
Introduction To Ethical Hacking

BSides Delaware · 2018 · 34:32 · 291 views · Published 2018-11

That worked, thank you. So, my talk: it's an honor to be here at BSides Delaware. It's actually my first time at BSides Delaware; it's been a great experience so far, and I'm honored to be able to present here today. Today we're going to talk about an introduction to ethical hacking: what is an ethical hacker, how to keep yourself from getting in trouble when you're hacking, you know, the ethical part that goes along with it. A little bit about me: who's this Brandon guy anyway, he just comes out of nowhere? I am the lead of the cybersecurity practice at Appalachia Technologies, based out of the capital of Pennsylvania, Harrisburg, PA. We're right across the river, but no one knows what that town is,

so I say the capital; people know where that is, generally. And we do a lot of cybersecurity: we do a lot of penetration testing, a lot of vulnerability assessments, and along with that, going into different clients for incident response. So that's what we do. I have a master's of cybersecurity and information assurance from Western Governors University, very painfully achieved, EC-Council Certified Ethical Hacker and Certified Hacking Forensic Investigator, which means I studied a lot of flashcards, is what that basically means. So the important credential here is: I like to program in Python and hack stuff, because as we all know, actually doing the work is what's important. So today's agenda: we're going to talk about what is a hacker, what

makes an ethical hacker, an introduction to ethical hacking. We're going to talk about the Penetration Testing Execution Standard; it's been around for a long time and is still very important in the industry. Methodologies tend to stay the same: while technologies, tools and some processes change, the methodologies remain the same. 2+2 is still 4, although some people like to debate that nowadays in our current culture, but in general those methodologies, those fundamentals, are the same. I was just saying to a gentleman recently: ping in 1980 still works the same way today; that hasn't changed. Fundamentals are important. We've got to talk about what's next in ethical hacking, how you can hack things without getting into trouble. So what is a hacker? Well,

the modern definition of the word hacker is a person that gains unauthorized access to data, or a cyber criminal. But that's not what it always meant. The original meaning of the word was a skilled computer expert that could reverse-engineer things, that had a lot of knowledge. That's what the original meaning of the term hacker meant, but in today's society and landscape it's unfortunately misused many times. There is an effort in our industry, and I urge everyone in this room, if you're using the word hacker in a negative meaning, to replace it with the word cyber criminal in order to change this mindset. As an industry, we need to use the terms correctly in our own industry if we want

to get other people in other industries to use them correctly. So, "move fast and break things": if you're talking about someone who is a cyber criminal, they move fast and break things, and they don't really care if they break things. For us in our industry, when we're testing things for an organization, we don't want to break things without thinking. That's important: if the server of our company goes down, they could lose a lot of money. So who are hackers? There are the offensive people, the defensive people in the mix, and then purple team is sometimes a mix of both, or sometimes people say that that's more management, although I'd say purple has become more synonymous with doing both things. And as

Chris Robbins said, for that reason everyone's purple now; no one's red or blue anymore. It's like you would build up castle walls, multiple layers of defense, when you're architecting things; that's one point of view. You put up all those different layers. When you're hacking things, you break down those layers; you break through each layer and continue to go through until you get to that critical data you're looking for. So what is this hacking methodology? Well, it has just a couple of parts to it: there's the pre-engagement phase, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and then the most important part of the entire engagement, because your management team, anyone you work with, will not care about the other parts

of this engagement; they'll only care about the report and how valuable that is. So when you're doing a pre-engagement, before you do a vulnerability assessment or a penetration test, there's a couple of things you need to think about. One of them is, what is the reward for the engagement? If you're doing it for your company, the reward might be that we're going to find out where we're going. If you're doing it for a client, what is the fee or monetary cost going to be to conduct a penetration test? What is the scope of the engagement and the objectives? One of the things we want to identify is what's vulnerable. And then, what are the rules

for the engagement? This is very important: are we allowed to attack this web address and run penetration testing on this web address? I was very recently in a discussion with a potential client; they were saying that someone that they had engaged to do a penetration test actually attacked the wrong domain address. They actually did a penetration test against the wrong domain. That is illegal; they broke the law, and even though it was an honest error, if you were to hit a building or hit someone with your vehicle and you said "I didn't see them", that would not mean that you're not guilty. In the same way, when we're using these tools, and we're talking about ethical hacking, you have to be very

careful with our targets. It's a very methodical process if we want to do it legally, which we all should want to do. I don't want to see any other white hats going to jail. So intelligence gathering, or reconnaissance: there's a lot of ways we can do this. You think of yourself kind of as a spy; you want to gather intelligence on a company you're hired to do an engagement for. So there's two types of methods you can employ when you're gathering intelligence: a passive method, which is kind of stalkerish and creepy, or a very active method. Active methods tend to leave logs on clients' servers; good blue team members will pick up on abnormalities when you're doing active

methods, while passive methods sometimes aren't as passive as they seem, such as dumpster diving, which, believe it or not, is still very viable in today's age. People still throw away very important documents in the trash. One thing that I point out a lot is job ads. We've been talking a lot and scrutinizing HR a lot for this, but today even more so, I think, as the technical people in our organizations, we have to be very careful when we're talking about advertising for jobs. We reveal a lot of information about our company and our infrastructure in those job ads. This one, for example, we're talking about: we know that they run Windows 7, we know some of these frameworks they use. That could

be very dangerous. Another unfortunate side effect, of this website: how many people have ever used Elliott Advocacy? Nobody. So Elliott Advocacy is a website that gathers and aggregates all the contact information for CEOs and customer care representatives at all kinds of companies, and I can see some faces in the room; some people realize the bad parts of it. So there's email addresses of CEOs that people can gather, and gathering that information, sometimes we do phishing attacks. This can be very dangerous, but this is out there; it's free, anyone can go and look at it. So you can gather information, and all these things we've done without going to the company's website; they don't know we

gather this information. Of course you can do WHOIS lookups; that's very common, finding out lots of different things about the domain. Shodan, I'm sure many people in here have used it before; it aggregates lots of information from various websites. This is my own website; you can find out lots of information about where I host my website, it's no secret. The Wayback Machine web archives: we can go look at what websites looked like. This can give an indicator of attack if you're looking to break into a website without actually visiting that website. There's other reconnaissance tools: theHarvester, recon-ng, Maltego. You can find all kinds of great information using these tools. Most of

them are command-line tools, but some of them, like Maltego, can actually map out the adversary's network, and in some cases will create a better network diagram than most companies even have internally, which, as I often say, if you don't know what your network looks like, then your adversary probably does. So those are the passive methods, but there are times we need to move on; we need to do more active methods of intelligence gathering. That doesn't give us quite enough (it gives us a lot of information, though), but we need to move on to more active reconnaissance. If we're doing web reconnaissance on a company, we might actively visit the company's website to do some scanning and fingerprinting, spider that website,

look at all those directories. There was a law firm, I won't say which one, they had a directory open; they didn't realize it. You could browse and see very important client documentation on their website. These things happen all the time. Everyone today is in a rush to do things, and oftentimes things get missed. And then intercepting proxies: you can intercept information, man-in-the-middle attacks. This is my awful website; I like using it as an example because I have permission to hack my website. This is Wappalyzer, and what this tool will do, it's a Google Chrome plugin, is it will actually query and get you all the information on the frameworks of the website you're visiting, so you can

see all the different version numbers of the JavaScript frameworks, what it's running on, gather that header information. Very important: when you go into a website you can find out all kinds of really bad version information. Nikto is a server scanner; you can look for misconfigurations, examine HTTP headers and identify all kinds of frameworks being used. Now again, you might just use Wappalyzer, but if that doesn't work you can use Nikto. It's very easy to use: nikto, and then -h and the IP address, and it'll run a whole bunch of checks, and oftentimes you'll get some information. Now these are noisy; these are going to create traffic in the web application log. In general, if no one is checking

it, which is often the case, no one will know, and in general hopefully you were contracted out to do this, so there will be some indicator that people know you're looking at their website. Skipfish is a high-speed web vulnerability scanner; it can do over 400 requests per second. It's very straightforward and easy to use and detects a wide range of issues. Using skipfish is very straightforward: skipfish, you select your URL and you run it. Again, it's another command-line tool; you can see how fast the requests add up. It's very easy to brute force and attack systems using tools like this. Arachni is one of my favorite tools, and it's not often talked

about. It's a web application exploitation framework; it can automate and schedule web vulnerability and application scans. It has a very high success rate of detection, it's 100% free and open source, and it's very easy to use; it has an API and things in it. It's a very nice tool to check out. I recommend it for people that are looking to dive into more web application security testing; lots of cool things you can do with it. OWASP ZAP is an open-source, easy-to-use integrated pen testing tool for finding vulnerabilities in web applications. It is an intercepting proxy, and what that means is you can sit in front of web traffic; it actually intercepts web traffic on a

website. This is why you often hear IT administrators ask, why is SSL so important, why is it so important we encrypt all this data? I still get asked that today, and oftentimes I'm still explaining it. But when you're looking at this, you can intercept and change all that information that's going through. Burp Suite is a commercial tool; they do offer a free version. It's similar to OWASP ZAP; it's considered to be the de facto standard. If you have aspirations of doing anything in bug bounty hunting, Burp Suite is what you're going to use. It's about $400 for the professional version. I recommend it to a lot of people. It can auto-scan websites for hundreds of vulnerabilities, intercept,

it can repeat, every classic thing, and do a lot of cool things, and it's extensible with the Python and Java programming languages. Network vulnerability scanners: we have a lot of them in the industry and at the same time so few of them. OpenVAS is the open-source one; this can be used and automated to automatically find vulnerabilities. I'm pretty sure almost everyone in this room at one point has heard of or used Nessus; it's the de facto standard in the industry for vulnerability scanning. There is Nexpose, which is by Rapid7, the same company that owns Metasploit, and Retina Network Security Scanner, and then Nmap is in there too, because despite what people think it's not just a network mapping

tool. You can find a lot of vulnerabilities and things just using Nmap, and Nmap can be programmatically set up so you can find a lot of different vulnerabilities; lots of options. And of course, if you want to dive very deep into the weeds, you can roll your own using things like Python and things like Scapy; you can create your own packets and information, you can create your own scanners. And you can even use mitmproxy, which is a command-line proxy; it's very similar to Burp in that we can intercept web requests, send commands, but be in the command line and in a more scripted and automated fashion. So what is reconnaissance? It's really just gathering

information, and the more information you have when you're conducting a penetration test, the more valuable it's going to be. So then threat modeling: what did you find, how valuable is what you found, what's the threat to the business or the organization, and what threats does the organization face from cyber criminals? There's a lot of times where different organizations will face various threats. For a financial institution, maybe it's all the routing numbers or banking numbers; if you're a restaurant, maybe you process thousands of credit cards. So understanding the threats specific to your organization is important in order to be successful. Exploitation and post-exploitation: this is the part where you need permission. So everything we've looked at, a lot of the scanning in

general, won't get you in trouble. If we compare it to the physical world, oftentimes you might be outside someone's house and kind of looking at it, saying that's a really nice house, they have some really bad hinges on the door and it's wide open. You know, you're kind of looking at it; you haven't done anything, you haven't trespassed, you haven't broken in. When you're exploiting a vulnerability, that's kind of like just walking into someone's home, and oftentimes you'll hear a lot of cybersecurity professionals, and I'm guilty of this too, say, well, they really should have secured that, they should have known better. But just because they left the door open doesn't mean you can trespass,

go in and walk out with their big-screen TV. It's not like you go to court and say, okay, I can stop in to get a new big-screen TV, they left the door open. That's not how that works. That's not how it works in cybersecurity either; you can't just pick on companies because they didn't have the right security measures in place. You can't just hack into them; that's still breaking the law. So when we're exploiting, we're actively testing those vulnerabilities to try and penetrate.

Well, I will have the link to all the slides. Unfortunately I only have like three minutes left; this is a fire talk and I forgot. So network exploitation tools, there's a lot of them: we have Metasploit, we have Canvas from Immunity. Exploit Pack is a great tool made by this guy in the Netherlands; I talk to him all the time. It's a great open-source exploitation tool if you're looking for something other than Metasploit; I recommend it: 400 exploits in the free open-source version, over 38,000 in the paid version. And then there's some other ones on here you don't think about: Bash shell scripting, PowerShell. A lot of malware is being written in these shell

scripting and programming languages. These are exploitation tools; you don't think about them as exploitation tools, but they are. And then how many people have ever used bWAPP? It is a web application training tool; it has a lot of different things in it. And just so everyone understands what we're talking about when we're talking about exploitation: we are going to log in as Alice by simply taking advantage of the lax PHP and commenting out the line of code. So now we've logged in as Alice. I didn't do a whole lot; I commented, I exploited SQL injection. You're like, that's really basic, why are you showing it? Because if you didn't get permission to do that, you just committed

a crime. This is what we're talking about with ethical: doing that could give you three to five years in prison, in my opinion, not legal advice. And this is why it's so important when we're talking about hacking, and I get it, I'm very passionate about this stuff as well, it's very interesting to me, but we have to understand from an ethical standpoint we can't do these things willy-nilly. We need to be very careful and strategic about how we do it. I know many people who don't even do bug bounty hunting because of the methodical planning that has to go into making sure you're attacking the right website and you're not doing anything adverse or illegal. And then reporting. Reporting is very

important, as I said, but there aren't a lot of great standards for reporting. There's a couple of open-source tools: there's Dradis, there's Faraday, but there isn't a lot of de facto standard for creating reports. Every organization seems to have a different way of doing it, and some people use the built-in reporting in Nessus or Metasploit; a lot of companies will write their own. Offensive Security has a great reporting framework that they use, but a lot of it is really just methodology: what are you going to include in that report? Whether you're doing an internal or external penetration test, you want your information to be concise and clear. Executives don't like reading long 300-page reports; I've discovered this

through a very painful process. You want to include the executive summary of your findings. If you're doing bug bounties, you want to include a short video of how you exploited the bug you found, because oftentimes if you don't, they're going to ask, show me how you did this. So oftentimes you need to show proof of why this is vulnerable, how this affects this company or organization; show the work, so to speak, if anyone remembers that from math class. Oftentimes I figured it out, I was using a calculator, so it doesn't work very well for me. Give an explanation of the impact of the vulnerability to the organization: how critical is it that they fix this? Equifax, whether good or bad, which was all

bad, really: the executive from that, one of the quotes that he said was, the cybersecurity professionals didn't adequately tell me how bad this vulnerability was. Whether he was telling the truth or just saying that to cover himself is irrelevant. As cybersecurity professionals, we are put in a position of responsibility; we have to make sure upper management, executives, know the impact of these threats. We have to be careful not to be the boy who cried wolf, because if we're screaming every day they're never going to listen to us when it's a critical threat to the organization. So there's lots of examples of reports; you can go out there and look at them. Penetration testing is a very

expensive endeavor. The average penetration testing engagement costs $33,000. Bug bounties start at $50, up to $120,000 for finding one flaw. At DEF CON I listened to the guy who found the flaw in, he found one flaw in Google Pixel; Google paid about one hundred and twenty thousand dollars, one of the largest bounties ever. I don't know how many hours he spent reverse engineering WebAssembly to figure out what he did. There is money to be made here by being an ethical hacker and understanding these things; there is plenty of incentive to do this. If you like doing this in the field, even better, because we need more passionate people involved in this industry. So what's next?

That's kind of the framework; it goes through all of these different facets. But what's next? So now, Brandon, you told me all this, you scared me a lot by talking about jail a lot and giving your opinion; so now what do I do? Well, now the training begins, cue the Rocky montage. You can download a lot of different tools to hack ethically on your own systems. OWASP Broken Web Apps is a great one for web applications. It's a little older; it's not fully supported, but the great part about using outdated web applications is that a couple of years later they're still just outdated web applications; they don't really change, right? So you can download that, and that

has several different tools that you can use to hack ethically in a safe environment. Metasploitable 2 is a tool that was built to test Metasploit, but it's just a great tool for learning how to hack ethically in an environment where you're not affecting any live systems. And you can use, it's good, VirtualBox, VMware, any of those virtualization tools for doing your testing. Windows 10 has Hyper-V built in; some people don't like Hyper-V, but it works in a pinch if you've got nothing else. Web Security Dojo is another great one that has the tools and the vulnerable web applications in one ISO image. So I recommend everyone download Kali Linux, load it up in a VM, give it a try,

and another great resource is Hacksplaining; it explains a lot of the different web application hacks. So this example: all the different applications on the Broken Web Apps, including WebGoat, Security Shepherd, bWAPP as we saw earlier, and it has some old, horrible, real-world web applications too, like WordPress, because I'm sure no one in here has ever visited a WordPress website; many of them are vulnerable. Then there's a lot of great websites for learning more about ethical hacking and how to hack ethically. Events: Offensive Security has a great resource on learning Metasploit with their Metasploit Unleashed course. Null Byte on WonderHowTo.com has a ton of great tutorials on learning Python, learning all kinds of

exploits; again, you want to do it in a safe environment. Hack The Box is a great CTF, or capture-the-flag, platform for testing out things in a safe environment. Cybrary has tons and tons of great free video resources. One that I recommend, it's very new, only a couple weeks old: a good friend of mine, Ken Underhill, who will probably give me flack for saying his name later, did a great course on penetration testing and ethical hacking. I recommend everyone check it out; after all, it's free. Now bug bounty hunting: I recommend everyone who's a cybersecurity professional do a little bit of bug bounty hunting. It's fun, it's a great activity, as long as you make sure

you're doing it in a legal manner and you follow all the rules the company sets for the engagement. It can be a great way to learn, and based off Bugcrowd's report, they say a pro bug bounty hunter, now the key word there is pro, someone who's done it a lot, a very good expert, can make an additional ten to five hundred thousand dollars a year. Now I assume that guy who made 120 thousand throws off this whole scale a little bit, but there again, you can make additional income if that incentivizes you to learn this stuff. Great resources are hackerone.com, bugcrowd.com and hacker101.com, which will actually teach you about bug bounty hunting; that is all that site is about.

It's sponsored by HackerOne. And then again, we talked about Hack The Box, but there's a lot of additional resources for capture-the-flag. In fact, if you've never participated in a CTF, there's one going on upstairs right now. And capture the flags are where you're hacking different boxes; you find different text files with a long string, and that's what we call a flag, and then you submit it and you get points for everything you hack, and that's a great way to learn while also having fun too, in a safe environment. These are all additional websites, most of them are free, I think a couple of them are paid, that you can use to again up your ethical hacking skills. And there's other great resources. I

encourage everyone to always go to events like this one, meetups; find your local events. I do one in Central PA called PA Hackers, and we meet every month and we just discuss all kinds of things. Again, Cybrary is a great resource. eLearnSecurity.com is one of my favorite resources for learning penetration testing; it's not a very well-known training resource, but their courses are very cheap and the training is just phenomenal, so I recommend them if you're looking. And they actually do have a bare-bones free course that you can do. And I always recommend in this field, and I say it even to all of our IT staff, everyone should learn Python. In fact Microsoft, which you wouldn't

think they'd do this, they did a course on just learning Python; it's actually pretty good and it's free, so you can learn Python by going through Microsoft's course. So in sum, we learned what is a hacker, what's the ethical hacking lifecycle, and how to get started in ethical hacking. So this is the time for, I have like 30 seconds for questions and answers; I somehow made it. But you can visit my terrible blog that I don't update nearly enough, brandonkeath.com, for all kinds of different security updates. I run a meetup group called PA Hackers in Central PA; I'd love to see anyone who's out in PA at some point. If you're in the area when we're doing

something, come see us. The link to the slides is github.com slash be a hacker slash presentations; you can find this whole presentation there. And again, I did say there is a free course you can get; they don't pay me to do this, I just recommend it because I've gone through it and I love their content. eLearnSecurity does offer a free Penetration Testing Student course if you register for the ethical hacking network. And with that, any questions? Thank you.
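The talk makes the point that active reconnaissance tools such as Nikto and skipfish are noisy and that a good blue team picks up the abnormalities they leave in web server logs. The following is an added example of what that detection can look like on the defender's side; it is not code from the talk or from any of the tools mentioned. It parses constructed Combined Log Format lines, profiles each client by request rate, 404 ratio and user-agent, and flags clients whose traffic looks like a scanner. The sample log, the IP addresses, the `/probe-N.bak` paths and the thresholds are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format (Apache/nginx style):
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Substrings that well-known scanners put in their default user-agent. This is a weak
# signal on its own: any client can send any user-agent, so the rate and 404 checks matter more.
SCANNER_UA_MARKERS = ("nikto", "skipfish", "arachni", "sqlmap", "nmap")


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in Combined Log Format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def profile_clients(lines):
    """Group parsed lines by client IP and summarise each client's behaviour."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() or 1.0  # avoid division by zero
        n = len(recs)
        n404 = sum(1 for r in recs if r["status"] == 404)
        profiles[ip] = {
            "requests": n,
            "rate_per_s": n / span,
            "not_found_ratio": n404 / n,
            "distinct_paths": len({r["path"] for r in recs}),
            "scanner_ua": any(mk in r["ua"].lower() for r in recs for mk in SCANNER_UA_MARKERS),
        }
    return profiles


def flag_scanners(profiles, min_requests=20, max_rate=5.0, max_404_ratio=0.5):
    """Return {ip: [reasons]} for clients whose profile looks like automated scanning.

    Thresholds are assumptions for the example; tune them against your own baseline traffic.
    """
    flagged = {}
    for ip, p in profiles.items():
        reasons = []
        if p["scanner_ua"]:
            reasons.append("scanner user-agent")
        if p["requests"] >= min_requests and p["rate_per_s"] > max_rate:
            reasons.append("burst rate")
        if p["requests"] >= min_requests and p["not_found_ratio"] > max_404_ratio:
            reasons.append("high 404 ratio")
        if reasons:
            flagged[ip] = reasons
    return flagged


def constructed_sample_log():
    """Constructed sample: one scanner-like client and one ordinary visitor (not real traffic)."""
    lines = []
    # 40 guessed paths in four seconds, mostly 404, with a Nikto-style user-agent
    for i in range(40):
        lines.append(
            f'203.0.113.7 - - [10/Nov/2018:10:00:{i // 10:02d} -0500] "GET /probe-{i}.bak HTTP/1.1" '
            f'{404 if i % 5 else 200} 153 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"'
        )
    # an ordinary visitor reading five pages over five minutes
    for i, path in enumerate(["/", "/about", "/blog", "/blog/post-1", "/contact"]):
        lines.append(
            f'198.51.100.4 - - [10/Nov/2018:10:0{i}:30 -0500] "GET {path} HTTP/1.1" 200 4096 '
            f'"https://example.test/" "Mozilla/5.0 (Windows NT 10.0) Firefox/63.0"'
        )
    return lines


if __name__ == "__main__":
    for ip, reasons in flag_scanners(profile_clients(constructed_sample_log())).items():
        print(ip, "->", ", ".join(reasons))
```

The user-agent check catches only a scanner run with default settings; the rate and 404-ratio checks are what catch a scanner whose operator changed the user-agent, which is why an authorized tester should expect to show up in the logs either way.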
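The bWAPP login walkthrough in the talk logs in as Alice by using a SQL comment marker to cut off the password check. The following is an added example, not code from the talk or from bWAPP, that reconstructs the mechanism against a constructed in-memory SQLite table and puts the fixed version beside it: the string-built query lets a quote plus `--` truncate the statement, while the parameterized query passes the same input as a plain value and finds no such user. The table, the user names and the passwords are assumptions made up for the example; the table stores plaintext passwords only to mirror the training app, real applications store password hashes.

```python
import hmac
import sqlite3


def make_db():
    """Constructed in-memory user table mimicking a training app (plaintext passwords on purpose)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is spliced into the SQL text, so a quote and a comment marker
    in the username end the string early and comment out the AND password = ... clause."""
    query = (
        f"SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """Hardened: the SQL text is fixed and the username travels as a bound parameter, so
    quotes and comment markers are just characters in the value. The password is then
    compared in constant time rather than inside the query."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return None
    return username


if __name__ == "__main__":
    db = make_db()
    bypass_input = "alice'--"  # the comment-marker trick described in the talk
    print("vulnerable, bypass input:", login_vulnerable(db, bypass_input, ""))
    print("hardened, bypass input:  ", login_hardened(db, bypass_input, ""))
    print("hardened, real password: ", login_hardened(db, "alice", "correct horse"))
```

Running it shows the string-built query returning `alice` for an empty password, while the parameterized version returns `None` for the same input and only succeeds with the real credentials. The fix is the query construction, not input filtering: a prepared statement keeps data and SQL syntax separate no matter what characters the input contains.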
