(2) ceh v5 module 01 introduction to ethical hacking
TRANSCRIPT
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 1/82
Module IIntroduction to EthicalHacking
Ethical Hacking Version 5
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 2/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Scenario
Jeffery came across some books that were related to hacking. He wascurious to know about hacking public and private networks. He
bought a book related to it from the nearby bookstore. Amazed to learn new techniques about hacking, Jeffrey wanted to gethands on. He visited a local library and plugged his laptop to itsnetwork in the pretext of searching the database of books. Jeffrey
wanted to find the vulnerability present in the library’s network andthen show the report to the concerned authorities.
Jeffrey launched the tools from a CD that was offered with the book and discovered lot of loopholes in the network!
What is wrong with Jeffrey’s act?
Is his action justified?
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 3/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Security News
Source Courtesy : http://www.securitypark.co.uk/article.asp?articleid=25511&CategoryID=49
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 4/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Module Objective
This module will familiarize you with the following:
~ Importance of Information security in today’s world
~ Elements of security
~ Various phases of the Hacking Cycle
~ Types of hacker attacks
~ Hacktivism
~ Ethical Hacking
~ Vulnerability research and tools that assist in the same
~ Steps for conducting ethical hacking
~ Computer crimes and implications
~ Cyber Laws prevailing in various parts around the World
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 5/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Module Flow
Importance of security
Legal perspective
Phases to performmalicious hacking
Elements of security
Ethical Hacking
Hacktivism
Computer crimes
and implicationsTypes of hacker attacks
Conducting ethical hacking
vulnerability researchand tools
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 6/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Problem Definition – Why Security?
~ Evolution of technology
focused on ease of use~Decreasing skill level needed for exploits
~Increased network
environment and network
based applications
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 7/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Problem Definition – Why Security?
(cont’d)~Direct impact of security breach on
corporate asset base and goodwill
~Increasing complexity of computer infrastructure administration and
management
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 8/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Essential Terminologies
~ Threat – An action or event that might compromise security. A
threat is a potential violation of security
~ Vulnerability – Existence of a weakness,design, or implementation error that can
lead to an unexpected, undesirable event compromising the security of the system
~ Target of Evaluation – An IT system, product, or component that is
identified/subjected as requiring securityevaluation
~ Attack – An assault on system securitythat derives from an intelligent threat. An
attack is any action that violates security
~ Exploit – Adefined way tobreach thesecurity of an IT
system throughvulnerability
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 9/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Elements of Security
~ Security – A state of well-being of information and infrastructures in
which the possibility of successful yet undetected theft, tampering,and disruption of information and services is kept low or tolerable
Security rests on confidentiality,authenticity, integrity, and availability
•Confidentiality – The
concealment of information orresources
•Authenticity – The identification
and assurance of the origin of information
•Integrity – The trustworthiness
of data or resources in terms of preventing improper andunauthorized changes
•Availability – The ability to usethe information or resourcedesired
Any hacking event will affect any one ormore of the essential security elements
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 10/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
The Security, Functionality, and Ease
of Use Triangle~ The number of exploits gets minimized when the number of
weaknesses is reduced => greater security
~ Takes more effort to conduct same task => reduced functionality
Functionality
Ease of UseSecurity
~ Moving the ball towards
security means movingaway from functionalityand ease of use
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 11/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Case Study
~ Alan was stranded at Newark airport. He was to attendhis friend's wedding and Continental airlines justannounced the cancellation of his hop-over flight
~He decided to purchase a seat on another airline, but theBank of America Corp ATM just wouldn’t work
~ All seemed wrong with the world as the airline staff wereusing pen and paper to take down new reservations. They
couldn’t even confirm the availability
http://www.cnn.com/2003/TECH/internet/01/25/internet.attack/
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 12/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
What Does a Malicious Hacker Do?
