Ethical Hacking and Penetration Testing Lecture 1 PDF

Document Details

Uploaded by Deleted User

Nottingham Trent University

2025

Tags

ethical hacking penetration testing cyber security computer science

Summary

This document is a lecture for the course Ethical Hacking and Penetration Testing at Nottingham Trent University. It outlines the module overview, teaching staff, module specification, learning outcomes, assessment, and provisional module content. It also details the resources used for the course.

Full Transcript


Ethical Hacking and Penetration Testing
Lecture 1: Module Overview and Introduction to Penetration Testing

Outline
- Module Overview
- COMP40741: Ethical Hacking and Penetration Testing
- Teaching Staff
- Module Specification
- Learning Outcomes
- Assessment(s)
- Introduction to Ethical Hacking and Penetration Testing

Module Overview
COMP40741: Ethical Hacking and Penetration Testing
26/01/2025

Teaching Staff
Module Leader: Dr. Nemitari Ajienka, Senior Lecturer, Certified Security Testing Associate (7Safe, GCHQ Accredited), Department of Computer Science, School of Science and Technology. Email: [email protected]. Office: Mary Ann Evans Building (MAE) 329 (moving to MAE 307). Telephone: +44 (0) 115 848 8306.
Module Team: Dr. Kwame Assa-Agyei, Lecturer, Department of Computer Science, School of Science and Technology. Email: [email protected].

Module Specification
- Available in the Learning Room on NOW
- Contains information on: module overview and aims, module content, delivery methods and schedule, indicative reading, learning outcomes, and assessment

Module Aims
- This module is designed to equip students with the knowledge, skills, and ethical considerations required to identify and address vulnerabilities in computer systems. Students will develop a comprehensive understanding of the essential cybersecurity methods of ethical hacking and penetration testing.
- The overall aims of this module are to:
  - Introduce students to the principles, methodologies, and tools of ethical hacking and penetration testing.
  - Develop practical skills in identifying and exploiting vulnerabilities in computer systems.
  - Assess the ethical and legal considerations surrounding penetration testing.
  - Understand the importance of risk assessment and mitigation in cybersecurity.

Learning Outcomes
Knowledge and understanding. After studying this module, you should be able to:
- K1. Demonstrate an understanding of penetration testing methodologies.
- K2. Demonstrate an understanding of ethical hacking principles and methodologies.
- K3. Evaluate the legal and ethical implications of penetration testing.
- K4. Identify, analyse and assess vulnerabilities and threats in computer systems.
Skills, qualities and attributes. After studying this module, you should be able to:
- S1. Apply penetration testing techniques to identify and exploit vulnerabilities.
- S2. Develop effective strategies for securing computer systems and networks.
- S3. Communicate security findings and recommendations through comprehensive reports.
- S4. Demonstrate critical thinking in risk assessment and mitigation.

Assessment
- Online in-class test (Individual, 30%, K1 – K3): time-constrained online in-class test where students demonstrate clear understanding of the theoretical aspects of penetration testing, ethical hacking, and legal and ethical considerations.
- Report (Individual, 70%, K1, K4, S1 – S4): written report based on a hands-on penetration testing project where students demonstrate their ability to identify and exploit vulnerabilities, identify and mitigate risks, provide actionable recommendations, and communicate findings.
Provisional Module Content
- Weeks 1-3: Introduction to Ethical Hacking and Pentesting: definitions and ethical considerations; overview of penetration testing methodologies. Information Gathering and Footprinting: reconnaissance techniques; passive and active information gathering; open-source intelligence (OSINT) gathering. Scanning and Enumeration: network scanning techniques; enumeration of system resources and services.
- Weeks 4-5: Vulnerability Assessment: identifying and assessing software and hardware vulnerabilities; Common Vulnerabilities and Exposures (CVE); threat modelling techniques.
- Weeks 6-8: Exploitation Techniques and Tools: developing and executing exploits (e.g., attacking Windows and Linux machines, password cracking and other exploits); post-exploitation strategies and privilege escalation.
- Week 9: Legal and ethical considerations in penetration testing; reporting and documentation standards; risk assessment and mitigation.
- Week 10: Social engineering techniques/tactics and support sessions.

Resources or Reference Texts
- Graham, D. G. (2021). Ethical hacking: a hands-on introduction to breaking in. No Starch Press.
- Oriyano, S-P. (2017). Penetration testing essentials. Indianapolis, Indiana: Sybex.
- Khawaja, G. (2021). Kali Linux penetration testing bible. Wiley.
- Sabih, Z. (2018). Learn ethical hacking from scratch: your stepping stone to penetration testing (1st ed.). Birmingham, England: Packt.
- Baloch, R. (2015). Ethical hacking and penetration testing guide (1st ed.). Auerbach Publications.
- In addition, students are encouraged to access and read relevant research publications from international conferences and journals.
Web-based Resources and Tools
- http://www.cyberedge.uk - requires registration
- Immersive Labs: https://cybermillion.immersivelabs.online/register - requires registration (see the Week 1 lab for a registration guide)
- https://www.digitalcyberacademy.com - requires registration
- VMware / VirtualBox: https://www.virtualbox.org
- Kali Linux: https://www.kali.org
- Metasploitable: https://www.vulnhub.com/entry/metasploitable-2,29/
- SEED Ubuntu: https://seedsecuritylabs.org/Labs_20.04/
- Ubuntu: https://ubuntu.com/tutorials/how-to-run-ubuntu-desktop-on-a-virtual-machine-using-virtualbox#1-overview

Introduction to Ethical Hacking and Penetration Testing
26/01/2025

Best Security Strategy?
Defensive:
- Controls
- Auditing
- Policies
- Standards
- Guidelines
- Risk Assessments
- Designing and Implementing Secure Network Architecture
Offensive:
- Pen Testing
- Ethical Hacking
- Security Assessment
- Stress Testing

Unfair Security Challenge!
The Internet allows an attacker to attack from anywhere in the world from their home desk. They just need to find one vulnerability. A security analyst needs to close every vulnerability.

Who is the Enemy? A Hacker?
- 1960s and 1970s: "hacker" was a positive term. A hacker: an expert, knowledgeable about programming and operating systems.
- 1970s onwards: "hacker" progressively became a more negative term. A hacker: someone using computers without authorization, or someone committing crimes by using computers.

Other Names for the Enemy
- Crackers: a hacker who uses his or her skills to commit unlawful acts, or to deliberately create mischief.
- Script Kiddies: a hacker who downloads scripts and uses them to commit unlawful acts, or to deliberately create mischief, without fully understanding the scripts.
- Blackhat Hackers: they hold unethical intentions and break into computers or networks for their own reasons. Black hat hackers are also known as crackers.
These types of hackers continuously keep an eye on victims' computers for vulnerabilities. As soon as they find one, they break in with malicious intent. They are engaged in almost all types of cyber crime, such as ID theft, stealing money from credit cards, piracy of paid content and so on. They can use malicious websites and malicious software (worms) to start their journey into a victim's network.

What is Their Motivation?
- Profit: ransomware, scareware, financial data theft, theft of intellectual property
- Fun/Challenge: the NASA hack
- Information system criminals: espionage and/or fraud/abuse, for a nation or company to gain a competitive advantage over its rivals
- Vandals: authorized users and strangers (a cracker or a criminal), motivated by anger directed at an individual, an organization, or life in general
- Political and ideological: hacktivists
- Power assurance: to restore the criminal's self-confidence or self-worth through low-aggression means, e.g. cyber stalking
- Anger (retaliatory): rage towards a person, group, institution, or a symbol; the offender may believe that they are correcting some injustice
- Sadistic: deriving gratification from the pain/suffering of others

Goodies or Baddies?
- Black Hats: break into systems; develop and share vulnerabilities, exploits, malicious code, and attack tools.
- Grey Hats: are in hacker "no-man's land"; may work as security professionals by day and "hack" by night.
- White Hats: are part of the "security community"; help find security flaws but share them with vendors so that products can be made safer.
- There is a fine line between the "hats" and the distinction often becomes blurred. It is often a matter of perspective.
Ethics Discussion
- This is an educational course.
- It is intended to provide an insight into hacking for ETHICAL PURPOSES ONLY.
- Lab exercises should only be attempted on the testbed system(s) provided and NOT tested against university or other equipment.

Permission and Privacy
- As an ethical hacker, it is necessary to get permission and to understand exactly what is and is not allowed.
- Gaining permission does not give you a free license to do as you please. Operating outside the parameters of permitted activity can be just as dangerous as not getting permission at all.
- When practicing hacking, it is likely that you will come across sensitive information. This could include personal details of users, or even encryption keys and passwords. Any information you come across must be kept confidential.
- It is equally important that the name of the target and any vulnerabilities are also kept secret.
- When working professionally within cyber security, it is likely you will have to sign confidentiality and non-disclosure agreements before carrying out any tests on a system.

Responsible Disclosure
- Responsible disclosure is the name given to the process of notifying a company or organization about a security vulnerability.
- The person who identifies the issue agrees to allow a period for the vulnerability to be patched before publishing the details and making the issue publicly known.
- This ensures that the public are made aware of the problem, whilst minimizing the risk of someone exploiting the vulnerability before a patch is released.
- The amount of time given to fix the issue can be anything from a few days to a few months, depending on the complexity of the vulnerability and the risk it poses.

Legislation
- Across the world there are a wide variety of laws relating to the misuse and unauthorized access of computer systems and networks.
- Computer Misuse Act 1990 (UK) - https://www.legislation.gov.uk/ukpga/1990/18/contents
- Computer Fraud and Abuse Act 1986 (USA)
- Criminal Code Act Division 477-478 (AUS)

What is Ethical Hacking / Penetration Testing?
- Penetration testing is the "legal and authorised attempt to locate and successfully exploit computer systems for the purpose of making those systems more secure" (Engebretson 2013).
- Probing for vulnerabilities
- "Proof of concept" attacks
- Specific recommendations for addressing and fixing issues discovered during the test
- Idea: find weaknesses by using the same tools / techniques as used by attackers

Importance of Studying Ethical Hacking / Penetration Testing
- EC-Council Cyber Career Paths list - https://www.eccouncil.org/
- Vulnerability Assessment and Penetration Testing (VAPT) Career Path - https://www.eccouncil.org/vapt-career-path/

Penetration Testing Framework
- Information Gathering
- Target Scanning
- Vulnerability Assessment
- Exploitation of Weaknesses
- Privilege Escalation
- Retaining Access
- Covering Tracks
http://www.pentest-standard.org/index.php/Main_Page

Penetration Testing Framework (ethical hacking)
- Planning / Pre-Engagement
- Execution:
  - Information Gathering
  - Target Scanning
  - Vulnerability Assessment
  - Exploiting Weakness
  - Privilege Escalation
  - Retaining Access
  - Covering Tracks
- Post Execution & Reporting
https://csrc.nist.gov/pubs/sp/800/115/final
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf - p2-2

Types of Penetration Testing
- Network / Infrastructure pentest
- Database pentest
- Web pentest
- Wireless pentest
- Social Engineering pentest
- Physical pentest

Types of Penetration Tests
- There are three types of penetration tests: black-box, white-box, and grey-box.
- Black-box: the client provides no information prior to the start of testing.
- White-box: the client may provide the penetration tester with full and complete details of the network and applications.
- Grey-box: the client may provide partial details of the target systems.

Pre-engagement
http://www.pentest-standard.org/index.php/Pre-engagement
- Pre-engagement is a conversation with our client (target) to find out what they want from the test.
- Like most things, there are different levels of a penetration test:
  - a simple test of a specific set of IP addresses,
  - a single physical location,
  - one web application,
  - a full simulation of an attack, doing exactly what a real attacker would do.
- Regardless of the complexity of the test, you should require a written and signed document giving permission to perform these tests.

Topics for Pre-engagement
- Scope
- Documentation
- Rules of Engagement
- Third-Party-Hosted / Cloud Environments
- Success Criteria
- Review of Past Threats and Vulnerabilities
- Avoid scan interference on security appliances

Defining Scope
- One of the most important components of a penetration test, yet also one of the most overlooked.
- Neglecting to properly complete pre-engagement activities has the potential to expose the penetration tester (you / your company) to scope creep, unsatisfied customers, and even legal trouble.
- The scope of a project specifically defines what is to be tested.

Questions - Network Penetration Test
- Why is the customer having the penetration test performed against their environment? Is the penetration test required for a specific compliance requirement?
- When does the customer want the active portions (scanning, enumeration, exploitation, etc.) of the penetration test conducted? Office hours / weekends?
- How many (internal or external, if applicable) IP addresses are being tested?
- Are any devices in place that may impact the results of a penetration test, such as a firewall, intrusion detection/prevention system, web application firewall, or load balancer?
- In the case that a system is penetrated, how should the testing team proceed?
  - Attempt to gain the highest privileges (root on Unix machines, SYSTEM or Administrator on Windows machines) on the compromised machine?
  - Perform no, minimal, dictionary, or exhaustive password attacks against local password hashes obtained?

Questions - Web Penetration Test
- How many web applications are being assessed?
- How many login systems are being assessed?
- How many static pages are being assessed?
- How many dynamic pages are being assessed?
- Will the source code be made readily available?
- Will there be any kind of documentation, and if so, what type?
- Does the client want role-based testing performed against this application?
- Does the client want credentialed scans of web applications performed?

Questions - Wireless Penetration Test
- How many wireless networks are in place?
- Is a guest wireless network used? If so: does the guest network require authentication?
- What type of encryption is used on the wireless networks?
- What is the square footage of coverage?
- Will enumeration of rogue devices be necessary?
- Will the team be assessing wireless attacks against clients?
- Approximately how many clients will be using the wireless network?

Questions - Physical Penetration Test
- How many locations are being assessed?
- Is this physical location a shared facility? If so:
  - How many floors are in scope?
  - Which floors are in scope?
- Are there any security guards that will need to be bypassed? If so:
  - Are the security guards employed through a 3rd party?
  - Are they armed?
  - Are they allowed to use force?
- How many entrances are there into the building?
- Is the use of lock picks or bump keys allowed? (Also consider the applicable laws.)
- Is the purpose of this test to verify compliance with existing policies and procedures, or to perform an audit?
- What is the square footage of the area in scope?
- Are all physical security measures documented?
- Are video cameras being used?
- Are the cameras client-owned? If so: should the team attempt to gain access to where the video camera data is stored?
- Is there an armed alarm system being used?

Questions - Social Engineering Testing
- Does the client have a list of email addresses they would like a social engineering attack to be performed against?
- Does the client have a list of phone numbers they would like a social engineering attack to be performed against?
- Is social engineering for the purpose of gaining unauthorized physical access approved? If so: how many people will be targeted?

Scope Creep
Scope creep is one of the most efficient ways to put a penetration testing firm out of business.
- Specify start and end dates
- Specify IP ranges and domains
- Validate ranges

Dealing with Third Parties
- There are several situations where an engagement will include testing a service or an application that is being hosted by a third party. This has become more prevalent in recent years as "cloud" services have become more popular.
- The most important thing to remember is that while permission may have been granted by the client, they do not speak for their third-party providers.
- The single biggest issue with testing a cloud service is that data from multiple different organizations is stored on one physical medium.
- Often the security between these different data domains is very lax.
- ISP: verify the ISP's terms of service with the customer. In many commercial situations the ISP will have specific provisions for testing.
- MSSP: Managed Security Service Providers may also need to be notified of testing. Specifically, they will need to be notified when the systems and services that they own are to be tested. If determining the actual response time of the MSSP is part of the test, it is certainly not in the best interest of the integrity of the test for the MSSP to be notified.
- Countries where servers are hosted: it is also in the best interests of the tester to verify the countries where servers are being housed. After you have validated the country, review the laws of that specific country before beginning testing.

Summary
- Module Overview (COMP40741 - Ethical Hacking and Penetration Testing)
- Teaching Staff
- Module Specification
- Assessment(s)
- Introduction to Ethical Hacking and Penetration Testing

This Week's Lab
In this week's lab, you will complete introductory material (e.g., Command Line Introduction) which will be useful throughout the semester and the rest of the lab exercises, as well as the portfolio exercises.
- Create an account on Immersive Labs. The new registration page is now: https://cybermillion.immersivelabs.online/register. Please use the code CYBER-MILLION to register with your NTU email address. Explore the available labs on the platform, which you could use to practice some of the topics under the penetration testing framework outside of locally hosted virtual machines on e.g., VMware / VirtualBox.
- Complete the Command Line tutorials / examples (found under the Week 1 section on NOW) in the Ubuntu Virtual Machine.
- Complete the Google Dorks Lab under the Week 1 section on NOW.
- Copy or download the VM files / images and set up your personal computer with VirtualBox / VMware if you have not already done so.

Reading List
- Penetration Testing Cheat Sheet - https://github.com/ivan-sincek/penetration-testing-cheat-sheet

Next Week
- Information Gathering and Footprinting:
  - Reconnaissance techniques
  - Passive and active information gathering
  - Open-source intelligence (OSINT) gathering

Questions?
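The "Specify start and end dates / Specify IP ranges and domains / Validate ranges" items from the Scope Creep slides, together with the third-party caveat from Dealing with Third Parties, as an added example that is not part of the lecture: a small Python scope check that refuses any proposed target the signed pre-engagement document does not cover. The scope values (documentation-only TEST-NET ranges, example.com, the dates and the two third-party-hosted exclusions) are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
import ipaddress

@dataclass
class Scope:
    start: str       # first and last day of the agreed testing window (ISO dates)
    end: str
    networks: list   # authorised IP ranges as CIDR strings
    domains: list    # authorised domains; subdomains are included
    excluded: list   # ranges or hosts the client cannot authorise, e.g. third-party hosted

def _as_network(text):  # CIDR or single address -> network; None means it is a hostname
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None

def _under_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def validate_scope(scope):
    """'Validate ranges': refuse to start with a bad window or an unparsable CIDR."""
    if date.fromisoformat(scope.start) > date.fromisoformat(scope.end):
        raise ValueError("engagement end date precedes start date")
    for net in scope.networks:
        if _as_network(net) is None:
            raise ValueError(f"unparsable authorised range: {net!r}")
    return True

def check_target(target, scope, today):
    """Return (allowed, reason) for one IP address or hostname on an ISO date."""
    if not scope.start <= today <= scope.end:   # ISO dates compare correctly as strings
        return False, "outside the agreed testing window"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:                           # IP target: exclusions win over ranges
        for ex in scope.excluded:
            ex_net = _as_network(ex)
            if ex_net is not None and ip in ex_net:
                return False, f"explicitly excluded by {ex}"
        if any(ip in _as_network(n) for n in scope.networks):
            return True, "within authorised range"
        return False, "address not in any authorised range"
    for ex in scope.excluded:                    # hostname target
        if _as_network(ex) is None and _under_domain(target, ex):
            return False, f"explicitly excluded by {ex}"
    if any(_under_domain(target, d) for d in scope.domains):
        return True, "within authorised domain"
    return False, "hostname not under any authorised domain"

# Constructed sample scope; the excluded entries stand for third-party-hosted systems.
SCOPE = Scope(start="2025-02-03", end="2025-02-14",
              networks=["203.0.113.0/24", "198.51.100.0/25"], domains=["example.com"],
              excluded=["203.0.113.200/32", "shop.example.com"])
PROPOSED = ["203.0.113.10", "203.0.113.200", "198.51.100.200", "www.example.com", "shop.example.com", "example.org"]

if __name__ == "__main__":
    validate_scope(SCOPE)
    for target in PROPOSED:
        print(target, check_target(target, SCOPE, "2025-02-05"))
```

Run it before any scanning tool is pointed at a target list; anything rejected goes back to the client for a signed scope change rather than into the test.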
