We use cookies on this website to improve the experience we provide. By continuing to use our site you agree to this, or visit our cookie policy to manage your settings.
Saved courses
Search website

What is ethical hacking?

Blog

What is Ethical Hacking?.mp4

 

[00:00:00] Speaker 1 If you've got a camera or a mic, I can turn those on. I can say hello to you at 3:00 in the morning in a very friendly Brummie accent, saying, Hi, I'm Ron. Today I'm going to do a brief ten- five, minute hack on Windows 8. Windows 8 is a little bit old, but we're not attacking Windows eight, were attacking an application called Java. Java is an application that runs on quite a lot of games. So if you're into games and you're doing Java games, you might have seen it. 

 

[00:00:36] People that have got computer skills, computer knowledge that are breaking into systems. Now if I'm a Whitehat hacker, I am doing that with permission. So I'm subject to the laws of the land and I'm doing it with permission of the owner of the network. A grey hat is somebody that's doing it full time as a white hack, but may be doing some research and we'll get into the laws a little bit later. A black hat. He's doing it maliciously. If you are ethical, you are generally working for a company and you are performing a security assessment or a security audit and working with that client to make sure that their security is robust. Really. So the bad guys or the bad girls nowadays can get into the network or can't get into the network. 

 

[00:01:27] It takes me about 5 minutes. And really what I'm trying to do is get you to click on a link. So this is a click jack attack where it would be something free, something useful that you want, but it's actually giving me access to your machine. I'm going to search for the Java signature. So there is a vulnerability in Java that allows me to do a reverse TCP connection. Now that's important because from your point of view, if I'm your machine and I'm connecting out to the internet, that traffic will go through your firewall. I'm not attacking you. You're connecting to me. I've got my local host address just for this demo. I don't actually need to do that for this to work. And I've got my local port set up. So that's four lines of code. I then say where I want that connection to come back to me onto my machine. Now, if I was doing this in slightly more detail, really, I would point that to a proper website. But in this demo I'm not doing that. I then create my payload, which is my reverse TCP connection. And as I said a moment ago, that's the connection from your machine through your firewall across the Internet to me. And that's six lines of code. So with six lines of code, I've got my website set up. 

 

[00:02:53] It's a vulnerability assessment. So it depends. There's many facets. I'm traditionally a network security person, so I would look at routers and switches. You can focus on applications. So if a new application comes out, you can do testing on that. Websites is huge. Everybody's got a website. You could do things like SQL injections on a website. So when you're logging into a website you would have a username and password. That username and password is going back predominantly to a database, usually an SQL database. If I inject code into that form, that database may give me information that it was never intended to do. 

 

[00:03:39] Now all I need to do is entice you to go and click on that URL. So how do I do that? What would get you to click? Would it be free food, free McDonald's, free kittens, a free day at the spa? It can be anything and everything. And I can send out hundreds of thousands of emails with all different versions of that. And as you can see, once you click the link, we go got a meterpreter session that's popped up. I've now got an encrypted connection from you to me, and unfortunately this is where it gets a little bit creepy. I've now got complete access to your machine. That's your C drive, that's your D drive, that's your camera that's your mics, absolutely everything. Any files that you've got, I've got complete access to. I can open up those files, I can download those files. And again, if I was being malicious, I would actually start to install other vulnerabilities and other viruses onto your system. I can take a screenshot which I'm just about to do. There you go. There's a screenshot of the desktop. Again, if you've got a camera or a mic, I can turn those on. I can record you, I can say hello to you at 3:00 in the morning in a very friendly Brummie accent, saying, Hi, I'm Ron. If you store your passwords - and again, I'm just going to show a little example. I've gone into my folder of Ron. I'm going to have a look. I've very foolishly stored my passwords as a plain text file. So very quickly now I can open up that plain text file. And even if it's in a word document or you've got some sort of encryption on it, I might be able to download that file and view my passwords so. And there you go. There's my BCU password, my bank account number, and my bank account pin. And that took, what, 10 minutes? Probably less than that to break into your machine. And I've got complete control. 

 

[00:05:52] So to be a good ethical hacker, you need a quite a rounded skill set, an understanding of operating systems. So Windows, Linux, Apple, Android, that's becoming quite a big area. A good understanding of networking. So the ISO seven layer model routers switches. And so again, from a course point of view you would be Cisco, Juniper, Palo Alto. They're different companies that we work with and teach those technologies. 

 

[00:06:26] It's very broad. I mean, you don't just have to do ethical hacking. So that's the more offensive side of security. So you're testing networks, you're working with clients, you can be on the defensive side. So that's blue teaming, working in a network operation centre, a secure operation, since it's your monitoring from a cyber security point of view. Oh, at the moment if you've got a lot of skills. So if you can do Windows, you can do Linux, you can do Web graduates 35 to 40 if you've been in the industry, 100,000 plus. 

 

[00:07:06] A student should come to BCU to study ethical hacking because it's the best model ever. You get paid to be naughty, you get to break into systems, you get to beat everybody else's security. There's a there's a mentality of, can I beat you? Can I beat your security? I'm better than you. That puzzles that lateral thinking about thinking outside the box. Actually, if you're on the spectrum, people that have got dyslexia, I'm dyslexic. We think differently. That's great because you think differently and therefore you can get round all of the security and you can get it. And that when you beat somebody is the best feeling in the world. 

