module 1

INTRODUCTION TO ETHICAL HACKING

Syllabus

Introduction to Ethical Hacking, Federal Laws, Ethical Hacking Concepts, Elements of Information Security, Intrusion and Attacks, Types and Profiles of Attackers and Defenders, Attack Targets and Types, the Anatomy of an Attack, Ethical Hacking and Penetration Testing.

• The concept of the "hacker" originated in the 1960s, not from malicious activity but from university computer labs.
• The term was first coined at MIT (Massachusetts Institute of Technology).
• At MIT’s Tech Model Railroad Club (TMRC), a “hack” meant a clever or innovative solution to a technical problem.
  --
• It also referred to a quick, effective prototype of a new program.
• The original hackers were those who excelled at creating smart, creative, and efficient solutions.
  --
• They could fix software flaws, bypass machine limitations, and optimize code
• Innovate and create: the birth of foundational software
• Master the machine: deep understanding and craftsmanship

The Dark Turn: 1980s and the Criminalization of "Hacker"

• In the 1980s, the image of the hacker changed from innovator to criminal.
• As computers became networked, opportunities for malicious use appeared.
  --
• High-profile incidents like the 414s hacking group drew media and government attention.
• Sensationalized reports and fear-driven coverage reshaped the hacker’s public image.
• The term “hacker” became associated with illegal cyber activity instead of technical brilliance.

Media Sensationalism and Pop Culture Influence

• Movies such as WarGames (1983) and Hackers (1995) defined hackers as rebellious cyber-criminals.
• WarGames showed a teen nearly starting a nuclear war, exaggerating hacker power.
• Hackers depicted young anti-establishment geniuses, linking hacking with crime and style.
  --
• Media failed to distinguish between ethical hacking and criminal intrusion.
• This blurred portrayal led society to fear hackers, overshadowing their creative and ethical roots.

Legislative Action: The Criminalization of Hacking

• The 1980s rise in cybercrime led to growing fear and government response.
• Unauthorized access and data theft became major concerns for businesses and governments.
• The Computer Fraud and Abuse Act (CFAA) of 1986 (U.S.) made unauthorized computer access illegal—even without damage or theft.
  --
• While aiming to stop malicious hackers, the law also blurred the line between exploration and crime.
• By the end of the 1980s, “hacker” became a synonym for criminal, overshadowing the original values of creativity and innovation.

CYBER LAW IN INDIA – Overview

• Primary Legislation: Information Technology Act, 2000 (IT Act).

• Based on UNCITRAL Model Law on E-Commerce; provided legal recognition to electronic records & signatures.

• Aimed to promote e-governance and regulate cybercrime & data protection.
  --

• Amendment (2008):

  • Introduced Sensitive Personal Data or Information (SPDI).
  • Strengthened laws on data protection, hacking, and cyber terrorism.

• Key Sections:

  • Sec 43: Unauthorized access.
  • Sec 65: Tampering with source code.
  • Sec 66: Hacking with criminal intent.

--

• Established Cyber Appellate Tribunal (CAT) → later merged into TDSAT.
• Criticism: Reactive, slow to address new threats like social media misuse & zero-day exploits.

Cyber Law Framework & Implementation

• SPDI Rules (2011) under Sec 43A:
  • Mandate security practices and user consent for data handling.
• Sec 69: Government power to intercept, monitor, or decrypt data – criticized for privacy risks.
• Sec 66F: Defines cyber terrorism threatening India’s unity or security.
  --
• Enforcement Agencies:
  • CERT-In – national incident response team.
  • Police cyber cells – enforcement with jurisdictional challenges.
• Reflects balance between digital growth and civil liberties.

Digital Personal Data Protection Act, 2023 (DPDP Act)

• Triggered by 2017 Supreme Court privacy judgment (Puttaswamy case).
• Replaces SPDI rules; comprehensive data protection law.
• Introduces:
  • Data Fiduciary – decides data use.
  • Data Principal – owner of personal data.
    --
• Requires explicit consent, enforces huge penalties for violations.
• Aligns with GDPR and covers offshore data processing.
• Shifts focus from punishing cybercrime → regulating data usage and privacy.

Future of Cyber Law in India

• Must adapt to AI ethics, blockchain, cryptocurrency, and critical infrastructure security.
• Success depends on Data Protection Board of India (DPBI) and court interpretation.
• Challenges: Jurisdiction, digital evidence, and balancing freedom of speech.

ETHICAL HACKING CONCEPTS — What is Ethical Hacking?

