
Ethical hacking LEC-3

Ethical hacking, performed by 'white hats,' involves security assessments to improve an organization's security posture with prior approval. Key protocols include staying legal, defining the assessment scope, reporting vulnerabilities, and respecting data sensitivity. Ethical hackers differ from malicious hackers in their intent and methods, and they follow specific steps such as footprinting, scanning, and enumeration to identify and address security weaknesses.

Uploaded by wfarouk

Ethical Hacking

Network Security Secrets & Solutions
What is Ethical hacking?
• Also known as “white hats,” ethical hackers are security experts that perform these security assessments. The proactive work they do helps to improve an organization’s security posture. With prior approval from the organization or owner of the IT asset, the mission of ethical hacking is the opposite of malicious hacking.

https://www.synopsys.com/glossary/what-is-ethical-hacking.html

Hacking experts follow four key protocol concepts:
• Stay legal. Obtain proper approval before accessing and performing a security assessment.
• Define the scope. Determine the scope of the assessment so that the ethical hacker’s work remains legal and within the organization’s approved boundaries.
• Report vulnerabilities. Notify the organization of all vulnerabilities discovered during the assessment. Provide remediation advice for resolving these vulnerabilities.
• Respect data sensitivity. Depending on the data sensitivity, ethical hackers may have to agree to a non-disclosure agreement, in addition to other terms and conditions required by the assessed organization.

Ethical Hackers vs. Malicious Hackers

Ethical
• Ethical hackers use their knowledge to secure and improve the technology of organizations.
• They provide an essential service to these organizations by looking for vulnerabilities that can lead to a security breach.
• An ethical hacker reports the identified vulnerabilities to the organization.
• The ethical hacker performs a re-test to ensure the vulnerabilities are fully resolved.

Malicious
• Malicious hackers intend to gain unauthorized access to a resource (the more sensitive the better) for financial gain or personal recognition.
• Malicious hackers deface websites or crash backend servers for fun, reputation damage, or to cause financial loss.
• The methods used and vulnerabilities found remain unreported.
• They aren’t concerned with improving the organization’s security posture.

Certifications
• EC Council: Certified Ethical Hacking Certification
• Offensive Security Certified Professional (OSCP) Certification
• CompTIA Security+
• Cisco’s CCNA Security
• SANS GIAC

Ethical Hacking Types
• White Box
• Gray Box
• Black Box

Limitations of ethical hacking
• Limited scope. Ethical hackers cannot progress beyond a defined scope to make an attack successful. However, it’s not unreasonable to discuss out-of-scope attack potential with the organization.
• Resource constraints. Malicious hackers don’t have the time constraints that ethical hackers often face. Computing power and budget are additional constraints on ethical hackers.
• Restricted methods. Some organizations ask experts to avoid test cases that lead the servers to crash (e.g., Denial of Service (DoS) attacks).

Ethical Hacking Steps
• Footprinting
• Scanning
• Enumeration

Footprinting
• What is footprinting & why
• Internet footprinting
1. Determine the scope of your activities
2. Get proper authorization
3. Publicly available information
4. WHOIS & DNS enumeration
5. DNS interrogation
6. Network reconnaissance

What Is Footprinting?
• Footprint: profile
• Why? It gives you a picture of what the hacker sees.
• The Art of War: Know yourself and your enemy!
• What to footprint/profile?
– Internet: domain names, network blocks and subnets, IP addresses, TCP/UDP services, CPU arch, access control, IDS, system enumeration, DNS hostnames
– Intranet: network protocols, internal domain names, network blocks, IP addresses, TCP/UDP services, CPU arch, access control, IDS, system enumeration
– Remote access: phone numbers, remote system type, authentication mechanisms, VPN
– Extranet: domain names, connection source and destination, type of connection, access control

Internet Footprinting
• Step 1: Determine the scope of your activities
– Entire organization or subsidiaries?
– Determine all so as to secure them
• Step 2: Get proper authorization
– Layers 8 and 9: politics and funding
– Get-out-of-jail-free card
• Step 3: Publicly available information
– Nothing short of amazing!

Publicly Available Information
Company Web Pages
• Unexpected: security configuration, asset inventory spreadsheet, etc.
• HTML source code
– Things buried in comment tags (<!-- ... -->)
– Website mirroring tools for offline viewing: Wget (Linux), Teleport Pro (Windows)
• Enumerate hidden files and directories recursively
– OWASP’s DirBuster
• Noisy: proxy through privoxy
• Remote access to internal resources via browser
– Proxy to internal servers (e.g. Microsoft Exchange)
• Look for other sites beyond the main
– www1, www2, web, test, etc.
– VPN sites

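The defensive side of the HTML-comment point above is to review your own pages for comments that leak internal details before they are published. The following is an added example (not part of the lecture) that collects every HTML comment with its line number and flags those matching a few constructed leak patterns; the sample page and the keyword list are assumptions for illustration.

```python
"""Audit HTML source for comments that leak internal details (added example)."""
from html.parser import HTMLParser
import re

# Constructed keyword patterns a reviewer would not want in a public page's comments.
SENSITIVE_PATTERNS = [
    re.compile(r"\b(passw(or)?d|passwd|secret|api[_-]?key|token)\b", re.I),
    re.compile(r"\b(todo|fixme|hack)\b", re.I),
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),                          # bare IPv4 addresses
    re.compile(r"\b(?:dev|test|staging|internal|intranet)\.[\w.-]+", re.I),  # internal hostnames
]

class CommentAuditor(HTMLParser):
    """Collects every <!-- ... --> comment together with the line it starts on."""
    def __init__(self):
        super().__init__()
        self.comments = []          # list of (line_no, comment_text)

    def handle_comment(self, data):
        line_no, _ = self.getpos()  # position of the comment currently being handled
        self.comments.append((line_no, data.strip()))

def find_leaky_comments(html):
    """Return (line_no, comment_text, matched_text) for comments hitting a sensitive pattern."""
    parser = CommentAuditor()
    parser.feed(html)
    parser.close()
    findings = []
    for line_no, text in parser.comments:
        for pat in SENSITIVE_PATTERNS:
            m = pat.search(text)
            if m:
                findings.append((line_no, text, m.group(0)))
                break               # one finding per comment is enough for review
    return findings

# Constructed sample page: the comment on line 2 is harmless, lines 4 and 5 leak.
SAMPLE_HTML = """<html>
<head><!-- Page layout v3, last updated by design team --></head>
<body>
<!-- TODO: remove before go-live. Backend is intranet.example.internal at 10.0.4.17 -->
<form action="/login"><!-- default admin password is in the deploy notes --></form>
</body></html>"""

if __name__ == "__main__":
    for line_no, text, hit in find_leaky_comments(SAMPLE_HTML):
        print(f"line {line_no}: matched {hit!r}: {text}")
```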
Publicly Available Information
Related Organizations
Location Details
• Related organizations
– Look for references and links to other organizations
• Outsourced web development
– Partners might not be security-minded
– Social engineering attack
• Location details
– Dumpster-diving, surveillance, social engineering, unauthorized access, etc.
– Images
• Google Earth, Google Maps – Street View (w/ Wi-Fi MAC), Google Locations and Skyhook (MAC → location: “How I Met Your Girlfriend” – BlackHat 2010 demo)
Publicly Available Information
Employee Information (1/2)
• Names, e-mail addresses
• Phone numbers → physical address
– Phonenumber.com, 411.com, yellowpages.com
• Other personal details
– Blackbookonline.info, peoplesearch.com
• Home phone number, address, social security number, credit history, criminal record, etc.
– Social/information/professional networking, career, family ancestry, photo management sites
• Facebook.com, Myspace.com, Reunion.com, Classmates.com, Twitter.com, Linkedin.com, Plaxo.com, Monster.com, Careerbuilder.com, Dice.com, Ancestry.com, Flickr.com, Photobucket.com
• Business directory services: JigSaw.com
– Used by sales teams
– Paid-for services with incentive award points for new or updated entries
Publicly Available Information
Employee Information (2/2)
• Job postings and resumes
– “Checkpoint firewalls and Snort IDS” tells much!
– Google “company resume firewall” to get resumes from current and past employees
– Search on job sites (monster.com, careerbuilder.com)
– Watch disgruntled and ex-employees: revenge!
• Employees’ home computers
– Remote access to the target
– Keystroke logger: free ride to the target!
• Impersonate a trusted user!

Publicly Available Information
Current Events
• Mergers, acquisitions, scandals, layoffs, rapid hiring, reorganization, outsourcing, temporary contractors
• Merger or acquisition
– Blending of organizations’ networks
• Less or disabled security
• Human factor
– Low morale → updated resumes
– Unauthorized guests
• SEC (Securities and Exchange Commission) reports
– Periodical reporting: 10-Q (quarterly) and 10-K (annual)
– Sec.gov → organizational charts
• Business info and stock trading sites
– Yahoo! Finance message boards
Publicly Available Information
Privacy or Security Policies
Archived Information
• Privacy or security policies
– Technical details indicating the types of security mechanisms in place
• Archived information
– Archived copies can reveal more than current copies
– Archive.org & cached results at Google

Publicly Available Information
Search Engines and Data Relationships
• Google.com, bing.com, yahoo.com, dogpile.com, ask.com
• Search strings used by hackers – Google Hacking Database (GHDB) at hackersforcharity.org/ghdb/
• Search Google’s cache for vulnerabilities, errors, configuration issues, etc. – Athena (snakeoillabs.com), SiteDigger (foundstone.com), Wikto (sensepost.com/research/wikto)
• Analyze metadata in web files for info leaks – FOCA (informatica64.com/foca.aspx)
• Mining and linking relevant pieces of info on a subject – Maltego (paterva.com)
• Public Database Security Countermeasures:
– Site Security Handbook: RFC 2196
– Periodically review and remove public but sensitive data!
NSLOOKUP
• You can look up IP addresses.
• Step 1: Open Command Prompt (PC) or Terminal (Mac) as described previously in the Trace the Route activity.
• Step 2: Type nslookup and press Enter/Return.
• Step 3: Type in the address of a web site you want to look up. Try looking up a website you use often.

When setting up an internet connection on a computer, it is usual to allocate a primary DNS server and one or more secondary servers. This information is generally provided by your ISP.

Step 4: WHOIS and DNS Enumeration
• Domain names, IP addresses, port numbers
– Centrally managed by ICANN (Internet Corporation for Assigned Names and Numbers)
– Hierarchically stored in WHOIS/DNS servers
• Three Rs of WHOIS: registry, registrar, registrant
• To look up keyhole.com, start from whois.iana.org
– Find the registry and registrar for .com (verisign-grs.com) and then keyhole.com (markmonitor.com)
– Find the registrant details of keyhole.com (for later spoofing)
– Web whois or command-line whois
– Automatic tools (allwhois, uwhois) and GUI tools (superscan, netscan tools pro)
• To look up 61.0.0.2, start from arin.net
– Find apnic.net, then find National Backbone of India
– But keep in mind the IP address might be spoofed/masqueraded
Public Database Security Countermeasures
Administrative contacts, registered net blocks, authoritative name servers
• Keep administrative contacts up-to-date
• Anonymize administrative contacts
• Authenticate updates rigidly to avoid domain hijacking
– AOL in 1998: redirected traffic

Step 5: DNS Interrogation
• Obtain revealing info about the organization by querying
DNS servers (domain name <-> IP addresses)
• DNS zone transfer by untrusted users
– Due to misconfiguration
– From primary server to secondary server
– Private DNS info: internal hostnames and IP addresses
– dnsrecon
• nslookup
– mapping and getting all resource records (A, RP, MX, HINFO, etc.)
– HINFO: host info
– Search with grep, sed, awk, perl
– Scripts: dnsenum, dnsmap, fierce, host

DNS Security Countermeasures
• Restrict zone transfer to only authorized servers
– named.conf in BIND
• Configure a firewall to deny unauthorized inbound connections to TCP port 53 (thwart zone transfer)
• Configure not to provide internal DNS info
• Discourage the use of HINFO records

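The "restrict zone transfer in named.conf" countermeasure above is easy to get wrong when a zone silently inherits a permissive global default. As an added example (not from the lecture), the following Python audits a constructed BIND named.conf, showing the weak setting (allow-transfer { any; }) beside the corrected one (a single authorized secondary) and reporting which zones effectively allow anyone to pull the zone; the zone names, file names and addresses are made up for illustration.

```python
"""Audit a BIND named.conf for zones whose allow-transfer ACL is open (added example)."""
import re
# Constructed named.conf: a permissive global default, one explicitly open zone,
# one correctly restricted zone, and one zone that inherits the global default.
SAMPLE_NAMED_CONF = """
options {
    allow-transfer { any; };          // weak: global default lets any client pull every zone
};
zone "corp.example" IN {
    type master;
    file "corp.example.zone";
    allow-transfer { any; };          // weak: AXFR open to untrusted users
};
zone "www.example" IN {
    type master;
    file "www.example.zone";
    allow-transfer { 192.0.2.53; };   // corrected: only the authorized secondary may transfer
};
zone "legacy.example" IN {
    type master;
    file "legacy.example.zone";       // no ACL of its own: inherits the global default
};
"""
# Match an options block or a zone block and capture its body up to the closing "};".
BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)")[^{]*\{(.*?)\n\};', re.S)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}')

def _transfer_acl(body):
    """Return the allow-transfer entries of a block body, or None if the block sets none."""
    m = TRANSFER_RE.search(body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit_zone_transfers(conf):
    """Map each zone to the ACL it effectively uses, whether it set one itself, and whether it is open."""
    global_acl, zones = None, {}
    for m in BLOCK_RE.finditer(conf):
        acl = _transfer_acl(m.group(3))
        if m.group(1) == "options":
            global_acl = acl
        else:
            zones[m.group(2)] = acl
    report = {}
    for name, acl in zones.items():
        # A zone without its own ACL falls back to the options block; if neither sets one,
        # the empty list means "review against this BIND version's default".
        effective = acl if acl is not None else (global_acl or [])
        report[name] = {"acl": effective, "explicit": acl is not None, "open": "any" in effective}
    return report
```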
Step 6: Network Reconnaissance
• Network topology and access path diagram
• traceroute, tracert, visualroute, McAfee’s NeoTrace, Foundstone’s Trout
– Find the exact path (IP nodes – routers, firewall, etc.)
– Leverage TTL and ICMP
• Thwarting Network Reconnaissance Countermeasures
– Intrusion detection: snort, bro
– Configure border routers to limit ICMP and UDP traffic to specific systems

LAB Recap

Port and Services
• HTTP: 80
• FTP: 23
• Telnet: 21
• SSH: 22
• DNS: 53
• SMTP: 25

Summary
• Footprinting: tedious work to be done regularly
• Automate tasks by shell, Python, Perl scripts
• Minimize info leaks
• Implement monitoring
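Tying the "DNS zone transfer by untrusted users" slide to the summary's "automate" and "implement monitoring" points: the added example below (not part of the lecture) scans constructed query-log lines in the shape of BIND's query log and reports AXFR/IXFR requests from hosts that are not on the allow-list of authorized secondaries. The addresses, zone names and allow-list are made up for illustration.

```python
"""Flag zone-transfer requests from hosts that are not authorized secondaries (added example)."""
import re
from ipaddress import ip_address, ip_network

# Constructed log lines in the shape of BIND's "queries" channel output.
SAMPLE_LOG = """\
12-Mar-2024 10:15:01.123 queries: info: client @0x7f3c 192.0.2.53#45231 (corp.example): query: corp.example IN AXFR -T (198.51.100.10)
12-Mar-2024 10:15:07.456 queries: info: client @0x7f3c 203.0.113.77#53122 (corp.example): query: corp.example IN AXFR -T (198.51.100.10)
12-Mar-2024 10:15:09.789 queries: info: client @0x7f3c 203.0.113.77#53123 (www.corp.example): query: www.corp.example IN A +E(0)K (198.51.100.10)
12-Mar-2024 10:16:00.001 queries: info: client @0x7f3c 10.20.0.5#40001 (corp.example): query: corp.example IN IXFR -T (198.51.100.10)
"""

# Assumed allow-list: the secondaries that are permitted to pull zones.
AUTHORIZED_SECONDARIES = [ip_network("192.0.2.53/32"), ip_network("10.20.0.0/16")]

# Captures timestamp, client address, queried name and query type from one log line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<zone>[^)]*)\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def unauthorized_transfers(log_text, allowed=AUTHORIZED_SECONDARIES):
    """Return (timestamp, source, qname, qtype) for AXFR/IXFR requests outside the allow-list."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("qtype") not in ("AXFR", "IXFR"):
            continue                      # ordinary lookups are not transfer attempts
        src = ip_address(m.group("src"))
        if not any(src in net for net in allowed):
            findings.append((m.group("ts"), str(src), m.group("qname"), m.group("qtype")))
    return findings

if __name__ == "__main__":
    for ts, src, qname, qtype in unauthorized_transfers(SAMPLE_LOG):
        print(f"{ts} unauthorized {qtype} of {qname} from {src}")
```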