EC-Council’s Certified Ethical Hacker (CEH)
Richard Henson
[email protected]
May 2012
Session 1

This will cover:

- Structure of the course
- Principles of hacking ethically
- CEH ethical hackers toolkit and dummy client site
- “Footprinting” and reconnaissance
- Scanning networks

Certificate of Attendance

Certificate achieved through:

- attending the seminars
- doing the “lab” exercises

CEH qualification

Achieved through:

- certificate of attendance
- passing the examination (take any time at recognised Pearson or Vue centres)
- can retake…
- cost: approx £120

Ethical Hacking Principles

- Hacking is a criminal offence in the UK
  - covered through The Computer Misuse Act (1990)
  - tightened by further legislation (2006)
- It can only be done “legally” by a trained (or trainee) professional
  - a computing student would be considered in this context under the law

Ethical Hacking Principles

- Even if it is legal, that doesn’t mean it is ethical!
- Professionals only hack without permission if there is reason to believe a law is being broken
  - if not… they must ask permission
  - otherwise definitely unethical (and possibly illegal)

Ethical Hacking Principles

- What is “hacking”?
  - breaching a computer system without permission
- How is it done?
  - using software tools to get through the security of the system
  - also called penetration testing (if done with permission…)

Course Toolkit

- This course provides access to penetration testing tools
- Also a body of knowledge that shows how to use them…
  - theory: covered by these slides
  - practical: exercises provided; up to you to work through them
- Together, provide the expertise to penetration test a client’s site
  - Dummy site: http://www.certifiedhacker.com

Preparing to use the Toolkit

- You’ll need to install the following on a computer to do the exercises:
  - Windows 2008 Server (basic OS) running Hyper-V
  - Windows 7 (as VM – Virtual Machine)
  - Windows XP (as VM)
  - Windows 2003 Server (as VM)
  - Backtrack and Linux (as VM)
- All the Windows versions and virtual machine platform are available to download using MSDN
- Guidance in CEHintro.pdf file

Virtualisation (Hyper-V on Windows 2008 Server, Citrix, VMware, etc.)

- The use of software to allow a piece of hardware to run multiple operating system images at the same time
  - Possible to run Windows OS under Mac OS
  - run multiple versions of Windows OS on the same PC
- Enables the creation of a “virtual” (rather than actual) version of any software environment on the desktop, e.g. Operating Systems, a server, a storage device or networks, an application

What and Why of Footprinting

- Definition:
  - “Gathering information about a ‘target’ system”
  - Could be passive (non-penetrative) or active
- Find out as much information about the digital and physical evidence of the target’s existence as possible
  - need to use multiple sources…
  - may (“black hat” hacking) need to be done secretly

What to Gather

- Domain Names
- User/Group names
- System Names
- IP addresses
- Employee Details/Company Directory
- Network protocols used & VPN start/finish
- Company documents
- Intrusion detection system used

Rationale for “passive” Footprinting

- Real hacker may be able to gather what they need from public sources
  - organisation needs to know what is “out there”
- Methodology:
  - start by finding the URL (search engine)
    - e.g. www.worc.ac.uk
  - from main website, find other external-facing names
    - e.g. staffweb.worc.ac.uk

Website Connections & History

- History: use www.archive.org:
  - The Wayback Machine
- Connections: use robtex.com
- Business Intelligence:
  - sites that reveal company details
  - e.g. www.companieshouse.co.uk

More Company Information…

- “Whois” & CheckDNS.com:
  - lookups of IP/DNS combinations
  - details of who owns a domain name
  - details of DNS Zones & subdomains
- Job hunters websites:
  - e.g. www.reed.co.uk
  - www.jobsite.co.uk
  - www.totaljobs.com

People Information

- Company information will reveal names
- Use names in
  - search engines
  - Facebook
  - LinkedIn
- Google Earth reveals:
  - company location(s)

Physical Network Information (“active” footprinting or phishing)

- External “probing”
  - should be detectable by a good defence system… (could be embarrassing!)
- e.g. Traceroute:
  - Uses ICMP protocol “echo”
    - no TCP or UDP port
  - reveals names/IP addresses of intelligent hardware:
    - e.g. Routers, Gateways, DMZs

Email Footprinting

- Using the email system to find the organisation’s email names structure
  - “passive”: monitor emails sent
    - IP source address
    - structure of name
  - “active” email sending programs:
    - test whether email addresses actually exist
    - test restrictions on attachments

Utilizing Google etc. (“passive”)

- Google: Advanced Search options:
  - Uses [site:] [intitle:] [allintitle:] [inurl:]
  - In each case a search string should follow, e.g. “password”
- Maltego
  - graphical representations of data

Network Layers and Hacking

Schematic TCP/IP stack interacting at three of the 7 OSI levels (network, transport, application):

[Diagram: TELNET, FTP, SMTP, NFS, DNS and SNMP at the application level, each reaching TCP or UDP through a port (marked X); TCP and UDP run over IP]

TCP & UDP ports

- Hackers use these to get inside firewalls etc.
- Essential to know the important ones:
  - 20, 21 ftp
  - 22 ssh
  - 23 telnet
  - 25 smtp
  - 53 dns
  - 60 tftp
  - 80 http
  - 88 Kerberos
  - 110 pop3
  - 135 smb
  - 137-9 NetBIOS
  - 161 snmp
  - 389 Ldap
  - 443 https
  - 636 Ldap/SSL

Reconnaissance/Scanning

- Three types of scan:
  - Network (already mentioned)
    - identifies active hosts
  - Port
    - send client requests until a suitable active port has been found…
  - Vulnerability
    - assessment of devices for weaknesses that can be exploited

Scanning Methodology

- Check for Live Systems
- Check for open ports
- “Banner Grabbing”
- Scan for vulnerabilities
- Draw Network diagram(s)
- Prepare proxies…
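
Added example, not part of the original slides: a small detector for the network and port scans described above, the kind of check behind the earlier point that external probing should be detectable by a good defence system. The log format, the thresholds, the 60-second window and the addresses (documentation ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed log format (not from the slides): <ISO time> <ALLOW|DENY> <proto> <src> -> <dst>[:<port>]
LINE_RE = re.compile(r"^(\S+) (?:ALLOW|DENY) (?:TCP|UDP|ICMP) (\S+) -> ([\d.]+)(?::(\d+))?$")
# Constructed sample traffic using documentation address ranges.
SAMPLE_LOG = "\n".join(
    [f"2012-05-14T10:00:{i:02d} DENY TCP 198.51.100.7 -> 192.0.2.10:{p}"
     for i, p in enumerate([21, 22, 23, 25, 80, 443])]
    + [f"2012-05-14T10:05:{i:02d} DENY ICMP 203.0.113.9 -> 192.0.2.{h}"
       for i, h in enumerate(range(10, 15))]
    + ["2012-05-14T10:09:00 ALLOW TCP 198.51.100.44 -> 192.0.2.10:80",
       "2012-05-14T10:09:05 ALLOW TCP 198.51.100.44 -> 192.0.2.10:443"])

def parse(log_text):
    """Yield (time, src, dst, port or None) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(port) if port else None

def classify_sources(log_text, window=timedelta(seconds=60), min_hosts=4, min_ports=5):
    """Return {src: [labels]} for sources that scan within one time window."""
    by_src = defaultdict(list)
    for event in parse(log_text):
        by_src[event[1]].append(event)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        labels = set()
        for i, first in enumerate(events):
            hosts, ports = set(), defaultdict(set)
            for ts, _, dst, port in events[i:]:
                if ts - first[0] > window:
                    break
                hosts.add(dst)
                if port is not None:
                    ports[dst].add(port)
            if len(hosts) >= min_hosts:      # many hosts touched: network scan
                labels.add("network scan")
            if any(len(p) >= min_ports for p in ports.values()):
                labels.add("port scan")      # many ports on one host
        if labels:
            findings[src] = sorted(labels)
    return findings

if __name__ == "__main__":
    print(classify_sources(SAMPLE_LOG))
```

The thresholds and window are starting points to tune against the normal traffic of the network being monitored.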

Now you try it!

- Download software through MSDN
- Set up your ethical hacking toolkit
- Go through lab 1
- Gather evidence that you’ve done the lab
- Bring evidence to the June meeting…