
Ethical hacking process_U5_L3

The document outlines the ethical hacking process, which includes five steps: formulating a plan, selecting tools, executing the plan, evaluating results, and moving on. It emphasizes the importance of planning, selecting appropriate tools, and understanding the hacker mindset to effectively conduct ethical hacking tests. Additionally, it discusses the motivations and methods of hackers, highlighting the challenges faced in maintaining security against malicious attacks.

Uploaded by

iqbalshaikh64684

OUTLINE

• Ethical Hacking Process


• Cracking the Hacker mindset
ETHICAL HACKING PROCESS
• Just like any IT or security project, ethical hacking needs to be planned in
advance
• Ethical hacking process consists of 5 steps:
1) Formulating Plan
2) Selecting Tools
3) Executing the plan
4) Evaluating the results
5) Moving on
Formulating the Plan
• First, approval for ethical hacking is essential
• If ethical hacking is for a customer, one should have a signed contract in
place, stating the customer’s support and authorization
• The plan document should contain the following information:
- Specific systems to be tested
- Risks that are involved
- When the tests are performed and overall timeline
- How the tests are performed
- How much knowledge of systems you have before you start testing
- What is done when a major vulnerability is discovered
- The specific deliverables – e.g. security assessment reports, higher
level report outlining the general vulnerabilities to be addressed,
countermeasures that should be implemented
• When selecting systems to test, start with the most critical or vulnerable
systems
• For example, an ethical hacker can test passwords or attempt social
engineering attacks before drilling down into more detailed system
Selecting Tools
• The right tools should be selected for the ethical hacking process
• The ethical hacker should know the powers and limitations of the selected
tools
• Many tools generate false positives and negatives
• Some tools may miss vulnerabilities
• Many tools focus on specific tests, but no single tool can test
everything, so a set of specific tools is required
• The more tools there are, the easier ethical hacking efforts are
• To crack passwords, one needs a cracking tool such as LC4, John the
Ripper or pwdump
• For in-depth analysis of a web application, a web application
assessment tool such as Whisker or WebInspect is more appropriate
than a network analyzer such as Ethereal

Executing the plan


• Executing the ethical hacking plan needs a lot of time and patience
• The ethical hacker has to make sure to keep everything as quiet and private
as possible
• While transmitting and storing the test results, the ethical hacker should
either password protect them or encrypt the emails or files using
Pretty Good Privacy (PGP) or similar
• The ethical hacker should start with a broad view and then narrow down the
focus
• The ethical hacker may search the Internet for the organization’s name, computer
and network system names and IP addresses
• Then he may narrow the scope by targeting specific systems
• He may perform the actual scan and other tests on the systems
• After finding a loophole, he may perform the actual attack

Evaluating Results
• Assess the result to see what has been uncovered
• Evaluating the result and correlating the specific vulnerabilities
discovered is a skill that gets better with experience
• Submit a formal report to upper management or customer, outlining the
results
Moving on
• When finished with ethical hacking tests, one still needs to implement
his/her analysis and recommendations to make systems secure
• New security vulnerabilities continuously appear
• At any time, everything can change, especially after software upgrades,
adding computer systems or applying patches.
• So plan to test regularly
CRACKING THE HACKER MINDSET
• Knowing what hackers and malicious users want helps to understand
how they work
• This understanding better prepares for ethical hacking tests
• Hackers can be classified by both their abilities and underlying
motivations
• Some are skilled and their motivations are benign; they may be hacking
for the pursuit of knowledge and thrill of the challenge
• At the other end, hackers with malicious intent may hack for political,
social, competitive and financial purposes
• Malicious hackers are usually a few steps ahead of the technology
designed to protect the systems
Examples of how hackers work:
• Evading an Intrusion Prevention System by changing their MAC address
or IP address every few minutes to get into the network without being
completely blocked
• Exploiting a physical security weakness
• Bypassing web access controls by changing a malicious site’s URL into
its dotted decimal IP address equivalent
• Using unauthorized software that would otherwise be blocked at the
firewall by changing the default TCP port that it runs on
• Setting up a wireless “evil twin” near a local Wi-Fi hotspot to attract
Internet surfers onto a rogue network where their information can be
captured and misused
• Using an overly trusting colleague’s user ID and password to gain access
to sensitive information
• Unplugging the power cord or Ethernet connection to a networked
security camera that monitors access to the computer room or other
sensitive area and subsequently gaining unmonitored access
• Performing SQL injection or password cracking against a website
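
The dotted decimal bypass listed above works only when a web filter compares host names and nothing else. The sketch below is an added example, not part of the original slides: it puts a name-only check beside a hardened one that also matches IP-literal hosts and fails closed on numeric hosts that are not canonical dotted decimal. The site names, addresses and function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data: blocked site names and the addresses they resolve to
# (example names and RFC 5737 documentation addresses, not real indicators).
BLOCKED_HOSTS = {
    "bad.example": {"203.0.113.10"},
    "worse.example": {"198.51.100.7"},
}
BLOCKED_IPS = {
    ipaddress.ip_address(ip) for ips in BLOCKED_HOSTS.values() for ip in ips
}


def _host(url):
    """Lower-cased host of the URL without a trailing dot ('' if absent)."""
    return (urlsplit(url).hostname or "").rstrip(".")


def naive_verdict(url):
    """Name-only filter: the weak form that an IP-literal URL slips past."""
    return "block" if _host(url) in BLOCKED_HOSTS else "allow"


def hardened_verdict(url):
    """Match blocked names and the addresses behind them; fail closed."""
    host = _host(url)
    if not host or host in BLOCKED_HOSTS:
        return "block"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # Host is an IP literal: compare with the blocked sites' addresses.
        return "block" if addr in BLOCKED_IPS else "allow"
    last_label = host.rsplit(".", 1)[-1]
    if last_label.isdigit() or last_label.startswith("0x"):
        # Looks numeric but is not a canonical address: refuse to guess.
        return "block"
    return "allow"
```

In a real deployment the address set would be refreshed from DNS or a threat feed rather than hard-coded.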

Hacker’s job is easy because of


• Widespread use of networks and Internet connectivity
• Anonymity provided by computer systems working over the Internet and
often on the internal network
• Greater number and availability of hacking tools
• Large number of open wireless networks that help hackers cover their tracks
• Computer savvy children
• Unlikelihood that attackers will be investigated and prosecuted if caught

Hackers often remain anonymous by using


• Borrowed or stolen remote desktop and VPN accounts from friends or
previous employees
• Public computers at libraries, schools, Internet cafes etc.
• Open wireless networks, Internet proxy servers
• Anonymous or disposable e-mail accounts from free email services
• Infected computers, also called zombies or bots, at other organizations
• Workstations or servers on the victim’s own network
