What is Hacking?

Hacking is the process of identifying and exploiting weakness in a system or a network to gain unauthorized access
to data and system resources. It can also be defined as an unauthorized intrusion into the information
systems/networks by an attacker by compromising the security. Example of Hacking: Exploiting the weakness of
default password to gain access to the data stored inside the system.

What is Ethical Hacking?

Ethical Hacking sometimes called as Penetration Testing is an act of intruding/penetrating into system or networks
to find out threats, vulnerabilities in those systems which a malicious attacker may find and exploit causing loss of
data, financial loss or other major damages. The purpose of ethical hacking is to improve the security of the network
or systems by fixing the vulnerabilities found during testing. Ethical hackers may use the same methods and tools
used by the malicious hackers but with the permission of the authorized person for the purpose of improving the
security and defending the systems from attacks by malicious users.

Ethical hackers are expected to report all the vulnerabilities and weakness found during the process to the
management.

Who is an Ethical Hacker?

An Ethical Hacker is a skilled professional who has excellent technical knowledge and skills and knows how to
identify and exploit vulnerabilities in target systems. He works with the permission of the owners of systems. An
ethical Hacker must comply with the rules of the target organization or owner and the law of the land and their aim
is to assess the security posture of a target organization/system.

CIA Triangle
CIA Triangle guides different information security policies for an organization. This is used to achieve the
correct balance of these three attributes for the better security of an organization.

Important characteristics of Information

Information is meaningful data which has to be protected in order to protect the privacy, security, identity of an
organization or a person or a nation. An information is called valuable because of few characteristics. The main
characteristics which make an information valuable are

1. Confidentiality

Confidentiality ensures that an Information is accessible to only an authorized user. The main pupose of
confidentiality is to protect the sensitive information from reaching the wrong hands.It is used to maintain the
privacy of the people. Encryption is a good example of confidentiality.

2. Availability

Information should be available to an authorised person when it is requested for. It is the guarantee of access to the
authorised individual to information. Keeping all the hardware and software up to date and keeping back up, taking
proper recovery measures will ensure availability of data.

3. Integrity

Integrity maintains the correctness or accuracy of the information while the data is in transit, storage or processing.
It is the guarantee that information is trust worthy and not tampered. This attribute ensures that an unauthorised
person will not be able to modify the data.

RSA digital signature, SHA1 hash codes are good examples.

4. Authentication

It is verifying whether the user, data, transactions involved is genuine. This attribute ensures that only genuine or
right people are given access to the information. Login mechanisms can be used to verify the authenticity of users

5. Non-Repuditiation

This is a property of information which is used to holds a person responsible for the information he sent or received.
In future, he cannot deny his role in sending or receiving the information.

Security, Functionality and Usability Triangle

There is an inter dependency between these three attributes. When security goes up, usability and functionality come
down. Any organization should balance between these three qualities to arrive at a balanced information system.
Some important terms to consider in hacking are

Threat: Anything that has potential to cause harm. There are various threats available to system threats,
Network threats, application threats, cloud threats, malicious files threats etc.

Vulnerability: A weakness or a flaw in the system which an attacker may find and exploit. An updated OS,
Default Passwords, Unencrypted protocols are all good examples of vulnerabilities.

Attack: Method followed by a hacker/Individual to break into the system. Denial of service attack,
Misconfiguration attacks, Operating system attacks, Virus, and Worms are all example of Attacks.

Attack vectors: Path or means by an attacker gains access to an information system to perform malicious
activities.

Phases of Hacking
There are mainly 5 phases in hacking. Not necessarily a hacker has to follow these 5 steps in a sequential
manner. It’s a stepwise process and when followed yields a better result.
1. Reconnaissance:

This is the first step of Hacking. It is also called as Footprinting and information gathering Phase. This is the
preparatory phase where we collect as much information as possible about the target. We usually collect information
about three groups,

1.Network

2.Host

3.People involved

There are two types of Footprinting:

Active: Directly interacting with the target to gather information about the target. Eg Using Nmap tool to scan the
target. Trying to collect the information about the target without directly accessing the target. This involves
collecting information from social media, public websites etc.

