INTRODUCTION

The explosive growth and advancement of the Internet has brought many good things and services: Electronic commerce, easy access to vast stores of reference material and information, collaborative computing, e-mail, and new avenues for advertising and information distribution, online gaming, socializing sites to name a few. As with most technological advances, there is also a dark(Negative) side also: criminal hackers and Hacking. Governments, companies, and private citizens around the world are anxious to be a part of this revolution for the purpose of evolution and development, but they are afraid that some hacker will break(creep) into their Web server and replace their logo with some undesired stuff and all, read their email, steal their credit card number from an on-line shopping and money transferring site, or implant software that will secretly transmit their organization's secrets to the open Internet (spyware etc). With these concerns and others, the ethical hacker can help with the same problem. This paper describes ethical hackers: their skills, their attitudes, and how they go about helping their customers find and plug up security holes and back doors and loose points. Hacking:- Computer hacking is when someone modifies computer hardware or software in a way that alters the creator's original intent. People who hack computers are known as hackers. Hackers are usually real technology buffs who enjoy learning all they can about computers and how they work. Hackers think that what they do is like an art form. They usually have expert-level skills in one specific program. Types of Hacking:Website Hacking : This term denotes as to Collapses the information from any website to be hacked and Make changes in the information on this website. Email Hacking : This term denotes as to collect business data and private information stored in email of any person. Network Hacking : This term denotes to hack a network. Password Hacking : This term denotes to hack any password protected data by guess password with password hint. Online banking Hacking : Many times Hackers create fake websites and send mail for update personal information Using proper website address. Computer Hacking : In this term hackers use Remote desktop connection techniques for Accessing other persons files.

Ethical Hacking:- Ethical hacking involves the same tools, tricks, and techniques that hackers use, but with one major difference: Ethical hacking is legal. Ethical hacking is performed with the targets permission. The intent of ethical hacking is to discover vulnerabilities from a hackers viewpoint so systems can be better secured. Its part of an overall information risk management program that allows for ongoing security improvements. Ethical hacking can also ensure that vendors claims about the security of their products are legitimate.

Types Of Hackers :-

Black Hat Hacker- Also referred as Cracker. A Black Hat Hacker's intention is
to break into others Network, and wish to secure his own machine. They often uses different techniques for breaking into systems which can involve advanced programming skills and social engineering.

White Hat Hacker- Also referred as Ethical Hacker or sometimes called as

Sneakers. A White Hat Hacker mainly focuses on securing corporate Network from outsider threat. They are with good intention who fight against Black Hat.

Grey Hat Hacker- They are Skilled Hacker who sometimes act legally and
sometime not. In simple word you may call a Grey Hat hacker as Hybrid between White Hat and Black Hat hacker

Goals of Ethical Hacking

Before an ethical hacker can begin the process they must create a plan, such as:

Identify any and all networks they will test Detail the testing interval Detail the testing process Create their plan and then share it with stakeholders Get the plan approved

Ethical Hacking Process:-

Preparation :- Identification of Targets company websites, mail servers, extranets, etc. Footprinting:-

Footprinting is a first step that a penetration tester used to evaluate the security of any IT infrastructure, footprinting means to gather the maximum information about the computer system or a network and about the devices that are attached to this network. Footprinting is a first and the important step because after this a penetration tester know how the hacker sees this network. To measure the security of a computer system, it is good to know more and more as you can because after this you will able to determine the path that a hacker will use to exploit this network. This is the basic block diagram which shows the steps that are include in the penetration testing methodology, in this article we will discuss the first one that is footprinting. The ECCouncil divides footprinting and scanning into seven basic steps. These include 1. Information gathering 2. Determining the network range 3. Identifying active machines 4. Finding open ports and access points 5. OS fingerprinting 6. Fingerprinting services 7. Mapping the network
penetration testing:1.Port Scanning

Port scanning is a common technique used by a penetration tester to find out the open doors, In technical terminology port scanning is used to find out the vulnerabilities in the services listing on a port. During this process you have to find out the alive host, operating systems involved, firewalls, intrusion detection systems, servers/services, perimeter devices, routing and general network topology (physical layout of network), that are part of the target organisation. Port scanning involve connecting with TCP and UDP ports on a system, once you have found the IP addresses of a target organisation by footprinting technique you have to map the network of this organisation.

There are so many automatic port scanner available on the Internet, but the most common and popular tool is nmap, Nmap is a network mapper and a power full, flexible, freely available and easy to use tool. It is available for both linux and windows based operating system.

