
1/14/15

Instructor: Dr. Avinash Srinivasan

ETHICAL HACKING AND INTRUSION DETECTION/FORENSICS

Chapter Objectives

Identify
  components of TCP/IP computer networking
  fundamentals of security policies
  essential terminology associated with ethical hacking

Understand
  basic elements of information security
  incident management steps

Define
  ethical hacker and classifications of hackers
  five stages of ethical hacking
  types of system attacks

Lecture Outline

Fundamentals of TCP/IP Networks
Fundamentals of Information Security
Ethical Hacking Basics and Terminology
System Attacks - Taxonomy
Cyber Crime Laws
  U.S. Federal Laws
  International Laws

Networking 101

OSI Reference Model: 7 layers
TCP/IP Model: 4 layers

TRANSPORT LAYER

Overview

At the transport layer, two methods of data transfer are available:
1. Connectionless UDP
2. Connection-oriented TCP

TCP vs UDP

UDP Header

TCP Header

TCP 3-way Handshake

3-way Handshake PCAP file

NETWORK LAYER

IPv4 Header
  Minimum length = 20 bytes
  Maximum length = 60 bytes

IPv6 Header

LINK LAYER

Ethernet Frame Format

Ethernet Frames in Transit

End-to-End Communication

(Figure: end-to-end encapsulation. The Sender splits the Message into Seg-1, Seg-2, ... Seg-n; each segment gets a Header to form Packet-1, Packet-2, ... Packet-n; the Receiver strips the Headers and reassembles the Message from Seg-1 ... Seg-n.)

Application/User Data Encapsulation
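The header layouts and the 3-way handshake are shown in the lecture only as figures. The Python parser below is an added example, not part of the original slides: it decodes an IPv4 header while enforcing the 20 to 60 byte header-length rule stated on the IPv4 slide, decodes the TCP header carried inside it, and walks a sequence of packets to confirm a SYN, SYN/ACK, ACK exchange whose sequence and acknowledgement numbers agree. The packets are constructed in the block with struct rather than read from the lecture's PCAP file; the addresses, ports and sequence numbers are made up, and parse_ipv4, parse_tcp, build_ipv4_tcp and handshake_state are the example's own names.

```python
import struct

IP_MIN_HDR = 20          # IHL = 5 words, no options
IP_MAX_HDR = 60          # IHL = 15 words, maximum options
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_ipv4(data: bytes) -> dict:
    """Decode the fixed part of an IPv4 header and locate the payload.

    Enforces the lecture's rule that the header is 20..60 bytes long; a
    packet whose IHL claims more bytes than are present is rejected.
    """
    if len(data) < IP_MIN_HDR:
        raise ValueError("truncated IPv4 header")
    version, ihl = data[0] >> 4, (data[0] & 0x0F) * 4
    if version != 4:
        raise ValueError(f"not IPv4 (version field = {version})")
    if not IP_MIN_HDR <= ihl <= IP_MAX_HDR or ihl > len(data):
        raise ValueError(f"invalid IHL: header length {ihl} bytes")
    total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!HHHBBH", data[2:12])
    if total_len < ihl or total_len > len(data):
        raise ValueError("total length inconsistent with header/packet size")
    return {
        "header_len": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, data[12:16])), "dst": ".".join(map(str, data[16:20])),
        "payload": data[ihl:total_len],
    }


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and return the set flags by name."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    flags = {name for name, bit in TCP_FLAGS.items() if off_flags & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "payload": segment[data_off:]}


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flag_names, payload=b""):
    """Constructed test packet: option-less IPv4 header around an option-less TCP header."""
    flags = sum(TCP_FLAGS[n] for n in flag_names)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + tcp


def handshake_state(packets) -> str:
    """Walk packets in capture order and track the 3-way handshake.

    Returns 'established' only for SYN -> SYN/ACK -> ACK where each side
    acknowledges the other's initial sequence number + 1. Any other packet
    at any stage yields 'invalid'; a missing final ACK leaves the state at
    'syn_received', i.e. a half-open connection.
    """
    state, isn_client, isn_server = "closed", None, None
    for raw in packets:
        ip = parse_ipv4(raw)
        if ip["proto"] != 6:              # not TCP: ignore
            continue
        tcp = parse_tcp(ip["payload"])
        f = tcp["flags"]
        if state == "closed" and f == {"SYN"}:
            isn_client, state = tcp["seq"], "syn_sent"
        elif state == "syn_sent" and f == {"SYN", "ACK"} and tcp["ack"] == isn_client + 1:
            isn_server, state = tcp["seq"], "syn_received"
        elif (state == "syn_received" and f == {"ACK"}
              and tcp["seq"] == isn_client + 1 and tcp["ack"] == isn_server + 1):
            state = "established"
        else:
            return "invalid"
    return state


# Constructed handshake between a made-up client and server (not the lecture's PCAP)
CLIENT, SERVER = "192.0.2.10", "192.0.2.80"
HANDSHAKE = [
    build_ipv4_tcp(CLIENT, SERVER, 40000, 80, 1000, 0, ["SYN"]),
    build_ipv4_tcp(SERVER, CLIENT, 80, 40000, 5000, 1001, ["SYN", "ACK"]),
    build_ipv4_tcp(CLIENT, SERVER, 40000, 80, 1001, 5001, ["ACK"]),
]

if __name__ == "__main__":
    print(parse_ipv4(HANDSHAKE[0]))
    print(handshake_state(HANDSHAKE))
```

The IHL check matters for anything that dissects traffic: a forged header whose IHL points past the end of the packet would otherwise send the TCP parser into bytes that are not there, so the length is validated before any slicing.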

Information Security 101

Information Security Concepts

Security / Functionality / Ease-of-Use Triangle

The more secure something gets, the less usable and functional it becomes.
Want to completely secure a computer?
  Leave it in the box and never turn it on :)
Want to make the system easy for anyone and everyone to use?
  Be prepared for the inevitable security breach.

Objective

Start in the middle of the triangle.
If you move the point toward Security, you move away from Functionality and Ease-of-Use.
If you move the point toward Ease-of-Use, you move away from Security and Functionality.

Axiom: as security increases, the system's functionality and ease of use decrease.

Risk Analysis and Mitigation

ELEMENTS OF RISK

Goal: identify what risks are present, quantify them on a measurement scale, and come up with solutions to mitigate, eliminate, or accept the risks.
To fully accomplish the goal:
  be aware of the three basic elements of risk: asset, threat, and vulnerability
  combine them with the probability of an attack and the impact of a successful attack
  identify the associated risks as high, medium, or low.

Risk Analysis Matrix Example

Terminology

Asset: an item of economic value owned by an organization or an individual.

Threat: any agent, circumstance, or situation that could cause harm or loss to an IT asset.
  Two broad classes: Human and Natural

Vulnerability: any weakness, such as a software flaw or a logic design error, that could be exploited by a threat to cause damage to an asset.

Security Controls
1. Preventive
   Example: smartcard for authentication, encryption, etc.
2. Detective
   Example: alarm bells for unauthorized access to a physical location, alerts on unauthorized access to resources, and audits.
3. Corrective
   Example: designed for swift recovery - backups and restore options.

Security Controls
1. Physical
   Example: guards, lights, cameras, etc.
2. Technical
   Example: encryption, smartcards, and access control lists.
3. Administrative
   Example: training, awareness, and policy.

Security Triad

The three most widely accepted requirements of Information Systems security:
1. Confidentiality (C)
2. Integrity (I)
3. Availability (A)

Known as the CIA of Security, or the Security Triad.

CIA constitutes the hallmarks of security we strive for.

Security Triad (figure: C, I and A surrounding Data & Services)

Confidentiality

Measures taken to prevent the disclosure of information or data to unauthorized individuals or systems.

Most common method to enforce confidentiality:
  user ID + password based authentication; however, this is applicable only to data at rest.

Confidentiality

Usefulness of login credentials (user ID + password):
  helps in confidentiality preservation

If another user accesses your login credentials (user ID + password), it leads to a confidentiality breach.

Impact of a confidentiality breach:
1. Unauthorized access to resources
2. Attacker could masquerade as you throughout the session

Confidentiality

Various other enhanced security measures used for providing confidentiality include:
1. Encryption
   data-in-transit
   data-at-rest
2. Biometrics
   data-at-rest
3. Smart Cards
   data-at-rest

Integrity

Refers to methods & actions taken to protect information from unauthorized alteration.
Applies to both data-at-rest and data-in-transit.

Purpose of integrity measures:
  ensure data sent by the sender arrives at the receiver without any alteration.

Integrity

Example:
  A buying agent sends an e-mail to a customer with an offer price of $300.
  An attacker alters the offer price (in transit) to $3,000.
  Integrity breach (security failure).

Most common method to enforce integrity:
  through the use of a hash
  e.g., MD5, SHA1, SHA2, etc.
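The offer-price example, worked in Python as an added example that is not part of the lecture. It makes the caveat behind "through the use of a hash" concrete: a plain SHA-256 digest detects alteration when the digest reaches the receiver intact, but an attacker who can rewrite the message in transit can recompute an unkeyed hash just as easily, so detecting the $300 to $3,000 change against an active attacker needs a keyed MAC (HMAC) with a key the attacker does not hold. The messages and the key are constructed; digest, verify_digest, mac and verify_mac are the example's own names.

```python
import hashlib
import hmac

OFFER = b"Offer price: $300"
TAMPERED = b"Offer price: $3,000"     # what the in-transit attacker substitutes
KEY = b"constructed-shared-secret"    # shared out of band between agent and customer (constructed)


def digest(message: bytes) -> str:
    """Unkeyed integrity value (the hash the lecture mentions), using SHA-256 from the SHA-2 family."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, expected: str) -> bool:
    # compare_digest avoids timing side channels when comparing the hex strings
    return hmac.compare_digest(digest(message), expected)


def mac(key: bytes, message: bytes) -> str:
    """Keyed integrity value: HMAC-SHA256 over the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, message), tag)


def corruption_detected_by_hash() -> bool:
    """Digest delivered over a trusted channel (or computed before a bit flip) catches the alteration."""
    sent_tag = digest(OFFER)
    return not verify_digest(TAMPERED, sent_tag)       # True: mismatch detected


def active_attacker_beats_plain_hash() -> bool:
    """If the digest travels with the message, whoever alters the message can refresh it too."""
    received_msg, received_tag = TAMPERED, digest(TAMPERED)
    return verify_digest(received_msg, received_tag)   # True: the breach goes undetected


def active_attacker_caught_by_hmac() -> bool:
    """Without KEY the attacker cannot produce a valid tag for the altered message."""
    tag_from_sender = mac(KEY, OFFER)
    return not verify_mac(KEY, TAMPERED, tag_from_sender)  # True: breach detected


if __name__ == "__main__":
    print("plain hash, out-of-band digest, detected:", corruption_detected_by_hash())
    print("plain hash, digest sent with message, detected:", not active_attacker_beats_plain_hash())
    print("HMAC, detected:", active_attacker_caught_by_hmac())
```

MD5 and SHA-1 appear on the slide; both have practical collision attacks, so new designs use SHA-2 or SHA-3 and keep the older algorithms only for verifying legacy values.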

Availability

Refers to the communications systems (resources) and data being ready for use when legitimate users need them.

Many methods are used to ensure availability:
  The method used depends on the element under consideration:
  1. System
  2. Network resource
  3. Data

Availability

All methods attempt to ensure one thing:
  when a system or data is needed, it can be accessed by appropriate personnel.

Note: All availability attacks fall under Denial-of-Service (DoS).

Denial of Service (DoS) Attack

An attack against Availability.

Designed to prevent legitimate users from having access to a computer resource or service.

DoS can take many forms:
1. Consume all available bandwidth
2. Destroy authentication methods
3. Unplug the system/hardware
4. Unsuccessful login attempts with incorrect credentials lock the user's account
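Item 4 is the availability failure mode that a lockout policy itself creates: if failed logins lock the account no matter where they come from, anyone who knows a username can lock its owner out. The Python below is an added example, not from the lecture, contrasting that naive policy with one that throttles per user and source within a time window. The attempt log, usernames and addresses are constructed, and NaiveAccountLockout, SourceAwareThrottle and run are the example's own names.

```python
from collections import defaultdict

LOCK_THRESHOLD = 5          # failures before action is taken
WINDOW_SECONDS = 300        # sliding window for the throttled policy


class NaiveAccountLockout:
    """Locks the account after LOCK_THRESHOLD failures from anyone, until an admin resets it."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user, source, password_ok, now):
        if user in self.locked:
            return "locked"             # even the correct password is refused
        if password_ok:
            self.failures[user] = 0
            return "success"
        self.failures[user] += 1
        if self.failures[user] >= LOCK_THRESHOLD:
            self.locked.add(user)
        return "fail"


class SourceAwareThrottle:
    """Counts recent failures per (user, source); only that source is throttled, and only for a while."""

    def __init__(self):
        self.failures = defaultdict(list)   # (user, source) -> timestamps of failures

    def attempt(self, user, source, password_ok, now):
        key = (user, source)
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        self.failures[key] = recent
        if len(recent) >= LOCK_THRESHOLD:
            return "throttled"
        if password_ok:
            self.failures[key] = []
            return "success"
        recent.append(now)
        return "fail"


def run(policy, attempts):
    """Feed (user, source, password_ok, time) tuples to a policy; return the list of outcomes."""
    return [policy.attempt(*a) for a in attempts]


# Constructed attempt log: five wrong passwords for "alice" from 203.0.113.7 (t = 0..40 s),
# then alice herself logging in correctly from 198.51.100.4 at t = 60 s.
ATTEMPTS = [("alice", "203.0.113.7", False, t) for t in range(0, 50, 10)] + \
           [("alice", "198.51.100.4", True, 60)]

if __name__ == "__main__":
    print("naive lockout:  ", run(NaiveAccountLockout(), ATTEMPTS))
    print("source throttle:", run(SourceAwareThrottle(), ATTEMPTS))
```

Per-source throttling on its own is weakened by an attacker who spreads attempts over many sources, so it is normally combined with a temporary (not permanent) account-level slowdown, a second authentication factor, and an alert on the burst of failures, which is itself the detection signal for this kind of DoS.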

Additional Concepts:
1. Authenticity: a security requirement verifying that
   users are who they say they are
   each input arriving came from a trusted source

2. Accountability
   A security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
   Supports:
     nonrepudiation, deterrence, fault isolation, IDS/IPS, and recovery & legal action

ACCESS CONTROL SYSTEMS

National Computer Security Center (NCSC): DoD worked with NSA in 1983 for the protection of (government) information.

This group created all sorts of security manuals and steps, and published them in a book series known as the Rainbow Series.

Orange Book: the centerpiece of the above effort, which held something known as the Trusted Computer System Evaluation Criteria (TCSEC).

TCSEC - A DoD Standard

Goal: sets basic requirements for testing the effectiveness of computer security controls built into a computer system.

Idea: if a computer system (network) was going to handle classified information, it needed to comply with basic security settings. TCSEC defined how to assess whether these controls were in place, and how well they worked.

The settings, evaluations and notices in the Orange Book survived all the way up to 2005.

Common Criteria (CC)

TCSEC was replaced by the Common Criteria for Information Technology Security Evaluation (aka Common Criteria, or CC).

Designed to provide assurance that:
  the system is designed, implemented, and tested according to a specific security level.
  It is the basis for government certifications; usually tested for US government agencies.

CC (cont.)

Evaluation Assurance Level (EAL):
  the controls and testing procedures a vendor follows to have their tools, applications, or computer systems evaluated when they wish to make a security declaration.
  Has seven levels (1-7).

ACCESS CONTROL IMPLEMENTATIONS

Mandatory Access Control (MAC)

The security policy is controlled by a security administrator.
Users can't set access controls themselves.
The OS restricts the ability of an entity.

Example:
  When an entity (process) attempts to access or alter an object (files, ports, etc.), the action is allowed only if the appropriate security attributes are in place.

Discretionary Access Control (DAC)

Allows users to set access controls on the resources they own or control.

A means of restricting access to objects based on the identity of subjects and/or the groups to which they belong.

Example:
  NTFS permissions on Windows machines, and the Unix use of users, groups, and read-write-execute permissions.
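The Unix users/groups/rwx example, modelled in Python as an added example that is neither the lecture's material nor real operating-system code. It shows the two properties that make the control discretionary: a subject is checked against exactly one permission class of the object (owner first, then group, then other, and the first match is final), and only the object's owner may change its permission bits. The users, groups and file are constructed; Subject, FileObject, dac_allows, set_mode and mode_string are the example's own names, and the root bypass that real systems have is deliberately left out.

```python
from dataclasses import dataclass

PERM_BITS = {"r": 4, "w": 2, "x": 1}


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset            # primary + supplementary groups


@dataclass
class FileObject:
    owner_uid: int
    group_gid: int
    mode: int                  # rwx bits for owner/group/other, e.g. 0o640


def permission_class(subj: Subject, obj: FileObject) -> str:
    """Unix picks one class and stops: owner match beats group membership beats 'other'."""
    if subj.uid == obj.owner_uid:
        return "owner"
    if obj.group_gid in subj.gids:
        return "group"
    return "other"


def dac_allows(subj: Subject, obj: FileObject, perm: str) -> bool:
    """Decide r/w/x access from the single class selected above (no root bypass in this model)."""
    shift = {"owner": 6, "group": 3, "other": 0}[permission_class(subj, obj)]
    return bool(((obj.mode >> shift) & 7) & PERM_BITS[perm])


def set_mode(actor: Subject, obj: FileObject, new_mode: int) -> int:
    """Discretionary: the object's owner decides who gets access; nobody else may change it."""
    if actor.uid != obj.owner_uid:
        raise PermissionError(f"uid {actor.uid} does not own the object")
    obj.mode = new_mode & 0o777
    return obj.mode


def mode_string(mode: int) -> str:
    """Render the bits the way ls -l does, e.g. 0o640 -> 'rw-r-----'."""
    out = []
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 7
        out.append("".join(ch if bits & b else "-" for ch, b in (("r", 4), ("w", 2), ("x", 1))))
    return "".join(out)


# Constructed subjects and object
ALICE = Subject(uid=1000, gids=frozenset({1000, 50}))   # owner, also a member of group 50
BOB = Subject(uid=1001, gids=frozenset({50}))           # group member only
EVE = Subject(uid=1002, gids=frozenset({1002}))         # neither owner nor group member
REPORT = FileObject(owner_uid=1000, group_gid=50, mode=0o640)

if __name__ == "__main__":
    print(mode_string(REPORT.mode))
    for who, s in (("alice", ALICE), ("bob", BOB), ("eve", EVE)):
        print(who, {p: dac_allows(s, REPORT, p) for p in "rwx"})
```

The first-match rule is the part reviewers most often get wrong: a file with mode 0o060 denies its own owner read access even though the owner belongs to the group, because the owner class was selected and the group class is never consulted.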

Security Policies
1. Information Security Policy
2. Information Protection Policy
3. Password Policy
4. E-mail Policy
5. Information Audit Policy

INTRODUCTION TO ETHICAL HACKING

The term "Ethical Hacking" was first coined by IBM.

Who needs Ethical Hackers?

Companies and government agencies ask for penetration tests for different reasons. Below are a few such reasons:
1. Accreditation Requirement:
   Sometimes rules and regulations force the issue.
   Example: HIPAA
2. Security Conscious Leadership:
   Wants to know just how well existing security controls are functioning.
3. After-the-fact Requirement:
   An effort to rebuild trust and reputation after a security breach has already occurred.

EC-Council Definition

An Ethical Hacker helps an organization take pre-emptive measures against malicious attacks by attacking the system himself.

An Ethical Hacker always stays within legal limits.

Renowned Ethical Hackers

Mark Abene
Eric Corley
Przemysław Frasunek
Raphael Gray
Kevin Mitnick
Robert Tappan Morris
Kevin Poulsen

Source: https://en.wikipedia.org/wiki/White_hat_(computer_security)

Hacker Classification: White, Gray, Black

Hackers are classified into three groups based on their intent.
1. Black Hat:
   Non-ethical hackers with malicious intentions
2. White Hat:
   Ethical hackers with good intentions + permission to hack
3. Gray Hat:
   Hackers that can flip-flop between black and white hat
   Don't have the owner's approval at any point in time
   Often feel a compelling social responsibility

Contract/Agreement

Owner Consent & Ethical Hacking

Always work within the confines of an agreement made with a client.
The client may restrict the types of attacks you can run:
  Example:
    Password hacks may be OK
    DoS may not be OK

Owner Consent & Ethical Hacking

An agreement is: a carefully laid-out plan, meticulously arranged and documented, to protect both the EH and the client.

An agreement isn't: a smile, a conversation, and a handshake just before you flip open a laptop and start hacking away.

BIG BIG NO

Attack Types

Once the EH is engaged, several different categories or labels are placed on the actual type of attack being used.

EC-Council broadly defines attacks in four categories:
1. Operating system attacks
2. Application-level attacks
3. Shrink-wrap code attacks
4. Misconfiguration attacks

Operating System Attacks

Target common mistakes users make when installing an OS: accepting default settings and configurations.
Example:
  administrator accounts with no passwords
  all ports left open
  guest accounts enabled/created

OSs are never released fully secure; hackers benefit from the potential for an old vulnerability in a newly installed OS.

Application Level Attacks

Attacks on the actual program code of an application.

Users secure their OS and network, but a vast majority often overlook the apps they are running.

Many apps aren't tested for vulnerabilities as part of their creation and can have vulnerabilities built into them.

Vulnerable apps on a network are a goldmine for most hackers.

Shrink-wrap Code Attacks

Take advantage of the built-in code and scripts which most off-the-shelf applications come with.

Scripts and code pieces are designed to make installation and administration easier.

The same scripts and code pieces can lead to vulnerabilities if not managed appropriately.

Misconfiguration Attacks

Take advantage of systems that, on purpose or by accident, are not configured appropriately for security.

Take advantage of the admin who simply wants to make things as easy as possible for the users:
  Leaves security settings at the lowest possible level
  Enables every service
  Opens all firewall ports

Note: It's certainly easier for the users, but creates a goldmine for the hacker.

Ethical Hacking Phases

Once an Ethical Hacker is within the assessment phase of the pen test, it's time to begin the actual attack: the Ethical Hack.

There are many different terms for these phases; EC-Council has defined the standard hack as having five separate phases.

Irrespective of the attacker's intentions, ethical (White Hat) or malicious (Black Hat), these five phases capture the full breadth of the attack.

Ethical Hacking Phases

Reconnaissance
Scanning & Enumeration
Gaining Access
Escalation of Privilege
Maintaining Access
Covering Tracks

RECONNAISSANCE (RECON) - PHASE 1

Overview

The most difficult phase to understand.

Steps taken to gather evidence and information on the targets you wish to attack.

Can be classified into:
1. Passive reconnaissance
2. Active reconnaissance

Passive reconnaissance
  Gathering information about your target without their knowledge.
  Example:
    Simply watch the outside of the building to see what physical security measures are in place.
    Search for information about the target on the Internet.
    Make DNS queries.

Active reconnaissance
  Uses tools and techniques that may or may not be discovered.
  Puts your activities at greater risk of discovery.
  Example:
    Walk up to the entrance or guard shack and try to open the door (or gate).

SCANNING & ENUMERATION - PHASE 2

Use recon information (phase 1) and actively apply tools and techniques to gather more in-depth information on the targets.

Example:
  Can be as simple as running a ping sweep or a network mapper to see what systems are on the network.
  Can also be as complex as running a vulnerability scanner to determine which ports may be open on a particular system.

GAINING ACCESS - PHASE 3

Attack targets enumerated during the scanning & enumeration phase (phase 2).

Example:
  Can be as simple as accessing an open and non-secured wireless AP and later manipulating it for other purposes,
  OR
  Can be as complex as writing and delivering a buffer overflow or SQL injection against a web application.

MAINTAINING ACCESS - PHASE 4

This phase is the hacker's attempt to ensure they have a way back into the already compromised machine or system.
Back doors are left open by the attacker for future use, especially if:
  the system in question has been turned into a zombie, and/or
  the system is used for further information gathering
    Ex: a sniffer placed on a compromised machine to watch traffic on a specific subnet.
Access can also be maintained through the use of Trojans, rootkits, or a number of other methods.

COVERING TRACKS - PHASE 5

Attackers attempt to conceal their success and avoid detection by security professionals.
Steps taken here include but are not limited to:
1. removing or altering log files, aka log scrubbing
2. hiding files with hidden attributes or directories
3. using tunneling protocols to communicate with the system

Auditing turned on:
  Log files are an indicator of attacks on a machine.
  Clearing log files completely is just as big an indicator of spurious activity.
  Selective editing of log files is your best bet.
  Another great method - simply corrupt the log file.

Phase 5 truly defines a good pen tester.
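The slide's point that cleared, edited or corrupted logs are themselves an indicator has a defender's counterpart, given here as an added example in Python that is not part of the lecture. It scans a log whose records carry a monotonically increasing sequence counter and reports sequence gaps (records removed), time regressions (records rewritten or inserted), unexplained silent periods (records deleted or logging stopped), explicit clear events, and unparseable lines (truncation or corruption). The seq= log format, the 10-minute silence threshold and the sample lines are all constructed; a real source would be checked for its own marker, for example Windows Security Event ID 1102, "The audit log was cleared".

```python
import re
from datetime import datetime, timedelta

# Constructed format: ISO timestamp, a per-host sequence counter, then the message text
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) seq=(?P<seq>\d+) (?P<msg>.*)$")
MAX_SILENCE = timedelta(minutes=10)         # assumption: the host normally logs at least this often
CLEAR_MARKERS = ("log cleared", "audit log was cleared")


def audit_log(lines):
    """Return (line_no, finding, detail) tuples for anything that breaks the log's continuity."""
    findings = []
    prev_seq = prev_ts = None
    for n, line in enumerate(lines, start=1):
        m = LINE_RE.match(line)
        if not m:
            findings.append((n, "unparseable", line))   # truncation/corruption leaves junk lines
            continue
        seq, ts, msg = int(m["seq"]), datetime.fromisoformat(m["ts"]), m["msg"]
        if prev_seq is not None and seq != prev_seq + 1:
            findings.append((n, "sequence_gap", f"expected seq={prev_seq + 1}, got seq={seq}"))
        if prev_ts is not None and ts < prev_ts:
            findings.append((n, "time_regression", f"{ts.isoformat()} before {prev_ts.isoformat()}"))
        elif prev_ts is not None and ts - prev_ts > MAX_SILENCE:
            findings.append((n, "silent_period", f"{(ts - prev_ts).total_seconds():.0f}s without records"))
        if any(marker in msg.lower() for marker in CLEAR_MARKERS):
            findings.append((n, "clear_event", msg))
        prev_seq, prev_ts = seq, ts
    return findings


def finding_kinds(lines):
    """The set of finding types present, which is what an alerting rule would key on."""
    return {kind for _, kind, _ in audit_log(lines)}


# Constructed sample log (not captured from any real system)
SAMPLE = [
    "2015-01-14T09:00:00 seq=100 sshd: accepted publickey for ops from 10.0.0.4",
    "2015-01-14T09:02:00 seq=101 sudo: ops ran /usr/bin/systemctl status sshd",
    "2015-01-14T09:03:00 seq=105 cron: job backup finished",          # seq 102-104 missing
    "2015-01-14T09:01:30 seq=106 sshd: session closed for ops",        # clock went backwards
    "2015-01-14T09:45:00 seq=107 kernel: link up eth0",                # 43.5 minutes of silence
    "2015-01-14T09:46:00 seq=108 auditd: the audit log was cleared by uid 0",
    "\x00\x00garbage after truncation",
]

if __name__ == "__main__":
    for line_no, kind, detail in audit_log(SAMPLE):
        print(f"line {line_no}: {kind}: {detail}")
```

Sequence counters only help when the attacker cannot renumber the records, which is why the check is most useful on a copy of the log shipped to a separate collector as it is written: the local file can be scrubbed, but the gap between it and the collector's copy cannot.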

Penetration Testing

Ethical Hacking and Pen Testing are often used either in combination and/or interchangeably.

We will treat the two independently.

Pen Test: a clearly defined, full-scale test of the security controls of a system or a network in order to identify the security risks and vulnerabilities.

A Pen Test has three major phases (remember it as PAC):
  Preparation
  Assessment
  Conclusion

PEN TEST PHASES

1. Preparation phase:
   The time period during which the actual contract is hammered out.
   The scope of the test, the types of attacks allowed, and the individuals assigned to perform the activity are all agreed upon in this phase.

2. Assessment phase:
   aka the security evaluation phase
   The actual assaults on security controls happen during this phase.

3. Conclusion (or post-assessment) phase:
   The time when final reports are prepared for the customer.
   Reports include details of test findings, including the types of tests performed.
   At times it even provides recommendations to improve security for the customer.

Ethical Hacking Testing Types
1. Black Box
2. White Box
3. Grey Box

Black Box Testing

The EH has absolutely no knowledge of the Target of Evaluation (TOE).
Designed to simulate an unknown, outside attacker.
Most time consuming and the most expensive.
Drawback: focuses solely on the threat outside the organization; does not take into account any trusted users on the inside (the insider threat).

White Box Testing

The exact opposite of black box testing.
The EH has complete knowledge of the TOE.
The process is easier, quicker and cheaper.
Designed to simulate a knowledgeable internal threat.

Grey Box Testing

Also known as partial knowledge testing.
Differs from black box testing in the assumed level of elevated privileges the tester has.
Assumes only that the attacker is an insider.

Computer and Cyber Crime

All computer crimes fall into one of two major categories:
1. Crimes where a computer or network was used in the commission of a crime
2. Crimes where the computer or network itself was the target of the crime

U.S. CYBER CRIME LAWS

Hacking specifically is addressed under the law in United States Code Title 18: Crimes and Criminal Procedure, Part I: Crimes, Chapter 47: Fraud and False Statements, Sections 1029 and 1030.

Other regulations and laws are also described in this section.

Section 1029: Fraud and related activity in connection with access devices.
  Has several subsections and statutes defined.
  Gives the U.S. government authority to prosecute criminals who traffic in, or use, counterfeit access devices.
  Criminalizes the misuse of credentials: passwords, PIN numbers, token cards, credit card numbers, and the like.
  Creating or selling devices that fake credentials, or trafficking in the credentials created by the fake machines, is punishable under the law.

The SPY Act (2007): Securely Protect Yourself Against Cyber Trespass

Freedom of Information Act (FoIA) & the Privacy Act of 1974

Federal Information Security Management Act (FISMA)

USA PATRIOT Act of 2001: Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.

More US Cyber Crime Laws

INTERNATIONAL CYBER CRIME LAWS

Cyber Crime Law in Mexico - Section 30-45-5: Unauthorized computer use
Cyber Crime Law in Brazil - Art. 313-A: Entry of false data into the information system; Art. 313-B: Unauthorized modification or alteration of the information system
Cyber Crime Law in Canada - Canadian Criminal Code Section 342.1
Cyber Crime Law in the United Kingdom - Computer Misuse Act 1990 and Police and Justice Act 2006

Cyber Crime Law in Europe - Section 1: Substantive Criminal Law
Cyber Crime Law in France - Chapter III: Attacks on Systems for Automated Data Processing, Article 323-1 and Article 323-2
Cyber Crime Law in Australia - The Cybercrime Act 2001
Cyber Crime Law in India - The Information Technology Act, 2000
Cyber Crime Law in Japan - Law No. 128 of 1999

Cyber Crime Law in Singapore - Chapter 50A: Computer Misuse Act
Cyber Crime Laws in Korea - Chapter VI: Stability of the Information and Communications Network: Article 48, Article 49; and Chapter IX Penal Provisions: Article 61
Cyber Crime Law in Malaysia - Computer Crimes Act 1997

Summary

In this chapter you learned about:
  Basic elements of information security - CIA
  Relationship among security, functionality, and ease of use
  Hacker classification and terminology
  Three stages of pen testing
  Five stages of ethical hacking
  Types of system attacks
  U.S. federal laws related to cyber crime
  Various international laws related to cyber crime

Questions?
Floor open for discussions