Unit I

The document provides an overview of hacking, including definitions of ethical hacking and various types of hackers such as white hat, black hat, and gray hat hackers. It discusses important terminologies related to cybersecurity, penetration testing methodologies, and the differences between vulnerability assessments and penetration tests. Additionally, it outlines the structure of a penetration testing report and emphasizes the importance of understanding the audience for effective communication of findings.

UNIT I - Introduction To Hacking

Hacking:

The process of cracking the security measures of a given device or network to gain
unauthorized access to a computer system.

Ethical hacking:

Ethical hacking involves an authorized attempt to gain unauthorized access to a computer
system, application, or data.

This practice helps to identify security vulnerabilities which can then be resolved before a
malicious attacker has the opportunity to exploit them.

An ethical hacker is a person who is hired and permitted by an organization to attack its
systems for the purpose of identifying vulnerabilities which an attacker might take advantage
of.

Different types of hackers:

1. White hat hacker—This kind of hacker is often referred to as a security professional or
security researcher. Such hackers are employed by an organization and are permitted to attack
the organization to find vulnerabilities that an attacker might be able to exploit.

2. Black hat hacker—Also known as a cracker, this kind of hacker is referred to as a bad guy,
who uses his or her knowledge for negative purposes.

3. Gray hat hacker—This kind of hacker is an intermediate between a white hat and a black hat
hacker. For instance, a gray hat hacker would work as a security professional for an
organization and responsibly disclose everything to them; however, he may also sell the
confidential information to competitors.

4. Script kiddie—Also known as a skid, this kind of hacker is someone who lacks knowledge of
how an exploit works and relies upon using exploits that someone else created.

5. Elite hacker—An elite hacker is someone who has deep knowledge of how an exploit works; he
or she is able to create exploits and also modify code that someone else wrote. He or she is
someone with elite hacking skills.

6. Hacktivist—Hacktivists are defined as a group of hackers that hack into computer systems for
a cause or purpose. The purpose may be political gain, freedom of speech, human rights, and so
on.

7. Ethical hacker—An ethical hacker is a person who is hired and permitted by an organization
to attack its systems for the purpose of identifying vulnerabilities.

Important Terminologies:

Asset

An asset is any data, device, or other component of the environment that supports
information-related activities and that should be protected from anyone besides the people who
are allowed to view or manipulate the data/information.

Vulnerability

A vulnerability is defined as a flaw or a weakness inside the asset that could be used to gain
unauthorized access to it.

Threat

A threat represents a possible danger to the computer system. A threat may be a malicious
hacker who is trying to gain unauthorized access to an asset.

Exploit

An exploit is something that takes advantage of a vulnerability in an asset to cause unintended
or unanticipated behaviour in a target system, which would allow an attacker to gain access to
data or information.

Risk

A risk is defined as the impact (damage) resulting from the successful compromise of an asset.
For example, an organization running a vulnerable Apache Tomcat server is exposed to a threat,
and the damage/loss that is caused to the asset is defined as the risk.
Normally, a risk can be calculated by using the following equation:

Risk = Threat * Vulnerability * Impact

Penetration Test:

 A penetration test is a subclass of ethical hacking.
 It comprises a set of methods and procedures that aim at testing/protecting an
organization’s security.
 Penetration tests prove helpful in finding vulnerabilities in an organization and
checking whether an attacker will be able to exploit them to gain unauthorized access to an
asset.
 Oftentimes, a vulnerability assessment is confused with a penetration test; however, these
terms have completely different meanings (see "Differences between vulnerability assessment
vs penetration test" below).

Rules of Engagement:

Every penetration test you do comprises rules of engagement, which basically define how the
penetration test will be laid out, what methodology will be used, the start and end dates, the
milestones, the goals of the penetration test, the liabilities and responsibilities, etc.

◾ A proper “permission to hack” and a “nondisclosure” agreement should be signed by both
parties.

◾ The scope of the engagement and what part of the organization must be tested.

◾ The project duration, including both the start and the end date.

◾ The methodology to be used for conducting the penetration test.

◾ The allowed and disallowed techniques, e.g. whether denial-of-service testing should be
performed or not.

◾ The liabilities and responsibilities, which are decided ahead of time.
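The rules of engagement above are only useful if the tester actually checks each action against them before acting. The following is an added example (not from these notes) of a small scope-check routine: it records the signed agreements, the date window, the agreed IP ranges and the disallowed techniques, and refuses any target or technique that falls outside them. The client ranges, dates and technique names are constructed placeholders.

```python
"""Rules-of-engagement scope check (added example, not from the notes).

All agreement values below are hypothetical; the IP ranges are the
documentation-only TEST-NET ranges, not a real client's networks.
"""
from dataclasses import dataclass, field
from datetime import date
import ipaddress


@dataclass
class RulesOfEngagement:
    """The negotiated terms a penetration test must stay within."""
    in_scope: list            # CIDR strings agreed with the client
    start: date               # first day of the engagement window
    end: date                 # last day of the engagement window
    disallowed_techniques: set = field(default_factory=set)
    permission_signed: bool = False   # "permission to hack" signed by both parties
    nda_signed: bool = False          # nondisclosure agreement signed by both parties

    def __post_init__(self):
        # Parse once so membership checks below are cheap and validated early.
        self.networks = [ipaddress.ip_network(c) for c in self.in_scope]


def check_action(roe, target_ip, technique, on_day):
    """Return (allowed, reason); refuses anything the agreement does not cover.

    on_day may be a datetime.date or an ISO 8601 string such as "2024-03-05".
    """
    if isinstance(on_day, str):
        on_day = date.fromisoformat(on_day)
    if not (roe.permission_signed and roe.nda_signed):
        return False, "permission-to-hack and NDA must both be signed first"
    if not (roe.start <= on_day <= roe.end):
        return False, f"{on_day} is outside the engagement window"
    addr = ipaddress.ip_address(target_ip)
    if not any(addr in net for net in roe.networks):
        return False, f"{target_ip} is not in the agreed scope"
    if technique in roe.disallowed_techniques:
        return False, f"technique '{technique}' is disallowed by the rules of engagement"
    return True, "within scope"


# Constructed example agreement (hypothetical ranges, dates and techniques).
EXAMPLE_ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "198.51.100.0/25"],
    start=date(2024, 3, 4),
    end=date(2024, 3, 15),
    disallowed_techniques={"denial-of-service"},
    permission_signed=True,
    nda_signed=True,
)

if __name__ == "__main__":
    for ip, tech, day in [
        ("203.0.113.10", "port-scan", "2024-03-05"),          # in scope
        ("198.51.100.200", "port-scan", "2024-03-05"),        # outside the /25
        ("203.0.113.10", "denial-of-service", "2024-03-05"),  # disallowed technique
        ("203.0.113.10", "port-scan", "2024-03-20"),          # after the end date
    ]:
        print(ip, tech, day, "->", check_action(EXAMPLE_ROE, ip, tech, day))
```

The check fails closed: a missing signature, an out-of-window date, an out-of-scope address or a disallowed technique each produce a refusal with the reason, which is also the evidence you would keep to show the test stayed within the agreement.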


Differences between vulnerability assessment vs penetration test:

In a vulnerability assessment, our goal is to figure out all the vulnerabilities in an asset and
document them accordingly.

In a penetration test, however, we need to simulate an attacker to see if we are actually able
to exploit a vulnerability, and document the vulnerabilities that were exploited and the ones
that turned out to be false positives.

Penetration Testing Methodologies:

OSSTMM

The Open Source Security Testing Methodology Manual (OSSTMM) basically includes almost all
the steps involved in a penetration test.

Phase I: Regulatory

• Logistics – identify any physical and technical constraints to the processes in the channel

• Posture review – review relevant regulatory and legislative frameworks and standards

• Active detection verification – evaluate interaction detection and response

Phase II: Definitions

• Visibility audit – assess the visibility of information, systems and processes relevant to
the target

• Access verification – assess access points to the target

• Trust verification – assess trust relationship between the systems (or between people)

• Control verification – assess controls to maintain confidentiality, integrity, privacy and
non-repudiation within the systems.

Phase III: Information Phase

• Process verification – review the security processes of the organisation

• Configuration verification – evaluate the processes under various security level
conditions

• Property validation – examine the physical or intellectual property available at the
organisation

• Segregation review – determine the levels of personal information leaks

• Exposure review – evaluate sensitive information exposure

• Competitive intelligence – determine information leaks which could aid competitors

• Privileges audit – review effectiveness of authorisation and potential impact of
unauthorised privilege escalation

• Survivability validation – assess systems resilience and recovery

• Alerts and logs review – review audit activities in ensuring a reliable events trail

NIST (National Institute for Science & Technology):

NIST is more comprehensive than OSSTMM, and it is something that you would be able to apply
on a daily basis and in short engagements.

The testing starts with the planning phase, where how the engagement is going to be
performed is decided upon. This is followed by the discovery phase, which is divided into two
parts: the first part includes information gathering, network scanning, service identification,
and OS detection, and the second part involves vulnerability assessment.

After the discovery phase comes the attack phase, which is the heart of every penetration test.
If you are able to compromise a target and a new host is discovered (for example because the
system is dual-homed or is connected to multiple interfaces), you go back to step 2, that is,
discovery, and repeat it until no targets are left.

The NIST methodology explains more about the attack phase. It consists of things such as
“gaining access,” “escalating privileges,” “system browsing,” and “installing additional tools.”

Categories of Penetration Test:

Black Box

A black box penetration test is where little or no information is provided about the specified
target. In the case of a network penetration test this means that the target’s operating
system, server version, etc., will not be provided; the only thing that will be provided is the IP
ranges that you would test. In the case of a web application penetration test, the source code
of the web application will not be provided.

White Box

A white box penetration test is where almost all the information about the target is provided.
In the case of a network penetration test, information on the application running, the
corresponding versions, operating system, etc., are provided. In the case of a web application
penetration test the application’s source code is provided, enabling us to perform the
static/dynamic “source code analysis.”

Gray Box

In a gray box test, some information is provided and some hidden. In the case of a network
penetration test, the organization provides the names of the application running behind an IP;
however, it doesn’t disclose the exact version of the services running. In the case of a web
application penetration test, some extra information, such as test accounts, back end server,
and databases, is provided.

Types of Penetration Tests:

Network Penetration Test

In a network penetration test, you would be testing a network environment for potential
security vulnerabilities and threats. This test is divided into two categories: external and
internal penetration tests. An external penetration test would involve testing the public IP
addresses, whereas in an internal test, you become part of an internal network and test that
network.

Web Application Penetration Test

Web application penetration tests are very common nowadays, since applications host critical
data such as credit card numbers, usernames, and passwords; therefore this type of
penetration test has become more common than the network penetration test.

Mobile Application Penetration Test

Organizations want to make sure that their mobile applications are secure enough for users to
rely on when providing personal information through such applications.

Social Engineering Penetration Test

A social engineering penetration test can be part of a network penetration test. In a social
engineering penetration test the organization may ask you to attack its users. This is where you
use spear phishing attacks and browser exploits to trick a user into doing things they did not
intend to do.

Physical Penetration Test

In a physical penetration test, you would be asked to walk into the organization’s building
physically and test physical security controls such as locks and RFID mechanisms.

Report Writing:

The following are the key factors to a good report:

 Your report should be simple, clear, and understandable.
 Presentation of the report is also important. Headers, footers, appropriate fonts, well-
spaced margins, etc., should be created/selected properly and with great care.
 The report should be well organized, and correct spelling and grammar are important too.
 Perform a detailed analysis of the vulnerability to find out its root cause.

Understanding the Audience

Understanding the audience that would be reading your penetration testing report is a very
crucial part of the penetration test. We can divide the audience into three different categories:

1. Executive class

2. Management class

3. Technical class

Structure of a Penetration Testing Report :

Cover Page

The cover page includes details such as your company logo, title, and a short description of the
penetration test.

Table of Contents
Executive Summary

As the name suggests, an executive summary is the portion that is specifically addressed to
executives such as the CEO or the CIO of the company.

Following are some of the essential points that you should take into consideration while writing
an executive summary.

◾ Your executive summary should start with defining the purpose of the engagement and
should explain the results of the penetration test and the findings.

◾ You should write about to what extent the risk would decrease after addressing the issues and
implementing the appropriate countermeasures.

Remediation Report

The remediation report contains the overall recommendations that, once implemented,
would increase the security of the organization.

Eg: a web application firewall shall be implemented to detect, filter and block all malicious
packets.

Vulnerability Assessment Summary

It is also referred to as the “findings summary.” This is where we present the findings from our
engagement. Things such as the overall strengths and weaknesses and a risk assessment
summary can also be included under this section.

There are different ways for representing vulnerability assessment outputs in the form of
graphical charts.
Tabular Summary

A tabular summary is also a great way to present the findings of a vulnerability assessment to a
customer.

Eg:

Risk Assessment

Risk assessment as defined before is the analysis part of the report. It is very crucial for the
customer because they would want to know the intensity of the damage the vulnerabilities are
likely to cause; similarly, the security executives would also want to know how their team is
performing.

Risk Assessment Matrix

In the following matrix the “frequency of occurrence,” that is, the likelihood of how often the
vulnerability is occurring, is compared with the four hazard categories “catastrophic,” “critical,”
“serious,” and “minor.”

Methodology:
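The tabular summary and the risk assessment matrix described above can be produced from the same findings data. The following is an added example, not from these notes: it rates each finding by looking up its frequency of occurrence against the four hazard categories, also computes the notes' Risk = Threat * Vulnerability * Impact score, and renders a sorted tabular summary with per-rating totals. The likelihood scale, the rating labels, the matrix cell assignments and the sample findings are all this example's own constructed choices.

```python
"""Risk assessment matrix and tabular findings summary (added example).

The matrix layout, rating labels and the 1-5 factor scales are hypothetical
choices for illustration; a real report would use the scales agreed with the
customer.
"""
from collections import Counter

# Hazard categories from the notes, ordered low to high; likelihoods are this
# example's own four-step frequency-of-occurrence scale.
HAZARDS = ["minor", "serious", "critical", "catastrophic"]
LIKELIHOODS = ["improbable", "remote", "occasional", "frequent"]

# Rows = likelihood, columns = hazard category; the cell ratings are hypothetical.
RISK_MATRIX = {
    "frequent":   {"minor": "Medium", "serious": "High",   "critical": "High",   "catastrophic": "High"},
    "occasional": {"minor": "Low",    "serious": "Medium", "critical": "High",   "catastrophic": "High"},
    "remote":     {"minor": "Low",    "serious": "Low",    "critical": "Medium", "catastrophic": "High"},
    "improbable": {"minor": "Low",    "serious": "Low",    "critical": "Low",    "catastrophic": "Medium"},
}
RATING_ORDER = {"High": 0, "Medium": 1, "Low": 2}   # sort key, most severe first


def rate(likelihood, hazard):
    """Look up the matrix cell, rejecting values outside the agreed scales."""
    if likelihood not in LIKELIHOODS or hazard not in HAZARDS:
        raise ValueError(f"unknown likelihood/hazard: {likelihood}/{hazard}")
    return RISK_MATRIX[likelihood][hazard]


def risk_score(threat, vulnerability, impact):
    """The notes' Risk = Threat * Vulnerability * Impact, each factor on a 1-5 scale."""
    for factor in (threat, vulnerability, impact):
        if not 1 <= factor <= 5:
            raise ValueError("each factor must be between 1 and 5")
    return threat * vulnerability * impact


def tabular_summary(findings):
    """Return (rows, counts): findings sorted High->Low (ties by score) and a per-rating tally."""
    rows = []
    for f in findings:
        rows.append({
            "id": f["id"],
            "title": f["title"],
            "rating": rate(f["likelihood"], f["hazard"]),
            "score": risk_score(f["threat"], f["vulnerability"], f["impact"]),
        })
    rows.sort(key=lambda r: (RATING_ORDER[r["rating"]], -r["score"]))
    counts = Counter(r["rating"] for r in rows)
    return rows, counts


def render_markdown(rows, counts):
    """Render the tabular summary as a Markdown table followed by the totals line."""
    lines = ["| ID | Finding | Rating | Score |", "|---|---|---|---|"]
    lines += [f"| {r['id']} | {r['title']} | {r['rating']} | {r['score']} |" for r in rows]
    lines.append("")
    lines.append("Totals: " + ", ".join(f"{k}: {counts.get(k, 0)}" for k in RATING_ORDER))
    return "\n".join(lines)


# Constructed sample findings (hypothetical, for illustration only).
SAMPLE_FINDINGS = [
    {"id": "F-01", "title": "Outdated application server version exposed",
     "likelihood": "frequent", "hazard": "critical", "threat": 4, "vulnerability": 5, "impact": 4},
    {"id": "F-02", "title": "Verbose error pages",
     "likelihood": "occasional", "hazard": "minor", "threat": 3, "vulnerability": 3, "impact": 1},
    {"id": "F-03", "title": "Weak password policy on test accounts",
     "likelihood": "remote", "hazard": "serious", "threat": 2, "vulnerability": 3, "impact": 3},
]

if __name__ == "__main__":
    print(render_markdown(*tabular_summary(SAMPLE_FINDINGS)))
```

Keeping the matrix as data rather than hard-coded conditions means the scales can be swapped for the customer's own definitions without touching the rating logic, and the explicit validation in `rate` and `risk_score` stops a typo in a finding from silently landing in the wrong cell.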

We have a wide variety of methodologies and standards for conducting a penetration test, such
as OSSTMM, NIST, and OWASP.

Though its inclusion in the report is optional, if you were asked to follow a certain standard,
talking about the methodology and its steps is a good idea.

Detailed Findings

This is where you address the technical audience, specifically the security manager and the
developers; also, this is where you are allowed to talk in depth about how the vulnerabilities
were discovered, the root causes of the vulnerabilities, the associated risks, and the necessary
recommendations.

Description

This is where you talk about the vulnerability itself; a brief explanation should be provided in
this section.

Explanation
This is the section where you reveal where the vulnerability was found, how it was found, the
root cause of the vulnerability, the proof of concept, or the evidence of the finding.

Risk

This is where you talk about the risks and the likely impact that the vulnerability carries.

Recommendation

This is where you address the developers on how to fix the vulnerability; you may also include
general suggestions to avoid that particular class of vulnerability in future.
