Ethical Hacker's Certification Guide (CEHv11): A comprehensive guide on Penetration Testing including Network Hacking, Social Engineering, and Vulnerability Assessment
Ebook, 704 pages, 6 hours

About this ebook

The 'Certified Ethical Hacker's Guide' summarises all the ethical hacking and penetration testing fundamentals you'll need to get started professionally in the digital security landscape. The readers will be able to approach the objectives globally, and the knowledge will enable them to analyze and structure the hacks and their findings in a better way.

The book begins by making you ready for the journey of a seasoned ethical hacker. You will be introduced to very specific topics such as reconnaissance, social engineering, network intrusion, mobile and cloud hacking, and so on. Throughout the book, you will find many practical scenarios and get hands-on experience using tools such as Nmap, Burp Suite, OWASP ZAP, etc. Methodologies like brute-forcing, wardriving, evil twinning, etc. are explored in detail. You will also gain a firm grasp of theoretical concepts such as hashing, network protocols, architecture, and data encryption in real-world environments.

In the end, the evergreen bug bounty programs and traditional career paths for security professionals will be discussed. The reader will also have practical tasks and self-assessment exercises to plan further paths of learning and certification.
Language: English
Release date: Oct 25, 2021
ISBN: 9789391392215

    Book preview

    Ethical Hacker's Certification Guide (CEHv11) - Mohd Sohaib

    CHAPTER 1

    Cyber Security, Ethical Hacking, and Penetration Testing

    Introduction

    The pace of innovation and advancement in the field of computing has been phenomenal. From gigantic machines capable of performing a few instructions per minute to handheld devices executing millions of instructions per second, computing technology has not just evolved but has become more affordable and mainstream. And as with all good things, digital systems come with their own unique set of obstacles, information security being the biggest one. With the amount of information flowing through digital channels, they are the default targets of cyber criminals looking to fulfil their ulterior motives.

    This book will help you understand the basics of cyber security, how an attacker works, and what you can do to secure your system. We will be getting into the shoes of a hacker to understand how one operates, strikes, and causes disruption. We will then define processes as a penetration tester to effectively simulate, detect, and mitigate any ill effects of the attacks.

    Structure

    We will cover the following topics in this chapter:

    Cyber security introduction

    Principles of security for information systems

    Hacking concepts

    Ethical hacking and penetration testing

    Objectives

    This chapter will focus on introducing you to the world of Information Systems and the risks associated with them. After going through the chapter, you should be able to have a basic understanding of how an information system works and the properties of a secure information system. We will also go through the general concepts of hacking, the steps taken by hackers, and their impact on the digital landscape. The last section aims to get you familiarized with the world of penetration testing, the importance of having this skill, and how a penetration tester is actually a hacker working on the right side of the law.

    The Ten Thousand Feet View

    A perfectly secure system is a myth. Well, not really if you are ready to bury the system six feet under concrete and never switch it back on again. But again, not many of us would have the choice or a fitting use case where we would procure a system just to use it as an ornament and never actually use it. For most of us living in the digital age, information and data security is as much a problem as getting the next meal. And though it might not look like that big a concern for most of the uninitiated folks, it surely has the potential to make or break each and every information system available to mankind.

    Cyber Security

    Before delving deep into the importance and know-how of cyber security, let’s establish a couple of definitions to set the scope.

    Information Systems: Any and all logical and physical assets containing or leading to a piece of data, information, resource, or leverage are information systems. From a memo on your office desk to the mobile phone in your pocket to enterprise data centers, each in its own right is an information system.

    Information Security: The protection of an information asset from any unauthorized and unauthenticated access, modification, retrieval or erasure, all the while providing meaningful access to the actual system user constitutes the essence of information security. The security may hence be in the form of a security guard, a lock and key set, or a high-end multi-factor authentication.

    The worldwide Information Technology spending was projected to be at $3.8 trillion. The industry in the US alone accounts for $1.8 trillion value-added GDP. For India, the IT and ITES grew to $181 billion in 2018-19.

    An interesting and somewhat overlooked fact is that the Information Technology industry forms the backbone of nearly all the industries ranging from manufacturing to last mile goods delivery. This makes it altogether a much larger industry with a sizeable impact on world economies.

    What this scale and widespread usage mean is that there is a wide variety of generic and custom solution systems in place at every nook and corner of the digital landscape. And with information being the new currency, information systems are the new banks and lockers that everyone is after. With this being said, it would be natural to assume that these systems are resistant to intrusions and breaches, given the cost, usage, and market reputation at stake. This is one of the biggest myths of the information technology age.

    Figure 1.1: Top cyber-attack targets

    According to Hiscox, an insurance provider, digital incidents cost an average of $200,000, and 60% of the affected businesses go out of business within six months of being victimized. Another report lays out the fact that affected businesses find it hard to attract new customers.

    The total cost of hacks all over the world is ever increasing with $400 billion a year at the current rate. 62% of businesses experienced phishing and social engineering attacks in 2018. 71% of the breaches were financially motivated.

    Although information and customer records top the list for digital shoplifters, other items include:

    Ransomware: A piece of code to hold digital assets hostage for monetary benefits. The code generally encrypts the information it infects, with the attacker being the only one with the readily available ability to decrypt the compromised information.

    Denial of service by flooding the communication channel with requests to overwhelm the underlying systems and disrupt business.

    Financial frauds by impersonating legitimate users or gaining access to their assets via differing means.

    Cyber activism, wherein activists target digital infrastructure supporting unethical business practices or social misdemeanors.

    Cyber terrorism employed by the new age terrorists, wherein they target government and military facilities via their digital infrastructure.

    Maligning target reputation out of revenge or rivalry.

    And while a software solution is expected to be inherently secure and tamper-proof, it is not the case for almost all of them. Let’s first define what factors would impact the security of an information system:

    Quality of source code: The quality of the source code deployed for an application would directly affect the security of the application. For a developer, it is of paramount importance that there are no loopholes and backdoor entries to the application. An example of this would be to make sure the application does not process or execute any script code fed externally via inputs.

    Development environment: An insecure development or testing platform could potentially lead to the inclusion of bugs that are not directly associated with the code and the functionality of the system. These include bugs in the compiled code structure and its interpretation by the underlying system.

    Deployment environment: The actual final place of residence of the application is its deployment environment, which is majorly an ecosystem of multiple software solutions. Since the code will execute in this environment, it is of paramount importance that the environment in itself is as thoroughly sanitized as the code. There could be unrestricted network access, backdoors, and bugs within the deployment environment which might have gone unnoticed by the vendor or unpatched by the system administrator.

    System handlers: The people who maintain the system and have access to the application environment are, more often than not, the main vectors of breaches. A skipped patch, careless disposal of sensitive waste, or simply not following the standard operating guidelines results in massive data breaches all the time.

    End user: While a majority of the development happens in line with the happy scenarios of application usage, the end user is in fact the most unpredictable of all. A good system design could strive to cover all routes of execution, but for applications with a huge user base, this would be an impossible task. Another concern is the malicious user, the one who onboards the system just to break it.

    Technological advancements: While advancements sound great for a system, there is usually a cost involved in upgrading the solutions already deployed to bring them up to par. This often results in an environment being a mix of technologies that, after a period of time, may no longer complement each other as well as they did during the initial phases. Also, vendors tend to stop support and patching of older systems to focus on maintaining the newer ones. This leaves the older systems at much greater risk.

    The six feet deep concrete burial doesn’t sound like a bad idea now, does it? There is just one catch: you will find yourself locked out of the information you store, and retrieval would be a real pain each and every time. This establishes another requirement of an information system: the importance of accessibility and availability. There are three basic principles upon which information policies are usually defined:

    Confidentiality: That the information stored remains confidential, clear of prying eyes and void of any unauthorized access.

    Integrity: That the information stored maintains the actual form and remains free of any adulteration via unauthorized means. This includes maintaining records of access and operations by legitimate system users as well to put the onus on them for their actions.

    Availability: The information stored needs to be readily and timely available and accessible to the legitimate party in a manner agreed upon. Similar to justice, information delivered late is useless information.

    In addition to these, there are two more principles that help close the information security loop:

    Authenticity: This is to ensure that each user receives a genuine piece of information and is presented a means to check the authenticity at each step of information transfer. This is especially needed when 62% of all businesses are exposed to phishing and social engineering attacks.

    Non-repudiation: This guarantees that a piece of information was successfully and actually sent by an identifiable source and indeed received by the intended destination. Non-repudiation ensures that there is no speculation on the communication of information, and neither the sender nor the receiver can deny participating in the transaction.

    Figure 1.2: Components of effective information security solution

    A good information system would take these into account and establish an optimal contract to ensure an acceptable security of the digital assets.

    The words optimal and acceptable are of paramount importance here. Each of the underlying principles takes its fair share of:

    Effort: To implement a measure would require effort and so would building doorways through it for a legitimate user.

    Time: For every effort, there would be an associated timeline. Further, for each doorway, there would be an introduction of access delay.

    Cost: For every set of effort and time, there would be an associated cost of development as well as maintenance.

    In addition to these, there are going to be trade-offs on:

    Functionality: With an increase in the number of functionalities, there would be an increase in the application footprint and so would there be an increase in the risk factors. A video addition to a messaging platform would require a video upload, video storage, and video streaming features. These would be additional assets to keep track and control of. Further, their handling would expose more ways to get in and out of the system.

    Usability: Digital systems nowadays are as much focused on user experience as on their actual features. While there is less focus on this in enterprise applications, there is a growing demand for software with an appealing look and feel on all fronts. With an increase in access restrictions and information access policies, the usability of a system would fall considerably due to the overhead in user actions and time consumed in negotiating these policies.

    Now that we have defined all the basics, it would be a good time to address the two terms, optimal and acceptable, and why they are associated with information systems.

    Let us compare the security requirements of two different information systems. One caters to a free online publishing service that puts out a weekly comic strip to the mail accounts of its online subscribers. The other handles the electronic health records of patients for online 24x7 access.

    Free comic strip subscription service

    For the sake of simplicity, let’s say there are two kinds of actors in the system:

    The Publisher: The person or system who compiles the strip and posts it to the mailboxes of the subscribers.

    The Subscriber: The interested people who put in their mail IDs in the subscriber section to be able to receive the weekly emailer.

    The information stored in the system would be:

    Email addresses of the subscribers

    Date of subscription

    The very basic security concern would be to protect the stored mail records from unintended addition or deletion of subscription records.

    Electronic health record service

    The very basics of the electronic health record will have the following actors:

    The patient: The person for whom the record is kept.

    The doctor: The person creating, adding to, and referencing the record.

    The facility: The hospital or any other facility for check-ups and health-related actions.

    The information system will contain:

    Patient identification information like name, gender, age, contact

    Patient vital information like height and weight

    Patient medical history

    Patient allergic conditions

    Doctor information

    Hospital occupants

    Appointment information, and so on

    Insurance and payment information

    Login credentials for each actor in the system

    As is inherently obvious, the electronic health record system will hold a huge amount of data compared to the comic strip subscription system. The driving force of the design, however, must be the nature of the information stored in each system.

    The information stored in the subscription system is the email ID. A person’s email ID can be treated as his or her digital address. Compromising the email ID would expose the said people to spam emails, email flooding, and possible gateways to fraud. There is no other identifying information, so the user would not be affected directly or physically. Another possible outcome could be that the attack deletes the entire subscription database and the service is left with no subscribers. Another possibility is that the attacker gains control of the sender service and uses it to send malicious mails.

    The last of the possibilities would pose the most serious threat as the already subscribed users would be trusting the mail from the sender and would therefore be at a higher risk of being victim to a financial fraud.

    The maximum risk of a compromise in this system is hence a financial fraud.

    The electronic health record system stores a whole array of personal information. A compromise in the system would expose a patient’s whereabouts, medical conditions, financial records, insurance information, and vital records. Further, more information pertaining to the doctors’ practice and hospital records could also be compromised.

    All this data could be put up for sale on the black market and since it is related to personal identification data, there would be many buyers. The data could be used to create fake IDs, insurance frauds, extortions, delays in treatments, and for a highly-motivated professional, the health record would do more damage than a bullet.

    The maximum risk of a compromise in this system is hence lives being put at stake.

    For the comic strip publishing system, the essential security measures would include:

    Password-based authentication for publishing the comic strip

    Added measures would include:

    Encrypting stored email IDs

    Using secure channels for people to subscribe to the service

    Periodic backup of the subscriber base

    For the electronic health record, the essential security features would include:

    A very secure authentication process for a person to log in

    Encrypted storage for information

    Multiple backups at different geographical locations

    Secure channels for each communication

    Access logs for patient information access and update

    System patching policy

    Information purging policy

    Added features would include:

    Audit logs for all activities in the system

    Data consistency checks

    DOS prevention system

    Intrusion detection systems

    As is evident from these two cases, not all information systems require the same amount of security. The decision-making factors include:

    What piece of information needs to be secured?

    Do all assets require security?

    Do all assets require similar security?

    How long does an asset need to be secure?

    What are the implications if the security measures fail?

    What environment would the assets be exposed to?

    What other internal or third-party systems would the system interact with?

    What kind of access do the users need for the information?

    What is the accepted latency in information access?

    What kind of users will access the system?

    By calibrating these factors for a system, we can determine what is the optimal and acceptable strategy for securing the information system.

    Before advancing any further, let’s have a brief look at the major security concerns for an information system. For this, it is important to understand the points of entry for a vulnerability:

    Operating System: The operating system being used to host the application could inherently contain some vulnerabilities. These are essentially faults in design or configuration and are mostly fixed for commercial or actively maintained open-source systems. A major reason for the exploitation of these vulnerabilities lies in irregular system patching and security update installation.

    Environment Configuration: While deploying an application, there are multiple components in play apart from the actual application. These majorly include the application server, internal and external networks, database access, and so on. All of these come with environment defaults and initial configurations like default passwords, default access rights, and other security settings. A secure system design handles these, removes any unwanted configuration, and changes the defaults to more secure values. However, there are numerous instances where the system configurators forget or overlook these and expose the system to various threats.

    Information System Issues: The actual system being used is also open to multiple vulnerabilities if not properly designed. These may arise out of improper design, missed validations, code injections, and so on. Another common reason for these vulnerabilities is issues with the third-party code and libraries used in a system, enabling hackers to carry out shrink-wrap code attacks. These libraries could themselves be using default configurations or contain known issues that were overlooked during implementation. These result in a direct system compromise and are often the easiest to exploit.

    The preceding factors constitute the system end of vulnerabilities. A major cause of breaches, however, is a much bigger factor for the information security industry: user interaction. Users are often the weakest link; weak passwords, loosely stored information, unintended disclosures, and inside jobs contribute the bulk of the problem.

    This brings us to the discussion of major attack vectors for a digital information system. Attack vectors are means of orchestrating and exploiting a system vulnerability. These either open entry points into a system or use an already open access point to gain entry and exploit the target system. Common attack vectors include:

    92% of malware is either delivered or initiated via E-Mail. --PURPLESEC

    Malware: These are specially designed pieces of code that perform specific malicious actions on a host. The actions include providing remote access to an attacker; altering, deleting, or transferring host machine data; creating backdoors for information stealing; and so on. Common types of malware include viruses, worms, trojans, botnets, and ransomware. Malware enters a host system via a user-initiated action like clicking on links, installing software, or connecting external storage or networks.

    Figure 1.3: Total cost of malware infections over the past decade -- PURPLESEC

    Phishing: Phishing refers to the act of impersonating a legitimate resource or information so that the user interacts with it and unknowingly passes on actual system information like credentials, credit card details, and so on. The attack is usually initiated when a user opens a link that has been planted by an attacker. Rather than accessing the actual resource, the user lands on an impersonation and is tricked into performing various actions.

    1 in 99 E-mails is a phishing attack.

    2 in 3 attacks contain malicious links.

    1 in 2 contains malware embedded in them.

    --Avanan's Global Phish Report

    System Hardening: The process of analyzing an application environment and attack surface to identify and remove unused code, unwanted functions, and default environment configurations. This can be done on many levels in the system including but not limited to:

    Application Level

    Operating System

    Server

    Database

    Network

    Web Attacks: These include attack opportunities on web interfaces, mainly business websites. Common among these are SQL injection and cross-site scripting attacks. These attacks exploit weak input validation and missing security controls to inject and execute code snippets. While SQL injection targets the underlying database to access credentials and the underlying application models, cross-site scripting targets the front end, where injected JavaScript is executed in the client’s browser.
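    As an added illustration of the two web attack classes just described (example code, not from the book), the following Python compares a login query built by string concatenation with the same query using bound parameters, and a comment renderer with and without HTML output escaping. The in-memory table, the `alice` account, and the sample inputs are constructed for the example.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one user table with a single account.

    The password is stored in clear text only to keep the injection
    demonstration short; a real system stores a salted password hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The user-supplied strings are spliced into the SQL text, so a quote
    # character in the input ends the literal and the remainder is parsed
    # as SQL. A harmless apostrophe (O'Brien) breaks the query; a crafted
    # one changes its logic. This is the weak input handling the text names.
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Bound parameters: the driver passes the values separately from the
    # statement, so the input is always data and never alters the query.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def render_comment_vulnerable(comment: str) -> str:
    # Untrusted text placed straight into markup: any tags in the comment
    # are interpreted by the browser instead of being shown as text.
    return "<p>" + comment + "</p>"


def render_comment_escaped(comment: str) -> str:
    # Output encoding for the HTML text context turns markup into inert text.
    return "<p>" + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"   # constructed input containing a quote
    print("concatenated query, crafted password:",
          login_vulnerable(db, "alice", crafted))       # True: check bypassed
    print("parameterized query, same input:",
          login_parameterized(db, "alice", crafted))    # False
    print(render_comment_escaped("<script>alert(1)</script>"))
```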

    Denial-of-service: Denial-of-service or DOS attacks aim to flood a service with overwhelming traffic and requests, rendering it inaccessible to the actual intended users. This results in the interruption of services and a loss of business. The attacks themselves do not aim to steal or alter information, but are often used as distractions and cover-ups for other malicious activities. Given the scale of applications and their deployment hardware, DOS attacks are often carried out via multiple systems pooling at the same time. This ensures that the target’s capacity is reached before an individual attacker’s system resources are exhausted. This collaboration is known as a Distributed DOS or DDoS attack.

    Session Attacks: A session can be defined as a group of user interactions from the web client to the server for an application. A general practice to secure web applications is to authenticate the user at the beginning of the session and store the authentication information in an object on the server side, with an identifier being sent to the web end. Subsequent requests are validated on the basis of that identifier being passed to the server and the server checking it against the session information at its end. A poorly handled session can result in session hijacking or a man-in-the-middle attack, wherein the attacker gains access to an active user session or replicates it, and the system is unable to differentiate between the attacker and a legitimate user.

    Credential Harvesting: With a large digital footprint across apps and websites, a common problem nowadays is credential storage and memorization. This often leads to weak and easily breakable credentials. Another issue arises when a person uses the same set of credentials across multiple applications, and a compromise of one leaves all the accounts compromised.

    Insider Threats: Perhaps the hardest to mitigate, insider threats for an organization refer to attacks orchestrated by people having partial or complete knowledge of the internal workings of the system. Poor security awareness or assessment leading to accidental leaks tends to be one of the factors, but mostly these are disgruntled employees or people looking to make a quick buck by selling insider information. Another issue arises if the information access policy does not securely handle ex-employees and their access is not revoked in time.

    Now that we have a basic understanding of an information system and the security aspects, it is time to understand the actual players of the game.

    Figure 1.4: Breach Incident Sources --PURPLESEC

    Ethical Hacking

    Hacking refers to the act of short-circuiting your way into and around a system. The process bends, circumvents, and reengineers the rules of a system to achieve one’s goals. For an information system, it is an act of gaining access to a piece of information or some resource that one is not entitled to.

    A simple real-world example to understand hacking is jump starting a car. In normal usage, the battery of the car supports the ignition and the process starts the car. But let’s say you forgot to turn off the lights one night and the battery is all drained in the morning. One solution is to tow your car to a mechanic and have the battery charged, or to remove the battery yourself and get it charged. However, a much simpler solution that most of us use is to get another car, connect one end of the jumper cables to the battery of
