
CYB 405 main Material

The document outlines the course CYB 405 on ethical hacking, covering topics such as application attacks, the ethical hacking process, and vulnerability assessments. It explains the importance of vulnerability assessments in identifying and prioritizing security weaknesses, as well as differentiating between vulnerability assessments and penetration testing. Additionally, it details various types of vulnerability scans and web application attacks, emphasizing the need for organizations to regularly conduct these assessments to enhance their cybersecurity posture.

Uploaded by

cindybianca70
Copyright
© All Rights Reserved

CYB 405 – INTRODUCTION TO ETHICAL HACKING

Course Outline

• Application attacks and other specialized attacks.
• Ethical hacking process, penetration testing, securing and protecting networks from
hackers and loss of data.
• Software and hardware-based vulnerability assessment network analyzers.


Vulnerability Assessment
What is a vulnerability assessment?
A vulnerability assessment is the process of defining, identifying, classifying and prioritizing
vulnerabilities in computer systems, applications and network infrastructures.
Vulnerability assessments provide organizations with the necessary knowledge, awareness and
risk backgrounds to understand and react to threats to their environment.

A vulnerability assessment intends to identify threats and the risks they pose. It typically
involves using automated testing tools, such as network security scanners, whose results are
listed in a vulnerability assessment report.
Organizations of any size, or even individuals who face an increased risk of cyberattacks, can
benefit from some form of vulnerability assessment, but large enterprises and organizations
subject to ongoing attacks will benefit most from vulnerability analysis.
Because security vulnerabilities enable hackers to access IT systems and applications, it is
essential for enterprises to identify and remediate weaknesses before they can be exploited. A
comprehensive vulnerability assessment, along with a vulnerability management program, can
help companies improve the security of their systems.

Importance of Vulnerability Assessments


Vulnerability assessments provide organizations with details on security weaknesses in their
environments. They also provide directions on how to assess the risks associated with those
weaknesses. This process offers the organization a better understanding of assets, security flaws
and overall risk, reducing the likelihood a cybercriminal will breach their systems.

Types of Vulnerability Assessments


Vulnerability assessments discover different types of system or network vulnerabilities. The
assessment process includes using a variety of tools, scanners and methodologies to identify
vulnerabilities, threats and risks.
Types of vulnerability assessment scans include the following:
• Network-based scans identify possible network security attacks. This type of scan can
also detect vulnerable systems on wired or wireless networks.
• Host-based scans locate and identify vulnerabilities in servers, workstations or other
network hosts. This scan usually examines ports and services that could be visible on
network-based scans. It offers greater visibility into the configuration settings and patch
history of scanned systems, even legacy systems.
• Wireless network scans focus on points of attack in wireless network infrastructure. In
addition to identifying rogue access points, a wireless network scan also validates a
company’s network is securely configured.
• Application scans test websites to detect known software vulnerabilities and incorrect
configurations in network or web applications.
• Database scans identify weak points in a database to prevent malicious attacks, such as
SQL injection attacks.

Vulnerability Assessments vs. Penetration Tests


A vulnerability assessment often includes a pen testing component to identify vulnerabilities in
an organization’s personnel, procedures or processes. These vulnerabilities might not normally
be detectable with network or system scans. The process is sometimes referred to as vulnerability
assessment/penetration testing, or VAPT.
Pen testing is not sufficient as a complete vulnerability assessment and is, in fact, a separate
process. A vulnerability assessment aims to uncover vulnerabilities in a network and recommend
the appropriate mitigation or remediation to reduce or remove the risks.

A vulnerability assessment uses automated network security scanning tools. The results are listed
in a vulnerability assessment report, which focuses on providing enterprises with a list of
vulnerabilities that need to be fixed. However, it does so without evaluating specific attack goals
or scenarios.
Organizations should conduct vulnerability testing on a regular basis to ensure the security of
their networks, particularly when changes are made. For example, test when services are added,
new equipment is installed or ports are opened.
In contrast, pen testing involves identifying vulnerabilities in a network and then attempting to
exploit those vulnerabilities to attack the system. Although sometimes carried out in concert with
vulnerability assessments, the primary aim of pen testing is to check whether a vulnerability
exists. In addition, pen testing tries to prove that exploiting a vulnerability can damage the
application or network.
While a vulnerability assessment is usually automated to cover a wide variety of unpatched
vulnerabilities, pen testing generally combines automated and manual techniques to help testers
delve further into the vulnerabilities and exploit them to gain access to the network in a
controlled environment.
The difference between Penetration Testing and Vulnerability Scanning
Confused by the terms penetration testing and vulnerability scanning?
IT security terminology and acronyms are bandied about at a furious rate – so much so that the
use of several terms throughout the course of a typical cybersecurity conversation could end up
sounding quite similar. The terms penetration testing and vulnerability scanning, in particular,
often end up confusing many, especially when it comes to their key differences and overall
purpose.

While both aim to detect weaknesses in a system, the methods used to conduct penetration tests and
vulnerability scans differ, as do their goals. In short, a pen test is an offensive technique that mimics
real-world attacks and their consequences, while a vulnerability scan is a higher-level technique that
identifies and reports on flaws.

Let's delve into penetration testing vs. vulnerability scanning - how they're different, how they're
related and why they're both important parts of an organization's IT security strategy.

What is a Penetration Test?


As mentioned, pen tests are offensive cybersecurity exercises in which IT security professionals use
real-world hacking techniques to identify vulnerabilities and what could happen if attackers exploit
them. Pen tests help security teams identify, report on and remediate vulnerabilities, as well as verify
their removal.

Note that pen testing is a form of ethical hacking. Security professionals should always obtain
permission from the organization before performing any tests.

The goal of pen testing, which can be conducted in-house or outsourced to a third-party tester, isn't to
steal data or cause harm to assets, but to mimic the tactics, techniques and procedures threat actors
might use to identify exploitable flaws in a business's systems. Once identified during a pen test,
security teams can fix these vulnerabilities prior to a real-world attack.

A pen test is a relatively broad term for the following six underlying testing steps:

1. Prepare and perform reconnaissance.
2. Construct an attack plan.
3. Select a team to carry out the tests.
4. Choose target data types.
5. Execute the pen test.
6. Review and analyze results.

Security teams should follow up these steps with remediation efforts and retesting to ensure
vulnerabilities are fixed.

[Figure: Follow these six steps to perform a comprehensive pen test.]

Security practitioners usually conduct pen tests with a particular focus. For example, a social
engineering penetration test determines how employees respond to phishing scams, a mobile
application pen test assesses the security of mobile apps and a cloud pen test discerns vulnerabilities
in cloud environments.

Ethical hackers use a variety of commercial and open source penetration testing tools.
Some options include Nmap to scan networks, Wireshark to capture and analyze protocols,
Checkmarx's Zed Attack Proxy to scan web applications and Aircrack-ng to test Wi-Fi security.

Pen test frequency varies by organization. Many experts suggest annual testing, but organizations in
high-risk industries, such as banking or healthcare, might need to test more often. Compliance
regulations can also dictate testing cadence. PCI DSS 4.0, for example, requires annual pen tests.
Teams should also perform pen tests after infrastructure changes, such as installing new appliances,
upgrading applications or equipment, opening new office locations or updating security policies.

Benefits of penetration testing include the following:

• Discovers and remediates vulnerabilities and weaknesses.
• Helps ensure compliance with regulatory testing requirements.
• Strengthens risk management by locating and analyzing security weak points.
• Boosts brand reputation and improves customer trust.

Challenges of pen testing include the following:

• Costs can be high, especially if pen testers don't have a specific attack or target.
• Tests can be time-consuming.
• Attacks don't always replicate real-world breaches, especially if employees know when
testing occurs.
• Tests can result in false positives.
• Narrow testing scopes can result in missed vulnerabilities or weaknesses.
• Testing could require skills and resources organizations don't have in-house.
• Executives might ignore test results and see pen testing as a box to check for compliance
reporting.

To counter high costs and the time-consuming nature of manual pen tests, many pen testing tools use
AI to automate some processes of the testing lifecycle. Automated tools enable teams to speed up
testing times and can counter staffing and skills gaps.

What is Vulnerability Scanning?


Vulnerability scanning is a higher-level security technique that involves the automated detection of
weaknesses and vulnerabilities across an organization's networks and systems. It is the first step in
the larger vulnerability management process of defining, identifying, classifying and prioritizing
vulnerabilities in IT systems.

Vulnerability assessment reports use scan results to summarize the vulnerabilities, prioritize threats
and create a remediation plan.

Types of vulnerability scans include the following:

• Internal scans. These scans look for vulnerabilities within a network. They have access
to the internal network and look for vulnerabilities such as misconfigurations, missing
patches, weak passwords and coding errors.
• External scans. These scans are performed outside the network being tested. They do
not have access to the internal network. External scans look for vulnerabilities that could
provide access to external attackers, such as open ports, insecure APIs and web
application flaws.
• Unauthenticated scans. These scans mimic external attackers who do not have
legitimate access to a network.
• Authenticated scans. These scans test a system as a valid, credentialed user. They search
for vulnerabilities attackers could exploit if they had access to a network.

Common targeted vulnerability scans include compliance scanning, network scanning, database
scanning and host-based scanning.

Security teams have a variety of commercial and open source vulnerability scanners to choose from.
Some open source options include Open Vulnerability Assessment Scanner to find known
vulnerabilities, Snyk Open Source to discover application dependencies with known vulnerabilities
and sqlmap to scan databases.
Vulnerability scanning benefits include the following:

• Discovers misconfigured security controls and other vulnerabilities within a security
system.
• Helps ensure compliance with industry regulations for periodic scanning for security
weaknesses.
• Helps inform security teams to fix vulnerabilities or weaknesses before attackers exploit
them.

Vulnerability scanning challenges include the following:

• Can create false positives about potential vulnerabilities.
• Provides a limited picture of security systems and controls -- organizations require
continuous monitoring, which can be costly and degrade network performance.
• Catches known security issues but can miss newer, more sophisticated attacks and
zero-day vulnerabilities.

Security teams conduct automated vulnerability scans at regularly scheduled intervals as part of
their vulnerability management program. These automated scans provide up-to-date reports of
potentially vulnerable systems and software so security administrators can prioritize and schedule
patching efforts to mitigate cyberthreats.

Comparing Pen Testing vs. Vulnerability Scanning


Both cybersecurity tools enable security practitioners to find weaknesses and vulnerabilities within
security controls, networks, web applications, APIs and other IT systems. A major difference
between them is vulnerability scanning provides a broad view of a system's weaknesses, whereas pen
testing simulates cyberattacks.

While both tools use varying levels of automation to find vulnerabilities, pen tests are generally more
manual and in-depth than vulnerability scans, which makes them more expensive. Pen tests also
attempt to exploit vulnerabilities to discover their effects on systems, while vulnerability scans only
report flaws and weaknesses but not their exploitability.

Pen Test vs. Vulnerability Scan: Which should organizations use?


Most organizations find that pen tests and vulnerability scans are not an either-or proposition. A
combination of the two is important to prevent, detect and mitigate system weaknesses.
Vulnerability scanning is often performed as part of a pen test. As mentioned above, step two of a
pen test lifecycle involves the construction of an attack plan. Depending on the target types and
attack methods, this could involve the use of one or more pen test tools. These tools might focus on
the following tasks:

• Intelligence gathering.
• Gaining access to applications or systems.
• Privilege escalation.
• Payload inspection and analysis.

Vulnerability scanning is key to the intelligence gathering step. It detects and creates a report on
potential weaknesses. Security teams can use this report to inform their pen test efforts, as well as
validate the results of a scan.
Threats and Vulnerabilities
What Are Web Application Attacks?
Web application attacks are malicious activities that target web applications by exploiting
vulnerabilities in their design or implementation. These attacks can result in unauthorized access,
data theft, or other harmful consequences.
Common types of web application attacks include SQL injection, cross-site scripting (XSS),
cross-site request forgery (CSRF), and file inclusion attacks. Attackers may use automated tools
or manually craft their attacks to bypass security measures and gain access to sensitive
information or systems.
Organizations can prevent or mitigate web application attacks by implementing strong security
measures, such as input validation, user authentication, and regular vulnerability testing.

What Are the Consequences of Web Application Attacks?


Web application attacks can have a wide range of consequences for organizations, users, and
other stakeholders. Some of the potential consequences of web application attacks include:
Data breaches: Attackers may gain unauthorized access to sensitive data, such as personal
information, financial data, or intellectual property, leading to data breaches. This can result in
severe financial, reputational, and legal consequences for the affected organization.
Identity theft: Attackers may steal personal information during web application attacks, leading
to identity theft. Victims of identity theft may face financial losses, credit issues, and time-
consuming recovery processes.
Financial loss: Web application attacks may lead to direct financial losses for businesses, either
through theft of funds, fraud, or the costs associated with remediation and recovery.
Damage to reputation: A successful web application attack can damage an organization’s
reputation, leading to loss of customer trust, negative publicity, and reduced business
opportunities.
Legal consequences: Organizations that fail to protect their web applications may face legal
consequences, such as fines, lawsuits, or regulatory penalties, particularly if the attack results in
a data breach involving personal information.
Business disruption: Web application attacks can disrupt business operations by causing system
downtime, impacting the availability of online services, or compromising critical infrastructure.
Common Types of Web Application Attacks
1. Cross-Site Scripting (XSS)
Cross-site scripting (XSS) is a type of web application attack that involves injecting malicious
scripts into web pages that are viewed by other users. This is typically accomplished by injecting
the script into a form input field or URL parameter that is then stored in the web application’s
database.

When another user views the page that contains the malicious script, the script is executed in
their browser, allowing the attacker to steal data or perform other malicious actions on the user’s
behalf. XSS attacks can be prevented by properly sanitizing user input, using content security
policy (CSP) headers, and escaping untrusted data.

2. Cross-Site Request Forgery (CSRF)


Cross-site request forgery (CSRF) is a type of web application attack that tricks a user into
executing an unwanted action on a web application that they are already authenticated with. This
is typically accomplished by sending a specially crafted link or script to the user, which then
performs the unwanted action when clicked.

For example, a CSRF attack could be used to make unauthorized purchases or change account
settings. CSRF attacks can be prevented by using anti-CSRF tokens, which are unique tokens
that are generated by the web application for each user session and must be included in every
request to the application.
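
The anti-CSRF token check described above, sketched as an added example that is not part of the original course notes: the server issues a token bound to the user's session and rejects any state-changing request that does not carry it. `SERVER_KEY`, the function names, the `csrf_token` form field and the session IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
from typing import Mapping, Optional

# Assumption: in a real deployment this key comes from secret storage and is
# shared by all application servers; here it is generated at import time.
SERVER_KEY = secrets.token_bytes(32)

# Requests that must not change state are exempt from the token check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Token layout used in this example: <32 hex nonce>.<64 hex HMAC-SHA256>
TOKEN_RE = re.compile(r"[0-9a-f]{32}\.[0-9a-f]{64}")


def _mac(session_id: str, nonce: str) -> str:
    """HMAC over the session ID and nonce, so a token only fits one session."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """Create a fresh token to embed in forms rendered for this session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Return True only for a well-formed token issued for this session."""
    if not token or not TOKEN_RE.fullmatch(token):
        return False
    nonce, mac = token.split(".")
    expected = _mac(session_id, nonce)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(mac.encode(), expected.encode())


def handle_request(method: str, session_id: str, form: Mapping[str, str]) -> int:
    """Hypothetical handler: returns the HTTP status the application would send."""
    if method.upper() in SAFE_METHODS:
        return 200
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403  # forged or cross-site request: no valid token for this session
    return 200


if __name__ == "__main__":
    token = issue_csrf_token("session-A")  # constructed session ID
    print(handle_request("POST", "session-A", {"csrf_token": token}))
    print(handle_request("POST", "session-A", {}))
    print(handle_request("POST", "session-B", {"csrf_token": token}))
```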

3. XML External Entity (XXE)


XML External Entity (XXE) is a type of web application attack that involves exploiting
vulnerabilities in XML parsers used by a web application. This can allow an attacker to read
sensitive data or execute unauthorized actions on the web application’s server.

XXE attacks typically involve injecting specially crafted XML payloads that exploit the XML
parser’s ability to read external entities. XXE attacks can be prevented by disabling external
entity parsing or using secure XML parsers that properly sanitize input data.
4. Injection Attacks
Injection attacks involve inserting malicious code into a web application, typically in the form of
input data such as SQL queries, commands, or scripts. Injection attacks are successful when an
application fails to properly validate and sanitize input data. These attacks can be prevented by
properly validating and sanitizing input data and using parameterized queries to access
databases.

5. Fuzz Testing (Fuzzing)


Fuzz testing, also known as fuzzing, is a technique used to discover vulnerabilities in a web
application by sending it random or invalid input data. The goal of fuzz testing is to identify how
the web application responds to different inputs and to find errors and crashes.

Fuzz testing can be performed manually or with the help of automated tools. Fuzz testing can
uncover vulnerabilities that may not be detected by other security testing methods such as
penetration testing. To perform effective fuzz testing, a tester needs to understand the web
application’s input and output mechanisms and the types of data that the application processes.

6. DDoS (Distributed Denial-of-Service)


A Distributed Denial-of-Service (DDoS) attack is a type of web application attack that involves
overwhelming a web application with a large volume of traffic from multiple sources, such as
botnets or compromised devices. This can cause the web application to become unavailable to
legitimate users.

DDoS attacks can be prevented by using network security devices, such as firewalls and
intrusion prevention systems, that can detect and block malicious traffic. Additionally, web
application developers can use content delivery networks (CDNs) and load balancers to
distribute traffic across multiple servers to help mitigate the effects of DDoS attacks.

7. Brute Force Attack


A brute force attack is an automated method of guessing a username and password combination
to gain unauthorized access to a web application. Attackers use software tools to try different
combinations of usernames and passwords until they successfully guess the correct one.
To prevent brute force attacks, web applications can implement rate-limiting and account lockout
policies. Rate-limiting limits the number of login attempts from a single IP address, while
account lockout temporarily blocks access to an account after a certain number of failed login
attempts.
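
The two controls described above, per-IP rate limiting and temporary account lockout, combined in one added example that is not part of the original course notes. The class name, the thresholds (5 attempts per 60 seconds per IP, lockout for 300 seconds after 3 failures) and the replayed attempts are assumptions chosen for illustration; time is passed in explicitly so the behaviour is reproducible.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List


class LoginGuard:
    """Tracks login attempts per source IP and failed logins per account."""

    def __init__(self, max_per_ip: int = 5, ip_window: float = 60.0,
                 max_failures: int = 3, lockout: float = 300.0) -> None:
        self.max_per_ip = max_per_ip      # attempts allowed per IP per window
        self.ip_window = ip_window        # sliding window length in seconds
        self.max_failures = max_failures  # consecutive failures before lockout
        self.lockout = lockout            # lockout duration in seconds
        self._ip_attempts: Dict[str, Deque[float]] = defaultdict(deque)
        self._failures: Dict[str, int] = defaultdict(int)
        self._locked_until: Dict[str, float] = {}

    def check(self, ip: str, account: str, now: float) -> str:
        """Decide, before the password is looked at, whether to proceed."""
        attempts = self._ip_attempts[ip]
        while attempts and now - attempts[0] >= self.ip_window:
            attempts.popleft()            # drop attempts outside the window
        if len(attempts) >= self.max_per_ip:
            return "rate_limited"
        attempts.append(now)
        if self._locked_until.get(account, 0.0) > now:
            return "locked"
        return "ok"

    def record(self, account: str, success: bool, now: float) -> None:
        """Update the failure counter after a password check."""
        if success:
            self._failures.pop(account, None)
            return
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures.pop(account, None)


def attempt_login(guard: LoginGuard, ip: str, account: str, password: str,
                  now: float, check_password: Callable[[str, str], bool]) -> str:
    state = guard.check(ip, account, now)
    if state != "ok":
        return state                      # the password is never evaluated
    ok = check_password(account, password)
    guard.record(account, ok, now)
    return "success" if ok else "invalid"


def replay_constructed_attempts() -> List[str]:
    """Replay a constructed sequence of (time, ip, account, password)."""
    guard = LoginGuard()
    check = lambda account, password: password == "correct-horse"  # stand-in check
    attempts = [
        (0.0, "203.0.113.5", "alice", "guess1"),
        (1.0, "203.0.113.5", "alice", "guess2"),
        (2.0, "203.0.113.5", "alice", "guess3"),           # third failure: lockout
        (3.0, "203.0.113.5", "alice", "correct-horse"),    # refused while locked
        (4.0, "198.51.100.7", "alice", "correct-horse"),   # lockout follows the account
        (5.0, "203.0.113.5", "bob", "guess1"),             # fifth attempt from this IP
        (6.0, "203.0.113.5", "carol", "guess1"),           # IP is now rate limited
        (303.0, "203.0.113.5", "alice", "correct-horse"),  # window and lockout expired
    ]
    return [attempt_login(guard, ip, acct, pw, t, check) for t, ip, acct, pw in attempts]


if __name__ == "__main__":
    print(replay_constructed_attempts())
```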

8. Path Traversal
Path traversal is a type of web application attack that involves manipulating file paths in a web
application in order to access unauthorized files or directories on the server. Path traversal
attacks typically occur when a web application does not properly validate user input, allowing an
attacker to traverse up and down directory structures to access sensitive files.
Path traversal attacks can be prevented by properly validating user input and sanitizing file paths,
as well as using secure file access methods that restrict access to sensitive files and directories.
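
One way to implement the path validation described above, as an added example that is not part of the original course notes: the requested path is resolved to its real location and accepted only if that location is still inside the served directory. The function names and the temporary directory layout are constructed for illustration, and the input is assumed to be already URL-decoded by the web framework.

```python
import os
import tempfile
from pathlib import Path


def read_file_vulnerable(base_dir: str, user_path: str) -> str:
    """'Before' form: the user-supplied path is joined and opened unchecked,
    so "../" segments or an absolute path lead outside base_dir."""
    with open(os.path.join(base_dir, user_path), encoding="utf-8") as fh:
        return fh.read()


def resolve_under(base_dir: str, user_path: str) -> Path:
    """Return the real path of user_path, or raise ValueError if it is not
    located below base_dir after ".." segments and symlinks are resolved."""
    if not user_path or "\x00" in user_path:
        raise ValueError("empty or malformed path")
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:
        raise ValueError("path escapes the base directory")
    return candidate


def read_file_safe(base_dir: str, user_path: str) -> str:
    with open(resolve_under(base_dir, user_path), encoding="utf-8") as fh:
        return fh.read()


def is_blocked(base_dir: str, user_path: str) -> bool:
    """True when the hardened reader refuses the requested path."""
    try:
        read_file_safe(base_dir, user_path)
    except ValueError:
        return True
    return False


def build_constructed_tree(root: str) -> str:
    """Create root/webroot/docs/report.txt (public) and root/secret.txt
    (outside the web root); return the web root path."""
    webroot = Path(root) / "webroot"
    (webroot / "docs").mkdir(parents=True)
    (webroot / "docs" / "report.txt").write_text("public report", encoding="utf-8")
    (Path(root) / "secret.txt").write_text("private data", encoding="utf-8")
    return str(webroot)


def run_constructed_checks() -> dict:
    """Exercise both readers against a throwaway directory tree."""
    with tempfile.TemporaryDirectory() as root:
        webroot = build_constructed_tree(root)
        secret = str(Path(root) / "secret.txt")
        # A symlink inside the web root that points outside it.
        os.symlink(secret, os.path.join(webroot, "link.txt"))
        return {
            "vulnerable_read": read_file_vulnerable(webroot, "../secret.txt"),
            "safe_read": read_file_safe(webroot, "docs/report.txt"),
            "dotdot_blocked": is_blocked(webroot, "../secret.txt"),
            "nested_dotdot_blocked": is_blocked(webroot, "docs/../../secret.txt"),
            "absolute_blocked": is_blocked(webroot, secret),
            "symlink_blocked": is_blocked(webroot, "link.txt"),
        }


if __name__ == "__main__":
    for name, value in run_constructed_checks().items():
        print(f"{name}: {value}")
```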

Web Application Security Strategies


Here are some web application security strategies that organizations can implement to protect
their web applications:

Secure coding practices: Adopt secure coding practices, such as the OWASP Top 10 guidelines,
to ensure that web applications are built with security in mind. This includes measures like input
validation, output encoding, and secure authentication mechanisms.
Regular security testing: Perform regular security testing, such as penetration testing and
vulnerability scanning, to identify and address security vulnerabilities in web applications.
Access control: Implement access controls to ensure that only authorized users can access
sensitive data or functionality within web applications. This includes measures like role-based
access control and multi-factor authentication.
Secure communication: Use secure communication protocols, such as HTTPS, to ensure that
data transmitted between web applications and users is encrypted and protected from
interception.
Server and network security: Implement server and network security measures, such as
firewalls and intrusion detection systems, to protect web applications from attacks like DDoS
and SQL injection.
Regular updates and patches: Keep web applications and supporting software up-to-date with
the latest security patches and updates to address known vulnerabilities.
User education: Educate users on best practices for safe web browsing, such as avoiding
clicking on suspicious links or downloading attachments from unknown sources.
Incident response planning: Develop and test incident response plans to ensure that web
application security incidents are identified and addressed in a timely and effective manner.

What Does an Ethical Hacker Do?


An ethical hacker is a cybersecurity professional trained to identify and fix vulnerabilities in
systems before malicious hackers can exploit them. They simulate real-world cyberattacks to
assess risk and strengthen security posture.

Ethical hackers help organizations answer critical cybersecurity questions:

• What vulnerabilities could an attacker exploit?
• What systems or data are most at risk?
• What damage could an attacker cause with the compromised information?
• How many security layers detect or log the intrusion?
• What are the best ways to mitigate these vulnerabilities?

Ethical hackers learn and perform hacking in a professional manner, based on the direction of the
client, and later present a maturity scorecard highlighting the client's overall risk and
vulnerabilities, with suggestions to improve.

They operate under strict authorization, document their findings, and deliver a comprehensive
risk and vulnerability scorecard along with actionable recommendations.

Importance of Ethical Hacking?


At the dawn of international conflicts, terrorist organizations are funding cybercriminals to
breach security systems, either to compromise national security features or to extort huge
amounts by injecting malware and denying access. The result is a steady rise in cybercrime.
Organizations face the challenge of updating their hack-prevention tactics and installing several
technologies to protect their systems before falling victim to a hacker.
New worms, malware, viruses, and ransomware are multiplying every day, creating a need for
ethical hacking services to safeguard the networks of businesses, government agencies or
defense.

Benefits of Ethical Hacking?


The primary benefit of ethical hacking is to prevent data from being stolen and misused by
malicious attackers, as well as:
1. Discovering vulnerabilities from an attacker’s POV so that weak points can be fixed.
2. Implementing a secure network that prevents security breaches.
3. Defending national security by protecting data from terrorists.
4. Gaining the trust of customers and investors by ensuring the security of their products and
data.
5. Helping protect networks with real-world assessments.

Types of Ethical Hacking?


It is no big secret that any system, process, website, device, etc., can be hacked. In order to
understand how the hack might happen and what the damage could be, ethical hackers must
know how to think like malicious hackers and know the tools and techniques they are likely to
use.
• Web Application Hacking
• System Hacking
• Web Server Hacking
• Hacking Wireless Network
• Social Engineering

Types of Hacking/Hackers
Hackers are of different types and are named based on their intent in hacking a system.
Broadly, there are two main types of hacker: the White-Hat hacker and the Black-Hat hacker.
The names are derived from old Spaghetti Westerns, where the good guy wears a white hat and
the bad guy wears a black hat.

White Hat Hacker


Ethical hackers, or white hat hackers, do not intend to harm the system or organization. They
penetrate it officially, to locate the vulnerabilities, provide solutions to fix them and
ensure safety.
Black Hat Hacker
Contrary to an ethical hacker, black hat hackers or non-ethical hackers perform hacking to fulfill
their selfish intentions to collect monetary benefits.
Gray Hat Hacker
Gray hat hackers are a combination of white and black hat hackers. They hack for fun, without
any malicious intention, but they perform the hacking without any approval from the targeted
organization.

• Port Scanning: Using tools like Nmap or Angry IP Scanner to find open ports
or services.
• Vulnerability Scanning: Using tools like Nessus to detect known weaknesses
in systems and applications.
• Network Mapping: Generating a visual map that shows the network topology
with applications like SolarWinds.
• Banner Grabbing: This involves collecting software version information from
open services to help determine any weaknesses.
• Ping Sweeps: This entails sending ICMP requests to identify active hosts on a
particular network.
3. Gaining Access
During this crucial stage, the intruder utilizes the weaknesses identified during
scanning for unauthorized entry into the target system. This may involve leveraging
applications, operating systems, or network flaws. The objective is establishing access
at different privilege levels, from user accounts to administrative control.
Exploitation Methods comprise buffer overflows, SQL injection, and cross-site
scripting (XSS).
Popular Tools Used:
• Metasploit
• SQLmap
• Hydra
Commonly used techniques for Gaining Access:
• Password Cracking: Using brute force attacks, dictionary attacks or rainbow
tables to crack passwords.
• Exploitation of Vulnerabilities: Unauthorized access can be obtained by
exploiting known vulnerabilities such as SQL Injection or buffer overflows.
• Privilege Escalation: Higher-level privileges are acquired within a system
through exploitation or misconfiguration.
• Session Hijacking: Taking over a valid session between a user and a system
gives entrance without permission.
• Man-in-the-Middle (MITM) Attacks: By intercepting communication
between two parties, sensitive data can be accessed, violating confidentiality
principles.
4. Maintaining Access
Once inside, the intruder must maintain a presence on the target machine for further
actions such as gathering or monitoring sensitive data. Therefore, backdoors, rootkits,
or Trojan horses can be installed at this point to ensure continued access to the device
even after it has been rebooted or patched.
Persistence Techniques: Employing malicious programs, establishing concealed user
accounts, or exploiting cron jobs.
Tools Used:
• Netcat
• Ngrok
• Empire
Standard Methods of Maintaining Access:
• Installing Backdoors: Creating permanent ways of accessing the system later,
like backdoors or rootkits.
• Creating Hidden User Accounts: Adding unauthorized users with
administrative privileges that are hard to discover.
• Tunneling: Employing strategies such as SSH tunneling for secure
communication with an infected machine.
• Keystroke Logging: Capturing user’s keystroke entries to acquire confidential
details such as passwords or private information.
• Trojan Horses: Integrating applications that look real but permit unlawful
entry.
5. Clearing Tracks
The finale of ethical hacking revolves around ensuring the hacker remains under the
radar. This implies wiping logs, concealing files, and manipulating timestamps to
eliminate evidence or proof of any attack. The intention is to ensure that attackers can
never be detected or traced via their attack methodology.
Tools Used:
• CCleaner
• Stealth Rootkit
• Timestamp
Standard Methods for Covering Tracks:
• Log Tampering: Deleting or modifying logs to erase evidence of hacking
activities.
• Steganography: Hiding malicious files or data within legitimate files to avoid
detection.
• File Timestamp Alteration: Changing the timestamps of modified files to
mislead investigators.
• Clearing Command Histories: Deleting or altering shell command histories to
prevent detection.
• Encryption: Encrypting communication and files to obscure activities, which
makes forensic analysis more difficult.
