Computer and Information Security

By Molalign Tilahun (BSc in Computer Science, MSc in Project Management and MSc in Information Technology)
Department of Computer Science, College of Computing and Informatics, Select College
Chapter Three
Vulnerability Assessment and Ethical Hacking
Ethical Hacking
• Ethical hacking is an authorized attempt to gain unauthorized
access to a computer system, application, or data.
• Carrying out an ethical hack involves duplicating the strategies and
actions of malicious attackers.
• This practice helps to identify security vulnerabilities, which can then
be resolved before a malicious attacker has the opportunity to exploit them.
• Also known as "white hats," ethical hackers are security experts who
perform these assessments.
• The proactive work they do helps to improve an organization's security
posture. Because it is done with prior approval from the organization or
owner of the IT asset, the mission of ethical hacking is the opposite of
malicious hacking.
Ethical hacker
• Ethical hackers
– are employed either through contracts or direct employment to
test the security of an organization.
– use the same skills and tactics as a hacker but with permission
from the system owner to carry out their attack against the
system.
– do not reveal the weaknesses of an evaluated system to anyone
other than the system owner.
– work under contract for a company or client, and their contracts
specify what is off‐limits and what they are expected to do.
• Their role depends on the specific needs of a given organization.
• In fact, some organizations keep teams on staff specifically to
engage in ethical hacking activities.
Key concepts of ethical hacking
• Ethical hackers follow four key protocol concepts:
– Stay legal: obtain proper approval before accessing a system and
performing a security assessment.
– Define the scope: determine the scope of the assessment so
that the ethical hacker's work remains legal and within the
organization's approved boundaries.
– Report vulnerabilities: notify the organization of all
vulnerabilities discovered during the assessment, and provide
remediation advice for resolving them.
– Respect data sensitivity: depending on the data sensitivity,
ethical hackers may have to agree to a non-disclosure
agreement, in addition to other terms and conditions required
by the assessed organization.
Types of Hackers
1. Script Kiddies have limited or no training and know how to use only
basic techniques or tools. Even then, they may not understand any or all
of what they are doing.

2. White-Hat Hackers think like the attacking party but work for the
good guys. They are typically characterized by having a code of ethics
that says, essentially, that they will cause no harm. This group is also
known as ethical hackers or pentesters.

3. Gray-Hat Hackers straddle the line between good and bad: they may
probe systems without authorization but without malicious intent, and
some later reform and move to the legitimate side. Even once reformed,
they still might not be fully trusted.
Types of Hackers
4. Black-Hat Hackers are the bad guys who operate on the opposite
side of the law and may or may not have an agenda.

5. Suicide Hackers try to knock out a target to prove a point and are not
stealthy, because they are not worried about getting caught or doing
prison time.

6. Hacktivists use hacking to push or promote a political agenda
(hacktivism).
– Targets of hacktivists have included government agencies and large
corporations.
Ethical Hacking and Penetration Testing
• Ethical hackers engage in sanctioned hacking—that is, hacking
with permission from the system's owner.
• In the world of ethical hacking, most tend to use the term
pentester, which is short for penetration tester.
• Pentesters penetrate systems like a hacker but for benign
purposes.
Ethical Hacking and Penetration Testing
• As an ethical hacker and pentester, you must become familiar
with the following terms you will encounter in pen testing:
– Hack Value describes a target that may attract an
above-average level of attention from an attacker.
Presumably because this target is attractive, it has more
value to an attacker because of what it may contain.
– Target of Evaluation (TOE) is a system or resource that
is being evaluated for vulnerabilities. A TOE would be
specified in a contract with the client.
– Attack is the act of targeting and actively engaging a TOE.
– Exploit is a clearly defined way to breach the security of a
system.
Ethical Hacking and Penetration Testing
• Zero Day describes a threat or vulnerability that is
unknown to developers and has not been addressed. It is
considered a serious problem in many cases.
• Security is a state of well-being in an environment
where only actions that are defined are allowed.
• Threat is considered to be a potential violation of
security.
• Vulnerability is a weakness in a system that can be
attacked and used as an entry point into an environment.
• Daisy Chaining is the act of performing several hacking
attacks in sequence, with each building on or acting on the
results of the previous action.
Penetration Testing
• When a pen test is performed, it typically takes one of three forms:
– Black Box A type of testing in which the pentester has little or no
knowledge of the target.
• This situation is designed to closely emulate the situation an
actual attacker would encounter, because they would
presumably have an extremely low level of knowledge of the
target going in.
– Gray Box A form of testing where the knowledge given to the
testing party is limited.
• In this type of test, the tester is given knowledge such as IP
addresses, operating systems, and the network environment,
but that information is limited.
• This type of test closely emulates the knowledge that someone
on the inside might have; such a person would have some
knowledge of a target but not always all of it.
Penetration Testing (cont …)
– White Box
• A form of testing in which the information given to the tester
is complete.
• This means that the pentester is given all information about the
target system.
• This type of test is typically done internally or by teams that
perform internal audits of systems.
Vulnerability Assessment
• The first step in any security protection plan is the
assessment of vulnerabilities.
• Vulnerability assessment is the systematic and methodical
evaluation of the exposure of assets to attackers, forces of
nature, and any other entity that could cause potential
harm.
• A variety of techniques and tools can be used in evaluating
the levels of vulnerability.
Vulnerability Management
• It is a process that involves a continuous cycle of monitoring,
identification, assessment, remediation, and prevention of
flaws that may expose your IT assets to breaches and
unauthorized modifications.
• It comprises routine checks, evaluation of possible risks,
assessment of risk intensity, suggested remediation, and repeat
checks to see if the threat is still there.

Vulnerability Assessment Vs Management
• Vulnerability assessment
– is a one-time project with a scheduled start and end date. It is not a
scan.
– Here, a third-party security consultant or a company will audit your
organization’s assets and prepare a detailed report on vulnerabilities
you are exposed to.
– When the final report is prepared by the external authority,
remediation measures are suggested, the report is delivered, and the
vulnerability assessment process ends.
• Vulnerability management
– is continuous and not a one-time process.
– Vulnerability assessment can be a part of the process in the
vulnerability management program, but they are not the same.

Types of vulnerability assessments
1. Network-based assessment - this scan helps pinpoint
possible flaws on wired and wireless networks.

2. Database assessment - this assessment involves locating
security loopholes in a database and its configuration so that
attacks against it, such as SQL injection, brute force and
denial of service, can be prevented.

3. Web application assessment - this scan involves a careful
evaluation of web applications and their source code to find
any security holes. The process can be done manually or
automated.
Types of vulnerability assessments (cont …)
4. Host-based assessment - this type of assessment
examines any possible weaknesses or threats in servers,
workstations, and other network hosts. It also involves a
meticulous examination of ports and services.

5. Wireless network assessment - this scan validates
whether an organization's wireless infrastructure is securely
configured to prevent unauthorized access.
Phases of Vulnerability Assessments
1. Defining and planning the scope of testing
– Identify where your most sensitive data is stored.
– Uncover hidden sources of data.
– Identify which servers run mission-critical applications.
– Identify which systems and networks to access.
– Review all ports and processes and check for misconfigurations.
– Map out the entire IT infrastructure, digital assets, and any devices
used.
– The idea here is to streamline the entire process.
2. Vulnerability identification
– Conduct a vulnerability scan of your IT infrastructure and make a
complete list of the underlying security threats.
– To achieve this step you'll need to do an automated vulnerability
scan as well as a manual penetration test to validate findings and
reduce false positives.
Phases of Vulnerability Assessments
3. Analysis
– A scanning tool will provide you with a detailed report containing
different risk ratings and scores for vulnerabilities.
– Most tools use CVSS (the Common Vulnerability Scoring System) to
assign a numerical score. A careful analysis of these scores will tell
you which vulnerabilities you'll need to deal with first. You can
prioritize them based on factors such as severity, urgency, potential
damage, and risk.
Phases of Vulnerability Assessments
4. Treating the vulnerabilities
• With the vulnerabilities identified and analyzed, the next step is to decide how
you want to fix them. There are two ways to do this:
a) Remediation
• involves fixing a vulnerability fully to prevent any exploitation.
• can be achieved through the fresh installation of security tools, a
product update, or something more involved.
• is based on the priorities set during the analysis phase and requires
the participation of all stakeholders.
b) Mitigation
• helps reduce the prospect of an attack when there is no proper
fix or patch for an identified vulnerability, and buys time
until remediation is possible.
• Part of the mitigation process should include deploying additional
reputable tools to help reduce cybersecurity risks, such as real-time antivirus
scanners, remote firewalls, and predictive artificial intelligence threat
detection.
Phases of Ethical Hacking
• Note: Unauthorized hacking is illegal. The only legitimate purpose of
hacking is to secure networks, which requires thinking like a hacker.
• Of course, a hacker does not necessarily follow these 5 steps in a
sequential manner:
Phases of Ethical Hacking
• Phase 1 - Reconnaissance
– also called the Footprinting and information gathering phase.
– The hacker gathers information about a target before launching an attack.
– During this phase, the hacker finds valuable information such as old
passwords and the names of important employees.
• Data of this kind are often enough to start a successful attack:
– specific IP addresses
– TCP and UDP services
– known vulnerabilities
• Footprinting can be Active (directly interacting with the target) or Passive
(without directly accessing the target). For passive footprinting the hacker
can use social media, public websites and search engines, OSINT tools such
as Maltego for researching the target (say a website: checking links, jobs,
job titles, email addresses, news, etc.), or HTTrack to download the entire
website for later enumeration.
Phases of Ethical Hacking
• Phase 2: Scanning
– In this phase, hackers are seeking any information that can
help them perpetrate an attack, such as computer names, IP addresses, and
user accounts.
– In effect, the hacker identifies a quick way to gain access to the network and
look for information.
– This phase includes the use of tools like dialers, port scanners,
network mappers, sweepers, and vulnerability scanners.
• Basically, at this stage, four types of scans are used:
– Pre-attack: the hacker scans the network for specific information based on the
information gathered during reconnaissance.
– Port scanning/sniffing: this method includes the use of dialers, port scanners,
and other data-gathering equipment.
– Vulnerability scanning: scanning the target for weaknesses/vulnerabilities.
– Information extraction: in this step, the hacker collects information about ports, live
Phases of Ethical Hacking
• Phase 3: Gaining Access
• At this point, the hacker has the information he needs. So first he
draws the network map and then decides how to carry out the
attack.
• There are many options, for example:
– Phishing attack
– Man in the middle attack
– Brute force attack
– Spoofing attack
– DoS attack
– Buffer overflow attack
– Session hijacking
– BEC attack
• In any case, after entering a system, the hacker has to escalate his
privilege to administrator level so he can install any application he
needs, or modify or hide data.
Phases of Ethical Hacking
• Phase 4: Maintaining Access
• Once a hacker has gained access, they want to keep that access for
future exploitation and attacks. The hacker secures access to the
organization's systems with rootkits and Trojans and uses it to launch additional
attacks on the network.
• An ethical hacker tries to maintain access to the target until he
finishes the tasks he planned to accomplish in that target.
• In this phase, if the hacker has multiple e-mail accounts, he/she begins to test
the accounts on the domain. From this point the hacker creates a new
administrator account for themselves, named according to the organization's
naming structure so that it blends in.
• The hacker also looks for and identifies accounts that have not been used
for a long time.
Phases of Ethical Hacking
• Phase 5: Clearing Tracks
– An intelligent hacker always clears all evidence so that at a later
point in time, no one will find any traces leading to him/her.
He/she does this by:
– Clearing the cache and cookies
– Modifying registry values
– Modifying/corrupting/deleting log entries
– Clearing out sent emails
– Closing all the open ports
– Uninstalling all applications that he/she used
System Identification / OS Fingerprinting
• OS Fingerprinting
– tries to identify the nature of the OS by the unique "fingerprints" that it returns.
– Those fingerprints (much like those on humans) can be compared to a database
of known fingerprints to determine with varying degrees of accuracy what OS the
target is running.
Hacking methodologies
• A hacking methodology refers to the step-by-step approach used
by an aggressor to attack a target such as a computer network.
• There is no specific step-by-step approach used by all hackers. As
can be expected when a group operates outside the rules as
hackers do, rules do not apply the same way.
• A major difference between a hacker and an ethical hacker is the
code of ethics to which each subscribes.

Hacking process (figure)
Hacking Process
1. Footprinting
– using primarily passive methods of gaining information from a
target prior to performing the later active methods.
– keep interaction with your target to a minimum to avoid detection,
thus not alerting the target that something is coming in their direction.
– Tools
• Whois queries (https://whois.domaintools.com/),
• Harvesters, Google searches, job board searches, and discussion
groups
– Information gathered during this phase includes
• IP address ranges, Namespaces, Employee information, Phone
numbers, Facility information, Job information
Hacking Process
2. Scanning
– is the phase in which you take the information gleaned from the
footprinting phase and use it to target your attack much more
precisely.
– The idea here is to act on the information from the prior phase, not
to blunder around without purpose and set off alarms.
– Scanning means performing tasks like ping sweeps, port scans, and
observations of facilities.
– Tools: Nmap, which is very useful for this purpose.
– During this phase we utilize techniques such as these:
• Pings
• Ping sweeps
• Port scans
• Tracert
System Identification / OS Fingerprinting
• All fingerprinting techniques are based on detecting the subtle differences in
packets generated by different operating systems.
• Common techniques are based on analyzing the following:
– IP TTL values, IP ID values, TCP window size, TCP options (generally in TCP
SYN and SYN+ACK packets), DHCP requests, ICMP requests, HTTP packets
(generally the User-Agent field), running services, open port patterns
• Active Fingerprinting with Nmap
– To perform OS detection with nmap, run the following (OS detection sends
raw packets, so it needs root or administrator privileges):
nmap -O <ip-address>

Note how nmap not only guesses the OS; it even ranks the possibilities in decreasing
order of confidence. Also note that the results specifically call out the device type as well.
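The passive side of the same idea, as an added example that is not from the slides: the script below parses a raw IPv4/TCP SYN, pulls out the fields listed above (TTL, DF bit, window size, MSS and window-scale options) and makes a family-level guess from them. It builds its own sample packets (the `build_ipv4_tcp_syn` helper, the option layouts and the addresses are constructed, not captured traffic), and the classification rules are simplified heuristics, not a real signature database like the one p0f or nmap ships.

```python
import struct

# Option layouts typical of initial SYNs; constructed from well-known defaults.
LINUX_LIKE_OPTS = b"".join([
    b"\x02\x04\x05\xb4",      # MSS 1460
    b"\x04\x02",              # SACK permitted
    b"\x08\x0a" + bytes(8),   # timestamps (values irrelevant here)
    b"\x01",                  # NOP
    b"\x03\x03\x07",          # window scale 7
])
WINDOWS_LIKE_OPTS = b"".join([
    b"\x02\x04\x05\xb4",      # MSS 1460
    b"\x01",                  # NOP
    b"\x03\x03\x08",          # window scale 8
    b"\x01\x01",              # NOP NOP
    b"\x04\x02",              # SACK permitted
])


def build_ipv4_tcp_syn(ttl, window, options=b"",
                       src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Construct a minimal IPv4 + TCP SYN (checksums left zero); sample input only."""
    options += bytes(-len(options) % 4)             # pad options to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH",
                      40000, 80, 0, 0,              # sport, dport, seq, ack
                      data_offset << 4, 0x02,       # header length, flags = SYN
                      window, 0, 0) + options       # window, checksum, urgent ptr
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + len(tcp), 0,     # version/IHL, TOS, total length, id
                     0x4000, ttl, 6, 0,             # flags (DF set), TTL, proto=TCP, checksum
                     src, dst)
    return ip + tcp


def parse_syn(pkt):
    """Extract the fields passive fingerprinting looks at from a raw IPv4/TCP SYN."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    df = bool(struct.unpack("!H", pkt[6:8])[0] & 0x4000)
    tcp = pkt[ihl:]
    hdr_len = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x12) != 0x02:                    # SYN set, ACK clear
        raise ValueError("not a bare SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    opts = tcp[20:hdr_len]
    mss = wscale = None
    i = 0
    while i < len(opts):                            # walk the kind/length option list
        kind = opts[i]
        if kind == 0:                               # end of options (also hits padding)
            break
        if kind == 1:                               # NOP carries no length byte
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3:
            wscale = opts[i + 2]
        i += length
    # Stacks start TTL at 64, 128 or 255; the observed value is that minus the hop count.
    initial_ttl = next(t for t in (64, 128, 255) if t >= ttl)
    return {"ttl": ttl, "initial_ttl": initial_ttl, "hops": initial_ttl - ttl,
            "df": df, "window": window, "mss": mss, "wscale": wscale}


def guess_os(fp):
    """Heuristic only: initial TTL separates the big families, window and options narrow it."""
    if fp["initial_ttl"] == 128:
        return "Windows-like (initial TTL 128)"
    if fp["initial_ttl"] == 255:
        return "Network device / Solaris-like (initial TTL 255)"
    if fp["window"] == 64240 and fp["wscale"] == 7:
        return "Linux-like (initial TTL 64, window 64240, wscale 7)"
    return "Unix-like (initial TTL 64)"


if __name__ == "__main__":
    for ttl, window, opts in [(52, 64240, LINUX_LIKE_OPTS), (117, 65535, WINDOWS_LIKE_OPTS), (250, 4128, b"")]:
        fp = parse_syn(build_ipv4_tcp_syn(ttl, window, opts))
        print(fp, "->", guess_os(fp))
```

The same TTL trick is why a single probe reply tells you roughly how far away a host is: a TTL of 52 almost certainly started at 64 and crossed 12 routers.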
Hacking Process
3. Enumeration
– is the process of extracting information from a target system to
determine more of the configuration and environment present.
– Information gathered during this phase generally falls into the
following types:
• Network resources and shares
• Users and groups
• Routing tables
• Auditing and service settings
• Machine names
• Applications and banners
• SNMP and DNS details
• Unlike the previous phases, enumeration needs active connections to a
system in order to gather a wide range of information, so you have a
greater chance of getting caught.
Hacking Process
Enumeration Techniques
1. Extracting Information from Email IDs
– This technique is used to obtain username and domain name information from
an email address or ID. An email address contains two parts: the part
before the @ is the username and what comes after the @ is the domain name.
2. Obtaining Information through Default Passwords
– Every device has default settings in place, and default passwords are part of this
group.
– It is common to find default settings either partially or wholly left in place,
meaning that an attacker can easily gain access to the system and extract
information as needed.
3. Using Brute-Force Attacks on Directory Services
– A directory service is a database that contains information used to administer the
network, and it is a big target for an attacker looking to gain extensive
information about an environment.
– Many directories are vulnerable to input verification deficiencies as well as other
holes that may be exploited for the purpose of discovering and compromising
user accounts.
Hacking Process
Enumeration (continued)
4. Exploiting Simple Network Management Protocol (SNMP)
– If SNMP is allowed to remain open, hackers are able to obtain information such
as ARP table network information, usernames and open TCP ports.
5. Exploiting Simple Mail Transfer Protocol (SMTP)
– SMTP can be exploited by an attacker who can connect to an SMTP server and
extract information about valid usernames from its responses.
6. Working with DNS Zone Transfers
– Zone transfer is the process of copying the contents of the zone file on a
primary DNS server to a secondary DNS server.
– Using zone transfer provides fault tolerance by synchronizing the zone file in a
primary DNS server with the zone file in a secondary DNS server.
– A zone transfer in DNS is a normal occurrence, but when this information falls
into the wrong hands, the effect can be devastating.
7. Capturing User Groups
– This technique involves extracting user accounts from specified groups, storing
the results, and determining whether the session accounts are in the group.
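To show the scanning phase (port scan plus banner grab) and the SMTP enumeration technique above end to end, here is an added example that is not part of the slides. It is self-contained and offline: the "target" is a fake SMTP responder the script starts on a loopback port, with a constructed host name (mail.example.test) and two constructed valid mailboxes; the scanner and the VRFY enumerator talk to it exactly as they would to a real server, and a second, unbound loopback port stands in for a closed one.

```python
import socket
import threading

# Constructed directory for the fake server; nothing here is a real account.
VALID_USERS = {"root", "postmaster"}


def _serve_smtp(srv):
    """Minimal SMTP responder: banner on connect, answers VRFY and QUIT only."""
    while True:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 mail.example.test ESMTP ready\r\n")
            reader = conn.makefile("rb")
            for raw in reader:
                verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
                verb = verb.upper()
                if verb == "VRFY":
                    if arg in VALID_USERS:
                        conn.sendall(f"250 2.1.5 {arg} <{arg}@example.test>\r\n".encode())
                    else:
                        conn.sendall(b"550 5.1.1 User unknown\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 2.0.0 Bye\r\n")
                    break
                else:
                    conn.sendall(b"502 5.5.2 Command not implemented\r\n")


def start_fake_smtp():
    """Bind an ephemeral loopback port, serve it from a daemon thread, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_serve_smtp, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]


def connect_scan(host, ports, timeout=1.0):
    """TCP connect scan: a completed handshake means open, a refusal means closed.
    Whatever the service says first (its banner) is kept for service identification."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                try:
                    banner = s.recv(256).decode(errors="replace").strip()
                except socket.timeout:
                    banner = ""            # open, but the service waits for the client to speak
                results[port] = ("open", banner)
        except (ConnectionRefusedError, socket.timeout, OSError):
            results[port] = ("closed", "")  # a timeout is really "filtered"; simplified here
    return results


def enumerate_smtp_users(host, port, candidates, timeout=1.0):
    """SMTP user enumeration with VRFY: 250 confirms a mailbox, 550 denies it."""
    found = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        reader = s.makefile("rb")
        reader.readline()                   # consume the 220 banner
        for user in candidates:
            s.sendall(f"VRFY {user}\r\n".encode())
            if reader.readline()[:3] == b"250":
                found.append(user)
        s.sendall(b"QUIT\r\n")
        reader.readline()
    return found


def demo():
    """Scan two loopback ports, then enumerate users on whatever answers like SMTP."""
    smtp_port = start_fake_smtp()
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                           # nobody listens on this port now
    scan = connect_scan("127.0.0.1", [closed_port, smtp_port])
    users = {}
    for port, (state, banner) in scan.items():
        if state == "open" and banner.startswith("220") and "SMTP" in banner.upper():
            users[port] = enumerate_smtp_users("127.0.0.1", port,
                                               ["root", "admin", "postmaster", "test"])
    return scan, users


if __name__ == "__main__":
    print(demo())
```

Two things to notice: the scanner learned the service from the banner alone, without a port number lookup, and every VRFY is a logged command on the server, which is the "active connections, greater chance of getting caught" caveat from the enumeration slide. Hardened mail servers disable VRFY and EXPN or answer 252 for everything, which makes this particular technique yield nothing.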
Hacking Process
4. System hacking
– plan and execute an attack based on the information you uncovered.
– choose user accounts to attack based on the ones uncovered in the enumeration
phase.
– craft an attack based on service information uncovered by retrieving banners
from applications or services.
5. Escalation of privilege
– obtain privileges that are granted to higher privileged accounts than the one you broke
into originally.
– Depending on the hacker's skills, it might be possible to move from a low-level
account such as a guest account all the way up to administrator or system-level
access.
6. Covering tracks
– is the phase when you attempt to remove evidence of your presence in a system.
– You purge log files and destroy other evidence that might give away the valuable
clues needed for the system owner to determine an attack occurred.
7. Planting of backdoors
– means leaving something behind that would enable you to come back later if you wanted.
Ethical hacking techniques
1. Phishing
– is a type of social engineering attack often used to steal user data, including
login credentials and credit card numbers.
(Figure: phishing email and fake websites)
Ethical hacking techniques
2. Sniffing attack or a sniffer attack
– In the context of network security, corresponds to theft or interception of data by
capturing the network traffic using a packet sniffer.

– When data is transmitted across networks, if the data packets are not encrypted,
the data within the network packet can be read using a sniffer

Ethical hacking techniques
3. Social Engineering
– is any type of attack that is nontechnical in nature and that involves some type of
human interaction with the goal of trying to trick a victim into revealing
information or violate normal security practices.
– Social engineers are interested in gaining information they can use to carry out
actions such as identity theft or stealing passwords, or in finding out information
for later use.

Ethical hacking techniques
4. SQL injection is a code injection technique used to attack data-driven
applications, in which malicious SQL statements are inserted into an entry
field for execution.

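An added example, not from the slides, showing the injection and its fix side by side in Python with the built-in sqlite3 module. The table, user names and passwords are constructed (and stored in plaintext only so the injected query's effect is easy to see; a real system stores salted hashes). `login_vulnerable` is deliberately written the way the slide describes, with the entry field pasted into the SQL text; `login_parameterized` is the corrected version.

```python
import sqlite3


def make_db():
    """In-memory users table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "user"),
        ("o'brien", "battery staple", "user"),
        ("admin", "hunter2", "admin"),
    ])
    return db


def login_vulnerable(db, username, password):
    """The bug: untrusted input becomes part of the SQL text, so a quote ends the
    string literal and a '--' turns the rest of the statement into a comment."""
    query = (f"SELECT username, role FROM users "
             f"WHERE username = '{username}' AND password = '{password}'")
    return db.execute(query).fetchone()


def login_parameterized(db, username, password):
    """The fix: the statement is fixed text and the values are bound separately,
    so input can never change the query's structure, whatever characters it holds."""
    return db.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def demo():
    """Run three inputs through both versions and collect what each returned."""
    db = make_db()
    results = {}
    # 1. Comment out the password check: admin' -- closes the literal and drops the rest.
    results["bypass_vulnerable"] = login_vulnerable(db, "admin' --", "wrong")
    results["bypass_parameterized"] = login_parameterized(db, "admin' --", "wrong")
    # 2. Tautology: OR '1'='1' makes every row match, so the first user is returned.
    payload = "x' OR '1'='1"
    results["tautology_vulnerable"] = login_vulnerable(db, payload, payload)
    results["tautology_parameterized"] = login_parameterized(db, payload, payload)
    # 3. A legitimate apostrophe: a syntax error when concatenated, harmless when bound.
    try:
        login_vulnerable(db, "o'brien", "battery staple")
        results["apostrophe_vulnerable_error"] = False
    except sqlite3.OperationalError:
        results["apostrophe_vulnerable_error"] = True
    results["apostrophe_parameterized"] = login_parameterized(db, "o'brien", "battery staple")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:<30} {value!r}")
```

Case 3 is the one worth remembering when reviewing code: the same flaw that lets an attacker in also breaks the application for an ordinary user whose name contains a quote, so an "occasional SQL syntax error" in the logs is itself an injection finding.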
Ethical hacking techniques
5. Session hijacking
– is synonymous with a stolen session, in which an attacker intercepts and takes
over a legitimately established session between a user and a host.
– The user–host relationship can apply to access of any authenticated resource,
such as a web server, Telnet session, or other TCP-based connection.
– Attackers place themselves between the user and host, thereby letting them
monitor user traffic and launch specific attacks.
– Once a successful session hijack has occurred, the attacker can either assume the
role of the legitimate user or simply monitor the traffic for opportune times to
inject or collect specific packets to create the desired effect.

Denial of service (DoS)
6. DoS is an attack that aims at preventing
normal communication with a resource by
– disabling the resource itself, or
– disabling an infrastructure device
providing connectivity to it.
• A common form of DoS is to flood a
victim with so much traffic that all
available resources of the system are
overwhelmed and unable to handle
additional requests.
• The attacker floods the victim network
with extremely large amounts of useless
data or data requests, thereby
overwhelming the network and rendering
it useless or unavailable to legitimate
users.
7. DDoS
• DDoS attacks have the same goal as regular DoS methods; however,
the difference lies in the implementation of the attack.
• A standard DoS attack can be launched from a single malicious client,
whereas a DDoS attack uses a distributed group of computers to
attack a single target.
DDoS Tools
Trinoo This DDoS tool uses UDP flooding. It can
attack single or multiple IPs.
LOIC Low Orbit Ion Cannon (LOIC) has become
popular because of its easy one-button operation.
Some people suspect that groups such as
Anonymous, which uses DDoS attacks as its
primary weapon, use LOIC as their main tool.
TFN2K This DDoS attack tool is based on TFN
(Tribe Flood Network) and can perform UDP,
SYN, and ICMP flood attacks.
Stacheldraht This DDoS tool has similar attack
capabilities to TFN2K. Attacks can be configured
to run for a specified duration and to specific
ports.
8. Spoofing
• A spoofing attack is a situation in which
a person or program successfully
identifies as another by falsifying data,
to gain an illegitimate advantage.
• Spoofing occurs when an attacking
party pretends to be something or
someone else, such as a user or
computer.
• Unlike session hijacking, the attacker
does not take over any session.
• MAC Spoofing is a simple concept in
which an attacker (or pentester)
changes their MAC address to the
MAC address of an existing
authenticated machine already on the
network.
Attack Prevention
• Corporations now employ many defensive measures, each with its own
way of putting a stop to your attack.
– Intrusion detection systems (IDSs) - an application or device
used to gather and analyze information that passes across a network
or host. An IDS is designed to analyze, identify, and report on any
violations or misuse of a network or host.
– Intrusion prevention systems (IPSs) - like an IDS, but placed inline
so that it can also block or drop the traffic it identifies as malicious.
– Firewalls
– Honeypots, and other countermeasures
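What "analyze, identify and report" looks like in code, as an added example that is not part of the slides: a small detector that reads firewall-style log lines and raises an alert when one source touches many distinct ports on one host within a short window, which is the signature of the port scans described earlier in this chapter. The log format, the addresses (documentation ranges) and the three traffic patterns are constructed; a real IDS such as Snort or Suricata applies the same idea with a signature language and far more context.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport, action), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, action = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, int(dport), action


def detect_port_scans(lines, threshold=10, window=timedelta(seconds=60)):
    """Alert once per (src, dst) pair that touches at least `threshold` distinct
    destination ports within a sliding time window. Denied connections count too:
    a scanner's probes mostly hit closed ports, and that is the signal."""
    recent = defaultdict(deque)      # (src, dst) -> deque of (timestamp, dport)
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # unparseable line; a real IDS would count these too
        ts, src, dst, dport, _action = parsed
        key = (src, dst)
        q = recent[key]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:
            q.popleft()              # drop events that have fallen out of the window
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst, "distinct_ports": len(distinct),
                           "first_seen": q[0][0], "last_seen": ts})
    return alerts


def build_sample_log():
    """Constructed traffic: a fast scanner, a slow scanner that stays under the
    per-window threshold, and a normal client hammering one port."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    events = []
    for i in range(15):              # 15 ports in 15 seconds
        events.append((t0 + timedelta(seconds=i), "203.0.113.7", "10.0.0.5", 20 + i, "deny"))
    for i in range(12):              # 12 ports, one every 30 seconds
        events.append((t0 + timedelta(seconds=30 * i), "198.51.100.4", "10.0.0.5", 8000 + i, "deny"))
    for i in range(20):              # same port repeatedly: ordinary HTTPS traffic
        events.append((t0 + timedelta(seconds=i), "192.0.2.10", "10.0.0.5", 443, "allow"))
    events.sort(key=lambda e: e[0])
    return [f"{ts.strftime('%Y-%m-%dT%H:%M:%S')} src={src} dst={dst} dport={port} action={act}"
            for ts, src, dst, port, act in events]


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_LOG):
        print(alert)
```

The slow scanner is the deliberate miss: spreading probes over time is exactly how attackers stay under a window-based threshold, so tuning `threshold` and `window` is a trade between catching slow scans and paging on every misconfigured client.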
Honeypots
• A honeypot may sound like something out of a Winnie the Pooh book,
but it is actually a device or system used to attract and trap attackers
who are trying to gain access to a system.
• A honeypot is a computer security mechanism set to detect, deflect, or,
in some manner, counteract attempts at unauthorized use
of information systems.
• Generally, a honeypot consists of data (for example, in a network site)
that appears to be a legitimate part of the site and contains information
or resources of value to attackers. It is actually isolated, monitored, and
capable of blocking or analyzing the attackers.