EC-Council’s Certified Ethical Hacker (CEH)


Page 1

EC-Council’s Certified Ethical Hacker (CEH)

Richard Henson

[email protected]

May 2012

Page 2

Session 1

This will cover:
- Structure of the course
- Principles of hacking ethically
- CEH ethical hacker’s toolkit and dummy client site
- “Footprinting” and reconnaissance
- Scanning networks

Page 3

Certificate of Attendance

Certificate achieved through:
- attending the seminars
- doing the “lab” exercises

Page 4

CEH qualification

Achieved through:
- certificate of attendance
- passing the examination (can be taken at any time at a recognised Pearson VUE test centre; can be retaken; cost: approx. £120)

Page 5

Ethical Hacking Principles

Hacking is a criminal offence in the UK, covered by the Computer Misuse Act 1990 and tightened by the Police and Justice Act 2006.

It can only be done “legally” with the authorisation of the system’s owner. Being a trained (or trainee) professional, or a computing student, does not by itself put anyone outside the Act: what the law looks at is whether the access was authorised, not who did it.

Page 6

Ethical Hacking principles

Even if it is legal, that doesn’t mean it is ethical!

Professionals do not hack without permission. Even a reasonable belief that a law is being broken does not authorise access under the Computer Misuse Act: the right response is to report the suspicion, not to probe the system. If permission has not been asked for and granted, the activity is definitely unethical (and very likely illegal).

Page 7

Ethical Hacking Principles

What is “hacking”? Breaching a computer system without permission.

How is it done? Using software tools to get through the security of the system.

The same activity, done with the owner’s written permission and within an agreed scope, is called penetration testing.

Page 8

Course Toolkit

This course provides access to penetration testing tools, and a body of knowledge that shows how to use them:
- theory: covered by these slides
- practical: exercises provided; up to you to work through them

Together these provide the expertise to penetration test a client’s site.

Dummy site: http://www.certifiedhacker.com

Page 9

Preparing to use the Toolkit

You’ll need to install the following on a computer to do the exercises:
- Windows Server 2008 (base OS) running Hyper-V
- Windows 7 (as a VM, virtual machine)
- Windows XP (as a VM)
- Windows Server 2003 (as a VM)
- BackTrack Linux (as a VM)

All the Windows versions and the virtual machine platform are available to download through MSDN.

Guidance is in the CEHintro.pdf file.

Page 10

Virtualisation (Hyper-V on Windows Server 2008, Citrix, VMware, etc.)

The use of software to allow one piece of hardware to run multiple operating system images at the same time:
- possible to run a Windows OS under Mac OS
- run multiple versions of Windows on the same PC

Enables the creation of a “virtual” (rather than actual) version of any software environment on the desktop, e.g. an operating system, a server, a storage device, a network or an application.

Page 11

What and Why of Footprinting

Definition: “gathering information about a target system”.

Can be passive (non-penetrative: using only what is already public, so the target sees nothing) or active (sending traffic to the target, which can be logged).

Aim: find out as much as possible about the digital and physical evidence of the target’s existence:
- need to use multiple sources
- may (“black hat” hacking) need to be done secretly

Page 12

What to Gather

- Domain names
- User/group names
- System names
- IP addresses
- Employee details / company directory
- Network protocols used, and where the VPN starts and finishes
- Company documents
- Intrusion detection system used

Page 13

Rationale for “passive” Footprinting

A real attacker may be able to gather what they need from public sources alone, so the organisation needs to know what is “out there”.

Methodology:
- start by finding the URL (search engine), e.g. www.worc.ac.uk
- from the main website, find other external-facing names, e.g. staffweb.worc.ac.uk

Page 14

Website Connections & History

History: use www.archive.org (the Wayback Machine) to see earlier versions of the site, including pages and host names since removed.

Connections: use robtex.com to map the domain’s DNS, mail and hosting relationships.

Business intelligence: sites that reveal company details, e.g. www.companieshouse.gov.uk

Page 15

More Company Information…

“Whois” and CheckDNS.com: lookups of IP/DNS combinations, giving
- details of who owns a domain name
- details of DNS zones and subdomains

Job hunters’ websites, e.g. www.reed.co.uk, www.jobsite.co.uk, www.totaljobs.com (vacancy adverts list the technologies the company runs)

Page 16

People Information

Company information will reveal names; use the names in search engines, Facebook and LinkedIn.

Google Earth reveals company location(s).

Page 17

Physical Network Information (“active” footprinting, i.e. probing)

External “probing” should be detectable by a good defence system… (could be embarrassing!)

e.g. traceroute:
- sends packets with an increasing IP TTL; each router that decrements the TTL to zero discards the packet and returns an ICMP “Time Exceeded” message, and the source address of that message reveals the hop
- Windows tracert uses ICMP Echo Requests as the probes, so it needs no TCP or UDP port; Unix traceroute sends UDP datagrams to high ports by default, and TCP variants exist for getting through firewalls that only pass TCP
- reveals names/IP addresses of intelligent hardware, e.g. routers, gateways and the firewalls in front of a DMZ; hops that drop the probes or the replies show up as * * *
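The TTL mechanism described above, written out as an added example that is not part of the course material or its toolkit: a minimal UDP traceroute in the style of the Unix tool, in Python. The raw ICMP socket needs root, so the network part will only run with that privilege; `build_icmp_packet` constructs a sample reply offline for testing rather than capturing one, and the function names and the 192.0.2.10 destination address are this example’s own.

```python
import socket
import struct

ICMP_TIME_EXCEEDED = 11   # a router discarded the probe because its TTL hit zero
ICMP_DEST_UNREACH = 3     # the final host answered; code 3 = UDP port unreachable
ICMP_PORT_UNREACH = 3


def classify_icmp(packet: bytes):
    """Classify a raw IPv4+ICMP datagram as delivered by a SOCK_RAW ICMP socket.

    Returns (kind, source_ip): 'time_exceeded' for an intermediate router,
    'port_unreachable' when the destination itself answered, else 'other'.
    (Real traceroute also checks the quoted UDP header so it ignores ICMP
    meant for other processes; that check is omitted here.)
    """
    ihl = (packet[0] & 0x0F) * 4                     # IPv4 header length in bytes
    source_ip = socket.inet_ntoa(packet[12:16])      # the hop that sent the ICMP
    icmp_type, icmp_code = struct.unpack("!BB", packet[ihl:ihl + 2])
    if icmp_type == ICMP_TIME_EXCEEDED:
        return "time_exceeded", source_ip
    if icmp_type == ICMP_DEST_UNREACH and icmp_code == ICMP_PORT_UNREACH:
        return "port_unreachable", source_ip
    return "other", source_ip


def build_icmp_packet(source_ip: str, icmp_type: int, icmp_code: int) -> bytes:
    """Construct a minimal IPv4+ICMP datagram for offline testing (not a capture)."""
    ip_header = struct.pack("!BBHHHBBH4s4s",
                            0x45, 0, 28, 0, 0, 64, socket.IPPROTO_ICMP, 0,
                            socket.inet_aton(source_ip), socket.inet_aton("192.0.2.10"))
    icmp_header = struct.pack("!BBHHH", icmp_type, icmp_code, 0, 0, 0)
    return ip_header + icmp_header


def traceroute(destination: str, max_hops: int = 30, base_port: int = 33434,
               timeout: float = 2.0):
    """UDP traceroute: one probe per TTL, stop when the destination answers."""
    dest_ip = socket.gethostbyname(destination)
    hops = []
    for ttl in range(1, max_hops + 1):
        icmp_in = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
        udp_out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
        icmp_in.settimeout(timeout)
        udp_out.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        try:
            udp_out.sendto(b"", (dest_ip, base_port + ttl))
            packet, _ = icmp_in.recvfrom(512)
            kind, hop_ip = classify_icmp(packet)
        except socket.timeout:
            kind, hop_ip = "timeout", None           # a firewall dropped the probe or the reply
        finally:
            udp_out.close()
            icmp_in.close()
        hops.append((ttl, hop_ip, kind))
        if kind == "port_unreachable" or hop_ip == dest_ip:
            break
    return hops


def hop_names(hops):
    """Reverse-resolve each hop: the router names are the intelligence footprinting is after."""
    named = []
    for ttl, ip, kind in hops:
        if ip is None:
            named.append((ttl, "*", kind))
            continue
        try:
            name = socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            name = ip
        named.append((ttl, f"{name} ({ip})", kind))
    return named


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.certifiedhacker.com"
    for ttl, label, kind in hop_names(traceroute(target)):
        print(f"{ttl:2d}  {label}  [{kind}]")
```

Every probe and every ICMP reply crosses the target’s perimeter, which is why this counts as active footprinting: an IDS watching for UDP to the 33434+ range, or for a burst of packets with tiny TTLs, will log exactly the address the probes come from.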

Page 18

Email Footprinting

Using the email system to find the organisation’s email name structure.

“passive”: monitor emails sent by the organisation
- the IP source address (the Received: headers name the internal and edge mail servers the message passed through)
- the structure of the address (e.g. first.last@ or flast@), which lets other employees’ addresses be predicted from their names

“active”: email-sending programs
- test whether email addresses actually exist (bounces, or the server’s responses to SMTP VRFY / RCPT TO)
- test restrictions on attachments
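The passive side of this slide, reading the Received: chain and inferring the address convention, as an added Python example that is not part of the course material. The message, host names, addresses and IP addresses are constructed for the example (documentation ranges and example domains), not a real capture; the convention labels and function names are this example’s own.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture). Received: headers are prepended
# as the message travels, so the lowest one was added nearest the sender.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [203.0.113.25])
\tby mx.partner.example (Postfix) with ESMTPS id 4F2C1
\tfor <bob@partner.example>; Mon, 14 May 2012 09:12:01 +0100
Received: from EXCH01.corp.example.org (10.20.30.5)
\tby mail.example.org with Microsoft SMTP Server id 14.1.339.1
From: "Alice Smith" <alice.smith@example.org>
To: bob@partner.example
Subject: Re: contract
Message-ID: <7F3A2B@EXCH01.corp.example.org>

Thanks Bob.
"""

HOST_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def first_valid_ipv4(text):
    """First dotted quad with all octets <= 255 (skips version strings like 14.1.339.1)."""
    for candidate in IPV4_RE.findall(text):
        if all(int(octet) <= 255 for octet in candidate.split(".")):
            return candidate
    return None


def received_hops(raw_message: str):
    """(host, ip) per Received: header, origin first: the internal server shows up
    before the Internet-facing relay."""
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        host = HOST_RE.search(header)
        hops.append((host.group(1) if host else None, first_valid_ipv4(header)))
    return hops


def message_id_host(raw_message: str):
    """Message-ID is minted by the originating server and often leaks its internal name."""
    mid = message_from_string(raw_message).get("Message-ID", "")
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", mid)
    return match.group(1) if match else None


# Candidate local-part conventions; the labels are this example's own.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first":      lambda f, l: f,
}


def infer_naming_convention(samples):
    """samples: (full_name, address) pairs seen in signatures or headers.
    Returns the convention that explains most of them, or None."""
    votes = Counter()
    for full_name, address in samples:
        local = parseaddr(address)[1].split("@")[0].lower()
        parts = full_name.lower().split()
        if len(parts) < 2:
            continue                         # a bare first name fixes no convention
        first, last = parts[0], parts[-1]
        for label, fmt in PATTERNS.items():
            if fmt(first, last) == local:
                votes[label] += 1
    return votes.most_common(1)[0][0] if votes else None


def guess_address(full_name: str, convention: str, domain: str) -> str:
    """Predict an address from the convention; it still has to be verified, not assumed."""
    parts = full_name.lower().split()
    return f"{PATTERNS[convention](parts[0], parts[-1])}@{domain}"


if __name__ == "__main__":
    print(received_hops(SAMPLE_MESSAGE))
    print(message_id_host(SAMPLE_MESSAGE))
    convention = infer_naming_convention([("Alice Smith", "alice.smith@example.org"),
                                          ("Dan Brown", "<dan.brown@example.org>")])
    print(convention, guess_address("Carol Jones", convention, "example.org"))
```

From one outbound message the sample yields an internal Exchange host name and its RFC 1918 address, the edge relay and its public address, and the naming convention; all of it gathered without a single packet sent to the organisation.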

Page 19

Utilizing Google etc. (“passive”)

Google advanced search operators: [site:] [intitle:] [allintitle:] [inurl:]. In each case a search string should follow, e.g. site:worc.ac.uk “password”, which confines the results to the target’s own pages.

Maltego: graphical representations of the gathered data (people, domains, hosts, addresses) and the links between them.

Page 20

Network Layers and Hacking

Schematic of the TCP/IP stack interacting at three of the 7 OSI levels:
- application: TELNET, FTP, NFS, DNS, SNMP, SMTP
- transport: TCP, UDP (each application protocol is reached through a port)
- network: IP

Page 21

TCP & UDP ports

Attackers get through firewalls by talking to the services the firewall has to allow through, so it is essential to know which service lives on which port. The important ones:

  20, 21   ftp          80       http        389   ldap
  22       ssh          88       kerberos    443   https
  23       telnet       110      pop3        636   ldap/ssl
  25       smtp         135      ms-rpc      445   smb
  53       dns          137-139  netbios
  69       tftp         161      snmp

Page 22

Reconnaissance/Scanning

Three types of scan:
- Network (already mentioned): identifies active hosts
- Port: sends client requests (e.g. TCP connection attempts) to each port in turn and records which ones answer, i.e. which services are listening
- Vulnerability: assessment of the devices found for weaknesses that can be exploited

Page 23

Scanning Methodology

1. Check for live systems
2. Check for open ports
3. “Banner grabbing”: read what each open service announces, to identify the software and version
4. Scan for vulnerabilities
5. Draw network diagram(s)
6. Prepare proxies… (to route later testing through, so it does not come straight from your own address)
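Steps 1 to 3 of the methodology (a live system answering, which ports are open, and what each service announces) as an added Python example that is not the course toolkit: a threaded TCP connect scanner with banner grabbing. To make it runnable offline it brings its own fake SSH listener on localhost and a bound-but-not-listening port; the function names and the banner string are this example’s own.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def grab_banner(sock, timeout=1.0, max_bytes=256):
    """Read whatever the service volunteers on connect (SSH, SMTP and FTP all announce themselves)."""
    sock.settimeout(timeout)
    try:
        return sock.recv(max_bytes).decode("utf-8", errors="replace").strip()
    except OSError:
        return ""                            # silent services (HTTP etc.) need a request first


def probe_port(host, port, timeout=0.5):
    """TCP connect scan of one port: (port, 'open'|'closed'|'filtered', banner)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return port, "filtered", ""      # no SYN/ACK and no RST: something drops packets
        except OSError:
            return port, "closed", ""        # RST came back: host is up, nothing listening
        return port, "open", grab_banner(s, timeout)


def scan(host, ports, workers=32):
    """Scan many ports concurrently; results sorted by port number."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return sorted(pool.map(lambda p: probe_port(host, p), ports))


def open_ports(results):
    """Just the (port, banner) pairs a tester would carry forward to vulnerability scanning."""
    return [(port, banner) for port, state, banner in results if state == "open"]


# --- local fixtures so the scanner can be exercised offline ---------------------------

def start_banner_server(banner: bytes, host="127.0.0.1"):
    """Listen on an ephemeral port and greet every client with `banner` (a fake SSH daemon)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                       # server socket closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def reserve_closed_port(host="127.0.0.1"):
    """Bind without listen(): connects to this port get RST, i.e. reliably 'closed'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    server, ssh_port = start_banner_server(b"SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1\r\n")
    holder, closed_port = reserve_closed_port()
    for port, state, banner in scan("127.0.0.1", [closed_port, ssh_port]):
        print(f"{port:5d}/tcp  {state:8s}  {banner}")
    server.close()
    holder.close()
```

A connect scan completes the TCP handshake, so every probe appears in the service’s own logs as well as on the firewall; that is the detectability the earlier slide warns about, and the reason the methodology ends with preparing proxies. The three states map directly onto what a defence does: “closed” means the host is reachable and a RST came back, “filtered” means something dropped the probe and the tester learns nothing except that a filter exists.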

Page 24

Now you try it!

- Download the software through MSDN
- Set up your ethical hacking toolkit
- Go through lab 1
- Gather evidence that you’ve done the lab
- Bring the evidence to the June meeting…