Professional Documents
Culture Documents
077 Sandeep Nair
077 Sandeep Nair
A SEMINAR REPORT
Submitted by
SANDEEP NAIR NARAYANAN
SCHOOL OF ENGINEERING
COCHIN UNIVERSITY OF SCIENCE & TECHNOLOGY,
KOCHI-682022
AUGUST 2008
DIVISION OF COMPUTER ENGINEERING
SCHOOL OF ENGINEERING
COCHIN UNIVERSITY OF SCIENCE AND TECHNOLOGY
KOCHI-682022
Certificate
Certified that this is a bonafide record of the seminar entitled
“ETHICAL HACKING”
done by the following student
SANDEEP NAIR NARAYANAN
th
of the VII semester,Computer Science and Engineering in the year 2008 in
partial fulfillment of the requirements to the award of Degree of Bachelor of
Technology in Computer Science and Engineering of Cochin University of
Science and Technology.
Date:
ACKNOWLEDGEMENT
At the outset, I thank the Lord Almighty for the grace, strength and hope to
make my endeavor a success.
Last but not the least, I thank all others, and especially my classmates and my
family members who in one way or another helped me in the successful completion of
this work.
Today more and more softwares are developing and people are
getting more and more options in their present softwares. But many are
not aware that they are being hacked without their knowledge. One
parties.
know about the various tools and methods that can be used by a black hat
From the point of view of the user one should know atleast some of
these because some hackers make use of those who are not aware of the
various hacking methods to hack into a system. Also when thinking from
the point of view of the developer, he also should be aware of these since
he should be able to close holes in his software even with the usage of the
various tools. With the advent of new tools the hackers may make new
tactics. But atleast the software will be resistant to some of the tools.
TABLE OF CONTENTS
i
2.6 Maintaining Access 23
2.6.1 Key Stroke Loggers 23
2.6.2 Trojan Horses & Backdoors 24
2.6.3 Wrappers 25
2.6.4 Elitewrap 25
2.7 Clearing Tracks 26
2.7.1 Winzapper 26
3. CONCLUSION 27
REFERENCES 29
ii
LIST OF FIGURES
iii
LIST OF SYMBOLS
iv
Ethical hacking
1.INTRODUCTION
1.1 Security
● Confidentiality
● Integrity
● Availability
For any information system to serve its purpose, the information must
be available when it is needed. Consider the case in which the data should have
integrity and confidentiality. For achieving both these goals easily we can make those
data off line. But then the data is not available for the user or it is not available. Hence
the data is of no use even if it have all the other characteristics. This means that the
computing systems used to store and process the information, the security controls
used to protect it, and the communication channels used to access it must be
functioning correctly.
All these factors are considered to be important since data lacking any of the
above characteristics is useless. Therefore security is described as the CIA trio.
Lacking any one of the CIA means there is a security breach.
There may be many more in the list due to security breaches. This means that
security is absolutely necessary.
1.3 Hacking
Hackers can be broadly classified on the basis of why they are hacking system
or why the are indulging hacking. There are mainly three types of hacker on this basis
● Black-Hat Hacker
● White-Hat Hacker
White hat hackers are those individuals professing hacker skills and
using them for defensive purposes. This means that the white hat hackers use their
knowledge and skill for the good of others and for the common good. These white hat
hackers are also called as security analysts.
● Grey-Hat Hackers
Due to some reasons hacking is always meant in the bad sense and hacking
means black hat hacking. But the question is can hacking be done ethically? The
answer is yes because to catch a thief, think like a thief. That’s the basis for ethical
hacking. Suppose a person or hacker try to hack in to a system and if he finds a
vulnerability. Also suppose that he reports to the company that there is a vulnerability.
Then the company could make patches for that vulnerability and hence they could
protect themselves from some future attacks from some black hat hacker who tries to
use the same vulnerability. So unless some body try to find a vulnerability, it remains
hidden and on someday somebody might find these vulnerability and exploit them for
their own personal interests. So this can be done using ethical hacking.
