Search

Strengthening the Attack by Effective “Scanning”

As per the Oxford dictionary, “Scanning” is defined as “to look at all parts of (something) carefully in order to detect some feature”. Scanning is a technique which is very widely used in the cyber security domain. Security engineers, hackers, and researchers often use various kinds of scanning in the course of their work. Network Scanning is a process where an attacker uses tools and techniques to gather information about the target. This information may be as simple as the active hosts within the network, to complex discoveries like gathering the OS of the hosts, open ports and active vulnerabilities on the host. Scanning is not only done on the network; it could also be application scanning, or website scanning, depending on the need. However, in this article, we will focus mainly on network scanning and will only briefly touch upon application and website scanning.Scanning is an integral part of ethical hacking, and without understanding the basics of ethical hacking, we would not be able to do justice to this topic. Generally, after reconnaissance, scanning is the second step of any hacking attempt. For that purpose, we will look at the basics of ethical hacking and its steps, after which we shall understand scanning and its types, take a deep dive into network scanning and finally look at some tools which are used in the industry for various types of scanning.What is hacking and ethical hacking?Whenever we listen to the word ‘Hacker’, we imagine a guy with black hood, sitting alone in a room, having multiple screens in front of him and typing commands at a blazing speed! In reality, that is not the case. A computer hacker is a person with deep domain expertise in the fields of computers, who explores methods to overcome the defense mechanisms by exploiting vulnerabilities in a computer system or network. A hacker can be financially or politically motivated, or could be working with an organization to help them strengthen their infrastructure. The latter is also referred to an ethical hacker.If we talk about the English definition of hacker as per the Oxford dictionary , it refers to a person who uses computers to get access to data in somebody else's computer or phone system without permission. An unethical hacker is someone who overcomes the security controls deployed by security teams to protect confidential and sensitive data by exploiting various vulnerabilities present in the system or network, and gains unauthorized access to the system. This is usually done for financial gain by unethical hackers.Now when the word ‘ethical’ is attached to ‘hacking’, it changes the meaning a bit and also the intent of hacking. In ethical hacking, the hacker exploits the vulnerability, gains access to the data, but never alters, deletes or steals it or uses it for personal, professional or financial gain. The hacker, in this case, will disclose the vulnerability to the owner of the system with a “Proof of Concept” (PoC) and request the owner to get the vulnerability remediated. Generally, the ethical hackers have an explicit permission to exploit the target from the owner. The companies could hire ethical hackers on their payroll and pay them to do such hacking or may allow hackers around the globe to evaluate their websites or applications through bug bounty programs. In this case, the companies offer monetary rewards to hackers who report bugs to the companies.Now when we have discussed ethical hackers, it would make sense to introduce the term, “White Hat Hacker”. A White Hat Hacker is an individual, generally working with or for a company to help the company strengthen its security posture. The white hat hacker has explicit permission from the system or the information owner to attack the system. The intent here is to fix the issues before the black hat hackers or the bad guys could exploit the vulnerability. Ethical hackers can also be referred to as white hat hackers.Steps in Ethical HackingTo successfully understand scanning, it is very important to understand what the various steps of hacking are. Any successful attack would need these steps to be followed:Reconnaissance or information gathering – As they say in the military, reconnaissance means to gather the information of the area by using foot soldiers, planes, drones, etc. In ethical hacking also, the process is similar. Here we try to gather as much information as we can about our target. The better the reconnaissance, the easier the attack would be. Basically, this step lays the foundation of our attack. Reconnaissance could be of two types, active and passive. In case of active reconnaissance, scanning is widely used for gaining information about the target. Generally, information that is available to the public is gathered in this phase.Scanning – The attacker has gained valuable insights about the target. But this is not enough, as deeper insights are required. Scanning helps in getting more specific information about the target. Web scanners help attackers understand the vulnerabilities in a website, while application scanners look at the application code and the lists of potential vulnerabilities and issues. Network scanners help the attacker to perform host discovery, identify ports and services and gain various details about the network, as we will discuss going forward.Gaining access – Now the attacker is armed with a lot of information on the IP ranges, key people of the organization, OS running on key servers, active hosts and so on. The attacker will now use techniques to deliver a payload (the actual virus or a malicious code) into the network of the target. This is generally done by using social engineering techniques like phishing.Maintaining access – This is the next step when the attacker has the access to the network and the system, and would now make sure that he has a persistent access to the resources. The attacker generally does this by creating a backdoor, which no one else is aware of. A backdoor is just like a secret way in and out of the system. This backdoor will ensure that even if the main gate (exploited vulnerability) has been closed by the target, there is a back gate which he could use to maintain the access to the compromised system.Covering tracks – Any attacker would want to remain anonymous while he is in the system or has left after stealing the information or damaging it. This is a very important step, since if this is not done, the hacker(if he is a black hat hacker) could land in jail. This is generally done by tampering (deleting or corrupting) the log files and/or using a VPN or a Virtual Private Network.Types of scanning in ethical hackingScanning is the second step in ethical hacking. It helps the attacker get detailed information about the target. Scanning could be basically of three types:Port Scanning – Detecting open ports and running services on the target hostNetwork Scanning – Discovering IP addresses, operating systems, topology, etc.Vulnerability Scanning – Scanning to gather information about known vulnerabilities in a targetPort scanning could be further divided into 5 types:Ping Scan – This is the simplest scan. Ping scan sends ICMP packets and wait for the response from the target. If there is a response, the target is considered to be active and listening.TCP Half Open – Also, referred to as SYN scan, this is another very common type of scanning method.TCP Connect – TCP connect is similar to TCP half open, except for the fact that a complete TCP connection is established in TCP connect port scanning.UDP – UDP is used by very common services like DNS, SNMP, DHCP. So, sending a UDP packet and waiting for a response helps gather information about UDP ports.Stealth Scanning – As the word