
Bar Camp 11 Oct09 Hacking


A session by Manu Zacharia at BarcampKerala6, Ragiri College, Cochin

http://www.matriux.com

Published in: Technology, News & Politics

  1. 1. # ethical hacking - hacking in its real sense by Manu Zacharia MVP (Enterprise Security), C|EH, C|HFI, Certified ISO 27001:2005 LA, MCP, CCNA, AFCEH
  2. 2. CONTENTS INTRODUCTION WHO IS A HACKER? STATISTICS & CASE STUDY ETHICAL HACKING & PEN TEST CONCLUSION & Q ‘n’ A www.matriux.com
  3. 3. WHO AM I Manu Zacharia Security Evangelist
  4. 4. WHO AM I
  5. 5. # hacking • What’s the image that comes to your mind when you hear about “hacker” or “hacking”?
  6. 6. BEFORE WE START….
  7. 7. # hacking • Commonly defined in the media as: “Illegal intrusion into a computer system without the permission of the computer owner/user”
  8. 8. # misconceptions • Most people associate hacking with breaking the law. • Assume that everyone who engages in hacking activities is a criminal
  9. 9. # hacking But what is hacking in its real sense?
  10. 10. # hacker defined HACKER (Originally, someone who makes furniture with an Ax.)
  11. 11. # hacker • Someone involved in computer security/insecurity • An enthusiastic home computer hobbyist • A programmer(ing) culture that originated in US academia in the 1960’s - nowadays closely related with open source / free software.
  12. 12. # history of hacking • Started off – MIT – Late 1950’s • Tech Model Rail Road club of MIT • Donated old telephone equipment • They re-worked & re-created a complex system that allowed multiple operators to control different parts of the track by dialing into the appropriate sections.
  13. 13. # hacking & open source
  14. 14. # they called it hacking They called this new and inventive use of telephone equipment hacking
  15. 15. # hacker evolution • The conventional boundaries were broken also at MIT Rail Road Club.
  16. 16. # do you know him? • Often known as “Programmer's programmer” • Creator of Ghostscript, a highly-portable, high-quality, Open Source implementation of the PostScript language. • Founder of Aladdin Enterprises • Authored or co-authored various RFCs - RFC 190, RFC 446, RFC 550, RFC 567, RFC 606, RFC 1950, RFC 1951 and RFC 1952
  17. 17. # do you know him? • Dr. L. Peter Deutsch • Started programming at the age of 11. • He was accepted to the MIT Rail Road club at the age of 12 when he demonstrated his knowledge of the TX-0 and his desire to learn.
  18. 18. # TX-0 • Fully transistorized computer • Transistorized Experimental computer zero • TX-0 - affectionately referred to as tixo (pronounced "tix oh")
  19. 19. # short-pant hacker • Age • Race, • Gender, • Appearance, • Academic degrees, and • Social status were defied in search for free information
  20. 20. # hacking Know the difference between a cracker and a hacker.
  21. 21. # the money factor
  22. 22. # why study & select security? • The 3 upcoming technology areas (Triple-S – 3S). • Synchronize (Collaboration) • Store (Storage), • Secure – (Security) • It's challenging • You need to have the “stuff”
  23. 23. # scope for a security pro • Almost all the major / critical networks like: • Defense, • Communication, • Financial, • Infra networks, (Power Grids,) • Comn networks, etc
  24. 24. # financials “skilled” sec pro • Average hourly rate – $40 – $60 • Skilled Pen Testers – $100 – $120 - $150 • 100 X 8 hrs = 800 • 800 X 5 days = 4000 • 4000 X 20 working days = 80,000 • $ 80,000 to INR (Rs 50) = 40,00,000
  25. 25. # it’s a long journey
  26. 26. # bytes ‘n’ bullets “bytes are replacing bullets in the crime world”
  27. 27. THE BIG PICTURE • World wide internet usage (2008) - 694 Million • World wide internet usage (2009) - 1.4 Billion Source: comScore Networks • Internet usage – growth rate (India) = 142 %
  28. 28. THE BIG PICTURE [Bar chart: Top 10 Online Populations by Country. Excludes traffic from public computers such as Internet cafes and access from mobile phones or PDAs.]
  29. 29. BEFORE WE START…. [Chart: INTERNET USERS - INDIA, 2000 to 2007. Source: Report of the Internet and Mobile Association of India (IAMAI) and IMRB International]
  30. 30. # the bigger picture • 1.4 Billion users can communicate with your system or • Your system can communicate with 1.4 Billion users.
  31. 31. # the bigger picture • Out of the 1.4 Billion, some can rattle your door to your computer to see if it is locked or not • locked – It's fine • not locked – not fine
  32. 32. # can you handle it • Out of the 1.4 Billion, if 1% connects to your system, what will happen? • 1% = ?
