
ISTM284E: Ethical Hacking

Introduction to Ethical Hacking + OSINT

© Tobin Shields, M.S., M.Ed.


Today’s Goals and Objectives

Overview of Today’s Topics:

▸ Course overview and introduction + CEH overview
▸ Review “the hacking process”
▸ Reintroduce OSINT and Footprinting
▸ Dive into a range of Footprinting techniques

Course Objectives:

▸ Apply a penetration testing framework and methodology to find and act upon vulnerabilities in a given system
▸ Use OSINT tools to conduct passive recon on a target



Course Intro + CEH Details
What is “Ethical Hacking”

Ethical hacking is the practice of employing computer and network skills in order to assist organizations in testing their network security for possible loopholes and vulnerabilities.

Another term for this is penetration testing.



Essential Skills of a Pentester

The best penetration testers are system administrators.

You need to have a good sense of how systems and networks are built in order to begin to tear them apart.

You also have to be willing to learn a ton, and organize your resources so you can retain (or recall) much of that information.

Watch This Defcon Talk: ‘So you think you want to be a penetration tester’



The Need For Effective Communication

Penetration testers must master the art of system exploitation. They must stay up-to-date, research, and constantly think outside the box. They are highly skilled technical folks who take abstract systems and make concrete results.

However, the most important skill required from a pen tester is communication and summary writing.



The Pentest Report

When a penetration tester is hired, the expectation is that they will produce a comprehensive final report that details their methodology, attempts, successes, failures, and even recommendations.

This is the single most important part of the entire engagement and is what the client is ultimately paying for.



Are there certifications?

Top Ethical Hacking Certs:
▸ Certified Ethical Hacker (CEH)
▸ Offensive Security Certified Professional (OSCP)
▸ The Global Information Assurance Certification (GIAC)

A Note About Certifications:

While pursuing certifications helps build resumes, and they can also be a great learning path from knowing nothing, pentesting is a job field where technical proficiency trumps everything else. Certs can get your foot in the door, but your skills are what land you a job.



This Course Is Aligned With The CEH Exam

This course will be aligned with the EC-Council’s C|EH exam.

Pros to obtaining this cert:

▸ Appears on many cyber-related job postings (even non-pentesting)
▸ Is a DoD recognized certification
▸ Covers lots of great entry-level content
▸ Does not require work experience to obtain



But this course only covers part of the exam…

While we could cram for the entire CEH exam in a single course, it’s not ideal.

This course will cover the first two “books” of the CEH curriculum (out of four). These books focus on system-level exploitation, which is the perfect introduction.

But what about the rest?! ISTM285E (Adv. Ethical Hacking) and ISTM285W (Web App. Pentesting) cover the rest of the CEH topics, and much more.



Whoa—but why are the books so expensive?

Normally, the CEH costs $1200 to attempt. However, if students go through an ‘official’ EC-Council training partner the cost is dropped significantly ($300).

These books are a part of the official curriculum + online labs are included. We have student discounts on the books.

$108.03 (reg 129.64)   $108.03 (reg 129.64)



Buying The Full Bundle

$108.03   $108.03   $108.03   $108.03   $432.12 (Total)

You can buy the bundle for $417.50 and save ~$15.

This bundle is normally $501 full retail.

Full instructions to buy any of these can be found in the syllabus and on Blackboard.



Taking The CEH Exam



Weekly Course Routine

Learning Tasks:

▸ Attend a lecture each week with a focus on a new set of topics (Day 1)
▸ Work on assigned labs (Day 2)
▸ Read portions out of the textbook

Assessments (Graded work):

▸ A series of hands-on labs
  ▹ One per chapter read (2-3/week)
▸ A short online quiz
  ▹ Based on textbook chapters



A Note About The Reading

The CEH textbook covers a range of topics—some might be review, especially if you have recently taken Security+.

However, there will still be much that is specific to pentesting and ethical hacking that will be new. That is why you are going to need to practice good reading skills and learn when you can skim/review topics, and when you need to pause and deeply read a section.

For instance, chapter 1 will be primarily review with only a few sections that might be new information for students.



Another Note About The Reading

You will not be asked to ever memorize a long list of tools—rather, you should understand the objective (i.e. enumerate DNS, scrape a website, scan a network, etc…) and why an ethical hacker might want that information. Tools come and go.

When you are reading, focus mostly on the first portion of a section, and then skim through the tools.

However, there will be a handful of tools that you will be expected to know, and they will be covered in-depth.



Added to AC1271 Access List

You have all been added to the lab access list. This means that as long as there isn’t a class going on, you can be in this lab (including weekends!).

If the room is locked, then go to the security office and they will let you in.



“The Hacking Process”
The “Hacking Process” (Engebretson 2013)



The Pen testing Process (Weidman 2014)



The “Hacking Process” (Velu 2017)



“The Hacking Process” EC-Council

This model was adopted by the EC-Council, and it is widely taught as the standard model for how adversaries break into a system. The phases in the diagram are:

▸ Reconnaissance
▸ Scanning/Enumeration
▸ Gaining Access
▸ Maintaining Access
▸ Clearing Tracks
Introduction to Footprinting/OSINT
“The Hacking Process” EC-Council

The rest of this week is going to focus on the first phase of the hacking process: “Footprinting” or, as we have called it, OSINT.

(Diagram phases: Reconnaissance, Scanning/Enumeration, Gaining Access, Maintaining Access, Clearing Tracks.)
The “Recon” Phase

“It is better to learn as much as possible about an enemy before engaging them. Time spent on reconnaissance is seldom wasted.” – John Marsden

Attackers will conduct extensive reconnaissance. 70 percent of the work effort of a penetration test or an attack is spent conducting reconnaissance.



Footprinting

Footprinting is the process of collecting information about a target network and its environment. Using footprinting, you can find a number of opportunities to penetrate and assess the target organization’s network. There are two categories:

▸ Active Footprinting
▸ Passive Footprinting



Passive Footprinting

Passive Footprinting involves gathering information about the target without direct interaction. Passive footprinting techniques include:

▸ Finding information through search engines
▸ Collecting location information on the target through web services
▸ Performing people search using social networking sites and people search services
▸ Performing competitive intelligence



Active Footprinting

Active Footprinting is where you learn information about the target by actually interacting with them. Some examples might include:

▸ Extracting metadata of published documents and files
▸ Gathering website information using web spidering and mirroring tools
▸ Performing social engineering



Purpose of Footprinting

Footprinting can help:

▸ Reveal the Security Posture of the target organization
▸ Reduce the focus area
▸ Identify Vulnerabilities
▸ Draw Network Map



Footprinting Threats

As a defender, the following are attack vectors and threats that attackers will often exploit or use:

▸ Social Engineering
▸ Information Leakage
▸ Corporate Espionage



Footprinting Techniques
Offensive vs Defensive OSINT



CEH Textbook Topics

There are numerous ways to conduct OSINT and Footprinting attacks—however, the CEH exam expects that you know how to do the following:



Search Engine Footprinting



Advanced Google Searching

Google allows users to build custom and advanced search queries using advanced search operators.

Pen testers and hackers can leverage these operators to find sensitive information that has been exposed publicly.



Google Hacking Database / Google Dorks

https://www.exploit-db.com/google-hacking-database

A vast collection of advanced search strings has been aggregated into the Google Hacking Database, maintained by Offensive Security.

This database is free to view and contribute to. Each entry is called a dork.



Footprinting through Web Services



Finding Company’s Top-level Domains

A company's top-level domains (‘TLDs’) and sub-domains can provide a lot of useful information to an attacker. They may contain information such as organizational history, services and products, and contact information.



Footprinting TLD

▸ Netcraft (Website)
▸ Sublist3r (Python Script)
▸ Fierce (Built into Kali)



Social Media Footprinting



What is Social Media Footprinting?

Social networking services are online services, platforms, or sites that focus on facilitating the building of social networks or social relations among people.

Attackers can leverage this wide network of associated information to discover possibly sensitive or useful information.



People Searching Websites

The first type of profile searching actually uses people search engines, which are unrelated to social media but build a profile on a target based on public records. Popular engines include:
▸ Truepeoplesearch.com
▸ Pipl.com
▸ Spokeo.com



Manual Social Media Recon

When conducting social media recon, it’s good to simply manually review the page and look for the following:

▸ Connections
▸ Posts
▸ Trends
▸ Interactions

Once you know their username on one site, see if they appear on other popular sites as well.



Automated Social Media Footprinting

Many social media websites have opened their platform via APIs so that 3rd-party developers can build tools to integrate into their app.

Attackers can leverage these APIs to build tools that help to automate information gathering.

See our book for a list of great tools.



Example LinkedIn Automation



Footprinting Through Job Posting Sites

Attackers can gather valuable information about the operating system, software versions, company’s infrastructure details, and database schema of an organization, through footprinting job sites using different techniques.



Example Information From Job Sites

These were found by typing “System Administrator” into Indeed.com. They came from three different job postings on the first page.



Using OSINT to Build WordLists - CUPP

Once you profile someone, you can use the Common User Password Profiler (CUPP) tool.

This is a Python tool that allows the tester to generate a wordlist that is specific to a particular user by feeding it information about that person.
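The same idea CUPP relies on (profile facts combine into predictable passwords) is just as useful on the defensive side, as a password-policy check. The block below is an added example written for these notes, not CUPP's own code: the profile field names, the suffix list and the sample profile are this example's assumptions, and the generated set is deliberately small.

```python
"""Profile-derived password check (added example; not CUPP's code).

Builds the set of passwords that can be assembled from a user's own
profile facts, then uses that set to reject a new password at set time.
"""
from itertools import product

# Constructed sample profile; the field names are this example's assumptions.
SAMPLE_PROFILE = {
    "first_name": "Alex",
    "last_name": "Rivera",
    "birth_year": "1990",
    "pet": "Biscuit",
}

# Assumed short list of the suffixes people most often bolt onto a word.
COMMON_SUFFIXES = ["", "1", "123", "!", "2024"]


def profile_tokens(profile):
    """Distinct word tokens from the profile in lower, Capitalized and UPPER forms."""
    words = [v for k, v in profile.items() if k != "birth_year" and v]
    tokens = set()
    for w in words:
        tokens.update({w.lower(), w.capitalize(), w.upper()})
    return tokens


def derived_candidates(profile):
    """Every password that can be built from profile tokens alone.

    Single tokens and pairs of different tokens ('alexrivera' style) are each
    combined with the common suffixes and with the birth year.
    """
    tokens = profile_tokens(profile)
    years = {profile.get("birth_year", "")} - {""}
    bases = set(tokens)
    for a, b in product(tokens, repeat=2):
        if a.lower() != b.lower():
            bases.add(a + b)
    return {base + suffix for base, suffix in product(bases, COMMON_SUFFIXES + sorted(years))}


def is_profile_derived(password, profile):
    """True when the password is one of the profile-derived candidates."""
    return password in derived_candidates(profile)


def check_password(password, profile, min_len=12):
    """Simple policy: long enough, and not derivable from the user's profile."""
    if len(password) < min_len:
        return False, "too short"
    if is_profile_derived(password, profile):
        return False, "derived from profile information"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Biscuit1990", "AlexBiscuit1990", "plumb-orchard-kettle-42"]:
        print(candidate, "->", check_password(candidate, SAMPLE_PROFILE))
```

The check runs where the password is set, so the user never sees the derived list; only the verdict and reason come back.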



Footprinting Via Websites



Discovering Information Via Websites

An organization’s website is often a treasure trove of useful information for an attacker—sometimes it provides passive OSINT, while other times it might contain contact information, or even leak some sensitive information. Information can be found via:

▸ Spiders
▸ Scraping



Website Spidering

Sometimes it’s important to simply have an understanding of all the pages within a website. Software called “spiders” or “crawlers” can enumerate all of the public pages on a given website.

Some even “fuzz” for pages by guessing names that might not be public.

See our book for spider tools.
Web Scraping

Some websites have tons of great information, but it can feel overwhelming to collect and filter all of it.

Web Scraping is the term used for automated tools that navigate a website and collect targeted information. These are also sometimes called bots or spiders and can be malicious or innocuous.



Web Scraping Tools

The Harvester

This is a tool built into Kali that targets a web page and will find interesting information like emails or other useful information.

The Streamliner

This is a simple tool that will take a large email list and filter out all of the emails found in it. This has to be downloaded.

CeWL

CeWL is a ruby app, which spiders a given URL and returns a list of words, which can then be used for password crackers.



Beautiful Soup + Scrapy

Beautiful Soup 4 (bs4)

Beautiful Soup is a Python library for getting data out of HTML, XML, and other markup languages.

Scrapy

Scrapy provides a powerful framework for extracting the data, processing it and then saving it.
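The spidering, email-scraping and CeWL-style word-list passages above all reduce to one loop: fetch a page, pull out its links and text, follow in-scope links, and post-process the text. The block below is an added example written for these notes, not code from Beautiful Soup, Scrapy, theHarvester or CeWL. It uses only the Python standard library (html.parser instead of bs4) and replaces live HTTP with a constructed in-memory site, so it runs offline; the site content, host name and the dead link it contains are all invented for the example. Run against your own site, the same three outputs show what a crawler can enumerate, which addresses you are publishing, and what a word list built from your pages would contain.

```python
"""Offline spider + email scraper + CeWL-style word list (added example).

The constructed SAMPLE_SITE dict stands in for HTTP fetches; swap `site.get`
for a real fetch to crawl a live host.
"""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample site: URL -> HTML. One linked page is deliberately missing.
SAMPLE_SITE = {
    "https://example.test/": """<html><body>
        <h1>Example Widgets</h1>
        <p>Contact sales at sales@example.test or call the Portland office.</p>
        <a href="/about">About</a> <a href="/careers">Careers</a>
        <a href="https://other.test/partner">Partner</a></body></html>""",
    "https://example.test/about": """<html><body>
        <p>Founded in 2009, Example Widgets builds widgets. Press: press@example.test</p>
        <a href="/">Home</a> <a href="/careers">Careers</a></body></html>""",
    "https://example.test/careers": """<html><body>
        <p>Hiring a System Administrator for our Portland datacenter. Apply: jobs@example.test</p>
        <a href="/about">About</a> <a href="/internal/handbook">Handbook</a></body></html>""",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class PageParser(HTMLParser):
    """Collects href targets and visible text from one HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text_parts = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_data(self, data):
        self.text_parts.append(data)


def parse_page(html):
    parser = PageParser()
    parser.feed(html)
    return parser.links, " ".join(parser.text_parts)


def crawl(site, start):
    """Breadth-first crawl that stays on the start URL's host.

    Returns (url -> page text) for pages that exist and the list of in-scope
    links that pointed at nothing, which a spider must tolerate rather than crash on.
    """
    host = urlparse(start).netloc
    queue, seen = [start], {start}
    pages, missing = {}, []
    while queue:
        url = queue.pop(0)
        html = site.get(url)
        if html is None:
            missing.append(url)
            continue
        links, text = parse_page(html)
        pages[url] = text
        for link in links:
            absolute = urljoin(url, link)
            if urlparse(absolute).netloc != host:
                continue  # off-host links are out of scope
            if absolute not in seen:
                seen.add(absolute)
                queue.append(absolute)
    return pages, missing


def harvest_emails(pages):
    """Every distinct address found in the crawled text, sorted."""
    found = set()
    for text in pages.values():
        found.update(EMAIL_RE.findall(text))
    return sorted(found)


def build_wordlist(pages, min_len=5):
    """CeWL-style list: words of at least min_len letters, most frequent first."""
    counts = Counter()
    for text in pages.values():
        for word in re.findall(r"[A-Za-z]+", text):
            if len(word) >= min_len:
                counts[word] += 1
    return [word for word, _ in counts.most_common()]


if __name__ == "__main__":
    pages, missing = crawl(SAMPLE_SITE, "https://example.test/")
    print("pages:", sorted(pages))
    print("dead links:", missing)
    print("emails:", harvest_emails(pages))
    print("wordlist:", build_wordlist(pages)[:8])
```

The word list keeps case, as CeWL does by default, so "Example" and "example" count separately; lower-casing before counting is a one-line change if a cracker's rules will handle case anyway.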



Data Miner – Extension

Data Miner
Data Miner is a Google Chrome
extension that helps you scrape
data from web pages and into a
CSV file or Excel spreadsheet.

Link to download



Arachnid Demo



Footprinting Via WHOIS



Tool - Whois

The whois command is an OS tool that lets users query the public online database of those who register a domain name.

This is an old system that is a relic of a much smaller internet.
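The whois command prints a loosely structured key: value record, and most of the value for a defender comes from reading a few fields out of it: registrar, name servers, expiry date, and whether contact data is redacted (the GDPR point on the next slide). The block below is an added example, not part of these slides or of any whois client: it parses the text whois prints, with a constructed sample record in place of a live query (the domain, registrar and name server names are invented), and adds two checks an asset-inventory job would run, days until expiry and drift from the expected name servers.

```python
"""Parser for whois output plus expiry and name-server checks (added example).

Only the text that `whois` prints is consumed here; SAMPLE_WHOIS is a
constructed record in the common registry layout, not a real query result.
"""
from datetime import date, datetime

SAMPLE_WHOIS = """\
   Domain Name: EXAMPLE-WIDGETS.TEST
   Registry Domain ID: 000000-PLACEHOLDER
   Registrar: Example Registrar, LLC
   Updated Date: 2023-08-14T07:01:31Z
   Creation Date: 2009-03-02T04:00:00Z
   Registry Expiry Date: 2024-08-13T04:00:00Z
   Name Server: NS1.EXAMPLE-DNS.TEST
   Name Server: NS2.EXAMPLE-DNS.TEST
   DNSSEC: signedDelegation
   Registrant Name: REDACTED FOR PRIVACY
   Registrant Organization: REDACTED FOR PRIVACY
   Registrant Email: Please query the RDDS service of the Registrar of Record
>>> Last update of whois database: 2024-05-01T10:00:00Z <<<

For more information on Whois status codes, please visit https://icann.org/epp
"""


def parse_whois(text):
    """Map each lowercase field name to the list of values seen for it.

    Repeated keys (Name Server, Domain Status) are why values are lists.
    Comment and trailer lines are skipped.
    """
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((">>>", "%", "#", "For more information")):
            continue
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def parse_timestamp(value):
    """Registry timestamps look like 2024-08-13T04:00:00Z; older Pythons'
    fromisoformat rejects the trailing Z, so normalise it to an offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def summarize(record, today, warn_days=30):
    """Pull the fields a defender cares about; `today` may be a date or YYYY-MM-DD."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    expiry_vals = record.get("registry expiry date") or record.get("expiry date") or []
    expires = parse_timestamp(expiry_vals[0]).date() if expiry_vals else None
    days_left = (expires - today).days if expires else None
    redacted = any(
        "redacted" in v.lower()
        for k, vals in record.items() if k.startswith("registrant")
        for v in vals
    )
    return {
        "domain": (record.get("domain name") or [None])[0],
        "registrar": (record.get("registrar") or [None])[0],
        "name_servers": sorted(v.upper() for v in record.get("name server", [])),
        "expires": expires,
        "days_until_expiry": days_left,
        "expiring_soon": days_left is not None and days_left <= warn_days,
        "contacts_redacted": redacted,
    }


def inventory_drift(summary, expected_name_servers):
    """Name servers present on only one side of (whois record, inventory)."""
    expected = {ns.upper() for ns in expected_name_servers}
    return sorted(set(summary["name_servers"]) ^ expected)


if __name__ == "__main__":
    summary = summarize(parse_whois(SAMPLE_WHOIS), "2024-05-01")
    print(summary)
    print("drift:", inventory_drift(summary, ["ns1.example-dns.test"]))
```

Registries differ in field names ("Registry Expiry Date" versus "Expiry Date" is handled; others are not), so a production version keeps a per-registry alias table rather than two hard-coded keys.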



Whois vs GDPR

Link to article



Other Footprinting Tools Worth Noting



Maltego – The MVP of OSINT

Maltego is one of the most capable OSINT frameworks for personal and organizational reconnaissance.

It is a GUI tool that provides the capability of gathering information on any individual, by extracting the information that is publicly available on the internet by various methods.

This can be downloaded for free. It is preinstalled in Kali.
Shodan – Learn About Systems

Shodan is a search engine for publicly exposed IoT devices and systems. This tool highlights that many systems run default configurations, or don’t even have a login.

https://www.shodan.io/



Buscador – The OSINT OS

Buscador is a custom VM built as a curation of OSINT tools. Think of this similar to Kali, but with a singular focus on Footprinting and OSINT.

However, the author is no longer maintaining this, and is recommending that users now build their own tools.



Michael Bazzell Tools

https://amzn.to/2pTXdz1 https://amzn.to/339avqo



Other Footprinting Topics – Covered In Book

1. Email Footprinting (scanning email system for data leakage)
2. Competitive Intelligence (learning about an organization that might influence strategic decision making)
3. DNS Footprinting (learn more about DNS records—something that will be covered in-depth next week)
4. Network Footprinting (Also covered in-depth next week)