says, stealth means a quieter activity. When an attacker wants to be undetected while scanning, a stealth scan is used.What is network scanningNetwork is the backbone of any information technology infrastructure, over which data and resources are shared. In today’s world, when the network is being used for almost everything, “Network Security”  is of critical importance. If the network is not secure, any other control is not worth applying! Network scanning is the process or technique by which we scan the network to gain details such as active hosts, open ports including running TCP and UDP services, open vulnerabilities, details about the host like operating system and much more. For IP (internet protocol) networks, generally “ping” is used for reaching a host and checking its status. Ping is an ICMP (Internet Control Message Protocol) utility and sends packets to the target and receives an ICMP echo reply.Within an organization, network scanning is used by monitoring and management systems. These are legitimate uses of scanning and are very regularly used by network management tools and network administrators. On the other side, scanning used by an attacker relies on the same tools and protocols as used by network administrators for monitoring and management. The attacker would first obtain the IP address range of the target network generally using DNS or the whois protocol. Once the attacker has the IP range, he would scan the network for active host, their operating systems and related details as discussed above. Finally, with all this information, the attacker may attempt to breach the target systems.How is Network Scanning different from Reconnaissance?Reconnaissance, as discussed above, is the first step in ethical hacking. In this step, the attacker tries to gather as much information as possible. Reconnaissance could be of two types, active and passive. In passive reconnaissance, the attacker makes absolutely no contact with the target systems or the network. However, in active reconnaissance, the attacker makes direct contact with the target machines and network in order to gain some basic information. This is generally done by scanning and foot-printing.You might be wondering, why are we talking about scanning in reconnaissance and then also discussing scanning as a different and independent step of ethical hacking? There is a thin line between the two.As discussed above, during active reconnaissance, there is contact with the target network. However, in the scanning step (2nd step of ethical hacking), the attacker already has basic information about the network and the infrastructure. The aim is to get details like active host names, open ports, operating systems on the active hosts, etc. While they might seem the same, scanning is not possible or rather, would not be successful without an in-depth and detailed reconnaissance. The scanning step further expands reconnaissance and takes it to the next level.Network Scanning tool – NMAP with examplesLet us have a look at nmap, a very commonly used network scanning tool and see some examples of its use. You can install nmap (Zenmap is the UI interface for Windows) from nmap [dot] org. Below is what the Zenmap looks like:We input the target IP or IP range in the “Target” field, choose a profile from the dropdown and input a command which specifies certain parameters. Below are some common parameters you can find in the nmap tool:HOST DISCOVERY:a. -sL: List Scan - simply list targets to scanb. -sn: Ping Scan - disable port scanc. -Pn: Treat all hosts as online -- skip host discoverySCAN TECHNIQUES:a. -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scansb. -sU: UDP Scanc. -sN/sF/sX: TCP Null, FIN, and Xmas scansd. --scanflags <flags>: Customize TCP scan flagsPORT SPECIFICATION AND SCAN ORDER:a. -p <port ranges>: Only scan specified portsb. --exclude-ports <port ranges>: Exclude the specified ports from scanningc. -F: Fast mode - Scan fewer ports than the default scanSERVICE/VERSION DETECTIONa. -sV: Probe open ports to determine service/version infoOS DETECTION:a. -O: Enable OS detectionSome examples are given below:nmap -v -A knowledgehut.comnmap -v -sn 192.168.0.1-100nmap -v -O 192.168.1.200-210nmap -v -iR 10000 -Pn -p 443You can refer to nmap official website (nmap [dot] org/book/man [dot] html) for more examples and use cases.Some common scanning tools used in the industryWith the evolution of sophisticated attacks, the network security industry has evolved a great deal, and there are more than a dozen tools which help companies manage their network and ensure it is secure from all kinds of attacks. Below are some very common and trusted tools which are used across the industry:OpenVAS – OpenVAS or the Open Vulnerability Assessment System is an open source tool for network scanning and monitoring. OpenVAS allows a high level of customization and provides an option of intelligent scan. It provides three types of scans, namely, full scan, web server scan and WordPress scan.Nmap – As discussed above, nmap is one of the most reliable network scanners used across the industry. It is an open source tool and allows a lot of pre-configured commands. It comes with NSE or the Nmap Scanning Engine, which is very effective in detecting network misconfigurations and security issues. It is available both in graphical user interface (GUI) and command line interface (CLI).Nessus – One of the most widely used enterprise scanning tools, the Tenable owned Nessus provides amazing scanning capabilities, including many predefined templates. It has pre-configured scans (templates) for PCI compliance, Badlock detection, Malware Scan, DROWN Detection to name a few. It is one of the most trusted scanners used across the industry. Nessus provides free trial version and student editions (with limited features of course) for learning and research purposes.Acunetix – Acunetix is one of the most widely used web application scanners. The ability to integrate with trackers like Jira, repositories like GitHub and automation capabilities with Jenkins, makes Acunetix a must-have for enterprises. It also helps the security teams integrate security into their SDLC (Software Development Life Cycle) processes.Wireshark – Wireshark is a free and open source packet analyzer. Very widely used, this tool is often used by attackers when they have successfully entered a network for “sniffing” the traffic. Wireshark’s ability to capture real time packets, convert them to human readable form and a very easy to use and interactive GUI makes it one of the favorite tools of network administrators and security researchers (and hackers, of course!).Concluding remarksScanning is the second step of the ethical hacking process and until an attacker is proficient in this, it is highly unlikely that the attack will be successful. Network scanning not only tells you about the hosts and their basic configurations, it also tells an attacker about various vulnerabilities present in the hosts. On the other side, application scanners tell what vulnerabilities (generally from an OWASP standpoint) are existent in an application. Scanning, if done the right way can reveal a lot of information about the organization. Having said that, the network and security administrators within almost all organizations have tools deployed to ensure that any scanning attempt is detected almost instantaneously and a corrective action (generally blocking) is taken. This makes it even more difficult for any attacker to launch a scan on an organization’s network and come up with successful results. Many a times, scanning is blocked at the firewall level. This means, ICMP traffic is denied by default, except for some IPs and subnets where it is required for trouble-shooting purposes.

