Ethical Hacking

7. Framework for Protection Against Prosecution

Penetration Framework

An ethical hacker is someone who has been hired to penetrate an organisation's networks using the same knowledge and tools as a malicious hacker, but in a lawful and legitimate way.

Part of this legitmiacy is derived from following and agreed framework, which has been loosely followed in the previous exercises.

Following this framework help protect the ethical hacker from prosecution should they get caught. And if they are a pentester hopefully they will be is everything is secure.

Some of these steps are illustrated in the video opposite which shows a group of ethical hackers attempting to break into an organisation's computer network. Some of their steps work and others don't.

Watching the video will make you realise that not all hacking involves sitting behind a desk and it can be pretty exciting.

The Ethical Framework


The broad framework for hacking was covered in Phases of Attack

The framework for Pentesting is very, very similar. However, the emphasis is more on testing and identifying vulnerabilities rather than Maintaining Access or Covering tracks. And the idea is on recording the steps taken in the hack to demonstrate repeatability rather than the access being obtained through chance.

Once weaknesses have been identified then proper actions can be taken to close the vulnerabilities.

As with the Phases of Attack, the pentesting framework is iterative in that each stage feedback and can trigger another round of testing depending on the results.

Phase What it says

1. Planning

Good planning is key to a successful and productive ethical hack. The planning phase influences how the test is performed, the sorts of information gathered and how it is to be collected. These in turn will impact on the type of advice given and how the results are to change the current security program.

This is where the scope of the test is decided. How big it should be and what is exactly tested.

2. Operations - Rules of Engagement (ROE)

As explained at the start, the ROE sets out in detail who can do what when along with:-

  • How the test is to be controlled
  • What and who is out of bounds
  • What and who lies within bounds and can be tested.
  • What counts as a success or fail
  • How long the test the test should last and who decides when it stops
  • Who can see the results of the test.

3. Reconnaissance

A phase often missed out as it involves using publicaly available information. Nevertheless, as the video shows it can provide vital information.

The depth of reconnaissance can vary, involving

  • Ping scan to identify which IP addresses on a network will respond.
  • Scanning social media and news groups to identify employees divulging useful information.
  • Looking at company waste to see receipts for telecomms and IT services to discover suppliers
  • Theft, lying, tapping phones and networks, impersonating people, leveraging friendships.

The limits to whatever is done during the reconnaissance state is set by the Ruule of Engagement.

4. Enumeration: Vulnerability discovery

This involves using the results of the reconnaissance stage to possible entry point prior to the attack. As such it marks the boundary between a 'passive' attack and 'active' attack.

However, this boundary isn't always clearly defined, for example is an NMap port scan a passive or an active attack. Nevertheless, it is important part of identifying attack points.

It important to realise though Enumeration involves bringing ALL information together to list the possible attack point. This involves information that may be useful for Social Engineering attacks as well as through programes like Metasploit or BeEF.

5. Vulnerability Analysis: Planning the hack

Enumeration identifies a series of possible entry points. This section involves using the the information, first to identify those that are most likely to result in a successful attack and then second, the planning the actual hack itself.

The key features of this stage is however, the identification of goals, or what is trying to be achieved or tested during the attack.

Planning then continues on the steps likely to meet the goals. The planning would involve such details as timing of the attack; for example it might take place be late at night when there's less staff on duty or during shift changes. The plan will also identify the tools used, how to avoid detection, who to pretend to be etc.

6. Exploitation - The Hack

Before the commencement of the attack. It is broken down into a series of sub-steps that must be perfomed in order to meet a specific goal and what the tester (the ethical hacker) will do given certain responses.

Each part of the penetration test (the hack) is evaluated to ensure the expected outcome are met.

  1. Expectations. There are two sets of expectations here. There are the organisations' expectations. These are ones they expect to happen given a certain set of conditions. And there are the pentester's expectations or they expect to happen as a result of their attack. What actually happens is compared to these two sets expectation and go forward into the next stage
  2. Technical. This is recording how the system actually responds during the attack. This helps focus debate on the tsctics of performing the test rather than just looking at tactics of the exploitation itself.

7. Final Analysis

This stage involves taking an overview of the entire process, outlining the tests performed, the results and recommendations about what should happen in the future.

In making recommendations pentesters or ethicalhackers should consider three aspects.

  1. Mitigation. Any exposure on the internet or with computer networks involves risk. If a vulnerability is found, the the cost of solution has to be weighed against risk of leaving it unaddressed. If it's a minor risk which poses no threat it may not be worth building an expensive solution. On the other hand, a serious vulnerability presenting a possible data breah then it would be worthwhile.

