Ethical Hackers And Ethical Hacking Information Technology Essay
The Internet and other information systems play a vital role in organizations today. More and more organizations have become completely or partially dependent on network services, so a single failure of the network can cause severe losses to the organization.
However, alongside this huge demand for Internet and network services, computer security and the serious threats posed by computer criminals have come to the foreground. Computers around the world are systematically victimized by hacking attacks every day. Most of these attacks are well organized, and the attackers understand the general system vulnerabilities very well. If they find any of those vulnerabilities in a system, they may be able to steal everything they want from it and completely erase their tracks in less than 20 minutes. That can be a huge loss for the company in terms of money and reputation. To avoid these kinds of attacks, companies have to employ a mechanism to identify vulnerabilities in networks, applications and systems before they can be exploited. Generally, this is the job of an ethical hacker.
Ethical Hacking and Phases
Ethical Hackers and Ethical Hacking
An ethical hacker is a security professional who helps an organization take defensive measures against malicious attacks, and the process he follows to find those vulnerable points is called ethical hacking. It is also known as penetration testing or intrusion testing. Ethical hackers get into the minds of computer criminals and think like them in order to find the innovative ways hackers may use to get into the systems. The organization can then take the required actions to remove those vulnerabilities.
It has been found that almost all computer systems have vulnerabilities that a hacker can exploit to do damage. These can be due to an unpatched application, a misconfigured router or a rogue network device, and they will not be detected unless the networks are penetrated and the security posture is assessed for vulnerabilities and exposures on a regular basis. As hacking is a felony in most countries, ethical hackers should only operate with the required permission and knowledge of the organization they are trying to defend. In some cases, to check the effectiveness of its security teams, an organization will not inform those teams of the ethical hacker's activities. This situation is referred to as operating in a double-blind environment.
To perform productive penetration testing, the ethical hackers conducting it must have a variety of in-depth computer skills. They should know how to look for weaknesses and vulnerabilities in target systems and need to know the tools malicious hackers use for system hacking. However, because not everyone can be an expert in all the platforms an organization uses, such as UNIX, Windows, Linux and Macintosh systems, ethical hacking is usually conducted by teams whose members' skills complement each other.
Generally, hackers fall into three classes, distinguished by the purpose of their hacking.
Black-hat hackers are individuals who have the necessary computing expertise to carry out harmful attacks on information systems. They generally use their extraordinary knowledge and skills for personal gain. Black-hat hackers are also known as crackers.
Gray-hat hackers are individuals with a split personality. At times such an individual will not break the law and, in fact, might help to defend a network. At other times the gray-hat hacker reverts to black-hat activities, so their behaviour cannot be predicted.
White-hat hackers are individuals who usually have exceptional computer skills and use their abilities to increase the security posture of information systems and defend them from malicious attacks. These individuals are typically information security consultants or security analysts.
Why Ethical Hacking Needs to Be Performed
Although many people know hacking is a horrible thing, most of them do not think that they themselves will be hacked. That is not the real situation. Almost every computer system has a security breach through which hackers can come in, and for security purposes these vulnerabilities need to be removed. One of the most important reasons for ethical hacking is to find those security leaks in an organization's network. To do this, companies can hire security experts who have great knowledge of cyber security and are trained as ethical hackers, so they can use their knowledge to hack into the systems and find insecure areas. The company can then take the necessary actions to secure its networks easily.
There are two kinds of security leaks that an ethical hacker can identify.
Hacking into systems to steal data
If a company is compromised by this sort of attack, it loses not only information or money but its reputation as well, and that may cause it to lose customers who no longer feel their personal information and data are completely safe.
Leaks that allow compromise by viruses
If the company network is compromised by viruses, it can allow the entire network to be shut down in just minutes. More than that, some viruses are able to perform harmful activities such as data deletion, so the company may lose important data.
Thus, to improve the overall security posture and avoid intellectual property theft, regular ethical hacking practice is very critical in an IT company. More importantly, it will help save the company millions in money and will build its reputation as well. Also, because this system penetration is performed with the mindset of a hacker who tries to get into the system, companies can rely completely on a professional ethical hacker's reports to adjust their security posture.
Framework of Ethical Hacking
In order to complete ethical hacking processes successfully, ethical hacking professionals have introduced several phases to follow. They have broken the complete process down into several phases, and generally both malicious and genuine users follow this methodology. The following diagram illustrates those steps, and each is described in detail below.
Anatomy of hacking
Reconnaissance is the first step of any hacking attempt; generally the attacker tries to gather as much information as possible about the target system. This process is also known as foot-printing. It may gather information in areas such as determining the network range, identifying active machines, finding open ports and detecting operating systems. Reconnaissance is performed in two ways.
Active reconnaissance is the live exploration of the system to find information such as running operating systems and services, open ports, routers and hosts.
Passive reconnaissance involves monitoring and finding information or clues on the network using network sniffers or other mechanisms. The information can be domain names, locations, contact numbers, etc. Sometimes this involves mechanisms such as searching through an organization's or person's discarded materials.
The following are some of the clever ways, or tools, by which reconnaissance can be performed against a target network.
Google search is the most common and efficient way of finding information about a company. As Google is the most commonly used search engine on the Internet, it can be used to find publicly available information about the target system. Sometimes, even though the company has removed the data from its web sites, Google will still be able to provide the information from its caches. Thus Google can be used to begin the reconnaissance process.
DNS Information tools
The next best way to get information about a company is through its domain name. If you know a company's domain, the rest of the information, such as its IP addresses, contact information and locations, can be found easily using DNS tools. The most common command-line tools for this purpose are "whois" and "dig", which show the above DNS information as text. Web sites such as www.dnsstuff.com, www.samspade.org, www.geektools.com and www.easywhois.com provide the same information in a more user-friendly way. Those tools have various options and can provide information when queried by IP address or domain name.
The command "nslookup" will also map a domain name to an IP address, or vice versa.
ARIN is a very well-known web-based tool for finding the network ranges a company holds. Just by entering a single IP address in the range, ARIN can give the whole network range the company owns.
After learning the basic information about a company, the best way to get to know more about it is to perform social engineering. Here, hackers trick people into revealing information themselves. The common way is to call or meet employees and trick them into giving more information.
Scanning is the second phase of the hacking framework and involves acquiring more detailed information based on the data collected in the earlier phase. It is very similar to active reconnaissance, but in this phase the hacker tries to dig a little deeper. Generally this phase includes activities such as identifying live hosts, discovering running services and their ports, and detecting the running OS. The main target of this phase is to build a blueprint of the target network, including the live host IP addresses and open service ports. Hackers use various scanners for this, and a few of their techniques are listed below.
To identify the active hosts in a network, Ping is the best tool. It can provide information such as the status of the host, the host name and TTL details. It is a very simple utility that uses ICMP packets for scanning: Ping sends ICMP packets to a target host, and if it receives the acknowledgment we can make out that the system is active. There are a few handy tools that can be used to automate this ping process and check the availability of a range of IP addresses; a few examples are Hping, icmpenum and NetScan Tools.
Traceroute is a tool that can be used to map the location of a targeted host. It uses the same technology as Ping and shows the exact path to the target host.
Nmap is the most popular port scanning tool, and it is a free and open-source utility. Both malicious and genuine users use it to identify vulnerabilities on computer systems. It has many options and is able to perform almost every type of scan, such as connect scans, half-open scans and SYN scans, against a targeted host. It is also a very useful tool for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap can scan the hosts in a network range straight away, and it is able to detect the version of the operating system running on the targeted system too.
War dialers are tools that were widely used in earlier times to detect active modems in a network. This was a common hacking tool, as many dial-in modems were available in networks to enable employees to log in to the network. The program automatically dials a defined range of phone numbers and logs the successful attempts in its database. As modem technology is becoming obsolete very fast, it is not used very much now.
Another useful technique for finding running service ports is called banner grabbing. Here the hacker tries to connect to well-known ports such as 80, 8080, 25, 110, 23 and 22 using telnet. If the service being tried is running on the target server, it will display the service banner, including the type of software and the running version. The hacker can then add that information to the blueprint he is building.
Enumeration (OS / Application Attacks)
Enumeration is the hacking technique of convincing target servers to provide information about the system that is vital for proceeding with the attack. The information attackers normally target is the resources and shares available in the system, valid users and user groups, running applications, etc. The common way of enumeration is by use of null sessions, sessions that usually have no username or password. Once the hacker gets into the system, he starts enumeration by using tools to find out the data he wants. Several tools are available for these queries; NBTscan and the NetBIOS Auditing Tool are a few commonly used ones.
Hackers also enumerate systems using the SNMP protocol. By enumerating SNMP, hackers can get the information they want easily, and this is an easier way than using null sessions. However, as SNMP v3 sends data after encrypting it, that data needs to be decrypted before it can be used. SNMPutils, IP Network Browser, SNMP Informant and Getif are some of the tools used for SNMP enumeration.
Gaining access: as all the above phases are only preparation phases, this is the phase in which the actual attack is executed. The hacker will use the blueprint he created during the previous phases. During this phase the attacker tries to launch attacks targeting the applications, the operating system and the network. To do that, hackers may launch DoS attacks, buffer overflow attacks and application attacks, and they may even insert viruses and Trojan horses to gain access to the network.
Another goal of the hacker is to gain the highest level of privileges he can. If he does, he will be able to delete all the tracks and evidence of his activities without any issue. Also, if the NetBIOS TCP port 139 is open and accessible, the easiest way to log in to the system is guessing the password. Thus the first attempt of the attacker will be to guess the system passwords in order to enter the system with the highest level of privileges.
Most of the time this step is an easy task, because most users keep their password easy to remember. Also, if any information is available about the user, such as family members' names, children's names or birthdays, there is a great potential for the password to be one of them. There are also lists of commonly used passwords, and hackers can try those to log in to the system. If they are unable to guess the password, the next step is to crack it using an automated tool.
Hackers use several strategies to crack passwords.
Social engineering is the easiest and most common method of cracking a password: the hacker calls or meets the user and gets the password from him by some trick or fraud.
Dictionary cracking is performed using a collection of words related to the user together with a list of commonly used passwords. The list is checked one by one, and usually this is an automated process performed by a tool such as Legion.
Brute force cracking
This is an automated password cracking mechanism that simply tries combinations of different characters, letters and symbols to guess the password, instead of dictionary words.
Hybrid cracking is a mix of the two mechanisms above: it first tries the dictionary passwords and then tries the letter combinations.
Some automated password-guessing tools are "Legion" and "NetBIOS Auditing Tool". Tools like "L0phtCrack", "ScoopLM" and "KerbCrack" allow system administrators to audit their users' passwords and let them know if anyone is using a password that could be compromised by a password cracking tool.
Other than the password cracking methods mentioned above, hackers use keystroke loggers to intercept the user's keystrokes and find their passwords. Those keystroke loggers are able to save all the user's keystrokes to files or send them to a remote destination. There are two types of keystroke loggers: software based and hardware based. Hardware keystroke loggers must be physically installed on the system, while software keystroke loggers can be the action of a Trojan horse. A few examples of keystroke loggers are ISpyNow, PC Activity Monitor and Remote Spy, and the following figure shows an example of a hardware keystroke logger.
If the hacker is not able to track down the user's password, he will try to get access to the systems using network attacks. There are several methods hackers use to attack networks; a few of them are listed below.
Sniffing is the process of capturing data from a network as it passes and storing it to process offline. For this, hackers use various sniffing tools with different capabilities. Some sniffers can only work with TCP/IP, while more sophisticated sniffers work with many other protocols, including data link layer protocols. Sniffing attacks can also be used to grab user logins and passwords: as telnet, HTTP, POP and SMB send password data in plain text across the network, it can easily be grabbed with a sniffing attack.
Sniffing can be either active or passive.
Passive sniffing is performed on hub networks, where the speciality is that all the machines in the network see all the traffic of the other machines, so the hacker can capture almost every data packet that travels through the network. As hub networks are not found in real environments, passive sniffing is very unlikely to happen.
Active sniffing takes place in switched networks, where the hacker will not be able to see other users' traffic except broadcast data. Thus the only possible attack is the man-in-the-middle attack, in which an attacker is positioned in the middle of the communications between two legitimate entities in order to capture the data that passes between the two parties.
As mentioned earlier, there are several sniffing tools available with different capabilities. The most popular is Wireshark, formerly known as Ethereal. It is a free network protocol analyzer that supports both Windows and Linux operating systems. It is a very sophisticated tool, capable of capturing traffic on the network and saving it to disk, filtering traffic according to requirements, and showing summary and detailed information for each packet.
A few other sniffing tools are Packetyzer, Dsniff, TCPDump and Snort.
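The same property that makes telnet, HTTP, POP and SMB attractive to a sniffer, credentials in plain text, is what a defender's monitor should look for on its own network. The following Python is an added example, not from the essay or from any of the tools named above: a small cleartext-credential detector run over constructed packet summaries. The addresses, the port-to-protocol table and the payloads are all made up for the example, and the detector records that a password passed without storing its value.

```python
import base64
import re

# Constructed packet summaries: (source, destination, destination port, payload bytes).
# They stand in for what a capture tool would hand to a filter.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", 110, b"USER alice\r\n"),
    ("10.0.0.5", "10.0.0.20", 110, b"PASS s3cret\r\n"),
    ("10.0.0.7", "10.0.0.30", 80,
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic Ym9iOmh1bnRlcjI=\r\n\r\n"),
    ("10.0.0.9", "10.0.0.40", 23, b"\xff\xfb\x18login: root\r\n"),
    ("10.0.0.5", "10.0.0.50", 443, b"\x16\x03\x01\x00\x05hello"),  # TLS: opaque, no alert
]

# Standard ports of the plaintext protocols the essay names; SMB is listed for
# completeness but its binary framing is not parsed in this example.
CLEARTEXT_PORTS = {23: "telnet", 80: "http", 110: "pop3", 139: "smb", 445: "smb"}

def inspect_packet(src, dst, dport, payload):
    """Return an alert dict if the packet exposes credentials in the clear, else None.
    Password values are never copied into the alert, only the fact that one passed."""
    proto = CLEARTEXT_PORTS.get(dport)
    if proto is None:
        return None
    text = payload.decode("latin-1")  # lossless for arbitrary bytes
    alert = {"src": src, "dst": dst, "proto": proto}
    if proto == "pop3":
        m = re.match(r"(USER|PASS) (\S+)", text)
        if m:
            field = m.group(1).lower()
            alert.update(field=field, value=m.group(2) if field == "user" else "<redacted>")
            return alert
    elif proto == "http":
        m = re.search(r"Authorization: Basic (\S+)", text)
        if m:
            # Basic auth is base64("user:password"); keep only the user part.
            user = base64.b64decode(m.group(1)).decode("latin-1").split(":", 1)[0]
            alert.update(field="basic-auth-user", value=user)
            return alert
    elif proto == "telnet":
        # Telnet is cleartext end to end; a login prompt means credentials follow.
        if "login:" in text or "Password:" in text:
            alert.update(field="login-prompt", value="")
            return alert
    return None

def scan(packets):
    """Run the detector over a packet list and return the alerts in order."""
    return [a for a in (inspect_packet(*p) for p in packets) if a is not None]

if __name__ == "__main__":
    for alert in scan(SAMPLE_PACKETS):
        print(alert)
```

Each alert names the host pair and protocol, which is what an administrator needs to find the service still accepting cleartext logins and replace it with an encrypted equivalent.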
A DoS attack is a network attack that results in some sort of interruption of service to users, devices or applications. Hackers use several mechanisms to generate a DoS attack. The simplest method is to generate large amounts of data appearing as valid network traffic. This type of network DoS attack saturates the network so that valid user traffic cannot get through.
A DoS attack can also take advantage of the fact that target systems such as servers must maintain state information. Applications may rely on expected buffer sizes and specific content of network packets, and a DoS attack can exploit this by sending packet sizes or data values that are not expected by the receiving application. These attacks attempt to compromise the availability of a network, host or application. They are considered a major risk because they can easily interrupt a business process and cause significant loss, and they are relatively simple to conduct, even by unskilled hackers.
Maintaining access: by this step the hacker has got into the system by some means, and this phase focuses on maintaining the established session. The hacker is then able to upload or download any file or insert any software tool. In this stage hackers try to establish a hidden path so that they can enter the system easily next time. To do that, they will insert malicious software such as Trojan horses, sniffers, keystroke loggers, etc.
Trojan horses are malware that carries out malicious operations under the appearance of a desired function. A virus or worm could carry a Trojan horse. A Trojan horse contains hidden, malicious code that exploits the privileges of the user who runs it. Games can often have a Trojan horse attached to them: when the game is run it works, but in the background the Trojan horse has been installed on the user's system and continues running after the game has been closed.
The Trojan horse concept is flexible. It can cause immediate damage, provide a back door to a system, or perform actions such as password capturing, keystroke capturing and executing DoS attacks. Some advanced hackers write custom Trojan horses according to their requirements, and those are very hard to detect.
There are many examples of Trojan horses, such as Tini, netcat, SubSeven, Back Orifice, etc.
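A Trojan horse that keeps running after the game closes has left something on disk, and a file integrity baseline is the standard way to notice it. The following Python is an added example, not from the essay or from any tool it names: it hashes a directory tree, keeps the result as a baseline, and reports files added, removed or modified since. The `demo` function builds a throwaway directory with constructed contents and then simulates what a Trojan leaves behind, so it runs offline; the file names used are made up for the example.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Return {relative path: sha256 hex} for every regular file under root.
    Paths are normalised to '/' so snapshots compare across platforms."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return baseline

def compare(baseline, current):
    """Diff two snapshots; returns (added, removed, modified) as sorted path lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed scenario: snapshot a clean tree, then simulate a Trojan horse
    (game binary wrapped with a payload, a dropped backdoor, a deleted file) and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "games"))
        with open(os.path.join(root, "games", "solitaire.exe"), "wb") as fh:
            fh.write(b"clean game binary (constructed)")
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"original readme (constructed)")
        baseline = hash_tree(root)

        # Simulated compromise, all constructed for the example.
        with open(os.path.join(root, "games", "solitaire.exe"), "wb") as fh:
            fh.write(b"game binary with extra payload (constructed)")
        with open(os.path.join(root, "games", "svchost.exe"), "wb") as fh:
            fh.write(b"backdoor (constructed)")
        os.remove(os.path.join(root, "readme.txt"))

        return compare(baseline, hash_tree(root))

if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
```

The baseline itself must be stored where the intruder cannot rewrite it (read-only media or another host); otherwise an attacker with the privileges described in the gaining-access phase simply re-baselines after planting the Trojan.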
Covering tracks is the final step of the hacking framework; here the hacker deletes all the evidence and tracks of his access. Generally, any operating system keeps a record of user logins, file deletions, file insertions, installations, etc. So once a hacker logs into a system, his attempts and actions are logged in the operating system log files, and the hacker has to delete these logs.
Although this is a very hard task to perform in reality, there are tools that take alternative actions such as disabling operating system auditing, deleting all the log records, deleting temporary log files, etc. By executing tools like these they can delete their tracks, usually along with all the other log files; therefore the system administrator may realise that the system has been compromised. The software tool auditpol.exe is one such tool that is able to disable OS logging.
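The defender's answer to track covering is logging that makes deletion visible. The following Python is an added example, not from the essay or from any tool it mentions, of a tamper-evident log: each record's digest covers the previous digest, so removing or editing a record breaks the chain from that point on, and a copy of the last digest kept off the host (the `anchor`) exposes truncation of the tail, which an internal check alone cannot see. The log lines and the seed are constructed.

```python
import hashlib

# Constructed log lines of the kind an operating system writes and an intruder wants gone.
SAMPLE_LOG = [
    "2010-03-01T10:00:01 login user=alice src=10.0.0.5 result=success",
    "2010-03-01T10:02:13 login user=administrator src=203.0.113.9 result=failure",
    "2010-03-01T10:02:15 login user=administrator src=203.0.113.9 result=success",
    "2010-03-01T10:03:40 file_create path=C:\\Windows\\Temp\\kl.exe user=administrator",
    "2010-03-01T10:04:02 audit_policy_change user=administrator action=disable",
]

# Constructed seed; in practice a secret kept off the logging host.
SEED = b"constructed-seed-stored-off-host"

def _digest(prev, line):
    return hashlib.sha256(prev + line.encode("utf-8")).digest()

def chain_logs(lines, seed=SEED):
    """Return [(line, hex digest)] where digest_i = SHA-256(digest_{i-1} || line_i)."""
    prev = hashlib.sha256(seed).digest()
    records = []
    for line in lines:
        prev = _digest(prev, line)
        records.append((line, prev.hex()))
    return records

def verify_chain(records, seed=SEED):
    """Return the index of the first record whose digest does not match, or -1 if intact.
    Deleting or editing any record invalidates it and every later record."""
    prev = hashlib.sha256(seed).digest()
    for i, (line, digest) in enumerate(records):
        prev = _digest(prev, line)
        if prev.hex() != digest:
            return i
    return -1

def verify_anchor(records, anchor):
    """Truncating the tail leaves the remaining chain internally consistent, so the
    last digest must also match a copy held elsewhere (e.g. on a remote log host)."""
    return bool(records) and records[-1][1] == anchor

if __name__ == "__main__":
    records = chain_logs(SAMPLE_LOG)
    anchor = records[-1][1]
    tampered = records[:3] + records[4:]   # intruder removes the file_create record
    truncated = records[:-1]               # intruder removes the last record
    print(verify_chain(records), verify_chain(tampered), verify_anchor(truncated, anchor))
```

Hash chaining does not stop an intruder with administrator rights from deleting the file; it ensures the deletion cannot be made to look like nothing happened, which is what the evidence-gathering design later in this report relies on.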
Attackers also need to hide the files they uploaded to the systems, and to do this there are a few techniques available called wrappers. These wrapper tools are able to hide the uploaded data as a picture file.
Design an Evidence Gathering Prototype
Importance of an Evidence Gathering Prototype
As shown above, the possibilities and opportunities for a company to be targeted by a malicious attack are limitless. Although implementing correct firewall and security policies can minimize the exposure of many systems to hackers, it is very unrealistic to completely avoid security breaches in a computer system. Therefore, it is very important to detect intrusion activities and limit as much as possible the damage they can produce. Installing a well-planned and well-configured evidence gathering prototype with intrusion detection and honeypot capabilities will do that.
In general, intrusion detection systems are able to record all the system activities on a given host or network. Thus if the monitored system is compromised or targeted by an attack, all the information useful for tracking the attacker is recorded in the IDS. Sometimes they can alert the system administrators about the attacks as well. Another feature of such systems is that they are able to recognize violations of an organization's security and acceptable use policies, such as transfers of inappropriate material through the company's network, downloads of unauthorized data files, access to restricted content, use of unauthorized applications, etc. Also, some systems are able to identify reconnaissance activities, which may be followed by hacking attacks.
As these systems keep a log of every such incident, system administrators can use that data in their ethical hacking exercises. Furthermore, they can get an idea of the techniques attackers use, the attack launch periods, times and frequencies, the common types of attack they receive, the locations of the attackers, etc. A side advantage of installing an IDS is the deterring of hacking attempts: being aware that their activities are being monitored, hackers might be less prone to launch attacks.
Thus installing a system for the purpose of evidence gathering is very crucial, and the rest of this document will focus on designing a better prototype for that purpose. Note, however, that a hacker may be able to identify whether an IDS is present in the system and, if so, may first attack the IDS to bring it offline.
Architecture of the prototype
The general idea of this prototype is to provide a new defence mechanism for networks against a huge variety of behavioural network attacks, especially rootkit attacks, buffer overflows, DoS/DDoS attacks, SQL injections and many other types of hacking into a network. By keeping records of malicious behaviours and providing a way to track down intruders, this system will be a whole new protection concept for current network intrusion threats.
Techniques such as intrusion prevention systems, honeypots and network sniffers can be used as a first line of defence to fight unauthorized access to networks and network resources. However, it is hard to use each of them separately in a network to prevent malicious attacks, so a good system should combine all those techniques in a single system. A single technique alone will not suit either, as each may have its own tribulations.
Thus the prototype being designed uses all the techniques mentioned above. It will work as a choke point between the WAN and the LAN, so all network traffic must flow through it and will be inspected there. Architecturally, the prototype consists of three intrusion detection systems, a honeypot and a monitoring console. The three IDSs are signature-based, anomaly-based and stateful protocol analysis IDSs. All incoming network traffic is inspected by these IDSs before entering the LAN. If the IDSs detect any suspicious behaviour, they send an alarm message to the honeypot. The malicious traffic then starts to circulate among the IDSs without the intruder's knowledge, so the intruder is not able to perform continuous actions because the IP addresses of the traffic keep changing. The honeypot monitors all the network traffic forwarded by the IDSs and keeps records of all behaviours. Whether the network traffic is allowed or denied entry to the LAN is decided by monitoring the behaviour of the incoming traffic at the honeypot. A separate monitoring console is connected to the honeypot; it also has an online monitoring and logging system so that the sources of any malicious traffic can be identified. The following figure shows an overview of the system.
The signature-based IDS has a predefined database of attack signatures and compares all network packets against the attack signatures in the database.
The anomaly-based IDS compares the network traffic against a profile built by previous training on network traffic behaviours and by continually sampling all activities occurring within the system. Therefore it can react to new zero-day attacks.
The stateful protocol analysis IDS relies on vendor-developed universal profiles that specify how particular protocols should and should not be used when taking decisions.
The core of the system is the honeypot, which monitors all the network traffic flowing through it.
The monitoring console has a real-time logging and tracking system implemented on it. This console provides real-time monitoring and an online tracking system to track down and locate the intruder's source.
The network traffic database stores all the information about the traffic flows the honeypot encountered, the signature database and the IP addresses of all malicious or suspicious traffic flows.
Capabilities of the prototype
Signature based Intrusion Detection System
Knowledge is accumulated by IDS vendors about specific attacks and how they are carried out. Models of how the attacks are carried out are developed and called signatures. Each identified attack has a signature, which is used to detect an attack in progress or determine whether one has occurred within the network. Any action that is not recognized as an attack is considered acceptable.
Anomaly based Intrusion Detection System
These are behaviour-based products that do not contain databases of attack signatures. They first go through a learning mode to build a profile of the normal behaviour of a system or network by continually sampling all activities occurring within the system. These IDSs will be configured to detect zero-day attacks, meaning new and unknown threats. All the anomaly-based IDSs will be trained using accepted penetration tools such as GFI LANguard, Nessus, Nmap, Retina, NetCat and Enstealth. After the profile is built, all activities are compared against it; if anything occurs that does not match the profile, an alarm is triggered and the packets are tagged.
Stateful-protocol analysis Intrusion Detection System
This is a little similar to the anomaly-based detection technique, but it relies on profiles provided by the device vendors. Those profiles enable the IDPS to understand and track the state of network, transport and application protocols that have a notion of state. It can thus identify unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command without first issuing another command on which it depends.
A honeypot is essentially a decoy network-accessible resource that can be deployed in a network as a surveillance and early-warning tool. The techniques used by attackers who attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques. Such analysis can be used to further tighten the security of the actual network being protected by the honeypot. All traffic entering and leaving the honeypot is logged. Honeypots can carry risks to a network and must be handled with care: if they are not properly walled off, an attacker can use them to break into a system.
The monitoring console examines the intrusion methods and traffic flows used by the intruder. This analysis is done in synchronization with the honeypot, and the details are used to create complete reports about the encounters. The tracking system installed on the console provides a complete track of the intruder.
The prototype can analyse the behaviour of incoming traffic, since all traffic must go through the system. For any intrusion that matches the signatures, the signature-based IDS will immediately alarm the honeypot. By recording and tracking the traffic pattern, a decision can be taken whether to drop the identified traffic or to track back to the source of the intruder.
As the final action, the detected or suspicious traffic is redirected to the honeypot. Making use of the online tracking and logging system, the prototype records all the behaviours in real time and provides a tracking system to catch the intruders.
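To make the three detection techniques and the honeypot redirect concrete, the following Python is an added, deliberately simplified model of the pipeline described in this section; it also covers the flood-style DoS described under gaining access, which is the case the anomaly detector catches. It is not the prototype's code and not any vendor's. A signature detector, an anomaly detector trained on constructed benign traffic, and a stateful SMTP command-order check inspect constructed packets; tagged packets are routed to an in-memory honeypot with their tags, as the monitoring console would log them, and the rest go to the LAN. All addresses, the two toy signatures and the x3 rate threshold are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

def pkt(src, dport, t, payload):
    """One packet summary: source address, destination port, arrival second, text payload."""
    return {"src": src, "dport": dport, "t": t, "payload": payload}

# Constructed training traffic: five internal clients, one harmless request per second each.
TRAINING = [pkt("10.0.1.%d" % (i % 5 + 10), 80, i // 5, "GET /index.html") for i in range(50)]

# Constructed live traffic: one clean request, one SQL injection attempt, a 40-packets-
# per-second flood from one outside host, and an SMTP session issuing DATA before RCPT.
LIVE = (
    [pkt("10.0.1.12", 80, 100, "GET /page?id=7")]
    + [pkt("10.0.1.13", 80, 101, "GET /login?user=x' OR 1=1 --")]
    + [pkt("203.0.113.9", 80, 102, "GET /") for _ in range(40)]
    + [pkt("10.0.1.14", 25, 103, c) for c in ("HELO mail.example", "DATA", "MAIL FROM:<a@b>")]
)

# Signature-based IDS: fixed patterns of known attacks (two toy signatures, constructed).
SIGNATURES = {
    "sqli": re.compile(r"'\s*OR\s+1=1", re.I),
    "traversal": re.compile(r"\.\./\.\./"),
}

def signature_detect(p):
    return [name for name, rx in SIGNATURES.items() if rx.search(p["payload"])]

class AnomalyDetector:
    """Anomaly-based IDS: learns the peak per-source packet rate from training
    traffic and tags sources that exceed it by a factor (a flood-style DoS)."""
    def __init__(self, training, factor=3.0):
        peak = max(Counter((p["src"], p["t"]) for p in training).values())
        self.threshold = peak * factor

    def flooding_sources(self, packets):
        counts = Counter((p["src"], p["t"]) for p in packets)
        return {src for (src, _t), n in counts.items() if n > self.threshold}

# Stateful protocol analysis: which SMTP command must precede each command.
SMTP_PREDECESSORS = {"HELO": None, "EHLO": None, "MAIL": {"HELO", "EHLO"},
                     "RCPT": {"MAIL", "RCPT"}, "DATA": {"RCPT"}}

class StatefulSmtpDetector:
    """Tracks the last accepted SMTP command per source; an out-of-order command is
    tagged and, like a real server answering 503, does not change the state."""
    def __init__(self):
        self.state = defaultdict(lambda: None)

    def detect(self, p):
        if p["dport"] != 25:
            return []
        cmd = p["payload"].split()[0].upper().rstrip(":")
        required = SMTP_PREDECESSORS.get(cmd)
        if required is not None and self.state[p["src"]] not in required:
            return ["smtp-out-of-order"]
        self.state[p["src"]] = cmd
        return []

def run_ids(training, live):
    """Inspect live packets with all three IDSs; tagged packets go to the honeypot
    with their tags, untagged packets go on to the LAN."""
    anomaly = AnomalyDetector(training)
    smtp = StatefulSmtpDetector()
    flooding = anomaly.flooding_sources(live)
    lan, honeypot = [], []
    for p in live:
        tags = signature_detect(p) + smtp.detect(p)
        if p["src"] in flooding:
            tags.append("rate-anomaly")
        (honeypot if tags else lan).append({**p, "tags": tags})
    return lan, honeypot

def tag_summary(honeypot):
    """Count of each tag across the honeypot records, as the console would report."""
    return dict(Counter(tag for rec in honeypot for tag in rec["tags"]))

if __name__ == "__main__":
    lan, honeypot = run_ids(TRAINING, LIVE)
    print(len(lan), "to LAN;", len(honeypot), "to honeypot:", tag_summary(honeypot))
```

The model shows why the section combines three techniques: the SQL injection is invisible to the rate and state checks, the flood carries a perfectly ordinary payload, and the malformed SMTP session is neither a known signature nor abnormal in volume.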
Commercially available Intrusion Detection Systems
Snort is a free and open-source network-based IDS and the most commonly used intrusion detection system. It is a software-based NIDPS that is able to perform both protocol analysis and content searching. Snort has intrusion prevention capabilities as well, so it is used both to actively block and to passively detect a variety of attacks and probes. It uses signature, protocol and anomaly-based inspection for intruder detection.
Cisco Secure IDS
This is an IDS introduced by Cisco Systems. It is able to detect malicious activities using signature, anomaly and stateful protocol analysis techniques. It can get the latest signatures and profiles directly from Cisco Security Intelligence Operations. It is a hardware-based system and is thus able to handle a high volume of data.
The first section of this case study discussed ethical hackers, ethical hacking and the hacking framework. It covered ethical hackers, their efforts to find leaks in computer systems, the five steps of the hacking framework and the tools used in each phase.
The second section of the report focused on a hacking evidence gathering prototype. It discussed hacking evidence gathering techniques and commercial tools for evidence gathering, and introduced a new prototype for that purpose.