Practice Labs - Ethical Hacker

v10
Introduction to Ethical
Hacking
Introductio
n Lab
Topology
Exercise 1 - Learn About Ethical
Hacking Review

Introduction
Ethical
Hacking Grey
Box
White
Box
Black
Box
Ethics

Welcome to the Introduction to Ethical Hacking Practice Lab. In this

module, you will be provided with the information needed to develop your
knowledge.

Learning Outcomes
In this module, you will complete the following

exercises: Exercise 1 - Learn About Ethical

Hacking

After completing this lab, you will have further

knowledge of: Ethical Hacking

The Need for Ethical Hacking
The Ethical Hacking Methodology
Exam Objectives
The following exam objectives are covered in this
lab:

5.2 Information Security Assessment

Methodologies
7.1 Ethics of Information Security
Note: Our main focus is to cover the practical, hands-on aspects of
the exam objectives. We recommend referring to course material
or a search engine to research theoretical topics in more detail.

Lab Duration
It will take approximately 30 minutes to complete this lab.

Help and Support

For more information on using Practice Labs, please see our Help and
Support page. You can also raise a technical support ticket from this page.

Click Next to view the Lab topology used in this module.

Lab Topology
This lab contains supporting materials for Certified Ethical
Hacker v10.

Click Next to proceed to the first exercise.

Exercise 1 - Learn About Ethical Hacking
Ethical hacking (also known as penetration testing) is a simulated cyber-
attack to exploit the vulnerabilities in a network and the systems. It locates
the vulnerabilities, then attempts to exploit them. A person conducting
ethical hacking can attempt a breach of applications, protocols, Application
Programming Interfaces (APIs), servers, firewalls, and anything else that
can be exploited on a network. The core intent is to discover the
vulnerabilities before an attacker from the outside, then exploit them to
simulate the damage that could be caused.

In this exercise, you will learn about the core fundamentals of ethical
hacking.

Learning Outcomes
After completing this exercise, you will have further

knowledge of: Ethical Hacking

The Need for Ethical Hacking
The Ethical Hacking Methodology
The Ethical Aspect of Ethical
Hacking Types of Threat Actors
The Difference Between Black Box vs. White Box vs. Grey Box
Hacking Real-life Attacks

Task 1 - Ethical Hacking

The fundamental difference between hacking and ethical hacking is

permissions. Hacking is when a computer or network is accessed by an
unauthorized source, usually for malicious reasons. Ethical hacking is
permitted by a person or an organization to explore the possibility of
vulnerabilities within a system or a network. The person performing ethical
hacking is known as an ethical hacker, who may be contracted or employed
by an organization to help them strengthen their security. Ethical hackers
work within legal boundaries, ensuring the data they have access to is not
exploited or disclosed to any third-parties (unless directed by the
Once discovering the vulnerabilities, the ethical hacker will help the
organization with suggestions of how to patch them and therefore prevent
attacks. For example, your organization has developed a new Web
application for a school. You have been asked to test the Web application
and locate vulnerabilities. When you test (hack) the application, you
discover that it is prone to SQL Injection attacks. If you had not hacked this
application and found the vulnerability to fix, then a hacker could have
carried it out, resulting in the data being compromised.

What needs to be protected:

While working, an ethical hacker must preserve the following:

Confidentiality: You must safeguard the information that you have and
know. It becomes your responsibility to ensure that the information does
not fall into the wrong hands. You can protect the information with
appropriate permissions and encryption. If these are not applied, there
are chances of disclosure, which allows an unauthorized person to
access the information.
Integrity: Keep the information in its original form and do not
allow any unauthorized alteration.
Availability: Keep the information available for the authorized
individuals to use it. If this is not done, the information can be lost.

Task 2 - The Need for Ethical Hacking

All systems on the internet are considered to be at risk. Attackers are

equipped with the latest tools and techniques to attack systems that they
find vulnerable. To be able to protect the systems of your organizations,
you must know the methods used by the hackers, and the steps that you
can take to prevent their attacks.

There are some fundamental answers that you need to know:

What to look for - what are you trying to protect?

How to protect - once you know what needs protecting, how are you
going to do that?

