Although in Ethical Hacking, Ethical is an often overused and misunderstood word, the Merriam Webster Dictionary defines ethical perfectly i.e. conforming to accepted professional standards of conduct. Before going to the actual topic i.e Ethical Hacking, I would like to tell you something about hackers. We have all heard of hackers. Many of us even suffered the consequences of hackers’ action. So who are these Hackers? Why it is important to know about them? This question can easily be answered after reading this article.
Defining Hacker and Ethical Hacking.
Many people think of hackers as computer vandals and ethical hacking as crime. The main question arises from here that why most people think like that? The simple answer is the media which is responsible for this wrong assumption. People do not think twice before believing something that has been printed in the newspaper and magazines. Actually Real Hackers are good guy who are normally very helpful, intelligent and knowledgeable.(called, White Hat hackers.)
However after saying all this I must admit that there is a very thin line between hackers and crackers. Crackers are bad guy and having same knowledge as hackers (called, Black Hat Hackers). Their main aim is to catch a host and tap all important information.
After understanding the actual meaning of hackers we come to the topic Ethical Hacking. This is also known as penetration testing or white hat hacking involves the same tools, tricks and techniques that crackers use but with one major difference: Ethical hacking is legal.
The overall goals of ethical hackers:-
- Hack systems in a non-destructive fashion.
- Enumerate exposures and if necessary prove to upper management that exposure exists.
- Apply results to remove vulnerability and better secure your systems.
Understanding the threats our system face:
|Attacks||Threat Level||Ease Level||Incident Level|
|E-Mail Security||8/10 HIGH||10/10 HIGH||4/10 LOW|
|Instant Messenger||8/10 HIGH||10/10 HIGH||6/10 MEDIUM|
|Intellectual Property Thefts||9/10 HIGH||9/10 HIGH||9/10 HIGH|
|Password cracking Attacks||10/10 HIGH||8/10 HIGH||6/10 MEDIUM|
|Identity Attacks||5/10 LOW||5/10 LOW||6/10 MEDIUM|
|Input Validation Attacks||10/10 HIGH||7/10 MEDIUM||6/10 MEDIUM|
|Denial Of Service Attacks||10/10 HIGH||10/10 HIGH||10/10 HIGH|
|Buffer Overflow Attacks||10/10 HIGH||5/10 LOW||6/10 MEDIUM|
|Social Engineering Attacks||10/10 HIGH||10/10 HIGH||9/10 HIGH|
**The Rating given to each attack is based upon feedback received from over 50 different industry sources,clients and government bodies across South-East Asia and Australia.
Below are discussed some common attacks-
(1) Password Cracking Attack
There are following types of Password Cracking Attacks-
(a) Password Guessing
Here Personal information is gathered by an attacker ,then tries to guess the password.The common passwords that attacker tries:
- Loved one,s name + Birth date/phone number;example, elizabeth0302
(b) Default Password
A high number of application have inbuilt default password that have been configured by the programmers during development.Most people disable the default passwords during the installation period but many people didn’t do that.So it is easier for an attacker to crack it.
(c) Dictionary based attack
This is an example of hit and trial password-cracking technique used by an attacker.
(d) Brute force attack
This is a most effective attack.An automatic tool is used that tries all possible combinations of the available keys as victim’s password.
Popular tools are:
- John the Ripper
(2) Dos Attacks
ATTACKER——————>Sends malicious/infinite data————————>VICTIM
VICTIM———————Cannot Handle Malicious Data————————->CRASHES.
There are variety of known DOS attacks on the internet,namely:
(a) Ping of Death
(c) UDP flooding
(d) Smurf attacks
(e) SYN flooding
Popular tools are:
- Tribal Flood Network
(3) Social Engineering Attacks
(a) Impersonation: In this,social engineer pretends to be someone else like the system administrator,technical helpdesk, ISP and so on.
Attacker:Our primary FTP server is facing some problems because of which certain user accounts have been blocked.
Victim:Oh my god! Does that mean i will not be able to upload my projects updates for my clients.
Attacker:We are currently in the process of testing validity of all user accounts.i will need your help to test your account.
(b) Intimidation: In this the attacker pretends to be either working closely with the bosses or calling from global head quarters.The fear of displeasing the big bosses make the victim speak private information to an attacker.
(c) Fake Prompts: In this the victim is sent a fake login prompt that ask him/her to re-enter the login and password at the time of any network failure.
Example:The biggest problem that NASA have been facing in all its space missions is that of disposing human wastes and providing and storing pure drinking water for the crew aboard. Young biologists suggested, ‘Human wastes be converted into pure drinking water by passing it through advanced chemical processes.’ At first his colleagues had been uninterested of this rather strange idea. However later after some discussions, they conclude that negative non-useful elements can be used to get something good and useful.
From the above, history has shown that to eliminate harmful elements one needs to get some of these harmful elements onto his side and then only declare war. All the cyber laws in the world cannot discourage computer criminals. Crackers are getting really smart today and it is becoming increasingly easier for them to break into a system. Laws are absolutely useless when system administrators themselves are becoming ignorant of computer security. It has become necessary to teach people how crackers work and how to protect computers system from crackers. If this is not done soon, then the crackers will get way ahead in the security race.Due to this many ethical hacking program has been started like:
- AFCEH(Ankit Fadia certified ethical hacker program )
- CEH(Certified ethical hacker)
Finally my opinion is instead of being afraid of fire, it would be much better to live with fire and fight fire with fire itself. Computer security is a very dynamic field, with new loopholes, attacks and techniques being discovered every day. This makes it very important for us to keep up to date with the latest developments in the world.
Feel free to comment below…
Oureducation.in is the best source of your learning