ETHICAL HACKING

Basic Threats

1. Theft of password.
2. Email based threats.
3. Email based extortion.
4. Launch of malicious programs.
5. Internet time theft.

Corporate Threats

1. Web Defacement.
2. Corporate espionage.
3. Website based launch of malicious code cheats & frauds.
4. Exchange of criminal ideas and tools.
5. Cyber harassment.
6. Forged websites.

Online Threats

1. Email spamming.
2. Theft of software, electronics records, computer hardware’s
etc.
3. Cyber stalking
4. Email bombing.
5. Morphing.
6. Denial of service attack.
Other Thefts

1. Theft of information.
2. Email forgery.
3. Theft of e-cash, credit card numbers, online bank accounts
etc.

Cyber Crimes
– Dutch gulf war hackers

Tried to sell stolen documents to Iraq.

– Rom labs hackers.

UK teens looking for UFOs and cyber trophies.

– Master of downloading.

Member of Indian militants organization tried to buy stolen

material from Chameleon and others for 1000$.

What is information security?

Every information user is a node where information can leak
out.
Information security is necessary to secure the information
of any user.

It include following in today’s terms

 1. Data security.
2. Computer security.
3. LAN security.
4. Internet security.
5. Web or network security.

What is HACKING
Unauthorized use or attempts to bypass security mechanism of
any information system like computer/ server/ network.

Security and Hacking together

To catch a thief thinks like a thief.

The idea is that if as a security professional you don’t know what
threats you are facing from crackers or hackers, u will never be
able to build an efficient security system.

Hackers VS Crackers
Feature of a Hacker(White hat hacker)

1. Abundance of knowledge and experience.

2. Good guy.
3. Strong ethics.
4. Never indulge in cyber crimes.
5. Catches computer criminals.
Feature of a Cracker.

1. Abundance of knowledge and experience.

2. Bad guy.
3. Weak ethics.
4. Indulge in computer crimes.
5. Is a computer criminal himself.
Ethical Hacking or White hat hacking.

Definition:- Also known as penetration testing or white hat

hacking, it involves same tricks and techniques that hacker uses
but with difference.
– Ethical hacking is legal.
– Ethical hacking is done with target’s permission.
– The intent of ethical hacking is to discover vulnerabilities
in target system from hacker’s viewpoint so system can
be more secure.
– It’s part of overall risk management program that allows
for ongoing security improvements. Ethical hacking can
also ensure that vendors’ claims about security of their
products are legitimate.
– You need protection from hacker’s shenanigans.
– An Ethical hacker possesses the skills, mindsets and the
tools of hacker but it is also trustworthy.
– Ethical hackers perform hacks as security tests for their
systems.

What do Ethical Hacker do?

Ethical hackers tries to answer:

• What can the intruder see on the target system?
(Reconnaissance and Scanning phase of hacking)

• What can an intruder do with that information? (Gaining

Access and Maintaining Access phases)
• Does anyone at the target notice the intruders attempts or
success? (Reconnaissance and Covering Tracks phases)

If hired by any organization, an ethical hacker asks the

organization what it is trying to protect, against whom
and what resources it is willing to expend in order to
gain protection.

Black Hat Hacking

– This popularly known as cracking. This essentially means

hacking into systems for malicious purposes. The
community of black hat hacking is growing in number of
people and skills.

Steps to Ethical Hacking

1. Web Based Password Cracking

2. Scanning
3. Enumeration
4. System Hacking
5. Trojans and Backdoors
6. Sniffers
7. Denial of Service
8. Social Engineering
9. Session Hijacking
10. Hacking Web Servers
11. Web Application Vulnerabilities
12. Footprinting

Techniques
1. SQL Injection
2. Hacking Wireless Networks
3. Viruses
4. Novell Hacking
5. Linux Hacking
6. Evading IDS, Firewalls and Honey pots
7. Buffer overflow attack
8. Cryptography.

Phases of Hacking

Phase 1:- Reconnaissance

– Reconnaissance refers to the preparatory phase wherein attacker

seeks to gather as much information as possible about a target of
evaluation prior to launching an attack.

– It involves network scanning either external or internal without

authorization

– Business Risk – ‘Notable’ – Generally noted as a “rattling the door

knobs" to see if someone is watching and responding.

