White Hat Hackers

A white hat hacker is a company or individual that probes your network and computers to look for weaknesses. They try to breach the security of your systems and gain access to your computers. The goal is to show how your systems can be breached, so that you can then fix any gaps they find. What they find might show that certain systems need patching (operating systems as well as application software), that you need to improve employee training, that you need to change your system audit and logging policies, or that you need to install new software or network appliances or change the configuration of what you already have.

People also call this means of checking security “ethical hacking.” The term “white hats” refers to American Western movies, where people cry “here come the white hats,” meaning that the good guys (the cavalry) were on their way to rescue the railroad train as it was being attacked by Butch Cassidy and the Sundance Kid (or something like that).

Ethical hackers know that the greatest weakness in security is people. So they probe how well your staff is trained by sending your employees phishing emails that contain links. They then consult the log of the web server the links point to, to see how many employees clicked on them.

Ethical hackers also use social engineering attacks, phoning up your employees and trying to get them to reveal customer or other data. The ethical hacker would probably need an actor, or someone who had practiced a lot, to be convincing at that.
In either of these two tests, if the results were less than satisfactory, they would then recommend that you give your employees more security training.
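The click-measurement step described above, as an added example (not code from the original post): it assumes each phishing link carries a per-recipient token and that the web server writes combined-format access logs; the log lines and the token-to-recipient mapping are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of combined-format web server log lines (not real data).
# Each phishing e-mail carried a link with a per-recipient token so a click can
# be attributed to an employee without collecting anything else.
SAMPLE_LOG = """\
10.0.0.12 - - [03/Mar/2015:09:14:02 +0000] "GET /training/click?t=a1f3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.12 - - [03/Mar/2015:09:14:05 +0000] "GET /training/click?t=a1f3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.40 - - [03/Mar/2015:09:20:11 +0000] "GET /training/click?t=7c2e HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.77 - - [03/Mar/2015:09:31:48 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.90 - - [03/Mar/2015:10:02:30 +0000] "GET /training/click?t=zzzz HTTP/1.1" 404 0 "-" "curl/7.38"
"""

# Hypothetical mapping from link token to recipient, kept by the testing team.
RECIPIENTS = {"a1f3": "alice", "7c2e": "bob", "9d10": "carol", "e4b7": "dave"}

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TOKEN_RE = re.compile(r"/training/click\?t=(?P<token>[0-9a-f]+)$")


def clicks_by_recipient(log_text):
    """Return {recipient: click_count}, counting only tokens that were issued."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = TOKEN_RE.search(m.group("path"))
        # Ignore unrelated requests and tokens that were never issued:
        # scanners or guessed links must not be counted as employee clicks.
        if t is None or t.group("token") not in RECIPIENTS:
            continue
        counts[RECIPIENTS[t.group("token")]] += 1
    return dict(counts)


def click_rate(log_text):
    """Fraction of recipients who clicked at least once."""
    clicked = clicks_by_recipient(log_text)
    return len(clicked) / len(RECIPIENTS)


if __name__ == "__main__":
    print(clicks_by_recipient(SAMPLE_LOG))
    print(f"{click_rate(SAMPLE_LOG):.0%} of recipients clicked")
```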

The other tool in the ethical hacker’s arsenal is penetration testing software.

Penetration Testing Software
If a hacker were really dedicated or expensive, he or she would spend time reading through hacker forums looking for known exploits. Most of these tools would not work anymore, because software updates would have blocked them, and because penetration testing tools would already have them programmed into their list of exploits. To deploy anything not widely known, they would have to purchase hacking software from unethical hackers. That could be expensive. To do that they would have to gain access to the criminal forums where such things are sold. They would have to make up an identity and somehow gain the confidence of some black hat hacker who would let them in. I imagine some ethical hackers do this. I know that security researchers, like Mandiant, do.
There are various penetration testing tools, ranging from free ones to costly enterprise ones. Here we look at two: Metasploit (enterprise) and Zenmap. In the case of Metasploit, I add my own observations about features that did not appear to work or that otherwise raised issues which would require further study of the product.

Metasploit
This tool installs itself as a web server on your PC and then proceeds to run known exploits against all the hosts it can locate on the network. It asks you to turn off your firewall and antivirus software (Windows Defender, in the case of Windows 8) on the machine where you install it. It then scans the network and runs known attacks on the computers it finds. Presumably the software works like antivirus software, meaning it updates itself by downloading a list of known exploits as security researchers post that information on the internet.

Note that it will only run against computers that are in the same virtual network (subnet) as you. So you would have to run it in each of the different networks in your office to do a complete test, since it cannot reach all of them from one subnet.

I downloaded the 7-day trial version. Then I ran it on my network with one Windows 8 PC, one Linux PC, two Android tablets, and two cell phones connected. It ran against the two PCs but not the tablets or cell phones. It also did not probe my router. I do not know if it is supposed to have that ability.

When Metasploit finishes, it shows a detailed run log in an XML file and creates a summary PDF. Below I show each. The XML file was so large that Google Chrome took several minutes to load it, and Internet Explorer started paging through the file by itself without me pressing any keys. That was strange.

Here is the console flying by as Metasploit ran on my PC. I say flying by because it echoes the various exploits as it runs them, and they go by quickly. You can see the names of some of the known exploits on the screen and read about them in detail in the logs. So even if you do not buy the product, save the logs, as they will teach you a lot about what kind of exploits are out there.


Here is the summary report created when the scan was complete. It showed that it scanned 2 hosts. For my Linux PC, presumably because the firewall was up, it only checked the two services (meaning ports) that were open (and they were open only in the outbound direction). That must mean you would need to run it on the machine itself to check weaknesses on that system. You should be able to do this, as Metasploit is installed as a web server, so you can reach it from the other machine as long as the firewall on the machine where the software is installed has that port open. Or perhaps the idea is to explore the network and look for ports that are open but should not be, and then look for known weaknesses there. I would have to spend more time with the software to know that, but you can read about it yourself on their web site and install a trial version too.

On the Windows 8.1 machine where I ran this test, it did not identify the OS as Windows 8.1. If it cannot identify the OS, then how can it try to exploit known weaknesses in that OS? On the other hand, it did run the tests one would normally associate with Windows, so one wonders why it did not list that operating system name correctly.


Here is the result of running it against my Linux PC. Since the firewall there was enabled, it was only able to look at the outbound traffic on that PC. (Also, I did not have any programs like the ssh daemon running, which is a tool that lets you log in to Linux from another machine. This means I did not have any ports listening for inbound traffic, which is one way a hacker could get in, if they could steal a userid and password or exploit a weakness in the service listening there.)


Here is what it reported about the Windows 8 machine where I installed the software. It must be saying that the only service I have exposed is NetBIOS, which is the protocol that lets computers find each other on a Windows network. It makes sense that this was running.

One item to note is that if you maintain all the machines in your office from a central point, then they should all be the same, provided the users do not have the rights to install any other software. So in that respect, probing one machine would be like probing them all, and that would give you valuable information about all of them.


Here is an example exploit. It is trying to run a SQL injection attack on CA Total Defense software version R12. I don't have that software installed, but it ran the test anyway. As you can see, it stores the instructions on how to run each exploit in separate .rb files. That must be what it downloads as it updates its instruction set.

C:/metasploit/apps/pro/msf3/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb
CA Total Defense Suite reGenerateReports Stored Procedure SQL Injection

This module exploits a SQL injection flaw in CA Total Defense Suite R12. When supplying a specially crafted soap request to ‘/UNCWS/Management.asmx’, an attacker can abuse the reGenerateReports stored procedure by injecting arbitrary sql statements into the ReportIDs element.
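A constructed illustration of the bug class the module description above names (SQL spliced in through the ReportIDs element): a vulnerable handler beside a hardened one that validates the list and binds parameters. This is an added example, not CA's code or Metasploit's module; the table, the SOAP envelopes and the function names are invented.

```python
import sqlite3
import re
import xml.etree.ElementTree as ET

# Constructed illustration (not CA's code): a SOAP request carries a
# ReportIDs element whose text ends up inside a SQL statement.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO reports VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def report_ids_from_soap(soap_xml):
    """Extract the text of the ReportIDs element from a SOAP envelope."""
    root = ET.fromstring(soap_xml)
    elem = root.find(".//ReportIDs")
    return elem.text if elem is not None else ""

def regenerate_reports_vulnerable(conn, report_ids):
    # The caller-controlled string becomes part of the statement itself.
    sql = "SELECT id FROM reports WHERE id IN (" + report_ids + ")"
    return [row[0] for row in conn.execute(sql)]

def regenerate_reports_safe(conn, report_ids):
    # Accept only a comma-separated list of integers, then bind each value
    # as a parameter so the input can never change the statement's shape.
    if not re.fullmatch(r"\s*\d+(\s*,\s*\d+)*\s*", report_ids):
        raise ValueError("ReportIDs must be a comma-separated list of integers")
    ids = [int(x) for x in report_ids.split(",")]
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id FROM reports WHERE id IN ({placeholders})"
    return [row[0] for row in conn.execute(sql, ids)]

# Constructed requests: a legitimate one and one that smuggles SQL in.
GOOD_SOAP = "<Envelope><Body><reGenerateReports><ReportIDs>2</ReportIDs></reGenerateReports></Body></Envelope>"
BAD_SOAP = "<Envelope><Body><reGenerateReports><ReportIDs>2) OR (1=1</ReportIDs></reGenerateReports></Body></Envelope>"

if __name__ == "__main__":
    conn = make_db()
    # The vulnerable handler returns every report instead of only report 2.
    print(regenerate_reports_vulnerable(conn, report_ids_from_soap(BAD_SOAP)))
    try:
        regenerate_reports_safe(conn, report_ids_from_soap(BAD_SOAP))
    except ValueError as e:
        print("rejected:", e)
```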

Zenmap
This tool is open source and free to download. As you can see below, I gave it a host name (localhost) and asked it to run a quick scan. It basically scanned all the ports on the computer to show which were open. For example, it checked port 110, where POP3 is usually listening when people retrieve their email using POP3 from something like Microsoft Exchange.
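Zenmap is a front end for nmap, and nmap can save a scan as XML; the check below reads such a file and lists open ports that are not in a per-host baseline, which is the "ports that are open but should not be" question raised in the Metasploit section. This is an added example, not the author's scan output or nmap's own code; the XML fragment and the baseline are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the XML format nmap/Zenmap writes with -oX
# (not output from the author's scan): one host with four ports.
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="110"><state state="open"/><service name="pop3"/></port>
      <port protocol="tcp" portid="139"><state state="filtered"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical baseline: the ports each host is allowed to expose.
EXPECTED_OPEN = {"192.0.2.10": {22, 443}}

def open_ports(nmap_xml):
    """Return {address: {(port, service), ...}} for ports nmap reports as open."""
    result = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address").get("addr")
        found = set()
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state != "open":  # closed and filtered ports are not exposures
                continue
            svc = port.find("service")
            found.add((int(port.get("portid")), svc.get("name") if svc is not None else "?"))
        result[addr] = found
    return result

def unexpected_open(nmap_xml, expected=EXPECTED_OPEN):
    """Open ports missing from the baseline: each needs a reason or a firewall rule."""
    findings = {}
    for addr, ports in open_ports(nmap_xml).items():
        extra = {(p, s) for p, s in ports if p not in expected.get(addr, set())}
        if extra:
            findings[addr] = extra
    return findings

if __name__ == "__main__":
    for addr, ports in unexpected_open(SAMPLE_NMAP_XML).items():
        print(addr, sorted(ports))
```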


This is just a short overview of ethical hacking and how you can use it to help protect your business. One thing that I learned from it was something not at all related to ethical hacking. When I went to turn off the antivirus software as requested, I noticed that Windows Defender had already been disabled. That I would blame on other antivirus software I had installed and since removed; so be aware of that. The other thing to note about penetration testing software is that it knows about all known exploits, not just those limited to, say, Windows. If for no other reason than that, this is a good reason to use it yourself even if you do not hire an ethical hacker, as Windows Update will not fix software that is not part of Windows. You would have to rely on the other programs on your PC to update themselves, and not all companies allow that to run inside their network.