Welcome to

PES University Executive Education

Ring Road Campus, Bengaluru
Ethical Hacking
Prof . Sushma E
Lecture 1
 Emergency Exit Assembly Point Washroom

No Chatting Phones on silent No Sleeping

Ethical Hacking 3
A Note on Security

☞ In this course, you will be exposed to information about security problems

and vulnerabilities with computing systems and networks.
☞ To be clear, you are not to use this or any other similar information to test
the security of, break into, compromise, or otherwise attack, any system or
network without the express consent of the owner.
☞ In particular, you will comply with all my instructions when doing the labs.
• My instructions are in consonance with applicable laws of India and PES
University policies.
• If in any doubt, please consult your professor!
☞ Any violation is at YOUR RISK!
And may result in severe consequences.
Ethical Hacking 4
Course Mechanics - Ethical Hacking

Ethical Hacking Education

ISFCR Executive 5
Prerequisites
☞ Students
• Should have a good understanding and strong foundation in
Computer Network Software security, Web security and
Cryptography concepts
• Should have a taken the course on Computer Networks
Security, Information security, cryptography
• Have a passion for Scripting/programming and Web
technologies
• Students should be interested in hands on

Ethical Hacking 6
Grading Scheme for Ethical hacking
Assessment policy: In Semester Assessment (ISA) Max : 30
Assessment policy: End Semester Assessment (ESA) Max: 20
Total = ISA + ESA = 50 marks

Activity Marks Remarks

ISA 1 30 Scale down to 10

ISA 2 20 Scale down to 10

Assignment 30 (approx.) Scale down to 5

Total Marks ISA 25

ESA 25

Total marks 50

Ethical Hacking 7
Course Mechanics - Instructor:

☞ Sushma: https://staff.pes.edu/nm1218

Your feedback is essential and is encouraged!

Email: [email protected]

Ethical Hacking 8
About Me

Sushma E
Experience:
● 4+ years of Experience in Teaching/
Research and 3 years in industry.
● Certified Ethical hacker from EC
council

Education:
● M.Tech(SE) – JNTUH. Bachelor of
Technology(CSE) – JNTUH, India.

Currently: Since 2019

● Assistant Professor - Computer Science
and Engineering, PES University

Courses Handled:
● Computer Network Security,
Information Security, Ethical Hacking,
Web security

Ethical Hacking 9
Course Objectives and Outcomes
Information Security

UE20CS346
Ethical
ISFCR Executive
Hacking
- Information
Education
Security 10
What is our goal in this course?

☞ Understand the key concepts underpinning Security

☞ Apply the concepts to solve real issues/problems.
☞ Higher Quality learning - LEARN by DOING!
• Learn to install and use various industry leading tools to
understand offensive and defensive security.
• Learn by doing the Labs
• Learn by doing Assignments
☞ Learn from discussions using Harvard Cases on Security
☞ Peer Learning

Ethical Hacking 11
What is our goal in this course?
☞ Our primary goal :

☞ Find weaknesses and vulnerabilities in security through penetration testing

☞ Find areas where sensitive data could be compromised in a cyber attack
☞ Attempt to exploit vulnerabilities as a malicious hacker would
☞ Give recommendations for protection
☞ Retest after recommendations are in place to ensure security

Ethical Hacking 12
What Will You Learn In This Class?

Ethical Hacking 13
Outcomes in summary

Be aware of
different methods
to protect your Data
across computer systems
And how to secure the same!

Ethical Hacking 14
Cybersecurity Career Outlook

Ethical Hacking 15
Cybersecurity Career Outlook

Ethical Hacking 16
Cybersecurity Career Outlook

Ethical Hacking 17
Cybersecurity career outlook
☞ Global cybersecurity job vacancies grew by 350 percent, from one million
openings in 2013 to 3.5 million in 2021, according to Cybersecurity
Ventures.
☞ The number of unfilled jobs leveled off in 2022, and remains at 3.5 million
in 2023, with more than 750,000 of those positions in the U.S.
☞ Industry efforts to source new talent and tackle burnout continues, but we
predict that the disparity between demand and supply will remain through
at least 2025

Ethical Hacking 18
Cyber Crime crisis

Ethical Hacking 19
Recent Cyber Attacks
Finnish Parliament Attack
In August 2022, the Finnish parliament's website experienced a DDoS attack while the parliament was in session. This
denial-of-service attack may be part of a coordinated campaign by Russian state-sponsored hackers to disrupt the Finnish
government’s websites in retaliation for the application to join NATO. A DDoS attack temporarily blocks access to a
website but does not cause permanent destruction.