– Could be future point of return when noted for ease of entry for an
attack when more is known on a broad scale about the target.

Passive reconnaissance involves monitoring

– Examples include sniffing, information gathering etc. Active

 reconnaissance involves probing the network to detect

– accessible hosts

– open ports

– location of routers

– details of operating systems and services

–
 Reconnaissanc Clearing Tracks
e
Phase 2 Scanning
– Scanning refers to pre-attack phase when the hacker scans the
network with specific information gathered during reconnaissance.

– Business Risk – ‘High’ – Hackers have to get a single point of entry

to launch an attack and could be point of exploit when
vulnerability of the system is detected. Maintaining Access
Scanning
– Scanning can include use of dialers, port scanners, network
mapping, sweeping, vulnerability scanners etc

Phase 3: Gaining Access Gaining Access

Gaining Access refers to the true attack phase.

– The exploit can occur over a LAN, locally, Internet, offline, as a

deception or theft.

– Examples include stack-based buffer overflows, denial of service,

session hijacking, password filtering etc.

– Influencing factors include architecture and configuration of target

system, skill level of the perpetrator and initial level of access
obtained. Business Risk – ‘Highest’ - The hacker can gain access at
operating system level, application level or network level.

Phase 4: Maintaining Access

– Maintaining Access refers to the phase when the hacker tries to
retain his ‘ownership’ of the system.

– The hacker has exploited a vulnerability and can tamper.

 Sometimes, hackers harden the system from other hackers as well
(to own the system) by securing their exclusive access with
Backdoors, Root Kits, Trojans horse and Backdoors.

– Hackers can upload, download or manipulate data /Reasons

include need for prolonged stay, continued use of resources,
removing evidence of hacking, avoiding legal action etc.

Phase 5: Covering Tracks.

– Covering Tracks refers to the activities undertaken by the hacker to
extend his misuse of the system without being detected.

– Reasons include need for prolonged stay, continued use of

resources, removing evidence of hacking, avoiding legal action etc.

– Examples include Steganography tunneling, altering log files etc.

Hackers can remain undetected for long periods or use this phase
to start a fresh reconnaissance to a related target system.

Phases of Hacking: Let us go some practical.

IP Revealed

IP (Internet Protocol role in Security and Hacking)

IP Addresses
a) Every system connected to a network have a unique IP address which acts as
its unique identity on network.

b) An IP address is 32 bit address which is divided in four fields of 8 bits each.

For example 198.168.0.77
 c) An attacker’s first step is to find the IP address of the target system.

Finding out an IP Address.

– A remote IP address ca be found out by any of the following methods.

1. Through instant messaging software.

2. Through internet relay chat.
3. Through your website.
4. Through email header.
5. Through message board postings.
Finding an IP Address by Instant Messenger

Instant Messengers
Ask your friend to come online and chat with u.

Case 1:-

If you are chatting on ICQ than following connection is exist between your system
and your friends system.

Your system -------directlink------ Your friend’s system.

Friend’s system---- direct link------Your system.

Now go to the MsDos command line and type

C:\>netstat –n

This command will give u the IP address of your friend’s computer.

Case 2:-

If u are chatting some other instant messengers like Yahoo or msn etc. then
following indirect connection is made.

Your system----chat server----- Friend’s system.

Friend’s system--chat sever----- Your system.

In this case you have to make direct connection between your system and your
system by sending a file or by call feature.

Then go to the MsDos and type

C:\>netstat –n

This will give u the IP address of your friend’s system.

Precautions:-

– Do not accept File transfer or call from unknown people.

– Chat online only after logging through a proxy server.

Protecting your IP Address: Proxy Servers

Proxy Servers
Definition

A proxy server acts as a buffer between u and the internet hence it protects your
identity on Internet.

Working:-

Case 1: your system ---proxy server ----- friend’s system.

Case 2: your system--- proxy server ------ chat server ------friend’s system.

Good Proxy Servers:-

– Wingate and WinProxy for windows platform.

– Squid (for Unix platform)

Proxy Bouncing
Definition:-

Proxy Bouncing is the phenomenon in which u connect to several proxies than to

actual system.

Working:

Your system--------proxy1----- proxy2------proxy3-------proxy4------

destination

Tools:- Multiproxy.