~Reconnaissance• Active/passive
~Scanning
~Gaining access• Operating system
level/application level
• Network level
• Denial of service
~Maintaining access
• Uploading/altering/downloading programsor data
~Clearing tracks
ClearingTracks
Maintaining Access
Gaining Access
Scanning
Reconnaissance
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 13/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Phase 1 - Reconnaissance
~ Reconnaissance refers to the preparatory phase where an attackerseeks to gather as much information as possible about a target of
evaluation prior to launching an attack ~ Business Risk: Notable - Generally noted as "rattling the door
knobs" to see if someone is watching and responding
~ Could be future point of return when noted for ease of entry for an
attack when more about the target is known on a broad scale
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 14/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Reconnaissance Types
Passive reconnaissance involvesacquiring information without
directly interacting with thetarget
For example, searching publicrecords or news releases
Active reconnaissance involves
interacting with the target directly
by any means
For example, telephone calls to the
help desk or technical department
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 15/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Phase 2 - Scanning
~ Scanning refers to the pre-attack phase when the hacker scans thenetwork for specific information on the basis of information
gathered during reconnaissance~ Business Risk: High – Hackers have to get a single point of entry
to launch an attack
~ Scanning can include use of dialers, port scanners, network
mapping, sweeping, vulnerability scanners, and so on
NMAP ScannerFront End
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 16/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Phase 3 - Gaining Access
~ Gaining Access refers to the penetration phase. The hacker exploits the vulnerability in the system
~ The exploit can occur over a LAN, the Internet, or as a deception or theft.Examples include buffer overflows, denial of service, session hijacking, andpassword cracking
~ Influencing factors include architecture and configuration of the targetsystem, the skill level of the perpetrator, and the initial level of accessobtained
~ Business Risk: Highest – The hacker can gain access at the operating systemlevel, application level, or network level
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 17/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Phase 4 - Maintaining Access
~ Maintaining Access refers to the phase when the hacker tries to
retain his ownership of the system
~ The hacker has compromised the system
~ Hackers may harden the system from other hackers as well (to own
the system) by securing their exclusive access with Backdoors,
RootKits, or Trojans~ Hackers can upload, download, or manipulate data, applications,
and configurations on the owned system
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 18/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Phase 5 - Covering Tracks
~ Covering Tracks refers to the activities that the hacker undertakes
to hide his misdeed
~ Reasons include the need for prolonged stay, continued use of
resources, removing evidence of hacking, or avoiding legal action
~ Examples include Steganography, tunneling, and altering log files
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 19/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Types of Hacker Attacks
~ There are several ways an attacker can gain access to asystem
~ The attacker must be able to exploit a weakness or vulnerability in a system
~ Attack Types:
1. Operating System attacks
2. Application-level attacks
3. Shrink Wrap code attacks
4. Misconfiguration attacks
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 20/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
1. Operating System Attacks
~ Today’s Operating systems arecomplex in nature
~ Operating Systems run many services, ports and modes of accessand requires extensive tweaking tolock them down
~ The default install of mostoperating systems has largenumbers of services running andports open
~ Applying patches and hotfixes are
not so easy in today’s complexnetwork
~ Attackers look for OS vulnerabilities and exploit them togain access to a network system
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 21/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Security News: Default Installation
Source: http://www.vnunet.com/vnunet/news/2164855/atm-passwords-found-online
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 22/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
2. Application Level Attacks
~ Software developers are under tightschedules to deliver products on time
~ Extreme Programming is on the rise insoftware engineering methodology
~ Software applications come with tons of functionalities and features
~ There is not enough time to perform
complete testing before releasingproducts
~ Security is often an afterthought andusually delivered as "add-on”component
~ Poor or non-existent error checking inapplications which leads to “BufferOverflow Attacks”
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 23/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
3. Shrink Wrap Code Attacks
~ Why reinvent the wheel when you
can buy off-the-shelf “libraries”and code?
~ When you install an
OS/Application, it comes with
tons of sample scripts to make the
life of an administrator easy
~ The problem is “not fine
tuning” or customizing these
scripts
~ This will lead to default code or
shrink wrap code attack
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 24/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
4. Misconfiguration Attacks
~ Systems that should be fairly secure are hacked into because they were not configured correctly
~ Systems are complex and the administrator does not have thenecessary skills or resources to fix the problem
~Most often the administrator will create a simple configuration that works
~ In order to maximize your chances of configuring a machinecorrectly, remove any unneeded services or software
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 25/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Remember This Rule!