Ukrainian State Nuclear Power Company Attack

The Russian “hacktivist” group called the People’s Cyber Army engaged 7.25 million bots in August 2022 in a bot attack to
take the Energoatom website down. It used a flood of garbage web traffic and webpage requests. A disruption of online
services lasted for a few hours, but no permanent negative impact remained. The attack was part of a Russian psyops
campaign to create fear of a nuclear disaster and terrorize Europeans.

Greek Natural Gas Distributor Attack

Greek national gas distributor DESFA reported an incidence of a cyber attack in August 2022. The attack impacted part of
the company’s IT infrastructure and caused a data leak. The ransomware operation of cybercriminals called Ragnar Locker
is holding the stolen data hostage. They demand ransom not to expose sensitive data. The company refused to make a
payment.

Ethical Hacking 20
Recent Cyber Attacks
Attack on VMware ESXi

● Date: February 3, 2023

● Attack type: ESXiArgs Ransomware Attack
● Target: Unpatched VMware ESXi prior to version 6.7
● Vulnerability: CVE-2021-21974. Vulnerable Open Service Location Protocol
● Perpetrators: Nevada (Unconfirmed)
● Impact: Nearly 1000 ESXi servers have been infected

Bank Accounts Hacked in Nepal

● Date: February 3, 2023

● Attack type: credential theft
● Target: Individuals using net banking
● Impact: Several million rupees stolen

Ethical Hacking 21
Recent Cyber Attacks

Ethical Hacking 22
Introduction to Ethical Hacking

Ethical Hacking Education

ISFCR Executive 23
Outline
☞ What is cybersecurity?
☞ What is hacking? What is ethical hacking?
☞ Who are hackers? What are their motivations?
☞ Types of Hackers [Black hat, Grey hat and White hat hackers]
☞ Hacking Vocabulary/Jargon
☞ Potential Attack vectors
☞ Five stages of Ethical Hacking
☞ Why do we need Ethical Hacking?
☞ Red Team, Blue Team and Purple Team
☞ What is Pentesting? What is bug-bounty?
☞ Legalities associated with Ethical Hacking
☞ Getting started with CTFs
Ethical Hacking 24
What is Cybersecurity?

● Cybersecurity is the practice of protecting systems, networks,

and programs from digital attacks.
● These cyber attacks are usually aimed at accessing, changing, or
destroying sensitive information; extorting money from users
via ransomware; or interrupting normal business processes.

Ethical Hacking 25
What is Hacking?

• Hacking in cyber security refers to the

misuse of devices like computers,
smartphones, tablets, and networks
to cause damage to or corrupt
systems, gather information on users,
steal data and documents, or disrupt
data-related activity.

• A traditional view of hackers is a rogue programmer who is highly skilled in

coding and modifying computer software and hardware systems.
Ethical Hacking 26
What is “Ethical” about Hacking?

• Professionals are frequently assigned to hack their

computer networks.

• Ethical hacking is permissible because an ethical hacker's

admission into a network is allowed by the company that
operates that network.

Ethical Hacking 27
What is Ethical Hacking?
• Ethical hacking involves an
authorized attempt to gain
unauthorized access to a computer
system, application, or data.
Carrying out an ethical hack involves
duplicating strategies and actions of
malicious attackers.

• This practice helps to identify

security vulnerabilities which can
then be resolved before a malicious
attacker has the opportunity to
exploit them.
Ethical Hacking 28
Who are Hackers?
• Hackers are individuals who have
extensive knowledge of computer systems
and networks.

• A hacker is a person skilled in information

technology.

Ethical Hacking 29
Why do Hackers Hack?
• Just for fun.
• To show off their skills and knowledge.

• Notify many people of their thought process.

• Steal important information (Data Theft).

• Destroy enemy’s computer network during the war. (Cyber Warfare)

• Financial Gain

• Ideological Motives

Ethical Hacking 30
Types of Hackers

• Black-Hat Hacker
• Grey-Hat Hacker
• White-Hat Hacker

Ethical Hacking 31
Black-Hat Hacker

● Black hat hackers or crackers are

individuals with extraordinary
computing skills, resorting to
malicious or destructive activities.

● That is black hat hackers use their

knowledge and skill for their own
personal gains probably by hurting
others.

