Ethical Hacking.ppt

Views:
 
Category: Entertainment
     
 

Presentation Description

hacking

Comments

Presentation Transcript

Ethical Hacking for Educators: 

Ethical Hacking for Educators Presented By Regina DeLisse Hartley, Ph.D. Caldwell Community College & Technical Institute

Overview: 

Overview Old School Hackers: History of Hacking Ec-Council: Certified Ethical Hacker Learning Competencies Teaching Resources: Ethical Hacking Textbooks Hacking Tools Hacker Challenge Websites Additional Web Sites Questions and Answers

Old School Hackers: History of Hacking : 

Old School Hackers: History of Hacking

PowerPoint Presentation: 

PREHISTORY 1960s: The Dawn of Hacking Original meaning of the word "hack" started at MIT; meant elegant, witty or inspired way of doing almost anything; hacks were programming shortcuts ELDER DAYS (1970-1979) 1970s: Phone Phreaks and Cap'n Crunch: One phreak, John Draper (aka "Cap'n Crunch"), discovers a toy whistle inside Cap'n Crunch cereal gives 2600-hertz signal, and can access AT&T's long-distance switching system. Draper builds a "blue box" used with whistle allows phreaks to make free calls. Steve Wozniak and Steve Jobs, future founders of Apple Computer, make and sell blue boxes. THE GOLDEN AGE (1980-1991) 1980: Hacker Message Boards and Groups Hacking groups form; such as Legion of Doom (US), Chaos Computer Club (Germany). 1983: Kids' Games Movie "War Games" introduces public to hacking.

PowerPoint Presentation: 

THE GREAT HACKER WAR Legion of Doom vs Masters of Deception; online warfare; jamming phone lines. 1984: Hacker 'Zines Hacker magazine 2600 publication; online 'zine Phrack. CRACKDOWN (1986-1994) 1986: Congress passes Computer Fraud and Abuse Act; crime to break into computer systems. 1 988: The Morris Worm Robert T. Morris, Jr., launches self-replicating worm on ARPAnet. 1989: The Germans , the KGB and Kevin Mitnick. German Hackers arrested for breaking into U.S. computers; sold information to Soviet KGB. Hacker "The Mentor“ arrested; publishes Hacker's Manifesto. Kevin Mitnick convicted; first person convicted under law against gaining access to interstate network for criminal purposes.

PowerPoint Presentation: 

1993: Why Buy a Car When You Can Hack One? Radio station call-in contest; hacker-fugitive Kevin Poulsen and friends crack phone; they allegedly get two Porsches, $20,000 cash, vacation trips; Poulsen now a freelance journalist covering computer crime. First Def Con hacking conference in Las Vegas ZERO TOLERANCE (1994-1998) 1995: The Mitnick Takedown: Arrested again; charged with stealing 20,000 credit card numbers. 1995: Russian Hackers Siphon $10 million from Citibank; Vladimir Levin, leader. Oct 1998 teenager hacks into Bell Atlantic phone system; disabled communication at airport disables runway lights. 1999 hackers attack Pentagon, MIT, FBI web sites. 1999: E-commerce company attacked; blackmail threats followed by 8 million credit card numbers stolen. ( www.blackhat.info ; www.h2k2.net ; www.slais.ubc.ca/ ; www.sptimes.com ; www.tlc.discovery.com )

Ec-Council: Certified Ethical Hacker: 

Ec-Council: Certified Ethical Hacker

EC-Council has certified IT professionals from the following organizations as CEH:: 

EC-Council has certified IT professionals from the following organizations as CEH: Novell, Canon, Hewlett Packard, US Air Force Reserve, US Embassy, Verizon, PFIZER, HDFC Bank, University of Memphis, Microsoft Corporation, Worldcom, Trusecure, US Department of Defense, Fedex, Dunlop, British Telecom, Cisco, Supreme Court of the Philippines, United Nations, Ministry of Defense, UK, Nortel Networks, MCI, Check Point Software, KPMG, Fleet International, Cingular Wireless, Columbia Daily Tribune, Johnson & Johnson, Marriott Hotel, Tucson Electric Power Company, Singapore Police Force

