Module: LD0777
(Ethical Hacking for Cyber Security)
Dr Haider M. al-Khateeb
Email: haider.alkhateeb@northumbria.ac.uk
Twitter: @H4ider
Ethical Hacking vs.
Network Security
Ethical Hacking is an offensive network security approach
What happens online in 60 seconds? -- Infographic
“IP on Everything”
– Vint Cerf, 1992
http://www.smartinsights.com/
Essential terminology
Vulnerability
a weakness that exposes risk
Exploit
the method to take advantage of a vulnerability
Attack vector
the 'route' by which an attack was carried out
Attack surface
How exposed are you?
Payload
Part of an exploit code to perform the intended malicious action
Essential terminology
Zero-day attack
Exploiting a new, unpatched vulnerability
Daisy Chaining
When the same information used to gain access can be reused to successfully target other networks
Doxing
From ‘.dox’ or documents
Search for, and publish, private or identifying information
Bot
Agent software that can be controlled remotely to execute tasks
Essential terminology
Attacks = Motive (objective) + Method + Vulnerability
Confidentiality, Integrity, Availability, Authenticity, Non-repudiation
Revision
Threat modelling
http://www.aspectsecurity.com/
Revision
OSI Reference Model
Datagram: TPDU (Transfer Protocol Data Unit) over UDP
http://www.telecomhall.com/osi-7-layers-model.aspx
Revision
TCP/IP Stack Layers
Application, Transport, Internet and Network Access
An Ethernet Frame
MAC Address is 48 bits
Frame Check Sequence (FCS) is a cyclic redundancy check (CRC), an error-detecting code
http://www.dcs.bbk.ac.uk/~ptw/teaching/IWT/link-layer/notes.html
Revision
Wireshark example
Ethernet Frame of an HTTP GET packet
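An added example (not part of the slides) that builds a minimal Ethernet frame like the one captured above, with 6-byte MAC addresses, an EtherType and a constructed HTTP GET payload, then computes and verifies the IEEE 802.3 CRC-32 FCS. It assumes Python's zlib CRC-32 (same polynomial as 802.3) and the little-endian FCS byte order used on the wire.

```python
import struct
import zlib

def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes (a MAC address is 48 bits)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be exactly 48 bits")
    return raw

def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Header (dst MAC, src MAC, EtherType) + payload + FCS.

    The payload is padded to 46 bytes, the minimum Ethernet payload size.
    """
    payload = payload.ljust(46, b"\x00")
    body = mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload
    fcs = zlib.crc32(body) & 0xFFFFFFFF      # IEEE 802.3 CRC-32 over dst..payload
    return body + struct.pack("<I", fcs)     # FCS is sent least-significant byte first

def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC over everything but the trailing 4 bytes and compare."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    return (zlib.crc32(body) & 0xFFFFFFFF) == fcs

def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Corrupt one bit, as a noisy link might; the FCS should catch it."""
    buf = bytearray(frame)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

if __name__ == "__main__":
    # Constructed sample: broadcast destination, locally administered source MAC,
    # EtherType 0x0800 (IPv4) and a fake HTTP GET as the payload.
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0800,
                        b"GET / HTTP/1.1\r\n")
    print(len(frame), "bytes, FCS valid:", fcs_ok(frame))
    print("after a single bit flip, FCS valid:", fcs_ok(flip_bit(frame, 100)))
```

The FCS only detects accidental corruption: anyone who can rewrite the frame (including a spoofed source MAC) can simply recompute the CRC, so it gives no protection against deliberate tampering.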
Revision
Three-way handshake
SYN, SYN/ACK, ACK
Discussion
Type www.bbc.co.uk in your browser, then describe what happens with reference to the OSI model.
Bit-flipping attack
Integrity attack on an encrypted message: the attacker changes the ciphertext to produce a predictable change in the decrypted plaintext.
Revision
MAC address
Burned into the NIC
Can be spoofed
6 bytes (48 bits)
Revision
IPv4/IPv6
http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html
Revision
Background
IPv6
Background
Scopes
Link local: hosts on the same subnet
Site local: hosts in the same organisation
Global: includes everything
Special IPv6 blocks
FE80::/10
Reserved for link-local addressing
FC00::/7
Reserved for private addressing
FEC0::/10
Reserved for site-local addresses
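An added example (not from the slides) that classifies IPv6 addresses by the three special blocks listed above, using an explicit prefix mask so the /7 and /10 lengths are visible, plus a summary helper for a constructed list of addresses such as one pulled from firewall logs. The sample addresses are constructed and not real hosts.

```python
import ipaddress
from collections import Counter

# Prefix table taken from the slide: (scope name, prefix, prefix length in bits)
SPECIAL_BLOCKS = [
    ("link-local",   "fe80::", 10),  # FE80::/10
    ("site-local",   "fec0::", 10),  # FEC0::/10 (deprecated, still seen in old configs)
    ("unique-local", "fc00::",  7),  # FC00::/7, private addressing
]

def in_block(addr: str, prefix: str, length: int) -> bool:
    """True if the first `length` bits of addr equal those of prefix (manual CIDR test)."""
    mask = ((1 << length) - 1) << (128 - length)
    a = int(ipaddress.IPv6Address(addr))
    p = int(ipaddress.IPv6Address(prefix))
    return (a & mask) == (p & mask)

def ipv6_scope(addr: str) -> str:
    """Map an address to one of the slide's special scopes; anything else is global."""
    for name, prefix, length in SPECIAL_BLOCKS:
        if in_block(addr, prefix, length):
            return name
    return "global"

def scope_summary(addrs) -> dict:
    """Count addresses per scope, e.g. to spot link-local sources where only global ones belong."""
    return dict(Counter(ipv6_scope(a) for a in addrs))

# Constructed sample addresses (not real hosts)
SAMPLE = ["fe80::1", "febf::abcd", "fec0::1", "fd12:3456::1",
          "fc00::1", "2001:db8::1", "fdff:ffff::1"]

if __name__ == "__main__":
    for a in SAMPLE:
        print(f"{a:>16}  {ipv6_scope(a)}")
    print(scope_summary(SAMPLE))
```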
Security testing
Orange Book
Trusted Computer System Evaluation Criteria (TCSEC)
DoD Standard
Used until 2005
Common Criteria for Information Technology
Common Criteria (CC) replaced TCSEC
Gives Evaluation Assurance Level (EAL)
Levels 1-7
Systems can be evaluated according to a specific level
Usually evaluated for US government agencies
Policies
Promiscuous
Permissive
Blocks what is known to be dangerous
Prudent
Maximum security while allowing risky but needed resources for the business
Paranoid
The hats
Hacker classification
White hats, Black hats, Grey hats
Other types
Script kiddies
Suicidal
Hacktivists
Can be known as cyberterrorists
State-sponsored hackers
Terminology
Hacker vs. Ethical Hacker vs. Cracker
Security Controls
Preventative e.g. Authentication
Detective e.g. Audit, Logs
Corrective e.g. Backup
Types of attacks on a system
Operating System (OS) attacks
Users could accept all default settings
Unpatched vulnerability
Application level attacks
Software code and logic
Shrink-wrap code attacks
Vulnerabilities in off-the-shelf software
Misconfiguration attacks
Attack phases
1. Fingerprinting and Reconnaissance
Social engineering, dumpster diving, network sniffing
Passive or active
2. Scanning and Enumeration
Port scan, network mappers, ping tools, vulnerability scanners
Identify live machines, port status, OS details, uptime, device type
3. Gaining Access
Escalation of privileges
4. Maintaining Access
5. Covering Tracks (Evasion)
Tip: corrupting a log file is better than erasing a log!
Pen-testing Methodology
Pen-testing is conducted in three phases
1. Preparation
2. Assessment
3. Conclusion
Preparation
Contract
Hack with permission, Get-out-of-jail-free card!
Nondisclosure Agreement (NDA)
Completion date
Scope e.g. no DoS
Pen-testing Methodology
Assessment
Also known as: security evaluation or conduct phase
Actual assault is performed
Conclusion
Post-assessment
Report is produced
Types of penetration testing, by the tester's level of knowledge about the Target of Evaluation (ToE)
Black-box testing
White-box testing
Gray-box testing
Relevant UK legislation
Data Protection Act 1998
http://www.legislation.gov.uk/ukpga/1998/29/contents
Privacy and Electronic Communications Regulations 2003
http://www.legislation.gov.uk/uksi/2003/2426/contents/made
Regulation of Investigatory Powers Act (RIPA) 2000
http://www.legislation.gov.uk/ukpga/2000/23/contents
Computer Misuse Act 1990
http://www.legislation.gov.uk/ukpga/1990/18/contents
Terrorism Act 2006
http://www.legislation.gov.uk/ukpga/2000/11/contents
Malicious Communications Act 1988
http://www.legislation.gov.uk/ukpga/1988/27/contents
…
Additional resources
CEH Certified Ethical Hacker All-in-One Exam Guide, Third Edition
by Matt Walker
CEH v9: Certified Ethical Hacker Study Guide
by Sean-Philip Oriyano
Computer Security and Penetration Testing, 2nd Edition
by Alfred Basta, Nadine Basta and Mary Brown
Online resources
Search engines, research papers, YouTube tutorials …
End of session
Questions?
Discussion