If you know the enemy and know yourself, you need not fear the result of a hundred battles.
ABSTRACT:
The explosive growth of the Internet has brought many good things: electronic commerce, easy access to vast stores of reference material, collaborative computing, e-mail, and new avenues for advertising and information distribution. As with most technological advances, there is also a dark side: criminal hackers. Governments, companies, and private citizens around the world are anxious to be a part of this revolution, but they are afraid that some hacker will break into their Web server and replace their logo with pornography, read their
from an on-line shopping site, or implant software that will secretly transmit their organization's secrets to the open internet. With these concerns and others, the ethical hacker can help. This paper describes ethical hackers: their skills, their attitudes, and how they go about helping their customers find and plug up security holes.
CONTENT:
INTRODUCTION ETHICAL HACKING
When ethical is placed in front of the term hacking it denotes moral activity. Unethical hacking has no permission to intrude on systems. Ethical hacking includes permission to intrude such as contracted consulting services, hacking contests, and beta testing. If there is no permission to intrude, ethical hackers still find ad hoc ways to become aware of the system security of other systems. The end goal of ethical hackers is to learn system vulnerabilities so that they can be repaired for community self-interest, and as a side-product also the common good. Networked systems are dependent upon each other for system security, so awareness of the security of machines within one's community-of-interest is not entirely altruistic but rather concerned with system security.
INTRODUCTION:
Unauthorized computer intrusions are considered illegal in all but the most desperate of circumstances. Once hacking ability is used to commit a crime the hacker becomes a criminal. Criminal hackers or crackers gain unauthorized access to systems primarily to seek financial gain, but recently other motivations of crackers have been categorized, such as seeking to subvert systems, doing damage (vandalism), promoting political causes (hacktivism), and acting as an agent of a foreign state (cyber terrorism and information warfare). The misapplication of the term cracker to a law-abiding hacker is due to celebrated incidents of unauthorized intrusions into computer systems that have been incorrectly attributed to hackers due to the extensive programming skill needed to achieve success.
HACKERS :
Hacker refers to a person who enjoys learning the details of computer systems and stretching their capabilities.
HACKING:
Hacking describes the rapid development of new programs or the reverse engineering of already existing software to make the code better and more efficient.
ETHICAL HACKING:
An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners, seeking vulnerabilities that a malicious hacker could exploit. Ethical hacking is also known as penetration testing, intrusion testing and red teaming. An ethical hacker is sometimes called a white hat, a term that comes from old Western movies, where the "good guy" wore a white hat and the "bad guy" wore a black hat.
DENIAL OF SERVICE:
An attack with which an attacker renders a system unusable or significantly slows down the system. Methods include: flooding a network; bandwidth/throughput attacks; protocol attacks; software vulnerability attacks; disrupting connections between two machines; preventing a particular individual from accessing a service.
SOCIAL ENGINEERING:
It is the art of using influence and persuasion to deceive people for the purpose of obtaining information or getting them to perform some action. Even with all firewalls, authentication processes and VPNs, companies are still wide open to attacks. Humans are the weakest link in the security chain. It is the hardest form of
Automated Attacks
basic questions: 1. What can an intruder see on the target systems? 2. What can an intruder do with that information? 3. Does anyone at the target notice the intruder's attempts or successes?
While the first and second of these are clearly important, the third is even more important: If the owners or operators of the target systems do not notice when someone is trying to break in, the intruders can, and will, spend weeks or months trying and will usually eventually succeed.
given on fixing vulnerabilities and minimizing the risk. A penetration test could focus exclusively on your web applications. This could be done at various levels
PENETRATION TESTING:
Fig 2: TESTING
Penetration testing is a unique approach to solving network security problems. Without a security assessment such as this or a security audit it is impossible to implement adequate security measures. Penetration testing includes vulnerability check and analysis, together with emulating the threat that a would-be attacker takes. The service covers but is not limited to network security testing and system security testing, wireless network security testing, web application inspection, authentication
GREY-BOX TESTING:
Often enough, a web application involves authentication and authorization components. In order to be able to test these, we request a dummy user account with the least level of privileges within the application. Using this account, we are able to log in and test for various flaws in the authentication scheme, as well as attempt to escalate our privileges and bypass authorization restrictions.
Advice and support on implementation of security measures
Both onsite and offsite testing
Full manual and automated testing of your network
Remote access testing
Clear and understandable reports
BENEFITS:
Allow management to understand the organization's susceptibility to Internet-based attacks and the ability to withstand such attacks.
Fig 3: Steps
Allow identification and
Increase availability,
Facilitate the design and priority on implementing safeguards based on realistic and practical needs.
STEPS INVOLVED IN PENETRATION TESTING:
A penetration test is divided into four stages which involve the ethical hacker simulating all known techniques
STEP 1: RECONNAISSANCE
The first and foremost step for a penetration test is reconnaissance. The main objective is to gather information about the target system which can be used in a malicious manner to gain access to the target systems. Successful reconnaissance can often be achieved through passive steps such as social engineering. Here, the hacker will attempt to probe relevant personnel into revealing sensitive information. Unlisted phone numbers, passwords and even sensitive network information are often divulged by unsuspecting employees and managers. Other techniques used include dumpster diving where an organization's redundant sensitive information such as passwords.
Active reconnaissance refers to the probing of a network in order to detect possible routes to access. These may include: accessible hosts; open ports; location of routers; OS details; details of services.
STEP 2: SCANNING AND ENUMERATION
Scanning refers to the stage where the hacker scans the network with specific information gathered from the reconnaissance phase. Scanning and enumeration are intelligent ways of gathering sensitive information about the target company's network architecture. Information relating to the company's IP addresses, OS, DNS servers and zone transfer information can sometimes be extracted using specialist techniques that fall into this category. Scanning can essentially be considered the rational extension of reconnaissance.
Scanning involves steps such as intelligent system port scanning, which is used to determine open ports and vulnerable services. In this stage the attacker can use different automated tools to discover system vulnerabilities. Other techniques used in this phase include: network mapping; sweeping; use of dialers; vulnerability scanners.
At the end of this stage an intelligent attack strategy is compiled based upon relevant findings. The risk to a network if this stage of a real-life security attack was successful is considered to be very high. At the end of this stage the hacker would have established the points of entry with which to launch an attack.
or dialers. The penetration tester might need to use sniffer techniques in order to capture data packets from the target network. This is the most important stage of penetration testing in terms of establishing the potential damage to the target systems. During a real security breach it would be this stage where the hacker can utilize simple techniques to cause irreparable damage to the target system. What a hacker could and could not do would primarily depend on four influencing factors: architecture; configuration of the target system; individual skill of the hacker; initial level of access obtained.
In order that the target company's security engineer or network administrator cannot detect the evidence of attack, the hacker needs to delete log files and replace system binaries with Trojans. The attacker can use automated scripts and automated tools for hiding attack evidence and also to create backdoors for further attack.
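Deleted log entries and replaced system binaries are both visible to a defender who keeps a baseline. The following is an added example, not part of the original paper: it records a hash, size and inode for each watched file and reports changed binaries and shrunken logs. The file names and the scenario in `demo()` are constructed, and the baseline is assumed to be stored off the monitored host.

```python
import hashlib, os, tempfile
from pathlib import Path

def snapshot(paths):
    """Record SHA-256, size and inode per file (keep the result off the monitored host)."""
    snap = {}
    for p in map(Path, paths):
        st = p.stat()
        snap[str(p)] = {"sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                        "size": st.st_size, "inode": st.st_ino}
    return snap

def compare(baseline, binaries, logs):
    """Return a sorted list of (path, finding) for files that differ from the baseline."""
    findings = []
    for path in binaries:
        old = baseline.get(path)
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif old is None:
            findings.append((path, "not-in-baseline"))
        elif snapshot([path])[path]["sha256"] != old["sha256"]:
            findings.append((path, "binary-modified"))
    for path in logs:
        old = baseline.get(path)
        if not os.path.exists(path):
            findings.append((path, "log-missing"))
            continue
        new = snapshot([path])[path]
        # Append-only logs should only grow; a smaller file means entries were removed.
        if old and new["size"] < old["size"]:
            findings.append((path, "log-truncated"))
        elif old and new["inode"] != old["inode"]:
            findings.append((path, "log-replaced"))  # can also be normal rotation
    return sorted(findings)

def demo():
    """Constructed scenario in a temp directory: one swapped binary, one trimmed log."""
    with tempfile.TemporaryDirectory() as d:
        ls, ps, log = (os.path.join(d, n) for n in ("ls", "ps", "auth.log"))
        Path(ls).write_bytes(b"original ls")
        Path(ps).write_bytes(b"original ps")
        Path(log).write_text("login ok\nlogin failed\nlogin failed\n")
        base = snapshot([ls, ps, log])
        Path(ps).write_bytes(b"replaced ps")   # simulates a swapped binary
        Path(log).write_text("login ok\n")     # simulates removed log entries
        return [(os.path.basename(p), f) for p, f in compare(base, [ls, ps], [log])]
```

The comparison is only as trustworthy as the baseline and the tool doing the hashing, so both belong on a system the intruder cannot modify; forwarding logs to a separate collector covers the case where the local copy is erased entirely.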
ADVANTAGES:
Ethical hacking will reveal the flaws of what is being hacked (software, a website, a network, etc.) without actually causing any damage. An ethical hacker will find the flaw and report it to the owner so that it can be fixed as soon as possible.
CONCLUSION:
Security is a kind of trade-off which has to be taken care of. Even if we build security into the business, the quality should not be trimmed down. This is applicable for both the service provider and the organization. Hacking has entered the age of mass production. People strongly disagree as to what a hacker is. Hacking may be defined as legal or illegal, ethical or unethical. With the present poor security on the internet, ethical hacking may be the most effective way to proactively plug security holes and prevent intrusions.