• Like
Ethical hacking presentation_october_2006
Upcoming SlideShare
Loading in...5
×

Ethical hacking presentation_october_2006

  • 4,376 views
Uploaded on

 

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
  • free free download this latest version 100% working.
    download link- http://gg.gg/hqcf
    Are you sure you want to
    Your message goes here
  • awesome
    Are you sure you want to
    Your message goes here
    Be the first to like this
No Downloads

Views

Total Views
4,376
On Slideshare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
599
Comments
2
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Ethical Hacking for Educators Presented By Regina DeLisse Hartley, Ph.D. Caldwell Community College & Technical Institute
  • 2. Overview Old School Hackers: History of Hacking Ec-Council: Certified Ethical Hacker Learning Competencies Teaching Resources: Ethical Hacking Textbooks Hacking Tools Hacker Challenge Websites Additional Web Sites Questions and Answers
  • 3. Old School Hackers: History of Hacking
  • 4. PREHISTORY  Draper builds a "blue 1960s: The Dawn of box" used with whistle Hacking allows phreaks to make Original meaning of the free calls. word "hack" started at  Steve Wozniak and MIT; meant elegant, witty Steve Jobs, future or inspired way of doing founders of Apple almost anything; hacks Computer, make and sell were programming blue boxes. shortcuts THE GOLDEN AGEELDER DAYS (1970-1979) (1980-1991) 1970s: Phone Phreaks  1980: Hacker Message and Capn Crunch: One Boards and Groups phreak, John Draper (aka Hacking groups form; "Capn Crunch"), discovers such as Legion of Doom a toy whistle inside Capn (US), Chaos Computer Crunch cereal gives 2600- Club (Germany). hertz signal, and can  1983: Kids Games access AT&Ts long- Movie "War Games" distance switching system. introduces public to hacking.
  • 5. THE GREAT HACKER WAR  1989: The Germans , Legion of Doom vs the KGB and Kevin Mitnick. Masters of Deception; online warfare; jamming  German Hackers phone lines. arrested for breaking into U.S. computers; sold 1984: Hacker Zines information to Soviet Hacker magazine 2600 KGB. publication; online zine  Hacker "The Mentor“ Phrack. arrested; publishesCRACKDOWN (1986- Hackers Manifesto. 1994)  Kevin Mitnick convicted; 1986: Congress passes first person convicted Computer Fraud and Abuse under law against gaining access to interstate Act; crime to break into network for criminal computer systems. purposes. 1988: The Morris Worm Robert T. Morris, Jr., launches self-replicating worm on ARPAnet.
  • 6.  1993: Why Buy a Car  1995: Russian Hackers When You Can Hack Siphon $10 million from One? Citibank; Vladimir Levin, Radio station call-in leader. contest; hacker-fugitive  Oct 1998 teenager hacks Kevin Poulsen and friends crack phone; they into Bell Atlantic phone allegedly get two Porsches, system; disabled $20,000 cash, vacation communication at airport trips; Poulsen now a disables runway lights. freelance journalist  1999 hackers attack covering computer crime. Pentagon, MIT, FBI web First Def Con hacking sites. conference in Las Vegas  1999: E-commerce company attacked;ZERO TOLERANCE (1994- blackmail threats followed 1998) by 8 million credit card 1995: The Mitnick numbers stolen. ( Takedown: Arrested www.blackhat.info; www.h2k2.net; www.slais.ubc.ca/; www.sptimes.com; again; charged with www.tlc.discovery.com) stealing 20,000 credit card numbers.
  • 7. Ec-Council: Certified Ethical Hacker
  • 8. EC-Council has certified ITprofessionals from the following organizations as CEH:Novell, Canon, Hewlett Packard, US Air ForceReserve, US Embassy, Verizon, PFIZER, HDFCBank, University of Memphis, MicrosoftCorporation, Worldcom, Trusecure, USDepartment of Defense, Fedex, Dunlop, BritishTelecom, Cisco, Supreme Court of the Philippines,United Nations, Ministry of Defense, UK, NortelNetworks, MCI, Check Point Software, KPMG, FleetInternational, Cingular Wireless, Columbia DailyTribune, Johnson & Johnson, Marriott Hotel,Tucson Electric Power Company, Singapore PoliceForce
  • 9. (Cont.) PriceWaterhouseCoopers, SAP, Coca-Cola Corporation, Quantum Research, US Military, IBM Global Services, UPS, American Express, FBI, Citibank Corporation, Boehringer Ingelheim, Wipro, New York City Dept Of IT & Telecom – DoITT, United States Marine Corps, Reserve Bank of India, US Air Force, EDS, Bell Canada, SONY, Kodak, Ontario Provincial Police, Harris Corporation, Xerox, Philips Electronics, U.S. Army, Schering, Accenture, Bank One, SAIC, Fujitsu, Deutsche Bank