 

[00:07:49] You have to have permission to be an ethical hacker. If you don't have permission, then you're an unethical hacker. And actually, I've just broken the Computer Misuse Act, Section one, Section two, and Section three. That will get you if you get caught and you probably will get caught nowadays up to ten years in jail. In prison. Not a very nice place to go, I would imagine. So please come to the university. We'll teach you how to do this ethically. 

 

[00:08:18] So there's a quick review of please don't click links that you shouldn't. Make sure you know who they come from and where they come from. And if the offer is true, Good. Too good to be true. Back away. Hopefully you found that informative. Thank you for watching. 

So, what is ethical hacking? Have you ever wondered how hacking could ever be legal? As technology becomes increasingly integrated into our daily lives, the need for strong cybersecurity measures is more important than ever. 

Associate Professor of Networks and Security, Ron Austin, has nearly two decades of industry experience in networking and teaches students at BCU. Ron is our expert on ethical hacking and is here to answer all your questions about the subject.  

View video transcription

What are the types of hackers? 

There are three – a White-hat Hacker, a Grey-hat Hacker, and a Black-hat Hacker. 

If I’m a White-hat, I am doing that with permission. So, I'm subject to the laws of the land, and I'm doing it with the consent of the network's owner. A grey hat is somebody doing it full-time as a White-hack, but they may be doing some research into how Black-hats operate. A Black-hat is someone who’s doing it maliciously.  

What is an ethical hacker, and what are they looking out for? 

If you are ethical, you are generally working for a company and performing a security check or a security audit and working with that client to ensure their security is robust. If you’re performing an ethical hack, it's a vulnerability assessment. Cybersecurity jobs have many facets: you could be a network security individual and look at routers and switches. Or you could focus on applications, so if a new application comes out, you can do testing on that website, which is enormous - everybody's got a website.  

What’s one of the easiest hacks going around? 

There’s something called a click-jack attack; really, they’re trying to get you to click on a link. Commonly they will be falsely advertising something free, practical, and what you want. If the link gets clicked, it gives the hacker complete access to your machine.  

Computing Courses

Find out more about our courses

Take me there

What skills are needed to become an ethical hacker? 

You need quite a rounded skill set and a wide understanding of networking and different operating systems: so, Windows, Linux, Apple, and Android. From a course point of view here, you’ll get the chance to learn Cisco, Juniper, and Palo Alto - they're different companies that we work with and teach those technologies.  

You don't just have to do ethical hacking - that's the more offensive side of security. You can also be on the defensive side, otherwise known as ‘blue teaming’; this is working on a security operation in a network operation centre, and you’re monitoring from a cyber security point of view.  

How much money does an ethical hacker earn? 

Currently, if you've got a lot of skills and can do Windows and Linux, you can do Web, and graduates can make 35-40k. If you've been in the industry a while, then 100,000k plus.  

Why study ethical hacking at BCU?  

It’s truly the best job ever - you get paid to be naughty: you get to break into systems, and you get to beat everybody else's security, It's especially great If you enjoy lateral thinking and thinking outside the box.

If you’re on the spectrum or dyslexic, like myself, we as individuals think differently, which is great because you can get around all the security, and you can get in. Lastly, it’s that feeling when you beat someone in this kind of challenge – it's the best feeling in the world.  

Do not forget - you must have permission to be an ethical hacker. If you don't have permission, you're an unethical hacker which is illegal and means ten years in jail. So come to BCU; we'll teach you how to do this ethically! 

In summary, studying Networks and Security here at Birmingham City University is a great way to gain the knowledge, skills, and connections needed to succeed in this in-demand field.

RON AUSTIN
Associate Professor of Networks and Security

What should you do next?

Find a course

We offer an extensive selection of more than 100 courses, spanning a wide range of subjects for you to explore.

Find a course

Come to an Open Day

Expert academics, state-of-the-art facilities and an inclusive student community - there's so much going on at Birmingham City University. Be at the heart of it all at one of our Open Days.

View our upcoming Open Days

Sign up to find out more

Our emails are a great way to learn more about the University and find out what it's really like to study with us!

Sign up to hear from us

Download one of our helpful Guides

Our guides contain expert advice and guidance designed to help you before joining university.

Follow us on social media

Follow our social media channels to stay up-to-date with everything that's going on at BCU.

What is Ethical Hacking?.mp4

 

[00:00:00] Speaker 1 If you've got a camera or a mic, I can turn those on. I can say hello to you at 3:00 in the morning in a very friendly Brummie accent, saying, Hi, I'm Ron. Today I'm going to do a brief ten- five, minute hack on Windows 8. Windows 8 is a little bit old, but we're not attacking Windows eight, were attacking an application called Java. Java is an application that runs on quite a lot of games. So if you're into games and you're doing Java games, you might have seen it. 