• Authorized, lawful probing of systems to find vulnerabilities before malicious actors do.
• Improve security by identifying weaknesses, validating defenses, and recommending fixes.
• Actors: White-hat hackers (ethical), contrasted with black-hat (malicious) and grey-hat (ambiguous).
• Scope: Networks, applications, devices, cloud, IoT, social engineering.

Types of Ethical Hacking

• Network Penetration Testing: Evaluate routers, switches, firewalls, internal/external network exposure.
• Web Application Testing: Find injection, auth, session, XSS, logic flaws in web apps/APIs.
• Mobile App Testing: Platform-specific issues, insecure storage, broken auth.
  --
• Wireless & IoT Testing: Weak encryption, default creds, insecure firmware.
• Social Engineering: Phishing, pretexting, physical access tests.
• Red Teaming: Full-scope adversary simulation combining technical + human attack vectors.

Typical Phases (Engagement Lifecycle)

1. Scoping & Rules of Engagement: Define targets, limits, legal permissions, deliverables.
2. Reconnaissance (Passive/Active): Footprinting, OSINT, service discovery.
3. Scanning & Enumeration: Port scans, service/version detection, user/enumeration.
   --
4. Exploitation: Validate vulnerabilities by safe exploitation or proof-of-concept.
5. Post-exploitation & Privilege Escalation: Assess impact, lateral movement potential.
6. Reporting & Remediation: Clear reproducible findings, risk rating, remediation steps.
7. Retest: Confirm fixes applied.

Tools & Techniques (Representative)

• Recon & Scanning: whois, theHarvester, Shodan, nmap.
• Web Testing: Burp Suite, OWASP ZAP, sqlmap.
• Exploitation & Post-exploitation: Metasploit, custom scripts, Empire/Cobalt Strike-style frameworks (ethical labs only).
  --
• Password/Hash Attacks: hashcat, John the Ripper.
• Forensics & Logging: SIEM analysis, packet captures (tcpdump, Wireshark).
• Note: Use in controlled, consented environments; avoid destructive options unless authorized.

Ethics, Laws & Best Practices

• Authorization First
• Minimal Impact
• Privacy Respect
• Responsible Disclosure
• Compliance
• Continuous Learning

Elements of information security

• Confidentiality
• Integrity
• Availability

Elements of Information Security

• Confidentiality: Ensuring only authorized users can access data.
  Example: Encrypting emails or using passwords to protect files.

• Integrity: Maintaining data accuracy and consistency.
  Example: Using checksums or digital signatures to detect unauthorized changes.
  --

• Availability: Ensuring systems and data are accessible when needed.
  Example: Using backup servers or DDoS protection to prevent downtime.

intrusions and attacks?

Crime Triangle

Core Elements of an Attack

• Motive: The reason or intent behind the attack.
  Examples:
  • Financial gain (stealing credit card info).
  • Political or ideological goals (hacktivism).
  • Personal revenge or curiosity.
    Motive defines why the attacker acts.

--

• Means: The tools, skills, and resources used to perform the attack.
  Examples:
  • Exploit kits, malware, phishing tools.
  • Technical knowledge of systems or coding.
    Means represent the capability to execute the attack.
    --
• Opportunity: The favorable circumstances that allow the attack to happen.
  Examples:
  • Unpatched software, weak passwords, poor monitoring.
  • Insider access or careless employees.
    Opportunity defines when and how easily an attack can succeed.
    --

⚠️ All three — Motive, Means, and Opportunity — must align for an intrusion to occur.

Introduction — Types & Profiles of Attackers and Defenders

• Overview: groups vary by intent, skill, and methods.
• Why it matters: helps prioritize defenses, assign roles, and tailor countermeasures.
• Profiles: Black Hat, Script Kiddies, Hacktivists, Cyber Terrorists/Warriors, Cyber Criminals, White Hat, Pentesters (Red Team), Blue Team, Purple Team, Gray Hat.
  --

Black Hat Hackers

• Definition: Criminal actors who exploit systems for malicious ends.
• Motives: Financial gain, revenge, disruption, ideological attacks.
• Behavior: Use malware/ransomware, phishing, exploit marketplaces; operate at scale (service models, call-centers).
  --

Script Kiddies

• Definition: Novices using prebuilt tools/exploits with little understanding.
• Motives: Thrill, reputation, learning; sometimes recruited.
• Behavior: Run known exploits, noisy attacks, easily detected but numerous.

