Hands-On Ethical Hacking Tactics: Strategies, tools, and techniques for effective cyber defense

By Shane Hartman
Product Details

Publication date: May 17, 2024
Length: 464 pages
Edition: 1st Edition
Language: English
ISBN-13: 9781801810081

Ethical Hacking Concepts

Hackers and hacking are usually associated with criminal activity, but it wasn’t always that way. In the 1960s, learning and working on computers wasn’t readily available. They were difficult to work with and those that could get things working often hacked things together. In other words, hackers were innovators who could solve complex problems.

In the late 1970s, computers became accessible to the public through homebrew kits, and at that time, curiosity and innovation were still a part of the hacking community. It wasn’t until the 1980s that hacking took on a negative tone, with the release of movies such as WarGames and Hackers, and the image of a hacker changed from an enthusiast to a criminal. Since this time, the term hacker has been associated with criminal and malicious activity.

Fast-forward to today and we have a concept known as ethical hacking, meaning we take the concepts and techniques used by hackers and apply them for the benefit of organizations and individuals in an attempt to elevate their security posture. This is the first chapter in your journey to understand and apply the concepts of hacking in an ethical manner.

In this chapter, we’re going to cover the following main topics:

  • What is ethical hacking?
  • Elements of information security
  • Why do intrusions and attacks happen?
  • Types and profiles of attackers and defenders
  • Attack targets and types
  • The anatomy of an attack
  • Ethical hacking and penetration testing
  • Defensive technologies
  • Lab – setting up the testing lab

Technical requirements

Labs have been included to get the most out of this book. The labs are designed to enhance the subject matter by supplying tangible examples of what is covered. To be successful with the labs, the following minimum system settings are required:

  • 8 GB of RAM minimum (16 GB recommended)
  • 50 GB of disk space
  • The rights to install applications

What is ethical hacking?

Ethical hacking represents a group of skills within cyber security that manifests in a few distinctive roles, including pen testers, blue teamers, and purple teamers. Ethical hackers are also part of a larger group known as white hat hackers, whose focus is education and defense. We will discuss this in detail in the White hat hackers section later in this chapter.

What role does the ethical hacker play in organizational security? Unlike threat actors (black hats), who are motivated primarily by financial gain, ethical hackers align themselves on the defensive side of networks, attempting to secure networks by pointing out flaws and misconfigurations that malicious attackers would take advantage of. They are commonly associated with penetration testing but really can assume any role within an organization. Ethical hackers represent the apex of security practices within an organization. These practices start with core areas such as antivirus software and patch management and move on to more complex security issues such as remote automation and administration, as well as ingress and egress, encryption, and authentication.

Depending on their specific role, ethical hackers use a variety of tools and techniques to search for outdated software, misconfigured systems, and potential security weaknesses within the network. They use this information not only to bolster overall organizational security but also to find the weaknesses and oversights that attackers would find, using the same techniques attackers use. Other work ethical hackers perform includes discovering incomplete policies and procedures. They are also skilled in the tactics, techniques, and procedures (TTPs) of adversaries. This means they understand how attackers operate, what tools they use, how they find information, and how they use it to take advantage of an organization. Ethical hackers also realize that security is an evolving discipline where learning and growth never end. One place to get a better understanding of attackers and the operations they perform is the MITRE ATT&CK framework, which lays out a matrix of 13 categories showing various attacks. For more information, see https://attack.mitre.org/.

How does one become an ethical hacker? There are several approaches that can be taken, including using this book, and courses covering hacking and cyber security that can get you started. There are also certifications, including the Offensive Security Certified Professional (OSCP), Certified Information Systems Security Professional (CISSP), and Certified Ethical Hacker (CEH). However, even with all these opportunities and paths that can be taken, the one thing needed more than anything else is just to be curious – about how all this technology works, how information is stored and communicated, and how technology interoperates with other machines and devices.

Now that we know what ethical hacking is, let’s take a look at what makes up information security.

Elements of information security

Information security and, subsequently, ethical hacking methodologies revolve around three core principles: Confidentiality, Integrity, and Availability (CIA). These core principles provide the framework for information security and are used by ethical hackers and security professionals to test security and security solutions. These principles can be described as follows:

  • Confidentiality: Data stored on networks in the form of databases, files, and so on carries a certain level of restriction. Access to information must be given only to authorized personnel. One example is nonpublic financial information that could be used to make investment decisions (trading on it is known as insider trading). Another example would be company patents or trade secrets.

    Ensuring this information is reserved for only those who need to know about it can be addressed through techniques such as encryption, network segmentation, and access restrictions, as well as practicing the principle of least privilege. These are the things ethical hackers check and test to make sure there are no gaps or exposure of information beyond what is authorized.

  • Integrity: Data that is accessed and viewed, whether part of an email or viewed through a web portal, must be trustworthy. Ethical hackers and security personnel ensure that data has not been modified or altered in any way; this includes data at rest as well as data in transit. Examples of integrity checks include showing and storing hash values and the use of techniques, including digital signatures and certificates.
  • Availability: The last principle is that of availability. Information that is locked down to a level where no one can access it not only defeats the purpose of having data but affects the efficiency of those who are authorized to access it. However, just like the other principles, there is a fine line between availability by authorized personnel and confidentiality. An ethical hacker tests availability in a number of ways. Some examples include remote access for employees, establishing hours of operation for personnel, and what devices can have access.

The CIA principles will be revisited throughout the chapters as attack techniques are discussed: for each attack, which principle (or principles) it violates and what practice (or practices) could be implemented to prevent or detect it. Next, let’s take a look at attackers and why they attack.

Why do intrusions and attacks happen?

Attacks do not operate in a vacuum, and as such, attacks and intrusions can be broken down into three core areas, sometimes referred to as the intrusion triangle or crime triangle. In other words, certain conditions must exist before an attack can occur. These core areas are Motive, Means, and Opportunity.

We’ll look at each of these in the following sections.

Motive

An attacker must have a reason to want to attack a network. These motives include exploration, data manipulation, causing damage, and destroying or stealing data. Motives may also be more personal, such as financial gain, retaliation, or revenge. Examples include a disgruntled employee who wants to do damage because of some grievance with company managers or coworkers. Another would be a cybercrime group targeting a company or industry to extort money through ransomware or some other means. Still another would be a script kiddie who stumbled upon the network and thought it might be interesting to see what they could get access to. More on script kiddies in the Types and profiles of attackers and defenders section.

For investigators, it is also important to differentiate between motives for criminal activity and the operational goals and objectives associated with the larger crime. As an example, compromising user accounts is not the goal of an attack; gaining access to the corporate network and stealing data is. The account compromise is simply an operational goal.

It may also be important to understand the intensity of an attack and the motives behind it. People who are desperate are more determined to achieve their goals. The employee who is in a bad financial situation may see accessing and stealing company funds as the only means to alleviate the situation. And with that, the higher the pressure, the more likely it is that the employee will not only commit the crime but take larger risks to meet that goal.

Means

Once an attacker has a motive, they need the means to perform the attack. Means refers to the technology plus an individual’s or group’s skills, knowledge, and available resources. By understanding these requirements to commit a given crime, plus the potential motivations, investigators can narrow down attribution to individuals or groups and eliminate others. Additionally, investigators need to be aware of technological innovations as potential means of committing cybercrimes in relation to the crime committed. By way of example, a nation-state actor in China would not have the means to access and sabotage an electrical plant in the United States physically. However, once the electrical plant installed IoT sensors and connected them to the internet, the means would be made available.

Opportunity

The third part, completing the triangle, is opportunity. Used in conjunction with motive and means, an opportunity is that moment or chance where the attack can be completed successfully. For an opportunity to be available, it means that various protective mechanisms were either ineffective or non-existent. This means that human, technological, or environmental factors were conducive to the crime being committed. For example, a power failure might cause locked doors to fail open for safety but allow criminals free access to all areas of the company. Or, unpatched servers exposed to the internet might be discovered during a scan, informing attackers what exploit(s) will be successful in accessing the core network. You can see a visual representation of the crime triangle in the following figure:

Figure 1.1 – Crime triangle

Of the three areas, the ethical hacker has the most control over opportunity. As a defender, you cannot eliminate motive, as that comes from the personal desires of the attacker, whether they are acting as an individual or a group. You also cannot eliminate means, as knowledge is readily available and skills can be acquired. This leaves opportunity as the area where defending against and preventing most attacks has the best odds of success.

Now that we have looked at why intrusions happen, let’s take a look at the different types of people that make up the cyber security landscape, from attacker to defender.

Types and profiles of attackers and defenders

Now that we have spent time describing what is being protected and why attacks might occur, let’s look at our attackers and some of the areas where attacks take place.

The hacker community and the titles ascribed to or acquired by these groups have been a source of confusion furthered by movies and media. With all these names and titles, it can be challenging to understand who is on the good side, so to speak, versus the dark side. Let’s start by breaking these groups down, and defining what they do and where they operate.

Let’s start at the top, with Black Hats and White Hats. These monikers came from old Western movies where bad guys wore black hats, and the good guys wore white hats. The concept stuck, and from it, the black hat hacker was born, who uses their skills to perform criminal acts. On the other side is the white hat hacker, who uses their skills to help educate and defend companies and individuals from black hat activities. As with all groups and hats, for that matter, one size does not fit all, and as such, subgroups exist under these titles.

Let’s explore each of these in the following sections.

Black hat hackers

Black hat hackers are criminals who break into computer networks with malicious intent. Black hat hackers often start as novice script kiddies using purchased exploits and hacker tools – more on them in the Script kiddie section.

Their motivations lie in financial gain, revenge, or simply spreading havoc. Sometimes they might be ideological in nature, targeting industries and people they strongly disagree with.

How do black hat hackers operate? Well, they operate like any other big business; they have learned how to scale up campaigns and create distribution networks for their software. They have even developed specialties such as ransomware or phishing services they can sell or rent out.

Some even have call centers that they use to make outbound calls, pretending to represent organizations including Amazon, Microsoft, the IRS, and even law enforcement. In these scams, they try to convince potential victims to download remote control software allowing remote access. The attacker then uses their access to gather information from the victim including personal information, passwords, and banking information.

How do people end up becoming black hat hackers? Some will get a job from forums or other connections where they might be solicited and trained by organizations to make money quickly. Leading black hats are skilled hackers who may have formal training in the computer science or security fields.

Black hat hacking is extremely difficult to stop and a problem that is global in nature. The separation by geography, jurisdictions, and politics poses significant challenges for law enforcement.

Black hat hackers have several subcategories, including script kiddies, hacktivists, cyber terrorists, and cyber criminals, with slightly different motivations. Let’s look at these categories.

Script kiddies

Script kiddies, sometimes called skids or skiddies, are people who may be new to the area and have few skills, relying on the work of others to accomplish their goals. Their goals and motivations include trading exploits and attacking networks with well-known attacks that are in many cases easily thwarted. They may try to develop their skills or join other groups to gain experience, or they may be used by criminal organizations. What makes this group dangerous is that there are many of them and they do not necessarily have a core motivation, making them more difficult to profile.

Hacktivists

Hacktivism is where hacking meets political and/or social agendas. A hacktivist group has a clear focus on using their skills to target governments, corporations, and even individuals that fall into the agenda they support. Because of the nature of what they do, hacktivist groups can incorporate several other groups, including script kiddies and black hat hackers who agree with the agenda. Some of the most well-known hacktivist groups include Anonymous, LulzSec, and WikiLeaks.

Cyber terrorists/cyber warriors

This group tends to be more elite and includes cyber forces employed by their respective governments or powerful groups with the means, both financially and ideologically, to attract the people necessary to complete their tasks. These tasks cover several areas, including the following:

  • Disruption of major or significant websites
  • Disruption of critical infrastructure systems such as communications systems, electrical grids, and water resources
  • Espionage to spy on the target government to gain a strategic or an intelligence advantage

A term also synonymous with this group is cyber warfare since a large portion of this group involves nation-state activity.

Cyber criminals

This is a group that is motivated by profit and is composed of individuals or teams who use technology with malicious intent. This group may be involved in all types of crimes from credit card and identity fraud to bank account and medical record resale.

White hat hackers

This group is sometimes referred to as ethical hackers and is the opposite of black hat hackers. They defend computer systems and networks by identifying security flaws and making recommendations for improvements. Depending on their specific role, they perform a series of tests to check the efficiency of a security system. These tests can be simple security scans, policy and procedure tests, or attacker simulation tests. They can be performed by internal employees or third-party contractors attempting to find gaps in security.

How do white hat hackers operate? They use the same hacking methods as black hats; however, they have permission from the system owners to perform the operations and there are defined guidelines about what is being tested, which makes the process completely legal. So, instead of exploiting vulnerabilities and taking advantage of systems, white hat hackers work to help fix issues before actors with malicious intent discover them.

White hat hackers have a number of subcategories, including pentesters (red team), blue team, and purple team, with slightly different duties. Let’s look at these categories.

Pentesters (red team)

This group is associated with pentesting and works in the offensive computing space. They are commonly third-party contractors who simulate an attack against a computer system to check for any exploitable vulnerabilities.

Blue hat hackers (blue team)

This group works in the defensive computing space and is commonly the internal employees in charge of various security systems, policies, and procedures. They establish the security measures for what needs to be protected and then monitor those measures, adjusting them based on their own tests and feedback from outside operations such as pentests and audits.

Purple team

There are times when the red team and blue team do not work well together. This can be caused by personalities and things such as ego and embarrassment. Other times, it can be caused by a disconnect between what the red team is testing and communicating to the blue team and how they might go about understanding and correcting the issues. Purple team members are there to bridge gaps in understanding and communication by having skills in both disciplines so they can ingest, distill, and translate information and details from one group to the other.

An example might be the results of a pentest showing that the dependence on legacy application frameworks opens an exploit vector that is easily taken advantage of with a simple buffer overflow to the authentication input screen. The blue team, not really knowing what to do with this information, turns to the purple team, who repositions the result to say something like “the outdated application has a buffer overflow vulnerability.” While it cannot be addressed directly with a patch to the system, it should be placed network-wise in a high-security group where, if the exploit is attempted, the attacker cannot gain anything further from it. This approach of understanding the problem, translating it, and offering potential solutions is what purple teams can do when the red and blue teams are not working together or communications are not as effective as they could be.

There is one more group that does not really fit into any specific category, and that is gray hat hackers. Gray hat hackers are a peculiar mix of both black hat and white hat characteristics. They operate on their own, looking for network faults and hacks in networks, systems, and applications. They do so with the intention of demonstrating to owners and administrators that have networks, systems, and applications under their care and control that a defect exists in their security posture. Once they have validated that a vulnerability exists in a network or application, they may offer to help correct it, or in the case of an application, inform the company through responsible disclosure before publishing information publicly. In contrast, a black hat will exploit any vulnerability or tell others how to as long as they profit from it.

In many cases, gray hats are just curious and do provide beneficial information to companies about the security of their applications and services. However, many security professionals do not view their methods as ethical. The exploitation of a network is illegal, and they have not received permission from an organization to attempt to infiltrate their systems. Gray hats say they mean no harm with their hacking, and they are simply curious about high-profile systems operating without regard to privacy or laws. Regardless of the reasons, it is still illegal, and depending on what was done, it could land them in court or jail.

How do gray hat hackers operate? As stated earlier, gray hats work at the fringe of being black hats, but they look for opportunities to work their craft legally if they can. They look for companies that have bug bounty programs that encourage hackers to report their findings. In these cases, it is a win-win for the company as it gives an area for hackers to work in and helps to mitigate the risk of exploitation by a malicious actor. Once the hacker finds an exploit or vulnerability, they need to contact the organization and present their findings. The intent at this point is for the company to recognize the security flaw and begin the process of correcting it, and hopefully compensate the hacker for their time.

However, sometimes when organizations do not respond promptly or do not comply, the hacker may end up posting the vulnerability or exploitation method on the internet. This moral and ethical choice is what makes them gray hat hackers.

After exploring the different groups and their profiles, let’s look at the types of attacks that can be performed on networks and systems.

Attack targets and types

There are many things that can be targeted for an attack; however, all areas of an attack can be distilled down to three core areas. The first is the network, which is an attack on the communication structure of a network and it can target specific devices or communication protocols. The second is applications. This is the software running on devices and hosts. The third and last area is the host, which usually targets the endpoint operating system or user of the system. Let’s take a deeper look at these areas.

Network

Network attacks are usually one of the first types of attacks to occur. The most common of these types of attacks are flooding attacks, which overwhelm the receiving hardware, forcing it to perform unintended operations or to simply give up and not work at all, such as in a denial of service (DoS) attack. A DoS attack can occur internally or externally depending on the source. It occurs when a source generates more traffic than the receiver can handle; this can be on a specific service such as a web server or at the interface level, such as an ARP flood. Other types of network attacks include man-in-the-middle (MITM) attacks.

Application

Application attacks, as the name suggests, focus on applications or services. Most of these will be at the server level; however, they are not limited to servers and can exist on standalone devices or user workstations. Application attacks usually take advantage of misconfigurations or vulnerabilities. SQL injection and cross-site scripting are examples of this. Another type of application attack is Kerberoasting, which is an attack on Microsoft Active Directory servers to grab and crack passwords. Misconfigurations or vulnerabilities can not only allow the exploitation of the application but can act as a conduit exposing the network to further exploitation, including credential dumping, data exposure, and financial loss.

Host

Host attacks, sometimes called endpoint attacks, are attacks that target end user systems through their desktop machines and laptops. Because of the nature of these machines, they tend to have a much larger number of applications installed, and the behavior of the users operating them is less defined. This gives the attacker a larger attack surface to work with. Some examples of host-based attacks include the following:

  • Drive-by downloads and watering holes: Here, a victim becomes compromised simply by visiting a website.
  • Attacks on unpatched or legacy applications: Java is one of the biggest culprits here as old versions of Java can be found on most machines.
  • Phishing emails: This is one of the biggest and best attack vectors that exist solely at the host level. Phishing emails are likely the most common attack vector used to compromise enterprise networks today. They are simple, require few technical skills, and have proven to be highly effective. However, as training and technology improve, the success of this attack vector should begin to decline to a more manageable level.

However, before any type of attack takes place, a series of steps or actions occurs, often referred to as the cyber kill chain. Let’s look at the cyber kill chain and see why its steps are in the order they are.

The anatomy of an attack

The anatomy of an attack, sometimes referred to as the Cyber Kill Chain, basically lays out a series of actions and events attackers commonly take to exploit a system or network.

This model gives defenders context and helps them categorize what stage an attacker is at when detections are made.

The cyber kill chain was adopted from the military term kill chain, describing the structure of an attack. It was developed by Lockheed Martin as a model for identifying, detecting, and preventing intrusion activity using computers. It also describes the TTPs used during an attack.

The kill chain can be broken down into the following key areas, or order of operations:

Figure 1.2 – Cyber kill chain

In the following sections, we’ll describe the key areas in some detail.

Reconnaissance

Reconnaissance is the first step in an attack. The attacker needs to gather intelligence on their target. This information gathering helps the attacker profile the target and determine which vulnerabilities will meet their objectives. This part of the attack is usually the most prolonged and can take weeks, months, or even years depending on the target and the attacker’s goals. Given the current state of information available on the internet, the attacker’s job is made easier.

Here are some of the areas they look at:

  • Company website
  • Job listings
  • Social networks (LinkedIn, Instagram, GitHub, etc.)
  • Crafted searches using Google and Bing
  • Email harvesting
  • Network scanning – direct and indirect
  • Registration services – Whois and hosting providers

For defenders, it is almost impossible to identify and detect reconnaissance due to how it is conducted. Over time, attackers can collect enough information without any active connection to have a comprehensive profile of the target. However, to discover servers exposed to the internet, what ports are open, and running services, adversaries need to actively connect to the target. If defenders can identify that activity, it can help them to determine the overall intent and subsequent actions. These will be covered in greater detail in subsequent chapters, including how these techniques are performed.

Weaponization

After sufficient time, when the collected information about the target nears completion, adversaries move into the weaponization phase. Weaponization may include preparing an exploit based on a vulnerability identified in the target’s environment. In other instances, an exploit is developed for a vulnerability, with attackers scanning the internet for anyone who appears vulnerable to deploy the payload to. This is opportunistic exploitation. The following are some preparation techniques used by adversaries as part of the weaponization process:

  • Gathering launchable exploits based on vulnerabilities discovered
  • Setting up Command and Control (C2) servers
  • Determining the best delivery method

Security defenders cannot detect weaponization until near the end of this stage, when the adversary contacts the target. However, this is an essential phase for defenders to be prepared for, by keeping their security controls hardened against these tactics, whether exploitation or the deployment of malware. By being vigilant and implementing best practices, security teams can be more resilient and mitigate attacks before they start. The following are some blue team techniques for countering the weaponization stage:

  • Following the latest malware trends, that is, phishing, ransomware, and so on
  • Building detection rules for known patterns of exploitation, such as scanning
  • Gathering intelligence about new campaigns, criminal groups, and targets
  • Gathering intelligence and joining groups that share information specific to your industry, such as finance, oil and gas, and so on

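The Reconnaissance section notes that an adversary must actively connect to discover exposed servers, open ports, and running services, and the list above calls for detection rules for known patterns such as scanning. The following script, an added example that is not from the book, shows what such a rule looks like in practice: it parses a constructed firewall log (the key=value format, addresses, and thresholds are all assumptions for illustration) and flags any source that touches many distinct ports on a host within a short window, while a normal client hitting a couple of ports stays below the threshold.

```python
"""Flag port-scan-style reconnaissance in firewall logs (constructed sample)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall log, one key=value record per line. The addresses
# are documentation ranges and the traffic is invented for this example.
# 198.51.100.7 sweeps twelve ports on 192.0.2.10 in a few seconds; 10.0.0.5 is
# an ordinary client using only HTTPS and HTTP.
SAMPLE_LOG = """\
2024-05-17T10:00:01Z src=198.51.100.7 dst=192.0.2.10 dport=21 action=deny
2024-05-17T10:00:01Z src=198.51.100.7 dst=192.0.2.10 dport=22 action=allow
2024-05-17T10:00:02Z src=198.51.100.7 dst=192.0.2.10 dport=23 action=deny
2024-05-17T10:00:02Z src=198.51.100.7 dst=192.0.2.10 dport=25 action=deny
2024-05-17T10:00:02Z src=10.0.0.5 dst=192.0.2.10 dport=443 action=allow
2024-05-17T10:00:03Z src=198.51.100.7 dst=192.0.2.10 dport=53 action=deny
2024-05-17T10:00:03Z src=198.51.100.7 dst=192.0.2.10 dport=80 action=allow
2024-05-17T10:00:03Z src=198.51.100.7 dst=192.0.2.10 dport=110 action=deny
2024-05-17T10:00:04Z src=198.51.100.7 dst=192.0.2.10 dport=135 action=deny
2024-05-17T10:00:04Z src=10.0.0.5 dst=192.0.2.10 dport=443 action=allow
2024-05-17T10:00:04Z src=198.51.100.7 dst=192.0.2.10 dport=139 action=deny
2024-05-17T10:00:05Z src=198.51.100.7 dst=192.0.2.10 dport=443 action=allow
2024-05-17T10:00:05Z src=198.51.100.7 dst=192.0.2.10 dport=445 action=deny
2024-05-17T10:00:06Z src=198.51.100.7 dst=192.0.2.10 dport=3389 action=deny
2024-05-17T10:00:07Z src=10.0.0.5 dst=192.0.2.10 dport=80 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Turn the key=value log text into a list of event dicts.

    Lines that do not match the expected format are skipped rather than
    crashing the detector, which is what you want on real, messy logs.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def detect_port_scans(events, window_seconds=60, threshold=10):
    """Return {src: summary} for sources whose count of distinct (dst, dport)
    pairs inside any sliding window of window_seconds reaches threshold.

    A scan is characterised by breadth (many distinct ports or hosts in a
    short time), not by volume, so repeated hits on the same port do not
    count. Denied connections are tallied because probes of closed ports are
    typically refused, which is useful context in the alert.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()  # events whose timestamp lies inside the current window
        peak = 0
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            distinct = len({(e["dst"], e["dport"]) for e in recent})
            peak = max(peak, distinct)
        if peak >= threshold:
            alerts[src] = {
                "distinct_targets": peak,
                "denied": sum(1 for e in evs if e["action"] == "deny"),
                "events": len(evs),
                "first_seen": evs[0]["ts"].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT possible port scan from {src}: {info}")
```

Tune `window_seconds` and `threshold` to the environment; a slow scan spread over hours will slip under a 60-second window, which is exactly why the text describes reconnaissance as hard to detect.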
Let’s learn about delivery next.

Delivery

At the completion of the weaponization stage, the attacker is ready for the delivery phase. They will launch their attack using the delivery method of choice and wait for the exploitation to take place. As noted in the previous stage, some common methods for launching an attack include the following:

  • Phishing emails
  • Watering hole or staging servers
  • Direct exploitation of exposed services such as web, email, DNS, and VPN

Depending on how the weaponization is performed, this may be the first opportunity for security defenders to detect, analyze, and block the delivery. Depending on the size of the organization, security individuals or teams need to monitor incoming and outgoing traffic and classify and analyze behavior. They also need to monitor public-facing servers and services to detect and block malicious activities.

Exploitation

Exploitation is the stage where the attacker attempts to gain access to the victim. For this to take place, the adversary needs to exploit a vulnerability; this could be a vulnerability on an internet-facing system, it could be through phishing, or it could even be through some sort of social engineering. The adversary already has spent time collecting information about the vulnerabilities, not only in systems but in people, during the reconnaissance phase. The following is a short list of some of the weaponization techniques an adversary can use to exploit a victim:

  • Using detected software or hardware vulnerabilities
  • Using exploit code opportunistically
  • Exploiting operating systems – especially Windows
  • Social engineering
  • Phishing, spear phishing, and whaling emails
  • Click-jacking and browser exploits

Traditional security measures help to counter the exploitation phase; however, attackers are aware of these techniques. This means defenders will also need to understand new tactics and techniques attackers are developing. The following are some key traditional measures for security defenders to be aware of and implement in some form:

  • User-awareness training
  • Phishing email exercises
  • Vulnerability scans and assessments
  • Penetration testing
  • Endpoint security and hardening
  • Secure coding if there is internal development
  • Network security and hardening

Installation

Once exploitation is successful, the attacker moves on to the installation phase. This is the time when the attacker entrenches themselves in the system and the organization. They do this by establishing persistence, installing backdoors or opening a connection from the victim to a C2 server. Once entrenchment is complete, the attacker begins the process of lateral movement and further installations. The following are some ways attackers maintain persistence:

  • Installation of web shells
  • Installation of backdoors
  • Adding auto-run keys to the registry
  • Autoruns
  • DLL path hijacking

Defenders use different security controls such as host-based intrusion detection systems (HIDS), endpoint detection and response (EDR), antivirus (AV) software, and even security information and event management (SIEM) platforms to detect and block the installation of backdoors. Security teams should monitor the following areas to detect installations:

  • Anything using the Administrator account
  • Applications using the Administrator account
  • Using EDR reports to correlate endpoint processes
  • The creation of suspicious files either by name or location
  • Registry changes
  • Auto-run keys
  • Security control changes
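The registry auto-run keys and suspicious file locations in the list above lend themselves to a simple baseline-and-diff check. The following is an added example, not code from the book: it compares two snapshots of the Windows Run keys and flags entries that were added or changed, marking for triage any command that launches from a user-writable location. The snapshots, the value names, and the "suspicious location" patterns are all constructed for the example; nothing here reads a live registry, so it runs anywhere.

```python
"""Added example (not from the book): diff two snapshots of the Windows
Run keys and flag new or changed autorun entries, highlighting commands
that launch from user-writable locations.  The snapshots below are
constructed dictionaries standing in for data an EDR or a script would
collect; nothing here reads the live registry."""
import re

# Autorun keys monitored in this example.
AUTORUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Locations a persistence payload is commonly dropped into (assumption for
# this example; tune to your environment).  Matched case-insensitively.
SUSPICIOUS_PATH_PATTERNS = (
    r"\\users\\[^\\]+\\appdata\\local\\temp\\",
    r"\\users\\public\\",
    r"\\programdata\\[^\\]+\.exe",
    r"\\windows\\temp\\",
)

# Constructed baseline taken when the host was known-good.
BASELINE = {
    AUTORUN_KEYS[0]: {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    },
    AUTORUN_KEYS[1]: {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
}

# Constructed later snapshot: one entry was modified and one was added.
CURRENT = {
    AUTORUN_KEYS[0]: {
        "SecurityHealth": r"C:\ProgramData\sh.exe",
    },
    AUTORUN_KEYS[1]: {
        "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
        "WindowsUpdateSvc": r"C:\Users\alice\AppData\Local\Temp\wupd.exe",
    },
}


def is_suspicious_location(command: str) -> bool:
    """True when the command path falls in a user-writable drop location."""
    lowered = command.lower()
    return any(re.search(pattern, lowered) for pattern in SUSPICIOUS_PATH_PATTERNS)


def diff_autoruns(baseline: dict, current: dict) -> list:
    """Return findings as (kind, key, value_name, command, suspicious) tuples.

    kind is "added", "changed" or "removed".  Removed entries are reported
    too, since an attacker may delete a security tool's autorun."""
    findings = []
    for key in AUTORUN_KEYS:
        old = baseline.get(key, {})
        new = current.get(key, {})
        for name, command in new.items():
            if name not in old:
                findings.append(("added", key, name, command, is_suspicious_location(command)))
            elif old[name] != command:
                findings.append(("changed", key, name, command, is_suspicious_location(command)))
        for name, command in old.items():
            if name not in new:
                findings.append(("removed", key, name, command, False))
    return findings


def format_report(findings: list) -> list:
    """Render findings as one line each, suspicious ones marked for triage."""
    lines = []
    for kind, key, name, command, suspicious in findings:
        flag = "[TRIAGE] " if suspicious else ""
        lines.append(f"{flag}{kind.upper()} {key}\\{name} -> {command}")
    return lines


if __name__ == "__main__":
    for line in format_report(diff_autoruns(BASELINE, CURRENT)):
        print(line)
```

In practice the baseline would be captured from a clean build image and the current snapshot pulled by your EDR or a scheduled collection job; the comparison logic stays the same, and the path patterns are the part you would tune.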

Now let’s dive in and explore command and control.

Command and control

In the C2 phase, the attacker establishes two-way communication between the compromised host and a server they control, from which they issue commands; this is known as a C2 server. The C2 server can be owned and managed by the adversary or rented from another group. It is set up to command the infected hosts, much like legitimate applications that use an agent on the endpoint to communicate with a central server. The following are some characteristics of C2 channels:

  • Two-way communication channel with a C2 server for check-in and commands
  • Beaconing to the C2 server, which can be detected at the perimeter and in network traffic
  • Most of the C2 communication is done through HTTP and DNS queries
  • Encoded commands are common

For defenders, this is the last chance in this kill chain to detect and block an attack by blocking C2 communications. If the C2 channel is blocked immediately, the attacker cannot issue commands and may think the exploit was not successful. The following are some defense techniques for security teams when it comes to C2 communications:

  • Collecting and blocking C2 IOCs via threat intelligence or malware analysis
  • Proxying HTTP and DNS communications and requiring authentication at the proxy
  • Setting up monitoring for network sessions
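Two of the detection points just listed, beaconing in network traffic and matching C2 IOCs from threat intelligence, can be exercised on a proxy log. The following is an added example, not the book's code: it parses constructed proxy log lines, groups sessions per client and destination, and flags pairs whose connections arrive at near-constant intervals (a timer-driven implant) while leaving irregular human browsing alone; it also looks up every destination against a small IOC list. The hostnames, addresses, log format and IOC entries are all constructed placeholders.

```python
"""Added example (not from the book): detect beaconing and known-bad
destinations in a proxy log.  Beaconing is found by grouping sessions per
(client, destination) and looking for many connections with near-constant
spacing; IOC hits are plain lookups against a threat-intelligence list.
The log lines, hostnames and addresses below are constructed."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client> <destination host> <bytes>".
SAMPLE_LOG = """\
2024-05-17T10:00:00 192.168.255.10 updates.example-vendor.test 1024
2024-05-17T10:00:05 192.168.255.2 a1b2.example-c2.test 312
2024-05-17T10:00:10 192.168.255.10 www.example-news.test 48210
2024-05-17T10:00:12 192.168.255.10 www.example-news.test 9931
2024-05-17T10:00:45 192.168.255.10 www.example-news.test 20077
2024-05-17T10:01:04 192.168.255.2 a1b2.example-c2.test 312
2024-05-17T10:02:06 192.168.255.2 a1b2.example-c2.test 318
2024-05-17T10:02:30 192.168.255.10 updates.example-vendor.test 1024
2024-05-17T10:03:05 192.168.255.2 a1b2.example-c2.test 312
2024-05-17T10:03:20 192.168.255.10 www.example-news.test 15500
2024-05-17T10:03:22 192.168.255.10 www.example-news.test 7023
2024-05-17T10:04:04 192.168.255.2 a1b2.example-c2.test 312
2024-05-17T10:04:40 192.168.255.3 badactor.example.test 2048
2024-05-17T10:05:06 192.168.255.2 a1b2.example-c2.test 4096
2024-05-17T10:07:15 192.168.255.10 updates.example-vendor.test 1024
2024-05-17T10:09:01 192.168.255.10 www.example-news.test 30111
"""

# Constructed threat-intelligence list of C2 hostnames (placeholder values).
C2_IOCS = {"badactor.example.test"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, client, host, bytes) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def detect_beacons(events, min_connections=5, max_jitter=0.1):
    """Return (client, host, count, mean_interval_s) for periodic pairs.

    A pair is periodic when it has at least min_connections sessions and
    the coefficient of variation (stdev / mean) of the gaps between them is
    at most max_jitter.  Human browsing produces bursty, irregular gaps and
    fails this test; a timer-driven implant passes it."""
    by_pair = defaultdict(list)
    for ts, client, host, _ in events:
        by_pair[(client, host)].append(ts)
    beacons = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, host, len(stamps), round(avg, 1)))
    return beacons


def match_iocs(events, iocs):
    """Return the set of (client, host) pairs that contacted a known IOC."""
    return {(client, host) for _, client, host, _ in events if host in iocs}


if __name__ == "__main__":
    events = list(parse_log(SAMPLE_LOG))
    for client, host, count, avg in detect_beacons(events):
        print(f"possible beacon: {client} -> {host} ({count} sessions, ~{avg}s apart)")
    for client, host in sorted(match_iocs(events, C2_IOCS)):
        print(f"IOC hit: {client} -> {host}")
```

The jitter threshold and minimum session count are the tuning knobs: implants that randomize their sleep interval raise the coefficient of variation, so on real traffic you would loosen `max_jitter`, extend the window to hours or days, and combine the periodicity score with request size uniformity (note the near-identical byte counts above) rather than relying on timing alone.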

Finally, we will discuss the actions-on-objectives phase of the kill chain.

Actions on objectives

At this stage, the adversary has achieved the entrenchment of a victim network with persistent access and communications with the C2 server. Now the attacker can begin to move on to their objectives. What the adversary will do next depends on their intent. The following are some possible intents the attacker may have for a compromised network:

  • The collection of credentials from infected machines
  • Privilege escalation
  • Lateral movement
  • Data exfiltration
  • Extortion/ransom

The defenders must detect the adversary as early as possible. Any delay in detection at this stage could have a severe impact. Security teams should be ready to respond at this stage to lower the impact. In many cases, this may have the same steps and procedures as outlined in a disaster recovery plan. The following are some preparations for security defenders:

  • Incident response playbooks and plans
  • Incident readiness testing through tabletop exercises, simulating reactions, and procedures
  • Incident escalation and communication, including points of contact

Now that we have looked at the cyber kill chain and what roles the attackers and defenders play, we will move on to understand a pentester and their role as it most closely resembles that of an attacker.

Ethical hacking and penetration testing

As has been pointed out earlier, ethical hacking is commonly associated with penetration testing or pentesting. So, let’s take a moment to talk about pentesting and the unique role that it plays in organizational security. Pentesting is when an individual or organization attempts to simulate a hostile attacker to test the overall security posture of the network and its staff. This legal form of hacking is commonly outsourced to a third-party company that specializes in this area. Before a pentest can take place, the team needs to get explicit permission to perform their operation, with clear definitions about what is in scope (covered under the project responsibilities or deliverables) and what is off-limits. An example of something in scope might be “ping sweep of the entire subnet to inventory responding devices,” while something out of scope might be “the capture and/or attempt to crack user passwords is prohibited.” This document, loosely referred to as the get out of jail free card, contains those definitions and is signed by both parties before proceeding. Once signed, violation of this agreement could land an individual, or even the whole group, in jail, so be aware of that.

Penetration tests can take many forms, but the two most common are black-box testing and white-box testing. Black-box testing is the testing of systems where no prior knowledge is provided. The testing is meant to resemble more closely what an attacker might see and the methods they would be most likely to choose. Some companies do not like this approach, as time is spent on research and they wish to get the most technical details as quickly as they can. This is where white-box testing comes in: advance knowledge of the system(s) is provided to help expedite tests and get the most technical detail.

Penetration tests are also commonly used as part of a larger set of security controls and audits, to confirm the overall effectiveness of the controls already in place.

When an organization decides to carry out a penetration test, there are certain questions that will need to be asked to establish goals. These might include the following:

  • Why are you doing a penetration test?
  • What is the goal of the organization from the test results?
  • What are the limits or rules of engagement?
  • What data and/or services will the test include?
  • Who are the data owners?
  • What will be done with the results?

There are many other areas that might need to be covered depending on the scope and depth of the penetration test. Also note that a penetration test is something to be considered after the basics have been implemented, such as firewalls, access controls, and account management; otherwise, the results of the test will gravitate to this lowest common denominator.

Now that we have discussed penetration testing, let’s look at some of the defensive techniques and technologies.

Defensive technologies

Defensive technologies include software and devices used to thwart attackers. Some of these technologies are passive, presenting detections and alerts that require intervention by an analyst. Other technologies are active, using workflows or rules to determine which actions to take and then taking them. Antivirus software is an example of an active technology that acts upon a detection and then processes a rule; in this case, the action would be either quarantine or delete. The following is a brief list of defensive technologies defenders can employ in the networks they are tasked to protect:

  • Firewalls: Often considered the first line of defense, firewalls, like other security technologies, have advanced over the years. They originally started as just smart routers with access control lists (ACLs) on them. Later, they developed the ability to track and maintain state. The latest iteration, the next-generation firewall, goes beyond the previous two generations and incorporates the ability to look at and understand application behavior and apply intrusion prevention.
  • Antivirus (AV) software: Just like firewalls, this was one of the first technologies developed to combat viruses. It, too, has gone through several enhancements over the years. In the beginning, antivirus was simply a set of signature-based rules; once a rule matched, the system was alerted and could even delete the malicious file(s) for you. As the industry matured, later generations began incorporating heuristic detection and the inspection of applications such as browsers, and merged with larger suites of products to perform multiple security operations. The latest generation has taken the previous lessons and not only applied them but added behavior detection for application and user interactions.
  • Intrusion detection system (IDS): Intrusion detection systems fall into two classifications. The first is the network intrusion detection system (NIDS). In this configuration, a device or system is put into place that monitors the network traffic and applies a set of detection rules. Some NIDSs can also interact with network traffic; when this option is implemented, it is referred to as an intrusion prevention system (IPS). The second type is the host intrusion detection system (HIDS), which, unlike a NIDS, operates at the file system level on the monitored machines. HIDS, just like NIDS, have their limitations in that they only really look at one, or possibly two, elements of activity during transactions between machines. They are still widely implemented; however, other superior technologies such as next-gen firewalls and EDR systems have largely supplanted this category of security systems.
  • Endpoint detection and response (EDR): EDR systems are some of the latest security tools to be introduced to enterprise security. This technology exists at the endpoint, be it a server or a workstation, as an installed agent. This agent collects and reports to a central repository where data is recorded and processed, applying and creating behavior profiles for applications and users alike. This can then be used to discover malicious behavior through alerts or hunting.
  • Security information and event management (SIEM): SIEM can be described as the go-between for network detection and EDR systems. What SIEMs do is collect data from across the network, including logs, telemetry, and device information, to give a more holistic view of the enterprise. One example of the insight a SIEM brings would be if an attacker has gained access to a network and begins downloading tools and performing malicious activities. These activities would be detected by the SIEM based on rules and behaviors, leading to an alert to the appropriate security staff.
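The firewall entry above describes the jump from ACL-based filtering to state tracking. The following added example, which is not the book's code, makes that difference concrete: a stateless ACL evaluator that uses the classic "allow inbound if ACK is set" rule to approximate established connections, beside a stateful evaluator that records outbound connections and admits only matching replies. The packet sequence, ports and addresses are constructed (documentation and lab ranges); the point is to watch the third packet, an unsolicited inbound packet with ACK set, slip past the ACL and be dropped by the stateful firewall.

```python
"""Added example (not from the book): the difference between a stateless
ACL and stateful connection tracking, shown on a constructed packet
sequence.  Addresses are documentation/lab ranges chosen for the example."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.168.255.0/24")  # the lab subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool


def is_internal(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INTERNAL_NET


def stateless_acl(packets):
    """First-generation ACL: allow anything leaving the internal network,
    and allow inbound packets with ACK set on the assumption that they are
    replies to an existing connection ("established").  The ACL cannot
    verify that assumption."""
    decisions = []
    for p in packets:
        if is_internal(p.src) and not is_internal(p.dst):
            decisions.append(True)
        elif not is_internal(p.src) and p.ack:
            decisions.append(True)
        else:
            decisions.append(False)
    return decisions


def stateful_firewall(packets):
    """Second-generation firewall: record connections initiated from inside
    and admit inbound packets only when they match a recorded connection."""
    table = set()
    decisions = []
    for p in packets:
        if is_internal(p.src) and not is_internal(p.dst):
            if p.syn and not p.ack:
                table.add((p.src, p.sport, p.dst, p.dport))
            decisions.append(True)
        elif (p.dst, p.dport, p.src, p.sport) in table:
            decisions.append(True)
        else:
            decisions.append(False)
    return decisions


# Constructed sequence: a legitimate outbound HTTPS handshake, then an
# unsolicited ACK-only packet and a plain SYN from an external host.
TRAFFIC = [
    Packet("192.168.255.10", 40000, "203.0.113.5", 443, syn=True, ack=False),
    Packet("203.0.113.5", 443, "192.168.255.10", 40000, syn=True, ack=True),
    Packet("198.51.100.7", 1234, "192.168.255.2", 445, syn=False, ack=True),
    Packet("198.51.100.7", 5555, "192.168.255.2", 445, syn=True, ack=False),
]


if __name__ == "__main__":
    for p, s, f in zip(TRAFFIC, stateless_acl(TRAFFIC), stateful_firewall(TRAFFIC)):
        verdict = lambda ok: "allow" if ok else "deny"
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={verdict(s)}  stateful={verdict(f)}")
```

A next-generation firewall layers application awareness and intrusion prevention on top of the stateful table shown here; the table itself is what lets it refuse traffic that merely looks like a reply.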

Now, to begin your journey into ethical hacking, let’s start by creating a lab environment in which we can test and explore.

Lab – setting up the testing lab

The lab environment will be an integral part of your journey into ethical hacking. Here, we will install test machines, test out code and exploits, and see how to detect them in the chapters to come.

Setting up VirtualBox

The first step to setting up the lab environment is to install virtualization software, allowing us to run multiple systems on one machine without having to purchase a lot of hardware and software. We will use VirtualBox as our virtual machine manager; however, if you prefer to use VMware or Hyper-V, they should work just as effectively with some adjustments:

  1. Go to https://www.virtualbox.org/. At the time of writing, VirtualBox was at version 7.0.10.
  2. Select the downloads link or find the downloads page and download the platform package appropriate for your operating system. In addition to the core package, you will need the extension package, which provides additional functionality.
  3. Install VirtualBox, accepting all the defaults, followed by the extension pack. Once complete, launch VirtualBox and you should be greeted with a screen similar to the one in the following figure:
Figure 1.3 – VirtualBox setup complete

This will complete the installation of VirtualBox. Next, we will set up our virtual attack machine using Kali Linux.

Setting up Kali Linux

Kali Linux is a penetration-testing distribution that ships with many attack tools, and a prebuilt virtual machine image of it will serve as the attack machine in the lab. You will need to take the following steps:

  1. Go to https://www.kali.org/ and select Downloads. Find the VirtualBox VM and download it. The file downloaded will be something like kali-linux-<number>-virtualbox-amd64.ova. The file is large and will take some time to download.
  2. Once the download is complete, open VirtualBox, select Import, and navigate to the downloaded file. Use the defaults and begin the import. When it finishes, VirtualBox will show the new machine:
Figure 1.4 – VirtualBox showing Kali installed

By default, the Kali virtual machine's network adapter will be in NAT mode. To perform the required operations, the adapter needs to be switched to bridged mode and given a static address.

  3. Click Settings in VirtualBox Manager, select Network, and from the Attached to: drop-down menu, select Bridged Adapter and select OK:
Figure 1.5 – VirtualBox adapter settings

  4. Next, the actual adapter address needs to be configured. Boot your Kali Linux instance and log in. The default credentials are kali/kali.
  5. To set the network configuration to be used, click the Kali icon in the upper-left corner and select Settings | Advanced Network Configuration. From here, select your connection, probably Wired connection 1, and click the small cog icon at the bottom that says Edit the Selected Connection. A new window will be presented. Click the tab that says IPv4 Settings and change the method from DHCP to Manual.
  6. Next, you will need to add an address. Select the Add button and enter the following elements:
    • Address: 192.168.255.10
    • Netmask: 24
    • Gateway: 192.168.255.1

Now that our attack machine is set up, we can set up our victim machines. A company called Rapid7 provides two vulnerable machines (Metasploitable3) for testing free of charge: one Windows and one Linux. We will use the following instructions to download and install them automatically.

Setting up vulnerable hosts

In this section, we will set up virtual machines that will contain known vulnerabilities. These machines are the ones you will be attacking in future labs as we learn about attacks, attackers’ methods, and how to defend against them:

  1. Download and install Vagrant on your machine. Vagrant is an open source tool used to automate the installation of virtual machines. Vagrant can be downloaded from https://www.vagrantup.com/downloads.

    Once Vagrant is installed, run the following command:

    vagrant plugin install vagrant-reload

    This will install the vagrant-reload plugin and support the reloading of the virtual machines should there be an error during installation.

  2. Once complete, you are ready to download and install the test virtual machines:
    • If your host machine is Linux, please run the following commands:
      mkdir metasploitable3-workspace
      cd metasploitable3-workspace
      curl -O https://raw.githubusercontent.com/rapid7/metasploitable3/master/Vagrantfile && vagrant up
    • If your host machine is Windows, please run the following commands:
      mkdir metasploitable3-workspace
      cd metasploitable3-workspace
      Invoke-WebRequest -Uri "https://raw.githubusercontent.com/rapid7/metasploitable3/master/Vagrantfile" -OutFile "Vagrantfile"
  3. These commands will download a Vagrantfile, which you need to open with a text editor and add the following line:
    config.vm.provision :reload

    It should resemble the following when completed:

    Vagrant.configure("2") do |config|
      config.vm.provision :reload
      config.vm.synced_folder
      # ... the remainder of the downloaded Vagrantfile stays unchanged ...
    end
  4. Run the next command to start the process:
    vagrant up

Once this has been completed, you will have two more virtual machines installed and your VirtualBox main screen should look similar to that shown in Figure 1.6. However, even though the machines are set up, we still need to configure them to participate in our lab.

Configuring the vulnerable Windows host

Configuring the Windows system requires changes in two separate areas. The first one is the virtual machine settings in VirtualBox. The second is the network configuration inside the virtual machine. These steps are outlined as follows:

  1. After the Windows machine is installed, open the settings, and modify the network settings to Bridged Adapter, just as was done with the Kali installation. It will look something like this:
Figure 1.6 – Setting Network Adapter Settings

  2. Boot the machine and log in with the vagrant account and the vagrant password.
  3. Navigate to the control panel and then to Network and Sharing Center | Change adapter settings.
  4. Find the network adapter, right-click on it, and select Properties.
  5. Navigate to Internet Protocol Version 4 (TCP/IPv4) | Properties.
  6. Select the radio button labeled Use the following IP address and enter the following values:
    • IP address: 192.168.255.2
    • Subnet mask: 255.255.255.0
    • Default gateway: 192.168.255.1
  7. Leave the other section alone. Select OK and then close any open windows.

This will complete the lab setup of the Windows vulnerable host.

Setting up the vulnerable Linux host

Just like the Windows system, the Linux machine requires changes in two separate areas. The first one is the virtual machine settings in VirtualBox. The second is the network configuration inside the virtual machine. These steps are outlined here:

  1. After the Linux machine is installed, open the settings, and modify the network settings to Bridged Adapter, just as was done with the Kali installation.
  2. Boot the machine and log in with the vagrant account and the vagrant password.
  3. This machine only has command-line access, so the network settings are changed from the console. To do this, run the following commands:
    cd /etc/network
    sudo vi interfaces
  4. Press the i key, for insert. You should see -- INSERT -- at the bottom of the screen.
  5. Use the arrow keys to move down and change the section to look like the following:
    # The primary network interface
    auto eth0
    iface eth0 inet static
    address 192.168.255.3
    netmask 255.255.255.0
    gateway 192.168.255.1
    dns-nameservers 192.168.255.1 192.168.255.2
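Before booting the three machines against each other, it is worth checking that the addresses entered in the Kali, Windows and Linux steps actually form one subnet with a reachable gateway. The following is an added example, not part of the book: it parses the static stanza of an /etc/network/interfaces file, then verifies the netmask, gateway and nameserver entries and confirms the other lab hosts sit on the same network. The file contents are constructed to match the chapter's addresses, and a second, deliberately broken stanza (gateway on the wrong subnet, nameservers separated by commas, which ifupdown treats as part of the token) shows what the checker reports.

```python
"""Added example (not from the book): parse the static stanza from an
/etc/network/interfaces file and check that the whole lab sits on one
subnet with a reachable gateway.  The file contents below are constructed
to match the lab addresses used in this chapter."""
import ipaddress

# The stanza the chapter asks you to write for the Linux host.
INTERFACES_TEXT = """\
# The primary network interface
auto eth0
iface eth0 inet static
address 192.168.255.3
netmask 255.255.255.0
gateway 192.168.255.1
dns-nameservers 192.168.255.1 192.168.255.2
"""

# A deliberately broken variant: gateway off-subnet and comma-separated
# nameservers, which ifupdown/resolvconf treat as one malformed token.
BROKEN_TEXT = """\
auto eth0
iface eth0 inet static
address 192.168.255.3
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.255.1, 192.168.255.2
"""

# The other lab hosts configured in this chapter.
LAB_HOSTS = {"kali": "192.168.255.10", "windows": "192.168.255.2"}

STATIC_KEYS = {"address", "netmask", "gateway", "dns-nameservers"}


def parse_static_stanza(text: str, iface: str = "eth0") -> dict:
    """Return option -> token list for the given interface's static stanza."""
    stanza, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "iface":
            is_static = len(parts) >= 4 and parts[2:4] == ["inet", "static"]
            current = parts[1] if is_static else None
        elif parts[0] in ("auto", "allow-hotplug"):
            continue
        elif current == iface and parts[0] in STATIC_KEYS:
            stanza[parts[0]] = parts[1:]  # dns-nameservers may carry several
    return stanza


def check_lab_config(stanza: dict, other_hosts: dict) -> list:
    """Return a list of problems; an empty list means the config is consistent."""
    problems = [f"missing {k}" for k in ("address", "netmask", "gateway") if k not in stanza]
    if problems:
        return problems
    try:
        local = ipaddress.ip_interface(f"{stanza['address'][0]}/{stanza['netmask'][0]}")
    except ValueError as exc:
        return [f"bad address/netmask: {exc}"]
    net = local.network
    try:
        gw = ipaddress.ip_address(stanza["gateway"][0])
        if gw not in net:
            problems.append(f"gateway {gw} is not inside {net}")
    except ValueError:
        problems.append(f"gateway {stanza['gateway'][0]} is not a valid address")
    for token in stanza.get("dns-nameservers", []):
        try:
            ipaddress.ip_address(token)
        except ValueError:
            problems.append(f"dns-nameservers entry {token!r} is not a valid address (separate with spaces)")
    seen = {local.ip}
    for name, addr in other_hosts.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            problems.append(f"{name} at {ip} is outside {net}")
        if ip in seen:
            problems.append(f"{name} at {ip} duplicates another lab address")
        seen.add(ip)
    return problems


if __name__ == "__main__":
    for label, text in (("chapter config", INTERFACES_TEXT), ("broken config", BROKEN_TEXT)):
        problems = check_lab_config(parse_static_stanza(text), LAB_HOSTS)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the stanza you actually typed (read the file instead of the constructed string) before moving on; a gateway outside the /24 or a duplicated address is far easier to catch here than after three machines fail to see each other.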

This will complete the lab setup for the vulnerable Linux host.

Final checks

Once all the machines are set up, the lab will be complete and ready for testing. The VirtualBox interface should look like the following, showing all three machines set up:

Figure 1.7 – VirtualBox main screen

The following diagram outlines what the virtual network looks like when all the configuration and setup is complete:

Figure 1.8 – Virtual lab network

With the configurations in place, an isolated virtual lab has been created inside your network. The virtual lab will allow the testing and execution of the lab exercises without damaging or intruding on your host machine or network.

Summary

This chapter addressed what ethical hacking is and what roles it plays in enterprise security. Ethical hackers are individuals who possess training and skills as hackers; however, ethical hackers use their skills to improve the overall security of the organizations that engage them. Unlike black hat hackers, ethical hackers are professionals who work within a set of rules that define engagement. These rules are never exceeded because anything outside of those rules could result in the operator facing legal consequences.

Conversely, hackers do not follow any rules or have the same ethical boundaries. As such, the results that hackers can achieve are limited only by the means, motives, and opportunities available.

This chapter also discussed the anatomy of an attack, the cyber kill chain, and the phases of an attack, including reconnaissance, exploitation, and command and control. Finally, we closed the chapter by looking at defensive technologies such as firewalls, antivirus software, and EDR solutions.

In the next chapter, we will start our journey into ethical hacking with our first stop, footprinting and reconnaissance, where we will learn about the techniques used by attackers to gather information about their targets.

Assessment

  1. Hackers who use their skills with malicious intent are known as:

    A. Ethical hackers

    B. White hat hackers

    C. Hardware hackers

    D. Black hat hackers

  2. The second stage of the cyber kill chain is:

    A. Command and control

    B. Reconnaissance

    C. Weaponization

    D. Delivery

  3. One of the things that separates black hat from white hat hackers is:

    A. Tools

    B. Procedures

    C. Techniques

    D. Ethics

  4. In the field of information security, CIA stands for:

    A. Coverage, Information, Applications

    B. Confidentiality, Integrity, Availability

    C. Confidentiality, Intelligence, Archiving

    D. Coverage, Integrity, Authentication

  5. The team that encompasses both offensive and defensive techniques bridging the gaps between these skills is called the ______ team:

    A. Gray Hats

    B. Purple team

    C. Red team

    D. Blue team

  6. Which of the following is not an area of attack?

    A. Memory

    B. Host

    C. Application

    D. Network

  7. The one group that does not have a clear definition of where they operate in the security ecosystem is:

    A. Black hats

    B. Gray hats

    C. White hats

    D. Blue hats

  8. Which type of attack targets user tokens?

    A. SQL injection

    B. Watering hole

    C. Man-in-the-middle

    D. Kerberoasting

  9. What is not an area to look at when doing reconnaissance?

    A. Company website

    B. Watering hole

    C. Social networks

    D. Job board or listings

  10. Before a pentest can take place, one of the documents needed is:

    A. Network diagram

    B. Company organization chart

    C. Company 10-K

    D. Get out of jail free card

Answers

  1. D
  2. C
  3. D
  4. B
  5. B
  6. A
  7. B
  8. D
  9. B
  10. D