Successful ethical hackers possess a variety of skills. First and foremost, they
must be completely trustworthy. While testing the security of a client's systems, the
ethical hacker may discover information about the client that should remain secret. In
many cases, this information, if publicized, could lead to real intruders breaking into
the systems, possibly leading to financial losses. During an evaluation, the ethical
hacker often holds the “keys to the company,” and therefore must be trusted to
exercise tight control over any information about a target that could be misused. The
sensitivity of the information gathered during an evaluation requires that strong
measures be taken to ensure the security of the systems being employed by the ethical
hackers themselves: limited-access labs with physical security protection and full
ceiling-to-floor walls, multiple secure Internet connections, a safe to hold paper
documentation from clients, strong cryptography to protect electronic results, and
isolated networks for testing.
Ethical hackers also should possess very strong programming and computer
networking skills and have been in the computer and networking business for several
years. Another quality needed for ethical hacker is to have more drive and patience
than most people since a typical evaluation may require several days of tedious work
that is difficult to automate. Some portions of the evaluations must be done outside of
normal working hours to avoid interfering with production at “live” targets or to
simulate the timing of a real attack. When they encounter a system with which they
are unfamiliar, ethical hackers will spend the time to learn about the system and try to
find its weaknesses. Finally, keeping up with the ever-changing world of computer
and network security requires continuous education and review.
the system. An ethical hacker will always have the permission to enter into the target
network.
An ethical hacker will first think with a mindset of a hacker who tries to get in
to the system. He will first find out what an intruder can see or what others can see.
Finding these an ethical hacker will try to get into the system with those information
in whatever method he can. If he succeeds in penetrating into the system then he will
report to the company with a detailed report about the particular vulnerability
exploiting which he got in to the system. He may also sometimes make patches for
that particular vulnerability or he may suggest some methods to prevent the
vulnerability.
2.ETHICAL HACKING
The methodology of a hacker is similar to the one used for usual thefts. Lets
consider the case of a bank robbery. The first step will be to find information about
the total transaction of the bank, the total amount of money that may be kept in the
bank, who is the manager, if the security personals have a gun with them etc. This is
similar to the reconnaissance phase of hacking.
The next step will be to find the ways through which we can enter the
building, how many doors are present in the building, if there is a lock at each door
etc. This is similar to the second stage the scanning in which we will check which all
hosts are present, which all services are running etc.
The third step will be to enter the building which is similar to gaining access.
For entering in to a building we need some keys. Like that in case of network we need
some ids and passwords. Once we entered the building our next aim will be to make
an easier way inside when I come next time which is analogous to the next step
maintaining access. In the hacking case we use Trojans,back door worms etc like
placing a hidden door inside the building. Then the final step in which we will try to
hide the fact that I entered the building which is analogous to the clearing of tracks in
As described above there are mainly five steps in hacking like reconnaissance,
scanning, gaining access, maintaining access and clearing tracks. But it is not the end
of the process. The actual hacking will be a circular one. Once the hacker completed
the five steps then the hacker will start reconnaissance in that stage and the preceding
stages to get in to the next level.
2.3 Reconnaissance
organization profile with respect to network and system involved. As we are dealing
with the Internet we can find many information here which we may not intend to put
it publicly. We have many tools for such purposes. These include tools like samspade,
email tracker, visual route etc. The interesting thing to note is that we can even use the
simple googling as a footprinting tool.
2.3.1 Google
Google is one of the most famous search engines used in the Internet. Using
some kind of specialized keywords for searching we can find many such information
that is put in publicly. For example if we use some keywords like “for internal use
only” followed by the targets domain name we may get many such useful
information. Some times even if the company actually removed from its site, it
sometimes get preserved in the Google`s caches.
Some times even the job advertisement in Internet can also be used in
footprinting. For example if some company is looking for professional who are good
in oracle database, this can be telling to the world that they are using th oracle
database in their company. This can be helpful for the hacker since he can look for the
vulnerabilities of that particular object.
One of the main advantages of Google is it`s advanced search option. The
advanced search have many options like searching for particular domain, documents
published after a particular period of time, files of particular format, particular
languages etc.
2.3.2 Samspade
The above fig 2.1 represents the GUI of the samspade tool. In the text field in
the top left corner of the window we just need to put the address of the particular host.
Then we can find out various information available. The information given may be
phone numbers, contact names, IP addresses , email ids, address range etc. We may
think that what is the benefit of getting the phone numbers, email ids, addresses etc.
But one of the best way to get information about a company is to just pick up the
phone and ask the details. Thus we can much information in just one click.
