
Lab session 3

(A)

Address Resolution Protocol (ARP) spoofing, also known as ARP poisoning or
ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or
wireless network. ARP spoofing may allow an attacker to sniff data frames on a
local area network (LAN), modify the traffic, or stop the traffic altogether.
The attack can only be used on networks that use ARP for address resolution.
The principle of ARP spoofing is to send fake, or "spoofed", ARP messages
onto an Ethernet LAN. Generally, the aim is to associate the attacker's MAC
address with the IP address of another node (such as the default gateway).
Any traffic meant for that IP address is then sent to the attacker instead.
The attacker can forward the traffic to the actual default gateway (passive
sniffing) or modify the data before forwarding it (man-in-the-middle attack);
in both cases IP forwarding must be enabled on the attacker's host, otherwise
the victim's traffic is simply dropped and the victim loses connectivity. The
attacker can also launch a denial-of-service attack against a victim by
associating a nonexistent MAC address with the IP address of the victim's
default gateway. ARP spoofing attacks can be run from a compromised host, or
from an attacker's machine that is connected directly to the target Ethernet
segment. Because ARP carries no authentication, the usual defences are static
ARP entries for critical hosts, Dynamic ARP Inspection on the switch, and a
host or sensor that alerts whenever an IP-to-MAC binding changes.
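The spoofed ARP reply described above, together with the binding-change check that catches it, as an added example in Python that is not part of the original lab notes. It builds the raw Ethernet/ARP frame with struct (no scapy), parses it back, and runs an arpwatch-style detector over a constructed sequence of two replies: the genuine gateway reply followed by the attacker's. All MAC and IP addresses are made up, and nothing is sent on the wire (doing so needs a raw AF_PACKET socket and root on Linux).

```python
import struct

ETH_P_ARP = 0x0806            # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)

def fmt_ip(b):
    return ".".join(str(x) for x in b)

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (RFC 826 layout, 42 bytes).
    A spoofed reply simply puts the hijacked address (e.g. the gateway's IP)
    in sender_ip and the attacker's own address in sender_mac."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42]),
    }

class ArpWatch:
    """arpwatch-style detector: remembers the MAC last seen for each IP and
    records an alert whenever a later ARP message claims a different MAC."""
    def __init__(self):
        self.bindings = {}   # ip -> mac
        self.alerts = []     # (ip, old_mac, new_mac)

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return None
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.alerts.append((ip, old, mac))
        self.bindings[ip] = mac
        return pkt

# Constructed scenario (addresses are made up): the real gateway answers the
# victim, then the attacker sends a reply claiming the gateway's IP.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:10"
ATTACKER_MAC = "de:ad:be:ef:00:01"

def run_scenario():
    watch = ArpWatch()
    legit = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    spoof = build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    watch.observe(legit)
    watch.observe(spoof)
    return watch

if __name__ == "__main__":
    for ip, old, new in run_scenario().alerts:
        print(f"ALERT: {ip} moved from {old} to {new}")
```

The detector only sees the change if it observed the genuine binding first, which is why arpwatch-style tools are started before the attack, not after; a static ARP entry for the gateway removes the window entirely.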
(2)
In computer networking, MAC flooding is a technique employed to
compromise the security of network switches. Switches maintain a table (called
the CAM table) that maps individual MAC addresses on the network to the
physical ports on the switch. This enables a switch to send data only out of the
physical port where the recipient computer is located, instead of indiscriminately
broadcasting the data out of all ports like a hub. The advantage of this method
is that data is only bridged to the network segment containing the computer the
data is specifically destined for. In a typical MAC flooding attack, a switch is
flooded with frames, each containing a different source MAC address. The
intention is to consume the limited memory set aside in the switch to store the
MAC-address-to-physical-port translation table. Once the table is full the
switch can no longer learn legitimate addresses, so it enters a state called
fail-open mode, in which frames for unknown destinations are flooded out on all
ports (as with a hub) instead of just down the correct port as in normal
operation. A malicious user can then use a packet sniffer (such as Wireshark)
running in promiscuous mode to capture sensitive data from other computers
(such as unencrypted passwords, e-mail and instant messaging conversations),
which would not be accessible were the switch operating normally. The usual
countermeasure is port security on the switch, which limits the number of MAC
addresses that may be learned on a port and shuts the port down or drops
frames when the limit is exceeded.

(3) MAC DUPLICATION ATTACKS: In a MAC duplication attack, the attacker
changes its own MAC address (MAC spoofing) to that of the victim and pretends
to be the victim. On a hub this changes nothing, since every frame is already
repeated to every port. On a switch it corrupts the CAM table: each frame the
attacker sends moves the victim's MAC address to the attacker's port, and each
frame the real victim sends moves it back (a condition known as MAC flapping),
so frames addressed to the victim are delivered to whichever of the two ports
transmitted last. Some share of the victim's incoming traffic therefore reaches
the attacker, who can spy on the communication; the victim sees a flaky
connection rather than a silent one.
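A learning-switch simulation covering both the flooding attack and the duplicated-MAC case, as an added example in Python that is not part of the lab notes. The switch model is an assumption: a bounded CAM table that stops learning when full, never ages entries, and floods unknown destinations to every port except the ingress one; the ports, MAC addresses and table size are made up. Its point is to show which ports actually receive the victim's frames in each case.

```python
import random

class Switch:
    """Minimal learning switch (assumed model): the CAM table maps source MAC
    to ingress port, holds at most `capacity` entries, never ages them, and
    frames for a destination it has not learned are flooded."""
    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.capacity = capacity
        self.cam = {}   # mac -> port

    def forward(self, ingress, src, dst):
        """Learn `src` on `ingress`, then return the egress ports for `dst`."""
        if src in self.cam or len(self.cam) < self.capacity:
            self.cam[src] = ingress          # a duplicated MAC overwrites here
        out = self.cam.get(dst)
        if out is None:                      # unknown unicast: flood
            return [p for p in self.ports if p != ingress]
        return [out]

VICTIM, SERVER, ATTACKER = 1, 2, 3            # switch ports (constructed)
VICTIM_MAC, SERVER_MAC = "00:00:00:00:00:01", "00:00:00:00:00:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"

def random_mac(rng):
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))

def mac_flooding(capacity=64, frames=200, seed=1):
    """Attacker fills the CAM table with bogus source addresses before the
    legitimate entries are learned (or after they have aged out). Returns the
    ports that receive the server's reply to the victim."""
    sw = Switch(ports=[VICTIM, SERVER, ATTACKER], capacity=capacity)
    rng = random.Random(seed)
    for _ in range(frames):
        sw.forward(ATTACKER, random_mac(rng), BROADCAST)
    sw.forward(VICTIM, VICTIM_MAC, SERVER_MAC)       # victim cannot be learned: table is full
    return sw.forward(SERVER, SERVER_MAC, VICTIM_MAC)

def mac_duplication(capacity=64):
    """Attacker sends one frame with the victim's source MAC. Returns the
    egress ports for server->victim traffic before and after that frame."""
    sw = Switch(ports=[VICTIM, SERVER, ATTACKER], capacity=capacity)
    sw.forward(VICTIM, VICTIM_MAC, SERVER_MAC)
    sw.forward(SERVER, SERVER_MAC, VICTIM_MAC)
    before = sw.forward(SERVER, SERVER_MAC, VICTIM_MAC)
    sw.forward(ATTACKER, VICTIM_MAC, SERVER_MAC)    # CAM entry for VICTIM_MAC flaps to port 3
    after = sw.forward(SERVER, SERVER_MAC, VICTIM_MAC)
    return before, after

if __name__ == "__main__":
    print("flooding: server->victim reply delivered to ports", mac_flooding())
    print("flooding with a large table:", mac_flooding(capacity=1000))
    print("duplication: before %s, after %s" % mac_duplication())
```

With a 64-entry table the flooded reply goes to ports 1 and 3, so the attacker reads it; with a table the bogus frames cannot fill, it goes to port 1 only. In the duplication case the frame goes to port 3 alone, not to "both" ports, until the victim transmits again.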

(B)
CAPTCHA
It is short for "Completely Automated Public Turing test to tell Computers and
Humans Apart". CAPTCHA is commonly used by websites to distinguish between
humans and automated computer scripts or bots. At the bottom of web forms a
CAPTCHA displays an image with some distorted text over various distracting
colours, backgrounds, lines and marks. Such text is usually only readable by
humans and not by computers or automated scripts. It is commonly used on the
Internet to prevent:
--Automated creation of fake accounts.
--E-mail spam.
--Brute-force password cracking attacks.

CRACKING CAPTCHA
CAPTCHA as a technology is constantly being improved and is slowly becoming
more and more robust. However, many researchers have devised ways to break
the CAPTCHA systems used by various websites, although none of these cracking
techniques has a 100% success rate.
GREG MORI & JITENDRA MALIK
(http://www.cs.sfu.ca/~mori/research/gimpy/) have devised an approach to
crack GIMPY, the CAPTCHA system that was used by Yahoo. Their cracking
technique has the following main steps:
• Locate possible letters at various positions using shape matching
techniques.
• Construct a graph of letters that could be used together in a word.
• Move through the graph looking for real words.
Such an approach may not work if:
1. Dictionary words are not used by the CAPTCHA and random characters are
used instead.
2. The CAPTCHA system requires the user to recognize more than one word
(like reCAPTCHA), which reduces the probability of cracking.

(C)
1. Use your password reset disk to recover the Windows password
Vista and Windows 7 allow you to create a password reset disk, which enables
you to reset your password without much hassle. The problem with this option is
that you have to create the reset disk before the password is lost. Thus if you
don't have a password reset disk, this option is not for you. You can find a
description of how to create a password reset disk here.
2. Restore Windows 7 or Windows Vista to a previous state
If you configured a new password recently and can still remember the password
you used before, then you can restore Windows to a point in time before you
changed the password. The Restore function of Windows 7 and Windows Vista will
make sure that you don't lose personal data. However, programs that have been
installed since the corresponding restore point have to be installed again. All
you need for this procedure is a Windows 7 or Windows Vista setup DVD. If you
are uncertain what System Restore is doing with your computer, read this first.
This approach doesn't work with Windows XP.
3. Boot up Windows XP in Safe Mode and log on with the built-in
administrator account
When you installed Windows XP, you had to set a password for the Administrator
account. If you still know this password, you can boot up in Safe Mode (by
pressing F8 when your computer starts) and log on with the Administrator
account. Read this Microsoft Knowledge Base article for more information about
Safe Mode. Note that whenever you reset the password for a user from another
account, this user will no longer be able to access files that have been
encrypted with EFS (Encrypting File System). Stored credentials in the Windows
Vault and Internet Explorer will also no longer be available. This method
doesn't work in Vista and Windows 7 because the administrator account is
disabled by default in Safe Mode with these Windows versions. Below you will
learn how to enable the built-in admin account in Windows 7 and Vista.
4. Use the Sticky Keys trick to reset the Windows 7, Windows Vista and
Windows XP password
The Sticky Keys trick to restore a forgotten administrator password is reliable,
easy to carry out, and does not require third-party software. All you have to do
is boot up from a Windows 7 or Windows Vista setup DVD, launch the Windows
Recovery Environment (RE), and replace the sethc.exe file with cmd.exe. Sticky
Keys is then triggered from the logon screen by pressing Shift five times, which
opens a command prompt running as SYSTEM, and the password is reset from there
with net user. You can also use this method for Windows XP, but you have to use
a Vista or Windows 7 DVD. Keep in mind that the same swap is a classic backdoor:
a sethc.exe (or utilman.exe) that is byte-identical to cmd.exe on a machine you
administer means someone has already done this.
5. Offline enable the built-in administrator account in Windows 7 and Vista
This method is useful if no other user account on this machine has administrator
privileges. You also need a Windows setup DVD (Vista or Windows 7). With this
DVD you can boot up Windows RE and edit the Registry to enable the built-in
administrator account offline. Also read my article about the offline Registry
editor if you don't know how to edit the Registry in offline mode. After you
enable the built-in Administrator, you can log on with this account without a
password and then reset the Windows password of any user account.
6. Get Petter Nordahl-Hagen's free ntpasswd tool to reset the Windows
password
The downside of this option is that you have to create a password reset CD
first. Then you can boot up with this CD and manipulate the Security Accounts
Manager (SAM) database. Please note that resetting the password with third-party
tools can also cause the data loss described in option 3. Also note that this
tool comes without any warranty. However, I've used it quite a few times and
never had any problem with it. The latest version also supports Windows Vista
and Windows 7. The advantage of this method is that it is quick if you already
have the password CD in your toolbox. Thus it is useful for admins who have to
perform this procedure often. In all other cases I recommend option 4. You can
download the tool from the Internet.
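A check for the Sticky Keys backdoor that option 4 leaves behind, as an added example in Python that is not part of the original notes. It hashes the Windows accessibility helpers found in a System32 directory and reports any that are byte-identical to cmd.exe or powershell.exe, and on Windows only it also looks for the Image File Execution Options "Debugger" variant of the same trick, which redirects sethc.exe to another program without touching the file. The demo directory it builds is a constructed stand-in for C:\Windows\System32 so the check can run offline; on a real machine pass the real path as the first argument.

```python
import hashlib
import os
import sys
import tempfile

# Programs that can be launched from the logon screen before anyone signs in.
ACCESSIBILITY_BINARIES = ["sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe"]
SHELLS = ["cmd.exe", "powershell.exe"]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_replaced_accessibility_binaries(system32):
    """Return [(helper, shell)] for each accessibility helper whose contents
    equal one of the shells, i.e. the file-swap form of the trick."""
    shell_hashes = {}
    for shell in SHELLS:
        p = os.path.join(system32, shell)
        if os.path.isfile(p):
            shell_hashes[shell] = sha256_of(p)
    hits = []
    for helper in ACCESSIBILITY_BINARIES:
        p = os.path.join(system32, helper)
        if not os.path.isfile(p):
            continue
        digest = sha256_of(p)
        for shell, shell_digest in shell_hashes.items():
            if digest == shell_digest:
                hits.append((helper, shell))
    return hits

def find_ifeo_debuggers():
    """Windows only: return [(helper, debugger)] for accessibility helpers that
    carry an IFEO Debugger value, the registry form of the same backdoor."""
    if sys.platform != "win32":
        return []
    import winreg
    base = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
    hits = []
    for helper in ACCESSIBILITY_BINARIES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + "\\" + helper) as key:
                debugger, _ = winreg.QueryValueEx(key, "Debugger")
                hits.append((helper, debugger))
        except OSError:
            continue
    return hits

def build_demo_system32(backdoored=True):
    """Constructed stand-in for C:\\Windows\\System32: fake binaries in a temp
    directory, with sethc.exe swapped for a copy of cmd.exe when backdoored."""
    d = tempfile.mkdtemp(prefix="demo_system32_")
    files = {
        "cmd.exe": b"MZ fake cmd.exe " * 100,
        "powershell.exe": b"MZ fake powershell.exe " * 100,
        "utilman.exe": b"MZ fake utilman.exe " * 100,
        "osk.exe": b"MZ fake osk.exe " * 100,
        "sethc.exe": b"MZ fake sethc.exe " * 100,
    }
    if backdoored:
        files["sethc.exe"] = files["cmd.exe"]     # the swap from option 4
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_system32()
    for helper, shell in find_replaced_accessibility_binaries(target):
        print(f"{helper} is a copy of {shell}")
    for helper, dbg in find_ifeo_debuggers():
        print(f"IFEO Debugger set for {helper}: {dbg}")
```

Comparing against the shells catches the plain copy; a more thorough check compares each helper against the copy in the Windows component store or a known-good hash, which also catches a custom binary dropped in place of sethc.exe.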

(D)
www.dtdc.com is a website on which SQL injection works.

(E)
What is the Birthday Paradox?
The birthday paradox gets its name from the "strange" fact that in a gathering
of 23 persons, it is likely that 2 of these persons share the same birthday.
To understand it, there is no need to be an ace in mathematics.
You are at a party and you ask someone his birthday. The chances that you do
not share the same birthday with this person are 364/365, or 0.997, therefore
the probability that you do share the same birthday is 1 - 0.997 = 0.003.
Now if you ask somebody else, the chances that you don't share the same
birthday with him AND with the person before are (364/365) x (363/365) = 0.992,
and so we can deduce that the probability that at least 2 of all of you share
the same birthday is 1 - 0.992 = 0.008.
If we carry on these computations, we find that in a group of 23 persons the
chances are about 50% that some two people share a birthday. In security the
same arithmetic is what makes a collision in an n-bit hash, or among n-bit
random identifiers, expected after roughly 2^(n/2) values rather than 2^n:
a 64-bit hash is collided after about 2^32 attempts. You can use the following
C code snippet to see how the chances evolve as a function of the number of
persons.

#include <stdio.h>

#define POSSIBILITIES 365.0

int main(void)
{
    double chances;
    int i, j;

    for (i = 1; i < 100; i++)
    {
        /* probability that i people all have distinct birthdays */
        for (j = 1, chances = 1; j < i; j++)
            chances *= (POSSIBILITIES - j) / POSSIBILITIES;
        /* complement: at least one shared birthday */
        printf("For %d people, chances are %f\n", i, 1 - chances);
    }
    return 0;
}

For people unable to compile this code, here is an interesting array of output
values:

People    2       9       16      23      30      37      44      65      79
Chances   0.0027  0.0946  0.2836  0.5073  0.7063  0.8487  0.9329  0.9977  0.9999
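The same computation generalised from 365 birthdays to any space of N values, as an added example in Python that is not the lab's code. It gives the exact product the C snippet evaluates, the usual closed-form approximation 1 - exp(-k(k-1)/2N), the number of draws needed for a given collision probability, and a brute-force collision search on a truncated SHA-256 to show that a hash shortened to b bits is collided after about 2^(b/2) attempts. The message prefix used in the search is made up.

```python
import hashlib
import math

def exact_collision_probability(k, n=365):
    """P(at least two of k draws from n equally likely values coincide),
    the product the C snippet above evaluates for n = 365."""
    p_distinct = 1.0
    for j in range(1, k):
        p_distinct *= (n - j) / n
    return 1.0 - p_distinct

def approx_collision_probability(k, n):
    """Closed-form approximation 1 - exp(-k(k-1)/(2n)); accurate when k << n."""
    return 1.0 - math.exp(-k * (k - 1) / (2.0 * n))

def draws_for_probability(p, n):
    """Smallest k (from the approximation) with collision probability >= p.
    For p = 0.5 this is about 1.18 * sqrt(n): 23 for birthdays, ~77k for 2**32."""
    return math.ceil(math.sqrt(2.0 * n * math.log(1.0 / (1.0 - p))))

def truncated_sha256(msg, bits):
    """First `bits` bits of SHA-256(msg) as an integer (a toy b-bit hash)."""
    digest = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return digest >> (256 - bits)

def find_collision(bits, prefix=b"msg-"):
    """Brute-force two distinct messages with equal truncated hashes by
    hashing prefix+counter until a value repeats. Returns (m1, m2, tries)."""
    seen = {}
    i = 0
    while True:
        m = prefix + str(i).encode()
        h = truncated_sha256(m, bits)
        if h in seen:
            return seen[h], m, i + 1
        seen[h] = m
        i += 1

if __name__ == "__main__":
    for k in (2, 9, 16, 23, 30, 44, 79):
        print(f"{k:3d} people: exact {exact_collision_probability(k):.4f}  "
              f"approx {approx_collision_probability(k, 365):.4f}")
    print("draws for a 50% collision among 2**32 values:", draws_for_probability(0.5, 2 ** 32))
    m1, m2, tries = find_collision(24)
    print(f"24-bit collision after {tries} hashes: {m1!r} and {m2!r}")
```

The collision search typically finishes after a few thousand hashes for 24 bits, not the 16 million a preimage would take; this is the whole reason hash outputs and random identifiers are sized at twice the security level wanted.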

(F)
DNS spoofing is the art of making a DNS entry point to another IP address than
the one it is supposed to point to. To understand it better, let's see an example.
You're in your web browser and wish to see the news on www.cnn.com; without
thinking about it, you just enter this URL in your address bar and press enter.
Now, what's happening behind the scenes? Basically, your browser sends a
request to a DNS server to get the matching IP address for www.cnn.com, the DNS
server tells your browser the IP address of CNN, and your browser connects to
CNN's IP address and displays the content of the main page.
Hold on a minute... You get a message saying that CNN's web site has closed
because they don't have any more money to pay for it. You're so amazed that you
call and tell your best friend on the phone; of course he laughs at you, but to
be sure, he goes to CNN's web site to check for himself.
You are surprised when he tells you he can see the news of the day as usual,
and you start to wonder what's going on. Are you sure you are talking to the
right IP address? Let's check. You ask your friend to fire up his favourite DNS
resolving tool (or simply ping) and to give you the IP address he's getting for
www.cnn.com. Once you have it, you put it in your browser's URL bar:
http://212.153.32.65
You feel ridiculous and frustrated when you see CNN's web page with its daily
news.

You've just witnessed a DNS hijacking scenario. You're wondering what happened:
did the DNS server tell you the wrong IP address? Maybe... At least this is the
most obvious answer that comes to mind.
In fact there are two techniques for accomplishing this DNS hijacking: "DNS ID
spoofing", where the attacker races the real name server and answers a query
with a forged reply carrying the expected transaction ID, and DNS cache
poisoning. The one covered here is cache poisoning.

- A) DNS Cache Poisoning


As you can imagine, a DNS server can't store information about all existing
names/IPs on the net in its own memory space. That's why DNS servers have a
cache, which enables them to keep a DNS record for a while. In fact, a DNS
server holds records only for the machines of the domain it is authoritative
for; if it needs to know about machines outside its domain, it has to send a
request to the DNS server which handles those machines, and since it doesn't
want to ask about the same records all the time, it stores in its cache the
replies returned by other DNS servers.
Now let's see how someone could poison the cache of our DNS server. An
attacker is running his own domain (attacker.net) with his own hacked DNS
server (ns.attacker.net). I say hacked DNS server because the attacker has
customised the records in his own DNS server; for instance one record could be
www.cnn.com=81.81.81.81.

1) The attacker sends a request to your DNS server asking it to resolve
www.attacker.net.
2) Your DNS server is not aware of this machine's IP address, since it doesn't
belong to its domain, so it needs to ask the responsible name server,
ns.attacker.net.
3) The hacked DNS server replies to your DNS server and, in the same reply,
pads the "additional records" section with extra records, including its bogus
record for www.cnn.com.
Note: this is sometimes wrongly called a zone transfer. A zone transfer (AXFR)
is a separate query that a resolver never sends; the poison arrives piggybacked
in the additional section of an ordinary reply.
4) Your DNS server is now poisoned. The attacker got his IP address back, but
who cares; his goal was not to get the IP address of his web server but to
make your DNS server cache the forged record, which it will keep until the
cache entry expires or is cleared.
5) Now if you ask your DNS server for the www.cnn.com IP address, it will give
you 81.81.81.81, where the attacker runs his own web server. Or even simpler,
the attacker could just run a bouncer forwarding all packets to the real web
site and vice versa, so you would see the real web site, but all your traffic
would pass through the attacker's machine.

This version of the attack only works against a resolver that trusts every
record in a reply. Modern resolvers apply a bailiwick check, accepting a record
only if its name lies within the zone the queried server is responsible for,
so a reply from ns.attacker.net cannot set www.cnn.com; they also randomise the
transaction ID and the UDP source port so that a forged reply is unlikely to
match a pending query. Later poisoning techniques (Kaminsky, 2008) get around
the bailiwick rule by forging in-bailiwick glue, which is why the randomisation
still matters.
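The reply from step 3 and the bailiwick check that stops it, as an added example in Python that is not part of the original page. It builds the DNS response ns.attacker.net would send (RFC 1035 wire format, no external library), parses it back including name-compression pointers, and fills a cache two ways: the trusting way that accepts every record, and the bailiwick way that keeps only names under the zone being asked about and discards replies whose transaction ID does not match. The names, addresses and transaction ID are made up; the 10.0.0.5 address for www.attacker.net is an assumption.

```python
import struct

def encode_name(name):
    """Hostname -> DNS wire labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Read a name at `off`, following 0xC0 compression pointers.
    Returns (name, offset just after the name as written at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                   # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)

def a_record(name, ip, ttl):
    rdata = bytes(int(x) for x in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata

def build_response(txid, qname, answers, additional):
    """Authoritative reply: flags QR|AA, one question, A records in the answer
    and additional sections. answers/additional are lists of (name, ip, ttl)."""
    msg = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, len(additional))
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    for rec in answers + additional:
        msg += a_record(*rec)
    return msg

def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            off += rdlen
            if rtype == 1 and rdlen == 4:
                rdata = ".".join(str(b) for b in rdata)
            sections[sec].append((name, rtype, ttl, rdata))
    return txid, questions, sections

def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def cache_reply(cache, msg, expected_txid, zone, check_bailiwick=True):
    """Add A records from `msg` to `cache` (name -> (ip, ttl)) and return the
    names rejected. check_bailiwick=False is the trusting resolver of step 4."""
    txid, _questions, sections = parse_response(msg)
    if txid != expected_txid:                   # forged or stale reply
        return ["<txid mismatch>"]
    rejected = []
    for sec in ("answer", "additional"):
        for name, rtype, ttl, rdata in sections[sec]:
            if rtype != 1:
                continue
            if check_bailiwick and not in_bailiwick(name, zone):
                rejected.append(name)
            else:
                cache[name] = (rdata, ttl)
    return rejected

# Constructed reply from ns.attacker.net (all values made up).
POISON = build_response(0x1234, "www.attacker.net",
                        answers=[("www.attacker.net", "10.0.0.5", 3600)],
                        additional=[("www.cnn.com", "81.81.81.81", 86400)])

if __name__ == "__main__":
    naive, strict = {}, {}
    cache_reply(naive, POISON, 0x1234, "attacker.net", check_bailiwick=False)
    rejected = cache_reply(strict, POISON, 0x1234, "attacker.net")
    print("trusting resolver cached:", naive)    # includes the bogus www.cnn.com
    print("strict resolver cached:", strict, "rejected:", rejected)
```

The transaction-ID check is the part that DNS ID spoofing attacks: with only 16 bits of ID and a predictable source port an attacker can guess it, which is why resolvers now randomise the port as well.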
