Introduction to Ethical Hacking, Footprinting, and Reconnaissance

Gabriel Avramescu
A free video tutorial from Gabriel Avramescu
Senior Information Security Consultant, IT Trainer
4.4 instructor rating • 15 courses • 19,318 students

Lecture description

The first step in any penetration test is to gather as much information as possible about the target. In this video I will go through what information gathering is, its different types, and the tools used to perform it.

Learn more from the full course

Network & Infrastructure - Hacking and Penetration Testing

Learn how to hack networks and web applications like black hat hackers, and learn how to secure them from these hackers.

05:25:01 of on-demand video • Updated August 2019

  • Understand and perform the basic steps in order to perform a penetration test of an infrastructure or other computers in the network
  • Be able to gather information about your target
  • You will learn how to find open ports on your target
  • You will learn how to find vulnerabilities in your target infrastructure
  • Exploit found vulnerabilities
  • Sniff and analyze network traffic
  • You will learn how to exploit Windows and Linux Systems
  • Understand and perform attacks using Metasploit
  • Understand cryptography
  • Understand the difference between backdoors, viruses and worms. Learn the basics of how to analyse them
  • Hack wireless networks
  • Understand the penetration testing process
  • As a network administrator you will learn how to secure your network
Hello and welcome. My name is Gabriel Avramescu and I will be your trainer for the hacking network infrastructure course. We will start this course by getting familiar with some theoretical terms, and also with some tools and methodologies; then we will have some practical labs where we can apply what we've learned.

We'll start this presentation with an introduction to ethical hacking. Why is security so important nowadays? Because more and more businesses are inclined to rely on IT. Using IT is very beneficial for a business, but it comes with some disadvantages as well. One of them is security. Because networks and systems are getting more and more complex, it's difficult to have a clear overview of them and also to constantly be aware of possible attack surfaces in your infrastructure. As you can see, the number of cyber attacks is rising. So it's important to learn how to protect ourselves; in order to properly defend ourselves we first need to learn to think as a hacker and to test our network as a real hacker would do it.

There are numerous examples of attacks at different levels, from personal and organizational to national levels. You can read more about each of them on your own. But what I'm really trying to underline here is that we need to be aware of those security threats: we don't need to be a big corporation to become a victim, but rather just to leave some doors open. So this is why it is important to test our network properly first, so we wouldn't leave the door open for others to try to get in. Of course, they'll try, but be prepared. For your competition or someone who wants to take your business, it's easy to hire someone to do such a dirty job, as you can see, and it can be done completely anonymously. It's more and more difficult to protect yourself: as you can see, it's a post on a forum where someone just wants to hire somebody and will pay in Bitcoins, so it could be difficult to trace back.
This course is about teaching you to become an ethical hacker, either to test your network or to help you start in IT security, if this is what you want. Coming back to security, and IT security in your business organization, we might say about security architecture that it is like a fruit, with the data being the most important thing to get access to, so it could be the core of all security. There can be several layers of protection, as you can see, like security procedures, firewalls, anti-virus and so on. But it is important to have a good overview of them in order to use them properly, and also to know exactly if they are configured properly, if they work properly and so on.

So in order to have a good idea of what your level of security is, let's say in your network, you should test it. This is actually the purpose of a security audit: to test if all the security mechanisms are in place and if they are working well at a certain time. We can say about a security audit that it is like a picture: we see the security level of the network or infrastructure at that time. But this is also the reason why it is important to test our business periodically, our security level, not just once but maybe every couple of months or so.

There are several types of security audits, each of them with different purposes. For instance, gap analysis would help us to get enough of an idea of where we are compared with some reference points, and what can be done in order to improve our security. This kind of analysis can be done using our employees or by a third party or external auditor. We have here an example of different reference points that can be checked. In the case of ISO 27001, we see a comparison between expectations to be met and the current level of security. So we can see that in some cases our expectations are met, and even better than actually expected, but there are also some areas where we need improvement. Then we have compliance.
One very well known one is PCI, which is used by payment Web sites, for instance such as PayPal. Usually this kind of audit should be done by third parties or external auditors. There are other compliance audits, such as COBIT, ITIL and so on. As you can see here, each of them could be acquired depending on the main business of the company, which kind of clients it works with, and so on. Then we have security audits; these can be done internally by either a manager or any certified personnel. Also, we have vulnerability scanning or vulnerability assessment. This can be performed using some tools to get an idea of the security level of your equipment and their configuration, and also the security level of our network. Of course, there are companies that perform these kinds of tests monthly on their infrastructure. This kind of assessment can be useful to discover low hanging fruit when it comes to security vulnerabilities, but because it relies just on tools, many security problems are not discovered. So in order to get a more in-depth overview, penetration test projects are better to be used. These do not rely on tools alone but rather on a combination of tools and manual testing by experienced auditors. This can be done from within the internal network, from the external network such as the Internet of course, or from both the internal and external networks.

Social engineering, as the name suggests, of course means to hack people rather than machines, because it's usually easier to find out a password from an employee by tricking him into telling you the password or other information that you need than it could be to hack a machine or the network. And the most important thing is that it's very, very difficult to protect against this type of attack. When it comes to auditors, there are several certifications. Those certifications are very good not just for auditors, of course, but for those who manage security in your business as well.
In this course we will focus on penetration testing, because it requires a very good knowledge of IT security, but not only security, as we will see. So for the beginning we'll discuss the main phases of penetration testing, and as we advance in the course we will talk in detail about each of them. As we can see, penetration testing can be divided into three phases: information gathering, exploitation, and the last one is reporting.

Moving forward, we will discuss a part of the first phase of penetration testing, which is information gathering, and this part is called footprinting and reconnaissance. This part, the part of information gathering, is so important because you cannot test and you cannot attack what you don't know; each piece of information that you find out at this point can make your life easier in order to reach your objective in getting to the moderators.

There are different types of tests that we should get familiar with, such as black box penetration testing, gray box and white box. The black box is when you don't know anything about the target, just the target itself, of course. In the white box you know and have access everywhere: you have access to logs, you have access to systems, you have access to usernames and passwords and so on. It's very useful when you have a limited time frame, but you should know what to look for. So for instance you can test as if you don't know anything, and then you can just look behind the scenes to learn about the effect that you had when you attacked that box or that system or that network. As I said, there is also gray box penetration testing, which is a mix between black box and white box, where you are informed just a little bit about the target, such as the firewall technology, the systems they use, operating systems and so on. But we will focus more on black box and grey box penetration testing, when we don't know anything, just the target itself.
So what we should try to discover at this point: we have several types of view, if we can say that, such as system view, logical view, functional view and so on. Actually we should try to learn as much as possible about the target, starting with the type of devices: if they have laptops, what kind of laptops, workstations, servers, operating systems, if they use printers, if they use telephones, what kind of software they use, if they have anti-viruses or not. This information can be useful later, as you might see in the following lectures and in the labs.

In the black box penetration test, often we don't know much about the target beside the target itself, the name of the target maybe. We don't know what kind of Web site they have, what kind of infrastructure they have, and so on. So the steps between just discovering some public information about the target and the point when we get access to the job manager's computer, for instance, will be discussed later on in the labs and in the following lectures. So we need to learn as much information as we can. But from where? Of course from the Internet and from people, as we talked earlier about social engineering. Information about their technology can be found on Google or shodan.com. This is a search engine for devices. If we can find anything on Google, Shodan HQ is focused more on those devices, from vendors to technology and so on, so it's very, very useful. You can try it yourself; there are some examples on the Web site. You can find out more about the employees from social networks such as Facebook, LinkedIn or Twitter. And so when you find out who's working at the target company, or the company you want to test, you can use social engineering in order to trick them into revealing some useful information that you can use later. Any information is very good. Using the process called spidering, which is actually indexing the Web pages of their Web sites,
you can find out very, very much about the company, and there may be documents that can be useful and can reveal maybe internal data from the company. Here are some examples of software that can help you in the spidering process. It's very useful to find out if they are using VPN or if they have their webmail public on the Internet, so you can try different domains and subdomains such as vpn.website.com or outlook.website.com and so on. But we will discuss a little bit more about this later, about spidering tools. You can look it up yourself if you want, but actually we can use Google, which has already spidered Web sites for us, to find out more and to look up specific information. You might have heard of Google hacking or Google dorks: using certain syntax, Google can help you find specific things on the Internet or on specific Web sites, if Google already has the Web site indexed or spidered in their database. So we can just throw the request or the query, and then Google will throw back the information as we asked for it. So we can ask for specific file types such as PDF, doc, xls and so on, and also you can look for specific page titles or specific areas. You can find out more about the Google Hacking Database on the hackersforcharity.org Web site, and we will practice a little bit of Google hacking in our lab.

Here we have some examples. This example shows the result of a Google search that will show us some publicly accessible links to password files. So when we look for a title that starts with "index of" and then "email" and the file, this is what will be revealed. Here we can find some security scan reports; those are reports from the Nessus scanner. In some examples those reports shouldn't be public; maybe they refer to their internal network, so you can find out about their network from these results.
And here again, some file types that contain the word "restricted" in their name. Also, there are some authorities that manage the IP addresses and also the domains. They can be a very, very useful and very good source of information. Using tools like "whois", which is either online or already installed on Linux and Mac OS, we can find detailed information about the owner of the target Web site or the IP address; maybe we can find information about the phone number, the address, as in which city, which street and so on, and that information can also be used later for social engineering purposes. And of course it's free and it's legal. It's probably called there. So here we have one example of a request or a search on a Web site when we try to find out information about whoever is in charge of the domains, and we have here phone numbers and address and name. Another example, from other Web sites or from a top level domain, and we have some information about a certain Web site, or a reverse search where we find who is in charge or to whom a certain IP belongs. And we have also a phone number, the name of the company or the person of contact, and other such information. Another very good source of information actually is the name servers, either those specific to the network or to a certain company that we want to test or on which we want to make a penetration test, or just public DNS servers such as Google's.
And if there is information such as IP addresses, of course, for email servers or for their specific domain name servers, it can be found using DNS. If the DNS server is not properly configured, the DNS server of the target company of course, we can use a zone transfer in order to get information about all the IP addresses, and those IP addresses can sometimes be internal, and it contains internal names of servers and computers, which can be very useful at some point because it can contain the internal IP scheme, the IPs they use inside the network and what servers they have and so on. It's very easy; here we have a DNS query for a certain Web site. So when we set type=ns we actually ask who is responsible for this server, what is the domain name server responsible for this Web site. And here we have a query where we ask about the mail exchanger's IP address, so we use set type=mx.

When it comes to network reconnaissance, there is one more thing that can be somehow useful: the traceroute command can be found on both Windows and Linux and can be handy to discover the entire path between our computer and the target machine or the target systems. There are also some visual tools that can show us the same things but using maps and so on; it's nice to see that either way the result is the same. And this is the output from a traceroute issued on a Windows machine, and we can see the different routers through which each of the packets will travel until it gets to the destination. More tools and information can be found also on those Web sites, if you want to learn more. Some of those Web sites will show you, and some will test, whether the mail server or the DNS for the main domain is configured properly and so on. So you can just enter each one of them and read a bit there.
And that concludes the first part of the first phase of an attack. Thank you.
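The nslookup lookups from the DNS part of the lecture (set type=ns and set type=mx), as an added example that is not part of the course or its materials: a stdlib-only Python client that builds the query packet, parses the NS and MX answers that come back, and rejects crafted name-pointer loops in a reply. The function names, the NS/MX constants and the resolver address 9.9.9.9 in lookup() are my assumptions; point it at your own resolver.

```python
import socket
import struct
NS, MX = 2, 15  # RFC 1035 type codes behind nslookup's "set type=ns" / "set type=mx"

def build_query(name, qtype, txid=0x1234):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN

def read_name(msg, off):
    # Decode a possibly compressed name; return (name, offset just past the field)
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier name
            hops += 1
            if hops > 16:                           # refuse crafted pointer loops
                raise ValueError("DNS name pointer loop")
            end = end if end is not None else off + 2
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if ln == 0:
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += ln + 1
    return ".".join(labels), (off + 1 if end is None else end)

def parse_answers(msg):
    # Return ('NS', host) and ('MX', preference, host) tuples from the answer section
    qd, an = struct.unpack(">HH", msg[4:8])
    off, records = 12, []
    for _ in range(qd):                             # skip the echoed question
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == NS:
            records.append(("NS", read_name(msg, off)[0]))
        elif rtype == MX:
            pref = struct.unpack(">H", msg[off:off + 2])[0]
            records.append(("MX", pref, read_name(msg, off + 2)[0]))
        off += rdlen
    return records

def lookup(name, qtype, server="9.9.9.9"):  # resolver address is an assumption
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(build_query(name, qtype), (server, 53))
        return parse_answers(s.recv(4096))
```

lookup("example.com", MX) returns what nslookup prints after set type=mx; only the answer section is decoded, so authority and additional records are ignored.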