Ethical Hacking ROULY BECHAR Institut Henri Fayol École Nationale Supérieure des Mines de St-Étienne

Page 1: Ethical hacking

Ethical Hacking

ROULY BECHAR

Institut Henri Fayol, École Nationale Supérieure des Mines de St-Étienne

Page 2: Ethical hacking

Ethical Hacking

• Independent computer security professionals breaking into computer systems.

• They neither damage the target systems nor steal information.

• They evaluate the security of the target systems and report back to the owners about the vulnerabilities found.

Page 3: Ethical hacking

Ethical Hacking

• Completely trustworthy.

• Strong programming and computer networking skills.

• Learn about the system and try to find its weaknesses.

• Techniques of criminal hackers: detection, prevention.

• Published research papers or released security software.

Page 4: Ethical hacking

Five stages to hacking

1. Reconnaissance
2. Scanning
3. Gaining access
4. Maintaining access
5. Covering tracks

Page 5: Ethical hacking

Reconnaissance

During this phase, a pentester uses a number of publicly available resources to learn more about the target. This information can be retrieved from Internet sources such as forums, bulletin boards, newsgroups, articles, blogs, social networks, and other commercial or non-commercial websites. Additionally, data can be gathered through search engines such as Google, Yahoo!, MSN Bing and others.

Page 6: Ethical hacking

Reconnaissance

Two types of reconnaissance:

Passive:
• Google search
• Browse the company web page
• Social networks (Facebook, Twitter, ...)
• ...

Active:
• Network scan (nmap)
• Vulnerability scan
• Social engineering
• ...

Page 7: Ethical hacking

Reconnaissance

The purpose of reconnaissance is to identify the target's technologies so that suitable attacks can be chosen:
• Where the web servers are
• Avoid broad scans
• Identify vulnerabilities
• Wi-Fi
• Network equipment
• Patch level
• Default configuration + passwords

Page 8: Ethical hacking

Reconnaissance

Default configuration + passwords:

Page 9: Ethical hacking

Passive Reconnaissance Resources

Netcraft (performed on École des Mines)

Page 10: Ethical hacking

Passive Reconnaissance Resources

Google hacking

(username=* | username:* |) | ( ((password=* | password:*) | (passwd=* | passwd:*) | (credentials=* | credentials:*)) | ((hash=* | hash:*) | (md5:* | md5=*)) | (inurl:auth | inurl:passwd | inurl:pass) ) filetype:log

Page 11: Ethical hacking

Passive Reconnaissance Resources

Google hacking

Page 12: Ethical hacking

Scanning

This phase mainly deals with identifying the target's network status, operating system, and network architecture. This gives a complete picture of the technologies and devices currently interconnected and helps in enumerating the services running on the network.

Page 13: Ethical hacking

Scanning

Nmap:

Nmap can be used, for example, to check for vulnerabilities in network services, enumerate resources on the target system, and scan for open ports. It can perform either a noisy or a quiet scan. Example of a quiet scan (the -p option takes the port list to scan, shown here as a placeholder):

nmap -Pn -p <ports> -sT ip_address

Page 14: Ethical hacking

Gaining access: Metasploit

• Exploits
• Payloads

Page 15: Ethical hacking

Privilege escalation

After exploiting the vulnerabilities and gaining access to the target machine, you can use tools in this category to escalate your privileges to the highest level.

Page 16: Ethical hacking

Privilege escalation

• Attacking the password used by the privileged accounts
• Sniffing the network to get the privileged accounts' username and password
• Spoofing the network packets of the privileged accounts to run a particular system command

Page 17: Ethical hacking

Attacking the password

• Offline attack: In this method, the attacker gets the password file from the target machine and transfers it to his own machine. Then he uses a password cracking tool to crack the passwords. The advantage of this method is that the attacker doesn't need to worry about a password blocking mechanism on the target machine, because he uses his own machine to crack the passwords.

• Online attack: In this method, the attacker guesses the password for a username on the live system. This may trigger the system to block the attacker after several failed password guesses.
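As an added example (not part of the slides), the "blocking mechanism" that makes online attacks risky for the attacker, seen from the defender's side: a Python check over constructed sshd log lines that applies a failures-per-window lockout per source address and flags a login that succeeds while the source is locked out. The host name, addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log excerpt (not from the slides); addresses are TEST-NET ranges.
SAMPLE_LOG = """\
Jan 10 12:00:01 srv sshd[411]: Failed password for root from 203.0.113.5 port 4422 ssh2
Jan 10 12:00:02 srv sshd[412]: Failed password for root from 203.0.113.5 port 4423 ssh2
Jan 10 12:00:02 srv sshd[413]: Failed password for invalid user admin from 203.0.113.5 port 4424 ssh2
Jan 10 12:00:03 srv sshd[414]: Failed password for root from 203.0.113.5 port 4425 ssh2
Jan 10 12:00:04 srv sshd[415]: Failed password for root from 203.0.113.5 port 4426 ssh2
Jan 10 12:00:09 srv sshd[416]: Accepted password for root from 203.0.113.5 port 4427 ssh2
Jan 10 12:05:00 srv sshd[417]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Jan 10 12:30:00 srv sshd[418]: Failed password for alice from 198.51.100.7 port 5002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

def parse(line, year=2024):
    """Return (timestamp, result, user, ip) or None; syslog lines carry no year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def analyze(log_text, threshold=5, window_s=60):
    """Lockout policy: `threshold` failures from one IP within `window_s` seconds.
    Returns (lockouts, suspicious): lockouts maps ip -> time the threshold was
    crossed; suspicious lists (ip, user) for successes while locked out."""
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    lockouts, suspicious = {}, []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:  # other sshd chatter: ignore
            continue
        ts, result, user, ip = rec
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:  # slide the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in lockouts:
                lockouts[ip] = ts
        elif ip in lockouts:  # a success after a lockout is the real alarm
            suspicious.append((ip, user))
    return lockouts, suspicious
```

The second source fails twice, 25 minutes apart, and is never locked out; the first crosses the threshold within four seconds and then logs in successfully, which is the event worth paging on.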

Page 18: Ethical hacking

Attacking the password: tools

• Offline attack: RainbowCrack, samdump, John, Ophcrack, Crunch, Wyd, ...

• Online attack: BruteSSH, Hydra, ...

Page 19: Ethical hacking

Sniffing the network

A network sniffer is a software program or hardware device capable of monitoring network data. It is usually used to examine network traffic by copying the data without altering its contents. With a network sniffer you can see what information is available on your network.

Page 20: Ethical hacking

Sniffing the network: tools

Hamster, tcpdump, tcpick, Wireshark, ...

Page 21: Ethical hacking

Spoofing the network

Network spoofing is the process of modifying network data such as MAC addresses, IP addresses, and so on. The goal of this process is to be able to intercept the data exchanged between two communicating parties.

Page 22: Ethical hacking

Spoofing the network: tools

arpspoof, Ettercap, ...
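Added example, not from the slides: the defender's view of the ARP spoofing described above. It replays constructed ARP "is-at" replies (the kind a sniffer on the segment reports) and applies the two classic arpwatch-style checks, an IP whose MAC changes and one MAC answering for several IPs. Addresses and timings are assumptions.

```python
from collections import defaultdict

# Constructed ARP "is-at" replies (not from the slides): (seconds, sender IP,
# sender MAC). 192.0.2.0/24 is a documentation range, MACs are made up.
ARP_REPLIES = [
    (0.0, "192.0.2.1", "00:00:5e:00:53:01"),   # real gateway
    (0.5, "192.0.2.20", "00:00:5e:00:53:20"),  # a workstation
    (1.0, "192.0.2.30", "00:00:5e:00:53:30"),  # third host on the segment
    (5.0, "192.0.2.1", "00:00:5e:00:53:30"),   # gateway IP now answered by the third host's MAC
    (5.0, "192.0.2.20", "00:00:5e:00:53:30"),  # workstation IP too: both ends of one conversation
    (7.0, "192.0.2.1", "00:00:5e:00:53:30"),   # repeated poisoning reply, nothing new
]

def detect_arp_spoofing(replies):
    """arpwatch-style checks: an IP whose MAC changes, and one MAC answering for
    several IPs. Returns alert tuples in observation order, deduplicated."""
    ip_to_mac, mac_to_ips, alerts = {}, defaultdict(set), []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "mac-changed", ip, prev, mac))
        ip_to_mac[ip] = mac
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max(before, 1):  # grew beyond a single IP
            alerts.append((ts, "mac-claims-multiple-ips", mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts

def likely_mitm(replies, gateway_ip):
    """MACs answering for the gateway and at least one other host: the shape of a
    man-in-the-middle between a victim and its gateway. Legitimate causes (VRRP,
    a replaced NIC, DHCP churn) also change MACs, so alerts still need review."""
    claims = defaultdict(set)
    for _ts, ip, mac in replies:
        claims[mac.lower()].add(ip)
    return sorted(m for m, ips in claims.items() if gateway_ip in ips and len(ips) > 1)
```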

Page 23: Ethical hacking

Spoofing the network

Demo

Page 24: Ethical hacking

Maintaining access

The main purpose of these tools is to help us maintain access, bypass the filters deployed on the target machine, or allow us to create a covert connection between our machine and the target. By maintaining this access, we don't need to do the whole penetration testing process again if we want to get back to the target machine at anytime.

Page 25: Ethical hacking

Maintaining access (Tunneling)

Tunneling can be defined as a method to encapsulate one protocol inside another protocol. In our case, we use tunneling to bypass the protection provided by the target system. Most of the time, the target system will have a firewall that blocks connections to the outside world, except for a few common network protocols such as HTTP and HTTPS. In this situation, we can use tunneling to wrap our packets inside the HTTP protocol, and the firewall will allow these packets to go to the outside world.

Page 26: Ethical hacking

Maintaining access (Tunneling)

DNS2tcp: DNS2tcp is a tunneling tool that encapsulates TCP traffic in DNS traffic. When it receives a connection on a specific port, all of the TCP traffic is sent to the remote dns2tcpd server inside DNS traffic and forwarded to a specific host and port.

Page 27: Ethical hacking

Maintaining access (Tunneling)

Ptunnel: Ptunnel is a tool that can be used to tunnel TCP connections over ICMP echo request (ping request) and echo reply (ping reply) packets.

Page 28: Ethical hacking

Maintaining access (Tunneling)

Stunnel4: Stunnel4 is a tool that encrypts any TCP protocol inside SSL between local and remote servers.
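Added example (not from the slides) for the tunneling section above, in particular the DNS2tcp slide: the traffic pattern a DNS-carried TCP tunnel produces (many queries to one zone, long high-entropy subdomains, rare record types) is exactly what a resolver log can be screened for. The query log, the zone split on the last two labels and the thresholds are assumptions; a real detector would use a public-suffix list and tune the thresholds per network.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not from the slides): "seconds client qname qtype".
# The example.net names imitate the long, encoded labels a DNS tunnel client emits.
DNS_LOG = """\
0.0 192.0.2.20 www.example.com A
0.3 192.0.2.20 mail.example.com MX
1.0 192.0.2.21 www.example.org A
1.1 192.0.2.30 kq4wy3lmnfxgq33pmvqwg5lbnrxgk.t.example.net TXT
1.2 192.0.2.30 mzxw6ytboi4hk43unbuxg4zanfzsaylxmrfw.t.example.net TXT
1.3 192.0.2.30 nfxhi2ldmf2gs33ob4dpbdmnfzgq2lo.t.example.net TXT
1.4 192.0.2.30 gezdgnbvgy3tqojqgezdgnbvgy3tqojq.t.example.net TXT
1.5 192.0.2.30 pfxgc5tfnrzhg5dbnzsgk4tfmq4w2.t.example.net TXT
"""

RARE_QTYPES = {"TXT", "NULL", "KEY", "CNAME"}  # record types tunnels lean on for bulk data

def entropy(s):
    """Shannon entropy in bits per character; encoded payloads score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def profile(log_text):
    """Aggregate indicators per zone (last two labels: a simplification)."""
    zones = defaultdict(lambda: {"n": 0, "len": 0, "ent": 0.0, "rare": 0})
    for line in log_text.splitlines():
        _ts, _client, qname, qtype = line.split()
        labels = qname.rstrip(".").split(".")
        sub = ".".join(labels[:-2])          # the part the tunnel client controls
        z = zones[".".join(labels[-2:])]
        z["n"] += 1
        z["len"] += len(sub)
        z["ent"] += entropy(sub)
        z["rare"] += qtype in RARE_QTYPES
    return zones

def suspected_tunnels(log_text, min_queries=5, avg_len=25, avg_entropy=3.0, rare_frac=0.5):
    """Zones with many queries whose subdomains are long, high-entropy and mostly
    of rare types. Thresholds are assumptions to tune per network."""
    hits = []
    for zone, z in profile(log_text).items():
        n = z["n"]
        if (n >= min_queries and z["len"] / n >= avg_len
                and z["ent"] / n >= avg_entropy and z["rare"] / n >= rare_frac):
            hits.append(zone)
    return sorted(hits)
```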

Page 29: Ethical hacking

Practical Example

DNS Poisoning: Demo

Page 30: Ethical hacking

If you have any questions …..

Page 31: Ethical hacking