Basic Threats
1. Theft of passwords. 2. Email based threats. 3. Email based extortion. 4. Launch of malicious programs. 5. Internet time theft.
6. Web defacement. 7. Corporate espionage. 8. Website based launch of malicious code, cheats and frauds. 9. Exchange of criminal ideas and tools. 10. Cyber harassment. 11. Forged websites.
12. Email spamming. 13. Theft of software, electronic records, computer hardware etc. 14. Cyber stalking. 15. Email bombing. 16. Morphing. 17. Denial of service attacks.
Other thefts: 18. Theft of information. 19. Email forgery. 20. Theft of e-cash, credit card numbers, online bank accounts etc.
Some well-known incidents:
– Dutch Gulf War hackers: tried to sell stolen documents to Iraq.
– Rome Labs hackers: UK teens looking for UFOs and cyber trophies.
– Masters of Downloading: a member of an Indian militant organisation tried to buy stolen material from Chameleon and others for $1000.
What is information security?
Every information user is a node from which information can leak out. Information security is necessary to secure the information of every user. In today's terms it includes the following:
1. Data security. 2. Computer security. 3. LAN security. 4. Internet security. 5. Web or network security.
What is HACKING
Unauthorized use of, or attempts to bypass the security mechanisms of, any information system such as a computer, server or network.
Security and Hacking together
To catch a thief, think like a thief. The idea is that if, as a security professional, you don't know what threats you are facing from crackers or hackers, you will never be able to build an effective security system.
Hackers VS Crackers
Features of a hacker (white hat hacker):
1. Abundance of knowledge and experience. 2. Good guy. 3. Strong ethics. 4. Never indulges in cyber crime. 5. Catches computer criminals.
Features of a cracker:
1. Abundance of knowledge and experience. 2. Bad guy. 3. Weak ethics. 4. Indulges in computer crime. 5. Is a computer criminal himself.
Ethical Hacking or White hat hacking.
Definition:- Also known as penetration testing or white hat hacking, ethical hacking involves the same tricks and techniques that a hacker uses, but with a difference:
– Ethical hacking is legal.
– Ethical hacking is done with the target's permission.
– The intent of ethical hacking is to discover vulnerabilities in the target system from the hacker's viewpoint, so that the system can be made more secure.
– It is part of an overall risk management program that allows for ongoing security improvements. Ethical hacking can also verify that vendors' claims about the security of their products are legitimate.
– You need protection from hackers' shenanigans.
– An ethical hacker possesses the skills, mindset and tools of a hacker, but is also trustworthy.
– Ethical hackers perform hacks as security tests of the systems they are engaged to test.
What do Ethical Hacker do?
An ethical hacker tries to answer:
• What can the intruder see on the target system? (Reconnaissance and Scanning phases of hacking)
• What can an intruder do with that information? (Gaining Access and Maintaining Access phases)
• Does anyone at the target notice the intruder's attempts or success? (Reconnaissance and Covering Tracks phases)
If hired by an organization, an ethical hacker asks the organization what it is trying to protect, against whom, and what resources it is willing to expend in order to gain that protection.
Black Hat Hacking –
This is popularly known as cracking. It essentially means hacking into systems for malicious purposes. The black hat community is growing both in number of people and in skills.
Steps to Ethical Hacking
1. Web Based Password Cracking Techniques 2. Scanning 3. Enumeration 4. System Hacking 5. Trojans and Backdoors 6. Sniffers 7. Denial of Service 8. Social Engineering 9. Session Hijacking 10. Hacking Web Servers 11. Web Application Vulnerabilities
12. SQL Injection 13. Hacking Wireless Networks 14. Viruses 15. Novell Hacking 16. Linux Hacking 17. Evading IDS, Firewalls and Honeypots 18. Buffer Overflow Attacks 19. Cryptography
Phases of Hacking
Phase 1:- Reconnaissance
Reconnaissance refers to the preparatory phase in which the attacker seeks to gather as much information as possible about the target of evaluation before launching an attack. It involves network scanning, either external or internal, without authorization. Business risk: 'Notable'. It is generally described as "rattling the door knobs" to see if someone is watching and responding. What is learned can become a future point of return once an easy point of entry has been noted and more is known about the target on a broad scale.
Passive reconnaissance involves monitoring the target without sending it any traffic. Examples include sniffing and open-source information gathering.
Active reconnaissance involves probing the network to detect: – accessible hosts – open ports – the location of routers – details of operating systems and services.
Phase 2 Scanning
Scanning refers to the pre-attack phase in which the hacker scans the network using the specific information gathered during reconnaissance. Business risk: 'High'. A hacker needs only a single point of entry to launch an attack, and scanning is where the point of exploit is found once a vulnerability of the system is detected. Scanning can include the use of dialers, port scanners, network mapping, sweeping, vulnerability scanners etc.
Phase 3: Gaining Access
Gaining access refers to the true attack phase.
The exploit can occur over a LAN, locally, over the Internet, offline, or as deception or theft. Examples include stack-based buffer overflows, denial of service, session hijacking and password filtering. Influencing factors include the architecture and configuration of the target system, the skill level of the perpetrator and the initial level of access obtained. Business risk: 'Highest'. The hacker can gain access at the operating system level, the application level or the network level.
Phase 4: Maintaining Access
Maintaining access refers to the phase in which the hacker tries to retain 'ownership' of the system. Having exploited a vulnerability, the hacker can tamper with the system at will.
Sometimes hackers harden the system against other hackers as well (to 'own' it exclusively), securing their access with backdoors, rootkits and Trojan horses.
Hackers can upload, download or manipulate data on the owned system.
Phase 5: Covering Tracks.
Covering tracks refers to the activities undertaken by the hacker to extend the misuse of the system without being detected. Reasons include the need for a prolonged stay, continued use of resources, removing evidence of hacking, avoiding legal action etc.
– Examples include steganography, tunneling, altering log files etc. Hackers can remain undetected for long periods, or use this phase to start fresh reconnaissance against a related target system.
Let us get practical: IP revealed
IP (the role of the Internet Protocol in security and hacking)
a) Every system connected to a network has a unique IP address, which acts as its identity on the network. b) An IPv4 address is a 32-bit address divided into four fields of 8 bits each, written in dotted-decimal form, for example 18.104.22.168.
An attacker's first step is to find the IP address of the target system.
Finding out an IP Address.
A remote IP address can be found by any of the following methods:
1. Through instant messaging software. 2. Through Internet Relay Chat. 3. Through your website. 4. Through email headers. 5. Through message board postings.
Finding an IP address by instant messenger
Ask your friend to come online and chat with you.
If you are chatting on ICQ, a direct connection exists between your system and your friend's system: Your system ------- direct link ------- Your friend's system. Now open the MS-DOS command line and type C:\>netstat –n. This command lists the active connections, and the foreign address column will contain the IP address of your friend's computer.
If you are chatting on some other instant messenger such as Yahoo or MSN, an indirect connection is made through the chat server: Your system ---- chat server ---- Friend's system.
In this case you have to create a direct connection between your system and your friend's system by sending a file or by using the call feature. Then go to MS-DOS and type C:\>netstat –n. This will show the IP address of your friend's system. Precautions: – Do not accept file transfers or calls from unknown people. – Chat online only after logging in through a proxy server.
Protecting your IP Address: Proxy Servers
A proxy server acts as a buffer between you and the Internet and hence protects your identity on the Internet. Working: Case 1: your system --- proxy server --- friend's system. Case 2: your system --- proxy server --- chat server --- friend's system. Good proxy servers: – WinGate and WinProxy for the Windows platform. – Squid for the Unix platform. Note that the proxy itself still sees your real address and all of your traffic, so the protection is only as good as your trust in the proxy operator.
Proxy Bouncing
Definition: Proxy bouncing is the technique in which you connect through a chain of several proxies before reaching the actual destination system. Working: Your system ---- proxy1 ---- proxy2 ---- proxy3 ---- proxy4 ---- destination. Tools: MultiProxy.
Finding an IP address via Email Headers
Every mail server that relays a message adds a Received: line to its header recording the IP address of the system that handed it the message; many providers also record the sender's IP address when the message is first submitted.
– An analysis of the email header will therefore tell you the IP address of the computer from which the email originated.
Yahoo email header: to obtain the Yahoo Mail header a) click on the email whose header you want to retrieve; b) click on "Full Headers" in the right-most corner of the email. This opens the mail headers.
Google Mail: to obtain the Gmail headers a) click on the mail whose header you want to retrieve; b) click on "More Options"; c) click on "Show Original". This opens the email header.
You can trace the source of an email from its header. This is used to:
a) Detect forged emails. b) Investigate abusive emails. c) Catch criminals who use email in a crime.
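The header analysis described above, as an added example (not part of the original slides): the Received: chain is read from the bottom up, the bracketed addresses are extracted, and the first routable address is reported as the origin. The message is constructed for the demo and the hostnames and addresses in it are assumptions; the one caveat worth remembering is that the bottom-most Received: line is the one a forger can write himself, so only lines added by relays you trust are reliable evidence.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message (not a real email). Each relay prepends its own
# Received: line, so the top line is the last hop and the bottom one the first.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [203.0.113.7])
\tby inbound.example.com with ESMTP id abc123;
\tMon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example.org (relay.example.org [203.0.113.20])
\tby mx.example.org with ESMTP;
\tMon, 1 Jan 2024 10:00:03 +0000
Received: from [192.168.1.23] (unknown [198.51.100.42])
\tby relay.example.org with ESMTPSA;
\tMon, 1 Jan 2024 10:00:01 +0000
From: alice@example.org
To: bob@example.com
Subject: constructed sample

body text
"""

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Ranges that never identify an Internet sender (RFC 1918, loopback, link-local).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_non_routable(ip):
    """True for addresses that cannot have come from the Internet."""
    address = ipaddress.ip_address(str(ip))
    return any(address in net for net in NON_ROUTABLE)


def received_chain(raw_message):
    """Return one list of IP addresses per Received: header, top (last hop) first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    chain = []
    for header in msg.get_all("Received", []):
        ips = []
        for candidate in BRACKETED_IP.findall(str(header)):
            try:
                ips.append(ipaddress.ip_address(candidate))
            except ValueError:
                continue  # e.g. 999.1.1.1 inside brackets: not an address
        chain.append(ips)
    return chain


def originating_ip(raw_message):
    """Walk the chain from the first hop upward and return the first routable address.

    A relay writes the address it actually saw in the parenthesised part,
    so a private HELO address such as [192.168.1.23] is skipped."""
    for ips in reversed(received_chain(raw_message)):
        for ip in ips:
            if not is_non_routable(ip):
                return str(ip)
    return None
```

For the sample above the origin resolves to 198.51.100.42, the address relay.example.org recorded for the submitting client; the 192.168.1.23 before it is only what the client claimed about itself.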
How to identify a secure connection:– In the browser URL you will notice https://. – Right click on the page you are visiting and open its properties to view the certificate presented by the site (check that it was issued to the site you intended and has not expired).
IP Spoofing
It is the technique of forging your system's source IP address so that the target system thinks you are someone else. It is a method of attack used by network intruders to defeat network security measures that trust packets on the basis of their source address. An attack using IP spoofing may lead to unauthorized access, and possibly root access, on the target system. A method to prevent IP spoofing attacks is to install a filtering router that does not allow incoming packets from the Internet whose source address belongs to your own internal network (ingress filtering), and that does not let packets leave with a source address that is not yours (egress filtering).
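The filtering-router rule described above, written out as an added example (not from the original slides). The site prefix 192.168.0.0/16, the interface names and the sample packets are assumptions made for the demo; the logic is the ingress/egress check itself: a packet from the Internet may not carry an inside (or otherwise unroutable) source, and a packet leaving the site must carry an inside source.

```python
import ipaddress

# Hypothetical site address block used for the example (an assumption, not
# anything stated on the slides).
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")

# Source addresses that should never arrive from the Internet ("bogons"):
# private, loopback, link-local, multicast and reserved space.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]


def filter_packet(interface, src):
    """Decide the fate of one packet at the border router.

    interface is 'outside' (packet arriving from the Internet) or 'inside'
    (packet leaving the site). Returns 'accept' or 'drop:<reason>'."""
    source = ipaddress.ip_address(src)
    if interface == "outside":
        if source in INTERNAL_NET:
            return "drop:spoofed-internal-source"   # an outsider claiming to be one of us
        if any(source in net for net in BOGONS):
            return "drop:bogon-source"              # unroutable source, cannot be genuine
        return "accept"
    if interface == "inside":
        if source not in INTERNAL_NET:
            return "drop:egress-spoof"              # one of our hosts forging a foreign source
        return "accept"
    raise ValueError("unknown interface: %r" % interface)


def audit(packets):
    """Apply the filter to a list of (interface, src) tuples; returns (src, verdict) pairs."""
    return [(src, filter_packet(interface, src)) for interface, src in packets]


# Constructed traffic sample.
SAMPLE = [
    ("outside", "203.0.113.5"),    # ordinary inbound packet
    ("outside", "192.168.5.5"),    # inbound packet claiming an inside source
    ("outside", "10.1.2.3"),       # RFC 1918 source arriving from the Internet
    ("inside",  "192.168.1.10"),   # ordinary outbound packet
    ("inside",  "198.51.100.9"),   # our host spoofing a foreign address
]
```

The egress half is what stops your own network from being the launch point of a spoofed attack against someone else; the ingress half is what stops spoofed packets from reaching hosts that trust internal addresses.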
Phase 2: Scanning, Fingerprinting and Information Gathering.
"To attack a system you must know the system": a must for an ethical hacker.
– The first step, once the target computer has been decided, is to find out as much information about it as you can. – In order to break into a system you need to exploit a vulnerability in one of the services it offers. – Almost all systems have certain open ports, with certain services running on them. – The attacker has to scan the target system for open ports and the services running on them, and choose which service can be exploited to get root or administrator privileges.
What is a port?
There are two types of ports: a) First are the hardware ports, the slots at the back of the CPU cabinet into which you plug or connect your hardware, e.g. COM1, COM2, the parallel port. b) A hacker is not interested in hardware ports but in the other type: virtual or software ports. c) Such a port is basically a virtual pipe through which information goes in and out. Every open port has a service running behind it which serves the users who connect to it. Example: port 25 is normally open on a server handling mail; it is the port on which the sendmail (SMTP) service listens by default. The attacker's quest to break into the system starts with finding out as much information about it as possible.
1. One has to find out the operating system of the target system. This can be done by: a) Service (banner) grabbing. b) Active fingerprinting. c) ICMP messages. d) Passive fingerprinting.
2. One has to get a list of the services running on the various open ports of the target system and then decide on a vulnerable service which can be compromised. Steps to find out this information: a) Port scanning. b) Daemon banner grabbing. c) ICMP messages.
3. One also needs to look into the details of the network to which the target system belongs, for example how the network is organized, the subnet addresses etc. Tools: a) Traceroute. b) ICMP messages.
Port Scanning:Definition :-
Port scanning means scanning the target system to obtain the list of open ports, i.e. ports that are listening for connections. How does a port scanner deduce whether a particular port on the target system is open or closed? There are various port scanning techniques employed by different port scanners. The simplest: – You launch telnet and manually telnet to each port.
In a manual port scan, when you telnet to a port of a remote host, a full three-way handshake takes place, which means that a complete TCP connection opens (and is logged by the target like any other connection).
– This is not a convenient method for more than a handful of ports, so more convenient and stealthier port scanning techniques have been developed.
[Diagram: Hacker -> dial-up -> dial-in modem -> Internet]
Almost all port scans are based on the client sending a packet with particular TCP flags set to the target port. A TCP connect scan can be summarised as follows:
1. The client sends a SYN packet to a particular port of the target system. 2. If that port is open, the target system replies with a SYN/ACK packet and the client completes the handshake with an ACK. 3. If the port is closed, the target replies with a RST (reset) packet, which tells the client to end the connection attempt.
Socket pairs: a socket is the combination of an IP address and a port, for example 126.96.36.199:25, and a connection is identified by the pair of sockets at its two ends. This is why a target system is never confused when another system connects to its HTTP and FTP ports simultaneously: each connection is distinguished by its own socket pair, and both services run at the same time.
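The connect scan summarised above, as an added example that is not part of the original slides. It uses the operating system's own connect() call, so the kernel performs the full three-way handshake exactly as the manual telnet probe does; the three outcomes map onto the page's steps: the handshake completing means open, a RST (surfacing as "connection refused") means closed, and silence until the timeout means a firewall dropped the SYN. To keep the demo self-contained it starts its own throwaway listener on 127.0.0.1 as the target, which is an assumption for the demo and not anything from the page.

```python
import socket
import threading


def start_target():
    """Start a throwaway TCP listener on 127.0.0.1 to act as the target (demo only)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    server.listen(5)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:                # server socket closed: stop serving
                return
            conn.close()                   # accept the handshake, then hang up

    threading.Thread(target=serve, daemon=True).start()
    return server, server.getsockname()[1]


def unused_port():
    """Find a port that is currently not listening (bind to 0, note it, release it)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe(host, port, timeout=1.0):
    """One connect() probe; the OS performs the full three-way handshake for us."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"                      # SYN -> SYN/ACK -> ACK completed
    except ConnectionRefusedError:
        return "closed"                    # SYN -> RST: nothing listening there
    except socket.timeout:
        return "filtered"                  # no answer at all: a firewall dropped the SYN
    except OSError as exc:
        return "error:%s" % exc.errno      # host unreachable and similar
    finally:
        sock.close()


def connect_scan(host, ports, timeout=1.0):
    """Probe each port in turn and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    target, open_port = start_target()
    closed_port = unused_port()
    print(connect_scan("127.0.0.1", [open_port, closed_port]))
    target.close()
```

Because every probe completes a connection, each one shows up in the target's logs and in netstat on the target, which is precisely why the half-open SYN scan described next was developed.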
SYN/HALF OPEN SYN PORT SCANNER
TCP connect scanners were easily detectable (every probe is a complete, logged connection), so programmers around the world developed a new kind of port scanner, the SYN scanner, which does not establish a complete TCP connection. The working of the SYN or half-open SYN port scanner: a) The SYN port scanner sends a TCP packet with the SYN flag set to a port on the remote host. b) The remote system replies with either SYN/ACK or RST/ACK. c) If the client receives a SYN/ACK from the server, the port is in the listening state; the scanner then sends a RST instead of the final ACK, so the connection is never fully established. If the client receives a RST/ACK, the port is not listening, in other words no service is running on that port of the system.
Detection of the SYN scan:-
A normal connection completes all three steps: 1. SYN sent from the client. 2. SYN/ACK sent from the server. 3. ACK sent from the client. A SYN scan stops after step 2, leaving the server with half-open connections.
If you give the following netstat command and observe several connections in the SYN_RECEIVED state initiated by the same remote client, your system is probably being SYN scanned: C:\windows>netstat –a
1. One can counter TCP SYN scans by adding rules to the firewall which block such SYN scan attempts (for example by rate-limiting SYNs from one source to many ports).
TCP FIN Scanning:- TCP FIN scans are very popular. They are mostly used against UNIX systems, whose stacks answer a FIN sent to a closed port with a RST and stay silent for an open port. Other operating systems, due to the way their stacks are designed, are known to respond to FIN packets sent to open ports with a RST packet as well, so the scan cannot tell open from closed there. This irregularity in the implementations of the various operating systems can also be used for remote OS fingerprinting.
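The netstat output is used twice on these slides: to read a chat partner's address out of an ESTABLISHED connection, and to spot a SYN scan as a pile of SYN_RECEIVED entries from one remote host. The following added example (not from the original slides) parses a constructed netstat listing once and answers both questions; the addresses in the sample output are assumptions made for the demo.

```python
from collections import Counter

# Constructed netstat output (Windows and Linux both print Proto, Local
# Address, Foreign Address and State columns, so one parser serves both).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:5190      203.0.113.45:5190      ESTABLISHED
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:21        198.51.100.7:40001     SYN_RECEIVED
  TCP    192.168.1.10:23        198.51.100.7:40002     SYN_RECEIVED
  TCP    192.168.1.10:25        198.51.100.7:40003     SYN_RECEIVED
  TCP    192.168.1.10:80        198.51.100.7:40004     SYN_RECEIVED
  TCP    192.168.1.10:443       203.0.113.9:51234      ESTABLISHED
  UDP    192.168.1.10:137       *:*
"""


def parse_netstat(text):
    """Turn netstat lines into dicts; header, banner and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP", "TCP6", "UDP6"):
            continue
        rows.append({
            "proto": parts[0].upper(),
            "local": parts[1],
            "foreign": parts[2],
            "state": parts[3] if len(parts) > 3 else "",   # UDP rows have no state
        })
    return rows


def split_addr(addr):
    """'203.0.113.45:5190' -> ('203.0.113.45', '5190'); rpartition also copes with IPv6."""
    host, _, port = addr.rpartition(":")
    return host, port


def established_peers(text):
    """The chat-partner trick: remote hosts of live TCP connections (loopback excluded)."""
    peers = set()
    for row in parse_netstat(text):
        if row["proto"].startswith("TCP") and row["state"] == "ESTABLISHED":
            host, _ = split_addr(row["foreign"])
            if not host.startswith("127."):
                peers.add(host)
    return sorted(peers)


def syn_scan_suspects(text, threshold=3):
    """Remote hosts holding at least `threshold` half-open connections with us."""
    counts = Counter()
    for row in parse_netstat(text):
        if row["state"].upper() in ("SYN_RECEIVED", "SYN_RECV"):   # Windows / Linux spelling
            counts[split_addr(row["foreign"])[0]] += 1
    return {host: n for host, n in counts.items() if n >= threshold}
```

A single netstat snapshot is a weak detector: a scanner that answers each SYN/ACK with a RST leaves the half-open entries alive for only milliseconds. The durable signal is one source touching many different ports in a short time, which firewall or IDS logs capture and which the same per-host counting applied to those logs would reveal.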
Using a port scanner to get information on the target system:-
a) The first step is to get a good port scanner, preferably a stealthy one, and do a port scan on the target system. Most of the stealthy port scanners are still detectable by a good intrusion detection system, so writing your own port scanner is better. The stealthiest scanners are those which send SYN/FIN packets from spoofed or decoy addresses alongside the real one (replies to a spoofed source never reach the scanner, so at least one probe must still carry the real address).
The most common ports:
Port No. – Service
21 – FTP
23 – Telnet
25 – SMTP
53 – DNS
79 – Finger
80 – HTTP
110 – POP
111 – portmapper (not useful)
389 – LDAP (not useful)
512 – rexec (the rlogin service itself listens on 513)
Some utilities: – NMAP – SATAN – HPing – port scanners etc.
Try to keep an eye on TCP port 12345 and UDP port 31337: these are the default ports of the popular Trojans NetBus and Back Orifice (BO). Although there is no way to prevent a client from port scanning your machine, it is highly advisable to use software that detects and logs port scanning attempts (for UNIX systems Scanlogd, for Windows systems BlackICE). One should also install a firewall or some kind of sniffing tool.
Daemon Banner Grabbing
All open ports have a service running on them. As soon as you telnet or connect to such an open port, you are greeted by a welcome message, which is known as the daemon banner. A daemon banner contains certain information about the daemon running on that port, other system information and sometimes the message of the day: the operating system name, the daemon name and version, the time and date, etc.
ICMP messages
The Internet Control Message Protocol (ICMP) is the de facto protocol for reporting errors that occur while transferring packets over a network. It is extremely useful in information gathering and can be used to find: – Host detection. – Operating system information. – Network topology information. – Firewall detection.
ICMP scanning: host detection technique. This technique reveals whether a particular host is up (connected) or not. It makes use of the 'echo request' and 'echo reply' ICMP messages.
Working: Client --------- ICMP Echo Request --------- Host. Case 1 (alive): Host --------- ICMP Echo Reply --------- Client. Case 2 (not alive, or echo filtered): there is no response.
• The PING utility can also be used for:
– Host detection. – Clogging valuable network resources by sending an endless stream of 'Echo Request' ICMP messages (a ping flood). – Firewall detection. Echo requests (ping messages) can easily be filtered at the router level with an access control list (ACL) such as the one below, where 8 is the ICMP type number of echo request: • access-list 101 deny icmp any any 8
• Traceroute can easily be used for the following purposes:
• OS detection • Firewall detection • Network topology information • Geographical location of the host.
• Remote OS Fingerprinting
• Active fingerprinting • Passive fingerprinting. The underlying concept behind remote OS fingerprinting is that, because their TCP/IP stacks differ, different operating systems respond differently to the same packet sent to them.
This difference in responses is used as a benchmark for differentiating between operating systems.
Thus the working of OS fingerprinting can be described as:
Attacker ------------- customized packet ----------- Remote host. Remote host ------ responses --------- Attacker. Depending on these responses the OS of the remote system is identified.
• Active Fingerprinting
In active fingerprinting the attacker performs these operations: • A customized packet is sent to the remote system. • The response generated by the remote host is logged using a packet sniffer. • By studying and comparing the logged responses against the known responses, the exact OS running on the host can be pinpointed. The best tool available for active fingerprinting is Nmap.
• Passive Fingerprinting:- Passive fingerprinting is totally anonymous, since the attacker sends nothing to the target. It is carried out in the following manner: – The attacker gets hold of data packets sent by the target host to any other system; a sniffing tool is used to capture them. – The various fields of these captured packets are then studied for characteristic values unique to a particular OS. The following fields are compared: a) TTL values (each router hop decrements the TTL, so the initial value has to be inferred from the observed one). b) The window size.
c) The Don't Fragment (DF) bit. d) Type of Service (TOS). For example, if a captured packet has a window value of 9000, a Type of Service of 0 and the Don't Fragment bit set, then according to the signature database in use the host is most probably Windows 9x or Windows NT.
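The passive comparison described above, as an added example that is not part of the original slides: constructed IPv4/TCP SYN packets are parsed with struct, the four fields from the slide are pulled out, the observed TTL is rounded up to the nearest common initial value (32, 64, 128, 255) to undo the per-hop decrement, and the result is matched against a signature table. The signature table is illustrative (it reproduces the slide's window-9000 rule and adds two assumed entries in the style of p0f databases); real tools carry hundreds of signatures and more fields.

```python
import struct

IP_FMT = "!BBHHHBBH4s4s"      # version/IHL, TOS, total len, id, flags+frag, TTL, proto, csum, src, dst
TCP_FMT = "!HHLLBBHHH"         # sport, dport, seq, ack, data offset, flags, window, csum, urgent
DF_BIT = 0x4000                # Don't Fragment flag inside the flags/fragment-offset field


def build_packet(ttl, window, df, tos, src="192.168.1.5", dst="192.168.1.10"):
    """Construct a minimal IPv4 header + TCP SYN header as sample input (checksums left 0)."""
    ip_header = struct.pack(IP_FMT, 0x45, tos, 40, 0x1234, DF_BIT if df else 0, ttl, 6, 0,
                            bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_header = struct.pack(TCP_FMT, 40001, 80, 0, 0, 0x50, 0x02, window, 0, 0)
    return ip_header + tcp_header


def parse_packet(packet):
    """Extract the fields a passive fingerprinter looks at from a captured packet."""
    (ver_ihl, tos, _total, _ident, flags_frag, ttl, proto, _csum,
     src, _dst) = struct.unpack(IP_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                       # header length in bytes (options included)
    (_sport, _dport, _seq, _ack, _off, tcp_flags, window,
     _tcsum, _urg) = struct.unpack(TCP_FMT, packet[ihl:ihl + 20])
    return {
        "src": ".".join(str(b) for b in src),
        "proto": proto,
        "ttl": ttl,
        "window": window,
        "df": bool(flags_frag & DF_BIT),
        "tos": tos,
        "syn": bool(tcp_flags & 0x02),
    }


def initial_ttl(observed):
    """Round the observed TTL up to the nearest common starting value."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255


# Illustrative signature table (assumed values, not from the slides, except the
# last entry which encodes the slide's own example rule). ttl None = any TTL.
SIGNATURES = [
    {"os": "Linux 2.4/2.6 (illustrative)", "ttl": 64, "window": 5840, "df": True, "tos": 0},
    {"os": "Windows 2000/XP (illustrative)", "ttl": 128, "window": 65535, "df": True, "tos": 0},
    {"os": "Windows 9x/NT (slide's example rule)", "ttl": None, "window": 9000, "df": True, "tos": 0},
]


def fingerprint(fields):
    """Return the OS names whose signature matches the captured fields."""
    hits = []
    for sig in SIGNATURES:
        if sig["ttl"] is not None and initial_ttl(fields["ttl"]) != sig["ttl"]:
            continue
        if sig["window"] != fields["window"] or sig["df"] != fields["df"] or sig["tos"] != fields["tos"]:
            continue
        hits.append(sig["os"])
    return hits or ["unknown"]
```

A packet that has crossed six routers arrives with TTL 58; initial_ttl maps it back to 64, which is why the Linux entry still matches. The same rounding is what lets a fingerprinter estimate the hop distance to the host (initial minus observed).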
Email Header Fingerprinting:- In this method the header of an email sent by the mail service running on the remote host is studied: the name and version of the mail daemon recorded in the header give away the platform it runs on.
Some examples of attacks on the operating system: • Exploiting specific protocol implementations. • Attacking the built-in authentication system. • Breaking file system security. • Cracking passwords and encryption mechanisms.
a) Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) applications are frequently attacked because most firewalls and other security mechanisms are configured to allow full access to these programs from the Internet. b) Malicious software (malware) includes viruses, worms, Trojan horses and spyware. Malware clogs networks and takes down systems.
VIRUSES, WORMS AND SPYWARE
Spyware is software which gathers information about the victim (i.e. spies on the victim) and passes that information on to the attacker without the victim's consent. It is used for:
a) Spying on activities. b) Stealing the victim's secret passwords. c) Misusing the victim's computer resources for the attacker's own malicious or non-malicious purposes. How can you be infected: – Spyware is normally built into an EXE file or utility. – If you download and execute an infected EXE file, the spyware becomes active. – Always scan the software that you download from the Internet, using tools like SPYCHECK, SPYWARE INFO, SPY STOPPER etc.
Virus: - A Definition
A virus is a malicious piece of code which causes unexpected, harmful and negative behaviour on the victim's system.
A worm is similar to a virus but has the additional ability to reside in the memory of the infected computer, duplicate itself and spread copies of itself via email, chat or the network without any user action. Hence worms usually clog up network bandwidth. Anti-virus software is the standard defence against viruses and worms.
In a DoS attack, the attacker chokes the target system with an endless stream of data and hence crashes it.
Technical definition:- DoS attacks are aimed at denying valid, legitimate Internet and network users access to the services offered by the target system. • In other words, a DoS attack is one in which you clog up so much memory (or bandwidth, or processing time) on the target system that it cannot serve legitimate users. • There are numerous types of denial of service attacks.
• Steps involved in a denial of service attack:-
a) Attacker ----------- malicious data ------- Target network. b) The target network gets choked or cannot handle the malicious data and hence crashes. c) As a result, even legitimate users cannot connect to the target network.
PING OF DEATH ATTACK:– The maximum packet size allowed by IP is 65535 bytes, because the Total Length field of the IP header is 16 bits wide. – In the Ping of Death attack, a packet larger than this maximum is sent to the target system. No link carries such a packet whole, so it arrives as fragments whose offsets and lengths add up to more than 65535 bytes.
As soon as a vulnerable target system reassembles such a packet it crashes, reboots or hangs. A patched stack checks each fragment's offset plus length against the maximum before buffering it and discards the oversized datagram.
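The fragment arithmetic behind the Ping of Death, as an added example (not from the original slides): the fragment offset field counts in units of 8 bytes, so a datagram's size is implied by the fragment that ends furthest out, and the defence is to reject any fragment whose end would land past 65535 bytes before buffering anything. The fragment sets below are constructed for the demo (a normal 84-byte ping and a 66,000-byte payload split for a 1500-byte Ethernet MTU).

```python
MAX_IP_DATAGRAM = 65535   # the IPv4 Total Length field is 16 bits wide
IP_HEADER_LEN = 20


def reassembled_length(fragments):
    """Total datagram length implied by a set of fragments.

    Each fragment is (fragment_offset, payload_len, more_fragments), with the
    offset in 8-byte units exactly as carried in the IP header."""
    last_byte = 0
    for offset, payload_len, _more in fragments:
        last_byte = max(last_byte, offset * 8 + payload_len)
    return IP_HEADER_LEN + last_byte


def is_ping_of_death(fragments):
    """True when reassembly would overflow the 65535-byte maximum, the condition
    that crashed stacks which allocated a reassembly buffer of exactly that size."""
    return reassembled_length(fragments) > MAX_IP_DATAGRAM


def first_offending_fragment(fragments):
    """The per-fragment check a hardened stack applies before buffering anything:
    return the index of the first fragment whose end lies past the maximum, else None."""
    for index, (offset, payload_len, _more) in enumerate(fragments):
        if IP_HEADER_LEN + offset * 8 + payload_len > MAX_IP_DATAGRAM:
            return index
    return None


# Constructed fragment sets: (offset in 8-byte units, payload length, more-fragments flag).
NORMAL_PING = [(0, 64, False)]   # an ordinary 84-byte echo request, unfragmented
MTU_PAYLOAD = 1480               # 1500-byte Ethernet MTU minus the 20-byte IP header
OVERSIZED = 66000                # payload of the malicious echo request
PING_OF_DEATH = (
    [(i * (MTU_PAYLOAD // 8), MTU_PAYLOAD, True) for i in range(44)]
    + [(44 * (MTU_PAYLOAD // 8), OVERSIZED - 44 * MTU_PAYLOAD, False)]
)
```

Every fragment of the attack is individually legal (1480 bytes, a valid offset); only the 45th one, whose end reaches byte 66,020, reveals the problem, which is why the check has to be made on offset plus length and not on the fragment's own size.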
Distributed Denial of Service Attack:-
DoS attack: only one attacker; not that effective. dDoS attack: several attackers; more effective.
Steps involved in a dDoS attack: • The attacker takes control of a less secure network, say X. • Let us assume there are 100 systems in X's network. • The attacker uses all these 100 systems to attack the actual target T. • Hence instead of one attacker there are 100 attackers.
Input Validation Attack
The most common dangers of input validation attacks are: • Remote execution of malicious commands. • Gaining access to sensitive data. • Stealing passwords. Some of the most notorious examples of input validation attacks are: a) Entering 1000 random characters as the password and gaining root access (a buffer overflow in the login routine). b) Entering the path of the password file in the search box of a website and actually getting access to it (directory traversal).
SQL Injection Attacks:-
• SQL injection attacks are a form of input validation attack in which the attacker uses specially crafted SQL queries or commands to carry out malicious activities on the target system.
• This vulnerability exists because input is not validated (or, better, not passed as a parameter) when a database query is built by the web application. • The 'best part' about SQL injection attacks, like most other input validation attacks, is that they can be executed with the help of only a browser.
SQL Injection Attack: ILLEGAL ACCESS
If a user wants to retrieve all records whose name field is 'sports':
http://www.domain.com/index.asp?querystring=sports
SELECT * FROM database WHERE querystring = 'sports'
However, consider the following input:
http://www.domain.com/index.asp?querystring=sports' or 1=1--
The server builds: SELECT * FROM database WHERE querystring = 'sports' or 1=1--'
which the database reads as: SELECT * FROM database WHERE querystring = 'sports' or 1=1
NOTE: In this attack 1=1 is always true, so the WHERE clause is true for every row and the query displays all records. The -- turns the rest of the line, including the closing quote the server appended, into a comment.
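The slide's query, run for real against an in-memory SQLite table as an added example (not from the original slides): the vulnerable version pastes the query string into the SQL text exactly as the slide shows and returns every row for the sports' or 1=1-- input, including a row the user should never see; the safe version passes the same input as a bound parameter, so the database treats it as a literal category name and returns nothing. The table name, columns and rows are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the slide's 'database'."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, category TEXT, title TEXT)")
    con.executemany("INSERT INTO articles (category, title) VALUES (?, ?)", [
        ("sports", "Cup final report"),
        ("sports", "Transfer rumours"),
        ("finance", "Quarterly results"),
        ("internal", "Staff salaries (restricted)"),   # the row an attacker wants
    ])
    return con


def search_vulnerable(con, querystring):
    """The slide's pattern: user input pasted straight into the SQL text."""
    sql = "SELECT title FROM articles WHERE category = '%s' ORDER BY id" % querystring
    return [row[0] for row in con.execute(sql)]


def search_safe(con, querystring):
    """Same query with a bound parameter: the input can never change the SQL's structure."""
    sql = "SELECT title FROM articles WHERE category = ? ORDER BY id"
    return [row[0] for row in con.execute(sql, (querystring,))]


PAYLOAD = "sports' or 1=1--"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", search_vulnerable(db, "sports"))
    print("vulnerable, payload:     ", search_vulnerable(db, PAYLOAD))
    print("safe, payload:           ", search_safe(db, PAYLOAD))
```

Note what the safe version does not do: it does not strip quotes or look for the string "or 1=1". Filtering input is a losing game (the same attack works with or 'a'='a, comments, encodings and so on); parameterisation removes the problem because the input is never parsed as SQL at all.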
Cryptography
1. RSA 2. MD5 3. SHA 4. SSL 5. PGP 6. SSH 7. Encryption cracking techniques
Public-key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman. In this system each person gets a pair of keys, called the public key and the private key. Each person's public key is published while the private key is kept secret. Anyone can send a confidential message using only public information, but it can only be decrypted with the private key, which is in the sole possession of the intended recipient.
RSA is a public-key cryptosystem developed by the MIT professors Ronald L. Rivest, Adi Shamir and Leonard M. Adleman in 1977. RSA uses modular arithmetic and elementary number theory to do its computations with two very large prime numbers. RSA encryption is widely used and is the de facto standard for public-key encryption on the Internet.
The MD5 algorithm is intended for digital signature applications, where a large file must be "compressed" in a secure manner before being signed with the private (secret) key under a public-key cryptosystem such as RSA. MD5 takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input. MD5 is no longer considered secure: practical collision attacks exist, so it must not be used for new signatures.
The SHA-1 algorithm takes as input a message of arbitrary length and produces as output a 160-bit "fingerprint" or "message digest" of the input. The algorithm is slightly slower than MD5, but the larger message digest makes it more resistant to brute-force collision and inversion attacks. SHA-1 collisions have since been demonstrated as well; new designs should use SHA-2 or SHA-3.
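The RSA and hash-then-sign mechanics from the paragraphs above, as an added example that is not part of the original slides. The modulus is built from two Mersenne primes (2^31-1 and 2^61-1) so the numbers are readable; that gives a 92-bit key, far too small for real use, and the digest is reduced modulo n instead of being padded as PKCS#1 does, both of which are simplifications made for the demo. The arithmetic itself (key generation from p and q, encryption and decryption as modular exponentiation, signing the digest with d and verifying with e) is the real thing. Assumes Python 3.8 or later for the three-argument pow with exponent -1.

```python
import hashlib

# Two Mersenne primes: small enough to print, large enough to hold a short message.
P = 2 ** 31 - 1
Q = 2 ** 61 - 1


def keygen(p=P, q=Q, e=65537):
    """Return (public, private) = ((n, e), (n, d)) with e*d = 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse; ValueError if gcd(e, phi) != 1
    return (n, e), (n, d)


def encrypt(public, m):
    """Anyone can do this with the published key; m must be an integer below n."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(private, c):
    """Only the holder of d can undo the encryption."""
    n, d = private
    return pow(c, d, n)


def digest_as_int(data, algorithm, n):
    """Hash the data and reduce the digest below n (toy substitute for PKCS#1 padding)."""
    digest = hashlib.new(algorithm, data).digest()
    return int.from_bytes(digest, "big") % n


def sign(private, data, algorithm="sha256"):
    """Hash-then-sign: the 'compress first, then apply the private key' use of MD5/SHA."""
    n, d = private
    return pow(digest_as_int(data, algorithm, n), d, n)


def verify(public, data, signature, algorithm="sha256"):
    """Recover the digest with the public key and compare with a fresh hash of the data."""
    n, e = public
    return pow(signature, e, n) == digest_as_int(data, algorithm, n)


def digest_bits(algorithm):
    """Output size of a hash function in bits: 128 for MD5, 160 for SHA-1, 256 for SHA-256."""
    return hashlib.new(algorithm, b"").digest_size * 8


if __name__ == "__main__":
    public, private = keygen()
    m = int.from_bytes(b"hello", "big")
    c = encrypt(public, m)
    print("ciphertext:", c, "-> decrypts to", decrypt(private, c).to_bytes(5, "big"))
    s = sign(private, b"hello")
    print("signature verifies:", verify(public, b"hello", s),
          "| tampered:", verify(public, b"hellp", s))
```

Signing the digest rather than the file is what makes RSA practical for large documents, and it is also why the digest's collision resistance matters: two files with the same MD5 digest share a valid signature, which is the attack that retired MD5 and later SHA-1 from signature use.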
SSL stands for Secure Sockets Layer. SSL is a protocol developed by Netscape for transmitting private documents via the Internet. SSL uses public-key cryptography during its handshake to authenticate the server (through its certificate) and to agree a secret session key, and then encrypts the data transferred over the connection with a symmetric cipher keyed with that session key. The SSL protocol is application protocol independent. SSL has since been superseded by TLS; the SSL versions themselves are deprecated.
RC5 is a fast block cipher designed by Ron Rivest of RSA Security in 1994. It is a parameterized algorithm with a variable block size, a variable key size and a variable number of rounds; the nominal parameter choice, RC5-32/12/16, uses a 64-bit block, 12 rounds and a 128-bit key. RC6 is a block cipher based on RC5. Like RC5, RC6 is a parameterized algorithm in which the block size, the key size and the number of rounds are again variable. The upper limit on the key size is 2040 bits.
The program SSH (Secure Shell) is a secure replacement for telnet and the Berkeley r-utilities (rlogin, rsh, rcp and rdist). It provides an encrypted channel for logging into another computer over a network, executing commands on a remote computer, and moving files from one computer to another. SSH provides strong host-to-host and user authentication as well as secure encrypted communications over an insecure Internet. SSH2 is a more secure, efficient and portable version of SSH that includes SFTP, a file transfer protocol that runs over the SSH2 channel (it is not FTP tunnelled through SSH).