Finding an IP address via Email Headers

Email Headers

– Email service providers add the IP address of the sender to each outgoing
email.

– A typical analysis of the email header will tell u the IP address of the
computer from where the email has been originated.

Yahoo Email Header:-

To obtain yahoo mail header

a) Click on email which header you want to retrieve.
b) Click on the full headers on the right most corner of the email this will open
up the mail headers.

Google mail:-
To obtain Google mail headers

a) Click on mail which header u want to retrieve.

b) Click on “More Option”
c) Click on “Show Original”.

This will open up email header.

Email Tracking

You can track source email by email header.

This is used to detect
 a) Detect forged emails.
b) Abusive emails.
c) Catch criminals which use email as a crime.

How to Identified Secure Connection:-

– In the browser URL u notice a https://

– Right click on that page u are visiting and click on properties settings to
view the certificate of that page.

IP Spoofing

Definition:

It is the art of changing your system’s IP address so that target system thinks that u
are some one else.

A method of attack used by network intruders to defeat network security measures.

An attack using IP spoofing may lead to unauthorized access, and possibly root
access on the target system.
A method to prevent the IP spoofing is to install a filtering router that does not
allow incoming packets which have source address.

Phase 2: Scanning, Fingerprinting and Information Gathering.

“To attack a system you must know the system, must for an ethical hacker”

What is a port?

– The first step, once the target computer is decided is to find out as much
information as you can find out.
– In order to break in a system you need to exploit any vulnerability existing
in the services offered by it.
– Almost all system have certain open ports, which have certain services
running on them.
– Attacker have to scan the target system for open ports with certain services
running and choose which service can be exploited to get root or
administrator services.
There are two types of ports:

a) First are the hardware ports , which are slots existing behind the CPU
cabinet of your system, in which u plug in or connect your hardware . For
e.g.

COM 1, COM 2 Parallel Port

b) However a hacker is not interested in hardware ports. They are interested in

other type of ports which are virtual or software ports.

c) Such a port is basically a virtual pipe through which information goes in and
out.

All open ports have service running on these ports which provides a certain service
to the user who connects to it.

Example:-

Port 25 is always open on a server handling mails. It is the port where sendmail
service is running by default.

The attacker’s quest to break the system is to find out as much information on it as
possible

1. One has to find out the operating system of the target system. This can
be done as:-

a) Service grabbing.
b) Active fingerprinting.
c) ICMP message.
d) Passive fingerprinting.

2. One has to get a list of services running on the various open ports on the
target system and then decide on a vulnerable service which can be
compromised.

Steps to find out these information:-

 a) Port scanning.
b) Daemon grabbing.

3. Firewall Detection.

a) ICMP message.
b) Banner grabbing.
c) Port scanning.

4. One also needs to look into the details of the network to which the target
system belongs. For example how the network is organize , the subnet
addresses etc.

a) Traceroute.
b) ICMP messages.

Port Scanning:-
Definition :-

Port scanning means to scan the target system to obtain the list of open ports,
which are listening for the connection.

How does the port scanner deduce whether a particular port on the target
system is open or close?

There are various port scanning techniques employed by different port scanners.

– You launch telnet and manually telnet to each port.

– In a manual port scan, when you telnet to a port of a remote host, a full three
way handshake takes place, which means that a complete TCP connection
opens.
 – This is not more convenient method. To make it more convenient many new
port scanning techniques are developed.

P
Hacke
r Dial
Dial In
Mode
Serv
m

Intern
Outsid
e Insid
Firew e

Almost all port scan are based on the client sending a packet to the target port of
the system, containing a particular flag.

Thus we can recapitulate a TCP connect scan in following method.

1. The client sends a SYN packet to a particular port of the target system.
2. If that particular port is open, the target system replies with a SYN/ACK
packet.
3. A reset packet basically tells the client to end the connection.

Socket Pairs.
Socket pairs are the combination of IP addresses and the ports.

Like computer have IP address 99.99.99.99.

Example:-

99.99.99.99:25

Is a Socket Pair. It means if other system with different IP address want to

connect with HTTP and FTP ports simultaneously then target computer never
confused and it will automatically connect to the HTTP and FTP connections
and run the both the services simultaneously.

