Monday, June 3, 2019
Ethical Hackers And Ethical Hacking Information Technology Essay
The Internet and other information systems are playing a vital role in organizations today. More and more organizations have become dependent on network services, completely or partially. So, a single failure of the network can cause severe losses to the organization.

However, due to this huge demand for Internet and web services, computer security and the serious threats of computer criminals have come to the foreground. Computers around the world are systematically being victimized by hacking attacks every day. Most of the attacks are very organized, and the attackers are very knowledgeable about general system vulnerabilities. So if they find any of those vulnerabilities in a system, they might be able to steal everything they want from the system and completely cover their tracks in less than 20 minutes. That might be a huge loss for the company in terms of money and reputation. Hence, to avoid these kinds of attacks, companies should employ a mechanism to identify vulnerabilities in networks, applications and systems before they can be exploited. Generally, this is the job of an ethical hacker.

Ethical Hacking and Phases

Ethical Hackers and Ethical Hacking

An ethical hacker is a security professional who helps an organization take defensive measures against malicious attacks, and the process he follows to find those vulnerable points is called Ethical Hacking. Sometimes this is also known as Penetration Testing or Intrusion Testing. In this case, the ethical hackers get into the minds of computer criminals and think like them to find innovative ways the hackers may use to get into the systems.
Then organizations can take the required actions to avoid those vulnerabilities.

It has been found that almost all computer systems have vulnerabilities that can be exploited by a hacker to do damage. This can be due to an unpatched application, a misconfigured router or a rogue network device, and such weaknesses cannot be detected unless the networks are penetrated and the security posture is assessed for vulnerabilities and exposures on a regular basis. As hacking is a felony in most countries, ethical hackers should only operate with the required permission and knowledge of the organization that they are trying to defend. In some cases, to check the effectiveness of their security teams, an organization will not inform its teams of the ethical hackers' activities. This situation is referred to as operating in a double-blind environment.

To conduct productive penetration testing, the ethical hackers who carry out the testing must have a variety of in-depth computer skills. They should know how to look for weaknesses and vulnerabilities in target systems and need to have knowledge of the tools malicious hackers use for system hacking. However, because not everyone can be an expert in all the required fields that an organization uses, such as UNIX, Windows, Linux and Macintosh systems, ethical hacking is usually conducted by teams whose members' skills complement each other.

Generally, there are three classes of hacker. This classification is based on the hacking purpose of the hacker.

Black-Hat Hackers

These are individuals who have the necessary computing expertise to carry out harmful attacks on information systems. They generally use their extraordinary knowledge and skills for personal gain. Black-hat hackers are also known as crackers.

Gray-Hat Hackers

These are individuals with a split personality.
At times, this individual will not break the law and, in fact, might help to defend a network. At other times, the gray-hat hacker reverts to black-hat activities. Thus we cannot predict their behaviour.

White-Hat Hackers

These are individuals who usually have exceptional computer skills and use their abilities to increase the security posture of information systems and defend them from malicious attacks. These individuals are probably information security consultants or security analysts.

Why Ethical Hacking is Needed

Although many people know hacking as a horrible thing, most of them think that they would not be hacked. However, this is not the real situation. Almost every computer system has security breaches through which hackers could come in, and for security purposes these vulnerabilities need to be avoided. One of the most important reasons for ethical hacking is to find those security leaks in an organization's network. To do this, companies can hire security experts who have great knowledge of cyber security and are trained as ethical hackers. They can use their knowledge to hack into the systems to find insecure areas. Then the company can take the necessary actions to secure its networks easily.

There are two kinds of security leaks that an ethical hacker can identify.

Hacking into systems to steal data

If a company is compromised by this kind of attack, it will lose not only information or money but its reputation as well. That might cause it to lose customers, as they will not feel their personal information and data are completely safe.

Leaks that allow compromise by viruses

If the company network is compromised by viruses, the entire network can be shut down in just minutes. More than that, some viruses are able to perform harmful activities like data deletion.
So the company may lose important data.

Thus, to improve the overall security posture and avoid intellectual property theft, regular ethical hacking practice is very critical in an IT company. More importantly, it will help save the company millions and will build its reputation as well. Also, as this system penetration is performed with the mindset of a hacker who tries to get into the system, companies can completely rely on professional ethical hackers' reports to adjust the company's security posture.

Framework of Ethical Hacking

In order to complete ethical hacking processes successfully, ethical hacking professionals have introduced several phases to follow. They have broken down the complete process into several phases, and generally both malicious and genuine users follow that methodology. The following diagram illustrates those steps, and each is described in detail below.

Anatomy of hacking (Source: http://www.twincling.org/twincling/slides/ethicalhacking.pdf)

Reconnaissance

This is the first step of any hacking attempt, in which the attacker tries to gather as much information as possible about the target system. This process is also known as foot-printing. It may gather information in areas such as determining the network range, identifying active machines, finding open ports and detecting operating systems. There are two ways reconnaissance is performed.

Active reconnaissance

This is the process of live exploration of the system to find information such as running operating systems and services, open ports, routers and hosts.

Passive reconnaissance

This involves monitoring and finding information or clues on the network using network sniffers or other mechanisms.
The information can be domain names, locations, contact numbers, etc. Sometimes this involves mechanisms such as searching through an organization's or person's discarded materials.

Following are some of the clever ways or tools with which reconnaissance can be performed against a target network.

Using Google

This is the most common and cost-effective way of finding information about a company. As Google is the most commonly used search engine on the Internet, it can be used to find publicly available information about the target system. Sometimes, even though the company has removed the data from its web sites, Google will be able to provide information from its caches. Thus Google can be used to begin the reconnaissance process.

DNS Information tools

The next best way to get information about a company is its domain name. If you know the domain of a company, the rest of the information, such as its IP address, contact information and locations, can be found easily using DNS tools. For this purpose, the most common command-line tools are whois and dig, which show the above DNS information as text. Web sites like www.dnsstuff.com, www.samspade.org, www.geektools.com and www.easywhois.com provide the same information in a more user-friendly way. Those tools have various options and can provide information by querying with the IP address or the domain name.

Also, the command nslookup will map the domain name to the IP address or vice versa.

ARIN

ARIN is a very well-known web-based tool for finding the network ranges which a company holds. On entering a single IP address of the range, ARIN can give the whole network range the company owns.

Social Engineering

After learning the basic information about a company, the best way to get more information about the company is social engineering. Here, hackers trick people into revealing information themselves.
The common way is calling or meeting employees and tricking them to get more information.

Scanning

This is the second phase of the hacking framework and involves acquiring more detailed information based on the data collected in the earlier phase. It is very similar to active reconnaissance, and in this phase the attacker tries to dig a little deeper. Generally this phase includes activities such as identifying live hosts, discovering running services and their ports, and detecting the running OS. The main target in this phase is to build the blueprint of the target network, including the live host IP addresses and open service ports. The hackers use various scanners in this case, and a few of their techniques are listed below.

Ping

Ping is the best tool to identify the active hosts in a network. It can provide information such as the status of the host, the host name and TTL details. It is a very simple utility that uses ICMP packets for scanning. Ping sends ICMP packets to a target host, and if it receives the acknowledgment we know the system is active. There are a few handy tools that can be used to automate this ping process to check the availability of a range of IP addresses. A few examples of them are Hping, icmpenum and NetScan Tools.

Traceroute

Traceroute is a tool that can be used to map the location of a targeted host. It uses the same technology as Ping and shows the exact path to the target host.

NMap

NMap is the most popular port scanning tool, and it is a free and open-source utility. Both malicious and genuine users use it to identify vulnerabilities on computer systems. It has many options and is able to perform almost every type of scan, such as connect scans, half-open scans and SYN scans, on a targeted host. It is also a very useful tool for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
NMap can scan the hosts in a network range straight away, and it is able to detect the version of the operating system running on the targeted system too.

War Dialling

This is a tool that was widely used in earlier times to detect active modems in networks. It was a common hacking tool, as there were many dial-in modems available in networks to enable employees to log in to the network. The program automatically dials a defined range of phone numbers and logs the successful attempts in its database. But as modem technology is becoming obsolete very fast, this is not used very much.

Banner grabbing

Another useful technique to find out about running service ports is called banner grabbing. In this case the hackers try to connect to well-known ports such as 80, 8080, 25, 110, 23 and 22 using telnet. If the service being tried is running on the target server, it will display the service banner, including the type of the software and the running version. Thus the hackers can add that information to the blueprint they are building.

Enumeration (OS / Application Attacks)

This is the hacking technique of convincing target servers to provide information about the system which is vital to proceed with the attack. The information the attackers normally target is the resources and shares available in the system, valid users and user groups, and running applications. The common way of enumeration is by use of null sessions, the sessions which usually have no username or password. Once the hacker gets into the system, he starts enumeration by using tools to find the data he wants. There are several tools available to do these queries. NBTscan and NetBIOS Auditing Tool are a few of the commonly used tools.

Hackers also enumerate systems using the SNMP protocol. By enumerating over SNMP, hackers can get the information they want easily. This is an easier way than using a null session.
But as SNMP v3 sends data after encrypting it, that data needs to be decrypted before it is used. SNMPutils, IP Network Browser, SNMP Informant and Getif are some of the tools used for SNMP enumeration.

Gaining Access

As all the above phases are only preparation phases, this is the phase in which the actual attack is executed. The hacker will use the blueprint he created during the preliminary phases. During this phase the attacker tries to launch attacks targeting the applications, the operating system and the network. To do that, hackers may launch DoS attacks, buffer overflow attacks and application attacks, and they may even insert viruses and Trojan horses to get access to the network.

Another goal of the hackers is to gain the highest level of privileges they can get. If they do, they will be able to delete all the tracks and evidence of their activities without any issue. Also, if the NetBIOS TCP port 139 is open and accessible, the easiest way to log in to the system is to guess the password. Thus the first attempt of the attacker will be guessing the system passwords to enter the system with the highest level of privileges.

Most of the time this step will be an easy task, because most users set their password to an easy-to-remember one. Also, if any information is available about the user, like family members' names, children's names or a birthday, there is a great chance that the password is one of them. There are also lists of commonly used passwords, and the hackers can try those passwords to log in to the system. If they are unable to guess the password, the next step is to crack the password using an automated tool.

There are several strategies used by hackers to crack passwords.

Social Engineering

The easiest and most common method to crack a password: the hacker calls or meets the user and gets the password from him by some trick or fraud.

Dictionary cracking

Here the cracking is performed using collected words related to the user and a list of commonly used passwords.
The list is checked one by one, and usually this is an automated process done by a tool such as Legion.

Brute force cracking

This is an automated password cracking mechanism that just uses combinations of assorted characters, letters and symbols to guess the password instead of dictionary words.

Hybrid cracking

This is a mixed mechanism of both dictionary and brute-force password guessing. It first tries the dictionary passwords and then tries the letter combinations.

Some automated password-guessing tools are Legion and NetBIOS Auditing Tool. However, tools like L0phtCrack, ScoopLM and KerbCrack allow system administrators to audit their users' passwords and let the users know if anyone is using a password which can be compromised by a password cracking tool.

Other than the above-mentioned password cracking methods, hackers use keystroke loggers to intercept users' keystrokes to find their passwords. Keystroke loggers are able to save all the user's keystrokes into files or send them to a remote destination. There are two types of keystroke loggers: software based and hardware based. Hardware keystroke loggers must be physically installed in the system, and software keystroke loggers can be a function of a Trojan horse. A few examples of keystroke loggers are ISpyNow, PC Activity Monitor and Remote Spy, and the following figure shows an example of a hardware keystroke logger.

If the hackers are not able to track down the user's password, they will try to get access to the systems using network attacks. There are several methods hackers use to attack networks. A few of them are listed below.

Sniffing Attacks

Sniffing is the process of capturing data from a network as it passes and storing it to process offline. For this process hackers use various sniffing tools with different capabilities.
Some sniffers can only work with TCP/IP, while more sophisticated sniffers work with many other protocols, including data link layer protocols. Sniffing attacks can also be used to grab user logins and passwords. As telnet, HTTP, POP and SMB send password data in plain text across the network, it can easily be grabbed with a sniffing attack.

Sniffing can be either active or passive.

Passive sniffing is performed on hub networks, where all the machines in the network see all the traffic of the other machines. So the hackers can capture almost every data packet that travels through the network. As hub networks are not used in real environments, passive sniffing is very unlikely to happen.

Active sniffing takes place in switched networks, where the hackers are not able to see other users' traffic except the broadcast data. Thus the only possible attack is the man-in-the-middle attack. Here an attacker is positioned in the middle of communications between two legitimate entities in order to capture data that passes between the two parties.

As mentioned earlier, there are several sniffing tools available with different capabilities. The most popular sniffing tool is Wireshark, formerly known as Ethereal. It is a free network protocol analyzer that supports both Windows and Linux operating systems. It is a very sophisticated tool, capable of capturing traffic on the network and saving it to disk, filtering traffic according to the requirement, and showing summary and detailed information for each packet.

A few other sniffing tools are Packetyzer, Dsniff, TCPDump and Snort.

DoS Attacks

A DoS attack is a network attack that results in some sort of interruption of service to users, devices or applications. Hackers use several mechanisms to generate a DoS attack. The simplest method is to generate large amounts of data appearing as valid network traffic.
This type of network DoS attack saturates the network so that valid user traffic cannot get through.

A DoS attack takes advantage of the fact that target systems such as servers must maintain state information. Applications may rely on expected buffer sizes and specific content of network packets. A DoS attack can exploit this by sending packet sizes or data values that are not expected by the receiving application. These attacks attempt to compromise the availability of a network, host or application. They are considered a major risk because they can easily interrupt a business process and cause significant loss. These attacks are relatively simple to conduct, even by unskilled hackers.

Maintaining Access

By the time he enters this step, the hacker has got into the system by some means, and this phase focuses on maintaining the established session. The hacker is thus able to perform any file upload or download, or insert any software tool. In this stage hackers try to establish a private path to enter the system easily next time. To do that, they insert malicious software like Trojan horses, sniffers and keystroke loggers.

Trojan horses are malware that carries out malicious operations under the appearance of a desired function. A virus or worm could carry a Trojan horse. A Trojan horse contains hidden, malicious code that exploits the privileges of the user that runs it. Games can often have a Trojan horse attached to them. When the game is run, the game works, but in the background the Trojan horse has been installed on the user's system and continues running after the game has been closed.

The Trojan horse concept is flexible. It can cause immediate damage, provide a back door to a system, or perform actions such as password capturing, keystroke capturing and executing DoS attacks.
Some advanced hackers write custom Trojan horses according to the requirement, and those are very hard to detect.

There are many examples of Trojan horses, like Tini, Netcat, SubSeven and Back Orifice.

Clearing Tracks

This is the final step of the hacking framework, in which the hackers delete all the evidence and tracks of their access. Generally, any operating system keeps a record of user logins, file deletions, file insertions, installations and so on. So once a hacker logs in to a system, his attempts and actions are logged in the operating system log files. So the hackers have to delete these logs.

Although this is a very hard task to perform in reality, there are tools that take alternative actions such as disabling operating system auditing, deleting all the log records, and deleting temporary log files. By executing tools like that, they can delete their tracks, usually along with all the other log files. Therefore the system administrator may know that the system has been compromised. The software tool auditpol.exe is one such tool that is able to disable OS logging.

Attackers also need to hide the files they uploaded to the systems, and to do this there are a few techniques available, called wrappers. These wrapper tools are able to hide the uploaded data as a picture file.

Design an Evidence Gathering Prototype

Importance of an Evidence Gathering Prototype

As shown above, the possibilities and opportunities by which a company can be targeted by a malicious attack are limitless. Although implementing correct firewall and security policies can reduce the exposure of many systems to hackers, it is very unrealistic to completely avoid security breaches in a computer system. Therefore, it is very important to detect intrusion activities and limit as much as possible the damage they can produce.
Installing a well-planned and well-configured Evidence Gathering Prototype with intrusion detection and honeypot capabilities will do that.

In general, intrusion detection systems are able to record all the system activities on a given host or network. Thus, if the monitored system is compromised or targeted by an attack, all the information useful for tracking the attacker is recorded in the IDS. Sometimes they can alert the system administrators about the attacks as well. Another feature of this kind of system is that it is able to recognize violations of an organisation's security and acceptable use policies, such as transfers of inappropriate material through the company's network, downloads of unauthorized data files, access to restricted content and use of unauthorized applications. Also, some systems are able to identify reconnaissance activities which may be followed by hacking attacks.

As these systems are able to keep a log of every such incident, the system administrators can use that data in their ethical hacking exercises. Furthermore, they can get an idea of the techniques attackers use, attack launching periods, times and frequencies, the common types of attacks they receive and the locations of the attackers. One side advantage of installing an IDS is the deterring of hacking attempts: being aware that their activities are being monitored, hackers might be less prone to launch attacks.

Thus installing a system for the purpose of evidence gathering is very crucial, and the rest of this document will focus on designing a better model for that purpose. For example, a hacker can identify whether an IDS is present in the system, and if one is present, the attacker may first attack the IDS to bring it offline.

Architecture of the prototype

The general idea of this prototype is to provide a new defence mechanism for networks against a huge variety of behavioural network attacks.
These include in particular rootkit attacks, buffer overflows, DoS/DDoS attacks, SQL injections and many other types of hacking into a network. By keeping records of malicious behaviour and helping to track down intruders, this system will be a whole new protection concept for current network intrusion threats.

Techniques like Intrusion Prevention Systems, Honeypots and network sniffers can be used as the first line of defence against unauthorized access to networks and network resources. But it is hard to use each of them separately in a network to prevent malicious attacks. So a good system should use all those techniques in a single system. A single technique will not suffice either, as each has its limitations.

Thus, the prototype being designed uses all the techniques mentioned above. It works as a choke point between the WAN and the LAN, so all network traffic must flow through it and is inspected there. As for the architecture, the prototype consists of three Intrusion Detection Systems, a Honeypot and a monitoring console. The three IDSs are signature based, anomaly based and stateful-protocol analysis IDSs. All incoming network traffic is inspected by these IDSs before it enters the LAN. If the IDSs detect any suspicious behaviour, they send an alarm message to the Honeypot. Then the malicious traffic starts to circulate among the IDSs without the intruder's knowledge. Therefore an intruder will not be able to perform continuous actions, because the IP addresses of the traffic keep changing. The Honeypot monitors all the network traffic forwarded by the IDSs and keeps records of all behaviours. Whether to allow or deny the network traffic entry to the LAN is decided by monitoring the behaviour of the incoming traffic at the Honeypot.
A separate monitoring console is connected to the Honeypot, which also has an online monitoring and logging system so that the sources of any malicious traffic can be identified. The following figure shows an overview of the system.

Major components

The signature-based IDS has a predefined database of attack signatures. It compares all network packets against the attack signatures in the database.

The anomaly-based IDS compares the network traffic against a profile built by previous training on network traffic behaviour and by continually sampling all activities occurring within the system. Therefore it can react to new zero-day attacks.

The stateful-protocol analysis IDS relies, for its decisions, on vendor-developed universal profiles that specify how particular protocols should and should not be used.

The core of the system is the Honeypot, which monitors all the network traffic flowing through it.

The monitoring console has a real-time logging and tracking system implemented on it. This console provides real-time monitoring and an online tracking system to track down and locate the intruder's source.

The network traffic database stores all the information about the traffic flows the Honeypot has encountered, the signature database and the IP addresses of all malicious or suspicious traffic flows.

Capabilities of the prototype

Signature based Intrusion Detection System

Knowledge is accumulated by the IDS vendors about specific attacks and how they are carried out. Models of how the attacks are carried out are developed and called signatures. Each identified attack has a signature, which is used to detect an attack in progress or determine if one has occurred within the network. Any action that is not recognized as an attack is considered acceptable.

Anomaly based Intrusion Detection System

These are behaviour-based products that do not contain databases of attack signatures.
They first go through a learning mode to build a profile of the normal behaviour of a system or network by continually sampling all activities occurring within the system. These IDSs will be configured to detect zero-day attacks, which means they are configured to detect new and unknown threats. All anomaly-based IDSs will be trained using accepted penetration tools such as GFI LANguard, Nessus, Nmap, Retina, Netcat and Enstealth. After the profile is created, all activities are compared against it. If anything occurs which does not match the profile, an alarm is triggered and the packets are tagged.

Stateful-protocol analysis Intrusion Detection System

This is a little similar to the anomaly-based detection technique, but it relies on profiles that are provided by the device vendors. Those profiles enable the IDPS to understand and track the state of network, transport and application protocols that have a notion of state. It can thus identify unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command without first issuing another command upon which it is dependent.

Honeypot

A Honeypot is essentially a decoy network-accessible resource that can be deployed in a network as a surveillance and early-warning tool. Techniques used by attackers who attempt to compromise these decoy resources are studied during and after an attack to observe new exploitation techniques. Such analysis can be used to further tighten the security of the actual network being protected by the Honeypot. All traffic entering and leaving the Honeypot is logged. Honeypots can carry risks to a network and must be handled with care. If they are not properly walled off, an attacker can use them to break into a system.

Monitoring Console

This machine is used to examine the intrusion methods and traffic flow used by the intruder. This analysis is done in synchronization with the Honeypot. Those details are used to create complete reports about the encounters.
The tracking system installed on the console provides a complete track of the intruder.

Other Features

The prototype can analyze the behaviour of the incoming traffic, since all the traffic must go through the system. For any intrusion that matches the signatures, the signature-based IDS immediately raises an alarm to the Honeypot. By recording and tracking the traffic pattern, a decision can be taken whether to drop the identified traffic or trace back the source of the intruder.

The detected or suspicious traffic is redirected to the Honeypot as the final action. Making use of the online tracking and logging system, the prototype can record all the behaviours in real time and provide a tracking system to catch the intruders.

Commercially available Intrusion Detection Systems

Snort

Snort is a free and open-source network-based IDS, and it is the most commonly used intrusion detection system. It is a software-based NIDPS and is able to perform both protocol analysis and content searching. Snort has intrusion prevention capabilities as well, so it is used both to actively block and to passively detect a variety of attacks and probes. It uses signature, protocol and anomaly-based inspection for intrusion detection.

CISCO Secure IDS

This
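
The three detection approaches described under "Capabilities of the prototype" (signature based, anomaly based and stateful-protocol analysis) can be compared by running them over the same traffic. The following Python is an added example, not code from this essay or from any IDS product; the signatures, the FTP-like command profile, the thresholds and all sample events are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed signatures, for illustration only.
SIGNATURES = {
    "sql-injection": re.compile(r"('|%27)\s*or\s+1\s*=\s*1", re.I),
    "path-traversal": re.compile(r"(\.\./){2,}"),
}

def signature_alerts(payload):
    """Signature based: whatever matches no known pattern is accepted."""
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

class AnomalyDetector:
    """Anomaly based: build a profile in learning mode, then flag deviations."""

    def __init__(self, threshold=3.0):
        self.threshold = threshold  # allowed distance from the mean, in stdevs
        self.mean = self.stdev = None

    def learn(self, samples):
        # samples: requests per minute observed during normal operation
        self.mean = statistics.mean(samples)
        self.stdev = statistics.pstdev(samples) or 1.0  # flat profile: avoid /0

    def is_anomalous(self, value):
        if self.mean is None:
            raise RuntimeError("no profile yet: call learn() first")
        return abs(value - self.mean) / self.stdev > self.threshold

# Hypothetical protocol profile for a simplified FTP-like dialogue: each
# command maps to the command that must already have been seen in the session.
PREREQUISITE = {"USER": None, "PASS": "USER", "LIST": "PASS",
                "RETR": "PASS", "QUIT": None}
MAX_REPEAT = 3  # identical consecutive commands tolerated per session

class StatefulProtocolDetector:
    """Stateful-protocol analysis: track per-session state and flag commands
    that are out of order or repeated too often."""

    def __init__(self):
        self.seen = defaultdict(set)   # session -> commands seen so far
        self.streak = {}               # session -> (last command, run length)

    def observe(self, session, command):
        alerts = []
        if command not in PREREQUISITE:
            alerts.append(f"unknown command {command}")
        else:
            needed = PREREQUISITE[command]
            if needed is not None and needed not in self.seen[session]:
                alerts.append(f"{command} before {needed}")
        last, count = self.streak.get(session, (None, 0))
        count = count + 1 if command == last else 1
        self.streak[session] = (command, count)
        if count > MAX_REPEAT:
            alerts.append(f"{command} repeated {count} times")
        self.seen[session].add(command)
        return alerts

def analyze(events, rates, baseline):
    """Run all three detectors; return (detector, subject, reason) tuples."""
    findings = []
    stateful = StatefulProtocolDetector()
    for ev in events:
        for name in signature_alerts(ev["payload"]):
            findings.append(("signature", ev["session"], name))
        for reason in stateful.observe(ev["session"], ev["command"]):
            findings.append(("stateful", ev["session"], reason))
    anomaly = AnomalyDetector()
    anomaly.learn(baseline)
    for source, rate in rates.items():
        if anomaly.is_anomalous(rate):
            findings.append(("anomaly", source, f"{rate} req/min"))
    return findings

# Constructed sample data (documentation address ranges, invented sessions).
BASELINE = [18, 22, 20, 19, 21, 23, 20, 17]      # learning-mode req/min
RATES = {"192.0.2.10": 21, "198.51.100.7": 240}  # observed req/min per source
EVENTS = [
    {"session": "s1", "command": "USER", "payload": "alice"},
    {"session": "s1", "command": "PASS", "payload": "********"},
    {"session": "s1", "command": "RETR", "payload": "report.txt"},
    # No signature matches this one; only the protocol state gives it away.
    {"session": "s2", "command": "RETR", "payload": "report.txt"},
    {"session": "s3", "command": "USER", "payload": "x' OR 1=1"},
]

if __name__ == "__main__":
    for finding in analyze(EVENTS, RATES, BASELINE):
        print(finding)
```

Session s2 shows why the design combines detectors: its payload matches no signature, so a signature-only IDS would accept it, while the protocol profile flags the file request made before any login.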