C|EH Introduction


Published on

Published in: Technology, News & Politics
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

C|EH Introduction

  1. 1. Ethical Hacking Presented By R. Sunil Kumar
  2. 2. Overview <ul><li>History of Internet </li></ul><ul><li>History of Hacking </li></ul><ul><li>Ethical Hacking </li></ul><ul><li>EC-Council : C|EH </li></ul><ul><li>C|EH Modules </li></ul>
  3. 3. Brief History of Internet <ul><li>1969  - The Advanced Research Projects Agency (ARPA) create the ARPANET, the forerunner of the Internet. The first four nodes (networks) of ARPANET consisted of the University of California Los Angeles, University of California Santa Barbara, University of Utah and the Stanford Research Institute. </li></ul><ul><li>1983  - The Internet is founded by splitting the Arpanet into separate military and civilian networks. </li></ul><ul><li>1983  - FidoNet is developed by Tom Jennings. FidoNet will become the most widespread information exchange network in the world for the next 10 years, until the Internet takes over. </li></ul><ul><li>1989  - the WWW is developed at CERN labs, in Switzerland. </li></ul><ul><li>1990  - The Arpanet is dismantled. </li></ul>
  4. 4. Advantages of Internet <ul><li>Sharing Information </li></ul><ul><li>Collection of Information </li></ul><ul><li>News </li></ul><ul><li>Searching Jobs </li></ul><ul><li>Advertisement </li></ul><ul><li>Communication </li></ul><ul><li>Entertainment </li></ul><ul><li>Online Education </li></ul><ul><li>Online Results </li></ul><ul><li>Online Airlines and Railway Schedules </li></ul><ul><li>Online Medical Advice </li></ul>
  5. 5. Disadvantages of Internet <ul><li>Theft of Personal information </li></ul><ul><li>Spamming </li></ul><ul><li>Viruses & Worms </li></ul><ul><li>Security Problems </li></ul><ul><li>Immorality </li></ul><ul><li>Wastage of times </li></ul><ul><li>chatting, playing games etc </li></ul>
  6. 6. History of Hacking
  7. 7. Hacker
  8. 8. Hackers are here. Where are you? <ul><li>The explosive growth of the Internet has brought many good things…As with most technological advances, there is also a dark side: criminal hackers. </li></ul><ul><li>HACKER noun. 1. A person who enjoys learning the details of computer systems and how to stretch their capabilities…. 2. One who programs enthusiastically or who enjoys programming rather than just theorizing about programming. </li></ul><ul><li>Hacking : The rapid crafting of a new program or making changes to the existing, usually complicated software </li></ul>
  9. 9. Hacker Classes <ul><li>Black Hats: Individuals who have extraordinary computing skills resorting to malicious or destructive purposes. </li></ul><ul><li>White Hats: individuals professing hacking skills and using them for defensive purposes. Also known as security professionals </li></ul><ul><li>Gray Hats: Individuals who work both offensively and defensively at various times. </li></ul><ul><li>Suicide Hackers: individuals who aim to bring down the critical infrastructures for a “cause” . </li></ul>
  10. 10. Hacker Classes <ul><li>Script Kiddies or Cyber-Punks: Between 12-30; predominantly white and male; bored in school; get caught due to bragging online; intent is to vandalize or disrupt systems. </li></ul><ul><li>Professional Criminals or Crackers: Make a living by breaking into systems and selling the information. </li></ul><ul><li>Coders and Virus Writers: See themselves as an elite; programming background and write code but won’t use it themselves; have their own networks called “zoos”; leave it to others to release their code into “The Wild” or Internet. ( www.tlc.discovery.com ) </li></ul>
  11. 11. Time Line and Major Events
