Ethical Hacking

My understanding of "Ethical Hacking" centers around two concepts: consent and intent.

If "ethics" refers to the whole spectrum of moral action and "ethical" to the objectively positive and constructive end of that spectrum, then "Ethical Hacking" can be rephrased as "objectively positive and constructive hacking". Make no mistake: those who practise ethical hacking have the same skill set, and often use the exact same tools, as their nefarious counterparts. This is where consent and intent come in. The affected party (i.e. "the victim") is fully aware that the hacking is taking place, most likely commissioned it, and has set out "rules of engagement" (scope, permitted techniques, testing windows, emergency contacts) that must be strictly followed. The authorized parties that are hired (i.e. "the hackers") follow those rules, perform vulnerability assessments and penetration testing (commonly with the goal of demonstrating that data can be exfiltrated from the target), and at the end of the engagement produce a report (or several) that helps the victim assess its current security posture and formulate a plan to improve it. That plan could range from purchasing additional products that harden OSI Layers 1, 3, 4, 5 and 7 to further employee training. Security research that is conducted in order to be published, and disclosed to the affected vendor before release, also falls under this umbrella.

I believe that only hacking done under these two constraints is truly "Ethical". There is a gray area where hacking done without consent but for the purpose of fixing flaws can fall on the ethical side, but one runs the risk of the affected party being unreceptive or even hostile to those efforts, as they are still illegal without consent... especially if "consent" is synonymous with "warrant" in a given situation.

Computer crimes and data breaches are entirely unethical: they are carried out without the victim's consent and with the specific intent of causing harm (defamation, theft) or damage (to hardware, network infrastructure, or intellectual property).

To reiterate, "ethical hacking" refers to activities that are planned by an organization and performed by authorized parties to assess the security posture of that organization's information systems. Its goal is to make known any vulnerabilities that could be exploited, the methods a threat actor could use to exploit them, and the risk associated with leaving those vulnerabilities unremediated. Tools and technologies broadly used by ethical hackers include, but are not limited to:

  • Frameworks like MITRE ATT&CK (a catalogue of real-world adversary tactics and techniques) and the OWASP Top Ten (the most common categories of web application risk) to help structure the direction of an attack
  • Nmap or SuperScan for TCP/IP port scanning
  • Automated web application scanners like WebInspect to help streamline the process
  • Manual testing tools like Burp Suite (an intercepting proxy for inspecting and modifying HTTP traffic)
  • Exploitation frameworks like Metasploit, which bundle exploits, payloads and post-exploitation modules

A typical attack sequence is as follows:

  • Reconnaissance: the attacker gathers useful information about the potential target. It is an important step because the more an attacker knows about the target before the attack, the more likely the attack is to succeed. This has led to the misconception that "security by obscurity" is a strong defense; it is not, because it only delays an attacker who is willing to spend time on reconnaissance. Reconnaissance also encompasses "open source intelligence" (OSINT): the collection of data about a target that is freely available on the public internet (DNS records, job postings, employee profiles, leaked credentials).
  • Scanning: the attacker starts actively probing the target's entry points. Computers are designed to communicate, and finding which communication channels are open, and which protocols are in use, can shed light on what the internal network looks like. For example, the services commonly exposed differ between Windows and Unix-like systems: an open port 2049 (NFS) or 111 (rpcbind) usually indicates a Unix-like host (Linux, BSD or macOS, not Linux alone), while ports 139 and 445 carry SMB, which means either a Windows machine or Samba running on a Unix-like one. A subnet scan that shows both patterns tells the attacker the environment is a mix of operating systems, which increases the attack surface and widens the set of applicable exploits. Port numbers alone are only heuristics; service banners and OS fingerprinting (for example Nmap's -sV and -O options) are the stronger signal.
  • Gaining access: acting on the discovered vulnerabilities to obtain unauthorized access to a system or network, for example by exploiting an unpatched service, abusing weak or default credentials, or phishing a user.
  • Maintaining access: the attacker establishes persistence, the ability to remain within a system and access it remotely at any time. The terms "Remote Access Trojan" (RAT) and "backdoor" apply here. From that foothold the attacker can pivot, move laterally, conduct further reconnaissance, reach sensitive data, and then exfiltrate it.
  • Covering tracks: the attacker attempts to destroy all evidence of compromise, usually by clearing or editing system and application logs and removing any dropped tools. The more steps the "gaining access" phase took, the more artifacts there are to clean up. The defender's countermeasure is to forward logs to a separate, write-restricted collector as they are written, so that wiping the local copy does not erase the record.
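The scanning step above is the most mechanical of the five, so here is a worked example of it. This is added illustrative code, not a script from this page or its GitHub repository: a TCP connect() scanner with banner grabbing, a coarse port-to-OS-family hint table (an assumption constructed for the example; real engagements use Nmap's -sV/-O instead), and a local fake SSH listener so the whole thing runs offline against 127.0.0.1 rather than a real target. It shows why 2049 points at "Unix-like" rather than "Linux", why 139/445 cannot separate Windows from Samba on their own, and how a banner resolves that ambiguity.

```python
import socket
import threading
from typing import Dict, List, Tuple

# Coarse port-to-service hints (constructed for this example). A single open
# port is only a hint: 2049/NFS and 111/rpcbind point at a Unix-like host (not
# Linux specifically), and 139/445 is SMB, served natively by Windows or by
# Samba on a Unix-like host. Banners are the better signal when a service
# volunteers one.
PORT_HINTS: Dict[int, Tuple[str, str]] = {
    21: ("ftp", "any"),
    22: ("ssh", "unix-like"),
    111: ("rpcbind", "unix-like"),
    135: ("msrpc", "windows"),
    139: ("netbios-ssn", "windows-or-samba"),
    445: ("smb", "windows-or-samba"),
    2049: ("nfs", "unix-like"),
    3389: ("rdp", "windows"),
}


def grab_banner(sock: socket.socket, timeout: float = 0.5) -> str:
    """Read whatever the service sends right after connect (SSH, FTP and SMTP do)."""
    sock.settimeout(timeout)
    try:
        return sock.recv(256).decode("ascii", errors="replace").strip()
    except (socket.timeout, OSError):
        return ""


def connect_scan(host: str, ports: List[int], timeout: float = 0.3) -> Dict[int, str]:
    """TCP connect() scan: full three-way handshake per port; returns {open_port: banner}."""
    found: Dict[int, str] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                found[port] = grab_banner(s)
    return found


def infer_os_family(open_ports: Dict[int, str]) -> str:
    """Combine banner text and port hints into a best-guess OS family for one host."""
    for banner in open_ports.values():
        b = banner.lower()
        if "openssh" in b and ("ubuntu" in b or "debian" in b):
            return "linux"
        if "microsoft" in b or "windows" in b:
            return "windows"
    families = {PORT_HINTS[p][1] for p in open_ports if p in PORT_HINTS}
    families.discard("any")
    if "windows" in families:
        return "windows"
    if "unix-like" in families:
        return "unix-like"
    if "windows-or-samba" in families:
        return "windows-or-samba"  # SMB alone cannot separate Windows from Samba
    return "unknown"


def summarize_subnet(scan: Dict[str, Dict[int, str]]) -> Dict[str, str]:
    """Per-host OS guess; more than one family in the output means a mixed estate."""
    return {host: infer_os_family(ports) for host, ports in scan.items()}


def start_fake_ssh_listener(
    banner: bytes = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n",
) -> Tuple[socket.socket, int]:
    """Constructed offline target: a loopback listener that sends an SSH-style banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free ephemeral port
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_fake_ssh_listener()
    try:
        result = connect_scan("127.0.0.1", [port])
        print(result)
        print(summarize_subnet({"127.0.0.1": result}))
    finally:
        srv.close()
```

Against the fake listener the scan reports the port open with its banner, and the banner ("Ubuntu") upgrades the guess from the port's generic "unix-like" to "linux"; with only 139 and 445 open and no banner the guess stays at "windows-or-samba", which is exactly the ambiguity the text describes. A connect() scan completes the handshake and therefore shows up in the target's connection logs; that is acceptable on an authorized engagement but is why stealthier SYN scans exist.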

There are many Vulnerability Research Websites available to the public, and for my own convenience I will list a few here:

  • US-CERT: The United States Computer Emergency Readiness Team, or US-CERT, publishes information about a variety of vulnerabilities in its Vulnerability Notes. While it does not contain solutions for all vulnerabilities, it can be a valuable, easily searchable resource.
  • National Vulnerability Database: The National Vulnerability Database (NVD) is maintained by NIST and is the U.S. government's repository of standards-based vulnerability data. Each entry is a CVE identifier enriched with a CVSS severity score, the affected products (CPE names) and references to advisories and patches.
  • Securitytracker: Securitytracker publishes vulnerability advisories and tracks vendor fixes.
  • SecuriTeam: SecuriTeam provides news and utilities in computer security from various mailing lists and hacker communities, as well as original content.
  • SecurityFocus: SecurityFocus provides information on security vulnerabilities and hosts the BugTraq mailing list archive.
  • SC Magazine: SC Magazine is a print and online magazine specializing in IT security.

This is the landing page for my foray into ethical hacking. All of my scripts and projects are linked here, as well as on my GitHub page, and it is my intention to grow this page as I gain more experience. Welcome, and I hope you learn something along the way!