Strengthening the Attack by Effective “Scanning”

787
  • by Vatsal Jain
  • 18th Nov, 2020
  • Last updated on 11th Mar, 2021
  • 10 mins read
Strengthening the Attack by Effective “Scanning”

As per the Oxford dictionary, “Scanning” is defined as “to look at all parts of (something) carefully in order to detect some feature”. Scanning is a technique which is very widely used in the cyber security domain. Security engineers, hackers, and researchers often use various kinds of scanning in the course of their work. Network Scanning is a process where an attacker uses tools and techniques to gather information about the target. This information may be as simple as the active hosts within the network, to complex discoveries like gathering the OS of the hosts, open ports and active vulnerabilities on the host. Scanning is not only done on the network; it could also be application scanning, or website scanning, depending on the need. However, in this article, we will focus mainly on network scanning and will only briefly touch upon application and website scanning.

Scanning is an integral part of ethical hacking, and without understanding the basics of ethical hacking, we would not be able to do justice to this topic. Generally, after reconnaissance, scanning is the second step of any hacking attempt. For that purpose, we will look at the basics of ethical hacking and its steps, after which we shall understand scanning and its types, take a deep dive into network scanning and finally look at some tools which are used in the industry for various types of scanning.

What is hacking and ethical hacking?

Whenever we listen to the word ‘Hacker’, we imagine a guy with black hood, sitting alone in a room, having multiple screens in front of him and typing commands at a blazing speed! In reality, that is not the case. A computer hacker is a person with deep domain expertise in the fields of computers, who explores methods to overcome the defense mechanisms by exploiting vulnerabilities in a computer system or network. A hacker can be financially or politically motivated, or could be working with an organization to help them strengthen their infrastructure. The latter is also referred to an ethical hacker.

If we talk about the English definition of hacker as per the Oxford dictionary , it refers to a person who uses computers to get access to data in somebody else's computer or phone system without permission. An unethical hacker is someone who overcomes the security controls deployed by security teams to protect confidential and sensitive data by exploiting various vulnerabilities present in the system or network, and gains unauthorized access to the system. This is usually done for financial gain by unethical hackers.

Now when the word ‘ethical’ is attached to ‘hacking’, it changes the meaning a bit and also the intent of hacking. In ethical hacking, the hacker exploits the vulnerability, gains access to the data, but never alters, deletes or steals it or uses it for personal, professional or financial gain. The hacker, in this case, will disclose the vulnerability to the owner of the system with a “Proof of Concept” (PoC) and request the owner to get the vulnerability remediated. Generally, the ethical hackers have an explicit permission to exploit the target from the owner. The companies could hire ethical hackers on their payroll and pay them to do such hacking or may allow hackers around the globe to evaluate their websites or applications through bug bounty programs. In this case, the companies offer monetary rewards to hackers who report bugs to the companies.

Now when we have discussed ethical hackers, it would make sense to introduce the term, “White Hat Hacker”. A White Hat Hacker is an individual, generally working with or for a company to help the company strengthen its security posture. The white hat hacker has explicit permission from the system or the information owner to attack the system. The intent here is to fix the issues before the black hat hackers or the bad guys could exploit the vulnerability. Ethical hackers can also be referred to as white hat hackers.

