
How to hack or what is ethical hacking

Date post: 14-Jul-2015
Upload: baabtracom-no-1-supplier-of-quality-freshers
Page 1: How to hack or what is ethical hacking
Page 2: How to hack or what is ethical hacking

Ethical Hacking

Date: 16- 01 -15


Page 3: How to hack or what is ethical hacking

Contents

• Why ethical hacking

• Different Phases in hacking

• Hack something live

• Career as a hacker

Page 4: How to hack or what is ethical hacking

What is Hacking?

Page 5: How to hack or what is ethical hacking

What is Hacking?

“Hacking is the practice of modifying the features of a system, in order to accomplish a goal outside of the creator's original purpose”

Page 7: How to hack or what is ethical hacking

What is Hacking?

It's hacking a system with the permission of the system owner.

Page 8: How to hack or what is ethical hacking

Why ethical hacking?

● It is hacking performed by a company or individual to help identify potential threats on a computer or network.

● An ethical hacker attempts to bypass the system security and search for any weak points that could be exploited by malicious hackers.

● This information is then used by the organization to improve the system security, in an effort to minimize or eliminate any potential attacks.

Page 9: How to hack or what is ethical hacking

The hacker Groups !

Page 10: How to hack or what is ethical hacking

TYPES OF HACKER

» Black Hat Hacker

– Bad guys

– Use their skill maliciously for personal gain

– Hack banks, steal credit cards and deface websites

» White Hat Hacker

– Good guys

– Don’t use their skill for illegal purposes

– Computer security experts who help to protect from Black Hats.

Page 11: How to hack or what is ethical hacking

TYPES OF HACKER

» Grey Hat Hacker

– A combination of White Hat and Black Hat hackers

– They usually do not hack for personal gain or have malicious intentions, but may be prepared to break some laws during the course of their technological exploits in order to achieve better security

Page 12: How to hack or what is ethical hacking

White hat hackers are normally referred to as ethical hackers. Ethical hacking is also called penetration testing.

Page 13: How to hack or what is ethical hacking

Hackers according to Skill sets

• Elite hacker: They're the masters of deception that have a solid reputation among their peers as the cream of the hacker crop.

• Script Kiddie: A Script Kiddie is basically an amateur hacker who doesn’t have much knowledge to program tools to break into computer networks. He often uses hacking tools downloaded from the internet, written by other hackers/security experts.

Page 14: How to hack or what is ethical hacking

How does a hacker become an ethical hacker?

● In order for hacking to be deemed ethical, the hacker must obey the following rules:

o You have expressed (often written) permission to probe the network and attempt to identify potential security risks.

o You respect the individual's or company's privacy.

o You close out your work, not leaving anything open for you or someone else to exploit at a later time.

o You let the software developer or hardware manufacturer know of any security vulnerabilities you locate in their software or hardware, if not already known by the company.

Page 15: How to hack or what is ethical hacking

Types of Ethical Hacking

Ethical hacking is divided into two categories

» Black Box hacking

» White Box hacking

Page 16: How to hack or what is ethical hacking

Black Box hacking

• A black box tester has no or very little knowledge of the target, and it is his or her duty to find it all and try to penetrate the target.

• Usually the client’s name is provided and it is then up to the hacker to find out the rest using Penetration Testing.

• It simulates the activities of a black hat hacker and real world attacks, so as to identify and prevent any attacks from outside of the organization.

Page 17: How to hack or what is ethical hacking

White Box hacking

• A White Box tester has prior knowledge of the target, such as IP address ranges or diagrams.

• The hacker is given all the information about the client’s network.

• The information provided is, for example, topology diagrams, physical diagrams and the IP addressing scheme.

• It also covers the type of equipment used, such as firewalls, intrusion detection systems or core routers.

• The advantage of this type of hacking is that it simulates an attacker who is a company insider or who is assisted by someone from the company.

Page 18: How to hack or what is ethical hacking

Steps involved in hacking

Page 19: How to hack or what is ethical hacking

Working of a Web server !

[Diagram: the Browser requests index.php from the WebServer (104.155.207.67). The WebServer gets index.php from hard disk and passes index.php to the PHP interpreter, which generates HTML. The WebServer returns index.php to the Browser in interpreted HTML form.]

Page 21: How to hack or what is ethical hacking

HACKING PROCESS

1. Footprinting

2. Scanning

3. Enumeration

4. Attack and gaining access

5. Maintaining access, creating backdoors

Page 22: How to hack or what is ethical hacking

HACKING PROCESS: Footprinting

The purpose of footprinting is to learn as much as you can about a system, its remote access capabilities, its ports and services, and the aspects of its security.

It is the process of accumulating data regarding a specific network environment, usually for the purpose of finding ways to intrude into the environment.

Ex: nslookup, IP Lookup, Whois Lookup (https://who.is), Ping

Ex tool: Sam Spade

Page 23: How to hack or what is ethical hacking

HACKING PROCESS: Scanning

Scanning is a common technique used by a penetration tester to find out the open doors.

During this process you have to find out the live hosts, operating systems involved, firewalls, intrusion detection systems, servers/services, perimeter devices, routing and general network topology (physical layout of the network) that are part of the target organisation.

Ex tool: Nessus, Nmap

https://pentest-tools.com/discovery-probing/tcp-port-scanner-online-nmap

Page 24: How to hack or what is ethical hacking

HACKING PROCESS: Enumeration

Enumeration is the first attack on the target network.

Enumeration is the process of gathering information about a target machine by actively connecting to it.

Enumeration means identifying the user accounts, system accounts and admin accounts, for example by enumerating Windows Active Directory to find them.

Tool: snmputil, NBTscan

Page 25: How to hack or what is ethical hacking

HACKING PROCESS: Attack and gaining access

This is the actual hacking phase, in which the hacker gains access to the system.

The hacker will make use of all the information he collected in the pre-attacking phases. Usually the main hindrance to gaining access to a system is the passwords.

Access Gaining Methods

• Social Engineering – Phishing

• SQL Injection

Page 26: How to hack or what is ethical hacking

GAINING ACCESS

Social Engineering

• Social engineering, in the context of information security, is the art of manipulating people so they give up confidential information.

Example request: “Could you please give your employee id and password to reconcile your salary data?”

Page 27: How to hack or what is ethical hacking

Phishing

• Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

Page 28: How to hack or what is ethical hacking

Email - Phishing

Page 32: How to hack or what is ethical hacking

Facebook - Phishing

Page 35: How to hack or what is ethical hacking

MAINTAINING ACCESS

Hackers use Trojans, viruses and other tools to maintain access.

– Trojan Horse & Backdoors

– Virus & Worms

– Keyloggers

Page 36: How to hack or what is ethical hacking

MAINTAINING ACCESS

Trojan Horse

A Trojan horse is a program that claims to do one thing but then does something totally different.

A new game, an electronic mail or free software from an unknown person can implant a Trojan or a backdoor.

Eg: Netbus, Sub7, Beast, Zeus

Page 37: How to hack or what is ethical hacking

MAINTAINING ACCESS

Virus

• Malicious code that infects an existing process or file.

• The infection from a virus can infect files, memory sectors, boot sectors and hardware.

Worms

• Much like viruses, worms can have the same destructive force, but worms do not need human interaction to replicate.

• Worms target a vulnerability and then execute commands to move from the current host to another system, and continue infecting other vulnerable systems automatically.

Page 38: How to hack or what is ethical hacking

MAINTAINING ACCESS

KeyLoggers

• A keylogger (also called spy software) is a small program that monitors each and every keystroke a user types on a specific computer’s keyboard.

• Once the keylogger is installed on a PC, it starts operating in the background (stealth mode) and captures every keystroke of the target computer.

Page 39: How to hack or what is ethical hacking

COVERING TRACKS AND CREATING BACKDOORS

• Once intruders have successfully gained Administrator access on a system, they will try to cover the detection of their presence.

• When all the information of interest has been stripped from the target, they will install several back doors so that easy access can be obtained in the future.

Page 40: How to hack or what is ethical hacking

Live Hacking with sql injection

Page 41: How to hack or what is ethical hacking

How is data stored in a web application?

[Diagram: the Browser sends a request and data to the WebServer. The scripting language connects to the database and stores values in it or retrieves data from it.]


Page 44: How to hack or what is ethical hacking

Front End: done in PHP / .Net / JSP or any server side scripting languages

Stores data at the Back end database in MYSQL / SQL Server / Oracle or any other DBMS

Name   Email     password   Address   mob
John   John@g    john123    NY        9824
Ram    ram@gma   ram321     calicut   234

Page 45: How to hack or what is ethical hacking
Page 46: How to hack or what is ethical hacking
Page 47: How to hack or what is ethical hacking

Table: Tb_user

Name   Email     password   Address   mob
John   John@g    john123    NY        9824
Ram    ram@gma   ram321     calicut   234

Page 48: How to hack or what is ethical hacking

So what might be the query to extract that piece of information from the database?

Select * from tbl_user where email='[email protected]' and password='ram321'

Page 50: How to hack or what is ethical hacking

Select * from tbl_user where email='[email protected]' and password='ram321'

So instead of giving values, we can inject queries to retrieve data from the database.

Page 51: How to hack or what is ethical hacking

Select * from tbl_user where email='[email protected]' and password='ram321'

So instead of [email protected] we give an input like this:

test' or 1=1 --

Page 52: How to hack or what is ethical hacking

The query that reaches the database then becomes:

Select * from tbl_user where email='test' or 1=1 --' and password=''

Everything after -- is treated as a comment, so the password check is dropped, and 1=1 is always true, so the query matches every row in tbl_user.

Page 53: How to hack or what is ethical hacking

HOW TO PREVENT HACKING

SQL Injection

• Use dynamic SQL only if absolutely necessary.

• Use parameterized queries and stored procedures.

• Encrypt sensitive data.

• Ensure the data entered is valid.

• Use automated test tools for SQL injections.
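
The difference between dynamic SQL and a parameterized query, as an added example that is not part of the original slides: the same login check written both ways and run against the input shown earlier. It assumes Python's built-in sqlite3 in place of the MySQL/PHP stack the slides mention; the function names, the e-mail addresses and the third row are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory copy of the slides' tbl_user; rows are constructed sample data
    (plain-text passwords mirror the slide's table, not a recommendation)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_user (name TEXT, email TEXT, password TEXT)")
    db.executemany("INSERT INTO tbl_user VALUES (?, ?, ?)", [
        ("John", "john@example.test", "john123"),
        ("Ram", "ram@example.test", "ram321"),
        ("Dara", "d'souza@example.test", "dara456"),
    ])
    return db

def login_dynamic(db, email, password):
    """Dynamic SQL as on the slides: user input becomes part of the query text."""
    query = ("SELECT name FROM tbl_user WHERE email='" + email
             + "' AND password='" + password + "'")
    return sorted(row[0] for row in db.execute(query))

def login_parameterized(db, email, password):
    """Parameterized query: the driver binds input as values, never as SQL."""
    query = "SELECT name FROM tbl_user WHERE email=? AND password=?"
    return sorted(row[0] for row in db.execute(query, (email, password)))

def compare(email, password):
    """Run both login variants on the same input and report what each returns."""
    db = make_db()
    try:
        dynamic = login_dynamic(db, email, password)
    except sqlite3.OperationalError as exc:  # the input broke the SQL syntax
        dynamic = "error: " + str(exc)
    return {"dynamic": dynamic,
            "parameterized": login_parameterized(db, email, password)}

if __name__ == "__main__":
    for email, password in [
        ("ram@example.test", "ram321"),        # valid login
        ("test' or 1=1 --", ""),               # input from the slides
        ("d'souza@example.test", "dara456"),   # legitimate apostrophe
    ]:
        print(repr(email), compare(email, password))
```

The third case shows that dynamic SQL also fails on harmless input containing a quote, which is why binding parameters is preferable to trying to filter characters.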

Page 54: How to hack or what is ethical hacking

HOW TO PREVENT HACKING

Server Side/ Client side Validations

• Validation should always be done on the browser and server side.

• The browser can catch simple failures, like mandatory fields that are empty or text entered into a numbers-only field.

• Client side validations can however be bypassed, so you should make sure you repeat these validations at the server side; failing to do so could lead to malicious code or scripting code being inserted into the database.

Page 55: How to hack or what is ethical hacking

HOW TO PREVENT HACKING

Passwords

Enforcing password requirements, such as a minimum of around eight characters including an uppercase letter and a number, will help users to protect their information.

Passwords should always be stored as encrypted values, preferably using a hashing algorithm, e.g. MD5.
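
Password storage as an added example, not taken from the slides: it checks the slide's password rule, then contrasts an unsalted MD5 digest with a salted, deliberately slow hash. PBKDF2-HMAC-SHA256 is swapped in here in place of MD5 because MD5 is fast and unsalted, so identical passwords produce identical stored values; the iteration count, storage format and function names are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: PBKDF2 work factor chosen for this example

def meets_policy(password):
    """The slide's rule: at least eight characters, an uppercase letter, a number."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))

def md5_hex(password):
    """Unsalted MD5: the same password always yields the same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; returns 'iterations$salt$digest' for storage."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations))
    except ValueError:  # malformed record
        return False
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    pw = "Ram32100"  # constructed sample password
    print("meets policy:", meets_policy(pw))
    print("md5 repeats :", md5_hex(pw) == md5_hex(pw))
    first, second = hash_password(pw), hash_password(pw)
    print("salted differ:", first != second)
    print("verify ok   :", verify_password(pw, first))
    print("verify wrong:", verify_password("Ram32101", first))
```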

Page 56: How to hack or what is ethical hacking

Ethical Hacking as a Career

Page 57: How to hack or what is ethical hacking

What ! Ethical Hacking as a Career ??

Yes, breaking into computer systems, which once was a pastime for geeks, has now become a full-fledged career option.

Page 59: How to hack or what is ethical hacking

Ethical Hacking as a Career ??

• Companies such as Wipro, Infosys, IBM, TCS, Tech Mahindra, HCL, Airtel, Reliance and many more are also looking for good ethical hackers.

• The kind of jobs available are that of Network Security Systems Manager, Network Security Administrator, Systems/Applications, Security Executive, Web Security Administrator, Web Security Manager etc.

• A fresher may work as an intern for a couple of months and can start with a minimum of Rs 2.5 lakh per annum*.

(*source: Times of India)

Page 60: How to hack or what is ethical hacking

Skill sets required

• First and foremost is the ability to write programs in many programming languages like C, C++, Perl, Python, and Ruby.

• For those working with web applications, Microsoft .NET and PHP are vital.

• Knowledge of a variety of operating systems (Microsoft Windows, various versions of Linux, etc.) is critical.

• Experience with various network devices, including switches, routers and firewalls, is also important. An ethical hacker should also have a basic understanding of TCP/IP protocols such as SMTP, ICMP and HTTP.

Page 61: How to hack or what is ethical hacking

Certifications for Ethical Hacking

• CEH (Certified Ethical Hacker)

• CHFI (Computer Hacking Forensic Investigator)

– offered by EC Council (International Council of Elect. Commerce Consultants)

• CCNA Security (Cisco Certified Network Associate Security)

• SCNP (Security Certified Network Professional)

• CISSP (Certified Information Systems Security Professional), offered by Intl Information System Security Certification Consortium