  12. 12. <ul><li>1960s: The Dawn of Hacking MIT becomes home to the first computer hackers, who begin altering software and hardware to make it work better and/or faster. </li></ul><ul><li>1970s: Phone Phreaks and Cap'n Crunch: One phreak, John Draper (aka &quot;Cap'n Crunch&quot;), discovers a toy whistle inside Cap'n Crunch cereal gives 2600-hertz signal, and can access AT&T's long-distance switching system. Draper builds a &quot;blue box&quot; used with whistle allows phreaks to make free calls. </li></ul><ul><li>Steve Wozniak and Steve Jobs, future founders of Apple Computer, make and sell blue boxes. </li></ul><ul><li>1980s: Hacker Message Boards and Groups Hacking groups form; such as Legion of Doom (US), Chaos Computer Club (Germany). </li></ul><ul><li>1983: Kids' Games Movie &quot;War Games&quot; introduces public to hacking. </li></ul>
  13. 13. <ul><li>1984: Hacker Zines Hacker magazine 2600 publication; online zine Phrack. </li></ul><ul><li>1986: Congress passes Computer Fraud and Abuse Act; crime to break into computer systems. </li></ul><ul><li>1 988: The Morris Worm Robert T. Morris, Jr., launches self-replicating worm on Arpanet. </li></ul><ul><li>1989: The Germans , the KGB and Kevin Mitnick. </li></ul><ul><li>German Hackers arrested for breaking into U.S. computers; sold information to Soviet KGB ( Komitet Gosudarstvennoy Bezopasnosti) . </li></ul><ul><li>Hacker &quot;The Mentor“ arrested; publishes Hacker's Manifesto. </li></ul><ul><li>1990 : Kevin Mitnick </li></ul><ul><li>convicted; first person convicted under law against gaining access to interstate network for criminal purposes. </li></ul>
  14. 14. <ul><li>1990s: Why Buy a Car When You Can Hack One? Radio station call-in contest; hacker-fugitive Kevin Poulsen and friends crack phone; they allegedly get two Porsches, $20,000 cash, vacation trips; Poulsen now a freelance journalist covering computer crime. </li></ul><ul><li>First Def Con hacking conference in Las Vegas </li></ul><ul><li>1995: The Mitnick Takedown: Arrested again; charged with stealing 20,000 credit card numbers. </li></ul><ul><li>1995: Russian Hackers Siphon $10 million from Citibank; Vladimir Levin, leader. </li></ul><ul><li>1999 hackers attack Pentagon, MIT, FBI web sites. </li></ul><ul><li>damage through attacks on government and military computer systems has been calculated at between $1.5 and $1.8 Billion for 1999 </li></ul><ul><li>1999: E-commerce company attacked; blackmail threats followed by 8 million credit card numbers stolen. </li></ul>
  15. 15. <ul><li>2000 </li></ul><ul><li>May: The  ILOVEYOU  worm, also known as VBS/Loveletter and Love Bug worm, is a computer worm written in VBScript. It infected millions of computers worldwide within a few hours of its release. </li></ul><ul><li>September: teenage hacker  Jonathan James  becomes first juvenile to serve jail time for hacking. </li></ul><ul><li>2001 </li></ul><ul><li>Microsoft becomes the prominent victim of a new type of hack that attacks the  domain name server . In these denial-of-service attacks, the DNS paths that take users to Microsoft's Web sites are corrupted. </li></ul><ul><li>August:  Code Red worm , infects tens of thousands of machines. </li></ul>
  16. 16. <ul><li>2002 </li></ul><ul><li>August: Researcher  Chris Paget  publishes a paper describing &quot; shatter attacks &quot;, detailing how Windows' unauthenticated  messaging system  can be used to take over a machine. The paper raises questions about how securable Windows could ever be. </li></ul><ul><li>October: The  International Information Systems Security Certification Consortium  - (ISC)2 - confers its 10,000th  CISSP  certification. </li></ul><ul><li>2003 </li></ul><ul><li>March:  CULT OF THE DEAD COW  and  Hacktivismo  are given permission by the  United States Department of Commerce  to export software utilizing strong encryption. </li></ul><ul><li>December 18:  Milford Man  pleas guilty to hacking. </li></ul>