It is important to remember that you cannot protect everything. If a

vulnerability is unknown, there is no way to protect against it. This is
where an ethical hacker comes in. For example, an attacker is able to
attacker was one step ahead of you. An ethical hacker could have
discovered this vulnerability beforehand.

As an ethical hacker, you need to:

Understand and know the systems and processes before starting any
activity. Know the rules of engagement before starting any activity.
You should know what needs to be done.
Obtain permissions in writing before proceeding with any type
of hacking. Be able to hack the organization's systems without
causing any damage.
Discover vulnerabilities and help the organization patch them.
Use the same methods and techniques you think an attacker would use
to exploit a system, application, or vulnerability.
Make sure you do NOT share any discovered vulnerability or
information with anyone other than the designated authorities.
Keep the communication channel open with the respective authorities
so that they are aware of the vulnerabilities.
Present your findings at the end of testing or hacking and share it with
the client.

Task 3 - The Ethical Hacking Methodology

Ethical hacking replicates the methodology of an attacker, so there are

certain
Note:steps that need
The steps usedto
bybeanperformed. These
organization maysteps
vary. include:

Reconnaissance and Footprinting - active and

passive Scanning
Enumeration
Hacking / Gaining
Access Escalation of
Privileges
Maintaining Access
Covering Tracks
Backdoor
Reporting

Reconnaissance and
Footprinting
Reconnaissance is gathering information about the target system(s), which
is critical in ethical hacking to identify the attack targets. With the amount
and type of information the attacker gathers, they can form the strategy for
ethical hacking. Footprinting helps to gather information about the size of
the organization.

Both of these tasks take place together. For example, when you are
gathering information about a network, you get the details of the systems on
the network, and at the same time, you get to know the number of systems
on there.

There are two types of reconnaissance and footprinting:

Passive

The ethical hacker can use various tools to obtain information without
interacting with the system. It is a safer method as you do not expose
yourself while collecting the information. The ethical hacker can look for
information on various places, such as:

Whois database
The target’s
website
Social media profiles of
employees Google search
results
DNS queries
Blogs and public forums

The ethical hacker can also use various tools to collect information passively.
Some of the key tools are:

WHOIS
Social
Media
Shodan
Google
Hacking DNS
Querying The
Harvester
Recon-ng
 Figure 1.1: Screenshot of Internet Explorer: Showing
information about the searched Website.

Active

In the active reconnaissance method, the ethical hacker connects with the
system and collects information. Even though this method provides more
accurate information compared to the passive method, the risk of getting
noticed and exposed is much higher. One example of active reconnaissance
is performing a port scan on a system. In a port scan, the ethical hacker is
connecting with the system to obtain the open port information.

There are various tools that can be used in active reconnaissance. Nmap is
one of the most sought-after tools for this. Let’s assume, you as the ethical
hacker want to scan the 192.168.0.0/24 network and see how many hosts
are up using a ping scan. You can use the following command:
Please login to the PLABKALI device using these
credentials:

Username:

root

Password:

Passw0r

d nmap -sP 192.168.0.0/24

Note: the -sP parameter is used for ping scanning. When you use
CIDR /24, Nmap will scan all 256 IP addresses on the network.
 Figure 1.2 Screenshot of Kali Linux: Showing the output of
the nmap -sP command.

The nmap command shown above pings 256 hosts on the network and
returns with a list of the hosts that are live at that time.

Scanning and Enumeration

After you have explored the network and identified the live systems on it,
you can move on to scanning and enumeration. This is critical for
exploitation or gaining access.

Enumeration is also considered part of active reconnaissance. Using

enumeration, you can find a lot of details about a device, server, or
service.

Enumeration can be used to find information, such as:

Operating system information, such as the

version DNS information
SNMP
information
Users and
groups
Password hashes and
passwords Hostnames
Domain information
Running services and
process

Scanning
nikto finds vulnerabilities
-host that can be exploited. For example, you can
http://192.168.0.10
use Nikto to scan a Web application and find vulnerabilities. Let’s look at
the example in which you execute the following command:

Note: You can host a vulnerable Web application and assign it an IP

address. Then, you can use the above command, replacing the IP
address with the Web application’s IP address.

The results show the various vulnerabilities

discovered.
 Figure 1.3 Screenshot of PLABKALI01: Showing the output
of the nikto command.