 

[00:00:36] People that have got computer skills, computer knowledge that are breaking into systems. Now if I'm a Whitehat hacker, I am doing that with permission. So I'm subject to the laws of the land and I'm doing it with permission of the owner of the network. A grey hat is somebody that's doing it full time as a white hack, but may be doing some research and we'll get into the laws a little bit later. A black hat. He's doing it maliciously. If you are ethical, you are generally working for a company and you are performing a security assessment or a security audit and working with that client to make sure that their security is robust. Really. So the bad guys or the bad girls nowadays can get into the network or can't get into the network. 

 

[00:01:27] It takes me about 5 minutes. And really what I'm trying to do is get you to click on a link. So this is a click jack attack where it would be something free, something useful that you want, but it's actually giving me access to your machine. I'm going to search for the Java signature. So there is a vulnerability in Java that allows me to do a reverse TCP connection. Now that's important because from your point of view, if I'm your machine and I'm connecting out to the internet, that traffic will go through your firewall. I'm not attacking you. You're connecting to me. I've got my local host address just for this demo. I don't actually need to do that for this to work. And I've got my local port set up. So that's four lines of code. I then say where I want that connection to come back to me onto my machine. Now, if I was doing this in slightly more detail, really, I would point that to a proper website. But in this demo I'm not doing that. I then create my payload, which is my reverse TCP connection. And as I said a moment ago, that's the connection from your machine through your firewall across the Internet to me. And that's six lines of code. So with six lines of code, I've got my website set up. 

 

[00:02:53] It's a vulnerability assessment. So it depends. There's many facets. I'm traditionally a network security person, so I would look at routers and switches. You can focus on applications. So if a new application comes out, you can do testing on that. Websites is huge. Everybody's got a website. You could do things like SQL injections on a website. So when you're logging into a website you would have a username and password. That username and password is going back predominantly to a database, usually an SQL database. If I inject code into that form, that database may give me information that it was never intended to do. 

 

[00:03:39] Now all I need to do is entice you to go and click on that URL. So how do I do that? What would get you to click? Would it be free food, free McDonald's, free kittens, a free day at the spa? It can be anything and everything. And I can send out hundreds of thousands of emails with all different versions of that. And as you can see, once you click the link, we go got a meterpreter session that's popped up. I've now got an encrypted connection from you to me, and unfortunately this is where it gets a little bit creepy. I've now got complete access to your machine. That's your C drive, that's your D drive, that's your camera that's your mics, absolutely everything. Any files that you've got, I've got complete access to. I can open up those files, I can download those files. And again, if I was being malicious, I would actually start to install other vulnerabilities and other viruses onto your system. I can take a screenshot which I'm just about to do. There you go. There's a screenshot of the desktop. Again, if you've got a camera or a mic, I can turn those on. I can record you, I can say hello to you at 3:00 in the morning in a very friendly Brummie accent, saying, Hi, I'm Ron. If you store your passwords - and again, I'm just going to show a little example. I've gone into my folder of Ron. I'm going to have a look. I've very foolishly stored my passwords as a plain text file. So very quickly now I can open up that plain text file. And even if it's in a word document or you've got some sort of encryption on it, I might be able to download that file and view my passwords so. And there you go. There's my BCU password, my bank account number, and my bank account pin. And that took, what, 10 minutes? Probably less than that to break into your machine. And I've got complete control. 

 

[00:05:52] So to be a good ethical hacker, you need a quite a rounded skill set, an understanding of operating systems. So Windows, Linux, Apple, Android, that's becoming quite a big area. A good understanding of networking. So the ISO seven layer model routers switches. And so again, from a course point of view you would be Cisco, Juniper, Palo Alto. They're different companies that we work with and teach those technologies. 

 

[00:06:26] It's very broad. I mean, you don't just have to do ethical hacking. So that's the more offensive side of security. So you're testing networks, you're working with clients, you can be on the defensive side. So that's blue teaming, working in a network operation centre, a secure operation, since it's your monitoring from a cyber security point of view. Oh, at the moment if you've got a lot of skills. So if you can do Windows, you can do Linux, you can do Web graduates 35 to 40 if you've been in the industry, 100,000 plus. 

 

[00:07:06] A student should come to BCU to study ethical hacking because it's the best model ever. You get paid to be naughty, you get to break into systems, you get to beat everybody else's security. There's a there's a mentality of, can I beat you? Can I beat your security? I'm better than you. That puzzles that lateral thinking about thinking outside the box. Actually, if you're on the spectrum, people that have got dyslexia, I'm dyslexic. We think differently. That's great because you think differently and therefore you can get round all of the security and you can get it. And that when you beat somebody is the best feeling in the world. 

 

[00:07:49] You have to have permission to be an ethical hacker. If you don't have permission, then you're an unethical hacker. And actually, I've just broken the Computer Misuse Act, Section one, Section two, and Section three. That will get you if you get caught and you probably will get caught nowadays up to ten years in jail. In prison. Not a very nice place to go, I would imagine. So please come to the university. We'll teach you how to do this ethically. 

 

[00:08:18] So there's a quick review of please don't click links that you shouldn't. Make sure you know who they come from and where they come from. And if the offer is true, Good. Too good to be true. Back away. Hopefully you found that informative. Thank you for watching.