SYN/HALF OPEN SYN PORT SCANNER

TCP scanners were detectable so programmers around the world developed a

new kind of port scanner, a new kind of port scanner, the SYN scanner ,which
did not establish a complete TCP connection.

The working of SYN or half open SYN port scanner.

a) SYN port scanner sends a TCP packet containing the SYN flag (which in
turn contain the port number) to the remote host.
b) The remote system replies with either SYN/ACK or RST/ACK.
c) If the client receives a SYN/ACK from the server, then the port is in
listening state. However if client system receives a RST/ACK then it means
that the port is not in listening or in other there is no service is running on
that particular system.
 Detection of the SYN scan:-

1. SYN sent from

client

2. SYN/ACK sent from Server

3. ACK sent from

– If we give the following netstat command and observe several connections

in the SYN_RECIEVED state (initiated by the same remot client) then it
probably means that your system is being SYN scanned:

C:/windows>netstat –a

1. One can easily counter-attack TCP SYN scans by simply adding rules in
 the firewall which will block such SYN scan attempts.

TCP FIN Scanning:-

TCP FIN scan are very popular. They are mostly used on UNIX systems, as other
operating systems, due to the way their stacks are designed, are known to respond
to FIN packets sent to open ports with a RST packet. This irregularity in the
implementation employed by the various operating systems can also be used for
remote OS fingerprinting.

Using a Port scanner to get information on the target system:-

a) The first step is to get good port scanner, preferably a stealthy one and then do
a port scan on the target system. Most of the stealthy port scanners are
detectable. So code your own port scanner is better. The best port scanner are
those which send SYN/FIN packets from a spoofed address or host.

The most common ports are:-

Port No. Services

21 FTP
23 Telnet
25 SMTP
53 DNS
79 Finger
80 HTTP
110 POP
111 not useful
389 not useful
512 rlogin

Some Utilities are

– NMAP
– SATAN
– HPing
– Port Scanners etc.
Try to keep eye on TCP port 12345 and UDP port 31337. These are the default
ports for popular Trojans: NetBus and BO

Although there is simply no way that one can prevent or stop client from port
scanning your machine, it is highly advisable one uses software to detect and track
the port scanning attempts.(For UNIX system- Scanlogd and for windows system-
Black ICE)

One should install a firewall or some kind of sniffing tools.

Daemon Banner Grabbing

All open ports have service running on them. As soon as you telnet or connect to
such open ports, you are greeted by a welcome message, which is actually known
as daemon banner.

A daemon banner contains certain information about the daemon running on that
particular port, other system information and sometimes message of the day.
It contains operating system name, daemon name and version time and date, etc.

ICMP Scanning
The Internet Control Message Protocol(ICMP) is the defacto protocol used for
reporting errors that might have occurred while transferring the data packets over
network.

Extremely useful in Information Gathering. Can be used for find the following:

– Host detection.
– Operating system information.
– Network topography information.
– Firewall detection.
ICMP scanning: Host Detection Technique.

This technique reveals whether a particular operating system is connected or

not.
It makes use of the ‘echo request’ and ‘echo reply’ ICMP messages.
 Working:-

Client --------- ICMP Echo Request--------- Host

Case 1: (Alive) Host ----------- ICMP Echo Reply--------Client.

Case 2: (Not Alive) ------------ There is no response.

• The PING utility can also use for

– Host detection purpose.

– To clog up valuable network resources by sending infinite ‘Echo Request’
ICMP messages.
– Firewall detection.

Echo requests or ping messages can e3asilly filtered at the router level by using the
below Access Control List (ACL)

• Access list 101 deny icmp any any 8

• Traceroute cane easily be used for following purposes

• OS detection
• Firewall detection
• Network topography information
• Geographical location of the host.

• Remote OS Fingerprinting
• Active Fingerprinting

• Passive Fingerprinting

The underlying concept behind the remote OS fingerprinting is the fact that due to
different stacks different OS responds differently to the same packet that is to sent
by some system.
This difference in responses is used as benchmark of differentiating between
various operating system.

Thus the working of OS Fingerprinting can be described as:

Attacker -------------customized packet ----------- Remote Host

Remote Host------ Responses --------- Attacker

Depending on this responses the OS of the remote system is identified

• Active Fingerprinting
In active fingerprinting attacker performs these operations

• A customized packet is send to the remote system.

