Ethical Hacking and Countermeasures Version 6
Module: Introduction to Ethical Hacking
Module Objective
This module will familiarize you with:
• Elements of security
• Various phases of the Hacking Cycle
• Types of hacker attacks
• Hacktivism
• Ethical Hacking
• Vulnerability research and tools
• Steps for conducting ethical hacking
• Computer crimes and implications
• Cyber Laws prevailing in various parts around the world
EC-Council
Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Problem Definition – Why
• Evolution of technology focused on ease of use
• Decreasing skill level needed for exploits
• Increased network environment and network based applications
Essential Terminologies
Threat:
• An action or event that might compromise security. A threat is a potential violation of security
Vulnerability:
• Can lead to an unexpected and undesirable event compromising the security of the system
Target of Evaluation:
• An IT system, product, or component that is identified/subjected to require security evaluation
Essential Terminologies (cont’d)
Attack:
• An assault on the system security that is derived from an intelligent threat. An attack is any action that violates security
Exploit:
• A defined way to breach the security of an IT system through a vulnerability
Elements of Security
Security
• A state of well-being of information and infrastructure in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable
Any hacking event will affect any one or more of the essential security elements
Elements of Security (cont’d)
Security rests on confidentiality, authenticity, integrity, and availability
Confidentiality
Authenticity
Integrity
• and unauthorized changes
Availability
• The ability to use the desired information or resource
The Security, Functionality, and Ease of Use
The number of exploits is minimized when the number of weaknesses is reduced => greater security
Takes more effort to conduct the same task => reduced functionality
Moving the ball towards security means moving away from functionality and ease of use
(Figure: a triangle whose corners are labelled Security, Functionality, and Ease of Use)
What Does a Malicious Hacker Do
Reconnaissance
• Active/passive
Scanning
Gaining access
• Network level
• Denial of service
Maintaining Access
• Uploading/altering/downloading programs or data
Clearing tracks
(Figure: the hacking cycle, Reconnaissance, Scanning, Gaining Access, Maintaining Access, Clearing Tracks)
Phase 1 - Reconnaissance
Reconnaissance refers to the preparatory phase where an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack
Business Risk: Notable – Generally noted as "rattling the door knobs" to see if
Could be the future point of return, noted for ease of entry for an attack when
Reconnaissance Types
Passive reconnaissance involves acquiring information without directly interacting with the target
• For example, searching public records or news releases
Active reconnaissance involves interacting with the target directly by
• For example, telephone calls to the help desk or technical department
Phase 2 - Scanning
Scanning refers to the pre-attack phase when the hacker scans the network for specific information on the basis of information gathered during reconnaissance
Business Risk: High – Hackers have to get a single point of entry to launch an attack
Scanning can include use of dialers, port scanners, network mapping, sweeping, vulnerability scanners, and so on
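From the defender's side, the scanning phase described above shows up in firewall and connection logs as one source touching many distinct destination ports on a host in a short time. The following detection logic is an added example, not part of the EC-Council module: the log line format, the 60-second window, the threshold of 10 ports, and the sample log lines are all constructed assumptions for illustration.

```python
"""Detect port sweeps in connection logs (added example, not from the module)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-style firewall lines, not real traffic):
#  - 10.0.0.5 hits 15 different ports on one host within 15 seconds (a sweep)
#  - 10.0.0.7 is ordinary traffic to ports 443 and 80
#  - 10.0.0.9 touches 12 ports, but one per hour, so a 60-second window never
#    sees more than one of them
SAMPLE_LOG = "\n".join(
    [f"2024-01-10T09:00:{i:02d} DROP src=10.0.0.5 dst=192.168.1.20 dport={21 + i}"
     for i in range(15)]
    + [
        "2024-01-10T09:00:10 ACCEPT src=10.0.0.7 dst=192.168.1.20 dport=443",
        "2024-01-10T09:00:12 ACCEPT src=10.0.0.7 dst=192.168.1.20 dport=80",
        "2024-01-10T09:00:30 ACCEPT src=10.0.0.7 dst=192.168.1.20 dport=443",
    ]
    + [f"2024-01-10T{10 + i:02d}:00:00 DROP src=10.0.0.9 dst=192.168.1.21 dport={21 + i}"
       for i in range(12)]
)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, _action, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], fields["dst"], int(fields["dport"])


def detect_port_sweeps(log_text, window_seconds=60, port_threshold=10):
    """Return {(src, dst): distinct_ports} for every source/destination pair that
    touched at least port_threshold distinct ports inside some window of
    window_seconds. The count reported is the largest such window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport = parse_line(line)
            events[(src, dst)].append((ts, dport))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {port for _, port in evs[start:end + 1]}
            if len(distinct) >= port_threshold:
                alerts[pair] = max(alerts.get(pair, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_sweeps(SAMPLE_LOG).items():
        print(f"possible port sweep: {src} -> {dst}, {n} distinct ports")
```

The slow scanner (10.0.0.9) is deliberately invisible at the default window: widening the window to a day and lowering the threshold catches it, which is the usual tuning trade-off between missing slow sweeps and alerting on ordinary multi-port clients.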
Phase 3 - Gaining Access
• Exploits the vulnerability in the system
The exploit can occur over a LAN, the Internet, or as a deception, or theft. Examples include buffer overflows, denial of service, session hijacking, and password cracking
Influencing factors include architecture and configuration of the target system, the skill level of the perpetrator, and the initial level of access obtained
Business Risk: Highest – The hacker can gain access at the operating system level, application level, or network level
Phase 4 - Maintaining Access
Maintaining access refers to the phase when the hacker tries to retain his/her ownership of the system
The hacker has compromised the system
Hackers may harden the system from other hackers as well (to own the system) by securing their exclusive access with Backdoors, RootKits, or Trojans
Hackers can upload, download, or manipulate data, applications, and configurations on the owned system
Phase 5 - Covering Tracks
Covering Tracks refers to the activities that the hacker does to hide his misdeeds
Reasons include the need for prolonged stay, continued use of resources, removing evidence of hacking, or avoiding legal action
Examples include Steganography, tunneling, and altering log files
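One countermeasure to the "altering log files" technique named above is to make the log tamper-evident, so that an edit or a deletion is detectable even if the attacker has write access to the file. The block below is an added example, not part of the EC-Council module: it chains each record to the digest of the one before it, and the sample records, the SHA-256 choice, and the idea of shipping the final digest to a remote log server are assumptions for the demonstration.

```python
"""Tamper-evident log chaining (added example, not from the module)."""
import hashlib

GENESIS = "0" * 64  # digest "before" the first record

# Constructed sample records (not from a real host)
SAMPLE_RECORDS = [
    "2024-01-10T09:00:01 sshd: Accepted password for admin from 10.0.0.5",
    "2024-01-10T09:00:07 sudo: admin : COMMAND=/bin/bash",
    "2024-01-10T09:01:12 useradd: new user: name=svc_backup",
    "2024-01-10T09:02:30 sshd: session closed for user admin",
]


def link_digest(prev_digest, record):
    """Digest of one record, bound to the digest of its predecessor."""
    return hashlib.sha256(f"{prev_digest}\n{record}".encode()).hexdigest()


def chain_logs(records):
    """Return [(record, digest), ...] with each digest covering the previous one."""
    chained, prev = [], GENESIS
    for rec in records:
        digest = link_digest(prev, rec)
        chained.append((rec, digest))
        prev = digest
    return chained


def verify_chain(chained, expected_tip=None):
    """Return the index of the first broken link, or -1 if the chain is intact.
    If expected_tip (the last digest, as stored off-host) is given, a chain whose
    final digest differs from it is reported as broken at its last index."""
    prev = GENESIS
    for i, (rec, digest) in enumerate(chained):
        if link_digest(prev, rec) != digest:
            return i
        prev = digest
    if expected_tip is not None and prev != expected_tip:
        return max(len(chained) - 1, 0)
    return -1


def demo():
    chained = chain_logs(SAMPLE_RECORDS)
    tip = chained[-1][1]  # imagine this digest shipped to a remote log server

    # Tampering scenario 1: the useradd line is rewritten in place (digest unchanged)
    edited = list(chained)
    edited[2] = ("2024-01-10T09:01:12 useradd: no-op", edited[2][1])

    # Tampering scenario 2: the useradd line is deleted entirely
    deleted = chained[:2] + chained[3:]

    # Tampering scenario 3: the line is deleted and every later digest is
    # recomputed; only the off-host copy of the tip exposes this
    recomputed = chain_logs([r for r, _ in deleted])

    return (
        verify_chain(chained, tip),      # -1: intact
        verify_chain(edited, tip),       # 2: edited record no longer matches its digest
        verify_chain(deleted, tip),      # 2: the record after the gap is bound to a missing digest
        verify_chain(recomputed),        # -1: self-consistent without the tip...
        verify_chain(recomputed, tip),   # 2: ...but the stored tip catches it
    )


if __name__ == "__main__":
    print(demo())
```

The third scenario is the important caveat: an intruder with full write access can rebuild the whole chain, so the scheme only helps when at least the latest digest (or the whole log) is copied somewhere the intruder cannot rewrite, such as a remote syslog collector or write-once storage.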
Types of Hacker Attacks
There are several ways an attacker can gain access to a system
The attacker must be able to exploit a weakness or vulnerability in a
Attack Types:
• Operating System attacks
• Application Level attacks
• Shrink Wrap code attacks
• Misconfiguration attacks
1. Operating System Attacks
Today’s operating systems are complex in nature
Operating systems run many services, ports, and modes of access and require extensive tweaking to lock them down
The default installation of most operating systems has large numbers of services running and ports open
Attackers look for OS vulnerabilities and exploit them to gain access to a network system
2. Application Level Attacks
Software developers are under tight schedules to deliver products on time
Extreme Programming is on the rise in software engineering methodology
Software applications come with tons of functionalities and features
Sufficient time is not there to perform complete testing before releasing products
Security is often an afterthought and usually delivered as an "add-on" component, which leads to "Buffer Overflow Attacks"
3. Shrink Wrap Code Attacks
Why reinvent the wheel when you can buy off-the-shelf "libraries" and code?
When you install an OS/Application, it comes with tons of sample scripts to make the life of an administrator easy
The problem is "not fine tuning" or customizing these scripts
This will lead to default code or shrink wrap code attack
4. Misconfiguration Attacks
Systems that should be fairly secure are hacked because they were not configured correctly
Systems are complex and the administrator does not have the necessary skills or resources to fix the problem
The administrator will create a simple configuration that works
In order to maximize your chances of configuring a machine correctly, remove any unneeded services or software
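Both the operating-system slide (default installs leave many services running and ports open) and the misconfiguration slide (remove unneeded services) come down to one recurring check: what is actually listening on this host, and is each listener needed for the host's role? The audit below is an added example, not part of the EC-Council module. It parses output in the shape of Linux `ss -tlnp`; the sample output, the "web server" role, and its allowlist are constructed assumptions for the demo.

```python
"""Audit listening services against a role allowlist (added example, not from the module)."""
import re

# Constructed sample in the shape of `ss -tlnp` output on Linux (not a real host)
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("nginx",pid=1203,fd=6))
LISTEN  0       128     0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1330,fd=4))
LISTEN  0       50      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1402,fd=20))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       100     0.0.0.0:25           0.0.0.0:*          users:(("master",pid=1511,fd=13))
"""

# What a web server in this hypothetical environment is allowed to listen on
WEB_ROLE_ALLOWLIST = {("sshd", 22), ("nginx", 80), ("nginx", 443)}

LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_listeners(ss_output):
    """Return [(process, port, bind_address), ...] for every LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.append((m.group("proc"), int(m.group("port")), m.group("addr")))
    return listeners


def is_loopback(addr):
    """True for listeners that are only reachable from the host itself."""
    return addr.startswith("127.") or addr in ("[::1]", "localhost")


def unexpected_listeners(ss_output, allowlist):
    """Return sorted [(process, port, bind_address, exposure), ...] for listeners
    not covered by the allowlist. 'exposed' means bound to a non-loopback
    address, i.e. reachable from the network and the first thing to remove or
    firewall; 'local-only' still deserves review but is not remotely reachable."""
    findings = []
    for proc, port, addr in parse_listeners(ss_output):
        if (proc, port) in allowlist:
            continue
        exposure = "local-only" if is_loopback(addr) else "exposed"
        findings.append((proc, port, addr, exposure))
    return sorted(findings)


if __name__ == "__main__":
    for proc, port, addr, exposure in unexpected_listeners(SAMPLE_SS_OUTPUT, WEB_ROLE_ALLOWLIST):
        print(f"{exposure:10} {proc:8} {addr}:{port}")
```

On the sample, the FTP daemon and the mail listener are exposed to the network and not in the web role, so they are the services to disable; the database bound to loopback is flagged at lower priority. Running the real `ss -tlnp` on a host and feeding its output to `unexpected_listeners` turns the slide's advice into a repeatable check.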
Remember This Rule!
If a hacker wants to get inside your system, he/she will, and there is nothing you can do about it
The only thing you can do is make it harder for him to get in
Hacktivism
Refers to the idea of hacking with or for a cause
Comprises hackers with a social or political agenda
Aims at sending a message through their hacking activity and gaining visibility for their cause and themselves
Common targets include government agencies, MNCs, or groups or individuals
It remains a fact, however, that gaining unauthorized access is a crime, no matter whatever the intentions
Hacker Classes
Black Hats
• Individuals with extraordinary computing skills, resorting to malicious or destructive activities. Also known as crackers
White Hats
• Individuals professing hacker skills and using them for defensive purposes. Also known as security analysts
Gray Hats
• Individuals who work both offensively and defensively at various times
Suicide Hackers
• Individuals who aim to bring down critical infrastructure for a "cause" and do not worry about facing 30 years in jail for their actions
Ethical Hacker Classes
Former Black Hats
• First-hand experience
• Lesser credibility perceived
• Independent security consultants (may be groups as
• Claim to be knowledgeable about black hat activities
Consulting Firms
• Part of ICT firms
• Good credentials
Can Hacking be Ethical
Hacker:
• Refers to a person who enjoys learning the details of computer systems and to stretch his/her capabilities
• Refers to a person who uses his hacking skills for offensive purposes
Hacking:
• Describes the rapid development of new programs or the reverse engineering of the already existing software to make the code better and more efficient
Ethical hacker:
• Refers to security professionals who apply their hacking skills for defensive purposes
How to Become an Ethical Hacker
To become an ethical hacker, you must meet the
• Should be proficient with programming and computer networking skills
• You should be familiar with vulnerability research techniques
• You should be prepared to follow a strict code of conduct
Skill Profile of an Ethical Hacker
A computer expert adept at technical domains
Has in-depth knowledge of target , , , and Linux
Has exemplary knowledge of networking and related hardware and software
and related issues
In other words, you must be "highly technical" to launch sophisticated attacks
What is Vulnerability Research
Discovering vulnerabilities and designing weaknesses that will misuse
Ongoing assessment of the hacking underground
Delivered within product improvements for security systems
Can be classified based on:
• Exploit range (local or remote)
Why Hackers Need Vulnerability Research
• To identify and correct network vulnerabilities
• To protect the network from being attacked by intruders
• To get information that helps to prevent security problems
• To gather information about viruses
• To find weaknesses in the network and to alert the network administrator before a network attack
• To know how to recover from a network attack
Vulnerability Research Tools
US-CERT publishes information regarding a variety of vulnerabilities in "US-CERT Vulnerabilities Notes"
• Similar to alerts but contains less information
• Does not contain solutions for all the vulnerabilities
• Contains vulnerabilities that meet certain criteria
• Contains information that is useful for the administrator
• Name, vulnerability ID number, and CVE-name
• Can be cross checked with the Common Vulnerabilities and Exposures (CVE) catalog
Vulnerability Research
www.securitytracker.com
www.microsoft.com/security
www.securiteam.com
www.packetstormsecurity.com
www.hackerstorm.com
www.hackerwatch.org
www.securityfocus.com
www.securitymagazine.com
How to Conduct Ethical Hacking
Step 1: Talk to your client on the needs of testing
Step 2: Prepare NDA documents and ask the client to sign them
Step 3: Prepare an ethical hacking team and draw up a schedule for testing
Step 4: Conduct the test
Step 5: Analyze the results and prepare a report
Step 6: Deliver the report to the client
Penetration Testing methodology is EC-Council’s LPT program
How Do They Go About It
Any security evaluation involves three components:
Preparation – In this phase, a formal contract is signed that contains a nondisclosure clause as well as a legal clause to prosecution that might otherwise attract during the conduct phase. The contract also outlines infrastructure perimeter, evaluation activities, time schedules, and
Conduct – In this phase, the evaluation technical report is prepared based on testing potential vulnerabilities
Evaluation – In this phase, the results of the evaluation are communicated to the organization or corrective action is taken if needed
Ethical Hacking Testing
There are different forms of security testing. Examples include vulnerability scanning, ethical hacking, and penetration testing
Approaches to testing are shown below:
Black box
• With no prior knowledge of the infrastructure to be tested
White box
• With a complete knowledge of the network infrastructure
Gray box
• Also known as Internal Testing. It examines the extent of the access by insiders within the network
Ethical Hacking Deliverables
• Details the results of the hacking activity, matching it against the work schedule decided prior to the conduct phase
• Vulnerabilities are detailed and prevention measures are suggested. It is usually delivered in hard copy format for security reasons
Issues to consider:
• Team, sensitivity of information, Nondisclosure clause in the legal contract (availing the right , evaluation
Summary
Security is critical across sectors and industries
Ethical Hacking is a methodology to simulate a malicious attack without causing damage
Hacking involves five distinct phases
Security evaluation includes preparation, conduct, and evaluation phases
U.S. Statutes § 1029 and 1030 primarily address cyber crime