Week 1: Notes - morgan-hanrahan/Tech-Journal GitHub Wiki

Introduction to Ethical Hacking

“Legal and authorized attempt to locate and successfully exploit computer systems for the purpose of making those systems more secure”

Black Box Testing:

  • Testers have no inside knowledge of the target system(s)
  • The goal is to simulate an external hacking or cyber warfare attack
  • Pros:
    • Simulates real scenario
  • Cons:
    • Tests can take a long time
    • May miss important targets

White Box Testing:

  • Testers have inside knowledge
  • Often work in conjunction with system admins to conduct tests
  • Pros:
    • More efficient use of test time/resources
    • Ensures that all targets are included
  • Cons:
    • May not simulate a real attack

Rules of Engagement

“Agreement between tester(s) and those with permission to approve the test.”

  1. Protections for Tester?
  2. Protections for Organization being tested?
  3. Questions: Who, What, When, How, Where, Etc.

Cyber-Attack Method

Cyber-attacks vary with motives and targets but generally follow the same pattern.

Step 1. Reconnaissance - Find the targets

How do attackers identify targets?

  • Automated network scans
  • Scan for live hosts, server applications
  • Nmap is a popular tool
  • Browse directories and other public data
  • Scrape webpages for email and other databases
  • Acquire a list of targets from other attackers
  • Social Engineering

Step 2. Probe - Find the vulnerability

Targets are identified; now try to find vulnerabilities to exploit:

  • Improper security settings
    • Admin forgot to enable controls
    • Controls enabled wrong
  • Missing system patches
  • Passwords that are easy to guess
    • No password
    • Default password
    • Re-used password
  • Social Engineering
  • Look at vulnerability scanners
    • Nessus

Step 3: Exploit - Take advantage of the vulnerability to successfully complete attack

Vulnerability found:

  • Exploit the vulnerability for a successful attack
  • Examples:
    • System compromise
      • Gain remote control of system
      • Trick someone into giving you creds
    • Denial-of-Service
      • Limited connection sockets
    • System Misuse
      • Write access to web site: post scam pages
      • Write access to the file system: store copyrighted materials for illegal sharing

Reconnaissance

Goals:

  • Network Info
    • IP address, Ranges
    • Domain Info
    • Service provider
  • Systems
    • Service names/IPs
  • Applications
    • What's running
    • OS might not be vulnerable
  • Security Tools
    • Any filtering tools?
    • Firewalls
    • IPS
    • Endpoint Protection
  • People
    • Admins, Engineers
    • Developers
    • Others?
    • “There is no patch for stupid”
  • Partners
    • Vendors
    • Hosting Providers

Active vs Passive Recon

Active Recon

  • Includes interacting directly with the target
  • The target may record our IP and log our activity
  • Requires permission if going beyond public access
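As an added defender-side example (not part of these notes), the following Python script shows what "the target may record our IP and log our activity" looks like in practice: it runs over constructed firewall log lines in a hypothetical `src= dst= dport= action=` format and flags any source that touches many distinct ports on one host within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format); documentation IPs only.
SAMPLE_LOG = """\
2024-03-01T10:00:01 src=198.51.100.7 dst=192.0.2.10 dport=22 action=DROP
2024-03-01T10:00:01 src=198.51.100.7 dst=192.0.2.10 dport=23 action=DROP
2024-03-01T10:00:02 src=198.51.100.7 dst=192.0.2.10 dport=80 action=ACCEPT
2024-03-01T10:00:02 src=198.51.100.7 dst=192.0.2.10 dport=443 action=ACCEPT
2024-03-01T10:00:03 src=198.51.100.7 dst=192.0.2.10 dport=445 action=DROP
2024-03-01T10:00:03 src=198.51.100.7 dst=192.0.2.10 dport=3389 action=DROP
2024-03-01T10:00:04 src=198.51.100.7 dst=192.0.2.10 dport=8080 action=DROP
2024-03-01T10:00:05 src=198.51.100.7 dst=192.0.2.10 dport=8443 action=DROP
2024-03-01T10:00:06 src=198.51.100.7 dst=192.0.2.10 dport=5900 action=DROP
2024-03-01T10:00:07 src=198.51.100.7 dst=192.0.2.10 dport=21 action=DROP
2024-03-01T10:00:10 src=203.0.113.5 dst=192.0.2.10 dport=443 action=ACCEPT
2024-03-01T10:05:00 src=203.0.113.5 dst=192.0.2.10 dport=443 action=ACCEPT
2024-03-01T11:00:00 src=198.51.100.7 dst=192.0.2.10 dport=22 action=DROP
"""
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")

def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport, action) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the parser
        ts, src, dst, dport, action = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events

def find_port_scans(events, window=timedelta(seconds=60), threshold=8):
    """Map (src, dst) -> distinct ports for pairs hitting >= threshold ports within window."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _ in events:
        by_pair[(src, dst)].append((ts, dport))
    hits = {}
    for key, items in by_pair.items():
        items.sort()
        start = 0
        for end in range(len(items)):  # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            ports = {p for _, p in items[start:end + 1]}
            if len(ports) >= threshold and len(ports) > len(hits.get(key, ())):
                hits[key] = ports
    return hits
```

Dropped and accepted connections both count, since a scan of closed ports is as visible in the log as one of open ports.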

Passive Recon

  • Uses knowledge online
  • Not interacting directly with the target
    • Target has no way of knowing, recording, or logging our activity

Domain Registrations

ICANN - Internet Corporation for Assigned Names and Numbers

  • Organizations must register domain names
    • Domain Whois
  • Contact names, addresses, nameserver information

IP Address Registration

IANA: Internet Assigned Numbers Authority - Responsible for global coordination of IP addresses

Divided into 5 regions:

  • Each Region has a whois service
    • AfriNIC
    • APNIC
    • ARIN
    • LACNIC
    • RIPE

Google Hacking

  • Public search engines and directories can yield a lot of info
  • “Google Hacking” - Using sites like Google to gather information anonymously
  • What type of info?
    • Interesting people
    • Server info
    • Sensitive files
    • Vulnerabilities/Footholds