ETHICAL HACKING

UNIT-1

Introduction to Hacking

  • There are many definitions for “hacker.” Ask this question of a room full of people and you will get a new answer every time, because, as the saying goes, “more mouths will have more talks.” This is the reason behind the different definitions of hackers, which in my opinion is quite justified, for everyone has a right to think differently. In the early 1990s, the word “hacker” was used to describe a great programmer, someone who was able to build complex logic. Unfortunately, over time the word gained negative hype, and the media started referring to a hacker as someone who discovers new ways of breaking into a system, be it a computer system or a programmable logic controller, someone who is capable of hacking into banks, stealing credit card information, etc. This is the picture created by the media, and it is untrue, because everything has a positive and a negative aspect to it. What the media has been highlighting is only the negative aspect; the people who have been protecting organizations by responsibly disclosing vulnerabilities are not highlighted. However, if you look at the media’s definition of a hacker in the 1990s, you would find a few common characteristics, such as creativity, the ability to solve complex problems, and new ways of compromising targets. Therefore, the term has been broken down into three types:

Hacking

  • Hacking refers to the practice of exploiting vulnerabilities or weaknesses in computer systems, networks, or applications to gain unauthorized access, control, or insight. It can involve a range of activities, from identifying security flaws to bypassing security measures.
  • Types of Hacking:
    - Ethical Hacking (White-hat Hacking): Authorized hacking to improve security and identify vulnerabilities.
    - Malicious Hacking (Black-hat Hacking): Unauthorized hacking with intent to harm, steal, or disrupt.
  • Key Aspects:
    - Unauthorized Access: Gaining access to systems, networks, or data without permission.
    - Vulnerability Exploitation: Identifying and exploiting weaknesses in software, hardware, or configurations.
    - Security Testing: Testing systems and networks to identify security flaws and improve defenses.

Types of hacking

  1. White hat hacker—This kind of hacker is often referred to as a security professional or security researcher. Such hackers are employed by an organization and are permitted to attack the organization to find vulnerabilities that an attacker might be able to exploit.
  2. Black hat hacker—Also known as a cracker, this kind of hacker is referred to as a bad guy, who uses his or her knowledge for negative purposes. These are the people the media usually refers to as hackers.
  3. Gray hat hacker—This kind of hacker is an intermediate between a white hat and a black hat hacker. For instance, a gray hat hacker would work as a security professional for an organization and responsibly disclose everything to them; however, he or she might leave a backdoor to access it later and might also sell the confidential information, obtained after the compromise of a company’s target server, to competitors.

6/26/2025

Categories of hackers

  • Similarly, there are categories of hackers that you will often hear about. Some of them are as follows:
  • Script kiddie—Also known as a skid, this kind of hacker is someone who lacks knowledge of how an exploit works and relies upon using exploits that someone else created. A script kiddie may be able to compromise a target but certainly cannot debug or modify an exploit in case it does not work.
  • Elite hacker—An elite hacker, also referred to as l33t or 1337, is someone who has deep knowledge of how an exploit works; he or she is able to create exploits and also modify code that someone else wrote. He or she is someone with elite hacking skills.
  • Hacktivist—Hacktivists are defined as a group of hackers who hack into computer systems for a cause or purpose. The purpose may be political gain, freedom of speech, human rights, and so on.

Ethical hacker

  • An ethical hacker is a person who is hired and permitted by an organization to attack its systems for the purpose of identifying vulnerabilities that an attacker might take advantage of. The sole difference between the terms “hacking” and “ethical hacking” is the permission.

Important Terminologies

  • Asset: An asset is any data, device, or other component of the environment that supports information-related activities and that should be protected from anyone besides the people who are allowed to view or manipulate the data/information.
  • Vulnerability: A vulnerability is a flaw or weakness inside the asset that could be used to gain unauthorized access to it. The successful compromise of a vulnerability may result in data manipulation, privilege elevation, etc.
  • Threat: A threat represents a possible danger to the computer system, something that an organization doesn’t want to happen. A successful exploitation of a vulnerability is a threat. A threat may be a malicious hacker who is trying to gain unauthorized access to an asset.
  • Exploit: An exploit is something that takes advantage of a vulnerability in an asset to cause unintended or unanticipated behavior in a target system, which would allow an attacker to gain access to data or information.
  • Risk: A risk is defined as the impact (damage) resulting from the successful compromise of an asset. For example, a vulnerable Apache Tomcat server run by an organization poses a threat to that organization, and the damage/loss caused to the asset is the risk. Normally, a risk can be calculated using the following equation: Risk = Threat * Vulnerabilities * Impact

Phases of hacking

  • The phases of hacking typically involve a structured approach to identifying and exploiting vulnerabilities in computer systems or networks. Here are the common phases:
  1. Reconnaissance (Information Gathering):
    - Collecting information about the target system or network.
    - Identifying potential vulnerabilities and entry points.
  2. Scanning:
    - Using tools to identify open ports, services, and potential vulnerabilities.
    - Gathering more detailed information about the target system.
  3. Gaining Access:
    - Exploiting identified vulnerabilities to gain unauthorized access.
    - Using techniques such as password cracking, SQL injection, or buffer overflow attacks.
  4. Maintaining Access:
    - Establishing a persistent presence in the system or network.
    - Creating backdoors or using other techniques to maintain access.
  5. Clearing Tracks:
    - Covering tracks to avoid detection.
    - Deleting logs, hiding malware, or using other techniques to conceal evidence.
  • These phases are often used in both ethical hacking (penetration testing) and malicious hacking. Understanding these phases can help organizations improve their security posture and protect against potential threats.

Diagram of phases of hacking

Introduction to Ports & Protocols: Ports, Protocols, Primary Network Types

  • A port is a number assigned to a specific process or service running on a computer, allowing multiple applications to share the same IP address. Here are some key points about ports:
  • Types of Ports:
    1. TCP (Transmission Control Protocol) ports: Used for connection-oriented communication.
    2. UDP (User Datagram Protocol) ports: Used for connectionless communication.
  • Common Ports:
    1. HTTP (80): Web traffic
    2. HTTPS (443): Secure web traffic
    3. FTP (21): File transfer
    4. SSH (22): Secure shell access
    5. Telnet (23): Remote access

  • Identifying open ports can reveal potential entry points for exploitation.
  • Commonly targeted ports:
    - 80 (HTTP)
    - 443 (HTTPS)
    - 22 (SSH)
    - 21 (FTP)
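The same port knowledge is what a defender uses to audit a host. As an added example (not part of the slides), the following Python script parses listener lines shaped like the output of `ss -tuln` on Linux, using a constructed sample embedded inline, and reports for each listening port which of the services named above it is, whether it is bound to all interfaces (reachable from other hosts) and whether it is a cleartext protocol. The port table, the cleartext set and the sample output are assumptions made for the demonstration.

```python
# Service names for the ports the slides list (constructed subset, not a full /etc/services).
KNOWN_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 53: "DNS", 80: "HTTP", 443: "HTTPS",
}
# Services that carry credentials or content in cleartext (assumed set for the demo);
# a defender wants these switched off or confined to loopback.
CLEARTEXT = {21, 23, 80}

# Parse rows in the shape of `ss -tuln` output into (proto, address, port) tuples.
# The header line and anything that does not look like a socket row is skipped.
def parse_listeners(text):
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, port = fields[4].rsplit(":", 1)   # rsplit keeps IPv6 "[::]" intact
        if not port.isdigit():
            continue
        rows.append((fields[0], addr, int(port)))
    return rows

# Turn raw listeners into findings: service name, whether the socket is exposed
# (wildcard bind) and whether the protocol is cleartext.
def assess(rows):
    findings = []
    for proto, addr, port in rows:
        findings.append({
            "proto": proto,
            "port": port,
            "service": KNOWN_PORTS.get(port, "unknown"),
            "exposed": addr in ("0.0.0.0", "*", "[::]", "::"),
            "cleartext": port in CLEARTEXT,
        })
    return findings

# The short list worth acting on first: cleartext services reachable from the network.
def exposed_cleartext(findings):
    return sorted(f["port"] for f in findings if f["exposed"] and f["cleartext"])

# Constructed sample shaped like `ss -tuln` output from a Linux host.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      511    [::]:443            [::]:*
udp   UNCONN 0      0      0.0.0.0:53          0.0.0.0:*
"""

if __name__ == "__main__":
    for f in assess(parse_listeners(SAMPLE)):
        flags = ("EXPOSED " if f["exposed"] else "local   ") + ("cleartext" if f["cleartext"] else "")
        print(f"{f['proto']:4} {f['port']:5} {f['service']:8} {flags}")
```

In the sample, only Telnet on port 23 is both exposed and cleartext; the MySQL-style listener on 3306 is unknown to the table but bound to loopback, so it is not reachable from other hosts.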

Protocols

  • Protocols are sets of rules governing data communication over networks. Here are some key points about protocols:
  • Types of Protocols:
  • 1. TCP/IP (Transmission Control Protocol/Internet Protocol): Suite of protocols for internet communication.
  • 2. HTTP (Hypertext Transfer Protocol): Protocol for web communication.
  • 3. FTP (File Transfer Protocol): Protocol for file transfer.
  • 4. SSH (Secure Shell Protocol): Protocol for secure remote access.
  • 5. DNS (Domain Name System): Protocol for domain name resolution.
  • Protocol Functions:
  • 1. Data formatting: Protocols define data format and structure.
  • 2. Data transmission: Protocols govern data transmission and reception.
  • 3. Error detection and correction: Protocols handle error detection and correction.

  1. Network communication: Protocols enable devices to communicate over networks.
  2. Data exchange: Protocols facilitate data exchange between devices.
  3. Network security: Understanding protocols is crucial for securing networks and systems.
  • Common Protocol Vulnerabilities:
    1. Buffer overflow: Writing more data into a buffer than it can hold.
    2. SQL injection: Injecting malicious SQL code.
    3. Cross-site scripting (XSS): Injecting malicious code into web applications.
  • Understanding protocol vulnerabilities can help identify potential exploits.
  • Commonly targeted protocols:
    - TCP/IP
    - HTTP
    - FTP
    - SSH
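SQL injection, listed above and again under the "Gaining Access" phase, is easiest to understand by putting the flawed query next to its fix. The following Python example is added here and is not part of the slides; it uses a constructed in-memory SQLite table with two users and shows a login check written two ways: one that splices user input into the SQL text and one that binds the values as parameters. The table, the user records and the crafted input are all constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory user table. Passwords are stored in cleartext only to keep
# the demonstration short; a real system stores salted password hashes.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

# Vulnerable: user input becomes part of the SQL text, so a quote character in
# the input changes the structure of the query instead of being treated as data.
def login_vulnerable(conn, username, password):
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]

# Hardened: the query text is fixed and the values travel separately as bound
# parameters, so the database engine never interprets them as SQL.
def login_safe(conn, username, password):
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"   # constructed input: closes the string and adds an always-true clause
    print("valid credentials, vulnerable:", login_vulnerable(db, "alice", "s3cret"))
    print("crafted input, vulnerable:    ", login_vulnerable(db, crafted, crafted))
    print("crafted input, hardened:      ", login_safe(db, crafted, crafted))
```

With the crafted input the vulnerable query returns every user because the WHERE clause has been rewritten, while the parameterized query returns nothing because no user literally has that name. This is the "Recommendation" a detailed finding for SQL injection would carry: use parameterized queries everywhere user input reaches the database.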

Primary networks types

  • Primary Network Types:
    - LAN (Local Area Network): Hackers may target LANs to gain access to sensitive data or systems.
    - WAN (Wide Area Network): Hackers may target WANs to exploit vulnerabilities in remote systems or networks.
    - Wi-Fi: Hackers may target Wi-Fi networks to intercept data or gain unauthorized access.
  • Knowledge of ports, protocols, and network types helps hackers:
    - Identify potential vulnerabilities
    - Develop targeted attacks
    - Bypass security measures
  • Understanding ports, protocols, and network types is essential for:
    - Network administration
    - Cybersecurity
    - Troubleshooting network issues

Virtualization & Introduction to Kali Linux

  • Virtualization:
  • Virtualization is a technology that creates virtual environments for operating systems, applications, or hardware. It allows multiple virtual machines (VMs) to run on a single physical host, improving resource utilization and flexibility.
  • Virtualization Software:
  • 1. VMware: Popular virtualization platform for enterprise and personal use.
  • 2. VirtualBox: Open-source virtualization software for personal and development use.
  • 3. Hyper-V: Microsoft's virtualization platform for Windows.
  • 4. Parallels: Virtualization software for macOS.
  • Supported Platforms:
  • 1. Windows: Supported by VMware, VirtualBox, and Hyper-V.
  • 2. Linux: Supported by VMware, VirtualBox, and many Linux-specific virtualization tools.
  • 3. macOS: Supported by VMware, VirtualBox, and Parallels.
  • 4. Unix: Supported by various Unix-specific virtualization tools.

  • Benefits:
    1. Hardware virtualization: Runs multiple VMs on a single physical host.
    2. OS virtualization: Runs multiple OS environments on a single host.
    3. Application virtualization: Runs applications in isolated environments.
    4. Improved resource utilization: Maximizes resource usage and reduces waste.
  • Use Cases:
    1. Development and testing: Virtualization enables developers to test applications in various environments.
    2. Server virtualization: Improves server resource utilization and management.
    3. Virtual desktop infrastructure (VDI): Provides secure and managed desktop environments.

  • File Structure inside of Linux
  • On a Linux system, almost everything is a file, and if it is not a file, then it is a process.
  • Here is a general diagram of the file structure in Linux.
  • There are certain exceptions in a Linux file system:
    - Directories: Files that are lists of other files.
    - Special files: The mechanism used for input and output. The entries under /dev are special files.
    - Links: A system to make a file or directory visible in multiple parts of the file system.
    - Sockets: A special file type, similar to TCP/IP sockets, providing inter-process networking.
    - Pipes: More or less like sockets; they form a way for processes to communicate with each other without using network sockets.
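The file kinds just listed are all visible through one system call. As an added example (not from the slides), the following Python script builds a small constructed directory containing a regular file, a directory, a symbolic link, a named pipe and a Unix socket, then classifies every entry with `os.lstat` and the `stat` helpers. Device nodes (the "special files" under /dev) need root to create, so the script only classifies `/dev/null` if it exists. The directory layout and entry names are assumptions made for the demonstration; it needs a Unix-like system.

```python
import os
import socket
import stat
import tempfile

# Map an lstat() mode to the kinds described above. lstat rather than stat is used
# so that a symbolic link is reported as a link instead of as whatever it points to.
def classify(path):
    mode = os.lstat(path).st_mode
    if stat.S_ISDIR(mode):
        return "directory"
    if stat.S_ISLNK(mode):
        return "link"
    if stat.S_ISSOCK(mode):
        return "socket"
    if stat.S_ISFIFO(mode):
        return "pipe"
    if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
        return "special"        # character or block device node, e.g. under /dev
    if stat.S_ISREG(mode):
        return "regular"
    return "unknown"

# Create a constructed sample tree with one entry of each creatable kind.
def build_sample_tree():
    root = tempfile.mkdtemp(prefix="fs-demo-")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("a regular file\n")
    os.mkdir(os.path.join(root, "logs"))
    os.symlink("notes.txt", os.path.join(root, "notes-link"))
    os.mkfifo(os.path.join(root, "queue"))
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(os.path.join(root, "ipc.sock"))   # the socket entry stays on disk after close
    sock.close()
    return root

# Inventory a directory by kind: the view a defender wants when looking for
# unexpected sockets, pipes or links dropped into a directory on a host.
def inventory(root):
    return {name: classify(os.path.join(root, name)) for name in sorted(os.listdir(root))}

# /dev/null is the canonical "special file"; report "absent" if the system lacks it.
def dev_null_kind():
    return classify("/dev/null") if os.path.exists("/dev/null") else "absent"

if __name__ == "__main__":
    root = build_sample_tree()
    for name, kind in inventory(root).items():
        print(f"{kind:10} {name}")
    print(f"{dev_null_kind():10} /dev/null")
```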

Introduction to Penetration Testing

  • Penetration test
  • A penetration test is a subclass of ethical hacking; it comprises a set of methods and procedures that aim at testing/protecting an organization’s security. Penetration tests prove helpful in finding vulnerabilities in an organization and checking whether an attacker will be able to exploit them to gain unauthorized access to an asset.
  • Vulnerability Assessments versus Penetration Test
  • Oftentimes, a vulnerability assessment is confused with a penetration test; however, these terms have completely different meanings.

  • In a penetration test, however, we need to simulate an attacker to see if we are actually able to exploit a vulnerability, and document the vulnerabilities that were exploited and the ones that turned out to be false positives.
  • Preengagement
  • Before you start a penetration test, there is a whole lot you need to discuss with the client. This is the phase where both the customer and a representative from your company sit down and discuss the legal requirements and the “rules of engagement.”

  • Rules of Engagement
  • Every penetration test you do would comprise rules of engagement, which basically define how the penetration test will be laid out, what methodology will be used, the start and end dates, the milestones, the goals of the penetration test, the liabilities and responsibilities, etc. All of them have to be mutually agreed upon by both the customer and the representative before the penetration test is started. Following are important requirements that are present in almost every ROE:
  • ◾ A proper “permission to hack” and a “nondisclosure” agreement should be signed by both parties.
  • ◾ The scope of the engagement and what part of the organization must be tested.
  • ◾ The project duration, including both the start and the end date.
  • ◾ The methodology to be used for conducting the penetration test.
  • ◾ The goals of the penetration test.
  • ◾ The allowed and disallowed techniques, for example whether denial-of-service testing should be performed or not.
  • ◾ The liabilities and responsibilities, which are decided ahead of time. As a penetration tester you might break into something that should not be accessible, causing a denial of service; also, you might access sensitive information such as credit cards. Therefore, the liabilities should be defined prior to the engagement.

Categories of Penetration Test

  • When the scope of the penetration test is defined, the category/type of the penetration test engagement is also defined along with it. The entire penetration test can be Black Box, White Box, or Gray Box depending upon what the organization wants to test and how it wants the security paradigm to be tested.
  • Black Box
  • A black box penetration test is where little or no information is provided about the specified target. In the case of a network penetration test this means that the target’s DMZ, target operating system, server version, etc., will not be provided; the only thing that will be provided is the IP ranges that you would test. In the case of a web application penetration test, the source code of the web application will not be provided. This is a very common scenario that you will encounter when performing an external penetration test.
  • White Box
  • A white box penetration test is where almost all the information about the target is provided. In the case of a network penetration test, information on the applications running, the corresponding versions, operating system, etc., is provided. In the case of a web application penetration test the application’s source code is provided, enabling us to perform static/dynamic “source code analysis.” This scenario is very common in internal/onsite penetration tests, since organizations are concerned about leakage of information.

  • Gray Box
  • In a gray box test, some information is provided and some hidden. In the case of a network penetration test, the organization provides the names of the applications running behind an IP; however, it doesn’t disclose the exact versions of the services running. In the case of a web application penetration test, some extra information, such as test accounts, back end server, and databases, is provided.

Types of Penetration Tests

  • Network Penetration Test
  • In a network penetration test, you would be testing a network environment for potential security vulnerabilities and threats. This test is divided into two categories: external and internal penetration tests. An external penetration test would involve testing the public IP addresses, whereas in an internal test, you become part of the internal network and test that network. You may be provided VPN access to the network or would have to physically go to the work environment for the penetration test, depending upon the engagement rules that were defined prior to conducting the test.
  • Web Application Penetration Test
  • The web application penetration test is very common nowadays, since applications host critical data such as credit card numbers, usernames, and passwords; therefore this type of penetration test has become more common than the network penetration test.

  • Mobile Application Penetration Test
  • The mobile application penetration test is the newest type of penetration test that has become common since almost every organization uses Android- and iOS-based mobile applications to provide services to its customers. Therefore, organizations want to make sure that their mobile applications are secure enough for users to rely on when providing personal information through such applications.
  • Social Engineering Penetration Test
  • A social engineering penetration test can be part of a network penetration test. In a social engineering penetration test the organization may ask you to attack its users. This is where you use spear phishing attacks and browser exploits to trick a user into doing things they did not intend to do.
  • Physical Penetration Test
  • A physical penetration test is what you would rarely be doing in your career as a penetration tester. In a physical penetration test, you would be asked to walk into the organization’s building physically and test physical security controls such as locks and RFID mechanisms.

Structure of Penetration Test Report

  1. Executive Summary

As the name suggests, an executive summary is the portion that is specifically addressed to executives such as the CEO or the CIO of the company. The executive summary is the most essential part of a penetration testing report; a good executive summary can make all the difference between a good report and a bad one.

Following are some of the essential points that you should take into consideration while writing an executive summary.

  • Since executives are very busy, they have minimal time to invest in reading your reports. Therefore you should make sure that your executive summary is precise and to the point.
  • Your executive summary should start with defining the purpose of the engagement and how it was carried out. Things such as the scope should be defined, but very precisely.

  • Next, you should explain the results of the penetration test and the findings.
  • Following this, you should discuss the overall weaknesses in general and the countermeasures that were not implemented that caused the vulnerability in the first place.
  • Next comes the analysis part; this is where you should write about the overall risk that was determined based upon our findings.
  • And, finally, you should write about to what extent the risk would decrease after addressing the issues and implementing the appropriate countermeasures.
  • The following is an example of an executive summary that we wrote for a customer. I would suggest you spend some time reviewing the essential points discussed and compare them with the executive summary that follows.

Remediation Report

  • Next up we have the remediation report, which contains the overall recommendations that, once implemented, would increase the security of the organization. This is specifically an area of interest for the management class, as they are the ones who are going to enforce the security policies of an organization. As mentioned earlier, these guys may or may not be technical; therefore our remediation report should be very precise and easy to understand.
  • Things that could improve overall security, such as implementing an SDLC, a firewall, and an intrusion detection system, should be recommended. The following is an example of what a remediation report should look like.

     

  • Vulnerability Assessment Summary
  • Next, we have the vulnerability assessment summary, sometimes referred to as the “findings summary.” This is where we present the findings from our engagement. Things such as the overall strengths and weaknesses and a risk assessment summary can also be included under this section. “A picture speaks a thousand words” is a brilliant quotation that all of us remember from our childhood, don’t we? Behold, for now it’s time to see the actual use of it. It always helps to include charts in your report, which would give the audience a better understanding of the vulnerabilities that were found. Security executives might be interested in this portion of the report as they would need to enforce the countermeasures.
  • Two charts are typically used: the first one classifies the vulnerabilities on the basis of their severity and the second one on percentage.

Risk Assessment and Risk Assessment Matrix

Risk assessment, as defined before, is the analysis part of the report. It is very crucial for the customer because they would want to know the intensity of the damage the vulnerabilities are likely to cause; similarly, the security executives would also want to know how their team is performing.

  • Risk Assessment Matrix
  • When we talk about risk assessment analysis in terms of a penetration test, we compare the “likelihood of the occurrence” and the “impact caused by the occurrence.”
  • The following is a “hazard risk assessment matrix” derived from MIL-STD-882B; it’s an excellent method for demonstrating risk to the customer. In the following matrix the “frequency of occurrence,” that is, the likelihood of how often the vulnerability is occurring, is compared with the four hazard categories “catastrophic,” “critical,” “serious,” and “minor,” and this is something you should definitely include in your penetration testing report.
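To make the matrix and the two summary charts concrete, here is an added Python example (not from the slides or the report they describe) that rates a constructed list of findings by frequency of occurrence and the four severity categories named above, counts them by severity and as percentages for the findings summary, and derives an overall risk. The five frequency levels follow the probability levels of MIL-STD-882, the rating in each matrix cell is a simplified three-band assumption rather than the standard's numeric hazard risk index, and the "risk percentage" formula (achieved weight over maximum possible weight) is an assumption, since the slides quote an 82% figure without giving the formula behind it.

```python
# Severity categories exactly as the slide names them, worst first.
SEVERITY = ["catastrophic", "critical", "serious", "minor"]
# Frequency-of-occurrence levels (assumption: the slide does not list them;
# these are the MIL-STD-882 probability level names).
FREQUENCY = ["frequent", "probable", "occasional", "remote", "improbable"]

# Assumed rating per (frequency, severity) cell; columns follow SEVERITY order.
# MIL-STD-882B assigns a numeric hazard risk index per cell, collapsed here to three bands.
MATRIX = {
    "frequent":   ["high",   "high",   "high",   "medium"],
    "probable":   ["high",   "high",   "medium", "medium"],
    "occasional": ["high",   "medium", "medium", "low"],
    "remote":     ["medium", "medium", "low",    "low"],
    "improbable": ["medium", "low",    "low",    "low"],
}
WEIGHT = {"high": 3, "medium": 2, "low": 1}

def rate(frequency, severity):
    return MATRIX[frequency][SEVERITY.index(severity)]

# Rate each finding and build the two summaries the report carries:
# a count of findings per severity and the same split as percentages.
def summarize(findings):
    rated = [dict(f, rating=rate(f["frequency"], f["severity"])) for f in findings]
    counts = {s: sum(1 for f in rated if f["severity"] == s) for s in SEVERITY}
    total = len(rated)
    percent = {s: (round(100 * counts[s] / total, 1) if total else 0.0) for s in SEVERITY}
    return rated, counts, percent

# Overall risk is the worst single rating: one exploitable critical hole decides
# what an attacker can reach, however many minor findings sit beside it.
def overall_risk(rated):
    return max((f["rating"] for f in rated), key=WEIGHT.__getitem__)

# Assumed formula: achieved rating weight over the maximum possible weight.
def risk_percentage(rated):
    if not rated:
        return 0.0
    return round(100 * sum(WEIGHT[f["rating"]] for f in rated) / (3 * len(rated)), 1)

# Constructed findings for the demonstration.
FINDINGS = [
    {"title": "SQL injection in login form",    "severity": "catastrophic", "frequency": "probable"},
    {"title": "Outdated Apache Tomcat version", "severity": "critical",     "frequency": "occasional"},
    {"title": "Verbose error pages",            "severity": "minor",        "frequency": "frequent"},
    {"title": "Directory listing enabled",      "severity": "serious",      "frequency": "remote"},
]

if __name__ == "__main__":
    rated, counts, percent = summarize(FINDINGS)
    for f in rated:
        print(f"{f['rating']:6} {f['severity']:12} {f['frequency']:10} {f['title']}")
    print("by severity:", counts)
    print("percentages:", percent)
    print("overall risk:", overall_risk(rated), "at", risk_percentage(rated), "%")
```

The two dictionaries returned by `summarize` are the data behind the severity chart and the percentage chart; the overall rating and percentage are the "line or two describing the total risk" that follows the matrix in the report.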

HAZARD RISK ASSESSMENT MATRIX

Methodology

  • After including the risk assessment matrix, you should write a line or two describing the total risk. Based upon the comparison of the vulnerabilities that were determined, their likelihood and their impact, we conclude that the overall risk is high and the risk percentage was determined to be 82%.
  • Methodology
  • We have discussed a wide variety of methodologies and standards of penetration testing, such as OSSTMM, NIST, and OWASP. I would also like to include the methodology that was followed for conducting the penetration test; though its inclusion in the report is optional, it could add great value to your penetration report. In a scenario where you have been asked to follow a certain standard, talking about the methodology and its steps is a good idea.
  • The following is a screenshot from one of our penetration testing reports where the NIST methodology was followed in order to conduct the penetration test. Notice that we include the flowchart on how the methodology works and explain each step precisely.

  • Detailed Findings
  • This is where you address the technical audience, specifically the security manager and the developers; also, this is where you are allowed to talk in depth about how the vulnerabilities were discovered, the root causes of the vulnerabilities, the associated risks, and the necessary recommendations. Let’s now briefly talk about four essentials that should be included in the “Detailed Findings” section.
  • Description: This is where you talk about the vulnerability itself; a brief explanation should be provided in this section.
  • Explanation: This is the section where you reveal where the vulnerability was found, how it was found, the root cause of the vulnerability, and the proof of concept or the evidence of the finding.
  • Risk: This is where you talk about the risks and the likely impact that the vulnerability carries.
  • Recommendation: This is where you address the developers on how to fix the vulnerability; you may also include general suggestions to avoid that particular class of vulnerability in future.
  • The following screenshot comes directly from one of our penetration testing reports. Our finding was a “DOM-based XSS” vulnerability. In the “Description” section we discussed the vulnerability. In the “Explanation” section, we talked about where the vulnerability was found and what line of the JavaScript code is the root cause of the vulnerability. We then talked about the general risks and the impact, and finally the general remediations to avoid vulnerabilities of a similar class.

Reports & Conclusion

REPORTS

  • Now that you know the basics and structure of how a penetration testing report is written, I would urge you to spend some time reviewing the following penetration testing sample reports.
  • ◾ http://www.offensive-security.com/penetration-testing-sample-report.pdf
  • ◾ http://www.niiconsulting.com/services/security-assessment/NII_Sample_PT_Report.pdf
  • ◾ http://pentestreports.com/

CONCLUSION

  • In this chapter, we talked about basic terminologies that you will encounter on a daily basis as a penetration tester. We discussed the types of penetration tests and the different penetration testing methodologies. We then talked about what makes a good penetration testing report. We also looked at how a penetration test report should be laid out in order to provide the target audience the necessary information.