If a hacker wants to get
inside your system, he willand there is nothing you can
do about itThe only thing you can do ismake it harder for him toget in
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 26/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Hacktivism
~ Refers to the idea of hacking with or for a
cause
~ Comprises hackers with a social or politicalagenda
~ Aims at sending a message through their
hacking activity and gaining visibility for their
cause and themselves
~ Common targets include government
agencies, MNCs, or any other entity perceived
as bad or wrong by these groups or individuals
~ It remains a fact, however, that gaining
unauthorized access is a crime, no matter what
the intent
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 27/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Hacker Classes
Black HatsIndividuals with extraordinary computing skills, resorting tomalicious or destructiveactivities. Also known ascrackers
White HatsIndividuals professing hackerskills and using them fordefensive purposes. Also knownas security analysts
Gray HatsIndividuals who work bothoffensively and defensively at various times
Suicide Hackers
Individuals who will aim to bringdown critical infrastructure for a"cause" and not worry about facing30 years in jail for their actions
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 28/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Security News: Suicide Hacker
http://www.zdnet.com.au/news/security/soa/Army_expects_suicide_hacker_attacks/0,130061744,339271362,00.htm
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 29/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Ethical Hacker Classes
~Former Black Hats
– Reformed crackers
– First-hand experience– Lesser credibility perceived
~ White Hats
– Independent security
consultants (may be groups as well)
– Claim to be knowledgeable
about black hat activities
~Consulting Firms– Part of ICT firms
– Good credentials
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 30/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
What Do Ethical Hackers Do?
~ “ If you know the enemy and know yourself, you need not fear the result of a hundred battles”
– Sun Tzu, Art of War
Ethical hackers try to answer thefollowing questions:
What can the intruder see on thetarget system? ( Reconnaissanceand Scanning phases) What can an intruder do withthat information? (Gaining
Access and Maintaining Access phases)Does anyone at the target noticethe intruders’ attempts orsuccesses? ( Reconnaissance and
Covering Tracks phases)
~ If hired by any organization, anethical hacker asks the organizationwhat it is trying to protect, against whom, and what resources it is willingto expend in order to gain protection
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 31/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Can Hacking be Ethical?
Hacker refers to a person who
enjoys learning the details of
computer systems and how tostretch their capabilities
Hacking describes the rapiddevelopment of new programs or the
reverse engineering of already existing
software to make the code better and
more efficient
Cracker refers to a person who uses
his hacking skills for offensive
purposes
Ethical hacker refers to
security professionals who
apply their hacking skills for
defensive purposes
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 32/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
How to Become an Ethical Hacker?
To become an ethical hacker you must
meet the following requirements:
~ Should be proficient with programmingand computer networking skills
~ Should be familiar with vulnerability research
~ Should have mastery in different hackingtechniques
~ Should be prepared to follow a strictcode of conduct
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 33/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Skill Profile of an Ethical Hacker
~ A computer expert adept attechnical domains
~ Has in-depth knowledge of targetplatforms, such as Windows,Unix, and Linux
~ Has exemplary knowledge of
networking and related hardwareand software
~ Knowledgeable about security areas and related issues
~ In other words you must be
“highly technical” to launchsophisticated attacks
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 34/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
What is Vulnerability Research?
~ Discovering vulnerabilities and design weaknesses that will open an operating system and its applications toattack or misuse
~ Includes both dynamic study of products andtechnologies and ongoing assessment of the hackingunderground
~ Relevant innovations are released in the form of alertsand are delivered within product improvements forsecurity systems
~ Can be classified based on:
• Severity level (low, medium, or high)
• Exploit range (local or remote)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 35/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Why Hackers Need Vulnerability
Research?
