Monday, December 31, 2007

Hacker Classes

Hackers can be classified into various categories based on their activity profiles.
  • Black hats
    • Individuals with extraordinary computing skill who use their skill with malicious intent for illegal purposes. This category of hacker is often associated with criminal activities and sought by law enforcement agencies.
  • White hats
    • Individuals professing hacker skills and using them for defensive purposes. Also known as "security analysts".
  • Grey hats
    • Individuals who work both offensively and defensively at various times. They believe in full disclosure, on the grounds that other people who come across the disclosed information are able to make judicious use of it.
Ethical hackers are information security professionals who are engaged in evaluating the threats to an organization from attackers. Ethical hackers can be classified into the following categories:
  • Former black hats
    • This group comprises former crackers who have taken to the defensive side. They are better informed about security-related matters, as they have no dearth of experience and have access to the right information through the hacker network. However, they do not earn credibility for the very same reason, as they may pass along sensitive information, knowingly or inadvertently, to the hacker network, thereby putting the enterprise at risk.
  • White hats
    • They profess to have skills on par with the black hats. However, it remains to be seen whether they can be as efficient in information gathering as black hats.
  • Consulting firms
    • This is a new trend in ICT consulting services, driven by the increasing demand for third-party security evaluations. These firms boast impressive talent and credentials. However, a word of caution is necessary with regard to background checks on these individuals, as they may include former black hats and even script kiddies who take up assignments for the thrill it gives them.

Monday, December 17, 2007

Anatomy of Attack

Now we come to some real fun. What does a hacker do?

In general, a hacker attack can be dissected into five phases.
  1. Reconnaissance
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Covering Tracks

Reconnaissance

Reconnaissance refers to the very initial stage, where the hacker tries to collect as much information as possible about the target before starting any attack. The hacker will use both technical knowledge and social skills to learn more about the target. Social skills, or social engineering, can be surprisingly efficient at collecting internal information.

Technical reconnaissance can be categorized into active and passive. Active reconnaissance involves using tools to interact with the target, while passive reconnaissance collects publicly available information, through social engineering, dumpster diving, etc. Active reconnaissance is usually the choice of newbies, who perceive little risk of their reconnaissance activity being detected.

As an ethical hacker, you must be able to identify the different reconnaissance methods and be able to advise on preventive measures against the potential threat.

Scanning
Scanning refers to the pre-attack stage, when the attacker scans the target using the specific information gathered during reconnaissance. Scanning can be considered an extension of active reconnaissance which involves automated tools such as network/host scanners and war dialers to discover vulnerabilities. Attackers can gather information such as the mapping of systems, routers and firewalls by using a simple tool such as traceroute, or Cheops, which adds sweeping functionality to that rendered by traceroute.

Port scanners can be used to detect listening ports and find information about the services running on the target machine. The primary defense is to shut down services that are not needed. Vulnerability scanners can be used to detect vulnerabilities on the target network. This gives the attacker the advantage of time, because he has to find just one vulnerability to enter, while the system professional needs to apply several patches.

Organizations that deploy intrusion detection systems still have to worry, as attackers can use evasion techniques at both the application and the network level. However, a properly configured NIDS cannot be detected, and all the better ones do anomaly detection, making evasion difficult.
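The scanning stage leaves a recognisable footprint on the defender's side: one source address touching many distinct ports on one host within a short time. The following script is an added example (not code from the blog) showing the simplest form of that detection over firewall deny/accept logs. The log line format, the sample lines, the threshold of five distinct ports and the sixty-second window are all assumptions chosen for illustration.

```python
"""Port-scan detector over firewall logs (added example, not the blog's code).

Reads constructed log lines in a simplified iptables-style format and flags
any (source, destination) pair that touches at least `threshold` distinct
destination ports within a sliding time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not from a real system): one source probing
# many ports on one host, mixed with ordinary traffic from other sources.
SAMPLE_LOG = """\
2007-12-17T10:00:01 DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=21
2007-12-17T10:00:01 DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=22
2007-12-17T10:00:02 DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=23
2007-12-17T10:00:02 ACCEPT SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP DPT=80
2007-12-17T10:00:02 DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=25
2007-12-17T10:00:03 DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=110
2007-12-17T10:00:03 DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=143
2007-12-17T10:00:04 ACCEPT SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP DPT=443
2007-12-17T10:00:04 DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=443
2007-12-17T10:00:05 DROP SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=3306
2007-12-17T10:05:00 DROP SRC=10.0.0.9 DST=192.168.1.10 PROTO=TCP DPT=22
"""

# Assumed log layout: ISO timestamp, verdict, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def detect_port_scans(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag (src, dst) pairs that hit >= threshold distinct ports inside `window`.

    Both ACCEPT and DROP lines count: a scanner hits open ports as well as
    closed ones. Returns {(src, dst): sorted list of ports seen in any
    offending window}.
    """
    events = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in an unexpected format
        events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dpt"]))

    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it lies within `window` of evs[end].
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {port for _, port in evs[start:end + 1]}
            if len(ports) >= threshold:
                alerts.setdefault(key, set()).update(ports)
    return {key: sorted(ports) for key, ports in alerts.items()}


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```

Run as-is, the script reports 10.0.0.5 probing eight ports on 192.168.1.10 within four seconds, while the two-port source 10.0.0.7 and the single-port source 10.0.0.9 stay below the threshold. A real NIDS does the same counting with per-source state and tunable windows; the point here is that even the most basic threshold on distinct-port fan-out separates a scan from ordinary traffic.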

Gaining Access
Gaining access refers to the true attack stage. Attackers can exploit the target over the LAN, locally, over the Internet, or offline through deception or theft. Examples include stack-based buffer overflows, denial of service, session hijacking, etc.

Spoofing is a technique to exploit the system by pretending to be someone else or a different system. The attacker can use this technique to send malformed packets, carrying a trigger for a bug, to the target system in order to exploit the vulnerability. Packet flooding can be used to remotely stop the availability of essential services. Smurf attacks try to elicit the available users on the network and then use their legitimate addresses.

The perceived risk involved when an attacker gains access is high, as the attacker can gain access at the operating system level, the application level or even the network level.


Maintaining Access
Maintaining access refers to the phase when the hacker tries to retain his "ownership" of the system. Once he has gained access to the target system, the attacker can choose to use the system and its resources to launch further attacks on other systems, or to keep a low profile and continue to exploit the system. Both are damaging to the organization. For instance, the attacker can install a sniffer to capture all the network traffic.

Sometimes, attackers harden the system against other hackers to secure their exclusive access, using backdoors, rootkits, Trojans and Trojan-horse backdoors.

Attackers try to remain undetected by removing evidence of their entry, and use backdoors or other Trojans to gain repeat access.

Covering Tracks
Covering tracks refers to the activities the attacker undertakes to remove evidence of his presence and activities, so that he can maintain access or evade criminal punishment. This normally entails removing log files and replacing system binaries, such as ps or netstat, with trojaned versions, so that the system administrator cannot detect the intruder on the attacked system. Just as there are automated scripts for hacking, there are also automated scripts for hiding intruders, often called rootkits.

Other techniques include steganography, tunneling, etc. Steganography is the process of hiding data. Tunneling takes advantage of transmission protocols by carrying one over the other. Even the spare space in TCP and IP headers can be used for hiding information.
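Both the maintaining-access and covering-tracks stages above come down to the same thing from the administrator's side: binaries such as ps and netstat that no longer match what was installed. The standard countermeasure is a file-integrity baseline, and the script below is an added example (not the blog's own code) of the idea: record SHA-256 digests of a set of files while the system is known-good, then compare later and report what is modified or missing. The scratch directory, the stand-in file contents and the simulated tampering are all constructed for the demonstration.

```python
"""File-integrity baseline check (added example, not the blog's code).

Hashes a set of files into a baseline and later reports which ones have
changed or disappeared. A real deployment keeps the baseline and the
checking tool off-host (read-only media or a remote store), because an
intruder with root can rewrite a local baseline along with the binaries.
"""
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Map each path to its SHA-256 digest; this is the trusted reference."""
    return {p: sha256_of_file(p) for p in paths}


def check_baseline(baseline):
    """Compare current file state against the baseline.

    Returns {path: "ok" | "modified" | "missing"}.
    """
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif sha256_of_file(path) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo():
    """Simulate a trojaned 'ps' and a deleted 'netstat' in a scratch directory.

    Returns statuses keyed by file name so callers do not depend on the
    temporary path. All file contents are constructed stand-ins.
    """
    with tempfile.TemporaryDirectory() as d:
        ps = os.path.join(d, "ps")
        netstat = os.path.join(d, "netstat")
        ls = os.path.join(d, "ls")
        originals = ((ps, b"original ps"), (netstat, b"original netstat"), (ls, b"original ls"))
        for path, content in originals:
            with open(path, "wb") as f:
                f.write(content)

        baseline = build_baseline([ps, netstat, ls])  # taken while known-good

        # Simulated tampering: ps replaced, netstat removed, ls left untouched.
        with open(ps, "wb") as f:
            f.write(b"trojaned ps")
        os.remove(netstat)

        report = check_baseline(baseline)
        return {os.path.basename(p): status for p, status in report.items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name}: {status}")
```

Running it prints ls as ok, netstat as missing and ps as modified. Note what the check does not catch: a kernel-level rootkit that lies to the hashing tool itself, which is why serious integrity checking boots from trusted media or compares against a baseline held on another machine.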


Sunday, December 16, 2007

Basic Terminology

Yes, it is boring, but it is essential to understand some basic terms. Just bear with it; there are just a few and I have kept them simple and short.


Threat - A potential violation of security.

Vulnerability - The existence of a weakness, design or implementation error that can lead to an unexpected and undesirable event compromising the security of the system, network, application or protocol involved.

Target of Evaluation - An IT system, product or component that is identified as requiring, or subjected to, security evaluation.

Attack - An assault on system security that derives from an intelligent threat, i.e. an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system.

Exploit - A defined way to breach the security of an IT system through a vulnerability.

To make an analogy: the Target of Evaluation is a person who has a weakness (vulnerability); because of the weakness he is subject to certain potentially dangerous acts or events (threats). A thief (cracker) can exploit his weakness to cheat (attack) him.

It is important to note the difference between threat and vulnerability. Not every threat results in an attack, and not every attack succeeds. Success depends on the degree of vulnerability, the strength of the attack and the effectiveness of countermeasures. If the attack needed to exploit the vulnerability is very difficult to carry out, then the vulnerability may be tolerable.

Attacks can be classified as active and passive. The difference between these categories is that while an "active attack" attempts to alter system resources or affect operation, a "passive attack" attempts to learn or make use of information without making any change to the system.

Attacks can also be classified as originating internally or externally.

OK, just a few more words to add to the list.

Security - A state of well-being of information and infrastructure in which the possibility of successful yet undetected theft, tampering, and disruption of information and services is kept low or tolerable.

Confidentiality - Concealment of information or resources.

Authenticity - Identification and assurance of origin of information.

Integrity - Trustworthiness of data or resource in terms of preventing improper and unauthorized change.

Availability - Ability to use the information or resource desired.

Can Hacking Be Ethical?

Yes! That is why I started writing this blog.

The next question you would probably ask is "How can hacking be considered ethical?". The idea of hacking in the general mind is an act of unauthorized access to computer resources. How can unauthorized access be considered ethical?

Yes, it can! Unauthorized access can still be ethical and moral if the objective is to help, not to destroy. After gaining unauthorized access you can abuse the information or privilege you have, or, on the other hand, you can help improve the security of the system.

Large corporations have begun to realize the need to evaluate their systems for vulnerabilities and correct security holes. They need someone who can think like a cracker and simulate the cracker's actions to hack into their systems without doing anything harmful.