Gaining Access (Exploitation)

When choosing an attack to use to gain access to the system, the
environment and situation have to be considered. Some common attack
techniques used in penetration testing are:

Social engineering - This attack sets the base for all other attacks. An
attacker can use different methods, such as phishing, to trigger the
attack.
Web application attacks - These can include attacks such as SQL
injection, XSS, and XSRF. These are applicable if you are performing a
penetration test on a Web application.
Session hijacking - This is useful when you have unencrypted
sessions. An attacker can perform session hijacking or a man-in-
the-middle attack.
 Password cracking - This involves some level of access to the server
or system, then using various tools to crack the passwords.

A private network is more secure than the public network, which is visible
to everyone. When breaking into a private network, the attacker must find
various methods to connect. For example, the attacker may use social
engineering and deploy malware by sharing an infected USB drive with a
user.

If you use a technical method, such as a Web application attack, you need
to locate a Webserver first and see if it has a Web application running. You
could then exploit the Web application.

In other cases, you may use a social engineering method, such as sending an
e-mail to a user, pretending to be from their bank. The e-mail may have a
URL the user is instructed to click on. Once they access the URL, the users
are navigated to a Website that looks like it is the bank’s Website. It could
then deploy malware onto their system.

Maintaining Access
Let’s assume that you have exploited a vulnerability in the Windows
operating system and gained access to the system. There is no guarantee
that you will be able to maintain access. In such situations, you need to do
something that allows you to maintain access if the vulnerability is patched.

For example, you can create a new user account with administrative
access. This will allow you to connect with the exploited system
remotely. Alternatively, you install a backdoor or rootkit.

Covering Tracks
In any form of hacking, you are likely to leave traces in the system,
possibly resulting in getting stopped or caught. For example, if you create
a user account, it will get captured in the log files. One of the key methods
used in covering tracks is to clear the log files.
However, when logs are cleared, a new entry in the log files is created,
Reportin
mentioning that logs have been deleted.
g
You must report your findings to the organization or person that has
requested the ethical hacking test. The report includes vulnerabilities,
sensitive data exposure, your access to the sensitive systems, and how to
mitigate the threats you were able to pose.

Task 4 - The Ethical Aspect of Ethical Hacking

An ethical hacker must follow professional principles and the code of

ethics.

For example, you must not use the organization’s information and data for
personal needs or misuse them with malicious intentions. Also, the
information must be protected from falling into the wrong hands as a result
of the testing. Any misuse of their data or information could result in legal
action.

Another critical aspect of ethical hacking is permissions. For example,

you mustThe
Note: have permission
Code toare
of Ethics hack a Webserver
available here: that runs a Web
application. If you do not have permission, then it is considered as
https://www.eccouncil.org/code-of-ethics/
hacking, not ethical hacking.
If you have the CEH certification and do not adhere to ethics defined by EC-
Council, you can lose your certification.

Task 5 - Types of Threat Actors

As an ethical hacker, you must know about different types of threat actors,
who are any entity behind a threat, which is a potential danger to an asset.
A threat actor can be largely categorized into three categories:

Internal Threat (eg: a rogue

employee) External Threat (eg: a
criminal group) Natural Threat (eg:
hurricane or tsunami)

Threat actors look for vulnerabilities to exploit. When a vulnerability or

weakness is present in the network, server, or application, it is at risk
from the threat actor.

Examples of threat actors

Hackers
There are three types of hacker: black hat, grey hat, and white hat.

Black hat hackers hack the systems with malicious intent. They are
also known as crackers.

White hat hackers are ethical hackers or sneakers. They are usually
either hired or contracted by organizations to evaluate their security
parameters.

Grey hat hackers are a combination of white hat and black hat hackers.
They break into systems without seeking permission. Their intentions are
not malicious; they want to demonstrate their skills. Their actions are still
considered to be illegal, as they do not seek permission to perform their
actions.

Script Kiddies
A script kiddie is someone who does not have the expertise of a hacker
and relies on ready-made tools as they can’t write their own code. Due
to a lack of expertise, their attacks are not sophisticated.

Hacktivists
Hacktivists are threat actors who are hackers with a specific mission,
which could be political or social. One of the most common attacks they
use is a Distributed Denial of Service (DDoS). They are determined to
fulfill their cause and can work in groups with like-minded hackers.