(Cont.): 

PriceWaterhouseCoopers, SAP, Coca-Cola Corporation, Quantum Research, US Military, IBM Global Services, UPS, American Express, FBI, Citibank Corporation, Boehringer Ingelheim, Wipro, New York City Dept Of IT & Telecom – DoITT, United States Marine Corps, Reserve Bank of India, US Air Force, EDS, Bell Canada, SONY, Kodak, Ontario Provincial Police, Harris Corporation, Xerox, Philips Electronics, U.S. Army, Schering, Accenture, Bank One, SAIC, Fujitsu, Deutsche Bank (Cont.)

Hackers are here. Where are you? : 

Hackers are here. Where are you? The explosive growth of the Internet has brought many good things…As with most technological advances, there is also a dark side: criminal hackers. The term “hacker” has a dual usage in the computer industry today. Originally, the term was defined as: HACKER noun. 1. A person who enjoys learning the details of computer systems and how to stretch their capabilities…. 2. One who programs enthusiastically or who enjoys programming rather than just theorizing about programming.

What is a Hacker?: 

What is a Hacker? Old School Hackers: 1960s style Stanford or MIT hackers. Do not have malicious intent, but do have lack of concern for privacy and proprietary information. They believe the Internet was designed to be an open system. Script Kiddies or Cyber-Punks: Between 12-30; predominantly white and male; bored in school; get caught due to bragging online; intent is to vandalize or disrupt systems. Professional Criminals or Crackers: Make a living by breaking into systems and selling the information. Coders and Virus Writers: See themselves as an elite; programming background and write code but won’t use it themselves; have their own networks called “zoos”; leave it to others to release their code into “The Wild” or Internet. ( www.tlc.discovery.com )

What is Ethical Hacking? : 

What is Ethical Hacking? Ethical hacking – defined “methodology adopted by ethical hackers to discover the vulnerabilities existing in information systems’ operating environments.” With the growth of the Internet, computer security has become a major concern for businesses and governments. In their search for a way to approach the problem, organizations came to realize that one of the best ways to evaluate the intruder threat to their interests would be to have independent computer security professionals attempt to break into their computer systems.

Who are Ethical Hackers? : 

Who are Ethical Hackers? “One of the best ways to evaluate the intruder threat is to have an independent computer security professionals attempt to break their computer systems” Successful ethical hackers possess a variety of skills. First and foremost, they must be completely trustworthy. Ethical hackers typically have very strong programming and computer networking skills. They are also adept at installing and maintaining systems that use the more popular operating systems (e.g., Linux or Windows 2000) used on target systems. These base skills are augmented with detailed knowledge of the hardware and software provided by the more popular computer and networking hardware vendors.

What do Ethical Hackers do? : 

What do Ethical Hackers do? An ethical hacker’s evaluation of a system’s security seeks answers to these basic questions: What can an intruder see on the target systems? What can an intruder do with that information? Does anyone at the target notice the intruder’s at tempts or successes? What are you trying to protect? What are you trying to protect against? How much time, effort, and money are you willing to expend to obtain adequate protection?

How much do Ethical Hackers get Paid?: 

How much do Ethical Hackers get Paid? Globally, the hiring of ethical hackers is on the rise with most of them working with top consulting firms. In the United States, an ethical hacker can make upwards of $120,000 per annum. Freelance ethical hackers can expect to make $10,000 per assignment. Some ranges from $15,000 to $45,000 for a standalone ethical hack.

Certified Ethical Hacker (C|EH) Training: 

Certified Ethical Hacker (C|EH) Training InfoSec Academy http://www.infosecacademy.com Five-day Certified Ethical Hacker (C|EH) Training Camp Certification Training Program (C|EH) examination C|EH Certified Ethical Hacker Training Camp (5-Day Package) $3,595 ($2,580 training only) (Source: www.eccouncil.org )

Learning Competencies: 

Learning Competencies

Required Skills of an Ethical Hacker: 

Required Skills of an Ethical Hacker Routers: knowledge of routers, routing protocols, and access control lists Microsoft: skills in operation, configuration and management. Linux: knowledge of Linux/Unix; security setting, configuration, and services. Firewalls: configurations, and operation of intrusion detection systems. Mainframes Network Protocols: TCP/IP; how they function and can be manipulated. Project Management: knowledge of leading, planning, organizing, and controlling a penetration testing team. (Source: http://www.examcram.com )

Modes of Ethical Hacking: 

Modes of Ethical Hacking Insider attack Outsider attack Stolen equipment attack Physical entry Bypassed authentication attack (wireless access points) Social engineering attack (Source: http://www.examcram.com )

Anatomy of an attack: : 

Anatomy of an attack: Reconnaissance – attacker gathers information; can include social engineering. Scanning – searches for open ports (port scan) probes target for vulnerabilities. Gaining access – attacker exploits vulnerabilities to get inside system; used for spoofing IP. Maintaining access – creates backdoor through use of Trojans; once attacker gains access makes sure he/she can get back in. Covering tracks – deletes files, hides files, and erases log files. So that attacker cannot be detected or penalized. (Source: www.eccouncil.org )

PowerPoint Presentation: 

Hacker classes Black hats – highly skilled, malicious, destructive “crackers” White hats – skills used for defensive security analysts Gray hats – offensively and defensively; will hack for different reasons, depends on situation. Hactivism – hacking for social and political cause. Ethical hackers – determine what attackers can gain access to, what they will do with the information, and can they be detected. (Source: www.eccouncil.org )

Teaching Resources: Ethical Hacking Textbooks: 

Teaching Resources: Ethical Hacking Textbooks

Ec-Council: 

Ec-Council Certified Ethical Hacker www.eccouncil.org ISBN 0-9729362-1-1

Ec-Council Topics Covered: 

Ec-Council Topics Covered Introduction to Ethical Hacking Footprinting Scanning Enumeration System Hacking Trojans and Backdoors Sniffers Denial of Service Social Engineering Session Hijacking Hacking Web Servers

Ec-Council (Cont.): 

Ec-Council (Cont.) Web Application Vulnerabilities Web Based Password Cracking Techniques SQL Injection Hacking Wireless Networks Viruses Novell Hacking Linux Hacking Evading IDS, Firewalls and Honeypots Buffer Overflows Cryptography

Certified Ethical Hacker Exam Prep : 

Certified Ethical Hacker Exam Prep http://www.examcram.com ISBN 0-7897-3531-8

Certified Ethical Hacker Exam Prep: 

Certified Ethical Hacker Exam Prep The Business Aspects of Penetration Testing The Technical Foundations of Hacking Footprinting and Scanning Enumeration and System Hacking Linux and automated Security Assessment Tools Trojans and Backdoors Sniffers, Session Hyjacking, and Denial of Service

Certified Ethical Hacker Exam Prep (Cont.): 

Certified Ethical Hacker Exam Prep (Cont.) Web Server Hacking, Web Applications, and Database Attacks Wireless Technologies, Security, and Attacks IDS, Firewalls, and Honeypots Buffer Overflows, Viruses, and Worms Cryptographic Attacks and Defenses Physical Security and Social Engineering

Hands-On Information Security Lab Manual, Second Edition : 

Hands-On Information Security Lab Manual, Second Edition http://www.course.com/ ISBN 0-619-21631-X 1. Footprinting 2. Scanning and Enumeration 3. Operating System Vulnerabilities and Resolutions 4. Network Security Tools and Technologies 5. Security Maintenance 6. Information Security Management 7. File System Security and Cryptography 8. Computer Forensics

Hacking Tools: Footprinting and Reconnaissance : 

Hacking Tools: Footprinting and Reconnaissance

Whois: 

Whois

Whois (cont.): 

Whois (cont.) http://www.allwhois.com/

Whois (cont.): 

Whois (cont.)

Sam Spade: 

Sam Spade

Sam Spade (Cont.): 

Sam Spade (Cont.)

Nslookup: 

Nslookup

Nslookup Options: 

Nslookup Options

Traceroute: 

Traceroute

Ping: 

Ping

Ping Options : 

Ping Options

Hacking Tools: Scanning and Enumeration: 

Hacking Tools: Scanning and Enumeration

nmap: 

nmap

NMapWin: 

NMapWin

SuperScan: 

SuperScan

SuperScan (Cont.): 

SuperScan (Cont.)

IP Scanner: 

IP Scanner

Hyena: 

Hyena

Retina: 

Retina

LANguard: 

LANguard

Hacking Tools: System Hacking: 

Hacking Tools: System Hacking

telnet: 

telnet

Snadboy: 

Snadboy

Password Cracking with LOphtcrack: 

Password Cracking with LOphtcrack

Keylogger: 

Keylogger

Hacking Tools: Trojans and Backdoors : 

Hacking Tools: Trojans and Backdoors

NetBus: 

NetBus

Game Creates Backdoor for NetBus: 

Game Creates Backdoor for NetBus

SubSeven: 

SubSeven

Hacking Tools: Sniffers: 

Hacking Tools: Sniffers

Spoofing a MAC address Original Configuration: 

Spoofing a MAC address Original Configuration

Spoofed Mac: 

Spoofed Mac

Ethereal: 

Ethereal

Iris: 

Iris

Snort: 

Snort

Hacking Tools: Web Based Password Cracking: 

Hacking Tools: Web Based Password Cracking

Cain and Abel: 

Cain and Abel

Cain and Abel (Cont.): 

Cain and Abel (Cont.)

Cain and Abel (Cont.): 

Cain and Abel (Cont.)

Legion: 

Legion

Brutus: 

Brutus

Hacking Tools: Covering Tracks: 

Hacking Tools: Covering Tracks

ImageHide: 

ImageHide

ClearLogs: 

ClearLogs

ClearLogs (Cont.): 

ClearLogs (Cont.)

Hacking Tools: Google Hacking and SQL Injection: 

Hacking Tools: Google Hacking and SQL Injection

Google Hacking: 

Google Hacking

Google Cheat Sheet : 

Google Cheat Sheet

SQL Injection : 

SQL Injection Allows a remote attacker to execute arbitrary database commands Relies on poorly formed database queries and insufficient input validation Often facilitated, but does not rely on unhandled exceptions and ODBC error messages Impact: MASSIVE. This is one of the most dangerous vulnerabilities on the web.

Common Database Query: 

Common Database Query

Problem: Unvalidated Input : 

Problem: Unvalidated Input

Piggybacking Queries with UNION: 

Piggybacking Queries with UNION

Hacker Challenge Websites: 

Hacker Challenge Websites

PowerPoint Presentation: 

http://www.hackr.org/mainpage.php

Hackthissite.org: 

Hackthissite.org http://www.hackthissite.org

Answers revealed in code: 

Answers revealed in code

Hackits: 

Hackits http://www.hackits.de/challenge/

Additional Web Sites: 

Additional Web Sites

Legion of Ethical Hacking: 

Legion of Ethical Hacking

Legion of Ethical Hacking (Cont.): 

Legion of Ethical Hacking (Cont.)

Hacker Highschool: 

Hacker Highschool http://www.hackerhighschool.org/

Hacker Highschool: 

Hacker Highschool

johnny.ihackstuff.com/: 

johnny.ihackstuff.com/

HappyHacker.org: 

HappyHacker.org

Foundstone: 

Foundstone

Insecure.org: 

Insecure.org

SANS Institute: 

SANS Institute

Questions & Answers: 

Questions & Answers