We often used to receive many spam messages in our mail box. We don`t
know where it comes from. Email tracker is a software which helps us to find from
which server does the mail actually came from. Evey message we receive will have a
header associated with it. The email tracker use this header information for find the
location.
The above fig 2.2 shows the GUI of the email tracker software. One of the
options in the email tracker is to import the mail header. In this software we just need
to import the mails header to it. Then the software finds from which area does that
mail come from. That is we will get information like from which region does the
message come from like Asia pacific, Europe etc. To be more specific we can use
another tool visual route to pinpoint the actual location of the server. The option of
connecting to visual route is available in the email tracker. Visual route is a tool which
displays the location a particular server with the help of IP addresses. When we
connect this with the email tracker we can find the server which actually send the mail
. We can use this for finding the location of servers of targets also visually in a map.
The above fig 2.3 depicts the GUI of the visual route tool. The visual route
GUI have a world map drawn to it. The software will locate the position of the server
in that world map. It will also depict the path though which the message came to our
system. This software will actually provide us with information about the routers
through which the message or the path traced by the mail from the source to the
destination.
We may wonder what is the use of finding the place from which the message
came. Suppose you got the email id of an employee of our target company and we
mailed to him telling that u are his greatest friend. Some times he may reply you
saying that he don`t know you. Then you use the email tracker and the visual route to
find that he is not working from the office. Then you can understand that there are
home users in the company. We should understand the fact that the home users are not
protected like the employees working from office. This can be helpful for the hacker
to get in to the system.
Scanning is the second phase in the hacking methodology in which the hacker
tries to make a blue print of the target network. It is similar to a thief going through
your neighborhood and checking every door and window on each house to see which
ones are open and which ones are locked. The blue print includes the ip addresses of
the target network which are live, the services which are running on those system and
so on. Usually the services run on predetermined ports. For example the web server
will be making use of the port no 80. This implies that if the port 80 is open in a
particular system we can understand that the targets web server is running in that host.
There are different tools used for scanning war dialing and pingers were used earlier
but now a days both could be detected easily and hence are not in much use. Modern
port scanning uses TCP protocol to do scanning and they could even detect the
operating systems running on the particular hosts.
The war dialers is a hacking tool which is now illegal and easier to find out.
War dialing is the practice of dialing all the phone numbers in a range in order to find
those that will answer with a modem. Earlier the companies used to use dial in
modems to which their employees can dial in to the network. Just a phone number is
enough in such cases. War dialing software makes use of this vulnerability. A war
dialer is a computer program used to identify the phone numbers that can successfully
make a connection with a computer modem. The program automatically dials a
defined range of phone numbers and logs and enters in a database those numbers that
successfully connect to the modem. Some programs can also identify the particular
operating system running in the computer and may also conduct automated
penetration testing. In such cases, the war dialer runs through a predetermined list of
common user names and passwords in an attempt to gain access to the system.
2.4.2 Pingers
Pingers and yet another category of scanning tools which makes use of the
Internet Control Message Protocol(ICMP) packets for scanning. The ICMP is actually
used to know if a particular system is alive or not. Pingers using this principle send
ICMP packets to all host in a given range if the acknowledgment comes back we can
make out that the system is live. Pingers are automated software which sends the
ICMP packets to different machines and checking their responses. But most of the
firewalls today blocks ICMP and hence they also cannot be used.
A port scan is a method used by hackers to determine what ports are open or in
use on a system or network. By using various tools a hacker can send data to TCP or
UDP ports one at a time. Based on the response received the port scan utility can
determine if that port is in use. Using this information the hacker can then focus their
attack on the ports that are open and try to exploit any weaknesses to gain access. Port
scanning software, in its most basic state, simply sends out a request to connect to the
target computer on each port sequentially and makes a note of which ports responded
or seem open to more in-depth probing. Network security applications can be
configured to alert administrators if they detect connection requests across a broad
range of ports from a single host. To get around this the intruder can do the port scan
in strobe or stealth mode. Strobing limits the ports to a smaller target set rather than
blanket scanning all 65536 ports. Stealth scanning uses techniques such as slowing
the scan. By scanning the ports over a much longer period of time you reduce the
The fig 2.4 show the GUI of the superscan. In this either we can search a
particular host or over a range of IP addresses. As an output the software will report
the host addresses which are running. There is another option port list setup which
will display the set of services which are running on different hosts.
