About Ethical Hacking
Ethical Hacking conceptually is a mode of helping an organization in finding weak loop holes which might raise security threats. Ethical Hackers find a way to get through the organizations’ security system so that these flaws can be taken care of in order to improve the security and prevent the system from being exploited by external hackers.
Ethical Hacking has been constantly criticized as people believe hacking can never be ethical even if it has been done to protect an organization. Very few people know, that there is a vast difference between hackers and ethical hackers. Where hacking is actually a big cyber crime, an Ethical Hacker is at all ethical if and only if it follows a certain norms.
Norms to be followed by an Ethical Hacker:
- One is supposed to posses permission (or a written consent) to get into the network.
- One is supposed to respect and obey the privacy of the organization and should only be looking for security issues in the network.
- One should not leave loop holes unreported in order to allow oneself or someone else to probe the network later on.
- All security issues detected should be reported to the concerned authorities for further verifications.
Tools for Ethical Hacking
Also known as Penetration Testing, Ethical Hacking has been automated to a large extend with the development of various Ethical Hacking Tools and Techniques. Ethical Hackers use tools like Static Analysis and Dynamic Analysis.
Few of the best tools used in Ethical Hacking are as follows:
Network Mapper (Nmap) is a powerful security scanner which produces a map of the network in order to detect the services and hosts in the network. This is done by sending packets to targets and analyzing the received packets.
The software provides various features like service and operating system detection and host discovery.
- Host Discovery
- Port Scanning
- Version Detection
- OS Detection
- Scriptable interaction with the target
This is a free of cost vulnerability scanner and is the most popular tool being used worldwide.
- Vulnerabilities that allow hacker to access sensitive data
- Default, common or few blank passwords in system. Hydra (external tool) can also be called by nessus for launching dictionary attack.
- Denial of service using mangled packets against TCP/IP stack.
- PCI DSS audit preparation.
It is a web server scanner that tests for outdated server software, dangerous files/CGIs and other problems.
This is an open source, free to use software which performs multiple tests on web servers for different items including 6700 vulnerable files/CGIs, version specific problems for over 270 servers, outdated files check for 1250 servers.
It is a intrusion detection system, network detector and packet sniffer for 802.11 wireless LANs. It works with any raw monitoring mode supporting wireless card.
- Basic IDS features
- Log all sniffed packets
- Fault detection
- find as many networks as possible
- logging of geographical coordinates
This as a computer security project which checks securityvulnerabilities and does testing in order to provide information.
- to choose and configure an exploit
- To check if target system is susceptible to exploit
- To choose and configure a payload
- To choose encoding system so that IPS does ignore encoded payload
- execute exploit
This is a windows tool for the detection of Wireless LANs using 802.11g, 802.11a and 802.11b WLAN standards.
- to verify network connections
- to find poor coverage locations in WLAN
- To detect wireless interference causes
- To detect unauthorized access
- aiming directional antennas
Ethical Hacking Techniques
As non government organizations migrate their important functions to Internet, criminals have better opportunity to gain access to critical information through Web applications. There is an estimation that 75% of Web hacks happen at application level as it easily gives access to valuable business information. Attackers enter the web application thinking like programmers and identifying how is the application supposed to work and find out shortcuts used. The hacker interacts with the app and its infrastructure maliciously by the use of browser.
Understanding the ways employed by hackers in manipulating web applications and stealing credit card data etc, is the most important step in determining ways to facilitate security for Web application.
Certified Ethical Hacker
For a person seeking to pursue ethical hacking as a professional career option, one is supposed to posses the Certified Ethical Hacker professional certification.
This certification is obtained by clearing CEH exam after either a two years training for ATC or self study, also one should possess two years experience in Information Technology.