Increasingly, individuals and companies rely on the internet and the services it provides, such as internet banking, online shopping and information storage. As we have become more dependent on these services, the threat of attack from hackers has grown and, more importantly, so has the threat to the information we store on computers.
As systems have become more complex, they have become harder to secure. Software vendors release new versions of their products with inherent vulnerabilities because it is not cost effective to take the time to secure them fully. Developers rely instead on security by obscurity, and hope that vulnerabilities will be identified by ethical hackers and programmers before a non-ethical hacker exploits them.
What this has shown us is that there is a need for someone with the skills of a hacker yet the ethics of a public servant who can help to secure our networks and our personal information.
Although the ethical hacker is able to identify vulnerabilities in a system and provide advice on how to fix them, many attacks could be prevented by strengthening the systems we use. The responsibility for this must fall on the manufacturer, owner and operator of computer networks, systems and programmes. Products should be released with as few vulnerabilities as possible, and systems and software must be updated and maintained. Training and information must also be provided to the lowest-level user, who has been identified as the weakest link in your security: without that training and information, this person could prove to be your biggest point of failure.
The ethical hacker’s five phases
Below is an explanation of the five phases of an ethical hack. This is just one model of an ethical hack and not every ethical hack will run in the same manner. Sometimes, with certain tools, you can run both footprinting and scanning together. Some techniques run throughout most stages, if not all of them; for example, social engineering (Rouse Oct 2006).
Attackers take advantage of human nature: more specifically, trust, fear, greed and the will to help. Attackers will attempt to persuade staff at their target to give them the information they want. To accomplish this they may ingratiate themselves with the person over the phone or face to face. The attacker may suggest that he or she is working for a manager who has given them permission, thereby reducing the victim’s liability through the distribution of blame. In some larger companies they may even impersonate a manager who is away on leave or at a meeting or a member of staff from another office (Lieu 2002).
Both Rouse (2006) and Lieu (2002) agree that social engineering works because it focuses on the weakest link in the security chain: people. Attackers who are given passwords do not have to spend time trying to break them. No amount of technical protection can stop this. Rouse (2006) and Lieu (2002) suggest training staff to recognise a social engineering attack as a method of defending against it.
Phase 1 – Footprinting
The first step in any type of attack, whether in warring countries, a computer attack or a pub brawl, is to gather information on your intended target (cYbeR#@x0r 2011), to assess their vulnerabilities, understand the layout of their forces (or computer network), and discover what their defensive capabilities are (Ali 2011).
The two types of footprinting used in ethical hacking are passive and active; Danseglio (2012) describes these as:
Passive – No direct contact with the target, which includes not visiting the target’s own websites; the information comes from other sources. The benefit of passive footprinting is that it is very hard, if not almost impossible, to alert the target.
Active – The information gathered here comes from the target website, web servers, pinging and trace routing. This typically occurs after the passive phase.
This phase is probably the most important of the five. By taking the time to complete an in depth and methodical analysis to facilitate an understanding of the target, the hacker will be able to confirm whether the intended victim is a viable target, and it may provide the information needed to carry out further attacks.
Phase 2 – Scanning
This is the final phase before an actual attack. The hacker takes the general information discovered in phase one and uses it to gain specific information on the target, such as its vulnerabilities. This is where they can find a point of entry to exploit the system (Anjum 2009). Bipin (2012) states that there are three types of scanning, described below:
- Network scanning – uses methods such as ping sweep. This type of scanning provides information on which systems are active, either in preparation for an attack or as part of a security inspection.
- Port scanning – is conducted to discover what services and applications are in use on the system. This is done by connecting to ports in order to discover if the target is running a service or listening. A tool regularly used for this form of scanning is Nmap. It may be possible at this point to gain unauthorised access if the system is configured incorrectly or there are vulnerabilities present. (EC-Council 2009)
- Vulnerability scanning – is conducted to try and identify vulnerabilities that can then be exploited. This can include scanning the operating system (OS) and then using any vulnerabilities to gain access.
The EC-Council (2009) states that:
The purpose of scanning is to discover exploitable communications channels, probe as many listeners [listening ports] as possible and keep track of the ones that are responsive.
The EC-Council (2009) also claims that ‘scanning is one of the most important phases of intelligence gathering for an attacker’. This statement has validity because by scanning a target you gain a specific vulnerability or point of entry into a system. Without this phase, resources would be spread across a wide area, resulting in wasted time and effort rather than a concentration of force to break through to your target. You would be attempting to attack the target from many angles instead of finding a specific vulnerability and exploiting it.
The main objectives behind running a network scan are:
- To discover IP addresses and what applications are running;
- To discover which ports are open and which OS is on the target system;
- To gather information on system vulnerabilities.
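The scanning behaviour described above (many ports on one host, or one port across many hosts) is exactly what a defender can look for in firewall logs. The following Python is an added example, not code from the essay or any of its cited sources; the log format, the sample lines and the thresholds are all constructed for the illustration.

```python
"""Port-scan and host-sweep detection over firewall connection logs.

This is an added illustration, not code from the essay or its sources.
The log format is constructed for the example, one attempt per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto> <action>
The thresholds and window are illustrative assumptions.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 probes ten ports on one host (a port scan),
# 10.0.0.9 hits port 445 on eight hosts (a sweep), 10.0.0.7 is an ordinary
# client, and one corrupt line shows the parser skipping bad input.
SAMPLE_LOG = """\
1000 10.0.0.5 192.168.1.10 22 tcp DENY
1000 10.0.0.5 192.168.1.10 23 tcp DENY
1001 10.0.0.5 192.168.1.10 25 tcp DENY
1001 10.0.0.5 192.168.1.10 80 tcp ALLOW
1002 10.0.0.5 192.168.1.10 110 tcp DENY
1002 10.0.0.5 192.168.1.10 139 tcp DENY
1003 10.0.0.5 192.168.1.10 443 tcp ALLOW
1003 10.0.0.5 192.168.1.10 445 tcp DENY
1004 10.0.0.5 192.168.1.10 3389 tcp DENY
1004 10.0.0.5 192.168.1.10 8080 tcp DENY
corrupt line here
1010 10.0.0.9 192.168.1.1 445 tcp DENY
1010 10.0.0.9 192.168.1.2 445 tcp DENY
1011 10.0.0.9 192.168.1.3 445 tcp DENY
1011 10.0.0.9 192.168.1.4 445 tcp DENY
1012 10.0.0.9 192.168.1.5 445 tcp DENY
1012 10.0.0.9 192.168.1.6 445 tcp DENY
1013 10.0.0.9 192.168.1.7 445 tcp DENY
1013 10.0.0.9 192.168.1.8 445 tcp ALLOW
1020 10.0.0.7 192.168.1.10 443 tcp ALLOW
1500 10.0.0.7 192.168.1.10 443 tcp ALLOW
1600 10.0.0.7 192.168.1.20 80 tcp ALLOW
"""

PORT_THRESHOLD = 8     # distinct ports on one host from one source
HOST_THRESHOLD = 8     # distinct hosts on one port from one source
WINDOW_SECONDS = 60    # the distinct count must fall within this span


def parse_log(text):
    """Parse log lines into (ts, src, dst, port, proto, action) tuples,
    skipping malformed lines instead of aborting the whole run."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, port, proto, action = parts
        try:
            records.append((int(ts), src, dst, int(port), proto, action))
        except ValueError:
            continue
    return records


def max_distinct_in_window(events, window):
    """Largest number of distinct keys seen within any span of `window`
    seconds. `events` is an iterable of (timestamp, key); a sliding
    window over the time-sorted events avoids quadratic work."""
    events = sorted(events)
    counts = {}
    best = 0
    left = 0
    for ts, key in events:
        counts[key] = counts.get(key, 0) + 1
        while events[left][0] < ts - window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scans(records, port_threshold=PORT_THRESHOLD,
                 host_threshold=HOST_THRESHOLD, window=WINDOW_SECONDS):
    """Map each suspicious source IP to a list of findings:
    ("port_scan", dst_ip, n_ports) or ("host_sweep", dst_port, n_hosts).
    Allowed and denied attempts are both counted: a scanner that finds
    open ports still produces the wide spread of targets we look for."""
    by_src_dst = defaultdict(list)    # (src, dst)  -> [(ts, port)]
    by_src_port = defaultdict(list)   # (src, port) -> [(ts, dst)]
    for ts, src, dst, port, _proto, _action in records:
        by_src_dst[(src, dst)].append((ts, port))
        by_src_port[(src, port)].append((ts, dst))

    findings = defaultdict(list)
    for (src, dst), ev in by_src_dst.items():
        n = max_distinct_in_window(ev, window)
        if n >= port_threshold:
            findings[src].append(("port_scan", dst, n))
    for (src, port), ev in by_src_port.items():
        n = max_distinct_in_window(ev, window)
        if n >= host_threshold:
            findings[src].append(("host_sweep", port, n))
    return dict(findings)


if __name__ == "__main__":
    for src, items in detect_scans(parse_log(SAMPLE_LOG)).items():
        for kind, target, n in items:
            print(f"{src}: {kind} against {target} "
                  f"({n} distinct within {WINDOW_SECONDS}s)")
```

The two groupings are deliberate: a vertical scan stands out as many distinct ports from one source to one destination, a sweep as many distinct destinations from one source on one port, and an ordinary client triggers neither even over a long session. Real thresholds need tuning against the traffic of the network being monitored.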
Phase 3 – Gaining Access
This phase is defined as ‘the actual hacking phase’ by N-Soft Technology (2012) because it is at this stage that the hacker will use all the information gained in the footprinting and scanning phases to try and gain access to the system of interest. N-Soft Technology (2012) goes on to state that this phase can be broken down into smaller stages, namely gaining access and escalating privileges.
One reason a hacker will escalate their privileges is that a low-level user will probably not have the access or permissions they require to prosecute an attack successfully. There are many tools that can do this, including programmes such as getadmin.
According to Clrgroup (n.d.) this phase is the most important in terms of the potential for harmful effects to the target system. Attacks on the target can be internal or external. Attackers do not need to gain access to the system to wreak havoc with attacks such as Denial of Service (DoS), the intent of which is to significantly slow down or stop the operation of the target system.
Phase 4 – Maintaining Access
Once attackers have gained access to a system, they will probably want to maintain their access. This can be either to use the compromised system to exploit other systems, or to continue exploring the original victim’s system (Clrgroup, n.d.).
Attackers who decide to stay within a compromised system in order to exploit it fully have several techniques available to them, including backdoors and Trojans. Trojans have other uses too, such as sending information (personal information or banking details, for example) to the attacker (Clrgroup, n.d.).
To keep using the system as and when they want, and after making sure they can re-enter it, attackers will begin to ‘harden’ it. This means that they will patch up the entrance they used in order to stop other hackers gaining entry the same way (Clrgroup, n.d.).
Phase 5 – Covering tracks
The final phase of an ethical hack is to cover the tracks to reduce the chance of the attacker being caught. An ethical hacker will have been contracted by someone at the target and so would not want to leave any traces that give the game away. Unethical hackers likewise want to cover their tracks, both to avoid being discovered and punished and to maintain access to the compromised system (see phase 4).
Hackers can remove traces of their activity by destroying, deleting or modifying system logs and other relevant data. Hackers would need to remove anything that would arouse the suspicion of the user or the network administrator, such as error messages and failed login attempts (Clrgroup, n.d.).
Actions such as downloading or installing software will leave information in the server logs. To remove these so that they cannot be found, hackers will use tools such as auditpol.exe (a command line tool) (N-Soft Technology 2012).
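Because this phase relies on logs being editable after the fact, one defensive answer is a log whose entries are chained by hash, so that an edited or deleted line is detectable on review. The Python below is an added example and is not code from the essay or any of its sources; the sample log lines are constructed, and it assumes the final chain hash is copied somewhere the intruder cannot reach (here it is simply held in memory).

```python
"""Tamper-evident logging with a hash chain.

Added illustration, not code from the essay or any of its sources. Each
entry is stored with the SHA-256 of (previous hash, entry text), so an
edited, deleted or reordered line breaks the chain from that point on.
It assumes the final hash (the "head") is copied to a place the intruder
cannot reach, such as a separate log host; here it is just held in memory.
"""
import hashlib
import hmac

GENESIS = "0" * 64   # link value used before the very first entry

# Constructed sample events, in the style of Unix auth logs.
SAMPLE_EVENTS = [
    "1000 sshd: Accepted password for alice from 10.0.0.7",
    "1005 sshd: Failed password for root from 10.0.0.5",
    "1006 sshd: Failed password for root from 10.0.0.5",
    "1020 sudo: alice : COMMAND=/usr/bin/systemctl restart sshd",
    "1030 cron: session opened for user backup",
]


def link_hash(prev_hash, entry):
    """Hash of this entry bound to the hash of the one before it."""
    return hashlib.sha256(f"{prev_hash}\n{entry}".encode("utf-8")).hexdigest()


def append_entry(chain, entry):
    """Append `entry` to `chain` (a list of (entry, hash) pairs) and return
    the new head hash, which the caller should store off-host."""
    prev = chain[-1][1] if chain else GENESIS
    chain.append((entry, link_hash(prev, entry)))
    return chain[-1][1]


def verify_chain(chain, expected_head):
    """Return (True, None) if the chain is intact and ends at expected_head.
    Otherwise return (False, ("broken", i)) for the first entry i whose
    stored hash does not match, or (False, ("head_mismatch", len(chain)))
    when every link checks out but the final hash differs from the copy
    held off-host: the sign of entries removed and the chain recomputed."""
    prev = GENESIS
    for i, (entry, stored) in enumerate(chain):
        if not hmac.compare_digest(link_hash(prev, entry), stored):
            return False, ("broken", i)
        prev = stored
    if not hmac.compare_digest(prev, expected_head):
        return False, ("head_mismatch", len(chain))
    return True, None


def build_sample_chain():
    """Build the chain from the constructed events; returns (chain, head)."""
    chain = []
    head = GENESIS
    for event in SAMPLE_EVENTS:
        head = append_entry(chain, event)
    return chain, head


def demo_tampering():
    """Verify the clean log, an in-place edit, and a delete-and-recompute."""
    chain, head = build_sample_chain()
    clean = verify_chain(chain, head)

    # An intruder rewrites a failed root login as a success but leaves the
    # stored hashes alone: link 1 no longer matches.
    edited = list(chain)
    edited[1] = ("1005 sshd: Accepted password for root from 10.0.0.5",
                 chain[1][1])
    modified = verify_chain(edited, head)

    # A more careful intruder drops the two failed logins and rebuilds every
    # later hash; only the head kept off-host reveals the change.
    rebuilt = []
    for event in SAMPLE_EVENTS[:1] + SAMPLE_EVENTS[3:]:
        append_entry(rebuilt, event)
    deleted = verify_chain(rebuilt, head)
    return clean, modified, deleted


if __name__ == "__main__":
    for label, result in zip(("clean", "edited", "deleted"), demo_tampering()):
        print(f"{label}: {result}")
```

The point of the third case is that hashing alone does not help against someone who can rewrite the whole file; the protection comes from the chain head being stored where the compromised host cannot change it, which is why the example reports a head mismatch separately from a broken link.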
The law regarding ethical hacking depends on your location. For instance, the laws of the UK and the US are different and there are even different laws in the various states in the US. It is of vital importance that an ethical hacker understands the laws they are subject to in order to avoid prosecution, a loss of professional standing or even bringing more disrespect to the term ‘ethical hacker’.
Ethical hacking can also fall under the remit of the European Convention on Human Rights which states that ‘everyone has the right to respect for his private and family life, his home and his correspondence’.
Under the Computer Misuse Act 1990, ethical hackers face the same punishment as unethical hackers. The punishment can be up to five years’ imprisonment, a fine or, in some cases, both.
This law governs the use of computers and states that a person has committed an offence if they have gained, or intended to gain, unauthorised access to a system or information; carried out unauthorised acts; or made, adapted or supplied any article likely to be used to commit an offence, with the purpose of impairing a computer system, accessing it, or facilitating such access or impairment.
These attacks do not need to target specific data, a programme or computer and no differentiation is made between temporary and permanent effects or damage.
In America, under a section of the ethical hacking law, it is possible for victims of an attack to sue the attacker. This has led to lawsuits between IT professionals (one suing another for running a port scan on his network). Luckily for the ‘attacker’, judges ruled that although time had been invested in an investigation, this did not amount to real damage and that, as the section of law states that ‘the damage must be impairment to the integrity and availability of the network’, running a port scan did not qualify in this instance (Poulson 2010).
Even when the ethical hacker is working within the law or acceptable practice, it is important that they have written permission from the client, with a clear list of what they can and cannot do, such as which systems are to be tested and how far the ethical hacker is to proceed with the hack. If a company doesn’t want certain systems tested or wants to limit what the ethical hacker does, it is up to the ethical hacker to explain that the limitations could mean vulnerabilities in the system go unidentified and are left for an unethical hacker to exploit. It is also important to manage the client’s expectations and make them aware that it may not be possible to identify all vulnerabilities in their system.
The need for ethical hackers is evident. However, they must take measures to protect themselves and their clients by working within the law, getting authorisation from the client and using the tools shown above and any others in circulation in the manner that is expected of an ethical hacker.
There have been debates about whether to teach ethical hacking, as many associate the term ‘hacker’ with people intending to steal money, information and secrets. But in modern society and in the future, the use of IT equipment and the internet is going to become increasingly prolific. There will be cyber security experts who will balance their technical hacking skills with the will and ethics to use them only for the benefit of normal users.
From the information presented above, you should be able to get a feel for the techniques used by modern ethical hackers, the tools they use, and the constraints and laws they must follow if they are to be successful and avoid any repercussions from their actions.
The number and type of tools available to hackers and ethical hackers is increasing all the time. Their production is a double-edged sword, as for every good use there is a bad one, but the only way to progress towards a vulnerability-free state is to spend more time and effort on the development of programs and systems, and to train sufficient ethical hackers in current techniques, using the most up-to-date tools, to combat the threat of hackers.
Rouse, M. (2006) TechTarget [Online] Available from: searchsecurity.techtarget.com/definition/social-engineering [Accessed: 19/08/13]
Lieu, C. (2002) Social engineering: attacking the weakest link [Online] 2000 – 2002 Available from: www.giac.org/paper/gsec/2082/social-engineering-attaking-weakest-link/
cYbeR#@x0r (2011) learnhacking [Online] Available from: learnhacking.in/whatisfootprinting [Accessed: 12/08/13]
Ali, W. (2001) hackersthirst [Online] Available from: www.hackersthirst.com/2011/05/footprinting-guide-in-terms-of-hacking.html [Accessed:
Danseglio, M. (2012) trainsignal [Online] Available from: www.trainsignal.com/blog/videos/ethical-hacking-passive-vs-active-footprinting [Accessed: 12/08/13]
Anjum, A. (2009) Hackguide4u [Online] Available from: www.hackguide4u.com/2009/12/hacking-phase-2-scanning.html [Accessed: 14/08/13]
Bipin (2012) mustbegeek [Online] Available from: www.mustbegeek.com/ethical-hacking/ [Accessed: 14/08/13]
EC-Council (2009) eccouncil [Online] Available from: www.eccouncil.org/certificateseries/ehs-attack-phases [Accessed: 12/08/13]
N-Soft Technology (2012) Slideshare [Online] Available from: www.slideshare.net/nitheeshadither/ethical-hacking-14277408 [Accessed: 14/08/13]
CLRgroup (n.d.) CLRgroup [Online] Available from: www.clrgroup.com/site/pdf/ethicalhacking.pdf [Accessed: 14/08/13]
Win2008workstation (2012) Quickly find all the computers on your Windows network with nbtscan [Online video] 01 May 12. Available from: http://www.youtube.com/watch?v=EMuvR6WvnOc [Accessed: 14/08/13]
SorenNoob (2011) How to hack your friends passwords With Keylogger *HD [Online video] 20 Nov 11. Available from: http://www.youtube.com/watch?v=X8QiBRPwqTY [Accessed: 28/08/13]
toddlegend (2007) Brute force password cracking tutorial [Online video] 03 Aug 07. Available from: http://www.youtube.com/watch?v=jR7ut-q3JJA [Accessed: 28/08/13]
Archive (2007) Windows Vista vulnerable to Sticky Keys backdoor [Online] Available from: http://blogs.mcafee.com/mcafee-labs/windows-vista-vulnerable-to-stickykeys-backdoor [Accessed: 26/08/13]
Nutting, R. (2010) Backdoor netcat implants [Online] 28 May 10. Available from: http://securityisfutile.blogspot.co.uk/2010/05/backdoor-netcat-implants.html [Accessed: 26/08/13]
Cysecure (2012) Netcat backdoor – Backtrack 5 R2 [Online video] 09 Jun 12. Available from: http://www.youtube.com/watch?v=-0vveYZ5SVA [Accessed: 28/08/13]
Trainsignal (2012) Ethical hacking – covering your tracks [Online video] 02 May 12. Available from: http://www.youtube.com/watch?v=ZLholWO1MYQ [Accessed: 28/08/13]
ENGLAND (1990) Computer Misuse Act: Elizabeth II, Chapter 1-3a. London: Queen’s Printer of Acts of Parliament.
EUROPEAN UNION (1950) European Convention for Human Rights. Strasbourg: Council of Europe.
Poulson, K. (2000) SecurityFocus [Online] Available from: www.securityfocus.com/news/126 [Accessed: 13/08/13]