2-Ethical Hacking Methodology

The document provides an overview of ethical hacking and penetration testing methodologies, detailing various frameworks such as MITRE ATT&CK, OWASP, and NIST SP 800-115. It emphasizes the importance of penetration testing in identifying vulnerabilities, enhancing security measures, and differentiating it from security audits and vulnerability assessments. Additionally, it outlines the phases of penetration testing and compares them to hacking, highlighting the structured approach of ethical hacking.

Uploaded by Amna Aysha
Copyright: © All Rights Reserved

INTRUSION DETECTION AND ETHICAL HACKING

Ethical Hacking Overview


Objectives
• At the end of this lesson and completing the activities, you will be able to:
  • Discuss penetration testing methodologies
  • Differentiate between the phases of penetration testing and hacking
Penetration Testing Methodologies
• What is…
  • A systematic and repeatable approach applied when doing a complex task (such as penetration testing)
• Why…
  • Provides structure and consistency for a more effective process
  • A proven methodology evolves into a standard that can be applied in different environments
• Examples…
  • The Open Source Security Testing Methodology Manual (OSSTMM)
  • Penetration Testing Framework 0.59
  • SANS Penetration Testing Methodology
  • OWASP Web Application Penetration Testing Methodology
Continue: Penetration Testing Methodologies

Surveying Different Standards and Methodologies


• There are several penetration testing methodologies that have been around for a while and continue to be updated as new threats emerge.
• The following is a list of some of the most common penetration testing methodologies and other standards:

MITRE ATT&CK: An amazing resource for learning about an adversary’s tactics, techniques, and procedures (TTPs). Both offensive security professionals (penetration testers, red teamers, bug hunters, and so on) and incident responders and threat hunting teams use this framework today. It is a collection of different matrices of tactics, techniques, and subtechniques. These matrices (including the Enterprise ATT&CK Matrix, Network, Cloud, ICS, and Mobile) list the tactics and techniques that adversaries use while preparing for an attack, including gathering of information (open-source intelligence [OSINT], technical and people weakness identification, and more) as well as different exploitation and post-exploitation techniques.

OWASP Web Security Testing Guide (WSTG): A comprehensive guide focused on web application testing. It is a compilation of many years of work by OWASP members. It covers the high-level phases of web application security testing and digs deeper into the testing methods used. For instance, it goes as far as providing attack vectors for testing cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection attacks, as well as how to prevent and mitigate these attacks. It is the most detailed and comprehensive guide available.

NIST SP 800-115: A document created by the National Institute of Standards and Technology (NIST), which is part of the U.S. Department of Commerce. It provides organizations with guidelines on planning and conducting information security testing. It superseded the previous standard document, SP 800-42. It is considered an industry standard for penetration testing guidance and is called out in many other industry standards and documents.

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
Exploring Penetration Testing Methodologies

Surveying Different Standards and Methodologies (Cont.)


OSSTMM: The Open Source Security Testing Methodology Manual (OSSTMM) has been around a long time. Distributed by the Institute for Security and Open Methodologies (ISECOM), it is a document that lays out repeatable and consistent security testing. It is currently in version 3, and version 4 is in draft status. The OSSTMM has the following key sections: Operational Security Metrics, Trust Analysis, Work Flow, Human Security Testing, Physical Security Testing, Wireless Security Testing, Telecommunications Security Testing, Data Networks Security Testing, Compliance Regulations, and Reporting with the Security Test Audit Report (STAR).

PTES: The Penetration Testing Execution Standard (PTES) provides information about types of attacks and methods, and it provides information on the latest tools available to accomplish the testing methods outlined. PTES involves seven distinct phases: Pre-engagement interactions, Intelligence gathering, Threat modeling, Vulnerability analysis, Exploitation, Post-exploitation, and Reporting.

ISSAF: The Information Systems Security Assessment Framework (ISSAF) is another penetration testing methodology like the others on this list with some additional phases. It covers the following phases: Information gathering, Network mapping, Vulnerability identification, Penetration, Gaining access and privilege escalation, Enumerating further, Compromising remote users/sites, Maintaining access, and Covering the tracks.

Why Pen Testing is needed
• Identify the threats facing an organization's information assets.
• Test and validate the efficacy of security protections and controls.
• Reduce an organization's expenditure on IT security and enhance Return On Security Investment (ROSI) by identifying and remediating vulnerabilities or weaknesses.
• Support changing or upgrading existing infrastructure (software, hardware, or network design).
• Provide assurance with a comprehensive assessment of the organization's security including policy, procedure, design, and implementation.
Why Pen Testing is needed (Cont.)
• Focus on high-severity vulnerabilities and emphasize application-level security issues to development teams and management.
• Gain and maintain certification to an industry regulation (BS7799, HIPAA, etc.).
• Provide a comprehensive approach of preparation steps that can be taken to prevent upcoming exploitation.
• Adopt best practices in compliance with legal and industry regulations.
• Evaluate the efficacy of network security devices such as firewalls, routers, and web servers.
Comparing Security Audit, Vulnerability Assessment and Pen Testing
• A Security Audit just checks whether the organization is following a set of standard security policies and procedures.
• A Vulnerability Assessment focuses on discovering the vulnerabilities in the information system but provides NO indication if the vulnerabilities can be exploited or the amount of damage that may result from the successful exploitation of the vulnerability.
• Penetration testing is a methodological approach to security assessment that encompasses the security audit and vulnerability assessment and demonstrates if the vulnerabilities in the system can be successfully exploited by attackers.
Pentest vs. Hacking
Pentest:
• Goal is to discover vulnerabilities in a computer system and secure the environment against actual attacks
• Done by a red team with permission based on an agreement.
Hacking:
• Goal is to attack a target system for some reason (gain, destruction, vendetta, etc.) without getting caught
• Done by a person (or a group) without permission.
Pentest Methodology vs. Hacking Phases
SANS Pentest Methodology                    | Hacking
1. Planning and Preparation                 | Not a formal process…no meetings…no agreements
2. Information Gathering and Analysis       | 1. Reconnaissance
3. Vulnerability Detection                  | 2. Scanning
4. Penetration Attempt                      | 3. Gaining Access
No point in maintaining access (demo only)  | 4. Maintaining Access
5. Analysis and Reporting                   | No formal reports or presentation of findings
6. Cleaning Up                              | 5. Clearing Tracks


1. Planning and Preparation (Pentest Only)
• Kickoff meetings with client
• Define objectives
  • Example: demonstrate exploitable vulnerabilities
• Define scope
  • Example: what part(s) of the network is included
• Agree on timing and duration
  • Example: during office hours
• Inform staff or not
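The agreed scope and testing window are the rules of engagement that every later phase must respect. The following added example (not part of the original slides) shows how a team can encode them and check a candidate host list against them before any scanning starts; the ranges, exclusions, hours and host list are all constructed for illustration.

```python
"""Rules-of-engagement scope check for the planning phase (added example)."""
import ipaddress
from datetime import datetime, time

# Constructed engagement scope, standing in for what was agreed at kickoff:
# which ranges are in scope, which are excluded, and the agreed testing hours.
SCOPE = {
    "in_scope": ["10.20.0.0/16", "192.0.2.10"],
    "excluded": ["10.20.5.0/24"],          # e.g. a production segment carved out
    "window": (time(9, 0), time(17, 0)),   # office hours only, per the agreement
}

def parse_scope(scope):
    """Build network objects once; a malformed scope entry fails loudly here."""
    allow = [ipaddress.ip_network(n, strict=False) for n in scope["in_scope"]]
    deny = [ipaddress.ip_network(n, strict=False) for n in scope["excluded"]]
    return allow, deny

def in_scope(target, allow, deny):
    """In scope only if inside an allowed range and outside every exclusion."""
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in deny):
        return False
    return any(addr in net for net in allow)

def authorize(targets, scope, when_iso):
    """Return (approved, rejected); every rejection carries its reason.

    when_iso is the planned start time as an ISO-8601 string.
    """
    start, end = scope["window"]
    when = datetime.fromisoformat(when_iso)
    if not start <= when.time() <= end:
        return [], [(t, "outside agreed testing window") for t in targets]
    allow, deny = parse_scope(scope)
    approved, rejected = [], []
    for t in targets:
        if in_scope(t, allow, deny):
            approved.append(t)
        else:
            rejected.append((t, "not in agreed scope"))
    return approved, rejected

if __name__ == "__main__":
    # Constructed candidate host list from the information-gathering phase.
    hosts = ["10.20.1.15", "10.20.5.7", "192.0.2.10", "203.0.113.4"]
    ok, bad = authorize(hosts, SCOPE, "2023-03-01T10:30:00")
    print("approved:", ok)
    print("rejected:", bad)
```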
2. Information Gathering (Reconnaissance)
• Tester (or attacker) seeks to gather information about the target system
• Passive
  • Acquiring information without directly interacting with the target
  • Example: searching public records, news
• Active
  • Involves interacting with the target by any means
  • Example: telephone calls, helpdesk query, registering in a website
3. Vulnerability Detection (Scanning)
• Now that you know your target, try to determine the vulnerabilities that exist in the system
• Scanning is a pre-attack phase when the tester (attacker) scans the network for specific information on the basis of what’s been discovered in the reconnaissance phase
• Extract the information to be used in the attack
• Examples: Port scanning, network mapping, vulnerability scanning
4. Penetration Attempt (Gaining Access)
• The tester (attacker) selects a suitable target (e.g. computer or application) and attempts to obtain access
• Access can be at different levels
• Examples: DoS, password cracking
Maintaining Access (Hacking Only)
• Attackers try to retain ownership to the system they attacked
• Attackers use compromised system to launch further attacks
• Attackers may use backdoors, Trojans, rootkits
5. Analysis and Reporting (Pentest Only)
• Since the ultimate goal of penetration testing is to highlight system weaknesses for better security, the red team must analyze the findings and report the following:
  • Successful exploits
  • Information gathered about the system
  • Vulnerabilities found
  • Fix recommendations
6. Cleaning Up (Covering Tracks)
Cleaning Up:
• Testers must clean up all unwanted changes that resulted from their tests
• They usually keep a list of what they have done
• This may require backups and restores
• Must be verified by the organization
• Example: remove accounts created for testing
Covering Tracks:
• Attackers don’t want to get caught so they try to hide any trails that might lead to them
• In doing so, they can continue to access the system and delete evidence that can lead to prosecution
• Examples: overwrite system and/or application logs
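Overwritten or truncated logs are what the defender should be looking for in this phase. The added example below (not from the original slides) runs two checks over a constructed auth-log excerpt: a periodic cron entry that stops arriving on schedule, and timestamps that go backwards, which a log that is only ever appended to cannot produce; it also compares the file against a previously recorded length-and-hash checkpoint so that a rewrite of earlier lines is caught. The log format, heartbeat marker and cadence are assumptions for the example.

```python
"""Defender-side check for the covering-tracks phase (added example)."""
from datetime import datetime, timedelta
import hashlib

# Constructed auth-log excerpt. A cron heartbeat lands every 5 minutes, so the
# jump from 10:05 to 10:20 means two entries are gone; the 10:12 line sitting
# after 10:20 means the file was rewritten rather than appended to.
LOG = """\
2023-03-01T10:00:00 host CRON[411]: session opened for user root
2023-03-01T10:02:13 host sshd[502]: Accepted password for alice from 10.20.1.15
2023-03-01T10:05:00 host CRON[412]: session opened for user root
2023-03-01T10:20:00 host CRON[415]: session opened for user root
2023-03-01T10:12:44 host sshd[530]: Accepted password for alice from 10.20.1.15
"""
HEARTBEAT = "CRON["          # marker of the periodic entry we expect to see
PERIOD = timedelta(minutes=5)

def parse(text):
    """Split each line into (timestamp, message); the format is constructed here."""
    rows = []
    for line in text.splitlines():
        ts, rest = line.split(" ", 1)
        rows.append((datetime.fromisoformat(ts), rest))
    return rows

def find_anomalies(rows):
    """Return (kind, detail) findings: missing heartbeats and out-of-order lines."""
    findings, latest, prev_beat = [], None, None
    for ts, rest in rows:
        if latest and ts < latest:
            findings.append(("out_of_order", f"{ts} follows {latest}"))
        if HEARTBEAT in rest:
            if prev_beat and ts - prev_beat > PERIOD:
                missing = (ts - prev_beat) // PERIOD - 1
                findings.append(("missing_heartbeats", f"{missing} between {prev_beat} and {ts}"))
            prev_beat = ts
        latest = ts if latest is None else max(latest, ts)
    return findings

def checkpoint(text):
    """Record length and hash of the log as last seen (keep this off the host)."""
    return len(text), hashlib.sha256(text.encode()).hexdigest()

def prefix_changed(old_checkpoint, new_text):
    """True when the log no longer begins with the bytes seen at the checkpoint."""
    old_len, old_hash = old_checkpoint
    if len(new_text) < old_len:
        return True  # shrank: truncated or overwritten
    return hashlib.sha256(new_text[:old_len].encode()).hexdigest() != old_hash
```

Shipping logs to a separate collector as they are written gives the same protection for entries the attacker never gets a chance to edit.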
Penetration Testing Models revisited
• White box (known environment) model
  • Tester is told about network topology and technology
  • Tester is permitted to interview IT personnel and company employees
  • No need for reconnaissance
  • Specific targeting
• Black box (unknown environment) model
  • Tester is not given details about technologies used
  • Staff does not know about the test
  • Tests security personnel’s ability to detect an attack
• Gray box (partially known environment) model
  • Hybrid of the white and black box models
  • Company gives tester partial information (e.g., which OSs are used, but no network diagrams)
Example of information you could give to the white-hat hacker
(Figure: a sample floor plan)

Fundamental Terminology
• black box model: A model for penetration testing in which management doesn’t reveal to IT security personnel that testing will be conducted or give the testing team a description of the network topology. In other words, testers are on their own.
• Certified Ethical Hacker (CEH): A certification designated by the EC-Council.
• Certified Information Systems Security Professional (CISSP): Non-vendor-specific certification issued by the International Information Systems Security Certification Consortium, Inc. (ISC2).
• Crackers: Hackers who break into systems with the intent of doing harm or destroying data.
• ethical hackers: Users who attempt to break into a computer system or network with the owner’s permission.
Fundamental Terminology (Cont.)
• penetration test: In this test, a security professional performs an attack on a network with permission from the owner to discover vulnerabilities; penetration testers are also called ethical hackers.
• white box model: A model for penetration testing in which testers can speak with company staff and are given a full description of the network topology and technology.
• security test: In this test, security professionals do more than attempt to break into a network; they also analyze security policies and procedures, report vulnerabilities to management, and recommend solutions.
• gray box model: A hybrid of the black box and white box models for penetration testing. In other words, the company might give a tester some information about which OSs are running but not provide any network topology information (diagrams of routers, switches, intrusion detection systems, firewalls, and so forth).
