ASSIGNMENT -6

1. Define ethical hacking and distinguish it from malicious hacking, highlighting the importance of ethical considerations.

answer:
Ethical hackers, also known as "white hats," are security experts who perform security assessments with the prior approval of the organization or owner of the IT asset. The proactive work they do helps to improve an organization's security posture, so the mission of ethical hacking is the opposite of malicious hacking.

What are the key concepts of ethical hacking?
Ethical hackers follow four key protocol concepts:
- Stay legal. Obtain proper approval before accessing and performing a security assessment.
- Define the scope. Determine the scope of the assessment so that the ethical hacker's work remains legal and within the organization's approved boundaries.
- Report vulnerabilities. Notify the organization of all vulnerabilities discovered during the assessment, and provide remediation advice for resolving them.
- Respect data sensitivity. Depending on the sensitivity of the data, ethical hackers may have to agree to a non-disclosure agreement, in addition to other terms and conditions required by the assessed organization.

How are ethical hackers different from malicious hackers?
Ethical hackers use their knowledge to secure and improve the technology of organizations. They provide an essential service by looking for vulnerabilities that could lead to a security breach. An ethical hacker reports the identified vulnerabilities to the organization and provides remediation advice. In many cases, with the organization's consent, the ethical hacker performs a re-test to ensure the vulnerabilities are fully resolved.

Malicious hackers intend to gain unauthorized access to a resource (the more sensitive the better) for financial gain or personal recognition. Some malicious hackers deface websites or crash backend servers for fun, reputation damage, or to cause financial loss. The methods used and vulnerabilities found remain unreported. They are not concerned with improving the organization's security posture.

What skills and certifications should an ethical hacker obtain?
An ethical hacker should have a wide range of computer skills. They often specialize, becoming subject matter experts (SMEs) on a particular area within the ethical hacking domain. All ethical hackers should have:
- Expertise in scripting languages.
- Proficiency in operating systems.
- A thorough knowledge of networking.
- A solid foundation in the principles of information security.

Some of the most well-known and widely held certifications include:
- EC-Council Certified Ethical Hacker (CEH)
- Offensive Security Certified Professional (OSCP)
- CompTIA Security+
- Cisco CCNA Security
- SANS GIAC

What problems does hacking identify?
While assessing the security of an organization's IT asset(s), ethical hackers aim to mimic an attacker and look for attack vectors against the target. The initial goal is reconnaissance: gathering as much information as possible. Once the ethical hacker has gathered enough information, they use it to look for vulnerabilities in the asset, using a combination of automated and manual testing. Even sophisticated systems with complex countermeasure technologies may be vulnerable.

They do not stop at uncovering vulnerabilities. Ethical hackers use exploits against the vulnerabilities to prove how a malicious attacker could exploit them. Some of the most common vulnerabilities discovered by ethical hackers include:
- Injection attacks
- Broken authentication
- Security misconfigurations
- Use of components with known vulnerabilities
- Sensitive data exposure

After the testing period, ethical hackers prepare a detailed report. This documentation includes the steps taken to compromise the discovered vulnerabilities and the steps needed to patch or mitigate them.

What are some limitations of ethical hacking?
- Limited scope. Ethical hackers cannot progress beyond the defined scope to make an attack successful. However, it is not unreasonable to discuss out-of-scope attack potential with the organization.
- Resource constraints. Malicious hackers do not have the time constraints that ethical hackers often face. Computing power and budget are additional constraints on ethical hackers.
- Restricted methods. Some organizations ask testers to avoid test cases that could crash servers (e.g., Denial of Service (DoS) attacks).

2. Explain the concept of open-source intelligence (OSINT) and its role in information gathering for ethical hacking.

answer:
Key takeaways:
- Open source intelligence is derived from data and information that is available to the general public. It is not limited to what can be found using Google, although the so-called "surface web" is an important component.
- As valuable as open source intelligence can be, information overload is a real concern. Most of the tools and techniques used to conduct open source intelligence initiatives are designed to help security professionals (or threat actors) focus their efforts on specific areas of interest.
- There is a dark side to open source intelligence: anything that can be found by security professionals can also be found (and used) by threat actors.
- Having a clear strategy and framework in place for open source intelligence gathering is essential; simply looking for anything that could be interesting or useful will inevitably lead to burnout.

Of all the threat intelligence subtypes, open source intelligence (OSINT) is perhaps the most widely used, which makes sense: after all, it is mostly free, and who can say no to that? Unfortunately, much like the other major subtypes (human intelligence, signals intelligence, and geospatial intelligence, to name a few), open source intelligence is widely misunderstood and misused. This widespread use and the growing sophistication of OSINT are reflected in market projections.
In fact, according to a report by Future Market Insights, the OSINT industry is predicted to reach $58 billion by 2033, highlighting its increasing importance and integration into various sectors.

If you have ever asked yourself "What does OSINT stand for?", "What is open source intelligence (OSINT)?" or "What does OSINT mean?", keep reading to find out. Here we cover the fundamentals of open source intelligence, including how it is used, the tools and techniques that can be employed to gather and analyze it, and the significant role it plays in intelligence gathering.

What Is Open Source Intelligence?
Before we look at common sources and applications of open source intelligence, it is important to understand what it actually is. According to U.S. public law, open source intelligence:
- Is produced from publicly available information
- Is collected, analyzed, and disseminated in a timely manner to an appropriate audience
- Addresses a specific intelligence requirement

The important phrase to focus on here is "publicly available."

OSINT Meaning
The term "open source" refers specifically to information that is available for public consumption. If any specialist skills, tools, or techniques are required to access a piece of information, it cannot reasonably be considered open source.

Crucially, open source information is not limited to what you can find using the major search engines. Web pages and other resources that can be found using Google certainly constitute massive sources of open source information, but they are far from the only sources. For starters, a huge proportion of the internet (over 99 percent, according to former Google CEO Eric Schmidt) cannot be found using the major search engines. This so-called "deep web" is a mass of websites, databases, files, and more that (for a variety of reasons, including the presence of login pages or paywalls) cannot be indexed by Google, Bing, Yahoo, or any other search engine. Despite this, much of the content of the deep web can be considered open source because it is readily available to the public.

In addition, there is plenty of freely accessible information online that can be found using online tools other than traditional search engines. As a simple example, tools like Shodan and Censys can be used to find IP addresses, networks, open ports, webcams, printers, and pretty much anything else that is connected to the internet.

Information can also be considered open source if it is:
- Published or broadcast for a public audience (for example, news media content)
- Available to the public by request (for example, census data)
- Available to the public by subscription or purchase (for example, industry journals)
- Something that could be seen or heard by any casual observer
- Made available at a meeting open to the public
- Obtained by visiting any place or attending any event that is open to the public

At this point, you are probably thinking, "That's a lot of information..." And you are right. We are talking about a truly unimaginable quantity of information that is growing at a far higher rate than anybody could ever hope to keep up with. Even if we narrow the field down to a single source of information, say Twitter, we are forced to cope with hundreds of millions of new data points every day.

This, as you have probably gathered, is the inherent trade-off of open source intelligence. As an analyst, having such a vast quantity of information available to you is both a blessing and a curse. On one hand, you have access to almost anything you might need; on the other hand, you have to be able to actually find it in a never-ending torrent of data.
History of OSINT
The term OSINT refers to the practice of collecting information from publicly available sources to be used in an intelligence context. This practice has been around for a while, but it is the digital era that really propelled OSINT into a league of its own.

The foundational roots of OSINT are linked to the formation of the Foreign Broadcast Monitoring Service (FBMS) in 1941. This organization was charged with scrutinizing international broadcast communications to identify potentially dubious activities. According to the Association of Former Intelligence Officers (AFIO), "The US military first coined the term OSINT in the late 1980s." This development stemmed from the recognition that intelligence reform was needed to meet rapidly changing informational demands, particularly at the tactical battlefield level.

Initially, OSINT was a tool used primarily by intelligence agencies and law enforcement to gather publicly available information in support of national security and criminal investigations. The methods involved were time-consuming, often requiring individuals to manually sift through public records, newspapers, and other documents to find relevant information, and this manual gathering was difficult because of the vast amount of data involved.

As the web evolved, so did the methods of collecting and analyzing publicly available data. The advent of the internet significantly amplified the means through which information could be collected: a wide range of data became publicly available and easily accessible online, from government reports to academic papers and everything in between. Websites became a primary data source for OSINT practitioners. These developments led to a boom in the creation of OSINT tools designed to automate data collection and analysis. These tools could quickly gather information from various sources, including publicly accessible databases, social media platforms, and many other sources in the digital realm.

As the field of cybersecurity experienced rapid growth, the application of OSINT expanded. Cybersecurity professionals began to see the value of using OSINT to identify vulnerabilities, assess potential security threats, and bolster organizational security. OSINT tools became essential in monitoring publicly accessible web servers, analyzing metadata, and assessing security vulnerabilities. The data gathered became invaluable for understanding the security posture of an organization, identifying potential threats, and developing strategies to mitigate risks.

One notable trend is the integration of machine learning and analytics in OSINT tools to enhance the identification of patterns and trends in the collected data. This integration has not only made OSINT tools more effective but has also expanded the range of applications in which they can be used. For instance, security researchers now use OSINT to perform penetration tests, while businesses use it to gain insights into their competitors and the market environment.

Moreover, the community of OSINT researchers has grown over time, with forums, conferences, and groups forming to share knowledge, discuss best practices, and develop new OSINT techniques. Many OSINT tools, including frameworks like Recon-ng, have communities of developers on platforms like GitHub working to improve, customize, and create modules that extend the capabilities of these tools. The collective effort of these communities has played a significant role in refining OSINT practice, making it a vital component of intelligence gathering and cybersecurity.

In summary, the history of OSINT is a testament to the adaptability and ingenuity of individuals and organizations in leveraging publicly available information to enhance security, make informed decisions, and gain a competitive edge. As technology continues to evolve, so will the tools and methods used in OSINT, opening new avenues for gathering and analyzing publicly available data.

How Is Open Source Intelligence Used?
Now that we have covered the basics of open source intelligence, we can look at how it is commonly used for cybersecurity. There are two common use cases:

1. Ethical Hacking and Penetration Testing
Security professionals use open source intelligence to identify potential weaknesses in friendly networks so that they can be remediated before they are exploited by threat actors. Commonly found weaknesses include:
- Accidental leaks of sensitive information, for example through social media
- Open ports or unsecured internet-connected devices
- Unpatched software, such as websites running old versions of common CMS products
- Leaked or exposed assets, such as proprietary code on pastebins

3. Discuss the legal and ethical considerations involved in conducting network scanning and enumeration during ethical hacking activities.

answer:
When you know about your target, half the task of hacking is done. There are different ways to gather information about your target. In the previous blog, I explained how to gather information using footprinting, but knowing basic information is not enough. So in this blog, I will tell you how to gather specific details about your target using network scanning for ethical hacking.

The topics covered in this blog are:
- What is Network Scanning?
- How is Network Scanning different from Reconnaissance?
- Types of Network Scanning for Ethical Hacking
- How to use Network Scanning tools?

What is Network Scanning?
Network scanning is the procedure of identifying the active hosts, ports, and services used by the target application. Suppose you are an ethical hacker who wants to find vulnerabilities in a system: you need a point in the system that you can try to attack. Network scanning for ethical hacking is used to find those points in the system that a black-hat hacker could use to hack the network, so that the respective teams can work on improving the security of the network.

Every organization has a network. This network could be an internal network consisting of all the systems connected with each other, or it can be a network that is connected to the internet. In either case, to hack the network, you will have to find a vulnerable point in the network that can be exploited. Network scanning is used to find such points in the network.

How is Network Scanning different from Reconnaissance?
Think of it like this: you are an army officer, and you and your team are planning to attack a terrorist lair. You have found out the location of the lair and details about the surroundings, and have found ways to send the team to the lair. You can consider all this as the information you have gathered using reconnaissance. Now you have to find a point through which you can enter the lair and attack the enemy. This is network scanning.

In simple terms, reconnaissance is used to gather information and understand your target, and network scanning is a method used to find possible vulnerable points in the network through which you can hack the network. Depending on what kind of information the scan identifies, network scanning can be classified into different types.

Types of Network Scanning for Ethical Hacking
Network scanning can be classified into two main categories:
- Port Scanning
- Vulnerability Scanning

Port Scanning
As the name suggests, port scanning is a process used to find out the active ports on the network. A port scanner sends client requests to a range of ports on the target network and then saves the details about the ports that send a response back. This is how active ports are found. There are different types of port scanning. Below is a list of some of the most used ones:
- TCP scanning
- SYN scanning
- UDP scanning
- ACK scanning
- Window scanning
- FIN scanning

Vulnerability Scanning
Vulnerability scanning is a type of network scanning for ethical hacking used to find weaknesses in the network. This type of scanning identifies vulnerabilities that occur due to poor programming or misconfiguration of the network.

Now that you know what network scanning is, I will introduce you to some tools and tell you how to use them for network scanning.

How to use Network Scanning tools?
In this section, I will show you how to use some network scanning tools. The operating system I am using for this is Kali Linux because it comes with many built-in tools for hacking. The first tool I am going to talk about is Nmap.

1. Nmap for Network Scanning
Nmap is a free and open source network scanner. You can scan a network with Nmap either by using the IP address of the target:

    $ nmap 1.2.3.4

or by using the hostname:

    $ nmap example.com

Note that it is illegal to scan the network of any organization without prior authorization from that organization. So do not try to scan just any random network.
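Port scanning as described above (a scanner sending requests to a range of ports and recording which ones answer) is shown in the following added example, which is not part of the original tutorial: a minimal TCP connect scanner in Python that checks the target against an authorized-scope list before sending anything, reflecting the prior-authorization requirement stated above, and is exercised only against a throwaway listener on loopback. The scope list, the listener and the out-of-scope address 203.0.113.10 (a documentation address) are constructed for the demonstration.

```python
import ipaddress
import socket
from contextlib import closing

# Constructed authorized scope for this demonstration: loopback only.  In a real
# engagement this list comes from the written rules of engagement; anything not
# listed is refused before a single packet is sent.
AUTHORIZED_SCOPE = [ipaddress.ip_network("127.0.0.0/8")]


def in_scope(host: str) -> bool:
    """True only if the host's address lies inside AUTHORIZED_SCOPE."""
    addr = ipaddress.ip_address(socket.gethostbyname(host))
    return any(addr in net for net in AUTHORIZED_SCOPE)


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect scan: try a full handshake to each port and record the outcome.

    Returns {port: state} with state in {"open", "closed", "filtered", "error"}.
    A completed connect() means something answered SYN/ACK (open); a refused
    connection means the host sent RST (closed); a timeout means no answer at
    all (filtered, e.g. silently dropped by a firewall).
    """
    if not in_scope(host):
        raise PermissionError(f"{host} is outside the authorized scope; refusing to scan")
    results = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except socket.timeout:
                results[port] = "filtered"
            except OSError:
                results[port] = "error"
    return results


def start_listener():
    """Constructed target: a throwaway TCP listener on loopback. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


def demo() -> dict:
    """Scan a small range around the listener's port and try one out-of-scope target.

    Returns {"open_port": listener port, "results": {port: state}, "refused": bool}.
    """
    srv, open_port = start_listener()
    try:
        results = connect_scan("127.0.0.1", range(open_port - 2, open_port + 3))
        try:
            # 203.0.113.10 is a documentation address, used only to show the refusal.
            connect_scan("203.0.113.10", [80])
            refused = False
        except PermissionError:
            refused = True
    finally:
        srv.close()
    return {"open_port": open_port, "results": results, "refused": refused}


if __name__ == "__main__":
    report = demo()
    for port, state in sorted(report["results"].items()):
        print(f"{port}/tcp {state}")
    print("out-of-scope target refused:", report["refused"])
```

Against a remote host the same loop distinguishes open, closed and filtered ports exactly as Nmap's connect scan (-sT) does, which is why a full handshake to every port is also the easiest kind of scan for a target's logs to record.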
But if we cannot scan any network without permission, how will we learn about Nmap? The Nmap project provides a host for us to practice scanning with Nmap: scanme.nmap.org. Let us try scanning it. Open a terminal on your system and run the command below:

    $ nmap -v -A scanme.nmap.org

You can see how Nmap displays the open ports on the host in the result. In the above command, the option -v is for verbose output and the option -A enables aggressive scanning, which includes operating system detection, version detection, default script scanning, and traceroute. There are many other options that can be used with Nmap to obtain different kinds of results.

The next tool we are going to use is Nikto.

2. Nikto for Network Scanning
Nikto is a web server scanner that tests for dangerous files and outdated server software. These details can be exploited and used to hack the network. Nikto is designed to scan the web server in the quickest possible time. To use Nikto, open the terminal and run the following command:

    $ nikto -host scanme.nmap.org

The results that Nikto reports are helpful for understanding the weaknesses of the network or application being scanned. Once you find the weakness of the network, you can choose relevant attacks to hack the network.

The next tool I am going to talk about is Nessus.

3. Nessus for Network Scanning
Nessus is one of the most powerful vulnerability scanners available. This scanner does not come pre-installed with Kali Linux, so before explaining how to use it, I will show you how to install it.
Open a browser, go to www.tenable.com/downloads/nessus and click on "Get Activation Code". You will see two versions of Nessus: a free version (Nessus Home) and a paid version. We shall use the free version, so click on the "Register Now" button under "Nessus Home". On the next page, enter your first name, last name, and email address. A link will be sent to your email address and you will be redirected to the download page. Download a suitable file; I am downloading the .deb file for the AMD64 architecture because that is compatible with the Kali Linux I am using.

After the download is complete, open the terminal and run the following commands (as root) to install Nessus:

    $ cd Downloads
    $ dpkg -i Nessus-8.3.0-ubuntu910_amd64.deb

Nessus will be installed, and now you will have to start the Nessus service to use it:

    $ /etc/init.d/nessusd start

Once the service starts, open a web browser and go to https://kali:8834/. Enter a username and a password, and on the next page enter the activation code that was sent to your email address. After successful activation, wait for Nessus to download the necessary plugins.

Once Nessus completes the setup, you can scan a network by clicking on "New Scan" in the top right corner. On the next page, you will see the different types of scans that Nessus provides; I will choose "Basic Network Scan". Enter the name for your scan, a description, a folder, and the target, and click on "Save". For this tutorial, I will scan my local network. Next, select the scan and click on the start icon. After the scan is complete, you can see the vulnerability report under the "Vulnerabilities" tab. The scan results show the information and vulnerabilities found.

This is how Nessus can be used for network scanning for ethical hacking. The more details you find out about the target, the easier it will be to test for vulnerabilities. Try using more network scanning tools such as OpenVAS, Core Impact, Retina, etc.

4. How does Google Hacking contribute to footprinting and information gathering in ethical hacking?
answer:
Footprinting Using Advanced Google Hacking Techniques
- Query strings: Google hacking refers to creating complex search queries in order to extract sensitive or hidden information.
- Vulnerable targets: It helps attackers to find vulnerable targets.
- Google operators: It uses advanced Google search operators to locate specific strings of text within the search results.

Google Advanced Search Operators (important)
Google supports several advanced operators that help in modifying the search:
- [cache:] Displays the web pages stored in the Google cache
- [link:] Lists web pages that have links to the specified web page
- [related:] Lists web pages that are similar to a specified web page
- [info:] Presents some information that Google has about a particular web page
- [site:] Restricts the results to those websites in the given domain
- [allintitle:] Restricts the results to those websites with all of the search keywords in the title
- [intitle:] Restricts the results to documents containing the search keyword in the title
- [allinurl:] Restricts the results to those with all of the search keywords in the URL
- [inurl:] Restricts the results to documents containing the search keyword in the URL

Note that Google has since retired several of these operators (cache:, link:, and info:), so they no longer return results.

Google Hacking Databases
- Google Hacking Database (GHDB): http://www.hackersforcharity.org
- Google Dorks: http://www.exploit-db.com

Information Gathering Using Google Advanced Search
Use the Google Advanced Search option to find sites that may link back to the target company's website. This may reveal information such as partners, vendors, clients, and other affiliations of the target website. With the Google Advanced Search option, you can search the web more precisely and accurately.

5. Describe the significance of networking fundamentals in the context of ethical hacking and incident response planning (IRP).
answer:
An incident response plan is defined as a "documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyberattacks against an organization's information systems." When done right, an incident response plan will include the processes, procedures, and documentation needed to detect, respond to, and recover from cyber-related incidents. The action steps outlined in an IRP cover how an organization and its cybersecurity team respond to the following:
- Cyber threats (both active and passive)
- Natural disasters
- Unplanned Internet or general connectivity outages

The assets accounted for by an IRP are your organization's network, systems, and all related devices.

The Importance of an Incident Response Plan
With notable organizations such as, but not limited to, Indigo, Uber, NATO, and MSI reporting significant data breaches, businesses of all sizes should note the importance of an incident response plan and either (a) get one in place, or (b) refine any pre-existing IRPs that may already have been drafted.

A thorough IRP process gives your organization instructions on how to effectively minimize losses, remedy exploitable vulnerabilities in your cyber infrastructure, restore all impacted systems and devices, and shut down the attack vector that was used so that no similar attack succeeds in the future. IRPs are integral to preventing cyber-related incidents, protecting sensitive data, pinpointing the root causes of security breaches, and recovering in the worst-case scenario. They cement the best practices for cybersecurity incident handling and outline a step-by-step breakdown of how your organization should notify law enforcement, employees, staff, and any impacted clients.

The top benefits of an iron-clad IRP are:
- Minimizing the duration of security breaches: The average lifecycle of a security breach is up to 287 days, with organizations taking 212 days on average to identify a breach and 75 days to completely contain it.
- Rolling back the damage done by threat actors: With 68 records lost or stolen every second, the average data breach costing organizations $4.35 million, and the number of cyberattacks skyrocketing year on year, the damage done through just one data breach can be borderline insurmountable if not dealt with immediately.
- Streamlining the digital forensics process: What data has been compromised, and what are your attackers likely to try to do with it? Digital forensics is the science of identifying, processing, analyzing, and reporting on electronically stored data, with an emphasis on how that data can be used for potentially criminal purposes. Common criminal uses of data include ransom or fraud.
- Bolstering your organization's recovery time: Recovery time for a business can be slow, regardless of the type of data breach at hand. Having an IRP in place maximizes your response times and ensures that every member of your organization knows what part they play in getting your systems back up and running.
- Mitigating negative publicity in the wake of a breach: A hit to one's reputation, trust, or client base is a common drawback of experiencing a cyberattack. By showing your client base that you are targeting the problem at hand and prioritizing the safety of their personal information, you can keep reputational loss to a minimum.

Who is Responsible for Incident Response Planning?
Does your organization have a computer security incident response team (CSIRT) established yet? If not, take this as your sign to prioritize the formation of one. The typical roles held in a CSIRT are:
- The Incident Response Manager, who oversees actions during the detection, countering, and recovery phases of a cyberattack
- The Security Analyst, who implements operational controls during all phases
- The Threat Intelligence role, which uses threat intelligence to understand prior, existing, and potential future threats to the organization's cybersecurity

There are generally multiples of each role in the CSIRTs of medium-to-large organizations. Because most SMBs do not have the capacity to hire internal staff for Threat Intelligence, that role is often outsourced to third-party pentesting vendors, such as the team at Packetlabs, who can monitor an organization's infrastructure for leaked credentials, provide recommendations on how to strengthen security posture, and analyze existing and future threats. Ideally, a CSIRT will be composed of staff from a business's legal, human resources, IT, public relations, and leadership functions so that it is fully cross-functional if (and when) an emergency strikes.

What Can An IRP Prevent?
IRPs cover common security threats. The types of cyberattacks and related incidents that generally fall under the umbrella of an organization's IRP include, but are not limited to:
- Social engineering
- Ransomware
- DLL hijacking
- Data breaches
- Man-in-the-middle tactics

Regardless of the type of cyberattack at play, an IRP works to prevent and recover from both internal breaches and data breaches suffered by any third-party or fourth-party vendors the organization may be partnered with.

Key IRP Metrics
As an organization, what metrics should your incident response be measured against in order to determine how effective it is, as well as what about it can be improved? Here is a comprehensive list of key performance indicators for IRPs:
- An organization's security rating
- The security rating of major competitors
- The number of third-party or fourth-party vendors
- The average security rating of these vendors
- Which vendors are lowest-rated for security
- Which vendors have least improved their security year after year
- Which vendors are highest-rated for security
- Which vendors have most improved their security year after year
- The number of incidents detected in a year
- The number of incidents not detected in a year
- The number of incidents that required action in a year
- The number of repeated or similar incidents in a year
- The average incident remediation time
- The number of data breaches in a year

Other crucial elements are the number of stakeholders involved in incident response planning, general cybersecurity awareness training within the organization, and what measures have been taken to strengthen security posture.