Site Loader
Get a Quote
Rock Street, San Francisco

ETHICAL HACKING AND PENETRATION TESTING

By

Best services for writing your paper according to Trustpilot

Premium Partner
From $18.00 per page
4,8 / 5
4,80
Writers Experience
4,80
Delivery
4,90
Support
4,70
Price
Recommended Service
From $13.90 per page
4,6 / 5
4,70
Writers Experience
4,70
Delivery
4,60
Support
4,60
Price
From $20.00 per page
4,5 / 5
4,80
Writers Experience
4,50
Delivery
4,40
Support
4,10
Price
* All Partners were chosen among 50+ writing services by our Customer Satisfaction Team

JAYDUTT PATEL
:–16BCE008

DEPARTMENT OF COMPUTER ENGINEERING
Ahmedabad 382481

ETHICAL HACKING AND PENETRATION TESTING

SEMINAR

Submitted in fulfillment of the requirements

For the degree of

Bachelor of Technology in Computer Engineering

By

JAYDUTT PATEL
16BCE008

Guided By
Dr. Sharada Ramakrishna Valiveti
DEPARTMENT OF COMPUTER ENGINEERING

DEPARTMENT OF COMPUTER ENGINEERING
Ahmedabad 382481

CERTIFICATE

This is to certify that the SEMINAR entitled ” Ethical Hacking And Penetration Testing” submitted by Jaydutt Patel(16BCE008), towards the partial fulfillment of the requirements for the degree of Bachelor of Technology in Computer Engineering of Nirma University is the record of work carried out by him/her under my supervision and guidance. In my opinion, the submitted work has reached a level required for being accepted for examination.

Dr. Sharada Ramakrishna Valiveti Dr. Sanjay Garg
ASSOCIATE PROFESSOR Dept. of Computer Engineering
Department of Computer Engineering, Institute of Technology,
Institute of Technology, Nirma University,
Nirma University, Ahmedabad
Ahmedabad

ACKNOWLEDGEMENT

THERE ARE MANY PEOPLE WHO HAVE CONTRIBUTED A LOT IN MY SEMINAR BUT THE MOST IMPORTANT FACTOR THAT INFLUENCED MY APPROACH TO THE TOPIC WAS THE PRESENCE OF MY FACULTY Dr. Sharada Ramakrishna Valiveti ,HER VISION AND GUIDANCE HELPED ME TO CRUISE THROUGH THE TOPIC EASILY.MOREOVER I WOULD LIKE TO DEDICATE MY WORK TO PARENTS WHO HAVE SUPPORTED ME THROUGH EACH AND EVERY PART AND PARCEL OF LIFE.THERE ARE SOME SUPPORTIVE FRIENDS WITH WHOM I WOULD LIKE TO SHARE MY CREDIT.

ABSTRACT

CONTENTS
Certificate
Acknowledgement
Abstract
Table of Contents
List of figures
List of tables

1. Introduction to Ethical Hacking
1.1 Types of hackers
1.2 Types of hacking
1.3 Process of hacking
1.4 Tools used in hacking
2. OWASP Top 10 Vulnerabilities
2.1. Injection
2.2. Broken Authentication and Session Management
2.3. Cross-Site Scripting (XSS)
2.4. Insecure Direct Object References
2.5. Security Misconfiguration
2.6. Sensitive Data Exposure
2.7.Missing Function Level Access Control
2.8.Cross-Site Request Forgery (CSRF)
2.9.Using Components with Known Vulnerabilities
2.10.Unvalidated Redirects and Forwards
3. Attacks
3.1 Man in middle attack
3.2 DDoS attack
3.3 Watrerhole
3.4 Keylogger
3.5
4. History of Ethical Hacking
5.Conclusion
6.References

Appendix – A List of Useful Websites

Introduction to Ethical Hacking
Ethical Hacking has been part of computer science for long time, It cover almost every field of computer science. After the first known hacking event in MIT in 1960 the term hacking became famous and been focus of every organization.

Hacking is the process of finding possible entry point in the computer system or the computer network and then get entry into it. Hacking is usually done to gain unauthorized access to a computer system or a computer network, either to harm the systems or to steal sensitive information available on the computer.