~ To identify and correct network vulnerabilities
~ To protect the network from being attacked by intruders~ To get information that helps prevent security problems
~ To gather information about viruses
~ To find weaknesses in the network and to alert the network
administrator before a network attack ~ To know how to recover from a network attack
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 36/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Vulnerability Research Tools
US-CERT publishes information regarding a variety of vulnerabilities in “US-CERT Vulnerabilities Notes”
~ Similar to alerts but contain less information
~ Does not contain the solutions to all the vulnerabilities
~ Contains vulnerabilities that meet certain criteria
~ Contains information that is useful to the administrator~ Vulnerability notes can be searched by several key fields:
name, vulnerability ID number, and CVE-name
~ Can be cross checked with the Common Vulnerabilities andExposures (CVE) catalog
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 37/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Vulnerability Research Websites
~ www.securitytracker.com
~
www.microsoft.com/security ~ www.securiteam.com
~ www.packetstormsecurity.com
~
www.hackerstorm.com~ www.hackerwatch.org
S i
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 38/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Secunia (secunia.com/product/)
Secunia monitors vulnerabilities in more than 9,500 products
H k V l bili D b
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 39/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Hackerstorm Vulnerability Database
Tool (www.hackerstorm.com)~ You can search CVS Vulnerability database using this tool
– Updates provided daily and are free
– You can view Vulnerability database offline (without Internetaccess)
– Easy to use Web-based GUI, requires a browser with flash
– Data includes description, solution, attack type, externalreferences, and credit
– Source is available for those who wish to contribute and enhancethe tool
– Data is provided by www.osvdb.org and its contributors
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 40/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Hackerstorm
k h
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 41/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
HackerWatch
www.hackerwatch.org
~ HackerWatch lets you report and shareinformation that helps identify, combat,
and prevent the spread of Internet threatsand unwanted network traffic
~ HackerWatch provides reports and
graphical up-to-date snapshots of unwantedInternet traffic and threats
~ Snapshots include critical port incidents
graphs, worldwide port activity statistics,and target and source maps showingunwanted traffic and potential threats toInternet security
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 42/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
HackerWatch
HackerWatch Live Animation of Virus
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 43/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
HackerWatch Live Animation of Virus
Outbreak
Zone h org Reports Web Page
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 44/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Zone-h.org Reports Web Page
Defacement Mirror Images~ Zone-h.org reports web attacks and cybercrimes as an
independent observatory and lists them on their website
~ You will be able to see tons of defaced webpages
~ The list is updated every day
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 45/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Zone-h.org Screenshot 1
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 46/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Zone-h.org Screenshot 2
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 47/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
MILWORM
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 48/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
How to Conduct Ethical Hacking?
~Step 1: Talk to your client on the needs of testing
~Step 2: Prepare NDA documents and ask the client to sign them
~Step 3: Prepare an ethical hacking team and draw up schedule fortesting
~Step 4: Conduct the test
~Step 5: Analyze the results and prepare a report
~Step 6: Deliver the report to the client
Note: In-depth Penetration Testing methodology is covered in EC-
Council’s LPT program
h b
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 49/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
How Do They Go About It?
~ Any security evaluation involves three components:
Preparation – In this phase, a formal
contract is signed that contains a non-disclosure clause as well as a legal clauseto protect the ethical hacker against any prosecution that might otherwise attractduring the conduct phase. The contractalso outlines infrastructure perimeter,
evaluation activities, time schedules, andresources available to him
Conduct – In thisphase, the evaluationtechnical report isprepared based ontesting potential vulnerabilities
Conclusion – In thisphase, the results of the evaluation are
communicated tothe organization orsponsors andcorrective action istaken if needed
A h hi l ki
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 50/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Approaches to Ethical Hacking
~ Remote network – Thisapproach attempts tosimulate an intruderlaunching an attack over theInternet
~ Remote dial-up network –This approach attempts to
simulate an intruderlaunching an attack againstthe client’s modem pools
~ Local network – This
approach simulates anemployee with legal accessgaining unauthorized accessover the local network
~Stolen equipment – This approach
simulates theft of a critical
information resource, such as a laptop
owned by a strategist that was taken
from its owner and given to the ethical
hacker
~Social engineering – This approach
attempts to check the integrity of the
organization’s employees
~Physical entry – This approach
