Ethical Hacking
ROULY BECHAR
Institut Henri Fayol, École Nationale Supérieure des Mines de St-Étienne
Ethical Hacking
• Independent computer security professionals who break into computer systems.
• They neither damage the target systems nor steal information.
• They evaluate the security of the target systems and report the vulnerabilities found back to the owners.
Ethical Hacking
• Completely trustworthy.
• Strong programming and computer networking skills.
• Learn about the system and try to find its weaknesses.
• Know the techniques of criminal hackers, and their detection and prevention.
• Have published research papers or released security software.
Five stages to hacking
1. Reconnaissance
2. Scanning
3. Gaining access
4. Maintaining access
5. Covering tracks
Reconnaissance
During this phase, a pentester uses a number of publicly available resources to learn more about the target. This information can be retrieved from Internet sources such as forums, bulletin boards, newsgroups, articles, blogs, social networks, and other commercial or non-commercial websites. Additionally, data can be gathered through search engines such as Google, Yahoo!, MSN Bing and others.
Reconnaissance
Two types of reconnaissance:
Passive:
• Google search
• Browse the company web page
• Social networks (Facebook, Twitter, …)
• …
Active:
• Network scan (nmap)
• Vulnerability scan
• Social engineering
• …
Reconnaissance
The purpose of reconnaissance is to identify the target's technologies in order to choose the suitable attacks:
• Where the web servers are
• Avoid broad scans
• Identify vulnerabilities
• Wi-Fi
• Network equipment
• Patch level
• Default configuration + passwords
Reconnaissance
Default configuration + passwords:
Passive Reconnaissance Resources
Netcraft (performed on École des Mines)
Passive Reconnaissance Resources
Google hacking
(username=* | username:* |) | ( ((password=* | password:*) | (passwd=* | passwd:*) | (credentials=* | credentials:*)) | ((hash=* | hash:*) | (md5:* | md5=*)) | (inurl:auth | inurl:passwd | inurl:pass) ) filetype:log
Passive Reconnaissance Resources
Google hacking
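The dork above finds log files that a web server exposes and that contain credential tokens. The defender's counterpart is to scan your own web root for the same tokens before a search engine does. The following is an added example, not code from the slides; the directory layout and the log lines in it are constructed for the demonstration, and the token patterns simply mirror the terms of the dork:

```python
import re
import tempfile
from pathlib import Path

# Token patterns modelled on the dork's terms: username=, password:, passwd=,
# credentials:, hash=, md5: followed by a value. Case-insensitive.
CREDENTIAL_PATTERNS = [
    re.compile(r"\b(username|password|passwd|credentials)\s*[:=]\s*\S+", re.I),
    re.compile(r"\b(hash|md5)\s*[:=]\s*[0-9a-f]{32}\b", re.I),
]


def scan_file(path: Path) -> list:
    """Return (path, line number, pattern) for every line carrying a credential token."""
    findings = []
    try:
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for pat in CREDENTIAL_PATTERNS:
                    if pat.search(line):
                        findings.append((str(path), lineno, pat.pattern))
                        break  # one finding per line is enough
    except OSError:
        pass  # unreadable file: skip, a real scanner would report it
    return findings


def scan_webroot(root, suffixes=(".log", ".txt")) -> list:
    """Walk a web root and scan every file whose suffix is in `suffixes`."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            findings.extend(scan_file(path))
    return findings


def build_sample_webroot() -> Path:
    """Constructed web root (hypothetical): one leaky log, one clean log, one page."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "logs").mkdir()
    (root / "logs" / "auth.log").write_text(
        "2024-01-01 10:00:00 login ok username=alice\n"
        "2024-01-01 10:00:01 debug password=hunter2\n"
    )
    (root / "logs" / "access.log").write_text(
        '10.0.0.1 - - "GET /index.html HTTP/1.1" 200\n'
    )
    (root / "index.html").write_text("<html>hello</html>\n")
    return root


if __name__ == "__main__":
    for path, lineno, pattern in scan_webroot(build_sample_webroot()):
        print(f"{path}:{lineno}: matches {pattern}")
```

Run it against the document root of a real server (after adjusting the suffix list) and treat every hit as a file that should either be moved out of the served tree or denied by the web server configuration; the scanner reports locations only and never prints the matched secret.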
Scanning
This phase mainly deals with identifying the target's network status, operating system, and its relative network architecture. This provides a complete image of the current technologies or devices interconnected and may help further in enumerating various services running over the network.
Scanning
Nmap:
Nmap can be used to check, for example, vulnerabilities in network services, enumerate resources on the target system, scan open ports, and so on. It can perform either a noisy or a quiet scan.
Example of quiet scan (replace <ports> with the port or range to probe):
nmap -Pn -p <ports> -sT <ip_address>
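A connect scan such as the one above completes the TCP handshake on every probed port, so each probe lands in the target's firewall or connection log. The added example below (not from the slides) shows the detection side: it replays constructed firewall-style log lines and flags any source that reaches a threshold of distinct destination ports within a sliding time window. The log format, addresses and thresholds are assumptions for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed connection log in a firewall-like key=value format (hypothetical).
# 203.0.113.5 walks several ports in a few seconds; 198.51.100.7 keeps hitting
# port 80 (a busy but legitimate client); 198.51.100.9 touches only two ports.
SAMPLE_LOG = """\
2024-03-01T10:00:00 src=203.0.113.5 dst=192.0.2.10 dport=21 proto=tcp
2024-03-01T10:00:01 src=203.0.113.5 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01T10:00:01 src=198.51.100.7 dst=192.0.2.10 dport=80 proto=tcp
2024-03-01T10:00:02 src=203.0.113.5 dst=192.0.2.10 dport=80 proto=tcp
2024-03-01T10:00:02 src=198.51.100.7 dst=192.0.2.10 dport=80 proto=tcp
2024-03-01T10:00:03 src=203.0.113.5 dst=192.0.2.10 dport=443 proto=tcp
2024-03-01T10:00:04 src=203.0.113.5 dst=192.0.2.10 dport=3306 proto=tcp
2024-03-01T10:00:05 src=198.51.100.7 dst=192.0.2.10 dport=80 proto=tcp
2024-03-01T10:00:30 src=203.0.113.5 dst=192.0.2.10 dport=8080 proto=tcp
2024-03-01T10:00:31 src=198.51.100.9 dst=192.0.2.10 dport=22 proto=tcp
2024-03-01T10:00:32 src=198.51.100.9 dst=192.0.2.10 dport=443 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=\S+ dport=(?P<port>\d+)")


def parse_events(text: str) -> list:
    """Parse log lines into (timestamp, source, destination port), oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["port"])))
    events.sort(key=lambda e: e[0])
    return events


def detect_port_scans(text: str, distinct_ports: int = 5, window_seconds: int = 10) -> dict:
    """Map each scanning source to the timestamp at which it first crossed the threshold.

    A source is flagged once it has contacted `distinct_ports` different ports
    within any `window_seconds` interval. Repeated hits on one port never count.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, port) inside the window
    alerts = {}
    for ts, src, port in parse_events(text):
        q = recent[src]
        q.append((ts, port))
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop probes that fell out of the window
        if src not in alerts and len({p for _, p in q}) >= distinct_ports:
            alerts[src] = ts.isoformat()
    return alerts


if __name__ == "__main__":
    for src, when in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} at {when}")
```

The window and threshold are the tuning knobs: a short window with a high threshold catches the "noisy" scan the slides mention, while a deliberately slow scan only shows up if the window is widened, at the cost of more false positives from busy legitimate clients.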
Gaining access
Metasploit
• Exploits
• Payloads
Privilege escalation
After exploiting the vulnerabilities and gaining access to the target machine, you can use tools in this category to escalate your privilege to the highest privilege.
Privilege escalation
• Attacking the passwords used by the privileged accounts
• Sniffing the network to get the privileged accounts' usernames and passwords
• Spoofing the network packets of the privileged accounts to run a particular system command
Attacking the password
• Offline attack: In this method, the attacker gets the password file from the target machine and transfers it to his own machine. Then he uses a password-cracking tool to crack the passwords. The advantage of this method is that the attacker doesn't need to worry about any password-blocking mechanism on the target machine, because he uses his own machine to crack the passwords.
• Online attack: In this method, the attacker guesses the password for a username directly against the target. This may trigger the system to block the attacker after several failed password guesses.
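The two attack styles above have two distinct mitigations on the account-store side: a salted, deliberately slow password hash raises the cost of cracking a stolen password file offline, and a per-account failure counter with a temporary lock throttles online guessing. The following is an added example, not code from the slides, of a small account store that does both; the iteration count, lock duration and failure limit are assumed values to tune per deployment.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed value: raise it as hardware gets faster
MAX_FAILURES = 5             # assumed: failed guesses allowed before a lock
LOCK_SECONDS = 300           # assumed: how long an account stays locked


class PasswordStore:
    """Account store hardened against offline cracking and online guessing."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable clock so the lockout can be tested deterministically
        self._accounts = {}  # username -> {"salt", "hash", "failures", "locked_until"}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Slow KDF: every guess in an offline attack pays for all iterations.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)  # unique per account: precomputed (rainbow) tables do not apply
        self._accounts[username] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and self._clock() < acct["locked_until"]

    def login(self, username: str, password: str) -> bool:
        acct = self._accounts.get(username)
        if acct is None:
            # Burn a hash anyway so unknown usernames are not distinguishable by timing.
            self._derive(password, b"\x00" * 16)
            return False
        if self.is_locked(username):
            return False  # online attack mitigation: refuse even a correct password while locked
        if hmac.compare_digest(self._derive(password, acct["salt"]), acct["hash"]):
            acct["failures"] = 0
            return True
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = self._clock() + LOCK_SECONDS
            acct["failures"] = 0
        return False


if __name__ == "__main__":
    store = PasswordStore()
    store.register("alice", "correct horse battery")
    print("good password:", store.login("alice", "correct horse battery"))
    print("bad password:", store.login("alice", "guess"))
```

A lock that is keyed only on the username lets an attacker lock legitimate users out on purpose; production systems usually combine it with per-source rate limiting and alerting on the failure counter, so the same signal that blocks the guessing also reaches the SOC.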
Attacking the password: tools
• Offline attack: RainbowCrack, samdump, John, Ophcrack, Crunch, Wyd, …
• Online attack: BruteSSH, Hydra, …
Sniffing the network
A network sniffer is a software program or hardware device which is capable of monitoring network data. It is usually used to examine network traffic by copying the data without altering the contents. With a network sniffer you can see what information is available on your network.
Sniffing the network: tools
Hamster, tcpdump, tcpick, Wireshark, …
Spoofing the network
Network spoofing is the process of modifying network data, such as a MAC address, an IP address, and so on. The goal of this process is to be able to get the data exchanged between two communicating parties.
Spoofing the network: tools
arpspoof, Ettercap, …
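ARP-based spoofing works by answering for an IP address with the attacker's MAC, so from the defender's side the signal is an IP whose MAC changes, or one MAC claiming several IPs at once. The added example below (not code from the slides or from the tools listed) replays constructed ARP reply observations in a tcpdump-like format and raises both kinds of alert; the addresses are assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed ARP reply observations (hypothetical), in a tcpdump-like format.
# The gateway 192.168.1.1 is first seen at aa:bb:cc:00:00:01; later a second
# MAC answers for both the gateway and a workstation.
SAMPLE_ARP = """\
10:00:00 reply 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:01 reply 192.168.1.20 is-at aa:bb:cc:00:00:20
10:00:05 reply 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:09 reply 192.168.1.1 is-at de:ad:be:ef:00:99
10:00:10 reply 192.168.1.20 is-at de:ad:be:ef:00:99
"""

ARP_RE = re.compile(r"^(?P<ts>\S+) reply (?P<ip>\S+) is-at (?P<mac>[0-9a-f:]{17})$", re.I)


def parse_arp(text: str) -> list:
    """Yield (timestamp, sender IP, sender MAC) for each well-formed reply line."""
    out = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            out.append((m["ts"], m["ip"], m["mac"].lower()))
    return out


def detect_arp_spoofing(text: str, trusted: dict = None) -> list:
    """Return alerts as tuples; the first element names the alert kind.

    `trusted` maps IP -> expected MAC. IPs not in it are learned from their first
    sighting, which is weaker than a static table but still catches later changes.
    """
    expected = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse_arp(text):
        known = expected.setdefault(ip, mac)
        if mac != known:
            alerts.append(("ip-mac-change", ts, ip, known, mac))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(("mac-claims-multiple-ips", ts, mac, tuple(sorted(mac_to_ips[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP):
        print(*alert)
```

On a real segment the same check is what tools such as arpwatch perform continuously; feeding it a static table of gateway and server MACs (the `trusted` argument) removes the window in which a spoofed first sighting would be learned as legitimate.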
Spoofing the network
Demo
Maintaining access
The main purpose of these tools is to help us maintain access, bypass the filters deployed on the target machine, or create a covert connection between our machine and the target. By maintaining this access, we don't need to repeat the whole penetration-testing process if we want to get back to the target machine at any time.
Maintaining access(Tunneling)
Tunneling can be defined as a method to encapsulate a protocol inside another protocol. In our case, we use tunneling to bypass the protection provided by the target system. Most of the time, the target system will have a firewall that blocks connections to the outside world, except for a few common network protocols such as HTTP and HTTPS. In this situation, we can use tunneling to wrap our packets inside the HTTP protocol, and the firewall will allow these packets to go to the outside world.
Maintaining access(Tunneling)
DNS2tcp:
DNS2tcp is a tunneling tool that encapsulates TCP traffic in DNS traffic. When it receives a connection on a specific port, all of the TCP traffic is sent to the remote dns2tcpd server inside DNS traffic and forwarded to a specific host and port.
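Carrying TCP inside DNS leaves a footprint a resolver log can show: one client issuing many never-repeated, long, high-entropy names under a single zone, often with TXT queries. The added example below (not code from the slides or from DNS2tcp) scores constructed resolver log lines with those heuristics and flags the (client, zone) pairs that look like a tunnel; the log format, names and thresholds are assumptions, and grouping by the last two labels is a simplification that a real deployment would replace with a public-suffix lookup.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (hypothetical): "time client qname qtype".
# 10.0.0.5 browses normally; 10.0.0.7 sends long hex labels under tun.example.net.
SAMPLE_DNS = """\
10:00:00 10.0.0.5 www.example.com A
10:00:01 10.0.0.5 mail.example.com A
10:00:02 10.0.0.7 1f3a9c0e2b7d4d6a8f0c1e2d3b4a5c6d.tun.example.net TXT
10:00:02 10.0.0.7 9b8a7c6d5e4f3a2b1c0d9e8f7a6b5c4d.tun.example.net TXT
10:00:03 10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.tun.example.net TXT
10:00:03 10.0.0.7 ffeeddccbbaa99887766554433221100.tun.example.net TXT
10:00:04 10.0.0.7 3c2b1a09f8e7d6c5b4a3928170605f4e.tun.example.net TXT
10:00:05 10.0.0.5 cdn.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random hex tops out near 4.0, words sit far lower."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def registered_zone(qname: str) -> str:
    # Simplification: last two labels. Not correct for suffixes like co.uk.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dns_tunnels(text: str, min_unique: int = 5, min_label_len: int = 20,
                       min_entropy: float = 3.0) -> dict:
    """Return {(client, zone): stats} for pairs whose queries look like tunnel traffic."""
    groups = defaultdict(list)  # (client, zone) -> list of leftmost labels
    names = defaultdict(set)    # (client, zone) -> distinct full names
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, _ = parts
        key = (client, registered_zone(qname))
        groups[key].append(qname.split(".")[0])
        names[key].add(qname)
    flagged = {}
    for key, labels in groups.items():
        stats = {
            "queries": len(labels),
            "unique_names": len(names[key]),
            "mean_label_len": sum(map(len, labels)) / len(labels),
            "mean_entropy": sum(map(shannon_entropy, labels)) / len(labels),
        }
        if (stats["unique_names"] >= min_unique
                and stats["mean_label_len"] >= min_label_len
                and stats["mean_entropy"] >= min_entropy):
            flagged[key] = stats
    return flagged


if __name__ == "__main__":
    for (client, zone), stats in detect_dns_tunnels(SAMPLE_DNS).items():
        print(client, zone, stats)
```

Query volume to an otherwise unknown zone and the share of TXT or NULL records are the usual extra signals; the thresholds here are starting points, and a legitimate CDN or anti-spam service can produce long labels too, so the result is a lead for an analyst rather than a verdict.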
Maintaining access(Tunneling)
Ptunnel:
Ptunnel is a tool that can be used to tunnel TCP connections over ICMP echo request (ping request) and echo reply (ping reply) packets.
Maintaining access(Tunneling)
Stunnel4:
Stunnel4 is a tool that encrypts any TCP protocol inside SSL between local and remote servers.
Practical Example
DNS Poisoning
Demo
If you have any questions …..