
ETHICAL HACKING

SHYAM S.V.

Seminar guide : Mrs. Shiji


WHO IS A HACKER??
HACKER noun.
1. A person who enjoys learning the details of computer systems and how to stretch their capabilities…
2. One who programs enthusiastically or who enjoys programming rather than just theorizing about programming
CATEGORISATION OF HACKERS
• Old School Hackers: Stanford or MIT hackers; no malicious intent, lack of concern for privacy and proprietary information. Believe the Internet to be an open system.
• Script Kiddies or Cyber-Punks: bored in school; caught for bragging online; intent is to vandalize or disrupt systems.
• Professional Criminals or Crackers: break into systems and sell the information.
• Coders and Virus Writers: elite programmers who write code without using it themselves; it is released via others.
TYPES OF HACKERS!!!
• White Hat Hacker - referred to as an Ethical Hacker, or sometimes called a Sneaker. Focuses on securing the corporate network from outsider threats, with good intentions, and fights against Black Hats.
• Grey Hat Hacker - a skilled hacker who sometimes acts legally and sometimes not. A Grey Hat hacker may be called a hybrid between a White Hat and a Black Hat hacker.
• Black Hat Hacker - referred to as a Cracker. A Black Hat hacker's intention is to break into others' networks and to secure his own machine. Uses different techniques for breaking into systems, which involve advanced programming skills and social engineering.
What is Ethical Hacking
• Ethical hacking: the process of hacking into a system not for nefarious purposes but to test the system's vulnerability to attacks (auditing the system); also termed ‘white hat’ hacking.
[Diagram: Hack into system to test system vulnerabilities; Test recovery protocols in response to attacks; Analyze and improve system defenses]
WHY ETHICAL HACKING??
“The Best Defense Is A Good Offense.”
• With the growth of the Internet, computer security has become a major concern for businesses and governments.
• Organizations realized that one of the best ways to evaluate the intruder threat would be to have independent computer security professionals attempt to break into their computer systems.
• Website defacements increased to alarming rates.
WHY ETHICAL HACKING??
Defacement Statistics for Indian Websites (June 01, 2004 to Dec. 31, 2004)

Domains    No. of Defacements
.com       922
.gov.in    24
.org       53
.net       39
.biz       12
.co.in     48
.ac.in     13
.info      3
.nic.in    2
.edu       2
other      13
Total      1131



WHY ETHICAL HACKING??

[Figure: Total Number of Incidents]

Protection from possible External Attacks:
• Social Engineering
• Organizational Attacks
• Automated Attacks
• Restricted Data
• Accidental Breaches in Security
• Denial of Service (DoS)
• Viruses, Trojan Horses, and Worms
WHO ARE ETHICAL HACKERS?

• A computer and network expert.
• Enjoys exploring the details of programmable systems and stretching their capabilities.
• Enthusiastic programmer.
Required Skills of an Ethical Hacker
• Microsoft: skills in operation, configuration and
management.
• Linux: knowledge of Linux/Unix; security setting,
configuration, and services.
• Firewalls: configurations, and operation of intrusion
detection systems.
• Routers: knowledge of routers, routing protocols, and
access control lists
• Mainframes
• Network Protocols: TCP/IP; how they function and
can be manipulated.
• Project Management: leading, planning, organizing,
and controlling a penetration testing team.
HISTORY HIGHLIGHTS

• First ethical hack: the United States Air Force conducted a “security evaluation” of the Multics operating systems for “potential use as a two-level (secret/top secret) system.”
• Most notable work by Farmer and Venema, which was originally posted to Usenet in December of 1993.
What do Ethical Hackers do?
• An ethical hacker’s evaluation of a system’s
security seeks answers to these basic questions:
– What can an intruder see on the target
systems?
– What can an intruder do with that information?
– Does anyone at the target notice the intruder’s attempts or successes?
– What are you trying to protect?
– What are you trying to protect against?
– How much time, effort, and money are you willing to expend to obtain adequate protection?
ETHICAL HACKING COMMANDMENTS

WORKING ETHICALLY:-
• HIGH PROFESSIONAL MORALS AND PRINCIPLES
• NO HIDDEN AGENDA
• TRUSTWORTHINESS - THE ULTIMATE TENET

RESPECTING PRIVACY:-
• ALL APPLICATION INFORMATION TO BE KEPT PRIVATE

NO SYSTEM CRASHING:-
• FORMULATING A WELL PLANNED STRATEGY
Modes of Ethical Hacking

• Insider attack
• Outsider attack
• Stolen equipment attack
• Physical entry
• Bypassed authentication attack (wireless
access points)
• Social engineering attack
ANATOMY OF HACKING-
METHODOLOGY
1. Footprinting
2. Scanning
3. Enumeration
4. Gaining access
5. Escalating privilege
6. Pilfering
7. Covering tracks
8. Creating backdoors
9. Denial of service
1. FOOTPRINTING

• OBJECTIVE:
– Target address range, acquisition and information gathering
• TECHNIQUES:
– Open source search
– Whois
– Web interface to whois
– DNS zone transfer
2. SCANNING

• OBJECTIVE:
– Bulk target assessment and identification of listening services
– Focuses on most promising avenues of entry
• TECHNIQUES:
– Ping sweep
– TCP/UDP port scan
– OS detection
3. ENUMERATION

• OBJECTIVE:
– More intrusive probing by attacker
– Identification of valid user accounts
– Poorly protected resource shares
• TECHNIQUES:
– List user accounts
– List file shares
– Identify applications
4. GAINING ACCESS

• OBJECTIVE:
– Acquiring enough data to access the target
– User-level access obtained
• TECHNIQUES:
– Password eavesdropping
– File share brute forcing
– Password file grab
– Buffer overflows
5. ESCALATING PRIVILEGES

• OBJECTIVE:
– Attacker seeks complete control of the system
• TECHNIQUES:
– Password cracking
6. PILFERING

• OBJECTIVE:
– Information gathering process to gain access to trusted systems
– Aim is to gain total control
• TECHNIQUES:
– Elevate trust
– Search for cleartext passwords
7. COVERING TRACKS

• OBJECTIVE:
– Total ownership of target secured
– These facts are hidden from administrators
• TECHNIQUES:
– Clear logs
– Hide tools
8. CREATING BACKDOORS

• OBJECTIVE:
– Laying trap doors at different parts of the system to gain easy access at the whim of the intruder
• TECHNIQUES:
– Creating rogue user accounts
– Schedule batch jobs
– Infect startup files
– Plant remote control services
– Install monitoring mechanisms
– Replace apps with Trojans
9. DENIAL OF SERVICE (DoS)

• OBJECTIVE:
– Used in case of unsuccessful attack
– Attacker disables the target as the last resort
• TECHNIQUES:
– SYN flood
– Identical SYN requests
– ICMP techniques
– DDoS
– Out of bounds TCP options (OOB)
ETHICAL HACKING TOOLS
• Samspade:
– Provides information about a particular host.
– This tool is very helpful in finding addresses, phone numbers, etc.
Samspade GUI
ETHICAL HACKING TOOLS
• E-mail tracker :
– To find out the server sending spam
messages.
– Every mail has a header associated with it
and this is used to identify the source
server.
• Visual route:
– A tool which displays the location of a particular server with the help of IP addresses.
– Connected with e-mail tracker to find the exact location of the server.
E-mail tracker GUI
Visual route GUI
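The header tracing described under E-mail tracker, as an added example that is not part of the original slides: it walks the Received headers of a constructed message and returns the first sending server whose connection was recorded by a receiver you trust. The function names, the sample message, the trusted-receiver set and the internal network range are assumptions made for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample (not from the slides): example domains, test-net IPs.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [10.0.0.5])
\tby mailstore.recipient.example with ESMTP id A1; Mon, 3 Jan 2005 10:00:05 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2; Mon, 3 Jan 2005 10:00:03 +0000
Received: from bulk-sender (unknown [203.0.113.45])
\tby relay.isp.example with SMTP id C3; Mon, 3 Jan 2005 10:00:01 +0000
From: "Offers" <promo@spam.example>
To: user@recipient.example
Subject: constructed test message

body
"""

# Matches "from <helo> (<rdns> [<ip>]) ... by <server>", a common MTA layout.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\([^\[\]]*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)", re.S)

def trace_hops(raw):
    """Return hops oldest first (each server prepends its own header)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(value))
        if m:
            hops.append({"ip": m["ip"], "helo": m["helo"], "by": m["by"]})
    return hops

def verified_source(hops, trusted_receivers, internal_nets=("10.0.0.0/8",)):
    """Earliest hop stamped by a trusted server whose peer is external.

    Older hops were written by servers we do not control and may be
    forged by the sender, so they are leads rather than evidence.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    for hop in hops:
        peer = ipaddress.ip_address(hop["ip"])
        if hop["by"] in trusted_receivers and not any(peer in n for n in nets):
            return hop
    return None
```

For the sample, the verified source is the relay at 198.51.100.7; the 203.0.113.45 entry was written by that relay, not by the recipient's servers, so it is only a lead to pass to the relay's operator.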
REPORTING
• Methodology
• Exploited conditions & vulnerabilities that could not be exploited
• Proof for exploits - trophies
• Practical security solutions
• Detailed reporting about the vulnerabilities
ADVANTAGES & DISADVANTAGES

ADVANTAGES:
• “To catch a thief you have to think like a thief”
• Provides security to banking establishments
• Prevents website defacements
• Evolving technique
DISADVANTAGES:
• Question of trust!!
• Expensive, as salaries are very high!!
FUTURE ENHANCEMENTS

• Ethical hacking is an evolving branch
• It’s the future of web and system security
• More advanced software should be used for optimum protection
• Tools used need to be updated regularly, and more efficient ones need to be developed
CONCLUSION
ETHICAL HACKING FROM VARIOUS PERSPECTIVES

Students:
• No S/W is made with zero vulnerabilities
• Learn to avoid these vulnerabilities

Professionals:
• Business is directly related with security
• Develop S/W with least vulnerabilities
• Keep updated about new tools and techniques