Ethical hacking is the type of hacking in which hacker is hired by the organization to find possible back doors or vulnerability in the system and remove them so that no one can hack into their system or get access to the sensitive information.
Now the question is why ethical hacking is so important? Every year world face billions of dollars loss because of hacking. Suppose that terrorist organization hack in the nuclear power plant, it will risk life of thousands of people because of this almost every multinational organization hire white hat hacker to secure their product from hacking. In India only private firms lost more than 4 billion $ because of the hacking.

1.1 Types of Hackers:
Black Hat:
Black Hat hackers are the type of hacker who break into the system and gain unauthorized access with bad intention like stealing sensitive data, damaging the system etc. It is completely illegal.
White Hat:
White Hat Hacker are the type of hacker who are hired by the organization to legally hack into their system to find weakness. It is legal because it is with the good intention of making system secure and unhackable.

Gray Hat:
Grey Hat Hackers hack into the system illegally but they do not harm it or steal sensitive information. They inform the organization about the weakness to get appreciation and little bounty from the owner.

Other:
There are lots of other categories of hacker as well based on their experience, how they hack, what they hack, their purpose etc. some of which are Red hat hacker, Blue hat hacker, Elite hacker, Script Hacker, Green hat hacker, Hacktivist.

1.2 Types of Hacking: Hacking can be classified into six major categories which are listed below, out of which Ethical hacking is discussed in detail.

Website Hacking: Hacking website is taking unauthorized access to the website and stealing sensitive information from the website.
Network Hacking: Network hacking is gaining information about the devices connected to the network, capturing packets flowing through the network.

Email Hacking: Email hacking is using victim’s email id without the permission.

Ethical Hacking: Ethical hacking is finding weakness or the vulnerabilities in the software and try to fix that.

Password Hacking: This is the process of finding password of the user form the data stored in the computer or from the data being transmitted over the network.
Computer Hacking: Computer hacking is gaining access to the computer without the permission by finding computer user id and password using hacking methods. This access can also be remote.

1.3 Process of Hacking: As the above diagram shows process of hacking can be subdivided into the following parts:

Reconnaissance: In this step hacker try to gather information about the about its target it can be organization or the single victim using active or passive methods.

Scanning: In this step attacker try to find vulnerability using which he can hack into the system. Most general vulnerabilities and their prevention are discussed in the next section.

Gaining Access: Using vulnerabilities found in the previous step we try to gain unauthorized access into the system and gain access to the sensitive data.

Maintaining Access: After we hack into the system and gained access we add some backdoor into the system using which we can enter into the system again in the future so that we don’t need to hack every time whenever we want to enter into the system.

Clearing Tracks: After we have carried out the attack onto the system before leaving we need to remove every evidence and the logs. So that no one cannot find out who hacked into their system.

Reporting: This is included only in the ethical hacking. After white hat hacker found out weakness and vulnerabilities into the system he need to give report to the organization regarding the same, so that they can remove it. It must contain detail information regarding the weakness and the amount of damage it can cause to the software if found out by the hacker.
1.4 Tools Used in Ethical Hacking:
Instead of downloading and installing different hacking and penetration testing tools hackers prefer to use kali linux operating system which have more than 600 tools pre installed and new tools being added in every new version of the kali linux.

List of some most famous and generally used tools along with their basic description is as follows:
Metasploit : Metasploit is the framework which is used to create different ethical hacking and penetration testing tools. It is most widely used software nowadays in the field of ethical hacking and pentesting.
NMap: NMap is the network security scanner find all the host and clients connected on the network and create map of the network. NMap send some special packets to the target device and analyse response from that devise and gather information about from that.

John the ripper: It the one of the most popular password testing and the cracking tool lots of different password crackers are inside one software.

