EC-Council’s Certified Ethical Hacker (CEH)

Post on 05-Jan-2016


EC-Council’s Certified Ethical Hacker (CEH). Richard Henson r.henson@worc.ac.uk May 2012. Session 1. This will cover: Structure of the course Principles of hacking ethically CEH ethical hackers toolkit and dummy client site “Footprinting” and reconnaissance Scanning networks. - PowerPoint PPT Presentation

Transcript of EC-Council’s Certified Ethical Hacker (CEH)

EC-Council’s Certified Ethical Hacker (CEH)

Richard Henson

r.henson@worc.ac.uk

May 2012

Session 1

This will cover:
- Structure of the course
- Principles of hacking ethically
- CEH ethical hacker’s toolkit and dummy client site
- “Footprinting” and reconnaissance
- Scanning networks

Certificate of Attendance

Certificate achieved through:
- attending the seminars
- doing the “lab” exercises

CEH qualification

Achieved through:
- certificate of attendance
- passing the examination (take any time at recognised Pearson or Vue centres)
  - can retake…
  - cost: approx £120

Ethical Hacking Principles

- Hacking is a criminal offence in the UK, covered by the Computer Misuse Act (1990) and tightened by further legislation (2006)
- It can only be done ”legally” by a trained (or trainee) professional
  - a computing student would be considered a trainee in this context under the law

Ethical Hacking principles

- Even if it is legal, that doesn’t mean it is ethical!
- Professionals only hack without permission if there is reason to believe a law is being broken
  - if not… they must ask permission
  - otherwise it is definitely unethical (and possibly illegal)

Ethical Hacking Principles

- What is “hacking”?
  - breaching a computer system without permission
- How is it done?
  - using software tools to get through the security of the system
  - also called penetration testing (if done with permission…)

Course Toolkit

- This course provides access to penetration testing tools
- Also a body of knowledge that shows how to use them…
  - theory: covered by these slides
  - practical: exercises provided; up to you to work through them
- Together, these provide the expertise to penetration test a client’s site
- Dummy site: http://www.certifiedhacker.com

Preparing to use the Toolkit

You’ll need to install the following on a computer to do the exercises:
- Windows 2008 Server (basic OS) running Hyper-V
- Windows 7 (as VM – Virtual Machine)
- Windows XP (as VM)
- Windows 2003 Server (as VM)
- Backtrack and Linux (as VM)

All the Windows versions and the virtual machine platform are available to download using MSDN

Guidance is in the CEHintro.pdf file

Virtualisation (Hyper-V on Windows 2008 Server, Citrix, VMware, etc.)

- The use of software to allow a piece of hardware to run multiple operating system images at the same time
  - possible to run Windows OS under Mac OS
  - run multiple versions of Windows OS on the same PC
- Enables the creation of a “virtual” (rather than actual) version of any software environment on the desktop, e.g. operating systems, a server, a storage device or network, an application

What and Why of Footprinting

- Definition: “Gathering information about a ‘target’ system”
- Could be passive (non-penetrative) or active
- Find out as much information about the digital and physical evidence of the target’s existence as possible
  - need to use multiple sources…
  - may (“black hat” hacking) need to be done secretly

What to Gather

- Domain names
- User/group names
- System names
- IP addresses
- Employee details / company directory
- Network protocols used & VPN start/finish
- Company documents
- Intrusion detection system used

Rationale for “passive” Footprinting
- A real hacker may be able to gather what they need from public sources
- The organisation needs to know what is “out there”
- Methodology:
  - start by finding the URL (search engine), e.g. www.worc.ac.uk
  - from the main website, find other external-facing names, e.g. staffweb.worc.ac.uk

Website Connections & History

- History: use www.archive.org: The Wayback Machine
- Connections: use robtex.com
- Business Intelligence: sites that reveal company details, e.g. www.companieshouse.co.uk

More Company Information…

- “Whois” & CheckDNS.com: lookups of IP/DNS combinations
  - details of who owns a domain name
  - details of DNS zones & subdomains
- Job hunters’ websites: e.g. www.reed.co.uk, www.jobsite.co.uk, www.totaljobs.com

People Information

- Company information will reveal names
- Use names in search engines, Facebook, LinkedIn
- Google Earth reveals: company location(s)

Physical Network Information (“active” footprinting or phishing)

- External “probing” should be detectable by a good defence system… (could be embarrassing!)
- e.g. Traceroute:
  - uses the ICMP protocol “echo”: no TCP or UDP port
  - reveals names/IP addresses of intelligent hardware, e.g. routers, gateways, DMZs

Email Footprinting

Using the email system to find the organisation’s email name structure
- “passive”: monitor emails sent
  - IP source address
  - structure of name
- “active”: email sending programs
  - test whether email addresses actually exist
  - test restrictions on attachments
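Added example (not from the slides): what a passive observer learns from a single outbound message, i.e. the “IP source address” and “structure of name” points above, plus the relay chain the Received headers expose. It parses a constructed e-mail with Python’s standard library; every host, address and name in it is made up, and the RFC 1918 check is how this example separates internal relays from the public gateway.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from ipaddress import ip_address, ip_network

# Constructed sample message; every host, address and name is made up.
SAMPLE_MAIL = """\
Received: from mail-gw.example.co.uk (mail-gw.example.co.uk [203.0.113.10])
\tby mx.partner.example (Postfix) with ESMTPS; Tue, 15 May 2012 09:14:02 +0100
Received: from EXCH01.corp.example.local (10.20.30.5) by
\tmail-gw.example.co.uk with Microsoft SMTP Server id 14.1.355.2
Received: from WS-FIN-042.corp.example.local (10.20.31.88) by
\tEXCH01.corp.example.local with mapi
From: "Jane Smith" <jane.smith@example.co.uk>
Cc: "Bob Jones" <bob.jones@example.co.uk>
X-Mailer: Microsoft Office Outlook 12.0

Please find the order attached.
"""

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses, i.e. hosts behind the organisation's NAT."""
    return any(ip_address(ip) in net for net in RFC1918)

def received_hops(msg) -> list:
    """(hostname, ip, internal?) per 'Received: from ...' clause, newest relay first."""
    hops = []
    for hdr in msg.get_all("Received", []):
        from_clause = re.split(r"\s+by\s+", hdr, maxsplit=1)[0]  # keep only 'from ...'
        host = re.search(r"from\s+(\S+)", from_clause, re.I).group(1)
        ips = IPV4_RE.findall(from_clause)
        ip = ips[0] if ips else ""
        hops.append((host, ip, bool(ip) and is_internal(ip)))
    return hops

def footprint(raw: str) -> dict:
    """What a passive observer learns from one message (the points on the slide above)."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    addrs = [a for _, a in getaddresses(msg.get_all("From", []) + msg.get_all("Cc", []))]
    pattern = ("firstname.lastname" if all(re.fullmatch(r"[a-z]+\.[a-z]+", a.split("@")[0])
               for a in addrs) else "other")
    return {
        "relays": hops,
        "internal_hosts": [h for h, _, internal in hops if internal],
        "domains": sorted({a.split("@", 1)[1] for a in addrs}),
        "address_pattern": pattern,
        "mail_client": msg.get("X-Mailer", ""),
    }
```

Run the same function over your own organisation’s outbound mail to see which internal hostnames and address conventions leave with every message.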

Utilizing Google etc. (“passive”)

- Google: Advanced Search options use [site:] [intitle:] [allintitle:] [inurl:]
  - in each case a search string should follow, e.g. “password”
- Maltego: graphical representations of data

Network Layers and Hacking

Schematic (figure): the TCP/IP stack interacting at three of the 7 OSI levels (network, transport, application):
- application: TELNET, FTP, SMTP, NFS, DNS, SNMP
- transport: TCP, UDP (ports)
- network: IP

TCP & UDP ports

Hackers use these to get inside firewalls etc. Essential to know the important ones:

20, 21  ftp
22      ssh
23      telnet
25      smtp
53      dns
60      tftp
80      http
88      Kerberos
110     pop3
135     smb
137-9   NetBIOS
161     snmp
389     Ldap
443     https
636     Ldap/SSL

Reconnaissance/Scanning

Three types of scan:
- Network (already mentioned): identifies active hosts
- Port: send client requests until a suitable active port has been found…
- Vulnerability: assessment of devices for weaknesses that can be exploited

Scanning Methodology

- Check for live systems
- Check for open ports
- “Banner grabbing”
- Scan for vulnerabilities
- Draw network diagram(s)
- Prepare proxies…
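Added example (not from the slides) of the defensive side of the “check for live systems” and “check for open ports” steps, and of the earlier point that external probing should be detectable: a sliding-window correlation over a constructed firewall log that flags a host sweep (network scan) and a port scan. The log format, thresholds and window are this example’s assumptions, not the course’s.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log (time src dst dport action); every address is made up.
SAMPLE_LOG = """\
2012-05-15T09:00:01 198.51.100.7 203.0.113.20 22 DROP
2012-05-15T09:00:01 198.51.100.7 203.0.113.20 23 DROP
2012-05-15T09:00:02 198.51.100.7 203.0.113.20 25 ACCEPT
2012-05-15T09:00:02 198.51.100.7 203.0.113.20 80 ACCEPT
2012-05-15T09:00:03 198.51.100.7 203.0.113.20 110 DROP
2012-05-15T09:00:03 198.51.100.7 203.0.113.20 135 DROP
2012-05-15T09:00:04 198.51.100.7 203.0.113.20 139 DROP
2012-05-15T09:00:04 198.51.100.7 203.0.113.20 389 DROP
2012-05-15T09:00:05 198.51.100.7 203.0.113.20 443 ACCEPT
2012-05-15T09:00:05 198.51.100.7 203.0.113.20 3389 DROP
2012-05-15T09:00:20 198.51.100.9 203.0.113.21 445 DROP
2012-05-15T09:00:20 198.51.100.9 203.0.113.22 445 DROP
2012-05-15T09:00:21 198.51.100.9 203.0.113.23 445 DROP
2012-05-15T09:00:21 198.51.100.9 203.0.113.24 445 DROP
2012-05-15T09:00:22 198.51.100.9 203.0.113.25 445 ACCEPT
2012-05-15T09:05:00 192.0.2.44 203.0.113.20 443 ACCEPT
2012-05-15T09:05:02 192.0.2.44 203.0.113.20 80 ACCEPT
"""

WINDOW = timedelta(seconds=60)  # events from one source within this span are correlated
PORT_SCAN_MIN = 8               # distinct destination ports on one host
HOST_SWEEP_MIN = 5              # distinct destination hosts on one port

def parse(log: str):
    """Yield (timestamp, src, dst, dport) per well-formed line; skip the rest."""
    for line in log.splitlines():
        f = line.split()
        if len(f) == 5 and f[3].isdigit():
            yield datetime.fromisoformat(f[0]), f[1], f[2], int(f[3])

def detect_scans(log: str) -> list:
    """Flag a 'port scan' (one src -> one dst, many ports) or a 'host sweep'
    (one src -> one port, many dsts) inside any WINDOW; return (kind, src, pivot, peak)."""
    by_key = defaultdict(list)  # (kind, src, pivot) -> [(ts, distinct item)]
    for ts, src, dst, dport in parse(log):
        by_key[("port scan", src, dst)].append((ts, dport))
        by_key[("host sweep", src, dport)].append((ts, dst))
    alerts = []
    for (kind, src, pivot), events in by_key.items():
        events.sort()
        # peak number of distinct ports/hosts seen in any window starting at an event
        peak = max(len({item for ts, item in events[i:] if ts - t0 <= WINDOW})
                   for i, (t0, _) in enumerate(events))
        if peak >= (PORT_SCAN_MIN if kind == "port scan" else HOST_SWEEP_MIN):
            alerts.append((kind, src, pivot, peak))
    return sorted(alerts, key=lambda a: (a[0], a[1], str(a[2])))
```

The two benign connections from 192.0.2.44 stay below both thresholds, which is the trade-off any such rule makes between catching slow scans and paging on normal traffic.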

Now you try it!

- Download software through MSDN
- Set up your ethical hacking toolkit
- Go through lab 1
- Gather evidence that you’ve done the lab
- Bring evidence to the June meeting…