This document discusses ethical hacking. It defines hacking as unauthorized computer and network access and explains that ethical hackers are trusted professionals who test systems for vulnerabilities to improve security. The document outlines different types of hackers, common hacking techniques like SQL injection and cross-site scripting, and the skills and knowledge required of an ethical hacker like operating systems, networking protocols, and project management.
2. What is Hacking?
Hacking is unauthorized use of computer and network resources. (The term "hacker" originally meant a very gifted programmer. In recent years though, with easier access to multiple systems, it now has negative implications.)
3. Types of Hackers
Script Kiddies or Cyber-Punks: Between age 12-30; bored in school; get caught due to bragging online.
Professional Criminals or Crackers: Make a living by breaking into systems and selling the information.
Coders and Virus Writers: These have strong programming background and write code but won’t use it themselves; have their own networks called “zoos”; leave it to others to release their code into “The Wild” or Internet.
4. What do Hackers do?
A few examples of Web application hacks:
File Query
Browser caching
Cookie and URL hacks
SQL Injection
Cross-site Scripting (# 1 threat today!)
5. Web File Query
A hacker tests for HTTP (80) or HTTPS (443)
Does a “View Source” on HTML file to detect directory hierarchy
Can view sensitive information left by system administrators or programmers
Database passwords in /include files
6. Browser Page Caching
Be aware of differences between browsers!
Pages with sensitive data should not be cached: page content is easily accessed using browser’s history
7. Cookies and URLs
Sensitive data in cookies and URLs?
Issues that arise are:
Information is stored on a local computer (as files or in the browser’s history)
Unencrypted data can be intercepted on the network and/or logged into unprotected web log files
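
The caching and cookie/URL points from slides 6 and 7 can be checked mechanically on a response. The following is an added example, not part of the original slides; the function name, the list of sensitive parameter names and the sample responses are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as sensitive (assumed list for this example).
SENSITIVE_PARAMS = {"password", "passwd", "token", "sessionid"}

def audit_response(url, headers):
    """Return findings for one response; headers is a list of (name, value)."""
    findings = []

    # Cookies and URLs: query values end up in browser history and web logs.
    for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(f"sensitive parameter in URL: {name}")

    # Browser caching: without no-store the page may be kept on disk.
    cache = ",".join(v for k, v in headers if k.lower() == "cache-control")
    directives = {d.strip().lower() for d in cache.split(",")}
    if "no-store" not in directives:
        findings.append("page may be cached: Cache-Control lacks no-store")

    # Cookies: Secure keeps the cookie off unencrypted connections,
    # HttpOnly keeps it away from page scripts.
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(v)
        for cname, morsel in jar.items():
            for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly")):
                if not morsel[flag]:
                    findings.append(f"cookie {cname} lacks {label}")
    return findings

# Constructed sample responses (not from the original slides).
WEAK_URL = "https://shop.example/account?user=alice&password=hunter2"
WEAK_HEADERS = [
    ("Cache-Control", "private, max-age=600"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
]
FIXED_URL = "https://shop.example/account"
FIXED_HEADERS = [
    ("Cache-Control", "no-store"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print(audit_response(WEAK_URL, WEAK_HEADERS))
    print(audit_response(FIXED_URL, FIXED_HEADERS))
```
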
8. SQL Injection Attacks
SQL injection is a security vulnerability
that occurs in the database layer of an
application. Its source is the incorrect
escaping of dynamically-generated string
literals embedded in SQL statements.
9. Cross-Site Scripting (XSS) Attacks
Malicious code can secretly gather sensitive data from user while using authentic website (login, password, cookie)
10. What is Ethical Hacking?
Ethical hacking – defined “methodology adopted by ethical hackers to discover the harmed existing in information systems’ of operating environments.”
With the growth of the Internet, computer security has become a major concern for businesses and governments.
In their search for a way to approach the problem, organizations came to realize that one of the best ways to evaluate the unwanted threat to their interests would be to have independent computer security professionals attempt to break into their computer systems.
11. Who are Ethical Hackers?
“One of the best ways to evaluate the intruder threat is to have independent computer security professionals attempt to break their computer systems”
Successful ethical hackers possess a variety of skills. First and foremost, they must be completely trustworthy.
Ethical hackers typically have very strong programming and computer networking skills.
They are also adept at installing and maintaining systems that use the more popular operating systems (e.g., Linux or Windows 2000) used on target systems.
These base skills are detailed knowledge of the hardware and software provided by the more popular computer and networking hardware vendors.
12. What do Ethical Hackers do?
An ethical hacker’s evaluation of a system’s security seeks answers to these basic questions:
What can an intruder see on the target systems?
What can an intruder do with that information?
Does anyone at the target notice the intruder’s attempts or successes?
What are you trying to protect?
What are you trying to protect against?
How much time, effort, and money are you willing to expend to obtain adequate protection?
13. Required Skills of an Ethical Hacker
Routers: knowledge of routers, routing protocols, and access control lists
Microsoft: skills in operation, configuration and management.
Linux: knowledge of Linux/Unix; security setting, configuration, and services.
Firewalls: configurations, and operation of intrusion detection systems.
Mainframes: knowledge of mainframes.
Network Protocols: TCP/IP; how they function and can be manipulated.
Project Management: knowledge of leading, planning, organizing, and controlling a penetration testing team.
14. Hacker Classes
Black hats – highly skilled, malicious, destructive “crackers”
White hats – skills used for defensive security analysts
Gray hats – offensively and defensively; will hack for different reasons, depends on situation.
Hacktivism – hacking for social and political cause.
Ethical hackers – determine what attackers can gain access to, what they will do with the information, and can they be detected.
15. How to hack Windows-XP Passwords
Simple User Password:
Simply boot the system and press the keyboard key “F8”. After this, start the system in safe mode and open the Control panel --> User Account --> change or remove the password.