ECCouncil CEH 312-50v10 Exam Dumps, Practice Test Questions


Ethical Hacking Overview

15. Essential Terminology

This slide covers the essential terminology. "Hack value" is the notion among hackers that something is really worth doing or is interesting. So they may say that something doesn't have any hack value. Let's give you an example. Let's say I wanted to hack into Bank of America or wanted to hack into ABC Preschool. All right? The likelihood of me getting something that is worth selling at ABC Preschool is very slim compared with what I might get for the time I would spend trying to break into Bank of America, as an example. So it's basically: is it worth doing or not? Is it interesting? Daisy chaining is what actually gets our foot in the door. Oftentimes, we're going to be able to break in just enough to get our foot in the door. And then from that pivot point or that area, we may be able to get a little further into the network or maybe further into that particular machine. Because ultimately, what we want to do is get into the network as root or administrator or get into the machine as root or administrator. Sometimes we actually get in as a lowly user, and then we have to escalate our privileges up to root or administrator. The next term is "zero-day attack." When I go out and speak at Black Hat or at DEF CON, you'll hear a lot of people in the halls asking, "Do you have any 0-days? Do you know of any 0-days?" What they're referring to is a zero-day. It gets its name from the fact that we have zero days to actually patch our system. All right? It is an attack that exploits computer application vulnerabilities before the developer knows about them or releases a patch to resolve the issue. Doxing is publishing personally identifiable information about an individual collected from publicly available databases and social media. I'm going to show you this in the next section, and you will be amazed at how much information is just totally free and able to be obtained very easily.
We all know a vulnerability is simply the existence of a weakness: some flaw in the design, some way that we implemented it, anything like that that can lead to an unexpected event, thus compromising the security of the system. That's what's known as a vulnerability. The payload is the part of an exploit that actually runs the code. For example, we typically have three parts. We have the exploit itself, which you could think of as knocking the wall down, all right? Then we will typically try to shove in a payload, and the payload is the portion of the executable that we want that system to execute, thus giving us control. And then finally, we have something called a session: by running that payload, we typically receive a session back to us that we can use. Finally, we have an exploit, which is simply the breach of an IT system through that vulnerability. We already discussed a little bit about a bot, and we talked about a botnet earlier; a bot is simply an application you control remotely to execute or automate some type of predefined task.

16. OSSTMM Methodology

Now in this lecture, we're going to discuss the OSSTMM methodology for penetration testing and ethical hacking. You might be asking yourself, what is that? Well, actually it's a set of predefined steps that were created by a gentleman by the name of Peter Herzog. It is more or less universally accepted as the way to properly do a penetration test. Why do we need to use a methodology? A methodology is simply a predefined set of steps to achieve some particular goal. In this particular case, the goal is to do a penetration test. The reason that we want to use a methodology is this: let's say Bob was doing the penetration test and Joe was doing the penetration test. If they both followed the OSSTMM methodology, then theoretically they should arrive at the same result, given that they gathered all the same information. So, consequently, it's a way that we can compare apples and apples, and we know that we're not going to be leaving something out. In that case, you could think of it as more or less a checklist, making sure that we accomplish all the steps.
So, step number one. Step number one is regarded as footprinting. Now, footprinting is oftentimes thought of by the new individual that comes to pen testing as something that is done very quickly. Well, nothing could be further from the truth. The footprinting phase should actually be one of the longest phases because you're going to gather as much information as you possibly can before you start the attack. Because as soon as you start the attack, if they're doing a good job and they're on their toes, then they should be trying to shut you down. And so it's very helpful to know what's behind that closed door if they're using processes like we discussed before, such as defense in depth. It's very helpful to know what may be behind there so that we don't just crash down that first open door and then try to figure out how to crash down the second one. More than likely, if you take that approach, they're going to shut you down before you even get to the second one. So footprinting is defined as gathering broad, publicly available information from places like ARIN, IANA, and websites. ARIN and IANA are the registries of the internet.
The next thing we want to take a look at follows from footprinting: we use what we learned from footprinting to complete our scanning. So what we're going to do is, from the information we gathered from footprinting, see what services are open, what ports are open, what operating systems are being used, that type of thing. Then the next step is what's referred to as enumeration. Enumeration is easily defined as everything you can get from an operating system or, perhaps more accurately, a component without identifying yourself or logging in to that particular component. So basically, you can think of it as what it gives up for free. Consequently, starting from our scanning results, we then try to enumerate certain things using specific operating system or service techniques to gather user account information, shared folders, exported information, all kinds of different things, as you're going to see as we go along.
The next step comes after we've gotten all of these items. This is where we first start a real attack phase. Now, once we do the real attack phase, it's going to end up in one of two situations. Well, you got in, or perhaps you didn't get in. Think about the possibility of us not getting in at that point, all right? The penetration failed. What's more likely going to happen is that the individual, whether that be a hacker or a pen tester (more than likely, not a pen tester), is going to launch some kind of a denial-of-service attack. It's as if a young teenage hoodlum was trying to break into some store after hours and wasn't able to do it: he may take a brick and throw it through the bars and the windows just to do damage. It made him mad that he wasn't able to get in, so: "I'm just going to cause you some damage." So it's a tactic of last resort, an action of desperation in reality, and a good job on your part because you've actually kept the attacker out. It's a relatively unskilled attacker that would do something like this.
Now let's take the flip side of the coin and let's assume we got in. In a perfect world, we're going to log in as root or as administrator. Well, as you can imagine, we don't live in a perfect world. Consequently, we're probably not going to break in at the highest level, such as administrator or root. If the attack is successful, the first thing we're going to do is try to elevate our privileges. Ultimately, we want to at least get a foothold. Then we're going to try to become root, super user, or admin. There are a number of different tools that we can use to accomplish this, and they're mainly based on bugs and vulnerabilities that we might be able to use. After we become root or super user, the next thing we're going to do is what we came in there to do: copy the data, extract the information. Whatever that information is that was so valuable, valuable enough for us to break in, we're going to actually copy it.
The next thing that's going to happen is we're going to attempt to cover our tracks. Now, when we cover our tracks, we're going to try to erase or edit the audit logs. If the systems administrator is on their toes and has done a good job, more than likely they use something called a syslog server. A syslog server is a server where all of the logs and audit logs go to one central location. Logs are generally stored on the particular device. Let's say, for example, it's a DHCP server, right? On the DHCP server, you generally have a log. But in addition to that log, you're also going to have a log that is sent to the syslog server. It's very possible that the individual could have gone in and erased the log files for the DHCP server, but it's not very likely he's going to be able to go in and erase all of the information from the syslog server. I mean, that's a possibility, but not very likely.
After he tries to cover his tracks, the next thing he's going to do is leave a back door. This way, he can come back whenever he wants. This is actually the end of the OSSTMM methodology. I was talking to Peter Herzog when I was speaking at a conference one time, and I told him, "Peter, I think that there's one more step that most hackers would actually put in." We were talking back and forth and he said, "What do you think that step is?" Well, hackers tend to be very territorial. In other words, they don't want somebody else to get into the same hole they got into, so they're going to patch your system for you. What a good guy. They're patching our system? I couldn't ask for more. Well, naturally they patch your system, but they leave a back door for themselves so they can come in, but nobody else can.
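
The point about the syslog server can be turned into a simple tamper check: compare what the central collector holds for a host with what is still in that host's own log. The following is an added example, not part of the original lecture; the log lines are constructed, the host name `dhcp01` is hypothetical, and it assumes the collector stores each line exactly as the host sent it.

```python
"""Find log entries the central syslog server holds but the host's own log lacks."""
import re
from collections import Counter
from datetime import datetime

# RFC 3164-style line: "Mar  3 10:15:02 host tag[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.+)$"
)

def parse(line, year=2023):
    """Return (timestamp, host, message), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # RFC 3164 timestamps carry no year, so the caller supplies one.
    stamp = " ".join(m["ts"].split())
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], " ".join(m["msg"].split())

def missing_from_local(local_lines, central_lines, host):
    """Entries the collector holds for `host` that the host's log no longer has."""
    local = Counter(p for p in map(parse, local_lines) if p and p[1] == host)
    central = Counter(p for p in map(parse, central_lines) if p and p[1] == host)
    # Multiset difference: a line logged twice but kept once still counts once.
    return sorted((central - local).elements())

def summarize(missing):
    """Count and time span of the missing entries, or None if nothing is missing."""
    if not missing:
        return None
    return {"count": len(missing), "first": missing[0][0], "last": missing[-1][0]}

# Constructed sample: the collector's copy (several hosts mixed together).
CENTRAL_LOG = [
    "Mar  3 10:15:02 dhcp01 dhcpd[812]: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55",
    "Mar  3 10:16:40 dhcp01 sshd[1440]: Accepted password for svc_backup from 10.0.0.99",
    "Mar  3 10:17:05 dhcp01 sudo: svc_backup : COMMAND=/bin/bash",
    "Mar  3 10:17:30 web02 nginx: worker started",
    "Mar  3 10:21:11 dhcp01 dhcpd[812]: DHCPREQUEST for 10.0.0.24",
]
# Constructed sample: the DHCP server's own log after two entries were erased.
LOCAL_LOG = [
    "Mar  3 10:15:02 dhcp01 dhcpd[812]: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55",
    "Mar  3 10:21:11 dhcp01 dhcpd[812]: DHCPREQUEST for 10.0.0.24",
]

if __name__ == "__main__":
    gone = missing_from_local(LOCAL_LOG, CENTRAL_LOG, "dhcp01")
    for ts, host, msg in gone:
        print(f"missing locally: {ts:%b %d %H:%M:%S} {host} {msg}")
    print(summarize(gone))
```

Any non-empty result means the local log and the central copy disagree, which is worth investigating whether the cause is tampering, log rotation, or a forwarding failure.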

17. Tools vs Technique

Now, the next lecture that we want to discuss is Tools Versus Techniques. First off, we need to understand that you have to have a thorough understanding of the technology, because the tools are only going to get you so far. So you're going to have to adapt to doing something a little bit further. You're also going to have to improvise and think outside the box. This particular slide always reminds me of a story from when I was teaching in Dubai. As you know, normally at the beginning of a class, when everybody is kind of getting settled in, we go around and everyone tells us a little bit about themselves: what they want out of the class, what they do right now, and what their current position is. And I have a slide that tells them the things that I want to know so that I can provide a good, effective class for them. I remember this one individual from the United Arab Emirates, and the United Arab Emirates oftentimes employs individual contractors to do the work that requires a lot of skill. And so when it got to him, he basically said, "For my job, I'm a pen tester." I got to thinking to myself. I thought, okay, what are you doing in this class? Because the ethical hacker is a starting point for pen testing. So if he was already a pen tester, why was he in this class? As we went through the class, it became apparent that what he was calling being a pen tester was nothing more than running one particular tool. The tool that they actually were using was a very popular and very expensive tool called Core Impact. Core Impact currently charges about $65,000 a year for this particular tool. But I mean, it's like driving the big Cadillac. I'm telling you, you just sit back; high school kids can run this thing. And the beauty of this is, if you break in using that particular tool, it's just as broken in as if I wrote my own Python script to break in. It makes no difference how you get in, as long as you get in. But here's the kicker to this.
Just like the slide is saying, you have to adapt because the tools are only going to get you so far. So, when I teach this class, we do everything by hand so that you can understand exactly how the tools work. Because on the inside, the tools will actually do the manual processes or manual steps to get to some point. And if the tool is really good, it will actually do everything from start to finish. And that's basically what Core Impact was doing. As I talked about before, as the class went along, it turned out that he was just using the tool. And all you do with Core Impact is simply type in a range of IP addresses on a subnet, click the button to go, and sit back and see if it breaks in. I mean, that's it. It really couldn't get any simpler than that. It will actually apply the various vulnerabilities. It will give you a shell. I mean, it does everything and it's a wonderful tool. But there were times when the tool wouldn't break in, and unfortunately for him, he was simply stuck: "I guess you can't get in." And that's not necessarily true. If you're a really good pen tester, what you would do is start doing your research: go onto the internet and start looking for various exploits that attempt to use the vulnerabilities that you may have found. And sometimes you have to work around certain things, changing the code up just a little bit to make it work for your environment. This is what we're talking about when we say adapt, because the tools are only going to get you so far, and you need to think outside the box to get around certain things that may be thrown at you. At the end of the class, after we got done, we basically did a debriefing, and I asked each person, "Well, what do you think of the class?" This gentleman said, "Well, this is a fantastic class." I said, "So you still consider yourself a pen tester?" He said, "No, I think I would call myself a Core Impact operator." I said, "Well, you said it, I didn't." But that was actually pretty much true.

18. Things are not always as they seem

Sometimes the answer seems to be obvious when you very first look at it. I selected this picture because I know what you're thinking: "When I grow up, I want to be just like Mommy." A fourth grade class was asked to draw a picture of what they wanted to be when they grew up. That's a homework assignment turned in by a little girl in the class. The following day, the teacher sent a note home asking the parent if she might call or come to see her as soon as possible. Here's the response from a very ashamed parent. The girl returned to school the next day with the following note from her mother in a sealed envelope: "Dear Mrs. Jones, I wish to clarify that I am not now, nor have I ever been, an exotic dancer. I work at Home Depot, and I told my daughter how hectic it was last week before the blizzard hit. I told her we were sold out of every single snow shovel we had, and then I found another one in the back room, and that several people were fighting over who would get it. Her picture doesn't show me dancing around a pole. It's supposed to depict me selling the last snow shovel we had at Home Depot." So when you think about it and really dig deep into a problem, sometimes things look completely different.

19. Calculating Risk & Formulas

Now, there are portions of the test where you're going to need to know just a little bit of CISSP-type things, and one of them is calculating risk and formulas. They have one or two questions on this that you may see on your test, and we need to prepare you for those. So I'm going to show you a few equations that you need to become familiar with. First off is the threat equation, which says a threat is equal to the intent times the capability. The next one is the risk equation, and risk is considered to be equal to threats times vulnerabilities. Let's talk about this for just a second. Let's take threats as an example, all right? "Threat" means that we are dependent upon two factors: intent and capability. Unless both are present to some degree, the threat really doesn't exist. That's the reason these two factors are the ones in the risk assessment formula subject to the multiplier effect. The other factors of vulnerability and consequence are additive. Let's give you an example. A homegrown Al Qaeda sympathiser may have the intent of placing a small nuclear device in his checked baggage, but he has no capability of doing so. Therefore, in that scenario, the nuclear device in checked baggage, the threat factor is zero. And if you remember from your high school algebra, anything multiplied by zero is, yes, you got it, zero. If we take a look at the vulnerability itself, the vulnerability is described as the best judgement of those most closely associated with the threat being analyzed. In this risk assessment model, vulnerability is assigned a weight between one and 20 and is determined by an assessment of the likelihood of a successful threat event based upon existing known mitigators: for example, law enforcement presence, hardened facilities, and maybe public awareness. Let's give an example here. An airport ticket lobby that has armed officers assigned to it round the clock would actually be less vulnerable to a lone shooter than would one that has officers able and available to respond but not actually present 24 hours a day.


Comments (5)


  • peter parker
  • Netherlands
  • May 11, 2023

Today PASSED the EC-Council 312-50v10 test in my 1st try! Honestly, I expected that exam to be tougher than it was. In case someone’s gonna be interested, I had many questions about Nmap and DNS..For me, the latter was rather complicated so pay attention to it more thoroughly

  • Monnika Freshly
  • Malta
  • Apr 21, 2023

I'm on my way to the exam. super worry but feeling confident. thank you for these wonderful 312-50v10 braindumps and great support! if ever imma sit for other exams, I’ll start my prep with your website ;))

  • Goocha
  • Argentina
  • Apr 07, 2023

@friday, congratulations!!! what was the exam pattern like?? what topics were mainly featured??

  • friday
  • Singapore
  • Mar 19, 2023

passed the actual 312-50v10 exam!! thanks for your amazing practice test questions, study guide, and video tutorial!! all these played a big role in my success!!

  • Aliola
  • Canada
  • Feb 28, 2023

the best 312-50v10 practice test I could find on the net. very useful and informative, and most importantly, free of charge.thx
