Module 1 Notes- EH

The document outlines the fundamentals of security, emphasizing the importance of confidentiality, integrity, and availability (CIA triangle) in information security. It discusses security testing, its objectives, principles, types, and advantages, as well as the distinction between hackers and crackers. Additionally, it highlights various types of hackers and cracking attacks, along with methods used in password cracking.

Uploaded by chinnuuzz24

CGT 312 ETHICAL HACKING

MODULE 1
Security Fundamental, Security testing, Hacker and Cracker, Descriptions, Test Plans-
keeping It legal, Ethical and Legality, The Attacker’s Process, The Ethical Hacker’s Process,
Security and the Stack

1.1 Security Fundamentals


What is Security?
Security is a state of well-being of information and infrastructures in which the possibility of successful yet
undetected theft, tampering, and disruption of information and services is kept low or tolerable.
• Protection of information and its critical elements
• Systems and hardware that use, store and transmit information
• The quality or state of being secure—to be free from danger
A successful organization should have multiple layers of security in place:
• Physical security
• Personal security
• Operations security
• Communications security
• Network security
• Information security

Information Security Components:


❑ Confidentiality
❑ Integrity
❑ Availability
1. Confidentiality
• Only the sender and the intended recipient should be able to access the data
• To protect the confidentiality of information:
❑ Information Classification
❑ Secure Document Storage
❑ Application of general security policies
❑ Education of end users
2. Integrity
• Data cannot be modified without authorization
• The quality or state of being whole, complete and uncorrupted
3. Availability
• Assets are available to authorized parties at appropriate times
• Information must be available when it is needed
• Preventing service disruptions due to power outages, hardware failures and system upgrades
CIA TRIANGLE
• The C.I.A. triangle is the standard model based on confidentiality, integrity, and availability.
• The CIA triad is a common model used to develop security systems, identify vulnerabilities, and create
solutions. It's a broad, high-level model that helps organizations establish security procedures and policies,
and identify and mitigate cybersecurity threats.
• The CIA triad is important because the confidentiality, integrity, and availability of information are crucial
to a business's operation. A strong cybersecurity strategy based on the CIA triad's principles can help
organizations maintain maximum security while enabling staff to perform everyday tasks.
• Authentication: The process of verifying the identity of a user, device, or process before allowing
access to sensitive data or systems.
• Authorization: The process of specifying access rights to secure resources.
• Non-repudiation: The assurance that the parties involved cannot repudiate or deny an action or
transaction.

1.2 Security Testing


Security Testing is a type of Software Testing that uncovers vulnerabilities in the system and determines
whether the data and resources of the system are protected from possible intruders. It ensures that the
software system and application are free from any threats or risks that can cause a loss. Security testing of
any system is focused on finding all possible loopholes and weaknesses of the system that might result in the
loss of information or repute of the organization.
The goals of security testing are to:
• Identify the threats in the system.
• Measure the potential vulnerabilities of the system.
• Help in detecting every possible security risk in the system.
• Help developers fix security problems through coding.
The main objectives of security testing are to:
• Identify vulnerabilities: Security testing helps identify vulnerabilities in the system, such as weak
passwords, unpatched software, and misconfigured systems, that could be exploited by attackers.
• Evaluate the system’s ability to withstand an attack: Security testing evaluates the system’s ability to
withstand different types of attacks, such as network attacks, social engineering attacks, and
application-level attacks.
• Ensure compliance: Security testing helps ensure that the system meets relevant security standards
and regulations, such as HIPAA, PCI DSS, and SOC2.
• Provide a comprehensive security assessment: Security testing provides a comprehensive
assessment of the system’s security posture, including the identification of vulnerabilities, the
evaluation of the system’s ability to withstand an attack, and compliance with relevant security
standards.
• Help organizations prepare for potential security incidents: Security testing helps organizations
understand the potential risks and vulnerabilities that they face, enabling them to prepare for and
respond to potential security incidents.


• Identify and fix potential security issues before deployment to production: Security testing helps
identify and fix security issues before the system is deployed to production. This helps reduce the risk
of a security incident occurring in a production environment.
Principle of Security Testing
Below are the six basic principles of security testing:
• Confidentiality
• Integrity
• Authentication
• Authorization
• Availability
• Non-repudiation
Major Focus Areas in Security Testing
• System Software Security: Testing the security of the system software used.
• Authentication and Authorization: Testing the system’s ability to properly authenticate and authorize
users and devices. This includes testing the strength and effectiveness of passwords, usernames, and
other forms of authentication, as well as testing the system’s access controls and permission
mechanisms.
• Network and Infrastructure Security: Testing the security of the system’s network and infrastructure,
including firewalls, routers, and other network devices. This includes testing the system’s ability to
defend against common network attacks such as denial of service (DoS) and man-in-the-middle
attacks.
• Database Security: Testing the security of the system’s databases, including testing for SQL injection,
cross-site scripting, and other types of attacks.
• Application Security: Testing the security of the system’s applications, including testing for cross-site
scripting, injection attacks, and other types of vulnerabilities. It includes Client-side Application
Security and Server-side Application Security.
• Data Security: Testing the security of the system’s data, including testing for data encryption, data
integrity, and data leakage.
• Compliance: Testing the system’s compliance with relevant security standards and regulations, such
as HIPAA, PCI DSS, and SOC2.
• Cloud Security: Testing the security of cloud deployments.
Types of Security Testing
1. Vulnerability Scanning: Vulnerability scanning is performed with the help of automated software to
scan a system to detect known vulnerability patterns.
2. Security Scanning: Security scanning is the identification of network and system weaknesses. Later
on, it provides solutions for reducing these defects or risks. Security scanning can be carried out in
both manual and automated ways.
3. Penetration Testing: Penetration testing is the simulation of an attack by a malicious hacker. It
includes an analysis of a particular system to examine the potential vulnerabilities that a malicious
hacker attempting to break into the system could exploit.


4. Risk Assessment: In risk assessment testing, the security risks observed in the organization are analyzed.
Risks are classified into three categories, i.e., low, medium, and high. This testing recommends controls
and measures to minimize the risk.

5. Security Auditing: Security auditing is an internal inspection of applications and operating systems for
security defects. An audit can also be carried out via line-by-line checking of code.

6. Ethical Hacking: Ethical hacking is different from malicious hacking. The purpose of ethical hacking is
to expose security flaws in the organization’s system.
7. Posture Assessment: It combines security scanning, ethical hacking, and risk assessments to provide
an overall picture of the security posture of a system.
8. Application security testing: Application security testing is a type of testing that focuses on identifying
vulnerabilities in the application itself. It includes testing the application’s code, configuration, and
dependencies to identify any potential vulnerabilities.
9. Network security testing: Network security testing is a type of testing that focuses on identifying
vulnerabilities in the network infrastructure. It includes testing firewalls, routers, and other network
devices to identify potential vulnerabilities.

10. Social engineering testing: Social engineering testing is a type of testing that simulates phishing,
baiting, and other types of social engineering attacks to identify vulnerabilities in the system’s human
element.

Tools such as Nessus, OpenVAS, and Metasploit can be used to automate and simplify the process of security
testing. It’s important to ensure that security testing is done regularly and that any vulnerabilities or threats
identified during testing are fixed immediately to protect the system from potential attacks.

Advantages of Security Testing


1. Identifying vulnerabilities: Security testing helps identify vulnerabilities in the system that could be
exploited by attackers, such as weak passwords, unpatched software, and misconfigured systems.
2. Improving system security: Security testing helps improve the overall security of the system by
identifying and fixing vulnerabilities and potential threats.

3. Ensuring compliance: Security testing helps ensure that the system meets relevant security standards
and regulations, such as HIPAA, PCI DSS, and SOC2.

4. Reducing risk: By identifying and fixing vulnerabilities and potential threats before the system is
deployed to production, security testing helps reduce the risk of a security incident occurring in a
production environment.


5. Improving incident response: Security testing helps organizations understand the potential risks and
vulnerabilities that they face, enabling them to prepare for and respond to potential security
incidents.

Disadvantages of Security Testing


1. Resource-intensive: Security testing can be resource-intensive, requiring significant hardware and
software resources to simulate different types of attacks.
2. Complexity: Security testing can be complex, requiring specialized knowledge and expertise to set up
and execute effectively.
3. Limited testing scope: Security testing may not be able to identify all types of vulnerabilities and
threats.
4. False positives and negatives: Security testing may produce false positives or false negatives, which
can lead to confusion and wasted effort.
5. Time-consuming: Security testing can be time-consuming, especially if the system is large and
complex.
6. Difficulty in simulating real-world attacks: It’s difficult to simulate real-world attacks, and it’s hard to
predict how attackers will interact with the system.

1.3 Hackers Vs. Crackers


What is Hacking?

Hacking refers to exploiting system vulnerabilities and compromising security controls to gain unauthorized
or inappropriate access to the system resource.

Or
It is a form of planning or a technique that people use to get access to various unauthorized systems, software,
and devices.
In simpler words, hacking is the process of gaining access to a computer or a network that might not be legal
or permitted for any random user. The people who master hacking are very skilled with computer systems
and have a great deal of knowledge about various software and hardware devices.
The people who have hacking skills are basically of two types:
• Hackers
• Crackers
What are Hackers?

These are people who hack devices and systems with good intentions. They might hack a system for a
specified purpose or for obtaining more knowledge out of it. Hackers work by finding loopholes in a given
system and by covering these loopholes. They are basically programmers who gather extensive knowledge
regarding programming languages and operating systems (OS). They never intend to harm, compromise, or
damage any system data.
What are Crackers?
These are people who hack a system by breaking into it and violating it with some bad intentions. They may
hack a system remotely for stealing the contained data or for harming it permanently. In simpler words,
crackers destroy the data and information contained in a system by getting unauthorized access to its
concerned network. They always keep their works hidden because what they do is illegal and mostly
prohibited or forbidden. A cracker can easily bypass your device’s passwords, company websites, social
media, personal bank details and can use those details for directly transferring money from your bank.

Difference Between Hackers and Crackers

Definition
  Hackers: Hackers are good people who hack devices and systems with good intentions. They might hack a
  system for a specified purpose or for obtaining more knowledge out of it.
  Crackers: Crackers are people who hack a system by breaking into it and violating it with some bad
  intentions. They may hack a system remotely for stealing the contained data or for harming it permanently.

Skills and Knowledge
  Hackers: They have advanced knowledge of programming languages and computer OS. Hackers are very
  skilled and intelligent people.
  Crackers: These people may be skilled. But most of the time, they don’t even need extensive skills. Some
  crackers only have a knowledge of a few illegal tricks that help them in stealing data.

Role in an Organization
  Hackers: Hackers work with specific organizations to help them in protecting their information and
  important data. They mainly provide organizations with expertise in security and internet safety.
  Crackers: Crackers harm an organization. These are the people from whom hackers defend sensitive data
  and protect the organizations as a whole.

Ethics
  Hackers: These are ethical types of professionals.
  Crackers: These are illegal and unethical types of people who only focus on benefiting themselves with
  their hacking.

Data Security
  Hackers: They protect the data and never steal or damage it. Their only intention is to gain knowledge
  from the concerned data and information.
  Crackers: They usually steal, delete, corrupt, or compromise the data they find from a system’s loopholes.
  Your data stays vulnerable in the hands of a cracker.

Use of Tools
  Hackers: Hackers use their own legal tools for checking network strength, establishing security, and
  protecting an organization from internet threats.
  Crackers: Crackers don’t have any tools of their own. They make use of someone else’s tools for
  performing illegal activities and harming/compromising a system.

Network Strength
  Hackers: They help improve a network’s strength.
  Crackers: They harm and deplete a network’s strength.

Certification
  Hackers: They always have legal certificates for hacking, for example, XCEH certificates. Hackers have
  nothing to hide and perform legal activities. Thus, they need certification for the work they do.
  Crackers: They usually don’t have any certificates as they are unskilled. But some of them may even have
  certificates. Crackers usually refrain from certification because they prefer staying anonymous about
  their work.

Types of Hackers
• Black hat hackers
Hackers with malicious intent who gain unauthorized access to computer systems and networks
• White hat hackers
Also known as security researchers, they help organizations improve their cybersecurity by identifying
weaknesses
• Gray hat hackers
Hackers who may sometimes violate laws or ethical standards, but are not necessarily malicious
• Red hat hackers
Ethical hackers who use their skills to protect systems and networks from malicious attacks
• Blue hat hackers
Experts who focus on penetration tests and malware analysis
• Script kiddies
Amateur hackers who download tools or use hacking codes written by others, often to impress friends
or gain attention
• Green hat hackers
Novices or beginners in hacking and cybersecurity, whose intent is usually not malicious


• Hacktivists
Hackers who gain unauthorized access to websites to raise awareness of political, religious, or social
issues

Types of Cracking Attacks


There are many types and categories of cracking attacks in the cyber security world, targeting
the vulnerabilities of computer systems and networks.
There are three main types of cracking attacks:
1. Password Cracking
2. Software Cracking and Piracy
3. Network and System Exploitation

1. Password Cracking: Password cracking is the most popular and simplest type of hacking, in which hackers try
to guess or crack your login credentials and passwords, which might give them access to your account, leading
to financial loss, sensitive data breaches, and legal consequences. For example, if a hacker cracks your
password, he can get access to your personal information, such as financial details, sensitive information,
legal documents, etc.
There are many methods and techniques used in Password Cracking, some of them include:
• Brute Force Attack: This is done when the attacker attacks the system by trying out every possible
combination of characters, digits, and alphabets until the password is found.
• Dictionary Attack: This method is done by guessing passwords using common phrases and words from
lists
• Hybrid Attack: This method uses both a Brute Force attack and a Dictionary attack to improve
efficiency.
• Rainbow Table Attack: This attack involves using pre-calculated tables that are used for quickly
cracking hashed passwords
• Phishing: This is where cyber criminals use fake login pages or email scams to trick users into entering
their credentials, allowing attackers to know their passwords and credentials.
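To show why the dictionary and rainbow-table methods above succeed only against poorly stored passwords, here is an added example (not from the notes) contrasting an unsalted SHA-256 store, which one precomputed table resolves outright, with a salted PBKDF2 store that the same table cannot touch. The wordlist and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional

# Constructed list of weak passwords standing in for a cracker's wordlist.
WEAK_WORDS: List[str] = ["password", "123456", "letmein", "qwerty", "welcome1"]

# Assumed work factor; in practice pick the largest your login latency allows.
ITERATIONS = 100_000


# --- Weak storage: unsalted, single-round SHA-256 ---------------------------

def store_unsalted(password: str) -> str:
    """Store a password as a bare SHA-256 hex digest (the scheme that fails)."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> word once. Every unsalted store hashes the same
    word to the same digest, so one table works against all of them; this is
    the principle behind a rainbow table, reduced to a plain dictionary."""
    return {store_unsalted(w): w for w in words}


def lookup(stored: str, table: Dict[str, str]) -> Optional[str]:
    """Resolve a stored record with a single table lookup, or return None."""
    return table.get(stored)


def table_hits(records: Iterable[str], table: Dict[str, str]) -> int:
    """Count how many stored records the precomputed table resolves."""
    return sum(1 for r in records if lookup(r, table) is not None)


# --- Hardened storage: random per-user salt + PBKDF2-HMAC-SHA256 -------------

def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'iterations$salt_hex$digest_hex' using a fresh 16-byte salt.
    The salt need not be secret: it forces any precomputation to be redone
    per user, and the iteration count makes each guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup_table(WEAK_WORDS)
    unsalted_db = [store_unsalted(w) for w in WEAK_WORDS]
    salted_db = [store_salted(w) for w in WEAK_WORDS]
    print("unsalted records resolved by table:", table_hits(unsalted_db, table))
    print("salted records resolved by table:  ", table_hits(salted_db, table))
    print("same password, two users, same record?",
          store_salted("letmein") == store_salted("letmein"))
```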

2. Software Cracking and Piracy: Software cracking and piracy is another form of hacking that involves
altering the security mechanism in software so that it no longer enforces license restrictions. Attackers often
use these cracked versions of software to install malware or steal user data.
Common ways of Software Cracking are:
• Reverse Engineering: Reverse engineering involves analysing the software machine code to
understand how it works and what security measures are in place.
• Patching: This is done to change the binary code in the software for copy protection or to remove
license restrictions.
• Keygen Programs: This is a type of tool that generates a valid serial number or activation code for
software activation
• Cracks: These are the modified versions of software applications that might take away the protection
of copies or licensing restrictions.

• Distribution: Cracked software is distributed mainly through P2P file-sharing services, BitTorrent, or
other illegal distribution methods.

3. Network and System Exploitation: Network and system exploitation is the type of hacking attack that
involves breaking into a local system or network or exploiting some vulnerability in a computer system. It is
commonly known as Network cracking or WEP cracking, which targets poorly secured networks.
1. Zero-day exploits: A cyberattack in which an attacker takes advantage of an unknown or unaddressed
security flaw in the system's hardware, software or firmware.
2. Man-in-the-Middle Attack: A form of cyberattack in which a hacker exploits weak web-based protocols,
inserting themselves in between the communication channels and stealing the data and information.
3. SQL injection attack: It is done by injecting malicious code into a website to access sensitive
information.
4. Buffer Overflow Attack: Overloading the application buffer with data to gain unauthorized access.
Other Cracking Techniques
• Malware Attacks: This is done by the Installation of malicious software (Trojan, keylogger) to steal
passwords or data.
• Denial-of-Service (DoS) Attack: Floods a system with traffic to make it unavailable to its users.
• Wireless Network Attacks: Cracks the Wi-Fi passwords to gain unauthorized access to the network.
• Session Hijacking: This is done by stealing a user's session ID to impersonate them and access their
accounts.

1.4 Test plans-keeping it legal in ethical hacking


Ethical hackers can keep their test plans legal by following these guidelines:
• Get permission
Obtain written authorization from the system owner before starting any ethical hacking activities. This
authorization should be in the form of a contract that clearly defines the scope of the work and what the
hacker can and cannot do.
• Follow industry standards
Use recognized frameworks and methodologies for penetration testing, such as OWASP, PTES, and NIST SP
800-115.
• Respect privacy
Do not access, use, or disclose any information obtained during the test without proper authorization.
• Comply with laws
Make sure all activities comply with laws and regulations regarding data privacy, computer misuse, and
unauthorized access.
• Be professional
Maintain integrity, honesty, and transparency throughout the process.
• Protect findings
Keep findings confidential and only share them with the owning organization.
• Document the test
Prepare a formal report of vulnerabilities and other findings, and include recommendations for improving
security.

Ethical hackers use the same tools and techniques as unethical hackers, but they use them to help protect
systems from attack.
1.5 Ethical and Legality
How to Be Ethical
Ethical hacking is usually conducted in a structured and organized manner, usually as part of a penetration
test or security audit. The depth and breadth of the systems and applications to be tested are usually
determined by the needs and concerns of the client. Many ethical hackers are members of a tiger team. A
tiger team works together to perform a full-scale test covering all aspects of network, physical, and systems
intrusion. The ethical hacker must follow certain rules to ensure that all ethical and moral obligations are
met. An ethical hacker must do the following:
• Gain authorization from the client and have a signed contract giving the tester permission to perform
the test.
• Maintain and follow a nondisclosure agreement (NDA) with the client in the case of confidential
information disclosed during the test.
• Maintain confidentiality when performing the test. Information gathered may contain sensitive
information.
• No information about the test or company confidential data should ever be disclosed to a third party.
• Perform the test up to but not beyond the agreed-upon limits. For example, DoS attacks should only
be run as part of the test if they have previously been agreed upon with the client. Loss of revenue,
goodwill, and worse could befall an organization whose servers or applications are unavailable to
customers as a result of the testing.
The following steps are a framework for performing a security audit of an organization and will help to ensure
that the test is conducted in an organized, efficient, and ethical manner:
1. Talk to the client, and discuss the needs to be addressed during the testing.
2. Prepare and sign NDA documents with the client.
3. Organize an ethical hacking team, and prepare a schedule for testing.
4. Conduct the test.
5. Analyze the results of the testing, and prepare a report.
6. Present the report findings to the client.
Keeping It Legal
An ethical hacker should know the penalties of unauthorized hacking into a system. No ethical hacking
activities associated with a network-penetration test or security audit should begin until a signed legal
document giving the ethical hacker express permission to perform the hacking activities is received from the
target organization. Ethical hackers need to be judicious with their hacking skills and recognize the
consequences of misusing those skills.
Computer crimes can be broadly categorized into two categories: crimes facilitated by a computer and crimes
where the computer is the target.
Information Security Laws and Standards
• Laws function as a system of rules and guidelines enforced by a particular country or community to govern
behaviour.
• A Standard is a document established by consensus and approved by a recognized body that provides, for
common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the
achievement of the optimum degree of order in a given context.

1. Payment Card Industry Data Security Standard (PCI-DSS)


• The PCI-DSS is a proprietary information security standard for organizations that handle cardholder
information for the major debit, credit, prepaid, e-purse, ATM and POS cards.
• PCI DSS applies to all entities involved in payment card processing including merchants, processors,
acquirers, issuers and service providers, as well as all other entities that store, process or transmit card holder
data.
• Failure to meet the PCI-DSS requirements may result in fines or termination of payment-card processing
privileges
2. ISO/IEC 27001:2013
• ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually
improving an information security management system within the context of the organization.
3. Health Insurance Portability and Accountability Act. (HIPAA)
• The HIPAA Privacy Rules provide federal protections for individually identifiable health information held by
covered entities and their business associates and give patients an array of rights with respect to that
information.
• At the same time, the Privacy Rule permits the disclosure of health information needed for patient care and
other important purposes.
• The Office for Civil Rights implemented HIPAA’s Administrative Simplification Statute and Rules.
4. Federal Information Security Management Act (FISMA)
• The FISMA provides a comprehensive framework for ensuring the effectiveness of information security
controls over information resources that support federal operations and assets.
• It includes
• Standards for categorizing information and information system by mission impact
• Standards for minimum security requirements for information and information systems
• Guidance for selecting appropriate security controls for information systems
• Guidance for assessing security controls in information system and determining security control
effectiveness
• Guidance for the security authorization of information system
5. Cyber Security Enhancement Act and SPY ACT
The Cyber Security Enhancement Act of 2002 mandates life sentences for hackers who “recklessly” endanger
the lives of others. Malicious hackers who create a life-threatening situation by attacking computer networks
for transportation systems, power companies, or other public services or utilities can be prosecuted under
this law. The Securely Protect Yourself Against Cyber Trespass Act of 2007 (SPY ACT) deals with the use of
spyware on computer systems and essentially prohibits the following:
• Taking remote control of a computer when you have not been authorized to do so
• Using a computer to send unsolicited information to people (commonly known as spamming)
• Redirecting a web browser to another site that is not authorized by the user
• Displaying advertisements that cause the user to have to close out of the web browser (pop-up
windows)
• Collecting personal information using keystroke logging
6. Federal Managers Financial Integrity Act: The Federal Managers Financial Integrity Act of 1982 (FMFIA) is
basically a responsibility act to ensure that those managing financial accounts are doing so with the utmost
responsibility and are ensuring the protection of the assets. This description can be construed to encompass
all measurable safeguards to protect the assets from a hacking attempt. The act essentially ensures that
funds, property, and other assets are safeguarded against waste, loss, unauthorized use, or misappropriation,
and that costs are in compliance with applicable laws. The FMFIA is important to ethical hacking as it places
the responsibility on an organization for the appropriate use of funds and other assets.
7. Freedom of Information Act (FOIA): The Freedom of Information Act (5 USC 552), or FOIA, makes many
pieces of information and documents about organizations public. Most records and government documents
can be obtained via the FOIA. Any information gathered using this act is fair game when you are performing
reconnaissance and information gathering about a potential target.
8. Privacy Act of 1974: The Privacy Act of 1974 (5 USC 552a) ensures nondisclosure of personal information
and ensures that government agencies are not disclosing information without the prior written consent of
the person whose information is in question.

Do legal and ethical have the same meaning?


Ethical and legal have different meanings, although they both have the purpose of ensuring people live well.
Ethical means bearing the value of distinguishing right from wrong behaviour, while legal means acting in
accordance with the law.
What is the difference between ethical and legal standards?
Legal standards are enforced by a government entity, while ethical standards are usually enforced by human
principles involving right and wrong behaviour. Thus violations of legal standards are penalized, unlike
violations of ethical standards.
1.6 The Attacker’s Process
The attacker's process is a systematic approach to gaining unauthorized access to a computer system or
systems.
Attackers can use a variety of techniques to gain access to a system, including:
• Social engineering: Using fake emails or webpages to trick a target into clicking on a bad link
• Man-in-the-middle attacks: Intercepting cyberspace communications
• Malware: Installing malware such as bots, viruses, or worms
• Denial of service attacks: Flooding a network or device with too much information
• SQL injection and cross-site scripting (XSS) attacks: Targeting databases and websites
To protect your system, you can monitor your network traffic for anomalies and signs of attacks. You can
also add two-factor authentication to services or implement the principle of least privilege.
Objective: State the process or methodology hackers use to attack networks
The steps a hacker follows can be broadly divided into six phases, which include pre-attack and attack phases:
1. Performing Reconnaissance
2. Scanning and enumeration
3. Gaining access
4. Escalation of privilege
5. Maintaining access
6. Covering tracks and placing backdoors


1. Performing Reconnaissance
Reconnaissance or footprinting involves gathering preliminary data or intelligence on the target
organization to enable a hacker to plan the attack.
Reconnaissance is considered the first pre-attack phase and is a systematic attempt to locate,
gather, identify, and record information about the target. The hacker seeks to find out as much
information as possible about the victim. This first step is considered passive information gathering.
Covertly discover and collect information about the target system:
• Initial information
• Network range
• Active machines
• Open ports and Access Points
• Fingerprint the OS
• Services on Ports
• Map the Network.

2. Scanning and Enumeration
The phase uses technical tools to gather more detailed intelligence on the systems and applications
on the target organisation’s network. An example is the use of a vulnerability scanner to collect
information on the weaknesses inherent in the target network.
Scanning and enumeration is considered the second pre-attack phase. Scanning is the active step of
attempting to connect to systems to elicit a response. Enumeration is used to gather more in-depth
information about the target, such as open shares and user account information. At this step in the
methodology, the hacker is moving from passive information gathering to active information
gathering. Hackers begin injecting packets into the network and might start using scanning tools such
as Nmap. The goal is to map open ports and applications. The hacker might use techniques to lessen
the chance that he will be detected, such as scanning at a very slow rate. As an example, instead of
checking for all potential applications in just a few minutes, the scan might take days to verify what
applications are running. Many organizations use intrusion detection systems (IDS) to detect just this
type of activity. Don’t think that the hacker will be content with just mapping open ports. He will soon
turn his attention to grabbing banners. He will want to get a good idea of which versions of software
and applications you are running, and he will keep a sharp eye out for down-level software and
applications that have known vulnerabilities. An example of down-level software would be Windows
95.


• Scanning can include the use of dialers, port scanners, network mappers, ping tools, vulnerability
scanners, etc.
• Attackers extract information such as live machines, ports, port status, OS details, device type, system
uptime, etc. to launch an attack.
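The scanning phase above (and the advice in section 1.6 to monitor network traffic for anomalies) turns on one detection problem: a rate-based IDS rule counts ports touched per few minutes, so a scan slowed to one port every hour or so slips under it, and only a detector that correlates over a much longer window sees the pattern. The following is an added example written for these notes, not code from the course or from any IDS product; the log format, the hosts and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Format: "timestamp src dst dst_port flag".
# 10.0.0.5 probes 12 ports on one host at one port every 90 minutes (a slow scan);
# 10.0.0.7 is a normal client making many connections to only two ports.
def constructed_log():
    base = datetime(2024, 5, 1, 0, 0, 0)
    lines = []
    scan_ports = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445]
    for i, port in enumerate(scan_ports):
        ts = (base + timedelta(minutes=90 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 192.168.1.10 {port} SYN")
    for i in range(30):
        ts = (base + timedelta(minutes=7 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 192.168.1.10 {443 if i % 2 else 80} SYN")
    return "\n".join(lines)

def parse_line(line):
    ts, src, dst, port, _flag = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_scans(log_text, window_minutes=24 * 60, min_ports=10):
    """Return {(src, dst): sorted distinct ports} for every source that touched
    at least `min_ports` distinct ports on one destination within the window.
    A short window (minutes) models a typical rate-based IDS rule; a long window
    (hours or days) is what is needed to see a scan that was deliberately slowed
    down to stay under that rule."""
    window = timedelta(minutes=window_minutes)
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_pair = defaultdict(list)        # (src, dst) -> [(time, port), ...] in time order
    for ts, src, dst, port in events:
        per_pair[(src, dst)].append((ts, port))
    flagged = {}
    for pair, hits in per_pair.items():
        start = 0
        for end in range(len(hits)):    # slide a time window over the hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if len({p for _, p in hits[start:end + 1]}) >= min_ports:
                flagged[pair] = sorted({p for _, p in hits})
                break
    return flagged

if __name__ == "__main__":
    log = constructed_log()
    print("5-minute window:", detect_scans(log, window_minutes=5))   # misses the slow scan
    print("24-hour window :", detect_scans(log))                     # catches it
```

The normal client never trips either window because it only ever uses two ports, which is why distinct ports per source, not connection count, is the right feature here.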

3. Gaining Access
In this phase, an attacker gains control of one or more network devices which he uses to obtain
data from the target system or network. He may also use the device he controls to launch further
attacks on other systems and networks.
As far as potential damage, this could be considered one of the most important steps of an attack.
This phase of the attack occurs when the hacker moves from simply probing the network to actually
attacking it. After the hacker has gained access, he can begin to move from system to system,
spreading his damage as he progresses.
Access can be achieved in many different ways. A hacker might find an open wireless access point
that allows him a direct connection or the help desk might have given him the phone number for a
modem used for out-of-band management. Access could be gained by finding a vulnerability in the
web server’s software.
Gaining Access refers to the point where the attacker obtains access to the operating system or
applications on the computer or network.
• The attacker can gain access at the operating system level, application level or network level.

4. Escalation of Privilege
• The attacker can escalate privileges to obtain complete control of the system. In the process,
intermediate systems that are connected to it are also compromised.
• Examples include password cracking, buffer overflow, denial of service, session hijacking, etc.
Privilege escalation can best be described as the act of leveraging a bug or vulnerability in an
application or operating system to gain access to resources that normally would have been protected
from an average user. The end result of privilege escalation is that the application performs actions
that are running within a higher security context than intended by the designer, and the hacker is
granted full access and control.

5. Maintaining Access
An attacker uses this phase to maintain his presence on the target network to gather as much
information as possible. The attacker must remain stealthy to avoid detection.
They are diligent at working on ways to maintain access to the systems they have attacked and
compromised. They might attempt to pull down the /etc/passwd file or steal other passwords so that
they can access other users’ accounts.
Rootkits are one option for hackers. A rootkit is a set of tools used to help the attacker maintain his
access to the system and use it for malicious purposes. Rootkits have the capability to mask the
hacker, hide his presence, and keep his activity secret.
• Attackers can upload, download or manipulate data, applications and the configuration of the owned
system.
• Attackers use the compromised system to launch further attacks.


6. Covering Tracks and Placing Backdoors

The final phase requires the attacker to take the necessary steps to remove all traces of his
activities. The attacker uses this phase to return the system to its previous state to avoid detection
by the administrators of the host network.
Covering tracks refers to the activities carried out by an attacker to hide malicious acts.
• The attacker’s intentions include: continuing access to the victim’s system, remaining unnoticed and
uncaught, deleting evidence that might lead to his/her prosecution.
• The attacker overwrites the server, system and application logs to avoid suspicion.
• Attackers always cover tracks to hide their identity
Hackers must also be worried about the files or programs they leave on the compromised system.
File hiding techniques, such as hidden directories, hidden attributes, and Alternate Data Streams
(ADS), can be used. As an ethical hacker, you will need to be aware of these tools and techniques to
discover their activities and to deploy adequate countermeasures.
Backdoors are methods that the hacker can use to re-enter the computer at will.
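Since the covering-tracks phase relies on overwriting or deleting log entries, one countermeasure an ethical hacker can recommend is a tamper-evident log: each entry carries a hash that also covers the previous entry's hash, so an edited, deleted or reordered line no longer verifies. The block below is an added example written for these notes, not code from the course or from any logging product; the entry format and the sample entries are constructed.

```python
import hashlib

GENESIS = "0" * 64   # previous-hash value used for the very first entry

def _digest(prev_hash, entry):
    """Hash of this entry bound to the hash of the entry before it."""
    return hashlib.sha256(f"{prev_hash}|{entry}".encode()).hexdigest()

def write_chain(entries):
    """Render entries as '<hash> <text>' lines, each hash also covering the
    previous line's hash. Returns (lines, head_hash). The head hash must be
    stored off-host (e.g. sent to a collector with every batch): an attacker
    with root on the box can otherwise rewrite the whole file consistently."""
    prev, lines = GENESIS, []
    for entry in entries:
        prev = _digest(prev, entry)
        lines.append(f"{prev} {entry}")
    return lines, prev

def verify_chain(lines, expected_head=None):
    """Return (ok, first_bad_index). Recomputing the chain catches an edited,
    deleted or reordered line; comparing against expected_head additionally
    catches a truncated tail, which a self-consistent chain cannot reveal."""
    prev = GENESIS
    for i, line in enumerate(lines):
        h, _, entry = line.partition(" ")
        if h != _digest(prev, entry):
            return False, i
        prev = h
    if expected_head is not None and prev != expected_head:
        return False, len(lines)
    return True, None

# Constructed sample entries (not real logs) and three tampering cases.
CLEAN, HEAD = write_chain([
    "sshd: Accepted password for alice from 10.0.0.7",
    "sshd: Accepted password for root from 203.0.113.9",
    "sudo: alice : COMMAND=/bin/ls",
])
DELETED = [CLEAN[0], CLEAN[2]]                 # the root login line removed
EDITED = CLEAN[:]                              # the root login rewritten to look like alice
EDITED[1] = CLEAN[1].split(" ", 1)[0] + " sshd: Accepted password for alice from 10.0.0.7"
TRUNCATED = CLEAN[:1]                          # everything after the first line dropped

if __name__ == "__main__":
    for name, lines in [("clean", CLEAN), ("deleted", DELETED), ("edited", EDITED), ("truncated", TRUNCATED)]:
        print(name, verify_chain(lines, expected_head=HEAD))
```

Note that TRUNCATED verifies cleanly without the head hash; that is the case the off-host anchor exists for.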

1.7 The Ethical Hacker’s Process


As an ethical hacker, you will follow a similar process to the one that an attacker uses. The stages you
progress through will map closely to those the hacker uses, but you will work with the permission of
the company and will strive to "do no harm." By ethical hacking and assessing the organization’s
strengths and weaknesses, you will perform an important service in helping secure the organization.
The ethical hacker plays a key role in the security process. The methodology used to secure an
organization can be broken down into five key steps.
1. Assessment—Ethical hacking, penetration testing, and hands-on security tests.
2. Policy Development—Development of policy based on the organization’s goals and mission. The
focus should be on the organization’s critical assets.
3. Implementation—The building of technical, operational, and managerial controls to secure key
assets and data.
4. Training—Employees need to be trained as to how to follow policy and how to configure key security
controls, such as Intrusion Detection Systems (IDS) and firewalls.
5. Audit—Auditing involves periodic reviews of the controls that have been put in place to provide good
security. Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) specify
that this should be done yearly.
All hacking basically follows the same six-step methodology discussed in the previous section:
reconnaissance, scanning and enumeration, gaining access, escalation of privilege, maintaining
access, and covering tracks and placing backdoors.

1.8 Security and the Stack


Modern societies have become overly dependent on cyber systems without adequate protections.
Many of the tools and supply chains constructed to support human activity globally are
interconnected with and interdependent upon cyber systems that are insufficiently secure. There is
an imbalance between benefit (e.g., ease of use) and risk that is international in scope and byzantine
in complexity.


Security overlays have their value to be sure, but they are not enough. Systems need to be made
secure from the start of their design; hence the term “security-by-design” was coined.
Layer 1 – Assured Systems and Content (AS&C): This layer is the set of information-communications
technologies (ICT) architected and designed to operate securely within an appropriate cyber-threat
environment. For example, a system designed for government information processing would be
expected to operate within a higher cyber threat environment than, say, a system designed for
consumer entertainment. Accordingly, a greater degree of inherent security should be applied in
developing the government system. For instance, its software code should be developed using the
disciplines of software assurance.
Layer 2 – Integrated Security Overlay: Layer 2 is the traditional “security” layer as we know it today.
It comprises several control planes across both the network and application layers. There are many
forms of overlay in this layer, ranging from engineered-for-purpose hardware to software evaluation
tools. Typically this is where we add defense in depth, based upon sensitivity to risk. For various
reasons the security industry has evolved in a series of so-called “point solutions,” each vendor’s
solution independently addressing problems at specific points in the architecture. For instance, Web
application firewalls were developed to address the fundamental issues associated with Web servers
facing a general purpose “anonymous” network that provides information to unknown consumers.
Anti-virus software updates were built as a means to inoculate a workstation or server against known
and later unknown forms of malicious software that could be downloaded by or pushed to these
platforms.
Layer 3 – Intelligence: We also need situational awareness. We need to see the world of cyberspace
both inside and outside our computing enclaves. This happens in Layer 3 – the Intelligence Layer –
which correlates information from sensors to give advance warning of threats. The Intelligence Layer
detects threats so that defences can be adjusted, ports closed, and mitigations enacted before attacks
can achieve their intended purposes. The anonymity of the Internet and certain shortcomings of
TCP/IP make it difficult to learn about those who would do harm. This is the problem of attribution.
We need better intelligence regarding what is going on inside the network perimeter and what is
taking place outside the network, beyond immediate control. This, in essence, is situational
awareness.
Layer 4 – National Cyber Response: Real-world borders of national sovereignty must be protected
through cybersecurity. Layer 4 represents more recent considerations that are now expanding the
domain of cybersecurity, where interests of national security intersect with the interests of the private
sector. National critical infrastructures such as telecommunications networks, the power grid, and air
space must be protected in the interest of national security. The needed exchanges of threat
information cannot wait for bureaucratic time in these vital areas.
*********************************************************************************
