Hands-On Ethical Hacking and Network Defense
Isn't Hacking a Crime?

Contact Information
Sam Bowne
Email: [email protected]
Website: samsclass.info

All materials from this talk are already on that website. Download them and use them freely.
Ethical Hacking
- Ethical hackers: employed by companies to perform penetration tests
- Penetration test: a legal attempt to break into a company's network to find its weakest link
- The tester only reports findings and does not harm the company
Penetration Testers
- Hackers: access a computer system or network without authorization; this breaks the law and can lead to prison
- Crackers: break into systems to steal or destroy data
- The U.S. Department of Justice calls both "hackers"
- Ethical hacker: performs most of the same activities, but with the owner's permission
Penetration Testers
- Script kiddies or packet monkeys: young, inexperienced hackers who copy code and techniques from knowledgeable hackers
- Experienced penetration testers use Perl, C, Assembler, or other languages to code exploits

Security Credentials
- CompTIA offers the Security+ certification, which covers a basic familiarity with security concepts and terms
OSSTMM Professional Security Tester (OPST)
- Designated by the Institute for Security and Open Methodologies (ISECOM)
- Based on the Open Source Security Testing Methodology Manual (OSSTMM)
Certified Information Systems Security Professional (CISSP)
- Issued by the International Information Systems Security Certifications Consortium, (ISC)²
- Usually more concerned with policies and procedures than technical details
- Web site: www.isc2.org
Certified Ethical Hacker (CEH)
- But see "Run Away From The CEH Certification", link at samsclass.info
What You Cannot Do Legally
- Accessing a computer without permission is illegal
- Other illegal actions: installing worms or viruses; Denial of Service attacks; denying users access to network resources
- Possession of others' passwords can be a crime; see "Password theft", link at samsclass.info
Get Out of Jail Free Card
- When doing a penetration test, have a written contract giving you permission to attack the network
- Using a contract is just good business
- Contracts may be useful in court
- Have an attorney read over your contract before sending or signing it
Projects
To get credit for this session, do any one of these:
- Project 1: Using The Metasploit Framework to take over a vulnerable computer remotely
- Project 2: Using Ophcrack to crack Windows passwords with Rainbow tables
- Project 3: Using a Keylogger to record keystrokes (including passwords)