# Ethical hacking

by Paulo Choupina (paulochoupina.com)

---

# What is ethical hacking?

Ethical hacking is **when a hacker**, instead of doing malicious things with their skills, **uses** those same **skills** for **good**.

An **ethical hacker** uses the same knowledge and methods as a malicious hacker **to discover vulnerabilities** and bypass security measures. But **instead of taking advantage** of the findings for **criminal activity**, the **ethical** hacker **reports** those vulnerabilities **to the affected entities**, so that they can **fix them** before someone else exploits them.

---

# Role of an ethical hacker

Ethical hackers all around the world **help companies** and organizations protect their systems, **strengthening** their network **security** and making it **harder for others** with bad intentions **to exploit weaknesses**.

---

# White/Grey/Black Hats

It is common to **differentiate hackers** based on their **actions** or methods. By convention there are 3 types of hackers: **White Hats**, Black Hats, and Grey Hats.

White Hats, also referred to as **Ethical Hackers**, try to **protect organizations** **by responsibly reporting vulnerabilities** and helping other professionals fix them.

Meanwhile, **black hats**, also called **crackers**, try to **exploit the vulnerabilities** they find, engaging in **criminal activity**, sometimes for profit, other times for 15 minutes of fame.

The **Grey Hats** are somewhere in the middle. They too search for vulnerabilities, but their course of action depends on their agenda. **Maybe they report a vulnerability, maybe they don't.** They might even exploit it for profit, or sell it. It all depends on their **objective**.

---

## How do white hat hackers operate?

There are **multiple platforms online** where companies can create a profile and publicly disclose a program. These are called "**Bug Bounty Programs**".
It's a **recent** environment, where **companies pay hackers according to the vulnerabilities** they find.

**BugCrowd** presentation video: {%youtube wpAJ1xDxC5E %}

---

There are different **platforms** for **white hat hackers** to work as **freelancers** for companies that want to improve their security. Platforms such as:

![](https://i.imgur.com/ovMPbAc.png) (from the video);

![](https://i.imgur.com/iw33txP.png) is a big one too;

![](https://i.imgur.com/YxcJkDC.png) has lots of members;

![](https://i.imgur.com/Tpr19g3.png) (invite only)

**Cobalt**, etc.

---

They **differ** in minor things, but in essence **anyone that responsibly reports** a valid vulnerability **gets paid** by the affected company. It's a **win-win situation**: **companies can focus on fixing the vulnerabilities** and **hackers get to hack legally and earn money** in the process.

---

# Skills - "What do I need to participate?"

That is entirely **subjective**. I have seen companies pay researchers **$500** simply for reporting that a password could be set to the single character `1`.

Of course, **some things help**. Some examples:

1) A **programmer** with coding skills will **find a bug more easily** than **someone who has never coded** or is just starting out in security.

2) Someone who has **worked as a system administrator** will, in general, know better **which areas** are most commonly **affected by a specific vulnerability** than someone who has never dealt with vulnerabilities.

But **anyone can participate**, regardless of their level, skill, age, profession, etc.
You get paid as long as:

1- the bug is **validated**
2- it's **serious** enough
3- the affected company has a policy of **rewarding** researchers with money
4- the report **is not a duplicate**

Sometimes companies **reward** hackers in other ways, such as **points**, **swag** (t-shirts, stickers, clothing, etc.), a place in the hall of fame hosted on their website, or even subscriptions or licenses for paid software.

**As long as your intentions are good, it won't hurt to try.** At worst, you will learn something.

---

# The process of "bug hunting"

There are **several** ways to go about it. Well-known hackers like **@Jhaddix** openly share their methodology as "The Bug Hunter's Methodology", which includes **tools** and available **services** one can use to **improve the chances of actually finding a bug**.

**Because the hard part here is:** there are so **many** people testing a company. For your **submission** to be appreciated and **rewarded**, you have to **find** something that everyone else **missed**. To do that you need to create your own approach. That approach is normally called a "**methodology**".

---

# Methodology

# 1) First things first:

**Read the Disclosure Policy** of the company. After that, you will know what is **in-scope** (what you are legally allowed to test) and what is **out-of-scope** (what the company does not want you to touch).

There are different kinds of bug bounty programs. **For example**, companies that say "it's fair game as long as it belongs to us" will have a **wider scope** than others that only want reports on a specific asset. A company that rewards its researchers with money will be **more popular** than one that doesn't.

**So to properly choose your target, you need to read their program first.**

# 2) Recon

**Recon** is gathering **as much info** about the target **as you can**. Things like:

- **what is the company's field of work?**
- do they have a **website**?
  (subdomains, directories, pages)
- **how** was it **made**? (software, plugins, versions)
- which **IP ranges** belong to the company? (ASN, domains)
- what **services** are their IPs running? (Apache, nginx, MySQL)
- what are the **open ports** on a specific IP? (80, 8080, 443)
- what are the **banners** of those ports? (versions, type of software running)

etc.

Maybe you are a client of that company, and you know what they do and how they do it. For example, a hacker **reported** that he could multiply his money using PayPal services because there was a problem in the verification of withdrawals. In this case, **the hacker knew exactly how the company operated** and took advantage of that privileged knowledge to find and **submit a vulnerability**.

**Recon is a key step** in the methodology. For example, the Yahoo Bug Bounty Program says: "**`*.yahoo.com` is in scope**". That means any **subdomain**, any **directory** of that subdomain and any **page/file** in that directory is a **potential place to find bugs**. So in cases such as these, recon means things like:

- **ASNs** (IP ranges)
- **Acquisitions** (other companies that are in scope)
- **Shodan**
- **Reverse WHOIS** (other domains registered by the same owner) and **reverse IP lookup** (all domains hosted on a shared IP)
- **Subdomain enumeration** (passive sources, brute force)
- **Dorks** (Google, GitHub, Bing)
- **Link discovery** (browsing the site, Burp Suite)
- **Scraping** (spiders, crawlers)

etc. (all these things give you a **bigger area to test**)

**If you don't do these things**, you are restricted/**limited** to the front page of the main domain. In that case, your chances of actually finding, and being rewarded for, a bug are much **lower** than those of someone who does recon.
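Step 1 (in-scope vs out-of-scope) and the recon step both come down to one mechanical check that every host your enumeration turns up must pass before you send it a single request. The following is an added example of that check in Python; it is my code, not the author's tooling nor any program's official scope checker. The wildcard `*.yahoo.com` is the one quoted on the slide; the CIDR block, the exclusion patterns and every hostname in the target list are constructed for the example.

```python
"""Scope filter for recon output (added example, not the author's code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Scope:
    """A program's scope as read from its disclosure policy."""
    domains: List[str] = field(default_factory=list)   # "www.example.com" or "*.example.com"
    networks: List[str] = field(default_factory=list)  # CIDR blocks, e.g. "203.0.113.0/24"
    excluded: List[str] = field(default_factory=list)  # host patterns explicitly out of scope


def host_matches(pattern: str, host: str) -> bool:
    """Match one hostname against one scope pattern.

    "*.example.com" matches any depth of subdomain (a.example.com,
    a.b.example.com) but deliberately NOT the apex "example.com" and NOT
    look-alikes such as "evilexample.com" or "example.com.attacker.net".
    If the policy says the apex is included, list it separately
    (assumption: wildcard = subdomains only, the conservative reading).
    """
    pattern = pattern.strip().lower().rstrip(".")
    host = host.strip().lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".example.com", dot included
        return host.endswith(suffix)  # the leading dot rules out look-alikes and the apex
    return host == pattern


def ip_in_scope(scope: Scope, host: str) -> bool:
    """True if host is an IP literal inside one of the scope's CIDR blocks."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return any(addr in ipaddress.ip_network(net, strict=False) for net in scope.networks)


def is_in_scope(scope: Scope, target: str) -> bool:
    """Exclusions win over inclusions, as they do in most program policies."""
    if any(host_matches(p, target) for p in scope.excluded):
        return False
    if any(host_matches(p, target) for p in scope.domains):
        return True
    return ip_in_scope(scope, target)


def classify(scope: Scope, targets: List[str]) -> Dict[str, List[str]]:
    """Split recon output into what you may test and what you must leave alone."""
    result: Dict[str, List[str]] = {"in_scope": [], "out_of_scope": []}
    for t in sorted(set(targets)):
        result["in_scope" if is_in_scope(scope, t) else "out_of_scope"].append(t)
    return result


# Constructed scope: the wildcard from the slide plus a hypothetical CIDR
# block (TEST-NET-3) and a hypothetical exclusion of the corp environment.
EXAMPLE_SCOPE = Scope(
    domains=["*.yahoo.com"],
    networks=["203.0.113.0/24"],
    excluded=["corp.yahoo.com", "*.corp.yahoo.com"],
)

# Constructed recon output, including the two classic false positives.
SAMPLE_TARGETS = [
    "mail.yahoo.com", "login.yahoo.com", "yahoo.com",
    "evilyahoo.com", "yahoo.com.attacker.net", "vpn.corp.yahoo.com",
    "203.0.113.7", "198.51.100.9",
]

if __name__ == "__main__":
    for bucket, hosts in classify(EXAMPLE_SCOPE, SAMPLE_TARGETS).items():
        print(bucket)
        for h in hosts:
            print("  ", h)
```

Feed it the merged output of your subdomain enumeration, reverse IP lookups and ASN ranges, and only the `in_scope` bucket goes on to scanning; the `out_of_scope` bucket is the list of things that would get a report closed, or worse, if you touched them.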
**The better your recon is, the better your chances of succeeding.**

---

# Automation

If you know a **specific task that is always done the same way** for every single target, and your time would be better invested in things you can't automate... **then automate it!**

There are plenty of **tools** available online that will do practically anything for you, ranging from **vulnerability scanners** to simple port scanners, crawlers, brute forcers, scripts that inject payloads for you, and others that try to bypass security measures such as **upload filters**, etc.

**It is up to you to learn how to use them properly and take advantage of their results and the time & effort saved.** And if you can't find a tool for it, **just make your own**.

**(Check: paulochoupina.tk for my Online SQLi/XSS Scanner)**

---

# Code of conduct

**When doing a security audit for a company, the ethical hacker has to use good common sense.**

**For example**: you found an **SQL injection** that gave you access to an **administrator password** hash. You **cracked** the hash and **logged in as admin**. Next you found an **upload** feature that was easy to **bypass** and uploaded a **PHP backdoor**. Then you got a **reverse shell**, found the kernel version, ran the matching **local root exploit** and **BOOM!** **You owned the box.** And only then did you report it.

**MOST COMPANIES DON'T LET YOU DO THESE THINGS!**

You **may have ethics**, but if the target **publicly says** in the program:

- you should report SQL injection **immediately, without extracting data**, or at most retrieve the results of simple functions such as `user()`, `version()` and `database()`;
- **uploading** software is **not allowed**;
- **you can't hack into** user/admin **accounts**;

etc., and you did all those things anyway?! **Even if you report it**, don't expect the company to be all smiles and hugs about it.
**They will most probably not be thrilled, and may even prosecute you...** because you went **off-limits** and did things that **are considered a crime**.

---

**Curiosity:** there is a famous hacker called **Tommy "dawgyg" DeVoss**, one of the 6 millionaire hackers.

![](https://i.imgur.com/05mZ8iz.png)

He never writes reports that combine different kinds of bugs to escalate privileges, the kind of thing where you work for months on the same target and find multiple bugs that, chained together, give you a bigger impact. He doesn't, because as soon as he finds a bug, he reports it. The reason: he doesn't want to give the company any chance of thinking he has done something off-limits.

Even if you manage to get root without breaking the target's policies, most programs only allow you to run a few basic commands such as `id`, or maybe to touch a file in the `/root` directory with your name as the filename.

If you don't want to face potential legal and ethical issues, **you have to check the rules before you do anything that might call your ethics into question.** (Hell is full of good intentions.)

---

# Jobs

An **ethical hacker** can do most things in the security field, such as:

- system administrator;
- security consultant;
- security audits;
- **pentesting**;
- **bug bounty hunter**;
- **security research**;
- software testing;
- website testing;
- security analyst;

etc.

---

# Certifications

There are several certifications, some entry-level and others advanced. The **major** ones are:

- **CompTIA Security+**: most of the time this is the **first certification** professionals get. It proves that you understand the basics of security and can do simple tasks/projects in this field.
- **EC-Council Certified Ethical Hacker**: this one is the **standard** for ethical hackers and security professionals. It covers a broader spectrum of topics and is a good thing to have when you walk into an interview.
  Especially if you don't have paid professional experience yet.
- **Offensive Security certifications**: these are the **best of the best** in the security certification business. They are what would be considered the **advanced** certifications and provide instant recognition to those who hold them. The people who certify you are the same group responsible for Kali Linux and Exploit-DB. It is an advantage to be certified by them.

---

# Conclusion

**In conclusion**, I just want to show how I responsibly reported a bug to **Microsoft** last week and what you can expect when you approach a company properly.

**The bug**:

- Reflected Cross-Site Scripting in the URL path of download.microsoft.com

**Proof-of-Concept**: {%youtube XziEYWtmh_s %}

The report in their **researcher portal**:

![](https://i.imgur.com/3eUVHWE.png)

---

Details via email:

![](https://i.imgur.com/WwDLvvD.png)

---

Response, with the **vulnerability validated**:

![](https://i.imgur.com/33jqjUk.png)

---

Follow-up, with **official acknowledgement**:

![](https://i.imgur.com/BSrrHET.png)

# Last one, I swear:

I reported this (4 days ago):

![](https://i.imgur.com/HK0tVrn.png)

Got this:

![](https://i.imgur.com/XiVrMup.png)

Responded with this:

![](https://i.imgur.com/RU5LuvL.png)
![](https://i.imgur.com/RqvctY8.png)
![](https://i.imgur.com/deKo70w.png)
![](https://i.imgur.com/CxaXxoi.png)
![](https://i.imgur.com/I0EQyBd.png)

# Thank you for your attention!

paulochoupina.com
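---

# Appendix: what a reflected-XSS probe actually checks

The Automation slide points at the author's SQLi/XSS scanner and the Conclusion shows a reflected XSS in a URL path. The block below is an added example of the core of such a probe, written for this page; it is not the author's scanner and not Microsoft's code, and nothing in it reproduces the actual download.microsoft.com issue. The three request handlers (`vulnerable_page`, `strip_tags_page`, `hardened_page`), the path prefix and the canary markers are all hypothetical, constructed so the probe runs offline against a raw echo, a half-baked tag-stripping filter, and a proper entity-encoding fix.

```python
"""Reflection probe for XSS in a URL path segment (added example)."""
import html
import re
from typing import Callable

# Canary: two unlikely markers around the characters that matter for XSS.
# Finding the markers in the response proves the input is reflected; what
# survives raw between them tells us how (if at all) it was encoded.
MARK_L, MARK_R = "zq7x", "xzq7"
SPECIALS = "\"'<>"
CANARY = MARK_L + SPECIALS + MARK_R
BASE_PATH = "/download/"  # hypothetical path prefix


# --- Three hypothetical server handlers (constructed for the example). ------
# Each receives the already percent-decoded request path, as a web framework
# hands it to the application, and returns the HTML body of a 404 page.

def vulnerable_page(path: str) -> str:
    """Echoes the requested path into the HTML as-is: reflected XSS."""
    return f"<html><body><p>File not found: {path}</p></body></html>"


def strip_tags_page(path: str) -> str:
    """Half-baked fix: drops < and > but leaves quotes, so the value is
    still dangerous wherever it lands inside an attribute."""
    cleaned = path.replace("<", "").replace(">", "")
    return f"<html><body><p>File not found: {cleaned}</p></body></html>"


def hardened_page(path: str) -> str:
    """Correct fix for HTML text/attribute context: entity-encode the value."""
    return f"<html><body><p>File not found: {html.escape(path, quote=True)}</p></body></html>"


# --- Scanner side ------------------------------------------------------------

def unescaped_specials(body: str) -> str:
    """Special characters reflected raw between the markers ('' if none).

    A server that encodes the canary returns zq7x&quot;&#x27;&lt;&gt;xzq7:
    the markers are there but no raw special character is, so this is ''.
    """
    m = re.search(re.escape(MARK_L) + "(.*?)" + re.escape(MARK_R), body, re.S)
    if not m:
        return ""  # input not reflected at all (or markers mangled)
    return "".join(c for c in SPECIALS if c in m.group(1))


def assess(render: Callable[[str], str]) -> str:
    """Send the canary in the URL path and classify the reflection."""
    body = render(BASE_PATH + CANARY)
    raw = unescaped_specials(body)
    if not raw:
        return "safe"          # not reflected, or every special char encoded
    if "<" in raw and ">" in raw:
        return "xss:html"      # attacker can open a new tag, e.g. <script>
    return "quotes-raw"        # no tags, but attribute injection if the value lands inside one


if __name__ == "__main__":
    for handler in (vulnerable_page, strip_tags_page, hardened_page):
        print(f"{handler.__name__:16} -> {assess(handler)}")
```

Against a live target the same logic sits behind an HTTP client: send `BASE_PATH + urllib.parse.quote(CANARY, safe="")` and run `unescaped_specials` over the response body. Two caveats a scanner must handle that this example deliberately keeps out of the way: the check above only covers HTML text and attribute contexts (a value reflected inside a `<script>` block or a URL attribute needs different characters and different encoding), and a result of `quotes-raw` is only exploitable when the reflection is inside an attribute, so the surrounding HTML has to be inspected before reporting it.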