Ethical Hacking
ROULY BECHAR
École Nationale Supérieure des Mines de St-Étienne
Institut Henri Fayol
Ethical Hacking
• Independent computer security professionals who break into computer systems.
• They neither damage the target systems nor steal information.
• They evaluate the security of the target systems and report the vulnerabilities found back to the owners.
Ethical Hacking
• Completely trustworthy.
• Strong programming and computer networking skills.
• Learn about the system and try to find its weaknesses.
• Know the techniques of criminal hackers, and how to detect and prevent them.
• Have published research papers or released security software.
Five stages to hacking
1. Reconnaissance
2. Scanning
3. Gaining access
4. Maintaining access
5. Covering tracks
Reconnaissance
During this phase, a pentester uses a number of publicly available resources to learn more about his target. This information can be retrieved from Internet sources such as forums, bulletin boards, newsgroups, articles, blogs, social networks, and other commercial or non-commercial websites. Additionally, the data can also be gathered through various search engines such as Google, Yahoo!, MSN Bing and others.
Reconnaissance
Two types of reconnaissance:
Passive:
• Google search
• Browse the company web page
• Social networks (Facebook, Twitter, …)
• …
Active:
• Network scan (nmap)
• Vulnerability scan
• Social engineering
• …
Reconnaissance
The purpose of reconnaissance is to narrow down the target and choose the techniques suited to the attack:
• Where the web servers are
• Avoid broad scans
• Identify vulnerabilities
• Wi-Fi
• Network equipment
• Patch level
• Default configuration + passwords
Reconnaissance
Default configuration + passwords:
Passive Reconnaissance Resources
Netcraft (performed on École des Mines)
Scanning
This phase mainly deals with identifying the target's network status, operating system, and its relative network architecture. This provides a complete image of the currently interconnected technologies or devices and may help further in enumerating the various services running over the network.
Scanning
Nmap:
Nmap can be used, for example, to check for vulnerabilities in network services, enumerate resources on the target system, scan open ports, …
It can perform either a noisy or a quiet scan.
Example of a quiet scan: nmap -Pn -p <ports> -sT ip_address
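The noisy/quiet distinction above is easiest to understand from the defender's side of the wire. The following Python script is an added example, not part of the original slides: a full TCP connect scan (nmap -sT) completes the handshake on every probed port, so each probe leaves a record on the target, and counting the distinct ports one source touches on one host within a short window is the classic detection. The log format, the IP addresses and every log line are constructed for the example.

```python
"""Spotting a noisy TCP connect scan in connection logs (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 3, 1, 10, 0, 0)

def _line(offset_s, src, dst_ip, port, result):
    # Constructed format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <result>"
    ts = (BASE + timedelta(seconds=offset_s)).isoformat(timespec="seconds")
    return f"{ts} {src} -> {dst_ip}:{port} {result}"

SAMPLE_LINES = (
    # 10.0.0.5 probes 25 ports of one host within 25 seconds: a fast connect scan
    [_line(i, "10.0.0.5", "10.0.0.20", port, "refuse") for i, port in enumerate(range(20, 45))]
    # 10.0.0.7 is an ordinary client talking to the web ports only
    + [_line(i * 3, "10.0.0.7", "10.0.0.20", 80 if i % 2 else 443, "accept") for i in range(10)]
    # 10.0.0.9 probes 20 ports but only one every 10 seconds: a slow, quieter scan
    + [_line(i * 10, "10.0.0.9", "10.0.0.20", 8000 + i, "refuse") for i in range(20)]
)

def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst_ip, dst_port, result)."""
    ts, src, _arrow, dst, result = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), result

def find_port_scanners(lines, window_s=60, threshold=15):
    """Return {src_ip: max_distinct_ports} for sources that touched more than
    `threshold` distinct ports on a single host inside any `window_s` seconds."""
    window = timedelta(seconds=window_s)
    probes = defaultdict(list)  # (src, dst_ip) -> [(timestamp, port)]
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst_ip, port, _ = parse_line(line)
        probes[(src, dst_ip)].append((ts, port))

    suspects = {}
    for (src, dst_ip), events in probes.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # slide the left edge forward until the window fits
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = {port for _, port in events[left:right + 1]}
            if len(distinct) > threshold:
                suspects[src] = max(suspects.get(src, 0), len(distinct))
    return suspects

if __name__ == "__main__":
    for src, n in find_port_scanners(SAMPLE_LINES).items():
        print(f"possible port scan from {src}: {n} distinct ports inside 60 s")
```

With the default 60-second window only the fast scanner is reported; the slow scanner at one probe every 10 seconds stays under the threshold, which is exactly why a "quiet" scan spreads its probes out, and why a detector needs a longer window or a lower threshold to catch it.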
Gaining access
Metasploit
• Exploits
• Payloads
Privilege escalation
After exploiting the vulnerabilities and gaining access to the target machine, you can use the tools in this category to escalate your privilege to the highest level.
Privilege escalation
• Attacking the passwords used by the privileged accounts
• Sniffing the network to get the privileged accounts' usernames and passwords
• Spoofing the network packets of the privileged accounts to run a particular system command
Attacking the password
• Offline attack: In this method, the attacker gets the password file from the target machine and transfers it to his machine. Then he uses a password cracking tool to crack the passwords. The advantage of this method is that the attacker doesn't need to worry about a password blocking mechanism on the target machine, because he uses his own machine to crack the passwords.
• Online attack: In this method, the attacker guesses the password for a username. This may trigger the system to block the attacker after several failed password guesses.
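The two attacks above map onto two defences, shown here in an added Python example that is not part of the original slides. Against the offline attack, the stolen password file is only as strong as its hashing: a salted, slow key derivation function (PBKDF2-HMAC-SHA256 from the standard library) makes every guess cost real CPU time. Against the online attack, counting failed attempts per account and locking the account is the "password blocking mechanism" the slide refers to. The LoginService class, the usernames and the passwords are constructed for the example.

```python
"""Salted slow hashing plus per-account lockout (constructed example)."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor; raise it as hardware gets faster
SALT_LEN = 16

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

class LoginService:
    """Minimal login front end with per-account lockout after MAX_FAILURES."""
    MAX_FAILURES = 5
    # dummy credential so an unknown username takes as long to reject as a real one
    _DUMMY = (b"\x00" * SALT_LEN, b"\x00" * 32)

    def __init__(self):
        self.users = {}      # username -> (salt, digest)
        self.failures = {}   # username -> consecutive failed attempts

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        if self.failures.get(username, 0) >= self.MAX_FAILURES:
            return "locked"               # online guessing stops here
        record = self.users.get(username)
        salt, digest = record if record is not None else self._DUMMY
        matched = verify_password(password, salt, digest)
        if record is not None and matched:
            self.failures[username] = 0   # a success resets the counter
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"

if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")
    for attempt in ["wrong", "wrong", "wrong", "wrong", "wrong", "correct horse battery staple"]:
        print(attempt, "->", svc.login("alice", attempt))
```

Note that the lockout protects the online path only: once an attacker holds the password file, the work factor in ITERATIONS is the sole thing slowing him down, which is why the offline attack is the more dangerous of the two and why the hashing parameters deserve periodic review.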
Sniffing the network
A network sniffer is a software program or hardware device which is capable of monitoring network data. It is usually used to examine network traffic by copying the data without altering its contents. With a network sniffer you can see what information is available on your network.
Sniffing the network tools
• Hamster
• Tcpdump
• Tcpick
• Wireshark
• …
Spoofing the network
Network spoofing is a process of modifying network data, such as MAC addresses, IP addresses, and so on. The goal of this process is to be able to get the data exchanged between two communicating parties.
Spoofing the network tools
• Arpspoof
• Ettercap
• …
Spoofing the network
Demo
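The sniffing and spoofing sections above fit together on the defender's side: a sniffer copies raw frames off the wire, and decoding those frames is what lets a monitor notice ARP spoofing. The Python below is an added example, not part of the original slides or of any of the tools listed: it decodes Ethernet/ARP frames with struct and keeps a table of which MAC answered for each IP, alerting when a different MAC later claims the same IP, which is what poisoning the ARP caches of two communicating parties looks like on the wire. The MAC and IP addresses and the frames themselves are constructed inside the script, not captured from a real network.

```python
"""Decoding ARP frames and flagging a MAC change for a known IP (constructed example)."""
import struct
from ipaddress import IPv4Address

ETH_HDR = "!6s6sH"           # dst MAC, src MAC, EtherType
ARP_PKT = "!HHBBH6s4s6s4s"   # hw type, proto type, hw len, proto len, opcode, SHA, SPA, THA, TPA
ETH_LEN = struct.calcsize(ETH_HDR)
ARP_LEN = struct.calcsize(ARP_PKT)
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed ARP reply frame (unicast to the target), used only as sample input."""
    eth = struct.pack(ETH_HDR, mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_PKT, 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, or None otherwise."""
    if len(frame) < ETH_LEN + ARP_LEN:
        return None
    _dst, _src, ethertype = struct.unpack_from(ETH_HDR, frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    fields = struct.unpack_from(ARP_PKT, frame, ETH_LEN)
    opcode, sha, spa = fields[4], fields[5], fields[6]
    return opcode, mac_text(sha), str(IPv4Address(spa))

class ArpWatch:
    """Learns IP -> MAC from ARP replies and flags a change of MAC for a known IP."""
    def __init__(self):
        self.table = {}

    def observe(self, frame):
        """Return an alert string if the frame contradicts what was learned, else None."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, mac, ip = parsed
        known = self.table.setdefault(ip, mac)
        if known != mac:
            return f"ARP spoof suspected: {ip} was {known}, now claimed by {mac}"
        return None

# Constructed scenario: the gateway 192.168.1.1 answers first, then another MAC claims to be it.
SAMPLE_FRAMES = [
    build_arp_reply("aa:bb:cc:00:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
    build_arp_reply("aa:bb:cc:00:00:10", "192.168.1.10", "aa:bb:cc:00:00:01", "192.168.1.1"),
    build_arp_reply("de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:00:00:10", "192.168.1.10"),
]

def run_sample():
    """Feed the constructed frames through the watcher; returns the alerts raised."""
    watch = ArpWatch()
    return [alert for alert in (watch.observe(f) for f in SAMPLE_FRAMES) if alert]

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On a real network the same logic runs over frames read from a capture file or a raw socket (the job Tcpdump and Wireshark do); the watcher should also tolerate legitimate MAC changes such as a replaced network card, so in practice the first-seen table is seeded from a known-good inventory rather than trusted blindly.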
Maintaining access
The main purpose of these tools is to help us maintain access, bypass the filters deployed on the target machine, or allow us to create a covert connection between our machine and the target. By maintaining this access, we don't need to do the whole penetration testing process again if we want to get back to the target machine at any time.
Maintaining access (Tunneling)
Tunneling can be defined as a method to encapsulate a protocol inside another protocol. In our case, we use tunneling to bypass the protection provided by the target system. Most of the time, the target system will have a firewall that blocks connections to the outside world, except for a few common network protocols such as HTTP and HTTPS. In this situation, we can use tunneling to wrap our packets inside the HTTP protocol. The firewall will allow these packets to go to the outside world.
Maintaining access (Tunneling)
DNS2tcp:
DNS2tcp is a tunneling tool to encapsulate TCP traffic in DNS traffic. When it receives a connection on a specific port, all of the TCP traffic is sent to the remote dns2tcpd server in DNS traffic and forwarded to a specific host and port.
Maintaining access (Tunneling)
Ptunnel:
Ptunnel is a tool that can be used to tunnel TCP connections over ICMP echo request (ping request) and reply (ping reply) packets.
Maintaining access (Tunneling)
Stunnel4:
Stunnel4 is a tool to encrypt any TCP protocol inside SSL between local and remote servers.
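A firewall that allows DNS and ICMP through is exactly what the DNS2tcp and Ptunnel slides rely on, so the defender's check is what the tunnelled traffic looks like. The Python below is an added example, not part of the original slides or of those tools: a dns2tcp-style tunnel carries TCP payload in query names, so from one client it shows up as many unique, long, high-entropy subdomains under one domain, while a ptunnel-style tunnel shows up as a stream of ICMP echo requests far larger than a normal ping. The thresholds are illustrative and every log record below is constructed, not real traffic.

```python
"""Heuristics for DNS and ICMP tunnel traffic (constructed example)."""
import math
from collections import defaultdict

def shannon_entropy(text):
    """Bits of entropy per character; encoded data scores high, host names score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def dns_tunnel_suspects(queries, min_unique=20, min_entropy=3.5):
    """queries: iterable of (client_ip, qname).
    Returns {(client_ip, domain): unique_subdomain_count} for client/domain pairs
    whose subdomain labels look like encoded data rather than host names."""
    subdomains = defaultdict(set)
    for client, qname in queries:
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue                      # a bare domain carries no subdomain to encode in
        domain = ".".join(labels[-2:])
        subdomains[(client, domain)].add(".".join(labels[:-2]))
    suspects = {}
    for pair, subs in subdomains.items():
        avg_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if len(subs) >= min_unique and avg_entropy >= min_entropy:
            suspects[pair] = len(subs)
    return suspects

def icmp_tunnel_suspects(echoes, max_payload=64, min_oversized=10):
    """echoes: iterable of (src_ip, payload_len) for ICMP echo requests.
    Returns {src_ip: count} for sources sending many oversized echoes."""
    oversized = defaultdict(int)
    for src, length in echoes:
        if length > max_payload:
            oversized[src] += 1
    return {src: n for src, n in oversized.items() if n >= min_oversized}

# Constructed DNS log: the tunnel client encodes data in 32-character labels,
# while an ordinary client only resolves a couple of real host names.
ALPHABET = "abcdefghijklmnopqrstuvwxyz012345"
TUNNEL_LABELS = [ALPHABET[i:] + ALPHABET[:i] for i in range(25)]   # 25 unique labels
SAMPLE_DNS = (
    [("10.0.0.5", f"{label}.example.com") for label in TUNNEL_LABELS]
    + [("10.0.0.7", "www.example.com")] * 8
    + [("10.0.0.7", "mail.example.com")] * 3
    + [("10.0.0.7", "example.com")]
)

# Constructed ICMP log: (src_ip, echo payload length in bytes); 56 is a normal ping.
SAMPLE_ICMP = [("10.0.0.7", 56)] * 10 + [("10.0.0.5", 1024)] * 12 + [("10.0.0.8", 1024)] * 2

if __name__ == "__main__":
    print("DNS tunnel suspects:", dns_tunnel_suspects(SAMPLE_DNS))
    print("ICMP tunnel suspects:", icmp_tunnel_suspects(SAMPLE_ICMP))
```

Both heuristics need tuning against a baseline before they are useful: content delivery networks and some security products legitimately generate high-entropy DNS names, and large echo payloads occur in path-MTU tests, so the thresholds above are a starting point, not a rule. An SSL tunnel such as Stunnel4 leaves neither of these traces, which is why it is usually addressed by restricting which hosts may speak TLS outbound rather than by inspecting payloads.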