2. Scanning:

Three types of scanning are involved:

● This phase involves scanning the target for the information like open ports, Live systems, various
services running on the host.
● Checking the target for weaknesses or vulnerabilities which can be exploited. Usually done with
help of automated tools
● Finding the topology of network, routers, firewalls servers if any, and host information and
drawing a network diagram with the available information. This map may serve as a valuable
piece of information throughout the hacking process.

3. Gaining Access:
This phase is where an attacker breaks into the system/network using various tools or methods. After entering into a
system, he has to increase his privilege to administrator level so he can install an application he needs or modify data
or hide data.

4. Maintaining Access:

Hacker may just hack the system to show it was vulnerable or he can be so mischievous that he wants to maintain or
persist the connection in the background without the knowledge of the user. This can be done using Trojans,
Rootkits or other malicious files. The aim is to maintain the access to the target until he finishes the tasks he planned
to accomplish in that target.

5. Clearing Track:

No thief wants to get caught. An intelligent hacker always clears all evidence so that in the later point of time, no
one will find any traces leading to him. This involves modifying/corrupting/deleting the values of Logs, modifying
registry values and uninstalling all applications he used and deleting all folders he created.

Different types of attacks

Types of attacks:

Operating System Attacks:

Finding OS Vulnerabilities and Exploit them For.eg. buffer overflow, un-patched system.

Misconfiguration Attacks:
Targeted towards databases, networks, web servers, application platforms etc, It Happens due to the
misconfiguration of the deployed devices or system.

Application Level Attacks:

Attacks are targeted towards the installed applications, e.g: Buffer overflow, cross-site scripting, SQL injection etc.

Shrink Wrap Code Attacks:

Using default or off the shelf components, it happens if the code/script is not fine-tuned.

Vulnerability Assessment

It is the process of identifying vulnerabilities in the computer systems, networks, and the communication channels. It
is performed as a part of auditing and also to defend the systems from further attacks. The vulnerabilities are
identified, classified and reported to the authorities so that necessary measures can be taken to fix them and protect
the organization.

Penetration Testing
It is the process of evaluating the security of an organization by exploiting the vulnerabilities in a way the
attackers could exploit them and thereby defending as well as documenting the procedure of attack.

Types of penetration testing:

 1. The penetration tester will not be given any details pertaining to the network, or infrastructure of
the network/ organization
2. The penetration tester will be aware of the complete details of the infrastructure to be tested
3. The penetration tester will be provided with a limited knowledge about the systems to be tested.

Information Security Laws, Standards and frameworks

PCI-DSS: Payment card industry Data security standard

HIPPA – Health Insurance Privacy Protection Act

ISO:IEC 27001:2013

Sarbanes Oxley attack (SOX)

The digital Millenium copyright Act (DMCA)

The federal Information secuirty Management act (FISMA)

What is Footprinting

Refers to the process of collecting as much as information as possible about the target system to find ways to
penetrate into the system. An Ethical hacker has to spend the majority of his time in profiling an organization,
gathering information about the host, network and people related to the organization.

Information such as ip address, Whois records, DNS information, an operating system used, employee email id,
Phone numbers etc is collected.

Footprinting helps to

Know Security Posture – The data gathered will help us to get an overview of the security posture of the company
such as details about the presence of a firewall, security configurations of applications etc.

Reduce Attack Area – Can identify a specific range of systems and concentrate on particular targets only. This will
greatly reduce the number of systems we are focussing on.

Identify vulnerabilities – we can build an information database containing the vulnerabilities, threats, loopholes
available in the system of the target organization.

Draw Network map – helps to draw a network map of the networks in the target organization covering topology,
trusted routers, presence of server and other information.

