Ethical HackingThe Culture for the CuriousJayashree S Kumar, IBM
About Me IBM-Java’s Classes Library developer Worked Extensively on JDK’s Testing IBM’s Invention Development Lead Runtimes team @ IBM Software Labs
Agenda What ? Why? How? - Hacking 4 types of Penetration Testing : Network Hacking- Pre-Connection, Gaining Access, Post-Connection Gaining Access Post Exploitation Website Hacking Conclusion
InternetDeep WebDarkWeb
WHAT ?
Hacking - Gaining Unauthorised AccessX PermissionSTEALHARMPermissionETHICALX PermissionX STEALX HARM
Why Learn?
Disclaimer: Its claimed that even he could get tricked So CAN You & Me
Existing industryLot of job opportunitiesBig Companies— Majorly InvestedBug Bounty ProgramsForewarned is Pre-armed
How to start?
LabPlace to experiment and practice hacking and pen testing.- A Hacking machine- Other machines to hack- Websites to hack- Networks(All In your Host - VirtualBox )
NetworkHacking
NH: Pre-connection attacksiwconfig / airmon-ng: Wireless Adaptor to Monitor Modeairmon-ng start wireless apaairodump-ng : Packets sniffing toolBasicairodump-ng wireless apadtorTargetedairodump-ng —bssid {Target Router MAC} —channel X —write Test wireless aaireplay-ng : Replay Deauthentication attackaireplay-ng --deauth 100000000 -a {Router Mac} -c {Client Mac} wireless adp
NH: Gaining accessaircrack-ng : Analyse the captured packets to get passwordWEP Crackingaircrack-ng basic wep.capcrunch: Creating wordlistcrunch [min][max][characters] -t[pattern]- o[FileName]WPA / WPA2 crackingaircrack-ng handshake wpa.cap -w wordlist.txt
NH: Post-connection attacksarpspoof: Basic ARP spoofing toolarpspoof -i [inerface] -t [clientIP] [gatewayIP]arpspoof -i [inerface] -t [gatewayIP][clientIP]bettercapbuttercup -iface interfaceUse HTTPs instead of HTTP — Can be bypassed - by downgradingUse HSTS - Http Strict Transport Security — Can be Manipulated
Detection n Prevention1. Do not use WEP encryption,2. Use WPA2 with a complex password3. Configuring wireless setting for maximum security1. Detect ARP Poisoning - Using xARP tool2. Detect Suspicious activities in Network - Using Wireshark3. Prevent MITM Attacks by- Encrypting the traffic — HTTPS everywhere plugging4. Simply use VPN
GainingAccess
Information Gathering: SystemsVery crucial, Gives lots details about target machine:- Operating System- Softwares and Services installed- Ports associated.TOOLs: NetDiscover, ZenMap, net.show, Shodan.com
GA : Server sideDoesn’t Requires User Intervention; Need the correct IP address Use Default Password to gain acces Use Mis-configured services. r service mostly to login rlogin -l root {target ip}Use services which have backdoorUse code execution vulnrablilitiesTooL: Metasploit — Readymade code to run Vulnerabilities (gets published)
GA : Client sideRequires User Intervention - Clicking on link, Downloading a file;Doesn’t Requires IPTooL: Veil Framework — Create BackdoorsGithub:Veil-EvasionVeil- OdesionEach having their own Payloads,written by Meterpreter developers
GA : Socail EngineeringInformation Gathering: UsersVery crucial, To build strategy accordingly.TooL: Maltego
Fake EMAILTooL : SendEmailsendemail -s smtp.sendgrid.net:25-xu apikey-xp zpftbqXwgoPhfnXjm 0-f "pratik@gmail.com"-t "jskethhac@gmail.com"-u “Cloud Native Reception"-m "Did you register for Cloud Native Yet?, Check thispicture to getting the mood https dropboxlink ?dl 1"-o message-header "From : Pratik Patel pratik@gmail.com "
PostExploitation
Open WebCamCapture KeyStokesUse the machine as Pivot to hack other machinesBlackmail /RansomewareSteal Information, Money & Privacy
PreventionDo NOT download outside trusted placeUse trusted NetworkDon’t be MITMedCheck type of file downloadedUse WinMD5 to check hash of the files
Conclusion
Thank U!
WebsiteHacking
Place to experiment and practice hacking and pen testing. - A Hacking machine - Other machines to hack - Websites to hack -Networks (All In your Host - VirtualBox ) Lab. Network Hacking. iwconfig / airmon-ng: Wireless Adaptor to Mo
Hacking Concepts 1.10 What is Hacking? 1.11Who is a Hacker? 1.12 Hacker Classes 1.13 Hacking Phases o Reconnaissance o Scanning o Gaining Access o Maintaining Access o Clearing Tracks Ethical Hacking Concepts 1.14 What is Ethical Hacking? 1.15 Why Ethical Hacking is Necessary 1.16 Scope and Limitations of Ethical Hacking
private sectors is ethical hacking. Hacking and Ethical Hacking Ethical hacking can be conceptualized through three disciplinary perspectives: ethical, technical, and management. First, from a broad sociocultural perspective, ethical hacking can be understood on ethical terms, by the intentions of hackers. In a broad brush, ethical
Benefits of Ethical Hacking Topic 1: Ethical Hacking Discuss the main benefits and risks of ethical hacking. Provide examples and/or details to support your ideas. If you have seen examples of ethical hacking, please share thes
to as “ethical hacking”—hacking for an ethical reason—whereby it will be argued that law and policy ought not to be the same here as for those hacking activities that are purely for economic gain or to cause harm or mischief. As will be seen, I have grouped ethical hacking int
what is ethical hacking?-what is hacking and it's intent?-what determines if a person is a hacker? - what is ethical hacking?-in what ways can hackers gain unauthorized access into system?-common tools used by malicious hackers-ethical hacking and how it plays a role in combating unauthorized access by malicious hackers?
Why Ethical Hacking is Necessary Ethical Hacker needs to think like malicious Hacker. Ethical hacking is necessary to defend against malicious hackers attempts, by anticipating methods they can use to break into a system. To fight against cyber crimes. To protect information from getting into wrong hands.
Definition: Ethical Hacking Hacking - Manipulating things to do stuff beyond or contrary to what was intended by the designer or implementer. Ethical Hacking - Using hacking and attack techniques to find and exploit vulnerabilities for the purpose of improving security with the following: Permission of the owners
Why the AMC’s are Trivial Brandon Jiang January 24, 2016 1 How to Use this Document This could possibly be used as a sort of study guide, but its main intent is to of- fer students some direction to prepare for this contest other than just doing past problems. Note that it is assumed that the reader is mathematically capable of understanding the standard curriculum at school. If not, the .