These activities are criminal in almost all countries. Performing a penetration test on a system with the owner's permission is done and is permitted, except in Germany. This certification validates the knowledge and skills required to look for vulnerabilities and weaknesses in a given computer system.
Chapters are organized by exam objective, with a handy section that maps each objective to its corresponding chapter, so you can keep track of your progress. The text provides thorough coverage of all topics, along with challenging chapter review questions and Exam Essentials, a key feature that identifies critical study areas.
Subjects include intrusion detection, DDoS attacks, buffer overflows, virus creation, and more. Thanks to its clear organization, all-inclusive coverage, and practical instruction, the CEH v10 Certified Ethical Hacker Study Guide is an excellent resource for anyone who needs to understand the hacking process or anyone who wants to demonstrate their skills as a Certified Ethical Hacker.
In this phase, the attacker scans the network using the information acquired during the initial reconnaissance phase. Scanning tools include diallers, scanners such as port scanners and network mappers, client tools such as ping, and vulnerability scanners.
During the scanning phase, the attacker finally obtains port information, including port status, operating system information, device type, live machines and other details depending on the type of scan.

Gaining Access
The gaining access phase of hacking is the point where the hacker gets control over an operating system, application or computer network.
The control gained by the attacker defines the access level: operating system level, application level or network level. Techniques such as password cracking, denial of service, session hijacking and buffer overflow are used to gain unauthorized access. Similarly, the attacker prevents the compromised system from being owned by any other hacker.
They use backdoors, rootkits or Trojans to retain ownership. In this phase, an attacker may steal information by uploading it to a remote server, download files to the resident system, and manipulate data and configuration.
The attacker then uses this compromised system as a launch point for attacks on other systems.

Clearing Tracks
An attacker must hide his identity by covering his tracks.
Covering tracks refers to the activities carried out to hide malicious activity. To conceal identity and evidence, the attacker overwrites system, application and other related logs to avoid suspicion.
The increase in cybercrime and hacking over the last decade has created a great challenge for security experts, analysts and regulators. It is an ongoing war between hackers and security professionals. The fundamental challenge for security experts is to find weaknesses and deficiencies in running and upcoming systems, applications and software, and to address them proactively. It is less costly to investigate proactively before an attack than to investigate after falling victim to one, or while dealing with one.
For security, prevention and protection, organizations maintain internal penetration testing teams and also contract outside professional experts when needed, depending on the severity and scope of the attack.

Why Ethical Hacking is Necessary
The rise in malicious activity and cybercrime, and the appearance of different forms of advanced attacks, create the need for penetration testers who probe the security of systems and networks so that weaknesses can be determined and precautions and remediation actions taken against these aggressive attacks.
These aggressive and advanced attacks include:
- Denial-of-Service attacks
- Manipulation of data
- Identity theft
- Vandalism
- Credit card theft
- Piracy
- Theft of services
These types of attacks, hacking cases and cyber attacks have increased because of the growth in online transactions and online services over the last decade.
It has become more attractive for hackers and attackers to try to steal financial information. This drives the requirement for pentesters (a shortened form of penetration testers) to search for vulnerabilities and flaws within a system rather than waiting for an attack. If you want to beat the attacker, you have to be smart enough to think and act like them.
As we know, hackers are skilled, with great knowledge of hardware and software and strong exploration capabilities. This underlines the need for and importance of ethical hacking, which allows the ethical hacker to counter attacks from malicious hackers by anticipating their methods. Another major advantage of ethical hacking is uncovering vulnerabilities in systems and security deployments so that action can be taken to secure them before a hacker uses them to breach security.
Scope and Limitations of Ethical Hacking
Ethical hacking is a crucial component of risk assessment, auditing and counter-fraud. It is widely used in penetration testing to identify vulnerabilities and risks and to highlight holes so that remedial action can be taken against attacks.
However, there are also limitations: in some situations ethical hacking is not enough, or the issue cannot be resolved through ethical hacking alone. An organization must first know what it is looking for before hiring an external pentester.
This helps focus the goals to be achieved and saves time, letting the testing team concentrate on troubleshooting the actual problem and resolving the issues. The ethical hacker also helps the organization understand its security system better. It is up to the organization to take the actions recommended by the pentester and enforce security policies over the system and network.
Phases of Ethical Hacking
Ethical hacking is the combination of the following phases:
1. Enumeration
4. System Hacking
5. Escalation of Privileges
6. Covering Tracks

Skills of an Ethical Hacker
A skilled ethical hacker has a set of technical and non-technical skills. An ethical hacker has in-depth knowledge of almost all operating systems, including popular, widely used ones such as Windows, Linux, Unix and Macintosh.
Ethical hackers are skilled in networking, from basic to detailed concepts and technologies, and in exploring the capabilities of hardware and software. They must have a strong command of security areas, related issues and technical domains.
They must have detailed knowledge of older as well as advanced, sophisticated attacks.

Non-Technical Skills
1. Learning ability
2. Problem-solving skills
3. Communication skills
4. Commitment to security policies
5. Awareness of laws, standards and regulations

With the combination of these components, information and information systems are assured and protected during processing, usage, storage and communication.
These components are defined earlier in this chapter. Apart from these components, some methods and processes also help in achieving information assurance, such as:
- Policies and processes
- Network authentication
- User authentication
- Network vulnerabilities
- Identifying problems and resources
- Implementation of a plan for identified requirements
- Application of information assurance controls

Information Security Management Program
Information security management programs are programs specially designed to focus on reducing risk and vulnerabilities in the information security environment and to train the organization and its users to work in a less vulnerable state.
Information security management is a combined management solution for achieving the required level of information security using well-defined security policies, classification processes, reporting, management and standards. It is an approach to risk management that focuses on analyzing system security and application security against security objectives.
This identification of threats and risks helps to focus and act on an event in order to achieve the goals. It involves capturing an organization's data and applying identification and assessment processes to the captured information to analyze what can impact the security of an application.
The application overview step identifies the application's trust boundaries and data flows. Decomposing the application and identifying threats leads to a detailed review of those threats, including identification of any threat that breaches a security control. This identification and detailed review of every aspect exposes the vulnerabilities and weaknesses of the information security environment.
A security zone is a set of network devices sharing a specific security level. Different security zones may have similar or different security levels.

Figure: Network Security Zoning

Information Security Policies
Information security policies are the fundamental and most relied-upon component of the information security infrastructure.
Fundamental security requirements, conditions and rules are configured and enforced through an information security policy to secure the organization's resources. These policies outline the management, administration and security requirements within an information security architecture. The main types are:
1. Promiscuous policy
2. Permissive policy
3. Prudent policy
4. Paranoid policy

Promiscuous policy
The promiscuous policy places no restriction on the usage of system resources.

Permissive policy
The permissive policy restricts only widely known, dangerous attacks or behavior.
Prudent policy
The prudent policy provides the maximum and strongest security of these. It allows only known, necessary risks, blocking all services except those individually enabled.
Every event is logged under a prudent policy.

Paranoid policy
The paranoid policy denies everything, limiting internet usage.

The legal implications of security policies are handled under the supervision of professionals: legal experts and consultants who ensure compliance with laws, especially local laws and regulations. Any violation of these legal requirements leads to lawsuits against those responsible.

Physical security is also considered important in information security and is regarded as the first layer of protection.
Physical security includes protection against human-made attacks such as theft, damage and unauthorized physical access, as well as environmental impacts such as rain, dust, power failure and fire.

Figure: Physical Security

Physical security is required to prevent stealing, tampering, damage and many other physical attacks.
To secure the premises and assets, set up fences, guards, CCTV cameras, intruder monitoring systems, burglar alarms and deadlocks. Important files and documents should not be left in any unsecured location, even within the organization; they should be kept locked and available to authorized persons only.
Functional areas must be separated and biometrically protected. Continuous or frequent monitoring of wiretapping, computer equipment, HVAC and firefighting systems should also be carried out.

An incident may be any specific violation of a condition, policy or similar.
Similarly, in information security, incident response consists of the remediation actions or steps taken in response to an incident, from the identification of an event, threat or attack through to its removal or elimination, when the system becomes stable, secure and functional again. Incident response management defines the roles and responsibilities of an organization's penetration testers, users and employees.
Additionally, incident response management defines the actions required when a system faces a threat to its confidentiality, integrity, authenticity or availability, depending on the threat level. The important thing to remember is that a system dealing with an attack requires sophisticated, dedicated troubleshooting by an expert. While responding to the incident, the professional collects the evidence, information and clues that help with future prevention, tracing the attacker and finding the holes and vulnerabilities in the system.
The incident response process consists of the following steps:
1. Preparation for incident response
2. Detection and analysis
3. Classification of the incident and its prioritization
4. Notification and announcements
5. Containment
6. Forensic investigation of the incident
7. Eradication and recovery
8.

The response team consists of trained officials who are expert in collecting information and securing all evidence of an attack from the affected system.
If an incident response plan (IRP) is not defined or not applicable to the case, the team follows the lead examiner to perform a coordinated operation:
- Examination and evaluation of the event; determination of the damage or scope of the attack.
- Documentation of the event and the processes followed.
- If required, support from an external security professional or consultant.
- If required, support from local law enforcement.
- Fact collection.

Through vulnerability assessment, you can identify weaknesses and threats to a system, scope a vulnerability, and estimate the requirement for and effectiveness of any additional security layer.
Types of Vulnerability Assessment
The following are the types of vulnerability assessment:
1. Active assessment
2. Passive assessment
3. Host-based assessment
4. Internal assessment
5. External assessment
6. Network assessment
7. Wireless network assessment
8.

The following are the phases of vulnerability assessment:
1. Acquisition
2. Identification
3. Analyzing
4. Evaluation
5.

Identification
In the identification phase, the assessor interacts with customers, employees, administrators and other people involved in designing the network architecture to gather technical information.
Analyzing
The analyzing phase reviews the information gathered, whether as a collection of documentation or through one-to-one interaction. It basically consists of:
- Reviewing the information.
- Analyzing the results of previously identified vulnerabilities.
- Risk assessment.
- Vulnerability and risk analysis.
- Evaluation of the effectiveness of existing security policies.
- Identifying modifications and upgrades.

Generating Reports
The reporting phase is the documentation of a draft report required for future inspection.
This report helps identify vulnerabilities in the acquisition phase. Audits and penetration tests also draw on these previously collected reports. When a modification to a security mechanism is required, these reports help in designing the security infrastructure.
A central database usually holds these reports. Reports contain:
- Tasks performed by each member of the team.
- Information collected in the different phases.

Figure: Comparing Pentesting

Importance of Penetration Testing
If you want to be ready for an attack, you must be smart enough to think and act like the attackers. In the modern world, where advanced threats such as denial of service, identity theft, theft of services and stealing of information are common, penetration testing makes it possible to counter attacks from malicious threats by anticipating their methods.
The objectives of penetration testing include:
- To provide a comprehensive assessment of policies, procedures, design and architecture.
- To set remediation actions to secure them before they are used by a hacker to breach security.
- To identify what an attacker can access and steal.
- To identify what information can be stolen and how it could be used.
- Modification and upgrade of the currently deployed security architecture.

Black Box
Black box is a type of penetration testing in which the pentester performs blind testing or double-blind testing. Black box testing is designed to emulate the situation of an external attacker, in order to counter such an attack.
Gray Box
Gray box is a type of penetration testing in which the pentester has very limited prior knowledge of the system, such as IP addresses, operating system or network information. Gray box testing is designed to emulate an insider who might have this basic, limited information about the target, and to counter such an attack.
White Box
White box is a type of penetration testing in which the pentester has complete knowledge of the system and target information. This type of test is performed by internal security teams or security audit teams to carry out auditing.

Phases of Penetration Testing
Penetration testing is a three-phase process.

The PCI Security Standards Council develops security standards for the payment card industry and provides the tools required to enforce these standards, such as training, certification, assessment and scanning.
- Information security management processes.
- Assurance of cost-effective risk management.
- Compliance with laws.

The HIPAA Security Rule specifies what information is protected and, additionally, the safeguards that must be applied to secure electronic protected health information.
Administrative safeguards, physical safeguards and technical safeguards ensure the confidentiality, integrity and availability of electronic protected health information (e-PHI). The legislation provides the Department with authority to develop and oversee the implementation of binding operational directives to other agencies, in coordination with and consistent with OMB policies and practices.

Collecting information also helps to identify the vulnerabilities within a system, which can be exploited to gain access.
The attacker narrows the focus onto the target by means of the range of IP addresses he has to go through, domain information or other details. Footprinting is the collection of every possible piece of information about the target and the target network. This collection of information helps in identifying different possible ways to enter the target network.
This information may be gathered from publicly available personal information and from sensitive information obtained from any private source. Active and passive methods of reconnaissance are also popular for gaining information about the target directly or indirectly. The overall purpose of this phase is to interact with the target to gain information without any detection or alerting.
Pseudonymous Footprinting
Pseudonymous footprinting includes footprinting through online sources. In pseudonymous footprinting, information about a target is shared by posting under an assumed name. The information is not shared under real credentials, to avoid being traced back to the actual source.

Internet Footprinting
Internet footprinting includes the footprinting and reconnaissance methods for gaining information through the internet.
Objectives of Footprinting
The major objectives of footprinting are:
1. To know the security posture
2. To reduce the focus area
3. To identify vulnerabilities
4.

Search engines extract information about the entity you have searched for from the internet.
You can open a web browser and, through any search engine such as Google or Bing, search for an organization. The results collect all the information available on the internet, including headquarters location, founding date, names of founders, number of employees, parent organization and the official website. You can go to its official website, or to other websites, for more information about it.
Apart from this publicly available information, website and search engine caches can also serve information that is no longer available on, or has since been updated or modified on, the official website. The official website itself can be found through a search engine such as Google, Bing and others.

Figure: Netcraft Webpage

Collect Location Information
After collecting basic information through search engines and services like Netcraft and Shodan, you can collect location information such as the physical location of the headquarters and its surroundings, the location of branch offices and other related details from online location and map services.
By simply searching for the targeted organization, you can obtain its financial information. Google and Yahoo are the most popular online financial services. This information includes company location, industry information, contact information, number of employees, job requirements, and hardware and software information.
Similarly, on these job sites, personal information can be collected from a targeted individual through a fake job posting. Some of the popular job sites are: www. Joining these platforms with a fake ID and getting close to the target organization's group is not difficult for anyone.
Any official or unofficial group can leak sensitive information.

Footprinting using Advanced Google Hacking Techniques
Google Advanced Search Operators
Some advanced options can be used to search for a specific topic using search engines. These advanced search operators make searching more precise and focused on a certain topic.
Google hacking was popularized by Johnny Long. This categorized database of queries is designed to uncover information that may be sensitive and not publicly available. Google hacking is used to speed up searches. As shown in the figure, through www. Similarly, www. This trick is used to gather information about people from social networking and other platforms for fraud, hacking and getting close to the target.
Footprinting using Social Engineering on Social Networking Sites
Social networking is one of the best information sources. Popular and widely used social networking sites have made it quite easy to find someone and get to know about them, including basic personal information as well as some sensitive information. Advanced features on these sites also provide up-to-date information.

Figure: Social Networking Sites

Social networking is not only a source of enjoyment; it also connects people personally, professionally and traditionally.
A social networking platform can provide sufficient information about an individual simply by searching for the target. Searching social networks for people or an organization yields much information, such as photos of the target, personal information and contact details.
What users do: People maintain their profile.
Information: Photo of the target, contact numbers, email addresses.
What the attacker gets: Personal information about the target, including personal details, photo, etc.
Using this personal information, an attacker can create a fake profile with the same details. Posts carry location links, pictures and other location information that help identify the target's location.
Timelines and stories can also reveal sensitive information. By gathering information about interests and activities, an attacker can join related groups and forums for further footprinting.
Furthermore, skills, employment history, current employment and much more can be gathered easily and used to determine an organization's type of business and the technologies and platforms it uses. People posting on these platforms rarely think about what they are posting.
A post may contain enough information, or the one missing piece of information, for an attacker to gain access to their systems.

This information can be gathered through online services such as Netcraft, as described earlier. These tools can reveal information such as connection type and status and last-modification details.

Determining the Operating System
Using websites such as Netcraft.
Go to the website www. The results in the figure below are hidden to avoid legal issues. If you enter a complete URL, it shows in-depth detail of that particular website. Go to the following URL: www.

This browsing targets a website to gather specific information such as names and email addresses. Downloading an entire website onto the local system lets the attacker inspect the website, its directories and structure, and find other vulnerabilities in the mirrored copy in an offline environment.
Instead of sending multiple requests to the web server, this is a way to find vulnerabilities on a website. Mirroring tools are available that can download a website.
Additionally, they can rebuild all directories, HTML and other files from the server in a local directory.

Extracting Information using the Wayback Machine
1. Search for a target website.
2. Select the year from the calendar.
3. Select a date from the highlighted dates.
The following is the snapshot of the website on 2nd October.

These tools automatically check for updates and changes made to target websites.
Email is one of the most popular and widely used means of professional communication, used by every organization. The content or body of an email is therefore important and extremely valuable to attackers. It may include hardware and software information, user credentials, network and security device information, and financial information, all of which is valuable to penetration testers and attackers.
PoliteMail is a very useful tool for email footprinting; it tracks email communication with Microsoft Outlook. Using this tool with a list of email addresses of a targeted organization, the malicious link can be sent and each individual event traced. Several online and software applications offer email header tracing; Email Tracker Pro is one of the popular tools.

These websites gather information and reports on companies, including legal news, press releases, financial information, analysis reports, and upcoming projects and plans.
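Header tracing is what those tools do under the hood; the following Python is an added example (not from the study guide or any of the tools named) that walks an e-mail's Received: chain from origin to inbox and runs the consistency checks an analyst applies before trusting the From: line. The message, hosts and addresses are constructed documentation values.

```python
"""Trace the relay path recorded in an e-mail's Received: headers.

Every mail server that handles a message prepends its own Received: line,
so the top line is the final hop and the bottom line is the origin. Reading
them bottom-up reconstructs the path the message actually took, independent
of what the From: header claims. The message below is constructed for this
example; all hosts and addresses are documentation values.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Common shape: "from <helo-name> (<rdns> [<ip>]) by <receiver> ...; <date>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"          # name the sending side announced
    r"(?:\s+\((?P<comment>[^)]*)\))?"     # receiver's view: rDNS [ip]
    r".*?\bby\s+(?P<by_host>\S+)",        # the server that added this line
    re.DOTALL,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

SAMPLE_MESSAGE = """\
Return-Path: <billing@mail.example.net>
Received: from mx2.example.com (mx2.example.com [192.0.2.20])
 by inbox.example.com (Postfix) with ESMTPS id ABC123
 for <alice@example.com>; Mon, 01 Jan 2024 10:00:05 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
 by mx2.example.com (Postfix) with ESMTPS id DEF456;
 Mon, 01 Jan 2024 10:00:03 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
 by relay.example.net (Postfix) with ESMTPA id GHI789;
 Mon, 01 Jan 2024 10:00:01 +0000
From: "Bank Support" <support@bank.example>
To: alice@example.com
Subject: Verify your account

Please confirm your details at the link below.
"""


def parse_received(value):
    """Split one Received: value into sender, receiver and timestamp."""
    flat = " ".join(value.split())          # unfold continuation lines
    m = RECEIVED_RE.search(flat)
    if not m:
        return None
    comment = m.group("comment") or ""
    ip = IP_RE.search(comment) or IP_RE.search(m.group("from_host"))
    timestamp = None
    if ";" in flat:                          # the date follows the last ';'
        try:
            timestamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            timestamp = None
    return {
        "from_host": m.group("from_host").strip("[]"),
        "from_ip": ip.group(1) if ip else None,
        "rdns": comment.split("[")[0].strip() or None,
        "by_host": m.group("by_host"),
        "timestamp": timestamp,
    }


def trace_path(raw_message):
    """Return the hops in chronological order: index 0 is the origin."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()                           # headers are prepended, so flip
    return hops


def header_findings(raw_message):
    """Cheap triage checks; each is a heuristic, not proof of forgery."""
    msg = message_from_string(raw_message)
    hops = trace_path(raw_message)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")
    if hops and hops[0]["rdns"] in (None, "unknown"):
        findings.append(f"origin {hops[0]['from_ip']} has no reverse DNS")
    if hops and from_dom and not hops[0]["from_host"].endswith(from_dom):
        findings.append(f"origin {hops[0]['from_host']} is not under {from_dom}")
    stamps = [h["timestamp"] for h in hops if h["timestamp"]]
    if any(a > b for a, b in zip(stamps, stamps[1:])):
        findings.append("Received timestamps run backwards (possible forgery)")
    return findings


if __name__ == "__main__":
    for hop in trace_path(SAMPLE_MESSAGE):
        print(f"{hop['from_host']} ({hop['from_ip']}) -> {hop['by_host']}")
    print(header_findings(SAMPLE_MESSAGE))
```

Only the Received: line added by your own mail server is trustworthy; lower lines were supplied by the sender's side and can be forged, which is why the checks compare them against each other rather than believing any one of them.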
Scrolling down the page shows further results such as a geographical view of the audience, percentages and ranking in every country, and much more. These tools are used to track reputation and ranking, set up notifications when an organization is mentioned on the internet, and more. Here you can search for any keyword, such as those shown in the figure with results for Microsoft. Icons separate results from different sources; you can review a result by selecting an entry.

WHOIS lookup helps to find out who is behind the target domain name.
Figure: whois.

There are several lookup tools powered by www. There are also several tools available on the internet that perform DNS lookups. You can expand fields to extract information; consider the figure below. Fortunately, several tools are available for network footprinting to gain information about the target network.
Using these tools, an information seeker can create a map of the targeted network and extract information such as:
- Network address ranges
- Hostnames
- Exposed hosts
- OS and application version information
- Patch state of the hosts and applications
- Structure of the applications and back-end servers
Tools for this purpose are listed below:
- Whois
- Ping
- Nslookup
- Tracert

Traceroute
Tracert options are available in all operating systems as a command-line feature.
Visual traceroute and other graphical, GUI-based traceroute applications are also available. The traceroute or tracert command returns the path information from source to destination hop by hop. The result includes all hops between source and destination.
The result also includes the latency between these hops. After observing the following result, you can identify the network map.

Figure: Tracert

Tracert result of It can either be connected to To verify, trace the next route.
Information can often be collected from a human more easily than from systems. Some basic social engineering techniques are:
- Eavesdropping
- Shoulder surfing
- Dumpster diving
- Impersonation

Social Engineering
Social engineering can be understood as the art of extracting sensitive information from people.
Social engineers keep themselves undetected while unaware, careless people share their valuable information. The information obtained depends on the type of social engineering and may include:
- Operating system information
- Software information
- Network information

Eavesdropping
Eavesdropping is a type of social engineering footprinting in which the social engineer gathers information by listening to conversations covertly. This includes listening to, reading or accessing any source of information without the target being aware.
Phishing
In phishing, emails sent to a targeted group contain a message body that looks legitimate. The recipient clicks the link in the email, assuming it is a legitimate link.
Once the reader clicks the link, they are enticed into providing information: the link redirects the user to a fake webpage that looks like an official website. For example, the recipient is redirected to a fake bank webpage that asks for sensitive information.

Shoulder Surfing
Shoulder surfing is another method of gathering information, by standing behind a target while he is interacting with sensitive information. Through shoulder surfing, passwords, account numbers or other secret information can be gathered, depending on the carelessness of the target.
Dumpster Diving
Dumpster diving is the process of looking for treasure in the trash. This technique is old but still effective.
Maltego is an interactive tool that gathers data and represents it as graphs for analysis. The major purpose of this data mining tool is the online investigation of relationships among different pieces of information obtained from various sources across the internet.
Using transforms, Maltego automates the process of gathering information from different data sources and represents it as a node-based graph. Registration is required to download the software.
After download and installation, a license key is needed to run the application with full features. At the top, click the Create New Graph icon. In our case, for example, Domain is selected. Select the option and observe the results shown.

Recon-ng is written in Python, with independent modules, database interaction and other features.
You can download the software from www.

Figure: Recon-ng Search command

You can search for any entity within a module. Type run and press Enter to execute.

FOCA finds metadata and other hidden information within documents located on web pages.
Scanned searches can be downloaded and analyzed. Click Create to proceed, then click the Search All button. You can select a file, download it, extract its metadata, and gather other information such as username, file creation date and modification date.

To counter footprinting, devices and servers are configured to avoid data leakage. Provide education, training and awareness of footprinting, its impact, methodologies and countermeasures to the organization's employees. Avoid revealing sensitive information in annual reports, press releases, etc.
Prevent search engines from caching web pages.

Using Windows-based tools, let's gather some information about the target.
You can assume any target domain or IP address; in our case we are using example. The ping output shows:
- IP address of example.
- Round trip time
- TTL value

Figure: Ping example.

You can try again to get a more appropriate fragment value.

Download and install the HTTrack tool. In this lab, we are going to copy a website into our local directory and browse it from there in an offline environment.
Now you can explore the website in an offline environment to study its structure and other parameters.

Figure: Original Website

To make sure, compare the copy with the original example. Open a new tab and go to the URL example.

Metasploit Pro enables you to automate discovery and exploitation and provides the tools needed for the manual testing phase of a penetration test.
You can use Metasploit Pro to scan for open ports and services, exploit vulnerabilities, pivot further into a network, collect evidence, and create a report of the test results.

Topology information: in this lab, we are running Metasploit Framework on a private network.

Network Distance: 1 hop
Service Info: Host: localhost
All scanned ports on
Nmap done: IP addresses 9 hosts up scanned in
X device X server

The network scanning phase requires some of this information to proceed further. Network scanning is a method of getting network information such as identification of hosts, port information and services by scanning networks and ports.
When a host probes another host, the reply received can reveal much useful information. In-depth identification of a network, its ports and running services helps to map the network architecture and gives the attacker a clearer picture of the target.

TCP is connection oriented: bidirectional communication takes place after a connection is successfully established.
UDP is a simpler, connectionless internet protocol. Multiple messages are sent as packets in chunks using UDP. The ACK flag acknowledges the receipt of a packet.
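As an added example that is not part of the study guide, the following Python decodes the flag bits of constructed TCP headers, interprets the reply to a SYN probe the way a port scanner would (SYN/ACK open, RST closed, nothing filtered), and, from the defender's side, flags sources whose SYNs never turn into completed handshakes. All IP addresses, ports and packets are constructed sample values.

```python
"""Decode TCP header flags and read them the way a port scanner does.

TCP is connection oriented: a client sends SYN, an open port answers
SYN/ACK and the client completes the three-way handshake with ACK, while
a closed port answers RST/ACK. Scanners infer port state from exactly
these replies, so a defender who sees many SYNs that never become
handshakes is looking at a scan. Packet bytes below are constructed for
this example; no live traffic is involved.
"""
import struct
from collections import defaultdict

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
TCP_HDR = "!HHIIHHHH"   # src, dst, seq, ack, offset+flags, window, csum, urg


def build_tcp_header(src_port, dst_port, flags, seq=0, ack=0):
    """Pack a minimal 20-byte TCP header (data offset 5 words, no options)."""
    offset_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack(TCP_HDR, src_port, dst_port, seq, ack,
                       offset_flags, 65535, 0, 0)


def parse_tcp_header(raw):
    """Unpack the fixed header and name the flag bits that are set."""
    src, dst, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(TCP_HDR, raw[:20])
    set_bits = off_flags & 0x1FF
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": [name for name, bit in FLAG_BITS.items() if set_bits & bit],
    }


def port_state_from_reply(reply_flags):
    """Interpret the reply to a SYN probe; an empty list means no TCP reply."""
    flags = set(reply_flags)
    if {"SYN", "ACK"} <= flags:
        return "open"
    if "RST" in flags:
        return "closed"
    return "filtered"   # dropped silently, or only an ICMP unreachable came back


def detect_syn_scan(packets, threshold=5):
    """Flag sources that sent bare SYNs to many ports but never sent the
    handshake-completing ACK. packets is an iterable of (src_ip, raw_header)."""
    syn_ports = defaultdict(set)
    acked_ports = defaultdict(set)
    for src_ip, raw in packets:
        hdr = parse_tcp_header(raw)
        flags = set(hdr["flags"])
        if flags == {"SYN"}:
            syn_ports[src_ip].add(hdr["dst_port"])
        elif flags == {"ACK"} and hdr["dst_port"] in syn_ports.get(src_ip, set()):
            acked_ports[src_ip].add(hdr["dst_port"])
    return {
        ip: sorted(ports - acked_ports[ip])
        for ip, ports in syn_ports.items()
        if len(ports - acked_ports[ip]) >= threshold
    }


def sample_traffic():
    """Constructed capture: one legitimate HTTPS connection and one SYN scan."""
    SYN, ACK, RST = FLAG_BITS["SYN"], FLAG_BITS["ACK"], FLAG_BITS["RST"]
    pkts = [
        ("10.0.0.5", build_tcp_header(51000, 443, SYN, seq=100)),
        ("10.0.0.1", build_tcp_header(443, 51000, SYN | ACK, seq=900, ack=101)),
        ("10.0.0.5", build_tcp_header(51000, 443, ACK, seq=101, ack=901)),
    ]
    for port in (21, 22, 23, 25, 80, 110, 443, 3389):
        pkts.append(("10.0.0.99", build_tcp_header(40000, port, SYN, seq=1)))
        reply = SYN | ACK if port in (22, 443) else RST | ACK
        pkts.append(("10.0.0.1", build_tcp_header(port, 40000, reply, ack=2)))
        pkts.append(("10.0.0.99", build_tcp_header(40000, port, RST, seq=2)))  # half-open: tear down
    return pkts


if __name__ == "__main__":
    for src, raw in sample_traffic():
        print(src, parse_tcp_header(raw)["flags"])
    print(detect_syn_scan(sample_traffic()))
```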