Wireshark: Wireshark is the packet analyzer tool used to capture packets which are flowing from the wifi network, troubleshooting, network and communication protocol development, education etc…
Aircrack-ng: It is the software which include network tester, network sniffer, network encryption like WPA,WPA2,WEP cracking tools etc.
Burp suite: It is the java application which is used to secure the application or penetrate into the application. It contain lots of helpful tools like http proxy, scanner, intruder, spider, repeater, decoder, comparer, extender, sequencer etc.
2. OWASP vulnerabilities
The Open Web Application Security Project (OWASP) is the world wide non profitable organization with the main goal to improve security of the software. Every year they publish a list of top 10 vulnerabilities of the web application for the reference purpose. According to the top 10 vulnerabilities list published in 2018 they are as follows with the way to prevent them:

2.1 SQL Injection:
Injection attacks are the type of attacks with provide ability to the hacker for data theft, data loss and even full system compromise. In this attack attacker provide untrusted input to the program ,which then get executed by the interpreter and effect the software or data. Injection attack is one of the most powerful and oldest attack to hack the web application.

Suppose we have one application in which user need to login first in order to use the application. We ask for username and password and then using below SQL search query we search for the user, and compare it with the entered data if it mach user is logged in.

“SELECT * FROM Table WHERE Name=”+name;

Here we are taking data from the user and using it in the query without checking that it is valid or not. It provide attacker flexibility to run SQL query and do whatever he wants with the database. For example if we type { ” or “”=””; DELETE * FROM Table WHERE “1”=”1} instead of name of the user SQL search query will be converted into two queries which are as follows:
SELECT * FROM Table WHERE Name=”” or “”=””;
DELETE * FROM Table WHERE “1”=”1″

Here Second statement delete all the data form the table.

To prevent this attack we must check user input for validation some of the techniques by which injection attack can be prevented are as follows:

1. Parameterized query:
To make parameterized query developer need to first define all the SQL code and used parameters for the data as the placeholder and after that pass value of each parameter to the query later. This way we can differentiate between data and the code and make our software secure from SQL injection. Here regardless what user enters it will be considered as data not as the SQL code.

Example of the parameterized query for the query show above is as follows:
” SELECT * FROM Table WHERE [email protected]

Here @name is the parameter whose value we will provide later. Now if we try to do the attack using same method as before now entire data which user entered is treated as the name. Hence there are not two queries which will be executed here there is only one query and data we entered is treated as the name for the comparison purpose in the search query. By this we can ensure that query is doing what it is intended for.

2. Stored Procedures:
Stored procedure is the same as the parameterized query there is very small difference between then, in the stored procedure we are storing the procedure in the database itself and use it during the time of the executing by referring to their name. Here parameters are also used, hence we need to provide their value at the time of the execution.

Stored procedures are somewhat risky to use as compared with the parameterized query. While creating stored procedure special attention should be given to not use any unsafe dynamic query generation. If the dynamic query generation is needed then methods like input validation or the proper escaping should be used as described below.

3. White List Input Validation:
There are parts in search query where we should not use bind variable like name of the table, row, column and type of sorting. If we need to use bind variables in these places we should validate variable value means we should first check that name is the valid name or not, after that we should use it in the query.

4. Escaping All User Supplied Input:
This technique should be used only if the above techniques could not be applied. Here data enter by the used is escaped before entering it in the query. Meaning of escape is that special characters in the user inputted data is replaced by the escape sequences. So that data is no more treated as the SQL code but as the data only.

One important thing to note about this technique is that it is database specific means it might not work same for all database and might not be able to prevent all the SQL code from being injected.

2.2. Broken Authentication and Session Management:
In this attack hacker take advantage of the less secure authentication and session management method. Whenever we login into out account session id is given to use for further communication with the server, which is stored by the web browser until we close the browser. If we don’t close the browser just close the tab and walk away using session id stored in the browser attacker can get access to our account.
To prevent session id from being stolen method called session management at server side is used which drop old session id and give completely new one after some amount of time, so even attacker have out session id he/she will not be able to use our account because session id is changed and re-authentication is required.

In broken authentication attacker try lots of username and password which are very common or generated randomly. To prevent this attack biometric scan can be used but because it is costly we use another method in which we provide photo with some text in it and ask user to identify text.

Some other method to prevent this attack from happening is as follows:

Password Strength, Password change control, Password Storage, Session Id protection, Browser caching etc…

2.3 Cross-Site Scripting (XSS):
Malicious scripts are injected into the trusted website from the places where user can give input like text box, comment box or the search bar etc. so that whenever user load the page script is run and the specific task is carried out without being noticed.

