EC-Council’s Certified Ethical Hacker (CEH)
Richard Henson r.henson@worc.ac.uk
May 2012
Session 1
• This will cover:
  • Structure of the course
  • Principles of hacking ethically
  • CEH ethical hackers toolkit and dummy client site
  • “Footprinting” and reconnaissance
  • Scanning networks
Certificate of Attendance
• Certificate achieved through:
  • attending the seminars
  • doing the “lab” exercises
CEH qualification
• Achieved through:
  • certificate of attendance
  • passing the examination (take any time at recognised Pearson or Vue centres)
  • can retake…
  • cost: approx £120
Ethical Hacking Principles
• Hacking is a criminal offence in the UK
  • covered through The Computer Misuse Act (1990)
  • tightened by further legislation (2006)
• It can only be done “legally” by a trained (or trainee) professional
  • a computing student would be considered in this context under the law
Ethical Hacking principles
• Even if it is legal, that doesn’t mean it is ethical!
• Professionals only hack without permission if there is reason to believe a law is being broken
  • if not… they must ask permission
  • otherwise definitely unethical (and possibly illegal)
Ethical Hacking Principles
• What is “hacking”?
  • breaching a computer system without permission
• How is it done?
  • using software tools to get through the security of the system
  • also called penetration testing (if done with permission…)
Course Toolkit
• This course provides access to penetration testing tools
• Also a body of knowledge that shows how to use them…
  • theory: covered by these slides
  • practical: exercises provided; up to you to work through them
• Together, these provide the expertise to penetration test a client’s site
• Dummy site: http://www.certifiedhacker.com
Preparing to use the Toolkit
• You’ll need to install the following on a computer to do the exercises:
  • Windows 2008 Server (basic OS) running Hyper-V
  • Windows 7 (as VM – Virtual Machine)
  • Windows XP (as VM)
  • Windows 2003 Server (as VM)
  • Backtrack and Linux (as VM)
• All the Windows versions and the virtual machine platform are available to download using MSDN
• Guidance in the CEHintro.pdf file
Virtualisation (Hyper-V on Windows 2008 Server, Citrix, VMware, etc.)
• The use of software to allow a piece of hardware to run multiple operating system images at the same time
  • possible to run Windows OS under Mac OS
  • run multiple versions of Windows OS on the same PC
• Enables the creation of a “virtual” (rather than actual) version of any software environment on the desktop, e.g. operating systems, a server, a storage device or network, an application
What and Why of Footprinting
• Definition:
  • “Gathering information about a ‘target’ system”
• Could be passive (non-penetrative) or active
• Find out as much information about the digital and physical evidence of the target’s existence as possible
  • need to use multiple sources…
  • may (“black hat” hacking) need to be done secretly
What to Gather
• Domain names
• User/group names
• System names
• IP addresses
• Employee details / company directory
• Network protocols used & VPN start/finish points
• Company documents
• Intrusion detection system used
Rationale for “passive” Footprinting
• A real hacker may be able to gather what they need from public sources
  • the organisation needs to know what is “out there”
• Methodology:
  • start by finding the URL (search engine)
    • e.g. www.worc.ac.uk
  • from the main website, find other external-facing names
    • e.g. staffweb.worc.ac.uk
Website Connections & History
• History: use www.archive.org:
  • The Wayback Machine
• Connections: use robtex.com
• Business intelligence:
  • sites that reveal company details
  • e.g. www.companieshouse.co.uk
More Company Information…
• “Whois” & CheckDNS.com:
  • lookups of IP/DNS combinations
  • details of who owns a domain name
  • details of DNS zones & subdomains
• Job hunters’ websites:
  • e.g. www.reed.co.uk
  • www.jobsite.co.uk
  • www.totaljobs.com
People Information
• Company information will reveal names
• Use names in:
  • search engines
  • Facebook
  • LinkedIn
• Google Earth reveals:
  • company location(s)
Physical Network Information (“active” footprinting or phishing)
• External “probing”
  • should be detectable by a good defence system… (could be embarrassing!)
  • e.g. traceroute:
    • uses ICMP protocol “echo”
    • no TCP or UDP port
    • reveals names/IP addresses of intelligent hardware:
      • e.g. routers, gateways, DMZs
Email Footprinting
• Using the email system to find the organisation’s email naming structure
  • “passive”: monitor emails sent
    • IP source address
    • structure of name
  • “active”: email sending programs:
    • test whether email addresses actually exist
    • test restrictions on attachments
Utilizing Google etc. (“passive”)
• Google: Advanced Search options:
  • uses [site:] [intitle:] [allintitle:] [inurl:]
  • in each case a search string should follow
    • e.g. “password”
• Maltego
  • graphical representations of data
Network Layers and Hacking
• Schematic TCP/IP stack interacting at three of the 7 OSI levels (network, transport, application):
  [Diagram: layered stack]
  Application: TELNET, FTP, SMTP | NFS, DNS, SNMP
  Transport (ports): TCP | UDP
  Network: IP
TCP & UDP ports
• Hackers use these to get inside firewalls etc.
• Essential to know the important ones:
  20, 21  ftp        80     http       389  Ldap
  22      ssh        88     Kerberos   443  https
  23      telnet     110    pop3       636  Ldap/SSL
  25      smtp       135    smb
  53      dns        137-9  NetBIOS
  60      tftp       161    snmp
Reconnaissance/Scanning
• Three types of scan:
  • Network (already mentioned)
    • identifies active hosts
  • Port
    • send client requests until a suitable active port has been found…
  • Vulnerability
    • assessment of devices for weaknesses that can be exploited
Scanning Methodology
• Check for live systems
• Check for open ports
• “Banner grabbing”
• Scan for vulnerabilities
• Draw network diagram(s)
• Prepare proxies…
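The slides note that external probing "should be detectable by a good defence system". As an added example (not part of these slides or the CEH material), here is the defender's side of the open-port check above: a small detector run over a constructed iptables-style firewall log that flags any source touching several distinct destination ports and labels them with the service names from the ports slide. The log field layout and the five-port threshold are assumptions.

```python
import re
from collections import defaultdict

# Service names for the port numbers listed on the "TCP & UDP ports" slide
PORT_NAMES = {
    20: "ftp-data", 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns",
    80: "http", 88: "kerberos", 110: "pop3", 135: "smb", 161: "snmp",
    389: "ldap", 443: "https", 636: "ldap/ssl",
}

# Constructed sample firewall log (iptables-style fields); addresses are documentation ranges
SAMPLE_LOG = """\
Jun 01 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jun 01 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jun 01 10:00:01 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jun 01 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jun 01 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=80 SYN
Jun 01 10:00:02 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40006 DPT=443 SYN
Jun 01 10:00:03 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=UDP SPT=40007 DPT=161
Jun 01 10:00:05 fw kernel: IN=eth0 SRC=192.0.2.5 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80 SYN
Jun 01 10:00:06 fw kernel: IN=eth0 SRC=192.0.2.5 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=443 SYN
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=\d+ DPT=(\d+)")

def parse_events(log_text):
    """Yield (src, dst, proto, dport) for every line that carries the expected fields."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))

def find_port_scanners(log_text, threshold=5):
    """Map each source to the sorted distinct destination ports it touched, keeping
    only sources at or above the threshold (one source, many ports = scan signature)."""
    touched = defaultdict(set)
    for src, _dst, _proto, dport in parse_events(log_text):
        touched[src].add(dport)
    return {src: sorted(p) for src, p in touched.items() if len(p) >= threshold}

def label_ports(ports):
    """Render ports as 'port/service' using the slide's port list, 'unknown' otherwise."""
    return [f"{p}/{PORT_NAMES.get(p, 'unknown')}" for p in ports]

if __name__ == "__main__":
    for src, ports in find_port_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {', '.join(label_ports(ports))}")
```

A normal client (192.0.2.5 here) only ever reaches the two web ports, so it stays below the threshold; lowering the threshold trades fewer missed scans for more false alarms.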
Now you try it!
• Download software through MSDN
• Set up your ethical hacking toolkit
• Go through lab 1
• Gather evidence that you’ve done the lab
• Bring evidence to the June meeting…