  • 10. Hackers are here. Where are you? The explosive growth of the Internet has brought many good things…As with most technological advances, there is also a dark side: criminal hackers. The term “hacker” has a dual usage in the computer industry today. Originally, the term was defined as: HACKER noun. 1. A person who enjoys learning the details of computer systems and how to stretch their capabilities…. 2. One who programs enthusiastically or who enjoys programming rather than just theorizing about programming.
  • 11. What is a Hacker? Old School Hackers: 1960s style Stanford or MIT hackers. Do not have malicious intent, but do have lack of concern for privacy and proprietary information. They believe the Internet was designed to be an open system. Script Kiddies or Cyber-Punks: Between 12-30; predominantly white and male; bored in school; get caught due to bragging online; intent is to vandalize or disrupt systems. Professional Criminals or Crackers: Make a living by breaking into systems and selling the information. Coders and Virus Writers: See themselves as an elite; programming background and write code but won’t use it themselves; have their own networks called “zoos”; leave it to others to release their code into “The Wild” or Internet. (www.tlc.discovery.com)
  • 12. What is Ethical Hacking? Ethical hacking – defined “methodology adopted by ethical hackers to discover the vulnerabilities existing in information systems’ operating environments.” With the growth of the Internet, computer security has become a major concern for businesses and governments. In their search for a way to approach the problem, organizations came to realize that one of the best ways to evaluate the intruder threat to their interests would be to have independent computer security professionals attempt to break into their computer systems.
  • 13. Who are Ethical Hackers? “One of the best ways to evaluate the intruder threat is to have an independent computer security professionals attempt to break their computer systems” Successful ethical hackers possess a variety of skills. First and foremost, they must be completely trustworthy. Ethical hackers typically have very strong programming and computer networking skills. They are also adept at installing and maintaining systems that use the more popular operating systems (e.g., Linux or Windows 2000) used on target systems. These base skills are augmented with detailed knowledge of the hardware and software provided by the more popular computer and networking hardware vendors.
  • 14. What do Ethical Hackers do? An ethical hacker’s evaluation of a system’s security seeks answers to these basic questions: • What can an intruder see on the target systems? • What can an intruder do with that information? • Does anyone at the target notice the intruder’s at tempts or successes? • What are you trying to protect? • What are you trying to protect against? • How much time, effort, and money are you willing to expend to obtain adequate protection?
  • 15. How much do Ethical Hackers get Paid? Globally, the hiring of ethical hackers is on the rise with most of them working with top consulting firms. In the United States, an ethical hacker can make upwards of $120,000 per annum. Freelance ethical hackers can expect to make $10,000 per assignment. Some ranges from $15,000 to $45,000 for a standalone ethical hack.
  • 16. Certified Ethical Hacker (C|EH) Training InfoSec Academy http://www.infosecacademy.com • Five-day Certified Ethical Hacker (C|EH) Training Camp Certification Training Program • (C|EH) examination • C|EH Certified Ethical Hacker Training Camp (5-Day Package)$3,595 ($2,580 training only)(Source: www.eccouncil.org)
  • 17. Learning Competencies
  • 18. Required Skills of an Ethical Hacker Routers: knowledge of routers, routing protocols, and access control lists Microsoft: skills in operation, configuration and management. Linux: knowledge of Linux/Unix; security setting, configuration, and services. Firewalls: configurations, and operation of intrusion detection systems. Mainframes Network Protocols: TCP/IP; how they function and can be manipulated. Project Management: knowledge of leading, planning, organizing, and controlling a penetration testing team. (Source: http://www.examcram.com)
  • 19. Modes of Ethical Hacking Insider attack Outsider attack Stolen equipment attack Physical entry Bypassed authentication attack (wireless access points) Social engineering attack (Source: http://www.examcram.com)