Steps in Ethical Hacking

To successfully understand scanning, it is very important to understand what the various steps of hacking are. Any successful attack would need these steps to be followed:

  1. Reconnaissance or information gathering – As they say in the military, reconnaissance means to gather the information of the area by using foot soldiers, planes, drones, etc. In ethical hacking also, the process is similar. Here we try to gather as much information as we can about our target. The better the reconnaissance, the easier the attack would be. Basically, this step lays the foundation of our attack. Reconnaissance could be of two types, active and passive. In case of active reconnaissance, scanning is widely used for gaining information about the target. Generally, information that is available to the public is gathered in this phase.
  2. Scanning – The attacker has gained valuable insights about the target. But this is not enough, as deeper insights are required. Scanning helps in getting more specific information about the target. Web scanners help attackers understand the vulnerabilities in a website, while application scanners look at the application code and the lists of potential vulnerabilities and issues. Network scanners help the attacker to perform host discovery, identify ports and services and gain various details about the network, as we will discuss going forward.
  3. Gaining access – Now the attacker is armed with a lot of information on the IP ranges, key people of the organization, OS running on key servers, active hosts and so on. The attacker will now use techniques to deliver a payload (the actual virus or a malicious code) into the network of the target. This is generally done by using social engineering techniques like phishing.
  4. Maintaining access – This is the next step when the attacker has the access to the network and the system, and would now make sure that he has a persistent access to the resources. The attacker generally does this by creating a backdoor, which no one else is aware of. A backdoor is just like a secret way in and out of the system. This backdoor will ensure that even if the main gate (exploited vulnerability) has been closed by the target, there is a back gate which he could use to maintain the access to the compromised system.
  5. Covering tracks – Any attacker would want to remain anonymous while he is in the system or has left after stealing the information or damaging it. This is a very important step, since if this is not done, the hacker(if he is a black hat hacker) could land in jail. This is generally done by tampering (deleting or corrupting) the log files and/or using a VPN or a Virtual Private Network.

Types of scanning in ethical hacking

Scanning is the second step in ethical hacking. It helps the attacker get detailed information about the target. Scanning could be basically of three types:

  1. Port Scanning – Detecting open ports and running services on the target host
  2. Network Scanning – Discovering IP addresses, operating systems, topology, etc.
  3. Vulnerability Scanning – Scanning to gather information about known vulnerabilities in a target

Port scanning could be further divided into 5 types:

  1. Ping Scan – This is the simplest scan. Ping scan sends ICMP packets and wait for the response from the target. If there is a response, the target is considered to be active and listening.
  2. TCP Half Open – Also, referred to as SYN scan, this is another very common type of scanning method.
  3. TCP Connect – TCP connect is similar to TCP half open, except for the fact that a complete TCP connection is established in TCP connect port scanning.
  4. UDP – UDP is used by very common services like DNS, SNMP, DHCP. So, sending a UDP packet and waiting for a response helps gather information about UDP ports.
  5. Stealth Scanning – As the word says, stealth means a quieter activity. When an attacker wants to be undetected while scanning, a stealth scan is used.

What is network scanning

Network is the backbone of any information technology infrastructure, over which data and resources are shared. In today’s world, when the network is being used for almost everything, “Network Security”  is of critical importance. If the network is not secure, any other control is not worth applying! Network scanning is the process or technique by which we scan the network to gain details such as active hosts, open ports including running TCP and UDP services, open vulnerabilities, details about the host like operating system and much more. For IP (internet protocol) networks, generally “ping” is used for reaching a host and checking its status. Ping is an ICMP (Internet Control Message Protocol) utility and sends packets to the target and receives an ICMP echo reply.

Within an organization, network scanning is used by monitoring and management systems. These are legitimate uses of scanning and are very regularly used by network management tools and network administrators. On the other side, scanning used by an attacker relies on the same tools and protocols as used by network administrators for monitoring and management. The attacker would first obtain the IP address range of the target network generally using DNS or the whois protocol. Once the attacker has the IP range, he would scan the network for active host, their operating systems and related details as discussed above. Finally, with all this information, the attacker may attempt to breach the target systems.

How is Network Scanning different from Reconnaissance?

Reconnaissance, as discussed above, is the first step in ethical hacking. In this step, the attacker tries to gather as much information as possible. Reconnaissance could be of two types, active and passive. In passive reconnaissance, the attacker makes absolutely no contact with the target systems or the network. However, in active reconnaissance, the attacker makes direct contact with the target machines and network in order to gain some basic information. This is generally done by scanning and foot-printing.

You might be wondering, why are we talking about scanning in reconnaissance and then also discussing scanning as a different and independent step of ethical hacking? There is a thin line between the two.

As discussed above, during active reconnaissance, there is contact with the target network. However, in the scanning step (2nd step of ethical hacking), the attacker already has basic information about the network and the infrastructure. The aim is to get details like active host names, open ports, operating systems on the active hosts, etc. While they might seem the same, scanning is not possible or rather, would not be successful without an in-depth and detailed reconnaissance. The scanning step further expands reconnaissance and takes it to the next level.

