
Ethical Hacking

Module: LD0777
(Ethical Hacking for Cyber Security)

Introduction to Ethical Hacking

Dr Haider M. al-Khateeb
Email: haider.alkhateeb@northumbria.ac.uk
Twitter: @H4ider

Ethical Hacking vs. Network Security
 Ethical Hacking is an offensive network security approach

 Network Security: Firewalls, IDPS, TCP/IP, Troubleshooting, SNMP, Hardware …
 Ethical Hacking: Password cracking, Phishing, Wardriving, Identity theft, DDoS, SQL Injection …

What happens online in 60 seconds? -- Infographic
 “IP on Everything”
– Vint Cerf, 1992

 Internet of Things (IoT)

http://www.smartinsights.com/

Essential terminology
 Vulnerability
  a weakness (in code, configuration or process) that exposes an asset to risk
 Exploit
  the method, or the code, that takes advantage of a vulnerability
 Attack vector
  the 'route' by which an attack reaches the target, e.g. a phishing e-mail or an exposed service
 Attack surface
  the sum of all points at which an attacker could try to get in: how exposed are you?
 Payload
  the part of an exploit that performs the intended malicious action once the vulnerability has been triggered
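The terms above are easiest to tell apart on a concrete case. The following is an added example (not from the slides): a login function with a SQL injection vulnerability, the exploit that abuses it, and the parameterised fix. The database, the account and the table layout are constructed for the demonstration. Here the vulnerability is the string concatenation, the attack vector is the password field of the login form, the exploit is submitting crafted input through it, the payload is the string `' OR '1'='1`, and the attack surface is every input that reaches the query.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"   # the payload: what the exploit delivers through the attack vector


def make_db() -> sqlite3.Connection:
    """Constructed sample database (not from the original slides): one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The vulnerability: untrusted input is concatenated into the SQL text,
    so the login form (attack vector) lets an attacker rewrite the query."""
    query = (
        f"SELECT 1 FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the input is bound as data and can never become SQL."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def run_exploit() -> dict:
    """The exploit: submit the payload where a password is expected.
    Against the vulnerable code the WHERE clause becomes
        username = 'alice' AND password = '' OR '1'='1'
    and because AND binds tighter than OR, it is always true."""
    conn = make_db()
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "correct horse battery staple"),
        "vulnerable_attack": login_vulnerable(conn, "alice", PAYLOAD),
        "fixed_attack": login_fixed(conn, "alice", PAYLOAD),
        "fixed_wrong_password": login_fixed(conn, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in run_exploit().items():
        print(f"{name}: {'login succeeded' if outcome else 'login denied'}")
```

The same payload that logs in against `login_vulnerable` is rejected by `login_fixed` because the driver never interprets bound parameters as SQL; that, and not input filtering, is the fix to look for in a code review.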

Essential terminology
 Zero-day attack
  Exploiting a vulnerability for which no patch yet exists, typically because the vendor does not yet know about it
 Daisy Chaining
  Information gained while compromising one system (credentials, trust relationships) is reused to successfully target other systems and networks
 Doxing
 From ‘.dox’ or documents
 Search for, and publish, private or identifying information
 Bot
 Agent software that can be controlled remotely to execute tasks

Essential terminology
 Attacks = Motive (objective) + Method + Vulnerability

 Attacks are directed at any of the Information Security Elements:
  Confidentiality, Integrity, Availability, Authenticity, Non-repudiation

Revision
 Threat modelling

http://www.aspectsecurity.com/

Revision
 OSI Reference Model
 Datagram: the transport-layer PDU of UDP. TPDU stands for Transport Protocol Data Unit: a segment for TCP, a datagram for UDP

http://www.telecomhall.com/osi-7-layers-model.aspx

Revision
 TCP/IP Stack Layers
 Application, Transport, Internet and Network Access
 An Ethernet Frame
 MAC Address is 48 bits
 Frame Check Sequence (FCS) is a cyclic redundancy check (CRC), an
error detecting code

http://www.dcs.bbk.ac.uk/~ptw/teaching/IWT/link-layer/notes.html

Revision
 Wireshark example
 Ethernet Frame of an HTTP GET packet

Revision
 Three-way handshake
 SYN, SYN/ACK, ACK
 Discussion
 Type www.bbc.co.uk in your browser, then, describe what happens
with reference to the OSI model.
 Bit-flipping attack
  An integrity attack on an encrypted message: the attacker changes bits of the ciphertext, without knowing the key, to produce a predictable change in the decrypted plaintext. Stream ciphers and CTR mode are malleable in exactly this way unless a MAC or an authenticated mode is used.
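The bit-flipping attack above, as an added example that is not part of the original slides. The keystream is random bytes standing in for the output of a real stream mode such as AES-CTR (an assumption made so the block runs offline; the malleability is identical). The message layout, field offset and HMAC key are constructed for the demonstration. The second half shows the standard defence: encrypt-then-MAC, so the flipped ciphertext fails verification before it is ever decrypted.

```python
import hashlib
import hmac
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(keystream: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream.
    Assumption: `keystream` is random bytes standing in for AES-CTR output."""
    assert len(keystream) >= len(plaintext)
    return xor_bytes(plaintext, keystream)


stream_decrypt = stream_encrypt  # XOR is its own inverse


def flip_field(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """The attack: knowing only that the plaintext bytes `known` sit at `offset`,
    XOR those ciphertext bytes with (known XOR wanted). Decryption then yields
    `wanted` in their place. No key material is needed."""
    assert len(known) == len(wanted)
    tampered = bytearray(ciphertext)
    for i, delta in enumerate(xor_bytes(known, wanted)):
        tampered[offset + i] ^= delta
    return bytes(tampered)


def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Defence: append an HMAC-SHA256 tag over the ciphertext (encrypt-then-MAC)."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def open_sealed(mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before releasing the ciphertext for decryption."""
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return ciphertext


MESSAGE = b"amount=0100;to=bob"   # constructed sample plaintext; "0100" starts at byte 7


def demo_attack() -> bytes:
    """Attacker sees only the ciphertext but knows the message layout."""
    keystream = os.urandom(len(MESSAGE))
    ciphertext = stream_encrypt(keystream, MESSAGE)
    tampered = flip_field(ciphertext, offset=7, known=b"0100", wanted=b"9999")
    return stream_decrypt(keystream, tampered)


def demo_defence() -> tuple:
    """Returns (genuine message accepted, tampered message rejected)."""
    keystream, mac_key = os.urandom(len(MESSAGE)), os.urandom(32)
    blob = seal(mac_key, stream_encrypt(keystream, MESSAGE))
    genuine_ok = open_sealed(mac_key, blob) == blob[:-32]
    forged = flip_field(blob, offset=7, known=b"0100", wanted=b"9999")
    try:
        open_sealed(mac_key, forged)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return genuine_ok, tampered_rejected


if __name__ == "__main__":
    print(demo_attack())
    print(demo_defence())
```

Note that the attack leaves the keystream, and therefore confidentiality, untouched; it only breaks integrity, which is why "encrypted" on its own says nothing about whether a message was tampered with.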

Revision
 MAC address
  Burned into the NIC
  Can be spoofed (the driver, not the hardware, decides what goes on the wire)
  6 bytes (48 bits)
  First 3 bytes: OUI (Organizationally Unique Identifier) that identifies the vendor (card manufacturer)
  Second 3 bytes: unique serial assigned by the vendor itself
  The intent is that no two cards anywhere share an address; spoofing breaks that assumption, so a duplicate MAC on a subnet is worth investigating
  Two flag bits in the first byte: the lowest bit marks a group (multicast/broadcast) address, the next bit marks a locally administered address, which is what randomised and spoofed addresses usually set
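The two revision items on the Ethernet frame (MAC addresses, EtherType and the CRC-32 FCS) come together in the following added example, which is not from the slides. It builds an Ethernet II frame from constructed addresses and a placeholder payload, verifies the FCS on parsing, and splits a MAC into OUI and NIC-specific halves while decoding the group and locally-administered flag bits. The addresses `ff:ff:ff:ff:ff:ff` (broadcast) and `02:00:00:00:00:01` (locally administered) are chosen for the demonstration; the FCS is computed with `zlib.crc32`, which uses the same CRC-32 polynomial as IEEE 802.3.

```python
import struct
import zlib


def mac_to_bytes(mac: str) -> bytes:
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"MAC address must be 6 bytes: {mac!r}")
    return raw


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def describe_mac(mac: str) -> dict:
    """Split a MAC into its OUI and NIC-specific halves and decode the two flag
    bits of the first octet: bit 0 (I/G) = group/multicast address,
    bit 1 (U/L) = locally administered, i.e. not a vendor-assigned OUI.
    Randomised or spoofed addresses commonly have the U/L bit set."""
    raw = mac_to_bytes(mac)
    return {
        "oui": bytes_to_mac(raw[:3]),
        "nic_specific": bytes_to_mac(raw[3:]),
        "multicast": bool(raw[0] & 0x01),
        "locally_administered": bool(raw[0] & 0x02),
    }


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet II frame: dst(6) src(6) type(2) payload(46..1500) FCS(4).
    The FCS is CRC-32 over everything before it, transmitted little-endian."""
    payload = payload.ljust(46, b"\x00")       # pad to the minimum payload size
    body = mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def parse_frame(frame: bytes) -> dict:
    """Parse a frame and verify its FCS. A mismatch means the frame was corrupted
    in transit (or altered); a real NIC silently drops such frames, so a capture
    tool normally never sees them unless the NIC is told to keep bad frames."""
    if len(frame) < 14 + 4:
        raise ValueError("frame too short for header and FCS")
    body, fcs = frame[:-4], frame[-4:]
    return {
        "dst": bytes_to_mac(body[0:6]),
        "src": bytes_to_mac(body[6:12]),
        "ethertype": struct.unpack("!H", body[12:14])[0],
        "payload": body[14:],
        "fcs_ok": struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF),
    }


# Constructed sample: a broadcast frame from a locally administered source.
# The payload is a placeholder, not a real IPv4 packet, even though the
# EtherType 0x0800 announces IPv4.
SAMPLE = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", 0x0800, b"hello, lan")

if __name__ == "__main__":
    print(parse_frame(SAMPLE))
    print(describe_mac("02:00:00:00:00:01"))
```

Flipping any single byte of `SAMPLE` before parsing turns `fcs_ok` false, which is the error-detecting property the FCS exists for; it is not an integrity control against a deliberate attacker, who simply recomputes the CRC.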

Revision
 IPv4/IPv6

http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html

Revision

 How many people access the Internet over IPv6?
  https://www.google.com/intl/en/ipv6/statistics.html
 The hexadecimal groups of an IPv6 address can be chosen so that the address spells a readable string
 DNS records for the BBC
  https://who.is/dns/bbc.co.uk

Background
 IPv6

 The double colon can only be used once in an IPv6 address


Background
 IPv6 loopback
 0:0:0:0:0:0:0:1
 ::1
 IPv6 address types
 Unicast
 Multicast
 Anycast: the same address is assigned to a group of hosts and a packet is delivered to whichever one routing considers nearest

Background
 Scopes
  Link local: hosts on the same link (subnet); never forwarded by routers, and every IPv6 interface has one
  Site local: hosts within the same organisation (deprecated, see below)
  Global: routable across the public Internet
 Special IPv6 blocks
  FE80::/10
  Reserved for link-local addressing
  FC00::/7
  Unique Local Addresses (RFC 4193), the private addressing range; in practice addresses are taken from FD00::/8
  FEC0::/10
  Formerly reserved for site-local addresses; deprecated by RFC 3879 in favour of FC00::/7, but still seen in older configurations and tooling
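The loopback, address-type and scope material of the last three slides, as an added example that is not from the original. It uses the standard-library `ipaddress` module to expand and compress addresses, to reject malformed ones (a second `::` is a syntax error), and to classify an address into the scopes and special blocks listed above, including the deprecated site-local range so that old configurations are still recognised. The multicast scope decoding goes slightly beyond the slides: it reads the 4-bit scope field of a multicast address as defined in RFC 4291. The sample addresses are constructed, with `2001:db8::/32` being the documentation prefix.

```python
import ipaddress

LOOPBACK = ipaddress.IPv6Address("::1")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")   # deprecated by RFC 3879
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")  # private, RFC 4193
MULTICAST = ipaddress.IPv6Network("ff00::/8")

# Multicast scope field: low nibble of the second byte (RFC 4291, section 2.7)
MULTICAST_SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}


def is_valid(text: str) -> bool:
    """Strict syntax check: e.g. '1::2::3' is rejected, because '::' may appear only once."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


def classify(text: str) -> dict:
    """Return the compressed and exploded forms of an address and its scope."""
    addr = ipaddress.IPv6Address(text)
    if addr == LOOPBACK:
        scope = "loopback"
    elif addr in MULTICAST:
        scope = "multicast/" + MULTICAST_SCOPES.get(addr.packed[1] & 0x0F, "reserved")
    elif addr in LINK_LOCAL:
        scope = "link-local"
    elif addr in SITE_LOCAL:
        scope = "site-local (deprecated)"
    elif addr in UNIQUE_LOCAL:
        scope = "unique local (private)"
    else:
        scope = "global"
    return {"compressed": addr.compressed, "exploded": addr.exploded, "scope": scope}


# Constructed samples covering each case
SAMPLES = ["0:0:0:0:0:0:0:1", "fe80::1", "fec0::1", "fd12:3456::1", "ff02::1", "2001:db8::1"]

if __name__ == "__main__":
    for text in SAMPLES:
        print(text, "->", classify(text))
    print("1::2::3 valid?", is_valid("1::2::3"))
```

When writing firewall or IDS rules, `fc00::/7` and `fe80::/10` are the two blocks that should never appear as sources on an Internet-facing interface, while `fec0::/10` is worth alerting on simply because nothing current should be using it.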

Security testing
 Orange Book
  Trusted Computer System Evaluation Criteria (TCSEC)
  US DoD standard (1983, revised 1985); rated systems from class D (minimal protection) up to A1 (verified design)
  Used until 2005
 Common Criteria for Information Technology Security Evaluation
  Common Criteria (CC, ISO/IEC 15408) replaced TCSEC
  An accredited laboratory evaluates the product's Security Target and awards an Evaluation Assurance Level (EAL)
  EAL1 (functionally tested) to EAL7 (formally verified design and tested)
  Systems are evaluated against a specific level; a higher EAL means a more rigorous evaluation of the claimed functionality, not necessarily a more secure product
  Evaluation is usually sought to sell to government agencies (e.g. in the US)

Policies
 Promiscuous
  No restrictions: everything is allowed
 Permissive
  Blocks only what is known to be dangerous; everything else is allowed
 Prudent
  Blocks everything by default and allows only what the business needs: maximum security while still allowing risky but needed resources
 Paranoid
  Forbids everything, or nearly everything; the most restrictive policy and the one users are most likely to work around

The hats
 Hacker classification
  White hats (authorised, defensive), Black hats (malicious), Grey hats (in between: may act without permission but without malicious intent)
 Other types
  Script kiddies: run tools written by others without understanding them
  Suicide hackers: aim to take down infrastructure for a cause and do not care about being caught
  Hacktivists: politically or socially motivated
   Sometimes conflated with cyberterrorists, although the intent to cause fear or physical harm is what distinguishes terrorism
  State-sponsored hackers
 Terminology
  Hacker vs. Ethical Hacker vs. Cracker

Security Controls
 By function
  Preventative e.g. Authentication, firewalls
  Detective e.g. Audit, Logs
  Corrective e.g. Backup and restore
 Another way to categorise them is by the means through which they are implemented
  Physical, Technical and Operational/Administrative
  e.g. CCTV, Encryption, Training …

Types of attacks on a system
 Operating System (OS) attacks
 Users could accept all default settings
 Unpatched vulnerability
 Application level attacks
 Software code and logic
 Shrink-wrap code attacks
 Vulnerabilities in off-the-shelf software
 Misconfiguration attacks

Attack phases
1. Footprinting and Reconnaissance
  Social engineering, dumpster diving, network sniffing, public records and search engines
  Passive (no packets sent to the target) or active (direct interaction, and therefore detectable)
2. Scanning and Enumeration
  Port scan, network mappers, ping tools, vulnerability scanners
  Identify live machines, port status, OS details, uptime, device type, then enumerate users, shares and services
3. Gaining Access
  Exploit a vulnerability found in the previous phase, then escalate privileges
4. Maintaining Access
  Add a backdoor or an extra account so that access survives reboots and patching
5. Covering Tracks (Evasion)
  Tip (from the attacker's point of view): corrupting a log file is better than erasing it, because a missing log is an obvious alarm while a corrupt one looks like a fault. Defenders should therefore treat unreadable or truncated logs as seriously as missing ones, and ship logs off-host so they cannot be altered in place.
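The scanning and enumeration phase, as an added example that is not part of the original slides. It is a TCP connect scanner with a passive banner grab: `connect()` succeeding means the three-way handshake from the revision slide (SYN, SYN/ACK, ACK) completed and the port is open, a RST surfaces as `ConnectionRefusedError` and means closed, and no reply within the timeout is reported as filtered. So that it runs offline and with permission, the target is a constructed loopback service started by the block itself; the banner text is made up. Scanning anything you do not own or have written authorisation for is an offence under the Computer Misuse Act listed later in these slides.

```python
import concurrent.futures
import socket
import threading


def start_target(banner: bytes) -> tuple:
    """Constructed target: a loopback TCP service that greets with a banner,
    standing in for a real host. Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))            # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:               # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5) -> dict:
    """TCP connect scan of one port. connect() succeeding means the full
    SYN, SYN/ACK, ACK handshake completed (open); a RST surfaces as
    ConnectionRefusedError (closed); no reply at all is reported as filtered."""
    result = {"port": port, "state": "filtered", "banner": b""}
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        result["state"] = "open"
        try:
            result["banner"] = sock.recv(256)   # enumeration: whatever the service says first
        except (socket.timeout, OSError):
            pass
    except ConnectionRefusedError:
        result["state"] = "closed"
    except (socket.timeout, OSError):
        pass
    finally:
        sock.close()
    return result


def scan(host: str, ports, workers: int = 32) -> dict:
    """Probe many ports concurrently; returns {port: result}."""
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        return {r["port"]: r for r in pool.map(lambda p: probe(host, p), ports)}


def free_port() -> int:
    """A port with nothing listening, so a probe of it should come back closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> tuple:
    """Scan a few ports around the constructed target.
    Returns (open_port, closed_port, results)."""
    srv, open_port = start_target(b"EXAMPLE-SERVICE 1.0 ready\r\n")
    closed_port = free_port()
    try:
        results = scan("127.0.0.1", sorted({open_port, closed_port, open_port + 1}))
    finally:
        srv.close()
    return open_port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port in sorted(results):
        r = results[port]
        print(f"{port:5d} {r['state']:8s} {r['banner'].strip()!r}")
```

A connect scan completes the handshake, so the target's application sees and logs the connection; that is what makes it noisy compared with a half-open (SYN) scan, which needs raw sockets and root, and it is also why the banner is available for enumeration at all.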
Pen-testing Methodology
 Pen-testing is conducted in three phases
1. Preparation
2. Assessment
3. Conclusion
 Preparation
 Contract
 Hack with permission, Get-out-of-jail-free card!
 Nondisclosure Agreement (NDA)
 Completion date
 Scope e.g. no DoS

Pen-testing Methodology
 Assessment
  Also known as: security evaluation or conduct phase
  The actual testing is performed, within the agreed scope
 Conclusion
  Post-assessment
  Report is produced: findings, evidence, risk ratings and remediation advice
 Types of penetration testing, by how much the tester knows about the Target of Evaluation (ToE) beforehand
  Black-box testing: no prior knowledge, simulating an outside attacker
  White-box testing: full knowledge (source code, configuration, credentials)
  Gray-box testing: partial knowledge, e.g. an ordinary user's account

Relevant UK legislations
 Data Protection Act 1998 (since replaced by the Data Protection Act 2018 and the UK GDPR)
  http://www.legislation.gov.uk/ukpga/1998/29/contents
 Privacy and Electronic Communications Regulations 2003
  http://www.legislation.gov.uk/uksi/2003/2426/contents/made
 Regulation of Investigatory Powers Act (RIPA) 2000
  http://www.legislation.gov.uk/ukpga/2000/23/contents
 Computer Misuse Act 1990: the Act that applies directly to unauthorised access and scanning, which is why written permission comes first in the preparation phase
  http://www.legislation.gov.uk/ukpga/1990/18/contents
 Terrorism Act 2000 (amended by the Terrorism Act 2006)
  http://www.legislation.gov.uk/ukpga/2000/11/contents
 Malicious Communications Act 1988
  http://www.legislation.gov.uk/ukpga/1988/27/contents
 …
Additional resources
 CEH Certified Ethical Hacker All-in-One Exam Guide, Third
Edition
 by Matt Walker
 CEH v9: Certified Ethical Hacker Study Guide
 by Sean-Philip Oriyano
 Computer Security and Penetration Testing, 2nd Edition
 by Alfred Basta, Nadine Basta and Mary Brown
 Online resources
 Search engines, research papers, YouTube tutorials …

End of session
 Questions?
 Discussion