  17. 17. <ul><li>2004 </li></ul><ul><li>March:  Myron Tereshchuk  is arrested for attempting to extort $17 million from  Micropatent . </li></ul><ul><li>July: North Korea claims to have trained 500 hackers who successfully crack South Korean, Japanese, and their allies' computer systems. [18] </li></ul><ul><li>2005 </li></ul><ul><li>September 13 :  Cameron Lacroix  is sentenced to 11 months for gaining access to  T-Mobile USA's  network and exploiting  Paris Hilton's   Sidekick . [19] </li></ul><ul><li>November 3 :  Jeanson James Ancheta , whom prosecutors say was a member of the &quot;Botmaster Underground&quot;, a group of  script kiddies  mostly noted for their excessive use of  bot attacks  and propagating vast amounts of  spam , was taken into custody after being lured to FBI offices in Los Angeles. [20] </li></ul>
  18. 18. <ul><li>2006 </li></ul><ul><li>May: Jeanson James Ancheta receives a 57 month prison sentence,  [6]  and is ordered to pay damages amounting to $15,000.00 to the Naval Air Warfare Center in China Lake and the Defense Information Systems Agency, for damage done due to DDoS attacks and hacking. Ancheta also had to forfeit his gains to the government, which include $60,000 in cash, a BMW, and computer equipment  [7] . </li></ul><ul><li>May: Largest Defacement in Web History is performed by the  Turkish  hacker  iSKORPiTX  who successfully hacked 21,549 websites in one shot.  [8] </li></ul><ul><li>October: Jesus Oquendo releases Asteroid, a SIP Denial of Service testing tool. It broke all versions of Asterisk until 1.2.13. Asteroid is also known to affect certain SIP Softphones, SIP Phones and possibly other products using the SIP protocol. It was used in  Henning Schulzrinne 's Columbia University seminars. See MITRE CVE-2006-5444 and CVE-2006-5445 </li></ul>
  19. 19. <ul><li>2007 </li></ul><ul><li>May 17:  Estonia  recovers from massive denial-of-service attack [21] </li></ul><ul><li>June 13: FBI Operation Bot Roast finds over 1 million botnet victims </li></ul><ul><li>June 21: A  spear phishing  incident at the  Office of the Secretary of Defense  steals sensitive U.S. defense information, leading to significant changes in identity and message-source verification at OSD. </li></ul><ul><li>August 11:  United Nations  website hacked by Turkish Hacker Kerem125 </li></ul><ul><li>October 7:  Trend Micro  website successfully hacked by Turkish hacker Janizary(a.k.a Utku) </li></ul><ul><li>November 29: FBI Operation Bot Roast II: 1 million infected PCs, $20 million in losses and 8 indictments </li></ul>
  20. 20. <ul><li>2008 </li></ul><ul><li>January 18:  Project Chanology  Anon attacks Scientology website servers around the world. Private documents are stolen from Scientology computers and distributed over the Internet. </li></ul><ul><li>March 7: Around 20 Chinese hackers claim to have gained access to the world's most sensitive sites, including  The Pentagon . They operate from a bare apartment on a Chinese island. </li></ul>
  21. 21. <ul><li>2009 </li></ul><ul><li>April 1: Conficker worm has infiltrated billions of PCs worldwide including many government-level top-security computer networks. </li></ul>
  22. 22. Ethical Hacking
  23. 23. What is Ethical Hacking? <ul><li>Ethical hacking – defined “methodology adopted by ethical hackers to discover the vulnerabilities existing in information systems, operating environments.” </li></ul><ul><li>With the growth of the Internet, computer security has become a major concern for businesses and governments. </li></ul><ul><li>In their search for a way to approach the problem, organizations came to realize that one of the best ways to evaluate the intruder threat to their interests would be to have independent computer security professionals attempt to break into their computer systems. </li></ul>