Network Scanning tool – NMAP with examples

Let us have a look at nmap, a very commonly used network scanning tool and see some examples of its use. You can install nmap (Zenmap is the UI interface for Windows) from nmap [dot] org. Below is what the Zenmap looks like:

Network Scanning tool – NMAP with examples
We input the target IP or IP range in the “Target” field, choose a profile from the dropdown and input a command which specifies certain parameters. Below are some common parameters you can find in the nmap tool:

  1. HOST DISCOVERY:
    a. -sL: List Scan - simply list targets to scan
    b. -sn: Ping Scan - disable port scan
    c. -Pn: Treat all hosts as online -- skip host discovery
  2. SCAN TECHNIQUES:
    a. -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
    b. -sU: UDP Scan
    c. -sN/sF/sX: TCP Null, FIN, and Xmas scans
    d. --scanflags <flags>: Customize TCP scan flags
  3. PORT SPECIFICATION AND SCAN ORDER:
    a. -p <port ranges>: Only scan specified ports
    b. --exclude-ports <port ranges>: Exclude the specified ports from scanning
    c. -F: Fast mode - Scan fewer ports than the default scan
  4. SERVICE/VERSION DETECTION
    a. -sV: Probe open ports to determine service/version info
  5. OS DETECTION:
    a. -O: Enable OS detection

Some examples are given below:

  1. nmap -v -A knowledgehut.com
  2. nmap -v -sn 192.168.0.1-100
  3. nmap -v -O 192.168.1.200-210
  4. nmap -v -iR 10000 -Pn -p 443

You can refer to nmap official website (nmap [dot] org/book/man [dot] html) for more examples and use cases.

Some common scanning tools used in the industry

With the evolution of sophisticated attacks, the network security industry has evolved a great deal, and there are more than a dozen tools which help companies manage their network and ensure it is secure from all kinds of attacks. Below are some very common and trusted tools which are used across the industry:

  1. OpenVAS – OpenVAS or the Open Vulnerability Assessment System is an open source tool for network scanning and monitoring. OpenVAS allows a high level of customization and provides an option of intelligent scan. It provides three types of scans, namely, full scan, web server scan and WordPress scan.
  2. Nmap – As discussed above, nmap is one of the most reliable network scanners used across the industry. It is an open source tool and allows a lot of pre-configured commands. It comes with NSE or the Nmap Scanning Engine, which is very effective in detecting network misconfigurations and security issues. It is available both in graphical user interface (GUI) and command line interface (CLI).
  3. Nessus – One of the most widely used enterprise scanning tools, the Tenable owned Nessus provides amazing scanning capabilities, including many predefined templates. It has pre-configured scans (templates) for PCI compliance, Badlock detection, Malware Scan, DROWN Detection to name a few. It is one of the most trusted scanners used across the industry. Nessus provides free trial version and student editions (with limited features of course) for learning and research purposes.
  4. Acunetix – Acunetix is one of the most widely used web application scanners. The ability to integrate with trackers like Jira, repositories like GitHub and automation capabilities with Jenkins, makes Acunetix a must-have for enterprises. It also helps the security teams integrate security into their SDLC (Software Development Life Cycle) processes.
  5. Wireshark – Wireshark is a free and open source packet analyzer. Very widely used, this tool is often used by attackers when they have successfully entered a network for “sniffing” the traffic. Wireshark’s ability to capture real time packets, convert them to human readable form and a very easy to use and interactive GUI makes it one of the favorite tools of network administrators and security researchers (and hackers, of course!).

Concluding remarks

Scanning is the second step of the ethical hacking process and until an attacker is proficient in this, it is highly unlikely that the attack will be successful. Network scanning not only tells you about the hosts and their basic configurations, it also tells an attacker about various vulnerabilities present in the hosts. On the other side, application scanners tell what vulnerabilities (generally from an OWASP standpoint) are existent in an application. Scanning, if done the right way can reveal a lot of information about the organization. Having said that, the network and security administrators within almost all organizations have tools deployed to ensure that any scanning attempt is detected almost instantaneously and a corrective action (generally blocking) is taken. This makes it even more difficult for any attacker to launch a scan on an organization’s network and come up with successful results. Many a times, scanning is blocked at the firewall level. This means, ICMP traffic is denied by default, except for some IPs and subnets where it is required for trouble-shooting purposes.

Vatsal

Vatsal Jain

Author

Vatsal Jain is an Information Security professional with close to 3 years of experience. He has worked with multiple MNCs and has exposure in Information Security Auditing, creating and maintaining InfoSec Policies and Procedures, Network Security and Risk Management. He has cracked exams like CISA, CISM and CEH. He also holds certifications like ISO 27001 LA, ITIL Foundation, ISO 22301 LI and AZ-900. He has done B.Tech. in CSE with a specialization in Cyber Security and Forensics.

Join the Discussion

Your email address will not be published. Required fields are marked *

Suggested Blogs

How To Clear CEH in First Attempt?