• The response thus generated from the remote host, is logged using a packet
sniffer.
• By studying and comparing the logged responses against the known
responses, the exact
• OS running on the host can be pinpointed.

The best tool available for Active fingerprinting is: Nmap

• Passive Fingerprinting:-
Passive Fingerprinting is totally anonymous.

It is carried out in following manner

– The attacker gets hold of data packets sent by the target host to any other
system. A sniffing tool is used to carry out the process of capturing the data
packets sent by the target system.
– The various fields of these captured data packets then studied for
charecteristics values unique to a particular OS.

Following fields of data are compared.

a) TTL values.
b) The windows size.
 c) Don’t fragment bit.
d) Types of services(TOS)

For example if a captured data packet has a ‘windows value’ of 9000 ‘ Types of
services’ as 0 and ‘Don’t fragment bit’ as YES then host is most probably Windows
9x or Windows NT.

Email Header Fingerprinting:-

In this method, the email header of an email sent from the mail service running o
he remote host is studied.

Basic Threats
 • Theft of password.
• Email based threats.
• Email based extortion.
• Launch of malicious programs.
• Internet time theft.

Corporate Threats

• Web Defacement.
• Corporate espionage.
• Website based launch of malicious code cheats & frauds.
• Exchange of criminal ideas and tools.
• Cyber harassment .
• Forged websites.

Online Threats

• Email spamming.
• Theft of software, electronics records, computer hardwares
etc.
• Cyber stalking
• Email bombing.
• Morphing.
• Denial of service attack.

Other Thefts
• Theft of information.
 • Email forgery.
• Theft of e-cash, credit card numbers, online bank accounts
etc.

Cyber Crimes

Some examples of attacks on the Operating System:

• Exploiting specific protocol implementation.
• Attacking built in authentication system.
• Breaking files system security.
• Cracking password and encryption mechanisms.

a) Hypertext transfer protocol (HTTP) and Simple mail transfer

protocol (SMTP) applications are frequently attacked because
most firewall and other Security mechanisms are configured to
full access to these program from the internet.
b) Malicious software (malware) includes viruses, worms, Trojan
horses and Spyware, Malware clog network and takes down the
system.

VIRUS & WORMS

SPYWARES

Spyware is a software which gathers information about victim (i.e.

spies on the victim) and passes on that information to the
attacker without even taking victim’s consent

Dangers:-

a) Spying on activities.
 b) Stealing of victim’s secret password.
c) Misuse of computer memory for attacker’s own
malicious or non malicious purposes.

How can you be infected:-

– Spyware is normally built into a EXE file or utility.

– If you download and executed a infected EXE file,
then spyware becomes active.
– Always scan the software that you download from the
internet.
Use tools like SPYCHECK, SPYWARE INFO, SPY STOPPER
etc.

Virus: - A Definition

A Virus is a malicious piece of code which causes an

unexpected harmful and negative behavior on the
victim’s system.

Worms:-

A Worm is a similar to Virus, but has the additional ability

to reside in the memory of infected computer, duplicate
itself and spread copies of itself via email, chat or
network. Hence they usually clog up the network
bandwidth.

Anti-Virus software is ideal solution for the Viruses and

Worms.

DOS Attack
In a DOS attack, the attacker chokes the target system with
infinite data and hence crashes it.

Technical Definition:-

• DOS attacks are aimed at denying valid, legitimate internet

and Network users access to the services offered by the
target system.
• In other words, a DOS attack is one in which you clog up so
much memory on the target system that it cannot serve
legitimate users.
• There are numerous types of Denial of Service Attacks.

Steps involved in Denial of Service Attack:-

a) Attacker ----------- Malicious data ------- Target Network.

b) Target network gets choked or cannot handle the malicious
data and hence crashes.
c) As a result, even legitimate user cannot connect to target
network.

PINGS OF DEATH ATTACK:-

– The maximum packet size allowed to be transmitted by
TCP\IP on a network is 65536.

– In the Ping of Death Attack. A packet having a size greater

than this maximum size allowed by TCP/IP is sent to the
target system

– As soon as the target system receives a packet exceeding

the allowable size then it crashes, reboots or hangs.