2.4.5 Nmap
Nmap ("Network Mapper") is a free and open source utility for network
exploration or security auditing. Many systems and network administrators also find it
useful for tasks such as network inventory, managing service upgrade schedules, and
monitoring host or service uptime. The fig 2.5 shows the GUI of the Nmap.
Nmap uses raw IP packets in novel ways to determine what hosts are available
on the network, what services those hosts are offering, what operating systems they
are running, what type of packet filters or firewalls are in use, and dozens of other
characteristics. It can even find the different versions. It was designed to rapidly scan
large networks, but works fine against single hosts. We also have the option of
different types of scan like syn scan, stealth scan, syn stealth scan etc and using this
we can even time the scanning of different ports. Using this software we just need to
specify the different host address ranges and the type of scan to be conducted. As an
output we get the hosts which are live, the services which are running etc. It can even
detect the version of the operating system making use of the fact that different
operating systems react differently to the same packets as they use their own protocol
stacks.
2.4.6 Enumeration
DumpSec etc.
This is the actual hacking phase in which the hacker gains access to the
system. The hacker will make use of all the information he collected in the pre-
attacking phases. Usually the main hindrance to gaining access to a system is the
passwords. System hacking can be considered as many steps. First the hacker will try
to get in to the system. Once he get in to the system the next thing he want will be to
increase his privileges so that he can have more control over the system. As a normal
user the hacker may not be able to see the confidential details or cannot upload or run
the different hack tools for his own personal interest. Another way to crack in to a
system is by the attacks like man in the middle attack.
There are many methods for cracking the password and then get in to the
system. The simplest method is to guess the password. But this is a tedious work. But
in order to make this work easier there are many automated tools for password
guessing like legion. Legion actually have an inbuilt dictionary in it and the software
will automatically. That is the software it self generates the password using the
dictionary and will check the responses.
Many types of password cracking strategies are used today by the hackers
which are described below.
● Dictionary cracking
In this type of cracking there will be a list of various words like the persons
children`s name, birthday etc. The automated software will then make use of these
words to make different combinations of these words and they will automatically try
it to the system.
This is another type of password cracking which does not have a list of pre
compiled words. In this method the software will automatically choose all the
combinations of different letters, special characters, symbols etc and try them
automatically. This process is of course very tedious and time consuming.
● Hybrid cracking
● Social Engineering
The best and the most common method used to crack the password is social
engineering. In this technique the hacker will come in direct contact with the user
through a phone call or some way and directly ask for the password by doing some
fraud.
2.5.2 Loftcrack
This is a software from @stake which is basically a password audit tool. This
software uses the various password cracking methodologies. Loftcrack helps the
administrators to find if their users are using an easy password or not. This is very
high profile software which uses dictionary cracking then brute force cracking. Some
times it uses the precompiled hashes called rainbow tables for cracking the passwords.
The fig 2.6 given above shows the GUI of loftcrack. Usually in windows the
passwords are stored in the sam file in the config directory of system 32. This file
operating system protected that is we cannot access this file if the operating system is
running. But with this loftcrack we just need to run a wizard to get the details of the
passwords stored in the sam file. As seen from the figure the software used the
dictionary of 29156 words in this case. It also got options to use the brute force and
pre-compiled hashes.
Privilege escalation is the process of raising the privileges once the hacker get
in to the system. That is the hacker may get in as an ordinary user. And now he tries to
increase his privileges to that of an administrator who can do many things. There are
many types of tools available for this. There are some tools like getadmin attaches the
user to some kernel routine so that the services run by the user look like a system
routine rather than user initiated program. The privilege escalation process usually
uses the vulnerabilities present in the host operating system or the software. There are
many tools like hk.exe, metasploit etc. One such community of hackers is the
metasploit.
2.5.4 Metasploit
In this type of system hacking we are not actually cracking the password
instead we let all the traffic between a host and a client to go through the hacker
system so that he can directly find out the passwords and other details. In the man in
the middle attack what a hacker does is he will tell to the user that he is the server and
then tell the server that I am the client. Now the client will send packets to the hacker
thinking that he is the server and then the hacker instead of replying forwards a copy
of the actual request to the actual server. The server will then reply to the hacker
which will forward a copy of the reply to the actual client. Now the client will think
that he got the reply from the server and the server will think that it replied to the
actual client. But actually the hacker,the man in the middle, also have a copy of the
whole traffic from which he can directly get the needed data or the password using
which he can actually hack in.