Ethical Hacking 32
White-Hat Hacker

● White hat hackers are those

individuals professing hacker skills
and using them for defensive
purposes.

● This means that the white hat

hackers use their knowledge and skill
for the good of others and for the
common good.

Ethical Hacking 33
Grey-Hat Hacker
● These are individuals who work both
offensively and defensively at various
times.

● We cannot predict their behavior.

● Sometimes they use their skills for the

common good while in some other
times they use them for their personal
gains

Ethical Hacking 34
 Hacking Vocabulary - 1
● Hack value - Perceived value or worth of a target as seen by
the attacker.

● Vulnerability - A system flaw, weakness on the system.

● Threat - Exploits a vulnerability.

● Exploit - Exploits are a way of gaining access to a system

through a security flaw and taking advantage of the flaw for

their benefit.

Ethical Hacking 35
Hacking Vocabulary - 2

● Payload - Component of an attack; is the part of the private user text which could also contain
malware such as worms or viruses which performs the malicious action; deleting data, sending
spam or encrypting data.

● Zero-day attack - Attack that occurs before a vendor knows or is able to patch a flaw.

● Daisy Chaining / Pivoting - It involves gaining access to a network and /or computer and then using
the same information to gain access to multiple networks and computers that contains desirable
information.

● Doxxing - Publishing PII about an individual usually with a malicious intent

Ethical Hacking 36
Attack Vectors
Path by which a hacker can gain access to a host in order to deliver a payload or
malicious outcome

● APT - Advanced Persistent Threats

● Cloud computing / Cloud based technologies

● Viruses, worms, and malware

● Ransomware

Ethical Hacking 37
Attack Vectors

● Botnets
○ Huge network of compromised systems used by an intruder to perform
various network attacks

● Insider attacks
○ Disgruntled employee can damage assets from inside.
○ Huge network of compromised hosts. (used for DDoS).

● Phishing attacks

● Web Application Threats

○ Attacks like SQL injection, XSS (Cross-site scripting)...

Ethical Hacking 38
The Five Stages of Ethical Hacking

Ethical Hacking 39
 1. Reconnaissance
Gathering evidence about targets; There are two types of Recon:

● Passive Reconnaissance: Gain information about targeted

computers and networks without direct interaction with the
systems.

● Active Reconnaissance: Involves direct interaction with the

target.

Ethical Hacking 40
2. Scanning and Enumeration

Obtaining more in-depth information about

targets.

● e.g: Network Scanning, Port Scanning,

Which versions of services are running.

Ethical Hacking 41
3. Gaining Access
Attacks are leveled in order to gain access to a system.

● e.g: Can be done locally (offline), over a LAN or over the

internet.

● Can be done using many techniques like command

injection, buffer overflow, DoS, brute forcing credentials,
social engineering, misconfigurations etc.

Ethical Hacking 42
4.Maintaining Access and 5.Covering Tracks

4. Maintaining Access

Items put in place to ensure future access.

5. Covering Tracks
Steps taken to conceal success and intrusion;
Not be noticed.

Ethical Hacking 43
Why do we need Ethical Hacking?

Ethical Hacking 44
How do companies employ Ethical Hacking?
● Companies integrate ethical hacking to enhance their cybersecurity posture.
● They engage skilled professionals to simulate real-world attacks on their systems, identifying
vulnerabilities before malicious hackers exploit them.
● This proactive approach involves penetration testing as red and blue teams, vulnerability
assessment, and risk analysis.
● This process ensures continuous
improvement, safeguards sensitive data,
and upholds customer trust, ultimately
bolstering the organization's overall
security framework.

Ethical Hacking 45
Red Team

● A group of skilled cybersecurity experts tasked with

simulating real-world attacks on an organization's
systems, applications, and infrastructure.

● Their goal is to identify vulnerabilities and

weaknesses that could potentially be exploited by
malicious hackers.

Ethical Hacking 46
Blue Team

● The defensive counterpart to the red team, the

blue team is responsible for safeguarding an
organization's assets and responding to
simulated attacks.

● Blue teams monitor networks, detect and

mitigate threats, and maintain overall security.
They implement measures to prevent and
mitigate breaches, ensuring the organization's
systems remain resilient and protected.

Ethical Hacking 47
Purple Team
● The purple team approach involves
collaborative efforts between red and blue
teams.

