Introduction to Ethical Hacking
Ethical Hacking and Penetration Testing-COMP6210|Binus International
Any tools, guidance, and tutorials in this post are for educational purposes only.
Several terms are used in ethical hacking:
- Ethical Hackers
Someone employed by companies to perform penetration tests on their own systems (with the owner’s permission).
- Penetration Test
A legal attempt to break into a company’s network to find its weakest link. (The tester only reports findings and offers solutions to secure or protect the network.)
- Hackers
Someone who accesses a computer system or network without authorization. (Breaks the law and can go to prison.)
- Crackers
Someone who breaks into systems to steal or destroy data. (The U.S. Department of Justice calls both hackers.)
The Role of Security and Penetration Testers
- Script kiddies or packet monkeys
Young, inexperienced hackers (who copy code and techniques from knowledgeable hackers).
- Programming languages used by experienced penetration testers
Examples: Practical Extraction and Report Language (Perl), C, Python
- Script
A set of instructions that runs in sequence.
Programming Language vs Script
Basically, scripting languages are programming languages. In theory, the difference is that scripting languages do not require a compilation step; they are interpreted.
- Tiger box
A collection of OSs and hacking tools that helps penetration testers and security testers conduct vulnerability assessments and attacks.
Penetration Testing
Why do we need penetration testing?
Because we need to make sure that our system is secure. We use penetration testing to test the vulnerabilities of our system, find solutions, and make our system more secure.
The Process
1. Define the scope of the test (important; otherwise the project will never end)
   - Extent of the testing
   - What will be tested
   - From where it will be tested
   - By whom it will be tested
2. Performing the pen-test
3. Reporting and delivering results
Methodologies
- White box model
The tester is told everything about the network topology and technology.
The tester is authorized to interview IT personnel and company employees.
This makes the tester's job a little easier.
- Black box model
Company staff do not know about the test.
The tester is not given details about the network.
Tests whether security personnel are able to detect an attack.
- Gray box model
A hybrid of the white and black box models.
The company gives the tester partial information.
Common Techniques
1. Passive Research
2. Open Source Monitoring
3. Network mapping and OS fingerprinting
To determine the version of the operating system.
4. Spoofing
For instance, A tries to attack B and C.
Normally, B and C will know that A is attacking them.
With spoofing techniques, A can attack B and C while posing as someone else. A can attack B as C, and B will believe that the attacker is C, not A.
Put simply, it is about attacking other people by using someone else's identity.
You attack other IPs in the world by using another IP.
5. Network Sniffing
The real-time monitoring of data packets on a network.
Blue Team and Red Team
- Blue Team
People who defend the system, monitoring and checking the security of the systems.
- Red Team
People who perform the pen-test and attack the systems.