Cybercrime and hacking attacks are doubling year on year. Not just corporate giants and government entities, but even small scale companies and start-ups are afraid of being victims of cyber theft. Organizations may face major losses not just in their profits but also loss of reputation, data, and customers. Therefore, almost all organizations want to keep their data and privacy of their customers safe from cyber criminals. These organizations spend a fortune on implementing robust technology architecture and on hiring professionals who can identify loopholes in the cyber security systems and patch them up before hackers can get through. These professionals, known as ethical hackers or white hat hackers, can help organizations protect their assets (people, process, and technology) from cybercriminals.Why CEH? The exponential rise in data, and our dependence on virtual systems has also consequently raised attacks from cyber criminals and data breaches. This has made the role of the ethical hacker among the most important job roles in these times. There is a huge demand for cybersecurity experts in almost all types of businesses. To hire security experts, organizations have some basic or minimum benchmarks set. These security experts are expected to have a good understanding of security concepts, and knowledge of the latest tools, processes, and frameworks so that they can be one step ahead of cyber criminals and prevent data breach.  This is where certifications such as the CEH - Certified Ethical Hacker by EC-Council comes into play. The CEH is the most comprehensive program for ethical hackers as it covers the latest hacking trends and familiarises professionals with the technologies that will help prevent data breaches. This international accreditation is recognised world over, so no matter where you are, your skills and knowledge will be considered valid by all organizations, anywhere in the world. To defeat the hacker, you need to think like a hacker. This program is all about developing the hacker mindset but in an ethical way. Once you are ready to jump into this, passing the CEH exam is your 1st milestone in your career. In this article, we will learn how to become a certified ethical hacker in the very first attempt, for which hard work and dedication are highly recommended.  Preparation Steps We will discuss here the 5 steps to prepare for CEH certification.  1. Plan the training Once you decide to achieve the certification, you need a concrete plan for training as well as practice. Choose the best source for training. We highly recommend choosing offline classroom training if you are a student or novice in cybersecurity. Usually, you can complete training in 3-4 months or less.  The reason we recommend an offline course is that meeting other like-minded learners and professionals will help you  develop the ethical hacker mindset. You can get in touch with proper mentors, people with similar mind-sets and take advantage of group study which can reveal many unknown issues, incidents, and examples. Of course, this will cost you more but you can’t learn to swim without getting wet.2. Get your hands dirty – Practice! The plus point of the latest version of CEH v11 is that it is more focused,  practical based and scenario-based with the latest content that equips students with hands-on skills. Remember, security is all about practice and implementation rather than a bunch of documents and do’s and don’ts checklist. In the course of gaining the credential you will learn about methods and tools that you can use to protect the organization such as security implementations, testing, and monitoring. Just bookish knowledge won’t help there. We recommend that spending at least 2 hours daily practice apart from training will improve your skills dramatically.3. Study Guides  While we did mention above not to be bookish, books are a treasure trove of knowledge and even for clearing the CEH you must do a thorough read of the recommended books.  You can religiously follow study guides and clear your concept on every topic in a very descriptive manner. This will answer all your “What and Why” in terms of cybersecurity and ethical hacking. Of course, this is world-class content and therefore you will get exact definitions, descriptions, and diagrams for almost all topics. We recommend studying at least 1 hour daily to get clear on all topics during the training.  4. Study groups - Community Study groups will polish your knowledge and skills for CEH topics. There are many study groups you can join where you can resolve your queries, clear your doubts, take help to learn something, and help others too. This will help you to stay in the company of like-minded people and you will get to learn fast.  However, it is recommended not to share any personal/sensitive information. Beware of any unknown person who asks for sensitive information like your IP address, location, personal information, or anything apart from CEH courseware.   We recommend making a study group with the people you know who are also attempting the exam. You can take the help of your trainer or mentor to manage this group. Be active and participate in group activities like quizzes or group discussions. 5. Self-assessment Keep learning is the key element of CEH training. Brush up your knowledge for the exam perspective as that is your main goal to become certified. For this, you need to learn how to give the exam and what type of questions are asked. For a second, let’s imagine the scenario of a war. If a new trainee soldier having knowledge of arms and wearing his 15 kgs protective suit jumped into the warzone, do you think he can fight better and save the lives of others without having any practice? Probably not, because he is unaware of war scenarios, combat methods, and ways of attack and defense in real war zones where the situation is uncertain. The same concept applies to CEH exams. You may face a lot of weird-looking or twisted or tricky questions with confusing multiple answers. Therefore, once you are done with your CEH training and you have knowledge of all topics, you need to test it like a mock drill of the war zone.There are many sources available where you can practice the exam questions. This platform will help you to understand the methods to ace the exam questions, and complete them within the required timeframe. Here we are sharing some links to practice for your exams. ( Note: We do not promote any website or any platform here. These links are shared to help students find good options for studying.) CEH ASSESSMENT- EC-CouncilEC-Council® CEH™ Exam PrepCEH practice examApart from this, you can follow blogs, industry experts, and relevant videos for more understanding and guidance.Required soft skills Every job roles needs certain skills apart from the core skills needed to perform on the job. These include soft skills that will help you grow as an individual and as a professional.Be Curious – Be hungry for knowledge and for learning new things and gaining new skills.  Be Enthusiastic - Be enthusiastic and motivated throughout your journey as a hacker and you will be rewarded.  Eliminate the distractions - Avoid time-wasting or non-productive activities during the training like spending time on online games or social media. About the exam After getting trained and completing your practice, it is time for the exam. The CEH exam is a 4 hour exam with 125 multiple choice questions. Check the below link for the exam blueprint to get an idea of the percentage ratio of each module during the CEH exam. Examination centres can be chosen based on your location. Keep your exam code with you. The exam organizers have a process to determine the difficulty rating of each question. For more information, you can check out the EC-Council website and get in touch with your training center.Conclusion So, start your journey on becoming a certified cyber security professional with the CEH course and credential. As with anything else, practice makes perfect and you will become better as an ethical hacker with practice. Work hard and you will definitely achieve your CEH certification at the very first attempt. 
9621
How To Clear CEH in First Attempt?