  24. 24. Who are Ethical Hackers? <ul><li>“ One of the best ways to evaluate the intruder threat is to have an independent computer security professionals attempt to break their computer systems” </li></ul><ul><li>Successful ethical hackers possess a variety of skills. First and foremost, they must be completely trustworthy. </li></ul><ul><li>Ethical hackers typically have very strong programming and computer networking skills. </li></ul><ul><li>They are also adept at installing and maintaining systems that use the more popular operating systems (e.g., Linux , Unix, Windows ) used on target systems. </li></ul><ul><li>These base skills are augmented with detailed knowledge of the hardware and software provided by the more popular computer and networking hardware vendors. </li></ul>
  25. 25. <ul><li>Ethical Hacker classes </li></ul><ul><ul><li>Former Black hats – Reformed hackers, first-hand experience, </li></ul></ul><ul><ul><li>lesser credibility perceived </li></ul></ul><ul><ul><li>W hite hats – Individual security consultants, knowledgeable about black hats </li></ul></ul><ul><ul><li>Consulting Firms – Part of ICT firms, good credentials </li></ul></ul>
  26. 26. What do Ethical Hackers do? <ul><li>An ethical hacker’s evaluation of a system’s security seeks answers to these basic questions: </li></ul><ul><ul><li>What can an intruder see on the target systems? </li></ul></ul><ul><ul><li>What can an intruder do with that information? </li></ul></ul><ul><ul><li>Does anyone at the target notice the intruder’s at tempts or successes? </li></ul></ul><ul><ul><li>What are you trying to protect? </li></ul></ul><ul><ul><li>What are you trying to protect against? </li></ul></ul><ul><ul><li>How much time, effort, and money are you willing to expend to obtain adequate protection? </li></ul></ul>
  27. 27. Required Skills of an Ethical Hacker <ul><li>Routers: knowledge of routers, routing protocols, and access control lists </li></ul><ul><li>Windows: skills in operation, configuration and management. </li></ul><ul><li>Linux: knowledge of Linux/Unix; security setting, configuration, and services. </li></ul><ul><li>Firewalls & IDS & IPS: configurations, and operation of IDS and IPS. </li></ul><ul><li>Mainframes </li></ul><ul><li>Network Protocols: TCP/IP; how they function and can be manipulated. </li></ul><ul><li>Project Management: knowledge of leading, planning, organizing, and controlling a penetration testing team. </li></ul>(Source: http://www.examcram.com )
  28. 28. Approaches to Ethical Hacking <ul><li>Remote network </li></ul><ul><li>Remote dial-up network </li></ul><ul><li>Local network </li></ul><ul><li>Stolen Equipment </li></ul><ul><li>Physical entry </li></ul><ul><li>Social engineering </li></ul>(Source: http://www.examcram.com )
  29. 29. Anatomy of an attack: <ul><ul><li>Reconnaissance – attacker gathers information; can include social engineering. </li></ul></ul><ul><ul><li>Scanning – searches for open ports (port scan) probes target for vulnerabilities. </li></ul></ul><ul><ul><li>Gaining access – attacker exploits vulnerabilities to get inside system; used for spoofing IP. </li></ul></ul><ul><ul><li>Maintaining access – creates backdoor through use of Trojans; once attacker gains access makes sure he/she can get back in. </li></ul></ul><ul><ul><li>Covering tracks – deletes files, hides files, and erases log files. So that attacker cannot be detected or penalized. </li></ul></ul>(Source: www.eccouncil.org )