attempts to physically compromise
the organization’s ICT infrastructure
E hi l H ki T i
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 51/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Ethical Hacking Testing
~ There are different forms of security testing. Examples include
vulnerability scanning, ethical hacking, and penetration testing
~ Approaches to testing are shown below
•Black box – With no prior knowledge of the infrastructure to betested•White box – With a complete knowledge of the network
infrastructure•Gray box – Also known as Internal Testing. Examines the extent of access by insiders within the network
Ethi l H ki D li bl
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 52/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Ethical Hacking Deliverables
An Ethical Hacking Report :
~ Details the results of the hacking activity,
matching it against the work scheduledecided prior to the conduct phase
~ Vulnerabilities are detailed and prevention
measures suggested. Usually delivered in
hard copy format for security reasons
~ Issues to consider – Nondisclosure
clause in the legal contract (availing the
right information to the right person),
integrity of the evaluation team,sensitivity of information
C t C i d I li ti
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 53/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Computer Crimes and Implications
Computer Crimes and Implications
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 54/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Co pu e C es a d p ca o s
(cont’d)~ The Cyber Security Enhancement Act of
2002 mandates life sentences for hackers
who recklessly endanger the lives of others
~ The CSI/FBI 2002 Computer Crime and
Security Survey noted that 90 percent of
respondents acknowledged security breaches, but only 34 percent reported the
crimes to law enforcement agencies
~ The FBI computer crimes squad estimates
that between 85 and 97 percent of computer
intrusions are not even detected
Legal Perspective
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 55/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
g p
(U.S. Federal Law)Federal Criminal Code Related to Computer Crime:
~ 18 U.S.C. § 1029. F r a u d a n d Rel a t ed A c t i v i t y i n Co n n ect i o n
w i t h Access D ev i ces
~ 18 U.S.C. § 1030. F r a u d a n d Rel a t ed A c t i v i t y i n Co n n ect i o n
w i t h Com p u t er s
~ 18 U.S.C. § 1362. Com m u n i ca t i o n L i n es, St a t i o n s, o r Sy st em s
~ 18 U.S.C. § 2510 et seq. W i r e a n d E l ect r o n i c
Com m un i ca t i o n s I n t er cep t i o n a n d I n t er cep t i o n o f Or a l
C ommu n i c a t i o n s
~ 18 U.S.C. § 2701 et seq. St o r ed W i r e a n d E l ect r o n i c
Com m u n i ca t i o n s a n d T r a n sa ct i o n a l R eco r d s A ccess
Section 1029
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 56/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Section 1029
Subsection (a) Whoever -
(1) knowingly and with intent to defraud produces, uses, or traffics in
one or more counterfeit access devices;(2) knowingly and with intent to defraud traffics in or uses one or
more unauthorized access devices during any one-year period, and by such conduct obtains anything of value aggregating $1,000 or
more during that period;(3) knowingly and with intent to defraud possesses fifteen or more
devices which are counterfeit or unauthorized access devices;
(4) knowingly, and with intent to defraud, produces, traffics in, has
control or custody of, or possesses device-making equipment;
Section 1029 (cont’d)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 57/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Section 1029 (cont d)
(5) knowingly and with intent to defraud effects transactions, with 1 ormore access devices issued to another person or persons, to receivepayment or any other thing of value during any 1-year period theaggregate value of which is equal to or greater than $1,000;
(6) without the authorization of the issuer of the access device,knowingly and with intent to defraud solicits a person for thepurpose of—
(A) offering an access device; or
(B) selling information regarding or an application to obtain an accessdevice;
(7) knowingly and with intent to defraud uses, produces, traffics in,has control or custody of, or possesses a telecommunicationsinstrument that has been modified or altered to obtainunauthorized use of telecommunications services;
Section 1029 (cont’d)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 58/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Section 1029 (cont d)
(8) knowingly and with intent to defraud uses, produces, traffics in,
has control or custody of, or possesses a scanning receiver;
(9) knowingly uses, produces, traffics in, has control or custody of, or
possesses hardware or software, knowing it has been configured to
insert or modify telecommunication identifying information
associated with or contained in a telecommunications instrument
so that such instrument may be used to obtain telecommunications
service without authorization; or
(10) without the authorization of the credit card system member or its
agent, knowingly and with intent to defraud causes or arranges foranother person to present to the member or its agent, for payment,
1 or more evidences or records of transactions made by an access
device
Penalties
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 59/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Penalties
(A) in the case of an offense that does not occur after a conviction foranother offense under this section--
• (i) if the offense is under paragraph (1), (2), (3), (6), (7), or (10) of subsection (a), a fine under this title or imprisonment for not more than10 years, or both; and
• (ii) if the offense is under paragraph (4), (5), (8), or (9) of subsection (a),a fine under this title or imprisonment for not more than 15 years, or
both;
