Introduction to Footprinting and Reconnaissance in Ethical Hacking

Footprinting is one of the most convenient ways for attackers to collect information about targets such as computer systems, devices, and networks. Using this method, an attacker can uncover open ports on the target system, the services running on them, and the likelihood of gaining remote access. Since it is the initial phase of an attack, it is important to develop an accurate understanding of the entire process. Systematic footprinting gives the attacker a blueprint of the target's security posture.

In this article, we will see how malicious hackers perform footprinting on an organization or a target system, what they can do with the results, and how it harms businesses and individuals. On the other hand, white hat hackers who are well versed in footprinting can improve the security of the organizations they work for. With a systematic methodology, businesses can identify their own exposures so they can patch systems and adjust policy accordingly.

Types of footprinting:
- Whois footprinting
- Network footprinting
- DNS footprinting
- Competitive intelligence
- Email footprinting
- Website footprinting
- Social engineering
- Google hacking

How to perform footprinting?

Footprinting is the first step, during which the attacker gathers as much information as possible to find ways into a target system. For successful footprinting, the attacker first checks how visible the target is and how much related information can be gathered from open sources on the internet. Through careful analysis, the attacker can determine the range of potential entry points. The following information can be collected:
- Company names
- Domain names
- Business subsidiaries
- IP addresses
- Business emails
- Network phone numbers
- Key employees
and so on.

In hacking terms, this is the "front door" of the target's castle.
The first step of footprinting is to determine what to attack and to obtain the "footprint" of the target network, which includes, but is not limited to, the following:
- Hostnames
- Network address ranges
- Exposed hosts
- Exposed applications
- Operating systems and their versions
- Applications and their versions
and many more.

Apart from this, attackers have to decide the scope of the target: the entire organization, or certain subsidiaries or locations. Based on the scope, they dig deeper into company web pages, related organizations, employee details, contacts, e-mail addresses, current events, locations, news, policies, disgruntled employees, mergers, acquisitions, and events to garner clues, opportunities, and contacts.

Methods of footprinting

1. Port scanning

Port scanners are used to determine which hosts are live on the internet and which Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports are listening on each system, and to infer which operating system each host is running. To work out how the hosts relate to each other and what security devices sit between the attacker and the targets, attackers use traceroutes. Tools used in this phase include:
- Nmap - to scan ports and fingerprint services and operating systems
- nslookup (or dig) - to perform DNS queries and attempt zone transfers
- traceroute / tracert - to map the network path to the target

Once port scanning and trace routing are done, the attacker assembles a network map that represents the target's internet footprint.

2. Google hacking

Despite what you may infer from the name, this method does not involve hacking Google! It is a way of collecting information from the Google search engine in a smart way. Search engines have many features with which you can get uncommon but very specific results from the internet.
Using these features, attackers perform searches with advanced operators, an example of which is given below. These operators can uncover sensitive information that can harm the target and should never have been exposed in the first place.

Let's take an example. Go to google.com and search for:

allinurl:tsweb/default.htm

You will get a list of web servers that expose a tsweb/default.htm page, which is the Microsoft Remote Desktop Web Connection front end: a remote-access entry point into the organization's servers that the attacker can go on to attack. This is just one example. There is plenty of such information about targets available online which attackers can take advantage of.

3. Ping sweep

If the attacker wants to know which machines on your network are currently live, they can perform a ping sweep. Ping sends ICMP echo requests to each target address and waits for an echo reply. If a device does not answer, the tool reports "request timed out"; if the device is online and not restricted from responding, it sends an echo reply back. Note that a host behind a firewall that drops ICMP looks exactly like an offline host, which is why scanners such as Nmap also use TCP and ARP probes for host discovery. Tools used to sweep a range of addresses and find the active devices on the target network include:
- Nmap
- Angry IP Scanner
- SuperScan
- Pinger

4. Whois lookup

A whois query to the registrar or regional internet registry returns basic registration data about the organization: the domain name, the IP address block, the registrant's location and contact details, name servers, and more.

Example of footprinting

Let's see an example of footprinting using the Linux tool p0f. p0f is a passive TCP/IP stack fingerprinting tool: it identifies the operating system of machines that send traffic to the box it runs on, or to a machine that shares a medium with it, without sending a single probe of its own. p0f can also help in analyzing other aspects of the remote system, and it is used in forensic investigation of a system that has been compromised or is under attack. Using this tool, you can analyze the structure of TCP/IP packets to determine the OS and other configuration details of the remote host.
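To make the p0f walkthrough concrete, here is an added example of what a passive fingerprinter does internally. It is written for this article; it is not p0f's code and not from the original page. It builds a few constructed IPv4/TCP SYN packets, extracts the fields passive fingerprinters key on (initial TTL, window size, TCP option layout, MSS, window scale), and matches them against a small signature table. The 10.0.2.15 and 72.163.4.185 addresses are the ones from the walkthrough; the signature values are assumed, commonly published defaults rather than p0f's own database.

```python
"""Passive TCP/IP fingerprinting of SYN packets, in the spirit of p0f (added example)."""
import struct
from ipaddress import IPv4Address

# Illustrative signature table, constructed for this example: (initial TTL, window, option layout) -> guess.
# The values are assumed, commonly published defaults; they are NOT p0f's own signature database.
SIGNATURES = {
    (64, 29200, "mss,sok,ts,nop,ws"): "Linux (illustrative)",
    (128, 8192, "mss,nop,ws,nop,nop,sok"): "Windows (illustrative)",
    (64, 65535, "mss,nop,ws,nop,nop,ts,sok,eol"): "macOS/BSD (illustrative)",
}

# Raw TCP option bytes for the constructed sample SYNs (MSS 1460, window scale 7 or 8, timestamps zeroed).
LINUX_OPTS = b"\x02\x04\x05\xb4" b"\x04\x02" b"\x08\x0a" + b"\x00" * 8 + b"\x01" b"\x03\x03\x07"
WINDOWS_OPTS = b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x08" b"\x01\x01" b"\x04\x02"


def build_syn(src: str, dst: str, ttl: int, window: int, options: bytes) -> bytes:
    """Build a constructed IPv4 + TCP SYN packet (checksums left zero; it is never sent)."""
    options += b"\x00" * (-len(options) % 4)          # pad the option list to a 32-bit boundary
    doff = (20 + len(options)) // 4                    # TCP data offset in 32-bit words
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (doff << 12) | 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, ttl, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def parse_syn(pkt: bytes) -> dict:
    """Extract the fields a passive fingerprinter keys on from a bare SYN (no probe is sent)."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    ttl = pkt[8]
    tcp = pkt[ihl:]
    off_flags, window = struct.unpack("!HH", tcp[12:16])
    if not off_flags & 0x02 or off_flags & 0x10:       # SYN must be set, ACK must be clear
        raise ValueError("not a bare SYN")
    opts = tcp[20:(off_flags >> 12) * 4]
    layout, mss, wscale, i = [], None, None, 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                  # end of option list
            layout.append("eol")
            break
        if kind == 1:                                  # NOP padding; where the NOPs sit is itself a signal
            layout.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            mss = struct.unpack("!H", body)[0]
            layout.append("mss")
        elif kind == 3:
            wscale = body[0]
            layout.append("ws")
        elif kind == 4:
            layout.append("sok")
        elif kind == 8:
            layout.append("ts")
        else:
            layout.append(f"opt{kind}")
        i += length
    # Stacks start the TTL at 32, 64, 128 or 255; the gap to the observed value is the hop distance.
    initial_ttl = next(t for t in (32, 64, 128, 255) if t >= ttl)
    return {
        "src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])),
        "ttl": ttl, "initial_ttl": initial_ttl, "distance": initial_ttl - ttl,
        "window": window, "mss": mss, "wscale": wscale, "layout": ",".join(layout),
    }


def guess_os(fields: dict) -> str:
    """Match the extracted fields against the illustrative signature table."""
    return SIGNATURES.get((fields["initial_ttl"], fields["window"], fields["layout"]), "unknown")


if __name__ == "__main__":
    # Constructed samples: the browser client from the walkthrough, three hops away, and a Windows host.
    for pkt in (build_syn("10.0.2.15", "72.163.4.185", 61, 29200, LINUX_OPTS),
                build_syn("10.0.2.16", "72.163.4.185", 120, 8192, WINDOWS_OPTS)):
        f = parse_syn(pkt)
        print(f"{f['src']} -> {f['dst']}: {guess_os(f)}, {f['distance']} hops, mss={f['mss']}, wscale={f['wscale']}")
```

The point to notice is that nothing here is sent to the target: everything p0f reports comes from a packet the client chose to send anyway, which is why passive fingerprinting is invisible to the target's intrusion detection, unlike an Nmap OS scan. The real tool has a far larger signature set and also scores things this example ignores (IP ID behaviour, timestamp rate, quirks such as a non-zero urgent pointer), so treat the table above as a sketch of the idea, not as a reference.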
Let's check how to do this.

Step 1 - Open a Linux terminal and run p0f (it captures packets from an interface, so it needs root privileges).
Step 2 - Browse to your target host using any browser.

Once the connection is established with the target host, the client starts to interact with the server, and p0f reports what it observes. In this run, the client IP 10.0.2.15 established a connection with the target web server 72.163.4.185 on port 80.

How to prevent footprinting?

Every move you make, each activity, and every piece of data available on the internet is a potential footprint that can open layers of information to attackers. Let's discuss preventive steps that reduce the security risk to organizations and individuals.

1. Delete or deactivate old accounts
Once an account is created online, its details can be shared anywhere together with your full name, email address, pictures, location, and other information. Official email accounts assigned to employees are also discoverable online. Once an employee has left the organization, the account must be disabled or deleted so that it cannot be used for fraudulent transactions.

2. Unsubscribe from unwanted mail
All of us keep subscribing to newsletters, event registrations, offers, and many other mailing lists. While some of these are useful, most of them only clutter the mailbox. Unsubscribe from all unnecessary lists to reduce your digital footprint.

3. Use stealth mode
Several browsers help you surf privately and prevent websites from tracking your interests, location, and so on. Using the Tor Browser, a privacy-focused search engine such as DuckDuckGo, and hardened privacy settings in your regular browser restricts how much of your information is shared online.

4. Use a VPN
There are many Virtual Private Networks (VPNs) available that you can use for privacy. A VPN adds a layer of protection for your traffic on the internet.
It prevents the local network (an office LAN or a coffee-shop access point, for instance) from tracking your web activity and collecting data by watching your browsing patterns; bear in mind that the VPN provider itself can still see that traffic.

5. SEO
Keep search engines from indexing pages that were never meant to be public (robots.txt and noindex hints, remembering that these are requests to crawlers, not access controls), use registrar privacy for domain registration details, and minimize unwanted footprints.

6. Configure web servers
Configure web servers to avoid information leakage (server version banners, directory listings, verbose error pages), and disable unneeded services and filter unneeded ports so that external scans reveal as little as possible. Use IPsec (or TLS) to protect traffic that crosses untrusted networks. Always keep internal and external DNS separate (split DNS), so that internal hostnames cannot be resolved from the internet.

7. Do it yourself
Perform the footprinting techniques discussed above against yourself and check whether any sensitive or unwanted information of yours is available on the internet. Use the OSINT Framework to dig deeper, and remove posted or shared data that reveals anything sensitive. Share tips with colleagues on avoiding fraud calls and social engineering.

What is reconnaissance?

Similar to footprinting, reconnaissance is a very important stage at the start of an attack. In this stage, attackers gather information, much like a detective does. The process involves collecting information about the target's flaws and vulnerabilities; it is the first phase of a penetration test, and of most data breaches. Any piece of information gathered about the target may be the crucial piece of the jigsaw needed to reveal its critical vulnerabilities.

What critical information can be revealed in the reconnaissance phase?

1) Network information
- IP addresses
- subnet masks
- network topology
- domain names

2) Host information
- user names
- group names
- architecture type
- operating system family and version
- TCP and UDP services running, with versions

3) Security policies
- password complexity requirements
- password change frequency
- expired/disabled account retention
- physical security (e.g. access badges, door locks, etc.)
- firewalls
- intrusion detection systems

4) Personnel details
- designations
- telephone numbers
- social hangouts
- computer skills

There are two types of reconnaissance.

1. Passive reconnaissance
The attacker gathers information about the target through openly available sources, without touching the target's systems. There are many free sources on the internet which together may provide a blueprint of the organization or individual.

2. Active reconnaissance
Here, the attacker interacts directly with the target's systems to gain information, using scanning, eavesdropping, and packet capture. The advantage of active reconnaissance is that the information collected is accurate and current; the disadvantage is the risk of being detected. Netcat and Nmap are the standard tools for this.

What is enumeration?

Once an attacker has an active connection to the target, they can send directed queries to extract more information, for example:
- usernames
- hostnames
- IP addresses
- passwords (or their strength)
- configuration

This information is used to identify vulnerabilities in the target system. Once an attacker has it, they can steal private data and sometimes, even worse, change the configuration.

Types of enumeration

There are multiple types of enumeration. Let's look at one example in detail.

DNS enumeration

DNS enumeration is the technique used to find all of an organization's DNS servers and their corresponding records. The list of records gives an overview of the hosts and services in the zone. A DNS zone transfer (AXFR) is the mechanism by which a secondary name server replicates the zone data from the primary. An attacker simply sends a zone transfer query to the name server.
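Here is an added example of the zone transfer check itself, written for this article in Python with only the standard library (it is not one of the tools listed and not code from the original page). It builds the AXFR query in DNS wire format with the 2-byte length prefix that DNS over TCP requires, and classifies the first message of the reply: a server that refuses answers with RCODE REFUSED (or NOTAUTH) and no records, while a server that allows the transfer answers NOERROR with the zone's records following. The check_zone_transfer function performs the live query; everything else runs offline against constructed replies. The ns1.example.com and example.com names are placeholders.

```python
"""Does this name server hand out its zone to anyone? An AXFR check using only the standard library (added example)."""
import socket
import struct

AXFR, CLASS_IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_axfr_query(domain: str, txid: int = 0x1234) -> bytes:
    """One question of type AXFR, wrapped in the 2-byte length prefix DNS uses over TCP."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # flags 0: standard query, RD clear
    message = header + encode_name(domain) + struct.pack("!HH", AXFR, CLASS_IN)
    return struct.pack("!H", len(message)) + message


def classify_response(message: bytes, expected_txid: int) -> dict:
    """Read the header of the first reply message; a transfer is under way if RCODE is 0 and records follow."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x0F
    return {"rcode": RCODES.get(rcode, str(rcode)), "answers": ancount,
            "transfer_allowed": rcode == 0 and ancount > 0}


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes from a TCP socket (recv may return less than asked for)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def check_zone_transfer(ns_host: str, domain: str, timeout: float = 5.0) -> dict:
    """Live check (needs network): ask ns_host for the whole zone over TCP/53 and report what it said."""
    txid = 0x4D2A   # fixed for readability; use a random id in real code
    with socket.create_connection((ns_host, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(domain, txid))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return classify_response(recv_exact(s, length), txid)


def sample_response(txid: int, rcode: int, answers: int, domain: str = "example.com") -> bytes:
    """Constructed reply header plus echoed question (no RR bodies), for offline demonstration only."""
    flags = 0x8400 | (rcode & 0x0F)                  # QR=1, AA=1
    return struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0) + encode_name(domain) + struct.pack("!HH", AXFR, CLASS_IN)


if __name__ == "__main__":
    for label, reply in (("locked down", sample_response(0x1234, 5, 0)),
                         ("wide open", sample_response(0x1234, 0, 12))):
        print(label, classify_response(reply, 0x1234))
    # Against a real server you control: check_zone_transfer("ns1.example.com", "example.com")
```

Manually, the same check is `dig axfr example.com @ns1.example.com`; a refusing server prints "Transfer failed." A complete AXFR spans several messages, starting and ending with the zone's SOA record, so a full client keeps reading until the closing SOA; inspecting the first message is enough to decide whether the server is exposed. In BIND the fix is `allow-transfer { <addresses of your secondaries>; };` in the zone or options block (or `allow-transfer { none; };` on a server with no secondaries), preferably with TSIG keys rather than addresses alone. Only run the live check against servers you are authorized to test.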
If the name server allows transfers from any host rather than only from its authorized secondaries, every DNS name and IP address it hosts is returned in plain text. Some of the tools that can be used for this include nslookup, Maltego, dnsenum, dnsrecon, and others.

Here is an example that uses nslookup. nslookup queries DNS servers for machine names and addresses. For example, to find the IP address of Google's web server we enter:

nslookup www.google.com

and the output looks like this:

C:\>nslookup www.google.com
Server:  dnsr1.sbcglobal.net
Address:  68.94.156.1

Non-authoritative answer:
Name:    www.1.google.com
Addresses:  64.233.187.99, 64.233.187.104
Aliases:  www.google.com

The first two lines of output tell us which DNS server is being queried; in this case it is dnsr1.sbcglobal.net in Texas. The non-authoritative answer lists two IP addresses for Google's web servers. A non-authoritative answer comes from a recursive resolver that does not hold a copy of the zone; it answers from a cache built from the lookups it performed earlier, for which it received authoritative responses.

In interactive mode, nslookup shows a > prompt, at which the user can enter a variety of commands, including an attempt to perform a zone transfer (select the target name server with server, then request the zone with ls -d).

Attackers can also enumerate other information such as network resources and shares, routing tables, machine names, applications and banners, users, and groups.

Other types of enumeration include:
- Windows enumeration
- Linux enumeration
- LDAP enumeration
- NetBIOS enumeration
- SNMP enumeration
- NTP enumeration

Steps to prevent enumeration
- Use centralized, role-based network administration contact details (rather than named individuals) in the NIC (Network Information Center) and whois records, to limit social engineering against IT departments.
- Configure name servers to refuse DNS zone transfers from untrusted hosts, allowing them only from your own secondaries.
- Configure web servers not to list directories that have no index file, and avoid keeping sensitive files and documents on publicly accessible hosts such as FTP and HTTP servers.
- Configure SMTP servers so that they do not reveal which addresses exist: disable VRFY and EXPN, and handle messages to unknown recipients the same way as any other.
- Disable SMB where it is not needed, and block TCP ports 139 and 445 at the perimeter.
- Require authentication (NTLM, or basic authentication only over TLS) so that only authorized users can reach services.
- Implement the group policy security option "access restrictions for anonymous connections" (RestrictAnonymous) so that anonymous sessions cannot list accounts and shares.

Conclusion

In this article, you have learned about the initial steps of an attack, the pre-attack phase: information gathering, scanning, and mapping the network. The more information an attacker can gather, the higher their chances of a successful attack. If you tighten security right from this initial phase, you reduce an attacker's chances of getting into your systems. By controlling your digital footprint, you improve your security posture and keep your data safe.
KnowledgeHut


How much do Ethical Hackers Earn?

Technology has flourished at breakneck speed in the past decade. Inventions and innovations have transformed the way we live and work. We live in an interconnected world where everything is online. While this has made our lives easier, it has also made us vulnerable to sophisticated cyber criminals, who at their malicious best attack not just individuals but companies, and in more brazen attacks even a nation's security and financial health.

According to the latest report by Verizon, 70% of cybercrimes were caused by malicious hackers and outsiders. With a lot of sensitive data now present online, the perceived threat has steadily grown over the years.

One of the foremost methods of preventing cybercrime is to reinforce the security of IT systems. Moreover, adding a dedicated team of ethical hackers to the workforce can help fix loopholes and prevent malicious attacks. With the surge in cybercrime, the need for cybersecurity has increased. This in turn has led to a rise in demand for skilled ethical hackers and information security professionals.

What is the CEH certification?

The CEH (Certified Ethical Hacker) credential from EC-Council demonstrates that you have hands-on knowledge of the techniques used by security professionals and by attackers, so that you can prevent cyber-attacks. CEH also teaches the skills to assess security, scan infrastructure, and detect vulnerabilities in organizations. With the CEH course, you can:
- Enter the industry as a security professional
- Learn the hacker mentality to stay a step ahead of cybercriminals
- Boost your career in IT security
- Improve the skills and knowledge that are the primary requirement for career advancement

The demand for ethical hackers

According to Forbes, "in this current year of 2020-21, the Global security market is worth $173 billion and within the next 5 years this will grow to around $270 billion."
Statistics by the Australian Cyber Security Growth Network show that organizations across the globe are expected to raise their security budgets by 8% annually.
Source: austcyber.com

Malicious cyber activity is increasing around the world, as cybercriminals use ever more sophisticated strategies to infiltrate systems and networks. Therefore, the demand for cybersecurity experts and ethical hackers will continue to increase.

Opportunities for an ethical hacker

In India alone, more than 20,000 websites faced defacement, DDoS, or ransomware attacks in 2019, according to CERT-In (the Indian Computer Emergency Response Team). Therefore, from private organizations to government entities, everyone needs an ethical hacker or security professional to counter unauthorized hacking and strengthen their security. As per the NASSCOM report, there will be 72,000 security professionals in the coming years.

Types of roles and responsibilities of an ethical hacker

Cybersecurity experts get various kinds of work, from small organizations to giant tech corporations, government agencies, research organizations, and many others. The work of an ethical hacker differs with the size and requirements of the organization, and also with the skills and experience of the hacker.
However, here are some overall responsibilities expected of ethical hackers:
- Protect IT infrastructure, networks, devices, and data from cybercriminals
- Monitor application and network performance
- Perform security tests to validate the strength of applications, devices, and networks
- Implement an information security management system to be followed by the entire organization
- Set up detection and prevention controls and build a barrier against outside or unauthorized access
- Keep top management updated with current risk management and business continuity plans

To perform all of the above, organizations hire for multiple designations, ranging from entry-level security personnel to CISO (Chief Information Security Officer). This pyramid shows the various levels of roles for cyber security professionals.

Job roles and salaries

Ethical hackers can take on a variety of roles.

Consulting - As explained earlier, almost all organizations need security professionals to secure their networks, data, devices, etc. Some organizations prefer to outsource security rather than hire their own staff. In this case, the organization expects customized security solutions, suggestions, and advice on protecting its assets against cyber-attacks.

Bug bounty - Many organizations and tech giants run bounty programs that pay hackers attractive cash prizes for finding vulnerabilities in their applications or websites.

Training - Ethical hackers can train professionals and students to advance their careers. Such training also spreads awareness of cybercrime in society and helps people stay safe from potential fraud.

Events - Tech giants like Tesla invite hackers to hack their cars.
There are similar events for hackers to perform their skills and earn prizes, or in some cases jobs with handsome packages.The salary range for ethical hackersLucrative salaries are the most attractive part of this profession. Salaries in this field vary based on location, designation, skill, and experience. As we have seen in the pyramid earlier, there are multiple roles in the security field, with packages increasing from bottom to top. All organizations value their security, and are ready to pay top dollar for qualified candidates.As per a survey, the average salary of an ethical hacker or information security officer is INR 12,00,000 per annum with 3-5 years of experience. This is just an average figure. In some cases in New Delhi & Mumbai, suitable candidates got paid as much as up to INR 18,00,000 p.a. even without work experience.The package information mentioned above was just for India. Let's have a look at the below table to understand the worldwide salary ratio based on designation and experience.Do you have the skills for it?Before you decide to pursue ethical hacking as a profession, here are some skills you have to master:FocusPatienceStrategy making abilityGood CommunicationCuriosityDisciplineZest for learningThinking out of the boxPositive attitudeTop 10 technical skills:-Excellent computer skills  LinuxNetworking & InfrastructureProgramming skillsDatabase management systemsCryptographyCloud technologiesWeb applicationWireless technologiesPenetration TestingImportance of ethicsHave you heard the term 'Royal Guards'?  It refers to an elite group of highly skilled warriors who act as a monarch’s personal security guards. The monarch and the kingdom trust them and feel safe while surrounded by royal guards.In this field as well, an ethical hacker or a team of security professionals act as royal guards of the organization. Organizations trust the security professionals expecting security and implicit loyalty. 
Security professionals must be highly ethical, as they can have access to the most vital information systems, data, or any other assets. An ethical hacker must follow ethical /genuine practices during the entire employment term (and even after leaving a company) and uphold the trust of the management.EC-Council has written 19 steps of  'Code - of - Ethics' which must be followed by all ethical hackers to maintain the dignity of the profession.Below is a sample:As an ethical hacker, you must keep private and confidential information gained in your professional work (in particular as it pertains to client lists and client personal information). You should not collect, give, sell, or transfer any personal information (such as name, e-mail address, Social Security number, or another unique identifier) to a third party without the client's prior consent.ConclusionHighly skilled hackers will always be in demand because in the digital age, all organizations need to stay protected from hackers at any cost. This is a career that is surely future-proof!
The Top Information Security Certifications to Consider

Cybercrimes have the ability to cripple even robust security systems in a matter of minutes. Malicious hacking has compromised the sensitive data of many individuals and enterprises. The only way to counter malicious hacking is to detect vulnerabilities in systems beforehand and take preventive measures.

This is where 'ethical hackers' or 'white hat hackers' come into the scene. An ethical hacker, according to the EC-Council, is an individual who specializes in ethical hacking tools, techniques, and methodologies to secure an organization's information systems. They work with organizations to make their security systems more foolproof. Ethical hackers have become national treasures to governments as well as the most coveted assets to workforces in some of the finest companies across industries.

If you are contemplating a career in ethical hacking, below are the top certifications you could consider to get a foothold in the ethical hacking industry.

Certified Ethical Hacker (CEH)

CEH is the oldest and most popular certification in ethical hacking. It is accredited by the prestigious EC-Council and is considered a must-have for aspiring ethical hackers. The latest version is CEH v11, and it trains you in the latest commercial-grade hacking tools and methodologies that every ethical hacker and information security professional should be aware of.

On completion of the CEH course, you will have the skill set to detect vulnerabilities in target systems and undertake preventive measures to resolve them for the security of the systems. The training will help you develop the mindset of an ethical hacker and validates your credibility as a skilled professional in white-hat hacking.

As far as jobs are concerned, the opportunities for CEH-certified hackers are numerous. Typical job roles include:

- Penetration tester
- Network security specialist
- Ethical hacker
- Security consultant
- Site administrator and auditor

This certification gives you the opportunity to work not only with corporates but also with government organizations. Since the threat of cybercrime is always present, ethical hacking experts are an asset to the government IT sector, the National Security Agency (NSA), the Committee on National Security Systems (CNSS) and the Department of Defense (DoD).

Certified Information Systems Security Professional (CISSP)

The CISSP certification trains you to design, implement and manage even the most complex cybersecurity programs. Accredited by (ISC)², it validates your prowess as a security professional. It trains you in different areas like access control systems and methodology, business continuity planning and disaster recovery planning, physical security, operations security, management practices, telecommunications and networking, security architecture, application and systems development, and law and ethics.

In order to be eligible for the CISSP credential, you should have a minimum of 5 years of relevant experience, or four years of the aforementioned work experience plus an information security degree from a National Center of Academic Excellence or a regional equivalent.

With the CISSP, you become eligible for the following job titles:

- Security consultant
- Security analyst/manager
- Security systems engineer/auditor
- Director of security
- IT manager/director
- Network architect
- Security architect

Certified Information Systems Auditor (CISA)

People who hold CISA certifications are responsible for implementing the security controls in organisations. CISA is a sought-after certification from ISACA, a global association that serves more than 145,000 members in more than 188 countries worldwide. CISA is the gold standard of achievement for professionals trained in auditing, monitoring, and assessing an organization's business and IT systems. As a CISA-certified auditor, you will have adequate knowledge to identify risks in target systems and fix them before malicious attacks occur.

Certified Information Security Manager (CISM)

The CISM certification, also from ISACA, indicates your expertise in multiple domains like information security governance, program development and management, risk management and incident management. It is highly recommended for security consultants and managers who have technical expertise in information security and controls. CISM is a natural fit after the CISSP certification, especially for a smooth transition into managing and overseeing information security at a strategic level.

Certified in Risk and Information Systems Control (CRISC)

This certification from ISACA validates your capacity to identify and manage IT risks while implementing and maintaining information systems controls. A highly valued credential, the course explores topics like IT Risk Identification, IT Risk Assessment, Risk Response and Mitigation, and Risk and Control Monitoring and Reporting.

ISO 27001:2013 LI/LA

ISO 27001 is a widely recognized certification in the information security industry. It has multiple related modules that explore various information security controls. There are two job titles you can pursue after this certification: Lead Implementer and Lead Auditor. The Lead Implementer is responsible for implementing the security measures in target systems as per the ISO 27001:2013 standard. The Lead Auditor is hired by certification bodies to audit organizations that have applied for ISO certification and check whether the measures have been implemented properly.

Certified Penetration Tester (CPT)

Issued by the Information Assurance Certification Review Board (IACRB), this program trains you to become a well-versed penetration tester. Penetration testing or pen testing is the assessment of computers, application security architecture, and networks to detect loopholes that are prone to malicious hacking. The course trains you in Pen Testing, Network Testing and Attacks, Windows Vulnerability, Linux/Unix Vulnerability, Enumeration, Web App Testing and Wireless Testing.

CompTIA PenTest+

This is another leading certification in cybersecurity, from CompTIA.org. CompTIA offers Security+ as a beginner certification and PenTest+ as an advanced-level certification. CompTIA PenTest+ covers the entire process of vulnerability assessment, starting from information gathering, scanning, exploitation, and reporting. This certificate will give you information about:

- Exploits and their use
- Vulnerability enumeration
- Scripting in Bash, PowerShell (Windows) and Python
- Report creation

Licensed Penetration Tester (LPT)

Yet another certification provided by EC-Council, LPT is the expert-level penetration testing certification. This is an intensive certification program meant for expert cybersecurity professionals. Through this course, you will learn advanced penetration testing concepts such as fuzzing, PowerShell scripting, scripting in Bash, Python, Perl, and Ruby environments, and mobile device penetration testing, among others.

Considering the above certifications, the onus to choose the right one is upon every aspiring cybersecurity professional out there. For a smooth learning journey, get started with a basic training program like CEH and gradually move on to the rest. Choose a recognized training provider with years of experience to help you chase your career goals with confidence.

Introduction to Vulnerability Analysis in Ethical Hacking

In this article we will discuss the various aspects of vulnerability analysis in ethical hacking. We will walk you through common examples of vulnerabilities and various lists and models to prevent them. The models we will be discussing are firewall, password, logical bombing and web hijacking, and we will talk about the methods to protect systems from these vulnerabilities.

What is a Vulnerability?

A vulnerability can be defined as an issue in software code that a hacker can exploit to harm systems. It can also be a gap in the implementation of cybersecurity procedures or a weakness in the controls.

What is an example of a vulnerability?

Examples of vulnerabilities exist in every industry. These include:

- Unauthorized network access by hackers due to a weak firewall
- Cracking of Wi-Fi passwords
- Exposure of sensitive data (credit card data, health records) due to lack of application security
- Security misconfiguration
- Misconfiguration of passwords
- Insecure cryptographic storage

What are the 4 main types of vulnerabilities?

The 4 main types of vulnerabilities are:

- Faulty defenses – Poor defense measures pave the way for easy intrusion by hackers. This may be due to weak authentication, authorization, and encryption.
- Inadequate resource management – The chances of buffer overflow, and the potential for many other vulnerabilities, are greater when resource management is inadequate.
- Insecure connections – If the connection between the system, application and networks is insecure, there is a higher probability of many threats like SQL injection.
- End user errors and misuse – In many cases, the errors are caused by humans and misuse of the systems.

What are vulnerability lists?

Below are the various types of vulnerabilities as listed by OWASP. There are around 60 at present, and the list is growing:

- Allowing Domains or Accounts to Expire – When domain names have expired, a hacker may buy them and set up a mail server. The hacker can then receive the incoming mail and learn the details.
- Buffer Overflow – Occurs when more data is added to a buffer than it can hold; the excess spills into adjacent memory, corrupting it and leaving the program susceptible to exploitation.
- Business logic vulnerability – The software code may be missing a security control like authentication, encryption, or authorization.
- CRLF Injection – Carriage Return Line Feed injection; can be done by modifying an HTTP parameter in the URL.
- CSV Injection – When untrusted CSV files are embedded in websites, causing vulnerabilities.
- Catch Null Pointer Exception – When the program contains a null pointer, it is highly risky.
- Covert storage channel – This can help attackers easily and often happens due to faulty implementation.
- Deserialization of untrusted data – Injection of malicious data into applications to stop execution of programs.
- Directory Restriction Error – Happens due to the improper use of chroot.
- Doubly freeing memory – This error occurs when free() is called more than once on the same memory address.
- Empty String Password – An empty string password is highly insecure.
- Expression Language Injection – Injection happens when attacker-controlled data enters an EL interpreter.
- Full Trust CLR Verification issue: Exploiting Passing Reference Types by Reference – Create a file called ValueTypeTest.cs and compile it using csc.
- Heartbleed Bug – Catastrophic bug in OpenSSL.
- Improper Data Validation – Multiple validation forms with the same name indicate that validation logic is not up to date.
- Improper pointer subtraction – Subtracting one pointer from another to determine a size depends on the assumption that both pointers exist in the same memory chunk.
- Information exposure through query strings in URL – Sensitive data is passed as parameters in the URL.
- Injection problem – The basic form of this flaw involves the injection of control-plane data into the data plane in order to alter the control flow of the process.
- Insecure Compiler Optimization – Improperly scrubbing sensitive data from memory can compromise security.
- Insecure Randomness – Occurs when a function that can produce predictable values is used as a source of randomness in a security-sensitive context.
- Insecure Temporary File – Creating and using insecure temporary files can leave application and system data vulnerable to attacks.
- Insecure Third-Party Domain Access – Occurs when an application contains content provided by a third-party resource that is delivered without any type of content scrubbing.
- Insecure Transport – The application configuration should ensure that SSL is used for all access-controlled pages.
- Insufficient Entropy – Pseudo-random number generators are susceptible to insufficient entropy when they are initialized, because entropy data may not be available to them yet.
- Insufficient Session-ID Length – Session identifiers should be at least 128 bits long to prevent brute-force session-guessing attacks.
- Least Privilege Violation – The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
- Memory leak – An unintentional form of memory consumption whereby the developer fails to free an allocated block of memory when it is no longer needed.
- Missing Error Handling – A default error page must be defined for 404 and 500 errors.
- Missing XML Validation – Failure to enable validation when parsing XML gives an attacker the opportunity to supply malicious input.
- Multiple admin levels – Multiple levels of admins may alter the login credentials.

Other vulnerabilities in the list:

- Null Dereference
- OWASP .NET Vulnerability Research
- Overly Permissive Regular Expression
- PHP File Inclusion
- PHP Object Injection
- PRNG Seed Error
- Password Management: Hardcoded Password
- Password Plaintext Storage
- Poor Logging Practice
- Portability Flaw
- Privacy Violation
- Process Control
- Return Inside Finally Block
- Session Variable Overloading
- String Termination Error
- Unchecked Error Condition
- Unchecked Return Value: Missing Check against Null
- Undefined Behavior
- Unreleased Resource
- Unrestricted File Upload
- Unsafe JNI
- Unsafe Mobile Code
- Unsafe function call from a signal handler
- Unsafe use of Reflection
- Use of Obsolete Methods
- Use of hard-coded password
- Using a broken or risky cryptographic algorithm
- Using freed memory
- Vulnerability template
- XML External Entity (XXE) Processing

What is Vulnerability Analysis?

Vulnerability analysis is a procedure to check for all the vulnerabilities in systems, computers and other tools in the ecosystem. It helps in analyzing, recognizing and ranking the vulnerabilities as per their severity. It helps with the identification and assessment of threat details, enabling us to prepare a resolution to protect systems from hackers. The analysis can be done for every industry, from healthcare to retail to IT.

Objectives of vulnerability analysis

- To identify vulnerabilities – configuration, system, design, code, process
- Documenting the vulnerabilities
- Preparation of guidance to mitigate the vulnerabilities

Importance of vulnerability analysis

- Deep-dive insights into the security issues
- Helps us understand the risks associated with the entire ecosystem
- For security breaches
- Assets that are prone to cyber attacks

Steps for the vulnerability analysis

How to check if the organization requires vulnerability analysis

Types of Vulnerability Assessment

- Network-based scans – To identify network vulnerabilities. This scan helps to find the vulnerable systems in wired and wireless networks.
- Host-based scans – To identify vulnerabilities in the ports, configuration, servers, workstations, other hosts and patch history.
- Wireless network scans – Complete scan of wireless networks to find vulnerabilities.
- Application scans – To test all portals and mobile applications for vulnerabilities.
- Database scans – To scan all databases for potential vulnerabilities.

Models of Vulnerability in Ethical Hacking

Firewall model:

- Insider attacks – A perimeter firewall should be decided upon, and this can take care of external attacks.
- Missed security patches – When patch management of the firewall has not happened.
- Configuration issues – If there are faults in the configuration of the firewall.
- DDoS attacks – Only allow legitimate traffic to avoid these attacks.

Password model – To crack a password, the hacker uses any of the following: dictionary, hybrid and brute force.

Logical bombing – This usually happens when the hacker uses malicious code to inject into the web application or the cloud infrastructure.

Web hijacking – This happens when an unauthorized user tries to access the application by bypassing the authorization mechanism.

Protection from hacking

We need to follow some simple steps to prevent hacking:

- Updating operating systems
- Installing a proper firewall to prevent intrusion
- Removing all personal information from all web sources
- No use of open Wi-Fi
- Passwords – strong passwords which are not easy to guess
- Smart emailing – avoid opening phishing mails
- Keep sensitive data in a protected environment
- Ignore spam
- Shut down systems after use
- Secure the network
- Back up the data

Conclusion

In this article we have discussed the various vulnerabilities that hackers can exploit to gain unauthorized access to a system. Best practices and techniques for finding vulnerabilities were also discussed. We have discussed the analysis of vulnerabilities and how it helps in preventing the system from being hacked. Finally, we have discussed models of vulnerabilities in ethical hacking and the ways to keep ourselves protected from hacking.

Strengthening the Attack by Effective “Scanning”

As per the Oxford dictionary, “Scanning” is defined as “to look at all parts of (something) carefully in order to detect some feature”. Scanning is a technique which is very widely used in the cyber security domain. Security engineers, hackers, and researchers often use various kinds of scanning in the course of their work. Network Scanning is a process where an attacker uses tools and techniques to gather information about the target. This information may be as simple as the active hosts within the network, to complex discoveries like gathering the OS of the hosts, open ports and active vulnerabilities on the host. Scanning is not only done on the network; it could also be application scanning, or website scanning, depending on the need. However, in this article, we will focus mainly on network scanning and will only briefly touch upon application and website scanning.Scanning is an integral part of ethical hacking, and without understanding the basics of ethical hacking, we would not be able to do justice to this topic. Generally, after reconnaissance, scanning is the second step of any hacking attempt. For that purpose, we will look at the basics of ethical hacking and its steps, after which we shall understand scanning and its types, take a deep dive into network scanning and finally look at some tools which are used in the industry for various types of scanning.What is hacking and ethical hacking?Whenever we listen to the word ‘Hacker’, we imagine a guy with black hood, sitting alone in a room, having multiple screens in front of him and typing commands at a blazing speed! In reality, that is not the case. A computer hacker is a person with deep domain expertise in the fields of computers, who explores methods to overcome the defense mechanisms by exploiting vulnerabilities in a computer system or network. A hacker can be financially or politically motivated, or could be working with an organization to help them strengthen their infrastructure. 
The latter is also referred to an ethical hacker.If we talk about the English definition of hacker as per the Oxford dictionary , it refers to a person who uses computers to get access to data in somebody else's computer or phone system without permission. An unethical hacker is someone who overcomes the security controls deployed by security teams to protect confidential and sensitive data by exploiting various vulnerabilities present in the system or network, and gains unauthorized access to the system. This is usually done for financial gain by unethical hackers.Now when the word ‘ethical’ is attached to ‘hacking’, it changes the meaning a bit and also the intent of hacking. In ethical hacking, the hacker exploits the vulnerability, gains access to the data, but never alters, deletes or steals it or uses it for personal, professional or financial gain. The hacker, in this case, will disclose the vulnerability to the owner of the system with a “Proof of Concept” (PoC) and request the owner to get the vulnerability remediated. Generally, the ethical hackers have an explicit permission to exploit the target from the owner. The companies could hire ethical hackers on their payroll and pay them to do such hacking or may allow hackers around the globe to evaluate their websites or applications through bug bounty programs. In this case, the companies offer monetary rewards to hackers who report bugs to the companies.Now when we have discussed ethical hackers, it would make sense to introduce the term, “White Hat Hacker”. A White Hat Hacker is an individual, generally working with or for a company to help the company strengthen its security posture. The white hat hacker has explicit permission from the system or the information owner to attack the system. The intent here is to fix the issues before the black hat hackers or the bad guys could exploit the vulnerability. 
Ethical hackers can also be referred to as white hat hackers.Steps in Ethical HackingTo successfully understand scanning, it is very important to understand what the various steps of hacking are. Any successful attack would need these steps to be followed:Reconnaissance or information gathering – As they say in the military, reconnaissance means to gather the information of the area by using foot soldiers, planes, drones, etc. In ethical hacking also, the process is similar. Here we try to gather as much information as we can about our target. The better the reconnaissance, the easier the attack would be. Basically, this step lays the foundation of our attack. Reconnaissance could be of two types, active and passive. In case of active reconnaissance, scanning is widely used for gaining information about the target. Generally, information that is available to the public is gathered in this phase.Scanning – The attacker has gained valuable insights about the target. But this is not enough, as deeper insights are required. Scanning helps in getting more specific information about the target. Web scanners help attackers understand the vulnerabilities in a website, while application scanners look at the application code and the lists of potential vulnerabilities and issues. Network scanners help the attacker to perform host discovery, identify ports and services and gain various details about the network, as we will discuss going forward.Gaining access – Now the attacker is armed with a lot of information on the IP ranges, key people of the organization, OS running on key servers, active hosts and so on. The attacker will now use techniques to deliver a payload (the actual virus or a malicious code) into the network of the target. 
This is generally done by using social engineering techniques like phishing.Maintaining access – This is the next step when the attacker has the access to the network and the system, and would now make sure that he has a persistent access to the resources. The attacker generally does this by creating a backdoor, which no one else is aware of. A backdoor is just like a secret way in and out of the system. This backdoor will ensure that even if the main gate (exploited vulnerability) has been closed by the target, there is a back gate which he could use to maintain the access to the compromised system.Covering tracks – Any attacker would want to remain anonymous while he is in the system or has left after stealing the information or damaging it. This is a very important step, since if this is not done, the hacker(if he is a black hat hacker) could land in jail. This is generally done by tampering (deleting or corrupting) the log files and/or using a VPN or a Virtual Private Network.Types of scanning in ethical hackingScanning is the second step in ethical hacking. It helps the attacker get detailed information about the target. Scanning could be basically of three types:Port Scanning – Detecting open ports and running services on the target hostNetwork Scanning – Discovering IP addresses, operating systems, topology, etc.Vulnerability Scanning – Scanning to gather information about known vulnerabilities in a targetPort scanning could be further divided into 5 types:Ping Scan – This is the simplest scan. Ping scan sends ICMP packets and wait for the response from the target. If there is a response, the target is considered to be active and listening.TCP Half Open – Also, referred to as SYN scan, this is another very common type of scanning method.TCP Connect – TCP connect is similar to TCP half open, except for the fact that a complete TCP connection is established in TCP connect port scanning.UDP – UDP is used by very common services like DNS, SNMP, DHCP. 
So, sending a UDP packet and waiting for a response helps gather information about UDP ports.Stealth Scanning – As the word says, stealth means a quieter activity. When an attacker wants to be undetected while scanning, a stealth scan is used.What is network scanningNetwork is the backbone of any information technology infrastructure, over which data and resources are shared. In today’s world, when the network is being used for almost everything, “Network Security”  is of critical importance. If the network is not secure, any other control is not worth applying! Network scanning is the process or technique by which we scan the network to gain details such as active hosts, open ports including running TCP and UDP services, open vulnerabilities, details about the host like operating system and much more. For IP (internet protocol) networks, generally “ping” is used for reaching a host and checking its status. Ping is an ICMP (Internet Control Message Protocol) utility and sends packets to the target and receives an ICMP echo reply.Within an organization, network scanning is used by monitoring and management systems. These are legitimate uses of scanning and are very regularly used by network management tools and network administrators. On the other side, scanning used by an attacker relies on the same tools and protocols as used by network administrators for monitoring and management. The attacker would first obtain the IP address range of the target network generally using DNS or the whois protocol. Once the attacker has the IP range, he would scan the network for active host, their operating systems and related details as discussed above. Finally, with all this information, the attacker may attempt to breach the target systems.How is Network Scanning different from Reconnaissance?Reconnaissance, as discussed above, is the first step in ethical hacking. In this step, the attacker tries to gather as much information as possible. 
Reconnaissance could be of two types, active and passive. In passive reconnaissance, the attacker makes absolutely no contact with the target systems or the network. However, in active reconnaissance, the attacker makes direct contact with the target machines and network in order to gain some basic information. This is generally done by scanning and foot-printing.You might be wondering, why are we talking about scanning in reconnaissance and then also discussing scanning as a different and independent step of ethical hacking? There is a thin line between the two.As discussed above, during active reconnaissance, there is contact with the target network. However, in the scanning step (2nd step of ethical hacking), the attacker already has basic information about the network and the infrastructure. The aim is to get details like active host names, open ports, operating systems on the active hosts, etc. While they might seem the same, scanning is not possible or rather, would not be successful without an in-depth and detailed reconnaissance. The scanning step further expands reconnaissance and takes it to the next level.Network Scanning tool – NMAP with examplesLet us have a look at nmap, a very commonly used network scanning tool and see some examples of its use. You can install nmap (Zenmap is the UI interface for Windows) from nmap [dot] org. Below is what the Zenmap looks like:We input the target IP or IP range in the “Target” field, choose a profile from the dropdown and input a command which specifies certain parameters. Below are some common parameters you can find in the nmap tool:HOST DISCOVERY:a. -sL: List Scan - simply list targets to scanb. -sn: Ping Scan - disable port scanc. -Pn: Treat all hosts as online -- skip host discoverySCAN TECHNIQUES:a. -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scansb. -sU: UDP Scanc. -sN/sF/sX: TCP Null, FIN, and Xmas scansd. --scanflags : Customize TCP scan flagsPORT SPECIFICATION AND SCAN ORDER:a. 
-p : Only scan specified portsb. --exclude-ports : Exclude the specified ports from scanningc. -F: Fast mode - Scan fewer ports than the default scanSERVICE/VERSION DETECTIONa. -sV: Probe open ports to determine service/version infoOS DETECTION:a. -O: Enable OS detectionSome examples are given below:nmap -v -A knowledgehut.comnmap -v -sn 192.168.0.1-100nmap -v -O 192.168.1.200-210nmap -v -iR 10000 -Pn -p 443You can refer to nmap official website (nmap [dot] org/book/man [dot] html) for more examples and use cases.Some common scanning tools used in the industryWith the evolution of sophisticated attacks, the network security industry has evolved a great deal, and there are more than a dozen tools which help companies manage their network and ensure it is secure from all kinds of attacks. Below are some very common and trusted tools which are used across the industry:OpenVAS – OpenVAS or the Open Vulnerability Assessment System is an open source tool for network scanning and monitoring. OpenVAS allows a high level of customization and provides an option of intelligent scan. It provides three types of scans, namely, full scan, web server scan and WordPress scan.Nmap – As discussed above, nmap is one of the most reliable network scanners used across the industry. It is an open source tool and allows a lot of pre-configured commands. It comes with NSE or the Nmap Scanning Engine, which is very effective in detecting network misconfigurations and security issues. It is available both in graphical user interface (GUI) and command line interface (CLI).Nessus – One of the most widely used enterprise scanning tools, the Tenable owned Nessus provides amazing scanning capabilities, including many predefined templates. It has pre-configured scans (templates) for PCI compliance, Badlock detection, Malware Scan, DROWN Detection to name a few. It is one of the most trusted scanners used across the industry. 
Tenable offers a free trial of the commercial product and a free edition for learning and research, Nessus Essentials, which is limited to scanning 16 IP addresses.

Acunetix – Acunetix is one of the most widely used web application scanners. Its integrations with issue trackers such as Jira, repositories such as GitHub and CI servers such as Jenkins make it a common choice for enterprises, and they help security teams fold scanning into their SDLC (Software Development Life Cycle).

Wireshark – Wireshark is a free and open source packet analyzer. It is very widely used, including by attackers who have already gained a foothold in a network and want to "sniff" its traffic. Its ability to capture packets in real time, decode them into readable protocol fields, and present them in an easy, interactive GUI makes it a favourite of network administrators and security researchers (and of attackers, of course).

Concluding remarks

Scanning is the second step of the ethical hacking process, and until an attacker is proficient in it an attack is unlikely to succeed. Network scanning tells you not only which hosts exist and how they are basically configured, it also points an attacker at vulnerabilities present on those hosts; application scanners, on the other side, report what vulnerabilities (generally in OWASP Top 10 terms) exist in an application. Done properly, scanning reveals a great deal about an organization.

Having said that, network and security administrators in almost all organizations deploy tools intended to detect a scan almost as soon as it starts and to take corrective action, generally by blocking the source. This makes it harder for an attacker to scan an organization's network and come away with useful results. Scanning is often blocked at the firewall: ICMP is denied by default, except from a few IPs and subnets where it is needed for troubleshooting. Be clear about what that achieves, though. Dropping ICMP echo only defeats nmap's default host discovery; an attacker who runs with -Pn scans the TCP and UDP ports regardless. Real protection comes from denying every port that does not need to be reachable and from an IDS that recognizes the port-scan pattern itself.
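Running nmap is the easy half; the output has to be turned into an inventory that a team can act on. As an added example for the nmap section above (my code, not the article's and not part of the nmap project), the Python below parses nmap's XML report, the format written by -oX, into hosts, open ports, detected services and OS guesses, and flags cleartext or weak services. The XML is a constructed sample shaped like real `nmap -sV -O -oX` output; the RISKY_SERVICES list is my own choice. Note how a host scanned with -Pn is reported "up" with reason "user-set", which is not evidence that it is alive, and how "open|filtered" UDP ports are not counted as open.

```python
"""Parse an nmap XML report (-oX) into a host/port inventory.

Added example, not from the original article or the nmap project.
SAMPLE_NMAP_XML is a constructed report shaped like real nmap output.
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.1.200-202">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.200" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.52" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Linux 5.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.168.1.201" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23">
        <state state="open" reason="syn-ack"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
      <port protocol="udp" portid="161">
        <state state="open|filtered" reason="no-response"/>
        <service name="snmp" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.202" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Cleartext or historically weak services worth flagging in any report.
# This list is my own choice for the example, not something nmap defines.
RISKY_SERVICES = {"telnet", "ftp", "snmp", "rsh", "rlogin", "vnc"}


def parse_nmap_xml(xml_text):
    """Return a list of hosts: {'addr', 'hostname', 'os', 'ports': [...]}."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # with -Pn every host is 'up' (reason="user-set"); that is not proof of life
        addr_el = host.find("address[@addrtype='ipv4']")
        hostname_el = host.find("hostnames/hostname")
        os_el = host.find("os/osmatch")
        ports = []
        for port in host.findall("ports/port"):
            svc = port.find("service")
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": port.find("state").get("state"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # method="table" is a port-number lookup; "probed" means -sV actually talked to it
                "probed": svc is not None and svc.get("method") == "probed",
            })
        hosts.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "hostname": hostname_el.get("name") if hostname_el is not None else None,
            "os": os_el.get("name") if os_el is not None else None,
            "ports": ports,
        })
    return hosts


def open_ports(hosts):
    """Map address -> sorted (proto, port) pairs that are definitely open.
    'open|filtered' (typical for UDP with no reply) is deliberately excluded."""
    return {h["addr"]: sorted((p["proto"], p["port"]) for p in h["ports"] if p["state"] == "open")
            for h in hosts}


def risky_findings(hosts):
    """(addr, port, service) for every open port running a service in RISKY_SERVICES."""
    return [(h["addr"], p["port"], p["service"]) for h in hosts for p in h["ports"]
            if p["state"] == "open" and p["service"] in RISKY_SERVICES]


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in inventory:
        print(h["addr"], h["hostname"], h["os"])
        for p in h["ports"]:
            print("   ", p["proto"], p["port"], p["state"], p["service"], p["product"], p["version"])
    print("risky:", risky_findings(inventory))
```

On a real engagement you would feed this the file from `nmap -sV -O -oX scan.xml <targets>`; the same parser works for the host list produced by a -Pn scan, which is why the "probed" flag and the reason attribute matter when deciding what is actually confirmed.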
How to Hack a Web Server?

Over the past decade more people have had access to the internet than ever before, and many organizations expose web-based applications through which their users interact with them. Misconfigured web servers and poorly written code are a threat: they can be used to gain unauthorized access to the sensitive data behind the server. This article gives an overview of web servers. We cover how a server works, the leading web server software, web server vulnerabilities, web server attacks, tools, and some countermeasures against those attacks.

Among the biggest web server attacks was the DDoS against GitHub in 2018. GitHub is the most popular online code hosting service, used by millions of developers. On February 28, 2018 it was hit by what was then the largest DDoS attack on record, peaking at about 1.35 terabits per second. No botnet was involved. Instead the attackers used memcached amplification: memcached is a caching system used to speed up websites, and a large number of memcached servers were exposed to the internet and answered UDP requests from anyone. The attackers sent small requests to those servers with the source address spoofed to GitHub's, and the servers sent their far larger responses to GitHub, amplifying the traffic aimed at the platform by a factor in the tens of thousands. GitHub was using a DDoS protection service; within about 10 minutes its traffic was rerouted through that service and the attack was contained.

What are Web Servers?

Web servers are the hardware, the software, or both together, used to host websites. The server software runs on a variety of operating systems, connects to back-end databases and runs applications. Their use has grown in recent years because most online services are now implemented as web applications. Web servers are used mostly for web hosting, that is, for hosting the data behind websites and web applications.

How does a Web Server work?

A web server is reached through a website's domain name. It delivers the site's content to the requesting user using the Hypertext Transfer Protocol (HTTP). The term can mean the hardware that stores the server software and the website's files, the software itself, or both. Besides serving pages, web servers are used for file transfer and many other purposes, and they are efficient enough to deliver the same file, or many different files, to thousands of visitors simultaneously.

Web Server Security Issues

Web servers are exposed to network-level attacks and operating system attacks as well as attacks on the server software and its configuration. The hardware stores the server software and the website's files such as images and scripts; the attacker usually targets weaknesses in the configuration of the web server and exploits them. Some of these weaknesses are:

Inappropriate directory permissions
Software bugs left unpatched
Misconfigured SSL/TLS certificates
Unnecessary services enabled
Default setup left unchanged

Top 3 standard Web Server software

Apache HTTP Server – The most common server in the industry. It is developed by the Apache Software Foundation and is free and open source software for Windows, macOS, Linux and many other operating systems.

Microsoft Internet Information Services (IIS) – Developed by Microsoft for Windows platforms. It is proprietary: neither free nor open source.

Nginx – Free and open source software created by Igor Sysoev and publicly released in 2004. Besides serving web content it is used as a reverse proxy, load balancer, mail proxy and HTTP cache.

Web Server Attacks

Web server attacks take many forms. Some of them are described below:

DoS/DDoS – Denial of Service: the attacker sends so many requests or packets that the web server's capacity to serve is overwhelmed, and it crashes or becomes unavailable to legitimate users.
DNS Server Hijacking – Also known as DNS redirection: the attacker modifies DNS configuration (on an authoritative server, a resolver or the victim's own settings) so that names resolve to addresses the attacker controls. Its primary uses are pharming, where users are silently redirected to look-alike sites the attacker runs, and phishing, where those fake sites harvest credentials.

DNS Amplification Attack – The attacker sends lookup requests to open recursive DNS servers with the source address spoofed to the victim's. The responses are many times larger than the requests and all land on the victim, so a modest amount of attacker bandwidth becomes a Denial of Service against the target.

Directory Traversal Attacks – Directory traversal, also known as path traversal, is an HTTP attack in which "../" (dot-dot-slash) sequences, often percent-encoded, are used in a URL to step out of the web root and read restricted directories and files, revealing sensitive information about the system.

Man in the Middle Attack – A Man in the Middle or sniffing attack happens when an attacker positions himself between a user and the application and reads or alters the packets passing through. The goal is to steal sensitive information such as login credentials or credit card details.

Phishing Attacks – A social engineering attack that obtains sensitive, confidential information such as usernames, passwords and credit card numbers through fraudulent messages that appear to come from a reputable source. Scammers mostly use email and text messages to trick victims.

Website Defacement – The attacker changes the visual appearance of the website or a page to display their own message. SQL injection is a common route to defacement: the attacker appends SQL fragments to input so that the query the application builds does what the attacker wants.

Web Server Misconfiguration – Unnecessary services are enabled and default configurations are left in place. The attacker looks for weaknesses such as exposed remote administration functions or default credentials and exploits them, and a misconfigured server is also an easier target for injection attacks such as SQL injection and command injection.

HTTP Response Splitting Attacks – The attacker injects a carriage return and line feed (CR LF, %0d%0a) into a value that the server copies into a response header, such as the URL in a Location header. The server then emits what the client parses as two responses; the second is entirely under the attacker's control and can redirect the user to a malicious site, carry script, or poison an intervening cache.

Web Cache Poisoning – A web cache temporarily stores web documents such as pages and images so they can be served quickly. In cache poisoning the attacker crafts requests that cause the cache to store a malicious response under the key of a legitimate URL, so that users who subsequently request that URL are served the attacker's content, for example a redirect to a malicious website.

SSH Brute Force Attacks – Brute force is trial and error: the attacker submits many usernames and passwords or passphrases until one is accepted. Against SSH the prize is an encrypted, interactive remote shell on the host, which is why exposed SSH services are hammered with guesses constantly.

Web Server Password Cracking Attacks – The attacker recovers a server or administrator password and uses it to carry out further attacks. Common password cracking tools are Hydra, John the Ripper, Hashcat and Aircrack-ng (the last aimed at Wi-Fi keys).

Hacking Methodology

Information Gathering

Information gathering is the process of collecting whatever can be learned about the victim or target through many channels, such as social engineering and searching the internet.

Footprinting

Footprinting is a crucial phase in which the attacker uses various tools to gather information about the target. In this phase the attacker uses passive methods to learn about the victim before attacking, keeping interaction with the target to a minimum to avoid detection and to avoid alerting the target.
Footprinting can quickly reveal likely weaknesses in the target system, which the later phases then try to exploit. Methods include Whois lookups, Google searching, operating system detection and network enumeration.

Web Server Footprinting

In web server footprinting, information is gathered with tools that focus on web servers, such as Maltego, httprecon and Nessus, yielding details such as the operating system, the running services, the server type and version, and the applications it hosts.

1. Vulnerability Scanning – Vulnerability scanning is the step taken after footprinting to aim the attack precisely. A vulnerability scanner is a program made to discover weaknesses in computers and networks. Techniques used include port scanning, OS detection and enumeration of network services. Common scanning tools are Nmap, Nikto, Nessus and many more.

Different Types of Vulnerability Scanning

Vulnerability scanning is classified into two types, unauthenticated and authenticated scans.

Authenticated Scan: The scanner is given credentials and logs in to the hosts as a network user. It can then see what an insider or a compromised account would see, including missing patches, weak local configuration and flaws that only an authenticated user can reach, and it checks the attacks an attacker could mount from that position.

Unauthenticated Scan: The scanner has no credentials and performs only what an outside attacker could do without access to the network. Its findings show how an attacker might get in without signing in.

2. Session Hijacking – Session hijacking, or cookie hijacking, is the exploitation of a web session. The attacker takes over a user's session to gain unauthorized access to the application and its services. It applies mainly to web applications and browser sessions. To succeed the attacker needs the session ID (session key). It can be obtained by sniffing or stealing it, or by tricking the user into following a malicious link supplied by the attacker. Once the attacker holds the key, he presents the same session key himself and the server treats the attacker's connection as the original session.

3. Password Attacks – Password cracking is the recovery of passwords in order to gain unauthorized access to the legitimate user's system. It can be done through social engineering, dictionary attacks, password guessing, or stealing stored information that yields the passwords. Password attacks are classified as:

Non-Electronic Attack
Active Online Attack
Passive Online Attack
Default Passwords
Offline Attack

Defensive measures to protect a web server

To secure a web server against internal and external attacks, the essential recommendation is to keep it in a secure zone. Security devices such as firewalls, IDS and IPS must be deployed, and keeping the servers in an isolated network segment protects them from threats elsewhere in the environment.

A website change detection system detects unexpected activity or changes on the web server: scripts inspect the files the server uses for any modification, which exposes hacking attempts such as defacement or planted web shells.

To harden the server itself, minimize the services running on it; disable all unnecessary and insecure ports; allow only encrypted traffic; disable the HTTP TRACE method; and monitor traffic continuously for unauthorized activity. Serve over HTTPS on port 443 rather than plain HTTP on port 80, and redirect HTTP to HTTPS, to secure browser communication.

Conclusion: In this article we learnt how a web server works, its security issues, and the hacking methodology used against it, with various examples. As an ethical hacker it is important to know the common web server attacks and to understand the best practices and defensive measures that protect web servers against them.
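The attack list above describes directory traversal and HTTP response splitting in words. The following is an added example, my own code rather than the article's or any real web server's, that shows each bug next to its fix in Python: a naive URL-path-to-file mapping that lets "../" escape the document root beside a containment check, and a redirect that copies a request-controlled value into the Location header beside one that refuses control characters. DOCROOT, the request paths and EVIL_LOCATION are constructed for the demonstration.

```python
"""Directory traversal and HTTP response splitting: vulnerable vs hardened.

Added example; not code from the article or from any real web server.
DOCROOT, the request paths and EVIL_LOCATION are constructed for the demo.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # assumed document root for the example


# ---- Directory (path) traversal ---------------------------------------------

def resolve_vulnerable(url_path):
    """Naive mapping of a URL path onto the filesystem: percent-decode and
    concatenate. normpath happily follows '../' straight out of DOCROOT."""
    return posixpath.normpath(DOCROOT + "/" + unquote(url_path))


def resolve_hardened(url_path):
    """Decode, normalise, then check containment. Returns the filesystem
    path, or None when the request must be rejected (400/403)."""
    decoded = unquote(url_path)
    if "\x00" in decoded:                 # NUL-byte truncation trick
        return None
    # lstrip('/') matters: posixpath.join discards DOCROOT when the second
    # argument is absolute.
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    # commonpath, not startswith: '/var/www/html2/x' starts with DOCROOT as a
    # string yet lies outside it.
    if posixpath.commonpath([DOCROOT, candidate]) != DOCROOT:
        return None
    return candidate


# ---- HTTP response splitting (CRLF injection) --------------------------------

# Attacker-chosen redirect target, as it would arrive percent-encoded: it closes
# the server's response and starts a second, attacker-controlled one.
EVIL_LOCATION = unquote(
    "http://good.example/%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2023%0d%0a%0d%0a<script>evil()</script>"
)


def redirect_vulnerable(target):
    """Copy a request-controlled value into the Location header unchecked."""
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: {target}\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def redirect_hardened(target):
    """Reject CR, LF and NUL before the value can reach a header line."""
    if any(ch in target for ch in "\r\n\x00"):
        raise ValueError("control characters in header value")
    return redirect_vulnerable(target)


def count_responses(raw):
    """How many responses a naive client or proxy would parse out of `raw`."""
    return sum(1 for line in raw.split("\r\n") if line.startswith("HTTP/1.1 "))


if __name__ == "__main__":
    print(resolve_vulnerable("/../../../etc/passwd"))       # escapes to /etc/passwd
    print(resolve_hardened("/../../../etc/passwd"))         # None: rejected
    print(resolve_hardened("/images/logo.png"))             # stays inside DOCROOT
    print(count_responses(redirect_vulnerable(EVIL_LOCATION)))  # 2 responses
```

Mature servers and frameworks already enforce the second check for you (Python's own http.client, for instance, refuses header values containing CR or LF), so the realistic exposure today is in hand-rolled handlers and proxies that build raw response bytes; the traversal check, by contrast, still has to be written by whoever maps URLs to files.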