  30. 30. How Much Do Ethical Hackers Get Paid? <ul><li>Globally, the hiring of ethical hackers is on the rise with most of them working with top consulting firms. </li></ul><ul><li>In the United States, an ethical hacker can make upwards of $120,000 per annum. </li></ul><ul><li>Freelance ethical hackers can expect to make $10,000 per assignment. </li></ul><ul><li>Some ranges from $15,000 to </li></ul><ul><li>$45,000 for a standalone ethical </li></ul><ul><li>hack. </li></ul>
  31. 31. Ec-Council: Certified Ethical Hacker
  32. 32. EC-COUNCIL <ul><li>International council of electronic commerce consultants </li></ul><ul><ul><li>Most successful and rapidly growing IT security and certification providers </li></ul></ul><ul><ul><li>Standardized the concept of “Ethical Hacking” </li></ul></ul><ul><ul><li>EC-Council was the first to provide certification standards for these “Ethical Hackers” </li></ul></ul><ul><ul><li>EC-Council has trained more than 60,000 IT professionals, with over 20,000 earning a certification </li></ul></ul>
  33. 33. EC-Council has certified IT professionals from the following organizations as CEH: <ul><li>Novell, Canon, Hewlett Packard, US Air Force Reserve, US Embassy, Verizon, PFIZER, HDFC Bank, University of Memphis, Microsoft Corporation, Worldcom, Trusecure, US Department of Defense, Fedex, Dunlop, British Telecom, Cisco, Supreme Court of the Philippines, United Nations, Ministry of Defense, UK, Nortel Networks, MCI, Check Point Software, KPMG, Fleet International, Cingular Wireless, Columbia Daily Tribune, Johnson & Johnson, Marriott Hotel, Tucson Electric Power Company, Singapore Police Force </li></ul>
  34. 34. (Cont.) PriceWaterhouseCoopers, SAP, Coca-Cola Corporation, Quantum Research, US Military, IBM Global Services, UPS, American Express, FBI, Citibank Corporation, Boehringer Ingelheim, Wipro, New York City Dept Of IT & Telecom – DoITT, United States Marine Corps, Reserve Bank of India, US Air Force, EDS, Bell Canada, SONY, Kodak, Ontario Provincial Police, Harris Corporation, Xerox, Philips Electronics, U.S. Army, Schering, Accenture, Bank One, SAIC, Fujitsu, Deutsche Bank
  35. 35. Certified Ethical Hacker (C|EH) Training <ul><li>EC-Council Academy </li></ul><ul><li>http://www.eccouncil.org </li></ul><ul><ul><li>Five-day Course </li></ul></ul><ul><ul><li>(C|EH) exam Code 312-50 </li></ul></ul><ul><ul><li>No. Of questions : 150 </li></ul></ul><ul><ul><li>Exam Duration : 4 hours </li></ul></ul><ul><ul><li>Passing Score : 70% </li></ul></ul><ul><ul><li>Prometric and vue </li></ul></ul>
  36. 36. C|EH Modules
  37. 37. EC-Council <ul><li>Certified Ethical Hacker </li></ul>www.eccouncil.org ISBN 0-9729362-1-1
  38. 38. Ec-Council Topics Covered <ul><li>Introduction to Ethical Hacking </li></ul><ul><li>Hacking Laws </li></ul><ul><li>Foot printing </li></ul><ul><li>Google hacking </li></ul><ul><li>Scanning </li></ul><ul><li>Enumeration </li></ul><ul><li>System Hacking </li></ul><ul><li>Trojans and Backdoors </li></ul><ul><li>Viruses and worms </li></ul><ul><li>Sniffers </li></ul><ul><li>Social Engineering </li></ul>
  39. 39. Ec-Council (Cont.) <ul><li>Phishing </li></ul><ul><li>Hacking Email Accounts </li></ul><ul><li>Denial-of-service </li></ul><ul><li>Session Hijacking </li></ul><ul><li>Hacking Web servers </li></ul><ul><li>Web Application vulnerabilities </li></ul><ul><li>Web base password cracking </li></ul><ul><li>Sql Injection </li></ul><ul><li>Hacking wireless networks </li></ul><ul><li>Physical Security </li></ul>
  40. 40. Ec-Council (Cont.) <ul><li>Linux Hacking </li></ul><ul><li>Evading IDS, Firewalls and detecting honey pots </li></ul><ul><li>Buffer overflows </li></ul><ul><li>Cryptography </li></ul><ul><li>Penetration testing </li></ul>