(B) in the case of an offense that occurs after a conviction for anotheroffense under this section, a fine under this title or imprisonment fornot more than 20 years, or both; and
(C) in either case, forfeiture to the United States of any personalproperty used or intended to be used to commit the offense
Section 1030 – (a) (1)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 60/82
EC-CouncilCopyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited
Section 1030 – (a) (1)
Subsection (a) Whoever--
(1) having knowingly accessed a computer without authorization or exceedingauthorized access, and by means of such conduct having obtained
information that has been determined by the United States Governmentpursuant to an Executive order or statute to require protection againstunauthorized disclosure for reasons of national defense or foreign relations,or any restricted data, as defined in paragraph y of section 11 of the AtomicEnergy Act of 1954, with reason to believe that such information so obtainedcould be used to the injury of the United States, or to the advantage of any foreign nation willfully communicates, delivers, transmits, or causes to becommunicated, delivered, or transmitted, or attempts to communicate,deliver, transmit or cause to be communicated, delivered, or transmitted thesame to any person not entitled to receive it, or willfully retains the same andfails to deliver it to the officer or employee of the United States entitled toreceive it;
Section 1030 (2) (A) (B) (C)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 61/82
EC-CouncilCopyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited
Section 1030 (2) (A) (B) (C)
(2) intentionally accesses a computer without
authorization or exceeds authorized access, and thereby
obtains--(A) information contained in a financial record of a financial
institution, or of a card issuer as defined in section 1602(n) of
title 15, or contained in a file of a consumer reporting agency on
a consumer, as such terms are defined in the Fair Credit
Reporting Act (15 U.S.C. 1681 et seq.);
(B) information from any department or agency of the United
States; or(C) information from any protected computer if the conduct
involved an interstate or foreign communication;
Section 1030 (3) (4)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 62/82
EC-CouncilCopyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited
Section 1030 (3) (4)
(3) intentionally, without authorization to access any nonpubliccomputer of a department or agency of the United States, accesses
such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for theGovernment of the United States and such conduct affects that use
by or for the Government of the United States;
(4) knowingly and with intent to defraud, accesses a protectedcomputer without authorization, or exceeds authorized access, and
by means of such conduct furthers the intended fraud and obtainsanything of value, unless the object of the fraud and the thing
obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
Section 1030 (5) (A) (B)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 63/82
EC-CouncilCopyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited
Section 1030 (5) (A) (B)
(5)(A)(i) knowingly causes the transmission of a program,information, code, or command, and as a result of such conduct,
intentionally causes damage without authorization, to a protectedcomputer;
(ii) intentionally accesses a protected computer without authorization,and as a result of such conduct, recklessly causes damage; or
(iii) intentionally accesses a protected computer without authorization,and as a result of such conduct, causes damage; and
(5)(B) by conduct described in clause (i), (ii), or (iii) of subparagraph(A), caused (or, in the case of an attempted offense, would, if
completed, have caused)--
Section 1030 (5) (B) (cont’d)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 64/82
EC-CouncilCopyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited
Section 1030 (5) (B) (cont d)
(i) loss to 1 or more persons during any 1-year period (and, forpurposes of an investigation, prosecution, or other proceeding
brought by the United States only, loss resulting from a related
course of conduct affecting 1 or more other protected computers)aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification orimpairment, of the medical examination, diagnosis, treatment, or
care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a governmententity in furtherance of the administration of justice, nationaldefense, or national security;
Section 1030 (6) (7)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 65/82
EC-CouncilCopyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited
Section 1030 (6) (7)
(6) knowingly and with intent to defraud traffics (as defined in section1029) in any password or similar information through which a
computer may be accessed without authorization, if--(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) with intent to extort from any person any money or other thing of
value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to aprotected computer;
Penalties
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 66/82
EC-CouncilCopyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited
Penalties
(1)(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section whichdoes not occur after a conviction for another offense under this section, or
an attempt to commit an offense punishable under this subparagraph; and(B) a fine under this title or imprisonment for not more than twenty years, or
both, in the case of an offense under subsection (a)(1) of this section whichoccurs after a conviction for another offense under this section, or anattempt to commit an offense punishable under this subparagraph;
(2)(A) except as provided in subparagraph (B), a fine under this title orimprisonment for not more than one year, or both, in the case of anoffense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of thissection which does not occur after a conviction for another offense under
