Vapt Unit-1


UNIT – I: Introduction. Ethics of Ethical Hacking: Why you need to understand your enemy’s tactics, recognizing the gray areas in security, Vulnerability Assessment and Penetration Testing. Penetration Testing and Tools: Social Engineering Attacks: How a social engineering attack works, conducting a social engineering attack, common attacks used in penetration testing, preparing yourself for face-to-face attacks, defending against social engineering attacks.

Why you need to understand your enemy’s tactics

1. Foster a Proactive Security Mindset: Understanding the enemy's perspective encourages a proactive, rather than reactive, approach to security, enabling you to stay one step ahead.
2. Effective Defense: Understanding an adversary's tactics, techniques, and procedures (TTPs) allows
security professionals to implement effective defense mechanisms tailored to counter specific
threats.
3. Scenario-Based Exercises: Just like military exercises prepare soldiers for real battles, companies
simulate cyberattacks to understand hacker behavior and reinforce their security systems.
4. Hackers’ Evolution: Hackers are no longer just thrill-seekers but have become financially motivated.
Understanding this shift allows companies to anticipate more sophisticated, targeted attacks.
5. Malware Sophistication: Understanding how malware operates and evolves is crucial, as many
attacks are now automated, making it essential for organizations to stay ahead of malware
development and deployment strategies.
6. Botnets and DDoS Attacks: Knowledge of how botnets function and are used for distributed denial-
of-service (DDoS) attacks allows organizations to implement countermeasures to protect their
infrastructure.
7. Zero-Day Vulnerabilities: Understanding the nature of zero-day attacks and the tactics used to
exploit them is vital for organizations to develop strategies for timely detection and response.
8. Social Engineering Awareness: Familiarity with social engineering tactics used by attackers can help
organizations educate employees on recognizing and mitigating these types of threats.
9. Economic Impact of Attacks: Recognizing the financial implications of cyber attacks (e.g., downtime
costs) emphasizes the need for robust security measures and the understanding of enemy tactics to
minimize potential losses.

Recognizing the Gray Areas in Security

"Recognizing gray areas in security" means identifying situations where it's unclear whether something
is safe or a risk. These are areas where the rules or boundaries are not well-defined, making it harder to
determine the right security action.

1. BitTorrent trackers help share files over peer-to-peer networks using the BitTorrent protocol. They play a role in facilitating file sharing but do not actually store or host the files themselves. This raises a legal question: can they be held responsible for distributing illegal content, such as pirated movies or software, when they neither possess nor distribute the material but only provide the means for others to access it? This distinction creates a "gray area" in terms of legal responsibility.
2. Search engines like Google are designed to help us find information on the internet. However, some people try to trick search engines into showing their website first, even if it is not the best or most relevant result. This is called "search engine optimization" (SEO), and some of its methods blur the line between acceptable and fraudulent behavior:
• Keyword stuffing: "We are a great SEO company, providing SEO services, SEO consulting, and SEO optimization. Our SEO experts are the best in the business, providing top-notch SEO solutions."
• Scraper sites: These sites take (scrape) content from another website without authorization. The malicious site makes the stolen content just unique enough that it shows up as new content on the Web, fooling the search engine into giving it a higher ranking. Such sites commonly contain mostly advertisements and links back to the original sites.
• Spamdexing: This involves creating a webpage that is optimized for search engines but provides little or no value to users.

Example of spamdexing:
• A headline such as "Lose weight fast with our proven weight loss tips"
• A call-to-action that says "Click here to buy our weight loss product"
• A large amount of repetitive, low-quality content that repeats "weight loss" and "lose weight" many times
However, the webpage does not provide any useful or relevant information about weight loss, and the content is not well-written or engaging. The webpage is designed only to attract search engine traffic and sell a product, rather than to provide value to users.

3. Hacktivism: during the 2009 Iran elections, people used websites to protest against what they saw as unfair election results. Similarly, during the Israel-Gaza conflict, websites were defaced, and some were attacked to express political views. Such actions raise the question of whether they are morally right (ethical), and they are often illegal. Some people see hacktivism as a way to bring attention to an important issue, while others see it as a way to cause trouble or break the law. This is what makes it a gray situation.

Vulnerability Assessment and Penetration Testing

Vulnerability Assessment: Identifies and lists all vulnerabilities in a network.
Penetration Testing: Shows how these vulnerabilities can be exploited by attackers.

Vulnerability assessment
Automated Scanning: Vulnerability assessments typically utilize automated tools to scan networks for
open ports, services, operating systems, and application software. This automation helps identify
potential vulnerabilities quickly across a range of IP addresses. The findings from these scans are
compared against a database of known vulnerabilities, which allows the tool to generate reports listing
vulnerabilities along with recommended mitigations.

Limitations of Automated Tools:

• Contextual Understanding: Automated tools often lack the ability to interpret the context of vulnerabilities within the specific environment. This can lead to misclassification of risk levels (e.g., marking low-risk vulnerabilities as high).
• Complex Threats: Tools may not recognize how seemingly minor vulnerabilities can be exploited in conjunction with others to facilitate a larger attack.

Automated vulnerability assessments are useful for finding security problems. However, they should
be combined with manual testing and expert analysis. This combination helps organizations understand
and reduce the risks associated with vulnerabilities, leading to better overall security.
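As an added example (not from these notes), the following Python sketch shows the two halves of the argument above: scan findings are matched against a known-vulnerability database to produce a report with mitigations, and then a manual-analysis step combines individually low-rated findings on one host into a higher-rated chain, which is what the automated step misses. The products, versions, vulnerability ids and hosts are constructed placeholders.

```python
# Added example, not from the course notes. Matches constructed scan findings
# against a constructed known-vulnerability database (placeholder ids, not
# real CVEs) and then checks for chains of "minor" findings on the same host.
from dataclasses import dataclass

# Constructed known-vulnerability database keyed by (product, version).
KNOWN_VULNS = {
    ("DemoSSH", "1.2"): {"id": "VULN-0001", "severity": "low",
                         "issue": "login prompt reveals whether a username exists",
                         "fix": "upgrade DemoSSH to 1.3"},
    ("DemoHTTP", "4.0"): {"id": "VULN-0002", "severity": "low",
                          "issue": "directory listing exposes staff home folders",
                          "fix": "disable directory listing"},
    ("DemoFTP", "2.3"): {"id": "VULN-0003", "severity": "high",
                         "issue": "anonymous write access to the web root",
                         "fix": "disable anonymous FTP"},
}

# Constructed chain rules: vuln ids that, together on one host, raise the risk.
CHAIN_RULES = [
    ({"VULN-0001", "VULN-0002"}, "high",
     "listed folder names reveal usernames that the SSH service then confirms, "
     "so two low findings together hand an attacker a verified user list"),
]

@dataclass
class Finding:
    host: str
    port: int
    product: str
    version: str

@dataclass
class ReportEntry:
    host: str
    port: int
    vuln_id: str
    severity: str
    issue: str
    mitigation: str

def assess(findings):
    """Compare each scanned service with the database and list the matches
    with recommended mitigations, as an automated report would."""
    report = []
    for f in findings:
        match = KNOWN_VULNS.get((f.product, f.version))
        if match:
            report.append(ReportEntry(f.host, f.port, match["id"], match["severity"],
                                      match["issue"], match["fix"]))
    return report

def find_chains(report):
    """Manual-analysis step: per host, look for combinations of findings that
    a chain rule rates higher than any member alone."""
    by_host = {}
    for e in report:
        by_host.setdefault(e.host, set()).add(e.vuln_id)
    chains = []
    for host, ids in sorted(by_host.items()):
        for members, severity, why in CHAIN_RULES:
            if members <= ids:
                chains.append((host, sorted(members), severity, why))
    return chains

# Constructed scanner output (private addresses, fictional products).
SCAN_RESULTS = [
    Finding("10.0.0.5", 22, "DemoSSH", "1.2"),
    Finding("10.0.0.5", 80, "DemoHTTP", "4.0"),
    Finding("10.0.0.9", 21, "DemoFTP", "2.3"),
    Finding("10.0.0.9", 443, "DemoHTTP", "4.1"),  # no known issue: not reported
]

if __name__ == "__main__":
    report = assess(SCAN_RESULTS)
    for e in report:
        print(f"{e.host}:{e.port} {e.vuln_id} [{e.severity}] {e.issue} -> {e.mitigation}")
    for host, ids, severity, why in find_chains(report):
        print(f"CHAIN on {host}: {' + '.join(ids)} rated [{severity}]: {why}")
```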

Penetration Testing

A penetration test is when ethical hackers try to find and exploit vulnerabilities in a system. They test
the weaknesses identified in a previous vulnerability assessment to see how serious those risks really
are. After the penetration test, ethical hackers provide advice on how to fix these vulnerabilities. They
suggest countermeasures to reduce risks, both individually and as a whole.

Goals: The main goal of ethical hackers during a penetration test is to break into a system and move between systems until they gain full control over the network. This is known as "owning" the domain. They achieve this by:
• Gaining root access on critical Unix or Linux systems.
• Taking control of the domain administrator account, which allows access to all network resources.
• Demonstrating Risks: Ethical hackers aim to show the company what a real attacker could do. By demonstrating how vulnerabilities can be exploited, they help the organization understand the potential risks.

Collecting Trophies: As they conduct the test, ethical hackers may gather sensitive information, referred to as "trophies." These can include:
• Passwords of high-level executives (like the CEO).
• Confidential company documents.
• Administrative passwords for critical devices.
Collecting these trophies is important because it helps company leaders (like the CEO, CIO, and CFO) grasp the real risks. While technical details may not engage them, showing them sensitive data or critical information makes the risks more relatable and urgent.

Penetration Testing Process

1. Form two or three teams:
• Red Team: The Red Team consists of ethical hackers who simulate a cyberattack on the company's network. They try to exploit vulnerabilities, gain unauthorized access, and move through the network to demonstrate weaknesses.
• White Team: The White Team includes the network administrators from the company. They monitor the Red Team’s activities and ensure that the test stays within agreed boundaries.
• Blue Team (optional): This management team oversees the test and coordinates between the Red and White teams.
2. Establish the ground rules:
• Testing objectives
• What to attack, what is hands-off
• Who knows what about the other team (Are both teams aware of the other? Is the testing single
blind or double blind?)
• Start and stop dates
• Legal issues: Just because a client asks for it, doesn’t mean that it’s legal. The ethical hacker must
know the relevant local, state, and federal laws and how they pertain to testing procedures.
• Confidentiality/Nondisclosure
• Reporting requirements
• Formalized approval and written agreement with signatures and contact information
• During the testing, it’s important to keep the formal agreement document close at hand. This
document contains written approval, legal permissions, and the scope of the test. In case any
legal issues or misunderstandings arise, this document acts as a "get out of jail free" card, proving
that the test is authorized and legitimate. Essentially, it serves as protection for the ethical
hackers if someone questions their activities.

Penetration Testing Activities

3. Passive Scanning: This is about gathering as much information as possible about the target without interacting with it directly. You don’t touch the target’s systems but instead use public sources like:
• The company’s website and its source code.
• Social media profiles.
• Whois database (for domain info).
• Edgar database (for corporate filings).
• Newsgroups or online forums.
• Public databases like ARIN, RIPE, etc.
• Search engines like Google or job boards like Monster.com.
• Even methods like dumpster diving (looking for useful info in discarded documents).
4. Active Scanning: In this step, you actively probe the target using scanning tools to see what’s publicly exposed. This involves:
• Using commercial scanning tools.
• Banner grabbing (collecting details about the system or services).
• Social engineering (tricking people into revealing information).
• War dialing (calling phone numbers to find modems).
• Checking DNS records (DNS zone transfers).
• Monitoring network traffic (sniffing).
• Driving around to find wireless networks (war driving).
5. Attack Surface Enumeration: This means examining the target’s network to identify and document every device that’s exposed, like:
• Creating a map of the network.
• Finding routers and switches.
• Checking firewalls and connections between different networks (LAN, MAN, WAN).
6. Fingerprinting: This involves taking a deeper look at the target’s systems to find out details like:
• The type and version of the operating system.
• The applications in use and whether they’re updated.
• Open ports.
• Services running on the system.
• User accounts.
7. Target System Selection: Based on the previous steps, choose the most vulnerable and useful systems to focus the attack on.
8. Exploiting Vulnerabilities: Use attack tools to exploit the vulnerabilities found. Some attempts may fail, some may disrupt services (or even crash a server), but some will succeed in breaching the system.
9. Escalation of Privilege: Once inside, the next step is to gain more control. This could mean:
• Getting admin or root access (highest level of control).
• Using cracked passwords to access more areas.
• Using techniques like buffer overflow to control systems locally rather than remotely.
10. Documentation and Reporting: Finally, everything is documented. This includes what was found, how it was found, the tools used, vulnerabilities exploited, the timeline of actions, and what worked or didn’t. This helps create a clear report of the test.

What Would an Unethical Hacker Do Differently?

1. Target selection
• Motivations would be due to a grudge or for fun or profit.
• There are no ground rules, no hands-off targets, and the white team is definitely blind to the upcoming attack.
2. Intermediaries
• The attacker launches his attack from a different system (intermediary) than his own to make tracking back to him more difficult in case the attack is detected.
• There may be several layers of intermediaries between the attacker and the victim.
• Intermediaries are often victims of the attacker as well.
3. Next, the attacker proceeds with the penetration testing steps described previously:
• Passive scanning
• Active scanning
• Footprinting
• Target system selection
• Fingerprinting
• Exploiting the uncovered vulnerabilities
• Escalation of privilege
4. Preserving access
• This involves uploading and installing a rootkit, backdoor, Trojan’ed applications, and/or bots to assure that the attacker can regain access at a later time.
5. Covering his tracks
• Scrubbing event and audit logs
• Hiding uploaded files
• Hiding the active processes that allow the attacker to regain access
• Disabling messages to security software and system logs to hide malicious processes and actions
6. Hardening the system
• After taking ownership of a system, an attacker may fix the open vulnerabilities so no other attacker can use the system for other purposes.

Penetration Testing and Tools: Social Engineering Attacks:

How a social engineering attack works

An attacker sends a fake email that looks real and familiar to the victim. The email tricks the victim into
clicking on a link that takes them to a fake website. The fake website looks like a real one, often
mimicking a company's internal system login. The victim enters sensitive information, thinking it's safe.
The attacker gets the sensitive information and uses it for malicious purposes.
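As an added example (not part of these notes), the following Python checker looks for the tell-tale signs of the attack just described in a constructed phishing e-mail: a display name that borrows the company's name on a look-alike sender domain, a Reply-To that routes answers elsewhere, and a link whose visible text shows the real portal while its real destination is the fake one. The trusted domain example-corp.com and the sample message are assumptions.

```python
# Added example, not from the course notes: indicators of the phishing pattern
# described above, checked against a constructed e-mail. The trusted domain is
# an assumption standing in for the real company domain.
import email
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-corp.com"   # assumed company domain

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased host of an e-mail address, URL or bare domain (simplified)."""
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()

def is_trusted(host):
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def phishing_indicators(raw_message):
    """Return human-readable indicators; an empty list means none were found."""
    msg = email.message_from_string(raw_message, policy=default)
    found = []
    sender = msg["From"].addresses[0]
    sender_host = host_of(sender.addr_spec)
    # 1. Display name borrows the company name while the address domain differs.
    brand = TRUSTED_DOMAIN.split(".")[0]
    if brand in sender.display_name.lower() and not is_trusted(sender_host):
        found.append(f"display name suggests {TRUSTED_DOMAIN} but sender is {sender_host}")
    # 2. Replies are routed to a different domain than the visible sender.
    if msg["Reply-To"] and host_of(msg["Reply-To"].addresses[0].addr_spec) != sender_host:
        found.append("Reply-To domain differs from From domain")
    # 3. Links: destination outside the trusted domain, or link text that hides it.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            dest = host_of(href)
            if dest and not is_trusted(dest):
                found.append(f"link to untrusted host {dest}")
            shown = host_of(text) if "." in text and " " not in text else ""
            if shown and shown != dest:
                found.append(f"link text shows {shown} but points to {dest}")
    return found

# Constructed phishing message: look-alike domain (0 for o), foreign Reply-To,
# and link text that displays the real portal while pointing at the fake one.
PHISH = """\
From: "Example-Corp IT Helpdesk" <helpdesk@example-c0rp.com>
Reply-To: support@mail-relay-xyz.net
To: alice@example-corp.com
Subject: Action required: password expiry
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Sign in at
<a href="http://portal.example-c0rp.com/login">https://portal.example-corp.com</a>
to keep access.</p></body></html>
"""
```

Running `phishing_indicators(PHISH)` yields four indicators, while a genuine message from helpdesk@example-corp.com linking to a host under example-corp.com yields none.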
Simple emotions:
• Greed: Promising something valuable to get the victim to do something.
• Lust: Offering something sexy or appealing to get the victim's attention.
• Empathy: Pretending to be someone the victim knows and needs help from.
• Curiosity: Creating a sense of intrigue or mystery to get the victim to click or read something.
• Vanity: Flattering the victim with a fake compliment or attention.
Complex emotions:
• A desire to be helpful “If you’re not busy, would you please copy this file from this CD to this USB
flash drive for me?” Most of us are taught from an early age to be friendly and helpful. We take
this attitude with us to the workplace.
• Authority/conflict avoidance “If you don’t let me use the conference room to e-mail this report to
Mr. Smith, it’ll cost the company a lot of money and you your job.” If the social engineer looks
authoritative and unapproachable, the target usually takes the easy way out by doing what’s
asked of them and avoiding a conflict.
• Social proof “Hey look, my company has a Facebook group and a lot of people I know have
joined.” If others are doing it, people feel more comfortable doing something they wouldn’t
normally do alone.

Conducting a social engineering attack

Client Communication and Test Secrecy: When we plan to test a company's security, we need to discuss our plan with the client (the company owner), because our test might make some employees feel uncomfortable or surprised. They might feel they have been tricked into doing something they should not have done. If we get caught during the test, the employees might not understand what is going on and might feel embarrassed. So we need to make sure the client knows what we are going to do and what might happen. We also need to keep the test secret from the employees. If they know it is happening, they might behave differently, and we will not get an accurate picture of the company's security.

Starting a Social Engineering Attack (SEA): Begin by gathering information about the target organization, just as in any penetration test. You can start with zero knowledge and use open sources to gather information, for example by searching for the company's phone directory or other publicly available information. Google is a good starting point for finding names, job titles, and contact information. Social media sites like Facebook, LinkedIn, MySpace, and Twitter can also be used to gather information about employees. Once you find an employee's social media account, you may be able to see their connections and identify coworkers; depending on the employee's security settings, you may be able to see their entire network of connections.

Reconnaissance: After researching the company online, start targeting key personnel internally. Try to build a picture of who is who and develop rapport with potential sources. Key personnel might include the CIO, CSO, Director of IT, CFO, Director of HR, VPs, and Directors. Find out who works in which offices, who their personal assistants are, and when they are traveling or on vacation.
Example: Suppose your goal is to obtain the internal employee directory. You call the assistant of a key person and claim to be a consultant working with their boss. You ask the assistant to fax the company directory to another location within the company. The assistant might not see any risk and fax the directory to the other office. You then call that office, give the same story, and ask them to fax the directory to you at home. You give them a public fax number and retrieve your fax.
Caller ID Spoofing: Use services like Bluff My Call to make it seem like you are calling from inside the company.

Planning an Attack
Time and Patience: Planning an attack takes time, practice, and patience.
Imagination: As the attacker, you are limited only by your imagination.
Reading People: Your success depends on your team's ability to read the people at the target organization and devise effective attacks.
Capture the Flag: Your goal is to access sensitive data to show your client how it can be done. Sometimes this involves using legitimate access methods or stolen credentials.
Combined Efforts: Often it takes a combined effort of getting hackers in position or delivering the right payload behind network controls.
Advanced Techniques (Phony Websites, Emails, and Phone Numbers): As your attacks become more sophisticated, you might need to set up fake websites, email addresses, and phone numbers to appear legitimate.
Face-to-Face Meetings: Some attacks might require meeting the intended victim in person.

Social Engineering Skills: Social engineering is a team effort that requires a variety of skills. These skills
include charisma, phone skills, writing skills, and physical appearance. Hacking skills are also necessary
to gain unauthorized access to data assets.

Common Attacks Used in Penetration Testing

The following social engineering attacks (SEAs) are used in penetration testing. They may not always work, because every target is different. Success depends on the right conditions, so an attack that fails today might succeed later.
1. The Good Samaritan
2. The Meeting
3. Join the Company

1. The Good Samaritan

The Good Samaritan attack is a type of social engineering attack that combines technical exploits with psychological manipulation. The steps involved in the attack are as follows:
Step 1: Download the LPInstaller.exe application from the SanDisk website.
• Execute the LPInstaller.exe application and allow it to download the default U3 ISO image from the SanDisk website.
• Use an ISO editing tool, such as ISO Commander, to modify the ISO image.
• Extract the autorun.inf file from the ISO image and modify it to include a script that will execute on the target machine.
• Create a new folder called "cruzer" and add the modified autorun.inf file, as well as the script and any other necessary files, to the folder.
• Use the ISO Commander tool to add the "cruzer" folder to the ISO image.
• Save the modified ISO image to the USB drive.
Step 2: Place the USB drive in a location where it will be found by an unsuspecting user.
Step 3: The user inserts the USB drive into their machine and executes the script.
Step 4: The script uses netcat to establish a remote connection and provide remote access to the target machine.

The social engineering aspect of the attack relies on tricking the user into inserting the USB drive and executing the script. This is typically done by placing the USB drive in a location where it will be found by an unsuspecting user, such as a public area or a parking lot.
Mitigation: To mitigate this type of attack, it is recommended to disable autorun on USB drives, implement network monitoring tools, and educate users about the risks of social engineering.
2. The Meeting

The goal of this attack is to place an unauthorized wireless access point (WAP) on the corporate network. To set up an unauthorized WAP on a corporate network using social engineering techniques, the following steps can be taken:
• Preparation: Gather the necessary equipment, including a WAP, double-sided Velcro tape or sticky tape, a 12-inch or longer CAT5 patch cable, and a screwdriver, utility knife, and duct tape.
• Set up the meeting: Create a pretext for a face-to-face meeting, such as purchasing goods or services, and schedule the meeting time for just after lunch.
• Arrival at the target location: Arrive about 30 to 45 minutes before the scheduled meeting time and explain to the receptionist that you have a meeting scheduled after lunch but were in the area on other business and decided to come early.
• Gain access to a conference room: Have an accomplice phone you shortly after you enter the building and act slightly flustered after answering the phone. Ask the receptionist if there is some place you can take your call privately; most likely, you'll be offered a conference room.
• Install the WAP: Close the door to the conference room and find a wall jack to install your WAP. Secure the WAP out of view using Velcro or double-sided tape.
• Configure the WAP: Check for a computer in the room and unplug its network cable. Attempt to boot it from a Linux Live CD or flash drive, connect the WAP to the computer, and clone the MAC address of the computer.
• Validate the setup: After setting up the WAP, have a team member check whether they can connect to the WAP from outside the building. They should also confirm that they can see the corporate network. This makes sure that everything is working correctly and that the WAP is providing access to the corporate network.
• Exit the scene: Inform the receptionist that you'll call to reschedule your appointment and leave.

3. Join the Company

In this attack, we’ll use social media to attract employees of the target company to join our social networking group. The goal of the attack is to learn enough about the employees of the target company to impersonate one well enough to gain physical access.

• First, sign up on LinkedIn and create a profile that matches the target company. Search for employees of the target company by name and location. Send connection requests to identified employees, personalizing the invitations. Follow the employees' posts and updates to learn more about their roles.
• Create a group on LinkedIn dedicated to the target company. Invite employees to join the group. Identify an employee who is away from the office, such as on vacation. Ensure the chosen employee has similar physical characteristics to someone on your team who will be sent into the company.
• Develop a story that explains why you need temporary access to the company. Examples of pretexts include:
o Urgent business that requires access to the company network.
o Planned visit to the area and need to do some work for a few hours.
• Use spoofed caller ID to call security and request access. Use a fake ID badge to gain access. Use the information gathered from LinkedIn to be knowledgeable about company matters. Once physical access is gained, use the opportunity to achieve your objective.
• Ensure that your actions are aligned with the goals of the penetration test and that you are acting in a legal and ethical manner.

Preparing for Face-to-Face Attacks

When you're doing a social engineering attack (SEA) online, it's easy to send an email or chat with someone and then wait to see what happens. But when you're face-to-face with someone, it's a different story. You never know what they'll say or do, so you need to be prepared for anything.
• Look and act like the person you're pretending to be.
• Always be comfortable and relaxed, as if you're having a conversation with a friend.
• Relaxation techniques: Meditation, acupressure, and reflexology can help you relax and calm your nerves.
• Rehearse your plan multiple times to feel more comfortable and confident.
• Practice with a team to anticipate different scenarios and feel more prepared.
• Think about your body language: Practice standing with your hands in a comfortable position and think about what to do with your hands during the encounter.
• Know your resting heart rate: Buy a wrist heart rate monitor or take your pulse when you wake up to determine your resting heart rate.
• Aim for a calm heart rate: When interacting with a face-to-face target, try to keep your heart rate within 20% of your resting heart rate. For example, if your resting heart rate is 65 beats per minute (bpm), aim for a heart rate of 80 bpm or less.

The Fight-or-Flight Response: When you're in a face-to-face encounter, your body's natural response is to release adrenaline, which can make your heart rate increase, your palms sweat, and your face flush. This is a natural response to a perceived threat or conflict. Inexperienced social engineers often have a heart rate of 120 bpm or more during their first face-to-face attempts, which can be a giveaway.

Defending Against Social Engineering Attacks

• Employees are the vulnerable point: SEAs target employees, who are often unaware of the risks and consequences of their actions.
• Perceived risk is low: Employees often don't perceive the risk of SEAs, even if they've been victimized before.
• Awareness training is essential: The best defense against SEAs is awareness training, which helps employees recognize the value of the assets being protected and the costs associated with a breach.
• Simulated attacks are necessary: Simulated targeted attacks should be regularly performed to test the effectiveness of the awareness program and provide real-world examples of the threat. Results from simulated attacks should be fed back into the awareness program to improve its effectiveness.
