Hands-On Ethical Hacking Tactics: Strategies, tools, and techniques for effective cyber defense
Ebook, 1,116 pages, 11 hours


About this ebook

If you’re an ethical hacker looking to boost your digital defenses and stay up to date with the evolving cybersecurity landscape, then this book is for you. Hands-On Ethical Hacking Tactics is a comprehensive guide that will take you from fundamental to advanced levels of ethical hacking, offering insights into both offensive and defensive techniques. Written by a seasoned professional with 20+ years of experience, this book covers attack tools, methodologies, and procedures, helping you enhance your skills in securing and defending networks.
The book starts with foundational concepts such as footprinting, reconnaissance, scanning, enumeration, vulnerability assessment, and threat modeling. Next, you’ll progress to using specific tools and procedures for hacking Windows, Unix, web servers, applications, and databases. The book also gets you up to speed with malware analysis. Throughout the book, you’ll experience a smooth transition from theoretical concepts to hands-on techniques using various platforms. Finally, you’ll explore incident response, threat hunting, social engineering, IoT hacking, and cloud exploitation, which will help you address the complex aspects of ethical hacking.
By the end of this book, you’ll have gained the skills you need to navigate the ever-changing world of cybersecurity.

Language: English
Release date: May 17, 2024
ISBN: 9781801818650

    Book preview

    Hands-On Ethical Hacking Tactics - Shane Hartman


    Hands-On Ethical Hacking Tactics

    Copyright © 2024 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    Group Product Manager: Pavan Ramchandani

    Publishing Product Manager: Prachi Sawant

    Book Project Manager: Ashwin Dinesh Kharwa

    Senior Editor: Isha Singh

    Technical Editor: Yash Bhanushali

    Copy Editor: Safis Editing

    Proofreader: Safis Editing and Isha Singh

    Indexer: Manju Arasan

    Production Designer: Prashant Ghare

    DevRel Marketing Coordinator: Marylou De Mello

    First published: April 2024

    Production reference: 1120424

    Published by Packt Publishing Ltd.

    Grosvenor House

    11 St Paul’s Square

    Birmingham

    B3 1RB, UK.

    ISBN 978-1-80181-008-1

    www.packtpub.com

    To my wife, Susan, for your love and support while taking this life-long journey with me.

    To my sons, Jacob and Aiden, for reminding me that life moves quickly, and if you don’t stop once in a while and look around, you might miss it…

    – Shane Hartman

    Foreword

    I have known and worked with Shane Hartman for more than 13 years. Shane is a leading ethical hacking and counterintelligence expert. In this book, Hands-on Ethical Hacking Tactics, Shane takes you on a learning journey that started nearly 30 years ago for him when he was hardening networks as an IT administrator and later specializing in identifying, responding to, and remediating the most advanced cyber threats to date. Shane is the kind of individual who tinkers with new technologies as they come out, such as near-field communication (NFC) in his lab, to see what he can break within a new protocol on a mobile device for payment systems, to review and understand new vulnerabilities to construct mitigations against attack.

    In this book for undergraduates or those just starting in the business, Shane has leveraged his real-world field experience to build a practice guide for new practitioners in a hands-on approach to ethical hacking – bravo! All too often, we see books that academically discuss how to configure and harden a network or the opposite on how to generically perform a penetration test. We now have a generation of tool monkeys that don’t have much of an understanding beyond using a tool.

    Real penetration testers worth their salt need to understand architecture, protocols, integrations, and more from both the red and blue team perspectives and must be tactical in how they achieve outcomes. They must also be able to prove it with trust but verify theories and approaches and, most importantly, validate, which is what this book is designed to do.

    Shane provides that introduction here to ethical hacking, from both offensive and defensive perspectives, to both orient and enable readers to start their journey. His view considers techniques, tactics, and procedures (TTPs) (MITRE ATT&CK) in everything he does, evidenced by how he thinks and walks readers through the training in this book. Practical guides that lead the reader along the way, such as setting up a vulnerable Linux host, are clear, specific, and easy to follow, and are designed to cover both the setup and how the user leverages it for penetration testing.

    Shane’s experience as the author of this book is significant. When I first met him well over a decade ago, he was a veteran expert within the IT administration field, eager to solve problems and learn the world of intelligence, counterintelligence, research, and response. This requires the pursuit of extreme problem solving with out-of-the-box thinking and mature critical thinking skills applied to complex problems within diversified and constantly changing cyber environments. Shane was hired and proved to be one of the most trusted, leading cyber threat intelligence analysts I know, responding to some of the most significant cyber challenges seen to date by sophisticated adversaries in cybercrime.

    Since then, Shane’s experience now includes traditional commercial, federal, state, and local government, both small and large Fortune 100 organizations, to defend against nation-state actors, cyber-criminal rings, hacktivists, cyberterrorism, and more. He has real-world experience in dealing with the threat of the unknown and undiscovered for over a decade, managing incident response for emergent risks and identifying and countering adversarial TTPs. This combined experience provides Shane a unique and non-traditional view into the real world of how our adversaries are successfully attacking and attempting to breach, enabling him to author this book to help readers apply ethical hacking programs and proactive security measures to reduce risk in their organization.

    Ken Dunham

    CEO of 4D5A Security

    Contributors

    About the author

    Shane Hartman is a senior incident response consultant for TrustedSec. In this capacity, he is responsible for delivering holistic incident response services using state-of-the-art host- and network-based tools. Using these tools, combined with advanced methodologies, he assists clients in obtaining situational awareness and rapidly identifying threats as part of a tactical response to intrusions involving sophisticated adversaries that target intellectual property and other critically sensitive data.

    Prior to joining TrustedSec, Shane was an incident response consultant for RSA, where he performed incident response, threat hunts, and training. Before RSA, Shane performed malware analysis for iSIGHT Partners/FireEye, now Mandiant. In this capacity, he provided analysis and threat intelligence based on the behavioral profile of submitted samples. This role included producing actionable intelligence, threat modeling, and mitigation techniques. Prior to malware analysis, Shane was performing perimeter security operations. This role covered the monitoring and maintenance of perimeter security software and devices, including firewalls, VPNs, architecture, and web services.

    Shane is experienced in several areas, including threat hunting, network packet and log analysis, and network architecture, and has been working in information technology for the past 25+ years with 15+ of those years in information security.

    Shane has presented at several industry conferences on security-related research and has taught at the college level on topics such as digital forensics, ethical hacking, and offensive computing for the last 13 years.

    Shane received his BS in business/E-business, and his MS in digital forensics. His graduate focus was on malicious applications in the Android environment. He holds or has held the following certifications: Certified Information Systems Security Professional (CISSP), GIAC Certified Intrusion Analyst (GCIA), and GIAC Reverse Engineering Malware (GREM).

    About the reviewers

    Ashley Pearson has over a decade of industry experience in various disciplines including system administration, incident response, threat hunting, and, more recently, cyber threat intelligence. She began her career in the United States Air Force as a system administrator, later specializing in host and network forensics as a cyber warfare operator. She is currently a senior threat analyst on Mandiant’s Advanced Practices team.

    She received her BS in Cybersecurity and Information Assurance from Western Governors University, and her MS in digital forensics from the University of Central Florida.

    I’d like to thank my husband, John. Thank you for always supporting my constant side projects and career ambitions, and for tolerating the occasional nerd conference. I’d also like to thank the Alliance of Noble Warriors for their encouragement throughout the years.

    Ahmed Neil is a well-known thought leader in the cybersecurity domain whose work focuses on approaches to information security, threat hunting, threat intelligence, malware analysis, and digital forensics. He also has a passion for academic research in the field of cybersecurity. He holds an MSc in computer forensics. He is currently working at IBM as a cybersecurity engineer (operations).

    Narendra Bhati, a seasoned cybersecurity professional with an impressive 12-year tenure and a passionate commitment as a bug bounty hunter, holds the position of Manager at Suma Soft Pvt. Ltd. He is OSCP, OSWP, and CEH certified.

    His expertise extends to discovering critical vulnerabilities such as arbitrary code execution and the same-origin bypass vulnerability in Apple’s Safari browser. He has tackled spoofing and sandbox vulnerabilities in the Google Chrome browser, along with identifying vulnerabilities within recognized platforms such as Facebook, Twitter, Google, and Microsoft.

    Narendra has also identified security issues within cryptocurrency wallets such as MetaMask, Coinbase, Enjin, and MyEtherWallet.

    I extend my gratitude to my understanding family and friends, who recognize the commitment needed to navigate the ever-changing landscape of cybersecurity. Special thanks to the entire infosec security community and its trailblazers for making this field an exciting and dynamic workplace. Your contributions are truly valued, and I am always thankful for everything you do!

    The author acknowledges the use of cutting-edge AI, such as ChatGPT, with the sole aim of enhancing the language and clarity within the book, thereby ensuring a smooth reading experience for readers. It’s important to note that the content itself has been crafted by the author and edited by a professional publishing team.

    Table of Contents

    Preface

    Part 1: Information Gathering and Reconnaissance

    1

    Ethical Hacking Concepts

    Technical requirements

    What is ethical hacking?

    Elements of information security

    Why do intrusions and attacks happen?

    Motive

    Means

    Opportunity

    Types and profiles of attackers and defenders

    Black hat hackers

    Script kiddies

    Hacktivists

    Cyber terrorists/cyber warriors

    Cyber criminals

    White hat hackers

    Attack targets and types

    Network

    Application

    Host

    The anatomy of an attack

    Reconnaissance

    Weaponization

    Delivery

    Exploitation

    Installation

    Command and control

    Actions on objectives

    Ethical hacking and penetration testing

    Defensive technologies

    Lab – setting up the testing lab

    Setting up VirtualBox

    Setting up Kali Linux

    Setting up vulnerable hosts

    Configuring the vulnerable Windows host

    Setting up the vulnerable Linux host

    Final checks

    Summary

    Assessment

    Answers

    2

    Ethical Hacking Footprinting and Reconnaissance

    Technical requirements

    What is footprinting and reconnaissance?

    Keeping inventory

    Web searches and Google hacks

    Exploring some useful Google hacks

    Preventing exploitation through Google searches

    WHOIS database records

    Accessing WHOIS information

    Understanding the name server entry

    Third-party sources of intel

    Sources for collecting intelligence

    Accessing hidden information

    Maltego

    GitHub and online forums

    SpiderFoot tool

    Dmitry

    Shodan

    Archived information

    Lab – Reconnaissance

    Summary

    Assessment

    Answer

    3

    Ethical Hacking Scanning and Enumeration

    Comparing scanning and enumeration

    Exploring scanning techniques

    Ping

    Ping at scale

    Traceroute

    Understanding service enumeration

    Introducing ports

    How do port scans work?

    Port scanning issues

    Scanning countermeasures

    Introducing the Nmap network scanning tool

    Controlling Nmap scan speeds

    Outputting results

    The NSE

    The Nmap GUI

    Mapping the network

    Lab – Scanning and enumeration

    Summary

    Assessment

    Answer

    4

    Ethical Hacking Vulnerability Assessments and Threat Modeling

    Vulnerability assessment concepts

    Explaining vulnerability assessments

    Types of vulnerability assessments

    Vulnerability assessment life cycle

    Vulnerability scanning tools

    Introducing the Nessus vulnerability scanner

    Best practices for vulnerability assessments

    Vulnerability assessment reports

    The elements of threat modeling

    The finding

    The kill chain

    The single asset value

    The organizational asset value

    The estimated risk

    Threat modeling frameworks

    STRIDE

    PASTA

    VAST

    Attack trees

    CVSS

    Threat modeling tools

    Threat forecasting

    Phase 1 - Research

    Phase 2 - Implementation and analysis

    Phase 3 - Information sharing and building

    Threat model lab – personal computer security

    Summary

    Assessment

    Answer

    Part 2: Hacking Tools and Techniques

    5

    Hacking the Windows Operating System

    Technical requirements

    Exploiting the Windows OS

    Exploiting Windows device drivers

    Exploiting Windows networking

    Address Resolution Protocol

    Simple Network Management Protocol

    Server Message Block

    NetBIOS

    Exploiting Windows authentication

    User authentication and movement

    Obtaining and extracting passwords

    Exploring password-cracking techniques

    Authentication spoofing

    Pulling Windows account names via null sessions

    Tools for pulling account names via null sessions

    Privilege elevation

    Exploiting Windows services and applications

    Server-side exploits

    Client-side exploits

    Exploring the Windows Registry

    Windows Registry exploitation

    Exploiting the Windows logs

    Summary

    Lab

    Brute force password crack

    Rainbow table crack

    Assessment

    Answers

    6

    Hacking the Linux Operating System

    Exploiting the Linux operating system

    Exploring the Linux filesystem

    Exploiting the filesystem

    Linux hidden files

    Important files

    Exploiting Linux networking

    Exploiting Linux authentication

    Cracking passwords

    Linux updates and patching

    The Linux logging system

    Exploiting the Linux kernel

    Checking your kernel version

    Exploiting the kernel

    Lab

    Summary

    Assessment

    Answers

    7

    Ethical Hacking of Web Servers

    Web servers’ architecture, configuration, and vulnerabilities

    Adding processing logic

    Threats, vulnerabilities, and exploits to web services

    Web server authentication

    Basic authentication

    OAuth

    Some real-world web servers and ways to combat attacks

    IIS hardening tasks

    Apache web server hardening tasks

    Types of web server/website attacks

    Website defacement

    DoS/DDoS attack

    HTTP response-splitting attack

    Cross-Site Request Forgery

    Deep linking

    Directory traversal attack

    Man-in-the-Middle/sniffing attack

    Cookie tampering

    Cookie-based session attacks

    Session hijacking

    DNS

    Lab

    Summary

    Assessment

    Answer

    8

    Hacking Databases

    Finding databases on the network

    Discovering databases on the network

    Mitigating database discovery

    Exploring databases and database structures

    Database threats and vulnerabilities

    Network-based database attacks

    Database engine faults and bugs

    Brute-force attacks on weak or default passwords

    Misconfigurations

    Remote code execution

    Indirect attacks

    Hidden database servers

    Accessible backups

    Privilege escalation

    Insecure system architecture

    Database server password cracking

    Methods of attacking database servers

    Scanning for vulnerabilities

    Attacking the System Administrator account

    Exploit module attacks

    Google hacks

    Perusing website source code

    SQL replay attack

    Protecting databases

    Hidden or unknown databases

    How insecure databases are created

    Weak auditing and insufficient logging

    Lab – Database hacking

    Setup

    Exercise 1

    Exercise 2

    Summary

    Assessment

    Answer

    9

    Ethical Hacking Protocol Review

    Exploring communication protocols

    Introducing the OSI model

    Introducing IP

    Introducing TCP

    The three-way handshake

    UDP

    ICMP

    Comparing TCP and UDP

    Well-known ports

    Understanding protocol attacks

    TCP attacks

    UDP attacks

    ICMP attacks

    An overview of IPv6

    The setup and configuration of IPv6

    Reconnaissance and attack tools

    Defending IPv4 networks

    Defending IPv6 networks

    Lab

    Exercise 1

    Exercise 2

    Summary

    Assessment

    Answers

    10

    Ethical Hacking for Malware Analysis

    Technical requirements

    Why does malware exist and who are its sources?

    Exploring types of malware

    Virus

    Worms

    Trojans

    Ransomware

    Bots/botnets

    Adware

    Spyware

    Malvertising

    Fileless malware

    Backdoors

    Rootkits

    How does malware get onto machines?

    Analyzing a sample

    Setting up a malware analysis lab

    Static analysis

    Dynamic analysis

    Detecting malware and removing it

    Perimeter monitoring

    Malware prevention

    Summary

    Lab

    Assessment

    Answers

    Part 3: Defense, Social Engineering, IoT, and Cloud

    11

    Incident Response and Threat Hunting

    What is an incident?

    The incident response plan

    The incident response process

    The preparation phase

    Detection phase

    Analysis phase

    Containment and eradication phase

    Recovery phase

    Post-incident activities (postmortem)

    Information sharing and coordination

    Incident response team structure

    Introducing indicators of incidents

    Types of indicators

    IOC tools

    Introducing threat hunting

    Threat hunting tools

    Getting started with the threat hunting process

    Best practices for threat hunting

    Practical aspects of threat hunting

    Lab: Security incident response simulation

    Exercise 2: Threat Hunt

    Summary

    Assessment

    Answers

    12

    Social Engineering

    Introducing social engineering

    Phases of a social engineering attack

    Social engineering attack techniques

    Physical-based social engineering

    Electronic-based social engineering

    Social engineering tools

    Social-Engineer Toolkit

    Browser Exploitation Framework

    Social engineering defenses

    Protecting businesses’ strategies

    Protecting businesses’ policies and practices

    Protecting individuals

    The impact of AI on social engineering

    Lab

    Activities

    Summary

    Assessment

    Answers

    13

    Ethical Hacking of the Internet of Things

    What is IoT?

    Understanding IoT communication

    IoT communication layers

    IoT communication models

    IoT communication protocols

    Attack vectors for IoT devices

    Access control

    Firmware attacks

    Web attacks

    Network service/communication protocol attacks

    Unencrypted local data storage

    Confidentiality and integrity issues

    Cloud computing attacks

    Malicious updates

    Insecure APIs

    Mobile application threats

    Other attacks

    An IoT hacking methodology

    Understanding OT

    An OT hacking methodology

    Best practices for securing IoT/OT

    Lab – discovering IoT devices

    Summary

    Assessment

    Answers

    14

    Ethical Hacking in the Cloud

    Understanding cloud service types

    IaaS

    PaaS

    SaaS

    Cloud deployment models

    NIST Cloud Computing Reference Architecture

    Understanding virtual machines / virtualization

    Understanding containers

    Comparing containers and VMs

    Introducing serverless computing

    Cloud threats and attacks

    Data loss/breach

    Abusing Cloud Service

    Insecure interfaces and APIs

    Inadequate identity and access management

    Service hijacking

    Session hijacking

    Domain name system attacks

    Implementing cloud security

    Implementing policies, procedures, and awareness

    Ensuring perimeter security

    Application security

    Maintaining computing storage and information security

    Cloud security logs

    Azure Cloud

    AWS

    Google Cloud Platform (GCP)

    Summary

    Assessment

    Answers

    Index

    Other Books You May Enjoy

    Preface

    Ethical hacking is the practice of knowing and understanding your adversary by learning about how attackers operate, including what they look for, what tools they use, and what techniques they employ against their victims. As organizations and individuals rely more on digital platforms for communication, commerce, and storage, the risk of cyber threats looms larger than ever before. Ethical hacking is the answer to those threats by offering a proactive defense strategy against malicious actors seeking to exploit vulnerabilities for nefarious purposes.

    There are three main areas of coverage:

    Chapters 1 to 4 are about information gathering and reconnaissance

    Chapters 5 to 10 are about hacking techniques and tools

    Chapters 11 to 14 are about defense and other areas of hacking (for example, the cloud and IoT)

    This introductory guide aims to demystify the realm of ethical hacking by providing a comprehensive overview of its fundamental concepts, methodologies, and tools. Through practical examples and hands-on exercises, you will embark on a journey to understand the principles of ethical hacking, explore common attack vectors, and learn best practices to secure digital assets effectively.

    Whether you’re a seasoned professional seeking to enhance your cybersecurity skills or a novice intrigued by the intricacies of ethical hacking, this book serves as a valuable resource to confidently navigate the complex landscape of cybersecurity. Join me as we delve into the world of ethical hacking, and embark on a quest to safeguard systems and networks from the ever-evolving threat landscape.

    There is a lot of demand for people with skills in the areas covered, including IT, security personnel, security operators, and incident responders.

    Who this book is for

    Hands-On Ethical Hacking Tactics: Strategies, Tools, and Techniques for Effective Cyber Defense is tailored for aspiring cybersecurity professionals, IT specialists, and students eager to delve into the world of digital defense by looking at how attackers operate and discussing tactics, techniques, and procedures (TTPs), as well as tools and concepts.

    With hands-on exercises, tools of the trade, and expert insights, this book equips you with the tools and knowledge needed to safeguard networks, identify vulnerabilities, and mitigate cyber threats effectively.

    What this book covers

    Chapter 1, Ethical Hacking Concepts, introduces you to the concepts and ideas related to hacking and security, including testing computer systems to find flaws and vulnerabilities. By identifying such threats before malevolent hackers can take advantage of them, this technique seeks to strengthen security protocols and ultimately improve cybersecurity overall.

    Chapter 2, Footprinting and Reconnaissance, discusses how attackers gather information about a target system or organization to identify potential vulnerabilities and attack vectors. This includes discovering network infrastructure, system configurations, and personnel details through passive and active reconnaissance techniques, laying the groundwork for subsequent penetration testing or ethical hacking activities.

    Chapter 3, Scanning and Enumeration, provides an overview of scanning and enumeration, which often follow reconnaissance. Scanning involves actively probing target systems to identify open ports, services, and potential vulnerabilities. Enumeration goes further by extracting detailed information about the discovered services, such as user accounts, shares, and system configurations. These processes help ethical hackers assess the security posture of a network or system and prioritize potential attack vectors for further investigation and mitigation.

    Chapter 4, Vulnerability Assessment and Threat Modeling, discusses vulnerability assessments, which involve systematically identifying, quantifying, and prioritizing vulnerabilities within a system or network infrastructure. Threat modeling uses vulnerability assessments and other information in a proactive approach to cybersecurity, systematically identifying potential threats and vulnerabilities to predict and mitigate potential risks before adversaries can exploit them.

    Chapter 5, Hacking Windows, provides an overview of the process of exploiting vulnerabilities within the Microsoft Windows operating system for various purposes, including gaining unauthorized access, stealing data, or disrupting system operations. This can involve techniques such as exploiting software vulnerabilities or leveraging misconfigurations to compromise Windows-based systems.

    Chapter 6, Hacking Unix, like the previous chapter, discusses exploiting operating system vulnerabilities, including misconfigurations, weak user authentication, or software vulnerabilities, to gain unauthorized access, but from a Unix-based system point of view. Attackers often study Unix systems extensively to understand their architecture and security mechanisms; defenders study the same material to improve defense strategies and protect against potential attacks.

    Chapter 7, Hacking Web Servers and Applications, takes a look at web server and application vulnerabilities in server configurations, web applications, and underlying software that are used to gain unauthorized access or disrupt services. Attackers can target known weaknesses such as SQL injection, cross-site scripting (XSS), or remote code execution to compromise data or gain control over a server. Ethical hackers often employ penetration testing methodologies to identify and remediate these vulnerabilities, ensuring the security and integrity of web-based systems.

    Chapter 8, Hacking Databases, focuses on hacking databases, which involves the exploitation of database management systems to gain unauthorized access to sensitive data or manipulate stored information. Attackers can target weaknesses such as insecure authentication mechanisms, misconfigured permissions, or missing patches. Ethical hackers often study database architectures, SQL syntax, and security best practices to identify and mitigate potential vulnerabilities, safeguarding critical data assets from exploitation.

    Chapter 9, Hacking Packets – TCP/IP Review, examines the fundamentals of TCP/IP attacks used to compromise network communications and systems. Attackers can launch various assaults such as TCP SYN flooding, IP spoofing, or TCP session hijacking to disrupt services, intercept data, or gain unauthorized access. Understanding TCP/IP vulnerabilities and implementing robust security measures are essential to mitigate these attacks and ensure the integrity, confidentiality, and availability of network resources.

    Chapter 10, Malware Analysis, explores malware. As a defender, you will come across malware, and as such, you should be ready to handle it when it comes. Malware analysis is the process of dissecting and understanding malicious software to uncover its functionality, behavior, and potential impact on systems. This chapter introduces you to analyst techniques, such as static and dynamic analysis, to identify malware’s characteristics and intentions. By comprehensively analyzing malware, security professionals can develop effective countermeasures, enhance threat intelligence, and fortify defenses against evolving cyber threats.

    Chapter 11, Incident Response and Threat Hunting, introduces you to incident response techniques, which involve a systematic approach to managing and mitigating security incidents when they occur. This chapter also looks at threat hunting, a proactive process of actively searching for and identifying potential threats or malicious activities within an organization’s network or systems before they manifest as incidents. By integrating incident response and threat hunting practices, organizations can effectively detect, contain, and eradicate cyber threats, bolstering their overall cybersecurity posture.

    Chapter 12, Social Engineering, looks at the deceptive techniques used by attackers to manipulate individuals into divulging confidential information or performing actions against their better judgment. It relies on psychological manipulation and exploiting human emotions, such as trust or fear, to deceive targets into providing access to sensitive data or systems. Effective defense against social engineering involves raising awareness, implementing strict security policies, and providing ongoing training to recognize and thwart these deceptive tactics.

    Chapter 13, Hacking Internet of Things (IoT), discusses Internet of Things (IoT) device vulnerabilities and exploiting interconnected smart devices to gain unauthorized access or disrupt operations. Attackers target weak security measures, default credentials, or insecure communication protocols to compromise IoT devices and networks. As IoT technology spreads across various sectors, understanding and addressing IoT security risks is paramount to safeguarding personal privacy, critical infrastructure, and data integrity.

    Chapter 14, Hacking the Cloud, dives into exploiting cloud technologies such as Azure and AWS, using vulnerabilities within cloud infrastructure, services, and applications to compromise data integrity, confidentiality, or availability. Attackers may target misconfigurations, weak access controls, or shared resources to gain unauthorized access or launch attacks against cloud-based environments. As organizations increasingly adopt cloud solutions, understanding and mitigating cloud security risks are essential to maintain trust, compliance, and resilience in the digital ecosystem.

    To get the most out of this book

    To get the most out of this book, refer to the following software/hardware and OS requirements:

    If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

    Download the example code files

    You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Hands-On-Ethical-Hacking-Tactics. If there’s an update to the code, it will be updated in the GitHub repository.

    We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

    Conventions used

    There are a number of text conventions used throughout this book.

    Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: You can also search for deep links if the path is known or common – for example, link:my-site.com/phpmyadmin.

    A block of code is set as follows:

    User-agent: *

    Disallow: /

    When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

    md5sum /usr/share/windows-resources/mimikatz/x64/mimikatz.exe

    Any command-line input or output is written as follows:

    cd /etc/network

    sudo vi interfaces

    Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: This group is sometimes referred to as ethical hackers and is the opposite of black hat hackers.

    Tips or important notes

    Appear like this.

    Get in touch

    Feedback from our readers is always welcome.

    General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

    Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

    Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

    If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

    Share Your Thoughts

    Once you’ve read Hands-On Ethical Hacking Tactics, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

    Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

    Download a free PDF copy of this book

    Thanks for purchasing this book!

    Do you like to read on the go but are unable to carry your print books everywhere?

    Is your eBook purchase not compatible with the device of your choice?

    Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

    Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

    The perks don’t stop there: you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

    Follow these simple steps to get the benefits:

    Scan the QR code or visit the link below

    https://packt.link/free-ebook/978-1-80181-008-1

    Submit your proof of purchase

    That’s it! We’ll send your free PDF and other benefits to your email directly.

    Part 1: Information Gathering and Reconnaissance

    In this part, you will get an overview of the hacking concepts and an introduction to the attacker process often referred to as the kill chain. In addition, we will also look at some of the defender’s first lines of defense, including vulnerability assessments and threat modeling.

    This section has the following chapters:

    Chapter 1, Ethical Hacking Concepts

    Chapter 2, Footprinting and Reconnaissance

    Chapter 3, Scanning and Enumeration

    Chapter 4, Vulnerability Assessments and Threat Modeling

    1

    Ethical Hacking Concepts

    Hackers and hacking are usually associated with criminal activity, but it wasn’t always that way. In the 1960s, learning and working on computers wasn’t readily available. They were difficult to work with and those that could get things working often hacked things together. In other words, hackers were innovators who could solve complex problems.

    In the late 1970s, computers became accessible to the public through homebrew kits, and at that time, curiosity and innovation were still a part of the hacking community. It wasn’t until the 1980s that hacking took on a negative tone, with the release of movies such as WarGames and Hackers, and the image of a hacker changed from an enthusiast to a criminal. Since this time, the term hacker has been associated with criminal and malicious activity.

    Fast-forward to today and we have a concept known as ethical hacking, meaning we take the concepts and techniques used by hackers and apply them for the benefit of organizations and individuals in an attempt to elevate their security posture. This is the first chapter in your journey to understand and apply the concepts of hacking in an ethical manner.

    In this chapter, we’re going to cover the following main topics:

    What is ethical hacking?

    Elements of information security

    Why do intrusions and attacks happen?

    Types and profiles of attackers and defenders

    Attack targets and types

    The anatomy of an attack

    Ethical hacking and penetration testing

    Defensive technologies

    Lab – setting up the testing lab

    Technical requirements

    Labs have been included to get the most out of this book. The labs are designed to enhance the subject matter by supplying tangible examples of what is covered. To be successful with the labs, the following minimum system settings are required:

    8 GB of RAM minimum (16 GB recommended)

    50 GB of disk space

    The rights to install applications

    What is ethical hacking?

    Ethical hacking represents a group of skills within cyber security that manifests in a few distinctive roles, including pen testers, blue teamers, and purple teamers. Ethical hackers are also part of a larger group known as white hat hackers, whose focus is education and defense. We will discuss this in detail in the White hat hackers section later in this chapter.

    What role does the ethical hacker play in organizational security? Unlike threat actors (black hats), who are motivated primarily by financial gain, ethical hackers align themselves on the defensive side of networks, attempting to secure networks by pointing out flaws and misconfigurations that malicious attackers would take advantage of. They are commonly associated with penetration testing but really can assume any role within an organization. Ethical hackers represent the apex of security practices within an organization. These practices start with core areas such as antivirus software and patch management and move on to more complex security issues such as remote automation and administration, as well as ingress and egress, encryption, and authentication.

    Depending on their specific role, ethical hackers use a variety of tools and techniques to search for outdated software, misconfigured systems, and potential security weaknesses within the network. They use this information to not only bolster the overall organizational security but to find weaknesses and oversights that attackers would find by using the same techniques they use. Some other operations ethical hackers perform include discovering incomplete policies and procedures. They are also skilled in the tactics, techniques, and procedures (TTPs) of adversaries. This means they understand how attackers operate, what tools they use, how they find information, and how they use that to take advantage of an organization. Ethical hackers also realize security is an evolving discipline where learning and growth never end. One place to get a better understanding of attackers and the operations they perform is to review the MITRE ATT&CK framework, which lays out a matrix of 13 categories showing various attacks. For more information, see https://attack.mitre.org/.

    How does one become an ethical hacker? There are several approaches that can be taken, including using this book, and courses covering hacking and cyber security that can get you started. There are also certifications, including the Offensive Security Certified Professional (OSCP), Certified Information Systems Security Professional (CISSP), and Certified Ethical Hacker (CEH). However, even with all these opportunities and paths that can be taken, the one thing needed more than anything else is just to be curious – about how all this technology works, how information is stored and communicated, and how technology interoperates with other machines and devices.

    Now that we know what ethical hacking is, let’s take a look at what makes up information security.

    Elements of information security

    Information security and, subsequently, ethical hacking methodologies revolve around three core principles: Confidentiality, Integrity, and Availability (CIA). These core principles provide the framework for information security and are used by ethical hackers and security professionals to test security and security solutions. These principles can be described as follows:

    Confidentiality: Data stored on networks in the form of databases, files, and so on carries a certain level of restriction. Access to information must be given only to authorized personnel. Some examples include nonpublic financial information that could be used to make investment decisions; this is also known as insider trading. Another example would be company patents or trade secrets.

    Ensuring this information is reserved for only those who need to know about it can be addressed through techniques such as encryption, network segmentation, and access restrictions, as well as practicing the principle of least privilege. These are the things ethical hackers check and test to make sure there are no gaps or exposure of information beyond what is authorized.

    Integrity: Data that is accessed and viewed, whether part of an email or viewed through a web portal, must be trustworthy. Ethical hackers and security personnel ensure that data has not been modified or altered in any way; this includes data at rest as well as data in transit. Examples of integrity checks include showing and storing hash values and the use of techniques, including digital signatures and certificates.

    Availability: The last principle is that of availability. Information that is locked down to a level where no one can access it not only defeats the purpose of having data but affects the efficiency of those who are authorized to access it. However, just like the other principles, there is a fine line between availability by authorized personnel and confidentiality. An ethical hacker tests availability in a number of ways. Some examples include remote access for employees, establishing hours of operation for personnel, and what devices can have access.
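    The Integrity principle above mentions storing and showing hash values as a check that data at rest has not been altered. The following is an added example, not code from the book, of that idea in practice: it records a manifest of SHA-256 digests for a directory tree and later re-verifies the tree, flagging files that were modified, removed, or added. All file names and contents are constructed for the demonstration.

```python
# Added example (not from the book): integrity checking with stored hashes.
# Build a manifest of SHA-256 digests, re-verify later, and report anything
# modified, missing or added. Sample files are constructed in a temp dir.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, str]:
    """Compare the current tree with a stored manifest.
    Returns {relative_path: "ok" | "modified" | "missing" | "unexpected"}.
    Keep the manifest where an attacker cannot write it (or sign it), or
    it can simply be rewritten along with the files it protects."""
    current = build_manifest(root)
    report = {}
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            report[rel] = "missing"
        elif actual != expected:        # digest differs: content changed
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    for rel in current:
        if rel not in manifest:
            report[rel] = "unexpected"  # appeared after the baseline
    return report


def demo() -> dict[str, str]:
    """Constructed scenario: baseline two files, then tamper with one,
    delete the other and drop in a new one before re-checking."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "interfaces").write_text("auto eth0\n")
        (root / "app.bin").write_bytes(b"\x7fELF" + bytes(64))
        manifest = build_manifest(root)
        (root / "app.bin").write_bytes(b"\x7fELF" + bytes(63) + b"\x01")
        (root / "interfaces").unlink()
        (root / "dropper.sh").write_text("#!/bin/sh\n")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:10} {path}")
```

    A single flipped byte in app.bin is enough to change its digest, which is why a stored hash detects tampering that a size or timestamp check would miss.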

    The concepts of CIA will be covered throughout the chapters as attack techniques are discussed and the principle(s) that are violated as part of an attack, as well as what practice (or practices) could be implemented to prevent/detect an attack. Next, let’s take a look at attackers and why they attack.

    Why do intrusions and attacks happen?

    Attacks do not operate in a vacuum, and as such, attacks and intrusions can be broken down into three core areas, sometimes referred to as the intrusion triangle or crime triangle. In other words, certain conditions must exist before an attack can occur. These core areas are Motive, Means, and Opportunity.

    We’ll look at each of these in the following sections.

    Motive

    An attacker must have a reason to want to attack a network. These motives include exploration, data manipulation, and causing damage, destroying, or stealing data. Motives may also be more personal, including financial, retaliation, or revenge. Examples include a disgruntled employee who wants to do damage based on some grievance with the company managers or coworkers. Another would be a cybercrime group targeting a company or industry to extort money through ransomware or some other means. Still, another would be a script kiddie who stumbled upon the network and thought it might be interesting to see what they could get access to. More on script kiddies in the Types and profiles of attackers and defenders section.

    For investigators, it is also important to differentiate between motives for criminal activity and the operational goals and objectives associated with the larger crime. As an example, compromising user accounts is not the goal of an attack; gaining access to the corporate network and stealing data is. The account compromise is simply an operational goal.

    It may also be important to understand the intensity of an attack and the motives behind it. People who are desperate are more determined to achieve their goals. The employee who is in a bad financial situation may see accessing and stealing company funds as the only means to alleviate the situation. And with that, the higher the pressure, the more likely it is that the employee will not only commit the crime but take larger risks to meet that goal.

    Means

    Once an attacker has a motive, they need the means to perform the attack. Means refers to the technology plus an individual’s or group’s skills, knowledge, and available resources. By understanding these requirements to commit a given crime, plus the potential motivations, investigators can narrow down attribution to individuals or groups and eliminate others. Additionally, investigators need to be aware of technological innovations as potential means of committing cybercrimes in relation to the crime committed. By way of example, a nation-state actor in China would not have the means to access and sabotage an electrical plant in the United States physically. However, once the electrical plant installed IoT sensors and connected them to the internet, the means would be made available.

    Opportunity

    The third part, completing the triangle, is opportunity. Used in conjunction with motive and means, an opportunity is that moment or chance where the attack can be completed successfully. For an opportunity to be available, it means that various protective mechanisms were either ineffective or non-existent. This means that human, technological, or environmental factors were conducive to the crime being committed. For example, a power failure might cause locked doors to fail open for safety but allow criminals free access to all areas of the company. Or, unpatched servers exposed to the internet might be discovered during a scan, informing attackers what exploit(s) will be successful in accessing the core network. You can see a visual representation of the crime triangle in the following figure:

    Figure 1.1 – Crime triangle


    Of the three areas, the ethical hacker has the most control over opportunity. As a defender, you cannot eliminate motive as that comes from the personal desires of the attacker, whether they are acting as an individual or a group. You also cannot eliminate means as knowledge is readily available, and skills can be acquired. This leaves opportunity as the area from which the odds of defending against and preventing most attacks are the most successful.

    Now that we have looked at why intrusions happen, let’s take a look at the different types of people that make up the cyber security landscape, from attacker to defender.

    Types and profiles of attackers and defenders

    Now that we have spent time describing what is being protected and why attacks might occur, let’s look at our attackers and some of the areas where attacks take
