
Are we prepared for accepting ethical hacking?

Abstract

The Internet is a cyber-world, and as in the real world there are wars in it. Our adversaries are governments, hackers and thieves, and all of them want control of our cyber-world. On the Internet the computer is a double-edged sword: like every great discovery, it can be dangerous for the one who uses it. Is society prepared to fight these adversaries? Today's online society is looking for ways to keep our private and confidential information from being leaked. In this war-like world, if you want to keep something private and to mitigate threats, you have to open the weapons chest and start evaluating and testing your own vulnerability. What are the vulnerabilities of a computer? Software vulnerabilities are the Achilles' heel that allows a hacker to compromise the integrity, availability or confidentiality of the software or of the data it processes. This report focuses on discovering our vulnerabilities: software vulnerability exploits, malicious and potentially unwanted software, and security breaches. Microsoft published a threat analysis for its operating systems (image 1)1, based on detections by the Malicious Software Removal Tool (MSRT). For the first half of 2011, threat families were classified by the way they propagate, each family having been documented using that method to infect victims.

Image 1

1 http://www.microsoft.com/security/sir/default.aspx

In the chart: Exploit. A zero-day vulnerability is a software vulnerability that is successfully exploited before the software vendor has a security update available to address it. The unknown that "zero-day" implies naturally intimidates network users and IT professionals, because they do not know whether their software is vulnerable. A recent example of a zero-day exploit is the Duqu trojan: it loads shellcode when a user opens a crafted Microsoft Word document (.doc), after which the attackers can command it to infect other computers2. Still, zero-day vulnerabilities are insignificant in number per year compared with the remaining threats. It is interesting to observe in this chart that 44.8% of threats require user interaction and 43.2% exploit the AutoRun feature through USB devices and network shares. To stop AutoRun from being abused, Microsoft shipped an update for its platforms in February 2011. Looking at the overall picture, threats increased by 5.6% because software is not kept updated. A critical point in the same report (image 2) is that exploitation of vulnerabilities in Microsoft operating systems increased in the second quarter of 2011.

Image 2

This increase is due to vulnerability CVE-2010-2568, which allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file that is not properly handled during icon display in Windows Explorer3. So we can recognise that exploitation of system vulnerabilities is not the only leading threat: in the majority of cases in which somebody hacks us, an ingredient of the deed is our own mistake and lack of interest.
2 http://www.symantec.com/connect/w32-duqu_status-updates_installer-zero-day-exploit
3 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568

There are various methods of simulating an attack and testing the defences of computers that hold private or confidential data. A huge collection of tools is used to identify vulnerabilities in networks, applications or services. The best way to stop this immoral activity is to think the way a hacker thinks. The practices described in this report are not the only techniques available for performing a penetration test. New paths will be discovered, because hackers already know how to hack and have the time and energy to develop new techniques.

Patterns of hackers

The word "hack" originated at MIT in the 1960s with the Tech Model Railroad Club, whose members hacked the circuits to change the performance of their model trains. Hackers hack either maliciously or defensively, whereas crackers, in contrast, have offensive principles such as breaking into a computer network. The media and the public use the word "hacker" for all categories of hackers, regardless of level or experience. Not all hackers are alike: some have malicious intent and others do not. The old-fashioned hacker who was out for fun is an endangered species, replaced by categories of cyber-criminals that tend to be highly structured, with complex techniques and extensive resources. Foreign military and intelligence services and criminal and terrorist networks may now be the hackers or crackers, and they can have a considerable impact on the economy by sponsoring, or taking part directly in, the well-known industry of espionage. They use holes in the security and the laws of countries, as well as citizens' dependence on computers. Many organisations employ ethical hackers and agree to be their targets. The job of ethical hacker can be an alternative for the old-fashioned hacker, because nowadays the risk for a hacker is too big.
After reading Eoghan Casey's book Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, I will try to draw up a code of practice for surviving as a hacker nowadays.

Code of practice for survival

The first trick you must know is that hackers have their own security standards, a code of practice for survival. It is the antipode of ISO/IEC 27002, the Code of Practice for information security management; both serve as guidance for assessing security risk. A few tips are listed below:

- A hacker never reveals his identity. What does this mean? Nobody must know that you are a hacker. Use a false name and a false account.
- Hack only from public places, but be careful, because remote video surveillance exists. When I read that three-quarters of Britons text, blog or surf the internet while on the toilet, according to a poll4, a funny idea flashed through my mind: maybe the safe places are toilets. Why not for hacking?
- Do not put your name or date of birth in a password or in any sign-up.
- Never use the same password twice, and use a minimum password length of 16 characters.
- Encrypt files, because encryption protects files and folders from unauthorised viewing.
- Use a solid-state disk instead of a classic hard disk drive, because recovering data after a good sanitisation is complicated. Why? First, from the forensic point of view: "Wear-leveling and other types of performance-boosting algorithms have made each disk unique, built on very complicated controller technology. The proprietary algorithms are not available for the data forensics, which makes mapping an address to the physical media impossible."5 The reality is that numerous new SSDs encrypt information by default, and this leads to better security. "It also provides a quick means to sanitize the device, since deleting the encryption key will, in theory, render the data on the drive irretrievable."6 The caveat from the same paper6 is that the opposite also holds: overwriting single files on an SSD does not reliably erase them, and even the drives' built-in whole-disk erase commands were found to be implemented incorrectly on some models, so without working built-in encryption or a verified erase the data may well survive.
- Do not use the network card built into the motherboard. Use only a USB wireless adapter, because those are easy to lose.
- Always change the MAC address (clone a fictitious one).
- Clean the registry, temporary internet files, recent-file lists and index.dat periodically.
- Change the BIOS clock before an attack, or format the hard disk drive or media.
- Use a live DVD/CD or live USB operating system for the attack.
- Do not burn the live DVD/CD with your own DVD-RW drive, and be careful which burning software is used, because it can burn information about you onto the disc.
- After a successful attack, immediately low-level format the hard disk drive, SSD or other media. Do not forget: in the information era the safest deletion procedure is the hammer.
4 http://www.telegraph.co.uk/news/newstopics/howaboutthat/6077112/Twittering-on-the-toilet-Britains-bathroom-habits.html
5 http://news.softpedia.com/news/Is-Data-Recovery-Possible-When-Using-Solid-State-Disks-77334.shtml
6 http://cseweb.ucsd.edu/users/swanson/papers/Fast2011SecErase.pdf

- For Windows, periodically run the command cipher /w to wipe the unused space on the entire volume.
- Always use proxy servers, but be careful, because not all of them provide strong anonymity. You can see the effect of using a proxy server under How to become anonymous.
- The hacker has to read the news, because he wants to be up to date.

My opinion, after writing the lines above: I try to imagine how many hackers do this for fun when they have so many standards to respect. These enthusiasts, from the beginner up, are an endangered species. I suggest they retrain as ethical hackers, because then they can combine the fun with the job.

Creating a test plan

Survivability of a system (computer or network) is its ability to keep running its services properly. Generally speaking, for a system to survive it must be able to respond to and protect itself against attackers without a negative effect on its services. How resilient is my network or computer? My view is that nobody on the globe knows the absolute answer. Successfully penetrating a computer or a network requires a meticulous plan.

How to become anonymous

The first advice for a hacker is always to use a proxy server. What is a proxy server? A proxy server is a computer in the network that relays web pages, files, connections or other data between servers and clients. On the Internet you can find free proxy servers that can be used to stay anonymous. For example, I searched Google for free proxy servers and found a continuously updated list of proxy servers from Romania (see the image below). Most of the time these proxy servers are dangerous even for a hacker, because they are bursting with threats.

Personally, as the proxy for this project I prefer The Onion Router (Tor). Tor provides a network of virtual tunnels that allow us to improve anonymity on the Internet. I ran a personal test with the Aurora browser that ships with Tor and compared it with Internet Explorer 8.0. The results can be seen in the image below.

On the left, in Internet Explorer, you can see my real location and IP address in the UK. On the right, in Aurora, my IP address is 188.95.153.254, the location is Ukraine and the ISP is PAN-SAM.ltd (what the web site sees is the address of the Tor exit node, not my own).

The Tor log below shows how the circuit through the network was opened:

ian. 16 11:28:09.772 [Notice] Tor v0.2.2.35 (git-b04388f9e7546a9f). This is experimental software. Do not rely on it for strong anonymity. (Running on Windows XP Service Pack 3 [workstation])
ian. 16 11:28:09.772 [Notice] Initialized libevent version 2.0.16-stable using method win32. Good.
ian. 16 11:28:09.772 [Notice] Opening Socks listener on 127.0.0.1:9050
ian. 16 11:28:09.772 [Notice] Opening Control listener on 127.0.0.1:9051
ian. 16 11:28:09.772 [Notice] Parsing GEOIP file .\Data\Tor\geoip.
ian. 16 11:28:13.007 [Notice] OpenSSL OpenSSL 1.0.0f 4 Jan 2012 looks like version 0.9.8m or later; I will try SSL_OP to enable renegotiation
ian. 16 11:28:13.007 [Notice] We now have enough directory information to build circuits.
ian. 16 11:28:13.007 [Notice] Bootstrapped 80%: Connecting to the Tor network.
ian. 16 11:28:13.007 [Notice] New control connection opened.
ian. 16 11:28:13.663 [Notice] Bootstrapped 85%: Finishing handshake with first hop.
ian. 16 11:28:13.991 [Notice] Bootstrapped 90%: Establishing a Tor circuit.
ian. 16 11:28:15.522 [Notice] Tor has successfully opened a circuit. Looks like client functionality is working.
ian. 16 11:28:15.522 [Notice] Bootstrapped 100%: Done.

Collecting information

When we check information on the Internet about an organisation, it is surprising how much information of interest we can find. The company web page, e-mail addresses, phone numbers, town, street details or employee names are a few of the things you can find for free. Examining the organisation's web page gives us too much information that can be used by hackers for social engineering, surveillance, extortion or other hustles. For example, I will see how much information I can collect about the company that owns the page www.bacxx.xx. In this project I have changed the name of the site and the IP address for confidentiality and security reasons. On the contact page we immediately see important names, the physical address, e-mail addresses and phone numbers, and other links from which we can extract key information. The physical address can be used in the attack strategy, and a detailed sketch of it can be obtained from Google Earth.

After that, with the tracert command I can check which internet service provider hosts the web page and find the web server's IP address:

C:\Documents and Settings\Sibi>tracert www.bacxx.xx

Tracing route to bacxx.xx [109.99.XXX.XXX]
over a maximum of 30 hops:

  1    16 ms     *       9 ms  10.72.196.1
  2    10 ms     *       8 ms  cdif-cam-1b-v114.network.virginmedia.net [62.254.255.221]
  3    11 ms     *       8 ms  cdif-core-1b-ae2-0.network.virginmedia.net [195.182.175.209]
  4     8 ms     *       9 ms  cdif-core-1a-ge-100-0.network.virginmedia.net [62.254.253.1]
  5     9 ms     *      12 ms  brhm-bb-1a-as0-0.network.virginmedia.net [212.43.163.109]
  6    15 ms     *      27 ms  nrth-bb-1b-ae2-0.network.virginmedia.net [62.253.185.85]
  7    18 ms     *      16 ms  nrth-bb-1a-ae0-0.network.virginmedia.net [62.253.185.117]
  8    18 ms     *      13 ms  nrth-tmr-1-ae1-0.network.virginmedia.net [213.105.159.30]
  9    35 ms     *      32 ms  fran-ic-1-as0-0.network.virginmedia.net [62.253.185.81]
 10    39 ms     *       *     decix.romtelecom.net [80.81.192.54]
 11   106 ms    90 ms   86 ms  109.99.XXX.XXX

Trace complete.

Which Internet Service Provider? You can see immediately that it is Romtelecom. Can I find the physical location of the web server? Yes, I can. I enter the IP address found by tracert at http://whatismyipaddress.com/ip/109.99.XXX.XXX and get the city where it is located, in other words Bacau, Romania (IP geolocation databases report the registered location of the address block, so this is an approximation). At this point we do not know the exact physical location (street) of the server, but a false telephone call can very easily clear up the mystery: "Good morning, we are calling from Romtelecom and ..." Other paths for collecting information are disgruntled employees or data from IANA (Internet Assigned Numbers Authority) and the TLD (top-level domain) registries.

Vulnerable services

The plan must be adapted to the vulnerable services, from both outside and inside the network, wherever possible.

A service is defined by a transport layer protocol (TCP, UDP or SCTP) and a port number (which identifies the endpoint of a connection). A computer can have thousands of ports; the official list can be found at http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml. Examples of well-known services:

Port number | Transport protocol | Description
20 & 21 | TCP, UDP, SCTP | File Transfer Protocol (FTP)
22 | TCP, UDP, SCTP | Secure Shell (SSH)
23 | TCP, UDP | Telnet remote login service
25 | TCP, UDP | Simple Mail Transfer Protocol (SMTP)
53 | TCP, UDP | Domain Name System (DNS) service
80 | TCP, UDP, SCTP | Hypertext Transfer Protocol (HTTP), used in the World Wide Web
110 | TCP, UDP | Post Office Protocol (POP3)
143 | TCP, UDP | Internet Message Access Protocol (IMAP)
443 | TCP, UDP, SCTP | HTTP Secure (HTTPS)
8080 | TCP | Hypertext Transfer Protocol (HTTP), alternative port used for web traffic

Table 1

Nmap

How can we know which services run on a server or computer? Today several applications can be used for service discovery. Nmap is a free security scanner for network exploration and security audits. It can be downloaded from http://nmap.org/download.html and is available for Linux (all distributions), Microsoft Windows, Mac OS X, FreeBSD, OpenBSD, NetBSD, Sun Solaris, Amiga, HP-UX and other platforms. After installing it, we are able to check the services available on IP 109.99.XXX.XXX or www.bacxx.xx. The command to analyse the IP address is:

nmap -T4 -A -v 109.99.XXX.XXX

The scan reported the following (state filter: closed [0] | filtered [0]):

Port | State | Service | Reason | Product | Version | Extra info
22/tcp | open | ssh | syn-ack | OpenSSH | 4.3 | protocol 2.0
53/tcp | open | domain | syn-ack | | |
80/tcp | open | http | syn-ack | Apache httpd | 2.2.3 | (CentOS)
8080/tcp | open | http-proxy | syn-ack | | |
8081/tcp | open | blackice-icecap | syn-ack | | |
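The scan result above as data rather than as a screenshot: the added example below (not code from the original report and not part of Nmap) parses nmap's normal-output port lines, reads the product and version that nmap fingerprinted, and flags the services that lag behind the latest releases quoted later in this report for Apache (2.2.22) and OpenSSH (5.9). The sample scan lines and the "latest version" table are constructed from this page and are assumptions to be refreshed against the vendors' release pages before use. It also shows why versions must be compared numerically: as strings, "2.2.3" sorts after "2.2.22".

```python
"""Turn nmap's service/version lines into a structured version check.

Added example, not part of the original report or of Nmap itself. The scan
lines below are constructed from the results quoted on this page; LATEST
holds the release numbers the report mentions and is an assumption.
"""
import re

# Constructed sample: the port lines nmap printed for the scanned host.
SAMPLE_SCAN = """\
22/tcp   open  ssh             OpenSSH 4.3 (protocol 2.0)
53/tcp   open  domain
80/tcp   open  http            Apache httpd 2.2.3 ((CentOS))
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap?
"""

# Latest releases as stated in the report at the time of writing (assumption).
LATEST = {"OpenSSH": "5.9", "Apache httpd": "2.2.22"}

# port/proto  state  service  [product version ...]
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<product>[A-Za-z][\w .-]*?)\s+(?P<version>\d[\w.-]*))?"
)


def version_key(version):
    """Numeric tuple so that 2.2.3 < 2.2.22 (a plain string compare gets this wrong)."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def parse_scan(text):
    """Return one dict per port line: port, proto, state, service, product, version."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if not m:
            continue            # banner, NSE output, blank lines
        d = m.groupdict()
        d["port"] = int(d["port"])
        services.append(d)
    return services


def outdated(services, latest=LATEST):
    """(port, product, seen, latest) for each fingerprinted service older than LATEST."""
    out = []
    for s in services:
        prod, ver = s["product"], s["version"]
        if prod in latest and version_key(ver) < version_key(latest[prod]):
            out.append((s["port"], prod, ver, latest[prod]))
    return out


if __name__ == "__main__":
    for port, prod, seen, newest in outdated(parse_scan(SAMPLE_SCAN)):
        print(f"{port}/tcp {prod} {seen} is behind {newest}")
```

Being behind the upstream release number is a lead, not proof: CentOS and Red Hat backport security fixes into packages that keep the old version string, so a finding from this check still has to be confirmed against the distribution's package changelog or by testing the specific issue.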

What did we discover? Ports 22, 53, 80, 8080 and 8081 are open. For hackers it is always a challenge to see open ports; it is an invitation and a provocation to hack. Port 8080 is sometimes used by broadband routers as a web server for remote management. WAN-side administration on port 8080 is better disabled, because it represents a vulnerability in security management. We will try to find out more about this vulnerability and interrogate the port with nmap.

Exploit: web server Apache version 2.2.3

We can see that the computer at this IP runs an Apache web server and that the operating system is CentOS. The Apache version is 2.2.3, and the vulnerabilities of this version can be found at http://httpd.apache.org/security/vulnerabilities_22.html. As I write these lines the latest Apache release is version 2.2.22 from 31 January 2012, while the version running now, 2.2.3, was released on 27 July 2006! No comment. I can only imagine how happy a hacker is when finding a server like this. (One caveat: CentOS backports security fixes into its 2.2.3 packages without changing the version string, so the banner alone does not prove that the issues below are unpatched.) I will present only a few of the vulnerabilities discovered in Apache 2.2.3:
1. When caching is enabled in the mod_cache module, an attacker can send a crafted request that causes the Apache child process handling it to crash. With a threaded MultiProcessing Module this can lead to a denial of service (DoS).7
2. A similar bug that can lead to a denial of service was found because Apache did not validate a process entry before sending it a signal. For example, an attacker who gains access to the local network and can run scripts on the HTTP server can manipulate the scoreboard used for communication between the parent and child processes, and thereby cause arbitrary processes to be terminated. I will write about gaining access to a local area network under Exploit: the vulnerability of routers.
The conclusion regarding the web server is that an attacker can exploit the vulnerabilities of Apache 2.2.3 at www.bacxx.xx.

Exploit: Secure Shell version 4.3

In the table we can see that port 22 runs Secure Shell (OpenSSH) version 4.3. SSH is the network protocol that lets users establish a secure channel between two computers; OpenSSH is the open source implementation used on Linux. Like the Apache web server, this SSH version has not been updated since 2006; the latest version now is 5.9, released on 6 September 2011. The conclusion regarding the SSH service is that its signal handler was vulnerable to a race condition that could be exploited to perform a pre-authentication denial of service.

7 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1863

Exploit: the vulnerability of routers

At a quick look, the target could be a WAP (wireless access point), and the router appears to run OS Tomato 1.27 (Linux 2.4.20); nmap itself warns that this OS match is unreliable, because it could not find both an open and a closed port. Is Tomato 1.27 vulnerable? After a short Google search, a paper by Martin Eian of the Norwegian University of Science and Technology, Department of Telematics, says that a Linksys WRT54GL with firmware Tomato 1.27 is vulnerable8. He found in experiments that "the attacker captures one frame, then modifies and transmits it twice to disrupt network access for 60 seconds". We do not know for certain that the router is a Linksys, but it may be the same. To clarify the information and learn more about the router, an intensive scan can bring news.
Starting Nmap 5.51 ( http://nmap.org ) at 2012-02-03 01:44 GMT Standard Time
NSE: Loaded 57 scripts for scanning.
Initiating Ping Scan at 01:44
Scanning 109.99.XXX.XXX [4 ports]
Completed Ping Scan at 01:44, 0.50s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:44
Completed Parallel DNS resolution of 1 host. at 01:44, 0.05s elapsed
Initiating SYN Stealth Scan at 01:44
Scanning 109.99.XXX.XXX [1000 ports]
Discovered open port 22/tcp on 109.99.XXX.XXX
Discovered open port 80/tcp on 109.99.XXX.XXX
Discovered open port 53/tcp on 109.99.XXX.XXX
Discovered open port 8081/tcp on 109.99.XXX.XXX
Completed SYN Stealth Scan at 01:44, 7.75s elapsed (1000 total ports)
Initiating Service scan at 01:44
Scanning 4 services on 109.99.XXX.XXX
Completed Service scan at 01:46, 106.08s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 109.99.XXX.XXX
Retrying OS detection (try #2) against 109.99.XXX.XXX
WARNING: OS didn't match until try #2
Initiating Traceroute at 01:46
Completed Traceroute at 01:46, 6.09s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 01:46
Completed Parallel DNS resolution of 2 hosts. at 01:46, 0.03s elapsed
NSE: Script scanning 109.99.XXX.XXX.
Initiating NSE at 01:46
Completed NSE at 01:46, 1.66s elapsed
Nmap scan report for 109.99.XXX.XXX
Host is up (0.089s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey: 1024 94:72:3f:92:8a:20:e7:c9:31:ef:20:2e:92:01:1e:5c (DSA)
|_2048 fc:ac:22:1e:a4:fe:ff:93:4e:80:92:d4:ad:d8:c8:8c (RSA)
53/tcp   open  domain
80/tcp   open  http            Apache httpd 2.2.3 ((CentOS))
| http-methods: GET HEAD POST OPTIONS TRACE
| Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Bacxx
8081/tcp open  blackice-icecap?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port8081-TCP:V=5.51%I=7%D=2/3%Time=4F2B3C1D%P=i686-pc-windows-windows%r(GetRequest,7B,"HTTP/1\.1\x20401\x20Unauthorized\r\nConnection:\x20Keep-Alive\r\nWWW-Authenticate:\x20Basic\x20realm=\"HuaweiHomeGateway\"\r\nContent-Length:\x200\r\n\r\n")%r(FourOhFourRequest,7B,"HTTP/1\.1\x20401\x20Unauthorized\r\nConnection:\x20Keep-Alive\r\nWWW-Authenticate:\x20Basic\x20realm=\"HuaweiHomeGateway\"\r\nContent-Length:\x200\r\n\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: WAP
Running: Linux 2.4.X
OS details: Tomato 1.27 (Linux 2.4.20)
Network Distance: 14 hops

TRACEROUTE (using port 22/tcp)
HOP RTT       ADDRESS
1   ... 3
4   15.00 ms  cdif-core-1a-ge-100-0.network.virginmedia.net (62.254.253.1)
5   ... 13
14  109.00 ms 109.99.XXX.XXX

Read data files from: C:\Program Files\Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.19 seconds
           Raw packets sent: 2138 (98.042KB) | Rcvd: 43 (2.680KB)

8 http://www.item.ntnu.no/~eian/publications/2010/tkip_ccmp_dos.pdf

Another point of view is that the router is a Huawei Home Gateway: the service on port 8081 answers with HTTP 401 Unauthorized and the Basic authentication realm "HuaweiHomeGateway". We must correlate the information found by Nmap with the technology deployed by the Internet Service Provider. After a quick search on the Internet, we concluded that Romtelecom operates four types of Huawei routers9:
- EchoLife HG510 Home Gateway
- EchoLife HG520s Home Gateway
- SmartAX MT882 Router
- VDSL2/ADSL2+ HG 655b

A further search finds the default username and password for these routers:

Vendor | Model | Username | Password
Huawei | EchoLife HG510, HG520s | admin | admin
Huawei | SmartAX MT882 | admin | admin
Huawei | HG 655b | admin | admin
Could the Huawei HG 655b be a possible vulnerability for this company? First we must know whether this router can be vulnerable at all. I will suppose a possible path a hacker can follow to exploit a vulnerability of the wireless access point. The modern Huawei HG 655b supports Wi-Fi Protected Setup (WPS). This wireless standard simplifies the procedure by which a mobile device is configured for a wireless home network: an authentication method that only requires the router's PIN to join the network, after which the user receives the required information, such as the password and keys for the security protocol (WEP or WPA). On 6 January 2012 US-CERT (United States Computer Emergency Readiness Team) published on its site10 Technical Cyber Security Alert TA12-006A, which presents the exploitation of Wi-Fi Protected Setup (WPS). It says that an attacker can exploit a design vulnerability that "reduces the effective PIN space sufficiently to allow practical brute force attacks", and that freely available attack tools can recover a WPS PIN in 4-10 hours. How can the vulnerability be exploited? First we need to understand the principle of the WPS weakness. For example, in the image below you can see the WPS symbol and the WPS PIN printed on a router.

9 http://www.romtelecom.ro/personal/asistenta/internet/manuale-de-utilizare/
10 http://www.us-cert.gov/cas/techalerts/TA12-006A.html
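Why the PIN space collapses the way the next paragraphs describe is easiest to see in code. The added example below (not from the original report and not code from Reaver or WPScrack) computes the WPS PIN checksum digit, simulates only the error-reporting behaviour of the registrar exchange that VU#723755 describes (a NACK after M4 reveals that the first four digits were wrong, a NACK after M6 that the last four were), and runs the split brute force against it. The simulated access point is an assumption for illustration, sends no radio frames and has none of the timing or lockout behaviour that decides the 4-10 hours quoted above; the PINs 12345670 and 99999995 are constructed test values.

```python
"""Why a WPS PIN falls in at most 11,000 attempts rather than 10^8.

Added example, not from the original report or from Reaver/WPScrack. The
access point is a simulation of only the failure reporting that VU#723755
describes (assumption for illustration; no radio, no lockout handling).
"""


def wps_checksum(first_seven):
    """Checksum digit of a 7-digit WPS PIN body: the 8th digit of the PIN."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin):
    """True when the 8-digit PIN's last digit matches its checksum."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class SimulatedAccessPoint:
    """Registrar side of the exchange, reduced to its failure reporting.

    M4 fails when the first four digits are wrong; M6 fails when the last
    four are wrong; otherwise the AP proceeds to M7 and hands over the keys.
    (Simulation for this example only, not a real WPS implementation.)
    """

    def __init__(self, pin):
        assert is_valid_pin(pin), "AP must be configured with a valid PIN"
        self._first, self._second = pin[:4], pin[4:]

    def attempt(self, guess):
        if guess[:4] != self._first:
            return "NACK after M4"   # leaks: first half wrong
        if guess[4:] != self._second:
            return "NACK after M6"   # leaks: first half right, second wrong
        return "M7"                  # authenticated


def recover_pin(ap):
    """Split brute force: 10^4 tries for the first half, then 10^3 for the second.

    Returns (pin, attempts); the worst case is 10,000 + 1,000 = 11,000 attempts.
    """
    attempts = 0
    first = None
    for i in range(10_000):
        attempts += 1
        # The second half is irrelevant at this stage; only M4's answer matters.
        if ap.attempt(f"{i:04d}0000") != "NACK after M4":
            first = f"{i:04d}"
            break
    if first is None:
        return None, attempts
    for j in range(1_000):
        attempts += 1
        body = first + f"{j:03d}"
        guess = body + str(wps_checksum(int(body)))  # last digit computed, never guessed
        if ap.attempt(guess) == "M7":
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed PINs: the well-known example 12345670 and the worst case 99999995.
    for pin in ("12345670", "99999995"):
        found, tries = recover_pin(SimulatedAccessPoint(pin))
        print(f"{found} recovered in {tries} attempts (full space: {10**8:,})")
```

The two halves are searched independently only because the AP answers differently at M4 and M6; an implementation that gave the same failure after the full PIN had been sent would force the attacker back to the full 10^7 valid PINs, which is why disabling WPS or a firmware change, rather than a longer PIN, is the fix the text goes on to recommend.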

When a hacker tries to connect to a router with a wrong PIN, the router sends an EAP-NACK message back. Vulnerability Note VU#723755, WiFi Protected Setup (WPS) PIN brute force vulnerability, on the US-CERT site tells us: "The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10^8 to 10^4 + 10^3 which is 11,000 attempts in total." This huge vulnerability exists because the hacker can exploit the fact that the PIN is static. WPScrack and Reaver 1.3 are two programs that exploit it11. The few ways to eliminate this vulnerability are to disable the WPS setting, or to update the firmware if the manufacturer releases new firmware that removes the problem. In our case we do not know whether the company's router is really a Huawei or a Linksys, nor whether it is vulnerable, but a hacker can try. This means that a hacker within radio range can try to gain wireless access to the local network. A hacker who gains access can insert malware, spyware or a rootkit into the local network, and at the same time can launch denial-of-service attacks, deploy rogue WLAN devices, monitor WLAN data transmissions or analyse traffic flows. This is the first possible piece of a possible disaster puzzle, discovered with the help of Nmap. A legitimate question is whether the millions of users know about this new vulnerability. Internet Service Providers are in many cases also the providers of the equipment: do they inform users about this vulnerability, or update the firmware? I am sure that the majority of users of this equipment do not know about the vulnerability and the risk they are exposed to.

11 https://docs.google.com/spreadsheet/lv?pli=1&key=0AgsJmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c&f=true&noheader=true&gid=0

Exploit: the vulnerability of DNS

We can see in the listing that the server provides more services and is not used only as an HTTP server. Among the services identified on this IP address is DNS. DNS translates hostnames to IP addresses for services such as web pages, e-mail and FTP, and vice versa. BIND is the free software that provides DNS on Linux. When DNS is under attack, services such as WWW, FTP and mail are affected, because BIND is the software that links users to these important services. BIND is configured with the help of zone files. A hacker will first try to see what the zone configuration contains and which version of BIND runs on the server, in order to know its vulnerabilities. The query is made with the command dig, and we can see partial information from the zone file: the name server, serial, refresh, retry, expire and TTL (time to live).
caine@caine:~$ dig bacxx.xx

; <<>> DiG 9.7.0-P1 <<>> bacxx.xx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7677
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;bacxx.xx.                      IN      A

;; AUTHORITY SECTION:
bacxx.xx.               8788    IN      SOA     ns1.bacxx.xx. cirsteasebastian.gmail.com. 2011101501 3600 7200 1209600 604800

;; Query time: 9 msec
;; SERVER: 194.168.4.100#53(194.168.4.100)
;; WHEN: Sat Jan 28 23:30:12 2012
;; MSG SIZE  rcvd: 98

In the authority section we can see the name server, ns1.bacxx.xx, and the e-mail address of the server administrator, cirsteasebastian@gmail.com (in the SOA RNAME field the first dot stands for the @). Serial is the numeric zone serial number, and it must be incremented whenever the zone file is modified. The serial of this domain is 2011101501, which suggests the zone was released on 15 October 2011, revision 01. Refresh is the number of seconds between update checks by slave name servers, in our case 3600 seconds. Retry is the number of seconds a slave server waits before retrying after a failed attempt, in our case 7200 seconds. Expire is the number of seconds a slave server keeps answering before treating its copy as out of date if it cannot reach the primary name server, in our case 1209600 seconds or 2 weeks. TTL (time to live) is the number of seconds a name is cached locally before clients return to the name servers for fresh data, in our case 604800 seconds or 7 days. Note that since RFC 2308 this last SOA field is actually the negative-caching TTL (how long a "no such name" answer may be cached); the TTL of the record itself is the 8788 printed next to the zone name, which is the remaining cache time reported by the resolver that answered. To find the version of BIND, the command is: dig @109.99.XXX.XXX version.bind txt chaos
caine@caine:~$ dig @109.99.XXX.XXX version.bind txt chaos

; <<>> DiG 9.7.0-P1 <<>> @109.99.XXX.XXX version.bind txt chaos
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22451
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     "9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2"

;; AUTHORITY SECTION:
version.bind.           0       CH      NS      version.bind.

;; Query time: 99 msec
;; SERVER: 109.99.XXX.XXX#53(109.99.XXX.XXX)
;; WHEN: Mon Feb 6 00:32:32 2012
;; MSG SIZE  rcvd: 91
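Reading the SOA fields and the BIND banner by eye, as done above, is easy to get wrong (the string compare and the unit conversions in particular). The added example below, which is not code from the original report, parses the two dig outputs quoted above into the same fields, decodes the YYYYMMDDnn serial, prints the timers in human units and pulls the version.bind TXT string. The two outputs are constructed from the dig sessions shown on this page, with the same placeholders.

```python
"""Pull the SOA fields and the BIND banner out of dig's output.

Added example, not from the original report. The two outputs below are
constructed from the dig sessions quoted on this page.
"""
import re
from datetime import date

SOA_OUTPUT = """\
;; AUTHORITY SECTION:
bacxx.xx.\t\t8788\tIN\tSOA\tns1.bacxx.xx. cirsteasebastian.gmail.com. 2011101501 3600 7200 1209600 604800
"""

VERSION_OUTPUT = """\
;; ANSWER SECTION:
version.bind.\t\t0\tCH\tTXT\t"9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2"
"""

# zone  ttl  IN  SOA  mname  rname  serial refresh retry expire minimum
SOA_RE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)",
    re.M,
)


def parse_soa(text):
    """Return the SOA record as a dict, or None if dig printed no SOA."""
    m = SOA_RE.search(text)
    if not m:
        return None
    d = m.groupdict()
    for k in ("ttl", "serial", "refresh", "retry", "expire", "minimum"):
        d[k] = int(d[k])
    # RNAME encodes the mailbox with its first dot standing for '@' (RFC 1035).
    local, _, domain = d["rname"].rstrip(".").partition(".")
    d["admin_email"] = f"{local}@{domain}"
    return d


def serial_as_date(serial):
    """Decode a YYYYMMDDnn serial into (date, revision); None if not in that form."""
    s = str(serial)
    if len(s) != 10:
        return None
    try:
        return date(int(s[:4]), int(s[4:6]), int(s[6:8])), int(s[8:])
    except ValueError:          # e.g. month 13: a plain counter, not a date
        return None


def humanize(seconds):
    """Express a timer in the largest unit that divides it exactly."""
    for unit, size in (("week", 604800), ("day", 86400), ("hour", 3600), ("minute", 60)):
        if seconds >= size and seconds % size == 0:
            n = seconds // size
            return f"{n} {unit}{'s' if n != 1 else ''}"
    return f"{seconds} seconds"


def bind_version(text):
    """The version.bind TXT string, or None if the server refused to answer."""
    m = re.search(r'version\.bind\.\s+\d+\s+CH\s+TXT\s+"([^"]*)"', text)
    return m.group(1) if m else None


if __name__ == "__main__":
    soa = parse_soa(SOA_OUTPUT)
    print("primary:", soa["mname"], "admin:", soa["admin_email"])
    print("serial:", soa["serial"], "->", serial_as_date(soa["serial"]))
    for k in ("refresh", "retry", "expire", "minimum"):
        print(f"{k}: {humanize(soa[k])}")
    print("BIND:", bind_version(VERSION_OUTPUT))
```

The serial decoding is a convention, not a guarantee: many zones use a plain counter or a Unix timestamp, and serial_as_date returns None for those rather than inventing a date. A BIND that answers version.bind with a real string is also the easy case; a hardened server sets "version" in named.conf to a fixed string or refuses the CHAOS query, and the function then returns None.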

On http://www.cvedetails.com/12 we can see that three vulnerabilities were reported for BIND version 9.3.6. The first, CVE-2009-4022, tells us that attackers can modify system files or information, with no impact on availability and no access gained. The second, CVE-2010-0290, also lets attackers modify system files or information; the integrity and availability impact is partial, but no access is gained. The third, CVE-2010-0382, can have a complete impact on confidentiality, integrity and availability, but again no access is gained. The conclusion regarding the exploitation of BIND 9.3.6 is that a hacker can make the DNS completely unavailable. A caveat: the banner identifies a Red Hat package (9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2), and Red Hat backports security fixes without changing the upstream version number, so the version string alone does not prove that these three issues are unpatched; the package changelog or a test of the specific issue is needed to confirm it.

12 http://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-86672/ISC-Bind-9.3.6.html

Conclusions

In this report I have shown that:
- In most cases, infecting a computer with malware needs user intervention.
- Hackers mostly count on our mistakes and lack of interest.
- Computers are not our only vulnerability; the environment and peripheral devices such as modems, routers and access points can be vulnerable too.
- Software updates do not guarantee one hundred percent that you will not be hacked.
- Hacking for fun is an endangered species, and an alternative for hackers is to work in the field as ethical hackers.

As you saw, the fact that a person or an organisation gets hacked is a collection of mistakes belonging to the whole troupe playing on the stage of computer crime. We cannot blame only the software developers, the internet providers or the hackers for what is going on on the Internet. It is better first to analyse what we can do ourselves before accusing others. We do not live in a world whose century is named Flower Power. We are unknowing soldiers in a new century in which information is the new weapon of the Internet war. The great players conquer new virtual territories and pick and choose the benefits of information, and not only those.

References
- T. J. Klevinsky, Scott Laliberte, Ajay Gupta, Hack I.T.: Security Through Penetration Testing, Pearson Education, 2002
- Andrew Whitaker, Daniel Newman, Penetration Testing and Network Defense, Cisco Press, 2006
- Martin Eian, http://www.item.ntnu.no/~eian/publications/2010/tkip_ccmp_dos.pdf