Cybercrime and hacking attacks are doubling year o... Read More

What Is SQL Injection (SQLi)

In today’s world cyber-attacks are triggered to alter or steal the information of a person or an organization in a huge volume of data. It is very much important to protect the data/database from security related attacks.SQL injection is one of the top trending cyber attack techniques recognized by the world’s top non-profit security foundation OWASP (Open Web Application Security Project). SQL injection attacks are made by inserting or injecting the SQL query input from the client end of the application. In this article, we will learn about the SQL injection, types of attacks using SQL injection and preventive steps.  What is SQL Injection? SQL injection attack is used to insert malicious SQL statements into an entry field for execution. This injection technique is the most common web application hacking attack that allows an attacker to get unauthorised access, commit identity spoofing, tamper, take control or destroy your database. This is an attack that is very simple and easy to carry out even for script kiddies.  As we can see in the above picture, this is the second most common vulnerability that can impact databases. SQL injection flaws occur because of poorly designed web applications that can exploit SQL statements that execute malicious code.  How SQL injection is used is very much dependent on the intention of the hacker. With unauthorized access to a database server, what can attackers do? Here are some examples: Download unauthorized data of a person or an organization Delete/modify data Permanently destroy data/backups Add a virus to a system Alter security Encrypt/steal/alter data and hold it for ransom Publicly shame an organization via a web or social media hack Use data to harm business operations How does SQL injection work? To understand SQL injection, you need to know what SQL is.   SQL – SQL stands for Structured Query Language. This language is mainly developed for interacting with the relational database. For data manipulation, Query is used to insert data, modify the database, or just to access the required data.Image SourceSQL Injection is one of the most vulnerable threats which may exploit the entire database of any private organization or government sector where code is injected in a web page.  An SQL statement will be altered in a manner which goes with ALWAYS TRUE as constraint. (In simple words 1=1  This will be always true) It allows an attacker to view unauthorized data. This might include data belonging to other users, or any other data that the application itself is able to access. An attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.SQL injection TypesThere are a wide variety of SQL injection vulnerabilities, attacks, and techniques, which arise in different situations. Some common SQL injection examples include:Tautologies – Used to Bypass AuthenticationSelect * from USERTable where uid=‘xyz’ and pwd =’x’ or ‘5’=’5’;Union – Used to Extract Data. A different dataset is returned from the Database.  Illegal/Logically Incorrect Queries - Used to Identify injectable parameters.  Piggybacked Queries - Multiple queries are executed without the knowledge of the user which may lead to Database exploitation. Injected queries are added to the normal executable query. Inference - Different responses from the database are cross checked by changing its behavior.  Stored procedure - Injection is done to the stored procedure present in the Database.Common Causes and how to avoid SQL Injection Attack-If we are assuming our application’s code/web forms are well protected against any kind of attack by default, application changes and assumptions that were true in the past or present may not be true in the future and may require additional changes. These assumptions eventually lead to compliance and security auditing failures. Using unsupported or legacy software/code/tools or features may lead to security holes and there could be chances of delay in catching or fixing such issues. Running patched and upgraded versions of code is critical to avoid security exploits. Continuously monitoring for new security vulnerabilities and reacting as needed is an important step towards avoiding unnecessary surprises. Reviewing old code is very important, and timely changes in the code are highly recommended as technologies keeps changing. The versions, functions, and extensions require regular upgrades. Older versions or codes are quite vulnerable and might be unable to maintain the integrity of your application. How to detect SQL injection vulnerabilitiesAs a pentester, you can use two techniques to find SQL injection vulnerabilities with high efficiency - manual and automated testing.Manual Testing During application development there are set of tests performed on each level, that help to detect any SQL injection vulnerability, if it exists. Check with the single ' character ‘ and look for errors or other anomalies. The tester can add some SQL specific syntax into code that can evaluate the original value of the entry point and other values, and check for different responses by the application. Another method is to create a Boolean condition, for example “OR 1=1” and “OR 1=2”, and check again to see if the application response is different.  There are some payloads available that are designed to trigger time delays if executed in SQL query, and you can check if there is any delay in response. Automated TestingThere are many good tools and frameworks available in the market. Here is the list of some of the best tools for SQL injection detection. SQLMap Appsider by Rapid7 Accunetix Wapiti Netsparker etc.How to prevent SQL injection vulnerability? To prevent or avoid SQL injection vulnerability, we must first understand why it occurs, and why it is listed as one of the vulnerabilities in the OWASP top 10.  The SQL injection is so easy to perform, that even a script kiddie can make an attempt.  Another reason is the treasure of critical data that lures the attacker to use SQL injection.  Below is the vulnerable code for SQL injection where the user input is concatenated directly into the query: String query = “;SELECT * FROM products WHERE category = ‘";+ input + "’" Statement statement = connection.createStatement(); ResultSet resultSet = statement.executeQuery(query); Check out the code below that helps to prevents the user input from interfering with the query structure: PreparedStatement statement = connection.prepareStatement("SELECT * FROM products WHERE category = ?");  statement.setString(1, input);  ResultSet resultSet = statement.executeQuery(); Primary recommendations: Use Parameterised queries  Least Privilege Use stored procedures if required White listing the input fields Avoid displaying detailed error messages that are useful to an attacker. It is also important to get patch updates regularly, as every day there are many new vulnerabilities that are found.  It is also recommended to use a Web Application Firewall to protect your application, which can help you to filter and find malicious data.  Where Do We Go Next? It is very important to identify and mitigate this notorious vulnerability and take immediate actions to keep your systems secure. Many skilled attackers are waiting to take advantage of your mistakes, like poor code, so that they can hack into the database. We know this vulnerability is very old but we have to be aware of the outcomes of this type of vulnerability and try to prevent this during the development phase, rather than covering up the liability later.  
7375
What Is SQL Injection (SQLi)

