ethical hacking from ieee dtu students
TRANSCRIPT
-
7/27/2019 Ethical Hacking from ieee dtu students
1/35
-
7/27/2019 Ethical Hacking from ieee dtu students
2/35
What is Ethical Hacking
Who is hacker?
History of hacking
Types of hackingWhy Ethical Hacking
Hacking accidents
Why do hackers hack?
What hackers do after hacking?
What do hackers know?
-
7/27/2019 Ethical Hacking from ieee dtu students
3/35
How can kid hack?
Why cant Korean kid hack?
How can be a real hacker?
Why cant defend against hackers?
How can protect the system?
What should do after hacked?
How to translate the hackers language
Ethical Hacking - ProcessReporting
Ethical Hacking Commandments
-
7/27/2019 Ethical Hacking from ieee dtu students
4/35
so Called Attack & Penetration Testing,
ite-hat hacking, Red teaming
HackingProcess of breaking into systems for:Personal or Commercial Gains
Malicious Intent Causing sever damage to
Information &
AssetsEthicalConforming to accepted professional standards of
conductBlack-hat Bad
guys
White-hat - GoodGuys
-
7/27/2019 Ethical Hacking from ieee dtu students
5/35
It is Legal
Permission is obtained from the target
Part of an overall security program
Identify vulnerabilities visible from Internet at particular pointof time
Ethical hackers possesses same skills, mindset and tools of ahacker but the attacks are done in a non-destructive manner
-
7/27/2019 Ethical Hacking from ieee dtu students
6/35
HackCut with repeated irregular blowsExamine something very minutely
HackerThe person who hacks
CrackerSystem intruder/destroyer
Hacker means cracker nowadaysMeaning has been changed
-
7/27/2019 Ethical Hacking from ieee dtu students
7/35
Telephone hackingUse telephone freelyIts called phreaking
Computer virus
Destroy many computersNetwork hacking
Hack the important server remotely anddestroy/modify/disclose the information
-
7/27/2019 Ethical Hacking from ieee dtu students
8/35
Normal
data transfer
Interruption Interception
Modification Fabrication
-
7/27/2019 Ethical Hacking from ieee dtu students
9/35
Viruses, TrojanHorses,
and Worms
SocialEngineering
Automated
Attacks
AccidentalBreaches in
Security Denial ofService (DoS)
Organizational
Attacks
Restricted
Data
Protection from possible External Attacks
-
7/27/2019 Ethical Hacking from ieee dtu students
10/35
Internet WormRobert T. Morris made an internet worm. It spread through
the internet and crashed about 6000 systems.
Cuckoos EggClifford Stoll caught the hackers who are the German
hackers applied by KGB
IP Spoof
Kevin Mitnick was caught by Tsutomu Shimomura whowas security expert. Kevin Mitnick uses the IP Spoof attack
in this accident
-
7/27/2019 Ethical Hacking from ieee dtu students
11/35
Just for fun
Show off
Hack other systems secretly
Notify many people their thoughtSteal important information
Destroy enemys computer network during the war
-
7/27/2019 Ethical Hacking from ieee dtu students
12/35
Patch security holeThe other hackers cant intrude
Clear logs and hide themselves
Install rootkit ( backdoor )The hacker who hacked the system can use the system laterIt contains trojan ls, ps, and so on
-
7/27/2019 Ethical Hacking from ieee dtu students
13/35
Install irc related programidentd, irc, bitchx, eggdrop, bnc
Install scanner programmscan, sscan, nmap
Install exploit program
Install denial of service program
Use all of installed programs silently
-
7/27/2019 Ethical Hacking from ieee dtu students
14/35
Dont know how to use vi
Dont know what unix is
Dont know what they do
Know how to intrude the systemKnow how to crash the system
Know where the hacking programs are
-
7/27/2019 Ethical Hacking from ieee dtu students
15/35
Kid has much of timeKid can search for longer time than other people
All hacking program is easy to use
Kid doesnt have to know how the hacking programworks
These kids are called script kiddies
-
7/27/2019 Ethical Hacking from ieee dtu students
16/35
Almost all Korean kids dont know English well
Almost all hacking program manuals are written inEnglishHowever, many hacking program manuals are being
translated
-
7/27/2019 Ethical Hacking from ieee dtu students
17/35
Study C/C++/assembly language
Study computer architecture
Study operating system
Study computer networkExamine the hacking tools for a month
Think the problem of the computer
-
7/27/2019 Ethical Hacking from ieee dtu students
18/35
There are many unknown security hole
Hackers need to know only one security hole to hack thesystem
Admin need to know all security holes to defend thesystem
-
7/27/2019 Ethical Hacking from ieee dtu students
19/35
Patch security hole oftenEncrypt important data
Ex) pgp, ssh
Do not run unused daemon
Remove unused setuid/setgid programSetup loghost
Backup the system oftenSetup firewallSetup IDS
Ex) snort
-
7/27/2019 Ethical Hacking from ieee dtu students
20/35
-
7/27/2019 Ethical Hacking from ieee dtu students
21/35
1 -> i or l
3 -> e
4 -> a
7 -> t9 -> g
0 -> o
$ -> s
| -> i or l
|\| -> n
|\/| -> m
s -> z
z -> sf -> ph
ph -> f
x -> ck
ck -> x
-
7/27/2019 Ethical Hacking from ieee dtu students
22/35
Ex)1 d1d n0t h4ck th1s p4g3, 1t w4s l1k3 th1s wh3n 1 h4ck3d
1n
I did not hack this page, it was like this when I hacked in
-
7/27/2019 Ethical Hacking from ieee dtu students
23/35
1. Preparation
2. Footprinting
3. Enumeration & Fingerprinting
4.Identification of Vulnerabilities
5. Attack Exploit the Vulnerabilities
-
7/27/2019 Ethical Hacking from ieee dtu students
24/35
Identification of Targets company websites, mail servers,extranets, etc.
Signing of Contract Agreement on protection against any legal issues Contracts to clearly specifies the limits and dangers of the test Specifics on Denial of Service Tests, Social Engineering, etc. Time window for Attacks Total time for the testing Prior Knowledge of the systems Key people who are made aware of the testing
-
7/27/2019 Ethical Hacking from ieee dtu students
25/35
Collecting as much information about the target
DNS Servers
IP Ranges
Administrative Contacts
Problems revealed by administrators
Information Sources
Search engines
Forums
Databases whois, ripe, arin, apnic
Tools PING, whois, Traceroute, DIG, nslookup, sam spade
-
7/27/2019 Ethical Hacking from ieee dtu students
26/35
Specific targets determined Identification of Services / open ports
Operating System Enumeration
Methods
Banner grabbing
Responses to various protocol (ICMP &TCP) commands
Port / Service Scans TCP Connect, TCP SYN, TCP FIN, etc.
Tools
Nmap, FScan, Hping, Firewalk, netcat, tcpdump, ssh, telnet, SNMPScanner
-
7/27/2019 Ethical Hacking from ieee dtu students
27/35
Vulnerabilities
Insecure Configuration
Weak passwords
Unpatched vulnerabilities in services, Operating systems,applications
Possible Vulnerabilities in Services, Operating Systems
Insecure programming
Weak Access Control
-
7/27/2019 Ethical Hacking from ieee dtu students
28/35
Methods
Unpatched / Possible Vulnerabilities Tools, Vulnerabilityinformation Websites
Weak Passwords Default Passwords, Brute force, Social
Engineering, Listening to TrafficInsecure Programming SQL Injection, Listening to Traffic
Weak Access Control Using the Application Logic, SQLInjection
-
7/27/2019 Ethical Hacking from ieee dtu students
29/35
ToolsVulnerability Scanners - Nessus, ISS, SARA, SAINT
Listening to Traffic Ethercap, tcpdump
Password Crackers John the ripper, LC4, Pwdump
Intercepting Web Traffic Achilles, Whisker, Legion
-
7/27/2019 Ethical Hacking from ieee dtu students
30/35
Obtain as much information (trophies) from the Target AssetGaining Normal Access
Escalation of privileges
Obtaining access to other connected systems
Last Ditch Effort Denial of Service
-
7/27/2019 Ethical Hacking from ieee dtu students
31/35
Network Infrastructure Attacks
Connecting to the network through modem
Weaknesses in TCP / IP, NetBIOS
Flooding the network to cause DOS
Operating System Attacks
Attacking Authentication Systems
Exploiting Protocol Implementations
Exploiting Insecure configuration
Breaking File-System Security
-
7/27/2019 Ethical Hacking from ieee dtu students
32/35
Application Specific Attacks
Exploiting implementations of HTTP, SMTP protocols
Gaining access to application Databases
SQL Injection
Spamming
-
7/27/2019 Ethical Hacking from ieee dtu students
33/35
Exploits Free exploits from Hacker Websites
Customised free exploits
Internally Developed
Tools Nessus, Metasploit Framework,
-
7/27/2019 Ethical Hacking from ieee dtu students
34/35
MethodologyExploited Conditions & Vulnerabilities that could not be
exploited
Proof for Exploits - Trophies
Practical Security solutions
-
7/27/2019 Ethical Hacking from ieee dtu students
35/35
Working Ethically Trustworthiness Misuse for personal gain
Respecting Privacy
Not Crashing the Systems