Hands-On Ethical Hacking and Network Security

Chapter 1
Ethical Hacking Overview
Last modified 12-14-16
-jw

Describe the role of an ethical hacker

Describe what you can do legally as an ethical hacker

Describe what you cannot do as an ethical hacker
Hands-On Ethical Hacking and Network Defense
2

Ethical hackers
• Employed by companies to perform penetration tests

Penetration test
• Legal attempt to break into a company’s network to find its weakest link
• Tester only reports findings, does not solve problems

Vulnerability assessment
• Tester attempts to enumerate all vulnerabilities found in an application or on a system

Security test
• More than an attempt to break in; also includes analyzing the company’s security policy and procedures
• Tester offers solutions to secure or protect the network

Hackers
• Access a computer system or network without authorization
• Break the law; can go to prison

Crackers
• Break into systems to steal or destroy data
• The U.S. Department of Justice calls both “hackers”

Ethical hacker
• Performs most of the same activities, but with the owner’s permission

Script kiddies or packet monkeys
• Young, inexperienced hackers
• Copy code and techniques from knowledgeable hackers

Experienced penetration testers write programs or scripts using these languages
• Practical Extraction and Report Language (Perl), C, C++, Python, Ruby, JavaScript, Visual Basic, SQL, and many others

Script
• Set of instructions that runs in sequence to perform tasks

Hacktivist
• A person who hacks computer systems for political or social reasons

Job requirements for a penetration tester might include:
• Perform vulnerability, attack, and penetration assessments in Intranet and wireless environments
• Perform discovery and scanning for open ports
• Apply appropriate exploits to gain access
• Participate in activities involving application penetration
• Produce reports documenting discoveries
• Debrief with the client at the conclusion

This class alone won’t make you a hacker, or an expert
• It might make you a script kiddie

It usually takes years of study and experience to earn respect in the hacker community

It’s a hobby, a lifestyle, and an attitude
• A drive to figure out how things work

Penetration testers usually have:
• A laptop computer with multiple OSs and hacking tools

Tiger box
• Collection of OSs and hacking tools
• Usually on a laptop
• Helps penetration testers and security testers conduct vulnerability assessments and attacks

White box model
• Tester is told everything about the network topology and technology
– Network diagram
• Tester is authorized to interview IT personnel and company employees
• Makes the tester’s job a little easier

[Network diagram from ratemynetworkdiagram.com]

Figure 1-1 A sample floor plan

Black box model
• Company staff does not know about the test
• Tester is not given details about the network
– Burden is on the tester to find these details
• Tests if security personnel are able to detect an attack

Gray box model
• Hybrid of the white and black box models
• Company gives the tester partial information

Basics:
• Windows and Linux skills
• Network+ or Cisco CCNA
• CompTIA Security+

Need additional Advanced Ethical Hacking

Certified Ethical Hacker (CEH)
• Developed by the International Council of Electronic Commerce Consultants (EC-Council)
• Based on 22 domains (subject areas)
• Web site: www.eccouncil.org

Most likely to be placed on a team that conducts penetration tests
• Called a Red team
– Conducts penetration tests
– Composed of people with varied skills
– Unlikely that one person will perform all tests

OSCP
• An advanced certification that requires students to demonstrate hands-on abilities to earn their certificates
• Covers network and application exploits
• Gives students experience in developing rudimentary buffer overflows, writing scripts to collect and manipulate data, and trying exploits on vulnerable systems

OSSTMM Professional Security Tester (OPST)
• Designated by the Institute for Security and Open Methodologies (ISECOM)
• Based on the Open Source Security Testing Methodology Manual (OSSTMM)
– Written by Peter Herzog
• Five main topics (i.e., professional, enumeration, assessments, application, and verification)
• Web site: www.isecom.org

Certified Information Systems Security Professional (CISSP)
• Issued by the International Information Systems Security Certifications Consortium (ISC2)
• Tests security-related managerial skills
• Usually more concerned with policies and procedures than technical details
• Consists of ten domains
• Web site: www.isc2.org

SysAdmin, Audit, Network, Security (SANS) Institute
• Offers training and IT security certifications through Global Information Assurance Certification (GIAC)

Top 25 Software Errors list
• One of the most popular SANS Institute documents
• Details most common network exploits
• Suggests ways of correcting vulnerabilities
• Web site: www.sans.org

Penetration testers and security testers
• Need technical skills to perform duties effectively
• Must also have:
– A good understanding of networks and the role of management in an organization
– Skills in writing and verbal communication
– Desire to continue learning

Danger of certification exams
• Some participants simply memorize terminology
– Don’t have a good grasp of the subject matter

Laws involving technology change as rapidly as technology itself

Find what is legal for you locally
• Laws change from place to place

Be aware of what is allowed and what is not allowed

Tools on your computer might be illegal to possess

Contact local law enforcement agencies before installing hacking tools

Laws are written to protect society
• Written words are open to interpretation

Governments are getting more serious about punishment for cybercrimes

US State Law summary
• http://www.irongeek.com/i.php?page=computerlaws/state-hacking-laws
http://www.theonion.com/articles/after-checking-your-bankaccount-remember-to-log-o,32260/?ref=auto
Namecheap Hit by 100 Gbps DDoS Attack (February 20, 2014)
Webhosting company Namecheap says it was targeted by a huge 100 Gbps distributed denial-of-service (DDoS) attack.
Namecheap said the attack bombarded its DNS servers with traffic measured at up to 100 Gbps.
• http://news.cnet.com/8301-1009_3-57619235-83/namecheap-targeted-inmonumental-ddos-attack/
• http://www.csoonline.com/article/748570/namecheap-fends-off-ddos-attackrestores-services
KrebsOnSecurity Hit With 600+ Gbps DDoS
The KrebsOnSecurity website was targeted by a huge 620 Gbps distributed denial-of-service (DDoS) attack.
• https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
150,000 IoT Devices Abused for Massive 1.5 Tbps DDoS Attacks on OVH
The hosting provider OVH continues to be targeted by massive distributed denial-of-service (DDoS) attacks powered by a large botnet capable of generating significant attack traffic.
• http://www.securityweek.com/150000-iotdevices-abused-massive-ddos-attacks-ovh
Recent Credit Card Reader Hacks
• 2013
– Target
• 2014
– Home Depot
– Michael’s Craft Stores
– Goodwill
– Dairy Queen
– Jimmy John’s
– UPS Stores
– Jewel Grocery Stores
– Staples
• http://money.cnn.com/2015/04/29/technology/credit-card-machine-hack/

Recent Credit Card Reader Hacks
• 2015
– Trump Hotels
– Sally Beauty
• http://www.nytimes.com/interactive/2015/07/29/technology/personaltech/what-parts-of-yourinformation-have-been-exposed-to-hackersquiz.html
• http://money.cnn.com/2015/04/29/technology/credit-card-machine-hack/
Wikileaks
• Published <1000 US Gov't diplomatic cables from a leak of 250,000
• Distributed an encrypted "Insurance" file by BitTorrent
• Widely assumed to contain the complete, uncensored leaked data
• Encrypted with AES-256--no one is ever getting in there without the key
• Key to be released if Assange is jailed or killed. Since June 2012, he has been inside the Ecuadorian embassy in London, where he has been granted diplomatic asylum.
NSA Backdoors
• Cisco and Juniper
– http://www.theprohack.com/2014/01/CiscoExploits-Juniper-Exploits-hack-firewalls-routerexploits-hacked-by-NSA-prohack.html
SSL / TLS Vulnerabilities
• SSL Strip
• The Beast
• Heartbleed
• Shellshock
• SSL 3.0 Poodle
– http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
Hacktivism
• Act of hacking, or breaking into a computer system, for a politically or socially motivated purpose
Anonymous
http://www.indybay.org/newsitems/2011/08/16/18687809.php
Operation Payback
• 4chan's Anonymous group
• Attacked Scientology websites in 2008
• Attacked the RIAA and other copyright defenders
• Using the Low Orbit Ion Cannon with HiveMind (DDoS)
• "Opt-in Botnet"
HB Gary Federal
• Aaron Barr
• Developed a questionable way to track people down online
• By correlating Twitter, Facebook, and other postings
• Announced in the Financial Times that he had located the “leaders” of Anonymous and would reveal them in a few days

HB Gary Federal
• In 2011, HBGary Federal’s CEO Aaron Barr found his e-mail hacked, and 50,000 internal business messages posted online, an event that led to Barr stepping down from the company.
• The hackers from the LulzSec group detailed how they exploited weak passwords and unpatched servers at HBGary Federal, but they were eventually caught, among them Jake Davis, who confessed to the crime in a London court.
Social Engineering & SQLi
• http://tinyurl.com/4gesrcj
Leaked HB Gary Emails
• For Bank of America
– Discredit Wikileaks
– Intimidate Journalist Glenn Greenwald
• For the Chamber of Commerce
– Discredit the watchdog group US Chamber Watch
– Using fake social media accounts
• For the US Air Force
– Spread propaganda with fake accounts
• http://tinyurl.com/4anofw8
Drupal Exploit
OpBART
• Dumped thousands of commuters' email addresses and BART passwords on the Web
– http://www.djmash.at/release/users.html
• Defaced MyBart.org
– http://www.dailytech.com/Anonymous%20Targets%20Californias%20Infamous%20BART%20Hurts%20Citizens%20in%20the%20Process/article22444.htm
Booz Allen Hamilton
• "LulzSec" hacked it in July 2011
• Dumped 150,000 US Military email addresses & passwords
– http://www.forbes.com/sites/andygreenberg/2011/07/11/anonymous-hackers-breach-booz-allen-hamilton-dump90000-military-email-addresses/

Booz Allen Hamilton
• Government contractor Booz Allen Hamilton was supposed to be providing security support for the National Security Agency, but was shocked to discover last June that one of its contractors, Edward Snowden, had leaked reams of top-secret NSA information to the press.
Missouri Sheriff's Association
• Hacked by AntiSec, another part of Anonymous
• Published credit cards, informant personal info, police passwords, and more
– https://vv7pabmmyr2vnflf.tor2web.org/
Th3j35t3r
• "Hacktivist for Good"
• Claims to be ex-military
• Originally performed DoS attacks on Jihadist sites
• Bringing them down for brief periods, such as 30 minutes
• Announces his attacks on Twitter, discusses them on a blog and live on irc.2600.net

Th3j35t3r v. Wikileaks
• He brought down Wikileaks single-handed for more than a day

Wikileaks Outage
• One attacker, no botnet ???

Westboro Baptist Outage
• 4 sites held down for 8 weeks
• From a single 3G cell phone???
LulzSec
• The "skilled" group of Anons who hacked
– US Senate
– Pron.com
– Sony
– Infragard
– PBS
– H B Gary Federal
– AZ Police
– Booz Hamilton
– NATO
– The Sun
– Fox News
– Game websites
Ryan Cleary
• Arrested June 21, 2011
• Accused of DDoSing the UK’s Serious Organised Crime Agency
• http://www.dailymail.co.uk/news/article-2007345/Ryan-Cleary-Hacker-accusedbringing-British-FBI-site.html
• Released June 2013
• http://www.informationweek.com/security/attacks/lulzsec-hacker-ryan-cleary-to-berelease/240156590
T-Flow Arrested July 19, 2011
• http://www.foxnews.com/scitech/2011/07/19/leading-member-lulzsechacker-squad-arrested-in-london/
LulzSec spokesman Topiary Arrested
• On 7-27-11
• http://www.dailymail.co.uk/news/article2021332/Free-Radicals-The-Secret-AnarchyScience-sales-rocket-Jake-Davis-seenclutching-copy.html

Released from Prison
• http://www.theregister.co.uk/2013/06/25/former_lulzsec_spokesman_davis_released_from_jail/
– http://mpictcenter.blogspot.com/2011/08/how-iout-hacked-lulzsec-member.html

Stay Out of Anonymous
• http://mpictcenter.blogspot.com/2011/08/stay-out-of-anonymous.html

Sabu, LulzSec co-founder, Hacker "God" to "Snitch", pleads guilty
• August 2011
• http://www.dailytech.com/Betrayed+by+Their+Chief+LulzSec+Don+Helps+FBI+Take+Down+his+Underlings/article24175.htm
• Served 7 months in prison
Sony aftermath
• http://www.cnet.com/news/sony-agreesto-settle-psn-hack-lawsuit-with-freebies/
Layer 4 DDoS
Many Attackers – One Target
Bandwidth Consumption
Companies that Refused Service to Wikileaks
• Amazon
• Paypal
• Mastercard
• Visa
• Many others
Low Orbit Ion Cannon
• Primitive DDoS Attack, controlled via IRC
• Sends thousands of packets per second from the attacker directly to the target
• Like throwing a brick through a window
• Takes thousands of participants to bring down a large site
• They tried but failed to bring down Amazon
• http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon
Low Orbit Ion Cannon

Operation Payback v. Mastercard
December 2012
• Brought down Visa, Mastercard, and many other sites
– Easily tracked, and easily blocked
– High bandwidth, cannot be run through an anonymizer
– Dutch police have already arrested two participants

Mastercard Outage
• 3,000 to 30,000 attackers working together
Operation Megaupload
In retaliation for the shut down of the file sharing service Megaupload and the arrest of four workers, Anonymous DDoSed the websites of UMG, the United States Department of Justice, the United States Copyright Office, the FBI, the MPAA, Warner Brothers Music and the RIAA, and HADOPI, all on the afternoon of January 19, 2012
• http://news.softpedia.com/news/AnonymousInitiates-Operation-Wall-Street-Threatens-toDox-CEOs-and-Executives-333425.shtml
Layer 7 DoS
One Attacker – One Target
Exhausts Server Resources

Layer 7 DoS
• Subtle, concealable attack
• Can be routed through proxies
• Low bandwidth
• Can be very difficult to distinguish from normal traffic
HTTP GET
SlowLoris
• Send incomplete GET requests
• Freezes Apache with one packet per second

R-U-Dead-Yet
• Incomplete HTTP POSTs
• Stops IIS, but requires thousands of packets per second
• http://code.google.com/p/r-u-dead-yet/
Keep-Alive DoS
• HTTP Keep-Alive allows 100 requests in a single connection
• HEAD method saves resources on the attacker
• Target a page that is expensive for the server to create, like a search
– http://www.esrun.co.uk/blog/keep-alive-dos-script/
• A PHP script
– php keep-dead.php
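The SlowLoris, R-U-Dead-Yet and Keep-Alive slides above all describe traffic that is low-bandwidth and, as the Layer 7 slide says, hard to tell from normal use. The script below is an added example written for this page, not code from the course, the textbook or any of the tools named. It reads combined-format access log lines and flags clients whose requests inside a sliding window are dominated by an expensive endpoint (assumed here to be /search) or by the HEAD method, the two traits the Keep-Alive DoS slide names. The log lines, client addresses, thresholds and the endpoint prefix are constructed assumptions.

```python
"""Flag Layer 7 (application-layer) DoS patterns in web server access logs.

Added example for this lecture, not code from the course or textbook.
Heuristic only: a client that sends many requests to an expensive endpoint
(such as a search page) or relies mostly on HEAD requests inside a short
window matches the keep-alive style abuse described on the slides.
Thresholds, endpoint names and log lines are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format as written by Apache httpd or nginx.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Endpoints that cost the server real work per hit (assumed for the demo).
EXPENSIVE_PREFIXES = ("/search",)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def detect_layer7(lines, window=timedelta(seconds=60), min_requests=20,
                  expensive_share=0.8, head_share=0.8):
    """Return {client_ip: reason} for clients whose traffic, inside any sliding
    window of the given length, is dominated by expensive-endpoint hits or by
    HEAD requests.  A normal browser spreads its requests over many paths and
    methods, so it stays below both ratios."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # advance the window start so recs[start:end+1] spans at most `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            chunk = recs[start:end + 1]
            n = len(chunk)
            if n < min_requests:
                continue
            expensive = sum(r["path"].startswith(EXPENSIVE_PREFIXES) for r in chunk)
            heads = sum(r["method"] == "HEAD" for r in chunk)
            secs = int(window.total_seconds())
            if expensive / n >= expensive_share:
                flagged[ip] = f"{n} requests, {expensive} to expensive endpoints in {secs}s"
                break
            if heads / n >= head_share:
                flagged[ip] = f"{n} requests, {heads} HEAD in {secs}s"
                break
    return flagged


def sample_log():
    """Constructed sample: one ordinary browser and one client hammering /search."""
    base = datetime(2016, 12, 14, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(5):
        t = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(f'192.0.2.10 - - [{t}] "GET /page{i}.html HTTP/1.1" 200 5120')
    for i in range(25):
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{t}] "HEAD /search?q=term{i} HTTP/1.1" 200 -')
    return lines


if __name__ == "__main__":
    for ip, why in detect_layer7(sample_log()).items():
        print(f"{ip}: {why}")
```

Run it against a real log with `detect_layer7(open("access.log"))`; the expensive-endpoint list and the 80% ratios are the knobs to tune for a given site, and a client flagged this way is a candidate for a per-client connection limit or rate limit in the web server or WAF rather than an automatic block.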
XerXes
• Th3j35t3r's DoS Tool
• Routed through proxies like Tor to hide the attacker's origin
• No one knows exactly what it does
• Layer 7 DoS?
Video Demo - http://vimeo.com/17268609

XerXes

IPv6 - The Ping of Death returns
http://www.infoworld.com/d/security/microsoft-patch-tuesday-the-pingof-death-returns-ipv6-style-224867

Link-Local DoS
IPv6 Router Advertisements
http://www.hotforsecurity.com/blog/denial-of-serviceattack-through-ipv6-router-advertisement-vulnerability4362.html
IPv4: DHCP
PULL process
• Client requests an IP
• Router provides one
[Diagram: Host -> Router: "I need an IP"; Router -> Host: "Use this IP"]

IPv6: Router Advertisements
PUSH process
• Router announces its presence
• Every client on the LAN creates an address and joins the network
[Diagram: Router -> Host: "JOIN MY NETWORK"; Host -> Router: "Yes, SIR"]
Router Advertisement Packet
RA Flood
Windows Vulnerability
• It takes a LOT of CPU for Windows to process those Router Advertisements
• 5 packets per second drives the CPU to 100%
• And they are sent to every machine in the LAN (ff02::1 is Link-Local All Nodes Multicast)
• One attacker kills all the Windows machines on a LAN
Responsible Disclosure
• Microsoft was alerted by Marc Heuse on July 10, 2010
• Microsoft does not plan to patch this
• Juniper and Cisco devices are also vulnerable
• Cisco has released a patch, Juniper has not

Defenses from RA Floods
• Disable IPv6
• Turn off Router Discovery
• Block rogue RAs with a firewall
• Get a switch with RA Guard
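The DHCP versus Router Advertisement comparison and the RA flood slides above explain the push model that lets any host on a LAN announce itself as a router to every machine at once, and list RA Guard as a defense. The script below is an added example written for this page, not code from the course, the textbook, Microsoft, Cisco or Juniper. It parses ICMPv6 Router Advertisements in the RFC 4861 layout and applies an RA Guard-style policy: only an allow-listed router MAC may advertise, and even that source is dropped once it exceeds 5 RAs per second, the rate the slide gives for pinning a Windows CPU. The MAC addresses, prefixes, timings and packets are constructed test data, and the ICMPv6 checksum is not verified.

```python
"""Parse ICMPv6 Router Advertisements and apply an RA Guard-style policy.

Added example for this lecture, not code from the course or from any vendor.
It models the defence the slides name: a switch with RA Guard only lets
advertisements in from ports where a router is expected.  Here a host-side
monitor accepts RAs only from an allow-listed source MAC and drops any source
that exceeds a rate limit.  The 5 RA/s figure is the rate the slide gives for
driving a Windows CPU to 100%; MAC addresses, prefixes and timings are
constructed test data, and the ICMPv6 checksum is not verified.
"""
import ipaddress
import struct
from collections import defaultdict

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 section 4.2
OPT_PREFIX_INFORMATION = 3          # RFC 4861 section 4.6.2


def parse_ra(payload):
    """Decode an RA (ICMPv6 header + options); raise ValueError on malformed input."""
    if len(payload) < 16:
        raise ValueError("RA too short")
    (typ, _code, _csum, hop_limit, flags,
     router_lifetime, _reachable, _retrans) = struct.unpack("!BBHBBHII", payload[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),      # M flag: addresses come from DHCPv6
        "other": bool(flags & 0x40),        # O flag: other config comes from DHCPv6
        "router_lifetime": router_lifetime,
        "prefixes": [],
    }
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861: packet must be discarded
        size = olen * 8                               # option length is in units of 8 octets
        opt = payload[off:off + size]
        if len(opt) < size:
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFORMATION and olen == 4:
            prefix_len = opt[2]
            prefix = ipaddress.IPv6Address(opt[16:32]).compressed
            ra["prefixes"].append((prefix, prefix_len))
        off += size
    return ra


def build_ra(prefix="2001:db8:1::", prefix_len=64, router_lifetime=1800):
    """Construct a minimal RA with one Prefix Information option (test data only)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                         router_lifetime, 0, 0)
    # type, length (4 = 32 bytes), prefix length, L|A flags, valid, preferred, reserved
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, prefix_len, 0xC0,
                         2592000, 604800, 0) + ipaddress.IPv6Address(prefix).packed
    return header + option


class RaMonitor:
    """Accept RAs only from known router MACs and only below a per-second rate."""

    def __init__(self, allowed_macs, max_per_second=5):
        self.allowed = set(m.lower() for m in allowed_macs)
        self.max_per_second = max_per_second
        self.recent = defaultdict(list)     # src_mac -> timestamps within the last second

    def observe(self, src_mac, ts, payload):
        """Return 'accept', 'drop-unauthorized' or 'drop-flood' for one RA."""
        parse_ra(payload)                   # malformed RAs raise before any policy check
        src_mac = src_mac.lower()
        if src_mac not in self.allowed:
            return "drop-unauthorized"
        window = [t for t in self.recent[src_mac] if ts - t < 1.0]
        window.append(ts)
        self.recent[src_mac] = window
        if len(window) > self.max_per_second:
            return "drop-flood"
        return "accept"


def run_demo():
    """Constructed traffic: a legitimate router, a rogue host flooding RAs, and a
    burst that spoofs the legitimate router's MAC.  Returns verdict counts."""
    mon = RaMonitor(allowed_macs=["00:11:22:33:44:55"])
    counts = defaultdict(int)
    good = build_ra("2001:db8:1::")
    rogue = build_ra("2001:db8:bad::", router_lifetime=9000)
    for ts in (0.0, 200.0):                                # normal periodic RAs
        counts[mon.observe("00:11:22:33:44:55", ts, good)] += 1
    for i in range(50):                                    # rogue flood: 50 RAs in one second
        counts[mon.observe("de:ad:be:ef:00:01", 100.0 + i * 0.02, rogue)] += 1
    for i in range(10):                                    # spoofed-source burst: 10 RAs in one second
        counts[mon.observe("00:11:22:33:44:55", 300.0 + i * 0.1, rogue)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(run_demo())
```

The two checks complement each other: the allow-list stops a rogue host outright, and the rate limit catches a flood that spoofs the real router's MAC, which is the case a plain allow-list misses. In the demo the spoofed burst gets five RAs through before the limit engages, which is why the slide's firewall and switch-port (RA Guard) defenses sit closer to the source than a host-side monitor can.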
Defending Websites
Attack > Defense
• Right now, your website is only up because
– Not even one person hates you, or
– All the people that hate you are ignorant about network security

Defense
• Mod Security: free open-source defense tool
• Latest version has some protections against Layer 7 DoS
• Akamai has good defense solutions
• Caching
• DNS Redirection
• Javascript second-request trick

Load Balancer

Counterattacks
• Reflecting attacks back to the command & control server
• Effective against dumb attackers like Anonymous' LOIC
– Will lose effect if they ever learn about Layer 7 DoS, which is happening now

• Free DDoS Protection
• Uses a network of proxy servers
• Stopped th3j35t3r in a real attack

Some states consider it legal
• Not always the case
• Be prudent before using penetration-testing tools

Federal government does not see it as a violation
• Allows each state to address it separately
– Research state laws

Read your ISP’s “Acceptable Use Policy”
• Comcast
– http://www.comcast.com/Corporate/Customers/Policies/HighSpeedInternetAUP.html?SCRedirect=true
• AT&T
– http://www.att.com/esupport/article.jsp?sid=KB400169
• More than likely – NO from the ISP’s perspective
• Remember - Big Brother may be watching!

IRC “bot”
• Program that sends automatic responses to users
• Gives the appearance of a person being present
• Some ISPs may prohibit the use of IRC bots

http://www.cod.edu/people/faculty/wagnerju/cit2640q/conduct.pdf

Federal computer crime laws are getting more specific
• Cover cybercrimes and intellectual property issues

Computer Hacking and Intellectual Property (CHIP)
• New government branch to address cybercrimes and intellectual property issues

The Cyber Security Enhancement Act of 2002
• Mandates life sentences for hackers who “recklessly” endanger the lives of others.

Securely Protect Yourself Against Cyber Trespass Act of 2007 (SPY ACT)
• Defines pop-ups, spyware, and spam as illegal

18 USC §1029 and 1030 (US Code)
• Define unauthorized access and malicious software
• Strict penalties for hacking, no matter what the intent.

ADA Section 508
• All users, regardless of disability status, can access technology.

Children's Online Privacy Protection Act of 1998 (COPPA)

Computer Security Act of 1987
• Provides for Government-wide computer security, and for the training in security matters of persons who are involved in the management, operation, and use of Federal computer systems, and for other purposes.
• Accessing a computer without permission
• Destroying data without permission
• Copying information without permission
• Installing malicious software
• Denial of Service attacks
• Denying users access to network resources

Be careful your actions do not prevent customers from doing their jobs

Using a contract is just good business
• Contracts may be useful in court

Books on working as an independent contractor
• Getting Started as an Independent Computer Consultant by Mitch Paioff and Melanie Mulhall
• The Consulting Bible: Everything You Need to Know to Create and Expand a Seven-Figure Consulting Practice by Alan Weiss

The Internet can also be a useful resource

Have an attorney read over your contract before sending or signing it

What it takes to be a security tester
• Knowledge of network and computer technology
• Ability to communicate with management and IT personnel
• Understanding of the laws
• Ability to use necessary tools

Companies hire ethical hackers to perform penetration tests
• Penetration tests discover vulnerabilities in a network
• Security tests are performed by a team of people with varied skills

Penetration test models
• White box model
• Black box model
• Gray box model

Security testers can earn certifications
• CEH
• CISSP
• OPST

As a security tester, be aware
• What you are legally allowed or not allowed to do

ISPs may have an acceptable use policy
• May limit ability to use tools

Laws should be understood before conducting a security test
• Federal laws
• State laws

Get it in writing
• Use a contract
• Have an attorney read the contract

Understand tools available to conduct security tests
• Learning how to use them should be a focused and methodical process