this section, or an attempt to commit an offense punishable under thissubparagraph;
Penalties (cont’d)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 67/82
EC-CouncilCopyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited
( )
~ (B) a fine under this title or imprisonment for not more than 5 years,or both, in the case of an offense under subsection (a)(2), or anattempt to commit an offense punishable under this subparagraph, if-
-
• (i) the offense was committed for purposes of commercial advantage orprivate financial gain;
• (ii) the offense was committed in furtherance of any criminal or tortuous
act in violation of the Constitution or laws of the United States or of any State; or
• (iii) the value of the information obtained exceeds $5,000;
~ (C) a fine under this title or imprisonment for not more than ten
years, or both, in the case of an offense under subsection (a)(2), (a)(3)or (a)(6) of this section which occurs after a conviction for anotheroffense under this section, or an attempt to commit an offensepunishable under this subparagraph;
Penalties (cont’d)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 68/82
EC-CouncilCopyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited
( )
(3)(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or
(a)(7) of this section which does not occur after a conviction foranother offense under this section, or an attempt to commit anoffense punishable under this subparagraph; and
(3)(B) a fine under this title or imprisonment for not more than ten
years, or both, in the case of an offense under subsection (a)(4),(a)(5)(A)(iii), or (a)(7) of this section which occurs after aconviction for another offense under this section, or an attempt tocommit an offense punishable under this subparagraph; and
Penalties (cont’d)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 69/82
EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited
( )
(4)(A) a fine under this title, imprisonment for not more than 10 years, or both, in the case of an offense under subsection(a)(5)(A)(i), or an attempt to commit an offense punishable under
that subsection;
(4)(B) a fine under this title, imprisonment for not more than 5 years,or both, in the case of an offense under subsection (a)(5)(A)(ii), oran attempt to commit an offense punishable under that subsection;
(4)(C) a fine under this title, imprisonment for not more than 20 years, or both, in the case of an offense under subsection(a)(5)(A)(i) or (a)(5)(A)(ii), or an attempt to commit an offensepunishable under either subsection, that occurs after a conviction
for another offense under this section
Japan’s Cyber Laws
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 70/82
EC-Council Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
p y
Law No. 128 of 1999 (in effect from February 3, 2000)
Husei access kinski hou
Article 3. No person shall conduct an act of unauthorized computeraccess.
(1) An act of making available a specific use which is restricted by an accesscontrol function by making in operation a specific computer having that access
control function through inputting into that specific computer, viatelecommunication line, another persons identification code for that accesscontrol function
(2) An act of making available a restricted specific use by making in operation aspecific computer having that access control function through inputting into it,
via telecommunication line, any information (excluding an identification code)or command that can evade the restrictions placed by that access controlfunction on that specific use
Japan’s Cyber Laws (cont’d)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 71/82
EC-Council Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
p y
(3) An act of making available a restricted specific use by making in operation
a specific computer, whose specific use is restricted by an access control
function installed into another specific computer which is connected, via a
telecommunication line, to that specific computer, through inputting into it,
via a telecommunication, any information or command that can evade the
restriction concerned
Article 4. No person shall provide another person's identification code relating toan access control function to a person other than the access administrator for
that access control function or the authorized user for that identification code,
in indicating that it is the identification code for which specific computer's
specific use, or at the request of a person who has such knowledge, excepting
the case where such acts are conducted by that access administrator, or with
the approval of that access administrator or of that authorized user
Japan’s Cyber Laws (cont’d)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 72/82
EC-Council Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Article 8. A person who falls under one of thefollowing items shall be punished with penal
servitude for not more than one year or a fine of not more than 500,000 yen:
(1) A person who has infringed the provision of
Article 3, paragraph 1; Article 9. A person who has infringed the
provision of Article 4 shall be punished with a
fine of not more than 300,000 yen
United Kingdom’s Cyber Laws
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 73/82
EC-Council Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Computer Misuse Act 1990
(1) A person is guilty of an offense if-
(a) he causes a computer to perform any function with the intent to secureaccess to any program or data held in any computer,(b) the access he intends to secure is unauthorized, and(c) he knows at the time when he causes the computer to perform the functionthat that is the case
(2) The intent a person has to have to commit an offense under thissection need not to be directed at:
(a) any particular program or data,(b) a program or data of any particular kind, or(c) a program or data held in any particular computer
(3) A person guilty of an offense under this section shall be liable onsummary conviction to imprisonment for a term not exceeding sixmonths or to a fine not exceeding level 5 on the standard scale or to
