support the program and ultimately
the maintenance of security.

THE PROCESS OF INFORMATION SECURITY:

IDENTIFY RISK:
Identification of risk involves identification of assets, threats, and vulnerabilities. Assets are
classically defined as something of value to an organization, and may be tangible, such as hardware,
or may be intangible, such as goodwill. Threats are events that offer potential harm to an asset.
Vulnerabilities are inherent weaknesses that may allow a threat to occur. Risk is associated with
each combination of threats and vulnerabilities.

Risk Analysis Process:

A risk is considered the probability of a threat agent exploiting a vulnerability resulting in damage,
disruption, or loss of a system or information. Risk analysis issued to ensure that security is cost
effective and relevant to the identified threats. It assists companies in prioritizing their risks and
illustrates the amount of resources required to protect against those risks in a proportionate manner.
The main purpose of performing a risk analysis is to quantify or qualify the impact of potential
threats or to put a value on the loss of business functionality.


QUANTIFY RISK:

Identifying risk in and of itself is of marginal value, and the quantity of identified risks may at first
seem overwhelming, but it is necessary in defining risk. Risk must be in some way quantified to allow
for prioritization. Prioritized risk may then be used as the basis for a risk mitigation strategy such
as an information security program.

There are two main methods to account for risk when building a business case.

• Quantitative. An analysis based on quantification of data is related to amounts, such as the amount
of money or amount of data that can be physically damaged or stolen.
These types of assessments are based on the amount of loss. One of the factoring algorithms includes
Annualized Loss Expectancy (ALE), which takes the amount of loss times the Annualized Rate of
Occurrence (ARO) to equal the loss expectancy.


A risk analysis based on quantity can be used to determine financial impacts in the event of an
attack on resources.

• Qualitative. Qualitative assessments are based on the forecast of loss compared to several
calculated factors. Some of the factors include the use of the Annualized Rate of Occurrence (ARO)
and a more ambiguous Exposure Factor (EF). For organizations that have a high market-value-to-asset
ratio, qualitative risk assessments are typical.
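To make the two methods above concrete, here is an added Python example (not from the original notes) that works a constructed risk register through the quantitative formula, ALE = amount of loss × ARO, ranks the risks by ALE, and checks whether a proposed control is cost-effective, with a simple ordinal score as the qualitative counterpart. The per-incident loss is derived as SLE = asset value × EF, the standard relation the notes only partly spell out; the register values, residual ARO and control costs are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # AV: what the asset is worth, in currency units
    exposure_factor: float  # EF: fraction of AV lost in one incident (0.0 to 1.0)
    aro: float              # ARO: expected incidents per year

    def sle(self):
        """Single Loss Expectancy: the loss from one occurrence (AV x EF)."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized Loss Expectancy: amount of loss times ARO, as in the notes."""
        return self.sle() * self.aro


def prioritize(risks):
    """Order risks by ALE, highest first, to drive mitigation priority."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def safeguard_value(risk, residual_aro, annual_cost):
    """Annual value of a control: ALE before, minus ALE after (with the reduced
    ARO the control achieves), minus the control's own yearly cost. A negative
    result means the control costs more than the loss it prevents."""
    return risk.ale() - risk.sle() * residual_aro - annual_cost


# Qualitative counterpart: ordinal likelihood x impact, no currency involved.
RATING = {"low": 1, "medium": 2, "high": 3}


def qualitative_score(likelihood, impact):
    """Rank a risk on a 1..9 scale from two ordinal ratings."""
    return RATING[likelihood] * RATING[impact]


# Constructed sample register (all values are illustrative assumptions).
SAMPLE_RISKS = [
    Risk("e-commerce web server", 500_000, 0.25, 2.0),   # two outages a year
    Risk("customer database", 2_000_000, 0.5, 0.125),    # one breach per 8 years
    Risk("developer workstation", 5_000, 1.0, 0.5),      # lost or stolen every 2 years
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.asset:24} SLE={r.sle():>12,.0f} ALE={r.ale():>12,.0f}")
    web = SAMPLE_RISKS[0]
    # A control that halves the outage rate and costs 40,000 a year.
    print("value of outage mitigation:",
          safeguard_value(web, residual_aro=0.5, annual_cost=40_000))
```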

COMPONENT PARTS OF INFORMATION SECURITY PROGRAMS:

Security organizations address the individual’s role in the security program.

• Functional Roles allow assignment of specific security responsibilities such as Information
Security Officers.
• Information Security Management Committees are chartered with specific tasks such as
Configuration Control Boards.
• Multidisciplinary Management Forums are tasked with promoting information security
awareness throughout the organization with codified practices that refine an organization’s risk
mitigation strategy to a level of granularity that can be implemented.

• Policies express conceptual goals of upper management defining the risk mitigation strategy.

• Standards define measurable requirements in support of policy goals.


• Guidelines offer best practice advice on how to meet standard requirements.

• Procedures furnish step-by-step instructions to create a consistent and repeatable process.

• Business Continuity programs ensure the sustainability of the organization.

• Incident Management programs respond to anomalies.

• Security Awareness programs educate an organization’s personnel on information security
issues.

CONTROLS
Controls come in many forms, including physical devices, configurations, roles, and processes,
affecting networks, platforms, roles, and operations. Many controls require subordinate or
supporting controls. For example:
• A firewall is a network control device used to enforce network access and service
requirements. The firewall requires:
– A supporting procedure for authorized users and services
– A supporting role to administer the device
– A supporting organization for configuration control
• A sniffer is a network control device used to monitor traffic for both network management
and anomaly detection.
– A supporting monitoring policy may be required to mitigate an additional
risk of illegal eavesdropping or invasion of privacy.
• Hardening scripts are platform controls used to modify system configurations to minimize
effectiveness of common system exploits.
– A supporting role must track and update the scripts.
• System logging is a control that includes:
– A device such as a log server
– A configuration to enable logging on each device
– A role to analyze the log file

MAINTENANCE PLAN:

An effective security program must always be considered an ongoing initiative, subject to regular
maintenance. Controls deployed today will only meet the current threat environment, and tomorrow
is another day. The program maintenance plan validates protection of the security architecture
model, addressing both security program review and audit.

RISK ANALYSIS AND ETHICAL HACKING:
