Ethical Hacking

Category: Education


Presentation Transcript

Ethical Hacking : 

Presented by: Annie Ahuja


AGENDA

- What is Ethical Hacking?
- Who are ethical hackers?
- Every Website – A Target
- Why – Ethical Hacking?
- Ethical Hacking – Process
- Being Prepared
- Planning
- Kinds of Testing
- Footprinting
- Enumeration & Fingerprinting
- Identification of vulnerabilities
- Attack – exploit the vulnerabilities
- Final Report
- Ethical Hacking – Commandments

Ethical Hacking : 

Ethical hacking, also known as penetration testing or white-hat hacking, involves the same tools, tricks, and techniques that hackers use, but with major differences:

- Ethical hacking is legal.
- Ethical hacking is performed with the target's permission.
- The intent of ethical hacking is to discover vulnerabilities from a hacker's viewpoint so systems can be better secured.

It's part of an overall information risk management program that allows for ongoing security improvements. Ethical hacking can also ensure that vendors' claims about the security of their products are legitimate.

Ethical Hackers but not Criminal Hackers : 

- Completely trustworthy.
- Strong programming and computer networking skills.
- Learn about the system and try to find its weaknesses.
- Techniques of ethical hackers – Detection – Prevention.

Why – Ethical Hacking? : 

- Protection from possible External Attacks

Ethical Hacking - Process : 

1. Preparation
2. Planning
3. Footprinting
4. Enumeration & Fingerprinting
5. Identification of Vulnerabilities
6. Attack – Exploit the Vulnerabilities

Preparation : 

- What can an intruder see on the target systems?
- What can an intruder do with that information?
- Does anyone at the target notice the intruder's attempts or successes?

1. What are you trying to protect?
2. Who are you trying to protect against?
3. How much time, effort, and money are you willing to expend to obtain adequate protection?

Planning : 

- Security evaluation plan
- How to test?
- Identify system to be tested
- Limitations on that testing
- Evaluation done under a "no-holds-barred" approach.
- Clients should be aware of risks.
- Limit prior knowledge of test.

Footprinting : 

Collecting as much information as possible about the target:

- DNS Servers
- IP Ranges
- Administrative Contacts
- Problems revealed by administrators

Information Sources:

- Search engines
- Forums
- Databases – whois, RIPE
- Tools – ping, whois, traceroute, dig, nslookup

Enumeration & Fingerprinting : 

- Specific targets determined
- Identification of Services / open ports
- Operating System Enumeration

Methods:

- Banner grabbing
- Responses to various protocol (ICMP & TCP) commands
- Port / Service Scans – TCP Connect, TCP SYN, TCP FIN, etc.

Tools:

- Nmap, FScan, Firewall, netcat, telnet, SNMP Scanner

Identification of Vulnerabilities : 

Vulnerabilities:

- Insecure Configuration
- Weak passwords
- Unpatched vulnerabilities in services, Operating systems, applications
- Possible Vulnerabilities in Services, Operating Systems
- Insecure programming
- Weak Access Control

Identification of Vulnerabilities : 

METHODS

- Unpatched / Possible Vulnerabilities – Tools, Vulnerability information Websites
- Weak Passwords – Default Passwords, Brute force, Social Engineering, Listening to Traffic
- Insecure Programming – SQL Injection, Listening to Traffic
- Weak Access Control – Using the Application Logic

Identification of Vulnerabilities : 

TOOLS

- Vulnerability Scanners – Nessus, ISS, SARA, SAINT
- Listening to Traffic – Ettercap, tcpdump
- Password Crackers – John the Ripper, LC4, Pwdump
- Intercepting Web Traffic – Achilles, Whisker, Legion

WEBSITES

- Common Vulnerabilities & Exposures
- Bugtraq
- Other Vendor Websites

Example of Ethical Hacking : 

One of the earliest examples of using ethical hackers occurred in the 1970s. At this time, the United States government utilized the knowledge and services of groups of experts, referred to as red teams. They enlisted these ethical hackers to hack into the United States government's computer system. The purpose was to evaluate how secure it was and to recognize any possible vulnerabilities. Ethical hacking is now a growing profession that is still used by the United States government, as well as technology companies and other corporations. Many large companies, such as IBM, employ teams of ethical hackers to help keep their systems secure.

Attack – Exploit the vulnerabilities : 

- Obtain as much information from the Target Asset
- Gaining Normal Access
- Escalation of privileges
- Obtaining access to other connected systems
- Last Ditch Effort – Denial of Service

Attack – Exploit the vulnerabilities : 

Network Infrastructure Attacks:

- Connecting to the network through modem
- Weaknesses in TCP / IP, NetBIOS
- Flooding the network to cause DoS

Operating System Attacks:

- Attacking Authentication Systems
- Exploiting Protocol Implementations
- Exploiting Insecure configuration
- Breaking File-System Security

Attack – Exploit the vulnerabilities : 

Application Specific Attacks:

- Exploiting implementations of HTTP, SMTP protocols
- Gaining access to application Databases
- SQL Injection
- Spamming

Attack – Exploit the vulnerabilities : 

Exploits:

- Free exploits from Hacker Websites
- Customised free exploits
- Internally Developed Tools – Nessus, Metasploit Framework,

Final Report : 

- Collection of all discoveries made during evaluation.
- Specific advice on how to close the vulnerabilities.
- Testers' techniques never revealed.
- Delivered directly to an officer of the client organization in hard-copy form.
- Steps to be followed by clients in future.

Ethical Hacking - Commandments : 

- Working Ethically
- Trustworthiness
- Misuse for personal gain
- Respecting Privacy
- Not Crashing the Systems