As shown in below image we enter script into the comment box. This script send cookie to the attacker and send back image so that it will look like it is just the normal img tag of the HTML. This website do not check user input, it just store comment into the database and whenever page is loaded it retrieve comments from the database and show it onto the page. As our comment contain script whenever page is loaded script in the comment will execute and cookie will be send to the attacker, using this cookie attacker can do whatever he wants to our account.

To stop this type of attacks from being happening we must check every user input to make sure that it doesn’t contain any script.

script to send data to the attacker’s page and return image

comment stored in the database

stolen session id

2.4 Insecure Direct Object Reference:
Insecure Direct Object Reference occurs when reference to the object like file, database are revealed. Using this references attacker might get access to them and manipulate them without needing to go through all the authentication process. Hence all the internally implemented data reference must not be revealed.

Similar type of attack happen in Australian Taxation Office’s GST Start Up Assistance site in 2000, in which using reference to the database attacker gained access to all the companies sensitive information.

2.5 Security Misconfiguration:
Security Misconfiguration occur when the security setting are set to default for example developer forgot to disable debugging mode or default admin account which have name and password both as ‘admin’. There are tools available like appscan which find this type of general misconfiguration into the website.

2.6 Sensitive data exposure:
Sensitive data like user’s bank account details, credit card details, personal information are stored in many websites ,if the website is not secured this data might get stolen by the attacker using which he can perform credit card fraud, identity fraud and even stealing money from the user ban account. This also negatively affects the organization from which this data is stolen for example they might lost their users. Sensitive data should not be stored. If it is necessary to store data some strong encryption algorithms and authentication is mandatory.

2.7 Missing Function level access control:
Before performing any function it must be checked that the user who is asking for the function to be executed has proper level of access to execute that function, otherwise even normal user will also be able to use functions which are accessible to only admin or the owner of the website. To prevent this type of vulnerability user state or the level of access must be checked before accessing any resources or executing functions.

2.8 Cross site request forgery:
CSRF occur when one website uses our authentication and send request to the other website to perform specific function without permission of the user. For example suppose that we are logged into our bank website and doing some task, with this bank website open in one tab we open website of attacker by mistake in the other tab, now attacker website will send request to our bank website to send money from our account to his account as we are logged into our bank website bank will perform this task. To prevent this attack generally tokens are used, whenever we log into the bank account bank website give us token using which we can perform further task without needing re-authentication, now if attacker website try to send request to the bank website it won’t get executed because they do not have token.

2.9 Using components with known vulnerabilities:
Components used in the development of the web application might have vulnerabilities using which attacker might be able to hack into our system. For example old APACHE web server had 200 known vulnerabilities if the attacker knows about specific components used and their versions he might be able to hack into the system using their vulnerabilities. Hence to prevent this type of attack from happening we must hide the internal component information from the user. We also need to add security wrapper around all the components with have vulnerabilities.

2.10 Unvalidated Redirects and Forwards:
Almost every website nowadays redirects their user to some other page or the website. If the validation of the redirected website or page is not checked attacker might be able to redirect user to some phishing website or uses forward to access unauthorized pages. Hence to prevent this type of attack we must not uses redirect or forward and if it is necessary we should never use user input as the parameter of the redirection link and there must be one page as the conformation that the user is being redirected to specific page.

DDOS:
Distributed Denial of Service (DDoS) is the attack in which attacker send enormous data to the web server, server can not handle this much amount of data so that website become unavailable until it it restarted again.

In this attack attacker uses many devices which he hacked and gained access remotely, using which he send lots of packets to the web server. Here devices are spread across the glob hence it is hard to do prevention. This device network is known as the bornet. Amount of data send to the server many reach to GB per second.

DDoS attack can be classified into the following categories:
Volume based attack
Protocol attacks
Application layer attacks

Volume based attack: Volume based attack include TCP flood, UTP flood, ICMP flood etc.. Some of which are discussed in details below:
HTTP flood: Here large amount of GET and POST request are send to the web server which it can not handle and result into the system slowdown or complete shutdown.
UDP flood: Here random ports of the host are flooded with the UTP packets. Here mostly port no. 53 is chosen to enter the UTP packets.

