06-01-2011, 01:15 PM
[attachment=7962]
Submitted to:Miss.Mani (Lect. In CSE Dept.)
Submitted by:Savita
CSE-1(G-2)
OVERVIEW
What is a Ethical Hacking?
Defining hacker.
Ethical Hacking 101.
Understanding the Need to Hack Your Own Systems.
Some attacks.
Obeying the Ethical Hacking Commandmentes.
Sources.
What is a Ethical Hacking?
An ethical hacker is a computer and network expert who attacks a security system on behalf of its owners.
An ethical hacker is sometimes called a white hat, a term that comes from old Western movies, where the "good guy" wore a white hat and the "bad guy" wore a black hat.
Defining hacker
Hacker is a word that has two meanings:
Traditionally, a hacker is someone who likes to tinker with software or electronic systems. Hackers enjoy exploring and learning how computer systems operate. They love discovering new ways to work electronically.
Recently, hacker has taken on a new meaning — someone who maliciously breaks into systems for personal gain. Technically, these criminals are crackers (criminal hackers). Crackers break into (crack) systems with malicious intent. They are out for personal gain: fame, profit, and even revenge. They modify, delete, and steal critical information, often making other people miserable.
One of the first examples of ethical hackers at work was in the 1970s, when the United States government used groups of experts called red teams to hack its own computer systems.
The good-guy (white-hat) hackers don’t like being in the same category as the bad-guy (black-hat) hackers. (These terms come from Western movies where the good guys wore white cowboy hats and the bad guys wore black cowboy hats.)
Hackers (or bad guys) try to compromise computers.
Ethical hackers (or good guys) protect computers against illicit entry.
Ethical Hacking 101
Ethical hacking — also known as penetration testing or white-hat hacking —involves the same tools, tricks, and techniques that hackers use, but with one major difference: Ethical hacking is legal. Ethical hacking is performed with the target’s permission. The intent of ethical hacking is to discover vulnerabilities of an overall information risk management program that allows for ongoing security improvements.
To hack your own systems like the bad guys, you must think like they think
Understanding the Need to Hack Your Own Systems
To catch a thief, think like a thief. That’s the basis for ethical hacking.
Protecting your systems from the bad guys — and not just the generic vulnerabilities that everyone knows about — is absolutely critical. When you know hacker tricks, you can see how vulnerable your systems are.
Attacking your own systems to discover vulnerabilities is a step to making them more secure. This is the only proven method of greatly hardening your systems from attack. If you don’t identify weaknesses, it’s a matter of time before the vulnerabilities are exploited.
As hackers expand their knowledge, so should you. You must think like them to protect your systems from them. You, as the ethical hacker, must know activities hackers carry out and how to stop their efforts. You should know what to look for and how to use that information to thwart hackers’ efforts.
It’s impossible to buttress all possible vulnerabilities on all your systems. You can’t plan for all possible attacks — especially the ones that are currently unknown. However, the more combinations you try — the more you test whole systems instead of individual units — the better your chances of discovering vulnerabilities that affect everything as a whole.
Your overall goals as an ethical hacker should be as follows:
Hack your systems in a nondestructive fashion.
Enumerate vulnerabilities and, if necessary, prove to upper management that vulnerabilities exist.
Apply results to remove vulnerabilities and better secure your systems.
Some attacks
Nontechnical attacks
Exploits that involve manipulating people — end users and even yourself —are the greatest vulnerability within any computer or network infrastructure. Humans are trusting by nature, which can lead to social-engineering exploits. Social engineering is defined as the exploitation of the trusting nature of human beings to gain information for malicious purposes.
Other common and effective attacks against information systems are physical. Hackers break into buildings, computer rooms, or other areas containing critical information or property.
Network-infrastructure attacks
Hacker attacks against network infrastructures can be easy, because many networks can be reached from anywhere in the world via the Internet. Here are some examples of network-infrastructure attacks:
Connecting into a network through a rogue modem attached to a computer behind a firewall
Exploiting weaknesses in network transport mechanisms, such as TCP/IP and NetBIOS
Flooding a network with too many requests, creating a denial of service(DoS) for legitimate requests
Installing a network analyzer on a network and capturing every packet that travels across it, revealing confidential information in clear text
Operating-system attacks
Hacking operating systems (OSs) is a preferred method of the bad guys. Oss comprise a large portion of hacker attacks simply because every computer has one and so many well-known exploits can be used against them.
Occasionally, some operating systems that are more secure out of the box —such as Novell NetWare and the flavors of BSD UNIX — are attacked, and vulnerabilities turn up. But hackers prefer attacking operating systems like Windows and Linux because they are widely used and better known for their vulnerabilities.
Here are some examples of attacks on operating systems:
Exploiting specific protocol implementations
Attacking built-in authentication systems
Breaking file-system security
Cracking passwords and encryption mechanisms
Application attacks
Applications take a lot of hits by hackers. Programs such as e-mail server software and Web applications often are beaten down:
Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) applications are frequently attacked because most firewalls and other security mechanisms are configured to allow full access to these programs from the Internet.
Malicious software (malware) includes viruses, worms, Trojan horses, and spyware. Malware clogs networks and takes down systems.
Spam (junk e-mail) is wreaking havoc on system availability and storage space. And it can carry malware.
Obeying the Ethical Hacking Commandments
Every ethical hacker must abide by a few basic commandments. If not, bad things can happen.
Working ethically:-
The word ethical in this context can be defined as working with high professional morals and principles. Whether you’re performing ethical hacking tests against your own systems or for someone who has hired you, everything you do as an ethical hacker must be aboveboard and must support the company’s goals. No hidden agendas are allowed!
Respecting privacy
Treat the information you gather with the utmost respect. All information you obtain during your testing — from Web-application log files to clear-text passwords — must be kept private. Don’t use this information to snoop into confidential corporate information or private lives. If you sense that someone should know there’s a problem, consider sharing that information with the appropriate manager.
Involve others in your process. This is a “watch the watcher” system that can build trust and support your ethical hacking projects.
Not crashing your systems
One of the biggest mistakes seen when people try to hack their own systems is inadvertently crashing their systems. The main reason for this is poor planning. These testers have not read the documentation or misunderstand the usage and power of the security tools and techniques.
Many security-assessment tools can control how many tests are performed on a system at the same time. These tools are especially handy if you need to run the tests on production systems during regular business hours.