  • 20. Anatomy of an attack:• Reconnaissance – attacker gathers information; can include social engineering.• Scanning – searches for open ports (port scan) probes target for vulnerabilities.• Gaining access – attacker exploits vulnerabilities to get inside system; used for spoofing IP.• Maintaining access – creates backdoor through use of Trojans; once attacker gains access makes sure he/she can get back in.• Covering tracks – deletes files, hides files, and erases log files. So that attacker cannot be detected or penalized. (Source: www.eccouncil.org)
  • 21.  Hacker classes • Black hats – highly skilled, malicious, destructive “crackers” • White hats – skills used for defensive security analysts • Gray hats – offensively and defensively; will hack for different reasons, depends on situation. Hactivism – hacking for social and political cause. Ethical hackers – determine what attackers can gain access to, what they will do with the information, and can they be detected. (Source: www.eccouncil.org)
  • 22. Teaching Resources: Ethical Hacking Textbooks
  • 23. Ec-CouncilCertified Ethical Hacker www.eccouncil.org ISBN 0-9729362-1-1
  • 24. Ec-Council Topics Covered Introduction to Ethical Hacking Footprinting Scanning Enumeration System Hacking Trojans and Backdoors Sniffers Denial of Service Social Engineering Session Hijacking Hacking Web Servers
  • 25. Ec-Council (Cont.) Web Application Vulnerabilities Web Based Password Cracking Techniques SQL Injection Hacking Wireless Networks Viruses Novell Hacking Linux Hacking Evading IDS, Firewalls and Honeypots Buffer Overflows Cryptography
  • 26. Certified Ethical Hacker Exam Prep http://www.examcram.com ISBN 0-7897-3531-8
  • 27. Certified Ethical Hacker Exam Prep The Business Aspects of Penetration Testing The Technical Foundations of Hacking Footprinting and Scanning Enumeration and System Hacking Linux and automated Security Assessment Tools Trojans and Backdoors Sniffers, Session Hyjacking, and Denial of Service
  • 28. Certified Ethical Hacker Exam Prep (Cont.) Web Server Hacking, Web Applications, and Database Attacks Wireless Technologies, Security, and Attacks IDS, Firewalls, and Honeypots Buffer Overflows, Viruses, and Worms Cryptographic Attacks and Defenses Physical Security and Social Engineering
  • 29. Hands-On Information Security Lab Manual, Second Edition1. Footprinting2. Scanning and Enumeration3. Operating System Vulnerabilitiesand Resolutions4. Network Security Tools andTechnologies5. Security Maintenance6. Information SecurityManagement7. File System Security andCryptography8. Computer Forensics http://www.course.com/ ISBN 0-619-21631-X
  • 30. Hacking Tools: Footprinting and Reconnaissance
  • 31. Whois
  • 32. Whois (cont.) http://www.allwhois.com/
  • 33. Whois (cont.)
  • 34. Sam Spade
  • 35. Sam Spade (Cont.)
  • 36. Nslookup
  • 37. Nslookup Options
  • 38. Traceroute
  • 39. Ping
  • 40. Ping Options
  • 41. Hacking Tools: Scanning and Enumeration
  • 42. nmap
  • 43. NMapWin
  • 44. SuperScan
  • 45. SuperScan (Cont.)
  • 46. IP Scanner
  • 47. Hyena
  • 48. Retina
  • 49. LANguard
  • 50. Hacking Tools: System Hacking
  • 51. telnet
  • 52. Snadboy
  • 53. Password Cracking with LOphtcrack
  • 54. Keylogger
  • 55. Hacking Tools: Trojans and Backdoors
  • 56. NetBus
  • 57. Game Creates Backdoor for NetBus
  • 58. SubSeven
  • 59. Hacking Tools: Sniffers
  • 60. Spoofing a MAC address Original Configuration
  • 61. Spoofed Mac
  • 62. Ethereal
  • 63. Iris
  • 64. Snort
  • 65. Hacking Tools: Web Based Password Cracking
  • 66. Cain and Abel
  • 67. Cain and Abel (Cont.)
  • 68. Cain and Abel (Cont.)
  • 69. Legion
  • 70. Brutus
  • 71. Hacking Tools: Covering Tracks
  • 72. ImageHide
  • 73. ClearLogs
  • 74. ClearLogs (Cont.)
  • 75. Hacking Tools: Google Hacking and SQL Injection
  • 76. Google Hacking
  • 77. Google Cheat Sheet
  • 78. SQL Injection Allows a remote attacker to execute arbitrary database commands Relies on poorly formed database queries and insufficient input validation Often facilitated, but does not rely on unhandled exceptions and ODBC error messages Impact: MASSIVE. This is one of the most dangerous vulnerabilities on the web.
  • 79. Common Database Query
  • 80. Problem: Unvalidated Input
  • 81. Piggybacking Queries with UNION
  • 82. Hacker Challenge Websites
  • 83. http://www.hackr.org/mainpage.php
  • 84. Hackthissite.org http://www.hackthissite.org
  • 85. Answers revealed in code
  • 86. Hackits http://www.hackits.de/challenge/
  • 87. Additional Web Sites
  • 88. Legion of Ethical Hacking
  • 89. Legion of Ethical Hacking (Cont.)
  • 90. Hacker Highschool http://www.hackerhighschool.org/
  • 91. Hacker Highschool
  • 92. johnny.ihackstuff.com/
  • 93. HappyHacker.org
  • 94. Foundstone
  • 95. Insecure.org
  • 96. SANS Institute
  • 97. Questions & Answers