Now the hacker is inside the system by some means by password guessing or
exploiting some of it`s vulnerabilities. This means that he is now in a position to
upload some files and download some of them. The next aim will be to make an
easier path to get in when he comes the next time. This is analogous to making a small
hidden door in the building so that he can directly enter in to the building through the
door easily. In the network scenario the hacker will do it by uploading some
softwares like Trojan horses,sniffers, key stroke loggers etc.
Key stroke loggers are actually tools which record every movement of the
keys in the keyboard. There are software and hardware keystroke loggers the directly
records the movement of keys directly. For maintaining access and privilege
escalation the hacker who is now inside the target network will upload the keystroke
logging softwares in to the system.
The software keystroke loggers will stay as a middle man between the
keyboard driver and the CPU. That is all the keystroke details will directly come to
the software so that the tool keeps a copy of them in a log and forwarding them to the
CPU.
The hackers will place these Trojan softwares inside the network and will go
out. Then after sometimes when he come back the Trojan software either authenticate
the hacker as a valid user or opens some other ports for the hacker to get in. There are
many genere of Trojans like
● password sending/capturing
● FTP Trojans
● Keystroke captures Trojans
● Remote access Trojans
● Destructive Trojans
● Denial of Service Trojans
● Proxy Trojans
There are many examples for trojans like Tini, netcat, subseven, barkorffice
etc. Tini is a very tiny Trojan which just listens to the port 7777. so after introducing
the tini the hacker can send his commands to that port number. Netcat is another
Trogen which have the ability to connect to any local port and could start out bound
or inbound TCP or UDP connections to or from any ports. It can even return the
command shell to the hacker through which the hacker can access the system.
Subseven and barkorffice are other Trojans which have a client server architecture
which means that the server part will reside in the target and the hacker can directly
access the server with the knowledge of the user.
2.6.3 Wrappers
There are some tools like blindslide which will insert and extract the data into
just jpeg or bmp pictures. Actually what they does is that they will insert the data into
the white spaces that may be present in the files. The most attractive thing is that most
of the time they will not alter the size of the file.
2.6.4 Elitewrap
will start working and will start listening to some ports which will be exploited by the
hackers.
Now we come to the final step in the hacking. There is a saying that
“everybody knows a good hacker but nobody knows a great hacker”. This means that
a good hacker can always clear tracks or any record that they may be present in the
network to prove that he was here. When ever a hacker downloads some file or
installs some software,its log will be stored in the server logs. So inorder to erase
those the hacker uses man tools.
One such tool is windows resource kit`s auditpol.exe. This is a command line
tool with which the intruder can easily disable auditing. There are some other tools
like Eslave which directly clears all the event logs which tell the administrator that
some intruder has come in. Another tool which eliminates any physical evidence is the
evidence eliminator. Sometimes apart from the server logs some other informations
may be stored temporarily. The Evidence Eliminator deletes all such evidences.
2.7.1 Winzapper
This is another tool which is used for clearing the tracks. This tool will make a
copy of the log and allows the hackers to edit it. Using this tool the hacker just need to
select those logs to be deleted. Then after the server is rebooted the logs will be
deleted.
3.CONCLUSION
One of the main aim of the seminar is to make others understand that there are
so many tools through which a hacker can get in to a system. There are many reasons
for everybody should understand about this basics. Lets check its various needs from
various perspectives.
● Student
● Professionals
● Users
The software is meant for the use of its users. Even if the software
menders make the software with high security options with out the help of users it
can never be successful. Its like a highly secured building with all doors open
carelessly by the insiders. So users must also be aware of such possibilities of hacking
so that they could be more cautious in their activities.
In the preceding sections we saw the methodology of hacking, why should we aware
of hacking and some tools which a hacker may use. Now we can see what can we do
against hacking or to protect ourselves from hacking.
REFERENCES
1. “http://netsecurity.about.com”
2. “http://researchweb.watson.ibm.com”
3. “http://www.eccouncil.org”
4. “http://www.ethicalhacker.net”
5. “http://www.infosecinstitute.com”
6. “http://searchsecurity.techtarget.com”