Objectives of Footprinting

Network Footprinting

This is the process of collecting information related to a target network. Information like Domain name,
subdomains, network blocks, IP addresses of reachable systems, IDSes running, Rouge websites/private websites,
TCP & UDP services running, VPN points, networking protocols, ACL's, etc are collected.

Collect System Information

The information related to the target system like user and group names, system banners, routing tables, SNMP
information, system names etc are collected using various methods.

Collect Organization's information –

The information related to employee details, organization website, Location details, security policies implemented,
the background of the organization may serve as an important piece of information for compromising the security of
the target using direct or social engineering attacks.

Footprinting Methodology

Various methods used to collect information about the target organization. They are

Footprinting through Search Engines

This is a passive information gathering process where we gather information about the target from social media,
search engines, various websites etc. Information gathered includes name, personal details, geographical location
detrails, login pages, intranet portals etc. Even some target specific information like Operating system details, IP
details, Netblock information, technologies behind web application etc can be gathered by searching through search
engines

Eg: collecting information from Google, Bingo etc

Google Hacking:

Google hacking refers to collecting information using google dorks (keywords) by constructing search queries
which result in finding sensitive information.details collected include compromised passwords, default credentials,
competitor information, information related to a particular topic etc.

Eg:inurl:, site:, allintitle etc

Examining HTML Source and Examining Cookies:

Html source codes of a web application may give us an understanding of the application functionality, hidden fields,
comments, variable names etc. Cookies are used to identify a user in his session. these cookies may be stored in the
browser or passed in the URL, or in the HTTP header.

The entire website can be mirrored using tools like HTTtracker to gather information at our own phase.

Extract website Archives: older versions of website can be obtained

which may reveal some information related to the target.

eg: www.archive.org

Email Footprinting

email header reveals information about the mail server, original sender’s email id, internal IP addressing
scheme, as well as the possible architecture of the target network
Competitive Intelligence

Competitive intelligence gathering is the process of gathering information about the competitors from
resources such as the Internet.

Eg: company website, search engine, internet, online databases, press releases, annual reports, trade
journals

Google Hacking/Google Dorks

This is a process of creating search queries to extract hidden information by using Google operators to
search specific strings of text inside the search results.

Some google operators, site, allinurl, inurl, allintitle

Whois Footprinting

Whois databases and the servers are operated by RIR - Regional Internet Registries. These databases
contain the personal information of Domain Owners. Whois is a Query response protocol used for
querying Whois databases and its protocol is documented in RFC 3912. Whois utility interrogates the
Internet domain name administration system and returns the domain ownership, address, location, phone
numbers, and other details about a specified domain name.

DNS Footprinting

DNS is a naming system for computers that converts human-readable domain names into computer
readable IP-addresses and vice versa.DNS uses UDP port 53 to serve its requests. A zone subsequently
stores all information, or resource records, associated with a particular domain into a zone file; Resource
records responded by the name servers should have the following fields:

Domain Name — Identifying the domain name or owner of the records

Record Types — Specifying the type of data in the resource record

Record Class — Identifying a class of network or protocol family in use

Time to Live (TTL) — Specifying the amount of time a record can be stored in cache before discarded.

Record Data — Providing the type and class dependent data to describe the resources.

A (address)—Maps a hostname to an IP address

SOA (Start of Authority)—Identifies the DNS server responsible for the domain information

CNAME (canonical name)—Provides additional names or aliases for the address record

MX (mail exchange)—Identifies the mail server for the domain

SRV (service)—Identifies services such as directory services

PTR (pointer)—Maps IP addresses to hostnames

NS (name server)—Identifies other name servers for the domain

HINFO = Host Information Records

DNS servers perform zone transfers to keep themselves up to date with the latest information. A zone
transfer of a target domain gives a list of all public hosts, their respective IP addresses, and the record
type.

