I have always been a huge fan of movies, and one of my favorite genres growing up was ’80s and ’90s action films. From a young age, I was introduced to movies like The Matrix, Hackers, and War Games. This is what first piqued my interest in computer science and more specifically hacking. Since I didn’t see hacking as a viable career path, I chose to go down the former.
As an accelerator, I have had the unique opportunity to pursue this interest as part of an OKR project in the form of a Udemy course on Ethical Hacking.
In this two-part series, I’ll share some of the more interesting things I’ve learned about ethical hacking throughout the course. Part one will focus on what ethical hacking is and take a dive into phases 1 and 2 of one of the main strategies ethical hackers use, penetration testing. In part two, we’ll look into phases 3 and 4 of penetration testing and the next steps you could take to further your knowledge of ethical hacking.
What is ethical hacking?
First things first, what is ethical hacking? Ethical hacking means finding vulnerabilities within a system, application, or organizational structure, and identifying potential data breaches or threats within a network, with the aim of improving the security of those systems. Ethical hackers are hired to hack into a network or device, with the owner’s explicit permission and within an agreed scope, in order to find as many vulnerabilities as possible and then help secure the systems. That permission is what separates ethical hacking from the malicious kind: the techniques are the same, the authorization and the reporting are not.
So what does it mean to “find vulnerabilities within a system”? And what exactly is a system? A system can be a network of multiple computers or just one single computer. It can be a company server where important data is stored, or it could be a website. A vulnerability is a weakness that could allow someone to gain unauthorized access to that system, or to the data and functions it protects.
There are many types of vulnerabilities, such as weak authentication, broken authorization, or poorly applied encryption. Unvalidated input opens the door to injection attacks such as SQL injection, and weak wireless encryption makes Wi-Fi cracking possible. Even employees can be a vulnerability, through phishing or other social engineering. Malicious hackers exploit these vulnerabilities to gain access to a system.
Phase One – Information Gathering
One of the main strategies ethical hackers use is penetration testing, also known as pentesting. There are four main phases to pentesting: information gathering, scanning, gaining access, and post-exploitation.
As the name suggests, information gathering means collecting as much data about the target as possible. There are two methods: active and passive. Active information gathering involves directly interacting with the target, which could be a website, a network, or a company; browsing its website or connecting to its servers are active steps. Your traffic reaches the target’s systems, so it can be logged and noticed. With passive information gathering there is a middle man: the information does not come from the target itself but from a third-party source that already holds it, such as a search engine, a WHOIS database, or an archived copy of a website, so the target sees nothing.
So what exactly is the goal of information gathering? Many valuable pieces of data can be gathered this way: the target’s IP addresses and address ranges, the technologies it uses, the number of networks a company has, the software and operating systems it runs, employee names and email addresses, and much more. If the target is a website, you can find out how it is built and what programming languages were used, often from nothing more than its HTTP response headers and HTML. It only takes one outdated or otherwise vulnerable piece of software on one machine to gain a foothold.
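As an added illustration of the web-technology side of this (my own example, not code from the course or the original post), here is the kind of fingerprinting that tools such as Whatweb automate: a single HTTP response from the target is parsed for the Server and X-Powered-By headers, session cookie names, the HTML generator tag, and versioned JavaScript file names. The HTTP response below is constructed, and the cookie-name table is a small hand-picked subset of what a real tool carries. Fetching the page is the only active step; everything after that is parsing.

```python
import re

# Session-cookie names that give away the server-side platform
# (hand-picked subset; real fingerprinting tools carry thousands of such rules).
COOKIE_HINTS = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java servlet container",
    "ASP.NET_SessionId": "ASP.NET",
    "laravel_session": "Laravel (PHP)",
    "csrftoken": "Django (Python)",
}

# <meta name="generator" content="WordPress 5.8" />
GENERATOR_RE = re.compile(rb'<meta\s+name="generator"\s+content="([^"]+)"', re.I)
# script file names of the form name-1.2.3.min.js or name.1.2.3.js
VERSIONED_JS_RE = re.compile(rb'src="[^"]*?([A-Za-z.-]+?)[-.](\d+(?:\.\d+)+)(?:\.min)?\.js"')


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(name, value), ...], body).
    Header names are lower-cased; values keep their original case."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.decode("latin-1").strip().lower(),
                        value.decode("latin-1").strip()))
    return lines[0].decode("latin-1"), headers, body


def fingerprint(raw):
    """Return a dict of technology clues found in one HTTP response."""
    _, headers, body = parse_response(raw)
    clues = {}
    for name, value in headers:
        if name == "server":
            clues["server"] = value                    # e.g. Apache/2.4.41 (Ubuntu)
        elif name == "x-powered-by":
            clues["powered_by"] = value                # e.g. PHP/7.4.3
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            if cookie in COOKIE_HINTS:
                clues.setdefault("platform_from_cookies", []).append(
                    f"{cookie} -> {COOKIE_HINTS[cookie]}")
    generator = GENERATOR_RE.search(body)
    if generator:
        clues["cms"] = generator.group(1).decode("latin-1")
    elif b"/wp-content/" in body or b"/wp-includes/" in body:
        clues["cms"] = "WordPress (version not advertised)"
    for lib, version in VERSIONED_JS_RE.findall(body):
        clues.setdefault("js_libraries", []).append(f"{lib.decode()} {version.decode()}")
    return clues


# Constructed sample response: what a fetch of a target's front page might return.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><head>\r\n"
    b'<meta name="generator" content="WordPress 5.8" />\r\n'
    b'<script src="/wp-includes/js/jquery/jquery-3.5.1.min.js"></script>\r\n'
    b'<script src="/static/app.js"></script>\r\n'
    b"</head><body>...</body></html>\r\n"
)

if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key:>22}: {value}")
```

Every clue here is something the target volunteers. From the defender’s side, the same parser doubles as a checklist: strip the Server version, drop X-Powered-By, remove the generator tag, and the attacker has to work harder for the same information.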
Phase Two – Scanning
While information gathering is largely about the organization and the people behind the target, scanning focuses on the technology: it probes the target’s hosts directly to find which are live, which ports are open, and which services and versions are running, which is what tells you where a system is vulnerable and how you might take advantage of it. There are many types of scanning.
There’s network scanning, which identifies vulnerable systems within a wired or wireless network. The goal of this type of scan is to find out how many hosts are active and what their IP addresses are. Nmap is the network mapper most ethical hackers reach for: an open-source tool for network discovery and security auditing (nmap -sn, for example, performs host discovery without port scanning, and nmap -sV adds service and version detection to a port scan).
Next, we have host-based scanning, which looks for vulnerabilities in a single host’s open ports, configuration, and server software. The idea is to find open ports on the target system, then identify what software is listening on each one, including its version, so that known vulnerabilities for that version can be looked up. Wireless scans help you identify threats within a wireless network. Application scans test web portals and mobile apps. These are just a few of the possible types of scans.
A Simple Port Scanner
Let’s create a simple port scanner using Python.
First, we need to import the socket library:
import socket
Next, we can create a function that takes in the IP address we want to scan and the port to scan. It creates a TCP socket and attempts a full connection to that port on the target (a “connect scan”, the same thing Nmap’s -sT does). If the connection succeeds, the port is open, so we print it; the with block closes the socket for us. Two details matter in practice: a timeout, because a filtered port silently drops the connection attempt and connect() would otherwise block for a long time, and catching only socket errors (OSError) rather than every exception, so that a bug in the code or a Ctrl-C isn’t silently swallowed.
def scan_port(ipaddress, port, timeout=1.0):
    # Connect scan: a completed TCP handshake means the port is open.
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)  # don't hang on filtered ports
            sock.connect((ipaddress, port))
            print("[+] Port Opened " + str(port))
    except OSError:
        # Refused (closed) or timed out (filtered): nothing to report.
        pass
So, the above code scans a single port. To scan multiple ports, we can create another function that takes in the target IP address and the number of ports to scan. For each port from 1 up to and including that number (range() stops one short of its end value, hence the + 1), we call scan_port, the first function we created. A print statement before the loop tells us which target is currently being scanned.
def scan(target, ports):
    print('\n' + ' Starting Scan For ' + str(target))
    for port in range(1, ports + 1):
        scan_port(target, port)
Finally, we add some prompts to get the IP addresses and the number of ports from the user. The user separates multiple targets with commas; targets.split(',') then gives us one address per element (a one-element list if only a single address was entered), and we scan them one at a time.
if __name__ == "__main__":
    targets = input("[*] Enter Targets to Scan(split them with ,): ")
    ports = int(input("[*] Enter How Many Ports You Want to Scan: "))
    if ',' in targets:
        print("[*] Scanning Multiple Targets")
    for ip_addr in targets.split(','):
        scan(ip_addr.strip(), ports)
And that’s our port scanner! One caveat before pointing it at anything: only scan hosts you own or have written permission to test. Even a simple connect scan shows up in the target’s logs, and against systems you are not authorized to test it can be treated as an attack.
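The scanner above only reports that a port accepted a connection. The next thing a tester wants is what the scanning section described: the service and version behind each open port, which is what Nmap’s -sV does. Here is an added example (my own, not code from the course or the original post) that scans ports concurrently, grabs whatever banner the service sends first, and guesses the service from it. So that it runs offline, it also starts a throwaway banner server on 127.0.0.1; the banner text, the small banner-to-service table, and the function names are all my own choices.

```python
import socket
import socketserver
import threading
from concurrent.futures import ThreadPoolExecutor

# Hand-picked banner prefixes -> service name (constructed, not exhaustive).
BANNER_HINTS = [
    (b"SSH-", "ssh"),
    (b"220 ", "smtp/ftp"),   # both greet with "220 <hostname> ..."
    (b"HTTP/", "http"),
    (b"+OK", "pop3"),
    (b"* OK", "imap"),
]


def guess_service(banner):
    """Map the first bytes a service sends to a service name, or 'unknown'."""
    for prefix, name in BANNER_HINTS:
        if banner.startswith(prefix):
            return name
    return "unknown"


def probe_port(host, port, timeout=1.0):
    """Connect scan of one port. Returns (port, banner) if the port is open,
    where banner is whatever the service sent first (b"" if it stayed
    silent), or None if the port is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(1024)
            except socket.timeout:
                banner = b""       # open, but the service waits for the client to speak
            return port, banner
    except OSError:
        return None                # refused, unreachable, or timed out


def scan_ports(host, ports, timeout=1.0, workers=50):
    """Probe many ports concurrently; return {port: banner} for the open ones."""
    open_ports = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for result in pool.map(lambda p: probe_port(host, p, timeout), ports):
            if result is not None:
                port, banner = result
                open_ports[port] = banner
    return open_ports


# --- a throwaway service to scan, so the example runs offline ---------------

class _BannerHandler(socketserver.BaseRequestHandler):
    banner = b""

    def handle(self):
        self.request.sendall(self.banner)   # greet and hang up, like a chatty daemon


def start_banner_server(banner, host="127.0.0.1"):
    """Listen on an OS-chosen port and send `banner` to every client.
    Returns (server, port); call server.shutdown(); server.server_close() to stop."""
    handler = type("BannerHandler", (_BannerHandler,), {"banner": banner})
    server = socketserver.TCPServer((host, 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_closed_port(host="127.0.0.1"):
    """Ask the OS for a free port and release it: a port that is almost certainly closed."""
    with socket.socket() as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    server, open_port = start_banner_server(b"SSH-2.0-OpenSSH_9.6\r\n")
    closed_port = free_closed_port()
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
        for port, banner in sorted(found.items()):
            print(f"[+] {port}/tcp open  {guess_service(banner):<8} {banner!r}")
    finally:
        server.shutdown()
        server.server_close()
```

The thread pool is what makes a full 1-65535 sweep practical: with a one-second timeout, scanning filtered ports one at a time would take most of a day, while fifty workers bring it down to minutes. Banner grabbing only works for services that speak first (SSH, SMTP, FTP); for HTTP and many others the client must send a request before anything comes back, which is why Nmap carries a library of probes rather than just listening.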
More Resources for Ethical Hacking
This just scratches the surface of pentesting. I didn’t get to touch on the many tools used in information gathering, but I’ll list them here in case anyone is interested. Whois queries the registration records of a domain or IP block: the registrant’s name, contact details and physical address, plus name servers and registration dates. Whatweb identifies web technologies such as CMS, JavaScript libraries, web servers, and embedded devices, along with version numbers, email addresses, and web framework modules. To gather email addresses there are tools like theHarvester or Hunter.io, and Sherlock checks whether a given username exists across a long list of social networks. Kali Linux comes preinstalled with many of these tools and more.
All those Hollywood hacking scenes may have inspired my interest in hacking, but as an adult now working as a software developer, I think it’s important to keep these concepts and strategies in mind when creating software. Learning the tricks of the trade and putting yourself in the hacker mindset at the very least encourages some creative thinking. It may also help you anticipate future security threats. In the next article, we will explore phase 3: exploitation/gaining access, and phase 4: post exploitation/covering your tracks and other resources to expand your knowledge on ethical hacking.