Distributed Denial of Service Attack:-

DOS Attack
dDOS Attack
• Only one attacker
Several attackers
• Not that effective
More effective

Steps involve in dDOS attack

• Attacker takes control of a less secure network say X.

• Let us assume there are 100 systems in X’s network.
• Attacker uses all these 100 systems to attack the actual
target T.
• Hence instead of one attacker there are 100 attackers.

Input Validation Attack

Most common dangers of such Input Validation Attack are:-

• Remote execution of malicious commands.

• Gaining access to sensitive data.
• Stealing password

Some of the most atrocious examples of input validation attacks

are:-

a) Enter 1000 random characters as the password and gain

root access.
b) Enter the path of the password file in the search box of a
website and actually get access to it.

SQL Injection Attacks:-

• SQL Injection Attacks are form of input validation attack

 wherein the attacker uses specially crafted SQL queries or
commands to carry out malicious activities on the target
system.
• This vulnerability exist due to a lack of validation of input
when a database query is made on the internet.
• The best part about SQL injection attacks- like most other
input validation attacks- is that they can easily be executed
with the help of only browser.

SQL Injection Attack: ILLIGAL ACCESS

If a user wants to retrieve all records whose name field is SPORTS:

http://www.domain.com/index.asp?querysring=sports

SELECT*FROM database WHERE querystring =’sports’

However, consider the following input:

http://www.domain.com/index.asp?querysring=sports’ or 1=1-

SELECT*FROM database WHERE querystring =’sports’ or 1=1--‘

SELECT*FROM database WHERE querystring =’sports’ or 1=1

NOTE:-

In this attack, 1=1 or 1=1__is always true and hence

The query will evaluate to true and hence will display all records.
Cryptography

1. RSA
2.MD-5
3.SHA
4.SSL
5.PGP
6.SSH
 7. Encryption Cracking Techniques

Public-key cryptography was invented in 1976 by Whitfield Diffie and

Martin Hellman.

Anyone can send a confidential message just using public information, but
it can only be decrypted with a private key that is in the sole possession of
the intended recipient.

Each person's public key is published while the private key is kept secret.
In this system, each person gets a pair of keys, called the public key and the

private key.
RSA
RSA is a public-key cryptosystem developed by MIT Professors Ronald L
Rivest, Adi Shamir, Leonard M Adleman in 1977 in an effort to help ensure
internet encryption standards.

RSA uses modular arithmetic and elementary number Theories to do

computation using two very large prime Numbers.

RSA encryption is widely used and is the 'de-facto' Security.

MD5

The MD5 algorithm is intended for digital signature applications, where a

large file must be "compressed" in a secure manner before being encrypted
with a private (secret) key under a public-key cryptosystem such as RSA.
The MD5 algorithm takes as input a message of arbitrary length and
produces as output a 128- bit "fingerprint" or "message digest" digest of
the input.

SHA

The SHA algorithm takes as input a message of arbitrary length and

produces as output a 160-bit " fingerprint" or "message digest" of the input.

The algorithm is slightly slower than MD5, but against brute-force collision
and inversion the larger message digest makes it more secret attacks.
SSL
SSL stands for Secure Sockets Layer, SSL is a protocol developed by
Netscape for transmitting private documents via the Internet.

SSL works by using a private key to encrypt data that is transferred over the
SSL connection.

SSL Protocol is application protocol independent.

RC5

RC5 is a fast block cipher designed by RSA Security in 1994.

It is a parameterized algorithm with a variable block size, a variable key size

and a variable number of rounds. The key size is 128 bit. The key size is 128
bit.
RC6 is a block cipher based on RC5. Like RC5, RC6 is a parameterized
algorithm where the block size, the key size and the number of rounds are
variable again. The upper limit on the key size is 2040 bits

SSH

The program SSH (Secure Shell) is a secure replacement for telnet and the
Berkeley r-utilities (rlogin, rsh, rcp and rdist).

It provides an encrypted channel for logging into another computer over a

network, executing commands on a remote computer, and moving files
from one computer to another.

SSH provides a strong host-to host and user authentication as well as

secure encrypted communications over an insecure internet.

SSH2 is a more secure, efficient and portable version of SSH that includes
SFTP, an SSH2 tunneled FTP.