Footprinting through Social Engineering:

Social media like twitter, facebook are searched to collect information like personal details, user
credentials, other sensitive information using various social engineering techniques. Some of the
techniques include

Eavesdropping: It is the process of intercepting unauthorized communication to gather information

Shoulder surfing: Secretly observing the target to gather sensitive information like passwords, personal
identification information, account information etc

Dumpster Diving: This is a process of collecting sensitive information by looking into the trash bin.
Many of the documents are not shredded before disposing them into the trash bin . Retrieving these
documents from trash bin may reveal sensitive information regarding contact information, financial
information, tender information etc.

Footprinting counter measures:

Creating awareness among the employees and users about the dangers of social engineering

Limiting the sensitive information

encrypting sensitive information

using privacy services on whois lookup database

Disable directory listings in the web servers

Enforcing security policies

What is Scanning?

Scanning is a set of procedures for identifying live hosts, ports, and services, discovering Operating system and
architecture of target system, Identifying vulnerabilities and threats in the network. Network scanning is used to
create a profile of the target organization.

Scanning refers to collecting more information using complex and aggressive reconnaissance techniques.

Network Scanning

The purpose of each scanning process is given below:

Port Scan– detecting open ports and services running on the target.

Network Scan– IP addresses, Operating system details, Topology details, trusted routers information etc

Vulnerability– scanning for known vulnerabilities or weakness in a system

Scanning Methodology

Check for Live Systems: Ping scan checks for the live system by sending ICMP echo request packets. If
a system is alive, the system responds with ICMP echo reply packet containing details of TTL, packet size
etc.

Check for Open Ports: Port scanning helps us to find out open ports, services running on them, their
versions etc. Nmap is the powerful tool used mainly for this purpose.

We have various types of scan:

Connect scan: Identifies open ports by establishing a TCP handshake with the target.

Nmap command: nmap -sT -v -p- <TargetIP>

Half-open scan otherwise known as Stealth scan used to scan the target in a stealthy way by not
completing the TCP handshake by abruptly resetting the communication.

Source: https://www.safaribooksonline.com

Nmap command: nmap -sS -v <TargetIp>

XMAS scan: This is also called as inverse TCP scanning. This works by sending packets set with PSH,
URG, FIN flags. The targets do not respond if the ports are open and send a reset response if ports are
closed.
Source: https://www.information-security.fr

FIN scan: Fin flag is set in the TCP packets sent to the target. open ports doe does not respond while
closed ports send a reset response.

Source: https://securitcrs.wordpress.com

Nmap command: nmap -SF <targetIp>

ACK scan: Here the attacker sets the ACK flag in the TCP header and the target's port status is gathered
based on window size and TTL value of RESET packets received from the target.

Source: https://www.hackingloops.com

Nmap command: nmap -SA -v <targetip>

Null Scan: Works by sending TCP packets with no flags set to the target. Open ports do not respond
while closed ports respond with a RESET packet.
Nmap Command: nmap -sN -p- <targetIP>

Idle Scan: Here the attacker tries to mask his identity uses an idle machine on the network to probe the
status details of target ports.

Source: https://en.wikipedia.org/wiki/Idle_scan

Nmap command : nmap -Pn -sI ZombieIp TargetIp

Banner Grabbing

Banner grabbing is a process of collecting information like operating system details, the name of the
service running with its version number etc.

Vulnerability scanning:

Mainly automated tools are used for this purpose. These automated scanners scan the target to find out
vulnerabilities or weakness in the target organization which can be exploited by the attackers.
Vulnerabilities include application vulnerabilities, configuration vulnerabilities, network vulnerabilities,
operating system vulnerabilities etc.

Some examples include operating system is not updated, default passwords used, plain text protocols
used, vulnerable protocols running etc.

Tools: Nessus, Acunetix

Draw Network Diagrams

With the information gathered, the attacker can come up with a network diagram which might give him
information about network and architecture of the target organization helping him to identify the target
easily

Tools: Network View, Opmanager etc

Prepare Proxies

Proxies can use to maintain the anonymity of the attacker by masking the IP address. It can capture
information passing through it since it acts as an intermediary between client and server and the attacker
can access the resources remotely using the proxies.