    In either case, the pentester has to lay out options detailing the costs of further testing, piloting, implementating and validating possible solutions.

  2. Defence. Recommendations here would take a more strategic view of the entire security system, considering how it should grow and build on success

  3. Incident Management.Recommendations go into the formulation of an Incident Management plan detailing how to deal with attacks, covering detecting, responding and recovering from attack.

    The incident plan whould be practiced often, so that when an attack does occur, everyone knows what to do, rather than sitting around thinking about what to do. Time is important.

Tasks

An increasing number of tasks, from gaming, creative imagery, on-line retailing and office work are completed using web applications with the results stored in the 'cloud'. For a malicious hacker, these web applications provide a tempting target, for once the perimeter is breached, a whole range of possibilities become available.

For the ethical hacker/pentester the need to test the security of these web apps is obvious. However, trying to develop pentesting skills on websites without permission is highly illegal. Fortunateley there are number of web applications that have been set up to be deliberately vulnerable which can be used. See the OWASP (Open Web Application Security Project)

One of the most popular is the DVWA (Damn Vulnerable Web Application). It's popularity is due to the range of tests that can be completed on it. And can be used 'off-line' which makes it perfect for a Kali Linux hacking lab.

The downside is that there appears to be no definitive way of setting it up. So we are going to use Metasploitable 2 which includes an easily accessible version of DVWA and an 'out of the box' ready to go MySQL Server and database.

  1. Download Metasploitable 2. Unzip it and in school move it to the installs folder.
  2. Open Virtual Box and add Metasploitable as a new machine.
    1. Use the recommended settings apart from:
    2. In the Network options change the adapter to Host Only Adapter. Open the Advanced panel and change the Promiscious setting to All
  3. Start your Kali Linux Box and your new Metasploitable DVWA box
  4. In your Metasploitable 2 box (msfadmin/msfadmin for username and password), type ifconfig and record the IP or inet address for eth0
  5. In school only check you have the internet settings as shown in the slide and make sure you have imported the proxy certificate into the certificate section from the council.
  6. In the address bar of you Kali Box browser type the IP address from the Metasploitable box and this should result a Metasploitable window. Choose DVWA from the list and enter admin and password as the username and password

In your notebook create a page titled Web Applications and;

  1. Make a list of Web Apps used by you in school. Show My Homework is one example.
  2. Make a list of non school based Web Apps you use on your devices including phone, tablet, laptop etc. Facebook, SnapChat are a few examples.
  3. Make a list of any other used by you that require logins and authentication e.g on-line retailng, browser based applications like bookmarking synchronisation, Pinterest, Reddit etc.

Check the slides to configure your network settings (only in school).

Enter the IP address of the Metasploitable 2 DVWA target machine into Kali Linux attack box browser and it should see:

BURP! Excuse Me

BURP is modular testing framework. In this case it's a collection of modules use for testing the security of web sites. For this and the next few exercises, we shall be looking at how it can be used for pentesting on the DVWA site.

You're a Brute

Many web applications require a user to enter their log in credentials before starting the web. The following exercise shows how BURP can be used to test whether the log in credentials can be captured in a 'man in the middle (MITM)' attack.

add my own vid here
BURP! Pardon again!

SQL Injection

Behind web applications lie databases used for storing data. For web sites requiring authentication, databases will store user details like user names, passwords, email addresses and if they involve shoppping, also store their account details such as bank account, credit card numbers etc.

Also, on-line retailing stores use databases linked to web applications, so if they add new items, change stock levels or prices they only have to change them in the database and these changes are automatically reflected back through their web site.

SQL (Structured Query Language) is language used to manage databases (for searching, editing and managing data). In web apps, SQL requests are generated from forms. So any time a user has to add data on a web page in text boxes, filter items by choosing categories or use drop down boxes, use radio buttons or check boxes, these are combined into a SQL command when the submit button is clicked, and sent to the database server which executes the command and returns the results to the browser for the user to see.

For a hacker, such pages present an attractive target. If they can insert or inject a SQL command then they can manipulate the data stored in the database at the 'backend'. It is through such a method that hackers managed to cause major security breaches by fooling web apps to list username and passwords.

Follow the steps in the movie, to see how to carry out SQL Injection attack using BURP and SQL.

You should be able to:-
  • Identify stages of the ethical hacker pentesters framework.
  • Explain and give examples of the wide spread use of web applications on the internet.
  • Complete a 'hack' using a standard Web App Testing tool.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.

Cyber Security

  • Security Fundamentals
  • Data Security
  • Digital Forensics
  • Ethical Hacking
Supporting courses by the SQA Logo
css badge
html badgee