● They work together to share insights, findings,

and expertise. This collaboration enhances
communication, facilitates knowledge
exchange, and leads to the development of
more effective defense strategies.

● The purple team's goal is to bridge the gap between offensive and
defensive operations, fostering a comprehensive and proactive
cybersecurity environment.
Ethical Hacking 48
What is Pentesting?
• Penetration testing, often abbreviated as "pen testing," is a proactive approach to
cybersecurity that involves simulating cyberattacks on computer systems, networks,
applications, or other digital assets to uncover vulnerabilities that could be exploited by
malicious hackers.

• Ethical hackers, known as penetration testers, employ various techniques, tools, and
methodologies to identify weaknesses and assess the effectiveness of security measures.

• The goal of penetration testing is to provide organizations with insights into their security
posture, helping them address vulnerabilities before malicious actors can exploit them.

Ethical Hacking 49
What is Bug Bounty?

• A bug bounty program is a structured initiative offered

by companies, websites, or organizations to encourage
individuals, often security researchers and ethical
hackers, to discover and report security vulnerabilities
or bugs in their software, websites, or applications.

• Participants who find valid security issues are rewarded

with financial compensation, recognition, or other
incentives.
• Bug bounty programs help organizations idenify and fix
vulnerabilities before they can be exploited by
malicious attackers, contributing to enhanced
cybersecurity and strengthening the overall security of
digital platforms.

Ethical Hacking 50
Pentesting vs Bug Bounty

Ethical Hacking 51
 Laws in Ethical Hacking Landscape

1. Computer Fraud and

Abuse Act (CFAA) - (US):
The CFAA criminalizes unauthorized access to computer systems.
Ethical hackers should ensure they have proper authorization before conducting any
testing.

Ethical Hacking 52
Laws in Ethical Hacking Landscape

2. Convention on Cybercrime (Budapest Convention):

Also known as the Budapest Convention, this treaty aims to address
cybercrime globally. It facilitates international cooperation in investigating
and prosecuting cybercrimes, including hacking, data breaches, and
computer-related offenses.

3. General Data Protection Regulation (GDPR) -

European Union: While not specific to ethical hacking, GDPR mandates data
protection practices. Ethical hackers must handle personal data responsibly
and adhere to privacy principles.

Ethical Hacking 53
 Getting Started
With CTF

Ethical Hacking
Executive MTech in Cybersecurity Engineering 54
What is Capture the Flag(CTF)?

● Stands for ‘Capture The Flag’

● Gaming x Hacking
● Participants solve a set of challenges, Solving each challenge gives
them points
● Team with Maximum point at last wins the competition.

● International CTFs have huge pool money for winners

● Reputed CTF players get high paid jobs at Fortune 500 companies.

Ethical Hacking 55
What are Flags?

● Flags are string or pattern of text, carefully hidden

throughout the system or network.
● Solve challenges to find the flag
● Each flag has points , depending on the difficulty level.
● Team with most points (flag) wins the CTF

Ethical Hacking 56
Example of CTF Dashboard

Ethical Hacking 57
 Examples of FLAG Strings

Ethical Hacking
Executive MTech in Cybersecurity Engineering 58
 TYPES OF CHALLENGES IN CTF

WEB PWN Others

Hacking Websites ● Cryptography - decrypting or encrypting a
Exploiting a local server or
to find the flags piece of data
OS to find flags
● Steganography - Tasked with finding
information hidden in files or images
● Binary - Reverse engineering or exploiting a
binary file

Ethical Hacking
Executive MTech in Cybersecurity Engineering 59
Types of CTF

● Jeopardy
○ A set of challenges. Solving each gives points, Next
challenge can be unlocked only after solving previous.
Team with max points win.
● Attack Defense
○ Every team has own network with vulnerable services.
Defend your system, while attacking others system
● Misc
○ A combination of both spread over online and offline
challenges

UE20CS346
Ethical Hacking
- Information Security 60
Ethical Hacking
Executive MTech in Cybersecurity Engineering 61
RESOURCES TO GET STARTED

LEARNING

http://ctfs.github.io/resources/
https://ctftime.org/writeups
Medium Write-ups
r/ctf and r/netsec

Resources

https://cftime.org
https://github.com/apsdehal/awesom
e-ctf - Comprehensive list of tools
and further reading
PRACTICE PRACTICE

Ethical Hacking 62
 Thank you!

Follow us

isfcr.pesu www.isfcr.pes.edu ISFCR