Eg: TOR browsers, Onion sites etc, Proxify, Psiphon etc

Countermeasures:

● Configure IDS and firewall to block probes.

● Keep firewall, routers, IDS firmware update
● Run port scanners to verify the security of the target.
● Add rules in firewall restricting access to ports.
● Disable ICMP based scanning at firewall.

Enumeration and its Types

Enumeration is defined as the process of extracting user names, machine names, network resources, shares and
services from a system. In this phase, the attacker creates an active connection to the system and performs directed
queries to gain more information about the target. The gathered information is used to identify the vulnerabilities or
weak points in system security and tries to exploit in the System gaining phase.

Types of information enumerated by intruders:

● Network Resource and shares

● Users and Groups
● Routing tables
● Auditing and Service settings
● Machine names
● Applications and banners
● SNMP and DNS details

Techniques for Enumeration

● Extracting user names using email ID's

● Extract information using the default password
● Brute Force Active Directory
● Extract user names using SNMP
● Extract user groups from Windows
● Extract information using DNS Zone transfer

Services and Port to Enumerate

● TCP 53: DNS Zone transfer

● TCP 135: Microsoft RPC Endpoint Mapper
● TCP 137: NetBIOS Name Service
● TCP 139: NetBIOS session Service (SMB over NetBIOS)
 ● TCP 445: SMB over TCP (Direct Host)
● UDP 161: SNMP
● TCP/UDP 389: LDAP
● TCP/UDP 3368: Global Catalog Service
● TCP 25: Simple Mail Transfer Protocol (SMTP)

NetBIOS Enumeration

NetBIOS stands for Network Basic Input Output System. It Allows computer communication over a LAN and
allows them to share files and printers.

NetBIOS names are used to identify network devices over TCP/IP (Windows). It must be unique on a network,
limited to 16 characters where 15 characters are used for the device name and the 16th character is reserved for
identifying the type of service running or name record type.

Attackers use the NetBIOS enumeration to obtain:

● List of computers that belong to a domain

● List of shares on the individual hosts on the network
● Policies and passwords

Commands and tools used:

Nbtstat: utility used to find protocol statistics, NetBIOS name table and name cache details

Superscan: GUI tool used to enumerate windows machine

Net view: command line tool to identify shared resources on a network

SNMP Enumeration
SNMP (Simple Network Management Protocol) is an application layer protocol which uses UDP protocol to
maintain and manage routers, hubs and switches other network devices on an IP network. SNMP is a very common
protocol found enabled on a variety of operating systems like Windows Server, Linux & UNIX servers as well as
network devices like routers, switches etc.

SNMP enumeration is used to enumerate user accounts, passwords, groups, system names, devices on a target
system.

It consists of three major components:

1. A managed device is a device or a host (technically known as a node) which has the SNMP
service enabled. These devices could be routers, switches, hubs, bridges, computers etc.
2. An agent can be thought of as a piece of software that runs on a managed device. Its primary job
is to convert the information into SNMP compatible format for the smooth management of the
network using SNMP protocol.
3. : These are the software systems that are used for monitoring of the network devices.
An agent running on every SNMP device will be providing access to a read and writable database. The
database is referred to as the management information base (MIB) which is organized hierarchically and
is a virtual database containing a formal description of all the network objects identified by a specific
object identifier (OID) that can be managed using SNMP. It's a giant repository of values and settings.
There is a manager involved in the process, and the manager will query the agent for various details.

Community strings is a text string used to authenticate communications between the management stations
and network devices on which SNMP agents are hosted. Community Strings travel in clear text over the
network, hence are subject to network sniffing attacks. Community Strings are sent with every network
packet exchanged between the node and management station.

Two types of community strings:

1. Read only: This mode permits querying the device and reading the information, but does not
permit any kind of changes to the configuration. The default community string for this mode is
“public.”
2. Read Write: In this mode, changes to the device are permitted; hence if one connects with this
community string, we can even modify the remote device ’s configurations. The default
community string for this mode is “private.”

when the community strings are left at the default settings, attackers take the opportunity and find the
loopholes in it.

