Ethical Hacking


17 Terms

1

Black Hat Hackers

  • Hackers with strong technical skills

  • Use their skills for malicious or destructive purposes

  • Often involved in cybercrime, data theft, or system sabotage

2

White Hat Hackers

  • Ethical hackers who help protect systems

  • Use their skills for defensive purposes

  • Often work as security analysts or penetration testers

  • Help find and fix vulnerabilities before attackers exploit them

3

Gray Hat Hackers

  • Hackers who operate in both legal and illegal territories

  • Sometimes act ethically, sometimes not

  • May break into systems without permission but without malicious intent

  • Often try to point out flaws for attention or reward

4

Suicide Hackers

  • Hackers motivated by a cause or ideology

  • Aim to bring down systems or infrastructure

  • Willing to face jail time or serious consequences

  • May conduct large-scale cyber-attacks or digital terrorism

5

What are the hacking phases?

  1. Reconnaissance

    • Gather information about the target (passively or actively)

    • Tools: OSINT, WHOIS, Google Dorking

  2. Scanning

    • Identify open ports, services, and vulnerabilities

    • Tools: Nmap, Nessus, Nikto

  3. Gaining Access

    • Exploit vulnerabilities to get inside the system

    • Could involve password cracking, buffer overflows, or malware

  4. Maintaining Access

    • Install backdoors or rootkits to return later

    • Try to stay undetected

  5. Clearing Tracks

    • Erase logs and hide any evidence of the intrusion

    • Makes it harder to trace the attack back to the hacker

6

Passive Reconnaissance

  • Involves collecting information without direct contact with the target

  • Stealthy and often undetectable

  • Common sources:

    • Public records

    • News articles

    • Websites

    • WHOIS databases

7

Active Reconnaissance

  • Involves direct interaction with the target system or personnel

  • More likely to be detected by the target

  • Can involve:

    • Phone calls (e.g., help desk)

    • Probing a network

    • Social engineering via email

8

Scanning

  • A process of identifying live hosts, open ports, OS, and services running on a network

  • Used to gather intelligence about the target system

  • How it works:

    • The attacker sends TCP/IP probes to the network

    • They analyze responses to learn about hosts, services, and potential vulnerabilities

  • Main Objectives of Network Scanning:

    1. Discover live hosts, IP addresses, and open ports

    2. Identify operating systems and system architecture

    3. Discover running services on hosts

    4. Find vulnerabilities in live systems

9

Gaining Access

  • Goal: Exploit vulnerabilities to enter the target system

  • Tools Used:

    • Vulnerability Scanners: OpenVAS, Nessus

    • Exploit Frameworks: Metasploit (for building/testing exploits)

  • Common Techniques:

    • Exploiting software or OS vulnerabilities

    • Password guessing or cracking

    • Social engineering (e.g., phishing)

10

Privilege Escalation

  • A technique used to gain higher or unauthorized privileges on a system

  • Starts with access via a non-admin account

  • Exploits OS flaws, bugs, config errors, or design issues

11

Types of Privilege Escalation

  • Vertical Privilege Escalation

    • Gaining higher privileges than your current access

    • Example: A normal user becomes an admin

  • Horizontal Privilege Escalation

    • Gaining access to another user's account with the same access level

    • Example: Logging in as another employee to steal their data

12

DLL Hijacking

  • DLL (Dynamic-Link Library):
    A file containing code that multiple programs can use (e.g., to connect to a network, read files, etc.)

  • Most applications rely on pre-installed Windows DLLs to save effort (why reinvent the wheel?).

  • DLL Hijacking occurs when:

    • An attacker places a malicious DLL file in a directory where the application mistakenly loads it instead of the legitimate one.

    • The program unknowingly executes the malicious DLL, granting the attacker unauthorized or elevated privileges.

13

Privilege Escalation Using DLL Hijacking

  • Exploits the way apps load DLLs (code libraries)

  • A malicious DLL is placed where a program expects a real one

  • The program loads and executes the attacker's DLL, granting access

  • Allows attackers to run code with the same privilege level as the app

14

Covering Tracks

  • Goal: Avoid detection after gaining system access

  • Actions Include:

    1. Disabling auditing – so activity isn’t recorded

    2. Clearing logs – removing records of activity

    3. Manipulating logs – altering entries to hide evidence

15

Auditing disabled using AuditPol

  • Attackers use the command-line tool auditpol to disable auditing

  • This prevents the system from logging their activity

  • Before leaving, they can re-enable auditing to avoid suspicion

16

Clear logs on Windows systems

  • Scripts: Clear_Event_Viewer_Logs.bat, clearlogs.exe

  • Metasploit's meterpreter shell:

    • Command: clearev (wipes all logs)

  • Manual Method:

    • Navigate to:
      Control Panel > System and Security > Administrative Tools > Event Viewer

    • Right-click log types (e.g., Application, System) → Clear Logs

17

Clear logs on Linux systems

  • Navigate to the /var/log/ directory

  • Open log files like /var/log/messages using a text editor

    • Manually delete log entries created during the compromise