Location
The tests you’re performing dictate where you must run them from. Your goal
is to hack your systems from locations where malicious hackers can access
the systems. You can’t predict whether you’ll be attacked by a hacker from
outside or inside your network, so cover all your bases. Combine external
(public Internet) tests and internal (private network) tests.
You can perform some tests, such as password cracking and network-infrastructure
assessments, from the comfort of your office — inside the network.
But it may be better to have a true outsider perform other tests on routers,
firewalls, and public Web applications.
For your external hacks that require network connectivity, you may have to
go off-site (a good excuse to work from home) or use an external proxy server.
Better yet, if you can assign an available public IP address to your computer,
plug into the network on the outside of the firewall for a hacker’s-eye view of
your systems. Internal tests are easy because you need only physical access
to the building and the network.
Reacting to major exploits that you find
Determine ahead of time whether you’ll stop or keep going when you find a
critical security hole. Your manager or your customer may not ask you to,
but I think it’s best to keep going to see what else you can discover. I’m not
saying to keep hacking until the end of time or until you crash all your systems.
Simply pursue the path you’re going down until you can’t hack it any
longer (pun intended).
Silly assumptions
You’ve heard what you make of yourself when you assume things. Even so,
you must make assumptions when you hack your systems. Here are some
examples of those assumptions:
Computers, networks, and people are available when you’re testing.
You have all the proper hacking tools.
The hacking tools you’re using won’t crash your systems.
Your hacking tools actually work.
You know all the risks of your tests.
You should document all assumptions and have management or your customer
sign off on them as part of your overall approval process.
36 Part I: Building the Foundation for Ethical Hacking
Selecting Tools
The required security-assessment tools (hacking tools) depend on the tests
you’re running. You can perform some ethical hacking tests with a pair of
sneakers, a telephone, and a basic workstation on the network. However,
comprehensive testing is easier with hacking tools.
Not only do you need an arsenal of tools, but you should also use the right
tool for the task:
If you’re cracking passwords, a general port scanner such as SuperScan
or Nmap may not do the trick. For this task, you need a tool such as LC4,
John the Ripper, or pwdump.
If you’re attempting an in-depth analysis of a Web application, a Web-application
assessment tool (such as Nikto or WebInspect) is more
appropriate than a network analyzer such as Ethereal.
If you’re not sure what tools to use, fear not. Throughout this book, I introduce
a wide variety of tools — both free and commercial — that you can use
to accomplish your tasks.
You can choose among hundreds, if not thousands, of tools for ethical
hacking — everything from your own words and actions to software-based
vulnerability-assessment programs to hardware-based network analyzers.
Here’s a rundown of some of my favorite commercial, freeware, and open-source
security tools:
@stake L0phtcrack (now called LC4)
Ethereal
Foundstone SuperScan
Qualys QualysGuard
GFI LANguard Network Security Scanner
John the Ripper
Network Stumbler
Nessus
Nikto
Nmap
Pwdump2
SPI Dynamics WebInspect
THC-RUT
ToneLoc
live forex charts
Thursday, November 13, 2008
Specific tests
You may have been charged with performing a general penetration test, or you
may want to perform specific tests, such as cracking passwords or war-dialing
into a network. Or you might be performing a social-engineering test or assessing
the Windows operating systems on the network. However you’re testing,
you may want to conceal the specifics of the testing to keep what you’re doing
covert or to protect your methodologies. In fact, your manager or customer
may not want the details. Either way, document and make known at a high level
what you’re doing. This can help eliminate any potential miscommunication
and keep you out of hot water.
A good way to provide evidence of what was tested, when it was tested, and
more is to enable logging on the systems you’re testing.
Sometimes, you may know the general tests that you’re performing, but if you’re
using automated tools, it may be next to impossible to understand completely
every test you’re performing. This is especially true if the software you’re using
receives real-time vulnerability-testing updates from the vendor every time you
run it. The potential for frequent updates underscores the importance of reading
the documentation and readme files that come with the tools you’re using.
I have experienced surprising vulnerability updates in the past. I was performing
an automated assessment on a customer’s Web site — the same test I had
just performed the previous week. The customer and I had scheduled the test
date and time in advance. What I didn’t know is that the software vendor made
some changes to its Web form submission tests, and I flooded the customer’s
Web application, creating a DoS condition.
Luckily, this DoS condition occurred after business hours and didn’t affect
the customer’s operations. However, the customer’s Web application was
coded to generate an alert e-mail for every form submission. The application
developer and company’s president received 4,000 e-mails in their inboxes
within about 10 minutes — ouch! I was lucky that the president was tech-savvy
and understood the situation. It’s important to have a contingency plan
in case a situation like this occurs.
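The alert storm in the story above, as an added example that is not code from the book or from the customer’s application: the same submission stream grouped into ten-minute digests, so a testing tool’s burst costs the on-call person one flagged message instead of thousands of e-mails. The log lines, addresses, window size and threshold are constructed for illustration.

```python
"""Coalesce per-event alert e-mails into rate-limited digests.

Added example, not code from the book: the application in the story
above mailed one alert per form submission, so an automated assessment
became 4,000 e-mails in about ten minutes. Here the same submissions are
grouped into fixed windows and one digest is produced per window, with
windows whose volume exceeds a threshold flagged as a suspected flood.
All names, thresholds and log lines are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Digest:
    """Everything the on-call person needs about one window of submissions."""
    window_start: datetime
    count: int = 0
    by_source: Counter = field(default_factory=Counter)

    def suspected_flood(self, threshold: int) -> bool:
        # A single window carrying more submissions than customers could
        # plausibly send is a scanner or a DoS; say so in the digest.
        return self.count >= threshold


def parse_line(line: str):
    """Parse a constructed log line: '<ISO timestamp> <client ip> <form name>'."""
    ts, ip, form = line.split(" ", 2)
    return datetime.fromisoformat(ts), ip, form


def window_start(ts: datetime, window_minutes: int) -> datetime:
    """Floor a timestamp to the start of its fixed window."""
    return ts.replace(minute=(ts.minute // window_minutes) * window_minutes,
                      second=0, microsecond=0)


def build_digests(lines, window_minutes: int = 10):
    """Group submissions into windows; one Digest per window, sorted by time."""
    digests = {}
    for line in lines:
        ts, ip, _form = parse_line(line)
        start = window_start(ts, window_minutes)
        d = digests.setdefault(start, Digest(start))
        d.count += 1
        d.by_source[ip] += 1
    return [digests[k] for k in sorted(digests)]


def render_digest(d: Digest, threshold: int) -> str:
    """The one message sent for a window, replacing d.count separate e-mails."""
    top_ip, top_n = d.by_source.most_common(1)[0]
    flag = " [SUSPECTED FLOOD]" if d.suspected_flood(threshold) else ""
    return (f"{d.window_start.isoformat()} {d.count} submission(s){flag}; "
            f"top source {top_ip} ({top_n})")


def notifications(lines, window_minutes: int = 10, threshold: int = 50):
    """Digest messages to send for a log, instead of one e-mail per event."""
    return [render_digest(d, threshold)
            for d in build_digests(lines, window_minutes)]


def constructed_log():
    """Constructed sample: four ordinary submissions, then a 300-submission burst."""
    base = datetime(2008, 11, 13, 8, 0, 0)
    lines = []
    for i, ip in enumerate(["203.0.113.10", "198.51.100.7",
                            "203.0.113.22", "198.51.100.9"]):
        t = base + timedelta(minutes=15 * i)
        lines.append(f"{t.isoformat()} {ip} contact-form")
    burst = base + timedelta(hours=2)          # one client, every half second
    for i in range(300):
        t = burst + timedelta(milliseconds=500 * i)
        lines.append(f"{t.isoformat()} 192.0.2.50 contact-form")
    return lines


if __name__ == "__main__":
    # 304 submissions in the sample become five digest messages, the last flagged.
    for msg in notifications(constructed_log()):
        print(msg)
```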
Blind versus knowledge assessments
It may be good to have some knowledge of the systems you’re testing, but it’s
not required. However, a basic understanding of the systems you’re hacking
can protect you and others. Obtaining this knowledge shouldn’t be difficult if
you’re hacking your own in-house systems. If you’re hacking a customer’s
systems, you may have to dig a little deeper into how the systems work so
you know what’s what. That’s how I’ve always done it. In fact, I’ve never had
a customer ask for a fully blind assessment. Most people are scared of these
assessments. This doesn’t mean that blind assessments aren’t valuable. The
type of assessment you carry out depends on your specific needs.
The best approach is to plan on unlimited attacks, wherein any test is possible.
The bad guys aren’t hacking your systems within a limited scope, so why
should you?
Consider whether the tests should be undetected. This isn’t required but
should be considered, especially for social-engineering and physical security
tests. I outline specific tests for those subjects in Chapter 5 and Chapter 6.
A false sense of vigilance can be created if too many insiders know about your
testing, which can end up negating the hard work you’re putting into this.
This doesn’t mean you shouldn’t tell anyone. Always have a main point of
contact within the organization — preferably someone with decision-making
authority — that both you and all employees can contact if and when something
goes wrong.
Determining What Systems to Hack
You probably don’t want — or need — to assess the security of all your systems
at the same time. This could be quite an undertaking and could lead to
problems. I’m not saying you shouldn’t eventually assess every computer and
application you have. I’m just suggesting that whenever possible, you should
break your ethical hacking projects into smaller chunks to make them more
manageable. You may decide which systems to test based on a high-level risk
analysis, answering questions such as:
What are your most critical systems? Which systems, if hacked, would
cause the most trouble or the greatest losses?
Which systems appear to be most vulnerable to attack?
Which systems are not documented, are rarely administered, or are the
ones you know the least about?
After you’ve established your overall goals, decide which systems to test.
This step helps you carefully define a scope for your ethical hacking so that
you not only establish everyone’s expectations up front, but also better estimate
the time and resources for the job.
The following list includes systems and applications that you may consider
performing your hacking tests on:
Routers
Firewalls
Network infrastructure as a whole
Wireless access points and bridges
Web, application, and database servers
E-mail and file/print servers
Workstations, laptops, and tablet PCs
Mobile devices (such as PDAs and cell phones) that store confidential
information
Client and server operating systems
Client and server applications, such as e-mail or other in-house systems
What specific systems you should test depends on several factors. If you have
a small network, you can test everything from the get-go. You may consider
testing just public-facing hosts such as e-mail and Web servers and their
associated applications. The ethical hacking process is flexible. Base these
decisions on what makes the most business sense.
Start with the most vulnerable systems, and consider the following factors:
Where the computer or application resides on the network
Which operating system and application(s) it runs
The amount or type of critical information stored on it
If you’re hacking your own systems or a customer’s systems, a previous
security-risk assessment or vulnerability test may already have generated
this information. If so, that documentation may help identify systems for
more testing.
Ethical hacking goes a few steps beyond the higher-level information risk
assessments and vulnerability testing. As an ethical hacker, you first glean
information on all systems — including the organization as a whole — and
then further assess the systems that appear most vulnerable. I discuss the
ethical hacking methodology in more detail in Chapter 4.
Another factor to help you decide where to start is to assess the systems that
have the greatest visibility. For example, focusing on a database or file server
that stores customer or other critical information may make more sense — at
least initially — than concentrating on a firewall or Web server that hosts
marketing information about the company.
Creating Testing Standards
One miscommunication or slip-up can send your systems crashing during
your ethical hacking tests. No one wants that to happen. To prevent mishaps,
develop and document testing standards. These standards should include
When the tests are performed, along with the overall timeline
What tests are performed
How the tests are performed, and from where
How much knowledge of the systems you acquire in advance
What you do when a major vulnerability is discovered
This is a list of general best practices. You can apply more standards for your
situation.
Chapter 3: Developing Your Ethical Hacking Plan 33
Timing
You know they say that it’s “all in the timing.” This is especially true when
performing ethical hacking tests. Make sure that the tests you’re performing
minimize disruption to business processes, information systems, and people.
You want to avoid situations like miscommunicating the timing of tests and
causing a DoS attack against a high-traffic e-commerce site in the middle of
the day, or forcing yourself or others to perform password-cracking tests in
the middle of the night. It’s amazing what a 12-hour time difference can make!
Everyone in the project should agree on a detailed timeline before you begin.
This puts everyone on the same page and sets correct expectations.
Notify any Internet Service Providers (ISPs) or Application Service Providers
(ASPs) involved before performing any tests across the Internet. This way,
ISPs and ASPs will be aware of the testing going on, which will minimize the
chance that they will block your traffic if they suspect malicious behavior
that shows up on their firewalls or Intrusion Detection Systems (IDSs).
The timeline should include specific short-term dates and times of each test,
the start and end dates, and any specific milestones in between. You can
develop and enter your timeline into a simple spreadsheet or Gantt chart, or
you can include the timeline as part of your initial customer proposal and
contract. For example, you could use a timeline similar to the following:
Test Performed Tester Start Time Projected End Time
War dial Tommy Tinker July 1, 6:00 a.m. July 1, 10:00 a.m.
Password cracking Amy Trusty July 2, 12:00 p.m. July 2, 5:00 p.m.
This timeline will keep things simple and provide a reference during testing.
Developing Your Ethical Hacking Plan
Getting Your Plan Approved
Getting approval for ethical hacking is critical. First, obtain project sponsorship.
This approval can come from your manager, an executive, a customer,
or yourself (if you’re the boss). Otherwise, your testing may be canceled suddenly,
or someone can deny authorizing the tests. There can even be legal
consequences for unauthorized hacking. Always make sure that what you’re
doing is known and visible — at least to the decision-makers. Chapter 20
outlines ten tips for getting upper management’s buy-in on your security
initiatives.
If you’re an independent consultant or have a business with a team of ethical
hackers, consider getting professional liability (also known as errors and
omissions) insurance from an agent who specializes in business insurance
coverage. This kind of insurance can be expensive, but it can be well worth it.
The authorization can be as simple as an internal memo from upper management
if you’re performing these tests on your own systems. If you’re performing
testing for a customer, you must have a signed contract in place, stating
the customer’s support and authorization. Get written approval as soon as
possible to ensure that your time and efforts are not wasted. This documentation
is your security if anyone questions what you’re doing.
Establishing Your Goals
Your ethical hacking plan needs goals. The main goal of ethical hacking is to
find vulnerabilities in your systems so you can make them more secure. You
can then take this a step further:
Define more specific goals. Align these goals with your business
objectives.
Create a specific schedule with start and end dates. These dates are
critical components of your overall plan.
Before you begin any ethical hacking, you absolutely, positively need everything
in writing and signed off on.
Document everything, and involve upper management in this process. Your
best ally in your ethical hacking efforts is a manager who supports what
you’re doing.
The following questions can start the ball rolling:
Does ethical hacking support the mission of the business and its IT and
security departments?
What business goals are met by performing ethical hacking?
These goals may include the following:
• Prepping for the internationally accepted security framework of
ISO 17799 or a security seal such as SysTrust or WebTrust
• Meeting federal regulations
• Improving the company’s image
How will ethical hacking improve security, IT, and the general business?
What information are you protecting?
This could be intellectual property, confidential customer information,
or private employee information.
How much money, time, and effort are you and your organization willing
to spend on ethical hacking?
What specific deliverables will there be?
Deliverables can include anything from high-level executive reports to
detailed technical reports and write-ups on what you tested along with
the outcomes of your tests. You can deliver specific information that is
gleaned during your testing, such as passwords and other confidential
information.
What specific outcomes do you want?
Desired outcomes include the justification for hiring or outsourcing security
personnel, increasing your security budget, or enhancing security
systems.
People within your organization may attempt to keep you from performing
your ethical hacking plans. The best antidote is education. Show how ethical
hacking helps support the business in everyone’s favor.
After you know your goals, document the steps to get there. For example, if
one goal is to develop a competitive advantage to keep existing customers
and attract new ones, determine the answers to these questions:
When will you start your ethical hacking?
Will your ethical hacking be blind, in which you know nothing about the
systems you’re testing, or a knowledge-based attack, in which you’re
given specific information about the systems you’re testing such as IP
addresses, hostnames, and even usernames and passwords?
Will this testing be technical in nature or involve physical security
assessments or even social engineering?
Will you be part of a larger ethical hacking team, often called a tiger team
or red team?
Will you notify your customers of what you’re doing? If so, how?
Customer notification is a critical issue. Many customers appreciate that
you’re taking steps to protect their information. Approach the testing in
a positive way. Don’t say, “We’re breaking into our systems to see what
information of yours is vulnerable to hackers.” Instead, you can say that
you’re assessing the overall security of your systems so the information
is as secure as possible from the bad guys.
How will you notify customers that the organization is taking steps to
enhance the security of their information?
What measurements can ensure that these efforts are paying off?
Maintaining Anonymity
Smart hackers want to be as low-key as possible. Covering their tracks is a
priority. In fact, success often depends on it. They don’t want to raise suspicion
so they can come back and access the systems in the future. Hackers
often remain anonymous by using one of the following techniques:
Borrowed or stolen dial-up accounts from friends or previous employers
Public computers at libraries, schools, or kiosks at the local mall
Internet proxy servers or anonymizer services
Anonymous or disposable e-mail accounts from free e-mail services
Chapter 2: Cracking the Hacker Mindset 27
Open e-mail relays
Unsecured computers — also called zombies — at other organizations
Workstations or servers on the victim’s own network
If hackers use enough steppingstones for their attacks, they are hard to trace.
Planning and Performing Attacks
Hacking styles vary widely:
Some hackers prepare far in advance of a large attack. They gather
small bits of information and methodically carry out their hacks, as I
outline in Chapter 4. These hackers are more difficult to track.
Other hackers — usually, the inexperienced script kiddies — act
before they think things through. For example, such hackers may try to
telnet directly into an organization’s router without hiding their identities.
Other hackers may try to launch a DoS attack against a Microsoft
Exchange e-mail server without first determining what version of
Exchange is running or what patches are installed.
These are the guys who usually get caught.
Although the hacker underground is a community, many of the hackers —
especially the elite hackers — don’t share information with the crowd. Most
hackers do much of their work independently from other hackers. Hackers
who network with one another use private bulletin board systems (BBSs),
anonymous e-mail addresses, hacker Web sites, and Internet Relay Chat (IRC).
You can log on to many of these sites to see what hackers are doing.
Whatever approach they take, most malicious hackers prey on ignorance.
They know the following aspects of real-world security:
The majority of systems that hackers want to attack aren’t managed
properly. The computer systems aren’t properly patched, hardened, and
monitored as they should be. Hackers often can attack by flying below
the average radar of the firewalls, IDSs, and authentication systems.
26 Part I: Building the Foundation for Ethical Hacking
Hacking in the name of liberty
Many hackers exhibit behaviors that contradict
what they’re fighting for — that is, they fight for
civil liberties and want to be left alone, and at the
same time, they love prying into other people’s
business. Many hackers claim to be civil libertarians
supporting the principles of personal privacy
and freedom. However, they act in an
entirely different way by intruding on the privacy
and property of others. They often steal the
property and rights of others, yet are willing to
go to great lengths to get their own rights back
from anyone who tries to take them away.
The case against copyrighted materials and
the Recording Industry Association of America
(RIAA) is a classic example. Hackers have gone
to great lengths to prove a point, from defacing
the Web sites of organizations that support copyrights
to illegally sharing music by using otherwise
legal mediums such as Kazaa, Gnutella,
and Morpheus.
Most network and security administrators simply can’t keep up with the
deluge of new vulnerabilities.
Information systems grow more complex every year. This is yet another
reason why overburdened administrators find it difficult to know what’s
happening across the wire and on the hard drives of their systems.
Time is a hacker’s friend — and it always seems to be on the hacker’s side. By
attacking through computers rather than in person, hackers have more control
over when they can carry out their attacks.
Hack attacks can be carried out slowly, making them hard to detect.
They’re frequently carried out after typical business hours — often, in
the middle of the night. Defenses are often weaker at night — with less
physical security and less intrusion monitoring — when the typical network
administrator (or security guard) is sleeping.
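The timing point above, as an added example that is not from the book: a small Python detector over constructed sshd-style log lines that flags successful logins outside business hours and runs of failed logins that are spread out too slowly for a burst threshold to catch. The log format, host names, addresses and the assumed year are all constructed.

```python
"""Off-hours and slow-burn authentication detection (added example).

The book notes that attacks are often run at night, when monitoring is
thinner, and slowly, so that they stay under burst thresholds. This
sketch shows both checks over constructed syslog-style sshd lines.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta
import re

# Constructed sample (sshd-like syslog format; syslog lines carry no year).
SAMPLE_LOG = """\
Mar 12 09:14:02 web01 sshd[2201]: Accepted password for alice from 10.0.5.23 port 51422 ssh2
Mar 12 11:03:41 web01 sshd[2310]: Failed password for bob from 10.0.5.41 port 50112 ssh2
Mar 12 11:03:45 web01 sshd[2310]: Accepted password for bob from 10.0.5.41 port 50112 ssh2
Mar 12 22:10:05 web01 sshd[3101]: Failed password for admin from 203.0.113.9 port 40001 ssh2
Mar 12 23:41:17 web01 sshd[3155]: Failed password for admin from 203.0.113.9 port 40002 ssh2
Mar 13 01:12:33 web01 sshd[3201]: Failed password for root from 203.0.113.9 port 40003 ssh2
Mar 13 02:55:48 web01 sshd[3260]: Failed password for admin from 203.0.113.9 port 40004 ssh2
Mar 13 03:30:01 web01 sshd[3290]: Accepted password for carol from 10.0.5.77 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
LOG_YEAR = 2024  # assumed year for the constructed sample


def parse_auth_log(text):
    """Return sorted (timestamp, result, user, src) tuples; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{LOG_YEAR} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events)


def off_hours_logins(events, start=time(8, 0), end=time(18, 0)):
    """Successful logins outside the business-hours window [start, end)."""
    return [(ts, user, src) for ts, result, user, src in events
            if result == "Accepted" and not (start <= ts.time() < end)]


def failures_within(events, n, window_minutes):
    """Sources with at least n failed logins inside any sliding window.

    Returns {src: largest count seen in one window}. A short window is the
    usual burst rule; a long window catches the slow, spread-out attempts.
    """
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for ts, result, _user, src in events:
        if result == "Failed":
            by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        j = 0
        for i in range(len(times)):
            # j runs ahead while times[j] is still inside the window opened at times[i]
            if j < i:
                j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            count = j - i
            if count >= n:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


if __name__ == "__main__":
    ev = parse_auth_log(SAMPLE_LOG)
    for ts, user, src in off_hours_logins(ev):
        print(f"off-hours login: {user} from {src} at {ts}")
    print("burst rule (3 in 5 min):", failures_within(ev, 3, 5))
    print("slow rule (3 in 8 h):", failures_within(ev, 3, 8 * 60))
```

On the sample, the five-minute burst rule flags nothing while the eight-hour rule flags the source that spread four failures across the night.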
If you want detailed information on how some hackers work or want to keep
up with the latest hacker methods, several magazines are worth checking out:
2600 — The Hacker Quarterly magazine (www.2600.com). I’ve found gobs
of great information in 2600.
PHRACK (www.phrack.org).
Computer Underground Digest (www.soci.niu.edu/~cudigest).
Also, check out Lance Spitzner’s Web site www.tracking-hackers.com for
some great information on using honeypots to track hacker behavior.
Hackers learn from their hacking mistakes. Every mistake moves them one
step closer to breaking into someone’s system. They use this wisdom when
carrying out future attacks.
Why Hackers Hack
The main reason hackers hack is because they can! Okay, it goes a little deeper
than that. Hacking is a casual hobby for some hackers — they just hack to see
what they can and can’t break into, usually testing only their own systems.
These aren’t the folks I’m writing about here. I’m focusing on those hackers
who are obsessive and often have criminal intent.
Many hackers get a kick out of outsmarting corporate and government IT and
security administrators. They thrive on making headlines and being notorious
cyberoutlaws. Defeating an entity or possessing knowledge makes them feel
better about themselves. Many of these hackers feed off instant gratification.
They become obsessed with this feeling. Hackers can’t resist the adrenaline
rush they get when breaking into someone else’s systems. Often, the more
difficult the job is, the greater the thrill.
The knowledge that malicious hackers gain and the elevated ego that comes
with that knowledge are like an addiction and a way of life. Some hackers want
to make your life miserable, and others simply want to be seen or heard. Some
common hacker motives are revenge, basic bragging rights, curiosity, boredom,
challenge, vandalism, theft for financial gain, sabotage, blackmail, extortion, and
corporate espionage.
Hackers often promote individualism — or at least the decentralization of
information — because many believe that all information should be free.
They think cyberattacks are different from attacks in the real world. They
easily ignore or misunderstand their victims and the consequences of hacking.
24 Part I: Building the Foundation for Ethical Hacking
Many hackers say they don’t intend to harm or profit through their bad deeds,
which helps them justify their work. They often don’t look for tangible payoffs.
Just proving a point is often a good enough reward for them.
Many business owners and managers — even some network and security
administrators — believe that they don’t have anything that a hacker wants or
that hackers can’t do much damage if they break in. This couldn’t be further
from the truth. This kind of thinking helps support hackers and their objectives.
Hackers can compromise a seemingly unimportant system to access
the network and use it as a launching pad for attacks on other systems.
It’s worth repeating that hackers often hack because they can. Some hackers
go for high-profile systems, but hacking into anyone’s system helps them fit
into hacker circles. Hackers use the false sense of security that many people
have and go for almost any system they think they can compromise. They
know that electronic information can be in more than one place at the same
time. It’s tough to prove that hackers took the information and possess it.
Similarly, hackers know that a simple defaced Web page — however easily
attacked — is not good for business. The following Web sites show examples
of Web pages that have been defaced in the past few years:
www.2600.com/hacked_pages
www.onething.com/archive
Hacked sites like these can persuade management and other nonbelievers
that information threats and vulnerabilities should be addressed.
Hacking continues to get easier for several reasons:
Increasing use of networks and Internet connectivity
Anonymity provided by computer systems working over the Internet
Increasing number and availability of hacking tools
Computer-savvy children
Unlikelihood that hackers are investigated or prosecuted if caught
Although most hacker attacks go unnoticed or unreported, hackers who are
discovered are often not pursued or prosecuted. When they’re caught, hackers
often rationalize their services as being altruistic and a benefit to society:
They’re merely pointing out vulnerabilities before someone else does.
Regardless, if justice is ever served, it helps eliminate the “fame and glory”
reward system that hackers thrive on.
These criminal hackers are in the minority, so don’t think that you’re up
against millions of these villains. Many other hackers just love to tinker and
Who Hacks
Computer hackers have been around for decades. Since the Internet became
widely used in the late 1990s, we’ve started to hear more and more about hacking.
Only a few hackers, such as John Draper (also known as Captain Crunch)
and Kevin Mitnick, are well known. Gobs more unknown hackers are looking
to make a name for themselves. They’re the ones to look out for.
In a world of black and white, it’s easy to describe the typical hacker. A general
stereotype of a typical hacker is an antisocial, pimple-faced teenage boy.
But the world has many shades of gray and, therefore, many types of hackers.
Hackers are human like the rest of us and are, therefore, unique individuals,
so an exact profile is hard to outline. The best broad description of hackers is
that all hackers aren’t equal. Each hacker has motives, methods, and skills.
But some general characteristics can help you understand them.
Not all hackers are antisocial, pimple-faced teenagers. Regardless, hackers
possess curiosity, bravado, and often very sharp minds.
Cracking the Hacker Mindset
In This Chapter
Understanding the enemy
Profiling hackers
Understanding why hackers do what they do
Examining how hackers go about their business
Before you start assessing the security of your own systems, it helps to
know something about the enemies you’re up against. Many information-
security product vendors and other professionals claim that you should
protect your systems from the bad guys — both internal and external. But
what does this mean? How do you know how these bad guys think and work?
Knowing what hackers want helps you understand how they work. Understanding
how they work helps you look at your information systems in a whole
new way. In this chapter, I describe what you’re up against, who’s actually
doing the hacking, and what their motivations and methods are so you’re
better prepared for your ethical hacking tests.
What You’re Up Against
Thanks to sensationalism, the definition of hacker has transformed from
harmless tinkerer to malicious criminal. Hackers often state that the general
public misunderstands them, which is mostly true. It’s easy to prejudge what
you don’t understand. Hackers can be classified by both their abilities and
underlying motivations. Some are skilled, and their motivations are benign;
they’re merely seeking more knowledge. At the other end of the spectrum,
hackers with malicious intent seek some form of personal gain. Unfortunately,
the negative aspects of hacking usually overshadow the positive aspects,
resulting in the stereotyping.
Historically, hackers have hacked for the pursuit of knowledge and the thrill
of the challenge. Script kiddies aside, hackers are adventurous and innovative
thinkers, and are always thinking about exploiting computer vulnerabilities.
(For more on script kiddies, see “Who Hacks,” later in this chapter.) They see
what others often overlook. They wonder what would happen if a cable were
unplugged, a switch were flipped, or lines of code were changed in a program.
These old-school hackers are like Tim the Toolman Taylor — Tim Allen’s character
on the late, great sitcom Home Improvement — thinking mechanical and
electronic devices can be improved if they’re “rewired.” More recent evidence
shows that many hackers are hacking for political, competitive, and even financial
purposes, so times are changing.
When they were growing up, hackers’ rivals were monsters and villains on
video game screens. Now hackers see their electronic foes as only that —
electronic. Hackers who perform malicious acts don’t really think about the
fact that human beings are behind the firewalls and Web applications they’re
attacking. They ignore that their actions often affect those human beings in
negative ways, such as jeopardizing their job security.
Hackers and the act of hacking drive the advancement of security technology.
After all, hackers don’t create security holes; they expose and exploit existing
holes in applications. Unfortunately, security technology advances don’t ward
off all hacker attacks, because hackers constantly search for new holes and
weaknesses. The only sure-fire way to keep the bad guys at bay is to use behavior
modification to change them into productive, well-adjusted members of
society. Good luck with that.
However you view the stereotypical hacker, one thing is certain: Some people
always will try to take down your computer systems through manual hacking
or by creating and launching automated worms and other malware. You must
take the appropriate steps to protect your systems against them.
Executing the plan
Ethical hacking can take persistence. Time and patience are important. Be
careful when you’re performing your ethical hacking tests. A hacker in your
network or a seemingly benign employee looking over your shoulder may
watch what’s going on. This person could use this information against you.
It’s not practical to make sure that no hackers are on your systems before
you start. Just make sure you keep everything as quiet and private as possible.
This is especially critical when transmitting and storing your test results.
If possible, encrypt these e-mails and files using Pretty Good Privacy (PGP) or
something similar. At a minimum, password-protect them.
You’re now on a reconnaissance mission. Harness as much information as
possible about your organization and systems, which is what malicious hackers
do. Start with a broad view and narrow your focus:
1. Search the Internet for your organization’s name, your computer and
network system names, and your IP addresses.
Google is a great place to start for this.
2. Narrow your scope, targeting the specific systems you’re testing.
Whether physical-security structures or Web applications, a casual
assessment can turn up much information about your systems.
3. Further narrow your focus with a more critical eye. Perform actual
scans and other detailed tests on your systems.
4. Perform the attacks, if that’s what you choose to do.
The Ethical Hacking Process
Like practically any IT or security project, ethical hacking needs to be planned
in advance. Strategic and tactical issues in the ethical hacking process should
be determined and agreed upon. Planning is important for any amount of
testing — from a simple password-cracking test to an all-out penetration test
on a Web application.
Formulating your plan
Approval for ethical hacking is essential. Make what you’re doing known and
visible — at least to the decision makers. Obtaining sponsorship of the project
is the first step. This could be your manager, an executive, a customer, or
even yourself if you’re the boss. You need someone to back you up and sign
off on your plan. Otherwise, your testing may be called off unexpectedly if
someone claims they never authorized you to perform the tests.
Chapter 1: Introduction to Ethical Hacking 15
The authorization can be as simple as an internal memo from your boss if
you’re performing these tests on your own systems. If you’re testing for a
customer, have a signed contract in place, stating the customer’s support and
authorization. Get written approval on this sponsorship as soon as possible
to ensure that none of your time or effort is wasted. This documentation is
your Get Out of Jail Free card if anyone questions what you’re doing.
You need a detailed plan, but that doesn’t mean you have to have volumes of
testing procedures. One slip can crash your systems — not necessarily what
anyone wants. A well-defined scope includes the following information:
Specific systems to be tested
Risks that are involved
When the tests are performed and your overall timeline
How the tests are performed
How much knowledge of the systems you have before you start testing
What is done when a major vulnerability is discovered
The specific deliverables — this includes security-assessment reports
and a higher-level report outlining the general vulnerabilities to be
addressed, along with countermeasures that should be implemented
When selecting systems to test, start with the most critical or vulnerable
systems. For instance, you can test computer passwords or attempt social-engineering
attacks before drilling down into more detailed systems.
It pays to have a contingency plan for your ethical hacking process in case
something goes awry. What if you’re assessing your firewall or Web application,
and you take it down? This can cause system unavailability, which can
reduce system performance or employee productivity. Even worse, it could
cause loss of data integrity, loss of data, and bad publicity.
Handle social-engineering and denial-of-service attacks carefully. Determine
how they can affect the systems you’re testing and your entire organization.
Determining when the tests are performed is something that you must think
long and hard about. Do you test during normal business hours? How about
late at night or early in the morning so that production systems aren’t affected?
Involve others to make sure they approve of your timing.
The best approach is an unlimited attack, wherein any type of test is possible.
The bad guys aren’t hacking your systems within a limited scope, so why
should you? Some exceptions to this approach are performing DoS, social-engineering,
and physical-security tests.
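The scope items above (which systems, when, which kinds of test, and what to do on a critical finding) are easier to honor if the tester's own tooling refuses to run anything the signed scope does not cover. The following is an added example, not code from the book: a small scope-enforcement check in Python. The CIDR blocks, sponsor, test window and test names are constructed placeholders (192.0.2.0/24 and 198.51.100.0/25 are documentation ranges), and the restricted test types named in the text (DoS, social engineering, physical) are refused unless the scope explicitly lists them.

```python
"""Scope / rules-of-engagement check run before each test is fired.

Added example, not from the book. Every address, window, sponsor and test
name below is a constructed placeholder.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, time

# Test types the text singles out as exceptions to an "anything goes" test.
# They run only if the signed scope lists them by name.
RESTRICTED_TESTS = frozenset({"dos", "social-engineering", "physical"})


@dataclass(frozen=True)
class Scope:
    sponsor: str                   # who signed off (manager, customer, ...)
    signed: bool                   # written authorization actually in hand?
    in_scope: tuple[str, ...]      # CIDR blocks that may be tested
    excluded: tuple[str, ...]      # CIDR blocks that must never be touched
    window_start: time             # local time the test window opens
    window_end: time               # local time the test window closes
    allowed_tests: frozenset[str]  # test types the sponsor approved
    on_critical: str               # "stop" or "continue" when a major hole turns up


def _covered(addr, nets: tuple[str, ...]) -> bool:
    """True if addr falls inside any of the given CIDR blocks."""
    return any(addr in ipaddress.ip_network(n, strict=False) for n in nets)


def _in_window(now: time, start: time, end: time) -> bool:
    """Handle windows that cross midnight (e.g. 22:00 to 04:00)."""
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def authorize(scope: Scope, target: str, test: str, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). On any failed check, refuse rather than guess."""
    if not scope.signed:
        return False, f"no written authorization from {scope.sponsor}"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False, f"{target!r} is not an IP address; resolve it and re-check"
    if _covered(addr, scope.excluded):          # exclusions win over in-scope
        return False, f"{target} is explicitly excluded"
    if not _covered(addr, scope.in_scope):
        return False, f"{target} is outside the agreed scope"
    if not _in_window(now.time(), scope.window_start, scope.window_end):
        return False, f"{now:%H:%M} is outside the agreed test window"
    if test not in scope.allowed_tests:
        kind = "restricted" if test in RESTRICTED_TESTS else "unlisted"
        return False, f"{kind} test type {test!r} is not approved in the scope"
    return True, "ok"


# Constructed example scope; addresses and sponsor are hypothetical.
EXAMPLE_SCOPE = Scope(
    sponsor="IT director (internal memo)",
    signed=True,
    in_scope=("192.0.2.0/24", "198.51.100.0/25"),
    excluded=("192.0.2.10/32",),        # e.g. the production database host
    window_start=time(22, 0),
    window_end=time(4, 0),
    allowed_tests=frozenset({"port-scan", "password-audit", "web-app"}),
    on_critical="continue",
)

if __name__ == "__main__":
    now = datetime(2024, 3, 5, 23, 30)
    for target, test in [("192.0.2.25", "port-scan"), ("192.0.2.10", "port-scan"),
                         ("203.0.113.7", "port-scan"), ("192.0.2.25", "dos")]:
        ok, why = authorize(EXAMPLE_SCOPE, target, test, now)
        print(f"{target:14} {test:12} {'RUN ' if ok else 'SKIP'} {why}")
```

The point of the check is that the tool says no by default: a target that is not in the scope, a time outside the window, or a test type the sponsor never approved is refused before any packet is sent, which is exactly the evidence you want if someone later claims the test was never authorized.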
Don’t stop with one security hole. This can lead to a false sense of security.
Keep going to see what else you can discover. I’m not saying to keep hacking
until the end of time or until you crash all your systems. Simply pursue the
path you’re going down until you can’t hack it any longer (pun intended).
One of your goals may be to perform the tests without being detected. For
example, you may be performing your tests on remote systems or on a remote
office, and you don’t want the users to be aware of what you’re doing. Otherwise,
the users may be on to you and be on their best behavior.
You don’t need extensive knowledge of the systems you’re testing — just a
basic understanding. This will help you protect the tested systems.
Understanding the systems you’re testing shouldn’t be difficult if you’re hacking
your own in-house systems. If you’re hacking a customer’s systems, you
may have to dig deeper. In fact, I’ve never had a customer ask for a fully blind
assessment. Most people are scared of these assessments. Base the type of
test you will perform on your organization’s or customer’s needs.
Like practically any IT or security project, ethical hacking needs to be planned
in advance. Strategic and tactical issues in the ethical hacking process should
be determined and agreed upon. Planning is important for any amount of
testing — from a simple password-cracking test to an all-out penetration test
on a Web application.
Obeying the Ethical Hacking Commandments
Every ethical hacker must abide by a few basic commandments. If not, bad
things can happen. I’ve seen these commandments ignored or forgotten when
planning or executing ethical hacking tests. The results weren’t positive.
Working ethically
The word ethical in this context can be defined as working with high professional
morals and principles. Whether you’re performing ethical hacking tests
against your own systems or for someone who has hired you, everything you
do as an ethical hacker must be aboveboard and must support the company’s
goals. No hidden agendas are allowed!
Trustworthiness is the ultimate tenet. The misuse of information is absolutely
forbidden. That’s what the bad guys do.
Respecting privacy
Treat the information you gather with the utmost respect. All information
you obtain during your testing — from Web-application log files to clear-text
passwords — must be kept private. Don’t use this information to snoop into
confidential corporate information or private lives. If you sense that someone
should know there’s a problem, consider sharing that information with the
appropriate manager.
Involve others in your process. This is a “watch the watcher” system that can
build trust and support your ethical hacking projects.
Not crashing your systems
One of the biggest mistakes I’ve seen when people try to hack their own systems
is inadvertently crashing their systems. The main reason for this is poor
planning. These testers have not read the documentation or misunderstand
the usage and power of the security tools and techniques.
You can easily create DoS conditions on your systems when testing. Running
too many tests too quickly on a system causes many system lockups. I know
because I’ve done this! Don’t rush things and assume that a network or specific
host can handle the beating that network scanners and vulnerability-assessment
tools can dish out.
Many security-assessment tools can control how many tests are performed
on a system at the same time. These tools are especially handy if you need to
run the tests on production systems during regular business hours.
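As an added example (not the book's code, and not any real scanner's), here is what that control looks like in Python: a thread pool caps how many probes are in flight at once, and a token bucket caps how many new probes start per second. The host addresses and the `fake_probe` function are constructed stand-ins for a real check such as a TCP connect to one port.

```python
"""Bounded-concurrency, rate-limited test runner.

Added example, not from the book or any real tool. It shows the two knobs
the text refers to: how many probes run at the same time, and how fast new
ones are started. The targets and probe are constructed stand-ins.
"""
from __future__ import annotations

import threading
import time
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Iterable


class TokenBucket:
    """Admit at most `rate` probes per second, allowing bursts up to `burst`."""

    def __init__(self, rate: float, burst: int = 1) -> None:
        self.rate = rate
        self.capacity = burst
        self.tokens = float(burst)
        self.updated = time.monotonic()
        self.lock = threading.Lock()

    def acquire(self) -> None:
        """Block until a token is available, then consume it."""
        while True:
            with self.lock:
                now = time.monotonic()
                self.tokens = min(self.capacity,
                                  self.tokens + (now - self.updated) * self.rate)
                self.updated = now
                if self.tokens >= 1.0:
                    self.tokens -= 1.0
                    return
                wait = (1.0 - self.tokens) / self.rate
            time.sleep(wait)  # sleep outside the lock so other threads can refill


@dataclass
class RunReport:
    results: dict             # target -> probe result
    peak_concurrency: int     # highest number of probes in flight at once
    elapsed: float            # wall-clock seconds for the whole run


def run_throttled(targets: Iterable[str], probe: Callable[[str], object],
                  max_concurrent: int, rate_per_sec: float) -> RunReport:
    """Run `probe` over `targets` with at most `max_concurrent` in flight and
    no more than `rate_per_sec` new probes started per second."""
    bucket = TokenBucket(rate_per_sec)
    state = {"in_flight": 0, "peak": 0}
    lock = threading.Lock()

    def guarded(target: str):
        bucket.acquire()                      # pace the start of every probe
        with lock:
            state["in_flight"] += 1
            state["peak"] = max(state["peak"], state["in_flight"])
        try:
            return target, probe(target)
        finally:
            with lock:
                state["in_flight"] -= 1

    start = time.monotonic()
    with ThreadPoolExecutor(max_workers=max_concurrent) as pool:
        results = dict(pool.map(guarded, list(targets)))
    return RunReport(results, state["peak"], time.monotonic() - start)


# Constructed stand-in for a real check (e.g. a TCP connect to one port):
# it sleeps to imitate network latency and "finds" two hypothetical open hosts.
FAKE_OPEN = {"192.0.2.5", "192.0.2.9"}


def fake_probe(target: str) -> str:
    time.sleep(0.02)
    return "open" if target in FAKE_OPEN else "closed"


if __name__ == "__main__":
    hosts = [f"192.0.2.{i}" for i in range(1, 11)]
    report = run_throttled(hosts, fake_probe, max_concurrent=2, rate_per_sec=50)
    print(f"peak in flight: {report.peak_concurrency}, elapsed: {report.elapsed:.2f}s")
    print({h: r for h, r in report.results.items() if r == "open"})
```

Real tools expose the same two knobs (nmap, for example, has `--max-parallelism` for concurrency and `--max-rate` or `--scan-delay` for pacing). Turn both down when the target is a production host during business hours, and look at the peak-concurrency and elapsed figures in the report to confirm the limits were actually honored rather than assuming they were.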
You can even create an account or system lockout condition by social engineering
someone into changing a password, not realizing that doing so might
create a system lockout condition.
Understanding the Dangers Your Systems Face
It’s one thing to know that your systems generally are under fire from hackers
around the world. It’s another to understand specific attacks against your systems
that are possible. This section offers some well-known attacks but is by
no means a comprehensive listing. That requires its own book: Hack Attacks
Encyclopedia, by John Chirillo (Wiley Publishing, Inc.).
Many information-security vulnerabilities aren’t critical by themselves.
However, exploiting several vulnerabilities at the same time can take its toll.
For example, a default Windows OS configuration, a weak SQL Server administrator
password, and a server hosted on a wireless network may not be
major security concerns separately. But exploiting all three of these vulnerabilities
at the same time can be a serious issue.
Nontechnical attacks
Exploits that involve manipulating people — end users and even yourself —
are the greatest vulnerability within any computer or network infrastructure.
Humans are trusting by nature, which can lead to social-engineering exploits.
Social engineering is defined as the exploitation of the trusting nature of human
beings to gain information for malicious purposes. I cover social engineering
in depth in Chapter 5.
Other common and effective attacks against information systems are physical.
Hackers break into buildings, computer rooms, or other areas containing critical
information or property. Physical attacks can include dumpster diving
(rummaging through trash cans and dumpsters for intellectual property,
passwords, network diagrams, and other information).
Network-infrastructure attacks
Hacker attacks against network infrastructures can be easy, because many
networks can be reached from anywhere in the world via the Internet. Here
are some examples of network-infrastructure attacks:
Connecting into a network through a rogue modem attached to a
computer behind a firewall
Exploiting weaknesses in network transport mechanisms, such as TCP/IP
and NetBIOS
Flooding a network with too many requests, creating a denial of service
(DoS) for legitimate requests
Installing a network analyzer on a network and capturing every packet
that travels across it, revealing confidential information in clear text
Piggybacking onto a network through an insecure 802.11b wireless
configuration
Operating-system attacks
Hacking operating systems (OSs) is a preferred method of the bad guys. OSs
comprise a large portion of hacker attacks simply because every computer
has one and so many well-known exploits can be used against them.
Occasionally, some operating systems that are more secure out of the box —
such as Novell NetWare and the flavors of BSD UNIX — are attacked, and
vulnerabilities turn up. But hackers prefer attacking operating systems like
Windows and Linux because they are widely used and better known for their
vulnerabilities.
Here are some examples of attacks on operating systems:
Exploiting specific protocol implementations
Attacking built-in authentication systems
Breaking file-system security
Cracking passwords and encryption mechanisms
Application and other specialized attacks
Applications take a lot of hits by hackers. Programs such as e-mail server
software and Web applications often are beaten down:
Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol
(SMTP) applications are frequently attacked because most firewalls and
other security mechanisms are configured to allow full access to these
programs from the Internet.
Malicious software (malware) includes viruses, worms, Trojan horses,
and spyware. Malware clogs networks and takes down systems.
Spam (junk e-mail) is wreaking havoc on system availability and storage
space. And it can carry malware.
Ethical hacking helps reveal such attacks against your computer systems.
Parts II through V of this book cover these attacks in detail, along with specific
countermeasures you can implement against attacks on your systems.
Understanding the Need to Hack Your Own Systems
To catch a thief, think like a thief. That’s the basis for ethical hacking.
The law of averages works against security. With the increased numbers and
expanding knowledge of hackers combined with the growing number of system
vulnerabilities and other unknowns, the time will come when all computer
systems are hacked or compromised in some way. Protecting your systems
from the bad guys — and not just the generic vulnerabilities that everyone
knows about — is absolutely critical. When you know hacker tricks, you can
see how vulnerable your systems are.
Hacking preys on weak security practices and undisclosed vulnerabilities.
Firewalls, encryption, and virtual private networks (VPNs) can create a false
feeling of safety. These security systems often focus on high-level vulnerabilities,
such as viruses and traffic through a firewall, without affecting how hackers
work. Attacking your own systems to discover vulnerabilities is a step to
making them more secure. This is the only proven method of greatly hardening
your systems from attack. If you don’t identify weaknesses, it’s a matter of
time before the vulnerabilities are exploited.
As hackers expand their knowledge, so should you. You must think like them
to protect your systems from them. You, as the ethical hacker, must know
activities hackers carry out and how to stop their efforts. You should know
what to look for and how to use that information to thwart hackers’ efforts.
You don’t have to protect your systems from everything. You can’t. The only
protection against everything is to unplug your computer systems and lock
them away so no one can touch them — not even you. That’s not the best
approach to information security. What’s important is to protect your systems
from known vulnerabilities and common hacker attacks.
It’s impossible to buttress all possible vulnerabilities on all your systems. You
can’t plan for all possible attacks — especially the ones that are currently
unknown. However, the more combinations you try — the more you test whole
systems instead of individual units — the better your chances of discovering
vulnerabilities that affect everything as a whole.
Don’t take ethical hacking too far, though. It makes little sense to harden your
systems from unlikely attacks. For instance, if you don’t have a lot of foot traffic
in your office and no internal Web server running, you may not have as much
to worry about as an Internet hosting provider would have. However, don’t
forget about insider threats from malicious employees!
Your overall goals as an ethical hacker should be as follows:
Hack your systems in a nondestructive fashion.
Enumerate vulnerabilities and, if necessary, prove to upper management
that vulnerabilities exist.
Apply results to remove vulnerabilities and better secure your systems.
Introduction to Ethical Hacking
In This Chapter
Understanding hacker objectives
Outlining the differences between ethical hackers and malicious hackers
Examining how the ethical hacking process has come about
Understanding the dangers that your computer systems face
Starting the ethical hacking process
This book is about hacking ethically — the science of testing your computers
and network for security vulnerabilities and plugging the holes you
find before the bad guys get a chance to exploit them.
Although ethical is an often overused and misunderstood word, the Merriam-
Webster dictionary defines ethical perfectly for the context of this book and
the professional security testing techniques that I cover — that is, conforming
to accepted professional standards of conduct. IT practitioners are obligated to
perform all the tests covered in this book aboveboard and only after permission
has been obtained by the owner(s) of the systems — hence the disclaimer
in the introduction.
How Hackers Beget Ethical Hackers
We’ve all heard of hackers. Many of us have even suffered the consequences
of hacker actions. So who are these hackers? Why is it important to know
about them? The next few sections give you the lowdown on hackers.
Defining hacker
Hacker is a word that has two meanings:
Traditionally, a hacker is someone who likes to tinker with software or
electronic systems. Hackers enjoy exploring and learning how computer
systems operate. They love discovering new ways to work electronically.
Recently, hacker has taken on a new meaning — someone who maliciously
breaks into systems for personal gain. Technically, these criminals are
crackers (criminal hackers). Crackers break into (crack) systems with
malicious intent. They are out for personal gain: fame, profit, and even
revenge. They modify, delete, and steal critical information, often making
other people miserable.
The good-guy (white-hat) hackers don’t like being in the same category as the
bad-guy (black-hat) hackers. (These terms come from Western movies where
the good guys wore white cowboy hats and the bad guys wore black cowboy
hats.) Whatever the case, most people give hacker a negative connotation.
Many malicious hackers claim that they don’t cause damage but instead are
altruistically helping others. Yeah, right. Many malicious hackers are electronic
thieves.
In this book, I use the following terminology:
Hackers (or bad guys) try to compromise computers.
Ethical hackers (or good guys) protect computers against illicit entry.
Hackers go for almost any system they think they can compromise. Some
prefer prestigious, well-protected systems, but hacking into anyone’s system
increases their status in hacker circles.
Ethical Hacking 101
You need protection from hacker shenanigans. An ethical hacker possesses
the skills, mindset, and tools of a hacker but is also trustworthy. Ethical hackers
perform the hacks as security tests for their systems.
If you perform ethical hacking tests for customers or simply want to add
another certification to your credentials, you may want to consider the ethical
hacker certification Certified Ethical Hacker, which is sponsored by EC-Council.
See www.eccouncil.org/CEH.htm for more information.
Ethical hacking — also known as penetration testing or white-hat hacking —
involves the same tools, tricks, and techniques that hackers use, but with one
major difference: Ethical hacking is legal. Ethical hacking is performed with
the target’s permission. The intent of ethical hacking is to discover vulnerabilities
from a hacker’s viewpoint so systems can be better secured. It’s part
of an overall information risk management program that allows for ongoing
security improvements. Ethical hacking can also ensure that vendors’ claims
about the security of their products are legitimate.
To hack your own systems like the bad guys, you must think like they think.
It’s absolutely critical to know your enemy; see Chapter 2 for details.
In This Chapter
Understanding hacker objectives
Outlining the differences between ethical hackers and malicious hackers
Examining how the ethical hacking process has come about
Understanding the dangers that your computer systems face
Starting the ethical hacking process
This book is about hacking ethically — the science of testing your computers
and network for security vulnerabilities and plugging the holes you
find before the bad guys get a chance to exploit them.
Although ethical is an often overused and misunderstood word, the Merriam-
Webster dictionary defines ethical perfectly for the context of this book and
the professional security testing techniques that I cover — that is, conforming
to accepted professional standards of conduct. IT practitioners are obligated to
perform all the tests covered in this book aboveboard and only after permission
has been obtained by the owner(s) of the systems — hence the disclaimer
in the introduction.
How Hackers Beget Ethical Hackers
We’ve all heard of hackers. Many of us have even suffered the consequences
of hacker actions. So who are these hackers? Why is it important to know
about them? The next few sections give you the lowdown on hackers.
Defining hacker
Hacker is a word that has two meanings:
Traditionally, a hacker is someone who likes to tinker with software or
electronic systems. Hackers enjoy exploring and learning how computer
systems operate. They love discovering new ways to work electronically.
Recently, hacker has taken on a new meaning — someone who maliciously
breaks into systems for personal gain. Technically, these criminals are
crackers (criminal hackers). Crackers break into (crack) systems with
malicious intent. They are out for personal gain: fame, profit, and even
revenge. They modify, delete, and steal critical information, often making
other people miserable.
The good-guy (white-hat) hackers don’t like being in the same category as the
bad-guy (black-hat) hackers. (These terms come from Western movies where
the good guys wore white cowboy hats and the bad guys wore black cowboy
hats.) Whatever the case, most people give hacker a negative connotation.
Many malicious hackers claim that they don’t cause damage but instead are
altruistically helping others. Yeah, right. Many malicious hackers are electronic
thieves.
In this book, I use the following terminology:
Hackers (or bad guys) try to compromise computers.
Ethical hackers (or good guys) protect computers against illicit entry.
Hackers go for almost any system they think they can compromise. Some
prefer prestigious, well-protected systems, but hacking into anyone’s system
increases their status in hacker circles.
Ethical Hacking 101
You need protection from hacker shenanigans. An ethical hacker possesses
the skills, mindset, and tools of a hacker but is also trustworthy. Ethical hackers
perform the hacks as security tests for their systems.
If you perform ethical hacking tests for customers or simply want to add
another certification to your credentials, you may want to consider the
Certified Ethical Hacker (CEH) certification, which is sponsored by EC-Council.
See www.eccouncil.org/CEH.htm for more information.
Ethical hacking — also known as penetration testing or white-hat hacking —
involves the same tools, tricks, and techniques that hackers use, but with one
major difference: Ethical hacking is legal. Ethical hacking is performed with
the target’s permission. The intent of ethical hacking is to discover vulnerabilities
from a hacker’s viewpoint so systems can be better secured. It’s part
of an overall information risk management program that allows for ongoing
security improvements. Ethical hacking can also ensure that vendors’ claims
about the security of their products are legitimate.
To hack your own systems like the bad guys, you must think like they think.
It’s absolutely critical to know your enemy; see Chapter 2 for details.
Part V: Application Hacking
Application security is gaining more visibility in the information-security arena
these days. An increasing number of attacks are aimed directly at applications,
and these attacks often bypass firewalls, intrusion-detection systems, and
antivirus software. This part discusses hacking specific applications,
including coverage on malicious software and messaging systems,
along with practical countermeasures that you can put in place to make your
applications more secure.
One of the most common network attacks is on Web applications. Practically
every firewall lets Web traffic into and out of the network, so most attacks are
against the millions of Web applications available to almost anyone. This part
covers Web application hack attacks, countermeasures, and some application
hacking case studies for real-world security testing scenarios.
Part VI: Ethical Hacking Aftermath
After you’ve performed your ethical hack attacks, what do you do with the
information you’ve gathered? Shelve it? Show it off? How do you move forward?
This part answers all these questions and more. From developing
reports for upper management to remediating the security flaws that you discover
to establishing procedures for your ongoing ethical hacking efforts,
this part brings the ethical hacking process full circle. This information not
only ensures that your effort and time are well spent, but also is evidence
that information security is an essential element for success in any business
that depends on computers and information technology.
Part VII: The Part of Tens
This part contains tips to help ensure the success of your ethical hacking
program. You find out how to get upper management to buy into your ethical
hacking program so you can get going and start protecting your systems. This
part also includes the top ten ethical hacking mistakes to avoid and my top
ten tips for ethical hacking success.
Part VIII: Appendixes
This part includes two appendixes that cover ethical hacking reference materials.
This includes a one-stop reference listing of ethical hacking tools and
resources, as well as information on the Hacking For Dummies Web site.
How This Book Is Organized
This book is organized into eight parts — six regular chapter parts, a Part of
Tens, and a part with appendixes. These parts are modular, so you can jump
around from one part to another as needed. Each chapter provides practical
methodologies and best practices you can utilize as part of your ethical hacking
efforts, including checklists and references to specific tools you can use,
as well as resources on the Internet.
Part I: Building the Foundation for Ethical Hacking
This part covers the fundamental aspects of ethical hacking. It starts with an
overview of the value of ethical hacking and what you should and shouldn’t
do during the process. You get inside the hacker’s mindset and discover how
to plan your ethical hacking efforts. This part covers the steps involved in
the ethical hacking process, including how to choose the proper tools.
Part II: Putting Ethical Hacking in Motion
This part gets you rolling with the ethical hacking process. It covers several
well-known hack attacks, including social engineering and cracking passwords,
to get your feet wet. The techniques presented are some of the most
widely used hack attacks. This part covers the human and physical elements
of security, which tend to be the weakest links in any information-security
program. After you plunge into these topics, you’ll know the tips and tricks
required to perform common general hack attacks against your systems, as
well as specific countermeasures to keep your information systems secure.
Part III: Network Hacking
Starting with the larger network in mind, this part covers methods to test
your systems for various well-known network infrastructure vulnerabilities.
From weaknesses in the TCP/IP protocol suite to wireless network insecurities,
you find out how networks are compromised using specific methods of
flawed network communications, along with various countermeasures that
you can implement to keep from becoming a victim. This part also includes
case studies on some of the network hack attacks that are presented.
Part IV: Operating System Hacking
Practically all operating systems have well-known vulnerabilities that hackers
often use. This part jumps into hacking three widely used operating systems:
Windows, Linux, and NetWare. The hacking methods include scanning your
operating systems for vulnerabilities and enumerating the specific hosts to
gain detailed information. This part also includes information on exploiting
well-known vulnerabilities in these operating systems, taking over operating
systems remotely, and specific countermeasures that you can implement to
make your operating systems more secure. This part also includes case studies
on operating-system hack attacks.
What You Don’t Need to Read
Depending on your computer and network configurations, you may be able to
skip chapters. For example, if you aren’t running Linux or wireless networks,
you can skip those chapters.
Foolish Assumptions
I make a few assumptions about you, aspiring information-security person:
You’re familiar with basic computer-, network-, and information-security-related
concepts and terms.
You have a basic understanding of what hackers do.
You have access to a computer and a network on which to test these
techniques.
You have access to the Internet in order to obtain the various tools used
in the ethical hacking process.
You have permission to perform the hacking techniques in this book.
How to Use This Book
This book includes the following features:
Various technical and nontechnical hack attacks and their detailed
methodologies
Hack-attack case studies from well-known and anonymous hackers and
other security experts
Specific countermeasures to protect against hack attacks
Each chapter is an individual reference on a specific ethical hacking subject.
You can refer to individual chapters that pertain to the type of systems you’re
assessing, or you can read the book straight through.
Before you start hacking your systems, familiarize yourself with the information
in Part I so you’re prepared for the tasks at hand. The adage “if you fail
to plan, you plan to fail” rings true for the ethical hacking process. You must
get written permission and have a solid game plan.
This material is not intended to be used for unethical or illegal
About This Book
Hacking For Dummies is a reference guide on hacking computers and network
systems. The ethical hacking techniques are based on the unwritten rules of
computer system penetration testing and information-security best practices.
This book covers everything from establishing your hacking plan to testing
your systems to managing an ongoing ethical hacking program. Realistically,
for many networks, operating systems, and applications, thousands of possible
hacks exist. I cover the major ones that you should be concerned about.
Whether you need to assess security vulnerabilities on a small home-office
network, a medium-size corporate network, or across large enterprise systems,
Hacking For Dummies provides the information you need.
Wednesday, November 12, 2008
Who Should Read This Book?
If you want to find out how to maliciously break into wireless networks, this
book is not for you. In fact, we feel so strongly about this that we provide the
following disclaimer.
If you choose to use the information in this book to maliciously hack or
break into wireless systems in an unauthorized fashion — you’re on your
own. Neither Kevin nor Peter as the co-authors nor anyone else associated
with this book shall be liable or responsible for any unethical or criminal
choices you may make using the methodologies and tools we describe. This
book and its contents are intended solely for IT professionals who wish to
test the security of wireless networks in an authorized fashion.
So, anyway, this book is for you if you’re a network administrator, information-security
manager, security consultant, wireless-network installer, or anyone
interested in finding out more about testing 802.11-based wireless networks
in order to make them more secure — whether it’s your own wireless network
or that of a client that you’ve been given permission to test.
About This Book
Hacking Wireless Networks For Dummies is inspired by the original Hacking
For Dummies book, which Kevin authored and for which Peter performed the
technical editing. Hacking For Dummies covered a broad range of security testing
topics, but this book focuses specifically on 802.11-based wireless networks.
The techniques we outline are based on information-security best practices,
as well as various unwritten rules of engagement. This book covers the entire
ethical-hacking process, from establishing your plan to carrying out the tests
to following up and implementing countermeasures to ensure your wireless
systems are secure.
There are literally hundreds, if not thousands, of ways to hack wireless network
systems such as (for openers) laptops and access points (APs). Rather
than cover every possible vulnerability that may rear its head in your wireless
network, we’re going to cover just the ones you should be most concerned
about. The tools and techniques we describe in this book can help
you secure wireless networks at home, in small-to-medium sized businesses
(SMBs) including coffee shops, and even across large enterprise networks
Introduction
Welcome to Hacking Wireless Networks For Dummies. This book outlines
plain-English, wireless-network hacker tricks and techniques you can
use to ethically hack 802.11-based wireless networks (yours or someone else’s
if you’ve been given permission) and discover security vulnerabilities. By
turning the tables and using ethical hacking techniques, you then have a leg
up on the malicious hackers — you’ll be aware of any vulnerabilities that
exist and be able to plug the holes before the bad guys have a chance to
exploit them.
When we refer to ethical hacking, we mean the professional, aboveboard, and
legal type of security testing that you — as an IT professional — can perform
as part of your job. Villains need not apply.
Wireless networks are popping up everywhere. They provide a lot of freedom
but not without cost: All too many wireless networks are left wide open for
attack. As with any other computer or network, you must be up on the latest
security concepts to properly secure 802.11-based wireless networks. But
locking them down involves more than just port scanning and patching
vulnerabilities. You must also have the right security tools, use the
proper testing techniques, and possess a watchful eye. And know your enemy:
It’s critical to think like a hacker to get a true sense of how secure your information
really is.
Ethical hacking is a means of using the bad-guy (black-hat) techniques for
good-guy (white-hat) purposes. It’s testing your information systems with the
goal of making them more secure — and keeping them that way. This type of
security testing is sometimes called penetration testing, white-hat hacking, or
vulnerability testing, but it goes further than that as you’ll see when we outline
the methodology in this book.
If you use the resources provided in this book, maintain a security-focused
mindset, and dedicate some time for testing, we believe you’ll be well on your
way to finding the weaknesses in your wireless systems and implementing
countermeasures to keep the bad guys off your airwaves and out of your
business.
The ethical hacking tests and system-hardening tips outlined in this book can
help you test and protect your wireless networks at places like warehouses,
coffee shops, your office building, your customer sites, and even at your house
80C51 Family
Indirect Addressing
In indirect addressing the instruction specifies a register which
contains the address of the operand. Both internal and external
RAM can be indirectly addressed.
The address register for 8-bit addresses can be R0 or R1 of the
selected bank, or the Stack Pointer. The address register for 16-bit
addresses can only be the 16-bit “data pointer” register, DPTR.
Register Instructions
The register banks, containing registers R0 through R7, can be
accessed by certain instructions which carry a 3-bit register
specification within the opcode of the instruction. Instructions that
access the registers this way are code efficient, since this mode
eliminates an address byte. When the instruction is executed, one of
the eight registers in the selected bank is accessed. One of four
banks is selected at execution time by the two bank select bits in the
PSW.
Register-Specific Instructions
Some instructions are specific to a certain register. For example,
some instructions always operate on the Accumulator, or Data
Pointer, etc., so no address byte is needed to point to it. The opcode
itself does that. Instructions that refer to the Accumulator as A
assemble as accumulator specific opcodes.
Immediate Constants
The value of a constant can follow the opcode in Program Memory.
For example,
MOV A, #100
loads the Accumulator with the decimal number 100. The same
number could be specified in hex digits as 64H.
Indexed Addressing
Only Program Memory can be accessed with indexed addressing,
and it can only be read. This addressing mode is intended for
reading look-up tables in Program Memory. A 16-bit base register
(either DPTR or the Program Counter) points to the base of the
table, and the Accumulator is set up with the table entry number.
The address of the table entry in Program Memory is formed by
adding the Accumulator data to the base pointer.
Another type of indexed addressing is used in the “case jump”
instruction. In this case the destination address of a jump instruction
is computed as the sum of the base pointer and the Accumulator
data.
Arithmetic Instructions
The menu of arithmetic instructions is listed in Table 1. The table
indicates the addressing modes that can be used with each
instruction to access the operand. For example, the ADD A,<byte>
instruction can be written as:
ADD A, 7FH (direct addressing)
ADD A, @R0 (indirect addressing)
ADD A, R7 (register addressing)
ADD A, #127 (immediate constant)
The execution times listed in Table 1 assume a 12 MHz clock
frequency. All of the arithmetic instructions execute in 1 µs except
the INC DPTR instruction, which takes 2 µs, and the Multiply and
Divide instructions, which take 4 µs.
Note that any byte in the internal Data Memory space can be
incremented without going through the Accumulator.
One of the INC instructions operates on the 16-bit Data Pointer. The
Data Pointer is used to generate 16-bit addresses for external
memory, so being able to increment it in one 16-bit operation is a
useful feature.
The MUL AB instruction multiplies the Accumulator by the data in
the B register and puts the 16-bit product into the concatenated B
and Accumulator registers.
The DIV AB instruction divides the Accumulator by the data in the B
register and leaves the 8-bit quotient in the Accumulator, and the
8-bit remainder in the B register.
Oddly enough, DIV AB finds less use in arithmetic “divide” routines
than in radix conversions and programmable shift operations. An
example of the use of DIV AB in a radix conversion will be given
later. In shift operations, dividing a number by 2^n shifts it n bits to
the right. Using DIV AB to perform the division completes the shift in
4 µs and leaves the B register holding the bits that were shifted out.
The DA A instruction is for BCD arithmetic operations. In BCD
arithmetic, ADD and ADDC instructions should always be followed
by a DA A operation, to ensure that the result is also in BCD. Note
that DA A will not convert a binary number to BCD. The DA A
operation produces a meaningful result only as the second step in
the addition of two BCD bytes.
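Added example, not part of the datasheet text: a small C reference model of ADD, DA A, MUL AB and DIV AB with the flag behaviour described above, used to check the add-then-DA A rule for BCD bytes and the two DIV AB idioms the text mentions (a programmable right shift and a binary-to-BCD radix conversion). The cpu_t structure and the wrapper function names are this example's own, not names from the 80C51 documentation.

```c
#include <stdint.h>
#include <stdio.h>

/* Registers and PSW flags touched by ADD, DA A, MUL AB and DIV AB.
 * The struct is hypothetical; the datasheet only names the registers. */
typedef struct {
    uint8_t a;   /* Accumulator */
    uint8_t b;   /* B register */
    uint8_t cy;  /* PSW.7 carry */
    uint8_t ac;  /* PSW.6 auxiliary carry (carry out of bit 3) */
    uint8_t ov;  /* PSW.2 overflow */
} cpu_t;

/* ADD A,#data: 8-bit add that sets CY, AC and OV as the 80C51 does. */
static void add_imm(cpu_t *c, uint8_t data) {
    unsigned sum = (unsigned)c->a + data;
    c->ac = ((c->a & 0x0F) + (data & 0x0F)) > 0x0F;
    c->cy = sum > 0xFF;
    /* Signed overflow: operands share a sign and the result's sign differs. */
    c->ov = ((~(c->a ^ data)) & (c->a ^ (uint8_t)sum) & 0x80) != 0;
    c->a = (uint8_t)sum;
}

/* DA A: adjust the result of adding two packed-BCD bytes. Adds 06H if the
 * low nibble exceeds 9 or AC is set, then 60H if the high nibble exceeds 9
 * or CY is set. CY can be set but never cleared. This is not a binary-to-BCD
 * conversion, which is why it is only meaningful right after ADD/ADDC. */
static void da_a(cpu_t *c) {
    unsigned v = c->a;
    if ((v & 0x0F) > 9 || c->ac) {
        v += 0x06;
        if (v > 0xFF) { c->cy = 1; v &= 0xFF; }
    }
    if (((v >> 4) & 0x0F) > 9 || c->cy) {
        v += 0x60;
        if (v > 0xFF) { c->cy = 1; v &= 0xFF; }
    }
    c->a = (uint8_t)v;
}

/* MUL AB: unsigned 8x8 product, low byte in A, high byte in B.
 * OV is set when the product exceeds 255 (B != 0); CY is cleared. */
static void mul_ab(cpu_t *c) {
    unsigned p = (unsigned)c->a * c->b;
    c->a = (uint8_t)(p & 0xFF);
    c->b = (uint8_t)(p >> 8);
    c->ov = c->b != 0;
    c->cy = 0;
}

/* DIV AB: unsigned quotient in A, remainder in B, CY and OV cleared.
 * Division by zero sets OV and leaves A and B undefined on real silicon;
 * this model leaves them unchanged. */
static void div_ab(cpu_t *c) {
    c->cy = 0;
    if (c->b == 0) { c->ov = 1; return; }
    uint8_t q = c->a / c->b, r = c->a % c->b;
    c->a = q;
    c->b = r;
    c->ov = 0;
}

/* Packed-BCD add as the text prescribes: ADD A,#y followed by DA A.
 * Returns (CY << 8) | A, so a decimal carry appears as bit 8. */
uint16_t bcd_add(uint8_t x, uint8_t y) {
    cpu_t c = { .a = x };
    add_imm(&c, y);
    da_a(&c);
    return (uint16_t)((c.cy << 8) | c.a);
}

/* Right shift by n (1..7) using DIV AB with B = 2^n. Returns (B << 8) | A:
 * A holds the shifted value, B the n bits that were shifted out. */
uint16_t div_shift_right(uint8_t value, unsigned n) {
    cpu_t c = { .a = value, .b = (uint8_t)(1u << n) };
    div_ab(&c);
    return (uint16_t)((c.b << 8) | c.a);
}

/* Radix conversion with DIV AB: binary 0..255 to three BCD digits
 * (hundreds in bits 11-8, tens in bits 7-4, ones in bits 3-0). */
uint16_t bin_to_bcd(uint8_t value) {
    cpu_t c = { .a = value, .b = 10 };
    div_ab(&c);                       /* A = value / 10, B = ones digit */
    uint8_t ones = c.b;
    c.b = 10;
    div_ab(&c);                       /* A = hundreds, B = tens */
    return (uint16_t)((c.a << 8) | (c.b << 4) | ones);
}

/* Product of two bytes via MUL AB, returned as the B:A register pair. */
uint16_t mul_bytes(uint8_t x, uint8_t y) {
    cpu_t c = { .a = x, .b = y };
    mul_ab(&c);
    return (uint16_t)((c.b << 8) | c.a);
}

int main(void) {
    printf("47H + 38H then DA A -> %03X\n", bcd_add(0x47, 0x38));      /* 085 */
    printf("99H + 01H then DA A -> %03X\n", bcd_add(0x99, 0x01));      /* 100 */
    printf("B5H >> 4 via DIV AB -> B:A = %04X\n", div_shift_right(0xB5, 4)); /* 050B */
    printf("254 to BCD via DIV AB -> %03X\n", bin_to_bcd(254));        /* 254 */
    printf("200 * 200 via MUL AB -> B:A = %04X\n", mul_bytes(200, 200)); /* 9C40 */
    return 0;
}
```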
In indirect addressing the instruction specifies a register which
contains the address of the operand. Both internal and external
RAM can be indirectly addressed.
The address register for 8-bit addresses can be R0 or R1 of the
selected bank, or the Stack Pointer. The address register for 16-bit
addresses can only be the 16-bit “data pointer” register, DPTR.
Register Instructions
The register banks, containing registers R0 through R7, can be
accessed by certain instructions which carry a 3-bit register
specification within the opcode of the instruction. Instructions that
access the registers this way are code efficient, since this mode
eliminates an address byte. When the instruction is executed, one of
the eight registers in the selected bank is accessed. One of four
banks is selected at execution time by the two bank select bits in the
PSW.
Register-Specific Instructions
Some instructions are specific to a certain register. For example,
some instructions always operate on the Accumulator, or Data
Pointer, etc., so no address byte is needed to point to it. The opcode
itself does that. Instructions that refer to the Accumulator as A
assemble as accumulator specific opcodes.
Immediate Constants
The value of a constant can follow the opcode in Program Memory.
For example,
MOV A, #100
loads the Accumulator with the decimal number 100. The same
number could be specified in hex digits as 64H.
Indexed Addressing
Only program Memory can be accessed with indexed addressing,
and it can only be read. This addressing mode is intended for
reading look-up tables in Program Memory A 16-bit base register
(either DPTR or the Program Counter) points to the base of the
table, and the Accumulator is set up with the table entry number.
The address of the table entry in Program Memory is formed by
adding the Accumulator data to the base pointer.
Another type of indexed addressing is used in the “case jump”
instruction. In this case the destination address of a jump instruction
is computed as the sum of the base pointer and the Accumulator
data.
Arithmetic Instructions
The menu of arithmetic instructions is listed in Table 1. The table
indicates the addressing modes that can be used with each
instruction to access the
A,
ADD a, 7FH (direct addressing)
ADD A, @R0 (indirect addressing)
ADD a, R7 (register addressing)
ADD A, #127 (immediate constant)
The execution times listed in Table 1 assume a 12MHz clock
frequency. All of the arithmetic instructions execute in 1ms except
the INC DPTR instruction, which takes 2ms, and the Multiply and
Divide instructions, which take 4ms.
Note that any byte in the internal Data Memory space can be
incremented without going through the Accumulator.
One of the INC instructions operates on the 16-bit Data Pointer. The
Data Pointer is used to generate 16-bit addresses for external
memory, so being able to increment it in one 16-bit operation is a
useful feature.
The MUL AB instruction multiplies the Accumulator by the data in
the B register and puts the 16-bit product into the concatenated B
and Accumulator registers.
The DIV AB instruction divides the Accumulator by the data in the B
register and leaves the 8-bit quotient in the Accumulator, and the
8-bit remainder in the B register.
Oddly enough, DIV AB finds less use in arithmetic “divide” routines
than in radix conversions and programmable shift operations. An
example of the use of DIV AB in a radix conversion will be given
later. In shift operations, dividing a number by 2^n shifts it n bits to
the right. Using DIV AB to perform the division completes the shift in
4 µs and leaves the B register holding the bits that were shifted out.
The DA A instruction is for BCD arithmetic operations. In BCD
arithmetic, ADD and ADDC instructions should always be followed
by a DA A operation, to ensure that the result is also in BCD. Note
that DA A will not convert a binary number to BCD. The DA A
operation produces a meaningful result only as the second step in
the addition of two BCD bytes.
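As an added example (not code from the page or from the 8051 documentation it summarizes), the following C model implements MUL AB, DIV AB, ADD and DA A on a small register struct and then uses them for the three things described above: the two-step BCD addition, a binary-to-decimal radix conversion with DIV AB, and a programmable right shift by 2^n. The DA A adjustment rule (correct the low nibble if it exceeds 9 or AC is set, then the high nibble if it exceeds 9 or CY is set) is the standard 8051 behaviour and is not spelled out on the page; the OV flag is not modelled, DIV AB by zero is reported as a failure rather than via OV, and the `cpu8051` struct and all function names are this example's own.

```c
#include <stdint.h>

/* Minimal model of the 8051 registers these instructions touch. Flag
   handling is simplified: OV is not modelled. Constructed example. */
typedef struct {
    uint8_t a;   /* Accumulator */
    uint8_t b;   /* B register */
    uint8_t cy;  /* carry flag, PSW.7 */
    uint8_t ac;  /* auxiliary carry out of bit 3, PSW.6 */
} cpu8051;

/* MUL AB: 16-bit product, low byte in A, high byte in B; CY cleared. */
static void mul_ab(cpu8051 *c) {
    uint16_t p = (uint16_t)c->a * c->b;
    c->a = (uint8_t)p;
    c->b = (uint8_t)(p >> 8);
    c->cy = 0;
}

/* DIV AB: 8-bit quotient in A, 8-bit remainder in B. Division by zero
   leaves A and B unchanged and returns 0 (the real part flags it in OV). */
static int div_ab(cpu8051 *c) {
    if (c->b == 0) return 0;
    uint8_t q = c->a / c->b, r = c->a % c->b;
    c->a = q;
    c->b = r;
    c->cy = 0;
    return 1;
}

/* ADD A,#imm with the AC and CY updates that DA A depends on. */
static void add_a(cpu8051 *c, uint8_t v) {
    uint16_t sum = (uint16_t)c->a + v;
    c->ac = ((c->a & 0x0F) + (v & 0x0F)) > 0x0F;
    c->cy = sum > 0xFF;
    c->a = (uint8_t)sum;
}

/* DA A: adjust the binary sum of two packed-BCD bytes back to BCD.
   Low nibble first (if > 9 or AC set), then high nibble (if > 9 or CY
   set); the second correction sets CY so multi-byte BCD adds can chain. */
static void da_a(cpu8051 *c) {
    uint16_t v = c->a;
    if ((v & 0x0F) > 9 || c->ac) v += 0x06;
    if ((v & 0xF0) > 0x90 || c->cy || v > 0xFF) {
        v += 0x60;
        c->cy = 1;
    }
    c->a = (uint8_t)v;
}

/* The two-step BCD addition the text prescribes: ADD, then DA A. */
static uint8_t bcd_add(uint8_t x, uint8_t y, uint8_t *carry) {
    cpu8051 c = { x, 0, 0, 0 };
    add_a(&c, y);
    da_a(&c);
    *carry = c.cy;
    return c.a;
}

/* DA A on a plain binary value with clear flags: it does NOT convert
   binary to BCD (0x2C, decimal 44, comes out as 0x32, not 0x44). */
static uint8_t da_a_alone(uint8_t v) {
    cpu8051 c = { v, 0, 0, 0 };
    da_a(&c);
    return c.a;
}

/* Radix conversion with DIV AB: one byte into three decimal digits.
   DIV by 100 leaves hundreds in A and the rest in B; DIV by 10 then
   splits the rest into tens (A) and ones (B). */
static void bin_to_digits(uint8_t value, uint8_t digits[3]) {
    cpu8051 c = { value, 100, 0, 0 };
    div_ab(&c);
    digits[0] = c.a;
    c.a = c.b;
    c.b = 10;
    div_ab(&c);
    digits[1] = c.a;
    digits[2] = c.b;
}

/* Programmable shift with DIV AB: dividing by 2^n shifts A right by n
   bits (n in 0..7) and leaves the shifted-out bits in B. */
static uint8_t shift_right_div(uint8_t value, unsigned n, uint8_t *shifted_out) {
    cpu8051 c = { value, (uint8_t)(1u << n), 0, 0 };
    div_ab(&c);
    *shifted_out = c.b;
    return c.a;
}
```

The `da_a_alone` function exists only to make the page's caveat concrete: fed 0x2C with no preceding ADD, DA A returns 0x32, so it cannot be used as a binary-to-BCD converter. The zero check in `div_ab` is the one edge case a firmware author has to handle explicitly on the real part, where DIV AB signals it through OV rather than trapping.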
7 Step Plan To Get Going With Networking
Whether you're an introvert or an extrovert, feel like you have the gift of gab or just don't know how to make small talk, networking know-how is very important for your business success. There is a notion in business that I believe most of us subscribe to that says "all things being equal, people will do business with and refer business to those they know, like and trust." And the key to this is obviously being able to develop relationships.
Think of networking as the cultivation of mutually beneficial, win-win relationships. In order to be win-win, there must be GIVE and take (notice the emphasis on give). Networking shouldn't be viewed as "events" where you go to sell your business. When effective networking is taking place, the parties involved actively share ideas, information, resources, etc.
Ok, so you know that you should be networking because it is one of the most cost-effective lead generation activities when used wisely, appropriately and professionally. But, maybe that seems easier said than done. Here's a seven step plan to really get going with networking for your business.
1. Check out several groups to find the best chemistry and perceived value. Most groups will allow you to come and visit at least a couple of times before you have to join. Go and ask around to find out why others have joined and what value they get out of belonging.
Resist the urge to just go join the Chamber of Commerce simply because everyone tells you that's what you need to do. If that's not where your target group can be found, then you might just be wasting a considerable amount of time (and money).
I'm not telling you not to join the Chamber. Just be clear about what you'd like to get out of this or any other group. If it's to find prospective clients or referral sources, then you need to be networking where those resources can be found.
2. When you find a group or two, join and go to all the meetings you can. Don't go just once or twice expecting things to happen and then, if they don't, quit. Building mutually beneficial, win-win relationships will take some time.
The contacts you make need to constantly see your face and hear your message. Continual contact with others over time will open up opportunities for you to go deeper and learn more about each other's thoughts, ideas and capabilities in regard to your respective businesses.
Know, like, and trust generally only happens over time. Being regular and persistent will pay off.
3. Get involved - be visible. Do as much as you can to make yourself more visible within the organization. Volunteer to help with meetings, be on committees, or become a leader or board member.
Being involved does a couple of things for you and your business. First, you'll get more opportunities to establish connections and get to know some of the contacts you've made even better. Secondly, the higher the visibility you have in the group, the less you'll have to work to make new connections. Instead, as new people come into the group, they will likely seek you out because they view you as a leader within the organization.
4. Keep your circles of contacts informed. Don't just assume that running into someone once a month (or even once a week) will cause them to start doing business with you or sending it your way. You need to let them know what's going on when you're not at that particular group in order to inform and educate them.
Send them invitations to your events or open houses. Send them email or letters to share big news or success stories, especially anything of relevance to them or those in their networks of contacts. If you believe that you have valuable ideas, information and resources to share with others, then doesn't this just make sense?
5. Work at GIVING referrals and sharing valuable information. That's right, you need to be willing to GIVE before you get. That means you need to get to know other members and what makes a good prospect for them. What kinds of information might you have access to that could be useful to them?
You may initially think you don't have much of value to share with others (besides your business and what you provide). Part of the key to getting good at giving is to not make assumptions. For example, don't assume that some basic resource (e.g., a web site) that you're aware of is familiar to someone you might be talking to just because they are the "expert" in that field. Be willing to ask if they know about the resource and ready to share if they don't.
Want to get better at actually giving referrals? Here's a simple question to ask someone you're connecting with. "How am I going to know when I meet a really good prospect for you?"
Just the fact that you are willing to explore giving will elevate your know, like and trust factor.
6. Focus on Quality, not Quantity, Quantity, Quantity. It's not necessarily about the number of connections you make, but about the quality of the ones you do make. Are they mutually beneficial, win-win relationships?
Quality connections will be identifiable because all involved parties will be actively sharing ideas, information, and resources. Yes, it is true that you need to spend some time and effort getting to know the other person(s) and what's important to them. But, you also need to be clear and actively thinking about what information or resources you want and need.
Staying in touch with and following up with a smaller number of quality relationships will generally be much more productive than trying to follow up with a larger number of superficial contacts.
7. Be persistent, but be patient. The goal of a networking event shouldn't necessarily be to come away with prospects every time you go out, but to come away with great connections. Networking usually takes time to get the relationships developed and nurtured.
Don't approach networking as a scary proposition or a necessary evil for being in business. Take the pressure off yourself and really focus on how you might be able to connect with someone you meet. Focus on them first and look for ways to be useful to them. As you become known as a connector you'll eventually be ready to reap what you sow.