--

Hacktivists

• Definition: Actors motivated by political/social agendas.
• Motives: Protest, expose, embarrass targets (govt, corp).
• Behavior: DDoS, defacement, data leaks; may aggregate volunteers and skids.

--

Cyber Terrorists / Cyber Warriors

• Definition: Highly-skilled groups—often state-linked—targeting national/critical infrastructure.
• Motives: Strategic advantage, disruption, espionage.
• Behavior: Sophisticated campaigns: critical infrastructure attacks, long-term espionage, coordinated campaigns.

--

Cyber Criminals

• Definition: Organized for profit—individuals or syndicates.
• Motives: Monetary theft, fraud, resale of data.
• Behavior: Banking fraud, credit-card theft, ransomware-as-a-service, data marketplaces.

--

White Hat Hackers

• Definition: Ethical security professionals who test and defend systems.
• Motives: Improve security, compliance, protect users.
• Behavior: Authorized testing, vulnerability disclosure, build defenses and reports.

--

Pentesters (Red Team)

• Definition: Offensive security specialists who simulate realistic attacks.
• Motives: Validate defenses, find exploitable gaps.
• Behavior: Scoped simulated intrusions, deliver actionable reports and PoCs.

--

Blue Team

• Definition: Defensive professionals responsible for detection & response.
• Motives: Maintain confidentiality, integrity, availability.
• Behavior: Monitor logs, harden systems, run incident response and threat hunting.

--

Purple Team

• Definition: Bridge between Red (offense) and Blue (defense).
• Motives: Improve collaboration, translate findings into remediations.
• Behavior: Facilitate exercises, refine controls, translate attacker findings into operational fixes.

--

Gray Hat Hackers

• Definition: Operate between ethical and illegal—find flaws without explicit permission.
• Motives: Curiosity, notification-based remediation, reputation.
• Behavior: Report or publish vulnerabilities (sometimes disclose if ignored); legally risky despite often helpful intent.

Attack Targets & Types

• Attacks concentrate on three core areas: Network, Application, and Host.
• Each area has distinct vectors, vulnerabilities, and impacts.
• Understanding these helps prioritize defenses and map the cyber kill chain.

Network Attacks

• Focus: Communication infrastructure and protocols (routers, switches, links).
• Common types: Flooding / DoS, DDoS, ARP/ARP spoofing, Man-in-the-Middle (MITM).
  --
• Impact: Service outages, intercepted traffic, lateral movement opportunities.
• Network-level failures can disable entire services and facilitate deeper compromise.

Application Attacks

• Focus: Software and services (web servers, APIs, application logic).
• Common types: SQL Injection, Cross-Site Scripting (XSS), remote code execution, Kerberoasting (AD attack).
  --
• Impact: Data theft, unauthorized actions, credential compromise, pivot into network/hosts.
• Application flaws often expose sensitive data and provide footholds for broader attacks.

Host (Endpoint) Attacks

• Focus: End-user devices and OS (desktops, laptops, servers).
• Common types: Drive-by downloads / watering holes, exploitation of unpatched apps, phishing, credential dumping.
  --
• Impact: User compromise, malware installation, data exfiltration, insider-level access.
• Hosts are plentiful and user behavior increases attack surface — phishing remains top vector.

The anatomy of an attack

The anatomy of an attack, sometimes referred to as the Cyber Kill Chain

Reconnaissance

• Initial intelligence-gathering phase to profile the target and find potential weaknesses.
• Attacker activities: OSINT (company site, job ads), social networks (LinkedIn, GitHub), crafted search queries, email harvesting, WHOIS, passive footprinting, and selective network probing.
• Can take weeks → years depending on target and goals.
• Detection is hard: Much of recon is passive (no direct connection).
  --
• Early indicators to monitor: spikes in domain lookups, repeated WHOIS queries, unusual public-scan hits, credential-harvesting attempts, suspicious GitHub scrapes.
• Defenses: limit public exposure, reduce metadata on public pages, monitor telemetry (web logs, DNS), threat intel on targeted brand abuse, and employee awareness for social-engineering signals.

Weaponization

• Building the attack payload and infrastructure once target profiling is sufficient.
• Attacker activities: assemble exploits, tailor payloads, prepare C2 servers, choose delivery vectors (phishing, exploit kit), and test payloads for target environment.
  --
• Visibility is low until delivery: weaponization often happens off-network.
• Signals to surface: discovery of commodity exploit kits or staging infrastructure linked to your industry, leaked tooling correlated to your stacks.
  --
• Defenses: patch management, hardening, vulnerability scanning, threat intel ingestion, and create detection rules for exploit scanning patterns and suspicious outbound setup to C2-like infrastructure.