both
United Kingdom’s Cyber Laws (cont’d)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 74/82
EC-Council Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
(4) A person is guilty of an offense under this section if he commits anoffense under section 1 above (" the unauthorized access offense") withintent
(a) to commit an offense to which this section applies; or(b) to facilitate the commission of such an offense and the offense heintends to commit or facilitate is referred to below in this section asthe further offense
(5) This section applies to offences
(a) for which the sentence is fixed by law; or(b) for which a person of twenty-one years of age or over (notpreviously convicted) may be sentenced to imprisonment for a term of five years
(6) It is immaterial for the purposes of this section whether the further
offense is to be committed on the same occasion as the unauthorizedaccess offense or on any future occasion
(7) A person may be guilty of an offense under this section even thoughthe facts are such that the commission of the further offense isimpossible
United Kingdom’s Cyber Laws (cont’d)
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 75/82
EC-Council Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
(8) A person guilty of an offense under this section shall be liable
(a) on summary conviction, to imprisonment for a term not exceeding thestatutory maximum or to both; and(b) on conviction on indictment, to imprisonment for a term not exceeding
five years or to a fine or to both(9) A person is guilty of an offense if -
(a) he does any act which causes an unauthorized modification of thecontents of any computer; and -(b) at the time when he does the act he has the requisite intent and the
requisite knowledge.(10) For the purposes of subsection (1)(b) above the requisite intent is an
intent to cause a modification of the contents of any and by so doing -
(a) to impair the operation of any computer;(b) to prevent or hinder access to any program or data held in any computer; or(c) to impair the operation of any such program or the reliability of any such data
Australia’s Cyber Laws
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 76/82
EC-Council Copyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
According to CYBERCRIME ACT 2001
The Cyber crime Act 2001 amended the Criminal Code Act
1995 to replace existing outdated computer offences. A person is guilty of an offence if:
(a) the person causes any unauthorized access to, ormodification of, restricted data
(b) the person intends to cause the access or modification(c) the person knows that the access or modification isunauthorized
(d) one or more of the following applies:
– (i) the restricted data is held in a Commonwealth computer
– (ii) the restricted data is held on behalf of the Commonwealth
– (iii) the access to, or modification of, the restricted data is caused by means of a telecommunications service
Penalty: 2 years imprisonment
Germany’s Cyber Laws
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 77/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Penal Code Section 202a. Data Espionage:
(1) Any person who obtains without authorization,for himself or for another, data which are notmeant for him and which are specially protectedagainst unauthorized access, shall be liable toimprisonment for a term not exceeding three yearsor to a fine .
(2) Data within the meaning of subsection 1 areonly such as are stored or transmittedelectronically or magnetically or in any form notdirectly visible.
Penal Code Section 303a: Alteration of Data
(1) Any person who unlawfully erases, suppresses,
renders useless, or alters data (section 202a(2))shall be liable to imprisonment for a term notexceeding two years or to a fine.
(2) The attempt shall be punishable
Singapore’s Cyber Laws
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 78/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Chapter 50A: Computer misuse Act
Section 3 – (1) Any person who knowingly causes a computer to perform any function for the purpose of securing access without authority, shall be liable on
conviction to a fine not exceeding $ 5.000 or to imprisonment for a term notexceeding 2 years or to both.
(2) If any damage is caused as a restut of an offence under thissection, a person convicted of the offence shall be liable to a fine not exceeding
$ 50.000 or to imprisonment for a term not exceeding 7 years or to bothSection 4: Access with intent to commit or facilitate commission of offence
(1) This section shall apply to an offence involving property,fraud, dishonesty or which causes bodily harm and which is punishable onconviction with imprisonment for a term of not less than 2 years.
(2) Any person guilty of an offence under this section shall beliable on conviction to a not exceeding $ 50.000 or to imprisonment for a termnot exceeding 10 years or to both
What happened next?
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 79/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
Even though Jeffrey’s intention was honest, hisaction is considered illegitimate.
Hacking into networks, without priorpermission of concerned authorities and a legal
clearance from the court of law, is considered acriminal offence
Summary
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 80/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited
~ Security is critical across sectors and industries
~ Ethical Hacking is a methodology to simulate a
malicious attack without causing damage
~ Hacking involves five distinct phases
~ Security evaluation includes preparation, conduct, andevaluation phases
~ Cyber crime can be differentiated into two categories
~ U.S. Statutes ξ 1029 and 1030 primarily address cyber
crime
7/28/2019 (2) CEH v5 Module 01 Introduction to Ethical Hacking
http://slidepdf.com/reader/full/2-ceh-v5-module-01-introduction-to-ethical-hacking 81/82
EC-CouncilCopyright © by EC-Council
All Rights reserved. Reproduction is strictly prohibited