ICMP flood: This is similar to the UDP flood but here both input and output bandwidth are consumed, this result in the high ping value so that system slowdown occur.

Protocol attack:
DNS Flood: Here infrastructure and DNS application both are attacked using DNS Flood attack and entire network bandwidth is consumed because of that.

Ping of Death: Maximum size of the packet is 65,535 bytes if the packet size is higher than this it will lead to the memory overflow which will result in the violation of the network protocol and the failure of the system.

Application layer attack:
Application attack: Here attacker make lots of time consuming task request like log-in, database entry, search request etc.. Lot’s of this kind of request result in overloading of the website. It is very difficult to identify the this attack because it look very similar to the normal network traffic to the server.

Slowloris: Http header is required to established the connection. Attacker send lots of Http header but never complete the request, server keeps them so that request can be completed after some time capacity of the server is full ,now it can not receive request even from the legitimate user and result in the DDoS attack.

Preventions From DDoS Attack
First all possible application and OS level vulnerabilities must be removed and next all the unnecessary ports must be closed.
If the DDoS attack is small firewall applications are useful but if the DDoS attack is of the magnitude of GB per second firewall might not help to prevent it in this situation DDoS prevention service provider company might be a better option because it provide more security and robustness as compared with the other option.

Man In Middle Attack:

Attacker work as the middleman between web server and the client hence all the traffic flow through attacker and attacker can see whatever is written in the packets and no one will get even a small hint about it. Example of man in the middle attack is as follows:
Attacker create one open wifi network using one wireless adapter card and then uses another network internet card wireless or wired to connect itself to the high speed internet. Client connect with this wifi network to use free internet. Whenever user want some particular page it send request through the network attacker as the man in the middle capture packet read the packet and then transfer the it to its right place and then return response to the client. As the attacker can read every packet send from the client and received by the client it can also capture and read password or sensitive information.

There is another variation to the man in the middle attack. Suppose one user wants to connect to some particular web service, so he will ask the web service for its public key so that using that they can communicate with each other. What attacker does is it capture the client public key request and then return its own public key rather than web service public key. Now whatever data web service send to the client will be received by the attacker, attacker will decrypt the packet read it and encrypt it again and send it to the client, client will think that he received this packet from the web server but actually his data is being stolen.

There are lots of examples of Man in middle attack one of which happened in iraq where entire iraq google user data was being stolen by the man in the middle attack because of the breached certificate authentication.Almost for two months iraq google user data was stolen.

To prevent this from happening we must not use the open public wifi to send sensitive data. Most secure way to prevent Man in middle attack is the certificate authority which provide us guarantee that the public key we received is the legitimate public key from the web service and if even one single bit changes in the public key certificate authority will known about it.

Waterhole:
When the source of the river is poisoned entire river will be poisoned and all the animals depending on the river water will be on the great threat. Waterhole attack is something similar here attacker hack the website which is frequently visited by the victim and using it he will add backdoor into the victim’s system.

Defence against this attack is very hard because here our own network or software is not hacked but the others is hacked. Fist of all we must provide information related to the waterhole attacker to the user who have access to the sensitive part of the application because if that user computer is hacker our website will also be in threat.We also need to have a eye on most frequently used website by the employs.

KeyLogger:
Keylogger is the programme which monitor each and every keystroke on the device keyboard. Using keylogger attacker is able to get username and password or anything which user type. Screen keyboard are generally not affected by the keylogger. Keylogger can be installed in our computer by the attacker using many ways like phishing email ,hacked website which we visited etc… Main problem with keyloggers is that once it is up and running there is no way you will notice , because it will not show up in start menu, programs files and even it can’t be seen in the task manager.

Keylogger need to send data to the attacker using internet, hence watching data being send from our computer to the outside might reveal the keylogger but if the data being send is just one or few keystroke it will be hard to detect. More secure and accurate way to do prevention against keylogger is the firewall it monitor our computer very closely. Whenever some application need to send data using internet firewall will show notification to us for the permission using which we can find keylogger installed in our computer.

Conclusion

References
OWASP
Wikipedia
Tutorialspoint

Post Author: admin