UNIT 1 - The Technical Foundations of Hacking

The document summarizes the process that hackers use to attack networks as well as methodologies used by ethical hackers to assess security vulnerabilities. It describes the six main phases of a hacker attack: reconnaissance, scanning and enumeration, gaining access, escalating privileges, maintaining access, and covering tracks. It then outlines methodologies used by ethical hackers, including the NIST 800-42, TRAWG, OCTAVE, and OSSTMM frameworks. Finally, it briefly introduces the NIST Cybersecurity Framework for organizing security solutions to minimize cyberthreat risks.

Uploaded by

Nithish Kumar

UNIT 1: The Technical Foundations of Hacking

Introduction
The Transmission Control Protocol/Internet Protocol (TCP/IP) suite is so dominant and
important to ethical hacking that it is given wide coverage in this chapter. Many tools, attacks,
and techniques that will be seen throughout this book are based on the use and misuse of the TCP/IP
protocol suite. Understanding its basic functions will advance your security skills. This chapter
also spends time reviewing the attacker’s process and some of the better-known methodologies
used by ethical hackers.

The Attacker’s Process


Objective: State the process or methodology hackers use to attack networks

Attackers follow a fixed methodology. To beat a hacker, you have to think like one, so it’s
important to understand the methodology. The steps a hacker follows can be broadly divided into
six phases, which include pre-attack and attack phases:

1. Performing Reconnaissance
2. Scanning and enumeration
3. Gaining access
4. Escalation of privilege
5. Maintaining access
6. Covering tracks and placing backdoors

A denial of service (DoS) might be included in the preceding steps if the attacker has no success
in gaining access to the targeted system or network.

Let’s look at each of these phases in more detail so that you better understand the steps.

Performing Reconnaissance
Reconnaissance is considered the first pre-attack phase and is a systematic attempt to locate,
gather, identify, and record information about the target.

The hacker seeks to find out as much information as possible about the victim. This first step is
considered passive information gathering.
As an example, many of you have probably seen a detective movie in which the policeman waits
outside a suspect’s house all night and then follows him from a distance when he leaves in the
car. That’s reconnaissance; it is passive in nature, and, if done correctly, the victim never even
knows it is occurring.

Scanning and Enumeration


Scanning and enumeration is considered the second pre-attack phase. Scanning is the active step
of attempting to connect to systems to elicit a response.

Enumeration is used to gather more in-depth information about the target, such as open shares
and user account information.

The hacker is moving from passive information gathering to active information gathering.
Hackers begin injecting packets into the network and might start using scanning tools such as
Nmap.

Unlike the elite blackhat hacker who attempts to remain stealthy, script kiddies might even use
vulnerability scanners such as Nessus to scan a victim’s network.

Although the activities of the blackhat hacker can be seen as a single shot in the night, the script
kiddie’s scan will appear as a series of shotgun blasts, as their activity will be loud and detectable.

Programs such as Nessus are designed to find vulnerabilities but are not designed to be a hacking
tool; as such, they generate a large amount of detectable network traffic.

The greatest disadvantage of vulnerability scanners is that they are very noisy.
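The noisiness described above is exactly what a defender can key on: a single source touching many distinct ports on one host within a short window is the "shotgun blast" signature. The following is an added example (not code from the original document or from any of the tools it names) that runs a simple distinct-port-per-window detector over a few constructed firewall log lines. The log format, the addresses, the 60-second window and the 10-port threshold are all assumptions chosen for illustration.

```python
"""Flag noisy port-scan behaviour in a constructed firewall log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic. Format assumed: "time src dst dport action".
# 192.0.2.10 touches 11 different ports in five seconds; 203.0.113.7 is ordinary web use.
SAMPLE_LOG = """\
2024-03-01T10:00:00 192.0.2.10 198.51.100.5 22 DENY
2024-03-01T10:00:00 192.0.2.10 198.51.100.5 23 DENY
2024-03-01T10:00:01 192.0.2.10 198.51.100.5 25 DENY
2024-03-01T10:00:01 192.0.2.10 198.51.100.5 80 ALLOW
2024-03-01T10:00:02 192.0.2.10 198.51.100.5 110 DENY
2024-03-01T10:00:02 192.0.2.10 198.51.100.5 139 DENY
2024-03-01T10:00:03 192.0.2.10 198.51.100.5 143 DENY
2024-03-01T10:00:03 192.0.2.10 198.51.100.5 443 ALLOW
2024-03-01T10:00:04 192.0.2.10 198.51.100.5 445 DENY
2024-03-01T10:00:04 192.0.2.10 198.51.100.5 3389 DENY
2024-03-01T10:00:05 192.0.2.10 198.51.100.5 8080 DENY
2024-03-01T10:00:10 203.0.113.7 198.51.100.5 443 ALLOW
2024-03-01T10:05:00 203.0.113.7 198.51.100.5 443 ALLOW
2024-03-01T10:30:00 203.0.113.7 198.51.100.5 80 ALLOW
"""


def parse_log(text):
    """Parse the assumed 'time src dst dport action' lines into tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events


def detect_scans(events, window=timedelta(seconds=60), min_ports=10):
    """Return [(src, dst, distinct_ports)] for every source/destination pair that
    touched at least `min_ports` distinct destination ports inside some span of
    length `window`. DENY and ALLOW both count: a scanner probes either way."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _action in events:
        by_pair[(src, dst)].append((ts, dport))

    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()  # chronological, so every later hit has t >= start
        best = 0
        for i, (start, _port) in enumerate(hits):
            ports_in_window = {p for t, p in hits[i:] if t - start <= window}
            best = max(best, len(ports_in_window))
        if best >= min_ports:
            alerts.append((src, dst, best))
    return alerts


if __name__ == "__main__":
    for src, dst, n in detect_scans(parse_log(SAMPLE_LOG)):
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports within 60s")
```

Tuning note: the threshold and window are the whole game. Lower them and ordinary service discovery (monitoring systems, load balancers) starts to alert; raise them and a slow scan spread over hours disappears, which is the difference between the script kiddie's shotgun blasts and the "single shot in the night" the text contrasts it with.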

Gaining Access
As far as potential damage, this could be considered one of the most important steps of an attack.

This phase of the attack occurs when the hacker moves from simply probing the network to
actually attacking it.

After the hacker has gained access, he can begin to move from system to system, spreading his
damage as he progresses.

The factors that determine the method a hacker uses to access the network ultimately come
down to his skill level, the amount of access he achieves, the network architecture, and the configuration of
the victim’s network.

Escalation of Privilege
Although the hacker is probably happy that he has access, don’t expect him to stop what he is
doing with only a "Joe user" account.

Just having the access of an average user probably won’t give him much control or access to the
network.

Therefore, the attacker will attempt to escalate himself to administrator or root privilege. After
all, these are the individuals who control the network, and that is the type of power the hacker
seeks.

The end result of privilege escalation is that an application performs actions within a
higher security context than its designer intended, and the hacker is granted full
access and control.

Maintaining Access
Would you believe that hackers are paranoid people? Well, many are, and they worry that their
evil deeds might be uncovered. They are diligent at working on ways to maintain access to the
systems they have attacked and compromised.

They might attempt to pull down the /etc/passwd file or steal other passwords so that they can
access other users’ accounts.

Rootkits are one option for hackers. A rootkit is a set of tools used to help the attacker maintain
his access to the system and use it for malicious purposes. Rootkits have the capability to mask
the hacker, hide his presence, and keep his activity secret.

Sniffers are yet another option for the hacker and can be used to monitor the activity of
legitimate users. At this point, hackers are free to upload, download, or manipulate data as they
see fit.

Covering Tracks and Placing Backdoors
Nothing happens in a void, and that includes computer crime.

Hackers are much like other criminals in that they would like to be sure to remove all evidence
of their activities.

This might include using rootkits or other tools to cover their tracks. Other hackers might hunt
down log files and attempt to alter or erase them.

Hackers must also be worried about the files or programs they leave on the compromised system.
File hiding techniques, such as hidden directories, hidden attributes, and Alternate Data Streams
(ADS), can be used.

As an ethical hacker, you will need to be aware of these tools and techniques to discover their
activities and to deploy adequate countermeasures.

The Ethical Hacker’s Process


As an ethical hacker, you will follow a similar process to the one an attacker uses, but you will
work with the permission of the company and will strive to "do no harm."

By ethical hacking and assessing the organization’s strengths and weaknesses, you will perform
an important service in helping secure the organization.

The ethical hacker plays a key role in the security process. The methodology used to secure an
organization can be broken down into five key steps:

1. Assessment—Ethical hacking, penetration testing, and hands-on security tests.
2. Policy Development—Development of policy based on the organization’s goals and
mission. The focus should be on the organization’s critical assets.
3. Implementation—The building of technical, operational, and managerial controls to secure
key assets and data.
4. Training—Employees need to be trained as to how to follow policy and how to configure
key security controls, such as Intrusion Detection Systems (IDS) and firewalls.
5. Audit—Auditing involves periodic reviews of the controls that have been put in place to
provide good security. Regulations such as the Health Insurance Portability and Accountability
Act (HIPAA) specify that this should be done yearly.

Security and stack:


National Institute of Standards and Technology (NIST)
The NIST 800-42 method of security assessment is broken down into four basic stages:

1. Planning
2. Discovery
3. Attack
4. Reporting

NIST has developed many standards and practices for good security. This methodology is
contained in NIST 800-42.

Threat and Risk Assessment Working Guide (TRAWG)


The Threat and Risk Assessment Working Guide provides guidance to individuals or teams
carrying out a Threat and Risk Assessment (TRA) for an existing or proposed IT system.

This document helps provide IT security guidance and helps the user determine which critical
assets are most at risk within that system and develop recommendations for safeguards.

Operational Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)


OCTAVE focuses on organizational risk and strategic, practice-related issues.

OCTAVE is driven by operational risk and security practices.

OCTAVE is self-directed by a small team of people from the organization’s operational and
business units, and the IT department.

The goal of OCTAVE is to get departments to work together to address the security needs of the
organization.

The team uses the experience of existing employees to define security, identify risks, and build a
robust security strategy.

Open Source Security Testing Methodology Manual (OSSTMM)


One well-known open-source methodology is the OSSTMM. The OSSTMM divides security
assessment into six key points known as sections. They are as follows:

• Physical Security
• Internet Security
• Information Security
• Wireless Security
• Communications Security
• Social Engineering

The OSSTMM gives metrics and guidelines as to how many man-hours a particular assessment
will require. Anyone serious about learning more about security assessment should review this
documentation.

Cybersecurity Framework
The NIST Cybersecurity Framework illustrates how layers of security solutions should
work together to minimize the risk of cyberthreats.

It’s a straightforward and easy-to-understand model that focuses on five core
components: identify, protect, detect, respond and recover.

Identify entails determining what the critical functions are and what cybersecurity risks
could disrupt them. Understanding what you are protecting is the first step.

Protect supports the ability to limit or contain the impact of a potential cybersecurity
event. Examples of these are AV/Firewall/DNS filtering, which is where most security budgets
are focused today.

Detect includes having the relevant measures in place to quickly uncover threats and
other risks. This includes continuous monitoring and threat hunting to identify unusual activity and
potential attacks.

Respond focuses on implementing relevant measures to take action against threats
that have made it past preventive tools. This includes response planning, threat analysis and mitigation.

Recover includes having the tools and strategic plan in place to restore any
capabilities or services after a cybersecurity incident.