  33. 33. # case study
  34. 34. # case study • The most powerful and costliest (physics) experiment ever built • 5000 high power magnets arranged in a 27 km giant tunnel. • will re-create the conditions present in the Universe just after the Big Bang • Large Hadron Collider (LHC) • CERN - European Organization for Nuclear Research • Hacked on 10 Sep 08
  35. 35. # case study
  36. 36. CASE STUDY
  37. 37. CASE STUDY
  38. 38. VICTIMS
  39. 39. VICTIMS
  40. 40. # credit & debit cards? • How many of you use credit cards? • What is the trust factor here?
  41. 41. # case study • Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over a period of three months
  42. 42. CASE STUDY
  43. 43. # no boundaries • What does this mean? • Internet = No boundaries • You(r network) could be the next target
  44. 44. # security
  45. 45. # traditional security concept Protecting the resources by locking it under lock and key
  46. 46. # current security concept • Security is a state of well being • Security is all about being prepared for the unexpected.
  47. 47. # information security The • policies, • procedures and • practices required to maintain and provide assurance of the • confidentiality, • integrity, and • availability of information
  48. 48. # security jargon # Confidentiality # Integrity # Availability # CIA Triad # Vulnerability # Threat # Risk # Exposure # Countermeasure
  49. 49. # penetration testing Penetration testing is a time-constrained and authorized attempt to breach the architecture of a system using attacker techniques. Also known as EH
  50. 50. # why penetration testing To test if internal users can break security To test if external threats can break your corporate security Compliance with standards Ensure and assure state of security to all stakeholders
  51. 51. # steps in hacking Phase 1 – Reconnaissance Phase 2 – Scanning Phase 3 – Gaining Access Phase 4 – Maintaining Access Phase 5 – Covering Tracks
  52. 52. # demo Pre-attack phase Attack Phase Post Attack Phase
  53. 53. # types of pen testing • Black Box Testing • No prior knowledge • White Box Testing • Detailed knowledge of targeted network and systems • Emulates attackers with insider knowledge • Grey Box Testing / Hybrid Testing • Combination of black and white testing.
  54. 54. # elements of pen testing Three elements of penetration testing are: • People • Process • Technology Elements should be properly balanced to get the maximum quality output.
  55. 55. # technology Two Types of technology associated with Pen Test: • Pen Testing Tools and Technology Example – Info Gathering Tools Network Scanning Tools • Technology implemented at the clients / testing site. Example – OS Implemented Database used
  56. 56. # pen testing team Consists of generally three teams • Red Team – Attackers / pen testers • Blue Team – Defenders • White Team – Intermediate Team
  57. 57. # rules of engagement • Definition: “ROE are detailed guidelines established before the start of an information security test that give the test team authority to conduct the technical and nontechnical activities defined in the ROE without additional permission.” • It is the basis on which the PT is performed. • It will serve as a contract between the customer and the testing agent.
  58. 58. # hacking domain • Foot printing • Scanning • Enumeration • System Hacking • Trojans and Backdoors • Sniffers • DoS, DDoS, DRDoS • Social Engineering • Session Hijacking • Web Server Hacking • Web App Vulnerabilities • Web password cracking • Wireless Hacking • Buffer Overflow • Cryptography
  59. 59. # security & women • Shon Harris – Author of CISSP Study Guide and Info Sec Expert • Laura Chappell – Security Expert – Packet Analysis
  60. 60. Most frequently asked questions Read, Read and Read – Make it a habit Thorough understanding OS Concepts Networking Concepts (TCP/IP) Programming / Coding (2 to 3 languages – Assembly, C, C++, Python, Perl, PHP, MySQL / SQL)
  64. 64. http://www.owasp.org/index.php/Kerala Contact - deepu.joseph1@gmail.com
  66. 66. # matriux Free and Open source project – OS You can be part of it – how? Write your scripts or programs and send it to us Test the OS and ensure its stability Documentation or Graphics
  67. 67. # forum http://chat.theadmins.info or irc://irc.chat4all.org/#theadmis
  68. 68. HACKING “If you are a hacker everyone knows you, if you are a good hacker nobody knows you.”
  69. 69. # contact me Manu Zacharia m@matriux.com 98470-96355 or
  70. 70. www.matriux.com