In today’s world cyber-attacks are triggered to ... Read More

The Importance Of PCI ; Data Security Standard (DSS)

As the world moves towards digital means of payments and transactions, there has also been concerns over the security and protection of cardholder information. According to the PCI Security Standards Council, more than 500 million card holder records with confidential information have been breached since 2005. Merchants, who accept digital forms of payments, are at the centre of digital payments, and can become a victim of financial fraud at multiple points, including: • The point-of-sale device or machine • Wireless hotspots • Connected computer or any other device • Transmission of the cardholder data to the service provider. Risk factors According to a business survey conducted by Forrester Consulting, a majority of businesses conduct activities increase the risk of card fraud, including storage of card number, expiration date, any verification code, and customer date. Introduction to Data Security Standard (DSS) The Payment Card Industry’s Data Security Standard (PCI-DSS) is a security standard mandatory for organizations that handle payments using cards, issued from major card types including MasterCard, Visa, and American Express. This PCI standard is mandatory for all card brands and is administered by the PCI Security Standards Council. The sole aim of the PCI standards is to protect cardholder data and to reduce card frauds. Objectives The objective of PCI-DSS course is the protection of cardholder data during storage, processing, and transmission. Cardholder account information includes the unique primary account number (PAN) printed in the front of every card. Merchants or any service provider, who process card payments, must never store sensitive information about the transaction after the authorization. This includes confidential data that is stored in the magnetic stripe of the card, along with any personal identification information entered by the cardholder. Requirements The PCI Data Security Standards specifies a list of 12 mandatory requirements, which are grouped under 6 control objectives, as listed below: 1) Build and maintenance of a high-security network, which includes: * Installation of a secure firewall to protect cardholder data. This restricts (or blocks) all traffic from untrusted networks, and prohibit direct public access between the Internet and the cardholder data environment. * Changing of the vendor-provided default password and other security measures. This is important as most card fraudsters are able to break into the cardholder’s internal network using the default passwords. 2) Protection of cardholder information, which includes: * Encryption of cardholder information that is transmitted over public networks. Encryption technology renders the transmitted data unreadable by any unauthorized person. Use of cryptography and security protocols such as SSL/TLS or IPSec can be used to safeguard customer data. * Protection of the stored cardholder data. Sensitive data on the magnetic chip of the card must not be stored. In case the PAN needs to be stored, it must be stored in an unreadable format. Limit the duration of storage of cardholder data. 3) Maintenance of a vulnerability management program, which includes: * Use and regular updates of anti-virus software programs on all systems. Harmful viruses can enter the user network through email and other online activities. Anti-virus software is an effective tool to protect computer systems from external attacks. * Development and maintenance of secure systems and applications. Security vulnerabilities in the system and applications can enable cyber criminals to access PAN and other secure data. Ensure that all the systems and application are updated with the latest security patch from the vendor. 4) Secure access control measures, which includes: * Restricting business access to cardholder information. Limit access to confidential cardholder data to only those users whose work requires this information. Additionally, restrict the access to the least amount of data required for business purpose. * Assigning of a unique ID to every person with computer access. This is important to be able to trace if the access to critical data has been executed by only authorized persons. 5). Restricting of the physical access to cardholder data. Physical access to cardholder data must be restricted to all onsite personnel, visitors, and all paper and electronic media. 6) Regular monitoring and testing of networks, which includes: * Tracking and monitoring of all access points to network resources and cardholder data. Use of logging mechanisms and tracking of user activities are included. * Regular testing of security procedures and processes. Periodic testing of security controls is important, along with internal and external network scans. 7) Maintaining of an information security policy, which includes: * Maintenance of a company policy that addresses information security. This includes establishing a security policy that addresses all the PCI-DSS requirements, along with an annual process to detect any vulnerability. These set of requirements is mandatory for companies that manufacture devices that accept and process PIN-based transactions or any other type of digital payments. Financial institutions, merchants, and service providers must ensure that they only use devices, approved for PTS (PIN transaction security).
The Importance Of PCI ; Data Security Standard (DS...

As the world moves towards digital means of paymen... Read More