Nation-States/State Sponsored
These threat actors are well-funded and well-organized entities that commit
their activities with the backing of governments, or similar. State-sponsored
attackers typically focus on infiltrating larger organizations with the intent
to steal large amounts of mission-critical and sensitive data.
Insider
Threats
These threat actors are internal to an organization and can carry out
malicious activity intentionally or unintentionally. Some of the activities
they could perform include handing out confidential or sensitive
information to others unintentionally, or selling information to another
threat actor who wants to misuse it.

It is very difficult to detect an insider threat as the person is part of the

system. They would have access to the data, along with the knowledge of
internal operations and processes. Since they are inside the network, their
actions are difficult to track by tools such as firewalls.

Task 6 - The Difference Between Black Box vs. White Box vs.
Grey Box Hacking

As an ethical hacker, you may be asked to perform different types of

hacking or penetration testing. The organization, after deciding the scope
of the task, may also ask you to perform a certain type of hacking or
penetration testing, which generally categorized into three types:

Black
box Grey
box
White
box

Black
Box
A black box test is also known as Zero-Knowledge penetration testing. In the
black box test, you do not have any information about the network, except
for an IP range. You are typically an external entity that needs to exploit the
network or systems at the fullest. The organization expects you to gather
information on your own, discover vulnerabilities, then exploit them. A black
box test takes more time as you do not know anything about the network or
its systems. However, it is more effective because you can provide an
accurate assessment of the security of the network, and it closely simulates
a real-life attack that could occur.
perform penetration testing. For example, the organization would share
the following information:

Network diagrams
List of systems with their IP
address IP ranges
User credentials to log on to
the systems

White box penetration testing takes less time than black box testing because
you have the required information available. However, it may not provide
accurate results as it is not the same situation an external attacker would be
in.

Grey Box
Grey box testing is a combination of black box and white box. You have the
limited information to begin with, but do not have user credentials or the
configuration details. For example, the organization may share the
application name and its IP address but does not provide the application
version or the services that it is running. This makes it slightly more
accurate than a white box test.

Task 7 - Real-life Attacks

As an ethical hacker, it is useful to understand the minds of hackers. One of

the best methods to do this is to study major attacks that have occurred in
the past. Some of these major attacks include:

Adobe
In October 2013, Adobe revealed that it had been attacked. Here is a
brief summary of the attack:

Removal of personal information of 2.9 million customers by the

attackers - login credentials, names, credit card information including
expiration dates
Sony
Customer IDs and encrypted passwords were accessed
Source code was stolen for ColdFusion, Acrobat Reader, and
Photoshop
Sony had been under major attacks twice.

The first incident occurred in April 2011, which led to the closing of Sony
PlayStation, Sony Online Entertainment, and Qriocity for one month.

Here is a brief summary:

Personal information of 77 million user accounts

was leaked Thousands of users’ bank accounts
were compromised

The vulnerability exploited was unencrypted data on the Sony

network, which was hijacked using SQL Injection attacks.

November 2014

In the second major attack, Sony Pictures Entertainment

was targeted. Here is a brief summary:

Attack was conducted using a worm

Attack was conducted by a hacker group named Guardians of Peace,
who ended up stealing more than 100 terabytes of data from Sony
The vulnerabilities exploited were poor infrastructure management
and incorrect configuration

Here are some other big organizations that have been hacked in

recent years: Facebook

Google+
Cambridge Analytica
MyHeritage
Quora
Timeho
p
Cathay Pacific Airways
T-mobile
British Airways
Yahoo
Marriott International
eBay
Uber
In the past, the Federal Bureau of Investigation (FBI) has used ex-hackers
to track down some of the smartest hackers in the world.

Review
Well done, you have completed the Introduction to Ethical Hacking
Practice Lab.

Summary
You completed the following exercises:

Exercise 1 - Learn About Ethical

Hacking

You should now have further

knowledge of: Ethical Hacking

The Need for Ethical Hacking
The Ethical Hacking Methodology
The Ethical Aspect of Ethical
Hacking Types of Threat Actors
The Difference Between Black Box vs. White Box vs. Grey Box
Feedbac
Hacking Real-life Attacks
k