Class 1 – Introduction to Ethical Hacking
When we talk about ethical hacking, we mean controlled penetration tests on computer systems: the consultant or pentester, working from the point of view of a cracker, tries to find vulnerabilities in the audited computers that can be exploited, in some cases obtaining access to the affected system; but always in a controlled environment and without ever jeopardizing the operation of the computer services being audited.
It is important to emphasize that, although the pentester undoubtedly needs sound technical knowledge to perform ethical hacking, technical knowledge alone is not enough to run an audit of this type successfully. It is also necessary to follow a methodology that keeps our work in order and makes the most of our time in the operational phase, and to apply common sense and experience. Unfortunately, experience and common sense cannot be transferred in a book, but I will do my best to convey the methodology and best practices I have acquired over my years of practice as an information security auditor.
Phases of hacking
Both the auditor and the cracker follow a logical sequence of steps when
conducting a hacking exercise. These grouped steps are called phases.
There is a general consensus among information security organizations and
professionals that there are five phases, in the following order:
3-> Gaining Access
4-> Maintaining Access
5-> Erasing clues (covering tracks)
Usually these phases are represented as a cycle, commonly called “the circle
of hacking” (see Figure 1), to emphasize that the cracker can repeat the process over and over again. However, information security auditors who perform ethical hacking services implement the phases with a slight variation, like this:
3-> Gaining Access
4-> Writing the Report
5-> Presenting the Report
In this way, ethical hackers stop at Phase 3 of the “circle of hacking” to report their
findings and make recommendations to the client.
Types of hacking
When we execute ethical hacking, it is necessary to establish its scope in order to develop a
realistic work schedule and deliver the economic proposal to the client. To determine the extent of the project we need to know at least three basic elements: the type of hacking we will conduct, the modality, and any additional services the customer would like to include with the contracted service.
Depending on where we execute the penetration testing, ethical hacking can be
external or internal.
External hacking
This type of hacking is done from the Internet against the client’s public network
infrastructure; that is, against those computers in the organization that are exposed to the Internet because they provide a public service. Examples of public hosts: router, firewall, web server, mail server, name server, etc.
Internal hacking
As the name suggests, this type of hacking is executed from the customer’s
internal network, from the point of view of a company employee, consultant, or business associate who has access to the corporate network.
In this type of penetration test we often find more security holes than in its external
counterpart, because many system administrators concentrate on protecting the network perimeter and underestimate internal attackers. That is a mistake, since studies show that the majority of successful attacks come from inside the company.
To cite an example, in a computer security survey of a group of UK business executives, when asked “who are the attackers?”, the figures obtained were 25% external and 75% internal [2].
Depending on the information the customer provides to the consultant, an
ethical hacking service can be executed in one of three modes: black box, gray box or white box.
The mode chosen affects the cost and duration of the penetration test,
since the less information received, the more time the auditor must invest in research.
Black box hacking
This mode applies to external testing only. It is so called because the client
gives the consultant only the name of the company, so the auditor starts with no
information: the infrastructure of the organization is a “black box”.
While this type of audit is considered more realistic, since an external attacker
who picks a given victim has no more information to start with than the name of the
organization to be attacked, it is also true that it requires a greater investment of time, and therefore the cost incurred is higher too.
Additionally, it should be noted that the ethical hacker, unlike the cracker, does not have all the time in the world to perform the penetration test, so the preliminary analysis cannot extend beyond what is practical in terms of cost, time and benefit.
Gray box hacking
This term is often used as a synonym for internal pen testing.
Nevertheless, some auditors also call gray-box hacking an external test in which the client provides limited information about the public computers to be audited.
Example: a list of IP addresses together with the type or function of each device (router, web server, firewall, etc.). When the term is applied to internal testing, it is given that name because the consultant receives the same access an employee would have, such as a laptop connected to the internal network with the NIC configured properly (IP address, subnet mask, gateway and DNS server), but does not receive additional information such as a username and password to join a domain, the existence of related subnets, etc.
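As an added example (not part of the original text or the author's own material), the following Python script checks a client-supplied target list of the kind described above against the agreed scope before any tool is pointed at it. Hosts that fall outside the authorized ranges, or inside an explicit exclusion, are reported back to the client instead of being tested. The target list, the authorized ranges and the excluded mail server are all constructed for illustration and use RFC 5737 documentation addresses.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of what a client might hand over for a gray-box external
# test: one public host per line, "address  role". RFC 5737 documentation
# addresses are used so the example never points at a real network.
CLIENT_TARGET_LIST = """\
192.0.2.1      router
192.0.2.10     firewall
192.0.2.25     web-server
192.0.2.26     mail-server
198.51.100.53  name-server
203.0.113.7    web-server
"""


@dataclass
class Scope:
    """Agreed rules of engagement: networks that may be tested and networks
    that are explicitly excluded. Exclusions always win over allowances."""
    allowed: list
    excluded: list = field(default_factory=list)

    def contains(self, addr):
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in self.excluded):
            return False
        return any(ip in net for net in self.allowed)


def parse_target_list(text):
    """Turn the client's plain-text list into (ip, role) pairs.
    Blank lines and '#' comments are skipped; a malformed address raises
    ValueError now rather than failing halfway through the engagement."""
    targets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr = parts[0]
        role = parts[1] if len(parts) > 1 else "unknown"
        ipaddress.ip_address(addr)  # validation only; raises on garbage
        targets.append((addr, role))
    return targets


def check_scope(targets, scope):
    """Split targets into in-scope and out-of-scope lists. Out-of-scope
    hosts go back to the client for confirmation, never into a scanner."""
    in_scope, out_of_scope = [], []
    for addr, role in targets:
        (in_scope if scope.contains(addr) else out_of_scope).append((addr, role))
    return in_scope, out_of_scope


# Hypothetical contract (an assumption for this example): the client
# authorized 192.0.2.0/24 plus one DNS host, excluded the production mail
# server, and the second web server sits at a hosting provider that was
# never part of the agreement.
ENGAGEMENT_SCOPE = Scope(
    allowed=[
        ipaddress.ip_network("192.0.2.0/24"),
        ipaddress.ip_network("198.51.100.53/32"),
    ],
    excluded=[ipaddress.ip_network("192.0.2.26/32")],
)

if __name__ == "__main__":
    ok, bad = check_scope(parse_target_list(CLIENT_TARGET_LIST), ENGAGEMENT_SCOPE)
    print("In scope:")
    for addr, role in ok:
        print(f"  {addr:<15} {role}")
    print("NOT in scope (confirm with the client before touching):")
    for addr, role in bad:
        print(f"  {addr:<15} {role}")
```

The point of running this before the first scan is that the client's list and the signed scope are two different documents, and in practice they drift: a host added to the list after the contract, or a third-party address the client does not actually own, is exactly what turns a controlled test into an unauthorized one.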
White box hacking
White box hacking is also called transparent hacking. This method applies only to internal pen testing and is so called because the client gives the auditor complete information about its networks and systems.
This means that, besides providing a connection to the network and configuration
information for the NIC, the consultant receives extensive information such as network diagrams, detailed equipment lists including names, types, platforms, main services and IP addresses, information about remote subnets, etc. Because the consultant does not have to discover this information, this kind of hacking usually takes less time to execute and therefore also costs less.
To be continued