Few tools:

1. OpUtils Network Monitoring Toolset - http://www.manageengine.com

2. SolarWinds ( best SNMP enumeration tool) - www.solarwinds.com

3. command line tools: SNMP-WALK, SNMP-CHECK

Countermeasures:

1. Remove or disable SNMP agents on hosts

2. Block port 161 at all perimeter network access devices
3. Restrict access to specific IP addresses
4. Use SNMPv3 (more secure)
5. Implement the Group Policy security option called "Additional restrictions for anonymous
connections"
6. Access to null session pipes, null session shares, and IPsec filtering should also be restricted

LDAP Enumeration

The Lightweight Directory Access Protocol is a protocol used to access directory listings within Active Directory or
from other Directory Services. A directory is usually compiled in a hierarchical and logical format, rather like the
levels of management and employees in a company. LDAP tends to be tied into the Domain Name System to allow
integrated quick lookups and fast resolution of queries. LDAP generally runs on port 389 and like other protocols
tends to usually conform to a distinct set of rules (RFC's). It is possible to query the LDAP service, sometimes
anonymously to determine a great deal of information that could glean the tester, valid usernames, addresses,
departmental details that could be utilised in a brute force or social engineering attack.

Tools:

Jxplorer - http://www.jxplorer.org/

LDAP Admin Tool - http://www.ldapsoft.com

Countermeasures:

1. Use NTLM or Basic authentication to limit access to known users only.

2. By default, LDAP traffic is transmitted unsecured; use SSL technology to encrypt the traffic.
3. Select a username different from your email address and enable account lockout.

NTP Enumeration

The Network Time Protocol is a protocol for synchronizing time across your network, this is especially important
when utilizing Directory Services. There exists a number of time servers throughout the world that can be used to
keep systems synced to each other. NTP utilizes UDP port 123. Through NTP enumeration you can gather
information such as lists of hosts connected to NTP server, IP addresses, system names, and OSs running on the
client system in a network. All this information can be enumerated by querying NTP server.

SMTP Enumeration

The Simple Mail Transport Protocol is used to send email messages as opposed to POP3 or IMAP which can be
used to both send and receive messages. SMTP relies on using Mail Exchange (MX) servers to direct the mail to via
the Domain Name Service, however, should an MX server not be detected, SMTP will revert and try an A or
alternatively SRV records. SMTP generally runs on port 25.
SMTP enumeration allows us to determine valid users on the SMTP server. This is done with the help built-in
SMTP commands, they are

● VRFY - This command is used for validating users.

● EXPN - This command tells the actual delivery address of aliases and mailing lists.
● RCPT TO - It defines the recipients of the message.

Tool:

NestScanTools Pro

Countermeasures:

● Configure SMTP server either to ignore email messages to unknown recipients.

● Don’t include information like mail relay systems being used, Internal IP address or host
information.
● Disable open relay feature.

DNS Enumeration

DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization.
DNS enumeration will yield usernames, computer names, and IP addresses of potential target systems. The list of
DNS record provides an overview of types of resource records (database records) stored in the zone files of the
Domain Name System (DNS). The DNS implements a distributed, hierarchical, and redundant database for
information associated with Internet domain names and addresses.

DNS Zone Transfer used to replicate DNS data across a number of DNS servers or to back up DNS files. A user or
server will perform a specific zone transfer request from a ―name server. If the name server allows zone transfers
by an anonymous user to occur, all the DNS names and IP addresses hosted by the name server will be returned in
human-readable ASCII text.

Tools:

nslookup, maltego, dnenum,dnsrecon

Countermeasures:

1. Disable Zone transfer by untrusted hosts

2. Ensure that private hostnames are not referenced to IP addresses within the DNS zone files of
publicly accessible DNS servers.
3. Use premium registration services.