Delivery

• The act of sending the payload to the target (first active contact).
• Common vectors: phishing/spearphishing, watering holes, drive-by downloads, malicious attachments, or direct exploitation of exposed services (VPN, web, email).
  --
• Detection opportunities: email gateways, web proxies, WAFs, ingress/egress network monitoring.
• Defenses: advanced email filtering, URL sandboxing, WAF rules, blocklists, proxy inspection, content disarm & reconstruction (CDR), user training, and monitoring for anomalous download behavior.

Exploitation

• Using a vulnerability, social-engineer, or misconfiguration to gain initial code execution or credential access.
• Tactics: exploit code, OS/app vulnerabilities (often Windows), phishing/spearphishing, browser exploits, click-jacking.
  --
• Detection points: EDR, network IDS/IPS, anomalous process spawn, abnormal auth/events.
• Defenses: timely patching, secure coding, vulnerability assessments, phishing exercises, EDR with process/child-chain monitoring, multi-factor authentication to reduce credential-based exploits.

Installation

• Establishing persistence on compromised hosts (backdoors, autoruns, web shells).
• Techniques: install web shells, backdoors, registry autoruns, DLL hijacks, scheduled tasks, and persistence via service installs.
  --
• Detection signals: new autorun keys, suspicious services/processes, unexpected file writes in system directories, unusual registry changes.
• Defenses: EDR/AV blocking known persistence techniques, baseline integrity monitoring, restrict admin privileges, application whitelisting, monitor for changes to startup/registry and critical file paths.

Command & Control (C2)

• Two-way channel allowing attacker to control compromised hosts and issue commands.
• Characteristics: beaconing behavior, HTTP/DNS tunneling, encoded/obfuscated payloads, use of legitimate infrastructure or compromised cloud services.
  --
• Detection opportunities: unusual periodic beacons, anomalous DNS queries, encrypted outbound patterns, connections to known-malicious IPs/domains.
• Defenses: block known IOCs, proxy & inspect HTTP/DNS, TLS inspection (where legal/feasible), anomaly detection on egress, threat-intel-based blocking, and sinkholing/blackholing confirmed C2 domains.

Actions on Objectives

• Post-compromise activities to achieve the attacker’s end goals (data theft, extortion, disruption).
• Activities: credential harvesting, privilege escalation, lateral movement, data discovery & exfiltration, deployment of ransomware or destructive tools.
  --
• Key detection signals: large data transfers, unusual use of admin credentials, abnormal lateral-authentication patterns, exfil via uncommon channels.
• Defenses & readiness: instrument endpoints/networks/cloud with telemetry (EDR, NDR, identity logs), SIEM/XDR correlation, playbooks & runbooks, automated containment (SOAR), regular red/blue/purple drills, retention of logs for forensics, and blameless post-incident reviews to close gaps.

ETHICAL HACKING & PENETRATION TESTING

• Simulates real-world attacks to test network and staff security.
• Legal Authorization: Requires a signed agreement defining scope, rules, and limitations — known as the “get out of jail free card.”
• Purpose: Identify vulnerabilities before malicious hackers exploit them.

TYPES OF PENETRATION TESTING

• Black-box testing: No prior system knowledge — imitates real attacker perspective.
• White-box testing: Full system knowledge — speeds up technical evaluation.
• Goal: Assess effectiveness of existing security controls and policies.

PENETRATION TEST PLANNING

Key questions before testing:

• Why conduct the test?
• What are the goals and scope?
• What systems/data are in scope?
• Who owns the data?
• What will be done with the results?
  Testing should follow after implementing basic controls (firewalls, access, account management).

DEFENSIVE TECHNOLOGIES

• Firewalls: First line of defense, evolved to next-gen with app-level inspection.
• Antivirus (AV): From simple signatures → heuristic + behavioral detection.
  --
• IDS/IPS: Monitors and optionally blocks malicious traffic (Network or Host-based).
• EDR: Endpoint monitoring, behavior profiling, and real-time alerts.
• SIEM: Centralized log and event analysis to correlate network and endpoint threats.

SECURITY STRATEGY OVERVIEW

• Combine pentesting with defensive technologies for layered security.
• Use SIEM + EDR + Firewalls for comprehensive visibility.
• Continuous improvement through testing, monitoring, and training.