2. Enumeration

Enumeration is the first attack on target network, enumeration is the process to gather the information about a target machine by actively connecting to it. Enumeration means to identify the user account, system account and admin account. Enumerating windows active directory to find out these stuffs. Discovering NetBIOS name enumeration with NBTscan. Establishing null sessions and connections. Null sessions tools like Dumpsec, Winfo and Sid2User or more, may used to perform this attack.

Identification of Vulnerabilities Insecure Configuration Weak passwords Unpatched vulnerabilities in services, Operating systems, applications Possible Vulnerabilities in Services, Operating Systems Insecure programming Weak Access Control

Trojans and Malware

Both Trojans and malware represent a real danger to the security of end users systems. If an attacker can trick or seduce a user to install one of these programs the hacker may gain full control of the system. Much of this malware works under the principle of you cannot deny what you must permit. Meaning that these programs use ports like 25, 53, and 80. Ports the administrator usually has left open. If the programs dont use these ports the hacker always has the option of using port redirection or covert communication channels. These are the reasons these programs can be so dangerous. Various Trojan Types

Remote Access Trojans Password Sending Trojans Keyloggers Destructive Denial Of Service (DoS) Attack Trojans Proxy/Wingate Trojans FTP Trojans Software Detection Killers

Sniffing Attacks Sniffing gives the attacker a way to capture data and intercept passwords. These may be clear text FTP or Telnet password or even encrypted NTLM passwords. Man-in-the-middle attacks can be used to literally steal someone elses authenticated session. They will be logged in with the same rights and privileges as the user they stole the session from. They are free to erase, change, or modify information at that point. Sniffing, session hijack, and man-in-the-middle attacks all represent powerful tools for hackers.

Modes of Ethical Hacking

There are several ways to conduct security evaluation.

Remote network This simulates the intruder launching an attack across the internet. The primary defense that must be defeated here are border firewall, filtering routers etc.

Remote dial-up network This simulates the intruder launching an attack against the organization's modem pools. The primary defense that must be defeated here are user authentication scheme. Local network This simulates an employee or other authorized person who have legal/authorized connection to the organization network. The primary defense must be defeated here are intranet firewall, intranet web server and server security measures. Stolen equipment This is to test how user protection their information assets. For example, if a stolen laptop has stored password or critical information that can be easily accessed, this can a security breach. Attacker may remote dial up to the main server of the organization with proper authentication. Social engineering This test evaluate the integrity and awareness of the target organization's personnel. A typical quoted example of social engineering is that of an intruder calling the computer help line and asking for the external telephone number of the modem pool. Defense against this kind of attack is the hardest because people and personalities are involved. To be of assistance come naturally in organizations gearing more toward a service orientation and this may inadvertently lead to security compromise. Often see scenario include telling someone who appears to be lost where the computer room located, or let someone into the building who does not have proper identification credentials. The only defense against this is to raise the security awareness. Physical entry This test acts out the physical penetration of the organization's building. The primary defense here are strong security policy, security guard, access control and monitoring and security awareness.

Example of Ethical Hacking

One of the earliest examples of using ethical hackers occurred in the 1970's. At this time, the United States government utilized the knowledge and services of groups of experts, referred to as red teams. They enlisted these ethical hackers to hack into the United States government's computer system. The purpose was to evaluate how secure it was and to recognize any possible vulnerabilities. Ethical hacking is now a growing profession that is still used by the United States government, as well as technology companies and other corporations. Many large companies employ teams of ethical hackers to help keep their systems secure, such as IBM.

Conclusion To test the security and the other functionalities of product is not new. But in the early stages of Internet no one know about Ethical Hacking even about hacking, but with the passage of time people are more concern about the security of their data, especially due to hackers. Ethical Hacking is just a security system or tool for security to safe your data it is not an ultimate

solution of problem. You can not sit relax against the hacker after using this tool. To teach more people about hacking you produce more people who are eligible to stop hacker from hacking and they will give more ideas and solution to stop hacking. Time to time assessment, prepared interference recognition, good system administration performance and computer safety knowledge are all very vital part of a firms or companys security system. Failure in any of above may cast to the company or to the organization in the form of tangible or intangible loss. Its may include revenue, top secret or any thing that is very special for particular organization. Ethical hacker can only help the user to the better understanding of their security system, but its up to the organization that he palace its guards in right palace.