What is Black Hat Ethical Hacking? If you want to know, feel free to read this article, which goes beyond the terminology we know about hackers.
Black Hat “Ethical” Hacking – What does that mean? Black Hat / Ethical?
To understand that, you need to know what all the Hats mean (Black, White, Grey, Red, Blue), so that you will be able to understand what Black Hat “Ethical” Hacking is about.
Wikipedia classifies “Black Hat”:
Black-hat hackers form the stereotypical, illegal hacking groups often portrayed in popular culture,
and are "the epitome of all that the public fears in a computer criminal". Black-hat hackers break into
secure networks to destroy, modify, or steal data or to make the network unusable for those who are
authorized to use the network
Now, that also comes with a price: skill. Talent you can have in something, but skill cannot be measured in words, only in work and results. Not even a paper can prove true skill, because it limits someone to saying “You have a CEH”, so it means you are very skillful in the security industry.
It's not like that, though. Many people train and study and gain skill in how to install, configure and maintain networks, but it is not necessarily their skill to “test” them the way a real “hacker” would. It's like martial arts: they teach you the skill and art of defending yourself. If you misuse it, they are not responsible, yet you earn the skill of defense from an offensive perspective.
There are people who are skillful on the offensive side. What we are saying is that true security is combining the work of the defensive side with an offensive side, working together, to guard against a real offensive side.
It takes one to know one.
That requires a NEW position to be created that will handle this specific task.
“You take the good, you take the bad, you take them both, and there you have the facts of life”
It's like 2 strong opposite sides pushing in opposite directions: one gains skill in maintaining the right direction and the other has skill to maintain the left direction.
Ethical comes in between and says: what if you managed to grow both in your company, so they can test real-life scenarios, each one with their expertise, and offer a stronger defensive system for your company? To do that, you need to allow the position to develop, and until then, ask for the “Black Hat” techniques to be tested.
Black Hats are skillful. They are not one, they are many, they are a community. It's not something you learn, it's a way you live. The only issue is the ethical part behind it: the fact that it can take seconds to identify the vulnerabilities from a quick scan of an IP address. Then it all comes down to how skillful you are at exploiting that, how fast and how confident you are in getting a session, and how well you know that “Shell” is just the beginning. Add the fact that you can use social engineering and manipulate the human element behind the hardware, use physical access, techniques that develop from experience in using such tools to test your internal and external network, and the ability to test it from a real-world scenario. When you study how to protect something, they are already testing how to break it. It's passion. Some don't do it for unethical reasons; some do it for the passion, and offer it as a service, helping you and your IT people see it from this perspective, and it's up to you how much investment you want to put in to fix those, or accept them as “Known” business risks.
Q: Hey, you have port 22 open, and it has no protection from brute force, so our scanner that ran a simple dictionary test found your root password. Are you OK with that?
A1: Yes, we are aware of that risk.
A2: How can we fix that?
That is just an example of a very basic question, of an approach that a hacker looks at. Their mindset works differently: they can search for an SQL injection on your website, a mistake you did not see, because you paid a developer to do a site or an article, but he didn't pay attention that the way he wrote it allowed an attacker to take advantage of it, and escalate until he got the details needed to have access to your network.
Black Hats look for such details. Do you want to know if you are safe? You can.
The word “Shell” is the beginning; to a hacker, it is like GOD ACCESS in the IT world. After a shell, a hacker can quickly escalate privileges, and once you have a meterpreter session with System rights, that is completely over. You can sniff traffic, you can be in a MITM environment (Game Over) where from one compromised device you launch a massive attack compromising every device having access to it, installing massive keyloggers across, decrypting history files from browsers, making persistency, stealing accounts, bitcoins, social media, important work, and that is just the beginning. Yes, record audio, access the webcam, and if it's a phone, dump the call lists and the SMS, send and spoof as that person, and more.
This is a glimpse of what they can do, and a skillful “Black Hat” does not need to explain how he does it; he does it. And does it fast.
Now yes, that is criminal. But imagine you get people with such a mindset and skill to perform a penetration test in your network: not a software that can scan well, but the person behind it, with such a mindset, doing the scan.
It means all you have to do is give him an IP and a name of a company, and the job of a black hat “Ethical” hacker is to get you proof of how he compromised your network, and not “IF”. How to fix and mitigate each one, and what steps are needed from your side, so that you can overcome not a simulated attack but a real one. How important is it to you?
No software can do that, but signing a Non-Disclosure Agreement with them grants them the right to do whatever is needed to test your network, with everything documented for your team to read, study and start performing the changes. Some of them require educational lessons for your employees; maybe you need to hire more people to actually develop this in your company. It depends on whether you have the time and the right people for this job, or you outsource it and have your people fix regularly, or just accept it as a “Known Business Risk”.
This is what Black Hat Ethical Hacking is about.
Since there are terminologies of White Hats, Black Hats, Grey Hats, and Blue Hats, you already know about that.
Black Hat “ethical” Hacking is a new classification. And important too in the Cyber Security world.
Security is a myth... the good people get to study how to make things more secure, and the bad people are testing new methods against those, like a cat and mouse. The problem is that a major fact called the “Human” element is what a black hat can use to take over any hardware system from any brand and vendor and any IDS system in the world. That element's weakness is the most vulnerable and dangerous factor: “Social Engineering”.
Hacking is 90% Recon and 10% Execution and Post Work, or 1% Execution (Shell Access, Exploit done) and the 9% Post Work and Clean.
Reconnaissance and social engineering have to do with a lot of research about the company, the people working for it, and your exposure on the internet, such as whether a member subscribed to an external site, like an online pizza delivery, with his work email and using the same password.
Things like that can be discovered in minutes, hours or days, so with all the years of work, a black hat can see this quickly. Programs like Maltego, scripts, skill and custom-written Python using API keys of search engines, social media and Shodan, and tools like Recon-NG can be used. That is skill, and the attack gets well prepared and targeted through a social engineering method that will make that person vulnerable. This is all it takes: one window, one click, one mistake for a black hat to compromise you completely.
Which security device can protect you from that?
In Conclusion:
The best way to secure yourself is to grow your own security in your company: create it based on your needs, and invest in people who know about the other side of things, like blue and red team. Create your own red team and blue team, have them test real scenarios, and let the red team show the skill to the blue team, so that the blue team can, with their expertise, protect and take the right steps to prevent such techniques. Let the passion take its course; it's passion that will let you make the difference. Lose that, and watch what happens.
But to do this, you need to allow the RED (Black Hat) team to show you how it's done: not “show” you, but let you “get” a taste of how strong the war you are up against is, because DDoS CAN be done by a 12 year old, on a 3G card he got, from a phone running a terminal, and SSH to a Raspberry Pi somewhere, with ONE command. And this CAN ruin your networks, and create havoc with your hardware. And YES, there is prevention for that, and it's VERY simple, because the mindset of a Black Hat, the way they learn, is the opposite of the way it is taught. And it is a small percent that know that, so true security is allowing both to perform this.
Black Hat Ethical Hacking – offers such Black Box techniques – If you are certain and confident that if you get attacked you are ready to apply the remedy and mitigate your risks, why not test that from this perspective? Cyber criminals are there, and doing great damage. It's not “IF” you will get attacked, it's “When” you will get attacked, and how badly you will be damaged based on the necessary precautions taken against such an attack.
Written by Chris Abou-Chabke // blackhatethicalhacking.com