Ethical Hacking

Bharat T SabneAkshay M TeleNeha R PatilMayuri A MokalMayur S Ghode

Datta Meghe College of Engineering.

Overview

Old School Hackers: History of Hacking Types of Hackers Common Steps of Hackers Ethical Hacking Required Skills of an Ethical Hacker Ethical Hacking Tools

1971 - Cap ‘n Crunch phone exploit discovered

1988 - Morris Internet worm crashes 6,000 servers

1994 - $10 million transferred from CitiBank accounts

2000 - Major websites succumb to DDoS

2000 - 15,700 credit and debit card numbers stolen from Western Union (hacked while web database was undergoing maintenance)

2001 Code Red• exploited bug in MS IIS to penetrate & spread• probes random IPs for systems running IIS• had trigger time for denial-of-service attack• 2nd wave infected 360000 servers in 14 hours

Code Red 2 - had backdoor installed to allow remote control

Nimda -used multiple infection mechanisms email, shares, web client, IIS2002 – Slammer Worm brings web to its knees by attacking MS SQL Server

Old School Hackers: History of Hacking

Hacker A person who enjoys learning the details of computer systems and

how to stretch their capabilities….

One who programs enthusiastically or who enjoys programming rather than just theorizing about programming.

Access computer system or network without authorization

Types of hacker Black-Hat

Unauthorized user (malicious intent)

White-HatDebug or correct security vulnerabilities

Gray-HatMorally Ambiguous. Black-Hat skills, White-Hat tasks?

Common Steps of hackers

Reconnaissance Scanning & Enumeration Gaining access Maintaining access Covering tracks

Reconnaissance

• Intelligent work of obtaining information either actively or passively

• Examples:• Passively: Sniffing Traffic, eavesdropping• Actively: Obtaining data from American Registry for Internet

Numbers (ARIN), whois databases, web sites, social engineering

Scanning

• Identifying systems that are running and services that are active on them

• Examples: Ping sweeps and port scans


Gaining Access

• Exploiting identified vulnerabilities to gain unauthorized access

• Examples: Exploiting a buffer overflow or brute forcing a password and logging onto a system

Maintaining Access

• Uploading malicious software to ensure re-entry is possible

• Example: Installing a backdoor on a system

Covering Tracks

• Carrying out activities to hide one’s malicious activities

• Example: Deleting or modifying data in a system and its application logs


Ethical Hacking also known as penetration testing or intrusion testing or

red teaming has become a major concern for businesses and governments.

Companies are worried about the possibility of being “hacked” and potential customers are worried about maintaining control of personal information.

Necessity of computer security professionals to break into the systems of the organization.

Ethical hackers employ the same tools and techniques as the intruders.

They neither damage the target systems nor steal information.

The tool is not an automated hacker program rather it is an audit that both identifies the vulnerabilities of a system and provide advice on how to eliminate them.

Required Skills of an Ethical Hacker

Microsoft: skills in operation, configuration and management.

Linux: knowledge of Linux/Unix; security setting, configuration, and services.

Firewalls: configurations, and operation of intrusion detection systems.

Routers: knowledge of routers, routing protocols, and access control lists Mainframes

Network Protocols: TCP/IP; how they function and can be manipulated.

Project Management: leading, planning, organizing, and controlling a penetration testing team.

Hacking Tools: Foot printing and Reconnaissance

NslookupWhois

Hacking Tools: Foot printing and Reconnaissance

PingTraceroute

Hacking Tools: Scanning and Enumeration

nmap SuperScan

Hacking Tools: System Hacking

telnet Snadboy

Hacking Tools: System Hacking

Password Cracking with LOphtcrack Keylogger

Hacking Tools: Trojans and Backdoors

NetBus Game Creates Backdoor for NetBus

Hacking Tools: Sniffers/snooper

MAC makeup Ethereal

Hacking Tools: Web Based Password Cracking

Cain and Abel Legion

Hacking Tools: Covering Tracks

ImageHide ClearLogs

Google Hacking

SQL Injection

Allows a remote attacker to execute arbitrary databasecommands

Relies on poorly formed database queries and insufficient

input validationOften facilitated, but does not rely on unhandled

exceptions and ODBC error messagesImpact: MASSIVE. This is one of the most dangerous

vulnerabilities on the web.

Any Questions??