An ethical hacker is a security professional who helps an organization take defensive measures against malicious attacks; the process they follow to find the vulnerable points is called ethical hacking. It is also known as penetration testing or intrusion testing. The ethical hacker gets into the mind of a computer criminal and thinks like one, to find the innovative ways an attacker might use to get into the systems. The organization can then take the required actions to close those vulnerabilities.
Almost all computer systems have vulnerabilities that a hacker can exploit to do damage. These may be due to an unpatched application, a misconfigured router or a rogue network device, and they will not be detected unless the network is penetrated and its security posture assessed for vulnerabilities and exposures on a regular basis. As hacking is a felony in most countries, ethical hackers should only operate with the required (written, scoped) permission and with the knowledge of the organization they are trying to defend. In some cases, to check the effectiveness of its security team, an organization will not inform that team of the ethical hacker's activities. This is referred to as operating in a double-blind environment.
To perform productive penetration testing, the ethical hackers conducting the test must have a variety of in-depth computer skills. They should know how to look for weaknesses and vulnerabilities in target systems and must know the tools a malicious hacker uses to break into systems. However, because nobody can be an expert in every platform an organization uses, such as UNIX, Windows, Linux and Macintosh systems, ethical hacking is usually conducted by teams whose members' skills complement each other.
Generally, hackers are divided into three classes, based on the purpose of their hacking:
- Black-hat hackers are individuals who have the computing expertise needed to carry out harmful attacks on information systems. They generally use their extraordinary knowledge and skills for personal gain. Black-hat hackers are also known as crackers.
- Gray-hat hackers are individuals with a split personality. At times such an individual will not break the law and may in fact help to defend a network; at other times the gray-hat hacker reverts to black-hat activities. Their behaviour therefore cannot be predicted.
- White-hat hackers are individuals who usually have exceptional computer skills and use their abilities to improve the security posture of information systems and defend them from malicious attacks. These individuals are typically information security consultants or security analysts.
Why Ethical Hacking is Needed?
Although many people know hacking is a harmful thing, most of them do not think that they themselves could be hacked. That is not the real situation. Almost every computer system has a security hole through which an attacker could get in, and for security purposes these vulnerabilities need to be closed. One of the most important reasons for ethical hacking is to find those security holes in an organization's network. To do this, companies can hire security experts who have a thorough knowledge of cyber security and are trained as ethical hackers, so they can use that knowledge to break into the systems and find the insecure areas. The company can then take the necessary actions to secure its network.
There are two kinds of security hole that an ethical hacker can identify:
- Holes that let an attacker break into systems to steal data. If a company is compromised by this sort of attack it loses not only information or money but its reputation as well, and it may then lose customers who no longer feel that their personal information and data are safe.
- Holes that let viruses and other malware in. If the company network is compromised by a virus, the entire network can be shut down in minutes. Worse, some viruses perform destructive actions such as deleting data, so the company may lose important data.
Thus, to improve the overall security posture and avoid theft of intellectual property, regular ethical hacking is critical for an IT company. More importantly, it can save the company millions and build its reputation as well. Because the penetration test is performed with the mindset of an attacker trying to get into the system, the company can rely on the professional ethical hacker's report to adjust its security posture.
Anatomy of an Ethical Hack
Initially, "hacking" meant having the extraordinary skill needed to break into a system. Today, however, many automated tools are freely available on the Internet, making it possible for anyone with the desire to hack to succeed in breaking into a system. The five phases of the ethical hacking process are:
1. Reconnaissance
Reconnaissance is the preparatory phase in which an attacker gathers information about the target system before launching the attack. For an attacker, this phase may also involve scanning the network, internally or externally, without any authorization.
One way of gathering information during this phase is "social engineering". A social engineer is a person who smooth-talks and persuades people into revealing personal or sensitive information such as passwords or security policies. Social engineering is one of the easiest ways to hack, as it requires no technical skills, and one of the hardest forms of attack to defend against, as humans are the weakest link in the security chain. All the security measures an organization has taken go to waste when its employees are "social engineered". Detecting social engineering attacks is difficult, as there is no technical control that reliably detects such attempts, and in most cases the victims themselves are not aware of having revealed sensitive information. "Rebecca" and "Jessica" are the common terms for people who are easy targets for social engineering attacks, such as a receptionist or a support executive.
"Dumpster diving" is another way of gathering information. It is the process of looking for discarded sensitive information in an organization's trash. It is one of the most effective ways of gathering information, as it may provide attackers with even more sensitive information such as usernames, passwords, ATM slips, social security numbers and bank statements.
It is important that an organization has appropriate policies in place to protect its assets, and also gives employees proper guidance on them.
Reconnaissance techniques can be classified as passive or active. In passive reconnaissance the attacker does not interact with the target system directly, but uses means such as social engineering or dumpster diving to gather information. In active reconnaissance the attacker uses tools for port scanning and network scanning to learn details of the applications, operating system and so on. The reconnaissance phase often overlaps with the scanning phase.
2. Scanning
Scanning precedes the actual attack and is one of the important phases of information gathering, in which the attacker learns the target's IP addresses, operating system, system architecture and the services running on the system in order to find ways to intrude into it. The strategy for launching the attack is based on the information gathered. The organization's risk is considered high in the scanning phase, because it gives the attacker the view of the network needed to gain access.
The different types of scanning are:
- Port scanning: the procedure for identifying the open ports and the services running on the target system.
- Network scanning: the procedure for identifying IP addresses and active hosts on a network, either to attack them or as part of a network security assessment.
- Vulnerability scanning: an automated method for identifying known vulnerabilities present in the systems and the network.
Some of the important tools used in this phase are Nmap, which is used for port scanning and also offers advanced features such as remote OS detection, and Nessus, a vulnerability scanner that detects local flaws, missing patches and weaknesses in network hosts. Nessus has a vulnerability database which is updated daily, with new checks developed for recently disclosed security holes.
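The port scan described above, written out as an added example (not code from the original article or from Nmap): a TCP connect scan, the kind `nmap -sT` performs, that classifies each port as open, closed or filtered from how the connection attempt fails and grabs the banner an open service volunteers. The target is a constructed listener on 127.0.0.1 so the example runs offline; the helper names `start_fake_service` and `unused_port` are assumptions made for the demo.

```python
"""TCP connect port scanner with banner grabbing (added example).

Assumptions (not from the original page): scanning is a plain TCP
connect() per port, as nmap -sT would do; the 'target' is a constructed
listener on 127.0.0.1 so the example runs offline.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def scan_port(host, port, timeout=0.5):
    """Classify one port as 'open', 'closed' or 'filtered' and grab a banner.

    connect() refused   -> closed   (host answered with RST)
    connect() timed out -> filtered (something dropped the SYN, e.g. a firewall)
    connect() succeeded -> open; read up to 128 bytes the service volunteers
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        sock.close()
        return port, "closed", ""
    except OSError:  # includes socket.timeout
        sock.close()
        return port, "filtered", ""
    banner = ""
    try:
        banner = sock.recv(128).decode("ascii", "replace").strip()
    except OSError:  # service stays silent until it receives a request
        pass
    finally:
        sock.close()
    return port, "open", banner


def scan_range(host, ports, workers=32):
    """Scan several ports concurrently; returns {port: (state, banner)}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: scan_port(host, p), ports)
        return {p: (state, banner) for p, state, banner in results}


def start_fake_service(banner):
    """Constructed target: a loopback listener that greets each client with `banner`.

    Returns (server_socket, port); close the socket to stop the thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_port():
    """Constructed helper: pick a port with nothing listening (for a 'closed' result)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    closed_port = unused_port()
    for p, (state, banner) in sorted(scan_range("127.0.0.1", [open_port, closed_port]).items()):
        print(f"{p}/tcp {state} {banner}")
    srv.close()
```

A full TCP handshake per port is noisy: every connection shows up in the target's logs, which is exactly why a scan is a detectable event and why the risk in this phase is high for the organization. Nmap's default SYN scan avoids completing the handshake, but the open/closed/filtered logic is the same.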
3. Gaining Access
This is one of the most important phases of an attack, as it is where the actual attack is carried out; the business risk is therefore highest in this phase. It is not a mandatory phase, since an attacker does not always need to gain access in order to cause damage, as in a denial-of-service attack. The main aim in this phase is to obtain elevated privileges, such as system privileges, in order to execute commands and access sensitive information.
During this phase the attacker launches attacks targeting the applications, the operating system and the network. To do that, hackers may launch DoS attacks, buffer overflow attacks and application attacks, and may even plant viruses and Trojan horses to get access to the network.
Another goal of the attacker is to gain the highest level of privilege obtainable, so that all tracks and evidence of the activity can be deleted without difficulty. If the NetBIOS port (TCP 139) is open and reachable, the easiest way to log in to the system is to guess a password, so the attacker's first attempt will be to guess the passwords of the most privileged accounts.
Most of the time this is easy, because most users choose easy-to-remember passwords. If any information about the user is available, such as a spouse's or child's name or a birthday, there is a good chance that the password is one of them or derived from one of them. There are also lists of commonly used passwords, which the attacker can try first. If guessing fails, the next step is to crack the password with an automated tool.
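Here is the guessing strategy just described as an added example (not from the original article): a candidate list built from a common-password list and from personal facts learned in reconnaissance, tried in order against a stored password hash, with an optional attempt cap that models the defender's lockout policy. The victim profile, the common-password excerpt and the salted PBKDF2 storage format are all constructed assumptions for the demo.

```python
"""Dictionary and profile-based password guessing against a stored hash (added example).

Assumptions (not from the original page): the defender stores salted
PBKDF2-HMAC-SHA256 hashes, the attacker knows the victim's profile from
reconnaissance, and the small COMMON_PASSWORDS list stands in for a real
wordlist. All data below is constructed for the example.
"""
import hashlib
import itertools
import os

# Constructed excerpt of a "most common passwords" list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "welcome"]


def personal_candidates(profile):
    """Yield guesses built from facts learned in reconnaissance.

    Each name is tried in lower case and capitalised, bare and with the
    suffixes people typically add: digits, '!', and the years in the profile.
    """
    words = [profile.get("name", ""), profile.get("spouse", ""), profile.get("pet", "")]
    words += profile.get("children", [])
    years = [y for y in (profile.get("birth_year"), profile.get("child_birth_year")) if y]
    suffixes = ["", "1", "123", "!"] + years
    for word in (w for w in words if w):
        for base in (word.lower(), word.capitalize()):
            for suffix in suffixes:
                yield base + suffix


def candidate_list(profile):
    """Common passwords first (cheapest wins), then profile-derived guesses, de-duplicated."""
    seen = set()
    for cand in itertools.chain(COMMON_PASSWORDS, personal_candidates(profile)):
        if cand not in seen:
            seen.add(cand)
            yield cand


def hash_password(password, salt, iterations=10_000):
    """Salted PBKDF2-HMAC-SHA256; iteration count kept low so the demo runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def guess_password(stored_hash, salt, profile, max_attempts=None):
    """Try candidates in order. Returns (password or None, attempts used).

    max_attempts models an account-lockout policy: with a lockout after 5
    failures the attacker only ever gets to try the common-password head of
    the list, which is why lockout plus a blocklist of common passwords
    blunts this attack.
    """
    attempts = 0
    for cand in candidate_list(profile):
        if max_attempts is not None and attempts >= max_attempts:
            break
        attempts += 1
        if hash_password(cand, salt) == stored_hash:
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed victim: chose the child's name plus birth year as a password.
    victim = {"name": "John", "spouse": "Mary", "children": ["Emma"], "pet": "Rex",
              "birth_year": "1980", "child_birth_year": "2012"}
    salt = os.urandom(16)
    stored = hash_password("Emma2012", salt)
    print(guess_password(stored, salt, victim))                  # found after a few dozen tries
    print(guess_password(stored, salt, victim, max_attempts=5))  # lockout stops it first
```

The same candidate generator, run by the defender against their own password hashes, is a cheap audit: any account it recovers is one an attacker with a LinkedIn profile and ten minutes would recover too.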
4. Maintaining Access
Once the attacker has gained access to the system or network, he tries to retain "ownership" of the compromised system so that he can return to it. Typically in this phase the attacker installs keyloggers to capture keystrokes, sniffers to capture network traffic, kernel-level rootkits to keep superuser access, and Trojan horses to obtain repeated backdoor access; he may also copy the password files so that he can get back in later. Trojan horses are malware that carry out malicious operations under the appearance of a desired function; a virus or worm may carry one. A Trojan horse contains hidden malicious code that runs with the privileges of the user who executes it. Games often have a Trojan horse attached: the game works when run, but in the background the Trojan horse has been installed on the user's system and keeps running after the game is closed. The Trojan horse concept is flexible. It can cause immediate damage, provide a back door into the system, or perform actions such as password capture, keystroke capture or launching DoS attacks. Advanced attackers write custom Trojan horses for the job in hand, and these are very hard to detect.
During this phase attackers may even harden the system against other attackers by fixing the vulnerability that gave them access to the system or network.
5. Clearing Tracks
This is the final phase of the hacking framework, in which the attacker deletes all evidence and traces of the intrusion. Every operating system keeps a record of user logins, file deletions, file creation, software installation and so on, so once the attacker logs in to a system his attempts and actions are recorded in the operating system's log files. The attacker therefore has to remove these logs.
Although this is very hard to do cleanly in practice, there are tools that take shortcuts such as disabling operating system auditing, deleting all the log records or deleting temporary log files. By running such tools the attacker can remove his traces, but usually only together with all the other log entries, so the system administrator may still realise that the system has been compromised. The Windows tool auditpol.exe is one utility that can turn OS auditing off. Note that clearing the log and changing the audit policy are themselves logged events, and that logs already forwarded to a central collector survive anything done on the compromised host.
Attackers also need to hide the files they upload to the system, and for this there are a few techniques known as wrappers. These wrapper tools can hide the uploaded data inside a picture file, a form of steganography.
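Two practitioner checks for this phase, as added examples that are not part of the original article. The first is the detection side of the log-clearing paragraph: a small detector run on a central log collector over constructed sample records, flagging the events a Windows host emits when its security log is cleared (event ID 1102) or its audit policy is changed (4719, which is what auditpol.exe produces), plus an unexplained silence in an otherwise continuous log. The pipe-delimited record format and the sample lines are constructed assumptions.

```python
"""Detecting anti-forensic log tampering from event records (added example).

Assumptions (not from the original page): events arrive as simple
pipe-delimited lines 'timestamp|channel|event_id|subject|detail' on a
central log collector, i.e. a copy the attacker cannot erase from the
compromised host. The sample lines are constructed; the Windows event
IDs used are real: 1102 = audit log cleared, 4719 = audit policy changed
(what auditpol.exe produces), 1100 = event logging service shut down.
"""
from datetime import datetime, timedelta

TAMPER_EVENTS = {
    "1102": "security log cleared",
    "4719": "audit policy changed",
    "1100": "event log service stopped",
}

# Constructed sample: a normal morning, then someone disables auditing and clears the log.
SAMPLE_LOG = """\
2024-05-01T09:00:05Z|Security|4624|alice|logon type 2
2024-05-01T09:02:11Z|Security|4624|svc-backup|logon type 5
2024-05-01T09:03:40Z|Security|4688|alice|new process notepad.exe
2024-05-01T12:45:02Z|Security|4624|administrator|logon type 10
2024-05-01T12:46:30Z|Security|4719|administrator|Audit Logon: Success removed
2024-05-01T12:46:31Z|Security|1102|administrator|The audit log was cleared
2024-05-01T12:47:00Z|Security|4688|administrator|new process cmd.exe
"""


def parse_events(text):
    """Parse the constructed line format into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, channel, event_id, subject, detail = line.split("|", 4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "channel": channel, "id": event_id, "subject": subject, "detail": detail,
        })
    return events


def detect_tampering(events, max_gap=timedelta(hours=3)):
    """Return a list of alerts (time, kind, subject, detail).

    Two rules: (1) the tampering events themselves, which a host always
    emits when its log is cleared or its audit policy changed; (2) an
    unusually long silence from a host that normally logs continuously,
    which is what deleted records or a stopped logging service look like
    from the collector's side.
    """
    alerts = []
    prev = None
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] in TAMPER_EVENTS:
            alerts.append((ev["time"], TAMPER_EVENTS[ev["id"]], ev["subject"], ev["detail"]))
        if prev is not None and ev["time"] - prev["time"] > max_gap:
            alerts.append((ev["time"], "log gap", ev["subject"],
                           f"no records for {ev['time'] - prev['time']}"))
        prev = ev
    return alerts


if __name__ == "__main__":
    for when, kind, who, what in detect_tampering(parse_events(SAMPLE_LOG)):
        print(f"{when:%H:%M:%S} {kind:<24} {who:<14} {what}")
```

The gap threshold must be tuned to the host: a workstation that is switched off overnight will produce a legitimate gap every day, so in practice the rule is applied per host type or replaced by a heartbeat event.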
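The second added example (again not the original article's code) covers the wrapper paragraph. One simple way a wrapper hides uploaded data behind a picture is to append it after the image's final chunk, which image viewers ignore, so the file still opens as a normal picture. The check that finds it walks the PNG chunk list to IEND and reports anything that follows. The 1x1 cover image is built inline and the payload is constructed; `wrap_payload` and `png_trailing_data` are names assumed for this demo.

```python
"""Hiding a payload behind a picture file, and the check that finds it (added example).

Assumptions (not from the original page): the 'wrapper' simply appends
data after the image's final chunk, which viewers ignore, so the file
still opens as a picture. The PNG is built inline so the example runs
offline; the payload is constructed.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """PNG chunk: 4-byte big-endian length, 4-byte type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def make_png_1x1():
    """A valid 1x1 red RGB PNG (constructed cover image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB, no interlace
    scanline = b"\x00\xff\x00\x00"                          # filter type 0 + R,G,B
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


def wrap_payload(png, payload):
    """What a naive wrapper does: append the payload after IEND."""
    return png + payload


def png_trailing_data(blob):
    """Walk the chunk list to IEND and return whatever follows (b'' for a clean file).

    Raises ValueError if the file is not a well-formed PNG, which is itself
    worth flagging: a 'picture' that no parser accepts is not a picture.
    """
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(blob):
            raise ValueError("truncated chunk")
        if ctype == b"IEND":
            return blob[end:]
        pos = end
    raise ValueError("no IEND chunk")


if __name__ == "__main__":
    clean = make_png_1x1()
    stuffed = wrap_payload(clean, b"MZ\x90\x00 constructed payload")
    print(len(png_trailing_data(clean)), png_trailing_data(stuffed)[:2])
```

The same idea applies to JPEG (data after the EOI marker) and to any container with an explicit end-of-file structure; a file-integrity or upload-scanning job that parses the container rather than trusting the extension catches this class of wrapper, though not steganography that hides data inside the pixel values themselves.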